Wednesday, October 29, 2008

Instinctive threat modeling

A friend of mine sent me a link to a new site today, and, as tends to happen, my mind immediately turned to "how could this be broken?"

In this particular case, what interested me was a field that allowed an unauthenticated user to add an arbitrary subdomain to the site, as in <user input>.thedomain.com.

Depending on how the site turns that field into a DNS record (writing a line into a zone file, or handing it to a dynamic-update tool), something as simple and common as CRLF injection could be a serious hole here: a carriage return or newline inside the label would end the record early, and whatever follows it becomes a second, attacker-chosen record.
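To make the concern concrete, here is an added example (not code from the original post or from the site it describes) that assumes the subdomain label is interpolated into a BIND-style zone-file line; the template, the addresses and the attacker payload are constructed for illustration. It contrasts the naive record builder with one that allow-lists the label against the RFC 1035 hostname rules, which rejects CRLF along with every other character a label may not contain.

```python
import re

# Assumed provisioning step: one A record per new subdomain, appended to a
# BIND-style zone file. The post does not say how the real site does this.
ZONE_TEMPLATE = "{label} IN A 192.0.2.10\n"

# Hypothetical: labels the site already uses, which a user must not claim.
RESERVED = {"www", "mail", "ns1", "ns2"}

# RFC 1035 / RFC 1123 hostname label: 1-63 characters, letters, digits and
# hyphens only, no leading or trailing hyphen. Used with fullmatch(), so a
# trailing "\r" or "\n" cannot slip past the end anchor.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def add_subdomain_vulnerable(label: str) -> str:
    """No validation: a CRLF inside `label` terminates the record and turns
    the remainder of the input into an extra, attacker-chosen record."""
    return ZONE_TEMPLATE.format(label=label)


def is_valid_label(label: str) -> bool:
    """Syntactic check only: True when `label` is a well-formed hostname label."""
    return _LABEL_RE.fullmatch(label) is not None


def validate_label(label: str) -> str:
    """Allow-list the label, then normalise it; raise on anything else."""
    if not is_valid_label(label):
        raise ValueError(f"invalid DNS label: {label!r}")
    normalised = label.lower()
    if normalised in RESERVED:
        raise ValueError(f"reserved label: {normalised!r}")
    return normalised


def add_subdomain_hardened(label: str) -> str:
    return ZONE_TEMPLATE.format(label=validate_label(label))


def records(zone_text: str) -> list:
    """Split generated zone text into records the way a zone parser would see
    them: one per line (CR, LF or CRLF terminated), ';' lines are comments."""
    lines = [line.strip() for line in zone_text.splitlines()]
    return [line for line in lines if line and not line.startswith(";")]


# Constructed attacker input: completes a harmless-looking first record,
# injects a record for "www", then comments out the template's tail.
PAYLOAD = "blog IN A 192.0.2.10\r\nwww IN A 203.0.113.5\r\n;"

if __name__ == "__main__":
    print("vulnerable:", records(add_subdomain_vulnerable(PAYLOAD)))
    try:
        add_subdomain_hardened(PAYLOAD)
    except ValueError as err:
        print("hardened rejected:", err)
    print("hardened ok:", records(add_subdomain_hardened("Blog")))
```

The point of the allow-list is that it does not matter which delimiter the backend happens to use: a label that is only letters, digits and interior hyphens cannot carry a record separator for a zone file, an nsupdate script, or anything else, so there is no deny-list of "bad characters" to keep up to date.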

It occurs to me that this ability to instinctively identify where the biggest potential holes are, before even beginning testing, is a fairly important skill for a security professional. I firmly believe that having a well-rounded technology background is the key to this. In the case of this particular site, I had to tap into experience with:
1. Web development
2. DNS protocol and software
3. Common web site security flaws

There are certain flaws that a security person with the right background can identify just by understanding the thought processes of a developer or a sysadmin, along with a solid grasp of "how it works". One great example is the DNS cache-poisoning flaw discovered by Dan Kaminsky earlier this summer. Ultimately an incredibly simple flaw that, once revealed, seemed painfully obvious to anyone with an understanding of how DNS works. But it took someone like Dan, with a very deep, practical knowledge of DNS along with an advanced security mindset, to put all the pieces together.
