Software Attacks Lora Borisova QA Engineer WCATeam Anton Angelov QA Engineer Bysiness System Team Telerik QA Academy Telerik QA Academy
Security Vulnerability Testing – Main Concepts Characteristics of a Secure Software Threat Modeling Methods of Security Testing Popular Software Attacks Cryptography 2
Main Concepts
What is security testing? Directed and focused form of testing that attempts to force specific failures to occur Focused especially on reliability 4
Where do bugs come from? Bugs arise from interactions between the software and its environment during operation What is the software's operating environment? The human user The file system The operating system Other cohabitating and interoperating software 5
Where do bugs come from? Bugs arise from the software's capabilities Accepting inputs Producing outputs Storing data Performing computations 6
Is Software Security a Feature? Most people consider software security as a necessary feature of a product Is Security Vulnerability a Bug? If the software "failed" and allowed a hacker to see personal info, most users would consider that a software bug 7
Vulnerabilities typically fall into two categories Bugs at the implementation level Bugs tend to be easier for attackers to exploit Flaws at the design level The hardest defect category to handle Also the most prevalent and critical 8
Intended vs. implemented software behavior in applications 9
In the real world, software failures usually happen spontaneously Without intentional mischief Failures can be result of malicious attacks For the Challenge/Prestige Curiosity driven Aiming to use resources Vandalizing Stealing 10
Software security testing includes: Creating security abuse/misuse cases Listing normative security requirements Performing architectural risk analysis Building risk-based security test plans Wielding static analysis tools Performing security tests Performing penetration testing in the final environment Cleaning up after security breaches 11
Software Development Life Cycle, With Security In Mind 12 Requirements and use cases Design Test plans Code Test results Field feedback Abusecases Security requirements Security breaks External review Risk-based security tests Static analysis (tools) Riskanalysis Riskanalysis Penetration testing
Make your applications as simple as possible The more complicated you make a software – the greater the chance for mistakes The greater the chance for a security breakthrough 13
Confidentiality Disclosure of information to only intended parties Integrity Determine whether the information is correct or not Data Security Privacy Data Protection Controlled Access 15
Authentication Access to Authorized People Availability Ready for Use when expected Non Repudiation Information Exchange with proof 16
Ever have anyone ask you this? There’s an easy answer: NO There are no “Secure” apps But there are apps that are secure enough How to achieve enough security?
Nobody has an infinite security budget Many folks would be happy if they had any budget Be practical! Get the most bang for your buck
Threat modeling A process for evaluating a software system for security issues Can be considered as a variation of formal reviews The review team looks for areas of the product's feature set that are susceptible to security vulnerabilities 20
Threat modeling helps you find what is “secure enough” What are you trying to protect? Who is likely to attack you? What avenues of attack exist? Which vulnerabilities are the highest risk? Go after the high risk vulnerabilities first!
Don’t have a security expert? Use Microsoft Patterns & Practices Threat Modeling Web Applications us/library/ms aspx us/library/ms aspx us/library/ms aspx Security guidance put together by well-known experts
Threat modeling follows a few steps: Assemble the threat modeling team Identify the assets Create an architecture overview Decompose the application Identify the threats Document the threats Rank the threats 23
Threats are not equally important A way to rank the threats is the DREAD formula – using these criteria: Damage potential Reproducibility Exploitability Affected Users Discoverability 24
Hackers attack where the weakest link is Find the weakest security link of your application and secure it as best as possible After you harden the weakest link, another one becomes the weakest one 25
OS Hardening Configure and Apply Patches Updating the Operating System Disable or Restrict unwanted Services and Ports Lock Down the Ports Manage the Log Files Install Root Certificate Protect from Internet Misuse and be Cyber Safe Protect from Malware 27
Vulnerability Scanning Identify Known Vulnerabilities Scan Intrusively for Unknown Vulnerabilities Port Scanning and Service Mapping Identification and locating of Open Ports Identification of Running Services 28
Penetration Testing Simulating Attack from a Malicious Source Includes Network Scanning and Vulnerability Scanning Simulates Attack from someone Unfamiliar with the System Simulates Attack by having access to Source Code, Network, Passwords 29
Firewall Rule Testing Identify Inappropriate or Conflicting Rules Appropriate Placement of Vulnerable Systems behind Firewall Discovering Administrative Backdoors or Tunnels SQL Injection Exploits Database Layer Security Vulnerability Unexpected Execution of User Inputs 30
Cross Site Scripting Injecting Malicious Client Side Script into Web Pages Persistent, Non-Persistent and DOM based Vulnerabilities Parameter Manipulation Cookie Manipulation Form Field Manipulation URL Manipulation HTTP Header Manipulation 31
Denial of Service Testing Flooding a target machine with enough traffic to make it incapable Command Injection Inject and execute commands specified by the attacker Execute System level commands through a Vulnerable Application 32
Network Scanning Identifying Active Hosts on a network Collecting IP addresses that can be accessed over the Internet Collecting OS Details, System Architecture and Running Services Collecting Network User and Group names Collecting Routing Tables and SNMP data 33
Password Cracking Collecting Passwords from the Stored or Transmitted Data Using Brute Force and Dictionary Attacks Identifying Weak Passwords Ethical Hacking Penetration Testing, Intrusion Testing and Red Teaming 34
File Integrity Testing Verifying File Integrity against corruption using Checksum Format String Testing Supplying Format type specifiers in the Application input 35
War Dialing Using a Modem to dial a list of Telephone Numbers Searching for Computers, Bulletin Board System and Fax Machines Wireless LAN Testing Searching for existing WLAN and logging Wireless Access Points 36
Buffer Overflow Testing Overwriting of Memory fragments of the Process, Buffers of Char type Random Data Testing Random Data Inputs by a Program Encoded Random Data included as Parameters Crashing built-in code Assertions 37
Random Mutation Testing Bit Flipping of known Legitimate Data Byte stream Sliding within known Legitimate Data Session Hijacking Exploitation of Valid Computer Session Exploitation of the Web Session control mechanism Gain unauthorized access to the Web Server 38
Phishing Masquerading as a trustworthy entity in an electronic communication Acquiring usernames, passwords and credit card details URL Manipulation Make a web server deliver inaccessible web pages URL Rewriting 39
IP Spoofing Creating Internet Protocol (IP) packets with a forged source IP address Packet Sniffing Capture and Analyze all of the Network traffic 40
Virtual Private Network Testing Penetration Testing Social Engineering Psychological Manipulation of People Divulging confidential information 41
SANS (System Administration, Networking, and Security) Institute Established in 1989 as a cooperative research and education organization Enables more than 165,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face See for more information 44
SQL injection OS command injection Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Unrestricted upload of dangerous file URL redirection to untrusted site (Open Redirect) Buffer overflow Improper limitation of a pathname 45
Download of a code without integrity check Uncontrolled format string Missing or incorrect authorization Use of hard-coded credentials Missing encryption of sensitive data Execution of unnecessary privileges Improper restriction of excessive authentication attempts 46
What is SQL injection? A code injection technique Malicious code is inserted into strings Later passed to an instance of SQL Server for parsing and execution 47
Original SQL Query: String sqlQuery = "SELECT * FROM user WHERE name = '" + username +"' AND pass='" + password + "'“ 48 Setting username to John & password to ' OR '1'= '1 produces String sqlQuery = SELECT * FROM user WHERE name = 'John' AND pass='' OR '1'='1' The result: If a user John exists – he is logged in without password
49
Use Prepared Statements Validate all of the user information Remove special characters from the user input Never show SQL error messages to the user Use different field names for user interface and database Disable all unused features of the database Limit user permissions for the database 50
51 An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application.
52 The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user The application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user However, commands are executed with the same privileges and environment as the application has
DEMO
Do you really need a method or a class to be public? If not – make it private or protected 54
What is XSS? A type of computer security vulnerability Allows injecting client-side script into web pages viewed by other users 55
What is XSS? The malicious code along with the original webpage gets displayed in the web client Allows hackers to gain greater access of that page 56
Stealing other user’s cookies Stealing their private information Performing actions on behalf of other users Redirecting to other websites Showing ads in hidden IFRAMES and pop-ups Showing ads in hidden IFRAMES and pop-ups 57
Validate all input data from the user Never show data entered by the user without cleaning them from JavaScript and HTML If showing HTML and JavaScript from the user is needed – use the tag The browser will ignore entered code 58
Consider each user input as incorrect until proven correct Never accept user input without complete validation 60
Acunetix WVS ( checks your web applications for XSS, SQL Injection & other vulnerabilities Free demo version with limited functionality available (XSS checks only) 61
What is buffer overflow? An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory Also called buffer overrun 63
Buffer overflow is commonly associated with C and C++ Provide no built-in protection against accessing or overwriting data 64
Choice of programming language Use of safe libraries Buffer overflow protection Pointer protection Executable space protection Address space layout randomization Deep packet inspection 65
What is Wireshark? Free and open-source packet analyzer Used for: Network troubleshooting Analysis Software and communications protocol development Source:
Demo
What is a password attack? A type of software attack in which the attacker tries to guess passwords or crack encrypted password files Either manually or through the use of scripts 70
Simple guessing Dictionary attacks Using a list of popular passwords Password phishing Masquerading as a trustworthy entity Brute force attacks Generating all possible combinations 71
72
9.8% have the passwords password, or ; 14% have a password from the top 10 passwords 40% have a password from the top 100 passwords 79% have a password from the top 500 passwords 91% have a password from the top passwords 98.8% have a password from the top passwords 73
What is THC-Hydra? A very fast network logon cracker which support many different services. Free of charge for non-enterprise use Source:
Currently this tool supports: POP3 FTP HTTP-GET, HTTP-FORM-POST, HTTPS-GET… Firebird Subversion (SVN) Telnet And many more… 76
What type of attacks can HYDRA-HTC do? Parallel dictionary attacks (16 threads by default) Brute force/Hybrid attacks Check for null, reversed, same as username passwords Slow down the process of attack- prevent detection- IPS (Intrusion Prevention System) Parallel attack of different servers 77
Download and install CYGWIN – Linux-like environment for Windows Go to the directory of hydra: CYGWIN cd C:\hydra-7.3 CYGWIN cd C:\hydra-7.3 Type "./configure", then "make" and finally "make install" For help type: hydra For help for module: hydra –U "module-name" Example: hydra –U http-form-post 78
DEMO
Choosing good passwords: 1. Start with a Base Word Phrase cstfttt 2. Lengthen the Phrase cstftttGmail 3. Scramble the Phrase 4. Lastly: Rotate/Change Your Password Regularly hbd(Gmail Use Strong Password Generator: FlyingBit FlyingBit 80
What is Denial of Service attack? An attempt to make a computer resource unavailable to its intended users Sending messages which exhaust service provider’s resources Network bandwidth, system resources, application resources 81
DDoS attacks Employing multiple (dozens to millions) compromised computers to perform a coordinated and widely distributed DoS attack 82
Limit ability of systems to send spoofed packets Rate controls in upstream distribution nets Use modified TCP connection handling Block IP broadcasts Block suspicious services & combinations 83
Manage application attacks with “puzzles” to distinguish legitimate human requests Good general system security practices Use mirrored and replicated servers when high performance and reliability required 84
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. Real redirect: // // // Faked link: /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system /../../../redirect.asp%3F%3Dhttp%3 A// assword_recovery_system 85
Imagine a user receives an invitation to view his profile at: Accidentally he omits the final "9" and opens: As a result – he opens someone else's profile Gaining access to someone's personal information 86
Why would someone manipulate URL? Getting a web server to deliver web pages he is not supposed to have access to Trigering an exception thus revealing information in an error message 87
Example: Removing any site from Google Even when you don’t control it! Exploit in Google Webmaster Tools Fixed within 7 hours Just open the following URL: request?hl=en&siteUrl= {YOUR_URL} /&urlt= {URL_TO_BLOCK} request?hl=en&siteUrl= {YOUR_URL} /&urlt= {URL_TO_BLOCK} 88
See: from-google-even-if-you-dont-control-it.html from-google-even-if-you-dont-control-it.html from-google-even-if-you-dont-control-it.html 89
URL Attack as an XSS %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e %3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2f script%3e URL Attack as an SQL Injection ogintable%20set%20passwd%3d%270n3d%27%3b--%00 ogintable%20set%20passwd%3d%270n3d%27%3b--%00 ogintable%20set%20passwd%3d%270n3d%27%3b--%00 90
A.k.a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF Type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts A vulnerable URL: &amount= &for=mallory &amount= &for=mallory &amount= &for=mallory Secret cookies and accepting only POST requests does not help 91
Follow the Principle of the "Weakest Privilege" Give no user greater permissions than he needs for performing his job 92
Error messages can reveal important information about your site Error messages like that should not be allowed: 93
94 DEMO
All applications throw errors every once in a while Make sure that even in this case your application remains stable 95
What is IP address spoofing? Creation of Internet Protocol (IP) packets with a forged source IP address What is the purpose? Concealing the identity of the sender Impersonating another computing system 96
Packet filtering Ingress filtering Blocking of packets from outside the network with a source address inside the network Egress filtering Blocking of packets from inside the network with a source address that is not inside Not relying on IP for authentication 97
What is session hijacking? Getting access to the session state of a particular user Steals a valid session ID which is used to get into system and retrieve the data 98
Spoofing An attacker does not actively take another user offline to perform the attack He mainly pretends to be another user or machine to gain access 99 I am John and here are my credentials
Hijacking An attacker takes over an existing session He relies on the legitimate user to make a connection and authenticate 100 John logs on to the server with his credentials
Hijacking Subsequently, the attacker takes over the session 101
Session fixation Setting a user's session id to a predefined one Session sidejacking Using packet sniffing to read network traffic between two parties and steal the session cookie Cross-site scripting Obtain a copy of the cookie 102
There are two main types of session hijacking: Active An attacker finds an active session and takes over Passive An attacker hijacks a session Sits back, and watches and records all the traffic that is being sent forth 103
104 DEMO
Use encryption Use a secure protocol Limit incoming connections Minimize remote access Educate the employees 105
Check authentication data constantly A user or an application might have once passed a security check That does not mean they should be trusted blindly from that moment on 106
What is social engineering? The act of manipulating people into performing actions or revealing confidential information Instead of breaking in or using technical hacking techniques Essentially – a fancier, more technical way of lying 107
"Dumpster Diving" "Shoulder Surfing" Malicious Attachments Deception and Manipulation "Phishing" "Pharming" Reverse Social Engineering PBX Disguise 108
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication 109
Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. 110
"Dumpster Diving“, a.k.a. trashing or skipping, is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver 111
112
Real story: Japan Earthquake scammers were spreading malicious links to “dramatic” videos of the disaster. So, you ended up clicking on a link that actually downloaded malware onto your PC or took you to a phishing site that asked for personal information 113
These are direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they: fill out a form enter their PIN enter their password tell sensitive information over the phone 114
Public Business Exchange – attacker manipulates company ID system to impersonate someone of authority 115 “Hello? Who is this? Tech support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension Can you transfer me, please? I’m in a hurry.” … “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…”
A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around Includes three phases: sabotage, advertising, assisting 116
Magstudio ( had created an online game for one of their customers – Petrol AD 118
At the end of the game, the collected player’s points were submitted directly as a POST query, without any encryption POST /path/script.cgi HTTP/1.0 From: User-Agent: HTTPTool/1.0 Content-Type: application/x-www-form- urlencoded Content-Length: 33 name=Peter&surname=Sabev&score=10 Changed to Content-Length: 36 name=Peter&surname=Sabev&score=
What is Cryptography? The practice and study of hiding information It is considered as a branch of both Mathematics and Computer Science 120
Cryptography has three main elements Encryption: is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key Decryption Key A value that works with a cryptographic algorithm to produce a specific cipher text 121
Based on the type of key used, Cryptography is categorized into: Symmetric key Cryptography Asymmetric key Cryptography Public-key cryptography The biggest 128 -bit number: 340,282,366,920,938,463,463,374,607,431,768,211,455 which equals to − 1 122
123
124 Precomputed table for reversing cryptographic hash functions Cracking password hashes Recovering the plaintext password, up to a certain length consisting of a limited set of characters Cryptohaze GPU Rainbow Cracker - r.php r.php r.php
125 Full Rainbow tables: Md 5 ( )- > fcea 920 f > Reduction(fcea 920 f 749 ) - > > Md 5 ( ) - > d 7 db 1 cf 7- > Reduction(d 7 db 1 cf 7 ) Md 5 ( )- > fcea 920 f > Reduction(fcea 920 f 749 ) - > > Md 5 ( ) - > d 7 db 1 cf 7- > Reduction(d 7 db 1 cf 7 ) Here is the algorithm: 1. Check to see if the hash matches any of the final hashes. If so, break out of the loop because you have found the chain that contains its plaintext. 2. If the hash doesn’t match any of the final hashes in the tables, use the reduction function on it to reduce it into another plaintext, and then hash the new plaintext. Go back to step 1.
126
Salt consists of random bits, creating one of the inputs to a hash function Salt consists of random bits, creating one of the inputs to a hash function 127
128 DEMO
129
Questions?