Business Logic Automatons: Friend or Foe


The presentation

OWASP IL 2008 01 Ofer Shezaf.jpg

While researchers have often pointed out that the real threat to web applications is logic issues rather than syntactic issues, little has been done to actually analyze those threats, classify them and suggest protective means. Our presentation focuses on understanding, classifying and offering ways to mitigate one family of business logic attacks: the automated kind. While syntactic issues such as SQL injection and XSS vulnerabilities are prevalent, they are well understood and therefore readily mitigated. Business logic automation attacks, however, present an entirely different problem: it is often very hard to distinguish abuse from normal use. Furthermore, in many cases the attack may be harmful to the victim but not unlawful, or not even ill-intended by the attacker. A good example is comparative shopping, which started as leeching on e-commerce sites and is now considered a mainstream marketing method. The presentation will cover a long list of attacks including Brute Forcing, Resource Locking, Web Spam, Click Fraud, Queue Jumping, Auction Sniping, Poll Skewing and Leeching. We will show that in many cases the line between good and bad is fine, discuss the pros and cons of existing anti-automation solutions, and present a solution based on ModSecurity that non-intrusively modifies the business flow to mitigate some of these attacks.

The speakers

Ofer Shezaf is an active member of the Web Application Security Community. Ofer has led the OWASP Israeli Chapter for the last 5 years and is a member of the OWASP global chapter committee. Ofer runs, a community web site devoted to Web Application Firewalls and is a major contributor to ModSecurity, an open source web application firewall. Ofer also leads two important industry projects: the Web Application Firewall Evaluation Criteria and the Web Hacking Incidents Database, both under the Web Application Security Consortium's umbrella. Ofer is a frequent speaker at security conferences and has spoken at BlackHat and at many OWASP conferences and chapter meetings. In his day job, Ofer does security product definition at Better Place, a company whose mission is to create the infrastructure enabling widespread use of electric cars. Prior to joining Better Place, Ofer held a senior management position in security research and product management at Breach Security, a leading WAF vendor.

Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences such as RSA, OWASP and INFOSEC, and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc. and Master's degrees in Computer Science from the Technion, Israel Institute of Technology.