1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
179 180<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Related Test Cases<br />
Testing for Exposed Session Variables (OTG-SESS-004)<br />
Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)<br />
Testing for Account Enumeration and Guessable User Account<br />
(OTG-IDENT-004)<br />
Tools<br />
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.<br />
php/OWASP_Zed_Attack_Proxy_Project<br />
• ZAP is an easy to use integrated penetration testing tool for finding<br />
vulnerabilities in web applications. It is designed to be used by<br />
people with a wide range of security experience and as such is ideal<br />
for developers and functional testers who are new to penetration<br />
testing. ZAP provides automated scanners as well as a set of tools<br />
that allow you to find security vulnerabilities manually.<br />
References<br />
• Cross Site Request Forgery - Legitimizing Forged Requests<br />
- http://fragilesecurity.blogspot.com/2012/11/cross-site-request-forgery-legitimazing.html<br />
• Debugging features which remain present in the final game -<br />
http://glitchcity.info/wiki/index.php/List_of_video_games_with_<br />
debugging_features#Debugging_features_which_remain_present_in_the_final_game<br />
• Easter egg - http://en.wikipedia.org/wiki/Easter_egg_(media)<br />
• Top 10 Software Easter Eggs - http://lifehacker.com/371083/top-<br />
10-software-easter-eggs<br />
Remediation<br />
The application must be smart enough and designed with business<br />
logic that will prevent attackers from predicting and manipulating<br />
parameters to subvert programmatic or business logic flow, or exploiting<br />
hidden/undocumented functionality such as debugging.<br />
Test integrity checks (OTG-BUSLOGIC-003)<br />
Summary<br />
Many applications are designed to display different fields depending<br />
on the user of situation by leaving some inputs hidden. However, in<br />
many cases it is possible to submit values hidden field values to the<br />
server using a proxy. In these cases the server side controls must be<br />
smart enough to perform relational or server side edits to ensure<br />
that the proper data is allowed to the server based on user and application<br />
specific business logic.<br />
Additionally, the application must not depend on non-editable controls,<br />
drop-down menus or hidden fields for business logic processing<br />
because these fields remain non-editable only in the context of<br />
the browsers. Users may be able to edit their values using proxy<br />
editor tools and try to manipulate business logic. If the application<br />
exposes values related to business rules like quantity, etc. as<br />
non-editable fields it must maintain a copy on the server side and<br />
use the same for business logic processing. Finally, aside application/system<br />
data, log systems must be secured to prevent read,<br />
writing and updating.<br />
Business logic integrity check vulnerabilities is unique in that these<br />
misuse cases are application specific and if users are able to make<br />
changes one should only be able to write or update/edit specific artifacts<br />
at specific times per the business process logic.<br />
The application must be smart enough to check for relational edits<br />
and not allow users to submit information directly to the server that<br />
is not valid, trusted because it came from a non-editable controls or<br />
the user is not authorized to submit through the front end. Additionally,<br />
system artifacts such as logs must be “protected” from unauthorized<br />
read, writing and removal.<br />
Example<br />
Example 1<br />
Imagine an ASP.NET application GUI application that only allows the<br />
admin user to change the password for other users in the system.<br />
The admin user will see the username and password fields to enter<br />
a username and password while other users will not see either field.<br />
However, if a non admin user submits information in the username<br />
and password field through a proxy they may be able to “trick” the<br />
server into believing that the request has come from an admin user<br />
and change password of other users.<br />
Example 2<br />
Most web applications have dropdown lists making it easy for the<br />
user to quickly select their state, month of birth, etc. Suppose a Project<br />
Management application allowed users to login and depending<br />
on their privileges presented them with a drop down list of projects<br />
they have access to. What happens if an attacker finds the name of<br />
another project that they should not have access to and submits<br />
the information via a proxy. Will the application give access to the<br />
project? They should not have access even though they skipped an<br />
authorization business logic check.<br />
Example 3<br />
Suppose the motor vehicle administration system required an employee<br />
initially verify each citizens documentation and information<br />
when they issue an identification or driver’s license. At this point the<br />
business process has created data with a high level of integrity as<br />
the integrity of submitted data is checked by the application. Now<br />
suppose the application is moved to the Internet so employees can<br />
log on for full service or citizens can log on for a reduced self-service<br />
application to update certain information. At this point an attacker<br />
may be able to use an intercepting proxy to add or update data that<br />
they should not have access to and they could destroy the integrity<br />
of the data by stating that the citizen was not married but supplying<br />
data for a spouse’s name. This type of inserting or updating of unverified<br />
data destroys the data integrity and might have been prevented<br />
if the business process logic was followed.<br />
Example 4<br />
Many systems include logging for auditing and troubleshooting purposes.<br />
But, how good/valid is the information in these logs? Can they<br />
be manipulated by attackers either intentionally or accidentially having<br />
their integrity destroyed?<br />
How to Test<br />
Generic Testing Method<br />
• Review the project documentation and use exploratory testing<br />
looking for parts of the application/system (components i.e. For<br />
example, input fields, databases or logs) that move, store or handle<br />
data/information.<br />
• For each identified component determine what type of data/information<br />
is logically acceptable and what types the application/<br />
system should guard against. Also, consider who according to the<br />
business logic is allowed to insert, update and delete data/information<br />
and in each component.<br />
• Attempt to insert, update or edit delete the data/information<br />
values with invalid data/information into each component (i.e. input,<br />
database, or log) by users that .should not be allowed per the<br />
busines logic workflow.<br />
Specific Testing Method 1<br />
• Using a proxy capture and HTTP traffic looking for hidden fields.<br />
• If a hidden field is found see how these fields compare with the<br />
GUI application and start interrogating this value through the proxy<br />
by submitting different data values trying to circumvent the business<br />
process and manipulate values you were not intended to have<br />
access to.<br />
Specific Testing Method 2<br />
• Using a proxy capture and HTTP traffic looking a place to insert<br />
information into areas of the application that are non-editable.<br />
• If it is found see how these fields compare with the GUI application<br />
and start interrogating this value through the proxy by submitting<br />
different data values trying to circumvent the business process and<br />
manipulate values you were not intended to have access to.<br />
Specific Testing Method 3<br />
• List components of the application or system that could be edited,<br />
for example logs or databases.<br />
• For each component identified, try to read, edit or remove its information.<br />
For example log files should be identified and Testers<br />
should try to manipulate the data/information being collected.<br />
Related Test Cases<br />
All Input Validation test cases<br />
Tools<br />
• Various system/application tools such as editors and file manipulation<br />
tools.<br />
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.<br />
php/OWASP_Zed_Attack_Proxy_Project<br />
ZAP is an easy to use integrated penetration testing tool for finding<br />
vulnerabilities in web applications. It is designed to be used by<br />
people with a wide range of security experience and as such is ideal<br />
for developers and functional testers who are new to penetration<br />
testing. ZAP provides automated scanners as well as a set of tools<br />
that allow you to find security vulnerabilities manually.<br />
References<br />
• Implementing Referential Integrity and Shared Business Logic in<br />
a RDB - http://www.agiledata.org/essays/referentialIntegrity.html<br />
• On Rules and Integrity Constraints in Database Systems - http://<br />
www.comp.nus.edu.sg/~lingtw/papers/IST92.teopk.pdf<br />
• Use referential integrity to enforce basic business rules in Oracle<br />
- http://www.techrepublic.com/article/use-referential-integrity-to-enforce-basic-business-rules-in-oracle/<br />
• Maximizing Business Logic Reuse with Reactive Logic - http://<br />
architects.dzone.com/articles/maximizing-business-logic<br />
• Tamper Evidence Logging - http://tamperevident.cs.rice.edu/<br />
Logging.html<br />
Remediation<br />
The application must be smart enough to check for relational edits<br />
and not allow users to submit information directly to the server that<br />
is not valid, trusted because it came from a non-editable controls or<br />
the user is not authorized to submit through the front end. Additionally,<br />
any component that can be edited must have mechanisms in<br />
place to prevent unintentional/intentional writing or updating.<br />
Test for Process Timing<br />
(OTG-BUSLOGIC-004)<br />
Summary<br />
It is possible that attackers can gather information on an application<br />
by monitoring the time it takes to complete a task or give a respond.<br />
Additionally, attackers may be able to manipulate and break<br />
designed business process flows by simply keeping active sessions<br />
open and not submitting their transactions in the “expected” time<br />
frame.<br />
Process timing logic vulnerabilities is unique in that these manual<br />
misuse cases should be created considering execution and transaction<br />
timing that are application/system specific.<br />
Processing timing may give/leak information on what is being<br />
done in the application/system background processes. If an application<br />
allows users to guess what the particulate next outcome<br />
will be by processing time variations, users will be able to adjust<br />
accordingly and change behavior based on the expectation and<br />
“game the system”.<br />
Example<br />
Example 1<br />
Video gambling/slot machines may take longer to process a transaction<br />
just prior to a large payout. This would allow astute gamblers<br />
to gamble minimum amounts until they see the long process time<br />
which would then prompt them to bet the maximum.<br />
Example 2<br />
Many system log on processes ask for the user name and password.<br />
If you look closely you may be able to see that entering an invalid<br />
user name and invalid user password takes more time to return<br />
an error than entering a valid username and invalid user password.<br />
This may allow the attacker to know if they have a valid username<br />
and not need to rely on the GUI message.<br />
Example 3<br />
Most Arenas or travel agencies have ticketing applications that allow<br />
users to purchase tickets and reserve seats. When the user requests<br />
the tickets seats are locked or reserved pending payment. What if an<br />
attacker keeps reserving seats but not checking out? Will the seats<br />
be released, or will no tickets be sold? Some ticket vendors now only