©2009 Justin C. Klein Keane
PHP Code Auditing
Session 6: Auditing Strategies & Demonstration
Justin C. Klein Keane
firstname.lastname@example.org
Installing the Exercise
- Download and install VMware Player or VMware Fusion
- Download and extract the target image
- Be sure PHP Eclipse is set up with RSE

First Looks
- Start up the virtual machine and log in with root/password
- Retrieve the IP address
- Browse to the IP in a web browser on your host system
- Connect to the target with Eclipse
- SSH to the target with PuTTY or similar
Strategies for Finding Vulns
- Black box testing: view the application from the end user's perspective
- Logical pathways: follow the flow of the code
- Vulnerability checklist: examine the code once for each type of vuln
- Linear approach: parse through the code systematically

Time vs. Thoroughness
- Plan your audit based on the available time and the criticality of your target
- Black box testing is the least time intensive but also the least thorough
- The linear approach is very time intensive but also extremely thorough (it can catch orphaned code and other problems)
- The vulnerability checklist and logical pathway approaches are good compromises
Take Notes
- Be sure to document vulnerabilities: even if you can't exploit them, someone else could
- Be sure to note every potential exploit; the tendency to “target fixate” may result in overlooking trivial vulnerabilities in the hunt for severe ones
- Notes should include vulnerability type, file location, and relevant lines of code
Black Box Testing
- Surface analysis of the application from the user's perspective
- Examine the application without looking at the code
- Try to identify potential areas of exploitation
- Turn to the code afterwards and try to find the vulnerabilities
- Can be aided by automated tools and proxies

Logical Pathways
- Follow the program flow in an IDE
- Begin looking at the code from points of entry
- Trace code through to termination and display
- Will overlook orphaned code and things like documentation or other artifacts
- Branching can sidetrack you, so take careful notes
Vulnerability Checklist
- Target vulnerabilities one class at a time
- Start with one class of vulnerability, such as SQL injection
- Find all functions that could trigger that vulnerability, such as mysql_query(), using utilities like 'find' and 'grep'
- Custom applications may abstract these functions, so you may have to look for the abstraction layer
- This process is more difficult with vulnerabilities that don't have a specific trigger, such as authentication bypass or logic flaws
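The checklist pass for the SQL injection class, together with the note format the Take Notes slide asks for (vulnerability type, file, line, and the relevant code), as an added shell example; it is not part of the original slides. It greps for the raw mysql_query() sink, then looks for the application's own abstraction layer (any function whose body calls the sink) and greps for calls to those wrappers as well. The PHP files, the db_run wrapper name and the app layout are constructed for the demonstration and are assumptions, not the exercise image's code.

```shell
#!/bin/sh
# Added example (not from the slides): one "vulnerability checklist" pass for
# SQL injection. Builds a constructed PHP tree in a temp dir, greps for the raw
# sink, discovers wrapper functions around it, and greps for their call sites.
# Findings are printed as audit notes: type, file:line, and the line of code.

set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/app/lib" "$WORK/app/pages"

# Constructed sample application (file names and contents are assumptions).
cat > "$WORK/app/lib/db.php" <<'EOF'
<?php
function db_run($sql) {
    return mysql_query($sql);
}
EOF

cat > "$WORK/app/pages/user.php" <<'EOF'
<?php
require_once '../lib/db.php';
$id = $_GET['id'];
$res = db_run("SELECT * FROM users WHERE id = " . $id);
EOF

cat > "$WORK/app/pages/search.php" <<'EOF'
<?php
$q = $_POST['q'];
$res = mysql_query("SELECT * FROM posts WHERE title LIKE '%$q%'");
EOF

# Step 1: every raw sink call, as file:line:code.
find_sinks() {
    find "$1" -name '*.php' -exec grep -Hn 'mysql_query(' {} +
}

# Step 2: names of functions whose body contains the sink, i.e. the
# abstraction layer the checklist slide warns about. awk remembers the
# most recent "function name(" header and prints it when the sink appears.
find_wrappers() {
    find "$1" -name '*.php' -exec awk '
        FNR == 1 { name = "" }
        /^function [A-Za-z_][A-Za-z0-9_]*\(/ { name = $2; sub(/\(.*/, "", name) }
        /mysql_query\(/ && name != "" { print name; name = "" }
    ' {} +
}

# Step 3: call sites of each wrapper, excluding the wrapper's own definition.
find_wrapper_calls() {
    dir=$1
    find_wrappers "$dir" | while read -r fn; do
        find "$dir" -name '*.php' -exec grep -Hn "$fn(" {} + | grep -v "function $fn("
    done
}

# Audit notes for the SQL injection class. The sink inside the wrapper is
# reported too: the wrapper body is where the query is executed, while the
# wrapper call sites are where untrusted input is concatenated into it.
audit_sqli() {
    find_sinks "$1" | sed 's/^/SQLi sink:        /'
    find_wrapper_calls "$1" | sed 's/^/SQLi via wrapper: /'
}

# Number of note lines produced for a tree (used for checking the pass).
count_findings() {
    audit_sqli "$1" | wc -l | tr -d ' '
}

audit_sqli "$WORK/app"
```

On the constructed tree this yields three notes: the sink in lib/db.php and pages/search.php, and the db_run call in pages/user.php that concatenates $_GET['id'] into the query. Swap the sink name and the function-header regex to run the same pass for another trigger (for example exec() or include()) when working through the rest of the checklist.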
Linear Approach
- Most thorough, and most time consuming
- Review the application externally
- Review the code for flow and functional comprehension
- Go through each file of the application line by line looking for any class of vulnerability
- Utilize both internal and external perspectives
In a Pinch
- If time is an issue, tailor your vulnerability review to a risk assessment
- If the application has no valuable data, the SQL injection review should focus on attackers hosting malicious content or enabling social engineering rather than exposing sensitive data
- Be sure to understand threat models! Just because you don't see a value doesn't mean an attacker won't

Vulnerability Report
- Be sure to note every vulnerability you identify, regardless of whether it can be exploited
- Try to rank vulnerabilities in terms of criticality, for example:
  - High: exploit compromises the entire host or can compromise other applications/services
  - Medium: exploit could cause denial of service or expose clients to attack
  - Low: denial of service or non-sensitive information disclosure
- Note that the type of data/application will influence the severity ranking
Exercise
Let's identify some vulnerabilities in the exercise:
- Authentication bypass
- SQL injection
- XSS
- Arbitrary command execution
- Arbitrary file upload