"Practical Security Testing for Web Applications"

(1)

T10

Track

5/7/2009 11:15:00 AM

"Practical Security Testing for

Web Applications"

Presented by:

Rafal Los

Hewlett-Packard Application Security Center

(2)

Rafal Los

Rafal Los is currently a Sr. Security Consultant with Hewlett-Packard’s Application Security Center (ASC). Rafal has over 13 years of experience in network and system design, security policy and process design, risk analysis, penetration testing and consulting. Over the past eight years, he has focused on Information Security and Risk Management, leading security

architecture teams and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously Rafal spent three years in-house with GE Consumer Finance, leading its security programs.

(3)

Practical Security Testing

for Web Applications

24 February 2009

1

for Web Applications

Rafal M. Los Rafal M. Los

HP ASC Sr. Security Solutions Expert HP ASC Sr. Security Solutions Expert

Agenda

y

Understanding the QA/Security Relationship

y

Negative Testing 360°

y

Building Negative Tests

y

Implementation and Execution

(4)

Agenda

y

Looking Ahead

24 February 2009

3

Looking Ahead

Background

Why do QA teams care about security?

• Traditionally securityis left to the security team

• Security issues must be addressed throughout SDL • QA teams add missing element

QA teams are crucial to security • Understand application test-cases • Understand application workflows • Security is a natural extension of quality

(5)

QA – Security Relationship

Similarities – core principles • Testing web application logic • Functional testing on live code • Specific data-sets used

Differences – outlying goals Differences – outlying goals

24 February 2009

5

• Stress-test vs. break test • Positive vs. negative data sets

• Reinforcing positive vs. uncovering negative

The “Hacker” Mindset

y _{Why would anyone want to break an application?}

y _Fun y _Malice y _Profit y Attack users y Attack systems y _{Mentality difference}

y _{QA asks How does it perform?} y _{QA asks – How does it perform?} y _{Hacker asks – How can I break it?}

(6)

Whose Problem is Security?

y _{Many components to the security “problem”}

y _Policyy

y _{Development frameworks/standards} y _Audit

y _Metrics

y _{Security is a pillar of overall quality}

y _{Does it function?} f 24 February 2009 7 y _{Does it perform?} y y _{Is it secure?}_{Is it secure?}

Agenda

y

(7)

Negative Testing Overview

What is negative testing?

y _{Testing for}_{unintended features}

y _{Testing using}_{unintended data sets} y _{Testing for}_{unintended logic flow}

“ l d d h l d

24 February 2009

9

“Negative testing involves understanding the application, and finding ways to manipulate the code to perform in ways as to create unintended exposures”

Negative Testing Overview

Selection bias

Æ

Confirmation bias

y _{Testing to}_{confirm desired results}_{confirm desired results}

y _{Testing using}_{known desired data and fl}_{known desired data and flows} y _{Testing which completely misses the point…}

“ confirmation bias is a tendency to search for or interpret …confirmation bias is a tendency to search for or interpret new information in a way that confirms one's preconceptions and to avoid information and interpretations which

(8)

Negative Testing Mindset

Traditional QA: proving the positive

• Prove certain activity functions as defined by business case

• Requirements are easily defined in application flow and function

Negative testing: finding the negative

24 February 2009

11

• Find negative (unintended) functions/results

• No way to clearly define “bad stuff ” as a requirement to test against

Negative Testing - Data

Types of negative data depends on purpose

•• Exploit a clientExploit a client

• Client-side script or technology •• Corrupt or crash a systemCorrupt or crash a system

• Database control characters

• Non-native character sets, system characters • S t d

• System commands

•• Retrieve data from the systemRetrieve data from the system

• Database queries, control language • System commands

(9)

Negative Testing - Flow

Goal is to manipulate application logic

Identify “breakable” application logic

• Create a race condition

• Break application control-flow

• Force an out of processaction • Inject a rogue process

24 February 2009

13

Test-cases based off of proper application logic flows

Requires in-depth knowledge of application flow

Negative Testing - Tools

Tools are an integral part of

negative testing

•• Manual tools

Manual tools

• Flow diagrams

• Data sets

• Logic charts

•• Automated tools

Automated tools

g

•• Automated tools

Automated tools

• Black-box scanners

(10)

Negative Testing - Tools

W kfl b l biliti

Automated tools *cannot* perform all testing

• Workflow-base vulnerabilities…

• Analyze the application logic and data

Human beings must…

24 February 2009 15 • Guide tools • Interpret results

Agenda

y

(11)

Building the Test

24 February 2009

17

Building Data-Negative Tests

All possible inputs All possible inputs

Negative Test Data Negative Test Data

Data-unknown (unknown impact) p p p p •Letters •Numbers •Special characters •Control characters Situational Refinement •Database ÆSQLi •Client-side ÆXSS •XMLdbÆX-Path.i Allowed (positive) characters Case-specific

malicious •Cross-site scripting •SQL Injection

(12)

Building Data-Negative Tests

y

y _{Manual human testing}_{Manual human testing}

y _{Must build test data sets manuallyy}

y _{Sniper approach (can be precise)}

y _{Often very slow, methodical}

y _{Identifies false-positives}

y

y _Tools_{Tools--based testing}_{based testing}

y _{Builds test data sets automatically}

h h

24 February 2009

19

y _{Shotgun approach (not precise)}

y _{Ability to be extremely fast}

y _{Trouble with false-positives}

Negative Data Sets

Facts about negative data

y _{Negative data sets are best generated by tools if the tester}_g _g _y _{is not}

a security expert

y _{Many pre-built negative data sets already exist}

y Sla.ckers.org – XSS cheat-sheet

y _{Tools can point}Æ_clickÆ_test

y _{Black-box testing tools save time & effort} y _{Humans must analyze results}

y _{Must mix positive/negative data for completeness}

y Workflows often require good data to proceed

(13)

Flow Analysis Testing

Can a process step be bypassed? Can a process step be bypassed? Submit quote

Can a process step be injected? Can a process step be injected?

Step 1 Step 2 Step 3 Step 4

Verify Identity Request quote Receive quote Submit for purchase

Step 1 Step 2 Step 3 Step 4

Submit quote for someone

else?

24 February 2009

21

Verify Identity Request quote Receive quote

Injected!

Modify quote Submit for purchase

Flow Analysis Testing

y

y _{Manual human testing}_{Manual human testing}

y _{Can analytically identify specific}_y _y _{y p} _weak_points_p

y _{Distinguishes between success/failure readily}

y _{Often very slow, methodical}

y _{Ability to tailor testing to situation/process}

y

y _Tools_{Tools--based testing}_{based testing}

y _{Attacks every point, cannot distinguish}

ff l d h f l

y _{Difficulty distinguishing success/failure}

y _{Ability to be extremely fast}

(14)

Flow Analysis Testing

Facts about flow analysis testing

y _{Tester must understand application flow}_pp

y _{Proper application flow to turn into negative} y “Random manipulation” rarely works

y _{Focus on application control-points}

y Key points in application logic

y _{Don’t leave your testing to tools-only}

y _{Most tools can’t identify control points, dive deep into flows}

24 February 2009

23

y _{Human analyst has an obvious advantage (critical thinking)}

Agenda

y

(15)

Negative Testing Process

Analyze Requirements

Build Test Sets

Test Negative Analyze Findings[3]

24 February 2009

25

Test Positive Data

Test Negative Data[1]

Test Positive Flow

Test Negative Flow[2]

Testing Negative Data

1. Identify all visible inputs (data “source”)

i. Input positive datap p

y _{Analyze behavior}

ii. Input negative data

y Analyze behavior

2. Identify all hidden fields (data “source”)

i. Input positive data

y _{Analyze behavior}_{Analyze behavior}

ii. Input negative data

(16)

Testing Negative Flow

… as we’ve learned this will be manual work

y _{Map out all control-flows}_p

y _{Identify a potentially weak logic element}

y _{Walk the positive-control flow path}

y Ensure proper positive path is understood

y _{Map possible negative-control flow paths} y _{Execute negative-control flow paths}

A l diff b i i / i

24 February 2009

27

y _{Analyst difference between positive/negative attempts} y Repeat if necessary to adjust/adapt until satisfied

y Attempt at least 3-5 loop-repetitions

Identify Weaknesses

y _{How do you identify a weakness/defect}

y _{Undesired application reaction}_pp

y _Crash?

y _{Skip control step?}

y _{Disclosure of unintended data}

y Debug information

y Disclosure of internal data

(17)

Agenda

y

Looking Ahead 24 February 2009 29 Looking Ahead

Looking Ahead

y _{Addressing “deep” defects}

y

y _Workflow_{Workflow--based}_{based security defects}

y _{Traditionally cannot be scanned for}_{cannot be scanned for (with automated tools)}

y _{Analysis of Defects}

y _{When is a critical defect}_{critical defect… not?}

(18)

Questions?

• Security Strategist

• Application Security Specialist • Security Strategist

• Application Security Specialist

• Following the White Rabbit:

http://www.communities.hp.com/securitysoftware/blogs/rafal

• Digital Security SoapBox: http://preachsecurity.blogspot.com/

• Following the White Rabbit:

http://www.communities.hp.com/securitysoftware/blogs/rafal

• Digital Security SoapBox: http://preachsecurity.blogspot.com/

24 February 2009 31 • Email: [email protected] • Direct: (404) 606-6056 • Email: [email protected] • Direct: (404) 606-6056