
Competent site security audit

Web application security has always been a sore point. It is talked about a lot, but the overall picture changes little: hacker attacks remain numerous, and they are often very successful for the intruders and very costly for the victims.

The owners of the South Korean marketplace Interpark faced a serious problem: a hacker got into their database, stole information on 10 million clients and is now demanding a ransom not to disclose it. Also on the list of high-profile incidents is the hacking of the official Ubuntu forum via SQL injection through a well-known vulnerability in the vBulletin engine; the personal data of 2 million users was stolen.

All this happened in the current July alone, and only counting large sites. It is hard to imagine how many attacks hit smaller projects. The researchers at Wallarm did take the trouble to count, and recorded 100 million attacks on their clients' web resources in 2015.

One of the most effective ways to protect a site is to audit its security. So let's look at how such an audit proceeds.

Penetration Testing


Most often, a resource's security check is carried out by the “black box” method: the security specialist tries to break into the target as if he were a real attacker pursuing some self-serving goal, such as hacking a competitor, attacking the site's visitors, secretly monetizing the site behind the owner's back, or simply satisfying his ambition.

Thus, the tester must accomplish at least one of these global tasks:
  1. Violate the confidentiality of customer information.
  2. Restrict access to key data.
  3. Modify or destroy information so that it cannot be recovered.

As this list shows, you cannot simply go ahead and audit a site. Penetration testing needs some preparation, without which it will either be ineffective or will itself turn into a real hacker attack with sad consequences. At a minimum, the following is necessary.

  1. Sign a non-disclosure agreement. The researcher may gain access to very valuable confidential information. Reputable security-testing organizations are unlikely to use it for their own purposes, but the contractor's integrity cannot always be verified, so it is better to conclude an agreement.
  2. Conduct the audit on a complete copy of the main site. The tester will use all the methods hackers use, including those that bring the web resource down or destroy the data on it. It is better not to expose the production version of the project to such stress and to limit testing to a clone.
  3. Keep the audit confidential. The fewer people who know about the testing, the better. Attackers rarely warn of their attack, so telling a large number of people about the event can distort the result.


Penetration testing methods


Search in open sources. Since the “black box” method is used, the tester knows nothing about what the attacked object looks like from the inside (otherwise hacking would be a trivial task). Therefore, during the preliminary collection of information, the specialist is primarily interested in the technical side of the web application: what language it is written in, which CMS is used and with which extensions. All this can be learned without even resorting to special tools; sometimes Google alone is enough. For example, you can find employees of the attacked company on LinkedIn, pick out the programmers among them and determine which language they specialize in.

Moreover, if you wish, you can find out exactly what they worked on. It is enough to search by their names or nicknames, and the search results will turn up plenty of interesting things: for example, a discussion by this programmer of a module for the engine, or an order placed from a corporate account with a freelance contractor for a new plug-in, complete with a detailed technical specification.

Determining the protective measures. The presence of any security software (intrusion prevention systems, DDoS protection, a firewall) can seriously complicate the hacking task, so it must be detected. Special programs are usually used for this: for example, a firewall can be detected with a port scanner, and anti-DDoS services are revealed by the domain's DNS records.

Using standard vulnerabilities. Before starting to search for unknown zero-day vulnerabilities and studying the logic and architecture of the web application, the tester checks the site's resistance to conventional attack methods, for example a known exploit for an old version of the engine. It was at this stage that the aforementioned Interpark and the Ubuntu forum suffered.

In general, the following usually happens at this stage:
  1. Attempts at remote code execution.
  2. Attempts at SQL injection.
  3. Exploitation of XSS, RFI and LFI vulnerabilities.
  4. Searching for backup storage locations and gaining access to them.
  5. Manipulation of the authorization system: brute force, searching for insecure password recovery, authentication bypass.
  6. Studying the site's file structure to detect files whose access is restricted only by the absence of an explicit link to them.
  7. Intercepting traffic and examining it.
  8. Searching for ways to gain unauthorized access to confidential information.
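Items 4 and 6 above are the ones a site owner can largely pre-empt before the audit even starts. The following script, an added example that is not part of the original article, walks a copy of the site's document root and flags the leftover backups, dumps, VCS metadata and secret files that are reachable only because nothing links to them; the file layout and name patterns are assumptions, not from the article.

```python
"""Pre-audit hygiene check: flag files in a web root that a tester would find
at the 'backup storage' and 'file structure' steps. Added example; the
sample layout and the suspicious-name patterns are assumptions."""
import os
import re
import tempfile

# Suffixes and names that should never sit inside a public document root.
SUSPICIOUS_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz",
                       ".tar.gz", ".zip", ".swp", "~")
SUSPICIOUS_NAMES = {".env", ".htpasswd", "dump.sql"}
SUSPICIOUS_DIRS = {".git", ".svn", "backup", "backups"}
# Dated copies such as index.php.20160701 or site-2016-07-01.tgz
DATED_COPY = re.compile(r"[.-]\d{4}-?\d{2}-?\d{2}(\.|$)")


def find_exposed_artifacts(webroot):
    """Return sorted paths (relative to webroot) that look like exposed
    backups, dumps, VCS metadata or secrets. File contents are not read."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if d.lower() in SUSPICIOUS_DIRS:
                hits.append(os.path.relpath(os.path.join(dirpath, d), webroot) + "/")
                dirnames.remove(d)  # report the directory once, do not descend
        for f in filenames:
            low = f.lower()
            if (low in SUSPICIOUS_NAMES or low.endswith(SUSPICIOUS_SUFFIXES)
                    or DATED_COPY.search(low)):
                hits.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample document root (empty files) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = ["index.php", "config.php", "config.php.bak", ".env",
              "assets/app.js", "uploads/photo.jpg",
              "backup/site-2016-07-01.tgz", ".git/HEAD",
              "admin/users.sql", "includes/db.php~"]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in find_exposed_artifacts(build_sample_webroot()):
        print("exposed:", hit)
```

Run it against the clone used for the audit (item 2 of the preparation list), not the production tree, and remove or move outside the web root everything it reports.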


An unconventional approach. When well-known methods do not help, the tester, combining all the methods described above with his own understanding of security systems, tries to circumvent the existing protection or discover an unknown vulnerability.

Not all auditors perform this procedure, since it is rather complicated, requires highly qualified specialists and costs a lot. As practice shows, zero-day vulnerabilities are very often discovered by outside researchers. However, they receive a corresponding reward for their discovery.

In fact, if your site successfully passes testing for all standard types of threats, the test can be considered successful. A more detailed and in-depth study of hacking methods is relevant only for very large projects, whose hacking can attract really high-class hackers able to discover new security gaps.

Audit completion


The result of any penetration test is a document that should include:
  1. Information about the methods used during the audit.
  2. A profile of the attacker, his potential goals and motivation.
  3. A description of the attack scenarios developed and carried out by the testers.
  4. A detailed report on all vulnerabilities found.
  5. Recommendations for eliminating them.


A competently performed audit is a very effective measure for finding weaknesses in a site and its server. It is extremely rare to pass the test completely; usually some part has been overlooked by the developers. But even if the web resource could not be hacked, that is still a result: its owner can now sleep in peace.

Source: https://habr.com/ru/post/307050/
