1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
173 174<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
• Information used in authentication (e.g. Credentials, PINs, Session<br />
identifiers, Tokens, Cookies…)<br />
• Information protected by laws, regulations or specific organizational<br />
policy (e.g. Credit Cards, Customers data)<br />
If the application transmits sensitive information via unencrypted<br />
channels - e.g. HTTP - it is considered a security risk. Some examples<br />
are Basic authentication which sends authentication credentials<br />
in plain-text over HTTP, form based authentication credentials<br />
sent via HTTP, or plain-text transmission of any other information<br />
considered sensitive due to regulations, laws, organizational policy<br />
or application business logic.<br />
How to Test<br />
Various types of information that must be protected, could be transmitted<br />
by the application in clear text. It is possible to check if this<br />
information is transmitted over HTTP instead of HTTPS, or whether<br />
weak cyphers are used. See more information about insecure<br />
transmission of credentials Top 10 2013-A6-Sensitive Data Exposure<br />
[3] or insufficient transport layer protection in general Top 10<br />
2010-A9-Insufficient Transport Layer Protection [2].<br />
Example 1: Basic Authentication over HTTP<br />
A typical example is the usage of Basic Authentication over HTTP.<br />
When using Basic Authentication, user credentials are encoded<br />
rather than encrypted, and are sent as HTTP headers. In the example<br />
below the tester uses curl [5] to test for this issue. Note how the<br />
application uses Basic authentication, and HTTP rather than HTTPS<br />
$ curl -kis http:/example.com/restricted/<br />
HTTP/1.1 401 Authorization Required<br />
Date: Fri, 01 Aug 2013 00:00:00 GMT<br />
WWW-Authenticate: Basic realm=”Restricted Area”<br />
Accept-Ranges: bytes Vary:<br />
Accept-Encoding Content-Length: 162<br />
Content-Type: text/html<br />
401 Authorization Required<br />
401 Authorization Required<br />
Invalid login credentials! <br />
Example 2: Form-Based Authentication Performed over HTTP<br />
Another typical example is authentication forms which transmit<br />
user authentication credentials over HTTP. In the example below<br />
one can see HTTP being used in the “action” attribute of the form. It<br />
is also possible to see this issue by examining the HTTP traffic with<br />
an interception proxy.<br />
<br />
User: <br />
Password: <br />
<br />
<br />
Example 3: Cookie Containing Session ID Sent over HTTP<br />
The Session ID Cookie must be transmitted over protected channels.<br />
If the cookie does not have the secure flag set [6] it is permitted for<br />
the application to transmit it unencrypted. Note below the setting<br />
of the cookie is done without the Secure flag, and the entire log in<br />
process is performed in HTTP and not HTTPS.<br />
https:/secure.example.com/login<br />
POST /login HTTP/1.1<br />
Host: secure.example.com<br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;<br />
rv:25.0) Gecko/20100101 Firefox/25.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate<br />
Referer: https:/secure.example.com/<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 188<br />
HTTP/1.1 302 Found<br />
Date: Tue, 03 Dec 2013 21:18:55 GMT<br />
Server: Apache<br />
Cache-Control: no-store, no-cache, must-revalidate, maxage=0<br />
Expires: Thu, 01 Jan 1970 00:00:00 GMT<br />
Pragma: no-cache<br />
Set-Cookie: JSESSIONID=BD99F321233AF69593ED-<br />
F52B123B5BDA; expires=Fri, 01-Jan-2014 00:00:00 GMT;<br />
path=/; domain=example.com; httponly<br />
Location: private/<br />
X-Content-Type-Options: nosniff<br />
X-XSS-Protection: 1; mode=block<br />
X-Frame-Options: SAMEORIGIN<br />
Content-Length: 0<br />
Keep-Alive: timeout=1, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html<br />
----------------------------------------------------------<br />
http:/example.com/private<br />
GET /private HTTP/1.1<br />
Host: example.com<br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;<br />
rv:25.0) Gecko/20100101 Firefox/25.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate<br />
Referer: https:/secure.example.com/login<br />
Cookie: JSESSIONID=BD99F321233AF69593ED-<br />
F52B123B5BDA;<br />
Connection: keep-alive<br />
HTTP/1.1 200 OK<br />
Cache-Control: no-store<br />
Pragma: no-cache<br />
Expires: 0<br />
Content-Type: text/html;charset=UTF-8<br />
Content-Length: 730<br />
Date: Tue, 25 Dec 2013 00:00:00 GMT<br />
----------------------------------------------------------<br />
Tools<br />
• [5] curl can be used to check manually for pages<br />
References<br />
OWASP Resources<br />
• [1] OWASP Testing Guide - Testing for Weak SSL/TLS Ciphers,<br />
Insufficient Transport Layer Protection (OTG-CRYPST-001)<br />
• [2] OWASP TOP 10 2010 - Insufficient Transport Layer Protection<br />
• [3] OWASP TOP 10 2013 - Sensitive Data Exposure<br />
• [4] OWASP ASVS v1.1 - V10 Communication Security Verification<br />
Requirements<br />
• [6] OWASP Testing Guide - Testing for Cookies attributes (OTG-<br />
SESS-002)<br />
Testing for business logic<br />
Summary<br />
Testing for business logic flaws in a multi-functional dynamic web<br />
application requires thinking in unconventional methods. If an application’s<br />
authentication mechanism is developed with the intention<br />
of performing steps 1, 2, 3 in that specific order to authenticate<br />
a user. What happens if the user goes from step 1 straight<br />
to step 3? In this simplistic example, does the application provide<br />
access by failing open; deny access, or just error out with a 500<br />
message?<br />
There are many examples that can be made, but the one constant<br />
lesson is “think outside of conventional wisdom”. This type of vulnerability<br />
cannot be detected by a vulnerability scanner and relies<br />
upon the skills and creativity of the penetration tester. In addition,<br />
this type of vulnerability is usually one of the hardest to detect,<br />
and usually application specific but, at the same time, usually one<br />
of the most detrimental to the application, if exploited.<br />
The classification of business logic flaws has been under-studied;<br />
although exploitation of business flaws frequently happens in real-world<br />
systems, and many applied vulnerability researchers investigate<br />
them. The greatest focus is in web applications. There<br />
is debate within the community about whether these problems<br />
represent particularly new concepts, or if they are variations of<br />
well-known principles.<br />
Testing of business logic flaws is similar to the test types used<br />
by functional testers that focus on logical or finite state testing.<br />
These types of tests require that security professionals think a bit<br />
differently, develop abused and misuse cases and use many of the<br />
testing techniques embraced by functional testers. Automation of<br />
business logic abuse cases is not possible and remains a manual<br />
art relying on the skills of the tester and their knowledge of the<br />
complete business process and its rules.<br />
Business Limits and Restrictions<br />
Consider the rules for the business function being provided by the<br />
application. Are there any limits or restrictions on people’s behavior?<br />
Then consider whether the application enforces those rules.<br />
It’s generally pretty easy to identify the test and analysis cases to<br />
verify the application if you’re familiar with the business. If you are<br />
a third-party tester, then you’re going to have to use your common<br />
sense and ask the business if different operations should be allowed<br />
by the application.<br />
Sometimes, in very complex applications, the tester will not have a<br />
full understanding of every aspect of the application initially. In these<br />
situations, it is best to have the client walk the tester through the application,<br />
so that they may gain a better understanding of the limits<br />
and intended functionality of the application, before the actual test<br />
begins. Additionally, having a direct line to the developers (if possible)<br />
during testing will help out greatly, if any questions arise regarding<br />
the application’s functionality.<br />
Description of the Issue<br />
Automated tools find it hard to understand context, hence it’s up to a<br />
person to perform these kinds of tests. The following two examples<br />
will illustrate how understanding the functionality of the application,<br />
the developer’s intentions, and some creative “out-of-the-box”<br />
thinking can break the application’s logic. The first example starts<br />
with a simplistic parameter manipulation, whereas the second is a<br />
real world example of a multi-step process leading to completely<br />
subvert the application.<br />
Example 1:<br />
Suppose an e-commerce site allows users to select items to purchase,<br />
view a summary page and then tender the sale. What if an<br />
attacker was able to go back to the summary page, maintaining their<br />
same valid session and inject a lower cost for an item and complete<br />
the transaction, and then check out?<br />
Example 2:<br />
Holding/locking resources and keeping others from purchases these<br />
items online may result in attackers purchasing items at a lower price.<br />
The countermeasure to this problem is to implement timeouts and<br />
mechanisms to ensure that only the correct price can be charged.<br />
Example 3:<br />
What if a user was able to start a transaction linked to their club/loyalty<br />
account and then after points have been added to their account<br />
cancel out of the transaction? Will the points/credits still be applied<br />
to their account?<br />
Business Logic Test Cases<br />
Every application has a different business process, application specific<br />
logic and can be manipulated in an infinite number of combinations.<br />
This section provides some common examples of business<br />
logic issues but in no way a complete list of all issues.<br />
Business Logic exploits can be broken into the following categories:<br />
4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)<br />
In business logic data validation testing, we verify that the application<br />
does not allow users to insert “unvalidated” data into the system/application.<br />
This is important because without this safeguard