1BO4r2U

Recommendations

Info

153 154 Web Application Penetration Testing Web Application Penetration Testing Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’ [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key ‘DriverId’ nect string, we can invoke more detailed errors. In this example, we can see a generic error in the same situation which reveals the type and version of the associated database system and a dependence on Windows operating system registry key values. Now we will look at a practical example with a security test against a web application that loses its link to its database server and does not handle the exception in a controlled manner. This could be caused by a database name resolution issue, processing of unexpected variable values, or other network problems. Consider the scenario where we have a database administration web portal, which can be used as a front end GUI to issue database queries, create tables, and modify database fields. During the POST of the logon credentials, the following error message is presented to the penetration tester. The message indicates the presence of a MySQL database server: Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server host If we see in the HTML code of the logon page the presence of a hidden field with a database IP, we can try to change this value in the URL with the address of database server under the penetration tester’s control in an attempt to fool the application into thinking that the logon was successful. Another example: knowing the database server that services a web application, we can take advantage of this information to carry out a SQL Injection for that kind of database or a persistent XSS test. How to Test Below are some examples of testing for detailed error messages returned to the user. Each of the below examples has specific information about the operating system, application version, etc. Test: 404 Not Found Test: Result: Test: Content-Type: text/html; charset=iso-8859-1 ... 404 Not Found ... Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g at Port 80 ... Network problems leading to the application being unable to access the database server Microsoft OLE DB Provider for ODBC Drivers (0x80004005) ‘ [MySQL][ODBC 3.51 Driver]Unknown MySQL server host Authentication failure due to missing credentials Result: Firewall version used for authentication: Error 407 FW-1 at : Unauthorized to access the document. • Authorization is needed for FW-1. • The authentication required by FW-1 is: unknown. • Reason for failure of last attempt: no user Test: 400 Bad Request telnet 80 GET / HTTP/1.1 400 Bad Request ... Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at 127.0.1.1 Port 80 ... Test: 405 Method Not Allowed telnet 80 PUT /index.html HTTP/1.1 Host: Result: HTTP/1.1 405 Method Not Allowed Date: Fri, 07 Dec 2013 00:48:57 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Allow: GET, HEAD, POST, OPTIONS Vary: Accept-Encoding Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 405 Method Not Allowed ... Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80 ... Test: 408 Request Time-out telnet 80 GET / HTTP/1.1 - Wait X seconds – (Depending on the target server, 21 seconds for Apache by default) Test: 501 Method Not Implemented Result: Test: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80 ... telnet 80 RENAME /index.html HTTP/1.1 Host: HTTP/1.1 501 Method Not Implemented Date: Fri, 08 Dec 2013 09:59:32 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Allow: GET, HEAD, POST, OPTIONS Vary: Accept-Encoding Content-Length: 299 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 501 Method Not Implemented ... Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80 ... Enumeration of directories by using access denied error messages: http:// Result: telnet 80 GET / HTTP/1.1 host: Result: HTTP/1.1 404 Not Found Date: Sat, 04 Nov 2006 15:26:48 GMT Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g Content-Length: 310 Connection: close Result: HTTP/1.1 400 Bad Request Date: Fri, 06 Dec 2013 23:57:53 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Vary: Accept-Encoding Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1 ... Result: HTTP/1.1 408 Request Time-out Date: Fri, 07 Dec 2013 00:58:33 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Vary: Accept-Encoding Content-Length: 298 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 408 Request Time-out ... Directory Listing Denied This Virtual Directory does not allow contents to be listed. Forbidden You don’t have permission to access / on this server. Tools • ErrorMint - http://sourceforge.net/projects/errormint/ • ZAP Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
155 156 Web Application Penetration Testing Web Application Penetration Testing References • RFC2616] Hypertext Transfer Protocol -- HTTP/1.1 • [ErrorDocument] Apache ErrorDocument Directive • [AllowOverride] Apache AllowOverride Directive • [ServerTokens] Apache ServerTokens Directive • [ServerSignature] Apache ServerSignature Directive Remediation Error Handling in IIS and ASP .net ASP .net is a common framework from Microsoft used for developing web applications. IIS is one of the commonly used web servers. Errors occur in all applications, developers try to trap most errors but it is almost impossible to cover each and every exception (it is however possible to configure the web server to suppress detailed error messages from being returned to the user). IIS uses a set of custom error pages generally found in c:\winnt\ help\iishelp\common to display errors like ‘404 page not found’ to the user. These default pages can be changed and custom errors can be configured for IIS server. When IIS receives a request for an aspx page, the request is passed on to the dot net framework. There are various ways by which errors can be handled in dot net framework. Errors are handled at three places in ASP .net: • Inside Web.config customErrors section • Inside global.asax Application_Error Sub • At the the aspx or associated codebehind page in the Page_Error sub Handling errors using web.config mode=”On” will turn on custom errors. mode=RemoteOnly will show custom errors to the remote web application users. A user accessing the server locally will be presented with the complete stack trace and custom errors will not be shown to him. All the errors, except those explicitly specified, will cause a redirection to the resource specified by defaultRedirect, i.e., myerrorpagedefault.aspx. A status code 404 will be handled by myerrorpagefor404.aspx. Handling errors in Global.asax When an error occurs, the Application_Error sub is called. A developer can write code for error handling/page redirection in this sub. Private Sub Application_Error (ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Error End Sub Handling errors in Page_Error sub This is similar to application error. Private Sub Page_Error (ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Error End Sub Error hierarchy in ASP .net Page_Error sub will be processed first, followed by global.asax Application_Error sub, and, finally, customErrors section in web.config file. Information Gathering on web applications with server-side technology is quite difficult, but the information discovered can be useful for the correct execution of an attempted exploit (for example, SQL injection or Cross Site Scripting (XSS) attacks) and can reduce false positives. How to test for ASP.net and IIS Error Handling Fire up your browser and type a random page name http:\\www.mywebserver.com\anyrandomname.asp If the server returns The page cannot be found Internet Information Services it means that IIS custom errors are not configured. Please note the .asp extension. Also test for .net custom errors. Type a random page name with aspx extension in your browser http:\\www.mywebserver.com\anyrandomname.aspx If the server returns Server Error in ‘/’ Application. ------------------------------------------------------------ -------------------- The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. custom errors for .net are not configured. Error Handling in Apache Apache is a common HTTP server for serving HTML and PHP web pages. By default, Apache shows the server version, products installed and OS system in the HTTP error responses. Responses to the errors can be configured and customized globally, per site or per directory in the apache2.conf using the Error- Document directive [2] ErrorDocument 404 “Customized Not Found error message” ErrorDocument 403 /myerrorpagefor403.html ErrorDocument 501 http:/www.externaldomain.com/errorpagefor501.html Site administrators are able to manage their own errors using .htaccess file if the global directive AllowOverride is configured properly in apache2.conf [3] The information shown by Apache in the HTTP errors can also be configured using the directives ServerTokens [4] and ServerSignature [5] at apache2.conf configuration file. “ServerSignature Off” (On by default) removes the server information from the error responses, while ServerTokens [ProductOnly|Major|Minor|Minimal|OS|Full] (Full by default) defines what information has to be shown in the error pages. Error Handling in Tomcat Tomcat is a HTTP server to host JSP and Java Servlet applications. By default, Tomcat shows the server version in the HTTP error responses. Customization of the error responses can be configured in the configuration file web.xml. ErrorDocument 404 “Customized Not Found error message” ErrorDocument 403 /myerrorpagefor403.html ErrorDocument 501 http:/www.externaldomain.com/errorpagefor501.html Testing for Stack Traces (OTG-ERR-002) Summary Stack traces are not vulnerabilities by themselves, but they often reveal information that is interesting to an attacker. Attackers attempt to generate these stack traces by tampering with the input to the web application with malformed HTTP requests and other input data. If the application responds with stack traces that are not managed it could reveal information useful to attackers. This information could then be used in further attacks. Providing debugging information as a result of operations that generate errors is considered a bad practice due to multiple reasons. For example, it may contain information on internal workings of the application such as relative paths of the point where the application is installed or how objects are referenced internally. How to Test Black Box testing There are a variety of techniques that will cause exception messages to be sent in an HTTP response. Note that in most cases this will be an HTML page, but exceptions can be sent as part of SOAP or REST responses too. Some tests to try include: • invalid input (such as input that is not consistent with application logic. • input that contains non alphanumeric characters or query syntax. • empty inputs. • inputs that are too long. • access to internal pages without authentication. • bypassing application flow. All the above tests could lead to application errors that may contain stack traces. It is recommended to use a fuzzer in addition to any manual testing. Some tools, such as OWASP ZAP and Burp proxy will automatically detect these exceptions in the response stream as you are doing other penetration and testing work. Gray Box Testing Search the code for the calls that cause an exception to be rendered to a String or output stream. For example, in Java this might be code in a JSP that looks like: In some cases, the stack trace will be specifically formatted into HTML, so be careful of accesses to stack trace elements. Search the configuration to verify error handling configuration and the use of default error pages. For example, in Java this configuration can be found in web.xml. Tools • ZAP Proxy - https://www.owasp.org/index.php/OWASP_Zed_ Attack_Proxy_Project References • [RFC2616] Hypertext Transfer Protocol - HTTP/1.1 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) Summary Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission. HTTP is a clear-text protocol and it is normally secured via an SSL/ TLS tunnel, resulting in HTTPS traffic [1]. The use of this protocol ensures not only confidentiality, but also authentication. Servers are authenticated using digital certificates and it is also possible to use client certificate for mutual authentication. Even if high grade ciphers are today supported and normally used, some misconfiguration in the server can be used to force the use of
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28: 51 52 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 77: 151 152 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?