SEARCH, EXPLORE AND RESCUE - Sebastian Agachie - 24.02.2016
ABOUT ME - Sebastian Agachie • Ethical hacker @ Centric • Security Discipline Coordinator • Application Developer / Scrum Master • Security, pentests, trainings, compliance
AGENDA • Introduction 1. The Three Pillars of Security 2. Security Testing: • Security Testing: Quiz Game of Red Team • Search, explore and rescue vs Search and exploit • Search, explore and rescue: OWASP Examples 3. Acunetix: What, Why, How? 4. Q&A
THE THREE PILLARS OF SECURITY - Security: C.I.A.
• Confidentiality: preventing disclosure of information or data to unauthorized individuals or systems
• Integrity: methods and actions taken to protect information from unauthorized alteration or revision
• Availability: communication systems and data being ready for use when legitimate users need them
SPEAKING ABOUT "3" PILLARS Security Triangle
SECURITY TESTING • Let's play a game! • Use your phone and navigate to https://kahoot.it • Enter the Game PIN • Enter a game nickname • Find your name on the screen • Answer the questions correctly and win points • The faster and more accurately you respond, the more points you get.
SECURITY TESTING Search, explore and rescue vs Search and exploit Tester (security) vs Ethical Hacker
SEARCH, EXPLORE AND RESCUE: OWASP
OWASP TOP 10
A1 - INJECTION How?
    String query = "SELECT user_id FROM user_data WHERE user_name='" + req.getParameter("user") + "' AND user_password='" + req.getParameter("password") + "'";
With user = ' or 1=1 -- the executed statement becomes:
    SELECT user_id FROM user_data WHERE user_name='' or 1=1 -- ' AND user_password='superstrongpassword'
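Added example (not code from the slides): the same login query in Python with sqlite3, the concatenated version next to the parameterized fix, so the effect of the ' or 1=1 -- input above can be reproduced offline. The table contents and user names are constructed sample data; Python is used because the check runs without a database server.

```python
import sqlite3

# Constructed sample data standing in for the slide's user_data table.
SAMPLE_USERS = [("alice", "superstrongpassword"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a user_data table like the slide's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data ("
        "user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data (user_name, user_password) VALUES (?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """String concatenation, as on the slide: the input is parsed as SQL grammar,
    so a quote closes the literal and -- comments out the password check."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name='" + user
        + "' AND user_password='" + password + "'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_parameterized(conn, user, password):
    """Bound parameters: the driver passes values separately from the statement,
    so quotes and comment markers in the input stay plain data."""
    rows = conn.execute(
        "SELECT user_id FROM user_data WHERE user_name=? AND user_password=?",
        (user, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable:   ", login_vulnerable(db, payload, "anything"))    # every user_id
    print("parameterized:", login_parameterized(db, payload, "anything"))  # []
```

The vulnerable function returns every user_id in the table for the payload, which is what a tester records as a confirmed A1 finding; the parameterized one returns nothing because the whole string is compared as a user name.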
A1 - INJECTION • Types of injection: • SQL - Structured Query Language • HQL - Hibernate Query Language • LDAP - Lightweight Directory Access Protocol • XPath • XQuery • XSLT - Extensible Stylesheet Language Transformations • XML • OS command injection • ... and many more.
SECURITY TESTING - INJECTION ---- DATA VALIDATION TESTING ----:
• Testing for SQL Injection: Oracle Testing, MySQL Testing, SQL Server Testing, Testing PostgreSQL, MS Access Testing, Testing for NoSQL injection
• Testing for LDAP Injection
• Testing for SSI Injection
• IMAP/SMTP Injection
• Testing for XPath Injection
• Testing for Code Injection: Testing for Local File Inclusion, Testing for Remote File Inclusion
• Testing for Command Injection
• Testing for HTML Injection
More on OWASP injections: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT How? • Hardcoded passwords • Resend them at every request, preferably • Unlimited login attempts • Use passwords shorter than 7 characters, preferably digits only • Nonexistent logging mechanism • No session management: it never expires, just keep sending the password.
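Added example, not code from the presentation: a small Python login service that does the opposite of every bullet above (salted hashes instead of hardcoded passwords, a lockout after repeated failures, a length and digits-only password policy, an audit trail, and a random session id that expires). The thresholds MAX_ATTEMPTS, LOCKOUT_SECONDS, SESSION_TTL_SECONDS and MIN_PASSWORD_LENGTH are assumed values for illustration, and ManualClock is a test helper so lockout and expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

# Policy values are assumptions for this example, not figures from the slides.
MAX_ATTEMPTS = 5              # failed logins before the account is locked
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts
SESSION_TTL_SECONDS = 30 * 60 # idle session lifetime
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password):
    """Reject short and digit-only passwords (the slide's anti-pattern)."""
    return len(password) >= MIN_PASSWORD_LENGTH and not password.isdigit()


class ManualClock:
    """Injectable clock so lockout and expiry can be tested deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> (salt, pbkdf2 hash): nothing hardcoded
        self.failures = {}   # username -> (failed count, time of first failure)
        self.sessions = {}   # session id -> (username, expiry time)
        self.audit = []      # (event, username, time); stands in for real logging

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        now = self.clock()
        count, since = self.failures.get(username, (0, now))
        if count >= MAX_ATTEMPTS:
            if now - since < LOCKOUT_SECONDS:
                self.audit.append(("locked_out", username, now))
                return None
            count, since = 0, now  # lock has expired, start counting again
        # Always run the hash, even for unknown users, so timing does not reveal accounts.
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        ok = username in self.users and hmac.compare_digest(self._hash(salt, password), stored)
        if not ok:
            self.failures[username] = (count + 1, since if count else now)
            self.audit.append(("login_failed", username, now))
            return None
        self.failures.pop(username, None)
        session_id = secrets.token_urlsafe(32)  # 256-bit random id; the password is never resent
        self.sessions[session_id] = (username, now + SESSION_TTL_SECONDS)
        self.audit.append(("login_ok", username, now))
        return session_id

    def current_user(self, session_id):
        record = self.sessions.get(session_id)
        if record is None:
            return None
        username, expires_at = record
        if self.clock() >= expires_at:
            del self.sessions[session_id]  # expired: sessions do not live forever
            return None
        return username
```

The audit list is what the "nonexistent logging mechanism" bullet is missing: every failed, locked and successful login is recorded with a timestamp, which is also what a tester looks for when checking the weak lockout item.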
A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT (I)AAA
• Identification - knowing who you are (username, password) - "knocking at the gate"
• Authentication - provides a way of identifying a user, typically by having the user enter a valid name and valid password before access is granted.
• Authorization - determines whether a user has the authority to issue different kinds of role-based commands
• Accounting/Non-repudiation - measures the resources a user consumes during access (log every action)
SECURITY TESTING - BASM ---- IDENTITY MANAGEMENT TESTING ----: • Test Role Definitions • Test User Registration Process • Test Account Provisioning Process • Testing for Account Enumeration and Guessable User Account • Testing for Weak or unenforced username policy • Test Permissions of Guest/Training Accounts • Test Account Suspension/Resumption Process
SECURITY TESTING - BASM ---- AUTHENTICATION TESTING ----: • Testing for Credentials Transported over an Encrypted Channel • Testing for default credentials • Testing for Weak lock out mechanism • Testing for bypassing authentication schema • Test remember password functionality • Testing for Browser cache weakness • Testing for Weak password policy • Testing for Weak security question/answer • Testing for weak password change or reset functionalities • Testing for Weaker authentication in alternative channel
SECURITY TESTING - BASM ----AUTHORIZATION TESTING ----: • Testing Directory traversal/file include • Testing for bypassing authorization schema • Testing for Privilege Escalation • Testing for Insecure Direct Object References
SECURITY TESTING - BASM ---- SESSION MANAGEMENT TESTING ----: • Testing for Bypassing Session Management Schema • Testing for Cookies attributes • Testing for Session Fixation • Testing for Exposed Session Variables • Testing for Cross Site Request Forgery • Testing for logout functionality • Test Session Timeout • Testing for Session puzzling
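Added example (not from the OWASP guide or the slides) for the "Cookies attributes" and "Session Timeout" items: a Python checker that parses a Set-Cookie header and lists the findings a tester would record. The headers in the test are constructed, and the 30-minute lifetime and 16-character minimum id length are assumed thresholds.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as Secure get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, served_over_https=True, max_age_limit=30 * 60):
    """Return (cookie name, list of findings) for a session cookie header.
    The 30-minute limit and 16-character minimum are assumed policy values."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if "max-age" in attrs:
        if not attrs["max-age"].isdigit():
            findings.append("Max-Age is not numeric")
        elif int(attrs["max-age"]) > max_age_limit:
            findings.append(f"Max-Age {attrs['max-age']}s exceeds the {max_age_limit}s timeout")
    if len(value) < 16:
        findings.append("session id shorter than 16 characters: too little entropy for a random id")
    return name, findings
```

A cookie with no Max-Age or Expires is a session cookie that the browser drops on close, so the timeout must then be enforced server-side; the checker only flags lifetimes it can see in the header.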
A3 - CROSS-SITE SCRIPTING (XSS) How? • >< (unescaped angle brackets) • <requestvalidation = OFF!> • <script> • <img> • <html>
SECURITY TESTING - XSS ---- DATA VALIDATION TESTING ----: • Testing for Clickjacking • Testing for Cross Site Flashing • Testing for DOM based Cross Site Scripting (><) • Testing for JavaScript Execution • Testing for Reflected Cross Site Scripting • Testing for Stored Cross Site Scripting
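Added example, not from the slides: a Python probe for the reflected XSS test that feeds one HTML special character at a time into a page renderer and reports which come back unencoded, run against three constructed renderers (no escaping, angle brackets only, full html.escape). In a real test the render callable would issue the HTTP request and return the body; here it is a local function.

```python
import html

SPECIALS = ["<", ">", '"', "'", "&"]  # characters that change meaning in HTML


def render_vulnerable(term):
    """Reflects the parameter straight into the page body (the slide's '><' case)."""
    return f"<p>Results for: {term}</p>"


def render_partially_escaped(term):
    """Escapes angle brackets only: fine in text, but the value still breaks out of
    a quoted attribute, which is the context many partial fixes miss."""
    return '<input value="' + term.replace("<", "&lt;").replace(">", "&gt;") + '">'


def render_escaped(term):
    """Full HTML entity encoding, the usual fix for reflected and stored XSS."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def unencoded_chars(render, tag="zz9x"):
    """Probe each special character on its own and return those reflected verbatim.

    Probing one character at a time tells the tester which output context is
    exposed (text, attribute, URL) instead of only whether something reflected."""
    survived = []
    for ch in SPECIALS:
        probe = f"{tag}{ch}{tag}"
        if probe in render(probe):
            survived.append(ch)
    return survived
```

The partially escaped renderer is the instructive case: a scanner that only looks for a reflected <script> tag reports it as clean, while the per-character probe shows that quotes survive and the attribute context is still exposed.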
A4 - INSECURE DIRECT OBJECT REFERENCES How? • /myapp/config • /myapp/services
SECURITY TESTING - IDOR: • Analysis of Error Codes • Analysis of Stack Traces • Identify application entry points • Map execution paths through application • Fingerprint Web Application Framework • Fingerprint Web Application • Map Application Architecture
A5 - SECURITY MISCONFIGURATION How? • Server-side security (webserver port 80) • Default credentials • Open directories • Stack traces enabled
SECURITY TESTING - SECURITY MISCONFIGURATION: • Test Network/Infrastructure Configuration • Test Application Platform Configuration • Test File Extensions Handling for Sensitive Information • Backup and Unreferenced Files for Sensitive Information • Enumerate Infrastructure and Application Admin Interfaces • Test HTTP Methods • Test HTTP Strict Transport Security • Test RIA cross domain policy
A6 - SENSITIVE DATA EXPOSURE How? • No SSL (or a weak existing one - F-class certificates) • 512-bit transport encryption • Credentials and information transported in clear text
SECURITY TESTING - SENSITIVE DATA EXPOSURE: • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection • Testing for Padding Oracle • Testing for Sensitive information sent via unencrypted channels • Error Handling: Analysis of Error Codes, Analysis of Stack Traces
A7 - MISSING FUNCTION LEVEL ACCESS CONTROL How? • Make use of IFRAME / Adobe modules • /Admin/ -> = Admin • /phpMyAdmin/
SECURITY TESTING - MISSING FUNCTION LEVEL ACCESS CONTROL • Conduct Search Engine Discovery and Reconnaissance for Information Leakage • Fingerprint Web Server • Review Webserver Metafiles for Information Leakage • Enumerate Applications on Webserver • Review Webpage Comments and Metadata for Information Leakage • ... also the IDOR tests
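Added example (not from the slides) covering A4 and A7 together, since the slide notes that the IDOR tests apply here too: Python access checks for an invoice record, the IDOR lookup beside an object-level ownership check, plus a role decorator that enforces function-level access to an admin action on the server rather than by hiding the /Admin/ link. User, INVOICES and the invoice ids are constructed.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for 'not yours' and 'does not exist' alike, so callers cannot enumerate ids."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample records; the owner field is what an IDOR check must consult.
INVOICES = {
    101: {"owner": 1, "total": 40},
    102: {"owner": 2, "total": 99},
}


def get_invoice_idor(current_user, invoice_id):
    """Vulnerable (A4): fetches whatever id came in the URL and never checks ownership."""
    return INVOICES[invoice_id]


def get_invoice(current_user, invoice_id):
    """Object-level check: the record must belong to the caller, or the caller is admin."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != current_user.id and current_user.role != "admin"):
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def requires_role(role):
    """Function-level check (A7), enforced on every call to the protected function."""
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(fn.__name__)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def list_all_invoices(current_user):
    """Admin-only action: the kind of function a hidden /Admin/ URL would expose."""
    return dict(INVOICES)


def denied(fn, *args):
    """True if fn(*args) raises Forbidden; a small helper for demonstrating the checks."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

Returning the same Forbidden for a missing record and for someone else's record is deliberate: distinct 403 and 404 responses would let a tester (or attacker) map which ids exist, which is exactly the "Analysis of Error Codes" item in the IDOR test list.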
A8 - CROSS-SITE REQUEST FORGERY (CSRF) How?
    <form method="GET" action="Actions/Transfer/">
      <input name="from" value="You">
      <input name="to" value="Me">
      <input name="value" value="10000">
      <input name="currency" value="EUR">
    </form>
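Added example, not the presentation's code: the server side of the Actions/Transfer/ action from the form above, in Python, refusing GET for a state change and requiring an HMAC-based CSRF token bound to the session. SERVER_SECRET and the request dict shape are assumptions standing in for a real framework's configuration and request object.

```python
import hashlib
import hmac
import secrets

# Per-deployment server secret; constructed here, would come from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token = random nonce + HMAC over (session id, nonce), so it is only valid for
    the session it was issued to and cannot be replayed from another one."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return bool(mac) and hmac.compare_digest(mac, expected)


def handle_transfer(request, session_id):
    """Handler for Actions/Transfer/. `request` is a constructed dict with "method" and
    "form" keys; the session id comes from the authenticated session cookie."""
    if request["method"] != "POST":
        return 405  # a state change over GET is what the slide's form relies on
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403  # a form on another site cannot read the token, so it cannot supply it
    # ... perform the transfer here ...
    return 200
```

The session cookie is sent automatically with the forged request, which is why checking it is not enough; the token is the one value the attacker's page cannot obtain. The test feeds the exact field set from the slide's form (constructed, as a dict) through the handler.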
SECURITY TESTING – CSRF • Testing for Client Side URL Redirect • Testing for Client Side Resource Manipulation • Test Cross Origin Resource Sharing • Test data validation • Test Upload of Unexpected File Types • Test Upload of Malicious Files
A9 - USING KNOWN VULNERABLE COMPONENTS How? • External libraries • JavaScript • jQuery • Adobe • ... and the list continues
SECURITY TESTING - VULNERABLE COMPONENTS - • Verify components versions • Check components for vulnerabilities via web
A10 - UNVALIDATED REDIRECTS AND FORWARDS
SECURITY TESTING - REDIRECTS AND FORWARDS • Testing for Client Side URL Redirect
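Added example (not from the slides) for the "Client Side URL Redirect" test: a Python validator for a redirect target parameter that only allows local paths or allowlisted hosts and returns a default for anything else, including the forms a tester tries against this check (scheme-relative //host, backslashes, userinfo before @, javascript: and empty-host URLs). ALLOWED_HOSTS is a constructed allowlist.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts the application may redirect to.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(target, default="/"):
    """Return `target` if it is a local path or an allowlisted absolute URL, else `default`."""
    if not target:
        return default
    target = target.strip()
    # Scheme-relative URLs (//host), backslashes and control characters are rejected
    # before parsing, because browsers resolve them differently from urlparse.
    if target.startswith("//") or "\\" in target or any(ord(c) < 0x20 for c in target):
        return default
    parsed = urlparse(target)
    if parsed.scheme:
        # Absolute URL: http(s) only, must have a host, no userinfo, host must be allowlisted.
        if parsed.scheme not in ("http", "https") or not parsed.netloc or "@" in parsed.netloc:
            return default
        if parsed.hostname not in ALLOWED_HOSTS:
            return default
        return target
    if parsed.netloc or not target.startswith("/"):
        return default  # relative reference that is not a local path
    return target
```

Comparing the parsed hostname against an allowlist is deliberately stricter than a prefix check such as startswith("https://app.example.com"), which a host like app.example.com.other.example would pass.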
SECURITY TESTING - ADDITIONAL TESTS:
Data Validation Testing
• Testing for HTTP Verb Tampering
• Testing for HTTP Parameter pollution
• Testing for Buffer overflow
• Testing for Heap overflow
• Testing for Stack overflow
• Testing for Format string
• Testing for incubated vulnerabilities
• Testing for HTTP Splitting/Smuggling
Business Logic Testing
• Test Business Logic Data Validation
• Test Ability to Forge Requests
• Test Integrity Checks
• Test for Process Timing
• Test Number of Times a Function Can be Used Limits
• Testing for the Circumvention of Work Flows
• Test Defenses Against Application Mis-use
• Test Upload of Unexpected File Types
• Test Upload of Malicious Files
Client Side Testing
• Testing WebSockets
• Test Web Messaging
SOFTWARE SOLUTIONS FOR TESTERS
WHY? WHAT? HOW? • Why do we need it? • What does it do? • How shall we use it?
WHY? WHAT? HOW? • Improve yourself • Because... websites and web applications • No security fines • Some firewalls and SSL provide no protection against web application hacking
WHY? WHAT? HOW? • Most web applications are custom-made • Web application security remains the most critical • Automated web application security testing tool • Create confidence among testers and raise the level of security awareness
WHY? WHAT? HOW? • Web Vulnerability Scanner (Server Headers, Port Scanner, Owasp 10, Directories etc. ) • Web Services Scanner • Crawling processes • Subdomain Scanner
WHY? WHAT? HOW? • HTTP Editor, HTTP Sniffer, HTTP Fuzzer • Blind SQL Injector • Authentication Tester • Compare Results • Report generator
WHY? WHAT? HOW?
• Login with your domain credentials
• Open Acunetix Web Vulnerability Scanner 10.0
• Start a new scan (single or resumed scan - select/define profiles - optimize technologies - login sequence - start scan)
• Resumed scan after you crawled the web application
• Default profile covers most of the vulnerabilities but can take a while to finish
• Incorrectly selected technologies may influence the end result
• You can define a login sequence and save it
• Remote access to Acunetix Server
• Generate Report
WHY? WHAT? HOW? • Start a new scan
WHY? WHAT? HOW? • Select the type of scan (single or resumed scan)
WHY? WHAT? HOW? • Select/define profiles
WHY? WHAT? HOW? • Optimize technologies
WHY? WHAT? HOW? • Define login sequence
WHY? WHAT? HOW? • Scanning in progress • Clicking on a vulnerability displays useful information and advice on how to mitigate the threat
WHY? WHAT? HOW? • Generate report
RECOMMENDATIONS • Use Acunetix only after you have security tested (exploratory) the application • Acunetix can verify what you already discovered and give you confidence. It doesn't replace security testing!! • Use Acunetix on a different environment (not production: test, demo, dev etc.) • Security environment (there is a chance that Acunetix may interfere with the build) • Use Acunetix at a specific time interval • Not for every text box that is added to the application
THANK YOU! Sebastian.Agachie@centric.eu