Web Application Penetration Testing - Security, Cyber, and

AT&T Consulting © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Web Application Penetration Testing 2010



Web Application Penetration Testing

2010

AT&T Consulting Page 2

Will Bechtel – [email protected]

• Sr. Consulting Manager - Application Security Practice

• AT&T Consulting Part of AT&T Business Services / Application Solutions

• Formerly VeriSign Global Security Consulting – AT&T acquired Oct 2010

Experience with Organizations

• Primary verticals: Financial Services, High Tech, Retail

Application Experience

• 15 years software development

• Web commerce development for Fortune 500 customers

Caution

• Tools/techniques should only be used for authorized testing. Don't Be Evil…

• Be very careful how you configure tools or you may end up in real trouble.

Setup

Presentation Overview

Overview of Web App Pen Testing

• Web Application Definition

• Drivers for Testing

• High Level Methodology

Overview of Tools

• Web App Scanners

• Proxies, Spiders, Fuzzers

• Strengths and Weaknesses

Review of Vulnerabilities

• OWASP Top Ten

Demonstration of Tools/Techniques

• Web Application Scanner – HP’s AppScan

• Burp Professional Proxy/Scanner

Typical Web Application

(Diagram: Corporate Firewall in front of a Web/Application Server and a Database Server, with ports 80 / 443, 21 and 3389 labelled.)

Web Application Defined

App Utilizes HTTP/HTTPS

• Web Browser Applications

• Web Services (blurring)

Client is Web Browser

• Application Interface is HTML/CSS/JavaScript interpreted on the client.

• The line blurs with Java and ActiveX components delivered via HTTP. Out of scope for this presentation.

From Wikipedia

• A computer software application that is hosted in a browser-controlled environment (e.g. a Java applet) or coded in a browser-supported language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable.

Web Application Basics

HTTP Basics

• HTTP is a plain text protocol

• Browser sends request to web server

• Server sends back response with a status code

GET /search.aspx?q=answer+to+life HTTP/1.0

HTTP/1.0 200 OK

<html>
<body>
The answer is 42
</body>
</html>
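To make the "plain text protocol" point concrete, here is an added example (not from the presentation) that writes the slide's GET request byte-for-byte to a socket and parses the status line out of the reply. The server is a hypothetical stand-in for search.aspx running on loopback.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical stand-in for the slide's search.aspx: any request with a q gets "42".
class SearchHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"          # one request per connection, like the slide

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/search.aspx" and "q" in parse_qs(url.query):
            status, body = 200, b"<html>\n<body>\nThe answer is 42\n</body>\n</html>\n"
        else:
            status, body = 404, b"<html><body>Not found</body></html>\n"
        self.send_response(status)           # writes "HTTP/1.0 200 OK" etc.
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the example quiet
        pass

def start_server():
    """Serve on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), SearchHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def raw_get(port, target):
    """Talk HTTP by hand: send the request text, read until the server closes,
    then split the reply into status line, headers and body."""
    request = f"GET {target} HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n".encode()
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:                    # HTTP/1.0 server closed the connection
                break
            chunks.append(chunk)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode()   # e.g. "HTTP/1.0 200 OK"
    return int(status_line.split()[1]), body.decode()

if __name__ == "__main__":
    srv = start_server()
    print(raw_get(srv.server_address[1], "/search.aspx?q=answer+to+life"))
    srv.shutdown()
```

Everything a testing proxy later intercepts and edits is exactly this text, which is why a proxy can rewrite any part of a request before the server sees it.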

Web App Pen Test Drivers

#1 Compliance

• PCI

– Requirement for Annual Pen Test – Internal/External

– Requirement for quarterly scanning (not a pen test, but uses automated scanners)

• GLBA, FTC, SOX, HIPAA, SB1386

Partnerships

• Many SaaS providers perform testing to assure customers that they are secure.

Risk Management

• Risk Management (lower potential liability and losses)

• Protect Reputation

Methodology

Determine Scope

• Evaluate Security Requirements

• Evaluate Compliance Objectives

• Identify any out of scope areas (document them)

Determine Rules of Engagement

• Determine White Box, Grey Box, or Black Box testing methodology

• Determine involved parties – who will support testing, handle issues that may come up, etc.

• Gather contact information

• Review communication, notification, and issue escalation procedures.

• Review other specific requests and rules of engagement (e.g., periods during which testing should not be performed).

• Review deliverables and any requirements

Application Architecture Review (if white or grey box)

• Review system architecture and logical model

• Review interfaces

Methodology

Discovery

• Spidering

• Manual Traversal

Automated Scanning

• Platform Fingerprinting (web server/app server/database server)

• Test for Vulnerabilities

• Validation of Findings

• Manual Testing Validation where required

Manual Testing

• Exercise with Proxy

• Evaluate and Adjust

Analysis and Reporting

• Determine and Assign Risk (risk of vuln/likelihood/overall risk/recommendation for fixing/level of effort)

• Document – assign risk at the highest level until more information is available.

Automated Web Application Scanners

Seek to simulate an application tester

• Perform Discovery (Spider)

• Test for known platform vulnerabilities and common misconfigurations

• Determine and Test Authentication/Authorization Boundaries

• Exercise requests/manipulate parameters

Provide Analyst with Findings/Details/Recommendations

• Analyst reviews and removes false positives

Reporting

• Generate reports with vulnerability details, risk ratings and recommendations for remediation from validated findings

Web App Proxy

Used to test, not to improve caching performance

• Many proxies used in organizations are set up to restrict, monitor and secure outbound connections as well as to improve performance.

Web Application Testing Proxy

• Designed specifically to perform web application testing

• Primary feature is to intercept and modify traffic to/from web browser and web server.

• Usually includes spidering and sometimes scanning tools.

• Scanning can be passive or active.

Fuzzers

Fuzzing

• (Wikipedia) Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.

Fuzzers

• Usually targeted at finding memory issues like buffer overflows

• Limited in functionality

• Some Web Proxies can be utilized as fuzzers (Burp Suite Pro, Webscarab)

Tools Strengths and Weaknesses

Web App Scanning

• Strengths

– Fast, can scan for many common issues quickly, can be set up to regression test, good for finding reflected cross-site scripting

• Weaknesses

– Can be difficult to configure; often does not hold state well and misses much of the app. Not good at finding subtle and multi-step issues (stored XSS), etc.

Web Proxy Testing

• Strengths

– Good for identifying/verifying all vulnerabilities; identifies more high risk issues (multi-step and authorization issues)

• Weaknesses

– Takes strong experience to utilize, time consuming compared to automated, very time consuming to do any regression testing

Fuzzers

• Strengths

– Finding memory issues such as buffer overflows, etc.

• Weaknesses

– Very narrow usage

Common Web App Vulnerabilities

Open Web Application Security Project (OWASP)

• www.owasp.org

• Top Ten – most common vulnerabilities - http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf

• Information on how to identify and remediate these and many other application security issues

• Development of tools and frameworks and approaches for application security

OWASP 2010 vs 2007 (the OWASP slides include information taken directly from the www.owasp.org site)

OWASP Top Ten

A1 – Injection

• Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injected via user input, executed on the server (web/app/db).

A2 – Cross Site Scripting (XSS)

• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Reflected (RXSS): initiated by user input, bounced (reflected) off the server, executed in the user’s browser. Stored (SXSS): initiated by user input, stored on the server, later executed in a user’s browser (which can be another user’s).
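A1 and A2 are the same mistake aimed at two interpreters: untrusted text reaches the SQL engine, or the browser's HTML parser, as code. The added example below (not from the presentation; a constructed in-memory users table and a hypothetical search page) shows each flaw beside the fix that keeps the input as data: parameter binding for the query, output escaping for the reflected search term.

```python
import html
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

# --- A1 Injection: the same login query, concatenated vs. parameterised ---
def login_vulnerable(db, username, password):
    """Untrusted input is pasted into the SQL text, so the interpreter reads it
    as part of the command rather than as a value."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]

def login_safe(db, username, password):
    """Bound parameters travel separately from the statement; the input can
    only ever be compared as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# --- A2 Reflected XSS: the search term echoed back, raw vs. escaped ---
SEARCH_PAGE = '<p>Results for "{q}"</p><input name="q" value="{q}">'

def search_vulnerable(q):
    """The query string is bounced off the server into markup the browser
    parses, so any tag or attribute inside it becomes live."""
    return SEARCH_PAGE.format(q=q)

def search_safe(q):
    """Escape at output time: <, >, &, ' and " become entities that the
    browser renders as text. quote=True also covers the attribute context."""
    return SEARCH_PAGE.format(q=html.escape(q, quote=True))

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"                 # tautology in the password field
    print(login_vulnerable(db, "alice", tainted))   # every user comes back
    print(login_safe(db, "alice", tainted))         # nothing matches
    print(search_safe('"><script>x</script>'))
```

Stored XSS (SXSS) is the same output-escaping fix applied when the persisted value is rendered later, which is why scanners that only replay one request tend to miss it.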


OWASP Top Ten

A3 – Broken Authentication and Session Management

• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users’ identities. It is very common to see the session cookie set before login, which opens the door to session fixation.
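The session-fixation point above comes down to one decision at login time: keep the pre-login session id or rotate it. This added example (hypothetical code, not from the presentation; constructed in-memory session store and user table) shows both, so a tester can recognise the fixation-prone pattern and a developer the fix.

```python
import secrets

# Constructed in-memory session store and user table standing in for the
# application's own; hypothetical code, not from the presentation.
SESSIONS = {}                      # session id -> {"user": name or None}
USERS = {"alice": "s3cret"}

def new_session():
    """Pre-login session, as many apps issue on the very first page view."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login_fixation_prone(sid, username, password):
    """The pattern the slide calls out: the id issued before login is simply
    upgraded to an authenticated one. Anyone who already knew that id before
    the victim logged in now holds the victim's authenticated session."""
    if sid not in SESSIONS or USERS.get(username) != password:
        return None
    SESSIONS[sid]["user"] = username
    return sid

def login_regenerating(sid, username, password):
    """Fix: rotate the id at the privilege change. The old id is discarded,
    so knowing it before login is worthless afterwards."""
    if USERS.get(username) != password:
        return None
    SESSIONS.pop(sid, None)
    fresh = new_session()
    SESSIONS[fresh]["user"] = username
    return fresh

def user_for(sid):
    """What the server believes about a presented cookie value."""
    return SESSIONS.get(sid, {}).get("user")

if __name__ == "__main__":
    pre = new_session()
    print(login_fixation_prone(pre, "alice", "s3cret") == pre)   # True: same id
    pre = new_session()
    print(login_regenerating(pre, "alice", "s3cret") == pre)     # False: rotated
```

In a proxy this is easy to check: compare the session cookie value captured before login with the one in the post-login response; if they match, the application is fixation-prone.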

A4 – Insecure Direct Object References

• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Example: https://www.bank.com/transfer?accountNum=1234


OWASP Top Ten

A5 – Cross Site Request Forgery (CSRF)

• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 – Security Misconfiguration

• Security depends on having a secure configuration defined for the application, framework, web server, application server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults.


OWASP Top Ten

A7 – Failure to Restrict URL Access

• Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks when these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. Also known as forced browsing.
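A4 (the accountNum=1234 reference on the previous slide) and A7 (hidden URLs) share one root cause: the check happens when the link is drawn, not when the request arrives. This added example (not from the presentation; constructed account data and hypothetical admin paths) puts the unchecked and checked handling of both side by side.

```python
# Constructed data standing in for the bank application on the A4 slide
# (accountNum=1234) and for "hidden" admin pages as in A7. Not real code.
ACCOUNTS = {"1234": {"owner": "alice", "balance": 500},
            "5678": {"owner": "bob", "balance": 75}}
ADMINS = {"carol"}
PROTECTED_PATHS = {"/admin/users", "/admin/reports"}

# --- A4 Insecure Direct Object Reference ---
def account_unchecked(user, account_num):
    """The database key from the URL is used as-is: any logged-in user who
    edits accountNum reads someone else's record."""
    return ACCOUNTS.get(account_num)

def account_checked(user, account_num):
    """Every direct reference is tied back to the requester. Missing and
    not-yours both return None, so the response does not confirm which
    account numbers exist."""
    record = ACCOUNTS.get(account_num)
    if record is None or record["owner"] != user:
        return None
    return record

# --- A7 Failure to Restrict URL Access ---
def nav_links(user):
    """Hiding the link is a UI decision, not an access control."""
    links = ["/transfer"]
    if user in ADMINS:
        links += sorted(PROTECTED_PATHS)
    return links

def handle_hidden_only(user, path):
    """The A7 flaw: the server assumes only admins ever saw the link, so a
    typed-in URL (forced browsing) is served to anyone. Returns HTTP status."""
    return 200

def handle_enforced(user, path):
    """The fix: authorise on every request to a protected URL, independently
    of whether the link was rendered. Returns HTTP status."""
    if path in PROTECTED_PATHS and user not in ADMINS:
        return 403
    return 200

if __name__ == "__main__":
    print(account_unchecked("bob", "1234"))          # alice's record leaks
    print(account_checked("bob", "1234"))            # None
    print(handle_hidden_only("bob", "/admin/users"),  # 200
          handle_enforced("bob", "/admin/users"))     # 403
```

During a proxy-based test this is exactly the "authorization boundary" exercise from the methodology: replay a request captured as one user with another user's session and compare the responses.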

A8 – Unvalidated Redirects and Forwards

• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
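The usual A8 fix is to validate the destination against an allowlist rather than trusting the parameter. This added example (not from the presentation) does that for a post-login next= value, assuming the application lives on www.bank.com (the host from the A4 slide) and may redirect to one assumed partner host; it also handles the scheme-relative, backslash and user@host forms that naive prefix checks get wrong.

```python
from urllib.parse import urljoin, urlparse

# Assumed: the application is served from www.bank.com (the host used on the
# A4 slide) and may redirect to the listed partner host. Constructed values.
TRUSTED_HOSTS = {"www.bank.com", "help.bank.com"}
HOME = "https://www.bank.com/"

def safe_redirect_target(next_url):
    """Decide where a next= parameter may send the user. Anything that is not
    provably our own origin or a trusted host falls back to HOME."""
    if not next_url:
        return HOME
    candidate = next_url.strip().replace("\\", "/")   # browsers read \ as /
    parts = urlparse(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//other.example") URL: the scheme must
        # be http(s) and the *hostname* (not the netloc, which can carry a
        # misleading user@ prefix) must be on the allowlist.
        if parts.scheme not in ("http", "https"):
            return HOME
        if (parts.hostname or "") not in TRUSTED_HOSTS:
            return HOME
        return candidate
    # Relative target: only an absolute path under our own origin is accepted.
    if not candidate.startswith("/"):
        return HOME
    return urljoin(HOME, candidate)

if __name__ == "__main__":
    for value in ["/account/summary", "//other.example/", "https://help.bank.com/faq"]:
        print(value, "->", safe_redirect_target(value))
```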


OWASP Top Ten

A9 – Insecure Cryptographic Storage

• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A10 – Insufficient Transport Layer Protection

• Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.


Web Application Scanners

Review

• Analyzing the Accuracy and Time Costs of Web Application Security Scanners http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf

– Does not weight vuln risk.

Scanners

• Acunetix

• AppScan by IBM

• Burp Suite Pro

• Hailstorm by Cenzic

• WebInspect by HP

• NTOSpider by NT OBJECTives

Web Application Proxies

Burp Suite

• In my opinion this is the current best option

• Free and Pro Versions

– Pro has scanner and state save – 2 key features. Very affordable.

• www.portswigger.net

Paros

• Free

• Kind of dated at this point

• Missing key features, limited on those it does support

Webscarab

• Free

• More features than Paros, less than Burp

Now the Fun Stuff

Demo of Automated Scanning Tool

• IBM’s AppScan v7.9 (formerly Watchfire)

• http://download.boulder.ibm.com/ibmdl/pub/software/dw/demos/rIntroToAppScan/rIntroToAppScan.pdf

• High level overview of features

• Partial review of scan - demo.testfire.net

Demo of Web Proxy Testing

• Burp Suite Professional v1.3 - High level overview of features

• Demo of testing and Burp features


Thank You!

[email protected]