Jay Rasband - Senior IT Security Auditor


28 Oct 2013


Jay Rasband - Senior IT Security Auditor
Sean Clifford - IT Auditor
Arizona Office of the Auditor General


- Understand what web applications are and how they impact your organizations and audits
- Develop a basic understanding of web application security concerns
- Introduction to a web application testing methodology


Agenda
- Background
- Identification/Assessment of Web Apps
- Audit Scope
- Auditing Methodology
- Audit Recommendations


What is a web application?
- Application that allows users to retrieve and interact with data through a web browser.

How it works
- Complex coding with authentication and database transactions (ColdFusion, ASP, JSP, PHP, JavaScript)
- Interpreted language - series of executable statements that utilize original program code and user input



[Diagram: the external environment (User) is separated from the internal environment (Web App, Database) by a security layer (Firewall, IDS/IPS)]


Why significant to audits?
- Organizations have converted legacy mainframe and database systems into dynamic web applications
- Easiest and most direct route to the internal network
- Web application software: notoriously full of vulnerabilities, poor security track record

Legacy Systems
- Database
- Client-side app

1995 - JavaScript
- Client-side scripting
- Embedded scripts

1999 - Web Apps
- No client-side app necessary
- Data accessible from web browser


Publicity
- Security concerns attract media attention to Web Apps



[Chart: Most Common Vulnerabilities (percentage of all websites with vulnerabilities); bars for XSS, Information Leakage, Brute Force and SQL Injection, values as extracted 61%, 54%, 52%, 47%]







Statistics
- Web App vulnerabilities represent 41% of all security disclosures in 2011.
- XSS vulnerabilities are identified in 55% of websites.
- SQL injection exploits have the highest severity level (sensitive data).
- SQLi vulnerabilities exploitable without authentication in 5% of websites.


Examples
- amazon.com
- aztaxes.gov
- servicearizona.com
- procure.az.gov




Resources
- OWASP: worldwide non-profit organization focused on improving security of web applications
- WebGoat: deliberately insecure web application designed to teach security lessons
- Foundstone: division of McAfee that provides vulnerability management
- Hackme Suite: 6 web-based applications developed to demonstrate common hacking techniques



Test Web Apps
- http://demo.testfire.net (IBM)
- http://crackme.cenzic.com/Kelev/view/home.php (Cenzic)


Scanning Tools

Commercial
- IBM Rational AppScan
- Cenzic Hailstorm
- HP WebInspect

Open Source
- W3af
- Firefox add-ons (XSS Me, SQL Inject Me)
- Foundstone - http://www.mcafee.com/us/downloads/free-tools/index.aspx

Web Proxies
- Fiddler2



Identify all web apps and classify by risk
- Information they contain: public data, financial, health, PII
- Where/how developed: purchased, off-the-shelf; developed in-house, home-grown
- Accessibility: public (www); internal only (intranet)
- Users: limited to specific users/departments; all staff; multiple organizations; public


Determine the audit scope of the Web Apps you’ve selected

Client involvement
- Whitebox: client provides details of systems and equipment related to the Web App (e.g. test accounts, development code, network diagrams, IP addresses, software versions, etc.)
- Blackbox: client provides no or limited information (e.g. URL)
[Diagram: scale from Internals Not Known (blackbox) to Internals Fully Known (whitebox)]

What to test
- URLs of Web App: testing limited to Web App scanners that traverse the website looking for XSS, SQL injection, authentication errors, etc.
- Supporting infrastructure: expanded testing includes network scanning of servers (web, app, DB), routers, and switches for unpatched software, blank passwords, configuration errors
- Linked interfaces or utilities
- Environments: production, development, test, etc.

Depth vs. Breadth of Testing
- Exhaustive testing to identify all vulnerabilities and all instances
- Testing to identify the most significant weakness and demonstrate level of impact

[Diagram: Reconnaissance -> Testing -> Create Findings/Report]


Reconnaissance: determine which tests to perform; results in the audit program
- Step One: Scope application(s), gather info about the application(s)
- Step Two: Fingerprint for additional info
- Step Three: Create site map
- Step Four: Develop audit program



Perform actual testing:
- Notification Letter: scope, tools, timeframe, contacts
- Automated Scans: run automated tools early to point to promising areas
- Validation: try to identify scan results as legitimate or false positives
- Manual Testing: many tests for common weaknesses can be performed without the use of software tools



Look for clues
- Authentication clues (e.g. passwords, IDs)
- Comments re: architecture, design, infrastructure
- Client-side code: usernames, passwords; table & field names for queries

Pass, change, or guess parameters that are displayed in the browser address bar
- http://.../admin.htm - Administration Pages
- http://.../Open&Login - Bypassing Authentication
- http://.../page=2&level=0 - Horizontal/Vertical Escalation
- http://.../quantity=1&price=59.99 - Price and quantity
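What the auditor is probing with the price/quantity and level parameters above is whether the server trusts values that only the browser controls. The following is an added illustration, not code from the slides: a constructed checkout and page handler in the vulnerable form beside the hardened form that takes price from a server-side catalogue and privilege from the session (CATALOG, SESSIONS and the level convention are assumptions).

```python
from decimal import Decimal

# Constructed sample data standing in for the catalogue table and the server-side session store.
CATALOG = {"sku-100": Decimal("59.99")}
SESSIONS = {"sess-alice": {"user": "alice", "level": 1},   # level 1 = ordinary user (assumed convention)
            "sess-admin": {"user": "root", "level": 0}}    # level 0 = administrator (assumed convention)

def vulnerable_checkout(params):
    """Trusts quantity and price exactly as they arrive in the address bar (...quantity=1&price=59.99)."""
    return int(params["quantity"]) * Decimal(params["price"])

def hardened_checkout(params):
    """Price is looked up server-side from the catalogue; only quantity comes from the client,
    and it is bounded. A price parameter in the request is simply ignored."""
    sku = params.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(params.get("quantity", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOG[sku]

def vulnerable_page(params):
    """Reads the privilege level from the URL (...page=2&level=0), so editing one digit changes the view."""
    view = "admin" if params.get("level") == "0" else "user"
    return view + " view of page " + params["page"]

def hardened_page(params, session_id):
    """Privilege level comes from the authenticated session on the server, never from the request."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not authenticated")
    view = "admin" if session["level"] == 0 else "user"
    return view + " view of page " + params["page"]
```

During validation, the finding is confirmed only if the total or the view actually changes when the parameter is altered; the hardened handlers return the same result regardless of what the address bar says.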


Check input fields for susceptibility to cross-site scripting
- Reflective - non-stored input fields, e.g. search, logins
- Persistent - stored input fields, e.g. comment, profile
- Test string: <script>alert("You've been hacked!")</script>
- Practice target: http://www.testfire.net
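The reflective and persistent cases above, as an added example that is not part of the slides: a constructed search page and comment list in their vulnerable form beside the hardened form that HTML-encodes untrusted text, plus the validation check an auditor applies to a scanner hit (the probe is only a true positive when it comes back as live markup).

```python
import html

# Probe string from the slide; a defensible app must never echo it back as live markup.
PROBE = '<script>alert("You\'ve been hacked!")</script>'

def vulnerable_search(term):
    """Reflective case: the search term goes straight from the request into the response."""
    return "<p>Results for: " + term + "</p>"

def hardened_search(term):
    """Same page with the untrusted value HTML-encoded at the point it enters markup."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"

def post_comment(store, text):
    """Persistent case: the text is saved (here in a constructed in-memory list) and shown to every later visitor."""
    store.append(text)

def vulnerable_render_comments(store):
    """Renders stored comments verbatim, so one poisoned comment fires for every reader."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in store) + "</ul>"

def hardened_render_comments(store):
    """Encodes on output; the stored text is unchanged but can no longer become markup."""
    return "<ul>" + "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in store) + "</ul>"

def reflects_unescaped(response_html, probe=PROBE):
    """Validation step from the methodology: a scanner hit is a true positive only when the probe
    comes back byte-for-byte as markup. An encoded echo (&lt;script&gt;...) is the safe, false-positive case."""
    return probe in response_html
```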




Use clues found in previous tests
- Fields that may run queries: search forms, login pages, filtered information
- Test for common injection vulnerabilities, e.g. ' OR '1=1
- Error messages may reveal information!
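Why the quote-based probe above works against some login pages and not others, as an added example that is not from the slides: a constructed SQLite users table queried first by string concatenation and then by a parameterised query, with a login wrapper that shows the difference between a verbose database error and a generic one.

```python
import sqlite3

def make_db():
    """Constructed sample: one users table with a single account (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Builds the statement by concatenation, so user-supplied text becomes part of the SQL itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def hardened_login(conn, username, password):
    """Parameterised query: values are bound by the driver and can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def login_response(conn, login_fn, username, password, verbose_errors):
    """The slide's last point: a raw database error tells the tester which dialect is in use and
    which fragment broke, while the hardened page returns the same generic text for every failure."""
    try:
        return "Welcome" if login_fn(conn, username, password) else "Login failed"
    except sqlite3.Error as exc:
        return ("Error: " + str(exc)) if verbose_errors else "Login failed"
```

The classic probe is `' OR '1'='1` in the password field: the concatenated statement becomes `... AND password = '' OR '1'='1'`, which is true for every row, whereas the bound parameter is compared literally and matches nothing.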


How are passwords assigned?
- New accounts, password reset requests, existing accounts

Look for:
- Predictability, patterns (e.g. default passwords, sequences, numbers)
- Complexity requirements (written policy only or system enforced?)
- Lockout mechanisms
- Client-side authentication
- Informative error messages
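The checklist above asks whether the policy is enforced by the system rather than only written down. As an added example (not code from the slides), this constructed account store enforces complexity in code, locks the account after repeated failures, and returns one generic message whether the username, the password or the lock state caused the failure; MAX_FAILURES and the sample default-password list are assumptions.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

MAX_FAILURES = 5                                          # assumed lockout threshold
DEFAULT_PASSWORDS = {"password", "Welcome1", "changeme"}  # constructed sample of default/vendor passwords
GENERIC = "Invalid username or password"

def meets_complexity(pw):
    """Enforces the policy in code: length, three character classes, no known defaults, no obvious sequences."""
    if len(pw) < 12 or pw in DEFAULT_PASSWORDS:
        return False
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(pat, pw))
    if classes < 3:
        return False
    return not re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)", pw.lower())

def hash_password(pw, salt=None):
    """Salted PBKDF2 so a leaked table does not hand out the passwords themselves."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False

def create_account(username, pw):
    if not meets_complexity(pw):
        raise ValueError("password does not meet policy")
    salt, digest = hash_password(pw)
    return Account(username, salt, digest)

def authenticate(accounts, username, pw):
    """Server-side check with lockout. The reply never reveals which part was wrong or that the account is locked."""
    acct = accounts.get(username)
    if acct is None or acct.locked:
        return False, GENERIC
    _, digest = hash_password(pw, acct.salt)
    if hmac.compare_digest(digest, acct.digest):
        acct.failures = 0
        return True, "Welcome"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False, GENERIC
```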


Collect test results and create report
- Generate findings based on tests performed
- Use Findings Repository
[Diagram: Findings Repository and Test Results]


Sensitive nature of findings
- Don’t want to publish a road map that hackers can use to compromise an organization’s systems
- Communicate orally
- Confidential letter


Audit Recommendations
- Develop and implement a plan for conducting regular security assessments of web-based applications
- Develop and implement a process for classifying and addressing security weaknesses when they are discovered
- Develop and implement policies and procedures for updating web servers
- Develop and implement standards for developing web-based applications
- Develop and implement security training for web-based application developers
- Develop effective policies and procedures to ensure good security practices are followed
- Develop and implement an ongoing process for identifying and removing sensitive information from publicly accessible websites
- Develop and implement an ongoing process for monitoring system and network logs and addressing abnormal and security incidents






Questions?