Online travel portals are increasingly becoming targets for attackers in e-commerce security. It is therefore essential to test the security of these portals from an attacker’s perspective. Application penetration testing gives you a true picture of the current state of security and helps to verify whether all the security mechanisms implemented are working correctly. Amongst all the vulnerability classes normally tested, business logic vulnerabilities are perhaps the most ignored and also the most exploited by hackers. Thus at iViZ we emphasize finding new classes of business logic vulnerabilities, which would directly bring huge financial loss or impersonation of users for an organization. At iViZ we have developed a customized framework which goes beyond traditional and automated web application scanning results. Let’s review the basics of our testing approach.
- Create a Threat Profile for the Target sites
- Create the Test Plan
- Perform the Tests
- Prepare the Report
The Threat Profile is prepared by our consultants through extensive research and presents the list of all possible threats to the target web application. A “Threat” is the goal of an adversary – it’s what he wants to achieve. As the owner of a travel site, the threats are what you are worried about. Thus, the threat profile for an online travel site would include these threats:
An adversary…
- cancels the tickets booked by another user
- buys tickets at a lower price than quoted
- buys tickets on flights where no more tickets are available
- steals the credit card details of other users
- gets the travel itinerary of all users
- changes the itinerary of other users
- deletes hotels from the inventory
The Threat Profile helps us focus our testing. It helps us pursue the attacks an adversary is most interested in. It takes us about a day or two to prepare the Threat Profile. The test engineers then share the Threat Profile with the customer to get their feedback: have we missed something? Have we exaggerated a threat? The Threat Profile drives the Test Plan. For an online travel site, the Threat Profile might identify about 50 threats.
Once the threat profile of the application is identified, we create the Test Plan. The test plan first maps each threat in the Threat Profile to the relevant pages in the application. E.g. for the threat “an adversary cancels the tickets booked by another user”, we identify the “cancel tickets” page as the relevant page. Once the relevant pages are clear, we then decide which attacks to try on that page to realize the threat. For instance, to test “an adversary cancels the tickets booked by another user”, we choose variable manipulation and SQL injection on the Cancel Tickets page. Similarly, for each threat in the Threat Profile, we identify the relevant pages and the attacks. A lot of thought and creativity goes into creating the test plan.
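As an added illustration (not part of this post or of iViZ’s framework), here is what the variable manipulation and SQL injection tests on a Cancel Tickets page are checking for, modelled in Python with an in-memory sqlite3 database: a weak handler that trusts the request’s booking id, beside a hardened one that ties the cancellation to the server-side session user and uses a parameterised query. The table, column and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, each holding one booking."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT)")
    db.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                   [(101, 1, "booked"), (202, 2, "booked")])
    return db


def booking_status(db, booking_id):
    row = db.execute("SELECT status FROM bookings WHERE id=?", (booking_id,)).fetchone()
    return row[0] if row else None


def cancel_ticket_weak(db, session_user_id, booking_id):
    """Weak handler: the booking id from the request is never checked against
    the session user (so any logged-in user can cancel any booking by changing
    the id), and the SQL is built by string concatenation, so booking_id is
    also an injection point. Returns True if a row was cancelled."""
    cur = db.execute("UPDATE bookings SET status='cancelled' WHERE id=" + str(booking_id))
    return cur.rowcount == 1


def cancel_ticket_hardened(db, session_user_id, booking_id):
    """Hardened handler: ownership is part of the query predicate using the
    server-side session user id, the id is type-checked, the query is
    parameterised, and an already-cancelled booking cannot be cancelled twice."""
    try:
        booking_id = int(booking_id)
    except (TypeError, ValueError):
        return False
    cur = db.execute(
        "UPDATE bookings SET status='cancelled' "
        "WHERE id=? AND user_id=? AND status='booked'",
        (booking_id, session_user_id),
    )
    return cur.rowcount == 1
```

The test a pentester runs here is simply: authenticate as user 1, submit user 2’s booking id, and see whether the server cancels it; the hardened handler refuses regardless of what id is supplied.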
Once the test plan is approved, the testing begins. During the entire course of the testing we follow an “inference”-based scanning model. This is significantly different from what is conventionally done by tools, scanners and the people who use those tools. It is an expert-systems approach that learns information about a system in exactly the same fashion that a hacker would. Inference-based assessment systems integrate new knowledge about the application as it is discovered. This knowledge is used to build intelligence on the machine in real time and helps us run precisely the tests that are likely to produce results. Usually we get a lot of new ideas once we begin the testing under this model. We continually update the Test Plan until the test is complete. The tests themselves are a combination of manual and automated checks.
When we find a vulnerability, we capture step-by-step screenshots of the attack. In the final report, we walk through the attack with the aid of these screenshots. The report describes the solution for fixing each vulnerability and also provides references to good papers on the topic.
Great advice. I don’t know how many times I have to tell people the very same things. Glad I’m not the only one.
Thanks for sharing this post. It’s really helpful.