Solved

Common issues found in vuln assessments

Posted on 2012-09-21
Last Modified: 2012-10-03
I just wondered, if you do vuln asst/pen testing for external clients, whether you would be willing to share the common security weaknesses you find in your assessments? Specifically the levels below the application front end (SQLi etc.) are what I am mainly intrigued by, just to see what vulns you find regularly in assessments - as there aren't really many people to share such common issues with.
Question by:pma111
9 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 668 total points
ID: 38423611
The OWASP top 10 really is the top ten for a reason :)
Persistent XSS is harder to achieve than is indicated when doing an assessment; you can't always get it to stick. You find a lot more reflected XSS than you do persistent. But one can lead to the other, so you have to manually hunt around. SQLi is still very easy; sanitization is tough to get right, but using prepared statements or SQLi frameworks is best. Old versions of software is the other: outdated IIS or Apache are easy to exploit, and unless some mitigation is done (it never is :) then just the server header will tell you how the rest of the assessment is going to go.
https://www.owasp.org/index.php/Top_10_2010-Main
Nothing beats a good pair of eyes though; scanning tools miss quite a lot. Comments and metadata make it into production code all the time, and you can get usernames, passwords, IPs, internal server names etc.
-rich
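Rich's point that "sanitization is tough to get right, but prepared statements are best" is easiest to see side by side. The following is an added example (not code from the thread or from any participant): a constructed in-memory SQLite table, a lookup that splices the caller's input into the SQL text, a typical hand-rolled quote-doubling "sanitizer", and the parameterized form. The table contents and the test input are constructed for the demonstration.

```python
"""Added example (not from the original thread): why string-built SQL is
hard to "sanitize" and why a prepared/parameterized statement is the fix.
The schema, the users and the test input are all constructed here."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The classic mistake: the caller's input becomes part of the SQL
    text, so the input can change the *structure* of the query, not just
    the value being compared."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def naive_sanitize(value: str) -> str:
    """A typical hand-rolled 'sanitizer' that doubles single quotes.  It
    happens to defeat the input below, but the query structure is still
    built from strings: it is easy to forget to call, and it does nothing
    for unquoted numeric columns or identifiers.  Shown for contrast only."""
    return value.replace("'", "''")


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared/parameterized statement: the SQL text is fixed and the
    value travels separately, so it is only ever compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed test input: a quote that closes the literal, then an
# always-true condition.  Only the string-built query is affected by it.
CONSTRUCTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, CONSTRUCTED_INPUT))
    print("sanitized :", lookup_vulnerable(db, naive_sanitize(CONSTRUCTED_INPUT)))
    print("prepared  :", lookup_prepared(db, CONSTRUCTED_INPUT))
    print("prepared  :", lookup_prepared(db, "bob"))
```

The vulnerable lookup returns every row for the constructed input, the parameterized one returns nothing because no user is literally named `x' OR '1'='1`. The quote-doubling helper also returns nothing here, which is exactly why it keeps getting shipped; it fails the moment someone builds `WHERE id = {value}` without quotes.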
 
LVL 65

Assisted Solution

by:btan
btan earned 668 total points
ID: 38424296
It is all s/w faults - a lame excuse typically, but a matter of fact, as the due diligence check is not catered for enough or, worse still, nobody is aware of security lifecycle events such as those you mentioned. So if we are doing those scans, I still see appl flaws being the prevalent ones; the common network enumerations and unnecessary services should be locked down, or the server hardened accordingly. The web appl is the entry point normally, esp. from a blackbox external agent perspective.

If you have some time, glimpse through the charts (esp. fig 4) in the Coverity report :)

http://www.h-online.com/security/news/item/Study-finds-web-developers-undertake-too-little-vulnerability-testing-1710284.html 

Having said that, if you have tried shodanhq before, that is another avenue to search for certain fingerprints of exposure - old patch releases or vulnerable OS versions are an easy catch, and sometimes you don't even need to "exploit": merely listing the CVEs can already be convincing to the client (and esp. their stakeholders). I like cvedetails.com and itsecdb.com

http://www.shodanhq.com/
Assisted Solution by: ahoffmann (LVL 51, earned 664 total points), ID: 38426892
> ... common security weaknesses ...
Everything has already been online for ages:
OWASP Top 10 (link, see above)
SANS 25 http://cwe.mitre.org/top25/
Author Comment by: pma111 (LVL 3), ID: 38432042
What about at a system/server level, i.e. lower down the stack? What issues do you come across there regularly?
Expert Comment by: ahoffmann (LVL 51), ID: 38432167
If you mean going down (in numbers) the OSI layers, then OWASP does not cover that, except if it is the web server itself and the encryption there; SANS covers some parts of the network too.
Anyway, anything on the network layers (mainly OSI 1-3) can be handled by proper version management and be detected by most scanners.
On the other side you may have issues there in configurations, like IPSec, TCP/IP TTL, SSL/TLS, which need manual inspection. AFAIK there is no concrete list about that, it's all experience (that's why you have to pay $$$$ for good consultants :)
Expert Comment by: Rich Rumble (LVL 38), ID: 38432336
"Down the stack (OSI)" seems relative to the applications running; vuln scans are not breaking the stack or finding flaws in TCP, so perhaps you mean things like: Missing patches? Misconfigured permissions on folders/files? Expired certificates? Default credentials unchanged? I find all of those ALL OF THE TIME, and they are still part of the OWASP top 10.
Now going further is a penetration test... vulns cover "foothold" or initial penetration. Once you jump from one external host into the internal ones you have to get more interactive. On the internal side you find things like no egress filtering, lack of separation or access controls. Too much internal trust: users are able to get to production servers and vice versa (so a virus may also jump from user to server). Weak passwords: most passwords have the company name or its popular products in them etc...
-rich
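Two of the findings Rich says he sees "all of the time" (expired certificates, and the version-disclosing Server header from his accepted answer) are cheap to check for before an assessor does. The following is an added example, not code from the thread or from any participant: it runs a banner check and a certificate-expiry check over constructed samples (raw response heads as `curl -I` would show them, and `notAfter` strings in the format Python's `ssl.getpeercert()` returns). Nothing is fetched from the network; the assessment date is fixed to the thread's date so the output is reproducible.

```python
"""Added example, not code from the thread or from any of its participants.
Turns two common findings (version banners in Server / X-Powered-By
headers, expired or soon-to-expire certificates) into checks a defender
can run over captured data.  All inputs are constructed samples."""
import re
import ssl
from datetime import datetime, timezone

# Constructed response heads, as `curl -I` or a scanner would capture them.
SAMPLE_RESPONSES = {
    "web1": ("HTTP/1.1 200 OK\r\n"
             "Server: Apache/2.2.3 (CentOS)\r\n"
             "X-Powered-By: PHP/5.1.6\r\n"
             "Content-Type: text/html\r\n\r\n"),
    "web2": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "web3": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Constructed notAfter values in the 'Mon DD HH:MM:SS YYYY GMT' form
# that ssl.getpeercert()["notAfter"] returns.
SAMPLE_CERTS = {
    "web1": "Oct  3 00:00:00 2012 GMT",
    "web2": "Jan  1 00:00:00 2012 GMT",
}

# Fixed "now" (the thread's date) so results are reproducible.
ASSESS_DATE = datetime(2012, 9, 21, tzinfo=timezone.utc)

# "product/1.2.3": a version number after a slash is what gets flagged.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_headers(raw: str) -> dict:
    """Skip the status line; lower-case header names for lookup."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw: str) -> list:
    """Flag Server / X-Powered-By values that carry a version string.
    A bare product name ("nginx") or an absent header is not flagged."""
    headers = parse_headers(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"{name} discloses version: {value}")
    return findings


def cert_days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)   # parses the GMT form above
    return int((expiry - now.timestamp()) // 86400)


def cert_findings(not_after: str, now: datetime, warn_days: int = 30) -> list:
    days = cert_days_remaining(not_after, now)
    if days < 0:
        return [f"certificate expired {-days} days ago"]
    if days < warn_days:
        return [f"certificate expires in {days} days"]
    return []


def assess(now: datetime = ASSESS_DATE) -> dict:
    """Run both checks over the samples; returns host -> list of findings."""
    report = {}
    for host, raw in SAMPLE_RESPONSES.items():
        findings = banner_findings(raw)
        if host in SAMPLE_CERTS:
            findings += cert_findings(SAMPLE_CERTS[host], now)
        report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in assess().items():
        print(host, "->", findings or "no findings")
```

The banner check deliberately ignores a bare product name: removing the version (`ServerTokens Prod` in Apache, `server_tokens off` in nginx) is the usual mitigation, and the regex only fires on what such a setting would have hidden. The 30-day warning threshold is an assumption, not a value from the thread.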
 
LVL 3

Author Comment

by:pma111
ID: 38432348
Ouch!
Expert Comment by: btan (LVL 65), ID: 38432770
Taking a quick snapshot, if this makes sense, down the OSI stack there are also attacks such as the ones below:
L3 - IP Spoof, BGP neighbor poisoning, SYN flood, Ping of Death, UDP flood
L2 - ARP Spoof, MAC Spoof, VLAN Hopping, MAC Flood, CAM exhaustion
Expert Comment by: ahoffmann (LVL 51), ID: 38433957
Don't forget those attacks which are not solely on a particular layer, like SSL MiTM attacks or slowloris.

Other examples not well documented and/or covered by the OWASP top 10 are attacks on web servers like malformed request-lines or GET requests with POST data.
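The two request anomalies ahoffmann names (malformed request-lines, and GET requests that carry POST-style data) are simple to recognise once the request line is held to its grammar. The following is an added example, not code from the thread or from any participant: a strict checker that can be run over captured requests (a proxy or web-server log, for instance) and reports a finding for each anomaly. The request-line pattern follows the RFC 7230 shape `method SP request-target SP HTTP-version`; the set of methods treated as body-less and the sample requests are constructed assumptions of the example.

```python
"""Added example, not code from the thread.  Strict detection of two
request anomalies: request lines that do not fit the grammar, and GET
(or HEAD) requests that carry a message body.  Sample requests are
constructed; the checker does not touch the network."""
import re

# RFC 7230 token characters; used for the method and for header names.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# Exactly: method, one space, non-empty target, one space, HTTP/x.y, end.
# Double spaces, tabs, a missing version or trailing junk all fail to match.
REQUEST_LINE_RE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")

# Assumption of this example: methods for which a body is treated as anomalous.
BODYLESS_METHODS = {"GET", "HEAD"}

# Constructed sample requests (raw, CRLF-delimited, as a proxy would log them).
SAMPLE_REQUESTS = {
    "clean":        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_body":     ("GET /search HTTP/1.1\r\nHost: www.example.com\r\n"
                     "Content-Length: 9\r\n\r\nq=foo&x=1"),
    "no_version":   "GET /index.html\r\nHost: www.example.com\r\n\r\n",
    "double_space": "GET  /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_header":   "GET /index.html HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def check_request(raw: str) -> list:
    """Return a list of findings for one raw request; empty means clean."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]

    match = REQUEST_LINE_RE.match(request_line)
    if match is None:
        # Nothing else is trustworthy if the first line is off, so stop here.
        return [f"malformed request line: {request_line!r}"]
    method = match.group(1)

    findings = []
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(TOKEN, name):
            findings.append(f"malformed header line: {line!r}")
            continue
        headers[name.lower()] = value.strip()

    # A body is "present" if bytes follow the blank line, or the headers
    # announce one (non-zero Content-Length or any Transfer-Encoding).
    declared_length = headers.get("content-length", "0")
    has_body = bool(body) or declared_length != "0" or "transfer-encoding" in headers
    if method in BODYLESS_METHODS and has_body:
        findings.append(f"{method} request carries a message body")
    return findings


def check_all(requests: dict = SAMPLE_REQUESTS) -> dict:
    """Run the checker over a name -> raw request mapping."""
    return {name: check_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(f"{name:13s} {findings or 'ok'}")
```

The checker is strict on purpose: a production server usually tolerates some of these forms, which is exactly why they are worth logging, since a request that only a lenient parser accepts is a request the server's own validation never anticipated.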