Search, Explore and Rescue Sebastian Agachie 24.02.2016
About me Sebastian Agachie • Ethical hacker @ Centric • Security Discipline Coordinator • Application Developer / Scrum Master • Security, Pentests, Trainings, Compliance
Agenda Introduction 1. The Three Pillars of Security 2. Security Testing: • Quiz Game of RedTeam • Search, explore and rescue vs Search and exploit • Search, explore and rescue: OWASP Examples 3. Acunetix: What, Why, How? 4. Q&A
The Three Pillars of Security Security C.I.A
The Three Pillars of Security Confidentiality
The Three Pillars of Security Integrity
The Three Pillars of Security Availability
The Three Pillars of Security • Confidentiality (prevent disclosure of information or data to unauthorized individuals or systems) • Integrity (methods and actions taken to protect information from unauthorized alteration or revision) • Availability (communication systems and data are ready for use when legitimate users need them)
Speaking about "3" Pillars Security Triangle
Security Testing • Let's play a game! • Use your phone and navigate to https://kahoot.it • Enter the Game PIN and a game nickname • Find your name on the screen • Answer the questions correctly to win points • The faster you answer correctly, the more points you get.
Security Testing Search, explore and rescue vs Search and exploit Tester (security) vs Ethical Hacker
A1- INJECTION How? String query = "SELECT user_id FROM user_data WHERE user_name='" + req.getParameter("user") + "' AND user_password='" + req.getParameter("password") + "'"; With user = ' or 1=1 -- the executed statement becomes: SELECT user_id FROM user_data WHERE user_name='' or 1=1 -- ' AND user_password='superstrongpassword' (the -- comments out the password check, so the first user_id is returned)
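The concatenated login query from the slide, rebuilt as an added example (not code from the slides) against an in-memory SQLite table so it can be run offline. The table, the single user row and the `PAYLOAD` value are constructed for the example; the plaintext password comparison is kept only to stay focused on the injection, not as a recommended design. The parameterised variant beside it is the fix the slide implies: the payload is then compared as a literal string and the comment trick never reaches the SQL parser.

```python
import sqlite3

# The slide's payload: closes the user_name literal, makes the WHERE clause
# always true and comments out the password check. (Constructed for the example.)
PAYLOAD = "' or 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a strong password."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    con.execute("INSERT INTO user_data VALUES (1, 'alice', 'superstrongpassword')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    """Mirrors the slide: request parameters are glued into the SQL text.
    Returns the user_id on success, None on failure."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name='" + user
        + "' AND user_password='" + password + "'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, user: str, password: str):
    """Parameterised query: the driver sends values separately from the SQL,
    so quotes and comment markers in the input are never parsed as SQL."""
    row = con.execute(
        "SELECT user_id FROM user_data WHERE user_name=? AND user_password=?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, PAYLOAD, "wrong"))  # 1: logged in without the password
    print(login_safe(con, PAYLOAD, "wrong"))        # None: payload treated as data
```

Note that `-- ` with a trailing space is used because some engines (MySQL) require whitespace after `--`; SQLite accepts it either way.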
A1- INJECTION • Types of Injections • SQL - Structured Query Language • HQL - Hibernate Query Language • LDAP - Lightweight Directory Access Protocol • XPath • XQuery • XSLT - Extensible Stylesheet Language Transformations • XML • OS command injection • and many more.
Security Testing - Injection ---- Data Validation Testing----: • Testing for SSI Injection • Testing for XPath Injection • IMAP/SMTP Injection • Testing for Code Injection • Testing for Local File Inclusion • Testing for Remote File Inclusion • Testing for Command Injection • Testing for HTML Injection • Testing for CSS Injection • Testing for SQL Injection • Oracle Testing • MySQL Testing • SQL Server Testing • Testing PostgreSQL • MS Access Testing • Testing for NoSQL injection • Testing for LDAP Injection • Testing for ORM Injection • Testing for XML Injection More on OWASP Injections: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
A2 - Broken authentication and session management How? • Hardcoded passwords • Unlimited login attempts • Passwords shorter than 7 characters, preferably digits only • Resend the password with every request • Nonexistent logging mechanism • No session management: the session never expires, the client just keeps sending the password.
A2 - Broken authentication and session management (I.)A.A.A.
A2 - Broken authentication and session management • Identification – claiming who you are (the username) - "Knocking at the gate" • Authentication – proving that claim, typically by having the user enter a valid name and a valid password before access is granted • Authorization – determines whether the authenticated user is allowed to perform a given (role-based) action • Accounting/Non-repudiation – measures the resources a user consumes during access (log every action)
Security Testing - BASM ----Identity Management Testing ----: • Test Role Definitions • Test User Registration Process • Test Account Provisioning Process • Testing for Account Enumeration and Guessable User Account • Testing for Weak or unenforced username policy • Test Permissions of Guest/Training Accounts • Test Account Suspension/Resumption Process
Security Testing - BASM ----Authentication Testing----: • Testing for Credentials Transported over an Encrypted Channel • Testing for default credentials • Testing for Weak lock out mechanism • Testing for bypassing authentication schema • Test remember password functionality • Testing for Browser cache weakness • Testing for Weak password policy • Testing for Weak security question/answer • Testing for weak password change or reset functionalities • Testing for Weaker authentication in alternative channel
Security Testing - BASM ----Authorization Testing ----: • Testing Directory traversal/file include • Testing for bypassing authorization schema • Testing for Privilege Escalation • Testing for Insecure Direct Object References
Security Testing - BASM ----Session Management Testing ----: • Testing for Bypassing Session Management Schema • Testing for Cookies attributes • Testing for Session Fixation • Testing for Exposed Session Variables • Testing for Cross Site Request Forgery • Testing for logout functionality • Test Session Timeout • Testing for Session puzzling
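One check from the list above, "Testing for Cookies attributes", as an added example that is not part of the slides: a small Set-Cookie parser and the findings a tester would record for a session cookie (Secure, HttpOnly, SameSite, persistence, guessable length). The two sample headers are constructed for the example and do not come from any real application.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes.
    Attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, served_over_https: bool = True) -> list:
    """Return the findings for one session cookie; an empty list means it passed."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite missing or None: sent on cross-site requests (CSRF)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: session cookie survives closing the browser")
    if len(cookie["value"]) < 16:
        findings.append("short value: session id may be guessable")
    return findings


# Constructed sample headers, one weak and one hardened.
SAMPLE_HEADERS = {
    "weak": "JSESSIONID=AB12; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "strong": "sid=f1c9e0d7b3a24c5e8d6f7a1b2c3d4e5f; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_session_cookie(header))
```

The length check is only a first filter; the real test for a guessable session id is collecting many of them and looking at their entropy, which this example does not do.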
A3 - Cross-Site Scripting (XSS) How? • >< (unencoded angle brackets in output) • <requestValidation = OFF!> • <script> <img> <html>
Security Testing - XSS ---- Data Validation Testing ----: • Testing for Clickjacking • Testing for Cross Site Flashing • Testing for DOM based Cross Site Scripting (><) • Testing for JavaScript Execution • Testing for Reflected Cross Site Scripting • Testing for Stored Cross Site Scripting
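The reflected-XSS tests in the list above come down to one question: does a probe with HTML special characters come back in the response unencoded, and in which context? The following is an added example, not from the slides or from any scanner's code: it submits a marker-wrapped probe and classifies the reflection as absent, fully encoded, raw in HTML, or raw inside a script block (a partially encoded result, e.g. only angle brackets escaped, is still exploitable in an attribute context). The three `render_*` functions are constructed stand-ins for the responses of a vulnerable, a half-fixed and a correct page.

```python
import html
import re

MARKER = "zx9"        # alphanumeric token unlikely to appear on a page by itself
SPECIALS = "<>\"'"    # the characters an HTML-context XSS payload needs

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def build_probe() -> str:
    """Value to submit in every parameter under test, e.g. ?q=zx9<>"'zx9."""
    return MARKER + SPECIALS + MARKER


def classify_reflection(body: str) -> str:
    """Classify how the probe came back: 'absent', 'encoded', 'raw:<chars>'
    or 'raw-in-script:<chars>', where <chars> lists the specials that survived."""
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    if m is None:
        return "absent"
    middle = m.group(1)
    surviving = "".join(c for c in SPECIALS if c in middle)
    if not surviving:
        return "encoded"
    in_script = any(s.start() <= m.start() < s.end() for s in SCRIPT_RE.finditer(body))
    return ("raw-in-script:" if in_script else "raw:") + surviving


# Constructed responses standing in for three versions of a search page.
def render_unsafe(q: str) -> str:
    return "<html><body>Results for " + q + "</body></html>"


def render_partial(q: str) -> str:
    # Encodes only angle brackets: quotes still break out of the attribute.
    q = q.replace("<", "&lt;").replace(">", "&gt;")
    return '<input value="' + q + '">'


def render_safe(q: str) -> str:
    return "<p>" + html.escape(q, quote=True) + "</p>"


def render_script(q: str) -> str:
    return '<script>var q = "' + q + '";</script>'


if __name__ == "__main__":
    probe = build_probe()
    for render in (render_unsafe, render_partial, render_safe, render_script):
        print(render.__name__, classify_reflection(render(probe)))
```

A scanner repeats this per parameter and per injection point; the classification decides which payload family to try next rather than proving exploitability on its own.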
A4 - Insecure Direct Object References How? • /myapp/config • /myapp/services
Security Testing – IDOR - : • Analysis of Error Codes • Analysis of Stack Traces • Identify application entry points • Map execution paths through application • Fingerprint Web Application Framework • Fingerprint Web Application • Map Application Architecture
A5 - Security Misconfiguration How? • Server-side security (web server on plain HTTP, port 80) • Default credentials • Open directory listings • Stack traces enabled
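An insecure direct object reference in code, as an added example that is not part of the slides: a lookup that trusts the id from the URL, the same lookup with an ownership check, and the per-session indirect-reference map that keeps real ids away from the client altogether. The invoice table and user names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_eur: int


# Constructed sample data: two customers with sequential ids, the classic IDOR setup.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 4800),
}


def get_invoice_idor(invoice_id: int) -> Invoice:
    """Vulnerable: trusts the id from the request, e.g. /invoice?id=1002.
    Any logged-in user who changes the number sees someone else's invoice."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user: str, invoice_id: int) -> Invoice:
    """Fixed: the object is returned only if the authenticated user owns it.
    A missing id and a foreign id get the same answer, so ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"{current_user} may not access invoice {invoice_id}")
    return invoice


class IndirectReferenceMap:
    """Per-session map from random handles to real ids. The client only ever
    sees handles; a handle from another session resolves to nothing."""

    def __init__(self):
        self._handles = {}

    def handle_for(self, invoice_id: int) -> str:
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = invoice_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._handles:
            raise Forbidden("unknown handle for this session")
        return self._handles[handle]


def page_handles(session: IndirectReferenceMap, user: str) -> list:
    """The links a user's page would carry: one handle per invoice they own."""
    return [session.handle_for(i.invoice_id) for i in INVOICES.values() if i.owner == user]


if __name__ == "__main__":
    print(get_invoice_idor(1002))               # alice's request, bob's invoice
    print(get_invoice_checked("alice", 1001))   # allowed
    s = IndirectReferenceMap()
    print(page_handles(s, "alice"))              # opaque handles, not 1001
```

The ownership check belongs in the data-access layer, not in the controller, so that every path to the object goes through it.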
Security Testing - Security Misconfiguration -: • Test Network/Infrastructure Configuration • Test Application Platform Configuration • Test File Extensions Handling for Sensitive Information • Backup and Unreferenced Files for Sensitive Information • Enumerate Infrastructure and Application Admin Interfaces • Test HTTP Methods • Test HTTP Strict Transport Security • Test RIA cross domain policy
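Three of the configuration checks above ("Test HTTP Methods", "Test HTTP Strict Transport Security" and the version banners picked up while enumerating the platform) run over response headers, as an added example that is not from the slides. The two header sets are constructed for the example; the `Allow` value is what an OPTIONS request would return.

```python
import re


def _lower_keys(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def audit_http_methods(allow_header: str) -> list:
    """Check the Allow header of an OPTIONS response for methods that should be off."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    findings = []
    if "TRACE" in methods:
        findings.append("TRACE enabled (cross-site tracing, echoes request headers)")
    for m in ("PUT", "DELETE"):
        if m in methods:
            findings.append(f"{m} enabled: confirm the application really needs it")
    return findings


def audit_hsts(headers: dict) -> list:
    """HSTS must be present on HTTPS responses, long-lived, and cover subdomains."""
    value = _lower_keys(headers).get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    max_age = int(m.group(1)) if m else 0
    if max_age < 15552000:  # 180 days, the usual minimum for browser preload lists
        findings.append(f"HSTS max-age too short ({max_age}s)")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS without includeSubDomains")
    return findings


def audit_banners(headers: dict) -> list:
    """Version numbers in server banners feed directly into A9 (known vulnerable components)."""
    h = _lower_keys(headers)
    return [
        f"{name} discloses a version: {h[name]}"
        for name in ("server", "x-powered-by", "x-aspnet-version")
        if name in h and re.search(r"\d", h[name])
    ]


def audit_response(headers: dict) -> list:
    h = _lower_keys(headers)
    return audit_http_methods(h.get("allow", "")) + audit_hsts(headers) + audit_banners(headers)


# Constructed sample header sets.
MISCONFIGURED = {
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT",
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
}
HARDENED = {
    "Allow": "GET, HEAD, POST, OPTIONS",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Server": "Apache",
}

if __name__ == "__main__":
    print(audit_response(MISCONFIGURED))
    print(audit_response(HARDENED))
```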
A6 - Sensitive Data Exposure How? • No SSL/TLS (or a weak configuration - F-grade) • Transport encryption with 512-bit (export-grade) keys • Credentials and information transported in clear text
Security Testing - Sensitive Data Exposure -: • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection • Testing for Padding Oracle • Testing for Sensitive information sent via unencrypted channels • Error Handling • Analysis of Error Codes • Analysis of Stack Traces
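The weak-cipher and transport-protection tests above, as an added example that is not from the slides: a classifier for protocol versions, cipher-suite names (OpenSSL naming) and key sizes applied to a constructed scan result, plus a client context that refuses to negotiate below TLS 1.2 so the same list can be checked against what this Python build would actually offer. The scanned server values are constructed for the example.

```python
import ssl

# Substrings that mark an OpenSSL cipher-suite name as weak or broken:
# no encryption, export grade, (3)DES, RC4/RC2, MD5 MACs, anonymous key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "DES", "RC4", "RC2", "MD5", "ADH", "AECDH")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MIN_RSA_BITS = 2048


def is_weak_cipher(name: str) -> bool:
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def audit_tls(protocols: list, ciphers: list, rsa_key_bits: int) -> list:
    """Findings for one server's handshake offer; empty list means it passed."""
    findings = [f"legacy protocol offered: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    findings += [f"weak cipher offered: {c}" for c in ciphers if is_weak_cipher(c)]
    if rsa_key_bits < MIN_RSA_BITS:
        findings.append(f"{rsa_key_bits}-bit RSA key (minimum {MIN_RSA_BITS})")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Default context (certificate verification on) pinned to TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_ciphers_in(ctx: ssl.SSLContext) -> list:
    """Names of cipher suites the context would still offer that our list calls weak."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


# Constructed scan result for a badly configured server (the slide's 512-bit case).
SAMPLE_SERVER = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers": ["EXP-RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "rsa_key_bits": 512,
}

if __name__ == "__main__":
    for f in audit_tls(**SAMPLE_SERVER):
        print(f)
    print("weak suites in hardened client:", weak_ciphers_in(hardened_client_context()))
```

The marker list is deliberately conservative; a real assessment also checks forward secrecy (DHE/ECDHE key exchange), certificate chain and signature algorithm, which an SSL Labs style scan reports alongside the grade.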
A7 - Missing Function Level Access Control How? • Make use of IFRAME / Adobe modules • /Admin/ reachable -> you are Admin • /phpMyAdmin/
Security Testing - Missing Function Level Access Control - • Conduct Search Engine Discovery and Reconnaissance for Information Leakage • Fingerprint Web Server • Review Webserver Metafiles for Information Leakage • Enumerate Applications on Webserver • Review Webpage Comments and Metadata for Information Leakage • ....Also IDOR Tests
A8 - Cross-Site Request Forgery (CSRF) How? <form method="GET" action="Actions/Transfer/"> <input name="from" value="You"> <input name="to" value="Me"> <input name="value" value="10000"> <input name="currency" value="EUR"> </form> (the victim's browser attaches the session cookie automatically, so the transfer runs with the victim's rights)
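The server-side fix for the forged transfer form, as an added example that is not part of the slides: a CSRF token bound to the session with an HMAC (so it needs no server-side token store and a token captured from another session does not verify), constant-time comparison, and a transfer handler that rejects GET for state changes. `SERVER_SECRET`, the session ids and `FORGED_FORM` are constructed for the example; in production the secret comes from configuration.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from configuration,
# never from source code, and rotates it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC-SHA256(secret, session_id:nonce). Embed it in the
    transfer form as a hidden field; it is unguessable without the secret."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def transfer_endpoint(session_id: str, method: str, form: dict) -> str:
    """Models Actions/Transfer/ from the slide with both fixes applied."""
    if method != "POST":
        return "rejected: state change requires POST"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"ok: {form['value']} {form['currency']} from {form['from']} to {form['to']}"


# The attacker's form from the slide, as the server would receive it (constructed).
FORGED_FORM = {"from": "You", "to": "Me", "value": "10000", "currency": "EUR"}

if __name__ == "__main__":
    token = issue_csrf_token("victim-session")
    print(transfer_endpoint("victim-session", "GET", FORGED_FORM))
    print(transfer_endpoint("victim-session", "POST", FORGED_FORM))
    print(transfer_endpoint("victim-session", "POST", dict(FORGED_FORM, csrf_token=token)))
```

The attacker's page cannot read the token because it lives in the victim's origin; a `SameSite=Lax` session cookie adds a second, independent layer for browsers that support it.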
Security Testing – CSRF - • Testing for Client Side URL Redirect • Testing for Client Side Resource Manipulation • Test Cross Origin Resource Sharing • Test data validation • Test Upload of Unexpected File Types • Test Upload of Malicious Files
A9 - Using Known Vulnerable Components How? • External libraries • JavaScript • jQuery • Adobe ....... and the list continues
Security Testing - Vulnerable Components - • Verify components versions • Check components for vulnerabilities via web
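"Verify component versions" and "check them for vulnerabilities" is, mechanically, version parsing plus range matching against an advisory feed, shown here as an added example that is not from the slides. The component names, versions and advisory ranges (`EXAMPLE-00x`) are placeholders constructed for the example; they describe no real library or vulnerability, and a real run would load the feed from a source such as the NVD or the library's own advisories.

```python
import re


def parse_version(text: str) -> tuple:
    """Dotted version -> comparable tuple padded to three parts: '1.12.4' -> (1, 12, 4),
    'v2.1' -> (2, 1, 0). Pre-release suffixes (-rc1, -beta) are dropped, a known
    simplification: treat '2.2.1-rc1' as 2.2.1 only if that matches the feed's convention."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


# Constructed placeholder advisory feed: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-001", "component": "example-ui.js", "introduced": "1.0.0", "fixed": "1.12.0"},
    {"id": "EXAMPLE-002", "component": "example-ui.js", "introduced": "2.0.0", "fixed": "2.2.1"},
    {"id": "EXAMPLE-003", "component": "example-xml-lib", "introduced": "0.0.0", "fixed": "3.4.0"},
]


def affected(advisory: dict, version: str) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan_manifest(manifest: dict, advisories: list = ADVISORIES) -> dict:
    """Map each installed component to the advisory ids covering its version."""
    hits = {}
    for name, version in manifest.items():
        matches = [a["id"] for a in advisories if a["component"] == name and affected(a, version)]
        if matches:
            hits[name] = matches
    return hits


# Constructed: what a tester extracts from script tags, pom.xml or package.json.
MANIFEST = {
    "example-ui.js": "1.11.3",
    "example-xml-lib": "3.4.0",
    "example-crypto": "0.9.1",
}

if __name__ == "__main__":
    print(scan_manifest(MANIFEST))
```

The version string a page exposes (a `jquery-1.11.3.min.js` filename, a banner) is the input here; the hard part in practice is getting that inventory complete, which is why the tests under A9 start with fingerprinting.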
Security Testing - Redirects and Forwards - • Testing for Client Side URL Redirect
Security Testing - Additional Tests: ---- Business Logic Testing ----: • Test Business Logic Data Validation • Test Ability to Forge Requests • Test Integrity Checks • Test for Process Timing • Test Number of Times a Function Can be Used Limits • Testing for the Circumvention of Work Flows • Test Defenses Against Application Mis-use • Test Upload of Unexpected File Types • Test Upload of Malicious Files ---- Data Validation Testing ----: • Testing for HTTP Verb Tampering • Testing for HTTP Parameter pollution • Testing for Buffer overflow • Testing for Heap overflow • Testing for Stack overflow • Testing for Format string • Testing for incubated vulnerabilities • Testing for HTTP Splitting/Smuggling ---- Client Side Testing ----: • Testing WebSockets • Test Web Messaging • Test Local Storage
Why? What? How? • Why do we need it? • What does it do? • How shall we use it?
Why? What? How? • Improve yourself • Because... websites and web applications • No security fines • Firewalls and SSL/TLS alone provide no protection against web application hacking
Why? What? How? • Most web applications are custom-made • Web application security remains the most critical area • Automated web application security testing tool • Creates confidence among testers and raises the level of security awareness
Why? What? How? • Web Vulnerability Scanner (Server Headers, Port Scanner, OWASP Top 10, Directories etc.) • Web Services Scanner • Crawling processes • Subdomain Scanner
Why? What? How? • HTTP Editor, HTTP Sniffer, HTTP Fuzzer • Blind SQL Injector • Authentication Tester • Compare Results • Report generator
Why? What? How? • Remote access to the Acunetix server • Log in with your domain credentials • Open Acunetix Web Vulnerability Scanner 10.0 • Start a new scan (single or resumed scan – select/define profiles – optimize technologies – login sequence – Start scan) • Generate Report • Resume a scan after you have crawled the web application • The default profile covers most of the vulnerabilities but can take a while to finish • Selecting the wrong technologies may skew the end result • You can define a login sequence and save it
Why? What? How? • Start a new scan
Why? What? How? • Select the type of scan (single or resumed scan)