Ken De Souza KWSQA, April 2016 V. 1.0

Presentation transcript:

The bare minimum you should know about web application security testing in 2016
Ken De Souza, KWSQA, April 2016, v1.0

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control.
Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html


GET https://[redacted]


Source: https://youtu.be/Nt33m7G_42Q

Short URLs Considered Harmful for Cloud Services
Example short URLs: http://1drv.ms/1xNOWV7, http://bit.ly/Wn2Xdz, https://goo.gl/Ir2vAQ

Scan revealed over 270000 publicly accessible OneDrive documents. A similar scan of 100,000,000 random 7-character bit.ly tokens yielded URLs to 1,000,000 publicly accessible OneDrive documents, much of which contained private information.

Around 7% of the OneDrive folders discovered in this fashion allow writing. This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware. Microsoft's virus scanning for OneDrive accounts is trivial to evade (for example, it fails to discover even the test EICAR virus if the attacker goes to the trouble of compressing it). Furthermore, OneDrive "synchronizes" account contents across the user's OneDrive clients. Therefore, the injected malware will be automatically downloaded to all of the user's machines and devices running OneDrive.

Source: https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/

Before September 2015, short goo.gl/maps URLs used 5-character tokens. Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions.

This topic is HUGE.
Doing this from my experiences...
Not talking about: secure coding, infrastructure, SDLC.
I'm trying to keep this talk as someone who has been through a few 'audits' (customer initiated, typically).
Note: we always passed because… security is like disaster recovery, it's a lifestyle… not something you need to do when you need to do it.

Agenda:
Common terminology
Learn something about the threats
Demos of tools
Explain the risks to stakeholders
Where to go next

Small companies don’t have $$$ to spend on all the latest tools, like BurpSuite, etc. There are excellent tools. The tools don’t replace thinking.

"security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black and white problem. This isn't just a talk.
Source: https://news.ycombinator.com/item?id=11323849

Source: http://www.amanhardikar.com/mindmaps/webapptest.html

This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.

The Tools
STRIDE (identification)
DREAD (classification)
OWASP Top 10 (attack vectors)
Wireshark / tcpdump (network analysis)
OWASP ZAP (application analysis)
MS Threat Modeling (communication)

STRIDE (identification tool): Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege

STRIDE threat type and the security control it maps to:
Spoofing: Authentication
Tampering: Integrity
Repudiation: Non-Repudiation
Information disclosure: Confidentiality
Denial of service: Availability
Elevation of privilege: Authorization

Spoofing: illegally access and use another user's credentials, such as username and password.
Tampering: maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
Repudiation: illegal operations in a system that lacks the ability to trace the prohibited operations.
Information disclosure: read a file that one was not granted access to, or read data in transit.
Denial of service: threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
Elevation of privilege: threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
Source: https://www.owasp.org/index.php/Application_Threat_Modeling

DREAD (classification tool): Damage, Reproducibility, Exploitability, Affected users, Discoverability
Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx

Developer point of view…
DREAD parameter: rating, rationale
Damage Potential: 5, an attacker could read and alter data in the product database.
Reproducibility: 10, can reproduce every time.
Exploitability: 2, easily exploitable by automated tools found on the Internet.
Affected Users: 1, affects critical administrative users.
Discoverability: (no rating shown), affected page "admin.aspx" easily guessed by an attacker.
Overall Rating: 3.8
Classification tool. Sources: https://msdn.microsoft.com/en-us/library/aa302419.aspx and https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

Tester point of view…
DREAD parameter: rating, rationale
Damage Potential: 10, an attacker could read and alter data in the product database.
Reproducibility: (no rating shown), can reproduce every time.
Exploitability: (no rating shown), easily exploitable by automated tools found on the Internet.
Affected Users: (no rating shown), affects critical administrative users.
Discoverability: (no rating shown), affected page "admin.aspx" easily guessed by an attacker.
Overall Rating: (not shown)
Classification tool. Sources: https://msdn.microsoft.com/en-us/library/aa302419.aspx and https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

STRIDE / DREAD
OWASP Top 10 (Open Web Application Security Project)
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP TOP 10
A1: Injection, e.g. http://example.com/app/accountView?id='
A2: Broken Authentication and Session Management, e.g. http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
A3: Cross Site Scripting (XSS), e.g. <script>alert('test');</script>
A4: Insecure Direct Object References, e.g. http://example.com/app/accountInfo?acct=notmyacct
A5: Security Misconfiguration, e.g. default admin account enabled; directory listings shown on the site; stack traces shown to users

The second example I gave goes into A4. The first example at the beginning of the talk (the LEAF car) fell directly into A2, A6 and A7; it could have been caught if someone had thought about it.
A2: the application's timeouts aren't set properly, so someone closes a browser and the session isn't invalidated.
A3: input isn't sanitized, thus allowing execution of code.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
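The A1 and A4 examples above share one root cause: the account id from the query string goes straight into the lookup, and nothing ties the row to the caller. This added example (not code from the talk) builds a small in-memory account table with constructed data, shows the slide's `accountView?id='` probe turning into a database error, shows one user reading another's account by guessing its id (the LEAF / imgur pattern), and then the hardened handler that binds the parameter and scopes the query to the authenticated owner.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, int]


def build_db() -> sqlite3.Connection:
    # Constructed in-memory "product database"; stands in for the talk's demo app.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("acct-100", "alice", 4200), ("acct-200", "bob", 15)])
    conn.commit()
    return conn


def account_view_vulnerable(conn: sqlite3.Connection, acct_id: str) -> List[Row]:
    # A1: the query-string value is pasted straight into the SQL text.
    # A4: the row is looked up by id alone; nothing ties it to the caller.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + acct_id + "'"
    return conn.execute(sql).fetchall()


def account_view_hardened(conn: sqlite3.Connection, acct_id: str, current_user: str) -> List[Row]:
    # A1 fix: bound parameter, so the value can never change the statement.
    # A4 fix: the lookup is scoped to the authenticated owner, so guessing
    # someone else's account id yields nothing.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?"
    return conn.execute(sql, (acct_id, current_user)).fetchall()


def quote_probe_breaks_query(conn: sqlite3.Connection) -> bool:
    # The slide's probe, accountView?id=' : a lone quote that surfaces as a
    # database error is the classic sign that user input reaches the SQL parser.
    try:
        account_view_vulnerable(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("probe causes SQL error:", quote_probe_breaks_query(db))
    print("alice reads bob's row (vulnerable):", account_view_vulnerable(db, "acct-200"))
    print("alice reads bob's row (hardened):", account_view_hardened(db, "acct-200", "alice"))
    print("hardened handles the probe quietly:", account_view_hardened(db, "'", "alice"))
```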

OWASP TOP 10
A6: Sensitive Data Exposure, e.g. SSL not being used; Heartbleed; bad programming (Obamacare)
A7: Missing Function Level Access Control, e.g. access areas where you shouldn't be able to access
A8: Cross-Site Request Forgery, e.g. <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
A9: Using Components with known vulnerabilities, e.g. not patching your 3rd party sh*t
A10: Unvalidated redirects and forwards, e.g. http://www.example.com/redirect.jsp?url=evil.com

The first example at the beginning of the talk (the LEAF car) fell directly into A6 and A7; it could have been caught if someone had thought about it.
A8: The application allows a user to submit a state changing request that does not include anything secret. So the attacker constructs a request that will transfer money from the victim's account to the attacker's account, and then embeds this attack in an image request or iframe stored on various sites under the attacker's control (the img tag above).
A9: Rather simple one: https://www.owasp.org/index.php/OWASP_Dependency_Check
A10: The application has a page called "redirect.jsp" which takes a single parameter named "url". The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
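For A10, the fix is to validate the `url` parameter before redirecting. This added example (not code from the talk) is a validator for the `redirect.jsp?url=...` case: it accepts site-relative paths and absolute URLs on an assumed allow-list of hosts (`example.com`, `www.example.com`, constructed for the slide's example) and falls back to `/` for everything else, including the less obvious forms that a naive "starts with /" check lets through.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the slide's example.com application.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def safe_redirect_target(url: str) -> str:
    """Return `url` if it keeps the user on our site, otherwise the fallback path."""
    if not url:
        return FALLBACK
    url = url.strip()
    # Backslashes and control characters: browsers normalise them in ways the
    # server does not expect (e.g. "/\evil.com" is treated as "//evil.com").
    if any(ch == "\\" or ord(ch) < 0x20 for ch in url):
        return FALLBACK
    # Protocol-relative URL ("//evil.com") inherits the scheme and leaves the site.
    if url.startswith("//"):
        return FALLBACK
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s), and only hosts we own. `hostname` strips
        # userinfo, so "https://www.example.com@evil.com" resolves to evil.com.
        if parts.scheme not in ("http", "https"):
            return FALLBACK
        host = (parts.hostname or "").lower()
        return url if host in ALLOWED_HOSTS else FALLBACK
    # Scheme-less input: accept only a site-relative path starting with one "/".
    # A bare "evil.com" (the slide's example) fails this check and falls back.
    return url if url.startswith("/") else FALLBACK


if __name__ == "__main__":
    for candidate in ("/account", "evil.com", "//evil.com", "https://www.example.com@evil.com/"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```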

Vulnerability: tool
A1: Injection: SQLMap or ZAP
A2: Broken Authentication and Session Management: ZAP
A3: Cross Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration: OpenVAS
A6: Sensitive Data Exposure: Your brain…
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery
A9: Using Components with known vulnerabilities
A10: Unvalidated redirects and forwards

Demos: Setup Virtualbox running “OWASP Broken Web Apps” This VM has LOTS of broken web applications that are designed to learn from.

What is Wireshark?
Network packet / protocol analysis tool. Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc.

Basically, if you're doing an audit of your system, you can see all the information that is coming from / going to it, record it and search on it.
Source: http://www.aboutdebian.com/mailfram.gif

Why use Wireshark?
It is a great tool to debug your environment.
It helps to examine potential security problems.

Wireshark: Look at red/yellow lines between systems

Wireshark Demo
Intro into Wireshark. QUESTION: who uses Wireshark? Dev tools on your browser?
Provide my example: I am working at a networking company… it's important to find out what data is being transferred from various devices in the network, so I'm looking at much more than just 80 and 443.
Every packet is captured. Hit a web site. The idea: you can see everything on the wire. If you're on https, you'll need the key (and depending on your company, you might get it for testing purposes). No proxy required.
This is a great tool for not just the dev tools portion, but if you're doing a threat analysis, you can also find out information about what is incoming/outgoing using this (and tcpdump). Search around in there using http, tcp. Explain what I use it for.
SHOW: how to capture packets; display filters; follow the stream/conversation; access to all the protocols.

TCPDump: Look at red/yellow lines between systems

Why use tcpdump?
Use this when you can't use Wireshark. Great for servers.

Example:
tcpdump -lnni eth0 \
    -w dump -s 65535 host web01 \
    and port 80

TCPDump Demo
Lots of stuff is still insecure: SNMP, 3rd party tools. Getting right to the wire and finding out is sometimes the best way to tackle this.
SHOW: limit requests and captures.

What is OWASP ZAP? Find security vulnerabilities in your web applications Can be used both manually and in an automated manner Active/Passive meaning?

Why use ZAP?
Can be used to find many of the top 10 exploits.
Can be quickly integrated into your manual or automated workflow.
Can be used in active or passive mode. Active/Passive meaning?

OWASP ZAP

OWASP ZAP Demo

What is SQLMap? SQL injection tool Takes a lot of the exploits available and automates them Active/Passive meaning?

SQLMap

SQLMap Demo

Threat Modeling - What is it?
A way to analyze and communicate security related problems. This is a much larger topic than we have time for… but I'll give you the basics.
The ability to communicate the threat. This is one way to get buy-in (where there might not be buy-in).

Threat Modeling - Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have the basics to be able to build a model.

The ability to communicate the threat. Now that you have data to show there are vulnerabilities... you need to be able to articulate that to a wider audience. Maybe management, maybe a customer. This tool will help you do that and provide guidance on how to fix issues. This is one way to get buy-in (where there might not be buy-in).

Threat Modeling: Communicating it…

Threat Modeling Step 1: Enumerate
Product functionality
Technologies used
Processes
Listening ports
Process to port mappings
Users, processes that are running
3rd party applications / installations

Product functionality? What does it do? Does a human interact with it? Is there a web interface? REST interface? Is it a SaaS? On prem? Will people upload/submit data to the system?
Technologies used: Linux? Java? Postgres? Spring? Scala? Do you have your security patches applied?
Processes? What's running on these boxes? Who's running them? What ports do they have open? Can anyone access them?
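The "listening ports" and "process to port mappings" items above are the part of Step 1 you can script. This added example (not code from the talk) parses the output of `ss -lntp` on a Linux box into a port-to-process map and flags the listeners bound to a non-loopback address, which are exactly the ones to ask "can anyone access them?" about. The sample output is constructed, not captured from a real host; on a real box you would feed in `ss -lntp` run as root so the Process column is populated.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `ss -lntp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128         127.0.0.1:5432        0.0.0.0:*      users:(("postgres",pid=812,fd=5))
LISTEN  0       4096          0.0.0.0:8080        0.0.0.0:*      users:(("java",pid=1337,fd=42))
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=501,fd=3))
LISTEN  0       128         127.0.0.1:9000        0.0.0.0:*      users:(("node",pid=2200,fd=19))
LISTEN  0       5                [::]:8000           [::]:*      users:(("python3",pid=3105,fd=4))
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# First ("name",pid=N,...) entry of the Process column.
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass
class Listener:
    address: str
    port: int
    process: str
    pid: int

    @property
    def exposed(self) -> bool:
        # Not bound to loopback (0.0.0.0, [::], * or a real IP): reachable from the network.
        return self.address not in LOOPBACK


def parse_ss_listeners(text: str) -> List[Listener]:
    """Turn `ss -lntp` output into Listener records (the Step 1 enumeration)."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:                 # first line is the column header
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")   # "[::]:8000" -> "[::]", "8000"
        match = PROC_RE.search(line)
        if not match:                                  # no process info unless run as root
            continue
        listeners.append(Listener(address, int(port), match["name"], int(match["pid"])))
    return listeners


def port_to_process(listeners: List[Listener]) -> Dict[int, Tuple[str, int]]:
    return {l.port: (l.process, l.pid) for l in listeners}


def exposed_listeners(listeners: List[Listener]) -> List[Listener]:
    # The ports worth asking "can anyone access them?" about.
    return [l for l in listeners if l.exposed]


if __name__ == "__main__":
    found = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    for l in exposed_listeners(found):
        print(f"{l.process}[{l.pid}] listens on {l.address}:{l.port} (network reachable)")
```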

Threat Modeling Step 2: Data flow with boundaries Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx

MS Threat Risk Modeling Tool Demo

Threat Modeling
Using tools like OWASP ZAP, Wireshark, etc., you can build yourself a plan. These tools can help you articulate the risk.

Threat Modeling Can be done at various stages of the SDLC Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study

Other really good tools: nmap, netstat, nslookup, ps, browser dev tools

All these tools, help to answer the question Is your application secure?

Where to go next?

Full disclosure Get a plan together and get your manager to sign off on it. 

Read!

OWASP Testing Guide

Bug bounties
Talk about my example: Decided to pick a vector (A?? with imgur), since I saw some behaviour on my mobile device. Proxied the traffic and looked at it via Wireshark, got the GET command, changed the id and was able to get into private areas. Submitted to imgur.

To conclude…

Be aware and prepare yourself for the worst.
Coming up with a plan is important.
Understanding vectors is important.

Thanks! Some questions for you: In your environment, do you usually test for security related items? Is this part of your every day activities?

References
Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/