Developer-centric Application Security Scans (PowerPoint PPT presentation)


SLIDE 1

#MicroFocusCyberSummit

Developer-centric Application Security Scans

Ray Kelly, Practice Principal - Fortify Sherman Monroe, Senior Security Consultant Thomas Ryan, Fortify Solutions Architect

SLIDE 2

Session Agenda

  • Mobile Apps – The Bad, The Worse And The Ugly
  • Attacking Web Services using Web Inspect
  • Developer-centric Application Security Scans with Fortify

SLIDE 3

Mobile Apps – The Bad, The Worse And The Ugly

Ray Kelly Practice Principal - Fortify

SLIDE 4

Agenda

  • Overview of the mobile landscape
  • The mobile threat surface
  • Real world mobile app vulnerabilities
  • Q&A

SLIDE 5

About Me

Ray Kelly

  • Developer for 20 years
  • Internet Security for 15 years
  • Lead Developer of WebInspect with SPI Dynamics
  • Mobile Pen Test Manager

SLIDE 6

Considerations

  • All vulnerabilities discussed in this presentation are either already publicly disclosed or have been anonymized/scrubbed
  • These are developer mistakes that potentially leave users at risk
  • Apps are made by developers with the best of intentions

SLIDE 7

The Mobile Landscape

Source: https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/

SLIDE 8

The Mobile Landscape

  • Mobile development is the hottest type of development right now, but users may be at risk.
  • The pressure to release new features on mobile devices may mean that security is not prioritized.
  • Mobile devices are more exposed to threats than desktops, so building devices with adequate security, and giving mobile developers security training, are both valuable.

SLIDE 9

Mobile Threat Surface

Client
  • Credentials in memory
  • Credentials on file system
  • Data stored on file system
  • Poor certificate management

Network
  • Clear text credentials
  • Clear text data
  • Backdoor data
  • Data leakage

Server
  • Injection flaws
  • Authentication
  • Session management
  • Access control
  • Logic flaws
SLIDE 10

Mobile Threat Surface

Two key differences (compared to traditional apps):

Magnified network vulnerability
  • Your network traffic is more likely to be visible to others with a mobile device than local traffic at work or home

Magnified physical vulnerability
  • As with most other types of hardware, once the attacker has physical access, it's over

SLIDE 11

Mobile Threat Surface

Chart (89 / 11): Mobile applications which have at least one critical or high vulnerability

Source: Micro Focus 2018 Application Security Research Update Report

SLIDE 12

Vulnerabilities

Server Side

  • Vulnerable to all traditional web app vulnerabilities
  • SQLi, WebDav, XSS etc.
  • Developers assume APIs are invisible
SLIDE 13

Vulnerabilities

Server Side

Account enumeration
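The two server-side points above, that a mobile backend API is an ordinary web application (so string-built SQL is injectable whether or not a browser ever sees the endpoint) and that a login endpoint which answers differently for unknown accounts and wrong passwords is an account-enumeration oracle, in one added example. This is illustration code written for this page, not code from the presentation or from Fortify; the in-memory SQLite table, the account names and the lowered PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 20_000  # lowered for the demo; production should use far more


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db():
    """Constructed in-memory user table (placeholder accounts, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(pw, salt)))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The 'invisible' API as it is too often shipped: the username is concatenated
    into SQL, and 'unknown account' vs 'wrong password' tells an attacker which
    usernames exist."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    ).fetchone()
    if row is None:
        return 404, "unknown account"  # enumeration oracle
    if not hmac.compare_digest(_hash(password, row[0]), row[1]):
        return 401, "wrong password"
    return 200, "ok"


# Used so that a lookup for a non-existent user still costs one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_hardened(db, username, password):
    """Parameterized query, one generic failure message, and a hash computed even
    for unknown users so that response time does not leak account existence."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    salt, expected = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), expected) and row is not None
    return (200, "ok") if ok else (401, "invalid username or password")


def enumeration_oracle(login, db, known="alice", unknown="mallory"):
    """True when the endpoint's response alone distinguishes an existing account
    from a non-existing one (the check a pentester runs against a login API)."""
    return login(db, known, "wrong-password") != login(db, unknown, "wrong-password")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint enumerable:", enumeration_oracle(login_vulnerable, db))
    print("hardened endpoint enumerable:  ", enumeration_oracle(login_hardened, db))
    print("injection vs vulnerable:", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("injection vs hardened:  ", login_hardened(db, "' OR 1=1 --", "x"))
```

Against the vulnerable handler the payload `' OR 1=1 --` returns "wrong password" for an account that does not exist, which confirms the query was rewritten; the hardened handler treats the same string as a literal username and returns the single generic failure. Uniform error messages only close the oracle if response timing is also uniform, which is why the dummy hash is there.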

SLIDE 14

Vulnerabilities

Network/Privacy

  • Privacy/data leakage, clear text data
  • 3rd party data leakage
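The triage a tester does on proxied traffic for the two bullets above, as an added example that is not part of the presentation: flag requests that carry credentials or personal data over a cleartext scheme, requests that send such data to a host other than the app's own backend, and requests that put it in the URL, where it lands in proxy, server and CDN logs. The first-party host list, the sensitive-name heuristic and the sample requests are all constructed for this demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the hypothetical app legitimately talks to (assumption for the demo).
FIRST_PARTY = {"api.example-app.com"}

# Parameter names that usually carry credentials, identifiers or location data.
SENSITIVE_KEYS = re.compile(
    r"pass|pwd|token|secret|email|phone|ssn|card|lat|lng|location|imei|idfa", re.I
)

# Constructed requests, shaped like what an intercepting proxy on the test
# device would record. All values are placeholders.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example-app.com/v1/login",
     "body": "user=jdoe&password=S3cret!"},
    {"method": "POST", "url": "https://api.example-app.com/v1/login",
     "body": "user=jdoe&password=S3cret!"},
    {"method": "GET", "body": "",
     "url": "https://analytics.tracker-example.net/collect?email=jdoe%40example.com&idfa=ABCD-1234"},
    {"method": "GET", "body": "",
     "url": "https://api.example-app.com/v1/stores?lat=48.85&lng=2.35"},
]


def analyze(req):
    """Return (findings, sensitive_param_names) for one proxied request."""
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    params = {**query, **parse_qs(req["body"])}  # body assumed form-encoded
    sensitive = sorted(k for k in params if SENSITIVE_KEYS.search(k))
    findings = set()
    if parts.scheme != "https":
        findings.add("cleartext-credentials-or-data" if sensitive else "cleartext-transport")
    if parts.hostname not in FIRST_PARTY and sensitive:
        findings.add("third-party-data-leak")
    if any(SENSITIVE_KEYS.search(k) for k in query):
        findings.add("sensitive-data-in-url")  # URLs are logged far more widely than bodies
    return sorted(findings), sensitive


def triage(requests):
    """(method, url, findings) for every request that has at least one finding."""
    report = []
    for r in requests:
        findings, _ = analyze(r)
        if findings:
            report.append((r["method"], r["url"], findings))
    return report


if __name__ == "__main__":
    for method, url, findings in triage(SAMPLE_REQUESTS):
        print(method, url, findings)
```

The name heuristic is deliberately broad; on a real capture you review the hits rather than trust them, but a request to an analytics host carrying an e-mail address and an advertising identifier is exactly the third-party leak the slide is about.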
SLIDE 15

Vulnerabilities

Network/Privacy

SLIDE 16

Vulnerabilities

Network/Privacy

SLIDE 17

Vulnerabilities

Client Side/Logging

Starbucks Mobile App

/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

<input class="field text medium" id="Account_UserName" maxlength="200" name="Account.UserName" tabindex="0" type="text" value="CLEARTEXT" />
<label for="Account_PassWord" class="">Password <span class='req'>*</span></label>
<input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="CLEARTEXT" />

“When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.”

Source: https://threatpost.com/starbucks-app-stores-user-information-passwords-in-clear-text/103649/2/
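The crash-log excerpt above shows a form, including its password field, written to disk with the values filled in. The fix is to scrub secrets before anything reaches a logger or crash reporter. The following is an added example of such a scrubber, written for this page and not taken from the presentation, Crashlytics or any app: it redacts the values of sensitive HTML inputs, sensitive JSON keys and Authorization headers, and wires the same function into Python's logging as a filter. The sample log lines are constructed placeholders modelled on the excerpt.

```python
import logging
import re

REDACTED = "[REDACTED]"

# Field names whose values must never be written to a log. Matched as
# case-insensitive substrings so Account.PassWord, passwd and pwd all hit.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|user(name)?|token|secret|auth", re.I)

# Constructed log lines shaped like the crash-log excerpt above; the values
# are placeholders, not data from any real app.
SAMPLE_LOG = [
    '<input id="Account_UserName" name="Account.UserName" type="text" value="jdoe@example.com" />',
    '<input id="Account_PassWord" name="Account.PassWord" type="password" value="S3cret!" />',
    '{"username":"jdoe@example.com","password":"S3cret!","remember":true}',
    'POST /login HTTP/1.1 Authorization: Bearer eyJhbGciOi.payload.sig',
    'GET /store/locator?lat=48.85&lng=2.35 HTTP/1.1',
]

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
_JSON_PAIR = re.compile(r'(?P<pre>"(?P<k>[^"]+)"\s*:\s*")(?P<v>[^"]*)"')
_AUTH_HDR = re.compile(r"(Authorization:\s*\S+\s+)\S+", re.I)


def _redact_input(m):
    """Blank the value of an <input> whose name is sensitive or whose type is password."""
    tag = m.group(0)
    name = re.search(r'\bname="([^"]*)"', tag)
    if re.search(r'\btype="password"', tag, re.I) or (name and SENSITIVE.search(name.group(1))):
        return re.sub(r'\bvalue="[^"]*"', f'value="{REDACTED}"', tag)
    return tag


def _redact_json(m):
    """Blank the value of a "key":"value" pair when the key is sensitive."""
    value = REDACTED if SENSITIVE.search(m.group("k")) else m.group("v")
    return m.group("pre") + value + '"'


def redact(line):
    """Scrub one log line; unrelated content passes through unchanged."""
    line = _INPUT_TAG.sub(_redact_input, line)
    line = _JSON_PAIR.sub(_redact_json, line)
    line = _AUTH_HDR.sub(lambda m: m.group(1) + REDACTED, line)
    return line


class RedactingFilter(logging.Filter):
    """Attach to every handler so records are scrubbed before they are formatted."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def scrub(lines):
    return [redact(line) for line in lines]


if __name__ == "__main__":
    log = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    for line in SAMPLE_LOG:
        log.warning("%s", line)
```

Redaction at the logger is the last line of defence, not the first: the stronger fix is never to hand form state or request bodies to a crash reporter at all, and to treat anything written under the app's caches directory as readable by whoever holds the device.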

SLIDE 18

Vulnerabilities

Client Side/Logging

SLIDE 19

Vulnerabilities

Client Side/Storage

SLIDE 20

Vulnerabilities

Client Side/Debug Screens

SLIDE 21

Vulnerabilities

Client Side

SLIDE 22

Fortify on Demand

Provides Application Security as a Service

Discover: Understanding your application portfolio is the first step to securing it
Assess: Comprehensive static, dynamic/interactive web and mobile testing delivered at the speed of development
Monitor & Protect: Continuously monitors and protects software running in production
Remediate: Integrated workflows to fix vulnerabilities faster and accelerate a mature AppSec program
Educate: Leading-edge developer training for secure coding best practices, to prevent vulnerabilities before check-in
Integrate: Securing DevOps through broad Fortify Ecosystem integrations and automation tools

Application types: Thick-client, Web, Mobile

SLIDE 23

Fortify On Demand

Client / Network / Services

Why Fortify on Demand MAST?

  • iOS applications
  • Android applications
  • 50+ unique vulnerability categories
  • Designed for mobile app developers
  • Manual testing performed on-device

Mobile Assessments include:

  • Vulnerability analysis of mobile binary
  • Endpoint reputation analysis
  • Security expert review of prioritized results

Mobile + Assessments include:

  • Manual testing of binary, network and services
  • WebInspect analysis of backend services

SLIDE 24

Thank You.

Visit Fortify On Demand at http://microfocus.com/fod
Follow us on Twitter @MicroFocusSec

Ray Kelly
Follow me on Twitter: @vbisbest

SLIDE 25

Attacking Web Services using Web Inspect

Sherman Monroe

SLIDE 26

Overview

  • Overview of Web Service Scanning
  • SOAP scan setup
  • Manual RESTful Scan setup
  • Automated RESTful Scan setup

SLIDE 27

How does Automated Scanning work?

Crawl
  • Determining attack surface
  • Historically only link-based
  • Today employ JavaScript emulation to get dynamic requests

Audit
  • Sending known attack vectors
  • Fuzzing parameters
  • Session-based

SLIDE 28

What to look for in a scanner?

  • Understanding request generation (i.e. links)
  • Understanding parameters
  • Understanding session management

SLIDE 29

Discoverability

  • Endpoints not always explicit in dynamic code
  • Complex payloads not exposed
  • URL parameters (e.g. empl/38482/profile)

SLIDE 30

Demo – Proxies & Web Macros

SLIDE 31

Identifying Parameters

Non-standard parameter specs
  • As part of URL (e.g. path parameters)
  • Headers
  • Request body
  • Upload file content (Content-Type: multipart/form-data)

Patterns in URL segments
  • Highly random path nodes
  • Numerical values, dates, etc.

Component Values
  • Look for structure in parameter values
  • Look for delimiters

SLIDE 32

Identifying Parameters: Component Values

POST /acme/geo/get_feature?uid=68e4cf6a8077912a02b250b230b8abe73265753b HTTP/1.1
Host: acme.com
Connection: keep-alive
X-CUST-SESSIONID: h57768d18hfr883xc36b53100jeew99sb2b320eb
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6

{"location":"48.854325","feature_area_id":"tag=3hks83n3j;name=sector_north"}

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Mon, 05 May 2017 03:03:56 GMT
Content-Length: 138
Connection: keep-alive

{"feature_id":"\u30a4\u30d9\u30f3\u30c8\u3000\u5341\u4e00","sz":532,"wght":0.32,"last_photo":"","resp_code":0}

Three things a link-based crawler would miss here: the body is JSON although the Content-Type claims form encoding, the session is carried in a custom X-CUST-SESSIONID header rather than a cookie, and the feature_area_id value is itself a delimited key=value list (tag=3hks83n3j;name=sector_north) whose components are separate parameters the audit phase needs to fuzz individually.

[Architecture diagram: Desktop Manager, Web Server, Feature Service, Image Service, Spatial DBMS; flows labelled REST Request, SOAP Request, JSON Response, GML, JPEG]

SLIDE 33

Identifying Parameters: Component Values

(same request, response and architecture diagram as slide 32)

SLIDE 34

Identifying Parameters

  • Refer to documentation or use heuristics to determine the parameter data types
  • Hex strings are typically used as tokens or userids
  • Tokens and other sensitive data in URL
    • /acme/profile/set_photo/2015/11/20?token=fa423b369272e7e19b2a5fa4eeba560e74c0d457
  • Look for high variance in URL paths of proxied traffic
  • Examine response codes of parent paths to find start of parameters
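The heuristics from slides 31 and 34 in runnable form, as an added example written for this page (not WebInspect's own parameter detection): hex strings and numbers in path segments and query values become placeholders, a year/month/day run is recognised as a date, a value such as tag=3hks83n3j;name=sector_north is split into its component parameters, and a set of proxied URLs is grouped by prefix to find the path positions whose values vary from request to request. The sample URLs follow the /acme/... shapes shown on the slides but are constructed for the demo; the response-code probing of parent paths needs a live target and is not shown.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed proxied URLs for a hypothetical API (shapes follow the slides).
SAMPLE_URLS = [
    "/acme/profile/set_photo/2015/11/20?token=fa423b369272e7e19b2a5fa4eeba560e74c0d457",
    "/acme/profile/set_photo/2016/01/03?token=0b1f3c9a8e7d6c5b4a3928170f6e5d4c3b2a1908",
    "/acme/empl/38482/profile",
    "/acme/empl/91002/profile",
    "/acme/empl/10077/profile",
    "/acme/geo/get_feature?uid=68e4cf6a8077912a02b250b230b8abe73265753b",
]

HEX_TOKEN = re.compile(r"[0-9a-f]{16,}", re.I)  # long hex: token, session or user id
NUMERIC = re.compile(r"\d+")


def classify_segment(seg):
    """Map one path segment or query value to a placeholder if it looks like data."""
    if HEX_TOKEN.fullmatch(seg):
        return "{hex}"
    if NUMERIC.fullmatch(seg):
        return "{int}"
    return seg


def _is_date(y, m, d):
    return (bool(re.fullmatch(r"(19|20)\d\d", y))
            and m.isdigit() and 1 <= int(m) <= 12
            and d.isdigit() and 1 <= int(d) <= 31)


def templatize(url):
    """Rewrite a concrete URL into the request template a scanner should audit."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    out, i = [], 0
    while i < len(segs):
        if i + 2 < len(segs) and _is_date(*segs[i:i + 3]):
            out += ["{yyyy}", "{mm}", "{dd}"]
            i += 3
        else:
            out.append(classify_segment(segs[i]))
            i += 1
    tmpl = "/" + "/".join(out)
    if parts.query:
        tmpl += "?" + "&".join(f"{k}={classify_segment(v)}" for k, v in parse_qsl(parts.query))
    return tmpl


def split_component_value(value, pair_delims=";&|,", kv_delims="=:"):
    """Expose sub-parameters hidden inside one value, e.g. 'tag=x;name=y'.
    Returns None when the value has no key/value structure."""
    pairs = next((value.split(d) for d in pair_delims if d in value), [value])
    result = {}
    for pair in pairs:
        kd = next((c for c in kv_delims if c in pair), None)
        if kd is None:
            return None
        k, v = pair.split(kd, 1)
        result[k] = v
    return result


def high_variance_positions(urls, prefix_len=2, min_ratio=0.5):
    """Group paths by their first prefix_len segments and report the positions
    whose values change between requests: those are parameters, not resources."""
    groups = defaultdict(list)
    for u in urls:
        segs = [s for s in urlsplit(u).path.split("/") if s]
        groups[tuple(segs[:prefix_len])].append(segs)
    report = {}
    for prefix, paths in groups.items():
        if len(paths) < 2:
            continue
        hot = []
        for pos in range(prefix_len, max(len(p) for p in paths)):
            vals = [p[pos] for p in paths if pos < len(p)]
            if len(vals) >= 2 and len(set(vals)) / len(vals) > min_ratio:
                hot.append(pos)
        if hot:
            report[prefix] = hot
    return report


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(templatize(u))
    print(split_component_value("tag=3hks83n3j;name=sector_north"))
    print(high_variance_positions(SAMPLE_URLS))
```

Once a segment is known to be a parameter the scanner can attack it in place (path injection, IDOR across employee ids, expired or foreign tokens) instead of treating each concrete URL as a separate static resource.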

SLIDE 35

Demo – Custom Parameters

SLIDE 36

Automation: Importing Data

  • Proxy
    • undocumented APIs (e.g. RESTful)
    • Non web applications (e.g. mobile applications)
    • Dynamically generated requests (e.g. Web 2.0, AJAX)
  • Automated (WSDL, WADL, Swagger)
    • WISwag.exe
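What a service-definition import has to produce before a scanner can audit a REST API: one concrete request per path and method, with path, query, header and body parameters filled with type-appropriate sample values. The following is an added example written for this page, not WISwag.exe or WebInspect's importer; it walks a minimal Swagger 2.0 document and emits request records plus the raw HTTP text a proxy or web macro would replay. The API definition (host api.acme.test, the two paths, the X-CUST-SESSIONID header) is constructed for the demo and mirrors the request on slide 32.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed Swagger 2.0 definition for a hypothetical API (not a real service).
SWAGGER_DOC = json.loads("""
{
  "swagger": "2.0",
  "host": "api.acme.test",
  "basePath": "/v1",
  "schemes": ["https"],
  "paths": {
    "/empl/{id}/profile": {
      "get": {
        "parameters": [
          {"name": "id", "in": "path", "required": true, "type": "integer"},
          {"name": "fields", "in": "query", "type": "string"}
        ]
      }
    },
    "/geo/get_feature": {
      "post": {
        "parameters": [
          {"name": "uid", "in": "query", "type": "string"},
          {"name": "X-CUST-SESSIONID", "in": "header", "type": "string"},
          {"name": "body", "in": "body", "schema": {"type": "object", "properties": {
             "location": {"type": "string"}, "feature_area_id": {"type": "string"}}}}
        ]
      }
    }
  }
}
""")


def _sample(schema):
    """A syntactically valid placeholder value for a parameter or schema node."""
    t = schema.get("type", "string")
    if t == "integer":
        return 1
    if t == "number":
        return 1.0
    if t == "boolean":
        return True
    if t == "array":
        return [_sample(schema.get("items", {}))]
    if t == "object":
        return {k: _sample(v) for k, v in schema.get("properties", {}).items()}
    return schema.get("enum", ["a"])[0]


def requests_from_swagger(doc):
    """One request record per operation, every declared parameter populated."""
    base = f"{doc.get('schemes', ['https'])[0]}://{doc['host']}{doc.get('basePath', '')}"
    out = []
    for path, ops in doc["paths"].items():
        for method, op in ops.items():
            url, query, headers, body = path, {}, {}, None
            for p in op.get("parameters", []):
                if p["in"] == "path":
                    url = url.replace("{" + p["name"] + "}", str(_sample(p)))
                elif p["in"] == "query":
                    query[p["name"]] = _sample(p)
                elif p["in"] == "header":
                    headers[p["name"]] = str(_sample(p))
                elif p["in"] == "body":
                    body = _sample(p["schema"])
            full = base + url + ("?" + urlencode(query) if query else "")
            out.append({"method": method.upper(), "url": full, "headers": headers, "body": body})
    return out


def render(req):
    """Raw HTTP/1.1 text for the request, as a proxy or web macro would replay it."""
    parts = urlsplit(req["url"])
    target = parts.path + ("?" + parts.query if parts.query else "")
    lines = [f"{req['method']} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    payload = "" if req["body"] is None else json.dumps(req["body"])
    if payload:
        lines.append("Content-Type: application/json")
        lines.append(f"Content-Length: {len(payload.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + payload


if __name__ == "__main__":
    for r in requests_from_swagger(SWAGGER_DOC):
        print(render(r))
        print()
```

The placeholder values only need to be well-formed: the audit phase replaces them with attack vectors, so the importer's job is to get every parameter location (path, query, header, body) into the request skeleton where the scanner can see it.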

SLIDE 37

Importing Data

SLIDE 38

Importing Data

SLIDE 39

Demo – Service Definition Import

SLIDE 40

Thank You.

SLIDE 41

Agenda

  • Navigate the Eclipse IDE and Fortify plug-in & Security Assistant
  • Examine & Remediate SQL injection
  • Full scan from the Eclipse IDE
  • Understand the Jenkins Continuous integration tool
  • Configure static scan and result automation with the Jenkins build
  • Enable predictive analysis with audit assistant through SSC
  • View results in Fortify Software Security Center with audit assistant predictions

SLIDE 42

Q&A

SLIDE 43

Thank You.
