1BO4r2U

Recommendations

Info

129 130 Web Application Penetration Testing Web Application Penetration Testing https: /media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf • Bryan Sullivan from Adobe: “NoSQL, But Even Less Security” - http: /blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even- Less-Security.pdf • Erlend from Bekk Consulting: “[Security] NOSQL-injection” - http: /erlend.oftedal.no/blog/?blogid=110 • Felipe Aragon from Syhunt: “NoSQL/SSJS Injection” - http: / www.syhunt.com/?n=Articles.NoSQLInjection • MongoDB Documentation: “How does MongoDB address SQL or Query injection?” - http: /docs.mongodb.org/manual/faq/developers/#how-does-mongodb-address-sql-or-query-injection • PHP Documentation: “MongoCollection::find” - http: /php.net/ manual/en/mongocollection.find.php • “Hacking NodeJS and MongoDB” - http: /blog.websecurify. com/2014/08/hacking-nodejs-and-mongodb.html • “Attacking NodeJS and MongoDB” - http: /blog.websecurify. com/2014/08/attacks-nodejs-and-mongodb-part-to.html Testing for LDAP Injection (OTG-INPVAL-006) Summary The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects. LDAP injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions. A web application could use LDAP in order to let users authenticate or search other users’ information inside a corporate structure. The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application. [Rfc2254] defines a grammar on how to build a search filter on LDAPv3 and extends [Rfc1960] (LDAPv2). An LDAP search filter is constructed in Polish notation, also known as [prefix notation]. This means that a pseudo code condition on a search filter like this: find(“cn=John & userPassword=mypass”) will be represented as: find(“(&(cn=John)(userPassword=mypass))”) Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following metacharacters: Metachar & | ! = ~= >=
131 132 Web Application Penetration Testing Web Application Penetration Testing Testing for XML Injection (OTG-INPVAL-008) Summary XML Injection testing is when a tester tries to inject an XML doc to the application. If the XML parser fails to contextually validate data, then the test will yield a positive result. This section describes practical examples of XML Injection. First, an XML style communication will be defined and its working principles explained. Then, the discovery method in which we try to insert XML metacharacters. Once the first step is accomplished, the tester will have some information about the XML structure, so it will be possible to try to inject XML data and tags (Tag Injection). How to Test Let’s suppose there is a web application using an XML style communication in order to perform user registration. This is done by creating and adding a new node in an xmlDb file. Let’s suppose the xmlDB file is like the following: gandalf !c3 0 gandalf@middleearth.com Stefan0 w1s3c 500 Stefan0@whysec.hmm When a user registers himself by filling an HTML form, the application receives the user’s data in a standard request, which, for the sake of simplicity, will be supposed to be sent as a GET request. For example, the following values: Username: tony Password: Un6R34kb!e E-mail: s4tan@hell.com will produce the request: http:/www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com The application, then, builds the following node: which will be added to the xmlDB: Discovery The first step in order to test an application for the presence of a XML Injection vulnerability consists of trying to insert XML metacharacters. XML metacharacters are: • Single quote: ‘ - When not sanitized, this character could throw an exception during XML parsing, if the injected value is going to be part of an attribute value in a tag. As an example, let’s suppose there is the following attribute So, if: tony Un6R34kb!e 500 s4tan@hell.com gandalf !c3 0 gandalf@middleearth.com Stefan0 w1s3c 500 Stefan0@whysec.hmm tony Un6R34kb!e 500 s4tan@hell.com inputValue = foo’ is instantiated and then is inserted as the attrib value: then, the resulting XML document is not well formed. • Double quote: “ - this character has the same meaning as single quote and it could be used if the attribute value is enclosed in double quotes. So if: $inputValue = foo” the substitution gives: and the resulting XML document is invalid. • Angular parentheses: > and < - By adding an open or closed angular parenthesis in a user input like the following: Username = foo< the application will build a new node: foo
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16: 27 28 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 65: 127 128 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?