Post on 19-Oct-2020

Improving Application Security through Penetration Testing

Dominick Baier (dbaier@ernw.de)
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH


Outline

• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools


"Improving the Security of Your Site by Breaking Into it"
(Dan Farmer / Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html


Penetration Testing vs. Auditing

• Penetration Testing
  – Simulating a motivated attacker for a specific amount of time
  – Black Box / White Box Approach
  – Is more like a snapshot of the current security of a system or a business process

• Auditing
  – Analyzing
    • Configuration Files
    • Architecture
    • Source Code
  – Policy conformance
    • Operational Plans and Procedures


Why Penetration Testing

• To measure the security of a system, network or a business process
  – By a third party

• To assess possible Risks

• To make the upper management "security aware"


Possible Goals of a Penetration Test

• How much information about our network is publicly available?

• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effectively do our security controls work?
  – Firewall
  – AntiVirus / Spam / Content Filter
  – Intrusion Detection Systems

• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?

• "Are we safe?"


What can be tested

• Servers and Workstations
  – Web Server
  – Database Server
  – Domain Controller
  – Workstations

• Infrastructure
  – Network Devices
  – Wireless Networks
  – Dial-In Access
  – VPNs

• Applications
• Employees (Social Engineering)


Attackers to simulate

• Outside Attackers
  – Script Kiddies
  – Competitors
  – Terrorists
  – Journalists

• Insiders
  – Employees
  – Disgruntled Employees
  – Contractors
  – Consultants


Standards

• Pete Herzog's OSSTM "Open Source Security Testing Methodology Manual"
  – Very practical approach
  – Checklists of what to test and in which order
  – List of tools

• ISO 17799 / BS 7799 Standard for Information Security
  – Focuses more on the policy and paperwork side of security
  – Extensive catalog of security controls
  – Defines a standard for audits

• NIST Guidelines for Network Security Testing


Ethics

• Findings are under strict NDAs

• No information gathered during the test
  – is sent in clear text over the internet
  – is used for personal profit

• ISACA Code of Professional Ethics
• ISC2 Code of Ethics

• Full Disclosure


The STRIDE Threat Model

• STRIDE
  – Spoofing Identity
  – Tampering with data
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege


The Pen-Tester's Mantra

• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication


Course of Actions

• Opening Meeting
  – Goals of the Pen-Test
  – Scope
  – Responsible Admins

• The Audit / Test itself

• The Report
  – Found issues
  – Countermeasures
  – Prioritization

• Closing Meeting


Stages of a Pen-Test

• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
  – Fingerprinting
  – Port / Vulnerability Scanning
  – Attacking the System / Proof of Concept

• Analyzing Applications
  – Functional / Structural Analysis
  – Attacking Authentication and Authorization
  – Attacking Data and Back-End Communication
  – Attacking Clients


Information Gathering

• In this phase you try to compile as much publicly available information as possible
  – Internic
  – IANA / RIPE
  – Whois
  – Google / Usenet
  – Private homepages of employees
  – Email Addresses
  – Telephone numbers


Information Gathering

• Google Search-Syntax
  – allintitle:"Index of /etc"
  – site:gov site:mil site:ztarget.com
  – filetype:doc filetype:pdf filetype:xls
  – intitle:, inurl:, allinurl:
  – allinurl:mssql, allinurl:gw …
  – inurl:".aspx?ReturnUrl="
  – "+www.ernw.+de"
  – related:www.ernw.de
  – login site:www.microsoft.com
  – [cached]


Information Gathering

• Mailing-Lists / Forums / Usenet
  – Some vendors even post internal support questions to public newsgroups


Information Gathering

• Mailing-Lists / Forum / Usenet
  – Invitation?


Analyzing the Infra-Structure and Machines

• A layered model (figure): each host is drawn as a stack of OS / Service / Application / Data, with all hosts sharing the common Network layer underneath


Analyzing the Infra-Structure and Machines

• The Reality (figure): Browser → Web Server → Application Server → Database Server, with the Auth Database, Web Content, Data and Audit Logs stores attached; the links between the tiers use HTTP, LDAP, DCOM, CORBA and plain sockets


Analyzing the Infra-Structure and Machines

• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability


Querying System and DNS Information

• TraceRoute
  – Tracing the network route gives you information about
    • The provider
    • Type of connection
  – Simple / Redundant / Load Balanced
  – At which hop does ICMP get blocked?


Querying System and DNS Information

• DNS Zone Transfer
  – DNS servers should be configured to allow zone transfers only to specific peers
  – DNS zones are very interesting
    • Which machines are listed in the zone
    • Information about the IP network structure


Portscanning & Fingerprinting

• Port scanning gives you information about which ports a machine listens on

• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed

• Most popular port scanners
  – SuperScan (www.foundstone.com)
  – NMAP (www.insecure.org/nmap)


Banner Grabbing

• Connect with Netcat or Telnet to a service
• You will often get detailed information
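Added example, not from the slides: a small Python parser for a captured HTTP response block that reports which headers give away the server product and whether a version number is disclosed. It is written from the hardening side (what the report has to list, and which headers are candidates for suppression). The response bytes, the header list and the version pattern are constructed assumptions for this example.

```python
import re

# Constructed sample: a captured HTTP response header block (not from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 1.1.4322\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Headers that commonly reveal product and version; an assumed list for this example.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_headers(raw: bytes) -> dict:
    """Split a raw response into a {lower-case name: value} dict, ignoring the body."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw: bytes) -> list:
    """Return (header, value, has_version) for every disclosing header present,
    so the report can state exactly what the banner gives away."""
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, VERSION_RE.search(value) is not None))
    return findings


if __name__ == "__main__":
    for name, value, versioned in banner_findings(SAMPLE_RESPONSE):
        print(f"{name}: {value}  (version disclosed: {versioned})")
```

The same parser works on whatever Netcat or Telnet shows after a request, pasted in as bytes; headers that carry a version are the ones to remove or generalize in the server configuration.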


Vulnerability Scanner

• Automated scanners that check for known vulnerabilities
  – They often give you more information for vulnerability investigation

• There are vulnerability and exploit databases on the internet
  – SecurityFocus (www.securityfocus.com)
  – Packet Storm (www.packetstormsecurity.com)


Vulnerability Scanner

• System / Host Scanner
  – Nessus (www.nessus.org)
  – Retina (www.eeye.com)
  – ISS Security Scanner (www.iss.net)
  – Microsoft MBSA (www.microsoft.com)

• Database Scanner
  – MetaCoreTex (www.metacoretex.com)
  – AppSecInc AppDetective (www.appsecinc.com)
  – ISS Database Scanner (www.iss.net)

• Web Server Scanner
  – Nikto (www.cirt.net)


Vulnerability Investigation

• www.securityfocus.com/bid


Vulnerability Investigation

• www.packetstormsecurity.org


Pen-Testing Web Applications

• Visualize the HTTP Traffic
  – Sniffer (e.g. Ethereal)
  – Web Proxies
    • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
    • Fiddler (www.fiddlertool.com)
    • WebProxy (www.atstake.com)
  – Hand craft HTTP Requests
    • Wfetch & Tinyget (IIS6 Resource Kit)

Structural analysis in tabular form (table reconstructed from the slide):

Page        | Path               | Auth? | SSL? | GET/POST | Comment
------------|--------------------|-------|------|----------|----------------
            | /Index.aspx        | N     | N    |          |
Login Page  | /login/login.aspx  | Y     | N    | POST     |
            | /about/about.aspx  | N     | N    |          | Email Addresses


Structural Analysis

• ...or graphical


Pen-Testing Web Applications

• Try some URLs
  – Common Directories
    • /html, /images, /jsp, /cgi
  – "Hidden" Directories
    • /admin, /secure, /adm, /management
  – Backup and Log Files
    • /.bak, /backup, /back, /log, /logs, /archive, /old
  – Include Files
    • /include, /inc, /js, /global, /local
  – Localized Versions
    • /de, /en, /1033
  – trace.axd

• Look at the HTTP Status Codes
  – Everything besides 404 is interesting
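Added example, not from the slides: detection logic in Python, run over a few constructed Common Log Format lines, that counts per client how many of the "hidden", backup and include names listed above were requested and records the ones answered with something other than 404 (the responses a tester follows up on, so the ones an operator should review first). The log lines, the path set and the threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# Directory and file names from the slide that a directory-guessing run touches;
# the set is an assumption for this example and can be extended.
PROBE_PATHS = {
    "/admin", "/secure", "/adm", "/management",
    "/.bak", "/backup", "/back", "/log", "/logs", "/archive", "/old",
    "/include", "/inc", "/global", "/local",
    "/trace.axd",
}

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access log, not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2020:10:01:01 +0200] "GET /index.aspx HTTP/1.1" 200 512
10.0.0.5 - - [19/Oct/2020:10:01:02 +0200] "GET /about/about.aspx HTTP/1.1" 200 420
203.0.113.9 - - [19/Oct/2020:10:02:10 +0200] "GET /admin HTTP/1.1" 401 0
203.0.113.9 - - [19/Oct/2020:10:02:10 +0200] "GET /secure HTTP/1.1" 404 0
203.0.113.9 - - [19/Oct/2020:10:02:11 +0200] "GET /backup/ HTTP/1.1" 403 0
203.0.113.9 - - [19/Oct/2020:10:02:11 +0200] "GET /logs?x=1 HTTP/1.1" 404 0
203.0.113.9 - - [19/Oct/2020:10:02:12 +0200] "GET /trace.axd HTTP/1.1" 200 3010
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise: drop the query string and any trailing slash before matching
    rec["base"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec


def summarize_probes(log_text: str, threshold: int = 3) -> dict:
    """Per client: how many well-known probe paths it requested and which of those
    were answered with something other than 404. Clients with at least `threshold`
    probes are flagged."""
    per_ip = defaultdict(lambda: {"probes": 0, "non_404": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["base"] not in PROBE_PATHS:
            continue
        stats = per_ip[rec["ip"]]
        stats["probes"] += 1
        if rec["status"] != 404:
            stats["non_404"].append((rec["base"], rec["status"]))
    return {ip: dict(s, flagged=s["probes"] >= threshold) for ip, s in per_ip.items()}


if __name__ == "__main__":
    for ip, s in summarize_probes(SAMPLE_LOG).items():
        print(ip, s)
```

A 200 for /trace.axd on a production site is worth its own finding regardless of who requested it; the non_404 list makes such cases stand out in the summary.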


Pen-Testing Web Applications

• Look for
  – Cascading Style Sheets (.css)
  – XML files / XML Stylesheets (.xml / .xsl)
  – JavaScript files (.js)
  – Include Files (.inc)
  – Text files (.txt)
  – Comments
  – Client-Side Validation
  – Forms
    • Hidden Fields
    • Password Fields
    • MaxLength Attributes


Pen-Testing Web Applications

• "Odd" Query Strings

• Cookie values

www.site.com/show.aspx?content=marketing.xml
www.site.com/UserArea/default.php?UserID=5
www.site.com/dbsubmit.php?Title=Mr&Phone=123
www.site.com/menu.asp?sid=73299


Canonicalization Errors

• Popular Examples
  – Apache WebServer
    • /scripts and /SCRIPTS
  – Microsoft IIS 5
    • ../ and .%2e%2f
  – ISS Firewall
    • action=delete and action=%64elete
  – Microsoft IE4
    • Dotless IP Bug
  – ASP.NET Authorization Canonicalization Bug
    • http://localhost/formsec/secure%5csecret.aspx


Resource Names

• Example
  http://server/cms/show.aspx?file=content.xml

• Can I use this page to show other files?
  http://server/cms/show.aspx?file=../web.config

• Try some variations
  http://server/cms/show.aspx?file=../web.config.
  http://server/cms/show.aspx?file=../web.config::$DATA
  http://server/cms/show.aspx?file=..%5cweb.config
  http://server/cms/show.aspx?file=..%255cweb.config
  http://server/cms/show.aspx?file=..%%35%63web.config
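Added example, not from the slides: a Python check a developer could put behind a page like show.aspx so that every variation above is refused. It percent-decodes repeatedly before checking (so double encoding collapses to what the file system would see), rejects backslashes, NUL bytes, NTFS stream suffixes and trailing dots, and then serves only a flat *.xml name directly under an allowed root. CONTENT_ROOT and the .xml allowlist are assumptions for this example.

```python
import posixpath
import urllib.parse
from typing import Optional

# Assumed root directory the CMS is allowed to serve content files from.
CONTENT_ROOT = "/srv/cms/content"


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double- and
    triple-encoded separators (%255c, %%35%63) are collapsed before any check."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_requested_file(file_param: str, root: str = CONTENT_ROOT) -> Optional[str]:
    """Map the ?file= parameter to an absolute path, or return None to refuse.

    Each rule corresponds to one variation from the slide: NUL bytes, backslash as
    a separator, NTFS stream suffixes (::$DATA), a trailing dot, and '..' traversal.
    Only flat *.xml names directly under `root` are served."""
    name = decode_fully(file_param)
    if "\x00" in name or "\\" in name or ":" in name:
        return None
    if name.endswith(".") or not name.lower().endswith(".xml"):
        return None
    # Normalising against a fake root removes any '..' components; if that changed
    # the name, or a directory separator is left, the request was not a flat file.
    normalized = posixpath.normpath("/" + name).lstrip("/")
    if normalized != name or "/" in normalized:
        return None
    candidate = posixpath.join(root, normalized)
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The original request and the variations listed on the slide (constructed input)
    for param in ("content.xml", "../web.config", "../web.config.",
                  "../web.config::$DATA", "..%5cweb.config",
                  "..%255cweb.config", "..%%35%63web.config"):
        print(f"{param!r:32} -> {resolve_requested_file(param)}")
```

The design choice is an allowlist on the final, fully decoded name rather than a denylist of patterns: the five variations above are all attempts to make a denylist and the file system disagree about what the name means.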


Testing for SQL Injection

• Test whether you can inject SQL code through forms
• If the programmer simply concatenates user input with SQL statements, a database compromise is most likely possible

• Try to generate errors
  – Insert a ' character
  – Does the application behave differently?
  – Is maybe even a database error returned?

• You can execute nasty statements through SQL Injection
  – Union
  – Drop...
  – XP_CMDSHELL
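Added example, not from the slides, using Python's built-in sqlite3 as a stand-in for the back end: the concatenation pattern the slide warns about next to the parameterized form of the same query, with a probe() helper that shows the behavioural difference a single ' character makes (a database error from one, a clean "no match" from the other). The users table and its rows are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database standing in for the application back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the slide warns about: user input glued into the SQL text,
    so a quote in the input changes the statement itself."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the input is always data, never SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def probe(login, conn: sqlite3.Connection, username: str, password: str) -> tuple:
    """Run one login attempt and report ('ok', result) or ('error', exception name).
    This is the difference in behaviour the tester looks for after inserting a quote."""
    try:
        return ("ok", login(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = build_db()
    for login in (login_concatenated, login_parameterized):
        print(login.__name__, "normal:", probe(login, db, "alice", "s3cret"),
              "with quote:", probe(login, db, "alice'", "x"))
```

In production the error branch must also be caught and turned into a generic message: a raw database error in the response is exactly the signal the third bullet above describes.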


Testing for Cross Site Scripting

• Cross Site Scripting lets an attacker inject script code into Web Pages

• This happens when the application directly outputs client input without proper HTML encoding

• Can be hard to find - look in
  – Query Strings
  – Form Fields
  – HTTP Headers

• Enables Cookie Stealing / Harvesting Attacks

• Many developers rely on ASPX's ValidateRequest
  – Try <%00...> encoding
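Added example, not from the slides: a Python output-encoding helper applied to the three input sources listed above (query string, form field, HTTP header) in a constructed page template, shown next to the unencoded version of the same template. The helper also drops NUL bytes, which is why the <%00...> trick against a pattern-based request filter makes no difference once output is encoded. The template and the input values are assumptions for this example.

```python
import html
import urllib.parse


def encode_for_html(value: str) -> str:
    """Encode an untrusted value for use as HTML text or inside a quoted attribute.
    NUL bytes are dropped first: a NUL inside a tag name (the <%00...> trick) can
    slip past a pattern-based filter, but once '<' is encoded the tag is inert."""
    return html.escape(value.replace("\x00", ""), quote=True)


def render_search_page(query_string: str, form_fields: dict, headers: dict) -> str:
    """Constructed page template that reflects the three sources the slide lists:
    the query string, a form field and an HTTP header, all encoded on output."""
    params = urllib.parse.parse_qs(query_string)
    term = params.get("q", [""])[0]
    comment = form_fields.get("comment", "")
    agent = headers.get("User-Agent", "")
    return (
        "<p>Results for: " + encode_for_html(term) + "</p>\n"
        '<input type="text" name="comment" value="' + encode_for_html(comment) + '">\n'
        "<p>Your browser: " + encode_for_html(agent) + "</p>"
    )


def render_search_page_unsafe(query_string: str, form_fields: dict, headers: dict) -> str:
    """The same template without encoding: the defect the slide describes."""
    params = urllib.parse.parse_qs(query_string)
    term = params.get("q", [""])[0]
    return ("<p>Results for: " + term + "</p>\n"
            '<input type="text" name="comment" value="' + form_fields.get("comment", "") + '">\n'
            "<p>Your browser: " + headers.get("User-Agent", "") + "</p>")


if __name__ == "__main__":
    sample = ("q=%3Cb%3Ehello", {"comment": 'a"b'}, {"User-Agent": "<x>"})
    print(render_search_page_unsafe(*sample))
    print(render_search_page(*sample))
```

Encoding at the point of output is the control; request validation such as ValidateRequest is at best a second layer, since it has to guess what the output context will be.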


Tools

• Automatic Mirroring of Web Sites
  – wget (www.gnu.org/directory/wget.html)
  – Black Widow (www.softbytelabs.com)
  – Teleport Pro (www.tenmax.com)

• Web Scanner
  – WebInspect (www.spidynamics.com)
  – NStealth (www.nstalker.com)

• ASP.NET Specific Scanners
  – ASP.NET Security Analyzer (www.owasp.org)
  – ASP.NET Shared Hosting Analyzer (www.owasp.org)


Conclusion

• Pen-Testing is no Black Magic
• Very systematic procedure

• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities

• Do regular Pen-Tests or Audits – you can only benefit
  – Internal and third party


• Questions?

You can download the slides from www.leastprivilege.com


Links

• OSSTM
  – www.isecom.org

• NIST Draft Guidelines to Network Security Testing
  – http://csrc.nist.gov/publications/drafts/security-testing.pdf

• ISC2 Code of Ethics
  – https://www.isc2.org/cgi/content.cgi?category=12

• ISACA Code of Professional Ethics
  – http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1


Links

• Wfetch
  – http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe

• NetCat
  – http://www.atstake.com/research/tools/network_utilities/nc11nt.zip
