Art and Science of Vulnerability Assessments
 

Vulnerability assessments require more than a methodology and checklist to perform. In this talk we will cover several creative aspects of application penetration testing including component discovery, abusing arithmetic, reversing algorithms, and subverting business logic. We will also review several high profile vulnerabilities which involved a combination of technical and logical failures to show where art and science meet.

    Presentation Transcript

    • The Art and Science of Vulnerability Assessments. (ISC)2 New York Metro, March 4, 2014. Virtue Security.
    • What we can't always teach:
      – Component discovery
      – Identifying data of value
      – Subverting arithmetic
      – Reversing algorithms
    • Principles of an Application Vulnerability Assessment:
      – Understanding the business purpose.
      – Parameters are our control variables.
      – Understand who an attacker may be and develop appropriate threats.
    • Component Discovery: request parameters such as Session Token, Request Timestamp, Page_num and User_ID each correspond to a component behind the application.
    • Control Characters Are Your Friend:
      0x00 NUL, 0x01 SOH, 0x02 STX, 0x03 ETX, 0x04 EOT, 0x05 ENQ, 0x08 BS, …
      – Control characters are often poorly handled by compiled applications.
      – Can be useful to identify or tamper with legacy systems.
    • Component Discovery, revisited: the request now carries a NUL byte in the URL, http://example.com/%00, with Request Timestamp, Page_num and User_ID as the remaining parameters.
    • What is Useful to an Attacker?
      – The obvious: usernames, passwords, session tokens, etc.
      – The less obvious: order numbers, timestamps
      – Anything that can be used to negatively impact business integrity.
    • Joe's Banana Stand: Vendor A notices an Ajax request used to confirm orders:
      order_confirmed.jsp?ordernumber=7567401102182014
      The endpoint responds TRUE / FALSE.
    • Joe's Banana Stand: Vendor A learns the following about the order number:
      – 7567 (unknown)
      – 4011 (banana PLU code)
      – 02182014 (date)
    • Application Arithmetic: Negative Values
      account_value += transfer_value;
      account_value = 1000 + 100;   // account_value = 1100
      account_value = 1000 + -100;  // account_value = 900
    • Integer overflows / wraparounds, 32 bits:
      1111 1111 1111 1111 1111 1111 1111 1111
      + 1
      0000 0000 0000 0000 0000 0000 0000 0000
      Signed range: −2,147,483,648 to +2,147,483,647
      Unsigned range: 0 to 4,294,967,295
    • Decimal Values: the same ten additions give different totals on different systems.
      System A: 1000 + 0.001 (repeated ten times) = 1000.00
      System B: 1000 + 0.001 (repeated ten times) = 1000.01
    • Not All Numbers Are the Same
      – Integers may be defined differently: limited capacity; signed / unsigned; varying support of decimals.
      – Applications may also handle numbers differently: order quantities with fractions; transactions with fractions of cents; negative values; divide by zero.
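    The three arithmetic slides above (negative values, 32-bit wraparound, and the 1000.00 versus 1000.01 rounding difference) as an added Python example, not code from the talk: it models the two systems so the discrepancy is reproducible, and shows the server-side amount check a transfer endpoint needs before it touches account_value. The per-transfer limit and the function names are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP, InvalidOperation

CENT = Decimal("0.01")
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MAX_TRANSFER = Decimal("1000000.00")   # assumed per-transfer business limit

def wrap_int32(value: int) -> int:
    """Model a 32-bit signed integer column: past INT32_MAX the value wraps around."""
    return (value + 2**31) % 2**32 - 2**31

def naive_transfer(account_value: int, transfer_value: int) -> int:
    """The slide's `account_value += transfer_value` with no validation, stored in 32 bits."""
    return wrap_int32(account_value + transfer_value)

def system_a(start: str, increment: str, times: int) -> Decimal:
    """System A: rounds to cents after every addition, so each 0.001 is dropped."""
    total = Decimal(start)
    for _ in range(times):
        total = (total + Decimal(increment)).quantize(CENT, rounding=ROUND_HALF_UP)
    return total

def system_b(start: str, increment: str, times: int) -> Decimal:
    """System B: keeps full precision and rounds once at the end, so the 0.001s add up."""
    total = Decimal(start)
    for _ in range(times):
        total += Decimal(increment)
    return total.quantize(CENT, rounding=ROUND_HALF_UP)

def check_transfer_amount(raw: str) -> str:
    """Return "ok" or the reason the submitted transfer amount must be rejected.

    Applied before any arithmetic, this keeps the negative-value, sub-cent and
    overflow cases from the slides away from account_value entirely.
    """
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return "not a number"
    if not amount.is_finite():            # rejects NaN and Infinity
        return "not a finite number"
    if amount <= 0:                       # blocks 1000 + -100
        return "amount must be positive"
    if amount > MAX_TRANSFER:             # bounded long before any integer limit
        return "amount exceeds limit"
    if amount != amount.quantize(CENT):   # blocks 0.001 and any other sub-cent value
        return "sub-cent precision not allowed"
    return "ok"
```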
    • Creating Better Payloads. Input field: johndoe@example.com, which the application may split into johndoe @ example.com. Attack strings:
      – johndoe'%20or%201=1--@example.com
      – johndoe@'%20or%201=1--example.com
      – johndoe@example.com'%20or%201=1--
    • Attacking Tokenizing Algorithms. Example parameter:
      account_number=6578364,6578376,6587653
      May have the following attacks:
      – account_number=6578364,6578376[SQLi],6587653
      – account_number=6578364,65783760000000,6587653
      – account_number=6578364,%00,6587653
      – account_number=6578364,-1,6587653
      – account_number=6578364,6578376,71111111
      – account_number=6578364,6578376,6587653,71111111
    • Denial of Service / Amplification. Amplification is the ratio of the work performed on the server to the work required to make the request:
      – www.example.com/cart/display.jsp?category=5&pageNum=4: response time 51ms
      – www.example.com/cart/display.jsp?category=5&pageNum=40: response time 614ms
      – www.example.com/cart/display.jsp?category=5&pageNum=10000: response time 43120ms
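    The tokenizing slide above, as an added Python example that is not from the talk: a strict parser for the account_number=a,b,c parameter that runs every attack variant from the slide and rejects each one, with an ownership check and a per-request cap as the defensive counterparts. The seven-digit account format, the cap of 20, the owned-account set and the SQL fragment substituted for the slide's [SQLi] placeholder are all constructed assumptions.

```python
import re
from typing import List, Optional, Set, Tuple

# Assumed account-number format: exactly seven ASCII digits. [0-9] rather than \d because
# \d also matches non-ASCII digits that int() happily converts; \A and \Z (not ^ and $)
# so a trailing newline cannot slip past the check.
ACCOUNT_RE = re.compile(r"\A[0-9]{7}\Z")
MAX_ACCOUNTS = 20   # assumed cap on how many accounts one request may reference

def parse_account_numbers(raw: str, owned: Set[str]) -> Tuple[List[str], Optional[str]]:
    """Tokenize the slide's account_number=a,b,c parameter the strict way.

    Returns (accounts, None) on success or ([], reason) at the first rejected token.
    A whitelist pattern makes the SQL fragment, the NUL byte, the negative value and the
    over-long number all fail the same way; the ownership check stops a caller from
    appending an account that is not theirs; the cap bounds the work per request.
    """
    tokens = raw.split(",")
    if len(tokens) > MAX_ACCOUNTS:
        return [], "too many account numbers"
    accounts: List[str] = []
    for token in tokens:
        if not ACCOUNT_RE.match(token):
            return [], "malformed account number: %r" % token
        if token not in owned:
            return [], "account not owned by caller: " + token
        if token in accounts:
            return [], "duplicate account number: " + token
        accounts.append(token)
    return accounts, None

# Constructed sample: the caller's own accounts, matching the slide's example parameter.
OWNED = {"6578364", "6578376", "6587653"}

# The slide's attack variants (the [SQLi] placeholder expanded to a constructed fragment).
SLIDE_ATTACKS = [
    "6578364,6578376' or 1=1--,6587653",
    "6578364,65783760000000,6587653",
    "6578364,\x00,6587653",
    "6578364,-1,6587653",
    "6578364,6578376,71111111",
    "6578364,6578376,6587653,71111111",
]

def rejected_reasons() -> List[Optional[str]]:
    """Run every slide variant through the parser; each must come back with a reason."""
    return [parse_account_numbers(attack, OWNED)[1] for attack in SLIDE_ATTACKS]
```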
    • What about tools?
      – Scanners should never be relied upon.
      – Tools should be user driven.
      – Tools should be used to make custom attacks more efficient.
    • How can we make things better?
      – Give users as little control as possible.
      – Maintain state on the server side wherever possible:
        http://www.example.com/viewaccount?id=67546737
        http://www.example.com/viewaccount
    • Never Forget
      – This is more than a job!
      – People really depend on you.
      – Maintain a balance of structure and creativity.