How to read a security test report?


Slide 1: How to read a security test report?
Ainārs Galvāns, Security Tester, Exigen Services Latvia
www.exigenservices.lv

Slide 2: Definitions (Wikipedia)
- Threat: a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.
- Vulnerability: a weakness which allows an attacker to reduce a system's information assurance.
- Information assurance: includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.

Slide 3: Vulnerability report
A perfect report would include:
- The threat described, including the possible harm
- The affected information security item
- A repeatable exploit scenario
Nothing is perfect:
- The auditor's inadequate business knowledge
- Insufficient time/funding
- Not required by contract
To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.

Slide 4: Alternative report examples
Proof that a possible exploit scenario exists, i.e.:
- If <script>alert(1)</script> is executed, then any script could possibly be executed
- If there is no user lockout, then one can find a user's password
Not following best practice, without an exploit scenario:
- Sending the session ID as a parameter
- Insecure cookie usage
- Displaying technical error details to a user
- Undocumented features
- Missing authorization checks on logically private URLs

Slide 5: Things you need to know to be able to READ AN IMPERFECT REPORT

Slide 6: Understanding penetration testing (diagram)
Testing the information system (IS) produces a list of weaknesses. Analysis turns each weakness either into a vulnerability (vulnerability nr 1, vulnerability nr 2, ...) or marks it as not exploitable. Each vulnerability is then assessed for priority, danger and threat.

Slide 7: Weakness types (OWASP risk, sample weakness, what the attacker may do)
1. Injections. Sample weakness: user input is concatenated into an SQL statement. Attacker may: execute any SQL statement.
2. Broken authentication and session management. Sample weakness: the user's session ID is publicly available. Attacker may: do whatever they want on behalf of the user.
3. Cross-site scripting. Sample weakness: data is allowed to contain HTML tags, including scripts. Attacker may: execute a script in the user's browser.
4. Insecure direct object access. Sample weakness: security only restricts which secure URLs are sent to the user. Attacker may: guess a URL and access it.
5. Security misconfiguration. Sample weakness: OS unpatched, default DB password, etc. Attacker may: various.

Slide 8: Weakness types, continued (OWASP risk, sample weakness, what the attacker may do)
6. Sensitive data exposure. Sample weakness: sensitive data is transferred over plain HTTP. Attacker may: act as man in the middle and steal data.
7. Missing function-level access control. Sample weakness: a web page is missing an authorization check. Attacker may: access the page without authorization.
8. Cross-site request forgery. Sample weakness: no CSRF protection implemented. Attacker may: submit actions on behalf of other users.
9. Known vulnerabilities. Sample weakness: an old, unpatched 3rd-party library is used. Attacker may: various.
10. Unvalidated redirects. Sample weakness: a redirect uses a URL from a hidden field. Attacker may: various, including stealing the user's session.

Slide 9: Understanding penetration testing tools
Tools (I use Burp) can:
- Scan your web server for available URLs
- Work as man-in-the-middle, even when SSL is used
In particular you can:
- Change the HTML page: disable client-side validation, unhide hidden fields, change drop-down values, etc.
- Edit an HTTP(S) request or even forge a new one
- View and edit your cookies, change request headers

Slide 10: Case study
DISCLAIMER: The screenshots in the next slides are taken (and slightly edited) from the internal testing environment of Exigen Services Latvia, used to test the security of a component that is part of the Latvia.lv portal. The Latvia.lv portal itself was not tested directly.

Slide 11: Cookie+ Firefox plugin (screenshot)

Slide 12: Un-hiding (editable) hidden fields (screenshot)

Slide 13: Editing an HTTP request: SQL injection in a radio button value (screenshot)
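Slides 7, 9 and 13 together make one point: a radio button or drop-down only constrains the browser, and a tester with an intercepting proxy can send any value. The added example below (not from the original deck) shows a constructed user table filtered by a radio-button `status` value, first with the concatenation weakness from slide 7 and then with a server-side allow-list plus a bound parameter.

```python
import sqlite3

# Constructed sample data for the example; not taken from the tested portal.
ROWS = [("Alice", "active"), ("Bob", "active"), ("Carol", "disabled")]
# The only values the radio button legitimately offers.
ALLOWED_STATUS = {"active", "disabled"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, status TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def filter_users_vulnerable(con, status):
    # Slide 7, row 1: the submitted value is concatenated straight into SQL,
    # so the quote inside an edited value ends the literal and the rest is SQL.
    sql = "SELECT name FROM users WHERE status = '" + status + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def filter_users_hardened(con, status):
    # The fix has two parts: the server re-checks that the value is one the
    # radio button can produce, and the value travels as a bound parameter.
    if status not in ALLOWED_STATUS:
        raise ValueError("unexpected status value: %r" % status)
    sql = "SELECT name FROM users WHERE status = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (status,))]


def rejects_tampered_value(con, value):
    """True when the hardened filter refuses a value the radio button never offered."""
    try:
        filter_users_hardened(con, value)
    except ValueError:
        return True
    return False


def demo():
    """Compare both filters on a normal value and on a value edited in the request."""
    con = make_db()
    edited = "x' OR '1'='1"  # what an edited radio-button value might carry
    return {
        "normal": filter_users_vulnerable(con, "active"),
        "vulnerable_with_edited_value": filter_users_vulnerable(con, edited),
        "hardened_rejects_edited_value": rejects_tampered_value(con, edited),
    }
```

The vulnerable filter returns every user for the edited value because the WHERE clause becomes a tautology; the hardened one refuses the value before any SQL runs.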

Slide 14: Session stealing explained (diagram)
Participants: the IS web server, the attacker's web server and the user's web browser. The browser sends login and password to the IS web server and receives a secure token. The browser then opens a URL on the attacker's web server and receives HTTP content with a script; that script sends the secure token to the attacker's web server.

Slide 15: Stored XSS explained (diagram)
The attacker stores business data (i.e. a comment) with a script attached on the IS web server. When the user's web browser requests the business data, the IS web server returns the data together with the script.

Slide 16: CSRF explained (diagram)
The browser sends login and password to the IS web server and receives a secure token (a secure cookie). The browser then opens a URL on the attacker's web server and receives HTTP content with a script; the script submits a transaction to the IS web server, and the browser attaches the secure token automatically.

Slide 17: Not every weakness allows an attacker to pose a THREAT TO THE BUSINESS

Slide 18: Weakness/vulnerability analysis
Predicting the possible harm an exploit of the vulnerability could cause:
- Requires different effort
- Requires different skills/knowledge
Alternatives:
- Ask the customer (get money?)
- Fix anyway (if it is not hard)
- Ignore (accept the risk)
Outcome categories: environment/configuration issue; must be fixed; hard to decide; low priority.

Slide 19: Example: CSRF protection not implemented
- Not a bug: there is no threat because all pages are «read only»
- Wouldn't fix: an «outsider» can't learn how to forge a request
- Postponed: workaround, reducing the risk by making the request harder to forge
- Fix: implement protection as recommended by OWASP
Note: absence of CSRF protection could also create a DoS attack risk.
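For the "Fix" row of slide 19, the protection OWASP recommends is a per-session synchronizer token carried in the site's own forms. The added example below (not from the original deck) models the slide 16 exchange server-side: a constructed in-memory session table, a login that issues the secure cookie and the CSRF token, and a transaction handler that rejects the forged request the attacker's script would submit.

```python
import hmac
import secrets

# Constructed in-memory session table for the example: session id -> session data.
SESSIONS = {}


def login(user):
    """Issue the 'secure token' cookie (slides 14/16) plus a CSRF token bound to it.

    The CSRF token is embedded in the IS web server's own forms, never in the
    cookie, so a page on the attacker's server cannot read it.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf"]


def handle_transaction(request):
    """Process a state-changing request.

    request is a dict with 'method', 'cookies' and 'form' (constructed shape
    for the example). Returns (HTTP status, message).
    """
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        # State changes only via POST: a cross-site GET (the «read only» case
        # of slide 19) can never trigger a transaction.
        return 405, "state change requires POST"
    submitted = request["form"].get("csrf", "")
    # Constant-time comparison against the token bound to this session; the
    # browser attached the cookie automatically (slide 16), but the forging
    # page had no way to obtain this value, so the forged POST fails here.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transaction done for " + session["user"]


def demo():
    """Legitimate form submission versus the forged request from slide 16."""
    sid, csrf = login("alice")
    cookies = {"sid": sid}  # sent by the browser in both cases
    legit = handle_transaction({"method": "POST", "cookies": cookies,
                                "form": {"csrf": csrf, "amount": "10"}})
    forged = handle_transaction({"method": "POST", "cookies": cookies,
                                 "form": {"amount": "10"}})  # no token
    return legit[0], forged[0]
```

Because the token is bound to the session, an attacker who logs in separately cannot reuse their own token against another user's session either.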

Slide 20: Summary and conclusions
- A report is just information to be analyzed
- Not every security bug requires a code fix
- The penetration tester may not be able to decide which ones do
Prerequisites for decision making:
- Install some penetration test tools to repeat the bugs
- Understand security basics
- Understand the business context and the production environment
Functional tester role: you may
- Lead the process and the report analysis
- In future, discover some of the reported bugs yourself

Slide 21: QUESTIONS?
Contact: Ainārs Galvāns, Security Tester, Exigen Services Latvia
ainars.galvans@exigenservices.com
Eizensteina iela 29a, Riga, LV-1079, Latvia
phone +371 6707 2976, mobile +371 2943 2698

Slide 22: APPENDIXES (additional slides to support the talk in case of questions)

Slide 23: Threat vs vulnerability. Danger?
Threats:
- A back office user could steal another user's session
- An external attacker could guess a portal user's password
- A back office user may mount a DoS attack
Vulnerabilities:
- Data import doesn't prevent XSS
- Login has an unvalidated redirect
- Potential XSS in old web pages
- Change password in the portal allows a weak new password
- No protection against brute force attacks

Slide 24: Defining your security context/level
Different projects require different security:
- Legislation may apply (i.e. the Data Protection Directive)
- IS security may be critical to the customer's business
- IS data confidentiality may be critical to the customer's business
Contractual details could also affect your security:
- There may be requirements for specific security activities
- There may be explicit security requirements
- There may be requirements to integrate with or use 3rd-party libraries of questionable security