what the fuzz
TRANSCRIPT
WHAT THE FUZZ???
Christopher Frenz
NEED FOR APPLICATION SECURITY
• According to SANS
  • 60% of all internet attacks target Web applications
  • SQL Injection and XSS constitute 80% of all recently discovered vulnerabilities
• Application vulnerabilities now exceed OS vulnerabilities
[Chart: number of vulnerabilities by category – Applications, Operating Systems, Network]
OWASP TOP 10
https://xkcd.com/327/
WHAT TO DO???
• More developers need to be made aware of the need for secure software development as well as the practices associated with secure software development
• Education is key
• Security needs to be part of the mindset of any software development project from day 1
• Security CANNOT be an afterthought
• Security CANNOT be effectively added on later (e.g. firewalls)
WHY EDUCATION?
• Response from development team – "There is no issue here, you encountered this error while using Mozilla. Our product documentation says the application is only compatible with IE."
A QUESTION OF CASE
• What the Fuzz?
• Basic testing or fuzzing would have discovered that capitalizing a letter would result in all data being returned and not just the authorized set
• Validation was only being done client side
SECURING THE SDLC
• Requirements
  • Security needs to be a requirement
  • Risk Assessment
• Design
  • Security controls to ensure all requirements are met
  • Design review
• Implementation
  • Coding standards
  • Static code analysis
  • Peer code review
• Testing
  • Abuse Cases
  • Fuzzing
  • Vulnerability scans
  • Pen Testing
• Release/Maintenance
  • Patching/Updating
Security needs to be a factor in all phases of the software development lifecycle
THREAT MODELING
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of Service
• Elevation of privilege
• Makes programmers think like an attacker in order to identify potential ways in which their application could be abused
RISK ASSESSMENT
• Damage potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
• Each threat is ranked in each category on a scale of 1 to 3, with 1 being a threat with minimal potential impact and 3 being a serious threat
STRIDE + DREAD EXAMPLE
Helps to identify which threats pose the biggest risk
FUZZING
• Fuzzing is an automated process of providing invalid and random inputs into an application and monitoring the application for crashes
• It can help to identify inputs that the application cannot properly handle and that hence could be used as potential attacks
OWASP MUTILLIDAE
A deliberately vulnerable web application for training security testing skills
XAMPP ON VIRTUAL MACHINE
MUTILLIDAE
Mutillidae unzips into the htdocs folder of the Apache install
BURP
Suite of tools for performing Web application security testing
FOXY PROXY
Enables you to quickly switch between the Burp intercepting proxy and non-proxied browsing
START BURP
Start Burp and use Foxy Proxy to ensure that our Web browser requests go through Burp
FIND TARGET
Burp lets us see the pages loaded through the browser as well as spider a target site to identify additional web pages
FUZZ TARGET
Let's identify the page we want to target for fuzzing and send it to the Burp Intruder module
IDENTIFY POSITIONS
Identify which positions we want to receive our fuzzed input strings
LAUNCH THE ATTACK
Interesting, one attack returned a different page than the rest. Let’s try it out.
TEST THE ATTACK
We used an SQLi attack to bypass the authentication mechanism
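The fuzzing idea from the FUZZING slides and the login bypass found above, worked through in code as an added example (this is not the talk's or Mutillidae's own code): a constructed in-memory user table, a hypothetical login handler that trusts client-side validation and concatenates input into SQL, the hardened handler beside it, and a small fuzz loop that flags inputs whose response differs from the expected one, the same triage Burp Intruder was used for on the slides. The table contents and fuzz strings are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed sample user table (not the training app's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")])
    return db

def login_vulnerable(db, username, password):
    """Hypothetical handler: the form was validated client side only, so the
    server concatenates whatever arrives straight into the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]

def login_hardened(db, username, password):
    """Same check with server-side validation and a parameterised query,
    so user input is data for the database driver and never becomes SQL."""
    if not username.isalnum() or not (1 <= len(password) <= 64):
        return []
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# Constructed fuzz list: the one valid password as a baseline, then malformed input.
FUZZ_INPUTS = ["s3cret", "", "'", "x" * 500, "' OR '1'='1"]

def fuzz_login(login, db, username="alice"):
    """Feed each fuzz string in as the password and record anything the
    handler cannot properly handle: a database error (the 'crash' a fuzzer
    watches for) or a result that is not the single authorised row."""
    findings = {}
    for payload in FUZZ_INPUTS:
        try:
            rows = login(db, username, payload)
        except sqlite3.Error as e:
            findings[payload] = f"error: {e.__class__.__name__}"
            continue
        if len(rows) > 1 or (rows and payload != "s3cret"):
            findings[payload] = f"anomalous: returned {rows}"
    return findings

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fuzz_login(login_vulnerable, db))
    print("hardened:  ", fuzz_login(login_hardened, db))
```

Run against the vulnerable handler the loop reports a syntax error for the lone quote and two rows (every user) for the injection string; against the hardened handler it reports nothing, which is the check a developer can keep in the test suite after the fix.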
QUESTIONS