Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

Transcription

1 Practical Aspects of Web Application Penetration Testing & Vulnerability Analysis Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

2 Presentation Path Motivation Penetration Testing Practical aspects of Penetration ti testingti Vulnerability Analysis The Road Ahead Slide 2

3 Security Testing Universe Application close to 80% of today s attacks are tunneling through Web applications Gartner Network Standards d Compliance Physical Process Slide 3

4 Recent attacks Financial Services Authority, regulatory body for the financial sector says victims lost a total of 23.2 million pounds (34.4 million euros) in 2006 Hacker successfully breached the IT defenses of the Best Western Hotel group's online booking system and sold details of how to access it. This led to large amountoflosses.reported: p 21 ST Aug Slide 4

5 Recent attacks The Secret Service arrested 6 people for information theft at an Ohio court web site resulted in a $40,000 loss to the victims sensitive information was stolen by manipulating predictable identifier e parameters a stolen information belonged to 270 people and included the name, address, age and other information that could be used to obtain credit card numbers and to open bank accounts Reported: 22 December 2007 Slide 5

6 Industry Verticals Percentage of websites with either URGENT, CRITICAL or HIGH severity vulnerabilities ranked by industry Source: Whitehat Security Inc Slide 6

7 Motivation Relative indifference towards the importance of web application penetration testing Lack of a well defined, organized and comprehensive execution cycle for web application penetration testing projects Too much emphasis on tool based security assessment of web applications Slide 7

8 Application Penetration Testing is a Quality Control activity with a focus on threat modeling, planning and executing various attacks on the application under test and suggesting mitigation strategies Vulnerability Analysis is a process that identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure Slide 8

9 Practical aspects of PT & VA Understanding business workflow Threat modeling Planning and executing attacks Vulnerability Analysis Vulnerability Assessment Report Slide 9

10 Understanding business workflow Assess the security preparedness of the application by carrying out security audit a security audit questionnaire for the client Example: Does the application use dynamic SQL in any form? If yes, enumerate mechanisms implemented to prevent SQL injection attacks? Response of the developers to aforementioned auditing question will define the course of attack to expose SQL injection flaws Slide 10

11 Understanding business workflow Browse the application Heuristics based Paros plug-in to capture important parameters while browsing the application to create a list of potential vulnerable parameters As opposed to using the spidering features of automated tools Identify business critical assets and workflows these assets and scenarios provide input for comprehensive threat modeling exercise Slide 11

12 Threat Modeling Threat Modeling structured approach to ensure extensive testing coverage identify attack surface areas Prepare privilege matrix Function Normal User Administrator Super User Function 1 NO YES YES Function 2 NO YES YES Function 3 NO NO NO Function 4 NO NO NO Function 5 NO YES YES Function 6 NO YES YES NO YES Function cannot be performed by user Function can be performed by user Slide 12

13 Planning attacks for vulnerabilities Plan penetration testing approach based on audit questionnaire business scenario browsing threat model Project Execution Workspace stores the project day to day activities list of all identified threats for the AUT Slide 13

14 In-House Process Accelerators Roadmap file step by step guide to carry out penetration testing tells the tester what to do in each phase Aztecsoft Security Knowledgebase continually evolving repository of all information needed to carry out penetration tests dirty-tricks repertoire i.e. the injections database, containing a list of potential attacks vulnerability details, testing and mitigation strategies domain specific and generic threats Slide 14

15 Penetration Testing Test data creation Using automated tools Open Source Vulnerability Assessment Tools Home grown specialized tools Web application i analyzer Insecure ID s Burp Plug-in Manual business logic testing execute custom intelligent tests exploiting XSS: a practical approach Slide 15

16 Exploiting XSS : a practical approach Tester Malicious Code Inserted by attacker <SCRIPT>Send Cookie to attacker.com</script> Vulnerable application p// /ad /Use Accounts anappprove/ + Cookies Executed User Cookie User Slide 16

17 Vulnerability Analysis Resolve false positives reported by automated tools Carry out deeper investigation to understand loopholes which cause the threat Identify multiple attack vectors to exploit identified vulnerabilities Prioritization and Impact analysis For e.g.: If the underlying vulnerability is Insecure Id s then find the impact of this vulnerability on the entire application Identify potential mitigation strategies Slide 17

18 Vulnerability Assessment Reporting Security preparedness of the application Vulnerability Statistics Detailed exploits Mitigation strategies Standard templates Security Test Tracking Report Security Test Analysis Report Slide 18

19 Vulnerability Assessment Report (Snapshot) Expert Services Group Slide 19 (Security Testing)

20 Slide 20

21 Slide 21

22 Slide 22

23 Slide 23

24 Slide 24

25 Road Ahead Extend our service to include testing of SaaS based applications Enhance processes & tool repository Slide 25

26 References outcome_ value_ monetary_ loss.shtml Hacker uses Social Security numbers from Ohio court site News Story, Ohio.com/AP, 22 December php ts pdf Slide 26

27 Slide 27