Monday, March 24, 2008

Testing For Client Side Vulnerabilities


Lenny Zeltser has a good paper on Testing For Client Side Vulnerabilities:
http://www.zeltser.com/client-side-vulnerabilities/

He gives 3 attack scenarios when testing:

1. Track the clicks (low impact).
2. Plant a back door without exploitation (medium impact).
3. Exploit a client-side vulnerability (high impact).

Dean did a post about spear phishing during a pen-test, which basically covered the 1st option. We used Google Analytics to track who clicked on the initial link, then a 2nd one for who actually entered data. Of course we don't know if that data was any good, but someone put "something" and hit the Enter button.

I would propose a 4th category, which is that I actually use the credentials to see if I can escalate on the network or data mine. It's important to see just how much damage can be done when a user gives up a network logon to the bad guy.

Anyway, Lenny's paper is worth a read, as well as taking a look at Jay Beale's talk on "They're Hacking Our Clients": http://toorcon.org/2007/talks/63/ClientVA-Toorcon9-Oct2007.pdf

There is also an associated site that hasn't been updated since last year :-(
http://clientva.org/

I'm not one of those "security predictions" kind of people, but organizations should start moving to conducting client side exploitation during pen tests as both a training event and to see what kind of access can be gained and damage done when credentials are obtained, instead of 1) saying we have a training program so we are good or 2) saying yes we know our clients are jacked up so go ahead and just test the network defenses anyway.
CG

1 comment:

Anonymous said...

Good post. I agree that an organization should be testing users for phishing awareness and/or client side vulnerabilities. I was surprised when doing a phishing simulation in a pen test how many users actually click on the links. I suggest that pen testers include client side testing as part of a pen test offering to clients and/or your internal security awareness program.