Chapter 9 - 04 - Application Security Testing Techniques and Tools - 02_ocred.pdf
Uploaded by barrejamesteacher
Certified Cybersecurity Technician Application Security Exam 212-82

Web Application Fuzz Testing

- Web application fuzz testing (fuzzing) is a black-box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications
- Huge amounts of random data called "fuzz" will be generated by the fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks
- Employ this fuzz testing technique to test the robustness and immunity of the developed web application against attacks like buffer overflow, DoS, XSS, and SQL injection

[Slide diagram: Fuzz Testing Scenario. Attack Script -> Fuzz Program]

Attack Script:
    Setup('WebApplicationName') do
        @host = "localhost"
        @port = 80
    end

Web Application Fuzz Testing

Web application fuzz testing (fuzzing) is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Massive amounts of random data called "fuzz" are generated by fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks. Attackers employ various attack techniques to crash the victim's web applications and cause havoc in the least possible time. Security personnel and web developers employ this fuzz testing technique to test the robustness and immunity of the developed web application against attacks such as buffer overflow, DoS, XSS, and SQL injection.

Steps of Fuzz Testing

Web application fuzz testing involves the following steps:

- Identify the target system
- Identify inputs
- Generate fuzzed data
- Execute the test using fuzz data
- Monitor system behavior
- Log defects

Fuzz Testing Scenario

The diagram below shows an overview of the main components of the fuzzer.
An attacker script is fed to the fuzzer, which in turn translates the attacks to the target as HTTP requests. These HTTP requests will get responses from the target, and all the requests and their responses are then logged for manual inspection.

[Figure 9.11: Web application fuzz testing scenario. Attack Script -> Fuzz Program -> Logs]

Attack Script:
    Setup('WebApplicationName') do
        @host = "localhost"
        @port = 80
    end

Application Whitelisting

- Application whitelisting is a security practice to control access by allowing only a list of approved applications, software, emails, domains, etc. (whitelisted applications)
- It automatically denies access to all applications other than the whitelisted applications
- An application whitelist includes all the required (allowed) applications

[Slide diagram: Whitelisting Approach. Trust centric; deny by default (do not run).]

Implementing application whitelisting helps in the following:

- Protecting the applications in the organization from malware attacks
- Mitigating zero-day attacks
- Increased visibility and greatly reduced attack surface
- Security independent of constant application updating
- Reduced bring-your-own-device (BYOD) risk

Application Whitelisting

Application whitelisting is a form of access control that allows only specific programs to run. Unless a program is whitelisted, it is blocked on a host. Application whitelisting technologies are also called application control programs or whitelisting programs. The approach of application whitelisting is trust centric.
By default, applications that are not in the whitelist are prevented from being executed. To allow the execution of any program or application, the security professional must add it to the application whitelist.

[Figure 9.12: Whitelisting approach. Trust centric, deny by default (do not run). Is the application on the whitelist? No: deny (do not run the application). Yes: allow (run the application).]

Any runtime process, host, application and application components (plug-ins, configuration files, software libraries, and extensions), email addresses, port numbers, etc. can be used to create a whitelist.

Advantages of Whitelisting

Implementing application whitelisting ensures the confidentiality, integrity, and availability of data. Application whitelisting provides security professionals and organizations the following benefits.

- Protection against malware attacks
  The whitelisting of applications in an organization can prevent malware attacks. Any application that is not in the whitelist is blocked.
- Mitigating zero-day attacks
  Generally, attackers start exploiting vulnerabilities once a software patch is released. Occasionally, malware for unpatched systems is ready to be deployed in a short time window during which a new patch has not yet been tested or implemented. Antivirus vendors also take time to identify new signatures to produce and distribute. Implementing application whitelisting hinders the execution of such vulnerabilities.
- Improved efficiency of computers
  Application whitelisting prevents unauthorized applications from running in organizations, improving the efficiency of computers.
- Increased visibility and greatly reduced attack surface
  Application whitelisting removes many basic attacks by protecting against the attack vector of download and execute.
  Application whitelisting enables organizations to track which applications are running or blocked on company systems. Improving the capability of monitoring and controlling applications greatly reduces the attack surface area, unauthorized changes to applications, and inspection requirements.
- Reclaiming bandwidth from streaming or sharing applications
  Application whitelisting avoids the significant use of resources to operate unapproved and unnecessary applications, ensuring the optimal utilization of company resources in organizations. Application whitelisting limits the exposure of social media applications, bans certain websites, eliminates games, and blocks other destructive applications that consume excessive employee time and network bandwidth.
- Preventing organizations from facing lawsuits or paying unnecessary license fees
  Application whitelisting helps organizations avoid troubles such as lawsuits or license fees for unknowingly using unlicensed or illegal applications.
- Security independent of constant application updating
  Unlike antivirus programs, application whitelisting solutions do not need to get updated periodically to be active.
- Easier attack detection
  Attack detection becomes easier when many attack activities are blocked, and attacks generate a lot of noise. The noise created by attackers provides valuable information to incident response teams. This helps in measuring how long it takes for an antivirus solution to detect the existence of malware or changes on a system.
- Reduced bring-your-own-device (BYOD) risk
  Application whitelisting reduces BYOD risk through the enforcement of mobile-application policies.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
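The deny-by-default decision of Figure 9.12, together with the tracking of allowed and blocked applications described under the advantages, as an added example that is not part of the original material. Keying the whitelist on a SHA-256 hash of file contents is an assumption made here (the text does not prescribe a matching method), and the class, function and file names are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents so the rule follows the program, not its name."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

class Allowlist:
    def __init__(self):
        self.approved = {}   # sha256 digest -> label given at approval time
        self.audit = []      # one record per decision, allowed or blocked

    def approve(self, path, label):
        self.approved[sha256_of(path)] = label

    def may_run(self, path):
        """Figure 9.12 flow: on the list -> allow, anything else -> deny."""
        allowed = sha256_of(path) in self.approved
        verdict = "allow" if allowed else "deny"
        self.audit.append((os.path.basename(path), verdict))
        return allowed

def demo():
    """Constructed files stand in for programs; nothing is executed."""
    with tempfile.TemporaryDirectory() as folder:
        def write(name, data):
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        policy = Allowlist()
        tool = write("backup_tool", b"approved build 1.0")
        policy.approve(tool, "backup tool")
        renamed = write("renamed_copy", b"approved build 1.0")  # same bytes
        unknown = write("downloaded_app", b"never reviewed")
        results = [policy.may_run(p) for p in (tool, renamed, unknown)]
        # The approved file is modified in place: same name, new contents.
        write("backup_tool", b"approved build 1.0 + injected code")
        results.append(policy.may_run(tool))
        return results, policy.audit

if __name__ == "__main__":
    print(demo())
```

The last decision is the one to note: the file keeps its approved name and location, but its contents no longer match the approved hash, so it falls back to the default deny and the attempt appears in the audit trail.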
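The fuzz testing steps listed earlier in this transcript (generate fuzzed data, execute the test, monitor system behavior, log defects), as an added example that is not part of the original material. It assumes a constructed WSGI handler with a deliberate bug as the target and calls it in-process instead of over the network; the handler, the /order path and the qty parameter are all hypothetical.

```python
import random
import string
from urllib.parse import parse_qs, quote

def app(environ, start_response):
    """Constructed target: WSGI handler with a deliberate input-handling bug."""
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    qty = query.get("qty", ["1"])[0]
    total = int(qty) * 5                     # bug: non-numeric qty raises
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(total).encode()]

def generate_fuzz(rng, count):
    """Generate fuzzed data: boundary values first, then random strings."""
    cases = ["", "0", "-1", "2147483648", "1e9", " 7 ", "A" * 4096]
    while len(cases) < count:
        length = rng.randint(1, 24)
        cases.append("".join(rng.choice(string.printable) for _ in range(length)))
    return cases[:count]

def send(value):
    """Execute one test: deliver the value as GET /order?qty=<value>."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/order",
               "QUERY_STRING": "qty=" + quote(value, safe="")}
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    try:
        body = b"".join(app(environ, start_response))
        return seen["status"], body
    except Exception as exc:                 # a real server would answer 500
        return "500 Internal Server Error", repr(exc).encode()

def fuzz(count=200, seed=1):
    """Monitor each response and log it; 5xx results are recorded as defects."""
    rng = random.Random(seed)
    log, defects = [], []
    for value in generate_fuzz(rng, count):
        status, body = send(value)
        record = {"input": value, "status": status, "detail": body[:80]}
        log.append(record)
        if status.startswith("5"):
            defects.append(record)
    return log, defects

if __name__ == "__main__":
    log, defects = fuzz()
    print(f"{len(log)} requests sent, {len(defects)} defects logged")
```

Every request and response lands in the log for manual inspection, as the scenario describes, while the defect list keeps the exact input that triggered each failure so the developer can reproduce and fix it.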