The Hacker Mindset
CSE 591 – Security and Vulnerability Analysis
Spring 2015
Adam Doupé
Arizona State University
http://adamdoupe.com
Adam Doupé, Security and Vulnerability Analysis
What is a Vulnerability?
• Make the application do something that it is not supposed to do
• Therefore, in order to find vulnerabilities, you must first understand the application
  – What is the intended functionality?
  – What is the intended behavior?
  – What does the application use as input?
  – What does the application produce as output?
Example
• Find: unauthenticated users can edit page content
• Is this a vulnerability?
  – On cnn.com, yes!
  – On wikipedia.org, no!
• This is why understanding the web application is critical
How to Rob a Bank*
• Step 1: Reconnaissance
  – Who works at the bank?
  – What is their role?
  – Who has the keys?
  – When do the guards change or take a break?
  – What does the layout of the bank look like?
  – What does the vault look like?
  – What kind of lock does the bank use?
  – …
• Step 2: Build elaborate plan
• Step 3: Everything goes wrong
• Step 4: Profit?

*Knowledge comes from movies
How to Rob a Web Application
• Step 1: Reconnaissance
  – How does the application work?
  – Are there user accounts?
  – Do the user accounts have different privileges?
  – How are privileges enforced?
  – What does the layout of the web application look like (URLs)?
  – What URLs should only be accessible via a certain privilege?
  – What is the input to the web application?
  – What is the output of the web application?
  – How is the web application probably written?
• Step 2: Develop vulnerability hypothesis
• Step 3: Test vulnerability hypothesis
• Step 4: Develop exploit
• Step 5: Profit
Injection Vectors
• All user input to the web application
• Some examples
  – Query parameters
  – URL path
  – POST parameters
  – Cookies
  – Referer header
  – Files
  – Other websites (twitter feed)
  – Emails
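The request-borne vectors on this slide, inventoried from a single HTTP request. This is an added example, not from the slides: it parses a constructed request and lists every value the client controls, grouped by the slide's categories, which is the reconnaissance step a reviewer does before forming a vulnerability hypothesis. Files, other websites and emails arrive through other channels and are out of scope here.

```python
"""Inventory the user-controlled inputs of one HTTP request (added example)."""
from http.cookies import SimpleCookie
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request; the host, cookies and parameters are made up.
RAW_REQUEST = (
    "POST /wiki/edit/Main_Page?action=save&section=2 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Referer: https://example.test/wiki/Main_Page\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "title=Main+Page&body=Hello+world"
)


def injection_vectors(raw: str) -> Dict[str, List[str]]:
    """Map each injection-vector category to the client-controlled values found."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    vectors = {
        # Every path segment is chosen by the client, not only the query string.
        "URL path": [seg for seg in url.path.split("/") if seg],
        "Query parameters": [f"{k}={v}" for k, v in parse_qsl(url.query, keep_blank_values=True)],
        "POST parameters": [],
        "Cookies": [],
        "Referer header": [],
    }
    # Form bodies are decoded like query strings; other body types are left to the caller.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        vectors["POST parameters"] = [f"{k}={v}" for k, v in parse_qsl(body, keep_blank_values=True)]
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    vectors["Cookies"] = [f"{k}={m.value}" for k, m in cookie.items()]
    # Referer is an ordinary client-supplied header and must be treated as input too.
    if "referer" in headers:
        vectors["Referer header"] = [headers["referer"]]
    return vectors


if __name__ == "__main__":
    for category, values in injection_vectors(RAW_REQUEST).items():
        print(f"{category}: {values}")
```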
Understand Data Flow
• How does the input data flow through the program?
  – Data on page X is displayed on page Y and used to calculate the result of page Z
• How does the output of a page flow through the program?
  – Result of a calculation used as part of a tweet
Summary
• First step to hacking is reconnaissance
• Critical to understand the web application
  – Helps to decide what is a vulnerability and what is not!
• Want to reverse engineer the web application
  – Ask yourself: how would I have written this web application?
  – What mistakes might the developer have made?