1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
143 144<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Directory of c:\<br />
18/10/2006 00:27 2,675 Dir_Prog.txt<br />
18/10/2006 00:28 3,887 Dir_ProgFile.txt<br />
16/11/2006 10:43<br />
Doc<br />
11/11/2006 17:25<br />
Documents and Settings<br />
25/10/2006 03:11<br />
I386<br />
14/11/2006 18:51<br />
h4ck3r<br />
30/09/2005 21:40 25,934<br />
OWASP1.JPG<br />
03/11/2006 18:29<br />
Prog<br />
18/11/2006 11:20<br />
Program Files<br />
16/11/2006 21:12<br />
Software<br />
24/10/2006<br />
18:25<br />
Setup<br />
24/10/2006 23:37<br />
Technologies<br />
18/11/2006 11:14<br />
3 File 32,496 byte<br />
13 Directory 6,921,269,248 byte disponibili<br />
Return code: 0<br />
Tools<br />
• OWASP WebScarab<br />
• OWASP WebGoat<br />
References<br />
White papers<br />
• http://www.securityfocus.com/infocus/1709<br />
Remediation<br />
Sanitization<br />
The URL and form data needs to be sanitized for invalid characters. A<br />
“blacklist” of characters is an option but it may be difficult to think of<br />
all of the characters to validate against. Also there may be some that<br />
were not discovered as of yet. A “white list” containing only allowable<br />
characters should be created to validate the user input. Characters<br />
that were missed, as well as undiscovered threats, should be eliminated<br />
by this list.<br />
Permissions<br />
The web application and its components should be running under<br />
strict permissions that do not allow operating system command execution.<br />
Try to verify all these informations to test from a Gray Box<br />
point of view<br />
Testing for Buffer Overflow (OTG-INPVAL-014)<br />
Summary<br />
To find out more about buffer overflow vulnerabilities, please go to<br />
Buffer Overflow pages.<br />
See the OWASP article on Buffer Overflow Attacks.<br />
See the OWASP article on Buffer Overflow Vulnerabilities.<br />
How to test<br />
Different types of buffer overflow vulnerabilities have different testing<br />
methods. Here are the testing methods for the common types of<br />
buffer overflow vulnerabilities.<br />
• Testing for heap overflow vulnerability<br />
• Testing for stack overflow vulnerability<br />
• Testing for format string vulnerability<br />
Code Review<br />
See the OWASP Code Review Guide article on how to Review Code<br />
for Buffer Overruns and Overflows Vulnerabilities.<br />
Remediation<br />
See the OWASP Development Guide article on how to Avoid Buffer<br />
Overflow Vulnerabilities.<br />
Testing for Heap Overflow<br />
Summary<br />
In this test the penetration tester checks whether a they can make a<br />
Heap overflow that exploits a memory segment.<br />
Heap is a memory segment that is used for storing dynamically allocated<br />
data and global variables. Each chunk of memory in heap<br />
consists of boundary tags that contain memory management information.<br />
When a heap-based buffer is overflowed the control information<br />
in these tags is overwritten. When the heap management routine<br />
frees the buffer, a memory address overwrite takes place leading to<br />
an access violation. When the overflow is executed in a controlled<br />
fashion, the vulnerability would allow an adversary to overwrite a<br />
desired memory location with a user-controlled value. In practice,<br />
an attacker would be able to overwrite function pointers and various<br />
addresses stored in structures like GOT, .dtors or TEB with the address<br />
of a malicious payload.<br />
There are numerous variants of the heap overflow (heap corruption)<br />
vulnerability that can allow anything from overwriting function<br />
pointers to exploiting memory management structures for arbitrary<br />
code execution. Locating heap overflows requires closer examination<br />
in comparison to stack overflows, since there are certain conditions<br />
that need to exist in the code for these vulnerabilities to be<br />
exploitable.<br />
How to Test<br />
Black Box testing<br />
The principles of black box testing for heap overflows remain the<br />
same as stack overflows. The key is to supply as input strings that<br />
are longer than expected. Although the test process remains the<br />
same, the results that are visible in a debugger are significantly different.<br />
While in the case of a stack overflow, an instruction pointer or<br />
SEH overwrite would be apparent, this does not hold true for a heap<br />
overflow condition. When debugging a windows program, a heap<br />
overflow can appear in several different forms, the most common<br />
one being a pointer exchange taking place after the heap management<br />
routine comes into action. Shown below is a scenario that illustrates<br />
a heap overflow vulnerability.<br />
The two registers shown, EAX and ECX, can be populated with user<br />
supplied addresses which are a part of the data that is used to overflow<br />
the heap buffer. One of the addresses can point to a function<br />
pointer which needs to be overwritten, for example UEF (Unhandled<br />
Exception filter), and the other can be the address of user supplied<br />
code that needs to be executed.<br />
When the MOV instructions shown in the left pane are executed,<br />
the overwrite takes place and, when the function is called, user supplied<br />
code gets executed. As mentioned previously, other methods<br />
of testing such vulnerabilities include reverse engineering the application<br />
binaries, which is a complex and tedious process, and using<br />
fuzzing techniques.<br />
Gray Box testing<br />
When reviewing code, one must realize that there are several avenues<br />
where heap related vulnerabilities may arise. Code that seems<br />
innocuous at the first glance can actually be vulnerable under certain<br />
conditions. Since there are several variants of this vulnerability, we<br />
will cover only the issues that are predominant.<br />
Most of the time, heap buffers are considered safe by a lot of developers<br />
who do not hesitate to perform insecure operations like strcpy(<br />
) on them. The myth that a stack overflow and instruction pointer<br />
overwrite are the only means to execute arbitrary code proves to be<br />
hazardous in case of code shown below:-<br />
In this case, if buf exceeds 260 bytes, it will overwrite pointers in<br />
the adjacent boundary tag, facilitating the overwrite of an arbitrary<br />
memory location with 4 bytes of data once the heap management<br />
routine kicks in.<br />
int main(int argc, char *argv[])<br />
{<br />
……<br />
}<br />
vulnerable(argv[1]);<br />
return 0;<br />
int vulnerable(char *buf)<br />
{<br />
}<br />
……..<br />
HANDLE hp = HeapCreate(0, 0, 0);<br />
HLOCAL chunk = HeapAlloc(hp, 0, 260);<br />
strcpy(chunk, buf); ‘’’ Vulnerability’’’<br />
return 0;<br />
Lately, several products, especially anti-virus libraries, have been<br />
affected by variants that are combinations of an integer overflow<br />
and copy operations to a heap buffer. As an example, consider a vulnerable<br />
code snippet, a part of code responsible for processing TNEF<br />
filetypes, from Clam Anti Virus 0.86.1, source file tnef.c and function<br />
tnef_message( ):<br />
string = cli_malloc(length + 1); ‘’’ Vulnerability’’’<br />
if(fread(string, 1, length, fp) != length) {‘’’ Vulnerability’’’<br />
free(string);<br />
return -1;<br />
}<br />
The malloc in line 1 allocates memory based on the value of length,<br />
which happens to be a 32 bit integer. In this particular example,<br />
length is user-controllable and a malicious TNEF file can be crafted<br />
to set length to ‘-1’, which would result in malloc( 0 ). Therefore, this<br />
malloc would allocate a small heap buffer, which would be 16 bytes<br />
on most 32 bit platforms (as indicated in malloc.h).<br />
And now, in line 2, a heap overflow occurs in the call to fread( ). The<br />
3rd argument, in this case length, is expected to be a size_t variable.<br />
But if it’s going to be ‘-1’, the argument wraps to 0xFFFFFFFF, thus<br />
copying 0xFFFFFFFF bytes into the 16 byte buffer.<br />
Static code analysis tools can also help in locating heap related vulnerabilities<br />
such as “double free” etc. A variety of tools like RATS,<br />
Flawfinder and ITS4 are available for analyzing C-style languages.<br />
Tools<br />
• OllyDbg: “A windows based debugger used for analyzing buffer<br />
overflow vulnerabilities” - http://www.ollydbg.de<br />
• Spike, A fuzzer framework that can be used to explore vulnerabilities<br />
and perform length testing - http://www.immunitysec.com/<br />
downloads/SPIKE2.9.tgz<br />
• Brute Force Binary Tester (BFB), A proactive binary checker - http://<br />
bfbtester.sourceforge.net