Security Testing Of (Web) Applications. Erwin Geirmaert Security Innovation

Transcription

1 Security Testing Of (Web) Applications Erwin Geirmaert Security Innovation

2 SECURITY INNOVATION BVBA Security Testing of (web) applications Erwin Geirnaert Security Innovation BVBA

3 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples

4 Some examples Parameter tampering Cross-site-scripting Hidden fields

5 Parameter Tampering

6 Parameter Tampering - Example

7 Parameter Tampering - Example

8 Parameter Tampering - Example

9 Parameter tampering

10 Parameter tampering

11 Cross-site-scripting Insert Javascript in input fields to steal cookies, manipulate forms,... Vulnerable applications: forums, search, user login,... To test: <script>alert(document.cookie)</script> XSS Cheat-sheet:

12 Hidden fields

13 Hidden field manipulation

14 Hidden field manipulation

15 WebGoat Demo

16 References Tech-Ed 2004 Designing in Security OWASP AppSec Europe Tools of the Trade: AppSec Assessment Tools

17 That s it Any Questions? Thank you! Erwin Geirnaert egeirnaert@securityinnovation.be +32(0)

18 Hidden fields

19 Security Tester Toolbox Tools are just a way of manipulating web applications They are no silver bullet, a lot of false positives can be the result of automated scan They can be really expensive They can be useful You need to learn how to use them and what the limitations are Internet Explorer can do the job and for

20 Tools Tools that can help: Static Analysis Tools Dynamic Analysis Tools Application Vulnerability Scanners Other Tools

21 Static analysis tools Source code scanners crawl your source tree to discover possible errors at the code level Strengths Finding logical errors Finding security errors Weaknesses Runtime errors False positives False sense of security Examples Klocwork inspect Coverity SWAT Lint

22 Dynamic analysis tools Dynamic Analysis tools watch the application while it is running to find possible errors. Strengths Finding errors that may surface at runtime Code Coverage Performance Analysis Weaknesses Difficult to execute every code path Difficult to find many security problems Examples Compuware Code Coverage tools Perf analysis tools

23 Tools in the past 4 years ago, a limited list of free tools: Achilles: local WebProxy: local proxy& fuzzer, in Java WebSleuth: plugin for IE, raw requests Whisker: vulnerability scanner Nikto: vulnerability scanner Nessus: didn t include web vulnerabilities yet But they did the job, only it required more time...

24 Commercial Fault Injection Test Tools 1. SPI Dynamics WebInspect 2. Sanctum now Watchfire AppScan 3. Kavado Scando 4. AppSecInc AppDetective for Web Apps 5. Cenzic Hailstorm 6. NT Objectives NTOSpider 7. Acunetix Web Vulnerability Scanner 2 8. Compuware DevPartner Fault Simulator 9. Fortify Pen Testing Team Tool Web Proxy Burp Intruder 12. Sandsprite Web Sleuth 13. MaxPatrol Syhunt Sandcat Scanner & Miner 15. TrustSecurityConsulting HTTPExplorer 16. Ecyware BlueGreen Inspector 17. NGS Typhon 18. Parasoft WebKing (more QA-type tool)

25 Application vulnerability scanners Application Vulnerability Scanners test your application through known avenues of attack. Strengths Help to ensure your application is not vulnerable to known attack vectors Find some security vulnerabilities Weaknesses Web Applications only Still in their infancy Examples Kavado Scando Spidynamics WebInspect

26 Other tools Hex Editors Allow a tester to view binary data in an editable hexadecimal/ascii representation Can search for clear text passwords, or sections containing high amounts of entropy which could lead to the discovery of encrypted data or hashes. Debuggers Allow a tester to view memory space, stack, and machine instructions while the application is running. Can be used to help exploit buffer overruns, discover clear text or encrypted data while in memory.

27 OWASP - WebScarab Java based: download stand-alone JAR and runtime HTTP Proxy Client-certificates Session analysis Raw request Spider Custom plugins: BeanShell

28 OWASP WebScarab - Interceptor

29 WebScarab Raw Request

30 WebScarab - Spider

31 WebScarab SessionID Analysis

32 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples

33 WebScarab Transcoder

34 WebScarab SessionID Analysis

35 Open Source or Freeware Fault Injection Test Tools 1. WebScarab (HTTPush, Exodus) 2. Paros Proxy 3. Burp Spider 4. Burp Proxy 5. SPIKE Proxy 6. SPIKE 7. Achilles Proxy 8. Odysseus Proxy 9. Webstretch Proxy 10. Absinthe 1.1 (formerly SQLSqueal) 11. NGS SQL Injection Inference Tool (BH Europe 2005) 12. Internet Explorer HTMLBar Plugin 13. Firefox LiveHTTPHeaders and Developer Tools 14. Sensepost Wikto (Google cached fault-finding) 15. Foundstone Sitedigger (Google cached fault-finding)

36 Source code review Identify vulnerabilities from the code Requires good eyes Source code scanners can help How to test for this backdoor? public void dopost( HttpServletRequest request, HttpServletResponse response) { String magic = sf8g7sfjdsurtsdieerwqredsgnfg8d ; boolean admin = magic.equals( request.getparameter( magic )); if (admin) doadmin( request, response); else. // normal processing }

37 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples

38 Risk assessment Identify your risks and test for the threats Existing methodologies: OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation Simplified security risk analysis Threat modeling

39 Threat modeling You cannot test a system until you understand the threats Threat modeling is the design activity to discover the threats that your application is susceptible to. Threat modeling yields both threats and vulnerabilities and provides ways to perform security testing in order to prioritize the security fixes needed.

40 Threat modeling - Definitions Threats are possible attacks. Vulnerabilities are security related software errors: A threat is what an attacker might try to do to an asset or through an entry point A vulnerability is a specific security exploit due to an unmitigated threat path

41 Test Plan The test plan will contain the test cases A test case consists of: Test Case number The possible attacks Details and tools Expected result

42 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples

43 STRIDE: Examples Type of Threat Examples Spoofing Tampering Repudiation Information disclosure Denial of Service Elevation of Privilege Forging Message Replaying Authentication Altering data during transmission Changing data in database Delete critical data and deny it Purchase product and deny it Expose information in error messages Expose code on web site Flood web service with invalid request Flood network with SYN Obtain Administrator privileges Use assembly in GAC to create acct

44 Threat Tree Inside Attack Enabled Attack domain controller from inside OR AND AND SQL Injection Dev Server Messenger Xfer Trojan Soc Eng An application doesn t validate user s input and allows evil texts Unhardened SQL server used by internal developers Novice admin uses an instant messenger on a server Attacker sends a trojan masquerading as network util

45 Document Threats 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats 6. Rate the Threats Document Threat Target Risk Attack Techniques Countermeasure Leave Risk Blank Input test plan

46 Threat modeling - DREAD DREAD: Damage potential what s the extent of the damage if this vulnerability was to be exploited Reproducibility how well can the finder reproduce the issue Exploitability difficulty of taking advantage of the flaw for malicious purpose Affected users how many or what type of users are affected by the flaw Discoverability how fast can it be publicly be discovered DREAD is used to analyze the risk of discovered vulnerabilities

47 Document Threats (Step 5) Description Target Risk Attack Techniques Countermeasures Attacker obtains credentials User Auth process Sniffer Use SSL to encrypt channel Injection of SQL commands Data Access Component Append SQL to user name Validate user name Parameterized stored procedure for data access

48 Rate Threats 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System Rate Risk Order by Risk Address/test in order Use DREAD 4. Identify the Threats 5. Document the Threats 6. Rate the Threats Risk s Exposure = Probability * Damage Potential

49 Attack Vector in a Threat Tree Theft of Auth Cookies OR AND AND Unencrypted Connection Eavesdropping Cross-Site Scripting XSS Vulnerability Cookies travel over unencrypted HTTP Attacker uses sniffer to monitor HTTP traffic Attacker possesses means and knowledge Application is vulnerable to XSS attacks

50 Attack vectors for web applications Parameter Tampering Cookie Tampering Cross-site Scripting SQL Injection Script Injection Command Injection Encoding Attacks Buffer Overflows Format-string attacks Harvesting User IDs Brute-forcing Accounts Path Truncation Attacks Hidden Path Discovery Application Directory and File Mapping Forceful Browsing Source Code Disclosure Web server vulnerability exploitation

51 Threat Modeling 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats 6. Rate the Threats Structured analysis aimed at: Finding infrastructure vulnerabilities Evaluating security threats Identify countermeasures Originated from software development security threat analysis

52 Identify Assets 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats 6. Rate the Threats What do you need to protect? Confidential data Orders Customers Web Pages Availability What is important?

53 Threat modeling - STRIDE Threats can be classified using the STRIDE classification: Spoofing lying about identity Tampering Destroying data Repudiation Cleaning the steps of an attack/denying a transaction Information Disclosure Stealing valuable private data Denial of Service Stopping an application from providing its basic functionality Escalation of Privileges Executing code with stolen high privileges Whenever discovering threats the analyst will always think about STRIDE elements

54 Decomposition (Step 3) Forms Authentication URL Authorization Web Server Trust Database Server Bob Alice Bill Firewall IIS ASP.NET Login Main State DPAPI Windows Authentication

55 Identify Threats 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats Use STRIDE to identify threats Use categorized threat lists Network Host Application 6. Rate the Threats

56 Architecture Diagram (Step 2) Asset #1 Asset #2 Asset #3 Web Server Database Server Bob Alice Bill Firewall IIS ASP.NET Login Main State Asset #4 Asset #5 Asset #6

57 Decompose Application 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats Identify trust boundaries Identify data flow Identify entry points Identify privileged code Document the security profile Architecture & Design Review 6. Rate the Threats

58 Create Architecture Overview 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats Identify what the application does Create an architecture diagram Identify the technologies used 5. Document the Threats 6. Rate the Threats

59 Security Test Checklist You need an EXPERIENCED TESTER Create a threat model and a test plan Web application testing <> penetration testing Do not rely ONLY on automated web application security scanners Source code of the web application HELPS Have a Security Tester Toolbox

60 Online Checklist OWASP = Open Web Application Security Project - Web Application Penetration Checklist v1.1 from OSSTMM = Open Source Security Testing Methodology Manual

61 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples

62 Objectives Define security testing Best practices to execute security tests Discover some tools that you can use Testing is not the silver bullet

63 Agenda Objectives Security Test Checklist Risk assessment Source code review Tools Some examples