Erwin Geirnaert – Security Innovation BVBA
[email protected] +32478289466
Security Testing of (web) applications
SECURITY INNOVATION BVBA
Agenda
• Objectives
• Security Test Checklist
• Risk assessment
• Source code review
• Tools
• Some examples
Cross-site scripting
• Insert JavaScript in input fields to steal cookies, manipulate forms, ...
• Vulnerable applications: forums, search, user login, ...
• To test:
<script>alert(document.cookie)</script>
• XSS Cheat-sheet: http://ha.ckers.org/xss.html
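What the test on this slide looks like as a script, as an added example that is not part of the original deck: a hypothetical search page that reflects its query into the HTML body unescaped, the same page with output encoding, and the check a tester applies to the response. Only a verbatim reflection of the payload counts as a finding; an encoded reflection (&lt;script&gt;) in a body context is harmless, which is the distinction an automated scanner gets wrong when it reports false positives. The page renderers and their names are assumptions made for the example.

```python
import html

# Constructed test payload, the one the slide suggests typing into input fields
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(query: str) -> str:
    """Hypothetical search page that echoes the query straight into the HTML body."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_fixed(query: str) -> str:
    """Same page with output encoding for an HTML body context (html.escape)."""
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


def reflected_unescaped(response_body: str, payload: str = XSS_PAYLOAD) -> bool:
    """The tester's check on the response: is the payload reflected byte for byte?

    An encoded copy (&lt;script&gt;...) does not execute in a body context, so only
    the verbatim copy is reported.
    """
    return payload in response_body


def xss_test(render, payload: str = XSS_PAYLOAD) -> dict:
    """Submit the payload to a page renderer and classify how it comes back."""
    body = render(payload)
    return {
        "payload": payload,
        "reflected_unescaped": reflected_unescaped(body, payload),
        "reflected_encoded": html.escape(payload, quote=True) in body,
    }


if __name__ == "__main__":
    for name, page in (("vulnerable", render_search_vulnerable), ("fixed", render_search_fixed)):
        print(name, xss_test(page))
```

Against a live target the same check runs over the HTTP response captured in a proxy; the renderer functions stand in for the server round trip so the check can be exercised offline.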
References
• Tech-Ed 2004 – Designing in Security
• OWASP – AppSec Europe 2005 - Tools of
the Trade: AppSec Assessment Tools
Security Tester Toolbox
• Tools are just a way of manipulating web applications
• They are no silver bullet: an automated scan can produce a lot of false positives
• They can be really expensive
• They can be useful
• You need to learn how to use them and what their limitations are
• Internet Explorer can do the job, and for free
Tools
Tools that can help:
• Static Analysis Tools
• Dynamic Analysis Tools
• Application Vulnerability Scanners
• Other Tools
Static analysis tools
• Source code scanners crawl your source tree to discover possible errors at the code level
• Strengths
– Finding logical errors
– Finding security errors
• Weaknesses
– Runtime errors are not found
– False positives
– False sense of security
• Examples
– Klocwork inSpect
– Coverity SWAT
– Lint
Dynamic analysis tools
• Dynamic analysis tools watch the application while it is running to find possible errors
• Strengths
– Finding errors that may surface at runtime
– Code coverage
– Performance analysis
• Weaknesses
– Difficult to execute every code path
– Difficult to find many security problems
• Examples
– Compuware
– Code coverage tools
– Performance analysis tools
Tools in the past
• 4 years ago, a limited list of free tools:
– Achilles: local proxy
– @Stake WebProxy: local proxy& fuzzer, in Java
– WebSleuth: plugin for IE, raw requests
– Whisker: vulnerability scanner
– Nikto: vulnerability scanner
– Nessus: didn’t include web vulnerabilities yet
– But they did the job, only it required more time....
Commercial Fault Injection Test Tools
1. SPI Dynamics WebInspect
2. Sanctum (now Watchfire) AppScan
3. Kavado Scando
4. AppSecInc AppDetective for Web Apps
5. Cenzic Hailstorm
6. NT Objectives NTOSpider
7. Acunetix Web Vulnerability Scanner 2
8. Compuware DevPartner Fault Simulator
9. Fortify Pen Testing Team Tool
10. @stake Web Proxy 2.0
11. Burp Intruder
12. Sandsprite Web Sleuth
13. MaxPatrol 7
14. Syhunt Sandcat Scanner & Miner
15. TrustSecurityConsulting HTTPExplorer
16. Ecyware BlueGreen Inspector
17. NGS Typhon
18. Parasoft WebKing (more QA-type tool)
Application vulnerability scanners
• Application vulnerability scanners test your application through known avenues of attack
• Strengths
– Help to ensure your application is not vulnerable to known attack vectors
– Find some security vulnerabilities
• Weaknesses
– Web applications only
– Still in their infancy
• Examples
– Kavado Scando
– SPI Dynamics WebInspect
Other tools
• Hex Editors
– Allow a tester to view binary data in an editable hexadecimal/ASCII representation
– Can search for clear-text passwords, or for sections with high entropy, which could lead to the discovery of encrypted data or hashes
• Debuggers
– Allow a tester to view memory space, stack, and machine instructions while the application is running
– Can be used to help exploit buffer overruns, or to discover clear-text or encrypted data while in memory
OWASP - WebScarab
• Java based: download stand-alone JAR
and runtime
• HTTP Proxy
• Client-certificates
• Session analysis
• Raw request
• Spider
• Custom plugins: BeanShell
Open Source or Freeware Fault Injection Test Tools
1. WebScarab (HTTPush, Exodus)
2. Paros Proxy
3. Burp Spider
4. Burp Proxy
5. SPIKE Proxy
6. SPIKE
7. Achilles Proxy
8. Odysseus Proxy
9. Webstretch Proxy
10. Absinthe 1.1 (formerly SQLSqueal)
11. NGS SQL Injection Inference Tool (BH Europe 2005)
12. Internet Explorer HTMLBar Plugin
13. Firefox LiveHTTPHeaders and Developer Tools
14. Sensepost Wikto (Google cached fault-finding)
15. Foundstone Sitedigger (Google cached fault-finding)
Source code review
• Identify vulnerabilities from the code
• Requires good eyes
• Source code scanners can help
• How to test for this backdoor?

    import java.io.IOException;
    import javax.servlet.http.*;

    public class BackdoorServlet extends HttpServlet {
        // Backdoor: any request carrying the hard-coded "magic" value gets admin processing
        public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
            String magic = "sf8g7sfjdsurtsdieerwqredsgnfg8d";
            boolean admin = magic.equals(request.getParameter("magic"));
            if (admin) doAdmin(request, response);
            else { /* .... normal processing */ }
        }
    }
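From the outside, a 31-character random token on an undocumented parameter is not something a scanner or a tester will guess, which is why the slide asks for the source. As an added example (not code from the deck), here is the kind of check a source code scanner can make: it flags every request parameter that is compared against a string constant and scores the constant's entropy, so a random backdoor token stands out from an ordinary fixed value such as a role name. The servlet above is embedded as constructed input; the regular expressions and the entropy/length thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed input: the servlet from the slide, embedded so the scan runs offline
JAVA_SOURCE = '''
public void doPost(HttpServletRequest request, HttpServletResponse response)
{
    String magic = "sf8g7sfjdsurtsdieerwqredsgnfg8d";
    boolean admin = magic.equals(request.getParameter("magic"));
    if (admin) doAdmin(request, response);
    else normalProcessing(request, response);
}
'''

# String constant assigned to a local:  String name = "...";
ASSIGN_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# name.equals(request.getParameter("p"))  and the mirrored  request.getParameter("p").equals(name)
CMP_RE = re.compile(r'(\w+)\.equals\(\s*request\.getParameter\(\s*"([^"]*)"\s*\)\s*\)')
CMP_REV_RE = re.compile(r'request\.getParameter\(\s*"([^"]*)"\s*\)\.equals\(\s*(\w+)\s*\)')
# "literal".equals(request.getParameter("p"))  with the constant written inline
LIT_CMP_RE = re.compile(r'"([^"]*)"\.equals\(\s*request\.getParameter\(\s*"([^"]*)"\s*\)\s*\)')


def shannon_entropy(s: str) -> float:
    """Bits per character: a random token scores high, an English word scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_param_checks(source: str, min_entropy: float = 3.0, min_len: int = 16) -> list:
    """Report every request parameter that is compared against a string constant.

    Constants are resolved per file, not per scope: a limitation that causes false
    positives, as the tools slides warn. Each finding carries the constant's entropy;
    `suspicious` marks the long, random-looking ones (backdoor tokens) as opposed to
    ordinary fixed values such as "admin".
    """
    constants = dict(ASSIGN_RE.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        compared = [(constants.get(v), p) for v, p in CMP_RE.findall(line)]
        compared += [(constants.get(v), p) for p, v in CMP_REV_RE.findall(line)]
        compared += [(lit, p) for lit, p in LIT_CMP_RE.findall(line)]
        for value, param in compared:
            if value is None:
                continue  # compared against something that is not a string constant here
            ent = shannon_entropy(value)
            findings.append({
                "line": lineno,
                "param": param,
                "value": value,
                "entropy": round(ent, 2),
                "suspicious": ent >= min_entropy and len(value) >= min_len,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_param_checks(JAVA_SOURCE):
        print(finding)
```

The scan is text-based on purpose: it shows what a single rule in a scanner does and where its false positives come from (no scope resolution, no data flow), which is the limitation the Tools slides ask you to understand before trusting a report.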
Risk assessment
• Identify your risks and test for the threats
• Existing methodologies:
– OCTAVE: Operationally Critical Threat, Asset
and Vulnerability Evaluation –
www.cert.org/octave
– Simplified security risk analysis
– Threat modeling
“You cannot test a system until you understand the threats”
Threat modeling is the design-time activity that discovers the threats your application is susceptible to. It yields both threats and vulnerabilities, and it gives security testing a way to prioritize the fixes that are needed.
Threat modeling - Definitions
Threats are possible attacks; vulnerabilities are security-related software errors:
• A threat is what an attacker might try to do to an asset or through an entry point
• A vulnerability is a specific, exploitable flaw that exists because a threat path was left unmitigated
Test Plan
• The test plan will contain the test cases
• A test case consists of:
– Test Case number
– The possible attacks
– Details and tools
– Expected result
STRIDE: Examples
Type of Threat           Examples
Spoofing                 • Forging an e-mail message
                         • Replaying authentication
Tampering                • Altering data during transmission
                         • Changing data in the database
Repudiation              • Deleting critical data and denying it
                         • Purchasing a product and denying it
Information disclosure   • Exposing information in error messages
                         • Exposing code on the web site
Denial of Service        • Flooding a web service with invalid requests
                         • Flooding the network with SYN packets
Elevation of Privilege   • Obtaining Administrator privileges
                         • Using an assembly in the GAC to create an account
Threat Tree
Inside Attack Enabled: attack the domain controller from inside
  OR:
    AND:
      SQL Injection: an application doesn't validate user input and allows evil text
      Dev Server: unhardened SQL server used by internal developers
    AND:
      Messenger Xfer: a novice admin uses an instant messenger on a server
      Trojan Soc Eng: the attacker sends a trojan masquerading as a network utility
Document Threats
• Document
– Threat Target
– Risk
– Attack Techniques
– Countermeasure
• Leave Risk blank for now (it is rated in step 6)
• The documented threats are the input for the test plan
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Threat modeling - DREAD
DREAD:
• Damage potential – what is the extent of the damage if this vulnerability were exploited?
• Reproducibility – how reliably can the finder reproduce the issue?
• Exploitability – how hard is it to take advantage of the flaw for a malicious purpose?
• Affected users – how many, or what type of, users are affected by the flaw?
• Discoverability – how quickly can it be publicly discovered?
• DREAD is used to analyze the risk of discovered vulnerabilities
Document Threats (Step 5)
Description                   Target                  Risk    Attack Techniques         Countermeasures
Attacker obtains credentials  User Auth process       (blank) Sniffer                   Use SSL to encrypt the channel
Injection of SQL commands     Data Access Component   (blank) Append SQL to user name   Validate user name; parameterized stored procedure for data access
Rate Threats
• Rate Risk
• Order by Risk
• Address/test in order
• Use DREAD
Risk's Exposure = Probability * Damage Potential
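The Document Threats table, the DREAD rating and the test plan slides describe one procedure: document the threats with the Risk column blank, rate them, order by risk, and test in that order. As an added example that is not part of the deck, the following carries the two rows of the table above (plus one STRIDE example) through that procedure and turns the result into numbered test cases. The DREAD scores are constructed, and the way the five factors are split into Probability and Damage Potential for the exposure formula is an assumption, as is the High/Medium/Low banding.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the Document Threats table plus its DREAD scores (1..10 each)."""
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    damage: int            # D: damage potential
    reproducibility: int   # R
    exploitability: int    # E
    affected_users: int    # A
    discoverability: int   # D

    def dread(self) -> float:
        """Plain DREAD average, the rating that fills the Risk column in step 6."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def probability(self) -> float:
        # Assumed mapping (not from the slides): likelihood comes from the
        # "how easy" factors R, E and Discoverability, normalised to 0..1
        return (self.reproducibility + self.exploitability + self.discoverability) / 30

    def damage_potential(self) -> float:
        # Assumed mapping: impact comes from Damage and Affected users, 0..1
        return (self.damage + self.affected_users) / 20

    def exposure(self) -> float:
        """Risk's Exposure = Probability * Damage Potential (the slide's formula)."""
        return self.probability() * self.damage_potential()


def rating(dread_score: float) -> str:
    """Assumed banding of the 1..10 DREAD average into High/Medium/Low."""
    if dread_score >= 8:
        return "High"
    if dread_score >= 5:
        return "Medium"
    return "Low"


def rate_threats(threats):
    """Step 6: order the table by exposure, highest first (DREAD average breaks ties)."""
    return sorted(threats, key=lambda t: (t.exposure(), t.dread()), reverse=True)


def to_test_plan(threats):
    """Turn the rated table into numbered test cases, in the order they should be tested."""
    plan = []
    for number, t in enumerate(rate_threats(threats), 1):
        plan.append({
            "test_case": number,
            "attack": f"{t.attack_technique} against {t.target}",
            "risk": rating(t.dread()),
            "exposure": round(t.exposure(), 2),
            "expected_result": f"Blocked by: {t.countermeasure}",
        })
    return plan


# Constructed scores for the two rows of the slide's table plus one STRIDE example
THREATS = [
    Threat("Attacker obtains credentials", "User Auth process", "Sniffer",
           "Use SSL to encrypt channel", 8, 10, 7, 10, 8),
    Threat("Injection of SQL commands", "Data Access Component", "Append SQL to user name",
           "Validate user name; parameterized stored procedure", 10, 10, 5, 10, 7),
    Threat("Expose information in error messages", "Error handler", "Trigger exceptions",
           "Generic error page, log details server-side", 3, 10, 8, 5, 9),
]

if __name__ == "__main__":
    for case in to_test_plan(THREATS):
        print(case)
```

The point of keeping the Risk column out of the dataclass fields and computing it is that the ordering, not the absolute number, is what the test plan consumes; changing the assumed mapping changes the scores but the procedure stays the same.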
Attack Vector in a Threat Tree
Theft of Auth Cookies
  OR:
    AND:
      Unencrypted Connection: cookies travel over unencrypted HTTP
      Eavesdropping: the attacker uses a sniffer to monitor HTTP traffic
    AND:
      Cross-Site Scripting: the attacker possesses the means and knowledge
      XSS Vulnerability: the application is vulnerable to XSS attacks
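Both threat trees in this deck have the same shape: an OR root over AND branches, where each branch is an attack vector and each leaf a condition a countermeasure can remove. As an added example (not from the deck), the following models the cookie-theft tree above, evaluates whether the root attack is still feasible for a given set of conditions, and enumerates the minimal attack paths, so you can see that adding SSL removes the eavesdropping path but leaves the XSS path for the tester to cover. Leaf names are paraphrased from the slide.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """A threat tree node: a leaf condition, or an AND/OR gate over child nodes."""
    name: str
    gate: str = "LEAF"                      # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


# The slide's tree, transcribed: the root is an OR over two AND branches
COOKIE_THEFT = Node("Theft of Auth Cookies", "OR", [
    Node("Eavesdropping", "AND", [
        Node("Cookies travel over unencrypted HTTP"),
        Node("Attacker can sniff HTTP traffic"),
    ]),
    Node("Cross-site scripting", "AND", [
        Node("Attacker has XSS means and knowledge"),
        Node("Application is vulnerable to XSS"),
    ]),
])


def feasible(node: Node, holds: Set[str]) -> bool:
    """Is the root attack possible when exactly the leaf conditions in `holds` are true?"""
    if node.gate == "LEAF":
        return node.name in holds
    results = [feasible(child, holds) for child in node.children]
    return all(results) if node.gate == "AND" else any(results)


def attack_paths(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of leaf conditions that together make the root feasible (cut sets)."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    child_paths = [attack_paths(child) for child in node.children]
    if node.gate == "OR":
        candidates = [path for paths in child_paths for path in paths]
    else:  # AND: every child must be satisfied, so combine one path per child
        candidates = [frozenset().union(*combo) for combo in product(*child_paths)]
    # keep only minimal sets and drop duplicates, preserving order
    minimal = [p for p in candidates if not any(q < p for q in candidates)]
    return list(dict.fromkeys(minimal))


def remaining_paths(node: Node, mitigated: Set[str]) -> List[FrozenSet[str]]:
    """Paths that survive once countermeasures have removed the given leaf conditions."""
    return [p for p in attack_paths(node) if not (p & mitigated)]


def leaves(node: Node) -> Set[str]:
    """All leaf conditions in the tree."""
    if node.gate == "LEAF":
        return {node.name}
    return set().union(*(leaves(child) for child in node.children))


if __name__ == "__main__":
    everything = leaves(COOKIE_THEFT)
    print("paths:", [sorted(p) for p in attack_paths(COOKIE_THEFT)])
    after_ssl = everything - {"Cookies travel over unencrypted HTTP"}
    print("feasible after SSL only:", feasible(COOKIE_THEFT, after_ssl))
    after_both = after_ssl - {"Application is vulnerable to XSS"}
    print("feasible after SSL and XSS fix:", feasible(COOKIE_THEFT, after_both))
```

Each surviving path is a test case: the leaves name the conditions the tester has to reproduce, and the countermeasure that is supposed to cut the path is the expected result.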
Attack vectors for web applications
• Parameter Tampering
• Cookie Tampering
• Cross-site Scripting
• SQL Injection
• Script Injection
• Command Injection
• Encoding Attacks
• Buffer Overflows
• Format-string attacks
• Harvesting User IDs
• Brute-forcing Accounts
• Path Truncation Attacks
• Hidden Path Discovery
• Application Directory and File Mapping
• Forceful Browsing
• Source Code Disclosure
• Web server vulnerability exploitation
Threat Modeling
• Structured analysis aimed at:
– Finding infrastructure vulnerabilities
– Evaluating security threats
– Identifying countermeasures
• Originated from software development security threat analysis
Identify Assets
• What do you need to protect?
– Confidential data
– Orders
– Customers
– Web pages
– Availability
• What is important?
Threat modeling - STRIDE
Threats can be classified using the STRIDE classification:
• Spoofing – lying about identity
• Tampering – modifying or destroying data
• Repudiation – covering the tracks of an attack / denying a transaction
• Information Disclosure – stealing valuable private data
• Denial of Service – stopping an application from providing its basic functionality
• Elevation of Privilege – executing code with stolen high privileges
Whenever discovering threats, the analyst always thinks about the STRIDE elements
Decomposition (Step 3)
[Diagram: users Bob, Alice and Bill reach the IIS/ASP.NET Web Server (Login, State and Main pages) through a firewall; the Web Server connects to the Database Server. Labels on the diagram: Trust, Forms Authentication, URL Authorization, DPAPI, Windows Authentication.]
Identify Threats
• Use STRIDE to identify threats
• Use categorized threat lists
– Network
– Host
– Application
Architecture Diagram (Step 2)
[Diagram: users Bob, Alice and Bill; a firewall; the IIS/ASP.NET Web Server with Login, State and Main pages; the Database Server. Assets #1 to #6 are marked on the components.]
Decompose Application
• Identify trust boundaries
• Identify data flow
• Identify entry points
• Identify privileged code
• Document the security profile
– Architecture & Design Review
Create Architecture Overview
• Identify what the application does
• Create an architecture diagram
• Identify the technologies used
Security Test Checklist
• You need an EXPERIENCED TESTER
• Create a threat model and a test plan
• Web application testing is not the same as penetration testing
• Do not rely ONLY on automated web application security scanners
• Source code of the web application HELPS
• Have a Security Tester Toolbox
• Log everything
Online Checklist
• OWASP = Open Web Application Security
Project - Web Application Penetration
Checklist v1.1 from www.owasp.org
• OSSTMM = Open Source Security Testing
Methodology Manual – www.osstmm.org
Objectives
• Define security testing
• Best practices to execute security tests
• Discover some tools that you can use
• Testing is not the silver bullet