Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 18
In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
CSC 18: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses.
In the current security climate, organizations are dedicating more resources to perimeter security than ever before, which has led to a significant reduction in attack surface; however, web applications still pose a significant risk to an organization’s security and reputation due to weak security processes during the software development lifecycle. Oftentimes, an attacker will leverage high impact flaws in a web application, such as command injection, default configurations or SQL injection to compromise perimeter defenses.
To begin the attack scenario for this control, let’s start as an attacker who has just identified an Internet-facing employee login portal. This is a common occurrence as most organizations provide portals for their employees to access company resources remotely.
Figure 1: Internet-facing employee login portal
Many times, in-house or third-party login applications have not undergone vigorous security testing and may contain security flaws before being deployed into production. In the example below, the developers left a comment in the HTML to remove all test pages that were being used in development. This reveals the location of a potential test page at /store_locator_test, which could assist an attack in enumeration of more content. It is not uncommon to find usernames and passwords or other sensitive information as hidden comments within application test pages.
Figure 2: Location of potential test page
The page found at “/store_locator_test” provides very simple functionality: the application takes a zip code as an input and returns all stored identification numbers located in that zip code as output. The nature of the query suggests that the application is querying a SQL database to retrieve the information.
Figure 3: Test functionality at /store_locator_test
Identifying test functionality deployed in an environment is a common occurrence, and these test applications can often contain security flaws such as SQL injection and cross-site scripting (XSS). When the developers created the test applications, the focus was put on functionality over the security of the application.
A common technique for testing for SQL injection is to insert characters which may break concatenated queries. In this case, when the application is given a single quote as input, the error message reveals that the application is not adequately handling user input when building and executing the SQL statement. This implies the application may be vulnerable to SQL injection.
Figure 4: A single quote causes an application error
SQL injection occurs when user input is not properly sanitized before being inserted into a SQL query. This allows an attacker to insert SQL meta-characters and keywords in order to manipulate the statement itself, which allows an attacker to query database resources and potentially gain access to the database server.
It was possible to re-write the SQL syntax with additional statements to alter the behavior of the web application. Using a query string of “2222 OR 1=1;--” changes the SQL query to change to “SELECT * FROM stores WHERE zip_code = 22222 OR 1=1;--”. The modified statement will return a true result to the Boolean logic, end the statement, and then comment the remainder of the statement. Bypassing Boolean logic is a common technique for bypassing application authentication and enumerating copious amounts of data from the database. Furthermore, application login allowed the attacker to use the UNION technique, which as shown below, makes it trivial to both enumerate and exfiltrate data contained in the underlying database.
Figure 5: The injection string is passed to the database by the application server
Figure 6: The input '2222 OR 1=1;--' reveals the entire table
Figure 7: “2222 UNION SELECT schema_name, 2 FROM information_schema.schemata;--" reveals available databases
Figure 8: "22222 UNION SELECT username, password FROM users.users WHERE 1=1;--" reveals usernames and hashes
Due to a lack of defined security procedures in the software development lifecycle this organization has put their customers at a severe risk of fraud and their internal network at risk of compromise.
If organizations wish to design their own applications, certain controls need to be in place to ensure the security of these applications. A robust security program including the items outlined below can reduce the overall risk:
The next post will cover CSC 19: Incident Response and Management.
July 21, 2015
Learn how we help protect your environment while maintaining connectivity.
Let us know what you need, and we will have an Optiv professional contact you shortly.