<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1465330961704_16534"><span id="yui_3_16_0_ym19_1_1465330961704_16551">Here are a few additional possible technical requirements for a new data collection system using JSON. I hope this is all relevant, as the learning curve is quite steep right now, and I haven't been able to read enough about all the tools used by a web/application developer that are mentioned below. &nbsp;</span></div><div id="yui_3_16_0_ym19_1_1465330961704_16534"><span><br></span></div><div style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_16997"><b id="yui_3_16_0_ym19_1_1465330961704_16998"><span style="font-size:13.5pt;font-family:&quot;Helvetica&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_16999">1. Authentication flags and privilege
escalation<o:p id="yui_3_16_0_ym19_1_1465330961704_17000"></o:p></span></b></div><div style="margin-bottom: 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17001"><span style="font-size:12.0pt;font-family:&quot;Helvetica&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17002">Since applications have
their own access-control lists and privileges, if the implementation of the
authorization is weak, it opens up vulnerabilities that can be exploited, such
as accessing another's content or becoming a higher-level user with greater
permissions. <o:p id="yui_3_16_0_ym19_1_1465330961704_17003"></o:p></span></div><div style="margin-bottom: 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17004"><b id="yui_3_16_0_ym19_1_1465330961704_17005"><span style="font-size:12.0pt;font-family:&quot;Helvetica&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17006">[SM-D1-R01]</span></b><span style="font-size:12.0pt;font-family:&quot;Helvetica&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17007">
Identify parameter names related to ACLs or permissions that could become a
target; the tester can then use fuzzing tools to try to change bit patterns or
permission flags, which may reveal the point at which an attacker could achieve
exploitation, escalate privileges or bypass
authentication.<o:p id="yui_3_16_0_ym19_1_1465330961704_17008"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17009"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17010">2. Critical parameter manipulation and access to unauthorized
information/content<o:p id="yui_3_16_0_ym19_1_1465330961704_17011"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17012"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17013">HTTP
GET and POST requests are usually submitted to the application with several
parameters, typically as name/value pairs, JSON, XML and so forth; these
parameters can be tampered with, and their values can be guessed or predicted. <o:p id="yui_3_16_0_ym19_1_1465330961704_17014"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17015"><b id="yui_3_16_0_ym19_1_1465330961704_17016"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17017">[SM-D1-R02] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17018">Tests for this look
for easily guessable values and whether a parameter's value can be changed in
order to gain unauthorized access.<o:p id="yui_3_16_0_ym19_1_1465330961704_17019"></o:p></span></div><div style="mso-element:para-border-div;border:none;border-bottom:solid #D0E0E3 1.0pt;mso-border-bottom-alt:solid #D0E0E3 .75pt;padding:0in 0in 6.0pt 0in;background:#30352E;margin-left:-11.25pt;margin-right:-11.25pt" id="yui_3_16_0_ym19_1_1465330961704_17020">

<h2 style="margin-top: 0in; border: none; padding: 0in; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17021"><i id="yui_3_16_0_ym19_1_1465330961704_17022"><span style="font-size:11.0pt;line-height:107%;font-family:&quot;Arial&quot;,sans-serif;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17023">JSON XSRF Attacks<o:p id="yui_3_16_0_ym19_1_1465330961704_17024"></o:p></span></i></h2>

</div><div style="margin-bottom:0in;margin-bottom:.0001pt;line-height:13.65pt;background:#30352E" id="yui_3_16_0_ym19_1_1465330961704_17025"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17026">All
modern web browsers implement the&nbsp;<b id="yui_3_16_0_ym19_1_1465330961704_17027">Same Origin Policy (SOP)</b>&nbsp;on
website content. This policy prevents one website from writing to the contents
of a frame that was issued from a different domain, and it was introduced
against frame injection flaws. JSON CSRF exploits a gap in SOP: the restriction
is one-way, so data from another website can be loaded and executed on a
different domain. The vulnerability results from SOP treating JavaScript as
code rather than as data: under browser policy, a script is allowed to be
downloaded and executed in the client browser even though its original source
is a different domain.<o:p id="yui_3_16_0_ym19_1_1465330961704_17028"></o:p></span></div><div style="margin-bottom:0in;margin-bottom:.0001pt;line-height:13.65pt;background:#30352E" id="yui_3_16_0_ym19_1_1465330961704_17029"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17030">&nbsp;</span></div><div style="margin-bottom:0in;margin-bottom:.0001pt;line-height:13.65pt;background:#30352E" id="yui_3_16_0_ym19_1_1465330961704_17031"><b id="yui_3_16_0_ym19_1_1465330961704_17032"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17033">JSON</span></b><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17034">&nbsp;means&nbsp;<b id="yui_3_16_0_ym19_1_1465330961704_17035">JavaScript Object
Notation</b>, a data transfer format for JavaScript
interpreters. It is used in AJAX-based applications as an alternative to the
standard XML data transfer format. In these applications, requests are made
using&nbsp;<b id="yui_3_16_0_ym19_1_1465330961704_17036">XML Http Request </b>to a server, and the server returns data in
JSON format, which is then passed on to the client side. Because JavaScript is
used to transmit the data, SOP's pure-code treatment of scripts can be
exploited to obtain data generated by other applications, especially where
that data is transmitted back in the form of an array. For this reason an XSRF
attack can easily be executed against a vulnerable site: JSON CSRF attacks can
be carried out against an AJAX-based website that uses the JSON data transfer
format rather than the standard XML data transfer format.<o:p id="yui_3_16_0_ym19_1_1465330961704_17037"></o:p></span></div><div style="margin-bottom: 0.0001pt; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17038"><i id="yui_3_16_0_ym19_1_1465330961704_17039"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17040">&nbsp;</span></i></div><div style="margin-bottom: 0.0001pt; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17041"><i id="yui_3_16_0_ym19_1_1465330961704_17042"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17043">The following are
preventive measures that can be implemented against XSRF attacks.<o:p id="yui_3_16_0_ym19_1_1465330961704_17044"></o:p></span></i></div><div style="margin-bottom: 0.0001pt; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17045"><i id="yui_3_16_0_ym19_1_1465330961704_17046"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17047">&nbsp;</span></i></div><div style="margin: 0in 0in 3pt; text-indent: 0in; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17048"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:11.0pt;font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:white;mso-bidi-font-style:italic" id="yui_3_16_0_ym19_1_1465330961704_17049">·<span style="font-stretch: normal; font-size: 7pt; font-family: 'Times New Roman';" id="yui_3_16_0_ym19_1_1465330961704_17050">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><!--[endif]--><i id="yui_3_16_0_ym19_1_1465330961704_17051"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17052">First of all, the
application must implement protection against all kinds of basic XSRF attacks.<o:p id="yui_3_16_0_ym19_1_1465330961704_17053"></o:p></span></i></div><div style="margin: 0in 0in 3pt; text-indent: 0in; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17054"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:11.0pt;font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:white;mso-bidi-font-style:italic" id="yui_3_16_0_ym19_1_1465330961704_17055">·<span style="font-stretch: normal; font-size: 7pt; font-family: 'Times New Roman';" id="yui_3_16_0_ym19_1_1465330961704_17056">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><!--[endif]--><i id="yui_3_16_0_ym19_1_1465330961704_17057"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17058">Always use unpredictable
parameters for JSON objects.<o:p id="yui_3_16_0_ym19_1_1465330961704_17059"></o:p></span></i></div><div style="margin: 0in 0in 3pt; text-indent: 0in; background: rgb(48, 53, 46);" id="yui_3_16_0_ym19_1_1465330961704_17060"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:11.0pt;font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:white;mso-bidi-font-style:italic" id="yui_3_16_0_ym19_1_1465330961704_17061">·<span style="font-stretch: normal; font-size: 7pt; font-family: 'Times New Roman';" id="yui_3_16_0_ym19_1_1465330961704_17062">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><!--[endif]--><i id="yui_3_16_0_ym19_1_1465330961704_17063"><span style="font-family:&quot;Arial&quot;,sans-serif;mso-fareast-font-family:&quot;Times New Roman&quot;;color:white" id="yui_3_16_0_ym19_1_1465330961704_17064">JSON XSRF attacks are
possible because the application sends XML Http Requests to retrieve JSON data,
and the attack can only retrieve that data by using the GET method; therefore,
it is better to accept only the POST method for such data as a countermeasure against JSON XSRF.<o:p id="yui_3_16_0_ym19_1_1465330961704_17065"></o:p></span></i></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17066"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17067">&nbsp;</span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17068"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17069">3. Developer's cookie tampering and business process/logic
bypass<o:p id="yui_3_16_0_ym19_1_1465330961704_17070"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17071"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17072">Cookies
are often used to maintain state over HTTP, but developers are not only using
session cookies; they are also building data internally using session-only
variables. Application developers set new cookies in the browser at important
junctures, which exposes logic holes. The danger is that these cookies can be
reverse engineered, or hold values that can be guessed or deciphered, and
attackers try to identify such holes because they are easy to exploit. <o:p id="yui_3_16_0_ym19_1_1465330961704_17073"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17074"><b id="yui_3_16_0_ym19_1_1465330961704_17075"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17076">[SM-D1-R03] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17077">Tests here typically
involve analysis of the cookies delivered during profiling, looking for easily
guessable values and checking whether a cookie value can be changed.<o:p id="yui_3_16_0_ym19_1_1465330961704_17078"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17079"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17080">4. LDAP parameter identification and critical infrastructure
access<o:p id="yui_3_16_0_ym19_1_1465330961704_17081"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17082"><span style="font-size: 10.5pt; font-family: Arial, sans-serif; color: rgb(37, 37, 37); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17083">A common use of LDAP is to provide a central
place to store usernames and passwords. This allows many different applications
and services to connect to the LDAP server to validate users. This has a major
benefit that allows a central place to update and change user passwords. </span><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17084">LDAP is becoming an
important aspect for large applications and may get integrated with
"single sign-on" as well. Many infrastructure layer tools like
SiteMinder and Load Balancer use LDAP for both authentication and
authorization. LDAP parameters can carry business-logic decision flags that can
be abused or leveraged. Attackers can find business-layer bypasses and logical
injections if the application is not doing enough validation. <o:p id="yui_3_16_0_ym19_1_1465330961704_17085"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17086"><b id="yui_3_16_0_ym19_1_1465330961704_17087"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17088">[SM-D01-R04] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17089">Tests for this focus
on finding parameters linked with LDAP, such as those taking email addresses or usernames,
which are prospective targets.<o:p id="yui_3_16_0_ym19_1_1465330961704_17090"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17091"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17092">5. Business constraint exploitation<o:p id="yui_3_16_0_ym19_1_1465330961704_17093"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17094"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17095">The
application's business logic should have defined rules and constraints, but if
poorly designed, attackers can crawl them and browse through hidden fields and
understand their context. <o:p id="yui_3_16_0_ym19_1_1465330961704_17096"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17097"><b id="yui_3_16_0_ym19_1_1465330961704_17098"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17099">[SM-D01-R05] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17100">Test hidden parameters
and values, checking for business-specific calls that can become a target and be
manipulated.<o:p id="yui_3_16_0_ym19_1_1465330961704_17101"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17102"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17103">6. Business flow bypass<o:p id="yui_3_16_0_ym19_1_1465330961704_17104"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17105"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17106">Applications
include flows that are controlled by redirects and page transfers. However, in
many cases, this flow can be bypassed, which can lead to an error condition or
information leakage, which can help an attacker identify critical backend
information. <o:p id="yui_3_16_0_ym19_1_1465330961704_17107"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17108"><b id="yui_3_16_0_ym19_1_1465330961704_17109"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17110">[SM-D01-R06] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17111">Test whether business
functionality and parameters can be tampered with through a proxy.<o:p id="yui_3_16_0_ym19_1_1465330961704_17112"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17113"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17114">7. Exploiting client-side business routines embedded in JavaScript,
Flash or Silverlight<o:p id="yui_3_16_0_ym19_1_1465330961704_17115"></o:p></span></h3><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17116"><span style="font-size: 13pt; font-family: Helvetica, sans-serif; color: rgb(25, 25, 25); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17117">Many business applications now run on rich
Internet application frameworks leveraging JavaScript, and in many cases the
logic is embedded in the client-side component. These can be reverse engineered.
JavaScript can be debugged line by line to identify embedded logic. This could
include logic for cryptography algorithms, credential storage, privilege
management and other security functions. This may lead to possible exploits. <o:p id="yui_3_16_0_ym19_1_1465330961704_17118"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17119"><b id="yui_3_16_0_ym19_1_1465330961704_17120"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17121">[SM-D01-R06] </span></b><span style="font-size: 13pt; font-family: Helvetica, sans-serif; color: rgb(25, 25, 25); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17122">To check for these kinds of weaknesses, analyze the Document
Object Model (DOM) and identify variables on a browser stack, and look for
suspicious values and parameters that can be exploited in DOM.</span><o:p id="yui_3_16_0_ym19_1_1465330961704_17123"></o:p></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17124"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17125">8. Identity or profile extraction<o:p id="yui_3_16_0_ym19_1_1465330961704_17126"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17127"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17128">A
critical parameter in authenticated applications, the user's identity is
maintained using session or other forms of tokens. Attackers can identify these
token parameters in poorly designed and developed applications, opening up the
potential for abuse and systemwide exploitation. The token may only be using a
sequential number or guessable username. <o:p id="yui_3_16_0_ym19_1_1465330961704_17129"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17130"><b id="yui_3_16_0_ym19_1_1465330961704_17131"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17132">[SM-D01-R07] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17133">To test for this, look
for parameters that control profiles, and check whether it is possible to decipher,
guess or reverse engineer the tokens.<o:p id="yui_3_16_0_ym19_1_1465330961704_17134"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17135"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17136">9. File or
unauthorized URL access and business information extraction<o:p id="yui_3_16_0_ym19_1_1465330961704_17137"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17138"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17139">Business
applications contain critical information in their features, in the files that
are exported and in the export functionality. Users can export their data in a
selected file format (PDF, XLS or CSV) and download it. If this functionality
is carelessly implemented, it can enable asset leakage. <o:p id="yui_3_16_0_ym19_1_1465330961704_17140"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17141"><b id="yui_3_16_0_ym19_1_1465330961704_17142"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17143">[SM-D01-R08] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17144">To test for this, identify
calls based on parameter names like file, doc and dir, which point to possible
unauthorized file-access vulnerabilities; a good follow-up test is basic brute
force or guesswork to check whether another user's files can be fetched
from the server.<o:p id="yui_3_16_0_ym19_1_1465330961704_17145"></o:p></span></div><h3 style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17146"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17147">10. Denial of service (DoS) with business logic<o:p id="yui_3_16_0_ym19_1_1465330961704_17148"></o:p></span></h3><div style="margin: 0in 0in 12pt; font-size: 1.0625rem; line-height: 1.6rem; max-width: 620px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17149"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17150">Denial-of-service
vulnerabilities for business applications pose serious issues because if
exploited, the application can be brought down for a length of time or at a
critical juncture. Sometimes attackers can identify a loophole and try to
exploit it during a DoS condition. Unlike TCP flooding at the network layer,
there is no universal DoS attack at the application layer, but in some cases
infinite loops implemented in the application layer can lead to a DoS condition. <o:p id="yui_3_16_0_ym19_1_1465330961704_17151"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17152"><b id="yui_3_16_0_ym19_1_1465330961704_17153"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17154">[SM-D01-R09] </span></b><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17155">Test applications
against a threat model and provide defenses at the application layer (for example, limits on request size, array length and iteration counts, and timeouts on long-running operations).</span><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:white;mso-themecolor:background1" id="yui_3_16_0_ym19_1_1465330961704_17156"><o:p id="yui_3_16_0_ym19_1_1465330961704_17157"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17158"><b id="yui_3_16_0_ym19_1_1465330961704_17159"><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17160">JSON
Web Token (JWT) libraries <o:p id="yui_3_16_0_ym19_1_1465330961704_17161"></o:p></span></b></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17162"><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17163">Critical vulnerabilities exist in several JSON
Web Token (JWT) libraries, notably the JavaScript and PHP versions, that let an
attacker bypass signature verification entirely. One of these vulnerabilities
abuses the way some libraries handle the key for an asymmetric signing
algorithm, as described below.</span><span style="font-family: Helvetica, sans-serif;" id="yui_3_16_0_ym19_1_1465330961704_17164"><br id="yui_3_16_0_ym19_1_1465330961704_17165">
<br id="yui_3_16_0_ym19_1_1465330961704_17166">
<span style="background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17167">JWT is a
standard for passing signed claims between two parties. For example, a&nbsp;server
can issue a token asserting that its bearer is an admin, encoded as JSON and signed
with the server’s key. Any party holding the server’s verification key can then
check that signature and trust the claim. The&nbsp;issue is a key confusion between
tokens signed with HMAC (a symmetric MAC, not a hash function) and tokens signed
with RSA. If a server expects RSA-signed tokens but receives a token whose header
declares HMAC, a vulnerable library will use the RSA public key it holds as the
HMAC secret. HMAC keys must be kept secret, while public keys are, well, public. In
this scenario an attacker who obtains the public key, which some JWT libraries and
services expose through an&nbsp;API, can sign a forged token with it under HMAC and the server will accept it. <o:p id="yui_3_16_0_ym19_1_1465330961704_17168"></o:p></span></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17169"><b id="yui_3_16_0_ym19_1_1465330961704_17170"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17171">[SM-D01-R10] </span></b><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17172">To
address the issue, verify that tokens whose header declares an algorithm other than
the expected one are rejected, preferably by whitelisting the single expected
algorithm rather than blacklisting known-bad ones. The server already knows which
algorithm it uses to sign tokens, and the verification call should be told that
algorithm explicitly; it is not safe to
allow attackers to provide this value. <o:p id="yui_3_16_0_ym19_1_1465330961704_17173"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17174"><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17175">A&nbsp;separate&nbsp;issue, since fixed in many
JWT libraries, let attackers choose how tokens are verified. It is rooted in the way
some libraries handled the algorithm value “none”, which the specification defines
as an unsecured token with an empty signature. Tokens with “none” in the header
were accepted as valid, signed tokens. An attacker could take a token, change its
algorithm from HMAC-SHA256 (HS256) to “none”, strip the signature, and the token
would still appear “signed.” The attacker could then attach any payload of their choosing to gain
arbitrary account access on some systems. <o:p id="yui_3_16_0_ym19_1_1465330961704_17176"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17177"><b id="yui_3_16_0_ym19_1_1465330961704_17178"><span style="font-family:&quot;Helvetica&quot;,sans-serif;color:#191919" id="yui_3_16_0_ym19_1_1465330961704_17179">[SM-D01-R11] </span></b><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17180">Fix the
“none”&nbsp;issue by ensuring that token verification rejects any token that
uses&nbsp;the “none”&nbsp;algorithm, and address the attacker-controlled algorithm
in the same way, by pinning the expected algorithm on the server side. JWT
libraries exist for many languages, .NET, Node.js, Python, PHP, Java and Ruby, to
name a few, and many remain vulnerable.<o:p id="yui_3_16_0_ym19_1_1465330961704_17181"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17182"><u id="yui_3_16_0_ym19_1_1465330961704_17183"><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17184">List of non-vulnerable libraries (partial)</span></u><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17185">: The
issue is fixed in the Node.js library and users should upgrade to 4.2.2, the
latest version. Jose Padilla, who maintains the Python version of the library,
fixed the signature verification vulnerability in version 1.0.0 last month by
adding support for an alg&nbsp;whitelist. The most recent version, 1.0.1, also
includes the fix. <o:p id="yui_3_16_0_ym19_1_1465330961704_17186"></o:p></span></div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17187"><u id="yui_3_16_0_ym19_1_1465330961704_17188"><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17189">List of vulnerable libraries (partial)</span></u><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17190">: The&nbsp;PHP
or JavaScript versions of the libraries remain vulnerable. Auth0 is advising
those who run those versions in particular to switch to a non-vulnerable library
until the fixes are released and verified. The Ruby version
of the library is still vulnerable as well. <o:p id="yui_3_16_0_ym19_1_1465330961704_17191"></o:p></span></div><div style="margin: 0in 0in 12pt 0.5in; text-indent: -0.25in; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17192"><!--[if !supportLists]--><span style="font-family: Wingdings;" id="yui_3_16_0_ym19_1_1465330961704_17193">ð<span style="font-stretch: normal; font-size: 7pt; font-family: 'Times New Roman';" id="yui_3_16_0_ym19_1_1465330961704_17194">&nbsp;
</span></span><!--[endif]--><span style="font-family: Helvetica, sans-serif; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1465330961704_17195">A change to the specification, deprecating the
header’s alg field, would ultimately benefit the community. </span><o:p id="yui_3_16_0_ym19_1_1465330961704_17196"></o:p></div><div id="yui_3_16_0_ym19_1_1465330961704_16534">
</div><div style="margin: 0in 0in 12pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1465330961704_17197"><o:p id="yui_3_16_0_ym19_1_1465330961704_17198">&nbsp;</o:p></div><div id="yui_3_16_0_ym19_1_1465330961704_16534"><span>Best regards,</span></div><div></div><div id="yui_3_16_0_ym19_1_1465330961704_16541">&nbsp;</div><div class="signature" id="yui_3_16_0_ym19_1_1465330961704_16542">Nathalie Coupet&nbsp;</div></div></body></html>