The Shop (name changed) was a website which had numerous security vulnerabilities. A copy of the original website is used as a security test environment with known security vulnerabilities. Interns were tasked with performing a penetration test ("pen test") on the environment and writing a brief of their analysis.
2. Structure of a Static Website
(Diagram: the user sends a Request to The Shop server, which returns a Response.)
Gavin Wiener @ 2016
3. Structure of a Dynamic Website
(Diagram: the user sends a Request to The Shop server; the server queries a Database and returns a Response.)
4. Database
1. Pros
a. User accounts
b. Products
c. Suppliers
2. Cons
a. Centralized location of private information
5. Vulnerabilities
A vulnerability is a weakness in a system which allows unintended access to,
or modification of, information.
Requirements for exploitation:
1. The vulnerability must exist
2. The attacker must have access to the vulnerability
3. The attacker must have the knowledge to exploit the vulnerability
6. Vulnerabilities
1. High Risk
a. An attacker can control and modify company assets
2. Medium Risk
a. An attacker can control and modify company assets, but only in combination
with another existing or future vulnerability
3. Low Risk
a. No control, but information is unnecessarily leaked which helps the
attacker
7. High Risk - Control and Modification
1. SQL Injection
2. Execute System Commands
3. Concurrent Sessions
8. SQL Injection
SELECT * FROM UserAccounts WHERE username='<input>';
SQL injection leverages user input that is used in a SQL query to manipulate the
structure of the query and construct queries which were not intended.
13. SQL Injection
Solution
● Do not trust user input
● Use parameterized queries, so that input is bound as data and can never change the structure of the query
● Validate and sanitize user input as a second layer, not as the only defence
SELECT * FROM UserAccounts WHERE username=? and password=?;
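The two query styles from the slides side by side, as an added example written for this page in Python against an in-memory SQLite database (not code from the deck or from The Shop). The table and column names come from the slide; the rows, the is_admin column and the plaintext passwords are constructed for the demo (a real system stores password hashes):

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the UserAccounts table (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserAccounts (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO UserAccounts VALUES (?, ?, ?)",
        [("david", "correct horse battery", 0), ("admin", "hunter2", 1)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The pattern from the slide: input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest of the input becomes SQL."""
    query = (
        "SELECT username, is_admin FROM UserAccounts "
        f"WHERE username='{username}' AND password='{password}';"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders are bound as data; the query structure is fixed."""
    query = "SELECT username, is_admin FROM UserAccounts WHERE username=? AND password=?;"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # admin' -- : the quote closes the literal and -- comments out the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))      # ('admin', 1): logged in as admin
    print(login_parameterized(db, "admin' --", "wrong"))   # None: treated as a literal username
    print(login_parameterized(db, "david", "correct horse battery"))  # ('david', 0)
```

With the parameterized form the same payload is simply a username nobody has; no amount of quoting in the input can reach the query text.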
14. Execute System Commands
Executing instructions directly on the server. An attacker can modify
system information, affect the operation of system services, or add a user.
Vulnerabilities:
1. xp_cmdshell (a SQL Server extended stored procedure that runs operating-system
commands under the database service account; it is disabled by default and should
stay disabled unless there is a specific need for it)
2. Command line injection
17. Execute System Commands
Command Line Injection
Exploiting it requires an admin account, acquired via SQL injection
or session hijacking
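An added example, written for this page in Python and not taken from the deck, of the command-line injection pattern beside its fix. It assumes an admin-only diagnostic page that runs a command against a host name the admin types in; echo stands in for the real tool so the block is harmless and runs offline on any POSIX system with /bin/sh, and the host-name rule is an assumption:

```python
import re
import subprocess

# Assumption: the admin feature only ever needs DNS-style host names.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_vulnerable(host: str) -> str:
    """Input is pasted into a shell command line and handed to /bin/sh.
    Shell metacharacters in `host` (; | & $( ) `) become new commands."""
    cmd = f"echo checking {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    """No shell: the program is started with an argument vector, so `host` is
    passed to echo as one literal argument whatever characters it contains."""
    return subprocess.run(["echo", "checking", host], capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """argv form plus server-side validation. Validation still matters: with a
    real tool an attacker could otherwise pass a value such as `-o file` that the
    tool reads as an option (argument injection) even though no shell is involved."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host name: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(run_vulnerable(payload), end="")   # two lines: the injected command ran
    print(run_argv(payload), end="")         # one line containing the payload verbatim
    print(run_safe("example.com"), end="")   # checking example.com
```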
20. Concurrent Sessions
A user can have multiple active sessions at the same time. This is a vulnerability
because the legitimate user is never told that another session exists, so an attacker
who has obtained the account can use it alongside the victim unnoticed.
Requires access to the user's account:
● Session hijacking
● Account information acquired using SQL injection
21. Concurrent Sessions
(Screenshot: David is logged in twice; the items do not show.)
Solution
Do not allow concurrent sessions
Fix the session hijacking vulnerabilities
22. Medium Risk
● Local file access
● Password, login, and registration policy
● Stored cross-site scripting (XSS)
● Logic flaws
● Session management
24. Local File Access
Local File Inclusion
The Careers page includes a CV upload. An attacker can upload
any file, because validation is only done client-side using JavaScript
and is bypassed by submitting the request directly.
25. Local File Access
Local File Inclusion
Do not trust user input; always validate server-side
26. Local File Access
Local File Retrieval
Product pages provide download links for manuals
Manuals are stored locally
29. Local File Access
Local File Retrieval
Solution
Maintain a server-side index of the uploaded manuals and serve downloads only by
index entry, never by a user-supplied file name or path
Alternatively, move the manuals to dedicated storage such as Amazon S3
30. Password, Login, and Registration Policy
1. Account lockout
2. No minimum password requirements
3. Username enumeration
31. Password and Login Policy
Account Lockout
Most websites will lock a user's account after a predetermined number of failed
logins, to prevent brute-force attacks
32. Password and Login Policy
Account Lockout
Lockout can be turned against the site: an attacker who knows the usernames can
deliberately fail logins and lock every user account (denial of service)
33. Password and Login Policy
No Minimum Requirements
There is no password policy. A policy should:
● Enforce a minimum length
● Reject passwords built from personal details (such as the username)
● Never lowercase passwords before storing or comparing them, since that shrinks the keyspace
34. Password and Login Policy
Username Enumeration
Building a list of valid usernames
The registration form indicates whether a username already exists without completing
the form
35. Password and Login Policy
Username Enumeration
Password recovery displays a user’s email if the username
exists
36. Password and Login Policy
Username Enumeration
Enables phishing attacks, since the attacker knows the username
Enables credential stuffing: the attacker tries the same username
and password on other websites
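An added example, written for this page in Python and not code from the deck, tying the three login findings together: a password policy check, login throttling that cannot be used to lock the real user out, and responses that read the same whether or not the username exists. The limits, messages and class name are assumptions; passwords are kept in plaintext only to keep the demo short:

```python
import hmac
import time
from collections import defaultdict

# Policy values are assumptions for the demo.
MIN_PASSWORD_LENGTH = 12
WINDOW_SECONDS = 300        # failures older than this no longer count
MAX_FAILURES = 5            # per (username, source IP) inside the window
GENERIC_LOGIN_FAILURE = "Invalid username or password"
GENERIC_RECOVERY = "If that account exists, a recovery email has been sent"


def password_policy_violations(username: str, password: str) -> list:
    """Only the username-containment check is case-insensitive ('David' is still a
    personal detail); the password itself is stored and compared exactly as typed."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}                     # username -> password (plaintext only for the demo)
        self.failures = defaultdict(list)   # (username, source_ip) -> failure timestamps

    def register(self, username: str, password: str):
        problems = password_policy_violations(username, password)
        if problems:
            return False, "Password " + "; ".join(problems)
        self.users[username] = password
        return True, "Registered"

    def login(self, username: str, password: str, source_ip: str):
        key = (username, source_ip)
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        # Throttle per (account, source) rather than locking the account outright:
        # an attacker can exhaust their own budget but not lock the real user out.
        if len(recent) >= MAX_FAILURES:
            return False, GENERIC_LOGIN_FAILURE
        stored = self.users.get(username)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if not ok:
            # Unknown user, wrong password and throttled all read identically,
            # so the response does not reveal whether the username exists.
            recent.append(now)
            return False, GENERIC_LOGIN_FAILURE
        recent.clear()
        return True, "OK"

    def recover(self, username: str) -> str:
        # Same text whether or not the account exists; the email address is never shown.
        return GENERIC_RECOVERY


if __name__ == "__main__":
    svc = LoginService()
    print(svc.register("david", "correct horse battery"))
    for _ in range(MAX_FAILURES + 1):
        print(svc.login("david", "guess", "10.0.0.9"))       # attacker burns its budget
    print(svc.login("david", "correct horse battery", "192.0.2.1"))  # David still gets in
```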
37. Cross-Site Scripting
Reflected
User input is 'reflected' (returned) and displayed in the page. JavaScript
could be input
Cookie stealing: requires a phishing attack to get the victim to open the crafted link
43. Cross-Site Scripting
Solution
Do not display user input in the browser unless it is necessary
HTML-encode all user input that is displayed, so the characters are not
interpreted as markup and no functioning script syntax can form
44. Logic Flaw in Purchasing
Processes have an expected progression.
A logic flaw bypasses this progression and the bypass is not recognized
45. Logic Flaw in Purchasing
Purchase a product progression:
1. Choose product
2. Checkout
3. Confirm delivery address
4. Confirm payment
5. Complete
47. Logic Flaw in Purchasing
(Screenshot: Admin and User acknowledge the purchase.)
48. Logic Flaw in Purchasing
Solution
Track the progression of each order process server-side
If a step is skipped, the user is redirected, or sent to the home page.
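An added example, written for this page in Python and not code from the deck, of the server-side progression tracking described above: the order's state lives on the server, each page handler only accepts the one step that is due next, and anything else is redirected to the home page. The step names follow the five-step list on the slide; the Order class and handler names are assumptions:

```python
from enum import Enum


class Step(Enum):
    CHOOSE_PRODUCT = 1
    CHECKOUT = 2
    CONFIRM_ADDRESS = 3
    CONFIRM_PAYMENT = 4
    COMPLETE = 5


class Order:
    """Server-side record of how far an order has really got. Only the server
    advances it, one step at a time, in the defined sequence."""

    def __init__(self):
        self.done = []

    @property
    def expected(self):
        """The only step the server will accept next (None once the order is complete)."""
        return Step(len(self.done) + 1) if len(self.done) < len(Step) else None


def handle_step(order: Order, requested: Step) -> str:
    """Handler for the page belonging to `requested`. Returns the page to show,
    or a redirect to the home page when the step is skipped, repeated or late."""
    if requested is not order.expected:
        return "redirect:/"
    order.done.append(requested)
    return f"page:{requested.name.lower()}"


def handle_step_vulnerable(order: Order, requested: Step) -> str:
    """The flawed pattern: each page trusts that the earlier pages were visited,
    so requesting the Complete page directly finishes an unpaid order."""
    order.done.append(requested)
    return f"page:{requested.name.lower()}"


if __name__ == "__main__":
    order = Order()
    print(handle_step(order, Step.CHOOSE_PRODUCT))   # page:choose_product
    print(handle_step(order, Step.COMPLETE))         # redirect:/  (payment skipped)
    print(handle_step_vulnerable(Order(), Step.COMPLETE))  # page:complete (the flaw)
```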
49. Session Management
Sessions and cookies enable a smoother user experience
Poor management of sessions and cookies enables:
● Session hijacking
● Accessing a user's account
● Session fixation
51. Session Management
Session Hijacking
Acquiring a session ID via cross-site scripting, network
monitoring, or another means enables the attacker to set their own
session ID to the stolen value and access whatever the user was doing
52. Session Management
Session Fixation
Induce a user to use an attacker-chosen session ID; once the user logs in with it,
the attacker can access the user's account.
Here this requires cross-site scripting, because the session ID is not passed as a
parameter in the URL, so the attacker needs script execution to plant the cookie.
53. Session Management
Solution
Must prevent cross-site scripting, by encoding any user input
which is displayed on the page
Serve the site over HTTPS (acquire a TLS/SSL certificate) so that session IDs
cannot be captured by network monitoring
Issue a fresh session ID on login, and mark the session cookie Secure and HttpOnly
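An added example, written for this page in Python and not code from the deck, of a session store that addresses the concurrent-session finding (slides 20 and 21) and the hijacking and fixation findings above in one place: IDs are minted only server-side from a CSPRNG, a client-presented ID is never promoted on login, a new login revokes the user's earlier session, and the cookie is flagged so it is neither sent in clear nor readable by script. The class, the TTL and the cookie name are assumptions:

```python
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60   # assumption for the demo


class SessionStore:
    """Session IDs are minted only here, one live session per user, and an ID
    the client already held is never promoted to an authenticated session."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}   # session id -> (username, expiry time)
        self.active = {}     # username -> the single current session id

    def login(self, username: str, presented_id=None) -> str:
        # Fixation defence: whatever ID the browser sent before login is dropped.
        if presented_id is not None:
            self.sessions.pop(presented_id, None)
        # Concurrent-session defence: a new login revokes the previous session.
        previous = self.active.get(username)
        if previous is not None:
            self.sessions.pop(previous, None)
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[session_id] = (username, self.clock() + SESSION_TTL_SECONDS)
        self.active[username] = session_id
        return session_id

    def resolve(self, session_id: str):
        """Returns the username for a live session, else None."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            self.logout(session_id)
            return None
        return username

    def logout(self, session_id: str) -> None:
        entry = self.sessions.pop(session_id, None)
        if entry is not None and self.active.get(entry[0]) == session_id:
            del self.active[entry[0]]


def set_cookie_header(session_id: str) -> str:
    # Secure: only sent over HTTPS, so network monitoring sees nothing; HttpOnly:
    # not exposed to script, so a reflected XSS cannot simply read document.cookie.
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("david", presented_id="attacker-chosen")
    second = store.login("david")                 # David logs in again elsewhere
    print(store.resolve("attacker-chosen"))       # None: the planted ID never became a session
    print(store.resolve(first), store.resolve(second))   # None david
    print(set_cookie_header(second))
```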
55. Conclusion
Concepts
● Never trust user input: this prevents many SQL injection and
cross-site scripting attacks, which in turn enable the other vulnerabilities
● Do not include unnecessary services which escalate privileges
● Services that directly execute operating system commands are often
not needed