Web Application Penetration Testing
attackers may be able to insert “unvalidated” data into the application or system at “handoff points” where the application or system believes that the data is “good” and already validated, because the “entry points” performed data validation as part of the business logic workflow.
4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)
In forged and predictable parameter request testing, we verify that the application does not allow users to submit or alter data to any component of the system that they should not have access to, or should not be accessing at that particular time or in that particular manner. This is important because without this safeguard attackers may be able to “fool/trick” the application into letting them into sections of the application or system that they should not be allowed in at that particular time, thus circumventing the application's business logic workflow.
4.12.3 Test Integrity Checks (OTG-BUSLOGIC-003)
In integrity check and tamper evidence testing, we verify that the application does not allow users to destroy the integrity of any part of the system or its data. This is important because without these safeguards attackers may break the business logic workflow, change or compromise the application/system data, or cover up their actions by altering information including log files.
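As an added example that is not code from the Testing Guide, the following Python shows one way to make data that has to round-trip through the client tamper evident: the server serialises the fields it chose, attaches an HMAC-SHA256 tag, and on return verifies the tag with a constant-time comparison before trusting anything in the payload. The secret key, the field names and the tamper() helper that stands in for editing the hidden field in an intercepting proxy are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Server-side secret (constructed for this example; a real deployment loads it
# from a secrets store and rotates it). The client never sees it.
SECRET_KEY = b"example-only-server-secret"


def _encode(payload: bytes, tag: bytes) -> str:
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def sign_fields(fields: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise server-chosen fields and attach an HMAC-SHA256 tag.

    The result is what goes into a hidden form input (or a cookie). The client
    must echo it back unchanged; any edit to the payload invalidates the tag.
    """
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _encode(payload, tag)


def verify_fields(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the fields if the tag verifies, otherwise None.

    compare_digest is used instead of == so that verification time does not
    depend on how many leading bytes of a forged tag happen to be right.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def tamper(token: str, field: str, new_value) -> str:
    """Simulate a tester editing one field in an intercepting proxy while
    leaving the tag untouched (hypothetical helper for the demonstration)."""
    payload_b64, tag_b64 = token.split(".", 1)
    fields = json.loads(base64.urlsafe_b64decode(payload_b64))
    fields[field] = new_value
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64


if __name__ == "__main__":
    token = sign_fields({"item": "widget", "price": 49.99, "qty": 1})
    print("genuine  :", verify_fields(token))
    print("tampered :", verify_fields(tamper(token, "price", 0.01)))
```

An HMAC proves that the bytes were produced by the holder of the key; it does not stop replay of an older, still valid token, so values that must be fresh need a nonce or a server-side record as well. Anything the server can recompute itself, such as a price from the catalogue, should not be round-tripped through the client at all. The constant-time comparison also closes the kind of timing leak that 4.12.4 describes.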
4.12.4 Test for Process Timing (OTG-BUSLOGIC-004)
In process timing testing, we verify that the application does not allow users to manipulate a system or guess its behavior based on input or output timing. This is important because without this safeguard in place attackers may be able to monitor processing time and determine outputs based on timing, or circumvent the application's business logic by not completing transactions or actions in a timely manner.
4.12.5 Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
In function limit testing, we verify that the application does not allow users to exercise portions of the application or its functions more times than required by the business logic workflow. This is important because without this safeguard in place attackers may be able to use a function or portion of the application more times than permissible per the business logic to gain additional benefits.
4.12.6 Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
In circumventing workflow and bypassing correct sequence testing, we verify that the application does not allow users to perform actions outside of the “approved/required” business process flow. This is important because without this safeguard in place attackers may be able to bypass or circumvent workflows and “checks”, allowing them to prematurely enter or skip “required” sections of the application, potentially allowing the action/transaction to be completed without successfully completing the entire business process and leaving the system with incomplete backend tracking information.
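The three checks of 4.12.2, 4.12.5 and 4.12.6 (forged parameters, function-use limits, workflow sequence) can be exercised against a model of the business process. As an added illustration that is not part of the Testing Guide, the following Python simulates a checkout workflow twice: TrustingCheckout accepts the client's price, unlimited coupon use and any step order, while EnforcingCheckout recomputes the total from a server-side catalogue, records coupon use per order and only allows the next step in the required sequence. The catalogue, coupon codes, step names and request shapes are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed server-side data: the only place prices and discounts come from.
CATALOGUE = {"widget": 49.99}
COUPONS = {"SAVE10": 10.00}
# Required order of the checkout workflow.
STEPS = ["cart", "shipping", "payment", "confirm"]


class WorkflowError(Exception):
    """Raised by the enforcing handler when a request breaks the business logic."""


class Order:
    def __init__(self) -> None:
        self.total = 0.0
        self.completed: List[str] = []   # workflow steps finished so far, in order
        self.coupons: set = set()        # coupon codes already applied to this order
        self.confirmed = False


class TrustingCheckout:
    """Deliberately weak: price, step order and coupon count are whatever the client sends."""

    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}

    def handle(self, order_id: str, req: dict) -> Order:
        order = self.orders.setdefault(order_id, Order())
        step = req["step"]
        if step == "cart":
            order.total += float(req["price"]) * int(req["qty"])   # forged parameter (4.12.2)
        elif step == "coupon":
            order.total -= COUPONS[req["code"]]                    # no use limit (4.12.5)
        elif step == "confirm":
            order.confirmed = True                                 # no sequence check (4.12.6)
        order.completed.append(step)
        return order


class EnforcingCheckout:
    """Recomputes money server-side and checks order state before every transition."""

    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}

    def handle(self, order_id: str, req: dict) -> Order:
        order = self.orders.setdefault(order_id, Order())
        step = req["step"]
        if step == "coupon":
            if "cart" not in order.completed or "payment" in order.completed:
                raise WorkflowError("coupon not allowed at this stage")
            code = req["code"]
            if code in order.coupons:
                raise WorkflowError("coupon already applied")      # one use per order
            order.coupons.add(code)
            order.total = max(0.0, order.total - COUPONS[code])
            return order
        # Only the next step of the required sequence is accepted.
        expected = STEPS[len(order.completed)] if len(order.completed) < len(STEPS) else None
        if step != expected:
            raise WorkflowError(f"expected {expected!r}, got {step!r}")
        if step == "cart":
            order.total += CATALOGUE[req["sku"]] * int(req["qty"])   # client price ignored
        elif step == "confirm":
            order.confirmed = True
        order.completed.append(step)
        return order


# Constructed request sequences a tester would replay through an intercepting proxy.
ABUSE_CASES: List[Tuple[str, List[dict]]] = [
    ("forged price",    [{"step": "cart", "sku": "widget", "qty": 1, "price": 0.01}]),
    ("coupon reuse",    [{"step": "cart", "sku": "widget", "qty": 1, "price": 49.99},
                         {"step": "coupon", "code": "SAVE10"},
                         {"step": "coupon", "code": "SAVE10"}]),
    ("skip to confirm", [{"step": "confirm"}]),
]


def run_abuse_cases(handler_cls) -> Dict[str, tuple]:
    """Replay each abuse sequence against a fresh handler and record the outcome."""
    results: Dict[str, tuple] = {}
    for name, requests in ABUSE_CASES:
        handler = handler_cls()
        try:
            for req in requests:
                order = handler.handle(f"order-{name}", req)
            results[name] = ("accepted", round(order.total, 2), order.confirmed)
        except WorkflowError as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for cls in (TrustingCheckout, EnforcingCheckout):
        print(cls.__name__, run_abuse_cases(cls))
```

run_abuse_cases(TrustingCheckout) accepts all three sequences: a widget for 0.01, a 49.99 order reduced twice by the same coupon, and an order confirmed without shipping or payment. run_abuse_cases(EnforcingCheckout) accepts only the first request, at the catalogue price, and rejects the other two with a WorkflowError. The same three sequences, replayed through a proxy against the real application, are the test; the harness only shows what a pass and a fail look like.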
4.12.7 Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
In application mis-use testing, we verify that the application does not allow users to manipulate the application in an unintended manner.
4.12.8 Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
In unexpected file upload testing, we verify that the application does not allow users to upload file types that the system does not expect or want per the business logic requirements. This is important because without these safeguards in place attackers may be able to submit unexpected files such as .exe or .php that could be saved to the system and then executed against the application or system.
4.12.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)
In malicious file upload testing, we verify that the application does not allow users to upload files that are malicious or potentially malicious to system security. This is important because without these safeguards in place attackers may be able to upload files that spread viruses or malware, or that carry exploits such as shellcode, when executed.
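As an added example that is not code from the Testing Guide, the following Python shows the server-side checks that together answer 4.12.8 and 4.12.9: an extension allow-list, rejection of double extensions and null bytes, magic-byte verification of the received content, a heuristic scan for script markers hidden inside an otherwise valid image, and storage under a random name outside the document root. The allowed types, size limit, upload directory and the sample uploads are assumptions constructed for the example.

```python
import os
import re
import secrets
from typing import Dict, Tuple

# Constructed allow-list: the only types a hypothetical avatar upload expects,
# each mapped to the magic bytes a genuine file of that type starts with.
ALLOWED_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Byte patterns with no business inside an image; their presence indicates a
# polyglot (image header followed by server-side script). This is a heuristic,
# not a substitute for storing uploads where they can never be executed.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"#!/")
UPLOAD_ROOT = "/srv/uploads"   # assumed: outside the web server's document root


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Decide from server-side policy and the received bytes whether to keep a file."""
    name = os.path.basename(filename.replace("\\", "/"))     # discard any client path
    if "\x00" in name:
        return False, "null byte in filename"
    if name.count(".") != 1 or name.startswith("."):
        return False, "exactly one extension required"         # blocks shell.php.png, .htaccess
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not STEM_RE.fullmatch(stem):
        return False, "unsafe filename characters"
    if ext not in ALLOWED_MAGIC:
        return False, f".{ext} is not an accepted type"
    if not content or len(content) > MAX_BYTES:
        return False, "empty or oversized file"
    if not content.startswith(ALLOWED_MAGIC[ext]):           # declared type vs real bytes
        return False, "content does not match extension"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, f"accepted as .{ext}"


def storage_path(ext: str) -> str:
    """Never reuse the client's name: random name under a non-executable directory."""
    return os.path.join(UPLOAD_ROOT, secrets.token_hex(16) + "." + ext.lower())


# Constructed upload attempts of the kind a tester sends through an intercepting proxy.
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "real png":       ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    "php as png":     ("shell.png", b"<?php system($_GET['c']); ?>"),
    "double ext":     ("shell.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    "null byte":      ("shell.php\x00.png", b"\x89PNG\r\n\x1a\n"),
    "path traversal": ("../../var/www/html/x.gif", b"GIF89a" + b"\x00" * 16),
    "gif polyglot":   ("pic.gif", b"GIF89a" + b"\x00" * 8 + b"<?php phpinfo(); ?>"),
    "exe":            ("setup.exe", b"MZ\x90\x00"),
}


def triage(samples: Dict[str, Tuple[str, bytes]] = SAMPLES) -> Dict[str, Tuple[bool, str]]:
    """Run every sample through the validator; returns label -> (accepted, reason)."""
    return {label: validate_upload(fn, data) for label, (fn, data) in samples.items()}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:15s} {verdict}")
```

The path traversal sample is accepted because the client-supplied directory is discarded and only x.gif is considered; what matters is that the file is then written to storage_path(), not to the name the client chose. A tester should expect each of the other samples to be rejected for the stated reason, and should also confirm that whatever directory does receive uploads is not served with script execution enabled, since the marker scan can be evaded and the real control is that uploaded bytes are never interpreted.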
Tools
While there are tools for testing and verifying that business processes are functioning correctly in valid situations, these tools are incapable of detecting logical vulnerabilities. For example, tools have no means of detecting whether a user is able to circumvent the business process flow by editing parameters, predicting resource names or escalating privileges to access restricted resources, nor do they have any mechanism to help human testers suspect this state of affairs.
The following are some common tool types that can be useful in identifying business logic issues.
HP Business Process Testing Software
• http://www8.hp.com/us/en/software-solutions/software.html?compURI=1174789#.UObjK3ca7aE
Intercepting Proxy - To observe the request and response blocks of HTTP traffic.
• Webscarab - https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
• Burp Proxy - http://portswigger.net/burp/proxy.html
• Paros Proxy - http://www.parosproxy.org/
Web Browser Plug-ins - To view and modify HTTP/HTTPS headers and POST parameters, and to observe the DOM of the browser.
• Tamper Data (for Firefox) - https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
• TamperIE (for Internet Explorer) - http://www.bayden.com/tamperie/
• Firebug (for Firefox) - https://addons.mozilla.org/en-us/firefox/addon/firebug/ and http://getfirebug.com/
Miscellaneous Test Tools
• Web Developer toolbar - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
• HTTP Request Maker - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests.
• Cookie Editor - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies.
• Session Manager - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions and rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e. the opened tabs and windows. Once a session is opened, the browser is restored to that state.
• Cookie Swap - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
Swap My Cookies is a session manager: it manages your cookies, letting you log in to any website with several different accounts. You can log in to Gmail, Yahoo, Hotmail or any other website with all your accounts; to use another account, just swap profile.
• HTTP Response Browser - https://chrome.google.com/webstore/detail/mgekankhbggjkjpcbhacjgflbacnpljm?hl=en-US
Make HTTP requests from your browser and browse the response (HTTP headers and source). Send the HTTP method, headers and body using XMLHttpRequest from your browser, then view the HTTP status, headers and source. Click links in the headers or body to issue new requests. This plug-in formats XML responses and uses Syntax Highlighter (http://alexgorbatchev.com/).
• Firebug Lite for Chrome - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
Firebug Lite is not a substitute for Firebug or Chrome Developer Tools; it is a tool to be used in conjunction with them. Firebug Lite provides the rich visual representation we are used to seeing in Firebug for HTML elements, DOM elements and Box Model shading. It also provides features such as inspecting HTML elements with your mouse and live editing of CSS properties.
References
Whitepapers
• Business Logic Vulnerabilities in Web Applications - http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf
• The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities - NISTIR 7864 - http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf
• Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems, Faisal Nabi - http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf
• Finite State Testing of Graphical User Interfaces, Fevzi Belli - http://www.slideshare.net/Softwarecentral/finitestate-testing-of-graphical-user-interfaces
• Principles and Methods of Testing Finite State Machines - A Survey, David Lee, Mihalis Yannakakis - http://www.cse.ohio-state.edu/~lee/english/pdf/ieee-proceeding-survey.pdf
• Security Issues in Online Games, Jianxin Jeff Yan and Hyun-Jin Choi - http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf
• Securing Virtual Worlds Against Real Attack, Dr. Igor Muttik, McAfee - https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf
• Seven Business Logic Flaws That Put Your Website At Risk, Jeremiah Grossman, Founder and CTO, WhiteHat Security - https://www.whitehatsec.com/resource/whitepapers/business_logic_flaws.html
• Toward Automated Detection of Logic Vulnerabilities in Web Applications, Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna - https://www.usenix.org/legacy/event/sec10/tech/full_papers/Felmetsger.pdf
• 2012 Web Session Intelligence & Security Report: Business Logic Abuse, Dr. Ponemon - http://www.emc.com/collateral/rsa/silvertail/rsa-silver-tail-ponemon-ar.pdf
• 2012 Web Session Intelligence & Security Report: Business Logic Abuse (UK) Edition, Dr. Ponemon - http://buzz.silvertailsystems.com/Ponemon_UK.htm
OWASP Related
• Business Logic Attacks – Bots and Bats, Eldad Chai - http://www.imperva.com/resources/adc/pdfs/AppSecEU09_BusinessLogicAttacks_EldadChai.pdf
• OWASP Detail Misuse Cases - https://www.owasp.org/index.php/Detail_misuse_cases
• How to Prevent Business Flaws Vulnerabilities in Web Applications, Marco Morana - http://www.slideshare.net/marco_morana/issa-louisville-2010morana
Useful Web Sites
• Abuse of Functionality - http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality
• Business logic - http://en.wikipedia.org/wiki/Business_logic
• Business Logic Flaws and Yahoo Games - http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html
• CWE-840: Business Logic Errors - http://cwe.mitre.org/data/definitions/840.html