
The Hacker Mindset

CSE 591 – Security and Vulnerability Analysis

Spring 2015

Adam Doupé

Arizona State University

http://adamdoupe.com


What is a Vulnerability?

• Make the application do something that it is not supposed to do

• Therefore, in order to find vulnerabilities, you must first understand the application
  – What is the intended functionality?
  – What is the intended behavior?
  – What does the application use as input?
  – What does the application produce as output?


Example

• Find: unauthenticated users can edit page content

• Is this a vulnerability?
  – On cnn.com, yes!
  – On wikipedia.org, no!

• This is why understanding the web application is critical


How to Rob a Bank*

• Step 1: Reconnaissance
  – Who works at the bank?
  – What is their role?
  – Who has the keys?
  – When do the guards change or take a break?
  – What does the layout of the bank look like?
  – What does the vault look like?
  – What kind of lock does the bank use?
  – …

• Step 2: Build elaborate plan

• Step 3: Everything goes wrong

• Step 4: Profit?

*Knowledge comes from movies


How to Rob a Web Application

• Step 1: Reconnaissance
  – How does the application work?
  – Are there user accounts?
  – Do the user accounts have different privileges?
  – How are privileges enforced?
  – What does the layout of the web application look like (URLs)?
  – What URLs should only be accessible via a certain privilege?
  – What is the input to the web application?
  – What is the output of the web application?
  – How is the web application probably written?

• Step 2: Develop vulnerability hypothesis

• Step 3: Test vulnerability hypothesis

• Step 4: Develop exploit

• Step 5: Profit


Injection Vectors

• All user input to the web application

• Some examples
  – Query parameters
  – URL path
  – POST parameters
  – Cookies
  – Referer header
  – Files
  – Other websites (twitter feed)
  – Emails
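An inventory of these vectors for a single request, as an added example that is not part of the original slides: it parses a constructed raw HTTP request and lists every client-controlled field by vector, which is the list a reviewer needs in order to check that each one is validated. The request, the host names and the function name inventory_inputs are assumptions; files, other websites and emails arrive by other channels and are not covered here.

```python
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed sample request (not from the slides).
RAW_REQUEST = (
    "POST /forum/thread/42/reply?sort=new&page=2 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Referer: https://other.example/search?q=widgets\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "title=hello&body=first+post"
)

def inventory_inputs(raw):
    """Return (vector, name, value) for every client-controlled field found."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    found = []
    # URL path: each segment may be used as a route or an identifier.
    for i, seg in enumerate(s for s in url.path.split("/") if s):
        found.append(("url_path", f"segment[{i}]", seg))
    # Query parameters.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        found.append(("query", key, value))
    # POST parameters (form-encoded bodies only in this example).
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body, keep_blank_values=True):
            found.append(("post", key, value))
    # Cookies are sent by the client and are as untrusted as any parameter.
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    for key, morsel in cookies.items():
        found.append(("cookie", key, morsel.value))
    # Referer header is also chosen by the client.
    if "referer" in headers:
        found.append(("referer", "Referer", headers["referer"]))
    return found

if __name__ == "__main__":
    for vector, name, value in inventory_inputs(RAW_REQUEST):
        print(f"{vector:9} {name:12} {value!r}")
```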


Understand Data Flow

• How does the input data flow through the program?
  – Data on page X is displayed on page Y and used to calculate the result of page Z

• How does the output of a page flow through the program?
  – Result of a calculation used as part of a tweet


Summary

• First step to hacking is reconnaissance

• Critical to understand the web application
  – Helps to decide what is a vulnerability and what is not!

• Want to reverse engineer the web application
  – Ask yourself how would I have written this web application?
  – What mistakes might the developer have made?