1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
71 72<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
The majority of pre-generated questions are fairly simplistic in nature<br />
and can lead to insecure answers. For example:<br />
• The answers may be known to family members or close friends of<br />
the user, e.g. “What is your mother’s maiden name?”, “What is your<br />
date of birth?”<br />
• The answers may be easily guessable, e.g. “What is your favorite color?”,<br />
“What is your favorite baseball team?”<br />
• The answers may be brute forcible, e.g. “What is the first name of<br />
your favorite high school teacher?” - the answer is probably on some<br />
easily downloadable lists of popular first names, and therefore a simple<br />
brute force attack can be scripted.<br />
• The answers may be publicly discoverable, e.g. “What is your favorite<br />
movie?” - the answer may easily be found on the user’s social media<br />
profile page.<br />
Self-generated questions:<br />
The problem with having users to generate their own questions is that<br />
it allows them to generate very insecure questions, or even bypass the<br />
whole point of having a security question in the first place. Here are<br />
some real world examples that illustrate this point:<br />
• “What is 1+1?”<br />
• “What is your username?”<br />
• “My password is M3@t$p1N”<br />
How to Test<br />
Testing for weak pre-generated questions:<br />
Try to obtain a list of security questions by creating a new account or<br />
by following the “I don’t remember my password”-process. Try to generate<br />
as many questions as possible to get a good idea of the type<br />
of security questions that are asked. If any of the security questions<br />
fall in the categories described above, they are vulnerable to being attacked<br />
(guessed, brute-forced, available on social media, etc.).<br />
Testing for weak self-generated questions:<br />
Try to create security questions by creating a new account or by configuring<br />
your existing account’s password recovery properties. If the<br />
system allows the user to generate their own security questions, it is<br />
vulnerable to having insecure questions created. If the system uses<br />
the self-generated security questions during the forgotten password<br />
functionality and if usernames can be enumerated (see Testing for Account<br />
Enumeration and Guessable User Account (OTG-IDENT-004)),<br />
then it should be easy for the tester to enumerate a number of<br />
self-generated questions. It should be expected to find several weak<br />
self-generated questions using this method.<br />
Testing for brute-forcible answers:<br />
Use the methods described in Testing for Weak lock out mechanism<br />
(OTG-AUTHN-003) to determine if a number of incorrectly supplied<br />
security answers trigger a lockout mechanism.<br />
The first thing to take into consideration when trying to exploit security<br />
questions is the number of questions that need to be answered.<br />
The majority of applications only need the user to answer a single<br />
question, whereas some critical applications may require the user to<br />
answer two or even more questions.<br />
The next step is to assess the strength of the security questions. Could<br />
the answers be obtained by a simple Google search or with social engineering<br />
attack? As a penetration tester, here is a step-by-step walkthrough<br />
of exploiting a security question scheme:<br />
[1] Does the application allow the end-user to choose the question<br />
that needs to be answered? If so, focus on questions which have:<br />
• A “public” answer; for example, something that could be find with a<br />
simple search-engine query.<br />
• A factual answer such as a “first school” or other facts which can be<br />
looked up.<br />
• Few possible answers, such as “what model was your first car”.<br />
These questions would present the attacker with a short list of possible<br />
answers, and based on statistics the attacker could rank answers<br />
from most to least likely.<br />
[2] Determine how many guesses you have if possible.<br />
• Does the password reset allow unlimited attempts?<br />
• Is there a lockout period after X incorrect answers? Keep in mind that<br />
a lockout system can be a security problem in itself, as it can be exploited<br />
by an attacker to launch a Denial of Service against legitimate<br />
users.<br />
[3] Pick the appropriate question based on analysis from the above<br />
points, and do research to determine the most likely answers.<br />
The key to successfully exploiting and bypassing a weak security<br />
question scheme is to find a question or set of questions which give<br />
the possibility of easily finding the answers. Always look for questions<br />
which can give you the greatest statistical chance of guessing the correct<br />
answer, if you are completely unsure of any of the answers. In<br />
the end, a security question scheme is only as strong as the weakest<br />
question.<br />
References<br />
The Curse of the Secret Question<br />
Testing for weak password change or reset<br />
functionalities (OTG-AUTHN-009)<br />
Summary<br />
The password change and reset function of an application is a self-service<br />
password change or reset mechanism for users. This self-service<br />
mechanism allows users to quickly change or reset their password<br />
without an administrator intervening. When passwords are changed<br />
they are typically changed within the application. When passwords are<br />
reset they are either rendered within the application or emailed to the<br />
user. This may indicate that the passwords are stored in plain text or<br />
in a decryptable format.<br />
Test objectives<br />
[1] Determine the resistance of the application to subversion of the<br />
account change process allowing someone to change the password<br />
of an account.<br />
[2] Determine the resistance of the passwords reset functionality<br />
against guessing or bypassing.<br />
How to Test<br />
For both password change and password reset it is important to check:<br />
[1] if users, other than administrators, can change or reset passwords<br />
for accounts other than their own.<br />
[2] if users can manipulate or subvert the password change or reset<br />
process to change or reset the password of another user or administrator.<br />
[3] if the password change or reset process is vulnerable to CSRF.<br />
Test Password Reset<br />
In addition to the previous checks it is important to verify the following:<br />
• What information is required to reset the password?<br />
The first step is to check whether secret questions are required.<br />
Sending the password (or a password reset link) to the user email<br />
address without first asking for a secret question means relying<br />
100% on the security of that email address, which is not suitable if<br />
the application needs a high level of security.<br />
On the other hand, if secret questions are used, the next step is to<br />
assess their strength. This specific test is discussed in detail in the<br />
Testing for Weak security question/answer paragraph of this guide.<br />
• How are reset passwords communicated to the user?<br />
The most insecure scenario here is if the password reset tool shows<br />
you the password; this gives the attacker the ability to log into the<br />
account, and unless the application provides information about the<br />
last log in the victim would not know that their account has been<br />
compromised.<br />
A less insecure scenario is if the password reset tool forces the user<br />
to immediately change their password. While not as stealthy as the<br />
first case, it allows the attacker to gain access and locks the real<br />
user out.<br />
The best security is achieved if the password reset is done via an<br />
email to the address the user initially registered with, or some other<br />
email address; this forces the attacker to not only guess at which<br />
email account the password reset was sent to (unless the application<br />
show this information) but also to compromise that email account<br />
in order to obtain the temporary password or the password<br />
reset link.<br />
• Are reset passwords generated randomly?<br />
The most insecure scenario here is if the application sends or visualizes<br />
the old password in clear text because this means that passwords<br />
are not stored in a hashed form, which is a security issue in itself.<br />
The best security is achieved if passwords are randomly generated<br />
with a secure algorithm that cannot be derived.<br />
• Is the reset password functionality requesting confirmation before<br />
changing the password?<br />
To limit denial-of-service attacks the application should email a link<br />
to the user with a random token, and only if the user visits the link<br />
then the reset procedure is completed. This ensures that the current<br />
password will still be valid until the reset has been confirmed.<br />
Test Password Change<br />
In addition to the previous test it is important to verify:<br />
• Is the old password requested to complete the change?<br />
The most insecure scenario here is if the application permits the<br />
change of the password without requesting the current password.<br />
Indeed if an attacker is able to take control of a valid session they<br />
could easily change the victim’s password.<br />
See also Testing for Weak password policy paragraph of this guide.<br />
References<br />
• OWASP Forgot Password Cheat Sheet<br />
• OWASP Periodic Table of Vulnerabilities - Insufficient Password<br />
Recovery<br />
Remediation<br />
The password change or reset function is a sensitive function and<br />
requires some form of protection, such as requiring users to re-authenticate<br />
or presenting the user with confirmation screens during<br />
the process.<br />
Testing for Weaker authentication in alternative<br />
channel (OTG-AUTHN-010)<br />
Summary<br />
Even if the primary authentication mechanisms do not include any<br />
vulnerabilities, it may be that vulnerabilities exist in alternative legitimate<br />
authentication user channels for the same user accounts.<br />
Tests should be undertaken to identify alternative channels and,<br />
subject to test scoping, identify vulnerabilities.<br />
The alternative user interaction channels could be utilized to circumvent<br />
the primary channel, or expose information that can then<br />
be used to assist an attack against the primary channel. Some of<br />
these channels may themselves be separate web applications using<br />
different host names or paths. For example:<br />
• Standard website<br />
• Mobile, or specific device, optimized website<br />
• Accessibility optimized website<br />
• Alternative country and language websites<br />
• Parallel websites that utilize the same user accounts (e.g. another<br />
website offering different functionally of the same organization, a<br />
partner website with which user accounts are shared)<br />
• Development, test, UAT and staging versions of the standard<br />
website<br />
But they could also be other types of application or business processes:<br />
• Mobile device app<br />
• Desktop application<br />
• Call center operators<br />
• Interactive voice response or phone tree systems<br />
Note that the focus of this test is on alternative channels; some<br />
authentication alternatives might appear as different content delivered<br />
via the same website and would almost certainly be in scope<br />
for testing. These are not discussed further here, and should have<br />
been identified during information gathering and primary authentication<br />
testing. For example:<br />
• Progressive enrichment and graceful degradation that change<br />
functionality<br />
• Site use without cookies<br />
• Site use without JavaScript<br />
• Site use without plugins such as for Flash and Java<br />
Even if the scope of the test does not allow the alternative channels<br />
to be tested, their existence should be documented. These may undermine<br />
the degree of assurance in the authentication mechanisms<br />
and may be a precursor to additional testing.<br />
Example