
Application Vulnerability Assessments


Presentation Transcript


  1. Application Vulnerability Assessments Revisited
     Computing and Communications, www.mun.ca
     Application testing at Memorial University
     Jared Perry, GSEC, GWAPT, GCWN

  2. Previous Talk (CANHEIT 2012)
     Walked through methodology
     • Recon, Discovery, Exploitation, Reporting
     Talked about common vulnerabilities
     • XSS, SQLi
     This talk will
     • Discuss how techniques have evolved
     • Cover what we have learned since the last presentation

  3. So, what has changed? Perspective
     Attacks of Opportunity
     • Mass Scanning
     • Script Kiddies
     Targeted
     • Activists
     • Organized Crime
     • APT

  4. So, what has changed? Industry
     Bug Bounties
     • Reward security professionals who report vulnerabilities
     • Glory, swag, $$$$
     Moving in the right direction
     • With a mature security program, bug bounties are successful
     • See the Facebook, Google and BugCrowd programs
     Caveats
     • Higher Ed institutions are likely not positioned well for such programs
     • Scope and response to disclosures would be key
     • Good way to hone personal skills

  5. So, what has changed? Common Vulnerabilities
     SQLi
     • Frameworks and developer/vendor awareness
     Cross Site Scripting
     • Still common, however efforts are usually made to prevent it
     Broken Authentication/Access Controls
     • DIY authentication/access control functionality
     Code Injection
     • Via file uploads or external file references
     Misconfigurations/Using Known Vulnerable Code
     • Vendor implementations…

  6. So, what has changed? Internal Developers
     Developers Receptive
     • Internal developers have embraced security standards
     • Use standardized and well tested frameworks/code
     • Presentations
     • Developer testing
     Continuously Changing
     • The languages, frameworks and platforms developers use change frequently, making testing a challenge
     • AngularJS, Node, new PHP frameworks, Mobile, etc.

  7. So, what has changed? Vendors
     Vendors are becoming more security conscious
     • Many provide direct methods for vulnerability disclosure
     However, we still run into occasional resistance

  8. Vendors: Success Stories
     OpenText FirstClass
     • OpenText had recently rebuilt the software with a new framework
     • Found that the framework was not sanitizing input or encoding output, allowing for multiple XSS vulnerabilities
     • Vendor response was immediate
     Cisco Identity Service Engine (ISE) - CVE-2014-0681
     • Allowed a remote, unauthenticated persistent XSS attack against ISE administrators
     • All versions were affected; a patched version is available

  9. Process: Prioritizing
     Standard Questions
     • Name of the application(s)
     • Whether it is internally, vendor or open source developed
     • Programming language(s) it is written in
     • List of other servers connected to the application, such as database, application or file servers
     • Description of the data that will be stored in this application
     • Estimate of the number of users
     • A summary of how the application is used / its functionality

  10. Process: Minimize Data / Limit Access
     Basic Concept
     • Everyone wants to collect everything, retain it forever and have it accessible from anywhere
     • We work with clients on new applications to reduce attack surface
     Bonus: reduces the extent of testing

  11. Techniques: Manual Testing
     Benefits
     • Finds vulnerabilities automated tools are not designed to detect
       • Business logic, insecure application functionality, access controls
     • Can be as simple as fuzzing, security QA
     Intercept Proxy
     • Burp Suite (personal favorite), Zed Attack Proxy, W3AF
     • Use the target application
     • Review requests and responses
     • Manipulate

  12. Techniques: Manual Testing

  13. Techniques: Manual Testing

  14. Techniques: Manual Testing
     Checklist
     • OWASP is a great resource with a starter checklist
     Basic Tests
     • Create new account
     • Password requirements
     • Forgot password process
     • Change password
       • Does the application ask for the current password first?
     • etc.

  15. Techniques: Manual Testing
     Advanced Tests
     • Disable/manipulate client-side code
       • Look for client-side authentication checks
     • Creative inputs
       • Automated tools won’t test many types of user input
       • File uploads, WYSIWYG, etc.
     • Redirect requests as needed
     • Fuzzing inputs – Burp Intruder/Repeater

  16. Techniques: Manual Testing - XSS
     Manual XSS Testing
     • As basic as '';!--"<XSS>=&{()} or <SCRIPT>alert("XSS")</SCRIPT>
     • Focus on inputs that are difficult for automated scanners to test
     • Try the Burp Suite Intruder XSS payloads, ZAP Fuzzer
     Advanced
     • Use evasion techniques; a good cheat sheet is available from OWASP
     • Creative inputs
       • Examples: file upload metadata, authentication requests
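As an added illustration (not from the talk or any tool it mentions), the two probe strings from the slide are run through a page that concatenates input into HTML and one that output-encodes it, together with the reflection check a tester performs on an intercepted response; the renderer and function names are my own:

```python
# Added example, not from the talk: why the two probe strings on the slide
# work as a first test. A page that concatenates input straight into HTML
# reflects them intact; HTML-encoding for the output context neutralises them.
import html

# The two basic probe strings quoted on the slide.
PROBES = ['\'\';!--"<XSS>=&{()}', '<SCRIPT>alert("XSS")</SCRIPT>']


def render_unsafe(name: str) -> str:
    """Vulnerable: user input concatenated into the HTML body unencoded."""
    return f"<p>Hello, {name}</p>"


def render_unsafe_attr(name: str) -> str:
    """Vulnerable: the same input dropped into a quoted attribute value."""
    return f'<input name="display" value="{name}">'


def render_safe(name: str) -> str:
    """Fixed: encode the HTML metacharacters (including both quote kinds)."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_safe_attr(name: str) -> str:
    """Fixed: quote=True also covers a quoted attribute (not an unquoted one)."""
    return f'<input name="display" value="{html.escape(name, quote=True)}">'


def reflected_unencoded(response_body: str, probe: str) -> bool:
    """The check a tester does on an intercepted response: does the probe
    come back verbatim, with its active characters still in place?"""
    return probe in response_body


def audit(render) -> dict:
    """Send each probe through a renderer; True means it was reflected raw."""
    return {p: reflected_unencoded(render(p), p) for p in PROBES}


if __name__ == "__main__":
    for fn in (render_unsafe, render_unsafe_attr, render_safe, render_safe_attr):
        print(fn.__name__, audit(fn))
```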

  17. Techniques: Manual Testing - XSS

  18. Techniques: Manual Testing - XSS

  19. Techniques: Manual Testing - XSS

  20. Techniques: Manual Testing - XSS

  21. Techniques: Manual Testing - Auth
     Authentication is not a DIY project
     • Don’t reinvent the wheel
     • Use the session management available in the language or framework
     Testing Session Management
     • Look at application responses for session data
     • Look for sensitive information
     • Is the session id sufficiently random? Burp Sequencer
     • Attempt decoding – Burp Decoder – Base64
     • Is the expiration sufficient?
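An added example (my own code, not the talk's and not Burp's) of the two session-id checks listed above: attempt a Base64 decode to see whether the id carries readable data, and estimate entropy per character position across a sample of ids, which is a crude version of what Burp Sequencer measures. The sample ids are constructed here and the function names are assumptions:

```python
# Added example, not from the talk: a stand-in for the session-id checks the
# slide lists. It tries to Base64-decode an id to see whether it carries
# readable data, and estimates entropy across a sample of ids per position
# (a crude version of what Burp Sequencer does). Function names are mine.
import base64
import math
import secrets
from collections import Counter
from typing import Optional


def try_base64(token: str) -> Optional[str]:
    """Decoded text if the token is Base64 of printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def per_position_entropy_bits(tokens: list) -> float:
    """Sum over character positions of the Shannon entropy of the characters
    seen at that position across the sample. Only positions present in every
    token count, and each position is capped by log2(sample size)."""
    n = len(tokens)
    total = 0.0
    for i in range(min(len(t) for t in tokens)):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def weak_sample(n: int = 64) -> list:
    """Constructed bad session ids: Base64 of a username plus a timestamp."""
    return [base64.b64encode(f"user=alice;ts={1398000000 + i}".encode()).decode()
            for i in range(n)]


def strong_sample(n: int = 64) -> list:
    """What the slide recommends instead: CSPRNG ids as a framework issues."""
    return [secrets.token_urlsafe(24) for _ in range(n)]


def assess(tokens: list) -> dict:
    """Weak if an id decodes to readable data or the estimate is far below
    what 24 random bytes would give over a 64-id sample."""
    decoded = try_base64(tokens[0])
    bits = per_position_entropy_bits(tokens)
    return {"decodes_to": decoded, "entropy_bits": round(bits, 1),
            "weak": decoded is not None or bits < 64}
```

The weak sample only varies in its last two digits, so nearly every Base64 position is constant and the estimate comes out at a handful of bits.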

  22. Techniques: Manual Testing - CSRF
     Very few vendors or developers implement CSRF protections
     • ASP ViewState
     • Tokens
     Difficult Execution
     • CSRF attacks require the victim to be logged into the target app and then click a malicious link
     • Prime targets are “always open” applications
       • Portals, ERP, E-Learning, Webmail, etc.
     Hope to introduce more awareness with devs and vendors
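An added example (not from the talk) of the token protection the slide names: a synchronizer token tied to the session, checked on the state-changing request, so that a forged cross-site POST carrying only the session cookie is rejected. The session store, route and function names are my own stand-ins for a real framework:

```python
# Added example, not from the talk: the "tokens" defence the slide names,
# as a synchronizer token tied to the session. The store, route and
# function names are mine, standing in for a real framework.
import hmac
import re
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}; stand-in for a session store


def start_session(user: str) -> str:
    """Issue a random session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """The legitimate page embeds the token; another origin cannot read it."""
    tok = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/change-email">'
            f'<input type="hidden" name="csrf_token" value="{tok}">'
            '<input name="email"></form>')


def extract_token(form_html: str) -> str:
    """What the user's own browser submits along with the form."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return m.group(1) if m else ""


def handle_post(cookies: dict, form: dict) -> tuple:
    """State-changing handler: the browser attaches the session cookie to a
    cross-site POST too, so the cookie alone proves nothing; require the token."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"email changed for {sess['user']}"


def demo() -> tuple:
    """Forged cross-site POST (cookie present, token absent) vs. the real form."""
    sid = start_session("alice")
    forged = handle_post({"session": sid}, {"email": "changed@example.com"})
    genuine = handle_post({"session": sid},
                          {"csrf_token": extract_token(render_form(sid)),
                           "email": "alice@example.com"})
    return forged[0], genuine[0]
```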

  23. Techniques: Manual Testing - Mobile
     Increasing need to test mobile apps
     • Clients want mobile and native applications
     • Mobile apps and related APIs are being integrated with systems holding sensitive data, e.g. student grades
     How do we test mobile applications?
     • Proxy communications through the testing computer
       • Requires trusting SSL certificates from the intercept proxy
     • Review and map mobile APIs similar to any other application

  24. Techniques: Automated Testing
     Follow-up to Manual Testing
     • Finish testing with automated testing to find any low hanging fruit or vulnerabilities possibly missed
     Burp/ZAP
     • Both have automated scanning functions
     Skipfish
     • Automated scanner that is great for finding hidden application components
     W3AF
     • Swiss army knife of scanning tools

  25. Process: Reporting
     Summarize
     • Details about the application and related data
     • The scope of testing
     • Limitations and/or concerns
     List vulnerabilities
     • Descriptions should be targeted to the audience (devs vs. mgmt)
     • Detail how the vulnerability could be used
     • Detail impact and likelihood of it being exploited
     • Provide recommendations for remediation
     • Provide example screen captures to developers/vendors

  26. Process: Remediation
     Complete/Partial Remediation
     • Not reasonable to expect every issue found to be completely remediated
     Retesting Cycle
     • Can be a lot of back and forth trying to address an issue
     • May have to settle for partial remediation or alternative mitigations
     Sign-off for remaining vulnerabilities
     • For vulnerabilities not remediated, detail the risk and obtain sign-off from those responsible for the data and application

  27. Process: Future Plans
     Formalize
     • Tracking of vulnerabilities
     • Retain testing data
     • Maintain data on applications, dev teams and vendors
     • Automate testing options for developers
     ThreadFix / Mozilla Minion
     • Open source applications for tracking vulnerabilities
     • Provide options to allow developers to do automated scanning

  28. Process: Future Plans
     Information Sharing
     • Reduce duplication of effort
     • Higher Ed has a lot of niche applications, and many institutions use the same applications
     • Security SIG discussion mailing list?
     • Improve vendor responses and coordination
     • Legal concerns

  29. Techniques: Manual Testing
     Burp Sequencer and Decoder demo - Mutillidae

  30. Techniques: Manual Testing - CSRF
     CSRF attack demo with Burp Suite - Mutillidae

  31. Techniques: Manual Testing - Mobile
     Mobile demo with Burp Suite – Ellucian GO

  32. Questions
     Jared Perry, IT Security Administrator, GSEC, GWAPT, GCWN
     Email: jaredp@mun.ca
     Twitter: @jared_perry
     Phone: (709) 864-2619

  33. Resources
     OWASP Link References
     • https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
     • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     ThreadFix / Mozilla Minion
     • https://github.com/denimgroup/threadfix/
     • https://wiki.mozilla.org/Security/Projects/Minion
     Mobile App Testing
     • http://jaredperry.ca/mapping-mobile-app-apis/

  34. Resources
     Zed Attack Proxy (ZAP)
     • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     Kali Linux
     • http://www.kali.org/
     Burp Suite
     • http://portswigger.net/burp/
     Bug Bounties
     • https://bugcrowd.com/
