Security testing
46
Security Testing Author : Khizra Abdul Sammad
-
Upload
khizra-sammad -
Category
Software
-
view
27 -
download
0
Transcript of Security testing
Slide 1
Security Testing
Author : Khizra Abdul Sammad
Security Testing is a process to determine that an information system protects data and maintains functionality as intended.
Purpose of Security TestingPrimary purpose of security testing is to identify the vulnerabilities and subsequently repairing them.
Finding out loopholes that can cause loss of important information and allow any intruder enter into the system.
Improving the current system and also ensuring that the system will work for longer time.
Ensuring that people in your organization understand and obey security policies.
Security Testing TechniquesMain security testing techniques are:Vulnerability ScanningSecurity ScanningPenetration TestingEthical HackingRisk AssessmentSecurity AuditingPosture Assessment & Security TestingPassword crackingcross-site scriptingcross-site request forgery (XSRF).
Vulnerability Scanning
It involves scanning of the application for all known vulnerabilities.
Acomputer programdesigned to assess computers, computer systems, networksorapplicationsfor weaknesses.
Generally done through various vulnerability scanning software. Ex : Nessus, Sara, and ISS.
Security Scanning
Scanning and verification of the system and applications.
Find out the weaknesses in the OS, applications and networks.Cont..
Penetration Testing
Tester may try to enter into the application / system with the help of some other application or with the help of combinations of loopholes that the application has kept open unknowingly.
It is the most effective way to practically find out potential loopholes in the application.
Ethical Hacking
Ethical Hacking involves number of penetration tests over the wide network on the system under test. It is conducted by ethical hackers to find possible problems in the system.
Cont..
Risk Assessment
Is a method of analyzing and deciding the risk that depends upon the type of loss and the possibility / probability of loss occurrence.
Risk assessment is carried out in the form of various interviews, discussions and analysis of the same.
Security Auditing
Security Auditing involves hands on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.
A security audit is a systematic evaluation of the security of a company's information system.
Cont..
Posture Assessment and Security Testing
It combines Security Scanning, Ethical Hacking and Risk Assessments to show an overall Security Posture of the organization.
Password Cracking
Password cracking programs can be used to identify weak passwords.
Password cracking verifies that users are employing sufficiently strong passwords. Cont..
Cross-site scripting (XSS) Enables attackers to inject client-side script into Web pages viewed by other users.
Non-Persistent XSS AttackAttack requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the users browser.
Persistent XSS Attack Code injected by the attacker will be stored in a secondary storage device (mostly on a database).
The damage caused by Persistent attack is more than the non-persistent attack.
Cont..
Gruyere Setup
To access Gruyere, go tohttp://google-gruyere.appspot.com/start.
AppEngine will start a new instance of Gruyere and assign it a unique id and redirect you tohttp://google-gruyere.appspot.com/123/(where123is your unique id). Each instance of Gruyere is "sandboxed" from the other instances so your instance won't be affected by anyone else using Gruyere.
Features and Technologies
Gruyere includes a number of special features and technologies which add attack surface. Each of these introduces new vulnerabilities.HTML in Snippets: Users can include a limited subset of HTML in their snippets.
File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
Web administration: System administrators can manage the system using a web interface.
New accounts: Users can create their own accounts.
5. Template language: Gruyere Template Language(GTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for GTL can be found ingruyere/gtl.py.
6. AJAX: Gruyere uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Gruyere except for the challenges that specifically tell you to focus on AJAX.
Cont..
In a real application, refresh would probably happen automatically, but in Gruyere we've made it manual so that you can be in complete control while you are working with it. When you click the refresh link, Gruyere fetchesfeed.gtlwhich contains refresh data for the current page and then client-side script uses the browser DOM API (Document Object Model) to insert the new snippets into the page. Since AJAX runs code on the client side, this script is visible to attackers who do not have access to your source code.Cont..
Using Gruyere
To familiarize yourself with the features of Gruyere, complete the following tasks:
View another user's snippets by following the "All snippets" link on the main page. Also check out what they have their Homepage set to.
Sign up for an account for yourself to use when hacking.Do not use the same password for your Gruyere account as you use for any real service.
Fill in your account's profile, including a private snippet and an icon that will be displayed by your name.
Create a snippet (via "New Snippet") containing your favorite joke.
Upload a file (via "Upload") to your account.
Cont..
Web Application Exploits and Defenses
Cross-Site Scripting (XSS)Reflected XSSAttack
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or Javascript) into contents of a website not under the attacker's control. When a victim views such a page, the injected code executes in the victim's browser. Thus, the attacker has bypassed the browser's same origin policyand can steal victim's private information associated with the website in question.
Cont..
Reflected XSSIn areflected XSSattack, the attack is in the request itself (frequently the URL) and the vulnerability occurs when the server inserts the attack in the response verbatim or incorrectly escaped or sanitized. The victim triggers the attack by browsing to a malicious URL created by the attacker.Cont..
XSS is a difficult beast. On one hand, a fix to an XSS vulnerability is usually trivial and involves applying the correct sanitizing function to user input when it's displayed in a certain context. On the other hand, if history is any indication, this is extremely difficult to get right.Cont..
Following Steps should be taken to prevent bugsof XSS vulnerabilities:
First, make sure youunderstand the problem.
Wherever possible, do sanitizing via templates features instead of calling escaping functions in source code. This way, all of your escaping is done in one place and your product can benefit from security technologies designed for template systems that verify their correctness or actually do the escaping for you. Also, familiarize yourself with the other security features of your template system.
Employ good testing practices with respect to XSS.
Don't write your own template library.
Cont..
Client-State Manipulation
When a user interacts with a web application, they do it indirectly through a browser. When the user clicks a button or submits a form, the browser sends a request back to the web server. Because the browser runs on a machine that can be controlled by an attacker, the application must not trust any data sent by the browser.
If the user submits a form that says they wish to purchase an item, it's OK to trust that data. But if the submitted form also includes the price of the item, that's something that cannot be trusted.
Exploit and Fix
You can convert your account to being an administrator by issuing either of the following requests:
http://google-gruyere.appspot.com/123/saveprofile?action=update&is_admin=True
http://google-gruyere.appspot.com/123/saveprofile?action=update&is_admin=True&uid=username(which will make anyusernameinto an an admin)
Cont..
4. After visiting this URL, your account is now marked as an administrator but your cookie still says you're not. So sign out and back in to get a new cookie. After logging in, notice the 'Manage this server' link on the top right.
5. The bug here is that there is no validation on the server side that the request is authorized. The only part of the code that restricts the changes that a user is allowed to make are in the template, hiding parts of the UI that they shouldn't have access to. The correct thing to do is to check for authorization on the server, at the time that the request is received.
Cont..
ExapmleSuppose Blogger is vulnerable to XSRF attacks (it isn't). And let us say Blogger has a Delete Blog button on the dashboard that points to this URL:http://www.blogger.com/deleteblog.do?blogId=BLOGID Bob, the attacker, embeds the following HTML on his web page onhttp://www.evil.example.com:
Cont..
If the victim, Alice, is logged in towww.blogger.comwhen she views the above page, here is what happens:
Her browser loads the page fromhttp://www.evil.example.com. The browser then tries to load all embedded objects in the page, including theimgshown above.
The browser makes a request tohttp://www.blogger.com/deleteblog.do?blogId=alice's-blog-idto load the image. Since Alice is logged into Blogger that is, she has a Blogger cookie the browser also sends that cookie in the request.
Cont..
Blogger verifies the cookie is a valid session cookie for Alice. It verifies that the blog referenced byalice's-blog-idis owned by Alice. It deletes Alice's blog.Alice has no idea what hit her.
In this sample attack, since each user has their own blog id, the attack has to be specifically targeted to a single person. In many cases, though, requests like these don't contain any user-specific data.
Cont..
Path Traversal--4
Most web applications serve static resources like images and CSS files. Frequently, applications simply serve all the files in a folder.
If the application isn't careful, the user can use a path traversal attack to read files from other folders that they shouldn't have access to. For example, in both Windows and Linux,..represents the parent directory, so if you can inject../in a path you can "escape" to the parent directory.
If an attacker knows the structure of your file system, then they can craft a URL that will traverse out of the installation directory to/etc.
For example, if Picasa was vulnerable to path traversal (it isn't) and the Picasa servers use a Unix-like system, then the following would retrieve the password file:
http://www.picasa.com/../../../../../../../etc/passwdCont..
this attack is not even necessary in many cases: people often install applications and never change the defaults. So the first thing an attacker would try is the default value
This isn't a black box attack because you need to know that thesecret.txtfile exists, where it's stored, and where Gruyere stores its resource files. You don't need to look at any source code.Cont..
Denial of Service
A denial of service (DoS) attack is an attempt to make a server unable to service ordinary requests.
A common form of DoS attack is sending more requests to a server than it can handle.
The server spends all its time servicing the attacker's requests that it has very little time to service legitimate requests. Protecting an application against these kinds of DoS attacks is outside the scope of this codelab. And attacking Gruyere in this way would be interpreted as an attack on AppEngine.
Hackers can also prevent a server from servicing requests by taking advantage of server bugs, such as sending requests that crash a server, make it run out of memory, or otherwise cause it fail serving legitimate requests in some way. In the next few challenges, you'll take advantage of bugs in Gruyere to perform DoS attacks.Cont..
DoS - Quit the Server
The simplest form of denial of service is shutting down a service.
Exploit and Fix
To exploit,make a request tohttp://google-gruyere.appspot.com/123/quitserver.
You should need to be logged in as an administrator to do this, but you don't.
This is another example of a common bug. The server protects against non-administrators accessing certain URLs but the list includes/quitinstead of the actual URL/quitserver.
Cont..
To fix,add/quitserverto the URLS only accessible to administrators:
_PROTECTED_URLS = [ "/quitserver", "/reset" This doesn't completely solve the problem.
TheresetURL is in the protected list.To fix,put the security check inside the dangerous functions rather than outside them. That ensures that no matter how we get there, the security check can't be skipped.Cont..
DoS - Overloading the Server
You can upload a template that does this.
Exploit and Fix
To exploit,create a file namedmenubar.gtlcontaining:[[include:menubar.gtl]]DoS[[/include:menubar.gtl]] and upload it to theresourcesdirectory using a path traversal attack, e.g., creating a user named../resources.
To fix,implement the protections against path traversal and uploading templates discussed earlier.NOTE:After performing the previous exploit, you'll need to push thereset button.
Code Execution
If an attacker can execute arbitrary code remotely on your server, it's usually game over. They may be able to take control over the running program or potentially break out the process to open a new shell on the computer. From here, it's usually not hard to compromise the entire machine the server is running on.
Similar to information disclosure and denial of service, there is no recipe or specific defense to prevent remote code execution.
The program must perform validation of all user input before handling it and where possible, implement functions with least privilege rights. This topic can't be done justice in just a short paragraph, but know that this is likely the scariest results a security bug can have and trumps any of the above attacks.Cont..
Even though there is no single or simple defense to remote code execution, here is a short list of some preventative measures:Least Privilege:Always run your application with theleast privilegesit needs.
Application Level Checks:Avoid passing user input directly into commands that evaluate arbitrary code, likeeval()orsystem(). Instead, use the user input as a switch to choose from a set of developer controlled commands.
Bounds Checks:Implement proper bounds checks for non-safe languages like C++. Avoidunsafe string functions. Keep in mind that even safe languages like Python and Java use native libraries.
Preventative measures
Configuration Vulnerabilities
Applications are often installed with default settings that attackers can use to attack them. This is particularly an issue with third party software where an attacker has easy access to a copy of the same application or framework you are running. Hackers know the default account names and passwords.
For example, looking at the contents ofdata.pyyou know that there's a default administrator account named 'admin' with the password 'secret'.
Configuration vulnerabilities also include features that increase attack surface. A common example is a feature that is on by default but you are not using, so you didn't configure it and the default configuration is vulnerable. It also includes debug features like status pages or dumping stack traces on failures.Cont..
AJAX vulnerabilities
Bad AJAX code allows attackers to modify parts of your application in ways that you might not expect. In traditional client development, there is a clear separation between the application and the data it displays
To exploit,create a user namedprivate_snippetand create at least one snippet.
The JSON response will then be{'private_snippet' : }and the attacker's snippet replaces the user's.
To fix,the AJAX code needs to make sure that the data only goes where it's supposed to go.
The flaw here is that the JSON structure is not robust. A better structure would be[, { : ,...}].
Cont..
Other Vulnerabilities
Buffer Overflow Integer Overflow
Buffer Overflow
Abuffer overflowvulnerability exists when an application does not properly guard its buffers and allow user data to write past the end of a buffer.
This excess data can modify other variables, including pointers and function return addresses, leading to arbitrary code execution.
Historically, buffer overflow vulnerabilities have been responsible for some of the most widespread internet attacks includingSQL Slammer,BlasterandCode Redcomputer worms. The PS2, Xbox and Wii have all been hacked using buffer overflow exploits.Cont..
Integer Overflow
integer overflowvulnerabilities can be just as dangerous. Any time an integer computation silently returns an incorrect result, the application will operate incorrectly.
In the best case, the application fails. In the worst case, there is a security bug. For example, if an application checks thatlength+1
