Confessions of an Accidental Security Tester
Uploaded by alan-richardson. Category: Software.
Transcript of Confessions of an Accidental Security Tester
![Page 1: Confessions of an Accidental Security Tester](https://reader033.fdocuments.net/reader033/viewer/2022042715/558c92e6d8b42acf098b4596/html5/thumbnails/1.jpg)
Confessions of an Accidental Security Tester
Alan Richardson, @eviltester
www.SeleniumSimplified.com
www.EvilTester.com
www.CompendiumDev.co.uk
www.JavaForTesters.com
"I didn't break in, you left the door open"
Page 2
WARNING
I AM NOT A SECURITY TESTER
Page 3
“I am not a security tester”
● I am a user that observes the system at a lower level of detail than many users
● I think about what I observe
● Based on my observations I then ask the system 'what if?' questions
Page 4
“Accidentally Stumble”
I prefer to get paid for finding defects
But...
● I use the web for business
● My personal details are submitted to web sites
● I like to make sure I'm safe
● I 'accidentally stumble' across security defects
Page 5
“By adopting my 'Bad' habits, you can Accidentally Stumble across Security Defects too”
Page 6
How I 'Accidentally Stumble'
● I use browser dev tools in my normal day-to-day web surfing:
– Firebug, Chrome Developer Tools
● I often have all my web traffic running through a debug proxy:
– Fiddler, BurpSuite, ZAP
● I inspect Web Forms before I submit them
This is normal behaviour for me.
Page 7
“I developed these 'bad' habits out of necessity”
Page 8
I wanted to skip the online TV ads
Page 9
I sucked at online games
Page 10
Reading 'unreadable content'
Page 11
Bypassing Bugs and annoyances on WebSites
● Div based overlays that stop me doing what I need to
● Buttons not enabled when they should be
● Incorrect JavaScript validation that marks my valid details as invalid
● Etc.
Page 12
“It wasn't me Guv, THEY made me do it”
Page 13
“Other normal people will develop these habits as well”
Page 14
It won't just be me doing this
● Browser Dev Tools are now installed by default
● Everyone has access to lower level observation and manipulation features
● “No user would ever do that” is no longer valid
● Some users are kids.
– Kids love doing this
Page 15
“I'm not a security tester. I'm just a Cruddy guy”
Page 16
C.R.U.D.dy
● Create
– Create new POST requests with the information you want
● Read
– Read the HTTP requests and see the information to build a model of the system
● Update
– Update the information sent to the server to match what I want
● Delete
– Delete requests and responses I don't want
Page 17
What do you apply CRUD to?
● URL
● Cookies
● Payloads
● Form Fields
● DOM
● HTTP Methods
● HTTP Headers
● etc.
– make a list of the 'entities' involved in the HTTP process
Page 18
Example URL CRUD
● URL
– (C) Guess new urls, new params, mix up params
– (R) Track used urls
– (U) Amend params in url
– (D) Change HTTP method; delete params
● Why?
– See new products, change items in page, undocumented API commands, etc.
● How?
– Proxy tools, Amend DOM, Amend URL in browser
Page 19
Example HTTP Request
Browser → Proxy → Server
Request (on its way from Browser through Proxy to Server):
● Read
● Update Before Sending
● Delete so never sent
● Create new requests based on old requests
● Amend in DOM before sent to proxy
Response (on its way from Server through Proxy to Browser):
● Read
● Update Before Receipt
● Create/Replace so receive something else
● Delete so never Received
Page 20
Example Cookie CRUD
● Create new Cookies
● Update values
● Read – track cookies over time
● Delete Cookies
● Why?
– Session hijacking, new permissions, change baskets, depends what they are used for, etc.
● How?
– Browser dev tools, Debug Proxy
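The URL, request and cookie CRUD moves above, as a worked example in Python. This is added here and is not code from the slides or from any proxy's scripting API; the captured request, the host names and the parameter names are constructed. It writes down the edits you would otherwise make by hand in the intercept pane of Burp, ZAP or Fiddler, so the 'what if?' variants are repeatable.

```python
"""CRUD on the parts of an HTTP request, as you would do it by hand in the
intercept pane of a debug proxy before forwarding. Added example, not from
the slides or any proxy's API: the raw request, host names and parameter
names below are constructed."""
import copy
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample: the kind of request a proxy shows while you browse.
RAW_REQUEST = (
    "GET /api/user?id=1042&view=summary HTTP/1.1\r\n"
    "Host: test.site.example\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)


def parse_request(raw):
    """Read: split raw request text into a model of method, path, URL params,
    headers, cookies and body, the 'entities' the slides apply CRUD to."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True)),
            "version": version, "headers": headers, "cookies": cookies,
            "body": body}


def serialize_request(req):
    """Turn the model back into request text the proxy can send on."""
    headers = dict(req["headers"])
    if req["cookies"]:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
    else:
        headers.pop("Cookie", None)
    query = urlencode(req["params"])
    target = req["path"] + (f"?{query}" if query else "")
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def mutate(req, **changes):
    """Create, Update and Delete in one call, on a copy so the original
    (the Read model) survives. params/cookies/headers take a dict of
    name -> new value, or name -> None to delete; method/path/host replace."""
    new = copy.deepcopy(req)
    for section in ("params", "cookies", "headers"):
        for name, value in changes.get(section, {}).items():
            if value is None:
                new[section].pop(name, None)
            else:
                new[section][name] = value
    for key in ("method", "path"):
        if key in changes:
            new[key] = changes[key]
    if "host" in changes:
        new["headers"]["Host"] = changes["host"]
    return new


def what_if_variants(raw):
    """The slides' 'what if?' questions as concrete requests, keyed by the
    question each asks. All are derived from the one captured request."""
    base = parse_request(raw)
    variants = {
        # /user -> /users/ : does the collection exist, and is it protected?
        "collection_guess": mutate(base, path=base["path"] + "s/", params={"id": None}),
        # another id in the same session: is access tied to the caller?
        "other_user": mutate(base, params={"id": "1043"}),
        # same request against the live host (constructed name)
        "test_to_live": mutate(base, host="site.example"),
        # change the verb: is an undocumented method wired up?
        "method_swap": mutate(base, method="DELETE"),
        # drop the session cookie: is the data public anyway?
        "no_session": mutate(base, cookies={"session": None}),
    }
    return {name: serialize_request(r) for name, r in variants.items()}
```

parse_request is the Read step, mutate does Create, Update and Delete on a copy, and what_if_variants turns the slide's questions into five request texts you can paste into a proxy's request editor and compare the responses of. Keeping the original model untouched matters: the baseline response is what every variant is judged against.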
Page 21
My First Proper Security Bug
● My first crowd sourced testing experiment
– Testing a 'social media' video sharing & watching site
● Everyone else:
– Low hanging fruit, spelling errors, broken links, missing images, etc.
● Me:
– I can access the live system and see all customer details including emails and addresses
Page 22
How did I find the defect?
● I used the site
● I ran the traffic through a Proxy
● I saw the urls of requests that returned user data
● I created a request & tried /users/ instead of /user
● I changed test.site.com to site.com to hit live
● Ooops, live data vulnerability
Slide annotations: Read, Observe / Model, Create, Update
Page 23
Lessons Learned – Companies Love Security Defects
5 Star Tester
Only Quality Defects Here
Page 24
See how much they loved me
I raised a showstopper!
I raised a Technical Defect
I was 5 star, now I'm 4.5
$$ Big Money $$
Page 25
I didn't deliberately look for a security issue
● I explored the system
– Perform normal functions, observing traffic
● I built a model
– How do the requests map to the functions
● I thought about the model from a 'risk' perspective
– Does the API let you see all Users?
– Does this work on live?
● I found a way to ask the system the questions
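The /users/ defect from the previous slides and the two risk questions here ('Does the API let you see all Users?', 'Does this work on live?'), as an added example that is not the site's code. Both handlers are in-process Python with constructed users, session tokens, roles and field lists, so nothing talks to a network. The vulnerable handler is what a missing authorization check looks like from the server side; the hardened one answers the first question with a 403 and the second by being the same code on every host rather than a check that only exists on test.

```python
"""The '/user' vs '/users/' story from the slides, replayed in-process.
Added example, not the site's code: user records, session tokens, role names
and field lists are constructed. Requests are plain (path, cookies)
arguments so the check runs offline with no server."""

# Constructed sample data; the session tokens are invented for the demo.
USERS = {
    1042: {"id": 1042, "name": "alice", "email": "alice@example.invalid",
           "address": "1 Test Street", "role": "user"},
    1043: {"id": 1043, "name": "bob", "email": "bob@example.invalid",
           "address": "2 Test Street", "role": "user"},
    1: {"id": 1, "name": "root", "email": "admin@example.invalid",
        "address": "Head Office", "role": "admin"},
}
SESSIONS = {"abc123": 1042, "def456": 1043, "admin999": 1}
PUBLIC_FIELDS = ("id", "name")   # what any logged-in user may see of others


def _user_id_from_path(path):
    """'/user/1042' -> 1042; anything else (including '/user/abc') -> None."""
    prefix = "/user/"
    if not path.startswith(prefix):
        return None
    tail = path[len(prefix):]
    return int(tail) if tail.isdigit() else None


def vulnerable_handle(path, cookies):
    """Authenticates (a session cookie is required) but never authorizes: any
    logged-in user reads any record in full, and a guessed collection URL
    returns every record, emails and addresses included."""
    if cookies.get("session") not in SESSIONS:
        return 401, None
    if path == "/users/":
        return 200, list(USERS.values())
    target = _user_id_from_path(path)
    if target in USERS:
        return 200, USERS[target]
    return 404, None


def hardened_handle(path, cookies):
    """Same routes with three added decisions: who is asking, what they may
    see of the target, and which fields leave the server. The same function
    serves test and live; an environment-specific bypass is the slide's bug."""
    caller_id = SESSIONS.get(cookies.get("session"))
    if caller_id is None:
        return 401, None
    is_admin = USERS[caller_id]["role"] == "admin"

    if path == "/users/":
        if not is_admin:
            return 403, None          # the collection is an admin-only view
        return 200, list(USERS.values())

    target = _user_id_from_path(path)
    if target not in USERS:
        return 404, None
    record = USERS[target]
    if is_admin or target == caller_id:
        return 200, dict(record)      # owner or admin: the full record
    # Everyone else gets the allow-listed projection, never the whole row.
    return 200, {key: record[key] for key in PUBLIC_FIELDS}
```

The test for the tester is the same pair of requests against both handlers: the collection URL with an ordinary session, and another user's id with your own session. A 200 with other people's email or address on either is the defect; a 401, 403 or a trimmed record is the expected answer.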
Page 26
Generic Lessons Learned
● The techniques and tools that we normally use for web testing extend to security testing
● Increase your ability to Observe the system
● Model the system
● Think about what that model implies
● Manipulate the system and ask 'what if' questions
– Sometimes known as 'testing'
Page 27
Defects I 'mostly' got fixed
● Viewing the revenue reports for other sellers
– Urls not protected by user permissions
● Unpaid video downloading via ipad and android
– Permissions from web across devices
● The 'Get' that became a 'Post'
– Comments in site, Open source documentation
● Should I be able to buy this for $0?
– Shopping cart amendment
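The '$0' shopping cart amendment, as an added example that is not any real site's code: a checkout that charges whatever price the browser posted, beside one that takes only the SKU and quantity from the client and prices the order itself. The catalog, SKUs and prices (in cents) are constructed.

```python
"""'Should I be able to buy this for $0?': a checkout that trusts the client's
cart beside one that does not. Added example, not any real site's code; the
catalog, SKUs and prices (in cents) are constructed."""

CATALOG = {"VID-001": 499, "VID-002": 1299}   # the only prices the server believes


def vulnerable_checkout(posted_items):
    """Uses price and quantity exactly as the browser posted them. Amend the
    form field or JSON in a proxy and the order total follows."""
    return sum(item["price"] * item["qty"] for item in posted_items)


def hardened_checkout(posted_items):
    """Only sku and qty are taken from the client. Price is looked up
    server-side, unknown SKUs are rejected, and quantity must be a positive
    integer (a negative line item is the other classic way to zero a total)."""
    total = 0
    for item in posted_items:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    return total


# Constructed carts: what the page would post, and two proxy-edited versions.
HONEST_CART = [{"sku": "VID-001", "qty": 1, "price": 499}]
ZERO_PRICE_CART = [{"sku": "VID-001", "qty": 1, "price": 0}]
NEGATIVE_QTY_CART = [{"sku": "VID-002", "qty": 1, "price": 1299},
                     {"sku": "VID-001", "qty": -2, "price": 499}]


def compare(cart):
    """Return (what the vulnerable server charges, what the hardened one
    charges or its rejection reason) so the two behaviours sit side by side."""
    try:
        hardened = hardened_checkout(cart)
    except ValueError as err:
        hardened = str(err)
    return vulnerable_checkout(cart), hardened
```

The price field in the honest cart is there because real pages often post it for display; the hardened version simply never reads it. Rejecting the whole order on one bad line, rather than skipping the line, keeps the failure visible in logs and in the tester's proxy.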
Page 28
Some notes on Reporting and Advocacy
Page 29
My old process
● Email to support
● Another Email
● And another
● Etc.
Page 30
When it was really serious
● Email to support
● Public post in their user forums or Facebook
● Email to support
● Find the emails of CEO, CTO, etc.
● Email as many people in the company as I can
● Replies to other people's posts in the forums
Nag Nag Naggity Nag
Page 31
What I've found works
● Create a video of you doing the exploit, as though it were a tutorial video
● Email the video
● Mention that you release video tutorials to YouTube
youtube.com/EvilTesterVideos
Page 32
Lessons learned
● Make it impossible to misunderstand
– Write it up clearly
– Show it in Action
– Create a 'script' that performs the exploit
● Let everyone in the company that you can find see the exploit
Page 33
And if they don't fix it...
...at least you have an automated script that allows you to continue to take advantage of it
Page 34
“Some Defects don't get fixed quickly, they are still live”
Page 35
“I stumbled across security issues on a well known developer conference web site”
Page 36
“There are product sales sites where I can still download their stuff for free”
Page 37
“I found a 'download' form that supplied me with emails and server commands I could have tried”
Page 38
If you are a tester...
● You should already have the thought processes required to stumble across these issues
– Model, Observe, Risk, Manipulate, CRUD
● You may need to learn
– to read HTTP requests
– JavaScript, and use the Dev Tool Debugger
● You may need to start using
– Debug Proxies – Fiddler, ZAP, BurpSuite
– Browser Dev Tools & Firebug
Page 39
WARNING
THIS IS A SLIPPERY SLOPE
OUCH!
Page 40
Warning: Slippery Slope
● You start seeing more of these problems
● You become more concerned...
– And start using VPNs
– Monitoring your apps and network using Wireshark
● You gain more technical knowledge
● You test at deeper levels of the system
Page 41
And I learn generic issues
● Too much data in JSON
– Performance issue
– Possible Security Issue
● Knock on security impact of small change
● Data in JSON used in 'other' places
– Enrich domain model from multiple sources
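'Too much data in JSON' as an added checking script, not from the slides: it flattens a captured response into field paths and reports which paths the page never renders and which look like data that should not be on the wire at all. The response body, the list of rendered fields and the key-name hints are constructed; the hints are a starting heuristic, not a complete list. The unused paths are also the 'data used in other places' that the next slide mentions: fields nobody asked for that another client, or another tester, can read anyway.

```python
"""'Too much data in JSON': compare what an API response carries with what
the page actually renders. Added example; the response body, the rendered
field list and the sensitive-key hints are constructed."""
import json

SENSITIVE_HINTS = ("email", "password", "hash", "token", "secret", "salt",
                   "address", "phone", "ssn", "admin")

# Constructed: a comments feed as a proxy might show it. The page only draws
# the comment text, its date and the author's display name.
SAMPLE_RESPONSE = json.dumps({
    "comments": [
        {"id": 7, "text": "Great video", "created_at": "2014-05-01T10:00:00Z",
         "author": {"id": 1042, "name": "alice",
                    "email": "alice@example.invalid",
                    "password_hash": "$2a$10$constructedhashvalue",
                    "address": {"street": "1 Test Street", "city": "Testville"},
                    "is_admin": False}}
    ]
})
RENDERED_PATHS = ["comments.[].text", "comments.[].created_at",
                  "comments.[].author.name"]


def leaf_paths(obj, prefix=""):
    """Yield a dotted path for every leaf value. Lists contribute one '[]'
    segment and are sampled from their first element, which is enough to
    learn the shape of a collection."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for item in obj[:1]:
            yield from leaf_paths(item, f"{prefix}[].")
    else:
        yield prefix[:-1]


def audit_response(body_text, rendered_paths):
    """Return (unused, sensitive): paths the page never displays, and paths
    with a segment that looks like data that should not leave the server."""
    paths = set(leaf_paths(json.loads(body_text)))
    unused = sorted(paths - set(rendered_paths))
    sensitive = sorted(
        path for path in paths
        if any(hint in segment
               for segment in path.lower().split(".")
               for hint in SENSITIVE_HINTS)
    )
    return unused, sensitive
```

Run it over the responses your proxy captured while using one page; the rendered paths come from reading the page's JavaScript or simply from what is visible on screen. A long unused list is the performance point on the slide; any entry in the sensitive list is the security one.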
Page 42
Suggested Reading/ Viewing
unow.be/at/techwebtest101
Page 43
Suggested Gateway Hobbies
● Monitor HTTP Wifi Network traffic using WireShark
– Suggested locations: Hotels, Public WiFi, Conferences, and Airport Lounges
● Monitor your network traffic using an HTTP debug proxy
● Investigate the DOM using Browser Dev Tools, by default
● Break out of the sandbox of Kiosk systems
Page 44
Blogs and Websites
● CompendiumDev.co.uk
● SeleniumSimplified.com
● EvilTester.com
● JavaForTesters.com
● Twitter: @eviltester
Online Training Courses
● Technical Web Testing 101 – Unow.be/at/techwebtest101
● Intro to Selenium – Unow.be/at/startwebdriver
● Selenium 2 WebDriver API – Unow.be/at/webdriverapi
Videos
youtube.com/user/EviltesterVideos
Books
Selenium Simplified
Unow.be/rc/selsimp
Java For Testers
leanpub.com/javaForTesters
Alan Richardson
uk.linkedin.com/in/eviltester
Independent Test Consultant & Custom Training
Contact Alan
http://compendiumdev.co.uk/contact