APPLICATION VULNERABILITY ASSESSMENTS REVISITED
Application testing at Memorial University
Jared Perry GSEC, GWAPT, GCWN
COMPUTING AND COMMUNICATIONS
www.mun.ca

PREVIOUS TALK
CANHEIT 2012
• Walked through methodology
  – Recon, Discovery, Exploitation, Reporting
• Talked about common vulnerabilities
  – XSS, SQLi
• This talk will
  – Discuss how techniques have evolved
  – Cover what we have learned since the last presentation

SO, WHAT HAS CHANGED?
PERSPECTIVE

SO, WHAT HAS CHANGED?
INDUSTRY
• Bug Bounties
  – Reward security professionals who report vulnerabilities: glory, swag, $$$$
• Moving in the right direction
  – With a mature security program, bug bounties are successful
  – See the Facebook, Google and BugCrowd programs
• Caveats
  – Higher Ed institutions are likely not positioned well for such programs
  – Scope and the response to disclosures would be key
• Good way to hone personal skills

SO, WHAT HAS CHANGED?
COMMON VULNERABILITIES
• SQLi
  – Now rarer, thanks to frameworks and developer/vendor awareness
• Cross Site Scripting
  – Still common, but efforts are usually made to prevent it
• Broken Authentication/Access Controls
  – DIY authentication/access control functionality
• Code Injection
  – Via file uploads or external file references
• Misconfigurations/Using Known Vulnerable Code
  – Vendor implementations…

SO, WHAT HAS CHANGED?
INTERNAL DEVELOPERS
• Developers Receptive
  – Internal developers have embraced security standards
  – Use standardized and well tested frameworks/code
  – Presentations
  – Developer testing
• Continuously Changing
  – The languages, frameworks and platforms developers use change frequently, making testing a challenge
  – AngularJS, Node, new PHP frameworks, Mobile, etc.

SO, WHAT HAS CHANGED?
VENDORS
• Vendors are becoming more security conscious
• Many provide direct methods for vulnerability disclosure
• However, we still run into occasional resistance

VENDORS
SUCCESS STORIES
• OpenText FirstClass
  – OpenText had recently rebuilt the software with a new framework
  – Found that the framework was not sanitizing input or encoding output, allowing multiple XSS vulnerabilities
  – Vendor response was immediate
• Cisco Identity Services Engine (ISE) - CVE-2014-0681
  – Allowed a remote, unauthenticated persistent XSS attack against ISE administrators
  – All versions were affected; a patched version is available

PROCESS
PRIORITIZING
• Standard Questions
  – Name of the application(s)
  – Whether it is internally, vendor or open source developed
  – Programming language(s) it is written in
  – List of other servers connected to the application, such as database, application or file servers
  – Description of the data that will be stored in the application
  – Estimate of the number of users
  – A summary of how the application is used and its functionality

PROCESS
MINIMIZE DATA/LIMIT ACCESS
• Basic Concept
  – Everyone wants to collect everything, retain it forever and have it accessible from anywhere
• We work with clients on new applications to reduce the attack surface
  – Bonus: reduces the extent of testing

TECHNIQUES
MANUAL TESTING
• Benefits
  – Finds vulnerabilities automated tools are not designed to detect
  – Business logic, insecure application functionality, access controls
  – Can be as simple as fuzzing or security QA
• Intercept Proxy
  – Burp Suite (personal favourite), Zed Attack Proxy, W3AF
  – Use the target application
  – Review requests and responses
  – Manipulate

TECHNIQUES
MANUAL TESTING
[intercept proxy screenshot slides]

TECHNIQUES
MANUAL TESTING
• Checklist
  – OWASP is a great resource with a starter checklist
• Basic Tests
  – Create a new account
  – Password requirements
  – Forgot password process
  – Change password – does the application ask for the current password first?
  – etc.

TECHNIQUES
MANUAL TESTING
• Advanced Tests
  – Disable/manipulate client-side code – look for client-side authentication checks
  – Creative inputs – automated tools won’t test many types of user input – file uploads, WYSIWYG, etc.
  – Redirect requests as needed
  – Fuzzing inputs – Burp Intruder/Repeater

TECHNIQUES
MANUAL TESTING - XSS
• Manual XSS Testing
  – As basic as '';!--"<XSS>=&{()} or <SCRIPT>alert("XSS")</SCRIPT>
  – Check the response: if the probe comes back as <XSS> the output is not encoded; &lt;XSS&gt; means it was
  – Focus on inputs that are difficult for automated scanners to test
  – Try the Burp Suite Intruder XSS payload list, ZAP Fuzzer
• Advanced
  – Use evasion techniques; a good cheat sheet is available from OWASP
  – Creative inputs – examples: file upload metadata, authentication requests

TECHNIQUES
MANUAL TESTING - XSS
[XSS screenshot slides]

TECHNIQUES
MANUAL TESTING - AUTH
• Authentication is not a DIY project
  – Don’t reinvent the wheel
  – Use the session management available in the language or framework
• Testing Session Management
  – Look at application responses for session data
  – Look for sensitive information
  – Is the session ID sufficiently random? Burp Sequencer
  – Attempt decoding – Burp Decoder – Base64
  – Is the expiration sufficient?
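The three session checks above (does the ID decode to something readable, does it increment, and how much of it actually varies) done offline, as an added example that is not code from the talk; Burp Decoder and Burp Sequencer do the same interactively on IDs harvested from Set-Cookie headers. The two token formats and the 200-ID samples are constructed for the demo, and the entropy figure is a crude per-position estimate, not Sequencer's full analysis.

```python
"""Offline session-token review: decode, look for counters, estimate entropy.

Added example, not from the talk. The samples below are constructed: a DIY
token that Base64-encodes a user ID and a session counter, versus
framework-style tokens drawn from a CSPRNG.
"""
import base64
import binascii
import math
import re
import secrets
from collections import Counter


def base64_decode(token: str):
    """Decode standard or URL-safe Base64 with optional padding; None if invalid."""
    s = token.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def decoded_text(token: str):
    """Return the Base64-decoded token if it is printable ASCII, else None.

    Random bytes almost never decode to readable text, so a readable result
    is a strong hint the token is an encoded data structure, not a secret.
    """
    raw = base64_decode(token)
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def sequential_fields(tokens):
    """Indexes of integer fields (in decoded order) that step by a constant
    non-zero amount from one token to the next, e.g. a session counter."""
    rows = [re.findall(r"\d+", decoded_text(t) or "") for t in tokens]
    if len(rows) < 3 or not all(len(r) == len(rows[0]) for r in rows):
        return []
    hits = []
    for i in range(len(rows[0])):
        vals = [int(r[i]) for r in rows]
        steps = {b - a for a, b in zip(vals, vals[1:])}
        if len(steps) == 1 and steps != {0}:
            hits.append(i)
    return hits


def bits_per_char(tokens):
    """Average Shannon entropy per character position across the sample.

    A crude, sample-size-limited stand-in for Burp Sequencer: a position that
    is constant across the sample contributes 0 bits.
    """
    if not tokens or len({len(t) for t in tokens}) != 1:
        raise ValueError("need a non-empty sample of equal-length tokens")
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total / len(tokens[0])


def review(tokens):
    """Summarise all three checks for a sample of session IDs."""
    return {
        "decodes_to": decoded_text(tokens[0]),
        "sequential_fields": sequential_fields(tokens),
        "bits_per_char": round(bits_per_char(tokens), 2),
    }


# Constructed samples (assumed formats, not from any real application).
WEAK_TOKENS = [
    base64.b64encode(f"uid=1001;sid={5000 + i}".encode()).decode()
    for i in range(200)
]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, review(sample))
```

The weak sample decodes to `uid=1001;sid=5000`, reports field 1 as a counter and well under one bit of variation per character; the hex sample does not decode and sits near the 4 bits per character a hex alphabet allows.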
TECHNIQUES
MANUAL TESTING - CSRF
• Very few vendors or developers implement CSRF protections
  – ASP.NET ViewState (only mitigates CSRF when ViewStateUserKey ties it to the session)
  – Tokens
• Difficult Execution
  – CSRF attacks require the victim to be logged into the target app and then visit a malicious link/page
  – Prime targets are “always open” applications
  – Portals, ERP, E-Learning, Webmail, etc.
• Hope to introduce more awareness with devs and vendors

TECHNIQUES
MANUAL TESTING - MOBILE
• Increasing need to test mobile apps
  – Clients want mobile and native applications
  – Mobile apps and their APIs are being integrated with systems holding sensitive data, e.g. student grades
• How do we test mobile applications?
  – Proxy the device's communications through the testing computer
  – Requires the device to trust the intercept proxy's SSL certificate
  – Review and map the mobile APIs as you would any other application

TECHNIQUES
AUTOMATED TESTING
• Follow-up to Manual Testing
  – Finish testing with automated scanning to find low-hanging fruit or vulnerabilities possibly missed
• Burp/ZAP
  – Both have automated scanning functions
• Skipfish
  – Automated scanner that is great for finding hidden application components
• W3AF
  – Swiss army knife of scanning tools

PROCESS
REPORTING
• Summarize
  – Details about the application and related data
  – The scope of testing
  – Limitations and/or concerns
• List vulnerabilities
  – Descriptions should be targeted to the audience (devs vs. mgmt)
  – Detail how the vulnerability could be used
  – Detail the impact and likelihood of it being exploited
  – Provide recommendations for remediation
  – Provide example screen captures to developers/vendors

PROCESS
REMEDIATION
• Complete/Partial Remediation
  – Not reasonable to expect every issue found to be completely remediated
• Retesting Cycle
  – Can be a lot of back and forth trying to address an issue – may have to settle for partial remediation or alternative mitigations
• Sign-off for remaining vulnerabilities
  – For vulnerabilities not remediated, detail the risk and obtain sign-off from those responsible for the data and application

PROCESS
FUTURE PLANS
• Formalize
  – Tracking of vulnerabilities
  – Retain testing data
  – Maintain data on applications, dev teams and vendors
• Automate testing options for developers
  – Threadfix/Mozilla Minion
  – Open source applications for tracking vulnerabilities
  – Provide options to allow developers to do automated scanning

PROCESS
FUTURE PLANS
• Information Sharing
  – Reduce duplication of effort – Higher Ed has a lot of niche applications and many institutions use the same applications
  – Security SIG discussion mailing list?
• Improve vendor responses and coordination
  – Legal concerns

TECHNIQUES
MANUAL TESTING
• Burp Sequencer and Decoder Demo - mutillidae

TECHNIQUES
MANUAL TESTING - CSRF
• CSRF Attack Demo with Burp Suite - mutillidae

TECHNIQUES
MANUAL TESTING - MOBILE
• Mobile Demo with Burp Suite – Ellucian GO

QUESTIONS
Jared Perry
IT Security Administrator, GSEC, GWAPT, GCWN
Email: jaredp@mun.ca
Twitter: @jared_perry
Phone: (709) 864-2619

RESOURCES
• OWASP Link References
  – https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
  – https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Threadfix/Mozilla Minion
  – https://github.com/denimgroup/threadfix/
  – https://wiki.mozilla.org/Security/Projects/Minion
• Mobile App Testing
  – http://jaredperry.ca/mapping-mobile-app-apis/

RESOURCES
• Zed Attack Proxy (ZAP)
  – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Kali Linux
  – http://www.kali.org/
• Burp Suite
  – http://portswigger.net/burp/
• Bug Bounties
  – https://bugcrowd.com/
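Worked example for the CSRF slide and the mutillidae CSRF demo, added here as an appendix; it is not code from the talk or from mutillidae. It models a state-changing "change e-mail" action in a tiny in-memory app so the forged request can be replayed offline against a handler that trusts the session cookie alone and one that also requires a per-session synchronizer token. The request/response shapes, the `SESSIONS`/`USERS` stores, the URL and the user data are assumptions made for the demo.

```python
"""CSRF: cookie-only handler versus synchronizer-token handler.

Added example, not from the talk. The browser attaches the session cookie to
any request aimed at the target site, including one submitted by a form on
an attacker's page; what the attacker's page cannot do is read the token the
application embedded in its own form, because of the same-origin policy.
"""
import hmac
import html
import secrets

# Assumed in-memory stores; a framework would normally own these.
SESSIONS = {}
USERS = {"alice": {"email": "alice@example.edu"}}


def login(user):
    """Create a session and mint a per-session CSRF token alongside it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_for(request):
    """Resolve the session from the cookie the browser sends automatically."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def change_email_vulnerable(request):
    """Trusts the cookie alone: any page the victim visits can submit this."""
    session = session_for(request)
    if session is None:
        return 401, "not logged in"
    USERS[session["user"]]["email"] = request["form"]["email"]
    return 200, "email updated"


def change_email_protected(request):
    """Same action, but the form must carry the token stored in the session.
    Constant-time comparison so the check itself leaks nothing."""
    session = session_for(request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "invalid CSRF token"
    USERS[session["user"]]["email"] = request["form"]["email"]
    return 200, "email updated"


def csrf_poc_page(action_url, fields):
    """HTML an attacker would host: a hidden form posting to the target that
    submits itself on load (the kind of page Burp's CSRF PoC generator emits)."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (f'<form id="f" method="POST" action="{html.escape(action_url)}">'
            f"{inputs}</form><script>document.getElementById('f').submit()</script>")


def replay_attack(handler):
    """Victim is logged in and loads the attacker page: the forged POST arrives
    with the victim's cookie but without the token. Returns (status, email)."""
    USERS["alice"]["email"] = "alice@example.edu"
    sid = login("alice")
    forged = {"cookies": {"session": sid},
              "form": {"email": "attacker@evil.example"}}
    status, _ = handler(forged)
    return status, USERS["alice"]["email"]


def legitimate_submit():
    """The application's own form includes the token, so it is accepted."""
    sid = login("alice")
    request = {"cookies": {"session": sid},
               "form": {"email": "new@example.edu",
                        "csrf_token": SESSIONS[sid]["csrf"]}}
    return change_email_protected(request)


if __name__ == "__main__":
    print("vulnerable:", replay_attack(change_email_vulnerable))
    print("protected: ", replay_attack(change_email_protected))
    print("legitimate:", legitimate_submit())
    print(csrf_poc_page("https://portal.example.edu/account/email",
                        {"email": "attacker@evil.example"}))
```

Against the cookie-only handler the replay changes the victim's address; against the token handler it is refused with 403 while the application's own form still works. The same PoC page, pointed at a real endpoint and loaded while the victim is logged in, is what the Burp demo replays.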