Pentest as verification of the security level in Web Applications

Transcription

Pentest as verification of the security level in Web Applications
Vicente Aguilera Díaz
vaguilera@isecauditors.com
Internet Security Auditors
Madrid, 16th-18th of November 2010

Who am I?
- Vicente Aguilera Díaz
- CISA, CISSP, CSSLP, ITIL, CEH I, ECSP I, OPSA, OPST
- Director of the Audit Department at Internet Security Auditors
- OWASP Spain Chapter Leader
- Member of the Technical Advisory Board of the “Red Seguridad” magazine
- Contributor in open-source projects related with App. Security
- Speaker at security conferences
- Co-chair of IBWAS (Ibero-American WebAppSec) Conferences
- Publication of several vulnerabilities and papers in specialized media

Agenda
1. Current investment in IT security
2. Disciplines to create secure software
3. Pentest in web applications
4. Conclusions and recommendations
5. References

1. Current investment in IT security

1. Current investment in IT security
The bulk of current investment in IT security relies on: infrastructure or application?

1. Current investment in IT security
According to Gartner [1], 90% is dedicated to classical perimeter security (firewalls).
This fact is illogical if we think in terms of:
- IT budget (network, host, applications, data)
- Current threats and security risks
[1]

1. Current investment in IT security
Target of attacks (chart)
Source: UK Security Breach Investigations Report 2010 (7safe)

1. Current investment in IT security
Industries represented by percent of breaches (chart)
Source: 2009 Data Breach Investigations Report (Verizon Business RISK Team)

1. Current investment in IT security
Conclusions
- Most attackers (80% [2]) are external
- Usually the attacker has an economic objective
- The business is in the web
- Traditional security systems do not provide application level protection
- It is necessary to incorporate security in the SDLC, but the investment should also be balanced!
[2] UK Security Breach Investigations Report 2010 (7safe)

2. Disciplines to create secure software

2. Disciplines to create secure software
Software is easy to criticize
Secure software:
- Design, build and test the software for security
- Continues to run properly under attack
- Designed with failure in mind
- It requires knowledge and discipline
- It is still in its infancy
- Breaking something is easier than designing it so it is not broken
- Security is not a luxury, but a necessity

2. Disciplines to create secure software
Why is it now more important to create secure software?
- Connectivity
- Complexity
- Extensibility
And there are mandatory standards!

2. Disciplines to create secure software
Generic SDLC Model (diagram)
What security activities can / should we add?

2. Disciplines to create secure software
Secure SDLC
- SDLC based on security principles
- There is no single formula for all organizations
- Requires involving the following factors:
  - People
  - Processes
  - Technology

2. Disciplines to create secure software
Best practices
- Microsoft SDL (Secure Development Lifecycle)
- OWASP CLASP (Comprehensive, Lightweight Application Security Process)
- Cigital Software Security Touchpoints
- OWASP OpenSAMM (Software Assurance Maturity Model)
- BSIMM (Building Security In Maturity Model)
- SSE CMM (Secure Software Engineering Capability Maturity Model)

2. Disciplines to create secure software
Benefits of adopting a formal and structured methodology:
- Allows understanding and implementing the best practices used today, taking advantage of the experience of their implementation in other organizations.
- Provides a way to assess the state of an organization and prioritize changes.
- Provides a way to build a balanced software security assurance program in well-defined iterations.
- Allows defining and measuring security-related activities.
- Allows demonstrating concrete improvements to a security assurance program.

3. Pentest in Web Applications

3. Pentest in Web Applications
What is testing?
Comparison of the state of something with a set of criteria
Why do it?
Identify the gap between organizational practices and best industry practices
When would you do it?
Throughout the SDLC
What should be included in the testing?
The three factors: people, process and technology

3. Pentest in Web Applications
Principles of testing
- There is no silver bullet
- Understand the subject
- Think strategically, not tactically
- Document the test results
- The devil is in the details
- Use source code when available
- Test early and test often
- Understand the scope of security
- Develop the right mindset
- The SDLC is the king
- Develop metrics
- Use the right tools

3. Pentest in Web Applications
Description: Method of assessing the security of an application by simulating an attack
Objective: Evaluate the security level of an application
Considerations:
- Think like an attacker
- Be creative
- Automated tools are insufficient

3. Pentest in Web Applications
The tests are divided into two phases:
- Passive mode
  - Gathering information
  - Understanding the business logic
  - Identification of attack vectors
- Active mode
  - Execution of security tests based on a methodology
Baseline methodology: OWASP Testing Guide

3. Pentest in Web Applications
OWASP Testing Guide v3.0
- Is a book: 349 pages!
- Free
- A large number of contributors
- Exhaustive tests
- Cover the entire SDLC
- Evolves
- Translated to different languages
OWASP Testing Guide v4.0
- Mid January 2011

3. Pentest in Web Applications
OWASP Testing Guide v3.0
The tests are classified into the following categories:
- Information Gathering
- Configuration Management
- Authentication
- Session Management
- Authorization
- Business Logic
- Data Validation
- Denial of Service
- Web Services
- AJAX

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Information Gathering
Focused on collecting as much information as possible about a target application.
Tests:
- Spiders, robots and crawlers
- Search engine discovery/reconnaissance
- Identify application entry points
- Web Application fingerprint
- Application discovery
- Analysis of error codes

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Information Gathering
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Configuration management
Focused on the analysis of the infrastructure and topology architecture.
Tests:
- SSL/TLS
- HTTP Methods and XST
- DB Listener
- Infrastructure configuration management
- Application configuration management
- File Extensions Handling
- Old, backup and unreferenced files
- Infrastructure and application admin interfaces

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Configuration Management
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Authentication
Analysis of the authentication process and using this information to circumvent the authentication mechanism
Tests:
- Logout and browser cache
- User enumeration
- Guessable user account
- Race conditions
- Brute force and CAPTCHA
- Bypassing the auth schema
- Remember password and pwd reset
- Multiple factors authentication
- Credentials transport over an encrypted channel

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Authentication
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Session Management
Focused on the way in which the webapp maintains the state and controls the user interaction with the site.
Tests:
- Session management schema
- Cookies attributes
- Session fixation
- Exposed session variables
- Cross Site Request Forgery (CSRF)

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Session Management
Examples:
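As an added example (not code from the original slides), a small Python check for two of the session management tests listed above, cookie attributes and session fixation, run over constructed Set-Cookie headers as a proxy would show them before and after login; the set of session cookie names is an assumption.

```python
# Constructed sample Set-Cookie headers (not from the original slides):
# what a proxy shows before and after a successful login over HTTPS.
PRE_LOGIN_HEADERS = ["Set-Cookie: JSESSIONID=abc123; Path=/"]
POST_LOGIN_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: prefs=lang%3Des; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]
# Cookie names treated as session identifiers (assumption for this example)
SESSION_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}

def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, {attribute: value})."""
    raw = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags map to True
    return name.strip(), value.strip(), attrs

def check_cookie_attributes(headers, over_tls=True):
    """Cookie attributes test: report session cookies that lack the protections
    the Testing Guide asks for (Secure on TLS sites, HttpOnly, no persistence)."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_NAMES:
            continue  # only session identifiers are in scope here
        if over_tls and "secure" not in attrs:
            findings.append(f"{name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag")
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"{name}: persistent session cookie")
    return findings

def check_session_fixation(pre_login, post_login):
    """Session fixation test: a session id issued before authentication must be
    replaced on login. Returns the names of session ids that survived the login."""
    before = {n: v for n, v, _ in map(parse_set_cookie, pre_login) if n in SESSION_NAMES}
    after = {n: v for n, v, _ in map(parse_set_cookie, post_login) if n in SESSION_NAMES}
    # A cookie that is not reissued at all keeps its old value, so it counts too
    return [n for n, v in before.items() if after.get(n, v) == v]
```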

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Authorization
Analysis of the authorization process and using this information to circumvent the authorization mechanism
Tests:
- Path traversal
- Bypassing authorization schema
- Privilege escalation

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Authorization
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Business logic
Analysis of business rules and workflows based on the ordered tasks of passing documents or data from one participant to another
Tests:
- Business logic

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Business logic
Examples (workflow diagram): STEP 1 -> STEP 2 -> STEP 3 -> OPERATION
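As an added example (not code from the original slides), the STEP 1 -> STEP 2 -> STEP 3 -> OPERATION workflow above with its ordering enforced server-side, together with the three checks a business logic test would run against it: the happy path, jumping straight to the operation, and replaying the operation; step names and session ids are constructed.

```python
from collections import defaultdict

# The ordered tasks of the workflow shown on the slide (names are constructed).
WORKFLOW = ["step1", "step2", "step3", "operation"]

class WorkflowState:
    """Per-session record of the next step the user must perform.
    The position is kept server-side: a client parameter saying 'step=3'
    is never accepted as proof that steps 1 and 2 were completed."""
    def __init__(self):
        self._next = defaultdict(int)  # session id -> index into WORKFLOW

    def submit(self, session_id, step):
        """Accept the step only if it is the one the workflow expects next."""
        expected = WORKFLOW[self._next[session_id]]
        if step != expected:
            return False, f"rejected {step!r}: expected {expected!r}"
        self._next[session_id] += 1
        if step == "operation":
            self._next[session_id] = 0  # one operation per completed workflow
        return True, f"accepted {step!r}"

def run_business_logic_tests(state):
    """Three constructed test cases from a business logic review."""
    results = {}
    # 1. Happy path: every step in order is accepted.
    sid = "sess-A"  # constructed session id
    results["happy_path"] = all(state.submit(sid, s)[0] for s in WORKFLOW)
    # 2. Skipping steps: go from step 1 straight to the operation.
    sid = "sess-B"
    state.submit(sid, "step1")
    results["skip_to_operation"] = state.submit(sid, "operation")[0]
    # 3. Replay: repeat the operation after the workflow already completed.
    sid = "sess-C"
    for s in WORKFLOW:
        state.submit(sid, s)
    results["replay_operation"] = state.submit(sid, "operation")[0]
    return results

if __name__ == "__main__":
    print(run_business_logic_tests(WorkflowState()))
```

A finding is raised when either of the last two cases is accepted, which is exactly what happens when the workflow position is taken from the client instead of being tracked as above.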

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Data validation
Analysis of all the possible forms of input to understand if the application sufficiently validates input data before using it.
Tests:
- XSS and Cross Site Flashing
- SQL/LDAP/ORM/XML/XPATH/IMAP/SMTP Injection
- Code/Command Injection
- Buffer overflow
- Incubated vulnerabilities
- HTTP Splitting/Smuggling

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Data validation
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Denial of service
Focused on application layer attacks against availability that can be launched by just one malicious user on a single machine
Tests:
- Failure to release resources
- Buffer overflows
- Locking customer accounts
- SQL wildcard attacks
- Storing too much data in session
- User specified object allocation
- User input as a loop counter
- Writing user provided data to disk

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Denial of service
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Web Services
Analysis of Web Services and SOA applications, from information gathering to structural and content testing.
Tests:
- WS Information Gathering
- Replay testing
- Testing WSDL
- XML Structural testing
- XML Content-level testing
- HTTP GET parameters/REST testing
- Naughty SOAP attachments

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – Web Services
Examples:

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – AJAX
Analysis of used frameworks, communication between the client and the server, encoding and serialization schemes and code.
Tests:
- AJAX testing

3. Pentest in Web Applications
OWASP Testing Guide v3.0 – AJAX
Examples:

4. Conclusions and Recommendations

4. Conclusions and Recommendations
- Most of the attacks occur at the application level
- We must invest more in protecting our applications
- We need to create secure software
- We need to adopt a security software initiative
- Software security is the result of many activities
- Requires involving people, process, technology
- Most attackers are external
- The pentest simulates the scenario of an attack
- The pentest should be seen as an activity whose purpose is to verify the use of security best practices.
- Improving software security almost always means changing the way an organization works

5. References

5. References
- The Economics of Finding and Fixing Vulnerabilities in Distributed Systems
  http://1raindrop.typepad.com/1 g-vulnerabilities-in-distributed-systems-.html
- UK Security Breach Investigations Report
  http://www.7safe.com/breach report/Breach report 2010.pdf
- 2009 Data Breach Investigations Report
  urity/reports/2009 databreach rp.pdf
- OWASP Testing Guide
  http://www.owasp.org/index.php/Category:OWASP Testing Project

Questions / comments / suggestions?
Thank you very much for your attention!

Vicente Aguilera Díaz
vaguilera@isecauditors.com
C. Santander, 101. Edif. A. 2º
E-08030 Barcelona (Spain)
Tel.: 34 93 305 13 18
Fax: 34 93 278 22 48
Pº. de la Castellana, 164-166. Entlo. 1ª
E-28046 Madrid (Spain)
Tel.: 34 91 788 57 78
Fax: 34 91 788 57 01
