How About Security Testing?

Transcription

1 How About Security Testing? Jouri Dufour, CTG #esconfs

2 How About Cybercrime?

3

4

5

6

7

8 Our BUSINESS LIFE is online.

9

10 If A happens, then B must be the case, so I will do C. BUT WHAT IF X OCCURS?

11 01 Fooling a password change function

12 Password change function Administrator Username Existing password * New password Confirm new password * Only presented to users Password change request N Existing password parameter? Y User The functionality The assumption The attack

13 Password change function Administrator N FLAW Username Existing password * New password Confirm new password * Only presented to users Password change request Existing password parameter? Y User The functionality The assumption The attack

14 ATTACK Password change function Administrator Username Existing password * New password Confirm new password * Only presented to users Password change request N Existing password parameter? Y User The functionality The assumption The attack

15 RECOMMENDED HACK STEPS Try removing in turn each request parameter Be sure to delete the actual parameter name as well as its value Attack only one parameter at a time Follow a multistage process through to completion

16 02 Proceeding to checkout

17 Retail application Add items to shopping basket Finalize order Enter payment information Enter delivery information The functionality The assumption The attack

18 Retail application Add items to shopping basket Finalize order FLAW Enter payment information Enter delivery information The functionality The assumption The attack

19 Retail application ATTACK Add items to shopping basket Finalize order Enter payment information Enter delivery information The functionality The assumption The attack

20 RECOMMENDED HACK STEPS Attempt to submit requests out of the expected sequence Be sure to fully understand the access mechanisms to distinct stages Try to violate the developers assumptions Use any interesting error messages and debug output to fine-tune your attacks

21 The application may enforce strict access control only on the initial stages of the process

22 03 Beating a business limit

23 ERP application Bank account 1 Less than ? Y Bank account 2 N The functionality The assumption The attack

24 ERP application FLAW Bank account 1 Less than ? Y Bank account 2 N The functionality The assumption The attack

25 ERP application Bank account Less than ? Y Bank account 2 N The functionality The assumption The attack

26 Many applications use numeric limits and beating such limits may have serious business consequences

27 RECOMMENDED HACK STEPS Try entering negative values Sometimes several steps need to be repeated to bring the application in a vulnerable state

28 04 Cheating on bulk discounts

29 Retail application Shopping basket Item 1... Item 2... Item 3... Purchase bundle -25% The functionality The assumption The attack

30 Retail application Shopping basket Item 1... Item 2... Item 3... FLAW Purchase bundle -25% The functionality The assumption The attack

31 ATTACK Retail application Shopping basket Item 1... Item 2... Item 3... Purchase bundle -25% The functionality The assumption The attack

32 RECOMMENDED HACK STEPS Find out if adjustments are made on a one-time basis Try to manipulate the application s behavior to get adjustments that don t correspond to the original intended criteria

33 05 Escaping from escaping

34 Web application User-controllable input Sanitization using the backslash character \ ; & < > ` space newline Operating system command The functionality The assumption The attack

35 Web application User-controllable input Sanitization using the backslash character \ ; & < > ` space newline FLAW Operating system command The functionality The assumption The attack

36 ATTACK Web application User-controllable input Sanitization using the backslash character \ ; & < > ` space newline Operating system command The functionality The assumption The attack

37 Web application COMMAND INJECTION Foo\;ls Sanitization using the backslash character \ Foo\\;ls Operating system command ; & < > ` space newline The functionality The assumption The attack

38 RECOMMENDED HACK STEPS Attempt to insert relevant metacharacters into the data you control Always try placing a backslash immediately before each such character

39 This same defect can be found in some defenses against cross-site scripting attacks

40 Yesterday Today Tomorrow Dynamic Application Security Testing (DAST) Static Application Security Testing (SAST) + = Integrated Application Security Testing (IAST)

41 Time 00:00 Victims :01 00:02 00:03 00:04 00:05 00:06 00:07 00:08 00:09 00:10 00:11 00:12 00:13 00:14 00:15 00:16 00:17 00:18 00:19 00:20 00:21 00:22 00:23 00:24 00:25 00:26 00:27 00:28 00:29 00:30 00:31 00:32 00:33 00:34 00:35 00:36 00:37 00:38 00:39 00:40 00:41 00:42 00:43 00:44 00:45 00:46 00:47 00:48 00:49 00:50 00:51 00:52 00:53 00:54 00:55 00:56 00:57 00:58 00:59 01:

42 HOW ABOUT SECURITY TESTING? Fooling a password change function Proceeding to checkout Beating a business limit Cheating on bulk discounts Escaping from escaping Speaker: Jouri Dufour [email protected]