Owasp m7-m8-shivang nullmeetblr 21june2015
1 like•887 views
Shivang Desai presented on OWASP Mobile Top 10 risks M7 (Client Side Injection) and M8 (Security Decisions via Untrusted Inputs). He defined the risks, showed examples like SQL injection, XSS, and URL scheme hijacking. The impacts include consuming paid resources, data exfiltration, and privilege escalation. Prevention methods include sanitizing untrusted data, prepared statements, input validation, and checking caller permissions.
![Who am I ?
● Shivang Desai (@5h1vang)
● Researcher at Zscaler Inc.
● Open Source enthusiast
● Small efforts to contribute :
– THC-Hydra [Release 7.6] (Kali Linux)
– OWASP Mobile
– Referenced in “The Mobile Application Hacker's Handbook”
– https://github.com/shivang1989](https://image.slidesharecdn.com/owasp-m7-m8-shivang-draft-150622072246-lva1-app6891/85/Owasp-m7-m8-shivang-nullmeetblr-21june2015-2-320.jpg)
Owasp m7-m8-shivang nullmeetblr 21june2015
- 1. OWASP Mobile Top 10 (M7 & M8) M7 – Client Side Injection. M8 – Security Decisions via Untrusted Inputs. By : Shivang Desai
- 2. Who am I ? ● Shivang Desai (@5h1vang) ● Researcher at Zscaler Inc. ● Open Source enthusiast ● Small efforts to contribute : – THC-Hydra [Release 7.6] (Kali Linux) – OWASP Mobile – Referenced in “The Mobile Application Hacker's Handbook” – https://github.com/shivang1989
- 3. Next 30 min... ● Understanding client-side injection ● Understanding Security Decisions via untrusted Inputs ● What's their impact ? ● Prevention tips !
- 4. Understanding M7 Client Side Injection • next image of client and server • Then, mobile app and OS and backend • Hybrid vs native apps • Hybrid == client-server • Native == second image (mobiel-OS-backend)
- 5. Understanding M7 Client Side Injection ● The name says it all : “Client-Side” ● Myth : Client-Side Injection == SQL injection ● Few types of client side injections : – Sql Injection – Cross Site Scripting – Local File Injection – XML Injection – Binary Code Injection
- 6. Demo .. ! ?? A quick demo : – Sql injection (optional) – XSS (Box App) – Binary Code Injection (adb backup vuln)
- 7. Impacts ! ● Consuming Paid Resources ● Data Exfiltration ● Privilege Escalation
- 8. Prevention ! ● ALWAYS consider input data as malicious. ● Sanitize and/or Escape untrusted data. ● Use Prepared Statements. (SQL injection) ● Minimize the sensitive native capabilities tied to hybrid web functionality. (As seen in WebView vuln just now) ● Input Validation (Local File Inclusion): – Input validation for NSFileManager calls. – Disable File System Access for any WebView (webview.getSettings().setAllowFileAccess(false);)
- 9. Understanding M8 Security Decisions via Untrusted Inputs. ● Decisions based on weak parameters like cookies, hidden form fields, Intents, URL schemes etc. ● Client Side Injection is one of the attack vector, along with Malicious apps ● Main causes: – Developer thinks values (cookies, environment variables, and hidden form fields) cannot be modified – Developer thinks client cannot manipulate and update application code – Lack of proper encryption and/or encoding during client-server interaction
- 10. Abusing iOS : URL Scheme ● URL Scheme is basically URL Protocol Handler ● Used mainly by browser to call internal apps (Eg: Safari calling dialer app) – <iframe src="tel:1-408-555-5555"></iframe> Problem ?????
- 11. Abusing URL Scheme (iOS) What's the problem ? ● Consider victim had opened skype in past and device has cached the credentials. ● Attacker embeds iframe in his/her site – <iframe src="skype://14085555555?call"></iframe> ● User visits the malicious site ● And boom...! ● Masque attack used URL scheme hijacking
- 12. Abusing Android : Intents What is Intent ? ● Intents acts as mechanism used: – to start an Activity – as a broadcast to inform interested programs – as a way to communicate with background services – to access data through ContentProviders – as a callback to handle events like returning results or errors asynchronously
- 13. Abusing Android : Intents Types of Intent Vulnerbilities ● Two types of Intent Vulnerabilities (1) Intent interception ● Intercept the generated intents (Broadcast events) (2) Intent Spoofing ● Generate a spoofed intent and target the victim
- 14. Abusing Android : Intents (PayPal Case Study) ● Android SDK comes along with a small tool called “am” ● Paypal Target Activity : SendMoneyActivity – am start -a android.intent.action.SENDTO -d mailto:[email protected] --es com.paypal.android.p2pmobile.Amount 9.99 --ei com.paypal.android.p2pmobile.ParamType 42 -n com.paypal.android.p2pmobile/.activity.SendMoneyActivity
- 15. Effects of M8! ● Device Compromise ● Toll Frauds ● Privilege Escalation
- 16. Prevention ! ● Check caller’s permissions at input boundaries ● Prompt the user for additional authorization before allowing ● Where permission checks cannot be performed, ensure additional steps required to launch sensitive actions
- 17. References ● https://cwe.mitre.org/data/definitions/807.html ● http://secappdev.org/handouts/2012/Ken%20van%20Wyk/1-3%20Android%20applic ations.pdf ● http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-app les-ios/ ● https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html ● http://blog.palominolabs.com/2013/05/13/android-security/ ● http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks?next_slideshow =1 ● https://www.owasp.org/index.php/Mobile_Top_10_2014-M7 ● https://www.owasp.org/index.php/Mobile_Top_10_2014-M8