What You Need to Know About Web App Security Testing in 2018

1. WhatYou Need to Know About Web App Security Testing in 2018 Ken De Souza STP Community Webinar, January 2018 V. 1.4 Twitter: @kgdesouz blog.tkee.org

2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

3. GET https://[redacted].com/orchestration_1111/gdc/ BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no- NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/ Paris&TimeFrom=2014-09-27T09:15:21

4. GET https://[redacted].com/orchestration_1111/gdc/ BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no- NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/ Paris&TimeFrom=2014-09-27T09:15:21

5. Source: https://youtu.be/Nt33m7G_42Q

6. CVE-2017-5638 March 2017 CVE-2017-9805 4 September 2017

7. Source: https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security, https:// nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/

8. Source: https://github.com/mazen160/struts-pwn_CVE-2017-9805

9. Source: ‪https://news.ycombinator.com/item?id=15233399

10. Source: https://krebsonsecurity.com/ 2017/09/ayuda-help-equifax-has-my-data/

11. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.

12. This topic is HUGE The tools don’t replace thinking.

13. Common terminology Learn something about the threats Demos of tools Explain the risks to stake holders Where to go next

14. "security, just like disaster recovery, is a lifestyle, not a checklist" This is not a black and white problem Source: https://news.ycombinator.com/item?id=11323849

15. STRIDE(identification) DREAD(classification) OWASP Top 10 (attack vectors)

16. OWASP ZAP (Web application vulnerability analysis) Dependency Check (3rd party vulnerability analysis)

17. nmap / Wireshark / tcpdump (network analysis) Microsoft Threat Modeling (communication)

18. Application Security Risks Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

19. STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

20. Sources: https://www.owasp.org/index.php/Application_Threat_Modeling http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx Type Security Control Examples Spoofing Authentication I am Spartacus Tampering Integrity Looks like Johnny got an A! Repudiation Non- Repudiation Didn’t Johnny have a B? Information disclosure Confidentiality Johnny’s SSN is… Denial of service Availability Please try again later. Elevation of privilege Authorization sudo rm –rf /home/johnny

21. DREAD Damage Reproducibility Exploitability Affected users Discoverability Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx

22. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Developer point of view…. DREAD Parameter Rating Rationale Damage Potential 5 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 2 Easily exploitable by automated tools found on the Internet. Affected Users 1 Affects critical administrative users Discoverability 1 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 3.8

23. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Tester point of view… DREAD Parameter Rating Rationale Damage Potential 10 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 10 Easily exploitable by automated tools found on the Internet. Affected Users 10 Affects critical administrative users Discoverability 10 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 10

24. STRIDE / DREAD Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

25. OWASP Top 10, 2017 Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf

26. OWASP Top 10 Open Web Application Security Project

27. A1: Injection http://example.com/app/accountView? id=' A2: Broken Authentication Using known passwords (from various public lists) Allowing insecure (not strong) passworrd (e.g.: Password1) A3: Sensitive Data Exposure SSL not being used Meltdown Bad programming A4: XML External Entities (new) <node attrib='foo''/> A5: Broken Access Control http://example.com/app/accountInfo? acct=notmyacct Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

28. A6: Security Misconfiguration Default admin account enabled; directories shown on site; Stack traces shown to users; A7: Cross Site Scripting (XSS) <script>alert('test');</script> A8: Insecure Deserialization (new) Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed. A9: Using Components with known vulnerability Not patching your 3rd party sh*t A10: Insufficient Logging & Monitoring (new) Monitoring unauthorized access; Alerting on potential breaches; Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

29. nmap crt.sh dig

30. nmap what ports are open? Where can you attack? Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

31. Source: crt.sh

32. Source: dig -f shopify-urls.txt +noall +answer

33. Source: shodan.io

34. Wireshark tcpdump

35. Network packet / protocol analysis tool Allows users to capture network traffic from any interface, like Ethernet,Wifi, Bluetooth, USB, etc

36. Why use Wireshark? It is a great tool to debug your environment Help to examine potential security problems

37. docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie" This container has LOTS of vulnerabilities, designed for learning about web security Source: Docker running “Ticket magpie” (https://github.com/dhatanian/ticketmagpie)

38. Wireshark Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

39. Demo

40. tcpdump: Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

41. Why use tcpdump? Use this when you can’t use Wireshark Great for servers

42. tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80

43. OWASP ZAP

44. Why use OWASP ZAP? Can be used to find many of the top 10 exploits Can be quick integrated into you manual or automated workflow Can be used in active or passive mode

45. OWASP ZAP Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

46. Demo

47. Dependency Check

48. What is it? Checks your application for 3rd party software Looks to see if there are any known vulnerabilities and gives you suggestions on how to fix them

49. Threat Modeling

50. What is it? A way to analyze and communicate security related problems This is a much larger topic than we have time for … but I’ll give you the basics

51. Why do this? To explain to management To explain to customers To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model

52. Threat Modeling: Communicating it… Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

53. Threat Modeling Step 1: Enumerate –  Product functionality –  Technologies used –  Processes –  Listening ports –  Process to port mappings –  Users processes that running –  3rd party applications / installations

54. Threat Modeling Step 2: Data flow with boundaries Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat- modeling-you-apps.aspx

55. Demo

56. Threat Modeling Can be done at various stages of the SDLC https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png

57. netstat nslookup ps browser dev tools BurpSuite

58. All these tools, help to answer the question Is your application secure?

59. Where to go next?

60. Bug bounties

61. Practice https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/

62. Practice https://xss-game.appspot.com

63. To conclude…

64. Be aware and prepare yourself for the worst. Coming up with a plan is important Understanding attack vectors is important

65. Thanks!

66. References •  Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/ preventing-csrf-with-samesite-cookie-attribute/ •  Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/ security-ninjas-opensource •  Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling- web-application-a-case-study •  Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx •  Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http:// www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known- vulnerabilities •  Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world- application-threat-modelling-by-example •  The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/ •  Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx •  Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability- what-you-need-to-know/

What You Need to Know About Web App Security Testing in 2018

Ken DeSouza

What You Need to Know About Web App Security Testing in 2018