External Penetration Test:

The purpose of the external penetration test is to emulate activities that could be performed by a criminal against this Internet application. Using a combination of scanning and enumeration techniques, the test identifies the external-facing profile and investigates each facet for weaknesses and vulnerabilities.
Jez, July 12, 2011:

The external test must be performed against the infrastructure and web application stack. This activity must test all components of the system that are externally accessible / exposed and mimic the journey that an external hacker could perform.
Root Level Files:

The attack surface is defined by the following root level files:
- FAVICON.ICO as an icon.
- INDEX.HTML as the home web page.
- INDEX.C2 as every other web page.
- ROBOTS.TXT as a search engine file that asks crawlers not to index parts of the site (it is advisory only and does not enforce access control).
Root Level Libraries:

The attack surface is defined by the following root level libraries:
- SIS_2100_PUBLIC.PNG holding a set of public image files that are frozen and distributed to many servers.
- SIS_2100_PUBLIC.CSS holding a set of public style files that are frozen and distributed to many servers.
- SIS_2100_PUBLIC.JS holding a set of public script files that are frozen and distributed to many servers.
Topology:

External security analysis will report the following ports:
- 21 as the FTP port.
- 22 as the SSH port (secure FTP over SSH, i.e. SFTP).
- 25 as the SMTP email port.
- 53 as the domain (DNS) port.
- 80 as the HTTP port.
- 106 as the POP3 password (poppassd) email port.
- 110 as the POP3 email port.
- 143 as the IMAP email port.
- 443 as the HTTPS port.
- 465 as the SMTPS email port.
- 993 as the IMAPS email port.
- 995 as the POP3S email port.
- 8443 as the alternate HTTPS port.
Blacklist:

An IP black list and white list are also employed to keep hackers away and to help authorized users sign in. To prevent password guessing utilities from being used, the user profile is blacklisted without any error message when hacking is detected. As a policy, the only response to a detected attack is to show the home page and blacklist the user profile.
Authentication:

1. Sign in Handle should not be the same as a person's name on a business card.
2. Email should be a private email address and not what is on a business card.
3. Pass Phrase must be valid within a few attempts, else the user profile is blacklisted.
4. Mode: each user is told what mode to select.
5. Time of Day must be within assigned business working hours.
6. Day of Week must be within assigned business working days.
7. Geo-Location: the IP address must be registered to the user's approved country.
8. IP Address may be restricted to an assigned IP address or IP address range.
9. ISP Name may be restricted to an assigned ISP name.
10. Operating System may be restricted to an assigned computer operating system such as MAC or WXP.
11. Browser may be restricted to an assigned browser such as Safari or IE7.
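The following is an added example, not code from the original page or its application, showing how the blacklist policy and authentication checks 3 to 11 above can be evaluated in one sign-in decision: any policy violation or too many pass-phrase failures silently blacklists the profile, and a rejected request only ever receives the home page. The field names, the attempt limit of 3, the profile store and the sample profile are all assumptions; the stored pass phrase is kept in clear only to keep the example short.

```python
"""Added example (not the page's code): sign-in policy evaluator with silent blacklisting."""
import hmac
from dataclasses import dataclass
from datetime import datetime

MAX_PASS_PHRASE_ATTEMPTS = 3      # assumed value for "valid within a few attempts"
HOME_PAGE = "home"                # the only page a rejected request ever sees


@dataclass
class UserProfile:
    handle: str
    pass_phrase: str                       # clear text only to keep the example short
    mode: str                              # the mode this user was told to select
    country: str                           # approved country for the geo-location check
    ip_prefixes: tuple = ()                # assigned address(es)/ranges; empty = unrestricted
    isp_names: tuple = ()                  # assigned ISP names; empty = unrestricted
    operating_systems: tuple = ()          # e.g. ("MAC", "WXP"); empty = unrestricted
    browsers: tuple = ()                   # e.g. ("Safari", "IE7"); empty = unrestricted
    working_hours: tuple = (9, 17)         # [start, end) on the 24-hour clock
    working_days: tuple = (0, 1, 2, 3, 4)  # Monday=0 ... Friday=4
    failed_attempts: int = 0
    blacklisted: bool = False


@dataclass
class SignInRequest:
    handle: str
    pass_phrase: str
    mode: str
    when: datetime
    ip: str
    geo_country: str   # country the client IP is registered to (from a geo-IP lookup)
    isp: str
    os: str
    browser: str


def _policy_violations(profile, req):
    """Return the names of the checks (items 4-11 above) that the request fails."""
    failures = []
    if req.mode != profile.mode:
        failures.append("mode")
    if not profile.working_hours[0] <= req.when.hour < profile.working_hours[1]:
        failures.append("time_of_day")
    if req.when.weekday() not in profile.working_days:
        failures.append("day_of_week")
    if req.geo_country != profile.country:
        failures.append("geo_location")
    if profile.ip_prefixes and not any(req.ip.startswith(p) for p in profile.ip_prefixes):
        failures.append("ip_address")
    if profile.isp_names and req.isp not in profile.isp_names:
        failures.append("isp_name")
    if profile.operating_systems and req.os not in profile.operating_systems:
        failures.append("operating_system")
    if profile.browsers and req.browser not in profile.browsers:
        failures.append("browser")
    return failures


def sign_in(profiles, req):
    """Evaluate one sign-in request against the policy.

    Returns (page, reason). The reason is for the audit log only: a rejected
    user sees nothing but the home page, as the blacklist policy requires.
    """
    profile = profiles.get(req.handle)
    if profile is None or profile.blacklisted:
        return HOME_PAGE, "unknown_or_blacklisted"
    violations = _policy_violations(profile, req)
    if violations:
        # A request outside the assigned profile is treated as a hacking attempt.
        profile.blacklisted = True
        return HOME_PAGE, "policy:" + ",".join(violations)
    if not hmac.compare_digest(req.pass_phrase.encode(), profile.pass_phrase.encode()):
        profile.failed_attempts += 1
        if profile.failed_attempts >= MAX_PASS_PHRASE_ATTEMPTS:
            profile.blacklisted = True
            return HOME_PAGE, "blacklisted_after_attempts"
        return HOME_PAGE, "bad_pass_phrase"
    profile.failed_attempts = 0
    return "dashboard", "ok"


def build_demo_profiles():
    """Constructed sample profile (not real data)."""
    return {"jdoe42": UserProfile(handle="jdoe42", pass_phrase="correct horse battery",
                                  mode="staff", country="GB", ip_prefixes=("203.0.113.",),
                                  operating_systems=("WXP",), browsers=("IE7",))}


def demo_request(**overrides):
    """Constructed request that satisfies the sample profile; override fields to test rejections."""
    base = dict(handle="jdoe42", pass_phrase="correct horse battery", mode="staff",
                when=datetime(2011, 7, 12, 10, 0), ip="203.0.113.7",
                geo_country="GB", isp="ExampleISP", os="WXP", browser="IE7")
    base.update(overrides)
    return SignInRequest(**base)


if __name__ == "__main__":
    profiles = build_demo_profiles()
    print(sign_in(profiles, demo_request()))
    print(sign_in(profiles, demo_request(when=datetime(2011, 7, 12, 20, 0))))
```

Note that the order of the checks matters: the profile checks run before the pass phrase is compared, so a request from the wrong country or browser never learns whether the pass phrase was right, and the constant-time comparison avoids leaking anything through timing.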
Lessons learned with thanks to Context:

1. On day 1, at 13:20, an SQL injection hack using "SELECT 100108" as the key was successful; this was fixed within the hour. While a normal user with a normal browser could not make this internal attack, an authorized criminal with applicable Firefox extensions was able to make unauthorized DB updates. This hack succeeded after 822 page requests and 34 prior fatal hacking attempts, during which blacklisting of the criminal user had been suspended. The user profile data has been restored to its original values.
2. At the end of day one, the blacklisting logic was switched back on to enable the "one hacking attempt and the user is blacklisted" policy. The application is now operating in normal production mode, where it is not practical to make 34 hacking attempts and sign in again 34 times without being noticed and stopped.
3. The interaction of a hacking attempt and selection of the "What Did I Do" page implied that too much information was being provided to the criminal user; some data has been simplified to reduce its value to a criminal.
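The following is an added example, not code from the original page or its application, illustrating the class of defect behind lesson 1 and the fix that closes it together with lesson 2's policy: a profile lookup that pastes the request key into the SQL text is shown beside a lookup that validates the key and binds it as a parameter, and a request handler that treats a key such as "SELECT 100108" as a hacking attempt, blacklists the session and returns only the home page. The table name, column names, key format and sample rows are assumptions.

```python
"""Added example (not the page's code): string-built lookup, parameterised lookup,
and the one-attempt blacklist policy applied to a rejected key."""
import re
import sqlite3

# Assumed: profile keys are short decimal integers. Anything else is not a key.
KEY_PATTERN = re.compile(r"^[0-9]{1,12}$")


def open_demo_db():
    """In-memory database with a constructed profile table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (profile_key INTEGER PRIMARY KEY, handle TEXT, country TEXT)")
    conn.executemany("INSERT INTO profile VALUES (?, ?, ?)",
                     [(100107, "alice", "GB"), (100108, "bob", "GB")])
    conn.commit()
    return conn


def lookup_unsafe(conn, key):
    """Before: the key is concatenated into the SQL text, so whatever the client
    sends is parsed as SQL. On an honest key it behaves exactly like the safe
    version, which is why the defect can sit unnoticed until a test finds it."""
    sql = "SELECT handle, country FROM profile WHERE profile_key = " + key
    return conn.execute(sql).fetchall()


def lookup_safe(conn, key):
    """After: the key is validated against the expected format, then bound as a
    parameter so it can only ever be a value, never SQL. A key that fails
    validation raises ValueError for the caller to treat as a hacking attempt."""
    if not KEY_PATTERN.match(key):
        raise ValueError("key is not a profile number")
    return conn.execute("SELECT handle, country FROM profile WHERE profile_key = ?",
                        (int(key),)).fetchall()


def handle_request(conn, session, key):
    """Request handler enforcing the page's policy: a rejected key is a hacking
    attempt, the session is blacklisted, and only the home page is returned.
    Returns (page, rows)."""
    if session.get("blacklisted"):
        return "home", None
    try:
        rows = lookup_safe(conn, key)
    except ValueError:
        # One attempt and the user is blacklisted; no error message is shown.
        session["blacklisted"] = True
        return "home", None
    return "profile", rows


if __name__ == "__main__":
    db = open_demo_db()
    sess = {}
    print(handle_request(db, sess, "100108"))        # ('profile', [('bob', 'GB')])
    print(handle_request(db, sess, "SELECT 100108")) # ('home', None) and sess is blacklisted
    print(handle_request(db, sess, "100108"))        # ('home', None): still blacklisted
```

The validation step is what makes the page's policy enforceable: with a parameter binding alone, "SELECT 100108" would simply match no row and the attempt would pass silently; rejecting it up front both closes the injection and gives the blacklist logic a clear signal that a tampering tool, not a normal browser, produced the request.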