Into the Rabbithole — Evolved Web Application Security Testing

Rafal M. Los, Security Evangelist, HP Application Security Center
Email: [email protected] – Twitter: @Wh1t3Rabbit – Skype: Wh1t3Rabbit – +1 (404) 606-6056

©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Transcript of a PowerPoint (PPT) presentation.

Let’s descend down the rabbit-hole

OR: Better testing through evolved automation

Automation: Love & Hate

Web App Sec has a LOVE|HATE relationship with automation.

HATE
- Attack surface coverage unclear*
- Confuse automation’s purpose

LOVE
- Automation speeds defect identification
- Scanning is fast, quickly producing results

*More on the coverage problem shortly…

Understanding Automation

Battle lines (the classic arguments)
- Humans offer intelligence
- Automation offers limited scope

Benefits of automation
- Scalability: analysis speed, coverage, processing
- Complexity: applications are increasingly process-driven

So What?

We’ve reached a tipping point.

Why Did My Scanner Miss X?

Two real reasons:
- X required a specific sequence, or FLOW
- X required DATA to get there

Data + Flow: no excuses
- IF tools have data + logic… the result is “smarter” automation
- No more “crawl n’ hope”

“Radical” Testing Methodology

STOP point n’ scan web application security testing.

ENLIGHTENED METHODOLOGY
- Application functional mapping w/data
- Layered automation-infused testing
- Concrete metrics & KPIs

Do what you do… only smarter

Application Functional Mapping with Data

Defect vs. Vulnerability

How many of you have ever performed functional testing?

Functional vs. Security Testing

| QA team | Infosecurity team |
|---|---|
| Functions known | Functions unknown |
| Application understood | Application unknown |
| Rely on functional specifications | Rely on crawlers + experience + luck |
| Coverage known | Coverage unknown |
| Highlight key business logic | Highlight “found” functionality |

Hard Lessons Learned

Security analysts, tools [today] aren’t equipped to properly test highly complex applications…

MISSING PIECES
- Understanding of application
- Functional mapping of application
- Application execution flow
- Valid test data

Bridging the Gaps

Is the kitchen-sink attack working? Hint: It used to… not anymore.

[Diagram: three markers labelled “YOU ARE HERE”, “THEY ARE THERE” and “IDEAL”]

As All This Is Happening—Technology Drives Forward…

Application State Is Changing

HTTP State
- Session/Cookie State
- Server State

Client State
- JavaScript State
- Silverlight/Flash State

- Impossible to decouple HTTP from Client State
- You can’t just crawl/guess your way through a modern, complex application

Proposed Approach

Combine functional + security testing, compensating for technology

- Address technology complexities
  - Session states
  - Code complexity
- Address functional complexities
  - Mapping application function as execution flows
  - Mapping data for driving execution flows

Incoming New Automation Technology!

Standards & Specifications

EFD – Execution Flow Diagram: functional paths through the application logic
ADM – Application Data Mapping: mapping data requirements against functional paths

Improving the Testing Process

- Functional specification
- Application functional mapping [EFD]
- Application data mapping [ADM]
- Function-based automated testing
- Manual result & coverage validation

Basics of the EFD & ADM

Basic EFD Concepts

Graph(s) of flows through the application
- Nodes represent application states
- Edges represent different actions
- Paths between nodes represent state changes
- A set of paths is a flow

Execution Flow Action Types

What is an action?
- Something that causes a change in state
- A human, server or browser-driven event

Three types of actions
- Direct
- Supplemental
- Indirect

Direct Flow Actions

Actions which change the browser’s document context
- Causes an entirely new browser page

Examples:
- Following hyperlink
- Click login button

[Diagram: HTTP states (pages) P1 → P2 via the direct flow action GET /?step2]

Supplemental Flow Actions

Actions that change the state of the current document
- Client-side action, maintaining browser page

Examples:
- JavaScript menu
- Flash client event

[Diagram: DOM states P1 → P1.1 → P1.1.1 reached through supplementary flows such as onLoad and onMouseOver]

Indirect Flow Actions

Actions automatically triggered by document context
- Usually for supporting data, modifying document state

Examples:
- Site analytics (js)
- Stock ticker
- XMLHttpRequest

[Diagram: pages joined by a direct flow; an indirect flow pulls in the Dojo library via `<script src=dojo.js />`]

Basic ADM Concepts

An Application Data Map [ADM] defines flows with the context of data.

WHY?
- Flows mean nothing without DATA*
- Data should be interchangeable
- Monitoring requests makes this impossible – no context
- Data can be direct or indirect

*Where not specifically defined within an action (at the edge) the data values are assumed to be arbitrary

ADM + EFD Visually

Retrieve something from a safe:
1. Map the action
2. Add data (context) necessary to execute
3. Execute action using data

[Diagram: “I need something from that safe” → ACTION (open safe), with the data “Combination: R23, L12, R31, L9”]

ADM & EFD

Another example: Web site registration

[Diagram: START → fork → Landing Page → Login, or → Registration Page → User Data → Confirm Account]

Putting It All Together (1)

[Diagram: Functional level (Login → Compose Email → Send) drives the Technical level]

Putting It All Together (2)

[Diagram: the functional level drives the EFD; states 1–8 are joined by actions a–g, each placed in a JS, DOM or HTTP lane]

- a: GET /
- b: GET /?Login
- c: GET /?Compose
- d: onKeyPressed (160 times)
- e: DIV.onMouseOver
- f: LI.onChange
- g: FORM.submit() → GET /?Send

Putting It All Together (3)

The same EFD with the ADM attached: the data column drives each action.

| Action | JS / DOM / HTTP event | Data |
|---|---|---|
| a | GET / | N/A |
| b | GET /?Login | User, Pass, Captcha |
| c | GET /?Compose | N/A |
| d | onKeyPressed (160 times) | Email_Text |
| e | DIV.onMouseOver | N/A |
| f | LI.onChange | Send_To_Address |
| g | BTN.onClick → GET /?Send | N/A |

Applications of Execution Flow Diagrams

Flow Based Threat Analysis

- Mark up flow with threat information
- Prioritize testing
- Prioritize verified vulnerabilities
- Detect dangerous information flows

[Diagram: flows labelled “Viewing Items”, “Checkout with Credit Card” and “Partners Only”]

Coverage Analysis

Flows defined by the functional specification can be compared to the security testing to determine gaps!

Q: “How much of the application was tested?”
A: “The scanner was able to test 8 of the 12 flows; we need to find out why/where it broke down.”

The EFD can be referenced to determine where; the ADM can be referenced to determine why.
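As an added example (not the talk’s own code, nor any HP tool), the login, compose and send flow from the “Putting It All Together” slides modelled as an EFD whose edges carry the ADM data, then compared against a constructed scanner trace to answer the coverage question above: how many of the specified flows were exercised, and for each gap, where the scanner stopped (read from the EFD) and why (read from the ADM). The state names, flow names, the split of actions into direct and supplemental, the trace and the set of data the scanner had are all assumptions made for this example.

```python
"""EFD + ADM coverage check (added example, not from the talk).

A small execution-flow diagram (states joined by typed actions) carries the
application data map (what each action needs). A constructed scanner trace is
compared to the specified flows: covered flows are counted and, for each gap,
the EFD says where the scanner stopped and the ADM says why.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One EFD edge; `data` is its ADM entry (empty means arbitrary values)."""
    name: str         # edge label on the diagram, e.g. "b"
    kind: str         # "direct", "supplemental" or "indirect"
    src: str          # state the action starts from
    dst: str          # state it leads to
    event: str        # HTTP request or JS/DOM event that performs it
    data: tuple = ()  # ADM: named data items required to take this edge


# Hypothetical EFD for login -> compose -> send; states 1..8 and edges a..g
# follow the slides, the assignment of kinds is this example's own reading.
EFD = {a.name: a for a in [
    Action("a", "direct", "1", "2", "GET /"),
    Action("b", "direct", "2", "3", "GET /?Login", ("User", "Pass", "Captcha")),
    Action("c", "direct", "3", "4", "GET /?Compose"),
    Action("d", "supplemental", "4", "5", "onKeyPressed", ("Email_Text",)),
    Action("e", "supplemental", "5", "6", "DIV.onMouseOver"),
    Action("f", "supplemental", "6", "7", "LI.onChange", ("Send_To_Address",)),
    Action("g", "direct", "7", "8", "FORM.submit() GET /?Send"),
]}

# Flows from a hypothetical functional specification: ordered edge labels.
FLOWS = {
    "view_landing": ["a"],
    "login": ["a", "b"],
    "compose_and_send": ["a", "b", "c", "d", "e", "f", "g"],
}

# Constructed scanner trace: edges it exercised and ADM items it was given.
OBSERVED = ["a", "b", "c"]
AVAILABLE_DATA = {"User", "Pass", "Captcha"}


def validate_flow(steps):
    """True if every step is an EFD edge and the edges chain (dst == next src)."""
    if not all(s in EFD for s in steps):
        return False
    return all(EFD[p].dst == EFD[n].src for p, n in zip(steps, steps[1:]))


def check_coverage(flows, observed, available_data):
    """Map each flow to 'covered' or to its first gap: where (EFD) and why (ADM)."""
    seen = set(observed)
    results = {}
    for name, steps in flows.items():
        if not validate_flow(steps):
            raise ValueError(f"flow {name!r} is not a path in the EFD")
        for step in steps:
            if step in seen:
                continue
            act = EFD[step]
            missing = [d for d in act.data if d not in available_data]
            if missing:
                why = "missing data: " + ", ".join(missing)
            elif act.kind != "direct":
                why = f"{act.kind} action not driven (crawler follows HTTP only)"
            else:
                why = "direct action not exercised"
            results[name] = {
                "status": "gap",
                "where": f"state {act.src} -> {act.dst} via {step} ({act.event})",
                "why": why,
            }
            break
        else:
            results[name] = {"status": "covered"}
    return results


def coverage_summary(results):
    """(covered, total), so the answer reads like 'tested 8 of the 12 flows'."""
    covered = sum(1 for r in results.values() if r["status"] == "covered")
    return covered, len(results)


if __name__ == "__main__":
    res = check_coverage(FLOWS, OBSERVED, AVAILABLE_DATA)
    for flow, r in res.items():
        print(flow, r)
    print("covered %d of %d flows" % coverage_summary(res))
```

With the constructed trace the scanner covers the two HTTP-only flows and stops the third at state 4 → 5 (edge d), and the ADM explains why: it was never given an Email_Text value, so the supplemental keypress action could not be driven. Giving it that value moves the gap one edge along, to the DOM event the crawler does not fire.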

Flow-Based Reproduction

Demonstrate exactly how to reproduce a defect…

Demonstrate where application failed
- Steps executed
- Data used

[Diagram: START → fork → Landing Page → Registration Page, steps 1–4, with the DATA “<script>…” attached to the failing step]

Dysfunctional Use of EFD

Vulnerabilities happen when using the application in an unintended way.

If we know the right logic paths…

[Diagram: the EFD from “Putting It All Together (2)”, states 1–8 and actions a–g]
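Knowing the right logic paths cuts both ways: the same EFD that tells a tester which order the application expects also lets a defender spot a session that takes the flow out of order. This added example (not code from the talk) replays a constructed access log against the HTTP-visible part of the login, compose and send flow and flags requests that arrive from a state the flow does not allow, such as GET /?Send from a session that never passed GET /?Login. Only direct (HTTP) actions appear in server logs, so the supplemental JS/DOM edges are left out of the table. The state names, the transition table and the log line format are assumptions.

```python
"""Out-of-flow request detection (added example, not from the talk).

Server-side logs only show the HTTP (direct) actions of an EFD, so this replays
a constructed access log against the HTTP-visible part of the login -> compose
-> send flow and reports requests made from a state the flow does not allow.
"""
import re
from collections import defaultdict

# Hypothetical HTTP-visible EFD: current state -> {request: next state}.
START = "start"
TRANSITIONS = {
    START: {"GET /": "landing"},
    "landing": {"GET /?Login": "logged_in"},
    "logged_in": {"GET /?Compose": "composing", "GET /": "landing"},
    "composing": {"GET /?Send": "sent", "GET /": "landing"},
    "sent": {"GET /?Compose": "composing", "GET /": "landing"},
}
# Requests that are part of the flow at all; anything else (favicon, static
# assets) is not an EFD edge and is ignored rather than flagged.
KNOWN = {req for edges in TRANSITIONS.values() for req in edges}

# Constructed log format: <timestamp> sess=<id> "<METHOD> <path>" <status>
LOG_LINE = re.compile(r'^\S+ sess=(\S+) "(\w+ \S+)" \d{3}$')

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '2010-06-01T10:00:00Z sess=s1 "GET /" 200',
    '2010-06-01T10:00:05Z sess=s1 "GET /?Login" 200',
    '2010-06-01T10:00:09Z sess=s1 "GET /favicon.ico" 404',  # not an EFD edge
    '2010-06-01T10:00:20Z sess=s1 "GET /?Compose" 200',
    '2010-06-01T10:01:00Z sess=s1 "GET /?Send" 200',
    '2010-06-01T10:02:00Z sess=s2 "GET /" 200',
    '2010-06-01T10:02:03Z sess=s2 "GET /?Send" 200',       # skipped Login, Compose
    '2010-06-01T10:03:00Z sess=s3 "GET /?Compose" 200',    # no prior state at all
]


def parse_line(line):
    """Return (session, request) for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def find_out_of_flow(lines):
    """Walk each session through the EFD; return (line_no, session, state, request)
    for every flow request that is not a valid edge from the session's state."""
    state = defaultdict(lambda: START)
    anomalies = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        sess, request = parsed
        if request not in KNOWN:
            continue
        nxt = TRANSITIONS[state[sess]].get(request)
        if nxt is None:
            # Not a legal step from here: record it and leave the session where it was.
            anomalies.append((line_no, sess, state[sess], request))
        else:
            state[sess] = nxt
    return anomalies


if __name__ == "__main__":
    for line_no, sess, state, request in find_out_of_flow(SAMPLE_LOG):
        print(f"line {line_no}: session {sess} issued {request!r} from state {state!r}")
```

Session s1 walks the flow in order and produces nothing; s2 jumps from the landing page straight to GET /?Send and s3 asks for the compose page with no prior state, and both are reported with the state the EFD says they were in. The same transition table, enforced server-side instead of only monitored, is the control that makes that unintended use fail rather than succeed.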

Next Generation Automation

Automation of execution flows
- Build maps from user-driven functional scripts
- Recording/playback
  - Record HTTP requests
  - Record JavaScript events
  - Record client UI events
- Attacking
  - [Re]play flows
  - Auditing HTTP parameters and HTML inputs

Next: Automatic Exploration
- Similar paths can be easily enumerated
- JS static analysis to find other entry points to paths

[Diagram: flows “Select Flight 1” and “Select Flight 2”, with a path marked “Automatically Found”]

For Next Time…

Layered automation-infused testing
Testing must be layered to fully understand the attack surface of the application, including multiple levels of authentication, business logic and data sets.

Concrete metrics & KPIs
In order to concretely prove functional coverage, application surface area coverage, defect remediation and ultimately risk reduction, business-oriented metrics and KPIs must be gathered.

Get to it.

Insert cheesy cliché here…
…or you could just go do it.

Rafal Los
Email: [email protected]
Twitter: @Wh1t3Rabbit
Skype: Wh1t3Rabbit
Voice: (765) 247-2325
Blog: http://www.hp.com/go/white-rabbit

Outcomes that matter.