Saturday, 28 October 2017

Security design review -- Design flaw in Business Logic invocation technique

In the name of Allah the beneficient the most merciful.

Folks today i would like to talk  about "security design review and the design flaw in business logic invocation technique " which i acquired the little bit knowledge from OWASP code review guide.

Most of the developers give attention to secure coding and its best practices , but many of them forget about design level flaws in application and also such flaws are hard to find in static or dynamic application scanning tools. We need to understand the application architecture and layout in deep to uncover the flaws manually.

So, why design review is needed?
Security review at design level can uncover many inherent backdoors in the application.

Business Logic Invocation Technique:

Consider the design below , which identifies the business logic based on the configuration file(config.xml) in which the url is mapped to its respective business logic class (action class).



In the above design first the users input (url ) is checked in config.xml file and then the respective url is mapped with its action class in which the execute method is called .

Now let us look at a sample config.xml file from the owasp guide.













                  

In the above configuration file you can see that there are three classes (AdduserDetails, Changepassword and Testaction) mapped with their respective urls.
At the first glance you might think that the Testaction class is used by developer to test wheather the application is working correctly or not just for testing purpose but when you see inside the Testaction class (see below)





                                         

There is a backdoor in the execute() method of TestAction class which deletes the user record given his username.
Here there might be two chances why this backdoor exists
1) Malicious developer inside the organization deliberately kept the Testaction in configuration file
2) Developer might forgot to remove the Testaction from configuration file before deployment to production.

In both the cases above if design level security review is done then we can eliminate such backdoors.

So, the recommendation for avoiding such backdoors is to look for all redundant/test/unexposed business logic configurations from config.xml file.

Thats all for today.

Hope you enjoy reading it.



Reference:
OWASP code review guide
https://www.owasp.org/images/f/fa/Code_Review_Guide_Pre-AlphaV2_(1).pdf