TYPO3Camp Nantes 2017 - Web applications penetration testing methodology

Fedir RYKHTIK

June 24, 2017

Transcript

  1. Web applications penetration testing methodology, at #TYPO3CampNantes by @FedirFr

  2. About this presentation
    • Duration 1 hour
    • 100% open source
    • Intermediate technical level recommended
    • @ Developers || QA Engineers || DevOps || CTO || ...
    • Interactive, study-oriented ...
  3. Contents
    • Introduction to Web security
      ◦ Major security risks
      ◦ Pentesting types
    • Insecure code
    • Vulnerable site create / study
    • Manual security testing with scanners
    • Manual security testing using Zed Attack Proxy GUI
    • Automated security testing
  4. Introduction to Web Security

  5. Pentesting
    A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. Security issues that the penetration test uncovers should be reported to the system owner. Penetration tests are a component of a full security audit.
    https://en.wikipedia.org/wiki/Penetration_test
  6. Major Pentesting Vectors

  7. Flaw hypothesis methodology (FHM)
    • Black box
    • Grey box
    • Open box
  8. Pentesting methods - Black-box
    • We don't know what is inside and how it works
    • Testing as an external user
  9. Pentesting methods - Grey-box
    • Global knowledge of used algorithms
    • Global architecture of code
    • Credentials
    • Demonstrations of the application
    • Communication with the target
    • ...
  10. Pentesting methods - White-box
    • We know all about the project
    • We have access to the project code
    • Detailed technical documentation
    • Project specifications
    • Credentials
    • ...
  11. Manual Penetration Testing (diagram: Scanner, Target)

  12. Manual Penetration Testing with Proxy (diagram: Web browser, Attack Proxy, Target)

  13. Automating Penetration Testing (diagram: Web browser, Attack Proxy, Target, Security Framework, CI, Bugtracker)
  14. Classical continuous delivery model - https://en.wikipedia.org/wiki/Continuous_delivery

  15. Sources of risk for TYPO3

  16. Current situation for TYPO3 8.7 https://www.cvedetails.com/vendor/3887/Typo3.html

  17. Where (majority of) vulnerabilities are hidden
    Columns: Role | Risks of vulnerabilities | Types
    • Frontend Integrator | JavaScript | XSS, JS Hijacking, ...
    • Integrator TYPO3 | TypoScript, Fluid | XSS, SQL, ...
    • Backend Developer | PHP | SQL, Remote execution, ...
    • DevOps | Files permission | Remote execution, CSRF, ...
    • System administrator | Obsolete packages, Firewall, Packages configuration | CSRF, system access, ...
  18. Analyze recent security fixes
    • http://typo3versions.felixnagel.com/
      ◦ Check security fixes
      ◦ Check TYPO3 versions 7 and 8
    • Examples
      ◦ https://github.com/TYPO3/TYPO3.CMS/commits/TYPO3_8-6-1
        ▪ https://github.com/TYPO3/TYPO3.CMS/commit/278af8209db33d8f2ee85c46d6321918e680f58a
      ◦ https://github.com/TYPO3/TYPO3.CMS/commits/TYPO3_8-5-1
        ▪ https://github.com/TYPO3/TYPO3.CMS/commit/c7e1ce9ce3254ee73bdcd325244078e3647bb907
  19. TYPO3 Security > Information disclosure > Google Hacking examples
    • https://www.google.fr/search?q=inurl:typo3conf/LocalConfiguration.php
    • https://www.google.fr/search?q=filetype:ts+inurl:typo3conf
    • https://www.google.fr/search?q=inurl:typo3conf/ENABLE_INSTALL_TOOL
  20. LocalConfiguration recommendations Good : Bad :

  21. There are many more risks ...
    • SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
    • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
    • AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL)
    • Authentication, authorization and session issues, file upload flaws and backdoor files
    • Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
    • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures, ...
    • HTTP parameter pollution, HTTP response splitting and HTTP verb tampering
    • Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations
    • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
    • XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF)
    • Heartbleed and Shellshock vulnerability (OpenSSL), Denial-of-Service (DoS) attacks
    • Parameter tampering, cookie and password reset poisoning
    • ...
  22. Some nice tools for everyday life

  23. Example of used infrastructure
    • Virtualbox VM
      ◦ Ubuntu 16.04 LTS server 64 bit
      ◦ Jenkins CI
      ◦ OWASP ZAP, sqlmap, CMSMap ...
      ◦ Vulnerable site for manual and automatic testing
  24. sqlmap
    python sqlmap.py -v 2 --url=http://127.0.0.1/user/ --user-agent=SQLMAP --delay=1 --retries=2 --keep-alive --threads=5 --batch --dbms=MySQL --os=Linux --level=5 --risk=2 --banner --is-dba --dbs --tables --technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries
  25. gauntlt
    • https://github.com/gauntlt/gauntlt
    • https://github.com/gauntlt/gauntlt-demo/tree/master/examples
    Uses natural language in a Given, When, Then Gherkin syntax to describe security requirements as features.
  26. bdd-security
    https://github.com/continuumsecurity/bdd-security
    https://www.continuumsecurity.net/bdd-security/
    Selenium + OWASP ZAP + Nessus + SSLyze + Internal security tools
  27. OWASP ZAP

  28. OWASP ZAP - Simple scan
    zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://127.0.0.1/
    zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/
    * The API key can be found in ~/.ZAP/config.xml of the current user.
  29. OWASP ZAP - Simple scan with ZAPR
    zapr --debug --summary http://127.0.0.1
  30. OWASP ZAP - Running as a daemon
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480
    Docker usage is also possible: https://github.com/zaproxy/zaproxy/wiki/Docker
  31. OWASP ZAP - Plugins management
    Install all plugins (takes some time):
    su jenkins
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall
    Install a selected plugin:
    su jenkins
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport
    * Plugins are installed in the ~/.ZAP folder of the user who launches ZAP.
    ** Plugin keys can be found here: https://github.com/zaproxy/zap-extensions/releases
  32. OWASP ZAP
    https://github.com/zaproxy/zaproxy/wiki/Docker
    zap.sh -daemon -host 0.0.0.0 -port 8480
    zap-x.sh -daemon -host 0.0.0.0 -port 8080
    zap-cli quick-scan --self-contained \
      --start-options '-config api.disablekey=true' http://target
  33. Configure Jenkins CI security project

  34. Automated security testing model (diagram: Ubuntu server VM, Jenkins CI Server, TYPO3 site target, OWASP Zed Attack Proxy; arrows: Run security scan, Report results)
  35. Jenkins CI - Plugins used
    • Official OWASP ZAP Jenkins Plugin
    • Environment Injector Plugin
  36. Jenkins - OWASP ZAP Plugin - Configuration https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin

  37. Resources
    • https://martijnvanlambalgen.wordpress.com/2015/10/18/automating-your-vulnerability-scan-with-owasp-zap/
    • https://www.securify.nl/blog/SFY20150303/automating_security_tests_using_owasp_zap_and_jenkins.html
    • https://tools.pentestbox.org/
    • https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
    • http://connect.ed-diamond.com/MISC/MISC-087/Pourquoi-inclure-la-securite-dans-votre-pipeline-DevOps
    • https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
    • https://myexploit.wordpress.com/information-gathering-sqlmap/
    • https://docs.typo3.org/typo3cms/SecurityGuide/
    • https://typo3.org/teams/security/extension-security-policy/
    • https://insights.sei.cmu.edu/devops/2016/01/adding-security-to-your-devops-pipeline.html
    • https://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
    • https://es.slideshare.net/StephendeVries2/automating-security-tests-for-continuous-integration
    • https://prezi.com/gn3zack_uxr-/typo3-website-hacking-and-penetration-testing/
    • https://www.cvedetails.com/vendor/3887/Typo3.html
    • http://www.exploitalert.com/search-results.html?search=typo3
    • https://www.owasp.org/index.php/How_to_write_insecure_code
    • https://es.slideshare.net/StephendeVries2/continuous-and-visible-security-testing-with-bddsecurity
    • https://theagileadmin.com/2015/12/03/security-tooling-delivered-by-docker/
    • https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
  38. Special thanks
    • To @AgenceStratis, which understands the importance of open source culture and supports it
    • To Mikke Schirén (@mikkdroid) for the help with Jenkins
    • To TYPO3 Camp Nantes team for great organization of the event
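
For the automated security testing model in slides 33 to 36 (Jenkins runs the scan, ZAP reports results), a build gate that turns ZAP alerts into a pass/fail exit code. This is an added example, not code from the presentation or from the ZAP or Jenkins projects. It assumes the alerts were saved as JSON in the shape of ZAP's core alerts API view (an `alerts` list whose entries carry `alert`, `risk`, `url` and `param`); the names `gate`, `rank` and `zap_gate.py` are hypothetical and the sample data is constructed.

```python
import json
import sys

# Risk labels as they appear in an alert's "risk" field, lowest to highest.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample (not real scan output) in the assumed shape
# {"alerts": [{"alert", "risk", "url", "param"}, ...]}.
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High",
     "url": "http://127.0.0.1/user/?id=1", "param": "id"},
    {"alert": "SQL Injection", "risk": "High",      # same finding reported twice
     "url": "http://127.0.0.1/user/?id=1", "param": "id"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://127.0.0.1/", "param": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://127.0.0.1/", "param": "PHPSESSID"},
]})


def rank(risk):
    """Position of a risk label; unknown labels rank highest (fail closed)."""
    return RISK_ORDER.index(risk) if risk in RISK_ORDER else len(RISK_ORDER)


def gate(alerts_json, fail_at="Medium", accepted=()):
    """Return (exit_code, blocking). Blocking alerts are at or above fail_at,
    de-duplicated, minus alert names a reviewer has explicitly accepted."""
    if fail_at not in RISK_ORDER:
        raise ValueError(f"unknown threshold: {fail_at}")
    seen, blocking = set(), []
    for a in json.loads(alerts_json).get("alerts", []):
        key = (a.get("alert", ""), a.get("url", ""), a.get("param", ""))
        if key in seen or key[0] in accepted:
            continue
        seen.add(key)
        if rank(a.get("risk", "")) >= rank(fail_at):
            blocking.append((a.get("risk", "?"), *key))
    blocking.sort(key=lambda f: -rank(f[0]))        # most severe first
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # CI step: python zap_gate.py alerts.json (non-zero exit fails the build)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    code, findings = gate(data)
    for risk, name, url, param in findings:
        print(f"[{risk}] {name} {url} param={param!r}")
    sys.exit(code)
```

Keeping the accepted list in version control next to the job definition makes every suppressed alert a reviewed change rather than a silent one.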