Monday, March 3, 2008

Intranet and Admin Security

These days the intranet is coming back. I have heard it a couple of times: "Our intranet is safe, there's an authentication system and it can be accessed by hosts from our local IP range only." But no, there are no further security measures. If someone manages to get in, he will be able to do and see a lot. And yes, the bad guy can get in under certain circumstances.

Last year, for example, we saw the first tailor-made Trojan which stole information from an intranet, the "Monster for employers" web site of Monster.com. These Trojans are very rare so far and the risk is quite low (see details at Symantec), but it is certainly a possibility and an example of how the security of the client host matters, too.

XSS in your intranet
While special malware might be less likely for small intranets, XSS and CSRF are not. If your intranet application re-displays unsanitized user input from the extranet (user names, comments, spam reports, order addresses, to name just a few uncommon places where I've seen malicious user input), the application will be vulnerable to XSS.
A single place in the intranet where the input has not been sanitized is enough to make the entire application vulnerable. Vulnerable to what? Cookie stealing (YES, it's a privileged intranet cookie), content alteration to lure the victim to a fake intranet where he might enter confidential information, and so on. So I hope you have found a way to eliminate XSS everywhere in your app.
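As an added illustration (not code from the original post), here is the difference between re-displaying a value verbatim and escaping it first, in plain Ruby. The sample names are constructed; ERB::Util.html_escape is the standard-library function that Rails' h helper wraps (Rails 3 and later escape by default, Rails 2 needed h explicitly).

```ruby
require "erb"

# Constructed sample input, as it might arrive from the public ("extranet")
# side and later be re-displayed on an intranet page: two user names, one of
# them carrying a script tag.
SAMPLE_NAMES = [
  "alice",
  "bob <script>alert('xss')</script>",
].freeze

# Unsafe rendering: the value is interpolated verbatim, so the script tag
# becomes part of the page. This is the pattern the post warns about.
def render_unsafe(name)
  "<li>#{name}</li>"
end

# Safe rendering: every untrusted value passes through HTML escaping before
# it is interpolated. ERB::Util.html_escape is Ruby's standard library; the
# Rails `h` helper calls the same function.
def render_escaped(name)
  "<li>#{ERB::Util.html_escape(name)}</li>"
end

# A check a test suite can run over rendered output: does a script tag
# survive anywhere in the page we produced?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

def render_list(names, escape:)
  items = names.map { |n| escape ? render_escaped(n) : render_unsafe(n) }
  "<ul>#{items.join}</ul>"
end

if __FILE__ == $PROGRAM_NAME
  puts render_list(SAMPLE_NAMES, escape: false)
  puts render_list(SAMPLE_NAMES, escape: true)
end
```

Escaping at output time, rather than trying to filter input, is what makes the guarantee hold for every place the value is later re-displayed, including the intranet pages the author mentions.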

CSRF in your intranet
Yup, CSRF (Cross Site Request Forgery) is real as well. It takes place in combination with XSS or the old-fashioned way: send an HTML e-mail containing the CSRF payload to the victim or lure him to an infected web page. What is CSRF? Take a look at two examples which trigger a GET and a POST action:

<img src="http://intranet/project/1/delete" />

Generate this in Rails and you have a link to a POST action:

link_to("To the survey", "http://www.your-online-expense-tracker.com/account/delete", :method => :post)
Now if the user views the page (for the image) or clicks the link, and he is logged in to the application (i.e. the cookie is set in the browser), the project or account will be deleted. Of course, the attacker has to know the URL structure, but most Rails URLs are quite straightforward, or they're publicly accessible as in the expense tracker application.
The attacker may even make 1,000 lucky guesses. The countermeasure in Rails is to include a token in each POST request that will be verified on the server. See the first post about this; the csrf_killer plugin has since been merged into Rails.
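The token check described above, modelled in plain Ruby as an added example (this is not Rails' implementation; in Rails you enable protect_from_forgery and the form helpers emit the hidden field). The session hash, request parameters and token name are stand-ins for what Rails keeps; the three requests at the end are constructed.

```ruby
require "securerandom"

# Constant-time comparison so the token check does not reveal, through its
# timing, how many leading bytes of a guess were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a random token once per session and keep it server side
# (a hash stands in for the Rails session here).
def issue_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Hidden field a form carries back; Rails' form helpers add the equivalent
# automatically once protect_from_forgery is on.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{issue_token(session)}" />)
end

# Decide whether a request may run a state-changing action.
# Two rules: a GET never changes state (so the <img> trick from the post is
# refused regardless of tokens), and a POST must carry the token that belongs
# to this very session.
def authorize_state_change(session, method:, params:)
  return [false, "state-changing action requested with GET"] if method == "GET"
  expected = session[:csrf_token]
  supplied = params["authenticity_token"].to_s
  return [false, "session has no token"] if expected.nil?
  return [false, "token missing or wrong"] unless secure_compare(expected, supplied)
  [true, "ok"]
end

# Constructed requests: the <img> GET and the token-less POST link from the
# post, followed by a legitimate form submission.
def demo
  session = {}
  token = issue_token(session)
  [
    authorize_state_change(session, method: "GET", params: {}),
    authorize_state_change(session, method: "POST", params: {}),
    authorize_state_change(session, method: "POST", params: { "authenticity_token" => token }),
  ]
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |ok, reason| puts "#{ok ? 'allowed' : 'refused'}: #{reason}" }
end
```

The verb rule alone is not the protection: an attacker's page can auto-submit a POST form just as easily as it embeds an image. It is the token, which a foreign origin cannot read, that decides; keeping GET side-effect free merely closes the cheapest route.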


Administration
Now, you do have an administration interface for your application? How about its security? Did you take it more seriously than the security of the application itself? You should, because in most cases a security breach is more harmful here.

The common admin interface is like this: It's located at www....com/admin, may be accessed only if the admin flag is set in the User model, re-displays user input and allows the admin to delete/add/edit a lot. Here are some thoughts about this:

  • As an admin interface is kind of an intranet, the same vulnerabilities as described above may be there. The attacker could steal an admin cookie (via XSS) or use CSRF to delete some users: www....com/admin/user/delete/2

  • It is always very important to think about the worst case: what if someone really got hold of my cookie or user credentials? You could introduce roles for the admin interface to limit the possibilities of the attacker.
    And how about special login credentials (other than the ones used for the public part of the app) for the admin controller, and another password for very serious actions?

  • Does the admin really have to access the interface from everywhere in the world? Think about limiting the login to a handful of source IP addresses. Take a look at this post about how to find out the user's IP address. This is not bullet-proof, but a great barrier.

  • Put the admin interface on a special sub-domain such as admin.application.com. This makes stealing an admin cookie from the usual domain impossible.
    This is because of the same origin policy in your browser: an injected (XSS) script on www.application.com cannot read the cookie for admin.application.com and vice versa. Of course this precaution will be useless if the attacker got hold of the cookie from www.application.com and can simply copy the cookie string to make one for the admin.application.com host. Use two session tables (if you use the :active_record_store session store) or a separate admin application for that.
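The four points above combined into one admin guard, as an added example in plain Ruby (not the project's code). It checks the host, the source network, that the session record was issued for the admin host (the "two session tables" idea), the admin role, and a recent second password entry for serious actions. The allowlist, the trusted proxy address, the hosts and the request environments are all constructed; the X-Forwarded-For handling is the caveat behind "not bullet-proof": that header is client-controlled and is only honoured when the TCP peer is one of our own proxies.

```ruby
require "ipaddr"

# Constructed allowlist of source networks from which admin logins are accepted.
ADMIN_NETWORKS = %w[10.0.0.0/8 192.0.2.0/24].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed address of the one reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = %w[198.51.100.1].map { |ip| IPAddr.new(ip) }.freeze

ADMIN_HOST = "admin.application.com"  # constructed admin sub-domain
REAUTH_WINDOW = 300                    # seconds a second password entry stays valid

# Client address: REMOTE_ADDR is the TCP peer and cannot be forged; the
# X-Forwarded-For header can be, so it is used only when the peer is a proxy
# we run, and then only its last entry (the one that proxy appended).
def client_ip(env)
  peer = IPAddr.new(env["REMOTE_ADDR"])
  forwarded = env["HTTP_X_FORWARDED_FOR"]
  if forwarded && TRUSTED_PROXIES.any? { |p| p.include?(peer) }
    IPAddr.new(forwarded.split(",").map(&:strip).last)
  else
    peer
  end
end

def admin_ip_allowed?(env)
  ip = client_ip(env)
  ADMIN_NETWORKS.any? { |net| net.include?(ip) }
end

# The session record carries the host it was issued for, so a cookie value
# copied from www.application.com does not resolve to an admin session even
# if the attacker replays it against the admin host.
def admin_request_authorized?(env, session, user)
  return [false, "wrong host"] unless env["HTTP_HOST"] == ADMIN_HOST
  return [false, "source IP not allowed"] unless admin_ip_allowed?(env)
  return [false, "session not issued for admin host"] unless session[:host] == ADMIN_HOST
  return [false, "user lacks admin role"] unless user[:roles].include?(:admin)
  [true, "ok"]
end

# "Another password for very serious actions": the admin must have re-entered
# it within REAUTH_WINDOW seconds; the clock is injected so this is testable.
def serious_action_allowed?(session, now: Time.now)
  at = session[:admin_reauth_at]
  !at.nil? && (now - at) <= REAUTH_WINDOW
end

if __FILE__ == $PROGRAM_NAME
  env = { "REMOTE_ADDR" => "10.1.2.3", "HTTP_HOST" => ADMIN_HOST }
  p admin_request_authorized?(env, { host: ADMIN_HOST }, { roles: [:admin] })
end
```

Each check fails closed and reports which barrier stopped the request, which is what you want logged when an admin session is being replayed from an unexpected network.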
