Art and Science of Vulnerability Assessments

VULNERABILITY ASSESSMENTS THE ART AND SCIENCE OF VULNERABILITY ASSESSMENTS (ISC)2 New York Metro VIRTUE SECURITY March 4, 2014

description

Vulnerability assessments require more than a methodology and checklist to perform. In this talk we will cover several creative aspects of application penetration testing including component discovery, abusing arithmetic, reversing algorithms, and subverting business logic. We will also review several high profile vulnerabilities which involved a combination of technical and logical failures to show where art and science meet.

Transcript of Art and Science of Vulnerability Assessments

Page 1: Art and Science of Vulnerability Assessments

VULNERABILITY ASSESSMENTS

THE ART AND SCIENCE OF VULNERABILITY ASSESSMENTS

(ISC)2 New York Metro

VIRTUE SECURITY March 4, 2014

Page 2: Art and Science of Vulnerability Assessments


What we can’t always teach

• Component discovery

• Identifying data of value

• Subverting arithmetic

• Reversing algorithms


Page 3: Art and Science of Vulnerability Assessments

Principles of an Application Vulnerability Assessment

• Understanding business purpose

• Parameters are our control variables

• Understand who an attacker may be and develop appropriate threats.

Page 4: Art and Science of Vulnerability Assessments

Component Discovery

Request parameters (components):

• Session Token

• User_ID

• Page_num

• Timestamp

Page 5: Art and Science of Vulnerability Assessments

Control Characters are Your Friend

0x00 NUL

0x01 SOH

0x02 STX

0x03 ETX

0x04 EOT

0x05 ENQ

0x08 BS

… …

• Control characters are often poorly handled by compiled applications.

• Can be useful to identify or tamper with legacy systems.

Page 6: Art and Science of Vulnerability Assessments

Component Discovery

Request parameters (components):

• URL: http://example.com/%00

• User_ID

• Page_num

• Timestamp

Page 7: Art and Science of Vulnerability Assessments

What is Useful to an Attacker?

• The obvious: usernames, passwords, session tokens, etc.

• The less obvious: order numbers, timestamps

• Anything that can be used to negatively impact business integrity.

Page 8: Art and Science of Vulnerability Assessments

Joe’s Banana Stand

• Vendor A notices an Ajax request used to confirm orders:

order_confirmed.jsp?ordernumber=7567401102182014

Responds TRUE / FALSE

Page 9: Art and Science of Vulnerability Assessments


Joe’s Banana Stand

• Vendor A learns the following:

– 7567 (unknown)

– 4011 (banana PLU code)

– 02182014 (date)


Page 10: Art and Science of Vulnerability Assessments


APPLICATION ARITHMETIC

• Negative Values


account_value += transfer_value;

account_value = 1000 + 100; // account_value = 1100

account_value = 1000 + -100; // account_value = 900

Page 11: Art and Science of Vulnerability Assessments

Integer overflows / wraparounds

32 bits:

Signed range: −2,147,483,648 to +2,147,483,647

Unsigned range: 0 to 4,294,967,295

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 (all 32 bits set)

+1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (wraps around to zero)

Page 12: Art and Science of Vulnerability Assessments

Decimal Values

System A: 1000 + 0.001 (repeated ten times) = 1000.00

System B: 1000 + 0.001 (repeated ten times) = 1000.01

Page 13: Art and Science of Vulnerability Assessments


Not All Numbers Are the Same

• Integers may be defined differently.

– Limited capacity

– Signed / unsigned

– Varying support of decimals

• Applications may also handle numbers differently

– Order quantities with fractions

– Transactions with fractions of cents

– Negative values

– Divide by zero
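The arithmetic slides above (negative values, 32-bit wraparound, per-transaction rounding) each describe a failure mode without showing the check that stops it. The following Python is an added example, not code from the talk or from Virtue Security: the vulnerable `account_value += transfer_value` beside a checked version, a simulated 32-bit store (Python integers never overflow, so the wrap is emulated with a mask), and two accumulators that reproduce the System A / System B outcomes. Balances in whole cents, account names and the rounding policies are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Added example (not from the talk): the arithmetic failure modes on the
# preceding slides, each beside the check that prevents it. Balances are in
# whole cents; 32-bit storage is simulated because Python ints never overflow.

INT32_MAX = 2_147_483_647
INT32_MIN = -2_147_483_648


def wrap_int32(n: int) -> int:
    """Store n in a signed 32-bit integer: bits above 31 are discarded, so
    INT32_MAX + 1 becomes INT32_MIN (the slide's all-ones row plus one)."""
    n &= 0xFFFFFFFF
    return n - 0x1_0000_0000 if n > INT32_MAX else n


def transfer_naive(balances: dict, src: str, dst: str, amount: int) -> None:
    """Vulnerable form of `account_value += transfer_value;` from the slide.
    A negative amount pulls money out of dst instead of src, and a large
    amount wraps the destination balance."""
    balances[src] = wrap_int32(balances[src] - amount)
    balances[dst] = wrap_int32(balances[dst] + amount)


def transfer_checked(balances: dict, src: str, dst: str, amount: int) -> None:
    """Hardened form: type, sign, funds and range are checked before any state changes."""
    if type(amount) is not int:             # bool is an int subclass; refuse it too
        raise TypeError("amount must be an integer number of cents")
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount > balances[src]:
        raise ValueError("insufficient funds")
    if balances[dst] > INT32_MAX - amount:  # overflow test that cannot itself overflow
        raise OverflowError("destination balance would exceed INT32_MAX")
    balances[src] -= amount
    balances[dst] += amount


def try_transfer(balances: dict, src: str, dst: str, amount) -> str:
    """Run transfer_checked and report the outcome by name (for logging/tests)."""
    try:
        transfer_checked(balances, src, dst, amount)
    except (TypeError, ValueError, OverflowError) as exc:
        return type(exc).__name__
    return "ok"


def accumulate_rounding_each(start: str, step: str, times: int) -> Decimal:
    """System A on the slide: every posting is rounded to whole cents as it
    lands, so ten credits of 0.001 leave 1000 unchanged."""
    cent = Decimal("0.01")
    total = Decimal(start)
    for _ in range(times):
        total = (total + Decimal(step)).quantize(cent, rounding=ROUND_HALF_UP)
    return total


def accumulate_exact(start: str, step: str, times: int) -> Decimal:
    """System B on the slide: sub-cent precision is kept and rounding happens
    once at the end, so the same ten credits add up to a full cent."""
    total = Decimal(start)
    for _ in range(times):
        total += Decimal(step)
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    b = {"alice": 1000, "bob": 1000}
    transfer_naive(b, "alice", "bob", -100)
    print(b)                                  # alice 1100, bob 900: money flowed backwards
    print(wrap_int32(INT32_MAX + 1))          # -2147483648
    print(try_transfer({"alice": 1000, "bob": 1000}, "alice", "bob", -100))  # ValueError
    print(accumulate_rounding_each("1000", "0.001", 10),
          accumulate_exact("1000", "0.001", 10))  # 1000.00 1000.01
```

The point for an assessment is that the two accumulators are both "correct" in isolation; the finding appears only when System A and System B reconcile against each other, which is why the slide lists fractions of cents next to signedness and capacity.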


Page 14: Art and Science of Vulnerability Assessments

Creating Better Payloads

• Input field: johndoe@example.com (Johndoe @ example.com)

• Attack strings:

– johndoe’%20or%201=1--@example.com

– johndoe@’%20or%201=1--example.com

– johndoe@example.com’%20or%201=1--

Page 15: Art and Science of Vulnerability Assessments

Attacking Tokenizing Algorithms

• Example parameter:

account_number=6578364,6578376,6587653

• May have the following attacks:

account_number=6578364,6578376[SQLi],6587653

account_number=6578364,65783760000000,6587653

account_number=6578364,%00,6587653

account_number=6578364,-1,6587653

account_number=6578364,6578376,71111111

account_number=6578364,6578376,6587653,71111111
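Each variation of the `account_number` parameter above probes a different weakness in how the list is split and consumed. The Python below is an added example, not the application or tooling from the talk: a defensive tokenizer that decodes the parameter, rejects control characters (the %00 case from the earlier slide), validates every element as a whole token, bounds the list length and authorizes each account against the session owner, returning the name of the check that fired. The digit-length cap, the item limit and the owned-account set are assumptions.

```python
import re
from urllib.parse import unquote

# Added example (not from the talk): a defensive parser for the slide's
# comma-separated account_number parameter. Each of the slide's attack strings
# is stopped by a specific check; the check name is returned so it can be logged.

ACCOUNT_TOKEN = re.compile(r"[0-9]{1,12}")  # digits only; length cap is an assumption
MAX_ITEMS = 10                               # upper bound on list length (assumption)


class RejectedInput(ValueError):
    def __init__(self, reason: str, token: str = ""):
        super().__init__(f"{reason}: {token!r}")
        self.reason = reason


def parse_account_numbers(raw: str, authorized: set) -> list:
    """Decode, tokenise and validate account_number=a,b,c.
    Every element must be a plain number the caller is allowed to see; the
    result is a list of ints that is safe to bind as query parameters."""
    value = unquote(raw)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):   # %00 and friends
        raise RejectedInput("control-char", value)
    tokens = value.split(",")
    if not 1 <= len(tokens) <= MAX_ITEMS:
        raise RejectedInput("too-many-items", value)
    result = []
    for tok in tokens:
        if not ACCOUNT_TOKEN.fullmatch(tok):      # rejects [SQLi], -1, overlong, empty
            raise RejectedInput("malformed", tok)
        number = int(tok)
        if number not in authorized:              # ownership check on every element
            raise RejectedInput("unauthorized", tok)
        result.append(number)
    return result


def check(raw: str, authorized: set):
    """Convenience wrapper: ('ok', [ints]) or ('rejected', reason)."""
    try:
        return "ok", parse_account_numbers(raw, authorized)
    except RejectedInput as exc:
        return "rejected", exc.reason


OWNED = {6578364, 6578376, 6587653}   # accounts the session owner may access (constructed)

# The slide's parameter followed by the six variations it lists
SLIDE_CASES = [
    "6578364,6578376,6587653",
    "6578364,6578376[SQLi],6587653",
    "6578364,65783760000000,6587653",
    "6578364,%00,6587653",
    "6578364,-1,6587653",
    "6578364,6578376,71111111",
    "6578364,6578376,6587653,71111111",
]

if __name__ == "__main__":
    for case in SLIDE_CASES:
        print(f"{case:45} -> {check(case, OWNED)}")
```

The authorization check runs per element rather than once per request, which is what defeats the last two cases: a list that is mostly legitimate still fails if any single token belongs to someone else.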

Page 16: Art and Science of Vulnerability Assessments

Denial of Service / Amplification

• Amplification is the ratio at which work is performed on the server vs the work required to make the request:

• www.example.com/cart/display.jsp?category=5&pageNum=4

• Response time: 51ms

• www.example.com/cart/display.jsp?category=5&pageNum=40

• Response time: 614ms

• www.example.com/cart/display.jsp?category=5&pageNum=10000

• Response time: 43120ms
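The three timings above are enough to express amplification as a number and to see what the server should have done with `pageNum`. The Python below is an added example, not from the talk: it computes the ratio of each response time to the cheapest request using the slide's figures, then clamps the client-supplied page number so the offset handed to the query is bounded. The page size and the maximum page are assumptions.

```python
# Added example (not from the talk): quantify the amplification the slide
# measured and bound it on the server side. Timings are the slide's figures.

SLIDE_TIMINGS_MS = {4: 51, 40: 614, 10000: 43120}   # pageNum -> response time (ms)

PAGE_SIZE = 20       # rows per page (assumption)
MAX_PAGE = 50        # deepest page the server will compute (assumption)


def amplification_table(timings: dict) -> dict:
    """Ratio of each response time to the cheapest request: how much extra
    server work one cheap-to-send parameter change buys the client."""
    baseline = min(timings.values())
    return {page: round(ms / baseline, 1) for page, ms in timings.items()}


def parse_page_num(raw) -> int:
    """Clamp the client-supplied page number into [1, MAX_PAGE]; anything
    non-numeric falls back to page 1 instead of erroring or defaulting deep."""
    try:
        page = int(raw)
    except (TypeError, ValueError):
        return 1
    return min(max(page, 1), MAX_PAGE)


def query_window(raw_page_num) -> tuple:
    """(page, offset, limit) for a bounded OFFSET/LIMIT query. Because page is
    clamped, the offset can never exceed (MAX_PAGE - 1) * PAGE_SIZE."""
    page = parse_page_num(raw_page_num)
    return page, (page - 1) * PAGE_SIZE, PAGE_SIZE


if __name__ == "__main__":
    print(amplification_table(SLIDE_TIMINGS_MS))   # {4: 1.0, 40: 12.0, 10000: 845.5}
    for raw in ("4", "40", "10000", "-3", "abc"):
        print(raw, "->", query_window(raw))
```

A clamp keeps the worst case bounded but does not make deep pages cheap; where the cost is a large `OFFSET` that the database scans past, keyset pagination (`WHERE id > last_seen ORDER BY id LIMIT n`) removes the growth with depth entirely.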

Page 17: Art and Science of Vulnerability Assessments

What about tools?

• Scanners should never be relied upon

• Tools should be user driven

• Tools should be used to make custom attacks more efficient

Page 18: Art and Science of Vulnerability Assessments

How can we make things better?

• Give users as little control as possible

• Maintain state on the server side wherever possible:

http://www.example.com/viewaccount?id=67546737

http://www.example.com/viewaccount
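The two URLs above differ in one thing: whether the account to display is chosen by the client or by the server. The Python below is an added example, not code from the talk: both URL shapes as request handlers over an in-memory account store, plus a third handler for the case where the id has to stay in the URL and must therefore be bound to the session instead of trusted. The second account, the balances and the session mechanics are constructed; only the id 67546737 comes from the slide.

```python
import secrets

# Added example (not from the talk): the two URL shapes on the slide as request
# handlers. Account data and the second account id are constructed.

ACCOUNTS = {
    67546737: {"owner": "alice", "balance": 1000},   # id from the slide
    88110021: {"owner": "bob", "balance": 50},        # constructed
}
SESSIONS = {}   # session token -> account id, kept entirely on the server


def login(username: str) -> str:
    """Issue an unguessable session token bound to the user's own account."""
    account_id = next(i for i, a in ACCOUNTS.items() if a["owner"] == username)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def view_account_v1(session_token: str, id_param: str):
    """/viewaccount?id=67546737 : the session proves someone is logged in, but
    the account shown is whatever id the client put in the URL."""
    if session_token not in SESSIONS:
        return None
    return ACCOUNTS.get(int(id_param))


def view_account_v2(session_token: str):
    """/viewaccount : no client-controlled id at all; the account is taken from
    server-side session state, so there is nothing to tamper with."""
    account_id = SESSIONS.get(session_token)
    return ACCOUNTS.get(account_id) if account_id is not None else None


def view_account_v1_authorized(session_token: str, id_param: str):
    """When the id must stay in the URL, bind it to the session instead of trusting it."""
    account_id = SESSIONS.get(session_token)
    if account_id is None or str(account_id) != str(id_param):
        return None
    return ACCOUNTS[account_id]


if __name__ == "__main__":
    bob = login("bob")
    print(view_account_v1(bob, "67546737"))             # alice's account is returned to bob
    print(view_account_v2(bob))                         # bob's own account
    print(view_account_v1_authorized(bob, "67546737"))  # None
```

The detection angle follows from the same design: with `view_account_v2` there is no parameter whose value can disagree with the session, so any request carrying an `id` is itself anomalous and worth logging.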

Page 19: Art and Science of Vulnerability Assessments

Never Forget

• This is more than a job!

• People really depend on you

• Maintain a balance of structure and creativity