1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
169 170<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
[*] Vulnerability Status: No<br />
=====================================<br />
Checking localhost:443 for TLS Compression support against<br />
CRIME (CVE-2012-4929) & TIME attack ...<br />
[*] TLS Compression : DISABLED<br />
[*] Immune from CRIME & TIME attack mentioned in https:/<br />
media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf<br />
[*] Vulnerability Status: No<br />
=====================================<br />
• Victim logs into the secure website at https://somesecuresite/.<br />
• The secure site issues a session cookie as the client logs in.<br />
• While logged in, the victim opens a new browser window and<br />
goes to http:// examplesite/<br />
• An attacker sitting on the same network is able to see the clear<br />
text traffic to http://examplesite.<br />
• The attacker sends back a “301 Moved Permanently” in response<br />
to the clear text traffic to http://examplesite. The response<br />
contains the header “Location: http://somesecuresite /”, which<br />
makes it appear that examplesite is sending the web browser to<br />
somesecuresite. Notice that the URL scheme is HTTP not HTTPS.<br />
• The victim’s browser starts a new clear text connection to http://<br />
somesecuresite/ and sends an HTTP request containing the cookie<br />
in the HTTP header in clear text<br />
• The attacker sees this traffic and logs the cookie for later use.<br />
To test if a website is vulnerable carry out the following tests:<br />
Configuration Review<br />
Testing for Weak SSL/TLS Cipher Suites<br />
Check the configuration of the web servers that provide https services.<br />
If the web application provides other SSL/TLS wrapped services,<br />
these should be checked as well.<br />
Example 9. Windows Server<br />
Check the configuration on a Microsoft Windows Server (2000, 2003<br />
and 2008) using the registry key:<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\<br />
that has some sub-keys including Ciphers, Protocols and KeyExchangeAlgorithms.<br />
[+] Breacher finished scanning in 12 seconds.<br />
[+] Get your latest copy at http:/yehg.net/<br />
Testing SSL certificate validity – client and server<br />
Firstly upgrade the browser because CA certs expire and in every release<br />
of the browser these are renewed. Examine the validity of the<br />
certificates used by the application. Browsers will issue a warning<br />
when encountering expired certificates, certificates issued by untrusted<br />
CAs, and certificates which do not match name wise with<br />
the site to which they should refer.<br />
By clicking on the padlock that appears in the browser window when<br />
visiting an HTTPS site, testers can look at information related to the<br />
certificate – including the issuer, period of validity, encryption characteristics,<br />
etc. If the application requires a client certificate, that<br />
tester has probably installed one to access it. Certificate information<br />
is available in the browser by inspecting the relevant certificate(s) in<br />
the list of the installed certificates.<br />
These checks must be applied to all visible SSL-wrapped communication<br />
channels used by the application. Though this is the usual<br />
https service running on port 443, there may be additional services<br />
involved depending on the web application architecture and on deployment<br />
issues (an HTTPS administrative port left open, HTTPS<br />
services on non-standard ports, etc.). Therefore, apply these checks<br />
to all SSL-wrapped ports which have been discovered. For example,<br />
the nmap scanner features a scanning mode (enabled by the –sV<br />
command line switch) which identifies SSL-wrapped services. The<br />
Nessus vulnerability scanner has the capability of performing SSL<br />
checks on all SSL/TLS-wrapped services.<br />
Example 1. Testing for certificate validity (manually)<br />
Rather than providing a fictitious example, this guide includes an<br />
anonymized real-life example to stress how frequently one stumbles<br />
on https sites whose certificates are inaccurate with respect<br />
to naming. The following screenshots refer to a regional site of a<br />
high-profile IT company.<br />
We are visiting a .it site and the certificate was issued to a .com site.<br />
Internet Explorer warns that the name on the certificate does not<br />
match the name of the site.<br />
Warning issued by Microsoft Internet Explorer<br />
The message issued by Firefox is different. Firefox complains because<br />
it cannot ascertain the identity of the .com site the certificate<br />
refers to because it does not know the CA which signed the certificate.<br />
In fact, Internet Explorer and Firefox do not come pre-loaded<br />
with the same list of CAs. Therefore, the behavior experienced with<br />
various browsers may differ.<br />
Warning issued by Mozilla Firefox<br />
Testing for other vulnerabilities<br />
As mentioned previously, there are other types of vulnerabilities that<br />
are not related with the SSL/TLS protocol used, the cipher suites<br />
or Certificates. Apart from other vulnerabilities discussed in other<br />
parts of this guide, a vulnerability exists when the server provides<br />
the website both with the HTTP and HTTPS protocols, and permits<br />
an attacker to force a victim into using a non-secure channel instead<br />
of a secure one.<br />
Surf Jacking<br />
The Surf Jacking attack [7] was first presented by Sandro Gauci and<br />
permits to an attacker to hijack an HTTP session even when the victim’s<br />
connection is encrypted using SSL or TLS.<br />
The following is a scenario of how the attack can take place:<br />
[1] Check if website supports both HTTP and HTTPS protocols<br />
[2] Check if cookies do not have the “Secure” flag<br />
SSL Strip<br />
Some applications supports both HTTP and HTTPS, either for usability<br />
or so users can type both addresses and get to the site. Often<br />
users go into an HTTPS website from link or a redirect.<br />
Typically personal banking sites have a similar configuration with<br />
an iframed log in or a form with action attribute over HTTPS but<br />
the page under HTTP.<br />
An attacker in a privileged position - as described in SSL strip [8]<br />
- can intercept traffic when the user is in the http site and manipulate<br />
it to get a Man-In-The-Middle attack under HTTPS. An application<br />
is vulnerable if it supports both HTTP and HTTPS.<br />
Testing via HTTP proxy<br />
Inside corporate environments testers can see services<br />
that are not directly accessible and they can access them<br />
only via HTTP proxy using the CONNECT method [36].<br />
Most of the tools will not work in this scenario because they try to<br />
connect to the desired tcp port to start the SSL/TLS handshake.<br />
With the help of relaying software such as socat [37] testers can<br />
enable those tools for use with services behind an HTTP proxy.<br />
Example 8. Testing via HTTP proxy<br />
To connect to destined.application.lan:443 via proxy<br />
10.13.37.100:3128 run socat as follows:<br />
$ socat TCP-LISTEN:9999,reuseaddr,fork<br />
PROXY:10.13.37.100:destined.application.lan:443,proxyport=3128<br />
Then the tester can target all other tools to localhost:9999:<br />
$ openssl s_client -connect localhost:9999<br />
All connections to localhost:9999 will be effectively relayed by socat<br />
via proxy to destined.application.lan:443.<br />
Example 10: Apache<br />
To check the cipher suites and protocols supported by the Apache2<br />
web server, open the ssl.conf file and search for the SSLCipherSuite,<br />
SSLProtocol, SSLHonorCipherOrder,SSLInsecureRenegotiation and<br />
SSLCompression directives.<br />
Testing SSL certificate validity – client and server<br />
Examine the validity of the certificates used by the application at<br />
both server and client levels. The usage of certificates is primarily<br />
at the web server level, however, there may be additional communication<br />
paths protected by SSL (for example, towards the DBMS).<br />
Testers should check the application architecture to identify all SSL<br />
protected channels.<br />
Tools<br />
• [21][Qualys SSL Labs - SSL Server Test | https://www.ssllabs.com/<br />
ssltest/index.html]: internet facing scanner<br />
• [27] [Tenable - Nessus Vulnerability Scanner | http://www.tenable.com/products/nessus]:<br />
includes some plugins to test different<br />
SSL related vulnerabilities, Certificates and the presence of HTTP<br />
Basic authentication without SSL.<br />
• [32] [TestSSLServer | http://www.bolet.org/TestSSLServer/]: a<br />
java scanner - and also windows executable - includes tests for<br />
cipher suites, CRIME and BEAST<br />
• [33] [sslyze | https://github.com/iSECPartners/sslyze]: is a python<br />
script to check vulnerabilities in SSL/TLS.<br />
• [28] [SSLAudit|https://code.google.com/p/sslaudit/]: a perl script/<br />
windows executable scanner which follows Qualys SSL Labs Rating<br />
Guide.<br />
• [29] [SSLScan | http://sourceforge.net/projects/sslscan/]<br />
with [SSL Tests|http://www.pentesterscripting.com/discovery/<br />
ssl_tests]: a SSL Scanner and a wrapper in order to enumerate SSL<br />
vulnerabilities.<br />
• [31] [nmap|http://nmap.org/]: can be used primary to identify<br />
SSL-based services and then to check Certificate and SSL/TLS<br />
vulnerabilities. In particular it has some scripts to check [Certificate<br />
and SSLv2|http://nmap.org/nsedoc/scripts/ssl-cert.html] and<br />
supported [SSL/TLS protocols/ciphers|http://nmap.org/nsedoc/<br />
scripts/ssl-enum-ciphers.html] with an internal rating.<br />
• [30] [curl|http://curl.haxx.se/] and [openssl|http://www.openssl.<br />
org/]: can be used to query manually SSL/TLS services<br />
• [9] [Stunnel|http://www.stunnel.org]: a noteworthy class of SSL