OWASP (Open Web Application Security Project) is the leading open source platform for application security. Beginners can find more here:

They released a special project called the “OWASP Top 10” in 2003, which listed the most critical web vulnerabilities of that time. Since then OWASP has published several versions of the Top 10 based on their statistics, and it is now a mature project within OWASP.


OWASP Top 10 :

Most organizations, developers and penetration testers use this project as a baseline for their software security, which is good and appreciable. Following the processes in software companies, they develop secure code, verify their business logic and test the security aspects before major releases. It’s like we are coming closer to hack-proof web applications. Really?

In those days we couldn’t find a trustworthy, accessible place to learn about application security. Then OWASP appeared, so people started building their web applications more securely, and that continues today.

So far we have been talking about the good side of these concepts. What’s the end result? We are secure!

Not at all.


When one party is defending all the known holes, the other party is looking for new ones. That is exactly what happens in the cyber security world: IT security professionals stop the bleeding at one edge, and hackers attack another edge with different techniques.

We tell the world that we are OWASP compliant and SANS compliant, but our applications still get hacked. We show the world that we have put guards on all the identified entry points. Do you still believe attackers try the same entry points?

Better not. Every year WhiteHat Security publishes the Top 10 web hacking techniques, and most of the time the top hacking techniques do not target the top web vulnerabilities. If you need examples, here are some:


Keep in mind that the OWASP Top 10 list we are currently using was published in 2013. Now it’s 2016 and we are screaming that attackers are one step ahead of us.

A few nominated hacking techniques for 2015:

  • Abusing CDNs with SSRF Flash and DNS
  • Abusing XSLT for Practical Attacks
  • Hunting Asynchronous Vulnerabilities
  • Logjam and Magic Hashes

Better google the meaning of those attacks. So where are we now?

Here are some of the top hacking techniques of 2014:

  • Heartbleed, ShellShock, Poodle, Rosetta Flash…


Am I saying that OWASP and SANS are bad? Sorry, you misunderstood. I’m saying that they are not enough in this game. You can clearly see a gap between the top 10 vulnerabilities and the top 10 attacks. So we need to be creative here, not only apply theoretical security practices to our applications and systems.

This is not a problem with OWASP or SANS; they have done enough, and we shouldn’t expect everything from them. We all have limitations. Do your own homework and try to stay sharp.

I was involved in a few application security assessments over the last few months and thought I would express some ideas linked with application security.

Let’s have a look at the traditional application security process. The software team gets together, decides on architectural plans, reviews them and then designs the software. After some period they produce the piece of software and hand it over to security testers/consultants for pen testing. Within two or three weeks the pen testers assess the application and it is released to the live environment. Conceptually, all is well until the application gets hacked.

[Image: Application hacked]

Let me point out some facts:

  • Developers may take years to develop the application, yet security concerns are expected to be assessed within two weeks
  • All the architectural designs are already fixed, so it is practically impossible to correct any weaknesses found at the design level
  • The attacker has 24*7*365 to break in, but the defender has only 20 man-days to protect
  • Security consultants assess the application thoroughly against theoretical security practices but spend only a little time ensuring real security
  • Finally, would you really believe your security consultants are as good as the bad guys?

It’s time to change these traditional methods. Security should be part of the process from the design level onward, and it should be a continuous process of monitoring and testing. Agile testing would be a good practice here if followed in the correct manner.

[Image: cyber defense]

Most pen testers/consultants use only HTTP scanning, request tampering and automated scanning to assess application security. But most modern applications run on AJAX, Flex, Flash and HTML5 technologies, and there are native mobile apps as well. So scanning is not enough anymore; we need object-model-based security assessments such as string analysis and JavaScript parsing.

Another important point is that security consultants mainly focus on technical security aspects such as session management, scripting attacks and injections. But 50% of application risk is tied to the business logic. Why do I call this scary? Because even a simple user without technical knowledge or a breaker’s mindset will be able to abuse the application by bypassing the business model. That is why the security team should test against abuse cases as well.

[Image: Application security]

There are some tools to automate security testing, but all these automations are limited to the scalable surface of security. They won’t check a single business security scenario, because those tools work with anomaly-based models.

You can use automated tools as the first pass of security testing, but manual validation is still the best. Before starting any security assessment, get to know whom you are protecting the application from. Then identify the real risk. SQL injection or XSS may not be the real risk in your case.

Finally, almost every team uses popular open source libraries in their applications, but only a limited number of groups worry about the security of these 3rd-party components. People update their hardware, OS, servers and all other infrastructure, but not the application libraries/frameworks and CMS. Most applications get hacked because of this. Yes, this can be a challenge for patch management and application dependencies, but we have to find a way of doing things right anyhow.

So talented security consultants, skilled developers, resources or huge budgets won’t protect your application from external attack vectors anymore. Change the process of defending and the pattern of thinking. That will be the only way of defense in this era.

[Image: cyber security]

The past few days have not been auspicious for the Sri Lankan cyber security community. Several government, media, banking and financial websites were hit in a spate of cyber attacks. Some sites were defaced and DB information was published online. There might be numerous reasons behind those cyber attacks, but this is a kind of alarm for us.

[Image: catch a thief]

Huge numbers of websites get attacked every day around the world, unsecured websites as well as well-secured ones. So there is no big deal in attacking SL websites. The problem is: if there are no basic-level security implementations, can we handle massive cyber threats?

Script kiddies are everywhere. Exploiting website vulnerabilities, defacing and dumping databases is not rocket science with hacking tools. Even though some of the attacked websites have high-profile status, they didn’t put enough concern into information security. That’s where we all went wrong so far. We are always worried about action, not quality.

Well, most of the attacked websites are at the top of the Google dork results if you are looking for certain vulnerabilities.

This graph shows the most popular web attacking techniques in 2012.

[Image: web hacking techniques]

It is clear that most SL websites were hacked through SQL injection. Developers usually lock down their application/site at the login portal, but login is not the only place where the application interacts with the database. Forums, comments, user profiles, news and search areas all link with the DB. XSS, remote file inclusion, CMS issues and IM level vulnerabilities would be the next top methods.
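To make the point concrete, here is an added example (not code from the original post): a news-search feature built two ways over a constructed in-memory SQLite table. The concatenated version lets the search term rewrite the WHERE clause and leaks an unpublished row; the parameterised version binds the same term as data, which is the fix a developer should apply to every DB-facing field, not just login. Table name, columns and rows are assumed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'news' table like the search areas above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news (title, body, published) VALUES (?, ?, ?)",
        [
            ("Budget 2016", "Budget highlights", 1),
            ("Cricket results", "Match report", 1),
            ("Draft: unpublished leak", "Not yet public", 0),  # must never be returned
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is pasted into the SQL text.

    Whatever the user types becomes part of the WHERE clause, so the
    'published = 1' filter can be switched off from the search box.
    """
    sql = "SELECT title FROM news WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Fixed: the term is bound as a parameter and is never parsed as SQL.

    The LIKE wildcards are added to the value, not to the query string,
    so quotes and comment markers in the input are just characters.
    """
    sql = "SELECT title FROM news WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("normal search :", search_safe(db, "Budget"))
    # A quote plus an always-true condition shows the difference between the two.
    probe = "%' OR 1=1 --"
    print("concatenated  :", search_vulnerable(db, probe))  # includes the draft row
    print("parameterised :", search_safe(db, probe))        # nothing matches
```

Running the same probe against the two functions is a quick regression check to keep in the test suite for every search, comment and profile query.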

When I was at an interview at university, there were software professionals from industry. When they got to know that I am keen on security stuff, they said, “we have experienced CISSP guys and network security engineers, so nothing to worry about security”. But they are software vendors.

A website or application can be hacked in two different scenarios: one is a lack of security implementation at the infrastructure level, and the other is poor security standards at the application level. So the breaches in SL sites could have happened because of the hosting company or the site developers. But since most sites were hacked through SQL injection, this points directly at application developers and testers.

I know, explaining something is easier than implementing it. But I still rarely see developers/software firms concerned about their products’ security. This is very much the same for the government sector.

We develop…develop…and someone breaks

Okay, whoever attacked those sites might get their self-satisfaction. Some organizations may lose their privacy and dignity. I think the government will focus more on cyber security than on finding whose IP that was. Prominently, we should wake up to this alarm.

Most script kiddies are likely to be insiders.


“To catch a thief, we must think like a thief”