Art and Science of Vulnerability Assessments

Vulnerability assessments require more than a methodology and checklist to perform. In this talk we will cover several creative aspects of application penetration testing including component discovery, abusing arithmetic, reversing algorithms, and subverting business logic. We will also review several high profile vulnerabilities which involved a combination of technical and logical failures to show where art and science meet.



  1. The Art and Science of Vulnerability Assessments. (ISC)2 New York Metro, March 4, 2014. Virtue Security.
  2. What we can't always teach:
     • Component discovery
     • Identifying data of value
     • Subverting arithmetic
     • Reversing algorithms
  3. Principles of an application vulnerability assessment:
     • Understand the business purpose.
     • Parameters are our control variables.
     • Understand who an attacker may be and develop appropriate threats.
  4. Component discovery: map request parameters to the components that consume them.
     • Session Token
     • Request Timestamp
     • Page_num
     • User_ID
  5. Control characters are your friend: 0x00 NUL, 0x01 SOH, 0x02 STX, 0x03 ETX, 0x04 EOT, 0x05 ENQ, 0x08 BS, ...
     • Control characters are often poorly handled by compiled applications.
     • Can be useful to identify or tamper with legacy systems.
  6. Component discovery, continued: the same request parameters (Request Timestamp, Page_num, User_ID) probed with a control character in the URL, e.g. http://example.com/%00
  7. What is useful to an attacker?
     • The obvious: usernames, passwords, session tokens, etc.
     • The less obvious: order numbers, timestamps
     • Anything that can be used to negatively impact business integrity.
  8. Joe's Banana Stand
     • Vendor A notices an Ajax request used to confirm orders: order_confirmed.jsp?ordernumber=7567401102182014
     • The endpoint responds TRUE / FALSE.
  9. Joe's Banana Stand: Vendor A learns the following about the order number:
     – 7567 (unknown)
     – 4011 (banana PLU code)
     – 02182014 (date)
  10. Application arithmetic: negative values
      account_value += transfer_value;
      account_value = 1000 + 100;   // account_value = 1100
      account_value = 1000 + -100;  // account_value = 900
  11. Integer overflows / wraparounds
      32 bits: 11111111 11111111 11111111 11111111
           +1: 00000000 00000000 00000000 00000000
      Signed range: −2,147,483,648 to +2,147,483,647
      Unsigned range: 0 to 4,294,967,295
  12. Decimal values
      System A: 1000 + 0.001, repeated ten times = 1000.00
      System B: 1000 + 0.001, repeated ten times = 1000.01
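The three arithmetic slides above (negative values, 32-bit wraparound, and the System A / System B cent-rounding difference) as an added, runnable illustration; this is example code written for this page, not from the talk. The hardened `safe_transfer` and the 32-bit limit are assumptions chosen to match the slide's numbers.

```python
from decimal import Decimal, ROUND_HALF_UP

INT32_MAX = 2**31 - 1          # signed 32-bit ceiling shown on slide 11
CENT = Decimal("0.01")


def naive_add(account_value, transfer_value):
    """Slide 10's code as written: no sign check, so a negative transfer withdraws."""
    return account_value + transfer_value


def wrap32(value):
    """Simulate a signed 32-bit register (slide 11): it wraps instead of failing."""
    return (value + 2**31) % 2**32 - 2**31


def safe_transfer(account_value, transfer_value):
    """Hardened version (assumed): reject negatives and sums outside the integer range."""
    if transfer_value < 0:
        raise ValueError("transfer_value must be non-negative")
    total = account_value + transfer_value
    if total > INT32_MAX:
        raise OverflowError("balance would exceed the 32-bit range")
    return total


def accumulate_cents(start, increment, times, round_each_step):
    """Slide 12: System A rounds to cents after every add, System B only at the end."""
    total = Decimal(start)
    inc = Decimal(increment)
    for _ in range(times):
        total += inc
        if round_each_step:
            total = total.quantize(CENT, rounding=ROUND_HALF_UP)
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    print(naive_add(1000, -100))                      # 900: money leaves via a "deposit"
    print(wrap32(INT32_MAX + 1))                      # -2147483648: the wraparound
    print(accumulate_cents("1000", "0.001", 10, True))   # 1000.00 (System A)
    print(accumulate_cents("1000", "0.001", 10, False))  # 1000.01 (System B)
```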
  13. Not all numbers are the same
      • Integers may be defined differently:
        – Limited capacity
        – Signed / unsigned
        – Varying support of decimals
      • Applications may also handle numbers differently:
        – Order quantities with fractions
        – Transactions with fractions of cents
        – Negative values
        – Divide by zero
  14. Creating better payloads
      • Input field: johndoe@example.com, which the application may split into three parts: johndoe, @, example.com
      • Attack strings, one per part:
        – johndoe'%20or%201=1--@example.com
        – johndoe@'%20or%201=1--example.com
        – johndoe@example.com'%20or%201=1--
  15. Attacking tokenizing algorithms
      • Example parameter: account_number=6578364,6578376,6587653
      • May have the following attacks:
        account_number=6578364,6578376[SQLi],6587653
        account_number=6578364,65783760000000,6587653
        account_number=6578364,%00,6587653
        account_number=6578364,-1,6587653
        account_number=6578364,6578376,71111111
        account_number=6578364,6578376,6587653,71111111
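A defender's view of the tokenizing slide, as an added example that is not part of the talk: a validator for the comma-separated account_number parameter that rejects each of the six tampered lists above. The 7-digit account format, the item limit and the ownership list are assumptions for illustration.

```python
import re
from urllib.parse import unquote

MAX_ITEMS = 10                       # assumption: cap on accounts per request
ACCOUNT_RE = re.compile(r"[0-9]{7}")  # assumption: account numbers are exactly 7 digits


class InvalidAccountList(ValueError):
    pass


def parse_account_numbers(raw, owned_accounts):
    """Split the parameter and validate every token before it reaches a query.

    Each token must be exactly 7 ASCII digits (no quotes, NUL bytes, signs or
    padding) and must belong to the calling user, which closes the last two
    attacks on the slide (an unowned account appended or substituted).
    """
    value = unquote(raw)              # %00 becomes a real NUL byte here
    tokens = value.split(",")
    if not 1 <= len(tokens) <= MAX_ITEMS:
        raise InvalidAccountList("wrong number of accounts")
    result = []
    for tok in tokens:
        if not ACCOUNT_RE.fullmatch(tok):      # fullmatch also rejects trailing newlines
            raise InvalidAccountList(f"malformed account token: {tok!r}")
        if tok not in owned_accounts:
            raise InvalidAccountList("account not owned by caller")
        result.append(int(tok))
    return result


def check_request(raw, owned_accounts):
    """Return ('ok', accounts) or ('rejected', reason) for a request value."""
    try:
        return ("ok", parse_account_numbers(raw, owned_accounts))
    except InvalidAccountList as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    owned = {"6578364", "6578376", "6587653"}   # constructed: caller's accounts
    for raw in ("6578364,6578376,6587653", "6578364,%00,6587653",
                "6578364,-1,6587653", "6578364,6578376,6587653,71111111"):
        print(raw, "->", check_request(raw, owned))
```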
  16. Denial of service / amplification
      • Amplification is the ratio at which work is performed on the server vs. the work required to make the request:
        www.example.com/cart/display.jsp?category=5&pageNum=4      Response time: 51ms
        www.example.com/cart/display.jsp?category=5&pageNum=40     Response time: 614ms
        www.example.com/cart/display.jsp?category=5&pageNum=10000  Response time: 43120ms
  17. What about tools?
      • Scanners should never be relied upon.
      • Tools should be user driven.
      • Tools should be used to make custom attacks more efficient.
  18. How can we make things better?
      • Give users as little control as possible.
      • Maintain state on the server side wherever possible:
        http://www.example.com/viewaccount?id=67546737
        http://www.example.com/viewaccount
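The two mitigations the talk closes with, bounding pageNum from slide 16 and keeping the account identity server-side from slide 18, as one added example written for this page rather than taken from the talk. The page size, the page ceiling and the in-memory session store are assumptions.

```python
import secrets

PAGE_SIZE = 20   # assumption: rows rendered per page
MAX_PAGE = 50    # assumption: hard ceiling on how deep one request may page


class SessionStore:
    """Server-side session state: the account is bound at login, never read from the URL."""

    def __init__(self):
        self._sessions = {}

    def login(self, account_id):
        token = secrets.token_urlsafe(32)           # unguessable session token
        self._sessions[token] = {"account_id": account_id}
        return token

    def account_for(self, token):
        session = self._sessions.get(token)
        return None if session is None else session["account_id"]


def view_account(store, session_token, query):
    """/viewaccount: any 'id' in the query string is ignored; the session decides."""
    account_id = store.account_for(session_token)
    if account_id is None:
        return 401, None
    return 200, account_id


def bounded_page(raw_page, total_items):
    """Clamp pageNum so the work per request stays proportional to a single page.

    Returns (offset, limit) or None when the page is non-numeric, negative,
    past the last real page, or beyond MAX_PAGE (the 10000 case on slide 16).
    """
    if not raw_page.isdigit():
        return None
    page = int(raw_page)
    last_page = max(1, (total_items + PAGE_SIZE - 1) // PAGE_SIZE)
    if page < 1 or page > min(last_page, MAX_PAGE):
        return None
    return (page - 1) * PAGE_SIZE, PAGE_SIZE


if __name__ == "__main__":
    store = SessionStore()
    token = store.login(67546737)                  # constructed: account from slide 18
    print(view_account(store, token, {"id": "1"}))  # (200, 67546737): the id is ignored
    print(bounded_page("4", 1000), bounded_page("10000", 1000))  # (60, 20) None
```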
  19. Never forget
      • This is more than a job!
      • People really depend on you.
      • Maintain a balance of structure and creativity.
