Friday, May 19, 2017

Abuse it for Real Quality

“This is not a valid use case.” “Why would somebody do something like that?” These are very common statements we hear whenever we point out a security vulnerability. Security vulnerabilities are not functional issues or bugs, and we cannot use functional test cases to find them.

Hackers don’t care about functional test cases; instead, they abuse the system to find security issues. Abusing the system is the most effective way of finding security issues, and doing so improves the actual quality of the system.

How can we abuse the application? It is pretty simple. As an example, let's take a valid test case or use case: a user logs in to the system as Admin and clicks the Add New User link, and the application should display the Add New User interface. The relevant URL will be something like www.yoursite.com/admin/createuser/. What if we try to access this URL without logging in, or while logged in as a normal user? How should the system behave in this case? Technically this is a valid use case too: if an admin user is logged in, the user should be able to access the feature, and if not, the user should not be able to access it.

Let's take another example. A user logs in and clicks Edit Profile. The system should navigate the user to the Edit Profile page and display the profile data. The URL will be something like www.yoursite.com/profile/edit?id=10894. What happens if the user changes the URL to www.yoursite.com/profile/edit?id=10890? Can a user edit someone else's profile data? What will happen if the user enters a string value for the id (e.g. www.yoursite.com/profile/edit?id=missu)? Will the system crash?
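The abuse cases from the two examples above, written as executable checks against a small stand-in handler. This is an added example, not code from the original post; the `handle` function, the session tokens and the status codes it returns are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: session token -> (user id, role).
SESSIONS = {"tok-admin": (1, "admin"), "tok-user": (10894, "user")}

def handle(url, token=None):
    """Return the HTTP status a hypothetical app should give for a GET."""
    session = SESSIONS.get(token)
    if session is None:
        return 401                      # not logged in: nothing is reachable
    user_id, role = session
    parsed = urlparse(url)
    if parsed.path == "/admin/createuser/":
        return 200 if role == "admin" else 403   # role checked on every request
    if parsed.path == "/profile/edit":
        ids = parse_qs(parsed.query).get("id", [])
        # Exactly one id, ASCII digits only; anything else is a client error,
        # never an unhandled exception.
        if len(ids) != 1 or not (ids[0].isascii() and ids[0].isdigit()):
            return 400
        # Ownership check: the id in the URL must belong to the session user.
        return 200 if int(ids[0]) == user_id else 403
    return 404

BASE = "https://www.yoursite.com"
# (url, session token, expected status): each functional case with its abuses.
ABUSE_CASES = [
    (BASE + "/admin/createuser/", "tok-admin", 200),     # the functional case
    (BASE + "/admin/createuser/", None, 401),            # no login at all
    (BASE + "/admin/createuser/", "tok-user", 403),      # normal user
    (BASE + "/profile/edit?id=10894", "tok-user", 200),  # own profile
    (BASE + "/profile/edit?id=10890", "tok-user", 403),  # someone else's id
    (BASE + "/profile/edit?id=missu", "tok-user", 400),  # string instead of id
    (BASE + "/profile/edit?id=10894&id=10890", "tok-user", 400),  # repeated id
]

def run_abuse_cases():
    """Return (url, token, expected, actual) for every case that misbehaves."""
    results = [(u, t, exp, handle(u, t)) for u, t, exp in ABUSE_CASES]
    return [r for r in results if r[2] != r[3]]

if __name__ == "__main__":
    failures = run_abuse_cases()
    print("all abuse cases pass" if not failures else failures)
```

Pointing the same case table at a real application instead of the stand-in turns each "not a valid use case" into a regression test.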

We can go on and on like this and discover how many valid scenarios were ignored. Functional use cases and test cases can please the customer and yourself, but they do very little for the resiliency of the system.

We need to abuse the system to achieve real quality and make it capable of standing up to malicious attacks, and we need to do it before an attacker does.

Sunday, May 14, 2017

WannaCry - A reason to Cry

Ransomware is not a surprise, but this one surprised the entire IT industry, mainly because of how fast it spread. WannaCry started on Friday, 13th May, and according to the records over 200,000 computers were infected across 99 countries. The UK health sector was severely affected.

Just like any other ransomware, WannaCry encrypts the disk and asks for money in exchange for the decryption key. Paying works for some ransomware some of the time, but not all the time. So far, there is no way to know whether paying the ransom will work for WannaCry.

WannaCry uses a Windows SMB v1 vulnerability to spread within the network, and it acts as a worm, which means it spreads on its own. This is why WannaCry is so dangerous in terms of spreading, helped of course by organizations that either do not patch Windows regularly or do not upgrade. For example, the UK health sector was using Windows XP boxes.

It is interesting, and also funny, to talk about the Windows SMB vulnerability, simply because the NSA is the one who developed the exploit for it, which they called EternalBlue. Unfortunately the NSA got hacked by a group called "The Shadow Brokers", and a set of exploits including EternalBlue was leaked. However, Microsoft released a patch for the SMB v1 vulnerability in March, and users can also disable SMB v1 to protect themselves from WannaCry.

The interesting point here is why the NSA developed these exploits and kept them to itself. Also, after these exploits were stolen, the NSA did not inform Microsoft about the vulnerabilities. It is really disappointing because, according to the name, it is about national security, but in reality they are just like any other hacking group. In a way it proves that government-sponsored hacking organizations exist, and then who is going to save us? Almighty God, or other hacking groups?

Wednesday, January 5, 2011

Type Forwarding

Type forwarding is a powerful feature of the Common Language Runtime that allows a type to be moved from one assembly to another without recompiling the applications that consume the assembly.

Let's say we have an application that uses a class named About, which is in a referenced library named Utility.dll. The company decides to update the Utility library and wants to move the About class to a separate library named Profile.dll. After the new libraries (Utility.dll and Profile.dll) are released, the old version of the application will give an error, because it cannot find the About class in the Utility library. We can overcome this situation using type forwarding.

Let's code the above example.

Original About class in the Utility library:

    namespace Utility
    {
        public class About
        {
            public string GetInfo()
            {
                return "About class in the Utility.dll";
            }
        }
    }

Application that uses the Utility library:

    using System;
    using System.Windows.Forms;

    namespace TestApp
    {
        public partial class Form2 : Form
        {
            public Form2()
            {
                InitializeComponent();
            }

            private void button1_Click(object sender, EventArgs e)
            {
                // Compiled against Utility.dll; the type is referenced as Utility.About.
                Utility.About about = new Utility.About();
                MessageBox.Show(about.GetInfo());
            }
        }
    }

When we click the button we will get the message box with the message "About class in the Utility.dll".

Move the About class to a new library named Profile. (We can drag and drop the About class if the libraries are in the same solution. Either way, after the move, Utility no longer has the About class and Profile has it.)

    // This file now lives in the Profile project; the namespace stays Utility.
    namespace Utility
    {
        public class About
        {
            public string GetInfo()
            {
                return "About class in the Profile.dll";
            }
        }
    }

The About class now lives in the Profile library, so its namespace would normally be Profile. But in order to use type forwarding we must keep the namespace as Utility (the old namespace).

The next step is to add a reference to the Profile library in the Utility library and add the following attribute to AssemblyInfo.cs of the Utility library:

    [assembly: TypeForwardedTo(typeof(About))]

Make sure that the following using statements are also present:

    using System.Runtime.CompilerServices;
    using Utility; // needed because the namespace of the About class is still Utility

Now recompile the Utility library. This will automatically compile the Profile library as well, because it is referenced by the Utility library. Copy both DLLs (Utility.dll and Profile.dll) to the location of the application exe and run the application.

Now when we click the button we will get the message box with the message "About class in the Profile.dll".

Finally, this is a great feature that will improve the maintainability of our application.
