Penetration Testing mailing list archives
RE: Pen testing SSL VPN appliances?
From: "Palumbo, Dave" <Dave.Palumbo () factiva com>
Date: Wed, 3 Dec 2003 12:17:48 -0500
Well, most of these at their core are web applications that do SSL port forwarding...So any standard web application security auditing tools and techniques are relevant...Commercial tools like SpiDynamics Web Inspect, Sanctum, etc...and of course things like netcat and your favorite client side web proxy [Webscarab from www.owasp.org is making great strides] are invaluable. As you may know, most of the SSL VPNs run on top of an enterprise web server platform like Apache...so even standard vulnerability assessment tools like Nessus may provide some value.

Yeah, I would investigate cookies for sure....does the application write a session cookie only, or persistent? If persistent, what data is stored in the cookie? Can this somehow be manipulated to elevate privilege? Also, the cookie(s) themselves...can they in any way be stolen via a XSS attack or another means? How are session IDs generated? Etc, etc... When we did our audit of the Neoteris I was able to successfully steal a user's session cookie via a XSS in a particular CGI file...and once in possession of the session cookie, that session can be trivially hijacked.

Most of these apps don't touch any backend databases, but for those that do you can try SQL injection attacks... I would also see if you can do path manipulation and try to break out of the web root, perhaps by trying encoding techniques...

- Dave

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com]
Sent: Monday, December 01, 2003 3:53 PM
To: pen-test () securityfocus com; cisspforum () yahoogroups com
Subject: Pen testing SSL VPN appliances?

Hello all,

Has anyone done a technical pen-test on a SSL VPN concentrator recently? If yes, what tools did you use and what facets of the device did you look at? I am speaking of testing above and beyond such tools as vulnerability assessment tools such as Nessus.

For example, analyzing the client-side applets, browser cache files, cookie hijacking, weaknesses in authentication, etc. I am not really interested in the policy and practices side of things in this case, such as when and where to use the SSL VPN (e.g. not in a Starbucks or Kinkos), logging out, etc.

FWIW, there is a pretty good basic whitepaper by Joseph Steinberg of Whale Communications on this topic at http://www.sans.org/rr/wp/SSL_VPN.pdf, but I was hoping for more along the line of success stories along the lines of "I found this using this" or device-specific problems that are not addressed by current code releases.

Thanks,
Mark Lachniet
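The cookie questions Dave raises above (session-only or persistent, what data the cookie carries, whether script can read it, how the session ID is generated) can be turned into a mechanical check of the Set-Cookie headers an appliance returns. The script below is an added example, not code from either poster or from any SSL VPN vendor; the headers it audits are constructed samples, and the entropy threshold is an assumed rule of thumb, not a standard.

```python
import base64
import math

# Constructed sample Set-Cookie headers (not captured from any real product).
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=a9f3c2e1b7d4056f8e2a1c3b5d7f9e0a; path=/; secure",
    "Set-Cookie: prefs=dXNlcj1hbGljZTtyb2xlPXVzZXI=; expires=Fri, 03-Dec-2004 12:00:00 GMT; path=/",
    "Set-Cookie: sid=000123; path=/; secure; HttpOnly",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val          # flag attributes (secure, HttpOnly) get ""
    return name, value, attrs

def shannon_entropy(s):
    """Bits per character; a rough hint of whether an ID looks random or sequential."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def decode_if_base64(value):
    """Return printable ASCII hidden behind base64, else None (random IDs fail here)."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
        return text if text.isprintable() else None
    except Exception:
        return None

def audit_cookie(header):
    """Report the properties a reviewer would want to know about one cookie."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")        # written to disk, survives browser close
    if "secure" not in attrs:
        findings.append("no-secure")         # may be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")       # readable by page script if XSS exists
    decoded = decode_if_base64(value)
    if decoded is not None:
        findings.append("readable-data:" + decoded)  # client-visible state, tamper candidate
    if shannon_entropy(value) < 3.0:         # assumed threshold for "looks sequential"
        findings.append("low-entropy")
    return name, findings
```

Run `audit_cookie` over each header an appliance sets after login; a session cookie that shows up as persistent, without HttpOnly, or with low entropy is the one to look at first.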