| | at : |


Archive

[HACKING] Mobile Application Vulnerability Research Guide(OWASP Mobile Security Project) 하훌 rwxr-xr-x 2 8/11/2016



[HACKING] Mobile Application Vulnerability Research Guide(OWASP Mobile Security Project)

Permission rw-r--r--
Author 하훌
Date and Time 8/11/2016
Label
License 크리에이티브 커먼즈 라이선스



오늘은 간만에 모바일 보안, 즉 스마트폰에 대한 이야기를 하려합니다.
(요즘 바빠서 글 쓸 시간이 없네요.. )

올해 OWASP는 Mobile Security Project로 Mobile Application Security Guide, 즉 취약점 점검, 모의해킹, 보안을 위한 체크리스트를 공개했습니다.

내용을 보시면 아시곘지만.. 악성코드 분석 이런 내용보다는 앱을 공격하고 취약점을 진단하는 내용에 포커싱이 맞춰져 있습니다. 총 91개의 항목으로 구성되어 있고 모바일 취약점 진단하시는 분이라면 조금 도움될 수 있는 문서인 것 같네요.

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project > file

Intro

사실 취약점 분석이나 해킹의 과정이 절차가 있진 않습니다. 물론 개인적인 생각이지만..
Recon / Scanning 등 순서에 따라 하기보단 그냥 막 찔러보는게 제 스타일인 것 같네요.
[ 정보는 테스트하면서 수집하는거죠 :) ]

다만 취약점 분석 중 확실히 도움되는 부분 중 하나는 잘 정리된 체크리스트입니다.
어떤 어플리케이션 / 시스템의 취약성을 제거하는데는, 놓치는 것이 없도록 확인할 수 있는 체크리스트가 좋은 역할을 하죠. 그럼 한번 보도록 하겠습니다.



Mobile Security Check List

크게 Client 쪽 체크리스트, Server 단 체크리스트로 나뉘어져 있고 약간 "최소 꼭 확인해야할 것"
 정도의 느낌으로 해석하시면 될 것 같습니다.

NoVulnerabilityPlatformClassificationSIDE
1Application is Vulnerable to Reverse Engineering Attack/Lack of Code All Static CkecksClient-Side
2Account Lockout not Implemented All Dynamic CkecksClient-Side
3Application is Vulnerable to XSS All Static + Dynamic CkecksClient-Side
4Authentication bypassed All Dynamic CkecksClient-Side
5Hard coded sensitive information in Application Code (including Crypt All Static CkecksClient-Side
6Malicious File Upload All Dynamic CkecksClient-Side
7Session Fixation All Dynamic CkecksClient-Side
8Application does not Verify MSISDN WAP UnknownClient-Side
9Privilege Escalation All Dynamic CkecksClient-Side
10SQL Injection All Static + Dynamic CheckClient-Side
11Attacker can bypass Second Level Authentication All Dynamic CkecksClient-Side
12Application is vulnerable to LDAP Injection All Dynamic CkecksClient-Side
13Application is vulnerable to OS Command Injection All Dynamic CkecksClient-Side
14iOS snapshot/backgrounding Vulnerability iOS Dynamic CkecksClient-Side
15Debug is set to TRUE Android Static CkecksClient-Side
16Application makes use of Weak Cryptography All Static CkecksClient-Side
17Cleartext information under SSL Tunnel All Dynamic CkecksClient-Side
18Client Side Validation can be bypassed All Dynamic CkecksClient-Side
19Invalid SSL Certificate All Static CkecksClient-Side
20Sensitive Information is sent as Clear Text over network/Lack of Data All Dynamic CkecksClient-Side
21CAPTCHA is not implemented on Public Pages/Login Pages All Dynamic CkecksClient-Side
22Improper or NO implementation of Change Password Page All Dynamic CkecksClient-Side
23Application does not have Logout Functionality All Dynamic CkecksClient-Side
24Sensitive information in Application Log Files All Dynamic CkecksClient-Side
25Sensitive information sent as a querystring parameter All Dynamic CkecksClient-Side
26URL Modification All Dynamic CkecksClient-Side
27Sensitive information in Memory Dump All Dynamic CkecksClient-Side
28Weak Password Policy All Dynamic CkecksClient-Side
29Autocomplete is not set to OFF All Static CkecksClient-Side
30Application is accessible on Rooted or Jail Broken Device All Dynamic CkecksClient-Side
31Back-and-Refresh attack All Dynamic CkecksClient-Side
32Directory Browsing All Static + Dynamic ChecClient-Side
33Usage of Persistent Cookies All Dynamic CkecksClient-Side
34Open URL Redirects are possible All Dynamic CkecksClient-Side
35Improper exception Handling: In code All Static CkecksClient-Side
36Insecure Application Permissions All Static CkecksClient-Side
37Application build contains Obsolete Files All Static CkecksClient-Side
38Certificate Chain is not Validated All Static + Dynamic ChecClient-Side
39Last Login information is not displayed All Dynamic CkecksClient-Side
40Private IP Disclosure All Static CkecksClient-Side
41UI Impersonation through RMS file modification JAVA Dynamic CkecksClient-Side
42UI Impersonation through JAR file modification Android Dynamic CkecksClient-Side
43Operation on a resource after expiration or release All Dynamic CkecksClient-Side
44No Certificate Pinning All Dynamic CkecksClient-Side
45Cached Cookies or information not cleaned after application removal/ All Dynamic CkecksClient-Side
46ASLR Not Used iOS Static CkecksClient-Side
47Clipboard is not disabled All Dynamic CkecksClient-Side
48Cache smashing protection is not enabled iOS Static CkecksClient-Side
49Android Backup Vulnerability Android Static CkecksClient-Side
50Unencrypted Credentials in Databases (sqlite db) All Dynamic CkecksClient-Side
51Store sensitive information outside App Sandbox (on SDCard) All Dynamic CkecksClient-Side
52Allow Global File Permission on App Data Android Dynamic CkecksClient-Side
53Store Encryption Key LocAlly/Store Sensitive Data in ClearText All Dynamic CkecksClient-Side
54Bypass Certificate Pinning All Dynamic CkecksClient-Side
55Third-party Data Transit on Unencrypted Channel All Dynamic CkecksClient-Side
56Failure to Implement Trusted Issuers Android Static CkecksClient-Side
57Allow All Hostname VerifierAndroid Static CkecksClient-Side
58Ignore SSL Certificate Error All Static CkecksClient-Side
59Weak Custom Hostname Verifier Android Static CkecksClient-Side
60App/Web Caches Sensitive Data Leak All Dynamic CkecksClient-Side
61Leaking Content Provider Android Dynamic CkecksClient-Side
62Redundancy Permission Granted Android Static CkecksClient-Side
63Use Spoof-able Values for Authenticating User (IMEI, UDID) All Dynamic CkecksClient-Side
64Use of Insecure and/or Deprecated Algorithms All Static CkecksClient-Side
65Local File Inclusion (might be through XSS Vulnerability) All Static + Dynamic ChecClient-Side
66Activity Hijacking Android Static CkecksClient-Side
67Service Hijacking Android Static CkecksClient-Side
68Broadcast Thief Android Static CkecksClient-Side
69Malicious Broadcast Injection Android Static CkecksClient-Side
70Malicious Activity/Service Launch Android Static CkecksClient-Side
71Using Device Identifier as Session All Dynamic CkecksClient-Side
72Symbols Remnant iOS Static CkecksClient-Side
73Lack of Check-sum Controls/Altered Detection Android Dynamic CkecksClient-Side
74Insecure permissions on Unix domain sockets Android Static CkecksClient-Side
75Insecure use of network sockets Android Static CkecksClient-Side
76Cleartext password in Response All Dynamic CkecksServer-Side
77Direct Reference to internal resource without authentication All Dynamic CkecksServer-Side
78Application has NO or improper Session Management/Failure to Invali All Dynamic CkecksServer-Side
79Cross Domain Scripting Vulnerability All Dynamic CkecksServer-Side
80Cross Origin Resource Sharing All Dynamic CkecksServer-Side
81Improper Input Validation - Server Side All Dynamic CkecksServer-Side
82Detailed Error page shows internal sensitive information All Dynamic CkecksServer-Side
83Application Allows HTTP Methods besides GET and POST All Dynamic CkecksServer-Side
84Cross Site Request Forgery (CSRF)/SSRF All Dynamic CkecksServer-Side
85Cacheable HTTPS Responses All Dynamic CkecksServer-Side
86Path Attribute not set on a Cookie All Dynamic CkecksServer-Side
87HttpOnly Attribute not set for a cookie All Dynamic CkecksServer-Side
88Secure Attribute not set for a cookie All Dynamic CkecksServer-Side
89Application is Vulnerable to Clickjacking/Tapjacking attack All Dynamic CkecksServer-Side
90Server/OS fingerprinting is possible All Dynamic CkecksServer-Side
91Lack of Adequate Timeout Protection All Dynamic CkecksServer-Side

Reference

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Share







HAHWUL
HACKING | PENETRATION-TEST | CODING
HACKERONE : GIT : 0DAY-TODAY : EXPLOIT-DB : PACKETSTORM
GOOGLE+ | HAHWUL@GMAIL.COM | TWITTER
WWW.HAHWUL.COM






Recent Post

댓글 2개:

  1. 하울님 정말 궁금한게 많아서 그러는데 카톡 helpme9138로 카톡한번 해주실수 있으신가요 ㅠㅠ

    답글삭제
    답글
    1. 익명 댓글이라 알림을 따로 못받으시겠지만.. 남겨놓습니다.
      개인적으로 카톡 잘 사용하지 않구요, 문의사항은 메일로 주시면 감사하겠습니다 : )
      (주소는 바로 위 서명부분에서 찾을 수 있습니다)

      삭제