Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008. This presentation is an introduction to information security. The presentation starts with a look at the past and current state of network security. Penetration testing is discussed. SQL injection and XSS demonstrations are given

1. marcoslaviero
SensePost
May 2008

2. Company
◦ Infosec specialists
◦ SensePost turned 8!
◦ .pta.za company of +-20
◦ Services
 Assessments
 Automated services
 Training
 Technology
◦ Published papers + books. Presented at many international
conferences.
◦ Tool agnostic
Me
◦ senior analyst
◦ UP graduate

5.  Some facts
 Some info
 Quick hacks
 Trends
 What is penetration testing? How do we do it?
 Why is software insecure?
 Demos
 Observations
 Conclusion

6. 9000
95
8000
96
7000 97
6000 98
5000 99
00
4000
01
3000
02
2000 03
1000 04
0 05
06
Public Vulns 07
08
www.cert.org/stats

7. 88
140000
89
120000 90
91
100000 92
93
80000 94
95
60000 96
97
40000
98
99
20000
00
0 01
02
Reported Incidents 03
www.cert.org/stats

8. www.secunia.com

9. www.secunia.com

10. Networks last century
◦ Sometimes protected by means of a firewall at
the ingress/egress points
◦ Hard crunchy shell
◦ Completely 0wnable internal networks (the
soft, chewy centre)
◦ Many weak external facing standard services
◦ Servers sat on internal network
◦ Business services used variety of protocols
◦ Security was secondary to function

11. Current networks
◦ Virtually every network has some kind of firewall in
front
◦ Internal networks auto-updated
◦ Few external facing (hardened) services
◦ Servers isolated
◦ Business services migrated to HTTP
◦ Custom applications abound
◦ Security seen as important
◦ Major focus on user-content

12.  Increasing criminal element
 Client-side attacks
 Other platforms receiving more attention
 l33t 0wns no longer acceptable to corporates
without mature recommendations
 Mobile focus
 Value moving
 Vulns are marketable

13.  Site scanned
◦ port 80 open
◦ website appears clean
◦ run directory/file brute-forcer on website
 /webstats/stats/default.asp
Login Page
Sql injectible

14. ◦ Internal search field also SQL injectible
 returns errors
• used sql-injector.pl
• sql user a domain administrator
• changed password of domain admin user with term service access
• found external term services box
• login to internal network as domain administrator

16.  Metasploit - Open Source Platform for:
◦ Developing, Testing and Using Exploit Code
◦ Written in Perl/Ruby with components in C, Python
and Assembly
 Supports *nix as well as Windows (Cygwin)
 Makes running exploits trivial, requires no
underlying knowledge

18.  Hacking is not a black art – it can be
structured
 One hole is all we need
 It’s OK to be hacked (by us :)

19. The practical verification of security mechanisms
◦ Offensive
◦ Blackbox
Requirements
◦ Knowledge
 tools
 platforms
 protocols
◦ Puzzle solving abilities
◦ Tenacity
Targets
◦ networks
◦ machines
◦ applications
 web
 thick
◦ information

20. Typical pen-testing Goals
◦ enumerate users
◦ bypass authentication mechanisms
◦ access user data
◦ perform administrative actions
◦ deny service
◦ compromise underlying platform
◦ use target to hop further into the network
Ethics
◦ only done with mandate
◦ customer informed of
 targets
 testing times
◦ NDAs
◦ user data kept confidential (or redacted)

21. 1. There’s no madness in our method
2. Learn the trade, not the trick
3. It’s not about the what, it’s about the where
4. Everything’s easy in bite-sized chunks
5. Don’t worry about knowing the answers, it’s
figuring the questions that’s hard
6. The more you know, the luckier you’ll get

22.  Discover the possible set of targets
 Test whether targets are reachable
 Determine the services being offered
 Vulnerability detection & analysis
 Vulnerability exploitation
Methodology varies according to objective
Threat modelling useful for discovering
possible weak points in complex
applications

23. Network layer
◦ Attacks are mostly canned
◦ Testing is automated
◦ Software is mature – hence slightly more secure
Application layer
◦ Most business apps run over HTTP
◦ Custom apps mean custom vulns
◦ Custom software is less mature, fewer security protections
◦ Labour intensive testing
◦ Basic tasks are automated
◦ Web threats not fully understood
 Web 2.0 world changes that further

24.  On the Internet today, we hack web servers
◦ 13 Million unique web servers
◦ 70% of all open ports are HTTP
 Frameworks, code-sharing and thin clients make
developing for the web quick and easy
◦ Yet its much harder to develop securely than many think
 Web applications are attractive targets
◦ Internet facing
◦ Wide spread
◦ Encapsulate complex business logic
◦ Offer windows into the private network
 Responsibility lies largely with the developer
◦ Naivety increases our chances of success

26. Statement:
If we can build skyscrapers and bridges that
last 80 years and more without falling
down, why is software broken before it is
deployed?

27. Buildings do fall down
◦ Environmental factors not accounted for (Tacoma Narrows)
◦ Security threats (9/11?)
Security in general is always defeatable
◦ How much is the attacker willing to spend?
◦ Security is a human vs. human game – boundaries are
limited only by the attacker’s imagination
◦ Security is not limited to software (how secure is your
house?)
◦ How well do defenders understand the attackers?
◦ As tech evolves, so the threat landscape changes (pace of
change)

28. Developers are front-line software defenders. What
about them?
◦ Devs are not taught security fundamentals
 Input validation (whitelist/blacklist)
 Assertion checking
 Return status
 Unsafe functions/mechanisms
◦ Security is often seen as secondary on software projects
(features are king!)
◦ Often they only learn about threats when their applications
are compromised
◦ As new attacks emerge, the gap between the protected and
the exposed grows
◦ Spot fixing

29. How to fix?
◦ Cheques made out to ML Slaviero. CC also
accepted.
◦ Developer education (coding against threats)
◦ Tighter integration between application
components
◦ Abstraction of security code
◦ New architectures?!?

30. 1. SQL Injection
2. Cross Site Scripting

31. What is it?
◦ Most web applications interact with a database
◦ Users enter data which is passed into database queries
◦ Certain chars have special meaning in DBs
 eg ‘ for SQL
◦ Data is not escaped sufficiently, allowing the alteration of
the query
Effects?
◦ Data extraction
◦ Data modification
◦ Command execution?

33. x‘ OR 1=1--
5555
@result = “select * from Users where
Card = ‘$cardnumber’
And
Pin = ‘$customerpin’;”
@result = “select * from Users where
Card = ‘x‘ OR 1=1--
‘ And
Pin = ‘5555’;”

34. Solutions
◦ Input sanitisation
 whitelist/blacklist
◦ Prepared statements/parameterized queries
◦ Stored procedures

35. What is it?
◦ Web apps output their stored data as HTML to
browsers
◦ If data contains HTML, then the interface is
altered
◦ Caused by insufficient escaping of user supplied
data (input validation… sound familiar?)
◦ New exploits emerging all the time
Effects?
◦ Malicious HTML can be used to perform a variety
of attacks
 cookie theft
 internal port scanners
 perform actions on your behalf

37. Solutions
◦ Input sanitisation
 whitelist/blacklist
◦ Output sanitisation
◦ Cookie magic

38.  Old attacks don’t disappear
 Dev mistakes are repeated
 Development frameworks evolve to mitigate
some threats leading to over-reliance on
framework
◦ Authentication/input validation understood fairly well
◦ .Net input validation vuln
 Passwords are an attacker’s friend
 Authorisation issues widespread
 Users are gullible
 Value is moving
 Increasing complexity of attacks

39.  Hacking is learnable
 Education is key
 Know where you stand