ASSIGNMENT 4 – SECURE PROGRAMMING Abuse Cases
20067817 Danny O’Leary
Contents

  Requirements
  Use Cases
    Normal User
    Moderator
    Administrator
    Use case diagram for a forum
  Threat Cases
    Flood Registration
    Hijack Login
    Spam Posts
    Injection Attacks
    Spread Malicious Software
    Privilege escalation
  Use Case / Threat Case diagram
  Threat Mitigation
    HTTPS
    Captcha
    Screen user input
    Security Service (Cloudflare)
    2 Step Verification
  Use Case / Abuse Case / Threat Mitigation diagram
  References
Requirements

The software system that I chose for this assignment is an online forum. I chose a forum because it brings many different people together in one place, which produces many different scenarios and potential use cases. Forums are usually very comprehensive, with features such as posting, searching, creating an account, logging in and perhaps a karma system. A forum is also a good choice because it has several different types of user (actors). In the forum I picked there are three:

1. Administrator
2. Moderator
3. Normal User

With several types of user there is always potential for more attacks, since an attack might not be aimed directly at the site but rather at an Administrator account.
The requirements that should be in place for a normal user could be:
- Ability to search other users' threads
- Ability to post their own threads
- Ability to search posts
- Ability to post on other people's threads
- Ability to report posts to moderators
The requirements that should be in place for a moderator could be:
- A moderator should have all the features that a regular user has
- In addition, a moderator should be able to view reported posts
- A moderator should be able to remove posts/threads
- A moderator should be able to ban members if they do not obey the forum's rules
The requirements that should be in place for an administrator could be:
- An administrator should have every feature that a moderator has
- An administrator should be able to change features on the forum
- An administrator should be able to block IP addresses from accessing the website, to protect against DDoS attacks
- An administrator should be able to add other security features
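The three role requirements above form a strict hierarchy (each role inherits everything the role below it may do, and an unregistered visitor may only read). The following is an added example, not part of the assignment, of how a forum would enforce that hierarchy on the server so that a request is refused no matter how it was crafted; the permission identifiers such as "post_thread" and "ban_member", the "guest" role for unregistered visitors, and the handler name are assumed names for this illustration.

```python
"""Role-based permission check for the forum's actors.

Added illustration, not part of the assignment. Role names and features
follow the requirements above; the permission identifiers and the
"guest" role for unregistered visitors are assumed for this example.
"""

# Permissions granted directly to each role. Higher roles inherit the
# lower role's set, matching "a moderator has all the features a user
# has" and "an administrator has every feature a moderator has".
ROLE_PERMISSIONS = {
    "guest": {"read_threads"},
    "user": {
        "search_threads", "post_thread", "search_posts",
        "post_reply", "report_post", "private_message",
    },
    "moderator": {"view_reports", "remove_post", "ban_member"},
    "administrator": {"change_features", "block_ip", "add_security_feature"},
}

# Inheritance chain: each role inherits from the one before it.
ROLE_INHERITS = {
    "guest": None,
    "user": "guest",
    "moderator": "user",
    "administrator": "moderator",
}


def permissions_for(role):
    """Return the full permission set for a role, including inherited ones."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role!r}")
    granted = set()
    while role is not None:
        granted |= ROLE_PERMISSIONS[role]
        role = ROLE_INHERITS[role]
    return granted


def is_allowed(role, permission):
    """True if the role may perform the action. Unknown roles get nothing."""
    if role not in ROLE_PERMISSIONS:
        return False
    return permission in permissions_for(role)


def handle_remove_post(session_role, post_id, posts):
    """Server-side enforcement of the moderator-only action.

    The check lives here, not in the user interface, so a regular user
    who sends the request directly is still refused. Returns True when
    the post was removed, False when the caller lacked the permission.
    """
    if not is_allowed(session_role, "remove_post"):
        return False
    posts.pop(post_id, None)
    return True


if __name__ == "__main__":
    for role in ROLE_INHERITS:
        print(role, sorted(permissions_for(role)))
```

The role stored in the server-side session is the only input to the decision; nothing sent by the client (a hidden form field, a cookie value it controls) is consulted, which is what makes the privilege escalation threat case later in this document depend on a genuine flaw rather than on a missing check.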
Use Cases

Normal User

This is where most people on the forum would be, and who the forum would be aimed at. These are the people who would be interacting on the forum. To get started, a user could use the registration page to sign up to the forum and begin posting their own threads or posting on other people's threads. Without registration a normal user would have most features restricted compared with a registered user; the only feature enabled for them on this forum is the ability to read threads. The reason for allowing a non-registered user to read threads is that it may get them interested in signing up. After registering, a user would browse the threads on the forum and would then be able to use the karma system, which indicates how popular a post is (vote up for good threads, down for bad threads), or post on the thread. On any thread a user can also report a post; this is to deal with posts that are not relevant and to prevent spam posts. A user can also private message anyone on the forum if they wish to have a private conversation with someone. An example use case for a normal user would be:

A user making a post
1. User goes onto the website
2. User logs in to the website using their details if they are already signed up
3. When logging in, the information a user should have is both a valid username and a valid password
4. When a user is successfully logged in they are taken to the website's homepage
5. User searches some of the threads on the forum and finds one they are interested in
6. User uses the text box implemented on the forum to reply to the thread
7. User clicks the "post" button, and the post is added to the thread for everyone to see
8. If the user likes the thread they might rate it as good, which adds to the karma of the thread
A user reporting a post
1. User goes onto the forum
2. User uses the login page to enter their details and log in. The information a user needs to provide is both a valid username and a valid password
3. After successfully logging in, the user is taken to the forum's homepage
4. Now the user is able to search through various threads
5. User finds a thread that does not follow the forum's rules
6. User clicks on a button called "report"
7. When the button is clicked, it gives several options for what is being reported, to help out moderators. These may include: low quality post, off topic, spam
8. After selecting which option applies, the user is returned to the website's homepage
Moderator

A moderator is someone on the forum who is capable of keeping control of all the posts on the forum, and who helps out an administrator, but with far fewer features than an administrator has. A moderator may have started off as a regular user and since earned the position of moderator. To assign moderators, the administrator can choose the users they trust or think would be good for the job. This way you have people who already like the forum and are willing to do the work for free. A moderator has all the privileges and features that a regular user has: they can post on other people's threads, post their own threads and talk in private messages to another user. The moderator also has the ability to view all the reports that have been made, and it is their job to deal with these reports accordingly. A moderator also has the power to ban users in certain circumstances, if it is clear that the user deserves to be banned. A moderator may need to work with an Administrator on bans, because otherwise a Moderator has the potential to do a lot of damage to the forum. An example of a typical use case for a moderator would be:

Moderator dealing with reported posts
1. The moderator first visits the forum
2. The moderator uses the login page, with their correct username and password, to log in to the forum
3. The moderator is now taken to the forum's homepage, which appears a little different to them than to a regular user. The moderator can see how many reports have not yet been dealt with, and can click each one to be taken to the report
4. The moderator clicks on one of the reports and looks at the reason it was reported. If the moderator feels this post is breaking the rules of the forum, they can remove the post and, depending on the severity, may also ban the user
5. The moderator removes the post from the thread
6. The moderator can now close the report by clicking a button that says the moderator has dealt with the post
7. The thread can now be viewed as normal, with the exception of the post that broke the rules
A moderator banning a user
1. The moderator first visits the forum
2. The moderator uses the login page, with their correct username and password, to log in to the forum
3. The moderator is now taken to the forum's homepage, which appears a little different to them than to a regular user. The moderator can see how many reports have not yet been dealt with, and can click each one to be taken to the report
4. The moderator then clicks on one of the reports that has not been dealt with yet. They can look at the reason it was reported. In this case it is assumed that the post broke very strict forum rules: the post was trying to spread a virus
5. The moderator removes the post
6. The moderator now bans the user for 2 months. This means that all the user can do is view threads, as if they were not logged in. They lose the ability to post on threads, post threads, report posts or private message another user
Since the moderator feels this is a serious matter, they message an administrator about it. The administrator could then apply an IP address ban if they feel the user is a serious risk and could harm the users of their forum.
Administrator

The administrators are the ones who have all the power on a forum. Every feature on the forum is available to the administrator, and they are also the ones who enable these features on the forum. A lot of the administrator's work is quite like the moderator's: they will be dealing with reported posts, and perhaps problems that users are having, which reach the administrator through the private message system. If something goes wrong with the forum, such as it going offline, it is the administrator's job to find the problem and fix it as quickly as possible. They are also in charge of the way the forum is designed. This could involve the different backgrounds a forum might have, the different categories or even the general layout of everything on the forum. Even though the administrator is in charge of all of this, they will still post threads or posts like a regular user of the forum, but perhaps less often, since they have lots of other work to do behind the scenes such as developing new features. An example of a typical use case for an administrator could be:

An administrator dealing with a private message
1. An administrator visits the forum
2. An administrator uses the login page with the correct credentials for their account, which are a valid username and a valid password
3. The administrator is then taken either to the homepage of the website or to their control panel, which is where they carry out work on the forum. In this case, to the homepage
4. The administrator can then see the number of private messages that they have not read
5. The administrator reads a message from a user who is reporting abuse from another member through the private message system
6. The administrator can then check through the private messages and see whether harassment or abuse took place
7. If there was harassment or abuse in the private messages between the users, the administrator would ban the user for a certain period of time. If it was a permanent ban, the administrator could also block this person's IP address
An administrator adding a new feature to the forum
1. An administrator visits the forum
2. An administrator uses the login page with the correct credentials for their account, which are a valid username and a valid password
3. The administrator is then taken either to the homepage of the website or to their control panel, which is where they carry out work on the forum. In this case, to the homepage
4. In this case the administrator has created a thread to see what new features users would like on the forum
5. The administrator then gets to work on implementing the feature on the forum, trying to make sure there is no way to abuse the feature
6. The administrator could first release it to moderators to see what effect it has on the forum before releasing it to everyone
7. After releasing the new feature, the administrator would be responsible for keeping an eye on how it functions
Use case diagram for a forum

Below is a use case diagram that I developed for a forum, with 3 different actors: User, Moderator and Administrator. It shows each of the features available to the actor, linked to the use cases with arrows.
Threat Cases

Flood Registration

Flood registration is an attack where the attacker attempts to fill up the database with fake users, in an attempt to stop legitimate users from signing up and potentially to render the whole forum inoperable. An example of a flood registration threat case:
1. An attacker designs a program that can automatically create users on the forum extremely fast
2. The attacker then runs the program, creating many users
3. Eventually the fake users fill up the forum's database, and no more people can sign up
Hijack Login

When a forum operates over the HTTP protocol, it is at risk of having its users' logins hijacked. This happens because the forum needs some way of identifying a user, so a session is created for each specific user. This is where hijacking logins becomes possible: if an attacker can somehow steal the session information, they will have access to all of the user's information (Owasp.org, 2016). An example of a hijack login threat case:
1. An attacker runs a packet sniffer on the login page of the website. This is a custom tool developed by the attacker which is able to pick out session information
2. An unsuspecting user attempts to log in to the website
3. Using the packet sniffer, the attacker is able to spot the session information of the unsuspecting user and use it to find out their username and password
4. From here the attacker can change the account details, and the user no longer has access to their account
Spam Posts

Spam posts are unwanted posts made on the forum which may be advertising something, may link to malicious websites or may simply make no sense. Spam posts are made in huge quantities and aim to fill up the forum so that as many people as possible see the message in the thread. An example of a spam post threat case:
1. An attacker develops a program that is able to make threads on the forum extremely quickly. The program is given a message and then used to make huge numbers of the same post throughout the forum
2. The attacker registers an account on the forum
3. The attacker logs in to the forum with the account they just registered
4. At this point everything on the forum looks normal to the attacker, as it would to any user
5. The attacker is being paid to advertise a rival forum, and so starts the program on the forum with a message advertising the other forum
6. A normal user tries to view the newest threads on the forum, and all they can see are many copies of the same thread advertising the other forum
Injection Attacks

Injection attacks are when an attacker enters information into the forum through some form of input, such as the text box for posts, where the information causes something to execute or otherwise exploits the text box in a way it should not allow. There are many different types of injection attack, and cross-site scripting is included under this heading as well. Injection attacks are among the most common attacks used today and can cause serious issues on websites. An example of an injection attack threat case:
1. An attacker registers an account on the forum
2. The attacker logs in to the account they created
3. The attacker knows about an injection vulnerability in the post box of the forum. This vulnerability is an SQL injection which, when carried out, returns the contents of the database
4. The attacker enters the malicious input into the text box
5. The attacker obtains all the information from the database, including every user's login details
Spread Malicious Software

In this attack an attacker tries to get people to download their malicious software. This could take many forms: viruses, Trojans and so on. The attacker has a few different ways of spreading malicious software on the forum. These include making posts about it, making threads about it, and sending private messages to other users. An example of a spreading malicious software threat case:
1. An attacker registers an account on the forum
2. The attacker logs in to the account they created
3. The attacker posts a thread with the malicious software as a download link
4. Unsuspecting people download the malicious software
Privilege escalation

Privilege escalation is where an attacker attempts to gain privileges on the forum that they are not entitled to. This type of attack can be extremely dangerous to a forum because of the potential damage an attacker could do. An example of a privilege escalation threat case:
1. An attacker has found an exploit in the forum that lets them escalate their privileges to administrator
2. The attacker first registers a new account
3. The attacker then logs in to this account
4. The attacker now carries out the exploit
5. The attacker now has administrator access and can do whatever they want to the forum
Use Case / Threat Case diagram
Threat Mitigation

HTTPS

The HTTPS protocol, rather than the HTTP protocol, should be used whenever a user has to enter any account details. In this case that would be on the login page of the forum. HTTPS is much more secure than HTTP because it works with SSL (Secure Sockets Layer, now superseded by TLS). When HTTPS sends traffic from one party to another, SSL is used to encrypt the traffic, which prevents anyone intercepting it from seeing what is actually being sent. In the example threat case where an attacker used a packet sniffer to pick out a user's session information, this would only be possible over HTTP. If the forum implemented HTTPS then the user's session would be encrypted, and it would be much harder for an attacker to work out the session information (Dotson, 2016).
Captcha

A captcha is a system implemented on a website to prevent bots from carrying out certain activities on the website. It does this by getting a user to type in 2 words that are easy enough for humans to read but, since computers are bad at image processing, hard for a program to read. An example of a captcha:

(www.captcha.net)

On this particular forum, captchas can be used for two different purposes. The first is the threat of an attacker flooding registration by creating users with a program. A captcha system would prevent this by making users who register for the site fill out a captcha when they register. An alternative, if you did not want every new user to fill out a captcha, would be to require one only once more than one account has been created from the same IP address. The other use for a captcha would be to prevent spam: if a user posts again immediately after a previous post, they would have to fill out a captcha. This helps to prevent spam because a bot would have to solve the captcha in order to spam the forum quickly.
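Both captcha triggers described above, and the flood registration threat case they answer, come down to the same server-side decision: count recent events per IP address or per account and demand a captcha once a threshold is crossed. The following is an added example of that decision logic, not code from the assignment; the thresholds (one free account per IP per day, a 30-second minimum between posts) and the event log it is run over are constructed for the illustration.

```python
"""Deciding when to demand a CAPTCHA.

Two triggers from the text: a second registration from the same IP
address, and a post made too soon after the previous one. Added
illustration, not part of the assignment; thresholds and the sample
event log are constructed values.
"""
from collections import defaultdict, deque

# Thresholds (assumed values for this example).
REG_WINDOW_SECONDS = 24 * 3600     # look back one day for registrations
REG_FREE_ACCOUNTS = 1              # first account per IP needs no CAPTCHA
POST_MIN_INTERVAL_SECONDS = 30     # posting again sooner than this triggers one


class CaptchaPolicy:
    def __init__(self):
        self._regs_by_ip = defaultdict(deque)   # ip -> registration timestamps
        self._last_post_by_user = {}            # username -> last post timestamp

    def registration_needs_captcha(self, ip, now):
        """True when this IP already created an account inside the window."""
        q = self._regs_by_ip[ip]
        while q and now - q[0] > REG_WINDOW_SECONDS:   # drop expired entries
            q.popleft()
        return len(q) >= REG_FREE_ACCOUNTS

    def record_registration(self, ip, now):
        # Every attempt counts, solved CAPTCHA or not, so a flood keeps
        # hitting the challenge rather than resetting it.
        self._regs_by_ip[ip].append(now)

    def post_needs_captcha(self, username, now):
        """True when the account posted less than the minimum interval ago."""
        last = self._last_post_by_user.get(username)
        return last is not None and now - last < POST_MIN_INTERVAL_SECONDS

    def record_post(self, username, now):
        self._last_post_by_user[username] = now


def replay(events):
    """Run (timestamp, kind, actor) events through the policy and return
    the events that would have required a CAPTCHA."""
    policy = CaptchaPolicy()
    flagged = []
    for ts, kind, actor in events:
        if kind == "register":
            if policy.registration_needs_captcha(actor, ts):
                flagged.append((ts, kind, actor))
            policy.record_registration(actor, ts)
        elif kind == "post":
            if policy.post_needs_captcha(actor, ts):
                flagged.append((ts, kind, actor))
            policy.record_post(actor, ts)
    return flagged


# Constructed sample: a registration flood from one address and a burst
# of posts from one account, mixed with ordinary activity.
SAMPLE_EVENTS = [
    (0,   "register", "203.0.113.7"),
    (2,   "register", "203.0.113.7"),
    (4,   "register", "203.0.113.7"),
    (10,  "register", "198.51.100.20"),
    (100, "post", "alice"),
    (105, "post", "alice"),
    (500, "post", "alice"),
    (501, "post", "bob"),
]

if __name__ == "__main__":
    for event in replay(SAMPLE_EVENTS):
        print("CAPTCHA required:", event)
```

The per-IP deque keeps only the last day of registrations, so a household that legitimately creates a second account next week is not challenged, while a script creating accounts every two seconds is challenged from its second attempt onward. In a real deployment the counters would live in a shared store rather than in-process memory, since the forum usually runs on more than one server.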
Screen user input

Screening a user's input makes sure that no potentially harmful code is executed when a user enters information on a website. This can be done in a number of ways, and one of the most popular is the use of regular expressions to allow information only in a specific format, e.g. a date of birth field would have to be filled out as DD/MM/YYYY. Alongside this, there are different ways to stop scripts being executed, such as filtering out <script> tags. In the SQL injection example above, with screening of user input the malicious request would never even query the database, because of the way the user input is handled. This is one of the major issues in security, and time should be spent getting it right, as these are some of the most widely abused vulnerabilities. In the case of this forum, screening user input would have to take place in a number of different sections of the forum. These include:

1. Registration page
2. Login page
3. Posting a thread
4. Posting a reply
5. Sending a private message
6. Searching for a thread
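The three screening techniques named above, format checking with a regular expression, keeping user text out of the SQL statement, and neutralising <script> tags, are shown together in the following added example, which is not code from the assignment. It goes slightly beyond the text in one respect: rather than filtering <script> tags out of the post, it escapes the whole post on output, which covers every tag rather than one. The users table, the search function and the sample inputs are constructed for the illustration.

```python
"""Screening user input at the forum's boundaries.

Added illustration, not the assignment's own code. Shows (1) an
allow-list regular expression for the DD/MM/YYYY example, (2) the SQL
injection defect beside its parameterised fix, and (3) output escaping
for posts. Table layout and sample data are constructed.
"""
import datetime
import html
import re
import sqlite3

# Allow-list pattern for the DD/MM/YYYY example. It is a shape check
# only; the calendar check (30 days in April, leap years) follows.
DOB_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")


def valid_dob(text):
    """True only for a well-formed DD/MM/YYYY date that actually exists."""
    m = DOB_RE.match(text)
    if not m:
        return False
    day, month, year = (int(g) for g in m.groups())
    try:
        datetime.date(year, month, day)
    except ValueError:
        return False
    return True


def make_db():
    """Constructed in-memory users table standing in for the forum's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def search_users_unsafe(conn, term):
    """The defect: the search term is pasted into the SQL text, so a term
    containing a quote changes the meaning of the query."""
    sql = f"SELECT username FROM users WHERE username = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_users_safe(conn, term):
    """The fix: a parameterised query. The driver passes the term as data,
    so whatever characters it contains, it is compared, never executed."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (term,))
    return [row[0] for row in rows]


def render_post(body):
    """Escape on output instead of trying to strip <script> tags: the
    browser then displays the characters and runs nothing."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"       # classic test input for a quoting bug
    print("unsafe:", search_users_unsafe(db, probe))   # leaks every username
    print("safe:  ", search_users_safe(db, probe))     # matches nobody
    print(render_post("<script>alert(1)</script>"))
```

The same probe string returns every row from the unsafe function and nothing from the safe one, which is exactly the difference between the injection threat case and a screened forum. Validation (the date check) rejects bad shapes early, parameterisation removes the SQL problem regardless of shape, and escaping handles the display problem; none of the three substitutes for the others.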
Security Service (Cloudflare)

This means getting an external service to help protect the website from attacks, and it can be used against many different types of attack. On this forum it could be used to prevent a lot of the attacks, such as spam and registration flooding, but in this case it is set up only to deal with the spreading of malicious software. This is done by detecting links to websites that have previously been used to spread malicious software on other sites. The system would help to prevent the spread of well-known malicious software, but less well-known malware would still depend on user reports. This kind of service also has the potential to slow down how fast the site operates.
2 Step Verification

2 step verification is used to add additional security to an account. Rather than requiring just a password to log in, an additional step is required. Much of the time this step is to send a code to the user's phone and have them enter it. This helps greatly in keeping an account secure. On our forum, 2 step verification can be implemented to prevent potential privilege escalation. It could be the default whenever a moderator or an administrator logs in, so that they always have to carry out 2 step verification; another possible approach is that 2 step verification is required only when an unknown IP address tries to log in as a moderator or an administrator (Google.com, 2016).
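The code a user types in the second step is usually a time-based one-time password (TOTP, RFC 6238), whether it arrives by app or by text message. The following is an added example, not code from the assignment, of verifying such a code on the server and of the two policies just described (always for privileged roles, or only from an unknown IP address). The shared secret used is the published RFC 6238 test key; the role names come from the document, and the IP address lists are constructed.

```python
"""Second-factor check for privileged logins.

Added illustration, not the assignment's code. Implements TOTP (RFC 6238,
HMAC-SHA1 over a 30-second counter) and the two policies from the text:
always challenge moderators/administrators, or challenge them only from
an IP address not seen before. The secret below is the RFC test key.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
PRIVILEGED_ROLES = {"moderator", "administrator"}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically
    truncated to 31 bits, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret, code, unix_time=None, digits=6, window=1):
    """Accept the current step and `window` steps either side, to tolerate
    clock drift between the server and the user's device. The comparison
    is constant-time so response timing leaks nothing about the code."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def second_factor_required(role, ip, known_ips, always_for_privileged=True):
    """Policy from the text. Ordinary users are never challenged here;
    privileged roles are challenged always, or only from an unknown IP."""
    if role not in PRIVILEGED_ROLES:
        return False
    if always_for_privileged:
        return True
    return ip not in known_ips


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
    print("admin from new IP needs 2nd factor:",
          second_factor_required("administrator", "203.0.113.9",
                                 {"198.51.100.1"}, always_for_privileged=False))
```

The secret must be generated randomly per account and stored server-side; the RFC key appears here only so the output can be checked against the published test vectors. Because the forum's privilege model is enforced by role, requiring the second factor for exactly the two privileged roles closes the easiest route to an administrator account, a stolen or guessed password, without burdening ordinary users.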
Use Case / Abuse Case / Threat Mitigation diagram
References

Owasp.org. (2016). Session hijacking attack - OWASP. [online] Available at: https://www.owasp.org/index.php/Session_hijacking_attack [Accessed 28 Apr. 2016].

Dotson, J. (2016). HTTP vs. HTTPS: What's the Difference? [online] BizTech. Available at: http://www.biztechmagazine.com/article/2007/07/http-vs-https [Accessed 28 Apr. 2016].

Google.com. (2016). Google 2-Step Verification. [online] Available at: https://www.google.com/landing/2step/#tab=how-it-works [Accessed 28 Apr. 2016].
Also used were lecture slides on Moodle and example assignment on Moodle.