
BlackBerry Website and Web Application Penetration Testing Service

Program Description

This document includes all attached Annexes, is provided for informational purposes only, and does not in itself constitute a binding legal document. BlackBerry assumes no responsibility for any typographical, technical or other inaccuracies in this document. BlackBerry reserves the right to periodically change information that is contained in this document; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements or other additions to this document to you in a timely manner or at all.


Introduction

A website / web application penetration test aims to review an entire application. An assessed application will be subjected to a review for vulnerabilities (including those detailed within the OWASP Top Ten) in order to identify any weaknesses that could allow an attacker to compromise the application, the data it interacts with, its users or the hosting environment. Website / web application security testing should be part of any organization's risk assessment phase prior to launching live services. We take web application security testing to the highest level, ensuring that a Customer can release their web app knowing it has been extensively scrutinized by industry leaders. We can provide scheduled monthly website/web application penetration testing services to a Customer to ensure their web presence is secure on an ongoing basis.

The difference between the terms Website and Web Application

• A website is typically considered a set of web pages viewed within a browser. This is meant to be a static set of pages that provides viewers with information; similar to a brochure, with limited or no ways for users to interact with it. One way to look at it is that a website is like a big conference that everyone can attend, but they have to sit and listen to the speaker without any ability to interact.

• Web applications are interactive sites or those that rely on and provide interactive elements. These could be sites like Wikipedia or Facebook. The value of both of these examples is predicated upon user engagement; without it, neither application is very useful. Think of this like a networking event – people have to engage with others to provide value for everyone.

Customer Prerequisites

The following prerequisites are required from the Customer:

• URLs
• Credentials/User Accounts – if required
• IP Address if testing the associated infrastructure (i.e. the server on which the site is hosted)
• Permission from hosting company (if not hosted at the Customer’s site)
• Point of Contact details

Deliverables

In-depth report highlighting the vulnerabilities, broken down into 3 main parts:

• Management Summary
• Technical Overview
• Detailed Technical Findings

Scope of Work - Website/Application Penetration Test

The scope is set out below as each test activity followed by its purpose.

In Depth Penetration Testing of Website/Application
A full test on the nominated website/application (including the OWASP Top Ten most common vulnerabilities) with attempted exploitation of any potential vulnerability found. This will be followed by an in-depth analysis and report highlighting risk, effect and effort to fix.

Remote Scan
To ascertain any potential vulnerabilities and “open” doors. This will also identify links to other sites that could present a risk to the target site. Those sites that are identified and require examination will be added to the scope once authority to do so is given.

In Depth Exploitation
A senior security consultant will use the results of automated and manual assessment to identify target areas which may be vulnerable. These areas will then be scrutinised further with the aim of exploiting the issue in order to identify what an “attacker” could achieve. The testing will be non-destructive, thus protecting the integrity of the website in a live environment.

Information Gathering
Fingerprinting the application using bespoke and COTS tools to identify assets/software/resources in use.

Configuration Management Testing
Review the services presenting the application and those that the application interacts with (where possible). This can include database management systems, infrastructure and secure communication protocols.

Business Logic Testing
Creating functional tests to understand how the application works and then applying incorrect functional flow to assess how the application reacts.

Authentication Testing
Assessing the security of authentication mechanisms in use. If the application provides user login functionality then it can be tested from both black- and grey-box approaches:

Black-box: User enumeration and brute force attacks will be attempted on the user login function to gain authenticated access from an unauthorised perspective.

Grey-box: An account with a low level of privilege within the application will be provided to the test team in order to assess the application as a legitimate user.

Where present/required, the assessment will also include reviewing functionality such as CAPTCHA and multiple-factor authentication, testing the application’s resilience to brute-force testing, and identifying the predictability of username and password combinations.

Authorisation Testing
Applications which implement access controls/user accounts will be tested for privilege escalation and authorisation bypass issues to help ensure that users are unable to gain access to resources/functionality beyond their requirements/authorization. This will be reviewed in two manners:

Horizontal segregation: The application will be assessed to identify any issues which could allow access to resources belonging to another user account by a similarly privileged user (outside of their required access).

Vertical segregation: The application will be assessed to identify any issues which could allow a less-privileged user account to access higher-privileged resources (e.g. administrative functionality).

Session Management
Testing for cookie implementation, linear regression testing of cookie value randomness, session management schema, session fixation, session variable theft and exposure, and cross-site request forgery.

Data Validation
A thorough series of automated and manual tests will be undertaken to verify that all user-supplied data sent to the application is correctly sanitised. Testing seeks to identify, but is not limited to, cross-site scripting, DOM-based issues, SQL, LDAP, ORM, XML, SSI and XPath injections, as well as vector-based overflows.

Denial of Service
Testing activity will be undertaken to actively seek out functions which may be abused to create a denial-of-service condition within the application. Such issues will only be leveraged if permitted within the scope of the assessment.

Web Services/APIs
Where present, web services and APIs, such as SOAP/RESTful services, will be tested using the same methodology as detailed above. For in-depth white-box assessments, a copy of the service/API schema and example requests can be requested.
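One way to carry out the “linear regression testing of cookie value randomness” named under Session Management above, as an added illustration rather than BlackBerry’s own tooling: it fits a straight line to consecutive session-ID values and flags a generator whose output is close to linear. The token samples (a counter-style generator and a CSPRNG one) are constructed here; a real check would use tokens issued by the application under test.

```python
from fractions import Fraction
import secrets


def r_squared(values):
    """R^2 of a least-squares line fitted to values against their index.

    Computed exactly with Fractions so 128-bit token values lose no
    precision; 1.0 means the sequence is perfectly linear (predictable),
    values near 0 mean no linear trend was found.
    """
    n = len(values)
    if n < 3:
        raise ValueError("need at least three samples")
    xs = range(n)
    mean_x = Fraction(sum(xs), n)
    mean_y = Fraction(sum(values), n)
    ss_tot = sum((y - mean_y) ** 2 for y in values)
    if ss_tot == 0:  # every token identical: trivially predictable
        return 1.0
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, values))
    return float(1 - ss_res / ss_tot)


def is_predictable(tokens, threshold=0.5):
    """True when consecutive hex session tokens track a straight line."""
    return r_squared([int(t, 16) for t in tokens]) >= threshold


def weak_tokens(n, start=0x5F3A1C00, step=0x1000, jitter=0):
    """Constructed sample: counter-style IDs with a fixed increment and
    optional random jitter (the hypothetical weak generator under test)."""
    return [
        f"{start + i * step + (secrets.randbelow(jitter) if jitter else 0):032x}"
        for i in range(n)
    ]


def strong_tokens(n):
    """Constructed sample from the CSPRNG an application should use."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("counter", weak_tokens(64, jitter=0x400)),
                         ("secrets", strong_tokens(64))):
        print(f"{name}: R^2={r_squared([int(t, 16) for t in sample]):.4f} "
              f"predictable={is_predictable(sample)}")
```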

Approach

Application Testing

BlackBerry will employ different software testing techniques to find “security bugs” in applications hosted on the Internet.

Output

• List of applications
• List of application components
• List of application vulnerabilities
• List of application system trusts

Re-Engineering

• Decompose or deconstruct the binary codes, if accessible
• Determine the protocol specification of the applications
• Guess program logic from the error/debug messages in the application outputs and program behaviours/performance

Authentication (Attempt to Gain Identity Credentials for Applications)

• Find possible brute force password guessing access points in the applications
• Find valid login credentials with password grinding, if possible
• Bypass authentication system with spoofed tokens
• Bypass authentication system with authentication information
• Determine the application logic to maintain the authentication sessions - number of (consecutive) failed logins allowed, login timeout, etc.
• Determine the limitations of access control in the applications - access permissions, login session duration, idle duration

Session Management

• Determine the session management information - number of concurrent sessions, IP-based authentication, role-based authentication, identity-based authentication, cookie usage, session ID in URL encoding string, session ID in hidden HTML field variables, etc.
• Guess the session ID sequence and format
• Determine if the session ID is maintained with IP address information; check if the same session information can be retried and reused on another machine
• Determine the session management limitations - bandwidth usage, file download/upload limitations, transaction limitations, etc.
• Gather excessive information with direct URL, direct instruction, action sequence jumping and/or page skipping
• Gather sensitive information with Man-In-the-Middle attacks
• Inject excess/bogus information with Session-Hijacking techniques
• Replay gathered information to fool the applications

Input Manipulation

• Find the limitations of the defined variables and protocol payload - data length, data type, construct format, etc.
• Use exceptionally long character strings to find buffer overflow vulnerabilities in the applications
• Concatenate commands in the input strings of the applications
• Inject SQL language in the input strings of database-tier web applications
• Examine “Cross-Site Scripting” in the web applications of the system
• Examine unauthorised directory/file access with path/directory traversal in the input strings of the applications
• Use specific URL-encoded strings and/or Unicode-encoded strings to bypass input validation mechanisms of the applications
• Execute remote commands through “Server Side Include”
• Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications
• Manipulate the (hidden) field variables in the HTML forms to fool or modify the logic in the server-side

Output Manipulation

• Retrieve valuable information stored in the cookies
• Retrieve valuable information from the application cache
• Retrieve valuable information stored in the serialised objects
• Retrieve valuable information stored in the temporary files and objects

Information Leakage

• Find useful information in hidden field variables of the HTML forms and comments in the HTML documents
• Examine the information contained in the application banners, usage instructions, welcome messages, farewell messages, application help messages, debug/error messages, etc.

Reporting

On conclusion of the testing, the results will be fully analysed by a BlackBerry senior tester, and a full report will be prepared for the client which will set out the scope of the test and the methodology used.

The test team findings will be represented in three sections:

Management Overview
A plain English description of discovered vulnerabilities and their potential business impact, with an easy to understand diagram showing vulnerabilities.

Technical Overview
A section for technical managers which aims to assist in the prioritization of patching and resolving any issues found.

Full Technical
This section of the report is intended for technical personnel and will include full details of all vulnerabilities found, how they were exploited and a route map with detailed fixes for remediation where appropriate. Alongside the final report, BlackBerry will produce an Excel spreadsheet listing the vulnerabilities found so you can track remediation more easily.

Vulnerabilities are rated Critical, High, Medium or Low. The report will give the tested target a rating of either CRITICAL, HIGH, MEDIUM OR LOW RISK.

Deliverable Acceptance Criteria

Interim deliverables will be completed and presented to the Customer for review at regular intervals throughout the project. The Customer will review, and either accept, or document specific corrective items in writing, within 3 business days. In the absence of any comments, deliverables produced by BlackBerry will be deemed accepted after 3 business days.

Limitations, Exclusions and Additional Customer Responsibilities

a. Additional Professional Services offerings may be purchased as add-ons; otherwise additional consulting work not specifically contained in this Program Description is out of scope.

b. If Customer Prerequisites and other Customer tasks are not completed in a timely manner as agreed to with the BlackBerry Project Manager and the work contemplated by this Program Description is delayed by greater than two (2) weeks or ten (10) business days, or if the work must be rescheduled by the Customer, BlackBerry reserves the right at its sole discretion to terminate the engagement without refund, or to charge the Customer for additional resources at BlackBerry’s current daily rate of $2500 USD for the delay period.

c. Customer must ensure that Customer Project Team Members are assigned and available to meet for project Kick Off at the project start date.

d. The Customer must provide BlackBerry Representatives with the information and resources needed to successfully execute the project. This can include, without limitation, providing access and credentials to systems, completing installation prerequisites, providing project resources, and attendance at planning, execution, or training meetings.

e. Customer will ensure resources are available in a timely manner to undertake tasks for which the Customer is responsible.

f. Customer must ensure that Customer has the necessary escalation and communication channels to resolve any project blockers in a timely manner, including project dependencies on third parties and Customer’s other vendors, suppliers, and consultants.

g. If BlackBerry Professional Services personnel travel to a Customer location for the delivery of this engagement, there will be additional Travel and Expense costs. These Travel and Expense costs can be paid for prior to the engagement, or at BlackBerry’s actual cost, at engagement completion.

h. Customer will provide BlackBerry’s assigned Program Manager with email confirmation of receipt and acceptance of the services rendered on a weekly basis and promptly following the completion of the project. All services shall be deemed to be delivered, and on no account shall BlackBerry be obligated to deliver further services beyond sixty (60) days after the date specified on the services order form.

i. BlackBerry may subcontract all or a portion of the services and/or have the services performed by one of its affiliates.

About BlackBerry

BlackBerry is securing a connected world, delivering innovative solutions across the entire mobile ecosystem and beyond. We secure the world’s most sensitive data across all end points – from cars to smartphones – making the mobile-first enterprise vision a reality. Founded in 1984 and based in Waterloo, Ontario, BlackBerry operates offices in North America, Europe, Middle East and Africa, Asia Pacific and Latin America. The Company trades under the ticker symbols “BB” on the Toronto Stock Exchange and “BBRY” on the NASDAQ. For more information, visit www.blackberry.com.

BlackBerry Professional Services

BlackBerry Professional Services offers additional consulting and educational offerings. To learn more about these offerings, please go to: http://us.blackberry.com/enterprise/products/support-services.html

Note: The services described in this Program Description are subject to the terms and conditions of the Business Services by BlackBerry Terms found at: http://us.blackberry.com/legal/technical-support-terms.html

There are no warranties, express or implied, with respect to the content of this document, and all information provided herein is provided “As Is”. Except as expressly agreed to by BlackBerry in an agreement between BlackBerry and you for services, in no event shall BlackBerry or any of its Shareholders, Affiliates, Directors, Officers, Employees, Agents or Suppliers be liable to any Party for any direct, indirect, special or consequential, punitive or exemplary damages for any use of this document, including without limitation, reliance on the information presented, lost profits, lost data, or business interruption, arising in contract, tort, strict liability or otherwise, even if BlackBerry was expressly advised of the possibility of such damages.

© 2016 BlackBerry Limited. All rights reserved. The BlackBerry and BlackBerry families of related marks, images and symbols are the exclusive properties of BlackBerry Limited. BlackBerry, ‘Always On, Always Connected’, the BlackBerry

BlackBerry Corporation, 6700 Koll Center Parkway, #200, Pleasanton, California USA 94566. Tel: (925) 931-6065 Fax: (925) 931-606 www.BlackBerry.com info@blackberry.com
BlackBerry Limited, 2200 University Ave. E, Waterloo, Ontario Canada N2K 0A7. Tel: (519) 888-7465 Fax: (519) 888-6906 www.BlackBerry.com info@blackberry.com
BlackBerry UK Limited, 200 Bath Road, Slough, Berkshire United Kingdom SL1 3XE. Tel: +44 (0)1784 477465 Fax: +44 (0)1784 477455 www.BlackBerry.com info@blackberry.com
BlackBerry Singapore Pte. Limited, The Synergy Building, 2nd Floor, 1 International Business Park, Singapore 609917. Tel: +65 6879 8700 www.BlackBerry.com info@blackberry.com
