Chapter 9 - 04 - Application Security Testing Techniques and Tools - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Application Security

Web Application Fuzz Testing
O Web application fuzz testing (fuzzing) is a black-box testing method. It is a quality checking and assurance technique used to identify
coding errors and security loopholes in web applications

O Huge amounts of random data called ‘Fuzz’ will be generated by the fuzz testing tools (Fuzzers) and used against the target web
application to discover vulnerabilities that can be exploited by various attacks

O Employ this fuzz testing technique to test the robustness and immunity of the developed web application against attacks like buffer
overflow, DOS, XSS, and SQL injection

Fuzz Testing Scenario

Attack Script:
Setup('WebApplicationName’) do
@host = “localhost”
@port=80 Feeeeeseesd > Fuzz Program
end

Web Application Fuzz Testing
Web application fuzz testing (fuzzing) is a black box testing method. It is a quality checking and
assurance technique used to identify coding errors and security loopholes in web applications.
Massive amounts of random data called “fuzz” are generated by fuzz testing tools (fuzzers) and
used against the target web application to discover vulnerabilities that can be exploited by
various attacks. Attackers employ various attack techniques to crash the victim’s web
applications and cause havoc in the least possible time. Security personnel and web developers
employ this fuzz testing technique to test the robustness and immunity of the developed web
application against attacks such as buffer overflow, DOS, XSS, and SQL injection.

Steps of Fuzz Testing
Web application fuzz testing involves the following steps:
= |dentify the target system
* |dentify inputs
* Generate fuzzed data
= Execute the test using fuzz data
= Monitor system behavior

= Log defects
Fuzz Testing Scenario

The diagram below shows an overview of the main components of the fuzzer. An attacker script
is fed to the fuzzer, which in turn translates the attacks to the target as http requests. These

Module 09 Page 1194 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

http requests will get responses from the target and all the requests and their responses are
then logged for manual inspection.

Attack Script:
Setup(‘WebApplicationName’) do
@host = "localhost”
@port=80 eeesesees >
eeeeeseens Fuzz Program

end
v
Logs

Figure 9.11: Web application fuzz testing scenario

Module 09 Page 1195 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Application Whitelisting
QO Application whitelisting is a security practice to control access by Whitelisting Approach
allowing only aa list of approved applications, software, emails,

pes
domains, etc. (whitelisted applications)
QQO It automatically denies access to all applications other than the fi —E Trust Centric
whitelisted applications
OQ An application whitelist includes all the required (allowed)
applications l Deny By Default (Do Not Run)

Implementing application whitelisting helps
in the following: (Do Not Run the

» Protecting the applications in the organization from malware
attacks

» Mitigating zero-day attacks
» Increased visibility and greatly reduced attack surface
» Security independent of constant application updating
» Reduced bring-your-own-device (BYOD) risk

Application Whitelisting
Application whitelisting is a form of access control that allows only specific programs to run.
Unless a program is whitelisted, it is blocked on a host. Application whitelisting technologies are
also called application control programs or whitelisting programs.
The approach of application whitelisting is trust centric. By default, applications that are not in
the whitelist are prevented from being executed. To allow the execution of any program or
application, the security professional must add it in the application whitelist.

—»E Trust Centric

Deny By Default (Do Not Run)

Is No Deny
Application (Do Not Run the
on Whitelist? Application)

l ves
Allow
(Run the
Application)

Figure 9.12: Whitelisting approach

Module 09 Page 1196 EG-Council
Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Any runtime process, host, application and application components (plug-ins, configuration
files, software libraries, and extensions), email addresses, port numbers, etc. can be used to
create a whitelist.

Advantages of Whitelisting
Implementing application whitelisting ensures the confidentiality, integrity, and availability of
data. Application whitelisting provides security professionals and organizations the following
benefits.
Protection against malware attacks

The whitelisting of applications in an organization can prevent malware attacks. Any
application that is not in the whitelist is blocked.
Mitigating zero-day attacks
Generally, attackers start exploiting vulnerabilities once a software patch is released.
Occasionally, malware for unpatched systems is ready to be deployed in a short time
window during which a new patch has not yet been tested or implemented. Antivirus
vendors also take time to identify new signatures to produce and distribute.
Implementing application whitelisting hinders the execution of such vulnerabilities.
Improved efficiency of computers
Application whitelisting prevents unauthorized applications from running in
organizations, improving the efficiency of computers.
Increased visibility and greatly reduced attack surface

Application whitelisting removes many basic attacks by protecting against the attack
vector of download and execute. Application whitelisting enables organizations to track
which applications are running or blocked on company systems. Improving the
capability of monitoring and controlling applications greatly reduces the attack surface
area, unauthorized changes to applications, and inspection requirements.
Reclaiming bandwidth from streaming or sharing applications
Application whitelisting avoids the significant use of resources to operate unapproved
and unnecessary applications, ensuring the optimal utilization of company resources in
organizations. Application whitelisting limits the exposure of social media applications,
bans certain websites, eliminates games, and blocks other destructive applications that
consume excessive employee time and network bandwidth.

Avoiding organizations from facing lawsuits or paying unnecessary license fees

Application whitelisting helps organizations avoid troubles such as lawsuits or license
fees for unknowingly using unlicensed or illegal applications.
Security independent of constant application updating
Unlike antivirus programs, application whitelisting solutions do not need to get updated
periodically to be active.

Module 09 Page 1197 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

= Easier attack detection

Attack detection becomes easier when many attack activities are blocked, and attacks
generate a lot of noise. The noise created by attackers provide valuable information to
incident response teams. This helps in measuring how long it takes for an antivirus
solution to detect the existence of malware or changes on a system.
* Reduced bring-your-own-device (BYOD) risk
Application whitelisting reduces BYOD risk through the enforcement of mobile-
application policies.

Module 09 Page 1198 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.