17 Jan 2016

Common vulnerabilities (CWEs) to test manually

Vulnerabilities that scanners don't (always) find reliably and that warrant a manual test (after the scan):
  • CWE-285 Improper Access Control (Authorization)
  • CWE-306 Missing Authentication for Critical Function
  • CWE-311 Missing Encryption of Sensitive Data [A06]
  • CWE-352 Cross-Site Request Forgery (CSRF) [A08]
  • CWE-434 Unrestricted Upload of File with Dangerous Type
  • CWE-798 Use of Hard-coded Credentials  
  • CWE-840 Business Logic Errors
Top 10 (2013)
  • A02 Broken Authentication and Session Management
  • A04 Insecure Direct Object References 
  • A05 Security Misconfiguration
  • A06 Sensitive Data Exposure
  • A08 Cross-Site Request Forgery (CSRF)
  • A10 Unvalidated Redirects and Forwards
Those that are less applicable (everywhere) or testable via black-box methods:
  • CWE-494 Download of Code Without Integrity Check
  • CWE-732 Incorrect Permission Assignment for Critical Resource
  • CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-770 Allocation of Resources Without Limits or Throttling 
  • CWE-807 Reliance on Untrusted Inputs in a Security Decision
  • [...]
Of course, this is just a generic list. We still need to adapt our approach based on context, validate findings from scanners (identify false positives, adjust severity/priority based on exposure), try to exploit new vulns, try new techniques, etc.

10 Jan 2016

Important CVEs that have impacted our web apps

A non-exhaustive list of important CVEs that have had a great general impact on our web app security.

DROWN - CVE-2016-0800

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Resources:

FREAK - CVE-2015-0204

SSL/TLS vulnerability that allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

Resources:

LOGJAM - CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE.

Resources:

WinShock - CVE-2014-6321 - MS14-066

Schannel in Microsoft Windows Server allows remote attackers to execute arbitrary code via crafted packets.

Resources:

ShellShock (BashBug) - CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Resources:

Padding Oracle On Downgraded Legacy Encryption (POODLE). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.

Resources:

Heartbleed - CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c.

Resources:
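
The OpenSSL version ranges quoted in the DROWN, POODLE and Heartbleed entries above can be turned into a quick triage check over a server inventory. This is an added example, not part of the original post; the function names and the sample inventory are constructed for illustration.

```python
import re

def parse(version):
    """Turn a pre-3.0 OpenSSL version ('1.0.1g', '0.9.8zh') into a sortable key."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # Letter releases sort '' < 'a' < ... < 'z' < 'za' < 'zb': rank by length first.
    return (int(major), int(minor), int(fix), len(letters), letters)

# Each span is (low inclusive or None, high, high is inclusive), copied from
# the ranges quoted in the entries above.
RANGES = {
    "DROWN CVE-2016-0800": [(None, "1.0.1s", False), ("1.0.2", "1.0.2g", False)],
    "Heartbleed CVE-2014-0160": [("1.0.1", "1.0.1g", False)],
    "POODLE": [(None, "1.0.1i", True)],
}

def triage(version):
    """Return the entries whose quoted OpenSSL range contains this version."""
    key = parse(version)
    hits = []
    for label, spans in RANGES.items():
        for low, high, inclusive in spans:
            if low is not None and key < parse(low):
                continue
            if key < parse(high) or (inclusive and key == parse(high)):
                hits.append(label)
                break
    return hits

# Constructed sample inventory: hostname -> version string reported by the host.
SAMPLE = {"web01": "1.0.1f", "web02": "1.0.2f", "web03": "1.0.2g", "legacy": "0.9.8zh"}

if __name__ == "__main__":
    for host, version in SAMPLE.items():
        print(f"{host:8} {version:8} {', '.join(triage(version)) or 'no match'}")
```

A match is only a signal to confirm with a manual test: distributions often backport fixes without changing the upstream version string, and DROWN and POODLE also depend on SSLv2 or SSLv3 actually being enabled.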

Others worth mentioning



      References

      Threat & Breach Reports 2015