Friday, October 2, 2015

Steps in conducting Web Pen Testing

1. Check the versions of the OS and middleware (web server, web application engine, database, framework, etc.) in use
  • If the version in use is an end-of-life (EOL) software/product, report it to the client as soon as possible. It is imperative to let them know before they plan to release the website. Let them know that there is a risk that further vulnerabilities in that version will not be patched, and suggest that they use a newer version.
  • Check whether there are any known vulnerabilities with a high severity level, and whether the web application is affected by them. The client needs to patch if they insist on using the EOL software/product.
2. Check for generally known vulnerabilities, e.g.
  • SQL injection
  • Command injection
  • XSS
  • Open redirect
  • Session ID passed through URL rewriting instead of a cookie
  • Whether user IDs are subject to dictionary / rainbow-table attacks
  • Whether the login is subject to brute-force attack (no account lockout, etc.)
  • Whether users can set a password that is easy to guess
  • Session ID cookie is not secured
  • No logout function
  • Credit card information not handled properly
  • Code or information not deleted properly, or disclosed when an error occurs, etc.
Things to consider:
  • Even though the page shows an error when we try an attack by manipulating parameters, sometimes the error handling is not done correctly, e.g. the manipulated data remains in the session and is not cleared, or is even written back to the database.

Dos and Don'ts in Developing E-commerce Sites

Things to do:
1. Handling E-Commerce Payment
Ref: https://www.owasp.org/index.php/Handling_E-Commerce_Payments
Best practices compliant with the Payment Card Industry (PCI) guidelines are explained in the link above.

PCI compliance goals:
  • Build and maintain a secure network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy


Things to avoid:
1. Unvalidated Redirects and Forwards
Ref: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Safe use of redirects and forwards can be done in a number of ways:
  • Simply avoid using redirects and forwards.
  • If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate URLs.
  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
  • Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  • Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
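As an added example in Python (not code from the original post or from the OWASP cheat sheet), the following implements the two recommendations above: map a client-supplied key to a server-side target, and, where a raw URL cannot be avoided, accept it only if it is a same-site path or points at an allow-listed host. The keys, hosts and function names are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# Server-side mapping table: the client sends a short key, never a URL.
# Keys and targets are constructed for this example.
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account/overview",
    "help": "https://help.example.com/start",
}
DEFAULT_TARGET = "/"

# Hosts we are willing to send users to when a raw URL cannot be avoided (constructed).
TRUSTED_HOSTS = {"www.example.com", "help.example.com"}


def resolve_redirect_key(key):
    """Translate a client-supplied key into a target URL; unknown keys fall back to the default."""
    return REDIRECT_TARGETS.get(key, DEFAULT_TARGET)


def is_trusted_url(url, own_host):
    """True only for a same-site relative path or an absolute http(s) URL on a trusted host."""
    if not url or "\r" in url or "\n" in url:
        return False  # CRLF would let the value break out of the Location header
    # Browsers treat backslashes as slashes, so normalise before parsing; this turns
    # "/\evil.example" into "//evil.example" and exposes it as a protocol-relative URL.
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path: exactly one leading slash ("//host" is protocol-relative)
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and other non-web schemes
    host = parts.hostname or ""  # .hostname drops userinfo ("trusted@evil") and the port
    return host == own_host or host in TRUSTED_HOSTS


def safe_redirect_target(user_url, own_host):
    """Hand back the user's URL only if it passes validation, otherwise the site default."""
    return user_url if is_trusted_url(user_url, own_host) else DEFAULT_TARGET
```

The mapping approach (`resolve_redirect_key`) is the preferred one; `is_trusted_url` is the fallback for the cases where the destination really must come from the request.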

Tuesday, December 2, 2014

Targeted ICS software

Targeted ICS software:
- GE CIMPLICITY
- Advantech
- Siemens


Vulnerability in GE CIMPLICITY

- Path traversal vulnerability if the system's web application is connected to the internet.
  More and more vulnerabilities are being exploited through phishing email attacks.
- This web application is turned off by default.

How attackers found the systems:
- Through Shodan
- By searching for port 10212


Examples of malware:
- Stuxnet
- Havex ICS
- BlackEnergy ICS


How to prevent:
- Tactical
  1. Appropriate network segmentation
  2. Policies governing internet access to any machine that can talk into ICS network
  3. Work with vendors and integrators to achieve secure systems
  4. Use IOCs (Indicators of Compromise) at network perimeters and key communication aggregation points.
- Strategic (organization specific)
  1. Inventory
  2. System hardening
  3. File validation
  4. Monitoring
  5. Response capabilities
  6. Training

Reference: SANS webcast (by Critical Intelligence)

Tuesday, August 12, 2014

Lancope's StealthWatch

[Requirement]
- Needs the following flow data as input:
   NetFlow (from Cisco, Juniper), IPFIX, or sFlow (from HP ProCurve, Brocade)

[Input & How]
- By collecting and analyzing NetFlow, IPFIX and other types of flow data
- Through pervasive insight across distributed networks, including mobile, identity and application awareness

[Output]
- (Quickly) detects a wide range of attacks, from APTs and DDoS to zero-day malware and insider threats

[Advantages of using the solution]
- Accelerates incident response, improves forensic investigations and reduces enterprise risk

[Links]
- http://www.lancope.com/products/