• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Web 2.0 Hacking

Web 2.0 Hacking



Explore the limitations of today's web scanners and see where manual web testing takes over.

Explore the limitations of today's web scanners and see where manual web testing takes over.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Web 2.0 Hacking Web 2.0 Hacking Presentation Transcript

    • Web Application Security Assessments: Beyond the Automated Scanners Presented by: Blake Turrentine, [email_address] Date: August 25, 2008 Locale: DHS Conference and Workshops, Baltimore, MD
    • Scanning Web 1.0 Technology
    • Scanning Today’s Web 2.0 Technology
    • Mashups and Web Widgets
    • Beyond the Browser: Desktop Widgets
    • The Security Process
      • Threat Modeling
      • STRIDE
      • CIGITAL
      • CLASP
      • FISMA/NIST
    • Types of Testing Techniques
      • Black Box
      • White Box
      • Grey Box
    • Types of Automated Scanners
      • Static Code Analysis
      • Vulnerability
      • Web Application Specific
      • Fuzzers
      • Web Application Firewalls
      • Fortify Source Code Analyzer
      • Qualys, Nessus, Saint, Foundscan
      • WebInspect, Cenzic, Appscan, Nikto
      • Mu4000, Codenomicon, Peach, Spike
      • Web application firewalls:
        • Imperva
        • Fortify
        • Mod-Security
      Today’s Automated Scanners
      • Putting too much faith in automated scanners
      • Their limitations – intuitiveness
      • Low hanging fruit
      • False positives and false negatives
      • 508 Compliance / CAPTCHA
      • Out-maneuvering IPS and WAFS
      • Dangers of injecting code in production environments
      Problems with Automated Scans
      • Spidering
      • Complex business logic
      • Complex session handling
      • Semantics
      • Detecting Sensitive Data
      • Asynchronous dynamic code execution
      • Horizontal and vertical escalation
      • Mashups, Ajax bridges, widgets, RSS feeds
      • Emerging technologies such as Air and Silverlight
      More Problems With Automated Scans
      • Validation of automated scanners
      • Application profiling
      • Examining known attack vectors
      • Looking for compromise
      • Fuzzing
      Approaching a Better Solution: Taking a Closer Look
      • Application Fingerprinting
      • COTS
      • The mindset of application developers:
        • Server Side Code Developer
        • Client Side Code Developer
        • System Administrator (SA)
        • Database Administrator (DBA)
      Application Profiling
      • Catalog application, then vulnerability detection
      • The checklist
      Examining Known Vectors
      • Obfuscation
      • Lazy-Loading
      • Compromise
      • Browser/Server Security tradeoffs
      Client Side: Why scanners have difficulties in handling Advance JavaScript
      • Decompiling Bytecode / (It is not HTML)
      • Complex Session Management
      Client Side: Why scanners can’t handle Applets
      • Upload/download of files
      • Effective screening of content/control
      • Open boundary conditions
      • Embedded objects, action scripts, plug-ins, Active-X
      • Who’s responsible for the content supplied
      • Blacklists, Whitelists, Regex, selective lists
      Server Side: Input/output of content is getting more complex
      • Response Analysis
      • Blacklisting
      • Encoding tactics
      • Problems in dealing with Rich Internet Apps (Flash, RSS, Widgets)
      • Whitelisting drawbacks: bypassing Regex
      • Employ input and output validation with both Whitelists and Blacklists
      • Good input validation, poor output validation
      Server Side: Scanners Lack of Filter Enumeration and Evasion
      • XML parsing, manipulation, appending files, lack of tools
      • AJAX -Extended Footprint (traditional Web application with Web services)
      Complexity of analysis in Web Services
      • Inter-protocol exploitation and communication
      • Forced directory browsing - access control
      • Backend Web services
      • API reverse engineering
      • Authorization, session management, horizontal and vertical escalation, AJAX
      Difficulties in Testing Application Logic
      • XSS, SQL, Command, HTML Injection
      • SMTP
      • Browser types, versions and plug-ins, ActiveX
      • Server configurations
      • Interpretation of Error handling (database errors, stack traces)
      • Encoding Tactics
      • Attacking the Admin
      • Multilayer, 2 nd Order Attacks, Edge Cases
      Sophistication in Combining Attacks Vectors
      • Parsing the database
      • Script calls
      • Embedded AJAX
      • RSS
      • Flash
      • CSRF
      • Active-X calls
      • Outbound calls
      • Botnets
      • Mastering the DOM- polymorphic JavaScript
      Most Scanners Don’t Look for Infestation CSRF
      • Looking for Hooking Events Onload and OnFocus, eval()
      • Looking for user events such as, OnMouseOver
      • Making HTTP connections to offsite
      • OnKeyEvent
      • Asynchronous Stream Injections With Dynamic Script Execution
      • The Javascript Interpreter (Caffeine Monkey, SpiderMonkey) Obfuscation, whitespacing
      Infestation Detection
      • Pros and Cons
      • File Fuzzing
      • Fuzzing APIs
      • HTTP Server Responses Codes
      • Code Paths
      Difficulties in Fuzzing Analysis
      • The machine and the human element
      • Machine to machine
      • Code maintenance
      • Preventing your app from becoming a part of a Botnet
      • SDLC process
      • Regression testing
      • Dealing with 0-day attacks
      Closing Remarks
    • Demonstration:
      • Bypassing Defense in Depth
    • Webmail Application Test: Combining Server & Client Attack Vectors
    • Webmail Application Test: IE Recognizes File as a HTML
    • Webmail Application Test: Session Cookie is Displayed
    • GMail Web Application Test: Screenshot of Attached file
    • GMail Web Application Test: IE Recognizes File as an HTML
    • GMail Web Application Test: Javascript Fires
    • Yahoo Mail Web Application Test: Creating an Email
    • Yahoo Mail Web Application Test: Contents of ‘Instructions.doc’
    • Yahoo Mail Web Application Test: Screenshot of Attached File
    • Yahoo Mail Web Application Test: Norton AV Scans File Before Download
    • Yahoo Mail Web Application Test: Javascript Fires
    • Yahoo Mail Web Application Test: Redirection to Another Site
    • Q u e s t i o n s ??