
15 AppSec Tips From the Top Ethical Hackers of 2014

Dec 31, 2014 By Sharon Solomon

2014 will go down as the year of the mega-attacks. It all started off during last year's holiday season with the Target hackings that affected over 100 million customers. Soon the Heartbleed and Shellshock vulnerabilities were exposed, causing havoc all across the planet. The hackings kept on coming in the latter stages of the year – the Snapchat fiasco, iCloud photo leaks and the North Korean orchestrated Sony Pictures hacking, just to name a few.

Contrary to common belief, many high-profile hackings in 2014 were performed by ethical hackers interested only in the benefit of the community. Despite the lack of reward and incentive, these ethical hackers tested the robustness of applications used by millions worldwide and reported their findings to the relevant companies.

There are no boundaries whatsoever when it comes to ethical hacking. These experts are genuinely concerned about cybercrime and are committed to the improvement of security standards in web and mobile applications. We have interviewed the 5 top ethical hackers who made the headlines this year and collected their insights to create this list.

Name: Rafay Baloch a.k.a The Pakistani Hacking Prodigy.
Location: Karachi, Pakistan.
Claim to fame:
Found SOP issues in Android’s stock AOSP browser.
Preferred hacking tools: Burp Suite, Zap Proxy, Firebug, Chrome JS Console.

Rafay Baloch, one of the most promising ethical hackers in Pakistan, took the world by storm after finding glaring flaws in Android’s stock AOSP browser. These security loopholes have not been addressed and are allowing hackers to steal session cookies to this very day, enabling them to perform a wide variety of malicious actions including identity theft.

The Pakistani AppSec expert, currently an undergraduate student who spends his free time honing his research skills, is a firm believer in developing applications within a secure Software Development Life Cycle (sSDLC). He strongly recommends that organizations, big and small alike, automate testing and integrate it into the development process.

AppSec Tip No.1 – Enforce Secure Coding Practices: I strongly endorse the OWASP guidelines.
AppSec Tip No.2 – Opt for Secure Frameworks: Frameworks such as Ruby on Rails and Django offer basic yet important protection against common security vulnerabilities such as XSS and CSRF.
AppSec Tip No.3 – Using RBAC: Role-based access control (RBAC) should be applied when developing applications.

Name: Guy Aharonovsky a.k.a The Ethical Hacker from Zion.
Location: Tel Aviv, Israel.
Claim to fame:
Exploited vulnerable APIs in Google Chrome.
Preferred hacking tools: Burp Suite, Customized Pen Testing Tools.

Google Chrome has become the world’s most commonly used browser, thanks in part to the ever-growing popularity of the Android mobile platform. Israeli security researcher Guy Aharonovsky shocked the world with his findings, which revolved around old Chrome APIs. If manipulated, these could allow malicious attackers to eavesdrop on their victims.

Aharonovsky spoke to Checkmarx about the serious security issue, which he claims to have spotted by playing with the vulnerable feature for just a few moments. He expressed his deep disappointment with Google’s lack of interest in the issue, as he believes that the flaw can cause serious damage if embraced by the hacking fraternity.

[Embedded video: To Listen without Consent (live demo) – Abusing the HTML5 Speech …]

“SCA could have helped mitigate these security issues,” Aharonovsky commented. “The flaw is located in old code with no direct ‘owners’, which is a common occurrence during software development. Automated testing is valuable as it can help catch old code regressions that programmers usually have no time to locate or deal with.”

AppSec Tip No.4 – Open Source Vulnerabilities: Always assess open source components before implementation.
AppSec Tip No.5 – SDLC: I am a firm believer in secure Software Development Life Cycles.
AppSec Tip No.6 – Break the Build: Better to delay the build to fix vulnerabilities than to deal with them later.

Name: Yasser Ali a.k.a Mr.Ali.
Location: Qena, Egypt.
Claim to fame:
Found CSRF issues in PayPal’s web application.
Preferred hacking tools: Burp Suite, Wireshark, NMap, Nikto, SQLmap, etc.

The internet boom and the exponential rise in the popularity of “eBay shopping” have made PayPal the most recognized e-commerce payment platform today. Egyptian security researcher Yasser Ali recently participated in PayPal’s Bug Bounty Program and came up with a critical Cross-Site Request Forgery (CSRF) vulnerability finding.

This CSRF exploit involved the PayPal application’s anti-CSRF token. Just typing in any active email ID with a wrong password enabled Yasser Ali to intercept the valid anti-CSRF authentication token. As shown in the POC above, all Ali needed to do was to capture the POST request sent back to PayPal before the login process.

Yasser’s message to organizations and developers is clear: “You must find potential vulnerabilities in the development cycle before the hackers find them for you. Source Code Analysis (SCA) is a great way to get this done.”

AppSec Tip No.7 – Security Awareness: Most of the attacks in 2014 targeted their victims through social engineering techniques, hence security awareness is mandatory to prevent or limit such attacks.
AppSec Tip No.8 – Defense in Depth: A malicious attacker can be slowed down by implementing layered defenses that cover these three main areas of concern: people, technology and operations.
AppSec Tip No.9 – Code Review and Analysis: Educate your programmers to write secure code; they should be aware of the technology they are using and the pitfalls it may have.

Name: Antonio Sanso a.k.a A.S.
Location: Basel, Switzerland.
Claim to fame:
Hacked OAuth and Github.
Preferred hacking tools: Burp Suite, OWASP ZAP, DNS-Discovery.

Antonio Sanso found a critical CSRF vulnerability in the OAuth application, showing how scopes associated with an OAuth token can be removed with the help of CSRF.

Initiating an OAuth flow that requested fewer scopes did not require the user to authorize the removal of those scopes, allowing an attacker to CSRF the OAuth flow and manipulate the scopes.
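To show the consent rule that closes the scope-removal hole described above, here is an added example (not GitHub's or Sanso's code) of the decision an authorization server makes when a client that already holds a grant starts a new authorization flow; the user, client and grant data are constructed, and the `state` bookkeeping is an assumed, simplified model of how a server ties a flow to the user's browser.

```python
"""Consent check for OAuth scope changes (added example, constructed data)."""
import secrets

# Constructed sample: one user, one client, one grant already on file.
GRANTS = {("alice", "client-123"): {"repo", "user", "gist"}}
PENDING_STATES = {}  # state -> (user, client_id, requested scope set)


def start_authorization(user, client_id, requested_scopes):
    """Begin a flow; return (needs_consent, state).

    The flaw described above: a flow requesting a *subset* of the current
    grant went through without a consent screen, i.e. effectively
        needs_consent = not requested.issubset(existing)
    Hardened rule: any change to the granted set, up or down, needs consent.
    """
    requested = set(requested_scopes)
    state = secrets.token_urlsafe(16)  # per-flow value, checked on completion
    PENDING_STATES[state] = (user, client_id, requested)
    existing = GRANTS.get((user, client_id), set())
    needs_consent = requested != existing
    return needs_consent, state


def complete_authorization(state, user_confirmed):
    """Apply the requested grant only for a known, unused state and, when the
    scope set differs from the current grant, only with explicit consent.
    Returns the sorted scope list now on file for that user/client pair."""
    if state not in PENDING_STATES:
        raise ValueError("unknown or replayed state")
    user, client_id, requested = PENDING_STATES.pop(state)
    existing = GRANTS.get((user, client_id), set())
    if requested != existing and not user_confirmed:
        # A cross-site initiated flow never gets to this confirmation, so the
        # existing grant (including scopes it tried to drop) stays untouched.
        return sorted(existing)
    GRANTS[(user, client_id)] = requested
    return sorted(requested)
```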

Sanso also found a glaring issue in the .patch selector on github.com, which was vulnerable to Cross-Site Scripting (XSS). Patches containing JavaScript are not properly sanitized and the malicious scripts are executed, a common issue on older browser versions. Making matters worse, this vulnerability was also found on Safari for iPhone.

AppSec Tip No.10 – Train Your Developers to Code Securely: Secure coding helps eliminate post-release issues.
AppSec Tip No.11 – Combine SCA and Pen Testing: This security combo is the best way to stay safe.
AppSec Tip No.12 – Use Input Validation: Blacklisting and whitelisting user input/requests helps fight SQLi.

Name: Mohamed Baset a.k.a The Wizard of the Nile.
Location: Luxor, Egypt.
Claim to fame: Exploited Samsung’s Find my Mobile application.
Preferred Hacking Tools: Burp Suite, Kali Linux OS, Wireshark, Fiddler, SQLmap.

Mohamed Baset found glaring CSRF vulnerabilities in Samsung’s proprietary Find my Mobile “geo-locating” application, which currently has millions of users worldwide. Baset showed in his POC how it’s possible to exploit the app and perform remote actions without the user’s knowledge. NIST gave the vulnerability a CVSS severity rating of 7.8.

Baset started off the hacking by logging into the Find My Mobile service at Samsung.com via his browser. He then accessed a personally-created malicious website in a new tab, which is what initiates the manipulation. Malicious commands are injected into the Find My Mobile tab, enabling Baset to perform the locking/unlocking and ringing.
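Both CSRF findings on this page (PayPal's token captured from a pre-login request, and Find My Mobile's remote actions triggered from another tab) come down to a server accepting a state-changing request without a token bound to the authenticated session. The following added example (not PayPal's or Samsung's code, and a generic web-app model rather than either service's real flow) issues each token as an HMAC of the session id under a server secret and rotates the session at login, so a token obtained before login is refused afterwards and a request carrying no token is refused outright.

```python
"""Session-bound anti-CSRF tokens with rotation at login (added example)."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed: fresh per process here


def new_session_id():
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id):
    """Deterministic per session, unforgeable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented_token):
    """Constant-time check; an empty/missing token never passes."""
    if not presented_token:
        return False
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, presented_token.encode())


def login(pre_login_session, credentials_ok):
    """On success, hand the browser a brand-new session id, so any token
    minted for the pre-login session (e.g. from a failed login attempt)
    is worthless against the authenticated one. On failure nothing
    privileged is issued and the old session stays as it was."""
    if not credentials_ok:
        return pre_login_session
    return new_session_id()


def handle_state_change(session_id, form_token, action):
    """Gate a sensitive action (lock/ring a device, change an e-mail address)
    on a token that matches the *current* session."""
    if not csrf_token_valid(session_id, form_token):
        return "rejected: missing or foreign CSRF token"
    return f"performed {action}"
```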

AppSec Tip No.13 – Use open source tools: If you don’t have the resources, use open source tools; code reviewing is now easy and free.
AppSec Tip No.14 – Mind your language: Refrain from adding sensitive details to your comments while coding. This can provide the hacker with valuable parameters that he can use to attack the application.
AppSec Tip No.15 – Strong business logic: Follow the business logic of your app and ensure that it’s implemented.

Cyber-criminals are constantly manipulating conventional defenses and infiltrating businesses.

As with the Target hackings in 2013, the Staples chain has been hacked recently. More than 1.1 million payment card details have allegedly been stolen after the commercial giant’s PoS systems were compromised with malicious software. Details of the hackings are still unknown due to the ongoing investigations, but the implications of this catastrophe are obvious.

As evident from the tips provided by the aforementioned ethical hackers, safe coding practices and proper code analysis are paramount to developing secure applications. Unless today's applications are strengthened from their foundation, the source code, malicious attackers will keep finding ways to gain unauthorized access and cause damage.

It’s also important to encourage Bug Bounty Programs and events to raise awareness about security and catch severe vulnerabilities while doing so. Checkmarx highly recommends following the aforementioned ethical hackers and understanding the discovered loopholes to avoid potential re-occurrences.

Checkmarx wishes you all a Happy New Year and safe 2015.
