1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
43 44<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Wappalyzer<br />
Website: http:/wappalyzer.com<br />
Wapplyzer is a Firefox Chrome plug-in. It works only on regular expression<br />
matching and doesn’t need anything other than the page to<br />
be loaded on browser. It works completely at the browser level and<br />
gives results in the form of icons. Although sometimes it has false<br />
positives, this is very handy to have notion of what technologies were<br />
used to construct a target website immediately after browsing a page.<br />
Sample output of a plug-in is presented on a screenshot below.<br />
References<br />
Whitepapers<br />
• Saumil Shah: “An Introduction to HTTP fingerprinting” - http:/www.<br />
net-square.com/httprint_paper.html<br />
• Anant Shrivastava : “Web Application Finger Printing” - http:/anantshri.info/articles/web_app_finger_printing.html<br />
Remediation<br />
The general advice is to use several of the tools described above and<br />
check logs to better understand what exactly helps an attacker to disclose<br />
the web framework. By performing multiple scans after changes<br />
have been made to hide framework tracks, it’s possible to achieve a<br />
better level of security and to make sure of the framework can not be<br />
detected by automatic scans. Below are some specific recommendations<br />
by framework marker location and some additional interesting<br />
approaches.<br />
HTTP headers<br />
Check the configuration and disable or obfuscate all HTTP-headers<br />
that disclose information the technologies used. Here is an interesting<br />
article about HTTP-headers obfuscation using Netscaler: http:/<br />
grahamhosking.blogspot.ru/2013/07/obfuscating-http-header-using-netscaler.html<br />
Cookies<br />
It is recommended to change cookie names by making changes in the<br />
corresponding configuration files.<br />
HTML source code<br />
Manually check the contents of the HTML code and remove everything<br />
that explicitly points to the framework.<br />
General guidelines:<br />
• Make sure there are no visual markers disclosing the framework<br />
• Remove any unnecessary comments (copyrights, bug information,<br />
specific framework comments)<br />
• Remove META and generator tags<br />
• Use the companies own css or js files and do not store those in a<br />
framework-specific folders<br />
• Do not use default scripts on the page or obfuscate them if they<br />
must be used.<br />
Specific files and folders<br />
General guidelines:<br />
• Remove any unnecessary or unused files on the server. This implies<br />
text files disclosing information about versions and installation too.<br />
• Restrict access to other files in order to achieve 404-response when<br />
accessing them from outside. This can be done, for example, by modifying<br />
htaccess file and adding RewriteCond or RewriteRule there. An<br />
example of such restriction for two common WordPress folders is presented<br />
below.<br />
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]<br />
RewriteCond %{REQUEST_URI} /wp-admin/$<br />
RewriteRule $ /http:/your_website [R=404,L]<br />
However, these are not the only ways to restrict access. In order to<br />
automate this process, certain framework-specific plugins exist. One<br />
example for WordPress is StealthLogin (http:/wordpress.org/plugins/<br />
stealth-login-page).<br />
Additional approaches<br />
General guidelines:<br />
[1] Checksum management<br />
The purpose of this approach is to beat checksum-based scanners<br />
and not let them disclose files by their hashes. Generally, there are two<br />
approaches in checksum management:<br />
• Change the location of where those files are placed (i.e. move them<br />
to another folder, or rename the existing folder)<br />
• Modify the contents - even slight modification results in a completely<br />
different hash sum, so adding a single byte in the end of the file<br />
should not be a big problem.<br />
[1] Controlled chaos<br />
A funny and effective method that involves adding bogus files and<br />
folders from other frameworks in order to fool scanners and confuse<br />
an attacker. But be careful not to overwrite existing files and folders<br />
and to break the current framework!<br />
Map Application Architecture (OTG-INFO-010)<br />
Summary<br />
The complexity of interconnected and heterogeneous web server infrastructure<br />
can include hundreds of web applications and makes configuration<br />
management and review a fundamental step in testing and<br />
deploying every single application. In fact it takes only a single vulnerability<br />
to undermine the security of the entire infrastructure, and even<br />
small and seemingly unimportant problems may evolve into severe<br />
risks for another application on the same server.<br />
To address these problems, it is of utmost importance to perform an<br />
in-depth review of configuration and known security issues. Before<br />
performing an in-depth review it is necessary to map the network and<br />
application architecture. The different elements that make up the infrastructure<br />
need to be determined to understand how they interact<br />
with a web application and how they affect security.<br />
How to Test<br />
Map the application architecture<br />
The application architecture needs to be mapped through some test<br />
to determine what different components are used to build the web<br />
application. In small setups, such as a simple CGI-based application, a<br />
single server might be used that runs the web server which executes<br />
the C, Perl, or Shell CGIs application, and perhaps also the authentication<br />
mechanism.<br />
On more complex setups, such as an online bank system, multiple<br />
servers might be involved. These may include a reverse proxy, a frontend<br />
web server, an application server and a database server or LDAP<br />
server. Each of these servers will be used for different purposes and<br />
might be even be divided in different networks with firewalls between<br />
them. This creates different DMZs so that access to the web server<br />
will not grant a remote user access to the authentication mechanism<br />
itself, and so that compromises of the different elements of the architecture<br />
can be isolated so that they will not compromise the whole<br />
architecture.<br />
Getting knowledge of the application architecture can be easy if this<br />
information is provided to the testing team by the application developers<br />
in document form or through interviews, but can also prove to<br />
be very difficult if doing a blind penetration test.<br />
In the latter case, a tester will first start with the assumption that<br />
there is a simple setup (a single server). Then they will retrieve information<br />
from other tests and derive the different elements, question<br />
this assumption and extend the architecture map. The tester will start<br />
by asking simple questions such as: “Is there a firewalling system protecting<br />
the web server?”. This question will be answered based on the<br />
results of network scans targeted at the web server and the analysis<br />
of whether the network ports of the web server are being filtered<br />
in the network edge (no answer or ICMP unreachables are received)<br />
or if the server is directly connected to the Internet (i.e. returns RST<br />
packets for all non-listening ports). This analysis can be enhanced to<br />
determine the type of firewall used based on network packet tests.<br />
Is it a stateful firewall or is it an access list filter on a router? How is it<br />
configured? Can it be bypassed?<br />
Detecting a reverse proxy in front of the web server needs to be done<br />
by the analysis of the web server banner, which might directly disclose<br />
the existence of a reverse proxy (for example, if ‘WebSEAL’[1] is returned).<br />
It can also be determined by obtaining the answers given by<br />
the web server to requests and comparing them to the expected answers.<br />
For example, some reverse proxies act as “intrusion prevention<br />
systems” (or web-shields) by blocking known attacks targeted at the<br />
web server. If the web server is known to answer with a 404 message<br />
to a request that targets an unavailable page and returns a different<br />
error message for some common web attacks like those done by CGI<br />
scanners, it might be an indication of a reverse proxy (or an application-level<br />
firewall) which is filtering the requests and returning a different<br />
error page than the one expected. Another example: if the web<br />
server returns a set of available HTTP methods (including TRACE) but<br />
the expected methods return errors then there is probably something<br />
in between blocking them.<br />
In some cases, even the protection system gives itself away:<br />
GET /web-console/ServerInfo.jsp%00 HTTP/1.0<br />
HTTP/1.0 200<br />
Pragma: no-cache<br />
Cache-Control: no-cache<br />
Content-Type: text/html<br />
Content-Length: 83<br />
Error<br />
<br />
Error<br />
FW-1 at XXXXXX: Access denied.<br />
Example of the security server of Check Point Firewall-1 NG AI “protecting”<br />
a web server<br />
Reverse proxies can also be introduced as proxy-caches to accelerate<br />
the performance of back-end application servers. Detecting these<br />
proxies can be done based on the server header. They can also be<br />
detected by timing requests that should be cached by the server and<br />
comparing the time taken to server the first request with subsequent<br />
requests.<br />
Another element that can be detected is network load balancers.<br />
Typically, these systems will balance a given TCP/IP port to multiple<br />
servers based on different algorithms (round-robin, web server load,<br />
number of requests, etc.). Thus, the detection of this architecture element<br />
needs to be done by examining multiple requests and comparing<br />
results to determine if the requests are going to the same or different<br />
web servers. For example, based on the Date header if the server<br />
clocks are not synchronized. In some cases, the network load balance<br />
process might inject new information in the headers that will make it<br />
stand out distinctively, like the AlteonP cookie introduced by Nortel’s<br />
Alteon WebSystems load balancer.<br />
Application web servers are usually easy to detect. The request for<br />
several resources is handled by the application server itself (not the<br />
web server) and the response header will vary significantly (including<br />
different or additional values in the answer header). Another way to<br />
detect these is to see if the web server tries to set cookies which are<br />
indicative of an application web server being used (such as the JSES-<br />
SIONID provided by some J2EE servers), or to rewrite URLs automatically<br />
to do session tracking.<br />
Authentication back ends (such as LDAP directories, relational databases,<br />
or RADIUS servers) however, are not as easy to detect from an<br />
external point of view in an immediate way, since they will be hidden<br />
by the application itself.<br />
The use of a back end database can be determined simply by navigating<br />
an application. If there is highly dynamic content generated “on the<br />
fly,” it is probably being extracted from some sort of database by the<br />
application itself. Sometimes the way information is requested might<br />
give insight to the existence of a database back-end. For example, an<br />
online shopping application that uses numeric identifiers (‘id’) when<br />
browsing the different articles in the shop. However, when doing a<br />
blind application test, knowledge of the underlying database is usually<br />
only available when a vulnerability surfaces in the application, such as<br />
poor exception handling or susceptibility to SQL injection.