
Application Layer Vulnerabilities

Vishwas Sharma

What is the Application Layer

- The application layer is the seventh layer of the OSI model and the only one that directly interacts with the end user.
- In TCP/IP networking, it consists of protocols that focus on process-to-process communication across an IP network and provides a firm communication interface and end-user services.
- The application layer only standardizes communication and depends upon the underlying transport layer protocols to establish host-to-host data transfer channels and manage the data exchange in a client-server or peer-to-peer networking model.
- The application layer provides many services, including:
  - Simple Mail Transfer Protocol
  - File Transfer
  - Web Surfing
  - Network Data Sharing

Application Layer Vulnerability

- An application vulnerability is a system flaw or weakness in an application that could be exploited to compromise the security of the application.
- Once an attacker has found a flaw (an application vulnerability) and determined how to reach it, the attacker has the potential to exploit it to facilitate a cyber crime.
- These crimes target the confidentiality, integrity, or availability (the CIA triad) of resources belonging to an application, its creators, and its users.
- Attackers typically rely on specific tools or methods to discover and compromise application vulnerabilities.
- According to Gartner Security, the application layer currently contains 90% of all vulnerabilities.

Some interesting facts

- Application vulnerabilities can be inherent to the application, or they can be a function of its dependencies (vulnerable libraries, such as versions of OpenSSL affected by Heartbleed).
- Vulnerabilities in compilers and interpreters.
- A given application can be infected by malware designed to exploit specific vulnerabilities.

What makes the Application Layer Vulnerable

- The application layer is the most open-ended of all the layers, and can be considered a catch-all for any issues not addressed within the other six layers.
- From an information security perspective, the application layer is the realm where user interaction is obtained and high-level functions operate above the network layer.
- These high-level functions access the network from either a client or a server perspective, with peer-based systems filling both functions simultaneously.
- The open-ended nature of the application layer groups many threats together, and it sits at the end of the stack.
- One of the prime threats at the application layer is poor or non-existent security design of the basic function of an application.

Some Application Vulnerability Scenarios

- Some applications insecurely handle sensitive information by placing it in publicly accessible files or encoding it in hidden areas that are trivially displayed, such as in HTML code or a web form.
- Programs may have known or unknown backdoors or shortcuts that bypass otherwise secure controls and provide unauthorized access.
- Applications with weak or no authentication.
- Applications may rely upon untrustworthy channels to establish identity or set privilege.
- Applications often grant excessive access to resources, giving unprivileged users excessive access or imposing inadequate controls to prevent the corruption or loss of data.
- User input can be a serious threat: a user may provide unexpected input to an application, which if not handled properly could lead to crashes or other unexpected behavior.
- An unsuspecting, hapless user may cause his application to crash or otherwise fail.
- A malicious user may be able to exploit bugs and program flaws to attack and gain access to resources or data.

Controlling the Application Layer

- Strong design and implementation practices for applications.
- Applications should make use of the secure facilities available to them in the lower network layers.
- Applications should carefully check incoming and outgoing data and assume that communication can and will be subjected to attack.
- Applications should require strong authentication and encryption to validate and protect data as it travels across the network.
- Applications should also implement their own security controls, allowing fine-grained control of the privilege needed to access resources and data.
- Privilege control should be straightforward and should strike a balance between usability and effectiveness.
- Detailed logging and audit capability should be a standard feature of any application that handles sensitive or valuable data.

Controlling the Application Layer (cont.)

- Security monitoring devices such as IDS, IPS and UTM can detect or prevent some attacks, but they cannot protect against all types of application layer attacks.
- Therefore security has to be built into the application layer.
- Testing and review are critical controls for the application layer.
- Given the wide variety of both problems and solutions, standards and practices will not be able to capture all possible twists and turns in an application environment.
- Developers will often have conflicting motivations and agendas regarding their applications.
- In a structured programming environment, code review and application security testing are critical parts of a Secure Software Development Life Cycle (SDLC).

Vulnerability Testing Approach

Outline

- Structure of Technology
- Why to test
- What to test
- When to test
- How to test
- Demo of a Unix platform test
- Hot topics

Definition

Penetration testing vs. vulnerability testing?

Wikipedia:

"Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle."

Why? Test against standards, identify misconfigurations and old vulnerable versions of software, test drive.

Ethics & Legality

Why testing

- Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
- Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing.
- Protecting your brand by avoiding loss of consumer confidence and business reputation.
- Vulnerability testing helps shape information security strategy by identifying vulnerabilities and quantifying their impact and likelihood, so that they can be managed proactively: budget can be allocated and corrective measures implemented.

Defining the scope

- Full-Scale vs. Targeted Testing
- Platform, Network, Database, Applications
- Remote vs. Local Testing
- In-house vs. Outsourcing

Defense in depth

(Diagram: layered view of the test surface, from the outside in: Network, Operating System, Database, Application.)

(Diagram: test architecture. A tester running Nmap and Nessus against network elements (e.g. SGSNs, HLRs), a Sun Solaris application server, HP-UX and Redhat hosts, an Oracle DB, an Apache web server and a Windows file server.)

Nmap


Nessus: Known Vulnerability Scanner




Backtrack


(Diagram: the same test architecture, with the tester performing an Assuria CLI remote test from the data centre against the network elements (e.g. SGSNs, HLRs), the Sun Solaris application server, the HP-UX and Redhat hosts, the Oracle DB, the Apache web server and the Windows file server.)

Pentest definition from Wikipedia

Penetration test, Pentest

"A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities." [Wikipedia]

Fuzzing is a leading vulnerability discovery mechanism

Fuzzing for zero-day vulnerability elimination

- Hackers are using fuzzing to find vulnerabilities.
- Found vulnerabilities (zero-days) are developed into exploits or used to launch DoS attacks.
- As a mitigation, companies have started to integrate the same security techniques:
  - Fuzzing tools to automate security testing
  - Harden devices and networks against attacks
- Not just against hacking: general quality improvement and preparedness for the unexpected.

Vulnerability example: Stuxnet

Probably the most sophisticated malware ever.

"Stuxnet is a Windows-specific computer worm. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide its changes." [Wikipedia]

Malware is the end-product of Unknown Vulnerabilities / Zero-Days

Stuxnet attacks Windows systems using four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens' WinCC/PCS 7 SCADA software.

Proactive unknown-vulnerability elimination is a key security assurance activity

- The defender needs to focus on inherent, built-in security.
- Fuzzing is a technology for systematic vulnerability elimination.
- It can be employed at both node and system level.
- A multi-tiered effort is needed:
  - Vendors to integrate systematic security testing into their processes
  - End-user organizations to do system-level acceptance testing
  - Pentest: government-mandated certification processes
- Pentesting focuses on identifying individual vulnerabilities from outside the perimeter; fuzzing focuses on finding and eliminating vulnerabilities holistically.
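The two fuzzing slides above describe fuzzing as automated, systematic vulnerability elimination without showing the mechanism. The following is an added example, not part of the original deck: a minimal mutation fuzzer run against a constructed length-prefixed message parser, first in a naive form that trusts the count and length bytes it reads, then in a hardened form that bounds-checks them. All names (parse_fields, parse_fields_hardened, mutate, fuzz) and the wire format are assumptions made up for this illustration.

```python
import random
# Constructed wire format for this example: [count][len][payload]...[len][payload]
SEED = b"\x02\x03GET\x06/index"

def parse_fields(data: bytes) -> list[str]:
    count, pos, fields = data[0], 1, []       # IndexError on empty input
    for _ in range(count):
        length = data[pos]                     # IndexError when count overstates fields
        fields.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return fields

def parse_fields_hardened(data: bytes) -> list[str]:
    """Same format; every untrusted length is checked and rejected with ValueError."""
    if not data:
        raise ValueError("empty message")
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        if pos >= len(data) or pos + 1 + data[pos] > len(data):
            raise ValueError("declared count or length overruns buffer")
        end = pos + 1 + data[pos]
        fields.append(data[pos + 1:end].decode("ascii"))  # UnicodeDecodeError is a ValueError
        pos = end
    return fields

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations (bit flip, insert, delete) to a valid seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated seeds to target; return {exception name: first crashing input}."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:                  # ValueError is a clean rejection;
            if not isinstance(exc, ValueError):   # anything else is an unhandled crash
                crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Running fuzz() against parse_fields surfaces an IndexError within a few hundred iterations, while the hardened parser only ever rejects bad input with ValueError; the crashing input is kept so the finding can be reproduced and regression-tested.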

Conclusions

- We need to adopt security testing in the SDLC.
- Pre-deployment security testing should be carried out.
- We need to test security beyond the obvious (known) vulnerabilities.
- We need to secure the operational environment of the applications.
- We need to bring awareness about secure usage.
