- A Gallop Insight The Average security breach can cost a company between $90 and $305 per lost record, according to a new study from forrester research.
Introduction The new age enterprises face a relentless onslaught of security challenges ranging from DDoS attacks, Database compromise, Unauthorized entry, breach of access control, login flaws and vulnerabilities across sessions, multiple authentications, caches etc. Security is one area which needs constant reinforcements, meticulous assessment and a one step ahead approach to minimize the scope of error. Hence, security testing is a combination of offensive procedures backed by CEHs and strategic reviews which block and cement the IT system against threats, inherent as well as directed. Security testing is a combination of attacks like fault injections, assessment of vulnerable areas like the presence of redundant, readable and downloadable files on a web server. The combination of test approach depends on the size, scope and the coverage of the IT system. This white paper is an incorporation of inputs from Gallop s Security Testing team and is designed to help you understand the types of Security Testing, their requirement and the tools that enable testing. In addition, the white paper explains scenarios which affect the security of an IT system. The white paper aims to predict, prevent and address the security issues with testing approaches that improve overall resilience. 55% of IT practitioneerrs lack a formal strategy to govern moving data 61% of organizations say data theft and cybercrime are the greatest threats to thgeri reputation A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 1
Configuration Management Security Testing Software Testing Often analysis of the network infrastructure and web application architecture can reveal good amount of information such as source code, HTTP methods permitted, administrative functionality, authentication methods, infrastructural configurations etc. In present scenarios, complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of servers, makes configuration management review and validation a fundamental step in testing. The application penetration test should include the checking of how infrastructure was deployed and secured. While the application may be secure, a small aspect of the configuration could still be at a default install stage and vulnerable to exploitation. Testing for Configuration Management usually includes Usage of strong cipher algorithm and its proper implementation Security of DB listener port and component web servers, database servers, authentication servers, software versions and its associated vulnerabilities Default configuration of application and its associated vulnerabilities File extension handling configuration Presence of redundant, readable and downloadable files on a web server Admin functionality usage by authorized users Configuration of HTTP methods and its associated vulnerabilities The Average security breach can cost a company between $90 $305 & per lost record, according to a new study from research. List of scanners tools that can identify vulnerabilities related to configurations are as follows- Vulnerability Type Open Source / Free Tools Commercial Tools Application Configuration W3AF, Nessus, Sandcat, Skipfish, arachni, IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Sandcat, Jsky, Weakness oedipus, iscan, N-Stalker, WSTool Netsparker, Grendel Scan, ParosPro, Webcruiser, Web Injection Scanner HTTP Methods and XST Old, Backup and Unreferenced files W3AF, Nessus, Sandcat, arachni, ZAP, Oedipus, Andiparos, Watobo, Jsky, N-Stalker, Skipfish W3AF, ZAP, Syhunt Mini, Wapiti, WATOBO, Andiparos, Paros Proxy IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Sandcat, Jsky, Netsparker, Burpsuite, Vega, Grendel Scan, ParosPro, Paros Proxy, iscan IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 2
Authentication Security Testing Authentication is the process of attempting to verify the digital identity of the sender of a communication. The sender could be user, process or device. A common example of such a process is the logon process but authentication happens every time when we use our computers. Much of the authentication that happens is transparent to the user and handled via computer. Testing the authentication schema means understanding how the authentication process works and use that information to circumvent the authentication mechanism. As a Penetration Tester, it is valuable to be able to gain the trust of a system and bypass security as an authorized entity. The most common method by which people confirm their identity is something they know such as a password. Testing for Authentication usually includes Understand if data travel unencrypted from the web browser to the server The enterprise security infrastructure market Collecting set of valid user names and then trying brute force testing is projected to grow at an approximate Trying default username and password of deployed application / server compoung annual growth rate (CAGR) of Retrieve a valid user account and password by trying to enumerate many 10.9% Bypassing the authentication schema by tampering with requests and tricking the application Flaw the Remember Password and Password Reset functions into 2014 as companies continue to expand the Flaw the logout and caching functions technologies they use to improve their overall security. CAPTCHA validation Evaluating the strength of a Multiple Factors Authentication System like OTP (One Time Password) Testing for race condition, a situation difficult to test for List of scanners tools that can identify vulnerabilities related to authentication are as follows- Vulnera bility Type Open Source / Free Tools C ommercia l Tools Bypassing Authentication Nessus, WebScarab, WebGoat IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider, Grendel Scan Schema A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 3
Session Management Security Testing Authentication and Session Management take care of all aspects of handling user authentication and managing active sessions. HTTP is a stateless protocol and hence even simple logic requires a user s multiple requests to be associated with each other across a session. With regards to web applications, a session is the length of time users spend on a website. It is always advisable to manage authorized sessions duration prudently. The goal of penetration tester is to identify accounts that are permitted access to sessions with high-level privileges and unlimited time to access the web application. Testing for Session Management usually includes Understand the existing Session Management schema 60% Understand if cookies are protected As much as of important Access another user s account through the active session (Session Fixation) corporate data resides on desktop & Retrieving Session Tokens whilst in transit between the Client browser and the application server laptop computers that are not Force an unknowing user to execute unwanted actions (Cross Site Request Forgery) properly protected. List of scanners tools that can identify vulnerabilities related to sessions are as follows- Vulnera bility Type Open Source / Free Tools C ommercia l Tools Session Identifier Complexity Analysis W3AF, Nessus, Sandcat, Jsky, Webscarab Cenzic Hailstorm, NTO Spider, Sandcat, Burpsuite, Grendel Scan A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 4
Authorization Security Testing Authorization is the concept of allowing access to resources only to those permitted to use them. While Authentication is about establishing and verifying user identity, Authorization is about permissions. Is an user allowed to perform the operation it is invoking? Testing for Authorization means understanding how the authorization process works and using that information to circumvent the authorization. Testing for Authorization usually includes Execute a path traversal attack and access reserved information Bypassing the authorization schema User can escalate his / her privilege within the application by himself List of scanners tools that can identify vulnerabilities related to authorization are as follows- Vulnera bility Type Open Source / Free Tools C ommercia l Tools Path Traversal W3AF, IronWASP, ZAP, arachni, SkipFish, Wapiti, Vega, WATOBO, safe3wvs, WebSecurify IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro Privilege Escalation Webscarab IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider Gartner predicts that revenue from security products and related service markets will increase from $55 billion in 2011 to over $71billion by 2014. A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 5
Business Logic Security Testing Business logic can have security flaws that allow a user to do something that isn't allowed by the business. For example, Can a user make a purchase for a negative amount of money? Attacks on the business logic of an application are dangerous, difficult to detect and are usually specific to the application. This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester. There are no scanners tools that can identify vulnerabilities related to business logic as it is more context driven. Data Validation Security Testing One security weakness that leads to almost all of the vulnerabilities in web application such as XSS, SQL Injection etc. is erroneous data from external entity. The data from external entity can be tampered with by an attacker or unknowingly given by user and hence it is important to filter and sanitize all input data by the application before it is trusted and processed. Data Validation testing is the task of testing all possible form of input, to understand if the application scrutinize all data correctly or not. Data Validation testing usually includes Make victim loading the offending URI (Reflected Cross-site Scripting) Store malicious code into the web page (Stored Cross-site Scripting) Controlling a DOM element (DOM Cross-site Scripting) Vulnerabilities like DOM based Cross-site Scripting in flawed Flash application Injection of SQL query via the input data (SQL Injection) Manipulating input parameters and passed to internal search, add and modify functions (LDAP Injection) Inject a particular XML document into the application (XML Injection) Inject code into HTML pages (SSI Injection) Inject data into the application so that it executes user-controlled XPath queries (XPath Injection) Inject arbitrary IMAP/SMTP commands into the mail servers (IMAP / SMTP Injection) Inject into the application data that will be later executed by web server (Code Injection) Inject an OS command through an HTTP request (OS Commanding) Understand different types of buffer overflow vulnerabilities HTTP splitting and HTTP smuggling A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 6
List of scanners tools that can identify vulnerabilities related to data input from external entities are as follows- Vulnera bility Type Open Source / Free Tools C ommercia l Tools Buffer Overflow W3AF, Nessus, Sandcat IBM AppScan, WebInspect, Accunetix, Sandcat Format String W3AF, Nessus IBM AppScan, WebInspect, Cenzic Hailstorm, Skipfish, Vega Code Injection Sandcat, arachini, Uber Web Security Scanner IBM AppScan, Cenzic Hailstorm, Acunetix, SandcatCS, Skipfish, Netsparker DOM Based Cross Site W3AF, Watobo, arachini IBM AppScan, Cenzic Hailstorm, Acunetix, NTO Spider Scripting HTTP Splitting / Smuggling WebGoat, W3AF, Nessus, SandcatCS, arachini, IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Wapiti, ZAP, PowerFuzzer, Andiparos, Paros Proxy, Acunetix, NTOSpider, Sandcat Pro, Jsky, Netsparker, Web Securify, WebScarab Burpsuite, Vega, Grendel Scan, ParosPro IMAP/SMTP Injection W3AF, Sandcat CS IBM AppScan, Acunetix, Sandcat LDAP Injection W3AF, SandcatCS, arachini, Wapiti, Power Fuzzer, IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Uber Web Security Scanner Acunetix, Sandcat Pro, Jsky, Burp Suite OS Commanding W3AF, Nessus, Sandcat, arachni, Wapiti, PowerFuzzer, Oedipus IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Sandcat, Skipfish, Jsky, Netsparker, Burpsuite, Vega Reflected Cross Site Scripting W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, Paros Proxy, Oedipus, Uber Web Security Scanner, WebCruiser Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, Acunetix WVS, WebScarab, N-Stalker, XSSer, Gamja, Secubat, A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 7
List of scanners tools that can identify vulnerabilities related to data input from external entities are as follows- Vulnera bilit y Type Open Source / Free Tools C ommercia l Tools SQL Injection W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, Paros Proxy, Oedipus, Uber Web Security Scanner, WebCruiser Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, SQLiX, sqlmap, Gamja, Mini Mysqlator, Secubat, WSTool, DSSS, aidsql, Scrawlr, LoverBoy, SQLID, VulnDetector, openacunetix, Priamos, Gamja, Secubat, XCobra, safe3wvs, iscan SSI Injection W3AF, Nessus, ZAP, Andiparos, Paros Proxy, Proxy IBM AppScan, WebInspect, Cenzic Hailstorm, ParosPro Strike Stored Cross Site Scripting W3AF, Nessus, Wapiti, PowerFuzzer, XSSploit IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Skipfish, Netsparker, BurpSuite XML Injection Nessus, Uber Web Security Scanner IBM AppScan, Skipfish, BurpSuite, Vega Xpath Injection W3AF, SandcatCS, Sandcat, arachni, Wapiti, Powerfuzzer, WebCruiser IBM AppScan, WebInspect, Acunetix, Skipfish, Sandcat, Jsky, WebCruiser Cross Site Scripting Unvalidated Redirects and Forwards W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Vega W3AF, IronWASP, ZAP, arachni, Skipfish IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, QualysGuard WAS, Netsparker, ScantoSecure, N- Stalker A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 8
Denial of Service Security Testing One of the most common and simplest forms of attack on a system is Denial of Service (DoS) attack. This attack does not attempt to intrude to the system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. DoS attacks can be on individual machines, on the network that connects the machines or all the machines simultaneously. It is based on the fact that any device has operational limits. Any computer system, web server or network can handle a finite load and simply overloading the system with requests will block serving the requests of legitimate users. In this section, focus will be attacks against availability that can be launched by just one malicious user on a single machine. Denial of Service (DoS) testing usually includes - Forcing the underlying database to carry out CPU intensive queries by using several wildcards Locking valid user accounts by repeatedly attempting to log in with a wrong password Causing DoS attack by overflowing one or more data structure of the target application Exhaust server resources by making it allocate a very high number of objects Force the application to loop through a code segment that needs high computing resources Fill the target disks by log data Understand if application properly releases resources (memory or files) after their usage Allocate big amount of data into a user session object List of scanners tools that can identify vulnerabilities related to DoS attack are as follows- Vulnerability Type Open Source / Free Tools C ommercial Tools Regular Expression Denial W3AF, Nessus, Wapiti, safe3wvs, WebInspect of Service WebSecurify According to Gartner one laptop is stolen every 53 seconds. A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 9
Web Service Security Testing Web services are exposed to net like any other service but can be used on HTTP, FTP, SMTP and MQ among other transport protocols. The Web Services Framework utilizes the HTTP protocol in conjunction with XML, SOAP, REST, WSDL and UDDI technologies. The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure and leakage but Web Services also have unique XML / parser related vulnerabilities. Web service security testing usually includes - Understand the Web service entry point and the communication schema Invoke an operation that is not used in a standard SOAP Request Sending very large or malformed XML messages Attack the Web service by passing malicious content on the HTTP GET string Attach binary files (executables, malware etc.) to Web service if it accepts attachments Conduct man-in-the-middle of the attack List of scanners tools that can identify vulnerabilities related to web services are as follows- Vulnerability Type Open Source / Free Tools C ommercial Tools XML Content Level WebScarab, Metasploit - XML Structural Webscarab - 50% of organizations reported laptop or mobile device theft in 2007. A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 10
AJAX Security Testing AJAX uses XMLHttpRequest object and JavaScript to make asynchronous requests to the web server, parsing the responses and then updating the page DOM and CSS. AJAX application is more complicated because processing is done on both the client side and the server side. This complexity is avoided by having framework but that also result in situations where developers do not fully understand where the code will execute, and can lead to a situation where it is difficult to properly assess the risk associated with particular applications or features. AJAX applications have same vulnerabilities like SQL injection, data validation etc. that a traditional web application can have. In addition, AJAX application can be vulnerable to new classes of attack such as Cross Site Request Forgery (XSRF). Testing AJAX applications can be challenging due to different encoding or serialization scheme used by developers while submitting POST data and make it difficult for testing tools to reliably create automated test requests. The use of web proxy tool is extremely helpful for analyzing the traffic. List of scanners tools that can identify vulnerabilities related to AJAX are as follows- Vulnerability Type Open Source / Free Tools C ommercial Tools OWASP Sprajax, safe2wvs, Acunetix, Hailstorm, WebInspect, Watchfire, N-Stalker, Grabber, IBM AJAX Vulnerabilities Sandcat, W3AF AppScan, Jsky, Netsparker, NTOSpider, ParosPro, Sandcat 75% of IT risks impact customers satisfaction and brand reputation A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 11
Disclaimer: This white paper is issued for information only. Gallop declines all responsibility for any errors and any loss or damage resulting from use of the contents of this White Paper. Gallop also declines responsibility for any infringement of any third party's Intellectual Property Rights but will be pleased to acknowledge any IPR and correct any infringement of which it is advised. About the White Paper: At Gallop, innovation is a continuous endeavor to ensure the best services in every engagement. As part of the Security Testing R&D, Gallop consolidates and communicates information that enriches Software Testing as a discipline. The content is an incorporation of inputs and observations from Security Testing experts and business leaders with cross vertical experience in addressing some of the most complex and most gigantic software testing challenges. While the white paper details the standard procedures of Security testing, the procedures mentioned in the white paper have been simplified to cater to a wider audience for general reference. For more details write to contact@gallop.net About Gallop Gallop is a Pure play Independent Testing Services company since 2003. Gallop has 150+ career testers across North America. In addition to Propriety Testing IP (ETAS) for enhanced productivity, Gallop has Partnerships & Alliances with leading Test Tool vendors. Gallop has a strong Executive Management Team with proven experience which has led us to become a Trusted QA Partner for leading ISVs and Enterprises. A Gallop Insight Gallop proprietary & confidential. Not for public distribution www.gallop.net 12