1
The bare minimum you should know about web application security testing in 2016. Ken De Souza, KWSQA, April 2016, v. 1.0
2
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control.
3
4
GET https://[redacted]
6
GET https://[redacted]
7
Source: https://youtu.be/Nt33m7G_42Q
8
http://1drv.ms/1xNOWV7 http://bit.ly/Wn2Xdz https://goo.gl/Ir2vAQ
Short URLs Considered Harmful for Cloud Services. Scan revealed over publicly accessible OneDrive documents. A similar scan of 100,000,000 random 7-character bit.ly tokens yielded - URLs to 1,000,000 publicly accessible OneDrive documents, much of which contained private information. Around 7% of the OneDrive folders discovered in this fashion allow writing. This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware. Microsoft’s virus scanning for OneDrive accounts is trivial to evade (for example, it fails to discover even the test EICAR virus if the attacker goes to the trouble of compressing it). Furthermore, OneDrive “synchronizes” account contents across the user’s OneDrive clients. Therefore, the injected malware will be automatically downloaded to all of the user’s machines and devices running OneDrive.
9
Before September 2015, short goo.gl/maps URLs used 5-character tokens.
Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions.
10
This topic is HUGE. Doing this from my experiences...
Not talking about: secure coding, infrastructure, SDLC. I’m trying to keep this talk as someone who has been through a few ‘audits’, typically customer-initiated. Note: we always passed because… security is like disaster recovery, it’s a lifestyle, not something you need to do only when you need to do it.
11
Common terminology. Learn something about the threats. Demos of tools. Explain the risks to stakeholders. Where to go next.
12
Small companies don’t have $$$ to spend on all the latest tools, like BurpSuite, etc. There are excellent tools. The tools don’t replace thinking.
13
"security, just like disaster recovery, is a lifestyle, not a checklist" This is not a black and white problem This isn’t just a talk Source:
15
Source: http://www.amanhardikar.com/mindmaps/webapptest.html
16
This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
17
The Tools:
STRIDE (identification)
DREAD (classification)
OWASP Top 10 (attack vectors)
Wireshark / tcpdump (network analysis)
OWASP ZAP (application analysis)
MS Threat Modeling (communication)
18
STRIDE (identification tool): Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
19
Threat type and the security control that addresses it:
Spoofing: Authentication
Tampering: Integrity
Repudiation: Non-Repudiation
Information disclosure: Confidentiality
Denial of service: Availability
Elevation of privilege: Authorization
Definitions:
Spoofing: illegally accessing and using another user’s credentials, such as username and password.
Tampering: maliciously changing or modifying persistent data, such as data in a database, or altering data in transit between two computers over an open network such as the Internet.
Repudiation: performing illegal operations in a system that lacks the ability to trace the prohibited operations.
Information disclosure: reading a file that one was not granted access to, or reading data in transit.
Denial of service: a threat aimed at denying access to valid users, such as by making a web server temporarily unavailable or unusable.
Elevation of privilege: a threat aimed at gaining privileged access to resources in order to gain unauthorized access to information or to compromise a system.
20
DREAD (classification tool): Damage, Reproducibility, Exploitability, Affected users, Discoverability
21
Developer point of view…
DREAD parameter, rating and rationale:
Damage Potential: 5. An attacker could read and alter data in the product database.
Reproducibility: 10. Can reproduce every time.
Exploitability: 2. Easily exploitable by automated tools found on the Internet.
Affected Users: 1. Affects critical administrative users.
Discoverability: Affected page “admin.aspx” easily guessed by an attacker.
Overall Rating: 3.8
22
Tester point of view…
DREAD parameter, rating and rationale:
Damage Potential: 10. An attacker could read and alter data in the product database.
Reproducibility: Can reproduce every time.
Exploitability: Easily exploitable by automated tools found on the Internet.
Affected Users: Affects critical administrative users.
Discoverability: Affected page “admin.aspx” easily guessed by an attacker.
Overall Rating:
23
STRIDE / DREAD (Open Web Application Security Project)
24
OWASP Top 10 (Open Web Application Security Project)
25
OWASP TOP 10
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross Site Scripting (XSS): <script>alert('test');</script>
A4: Insecure Direct Object References
A5: Security Misconfiguration: default admin account enabled; directories shown on site; stack traces shown to users
The second example I gave goes into A4. The first example at the beginning of the talk (the LEAF car) fell directly into A2, A6 and A7. Could have been caught, if someone had thought about it.
A2: Application’s timeouts aren’t set properly… someone closes a browser and the session isn’t invalidated.
A3: input isn’t sanitized, thus allowing execution of code.
26
OWASP TOP 10
A6: Sensitive Data Exposure: SSL not being used; Heartbleed; bad programming (Obamacare)
A7: Missing Function Level Access Control: access areas where you shouldn’t be able to access
A8: Cross-Site Request Forgery: <img src=" width="0" height="0" />
A9: Using Components with known vulnerability: not patching your 3rd party sh*t
A10: Unvalidated redirects and forwards
The first example at the beginning of the talk (the LEAF car) fell directly into A6 and A7. Could have been caught, if someone had thought about it.
A8: The application allows a user to submit a state changing request that does not include anything secret. For example: So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control:
A9: Rather simple one:
A10: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
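The A10 case above is what a server-side check on a redirect.jsp-style “url” parameter has to get right. The following is an added example, not code from the talk: it resolves the requested target the way a browser would and only allows it if the result stays on the application’s own origin. APP_ORIGIN, the host names and the function names are assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Added example for the A10 case above: an endpoint like redirect.jsp?url=...
# must only send the browser to the application's own origin. APP_ORIGIN and
# the function names are assumptions for illustration, not code from the talk.
APP_ORIGIN = "https://shop.example"


def normalise_redirect(target: str, app_origin: str = APP_ORIGIN):
    """Return an absolute URL on our own origin, or None if target is unsafe.

    Resolves target the way a browser would, then requires the result to keep
    our scheme, host and port. That rejects other hosts, scheme-relative
    "//evil.example", backslash variants browsers treat as "//", userinfo
    tricks ("https://shop.example@evil.example"), non-http schemes such as
    javascript:, and https -> http downgrades.
    """
    target = target.strip()
    if not target or any(ch in target for ch in "\r\n\x00"):
        return None  # empty, or CR/LF/NUL that could split the Location header
    candidate = target.replace("\\", "/")  # browsers normalise \ to /
    resolved = urlsplit(urljoin(app_origin + "/", candidate))
    origin = urlsplit(app_origin)
    try:
        same_port = resolved.port == origin.port
    except ValueError:  # malformed port such as "shop.example:abc"
        return None
    if resolved.scheme != origin.scheme or not same_port:
        return None
    if (resolved.hostname or "").lower() != (origin.hostname or "").lower():
        return None
    # Rebuild from the parsed parts so what we emit is exactly what we checked.
    return urlunsplit(resolved)


def redirect_location(target: str, fallback: str = APP_ORIGIN + "/") -> str:
    """Value for the Location header: the validated URL or a safe fallback."""
    return normalise_redirect(target) or fallback


if __name__ == "__main__":
    # Constructed inputs of the kind a tester would try against redirect.jsp
    for attempt in ["/account", "//evil.example/x", "https://evil.example",
                    "/\\evil.example", "https://shop.example@evil.example/",
                    "javascript:alert(1)", "http://shop.example/"]:
        print(f"{attempt!r:42} -> {normalise_redirect(attempt)}")
```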
27
Vulnerability and tool:
A1: Injection: SQLMap or ZAP
A2: Broken Authentication and Session Management: ZAP
A3: Cross Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration: OpenVAS
A6: Sensitive Data Exposure: Your brain…
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery
A9: Using Components with known vulnerability
A10: Unvalidated redirects and forwards
28
Demos: Setup. VirtualBox running “OWASP Broken Web Apps”. This VM has LOTS of broken web applications that are designed to learn from.
29
What is Wireshark? Network packet / protocol analysis tool. Allows users to capture network traffic from any interface, like Ethernet, Wi-Fi, Bluetooth, USB, etc.
30
Basically, if you’re doing an audit of your system, you can see all the information that is coming/going from it, record it and search on it.
31
Why use Wireshark? It is a great tool to debug your environment. Helps to examine potential security problems.
32
Wireshark: Look at red/yellow lines between systems (Open Web Application Security Project)
33
Wireshark Demo: intro into Wireshark
QUESTION: who uses Wireshark? Dev tools on your browser?
Provide my example: I am working at a networking company… it’s important to find out what data is being transferred from various devices in the network, so I’m looking at much more than just 80 and 443.
Every packet is captured. Hit a web site. The idea: you can see everything on the wire. If you’re on HTTPS, you’ll need the key (and depending on your company, you might get it for testing purposes). No proxy required.
This is a great tool for not just the dev tools portion, but if you’re doing a threat analysis, you can also find out information about what is incoming/outgoing using this (and tcpdump). Search around in there using http, tcp. Explain what I use it for.
SHOW: How to capture packets. Display filters. Follow the stream/conversation. Access to all the protocols.
34
TCPDump: Look at red/yellow lines between systems (Open Web Application Security Project)
35
Why use tcpdump? Use this when you can’t use Wireshark. Great for servers.
36
Example:
tcpdump -lnni eth0 \
  -w dump -s 65535 host web01 \
  and port 80
(-l line-buffered output, -nn no host or port name resolution, -i eth0 the interface to listen on, -w dump write the raw packets to the file “dump”, -s 65535 capture whole packets rather than truncating them; the filter keeps only traffic to or from host web01 on port 80.)
37
TCPDump Demo. Lots of stuff is still insecure: SNMP, 3rd party tools. Getting right to the wire and finding out is sometimes the best way to tackle this. SHOW: limit requests and captures.
38
What is OWASP ZAP? Finds security vulnerabilities in your web applications. Can be used both manually and in an automated manner. Active/Passive meaning?
39
Why use ZAP? Can be used to find many of the Top 10 exploits. Can be quickly integrated into your manual or automated workflow. Can be used in active or passive mode. Active/Passive meaning?
40
OWASP ZAP (Open Web Application Security Project)
44
OWASP ZAP Demo
45
What is SQLMap? SQL injection tool. Takes a lot of the exploits available and automates them.
46
SQLMap (Open Web Application Security Project)
47
SQLMap Demo
48
Threat Modeling: What is it?
A way to analyze and communicate security-related problems. This is a much larger topic than we have time for… but I’ll give you the basics. The ability to communicate the threat. This is one way to get buy-in (where there might not be buy-in).
49
Threat Modeling: Why do this?
To explain to management. To explain to customers. To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model.
The ability to communicate the threat. Now that you have data to show there are vulnerabilities, you need to be able to articulate that to a wider audience, maybe management, maybe a customer. This tool will help you do that and provide guidance on how to fix issues. This is one way to get buy-in (where there might not be buy-in).
50
Threat Modeling: Communicating it… (Open Web Application Security Project)
51
Threat Modeling Step 1: Enumerate
Product functionality
Technologies used
Processes
Listening ports
Process to port mappings
Users
Processes that are running
3rd party applications / installations
Product functionality? What does it do? Does a human interact with it? Is there a web interface? REST interface? Is it SaaS? On prem? Will people upload/submit data to the system?
Technologies used: Linux? Java? Postgres? Spring? Scala? Do you have your security patches applied?
Processes? What’s running on these boxes? Who’s running them? What ports do they have open? Can anyone access them?
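Step 1 asks for listening ports, the processes behind them and whether anyone can reach them. As an added example (not from the talk), the script below turns the output of `ss -lntup` on a Linux box into that inventory and separates loopback-only services from ones bound to every interface; the sample output is constructed, not captured from a real host, and the function names are assumptions.

```python
import re

# Added example for Step 1 above (listening ports and process-to-port mappings).
# SAMPLE_SS_OUTPUT is constructed `ss -lntup` output, not captured from any real
# host; the function names are assumptions for illustration, not the talk's code.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=640,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1203,fd=5))
tcp   LISTEN 0      511    *:8080             *:*               users:(("java",pid=2210,fd=47))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output: str):
    """Turn ss -lntup lines into dicts: proto, addr, port, process, pid, exposed."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header or unexpected line
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)  # "[::]:22" -> "[::]", "22"
        match = PROC_RE.search(parts[6]) if len(parts) > 6 else None
        listeners.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "process": match.group(1) if match else "?",  # "?" when ss could not see the owner
            "pid": int(match.group(2)) if match else None,
            # Anything not bound to loopback is reachable from the network
            "exposed": addr not in LOOPBACK,
        })
    return listeners


def reachable_from_network(ss_output: str):
    """Unique (proto, port, process) triples anyone on the network can reach."""
    triples = {(entry["proto"], entry["port"], entry["process"])
               for entry in parse_listeners(ss_output) if entry["exposed"]}
    return sorted(triples)


if __name__ == "__main__":
    # This is the list to carry into the data-flow diagram in Step 2
    for proto, port, proc in reachable_from_network(SAMPLE_SS_OUTPUT):
        print(f"{proto}/{port:<5} {proc}")
```

On the constructed sample, postgres on 127.0.0.1 drops out while sshd, the Java app and snmpd remain, which is exactly the kind of thing (SNMP reachable from the whole network) the tcpdump demo slide is warning about.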
52
Threat Modeling Step 2: Data flow with boundaries
53
MS Threat Risk Modeling Tool Demo
54
Threat Modeling: Using tools like OWASP ZAP, Wireshark, etc., you can build yourself a plan. These tools can help you articulate the risk.
55
Threat Modeling can be done at various stages of the SDLC.
56
Other really good tools: nmap, netstat, nslookup, ps, browser dev tools
57
All these tools help to answer the question: is your application secure?
58
Where to go next?
59
Full disclosure. Get a plan together and get your manager to sign off on it.
60
Read!
61
OWASP Testing Guide. Talk about my example:
Decided to pick a vector (A?? with imgur), since I saw some behaviour on my mobile device. Proxied the traffic and looked at it via Wireshark, got the GET command, changed the id and was able to get into private areas. Submitted to imgur.
63
Bug bounties
64
To conclude…
65
Be aware and prepare yourself for the worst. Coming up with a plan is important. Understanding vectors is important.
66
Thanks! Some questions for you:
In your environment, do you usually test for security-related items? Is this part of your everyday activities?
68
References:
Preventing CSRF with the same-site cookie attribute
Security Ninjas: An Open Source Application Security Training Program
Threat modeling web application: a case study
Chapter 3 Threat Modeling: Understanding The Known
OWASP A9 Using Components With Known Vulnerabilities
Real World Application Threat Modelling By Example
The BodgeIt Store Part 1