1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
203 204<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Tools<br />
• Context Information Security: “Clickjacking Tool” - http://www.<br />
contextis.com/research/tools/clickjacking-tool/<br />
References<br />
OWASP Resources<br />
• Clickjacking<br />
Whitepapers<br />
• Marcus Niemietz: “UI Redressing: Attacks and Countermeasures<br />
Revisited” - http://ui-redressing.mniemietz.de/uiRedressing.pdf<br />
• “Clickjacking” - https://en.wikipedia.org/wiki/Clickjacking<br />
• Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson:<br />
“Busting Frame Busting: a Study of Clickjacking Vulnerabilities on<br />
Popular Sites” - http://seclab.stanford.edu/websec/framebusting/<br />
framebust.pdf<br />
• Paul Stone: “Next generation clickjacking” - https://media.blackhat.<br />
com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-<br />
Next-Generation-Clickjacking-slides.pdf<br />
Testing WebSockets (OTG-CLIENT-010)<br />
Summary<br />
Traditionally the HTTP protocol only allows one request/response<br />
per TCP connection. Asynchronous JavaScript and XML (AJAX) allows<br />
clients to send and receive data asynchronously (in the background<br />
without a page refresh) to the server, however, AJAX requires<br />
the client to initiate the requests and wait for the server responses<br />
(half-duplex).<br />
HTML5 WebSockets allow the client/server to create a ‘full-duplex’<br />
(two-way) communication channels, allowing the client and server<br />
to truly communicate asynchronously. WebSockets conduct their<br />
initial ‘upgrade’ handshake over HTTP and from then on all communication<br />
is carried out over TCP channels by use of frames.<br />
Origin<br />
It is the server’s responsibility to verify the Origin header in the initial<br />
HTTP WebSocket handshake. If the server does not validate the origin<br />
header in the initial WebSocket handshake, the WebSocket server<br />
may accept connections from any origin. This could allow attackers<br />
to communicate with the WebSocket server cross-domain allowing<br />
for Top 10 2013-A8-Cross-Site Request Forgery (CSRF) type issues.<br />
Confidentiality and Integrity<br />
WebSockets can be used over unencrypted TCP or over encrypted<br />
TLS. To use unencrypted WebSockets the ws:// URI scheme is used<br />
(default port 80), to use encrypted (TLS) WebSockets the wss:// URI<br />
scheme is used (default port 443). Look out for Top 10 2013-A6-Sensitive<br />
Data Exposure type issues.<br />
Authentication<br />
WebSockets do not handle authentication, instead normal application<br />
authentication mechanisms apply, such as cookies, HTTP Authentication<br />
or TLS authentication. Look out for Top 10 2013-A2-Broken<br />
Authentication and Session Management type issues.<br />
Authorization<br />
WebSockets do not handle authorization, normal application authorization<br />
mechanisms apply. Look out for Top 10 2013-A4-Insecure<br />
Direct Object References and Top 10 2013-A7-Missing Function<br />
Level Access Control type issues.<br />
Input Sanitization<br />
As with any data originating from untrusted sources, the data should<br />
be properly sanitised and encoded. Look out for Top 10 2013-A1-Injection<br />
and Top 10 2013-A3-Cross-Site Scripting (XSS) type issues.<br />
How to Test<br />
Black Box testing<br />
1. Identify that the application is using WebSockets.<br />
• Inspect the client-side source code for the ws:// or wss:// URI<br />
scheme.<br />
• Use Google Chrome’s Developer Tools to view the Network Web-<br />
Socket communication.<br />
• Use OWASP Zed Attack Proxy (ZAP)’s WebSocket tab.<br />
2. Origin.<br />
• Using a WebSocket client (one can be found in the Tools section<br />
below) attempt to connect to the remote WebSocket server. If a<br />
connection is established the server may not be checking the origin<br />
header of the WebSocket handshake.<br />
3. Confidentiality and Integrity.<br />
• Check that the WebSocket connection is using SSL to transport<br />
sensitive information (wss://).<br />
• Check the SSL Implementation for security issues (Valid Certificate,<br />
BEAST, CRIME, RC4, etc). Refer to the Testing for Weak SSL/TLS Ciphers,<br />
Insufficient Transport Layer Protection (OTG-CRYPST-001)<br />
section of this guide.<br />
4. Authentication.<br />
• WebSockets do not handle authentication, normal black-box authentication<br />
tests should be carried out. Refer to the Authentication<br />
Testing sections of this guide.<br />
5. Authorization.<br />
• WebSockets do not handle authorization, normal black-box authorization<br />
tests should be carried out. Refer to the Authorization Testing<br />
sections of this guide.<br />
6. Input Sanitization.<br />
• Use OWASP Zed Attack Proxy (ZAP)’s WebSocket tab to replay<br />
and fuzz WebSocket request and responses. Refer to the Testing for<br />
Data Validation sections of this guide.<br />
Example 1<br />
Once we have identified that the application is using WebSockets (as<br />
described above) we can use the OWASP Zed Attack Proxy (ZAP) to<br />
intercept the WebSocket request and responses. ZAP can then be<br />
used to replay and fuzz the WebSocket request/responses.<br />
Example 2<br />
Using a WebSocket client (one can be found in the Tools section below)<br />
attempt to connect to the remote WebSocket server. If the connection<br />
is allowed the WebSocket server may not be checking the<br />
WebSocket handshake’s origin header. Attempt to replay requests<br />
previously intercepted to verify that cross-domain WebSocket communication<br />
is possible.<br />
Gray Box testing<br />
Gray box testing is similar to black box testing. In gray box testing the<br />
pen-tester has partial knowledge of the application. The only difference<br />
here is that you may have API documentation for the application<br />
being tested which includes the expected WebSocket request<br />
and responses.<br />
Tools<br />
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.<br />
php/OWASP_Zed_Attack_Proxy_Project<br />
ZAP is an easy to use integrated penetration testing tool for finding<br />
vulnerabilities in web applications. It is designed to be used by people<br />
with a wide range of security experience and as such is ideal for developers<br />
and functional testers who are new to penetration testing.<br />
ZAP provides automated scanners as well as a set of tools that allow<br />
you to find security vulnerabilities manually.<br />
• WebSocket Client - https://github.com/RandomStorm/scripts/<br />
blob/master/WebSockets.html<br />
A WebSocket client that can be used to interact with a WebSocket<br />
server.<br />
• Google Chrome Simple WebSocket Client - https://chrome.google.<br />
com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo?hl=en<br />
Construct custom Web Socket requests and handle responses to directly<br />
test your Web Socket services.<br />
References<br />
Whitepapers<br />
• HTML5 Rocks - Introducing WebSockets: Bringing Sockets to<br />
the Web: http://www.html5rocks.com/en/tutorials/websockets/<br />
basics/<br />
• W3C - The WebSocket API: http://dev.w3.org/html5/websockets/<br />
• IETF - The WebSocket Protocol: https://tools.ietf.org/html/<br />
rfc6455<br />
• Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH):<br />
http://www.christian-schneider.net/CrossSiteWebSocketHijacking.<br />
html<br />
• Jussi-Pekka Erkkilä - WebSocket Security Analysis: http://juerkkil.<br />
iki.fi/files/writings/websocket2012.pdf<br />
• Robert Koch- On WebSockets in Penetration Testing: http://www.<br />
ub.tuwien.ac.at/dipl/2013/AC07815487.pdf<br />
• DigiNinja - OWASP ZAP and Web Sockets: http://www.digininja.<br />
org/blog/zap_web_sockets.php<br />
Test Web Messaging (OTG-CLIENT-011)<br />
Summary<br />
Web Messaging (also known as Cross Document Messaging) allows<br />
applications running on different domains to communicate in a secure<br />
manner. Before the introduction of web messaging the communication<br />
of different origins (between iframes, tabs and windows)<br />
was restricted by the same origin policy and enforced by the browser,<br />
however developers used multiple hacks in order to accomplish<br />
these tasks, most of them were mainly insecure.<br />
This restriction within the browser is in place to restrict a malicious<br />
website to read confidential data from other iframes, tabs, etc, however<br />
there are some legitimate cases where two trusted websites<br />
need to exchange data between each other. To meet this need Cross<br />
Document Messaging was introduced within he WHATWG HTML5<br />
draft specification and implemented in all major browsers. It enables<br />
secure communication between multiple origins across iframes,<br />
tabs and windows.<br />
The Messaging API introduced the postMessage() method, with<br />
which plain-text messages can be sent cross-origin. It consists of<br />
two parameters, message and domain.<br />
There are some security concerns when using ‘*’ as the domain that<br />
we discuss below. Then, in order to receive messages the receiving<br />
website needs to add a new event handler, and has the following attributes:<br />
• data: The content of the incoming message<br />
• origin: The origin of the sender document<br />
• source: source window<br />
An example:<br />
Send message:<br />
iframe1.contentWindow.postMessage(“Hello world”,”http:/<br />
www.example.com”);<br />
Receive message:<br />
window.addEventListener(“message”, handler, true);<br />
function handler(event) {<br />
if(event.origin === ‘chat.example.com’) {<br />
/* process message (event.data) */<br />
} else {<br />
/* ignore messages from untrusted domains */<br />
}<br />
}