Software Attacks Lora Borisova QA Engineer WCATeam Anton Angelov QA Engineer Bysiness System Team Telerik QA Academy Telerik QA Academy

 Security Vulnerability Testing – Main Concepts  Characteristics of a Secure Software  Threat Modeling  Methods of Security Testing  Popular Software Attacks  Cryptography 2

Main Concepts

 What is security testing?  Directed and focused form of testing that attempts to force specific failures to occur  Focused especially on reliability 4

 Where do bugs come from?  Bugs arise from interactions between the software and its environment during operation  What is the software's operating environment?  The human user  The file system  The operating system  Other cohabitating and interoperating software 5

 Where do bugs come from?  Bugs arise from the software's capabilities  Accepting inputs  Producing outputs  Storing data  Performing computations 6

 Is Software Security a Feature?  Most people consider software security as a necessary feature of a product  Is Security Vulnerability a Bug?  If the software "failed" and allowed a hacker to see personal info, most users would consider that a software bug 7

 Vulnerabilities typically fall into two categories  Bugs at the implementation level  Bugs tend to be easier for attackers to exploit  Flaws at the design level  The hardest defect category to handle  Also the most prevalent and critical 8

 Intended vs. implemented software behavior in applications 9

 In the real world, software failures usually happen spontaneously  Without intentional mischief  Failures can be result of malicious attacks  For the Challenge/Prestige  Curiosity driven  Aiming to use resources  Vandalizing  Stealing 10

 Software security testing includes:  Creating security abuse/misuse cases  Listing normative security requirements  Performing architectural risk analysis  Building risk-based security test plans  Wielding static analysis tools  Performing security tests  Performing penetration testing in the final environment  Cleaning up after security breaches 11

 Software Development Life Cycle, With Security In Mind 12 Requirements and use cases Design Test plans Code Test results Field feedback Abusecases Security requirements Security breaks External review Risk-based security tests Static analysis (tools) Riskanalysis Riskanalysis Penetration testing

 Make your applications as simple as possible  The more complicated you make a software – the greater the chance for mistakes  The greater the chance for a security breakthrough 13

 Confidentiality  Disclosure of information to only intended parties  Integrity  Determine whether the information is correct or not  Data Security  Privacy  Data Protection  Controlled Access 15

 Authentication  Access to Authorized People  Availability  Ready for Use when expected  Non Repudiation  Information Exchange with proof 16

 Ever have anyone ask you this?  There’s an easy answer: NO  There are no “Secure” apps  But there are apps that are secure enough  How to achieve enough security?

 Nobody has an infinite security budget  Many folks would be happy if they had any budget  Be practical!  Get the most bang for your buck

 Threat modeling  A process for evaluating a software system for security issues  Can be considered as a variation of formal reviews  The review team looks for areas of the product's feature set that are susceptible to security vulnerabilities 20

 Threat modeling helps you find what is “secure enough”  What are you trying to protect?  Who is likely to attack you?  What avenues of attack exist?  Which vulnerabilities are the highest risk?  Go after the high risk vulnerabilities first!

 Don’t have a security expert?  Use Microsoft Patterns & Practices  Threat Modeling Web Applications  us/library/ms aspx us/library/ms aspx us/library/ms aspx  Security guidance put together by well-known experts

 Threat modeling follows a few steps:  Assemble the threat modeling team  Identify the assets  Create an architecture overview  Decompose the application  Identify the threats  Document the threats  Rank the threats 23

 Threats are not equally important  A way to rank the threats is the DREAD formula – using these criteria:  Damage potential  Reproducibility  Exploitability  Affected Users  Discoverability 24

 Hackers attack where the weakest link is  Find the weakest security link of your application and secure it as best as possible  After you harden the weakest link, another one becomes the weakest one 25

 OS Hardening  Configure and Apply Patches  Updating the Operating System  Disable or Restrict unwanted Services and Ports  Lock Down the Ports  Manage the Log Files  Install Root Certificate  Protect from Internet Misuse and be Cyber Safe  Protect from Malware 27

 Vulnerability Scanning  Identify Known Vulnerabilities  Scan Intrusively for Unknown Vulnerabilities  Port Scanning and Service Mapping  Identification and locating of Open Ports  Identification of Running Services 28

 Penetration Testing  Simulating Attack from a Malicious Source  Includes Network Scanning and Vulnerability Scanning  Simulates Attack from someone Unfamiliar with the System  Simulates Attack by having access to Source Code, Network, Passwords 29

 Firewall Rule Testing  Identify Inappropriate or Conflicting Rules  Appropriate Placement of Vulnerable Systems behind Firewall  Discovering Administrative Backdoors or Tunnels  SQL Injection  Exploits Database Layer Security Vulnerability  Unexpected Execution of User Inputs 30

 Cross Site Scripting  Injecting Malicious Client Side Script into Web Pages  Persistent, Non-Persistent and DOM based Vulnerabilities  Parameter Manipulation  Cookie Manipulation  Form Field Manipulation  URL Manipulation  HTTP Header Manipulation 31

 Denial of Service Testing  Flooding a target machine with enough traffic to make it incapable  Command Injection  Inject and execute commands specified by the attacker  Execute System level commands through a Vulnerable Application 32

 Network Scanning  Identifying Active Hosts on a network  Collecting IP addresses that can be accessed over the Internet  Collecting OS Details, System Architecture and Running Services  Collecting Network User and Group names  Collecting Routing Tables and SNMP data 33

 Password Cracking  Collecting Passwords from the Stored or Transmitted Data  Using Brute Force and Dictionary Attacks  Identifying Weak Passwords  Ethical Hacking  Penetration Testing, Intrusion Testing and Red Teaming 34

 File Integrity Testing  Verifying File Integrity against corruption using Checksum  Format String Testing  Supplying Format type specifiers in the Application input 35

 War Dialing  Using a Modem to dial a list of Telephone Numbers  Searching for Computers, Bulletin Board System and Fax Machines  Wireless LAN Testing  Searching for existing WLAN and logging Wireless Access Points 36

 Buffer Overflow Testing  Overwriting of Memory fragments of the Process, Buffers of Char type  Random Data Testing  Random Data Inputs by a Program  Encoded Random Data included as Parameters  Crashing built-in code Assertions 37

 Random Mutation Testing  Bit Flipping of known Legitimate Data  Byte stream Sliding within known Legitimate Data  Session Hijacking  Exploitation of Valid Computer Session  Exploitation of the Web Session control mechanism  Gain unauthorized access to the Web Server 38

 Phishing  Masquerading as a trustworthy entity in an electronic communication  Acquiring usernames, passwords and credit card details  URL Manipulation  Make a web server deliver inaccessible web pages  URL Rewriting 39

 IP Spoofing  Creating Internet Protocol (IP) packets with a forged source IP address  Packet Sniffing  Capture and Analyze all of the Network traffic 40

 Virtual Private Network Testing  Penetration Testing  Social Engineering  Psychological Manipulation of People  Divulging confidential information 41

 SANS (System Administration, Networking, and Security) Institute  Established in 1989 as a cooperative research and education organization  Enables more than 165,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face  See for more information 44

 SQL injection  OS command injection  Cross-Site Scripting (XSS)  Cross-Site Request Forgery (CSRF)  Unrestricted upload of dangerous file  URL redirection to untrusted site (Open Redirect)  Buffer overflow  Improper limitation of a pathname 45

 Download of a code without integrity check  Uncontrolled format string  Missing or incorrect authorization  Use of hard-coded credentials  Missing encryption of sensitive data  Execution of unnecessary privileges  Improper restriction of excessive authentication attempts 46

 What is SQL injection?  A code injection technique  Malicious code is inserted into strings  Later passed to an instance of SQL Server for parsing and execution 47

 Original SQL Query: String sqlQuery = "SELECT * FROM user WHERE name = '" + username +"' AND pass='" + password + "'“ 48  Setting username to John & password to ' OR '1'= '1 produces String sqlQuery = SELECT * FROM user WHERE name = 'John' AND pass='' OR '1'='1'  The result:  If a user John exists – he is logged in without password

49

 Use Prepared Statements  Validate all of the user information  Remove special characters from the user input  Never show SQL error messages to the user  Use different field names for user interface and database  Disable all unused features of the database  Limit user permissions for the database 50

51  An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application.

52  The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user  The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user However, commands are executed with the same privileges and environment as the application has

DEMO

 Do you really need a method or a class to be public?  If not – make it private or protected 54

 What is XSS?  A type of computer security vulnerability  Allows injecting client-side script into web pages viewed by other users 55

 What is XSS?  The malicious code along with the original webpage gets displayed in the web client  Allows hackers to gain greater access of that page 56

 Stealing other user’s cookies  Stealing their private information  Performing actions on behalf of other users  Redirecting to other websites  Showing ads in hidden IFRAMES and pop-ups  Showing ads in hidden IFRAMES and pop-ups 57

 Validate all input data from the user  Never show data entered by the user without cleaning them from JavaScript and HTML  If showing HTML and JavaScript from the user is needed – use the tag  The browser will ignore entered code 58

 Consider each user input as incorrect until proven correct  Never accept user input without complete validation 60

 Acunetix WVS ( checks your web applications for XSS, SQL Injection & other vulnerabilities  Free demo version with limited functionality available (XSS checks only) 61

 What is buffer overflow?  An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory  Also called buffer overrun 63

 Buffer overflow is commonly associated with C and C++  Provide no built-in protection against accessing or overwriting data 64

 Choice of programming language  Use of safe libraries  Buffer overflow protection  Pointer protection  Executable space protection   Address space layout randomization   Deep packet inspection 65

 What is Wireshark?  Free and open-source packet analyzer  Used for:  Network troubleshooting  Analysis  Software and communications protocol development  Source:

Demo

 What is a password attack?  A type of software attack in which the attacker tries to guess passwords or crack encrypted password files  Either manually or through the use of scripts 70

 Simple guessing  Dictionary attacks  Using a list of popular passwords  Password phishing  Masquerading as a trustworthy entity  Brute force attacks  Generating all possible combinations 71

72

 9.8% have the passwords password, or ;  14% have a password from the top 10 passwords  40% have a password from the top 100 passwords  79% have a password from the top 500 passwords  91% have a password from the top passwords  98.8% have a password from the top passwords 73

 What is THC-Hydra?  A very fast network logon cracker which support many different services.  Free of charge for non-enterprise use  Source:

Currently this tool supports:  POP3  FTP  HTTP-GET, HTTP-FORM-POST, HTTPS-GET…  Firebird  Subversion (SVN)  Telnet  And many more… 76

 What type of attacks can HYDRA-HTC do?  Parallel dictionary attacks (16 threads by default)  Brute force/Hybrid attacks  Check for null, reversed, same as username passwords  Slow down the process of attack- prevent detection- IPS (Intrusion Prevention System)  Parallel attack of different servers 77

 Download and install CYGWIN – Linux-like environment for Windows  Go to the directory of hydra:  CYGWIN cd C:\hydra-7.3  CYGWIN  cd C:\hydra-7.3  Type "./configure", then "make" and finally "make install"  For help type: hydra  For help for module: hydra –U "module-name"  Example: hydra –U http-form-post 78

DEMO

 Choosing good passwords: 1. Start with a Base Word Phrase cstfttt 2. Lengthen the Phrase cstftttGmail 3. Scramble the Phrase 4. Lastly: Rotate/Change Your Password Regularly hbd(Gmail  Use Strong Password Generator: FlyingBit FlyingBit 80

 What is Denial of Service attack?  An attempt to make a computer resource unavailable to its intended users  Sending messages which exhaust service provider’s resources  Network bandwidth, system resources, application resources 81

 DDoS attacks  Employing multiple (dozens to millions) compromised computers to perform a coordinated and widely distributed DoS attack 82

 Limit ability of systems to send spoofed packets  Rate controls in upstream distribution nets  Use modified TCP connection handling  Block IP broadcasts  Block suspicious services & combinations 83

 Manage application attacks with “puzzles” to distinguish legitimate human requests  Good general system security practices  Use mirrored and replicated servers when high performance and reliability required 84

 An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation.  Real redirect: // // //  Faked link: /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system 85

 Imagine a user receives an invitation to view his profile at:  Accidentally he omits the final "9" and opens:  As a result – he opens someone else's profile  Gaining access to someone's personal information 86

 Why would someone manipulate URL?  Getting a web server to deliver web pages he is not supposed to have access to  Trigering an exception thus revealing information in an error message 87

 Example:  Removing any site from Google  Even when you don’t control it!  Exploit in Google Webmaster Tools  Fixed within 7 hours  Just open the following URL: request?hl=en&siteUrl= {YOUR_URL} /&urlt= {URL_TO_BLOCK} request?hl=en&siteUrl= {YOUR_URL} /&urlt= {URL_TO_BLOCK} 88

See: from-google-even-if-you-dont-control-it.html from-google-even-if-you-dont-control-it.html from-google-even-if-you-dont-control-it.html 89

 URL Attack as an XSS  %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e    URL Attack as an SQL Injection  ogintable%20set%20passwd%3d%270n3d%27%3b--%00 ogintable%20set%20passwd%3d%270n3d%27%3b--%00 ogintable%20set%20passwd%3d%270n3d%27%3b--%00 90

 A.k.a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF  Type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts  A vulnerable URL: &amount= &for=mallory &amount= &for=mallory &amount= &for=mallory  Secret cookies and accepting only POST requests does not help 91

 Follow the Principle of the "Weakest Privilege"  Give no user greater permissions than he needs for performing his job 92

 Error messages can reveal important information about your site  Error messages like that should not be allowed: 93

94 DEMO

 All applications throw errors every once in a while  Make sure that even in this case your application remains stable 95

 What is IP address spoofing?  Creation of Internet Protocol (IP) packets with a forged source IP address  What is the purpose?  Concealing the identity of the sender  Impersonating another computing system 96

 Packet filtering  Ingress filtering  Blocking of packets from outside the network with a source address inside the network  Egress filtering  Blocking of packets from inside the network with a source address that is not inside  Not relying on IP for authentication 97

 What is session hijacking?  Getting access to the session state of a particular user  Steals a valid session ID which is used to get into system and retrieve the data 98

 Spoofing  An attacker does not actively take another user offline to perform the attack  He mainly pretends to be another user or machine to gain access 99 I am John and here are my credentials

 Hijacking  An attacker takes over an existing session  He relies on the legitimate user to make a connection and authenticate 100 John logs on to the server with his credentials

 Hijacking  Subsequently, the attacker takes over the session 101

 Session fixation  Setting a user's session id to a predefined one  Session sidejacking  Using packet sniffing to read network traffic between two parties and steal the session cookie  Cross-site scripting  Obtain a copy of the cookie 102

 There are two main types of session hijacking:  Active  An attacker finds an active session and takes over  Passive  An attacker hijacks a session  Sits back, and watches and records all the traffic that is being sent forth 103

104 DEMO

 Use encryption  Use a secure protocol  Limit incoming connections  Minimize remote access  Educate the employees 105

 Check authentication data constantly  A user or an application might have once passed a security check  That does not mean they should be trusted blindly from that moment on 106

 What is social engineering?  The act of manipulating people into performing actions or revealing confidential information  Instead of breaking in or using technical hacking techniques  Essentially – a fancier, more technical way of lying 107

 "Dumpster Diving"  "Shoulder Surfing"  Malicious Attachments  Deception and Manipulation  "Phishing"  "Pharming"  Reverse Social Engineering  PBX Disguise 108

 Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication 109

 Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. 110

 "Dumpster Diving“, a.k.a. trashing or skipping, is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver 111

112

 Real story: Japan Earthquake scammers were spreading malicious links to “dramatic” videos of the disaster. So, you ended up clicking on a link that actually downloaded malware onto your PC or took you to a phishing site that asked for personal information 113

 These are direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:  fill out a form  enter their PIN  enter their password  tell sensitive information over the phone 114

 Public Business Exchange – attacker manipulates company ID system to impersonate someone of authority 115 “Hello? Who is this? Tech support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension Can you transfer me, please? I’m in a hurry.” … “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…”

 A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around  Includes three phases: sabotage, advertising, assisting 116

 Magstudio ( had created an online game for one of their customers – Petrol AD 118

 At the end of the game, the collected player’s points were submitted directly as a POST query, without any encryption  POST /path/script.cgi HTTP/1.0 From: User-Agent: HTTPTool/1.0 Content-Type: application/x-www-form- urlencoded Content-Length: 33 name=Peter&surname=Sabev&score=10  Changed to Content-Length: 36 name=Peter&surname=Sabev&score=

 What is Cryptography?  The practice and study of hiding information  It is considered as a branch of both Mathematics and Computer Science 120

 Cryptography has three main elements  Encryption: is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key  Decryption  Key  A value that works with a cryptographic algorithm to produce a specific cipher text 121

 Based on the type of key used, Cryptography is categorized into:  Symmetric key Cryptography  Asymmetric key Cryptography  Public-key cryptography  The biggest 128 -bit number: 340,282,366,920,938,463,463,374,607,431,768,211,455 which equals to − 1 122

123

124  Precomputed table for reversing cryptographic hash functions  Cracking password hashes  Recovering the plaintext password, up to a certain length consisting of a limited set of characters  Cryptohaze GPU Rainbow Cracker - r.php r.php r.php

125  Full Rainbow tables: Md 5 ( )- > fcea 920 f > Reduction(fcea 920 f 749 ) - > > Md 5 ( ) - > d 7 db 1 cf 7- > Reduction(d 7 db 1 cf 7 ) Md 5 ( )- > fcea 920 f > Reduction(fcea 920 f 749 ) - > > Md 5 ( ) - > d 7 db 1 cf 7- > Reduction(d 7 db 1 cf 7 )  Here is the algorithm: 1. Check to see if the hash matches any of the final hashes. If so, break out of the loop because you have found the chain that contains its plaintext. 2. If the hash doesn’t match any of the final hashes in the tables, use the reduction function on it to reduce it into another plaintext, and then hash the new plaintext. Go back to step 1.

126

Salt consists of random bits, creating one of the inputs to a hash function Salt consists of random bits, creating one of the inputs to a hash function 127

128 DEMO

129

Questions?