Section 13: Discovering Vulnerabilities

Vulnerability Discovery and Analysis

Application Scanning (DAST & IAST)

  • Objective: Identify and mitigate vulnerabilities in web applications using Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST).

  • Definition of Application Scanning:

    • Using tools and techniques to identify security vulnerabilities in software applications.

    • Protects against threats like SQL injection and cross-site scripting (XSS).

    • Divided into static and dynamic methods (DAST and IAST are dynamic).

Dynamic Application Security Testing (DAST)
  • Method: Testing web applications from the outside in.

  • Functionality:

    • DAST tools interact with the running application, simulating attacks.

    • Does not require access to source code.

    • Tests the application during runtime.

  • Effectiveness:

    • Identifies authentication problems.

    • Detects server configuration errors.

    • Finds issues in application programming.

  • Process:

    • Sends various inputs to the application.

    • Analyzes outputs for signs of vulnerabilities.

    • Example: Inputting malicious SQL commands into a login form to check for SQL injection.

  • Tools:

    • OWASP ZAP (Zed Attack Proxy)

    • Burp Suite

  • Strengths:

    • Identifies real-world vulnerabilities exploitable by attackers.

    • Uncovers issues static analysis might miss due to live environment testing.

  • Limitations:

    • Can generate false positives.

    • May miss vulnerabilities that don't appear during runtime.
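
The login-form example above, worked through as an added example that is not part of the original notes: a black-box probe (the DAST stance) is driven against two versions of a login routine, one that concatenates the username into the SQL text and one that binds it as a parameter. The user store, the probe inputs and the function names are constructed for this example.

```python
import hashlib
import sqlite3

# Constructed in-memory user store for the demonstration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before' form: the username is pasted into the SQL text, so SQL syntax
    in the input becomes part of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None

def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The hardened form: bound parameters keep the input out of the SQL grammar."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT 1 FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row is not None

# Inputs a black-box scanner would submit to the form (constructed). The third
# closes the quoted username and comments out the password check with `--`.
PROBES = [
    ("admin", "correct horse"),   # valid credentials: both forms must accept
    ("admin", "wrong"),           # wrong password: both forms must reject
    ("admin' --", "wrong"),       # injection attempt: only the vulnerable form accepts
]

def dast_probe(login_fn) -> list:
    """Drive the login function from the outside and record only what it returns,
    which is all a DAST tool has to go on."""
    conn = make_db()
    return [(user, pw, login_fn(conn, user, pw)) for user, pw in PROBES]

def is_injectable(login_fn) -> bool:
    """Judge the responses: a login that rejects a wrong password yet accepts the
    same wrong password once the username carries SQL syntax is injectable."""
    results = {(user, pw): ok for user, pw, ok in dast_probe(login_fn)}
    return results[("admin' --", "wrong")] and not results[("admin", "wrong")]

if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(f"{fn.__name__}: injectable={is_injectable(fn)}")
```

The probe never sees the source of either function; it classifies them purely from accept/reject behaviour, which is why a DAST finding is evidence of a real, reachable weakness but gives no line number. The remediation is the parameterized form, not input filtering.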

Interactive Application Security Testing (IAST)
  • Method: Combines static and dynamic testing to analyze applications in real-time during execution.

  • Functionality:

    • Works from within the application.

    • Monitors application behavior, data flow, and interactions.

    • Provides detailed insights into vulnerabilities.

  • Integration:

    • Integrates with the application server.

    • Monitors internal operations.

  • Accuracy:

    • Detects vulnerabilities with high accuracy.

    • Provides detailed information on the source of the issue.

    • Example: Pinpointing the exact line of code responsible for a cross-site scripting vulnerability and providing remediation recommendations.

  • Benefits:

    • Provides real-time feedback to developers.

    • Identifies and reports vulnerabilities immediately.

    • Ensures security is integrated into the development process, reducing time and cost.

    • Detects complex vulnerabilities across multiple application components.

  • Limitations:

    • Challenging setup, requires access to application internals.

    • May require modifications to the application or its environment.

    • May introduce performance overhead due to real-time monitoring.

  • Summary:

    • DAST tests applications from the outside in, simulating attacks to find runtime vulnerabilities without source code access.

    • IAST works from within the application, monitoring behavior in real-time.

    • Together, they provide a comprehensive approach to securing web applications.

Software Analysis (SCA & SAST)

  • Objective: Identify vulnerabilities and ensure software application security using Software Composition Analysis (SCA) and Static Application Security Testing (SAST).

  • Definition of Software Analysis:

    • Examining components, code, and architecture of applications.

    • Identifies potential security vulnerabilities, license compliance issues, and other risks.

    • Maintains integrity and security, ensuring resilience against attacks and meeting compliance requirements.

Software Composition Analysis (SCA)
  • Method: Identifies and manages open-source components within a software application.

  • Functionality:

    • Scans the codebase to inventory open-source components.

    • Checks for known vulnerabilities, outdated versions, and license compliance issues.

  • Process:

    • Compares application components against a database of known vulnerabilities and license terms.

    • Flags components with critical vulnerabilities and suggests remediation.

    • Example: Identifying the Log4Shell vulnerability in the Apache Log4j library.

  • Benefits:

    • Provides visibility into third-party components used within an application.

    • Helps proactively address vulnerabilities.

    • Ensures compliance with open-source licenses, avoiding legal issues.

  • Limitations:

    • Primarily focuses on known vulnerabilities.

    • Does not analyze custom code.

    • May miss vulnerabilities in proprietary parts of the application.
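
The SCA process above (inventory the components, compare them against an advisory database, flag and suggest remediation), as an added example that is not part of the original notes. The advisory feed, the dependency listing and the affected version ranges are constructed for the example; the Log4Shell range in particular is illustrative and the real vendor advisory is the authority.

```python
import re
from dataclasses import dataclass

def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically rather than as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str
    summary: str

# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = [
    Advisory("org.apache.logging.log4j:log4j-core", "2.0", "2.17.1", "CRITICAL",
             "Log4Shell: JNDI lookup in log messages (constructed range)"),
    Advisory("com.example:legacy-xml", "1.0", "1.4", "HIGH",
             "XML external entity expansion enabled by default (constructed)"),
]

def inventory(dependency_listing: str) -> dict:
    """Build the component inventory from a 'group:artifact==version' listing,
    a stand-in for what an SCA tool extracts from a lockfile or SBOM."""
    components = {}
    for line in dependency_listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        components[name.strip()] = version.strip()
    return components

def find_vulnerable(components: dict) -> list:
    """Compare each inventoried component against the advisory feed."""
    findings = []
    for adv in ADVISORIES:
        version = components.get(adv.component)
        if version is None:
            continue
        lo, hi, cur = parse_version(adv.introduced), parse_version(adv.fixed), parse_version(version)
        if lo <= cur < hi:
            findings.append({
                "component": adv.component, "version": version,
                "severity": adv.severity, "summary": adv.summary,
                "remediation": f"upgrade to {adv.fixed} or later",
            })
    return findings

# Constructed dependency listing for an application under review.
SAMPLE_DEPENDENCIES = """
# third-party components (constructed)
org.apache.logging.log4j:log4j-core==2.14.1
com.example:legacy-xml==1.5
com.example:http-client==3.2.0
"""

if __name__ == "__main__":
    for f in find_vulnerable(inventory(SAMPLE_DEPENDENCIES)):
        print(f"[{f['severity']}] {f['component']} {f['version']}: {f['summary']} -> {f['remediation']}")
```

Note the limitation the notes list: the checker can only match what is in its advisory feed, and it says nothing about the application's own code. Version comparison is done on numeric tuples because string comparison would wrongly rank "2.9" above "2.14".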

Static Application Security Testing (SAST)
  • Method: Analyzes application source code, bytecode, or binary code for security vulnerabilities without executing the program.

  • Functionality:

    • Examines the codebase to identify potential security flaws such as buffer overflows, SQL injection, and cross-site scripting vulnerabilities early in the development process.

  • Process:

    • Applies a set of rules and patterns to detect vulnerabilities.

    • Identifies hard-coded credentials, insecure API calls, and improper input validation.

  • Benefits:

    • Provides detailed information about the exact location of the vulnerability in the code and recommendations for remediation.

    • Integrates into the deployment workflow, often as part of CI/CD pipelines.

    • Enforces secure coding practices.

  • Tools:

    • SonarQube

  • Advantages:

    • Detects vulnerabilities early in the software development life cycle.

    • Reduces the cost and effort associated with fixing vulnerabilities later.

  • Limitations:

    • Can produce false positives.

    • Requires access to the source code.

  • Summary:

    • SCA focuses on managing open-source components, ensuring they are free of known vulnerabilities and compliant with licenses.

    • SAST analyzes the source code for security flaws early in the development process, providing detailed feedback to developers.

    • Implementing these tools enhances the security and integrity of applications.
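
The SAST process described above (apply rules and patterns to the code without running it; report hard-coded credentials, insecure API calls and unsafe query construction with exact line numbers), as an added example that is not part of the original notes and not SonarQube's rule set. It parses Python with the standard `ast` module; the rules, the sample source and the finding names are this example's own.

```python
import ast
import re

# Rule set for this example. Real SAST engines add data-flow tracking; this
# checker only inspects each statement in isolation.
SECRET_NAMES = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
DANGEROUS_CALLS = {"eval", "exec", "os.system", "subprocess.call", "pickle.loads"}
SQL_VERB = re.compile(r"^\s*(select|insert|update|delete)\b", re.I)

def _call_name(node: ast.Call) -> str:
    """'eval' for eval(...), 'os.system' for os.system(...), '' if not a simple name."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def _is_sql_literal(node) -> bool:
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and SQL_VERB.match(node.value) is not None)

def _operands(node):
    """Flatten a chain of + or % operations into its leaves."""
    if isinstance(node, ast.BinOp):
        yield from _operands(node.left)
        yield from _operands(node.right)
    else:
        yield node

def _builds_sql_from_values(node) -> bool:
    """True for 'SELECT ...' + x, 'SELECT ... %s' % x and f'SELECT ... {x}'."""
    if isinstance(node, ast.BinOp):
        leaves = list(_operands(node))
        return _is_sql_literal(leaves[0]) and any(not isinstance(n, ast.Constant) for n in leaves)
    if isinstance(node, ast.JoinedStr) and node.values:
        return _is_sql_literal(node.values[0]) and any(
            isinstance(v, ast.FormattedValue) for v in node.values)
    return False

def scan_source(source: str, filename: str = "<input>") -> list:
    """Return sorted (line, rule, detail) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign):
            # Rule 1: hard-coded credentials (secret-looking name bound to a non-empty string)
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAMES.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    findings.append((node.lineno, "hard-coded-credential", target.id))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            # Rule 2: insecure API calls
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "insecure-call", name))
            # Rule 3: SQL text assembled from runtime values and handed to execute()
            if ((name == "execute" or name.endswith(".execute")) and node.args
                    and _builds_sql_from_values(node.args[0])):
                findings.append((node.lineno, "sql-string-building", name))
    return sorted(findings)

# Constructed source file under review: two weak spots and one correct query.
SAMPLE_SOURCE = '''import os
import sqlite3

DB_PASSWORD = "hunter2"
conn = sqlite3.connect("app.db")

def find_user(name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'").fetchall()

def find_user_safe(name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def run(cmd):
    os.system(cmd)
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(SAMPLE_SOURCE, "app.py"):
        print(f"app.py:{line}: {rule}: {detail}")
```

Because the analysis works on the syntax tree, each finding carries the exact line, which is the strength the notes attribute to SAST; the parameterized query in `find_user_safe` is correctly left alone. The flip side is also visible: a query assembled in one statement and passed to `execute()` in another would slip past this checker, which is the kind of gap that produces both false negatives and, with looser rules, false positives.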

Host-Based Scanning

  • Objective: Secure individual hosts within a network by identifying vulnerabilities using authenticated and unauthenticated scans, plus secret scanning.

  • Definition: Examining individual computers or servers to identify security vulnerabilities, misconfigurations, and potential threats.

  • Importance: Maintains the security posture of each device, as vulnerabilities on a single host can compromise the entire network.

Authenticated vs. Unauthenticated Scans
  • Authenticated Scans:

    • Conducted using valid credentials for in-depth analysis.

    • Checks configurations, installed software, security settings.

    • Examines files and directories.

    • Detects missing patches, weak passwords, and misconfigured services.

    • Provides crucial insights for maintaining a secure environment.

    • Tools: Nessus, Qualys.

  • Unauthenticated Scans:

    • Performed without credentials to simulate an attacker's perspective.

    • Identifies vulnerabilities that can be exploited without prior access.

    • Focuses on open ports, running services, and visible vulnerabilities.

    • Provides valuable insights into potential entry points.

    • Limited in scope compared to authenticated scans; may miss critical vulnerabilities requiring deeper access.

Secret Scanning
  • Objective: Search for sensitive information (passwords, API keys, encryption keys) exposed within host files and environment variables.

  • Functionality:

    • Detects exposed secrets that can be used by attackers for unauthorized access.

    • Identifies hard-coded passwords or API keys in source code committed to version control systems.

    • Finds sensitive information in configuration files or environment variables.

    • Tools: TruffleHog

  • Real-World Example:

    • Uber Breach (2016): Attackers found hard-coded AWS credentials in Uber's GitHub repositories and used them to access sensitive data.
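
The secret-scanning functionality above (detect exposed passwords, API keys and key material in files and environment variables), as an added example that is not part of the original notes and not TruffleHog's implementation. It combines fixed-format patterns with an entropy screen so that placeholders are not reported; the `.env` and key-file contents are constructed, the AWS access key ID shape is the publicly documented one, and the thresholds and rule names are this example's own.

```python
import math
import re

# Format rules: secrets with a recognisable shape. The AWS access key ID pattern
# is the public one ('AKIA' followed by 16 upper-case letters or digits).
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignment rule: a secret-looking variable or key followed by a value. The
# value is then screened by entropy so placeholders such as 'changeme' are skipped.
ASSIGN_RULE = re.compile(
    r"(?i)\w*(?:secret|password|passwd|token|key)\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{8,})")

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys score well above words."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))

def mask(value: str) -> str:
    """Never echo a full secret into a report or log."""
    return value[:4] + "..." + value[-2:]

def scan_text(text: str, source: str, entropy_threshold: float = 3.5) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append({"source": source, "line": lineno, "rule": rule,
                                 "match": mask(m.group(0))})
        m = ASSIGN_RULE.search(line)
        if m and shannon_entropy(m.group("value")) >= entropy_threshold:
            findings.append({"source": source, "line": lineno, "rule": "high-entropy-secret",
                             "match": mask(m.group("value"))})
    return findings

def scan_host(files: dict) -> list:
    """files maps path -> contents, as collected from a host's configuration files
    and environment (constructed here rather than read from disk)."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_text(contents, path))
    return findings

# Constructed inputs: an environment file and a stray key file.
SAMPLE_ENV = """# constructed .env
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
AWS_SECRET_ACCESS_KEY=q7Zr2mX9vLp4Kd8WsN3tYb6HcF1gJaE5uR0oQ2iT
"""
SAMPLE_KEYFILE = """-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder; real key material omitted)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_host({".env": SAMPLE_ENV, "id_rsa": SAMPLE_KEYFILE}):
        print(f"{f['source']}:{f['line']}: {f['rule']}: {f['match']}")
```

The placeholder `changeme` is matched by the assignment rule but dropped by the entropy screen, while the 40-character secret is kept; reports carry only a masked prefix and suffix, so the scanner's own output does not become a second place the secret is exposed.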

Summary:
  • Host-based scanning: Essential for identifying vulnerabilities and securing individual hosts on a network.

  • Authenticated scans: Provide deep insights into the host's internal state, revealing vulnerabilities that require credentials to detect.

  • Unauthenticated scans: Simulate an attacker's perspective, identifying external entry points.

  • Secret scanning: Focuses on detecting exposed sensitive information such as passwords and API keys, which can be exploited by attackers.

Network Scanning (TCP/UDP, Stealth Scans)

  • Objective: Identify open ports, running services, and potential vulnerabilities in a network using TCP/UDP and stealth scanning techniques.

  • Definition of Network Scanning:

    • Using tools and techniques to discover devices on a network.

    • Identify open ports.

    • Gather information about services and protocols running on those devices.

    • Assesses network security posture and identifies potential entry points for attackers.

TCP (Transmission Control Protocol) Scans
  • Most common type of network scans.

  • Sends TCP packets to a range of ports to determine open ports and running services.

  • TCP is connection-oriented, requiring a three-way handshake (SYN, SYN-ACK, ACK).

  • Common Methods: SYN Scans, Full Connect Scans, FIN Scans.

    • SYN Scans (Half-Open Scans):

      • Fastest and stealthiest.

      • Sends a SYN packet and waits for a response.

      • If the port is open, the target responds with a SYN-ACK packet.

      • The scanner sends a reset packet to close the connection before it's fully established.

    • Full Connect Scans (Connect Scans):

      • Completes the three-way handshake.

      • Provides more detailed information about the services running on open ports.

      • More likely to be detected and logged.

    • FIN Scans:

      • Sends a FIN packet to the target port.

      • If the port is closed, the target system responds with a reset packet.

      • If the port is open, there will be no response.

      • Can bypass certain firewalls and packet filters.

UDP (User Datagram Protocol) Scans
  • Works differently from TCP scans because UDP is connectionless.

  • Sends UDP packets to target ports and analyzes the response.

  • Scanning UDP ports can be more challenging and slower due to the lack of a handshake mechanism.

  • When a UDP packet is sent to a closed port, the target system typically responds with an ICMP message.

  • If no response is received, it suggests that the port is open or filtered, but firewalls might be blocking the response.

  • Tools like Nmap use specific payloads to get responses from known UDP services to improve accuracy.

Stealth Scans
  • Null Scans:

    • Sends packets with no flags set (TCP header devoid of control flags).

      • Systems using TCP respond with a reset packet if the port is closed; open ports do not respond.

    • Modern firewalls and intrusion detection systems can detect and block NULL scans.

  • Fragmented Scans:

    • Breaks the TCP header into small fragments.

      • Harder for packet filters and intrusion detection systems to reassemble and analyze the packet.

  • Idle Scans:

    • Uses a third-party system (zombie) to send packets to the target.

      • The scanner sends spoofed packets that appear to come from the zombie system.

      • Observes the response to infer the status of the target port.

      • Allows the scanner to remain completely hidden.

Summary:
  • Network scans: Essential for identifying open ports, running services, and potential vulnerabilities within a network.

  • TCP/UDP scans: Help discover open ports and gather information about services running on those ports.

  • Stealth scans: Designed to avoid detection and minimize logging, valuable tools for penetration testers.
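
The scan types above, seen from the defender's side as an added example that is not part of the original notes: a detector that reads a packet log, names each probe by its TCP flags (bare SYN, no flags, bare FIN, UDP) and alerts when one source touches many distinct ports in a short window without completing a handshake. The log format, the addresses (documentation ranges), the traffic and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: one line per packet seen by a perimeter sensor.
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) flags=(?P<flags>\w*)")

def classify(proto: str, flags: str) -> str:
    """Name the probe type from the TCP flags, mirroring the scan types above."""
    if proto == "udp":
        return "udp-probe"
    f = set(flags)
    if not f:
        return "null"          # no flags at all: NULL scan
    if f == {"S"}:
        return "syn"           # bare SYN, never followed by the ACK of a handshake
    if f == {"F"}:
        return "fin"           # bare FIN: FIN scan
    return "established"       # ACK present: part of a real connection

def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    e["dport"] = int(e["dport"])
    e["kind"] = classify(e["proto"], e["flags"])
    return e

def detect_scans(lines, window_s: int = 60, min_ports: int = 10) -> list:
    """Alert when one source probes many distinct ports within a window without
    completing handshakes; the dominant flag pattern labels the scan type."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_src[e["src"]].append(e)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if e["ts"] - first["ts"] <= timedelta(seconds=window_s)]
            probes = [e for e in window if e["kind"] != "established"]
            ports = {e["dport"] for e in probes}
            if len(ports) >= min_ports:
                scan_type = Counter(e["kind"] for e in probes).most_common(1)[0][0]
                alerts.append({"src": src, "type": scan_type, "ports": len(ports),
                               "first_seen": first["ts"].isoformat()})
                break   # one alert per source is enough
    return alerts

def constructed_log() -> list:
    """Constructed traffic: a SYN scan, a NULL scan, and one legitimate client."""
    base = datetime(2024, 6, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset, src, port, flags, proto="tcp"):
        ts = (base + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z")
        return f"{ts} src={src} dst=192.0.2.10 proto={proto} dport={port} flags={flags}"

    lines = [line(i, "203.0.113.5", port, "S") for i, port in enumerate(range(20, 35))]
    lines += [line(i, "203.0.113.77", port, "") for i, port in enumerate(range(1000, 1012))]
    for i in range(5):   # normal client: SYN then ACK to the same port
        lines += [line(i * 10, "198.51.100.9", 443, "S"), line(i * 10 + 1, "198.51.100.9", 443, "A")]
    return lines

if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The legitimate client also sends bare SYNs, but to a single port and followed by ACKs, so it never reaches the port threshold; the two scanners do. This is the logging and detection that the notes say full connect scans are most exposed to and that half-open and NULL scans try to avoid, and it shows that a flag-aware sensor still sees them.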

Mobile Scanning

  • Objective: Ensure the security of mobile apps by identifying vulnerabilities using static and dynamic analysis.

  • Definition of Mobile Scanning:

    • Using tools and techniques to analyze mobile applications and devices.

    • Identifies security vulnerabilities, misconfigurations, and potential threats.

SAST (Static Application Security Testing) for Mobile Apps
  • Analyzes the source code, bytecode, or binary code without executing it.

  • Looks for vulnerabilities such as insecure coding practices, hard-coded credentials, and potential injection points.

  • Performed early in the development life cycle to catch security issues before deployment.

  • Tools: MobSF can decompile and analyze Android APKs and iOS IPAs.

DAST (Dynamic Application Security Testing) for Mobile Apps
  • Analyzes the application while it is running.

  • Simulates attacks to identify vulnerabilities that can be exploited at runtime, such as insecure communication channels, improper session handling, and data leaks.

  • Tools: OWASP ZAP and Burp Suite can intercept and analyze network traffic.

Additional Mobile App Security Techniques
  • Permission Analysis:

    • Analyzing permissions requested by applications to access device features.

    • Helps identify potential security risks associated with over-privileged applications.

  • Configuration Analysis:

    • Analyzing configuration settings of mobile apps.

    • Identifies common security misconfigurations such as improper SSL/TLS implementation or insecure data storage.

    • Tools: Quark (Quick Android Review Kit) analyzes configuration settings.

Summary:
  • Mobile scans: Essential for identifying and mitigating vulnerabilities.

  • Static application security testing (SAST): Analyzes source code to identify potential security flaws early in the development cycle.

  • Dynamic application security testing (DAST): Analyzes the running application, simulating attacks to identify vulnerabilities that occur at runtime.
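
The permission and configuration analysis above, as an added example that is not part of the original notes and not MobSF's or Quark's code: a checker that reads an Android manifest, flags requested permissions that grant broad access, flags application-level settings that weaken the build, and lists components exported without a protecting permission. The permission names and manifest attributes are the real Android ones; the manifest itself, the risk notes and the finding categories are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android(attr: str) -> str:
    """ElementTree spells namespaced attributes as '{namespace}name'."""
    return f"{{{ANDROID_NS}}}{attr}"

# Real Android permission names; the risk notes are this example's own.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "can read one-time codes delivered by SMS",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install other packages",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def analyze_manifest(manifest_xml: str) -> list:
    """Return (category, name, note) findings for over-privilege and misconfiguration."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(android("name"))
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(("permission", name, HIGH_RISK_PERMISSIONS[name]))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(android("debuggable")) == "true":
        findings.append(("config", "android:debuggable", "release build should not be debuggable"))
    if app.get(android("usesCleartextTraffic")) == "true":
        findings.append(("config", "android:usesCleartextTraffic", "plain HTTP permitted"))
    if app.get(android("allowBackup")) == "true":
        findings.append(("config", "android:allowBackup", "app data extractable via backup"))
    for comp in app.iter():
        if (comp.tag in COMPONENT_TAGS and comp.get(android("exported")) == "true"
                and not comp.get(android("permission"))):
            findings.append(("exported-component", comp.get(android("name")),
                             f"{comp.tag} is reachable by any app on the device"))
    return findings

# Constructed manifest with deliberate weaknesses alongside a correctly protected service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Demo" android:debuggable="true"
                 android:usesCleartextTraffic="true" android:allowBackup="false">
        <activity android:name=".DeepLinkActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.demo.permission.SYNC"/>
        <receiver android:name=".BootReceiver" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for category, name, note in analyze_manifest(SAMPLE_MANIFEST):
        print(f"{category}: {name}: {note}")
```

The `INTERNET` permission and the receiver that is not exported produce no findings, and the exported service is accepted because it is guarded by a permission; this is the static side of mobile scanning, so a DAST pass against the running app is still needed to see whether the cleartext setting is actually used on the wire.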

Scanning Infrastructure as Code (IAC)

  • Objective: Ensure the security of infrastructure deployments by scanning Infrastructure as Code (IAC) for vulnerabilities.

  • Definition of Infrastructure as Code (IAC): Managing and provisioning computing infrastructure through configuration files rather than physical hardware configuration or interactive configuration tools.

    • Popular IAC tools: Terraform, AWS CloudFormation, and Ansible.

Importance of Scanning IAC Templates
  • IAC templates define the entire infrastructure stack, including network configuration, access controls, and resource provisioning.

  • Security flaws in templates can be replicated across all deployed environments, leading to widespread vulnerabilities.

Static Code Analysis for IAC
  • Analyzes code without executing it.

  • Tools scan IAC files for syntax errors, misconfigurations, and best practice violations.

  • Identifies potential issues before infrastructure is deployed.

    • Terraform: TFLint

    • CloudFormation: CloudFormation Guard

  • Example: Analyzing a Terraform template for an AWS S3 bucket and alerting if the bucket is configured to allow public access, which is a significant security risk.

Policy as Code
  • Defines security and compliance policies as code that can be applied to IAC templates.

  • Ensures infrastructure adheres to organization's security policies and regulatory requirements.

  • Example: A policy requiring all EC2 instances to use SHA-384 encryption, tested against Terraform templates to ensure compliance.

Integration with CI/CD Pipelines
  • Ensures every change to infrastructure code is automatically tested for security issues before deployment.

  • Helps catch vulnerabilities early in the development cycle.

    • CI/CD platforms: Jenkins, GitLab CI, and GitHub Actions.

  • Example: Automated tests including IAC scans; if a developer introduces a misconfiguration, the tests fail the build and prevent the deployment.

Drift Detection
  • Monitors deployed infrastructure for changes that deviate from defined IAC templates.

  • Detects manual changes to the infrastructure that can introduce vulnerabilities not reflected in IAC templates.

  • Example: Terraform can detect drift by comparing the current state of the infrastructure with the state defined in the templates.

    • Raises an alert when a security group rule is altered to allow traffic from any IP address.
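
The static analysis, policy-as-code and drift-detection steps above, worked through together as an added example that is not part of the original notes and not TFLint's, CloudFormation Guard's or Terraform's own code. It assumes the resource layout of Terraform's JSON configuration syntax, `{"resource": {"<type>": {"<name>": {...}}}}`, so a real `.tf.json` file would be loaded with `json.load`; the policy rules, the sample template, the AMI placeholder and the "observed" live state are constructed for the example.

```python
def iter_resources(config: dict):
    """Walk {"resource": {type: {name: attrs}}} and yield (type, name, attrs)."""
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            yield rtype, name, attrs

def open_to_world(rule: dict) -> bool:
    return ("0.0.0.0/0" in rule.get("cidr_blocks", [])
            or "::/0" in rule.get("ipv6_cidr_blocks", []))

# Policy as code: (id, resource type, predicate that is True when violated, message).
POLICIES = [
    ("S3-001", "aws_s3_bucket",
     lambda a: a.get("acl") in ("public-read", "public-read-write"),
     "bucket ACL grants public access"),
    ("S3-002", "aws_s3_bucket_public_access_block",
     lambda a: not all(a.get(k) is True for k in (
         "block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")),
     "public access block does not enable all four protections"),
    ("SG-001", "aws_security_group",
     lambda a: any(open_to_world(r) for r in a.get("ingress", [])),
     "ingress rule allows traffic from any IP address"),
    ("EC2-001", "aws_instance",
     lambda a: not (a.get("root_block_device") or [{}])[0].get("encrypted", False),
     "root volume is not encrypted"),
]

def evaluate(config: dict) -> list:
    """Static check: apply every policy to every matching resource before deployment.
    Wired into CI, a non-empty result is what fails the build."""
    findings = []
    for rtype, name, attrs in iter_resources(config):
        for policy_id, policy_type, violated, message in POLICIES:
            if rtype == policy_type and violated(attrs):
                findings.append((policy_id, f"{rtype}.{name}", message))
    return findings

def detect_drift(config: dict, observed: dict) -> list:
    """Drift check: compare attributes in code with what is actually deployed.
    `observed` maps 'type.name' to live attributes (constructed here; a real
    implementation would read them from the cloud API or the Terraform state)."""
    drift = []
    managed = set()
    for rtype, name, attrs in iter_resources(config):
        address = f"{rtype}.{name}"
        managed.add(address)
        live = observed.get(address)
        if live is None:
            drift.append((address, "missing", "defined in code but not found live"))
            continue
        for key, wanted in attrs.items():
            if live.get(key) != wanted:
                drift.append((address, key, f"code={wanted!r} live={live.get(key)!r}"))
    for address in sorted(set(observed) - managed):
        drift.append((address, "unmanaged", "exists live but is not defined in code"))
    return drift

# Constructed template: a public bucket ACL and an incomplete access block alongside
# a correctly scoped security group and an encrypted instance.
SAMPLE_CONFIG = {"resource": {
    "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
    "aws_s3_bucket_public_access_block": {"logs": {
        "bucket": "example-logs", "block_public_acls": True, "block_public_policy": True,
        "ignore_public_acls": True, "restrict_public_buckets": False}},
    "aws_security_group": {"bastion": {"name": "bastion", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    "aws_instance": {"web": {"ami": "ami-PLACEHOLDER", "instance_type": "t3.micro",
                             "root_block_device": [{"encrypted": True}]}},
}}

# Constructed snapshot of the live account: someone widened the bastion rule by hand
# and created a security group outside of code.
OBSERVED_STATE = {
    "aws_s3_bucket.logs": SAMPLE_CONFIG["resource"]["aws_s3_bucket"]["logs"],
    "aws_s3_bucket_public_access_block.logs":
        SAMPLE_CONFIG["resource"]["aws_s3_bucket_public_access_block"]["logs"],
    "aws_security_group.bastion": {"name": "bastion", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "aws_instance.web": SAMPLE_CONFIG["resource"]["aws_instance"]["web"],
    "aws_security_group.manual_test": {"name": "manual-test", "ingress": []},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_CONFIG):
        print("policy:", *finding)
    for d in detect_drift(SAMPLE_CONFIG, OBSERVED_STATE):
        print("drift:", *d)
```

The same rule set serves both phases: `evaluate` runs over the template before deployment, and the live attributes returned by drift detection can be fed back through it, which is how the hand-edited `0.0.0.0/0` rule is caught even though the template itself passed the security group policy.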

Common Vulnerabilities in Infrastructure Code
  • Misconfigured access controls.

  • Unrestricted network rules.

  • Insecure default settings.

  • Hardcoded secrets.

Summary:
  • Scanning infrastructure as code: A vital practice for ensuring the security and compliance of infrastructure deployments.

  • Techniques such as static code analysis, policy as code, integration with CI/CD pipelines, and drift detection help identify and mitigate vulnerabilities.

ICS (Industrial Control Systems) Vulnerability Scanning

  • Objective: Secure Industrial Control Systems (ICS) by identifying vulnerabilities through manual assessments and port mirroring.

  • Definition of ICS Vulnerability Scanning: Using tools to identify security weaknesses in industrial control systems.

    • Examines network configurations, communication protocols, and device settings.

    • Uncovers potential vulnerabilities that could be exploited by attackers.

Manual Assessments
  • Hands-on inspection and evaluation of ICS components by cybersecurity professionals.

  • Adapts to the unique and complex environments often found in ICS systems.

  • Requires a thorough understanding of the ICS architecture.

  • The assessor identifies critical assets such as PLCs, HMIs, and RTUs, which are essential for the operation of industrial processes.

Port Mirroring
  • Technique to monitor network traffic by duplicating data from ports on a network switch to a monitoring port.

  • Allows security professionals to capture and analyze traffic without interfering with normal network operations.

  • Extremely valuable for vulnerability scanning and monitoring in ICS.

  • Mirrored traffic can reveal malicious activity, allowing the security team to respond appropriately.

  • Security considerations:

    • The monitoring system itself must be securely configured.

    • Access to mirrored traffic must be restricted to authorized personnel.

    • The monitoring system must be protected against attacks.

Wireless Scanning
  • Objective: Identify and mitigate vulnerabilities through SSID and channel scanning.

SSID Scanning (Service Set Identifier)
  • SSID detection

Channel Scanning
  • Channel Management: Wireless networks operate on specific frequency channels within the radio spectrum.

  • Identifying Congestion: Wireless networks, especially those using the 2.4 GHz and 5 GHz bands, have multiple channels available.