Effective Application Security Testing: The Evil Streak

Posted by Joe Basirico on April 17, 2012 at 10:54 AM
Find me on:

We've made it to the last part of my four part series on what makes a great security tester or hacker. Even though this fourth piece is what I consider to be the most important and exciting quality of a hacker, I do recommend you go back and read the first three pieces of the series. In part one I gave an overview of the qualities I look for in the next great security tester. In part two I talked about the first thing you'll need, Complete Knowledge of the System you'll be testing. In part three I talked in depth about the next thing you'll need, a Good Imagination. Finally in this part I'll talk about the final, and possibly, most important thing you'll need an Evil Streak.

I've spoken with, trained, and managed hundreds of great testers over the years, and I've discovered that great functional testers don't necessarily make great security testers. I'm in the business of creating the best security testers in the world and one fundamentally important piece of the puzzle is the ability to think like the attacker, to think about the worst possible thing that could happen to an application, to have an evil streak. These people don't just like testing, they love breaking the software in ways never before thought of. They like to cause the application *true pain* and they don't back off, they reach for the shaker of salt to pour into the wound.

When I started in the industry we wrote input validation to make our software usable, not secure. We verified our inputs to make sure the user had a good experience, not to ensure the bad guys weren't out to get us. I remember submitting a bug report that went something like this "When I type 10,000 of the letter 'A' into the username field the application crashes." Now when you hear this, hopefully by now your brain is screaming "Buffer Overflow!!" Unfortunately this was met with "Why on earth would anybody type that much data into the username field? That's just crazy. Won't Fix." Fast forward a few years after "Smashing the Stack for Fun and Profit" was released and you could get almost any bug fixed if you'd type the magic words at the end of your bug report "Potential Buffer Overflow."

This was the time before software developers had "The Evil Streak"

What I mean by an Evil Streak is the ability to take a potential vulnerability to it's logical end. We could potentially submit a SQL injection vulnerability after we receive a basic database error from inputting a single quote into a text box, but what would the fun be in that? Instead discover how deep the rabbit hole really goes. What permissions does the database user have? What commands can we execute? Can I select from other tables? Can I delete rows? Drop Tables? Execute arbitrary Stored Procedures? Is XP_CMDSHELL still enabled? If so, what permissions does the database user have available to it?

If we find a format string vulnerability, or another command injection vulnerability prove it, and not by pointing to an article online, prove it by popping up calc.exe or uploading a remote shell, or changing somebody's screensaver, or anything else your evil mind can come up with.

Some people have this by default. Some people learn this over time. Sometimes it's a matter of simply knowing what's possible, but sometimes it's a matter of being a mischief maker and finding a goal and learning and linking things together until you have accomplished that goal.

The Evil Streak, as I mentioned, is possibly the most important quality in a hacker. Not because it gives you some superhuman ability, but rather because it gives the spark that will drive the other two qualities. If I want to accomplish some goal with enough focus I can learn what I need to know and imagine the pieces that will make it possible. With out complete knowledge of the system and a good imagination I'll have a serious uphill battle ahead of me, but with enough time and focus I'll get there.

Topics: application security

Joe Basirico

Written by Joe Basirico