1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
103 104<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Automated HTTP verb tampering testing<br />
If you are able to analyze your application via simple HTTP status<br />
codes (200 OK, 501 Error, etc) - then the following bash script will<br />
test all available HTTP methods.<br />
#!/bin/bash<br />
for webservmethod in GET POST PUT TRACE CONNECT OP-<br />
TIONS PROPFIND;<br />
do<br />
printf “$webservmethod “ ;<br />
printf “$webservmethod / HTTP/1.1\nHost: $1\n\n” | nc -q 1<br />
$1 80 | grep “HTTP/1.1”<br />
done<br />
Code copied verbatim from the Penetration Testing Lab blog [5]<br />
References<br />
Whitepapers<br />
• Arshan Dabirsiaghi: “Bypassing URL Authentication and Authorization<br />
with HTTP Verb Tampering” - http: /www.aspectsecurity.<br />
com/research-presentations/bypassing-vbaac-with-http-verbtampering<br />
Testing for HTTP Parameter pollution<br />
(OTG-INPVAL-004)<br />
Summary<br />
Supplying multiple HTTP parameters with the same name may<br />
cause an application to interpret values in unanticipated ways. By<br />
exploiting these effects, an attacker may be able to bypass input<br />
validation, trigger application errors or modify internal variables values.<br />
As HTTP Parameter Pollution (in short HPP) affects a building<br />
block of all web technologies, server and client side attacks exist.<br />
Current HTTP standards do not include guidance on how to interpret<br />
multiple input parameters with the same name. For instance, RFC<br />
3986 simply defines the term Query String as a series of field-value<br />
pairs and RFC 2396 defines classes of reversed and unreserved<br />
query string characters. Without a standard in place, web application<br />
components handle this edge case in a variety of ways (see the<br />
table below for details).<br />
By itself, this is not necessarily an indication of vulnerability. However,<br />
if the developer is not aware of the problem, the presence of<br />
duplicated parameters may produce an anomalous behavior in the<br />
application that can be potentially exploited by an attacker. As often<br />
in security, unexpected behaviors are a usual source of weaknesses<br />
that could lead to HTTP Parameter Pollution attacks in this case.<br />
To better introduce this class of vulnerabilities and the outcome of<br />
HPP attacks, it is interesting to analyze some real-life examples<br />
that have been discovered in the past.<br />
Input Validation and filters bypass<br />
In 2009, immediately after the publication of the first research on<br />
HTTP Parameter Pollution, the technique received attention from<br />
the security community as a possible way to bypass web application<br />
firewalls.<br />
One of these flaws, affecting ModSecurity SQL Injection Core Rules,<br />
represents a perfect example of the impedance mismatch between<br />
applications and filters. The ModSecurity filter would correctly<br />
blacklist the following string: select 1,2,3 from table, thus blocking<br />
this example URL from being processed by the web server: /index.<br />
aspx?page=select 1,2,3 from table. However, by exploiting the concatenation<br />
of multiple HTTP parameters, an attacker could cause<br />
the application server to concatenate the string after the ModSecurity<br />
filter already accepted the input. As an example, the URL /<br />
index.aspx?page=select 1&page=2,3 from table would not trigger<br />
the ModSecurity filter, yet the application layer would concatenate<br />
the input back into the full malicious string.<br />
Another HPP vulnerability turned out to affect Apple Cups, the<br />
well-known printing system used by many UNIX systems. Exploiting<br />
HPP, an attacker could easily trigger a Cross-Site Scripting<br />
vulnerability using the following URL: http: /127.0.0.1:631/admin<br />
/?kerberos=onmouseover=alert(1)&kerberos. The application validation<br />
checkpoint could be bypassed by adding an extra kerberos<br />
argument having a valid string (e.g. empty string). As the validation<br />
checkpoint would only consider the second occurrence, the first<br />
kerberos parameter was not properly sanitized before being used<br />
to generate dynamic HTML content. Successful exploitation would<br />
result in Javascript code execution under the context of the hosting<br />
web site.<br />
Authentication bypass<br />
An even more critical HPP vulnerability was discovered in Blogger,<br />
the popular blogging platform. The bug allowed malicious users to<br />
take ownership of the victim’s blog by using the following HTTP request:<br />
POST /add-authors.do HTTP/1.1<br />
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker<br />
email)&ok=Invite<br />
The flaw resided in the authentication mechanism used by the web<br />
application, as the security check was performed on the first blogID<br />
parameter, whereas the actual operation used the second occurrence.<br />
Expected Behavior by Application Server<br />
The following table illustrates how different web technologies behave<br />
in presence of multiple occurrences of the same HTTP parameter.<br />
Given the URL and querystring: http:/example.com/?color=red&color=blue<br />
Web Application Server Backend<br />
ASP.NET / IIS<br />
ASP / IIS<br />
PHP / Apache<br />
PHP / Zeus<br />
JSP, Servlet / Apache Tomcat<br />
JSP, Servlet / Oracle Application<br />
Server 10g<br />
JSP, Servlet / Jetty<br />
IBM Lotus Domino<br />
IBM HTTP Server<br />
mod_perl, libapreq2 / Apache<br />
Perl CGI / Apache<br />
mod_wsgi (Python) / Apache<br />
Python / Zope<br />
ASP<br />
All occurrences concatenated<br />
with a comma<br />
All occurrences concatenated<br />
with a comma<br />
Last occurrence only<br />
Last occurrence only<br />
First occurrence only<br />
First occurrence only<br />
First occurrence only<br />
Last occurrence only<br />
First occurrence only<br />
First occurrence only<br />
First occurrence only<br />
First occurrence only<br />
All occurrences in List data<br />
type<br />
(source: Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf )<br />
How to Test<br />
Luckily, because the assignment of HTTP parameters is typically handled<br />
via the web application server, and not the application code itself,<br />
testing the response to parameter pollution should be standard across<br />
all pages and actions. However, as in-depth business logic knowledge<br />
is necessary, testing HPP requires manual testing. Automatic tools<br />
can only partially assist auditors as they tend to generate too many<br />
false positives. In addition, HPP can manifest itself in client-side and<br />
server-side components.<br />
Server-side HPP<br />
To test for HPP vulnerabilities, identify any form or action that allows<br />
user-supplied input. Query string parameters in HTTP GET requests<br />
are easy to tweak in the navigation bar of the browser. If the form action<br />
submits data via POST, the tester will need to use an intercepting<br />
proxy to tamper with the POST data as it is sent to the server. Having<br />
identified a particular input parameter to test, one can edit the GET<br />
or POST data by intercepting the request, or change the query string<br />
after the response page loads. To test for HPP vulnerabilities simply<br />
append the same parameter to the GET or POST data but with a different<br />
value assigned.<br />
For example: if testing the search_string parameter in the query<br />
string, the request URL would include that parameter name and value.<br />
http:/example.com/?search_string=kittens<br />
JSP<br />
color=red,blue<br />
color=red,blue<br />
color=blue<br />
color=blue<br />
color=red<br />
color=red<br />
color=red<br />
color=blue<br />
color=red<br />
color=red<br />
color=red<br />
color=red<br />
color=[‘red’,’blue’]<br />
The particular parameter might be hidden among several other parameters,<br />
but the approach is the same; leave the other parameters in<br />
place and append the duplicate.<br />
http:/example.com/?mode=guest&search_string=kittens&num_results=100<br />
Append the same parameter with a different value<br />
http:/example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies<br />
and submit the new request.<br />
Analyze the response page to determine which value(s) were parsed.<br />
In the above example, the search results may show kittens, puppies,<br />
some combination of both (kittens,puppies or kittens~puppies or [‘kittens’,’puppies’]),<br />
may give an empty result, or error page.<br />
This behavior, whether using the first, last, or combination of input parameters<br />
with the same name, is very likely to be consistent across<br />
the entire application. Whether or not this default behavior reveals<br />
a potential vulnerability depends on the specific input validation and<br />
filtering specific to a particular application. As a general rule: if existing<br />
input validation and other security mechanisms are sufficient on<br />
single inputs, and if the server assigns only the first or last polluted<br />
parameters, then parameter pollution does not reveal a vulnerability. If<br />
the duplicate parameters are concatenated, different web application<br />
components use different occurrences or testing generates an error,<br />
there is an increased likelihood of being able to use parameter pollution<br />
to trigger security vulnerabilities.<br />
A more in-depth analysis would require three HTTP requests for each<br />
HTTP parameter:<br />
[1] Submit an HTTP request containing the standard parameter name<br />
and value, and record the HTTP response. E.g. page?par1=val1<br />
[2] Replace the parameter value with a tampered value, submit and<br />
record the HTTP response. E.g. page?par1=HPP_TEST1<br />
[3] Send a new request combining step (1) and (2). Again, save the<br />
HTTP response. E.g. page?par1=val1&par1=HPP_TEST1<br />
[4] Compare the responses obtained during all previous steps. If the<br />
response from (3) is different from (1) and the response from (3) is<br />
also different from (2), there is an impedance mismatch that may be<br />
eventually abused to trigger HPP vulnerabilities.<br />
Crafting a full exploit from a parameter pollution weakness is beyond<br />
the scope of this text. See the references for examples and details.<br />
Client-side HPP<br />
Similarly to server-side HPP, manual testing is the only reliable technique<br />
to audit web applications in order to detect parameter pollution<br />
vulnerabilities affecting client-side components. While in the server-side<br />
variant the attacker leverages a vulnerable web application to<br />
access protected data or perform actions that either not permitted or<br />
not supposed to be executed, client-side attacks aim at subverting client-side<br />
components and technologies.<br />
To test for HPP client-side vulnerabilities, identify any form or action<br />
that allows user input and shows a result of that input back to the<br />
user. A search page is ideal, but a login box might not work (as it might<br />
not show an invalid username back to the user).<br />
Similarly to server-side HPP, pollute each HTTP parameter with<br />
%26HPP_TEST and look for url-decoded occurrences of the user-sup-