Vulnerability assessments require more than a methodology and checklist to perform. In this talk we will cover several creative aspects of application penetration testing including component discovery, abusing arithmetic, reversing algorithms, and subverting business logic. We will also review several high profile vulnerabilities which involved a combination of technical and logical failures to show where art and science meet.
2. VULNERABILITY ASSESSMENTS
What we can’t always teach
• Component discovery
• Identifying data of value
• Subverting arithmetic
• Reversing algorithms
March 4, 2014
VIRTUE SECURITY
3. VULNERABILITY ASSESSMENTS
Principles of an Application Vulnerability Assessment
• Understanding business purpose
• Parameters are our control variables
• Understand who an attacker may be and develop appropriate threats.
5. VULNERABILITY ASSESSMENTS
Control Characters are Your Friend
0x00 NUL
0x01 SOH
0x02 STX
0x03 ETX
0x04 EOT
0x05 ENQ
0x08 BS
…
• Control characters are often poorly handled by compiled applications.
• Can be useful to identify or tamper with legacy systems.
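The defensive counterpart to this slide, as an added example that is not part of the original deck: a small validator that percent-decodes a query string and reports every C0 control character (the NUL, SOH, STX, ... range listed above) per parameter, so requests carrying them can be rejected or logged before they reach a legacy backend. The function names and the sample query strings are constructed for this example.

```python
"""Added example, not from the original deck: detect C0 control characters
in percent-decoded query parameters before the request reaches a legacy or
compiled backend that may mishandle them."""
from urllib.parse import parse_qsl

# C0 control range 0x00-0x1F plus DEL (0x7F); the slide's NUL, SOH, STX, ...
# all fall in here.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x00, 0x20)) | {chr(0x7F)}


def find_control_chars(value, allowed=frozenset()):
    """Return [(position, 'NN' hex), ...] for every control char in value."""
    return [(i, f"{ord(ch):02X}") for i, ch in enumerate(value)
            if ch in CONTROL_CHARS and ch not in allowed]


def validate_query(query_string, allowed=frozenset()):
    """Decode a raw query string and report offending parameters.

    Returns {} when clean, otherwise {"name:..." or "value:...": hits}.
    parse_qsl percent-decodes, so `%00` arrives here as a real NUL,
    which is the form the backend would see.
    """
    findings = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        name_hits = find_control_chars(name, allowed)
        value_hits = find_control_chars(value, allowed)
        if name_hits:
            findings[f"name:{name!r}"] = name_hits
        if value_hits:
            findings[f"value:{name}"] = value_hits
    return findings


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying %00 and %08.
    for qs in ("ordernumber=7567401102182014",
               "ordernumber=7567%00&note=a%08b"):
        print(qs, "->", validate_query(qs) or "clean")
```

Tab, LF and CR are often legitimate in free-text fields; pass them in `allowed` for those parameters only, and keep the default (reject everything in the range) for identifiers such as order or account numbers.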
7. VULNERABILITY ASSESSMENTS
What is Useful to an Attacker?
• The obvious: usernames, passwords, session tokens, etc.
• The less obvious: order numbers, timestamps
• Anything that can be used to negatively impact business integrity.
8. VULNERABILITY ASSESSMENTS
Joe’s Banana Stand
• Vendor A notices an Ajax request used to confirm orders:
  order_confirmed.jsp?ordernumber=7567401102182014
  Responds TRUE / False
9. VULNERABILITY ASSESSMENTS
Joe’s Banana Stand
• Vendor A learns the following:
– 7567 (unknown)
– 4011 (banana PLU code)
– 02182014 (date)
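As an added illustration that is not from the original deck: the layout Vendor A inferred (4-digit prefix, 4-digit PLU, MMDDYYYY date) decoded in code, next to the two changes that take the value out of the order number. References are issued from a CSPRNG so they encode nothing, and the confirmation lookup is bound to the vendor in the session, so unknown and foreign references get the same answer. The names `ORDERS`, `create_order`, `order_confirmed` and the vendor identifiers are assumptions made for this example.

```python
"""Added example, not from the original deck: decode the order-number
structure from the slide, then issue opaque references and bind the
order_confirmed check to the vendor who owns the order."""
import secrets
from datetime import date


def decode_order_number(n: str) -> dict:
    """Split a 16-digit order number into the fields inferred on the slide.

    Layout assumed: 4-digit prefix, 4-digit PLU, MMDDYYYY date. Anything
    that can be decoded like this can also be predicted.
    """
    if len(n) != 16 or not (n.isascii() and n.isdigit()):
        raise ValueError("unexpected order number format")
    prefix, plu, mmddyyyy = n[:4], n[4:8], n[8:]
    order_date = date(int(mmddyyyy[4:]), int(mmddyyyy[:2]), int(mmddyyyy[2:4]))
    return {"prefix": prefix, "plu": plu, "date": order_date}


# Constructed in-memory order store: reference -> order record.
ORDERS = {}


def create_order(vendor: str, plu: str) -> str:
    """Issue an unguessable reference instead of a structured number."""
    ref = secrets.token_urlsafe(16)  # 128 bits, carries no vendor/PLU/date
    ORDERS[ref] = {"vendor": vendor, "plu": plu, "confirmed": True}
    return ref


def order_confirmed(session_vendor: str, ref: str) -> bool:
    """Hardened order_confirmed: only the owning vendor learns the status.

    A missing order and another vendor's order return the same False, so
    the endpoint cannot be used as an oracle for other vendors' orders.
    """
    order = ORDERS.get(ref)
    if order is None or order["vendor"] != session_vendor:
        return False
    return order["confirmed"]


if __name__ == "__main__":
    print(decode_order_number("7567401102182014"))
    ref = create_order("vendor-a", "4011")
    print(ref, order_confirmed("vendor-a", ref), order_confirmed("vendor-b", ref))
```

If the business still needs a human-readable order number on invoices, keep it as a display field and never as the lookup key the endpoint accepts.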
13. VULNERABILITY ASSESSMENTS
Not All Numbers Are the Same
• Integers may be defined differently.
– Limited capacity
– Signed / unsigned
– Varying support of decimals
• Applications may also handle numbers differently
– Order quantities with fractions
– Transactions with fractions of cents
– Negative values
– Divide by zero
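One parsing path for the cases on this slide, as an added example that is not from the original deck: quantities must be whole, positive and bounded; money amounts are parsed as `Decimal` with at most two places and never as float; the divide is guarded so a zero quantity cannot reach it. The limits `MAX_QUANTITY` and `MAX_AMOUNT` and the function names are assumptions for this example.

```python
"""Added example, not from the original deck: a single strict parsing path
for quantities and money amounts, rejecting fractional quantities, sub-cent
amounts, negatives and a zero divisor instead of letting each layer decide."""
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

MAX_QUANTITY = 10_000             # business limit, constructed for this example
MAX_AMOUNT = Decimal("1000000")   # likewise
CENT = Decimal("0.01")


def parse_quantity(raw: str) -> int:
    """Whole, positive, bounded. '1.5', '-1', '1e3', ' 2', '' all raise.

    isascii() + isdigit() rejects sign, dot, exponent, whitespace and
    non-ASCII digits that int() would otherwise accept.
    """
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"quantity must be a positive integer: {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError(f"quantity out of range: {qty}")
    return qty


def parse_amount(raw: str) -> Decimal:
    """Money as Decimal with at most two places; NaN, Infinity, <= 0 and
    anything above MAX_AMOUNT are rejected. The finiteness check runs first
    because comparing NaN would itself raise."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}") from None
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        raise ValueError(f"amount out of range: {raw!r}")
    if amount != amount.quantize(CENT):
        raise ValueError(f"sub-cent precision rejected: {raw!r}")
    return amount.quantize(CENT)


def unit_price(total: Decimal, quantity: int) -> Decimal:
    """Guard the divide: a non-positive quantity never reaches the division."""
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    return (total / quantity).quantize(CENT, rounding=ROUND_HALF_UP)


def rejects(fn, raw) -> bool:
    """True when fn raises ValueError for raw; used for the self-checks."""
    try:
        fn(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_quantity("12"), parse_amount("19.99"), unit_price(parse_amount("10.00"), 3))
    for bad in ("1.5", "-1", "0", "1e3"):
        print(bad, "rejected:", rejects(parse_quantity, bad))
```

The important design choice is that the same two functions serve every entry point; the slide's failures come from one layer accepting a fraction or a negative that another layer silently rounds, wraps or truncates.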
15. VULNERABILITY ASSESSMENTS
Attacking Tokenizing Algorithms
• Example parameter:
account_number=6578364,6578376,6587653
• May have the following attacks:
account_number=6578364,6578376[SQLi],6587653
account_number=6578364,65783760000000,6587653
account_number=6578364,%00,6587653
account_number=6578364,-1,6587653
account_number=6578364,6578376,71111111
account_number=6578364,6578376,6587653,71111111
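How a tokenizer should handle the list above, as an added example that is not from the original deck: every element is validated on its own against a fixed shape, then the whole list is checked against the accounts the session owns, so each of the slide's variants (injected text, an over-long value, a NUL, a negative, an appended or substituted foreign account) fails the whole request instead of being skipped, truncated or forwarded. The 7-to-8 digit width, `MAX_ITEMS`, and the function names are assumptions for this example.

```python
"""Added example, not from the original deck: strict parsing of the
comma-separated account_number parameter. Each element is validated on
its own and then against the accounts the session owns, so malformed and
foreign elements fail the whole request."""
import re

ACCOUNT_RE = re.compile(r"[0-9]{7,8}")  # assumed width for this example
MAX_ITEMS = 20                           # assumed upper bound per request


class InvalidAccountList(ValueError):
    pass


def parse_account_numbers(raw: str, owned: frozenset) -> list:
    """Return the validated list or raise InvalidAccountList.

    Rejects: empty or oversized lists, any element that is not a plain
    decimal account number (so '', NUL, '-1', injected text and over-long
    values all fail), duplicates, and accounts outside `owned`.
    """
    tokens = raw.split(",")
    if not 1 <= len(tokens) <= MAX_ITEMS:
        raise InvalidAccountList(f"expected 1-{MAX_ITEMS} elements, got {len(tokens)}")
    seen = set()
    for idx, tok in enumerate(tokens):
        if not ACCOUNT_RE.fullmatch(tok):
            raise InvalidAccountList(f"element {idx} is not an account number")
        if tok in seen:
            raise InvalidAccountList(f"element {idx} is a duplicate")
        if tok not in owned:
            # Same error class as a malformed element: the response should
            # not tell the caller which accounts exist.
            raise InvalidAccountList(f"element {idx} rejected")
        seen.add(tok)
    return tokens


def is_valid(raw: str, owned: frozenset) -> bool:
    """Boolean wrapper for logging and metrics; handlers use the exception."""
    try:
        parse_account_numbers(raw, owned)
    except InvalidAccountList:
        return False
    return True


if __name__ == "__main__":
    # Constructed session: the three accounts from the slide's example.
    owned = frozenset({"6578364", "6578376", "6587653"})
    for raw in ("6578364,6578376,6587653", "6578364,-1,6587653",
                "6578364,6578376,6587653,71111111"):
        print(raw, "->", is_valid(raw, owned))
```

Validating before the ownership check keeps the two failure modes separate in logs (shape errors versus authorization errors) while the client sees one generic rejection.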
16. VULNERABILITY ASSESSMENTS
Denial of Service / Amplification
• Amplification is the ratio at which work is performed on the server vs the work required to make the request:
• www.example.com/cart/display.jsp?category=5&pageNum=4
  Response time: 51ms
• www.example.com/cart/display.jsp?category=5&pageNum=40
  Response time: 614ms
• www.example.com/cart/display.jsp?category=5&pageNum=10000
  Response time: 43120ms
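As an added example that is not from the original deck: the ratio definition above applied to the slide's three measurements (51ms as the baseline gives roughly 12x for pageNum=40 and 845x for pageNum=10000), a first-pass detector that flags parameter sets whose ratio exceeds a threshold, and a bounded pagination parser that refuses page numbers and page sizes beyond a configured limit rather than letting the cost grow with the input. `MAX_PAGE`, `MAX_PAGE_SIZE`, the threshold and the function names are assumptions for this example.

```python
"""Added example, not from the original deck: quantify amplification from
measured response times and bound pagination inputs so per-request server
cost stays flat."""
from dataclasses import dataclass

MAX_PAGE_SIZE = 50   # assumed limits; set them from measured query cost
MAX_PAGE = 200       # beyond this, require a narrower filter instead


@dataclass(frozen=True)
class PageWindow:
    offset: int
    limit: int


def page_window(page_num: str, page_size: str = "20") -> PageWindow:
    """Parse and bound pagination parameters from the query string.

    Raises ValueError instead of clamping silently, so an out-of-range
    request is visible in logs rather than quietly served as the last page.
    """
    for raw in (page_num, page_size):
        if not (raw.isascii() and raw.isdigit()):
            raise ValueError("pageNum and pageSize must be positive integers")
    n, size = int(page_num), int(page_size)
    if not 1 <= n <= MAX_PAGE or not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("pagination parameters out of range")
    return PageWindow(offset=(n - 1) * size, limit=size)


def is_bounded(page_num: str, page_size: str = "20") -> bool:
    try:
        page_window(page_num, page_size)
    except ValueError:
        return False
    return True


def amplification(baseline_ms: float, observed_ms: float) -> float:
    """Server work for a request relative to a baseline request that costs
    the client the same to send."""
    if baseline_ms <= 0:
        raise ValueError("baseline must be positive")
    return observed_ms / baseline_ms


def flag_amplified(samples, baseline_ms: float, threshold: float = 10.0):
    """Return (params, ratio) for samples whose ratio exceeds the threshold.

    samples: iterable of (params dict, response_ms), e.g. from timing logs.
    """
    flagged = []
    for params, ms in samples:
        ratio = amplification(baseline_ms, ms)
        if ratio > threshold:
            flagged.append((params, round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    # Constructed from the slide's three measurements.
    samples = [({"category": "5", "pageNum": "4"}, 51),
               ({"category": "5", "pageNum": "40"}, 614),
               ({"category": "5", "pageNum": "10000"}, 43120)]
    print(flag_amplified(samples, baseline_ms=51))
    print(page_window("4"), is_bounded("10000"))
```

The bound treats the symptom; the growth itself usually comes from an OFFSET-style query that scans every skipped row, and keyset pagination (paging from the last seen key) removes that cost regardless of the page number.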
17. VULNERABILITY ASSESSMENTS
What about tools?
• Scanners should never be relied upon
• Tools should be user driven
• Tools should be used to make custom attacks more efficient
18. VULNERABILITY ASSESSMENTS
How can we make things better?
• Give users as little control as possible
• Maintain state on the server side wherever possible:
http://www.example.com/viewaccount?id=67546737
http://www.example.com/viewaccount
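The two viewaccount URLs on the slide as handlers, added here as an example that is not from the original deck. The first trusts an `id` parameter, so any logged-in user can read any account; the second derives the account from server-side session state, leaving no parameter to tamper with. The in-memory `ACCOUNTS` and `SESSIONS` stores, the `login` helper and the account records are constructed for this example.

```python
"""Added example, not from the original deck: the parameter-driven
/viewaccount?id=... handler beside the session-driven /viewaccount handler
that keeps the account selection on the server."""
import secrets

# Constructed data: account records and an in-memory session store.
ACCOUNTS = {
    "67546737": {"owner": "alice", "balance": "120.00"},
    "67546738": {"owner": "bob", "balance": "5.00"},
}
SESSIONS = {}  # session id -> {"user": ..., "account_id": ...}


def login(user: str, account_id: str) -> str:
    """Create a session that records which account the user may view."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "account_id": account_id}
    return sid


def view_account_by_param(session_id: str, account_id: str):
    """/viewaccount?id=...: authenticated, but the id is the client's choice,
    so the check proves only that *someone* is logged in."""
    if session_id not in SESSIONS:
        return None
    return ACCOUNTS.get(account_id)


def view_account(session_id: str):
    """/viewaccount: the account comes from the session, not the request.
    There is no client-controlled value left to alter."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    return ACCOUNTS.get(session["account_id"])


if __name__ == "__main__":
    alice = login("alice", "67546737")
    print("session-bound:", view_account(alice))
    print("param-driven, foreign id:", view_account_by_param(alice, "67546738"))
```

Where a user legitimately has several accounts, keep the selectable set in the session as well and resolve the request against that set, so the server still decides what the parameter may refer to.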
19. VULNERABILITY ASSESSMENTS
Never Forget
• This is more than a job!
• People really depend on you
• Maintain a balance of structure and creativity