VULNERABILITY ASSESSMENTS

THE ART AND SCIENCE OF VULNERABILITY ASSESSMENTS
(ISC)2 New York Metro

March 4, 2014

VIRTUE SECURITY

What we can’t always teach

• Component discovery
• Identifying data of value
• Subverting arithmetic
• Reversing algorithms

Principles of an Application Vulnerability Assessment

• Understanding business purpose
• Parameters are our control variables
• Understand who an attacker may be and develop appropriate threats.

Component Discovery

Request parameters and their components:
• Session Token
• Request Timestamp
• Page_num
• User_ID

Control Characters are Your Friend

0x00  NUL
0x01  SOH
0x02  STX
0x03  ETX
0x04  EOT
0x05  ENQ
0x08  BS
…

• Control characters are often poorly handled by compiled applications.
• Can be useful to identify or tamper with legacy systems.
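
The defensive counterpart of the slide above, as an added example that is not part of the original deck: a small checker that percent-decodes a request URL the way a server-side handler would and reports every control character it finds in the path or in any query value, so an input filter, WAF rule or log-review script can reject or flag requests such as http://example.com/%00 before they reach a back end that may mishandle them. It goes slightly beyond the slide by naming the whole C0 set (0x00–0x1F) plus DEL (0x7F), not only the seven characters listed; the sample URLs other than the slide's own are constructed.

```python
"""Detect C0 control characters hidden in request parameters.

Added example, not from the original slides. Percent-decodes a URL's path
and query values and reports every control character found, with the
offset and the conventional name (NUL, SOH, ...), so the request can be
rejected or logged before a legacy component sees it.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Conventional names for the C0 control characters 0x00..0x1F.
_C0_NAMES = [
    "NUL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL",
    "BS", "HT", "LF", "VT", "FF", "CR", "SO", "SI",
    "DLE", "DC1", "DC2", "DC3", "DC4", "NAK", "SYN", "ETB",
    "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US",
]


def control_char_name(code: int) -> str:
    """Name of a control character, or '?' for a non-control code point."""
    if code < 0x20:
        return _C0_NAMES[code]
    if code == 0x7F:
        return "DEL"
    return "?"


def find_control_chars(url: str) -> list:
    """Return (location, offset, hex, name) tuples for every control character
    in the decoded path or in any decoded query value of `url`."""
    parts = urlsplit(url)
    # Decode the path exactly as a server-side handler would before routing.
    candidates = [("path", unquote(parts.path))]
    # keep_blank_values so a parameter like 'user_id=' is still examined.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append((f"param:{name}", value))
    findings = []
    for location, text in candidates:
        for offset, ch in enumerate(text):
            code = ord(ch)
            if code < 0x20 or code == 0x7F:
                findings.append((location, offset, f"0x{code:02X}", control_char_name(code)))
    return findings


def is_clean(url: str) -> bool:
    """True when the request carries no control characters anywhere."""
    return not find_control_chars(url)


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL shown on the slide.
    for sample in ("http://example.com/%00",
                   "http://example.com/cart?page_num=4%08&user_id=7",
                   "http://example.com/cart?page_num=4&user_id=7"):
        print(sample, "->", find_control_chars(sample) or "clean")
```

Because `parse_qsl` and `unquote` decode percent-escapes, the check sees the byte the application will see (`%00` becomes a literal NUL), which is the point: filtering on the encoded text alone misses `%2500`-style double encoding only if the application decodes twice, so run the check at the same decoding depth as the handler.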

Component Discovery

Request parameters and their components, with the NUL control character placed in the URL:
URL: http://example.com/%00
• Request Timestamp
• Page_num
• User_ID

What is Useful to an Attacker?

• The obvious: usernames, passwords, session tokens, etc.
• The less obvious: order numbers, timestamps
• Anything that can be used to negatively impact business integrity.

Joe’s Banana Stand

• Vendor A notices an Ajax request used to confirm orders:
  order_confirmed.jsp?ordernumber=7567401102182014
  Responds TRUE / FALSE

Joe’s Banana Stand

• Vendor A learns the following:
  – 7567 (unknown)
  – 4011 (banana PLU code)
  – 02182014 (date)

APPLICATION ARITHMETIC

• Negative Values
  account_value += transfer_value;

  account_value = 1000 + 100;   // account_value = 1100
  account_value = 1000 + -100;  // account_value = 900

Integer overflows / wraparounds

32 bits:
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
+1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Signed range: −2,147,483,648 to +2,147,483,647
Unsigned range: 0 to 4,294,967,295

Decimal Values

System A (ten successive additions of 0.001 to 1000):
• 1000 + 0.001
• … (repeated ten times in total)
• 1000 + 0.001 = 1000.00

System B (ten successive additions of 0.001 to 1000):
• 1000 + 0.001
• … (repeated ten times in total)
• 1000 + 0.001 = 1000.01

Not All Numbers Are the Same

• Integers may be defined differently.
  – Limited capacity
  – Signed / unsigned
  – Varying support of decimals
• Applications may also handle numbers differently:
  – Order quantities with fractions
  – Transactions with fractions of cents
  – Negative values
  – Divide by zero
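
The three arithmetic slides above (negative values, 32-bit wraparound, and the System A / System B decimal drift) carried into working code, as an added example that is not from the original deck. `add32` reproduces the wraparound in Python's unbounded integers so the effect can be shown without C; `accumulate_float` and `accumulate_decimal` reproduce System A and System B; and `parse_transfer_amount` is the hardened input check a transfer endpoint should run before any arithmetic, rejecting negatives, fractions of a cent, non-finite values and anything over a limit. The transfer limit, the two-decimal currency format and the sample inputs are assumptions for the demo.

```python
"""Numeric failure modes from the arithmetic slides, and a hardened parser.

Added example, not from the original slides. The 10000.00 transfer limit
and the two-decimal-place currency rule are assumptions for this demo.
"""
from decimal import Decimal, InvalidOperation, ROUND_DOWN

INT32_MIN, INT32_MAX = -2_147_483_648, 2_147_483_647
UINT32_MAX = 4_294_967_295


def wrap32(value: int, signed: bool) -> int:
    """Reduce an unbounded Python int to what a 32-bit variable would hold."""
    value &= 0xFFFFFFFF
    if signed and value > INT32_MAX:
        value -= 1 << 32
    return value


def add32(a: int, b: int, signed: bool = True) -> int:
    """32-bit addition with wraparound: all ones + 1 becomes all zeros."""
    return wrap32(a + b, signed)


def accumulate_float(start: float, step: float, times: int, places: int = 2) -> float:
    """System A: the stored balance is rounded to `places` after every
    addition, so a step below the stored precision is lost each time."""
    balance = start
    for _ in range(times):
        balance = round(balance + step, places)
    return balance


def accumulate_decimal(start: str, step: str, times: int) -> Decimal:
    """System B: keep full precision and round only when presenting."""
    balance = Decimal(start)
    for _ in range(times):
        balance += Decimal(step)
    return balance


class AmountError(ValueError):
    """Raised for any transfer amount the application refuses to compute with."""


def parse_transfer_amount(raw, limit: Decimal = Decimal("10000.00")) -> Decimal:
    """Validate a user-supplied transfer amount before any arithmetic."""
    try:
        amount = Decimal(raw.strip())
    except (InvalidOperation, AttributeError):
        raise AmountError("not a decimal number")
    if not amount.is_finite():
        raise AmountError("NaN/Infinity not allowed")
    if amount <= 0:
        raise AmountError("amount must be positive")      # blocks 1000 + -100
    if amount > limit:                                    # checked before quantize so
        raise AmountError("amount exceeds transfer limit")  # huge exponents cannot trip it
    if amount != amount.quantize(Decimal("0.01"), rounding=ROUND_DOWN):
        raise AmountError("fractions of a cent not allowed")
    return amount


def is_valid_amount(raw) -> bool:
    """Convenience wrapper returning True when parse_transfer_amount accepts `raw`."""
    try:
        parse_transfer_amount(raw)
        return True
    except AmountError:
        return False


if __name__ == "__main__":
    print("INT32_MAX + 1 ->", add32(INT32_MAX, 1))
    print("UINT32_MAX + 1 ->", add32(UINT32_MAX, 1, signed=False))
    print("System A:", accumulate_float(1000.0, 0.001, 10))
    print("System B:", accumulate_decimal("1000", "0.001", 10))
    for sample in ("100", "-100", "0.001", "1E+100", "NaN", "abc"):   # constructed inputs
        print(repr(sample), "valid" if is_valid_amount(sample) else "rejected")
```

The parser rejects rather than normalizes: silently rounding `0.001` to `0.00` or clamping `-100` to `0` is exactly the kind of per-system difference the slides warn about, and a rejected request is also the event worth logging.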

Creating Better Payloads

• Input field: johndoe@example.com
  Split into its components: Johndoe | @ | example.com
• Attack strings:
  – johndoe’%20or%201=1--@example.com
  – johndoe@’%20or%201=1--example.com
  – johndoe@example.com’%20or%201=1--

Attacking Tokenizing Algorithms

• Example parameter:
  account_number=6578364,6578376,6587653
• May have the following attacks:
  account_number=6578364,6578376[SQLi],6587653
  account_number=6578364,65783760000000,6587653
  account_number=6578364,%00,6587653
  account_number=6578364,-1,6587653
  account_number=6578364,6578376,71111111
  account_number=6578364,6578376,6587653,71111111
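
The server-side counterpart of the tokenizer attacks listed above, as an added example that is not from the original deck. `parse_account_numbers` applies one fixed-width digit rule to every token (which rejects the SQL fragment, the 14-digit value, the decoded NUL and the -1 in a single check), caps and de-duplicates the list, and then checks that every well-formed account belongs to the authenticated caller, because the variant that survives format validation is the last one on the slide: a perfectly valid account number that is simply someone else's. The 7-digit account format, the list cap, and the ownership set are assumptions for the demo.

```python
"""Hardened parser for a comma-separated account_number parameter.

Added example, not from the original slides. The 7-digit account format,
MAX_ACCOUNTS and the OWNED set are constructed assumptions.
"""
import re

ACCOUNT_RE = re.compile(r"\A[0-9]{7}\Z")   # assumed: exactly seven ASCII digits
MAX_ACCOUNTS = 10                           # assumed upper bound on list length


class ParamError(ValueError):
    """Raised when the parameter is malformed or names an unauthorized account."""


def parse_account_numbers(raw, owned: frozenset) -> list:
    """Return the validated, de-duplicated account list or raise ParamError."""
    if not raw:
        raise ParamError("account_number is required")
    tokens = raw.split(",")
    if len(tokens) > MAX_ACCOUNTS:
        raise ParamError("too many account numbers")
    seen, result = set(), []
    for tok in tokens:
        # One format rule covers the SQL fragment, the oversized value,
        # a decoded %00 (literal NUL) and a negative number alike.
        if not ACCOUNT_RE.match(tok):
            raise ParamError(f"malformed account number: {tok!r}")
        # Authorization, not format: a well-formed account that belongs to
        # another customer is the case format checks cannot catch.
        if tok not in owned:
            raise ParamError(f"account not owned by caller: {tok}")
        if tok not in seen:
            seen.add(tok)
            result.append(tok)
    return result


def is_accepted(raw, owned: frozenset) -> bool:
    """True when parse_account_numbers accepts `raw` for this caller."""
    try:
        parse_account_numbers(raw, owned)
        return True
    except ParamError:
        return False


# Constructed session state: the caller owns the three accounts from the slide.
OWNED = frozenset({"6578364", "6578376", "6587653"})

if __name__ == "__main__":
    samples = (
        "6578364,6578376,6587653",              # the legitimate request
        "6578364,6578376' or 1=1--,6587653",   # SQL fragment in a token
        "6578364,65783760000000,6587653",      # oversized value
        "6578364,\x00,6587653",                # %00 after decoding
        "6578364,-1,6587653",                  # negative value
        "6578364,6578376,71111111",            # wrong width
        "6578364,6578376,7111111",             # constructed: valid format, not owned
    )
    for s in samples:
        print(repr(s), "->", "accepted" if is_accepted(s, OWNED) else "rejected")
```

Keep the ownership lookup inside the parser rather than in the query that follows it: once the validated list is handed to the data layer it should be used only as bound parameters, and the parser is the single place where every token has been both shaped and authorized.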

Denial of Service / Amplification

• Amplification is the ratio at which work is performed on the server vs the work required to make the request:
  • www.example.com/cart/display.jsp?category=5&pageNum=4
    Response time: 51ms
  • www.example.com/cart/display.jsp?category=5&pageNum=40
    Response time: 614ms
  • www.example.com/cart/display.jsp?category=5&pageNum=10000
    Response time: 43120ms
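
Two things a defender wants from the amplification slide above, as an added example that is not from the original deck: a way to spot the pattern in response-time logs, and the server-side fix. `amplification_report` groups a simplified access log by path and reports the ratio between the slowest and fastest request for each path together with the query string that produced the slowest one; `clamp_page` bounds the page number by what the catalogue can actually serve. The log format, the timings other than the three on the slide, the page size and the alert threshold are constructed assumptions.

```python
"""Spot amplification in response-time logs and cap the offending parameter.

Added example, not from the original slides. The log format (method, URL,
status, milliseconds), the page size and the alert threshold are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines; the three display.jsp timings are the ones on the slide.
SAMPLE_LOG = """\
GET /cart/display.jsp?category=5&pageNum=4 200 51
GET /cart/display.jsp?category=5&pageNum=40 200 614
GET /cart/display.jsp?category=5&pageNum=10000 200 43120
GET /cart/item.jsp?id=17 200 12
GET /cart/item.jsp?id=18 200 15
"""


def parse_log(text: str) -> list:
    """Return (path, query, ms) tuples from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _method, url, _status, ms = line.split()
        parts = urlsplit(url)
        rows.append((parts.path, parts.query, int(ms)))
    return rows


def amplification_report(text: str, threshold: float = 10.0) -> dict:
    """Map each path whose slowest/fastest ratio reaches `threshold` to
    (ratio, query string of the slowest request)."""
    by_path = defaultdict(list)
    for path, query, ms in parse_log(text):
        by_path[path].append((ms, query))
    report = {}
    for path, samples in by_path.items():
        fastest_ms = min(samples)[0]
        slowest_ms, slowest_query = max(samples)
        ratio = slowest_ms / max(fastest_ms, 1)   # guard against a 0 ms entry
        if ratio >= threshold:
            report[path] = (round(ratio, 1), slowest_query)
    return report


def clamp_page(raw, total_items: int, page_size: int = 20) -> int:
    """Server-side fix: accept only page numbers the catalogue can serve.
    Non-numeric or negative input falls back to the first page."""
    try:
        page = int(raw)
    except (TypeError, ValueError):
        return 1
    last_page = max(1, -(-total_items // page_size))   # ceiling division
    return min(max(page, 1), last_page)


if __name__ == "__main__":
    for path, (ratio, query) in amplification_report(SAMPLE_LOG).items():
        print(f"{path}: {ratio}x slower for ?{query}")
    for raw in ("4", "40", "10000", "-1", "abc"):
        print("pageNum", raw, "->", clamp_page(raw, total_items=500))
```

The ratio is computed per path rather than per parameter value because the attacker chooses the value; what the defender controls is the bound, and `clamp_page` makes the cost of any request proportional to the catalogue size instead of to the client's input.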

What about tools?

• Scanners should never be relied upon
• Tools should be user driven
• Tools should be used to make custom attacks more efficient

How can we make things better?

• Give users as little control as possible
• Maintain state on the server side wherever possible:
  http://www.example.com/viewaccount?id=67546737
  http://www.example.com/viewaccount
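
The two URLs on the slide above as handlers, added here as an example that is not part of the original deck. `view_account_by_param` is the first URL: the account id arrives from the client, authentication is checked but authorization is not, so any logged-in user can read any account. `view_account_from_session` is the second URL: the handler ignores client input and resolves the account from state the server stored at login, which is what "maintain state on the server side" means in practice. The account and session stores, session ids and balances are constructed for the demo.

```python
"""Client-controlled id versus server-side state for /viewaccount.

Added example, not from the original slides. ACCOUNTS and SESSIONS are
constructed stand-ins for a database and a session store.
"""

# Constructed server-side data. 67546737 is the id shown on the slide.
ACCOUNTS = {
    67546737: {"owner": "alice", "balance": "1250.00"},
    67546738: {"owner": "bob", "balance": "80.00"},
}
SESSIONS = {
    "sess-alice-1": {"user": "alice", "account_id": 67546737},
    "sess-bob-1": {"user": "bob", "account_id": 67546738},
}


def view_account_by_param(session_id: str, query: dict):
    """Vulnerable pattern: /viewaccount?id=... with the id chosen by the client.
    Returns (status, account). The session proves who the caller is, but
    nothing ties the requested id to that caller."""
    if session_id not in SESSIONS:
        return 401, None
    try:
        account_id = int(query.get("id", ""))
    except ValueError:
        return 400, None
    account = ACCOUNTS.get(account_id)
    return (200, account) if account else (404, None)


def view_account_from_session(session_id: str, query: dict):
    """Hardened pattern: /viewaccount with no client-supplied id.
    `query` is accepted for interface parity but deliberately unused; the
    account comes from the server-side session created at login."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, None
    account = ACCOUNTS.get(session["account_id"])
    return (200, account) if account else (404, None)


if __name__ == "__main__":
    # Bob asks for Alice's account id through each handler.
    print("by param:   ", view_account_by_param("sess-bob-1", {"id": "67546737"}))
    print("from session:", view_account_from_session("sess-bob-1", {"id": "67546737"}))
```

When the id must stay in the URL (a multi-account customer, for instance), the same principle applies in a weaker form: look the id up only within the set of accounts the session already owns, never directly in the global table.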

Never Forget

• This is more than a job!
• People really depend on you
• Maintain a balance of structure and creativity
