canheit_presentation_20140610


APPLICATION VULNERABILITY ASSESSMENTS REVISITED

Application testing at Memorial University
Jared Perry, GSEC, GWAPT, GCWN
Computing and Communications, www.mun.ca

PREVIOUS TALK CANHEIT 2012

Walked through methodology
• Recon, Discovery, Exploitation, Reporting

Talked about common vulnerabilities
• XSS, SQLi

This talk will
• Discuss how techniques have evolved
• What we have learned since last presentation

SO, WHAT HAS CHANGED?

PERSPECTIVE

SO, WHAT HAS CHANGED?

INDUSTRY

Bug Bounties
• Reward security professionals who report vulnerabilities: glory, swag, $$$$

Moving in right direction
• With a mature security program bug bounties are successful
• See Facebook, Google, BugCrowd programs

Caveats
• Higher Ed institutions likely not positioned well for such programs
• Scope and response to disclosures would be key
• Good way to hone personal skills

SO, WHAT HAS CHANGED?

COMMON VULNERABILITIES

SQLi
• Frameworks and developer/vendor awareness

Cross Site Scripting
• Still common, however efforts are usually made to prevent it

Broken Authentication / Access Controls
• DIY authentication/access control functionality

Code Injection
• Via file uploads or external file references

Misconfigurations/Using Known Vulnerable Code
• Vendor implementations…

SO, WHAT HAS CHANGED?

INTERNAL DEVELOPERS

Developers Receptive
• Internal developers have embraced security standards
• Use standardized and well tested frameworks/code
• Presentations
• Developer testing

Continuously Changing
• The languages, frameworks and platforms developers use are changing frequently, making testing a challenge
• AngularJS, Node, new PHP frameworks, Mobile, etc.

SO, WHAT HAS CHANGED?

VENDORS

Vendors are becoming more security conscious

• Many provide direct methods for vulnerability disclosure

However still run into occasional resistance

VENDORS SUCCESS STORIES

OpenText FirstClass
• OpenText had recently rebuilt the software with a new framework
• Found that the framework was not sanitizing input or encoding output, allowing for multiple XSS vulnerabilities
• Vendor response was immediate

Cisco Identity Service Engine (ISE) - CVE-2014-0681
• Allowed remote, unauthenticated persistent XSS attack against ISE administrators
• All versions were affected, patched version is available

PROCESS PRIORITIZING

Standard Questions

• Name of the application(s)
• Whether it is internally, vendor or open source developed
• Programming language(s) they are written in
• List of other servers connected to the application such as database, application or file servers
• Description of data that will be stored in this application
• Estimate of the number of users
• A summary of how the application is used/functionality

PROCESS MINIMIZE DATA/LIMIT ACCESS

Basic Concept
• Everyone wants to collect everything, retain it forever and have it accessible from anywhere
• We work with clients on new applications to reduce attack surface

Bonus: Reduces extent of testing

TECHNIQUES MANUAL TESTING

Benefits
• Finds vulnerabilities automated tools are not designed to detect
• Business logic, insecure application functionality, access controls
• Can be as simple as fuzzing, security QA

Intercept Proxy
• Burp Suite (personal favorite), Zed Attack Proxy, W3AF
• Use the target application
• Review requests and responses
• Manipulate

TECHNIQUES MANUAL TESTING

Checklist
• OWASP is a great resource with starter checklist

Basic Tests
• Create new account
• Password requirements
• Forgot password process
• Change password – Does the application ask for the current password first?
• etc.

TECHNIQUES MANUAL TESTING

Advanced Tests
• Disable/Manipulate client-side code
  – Look for client-side authentication checks
• Creative inputs
  – Automated tools won't test many types of user input
  – File uploads, WYSIWYG, etc.
• Redirect requests as needed
  – Fuzzing inputs
  – Burp Intruder/Repeater

TECHNIQUES MANUAL TESTING - XSS

Manual XSS Testing
• As basic as '';!--"=&{()} or
• Focus on inputs that are difficult for automated scanners to test
• Try Burp Suite Intruder XSS payload, ZAP Fuzzer

Advanced
• Use evasion techniques, good cheat sheet available from OWASP
• Creative inputs – Examples: file upload metadata, authentication requests

TECHNIQUES MANUAL TESTING - AUTH

Authentication is not a DIY project
• Don't reinvent the wheel
• Use session management available in the language or framework

Testing Session Management
• Look at application responses for session data
• Look for sensitive information
• Is the session id sufficiently random? – Burp Sequencer
• Attempt decoding – Burp Decoder – Base64
• Is the expiration sufficient?
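The session-management checks on this slide (decode the id, judge its randomness, look for predictable values) can be scripted over a handful of captured ids before reaching for Burp Sequencer. This is an added example, not from the presentation; the session ids in SAMPLE_IDS are constructed, and the 3.0 bits-per-character threshold is an assumed rule of thumb, not a figure from the deck.

```python
import base64
import binascii
import math
import re
import string
from collections import Counter

# Constructed sample session ids (not captured from any real application).
# The first two wrap "user=...;role=...;ts=..." in Base64; the last two are
# hex tokens where the second merely increments the first.
SAMPLE_IDS = [
    base64.b64encode(b"user=jdoe;role=student;ts=1402416000").decode(),
    base64.b64encode(b"user=jsmith;role=staff;ts=1402416001").decode(),
    "00000000000000000000000000001a2b",
    "00000000000000000000000000001a2c",
]

def shannon_entropy(token):
    """Estimated bits per character from symbol frequencies in one token."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def try_decode(token):
    """Base64-decode a token; return the text if it is printable ASCII, else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and all(ch in string.printable for ch in text) else None

def analyse_session_ids(ids):
    """Run the slide's checks: decodable structured content, low randomness,
    and ids that are consecutive integers."""
    decoded = {}
    for t in ids:
        text = try_decode(t)
        if text and re.search(r"\w+=\w+", text):   # key=value pairs inside the id
            decoded[t] = text
    low_entropy = [t for t in ids if shannon_entropy(t) < 3.0]   # assumed threshold
    as_ints = []
    for t in ids:
        try:
            as_ints.append(int(t, 16))
        except ValueError:
            pass   # not a plain hex token
    sequential = len(as_ints) >= 2 and all(b - a == 1 for a, b in zip(as_ints, as_ints[1:]))
    return {"decoded": decoded, "low_entropy": low_entropy, "sequential": sequential}

if __name__ == "__main__":
    for key, value in analyse_session_ids(SAMPLE_IDS).items():
        print(key, value)
```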

TECHNIQUES MANUAL TESTING - CSRF

Very few vendors or developers implement CSRF protections
• ASP Viewstate
• Tokens

Difficult Execution
• CSRF attacks require the victim to be logged into target app then click malicious link
• Prime targets are "always open" applications
  – Portals, ERP, E-Learning, Webmail, etc.

Hope to introduce more awareness with devs and vendors
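The token protection this slide finds missing is the synchronizer-token pattern: a per-session secret stored server side and required in every state-changing form. As an added example that is not from the presentation, the handlers below contrast a cookie-only check with the token-checked version; the in-memory session store, handler names and form fields are constructed.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the server-side session.
SESSIONS = {}

def login(session_id):
    """Create a server-side session record for an authenticated user."""
    SESSIONS[session_id] = {"user": "jdoe", "csrf_token": None}

def issue_csrf_token(session_id):
    """Synchronizer-token pattern: one unguessable token per session, stored
    server side and embedded as a hidden field in every state-changing form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token

def update_email_unprotected(session_id, form):
    """'Before': the only check is the session cookie, which the browser attaches
    automatically, so a request triggered from another site is accepted."""
    session = SESSIONS.get(session_id)
    if session is None:
        return {"ok": False, "error": "not logged in"}
    session["email"] = form.get("email")
    return {"ok": True, "email": session["email"]}

def update_email_protected(session_id, form):
    """'After': the form must carry the token bound to this session; a page on
    another origin cannot read it, so a forged request fails the check."""
    session = SESSIONS.get(session_id)
    if session is None:
        return {"ok": False, "error": "not logged in"}
    expected = session.get("csrf_token") or ""
    supplied = form.get("csrf_token", "")
    # constant-time comparison avoids leaking the token through timing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"ok": False, "error": "invalid csrf token"}
    session["email"] = form.get("email")
    return {"ok": True, "email": session["email"]}

if __name__ == "__main__":
    login("sess-1")
    token = issue_csrf_token("sess-1")
    print(update_email_unprotected("sess-1", {"email": "other@example.com"}))
    print(update_email_protected("sess-1", {"email": "other@example.com"}))
    print(update_email_protected("sess-1", {"email": "new@example.com", "csrf_token": token}))
```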

TECHNIQUES MANUAL TESTING - MOBILE

Increasing need to test mobile apps
• Clients want mobile and native applications
• Mobile apps and related APIs are being integrated with systems holding sensitive data, e.g. student grades

How do we test mobile applications?
• Proxy communications through testing computer
• Requires trusting SSL certificates from intercept proxy
• Review and map mobile APIs similar to any other application

TECHNIQUES AUTOMATED TESTING

Follow-up to Manual Testing
• Finish testing with automated testing to find any low hanging fruit or vulnerabilities possibly missed.

Burp/Zap
• Both have automated scanning functions

Skipfish
• Automated scanning function that is great for finding hidden application components

W3AF
• Swiss army knife of scanning tools

PROCESS REPORTING

Summarize
• Details about the application and related data
• The scope of testing
• Limitations and/or concerns

List vulnerabilities
• Descriptions should be targeted to the audience (devs vs mgmt)
• Detail how the vulnerability could be used
• Detail impact and likelihood of it being exploited
• Provide recommendations for remediation
• Provide example screen captures to developers/vendors

PROCESS REMEDIATION

Complete/Partial Remediation
• Not reasonable to expect every issue found to be completely remediated.

Retesting Cycle
• Can be a lot of back and forth trying to address an issue
  – May have to settle for partial remediation or alternative mitigations

Sign-off for remaining vulnerabilities
• For vulnerabilities not remediated, detail the risk and obtain sign-off from those responsible for the data and application

PROCESS FUTURE PLANS

Formalize
• Tracking of vulnerabilities
• Retain testing data
• Maintain data on applications, dev teams and vendors
• Automate testing options for developers

Threadfix/Mozilla Minion
• Open source applications for tracking vulnerabilities
• Provides options to allow developers to do automated scanning

PROCESS FUTURE PLANS

Information Sharing

• Reduce duplication of efforts
  – Higher Ed has a lot of niche applications and many institutions use the same applications
• Security SIG discussion mailing list?
• Improve vendor responses and coordination
• Legal concerns

TECHNIQUES MANUAL TESTING

Burp Sequencer and Decoder Demo - mutillidae

TECHNIQUES MANUAL TESTING - CSRF

CSRF Attack Demo with Burp Suite - mutillidae

TECHNIQUES MANUAL TESTING - MOBILE

Mobile Demo with Burp Suite – Ellucian GO

QUESTIONS

Jared Perry IT Security Administrator, GSEC, GWAPT, GCWN

Email: [email protected]

Twitter: @jared_perry
Phone: (709) 864-2619

RESOURCES

OWASP Link References
• https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Threadfix/Mozilla Minion
• https://github.com/denimgroup/threadfix/
• https://wiki.mozilla.org/Security/Projects/Minion

Mobile App Testing
• http://jaredperry.ca/mapping-mobile-app-apis/

RESOURCES

Zed Attack Proxy (ZAP)
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Kali Linux
• http://www.kali.org/

Burp Suite
• http://portswigger.net/burp/

Bug Bounties
• https://bugcrowd.com/