Rafay Baloch takes no prisoners when it comes to exposing vulnerabilities. An ethical hacker since the young age of 14, Baloch is now known within InfoSec circles as a seasoned security expert. His ever-growing list of “victims” includes leading platforms such as Android, Google, PayPal and Nokia, with the former earning him worldwide acclaim.
Known as “Pakistan’s Top Ethical Hacking Prodigy” in his early days, Baloch is currently a senior InfoSec manager at PTCL Etisalat. He was kind enough to give us his take on the leading Application Security solutions used by organizations and governments today. This article will showcase how he, as an experienced ethical hacker, views their technical prowess and overall value.
On WAF: “I have bypassed all WAFs I have encountered to date.”
The Web Application Firewall (WAF) has long been the default Application Security solution for organizations worldwide. But Rafay has no issues bypassing them at will.
“The WAF primarily uses two approaches – Whitelisting and Blacklisting,” the Pakistani security expert explains. “Due to the fact that the majority of the web applications today are dynamic, Whitelisting is not quite practical. This leaves organizations with the option of using the Blacklisting technique, which simply can’t deal with the dynamic nature of modern programming.”
Baloch also elaborated on the ineffectiveness of the WAF methodology as a blocking solution due to the False Positives (FP) it generates, often creating unwanted Denial of Service (DoS) and performance issues. This usually reduces it to a monitoring tool only. He also highlighted the technical issues that arise every time the application code is changed, requiring the WAF to be tweaked and re-configured.
The Sucuri Cloud Proxy is a commonly implemented WAF solution, claiming to be capable of preventing DoS attacks and other code injection attacks. But Baloch showed in his Sucuri WAF XSS Filter Bypass POC how he can trigger False Positives (FP) with harmless input and, more importantly, how he manipulated the WAF and bypassed it with ease using browser-specific bugs.
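As an added illustration of the blacklisting problem Baloch describes (constructed for this article; it is not his POC and not Sucuri's or any vendor's rule set), a toy signature blacklist rejects ordinary text that merely resembles markup, while context-aware output encoding inside the application accepts the same text safely, which is the kind of fix static analysis points developers at:

```python
import html
import re

# Toy signature-style blacklist of the kind a WAF rule set might use.
# Constructed for illustration only; deliberately crude.
BLACKLIST = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"on\w*\s*=", re.IGNORECASE),     # event-handler-looking attributes
    re.compile(r"<\s*/?\s*\w+", re.IGNORECASE),  # any tag-like token
]


def blacklist_blocks(user_input: str) -> bool:
    """True if the toy blacklist would reject this request outright."""
    return any(p.search(user_input) for p in BLACKLIST)


def false_positive_count(benign_inputs: list[str]) -> int:
    """How many known-benign inputs the blacklist would wrongly block."""
    return sum(blacklist_blocks(text) for text in benign_inputs)


def render_comment_fixed(user_input: str) -> str:
    """Application-side fix: encode for the HTML text context and accept any input."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def is_benign_render(rendered: str) -> bool:
    """True if no raw '<' or '>' from user data survives inside the fragment."""
    body = rendered[len("<p>"):-len("</p>")]
    return "<" not in body and ">" not in body


# Constructed harmless inputs that real users might submit to a forum or form.
HARMLESS = [
    "Use the <select> element and add one <option> per item",  # HTML help post
    "Set conversion=rate to 0.5 before the report runs",       # contains 'on='
    "a<b and b>c means a<c",                                   # plain arithmetic
]

if __name__ == "__main__":
    print("benign inputs blocked by blacklist:", false_positive_count(HARMLESS))
    for text in HARMLESS:
        out = render_comment_fixed(text)
        print(is_benign_render(out), out)
```

Every harmless line is blocked by the blacklist (a denial of service to legitimate users), while the encoded rendering neutralises all of them without any filtering at the perimeter.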
On DAST: “Nice to have, but not mandatory due to its inherited limitations.”
The Pakistani security expert was unimpressed with the various Dynamic Application Security Testing (DAST) solutions out there today due to their limited coverage and questionable functionality.
“Black Box Testing is not capable of detecting all Cross Site Scripting (XSS) issues,” Baloch stresses. “For me that itself is a huge disadvantage, because XSS techniques are being used to hack into leading websites worldwide. For me, if the security solution cannot accurately locate non-reflective vulnerabilities it’s not something I would opt for if I was a decision maker. Not enough value-for-money here.”
Edgescan’s 2014 Vulnerability Statistics Report crowned XSS as the “king of client-side vulnerabilities”. It reports that 45% of web applications had at least one XSS issue.
On Penetration (Pen) Testing: “Costly, but highly recommended.”
Baloch strongly endorses Pen Testing. He believes that the best way to test an application is to mimic a hacker and use the same tools they would use in real-life scenarios.
“Pen Testing is an absolute must for any application and it is highly recommended as a primary tool exactly as unit testing,” he explains. “The cost per test-cycle might seem a bit high at first, especially for small and upcoming organizations with limited finances. However, the damages from the breaches can be 100 times costlier than the entire security process. It’s a worthwhile investment.”
On SAST: “The most effective way to secure application code.”
Baloch is a firm believer in White Box Testing. He fully supports the automation of the security process and the creation of a secure Software Development Life Cycle (sSDLC).
“Identifying and fixing vulnerabilities early reduces the risk and the cost threefold for the company. The later the vulnerability is identified, the more the damage increases.”
Baloch went on to recommend the implementation of Static Code Analysis (SCA), a leading SAST technology, into all stages of development to achieve high code integrity. He also mentioned the easy setup, low maintenance costs and the added benefit of “educating the developers” about secure coding practices. Baloch also believes in systematic planning before launching the development process.
“The modern web application is often used as a module for tens or hundreds of third-party components. A robust and secure coding design is very important in today’s cyberspace. Organizations should invest ample time in the planning and designing of the application. Once the code is less complex, fixing vulnerabilities and creating patches is much easier,” Rafay explained.
Baloch’s Application Security Tip: “Static Analysis with Pen Testing”
When asked about his ideal Application Security setup, Baloch was very clear that one solution alone is simply not enough to provide optimal protection. He feels that organizations looking for the silver bullet are preparing themselves for disappointment and possibly also disaster. He stressed that hacking avenues are always available and hence Application Security efforts should never stop.
“In upcoming years, expect to see the exposure of more and more vulnerabilities on the client side such as DOM Based XSS, Client Side SQL Injection, etc.,” Baloch warns. “I believe that organizations looking to optimize Application Security should not settle for one solution. Using Static Analysis for strong code integrity and backing it up with Pen Testing prior to release is the best way to go today.”
Before concluding the interview Baloch also strongly endorsed the Bug Bounty program culture. He asked all leading organizations to empower ethical hackers and enable them to “examine” their web/mobile applications. As a veteran ethical hacker and InfoSec expert, he feels that fighting cybercrime is a global cause and application code should be secured by all means necessary. Stay safe!