Security Testing Of (Web) Applications – Erwin Geirnaert, Security Innovation

Knowing What's Right, Doing What's Wrong

Feb 14, 2017

Transcript
Page 1: Knowing What's Right, Doing What's Wrong

Security Testing Of (Web) Applications

Erwin Geirnaert

Security Innovation

Page 2: Knowing What's Right, Doing What's Wrong

Erwin Geirnaert – Security Innovation BVBA

[email protected] +32478289466

Security Testing of (web) applications

SECURITY INNOVATION BVBA

Page 3: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples

Page 4: Knowing What's Right, Doing What's Wrong

Some examples

• Parameter tampering

• Cross-site-scripting

• Hidden fields

Page 5: Knowing What's Right, Doing What's Wrong

Parameter Tampering

Page 6: Knowing What's Right, Doing What's Wrong

Parameter Tampering - Example

Page 7: Knowing What's Right, Doing What's Wrong

Parameter Tampering - Example

Page 8: Knowing What's Right, Doing What's Wrong

Parameter Tampering - Example

Page 9: Knowing What's Right, Doing What's Wrong

Parameter tampering

Page 10: Knowing What's Right, Doing What's Wrong

Parameter tampering

Page 11: Knowing What's Right, Doing What's Wrong

Cross-site-scripting

• Insert JavaScript in input fields to steal cookies, manipulate forms, ...

• Vulnerable applications: forums, search, user login, ...

• To test:

<script>alert(document.cookie)</script>

• XSS Cheat-sheet: http://ha.ckers.org/xss.html
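An added example (not from the slides): the probe above turned into a repeatable test case, run against a toy search handler that reflects its input verbatim and against the same handler with HTML output encoding. Both handlers are assumed stand-ins for a real page.

```python
import html
from urllib.parse import parse_qs, quote

# The probe from the slide: if it comes back unencoded, script runs in the victim's browser.
XSS_PROBE = "<script>alert(document.cookie)</script>"

def vulnerable_search(query_string: str) -> str:
    """Toy search page that reflects parameter q verbatim: the bug under test."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for " + q + "</h1>"

def hardened_search(query_string: str) -> str:
    """Same page with HTML output encoding on the reflected value: the fix."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for " + html.escape(q, quote=True) + "</h1>"

def run_test_case(render, probe: str = XSS_PROBE) -> dict:
    """Security test case: send the probe as parameter q and report whether
    the raw markup is reflected (vulnerable) or comes back encoded (passed)."""
    response = render("q=" + quote(probe))
    return {"vulnerable": probe in response, "response": response}

if __name__ == "__main__":
    for page in (vulnerable_search, hardened_search):
        result = run_test_case(page)
        print(page.__name__, "VULNERABLE" if result["vulnerable"] else "passed")
```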

Page 12: Knowing What's Right, Doing What's Wrong

Hidden fields

Page 13: Knowing What's Right, Doing What's Wrong

Hidden field manipulation

Page 14: Knowing What's Right, Doing What's Wrong

Hidden field manipulation

Page 15: Knowing What's Right, Doing What's Wrong

Demo

• WebGoat

Page 16: Knowing What's Right, Doing What's Wrong

References

• Tech-Ed 2004 – Designing in Security

• OWASP – AppSec Europe 2005 - Tools of the Trade: AppSec Assessment Tools

Page 17: Knowing What's Right, Doing What's Wrong

That’s it…

• Any Questions?

Thank you!

Erwin Geirnaert

[email protected]

+32(0)478 28 94 66

Page 18: Knowing What's Right, Doing What's Wrong

Hidden fields

Page 19: Knowing What's Right, Doing What's Wrong

Security Tester Toolbox

• Tools are just a way of manipulating web applications

• They are no silver bullet; a lot of false positives can be the result of an automated scan

• They can be really expensive

• They can be useful

• You need to learn how to use them and what the limitations are

• Internet Explorer can do the job, and for free

Page 20: Knowing What's Right, Doing What's Wrong

Tools

Tools that can help:

• Static Analysis Tools

• Dynamic Analysis Tools

• Application Vulnerability Scanners

• Other Tools

Page 21: Knowing What's Right, Doing What's Wrong

Static analysis tools

• Source code scanners crawl your source tree to discover possible errors at the code level

• Strengths

– Finding logical errors

– Finding security errors

• Weaknesses

– Runtime errors

– False positives

– False sense of security

• Examples

– Klocwork inSpect

– Coverity SWAT

– Lint

Page 22: Knowing What's Right, Doing What's Wrong

Dynamic analysis tools

• Dynamic Analysis tools watch the application while it is running to find possible errors.

• Strengths

– Finding errors that may surface at runtime

– Code Coverage

– Performance Analysis

• Weaknesses

– Difficult to execute every code path

– Difficult to find many security problems

• Examples

– Compuware

– Code Coverage tools

– Perf analysis tools

Page 23: Knowing What's Right, Doing What's Wrong

Tools in the past

• 4 years ago, a limited list of free tools:

– Achilles: local proxy

– @Stake WebProxy: local proxy & fuzzer, in Java

– WebSleuth: plugin for IE, raw requests

– Whisker: vulnerability scanner

– Nikto: vulnerability scanner

– Nessus: didn’t include web vulnerabilities yet

– But they did the job, only it required more time....

Page 24: Knowing What's Right, Doing What's Wrong

Commercial Fault Injection Test Tools

1. SPI Dynamics WebInspect
2. Sanctum now Watchfire AppScan
3. Kavado Scando
4. AppSecInc AppDetective for Web Apps
5. Cenzic Hailstorm
6. NT Objectives NTOSpider
7. Acunetix Web Vulnerability Scanner 2
8. Compuware DevPartner Fault Simulator
9. Fortify Pen Testing Team Tool
10. @stake Web Proxy 2.0
11. Burp Intruder
12. Sandsprite Web Sleuth
13. MaxPatrol 7
14. Syhunt Sandcat Scanner & Miner
15. TrustSecurityConsulting HTTPExplorer
16. Ecyware BlueGreen Inspector
17. NGS Typhon
18. Parasoft WebKing (more QA-type tool)

Page 25: Knowing What's Right, Doing What's Wrong

Application vulnerability scanners

• Application Vulnerability Scanners test your application through known avenues of attack.

• Strengths

– Help to ensure your application is not vulnerable to known attack vectors

– Find some security vulnerabilities

• Weaknesses

– Web Applications only

– Still in their infancy

• Examples

– Kavado Scando

– SPI Dynamics WebInspect

Page 26: Knowing What's Right, Doing What's Wrong

Other tools

• Hex Editors

– Allow a tester to view binary data in an editable hexadecimal/ASCII representation

– Can search for clear text passwords, or sections containing high amounts of entropy which could lead to the discovery of encrypted data or hashes.

• Debuggers

– Allow a tester to view memory space, stack, and machine instructions while the application is running.

– Can be used to help exploit buffer overruns, discover clear text or encrypted data while in memory.

Page 27: Knowing What's Right, Doing What's Wrong

OWASP - WebScarab

• Java based: download stand-alone JAR and runtime

• HTTP Proxy

• Client-certificates

• Session analysis

• Raw request

• Spider

• Custom plugins: BeanShell

Page 28: Knowing What's Right, Doing What's Wrong

OWASP – WebScarab - Interceptor

Page 29: Knowing What's Right, Doing What's Wrong

WebScarab – Raw Request

Page 30: Knowing What's Right, Doing What's Wrong

WebScarab - Spider

Page 31: Knowing What's Right, Doing What's Wrong

WebScarab – SessionID Analysis

Page 32: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples

Page 33: Knowing What's Right, Doing What's Wrong

WebScarab – Transcoder

Page 34: Knowing What's Right, Doing What's Wrong

WebScarab – SessionID Analysis

Page 35: Knowing What's Right, Doing What's Wrong

Open Source or Freeware Fault Injection Test Tools

1. WebScarab (HTTPush, Exodus)
2. Paros Proxy
3. Burp Spider
4. Burp Proxy
5. SPIKE Proxy
6. SPIKE
7. Achilles Proxy
8. Odysseus Proxy
9. Webstretch Proxy
10. Absinthe 1.1 (formerly SQLSqueal)
11. NGS SQL Injection Inference Tool (BH Europe 2005)
12. Internet Explorer HTMLBar Plugin
13. Firefox LiveHTTPHeaders and Developer Tools
14. Sensepost Wikto (Google cached fault-finding)
15. Foundstone Sitedigger (Google cached fault-finding)

Page 36: Knowing What's Right, Doing What's Wrong

Source code review

• Identify vulnerabilities from the code

• Requires good eyes

• Source code scanners can help

• How to test for this backdoor?

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Class wrapper added so the slide's method compiles; the backdoor is the method body as on the slide.
public class BackdoorExampleServlet extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Hard-coded "magic" value: whoever sends it gets the admin path. It never appears
        // in any page or response, so a black-box scanner has nothing to find it with.
        String magic = "sf8g7sfjdsurtsdieerwqredsgnfg8d";
        boolean admin = magic.equals(request.getParameter("magic"));
        if (admin) doAdmin(request, response);
        else { /* .... normal processing */ }
    }
}
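One answer to "how to test for this backdoor?" is a source-level check rather than a scan. As an added example (not from the slides), a small Lint-style heuristic that flags any request parameter compared against a long hard-coded string constant; the Java sample it runs over is the slide's servlet plus one ordinary parameter check, constructed here.

```python
import re

# Constructed sample: the servlet from the slide, plus one ordinary parameter check that must not be flagged.
JAVA_SOURCE = '''\
public void doPost(HttpServletRequest request, HttpServletResponse response)
{
    String magic = "sf8g7sfjdsurtsdieerwqredsgnfg8d";
    boolean admin = magic.equals(request.getParameter("magic"));
    if (admin) doAdmin(request, response);
    String action = request.getParameter("action");
    if ("list".equals(action)) listItems(request, response);
}
'''

# String constants assigned in the source: name -> literal value.
STRING_CONSTANT = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
# <constant>.equals(request.getParameter("<name>"))
PARAM_COMPARE = re.compile(r'(\w+)\.equals\(\s*request\.getParameter\(\s*"(\w+)"\s*\)\s*\)')

def find_magic_parameters(source: str, min_len: int = 16) -> list:
    """Flag request parameters compared against a long hard-coded string.
    A scanner only sees the HTTP surface and never learns the value, so this
    kind of backdoor is found by reading the code, not by fault injection."""
    constants = dict(STRING_CONSTANT.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for var, param in PARAM_COMPARE.findall(line):
            value = constants.get(var)
            if value is not None and len(value) >= min_len:
                findings.append({"line": lineno, "parameter": param,
                                 "constant": var, "value_length": len(value)})
    return findings

if __name__ == "__main__":
    for f in find_magic_parameters(JAVA_SOURCE):
        print(f"line {f['line']}: parameter '{f['parameter']}' compared to constant "
              f"'{f['constant']}' ({f['value_length']} chars)")
```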

Page 37: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples

Page 38: Knowing What's Right, Doing What's Wrong

Risk assessment

• Identify your risks and test for the threats

• Existing methodologies:

– OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation – www.cert.org/octave

– Simplified security risk analysis

– Threat modeling

Page 39: Knowing What's Right, Doing What's Wrong

Threat modeling

“You cannot test a system until you understand the threats”

Threat modeling is the design activity to discover the threats that your application is susceptible to.

Threat modeling yields both threats and vulnerabilities and provides ways to perform security testing in order to prioritize the security fixes needed.

Page 40: Knowing What's Right, Doing What's Wrong

Threat modeling - Definitions

Threats are possible attacks. Vulnerabilities are security related software errors:

• A threat is what an attacker might try to do to an asset or through an entry point

• A vulnerability is a specific security exploit due to an unmitigated threat path

Page 41: Knowing What's Right, Doing What's Wrong

Test Plan

• The test plan will contain the test cases

• A test case consists of:

– Test Case number

– The possible attacks

– Details and tools

– Expected result

Page 42: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples

Page 43: Knowing What's Right, Doing What's Wrong

STRIDE: Examples

Type of Threat – Examples

Spoofing

• Forging Email Message

• Replaying Authentication

Tampering

• Altering data during transmission

• Changing data in database

Repudiation

• Delete critical data and deny it

• Purchase product and deny it

Information disclosure

• Expose information in error messages

• Expose code on web site

Denial of Service

• Flood web service with invalid request

• Flood network with SYN

Elevation of Privilege

• Obtain Administrator privileges

• Use assembly in GAC to create acct

Page 44: Knowing What's Right, Doing What's Wrong

Threat Tree

[Figure: threat tree. Reconstructed from the slide's node labels; the pairing of leaves under the two AND gates follows the order in which the nodes appear]

Inside Attack Enabled – Attack domain controller from inside (OR)

  AND: SQL Injection – An application doesn’t validate user’s input and allows evil texts
       Dev Server – Unhardened SQL server used by internal developers

  AND: Messenger Xfer – Novice admin uses an instant messenger on a server
       Trojan Soc Eng – Attacker sends a trojan masquerading as network util

Page 45: Knowing What's Right, Doing What's Wrong

Document Threats

• Document

– Threat Target

– Risk

– Attack Techniques

– Countermeasure

• Leave Risk Blank

• Input test plan

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 46: Knowing What's Right, Doing What's Wrong

Threat modeling - DREAD

DREAD:

• Damage potential – what’s the extent of the damage if this vulnerability was to be exploited

• Reproducibility – how well can the finder reproduce the issue

• Exploitability – difficulty of taking advantage of the flaw for malicious purpose

• Affected users – how many or what type of users are affected by the flaw

• Discoverability – how fast can it be publicly discovered

• DREAD is used to analyze the risk of discovered vulnerabilities

Page 47: Knowing What's Right, Doing What's Wrong

Document Threats (Step 5)

Columns: Description – Target – Risk – Attack Techniques – Countermeasures

Threat 1

– Description: Attacker obtains credentials

– Target: User Auth process

– Risk: (left blank)

– Attack Techniques: Sniffer

– Countermeasures: Use SSL to encrypt channel

Threat 2

– Description: Injection of SQL commands

– Target: Data Access Component

– Risk: (left blank)

– Attack Techniques: Append SQL to user name

– Countermeasures: Validate user name; Parameterized stored procedure for data access

Page 48: Knowing What's Right, Doing What's Wrong

Rate Threats

• Rate Risk

• Order by Risk

• Address/test in order

• Use DREAD

Risk’s Exposure = Probability * Damage Potential

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats
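An added example (not from the slides) of step 6 applied to the two threats documented in step 5: each row carries DREAD scores, the Risk column is filled from the slide's Exposure = Probability * Damage Potential formula, and the test plan is ordered by that value. The scores and the way the five DREAD factors are split into a probability and a damage potential are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    """One row of the 'Document Threats' table, plus DREAD scores (1 = low, 10 = high)."""
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Plain DREAD rating: mean of the five factors."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def probability(self) -> float:
        """Assumed mapping: how likely the attack is, from R, E and D (0..1)."""
        return (self.reproducibility + self.exploitability + self.discoverability) / 30

    def damage_potential(self) -> float:
        """Assumed mapping: how bad it is, from damage and affected users (0..10)."""
        return (self.damage + self.affected_users) / 2

    def risk_exposure(self) -> float:
        """Slide 48: Risk's Exposure = Probability * Damage Potential."""
        return self.probability() * self.damage_potential()

# Constructed scores for the two threats documented on slide 47 (the slide leaves Risk blank).
THREATS = [
    Threat("Attacker obtains credentials", "User Auth process", "Sniffer",
           "Use SSL to encrypt channel", 8, 9, 6, 9, 7),
    Threat("Injection of SQL commands", "Data Access Component", "Append SQL to user name",
           "Validate user name; parameterized stored procedure", 10, 10, 7, 10, 8),
]

def rate_threats(threats):
    """Step 6: fill in the Risk column and order the test plan by exposure, highest first."""
    return sorted(threats, key=lambda t: t.risk_exposure(), reverse=True)

if __name__ == "__main__":
    for t in rate_threats(THREATS):
        print(f"{t.risk_exposure():5.2f}  DREAD={t.dread_score():.1f}  {t.description} -> {t.countermeasure}")
```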

Page 49: Knowing What's Right, Doing What's Wrong

Attack Vector in a Threat Tree

[Figure: threat tree. Reconstructed from the slide's node labels; the pairing of leaves under the two AND gates follows the order in which the nodes appear]

Theft of Auth Cookies (OR)

  AND: Unencrypted Connection – Cookies travel over unencrypted HTTP
       Eavesdropping – Attacker uses sniffer to monitor HTTP traffic

  AND: Cross-Site Scripting – Attacker possesses means and knowledge
       XSS Vulnerability – Application is vulnerable to XSS attacks
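An added example (not from the slides) that evaluates the AND/OR trees of slides 44 and 49 mechanically: given the facts an assessment has established, it reports whether the root threat is reachable, which branches are the live attack vectors to test, and which single countermeasure would close the tree. The tree below is slide 49; the branch names are assumed, since the slide only shows gates.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:
    label: str
    gate: str = "LEAF"                      # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)

def holds(node: Node, facts: set) -> bool:
    """A leaf holds when its condition is an established fact; AND needs all children, OR needs one."""
    if node.gate == "LEAF":
        return node.label in facts
    results = [holds(c, facts) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)

def enabled_vectors(root: Node, facts: set) -> list:
    """Branches under the root that are fully satisfied: the attack vectors to put in the test plan."""
    return [c.label for c in root.children if holds(c, facts)]

def single_countermeasures(root: Node, facts: set) -> list:
    """Facts whose removal alone (one countermeasure) leaves the root threat unreachable."""
    return sorted(f for f in facts if not holds(root, facts - {f}))

# Slide 49 tree, reconstructed from its node labels. Branch names are assumed; the slide shows only OR/AND gates.
COOKIE_THEFT = Node("Theft of Auth Cookies", "OR", [
    Node("Sniff cookies on the wire", "AND", [
        Node("Cookies travel over unencrypted HTTP"),
        Node("Attacker uses sniffer to monitor HTTP traffic"),
    ]),
    Node("Steal cookies through XSS", "AND", [
        Node("Attacker possesses means and knowledge"),
        Node("Application is vulnerable to XSS attacks"),
    ]),
])

if __name__ == "__main__":
    # Constructed assessment findings: site serves HTTP, no XSS found yet.
    facts = {"Cookies travel over unencrypted HTTP",
             "Attacker uses sniffer to monitor HTTP traffic",
             "Attacker possesses means and knowledge"}
    print("threat reachable:", holds(COOKIE_THEFT, facts))
    print("enabled vectors:", enabled_vectors(COOKIE_THEFT, facts))
    print("single fixes that close it:", single_countermeasures(COOKIE_THEFT, facts))
```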

Page 50: Knowing What's Right, Doing What's Wrong

Attack vectors for web applications

Parameter Tampering

Cookie Tampering

Cross-site Scripting

SQL Injection

Script Injection

Command Injection

Encoding Attacks

Buffer Overflows

Format-string attacks

Harvesting User IDs

Brute-forcing Accounts

Path Truncation Attacks

Hidden Path Discovery

Application Directory and File Mapping

Forceful Browsing

Source Code Disclosure

Web server vulnerability exploitation

Page 51: Knowing What's Right, Doing What's Wrong

Threat Modeling

• Structured analysis aimed at:

– Finding infrastructure vulnerabilities

– Evaluating security threats

– Identifying countermeasures

– Originated from software development security threat analysis

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 52: Knowing What's Right, Doing What's Wrong

Identify Assets

• What do you need to protect?

– Confidential data

– Orders

– Customers

– Web Pages

– Availability

• What is important?

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 53: Knowing What's Right, Doing What's Wrong

Threat modeling - STRIDE

Threats can be classified using the STRIDE classification:

• Spoofing – lying about identity

• Tampering – Destroying data

• Repudiation – Cleaning the steps of an attack / Denying a transaction

• Information Disclosure – Stealing valuable private data

• Denial of Service – Stopping an application from providing its basic functionality

• Escalation of Privileges – Executing code with stolen high privileges

Whenever discovering threats, the analyst will always think about STRIDE elements

Page 54: Knowing What's Right, Doing What's Wrong

Decomposition (Step 3)

[Figure: decomposition diagram. Elements shown: users Bob, Alice and Bill; a firewall; an IIS / ASP.NET Web Server with pages Login, State and Main; a Database Server; a trust boundary; security mechanisms labelled Forms Authentication, URL Authorization, DPAPI and Windows Authentication]

Page 55: Knowing What's Right, Doing What's Wrong

Identify Threats

• Use STRIDE to identify threats

• Use categorized threat lists

– Network

– Host

– Application

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 56: Knowing What's Right, Doing What's Wrong

Architecture Diagram (Step 2)

[Figure: architecture diagram. Elements shown: users Bob, Alice and Bill; a firewall; an IIS / ASP.NET Web Server with pages Login, State and Main; a Database Server; assets labelled Asset #1 to Asset #6 placed on the components]

Page 57: Knowing What's Right, Doing What's Wrong

Decompose Application

• Identify trust boundaries

• Identify data flow

• Identify entry points

• Identify privileged code

• Document the security profile

– Architecture & Design Review

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 58: Knowing What's Right, Doing What's Wrong

Create Architecture Overview

• Identify what the application does

• Create an architecture diagram

• Identify the technologies used

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 59: Knowing What's Right, Doing What's Wrong

Security Test Checklist

You need an EXPERIENCED TESTER

Create a threat model and a test plan

Web application testing <> penetration testing

Do not rely ONLY on automated web application security scanners

Source code of the web application HELPS

Have a Security Tester Toolbox

Log everything

Page 60: Knowing What's Right, Doing What's Wrong

Online Checklist

• OWASP = Open Web Application Security Project - Web Application Penetration Checklist v1.1 from www.owasp.org

• OSSTMM = Open Source Security Testing Methodology Manual – www.osstmm.org

Page 61: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples

Page 62: Knowing What's Right, Doing What's Wrong

Objectives

• Define security testing

• Best practices to execute security tests

• Discover some tools that you can use

• Testing is not the silver bullet

Page 63: Knowing What's Right, Doing What's Wrong

Agenda

• Objectives

• Security Test Checklist

• Risk assessment

• Source code review

• Tools

• Some examples