
Five Ways That Ethical Hacking is Changing

1 – New Application Frameworks

One of the most notable emerging platforms for web applications is Node.js (or “Node” for short). Node is a server-side JavaScript runtime built on Chrome’s V8 engine, with an event-driven, asynchronous I/O model that can give many applications a dramatic performance benefit. With those benefits come new security considerations, and Node has its own set of security problems that may affect its applications. Serious code injection vulnerabilities can be introduced with dangerous JavaScript functions such as eval(), which evaluates a string as code: what previously (on the client side) would have been a cross-site scripting vulnerability can now become server-side code execution with the privileges of the Node process. In addition, Node’s vast ecosystem promotes rapid development through reuse of modules written by the Node community. This increases the risk that malicious or vulnerable code enters an application through its dependencies, and very sensitive applications may want to audit the entire module chain independently to verify the integrity of all code included within the application.

Ethical hackers should be well versed in Node when testing such an application. While traditional web application attack vectors remain the same, there are several critical caveats every pen-tester should be aware of. More information about Node.js can be found at the project website: http://nodejs.org/. A good place to begin with Node application security is the Node Security Project.
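The eval() problem above, as an added example (not code from the original article or from the Node project): a hypothetical server-side “calculator” endpoint that evaluates a user-supplied expression with eval(), next to a hardened version that accepts only the arithmetic grammar it intends to support. The handler names and the expression grammar are assumptions for the example.

```javascript
// Added example, not from the original article. Hypothetical Node.js handlers.

// Vulnerable: evaluates the user's ?expr= string as JavaScript on the server.
// eval() runs with the privileges of the Node process, so an input such as
// require('child_process').execSync('id') would execute on the host. The
// same payload in a browser would have been "only" XSS.
function calcVulnerable(exprFromUser) {
  return eval(exprFromUser); // server-side code injection
}

// Hardened: do not evaluate strings as code. Parse the tiny grammar you
// actually mean to accept (integers, + - * /, parentheses, unary minus) with a
// recursive-descent parser and compute the result yourself.
function calcSafe(expr) {
  const tokens = expr.match(/\d+|[-+*/()]/g);
  // Reject anything that is not made up entirely of the allowed tokens.
  if (!tokens || tokens.join('') !== expr.replace(/\s+/g, '')) {
    throw new Error('invalid expression');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function factor() {
    const t = next();
    if (t === '(') {
      const v = sum();
      if (next() !== ')') throw new Error('expected )');
      return v;
    }
    if (t === '-') return -factor();
    if (/^\d+$/.test(t)) return Number(t);
    throw new Error('unexpected token ' + t);
  }
  function product() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = product();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = sum();
  if (pos !== tokens.length) throw new Error('trailing input');
  return result;
}
```

calcVulnerable('typeof process') returns 'object', showing that the attacker is already executing inside the server runtime; calcSafe rejects the same input before any evaluation takes place.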

2 – Preventative Measures

Security headers are maturing and can now provide stronger reinforcement for secure web applications. One of the most interesting and powerful new specifications is Content Security Policy (CSP). CSP is more than just another security header: it lets a site define a policy that restricts how every kind of content in a web application (scripts, styles, images, frames, plugins and so on) may be loaded, giving application developers the ability to whitelist the origins from which each type of content can come. CSP also governs how JavaScript can run: once a policy restricts script sources, inline JavaScript is blocked, as are eval(), new Function() and string arguments to setTimeout() and setInterval(), unless the policy explicitly opts back in with ‘unsafe-inline’ or ‘unsafe-eval’.

Professional ethical hackers should understand the full implications of CSP. Some may wish to recommend such policies as part of a vulnerability assessment; at a minimum, anyone conducting an assessment should be able to read a policy and recognise when it has been weakened, for example by ‘unsafe-inline’ or wildcard sources. In addition to CSP, HSTS (HTTP Strict Transport Security) and X-Frame-Options should also be given strong consideration.
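A small header audit of the kind a tester runs over a captured response, covering CSP, HSTS and X-Frame-Options together, as an added example (not from the original article). It parses the CSP header, applies the script-src to default-src fallback, and flags the weakenings discussed above. The two header sets at the bottom are constructed samples, not captured from any real site, and the 180-day HSTS threshold is an assumption chosen for the example.

```javascript
// Added example, not from the original article. Sample headers are constructed.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

const MIN_HSTS_AGE = 180 * 24 * 3600; // assumed threshold for this example

function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('no Content-Security-Policy header');
  } else {
    const p = parseCsp(csp);
    // script-src falls back to default-src when absent.
    const scriptSrc = p['script-src'] || p['default-src'];
    if (!scriptSrc) {
      findings.push('CSP has neither script-src nor default-src; scripts are unrestricted');
    } else {
      if (scriptSrc.includes("'unsafe-inline'")) {
        findings.push("script sources allow 'unsafe-inline'; inline scripts (classic XSS payloads) still run");
      }
      if (scriptSrc.includes("'unsafe-eval'")) {
        findings.push("script sources allow 'unsafe-eval'; eval(), new Function() and string setTimeout() still run");
      }
      if (scriptSrc.some((s) => s === '*' || s.startsWith('http:'))) {
        findings.push('script sources contain a wildcard or plain-http origin');
      }
    }
    if (!p['object-src'] && !p['default-src']) {
      findings.push('no object-src or default-src; plugin content is unrestricted');
    }
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('no Strict-Transport-Security header');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_AGE) findings.push('HSTS max-age is shorter than 180 days');
  }

  // Framing is controlled by X-Frame-Options or by the CSP frame-ancestors directive.
  if (!h['x-frame-options'] && !(csp && /frame-ancestors/i.test(csp))) {
    findings.push('no X-Frame-Options or CSP frame-ancestors; page can be framed (clickjacking)');
  }
  return findings;
}

// Constructed sample: a policy that exists but protects almost nothing.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline' 'unsafe-eval' *",
  'Strict-Transport-Security': 'max-age=3600',
};

// Constructed sample: the corrected set.
const STRONG_HEADERS = {
  'Content-Security-Policy':
    "default-src 'none'; script-src 'self' https://cdn.example.com; object-src 'none'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
};
```

auditHeaders(WEAK_HEADERS) reports five findings; auditHeaders(STRONG_HEADERS) reports none. The fallback rule matters in practice: a policy that sets only default-src still governs scripts, and one that sets script-src without default-src leaves objects and frames unrestricted.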

3 – NoSQL

NoSQL databases are simple and fast data stores that remove the traditional constraints of relational databases. This less structured model favors speed and scalability over complex relational models. As a result NoSQL has flourished in big data industries and is still growing in smaller applications. NoSQL databases typically provide little security at the database level (many have historically shipped with authentication disabled by default) and rely heavily on security at the application level.

What ethical hackers need to understand is that the days of simply checking for typical SQL injection vulnerabilities are gone. JavaScript and JSON may now be manipulated in malicious ways to obtain unauthorized data: a parsed JSON body is often passed straight into a query, so an attacker who can submit an object where a string was expected can inject query operators. NoSQL databases may have unique operators which are prone to abuse (MongoDB’s $gt, $ne and $regex, for example), and some, such as MongoDB’s $where, accept server-side JavaScript and therefore allow server-side JavaScript injection.
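The operator injection described above, as an added example (not from the original article or any database vendor): a MongoDB-style login query built from a parsed JSON body, run against a tiny in-memory matcher so that it works without a database. The matcher implements only equality, $gt, $ne and $where, just enough to show the bypass; the user records and the handler names are constructed for the example.

```javascript
// Added example, not from the original article. Users below are constructed.

const USERS = [
  { user: 'alice', pass: 'correct horse', role: 'admin' },
  { user: 'bob', pass: 'hunter2', role: 'user' },
];

// A small subset of the MongoDB query language, enough to demonstrate the attack.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (field === '$where') {
      // $where evaluates a JavaScript expression with `this` bound to the document.
      // Shown to illustrate server-side JavaScript injection, not as a pattern to copy.
      return Boolean(new Function('return (' + cond + ')').call(doc));
    }
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      // An object in place of a value is an operator expression.
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case '$gt': return value > arg;
          case '$ne': return value !== arg;
          default: throw new Error('unsupported operator ' + op);
        }
      });
    }
    return value === cond;
  });
}

function findOne(query) {
  return USERS.find((doc) => matches(doc, query)) || null;
}

// Vulnerable: trusts the parsed JSON body as-is. A body of
//   {"user": "alice", "pass": {"$gt": ""}}
// matches alice because any non-empty string compares greater than "".
function loginVulnerable(body) {
  return findOne({ user: body.user, pass: body.pass });
}

// Hardened: insist on primitive strings before anything reaches the query, so a
// JSON object can never become an operator expression.
function loginSafe(body) {
  if (typeof body.user !== 'string' || typeof body.pass !== 'string') {
    throw new TypeError('credentials must be strings');
  }
  return findOne({ user: body.user, pass: body.pass });
}
```

Rejecting non-string input is the structural fix; it is the same shape of defence as parameterised queries in SQL, in that user data is never allowed to change the structure of the query. Note also that a query built from a $where string is a JavaScript injection sink regardless of how the rest of the query is constructed.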

4 – Expanding HTML5

HTML5 extensions are under active development and introduce a constant expansion of security concerns. Even the specifications commonly grouped under HTML5, such as Web Storage (local storage), WebSockets, and CORS, are not always well understood by security professionals. At the time of this writing, many popular security tools still do not support interaction with WebSockets. This leaves a strong possibility that vulnerabilities nested within these technologies may go undiscovered by novice security testers. Ethical hackers must devote significant time to researching these technologies and understanding the full range of security implications each one carries.

A list of some draft extensions can be found at the following URL: http://www.w3.org/html/wg/wiki/ExtensionSpecifications
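Because many testing tools cannot speak WebSocket, a tester sometimes has to build and decode frames by hand to tamper with messages. The following is an added example (not from the original article or any WebSocket library) of RFC 6455 framing for a single text message: a client-side encoder that applies the mandatory masking, and a decoder that strips it. It handles payloads up to 65535 bytes with no extensions, and takes the 4-byte mask key as a parameter so that the output is deterministic; a real client must draw the key from crypto.randomBytes(4). The sample message is constructed.

```javascript
// Added example, not from the original article. Minimal RFC 6455 text framing.

// Encode one complete text frame (FIN=1, opcode 0x1). Clients MUST mask; pass a
// 4-byte key to mask, or omit it to produce a server-style unmasked frame.
function encodeTextFrame(text, maskKey) {
  const payload = Buffer.from(text, 'utf8');
  if (payload.length > 0xffff) throw new RangeError('payload too large for this example');
  const maskBit = maskKey ? 0x80 : 0x00;
  const header = [0x81]; // FIN + text opcode
  if (payload.length < 126) {
    header.push(maskBit | payload.length);
  } else {
    header.push(maskBit | 126, payload.length >> 8, payload.length & 0xff); // 16-bit extended length
  }
  const parts = [Buffer.from(header)];
  if (maskKey) {
    parts.push(Buffer.from(maskKey));
    const masked = Buffer.alloc(payload.length);
    for (let i = 0; i < payload.length; i++) masked[i] = payload[i] ^ maskKey[i % 4];
    parts.push(masked);
  } else {
    parts.push(payload);
  }
  return Buffer.concat(parts);
}

// Decode one frame (masked or not) back into its fields and UTF-8 text.
function decodeFrame(buf) {
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let offset = 2;
  if (len === 126) {
    len = buf.readUInt16BE(2);
    offset = 4;
  } else if (len === 127) {
    throw new RangeError('64-bit lengths not handled in this example');
  }
  let maskKey = null;
  if (masked) {
    maskKey = buf.subarray(offset, offset + 4);
    offset += 4;
  }
  const payload = Buffer.from(buf.subarray(offset, offset + len)); // copy before unmasking
  if (masked) for (let i = 0; i < len; i++) payload[i] ^= maskKey[i % 4];
  return { fin, opcode, masked, text: payload.toString('utf8') };
}

// Constructed message of the kind an application might send over the socket.
const SAMPLE_KEY = [0x12, 0x34, 0x56, 0x78];
const SAMPLE_FRAME = encodeTextFrame('{"cmd":"ping"}', SAMPLE_KEY);
```

Masking exists to defeat cache-poisoning proxies, not to protect the message, so the key travels in clear in the frame; anyone who can read the socket can unmask. The decoder is also the piece a tester needs when inspecting a capture, since the masked bytes on the wire are not readable as-is.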

5 – Bug Bounties

Large organizations with applications that face intense public exposure may benefit from running a bug bounty program. These programs reward independent security researchers for each vulnerability they find. By offering a reward per vulnerability, they create a much greater incentive to disclose vulnerabilities responsibly rather than exploit them for profit. These programs have already seen great success at large organizations such as Google, Twitter, Facebook, and now Yahoo!

One new company, Bugcrowd, has brought this testing model to companies that may not have the resources to run such programs themselves. This type of security testing model can be difficult to manage and may incur significant false positives from less skilled ethical hackers. By providing vulnerability verification and payment services, Bugcrowd allows much smaller organizations to benefit from this type of testing.