1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
67 68<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
See the OWASP article on Brute Force Attacks.<br />
Remediation<br />
Apply account unlock mechanisms depending on the risk level. In order<br />
from lowest to highest assurance:<br />
[1] Time-based lockout and unlock.<br />
[2] Self-service unlock (sends unlock email to registered email address).<br />
[3] Manual administrator unlock.<br />
[4] Manual administrator unlock with positive user identification.<br />
Parameter Modification<br />
and gain unauthorized access to the application, impersonating a<br />
previously authenticated user.<br />
In the following figure, values inside cookies increase linearly, so it<br />
could be easy for an attacker to guess a valid session ID.<br />
n the following figure, values inside cookies change only partially,<br />
it is sometimes possible to bypass the authentication form.<br />
Gray Box Testing<br />
Testing for Bypassing Authentication Schema<br />
(OTG-AUTHN-004)<br />
Summary<br />
While most applications require authentication to gain access to private<br />
information or to execute tasks, not every authentication method<br />
is able to provide adequate security. Negligence, ignorance, or simple<br />
understatement of security threats often result in authentication<br />
schemes that can be bypassed by simply skipping the log in page and<br />
directly calling an internal page that is supposed to be accessed only<br />
after authentication has been performed.<br />
In addition, it is often possible to bypass authentication measures by<br />
tampering with requests and tricking the application into thinking that<br />
the user is already authenticated. This can be accomplished either by<br />
modifying the given URL parameter, by manipulating the form, or by<br />
counterfeiting sessions.<br />
Problems related to the authentication schema can be found at different<br />
stages of the software development life cycle (SDLC), like the<br />
design, development, and deployment phases:<br />
Another problem related to authentication design is when the application<br />
verifies a successful log in on the basis of a fixed value parameters.<br />
A user could modify these parameters to gain access to the<br />
protected areas without providing valid credentials. In the example<br />
below, the “authenticated” parameter is changed to a value of “yes”,<br />
which allows the user to gain access. In this example, the parameter<br />
is in the URL, but a proxy could also be used to modify the parameter,<br />
especially when the parameters are sent as form elements in a POST<br />
request or when the parameters are stored in a cookie.<br />
Session ID Prediction<br />
http:/www.site.com/page.asp?authenticated=no<br />
raven@blackbox /home $nc www.site.com 80<br />
GET /page.asp?authenticated=yes HTTP/1.0<br />
so it’s possible to restrict a brute force attack to the defined fields<br />
shown below.<br />
SQL Injection (HTML Form Authentication)<br />
If an attacker has been able to retrieve the application source code<br />
by exploiting a previously discovered vulnerability (e.g., directory<br />
traversal), or from a web repository (Open Source Applications),<br />
it could be possible to perform refined attacks against the<br />
implementation of the authentication process.<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass<br />
Vulnerability), at line 5 the unserialize() function parses a user<br />
supplied cookie and sets values inside the $row array. At line 10 the<br />
user’s MD5 password hash stored inside the back end database is<br />
compared to the one supplied.<br />
In PHP, a comparison between a string value and a boolean value (1<br />
• In the design phase errors can include a wrong definition of application<br />
sections to be protected, the choice of not applying strong encryption<br />
protocols for securing the transmission of credentials, and<br />
many more.<br />
• In the development phase errors can include the incorrect implementation<br />
of input validation functionality or not following the security<br />
best practices for the specific language.<br />
• In the application deployment phase, there may be issues during the<br />
application setup (installation and configuration activities) due to a lack<br />
in required technical skills or due to the lack of good documentation.<br />
How to Test<br />
Black Box testing<br />
There are several methods of bypassing the authentication schema<br />
that is used by a web application:<br />
• Direct page request (forced browsing)<br />
• Parameter modification<br />
• Session ID prediction<br />
• SQL injection<br />
HTTP/1.1 200 OK<br />
Date: Sat, 11 Nov 2006 10:22:44 GMT<br />
Server: Apache<br />
Connection: close<br />
Content-Type: text/html; charset=iso-8859-1<br />
<br />
<br />
<br />
You Are Authenticated<br />
<br />
SQL Injection is a widely known attack technique. This section is<br />
not going to describe this technique in detail as there are several<br />
sections in this guide that explain injection techniques beyond the<br />
scope of this section.<br />
The following figure shows that with a simple SQL injection attack,<br />
1. if ( isset($HTTP_COOKIE_VARS[$cookiename . ‘_sid’]) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename<br />
. ‘_data’] ) ?<br />
4.<br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename<br />
. ‘_data’])) : array();<br />
6.<br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9.<br />
10. if( md5($password) == $row[‘user_password’] &&<br />
$row[‘user_active’] )<br />
11.<br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS[‘autologin’]) ) ?<br />
TRUE : 0;<br />
14. }<br />
Direct page request<br />
If a web application implements access control only on the log in page,<br />
the authentication schema could be bypassed. For example, if a user<br />
directly requests a different page via forced browsing, that page may<br />
not check the credentials of the user before granting access. Attempt<br />
to directly access a protected page through the address bar in your<br />
browser to test using this method.<br />
Many web applications manage authentication by using session<br />
identifiers (session IDs). Therefore, if session ID generation is<br />
predictable, a malicious user could be able to find a valid session ID<br />
- “TRUE”) is always “TRUE”, so by supplying the following string (the<br />
important part is “b:1”) to the unserialize() function, it is possible to<br />
bypass the authentication control:<br />
Tools