Transcript
Page 1: Art and Science of Vulnerability Assessments

VULNERABILITY ASSESSMENTS

THE ART AND SCIENCE OF VULNERABILITY ASSESSMENTS

(ISC)2 New York Metro

VIRTUE SECURITY March 4, 2014

Page 2: Art and Science of Vulnerability Assessments


What we can’t always teach

• Component discovery

• Identifying data of value

• Subverting arithmetic

• Reversing algorithms


Page 3: Art and Science of Vulnerability Assessments


Principles of an Application Vulnerability Assessment

• Understanding business purpose

• Parameters are our control variables

• Understand who an attacker may be and develop appropriate threats.


Page 4: Art and Science of Vulnerability Assessments


Component Discovery

[Diagram: a single request carrying the parameters Session Token, User_ID, Page_num and Timestamp, each mapped to the back-end component that consumes it. Legend: request parameters / components.]

Page 5: Art and Science of Vulnerability Assessments


Control Characters are Your Friend

0x00 NUL

0x01 SOH

0x02 STX

0x03 ETX

0x04 EOT

0x05 ENQ

0x08 BS

… …


• Control characters are often poorly handled by compiled applications.

• Can be useful to identify or tamper with legacy systems.

Page 6: Art and Science of Vulnerability Assessments


Component Discovery

[Diagram: the same request with a null byte injected, URL: http://example.com/%00; the parameters User_ID, Page_num and Timestamp are again mapped to their components. Legend: request parameters / components.]

Page 7: Art and Science of Vulnerability Assessments


What is Useful to an Attacker?

• The obvious: usernames, passwords, session tokens, etc.

• The less obvious: order numbers, timestamps.

• Anything that can be used to negatively impact business integrity.


Page 8: Art and Science of Vulnerability Assessments


Joe’s Banana Stand

• Vendor A notices an Ajax request used to confirm orders:

order_confirmed.jsp?ordernumber=7567401102182014

Responds TRUE / FALSE


Page 9: Art and Science of Vulnerability Assessments


Joe’s Banana Stand

• Vendor A learns the following:

– 7567 (unknown)

– 4011 (banana PLU code)

– 02182014 (date)


Page 10: Art and Science of Vulnerability Assessments


APPLICATION ARITHMETIC

• Negative Values


account_value += transfer_value;

account_value = 1000 + 100; // account_value = 1100

account_value = 1000 + -100; // account_value = 900

Page 11: Art and Science of Vulnerability Assessments


Integer overflows / wraparounds

32 bits:

1111 1111 1111 1111 1111 1111 1111 1111 (all 32 bits set)

+1

0000 0000 0000 0000 0000 0000 0000 0000 (wraps around to zero)

Signed range: −2,147,483,648 to +2,147,483,647

Unsigned range: 0 to 4,294,967,295

Page 12: Art and Science of Vulnerability Assessments


Decimal Values


System A

• 1000 + 0.001, repeated ten times = 1000.00

System B

• 1000 + 0.001, repeated ten times = 1000.01

Page 13: Art and Science of Vulnerability Assessments


Not All Numbers Are the Same

• Integers may be defined differently.

– Limited capacity

– Signed / unsigned

– Varying support of decimals

• Applications may also handle numbers differently

– Order quantities with fractions

– Transactions with fractions of cents

– Negative values

– Divide by zero
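The arithmetic pitfalls from the last four slides side by side, as an added Python example that is not code from the talk: safe_transfer, wrap_uint32, wrap_int32, the two accumulation policies and validate_amount are all constructed here, and the 32-bit limits are the ranges quoted on the overflow slide.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed example (not code from the talk): each pitfall next to the
# server-side check that closes it.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1   # -2,147,483,648 .. +2,147,483,647
CENT = Decimal("0.01")                     # ledger resolution

def safe_transfer(account_value, transfer_value):
    """account_value += transfer_value, but negatives and overflow are refused."""
    if transfer_value <= 0:
        raise ValueError("transfer amount must be positive")
    result = account_value + transfer_value
    if not INT32_MIN <= result <= INT32_MAX:
        raise OverflowError("balance would overflow 32-bit storage")
    return result

def wrap_uint32(value):
    """What an unsigned 32-bit cell keeps: 32 ones + 1 rolls over to 0."""
    return value & 0xFFFFFFFF

def wrap_int32(value):
    """Same bits read as signed: INT32_MAX + 1 becomes INT32_MIN."""
    bits = value & 0xFFFFFFFF
    return bits - 2**32 if bits & 0x80000000 else bits

def accumulate_system_a(start, step, times):
    """System A: round to cents after every addition (ten 0.001s vanish)."""
    total = Decimal(start)
    for _ in range(times):
        total = (total + Decimal(step)).quantize(CENT, rounding=ROUND_HALF_UP)
    return total

def accumulate_system_b(start, step, times):
    """System B: carry the fraction, round once at the end (ten 0.001s = 0.01)."""
    total = Decimal(start)
    for _ in range(times):
        total += Decimal(step)
    return total.quantize(CENT, rounding=ROUND_HALF_UP)

def validate_amount(raw):
    """Refuse non-numbers, NaN/infinity, zero or negative, and sub-cent fractions."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValueError("not a number") from None
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be positive and finite")
    if amount.normalize().as_tuple().exponent < -2:
        raise ValueError("sub-cent precision not accepted")
    return amount
```

Which of the two accumulation policies a system uses matters less than the two systems disagreeing; validate_amount stops fraction-of-a-cent inputs before they reach either.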


Page 14: Art and Science of Vulnerability Assessments


Creating Better Payloads

• Input field: johndoe@example.com (split by the application into Johndoe @ example.com)

• Attack strings:

– johndoe'%20or%201=1--@example.com

– johndoe@'%20or%201=1--example.com

– johndoe@example.com'%20or%201=1--

Page 15: Art and Science of Vulnerability Assessments


Attacking Tokenizing Algorithms

• Example parameter:

account_number=6578364,6578376,6587653

• May have the following attacks:

account_number=6578364,6578376[SQLi],6587653

account_number=6578364,65783760000000,6587653

account_number=6578364,%00,6587653

account_number=6578364,-1,6587653

account_number=6578364,6578376,71111111

account_number=6578364,6578376,6587653,71111111
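A server-side validator for the account_number list above, as an added Python example that is not code from the talk: validate_account_list and accounts_from_query are hypothetical, and the 7-to-8-digit account format, the MAX_TOKENS bound and the caller's allowed set are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed example (not code from the talk). Assumptions: account numbers
# are 7 or 8 decimal digits, one request may name at most MAX_TOKENS of them,
# and `allowed` is the set of accounts the authenticated caller owns.
TOKEN_RE = re.compile(r"[0-9]{7,8}")
MAX_TOKENS = 10

def validate_account_list(raw, allowed):
    """Return the tokens of an account_number=a,b,c value only if every one is
    well formed and owned by the caller; otherwise raise ValueError.

    Each probe on the slide trips a specific branch:
      6578376[SQLi]         non-digit characters fail the regex
      65783760000000        over-long value fails the regex
      %00 (decoded NUL)     control character fails the regex
      -1                    sign character fails the regex
      71111111              well formed but not in the caller's set
      ...,6587653,71111111  the extra token is checked, never silently dropped
    """
    if raw.count(",") + 1 > MAX_TOKENS:   # bound the work before splitting
        raise ValueError("too many account numbers")
    tokens = raw.split(",")
    for tok in tokens:
        if not TOKEN_RE.fullmatch(tok):
            raise ValueError("malformed account number: %r" % tok)
        if tok not in allowed:
            raise ValueError("account not owned by caller: %s" % tok)
    if len(set(tokens)) != len(tokens):
        raise ValueError("duplicate account number")
    return tokens

def accounts_from_query(query, allowed):
    """Take the raw query string; parse_qs url-decodes it, so %00 reaches the
    validator as a real NUL byte and is rejected like any other junk."""
    values = parse_qs(query, keep_blank_values=True).get("account_number", [])
    if len(values) != 1:
        raise ValueError("account_number must appear exactly once")
    return validate_account_list(values[0], allowed)
```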


Page 16: Art and Science of Vulnerability Assessments


Denial of Service / Amplification

• Amplification is the ratio of the work performed on the server to the work required to make the request:

• www.example.com/cart/display.jsp?category=5&pageNum=4

• Response time: 51ms

• www.example.com/cart/display.jsp?category=5&pageNum=40

• Response time: 614ms

• www.example.com/cart/display.jsp?category=5&pageNum=10000

• Response time: 43120ms


Page 17: Art and Science of Vulnerability Assessments


What about tools?

• Scanners should never be relied upon

• Tools should be user driven

• Tools should be used to make custom attacks more efficient


Page 18: Art and Science of Vulnerability Assessments


How can we make things better?

• Give users as little control as possible

• Maintain state on the server side wherever possible:

http://www.example.com/viewaccount?id=67546737

http://www.example.com/viewaccount


Page 19: Art and Science of Vulnerability Assessments


Never Forget

• This is more than a job!

• People really depend on you

• Maintain a balance of structure and creativity
