
Aug 15, 2007 8:44:18 AM Archived Entry: "Security testing"

This presentation on security testing really gave me some good ideas about how to improve my testing of websites. A few items to check include:

• SQL Injection attacks (top cc attack)
• Cross Site Scripting (XSS) attacks (persistent and once off)
- Forum script
- Forum links
• Phishing Attacks
• Authentication attacks
- Username disclosure in error messages
- Brute force
- Poor session management
- Weak password recovery
• Information Disclosure - Browser cache, error pages
• Buffer / Integer Overflows
• Denial of Service - searches etc
• Request / Cookie Manipulation
• Weak administrative controls
• Registration Abuse
• Bogus Credit Card Transactions


Application Security - Threats & Remedies
• [CIA]
- Confidentiality - ensure no unauthorized access to info
- Integrity - assurance that info has not been compromised
- Availability - info can be accessed when needed

• Application Security is concerned with
- Handling of customer data
- How the data is stored
- How data is transmitted to other systems
- What information is logged
- Backups
- Upgrades
- Client side code
- Configuration
- Audit trails
- Uptime

• Section 1: Understanding the Threats

When to Consider Threats
• What does this mean for application development?
- Consider threats when designing application
- Consider threats when writing code
- Engage with the Security team at requirements stage so as to consider possible threats and security considerations specific to your application
- Get sensitive functionality code reviewed
- Request penetration testing of the application

• Online threats are real, hackers are real
• Attacks in previous 12 months
- Phishing attacks
- DOS attacks
• Moving from network level to application
• Customer Robot misuse
- Bogus customer claims that their account was hacked and funds spent.
- Scripting attacks
- Scripting vulnerabilities published on external site
- Misuse of Registration pages (involving character recognition software)
• Other incidents included bomb threats, other phone threats, internal theft/fraud

Specific Application Attacks
• SQL Injection attacks (top cc attack)
• Cross Site Scripting (XSS) attacks (persistent and once off)
- Forum script
- Forum links
• Phishing Attacks
• Authentication attacks
- Username disclosure in error messages
- Brute force
- Poor session management
- Weak password recovery
• Information Disclosure - Browser cache, error pages
• Buffer / Integer Overflows
• Denial of Service - searches etc
• Request / Cookie Manipulation
• Weak administrative controls
• Registration Abuse
• Bogus Credit Card Transactions

Example: SQL Injection
• Top means of theft for online Credit Card details
• Attack involves manipulating the SQL that gets executed
• Involves exploiting a search query
• select * from products where title like '%someuserkeyword%'

• User Input: '; SHUTDOWN; --
• select * from products where title like '%'; SHUTDOWN; --%'

• Result: -restart- (the injected SHUTDOWN statement is executed and the database has to be restarted)
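The search-query example above, as an added illustration that is not part of the original notes: the vulnerable string-splicing pattern next to a parameterised version, run against a constructed in-memory SQLite table (table name, sample rows and the `make_demo_db` helper are assumptions; SQLite has no SHUTDOWN statement, so only the query text and the broken statement boundary are shown).

```python
import sqlite3

# The user input from the slide: a quote closes the LIKE string, ';' ends the
# statement, and '--' comments out the rest of the original query.
PAYLOAD = "'; SHUTDOWN; --"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory products table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (title text)")
    conn.executemany("insert into products values (?)",
                     [("Red Widget",), ("Blue Gadget",)])
    return conn


def build_query_unsafe(keyword: str) -> str:
    """Vulnerable pattern: the search keyword is spliced into the SQL text."""
    return f"select * from products where title like '%{keyword}%'"


def run_unsafe(conn: sqlite3.Connection, keyword: str):
    """Execute the spliced query. Returns ('rows', n) or ('error', message).

    With PAYLOAD the text becomes two statements plus a comment; Python's
    sqlite3 module refuses to run more than one statement per execute(), which
    is the only reason the injected second statement is not executed here."""
    try:
        rows = conn.execute(build_query_unsafe(keyword)).fetchall()
        return ("rows", len(rows))
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return ("error", str(exc))


def search_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened version: the keyword is bound as a parameter, so quotes,
    semicolons and comment markers inside it are just characters to match."""
    cur = conn.execute("select title from products where title like ?",
                       (f"%{keyword}%",))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_demo_db()
    print(build_query_unsafe(PAYLOAD))
    print(run_unsafe(db, PAYLOAD))
    print(search_safe(db, PAYLOAD))
```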

Example: XSS
• Typically involves executing injected Javascript in a user's webpage
• A web application is vulnerable if it accepts parameters from a user's browser and includes the parameter values in the response to the user

• Can be exploited by a hacker sending Javascript as a parameter that steals user cookies and sends them to a remote site
• Beware of shared interactive content on websites
- Blogs, forum postings, customer reviews etc

• DIV tags
• XSS Proxy?

Example: XSS Basic Example
• Cross Site Scripting vulnerabilities occur when an input request parameter value is included in the HTML of the response
i.e. a login page: the user inputs "joe" and the error page says Welcome Joe (but also says "You've entered an invalid password, please try again").

Second example: The attacker constructs a bad link, emails the URL to the user and gets him to click on it. The user requests the page from a legitimate server, somehow gets a page with malicious script, runs the bad script but sends through an authorized request. (Confused here!)
Third example: the returned HTML address includes the information to construct a web page, IE
s and

s.
Third example: Example: XSS - Forum
• . Input:
-
- which is exactly 30 characters long.
- No javascript used

• How about if Javascript was added that loads a remote js library
-

Phishing
• Phishing is the activity of fraudulently acquiring sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business
• Often Phishing attacks involve bogus emails sent to customers on behalf of the company. They may also involve redirecting customers to a bogus website that masquerades as the website of the legitimate company.
• Phishing emails typically include HTML content, so the link text can differ from the link's real target

Example: Phishing

• Mail characteristics
- Common greeting
- False sense of urgency
- Misspellings and bad grammar
- Fake links
- Bogus webpage
- hidden address bar
• Deceptive URL
- www.somesite.com/yourcompanyssite.html
- www.yourcompanyssite.com@23423534
- www.yourcompanyssite.winbet.com
- www.yourcompanyssitepromotion.com
- www.yourcompanyssiteWITHMISSPELLING.com
• Reminder:
- Always use a proper yourcompanyssite.com domain
- Avoid linking to images on other sites

Example: click on a link in an email purporting to be from a financial site and note that the URL doesn't match the company's normal URL. NOTE: some browsers may mark these as a "suspected web forgery."
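The deceptive URL shapes listed above, as an added example not from the original notes: a small link checker that extracts the host a browser would really connect to and compares it with the company's proper domain (`yourcompanyssite.com` is the slide's placeholder; the genuine link and the helper names are constructed assumptions).

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "yourcompanyssite.com"   # the company's proper domain from the slide

# The deceptive URL shapes listed on the slide, plus one genuine link for
# contrast (all constructed sample values).
SAMPLE_LINKS = [
    "www.somesite.com/yourcompanyssite.html",
    "www.yourcompanyssite.com@23423534",
    "www.yourcompanyssite.winbet.com",
    "www.yourcompanyssitepromotion.com",
    "www.yourcompanyssiteWITHMISSPELLING.com",
    "https://www.yourcompanyssite.com/account/login",
]


def real_host(link: str) -> str:
    """Return the host a browser would actually connect to.

    Everything before '@' is userinfo, not the host, and the path is ignored;
    the first two decoys rely on readers not knowing this."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()


def is_company_link(link: str, legit_domain: str = LEGIT_DOMAIN) -> bool:
    """True only if the real host is the legitimate domain or a subdomain of it
    (a suffix test on the whole label, so 'yourcompanyssitepromotion.com' fails)."""
    host = real_host(link)
    return host == legit_domain or host.endswith("." + legit_domain)


def flag_suspicious(links) -> list:
    """Defender's view: which links in a mail do not lead to the company site."""
    return [link for link in links if not is_company_link(link)]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:50} -> {real_host(link):40} company? {is_company_link(link)}")
```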

Advanced Phishing
• Advanced Phishing websites use a combination of HTA, HTML and javascript commands to rebuild a fake address bar using images and text.
• URL shown in the fake address bar - https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
• Real URL the page was loaded from - http://smba.swu.ac.kr/css/.accVerify/secure/log1.htm

Example: Authentication Attack
• Error messages disclosing usernames
- SOooooo dangerous!
- Effect of mass account lockout would be huge
- Applies to login, forgot password etc

• Poor SessionID hygiene
- Pre SSOID Exchange
- Consider Internet Café

Session Attack
Leaving a session for a non-signed in user the same after they sign in is dangerous. New arrivals should always get new session IDs, signed in users should get new session IDs, and session IDs should be killed whenever the session is killed.
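The three session rules above, as an added example that is not from the original notes: a minimal server-side session table that issues a fresh ID on arrival, rotates the ID on sign-in (retiring the old one) and destroys it on sign-out (the class and its method names are constructed, not any framework's API).

```python
import secrets


class SessionStore:
    """Session table following the slide's rules: fresh ID for new arrivals,
    fresh ID on sign-in, ID killed on sign-out. Constructed example."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": str or None}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def start(self) -> str:
        """A brand-new visitor: never adopt an ID the client proposes."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Rotate the ID on authentication so a pre-login ID an attacker may
        have planted or observed (think Internet cafe) never becomes an
        authenticated one."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        """Kill the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        """Signed-in user for this ID, or None for anonymous/unknown IDs."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def login_flow_check() -> dict:
    """Walk through arrive -> login -> logout and report what each ID resolves to."""
    store = SessionStore()
    anon = store.start()
    authed = store.login(anon, "joe")
    result = {"ids_differ": anon != authed,
              "old_id_dead": store.user_for(anon) is None,
              "new_id_user": store.user_for(authed)}
    store.logout(authed)
    result["after_logout"] = store.user_for(authed)
    return result
```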

Information Disclosure: Browser Cache
• Dumpautocomplete - displays the browser's cache
• Tool reads the browser cache files and shows a wealth of data:
- multiple addresses, phone numbers, credit card numbers, CV2 codes, expiry dates etc
• Mitigation: HTML input fields that take sensitive data must set autocomplete="off"
• Consider browsers in an Internet Cafe

Information Disclosure
If the application returns overly detailed error messages, a user can learn important information about how to attack the site.

Buffer Overflows
• Primarily affects C/C++ applications.
• Can affect applications written in .Net or Java if they call native code / libraries
• Caused when a process attempts to store data beyond the boundaries of a fixed length buffer. This results in adjacent memory being overwritten.
• Typical result is that the process crashes
• Skilled attackers can cause vulnerable applications to execute arbitrary code, possibly taking over the machine
• Overflow vulnerabilities vary per architecture, operating system and memory region

Integer Overflows
• Typically no exception is thrown when an Integer overflow occurs
• Java or .Net do not automatically detect such errors
• Java int range is -2147483648 to 2147483647.
- However 2147483647+1 results in a negative number -2147483647
- Extra bits beyond the 32nd bit are discarded, so values greater than 2147483647 wrap around to negative values
- Also applies to Integer; equivalent problems exist for long etc.

public class IntOverflow {
    public static void main(String[] args) {
        int largestInt = 2147483647;   // Integer.MAX_VALUE
        System.out.println("largestInt :" + largestInt);
        // ++ silently wraps past Integer.MAX_VALUE; no exception is thrown
        System.out.println("Overflow? largestInt incremented :" + (++largestInt));
    }
}

Output:

largestInt :2147483647
Overflow? largestInt incremented :-2147483648

DOS Attacks
• Moving from network / OS attacks to the application level
• Global Botnets
• Careful profiling of site functionality by attacker
- Looking for slow response times under load
• Attackers are persistent

Bogus Credit Card Transactions
• Processing bogus credit card transactions incurs a processing cost
• Detect bogus credit card numbers by:
- Enforcing the Luhn Algorithm checksum
• Detect stolen credit cards by implementing
- AVS (address verification)
- CVV2 (card verification value)
- 3D Secure
- 3D Secure implementations: Verified by Visa, Mastercard SecureCode
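The Luhn checksum mentioned above, as an added example that is not from the original notes: a validator that rejects mistyped or made-up card numbers before any processing cost is incurred (the test number 4111 1111 1111 1111 is the widely used Visa test value, not a real card).

```python
def luhn_valid(number: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any doubled value above 9, and require the digit sum to be a
    multiple of 10. This catches typos and fabricated numbers; it says
    nothing about whether a well-formed number is stolen (AVS, CVV2 and
    3D Secure address that)."""
    digits = [c for c in number if not c.isspace()]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass luhn_valid (handy for
    generating test data; not needed for validation itself)."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial number must contain only digits")


def reject_bogus(numbers) -> list:
    """Filter step for an order pipeline: the numbers that fail the checksum."""
    return [n for n in numbers if not luhn_valid(n)]


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))   # True
    print(reject_bogus(["4111111111111111", "4111111111111112", "abc"]))
```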

Administrative Interfaces
• URLs often easy to find
• Default passwords
• Security controls not as strong
- No account lockout
- No detection of brute force attacks
- PhpMyAdmin
• Can we restrict admin interface to Betfair IP addresses?

Registration Abuse
• CAPTCHA images
- Completely Automated Public Turing test to Tell Computers and Humans Apart
- A challenge response test to determine if user is a human
- appreciated by customers
- Intended to prevent scripted attacks
- Freely available optical character recognition software can identify letters in most CAPTCHAs
• Threshold counters
- based on IP
- Based on first 3 IP octets (192.176.12.*)
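The threshold counters above, as an added example that is not from the original notes: a registration throttle keyed both per exact IP and per first-three-octets block (192.176.12.* becomes the /24 192.176.12.0/24); the limits, class name and sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict


class RegistrationThrottle:
    """Threshold counters for a registration form, keyed two ways as on the
    slide: per exact IP and per first-three-octets block (a /24 such as
    192.176.12.*). Limits are constructed example values."""

    def __init__(self, per_ip: int = 3, per_block: int = 10):
        self.per_ip = per_ip
        self.per_block = per_block
        self._ip_count = defaultdict(int)
        self._block_count = defaultdict(int)

    @staticmethod
    def block_of(ip: str) -> str:
        """192.176.12.57 -> '192.176.12.0/24'."""
        return str(ipaddress.ip_network(ip + "/24", strict=False))

    def allow(self, ip: str) -> bool:
        """Record one registration and say whether it may proceed. Denied
        attempts are not counted, so a blocked source stays blocked rather
        than pushing its block's counter further."""
        block = self.block_of(ip)
        if self._ip_count[ip] >= self.per_ip or self._block_count[block] >= self.per_block:
            return False
        self._ip_count[ip] += 1
        self._block_count[block] += 1
        return True


def simulate(attempts, per_ip: int = 3, per_block: int = 10) -> list:
    """Run a list of source IPs through a fresh throttle; allow/deny per attempt."""
    throttle = RegistrationThrottle(per_ip, per_block)
    return [throttle.allow(ip) for ip in attempts]


if __name__ == "__main__":
    # Constructed burst: six hosts in 192.176.12.* then one from a neighbouring block
    burst = [f"192.176.12.{i}" for i in range(1, 7)] + ["192.176.13.1"]
    print(simulate(burst, per_ip=3, per_block=5))
```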

Misplaced Trust
A false sense of security is worse than no security at all.
• SSL
• Firewalls
• Client-side validation
• Source code analysis tools

"Only weak men fear able women" - Marion Boyars