Web browsers become tools for criminals
According to security expert Jeremiah Grossman, the days of intricate attacks on web servers using special tools are numbered. Instead, he says, criminals can use the web browser as an all-round weapon for making money. According to Grossman, this becomes possible because business logic flaws in web applications are widespread, such as missing authentication or unprotected access to information. A prime example of such a flaw was a vulnerability in the open source osCommerce and xt:commerce shop systems discovered last February, which allowed the payment step to be skipped simply by calling a URL while still generating a valid order.
Grossman says that instead of elaborate cross-site scripting attacks on users and SQL injection attacks on web server databases, criminals now only need a little background knowledge to obtain money or goods. This is not a new type of vulnerability. A variation on the theme has been practised by hackers for years: forced browsing, which involves using the browser to call pages or resources that are not linked from anywhere on the site. Google's index in particular often reveals information the web server operator never intended to make public.
Since many service providers now offer their services via the internet, Grossman says that it is now much easier to find vulnerable applications. According to his report the procedure isn't even necessarily illegal, and in many cases the attacker only violates the provider's terms and conditions.
It is relatively difficult to safeguard systems against this type of attack as attacks don't follow a set pattern the way SQL injections do. Normal Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) therefore struggle to detect and safeguard systems against them. Criminals are already said to exploit the vulnerabilities on a large scale.
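As an added illustration of the payment-skip flaw described above, and of why the fix is a server-side state check rather than a WAF signature, here is a constructed checkout model (not code from the article, nor from osCommerce or xt:commerce). The vulnerable confirmation step trusts the request sequence; the hardened one refuses to confirm an order unless the payment handler has recorded a captured amount matching the order total.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: a minimal order record. payment_captured is written only
# by the server-side payment handler, never from request parameters.
@dataclass
class Order:
    order_id: str
    total: float
    payment_captured: Optional[float] = None
    status: str = "cart"


class VulnerableCheckout:
    """'Before' pattern: /confirm can be called directly, skipping /pay."""

    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}

    def create(self, order_id: str, total: float) -> None:
        self.orders[order_id] = Order(order_id, total)

    def record_payment(self, order_id: str, amount: float) -> None:
        # Only the payment handler (e.g. a gateway callback) calls this.
        self.orders[order_id].payment_captured = amount

    def confirm(self, order_id: str) -> str:
        # Defect: the order becomes valid without any check that payment happened.
        order = self.orders[order_id]
        order.status = "confirmed"
        return order.status


class HardenedCheckout(VulnerableCheckout):
    """Same endpoints; confirmation enforces the state machine server-side."""

    def confirm(self, order_id: str) -> str:
        order = self.orders[order_id]
        # Require a captured payment equal to the total, regardless of how the
        # request arrived: a forced-browsing call to /confirm fails here.
        if order.payment_captured is None or order.payment_captured < order.total:
            raise PermissionError(f"order {order_id}: payment not captured")
        order.status = "confirmed"
        return order.status


def attempt_checkout(checkout_cls, pay_first: bool) -> str:
    """Run a checkout; returns the final status or 'rejected' when the check trips."""
    co = checkout_cls()
    co.create("o1", 49.90)
    if pay_first:
        co.record_payment("o1", 49.90)
    try:
        return co.confirm("o1")
    except PermissionError:
        return "rejected"
```

The two requests in the skip case look identical to a WAF in both versions; only the server's knowledge of the payment state distinguishes a legitimate confirmation from a skipped one.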
At the upcoming Black Hat conference in Las Vegas, Grossman plans to present details of the attacks, including certain affiliate networks which rake in large amounts of cash via fraudulent user credentials. Grossman also intends to present the case of a bank which lost $70,000 because of a business logic flaw.
See also:
- Testing for business logic, information from the Open Web Application Security Project (OWASP)
- Seven Business Logic Flaws That Put Your Website At Risk (PDF), a paper by Jeremiah Grossman
(trk)