Vulnerability Analysis – Part 2 RK Shyamasundar IIT Bombay
Outline
• Software Security
– Buffer Overflow
– Buffer Overflow mitigation techniques
– Finding vulnerabilities
– Mitigation techniques
• Web Application Security
– Web content security: SSL
– Phishing attacks
– Side-channel attacks
– OWASP Top 10 (top 3)
– Best practices
Recap: Security Properties
Primary:
• Confidentiality
• Authentication
• Freshness
• Availability
• Non-repudiation
• Integrity
Secondary:
• Scalability
• Cost
• Usability
• Privacy
• Trust anchor/hierarchy
• State availability: on/off-line
A practitioner of security engineering has to juggle the properties above and find an acceptable balance, with well-documented risks and assumptions.
HTTPS/SSL (Padlock & notion of Trust)
Successful SSL = padlock
Padlock = layman’s icon for session security*
Getting into the details of a server certificate
Leaf-CA
Intermediate-CA
Root-CA
Certificate Details: Key’s Usage
Certificate Details: Cert’s Usage
Certificate Details: Cert Extension SAN
Certificate Details: Cert Extension CRL, OCSP
SSL Protocol
Broken padlock = ?
Interesting Read … (2 days ago) http://wrd.cm/2oEULr3
DNS, SMTP, HTTP
Security cannot be thought in isolation
Attacks on SSL
• CRIME attack [Qualys]
• What is the problem?
– The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then she will be able to extract the unknown data from it.
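An added illustration (not from the slides) of the leak described above: attacker-controlled text and a secret cookie share one DEFLATE stream, so the size on the wire shrinks when the injected text overlaps the secret, and the size alone tells the two guesses apart; with compression off, the sizes are identical, which is why the mitigation is to stop compressing secret-bearing data. The request line, cookie name and cookie value are constructed values.

```python
import zlib

# Constructed sample: the secret the server places in every stream.
# The cookie name and value are made up for this illustration.
SECRET_COOKIE = b"Cookie: sessionid=7f3a9c2e1b4d"


def wire_size(injected: bytes, compress: bool = True) -> int:
    """Bytes on the wire for one request that echoes attacker-controlled
    text next to the secret cookie, with or without DEFLATE applied first
    (what TLS/SPDY compression did before encryption)."""
    stream = b"GET /?q=" + injected + b" HTTP/1.1\r\n" + SECRET_COOKIE + b"\r\n"
    return len(zlib.compress(stream)) if compress else len(stream)


def leak_bytes(overlapping: bytes, unrelated: bytes, compress: bool = True) -> int:
    """Wire-size difference between an injected string that repeats the
    secret and one of the same length that does not. Positive means an
    observer of ciphertext lengths can tell the two apart; zero means the
    length carries no information about the secret."""
    return wire_size(unrelated, compress) - wire_size(overlapping, compress)


if __name__ == "__main__":
    good = b"sessionid=7f3a9c2e1b4d"   # overlaps the secret
    bad = b"sessionid=ZYXWVUSRQONM"    # same length, no overlap
    print("leak with compression   :", leak_bytes(good, bad, compress=True), "bytes")
    print("leak without compression:", leak_bytes(good, bad, compress=False), "bytes")
```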
Information Leakage
Other reading …
• Side channel leaks in Web applications [S&P 2010]
• Sidebuster [CCS 2010]
Improper Configuration & Error Handling
Data Leakage/Privacy/Credential Theft
• http://www.mi.com/in/hdindex/choosePro/index.html?pro=IN_REDMI3S&_1475044200
• URL submission variables
• https://account.xiaomi.com/pass/auth/sns/home?userId=1617339665
Information leakage
Type of webserver: incorrect configuration of the webserver
Attacker concentrates on a specific set of vulnerabilities!
View Source: continue exploring
This webserver type is different from the previous webserver. What does this tell me? (Either directory mapping, NFS, or a webserver proxy feature is in place.)
Continue directory traversal
Two webservers offering same content!
Automate the process
• Use open-source/professional tools
• Limitation: known vulnerabilities only
• 0-days: not covered
How should a bank protect its data if everything is SSL ized?
SSL Proxy References
1. https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
2. https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
Nessus Vulnerability Scanner: Dashboard
Nessus Vulnerability Scanner: Event Notification
Payloads!
Code injection attack
• Code Injection is the general term for attack types that consist of injecting code which is then interpreted/executed by the application.
• This type of attack exploits poor handling of untrusted data. These attacks are usually made possible by a lack of proper input/output data validation, for example of:
– allowed characters (standard regular expression classes or custom)
– data format
– amount of expected data
Code injection attack
• These vulnerabilities can range from very hard to find to easy to find
• If found, they are usually moderately hard to exploit, depending on the scenario
• If successfully exploited, the impact can cover loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability
Input validation is necessary!
Preventive Techniques
• Despite the best efforts of application developers to detect and rectify bugs/vulnerabilities, there is no guarantee that the application will remain secure in the future.
• One may use application firewalls to reduce the application's exposure to unauthorized users:
– ModSecurity (Apache)
– AppSensor (OWASP)
Growth of Threat: Growth in the tools available (2004!)
[Chart: number of hacker tools per year, y-axis 0 to 25,000, x-axis 1980 to 2004. Source: PestPatrol.com]
Categories: Binder, Carding, Cracking Tool, Flooder, Key Generator, Mail Bomber, Mailer, Misc Tool, Nuker, Packer, Password Cracker, Password Cracking Word List, Phreaking Tool, Port Scanner, Probe Tool, Sniffer, Spoofer, Trojan, Trojan Creation Tool, Virus Creation Tool, Virus Source, Virus Tutorial, War Dialer
Application Security tollgates in SDLC (iterative approach)
[Figure: security tollgates placed above the artifact of each SDLC phase]
Tollgates: security requirements → design review and risk analysis → code review and static analysis (tools) → risk-based security tests → penetration testing
Artifacts: requirements and use cases → design → code → test plans → test results → field feedback
References
• https://www.metasploit.com/
• http://valgrind.org/
• https://www.coverity.com/
• http://www.arachni-scanner.com/
• http://www.openvas.org/
• http://www.tenable.com/
• https://www.rapid7.com/products/nexpose/
• https://en.wikipedia.org/wiki/Application_security
• https://portswigger.net/burp/
• https://sourceforge.net/projects/paros/
• http://www.binaryanalysis.org/en/home
• http://bitblaze.cs.berkeley.edu
• https://www.veracode.com/products/static-analysis-sast/binary-code-analysis
• http://angr.io/
• https://cyberpedia.in/manual-sql-injection-by-the-help-of-firebug/
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• https://www.modsecurity.org/
For the curious ones!
• Availability of services vs Denial of Services
– Akamai & “Krebsonsecurity.com”: https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
• https://projectshield.withgoogle.com/public/
Additional reading …
OWASP top 10 Open Web Application Security Project Don’t stop at 10
SQL Injection – Illustrated
Query built by the application: SELECT * FROM accounts WHERE acct='' OR 1=1 --'
Attacker's form input: acct=' OR 1=1 --
[Figure: the HTTP request passes the firewall to the web server and app server (custom code on a hardened OS) in the application layer; the SQL query reaches the accounts DB table, and the account records come back in the HTTP response. Other application-layer components shown: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing.]
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Avoiding SQL Injection Flaws
Recommendations
• Avoid the interpreter entirely, or
• Use an interface that supports bind variables (e.g., prepared statements, or stored procedures)
• Bind variables allow the interpreter to distinguish between code and data
• Encode all user input before passing it to the interpreter
• Always perform ‘white list’ input validation on all user supplied input
• Always minimize database privileges to reduce the impact of a flaw
References
• For more details, read the OWASP SQL Injection Prevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
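An added example (not from the lecture) tying the code-injection and input-validation slides to the recommendations above: the slide's concatenated accounts query beside a bind-variable version and an allow-list check, run against a constructed in-memory SQLite table. The four-digit account-number format used for the allow-list is an assumption made for this example.

```python
import re
import sqlite3

# Constructed stand-in for the slide's "accounts" table.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, acct: str) -> list:
    """String concatenation, as on the slide: the SQL interpreter cannot tell
    where the data ends and the code begins, so ' OR 1=1 -- rewrites the query."""
    query = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return db.execute(query).fetchall()


def lookup_safe(db: sqlite3.Connection, acct: str) -> list:
    """Bind variable: the value travels separately from the statement text and
    is never parsed as SQL, so the same payload simply matches no row."""
    return db.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


# Assumed account-id format for the allow-list (exactly four digits).
ACCT_RE = re.compile(r"[0-9]{4}")


def is_valid_acct(acct: str) -> bool:
    """Allow-list validation on characters, format and length in one test."""
    return ACCT_RE.fullmatch(acct) is not None


def lookup_validated(db: sqlite3.Connection, acct: str) -> list:
    """Defence in depth: reject bad input before it reaches the interpreter,
    then still use the bind variable."""
    if not is_valid_acct(acct):
        raise ValueError("invalid account id")
    return lookup_safe(db, acct)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("bound     :", lookup_safe(db, payload))         # no row
    print("validated :", is_valid_acct(payload), is_valid_acct("1002"))
```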
HTTP is a stateless protocol
Recommend
More recommend