Monday, April 23, 2012

OWASP ZAP SmartCard Project

OWASP ZAP (Zed Attack Proxy) has become THE open-source web application interception proxy and security auditing tool, replacing well known open-source players in this field we have been using all over the last decade, such as Paros, WebScarab, or AndiParos. The tool is under active development nowadays, with new features and fixes added every other month, and with more to come, for example, from GSoC 2012. As a result of this tool progression and consolidation, ZAP was recently awarded the Toolsmith of the Year for 2011.

Some time after Paros was discontinued (v3.2.13 back in August 2006), new fork projects derived from Paros' source code were born. Surprisingly, as this behavior is not common in our industry, Psiinon (author of the original ZAP tool) and Axel (author of AndiParos), left their egos apart :-) and took a really smart decision: They joined forces to develop a single and powerful web application security tool, instead of developing two very similar but less powerful tools. The result is what we know today as OWASP ZAP!

However, inexplicably still today Paros is downloaded more than 2,500 times per week from the project page, while the latest ZAP stable version (1.3.4) has been downloaded only 15,000 times in total during the last 5 months (based on the official open-source platforms statistics). This demonstrates people are used to their routines, and that there is still a lot of work to do to promote and spread the word about the existence of ZAP, its features, and benefits.

ZAP considerably and brightly stays on top of other commercial and open-source web application security tools and web interception proxies when assessing the security of web applications making use of smartcard-based authentication. When a target web application requests client authentication through digital certificates during the SSL/TLS handshake (re)negotiation, ZAP is able to access the local smartcard and authenticate the user as she would do when no interception proxy is in place. ZAP provides support for multiple smartcard types under different operating systems (Windows, Linux, and Mac OS X) thanks to the Java smartcard built-in capabilities and its integration with PKCS#11 hardware modules. The original ZAP smartcard support (from version 1.1.0) was merged by Axel from Andiparos. The current ZAP smartcard support has been greatly simplified through the drivers.xml configuration file. This XML file offers a centralized and extensible architecture to easily add support for new smartcards.

Although other security tools provide support for client digital certificates (x.509 certificates obtained from a file, referred as PKCS#12), we have identified both significant and subtle differences in several target web applications in the way they interact and authenticate the user when using a standard client digital certificate versus a smartcard. Hence, the need to be able to assess how the application behaves when a smartcard is involved.

ZAP smartcard support can be found under the "Tools - Options" menu, within the "Certificate" category, and specifically, on the "PCKS#11" tab:

As a result of my research focused on the security of web applications based on the DNIe, I have been working on and committing code to ZAP to improve the stability and usage of smartcards, using the Spanish national eID (DNIe) as a reference. For example, capabilities to interact with target web applications that still provide support for unsafe SSL/TLS (HTTPS) renegotiation have been added (see my original blog post on this topic from two years ago), as well as minor fixes for several bugs and issues found during the execution of multiple web application penetration tests on DNIe-based environments. One of the key fixes was an improvement to overcome PKCS#11 concurrency access conflicts between ZAP and web browsers (such as Firefox).

Additionally, the Spanish DNIe implements brute-force protection capabilities by blocking the smartcard after three login attempts when the user fails to enter the associated access PIN or passcode. Once the DNIe is locked, the only chance to unlock it requires Spanish citizens to go to the police station and follow a custom unlocking procedure. There (in the police station), you can find proprietary DNIe kiosks that allow citizens to authenticate through their fingerprint, stored within a secure area of the smartcard at issuing time, and proceed to change the DNIe access PIN or passcode. In order to avoid frequent visits to the police station by security auditors and pentesters using their DNIe (or any other eID smartcard) while assessing the security of web applications, and entering by mistake the wrong PIN or passcode in ZAP, the tool now implements specific checks and warning messages to alert the user about failed login attempts, trying to avoid blocking the smartcard after three failed access attempts.

All this DNIe-related functionality has been available on the official ZAP SVN repository since revision 1209, live at RootedCON 2012 (check how to build ZAP from source code), and is currently available on the latest downloadable version, ZAP

To extend this previous research and the implementation already available within ZAP, I have launched a new ZAP-related project focused on improving the support of smartcard-based authentication within ZAP to other eID cards. More information about the "OWASP ZAP SmartCard Project" can be found at ZAP's official wiki.

The purpose of this project is to extend the currently available smartcard support within ZAP to other national eID cards worldwide (apart from the Belgium, Swiss, and Spanish eID's), as well as, to other proprietary smartcard solutions from commercial vendors (apart from ActivIdentity, Aladdin, or Axalto). The goal is for ZAP to provide the widest smartcard support within the web application security industry to be able to assess the security of any web application using smartcards and eIDs for authentication purposes through HTTPS (SSL/TLS). Besides that and based on my previous experience, the complementary goal is to extend ZAP with new features that might be required to deal with and manage the different smartcard types.

The current set of supported smartcards within ZAP can be found at ZAP's official wiki. This wiki page will be updated as soon as we add support for new smartcards within ZAP, although you can always directly check the "drivers.xml" file from the latest SVN revision. The draft list of countries that already provide eIDs (electronic-based identification for their citizens) I am aware of is available on the same page (we hope to add support for all or most of them over the following months with the help of the web application development and security communities).

The new "OWASP ZAP SmartCard Project" requires the implication of the community around the world to provide details and help to test new smartcard types. If you are interested on contributing to it, send me an e-mail or write to the OWASP ZAP Google group (mailing list). You can contribute in very different ways: from providing details about the existence of a new smartcard that is used in your country of origin or residence (or commercial smartcards used) for web-based authentication, as well as using ZAP to evaluate the security of smartcard-based web applications and report bugs or any other issues you may find, up to contributing new drivers.xml entries for new smartcards or additional operating systems.

At the end of September I will be talking about the "Security of National eID (smartcard-based) Web Applications" during the BruCON 2012 security conference in Ghent (Belgium) - first talks pre-release - and running the "Assessing and Exploiting Web Applications with Samurai-WTF" training.

Tuesday, April 10, 2012

DNIe-based Web Applications Security

Early last month the third edition of Rooted CON took place in Madrid, Rooted CON 2012, with great contents and very interesting topics. During the last day of the conference I presented the results of the research I've been involved in during 2011 and early 2012, focused on the security of web applications based on the Spanish electronic identity card or eID (electronic ID) smartcard, called DNIe ("Documento Nacional de Identidad electrónico", electronic National Identity Card).

The DNIe (or eDNI) is the electronic version of the national ID card for Spanish citizens, and it is currently used to access a great variety of digital services from public and private sectors all over the country, including eGovernment services and web portals plus services from financial institutions, insurance and telecomunication companies, or utility companies (gas, water, electricity...).

Therefore, the DNIe is a key element to authenticate and identify users (Spanish citizens) within private and public critical web applications and services in today's information society in Spain. However, due to the limitations to interact with smartcards and, in particular, the DNIe of the currently available web auditing and pen-testing security tools... ¿are we really sure that the DNIe-based web application and services are secure? The DNIe is (assumed to be) secure, but... ¿is it used in a secure way? ¿Are the web-based client components associated to the DNIe secure? The presentation explored all these questions through new tools, real-world scenarios, and practical demonstrations.

The DNIe is an ISO 7816 smartcard (an evolution from PCKS#15), that contains a pair of X.509 digital certificates plus the associated public and private keys. One certificate is used for authentication/identification purposes (KeyUsage = Digital Signature) while the other is used for signature purposes (KeyUsage = contentCommitment). It is important to emphasize that the latter has legal validity, similar to a traditional manuscript signature, what makes the DNIe a recognized CWA 14169 secure signature-creation device (EAL4+).

So far, the main DNIe (or generally speaking, smartcard) security threats assume the attacker was able to get physical access to the smartcard and the associated PIN/passcode, or was able to compromise the victim's computer where the smartcard is plugged to and used from. A couple of examples are last year's Rooted CON 2011 research on using a DNIe remotely through a proxying computer, “Man-In-Remote: PKCS11 for fun and non-profit” by Gabriel González, or the Sykipot trojan, targeting US DoD smartcards (ActivClient), reported by AlienVault.

Considering Spain is the worldwide leader on digital identity and signature, with more than 25 million DNIe issued as of September 29, 2011 (since this +341 million euros project started in 2005), I feel we should lead too the security implications of web applications making use of the DNIe and similar smartcard solutions. In the same way Spain was significantly ahead on the "Monitoring eAccessibility in Europe: 2011 Annual Report", we must be ahead on the next eSecurity report (if any) too, both on the public and private sectors. It seems there are at least 26 countries worldwide providing smartcard-based (or digital certificate based) identification and signature solutions to their citizens, therefore this research has to be extended to other smartcard types and scenarios (see [0]).

I presented together with the smart and fun José A. Guasch, security researcher and one of the editors of the security-related Spanish blog Security By Default, as a while ago we realized we were researching about different (but related) security aspects of DNIe-based web applications, so our findings fit perfectly for a joint presentation on this topic.

From a technical side, I talked about the authentication and signature capabilities of web applications based on the DNIe, and the three main vulnerable areas: HTTPS (SSL/TLS), user authentication and registration through the DNIe, and session management in web applications. I have published details and tools previously on the first (HTTPS) and last (session management) topics, so the main focus was on the web interaction with the DNIe (and smartcards in general). During the talk I published live the new DNIe capabilities for web application pen-testers through the OWASP ZAP SVN repository (SVN official revision 1209 - drivers.xml file). These new capabilities are available on the ZAP SVN branch as well as the OWASP ZAP 1.4.x version, published yesterday (see [0]).

The presentation covers in depth how to interact with PKCS#11 smartcard devices from Java, and how ZAP smartcard support has been enhanced with DNIe capabilities, stability fixes, and new functionality for the three most common pen-testing platforms: Windows, Linux, and Mac OS X. Additionally, the second portion of my talk presented the results and statistics (plus the associated recommendations) obtained from pen-testing the DNIe capabilities of 15 critical web applications during 2011. The impact of the different vulnerabilities and weaknesses identified on this type of applications is very significant, specially considering the perceived extra security and confidence in the usage of smartcard authentication. If DNIe-based web applications are not securely architected and developed, an attacker can decrypt the victim's web traffic, launch Man-in-the-Middle (MitM) attacks, and manipulate the user registration and authentication processes, plus the user session, to fully impersonate legitimate users in the target web application. Unfortunately, based on the results obtained from these pen-tests there is still a long way to walk to be able to assert that relevant web applications making use of the DNIe are secure.

José talked about the overall security, as well as specific vulnerabilities, that can be found on the client-side components used by web applications (Java applets and ActiveX controls) that interact with the DNIe. These components access the DNIe to (sometimes) provide authentication capabilities and (mainly) verify and generate digital signatures. More information is available on the associated Security By Default blog post(s) (in Spanish).

This research, plus the additions we are currently working on, are going to be contributed over time to the OWASP DNIe project (in Spanish). This open initiative was launched in June 2011 with the goal of evaluating and improving the security of web applications based on the DNIe.

The presentation (in Spanish) can be downloaded from Taddong's lab in PDF format and it is also available on-line (SlideShare) from the Rooted CON papers/talks archive.

[0]: More specific smartcard and DNIe-related ZAP details, as well as extended research I'm working on, will be published on a near future Taddong's blog post.