1BO4r2U

Recommendations

Info

161 162 Web Application Penetration Testing Web Application Penetration Testing And the tester can complete our request, checking for response. HEAD / HTTP/1.1 HTTP/1.1 403 Forbidden ( The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. ) Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 1792 read:errno=0 Even if the HEAD is not permitted, Client-intiated renegotiaion is permitted. Example 5. Testing supported Cipher Suites, BEAST and CRIME attacks via TestSSLServer TestSSLServer [32] is a script which permits the tester to check the cipher suite and also for BEAST and CRIME attacks. BEAST (Browser Exploit Against SSL/TLS) exploits a vulnerability of CBC in TLS 1.0. CRIME (Compression Ratio Info-leak Made Easy) exploits a vulnerability of TLS Compression, that should be disabled. What is interesting is that the first fix for BEAST was the use of RC4, but this is now discouraged due to a crypto-analytical attack to RC4 [15]. An online tool to check for these attacks is SSL Labs, but can be used only for internet facing servers. Also consider that target data will be stored on SSL Labs server and also will result some connection from SSL Labs server [21]. $ java -jar TestSSLServer.jar www3.example.com 443 Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): SSLv3 RSA_WITH_RC4_128_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA_WITH_CAMELLIA_128_CBC_SHA RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_SEED_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA (TLSv1.0: idem) (TLSv1.1: idem) TLSv1.2 RSA_WITH_RC4_128_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_256_CBC_SHA256 RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA_WITH_AES_256_CBC_SHA256 RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_SEED_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ---------------------- Server certificate(s): ****** ---------------------- Minimal encryption strength: strong encryption (96-bit or more) Achievable encryption strength: strong encryption (96-bit or more) BEAST status: vulnerable CRIME status: protected Example 6. Testing SSL/TLS vulnerabilities with sslyze Sslyze [33] is a python script which permits mass scanning and XML output. The following is an example of a regular scan. It is one of the most complete and versatile tools for SSL/TLS testing ./sslyze.py --regular example.com:443 REGISTERING AVAILABLE PLUGINS ----------------------------- PluginHSTS PluginSessionRenegotiation PluginCertInfo PluginSessionResumption PluginOpenSSLCipherSuites PluginCompression CHECKING HOST(S) AVAILABILITY ----------------------------- example.com:443 => 127.0.0.1:443 SCAN RESULTS FOR EXAMPLE.COM:443 - 127.0.0.1:443 --------------------------------------------------- * Compression : Compression Support: Disabled * Session Renegotiation : Client-initiated Renegotiations: Rejected Secure Renegotiation: Supported * Certificate : Validation w/ Mozilla’s CA Store: Certificate is NOT Trusted: unable to get local issuer certificate Hostname Validation: MISMATCH SHA1 Fingerprint: ****** Common Name: www.example.com Issuer: ****** Serial Number: **** Not Before: Sep 26 00:00:00 2010 GMT Not After: Sep 26 23:59:59 2020 GMT Signature Algorithm: sha1WithRSAEncryption Key Size: 1024 bit X509v3 Subject Alternative Name: {‘othername’: [‘’], ‘DNS’: [‘www.example.com’]} * OCSP Stapling : Server did not send back an OCSP response. * Session Resumption : With Session IDs: Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Session Tickets: Supported * SSLV2 Cipher Suites : Rejected Cipher Suite(s): Hidden Preferred Cipher Suite: None Accepted Cipher Suite(s): None Undefined - An unexpected error happened: None * SSLV3 Cipher Suites : Rejected Cipher Suite(s): Hidden Preferred Cipher Suite: RC4-SHA 128 bits HTTP 200 OK Accepted Cipher Suite(s): CAMELLIA256-SHA 256 bits HTTP 200 OK RC4-SHA 128 bits HTTP 200 OK CAMELLIA128-SHA 128 bits HTTP 200 OK Undefined - An unexpected error happened: None * TLSV1_1 Cipher Suites : Rejected Cipher Suite(s): Hidden Preferred Cipher Suite: RC4-SHA 128 bits Timeout on HTTP GET Accepted Cipher Suite(s): CAMELLIA256-SHA 256 bits HTTP 200 OK RC4-SHA 128 bits HTTP 200 OK CAMELLIA128-SHA 128 bits HTTP 200 OK Undefined - An unexpected error happened: ADH-CAMELLIA256-SHA socket.timeout - timed out SCAN COMPLETED IN 9.68 S ------------------------ Example 7. Testing SSL/TLS with testssl.sh Testssl.sh [38] is a Linux shell script which provides clear output to facilitate good decision making. It can not only check web servers but also services on other ports, supports STARTTLS, SNI, SPDY and does a few check on the HTTP header as well. It’s a very easy to use tool. Here’s some sample output (without colors): user@myhost: % testssl.sh owasp.org ############################################## ########## testssl.sh v2.0rc3 (https:/testssl.sh) ($Id: testssl.sh,v 1.97 2014/04/15 21:54:29 dirkw Exp $) This program is free software. Redistribution + modification under GPLv2 is permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Note you can only check the server against what is available (ciphers/protocols) locally on your machine ############################################## ########## Using “OpenSSL 1.0.2-beta1 24 Feb 2014” on “myhost://bin/openssl64” Testing now (2014-04-17 15:06) ---> owasp.org:443 Testing Protocols SSLv2 SSLv3 TLSv1 NOT offered (ok) offered offered (ok)
163 164 Web Application Penetration Testing Web Application Penetration Testing TLSv1.1 offered (ok) TLSv1.2 offered (ok) SPDY/NPN not offered --> Testing standard cipher lists Null Cipher NOT offered (ok) Anonymous NULL Cipher NOT offered (ok) Anonymous DH Cipher NOT offered (ok) 40 Bit encryption NOT offered (ok) 56 Bit encryption NOT offered (ok) Export Cipher (general) NOT offered (ok) Low ( Testing server defaults (Server Hello) Negotiated protocol Negotiated cipher TLSv1.2 AES128-GCM-SHA256 Server key size 2048 bit TLS server extensions: server name, renegotiation info, session ticket, heartbeat Session Tickets RFC 5077 300 seconds --> Testing specific vulnerabilities Heartbleed (CVE-2014-0160), experimental NOT vulnerable (ok) Renegotiation (CVE 2009-3555) NOT vulnerable (ok) CRIME, TLS (CVE-2012-4929) NOT vulnerable (ok) --> Checking RC4 Ciphers RC4 seems generally available. Now testing specific ciphers... Hexcode Cipher Name KeyExch. Encryption Bits ----------------------------------------------------------- --------- [0x05] RC4-SHA RSA RC4 128 RC4 is kind of broken, for e.g. IE6 consider 0x13 or 0x0a --> Testing HTTP Header response HSTS no Server Apache Application (None) --> Testing (Perfect) Forward Secrecy (P)FS) no PFS available Done now (2014-04-17 15:07) ---> owasp.org:443
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32: 59 60 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 81: 159 160 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?