VULNERABILITY ASSESSMENTS

THE ART AND SCIENCE
OF
VULNERABILITY ASSESSMENTS
(ISC)2 New York Metro

March 4, 2014

VIRTUE SECURITY
What we can’t always teach

• Component discovery
• Identifying data of value
• Subverting arithmetic
• Reversing algorithms
Principles of an Application Vulnerability Assessment

• Understanding business purpose
• Parameters are our control variables
• Understand who an attacker may be and develop appropriate threats.
Component Discovery

Request parameters → Components

A single request breaks down into components, each of which is a parameter to examine:
• Session token
• Timestamp
• Page_num
• User_ID
Control Characters are Your Friend

0x00  NUL
0x01  SOH
0x02  STX
0x03  ETX
0x04  EOT
0x05  ENQ
0x08  BS
…

• Control characters are often poorly handled by compiled applications.
• Can be useful to identify or tamper with legacy systems.
Component Discovery

Request parameters → Components

URL: http://example.com/%00

Request components: Timestamp, Page_num, User_ID
What is Useful to an Attacker?

• The obvious: usernames, passwords, session tokens, etc.
• The less obvious: order numbers, timestamps, and the like.
• Anything that can be used to negatively impact business integrity.
Joe’s Banana Stand

• Vendor A notices an Ajax request used to confirm orders:
  order_confirmed.jsp?ordernumber=7567401102182014
  Responds TRUE / FALSE

• Vendor A learns the following:
  – 7567 (unknown)
  – 4011 (banana PLU code)
  – 02182014 (date)
APPLICATION ARITHMETIC

• Negative Values

account_value += transfer_value;

account_value = 1000 + 100;    // account_value = 1100
account_value = 1000 + -100;   // account_value = 900
Integer overflows / wraparounds

32 bits:
  1111 1111 1111 1111 1111 1111 1111 1111
+ 1
= 0000 0000 0000 0000 0000 0000 0000 0000

Signed range:   −2,147,483,648 to +2,147,483,647
Unsigned range: 0 to 4,294,967,295
Decimal Values

System A:
• 1000 + 0.001, repeated ten times = 1000.00

System B:
• 1000 + 0.001, repeated ten times = 1000.01
Not All Numbers Are the Same

• Integers may be defined differently.
  – Limited capacity
  – Signed / unsigned
  – Varying support of decimals

• Applications may also handle numbers differently:
  – Order quantities with fractions
  – Transactions with fractions of cents
  – Negative values
  – Divide by zero

Creating Better Payloads

• Input field:

johndoe@example.com
Johndoe

@

example.com

• Attack strings:
– johndoe’%20or%201=1--@example.com
– johndoe@’%20or%201=1--example.com
– johndoe@example.com’%20or%201=1--

March 4, 2014

VIRTUE SECURITY
VULNERABILITY ASSESSMENTS

Attacking Tokenizing Algorithms
•

Example parameter:
account_number=6578364,6578376,6587653

•

May have the following attacks:
account_number=6578364,6578376[SQLi],6587653
account_number=6578364,65783760000000,6587653
account_number=6578364,%00,6587653
account_number=6578364,-1,6587653
account_number=6578364,6578376,71111111
account_number=6578364,6578376,6587653,71111111

March 4, 2014

VIRTUE SECURITY
VULNERABILITY ASSESSMENTS

Denial of Service / Amplification

•

Amplification is the ratio at which work is performed on the server
vs the work required to make the request:

•
•
•
•
•
•

www.example.com/cart/display.jsp?category=5&pageNum=4
Response time: 51ms
www.example.com/cart/display.jsp?category=5&pageNum=40
Response time: 614ms
www.example.com/cart/display.jsp?category=5&pageNum=10000
Response time: 43120ms

March 4, 2014

VIRTUE SECURITY
VULNERABILITY ASSESSMENTS

What about tools?

• Scanners should never be relied upon
• Tools should be user driven
• Tools should be used to make custom
attacks more efficient

March 4, 2014

VIRTUE SECURITY
VULNERABILITY ASSESSMENTS

How can we make things better?

• Give users as little control as possible
• Maintain state on the server side wherever
possible:
http://www.example.com/viewaccount?id=67546737
http://www.example.com/viewaccount

March 4, 2014

VIRTUE SECURITY
VULNERABILITY ASSESSMENTS

Never Forget

• This is more than a job!
• People really depend on you
• Maintain a balance of structure and
creativity

March 4, 2014

VIRTUE SECURITY
