1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
59 60<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Tools<br />
While the most thorough and accurate approach to completing<br />
this test is to conduct it manually, spidering tools [2] are also useful.<br />
Log on with each role in turn and spider the application (don’t<br />
forget to exclude the logout link from the spidering).<br />
References<br />
• Role Engineering for Enterprise Security Management, E Coyne<br />
& J Davis, 2007<br />
• Role engineering and RBAC standards<br />
Remediation<br />
Remediation of the issues can take the following forms:<br />
• Role Engineering<br />
• Mapping of business roles to system roles<br />
• Separation of Duties<br />
Test User Registration Process<br />
(OTG-IDENT-002)<br />
Summary<br />
Some websites offer a user registration process that automates<br />
(or semi-automates) the provisioning of system access to users.<br />
The identity requirements for access vary from positive identification<br />
to none at all, depending on the security requirements of<br />
the system. Many public applications completely automate the<br />
registration and provisioning process because the size of the user<br />
base makes it impossible to manage manually. However, many<br />
corporate applications will provision users manually, so this test<br />
case may not apply.<br />
Test objectives<br />
[1] Verify that the identity requirements for user registration are<br />
aligned with business and security requirements.<br />
[2] Validate the registration process.<br />
How to test<br />
Verify that the identity requirements for user registration are<br />
aligned with business and security requirements:<br />
[1] Can anyone register for access?<br />
[2] Are registrations vetted by a human prior to provisioning, or<br />
are they automatically granted if the criteria are met?<br />
[3] Can the same person or identity register multiple times?<br />
[4] Can users register for different roles or permissions?<br />
[5] What proof of identity is required for a registration to be successful?<br />
[6] Are registered identities verified?<br />
Validate the registration process:<br />
[1] Can identity information be easily forged or faked?<br />
[2] Can the exchange of identity information be manipulated<br />
during registration?<br />
Example<br />
In the WordPress example below, the only identification requirement<br />
is an email address that is accessible to the registrant.<br />
In contrast, in the Google example below the identification requirements<br />
include name, date of birth, country, mobile phone number,<br />
email address and CAPTCHA response. While only two of these can be<br />
verified (email address and mobile number), the identification requirements<br />
are stricter than WordPress.<br />
Tools<br />
A HTTP proxy can be a useful tool to test this control.<br />
References<br />
User Registration Design<br />
Remediation<br />
Implement identification and verification requirements that correspond<br />
to the security requirements of the information the credentials<br />
protect.<br />
Test Account Provisioning Process<br />
(OTG-IDENT-003)<br />
Summary<br />
The provisioning of accounts presents an opportunity for an attacker<br />
to create a valid account without application of the proper identification<br />
and authorization process.<br />
Test objectives<br />
Verify which accounts may provision other accounts and of what type.<br />
How to test<br />
Determine which roles are able to provision users and what sort of<br />
accounts they can provision.<br />
• Is there any verification, vetting and authorization of provisioning<br />
requests?<br />
• Is there any verification, vetting and authorization of de-provisioning<br />
requests?<br />
• Can an administrator provision other administrators or just users?<br />
• Can an administrator or other user provision accounts with privileges<br />
message similar to:<br />
Using WebScarab, notice the information retrieved from this unsucgreater<br />
than their own?<br />
• Can an administrator or user de-provision themselves?<br />
• How are the files or resources owned by the de-provisioned user<br />
managed? Are they deleted? Is access transferred?<br />
Example<br />
In WordPress, only a user’s name and email address are required to<br />
provision the user, as shown below:<br />
De-provisioning of users requires the administrator to select the users<br />
to be de-provisioned, select Delete from the dropdown menu (circled)<br />
and then applying this action. The administrator is then presented<br />
with a dialog box asking what to do with the user’s posts (delete or<br />
transfer them).<br />
Tools<br />
While the most thorough and accurate approach to completing this<br />
test is to conduct it manually, HTTP proxy tools could be also useful.<br />
Testing for Account Enumeration and Guessable<br />
User Account (OTG-IDENT-004)<br />
Summary<br />
The scope of this test is to verify if it is possible to collect a set of valid<br />
usernames by interacting with the authentication mechanism of the<br />
application. This test will be useful for brute force testing, in which the<br />
tester verifies if, given a valid username, it is possible to find the corresponding<br />
password.<br />
Often, web applications reveal when a username exists on system,<br />
either as a consequence of mis-configuration or as a design decision.<br />
For example, sometimes, when we submit wrong credentials, we receive<br />
a message that states that either the username is present on<br />
the system or the provided password is wrong. The information obtained<br />
can be used by an attacker to gain a list of users on system. This<br />
information can be used to attack the web application, for example,<br />
through a brute force or default username and password attack.<br />
The tester should interact with the authentication mechanism of the<br />
application to understand if sending particular requests causes the<br />
application to answer in different manners. This issue exists because<br />
the information released from web application or web server when<br />
the user provide a valid username is different than when they use an<br />
invalid one.<br />
In some cases, a message is received that reveals if the provided credentials<br />
are wrong because an invalid username or an invalid password<br />
was used. Sometimes, testers can enumerate the existing users<br />
by sending a username and an empty password.<br />
How to Test<br />
In black box testing, the tester knows nothing about the specific application,<br />
username, application logic, error messages on log in page, or<br />
password recovery facilities. If the application is vulnerable, the tester<br />
receives a response message that reveals, directly or indirectly, some<br />
information useful for enumerating users.<br />
HTTP Response message<br />
Testing for Valid user/right password<br />
Record the server answer when you submit a valid user ID and valid<br />
password.<br />
Result Expected:<br />
Using WebScarab, notice the information retrieved from this successful<br />
authentication (HTTP 200 Response, length of the response).<br />
Testing for valid user with wrong password<br />
Now, the tester should try to insert a valid user ID and a wrong password<br />
and record the error message generated by the application.<br />
Result Expected:<br />
The browser should display a message similar to the following one:<br />
or something like:<br />
against any message that reveals the existence of user, for instance,<br />
Login for User foo: invalid password