Tech Tales: PCI Compliance with Application Security Testing

We discuss how Ecomservicessummit customers use the products and services of our company to identify security risks within their organizations.

Customers of Ecomservicessummit come from all industries, including financial services, automotive, the public sector, and medical and healthcare. They all share one goal: building trust in their software. Ecomservicessummit provides integrated solutions that transform how organizations build and deliver software, accelerating innovation while managing business risk.

This tech tales story features members of the Ecomservicessummit consultancy team. We spoke to them about how one customer in financial services used Ecomservicessummit security testing tools and services for Payment Card Industry (PCI) compliance.

What was their security and testing history? (Were they new to security, or did they have a mature security program? Which tests had they passed in the past, and which now?)

This customer is required to conduct annual tests on all applications and networks that deal with PCI data as part of compliance.

Were they the victim of a security breach or close call, under peer or industry pressure, or already running a mature program? Was there a new CISO or new management?

They were looking to expand their application security testing program, and replace the penetration testing vendor they had with a more experienced one. We performed some proof-of-concept testing for them, and showed superior quality testing and results to the incumbent vendor.

What was the objective?

After conducting an initial assessment, we discovered several potential problems:

  • Unauthenticated remote code execution (RCE). An attacker exploits a vulnerability that allows code to be executed remotely on the server. Such exploits are most common in situations where no prior authentication is required.
  • SQL injection. SQL injection arises when SQL queries are built by dynamically concatenating user-supplied data with static SQL query strings. This implementation leaves the database unable to distinguish between the developer’s SQL syntax and any SQL syntax supplied by the user. SQL injection is therefore possible because an attacker can insert SQL syntax into the static query to alter the structure of the target query.
  • Login page enumeration. The application’s login function returns different results depending on whether or not the username entered is valid. The differences may be as obvious as “invalid password” versus “user [username] doesn’t exist”, but they can also be subtler: an application might return a generic failure message that nonetheless differs slightly depending on whether a valid username with a wrong password, or an invalid username, was supplied, or it may display the same error message while another (potentially invisible) part of the response’s content differs.

What was your method of finding the problem?

Unauthenticated RCE issues were discovered via unauthenticated arbitrary file upload attacks against elFinder (a PHP-based file manager embedded within the TikiWiki instance).

The SQL injection problem was identified using a proxy tool.

Automated brute-force guessing was used to compile a list of valid users in order to exploit the login user enumeration problem. After assembling the list of valid usernames, password guessing was automated, which yielded a large number of valid credentials for the application.

What was the potential effect of the new issues?

The unauthenticated RCE issue was discovered on the customer’s wiki server. Once initially exploited, the machine was found to be running an older OS, which allowed easier privilege escalation and password dumping. It was also joined to Active Directory (AD), giving it lateral network connectivity with other systems in the AD domain.

SQL injection allows an attacker to modify the structure of a SQL statement executed by the application. The type of SQL server in use determines whether the attacker can only modify the existing query or can also append new queries to it. A modified query can access any part of the database with the same rights granted to the connection, potentially leading to:

  • Loss of confidentiality: an attacker can gain access to unauthorised information.
  • Loss of integrity: modification of log files or other users’ sensitive information.
  • Loss of availability: the attacker deletes other users’ data, executes commands to take down the server, or performs denial-of-service attacks that fill the database and exhaust its storage.
  • Authentication bypass: modification of the SQL queries that verify credentials.
  • Authorization bypass: gaining access to, or modifying, data in ways the application’s business logic prohibits.

An attacker can retrieve a large number of valid usernames by automating guesses. Once an attacker has a list of valid usernames, they can begin guessing passwords in order to steal credentials or impersonate other users. Depending on the login anti-automation mechanism used by the application, password guessing can be performed either manually or automatically. Valid usernames can also be used in large-scale account lockout attacks and in phishing campaigns. This particular instance made the problem even more dangerous because many of the compromised accounts had the same password as their login name.

What was the customer’s remediation advice?

Once it becomes apparent that the version of a service in use is at risk of attack, preventative measures must be taken to minimize the exposure. We recommended patching or upgrading the affected software service to fix the unauthenticated RCE.

We recommended that the customer rewrite any SQL queries created through dynamic concatenation in order to avoid SQL injection. Modern programming languages provide “parameterized query” features that allow data to be inserted safely as values into dynamic SQL queries. Instead of concatenating user-supplied data with static SQL query string fragments to create a dynamic query, data values are identified by parameter markers or variables in the query text. The SQL interface then passes the dynamic data separately from the query, so the data cannot change the query’s meaning.
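To make the SQL injection finding and the parameterized-query fix concrete, here is an added Python example (not the customer’s or Ecomservicessummit’s code) using a constructed in-memory SQLite table. The vulnerable handler concatenates the username into the query text; the hardened handler passes it through parameter markers.

```python
import sqlite3

def make_db():
    """Constructed sample credential table; not the customer's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_concat(conn, username, password):
    """Vulnerable: the query text is built by string concatenation, so the
    database cannot tell the developer's SQL from SQL syntax in the input.
    A username such as  alice' --  turns the rest of the WHERE clause into a
    comment and the password check disappears from the statement."""
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_param(conn, username, password):
    """Hardened: the ? markers carry the data separately from the query text,
    so whatever the input contains is compared as a value and can never alter
    the structure of the statement."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # The same malformed username: structure change vs. plain failed lookup.
    print("concat :", login_concat(db, "alice' --", "anything"))  # admin
    print("param  :", login_param(db, "alice' --", "anything"))   # None
```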

The application should address the username enumeration problem by returning the same response regardless of whether the supplied username is associated with a valid account. For all invalid credentials, an example response could be “The username and password entered do not match.”
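The login enumeration finding and this remediation, as an added Python example that is not the customer’s or Ecomservicessummit’s code. The credential store, the fixed salt and the dummy hash are constructed for the example; the uniform handler returns the same status and message, and performs the same hashing work, for an unknown user and for a wrong password.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: a real one uses a distinct salt per user.
_SALT = b"constructed-fixed-salt"
USERS = {"alice": _hash("correct horse", _SALT)}
# Dummy hash compared against when the user is unknown, so the response
# time does not reveal the missing account either.
_DUMMY = _hash(secrets.token_hex(16), _SALT)

def login_leaky(username, password):
    """Enumeration-prone: status code and message reveal whether the
    username exists, which is the finding described on this page."""
    if username not in USERS:
        return 404, "user %s doesn't exist" % username
    if not hmac.compare_digest(USERS[username], _hash(password, _SALT)):
        return 401, "invalid password"
    return 200, "welcome"

def login_uniform(username, password):
    """Fixed: one response for every invalid credential pair."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if ok and username in USERS:
        return 200, "welcome"
    return 401, "The username and password entered do not match."

def responses_distinguishable(login):
    """Tester's check: an unknown user and a known user with a wrong
    password must yield byte-identical responses."""
    return login("no-such-user", "x") != login("alice", "x")

if __name__ == "__main__":
    print("leaky distinguishable  :", responses_distinguishable(login_leaky))
    print("uniform distinguishable:", responses_distinguishable(login_uniform))
```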

Which were the results?

The customer operates in the financial services sector, and the applications tested contained customer data, which brings them within scope of PCI compliance. We were able to test the applications to verify compliance with the PCI mandate and to meet the strict requirements of auditors.

What can we do for them now and in the future?

We test new applications as customers acquire companies. We can do this in a very short turnaround time. Currently, we test around 200 applications per year. We also conduct mobile and network penetration tests for these customers.
