
Search, Explore and Rescue

Search, Explore and Rescue. Sebastian Agachie. 24.02.2016. About me. Sebastian Agachie, Ethical hacker @ Centric, Security Discipline Coordinator, Application Developer / Scrum Master; Security, Pentests, Trainings, Compliancy. Agenda. Introduction 1. The Three Pillars of Security



Presentation Transcript


  1. Search, Explore and Rescue Sebastian Agachie 24.02.2016

  2. About me Sebastian Agachie • Ethical hacker @ Centric • Security Discipline Coordinator • Application Developer / Scrum Master • Security, Pentests, Trainings, Compliancy

  3. Agenda Introduction 1. The Three Pillars of Security 2. Security Testing: • Security Testing: Quiz Game of RedTeam • Search, explore and rescue vs Search and exploit • Search, explore and rescue: OWASP Examples 3. Acunetix: What, Why, How? 4. Q&A?

  4. The Three Pillars of Security Security C.I.A

  5. The Three Pillars of Security Confidentiality

  6. The Three Pillars of Security Integrity

  7. The Three Pillars of Security Availability

  8. The Three Pillars of Security • Confidentiality (prevent disclosure of information or data to unauthorized individuals or systems) • Integrity (methods and actions taken to protect the information from unauthorized alteration or revision) • Availability (communications systems and data being ready for use when legitimate users need them)

  9. Speaking about "3" Pillars Security Triangle

  10. Security Testing • Let's play a game! • Use your phone and navigate to https://kahoot.it • Enter the Game PIN • Enter a game Nickname • Find your name on the screen • Answer the questions correctly and win points • The faster and more correctly you respond, the more points you get.

  11. Security Testing Search, explore and rescue vs Search and exploit Tester (security) vs Ethical Hacker

  12. Search, explore and rescue: OWASP

  13. OWASP TOP 10

  14. OWASP TOP 10

  15. A1- INJECTION How? String query = "SELECT user_id FROM user_data WHERE user_name='" + req.getParameter("user") + "' AND user_password='" + req.getParameter("password") + "'"; With the user parameter set to ' or 1=1 -- the executed statement becomes: SELECT user_id FROM user_data WHERE user_name='' or 1=1 -- AND user_password='superstrongpassword'
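The slide's concatenated query, ported to Python and run against a constructed in-memory SQLite table, next to the parameterized version that treats the same input as plain data. This is an added example, not code from the slides; the table rows and the `login_*` function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's user_data table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    # A real application would store password hashes; plaintext only mirrors the slide's schema.
    conn.execute("INSERT INTO user_data VALUES (1, 'alice', 'superstrongpassword')")
    conn.execute("INSERT INTO user_data VALUES (2, 'bob', 'hunter2')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: the slide's string-concatenated query. Returns matching user_ids."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name='" + user
        + "' AND user_password='" + password + "'"
    )
    # With user = "' or 1=1 --" the WHERE clause is rewritten and the password check is
    # commented out, so every row matches.
    return sorted(row[0] for row in conn.execute(query))


def login_param(conn, user, password):
    """Fixed: bound parameters. The driver sends the input as values, never as SQL text."""
    query = "SELECT user_id FROM user_data WHERE user_name=? AND user_password=?"
    return sorted(row[0] for row in conn.execute(query, (user, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("concatenated:", login_concat(db, payload, "anything"))  # every user_id
    print("parameterized:", login_param(db, payload, "anything"))  # no match
```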

  16. A1- INJECTION • Types of Injections • SQL - Structured Query Language • HQL - Hibernate Query Language • LDAP - Lightweight Directory Access Protocol • XPath • XQuery • XSLT - Extensible Stylesheet Language Transformations • XML • OS command injection • and many more.

  17. Security Testing - Injection ---- Data Validation Testing----: • Testing for SSI Injection • Testing for XPath Injection • IMAP/SMTP Injection • Testing for Code Injection • Testing for Local File Inclusion • Testing for Remote File Inclusion • Testing for Command Injection • Testing for HTML Injection • Testing for CSS Injection • Testing for SQL Injection • Oracle Testing • MySQL Testing • SQL Server Testing • Testing PostgreSQL • MS Access Testing • Testing for NoSQL injection • Testing for LDAP Injection • Testing for ORM Injection • Testing for XML Injection More on OWASP Injections: https://www.owasp.org/index.php/Top_10_2013-A1-Injection

  18. A2 - Broken authentication and session management How? • Hardcoded passwords • Unlimited login attempts • Use passwords less than 7 characters, preferably digits only • Resend this at every request preferably • Nonexistent logging mechanism • No session management, it never expires, just keep sending the password.

  19. A2 - Broken authentication and session management (I.)A.A.A.

  20. A2 - Broken authentication and session management • Identification – knowing who you are (username, password) - "Knocking at the gate" • Authentication – provides a way of identifying a user, typically by having the user enter a valid name and valid password before access is granted. • Authorization – determines if a user has the authority to issue different kinds of role-based commands • Accounting/Nonrepudiation – measures the resources a user consumes during access (log every action)

  21. Security Testing - BASM ----Identity Management Testing ----: • Test Role Definitions • Test User Registration Process • Test Account Provisioning Process • Testing for Account Enumeration and Guessable User Account • Testing for Weak or unenforced username policy • Test Permissions of Guest/Training Accounts • Test Account Suspension/Resumption Process

  22. Security Testing - BASM ----Authentication Testing----: • Testing for Credentials Transported over an Encrypted Channel • Testing for default credentials • Testing for Weak lock out mechanism • Testing for bypassing authentication schema • Test remember password functionality • Testing for Browser cache weakness • Testing for Weak password policy • Testing for Weak security question/answer • Testing for weak password change or reset functionalities • Testing for Weaker authentication in alternative channel

  23. Security Testing - BASM ----Authorization Testing ----: • Testing Directory traversal/file include • Testing for bypassing authorization schema • Testing for Privilege Escalation • Testing for Insecure Direct Object References

  24. Security Testing - BASM ----Session Management Testing ----: • Testing for Bypassing Session Management Schema • Testing for Cookies attributes • Testing for Session Fixation • Testing for Exposed Session Variables • Testing for Cross Site Request Forgery • Testing for logout functionality • Test Session Timeout • Testing for Session puzzling

  25. A3 - Cross-Site Scripting (XSS) HOW? • >< • <requestvalidation = OFF!>  • <script> <img> <html>

  26. Security Testing - XSS ---- Data Validation Testing ----: • Testing for Clickjacking • Testing for Cross Site Flashing • Testing for DOM based Cross Site Scripting (><) • Testing for JavaScript Execution • Testing for Reflected Cross Site Scripting • Testing for Stored Cross Site Scripting

  27. A4 - Insecure Direct Object References How? • /myapp/config • /myapp/services 

  28. Security Testing – IDOR - : • Analysis of Error Codes • Analysis of Stack Traces • Identify application entry points • Map execution paths through application • Fingerprint Web Application Framework • Fingerprint Web Application • Map Application Architecture

  29. A5 - Security Misconfiguration How? • Server-side security (webserver port 80) • Default credentials • Open directories • Stack traces enabled

  30. Security Testing - Security Misconfiguration -: • Test Network/Infrastructure Configuration • Test Application Platform Configuration • Test File Extensions Handling for Sensitive Information • Backup and Unreferenced Files for Sensitive Information • Enumerate Infrastructure and Application Admin Interfaces • Test HTTP Methods • Test HTTP Strict Transport Security • Test RIA cross domain policy

  31. A6 - Sensitive Data Exposure How? • No SSL (or weak existing one - F Class certificates) • Transport encryption 512 bit • Credentials and information transport made in clear text

  32. Security Testing - Sensitive Data Exposure -: • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection • Testing for Padding Oracle • Testing for Sensitive information sent via unencrypted channels • Error Handling • Analysis of Error Codes • Analysis of Stack Traces

  33. A7 - Missing Function Level Access Control How? • Make use of IFRAME / Adobe modules • /Admin/ -> = Admin • /phpMyAdmin/

  34. Security Testing - Missing Function Level Access Control - • Conduct Search Engine Discovery and Reconnaissance for Information Leakage • Fingerprint Web Server • Review Webserver Metafiles for Information Leakage • Enumerate Applications on Webserver • Review Webpage Comments and Metadata for Information Leakage • ....Also IDOR Tests

  35. A8 - Cross-Site Request Forgery (CSRF) How? <form method="GET" action="Actions/Transfer/"> <input name="from" value="You"> <input name="to" value="Me"> <input name="value" value="10000"> <input name="currency" value="EUR"> </form>
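A server-side check that refuses the forged transfer form on the slide: state changes only over POST, an Origin header that must match the site when the browser sends one, and a per-session synchronizer token compared in constant time. This is an added example, not code from the slides; the request dictionary shape, `SITE_ORIGIN` and the function names are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # assumed origin of the application being protected


def issue_csrf_token(session):
    """Create a random synchronizer token, store it in the server-side session, return it.

    The application embeds it in its own transfer form as a hidden field; a page on another
    origin cannot read it, so it cannot reproduce it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_allowed(session, request):
    """Decide whether a transfer request may proceed.

    request is a constructed dict: {"method": str, "form": dict, "headers": dict}."""
    # 1. State changes only over POST: the slide's <form method="GET"> is refused outright,
    #    and so is any image/link that triggers a GET.
    if request["method"] != "POST":
        return False
    # 2. Browsers attach an Origin header to cross-origin POSTs; a value from another site
    #    means the form was not ours. (Absent header: fall through to the token check.)
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # 3. Synchronizer token: must be present and equal to the session's copy.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    return True


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    forged = {"method": "GET", "headers": {},
              "form": {"from": "You", "to": "Me", "value": "10000", "currency": "EUR"}}
    print("forged GET allowed:", transfer_allowed(session, forged))  # False
```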

  36. Security Testing – CSRF - • Testing for Client Side URL Redirect • Testing for Client Side Resource Manipulation • Test Cross Origin Resource Sharing • Test data validation • Test Upload of Unexpected File Types • Test Upload of Malicious Files

  37. A9 - Using Known Vulnerable Components How? • External libraries • JavaScript • jQuery • Adobe ....... and the list continues

  38. Security Testing - Vulnerable Components - • Verify components versions • Check components for vulnerabilities via web

  39. A10 - Unvalidated Redirects and Forwards

  40. Security Testing - Redirects and Forwards - • Testing for Client Side URL Redirect

  41. Security Testing - Additional Tests: Business Logic Testing • Test Business Logic Data Validation • Test Ability to Forge Requests • Test Integrity Checks • Test for Process Timing • Test Number of Times a Function Can be Used Limits • Testing for the Circumvention of Work Flows • Test Defenses Against Application Mis-use • Test Upload of Unexpected File Types • Test Upload of Malicious Files Data Validation Testing • Testing for HTTP Verb Tampering • Testing for HTTP Parameter pollution • Testing for Buffer overflow • Testing for Heap overflow • Testing for Stack overflow • Testing for Format string • Testing for incubated vulnerabilities • Testing for HTTP Splitting/Smuggling Client Side Testing • Testing WebSockets • Test Web Messaging • Test Local Storage

  42. Software solutions for testers

  43. Why? What? How? • Why do we need it? • What does it do? • How shall we use it?

  44. Why? What? How? • Improve yourself • Because…..Websites and web applications • No security fines • Some firewalls and SSL provide no protection against web application hacking

  45. Why? What? How? • Most web applications are custom-made • Web application security remains the most critical • Automated web application security testing tool • Create confidence among testers and raise the level of security awareness

  46. Why? What? How? • Web Vulnerability Scanner (Server Headers, Port Scanner, OWASP Top 10, Directories etc.) • Web Services Scanner • Crawling processes • Subdomain Scanner

  47. Why? What? How? • HTTP Editor, HTTP Sniffer, HTTP Fuzzer • Blind SQL Injector • Authentication Tester • Compare Results • Report generator

  48. Why? What? How? • Remote access to Acunetix Server • Login with your domain credentials • Open Acunetix Web Vulnerability Scanner 10.0 • Start a new scan (single or resumed scan – select/define profiles – optimize technologies – login sequence – Start scan) • Generate Report • Resumed scan after you crawled the web application • Default profile covers most of the vulnerabilities but can take a while to finish • Wrongly selected technologies may influence the end result • You can define a login sequence and save it

  49. Why? What? How? • Start a new scan

  50. Why? What? How? • Select the type of scan (single or resumed scan)
