Penetration tests you Don't know: Attack and Defense of application Virtualization (1)

Penetration tests you Don't know: Attack and Defense of application Virtualization (1)

Web penetration testing is familiar to everyone, but penetration testing for application virtualization may be rarely used by everyone, and there is no relevant information on the Internet. As a cutting-edge attack and defense team, this technical topic will introduce the related attack and defense technologies for the application of virtualization technology based on past project experience.

First, we will introduce what is application virtualization. In fact, application virtualization refers to the application/server computing A/S architecture, using technologies similar to virtual terminals, isolate the application's human-computer interaction logic (application interface, keyboard and mouse operations, etc.) from the computing logic. The server opens an independent session space for users, the computing logic of the application runs in this session space. The changed human-computer interaction logic is transmitted to the client and displayed on the corresponding device of the client. The common saying is "thin terminal ".

Currently, the mainstream manufacturers include Ctrix and VMWare. The following is an example of Ctrix application Virtualization:

Through this application virtualization technology, enterprises can improve the efficiency and efficiency of employees' office work. For office staff, they can achieve office anytime, anywhere, improving the convenience, it is a benefit of both parties. However, the more convenient it is, the higher its vulnerability is. In addition, most engineers do not have security experience when deploying this type of application virtualization products, many details of the security issues have not been paid much attention to, TRT encountered in the project process this type of system is basically easy to intrude into successfully.

Attack and Defense is a continuous process. In the process of penetration testing, we must know ourselves, know ourselves, and know each other. It is critical to understand the application system. Therefore, we need to briefly introduce the working mode of application virtualization, take the XenApp of Ctrix as an example:

The client accesses the CtrixWeb Interface and selects the application to be opened. For example, the Ctrix Web Interface calls the application server of the data center to open the application, and uses a special protocol, for example, Citrix ICA maps the applications opened by the application server to the user's client. All operations on an application are performed in the data center. You can use the application even if it is not installed.

The problem arises. Since the opened application is in the data center, it means that the user is directly operating the server in the data center. If the access control of the application is not complete, it means, attackers can exploit the lack of access control to access unauthorized resources and even directly control the server.