
[Case Study] Enhancing DAST Security Scans for ACME News Company

Background
ACME, a prominent news publisher, operates hundreds of internet-facing websites. The sites are primarily content-focused and share a uniform technology stack; the administrative applications behind them are not reachable from the internet. Because the public sites accept very little user input and are largely static, a full manual penetration test of each one seemed disproportionate. The brand damage that a defaced or compromised site could cause was, however, a significant concern.

Challenge
ACME wanted automated Dynamic Application Security Testing (DAST) scans of all of its websites on a monthly basis. The difficulty was the sheer number of links across the sites combined with their minimal functionality: the scanner spent its time on a very large number of links that exercised only a handful of distinct server-side functions. Each scan took days to complete, which delayed the identification of potential vulnerabilities.

Solution
Blueinfy, drawing on its experience with DAST scanners and an understanding of ACME's technology stack, developed an approach to optimize the scanning process. Instead of an exhaustive scan of every link, Blueinfy devised a methodology in which each unique piece of functionality was tested only once. This reduced the scanning time significantly while preserving the accuracy of the results.

Blueinfy also tuned the DAST scanner to ACME's technology stack, so that the checks run were relevant to that stack and focused on the vulnerability classes that mattered most for it. To integrate with ACME's GRC platform, the scan results were converted into the platform's CSV import format, so the data could be loaded and used without manual rework.
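The scope-reduction step described above can be illustrated in code. The following is an added example written for this page, not Blueinfy's tooling or ACME's configuration: it collapses crawled URLs into route templates (dates and word-dash slugs become placeholders, fixed words such as "search" stay literal, query parameter names are kept but values dropped), keeps one representative URL per template for the scanner, and serializes findings into a fixed-column CSV. The sample URLs, the segment rules, the static-asset list and the GRC column layout are all assumptions made for the example.

```python
import csv
import io
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample crawl output from two fictional ACME sites. A real crawl
# of a news site returns thousands of article links that all hit the same
# article-rendering code.
CRAWLED_URLS = [
    "https://news.acme.example/2024/01/15/markets-rally",
    "https://news.acme.example/2024/01/16/election-update",
    "https://news.acme.example/2024/02/03/weather-warning",
    "https://news.acme.example/search?q=rally&page=2",
    "https://news.acme.example/search?q=election",
    "https://news.acme.example/tag/world-news",
    "https://news.acme.example/tag/local-news",
    "https://sports.acme.example/2024/03/01/cup-final",
    "https://sports.acme.example/tag/premier-league",
    "https://news.acme.example/static/app.js",
]

# Path segments that look like article data (dates, slugs) are collapsed to a
# placeholder; fixed words such as "search" or "tag" stay literal because they
# select different server-side functionality. Rules are assumptions for the demo.
SEGMENT_RULES = [
    (re.compile(r"^\d{4}$"), "{year}"),
    (re.compile(r"^\d{1,2}$"), "{num}"),
    (re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$"), "{slug}"),
]

# Static assets carry no server-side logic worth active testing.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".ico")


def url_template(url):
    """Reduce a URL to host + normalized path + sorted query parameter names."""
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        if not seg:
            continue
        for pattern, placeholder in SEGMENT_RULES:
            if pattern.match(seg):
                seg = placeholder
                break
        segments.append(seg)
    template = parts.netloc + "/" + "/".join(segments)
    params = sorted(parse_qs(parts.query, keep_blank_values=True))
    return template + ("?" + ",".join(params) if params else "")


def select_scan_targets(urls):
    """Return one representative URL per template (first seen wins), skipping
    static assets. This is the list handed to the scanner instead of the
    full crawl."""
    targets = {}
    for url in urls:
        if urlsplit(url).path.lower().endswith(STATIC_EXT):
            continue
        targets.setdefault(url_template(url), url)
    return targets


# Column layout assumed for the GRC import; the real ACME format is not given.
GRC_COLUMNS = ["site", "template", "url", "severity", "title"]


def findings_to_csv(findings):
    """Convert scanner findings (dicts with url, severity, title) into the
    fixed-column CSV the GRC platform imports. The template column lets the
    GRC side group one finding per affected function rather than per URL."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=GRC_COLUMNS, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for finding in findings:
        row = dict(finding)
        row["site"] = urlsplit(finding["url"]).netloc
        row["template"] = url_template(finding["url"])
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    for template, url in select_scan_targets(CRAWLED_URLS).items():
        print(f"{template:55} <- {url}")
```

On the ten sample links this yields six scan targets; the three article URLs on the news site collapse to one, as do the tag pages, while the two search URLs stay separate because their parameter sets differ. Segment rules need to be reviewed against the real crawl before trusting the reduction, since an over-eager slug rule would hide a genuinely different endpoint.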

Outcome
With this approach ACME implemented a faster and more effective scanning process. Scans now complete in time to be useful, so vulnerabilities can be addressed promptly and the brand protected. Tuning the scanner and delivering the results as CSV meant the data was both actionable and easily imported into ACME's existing systems.

Blueinfy's experience configuring DAST scanners for a specific technology stack produced a solution that was both time-efficient and accurate, and the engagement underscored the value of specialized knowledge in solving a customer's particular scanning problem.

Article by Hemil Shah

Authentication and Authorization Security Controls – Code Analysis

Authentication

Web applications run on a server and are usually consumed by browsers. Authentication is most often form-based and carried over HTTP, and several layers take part in it, each of which needs its own protection. A number of authentication mechanisms are available to an application: NTLM, Basic, Digest, HTML form-based, LDAP, certificate-based and so on. Authentication in a web application has two aspects: establishing who the user is, and then maintaining a channel for that authenticated user, since HTTP itself is stateless. Several distinct controls together protect the authentication process, and if any one of them is missing or poorly written it opens a severe vulnerability in the application. Possible issues and vulnerabilities include:
1.) Authentication responses disclosing sensitive information (for example, revealing whether a username exists)
2.) No auditing of authentication events
3.) No account lockout policy
4.) Authentication bypass through injection into the SQL or LDAP back end
5.) Weak password policy
6.) No CAPTCHA or similar anti-automation control
7.) Credentials not transmitted securely
8.) Credentials stored on the client side where they can be retrieved
9.) Poorly constructed authentication tokens or cookies
10.) Single Sign-On (SSO) that can be abused
11.) Deliberately created backdoors
12.) Hidden fields and information exposure
Authentication controls are part of the application code, and it is imperative to analyze the full mechanism in detail; this layer of code is where such loopholes are found. Authentication is critical for sensitive and transactional sites such as banking, trading and mail systems. An attacker who bypasses authentication takes over the entire session and has a foothold from which to advance the attack. Over the years we have seen the following attack vectors repeatedly:
1.) Brute forcing
2.) Cookie theft and replay
3.) Authentication injection through SQL or LDAP
4.) Network eavesdropping and malicious code
5.) Dictionary attacks
6.) Exploiting backdoors
7.) Hidden data manipulation
8.) Local storage and information theft
These attacks are easy to carry out with readily available frameworks. The source code is where the application defends against them, and it can be written to protect against all of the above.
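Several of the controls in the lists above can be shown together in one login routine. The following is an added example written for this page, not code from the original post or from any product: a small authentication service backed by an in-memory SQLite table that looks users up with a parameterized query (no SQL injection into the credential check), stores only salted PBKDF2 hashes, compares them in constant time, returns one generic failure message for unknown user, wrong password and locked account alike (no username disclosure), enforces an account lockout after repeated failures, records every authentication event for auditing, and issues an unguessable session token on success. The lockout thresholds, iteration count, table layout and event names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from typing import Optional, Tuple

# Policy values are assumptions for this example, not any product's defaults.
MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lockout lasts
PBKDF2_ROUNDS = 100_000     # kept low for the demo; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256
GENERIC_FAILURE = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")   # stands in for the real user store
        self.db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
        self.failures = {}   # username -> (count, time of last failure)
        self.sessions = {}   # session token -> username
        self.audit = []      # (time, event, username); a real app ships these to a log sink
        # Dummy credential so an unknown username costs the same as a wrong
        # password: no timing oracle for username enumeration.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # Parameterized statement: the username is bound as data, never pasted
        # into the SQL text, so an injection payload has nothing to break out of.
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (username, salt, hash_password(password, salt)))

    def _locked(self, username: str, now: float) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def login(self, username: str, password: str,
              now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Return (session token or None, message). The failure message is the
        same for unknown user, wrong password and locked account, so the
        response does not reveal which usernames exist."""
        now = time.time() if now is None else now
        if self._locked(username, now):
            self.audit.append((now, "login_locked", username))
            return None, GENERIC_FAILURE
        row = self.db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                              (username,)).fetchone()
        salt, stored = row if row else (self._dummy_salt, self._dummy_hash)
        # Constant-time comparison of the derived hash against the stored one.
        match = hmac.compare_digest(hash_password(password, salt), stored)
        if row is None or not match:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, now)
            self.audit.append((now, "login_failed", username))
            return None, GENERIC_FAILURE
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self.sessions[token] = username
        self.audit.append((now, "login_ok", username))
        return token, "OK"
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production it is simply omitted. Note that the lockout state lives per username, so a distributed password-spraying attack across many accounts is not slowed by it; that is what the CAPTCHA or rate limiting item in the list above addresses.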

Authorization

Once a user is authenticated, the next requirement is to maintain authorization throughout the application. Authorization is enforced with proper access control lists (ACLs), and because the application runs over stateless HTTP, session tokens are needed to carry the authorized identity from one request to the next. Several weaknesses can undermine authorization for the whole application and lead to exploitable vulnerabilities. Weak areas to look for include:
1.) Insecure session tokens
2.) Weak authorization mechanism
3.) Client-side tampering and manipulation
4.) Data and SQL injection
5.) Bypass giving access at the system level
6.) Authorization checked only at one point (for example, at login) rather than on every request
7.) Forced browsing and URL manipulation
8.) Guessable resource names and access
9.) Role-based access control bypass and weaknesses
These weaknesses open up several different vulnerabilities, give access to resources that should be protected, and enlarge the attack surface. Popular attack vectors against authorization are:
1.) Elevation of privilege
2.) Confidential data leakage
3.) Data tampering
4.) Session hijacking
5.) Session token exploitation
6.) Authorization injection
7.) URL brute forcing
8.) Client-side reverse engineering and exploits
These attacks are very common against applications. Detecting authorization vulnerabilities requires analyzing the application's logic in detail, because a scanner cannot know which user is supposed to see which resource.
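The difference between authorization checked in one place and authorization checked on every request is easiest to see in code. The following is an added example written for this page, not code from the original post: a document service in which every handler passes through a single `authorize()` chokepoint that resolves identity from the server-side session (never from a client-supplied user id or role), applies a deny-by-default role permission table, and then checks object ownership, so a user cannot reach another user's document by changing an id in the URL. A deliberately insecure handler is included for contrast. Roles, actions, the permission table and the sample documents are assumptions made for the example.

```python
from dataclasses import dataclass

# Roles, actions and this permission table are assumptions for the example.
# Anything not listed is denied.
PERMISSIONS = {
    ("user", "read"): True,
    ("user", "write"): True,
    ("admin", "read"): True,
    ("admin", "write"): True,
    ("admin", "delete"): True,
}


class Forbidden(Exception):
    """Raised for every authorization failure. The message is for the server
    log; the client gets one uniform 403 regardless of the reason."""


@dataclass
class User:
    user_id: int
    role: str


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


class DocumentService:
    def __init__(self):
        self.docs = {}       # doc_id -> Document
        self.sessions = {}   # session token -> User, populated by the login flow

    def authorize(self, token, action, doc_id):
        """Single chokepoint every handler goes through. Identity comes from
        the server-side session, then the role permission is checked, then
        ownership of the specific object."""
        user = self.sessions.get(token)
        if user is None:
            raise Forbidden("no valid session")
        if not PERMISSIONS.get((user.role, action), False):   # deny by default
            raise Forbidden(f"role {user.role} may not {action}")
        doc = self.docs.get(doc_id)
        if doc is None:
            raise Forbidden("no such document")   # same outcome as denied: no existence oracle
        if user.role != "admin" and doc.owner_id != user.user_id:
            raise Forbidden("not the owner")
        return user, doc

    # Hardened handlers: each one calls authorize() before touching data.
    def read(self, token, doc_id):
        _, doc = self.authorize(token, "read", doc_id)
        return doc.body

    def delete(self, token, doc_id):
        self.authorize(token, "delete", doc_id)
        del self.docs[doc_id]
        return True

    # Vulnerable handler for contrast: it trusts the id straight from the
    # request and never asks who is calling, so any caller who guesses or
    # increments the id reads any document (forced browsing / IDOR).
    def read_insecure(self, doc_id):
        return self.docs[doc_id].body


def build_sample_service():
    """Constructed fixture: two documents owned by different users, one
    ordinary user session and one admin session."""
    svc = DocumentService()
    svc.docs[1] = Document(1, owner_id=100, body="alice's draft")
    svc.docs[2] = Document(2, owner_id=200, body="bob's payroll export")
    svc.sessions["tok-alice"] = User(100, "user")
    svc.sessions["tok-admin"] = User(999, "admin")
    return svc
```

Returning the same `Forbidden` for a missing document and for a document the caller may not see closes the "guessable resources" item in the list above: an attacker enumerating ids cannot tell which ones exist.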

Validations and Error Handling – Security Controls

Input Validations

The majority of web application vulnerabilities arise from poor or missing input validation at the application's entry points. Countless vulnerabilities of this type exist, and applications are exploited through them every day. Essentially, when developers do not treat every input as hostile, the input is consumed directly by the application and carries its payload into the business logic, forcing the application into a vulnerable state. Vulnerabilities arising from poor input validation in the code include:
1.) Injection in its various forms (SQL, LDAP, XPath, etc.)
2.) Cross-Site Scripting (XSS)
3.) Cross-Site Request Forgery (CSRF)
4.) Buffer overflows
5.) Integer and logical boundary overruns
6.) Canonicalization issues
7.) Client-side validation that can be bypassed
8.) Serialization attacks
9.) Information leakage
Input validation flaws are comparatively easy to detect, because the application usually breaks and returns an abnormal response, and that response carries a signature that indicates the type of vulnerability. Attackers and testers typically fuzz the inputs to determine the state of validation. This is one of the most important domains of application security.
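Two of the items above, allowlist validation and canonicalization, are shown in the following added example, which is written for this page and is not code from the original post. `validate_field()` accepts a value only if it fully matches an allowlist pattern for that field; `safe_path()` takes a user-supplied file name for a download endpoint, canonicalizes it (URL decoding, backslash normalization, `..` and symlink resolution) and only then checks that the result lies under the base directory, which is what a substring test for `..` gets wrong. The field rules, the sample directory tree and the traversal payload list are assumptions made for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Allowlist patterns (assumed for the example): input that does not match is
# rejected outright rather than "cleaned"; denylist filters are what attackers
# spend their time evading.
FIELD_RULES = {
    "article_id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "filename": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}"),
}


class ValidationError(ValueError):
    pass


def validate_field(name, value):
    """Return value unchanged if it fully matches the allowlist for the field."""
    if not isinstance(value, str) or not FIELD_RULES[name].fullmatch(value):
        raise ValidationError(f"{name}: value rejected")
    return value


def safe_path(base_dir, user_path):
    """Canonicalize first, check second. URL-decode, treat backslash as a
    separator, resolve '..' and symlinks, then require the result to stay
    under base_dir. Looking for '..' in the raw string is not enough:
    '%2e%2e', 'a/../..' and absolute paths all slip past a substring test."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise ValidationError("NUL byte in path")
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValidationError("path escapes base directory")
    return candidate


def make_sample_tree():
    """Constructed directory layout for the demo: <base>/reports/q1.txt."""
    base = tempfile.mkdtemp(prefix="dl-")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
        fh.write("quarterly report")
    return base


# Constructed traversal attempts; every one must be rejected.
TRAVERSAL_ATTEMPTS = [
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "reports/../../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
]
```

`safe_path()` decodes exactly once; a double-encoded `%252e%252e` becomes the literal directory name `%2e%2e` inside the base directory, which is harmless, rather than being decoded again. Where the file name comes from an allowlisted field, `validate_field("filename", ...)` applied first removes the traversal question entirely.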

Data Validations

An application needs places to store and fetch data. It may use a database, the file system, third-party applications, cross-domain calls or APIs, browser memory and more. All of these sources can be manipulated by an attacker to steal information or alter the application's behavior. In the Web 2.0 era applications no longer run in isolation on a single domain; they are interlinked and exchange information with each other. Application data is no longer confined to a database or dataset: it arrives as XML, RSS feeds, JSON and so on, and the application must validate that data before consuming it. Weak areas that can lead to vulnerabilities include:
1.) Proxy injection from a third-party stream
2.) XSS injection through RSS feeds
3.) Client-side logic bypass
4.) Upload and download stream injection
5.) Remote command or code injection and execution
6.) Callback manipulation in JavaScript
Data validation is becoming as important as input validation: any stream must be validated before it is consumed, whether on the server or on the client. We are seeing new ways of attacking in this area wherever code is not developed securely.
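The feed case in the list above is shown in the following added example, written for this page and not taken from the original post. A partner feed (JSON here rather than RSS, to stay within the standard library; the validation logic is the same) is checked against an explicit schema before any item is accepted: required fields must be present and be strings, lengths are bounded, and links must be `http` or `https`, which rejects `javascript:` and `data:` URLs. Accepted items are then HTML-escaped at the point they are placed into the page. The sample feed, its hostile entries and the limits are constructed for the example.

```python
import html
import json
from typing import NamedTuple
from urllib.parse import urlsplit

# Limits are assumptions for the example.
MAX_TITLE = 200
MAX_SUMMARY = 1000
ALLOWED_SCHEMES = {"http", "https"}


class FeedItem(NamedTuple):
    title: str
    link: str
    summary: str


# Constructed feed as a partner site might return it. The third item is
# hostile: a script in the title, a javascript: link and an oversized summary.
SAMPLE_FEED = json.dumps({"items": [
    {"title": "Markets rally", "link": "https://partner.example/a/1", "summary": "Stocks up 2%"},
    {"title": "Rain expected", "link": "https://partner.example/a/2", "summary": "Umbrellas out"},
    {"title": "<script>alert(document.cookie)</script>", "link": "javascript:alert(1)",
     "summary": "x" * 5000},
    {"title": "Missing fields"},
    {"title": "Q&A with the <b>editor</b>", "link": "https://partner.example/a/3",
     "summary": "Transcript"},
]})


def _valid_link(link):
    parts = urlsplit(link)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def _reject_reason(entry):
    """Return why an item is unacceptable, or None if it passes the schema."""
    if not isinstance(entry, dict):
        return "not an object"
    fields = [entry.get(k) for k in ("title", "link", "summary")]
    if not all(isinstance(v, str) for v in fields):
        return "missing or non-string field"
    title, link, summary = fields
    if len(title) > MAX_TITLE or len(summary) > MAX_SUMMARY:
        return "field too long"
    if not _valid_link(link):
        return "link scheme not allowed"
    return None


def parse_feed(raw):
    """Validate each item before it is accepted. Returns (accepted items,
    rejection reasons). Malformed or hostile items are dropped, not repaired."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [], [f"feed is not JSON: {exc}"]
    entries = doc.get("items", []) if isinstance(doc, dict) else []
    items, rejected = [], []
    for idx, entry in enumerate(entries):
        reason = _reject_reason(entry)
        if reason is not None:
            rejected.append(f"item {idx}: {reason}")
        else:
            items.append(FeedItem(entry["title"], entry["link"], entry["summary"]))
    return items, rejected


def render_items(items):
    """Escape every field where it is placed into HTML. The link is already
    restricted to http(s); quote=True also escapes the quotes that would
    otherwise break out of the href attribute."""
    rows = []
    for item in items:
        rows.append('<li><a href="{}">{}</a>: {}</li>'.format(
            html.escape(item.link, quote=True),
            html.escape(item.title),
            html.escape(item.summary)))
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"
```

Validation and escaping are separate steps on purpose: validation decides whether an item enters the system at all, and output escaping protects the page even if a legitimate item contains angle brackets, as the "Q&A with the <b>editor</b>" entry does.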

Error Handling

Error and exception handling is an important aspect of the development process. Many applications are written without a strong, central error handling routine. Errors that are not handled properly can lead to information leakage, denial of service (DoS) and more. Security vulnerabilities arising from poor error handling include:
1.) Information leakage
2.) Logic bypass
3.) Internal logic and routine disclosure
4.) Denial of service (DoS)
5.) Stack trace enumeration
Several best practices for error and exception handling need to be followed in source code. The common attack vectors against error handling routines are:
1.) Fuzzing and fault injection
2.) Denial of service injection
Automated scanners and engines detect vulnerabilities based on error signatures, so verbose error responses are very useful to them. Poor error handling is one of the most common sources of information leakage.
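A central error handling routine of the kind described above looks like the following added example, written for this page and not taken from the original post. Expected failures carry a curated public message and status; anything unexpected is logged server-side in full, with stack trace and arguments, under a short reference id, and the client receives only the generic message and that id for support correlation. The leaky handler is included for contrast, and the simulated database error, the status codes and the log sink are assumptions made for the example.

```python
import io
import logging
import traceback
import uuid

# Server-side error log. A StringIO handler stands in for the real log sink
# so the example runs self-contained.
LOG_BUFFER = io.StringIO()
_logger = logging.getLogger("app.errors")
_logger.setLevel(logging.ERROR)
_logger.propagate = False
if not _logger.handlers:
    _logger.addHandler(logging.StreamHandler(LOG_BUFFER))


class AppError(Exception):
    """Expected failure with a message that is safe to show the client."""
    status = 400

    def __init__(self, public_message):
        super().__init__(public_message)
        self.public_message = public_message


class NotFound(AppError):
    status = 404


def handle_request(handler, *args):
    """Central handler every endpoint is wrapped in. Expected errors get their
    curated message; anything else is logged in full under a reference id,
    and the client sees only the id."""
    try:
        return 200, {"result": handler(*args)}
    except AppError as exc:
        return exc.status, {"error": exc.public_message}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        _logger.error("ref=%s args=%r\n%s", ref, args, traceback.format_exc())
        return 500, {"error": "Internal error", "ref": ref}


def handle_request_insecure(handler, *args):
    """The pattern the text warns about, for contrast: the raw exception text
    and stack trace go straight to the client, where a scanner's error
    signatures pick them up."""
    try:
        return 200, {"result": handler(*args)}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


# Constructed endpoint: a non-numeric id is an expected client error, "404"
# is a missing record, and anything else simulates a database failure whose
# message carries table and query details.
def lookup_article(article_id):
    if not article_id.isdigit():
        raise AppError("article id must be numeric")
    if article_id == "404":
        raise NotFound("article not found")
    raise RuntimeError(
        "OperationalError: no such table: articles "
        "(query: SELECT body FROM articles WHERE id = %s)" % article_id)
```

The reference id is what makes the generic message workable in practice: the user can quote it, and the operator can find the full trace without the trace ever having left the server.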

Business Logic, Session and Crypto – Security Controls

Business Logic Handling

Business logic is the core of any application; if an attacker identifies a loophole in it, a severe set of vulnerabilities can follow, and a logic flaw combined with weak input validation is a dangerous cocktail. Business logic vulnerabilities are hard to identify and require a good understanding of the source code; the decision-making blocks in the logic are the usual suspects. Common logical issues in source code are:
1.) Data type bypass
2.) ACL manipulation
3.) Read/write access
4.) Privilege escalation at the application layer
5.) API abuse
6.) Cross-domain call and API manipulation
7.) Client-side logic reverse engineering
As the low-hanging fruit on an application gets exhausted, attackers move on to find something else, and logical vulnerabilities are one of the areas they target. Considerable secure coding effort is required to protect an application against business logic bugs and vulnerabilities.
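The "data type bypass" item above, and the general point that logic decisions must rest on server-side data, can be shown with a checkout calculation. The following is an added example written for this page, not code from the original post: the insecure version trusts the quantity, unit price and total that arrive in the request, so a negative quantity produces a credit and a rewritten price or total buys for nothing; the hardened version takes prices from the catalog, checks the quantity's type and range (rejecting strings and booleans, which Python would otherwise accept as integers), validates and consumes the coupon, and recomputes the total itself. The catalog, limits and coupon are assumptions made for the example.

```python
from decimal import Decimal

# Constructed catalog and policy limits (assumptions for the example).
CATALOG = {
    "SUB-MONTH": Decimal("9.99"),
    "SUB-YEAR": Decimal("99.00"),
    "GIFT-CARD": Decimal("25.00"),
}
MAX_QTY = 10
COUPONS = {"WELCOME10": Decimal("0.10")}   # code -> fractional discount, single use


class OrderError(ValueError):
    pass


def price_order_insecure(request):
    """Trusts the client's numbers. A negative quantity credits the account,
    a rewritten unit_price buys for pennies, and a forged total is accepted
    as-is without any calculation at all."""
    if "total" in request:
        return Decimal(str(request["total"]))
    return sum((Decimal(str(i["unit_price"])) * i["qty"] for i in request["items"]),
               Decimal("0"))


def price_order(request, used_coupons):
    """Every decision is taken from server-side data: the price comes from the
    catalog, the quantity is checked for type and range, the coupon is
    validated and marked used, and the total is recomputed. Any total or
    unit_price the client sent is simply ignored."""
    total = Decimal("0")
    for item in request.get("items", []):
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise OrderError("unknown sku")
        # bool is a subclass of int in Python, so exclude it explicitly;
        # "1" as a string is rejected too rather than silently converted.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError("invalid quantity")
        total += CATALOG[sku] * qty
    coupon = request.get("coupon")
    if coupon is not None:
        if coupon not in COUPONS or coupon in used_coupons:
            raise OrderError("invalid or already used coupon")
        used_coupons.add(coupon)
        total -= (total * COUPONS[coupon]).quantize(Decimal("0.01"))
    return total
```

The single-use coupon check is the same class of problem as the quantity check: the decision is made against state the server holds (`used_coupons`), never against a flag in the request saying the coupon is still valid.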

Session and Identity Handling

Session management and unique identity handling are very important aspects of web applications. Web applications run on HTTP, and one of that protocol's fundamental limitations is that it is stateless: HTTP cannot maintain state across requests, so over time mechanisms such as URL rewriting and cookie-based sessions were developed. A loophole in session management is a key vulnerability that can be exploited to gain unauthorized access to the system. Possible issues include:
1.) Session hijacking by eavesdropping
2.) Man-in-the-middle attacks
3.) Poor session identifier generation
4.) Browser attacks such as XSS to steal cookies
5.) Predictable session identifiers
6.) Session bypass and access
7.) Cookie scope and lifetime abuse
8.) Abuse of URL rewriting
9.) Access to locally stored session data
Session handling is closely linked to both the authentication and the authorization layer, and it can be complex to deploy. It is becoming more interesting still with Web 2.0 applications, where session management is needed for many different streams.
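Several items in the list above come down to how the session token is generated, how long it lives, and how the cookie carrying it is scoped. The following is an added example written for this page, not code from the original post: a server-side session store that issues 256-bit tokens from the OS random source (nothing about the user is encoded in the token), enforces both an idle timeout and an absolute lifetime, deletes expired sessions on sight so they cannot be replayed, rotates the token on login or privilege change (which defeats session fixation), and renders the `Set-Cookie` attributes that keep the token away from script, off clear-text HTTP and out of cross-site requests. The timeouts and cookie name are assumptions made for the example.

```python
import secrets
import time

# Lifetime policy and cookie name are assumptions for the example.
IDLE_TIMEOUT = 30 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity
COOKIE_NAME = "SESSIONID"


class SessionStore:
    """Server-side session table keyed by an unguessable token. The token is
    only a lookup key; user identity and role live on the server."""

    def __init__(self):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token, now=None):
        """Return the user for a live session, or None. Expired sessions are
        deleted on sight so an old token cannot be replayed later."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT or now - entry["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, token, now=None):
        """Issue a fresh token for the same user and retire the old one. Call
        this on login and on any privilege change: a token an attacker fixed
        or sniffed beforehand is then worthless."""
        user = self.lookup(token, now)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user, now)

    def destroy(self, token):
        """Logout: remove the server-side entry; clearing the cookie alone
        would leave the token valid."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps the token away from script (XSS),
    Secure keeps it off clear-text HTTP (eavesdropping), SameSite=Strict stops
    cross-site sends, Path limits scope, and omitting Max-Age makes it a
    session cookie the browser drops on exit."""
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

The `now` arguments exist so the timeouts can be exercised deterministically; production code omits them. Storing sessions server-side, rather than encoding user and role into the cookie, is what makes the "cookie scope and lifetime" and "local session storage" items in the list manageable: the client holds nothing but a random key.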

Crypto and secret handling

Cryptography is another important aspect of modern applications. An application needs to keep certain data and information secret, and that data is often used by internal users as well, so it should not be accessible in clear text even to them. An application's use of cryptography needs to be evaluated thoroughly; vulnerabilities and weak areas in this domain include:
1.) Poor key generation
2.) Database fields that are not properly protected (social security numbers should be encrypted; passwords should be hashed with a salted, slow hash rather than encrypted)
3.) Poor, home-grown encryption
4.) Checksum spoofing
5.) Secrets in the source code itself
6.) Configuration files containing secrets
7.) Secrets revealed in error messages or by other means
Source code assessment can identify weak areas in cryptography and secret management. This is another very critical area of the application.
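Items 1, 4, 5 and 6 in the list above are shown in the following added example, written for this page and not taken from the original post. A signing key is generated from the OS random source and loaded from the environment at runtime, failing closed if it is missing or too short, rather than living as a constant in source or in a checked-in configuration file. An unkeyed SHA-256 checksum on a client-held value is then contrasted with an HMAC: the checksum can be recomputed by anyone who alters the value, the HMAC cannot be produced without the key. The environment variable name and the sample value are assumptions made for the example; encrypting database fields needs an authenticated cipher such as AES-GCM from a library like `cryptography`, which is outside the standard library and not shown here.

```python
import hashlib
import hmac
import os
import secrets

KEY_ENV_VAR = "APP_SIGNING_KEY"   # assumed name; holds a hex-encoded 32-byte key
MIN_KEY_BYTES = 32


def generate_key():
    """256-bit key from the OS CSPRNG. Not random.random(), not a hash of the
    hostname or the clock: those are the 'poor key generation' in the list."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def load_key(env=None):
    """Read the key from the environment (or a secrets manager in production),
    never from a literal in source or a config file in the repository.
    Fails closed if the key is absent or too short."""
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV_VAR)
    if raw is None:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    key = bytes.fromhex(raw)
    if len(key) < MIN_KEY_BYTES:
        raise RuntimeError("signing key too short")
    return key


# Weak pattern: an unkeyed digest "protecting" a value the client holds. The
# algorithm is the only secret, and it is not a secret.
def checksum_insecure(data):
    return hashlib.sha256(data).hexdigest()


def verify_insecure(data, checksum):
    return checksum_insecure(data) == checksum


# Keyed MAC: without the key the attacker cannot produce a valid tag.
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, data, tag):
    # compare_digest: constant time, so the tag cannot be guessed byte by byte
    return hmac.compare_digest(sign(key, data), tag)


def demo_tamper(key):
    """Constructed scenario: a profile value held by the client under both
    schemes. The attacker flips role=user to role=admin. With the unkeyed
    checksum they simply recompute it; with the HMAC the best they can do is
    reuse the original tag, which fails. Returns (weak_accepted, mac_accepted)."""
    original = b"user=alice;role=user"
    tampered = b"user=alice;role=admin"
    weak_accepted = verify_insecure(tampered, checksum_insecure(tampered))
    mac_accepted = verify(key, tampered, sign(key, original))
    return weak_accepted, mac_accepted
```

Loading the key through a function also gives a single place to audit: a reviewer searching the code base for `KEY_ENV_VAR` finds every consumer, whereas a key embedded as a literal tends to be copied into several files.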

Software Development Life Cycle (SDLC) for Application Security

Web application software has its own development life cycle, which can be divided into six broad phases: requirements, architecture, design, implementation, deployment and testing, as shown in the figure.
Figure: Software Development Life Cycle (SDLC) and Security
To protect the final application, an organization needs its own Application Security Cycle (ASC). While development is going on, the organization can define tasks that run in parallel with it to improve the security of the end product. One obvious means is the dissemination of application security knowledge at all levels through training and related literature. Here we focus on the other aspects of the ASC and map them onto the SDLC. The phases of the cycle, with their security tasks and tools, are:
Requirements – The organization defines the application requirements and higher-level goals with respect to its objectives; at the same time it can define the security policies and controls that everyone must follow during the process.
Tools – Policy documents, threat and risk frameworks, corporate guidelines
Architecture – The application architecture consists of various components such as web and application servers, databases and third-party components. Once the architecture is laid down on paper with the key information, it can be reviewed in full with respect to security and the integration points between components. Many vulnerabilities can be observed at this stage, and the defense can be built into the architecture itself.
Tools – Threat modeling tool and framework
Design – The design phase contains much more granular interactions and class layouts. This is the ideal time to perform a full threat model of the application covering all use cases and branches of interaction. The threat model builds a proper attack profile and the corresponding security controls; it also sets the path forward for developers, in the form of remediation guidelines, and for the QA team, in the form of analysis approaches.
Tools – Threat modeling tool and framework
Implementation – Developers follow best practices and secure coding guidelines. These guidelines, together with the threat model, make the implementation more secure and provide countermeasures for all the threats described. Security libraries can be used for specific tasks, for example AntiXSS for XSS defense.
Tools – Secure coding libraries and secure coding best practices
Deployment – Once the application is about to be deployed, or while initial QA testing is under way, secure code review can begin. Source code can be reviewed with static analysis tools, instrumentation or related techniques, which verifies that the policies, controls and countermeasures defined in the threat model were actually implemented.
Tools – Source analysis and instrumentation tools
Testing – Security testing of the application can be done with a zero-knowledge (black-box) approach, if needed, to verify on top of the source code assessment. Various test cases can be run at the protocol layer, together with fuzzing techniques, to determine the strength of the security.
Tools – Scanners
Throughout the Application Security Cycle the organization needs various tools and a knowledge base. A stronger cycle leads to better security and can have a significant impact on the overall architecture, design and implementation.