Software has seen a radical shift away from standalone applications toward distributed architectures built on external services.
Some of the risks this brings were expertly explained at the RSA conference by Johannes Ullrich and Jason Lam in their presentation Attack & Defend: Protecting Modern Distributed Applications and Components. The presentation showed how a sophisticated attacker could exploit weaknesses in the distributed architecture of an application, and how such an attack could be defended against. What made it so captivating is that each presenter took on a role: Jason Lam played the attacker, who explained his attack path, and the other played the defender, who explained his defense strategy. This unique presentation style gave fantastic insight into the mind of both an attacker and a defender, or a red team and a blue team if you will.
Secrets inside a secret
During the presentation they explained how an attacker could manipulate an authentication token to use it for malicious purposes. Their example was a bearer token, the modern-day version of a session ID cookie and regularly used in modern development to authenticate a user. What was particularly interesting in this example is that the attacker used his own credential. It wasn't a credential that was leaked or stolen; it was generated through the correct authentication process and then read using the commonly available development tools built into a web browser. It wasn't the token itself that provided access to the services, it was the information they could extract from the token.
In one example Jason used this token with some curl commands to bypass an API gateway and communicate directly with the backend. This let them bypass many of the controls the gateway established and gain access to protected information. In another example they used the tool jwt.io to show all the information that can be extracted from the bearer token. In its native state the bearer token looks like unreadable ciphertext, but buried inside is readable information. Using jwt.io they extracted enough from the bearer token to identify the different services that used it, which allowed them to map out what Jason called the juicy targets. The targets in their example were not designed to be accessed by the user through the interface, but because the attackers knew from the bearer token that the services existed, they were able to interact with them.
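For reviewing what your own tokens disclose to whoever holds them, here is an added example (not code from the talk or from jwt.io) that decodes a JWT locally without verifying it and flags claims that reveal services behind the gateway. The sample token, the hostnames and the "internal-looking" heuristics are constructed assumptions; `aud`, `iss`, `sub` and `scope` are standard claim names.

```python
import base64
import json
import re

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str):
    """Return (header, claims) without checking the signature: what any token holder can read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header, claims = (json.loads(_b64url_decode(p)) for p in parts[:2])
    return header, claims

# Heuristic (an assumption for this example): values that look like internal hosts.
INTERNAL_HINT = re.compile(r"(\.internal\b|\.local\b|\.svc\b|\b10\.\d+\.\d+\.\d+\b)", re.I)

def audit_claims(claims: dict) -> list:
    """List (claim, reason) pairs for claims that describe services behind the gateway."""
    findings = []
    aud = claims.get("aud")
    if isinstance(aud, list) and len(aud) > 1:
        findings.append(("aud", f"token is valid for {len(aud)} audiences: {aud}"))
    for name, value in claims.items():
        for v in (value if isinstance(value, list) else [value]):
            if isinstance(v, str) and INTERNAL_HINT.search(v):
                findings.append((name, f"value exposes a service location: {v}"))
    return findings

def _encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (not from the talk); the signature is a dummy value.
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "RS256", "typ": "JWT"}),
    _encode({"sub": "user-1001", "iss": "https://auth.example.com",
             "aud": ["web-frontend", "billing-api.internal.example.com"],
             "scope": "profile:read"}),
    "ZHVtbXktc2lnbmF0dXJl",
])

if __name__ == "__main__":
    for claim, reason in audit_claims(decode_jwt_unverified(SAMPLE_TOKEN)[1]):
        print(f"{claim}: {reason}")
```

Every finding is information the end user can read in the browser, so each backend it names should validate the token's signature and audience itself rather than rely on the gateway being the only way in.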
Of course these attacks were then reviewed by Johannes, who explained what his defense strategy would be, but rather than repeat the talk I suggest you check out the presentation itself.
The most fascinating takeaway from this presentation was, again, that this was not a credential that had been leaked, stolen or compromised. It was the attacker's own authentication token, granted through the regular authentication process. Jason was then able to use and manipulate the credential, in this case a bearer token, to uncover more information and stretch the credential to grant them higher-level access.
I will be providing more updates on my favorite presentations from the RSA conference so be sure to subscribe to the blog for more updates.