application vulnerability assessments revisited computing and communications jared perry gsec,...
TRANSCRIPT
APPLICATION VULNERABILITY ASSESSMENTSREVISITED
COMPUTING AND COMMUNICATIONS www.mun.ca
Jared Perry GSEC, GWAPT, GCWN
Application testing at Memorial University
PREVIOUS TALKCANHEIT 2012
• Walked through methodology
• Recon, Discovery, Exploitation, Reporting
• Talked about common vulnerabilities
• XSS, SQLi
• This talk will
• Discuss how techniques have evolved
• What we have learned since last presentation
COMPUTING AND COMMUNICATIONS
Attacks of OpportunityMass ScanningScript Kiddies
TargetedActivists
Organized Crime
SO, WHAT HAS CHANGED?PERSPECTIVE
COMPUTING AND COMMUNICATIONS
APT
SO, WHAT HAS CHANGED?INDUSTRY
• Bug Bounties
• Reward security professionals who report vulnerabilities
• glory, swag, $$$$
• Moving in right direction
• With a mature security program bug bounties are successful
• See Facebook, Google, BugCrowd Programs
• Caveats
• Higher Ed institutions likely not positioned well for such programs
• Scope and response to disclosures would be key
• Good way to hone personal skills
COMPUTING AND COMMUNICATIONS
SO, WHAT HAS CHANGED?COMMON VULNERABILITIES• SQLi
• Frameworks and developer/vendor awareness
• Cross Site Scripting
• Still common however efforts are usually made to prevent
• Broken Authentication/Access Controls
• DIY authentication/access control functionality
• Code Injection
• Via file uploads or external file references
• Misconfigurations/Using Known Vulnerable Code
• Vendor implementations…
COMPUTING AND COMMUNICATIONS
SO, WHAT HAS CHANGED?INTERNAL DEVELOPERS
• Developers Receptive
• Internal developers have embraced security standards
• Use standardized and well tested frameworks/code
• Presentations
• Developer testing
• Continuously Changing
• The languages, frameworks and platforms developers are using is
changing frequently making testing a challenge
• AngularJS, Node, new PHP frameworks, Mobile, etc
COMPUTING AND COMMUNICATIONS
SO, WHAT HAS CHANGED?VENDORS
• Vendors are becoming more security conscious
• Many provide direct methods for vulnerability disclosure
• However still run into occasional resistance
COMPUTING AND COMMUNICATIONS
VENDORSSUCCESS STORIES
• OpenText FirstClass
• OpenText had recently rebuilt the software with a new framework
• Found that the framework was not sanitizing input or encoding
output allowing for multiple XSS vulnerabilities
• Vendor response was immediate
• Cisco Identity Service Engine (ISE) - CVE-2014-0681
• Allowed remote, unauthenticated persistent XSS attack against
ISE administrators
• All versions were affected, patched version is available
COMPUTING AND COMMUNICATIONS
PROCESSPRIORITIZING
• Standard Questions
• Name of the application(s)
• Whether it is internally, vendor or open source developed
• Programming language(s) they are written in
• List of other servers connected to the application such as
database, application or file servers
• Description of data that will be stored in this application
• Estimate of the number of users
• A summary of how the application is used/functionality
COMPUTING AND COMMUNICATIONS
PROCESSMINIMIZE DATA/LIMIT ACCESS
• Basic Concept
• Everyone wants to collect everything, retain it forever and have it
accessible from anywhere
• We work with clients on new applications to reduce attack surface
• Bonus: Reduces extent of testing
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
• Benefits
• Finds vulnerabilities automated tools are not designed to detect
• Business logic, insecure application functionality, access controls
• Can be as simple as fuzzing, security QA
• Intercept Proxy
• Burp Suite (Personal Favorite), Zed Attack Proxy, W3AF
• Use the target application
• Review requests and responses
• Manipulate
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
• Checklist
• OWASP is a great resource with starter checklist
• Basic Tests
• Create new account
• Password Requirements
• Forgot password process
• Change password
– Does the application ask for the current password first?
• etc
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
• Advanced Tests
• Disable/Manipulate client-side code
– Look for client-side authentication checks
• Creative inputs
– Automated tools won’t test many types of user input
– File Uploads, WYSIWYG, etc
• Redirect requests as needed
– Fuzzing inputs – Burp Intruder/Repeater
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - XSS
• Manual XSS Testing
• As basic as '';!--"<XSS>=&{()} or
<SCRIPT>alert("XSS")</SCRIPT>
• Focus on inputs that are difficult for automated scanners to test
• Try Burp Suite Intruder XSS payload, ZAP Fuzzer
• Advanced
• Use evasion techniques, good cheat sheet available from OWASP
• Creative inputs
– Examples: file upload metadata, authentication requests
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - XSS
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - XSS
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - XSS
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - XSS
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - AUTH
• Authentication is not a DIY project
• Don’t reinvent the wheel
• Use session management available in the language or framework
• Testing Session Management
• Look at application responses for session data
• Look for sensitive information
• Is the session id sufficiently random? Burp Sequencer
• Attempt Decoding – Burp Decoder – Base64
• Is the expiration sufficient?
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - CSRF
• Very few vendors or developers implement CSRF protections
• ASP Viewstate
• Tokens
• Difficult Execution
• CSRF attacks require the victim to be logged into target app then
click malicious link
• Prime targets are “always open” applications
• Portals, ERP, E-Learning, Webmail, etc
• Hope to introduce more awareness with devs and vendors
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - MOBILE
• Increasing need to test mobile apps
• Clients want mobile and native applications
• Mobile Apps and related APIs are being integrated systems with
sensitive data, eg Student Grades
• How do we test mobile applications?
• Proxy communications through testing computer
• Requires trusting SSL certificates from intercept proxy
• Review and map mobile APIs similar to any other application
COMPUTING AND COMMUNICATIONS
TECHNIQUESAUTOMATED TESTING
• Follow-up to Manual Testing
• Finish testing with automated testing to find any low hanging fruit
or vulnerabilities possibly missed.
• Burp/Zap
• Both have automated scanning functions
• Skipfish
• Automated scanning function that is great for finding hidden
application components
• W3AF
• Swiss army knife of scanning toolsCOMPUTING AND COMMUNICATIONS
PROCESSREPORTING
• Summarize
• Details about the application and related data
• The scope of testing
• Limitations and/or concerns
• List vulnerabilities
• Descriptions should be targeted to the audience (devs vs mgmt)
• Detail how the vulnerability could be used
• Detail impact and likelihood of it being exploited
• Provide recommendations for remediation
• Provide example screen captures to developers/vendors
COMPUTING AND COMMUNICATIONS
PROCESSREMEDIATION
• Complete/Partial Remediation
• Not reasonable to have every issues found to be completely
remediated.
• Retesting Cycle
• Can be a lot of back and forth trying to address an issue
– May have to settle for partial remediation or alternative
mitigations
• Sign-off for remaining vulnerabilities
• For vulnerabilities not remediated detail the risk and obtain sign-off
from those responsible for the data and application
COMPUTING AND COMMUNICATIONS
PROCESSFUTURE PLANS
• Formalize
• Tracking of vulnerabilities
• Retain testing data
• Maintain data on applications, dev teams and vendors
• Automate testing options for developers
• Threadfix/Mozilla Minion
• Open source applications for tracking vulnerabilities
• Provides options to allow developers to do automated scanning
COMPUTING AND COMMUNICATIONS
PROCESSFUTURE PLANS
• Information Sharing
• Reduce duplication of efforts
– Higher Ed has a lot of niche applications and many institutions
use the same applications
• Security SIG discussion mailing list?
• Improve vendor responses and coordination
• Legal concerns
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING
• Burp Sequencer and Decoder Demo - mutillidae
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - CSRF
• CSRF Attack Demo with Burp Suite - mutillidae
COMPUTING AND COMMUNICATIONS
TECHNIQUESMANUAL TESTING - MOBILE
• Mobile Demo with Burp Suite – Ellucian GO
COMPUTING AND COMMUNICATIONS
QUESTIONS
Jared Perry IT Security Administrator, GSEC, GWAPT, GCWN
Email: [email protected]
Twitter: @jared_perry
Phone: (709) 864-2619
COMPUTING AND COMMUNICATIONS
RESOURCES
• OWASP Link References
• https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• https://www.owasp.org/index.php/
XSS_Filter_Evasion_Cheat_Sheet
• Threadfix/Mozilla Minion
• https://github.com/denimgroup/threadfix/
• https://wiki.mozilla.org/Security/Projects/Minion
• Mobile App Testing
• http://jaredperry.ca/mapping-mobile-app-apis/
COMPUTING AND COMMUNICATIONS
RESOURCES
• Zed Attack Proxy (ZAP)
• https://www.owasp.org/index.php/
OWASP_Zed_Attack_Proxy_Project
• Kali Linux
• http://www.kali.org/
• Burp Suite
• http://portswigger.net/burp/
• Bug Bounties
• https://bugcrowd.com/
COMPUTING AND COMMUNICATIONS