A Note on Vendor Application Security

No need for tinfoil hats when it comes to application security; we’re all too painfully aware of what can happen. From data breaches to destructive attacks, the potential impacts couldn’t be clearer.

Web applications in particular are interesting because of their exposed position — it’s not uncommon for sensitive web applications to be secured “only” by their application logic.

This means that a logical flaw in one of the functions, be it the login function, authorisation function, or access control function, could have a devastating impact.

Application Security Audits

Penetration testing is a common method to assess the “security” of an application or system, as it entails trying to break in or perform unwanted actions. The result is that the application owner, be it the developer or whoever bought the software, gains a better understanding of what flaws are present.

The final report will, almost always, include recommendations on how to fix the underlying problem, or otherwise lessen the risk level.

Verify According to Your Needs

The proverb “trust, but verify” (or perhaps “never trust, always verify”) applies to application security because of two unfortunate reasons:

  • It is easy to save effort on not doing “proper” security testing; and
  • The product might be secure, but your deployment and install might not.

I put “proper” in quotation marks because what is a reasonable level of security for one organisation may not be acceptable for another. The depth of analysis and testing is tied to the level of verification required.

Unfortunately, this might mean that the risk appetite and security level of the vendor does not match that of your organisation. It doesn’t mean that the vendor didn’t do an okay job of securing their product, but the extent to which they did may not be sufficient for you.

Always verify according to your needs.

OWASP Top 10 2013 – A10 – Unvalidated Redirects and Forwards

> How did I end up here?

Whenever a user is sent to some unexpected (and perhaps malicious) third-party site, an Unvalidated Redirection is said to have occurred, though it is also known by quite a few other names: unvalidated redirect, open redirection, unvalidated forward, and so on.


PC Gaming in 2018

New Year’s Eve is just around the corner, so why not summarise the gaming that happened in 2018 :)!

In total I acquired about 50 games, of which I’ve played 15. Once again Humble Bundle is responsible for the sheer numbers, with F2P games (~10) coming in second. Most games have been launched at least, though I’m not counting them as “played”. A prime example of that is Quake 4. I thought I’d play it, but really, there are better games nowadays. Feels good to have it on Steam, though.


Setting up Web Application Pentesting Tools

This post will walk you through how to set up the basics needed to do web app pentesting. More specifically, we’ll be setting up a web browser for pointing and clicking and an attack proxy for hackety hacking – all while covering the configuration needed.

F-Secure Radar Login Page Unvalidated Redirect Vulnerability

CVE-2018-6324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6324

Summary

After a successful login, the application redirects the user to a user-controlled destination. A victim may not recognise that a redirection has taken place, as they expect to be sent to a new page anyway.

Vendor Description

F-Secure Radar is a turnkey vulnerability scanning and management platform. It allows you to identify and manage both internal and external threats, report risks, and be compliant with current and future regulations (such as PCI and GDPR compliance). It gives you visibility into shadow IT – to map your full attack surface and respond to critical vulnerabilities associated with cyber threats.
Source: https://www.f-secure.com/en/web/business_global/radar

Remediation

F-Secure has remediated this issue; no action required for cloud users or on-premise users receiving updates.

Technical Details

Navigating to the Radar application at https://portal.radar.f-secure.com/ will result in the user being sent to https://portal.radar.f-secure.com/login?ReturnUrl=~2Fdashboard.

Upon successful authentication, the value of the ReturnUrl query parameter is used to determine the redirect destination. It can be set to an arbitrary domain because the value is neither validated nor forced to be a relative path.

The following URL would redirect the user to example.com after logging in:
https://portal.radar.f-secure.com/login?ReturnUrl=~2F~2Fexample.com

This could be used to send the user to a phishing site, prompting them to re-authenticate (e.g. “Wrong password or username, please try again”).
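As an added example (not code from this advisory or from F-Secure), here is the check the advisory says was missing: a Python validator that forces a ReturnUrl-style parameter to a same-origin relative path, rejecting absolute URLs, the protocol-relative //example.com form shown above, and backslash and percent-encoded variants of it. It also illustrates the A10 class described in the OWASP excerpt above. It assumes the parameter arrives standard percent-encoded; the ~2F form the Radar application uses would have to be translated to a slash before the check.

```python
from urllib.parse import unquote, urlsplit


def is_safe_return_url(value: str, max_decode_rounds: int = 2) -> bool:
    """Accept only a rooted, same-origin path such as "/dashboard".

    Rejects absolute URLs ("https://example.com/"), protocol-relative URLs
    ("//example.com", "/\\example.com") and percent-encoded variants
    ("%2F%2Fexample.com"), all of which a browser resolves to another origin.
    """
    if not value:
        return False
    # Decode a bounded number of times so "%2F%2F" and double-encoded
    # "%252F%252F" cannot slip past the prefix checks below.
    decoded = value
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Browsers treat "\" like "/" when parsing the authority, so normalise it.
    decoded = decoded.replace("\\", "/")
    # Control characters and whitespace confuse URL parsers; reject outright.
    if any(ord(c) < 0x21 for c in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False  # absolute URL or "//host" form
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False  # must be a single-slash rooted path
    return True


def resolve_return_url(value: str, default: str = "/dashboard") -> str:
    """Return the validated destination, or a fixed default instead of failing open."""
    return value if is_safe_return_url(value) else default
```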

Vulnerability Disclosure Timeline

2018-02-05 – Vulnerability discovered
2018-02-05 – Vendor contact & response
2018-02-09 – Vendor confirms fix
2018-02-15 – Public disclosure

F-Secure Radar Persistent Cross-Site Scripting Vulnerability

CVE-2018-6189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6189

Summary

The application can suggest metadata tags for assets, and in doing so it can execute JavaScript entered previously by a malicious user.

Vendor Description

F-Secure Radar is a turnkey vulnerability scanning and management platform. It allows you to identify and manage both internal and external threats, report risks, and be compliant with current and future regulations (such as PCI and GDPR compliance). It gives you visibility into shadow IT – to map your full attack surface and respond to critical vulnerabilities associated with cyber threats.
Source: https://www.f-secure.com/en/web/business_global/radar

Remediation

F-Secure has remediated this issue; no action required for cloud users or on-premise users receiving updates.

Technical Details

The frontend application issues a PUT request to the server when metadata tags are updated:

PUT /api/latest/vulnerabilityscans/tags/batch HTTP/1.1
Host: portal.radar.f-secure.com
[…]

The Tags parameter in the JSON request body can be modified to contain arbitrary JavaScript, e.g.:

[…], "Tags":["<img src=a onerror=\"alert(1)\">"], […]

This script will execute whenever the frontend attempts to suggest tags, e.g. when a user opts to add tags to a new asset.
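As an added example (not code from this advisory or from F-Secure), the two layers that stop a stored tag from executing: a server-side allowlist for the Tags array of the batch update request, and output encoding when the suggestion list is rendered, so that a tag stored before validation existed is shown as text rather than as markup. The allowlist pattern and the list markup are assumptions for the example, not Radar's actual rules.

```python
import html
import re

# Allowlist for one tag: alphanumeric start, then a bounded run of label
# characters. An ASCII-only assumption for the example; a real application
# may need a wider character set, but never "<", ">" or quotes.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.:\-]{0,63}$")


def validate_tags(tags):
    """Split the incoming Tags array into (accepted, rejected).

    Anything that is not a plain label, such as the <img ... onerror=...>
    payload above, lands in the rejected list and is never stored.
    """
    accepted, rejected = [], []
    for tag in tags:
        if isinstance(tag, str) and TAG_PATTERN.fullmatch(tag.strip()):
            accepted.append(tag.strip())
        else:
            rejected.append(tag)
    return accepted, rejected


def render_tag_suggestions(tags):
    """Build the suggestion list with every tag HTML-escaped.

    This is the second line of defence: even if a tag bypassed validation
    (older records, another write path), the stored markup is rendered as
    text, so the onerror handler never reaches the DOM as an attribute.
    """
    items = "".join(f"<li>{html.escape(tag, quote=True)}</li>" for tag in tags)
    return f'<ul class="tag-suggestions">{items}</ul>'
```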

Vulnerability Disclosure Timeline

2018-01-24 – Vulnerability discovered
2018-01-24 – Vendor contact & response
2018-02-01 – Vendor confirms fix
2018-02-15 – Public disclosure