1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
157 158<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
a weak cipher - or at worst no encryption - permitting to an attacker<br />
to gain access to the supposed secure communication channel. Other<br />
misconfiguration can be used for a Denial of Service attack.<br />
Common Issues<br />
A vulnerability occurs if the HTTP protocol is used to transmit sensitive<br />
information [2] (e.g. credentials transmitted over HTTP [3]).<br />
When the SSL/TLS service is present it is good but it increments the<br />
attack surface and the following vulnerabilities exist:<br />
• SSL/TLS protocols, ciphers, keys and renegotiation must be<br />
properly configured.<br />
• Certificate validity must be ensured.<br />
Other vulnerabilities linked to this are:<br />
• Software exposed must be updated due to possibility of known<br />
vulnerabilities [4].<br />
• Usage of Secure flag for Session Cookies [5].<br />
• Usage of HTTP Strict Transport Security (HSTS) [6].<br />
• The presence of HTTP and HTTPS both, which can be used to<br />
intercept traffic [7], [8].<br />
• The presence of mixed HTTPS and HTTP content in the same page,<br />
which can be used to Leak information.<br />
Sensitive data transmitted in clear-text<br />
The application should not transmit sensitive information via unencrypted<br />
channels. Typically it is possible to find basic authentication<br />
over HTTP, input password or session cookie sent via HTTP and, in<br />
general, other information considered by regulations, laws or organization<br />
policy.<br />
Weak SSL/TLS Ciphers/Protocols/Keys<br />
Historically, there have been limitations set in place by the U.S. government<br />
to allow cryptosystems to be exported only for key sizes of<br />
at most 40 bits, a key length which could be broken and would allow<br />
the decryption of communications. Since then cryptographic export<br />
regulations have been relaxed the maximum key size is 128 bits.<br />
It is important to check the SSL configuration being used to avoid<br />
putting in place cryptographic support which could be easily defeated.<br />
To reach this goal SSL-based services should not offer the possibility<br />
to choose weak cipher suite. A cipher suite is specified by an<br />
encryption protocol (e.g. DES, RC4, AES), the encryption key length<br />
(e.g. 40, 56, or 128 bits), and a hash algorithm (e.g. SHA, MD5) used<br />
for integrity checking.<br />
Briefly, the key points for the cipher suite determination are the following:<br />
[1] The client sends to the server a ClientHello message specifying,<br />
among other information, the protocol and the cipher suites that it<br />
is able to handle. Note that a client is usually a web browser (most<br />
popular SSL client nowadays), but not necessarily, since it can be any<br />
SSL-enabled application; the same holds for the server, which needs<br />
not to be a web server, though this is the most common case [9].<br />
[2] The server responds with a ServerHello message, containing the<br />
chosen protocol and cipher suite that will be used for that session<br />
(in general the server selects the strongest protocol and cipher suite<br />
supported by both the client and server).<br />
It is possible (for example, by means of configuration directives) to<br />
specify which cipher suites the server will honor. In this way you may<br />
control whether or not conversations with clients will support 40-bit<br />
encryption only.<br />
[1] The server sends its Certificate message and, if client authentication<br />
is required, also sends a CertificateRequest message to the<br />
client.<br />
[2] The server sends a ServerHelloDone message and waits for a<br />
client response.<br />
[3] Upon receipt of the ServerHelloDone message, the client verifies<br />
the validity of the server’s digital certificate.<br />
SSL certificate validity – client and server<br />
When accessing a web application via the HTTPS protocol, a secure<br />
channel is established between the client and the server. The identity<br />
of one (the server) or both parties (client and server) is then established<br />
by means of digital certificates. So, once the cipher suite<br />
is determined, the “SSL Handshake” continues with the exchange of<br />
the certificates:<br />
[1] The server sends its Certificate message and, if client authentication<br />
is required, also sends a CertificateRequest message to the<br />
client.<br />
[2] The server sends a ServerHelloDone message and waits for a<br />
client response.<br />
[3] Upon receipt of the ServerHelloDone message, the client verifies<br />
the validity of the server’s digital certificate.<br />
In order for the communication to be set up, a number of checks on<br />
the certificates must be passed. While discussing SSL and certificate<br />
based authentication is beyond the scope of this guide, this section<br />
will focus on the main criteria involved in ascertaining certificate validity:<br />
• Checking if the Certificate Authority (CA) is a known one (meaning<br />
one considered trusted);<br />
• Checking that the certificate is currently valid;<br />
• Checking that the name of the site and the name reported in the<br />
certificate match.<br />
Let’s examine each check more in detail.<br />
• Each browser comes with a pre-loaded list of trusted CAs,<br />
against which the certificate signing CA is compared (this list can be<br />
customized and expanded at will). During the initial negotiations with<br />
an HTTPS server, if the server certificate relates to a CA unknown<br />
to the browser, a warning is usually raised. This happens most<br />
often because a web application relies on a certificate signed by a<br />
self-established CA. Whether this is to be considered a concern<br />
depends on several factors. For example, this may be fine for an<br />
Intranet environment (think of corporate web email being provided<br />
via HTTPS; here, obviously all users recognize the internal CA as a<br />
trusted CA). When a service is provided to the general public via the<br />
Internet, however (i.e. when it is important to positively verify the<br />
identity of the server we are talking to), it is usually imperative to rely<br />
on a trusted CA, one which is recognized by all the user base (and<br />
here we stop with our considerations; we won’t delve deeper in the<br />
implications of the trust model being used by digital certificates).<br />
• Certificates have an associated period of validity, therefore they<br />
may expire. Again, we are warned by the browser about this.<br />
A public service needs a temporally valid certificate; otherwise, it<br />
means we are talking with a server whose certificate was issued by<br />
someone we trust, but has expired without being renewed.<br />
• What if the name on the certificate and the name of the server do<br />
not match? If this happens, it might sound suspicious. For a number<br />
of reasons, this is not so rare to see. A system may host a number<br />
of name-based virtual hosts, which share the same IP address and<br />
are identified by means of the HTTP 1.1 Host: header information.<br />
In this case, since the SSL handshake checks the server certificate<br />
before the HTTP request is processed, it is not possible to assign<br />
different certificates to each virtual server. Therefore, if the name of<br />
the site and the name reported in the certificate do not match, we<br />
have a condition which is typically signaled by the browser. To avoid<br />
this, IP-based virtual servers must be used. [33] and [34] describe<br />
techniques to deal with this problem and allow name-based virtual<br />
hosts to be correctly referenced.<br />
Other vulnerabilities<br />
The presence of a new service, listening in a separate tcp port may<br />
introduce vulnerabilities such as infrastructure vulnerabilities if the<br />
software is not up to date [4]. Furthermore, for the correct protection<br />
of data during transmission the Session Cookie must use the<br />
Secure flag [5] and some directives should be sent to the browser to<br />
accept only secure traffic (e.g. HSTS [6], CSP).<br />
Also there are some attacks that can be used to intercept traffic if<br />
the web server exposes the application on both HTTP and HTTPS<br />
[6], [7] or in case of mixed HTTP and HTTPS resources in the same<br />
page.<br />
How to Test<br />
Testing for sensitive data transmitted in clear-text<br />
Various types of information which must be protected can be also<br />
transmitted in clear text. It is possible to check if this information is<br />
transmitted over HTTP instead of HTTPS. Please refer to specific<br />
tests for full details, for credentials [3] and other kind of data [2].<br />
Example 1. Basic Authentication over HTTP<br />
A typical example is the usage of Basic Authentication over HTTP<br />
because with Basic Authentication, after log in, credentials are encoded<br />
- and not encrypted - into HTTP Headers.<br />
$ curl -kis http:/example.com/restricted/<br />
HTTP/1.1 401 Authorization Required<br />
Date: Fri, 01 Aug 2013 00:00:00 GMT<br />
WWW-Authenticate: Basic realm=”Restricted Area”<br />
Accept-Ranges: bytes<br />
Vary: Accept-Encoding<br />
Content-Length: 162<br />
Content-Type: text/html<br />
401 Authorization Required<br />
<br />
401 Authorization Required<br />
Invalid login credentials!<br />
<br />
Testing for Weak SSL/TLS Ciphers/Protocols/Keys vulnerabilities<br />
The large number of available cipher suites and quick progress in<br />
cryptanalysis makes testing an SSL server a non-trivial task.<br />
At the time of writing these criteria are widely recognized as minimum<br />
checklist:<br />
• Weak ciphers must not be used (e.g. less than 128 bits [10]; no<br />
NULL ciphers suite, due to no encryption used; no Anonymous Diffie-Hellmann,<br />
due to not provides authentication).<br />
• Weak protocols must be disabled (e.g. SSLv2 must be disabled, due<br />
to known weaknesses in protocol design [11]).<br />
• Renegotiation must be properly configured (e.g. Insecure Renegotiation<br />
must be disabled, due to MiTM attacks [12] and Client-initiated<br />
Renegotiation must be disabled, due to Denial of Service vulnerability<br />
[13]).<br />
• No Export (EXP) level cipher suites, due to can be easly broken [10].<br />
• X.509 certificates key length must be strong (e.g. if RSA or DSA is<br />
used the key must be at least 1024 bits).<br />
• X.509 certificates must be signed only with secure hashing algoritms<br />
(e.g. not signed using MD5 hash, due to known collision attacks<br />
on this hash).<br />
• Keys must be generated with proper entropy (e.g, Weak Key Generated<br />
with Debian) [14].<br />
A more complete checklist includes:<br />
• Secure Renegotiation should be enabled.<br />
• MD5 should not be used, due to known collision attacks. [35]<br />
• RC4 should not be used, due to crypto-analytical attacks [15].<br />
• Server should be protected from BEAST Attack [16].<br />
• Server should be protected from CRIME attack, TLS compression<br />
must be disabled [17].<br />
• Server should support Forward Secrecy [18].<br />
The following standards can be used as reference while assessing<br />
SSL servers:<br />
• PCI-DSS v2.0 in point 4.1 requires compliant parties to use “strong<br />
cryptography” without precisely defining key lengths and algorithms.<br />
Common interpretation, partially based on previous versions<br />
of the standard, is that at least 128 bit key cipher, no export strength<br />
algorithms and no SSLv2 should be used [19].<br />
• Qualys SSL Labs Server Rating Guide [14], Depoloyment best practice<br />
[10] and SSL Threat Model [20] has been proposed to standardize<br />
SSL server assessment and configuration. But is less updated<br />
than the SSL Server tool [21].<br />
• OWASP has a lot of resources about SSL/TLS Security [22], [23],<br />
[24], [25]. [26].<br />
Some tools and scanners both free (e.g. SSLAudit [28] or SSLScan<br />
[29]) and commercial (e.g. Tenable Nessus [27]), can be used to as-