The Hacker Mindset
CSE 591 – Security and Vulnerability Analysis
Spring 2015
Adam Doupé
Arizona State University
http://adamdoupe.com
What is a Vulnerability?
• Making the application do something that it
is not supposed to do
• Therefore, in order to find vulnerabilities,
you must first understand the application
– What is the intended functionality?
– What is the intended behavior?
– What does the application use as input?
– What does the application produce as output?
Adam Doupé, Security and Vulnerability Analysis
Example
• Find: unauthenticated users can edit page
content
• Is this a vulnerability?
– On cnn.com, yes!
– On wikipedia.org, no!
• This is why understanding the web
application is critical
How to Rob a Bank*
• Step 1: Reconnaissance
– Who works at the bank?
– What is their role?
– Who has the keys?
– When do the guards change or take a break?
– What does the layout of the bank look like?
– What does the vault look like?
– What kind of lock does the bank use?
– …
• Step 2: Build elaborate plan
• Step 3: Everything goes wrong
• Step 4: Profit?
*Knowledge comes from movies
How to Rob a Web Application
• Step 1: Reconnaissance
– How does the application work?
– Are there user accounts?
– Do the user accounts have different privileges?
– How are privileges enforced?
– What does the layout of the web application look like (URLs)?
– What URLs should only be accessible via a certain privilege?
– What is the input to the web application?
– What is the output of the web application?
– How is the web application probably written?
• Step 2: Develop vulnerability hypothesis
• Step 3: Test vulnerability hypothesis
• Step 4: Develop exploit
• Step 5: Profit
Injection Vectors
• All user input to the web application
• Some examples
– Query parameters
– URL path
– POST parameters
– Cookies
– Referer header
– Files
– Other websites (twitter feed)
– Emails
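To make "all user input" concrete, here is an added example (not from the slides) that takes a captured HTTP request and lists every place in it where the client controls a value: path segments, query parameters, form-encoded POST parameters, cookies and a few headers that applications commonly reflect or log. The request, its host, paths and parameter names are constructed for the example; the header list is a choice made here, not something the slides specify.

```python
"""Enumerate candidate injection vectors in a captured HTTP request.

Added example, not from the lecture. RAW_REQUEST is constructed; the
INTERESTING_HEADERS selection is an assumption of this example.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# A captured request, constructed for this example (CRLF line endings).
RAW_REQUEST = (
    "POST /wiki/edit/42?preview=1 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Referer: https://example.test/wiki/42\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "title=Hello&body=World"
)

# Headers the server is likely to echo, store or log, so they count as
# input too. Ordered tuple so the output is deterministic.
INTERESTING_HEADERS = ("host", "referer", "user-agent", "x-forwarded-for")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw request into (method, target, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def injection_points(raw: str) -> List[Tuple[str, str, str]]:
    """Return (vector, name, value) for every client-controlled value."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    points: List[Tuple[str, str, str]] = []

    # URL path: each non-empty segment may be parsed by a route handler.
    for i, seg in enumerate(p for p in url.path.split("/") if p):
        points.append(("path", f"segment[{i}]", seg))

    # Query string.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        points.append(("query", name, value))

    # Form-encoded POST body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            points.append(("post", name, value))

    # Cookies: each one is a separate, independently controlled value.
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    for name, morsel in jar.items():
        points.append(("cookie", name, morsel.value))

    # Selected headers.
    for name in INTERESTING_HEADERS:
        if name in headers:
            points.append(("header", name, headers[name]))
    return points


if __name__ == "__main__":
    for vector, name, value in injection_points(RAW_REQUEST):
        print(f"{vector:7} {name:12} {value}")
```

Files, e-mails and data pulled from other sites (the last three bullets) do not appear in a single request and are not covered here; the same idea applies, though: anything the application reads that an outsider can influence is an injection vector, whether or not it arrived over HTTP.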
Understand Data Flow
• How does the input data flow through the
program?
– Data on page X is displayed on page Y and
used to calculate the result of page Z
• How does the output of a page flow
through the program?
– Result of a calculation used as part of a tweet
Summary
• First step to hacking is reconnaissance
• Critical to understand the web application
– Helps to decide what is a vulnerability and what is
not!
• Want to reverse engineer the web application
– Ask yourself: how would I have written this web
application?
– What mistakes might the developer have made?