Thick Client (In)Security
Neelay S Shah
March 24, 2010
Introduction
www.foundstone.com© 2008, McAfee, Inc.
Goal
►Educate the audience about the various strategies that can be used to test thick client applications from a security perspective
Agenda
►Motivation
►Scope
►Types of thick client applications
►Tools and techniques for security testing
►Questions
Motivation
►Tendency to trust the client
■ Development team themselves wrote the client as well
■ Performance / Speed optimization
Scope
►What do you mean by security testing?
■ Configuration management, authentication, authorization, data validation, user and session management, error handling, logging testing etc.
►For today’s presentation
■ Bypass client side validation checks
• Data validation, authorization testing etc.
Bypass client side validation checks
►Man-In-The-Middle Attack
■ Intercept the client – server communication
■ Do NOT need to understand / modify the application code
■ Typically is the fastest way of security testing the application
Bypassing client side validation
►Reverse engineer
■ Understand the client - server communication code
■ Disable the client side validation checks
■ Can be very tedious and time consuming depending on the application technology
Bypassing client side validation
►Write a new client
■ Understand the client – server communication
■ Write up a new client simulating the same control / communication flows
■ Can be very time consuming based on the scale of the application at hand
■ Typically needs knowledge of some scripting language such as Perl, Python, Tcl etc.
Scope
►For today’s presentation
■ Man-In-The-Middle attacks / Intercept the client – server communication
Types of Thick Client – Server Applications
►Thick client and server using HTTP to communicate
►Thick client and server using HTTP over SSL to communicate
►Thick client and server using a proprietary TCP protocol to communicate (without any encryption)
Types of Thick Client – Server Applications
►Thick client and server using a proprietary TCP protocol over SSL to communicate
►Thick client and server using a proprietary TCP protocol and shared key / custom cryptography to communicate
Thick client – server using HTTP to communicate - Techniques
►Network Sniffing
►HTTP proxy should work
►Configuring the HTTP proxy
■ Does the application support configuring a proxy through a configuration file?
■ Does the application respect the browser proxy settings?
■ If it is a Java application, does it respect the Java proxy settings?
■ Use the “hosts” file to setup the HTTP proxy
Thick client – server using HTTP over SSL to communicate - Techniques
►Network sniffing will NOT help
►HTTP proxy should work
►Configuring the HTTP proxy
■ Does the application support configuring a proxy through a configuration file?
■ Does the application respect the browser proxy settings?
■ If it is a Java application, does it respect the Java proxy settings?
■ Use the “hosts” file to setup the HTTP proxy
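The “hosts” file trick above works because most clients resolve the server name through the local hosts file before DNS. The following is an added example (not part of the slides) from the defender’s side: a check that parses a hosts file and reports any entry that pins the application’s backend hostname, which on a production workstation indicates traffic is being steered to a local proxy. The hosts content and the hostnames are constructed samples.

```python
"""Constructed example (not from the slides): flag hosts-file overrides of the
thick client's backend server name. Sample hosts content is constructed."""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample of a Windows hosts file
127.0.0.1       localhost
::1             localhost
# the line below steers the app's backend to a local intercepting proxy
127.0.0.1       api.example-thickclient.test www.example-thickclient.test
10.0.0.5        intranet.corp.test   # trailing comment
"""


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to the list of addresses it resolves to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])  # accepts IPv4 and IPv6
        except ValueError:
            continue                               # malformed line, ignore it
        for name in parts[1:]:                     # one address, many aliases
            mapping.setdefault(name.lower(), []).append(str(addr))
    return mapping


def hosts_overrides(text: str, server_names) -> dict:
    """Return {name: [addresses]} for each expected backend name pinned in hosts.

    Any entry at all is suspicious: a production backend should resolve via DNS,
    so a hosts entry means the client's traffic is being redirected."""
    mapping = parse_hosts(text)
    return {n.lower(): mapping[n.lower()] for n in server_names
            if n.lower() in mapping}
```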
Thick client – server using HTTP over SSL to communicate - Techniques
►Configuring the server’s certificate
■ Install the proxy’s SSL certificate in the trusted certificate authority store
• Trusted certificate authority store can be accessed from “Start → Control Panel → Administrative Tools” or type “certmgr.msc” on the Run prompt
■ For Java applications
• Add the proxy’s certificate to the Java certificate “User” store accessible from the Java control panel applet
• Add the proxy’s certificate to the Java “System” store which is a file on the local file system using the keytool application
Thick client – server using HTTP over SSL to communicate - Techniques
►Configuring the server’s certificate
■ If the client ships with the server’s certificate (in the install directory or another location on the file system), replace it with the proxy’s certificate
■ Generating a certificate
• Openssl
– openssl req -x509 -newkey rsa:1024 -keyout <private_key_file> -out <certificate_file>
• Java keytool
– keytool.exe -import -alias <cert_alias> -file <cert_file> -trustcacerts -storetype jks -keystore <file_system_key_store_location>
• Fiddler HTTP proxy
– Automatically generates the certificate
Thick client – server using HTTP over SSL to communicate - Techniques
►Configuring the server’s certificate
■ If the Java client application ships with the server’s certificate as part of the (signed) JAR, then you will need to decompile, modify the JAR, recompile and resign the JAR
■ Decompile the JAR
• Extract the JAR
• Use a Java decompiler such as Jad to decompile the .class files
■ Modify the code to update the server’s certificate
■ Recompile and Resign the JAR
• Remove the META-INF folder
• Create the Jar file from the modified code
– jar.exe -cvf <Jar_Name> .
Thick client – server using HTTP over SSL to communicate - Techniques
►Configuring the server’s certificate
■ Recompile and Resign the JAR
• Create a new signing key-pair
– keytool.exe -genkeypair -alias <keypair_alias> -keystore <file_system_key_store_location> -storepass <store_password> -validity 500 -dname <Name_Details>
• Sign the Jar file
– jarsigner.exe -keystore <file_system_key_store_location> -storepass <store_password> -keypass <key_pass> <Jar_name> <keypair_alias>
• Verify the signed Jar file
– jarsigner.exe -verify <Jar_name>
Thick client – server using proprietary TCP protocol to communicate (without encryption)
►Network Sniffing
►HTTP proxy will NOT help
►TCP Proxy such as EchoMirage should work
■ Hooks into the Windows socket library
■ Limited ability to modify data
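Whether the interception is done with an HTTP proxy (the Man-In-The-Middle slide) or a TCP proxy such as the one above, the finding is the same: checks that ran inside the client are gone by the time the message reaches the wire. The following is an added example, not code from the slides, of the server-side lesson: a constructed length-prefixed key=value protocol stands in for a proprietary TCP protocol, `tamper()` plays the role of the intercepting proxy, and a trusting server is shown beside one that re-validates input and takes authorization from its own session state. All names, fields and the `MAX_QTY` rule are constructed.

```python
"""Constructed example (not from the slides): why the server must re-validate
what a thick client sends. tamper() stands in for an intercepting proxy."""
import struct

MAX_QTY = 10   # constructed business rule that the client GUI enforces

def frame(fields: dict) -> bytes:
    """Encode key=value pairs as a 2-byte big-endian length prefix plus body."""
    body = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    return struct.pack(">H", len(body)) + body

def unframe(data: bytes) -> dict:
    """Decode one record; fail closed when the length prefix does not match."""
    if len(data) < 2:
        raise ValueError("short frame")
    (n,) = struct.unpack(">H", data[:2])
    if len(data) != 2 + n:
        raise ValueError("length prefix does not match payload")
    return dict(kv.split("=", 1) for kv in data[2:].decode().split("&"))

def client_build_order(user: str, role: str, qty: int) -> bytes:
    """Client-side validation: the GUI refuses an out-of-range qty before sending."""
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("client refused: qty out of range")
    return frame({"user": user, "role": role, "qty": qty})

def tamper(wire: bytes, **changes) -> bytes:
    """What an intercepting proxy can do: rewrite fields after the client's checks."""
    fields = unframe(wire)
    fields.update({k: str(v) for k, v in changes.items()})
    return frame(fields)

def trusting_server(wire: bytes) -> str:
    """Server that trusts the client: honours both the quantity and the role claim."""
    f = unframe(wire)
    return f"accepted {f['qty']} as {f['role']}"

def validating_server(wire: bytes, session_roles: dict) -> str:
    """Server that re-validates input and derives the role from its own session."""
    f = unframe(wire)
    if not f.get("qty", "").isdigit():
        return "rejected: qty not numeric"
    qty = int(f["qty"])
    if not 1 <= qty <= MAX_QTY:
        return "rejected: qty out of range"
    role = session_roles.get(f.get("user"), "user")   # never taken from the message
    if f.get("role") != role:
        return "rejected: role claim does not match session"
    return f"accepted {qty} as {role}"
```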
Thick client – server using proprietary TCP protocol to communicate over SSL
►Network sniffing will NOT help
►HTTP Proxy will NOT help
►TCP Proxy like EchoMirage should help
■ Hooks into the Windows Sockets library
■ Limited ability to modify data
Thick client – server using proprietary TCP protocol over custom / shared key cryptography to communicate
►Network sniffing will NOT help
►HTTP proxy will NOT help
►TCP proxy will NOT help
►“Detours” will help
■ Provides the ability to hook into arbitrary Win32 calls
Summary
►No one-size-fits-all methodology
►Need to understand the development technology and the communication protocols used by the thick client
References
►Fiddler HTTP Proxy - http://www.fiddler2.com/fiddler2/
►EchoMirage - http://www.bindshell.net/tools/echomirage
►Microsoft Detours - http://research.microsoft.com/en-us/projects/detours/
►Keytool command - http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
►Openssl command - http://www.openssl.org/docs/apps/req.html#EXAMPLES
Questions