Human vs Artificial intelligence Battle of Trust

Similar documents
MIS Training Institute Page 1

Who Am I? Mobile Security chess board - Attacks & Defense. Mobile Top 10 - OWASP. Enterprise Mobile Cases

Top 10 AJAX security holes & driving factors

Certified Secure Web Application Engineer

Web Application Penetration Testing

RiskSense Attack Surface Validation for Web Applications

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

CSWAE Certified Secure Web Application Engineer

Solutions Business Manager Web Application Security Assessment

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Notes From The field

Penetration Testing. James Walden Northern Kentucky University

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Web Application Attacks

Vulnerability Validation Tutorial

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Application security : going quicker

Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

John Coggeshall Copyright 2006, Zend Technologies Inc.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

C1: Define Security Requirements

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

IronWASP (Iron Web application Advanced Security testing Platform)

Web Application Security. Philippe Bogaerts

The OWASP Foundation

Introduction to Ethical Hacking

Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications OWASP. The OWASP Foundation

Application. Security. on line training. Academy. by Appsec Labs

Penetration Testing with Kali Linux

HP 2012 Cyber Security Risk Report Overview

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

SensePost Training Overview 2011/2012

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

EasyCrypt passes an independent security audit

COMP9321 Web Application Engineering

Surrogate Dependencies (in


Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web 2.0 Käyttöliittymätekniikat

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Copyright

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

Web 2.0 Attacks Explained

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

NoSQL Injection SEC642. Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S

RiskSense Attack Surface Validation for IoT Systems

WEB APPLICATION PENETRATION TESTING VERSION 2

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Common Websites Security Issues. Ziv Perry

RKN 2015 Application Layer Short Summary

Some Facts Web 2.0/Ajax Security

A D V I S O R Y S E R V I C E S. Web Application Assessment

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Configuring BIG-IP ASM v12.1 Application Security Manager

Securing ArcGIS Services

CIS 4360 Secure Computer Systems XSS

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Finding Vulnerabilities in Web Applications

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Security. CSC309 TA: Sukwon Oh

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

AWS Lambda + nodejs Hands-On Training

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Application vulnerabilities and defences

Risk Intelligence. Quick Start Guide - Data Breach Risk

GOING WHERE NO WAFS HAVE GONE BEFORE

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

Web Applications (Part 2) The Hackers New Target

Integrity attacks (from data to code): Cross-site Scripting - XSS

CS50 Quiz Review. November 13, 2017

Web Security, Summer Term 2012

Base64 The Security Killer

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

WAPTv2 at a glance: Self-paced, online, flexible access interactive slides and 5+ hours of video material. Downloadable material

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

IEEE Sec Dev Conference

Web Robots Platform. Web Robots Chrome Extension. Web Robots Portal. Web Robots Cloud

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

An analysis of security in a web application development process

CS 161 Computer Security

Web Application Security

Simple AngularJS thanks to Best Practices

Transcription:

Human vs Artificial intelligence Battle of Trust Hemil Shah Co-CEO & Director Blueinfy Solutions Pvt Ltd

About Hemil Shah hemil@blueinjfy.net Position -, Co-CEO & Director at BlueInfy Solutions, - Founder & Director, esphere Security & ExtendedITArms, Member of advisory board on several security consulting companies, Speaker & trainer at different conferences Blueinfy Professional Application Security Services Company Blog blog.blueinfy.com Interest Application security research (Web & Mobile) Published research Articles / Papers Packstroem, etc. Tools DumpDroid, CheckDebugable, FSDroid, iappliscan, wsscanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Slide 2

Key Points Importance of manual application security reviews Unique cases used by humans to identify high value security vulnerabilities in applications Methodology of analyzing modern era applications to find complex security vulnerabilities Suggestions to protect against the vulnerabilities Slide 3

Vulnerabilities Human Intelligence 2 Medium = 1 Critical = Compromise Automated 2 Medium = 2 Medium Slide 4

Complex Structures Stack Protocols JSON, GWT, WebSockets, Custom, AMF 3.0, etc Database and File System NodeJS, Mashup driven, Cross Domain integrations, Web services, Webhooks, Browser Extensions, Entity frameworks etc MongoDB, Hadoop, IndexDB, FileAPI, etc Client side HTML5, AngularJS, ExpressJS, Knockout.js, etc Slide 5

Where are we standing? Source: Most vulnerable operating systems and applications in 2014 by GFI Languard Slide 6

2015 A Year that has been Source 2015 Edgescan Status Report Slide 7

2015 A Year that has been Source 2015 Trustwave Global Security Report Slide 8

Top 5 Vulnerabilities Zero application with NO vulnerability in first review From the stats of Blueinfy s data Slide 9

Attacks and Hacks 98% applications are having security issues Web Application Layer vulnerabilities are growing at higher rate in security space Client side hacking and vulnerabilities are on the rise Web browser vulnerabilities are growing at higher rate End point exploitation shifting from OS to browser and its plugins Slide 10

Technology Trend Slide 11

Today s Development Life Cycle Rapid/Agile development Catching up with new technologies Web 2.0, HTML5, Framework driven, Mobile, Cloud and on on on on on Tight deadlines Frequent release cycles Business requirement Security requirement Slide 12

Stack/Logic - Layers Android iphone/pad HTML 5 Other Storage Flash AMF Mobile WebSocket Server side Components WebSQL DOM JS Storage Flex XHR Silverlight Presentation Layer XAML WCF NET Business Layer Data Access Layer Authentication Communication etc. Client side Components (Browser) Runtime, Platform, Operating System Components Slide 13

Secure ADLC Is it enough??? Slide 14

Methodology, Scan and Attacks Assets Footprinting & Discovery Config Scanning Black Enumeration & Crawling Code Scanning White Attacks and Scanning Secure Coding Defense Web Firewall Secure Assets Slide 15

Automated Blackbox Footprinting & Discovery Profiling & Vulnerability Assessment Auto Attacks Exploit (Missing) & Co-Relation Defense Slide 16

Automated Whitebox identified Threats Identifying Configuration And Code Blocks Configuration Review Code Review Vulnerability Detection (Exploit/Deployment) Security Control Slide 17

Automated - Whitebox & Blackbox Blackbox method uses crawling and spidering to determine all possible resources Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. Automated tools are headless and generate so many False Positives that usually real vulnerabilities are missed while eliminating false positives Automated tools may not perform behavioral analysis effectively Slide 18

Modern Application Challenges How to identify possible hosts running the application? Cross Domain Identifying Ajax and HTML5 calls Dynamic DOM manipulations Identifying XSS and XSRF vulnerabilities for Web 2.0 Discovering back end Web Services - SOAP, XML-RPC or REST. How to fuzz XML and JSON structures? Client side code review Mashup and networked application points Slide 19

Game is complex Slide 20

Value of Human in Application Security Reviews Slide 21

Server Side Session over riding Typically found in multi-step or wizard based functionality implementation The application is writing in to server side session to remember user selection/input from the previous page/step The application performs validation on each step but fails to perform validation at the end before performing actual transaction E-commerce application stores information when the user selects item Banking/Currency conversion will require to ask for user s authorization or transaction passwords Slide 22

Server Side Session over riding Slide 23

Server Side Session over riding - Attack Slide 24

Server Side Session over riding - Demo Slide 25

Bypassing Authorization with Response Fuzzing Traditionally penetration testing has been focusing only on modification of requests. As the browsers have become smart and feature rich, it provides a lot of functionalities along with storage on the client side Developers are leveraging it As a result, some of the business logic has been shifted from server side to client side Thus, it has become important to fuzz response along with request At times, flag change in response opens up new functionality or new menu items or access to an admin application Slide 26

Bypassing Authorization with Response Fuzzing Slide 27

HTML5 Client Side Storage Bypass HTML5 brings two different types of storage in to browser XSS was pain as it was stealing my cookie, now I can save my cookies in to client side storage in browser and XSS cannot steal it REALLY??? Brute force DOES not work any more as the accounts are locked REALLY??? Great, now I can save all my counters and information on the client side storage All these are wrong assumption as automated scanners do not find these vulnerabilities The applications are counting bad attempts and setting a value on the client side either in cookies or LocalStorage options provided by browsers Slide 28

HTML5 Client Side Storage Bypass - Demo Slide 29

Command Execution with File Upload The application has a upload functionality My favorite place to attack Result can be command execution, path traversal to get access to important files, impact system with virus Key is to find out where files are stored If uploads are not validated, can be very RISKY Slide 30

Command Execution with File Upload - Demo Slide 31

SQL Injection on Parameter Name SQL Injection in parameter value is very common isn t it What if you are validating all user input value Should input validation be only on the VALUE and not on the NAME if you are using it to construct query??? Slide 32

SQL Injection on Parameter Name - Demo Slide 33

Third party posting, injection and streaming There are number of applications out there which works as a proxy An application will allow user to create custom widgets and configure what they would like to see on the widget These widgets can make calls to third party server to fetch email, RSS feeds, blog, News, twitter, facebook and so on An attacker does not need to attack the application but needs to attack source of the application to compromise user XSS attack from RSS feed can lead in to user s loosing his session for the application and end up giving access to all other widgets of the user. Slide 34

Third party posting, injection and streaming Slide 35

Third party posting, injection and streaming Demo Slide 36

Asynchronous injections across critical functions Applications are leveraging Asynchronous channels i.e. email, OTP on the Mobile to implement critical functionalities SOA has made it easy as third party API integration has became really easy In the application, not all tasks need to be completed right away. Possibly another program can take care of the task later If you request an old statement in bank, bank will have transaction table where it enters the account number and run another program which runs at particular time The program will run the job and send results to user over outside communication channel i.e. email Slide 37

Asynchronous injections across critical functions What if we find SQL Injection and enter payload with account number??? The application will end up sending statement over email of all users Slide 38

Custom protocol handling AJAX calls making calls using non HTTP protocol Tough to analyze and craft request Only HUMAN can do it unless custom program is written to attack using custom protocol Slide 39

Information Leakage via Analytics calls Most applications leverages analytics to understand user s behavior Sends information to third party analytical services Easy to implement across the application BUT should not be implemented at key functionalities Forgot password Change password page Slide 40

Protect Input validation on the server side is key Perform validation for type, size, length and expected characters Client side validation is NO VALIDATION Implement defense in depth Defense at all possible layer Sanitize all output or perform output encoding Do not store files in webroot Have proper permission on directories which stored uploaded files Slide 41

Summary HUMANs can find what machine can not No matter what we do, HUMAN is going to be superior than machines to find HIGH risk vulnerabilities Leverage combination of human intelligence and machine (Automated) to achieve maximum security (Minimize Risk) Slide 42

THANK YOU! [Hemil Shah, hemil@blueinfy.net]

TITLE Human vs Artificial intelligence Battle of Trust Hemil Shah Co-CEO & Director Blueinfy Solutions Pvt Ltd Notes MIS Training Institute Section # - Page 1 XXXXXX XXX

TITLE About Hemil Shah hemil@blueinjfy.net Position -, Co-CEO & Director at BlueInfy Solutions, - Founder & Director, esphere Security & ExtendedITArms, Member of advisory board on several security consulting companies, Speaker & trainer at different conferences Blueinfy Professional Application Security Services Company Blog blog.blueinfy.com Interest Application security research (Web & Mobile) Published research Articles / Papers Packstroem, etc. Tools DumpDroid, CheckDebugable, FSDroid, iappliscan, wsscanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Slide 2 Notes

TITLE Key Points Importance of manual application security reviews Unique cases used by humans to identify high value security vulnerabilities in applications Methodology of analyzing modern era applications to find complex security vulnerabilities Suggestions to protect against the vulnerabilities Slide 3 Notes MIS Training Institute Section # - Page 3 XXXXXX XXX

TITLE Vulnerabilities Human Intelligence 2 Medium = 1 Critical = Compromise Automated 2 Medium = 2 Medium Slide 4 Notes

TITLE Complex Structures Stack Protocols JSON, GWT, WebSockets, Custom, AMF 3.0, etc Database and File System NodeJS, Mashup driven, Cross Domain integrations, Web services, Webhooks, Browser Extensions, Entity frameworks etc MongoDB, Hadoop, IndexDB, FileAPI, etc Client side HTML5, AngularJS, ExpressJS, Knockout.js, etc Slide 5 Notes

TITLE Where are we standing? Source: Most vulnerable operating systems and applications in 2014 by GFI Languard Slide 6 Notes

TITLE 2015 A Year that has been Source 2015 Edgescan Status Report Slide 7 Notes MIS Training Institute Section # - Page 7 XXXXXX XXX

TITLE 2015 A Year that has been Source 2015 Trustwave Global Security Report Slide 8 Notes MIS Training Institute Section # - Page 8 XXXXXX XXX

TITLE Top 5 Vulnerabilities Zero application with NO vulnerability in first review From the stats of Blueinfy s data Slide 9 Notes

TITLE Attacks and Hacks 98% applications are having security issues Web Application Layer vulnerabilities are growing at higher rate in security space Client side hacking and vulnerabilities are on the rise Web browser vulnerabilities are growing at higher rate End point exploitation shifting from OS to browser and its plugins Slide 10 Notes

TITLE Technology Trend Slide 11 Notes

TITLE Today s Development Life Cycle Rapid/Agile development Catching up with new technologies Web 2.0, HTML5, Framework driven, Mobile, Cloud and on on on on on Tight deadlines Frequent release cycles Business requirement Security requirement Slide 12 Notes

TITLE Stack/Logic - Layers Android iphone/pad HTML 5 Other Storage Flash AMF Mobile WebSocket Server side Components WebSQL DOM JS Storage Flex XHR Silverlight Presentation Layer XAML WCF NET Business Layer Data Access Layer Authentication Communication etc. Client side Components (Browser) Runtime, Platform, Operating System Components Slide 13 Notes

TITLE Secure ADLC Is it enough??? Slide 14 Notes

TITLE Methodology, Scan and Attacks Assets Footprinting & Discovery Config Scanning Black Enumeration & Crawling Code Scanning White Attacks and Scanning Secure Coding Defense Web Firewall Secure Assets Slide 15 Notes

TITLE Automated Blackbox Footprinting & Discovery Profiling & Vulnerability Assessment Auto Attacks Exploit (Missing) & Co-Relation Defense Slide 16 Notes

TITLE Automated Whitebox identified Threats Identifying Configuration And Code Blocks Configuration Review Code Review Vulnerability Detection (Exploit/Deployment) Security Control Slide 17 Notes

TITLE Automated - Whitebox & Blackbox Blackbox method uses crawling and spidering to determine all possible resources Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. Automated tools are headless and generate so many False Positives that usually real vulnerabilities are missed while eliminating false positives Automated tools may not perform behavioral analysis effectively Slide 18 Notes

TITLE Modern Application Challenges How to identify possible hosts running the application? Cross Domain Identifying Ajax and HTML5 calls Dynamic DOM manipulations Identifying XSS and XSRF vulnerabilities for Web 2.0 Discovering back end Web Services - SOAP, XML-RPC or REST. How to fuzz XML and JSON structures? Client side code review Mashup and networked application points Slide 19 Notes

TITLE Game is complex Slide 20 Notes

TITLE Value of Human in Application Security Reviews Slide 21 Notes

TITLE Server Side Session over riding Typically found in multi-step or wizard based functionality implementation The application is writing in to server side session to remember user selection/input from the previous page/step The application performs validation on each step but fails to perform validation at the end before performing actual transaction E-commerce application stores information when the user selects item Banking/Currency conversion will require to ask for user s authorization or transaction passwords Slide 22 Notes

TITLE Server Side Session over riding Slide 23 Notes MIS Training Institute Section # - Page 23 XXXXXX XXX

TITLE Server Side Session over riding - Attack Slide 24 Notes MIS Training Institute Section # - Page 24 XXXXXX XXX

TITLE Server Side Session over riding - Demo Slide 25 Notes MIS Training Institute Section # - Page 25 XXXXXX XXX

TITLE Bypassing Authorization with Response Fuzzing Traditionally penetration testing has been focusing only on modification of requests. As the browsers have become smart and feature rich, it provides a lot of functionalities along with storage on the client side Developers are leveraging it As a result, some of the business logic has been shifted from server side to client side Thus, it has become important to fuzz response along with request At times, flag change in response opens up new functionality or new menu items or access to an admin application Slide 26 Notes

TITLE Bypassing Authorization with Response Fuzzing Slide 27 Notes MIS Training Institute Section # - Page 27 XXXXXX XXX

TITLE HTML5 Client Side Storage Bypass HTML5 brings two different types of storage in to browser XSS was pain as it was stealing my cookie, now I can save my cookies in to client side storage in browser and XSS cannot steal it REALLY??? Brute force DOES not work any more as the accounts are locked REALLY??? Great, now I can save all my counters and information on the client side storage All these are wrong assumption as automated scanners do not find these vulnerabilities The applications are counting bad attempts and setting a value on the client side either in cookies or LocalStorage options provided by browsers Slide 28 Notes

TITLE HTML5 Client Side Storage Bypass - Demo Slide 29 Notes MIS Training Institute Section # - Page 29 XXXXXX XXX

TITLE Command Execution with File Upload The application has a upload functionality My favorite place to attack Result can be command execution, path traversal to get access to important files, impact system with virus Key is to find out where files are stored If uploads are not validated, can be very RISKY Slide 30 Notes

TITLE Command Execution with File Upload - Demo Slide 31 Notes MIS Training Institute Section # - Page 31 XXXXXX XXX

TITLE SQL Injection on Parameter Name SQL Injection in parameter value is very common isn t it What if you are validating all user input value Should input validation be only on the VALUE and not on the NAME if you are using it to construct query??? Slide 32 Notes

TITLE SQL Injection on Parameter Name - Demo Slide 33 Notes MIS Training Institute Section # - Page 33 XXXXXX XXX

TITLE Third party posting, injection and streaming There are number of applications out there which works as a proxy An application will allow user to create custom widgets and configure what they would like to see on the widget These widgets can make calls to third party server to fetch email, RSS feeds, blog, News, twitter, facebook and so on An attacker does not need to attack the application but needs to attack source of the application to compromise user XSS attack from RSS feed can lead in to user s loosing his session for the application and end up giving access to all other widgets of the user. Slide 34 Notes

TITLE Third party posting, injection and streaming Slide 35 Notes

TITLE Third party posting, injection and streaming Demo Slide 36 Notes MIS Training Institute Section # - Page 36 XXXXXX XXX

TITLE Asynchronous injections across critical functions Applications are leveraging Asynchronous channels i.e. email, OTP on the Mobile to implement critical functionalities SOA has made it easy as third party API integration has became really easy In the application, not all tasks need to be completed right away. Possibly another program can take care of the task later If you request an old statement in bank, bank will have transaction table where it enters the account number and run another program which runs at particular time The program will run the job and send results to user over outside communication channel i.e. email Slide 37 Notes

TITLE Asynchronous injections across critical functions What if we find SQL Injection and enter payload with account number??? The application will end up sending statement over email of all users Slide 38 Notes

TITLE Custom protocol handling AJAX calls making calls using non HTTP protocol Tough to analyze and craft request Only HUMAN can do it unless custom program is written to attack using custom protocol Slide 39 Notes

TITLE Information Leakage via Analytics calls Most applications leverages analytics to understand user s behavior Sends information to third party analytical services Easy to implement across the application BUT should not be implemented at key functionalities Forgot password Change password page Slide 40 Notes

TITLE Protect Input validation on the server side is key Perform validation for type, size, length and expected characters Client side validation is NO VALIDATION Implement defense in depth Defense at all possible layer Sanitize all output or perform output encoding Do not store files in webroot Have proper permission on directories which stored uploaded files Slide 41 Notes MIS Training Institute Section # - Page 41 XXXXXX XXX

TITLE Summary HUMANs can find what machine can not No matter what we do, HUMAN is going to be superior than machines to find HIGH risk vulnerabilities Leverage combination of human intelligence and machine (Automated) to achieve maximum security (Minimize Risk) Slide 42 Notes MIS Training Institute Section # - Page 42 XXXXXX XXX

TITLE THANK YOU! [Hemil Shah, hemil@blueinfy.net] Notes MIS Training Institute Section # - Page 43 XXXXXX XXX

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback