[OWASP Sofia] Atanas Pashov - Pros n Cons of Penetration Testing (June 27th, 2019)

Transcript

1. INTERNAL Atanas Pashov SAP Labs Bulgaria Pros & Cons of

   Penetration Testing

2. • Cloud Security Penetration Tester • SAP Labs • Team

   of 3 security experts • Just 2 ½ year at SAP • …but has more than 10 years of IT security background

3. What is Really Penetration Testing…? • Manual Security Validation of

   IT Products and Solutions; • Is There an Automated Approach? No, NOT Really! • Mindset of What Can go Wrong; • Draws the Thick Line Between Vulnerability and Exploit; • Guts to Break Things on a Daily Basis.

4. Real ( )Life Examples: • Burp & ZAP VS a

   pair of eyes and some insight… • Reflected XXS in Dynatrace Default 404 Error Page • Dynatrace is Leader in Application Performance Management • Upper-Right Corner of Gartner Magic Quadrant • … And YET! They have XSS in their code…

5. Where is it? Here it is: https://vsa2602507.wdf.sap.corp/accessforbidden-onprem.jsp? accProblemsParam=NO_TENANT&tenantUUID=%3Cscript %3Ealert(%22XSS%22)%3C%2fscript%3E

6. Real ( )Life Examples: • Dynatrace Totally Messing up the

   Authentication Mechanism. • Sometime you have to combine a few vulnerabilities into one to make an exploit – in our case: four • World readable file where the authentication token is kept • Authentication token is the same for all managed nodes • Nodes do not check central server certificate • Central Server does not check nodes’ certificates • No Application layer Encryption and Integrity

7. Where is it? Here it is: When communicating to FQDN:

   https://vsa2602507.wdf.sap.corp

8. Where is it Part 2? Here it is:

9. Real ( )Life Examples: • User Impersonation in SAP Cloud

   Platform? • Something like response splitting…? • Accounts.sap.com IDP has restriction but what about Proxy IDP?

10. Where is it? Here it is: • Naming convention: i+XXXXXX+platformIdPTenantID

    • Example: i000012_milen.sso.ondemand.com (Dev IDP) • User with “\n” bad character that can be treated as new line • Example: i000012\nHEADER:_milen.sso.ondemand.com • Which will be: USER_CLIENT:i000012 HEADER:_milen.sso.ondemand.com

11. Custom IDP via Proxy IDP scenario Pt.2

12. Custom IDP via Proxy IDP scenario Pt.3

13. Custom IDP via Proxy IDP scenario Pt.4

14. Cloud Foundry Virtual Machine as a Service • Cloud Foundry

    ORG/Space RBAC was broken • SSH Tunnel Service – to access other ports than SSH • Remote Code Execution via Public Key population Three Critical Vulnerabilities:

15. How dose it work? • Query the VMaaS API for

    binding of VM name (in our case: jasenvm) • API returns the Internal Private IP address of the Virtual Machine • Opens reverse SSH tunnel to localhost and opens port (in our case: 56789)

16. Tampering the Rest API Response…

17. … And here we go:

18. But what about access to other services?

19. Finally here we are!

20. Can it get worse than RCE… Same as this: Root

    cause, vulnerable code:

21. • GO Lang Scanned with Checkmarks – Did not find

    it!

22. Wrap Up: • Dynamic Analysis Tools Are Not 100% accurate

    • Same Goes for Static Code Analysis / Scans • Cannot Combine Multiple Vulnerabilities into One • There is No Tool That Can Follow Logic/Business Flaws • Cannot perform complex operations - i.e.: patch binaries

23. And the Drawbacks of course…: • Dedicated Team is needed

    • Vast Area of Expertise, Team Must Combine Different Backgrounds • It Is Definitely Not a Bulletproof Approach • Must Lobby a Lot In front of the Higher Management

24. But the advantages are: • Greatly Increase of the Products’

    Security • Objective Risk Assessment • Have Security Experts That Are Recognized by Everyone • Really Sweats Out the Most of the External Pentesters • Positive Cost/Benefit analysis for Exploit Remediation and Follow-up • Helps for Threat Modeling and Security Architecture of Products • Know-how that stays in the company • Long-term investment that pays off!

25. CONTACT INFORMATION Atanas Pashov / [email protected] SAP Labs Bulgaria THANK

    YOU