RE: Pen testing SSL VPN appliances?

From: Palumbo, Dave (Dave.Palumbo@factiva.com)
Date: Wed Dec 03 2003 - 12:17:48 EST


Well, most of these at their core are web applications that do SSL port
forwarding...So any standard web application security auditing tools and
techniques are relevant...Commercial tools like SpiDynamics Web Inspect,
Sanctum, etc...and of course things like netcat and your favorite client
side web proxy [Webscarab from www.owasp.org is making great strides]
are invaluable. As you may know, most of the SSL VPNs run on top of an
enterprise web server platform like Apache...so even standard
vulnerability assessment tools like Nessus may provide some value.

Yeah, I would investigate cookies for sure....does the application write
a session cookie only, or persistent? If persistent, what data is
stored in the cookie? Can this somehow be manipulated to elevate
privilege? Also, the cookie(s) themselves...can they in any way be
stolen via an XSS attack or another means? How are session IDs
generated? Etc, etc...

When we did our audit of the Neoteris I was able to successfully steal a
user's session cookie via an XSS in a particular CGI file...and once in
possession of the session cookie, that session can be trivially hijacked.

Most of these apps don't touch any backend databases, but for those that
do you can try SQL injection attacks... I would also see if you can do
path manipulation and try to break out of the web root, perhaps by
trying encoding techniques...

- Dave
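The cookie review Dave describes (session vs. persistent, what the value stores, whether script can read it, how the session ID is generated) is the kind of thing worth scripting once the response headers have been captured through a proxy. The following is an added example, not code from this thread or from any appliance vendor: the Set-Cookie headers, the cookie names SESSID/PREF/LANG and the session ID samples are all constructed stand-ins, and the entropy estimate is a coarse positional Shannon estimate intended to separate counter-derived IDs from random ones, not a rigorous measurement.

```python
import base64
import binascii
import math
import random
from collections import Counter

# Constructed sample: Set-Cookie headers as a hypothetical SSL VPN login
# response might emit them (not captured from any real appliance).
SAMPLE_SET_COOKIE_HEADERS = [
    # session cookie (no Expires), flagged Secure + HttpOnly
    "SESSID=3f9a2b7c1d4e5f60718293a4b5c6d7; Path=/; Secure; HttpOnly",
    # persistent cookie whose value is merely base64 of readable attributes
    "PREF=" + base64.b64encode(b"user=bob;role=user").decode("ascii")
    + "; Path=/; Expires=Wed, 03 Dec 2004 12:17:48 GMT",
    # preference cookie with no flags at all
    "LANG=en; Path=/",
]

# Constructed: what a counter-based generator might hand out (hex of 0x1000, 0x1001, ...)
SEQUENTIAL_IDS = [format(0x1000 + i, "030x") for i in range(8)]
# Constructed: seeded PRNG output standing in for IDs from a proper random generator
_rng = random.Random(20031203)
RANDOM_IDS = [format(_rng.getrandbits(120), "030x") for _ in range(8)]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def decode_if_readable(value):
    """Return the base64-decoded value when it is printable text, else None.

    A cookie that decodes to 'user=...;role=...' is carrying state that the
    client can rewrite, which is exactly the privilege question raised above.
    """
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def audit_cookie(header):
    """Classify one cookie and list the weaknesses a reviewer would note."""
    name, value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    findings = []
    if persistent:
        findings.append("persistent: written to disk, survives browser close")
    if "secure" not in attrs:
        findings.append("no Secure flag: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script, so an XSS can exfiltrate it")
    readable = decode_if_readable(value)
    if readable is not None:
        findings.append(f"value is base64 of client-readable data: {readable!r}")
    return {"name": name, "persistent": persistent, "findings": findings}


def estimate_entropy_bits(session_ids):
    """Coarse entropy estimate for observed session IDs: the sum over character
    positions of the Shannon entropy of the symbols seen at that position.

    Each position contributes at most log2(len(session_ids)) bits, so this is
    a floor that depends on sample size, not a true measure; it is enough to
    tell a counter-derived ID from a random one at a glance.
    """
    if not session_ids:
        return 0.0
    n = len(session_ids)
    width = min(len(s) for s in session_ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in session_ids)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE_HEADERS:
        report = audit_cookie(header)
        print(report["name"], "->", report["findings"] or ["no findings"])
    print("sequential IDs ~", round(estimate_entropy_bits(SEQUENTIAL_IDS), 1), "bits")
    print("random IDs     ~", round(estimate_entropy_bits(RANDOM_IDS), 1), "bits")
```

Run it against a handful of Set-Cookie headers and session IDs collected from your own test login sessions; the PREF cookie shows the "what data is stored in the cookie" case, and the sequential list shows why a generator that only varies the last digit has essentially no entropy regardless of how long the ID looks.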

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
Sent: Monday, December 01, 2003 3:53 PM
To: pen-test@securityfocus.com; cisspforum@yahoogroups.com
Subject: Pen testing SSL VPN appliances?

Hello all,

Has anyone done a technical pen-test on a SSL VPN concentrator recently?
If yes, what tools did you use and what facets of the device did you
look at? I am speaking of testing above and beyond such tools as
vulnerability assessment tools such as Nessus. For example, analyzing
the client-side applets, browser cache files, cookie hijacking,
weaknesses in authentication, etc.

I am not really interested in the policy and practices side of things in
this case, such as when and where to use the SSL VPN (e.g. not in a
Starbucks or Kinkos), logging out, etc.

FWIW, there is a pretty good basic whitepaper by Joseph Steinberg of
Whale Communications on this topic at
http://www.sans.org/rr/wp/SSL_VPN.pdf, but I was hoping for more along
the line of success stories along the lines of "I found this using this"
or device-specific problems that are not addressed by current code
releases.

Thanks,

Mark Lachniet




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT