Post on 16-Dec-2015
APPLICATION VULNERABILITY ASSESSMENTS REVISITED
COMPUTING AND COMMUNICATIONS www.mun.ca
Jared Perry GSEC, GWAPT, GCWN
Application testing at Memorial University
PREVIOUS TALK: CANHEIT 2012
• Walked through methodology
• Recon, Discovery, Exploitation, Reporting
• Talked about common vulnerabilities
• XSS, SQLi
• This talk will
• Discuss how techniques have evolved
• What we have learned since last presentation
SO, WHAT HAS CHANGED? PERSPECTIVE
• Attacks of Opportunity: Mass Scanning, Script Kiddies
• Targeted: Activists, Organized Crime, APT
SO, WHAT HAS CHANGED? INDUSTRY
• Bug Bounties
• Reward security professionals who report vulnerabilities
• glory, swag, $$$$
• Moving in right direction
• With a mature security program bug bounties are successful
• See Facebook, Google, BugCrowd Programs
• Caveats
• Higher Ed institutions likely not positioned well for such programs
• Scope and response to disclosures would be key
• Good way to hone personal skills
SO, WHAT HAS CHANGED? COMMON VULNERABILITIES
• SQLi
• Frameworks and developer/vendor awareness
• Cross Site Scripting
• Still common however efforts are usually made to prevent
• Broken Authentication/Access Controls
• DIY authentication/access control functionality
• Code Injection
• Via file uploads or external file references
• Misconfigurations/Using Known Vulnerable Code
• Vendor implementations…
SO, WHAT HAS CHANGED? INTERNAL DEVELOPERS
• Developers Receptive
• Internal developers have embraced security standards
• Use standardized and well tested frameworks/code
• Presentations
• Developer testing
• Continuously Changing
• The languages, frameworks and platforms developers use change frequently, making testing a challenge
• AngularJS, Node, new PHP frameworks, Mobile, etc
SO, WHAT HAS CHANGED? VENDORS
• Vendors are becoming more security conscious
• Many provide direct methods for vulnerability disclosure
• However still run into occasional resistance
VENDORS: SUCCESS STORIES
• OpenText FirstClass
• OpenText had recently rebuilt the software with a new framework
• Found that the framework was not sanitizing input or encoding
output allowing for multiple XSS vulnerabilities
• Vendor response was immediate
• Cisco Identity Service Engine (ISE) - CVE-2014-0681
• Allowed remote, unauthenticated persistent XSS attack against
ISE administrators
• All versions were affected, patched version is available
PROCESS: PRIORITIZING
• Standard Questions
• Name of the application(s)
• Whether it is internally, vendor or open source developed
• Programming language(s) they are written in
• List of other servers connected to the application such as
database, application or file servers
• Description of data that will be stored in this application
• Estimate of the number of users
• A summary of how the application is used/functionality
PROCESS: MINIMIZE DATA / LIMIT ACCESS
• Basic Concept
• Everyone wants to collect everything, retain it forever and have it
accessible from anywhere
• We work with clients on new applications to reduce attack surface
• Bonus: Reduces extent of testing
TECHNIQUES: MANUAL TESTING
• Benefits
• Finds vulnerabilities automated tools are not designed to detect
• Business logic, insecure application functionality, access controls
• Can be as simple as fuzzing, security QA
• Intercept Proxy
• Burp Suite (Personal Favorite), Zed Attack Proxy, W3AF
• Use the target application
• Review requests and responses
• Manipulate
TECHNIQUES: MANUAL TESTING
• Checklist
• OWASP is a great resource with starter checklist
• Basic Tests
• Create new account
• Password Requirements
• Forgot password process
• Change password
– Does the application ask for the current password first?
• etc
TECHNIQUES: MANUAL TESTING
• Advanced Tests
• Disable/Manipulate client-side code
– Look for client-side authentication checks
• Creative inputs
– Automated tools won’t test many types of user input
– File Uploads, WYSIWYG, etc
• Redirect requests as needed
– Fuzzing inputs – Burp Intruder/Repeater
TECHNIQUES: MANUAL TESTING - XSS
• Manual XSS Testing
• As basic as '';!--"<XSS>=&{()} or
<SCRIPT>alert("XSS")</SCRIPT>
• Focus on inputs that are difficult for automated scanners to test
• Try Burp Suite Intruder XSS payload, ZAP Fuzzer
• Advanced
• Use evasion techniques, good cheat sheet available from OWASP
• Creative inputs
– Examples: file upload metadata, authentication requests
TECHNIQUES: MANUAL TESTING - AUTH
• Authentication is not a DIY project
• Don’t reinvent the wheel
• Use session management available in the language or framework
• Testing Session Management
• Look at application responses for session data
• Look for sensitive information
• Is the session id sufficiently random? Burp Sequencer
• Attempt Decoding – Burp Decoder – Base64
• Is the expiration sufficient?
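The session-id checks on this slide (decode it, look for sensitive data in it, judge its randomness) as a small script; this is an added example, not code from the talk, and the three sample cookie sets are constructed: a sequential DIY id, a base64-wrapped "user/role" blob, and a framework-style random token.

```python
import base64
import binascii
import math
import random
from collections import Counter

# Constructed samples (not from the talk): two DIY schemes and one framework-
# style random token, 20 values each, as you would collect by repeatedly
# logging in and capturing the session cookie with Burp Sequencer.
SEQUENTIAL_IDS = [str(1000 + i) for i in range(20)]
ENCODED_IDS = [base64.b64encode(f"user=alice;role=admin;n={i}".encode()).decode()
               for i in range(20)]
_rng = random.Random(2015)  # seeded only so the sample set is reproducible
RANDOM_IDS = ["%032x" % _rng.getrandbits(128) for _ in range(20)]

SENSITIVE_MARKERS = ("user=", "role=", "admin", "email=")


def try_base64_decode(sid):
    """Burp Decoder step: printable text if sid is valid base64, else None."""
    try:
        text = base64.b64decode(sid, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def positional_entropy_bits(samples):
    """Crude Sequencer-style estimate: Shannon entropy of each character
    position across the samples, summed. It cannot exceed log2(len(samples))
    per position, so a real test needs hundreds or thousands of samples."""
    n = len(samples)
    total = 0.0
    for pos in range(min(len(s) for s in samples)):
        counts = Counter(s[pos] for s in samples)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def assess_session_ids(samples, min_bits=64.0):
    """The slide's three questions: does it decode, does it leak, is it random?"""
    decoded = try_base64_decode(samples[0])
    leaks = decoded is not None and any(m in decoded.lower() for m in SENSITIVE_MARKERS)
    bits = positional_entropy_bits(samples)
    return {
        "decodes_to": decoded,
        "leaks_sensitive_data": leaks,
        "entropy_bits": round(bits, 1),
        "acceptable": bits >= min_bits and not leaks,
    }
```

The sequential and encoded sets both come back unacceptable (low entropy, or a decodable blob naming the user and role); only the random set passes, which is what a framework-issued session id should look like.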
TECHNIQUES: MANUAL TESTING - CSRF
• Very few vendors or developers implement CSRF protections
• ASP Viewstate
• Tokens
• Difficult Execution
• CSRF attacks require the victim to be logged into target app then
click malicious link
• Prime targets are “always open” applications
• Portals, ERP, E-Learning, Webmail, etc
• Hope to introduce more awareness with devs and vendors
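The token protection this slide asks developers and vendors for, shown as a minimal synchronizer-token check; this is an added example, not code from the talk, and the session store, handler and request shapes are constructed stand-ins for a web framework.

```python
import hmac
import secrets

# Constructed toy application state (not from the talk): a session store
# keyed by the session cookie, with a per-session synchronizer token.
SESSIONS = {}


def login(user):
    """Issue a session cookie and bind a fresh CSRF token to that session."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid


def form_fields(sid):
    """What the app's own change-email page embeds as a hidden form field."""
    return {"_csrf": SESSIONS[sid]["csrf"]}


def change_email(cookies, form):
    """State-changing handler. The browser attaches the session cookie to a
    cross-site POST as well, so the cookie alone proves nothing; the hidden
    token does, because a page on another origin cannot read it."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    token = form.get("_csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    session["email"] = form["email"]
    return 200, "email changed"


def scenario():
    """Victim is logged in to an 'always open' portal. One request carries the
    app's own form fields, the other is a forged form that has no way to
    obtain the token; both carry the victim's session cookie."""
    sid = login("victim")
    cookies = {"session": sid}
    own_form = dict(form_fields(sid), email="new@example.invalid")
    forged_form = {"email": "attacker@example.invalid", "_csrf": "guess"}
    return change_email(cookies, own_form), change_email(cookies, forged_form)
```

Most frameworks ship this pattern (the ViewState and token options the slide lists), so the remediation to recommend is normally to turn on the built-in protection rather than write a new one.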
TECHNIQUES: MANUAL TESTING - MOBILE
• Increasing need to test mobile apps
• Clients want mobile and native applications
• Mobile apps and related APIs are being integrated with systems holding sensitive data, e.g. student grades
• How do we test mobile applications?
• Proxy communications through testing computer
• Requires trusting SSL certificates from intercept proxy
• Review and map mobile APIs similar to any other application
TECHNIQUES: AUTOMATED TESTING
• Follow-up to Manual Testing
• Finish testing with automated testing to find any low-hanging fruit or vulnerabilities possibly missed
• Burp/Zap
• Both have automated scanning functions
• Skipfish
• Automated scanning function that is great for finding hidden
application components
• W3AF
• Swiss army knife of scanning tools
PROCESS: REPORTING
• Summarize
• Details about the application and related data
• The scope of testing
• Limitations and/or concerns
• List vulnerabilities
• Descriptions should be targeted to the audience (devs vs mgmt)
• Detail how the vulnerability could be used
• Detail impact and likelihood of it being exploited
• Provide recommendations for remediation
• Provide example screen captures to developers/vendors
PROCESS: REMEDIATION
• Complete/Partial Remediation
• Not reasonable to expect every issue found to be completely remediated
• Retesting Cycle
• Can be a lot of back and forth trying to address an issue
– May have to settle for partial remediation or alternative
mitigations
• Sign-off for remaining vulnerabilities
• For vulnerabilities not remediated detail the risk and obtain sign-off
from those responsible for the data and application
PROCESS: FUTURE PLANS
• Formalize
• Tracking of vulnerabilities
• Retain testing data
• Maintain data on applications, dev teams and vendors
• Automate testing options for developers
• Threadfix/Mozilla Minion
• Open source applications for tracking vulnerabilities
• Provides options to allow developers to do automated scanning
PROCESS: FUTURE PLANS
• Information Sharing
• Reduce duplication of efforts
– Higher Ed has a lot of niche applications and many institutions
use the same applications
• Security SIG discussion mailing list?
• Improve vendor responses and coordination
• Legal concerns
TECHNIQUES: MANUAL TESTING
• Burp Sequencer and Decoder Demo - mutillidae
TECHNIQUES: MANUAL TESTING - CSRF
• CSRF Attack Demo with Burp Suite - mutillidae
TECHNIQUES: MANUAL TESTING - MOBILE
• Mobile Demo with Burp Suite – Ellucian GO
QUESTIONS
Jared Perry IT Security Administrator, GSEC, GWAPT, GCWN
Email: jaredp@mun.ca
Twitter: @jared_perry
Phone: (709) 864-2619
RESOURCES
• OWASP Link References
• https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Threadfix/Mozilla Minion
• https://github.com/denimgroup/threadfix/
• https://wiki.mozilla.org/Security/Projects/Minion
• Mobile App Testing
• http://jaredperry.ca/mapping-mobile-app-apis/
RESOURCES
• Zed Attack Proxy (ZAP)
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Kali Linux
• http://www.kali.org/
• Burp Suite
• http://portswigger.net/burp/
• Bug Bounties
• https://bugcrowd.com/