So Your Company Hired a Pentest Team
Carl Sue, Security Analyst, FishNet Security, Application Security
Disclaimer
The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and cannot be held responsible for any of its contents. As such it should not be seen as marketing or any other form of public interaction by FishNet Security.
Don’t Panic!
No Really!
Don’t Panic!
Truly Secure Site
Web 2.0 is about Risk Assessment: these sites are still considered secure
Facebook, WordPress
Why Risk Assessment?
• The Internet is BIG
• No, no, no: the Internet is REALLY REALLY BIG
• To go along with this really big Internet we have a really big codebase
• To add to this really big codebase, just like we learned in our first programming class, there are a thousand ways to do just about anything.
• Risk Assessment is more about hardening your web app or site against common attacks than against uncommon attacks that target your unique situation.
• Now you must be thinking: what's a low hanging fruit?
Low Hanging Fruit
• OWASP Top Ten
• OWASP is the Open Web Application Security Project.
• Every few years they put out a report of the top ten vulnerabilities found on the Internet.
• They also have some great tools for testing your web applications.
• If you want an idea of how to prepare for a security audit, OWASP is a great resource.
OWASP Top Ten 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
A1 - Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
SQL injection is still quite common
• Many applications still susceptible (really don't know why)
• Even though it's usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
Injection Defense Recommendations
1. Avoid the interpreter entirely, or
2. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures). Bind variables allow the interpreter to distinguish between code and data
3. Encode all user input before passing it to the interpreter
• Always perform 'white list' input validation on all user supplied input
• Always minimize database privileges to reduce the impact of a flaw
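To make recommendation 2 and the white-list rule concrete, here is an added example (not from the talk) that runs the same user lookup built by string concatenation and with a bind variable against a constructed in-memory SQLite table; the table, the usernames and the regex are assumptions for the demo.

```python
# Added example (not from the talk): the same lookup built by string
# concatenation and with a bind variable, run against a constructed
# in-memory SQLite table so the difference is observable.
import re
import sqlite3

def make_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn

def find_user_concat(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so the
    interpreter cannot tell code from data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_bound(conn, name):
    """Safe: the '?' placeholder is a bind variable; the input is passed
    to the driver as data and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Assumed username policy for the white-list check.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def find_user_validated(conn, name):
    """Defense in depth: white-list validation rejects anything that is
    not a plausible username before it reaches the database at all."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username failed white-list validation")
    return find_user_bound(conn, name)

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"                 # constructed hostile input
    print(find_user_concat(db, hostile))     # every email comes back
    print(find_user_bound(db, hostile))      # []: no user has that name
```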
A2 – Cross Site Scripting (XSS)
Occurs any time…
• Raw data from attacker is sent to an innocent user's browser
Typical Impact
• Steal user's session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user's behavior on vulnerable site and force user to other sites
Cross Site Scripting Negation
Recommendations
Eliminate Flaw
• Don't include user supplied input in the output page
Defend Against the Flaw
• Primary Recommendation: Output encode all user supplied input
• Perform 'white list' input validation on all user input to be included in page
• For large chunks of user supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
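The "output encode" and "white list" recommendations above, as an added example (not from the talk): a comment renderer that encodes each untrusted value for the HTML context it lands in, shown beside the raw version. The page markup, the display-name policy and the `/profile` URL are assumptions for the demo.

```python
# Added example (not from the talk): output-encode untrusted input for
# the context it is inserted into, and white-list validate fields that
# should never contain markup in the first place.
import html
import re
from urllib.parse import quote

# Assumed policy: display names are short and carry no markup characters.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")

def validate_display_name(name):
    """White-list validation: reject anything outside the allowed set."""
    if not DISPLAY_NAME_RE.fullmatch(name):
        raise ValueError("display name failed white-list validation")
    return name

def render_comment_unsafe(author, text):
    """Vulnerable: raw user data is pasted straight into the page."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (author, text)

def render_comment(author, text, profile_id):
    """Safe: each value is encoded for the context it is inserted into.
    html.escape(quote=True) covers text and attribute contexts; the
    query-string value is percent-encoded for the URL context."""
    safe_author = html.escape(validate_display_name(author), quote=True)
    safe_text = html.escape(text, quote=True)
    safe_id = quote(profile_id, safe="")
    return ('<p class="comment"><a href="/profile?id=%s">%s</a>: %s</p>'
            % (safe_id, safe_author, safe_text))

if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"          # constructed test input
    print(render_comment_unsafe("mallory", hostile))  # script tag survives
    print(render_comment("mallory", hostile, "42"))   # rendered as text
```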
A6 – Security Misconfiguration
Web applications rely on a secure foundation
• Everywhere from the OS up through the App Server
• Don't forget all the libraries you are using!!
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
CM must extend to all parts of the application
• All credentials should change in production
Typical Impact
• Install backdoor through missing OS or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
Proper Security Configuration Management
• Verify your system's configuration management
• Secure configuration "hardening" guideline
• Automation is REALLY USEFUL here
• Must cover entire platform and application
• Keep up with patches for ALL components
• This includes software libraries, not just OS and server applications
• Analyze security effects of changes
• Can you "dump" the application configuration?
• Build reporting into your process
• If you can't verify it, it isn't secure
• Verify the implementation
• Scanning finds generic configuration and missing patch problems
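"If you can't verify it, it isn't secure" in practice, as an added example (not from the talk): a small verifier that takes a dumped application configuration and compares it with a hardening baseline, covering a debug flag, unchanged default credentials and unpatched library versions. The INI format, the section and key names, the baseline values and the version numbers are all constructed for this demo.

```python
# Added example (not from the talk): "dump" a deployed configuration and
# compare it with a hardening baseline, flagging debug settings, default
# credentials and unpatched components. All values here are constructed.
import configparser

DUMPED_CONFIG = """
[app]
debug = true
admin_user = admin
admin_password = admin
[server]
directory_listing = off
[components]
framework = 2.3.1
template_lib = 1.0.4
"""

# Constructed baseline: required settings, known default credential pairs,
# and the minimum (patched) version of each component.
BASELINE = {"app": {"debug": "false"}, "server": {"directory_listing": "off"}}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("test", "test")}
MIN_VERSIONS = {"framework": (2, 4, 0), "template_lib": (1, 0, 4)}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit(config_text):
    """Return a list of findings; an empty list means the dump matches
    the baseline and can be reported as verified."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings = []
    # Every baseline setting must be present with exactly the required value.
    for section, expected in BASELINE.items():
        for key, value in expected.items():
            actual = cfg.get(section, key, fallback=None)
            if actual != value:
                findings.append("%s.%s is %r, baseline requires %r" % (section, key, actual, value))
    # Credentials must have been changed from any vendor default.
    creds = (cfg.get("app", "admin_user", fallback=""),
             cfg.get("app", "admin_password", fallback=""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("app.admin_user uses a default credential pair")
    # Libraries count as components: each must be at or above the patched version.
    for name, minimum in MIN_VERSIONS.items():
        installed = cfg.get("components", name, fallback="0")
        if parse_version(installed) < minimum:
            findings.append("%s %s is below patched version %s" % (name, installed, ".".join(map(str, minimum))))
    return findings
```

Calling `audit(DUMPED_CONFIG)` on the sample above returns three findings (debug enabled, default admin credentials, framework below 2.4.0); fix those three values and it returns an empty list.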
Are Your Coms Secure?
SSL
VPN
PKI
SSH/SFTP
PKI - If I Can’t read it nobody can
SSL - Keeping it Clean
Does
• Third Party Authentication
• PKI encryption
• Keeps the conversation between the client and the host
Does Not
• Protect the client from malware snooping or interference
• Remove malicious code.
Why It's not standard
• Encryption is process heavy
• The Internet is old
When you should use it.
• Always…
• When dynamic code is used
• At least when logins are in use anywhere on the site.
VPN - Keeping it Local
Does
• PKI encryption
• Keeps the conversation between the client and the host
Does Not
• Protect the client from malware snooping or interference
• Remove malicious code.
Why It's not standard
• Encryption is process heavy
• The Internet is old
When you should use it.
• Always…
• When dynamic code is used
• At least when logins are in use anywhere on the site.
SSH/SFTP – Connect Properly
Does
• PKI encryption
• Connects to your server for quick secure file management
• Allows you to issue commands to your server
Does Not
• Help the Client
• Provide any code sanitization
What It Replaces
• FTP
• God forbid Telnet
When You Should Use It.
• Anytime you connect to your server
• All file transfer for source code
• Editing any source on host
Contact Info
Email: [email protected]
@iamcobolt
Web: http://www.fishnetsecurity.com/Blogs
Personal: http://www.carlsue.com
Thanks For Having Me!
More Info
• https://www.owasp.org
• Web Application Hackers Handbook
• The Tangled Web – No Starch Press
• SQL Injection Attacks and Defense
Questions?