BlackBerry Website and Web Application Penetration Testing Service

Transcription

1 BlackBerry Website and Web Application Penetration Testing Service This document includes all attached Annexes, is provided for informational purposes only, and does not in itself constitute a binding legal document. BlackBerry assumes no responsibility for any typographical, technical or other inaccuracies in this document. BlackBerry reserves the right to periodically change information that is contained in this document; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements or other additions to this document to you in a timely manner or at all.

2 Introduction A website / web application penetration test aims to review an entire application. An assessed application will be subjected to a review for vulnerabilities (including those detailed within the OWASP Top Ten ) in order to identify any weaknesses that could allow an attacker to compromise the application, the data it interacts with, its users or the hosting environment. Website / Web application security testing should be part of any organizations risk assessment phase prior to launching live services. We take web application security testing to the highest level, ensuring that a Customer can release their web app, knowing it has been extensively scrutinized by industry leaders. We can provide scheduled monthly website/web application penetration testing services to a Customer to ensure their web presence is secure on an ongoing basis. The difference between the terms Website and Web Application A website is typically considered a set of web pages viewed within a browser. This is meant to be a static set of pages that provides viewers with information; similar to a brochure, with limited or no ways for users to interact with it. One way to look at it is that a website is like a big conference that everyone can attend, but they have to sit and listen to the speaker without any ability to interact. Web applications are interactive sites or those that rely on and provide interactive elements. These could be sites like Wikipedia or Facebook. The value of both of these examples is predicated upon user engagement; without it, neither application is very useful. Think of this like a networking event people have to engage with others to provide value for everyone. Customer Prerequisites The following prerequisites are required from the Customer URLs Credentials/User Accounts if required IP Address if testing the associated infrastructure (i.e. the server on which the site is hosted) Permission from hosting company (if not hosted at the Customer s site) Point of Contact details Deliverables In-depth report, broken down into 3 main parts Management Summary Technical Overview Detailed Technical Findings Highlighting the vulnerabilities Type of RISK The EFFECT of that RISK Full details on how to fix ALL vulnerabilities Estimate of working hours required to FIX any RISKS itentified

3 Scope of Work - Website/ Application Penetration Test In Depth Penetration Testing of Website/Application A full test on the nominated website/application (including OWASP Top Ten most common vulnerabilities) with attempted exploitation of any potential vulnerability found. This will be followed by an in depth analysis and report highlighting risk, effect and effort to fix What Purpose of Test Remote Scan To ascertain any potential vulnerabilities and open doors. This will also identify links to other sites that could present a risk to the target site. Those sites that are identified and require examination will be added to the scope once authority to do so is given. In Depth Exploitation A senior security consultant will use the results of automated and manual assessment to identify target areas which may be vulnerable. These areas will then be scrutinised further with the aim to exploit the issue in order to identify what an attacker could achieve. The testing will be non-destructive, thus protecting the integrity of the website in a live environment. Information Gathering Fingerprinting the application using bespoke and COTS tools to identify assets/software/resources in use. Configuration Management Testing Review the services presenting the application and that the application interacts with (where possible). This can include database management systems, infrastructure and secure communication protocols. Business Logic Testing Creating functional tests to understand how the application works and then applying incorrect functional flow to assess how the application reacts. Assessing the security of authentication mechanisms in use. Authentication Testing If the application provides user login functionality then it can be tested from both black- and grey-box approaches: Black-box: User enumeration and brute force attacks will be attempted on the user login function to gain authenticated access from an unauthorised perspective. Grey-box: An account with a low level privilege within the application will be provided to the test team in order to assess the application as a legitimate user. Where present/required, the assessment will also include the reviewing of functionality including CAPTCHA, multiple-factor authentication, testing the application s resilience to brute-force testing and identifying the predictability of username and password combinations.

4 Scope of Work - Website/ Application Penetration Test What Purpose of Test Applications which implement access controls/user accounts will be tested for privilege escalation and authorisation bypass issues to help ensure that users are unable to gain access to resources/functionality beyond their requirements/authorization. Authorisation Testing This will be reviewed in two manners Horizontal segregation: The application will be assessed to identify any issues which could allow access to resources belonging to another user account by a similarly privileged user (outside of their required access). Vertical segregation: The application will be assessed to identify any issues which could allow a lessprivileged user account to access privileged resources (e.g. administrative functionality). Session Management Testing for cookie implementation, linear regression testing of cookie value randomness, session management schema, session fixation, session variable theft and exposure and cross-site request forgery. Data Validation A thorough series of automated and manual tests will be undertaken to verify that all user-supplied data sent to the application is correctly sanitised. Testing seeks to identify, but is not limited to, cross-site scripting, DOM-based issues, SQL, LDAP, ORM, XML, SSI and Xpath injections, as well as vector-based overflows. Denial of Service Testing activity will be undertaken to actively seek out functions which may be abused to create a denial-of-service condition within the application. Such issues will only be leveraged if permitted within the scope of the assessment. Web Services/APIs Where present, web services and APIs, such as SOAP/RESTful services, will be tested using the same methodology as detailed above. For in-depth white-box assessments, a copy of the service/api schema and example requests can be requested.

5 Attempt to Gain Identity Credentials for Applications Application Testing BlackBerry will employ different software testing techniques to find security bugs in applications hosted on the Internet. Output List of applications List of application components List of application vulnerabilities List of application system trusts Approach Re-Engineering Decompose or deconstruct the binary codes, if accessible Determines the protocol specification of the applications Guess program logic from the error/debug messages in the application outputs and program behaviours/performance Authentication Find possible brute force password guessing access points in the applications Find a valid login credentials with password grinding, if possible Bypass authentication system with spoofed tokens Bypass authentication system with authentication information Determine the application logic to maintain the authentication sessions - number of (consecutive) failure logins allowed, login timeout, etc. Determine the limitations of access control in the applications - access permissions, login session duration, idle duration

6 Approach Session Management Determine the session management information - number of concurrent sessions, IP-based authentication, role-based authentication, identity-based authentication, cookie usage, session ID in URL encoding string, session ID in hidden HTML field variables, etc. Guess the session ID sequence and format Determine if the session ID is maintained with IP address information; check if the same session information can be retried and reused in another machine Determine the session management limitations - bandwidth usages, file download/upload limitations, transaction limitations, etc. Gather excessive information with direct URL, direct instruction, action sequence jumping and/or pages skipping Gather sensitive information with Man-In-the-Middle attacks Inject excess/bogus information with Session-Hijacking techniques Replay gathered information to fool the applications Input Manipulation Find the limitations of the defined variables and protocol payload - data length, data type, construct format, etc. Use exceptionally long character-strings to find buffer overflows vulnerability in the applications Concatenate commands in the input strings of the applications Inject SQL language in the input strings of database-tired web applications Examine Cross-Site Scripting in the web applications of the system Examine unauthorised directory/file access with path/directory traversal in the input strings of the applications Use specific URL-encoded strings and/or Unicode-encoded strings to bypass input validation mechanisms of the applications Execute remote commands through Server Side Include Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications Manipulate the (hidden) field variable in the HTML forms to fool or modify the logic in the server-side Output Manipulation Retrieve valuable information stored in the cookies Retrieve valuable information from the applications cache Retrieve valuable information stored in the serialised objects Retrieve valuable information stored in the temporary files and objects Information Leakage Find useful information in hidden field variables of the HTML forms and comments in the HTML documents Examine the information contained in the applications banners, usage instructions, welcome messages, farewell messages, application help messages, debug/error messages, etc.

7 Reporting On conclusion of the testing, the results will be fully analysed by a BlackBerry senior tester, and a full report will be prepared for the client which will set out the scope of the test and the methodology used. Vulnerabilities are rated Critical High Medium Low The test team findings will be represented in three sections Management Overview A plain English description of discovered vulnerabilities and their potential business impact, with an easy to understand diagram showing vulnerabilities. Technical Overview A section for technical managers which aims to assist in the prioritization of patching and resolving any issues found. Full Technical This section of the report is intended for technical personnel and will include full details of all vulnerabilities found, how they were exploited and a route map with detailed fixes for remediation where appropriate. Alongside the final report, BlackBerry willproduce an Excel spreadsheet listing the vulnerabilities found so you can track remediation more easily. The report will give the tested target a rating of either CRITICAL, HIGH, MEDIUM OR LOW RISK. Deliverable Acceptance Criteria Interim deliverables will be completed and presented to the Customer for review at regular intervals throughout the project. The Customer will review, and either accept, or document specific corrective items in writing, within 3 business days. In the absence of any comments, deliverables produced by BlackBerry will be deemed accepted after 3 business days.

8 Limitations, Exclusions and Additional Customer Responsibilities a. Additional Professional Services offerings may be purchased as add-ons, otherwise additional consulting work not specifically contained in this Program Description is out of scope. b. If Customer Prerequisites and other Customer tasks are not completed in a timely manner as agreed to with the BlackBerry Project Manager and the work contemplated by this Program Description is delayed by greater than two (2) weeks or ten (10) business days, or if the work must be rescheduled by the Customer, BlackBerry reserves the right at its sole discretion to terminate the engagement without refund, or to charge the Customer for additional resources at BlackBerry s current daily rate of $2500 USD for the delay period. c. Customer must ensure that Customer Project Team Members are assigned and available to meet for project Kick Off at project start date. d. The Customer must provide BlackBerry Representatives with information and resources to successfully execute the project. This can include, without limitation, providing access and credentials to systems, completing installation prerequisites, providing project resources, and attendance in planning, execution, or training meetings. e. Customer will ensure resources are available in a timely manner to undertake tasks for which the Customer is responsible. f. Customer must ensure that Customer has necessary escalation and communication channels to resolve any project blockers in a timely manner, including project dependencies on third parties and Customer s other vendors, suppliers, and consultants. g. If BlackBerry Professional Services personnel travel to a Customer location for the delivery of this engagement, there will be additional Travel and Expense costs. These Travel and Expense costs can be paid for prior to the engagement, or at BlackBerry s actual cost, at engagement completion. h. Customer will provide BlackBerry s assigned Program Manager with confirmation of receipt and acceptance of the services rendered on a weekly basis and promptly following the completion of the project. All services shall be deemed to be delivered, and on no account shall BlackBerry be obligated under to deliver further services beyond sixty (60) days after the date specified on the services order form. i. BlackBerry may subcontract all or a portion of the services and/or have the services performed by one of its affiliates.

9 BlackBerry Professional Services BlackBerry Professional Services offers additional consulting and educational offerings. To learn more about these offerings, please go to: Note: The services described in this Program Description are subject to the terms and conditions of the Business Services by BlackBerry Terms found at: There are no warranties, express or implied, with respect to content of this document, amd all information provided herein is provided As Is. Except as expressly agreed to by BlackBerry in an agreement between BlackBerry and you for services, in no event shall BlackBerry or any of its Shareholder, Affiliates, Directors, Officers, E,ployes, Agents or Suppliers, be liable to any Party for any direct, indirect, special or consequential, punitive or exemplary damages for any use of this document, including without limitation, reliance on the information presented, lost profits, lost data, or business interruption, arising in contract, tort, strict liablility or otherwise, even if BlackBerry was expressly advised of the possiblility of such damages About BlackBerry BlackBerry is securing a connected world, delivering innovative solutions across the entire mobile ecosystem and beyond. We secure the world s most sensitive data across all end points from cars to smartphones making the mobile-first enterprise vision a reality. Founded in 1984 and based in Waterloo, Ontario, BlackBerry operates offices in North America, Europe, Middle East and Africa, Asia Pacific and Latin America. The Company trades under the ticker symbols BB on the Toronto Stock Exchange and BBRY on the NASDAQ. For more information, visit BlackBerry Corporation 6700 Koll Center Parkway, #200 Pleasanton, California USA BlackBerry Limited 2200 University Ave. E Waterloo, Ontario Canada N2K 0A7 BlackBerry UK Limited 200 Bath Road Slough, Berkshire United Kingdom SL1 3XE BlackBerry Singapore Pte. Limited The Synergy Building, 2nd Floor 1 International Business Park Singapore Tel: (925) Fax: (925) Tel: (519) Fax: (519) Tel: +44 (0) Fax: +44 (0) Tel: info@blackberry.com info@blackberry.com info@blackberry.com info@blackberry.com 2016 BlackBerry Limited. All rights reserved. The BlackBerry and BlackBerry families of related marks, images and symbols are the exclusive properties of BlackBerry Limited. BlackBerry, Always On, Always Connected, the envelope in motion symbol and the BlackBerry logo are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners. The handheld and/or associated software are protected by copyright, international treaties and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D,445,428; D,433,460; D,416,256. Other patents are registered or pending in various countries around the world.