
Penetration Testing mailing list archives

RE: Pen testing SSL VPN appliances?
From: "Palumbo, Dave" <Dave.Palumbo () factiva com>
Date: Wed, 3 Dec 2003 12:17:48 -0500

Well, most of these at their core are web applications that do SSL port
forwarding...So any standard web application security auditing tools and
techniques are relevant...Commercial tools like SpiDynamics Web Inspect,
Sanctum, etc...and of course things like netcat and your favorite client
side web proxy [Webscarab from www.owasp.org is making great strides]
are invaluable.  As you may know, most of the SSL VPNs run on top of an
enterprise web server platform like Apache...so even standard
vulnerability assessment tools like Nessus may provide some value.

Yeah, I would investigate cookies for sure....does the application write
a session cookie only, or persistent?  If persistent, what data is
stored in the cookie?  Can this somehow be manipulated to elevate
privilege?  Also, the cookie(s) themselves...can they in any way be
stolen via an XSS attack or another means?  How are Session IDs
generated?  Etc, etc...

When we did our audit of the Neoteris I was able to successfully steal a
user's session cookie via an XSS in a particular CGI file...and once in
possession of the session cookie, that session can be trivially hijacked.

Most of these apps don't touch any backend databases, but for those that
do you can try SQL injection attacks...  I would also see if you can do
path manipulation and try to break out of the web root, perhaps by
trying encoding techniques...

- Dave

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com] 
Sent: Monday, December 01, 2003 3:53 PM
To: pen-test () securityfocus com; cisspforum () yahoogroups com
Subject: Pen testing SSL VPN appliances?

Hello all,

Has anyone done a technical pen-test on an SSL VPN concentrator recently?
If yes, what tools did you use and what facets of the device did you
look at?  I am speaking of testing above and beyond such tools as
vulnerability assessment tools such as Nessus.  For example, analyzing
the client-side applets, browser cache files, cookie hijacking,
weaknesses in authentication, etc.

I am not really interested in the policy and practices side of things in
this case, such as when and where to use the SSL VPN (e.g. not in a
Starbucks or Kinkos), logging out, etc.

FWIW, there is a pretty good basic whitepaper by Joseph Steinberg of
Whale Communications on this topic at
http://www.sans.org/rr/wp/SSL_VPN.pdf, but I was hoping for more along
the line of success stories along the lines of "I found this using this"
or device-specific problems that are not addressed by current code


Mark Lachniet
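Dave's reply above recommends checking whether the appliance sets a session or a persistent cookie, what data a persistent cookie stores, and how session IDs are generated. The script below is an added example written for this archive page; it is not code from either poster or from any vendor. It runs those checks against constructed Set-Cookie headers (the cookie names, values and the appliance they supposedly come from are invented) and flags persistent lifetime, missing Secure or HttpOnly attributes, values that decode to readable client-side state, and short or low-entropy tokens.

```python
import base64
import binascii
import math
import string
from collections import Counter

# Constructed sample Set-Cookie headers, as a login response from a
# hypothetical appliance might return them (not captured from any product).
SAMPLE_HEADERS = [
    "Set-Cookie: SESSID=8f2c1a9d7e3b4c5f6a1b2c3d4e5f6071; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=" + base64.b64encode(b"user=alice;role=user").decode()
    + "; Expires=Wed, 03 Dec 2004 12:17:48 GMT; Path=/",
    "Set-Cookie: track=1001; Max-Age=31536000; Path=/",
]


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header line.
    Attribute names are lowercased; flag attributes map to ''."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def shannon_entropy(text):
    """Bits of entropy per character, estimated from the value itself."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_readable(value):
    """If the value is base64 for printable ASCII, return that text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None


def audit_cookie(header):
    """Classify one cookie the way a reviewer would: lifetime, transport and
    script protections, and whether the value is state or an opaque token."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    persistent = "expires" in attrs or "max-age" in attrs
    if persistent:
        findings.append("persistent: written to disk and survives browser close")
    if "secure" not in attrs:
        findings.append("missing Secure: browser may send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script, so any XSS exposes it")

    decoded = None
    if value.isdigit():
        findings.append("value is a plain integer: likely sequential and guessable")
    elif all(ch in string.hexdigits for ch in value):
        pass  # opaque hex token; judged on length and entropy below
    else:
        decoded = decode_readable(value)
        if decoded is not None:
            findings.append(f"value decodes to {decoded!r}: client-held state, "
                            "verify the server does not trust it")

    entropy = shannon_entropy(value)
    if len(value) < 16 or entropy < 3.0:
        findings.append(f"weak token: {len(value)} chars at {entropy:.2f} bits/char")
    return {"name": name, "persistent": persistent, "decoded": decoded,
            "entropy": round(entropy, 2), "findings": findings}


def audit_headers(headers):
    """Audit every Set-Cookie line in a list of raw response header lines."""
    return [audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(result["name"], "persistent" if result["persistent"] else "session")
        for finding in result["findings"]:
            print("  -", finding)
```

The per-character entropy is only a rough screen: it catches short or repetitive IDs but says nothing about whether a long-looking token is derived from a predictable seed, which needs many samples collected over time rather than a single header.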

