Web 2.0 Hacking

Web Application Security Assessments: Beyond the Automated Scanners. Presented by Blake Turrentine, [email protected]. Date: August 25, 2008. Locale: DHS Conference and Workshops, Baltimore, MD.

Description: Explore the limitations of today's web scanners and see where manual web testing takes over.

Transcript of Web 2.0 Hacking

Page 1: Web 2.0 Hacking

Web Application Security Assessments: Beyond the Automated Scanners

Presented by: Blake Turrentine, [email protected]

Date: August 25, 2008

Locale: DHS Conference and Workshops, Baltimore, MD

Page 2: Web 2.0 Hacking

AUGUST 2008 2

Scanning Web 1.0 Technology

Page 3: Web 2.0 Hacking


Scanning Today’s Web 2.0 Technology

Page 4: Web 2.0 Hacking


Mashups and Web Widgets

Page 5: Web 2.0 Hacking


Beyond the Browser: Desktop Widgets

Page 6: Web 2.0 Hacking

The Security Process: Threat Modeling

- STRIDE
- CIGITAL
- CLASP
- FISMA/NIST

Page 7: Web 2.0 Hacking

Types of Testing Techniques

- Black Box
- White Box
- Grey Box

Page 8: Web 2.0 Hacking

Types of Automated Scanners

- Static Code Analysis
- Vulnerability
- Web Application Specific
- Fuzzers
- Web Application Firewalls

Page 9: Web 2.0 Hacking

Today's Automated Scanners

- Static code analysis: Fortify Source Code Analyzer
- Vulnerability scanners: Qualys, Nessus, Saint, Foundscan
- Web application specific: WebInspect, Cenzic, AppScan, Nikto
- Fuzzers: Mu4000, Codenomicon, Peach, Spike
- Web application firewalls: Imperva, Fortify, Mod-Security

Page 10: Web 2.0 Hacking

Problems with Automated Scans

- Putting too much faith in automated scanners
- Their limitations: intuitiveness
- Low-hanging fruit
- False positives and false negatives
- 508 Compliance / CAPTCHA
- Out-maneuvering IPS and WAFs
- Dangers of injecting code in production environments

Page 11: Web 2.0 Hacking

More Problems with Automated Scans

- Spidering
- Complex business logic
- Complex session handling
- Semantics
- Detecting sensitive data
- Asynchronous dynamic code execution
- Horizontal and vertical escalation
- Mashups, Ajax bridges, widgets, RSS feeds
- Emerging technologies such as AIR and Silverlight

Page 12: Web 2.0 Hacking

Approaching a Better Solution: Taking a Closer Look

- Validation of automated scanners
- Application profiling
- Examining known attack vectors
- Looking for compromise
- Fuzzing

Page 13: Web 2.0 Hacking

Application Profiling

- Application fingerprinting
- COTS
- The mindset of application developers:
  - Server-side code developer
  - Client-side code developer
  - System Administrator (SA)
  - Database Administrator (DBA)

Page 14: Web 2.0 Hacking

Examining Known Vectors

- Catalog the application, then vulnerability detection
- The checklist

Page 15: Web 2.0 Hacking

Client Side: Why Scanners Have Difficulties Handling Advanced JavaScript

- Obfuscation
- Lazy-loading
- Compromise
- Browser/server security tradeoffs

Page 16: Web 2.0 Hacking

Client Side: Why Scanners Can't Handle Applets

- Decompiling bytecode (it is not HTML)
- Complex session management

Page 17: Web 2.0 Hacking

Server Side: Input/Output of Content Is Getting More Complex

- Upload/download of files
- Effective screening of content/control
- Open boundary conditions
- Embedded objects, ActionScript, plug-ins, ActiveX
- Who's responsible for the content supplied
- Blacklists, whitelists, regex, selective lists

Page 18: Web 2.0 Hacking

Server Side: Scanners' Lack of Filter Enumeration and Evasion

- Response analysis
- Blacklisting
- Encoding tactics
- Problems in dealing with Rich Internet Apps (Flash, RSS, widgets)
- Whitelisting drawbacks: bypassing regex
- Employ input and output validation with both whitelists and blacklists
- Good input validation, poor output validation
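The two whitelist points on this slide ("bypassing regex" and "good input validation, poor output validation") are easiest to see side by side. The following is an added example, not code from the talk: a username whitelist written three ways (two regex mistakes a scanner will rarely enumerate, then the hardened form), followed by the output-encoding step that has to happen regardless of which input check was used. The sample values are constructed; the field name and the 32-character cap are my assumptions.

```python
import html
import re

# Constructed sample values for a "username" field whose whitelist is meant to
# allow only letters, digits and underscores; True = should be accepted.
SAMPLES = {
    "alice_42": True,
    "<script>alert(1)</script>": False,
    "alice<img src=x onerror=alert(1)>": False,
    "alice_42\n": False,   # trailing newline: CRLF into headers or logs later
}

# Weak whitelist 1: not anchored, so search() is satisfied by any value that
# merely contains one permitted character.
UNANCHORED = re.compile(r"[A-Za-z0-9_]+")

# Weak whitelist 2: anchored with $, which in Python (as in Perl/PCRE) also
# matches just before a trailing newline, so "alice_42\n" passes.
DOLLAR_ANCHORED = re.compile(r"^[A-Za-z0-9_]+$")

# Hardened whitelist: fullmatch() has no newline exception, and the length cap
# (32 is an assumed limit) closes the open boundary the slides mention.
STRICT = re.compile(r"[A-Za-z0-9_]{1,32}")


def weak_unanchored(value: str) -> bool:
    return UNANCHORED.search(value) is not None


def weak_dollar(value: str) -> bool:
    return DOLLAR_ANCHORED.match(value) is not None


def strict(value: str) -> bool:
    return STRICT.fullmatch(value) is not None


def render_unsafe(name: str) -> str:
    """Good input validation, poor output validation: the value is interpolated raw."""
    return f"<p>Hello, {name}</p>"


def render(name: str) -> str:
    """Output validation: HTML-encode no matter what the input check decided."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def validator_gaps() -> dict:
    """For each sample value, the names of the validators that get it wrong."""
    checks = (("unanchored", weak_unanchored), ("dollar", weak_dollar), ("strict", strict))
    return {
        value: [name for name, check in checks if check(value) != expected]
        for value, expected in SAMPLES.items()
    }


if __name__ == "__main__":
    for value, wrong in validator_gaps().items():
        print(f"{value!r:40} wrong: {wrong}")
    print(render_unsafe("<b>bold</b>"))
    print(render("<b>bold</b>"))
```

The hardened check still validates only shape, not intent, which is why the last two functions exist: the encoding in `render` is what protects the page when a value arrives from a path that was never validated (a database import, a second-order value, a feed).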

Page 19: Web 2.0 Hacking

Complexity of Analysis in Web Services

- XML parsing, manipulation, appending files, lack of tools
- AJAX: extended footprint (traditional Web application with Web services)

Page 20: Web 2.0 Hacking

Difficulties in Testing Application Logic

- Inter-protocol exploitation and communication
- Forced directory browsing: access control
- Backend Web services
- API reverse engineering
- Authorization, session management, horizontal and vertical escalation, AJAX

Page 21: Web 2.0 Hacking

Sophistication in Combining Attack Vectors

- XSS, SQL, command, HTML injection
- SMTP
- Browser types, versions and plug-ins, ActiveX
- Server configurations
- Interpretation of error handling (database errors, stack traces)
- Encoding tactics
- Attacking the admin
- Multilayer, second-order attacks, edge cases

Page 22: Web 2.0 Hacking

Most Scanners Don't Look for Infestation

- Parsing the database
- Script calls
- Embedded AJAX
- RSS
- Flash
- CSRF
- ActiveX calls
- Outbound calls
- Botnets
- Mastering the DOM: polymorphic JavaScript

Page 23: Web 2.0 Hacking

Infestation Detection Firewall

- Looking for hooking events: onload and onfocus, eval()
- Looking for user events such as onmouseover
- Making HTTP connections off-site
- onkey events
- Asynchronous stream injections with dynamic script execution
- The JavaScript interpreter (Caffeine Monkey, SpiderMonkey): obfuscation, whitespacing
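The slide lists the signals an infestation check looks for in served pages: hooking events (onload, onfocus), user events (onmouseover, onkey*), eval() and similar dynamic execution, off-site HTTP connections, and obfuscated or whitespace-packed script. The following is an added example, not the talk's own tool: a small HTML-walking scanner that reports those signals over a constructed sample page. The obfuscation heuristic (runs of escaped bytes, very long lines) and the site host `www.example.com` are my assumptions, and the output is meant to be reviewed by a person, not acted on automatically.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hooking events named on the slide; every other on* attribute is reported as
# a user event (onmouseover, onkey*, onclick, ...).
HOOK_ATTRS = {"onload", "onfocus"}

# Dynamic-execution sinks: eval() from the slide plus its usual companions.
DYNAMIC_EXEC = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write|setTimeout)\s*\(", re.I)

# Obfuscation heuristic (my own, not a reference algorithm): a run of eight or
# more escaped bytes, or a single line longer than 2000 characters.
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-f]{2}|\\u[0-9a-f]{4}|%[0-9a-f]{2}){8,}", re.I)
LONG_LINE = 2000


class InfestationScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def _inspect_js(self, code, where):
        if DYNAMIC_EXEC.search(code):
            self.findings.append(("dynamic-exec", where))
        if ESCAPE_RUN.search(code) or any(len(line) > LONG_LINE for line in code.splitlines()):
            self.findings.append(("obfuscation", where))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if name.startswith("on") and name[2:].isalpha():
                kind = "hook-event" if name in HOOK_ATTRS else "user-event"
                self.findings.append((kind, f"<{tag} {name}>"))
                if value:
                    self._inspect_js(value, f"<{tag} {name}>")
        if tag == "script":
            self._in_script = True
            src = attrs.get("src")
            if src and self._offsite(src):
                self.findings.append(("offsite-script", src))
        elif tag in ("iframe", "form", "img", "object", "embed"):
            for name in ("src", "href", "action", "data"):
                value = attrs.get(name)
                if value and self._offsite(value):
                    self.findings.append(("offsite-connection", f"<{tag} {name}={value}>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data unparsed (CDATA mode).
        if self._in_script:
            self._inspect_js(data, "inline <script>")


def scan(document, site_host):
    """Parse `document` (str) and return the list of (kind, detail) findings."""
    scanner = InfestationScanner(site_host)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample page: an injected onload hook with an escaped payload, a
# user event, an off-site script include and an inline script using dynamic execution.
SAMPLE_PAGE = """<html><body onload="eval(unescape('%68%65%6c%6c%6f%21%21%21'))">
<p onmouseover="track()">Welcome</p>
<script src="http://cdn.example.net/lib.js"></script>
<script>var s = String.fromCharCode(104, 105); document.write(s);</script>
<img src="/logo.png"></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind:18} {detail}")
```

Off-site findings are informational: a legitimate CDN include produces the same `offsite-script` entry as an injected one, so the practical use is to diff the findings of a known-good build against what the production server currently serves, which is exactly the comparison a signature-driven scanner does not make.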

Page 24: Web 2.0 Hacking

Difficulties in Fuzzing Analysis

- Pros and cons
- File fuzzing
- Fuzzing APIs
- HTTP server response codes
- Code paths

Page 25: Web 2.0 Hacking

Closing Remarks

- The machine and the human element
- Machine to machine
- Code maintenance
- Preventing your app from becoming part of a botnet
- SDLC process
- Regression testing
- Dealing with 0-day attacks

Page 26: Web 2.0 Hacking

Demonstration: Bypassing Defense in Depth

Page 27: Web 2.0 Hacking

Webmail Application Test: Combining Server & Client Attack Vectors

Page 28: Web 2.0 Hacking

Webmail Application Test: IE Recognizes File as HTML

Page 29: Web 2.0 Hacking

Webmail Application Test: Session Cookie is Displayed

Page 30: Web 2.0 Hacking

GMail Web Application Test: Screenshot of Attached File

Page 31: Web 2.0 Hacking

GMail Web Application Test: IE Recognizes File as HTML

Page 32: Web 2.0 Hacking

GMail Web Application Test: JavaScript Fires

Page 33: Web 2.0 Hacking

Yahoo Mail Web Application Test: Creating an Email

Page 34: Web 2.0 Hacking

Yahoo Mail Web Application Test: Contents of 'Instructions.doc'

Page 35: Web 2.0 Hacking

Yahoo Mail Web Application Test: Screenshot of Attached File

Page 36: Web 2.0 Hacking

Yahoo Mail Web Application Test: Norton AV Scans File Before Download

Page 37: Web 2.0 Hacking

Yahoo Mail Web Application Test: JavaScript Fires

Page 38: Web 2.0 Hacking

Yahoo Mail Web Application Test: Redirection to Another Site
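The demonstration on pages 27 to 38 runs the same way against each webmail application: an attachment named as a document is uploaded, passes the anti-virus scan, is sniffed by IE as HTML on download, script runs in the webmail origin, and the session cookie is displayed. The following is an added example, not material from the talk, of the three checks a defender can run on that path: an upload-time content screen for markup hiding in a document attachment, a download-time check of the response headers, and a check of the session cookie's flags. The HTML-marker heuristic is my own approximation and not IE's sniffing algorithm; the sample file, headers and cookie are constructed.

```python
# Markers used to approximate the MIME sniffing that made the attachment render
# as HTML in the demo (my own heuristic, not IE's published algorithm).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script",
                b"<iframe", b"<title", b"<a ")

# Content types a browser will execute script from (empty = header absent).
ACTIVE_TYPES = {"", "text/html", "application/xhtml+xml", "text/xml", "image/svg+xml"}


def looks_like_html(body: bytes) -> bool:
    """True when the leading bytes contain markup a sniffing browser may treat as HTML."""
    head = body[:256].lower()
    return any(marker in head for marker in HTML_MARKERS)


def screen_upload(filename: str, body: bytes) -> list:
    """Upload-time screening: reject files whose content contradicts their extension."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in {"html", "htm", "svg", "xml", "xhtml"}:
        problems.append(f"active-content extension .{ext}")
    elif looks_like_html(body):
        problems.append(f"HTML markup inside a .{ext or '(none)'} file")
    return problems


def assess_download_headers(headers: dict) -> list:
    """Download-time check on the response that serves a stored attachment."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    disposition = h.get("content-disposition", "").strip().lower()
    if not disposition.startswith("attachment"):
        issues.append("Content-Disposition is not 'attachment' (file may render inline)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("missing X-Content-Type-Options: nosniff (browser may sniff HTML)")
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if content_type in ACTIVE_TYPES:
        issues.append(f"active or absent Content-Type {content_type or '(none)'!r}")
    return issues


def assess_session_cookie(set_cookie: str) -> list:
    """The demo read the session cookie from script; HttpOnly is the direct mitigation."""
    flags = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    issues = []
    if "httponly" not in flags:
        issues.append("session cookie lacks HttpOnly (readable via document.cookie)")
    if "secure" not in flags:
        issues.append("session cookie lacks Secure")
    return issues


# Constructed samples: an attachment named like a document but containing
# markup, served first with weak headers and then with hardened ones.
DISGUISED_DOC = b"<html><body><script>/* constructed, inert */</script></body></html>"
WEAK_HEADERS = {
    "Content-Type": "application/msword",
    "Content-Disposition": "inline; filename=Instructions.doc",
}
HARDENED_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="Instructions.doc"',
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(screen_upload("Instructions.doc", DISGUISED_DOC))
    print(assess_download_headers(WEAK_HEADERS))
    print(assess_download_headers(HARDENED_HEADERS))
    print(assess_session_cookie("SESSIONID=0123abcd; Path=/"))
```

The three checks are deliberately independent: the anti-virus pass on page 36 shows why the content screen cannot be the only control, the header check is what stops the sniffing step on pages 28 and 31 even when the screen is bypassed, and the cookie flag is what limits the damage shown on page 29 when both of the others fail.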

Page 39: Web 2.0 Hacking


Questions??