The cloud is an integral part of business infrastructure. While most people recognize Office 365 or Dropbox as key SaaS providers, the reality is that the typical enterprise organization has tens to hundreds of these applications in use by its employees as part of the normal daily business-related workflow. This becomes a security challenge, as few security departments are aware of the SaaS security issues contained within these sites, if they are aware of their use at all.
In this section, we outline just a few of the 0-day vulnerabilities we have discovered so you can learn from our experiences and build your assessments to catch these bugs before they become breaches.
Vulnerabilities in Logging
Logging is essential in a regulated environment. In the case of HIPAA, all CRUD (Create-Read-Update-Delete) data access needs to be logged and made available. Unfortunately, access to these log files can fall outside the project scope and become an ad hoc piece of the web application, which creates the perfect environment for errors. Two such examples follow:
1. XSS in Logging - Cross-site scripting is a well-known attack vector and most frameworks detect and deal with it natively. However, in the case of log viewers, XSS attempts may end up recorded as raw text because they are captured before any character encoding or validation occurs. In one such case, the SaaS's web interface was designed to provide a list of all CRUD transactions. Although the XSS injection attempt failed when inserted directly into an Access Policy displayed to all users of the website, it was written to the log file unfiltered. As a result, the JavaScript was rendered when the log was viewed in the browser, allowing an XSS attack to work.
2. Unauthorized access to other clients' logs - SaaS solutions come in two main forms: those with a dedicated database for each customer and those without. In this second example, we reviewed a site that had appropriate controls around what was exposed through our session and properly controlled access to other clients' data. However, there was a boundary error in the second stage of a log download workflow that exposed all the other vendors' logs, including all the sensitive PHI in those logs. Again, since this piece of the web application was bolted on to the solution as part of a missed scope, it didn't go through the same checks the rest of the solution went through. As a result, all it took was a simple modification of a URL variable to access another client's logs (e.g. DownloadHipaaLogReport?groupId=<modify value>&dateFrom=20141219&dateTo=20141219).
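The two controls that were missing in the cases above, as an added example in Python that is not code from the original page or from either SaaS vendor: the report download validates the requested groupId against the tenant bound to the server-side session instead of trusting the URL, and the log viewer escapes every entry at output time so a payload stored raw in the log cannot execute in the browser. The group ids, log lines and function names are constructed for this example.

```python
import html

# Constructed sample data: two tenants, each with its own CRUD log.
# Lines start with a YYYYMMDD date in the same format the report URL uses.
CRUD_LOGS = {
    "grp-100": [
        "20141219 READ patient/42 by alice",
        "20141219 UPDATE policy name='<script>alert(1)</script>' by bob",
        "20141220 DELETE patient/42 by alice",
    ],
    "grp-200": ["20141219 CREATE patient/77 by carol"],
}


class AuthorizationError(Exception):
    """Raised when a request reaches for a tenant the session does not own."""


def download_hipaa_log_report(session_group_id, requested_group_id,
                              date_from, date_to):
    """Return the log lines for one tenant and date range.

    session_group_id comes from the server-side session; requested_group_id
    is the untrusted groupId URL parameter. This comparison is the check the
    bolted-on download step was missing (an IDOR on groupId).
    """
    if requested_group_id != session_group_id:
        raise AuthorizationError("groupId does not belong to this session")
    # YYYYMMDD strings compare correctly as plain strings.
    return [line for line in CRUD_LOGS.get(requested_group_id, [])
            if date_from <= line[:8] <= date_to]


def render_log_viewer(lines):
    """Render log lines as an HTML table.

    Entries are HTML-escaped here, at output, because the log must keep the
    raw request text for audit purposes; encoding on write would alter the
    evidence and still leave other consumers of the log unprotected.
    """
    rows = "".join(f"<tr><td>{html.escape(line)}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"
```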