
Pentester's Mindset! - Ravikumar Paghdal

I will present multiple case studies to convey the message that if you think limited, you will be limited. The bug bounty approach has degraded the quality of penetration testing, for both customers and practitioners. It is hard for a customer to differentiate between a good penetration test and a quick-and-dirty top-10 or top-25 approach.

https://nsconclave.net-square.com/pentesters-mindset.html


  1. Pentester's Mindset! Get out of the limited OWASP Top 10 / SANS Top 25 / bug bounty mindset. Ravikumar Paghdal – Net Square, 25th January 2020
  2. # whoami – Ravikumar Paghdal
     • Sr. Manager at Net Square
     • Hacker
     • Trainer
     • Bounty Hunter [2012-17]: Google [Top 50 hacker list], Apple, Microsoft, Oracle ...
     • LinkedIn: /in/raviramesh
     • Twitter: @_RaviRamesh
  3. Caution: this talk can and will change the mindset and habits of a typical pen tester.
  4. I'll discuss multiple case studies to convey the message that if you think limited, you will be limited. The same old thinking, the same old results.
  5. The survey and statistics of the ethical hacker community - HackerOne 2019
  6. The 2019 edition of the Inside the Mind of a Hacker report - Bugcrowd 2019
  7. The survey and statistics of the ethical hacker community - HackerOne 2019
  8. According to the 2019 edition of the Inside the Mind of a Hacker report [largest attack surface] - Bugcrowd
  9. According to a survey conducted by HackerOne in 2019, "The survey and statistics of the ethical hacker community", more than 50% of bug bounty hunters focus on XSS and SQL injection only. https://www.hackerone.com/sites/default/files/2019-02/the-2019-hacker-report_3.pdf
  10. "When asked about their favourite attack vector, technique or method, over 38% of hackers surveyed said they prefer searching for cross-site scripting (XSS) vulnerabilities. That's up from just 28% last year, and puts XSS significantly ahead of all other attack vector preferences. SQL injection placed second at 13.5%, while fuzzing, business logic, and information gathering rounded out the top five. In 2017, neither business logic nor information gathering placed in the top 10." https://www.hackerone.com/sites/default/files/2019-02/the-2019-hacker-report_3.pdf
  11. What happened to the pentester's mindset? Pick any random web/mobile app VAPT report from your organisation and you will find one thing in common. Guess what? "The most common thing is the well-known vulnerabilities": SQL injection, XSS, CSRF, IDOR, missing security headers ...
  12. Most analysts' testing mechanism, or mindset towards testing, comes down to one basic strategy: intercept the HTTP request and inject single quotes ('), double quotes ("), greater-than signs (>) and less-than signs (<) to identify vulnerabilities. While injecting those special characters, the analyst's thought process eventually leads only to findings such as XSS and SQL injection ;)
  13. Why not also try:
     • backtick (`)
     • pipe (|)
     • null character (%00)
     • Zalgo text ( N̯̱ ̣͇̖̦̦ ̣ ͥͮͩͪ̐͑͂̈̅ ͦ͋̆̔͆̀̆̀̚̚ ̕ )
     • multibyte characters ( ﷽#$%&, )
     • Zero Width Space U+200B (ZWSP)
     • Carriage Return (ASCII 13), Line Feed (ASCII 10)
     • or other varied characters ...
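The point of slides 12 and 13 is that each character class reaches a different sink (a C string copy, a header writer, a shell, a log formatter), so a probe set has to cover all of them and the tester has to compare every response against a baseline rather than look only for a reflected payload. The following is an added example (not code from the talk) of that differential workflow: it builds one probe per character class and flags status changes, truncation and error signatures. The backend it talks to, fake_backend(), is a constructed stand-in that mimics three such sinks; in practice the send step is replaced by a real HTTP request.

```python
"""Probe characters beyond ' " < > and compare each response with a baseline.

Added example, not from the slides. fake_backend() is a constructed stand-in
for a real target; replace it with an HTTP call when using this for real.
"""
from urllib.parse import quote

# One probe per character class from the slide. Each is wrapped in a marker so
# reflection, or its disappearance, is easy to spot in the response body.
PROBES = {
    "single_quote": "'",
    "double_quote": '"',
    "angle_brackets": "<>",
    "backtick": "`",
    "pipe": "|",
    "null": "\x00",
    "zwsp": "\u200b",
    "crlf": "\r\n",
    "multibyte": "\ufdfd",            # U+FDFD, a wide multibyte glyph
    "zalgo": "N\u0332\u0305\u0336",   # base letter plus combining marks
}

MARKER = "zq"

def build_probes(base: str, marker: str = MARKER) -> dict:
    """Return {probe_name: value}, value = base + marker + probe + marker."""
    return {name: f"{base}{marker}{ch}{marker}" for name, ch in PROBES.items()}

def encode_query(param: str, value: str) -> str:
    """URL-encode a probe for a query string (NUL becomes %00, CRLF %0D%0A)."""
    return f"{param}={quote(value, safe='')}"

def fake_backend(value: str) -> tuple:
    """Constructed stand-in for three sinks behind one parameter: a header
    writer (breaks on CRLF), a shell command (chokes on backtick or pipe) and
    a C-style string copy (silently truncates at NUL)."""
    if "\r\n" in value:
        return 500, "Invalid header"
    if "`" in value or "|" in value:
        return 500, "sh: syntax error"
    shown = value.split("\x00", 1)[0]
    return 200, f"<p>Hello {shown}</p>"

def diff_against_baseline(baseline: tuple, probe: tuple, marker: str = MARKER) -> list:
    """List the observable differences a tester would triage."""
    findings = []
    b_status, b_body = baseline
    p_status, p_body = probe
    if p_status != b_status:
        findings.append(f"status {b_status}->{p_status}")
    elif p_body.count(marker) < b_body.count(marker):
        findings.append("input truncated")   # the second marker never came back
    for sig in ("syntax error", "Invalid header", "Exception", "Warning"):
        if sig in p_body and sig not in b_body:
            findings.append(f"error signature: {sig}")
    return findings

def run_probes(base: str = "alice") -> dict:
    """Send every probe; return {probe_name: findings} for those that differ."""
    baseline = fake_backend(f"{base}{MARKER}{MARKER}")
    results = {}
    for name, value in build_probes(base).items():
        findings = diff_against_baseline(baseline, fake_backend(value))
        if findings:
            results[name] = findings
    return results

if __name__ == "__main__":
    for name, findings in run_probes().items():
        print(f"{name:15} {findings}")
```

Quotes and angle brackets produce nothing here, which is exactly the case the slide describes: a tester who stops at those four characters walks away with a clean report while NUL truncation, CRLF and shell metacharacters all change the response.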
  14. According to the Common Weakness Enumeration (CWE List version 3.4), the total number of software weaknesses is 808. Why not!!
  15. HTTP request: 1. Which part of the request is vulnerable? 2. Which vulnerability will affect the application, and on which part?
  16. Behind the scenes: architecture
  17. 1. Server-to-server communication: parameter -> XML
  18. 2. Log entry: XML -> LOG (SQL, OS command)
  19. 3. Authentication: XML -> LDAP -> JWT
  20. 4. Data access: XML -> NoSQL DB
  21. 1. Server-to-server communication: parameter -> XML
  22. Possible vulnerabilities
     1. XML attacks
        → XML injection
        → XSLT injection [if XSLT is involved]
        → XInclude attack
        → XXE
        → XPath injection [if an XPath query is involved]
        → XSS through <![CDATA[ ]]>
        → Billion laughs attack or XML bomb [DoS]
        → Quadratic blowup attack
        → SSRF using XML processing
        → XML schema attacks, e.g. XML schema poisoning
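Most of the entity-based items on that list (XXE, billion laughs, quadratic blowup, SSRF through external entities) share one precondition: the parser accepts a DOCTYPE. The following is an added example (not code from the talk) of the server-side gate a tester should be looking for, using only the Python standard library: expat handlers that refuse DOCTYPE, entity declarations and external references before the document is parsed, plus a size cap. It also shows the CDATA point: the parser hands `<![CDATA[...]]>` back as plain text, so it still has to be HTML-escaped on output. The sample documents are constructed.

```python
"""Reject DTDs, entities and external references before parsing XML, then
escape extracted text before it reaches HTML.

Added example, not code from the talk. Stdlib only; samples are constructed.
"""
import html
import xml.parsers.expat
import xml.etree.ElementTree as ET

class UnsafeXML(ValueError):
    pass

def forbid_doctype(name, sysid, pubid, has_internal_subset):
    # No DOCTYPE means no entity definitions: XXE, billion laughs, quadratic
    # blowup and entity-based SSRF all need one.
    raise UnsafeXML(f"DOCTYPE {name!r} not accepted")

def forbid_entity(*decl):
    raise UnsafeXML("entity declarations not accepted")

def forbid_external(context, base, system_id, public_id):
    raise UnsafeXML(f"external entity {system_id!r} not accepted")

def check_xml(data: bytes, max_bytes: int = 256 * 1024) -> None:
    """Pre-parse gate: raises UnsafeXML on anything a plain data document
    should not contain. The size cap bounds the remaining DoS surface."""
    if len(data) > max_bytes:
        raise UnsafeXML("document exceeds size limit")
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = forbid_doctype
    p.EntityDeclHandler = forbid_entity
    p.ExternalEntityRefHandler = forbid_external
    p.Parse(data, True)   # an exception raised in a handler propagates here

def safe_parse(data: bytes) -> ET.Element:
    check_xml(data)
    return ET.fromstring(data)

def text_for_html(root: ET.Element, tag: str) -> str:
    """CDATA is only a lexical wrapper; the text inside it is attacker data."""
    node = root.find(tag)
    return html.escape(node.text or "") if node is not None else ""

def is_accepted(data: bytes) -> bool:
    try:
        safe_parse(data)
        return True
    except (UnsafeXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False

# Constructed samples: one benign, one CDATA-wrapped script, one XXE, one bomb.
BENIGN = b"<user><name>alice</name></user>"
CDATA_XSS = b"<user><name><![CDATA[<script>alert(1)</script>]]></name></user>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
       b"<user><name>&x;</name></user>")
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
                  b"<lolz>&lol3;</lolz>")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("cdata", CDATA_XSS), ("xxe", XXE), ("bomb", BILLION_LAUGHS)]:
        print(f"{label:7} accepted={is_accepted(doc)}")
    print(text_for_html(safe_parse(CDATA_XSS), "name"))
```

XInclude and XSLT are not covered by this gate: both are separate processing steps that the application has to enable explicitly, so when testing, check whether the server runs them on the incoming document at all.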
  23. 2. Log entry: XML -> LOG (SQL, OS command)
  24. Possible vulnerabilities
     1. Log entry in an SQL database → blind out-of-band SQL injection
     2. Log entry in a Linux OS → blind out-of-band OS command injection
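Why an audit log is an injection sink in the first place: the value extracted from the XML is concatenated into the INSERT that writes the log row. Nothing from that table is ever shown to the user, which is why the finding is blind or out-of-band. The following is an added example (not code from the talk) using sqlite3 in memory: the string-built writer lets a constructed payload add a second log row carrying a query result, while the parameterised writer stores the payload verbatim as one row. The same reasoning applies when the log line is concatenated into a shell command (`logger`, `echo >> file`); only the SQL case is shown.

```python
"""Audit-log writer: string-built INSERT (injectable) beside a parameterised one.

Added example, not from the talk. sqlite3 in memory; payload is constructed.
"""
import sqlite3

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit (src TEXT, msg TEXT)")
    return db

def log_unsafe(db: sqlite3.Connection, src: str, msg: str) -> None:
    # The message from the request reaches the SQL text verbatim.
    db.execute(f"INSERT INTO audit (src, msg) VALUES ('{src}', '{msg}')")

def log_safe(db: sqlite3.Connection, src: str, msg: str) -> None:
    # Bound parameters: the same string is just data.
    db.execute("INSERT INTO audit (src, msg) VALUES (?, ?)", (src, msg))

# Constructed payload. It closes the first VALUES tuple, appends a second row
# whose msg is a query result, then re-opens a string so the original trailing
# quote and parenthesis remain valid SQL:
#   ... VALUES ('web', 'login ok'),('probe',(SELECT sqlite_version())||'')
PAYLOAD = "login ok'),('probe',(SELECT sqlite_version())||'"

def rows(db: sqlite3.Connection) -> list:
    return db.execute("SELECT src, msg FROM audit ORDER BY rowid").fetchall()

def demo_unsafe() -> list:
    db = new_db()
    log_unsafe(db, "web", PAYLOAD)
    return rows(db)

def demo_safe() -> list:
    db = new_db()
    log_safe(db, "web", PAYLOAD)
    return rows(db)

def db_version() -> str:
    return sqlite3.sqlite_version

if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
```

On a real engagement the second row is never visible; the tester would instead use a time-based subquery or, where the database can reach out, a DNS or HTTP request carrying the result, which is the "out-of-band" part of the slide.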
  25. 3. Authentication: XML -> LDAP -> JWT
  26. Possible vulnerabilities
     1. LDAP authentication → LDAP injection
     2. JSON Web Token (JWT) (see the threats catalogued in RFC 8725)
        → weak symmetric keys
        → incorrect composition of encryption and signature
        → plaintext leakage through analysis of ciphertext length
        → insecure use of elliptic curve encryption
        → multiplicity of JSON encodings
        → substitution attacks
        → cross-JWT confusion
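Both sinks on this path can be shown in a few dozen lines. The following is an added example (not code from the talk), standard library only, with constructed data: an LDAP search filter built with and without RFC 4515 escaping, so the classic `*)(uid=*))(|(uid=*` payload either rewrites the filter or becomes literal text; and an HS256 JWT minted with a weak shared secret, cracked offline with a tiny wordlist, beside a verifier that pins the algorithm so an `alg: none` header is refused before any key is consulted.

```python
"""Authentication path: LDAP filter escaping and JWT HS256 weak-key / alg pinning.

Added example, not from the talk. Stdlib only; all inputs are constructed.
"""
import base64
import hashlib
import hmac
import json

# ---- LDAP ------------------------------------------------------------------
def ldap_escape(value: str) -> str:
    """RFC 4515 filter escaping: \\ * ( ) and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def filter_unsafe(user: str) -> str:
    return f"(&(objectClass=person)(uid={user}))"

def filter_safe(user: str) -> str:
    return f"(&(objectClass=person)(uid={ldap_escape(user)}))"

# ---- JWT (RFC 7519 / 7515, HS256 only) ---------------------------------------
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def jwt_verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm: a header saying 'none' or RS256 is rejected before the
    key is touched, which closes the alg/key confusion family."""
    header, body, sig = token.split(".")
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64url(body))

def forge_alg_none(token: str) -> str:
    """What an attacker submits when the server does not pin the algorithm."""
    _, body, _ = token.split(".")
    return b64url(b'{"alg":"none","typ":"JWT"}') + "." + body + "."

def crack_hs256(token: str, wordlist):
    """Offline dictionary attack on the shared secret; returns the key or None."""
    header, body, sig = token.split(".")
    target = unb64url(sig)
    for guess in wordlist:
        mac = hmac.new(guess, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return guess
    return None

if __name__ == "__main__":
    print(filter_unsafe("*)(uid=*))(|(uid=*"))
    print(filter_safe("*)(uid=*))(|(uid=*"))
    tok = jwt_sign_hs256({"sub": "alice", "role": "user"}, b"secret")   # constructed weak key
    print(tok)
    print("cracked:", crack_hs256(tok, [b"password", b"123456", b"secret"]))
```

For the JWT half the two things to check on an engagement are the key length (RFC 8725 asks for at least as many bits as the MAC output, 256 for HS256) and whether the verifier takes the algorithm from the token or from its own configuration; the crack step is what turns a short secret into a forged token.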
  27. 4. Data access: XML -> NoSQL DB
  28. Possible vulnerabilities
     1. NoSQL database → NoSQL injection
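A single quote does nothing against a document store; what matters is whether the application lets the caller supply an operator object where it expected a string. The following is an added example (not code from the talk) with a constructed MongoDB-style matcher and user collection: the unchecked login accepts `{"$ne": ""}` as a password and leaks the real one character by character through `$regex`, while the checked version insists on string operands. The matcher only implements the operators the example needs.

```python
"""NoSQL login: operator objects in user input, and the type check that stops them.

Added example, not from the talk. find_one() is a constructed stand-in for a
document store's query engine; USERS is a constructed collection.
"""
import json
import re

USERS = [
    {"user": "admin", "pass": "S3cr3t!"},
    {"user": "alice", "pass": "wonderland"},
]

def match_field(stored, cond) -> bool:
    """Evaluate one field condition the way a document store would."""
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = stored != arg
        elif op == "$gt":
            ok = stored is not None and stored > arg
        elif op == "$regex":
            ok = isinstance(stored, str) and re.search(arg, stored) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True

def find_one(query: dict):
    for doc in USERS:
        if all(match_field(doc.get(k), v) for k, v in query.items()):
            return doc
    return None

def login_unsafe(body: str):
    """Request JSON is passed straight into the query object."""
    data = json.loads(body)
    return find_one({"user": data["user"], "pass": data["pass"]})

def login_safe(body: str):
    """Type whitelist: only plain strings may be compared."""
    data = json.loads(body)
    user, pw = data.get("user"), data.get("pass")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("credentials must be strings")
    return find_one({"user": user, "pass": pw})

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"

def leak_password(user: str, alphabet: str = ALPHABET, max_len: int = 32) -> str:
    """Blind extraction through the unsafe endpoint: one login per guessed
    character, using an anchored $regex on the growing prefix."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            body = json.dumps({"user": user, "pass": {"$regex": "^" + re.escape(known + ch)}})
            if login_unsafe(body) is not None:
                known += ch
                break
        else:
            return known   # no character extends the prefix: password complete
    return known

if __name__ == "__main__":
    print(login_unsafe('{"user":"admin","pass":{"$ne":""}}'))
    print(leak_password("admin"))
```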
  29. HTTP headers: CVE-2019-5418 - file content disclosure in Rails (Action View, triggered through the Accept header); CVE-2014-6271 - Shellshock, also known as Bashdoor (triggered through any header that a CGI handler exports to Bash as an environment variable)
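Both CVEs on this slide arrive in request headers rather than in a parameter, which is why a tester who only edits the query string and body never sees them. The following is an added example (not code from the talk) of detection logic run over constructed request samples: it parses the header block and flags the Shellshock function-definition prefix `() {` in any header value, and an Accept header that is a path traversal ending in `{{`, the shape used against Rails `render file:`.

```python
"""Flag the two header-borne attacks named on the slide in raw HTTP requests.

Added example, not from the talk. Request samples are constructed.
"""
import re

# Shellshock: Bash parsed an exported variable starting with "() {" as a function.
SHELLSHOCK = re.compile(r"\(\)\s*\{")
# Rails CVE-2019-5418: traversal in Accept, terminated by "{{".
TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/)", re.IGNORECASE)

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into {header_name_lower: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break          # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw: str) -> list:
    findings = []
    headers = parse_request(raw)
    for name, value in headers.items():
        if SHELLSHOCK.search(value):
            findings.append(f"CVE-2014-6271 pattern in {name}")
    accept = headers.get("accept", "")
    if TRAVERSAL.search(accept) and accept.endswith("{{"):
        findings.append("CVE-2019-5418 pattern in accept")
    return findings

SAMPLES = {   # constructed
    "benign": ("GET / HTTP/1.1\r\nHost: app.example\r\nAccept: text/html\r\n"
               "User-Agent: curl/7.64\r\n\r\n"),
    "shellshock": ("GET /cgi-bin/status HTTP/1.1\r\nHost: app.example\r\n"
                   "User-Agent: () { :; }; /bin/sleep 5\r\n\r\n"),
    "rails": ("GET /reports HTTP/1.1\r\nHost: app.example\r\n"
              "Accept: ../../../../../../../../etc/passwd{{\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {classify(raw)}")
```

These are signatures for two known bugs, not a general rule; the lesson of the slide is the one in the tester's checklist, namely that every header the server reads (Accept, User-Agent, Referer, X-Forwarded-For, Cookie) is input and gets the same probe set as a parameter.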
  30. Same question again: 1. Which part of the request is vulnerable? 2. Which vulnerability will affect the application, and on which part?
  31. Root cause analysis. The following factors are responsible ... 1. Training institutes 2. Our old mindset 3. Quality compromised by security firms and app vendors
  32. 1. Training institutes
  33. Major movements in the software development world between 2000 and 2019
  34. Major movements in server-side architecture between 2016 and 2019
  35. In InfoSec, training courses are not updated with the times ... they still stop at SQL injection (not NoSQL injection, ORM injection, SSI injection ...), XSS (not SSJI, SSTI ...), CSRF (not SSRF ...)
  36. 2. Our old mindset
  37. Which circle do you believe is larger?
  38. "Just imagine: as a child, you were taught that the blue circle is larger than the red. 🧒 🔵 > 🔴 If you say it enough times, you convince yourself that is the truth. ⏱ 📢 If you're told the lie enough times, it becomes part of your reality. 💯
  39. And if enough people are taught the lie that the blue circle is larger than the red, now it becomes part of the culture. 🧑🤝🧑🧑🤝🧑🧑🤝🧑🧑🤝🧑 And if that culture then passes that misinformation along to the next generation, well, now it becomes tradition." - James Wildman
  40. alert(1) ≠ XSS. ' or '1'='1 ≠ SQL injection. Taught in trainings, you convince yourself; you're told the lie enough times; enough people are taught the lie through blogs and write-ups. Now you pass that misinformation along to the next generation.
  41. Sometimes script kiddies be like ..
  42. "A security analyst or a penetration tester only focuses on well-known vulnerabilities." Let us understand the habitual behaviours or patterns of practice.
  43. After a few days or months it is imprinted in our unconscious mind. It will passively force you to take the same action without your active observation.
  44. 3. Quality compromised by security firms and app vendors
  45. Contrasting lifestyles: lots of money, boundless fun, unlimited time, zero liability
  46. Contrasting lifestyles:
     • It's out of scope
     • Do a comprehensive PT ... but in 3 days' time
     • No commercial tools. Budget is limited
     • It's a prod environment. No exploits allowed!
     • You can't use Linux tools, we are using Windows
     • Vendor doesn't support that configuration
     • Nobody else could figure that out
     • You can't explain the risk to "The Business"
     • It's a legacy system
     • It's "too critical to patch"
     • Provide RCA: why did you not find it in the previous VAPT?
     • It's managed by a third party
     • It's an internal system
     • It's handled in the Cloud
     • It's an interim solution
     • It's XYZ compliant
     • It's encrypted communication
     • It's behind the firewall
     • It's only a pilot/proof of concept
  47. Thank you! @_RaviRamesh http://raviramesh.info/mindset.html
