Thursday, November 7, 2013
Friday, February 10, 2012
PCI scanning stands for 'Payment Card Industry' scanning. As per the standard guidelines, it involves having a PCI ASV (Approved Scanning Vendor) perform a vulnerability scan on all of the vendor's IP addresses and devices that store, process or transmit credit card data. The scan aims to identify both network and web application vulnerabilities such as XSS and SQL injection. There are many guidelines and processes involved here as per the PCI standard; we are not going to discuss those currently.
Here we discuss how the risks identified during the scans are calculated and rated.
Risk Ratings:
In PCI ASV reports, the risk of the vulnerabilities identified during the ASV scans is calculated based on the CVSS score. CVSS stands for Common Vulnerability Scoring System, the scoring standard adopted and well accepted throughout the security domain for calculating security risk.
More information on CVSS and how to calculate CVSS scores can be found at:
http://www.first.org/cvss/cvss-guide
http://nvd.nist.gov/cvss.cfm?calculator
The basic rule of thumb for calculating the risk is:
If the CVSS score is >= 4.0, that vulnerability results in non-compliance with PCI and the affected device/IP is considered a FAIL; a CVSS score <= 3.9 means the vulnerability is compliant with PCI.
Useful Tips and Suggestions:
1. Most vulnerability scanning tools provide a CVSS score with each vulnerability, but some scanners may provide false or inaccurate CVSS scores, hence the scores must be reviewed and validated before finalizing the risk.
2. If no CVSS score is present for a vulnerability, it should be calculated manually using the CVSS calculator and the appropriate risk finalized.
3. The right parameters should be used while calculating the risk; wrong parameters result in a wrong score and a wrong compliance status.
4. If the vendor has a compensating control that reduces the risk of a vulnerability, a new CVSS score should be calculated taking the compensating control into account and the risk rated accordingly.
5. As per the PCI ASV rules, DoS vulnerabilities are rated per the rule below.
In the case of denial-of-service vulnerabilities, where the vulnerability has both a CVSS Confidentiality Impact = none and a CVSS Integrity Impact = none, the vulnerability must be marked as pass and must be rated as low risk.
GWT Penetration Testing
Penetration Testing a GWT Application:
On one of my recent engagements I got the opportunity to work on black box testing of an application that uses Google's Web Toolkit. Initially it was difficult to test as the technology was new and all the parameters were obfuscated, but as we went deeper a lot of authorization and other security flaws unfolded.
Google Web Toolkit:
A) Bootstrap Loading -> cache/nocache Files
GWT requires no plug-in and has fewer cross-browser headaches. Whenever a GWT application loads, a bootstrap process is kicked off that initiates the application: browser detection takes place and the compiled JavaScript files supported by that browser are selected and loaded. This is done by gwt.js and the .nocache.js file, where deferred binding occurs; it acts as the bootstrap and loads the appropriate configuration, modules and browser-specific classes.
The {HEX}.cache.html files are browser-specific and contain the application logic, which is generated post authentication. They are named according to the MD5 sum of their contents and consist of RPC methods, other restricted methods and sensitive information.
Sample cache files look like:
https://www.xyz.com/testapp/9E871855826913D91F95F8F65F4ED9E3.cache.html
https://www.xyz.com/testapp/C2C2D9E9AB0BBFD8B66FD43702FAF3B5.cache.html
Security Issue:
{HEX}.cache.html files are generated post authentication, so access to them should be restricted and they should not be accessible pre-authentication; if accessible, these files can disclose sensitive information.
B) Obfuscated Client-Side Code:
Google obfuscates the code to save space. In GWT all the client-side code is downloaded to the browser and consists of RPC methods, other restricted methods and sensitive information. These are often obfuscated by GWT and hidden.
degwt is a utility that de-obfuscates GWT-generated JavaScript code; one such example is present at
http://code.google.com/p/degwt/
Sometimes RPC methods can be enumerated, and there are tools for enumerating these methods; refer to the link below. This may or may not be successful every time.
http://blog.gdssecurity.com/labs/2010/7/20/gwtenum-enumerating-gwt-rpc-method-calls.html
Security Issue:
1. If the code can be de-obfuscated using tools like degwt, it can disclose sensitive information to the user.
2. If RPC methods are enumerated using gwtenum, they can disclose sensitive RPC information.
C) Authorization:
Authorization testing is much easier when all application functionality is available. This is the most common flaw in GWT applications: most of the time authorization controls are not implemented in the GWT application or in the application behind it, and the most common authorization checks are applicable here.
Security Issues:
1. A low-level user can perform unauthorized actions by just replaying a request recorded from a high-level user.
2. A low-level user can read files available to a higher-level user by just manipulating the parameters.
D) Cross-Site Scripting/CSRF:
Most classic script attacks can work here as GWT is not immune to XSS/CSRF; if the JavaScript is not properly coded it is always vulnerable to XSS/CSRF.
Security Issues:
Perform thorough manual and automated XSS testing to identify any XSS issues.
E) Other Web Vulnerabilities:
Note that GWT RPC services are vulnerable to the same typical vulnerabilities as typical web apps,
e.g. SQL injection, XFS, parameter tampering etc.
References:
http://blog.gdssecurity.com
http://code.google.com/webtoolkit
Tuesday, August 16, 2011
Fighting Malware:
I was inspired to write this article after becoming the victim of a malware which infected my system while I was working at my office.
During my research work in the office I had clicked a link on the web which installed some kind of malicious software without my knowledge. Although I am a security guy and had taken the utmost precautions to secure my system, with updated top antivirus software running with on-access malware check capability enabled and the firewall enabled, I was still victimized.
The reason behind this was that the malware was the latest, with no information available about it, so I was probably a front-runner victim of the malware and my antivirus software did not have a signature although it was fully updated, so it was unable to detect it.
After infection my system became a malware storage lab: the installed malware created several files and created backdoors. To my relief, the antivirus software was able to detect these newly created files and stopped further infection, but it was not able to clean the parent process which was creating these files as it did not have the signatures updated to clean it. So I had to re-ghost my system to solve the problem; I took a backup and did the same. Finally the problem was solved, but I thought my backup must also be infected.
When I scanned the backup with my own antivirus, it did not detect any malware infection although it was fully updated, but a few days later, when I scanned again after applying the latest update to the same antivirus, it detected and cleaned a number of files and removed the malware.
I felt that any antivirus software, or any other security software, cannot provide you instantaneous security; everything in the world has limitations.
This incident made me think further:
- How to identify if your system is affected by malware?
- Can we remove malware from an infected system without formatting it?
- What should one do if affected by the latest malware and the antivirus vendor does not have an updated signature?
Identifying if your system is infected by malware
1. The first step you can take to identify if your system is affected by malware is to find out which ports are listening on your system. This can be accomplished by going to the command prompt and using netstat.
The netstat command provides you with the details of the listening ports on your system.
Command        | Functionality
netstat -an    | Lists listening TCP and UDP ports
netstat -ano   | Lists listening TCP and UDP ports with the process ID
netstat -anob  | Lists listening TCP and UDP ports with the process ID and the EXE name, including the DLLs involved
netstat -ano 1 | Lists listening TCP and UDP ports with the process ID and refreshes every 1 second
The list of open ports obtained this way can be compared with a white list of the common ports and services run by Windows or any standard application. During the comparison, ignore the local loopback entries (127.0.0.1) and focus on the "all network interfaces" entries (0.0.0.0) as well as those bound to an assigned IP address.
List of standard ports:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true
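The comparison described in step 1, as an added example that is not part of the original post: a Python parser for "netstat -ano" output that skips loopback sockets and reports listeners whose port is not on an allow-list. Both the netstat sample and the allow-list are constructed for illustration; a real allow-list should be built from the Microsoft port list linked above.

```python
"""Flag listening sockets that are not on a known-good port list, parsed from
the output of netstat -ano (step 1 above)."""

# Constructed sample of "netstat -ano" output on Windows (not a real capture);
# the 8765/tcp and 5555/udp listeners owned by PID 3120 are the planted oddity.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8765           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1512
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49720     93.184.216.34:443      ESTABLISHED     2284
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:5555           *:*                                    3120
  UDP    127.0.0.1:1900         *:*                                    1512
"""

# Illustrative allow-list (an assumption, not authoritative): ports Windows
# itself normally exposes. Build yours from the Microsoft port list linked above.
KNOWN_GOOD_PORTS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389),
                    ("UDP", 123), ("UDP", 137), ("UDP", 138), ("UDP", 500)}


def parse_listeners(netstat_text):
    """Yield (proto, ip, port, pid) for LISTENING TCP sockets and all UDP sockets."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                        # header, blank line or banner
        ip, port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 like [::]:135 whole
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue                    # ESTABLISHED, TIME_WAIT etc. are not listeners
            pid = parts[4]
        else:
            pid = parts[3]                  # UDP rows have no State column
        yield parts[0], ip, int(port), int(pid)


def find_unexpected_listeners(netstat_text, known_good=KNOWN_GOOD_PORTS):
    """Return listeners on 0.0.0.0/[::] or a real interface whose port is not
    on the allow-list; loopback-only sockets are skipped, as step 1 advises."""
    return [(proto, ip, port, pid)
            for proto, ip, port, pid in parse_listeners(netstat_text)
            if not (ip.startswith("127.") or ip == "[::1]")
            and (proto, port) not in known_good]
```

The PID of each flagged socket is what you then look up in step 2 (PsList or Process Explorer) to see which binary owns it.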
2. Unusual Processes:
Look for any unusual process names running on the system. Unusual processes can sometimes be identified by name, e.g. YQSIW.exe or WSOCK32.DLL: these names look similar to typical Windows processes but are actually not. The running processes should be compared with a white list of standard processes.
Tools such as PsList and Process Explorer from Sysinternals can be used to view these processes.
Sysinternals tools:
http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx
Standard white list of windows processes:
http://www.lsa.umich.edu/lsait/admin/Common_Windows_Processes.htm
3. Prefetch directory:
The Prefetch directory in Windows keeps a shortcut to recently used programs in order to speed up the launch time of the most frequently used applications.
Click Start -> Run -> "Prefetch"
The only downside is that Windows never clears that directory automatically, and this can be used by malware. It is often a treasure trove of information on newly executed malware and can give clues as to the software that ran, which DLLs were required to support it, and the date and time of initial execution.
4. Windows Registry
Malware can establish itself on a system by adding and modifying registry entries. The Registry is a repository of system configuration settings and includes links to applications that need to be executed.
To access the registry: Click Start -> Run -> "regedit"
Malware typically modifies the keys which control things like the firewall, anti-virus, Windows Update, etc.
Typical registry entries where security controls are located:
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
FirstRunDisabled REG_DWORD 0x1
AntiVirusDisableNotify REG_DWORD 0x0
FirewallDisableNotify REG_DWORD 0x0
UpdatesDisableNotify REG_DWORD 0x0
AntiVirusOverride REG_DWORD 0x0
FirewallOverride REG_DWORD 0x0
If these values are changed unexpectedly, the corresponding security notifications or controls are disabled.
Locations in the registry such as
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"Run"
"RunOnce"
"RunOnce\Setup"
"RunOnceEx"
"RunServices"
"RunServicesOnce"
The applications listed under these keys are what Windows executes immediately after the system starts up; malware typically adds or modifies entries at these locations so that it executes when the system reboots.
There are other areas in the registry as well where malware installs itself.
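A baseline check for the Security Center values listed above, as an added example that is not part of the original post: it parses the text that "reg query" prints for that key and reports every value that differs from the expected settings. The expected values are the ones the post lists; the reg query sample is constructed, with two values deliberately altered.

```python
"""Check a 'reg query' export of the Security Center key against the values
listed above (expected: FirstRunDisabled 0x1, everything else 0x0)."""
import re

# Expected values taken from the post (REG_DWORD data is shown there in hex).
SECURITY_CENTER_BASELINE = {
    "FirstRunDisabled": 1, "AntiVirusDisableNotify": 0, "FirewallDisableNotify": 0,
    "UpdatesDisableNotify": 0, "AntiVirusOverride": 0, "FirewallOverride": 0,
}
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

# Constructed sample of 'reg query "HKLM\Software\Microsoft\Security Center"'
# output (not a real export): two values have been altered to look suspicious.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirstRunDisabled    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x0
    AntiVirusOverride    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x0
"""
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")  # "    name    type    data"


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from 'reg query' output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # key header line
            current = line.strip()
            keys[current] = {}
        elif current is not None and VALUE_RE.match(line):
            name, vtype, data = VALUE_RE.match(line).groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def check_security_center(text):
    """Return [(value_name, expected, actual)] for values off the baseline;
    a missing value is reported with actual=None."""
    values = parse_reg_query(text).get(SECURITY_CENTER_KEY, {})
    findings = []
    for name, expected in SECURITY_CENTER_BASELINE.items():
        actual = int(values[name][1], 16) if name in values else None
        if actual != expected:
            findings.append((name, expected, actual))
    return findings
```

The same parser can be pointed at the Run/RunOnce keys listed below; there the check is a review of each command line rather than a comparison against fixed values.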
5. Other Autostart Locations
In the C:\Windows directory, malware can modify System.ini and Win.ini, changing the "run=" or "load=" entries to point to malicious files. Another place where autostart entries can be found is the Start > (All) Programs > Startup folder.
Going to Start -> Run -> "sysedit", one can read the contents of all the autostart files.
6. Hidden Files:
Malware can install itself as a hidden file, so while searching for malware at the prime suspect locations make sure that hidden files are shown:
Start -> Run -> Explorer -> Tools -> Folder Options -> View -> "Show hidden files and folders" is checked.
7. Local accounts:
Most of the time malware adds an account to the local machine. Go to Start -> Run -> cmd and type "net users" to check for any suspicious accounts that have been added.
8. Odd things such as Notepad.exe, Winlogon.exe etc. communicating on the network, via thread injection.
Re-formatting is always the first and easiest advice given to people who know nothing about computers; unless the system files are totally destroyed, there are always ways to remove viruses or malware without formatting the system. This is typically how antivirus software finds and cleans an infection based on signatures: cleaning the registry and deleting or killing the malicious files and processes.
The following steps should be taken to minimize the effect of any malware and to avoid the possibility of having to format the system.
- If you find your system is infected by malware, the very first thing to do is disconnect your system from the internet.
- Take a backup; it is always important to take a backup of the files and data available before doing anything. If your system is not loading properly, try starting it in safe mode, where only the minimum processes are loaded, which should allow you to take a backup.
- Turn off System Restore, as an infection caused by the malware can otherwise be restored again.
- My Computer -> Properties -> click the System Restore tab -> select the "Turn off System Restore" check box
- Change all your passwords, as you cannot be sure what information was logged by the malware and sent to the attacker's server.
- Install the latest updated antivirus and anti-spyware software and scan your system to clean the malware or spyware. Be sure to enable the prompt-before-delete option before deleting any corrupted file, as the antivirus can delete a file it cannot clean even if it is a system file, which may lead to problems during the next reboot and might bring your system down.
- Reboot your system, update all the antivirus signatures and rescan your system with the antivirus and anti-spyware software.
- If your system is still affected by the malware, then a running operating system process must be infected by the malware or spyware. To solve this you need a live boot CD such as BartPE (http://www.nu2.nu/pebuilder/) and boot from the CD; in this scenario your infected operating system processes will not be running, and advanced tools like HijackThis can be used to have more control over the operating system processes and remove the infection.
Monday, June 30, 2008
Web application penetration testing is the way to identify vulnerabilities that exist in a web application.
A penetration test usually involves the use of attack methods, conducted by trusted individuals, similar to those used by hostile intruders or hackers. It involves scanning a given URL of the web application for services with known vulnerabilities, or even exploiting known vulnerabilities that exist in an unpatched part of the web application. The results of these tests or attacks are then documented and presented as a report to the client, and the vulnerabilities identified can then be resolved.
Steps
Stage 1 - Information Gathering. This stage provides the auditor with information about the target(s) at hand. It includes the gathering of both technical details on the target application or network, as well as the gathering of publicly available information on the owner of the network or application in question.
Stage 2 - Information Analysis and Planning. This stage represents the collation of the information gathered in Stage 1 by the auditor. Once this information is organized, a series of actions are taken. These include high-level attack planning regarding the overall approach for the audit in question, as well as formalizing which targets require further research in Stage 3.
Stage 3 - Vulnerability Detection. When all the targets and approaches have been identified, the auditing team searches for vulnerabilities in the targets, which will allow them to gain access.
Stage 4 - Target Penetration. This is the stage of the process where an actual break-in is attempted. This stage is dependent on the successful completion of Stage 3.
Stage 5 - Analysis & Reporting.
The top list of vulnerabilities possible in web applications is:
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting Flaws (XSS)
- Buffer Overflows
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management