Lost in Translation: Understanding the Hacker Mindset

Similar documents
FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Where every interaction matters.

elearning for Secure Application Development

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Rational AppScan & Ounce Products

The Top Web Application Attacks: Are you vulnerable?

Columbia University Web Security Standards and Practices. Objective and Scope

Adobe Systems Incorporated

What is Web Security? Motivation

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Application Security Testing. Generic Test Strategy

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Application Penetration Testing

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Magento Security and Vulnerabilities. Roman Stepanov

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Sitefinity Security and Best Practices

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

SAST, DAST and Vulnerability Assessments, = 4

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

05.0 Application Development

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web application security

Passing PCI Compliance How to Address the Application Security Mandates

90% of data breaches are caused by software vulnerabilities.

OWASP Top Ten Tools and Tactics

Cloud Security:Threats & Mitgations

Using Free Tools To Test Web Application Security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Chapter 1 Web Application (In)security 1

CYBER TRENDS & INDUSTRY PENETRATION TESTING. Technology Risk Supervision Division Monetary Authority of Singapore

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

OWASP AND APPLICATION SECURITY

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Web App Security Audit Services

Application Code Development Standards

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

(WAPT) Web Application Penetration Testing

Web Application Report

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Criteria for web application security check. Version

Professional Services Overview

Integrating Security Testing into Quality Control

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Hack Proof Your Webapps

Columbia University Web Application Security Standards and Practices. Objective and Scope

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Enterprise Application Security Workshop Series

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Secure Code Development

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

SQuAD: Application Security Testing

MANAGED SECURITY TESTING

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Thick Client Application Security

Essential IT Security Testing

Attack Vector Detail Report Atlassian

Template for PFI Final Incident Report for Remote Investigations

Application Security Testing

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Secure Web Applications. The front line defense

How To Ensure That Your Computer System Is Safe

Reducing Application Vulnerabilities by Security Engineering

Data Breaches and Web Servers: The Giant Sucking Sound

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Check list for web developers

Information Security Services

Ruby on Rails Secure Coding Recommendations

Web Application Guidelines

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.0.

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Azure Security Notes

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Network Security Audit. Vulnerability Assessment (VA)

More Repeatable Vulnerability Assessment An introduction

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Transcription:

Lost in Translation: Understanding the Hacker Mindset 11710 Plaza America Dr., Ste 520, Reston, VA 20190 www.knowledgecg.com Voice: 703.467.2000 Fax: 703.547.0322 1

Agenda Introductions Secure SDLC Approach Penetration Testing: Real-world Examples Lessons Learned Open Q&A 2

Speaker Bios Paul Nguyen Paul Nguyen, CISSP, CISA, CGEIT, currently serves as the Vice President of Cyber Solutions for Knowledge Consulting Group where he advises federal Chief Information Officers (CIO) and CISOs on various cybersecurity issues. He is also a former software developer in a CMM Level 5 organization, former CISO of the U.S. Court Services and Supervision Agency, and attack/exploitation practitioner with renowned firms such as @stake and Neohapsis. Mr. Nguyen holds a Bachelors and Masters degrees from Carnegie Mellon University. Ryan Stinson Ryan Stinson is the lead for Cyber Assessment Services at Knowledge Consulting Group. The KCG Cyber Assessment Group provides penetration testing, code reviews, secure architecture assessments, web application security testing, and vulnerability research. Mr. Stinson holds a Bachelor of Science in Computer Science, as well as certifications as a Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler and GIAC Certified Penetration Tester. 3

Secure SDLC Approach 4

Where to Begin? Before we even get into development of an application, one must rationalize the various frameworks, standards, best practices, software development methodology, and any drivers that may impact the security posture of the system. The security approach should adapt to the software development methodology chosen and ensure the proper checks and balances are in place. FIPS 199 OWASP Top 10 NIST SP 800-53 rev. 3 Top 25 Common Weakness Enumeration DoD 8500.2 ICD 503... NIST Risk Management Framework DISA Secure Technical Implementation Guide Software Dev. Methodology RAD Waterfall Prototyping RUP Agile... 5

Top 25 CWE and OWASP Top 10 Deeper Look Understanding the Top 25 and OWASP Top 10 provides a basis for understanding how malicious attackers think. Permutations of the vulnerabilities will vary from platform to platform (e.g..net, J2EE, AJAX, etc...). The goal is to provide context for engineers and developers to understand the various mistakes that can be avoided (I ve made the same mistakes as a reformed developer!). Rank ID Name [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4] CWE-352 Cross-Site Request Forgery (CSRF) [5] CWE-285 Improper Access Control (Authorization) [6] CWE-807 Reliance on Untrusted Inputs in a Security Decision [7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [8] CWE-434 Unrestricted Upload of File with Dangerous Type [9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [10] CWE-311 Missing Encryption of Sensitive Data [11] CWE-798 Use of Hard-coded Credentials [12] CWE-805 Buffer Access with Incorrect Length Value [13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [14] CWE-129 Improper Validation of Array Index [15] CWE-754 Improper Check for Unusual or Exceptional Conditions [16] CWE-209 Information Exposure Through an Error Message [17] CWE-190 Integer Overflow or Wraparound [18] CWE-131 Incorrect Calculation of Buffer Size [19] CWE-306 Missing Authentication for Critical Function [20] CWE-494 Download of Code Without Integrity Check [21] CWE-732 Incorrect Permission Assignment for Critical Resource [22] CWE-770 Allocation of Resources Without Limits or Throttling [23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect') [24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm [25] CWE-362 Race Condition 6

Threats to Your Applications Area Input Validation Authentication Authorization Configuration Management Sensitive Data Session Management Cryptography Parameter Manipulation Exception Management Auditing and Logging Threats/Attacks Buffer overflows; Cross-Site Scripting; SQL Injection; Cannonicalization attacks Network eavesdropping; Brute force attacks; Dictionary attacks; Cookie replay attacks; Credential theft Elevation of privilege; Disclosure of confidential data; Data tampering; Luring attacks Unauthorized access to administration interfaces; Unauthorized access to configuration stores; Retrieval of clear text; configuration secrets; No individual accountability; Over privileged process and service accounts Access sensitive data in storage; Network eavesdropping; Information Disclosure Session Hijacking; Session Replay; Man in the Middle Poor key generation or key management; weak or custom encryption Query string manipulation; Form field manipulation; Cookie manipulation; HTTP header manipulation System or Application Details Are Revealed; Denial of service User denies performing an operation; Attacker exploits an application without trace; Attacker covers his tracks 7

Secure Development Lifecycle SDL Prerequisites Project Inception Product Risk Assessments Security Tools & Documentation Management The Security Push Preparation Design Security Requirements Analysis Development Secure Coding Policies Review Release Education & Awareness Define/ Design Best Practices Risk Analysis Secure Testing Policies Final Security Review Process and Technology Review SDL struggles: How do we validate application security throughout the development process How do I incorporate security into our development process How do I measure externally developed applications adhere to a similar process SDL program capability: Do you have the fundamental framework to incorporate security What is are the required phases to address security from initial design through deployment What additional skill set development is required What additional processes can accommodate our current requirements What does a mature SDL process consist of, and what will suit our organization Security Response Planning Product Release Security Response Execution 8

Security Infrastructure Applications Putting the SDL into Action System Development Life Cycle Support Requirements Design Development Testing Maintenance Application Security Requirements Analysis Application Security Design Review Application Code Review Application Penetration Testing/ Vulnerability Assessment Periodic Reviews/ Application Penetration Testing Infrastructure Security Requirements Analysis Infrastructure Security Design Review Infrastructure Configuration Review Penetration Testing/ Vulnerability Assessment Periodic Configuration Reviews/ Infrastructure Penetration Testing Provide guidance and interpretation of security policies and requirements; support development of securityrelated functional and technical requirements Support system security design and assist in the selection of controls that suit the architecture of the system Conduct reviews of modules/components to validate design specifications Support the development of appropriate test cases, scenarios, and procedures to tailor to the specific operating environment; intent is to test functional security requirements Support analysis of continuous monitoring results and recommend technical enhancements to continue to improve security posture 9

Requirements Analysis Key Considerations Understand the threat environment and potential pitfalls (Top 25 CWE/OWASP) FIPS 199 Categorization NIST 800-53 Baseline Requirements: biggest challenge comes from interpreting the requirements within the context of the architecture Review your agency s policies, standards, and Enterprise Architecture to ensure proper alignment Security s Role Conduct threat modeling prior to requirements phase (understand what threat scenarios you re concerned about) Providing enough interpretation and expertise in defining the proper security requirements (understanding the malicious mindset to prevent the mistakes) Injecting the proper security requirements within the context of the architecture 10

Design Considerations Area Input Validation Authentication Authorization Guidelines Don t trust input; validate input: length, range, format and type; constrain, reject, sanitize input Use strong password policies; Don t store credentials; Encrypt communication channels to secure authentication tokens; use HTTPs only with Forms cookies Use least privilege accounts; Consider granularity of access; Enforce separation of privileges Configuration Management Sensitive Data Session Management Parameter Manipulation Exception Management Cryptography Auditing and Logging Use least privileged service accounts; Don t store credentials in plaintext; Use strong authentication and authorization on administrative interfaces; Don t use the LSA; avoid storing sensitive information in the web space Don t store secrets in software; Enforce separation of privileges; Encrypt sensitive data over the wire; Secure the channel Partition site by anonymous, identified and authenticated; reduce the timout; avoid storing sensitive data in Session; Secure the channel Don t trust fields the client can manipulate (Query string, Form fields, Cookie values, HTTP headers) Use structured exception handling (try-catch); Only catch and wrap exceptions if the operation adds value/information; Don't reveal sensitive system or app info; Don't log private data (passwords... etc.) Don t roll your own; XOR is not encryption; RNGCryptoServiceProvider for random numbers; Avoid key management (use DPAPI); Cycle your keys identify malign or malicious behavior; know your baseline (what does good traffic look like); instrument to expose behavior that can be watched (the big mistake here is typically app instrumentation is completely missing) 11

Development Identify Source Code to be Reviewed Choose a threat path. Start with highest risk. If critical processing modules identified, review those modules first. Identify source code modules for components on the threat path Identify source code for utility classes and functions used by modules on the threat path Review code for known classes of problems Arbitrary code injection: buffer overflows and format string attacks Race conditions Inadequate privilege checking Canonicalization issues Error handling Information leakage Script injection Cryptographic implementation errors Code Review Toolkit Source Code Analyzers provide developers with the ability to conduct unit testing for security vulns Examples: Fortify, Ounce Labs, Parasoft and even open source 12

Stack Overflow example The size of the string copied into a buffer exceeds its size What happens when argv[1] has a length greater than 7? #include <string.h> // for strcpy int main(int argc, char *argv[]) { char buff[8]; strcpy( buff, argv[1] ); return 1; } Buffers on heap can be exploited as well. 13

Testing Key Considerations Choose a comprehensive approach to include all components: Web App Pen. Testing Infrastructure Pen. Testing SOA Application Pen Testing Testing should occur as early as possible to provide time for remediation Make sure the rules are established for the testing (put a Rules of Engagement in place) Security s Role Simulation of threat vectors and attack scenarios identified during threat modeling Identification of attacks that could compromise the system or data Documentation of the vulnerabilities and risks Providing recommendations to support remediation 14

Penetration Testing: Real-World Examples 15

Overview of the Application Penetration Test System Information 4-tier J2EE Internet-facing Web Application Apache JBOSS Windows Server 2008 MS SQL Server 2008 Contains highly sensitive information related to personally identifiablee information (PII) Development timeframe was 6 months start to finish Leveraged a COTS product as the core with custom development to meet the agency s functional requirements Our Objectives Provide security subject matter expertise to support all phases of the SDLC and integrate into the development project plan Obtain an Authorization to Operate (ATO) for the new system as required under FISMA Ensure risks are identified as early in the SDLC as possible to minimize the cost of potential vulnerabilities later in the SDLC Conduct final Security Assessment using Application Penetration Testing techniques and infrastructure vulnerability assessment 16

Anatomy of an attack The attack strategy used by professional white hat and black hat purposes follows five significant and noteworthy stages, culminating in the discovery and possible removal of sensitive data, including PII. Open Source Intel Public Accessibility Privilege Escalation Data-centric Exploitation Data Exfiltration Identification of potential client-side targets Spear phishing preparation Review of social network profiles Email address harvesting Identification of publicly accessible services Service fingerprinting Public vulnerability research Network profiling Development environment exploitation Application layer vulnerabilities VPN password guessing Malicious authorized users Authorized client compromise Exploitation of internal vulnerabilities Network spidering Expand access Database exploitation Credential Intercept Man-in-themiddle attacks Mainframe attacks Credential Reuse Data harvesting Removal of data from the interior network Transmit externally via SMTP, HTTPS 17

Anatomy of an attack The attack strategy used by professional white hat and black hat purposes follows five significant stages, culminating in the discovery and possible removal of sensitive data, including PII. 18

Input Validation Am I properly handling user input? What if I inject "'" or 1=1;-- into the Search box Something isn t right looks like insufficient scrubbing of my input and definitely wasn t expecting it Top 25 CWE CWE-732: Incorrect Permission Assignment for Critical Resource OWASP Category A6 - Security Misconfiguration or Category A4 - Insecure Direct Object References 19

Error Handling Giving Us Way Too Much Information Building on the last step we re getting SQL fragments. Sign of a SQL Injection Top 25 CWE CWE-209: Information Exposure Through an Error Message CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') OWASP Category A6 - Security Misconfiguration Category A1 - Injection 20

SQL Injection Can I get to the data I want? Let s test how far I can get with this SQL Injection and test the limits Couple things here...the application logic from the search box kept interpreting spaces as separate search terms. To pull this off we had to create a SQL query with no spaces in it How d I accomplish that I used SQL comment characters /**/ Simple test against SQL Server to pull the server information. Here s the injection string 'UNION/**/ALL/**/SELECT/**/1,36,@@version,'1','1','1', 1,'1';-- Look mom no spaces! In fairness, they used PreparedStatements which means variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver. However, all queries should be parameterized and not passed directly to the query which is why this was possible: PreparedStatement prepstmt = con.preparestatement("select * FROM user WHERE userid = '+strusername+'"); Top 25 CWE CWE-209: Information Exposure Through an Error Message OWASP Category A6 - Security Misconfiguration 21

Access Control How deep do I go? Building on the last step I know a couple of things: The Search box is available without authentication yet I still have access to SQL Server system tables Indication the access control model is broken This function should not have read/write/update/delete access to any tables outside of the table it needs and even then should only be read access Common mistake is to think hackers will never get that far back to even touch the database Top 25 CWE CWE-732: Incorrect Permission Assignment for Critical Resource OWASP Category A6 - Security Misconfiguration or Category A4 - Insecure Direct Object References 22

Local File Inclusion Top 25 CWE CWE-98: Improper Control of Filename for Include OWASP Category A8 Failure to Restrict URL Access 23

Clear-text Passwords But it s only on my internal network Looks like we can traverse to the web.xml and pull out cleartext passwords Top 25 CWE CWE-311: Missing Encryption of Sensitive Information OWASP Category A8 - Insecure Cryptographic Storage 24

Full Compromise! There goes my data The injection string 'UNION/**/ALL/**/SELECT/**/1, ssn, ssn,null,null, first_name,1,null/**/from/**/peoples_pii;-- Here s Johnny!!! We used test data to simulate the SSN. In the end, I want to make off with the information and all I had to do was dump it to the Search results page and I m home free Went right through an HTTPS port without even being seen every firewall has those ports open (although an application firewall may have caught this) 25

Lessons Learned 26

What d we learn from this experience You can t possibly predict every possible permutation of a vulnerability This exploitation scenario was possible due to multiple vulnerabilities tied together There was clear intent to implement security but somewhere in the middle things got Lost in Translation between security and the development team Where do we go from here Better education to help developers (I used to be one) understand the potential threat scenarios and attack paths and have the hacker mindset Application security continues to evolve with the technology but the general principles remain the same We (security and IT) must continually work together and improve our processes and technologies to mitigate these risks (I promise security is not there to be a complete PITA ) 27

Contact Us Paul Nguyen, Vice President, Cyber Solutions Paul.nguyen@knowledgecg.com Phone: (703) 467-2000 x108 Mobile: (571) 722-7083 Ryan Stinson, Lead Assessment Engineer Ryan.stinson@knowledgecg.com Phone: (703) 467-2000 Mobile: (703) 600-9388 Knowledge Consulting Group (KCG) 11710 Plaza America Dr., Ste 520 Reston, VA 20190 Voice: 703.467.2000 Fax: 703.547.0322 http://www.knowledgecg.com 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information