Andy Tinkham & Zach Bergman, Magenic Technologies

Contact Us

1600 Utica Avenue South, Suite 800

St. Louis Park, MN 55416

1 (877)-277-1044

info@magenic.com

» Magenic: Leading consultancy providing custom application development,

testing and QA services

» Andy

» 17 years of testing experience, focusing on automation, performance & other

technical testing

» Principal Consultant at Magenic, leading all our technical testing activities

» Zach

» 3 years of testing experience, focusing on security & test automation

» Consultant at Magenic, driving internal security growth & initiatives

» Testing focused on 3 aspects of a system

» Authentication – determining an entity is who they claim to be

» Authorization – determining whether an entity is allowed to use a

requested action or resource

» Accounting – documenting what occurs in the systemAuthentication

Authorization Accounting

» Talk about the most prevalent security vulnerabilities

» Structure that talk using the OWASP Top 10 list

» Andy will describe issue

» Zach will demonstrate issue and talk about techniques to identify it

» Cover some very basic testing techniques to find these

» Only begin to scratch the surface of security testing

» Open Web Application Security Project

» Non-profit organization focused on improving the security of software

» Around since 2001

» Not affiliated with any technology company

» Provide a variety of free tools, education, and information around application security

» Local chapter: https://www.owasp.org/index.php/Minneapolis_St_Paul

Next meeting: 1/21/2013, Gunnar Peterson, “Mobile AppSec – How

iOS and Android Apps fail and what to do to protect them”

10. Unvalidated Redirects and Forwards

9. Insufficient Transport Layer Protection

8. Failure to Restrict URL Access

7. Insecure Cryptographic Storage

6. Security Misconfiguration

5. Cross-Site Request Forgery

4. Insecure Direct Object References

3. Broken Authentication & Session Management

2. Cross-Site Scripting

1. Injection

• Most critical web application security flaws

• Occur frequently

• Easy to find

• Easy to exploit

» Security is a big deal

» 77 million user accounts compromised on Sony PlayStation network

» $1 trillion dollars worth of intellectual property stolen in 2008 (McAfee)

» Symantec estimates the global price tag of consumer cybercrime to be $110 billion with 18 victims every second

» 90% of businesses suffered some sort of hack in last 12 months (Research Ponemon/Juniper Networks, June 2011)

» 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)

» Poor security can lead to

» Unwanted information disclosure

» Compromised data

» Financial and Reputational Costs

» Legal Issues (HIPAA, other industry information security governance)

» Burp Suite (http://www.portswigger.net/burp/)

» Awesome Cookie Manager (Chrome App Store)

» BodgeIt Store (http://code.google.com/p/bodgeit/)

» REST Console (Chrome App Store)

» Use of an app’s built-in redirect to access an unintended location

» http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php

» http://yoursite.com/redirect.php?url=http://badsite.com

» Users can be convinced to give information thinking they’re giving it to

you

» Example

Exploitability: Average

Prevalence: Uncommon

Detectability: Easy

Impact: Moderate

Testing Technique: Look for redirect functions

throughout application in URL or request parameters

» Unencrypted data traversing networks can be seen, manipulated, and

used without user knowledge

» The session information from browser

» User personally-identifiable information

Exploitability: Difficult

Prevalence: Common

Detectability: Easy

Impact: Moderate

Testing Technique: See if HTTPS and TLS 1.1+ is being

used on appropriate secure pages

Request over HTTP Request over HTTPS (SSL)

» Typically happens when assumptions are made regarding users’

knowledge of the app’s layout/functionality – security by obscurity

» http://www.mysite.com/MySecretAdminConsole.php

» http://www.mysite.com/ManagerReports

» Hidden or Unlisted resources

» Only show the user functionality they can use

Exploitability: Easy

Prevalence: Uncommon

Detectability: Average

Impact: Moderate

Testing Technique: Look for exposed URLs. If unlisted,

check if URLs may be accessed with wrong authentication

» Apps may not secure sensitive data with appropriate cryptography or may

not store the artifacts around the cryptography securely

» Inside or Outside of the physical data storage

» Stored plaintext

» Weak algorithm used

» Unrestricted access to decrypt function

» Private keys accessible

Exploitability: Difficult

Prevalence: Uncommon

Detectability: Difficult

Impact: Severe

Testing Technique: Look for sensitive data in plaintext.

Look for encryption in transit. (#9)

» Default settings of platform being used

» Configuration

» Default usernames/passwords

» Default error messages

» Debugger sessions open

» Lack of updates being applied

Exploitability: Easy

Prevalence: Common

Detectability: Easy

Impact: Moderate

Testing Technique: Look for custom error messages.

Look for debugger session being allowed.

» 200 - OK

» 401 - Unauthorized

» 403 - Forbidden

» Targets user’s session information in order to act as the user

» http://www.store.com/AddToCart.aspx?itemID=1234

» http://www.blog.com/ChangePassword.php?NewPass=password

» Attacker takes advantage of user’s currently stored sessions

» In other tabs of browser

» In browser if cookies haven’t been cleared after closing

Exploitability: Average

Prevalence: Widespread

Detectability: Easy

Impact: Moderate

Testing Technique: Look for actions, which can be

completed by visiting a URL.

» The image is right here:

» <img

src=“http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&qu

antity=1” >

» Some application resources are accessible without going through access control

» http://www.mysite.com/Report00032

» http://www.mysite.com/files/BugsToFix.pdf

» Manipulate requests to access resources

» hPp://www.mysite.com/Report00032 →

http://www.mysite.com/Report00033

» http://www.mysite.com/MyAccount.php?user=bob →

http://www.mysite.com/MyAccount.php?user=joan Exploitability: Easy

Prevalence: Common

Detectability: Easy

Impact: Moderate

Testing Technique: Look for references to objects,

and attempt to access other similar objects.

» Poorly implemented protections can still be insecure, leading to additional vulnerabilities

» Sessions should expire

» Logout should revoke the user’s session

» Login should revoke any active sessions for same user

» User shouldn’t be able to manipulate or guess session

» Key actions should revoke certain session permissions

» Session fixationExploitability: Average

Prevalence: Common

Detectability: Average

Impact: Severe

Testing Technique: Verify that sessions are actually

revoked following key actions.

» Untrusted input is not cleaned prior to being passed back to the browser

» Can involve rendered HTML, JavaScript or any other web content

Exploitability: Average

Prevalence: Very Widespread

Detectability: Easy

Impact: Moderate

Testing Technique: Verify that input is being validated

or escaped so that it does not execute.

» Untrusted input is not cleaned prior to being used by the application

» Users may inject their own code into

» The App

» SQL Queries

» XPath Queries

» Operating System

» Browser/DOM

» Anywhere data is combined into executable statements

Exploitability: Easy

Prevalence: Common

Detectability: Average

Impact: Severe

Testing Technique: Verify that input is being validated

so that it is not executed server-side.

» SELECT Username FROM Users WHERE Password = ‘our input here’

» SELECT Username FROM Users WHERE Password = ‘a’ or ‘b’=‘b’

» Security is a big deal

» As testers, we can begin to look for obvious issues in the course of our

normal work

» OWASP Top 10 lists 10 most prevalent web security issues & is a good

starting point

» All of these security issues require deeper analysis beyond these

techniques

» OWASP Top 10 document (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf)

» Troy Hunt’s OWASP Top 10 for .NET Developers eBook(https://asafaweb.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf)

» The Web Application Hacker’s Handbook, 2nd Ed.Dafydd Stuttard and Marcus Pinto

Contact us:

AndyT@magenic.com

ZachB@magenic.com