Posted on 16-Dec-2015

APPLICATION VULNERABILITY ASSESSMENTS REVISITED

COMPUTING AND COMMUNICATIONS www.mun.ca

Jared Perry GSEC, GWAPT, GCWN

Application testing at Memorial University

PREVIOUS TALK - CANHEIT 2012

• Walked through methodology

  • Recon, Discovery, Exploitation, Reporting

• Talked about common vulnerabilities

  • XSS, SQLi

• This talk will

  • Discuss how techniques have evolved

  • What we have learned since last presentation

SO, WHAT HAS CHANGED? - PERSPECTIVE

[Diagram: spectrum of attackers. Attacks of Opportunity (Mass Scanning, Script Kiddies); Targeted (Activists, Organized Crime); APT]

SO, WHAT HAS CHANGED? - INDUSTRY

• Bug Bounties

  • Reward security professionals who report vulnerabilities

    • glory, swag, $$$$

  • Moving in right direction

    • With a mature security program bug bounties are successful

    • See Facebook, Google, BugCrowd Programs

• Caveats

  • Higher Ed institutions likely not positioned well for such programs

  • Scope and response to disclosures would be key

• Good way to hone personal skills

SO, WHAT HAS CHANGED? - COMMON VULNERABILITIES

• SQLi

  • Frameworks and developer/vendor awareness

• Cross Site Scripting

  • Still common, however efforts are usually made to prevent it

• Broken Authentication/Access Controls

  • DIY authentication/access control functionality

• Code Injection

  • Via file uploads or external file references

• Misconfigurations/Using Known Vulnerable Code

  • Vendor implementations…

SO, WHAT HAS CHANGED? - INTERNAL DEVELOPERS

• Developers Receptive

  • Internal developers have embraced security standards

  • Use standardized and well tested frameworks/code

  • Presentations

  • Developer testing

• Continuously Changing

  • The languages, frameworks and platforms developers are using are changing frequently, making testing a challenge

  • AngularJS, Node, new PHP frameworks, Mobile, etc

SO, WHAT HAS CHANGED? - VENDORS

• Vendors are becoming more security conscious

  • Many provide direct methods for vulnerability disclosure

  • However still run into occasional resistance

VENDORS - SUCCESS STORIES

• OpenText FirstClass

  • OpenText had recently rebuilt the software with a new framework

  • Found that the framework was not sanitizing input or encoding output, allowing for multiple XSS vulnerabilities

  • Vendor response was immediate

• Cisco Identity Service Engine (ISE) - CVE-2014-0681

  • Allowed remote, unauthenticated persistent XSS attack against ISE administrators

  • All versions were affected, patched version is available

PROCESS - PRIORITIZING

• Standard Questions

  • Name of the application(s)

  • Whether it is internally, vendor or open source developed

  • Programming language(s) they are written in

  • List of other servers connected to the application such as database, application or file servers

  • Description of data that will be stored in this application

  • Estimate of the number of users

  • A summary of how the application is used/functionality

PROCESS - MINIMIZE DATA/LIMIT ACCESS

• Basic Concept

  • Everyone wants to collect everything, retain it forever and have it accessible from anywhere

  • We work with clients on new applications to reduce attack surface

  • Bonus: Reduces extent of testing

TECHNIQUES - MANUAL TESTING

• Benefits

  • Finds vulnerabilities automated tools are not designed to detect

    • Business logic, insecure application functionality, access controls

  • Can be as simple as fuzzing, security QA

• Intercept Proxy

  • Burp Suite (Personal Favorite), Zed Attack Proxy, W3AF

  • Use the target application

  • Review requests and responses

  • Manipulate

TECHNIQUES - MANUAL TESTING

• Checklist

  • OWASP is a great resource with starter checklist

• Basic Tests

  • Create new account

  • Password Requirements

  • Forgot password process

  • Change password

    – Does the application ask for the current password first?

  • etc

TECHNIQUES - MANUAL TESTING

• Advanced Tests

  • Disable/Manipulate client-side code

    – Look for client-side authentication checks

  • Creative inputs

    – Automated tools won’t test many types of user input

    – File Uploads, WYSIWYG, etc

  • Redirect requests as needed

    – Fuzzing inputs – Burp Intruder/Repeater

TECHNIQUES - MANUAL TESTING - XSS

• Manual XSS Testing

  • As basic as '';!--"<XSS>=&{()} or <SCRIPT>alert("XSS")</SCRIPT>

  • Focus on inputs that are difficult for automated scanners to test

  • Try Burp Suite Intruder XSS payload, ZAP Fuzzer

• Advanced

  • Use evasion techniques, good cheat sheet available from OWASP

  • Creative inputs

    – Examples: file upload metadata, authentication requests
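As an added illustration (not from the slides or from Memorial University's own tooling), the Python below shows what the tester is looking for when one of the probe strings above is reflected: the two probes the slide lists are rendered once by a template that concatenates input verbatim and once by one that HTML-encodes it, and a check flags any response in which the probe survives with its metacharacters intact. The `TEMPLATE`, the `{{value}}` placeholder and the function names are constructed for the example.

```python
import html

# Probe strings the slide lists as basic manual XSS tests, constructed here as
# inputs to a local rendering function (nothing is sent to any server).
XSS_PROBES = [
    "'';!--\"<XSS>=&{()}",
    '<SCRIPT>alert("XSS")</SCRIPT>',
]

# Hypothetical page template; {{value}} is where user input is reflected.
TEMPLATE = "<p>Search results for: {{value}}</p>"


def render_unsafe(template: str, value: str) -> str:
    """Vulnerable rendering: user input is concatenated into the HTML verbatim."""
    return template.replace("{{value}}", value)


def render_escaped(template: str, value: str) -> str:
    """Hardened rendering: HTML-encode the input for an element-text context.
    quote=True also encodes ' and ", which matters if the same helper is
    reused inside a quoted attribute."""
    return template.replace("{{value}}", html.escape(value, quote=True))


def reflected_unencoded(response_body: str, probe: str) -> bool:
    """The check a tester makes on an intercepted response: does the probe
    come back byte-for-byte, with <, >, quotes and & intact?  True means the
    application did not encode this input for the context it landed in."""
    return probe in response_body


def triage(template: str, renderer, probes=XSS_PROBES) -> dict:
    """Render every probe through one renderer and report which reflect raw."""
    return {p: reflected_unencoded(renderer(template, p), p) for p in probes}


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        for probe, reflected in triage(TEMPLATE, renderer).items():
            print(f"{name:8} {'REFLECTED' if reflected else 'encoded  '} {probe}")
```

The check is deliberately strict: a probe that comes back with only some characters encoded is still worth a closer look, because the right encoding depends on where the input lands (element text, attribute value, script block, URL), and `html.escape` only covers the first two.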


TECHNIQUES - MANUAL TESTING - AUTH

• Authentication is not a DIY project

  • Don’t reinvent the wheel

  • Use session management available in the language or framework

• Testing Session Management

  • Look at application responses for session data

  • Look for sensitive information

  • Is the session id sufficiently random? Burp Sequencer

  • Attempt Decoding – Burp Decoder – Base64

  • Is the expiration sufficient?
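The two session-id checks on this slide, a Sequencer-style randomness estimate and a Decoder-style Base64 decode, as an added Python example that is not part of the original talk. The entropy estimate is a simple per-position Shannon calculation over a captured sample and is far less thorough than Burp Sequencer; the `WEAK_IDS` and `STRONG_IDS` samples are constructed, and `new_session_id` shows what a framework's own session-id generation should look like.

```python
import base64
import binascii
import math
import secrets
from collections import Counter
from typing import List, Optional


def shannon_entropy_bits(tokens: List[str]) -> float:
    """Rough per-token entropy estimate: for each character position, the
    Shannon entropy of the symbols observed there across the sample, summed
    over positions.  It is capped at log2(sample size) per position, so it is
    a sanity check on a captured sample, not a replacement for Burp Sequencer."""
    if not tokens:
        return 0.0
    n = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(width):
        for count in Counter(t[pos] for t in tokens).values():
            p = count / n
            total -= p * math.log2(p)
    return total


def try_base64(token: str) -> Optional[str]:
    """What Burp Decoder's Base64 option does by hand: return the decoded text
    if the token is valid base64 that decodes to printable ASCII, else None.
    A session id that decodes to readable structure is a finding on its own."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def assess_session_ids(tokens: List[str]) -> dict:
    """Combine both checks into the notes a tester would take on a sample."""
    decoded = [try_base64(t) for t in tokens]
    return {
        "entropy_bits": shannon_entropy_bits(tokens),
        "decodes_to_text": any(d is not None for d in decoded),
        "decoded_samples": [d for d in decoded if d is not None][:3],
    }


def new_session_id() -> str:
    """How it should be done: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


# Constructed sample of a DIY scheme: base64 of "user=<name>:<counter>".
WEAK_IDS = [base64.b64encode(f"user=alice:{n}".encode()).decode() for n in range(100, 110)]
# Constructed sample of framework-quality ids for comparison.
STRONG_IDS = [new_session_id() for _ in range(10)]


if __name__ == "__main__":
    for label, ids in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(label, assess_session_ids(ids))
```

On the weak sample only the counter digit varies, so the estimate comes out at about 3.3 bits, and every id decodes to a readable `user=alice:...` string; the strong sample decodes to nothing and scores as high as a ten-token sample can.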

TECHNIQUES - MANUAL TESTING - CSRF

• Very few vendors or developers implement CSRF protections

  • ASP Viewstate

  • Tokens

• Difficult Execution

  • CSRF attacks require the victim to be logged into the target app, then click a malicious link

  • Prime targets are “always open” applications

    • Portals, ERP, E-Learning, Webmail, etc

• Hope to introduce more awareness with devs and vendors
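An added example, not from the talk or from any vendor product it discusses, of the synchronizer-token pattern the slide refers to under "Tokens": a change-email handler that trusts the session cookie alone, beside a hardened one that also requires a per-session token an attacker's page cannot read. The in-memory `SESSIONS` store, the handler names and the constructed `demo` scenario are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Hypothetical in-memory session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def create_session(user: str) -> str:
    """Log a user in: random session id plus a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf_token"]


def change_email_unprotected(method: str, cookies: dict, form: dict) -> Tuple[int, str]:
    """Vulnerable handler: the session cookie alone authorizes the change.
    Browsers attach that cookie to cross-site POSTs too, so a form on another
    site succeeds whenever the victim is logged in (the "always open" case)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if method in SAFE_METHODS:
        return 200, "form"
    SESSIONS[sid]["email"] = form.get("email", "")
    return 200, "email changed"


def change_email_protected(method: str, cookies: dict, form: dict) -> Tuple[int, str]:
    """Hardened handler: state-changing methods must carry this session's
    token, which a cross-origin page cannot read.  Constant-time comparison
    so the check itself does not leak the token."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if method in SAFE_METHODS:
        return 200, "form"
    submitted = str(form.get("csrf_token", ""))
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "csrf token missing or invalid"
    SESSIONS[sid]["email"] = form.get("email", "")
    return 200, "email changed"


def demo() -> Tuple[int, int, int]:
    """Constructed scenario: the victim is logged in and a cross-site form
    posts a new e-mail address with the cookie but without the token."""
    sid = create_session("victim")
    cookies = {"session": sid}               # sent automatically by the browser
    forged = {"email": "changed@example.invalid"}
    status_unprotected, _ = change_email_unprotected("POST", cookies, forged)
    status_protected, _ = change_email_protected("POST", cookies, forged)
    legit = dict(forged, csrf_token=csrf_token_for(sid))  # the site's own form
    status_legit, _ = change_email_protected("POST", cookies, legit)
    return status_unprotected, status_protected, status_legit


if __name__ == "__main__":
    print("unprotected forged / protected forged / protected legit:", demo())
```

When retesting after a fix, the same three requests are what to replay: the forged POST must now fail, and the application's own form must still work, otherwise the token is being generated but not actually checked.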

TECHNIQUES - MANUAL TESTING - MOBILE

• Increasing need to test mobile apps

  • Clients want mobile and native applications

  • Mobile Apps and related APIs are being integrated with systems holding sensitive data, eg Student Grades

• How do we test mobile applications?

  • Proxy communications through testing computer

    • Requires trusting SSL certificates from intercept proxy

  • Review and map mobile APIs similar to any other application

TECHNIQUES - AUTOMATED TESTING

• Follow-up to Manual Testing

  • Finish testing with automated testing to find any low hanging fruit or vulnerabilities possibly missed.

• Burp/Zap

  • Both have automated scanning functions

• Skipfish

  • Automated scanning function that is great for finding hidden application components

• W3AF

  • Swiss army knife of scanning tools

PROCESS - REPORTING

• Summarize

  • Details about the application and related data

  • The scope of testing

  • Limitations and/or concerns

• List vulnerabilities

  • Descriptions should be targeted to the audience (devs vs mgmt)

  • Detail how the vulnerability could be used

  • Detail impact and likelihood of it being exploited

  • Provide recommendations for remediation

  • Provide example screen captures to developers/vendors

PROCESS - REMEDIATION

• Complete/Partial Remediation

  • Not reasonable to have every issue found be completely remediated.

• Retesting Cycle

  • Can be a lot of back and forth trying to address an issue

    – May have to settle for partial remediation or alternative mitigations

• Sign-off for remaining vulnerabilities

  • For vulnerabilities not remediated, detail the risk and obtain sign-off from those responsible for the data and application

PROCESS - FUTURE PLANS

• Formalize

  • Tracking of vulnerabilities

  • Retain testing data

  • Maintain data on applications, dev teams and vendors

  • Automate testing options for developers

• Threadfix/Mozilla Minion

  • Open source applications for tracking vulnerabilities

  • Provides options to allow developers to do automated scanning

PROCESS - FUTURE PLANS

• Information Sharing

  • Reduce duplication of efforts

    – Higher Ed has a lot of niche applications and many institutions use the same applications

  • Security SIG discussion mailing list?

  • Improve vendor responses and coordination

    • Legal concerns

TECHNIQUES - MANUAL TESTING

• Burp Sequencer and Decoder Demo - mutillidae

TECHNIQUES - MANUAL TESTING - CSRF

• CSRF Attack Demo with Burp Suite - mutillidae

TECHNIQUES - MANUAL TESTING - MOBILE

• Mobile Demo with Burp Suite – Ellucian GO

QUESTIONS

Jared Perry, IT Security Administrator, GSEC, GWAPT, GCWN

Email: jaredp@mun.ca

Twitter: @jared_perry

Phone: (709) 864-2619

RESOURCES

• OWASP Link References

  • https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series

  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

• Threadfix/Mozilla Minion

  • https://github.com/denimgroup/threadfix/

  • https://wiki.mozilla.org/Security/Projects/Minion

• Mobile App Testing

  • http://jaredperry.ca/mapping-mobile-app-apis/

RESOURCES

• Zed Attack Proxy (ZAP)

  • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• Kali Linux

  • http://www.kali.org/

• Burp Suite

  • http://portswigger.net/burp/

• Bug Bounties

  • https://bugcrowd.com/