[OWASP Sofia] Atanas Pashov - Pros n Cons of Penetration Testing (June 27th, 2019)

Details
In this session you will learn what penetration testing is, what its objectives and benefits are, and at what cost. You will also learn why some vulnerabilities may never be discovered by automated tools. You will see only real-life examples from real penetration tests: no theory, no set-ups, no fictitious vulnerabilities, nothing discovered by somebody else that you can find somewhere else.

Atanas is a cloud security penetration tester at SAP LAB Bulgaria. He has more than 10 years of experience in information security, working in various positions as an infosec manager, security officer, and network and firewall administrator for huge enterprise companies in different industries such as banking, service providers, pharmaceuticals and software development. He is keen on pentesting, especially from an infrastructure and web application perspective.

OWASP Sofia

June 27, 2019

Transcript

  1. • Cloud Security Penetration Tester
     • SAP Labs
     • Team of 3 security experts
     • Just 2 ½ years at SAP
     • …but has more than 10 years of IT security background
  2. What is Really Penetration Testing…?
     • Manual Security Validation of IT Products and Solutions;
     • Is There an Automated Approach? No, NOT Really!
     • Mindset of What Can go Wrong;
     • Draws the Thick Line Between Vulnerability and Exploit;
     • Guts to Break Things on a Daily Basis.
  3. Real Life Examples:
     • Burp & ZAP VS a pair of eyes and some insight…
     • Reflected XSS in Dynatrace Default 404 Error Page
     • Dynatrace is a Leader in Application Performance Management
     • Upper-Right Corner of Gartner Magic Quadrant
     • … And YET! They have XSS in their code…
  4. Real Life Examples:
     • Dynatrace Totally Messing up the Authentication Mechanism.
     • Sometimes you have to combine a few vulnerabilities into one to make an exploit – in our case: four
     • World readable file where the authentication token is kept
     • Authentication token is the same for all managed nodes
     • Nodes do not check central server certificate
     • Central Server does not check nodes’ certificates
     • No Application layer Encryption and Integrity
  5. Real Life Examples:
     • User Impersonation in SAP Cloud Platform?
     • Something like response splitting…?
     • Accounts.sap.com IDP has restriction but what about Proxy IDP?
  6. Where is it? Here it is:
     • Naming convention: i+XXXXXX+platformIdPTenantID
     • Example: i000012_milen.sso.ondemand.com (Dev IDP)
     • User with “\n” bad character that can be treated as new line
     • Example: i000012\nHEADER:_milen.sso.ondemand.com
     • Which will be: USER_CLIENT:i000012 HEADER:_milen.sso.ondemand.com
  7. Cloud Foundry Virtual Machine as a Service
     Three Critical Vulnerabilities:
     • Cloud Foundry ORG/Space RBAC was broken
     • SSH Tunnel Service – to access other ports than SSH
     • Remote Code Execution via Public Key population
  8. How does it work?
     • Query the VMaaS API for binding of VM name (in our case: jasenvm)
     • API returns the Internal Private IP address of the Virtual Machine
     • Opens reverse SSH tunnel to localhost and opens port (in our case: 56789)
  9. Wrap Up:
     • Dynamic Analysis Tools Are Not 100% accurate
     • Same Goes for Static Code Analysis / Scans
     • Cannot Combine Multiple Vulnerabilities into One
     • There is No Tool That Can Follow Logic/Business Flaws
     • Cannot perform complex operations - i.e.: patch binaries
  10. And the Drawbacks of course…:
     • Dedicated Team is needed
     • Vast Area of Expertise, Team Must Combine Different Backgrounds
     • It Is Definitely Not a Bulletproof Approach
     • Must Lobby a Lot In front of the Higher Management
  11. But the advantages are:
     • Greatly Increases the Products’ Security
     • Objective Risk Assessment
     • Have Security Experts That Are Recognized by Everyone
     • Really Sweats Out the Most of the External Pentesters
     • Positive Cost/Benefit analysis for Exploit Remediation and Follow-up
     • Helps for Threat Modeling and Security Architecture of Products
     • Know-how that stays in the company
     • Long-term investment that pays off!
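
The newline problem from slide 6, seen from the defender's side. This is an added example, not code from the talk or from SAP: it shows how a user name containing "\n" becomes a second header for a line-based consumer, and how an allow-list check on the whole value stops it. The function names, the regular expression for the user-name format and the lenient line-based parser are assumptions; the sample values are the ones on the slide.

```python
import re

# Assumed shape of a proxy-IdP user name, modelled on the slide's example
# "i000012_milen.sso.ondemand.com": "i" + six digits + "_" + tenant host name.
USER_NAME = re.compile(r"i[0-9]{6}_[a-z0-9-]+(\.[a-z0-9-]+)+")


def build_headers_naive(user_name):
    """Unsafe 'before': the user name is written into the header block as-is."""
    return "USER_CLIENT:" + user_name + "\r\n"


def build_headers_checked(user_name):
    """Hardened: the whole value must match the allow-list before it is used."""
    # fullmatch (not match or search) so that a trailing "\n" is rejected too.
    if not USER_NAME.fullmatch(user_name):
        raise ValueError("user name does not match the expected format")
    return "USER_CLIENT:" + user_name + "\r\n"


def parse_headers(block):
    """Hypothetical lenient downstream consumer: one header per line."""
    headers = {}
    for line in block.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


# Sample values from the slide's own example.
GOOD = "i000012_milen.sso.ondemand.com"
BAD = "i000012\nHEADER:_milen.sso.ondemand.com"

if __name__ == "__main__":
    print(parse_headers(build_headers_naive(GOOD)))  # one header
    print(parse_headers(build_headers_naive(BAD)))   # two headers: the injection
    try:
        build_headers_checked(BAD)
    except ValueError as exc:
        print("rejected:", exc)
```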