[OWASP Sofia] Atanas Pashov - Pros n Cons of Penetration Testing (June 27th, 2019)

Details
In this session you will learn what penetration testing is, what its objectives and benefits are, and at what cost. You will also learn why some vulnerabilities may never be discovered by automated tools. You will see only real-life examples from real penetration tests: no theory, no set-ups, no fictitious vulnerabilities, nothing discovered by somebody else that you could find somewhere else.

Atanas is a cloud security penetration tester at SAP Labs Bulgaria. He has more than 10 years of experience in information security, working in various positions as an infosec manager, security officer, and network and firewall administrator for large enterprises in industries such as banking, service providers, pharmaceuticals and software development. He is keen on pentesting, especially from the infrastructure and web application perspective.

OWASP Sofia

June 27, 2019

Transcript

  1. INTERNAL Atanas Pashov SAP Labs Bulgaria Pros & Cons of Penetration Testing
  2. • Cloud Security Penetration Tester • SAP Labs • Team of 3 security experts • Just 2 ½ years at SAP • …but has more than 10 years of IT security background
  3. What Really Is Penetration Testing…? • Manual Security Validation of IT Products and Solutions • Is There an Automated Approach? No, NOT Really! • Mindset of What Can Go Wrong • Draws the Thick Line Between Vulnerability and Exploit • Guts to Break Things on a Daily Basis
  4. Real Life Examples: • Burp & ZAP VS a pair of eyes and some insight… • Reflected XSS in Dynatrace Default 404 Error Page • Dynatrace Is a Leader in Application Performance Management • Upper-Right Corner of Gartner Magic Quadrant • … And YET! They have XSS in their code…
  5. Where is it? Here it is: https://vsa2602507.wdf.sap.corp/accessforbidden-onprem.jsp?accProblemsParam=NO_TENANT&tenantUUID=%3Cscript%3Ealert(%22XSS%22)%3C%2fscript%3E
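The reflection on that slide, as an added Python example that is not from the talk or from Dynatrace: it parses the slide's URL, renders a hypothetical error page that echoes the tenantUUID parameter unescaped (the vulnerable shape the slide describes), and beside it the hardened rendering that validates the parameter as a UUID and HTML-encodes everything it reflects. The page template, the allow-list for accProblemsParam and the "(invalid)" placeholder are assumptions; only the URL and the parameter names come from the slide.

```python
import html
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Request URL copied from the slide; the payload is URL-encoded there and parse_qs decodes it.
SLIDE_URL = ("https://vsa2602507.wdf.sap.corp/accessforbidden-onprem.jsp"
             "?accProblemsParam=NO_TENANT&tenantUUID=%3Cscript%3Ealert(%22XSS%22)%3C%2fscript%3E")

# Assumption: the problem code is an upper-case token like NO_TENANT.
PROBLEM_RE = re.compile(r"[A-Z_]{1,64}")


def query_params(url: str) -> dict:
    """First (decoded) value of every query parameter in the URL."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def render_error_vulnerable(params: dict) -> str:
    """Hypothetical 'before' page: reflects both parameters verbatim into the HTML.
    Kept deliberately unescaped to reproduce the behaviour the slide shows."""
    reason = params.get("accProblemsParam", "")
    tenant = params.get("tenantUUID", "")
    return (f"<html><body><h1>Access forbidden</h1>"
            f"<p>Problem: {reason}</p><p>Tenant: {tenant}</p></body></html>")


def render_error_fixed(params: dict) -> str:
    """Hardened page: allow-list both inputs, then HTML-encode whatever is reflected.
    A tenant UUID either parses as a UUID (and is re-emitted in canonical form) or is
    replaced by a fixed placeholder, so attacker-controlled text never reaches the sink."""
    raw_tenant = params.get("tenantUUID", "")
    try:
        tenant = str(uuid.UUID(raw_tenant))
    except ValueError:
        tenant = "(invalid)"
    reason = params.get("accProblemsParam", "")
    if not PROBLEM_RE.fullmatch(reason):
        reason = "(invalid)"
    return (f"<html><body><h1>Access forbidden</h1>"
            f"<p>Problem: {html.escape(reason)}</p>"
            f"<p>Tenant: {html.escape(tenant)}</p></body></html>")


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """The check a tester scripts by hand: does the raw payload come back byte-for-byte?"""
    return payload in page


if __name__ == "__main__":
    params = query_params(SLIDE_URL)
    payload = params["tenantUUID"]
    print("vulnerable page reflects payload:", is_reflected_unescaped(render_error_vulnerable(params), payload))
    print("fixed page reflects payload:     ", is_reflected_unescaped(render_error_fixed(params), payload))
```

The check function is the same thing a scanner does, which is the point of the slide: a crawler only tests this sink if it reaches the access-forbidden page with the tenantUUID parameter, so an error path that is never crawled with a tainted parameter is never tested, while a tester who reads the URL sees the reflection immediately.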

  6. Real Life Examples: • Dynatrace Totally Messing Up the Authentication Mechanism • Sometimes you have to combine a few vulnerabilities into one to make an exploit – in our case: four • World-readable file where the authentication token is kept • Authentication token is the same for all managed nodes • Nodes do not check the central server's certificate • Central server does not check the nodes' certificates • No application-layer encryption and integrity
  7. Where is it? Here it is: When communicating to FQDN: https://vsa2602507.wdf.sap.corp
  8. Where is it Part 2? Here it is:

  9. Real Life Examples: • User Impersonation in SAP Cloud Platform? • Something like response splitting…? • The accounts.sap.com IDP has restrictions, but what about the Proxy IDP?
  10. Where is it? Here it is: • Naming convention: i+XXXXXX+platformIdPTenantID • Example: i000012_milen.sso.ondemand.com (Dev IDP) • User with "\n" bad character that can be treated as a new line • Example: i000012\nHEADER:_milen.sso.ondemand.com • Which will be: USER_CLIENT:i000012 / HEADER:_milen.sso.ondemand.com (on two separate lines)
  11. Custom IDP via Proxy IDP scenario Pt.2

  12. Custom IDP via Proxy IDP scenario Pt.3

  13. Custom IDP via Proxy IDP scenario Pt.4
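The naming-convention injection from slide 10, as an added Python example that is not the speaker's or SAP's code: a hypothetical line-oriented record builder that concatenates the user ID and tenant exactly as the slide sketches, a parser that splits the record on newlines and on the first colon, and a hardened builder that rejects any user ID or tenant outside a strict allow-list. The record format, the parser and the "i plus six digits" pattern are assumptions; the user ID, tenant and the "\n" payload are the slide's.

```python
import re

# Values taken from the slide's example.
TENANT = "milen.sso.ondemand.com"
USER_OK = "i000012"
USER_EVIL = "i000012\nHEADER:"   # the "\n" bad character that becomes a new line downstream


def build_record_vulnerable(user_id: str, tenant: str) -> str:
    """Hypothetical record builder in the shape the slide sketches: straight concatenation
    with no validation of the user-supplied id. This is the 'before' behaviour, kept on purpose."""
    return f"USER_CLIENT:{user_id}_{tenant}"


def parse_record(text: str) -> dict:
    """Hypothetical downstream consumer: one 'KEY:value' per line, split on the first colon.
    Anything the attacker can turn into a line break becomes a brand-new key."""
    fields = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields


def injected_keys(user_id: str, tenant: str) -> set:
    """Keys that show up after parsing but were never meant to exist: the injection marker."""
    return set(parse_record(build_record_vulnerable(user_id, tenant))) - {"USER_CLIENT"}


USER_ID_RE = re.compile(r"i\d{6}")                                      # assumption: 'i' + six digits
TENANT_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")     # hostname-like label


def build_record_fixed(user_id: str, tenant: str) -> str:
    """Allow-list both inputs before they touch the record. fullmatch() accepts nothing outside
    the pattern, so CR, LF, colons and other control characters can never reach the line format."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError(f"rejected user id {user_id!r}")
    if not TENANT_RE.fullmatch(tenant):
        raise ValueError(f"rejected tenant {tenant!r}")
    return f"USER_CLIENT:{user_id}_{tenant}"


if __name__ == "__main__":
    print("benign:", parse_record(build_record_vulnerable(USER_OK, TENANT)))
    print("evil:  ", parse_record(build_record_vulnerable(USER_EVIL, TENANT)))
    print("injected keys:", injected_keys(USER_EVIL, TENANT))
    try:
        build_record_fixed(USER_EVIL, TENANT)
    except ValueError as err:
        print("hardened builder:", err)
```

The validation has to sit at the boundary that accepts the user attribute, which is the slide's point: the restriction that accounts.sap.com enforces does no good if the proxy IDP path feeds the same concatenation without it.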

  14. Cloud Foundry Virtual Machine as a Service. Three Critical Vulnerabilities: • Cloud Foundry ORG/Space RBAC was broken • SSH Tunnel Service – to access ports other than SSH • Remote Code Execution via Public Key population
  15. How does it work? • Query the VMaaS API for the binding of a VM name (in our case: jasenvm) • API returns the internal private IP address of the virtual machine • Opens a reverse SSH tunnel to localhost and opens a port (in our case: 56789)
  16. Tampering the Rest API Response…

  17. … And here we go:

  18. But what about access to other services?

  19. Finally here we are!

  20. Can it get worse than RCE… Same as this: Root cause, vulnerable code:
  21. • Go code scanned with Checkmarx – did not find it!
  22. Wrap Up: • Dynamic Analysis Tools Are Not 100% Accurate • Same Goes for Static Code Analysis / Scans • They Cannot Combine Multiple Vulnerabilities into One • There Is No Tool That Can Follow Logic/Business Flaws • They Cannot Perform Complex Operations, e.g. Patch Binaries
  23. And the Drawbacks of Course…: • A Dedicated Team Is Needed • Vast Area of Expertise, Team Must Combine Different Backgrounds • It Is Definitely Not a Bulletproof Approach • Must Lobby a Lot in Front of Higher Management
  24. But the Advantages Are: • Greatly Increases the Products' Security • Objective Risk Assessment • Have Security Experts Who Are Recognized by Everyone • Really Gets the Most Out of External Pentesters • Positive Cost/Benefit Analysis for Exploit Remediation and Follow-up • Helps with Threat Modeling and Security Architecture of Products • Know-how That Stays in the Company • Long-term Investment That Pays Off!
  25. CONTACT INFORMATION Atanas Pashov / atanas.pashov@sap.com SAP Labs Bulgaria THANK YOU