Last Updated: 2009-09-16 13:01:30 UTC
by Raul Siles (Version: 1)
Are you applying consistent security controls to all the input vectors of your Web Applications? Attackers are finding these inconsistencies and flaws... and exploiting them!
Robert (Thanks!) sent us a link to a blog post by Ryan Barnett (WASC & OWASP), "Distributed Brute Force Attacks Against Yahoo" . It is an awesome educational example of how important it is to apply consistent security controls to all the input vectors of your Web Applications, and specially, when new functionality is added. Are you applying the same controls to the access through your standard web page, and the access through your brand new Web Services API? The best way of setting up this is through a common security library that implements all your security controls and it is invoked from all the web entry points. If your development team doesn't know how to start implementing this, a good community reference is the OWASP Enterprise Security API (ESAPI) library.
In this incident, the problem lies in the lack of strict controls in the authentication mechanism to Yahoo's infrastructure when the access is performed through the Web Services API. They failed to implement security 101 on the Web Services input, as not only the CAPTCHA control to avoid brute forcing is not available, but the error messages disclose what portion of the credentials is wrong, username or password :( Attackers found it.
Another good example I like to use when teaching Web-App security and pen-testing is the inconsistent XSS filtering MySpace established when their mobile functionality was added back in early 2008. Let's learn from the big web players and avoid the same mistakes in our web environments!
Consistency and thoroughness are key elements to keep the security level of your complex web infrastructure in shape!
Shameless plug: I will be teaching the "Web App Penetration Testing and Ethical Hacking" (SEC542) class in London at the end of November, 2009. Hope to see some of our ISC readers there!