Abstract:
The ASP continually conducts internal penetration tests using people who fully understand how the application is designed to be used. It is hard to imagine how any external consultant could be effective in an internal penetration test without many weeks of one-on-one training. With an Intrusion Prevention System (IPS) a fundamental part of the production application, any criminal hacking attempt instantly causes the user to be blacklisted.
URL Query String:
The public web pages have a normal query string with 3 parameters, as do the public dashboard and popup web pages.
Where the URL is shown in the address bar, a normal query string is employed. It is possible to "accidentally" change the 3 parameters in the address bar, and the only result is that the home page will be shown.
Authorized User:
Were an authorized user with criminal intent and hacking experience to make any change to a URL, that change would be detected and the user blacklisted to prevent any further hacking attempts. It is not possible to "accidentally" change the URL into a database update or business document function, so such criminal behaviour will prevent that user from ever signing in again.
URL with Cryptographic Hash Function (CHF) tag:
When an internal URL is employed to link to internal popup forms, documents or updates, a CHF mechanism is employed to prevent hacking. If any change is made to a CHF-protected URL query string, that change will be detected and the authorized user blacklisted to prevent further hacking attacks. As the CHF-protected URL is always hidden, it cannot be accidentally changed, so only criminal intent can be assigned to any change to the URL.
A CHF-protected URL query string is a string of more than 100 numbers; those numbers include CHF digits that detect any change. A subject character string is shown as a honeytrap: if it is changed, that change will be detected and the user blacklisted. An object key is shown as a honeytrap in the same way: if it is changed, that change will be detected and the user blacklisted.
The CHF mechanism and algorithm are secret and are changed daily to prevent the accumulation of intelligence. The cost and time taken to break this CHF mechanism will exceed the rewards from all the effort. Traditional functional and data access controls are also employed, so CHF tagging is just an additional layer of security to detect and stop hacking.
The CHF tag is created with a secret key when the URL is created, and the same function decodes the URL when it is received; the secret key does not need to be transmitted to detect any URL change. Because the secret key is internal to the application and never communicated, the algorithm includes the day of the year to prevent the accumulation of intelligence.
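The tagging and verification flow described above, as an added example that is not the application's own code. The page does not disclose the secret CHF algorithm, so HMAC-SHA256 is used as a stand-in; a per-day key is derived from the day of the year, the tag is rendered as decimal digits so the query string stays numeric, and the user is blacklisted on any detected change to the subject string or object key. The key, the parameter names s/o/d/t and the in-memory blacklist are constructed for this illustration.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed demo key; the application's real key and CHF algorithm are not on the page.
SECRET_KEY = b"demo-secret-key-for-illustration-only"

# Users locked out after a detected URL change (stands in for the IPS blacklist).
BLACKLIST: Set[str] = set()


def current_day_of_year() -> int:
    return date.today().timetuple().tm_yday


def daily_key(day_of_year: int) -> bytes:
    """Derive a per-day key, so a tag observed on one day is useless on another."""
    return hmac.new(SECRET_KEY, f"day:{day_of_year}".encode(), hashlib.sha256).digest()


def make_tag(subject: str, object_key: str, day_of_year: int) -> str:
    """Keyed tag over the protected fields, rendered as 39 decimal digits."""
    # A unit separator keeps "ab"+"c" and "a"+"bc" from producing the same payload.
    payload = f"{subject}\x1f{object_key}\x1f{day_of_year}".encode()
    digest = hmac.new(daily_key(day_of_year), payload, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:16], "big")).zfill(39)


def build_query(subject: str, object_key: str, day_of_year: Optional[int] = None) -> str:
    """Create the hidden, tagged query string for an internal link."""
    if day_of_year is None:
        day_of_year = current_day_of_year()
    return urlencode({
        "s": subject,      # subject string (honeytrap field)
        "o": object_key,   # object key (honeytrap field)
        "d": day_of_year,  # day the tag was issued
        "t": make_tag(subject, object_key, day_of_year),
    })


def verify_query(user: str, query: str, day_of_year: Optional[int] = None) -> Tuple[bool, str]:
    """Recompute the tag on receipt; any mismatch blacklists the user."""
    if day_of_year is None:
        day_of_year = current_day_of_year()
    if user in BLACKLIST:
        return False, "user is blacklisted"
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    try:
        subject, object_key, tag = params["s"], params["o"], params["t"]
        issued_day = int(params["d"])
    except (KeyError, ValueError):
        BLACKLIST.add(user)
        return False, "malformed query string"
    if issued_day != day_of_year:
        BLACKLIST.add(user)
        return False, "tag issued on a different day"
    expected = make_tag(subject, object_key, issued_day)
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        BLACKLIST.add(user)
        return False, "URL change detected"
    return True, "ok"


if __name__ == "__main__":
    link = build_query("1001", "2002", 42)
    print(verify_query("alice", link, 42))                                # (True, 'ok')
    print(verify_query("mallory", link.replace("o=2002", "o=2003"), 42))  # (False, 'URL change detected')
```

The secret never leaves the server: the tag is recomputed from the received fields and the stored key, so a changed subject string, object key or issue day produces a mismatch and the requesting user is locked out before any function is reached.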
Penetration Test:
Because every hacking attempt is the last hacking attempt for that user, the idea that a traditional penetration test could be conducted is not realistic. Penetration testing becomes a paper analysis exercise: discover the URL mechanisms used and theorise as to how they could be broken. Many techniques are employed so that the amount of time needed to analyse the URL mechanism exceeds any reward that could be gained from understanding it.
Time Line:
Internal penetration testing is not practical because the intrusion prevention system does not permit traditional testing to take place. Whatever kind of XSS or SQL injection is attempted, it will be detected and the testing terminated with the user being blacklisted.
Even if it were practical to rapidly reinstate the user profile, the amount of time assigned to testing the one program could be 5, 50 or 500 days; the result would be the same. Because only one program is involved, the penetration test duration cannot be defined by the application stack to be tested, and the project cannot be planned using any known metrics.
Almost 2000 functions exist, but testing all of them could take longer than the interval between function changes. It can be hard to plan a testing strategy when things are continually evolving, and the results of testing an evolving application must have questionable conclusions.