Presentation is loading. Please wait.

Presentation is loading. Please wait.

Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd.

Published byEdgar Hunt Modified over 9 years ago

Similar presentations

Presentation on theme: "Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd."— Presentation transcript:

1 Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd

2 Marion McCune  20 Years in IT  Worked with Microsoft products since DOS 3  Director of own security testing company for 3 years  Web Applications, MS products and mobile

3 Introducing Windows Store Apps Background Windows Store Some Apps Security Architecture Microsoft Testing Process Development Environments- HTML, JavaScript.NET Store Requirements and Certifcation Win RT (Windows Runtime)

4 Background

5 The Windows Store

6 Some Apps….

7 Security Architecture  Apps run in a Sandbox  The App Container  Integrity Levels

8 Security Architecture (cont)  Capabilities  Contracts  Broker Process

9 Win RT

10 Development Environments .NET – C# and VB.NET with XAML  C++ with XAML  JavaScript and HTML 59% 5% 36%

11 Store Requirements and Certification  Package up the App and Deploy to the Store  Various requirements – mostly to do with development practices and content  Give it a WACK!!  If it passes WACK it still may fail acceptance for the Store (but they will indicate why)

12 Security Tests BinScope Binary Analyzer Tests  AllowPartiallyTrustedCallersAttribute  /SafeSEH Exception Handling Protection  Data Execution Prevention  Address Space Layout Randomization  Read/Write Shared PE Section  AppContainerCheck  ExecutableImportsCheck  WXCheck Attack Surface Analyzer Secure executable files that have weak ACLs Secure directories that contain objects and have weak ACLs Secure registry keys with weak ACLs Services that allow access to non-administrator accounts and are vulnerable to tampering Services that have fast restarts or might restart more than twice every 24 hours

13 Great, But…..  https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html  Protect the OS  Defeat Malware  App v. User or User v. App?  User A v. User B?

14 Security Testing Windows Store Apps Where are they? Some lessons from another country Testing Approaches Software Setup Web ServicesDecompilation Local Data JavaScript/ HTML

15 Where are they?  C:\Program Files\WindowsApps\  Show hidden files and folders  Go to Security Tab and take ownership  Then take control when prompted  Must be logged in as an Administrator

16 App Packages

17 Some lessons from another Country

18 OWASP Mobile Top Ten Insecure Data Storage Weak Server Side Controls Insufficient Transport Layer Protection Client Side InjectionPoor Authorization and Authentication Improper Session Handling Security Decisions via Untrusted Inputs Side Channel Data Leakage Broken Cryptography Sensitive Information Disclosure

19 Turning it on its head…. Compile with VSMinimize App Capibilities Use File Picker instead of library capabilities Don’t trust remote data Don’t let the web access WinRT Authenticate correctly Validate contentUse HTTPs

20 Testing Approaches  Attacking the Sandbox?  Web Application  Local Data  Decompilation/Code Review  Web Services

21 Software Setup

22

23

24

25 JavaScript/HTML Apps  Really are Web Applications and can be tested as such  Local context versus Web context  Run as a headless version of IE – can be seen in task explorer as ‘wwahost.exe’  Suffer from the typical problems of apps with a good framework  Unlikely (but possible) to get XSS  No more likely or less likely to have other flaws

26

27 Decompilation/Code Review .NET Apps can be trivially decompiled but may be obfuscated  A lot depends on your ability to read the language  Credentials/Keys  Developer Mode  SSL -

28 Bad Coding Practices  Eval, ExecScript, MsAppExecUnsafeLocalFunction

29 Bad Coding Practices  XMLHttpRequest  Untrusted dynamic content var myDiv = document.createElement("div"); myDiv.innerHTML = xhr.responseText document.body.appendChild(myDiv); document.writeln(xhr.responseText);

30 Local Data  Apps can write to C:\users\username\AppData\Packages\appname  LocalState or RemoteState

31 Web Services

32 a' and 1=0/@@version;-- soap:server Server was unable to process request. ---&gt Conversion failed when converting the nvarchar value Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0(X64) June28 2012 08:36:30 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)' to data type int.

33 A little interlude

34 Belt and Braces time….  Enforced Integrity level makes it difficult to modify WindowsApps  Linux to the rescue!  But no….

35 One cool trick  Making a modifiable copy of a store app  Look to see what template the app uses  Create a Visual Studio project with the same template and close it  Delete the js, css and default.htm files from your project and copy in the corresponding files from the real app  Add any resources to the project (eg. Image directory)  Build the app in Visual Studio

36 Conclusion

37 Questions?Answers?Questions?Answers?

Download ppt "Metro (down the Tube) Security Testing Windows Store Apps Marion McCune – ScotSTS Ltd."

Similar presentations

Webgoat.

Webgoat.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Man-In-The-Front Ray Kelly.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Man-In-The-Front Ray Kelly.
DT211/3 Internet Application Development Active Server Pages & IIS Web server.

DT211/3 Internet Application Development Active Server Pages & IIS Web server.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Windows.Net Programming Series Preview. Course Schedule - 2014 CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholder to insert your own image. WEB.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholder to insert your own image. WEB.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google