Documentation< Previous | Contents | Next >
11.2.4. Application Assessment
While most assessments have a broad scope, an application assessment is a specialty that is nar- rowly focused on a single application. These sorts of assessments are becoming more common due to the complexity of mission-critical applications that organizations use, many of which are built in-house. An application assessment is usually added on to a broader assessment, as required. Applications that may be assessed in this manner include, but are not limited to:
• Web applications: The most common externally-facing attack surface, web applications make great targets simply because they are accessible. Often, standard assessments will find basic problems in web applications, however a more focused review is often worth the time to identify issues relating to the workflow of the application. The kali-linux-web meta- package has a number of tools to help with these assessments.
• Compiled desktop applications: Server software is not the only target; desktop applications also make up a wonderful attack surface. In years past, many desktop applications such as
21http://docs.kali.org/kali-dojo/02-mastering-live-build 22https://www.offensive-security.com/kali-linux/kali-rolling-iso-of-doom/ 23http://docs.kali.org/development/live-build-a-custom-kali-iso 24https://www.offensive-security.com/kali-linux/kali-linux-recipes/
PDF readers or web-based video programs were highly targeted, forcing them to mature. However, there are still a wide number of desktop applications that are a wealth of vulner- abilities when properly reviewed.
• Mobile applications: As mobile devices become more popular, mobile applications will be- come that much more of a standard attack surface in many assessments. This is a fast mov- ing target and methodologies are still maturing in this area, leading to new developments practically every week. Tools related to the analysis of mobile applications can be found in the Reverse Engineering menu category.
Application assessments can be conducted in a variety of different ways. As a simple example, an application-specific automated tool can be run against the application in an attempt to identify potential issues. These tools will use application-specific logic in an attempt to identify unknown issues rather than just depending on a set of known signatures. These tools must have a built-in understanding of the application’s behavior. A common example of this would be a web applica- tion vulnerability scanner such as Burp Suite25, directed against an application that first identifies various input fields and then sends common SQL injection attacks to these fields while monitoring the application’s response for indications of a successful attack.
In a more complex scenario, an application assessment can be conducted interactively in either a
black box or white box manner.
• Black Box Assessment: The tool (or assessor) interacts with the application with no special knowledge or access beyond that of a standard user. For instance, in the case of a web ap- plication, the assessor may only have access to the functions and features that are available to a user that has not logged into the system. Any user accounts used would be ones where a general user can self-register the account. This would prevent the attacker from being able to review any functionality that is only available to users that need to be created by an administrator.
• White Box Assessment: The tool (or assessor) will often have full access to the source code, administrative access to the platform running the application, and so on. This ensures that a full and comprehensive review of all application functionality is completed, regardless of where that functionality lives in the application. The trade-off with this is that the assess- ment is in no way a simulation of actual malicious activity.
There are obviously shades of grey in between. Typically, the deciding factor is the goal of the assessment. If the goal is to identify what would happen in the event that the application came under a focused external attack, a black box assessment would likely be best. If the goal is to identify and eliminate as many security issues as possible in a relatively short time period, a white box approach may be more efficient.
25https://portswigger.net/burp/
In other cases, a hybrid approach may be taken where the assessor does not have full access to the application source code of the platform running the application, but user accounts are provisioned by an administrator to allow access to as much application functionality as possible.
Kali is an ideal platform for all manner of application assessments. On a default installation, a range of different application-specific scanners are available. For more advanced assessments, a range of tools, source editors, and scripting environments exist. You may find the Web Applica- tion26 and Reverse Engineering27 sections of the Kali Tools28 website helpful.