Presentation is loading. Please wait.

Presentation is loading. Please wait.

APPLICATION VULNERABILITY ASSESSMENTS REVISITED COMPUTING AND COMMUNICATIONS www.mun.ca Jared Perry GSEC, GWAPT, GCWN Application testing at Memorial University.

Published byDominic Roland Stokes Modified over 9 years ago

Similar presentations

Presentation on theme: "APPLICATION VULNERABILITY ASSESSMENTS REVISITED COMPUTING AND COMMUNICATIONS www.mun.ca Jared Perry GSEC, GWAPT, GCWN Application testing at Memorial University."— Presentation transcript:

1 APPLICATION VULNERABILITY ASSESSMENTS REVISITED COMPUTING AND COMMUNICATIONS www.mun.ca Jared Perry GSEC, GWAPT, GCWN Application testing at Memorial University

2 PREVIOUS TALK CANHEIT 2012 Walked through methodology Recon, Discovery, Exploitation, Reporting Talked about common vulnerabilities XSS, SQLi This talk will Discuss how techniques have evolved What we have learned since last presentation COMPUTING AND COMMUNICATIONS

3 SO, WHAT HAS CHANGED? PERSPECTIVE COMPUTING AND COMMUNICATIONS

4 SO, WHAT HAS CHANGED? INDUSTRY Bug Bounties Reward security professionals who report vulnerabilities glory, swag, $$$$ Moving in right direction With a mature security program bug bounties are successful See Facebook, Google, BugCrowd Programs Caveats Higher Ed institutions likely not positioned well for such programs Scope and response to disclosures would be key Good way to hone personal skills COMPUTING AND COMMUNICATIONS

5 SO, WHAT HAS CHANGED? COMMON VULNERABILITIES SQLi Frameworks and developer/vendor awareness Cross Site Scripting Still common however efforts are usually made to prevent Broken Authentication/Access Controls DIY authentication/access control functionality Code Injection Via file uploads or external file references Misconfigurations/Using Known Vulnerable Code Vendor implementations… COMPUTING AND COMMUNICATIONS

6 SO, WHAT HAS CHANGED? INTERNAL DEVELOPERS Developers Receptive Internal developers have embraced security standards Use standardized and well tested frameworks/code Presentations Developer testing Continuously Changing The languages, frameworks and platforms developers are using is changing frequently making testing a challenge AngularJS, Node, new PHP frameworks, Mobile, etc COMPUTING AND COMMUNICATIONS

7 SO, WHAT HAS CHANGED? VENDORS Vendors are becoming more security conscious Many provide direct methods for vulnerability disclosure However still run into occasional resistance COMPUTING AND COMMUNICATIONS

8 VENDORS SUCCESS STORIES OpenText FirstClass OpenText had recently rebuilt the software with a new framework Found that the framework was not sanitizing input or encoding output allowing for multiple XSS vulnerabilities Vendor response was immediate Cisco Identity Service Engine (ISE) - CVE-2014-0681 Allowed remote, unauthenticated persistent XSS attack against ISE administrators All versions were affected, patched version is available COMPUTING AND COMMUNICATIONS

9 PROCESS PRIORITIZING Standard Questions Name of the application(s) Whether it is internally, vendor or open source developed Programming language(s) they are written in List of other servers connected to the application such as database, application or file servers Description of data that will be stored in this application Estimate of the number of users A summary of how the application is used/functionality COMPUTING AND COMMUNICATIONS

10 PROCESS MINIMIZE DATA/LIMIT ACCESS Basic Concept Everyone wants to collect everything, retain it forever and have it accessible from anywhere We work with clients on new applications to reduce attack surface Bonus: Reduces extent of testing COMPUTING AND COMMUNICATIONS

11 TECHNIQUES MANUAL TESTING Benefits Finds vulnerabilities automated tools are not designed to detect Business logic, insecure application functionality, access controls Can be as simple as fuzzing, security QA Intercept Proxy Burp Suite (Personal Favorite), Zed Attack Proxy, W3AF Use the target application Review requests and responses Manipulate COMPUTING AND COMMUNICATIONS

12 TECHNIQUES MANUAL TESTING COMPUTING AND COMMUNICATIONS

13 TECHNIQUES MANUAL TESTING COMPUTING AND COMMUNICATIONS

14 TECHNIQUES MANUAL TESTING Checklist OWASP is a great resource with starter checklist Basic Tests Create new account Password Requirements Forgot password process Change password –Does the application ask for the current password first? etc COMPUTING AND COMMUNICATIONS

15 TECHNIQUES MANUAL TESTING Advanced Tests Disable/Manipulate client-side code –Look for client-side authentication checks  Creative inputs –Automated tools won’t test many types of user input –File Uploads, WYSIWYG, etc Redirect requests as needed –Fuzzing inputs – Burp Intruder/Repeater COMPUTING AND COMMUNICATIONS

16 TECHNIQUES MANUAL TESTING - XSS Manual XSS Testing As basic as '';!--" =&{()} or alert("XSS") Focus on inputs that are difficult for automated scanners to test Try Burp Suite Intruder XSS payload, ZAP Fuzzer Advanced Use evasion techniques, good cheat sheet available from OWASP Creative inputs –Examples: file upload metadata, authentication requests COMPUTING AND COMMUNICATIONS

17 TECHNIQUES MANUAL TESTING - XSS COMPUTING AND COMMUNICATIONS

18 TECHNIQUES MANUAL TESTING - XSS COMPUTING AND COMMUNICATIONS

19 TECHNIQUES MANUAL TESTING - XSS COMPUTING AND COMMUNICATIONS

20 TECHNIQUES MANUAL TESTING - XSS COMPUTING AND COMMUNICATIONS

21 TECHNIQUES MANUAL TESTING - AUTH Authentication is not a DIY project Don’t reinvent the wheel Use session management available in the language or framework Testing Session Management Look at application responses for session data Look for sensitive information Is the session id sufficiently random? Burp Sequencer Attempt Decoding – Burp Decoder – Base64 Is the expiration sufficient? COMPUTING AND COMMUNICATIONS

22 TECHNIQUES MANUAL TESTING - CSRF Very few vendors or developers implement CSRF protections ASP Viewstate Tokens Difficult Execution CSRF attacks require the victim to be logged into target app then click malicious link Prime targets are “always open” applications Portals, ERP, E-Learning, Webmail, etc Hope to introduce more awareness with devs and vendors COMPUTING AND COMMUNICATIONS

23 TECHNIQUES MANUAL TESTING - MOBILE Increasing need to test mobile apps Clients want mobile and native applications Mobile Apps and related APIs are being integrated systems with sensitive data, eg Student Grades How do we test mobile applications? Proxy communications through testing computer Requires trusting SSL certificates from intercept proxy Review and map mobile APIs similar to any other application COMPUTING AND COMMUNICATIONS

24 TECHNIQUES AUTOMATED TESTING Follow-up to Manual Testing Finish testing with automated testing to find any low hanging fruit or vulnerabilities possibly missed. Burp/Zap Both have automated scanning functions Skipfish Automated scanning function that is great for finding hidden application components W3AF Swiss army knife of scanning tools COMPUTING AND COMMUNICATIONS

25 PROCESS REPORTING Summarize Details about the application and related data The scope of testing Limitations and/or concerns List vulnerabilities Descriptions should be targeted to the audience (devs vs mgmt) Detail how the vulnerability could be used Detail impact and likelihood of it being exploited Provide recommendations for remediation Provide example screen captures to developers/vendors COMPUTING AND COMMUNICATIONS

26 PROCESS REMEDIATION Complete/Partial Remediation Not reasonable to have every issues found to be completely remediated. Retesting Cycle Can be a lot of back and forth trying to address an issue –May have to settle for partial remediation or alternative mitigations Sign-off for remaining vulnerabilities For vulnerabilities not remediated detail the risk and obtain sign-off from those responsible for the data and application COMPUTING AND COMMUNICATIONS

27 PROCESS FUTURE PLANS Formalize Tracking of vulnerabilities Retain testing data Maintain data on applications, dev teams and vendors Automate testing options for developers Threadfix/Mozilla Minion Open source applications for tracking vulnerabilities Provides options to allow developers to do automated scanning COMPUTING AND COMMUNICATIONS

28 PROCESS FUTURE PLANS Information Sharing Reduce duplication of efforts –Higher Ed has a lot of niche applications and many institutions use the same applications Security SIG discussion mailing list? Improve vendor responses and coordination Legal concerns COMPUTING AND COMMUNICATIONS

29 TECHNIQUES MANUAL TESTING Burp Sequencer and Decoder Demo - mutillidae COMPUTING AND COMMUNICATIONS

30 TECHNIQUES MANUAL TESTING - CSRF CSRF Attack Demo with Burp Suite - mutillidae COMPUTING AND COMMUNICATIONS

31 TECHNIQUES MANUAL TESTING - MOBILE Mobile Demo with Burp Suite – Ellucian GO COMPUTING AND COMMUNICATIONS

32 QUESTIONS Jared Perry IT Security Administrator, GSEC, GWAPT, GCWN Email: jaredp@mun.ca Twitter: @jared_perry Phone: (709) 864-2619 COMPUTING AND COMMUNICATIONS

33 RESOURCES OWASP Link References https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She et Threadfix/Mozilla Minion https://github.com/denimgroup/threadfix/ https://wiki.mozilla.org/Security/Projects/Minion Mobile App Testing http://jaredperry.ca/mapping-mobile-app-apis/ COMPUTING AND COMMUNICATIONS

34 RESOURCES Zed Attack Proxy (ZAP) https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Pro ject Kali Linux http://www.kali.org/ Burp Suite http://portswigger.net/burp/ Bug Bounties https://bugcrowd.com/ COMPUTING AND COMMUNICATIONS

Download ppt "APPLICATION VULNERABILITY ASSESSMENTS REVISITED COMPUTING AND COMMUNICATIONS www.mun.ca Jared Perry GSEC, GWAPT, GCWN Application testing at Memorial University."

Similar presentations

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Similar presentations

Ads by Google