HyperSec Consulting Group Services Code Audit


HyperSec has nurtured what is now known as the HyperSec Review Methodology over its many years of experience operating in the field of IT security. The program continues to guide highly efficient security analyses as it evolves to reflect the rapidly changing environment in which we work. To ensure the homogeneity of high standards across all assessments, the HyperSec Review Methodology is embraced organization-wide.
The methodology specifies a structure for each assessment and details objectives, approaches and tasks on a number of levels.

APPLICATION REVIEW (CODE-AUDIT).

There are many kinds of network-aware applications. The most common type we encounter is backed by database server, and has a login facility to validate a user who can proceed to manipulate data through a web-based interface. Complex applications involve numerous systems and interaction with remote servers. They may support many concurrent user sessions. Application review is an investigation into all aspects of the applicationís operation. We use techniques and tools in an attempt to subvert the application into behavior that is erroneous or insecure.

We find that applications available over the Internet frequently harbor vulnerabilities and provide a hole through the firewall. It is easy to make logical, design or implementation errors when developing applications, and the more complex an application, the greater the chance that such vulnerabilities will creep in. Typically, the vulnerabilities that we discover provide an intruder with the opportunity to manipulate data, crash the application or to compromise the server.
HyperSec distinguishes two approaches used for application review. These are summarised in the table.

Approaches Explanation
   
Validated User Review



 
Usually we work with two valid user accounts to see if it is possible to view or manipulate the other userís data. We also try to subvert the application such that we gain unauthorised privileges and, ultimately, access to the underlying operating system.
Source Access Review




 
Source Access Review supplements Validated User Review with a review of the programming source code of the application. We will also discuss the code with its developers and study design documentation. This is the most efficient method for discovering vulnerabilities within applications.

TABLE 1: Application Security Review Types


The usual starting point is a blind review, where HyperSec have no knowledge regarding the application prior to review. All aspects of the applicationís operation are investigated, including:

  • Enumerating all pages within the application (including guessing URLs not given);

  • Enumerating points of input;

  • Use of encryption;

  • Use and type of authentication (including the use of brute forcing);

  • Type and bounds checks on input (including attempting buffer overflow);

  • Cookies (including manipulation and spoofing of cookies);

  • Session-tracking;

  • Points of possible internal transactions.

The first procedure is generally an attempt to circumvent authentication controls. This may involve:

  • Brute force testing of user IDís and passwords;

  • Spoofing a cookie and changing certain parameters (if the applicationís authentication procedure is based on cookies);

  • Guessing URLs, in order to verify that all pages are password protected;

  • Studying the source code of each web page in order to obtain information that can be utilized during latter stages of testing;

  • Trying to exploit buffer overflow vulnerabilities by leveraging lack of input validation. This usually involves type and bounds tests (i.e. supplying different data types and excessively long input).

The second step consists of tests performed from a valid test user account. This is to verify that users are permitted control only over their own data and not that of other users.

Source Access Review could be said to be the final stage. An analysis of the code focuses on the discovery of common programmatic hazards as well as specific design or logic errors. Artifacts sought include buffer overflow points, input validation errors, bad coding practices, and the use of insecure products as part of the application. With the source code at hand the application review becomes more efficient.

If you want to know more about our penetration testing service, please download the requisition form and send it to info@hypersec.co.uk

Download our Code-Audit Requisition Form.


 

 
 
 

HyperSec is a trademark of HyperSec Consulting Group UK. All the logos, images, code and information
are property of his owners. HyperSec Consulting Group does not approve any illegal practice that
uses information contained within this site, for more information, please read the EULA of this page.
HyperSec Consulting Group UK.

Profile::

  Public-20040226

DataBase::

  HyperSec Consulting Gr.

Engine::

  1.0-stable