Search, Explore and Rescue


SEARCH, EXPLORE AND RESCUE
SEBASTIAN AGACHIE
24.02.2016
ABOUT ME
Sebastian Agachie
• Ethical hacker @ Centric
• Security Discipline Coordinator
• Application Developer / Scrum Master
• Security, Pentests, Trainings, Compliancy
AGENDA
Introduction
1. The Three Pillars of Security
2. Security Testing:
• Security Testing: Quiz Game of RedTeam
• Search, explore and rescue vs Search and exploit
• Search, explore and rescue: OWASP Examples
3. Acunetix: What, Why, How?
4. Q&A?
THE THREE PILLARS OF SECURITY
Security C.I.A
• Confidentiality (prevent disclosure of information or data to unauthorized individuals or systems)
• Integrity (methods and actions taken to protect the information from unauthorized alteration or revision)
• Availability (communications systems and data being ready for use when legitimate users need them)
SPEAKING ABOUT "3" PILLARS
Security Triangle
SECURITY TESTING
• Let's play a game!
• Use your phone and navigate to https://kahoot.it
• Enter the Game PIN
• Enter a game Nickname
• Find your name on the screen
• Answer the questions correctly and win points
• The faster and more correctly you respond, the more points you get.
SECURITY TESTING
Search, explore and rescue vs Search and exploit
Tester (security) vs Ethical Hacker
SEARCH, EXPLORE AND RESCUE: OWASP
OWASP TOP 10
A1- INJECTION
How?
String query = "SELECT user_id FROM user_data WHERE user_name='" + req.getParameter("user")
             + "' AND user_password='" + req.getParameter("password") + "'";
With the user parameter set to ' or 1=1 -- the executed query becomes:
SELECT user_id
FROM user_data
WHERE user_name='' or 1=1
-- ' AND user_password='superstrongpassword'
A1- INJECTION
Types of Injections
• SQL - Structured Query Language
• HQL - Hibernate Query Language
• LDAP - Lightweight Directory Access Protocol
• XPath
• XQuery
• XSLT - Extensible Stylesheet Language Transformations
• XML
• OS command injection
• and many more.
SECURITY TESTING - INJECTION ---- DATA VALIDATION TESTING ----:
• Testing for SQL Injection
– Oracle Testing
– MySQL Testing
– SQL Server Testing
– Testing PostgreSQL
– MS Access Testing
– Testing for NoSQL injection
• Testing for LDAP Injection
• Testing for ORM Injection
• Testing for XML Injection
• Testing for SSI Injection
• Testing for XPath Injection
• IMAP/SMTP Injection
• Testing for Code Injection
– Testing for Local File Inclusion
– Testing for Remote File Inclusion
• Testing for Command Injection
• Testing for HTML Injection
• Testing for CSS Injection
More on OWASP Injections:
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How?
• Hardcoded passwords
• Unlimited login attempts
• Use passwords less than 7 characters, preferably digits only
• Resend this at every request preferably
• Nonexistent logging mechanism
• No session management, it never expires, just keep sending the password.
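The "how" items above are the inverse of what an authentication module should do. As an added example that is not from the talk, the Python login service below addresses each one: no hardcoded or plaintext passwords (salted PBKDF2 hashes), a lockout after a bounded number of failed attempts, a password policy that rejects short and digit-only passwords, a log line for every decision, and session tokens that expire instead of the password being resent on every request. The thresholds, the class and method names and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import logging
import os
import secrets
import time

# Policy thresholds are assumptions chosen for the example, not values from the talk.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
MIN_PASSWORD_LENGTH = 12
SESSION_TTL_SECONDS = 1800
PBKDF2_ITERATIONS = 100_000

log = logging.getLogger("auth")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Nothing hardcoded, nothing plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so lockout and expiry can be exercised
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> (count, time of first failure)
        self.sessions = {}          # token -> (username, expires_at)

    def register(self, username, password):
        # Password policy: reject short passwords and digit-only ones.
        if len(password) < MIN_PASSWORD_LENGTH or password.isdigit():
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)
        log.info("registered user %s", username)

    def _locked(self, username, now):
        count, first = self.failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS:
            if now - first < LOCKOUT_SECONDS:
                return True
            del self.failures[username]     # lockout window over, start counting again
        return False

    def login(self, username, password):
        """Returns a session token on success, None otherwise (the reason is logged)."""
        now = self.clock()
        if self._locked(username, now):
            log.warning("login refused, account locked: %s", username)
            return None
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, digest = record if record else (bytes(16), bytes(32))
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, digest):
            count, first = self.failures.get(username, (0, now))
            self.failures[username] = (count + 1, first)
            log.warning("failed login for %s (attempt %d)", username, count + 1)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, now + SESSION_TTL_SECONDS)
        log.info("login succeeded for %s", username)
        return token

    def user_for_session(self, token):
        """Resolves a token to a user; expired sessions are dropped instead of honoured."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[token]
            log.info("session expired for %s", username)
            return None
        return username

    def logout(self, token):
        self.sessions.pop(token, None)
```

The token, not the password, is what the client presents on later requests, and it stops working on its own after the TTL; the lockout counter is reset on a successful login and after the lockout window, so a legitimate user is not locked out forever by someone else's failed attempts.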
A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT
(I.)A.A.A.
• Identification
– knowing who you are (username, password)
– "Knocking at the gate"
• Authentication
– provides a way of identifying a user, typically by having the user enter a valid name and valid password before access is granted.
• Authorization
– determines if a user has the authority to issue different kinds of role-based commands
• Accounting/Nonrepudiation
– measures the resources a user consumes during access (log every action)
SECURITY TESTING - BASM ---- IDENTITY MANAGEMENT TESTING ----:
• Test Role Definitions
• Test User Registration Process
• Test Account Provisioning Process
• Testing for Account Enumeration and Guessable User Account
• Testing for Weak or unenforced username policy
• Test Permissions of Guest/Training Accounts
• Test Account Suspension/Resumption Process
SECURITY TESTING - BASM ---- AUTHENTICATION TESTING ----:
• Testing for Credentials Transported over an Encrypted Channel
• Testing for default credentials
• Testing for Weak lock out mechanism
• Testing for bypassing authentication schema
• Test remember password functionality
• Testing for Browser cache weakness
• Testing for Weak password policy
• Testing for Weak security question/answer
• Testing for weak password change or reset functionalities
• Testing for Weaker authentication in alternative channel
SECURITY TESTING - BASM ----AUTHORIZATION TESTING ----:
• Testing Directory traversal/file include
• Testing for bypassing authorization schema
• Testing for Privilege Escalation
• Testing for Insecure Direct Object References
SECURITY TESTING - BASM ---- SESSION MANAGEMENT TESTING ----:
• Testing for Bypassing Session Management Schema
• Testing for Cookies attributes
• Testing for Session Fixation
• Testing for Exposed Session Variables
• Testing for Cross Site Request Forgery
• Testing for logout functionality
• Test Session Timeout
• Testing for Session puzzling
A3 - CROSS-SITE SCRIPTING (XSS)
How?
• ><
• <requestvalidation = OFF!>
• <script> <img> <html>
SECURITY TESTING - XSS ---- DATA VALIDATION TESTING ----:
• Testing for Clickjacking
• Testing for Cross Site Flashing
• Testing for DOM based Cross Site Scripting (><)
• Testing for JavaScript Execution
• Testing for Reflected Cross Site Scripting
• Testing for Stored Cross Site Scripting
A4 - INSECURE DIRECT OBJECT REFERENCES
How?
• /myapp/config
• /myapp/services
SECURITY TESTING - IDOR:
• Analysis of Error Codes
• Analysis of Stack Traces
• Identify application entry points
• Map execution paths through application
• Fingerprint Web Application Framework
• Fingerprint Web Application
• Map Application Architecture
A5 - SECURITY MISCONFIGURATION
How?
• Server-side security
(webserver port 80)
• Default credentials
• Open directories
• Stack traces enabled
SECURITY TESTING - SECURITY MISCONFIGURATION:
• Test Network/Infrastructure Configuration
• Test Application Platform Configuration
• Test File Extensions Handling for Sensitive Information
• Backup and Unreferenced Files for Sensitive Information
• Enumerate Infrastructure and Application Admin Interfaces
• Test HTTP Methods
• Test HTTP Strict Transport Security
• Test RIA cross domain policy
A6 - SENSITIVE DATA EXPOSURE
How?
• No SSL (or weak existing one - F Class certificates)
• Transport encryption 512 bit
• Credentials and information transport made in clear text
SECURITY TESTING - SENSITIVE DATA EXPOSURE -:
• Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
• Testing for Padding Oracle
• Testing for Sensitive information sent via unencrypted channels
• Error Handling
• Analysis of Error Codes
• Analysis of Stack Traces
A7 - MISSING FUNCTION LEVEL ACCESS CONTROL
How?
• Make use of IFRAME / Adobe modules
• /Admin/ -> = Admin
• /phpMyAdmin/
SECURITY TESTING - MISSING FUNCTION LEVEL ACCESS CONTROL:
• Conduct Search Engine Discovery and Reconnaissance for Information Leakage
• Fingerprint Web Server
• Review Webserver Metafiles for Information Leakage
• Enumerate Applications on Webserver
• Review Webpage Comments and Metadata for Information Leakage
• ....Also IDOR Tests
A8 - CROSS-SITE REQUEST FORGERY (CSRF)
How?
<form method="GET" action="Actions/Transfer/">
<input name="from" value="You">
<input name="to" value="Me">
<input name="value" value="10000">
<input name="currency" value="EUR">
</form>
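The form above works against the logged-in user because the browser attaches that user's cookies to whatever a page submits, so the transfer endpoint sees a request that looks legitimate. As an added example that is not from the talk, the Python handler below shows the two server-side checks that make such a form safe to expose: state-changing actions are accepted only over POST, and the request must carry a token derived from the session, which a page served from another origin cannot read. The session ids, account names, balances and the shape of the request dict are constructed for the example.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; normally loaded from configuration
SESSIONS = {"sess-you": "You"}            # constructed: session id -> account owner


def csrf_token(session_id):
    """Token bound to the session: only a page served to this user can contain it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The slide's form, corrected: POST instead of GET, plus a hidden per-session token.
    The 'from' field is gone; the sender is taken from the session on the server."""
    return (
        '<form method="POST" action="Actions/Transfer/">\n'
        f'  <input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">\n'
        '  <input name="to"> <input name="value"> <input name="currency">\n'
        "</form>"
    )


def handle_transfer(request, balances):
    """request is a constructed dict with keys "method", "cookies" and "form".
    Returns (status, message); balances is changed only when every check passes."""
    if request["method"] != "POST":
        return 405, "state-changing actions are not accepted over GET"
    session_id = request["cookies"].get("session")
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, "not logged in"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    # The sending account comes from the session, never from a form field.
    to = request["form"]["to"]
    amount = int(request["form"]["value"])
    if amount <= 0 or to not in balances or balances[owner] < amount:
        return 400, "invalid transfer"
    balances[owner] -= amount
    balances[to] += amount
    return 200, f"transferred {amount} {request['form']['currency']} to {to}"


if __name__ == "__main__":
    balances = {"You": 20000, "Me": 0}
    cross_site = {"method": "POST", "cookies": {"session": "sess-you"},
                  "form": {"to": "Me", "value": "10000", "currency": "EUR"}}
    print(handle_transfer(cross_site, balances))   # (403, ...): cookies alone are not enough
    genuine = {**cross_site, "form": {**cross_site["form"], "csrf_token": csrf_token("sess-you")}}
    print(handle_transfer(genuine, balances))      # (200, ...)
```

Rejecting GET is what removes the slide's form as a vector, and the token is what stops the same form being replayed as a POST; a SameSite attribute on the session cookie (one of the "Cookies attributes" tests listed earlier) adds a browser-side layer on top of both.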
SECURITY TESTING - CSRF:
• Testing for Client Side URL Redirect
• Testing for Client Side Resource Manipulation
• Test Cross Origin Resource Sharing
• Test data validation
• Test Upload of Unexpected File Types
• Test Upload of Malicious Files
A9 - USING KNOWN VULNERABLE COMPONENTS
How?
• External libraries
• Javascript
• Jquery
• Adobe ....... and the list continues
SECURITY TESTING - VULNERABLE COMPONENTS -
• Verify components versions
• Check components for vulnerabilities via web
A10 - UNVALIDATED REDIRECTS AND FORWARDS
SECURITY TESTING - REDIRECTS AND FORWARDS:
• Testing for Client Side URL Redirect
SECURITY TESTING - ADDITIONAL TESTS:
Data Validation Testing
• Testing for HTTP Verb Tampering
• Testing for HTTP Parameter pollution
• Testing for Buffer overflow
– Testing for Heap overflow
– Testing for Stack overflow
– Testing for Format string
• Testing for incubated vulnerabilities
• Testing for HTTP Splitting/Smuggling
Business Logic Testing
• Test Business Logic Data Validation
• Test Ability to Forge Requests
• Test Integrity Checks
• Test for Process Timing
• Test Number of Times a Function Can be Used Limits
• Testing for the Circumvention of Work Flows
• Test Defenses Against Application Mis-use
• Test Upload of Unexpected File Types
• Test Upload of Malicious Files
Client Side Testing
• Testing WebSockets
• Test Web Messaging
• Test Local Storage
SOFTWARE SOLUTIONS FOR TESTERS
WHY? WHAT? HOW?
• Why do we need it?
• What does it do?
• How shall we use it?
WHY? WHAT? HOW?
• Improve yourself
• Because… websites and web applications
• No security fines
• Some firewalls and SSL provide no protection against web application hacking
• Most web applications are custom-made
• Web application security remains the most critical
• Automated web application security testing tool
• Create confidence among testers and raise the level of security awareness
WHY? WHAT? HOW?
• Web Vulnerability Scanner (Server Headers, Port Scanner, Owasp10, Directories etc.)
• Web Services Scanner
• Crawling processes
• Subdomain Scanner
• HTTP Editor, HTTP Sniffer, HTTP Fuzzer
• Blind SQL Injector
• Authentication Tester
• Compare Results
• Report generator
WHY? WHAT? HOW?
• Remote access to Acunetix Server
• Login with your domain credentials
• Open Acunetix Web Vulnerability Scanner 10.0
• Start a new scan (single or resumed scan – select/define profiles – optimize technologies – login sequence – Start scan)
• Generate Report
• Resumed scan after you crawled the web application
• Default profile covers most of the vulnerabilities but can take a while to be finished
• False technologies selected may influence the end result
• You can define a login sequence and save it
WHY? WHAT? HOW?
• Start a new scan
• Select the type of scan (single or resumed scan)
• Select/define profiles
• Optimize technologies
• Define Login sequence
• Scanning in progress
• Pressing on a vulnerability will display useful information and advice on how you can mitigate the threat
• Generate Report
RECOMMENDATIONS
• Use Acunetix only after you security test (exploratory) the application;
• Acunetix can verify what you already discovered and give you confidence. It doesn't replace security testing!!
• Use Acunetix on a different environment (not production, test, demo, dev etc.)
• Security environment (there is a chance that Acunetix may interfere with the build)
• Use Acunetix at a specific time interval
• Not for every text box that is added to the application
THANK YOU!
[email protected]