1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
23 24<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
4<br />
Web<br />
Testing: Introduction and objectives<br />
This section describes the OWASP web application security testing<br />
methodology and explains how to test for evidence of vulnerabilities<br />
within the application due to deficiencies with identified security<br />
controls.<br />
What is Web Application Security Testing?<br />
A security test is a method of evaluating the security of a computer<br />
system or network by methodically validating and verifying the<br />
effectiveness of application security controls. A web application<br />
security test focuses only on evaluating the security of a web application.<br />
The process involves an active analysis of the application<br />
for any weaknesses, technical flaws, or vulnerabilities. Any security<br />
issues that are found will be presented to the system owner, together<br />
with an assessment of the impact, a proposal for mitigation<br />
or a technical solution.<br />
What is a Vulnerability?<br />
A vulnerability is a flaw or weakness in a system’s design, implementation,<br />
operation or management that could be exploited to<br />
compromise the system’s security objectives.<br />
What is a Threat?<br />
A threat is anything (a malicious external attacker, an internal user,<br />
a system instability, etc) that may harm the assets owned by an<br />
application (resources of value, such as the data in a database or in<br />
the file system) by exploiting a vulnerability.<br />
What is a Test?<br />
A test is an action to demonstrate that an application meets the<br />
security requirements of its stakeholders.<br />
The Approach in Writing this Guide<br />
The OWASP approach is open and collaborative:<br />
• Open: every security expert can participate with his or her experience<br />
in the project. Everything is free.<br />
• Collaborative: brainstorming is performed before the articles are<br />
written so the team can share ideas and develop a collective vision<br />
of the project. That means rough consensus, a wider audience and<br />
increased participation.<br />
This approach tends to create a defined Testing Methodology that<br />
will be:<br />
• Consistent<br />
• Reproducible<br />
• Rigorous<br />
• Under quality control<br />
Application<br />
Security Testing<br />
The following sections describe the 12<br />
subcategories of the Web Application<br />
Penetration Testing Methodology:<br />
The problems to be addressed are fully documented and tested. It<br />
is important to use a method to test all known vulnerabilities and<br />
document all the security test activities.<br />
What is the OWASP testing methodology?<br />
Security testing will never be an exact science where a complete<br />
list of all possible issues that should be tested can be defined. Indeed,<br />
security testing is only an appropriate technique for testing<br />
the security of web applications under certain circumstances. The<br />
goal of this project is to collect all the possible testing techniques,<br />
explain these techniques, and keep the guide updated. The OWASP<br />
Web Application Security Testing method is based on the black box<br />
approach. The tester knows nothing or has very little information<br />
about the application to be tested.<br />
The testing model consists of:<br />
• Tester: Who performs the testing activities<br />
• Tools and methodology: The core of this Testing Guide project<br />
• Application: The black box to test<br />
The test is divided into 2 phases:<br />
• Phase 1 Passive mode:<br />
In the passive mode the tester tries to understand the application’s<br />
logic and plays with the application. Tools can be used for information<br />
gathering. For example, an HTTP proxy can be used to observe<br />
all the HTTP requests and responses. At the end of this phase, the<br />
tester should understand all the access points (gates) of the application<br />
(e.g., HTTP headers, parameters, and cookies). The Information<br />
Gathering section explains how to perform a passive mode test.<br />
For example the tester could find the following:<br />
https:/www.example.com/login/Authentic_Form.html<br />
This may indicate an authentication form where the application requests<br />
a username and a password.<br />
The following parameters represent two access points (gates) to<br />
the application:<br />
http:/www.example.com/Appx.jsp?a=1&b=1<br />
In this case, the application shows two gates (parameters a and<br />
b). All the gates found in this phase represent a point of testing. A<br />
spreadsheet with the directory tree of the application and all the<br />
access points would be useful for the second phase.<br />
• Phase 2 Active mode:<br />
In this phase the tester begins to test using the methodology described<br />
in the follow sections.<br />
The set of active tests have been split into 11 sub-categories for<br />
a total of 91 controls:<br />
• Information Gathering<br />
• Configuration and Deployment Management Testing<br />
• Identity Management Testing<br />
• Authentication Testing<br />
• Authorization Testing<br />
• Session Management Testing<br />
• Input Validation Testing<br />
• Error Handling<br />
• Cryptography<br />
• Business Logic Testing<br />
• Client Side Testing<br />
Testing for Information Gathering<br />
Understanding the deployed configuration of the server hosting<br />
the web application is almost as important as the application security<br />
testing itself. After all, an application chain is only as strong<br />
as its weakest link. App lication platforms are wide and varied,<br />
but some key platform configuration errors can compromise the<br />
application in the same way an unsecured application can compromise<br />
the server.<br />
Conduct search engine discovery/reconnaissance<br />
for information leakage (OTG-INFO-001)<br />
Summary<br />
There are direct and indirect elements to search engine discovery<br />
and reconnaissance. Direct methods relate to searching the<br />
indexes and the associated content from caches. Indirect methods<br />
relate to gleaning sensitive design and configuration information<br />
by searching forums, newsgroups, and tendering websites.<br />
Once a search engine robot has completed crawling, it commences<br />
indexing the web page based on tags and associated attributes,<br />
such as , in order to return the relevant search results [1].<br />
If the robots.txt file is not updated during the lifetime of the web<br />
site, and inline HTML meta tags that instruct robots not to index<br />
content have not been used, then it is possible for indexes to contain<br />
web content not intended to be included in by the owners.<br />
Website owners may use the previously mentioned robots.txt,<br />
HTML meta tags, authentication, and tools provided by search engines<br />
to remove such content.<br />
Test Objectives<br />
To understand what sensitive design and configuration information<br />
of the application/system/organization is exposed both directly<br />
(on the organization’s website) or indirectly (on a third party<br />
website).<br />
How to Test<br />
Use a search engine to search for:<br />
• Network diagrams and configurations<br />
• Archived posts and emails by administrators and other key staff<br />
• Log on procedures and username formats<br />
• Usernames and passwords<br />
• Error message content<br />
• Development, test, UAT and staging versions of the website<br />
Search operators<br />
Using the advanced “site:” search operator, it is possible to restrict<br />
search results to a specific domain [2]. Do not limit testing to just<br />
one search engine provider as they may generate different results<br />
depending on when they crawled content and their own algorithms.<br />
Consider using the following search engines:<br />
• Baidu<br />
• binsearch.info<br />
• Bing<br />
• Duck Duck Go<br />
• ixquick/Startpage<br />
• Google<br />
• Shodan<br />
• PunkSpider<br />
Duck Duck Go and ixquick/Startpage provide reduced information<br />
leakage about the tester.<br />
Google provides the Advanced “cache:” search operator [2], but<br />
this is the equivalent to clicking the “Cached” next to each Google<br />
Search Result. Hence, the use of the Advanced “site:” Search Operator<br />
and then clicking “Cached” is preferred.<br />
The Google SOAP Search API supports the doGetCachedPage and<br />
the associated doGetCachedPageResponse SOAP Messages [3]<br />
to assist with retrieving cached pages. An implementation of this<br />
is under development by the OWASP “Google Hacking” Project.<br />
PunkSpider is web application vulnerability search engine. It is of<br />
little use for a penetration tester doing manual work. However it<br />
can be useful as demonstration of easiness of finding vulnerabilities<br />
by script-kiddies.<br />
Example To find the web content of owasp.org indexed by a typical<br />
search engine, the syntax required is:<br />
site:owasp.org