1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
63 64<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
an Encrypted Channel (OTG-AUTHN-001)<br />
Summary<br />
Testing for credentials transport means verifying that the user’s<br />
authentication data are transferred via an encrypted channel to<br />
avoid being intercepted by malicious users. The analysis focuses<br />
simply on trying to understand if the data travels unencrypted<br />
from the web browser to the server, or if the web application takes<br />
the appropriate security measures using a protocol like HTTPS.<br />
The HTTPS protocol is built on TLS/SSL to encrypt the data that<br />
is transmitted and to ensure that user is being sent towards the<br />
desired site.<br />
Clearly, the fact that traffic is encrypted does not necessarily<br />
mean that it’s completely safe. The security also depends on the<br />
encryption algorithm used and the robustness of the keys that the<br />
application is using, but this particular topic will not be addressed<br />
in this section.<br />
For a more detailed discussion on testing the safety of TLS/SSL<br />
channels refer to the chapter Testing for Weak SSL/TLS. Here, the<br />
tester will just try to understand if the data that users put in to<br />
web forms in order to log in to a web site, are transmitted using<br />
secure protocols that protect them from an attacker.<br />
Nowadays, the most common example of this issue is the log in<br />
page of a web application. The tester should verify that user’s<br />
credentials are transmitted via an encrypted channel. In order to<br />
log in to a web site, the user usually has to fill a simple form that<br />
transmits the inserted data to the web application with the POST<br />
method. What is less obvious is that this data can be passed using<br />
the HTTP protocol, which transmits the data in a non-secure, clear<br />
text form, or using the HTTPS protocol, which encrypts the data<br />
during the transmission. To further complicate things, there is the<br />
possibility that the site has the login page accessible via HTTP<br />
(making us believe that the transmission is insecure), but then it<br />
actually sends data via HTTPS. This test is done to be sure that an<br />
attacker cannot retrieve sensitive information by simply sniffing<br />
the network with a sniffer tool.<br />
How to Test<br />
Black Box testing<br />
In the following examples we will use WebScarab in order to capture<br />
packet headers and to inspect them. You can use any web<br />
proxy that you prefer.<br />
Example 1: Sending data with POST method through HTTP<br />
Suppose that the login page presents a form with fields User,<br />
Pass, and the Submit button to authenticate and give access to<br />
the application. If we look at the headers of our request with Web-<br />
Scarab, we can get something like this:<br />
From this example the tester can understand that the POST request<br />
POST http:/www.example.com/AuthenticationServlet<br />
HTTP/1.1<br />
Host: www.example.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;<br />
rv:1.8.1.14) Gecko/20080404<br />
Accept: text/xml,application/xml,application/xhtml+xml<br />
POST http:/www.example.com/AuthenticationServlet<br />
HTTP/1.1<br />
Host: www.example.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;<br />
rv:1.8.1.14) Gecko/20080404<br />
Accept: text/xml,application/xml,application/xhtml+xml<br />
sends the data to the page www.example.com/AuthenticationServlet<br />
using HTTP. Sothe data is transmitted without encryption and a<br />
malicious user could intercept the username and password by simply<br />
sniffing the network with a tool like Wireshark.<br />
Example 2: Sending data with POST method through HTTPS<br />
Suppose that our web application uses the HTTPS protocol to encrypt<br />
the data we are sending (or at least for transmitting sensitive<br />
data like credentials). In this case, when logging on to the web application<br />
the header of our POST request would be similar to the following:<br />
We can see that the request is addressed to www.example.<br />
POST https:/www.example.com:443/cgi-bin/login.cgi<br />
HTTP/1.1<br />
Host: www.example.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;<br />
rv:1.8.1.14) Gecko/20080404<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/<br />
html<br />
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3<br />
Accept-Encoding: gzip,deflate<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Connection: keep-alive<br />
Referer: https:/www.example.com/cgi-bin/login.cgi<br />
Cookie: language=English;<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-length: 50<br />
Command=Login&User=test&Pass=test<br />
com:443/cgi-bin/login.cgi using the HTTPS protocol. This ensures<br />
that our credentials are sent using an encrypted channel and that<br />
the credentials are not readable by a malicious user using a sniffer.<br />
Example 3: sending data with POST method via HTTPS on a page<br />
reachable via HTTP<br />
Now, imagine having a web page reachable via HTTP and that only<br />
data sent from the authentication form are transmitted via HTTPS.<br />
This situation occurs, for example, when we are on a portal of a big<br />
company that offers various information and services that are publicly<br />
available, without identification, but the site also has a private<br />
section accessible from the home page when users log in. So when<br />
we try to log in, the header of our request will look like the following<br />
example:<br />
We can see that our request is addressed to www.example.com:443/<br />
login.do using HTTPS. But if we have a look at the Referer-header<br />
(the page from which we came), it is www.example.com/homepage.<br />
do and is accessible via simple HTTP. Although we are sending data<br />
via HTTPS, this deployment can allow SSLStrip attacks (a type of<br />
Man-in-the-middle attack)<br />
Example 4: Sending data with GET method through HTTPS<br />
In this last example, suppose that the application transfers data using<br />
the GET method. This method should never be used in a form that<br />
transmits sensitive data such as username and password, because<br />
the data is displayed in clear text in the URL and this causes a whole<br />
set of security issues. For example, the URL that is requested is easily<br />
available from the server logs or from your browser history, which<br />
makes your sensitive data retrievable for unauthorized persons. So<br />
this example is purely demonstrative, but, in reality, it is strongly<br />
suggested to use the POST method instead.<br />
You can see that the data is transferred in clear text in the URL and<br />
not in the body of the request as before. But we must consider that<br />
GET https:/www.example.com/success.html?user=test&-<br />
pass=test HTTP/1.1<br />
Host: www.example.com<br />
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;<br />
rv:1.8.1.14) Gecko/20080404<br />
Accept: text/xml,application/xml,application/xhtml+xml,text/html<br />
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3<br />
Accept-Encoding: gzip,deflate<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br />
Keep-Alive: 300<br />
Connection: keep-alive<br />
Referer: https:/www.example.com/form.html<br />
If-Modified-Since: Mon, 30 Jun 2008 07:55:11 GMT<br />
If-None-Match: “43a01-5b-4868915f”<br />
SSL/TLS is a level 5 protocol, a lower level than HTTP, so the whole<br />
HTTP packet is still encrypted making the URL unreadable to a malicious<br />
user using a sniffer. Nevertheless as stated before, it is not<br />
a good practice to use the GET method to send sensitive data to a<br />
web application, because the information contained in the URL can<br />
be stored in many locations such as proxy and web server logs.<br />
Gray Box testing<br />
Speak with the developers of the web application and try to understand<br />
if they are aware of the differences between HTTP and HTTPS<br />
protocols and why they should use HTTPS for transmitting sensitive<br />
information. Then, check with them if HTTPS is used in every sensitive<br />
request, like those in log in pages, to prevent unauthorized users<br />
to intercept the data.<br />
Tools<br />
• WebScarab<br />
• OWASP Zed Attack Proxy (ZAP)<br />
References<br />
Whitepapers<br />
• HTTP/1.1: Security Considerations - http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html<br />
• SSL is not about encryption<br />
Testing for default credentials (OTG-AUTHN-002)<br />
Summary<br />
Nowadays web applications often make use of popular open source<br />
or commercial software that can be installed on servers with minimal<br />
configuration or customization by the server administrator. Moreover,<br />
a lot of hardware appliances (i.e. network routers and database servers)<br />
offer web-based configuration or administrative interfaces.<br />
Often these applications, once installed, are not properly configured<br />
and the default credentials provided for initial authentication and configuration<br />
are never changed. These default credentials are well known<br />
by penetration testers and, unfortunately, also by malicious attackers,<br />
who can use them to gain access to various types of applications.<br />
Furthermore, in many situations, when a new account is created on an<br />
application, a default password (with some standard characteristics) is<br />
generated. If this password is predictable and the user does not change<br />
it on the first access, this can lead to an attacker gaining unauthorized<br />
access to the application.<br />
The root cause of this problem can be identified as:<br />
• Inexperienced IT personnel, who are unaware of the importance of<br />
changing default passwords on installed infrastructure components,<br />
or leave the password as default for “ease of maintenance”.<br />
• Programmers who leave back doors to easily access and test their<br />
application and later forget to remove them.<br />
• Applications with built-in non-removable default accounts with a<br />
preset username and password.<br />
• Applications that do not force the user to change the default<br />
credentials after the first log in.<br />
How to Test<br />
Testing for default credentials of common applications<br />
In black box testing the tester knows nothing about the application and<br />
its underlying infrastructure. In reality this is often not true, and some<br />
information about the application is known. We suppose that you have<br />
identified, through the use of the techniques described in this Testing<br />
Guide under the chapter Information Gathering, at least one or more<br />
common applications that may contain accessible administrative interfaces.<br />
When you have identified an application interface, for example a Cisco<br />
router web interface or a Weblogic administrator portal, check that the<br />
known usernames and passwords for these devices do not result in<br />
successful authentication. To do this you can consult the manufacturer’s<br />
documentation or, in a much simpler way, you can find common<br />
credentials using a search engine or by using one of the sites or tools<br />
listed in the Reference section.<br />
When facing applications where we do not have a list of default and<br />
common user accounts (for example due to the fact that the application<br />
is not wide spread) we can attempt to guess valid default credentials.<br />
Note that the application being tested may have an account<br />
lockout policy enabled, and multiple password guess attempts with a<br />
known username may cause the account to be locked. If it is possible to<br />
lock the administrator account, it may be troublesome for the system<br />
administrator to reset it.<br />
Many applications have verbose error messages that inform the site<br />
users as to the validity of entered usernames. This information will be<br />
helpful when testing for default or guessable user accounts. Such functionality<br />
can be found, for example, on the log in page, password reset<br />
and forgotten password page, and sign up page. Once you have found<br />
a default username you could also start guessing passwords for this<br />
account.