Jouri Dufour - How About Security Testing - EuroSTAR 2013

DESCRIPTION
EuroSTAR Software Testing Conference 2013 presentation on How About Security Testing by Jouri Dufour. See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/

TRANSCRIPT
Jouri Dufour, CTG
How About Security Testing?
www.eurostarconferences.com
@esconfs #esconfs
How About Cybercrime?
Our BUSINESS LIFE is online.
“If A happens, then B must be the case, so I will do C.”
BUT WHAT IF X OCCURS?
01 Fooling a password change function
The functionality | The assumption | The attack
[Diagram: a password change request enters the password change function, which asks "Existing password parameter?"; Y leads to the User path, N to the Administrator path. The form has the fields Username, Existing password *, New password and Confirm new password. * Only presented to users.]
FLAW
[The same diagram is shown again.]
ATTACK
[The same diagram is shown again, with the form Username, Existing password *, New password, Confirm new password.]
RECOMMENDED HACK STEPS
Try removing in turn each request parameter
Be sure to delete the actual parameter name as well as its value
Attack only one parameter at a time
Follow a multistage process through to completion
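The flaw in this case is that the server infers "user or administrator" from whether the existing-password parameter is present in the request, so dropping the parameter (name and value) turns the user path into the administrator path. The following is an added example, not code from the presentation: a handler written that way beside one that takes the privilege decision from the server-side session instead. The account store, field names and session layout are constructed for the example.

```python
import hmac

# Constructed account store for the example: plaintext passwords only to keep
# the demonstration short; a real store holds salted password hashes.
USERS = {"alice": {"password": "old-secret"}}


def _form_ok(users, form):
    """Shared input checks: known user and matching new/confirm fields."""
    user = users.get(form.get("username"))
    if user is None:
        return None
    if not form.get("new_password") or form["new_password"] != form.get("confirm_new_password"):
        return None
    return user


def change_password_flawed(users, form):
    """Flawed: 'no existing_password parameter' is taken to mean 'administrator'."""
    user = _form_ok(users, form)
    if user is None:
        return False
    if "existing_password" in form:
        # User path: the old password must match.
        if not hmac.compare_digest(form["existing_password"], user["password"]):
            return False
    # Administrator path: reached simply by leaving the parameter out.
    user["password"] = form["new_password"]
    return True


def change_password_fixed(users, form, session):
    """Fixed: the privilege decision comes from the server-side session."""
    user = _form_ok(users, form)
    if user is None:
        return False
    if session.get("role") != "admin":
        # Non-admins may only change their own password and must prove the
        # current one. A missing parameter fails the check instead of skipping it.
        if session.get("username") != form.get("username"):
            return False
        supplied = form.get("existing_password", "")
        if not hmac.compare_digest(supplied, user["password"]):
            return False
    user["password"] = form["new_password"]
    return True
```

The test a security tester would run is exactly the slide's step: submit the user's own change request with the existing-password parameter removed entirely. Against the flawed handler the change succeeds; against the fixed one it is refused and the stored password is untouched.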
02 Proceeding to checkout
The functionality | The assumption | The attack
[Diagram: retail application checkout with the stages Add items to shopping basket, Enter delivery information, Enter payment information and Finalize order.]
FLAW
[The same diagram is shown again.]
ATTACK
[The same diagram is shown again.]
RECOMMENDED HACK STEPS
Attempt to submit requests out of the expected sequence
Be sure to fully understand the access mechanisms to distinct stages
Try to violate the developers’ assumptions
Use any interesting error messages and debug output to fine-tune your attacks
The application may enforce strict access control only on the initial stages of the process
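The assumption being broken here is that a request for a later stage implies the earlier stages were completed. The following is an added example, not from the presentation: a checkout that only guards its first stage, beside one that keeps a server-side record of completed stages and re-checks it on every request. The stage names follow the slide; the session dictionary, the audit list and the error texts are constructed for the example.

```python
from enum import Enum


class Stage(Enum):
    BASKET = 1
    DELIVERY = 2
    PAYMENT = 3
    FINALIZE = 4


FLOW = [Stage.BASKET, Stage.DELIVERY, Stage.PAYMENT, Stage.FINALIZE]


class CheckoutFlawed:
    """Only the first stage checks anything; later stages trust the URL."""

    def __init__(self, session):
        self.session = session

    def handle(self, stage):
        if stage is Stage.BASKET and not self.session.get("logged_in"):
            raise PermissionError("login required")
        # Delivery, payment and finalize never ask what came before them.
        return f"{stage.name} accepted"


class CheckoutFixed:
    """Every stage re-checks the session and the server-side progress record."""

    def __init__(self, session):
        self.session = session
        self.session.setdefault("completed", set())
        self.audit = []   # detail stays server-side; the client gets a generic error

    def handle(self, stage):
        if not self.session.get("logged_in"):
            raise PermissionError("login required")
        required = set(FLOW[: FLOW.index(stage)])
        missing = required - self.session["completed"]
        if missing:
            self.audit.append(f"{stage.name} requested before {sorted(m.name for m in missing)}")
            raise PermissionError("invalid checkout state")
        self.session["completed"].add(stage)
        if stage is Stage.FINALIZE:
            # Consume the progress record so the order cannot be finalized twice.
            self.session["completed"] = set()
        return f"{stage.name} accepted"


def attempt(checkout, stage):
    """Helper so the outcome of each request can be inspected as a value."""
    try:
        return checkout.handle(stage)
    except PermissionError as exc:
        return f"denied: {exc}"
```

Note that the fixed version records which stage was missing only in its server-side audit list and returns the same generic message to the client; the slide's last step (fine-tuning attacks from verbose error messages) is precisely why the detail should not go back to the browser.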
03 Beating a business limit
The functionality | The assumption | The attack
[Diagram: ERP application transferring money between Bank account 1 and Bank account 2, with the check "Less than €10.000?" (Y / N).]
FLAW
[The same diagram is shown again.]
[The same diagram is shown again, now with the amounts -€20.000 and €20.000.]
Many applications use numeric limits and beating such limits may have serious business consequences
RECOMMENDED HACK STEPS
Try entering negative values
Sometimes several steps need to be repeated to bring the application in a vulnerable state
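The limit check on the slide asks only "Less than €10.000?", which a negative amount satisfies. The following is an added example, not from the presentation: that one-sided check beside an amount validator that parses the value as a decimal, rejects non-finite and over-precise input, and enforces both bounds plus the funds check the limit silently assumed. The €10.000 threshold is the slide's; treating it as exclusive, the two-decimal precision rule and the balance argument are assumptions for the example.

```python
from decimal import Decimal, InvalidOperation
from typing import Optional

LIMIT = Decimal("10000")   # the slide's €10.000 threshold, assumed exclusive


def transfer_allowed_flawed(amount_text: str) -> bool:
    """Asks only 'Less than €10.000?', so a negative amount passes."""
    try:
        return float(amount_text) < 10000
    except ValueError:
        return False


def parse_amount(amount_text: str) -> Optional[Decimal]:
    """Accept only a finite decimal with at most two fractional digits."""
    try:
        amount = Decimal(amount_text.strip())
    except (InvalidOperation, AttributeError):
        return None
    if not amount.is_finite():          # rejects NaN and Infinity
        return None
    if amount.as_tuple().exponent < -2:  # no sub-cent amounts
        return None
    return amount


def transfer_allowed_fixed(amount_text: str, balance: Decimal) -> bool:
    """Lower bound, upper bound and available funds, all on the parsed value."""
    amount = parse_amount(amount_text)
    if amount is None:
        return False
    return Decimal("0") < amount < LIMIT and amount <= balance
```

The slide's "try entering negative values" is the first test case; the validator also covers the neighbouring inputs a tester would try next (zero, NaN, an amount with three decimals, exactly the limit), each of which is a separate assumption the business rule never wrote down.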
04 Cheating on bulk discounts
The functionality | The assumption | The attack
[Diagram: retail application, purchase bundle. Shopping basket: Item 1 €..., Item 2 €..., Item 3 €..., -25%.]
FLAW
[The same diagram is shown again.]
ATTACK
[The same diagram is shown again.]
RECOMMENDED HACK STEPS
Find out if adjustments are made on a one-time basis
Try to manipulate the application’s behavior to get adjustments that don’t correspond to the original intended criteria
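"One-time basis" means the -25% adjustment is computed when the bundle is added and then stored, so the basket can change afterwards without the adjustment following it. The following is an added example, not from the presentation: a basket that stores the adjustment beside one that derives it from the current contents whenever a total is needed. The three-item bundle and the 25% rate are the slide's; the prices and the class layout are constructed for the example.

```python
from decimal import Decimal

BUNDLE_SIZE = 3
BUNDLE_DISCOUNT = Decimal("0.25")   # the slide's -25%


class BasketFlawed:
    """The adjustment is computed once, when the bundle is added, and kept."""

    def __init__(self):
        self.items = {}                  # name -> price
        self.adjustment = Decimal("0")

    def add_bundle(self, bundle):
        self.items.update(bundle)
        if len(bundle) >= BUNDLE_SIZE:
            self.adjustment = sum(bundle.values(), Decimal("0")) * BUNDLE_DISCOUNT

    def remove(self, name):
        self.items.pop(name, None)       # the stored adjustment is not revisited

    def total(self):
        return sum(self.items.values(), Decimal("0")) - self.adjustment


class BasketFixed:
    """The adjustment is a function of the current contents, never stored."""

    def __init__(self):
        self.items = {}

    def add(self, name, price):
        self.items[name] = price

    def remove(self, name):
        self.items.pop(name, None)

    def subtotal(self):
        return sum(self.items.values(), Decimal("0"))

    def adjustment(self):
        if len(self.items) >= BUNDLE_SIZE:
            return self.subtotal() * BUNDLE_DISCOUNT
        return Decimal("0")

    def total(self):
        # Recomputed at checkout from what is actually being bought.
        return self.subtotal() - self.adjustment()
```

With three items at €10, €20 and €30 the stored adjustment is €15; removing two of the three items leaves the flawed basket at a total of -€5, while the fixed basket simply charges €10 for the one item that remains.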
05 Escaping from escaping
The functionality | The assumption | The attack
[Diagram: a web application builds an operating system command from user-controllable input. Sanitization using the backslash character (\) escapes the characters ; | & < > ` space newline.]
FLAW
[The same diagram is shown again.]
ATTACK
[The same diagram is shown again.]
[The same diagram with the input Foo\;ls: after sanitization it becomes Foo\\;ls.]
COMMAND INJECTION
RECOMMENDED HACK STEPS
Attempt to insert relevant metacharacters into the data you control
Always try placing a backslash immediately before each such character
This same defect can be found in some defenses against cross-site scripting attacks
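The sanitizer on the slide escapes the listed metacharacters but not the backslash itself, so a user-supplied backslash absorbs the one the sanitizer adds: Foo\;ls becomes Foo\\;ls, which the shell reads as a literal backslash followed by an unescaped ; separator. The following is an added example, not from the presentation: that sanitizer beside one that escapes the escape character too, with shlex used as a stand-in for the shell's word splitting so the difference is visible without running a command, and a builder for the approach that avoids the problem altogether (no shell; the value becomes one argv element). The metacharacter list is the slide's; shlex as the parser and the echo command in build_argv are assumptions for the example.

```python
import shlex

# The metacharacters the slide's sanitizer escapes.
META = set(";|&<>` \n")


def escape_flawed(value: str) -> str:
    """Prefix each metacharacter with a backslash, but leave backslashes alone."""
    return "".join("\\" + ch if ch in META else ch for ch in value)


def escape_fixed(value: str) -> str:
    """Escape the escape character as well, so a user-supplied backslash cannot
    neutralise the one the sanitizer adds."""
    return "".join("\\" + ch if (ch in META or ch == "\\") else ch for ch in value)


def shell_words(command_line: str) -> list:
    """Stand-in for the shell's word splitting: POSIX rules, with ; | & < > ( )
    recognised as separate operator tokens (shlex's punctuation_chars mode)."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def build_argv(value: str) -> list:
    """The robust fix: no shell at all. Hand this list to subprocess.run(argv)
    (shell=False, the default); the value is one argument, metacharacters inert."""
    return ["echo", value]
```

Feeding the slide's input through both sanitizers and tokenising the result shows the flaw directly: the flawed output splits into a word, a ; operator and a second command word, while the fixed output stays a single word. Reviewing a sanitizer for this defect comes down to one question: is the escape character in its own escape list?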
Dynamic Application Security Testing (DAST) + Static Application Security Testing (SAST) = Integrated Application Security Testing (IAST)
Yesterday | Today | Tomorrow
[Chart: Victims plotted against Time, with ticks from 00:00 to 01:00; the counter values run from 31762 to 30808.]
HOW ABOUT SECURITY TESTING?
Fooling a password change function
Proceeding to checkout
Beating a business limit
Cheating on bulk discounts
Escaping from escaping
Speaker: Jouri [email protected]