How Chaining Of Attack Vectors Gave Defencely an Upper Hand in Pentests!?

Howdy,

Today, as part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go the extra mile and bring you rich blog posts about tales and adventures at Defencely Lab. We are going to explain and demonstrate how we chained up critical pieces of information to gain access to millions of customer accounts, in order to safeguard our valued clientele proactively.

We are intentionally withholding the name of the target to honour the confidentiality clause we signed. The steps described below should still give readers the complete picture of what happened.

CONTENTS

  1. Understanding the workflow of the Application.
  2. Technical Understanding.
  3. Chaining up and Exploiting the vulnerability on the basis of Collected information.

WORKFLOW

Our target had an Android application as well as a web application, giving us a wide scope to start enumerating and forming a general idea of how their applications worked at the back-end. We made sure our research time was spent wisely before we actually started hitting the targets.

Working of the Web Application: This web application allows anyone to sign up for their services, hosted on a particular sub-domain, say example.target.com. Once you have signed up as a normal user with the company, you can upload your details and related information to the account to set it up according to the services offered.

Working of the Android Application: This Android application is for their Partners Portal. It was more interesting because it does not allow everyone to sign up as a partner: you need to verify yourself as a legitimate person with skills in the work they offer and submit documents related to that work. We reverse engineered the APK file. The only thing the web app and the Android app had in common was that both their APIs connected to the same domain, with different endpoints.

So this was getting really interesting, as we did not have access to any test credentials for the Partner’s Android app to test its API endpoints. We were left with only the reverse-engineered files and code on the desk. Now that we have a basic idea of how things work, let us jump into the technical understanding of the application and see how we escalated from having nothing to compromising millions of the accounts registered with the company.

TECHNICAL UNDERSTANDING

If you want to register as a Partner, you need to call a number given on the website, reaching their 24x7 customer support, and provide the details they need to verify you as a legitimate partner.

So, what would you have done in the same scenario? It’s obvious. We called them up and social engineered them into believing we wanted to sign up as a partner, providing some legitimate-looking details that were actually dummy details created at our end. The verification process was over and everything went fine, but they informed us that it would take a couple of days to provide the credentials for the partner portal. We had deadlines; 2-3 days was a long time, and we could not afford to waste it just registering an account on their partner portal.

If you remember, we had already reverse engineered the APK file, so we went that way and started looking into the huge amount of source code available.

We went through the directory structure and found some files of interest that we could at least concentrate on.

Those are the files we were specifically looking into. We started reading the code of the ISignIn.java file, and within a couple of minutes we found something really interesting that caught our attention and made everything clear about the login mechanism they were using and how they were saving passwords to the databases at the back-end.

Let’s look at the code and understand the mechanism.

Vulnerable Code which could allow us to take over Partner Accounts: 

    // Recovered from the decompiled ISignIn.java (a Retrofit-style API interface).
    // The only fields this call sends are the mobile number and the new password,
    // so the mobile number alone selects whose password gets changed.
    @FormUrlEncoded
    @POST("/ppapp/savepassword")
    void getSavePassword(@Field("mobile") String str, @Field("password") String str2, @Field("confirmPassword") String str3, Callback<OTPModel> callback);

This particular function caught our attention: it sends form-collected data as POST parameters to the endpoint /ppapp/savepassword. I was pretty sure the developers were using this function to set new passwords for users.

But here the question arises: how are we going to exploit this vulnerability? If we look into the function, we can see that getSavePassword takes three form parameters:

    getSavePassword(@Field("mobile") String str, @Field("password") String str2, @Field("confirmPassword") String str3, Callback<OTPModel> callback)

  1. `mobile` parameter
  2. `password` parameter
  3. `confirmPassword` parameter

All three parameters must be supplied for the request to go through. You might have noticed that they change the password of the user identified by the mobile phone number alone: the number acts as the unique key, and the call itself carries no proof that the caller owns that number.
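As an added example (not code from the post or from the target), here is the shape of that reset call next to a hardened version: the fix binds the password change to a short-lived, single-use one-time code delivered out of band to the registered number, so knowing a mobile number is no longer enough. The user store, the OTP delivery stub and every name other than mobile, password and confirmPassword are assumptions made for this example.

```python
"""Added example, not the target's code or Defencely's: the password-set call
recovered from ISignIn.java is keyed only on the mobile number. Below,
save_password_weak() mirrors that shape, and save_password_hardened() shows one
way to fix it by binding the change to a short-lived, single-use OTP that is
delivered out of band to the registered number. The user store, OTP delivery
stub and helper names are constructed for this example."""
import hashlib
import hmac
import secrets
import time

# Constructed user store: mobile number -> password hash.
# SHA-256 is used only to keep the demo short; a real store uses a slow KDF.
USERS = {"9100000001": hashlib.sha256(b"old-pass").hexdigest()}

# Pending reset challenges: mobile -> (otp, expiry timestamp).
PENDING = {}
OTP_TTL = 300  # seconds a code stays valid


def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def _send_sms(mobile, otp):
    """Placeholder delivery channel (constructed); the code never leaves via the API."""


def save_password_weak(mobile, password, confirm_password):
    """Same contract as /ppapp/savepassword in the post: anyone who knows a
    registered mobile number can set its password. Kept only for contrast."""
    if mobile not in USERS or password != confirm_password:
        return False
    USERS[mobile] = _hash(password)
    return True


def request_reset(mobile, now=None):
    """Step 1 of the hardened flow. The response is identical whether or not the
    number is registered, so this endpoint cannot be used to confirm accounts."""
    now = time.time() if now is None else now
    if mobile in USERS:
        otp = f"{secrets.randbelow(10**6):06d}"
        PENDING[mobile] = (otp, now + OTP_TTL)
        _send_sms(mobile, otp)
    return {"status": "if registered, a code was sent"}


def save_password_hardened(mobile, otp, password, confirm_password, now=None):
    """Step 2. The change is accepted only with a valid, unexpired OTP. The OTP
    is consumed on the first attempt, right or wrong, so it cannot be guessed."""
    now = time.time() if now is None else now
    challenge = PENDING.pop(mobile, None)  # single use
    if challenge is None:
        return False
    expected, expiry = challenge
    if now > expiry:
        return False
    if not hmac.compare_digest(expected, otp):  # constant-time compare
        return False
    if len(password) < 12 or password != confirm_password:
        return False
    USERS[mobile] = _hash(password)
    return True


def check_login(mobile, password):
    stored = USERS.get(mobile)
    return stored is not None and hmac.compare_digest(stored, _hash(password))
```

The design point is that the mobile number stays a lookup key but stops being an authenticator: the secret that authorises the change is the OTP, which only the phone's owner receives, expires quickly, and is burned on the first wrong guess so the reset endpoint cannot be brute-forced the way the consumerId was.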

The first priority, then, is to get hold of a mobile number already registered with the company. To fulfil that need we started enumerating other files that might give us more details about users already registered.

While enumerating other files, we found another endpoint which seemed to be related to customer profile details.

We started searching where and how this endpoint, @GET("/getprofilejson"), is used by looking at the source code left with us.

We found that the endpoint @GET("/getprofilejson") works with two HTTP GET parameters:

  1. `uri`
  2. `consumerId`

Enumerating the source code further gave us the values that fit these two parameters. The `uri` parameter takes a `location`, which in my case was %2Feast%2Fassam%2Fbongaigaon%2F, and `consumerId` is a 6-digit integer value, so I just passed a random 6-digit integer, ‘123456’. But nothing happened.

I wrote a Python script to brute-force the `consumerId`.

The API endpoint started returning data at ‘391149’, which held a token value for ‘example_profile_id’, meant to be supplied as an HTTP POST parameter on the endpoint @GET("/getprofilejson") as "example_profile_id=82f088332d0611e484950e2f866a9102" to get hold of the registered customer’s profile details.

Our goal is achieved: we now have a registered customer’s phone number. It’s time to code an exploit and make it happen. Let’s jump into the last section, exploitation.

EXPLOITING THE VULNERABILITY

A coded-up exploit for account takeover.

Response:

We finally coded a mass account takeover exploit: the script grabs users’ phone numbers by brute-forcing the `consumerId`, passes the token value retrieved from the response to get the phone numbers of the users, and finally invokes the @POST("/ppapp/savepassword") endpoint to change the password directly.
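As an added example, not from the original post, here is a small detection rule a defender could run over web server access logs to catch this chain: one client walking consumerId values on /getprofilejson within a short window, followed by a call to /ppapp/savepassword. The combined-format log lines, client addresses, window and threshold are constructed assumptions for the example; the endpoints and parameter names are the ones the post names.

```python
"""Added example, not part of the original post: a detector for the two-step
pattern described above (walk consumerId values on /getprofilejson, then call
/ppapp/savepassword) run over constructed access-log lines in combined format.
The log lines, IP addresses, window and threshold are constructed for this
example; the endpoint paths and parameter names come from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

URI = "%2Feast%2Fassam%2Fbongaigaon%2F"  # the uri value quoted in the post

# Constructed sample log: 203.0.113.7 enumerates six ids in six seconds and then
# sets a password; 198.51.100.4 is a normal single lookup; 203.0.113.9 touches
# five ids but spread over ten minutes, below the rate the rule is tuned for.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2015:10:00:0{i} +0000] "GET /getprofilejson?uri={URI}&consumerId=39114{i} HTTP/1.1" 200 12'
     for i in range(1, 7)]
    + ['203.0.113.7 - - [10/Mar/2015:10:00:30 +0000] "POST /ppapp/savepassword HTTP/1.1" 200 48',
       f'198.51.100.4 - - [10/Mar/2015:10:01:00 +0000] "GET /getprofilejson?uri={URI}&consumerId=391149 HTTP/1.1" 200 640']
    + [f'203.0.113.9 - - [10/Mar/2015:10:{m:02d}:00 +0000] "GET /getprofilejson?uri={URI}&consumerId=40000{m} HTTP/1.1" 200 12'
       for m in (0, 3, 5, 8, 10)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(seconds=60)   # look-back window for the distinct-id count
DISTINCT_IDS = 5                 # distinct consumerId values that trip the rule


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlparse(target)
    params = parse_qs(url.query)
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": url.path,
        "status": int(status),
        "consumer_id": params.get("consumerId", [None])[0],
    }


def detect(lines):
    """Return {client_ip: verdict}. 'enumeration' when a client queries at least
    DISTINCT_IDS distinct consumerId values within WINDOW; 'takeover_attempt'
    when the same client then calls the password-set endpoint."""
    per_ip = defaultdict(list)
    for raw in lines:
        event = parse_line(raw)
        if event:
            per_ip[event["ip"]].append(event)

    verdicts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["time"])
        probes = [e for e in events if e["path"] == "/getprofilejson" and e["consumer_id"]]
        flagged_at = None
        for i, start in enumerate(probes):
            ids = {e["consumer_id"] for e in probes[i:] if e["time"] - start["time"] <= WINDOW}
            if len(ids) >= DISTINCT_IDS:
                flagged_at = start["time"]
                break
        if flagged_at is None:
            continue
        followed_by_reset = any(
            e["method"] == "POST" and e["path"] == "/ppapp/savepassword" and e["time"] >= flagged_at
            for e in events
        )
        verdicts[ip] = "takeover_attempt" if followed_by_reset else "enumeration"
    return verdicts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Run stand-alone it prints the verdict per client. The single lookup and the slow walker are left unflagged, which is the trade-off of a fixed window: a patient attacker stays under it, so this rule is worth pairing with a per-client daily count of distinct consumerId values and with server-side rate limiting on the endpoint itself.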

That’s all we have for now. Look forward to more at Defencely Red Team Operations Labs next week, with yet another story of how we’re adding value to our customer base with our insider threat program as well as routine, sound and offensive Vulnerability Assessments followed by Penetration Tests for critical applications, at both the staging and production level. Our manual security assessment methods have proved the best value. Feel free to get in touch with Shritam Bhowmick, Red Team Lead @Defencely, at shritam@defencely.com for any Security Operations related queries, or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale from the broad security premises, where 0-days are always a possibility and close at hand to a security compliance issue which, sooner or later, will be a decision for Indian e-commerce management and stakeholders.

Let’s act pro-actively.

Solution to Cutting Out Cost Expenditure on Information Security

It’s no surprise that information security is a most expensive task and is closely tied to risk managers providing quality-assured security for the end product, be it web applications, thick clients or software in general. To reduce overthinking of complicated executive-level decisions by project managers, it’s essential to know in general how an information security program works.

How to assess the necessary components for enterprise security solutions?

The first approach to solving a problem is to understand its question. In information security, the question for an organization is how to close security gaps by putting a security program in place and providing a security plan to eliminate this rising gap; but what the security program should look like and how it should commence is entirely up to security managers. The necessary components are to be placed before the administration to gain approval to commence them, in order to manage enterprise risks, which include ‘security’.

In applications, this entire Application Lifecycle Management (ALM) will have a particular process, and its components will essentially be:

  1. people
  2. process
  3. product

[Image: SDLC diagram]

Security management for all of them has to be taken into consideration: educating its people about security and providing the required awareness of information security policies around the organization, securing the organization’s processes, and securing the product itself. This can be a top-down approach: provide a framework for security (the security program) and then plan security in specific ways to protect business assets and the interests of the organization. Throughout this process, cost can be a factor, due to the approved budget for the program and the maintenance of the security program to keep closing security gaps the way they should be.

How to solve the ”cost” factor in a security program?

The security managers take decisions related to security and hence should be able to decide the overall cost in recurring terms. But it’s not just about determining the cost; it’s also about cost cutting to get the project budget fixed without affecting the quality provided by the security program. First it’s necessary to assess what accomplishments are to be made during the entire life-span of an application, or of the application that is being developed in-house and will be on production servers after it is deployed. Some of these have to be considered while setting out the layout and determining the costs:

  1. Objectives
  2. Required people
  3. Required outsourcing
  4. Required maintenance

The objectives should be very clear to the project managers in order to put the right people in-house to handle security problems; these people will be responsible for handling and mitigating risks and planning further with internal development teams. It’s also necessary to outsource tasks which need subject-matter expertise, since security isn’t about just one thing. When discussing information security, for instance, there might be more than one component to take care of, such as:

  1. secure coding practices in-house
  2. architectural risk analysis
  3. threat analysis
  4. security audits
  5. penetration testing

For most applications, the first three are done in-house, and these include costs too. Penetration testing comes from outsourcing after the product or software (web applications) is deployed, but during the SDLC a ‘secure’ mechanism has to be in place, which gives birth to the SSDLC (secure SDLC). Most threat analysis comes after risk analysis has been done at an architectural level, because managers have to decide on the resources to be allocated to each of these components. To cut costs, skilled labour should be employed for each step in the security framework rather than trying to handle security randomly, which most often fails and isn’t cost effective at all. Threat analysis will involve:

  • threat modeling
  • threat treatment
  • threat management

Threat management people and their resources will also be responsible for the later results that come out of penetration tests, and in case the expected outputs are not obtained, a team of experts should be able to look at the functional dependencies and improve their formal test cases, which are of two kinds:

  1. positive testing (functional testing)
  2. negative testing (exceptional testing)

Functional testing covers what web applications are supposed to do, i.e. input vs. output; negative testing covers how the application handles exceptions, whether there are ways in which exceptions occur, and whether these could lead to business risks. Most negative test cases need focus, since they are the elements through which later penetration testing proves that unit security testing wasn’t effective, and that can be of concern. Why? Because at later stages costs rise exponentially to manage security risks, and to rearrange and re-implement accordingly to make a correction and make the product work without its security being affected (and also because organizations have to maintain compliance).

These pointers are small things where cost cutting can be most accurate, because a pin-point analysis of how such extra costs can be reduced in security programs contributes, at later stages, to the overall security budget of the organization. Sometimes it’s also the reason why organizations now outsource funding to managed bug bounties. To deliberately handle security the right way, it’s also necessary to maintain quality during the SDLC period, since after the product is released it might be out of hand and a little too late for managers to manage security.

How does Defencely solve your problems?

Defencely provides a 360 security solution to organizational security problems, whether the products are in the SDLC or have already been deployed. If applications are in SDLC phases, it’s more beneficial to cut the cost of your resources and get dedicated security expertise to help you realize and reduce risks before any commitments or deployments of your applications; it’s like winning the war before it starts. This could also benefit the compliance the organization has chosen and the reports it needs to prove its applications are secure for its customers and end-users.

The solutions provided are overall, and hence it’s extremely helpful to know whether a certain application passed improvement to maintain a continual security check. This can be in terms of application security assessments, penetration tests, and simulated security testing where a red team attacks your applications in offensive ways to measure security and give your organization its overall security posture. Let’s get you started with the right security program for your platform; contact us to help you solve your enterprise security problems.

About the Author

Shritam Bhowmick is an application penetration tester professionally equipped with traditional as well as professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.’s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The R&D sector for application security is growing at Defencely and is taken care of by him. Professionally, he has had experience with several other companies working on critical application security vulnerability assessment and penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. He also does independent application security consultancy.

Beyond his professional expertise in application security, Shritam Bhowmick uses his knowledge for constructive Red Teaming penetration testing engagements for top Indian clients and has a proven record of excellence in the field of IT security. A Google search of his name would suffice. Shritam Bhowmick has delivered numerous research papers, mostly application-security-centric, and loves to go deep into the details. This approach has led him to innovate rather than re-invent the wheel for others to harness old security concepts. In his spare time, of which there is barely any, he blogs, brainstorms on web security concepts and prefers to stay away from normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill and exploring new places to meet new people.

Defencely Business Enterprise Security Solutions

Hello again. Not long ago, Defencely.com described in a series of posts how enterprise security risks are evaluated and how these security risks are determined in order to proactively close them in a responsible manner. This post covers the key points which encircle Enterprise Business Security Threats and is brought forward to spread business-security-centric awareness among the industries. In order for the enterprise community to work according to its workflow, the business functional model should never overlap the data model. If they do overlap, a business logic threat could potentially be present. This threat assessment model presents three distinct risk factors, which are:

  1. Confidentiality
  2. Integrity
  3. Availability

It’s also known as the C.I.A. triad. A risk to confidentiality arises if a certain access control feature integrated into the business functional model is bypassed using some different technique, providing an intruder with confidential data which otherwise should not have been compromised. A risk to integrity means that data was modified during its processing or somewhere in between in its whole life-cycle. This again would be a threat to the business. A risk to availability is when certain business-critical public data is restrained from access, financially depriving the company or corporation of access to resources, the intruder forcing the business model to consume more resources by confining them to itself and making them unavailable.

[Image: CIA triad]

Authenticity in the business risk model is yet another concern, through which intruders could gain unauthorized access to critical business resources and hence compromise the company in certain ways. This in itself could be a tragic scenario for a company, taking its toll and leading the company to losses. Consider the following intrusions, for instance:

  1. Uber Cab compromised with Github Security Key
  2. Staples compromised – the retail hack hijacking cards
  3. Home Depot email compromises – 53 email addresses exposed
  4. CNET – compromised by Russian Attackers

These were some of the haunting and threat-awareness-inspiring cases from some of the major giants of the business community and the industry. In the past, Microsoft, Oracle, Sony, etc. had also been attacked and successfully compromised through business security and logical deduction of security. In these cases, business security was compromised in different ways, but these were only possible with data compromise in mind. The data compromised was all related to the business assets, and not in a way in which a procedure was taken keeping business logic security in perspective. Certain types of application threat evaluation require this business data to first be relatively measured with proper processing. The evaluation process then takes certain test cases which the application should either pass or fail. These test cases are described as follows:

  1. Identify threats to business protocols, if these could be violated in any way.
  2. Identify threats to business timing, if resources could be violated against timed access.
  3. Identify threats related to compromise of data assets – if data is not segregated from non-essential workflow.
  4. Identify threats related to financial assets of the company – if financial records could be compromised.
  5. Identify threats related to processing – if certain steps in the process could be bypassed.

Some of the common Business Logic Threats are:

  1. Authentication Failure and Escalation of Privileges.
  2. Unauthorized Access to Resources via Parameter Manipulation.
  3. Business Process Logic Bypass via Cookies or Tampering Cookies.
  4. Bypass of Client Side Business Assets leading to Process Bypasses.
  5. E-Shop Lifting via Business Logic Manipulation leading to losses.
  6. Functional Bypass of Business Flaw leading to access of 3rd party limited resources.
  7. Service Availability based Denial of Service Attacks via Business Logic Threats.

There could be numerous other ways to access critical data and exfiltrate it through business logic security. Recommendations are to test the application against these new techniques and build proper segregation channels for them in order to prevent intruders from harming the business workings of a company. A prevention chart should be followed by enterprise developers during the development phases in the entire SDLC. This would securely deploy the applications and restrict unauthorized use of data which otherwise could have been compromised by application-level vulnerabilities or remnants of business logic vulnerabilities. Either of them is fatal and could lead to losses, ranging from reputational to financial.

Defencely provides services against these aforementioned threats along with cutting-edge reporting deliverables for its clients. The services enable its clients to assess potential threats and remediate them in order to patch them. Defencely provides an in-depth scope and individual deliverables for its clients which include:

  1. Application Security Executive and Technical Reports
  2. Business Logic Threat Executive and Technical Reports
  3. Mobile Security Executive and Technical Reports
  4. Individual Mitigation Trackers for both Application and Business Reports
  5. A Monthly Mitigation Overall Record for all the Identified Vulnerabilities

Aside from this, Defencely.com also provides custom-tailored services for network security and code audit. These deliverables focus on network security for server hardening and hence enable clients to follow strict security policy rules and compliances. Contact Defencely for its amazingly fast and reliable services at hi@defencely.com and make your web applications, servers, mobile apps, and code audits glitter with a real sense of security.

About the Author

Shritam Bhowmick is an application penetration tester professionally equipped with traditional as well as professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.’s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The R&D sector for application security is growing at Defencely and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. The application security guy!

Beyond his professional expertise in application security, Shritam Bhowmick uses his knowledge for constructive Red Teaming penetration test engagements for top Indian clients and has a proven record of excellence in the field of IT security. A Google search of his name would suffice. Shritam Bhowmick has delivered numerous research papers, mostly application-security-centric, and loves to go deep into the details. This approach has led him to innovate rather than re-invent the wheel for others to harness old security concepts. In his spare time, of which there is barely any, he blogs, brainstorms on web security concepts and prefers to stay away from normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill.

Defencely Smart DAST Scanner Analysis – Mindblowing Results!

Benchmarks and Evaluation based on:

→ Range of Attack vectors
→ Protocol Support (HTTP/SSL/TLS)
→ Proxy Support
→ Authentication and Session Management
→ Crawling Capability
→ Metadata functionality
→ Parsing
→ Command and Control
→ User Interface
→ Assessment based on

  1. OWASP Top 10
  2. WASC Threat Classification
  3. SANS Top 20
  4. SOX

→ Reporting Customization
→ Reporting Format (XML/HTML/PDF)
→ Commercial/Opensource

As part of the recent benchmarking of application scanners I went over at Defencely, the most impressive set of DAST scanners were what originally caught my attention, to see whether they were as capable as manual vulnerability assessments without the risks involved. I found results focused both on zero false-positive affinity and on the time-saving goals of each of the scanners tested. Either way, DAST scanners have been my lunch for today and had to be analyzed to let others know what some of the most impressive open-source and commercial scanners available are. When I began my research, I had to overlook Burp Suite, since it was the only tool-set with the Burp Extenders I would require for any manual vulnerability assessment and penetration testing of web applications. This wasn’t, however, focused on Burp Suite Professional, and I had to give our readers some points on other scanners available at their disposal, with costing (for commercial frameworks or scanners). I list them in ascending order of the DAST scanning capabilities with which they have attracted corporate giants across the globe (but with many limitations, adverse effects and at much cost!):

1. IBM AppScan (Commercial)

  • scans DAST (Dynamic Application Security Testing)
  • scans SAST (Static Application Security Testing)
  • Wide range of attack vectors on WAVSEP benchmark review (http://code.google.com/p/wavsep/)
  • Good score over other web application scanners
  • Less false positives
  • Download and other references: 01-ibm.com/software/awdtools/appscan/
  • 2015 current version: v9.0 (332MB or 513MB on Windows Platform)
  • Audit features can be compared to WebInspect, W3af and Acunetix
  • Costs $20,300 USD equivalent Rs 877,200 INR

[Image: IBM Rational AppScan screenshot]

2. WebInspect (Commercial)

[Image: HP WebInspect screenshot]

3. IronWASP (Opensource)

  • Requires .NET SP2.
  • Source code available.
  • Less false positives.
  • Editable core scripts on RUBY or Python
  • Download at: http://ironwasp.org/download.html
  • Stable, flexible, and without cost (free)
  • Runs on Windows, .EXE support and 5.1 MB zip compressed

[Image: IronWASP screenshot]

4. Acunetix WVS (Commercial)

  • Boasts high performance on Windows, with great security audit features.
  • Comparable to IBM’s AppScan, with a lower rating on attack vectors and false positives
  • UI is friendly, great speeds and URL discovery capability.
  • Detection Accuracy is high, which makes it a good scanner overall.
  • Comparable with Syhunt Mini (Sandcat Mini) and ZAP.
  • Download at: acunetix.com/vulnerability-scanner
  • For Windows, good fuzzing inbuilt.
  • Costs for the Consultant Edition is $7955 USD equivalent Rs 4,37,445 INR.

5. Syhunt Dynamic (Commercial)

  • Previously renowned as Sandcat Pro.
  • Syhunt Hybrid performs hybrid DAST and SAST.
  • Great UI (User Interface)
  • Designed for Windows Platform.
  • Order at: syhunt.com/?n=Syhunt.Dynamic
  • Good user reviews.
  • Wide source code analysis and then vulnerability detection.
  • Costs as high as $8000 USD (equivalent Rs 4,39,920 INR) per year.

6. BurpSuite Professional (Commercial)

  • Great crawling features with equivalent scanner
  • Available for Windows as well as for Linux
  • Good Proxy Usage.
  • Large database of attack vectors.
  • Get at: portswigger.net/burp/
  • Costs $299 USD per year. Rs 16,442 INR equivalent.


7. Core Impact (Commercial)

  • Good profiling.
  • Wide range of attack vectors
  • Extreme levels of Pivoting across different multi-layer infrastructure.
  • Good report generation capability.
  • IPS/IDS evasions, and detection
  • Accurate Detection rate with very little or no false positives.
  • Costs around $30,000 USD equivalent Rs 1649700 INR
  • Available only on contact with the Core Impact Team.


8. Jsky (Commercial)

  • Good URI Indexing.
  • Great User Interface.
  • Comparable to opensource security audit tools
  • Is an assessment tool as well as a scanner
  • Costs on per PC basis
  • Contact site: nosec.org/en/evaluate/

[Image: JSky screenshot]

9. WebApp360 (Commercial)

  • OWASP Top 10 through vulnerability scans.
  • Boasts good performance speeds with low false positives.
  • Stored XSS, Reflected XSS and a wide range of other web attack vectors.
  • Heuristic Based scans with proper detection rate.
  • Proper Web application Sanitizing detection and reporting.
  • Latest Joomla, WordPress plugins and web application services based repository.
  • Checks jQuery, Java-based scripts and DOM objects.
  • Get WebApp360 with an evaluation demo: ncircle.com/index.php?s=products_webapp360

[Image: SecureScan scan profile screenshot]

10. Nstalker (Commercial)

  • Source code assessment
  • Wide attack vectors.
  • OWASP top 10 detection with flawless efficiency.
  • Very low or no false positives.
  • 3rd party package vulnerability detection.
  • Great reporting and USER REVIEWS.
  • Get at: nstalker.com/buy/
  • Costs $3,199 USD equivalent to Rs 175913 INR.

11. W3af (Opensource)

  • Independent opensource web application scanner.
  • Good OWASP top 10 detections.
  • Less speed.
  • Less reporting features.
  • Medium False positives.
  • Great site crawler.
  • Considered good among opensource web application audit and security framework.

[Image: w3af SQL injection findings]

12. Arachni (Opensource)

  • Command Line Utility as well as GUI
  • Ruby Library based scanner framework.
  • Highly automated.
  • Great web application scanning and tuning features.
  • Good web application attack vector records.
  • Free and opensource framework.

[Image: Arachni screenshot]

13. Gamja (Opensource)

  • Good for common web application attack vectors
  • Command line as well as GUI.
  • Comparable but not as powerful as other opensource specific attack tools like SQLmap, XSSer, and Vega
  • Free and opensource.


14. Vega (Opensource)

  • Vega is good for attack vectors.
  • Robust, with high detection rates.
  • False positives quite often detected.
  • Opensource and free

[Image: Vega alert response highlighting]

15. Nikto (Opensource)

  • High false positives.
  • Good records of web application attack vectors.
  • Opensource and free.
  • Included in BackTrack Linux.

[Image: Nikto screenshot]

16. Unicorn Scan (Opensource)

  • Great number of payloads
  • Good records of web attack vectors
  • High detecting rate.
  • Well documented.
  • Operational for initial web application tests


17. WebSecurify (Commercial)

  • Wide range of attack vectors.
  • Uses XULRunner for its configuration.
  • Open-source (previously) as well as commercial.
  • Easy-to-use features.
  • Not complex.


18. SkipFish (Opensource)

  • Command-line utility.
  • Wide range of attack vectors.
  • Good support and well documented.
  • Few dependencies on a Linux-based system.
  • Open-source and free to use for all.
  • Overall good performance.


19. Grendel-Scan (Opensource)

  • Wide range of scan criteria.
  • Well documented.
  • Command-line utility.
  • Accepts Nikto configurations as input.
  • Open-source and free to the community.


Miscellaneous Scanners

Scanners specific to one attack vector:
  • SQLMap for SQL injection.
  • XSSer for DOM-based and persistent XSS.
  • Joomscan for Joomla-based vulnerabilities.
  • WPScan for WordPress vulnerabilities.
  • DirBuster for directory crawling.
  • WhatWeb for web application detection.

The list would never end if I had to specify every toolset used in a vulnerability assessment and penetration test. With that said, DAST scanners are sometimes strongly discouraged because of their adverse effects on the web server and on the application itself. Running these DAST scanners against a segregated clone of the original application is the recommendation; however, most amateurs run them without having done any risk assessment. Defencely keeps a firm grip on automated DAST scanning by pairing it with manual vulnerability assessment, which has zero chance of false positives (which are numerous in the DAST scanners mentioned above).

Now, one would ask: if DAST scanners are already on the market, and there are alternatives for web application vulnerability assessment with reporting bundled into these shipped DAST scanners, why would an enterprise need Defencely's manual application penetration testing and vulnerability assessment solutions? There is a 100-page answer to this, and I will pick out some key points for those who do not have a technical background and want a very straightforward answer.

DAST Scanners for profit?

Or a miss-out on the most important vulnerability not detected?

DAST scanners are notorious for dumping large, random logs onto the web server, but that is not the main concern. During a vulnerability assessment, the goal for any penetration tester is to detect the application bugs that count. Since DAST scanners are pre-programmed with limited knowledge of how an application “might” work and do not understand the application's whole workflow, the logical part is missed or is never counted as part of the test by default. Some scanners, such as HP WebInspect and other dynamic scanners, focus on these particular areas, but they too are limited to externally visible application logic. Rather than list every con, I will break the list down and focus on the key points below:

  • DAST scanners do not locate the specific line of code affected by the vulnerability.
  • Code quality cannot be determined, even in a white-box assessment.
  • Because of that lack of code quality assurance, other vulnerabilities are likely missed.
  • Beyond code-level application vulnerabilities, logical bug detection is not part of the test by default.
  • Blind test cases are seldom logically tailored to the payload and hence fail at bypasses.
  • Threat modeling and a prior risk assessment are never done, which might harm the production set-up.
  • Scanners generate a lot of traffic and leave behind massive logs, with more false positives.
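The last point above, the traffic and logs a scanner leaves behind, is also what lets a defender notice an unauthorized or unplanned scanner run against a production system before it does harm. The following is an added example, not code from this post or from any of the tools listed: it reads Apache/Nginx combined-format access-log lines, aggregates them per client IP and flags a client on a known scanner User-Agent, a burst of requests in a short window, or a high share of 4xx responses. The IP addresses, timestamps, User-Agent strings, paths and thresholds are all constructed or assumed for the demonstration.

```python
"""Flag likely DAST-scanner traffic in web-server access logs.

Added example for this post; it is not Defencely's code nor any scanner's
own output. It parses combined-format (Apache/Nginx style) access-log lines,
aggregates requests per client IP and flags a client that:
  (a) announces a known scanner User-Agent,
  (b) bursts many requests into a short window, or
  (c) draws mostly 4xx responses, the footprint of path brute-forcing.
All log lines, IPs, thresholds and User-Agent markers below are constructed
or assumed for the demonstration and should be tuned per environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings found in the default User-Agent strings of scanners listed in
# the post. Assumption: any scanner can change its User-Agent, so this check
# only catches the noisy, unmodified runs.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "arachni", "w3af", "skipfish")

# Thresholds (assumed values, chosen for the constructed sample below).
BURST_REQUESTS = 20        # this many requests ...
BURST_WINDOW_S = 10        # ... within this many seconds
MIN_REQUESTS_FOR_RATIO = 10
CLIENT_ERROR_RATIO = 0.5   # share of 4xx responses that looks like brute-forcing


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(lines):
    """Return {client_ip: sorted reasons} for every client that looks like a scanner."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        reasons = set()
        # (a) scanner User-Agent
        if any(marker in r["ua"].lower() for r in recs for marker in SCANNER_UA_MARKERS):
            reasons.add("scanner-user-agent")
        # (b) request burst: sliding window over the time-sorted requests
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > BURST_WINDOW_S:
                lo += 1
            if hi - lo + 1 >= BURST_REQUESTS:
                reasons.add("request-burst")
                break
        # (c) high share of 4xx responses, only judged once there is enough traffic
        if len(recs) >= MIN_REQUESTS_FOR_RATIO:
            errors = sum(1 for r in recs if 400 <= r["status"] < 500)
            if errors / len(recs) >= CLIENT_ERROR_RATIO:
                reasons.add("high-4xx-ratio")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


def _line(ip, ts, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"            # constructed
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"   # constructed

# Constructed sample: one ordinary user, one unmodified Nikto run, and one
# slower path brute-forcer hiding behind a browser User-Agent.
SAMPLE_LOG = (
    [_line("10.0.0.5", f"10/Mar/2015:14:0{i}:00 +0530", p, 200, BROWSER_UA)
     for i, p in enumerate(["/", "/login", "/account", "/logout"])]
    + [_line("203.0.113.7", f"10/Mar/2015:14:05:{i // 4:02d} +0530",
             f"/cgi-bin/test{i}.cgi", 404, NIKTO_UA)
       for i in range(30)]                       # 30 requests in 8 seconds
    + [_line("198.51.100.9", f"10/Mar/2015:14:{10 + i // 6}:{(i % 6) * 10:02d} +0530",
             f"/backup{i}.zip", 404 if i < 10 else 200, BROWSER_UA)
       for i in range(12)]                       # one request every 10 seconds
)

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the constructed sample the Nikto client trips all three checks, the slow brute-forcer trips only the 4xx-ratio check, and the ordinary user is not flagged. The User-Agent check is the cheapest but weakest signal, since it only catches runs that were never customized; the burst and error-ratio checks are what catch a scanner that is pointed at production without the segregated clone the post recommends.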

After the entire DAST scanning operation, the web application penetration tester is left with false positives, and the company with false reports, from what was originally meant to be an initial assessment to be investigated by security experts. That means more consultancy cost; and if that is not spent, the application remains highly vulnerable, since most of the bugs stayed where they were, never pinpointed by the scanner and hence never patched by the developers. This becomes a risk in which the whole goal of the engagement is void, because either way the application gets compromised and customer data is stolen or leaked. That should not be the case. If the third-party company then tries to invest in a re-test, the cost has to be incurred again. Overall this is an unproductive, repetitive task that is not profitable and consumes serious time.

Vulnerability Assessment Solutions

Smart testing that works: for clients, for penetration testers, and for developers.

Methodological vulnerability assessments and penetration tests are not created in heaven, nor do they fall from the sky. Security experts who do what they do, and penetration testers who have proven themselves by professionally running target-oriented penetration tests, will agree on manually preparing test cases after scoping the web application for a specific goal in an engagement. The client requirement is the clear goal for the penetration testers; satisfying the developers' needs is another goal that has to be met, and hence a requirement analysis is undertaken by the Red Team (a group of penetration testers). After extensive enumeration, application scoping, and identifying every possible target by examining the application's background and present status, a complete risk assessment for the project is drawn up and presented to the applicable distribution list (executives, leads and representatives).

After the scope, subscription prices and a formal meeting to set the goals of the penetration testing engagement have been finalized, the testers are given a priority list along with the authorization to conduct the engagement manually. After taking up the engagement contracts and operationally testing the application for specific loopholes that might be a risk to the company in production or development (either or both), a progress chart has to be prepared showing how much of the testing has been covered, which assets have been secured, and why certain business risks have now been mitigated as per the commitments to the goals of the whole project or engagement. This is highly effective, determined, tactical and customized penetration testing designed to deliver what customers deserve.

Defencely has a clean set of effective, smart solutions that add value to your business. Not only does it offer custom penetration testing services that meet your requirements, it is a proven, methodological, manual vulnerability testing practice with people working behind the curtain (the entire Red Team!). This benefits the business with a clear understanding of the workflow and helps developers fix the potential threats which, if left open, could compromise the entire application and escalate to system compromise, web server compromise and data exfiltration from back-end databases. The Defencely security solution therefore provides its clients with total 360-degree security and keeps them under its protective umbrella.

About the Author

Shritam Bhowmick is an application penetration tester professionally equipped with both traditional and professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.’s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The R&D sector for application security is growing at Defencely and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. The application security guy!

Outside of his professional expertise in application security, Shritam Bhowmick uses his knowledge for constructive Red Team penetration test engagements for top Indian clients and has a proven record of excellence in the field of IT security. A Google search of his name would suffice. Shritam Bhowmick has delivered numerous research papers, mostly centred on application security, and loves to go deep into the details. This approach has led him to innovate rather than re-invent the wheel for others to harness old security concepts. In his spare time, of which there is barely any, he blogs, brainstorms on web security concepts and prefers to stay away from normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill.