Secure Dose

Sunday, 8 November 2015

Bug Bounty!!

The Bug Bounty Trends
These days in India, a lot of people are into earning money via bug bounties.
What actually is a bug bounty? An ATM where people get dollars?
Actually, no. Let's see what it actually is and why there is such a craze about bug bounties, especially here in India.




What is Bug Bounty?
Well, a bug bounty is a program offered by many companies that develop web-based or standalone products, inviting people to find bugs in them. On submission, the company verifies the bug and, based on its severity, provides a reward. It is similar to any kind of deal. It is open to the public, and anybody can take part in the program by finding bugs (generally security bugs!) and reporting them properly.
You might be thinking: if anybody can take this deal, are penetration testers losing their jobs? Actually, no, they are not.


How does it work?
There are procedures, protocols and standards that have to be followed by the person taking part in the program, to limit the company's risk. Not following these protocols can be illegal and may land you in jail or in official trouble. We will be discussing this soon.
First, let's see what companies actually do to start such a program.

Their bug bounty program is initiated only after they have tested their own application first.
This includes all types of tests, like security testing, unit testing, functionality testing, compliance testing, etc., and only once they are fine with the results do they initiate these programs. The reason is that if they do not do so, their company procedure will increase, and their reputation and the trust of their clients go down.
Reputation? How?
If they do not have their own testing team, they are likely to have more critical bugs that are easy to find and exploit. This directly hits the reputation of the company, and hence penetration testers are not losing their jobs at all.

How do people take bug bounties these days?
Most bug hunters today judge their level of skill by the bugs they find in the web applications of highly reputed companies. The more reputed the company, the more "pro" they are.
Another thing is that it is a source of money, again for a big population.
There are many out there who actually take this as a learning process.

What is the advantage of a bug bounty program?
I would like to highlight the things we learn. 

1) The professionals who have actually participated in bug bounties usually have their own blogs where they post how they found bugs. Reading about such bugs, you learn more about how to discover vulnerabilities. So when we actually participate in this, we increase our skill set in vulnerability assessment.
  1. Vulnerability assessment 

2) When we submit a bug to them, we actually learn how to write a report. With a quick search you can find many ways to write a bug report with a good POC (Proof of Concept), with video and screenshots.
Here you can find why writing a good report is important.
  1. Vulnerability assessment
  2. Bug Reporting

3) Interacting in a formal way is another skill you can add to your list. Many people have the skills and are good at VA, but their communication is not so good and hence they lose out in the bounty program. I have come across a few people who find good bugs in reputed companies but eventually do not get their bugs approved just because of the interaction issue.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills

4) Companies get to know about your skills and may also hire you. A similar thing happened with me when I was looking for something to do in my vacations. I found a bug in a startup's web application, reported it to them and I was doing an internship within a few weeks. Cool, right?
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure 
5) You can include in your CV that you participated in such bug bounty programs, where you reported vulnerabilities in so-and-so companies. This makes your CV more attractive and gives a reason to hire you.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure
  5. Attractive Portfolio

There are many websites which provide a platform for both hunters and companies.
To find the programs of some reputed companies, search for them.
There are many more things that will come up along the way for you to learn.
Hope this article helps you know more about bug bounties.
pic source: bugbounty.att.com

Wednesday, 15 July 2015

The Famous Top 10!


Introduction:
The title says it all.
This is a list of the world's top 10 vulnerabilities found in web applications.
Every person from the InfoSec community knows about it, and as a beginner you should know about it too.
In this post we'll check out what this top 10 list is and what OWASP is.


OWASP:
OWASP (Open Web Application Security Project) is an open community where security researchers, professionals and security enthusiasts from around the globe work together and build open source security tools and projects.
Anybody can contribute to it and anybody can create their own projects.
They even have an OWASP Slack team, where you can join, ask, chat and share files. Join the team at owasp.slack.com,
and you can check out its wiki at owasp.org.

List:
This is the list of vulnerabilities, defined and regularly updated. It is the list you must always keep as a priority while you test a web application. You can even consider it a checklist to keep an eye on, or use it to decide your vulnerability testing priorities.


I was a speaker at a local security meetup the month before last, where I presented and explained these lists and demonstrated the XSS and Injection categories. You can find the PDF in the resource section with the title "Breaking Web Application", and here is the official list with descriptions - [OWASP TOP 10].

1. Injection:
Injection is the 1st category of the OWASP Top 10 list. Injections are malicious code written in between the original code.
Now the question arises: we don't have access to the code, so how is it possible to write such code?
The answer is very simple. You don't need any kind of access to the original code. A typical way to get code in between the original code is to write it where user input is accepted, but user input fields are not the only way to inject malicious code. There are several other ways, like writing the code in the URL itself, in HTTP request headers, in a crafted file which executes as soon as it is uploaded, etc.
There are many methods of injection, as mentioned above. We will look at them briefly in later posts.

2. Session Management & Broken Authentication:
Session management covers maintaining the state of the entity communicating with the system, and authentication is the act of confirming that whatever is communicating with the system is who they claim to be.

3. Cross-Site-Scripting:
Cross-site scripting is also known as XSS. It is generally used as a client-side attack which affects the clients visiting the infected websites. This vulnerability can do a lot of harm to users and, eventually, to the site's visitors. It loads JavaScript in the victim's browser, which can lead to theft of credentials and identity, and much more.

4. Insecure Direct Object Reference:
It occurs when a reference is unknowingly left open, giving direct access to an internal implementation object. This includes directory access, config file access, etc., which an attacker can take advantage of to further exploit the system and gain deeper access.

5. Security Misconfiguration:
Good security means configuring the firewall, web application, framework, database and servers in a secure manner. Default configurations, default users and passwords, directory listing, extra information exposed, etc. all fall in this category.

6. Sensitive Data Exposure:
This is a flaw that many web applications are vulnerable to. It covers sensitive data like configuration files, exposure of internal file sharing in a company or at an enterprise level, and similar scenarios. Taking advantage of such sensitive data can be disastrous for the system.

7. Missing Functional Level Access:
What if you get access to a privilege without being asked? It is like being a student who can still perform the actions of the HOD or Principal. Similarly, there is a website and you know the admin page; as you visit the page, you directly get access to it. This is A7.

8. Cross Site Request Forgery:
Cross Site Request Forgery is also written "CSRF". It is a kind of attack which uses a web page. When an authenticated user of a vulnerable web application visits the malicious site, an action is automatically performed: it is executed in the user's browser and acts on the vulnerable website. This can change the password of that user. It works as if the users themselves had changed their own settings.

9. Using components with known vulnerabilities: 
Developers often do not keep track of which libraries, components, packages or plugins they are using, so when these get outdated and vulnerable, the developers do not know, as they are not "security freaks" like you. ;) They are unaware and bang!!! Somebody who knows the plugin is vulnerable takes advantage, and the developer is pwned. This is how some web apps are compromised.

10. Unvalidated redirects and forwards:
An unintended and unexpected (from the developer's perspective) redirect sends the user to any website, or to a similar-looking one (probably malicious: phishing page, drive-by downloads, etc.). In a nutshell, it uses a parameter to redirect the user to something else. The attacks it can be exploited for are the ones listed in the brackets above.
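For the redirect parameter described in item 10, the server-side check is to accept only same-site paths or allow-listed hosts and fall back to a safe page otherwise. This is an added example, not code from the original post; the host `shop.example.com`, the `next` parameter name and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed values for this example: the only external host we redirect to,
# and the fallback page used when the requested target is rejected.
ALLOWED_HOSTS = frozenset({"shop.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return target if it is a same-site path or an allow-listed https URL, else default."""
    if not target or target != target.strip():
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so a value
    # containing them may be parsed differently by the browser than by us.
    if "\\" in target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return default

    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this site.
        # "//host/path" and "///host" are scheme-relative forms and are refused.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    # Absolute URL: https only, and the whole authority must be an allowed host.
    # Comparing netloc (not hostname) also refuses userinfo ("a@b") and ports.
    if parts.scheme == "https" and parts.netloc.lower() in allowed_hosts:
        return target
    return default


def login_redirect(query_params):
    """Pick the post-login location from a parsed query string (dict of str)."""
    return safe_redirect_target(query_params.get("next"))
```
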

Conclusion:
The famous top 10 is one of the most important things to take a closer look at, as it can be used as a checklist while conducting Vulnerability Assessment and Penetration Testing.

Monday, 8 June 2015

Secure Web Application PART - II

In case you haven't read PART - I, read it here.
Let's continue..

Common attack vectors:

Attack vectors are the "scope" an attacker/malicious user has to attack the application and exploit the vulnerabilities he has discovered.

The following are some common attack vectors through which an attacker can attack and gain a particular level of access to your web application, or make it unavailable to other users so that they cannot access the resources and features it provides.

1.  User Input Fields
2.  URL & Parameter Manipulation
3.  Information Disclosure (HTTP header/server-side error/etc.)
4.  Authorization
5.  Authentication
6.  Insecure Data Storage
7.  Insecure File Upload
8.  Privilege Elevation
9.  DoS/DDoS
10. Business Logic
11. Insecure Hosted Applications
12. Social Engineering
The following image includes them:



Check your existing web security:

Following are some questions, as a checklist, to answer and look into in order to check whether your existing web application has basic security implemented.
It can also be used as a checklist to develop a secured web application.

Infrastructure Considerations:
  • Does the network provide secure communication?
  • Does your deployment topology include an internal firewall?
  • Does your deployment topology include a remote application server?
  • What restrictions does infrastructure security impose?
Input Validation:
  • How are you validating user inputs?
  • What do you do with the input?
Authorization:
  • How do you authorize end users?
  • How do you authorize the application in the database?
  • How do you restrict access to system-level resources?
Authentication:
  • Do you separate public and restricted access?
  • How do you authenticate the Application?
  • How do you authenticate with the database?
  • Do you enforce strong account management practices?
Sensitive Data:
  • Do you store secrets?
  • How do you store sensitive data?
  • Do you pass sensitive data over the network?
  • Do you log sensitive data?
Cryptography:
  • Why do you use particular algorithms?
  • How do you secure encryption keys?
  • Are you unknowingly revealing your logic?
Parameter Manipulation:
  • Do you validate all input parameters?
  • Do you pass sensitive data in parameters?
  • Do you use HTTP header data for security?
Exception Management:
  • Are you revealing too much information to the user?
  • Are you sure you have checked all the corners?
  • Are your exceptions the default ones?
Monitoring Fails:
  • Do you log failed attempts?
  • Where are your logs stored?
  • Are they open to the public?
  • Are your log files secure?
Using this checklist and following up on it will fill the basic gaps in securing your web application. Also keep in mind that in most cases an insider is behind the attack on an organization.

So #OperationalSecurity is also to be taken care of. 


Web Application testing methodologies:

  • Where to start?
  • How to test a web application?
  • What are the prerequisites?
  • How to find vulnerabilities?
  • How to report?
  • Any standards?
  • Any drafts or documentation? 
  • How to mitigate risk?
To answer these questions, there are open communities where experts from around the world contribute.

Let's check out a few of them:
1.   OWASP (www.owasp.org)
2.   OSSTMM (www.isecom.org/research/osstmm.html)
3.   NIST (csrc.nist.gov)
4.   PTES (www.pentest-standard.org)
5.   ISACA (www.isaca.org)
6.   AppSec Labs Methodologies (www.appsec-labs.com) etc...

Why testing methodologies?
Testing with a particular methodology is known to be efficient because:
  • It helps you catch anything you have missed.
  • It defines how to approach risk-based testing.
  • It gives a systematic way to conduct tests.
  • It leads to proper report generation.
Conclusion
Having a checklist helps in developing a secured web application. We never consider an application 100% secure, but with this checklist we can say that we took security measures.
Following the standards helps a lot with security, as they show the direction: where to start and where to end. Well, security is a never-ending task! :D

Tuesday, 2 June 2015

Secure Web Application Part - I


Introduction:

There are so many awesome web developers with new ideas, new initiatives and startups. They sometimes fail to deliver what they claim. They claim to secure files and to have pretty good privacy features. There is always a need to have a security check running alongside development, so that no re-engineering is required to implement the necessary security measures. This article is specifically for newbies, developers and security guys, to use as a checklist or note while they develop or test a web application. Today we will be talking about a secured web architecture and some security checks you must know: what things are to be taken care of and what to implement, server side and at application level.


A head start:

Typical Web Application Working:
So first of all, we must know how a normal application exists and how it actually works alongside the server. An application is first hosted on a web server or an application server. There is a difference. The web server accepts the request and responds accordingly. We have clients, which we consider to be a web "browser", because these are used to send requests to a website or a web application to access the features it provides. So we have the browser as our client, which connects to the internet (1) and then to the web server. That is the 1st request, and with it CSS and other UI modules are loaded (2a)(2b).




Now the web server interacts (3) with the web application server, which holds the web applications and does the processing: it works and loads modules to provide the feature the client requested. Many times a database is needed as well, so it also sends a request to the database server (4) for the data. The application server receives the data from the database, and it is then used in the response to the client as (5), with the whole process in reverse.

This is how a web application works, which is very important to know in order to secure it.


What makes these web application vulnerable?
Most web developers configure SSL, a firewall and host security to secure their web application. This is mostly the case here in India, but it should not be. These things secure only the network and the host, not the web application.
The reasons why applications are vulnerable are:
  • Lack of awareness, in the first place.
  • Security testing done late in the development life cycle.
  • Bad configurations.
  • Logical issues.
  • Leakage of valuable information.
  • Services running which are not in use.
  • Not changing default usernames and passwords.
  • Revealing information on errors, such as stack traces.
  • Guessable user IDs that give direct access to the account, and many others.
These are some of the common things to take care of, as they lead to the compromise of a web application. Let's talk further about the secured web.


A Secured web application:
A secured web application involves many parameters, like validation both server side and at application level, protection against URL manipulation, authorization, authentication, separating user-level access from administration-level access, encryption, securing sensitive data, etc.
Here let's study a secured web architecture, that is, how a secure application should look theoretically.

An application should have a WAF (Web Application Firewall) to prevent URL manipulation (not allowing special characters), protect secure data and files (restricting access to directories), prevent session hijacking and replay attacks, etc. WAFs like mod_security, naxsi, ironbee, csf and a few more, along with HAProxy for load balancing, should be configured to protect it as the 1st step.

Next is the security to implement on the web server, like validating the user inputs, providing secure communication (SSL), native security configs, and handling HTTP error codes and other exceptions.


On the application server come logging activities and failures, authenticating and authorizing the requesting users' identities, protecting the data and filtering the user inputs.
Auditing the logs daily is a very good practice for spotting failed attempts, any kind of server issue, or a user who is behaving unexpectedly and is possibly malicious.
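The daily log audit described above can be partly automated by counting failed logins per source address inside a sliding time window. This is an added example, not code from the original post; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed application log format.
SAMPLE_LOG = """\
2015-06-02T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2015-06-02T10:00:09 LOGIN_FAIL user=alice ip=203.0.113.7
2015-06-02T10:00:20 LOGIN_FAIL user=bob ip=203.0.113.7
2015-06-02T10:00:31 LOGIN_FAIL user=admin ip=203.0.113.7
2015-06-02T10:01:02 LOGIN_FAIL user=admin ip=203.0.113.7
2015-06-02T10:02:15 LOGIN_FAIL user=carol ip=198.51.100.20
2015-06-02T10:02:40 LOGIN_OK user=carol ip=198.51.100.20
2015-06-02T08:00:00 LOGIN_FAIL user=dave ip=192.0.2.44
2015-06-02T09:00:00 LOGIN_FAIL user=dave ip=192.0.2.44
2015-06-02T10:00:00 LOGIN_FAIL user=dave ip=192.0.2.44
2015-06-02T11:00:00 LOGIN_FAIL user=dave ip=192.0.2.44
2015-06-02T12:00:00 LOGIN_FAIL user=dave ip=192.0.2.44
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")


def suspicious_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each IP with >= threshold failures inside one window to the accounts it tried."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match or match.group(2) != "LOGIN_FAIL":
            continue  # skip successes and lines that do not parse
        when = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
        failures[match.group(4)].append((when, match.group(3)))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in suspicious_sources(SAMPLE_LOG).items():
        print(ip, "failed logins against:", ", ".join(users))
```

The slow, hours-apart failures from `192.0.2.44` and the single mistyped password from `198.51.100.20` stay below the threshold, so only the burst is reported.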
The database needs to store sensitive information like passwords, CVV, etc. They can be stored with an MD5 hash, SHA, etc.
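For passwords specifically, a plain MD5 or single SHA digest is unsalted and fast to compute, so the example below puts it beside a salted, deliberately slow derivation (PBKDF2-HMAC-SHA256 from Python's standard library). This is an added example, not code from the original post; the stored-string format, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def weak_md5(password):
    """Plain MD5: no salt, very fast, identical output for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'scheme$iterations$salt$hash' using a fresh random salt per password."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users with the same (constructed) password.
    print(weak_md5("hunter2") == weak_md5("hunter2"))            # same digest in the table
    print(hash_password("hunter2") == hash_password("hunter2"))  # different salt, different record
```
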

Conclusion:
Analyzing and reviewing the application at the initial level, during development, is efficient because later re-engineering may otherwise be required.
A secured web application design, when applied, helps reduce risk to a certain level.
If the application is already built, it will still help to fix the vulnerabilities and to keep security in mind in future design.

Read the 2nd part..

Saturday, 18 April 2015

Things you must know before you dive into infosec..


The 1st time I met a professional was really the most confusing thing that ever happened to me. There was a small hackers' meet in the city and I was supposed to be there.
We were around 9-10 people and I was the person meeting them for the 1st time. I don't know about the others, but I was completely blank about what was actually going on and what they were talking about. So I recommend you go through this small list before you go to any kind of hackers' meetup. You can consider this the 1st step into infosec, that is, Information Security.

WWW:
It's short for World Wide Web: the web. All the users using HTTP are globally connected to each other. The WWW is one of many applications of the network.
It is based on the following technologies:
  • Webserver
  • HTML
  • HTTP
  • and a Web Browser 

HTTP & HTTPS:
HTTP is the Hyper Text Transfer Protocol and HTTPS stands for Hyper Text Transfer Protocol Secure. They are application protocols that direct the network to decide how the documents should be displayed to you. HTTPS sends the data in encrypted form, which means the data is not sent in plain text. These protocols need a web browser to display the files. Hypertext is text with a link directing to another text or document by its web address. There are many other protocols, so here I am sharing a small list of protocols if you are interested in going further.

SSL:
SSL is Secure Sockets Layer, a cryptographic protocol that makes sure the data is transferred from a browser to the destination server without any manipulation and keeps its integrity. To know how SSL works, do check this link.

Kernel:
The kernel is a computer program which manages the hardware and conveys the processes to be performed for the OS. As Linux is open source, you can find its kernel here in the Linux kernel archive.
Every OS has its own kernel. Modding a kernel in the correct way can add new features to your OS.

Linux:
Linux is an operating system created by Linus Torvalds. He evolved Linux from a kernel, because a kernel by itself gets you nowhere. To get a working system you need a shell, compilers, a library, etc.
Linux is open source and is distributed under GNUv2 and GPL licensing.
  
Shell:
A shell is a user interface which is/was used to interact with your operating system. It needs particular commands to interact. There are many types of shell, like the C shell, the Bourne shell and the Korn shell. It is part of the command processor, which runs based on the input given by the user. It verifies whether the command is valid or not. If it is valid, it sends the command on to another part of the process.

Linux Distributions:
Linux distributions, also called Linux distros, are different Linux operating systems based on different DEs (Desktop Environments), loaded with software and their own build of the Linux kernel. Kali, SamuraiSTF and Blackbuntu are some of the penetration testing Linux distros.

Vulnerability:
A vulnerability is a weakness in a web application, a network protocol, a cryptography algorithm, a lock or a safe.

Exploit:
Taking advantage of that vulnerability is exploitation. Using that vulnerability to actually break into the system or anything else is called exploitation. A vulnerability is not always exploitable. An exploit can be in any form: it can be in any programming language, or it can be a video or a step-by-step procedure. This is an exploit, or generally called a POC (Proof of Concept).


Payload:
The things done after exploiting a system are called the payload. The payload is again code which comes with the exploit code, so as soon as an exploit is successful the payload takes charge and starts its work, like connecting the system back to the attacker, executing malware or simply fetching credentials. The payload depends completely on what the attacker wants to do.

Penetration Testing:
It is a way to test the security of a web application, a network or a system by methodically validating and verifying the security mechanisms implemented on it.
It doesn't include only the above; proper reporting also has to be done.

CVE:
CVE stands for "Common Vulnerabilities and Exposures". It maintains a list of reported vulnerabilities, each with a specific ID that helps in recognizing the vulnerability.
The main aim is to standardize the names of publicly known vulnerabilities.




You can get further information about lots and lots of security-related terms from the links I am sharing:
OUSPG
NIST[PDF]
Sans Glossary 

 

 