Thick Application Penetration Test
CRASH COURSE v1.0
Author: Scott Sutherland
Who am I?
Scott Sutherland
Principal Security Consultant
• Penetration Testing
‒ Networks
‒ Web apps / services
‒ Thick apps
• Community Stuff
‒ Researcher
‒ Blogger
‒ Tool smith (or smithy if you like)
‒ Twitter stalker: @_nullbind
What are we going to talk about?
• Why should you care
• Testing Goal and Objectives
• Project Scoping
• Common Architectures
• Accessing the Application
• Testing Requirements
• Application Walkthrough
• Managed vs. Unmanaged
• Testing the Application
• Vulnerability Categories
• Reporting
Why am I talking about this?
Thick applications create unique risks that web applications don't.
Why am I talking about this?
Users often have full control over the application environment, which:
‒ Allows attacks on trusted components
‒ Exposes data and admin/hidden functions
‒ Leads to application and OS privilege escalation
Why am I talking about this?
Thick applications are the new web applications.
Why am I talking about this?
Publishing thick applications via Terminal Services and Citrix: Good Stuff
‒ Helps meet client demand for “cloud services”
‒ Converts the client/server model to a SaaS model
‒ Cheaper/faster than developing an actual web-based solution from scratch
Why am I talking about this?
Publishing thick applications via Terminal Services and Citrix: Bad Stuff
‒ Very hard to secure published desktops/applications
‒ Commonly results in direct database access
‒ Often exposes the internal networks of the service provider
Testing Goal & Objectives
Goal:
Determine what risks the application implementation presents to the business so they can be mitigated.
Objectives:
Identify vulnerabilities that may exist in:
‒ The client application and server components
‒ The workstation or published application configuration
‒ The server or network configuration
Scoping Projects
Estimate effort:
‒ Number of forms
‒ Number of files
‒ Number of registry keys
‒ Number of user levels
‒ Application architecture
‒ Application technology
‒ Constraints
‒ Environment
Generally…
‒ More stuff = more time
‒ More complexity = more time
Common Architectures
Desktop Client -> Remote Database
‒ Usually the entire implementation is on the internal network
Desktop Client -> Local DB -> Remote Database
‒ The local DB typically syncs with the remote DB
‒ Usually the client and local DB are on the internal network; the remote DB is hosted by a service provider
Desktop Client -> Application Server -> Database
‒ Usually the client is on the internal network and the app/DB server is hosted by a service provider
‒ Common technologies: Web Services, Web Applications, JBoss, and IBM WebSphere
Common Architectures
Terminal Services Application
‒ RDP -> Terminal Server -> Published app
‒ Website -> RDP -> Terminal Server -> Published app
Citrix Application
‒ Citrix client -> Terminal Server -> Published app
‒ Website -> Citrix client -> Published app
Thin Application
‒ VMware application
‒ Hyper-V application
Accessing the Application
• Install locally, and test over VPN
• Install locally, and test over the internet
• Test over VPN, RDP to a client system, and install the tool sets for testing
• VPN + Terminal Services (TS)
• Web based TS
• VPN + Citrix Client
• Web based Citrix
• Run from network share
Testing Requirements
Minimum Requirements:
• 2 application credentials for each role
• Application Access
Potential Requirements:
• VPN access
• Local administrator on the client test system
• Internet endpoints
• Installation package
Application Walkthrough
• Verify connectivity to application
• Verify all credentials
• Walk through common use cases
• Identify potential areas of client concern
• Better understand the application architecture
Application Targets
UNMANAGED CODE APPLICATIONS
and
MANAGED CODE APPLICATIONS
UNMANAGED CODE APPLICATIONS
• General Information
‒ C and C++ (“unmanaged” or “native” languages)
‒ Compiled to machine code
‒ Include exportable functions
• Pros
‒ Typically run faster due to precompiled code
‒ Can’t be easily decompiled to the original source code
• Cons
‒ Architecture specific
‒ Disassembly and reassembly is still possible
‒ API hooking is still possible
MANAGED CODE APPLICATIONS
• General Information
‒ Frameworks: .NET (C#, VB), Java Runtime, Dalvik
‒ Compiled to bytecode
‒ Usually does not include exportable functions
‒ Uses reflection to share public functions
• Pros
‒ Architecture independent
‒ Can be coded in different languages
‒ Can access unmanaged/native code
• Cons
‒ Slower due to Just-in-Time (JIT) compilation
‒ Disassembly and reassembly of CIL code is still possible
‒ Decompiling via reflection is still possible
‒ Global Assembly Cache (GAC) poisoning is possible
‒ API hooking is still possible
Attack Vectors
The usual suspects:
• Network traffic
• Application memory
• Configurations
• Application GUI
• Files and folders
• Windows registry
Application Test Plan
Create a test plan and follow it…
• Address high-priority test cases identified by clients and business owners first
• Testing can be broken out by vector:
‒ GUI Review
‒ File Review
‒ Registry Review
‒ Network Review
‒ Memory Review
‒ Configuration Review
How far do we take this?
Stay in scope!
• That means only networks, servers, and applications defined by the client
• On in scope systems:
‒ Application admin = yes
‒ Database user = yes
‒ Database admin = yes
‒ Local OS admin = yes
‒ Remote OS admin = yes
‒ Domain Admin = yes (if logged into the system)
…then no more escalation
Testing the Servers
• Automated authenticated scanning
‒ Multiple tools
‒ Multiple rounds
• Manual testing using a standardized penetration test approach
‒ Information Gathering
‒ Vulnerability Enumeration
‒ Penetration
‒ Escalation
‒ Evidence Gathering
‒ Clean up
Testing the Application: GUI
• GUI object privileges
‒ Show hidden form objects
‒ Enable disabled functionality
‒ Reveal masked passwords (GUI B GONE)
• GUI content
‒ Review for sensitive data and passwords
• GUI logic
‒ Bypass controls using intended GUI functionality
Common Examples:
‒ SQL query windows
‒ Access control fields
‒ Export functions that allow more access to data
‒ Breaking out of Citrix and Terminal Server applications
‒ External program execution
Testing the Application: GUI
Tool: Description
UISpy: Enable disabled functions, and call actions related to disabled functions.
WinCheat: Show hidden objects, enable disabled objects, execute functions, and generally manipulate remote form objects.
Window Detective: View form object properties, including the value of masked password fields and masked card numbers.
Testing the Application: Files
• File permissions
‒ Files and folders
• File integrity
‒ Strong naming, Authenticode signing
• File content
‒ Debugging symbols/files, sensitive data, passwords, and settings
• File and content manipulation
‒ Backdoor the framework
‒ DLL preloading
‒ Race conditions
‒ Replacing files and content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords and Private keys
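An added example, not part of the original deck: a PowerShell audit of an install directory that reports, for every EXE and DLL, the file-level properties the slide above lists, namely Authenticode status, strong naming for managed assemblies, and whether a low-privileged principal can overwrite the file or its folder. The install path and the principal list are assumptions; adjust them to the product under test.

```powershell
# Added example, not from the slides. Audits an application directory for
# low-privilege write access, unsigned code, and managed assemblies that
# are not strong-named. Assumption: $AppDir is a placeholder install path.
param(
    [string]$AppDir = 'C:\Program Files\ExampleThickApp'   # placeholder
)

# Principals that should never be able to replace application code.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

# Returns the first low-privileged identity holding a write-capable Allow ACE, or $null.
function Test-LowPrivWritable {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

# Native binaries raise BadImageFormatException; managed ones expose a public key token.
function Get-StrongNameStatus {
    param([string]$Path)
    try {
        $token = [System.Reflection.AssemblyName]::GetAssemblyName($Path).GetPublicKeyToken()
        if ($token -and $token.Length -gt 0) { return 'managed, strong-named' }
        return 'managed, not strong-named'
    } catch [System.BadImageFormatException] {
        return 'native'
    } catch {
        return 'unreadable'
    }
}

$report = foreach ($file in Get-ChildItem -LiteralPath $AppDir -Recurse -File -Include *.exe, *.dll) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        File         = $file.FullName
        Authenticode = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        StrongName   = Get-StrongNameStatus -Path $file.FullName
        FileWritable = Test-LowPrivWritable -Path $file.FullName
        DirWritable  = Test-LowPrivWritable -Path $file.DirectoryName
    }
}

# Every row left after this filter is a candidate finding: code a standard
# user can replace, or code whose origin cannot be verified at load time.
$report | Where-Object {
    $_.Authenticode -ne 'Valid' -or
    $_.StrongName -eq 'managed, not strong-named' -or
    $_.FileWritable -or $_.DirWritable
} | Format-Table -AutoSize
```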
Testing the Application: Files
• Exported functions (usually native code)
‒ Identify and run exported functions without authenticating
• Public methods (managed code reflection)
‒ Create a wrapper to access public methods without authenticating
• Decompile and recompile
‒ Recover source code, passwords, and keys, and create a patched assembly
• Decrypt and deobfuscate
‒ Recover source code, passwords, keys, etc.
• Disassemble and reassemble
‒ Create a patched assembly
Testing the Application: Files
Tool: Description
AccessEnum, Privesc, autoruns, schtasks: Dump file, registry, and service permissions. Also review scheduled tasks for excessive privileges and writable script locations.
.NET Reflector, Reflexil, ildasm, ILSpy, Graywolf, JD (Java decompiler), Java bytecode editor, Metasm, CFF Explorer: Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to identify vulnerabilities, and review for sensitive data such as passwords, private keys, and proprietary algorithms.
Reflexil (.NET Reflector plugin), Graywolf: Deobfuscate decompiled assemblies.
CFF Explorer, dllexp: Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, disassemble the binary, and fingerprint the language.
Metasploit: msfpayload, msfencode, and msfvenom can be used to generate shellcode, DLL, and EXE payloads for injection and side loading. Metasploit also ships with the Metasm Ruby library, which can be used to disassemble and compile binaries.
Process Explorer: View image file settings, process, connections, threads, permissions, strings from the process, and environment variables.
Process Hacker 2: View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from the process, and environment variables.
Process Monitor, API Monitor: Monitor calls to files, registry keys, and sockets. API Monitor does what it sounds like.
Spider2008: Search the file system for interesting strings with regular expressions.
Strings: Dump strings from files.
Symantec EPP: Scan all files for known malware.
PE Explorer: Detect compiler or packer type and version.
UPX, MPRESS, IExpress, 7-Zip: Decompress/unpack binaries and other files.
Visual Studio, ilasm, Metasm, WinHex: Edit exported .NET Reflector projects, IL, or assembly and create patched executables.
Testing the Application: Registry
• Registry permissions
‒ Read and write access to registry keys
• Registry content
‒ Sensitive data, passwords, and settings
• Registry manipulation
‒ Bypass authentication and authorization
‒ Replace content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
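An added example, not part of the original deck: a Regshot-style before/after diff of the application's registry keys in PowerShell that also flags value names which usually carry secrets, which is the working method behind the registry content and manipulation bullets above. The vendor key paths are placeholders; replace them with the keys the product under test actually uses.

```powershell
# Added example, not from the slides. Snapshots the application's registry
# keys, lets the tester exercise the app, and diffs the result so that new
# settings and credential-looking values stand out.
# Assumption: $Roots are placeholder vendor keys.
$Roots = @('HKCU:\Software\ExampleVendor', 'HKLM:\SOFTWARE\ExampleVendor')   # placeholders
$SecretNamePattern = 'pass|pwd|secret|token|apikey|connection|credential|private'

# Flattens every value under the roots into "keypath\valuename" -> "kind=data".
function Get-RegistrySnapshot {
    param([string[]]$Paths)
    $snap = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]])   { $data = [BitConverter]::ToString($data) }  # keep binary diffable
                if ($data -is [string[]]) { $data = $data -join '|' }
                $snap["$($key.Name)\$name"] = "$kind=$data"
            }
        }
    }
    return $snap
}

# Emits one row per added, removed, or changed value.
function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $allKeys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $allKeys) {
        $inBefore = $Before.ContainsKey($k)
        $inAfter  = $After.ContainsKey($k)
        if ($inBefore -and $inAfter -and $Before[$k] -eq $After[$k]) { continue }
        $change = if (-not $inBefore) { 'Added' } elseif (-not $inAfter) { 'Removed' } else { 'Changed' }
        [pscustomobject]@{
            Change      = $change
            Value       = $k
            Data        = if ($inAfter) { $After[$k] } else { $Before[$k] }
            LooksSecret = [bool]($k.Split('\')[-1] -match $SecretNamePattern)
        }
    }
}

$before = Get-RegistrySnapshot -Paths $Roots
Read-Host 'Log in and exercise the feature under test, then press Enter' | Out-Null
$after = Get-RegistrySnapshot -Paths $Roots
Compare-RegistrySnapshot -Before $before -After $after |
    Sort-Object LooksSecret, Change -Descending |
    Format-Table -AutoSize
```

Values flagged LooksSecret are the ones to inspect for cleartext credentials, and a second run with the tester's own edits in place shows which keys the application trusts without validation.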
Testing the Application: Registry
Tools:
Tool: Description
AccessEnum: Dump file and registry permissions.
Regedit: Back up, review, and edit the registry.
Regshot: Registry diffing tool.
Process Monitor: Monitors calls to files, registry keys, and sockets.
Testing the Application: Network
• Network rules
‒ Local and network firewall rules
• Network content
‒ Sensitive data, files, passwords, and settings
• Network manipulation
‒ Bypass authentication and authorization (SQL)
‒ Replacing content (parameters)
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
• Reverse and Fuzz Proprietary Protocols
Testing the Application: Network
Tool: Description
Cain: Can be used for ARP-based man-in-the-middle attacks. Can be used to parse passwords from live traffic or a pcap file.
Burp: Can be used to manipulate HTTP traffic.
Metasploit: Create custom fuzzers for RPC protocols.
Sulley: Create custom fuzzing templates.
Echo Mirage: Generic TCP proxy.
Ettercap: Can be used for man-in-the-middle attacks. Can be used to modify traffic in transit with filters.
Evilgrade, Intercepter-NG: Tools for delivering Metasploit payloads instead of legitimate updates.
NetworkMiner: Parse network traffic for files, systems, and shares.
oSpy, API Monitor 2: Dump data such as the plaintext of encrypted SSL traffic and connection strings as the DLL calls are made.
SoapUI: Can be used to interact directly with web services, and is often used with Burp.
WebInspect Service Attack Tool: Generic web service review.
Wireshark, WinDump, tcpdump, RawCap: Dump all network traffic. RawCap is the bomb.
Testing the Application: Memory
• Process controls
‒ DEP, ASLR, permissions, and privileges
• Memory content
‒ Sensitive data, passwords, and settings
• Memory manipulation
‒ Bypass authentication and authorization
‒ Replacing content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
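An added example, not part of the original deck: a PowerShell function that reads a binary's PE optional header to report the compile-time process controls named above (DEP, ASLR, high-entropy ASLR, CFG, forced integrity) and whether the image is a managed CLR assembly, which decides whether the managed-code or the native-code review path applies. The install path at the bottom is a placeholder.

```powershell
# Added example, not from the slides. Parses the PE header directly so the
# check works on files that are not running yet. Offsets follow the PE/COFF
# specification; the scan path at the bottom is a placeholder.
function Get-PeSecurityFlags {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {    # "PE\0\0"
        throw "$Path has no PE signature"
    }
    $coff     = $pe + 4
    $machine  = [BitConverter]::ToUInt16($b, $coff)
    $opt      = $coff + 20                                     # optional header
    $magic    = [BitConverter]::ToUInt16($b, $opt)
    $pe32Plus = ($magic -eq 0x20B)

    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    $dllChars = [BitConverter]::ToUInt16($b, $opt + 70)

    # Data directory 14 is the CLR runtime header; a non-zero entry means managed code.
    $numDirs = [BitConverter]::ToUInt32($b, $opt + $(if ($pe32Plus) { 108 } else { 92 }))
    $dirBase = $opt + $(if ($pe32Plus) { 112 } else { 96 })
    $managed = $false
    if ($numDirs -gt 14) {
        $clrRva  = [BitConverter]::ToUInt32($b, $dirBase + 14 * 8)
        $clrSize = [BitConverter]::ToUInt32($b, $dirBase + 14 * 8 + 4)
        $managed = ($clrRva -ne 0 -and $clrSize -ne 0)
    }

    [pscustomobject]@{
        File           = Split-Path -Leaf $Path
        Arch           = switch ($machine) { 0x14C { 'x86' } 0x8664 { 'x64' } 0xAA64 { 'ARM64' } default { '0x{0:X4}' -f $machine } }
        Managed        = $managed
        DEP            = [bool]($dllChars -band 0x0100)   # NX_COMPAT
        ASLR           = [bool]($dllChars -band 0x0040)   # DYNAMIC_BASE
        HighEntropyVA  = [bool]($dllChars -band 0x0020)   # 64-bit ASLR entropy
        CFG            = [bool]($dllChars -band 0x4000)   # GUARD_CF
        ForceIntegrity = [bool]($dllChars -band 0x0080)   # signature enforced at load
    }
}

# Rows with DEP or ASLR set to False are worth raising as weak process controls;
# Managed = True tells you the reflection-based review applies to that file.
Get-ChildItem -LiteralPath 'C:\Program Files\ExampleThickApp' -Recurse -File -Include *.exe, *.dll |   # placeholder
    ForEach-Object { Get-PeSecurityFlags -Path $_.FullName } |
    Format-Table -AutoSize
```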
Testing the Application: Memory
Run-time Modifications
• Direct editing
• DLL injection
• Shell code Injection
• Process replacement
• Modify assembly in memory
• Identification of dangerous functions
• Check if debugger can be run
• Debugging via stepping and breakpoints to analyze and modify
Testing the Application: Memory
Tool: Description
Metasploit: Can be used to generate shellcode, EXE, and DLL payloads. Can also be used to migrate into a running process.
Process Explorer: View image file settings, process, connections, threads, permissions, strings from the process, and environment variables.
Process Hacker 2: View image file settings, DEP/ASLR settings, connections, threads, permissions, and environment variables; inject a DLL.
RemoteDLL: Can be used to inject a DLL into a process.
TSearch: Can be used to quickly find and replace strings in memory.
Immunity Debugger, OllyDbg, WinDbg, and IDA (debuggers): Can be used to step through the application and modify assembly instructions on the fly.
WinHex: Can be used to quickly find and replace strings in memory.
Userdump: Dump memory from a process.
Testing the Application: Configurations
• Application user privileges
• Service account privileges
• Service configuration privileges
• Service registration
• Database account privileges
• Remote share permissions
• TS breakouts to OS
• Citrix breakouts to OS
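An added example, not part of the original deck: a PowerShell review of the services an application registers, covering the service registration, service account, and configuration privilege items above by reporting unquoted binary paths, the account each service runs as, and whether a standard user can write to the service binary or its directory. The service name pattern is a placeholder.

```powershell
# Added example, not from the slides. Lists an application's services with
# the registration details a reviewer checks by hand in services.msc.
# Assumption: $ServicePattern is a placeholder for the product's service names.
param(
    [string]$ServicePattern = 'ExampleThickApp*'   # placeholder
)

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

# Pulls the executable out of the service command line, which may be quoted,
# unquoted, or followed by arguments.
function Get-ServiceBinary {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

# Comma-separated low-privileged principals with write-capable Allow ACEs on a path.
function Get-LowPrivWriters {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $writers = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteRights) -ne 0)
    } | ForEach-Object { $_.IdentityReference.Value }
    return ($writers -join ', ')
}

Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$($ServicePattern -replace '\*', '%')'" |
    ForEach-Object {
        $binary = Get-ServiceBinary -PathName $_.PathName
        # An unquoted path with spaces is resolved piecewise by the service
        # control manager, so a writable parent directory becomes a code path.
        $unquoted = ($_.PathName -notmatch '^\s*"') -and ($binary -match '\s')
        [pscustomobject]@{
            Service       = $_.Name
            StartMode     = $_.StartMode
            Account       = $_.StartName     # LocalSystem, NT AUTHORITY\..., or a named user
            Binary        = $binary
            UnquotedPath  = [bool]$unquoted
            BinaryWriters = if ($binary) { Get-LowPrivWriters -Path $binary } else { $null }
            DirWriters    = if ($binary) { Get-LowPrivWriters -Path (Split-Path -Parent $binary) } else { $null }
        }
    } | Format-Table -AutoSize
```

A service running as LocalSystem whose binary or directory shows up in BinaryWriters or DirWriters, or whose UnquotedPath is True, is the excessive-privilege finding the slide's categories describe.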
Testing the Application: Configurations
Tool: Description
windows-privesc-check: Check privileges on servers and associated program directories, and manually check for insecurely registered services.
Citrix Client: Used to connect to Citrix applications.
Data Source (ODBC) Administrative Tool: Look for existing ODBC connections and use tools like Excel to leverage them.
Services.msc, windows-privesc-check: Review application services for insecure registration and binary paths, and determine which user each service runs as.
SQL clients: Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RazorSQL, TOAD, and Microsoft SQL Server Management Studio Express.
Windows Explorer and common dialog boxes: Access Windows dialog boxes to obtain a cmd console or PowerShell. Target links, shortcuts, open-file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
Vulnerability Categories
1. Application Logic
2. Code Injection
3. Excessive Privileges
4. Unencrypted Storage of Sensitive Data
5. Unencrypted Transmission of Sensitive Data
6. Weak Encryption Implementations
7. Weak Assembly Controls
8. Weak GUI Controls
9. Weak or Default Passwords
Reporting Stuff
• Create a severity ranking system based on static criteria
• Internally, criteria should take compensating controls into consideration
• Prioritize findings based on the ranking system
• Include instructions or screenshots to help reproduce and fix issues
• Don’t forget recommendations
Wrap Up
• General Summary
‒ Attack thick applications and related infrastructure from many vectors using many tools
‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack
• General Advice
‒ Never store sensitive anything in an assembly
‒ If something sensitive “must” be stored in an assembly, use unmanaged languages like C and C++
‒ Be very careful to implement sufficient controls when deploying thick applications via Terminal Services or Citrix
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Thick Application Penetration Testing - A Crash Course

1. Thick Application Penetration Test
CRASH COURSE v1.0
Author: Scott Sutherland

2. Who am I?
Scott Sutherland
Principal Security Consultant
• Penetration Testing
‒ Networks
‒ Web apps / services
‒ Thick apps
• Community Stuff
‒ Researcher
‒ Blogger
‒ Tool smith (or smithy if you like)
‒ Twitter stalker: @_nullbind

3. What are we going to talk about?
• Why should you care
• Testing Goal and Objectives
• Project Scoping
• Common Architectures
• Accessing the Application
• Testing Requirements
• Application Walkthrough
• Managed vs. Unmanaged
• Testing the Application
• Vulnerability Categories
• Reporting

4. Why am I talking about this?
Thick applications create unique risks that web applications don't.

5. Why am I talking about this?
Users often have full control over the application environment, which:
‒ Allows attacks on trusted components
‒ Exposes data and admin/hidden functions
‒ Leads to application and OS privilege escalation

6. Why am I talking about this?
Thick applications are the new web applications.

7. Why am I talking about this?
Publishing thick applications via Terminal Services and Citrix: Good Stuff
‒ Helps meet client demand for “cloud services”
‒ Converts the client/server model to a SaaS model
‒ Cheaper/faster than developing an actual web based solution from scratch

8. Why am I talking about this?
Publishing thick applications via Terminal Services and Citrix: Bad Stuff
‒ Very hard to secure published desktops/applications
‒ Commonly results in direct database access
‒ Often exposes the internal networks of the service provider

9. Testing Goal & Objectives
Goal:
Determine what risks the application implementation presents to the business so they can be mitigated.
Objectives:
Identify vulnerabilities that may exist in:
‒ The client application and server components
‒ The workstation or published application configuration
‒ The server or network configuration

10. Scoping Projects
Estimate effort:
‒ Number of forms
‒ Number of files
‒ Number of registry keys
‒ Number of user levels
‒ Application architecture
‒ Application technology
‒ Constraints
‒ Environment
Generally…
‒ More stuff = more time
‒ More complexity = more time

11. Common Architectures
Desktop Client → Remote Database
‒ Usually the entire implementation is on the internal network
Desktop Client → Local DB → Remote Database
‒ The local DB typically syncs with the remote DB
‒ Usually the client and local DB are on the internal network and the remote DB is hosted by the service provider
Desktop Client → Application Server → Database
‒ Usually the client is on the internal network and the app/DB server is hosted by the service provider
‒ Common technologies: Web Services, Web Applications, JBoss, and IBM WebSphere

12. Common Architectures
Terminal Services Application
‒ RDP → Terminal Server → Published app
‒ Website → RDP → Terminal Server → Published app
Citrix Application
‒ Citrix client → Terminal Server → Published app
‒ Website → Citrix client → Published app
Thin Application
‒ VMware application
‒ Hyper-V application

13. Accessing the Application
• Install locally, and test over VPN
• Install locally, and test over the internet
• Test over VPN, RDP to a client system, and install the tool sets for testing
• VPN + Terminal Services (TS)
• Web based TS
• VPN + Citrix Client
• Web based Citrix
• Run from a network share

14. Testing Requirements
Minimum Requirements:
• 2 application credentials for each role
• Application access
Potential Requirements:
• VPN access
• Local administrator on the client test system
• Internet endpoints
• Installation package

15. Application Walkthrough
• Verify connectivity to the application
• Verify all credentials
• Walk through common use cases
• Identify potential areas of client concern
• Better understand the application architecture

16. Application Targets
UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS

17. UNMANAGED CODE APPLICATIONS
• General Information
‒ C and C++ (“unmanaged” or “native” languages)
‒ Compiled to machine code
‒ Include exportable functions
• Pros
‒ Typically run faster due to pre-compiled code
‒ Can’t be easily decompiled to the original source code
• Cons
‒ Architecture specific
‒ Disassembly and reassembly is still possible
‒ API hooking is still possible

18. MANAGED CODE APPLICATIONS
• General Information
‒ Frameworks: .NET (C#, VB), Java Runtime, Dalvik
‒ Compiled to bytecode
‒ Usually does not include exportable functions
‒ Uses reflection to share public functions
• Pros
‒ Architecture independent
‒ Can be coded in different languages
‒ Can access unmanaged/native code
• Cons
‒ Slower due to Just in Time (JIT) compiling
‒ Disassembly and reassembly of CIL code is still possible
‒ Decompiling via reflection is still possible
‒ Global Assembly Cache (GAC) poisoning is possible
‒ API hooking is still possible

19. Attack Vectors
The usual suspects:
• Network traffic
• Application memory
• Configurations
• Application GUI
• Files and folders
• Windows registry

20. Application Test Plan
Create a test plan and follow it…
• Address high priority test cases identified by clients and business owners first
• Testing can be broken out by vector:
‒ GUI Review
‒ File Review
‒ Registry Review
‒ Network Review
‒ Memory Review
‒ Configuration Review

21. How far do we take this?
Stay in scope!
• That means only networks, servers, and applications defined by the client
• On in-scope systems:
‒ Application admin = yes
‒ Database user = yes
‒ Database admin = yes
‒ Local OS admin = yes
‒ Remote OS admin = yes
‒ Domain Admin = yes (IF logged into the system)
…then no more escalation

22. Testing the Servers
• Automated authenticated scanning
‒ Multiple tools
‒ Multiple rounds
• Manual testing using a standardized penetration test approach
‒ Information Gathering
‒ Vulnerability Enumeration
‒ Penetration
‒ Escalation
‒ Evidence Gathering
‒ Clean up

23. Testing the Application: GUI
• GUI object privileges
‒ Show hidden form objects
‒ Enable disabled functionality
‒ Reveal masked passwords (GUI B GONE)
• GUI content
‒ Review for sensitive data and passwords
• GUI logic
‒ Bypass controls using intended GUI functionality
Common Examples:
‒ SQL query windows
‒ Access control fields
‒ Export functions that allow more access to data
‒ Break out of Citrix and Terminal Server applications
‒ External program execution

24. Testing the Application: GUI
Tools:
‒ UISpy: Enable disabled functions, and call actions related to disabled functions.
‒ WinCheat: Show hidden objects, enable disabled objects, execute functions, and generally manipulate remote form objects.
‒ Window Detective: View form object properties, including the value of masked password fields and masked card numbers.

25. Testing the Application: Files
• File permissions
‒ Files and folders
• File integrity
‒ Strong naming, Authenticode signing
• File content
‒ Debugging symbols/files, sensitive data, passwords, and settings
• File and content manipulation
‒ Backdoor the framework
‒ DLL pre-loading
‒ Race conditions
‒ Replacing files and content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords and private keys

26. Testing the Application: Files
• Exported Functions (usually native code)
‒ Identify and run exported functions without authenticating
• Public Methods (managed code reflection)
‒ Create a wrapper to access public methods without authenticating
• Decompile and Recompile
‒ Recover source code, passwords, and keys, and create a patched assembly
• Decrypt and Deobfuscate
‒ Recover source code, passwords, keys, etc.
• Disassemble and Reassemble
‒ Create a patched assembly

27. Testing the Application: Files
Tools:
‒ AccessEnum, Privesc, autoruns, schtasks: Dump file, registry, and service permissions. Also review scheduled tasks for excessive privileges and writable script locations.
‒ .NET Reflector, Reflexil, ildasm, ILSpy, Graywolf, JD Java decompiler, Java bytecode editor, Metasm, CFF Explorer: Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to identify vulnerabilities, and review for sensitive data such as passwords, private keys, and proprietary algorithms.
‒ Reflexil (.NET Reflector plugin), Graywolf: Deobfuscate decompiled assemblies.
‒ CFF Explorer, dllexp: Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, disassemble binaries, and fingerprint the language.
‒ Metasploit: MSFpayload, MSFencode, and MSFVenom can be used to generate shellcode, DLL, and EXE payloads for injection and side loading. It also ships with the Metasm Ruby library, which can be used to disassemble and compile binaries.
‒ Process Explorer: View image file settings, processes, connections, threads, permissions, strings from process memory, and environment variables.
‒ Process Hacker 2: View DEP/ASLR settings, image file settings, processes, connections, threads, permissions, strings from process memory, and environment variables.
‒ Process Monitor, API Monitor: Monitor calls to files, registry keys, and sockets. API Monitor does what it sounds like.
‒ Spider2008: Search the file system for interesting strings with regular expressions.
‒ Strings: Dump strings from files.
‒ Symantec EPP: Scan all files for known malware.
‒ PE Explorer: Detect compiler or packer type and version.
‒ UPX, MPRESS, IExpress, 7zip: Decompress/unpack binaries and other files.
‒ Visual Studio, ilasm, Metasm, WinHex: Edit exported .NET Reflector projects, IL, or assembly and create patched executables.
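One way to inventory the file integrity controls named on slide 25 (Authenticode signing and strong naming) across an install directory, as an added PowerShell example that is not part of the original deck. The path is a placeholder supplied by the caller; the strong-name check only confirms that a public key token is present, it does not verify the signature. Requires PowerShell 3 or later.

```powershell
# Added example, not from the slides: report Authenticode and strong-name status
# for every EXE/DLL under an application directory. Unsigned, tampered or
# unnamed components are the ones a file-replacement or DLL pre-loading
# finding would point at, so they belong in the report.
function Get-BinaryIntegrityReport {
    param([Parameter(Mandatory = $true)][string]$Path)  # placeholder path supplied by the caller

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $file = $_

            # Authenticode: Status is Valid, NotSigned, HashMismatch (file changed
            # after signing), UnknownError (chain not trusted on this machine), ...
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

            # Strong name: only managed assemblies expose an AssemblyName; native PE
            # files throw and are reported as not managed. A public key token only
            # proves the assembly names a key (delay-signed builds have one too);
            # full verification needs sn.exe -vf from the Windows SDK.
            $managed = $false
            $strongNamed = $false
            try {
                $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName)
                $managed = $true
                $strongNamed = ($asmName.GetPublicKeyToken().Length -gt 0)
            } catch {
                # BadImageFormatException / FileLoadException: native binary or unloadable image
            }

            [PSCustomObject]@{
                File        = $file.FullName
                Signature   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Managed     = $managed
                StrongNamed = $strongNamed
            }
        }
}

# Usage (placeholder path): keep only the components that would become findings.
# Get-BinaryIntegrityReport -Path 'C:\Program Files\ExampleApp' |
#     Where-Object { $_.Signature -ne 'Valid' -or ($_.Managed -and -not $_.StrongNamed) } |
#     Format-Table -AutoSize
```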
28. Testing the Application: Registry
• Registry permissions
‒ Read and write access to registry keys
• Registry content
‒ Sensitive data, passwords, and settings
• Registry manipulation
‒ Bypass authentication and authorization
‒ Replace content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys

29. Testing the Application: Registry
Tools:
‒ AccessEnum: Dump file and registry permissions.
‒ Regedit: Backup, review, and edit the registry.
‒ Regshot: Registry diffing tool.
‒ Process Monitor: Monitors calls to files, registry keys, and sockets.
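A single check that covers the file permission item on slide 25, the registry permission item on slide 28 and the service binary paths on slide 36, as an added PowerShell example that is not part of the original deck (AccessEnum does the same interactively). The root paths are placeholders, and the principal list and write masks are this example's own choices. Requires PowerShell 3 or later.

```powershell
# Added example, not from the slides: list files, folders, service binaries and
# registry keys that low-privileged principals may modify. A writable trusted
# path, update-server setting or service binary is a privilege-escalation finding.

# Principals that should never hold write rights on trusted application components.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Inherited ACEs often carry generic rights (GENERIC_WRITE 0x40000000, GENERIC_ALL
# 0x10000000) instead of named ones; comparing only named rights misses them.
$GenericWriteBits = 0x40000000 -bor 0x10000000
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl' -bor $GenericWriteBits
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl' -bor $GenericWriteBits

function Test-WeakAce {
    param($Ace, [int]$WriteMask)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPrivPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $rights = if ($Ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
        [int]$Ace.FileSystemRights } else { [int]$Ace.RegistryRights }
    return (($rights -band $WriteMask) -ne 0)
}

function Get-ServiceBinaryPaths {
    # Service binaries are trusted executables too; PathName may be quoted or carry arguments.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p) { return }
        if ($p.StartsWith('"')) { $p.Split('"')[1] }   # "C:\Some Dir\svc.exe" -args
        else { $p.Split(' ')[0] }                        # C:\Dir\svc.exe -args (unquoted path with spaces is itself a finding)
    } | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
}

function Find-WeakAcl {
    param([string[]]$FilePaths = @(), [string[]]$RegistryPaths = @())

    foreach ($root in $FilePaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root -Force)
        if ($items[0].PSIsContainer) {
            $items += @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        }
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if (Test-WeakAce $ace $FileWriteMask) {
                    [PSCustomObject]@{ Kind = 'File'; Path = $item.FullName
                                       Principal = $ace.IdentityReference.Value; Rights = "$($ace.FileSystemRights)" }
                }
            }
        }
    }
    foreach ($root in $RegistryPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if (Test-WeakAce $ace $RegWriteMask) {
                    [PSCustomObject]@{ Kind = 'Registry'; Path = $key.Name
                                       Principal = $ace.IdentityReference.Value; Rights = "$($ace.RegistryRights)" }
                }
            }
        }
    }
}

# Usage (placeholder paths): the install directory, every service binary, and the app's hive.
# Find-WeakAcl -FilePaths (@('C:\Program Files\ExampleApp') + @(Get-ServiceBinaryPaths)) `
#              -RegistryPaths @('HKLM:\SOFTWARE\ExampleApp') | Format-Table -AutoSize
```

Run it from the same low-privileged account the application runs under so that the report reflects what that user, not an administrator, can actually change.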
30. Testing the Application: Network
• Network rules
‒ Local and network firewall rules
• Network content
‒ Sensitive data, files, passwords, and settings
• Network manipulation
‒ Bypass authentication and authorization (SQL)
‒ Replacing content (parameters)
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
• Reverse and fuzz proprietary protocols

31. Testing the Application: Network
Tools:
‒ Cain: Can be used for ARP based man-in-the-middle attacks. Can be used to parse passwords from live traffic or a pcap file.
‒ Burp: Can be used to manipulate HTTP traffic.
‒ Metasploit: Create custom fuzzers for RPC protocols.
‒ Sulley: Create custom fuzzing templates.
‒ Echo Mirage: Generic TCP proxy.
‒ Ettercap: Can be used for man-in-the-middle attacks. Can be used to modify traffic in transit with filters.
‒ Evilgrade, Intercepter-NG: Tools for delivering Metasploit payloads instead of legitimate updates.
‒ Network Miner: Parse network traffic for files, systems, and shares.
‒ oSpy, API Monitor 2: Dump data such as encrypted SSL traffic and connection strings when DLL calls are made.
‒ SoapUI: Can be used to interact directly with web services, and is often used with Burp.
‒ WebInspect Service Attack Tool: Generic web service review.
‒ Wireshark, windump, tcpdump, RawCap: Dump all network traffic. RawCap is the bomb.

32. Testing the Application: Memory
• Process controls
‒ DEP, ASLR, permissions, and privileges
• Memory content
‒ Sensitive data, passwords, and settings
• Memory manipulation
‒ Bypass authentication and authorization
‒ Replacing content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys

33. Testing the Application: Memory
Run-time modifications
• Direct editing
• DLL injection
• Shellcode injection
• Process replacement
• Modify assembly in memory
• Identification of dangerous functions
• Check if a debugger can be run
• Debugging via stepping and breakpoints to analyze and modify

34. Testing the Application: Memory
Tools:
‒ Metasploit: Can be used to generate shellcode, EXE, and DLL payloads. Can also be used to migrate into a running process.
‒ Process Explorer: View image file settings, processes, connections, threads, permissions, strings from process memory, and environment variables.
‒ Process Hacker 2: View image file settings, DEP/ASLR settings, connections, threads, permissions, and environment variables; inject a DLL.
‒ RemoteDLL: Can be used to inject a DLL into a process.
‒ Tsearch: Can be used to quickly find and replace strings in memory.
‒ Immunity, OllyDbg, WinDbg, and IDA debuggers: Can be used to step through the application and modify assembly instructions on the fly.
‒ WinHex: Can be used to quickly find and replace strings in memory.
‒ Userdump: Dump memory from a process.

35. Testing the Application: Configurations
• Application user privileges
• Service account privileges
• Service configuration privileges
• Service registration
• Database account privileges
• Remote share permissions
• TS breakouts to the OS
• Citrix breakouts to the OS

36. Testing the Application: Configurations
Tools:
‒ windows-privesc-check: Check privileges on servers and associated program directories, and manually check for insecurely registered services.
‒ Citrix Client: Used to connect to Citrix applications.
‒ Data Source (ODBC) Administrative Tool: Look for existing ODBC connections and use tools like Excel to leverage them.
‒ Services.msc, windows-privesc-check: Review application services for insecure registration and binary paths, and determine which user runs the service.
‒ SQL clients: Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RazorSQL, TOAD, and Microsoft SQL Management Studio Express.
‒ Windows Explorer and common dialog boxes: Use Windows dialog boxes to obtain access to a cmd console or PowerShell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.

37. Vulnerability Categories
1. Application Logic
2. Code Injection
3. Excessive Privileges
4. Unencrypted Storage of Sensitive Data
5. Unencrypted Transmission of Sensitive Data
6. Weak Encryption Implementations
7. Weak Assembly Controls
8. Weak GUI Controls
9. Weak or Default Passwords

38. Reporting Stuff
• Create a severity ranking system based on static criteria
• Internally, criteria should take compensating controls into consideration
• Prioritize findings based on the ranking system
• Include instructions or screenshots to help reproduce and fix issues
• Don’t forget recommendations

39. Wrap Up
• General Summary
‒ Attack thick applications and related infrastructure from many vectors using many tools
‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack
• General Advice
‒ Never store anything sensitive in an assembly
‒ If something sensitive “must” be stored in an assembly, use unmanaged coding languages like C and C++
‒ Be very careful to implement sufficient controls when deploying thick applications via Terminal Services or Citrix