1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
177 178<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
• Defying Logic: Theory, Design, and Implementation of Complex<br />
Systems for Testing Application Logic - http://www.slideshare.<br />
net/RafalLos/defying-logic-business-logic-testing-with-automation<br />
• Prevent application logic attacks with sound app security practices<br />
- http://searchappsecurity.techtarget.com/qna/0,289202,sid92_<br />
gci1213424,00.html?bucket=NEWS&topic=302570<br />
• Real-Life Example of a ‘Business Logic Defect - http://h30501.<br />
www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581<br />
• Software Testing Lifecycle - http://softwaretestingfundamentals.com/software-testing-life-cycle/<br />
• Top 10 Business Logic Attack Vectors Attacking and Exploiting<br />
Business Application Assets and Flaws – Vulnerability Detection<br />
to Fix - http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/<br />
and http://www.ntobjectives.com/<br />
files/Business_Logic_White_Paper.pdf<br />
Books<br />
• The Decision Model: A Business Logic Framework Linking Business<br />
and Technology, By Barbara Von Halle, Larry Goldberg, Published<br />
by CRC Press, ISBN1420082817 (2010)<br />
Test business logic data validation<br />
(OTG-BUSLOGIC-001)<br />
Summary<br />
The application must ensure that only logically valid data can be<br />
entered at the front end as well as directly to the server side of<br />
an application of system. Only verifying data locally may leave<br />
applications vulnerable to server injections through proxies or at<br />
handoffs with other systems. This is different from simply performing<br />
Boundary Value Analysis (BVA) in that it is more difficult<br />
and in most cases cannot be simply verified at the entry point, but<br />
usually requires checking some other system.<br />
For example: An application may ask for your Social Security<br />
Number. In BVA the application should check formats and semantics<br />
(is the value 9 digits long, not negative and not all 0’s)<br />
for the data entered, but there are logic considerations also.<br />
SSNs are grouped and categorized. Is this person on a death file?<br />
Are they from a certain part of the country?<br />
Vulnerabilities related to business data validation is unique in that<br />
they are application specific and different from the vulnerabilities<br />
related to forging requests in that they are more concerned about<br />
logical data as opposed to simply breaking the business logic<br />
workflow.<br />
The front end and the back end of the application should be verifying<br />
and validating that the data it has, is using and is passing<br />
along is logically valid. Even if the user provides valid data to an<br />
application the business logic may make the application behave<br />
differently depending on data or circumstances.<br />
Examples<br />
Example 1<br />
Suppose you manage a multi-tiered e-commerce site that allows<br />
users to order carpet. The user selects their carpet, enters<br />
the size, makes the payment, and the front end application<br />
has verified that all entered information is correct and<br />
valid for contact information, size, make and color of the carpet.<br />
But, the business logic in the background has two paths, if<br />
the carpet is in stock it is directly shipped from your warehouse,<br />
but if it is out of stock in your warehouse a call is made<br />
to a partner’s system and if they have it in-stock they will<br />
ship the order from their warehouse and reimbursed by them.<br />
What happens if an attacker is able to continue a valid in-stock<br />
transaction and send it as out-of-stock to your partner? What happens<br />
if an attacker is able to get in the middle and send messages<br />
to the partner warehouse ordering carpet without payment?<br />
Example 2<br />
Many credit card systems are now downloading account balances<br />
nightly so the customers can check out more quickly for amounts<br />
under a certain value. The inverse is also true. I<br />
f I pay my credit card off in the morning I may not be able to use the<br />
available credit in the evening. Another example may be if I use my<br />
credit card at multiple locations very quickly it may be possible to<br />
exceed my limit if the systems are basing decisions on last night’s<br />
data.<br />
How to Test<br />
Generic Test Method<br />
• Review the project documentation and use exploratory testing<br />
looking for data entry points or hand off points between systems<br />
or software.<br />
• Once found try to insert logically invalid data into the application/<br />
system.<br />
Specific Testing Method:<br />
• Perform front-end GUI Functional Valid testing on the application<br />
to ensure that the only “valid” values are accepted.<br />
• Using an intercepting proxy observe the HTTP POST/GET looking<br />
for places that variables such as cost and quality are passed.<br />
Specifically, look for “hand-offs” between application/systems<br />
that may be possible injection of tamper points.<br />
• Once variables are found start interrogating the field with logically<br />
“invalid” data, such as social security numbers or unique<br />
identifiers that do not exist or that do not fit the business logic.<br />
This testing verifies that the server functions properly and does<br />
not accept logically invalid data them.<br />
Related Test Cases<br />
• All Input Validation test cases<br />
• Testing for Account Enumeration and Guessable User Account<br />
(OTG-IDENT-004)<br />
• Testing for Bypassing Session Management Schema (OTG-<br />
SESS-001)<br />
• Testing for Exposed Session Variables (OTG-SESS-004)<br />
Tools<br />
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.<br />
php/OWASP_Zed_Attack_Proxy_Project<br />
• ZAP is an easy to use integrated penetration testing tool for<br />
finding vulnerabilities in web applications. It is designed to be used<br />
by people with a wide range of security experience and as such is<br />
ideal for developers and functional testers who are new to penetration<br />
testing. ZAP provides automated scanners as well as a<br />
set of tools that allow you to find security vulnerabilities manually.<br />
References<br />
Beginning Microsoft Visual Studio LightSwitch Development<br />
- http://books.google.com/books?id=x76L_kaTgdEC&pg=PA280&lpg=PA280&dq=business+logic+example+valid+data+example&source=bl&ots=GOfQ-7f4Hu&sig=4jOejZVlig-<br />
ZOrvjBFRAT4-jy8DI&hl=en&sa=X&ei=mydYUt6qEOX54A-<br />
Pu7IDgCQ&ved=0CFIQ6AEwBDgK#v=onepage&q=business%20<br />
logic%20example%20valid%20data%20example&f=false<br />
Remediation<br />
The application/system must ensure that only “logically valid”<br />
data is accepted at all input and hand off points of the application<br />
or system and data is not simply trusted once it has entered the<br />
system.<br />
Test Ability to forge requests<br />
(OTG-BUSLOGIC-002)<br />
Summary<br />
Forging requests is a method that attackers use to circumvent the<br />
front end GUI application to directly submit information for back<br />
end processing. The goal of the attacker is to send HTTP POST/<br />
GET requests through an intercepting proxy with data values that<br />
is not supported, guarded against or expected by the applications<br />
business logic. Some examples of forged requests include exploiting<br />
guessable or predictable parameters or expose “hidden” features<br />
and functionality such as enabling debugging or presenting<br />
special screens or windows that are very useful during development<br />
but may leak information or bypass the business logic.<br />
Vulnerabilities related to the ability to forge requests is unique to<br />
each application and different from business logic data validation<br />
in that it s focus is on breaking the business logic workflow.<br />
Applications should have logic checks in place to prevent the system<br />
from accepting forged requests that may allow attackers the<br />
opportunity to exploit the business logic, process, or flow of the<br />
application. Request forgery is nothing new; the attacker uses an<br />
intercepting proxy to send HTTP POST/GET requests to the application.<br />
Through request forgeries attackers may be able to circumvent<br />
the business logic or process by finding, predicting and<br />
manipulating parameters to make the application think a process<br />
or task has or has not taken place.<br />
Also, forged requests may allow subvention of programmatic or<br />
business logic flow by invoking “hidden” features or functionality<br />
such as debugging initially used by developers and testers<br />
sometimes referred to as an ”Easter egg”. “An Easter egg is an<br />
intentional inside joke, hidden message, or feature in a work such<br />
as a computer program, movie, book, or crossword. According to<br />
game designer Warren Robinett, the term was coined at Atari by<br />
personnel who were alerted to the presence of a secret message<br />
which had been hidden by Robinett in his already widely distributed<br />
game, Adventure. The name has been said to evoke the idea of<br />
a traditional Easter egg hunt.” http://en.wikipedia.org/wiki/Easter_egg_(media)<br />
Examples<br />
Example 1<br />
Suppose an e-commerce theater site allows users to select their<br />
ticket, apply a onetime 10% Senior discount on the entire sale,<br />
view the subtotal and tender the sale. If an attacker is able to see<br />
through a proxy that the application has a hidden field (of 1 or 0)<br />
used by the business logic to determine if a discount has been taken<br />
or not. The attacker is then able to submit the 1 or “no discount<br />
has been taken” value multiple times to take advantage of the<br />
same discount multiple times.<br />
Example 2<br />
Suppose an online video game pays out tokens for points scored<br />
for finding pirates treasure and pirates and for each level completed.<br />
These tokens can later be that can later be exchanged for prizes.<br />
Additionally each level’s points have a multiplier value equal<br />
to the level. If an attacker was able to see through a proxy that<br />
the application has a hidden field used during development and<br />
testing to quickly get to the highest levels of the game they could<br />
quickly get to the highest levels and accumulate unearned points<br />
quickly.<br />
Also, if an attacker was able to see through a proxy that the application<br />
has a hidden field used during development and testing to<br />
enabled a log that indicated where other online players, or hidden<br />
treasure were in relation to the attacker, they would then be able<br />
to quickly go to these locations and score points.<br />
How to Test<br />
Generic Testing Method<br />
• Review the project documentation and use exploratory testing<br />
looking for guessable, predictable or hidden functionality of fields.<br />
• Once found try to insert logically valid data into the application/<br />
system allowing the user go through the application/system<br />
against the normal busineess logic workflow.<br />
Specific Testing Method 1<br />
• Using an intercepting proxy observe the HTTP POST/GET looking<br />
for some indication that values are incrementing at a regular interval<br />
or are easily guessable.<br />
• If it is found that some value is guessable this value may be<br />
changed and one may gain unexpected visibility.<br />
Specific Testing Method 2<br />
• Using an intercepting proxy observe the HTTP POST/GET looking<br />
for some indication of hidden features such as debug that can be<br />
switched on or activated.<br />
• If any are found try to guess and change these values to get a<br />
different application response or behavior.