Learn how to discover every web application you own and assess each one's risk level through the hacker's lens, so that you understand the overall attack surface and can find the right path to remediation.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface Visibility
1. Demystify web application security with attack surface visibility
Simon Roe and John Stock, Outpost24
27th January 2021
2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Complete Application security for DevSecOps
CREST-certified penetration testing.
5. Overwhelming choice
• Pen testing, DAST scanning, SAST, SCA, IAST
• DevSecOps
• WAF, RASP
• So many buzzwords, so many different products
• Where do we start?
6. How to identify your application attack surface score
• What you know (your e-commerce system)
• What you don't know:
  • IoT devices
  • Benefits
  • Marketing campaigns
  • Acquisitions
  • Other third-party sites (e.g. employee benefits)
• Together these make up your addressable attack surface
10. Where to start…
• A basic understanding of the web application
• No need to understand DevOps or be an AppSec guru
• Mostly what we would call 'basic security best practice'
11. What tools do I need?
• Available tools include:
  • Maltego
  • theHarvester
  • ShodanHQ
• But as the site is externally facing, we can also just use the most powerful tool available: a web browser!
13. Page Creation Method
• How was the page created?
• Static HTML, or dynamic content, e.g. PHP, ASP, JSP…
14. Degree of Distribution
• Cross-domain is always harder to secure
• The greater the number of second-level and sub-domains, the higher the risk
15. Authentication
• Is there authentication?
• Is it email and password?
• Any signs of 2FA?
16. Input Vectors
How many opportunities are there for data input?
• Forms
• Hidden parameters
• URL parameters
• Search
17. Active Content
• JavaScript, external JavaScript, server-side scripting, AJAX, Java, Flash, external Flash, RSS feeds… oh boy!
• Does it make use of a plugin or helper app? Active!
18. Cookies
Everyone loves cookies!
• Number of cookies:
  • external (foreign)
  • internal (local)
• Type of cookie:
  • Tracking
  • Session management
  • Authentication
20. Scoring your application attack surface
• Turn those attack vectors into scores

SM     PCM    DOD    AUT    IV     ACT    CS
9.95   100    91.18  33.33  29.04  100    0

(SM = Security Mechanisms, PCM = Page Creation Method, DOD = Degree of Distribution, AUT = Authentication, IV = Input Vectors, ACT = Active Content, CS = Cookies)
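As an added, illustrative example (not code from the webinar or from Outpost24), the script below collects the indicators behind the vectors of slides 13 to 18 for a constructed sample page, then turns them into per-vector values and an overall AS score of the kind shown on this slide. Everything in it is an assumption made here: the www.example.com target, the sample headers, cookies and HTML, the treatment of V1 "Security Mechanisms" as a count of security response headers, the caps used to normalise each vector to 0..1 (multiply by 100 for the table form above), and the vector weights. The slides do not describe Outpost24's actual normalisation or weighting.

```python
# Per-vector attack surface indicators and score for one page (added example;
# the sample data, caps, weights and normalisation are assumptions, not the webinar's formula).
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SITE = "www.example.com"  # hypothetical target
SEC_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
               "X-Frame-Options", "X-Content-Type-Options")
WEIGHTS = {"SM": 5, "PCM": 4, "DOD": 6, "AUT": 7, "IV": 8, "ACT": 6, "CS": 6}  # assumed
COOKIE_KINDS = (("session", ("phpsessid", "jsessionid", "asp.net_sessionid")),
                ("authentication", ("remember", "auth", "token", "login")),
                ("tracking", ("_ga", "_gid", "_fbp", "_gcl")))
# Constructed sample data (not a real capture): response headers, cookies as
# seen in the browser devtools (setting host, Set-Cookie line) and page HTML.
SAMPLE_HEADERS = {"Server": "Apache/2.4.6", "X-Powered-By": "PHP/5.6.40",
                  "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_COOKIES = [("www.example.com", "PHPSESSID=abc123; Path=/; HttpOnly"),
                  ("www.example.com", "remember_me=deadbeef; Path=/; Secure; HttpOnly"),
                  ("www.google-analytics.com", "_ga=GA1.2.555; Domain=.google-analytics.com"),
                  ("www.example.com", "_gid=GA1.2.777; Path=/")]
SAMPLE_HTML = """<html><head><script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script><script>var x = 1;</script>
</head><body><form action="/login.php" method="post"><input type="email" name="user">
<input type="password" name="pass"><input type="hidden" name="csrf" value="t0k3n">
<input type="hidden" name="next" value="/account"></form>
<form action="/search.php"><input type="text" name="q"></form>
<a href="/product.php?id=42&amp;ref=home">Item</a> <a href="https://shop.example.com/cart">Cart</a>
<a href="https://cdn.example.com/i.png">Img</a> <a href="https://partner-benefits.com/offers">Benefits</a>
<img src="https://img.example.net/logo.png"><object data="legacy.swf"></object></body></html>"""


def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # naive; a public suffix list handles co.uk etc.


class SurfaceParser(HTMLParser):
    """Counts the indicators behind V2..V6 (slides 13 to 17) while parsing the page."""
    def __init__(self, site):
        super().__init__()
        self.own = registered_domain(site)
        self.n = dict(forms=0, hidden=0, search=0, inline_js=0, external_js=0,
                      plugins=0, password=0, twofa=0)
        self.params, self.hosts, self.paths = set(), set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.n["forms"] += 1
            self.n["search"] += "search" in a.get("action", "").lower()
        elif tag == "input":
            kind, name = a.get("type", "text").lower(), (a.get("name", "") + a.get("id", "")).lower()
            self.n["hidden"] += kind == "hidden"
            self.n["password"] += kind == "password"
            self.n["twofa"] += any(k in name for k in ("otp", "2fa", "mfa", "totp"))
        elif tag in ("object", "embed", "applet"):
            self.n["plugins"] += 1  # Flash / Java helper apps
        elif tag == "script":
            src_host = urlparse(a.get("src", "")).netloc.lower()
            if "src" not in a:
                self.n["inline_js"] += 1
            elif src_host and registered_domain(src_host) != self.own:
                self.n["external_js"] += 1
        # Every URL the page points at feeds the distribution and URL-parameter counts.
        for u in (urlparse(a[k]) for k in ("href", "src", "action", "data") if a.get(k)):
            self.hosts.update([u.netloc.lower()] if u.netloc else [])
            self.paths.add(u.path.lower())
            self.params.update(parse_qs(u.query))


def classify_cookie(host, line, site=SITE):
    """Type (by name pattern), origin, flags and assumed weight of one cookie (slide 18)."""
    name = line.split("=", 1)[0].strip().lower()
    attrs = {p.strip().split("=", 1)[0].lower() for p in line.split(";")[1:]}
    kind = next((k for k, pats in COOKIE_KINDS if name.startswith(pats)), "other")
    secure, httponly = "secure" in attrs, "httponly" in attrs
    foreign = registered_domain(host) != registered_domain(site)
    weak = kind in ("session", "authentication") and not (secure and httponly)
    return {"name": name, "kind": kind, "secure": secure, "httponly": httponly,
            "foreign": foreign, "points": 1 + int(foreign) + int(weak)}


def extract_indicators(html, headers, cookies, site=SITE):
    p = SurfaceParser(site)
    p.feed(html)
    subdomains = {h for h in p.hosts if registered_domain(h) == p.own and h != site}
    foreign = {registered_domain(h) for h in p.hosts} - {p.own}
    dynamic_ext = (".php", ".asp", ".aspx", ".jsp", ".do")
    return {"sec_headers": sum(h in headers for h in SEC_HEADERS),
            "dynamic": "X-Powered-By" in headers or any(x.endswith(dynamic_ext) for x in p.paths),
            "subdomains": len(subdomains), "foreign_domains": len(foreign),
            "password_login": p.n["password"] > 0, "two_factor_hint": p.n["twofa"] > 0,
            "input_vectors": p.n["forms"] + p.n["hidden"] + p.n["search"] + len(p.params),
            "active_content": p.n["inline_js"] + p.n["external_js"] + p.n["plugins"],
            "cookies": [classify_cookie(h, line, site) for h, line in cookies]}


def score_vectors(ind):
    """Normalise each vector to 0..1 (higher = more exposed surface), then weight and sum."""
    v = {"SM": 1 - ind["sec_headers"] / len(SEC_HEADERS),
         "PCM": 1.0 if ind["dynamic"] else 0.0,
         "DOD": min(1.0, (ind["subdomains"] + ind["foreign_domains"]) / 8),
         "AUT": 0.0 if not ind["password_login"] else (0.5 if ind["two_factor_hint"] else 1.0),
         "IV": min(1.0, ind["input_vectors"] / 20),
         "ACT": min(1.0, ind["active_content"] / 10),
         "CS": min(1.0, sum(c["points"] for c in ind["cookies"]) / 10)}
    return v, round(sum(WEIGHTS[k] * v[k] for k in v), 2), sum(WEIGHTS.values())


def score_sample():
    """(per-vector 0..1 values, AS score, maximum) for the constructed sample page."""
    return score_vectors(extract_indicators(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_COOKIES))
```

Calling score_sample() on the constructed page yields SM 0.75, PCM 1.0, DOD 0.75, AUT 1.0, IV 0.35, ACT 0.4, CS 0.6 and an AS score of 28.05 of 42 under the assumed weights; the same routine run over a real capture (page source plus the Set-Cookie lines from the browser's developer tools) gives one row of the table above. Two caveats for real use: the second-level-domain helper needs a public suffix list to count sub-domains of co.uk-style sites correctly, and a single page under-counts input vectors and hosts, so crawl the application rather than its front page.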
21. Translate scores to a visual attack surface summary
[Attack Surface Radar: seven axes on a 0.00 to 1.00 scale: V1 Security Mechanisms, V2 Page Creation Method, V3 Degree of Distribution, V4 Authentication, V5 Input Vectors, V6 Active Content, V7 Cookies]
AS Score: 33.48 of 42.19
22. Overall application attack surface score card
Scope: www.Outpost24.com    AS Score: 39.16 of 42.00

SM     PCM    DOD    AUT    IV     ACT    CS
9.95   100    91.18  33.33  29.04  100    0

Components detected: jQuery 1.12.4, jQuery Migrate 1.4.1, PHP/5.6.40, Apache/2.4.6, WordPress 5.2.6
Findings (status labels as shown on the slide): Vulnerable, Vulnerable, DoS / Vulnerable, Vulnerable, OK
Alexa Ranking: #413,480 in global internet engagement over the past 90 days
[Attack Surface Radar: seven axes on a 0.00 to 1.00 scale: V1 Security Mechanisms, V2 Page Creation Method, V3 Degree of Distribution, V4 Authentication, V5 Input Vectors, V6 Active Content, V7 Cookies]
[Screenshot of the application]
23. Leads to an informed choice of tools
• Make informed choices about tools, solutions and services
  • Critical applications: continuous hybrid application testing
  • Less critical: DAST scanning plus a one-time penetration test
• Identify IoT devices; turn off access or block them with a firewall
• Start to inform development decisions
  • SCA for third-party components
  • SAST or IAST for code improvements
• Build a continuous application security assessment program
25. Takeaways
• Applications continue to be a prime vector for breaches.
• Measuring the right attack vectors gives you a comprehensive view of an application's attack surface.
• This in turn gives you a sense of the risk the application poses.
• Using this information can help drive your application security program (ASP).
• Your ASP should be dynamic and continuous, not one-time and done.