1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
181 182<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
allow users 5 minutes to complete a transaction or the transaction<br />
is invalidated.<br />
Example 4<br />
Suppose a precious metals e-commerce site allows users to make<br />
purchases with a price quote based on market price at the time they<br />
log on. What if an attacker logs on and places an order but does not<br />
complete the transaction until later in the day only of the price of the<br />
metals goes up? Will the attacker get the initial lower price?<br />
How to Test<br />
• Review the project documentation and use exploratory testing<br />
looking for application/system functionality that may be impacted<br />
by time. Such as execution time or actions that help users predict<br />
a future outcome or allow one to circumvent any part of the business<br />
logic or workflow. For example, not completing transactions<br />
in an expected time.<br />
• Develop and execute the mis-use cases ensuring that attackers<br />
can not gain an advantage based on any timing.<br />
Related Test Cases<br />
• Testing for Cookies attributes (OTG-SESS-002)<br />
• Test Session Timeout (OTG-SESS-007)<br />
References<br />
None<br />
Remediation<br />
Develop applications with processing time in mind. If attackers<br />
could possibly gain some type of advantage from knowing the different<br />
processing times and results add extra steps or processing<br />
so that no matter the results they are provided in the same time<br />
frame.<br />
Additionally, the application/system must have mechanism in<br />
place to not allow attackers to extend transactions over an “acceptable”<br />
amount of time. This may be done by cancelling or resetting<br />
transactions after a specified amount of time has passed like<br />
some ticket vendors are now using.<br />
Test number of times a function can be used<br />
limits (OTG-BUSLOGIC-005)<br />
Summary<br />
Many of the problems that applications are solving require limits<br />
to the number of times a function can be used or action can be executed.<br />
Applications must be “smart enough” to not allow the user<br />
to exceed their limit on the use of these functions since in many<br />
cases each time the function is used the user may gain some type<br />
of benefit that must be accounted for to properly compensate the<br />
owner. For example: an eCommerce site may only allow a users<br />
apply a discount once per transaction, or some applications may<br />
be on a subscription plan and only allow users to download three<br />
complete documents monthly.<br />
Vulnerabilities related to testing for the function limits are application<br />
specific and misuse cases must be created that strive to<br />
exercise parts of the application/functions/ or actions more than<br />
the allowable number of times.<br />
Attackers may be able to circumvent the business logic and execute<br />
a function more times than “allowable” exploiting the application for<br />
personal gain.<br />
Example<br />
Suppose an eCommerce site allows users to take advantage of any<br />
one of many discounts on their total purchase and then proceed to<br />
checkout and tendering. What happens of the attacker navigates<br />
back to the discounts page after taking and applying the one “allowable”<br />
discount? Can they take advantage of another discount? Can<br />
they take advantage of the same discount multiple times?<br />
How to Test<br />
• Review the project documentation and use exploratory testing<br />
looking for functions or features in the application or system that<br />
should not be executed more that a single time or specified number<br />
of times during the business logic workflow.<br />
• For each of the functions and features found that should only<br />
be executed a single time or specified number of times during the<br />
business logic workflow, develop abuse/misuse cases that may<br />
allow a user to execute more than the allowable number of times.<br />
For example, can a user navigate back and forth through the pages<br />
multiple times executing a function that should only execute once?<br />
or can a user load and unload shopping carts allowing for additional<br />
discounts.<br />
Related Test Cases<br />
• Testing for Account Enumeration and Guessable User Account<br />
(OTG-IDENT-004)<br />
• Testing for Weak lock out mechanism (OTG-AUTHN-003)<br />
References<br />
• InfoPath Forms Services business logic exceeded the maximum<br />
limit of operations Rule - http://mpwiki.viacode.com/default.aspx-<br />
?g=posts&t=115678<br />
• Gold Trading Was Temporarily Halted On The CME This Morning<br />
- http://www.businessinsider.com/gold-halted-on-cme-for-stoplogic-event-2013-10<br />
Remediation<br />
The application should have checks to ensure that the business logic<br />
is being followed and that if a function/action can only be executed<br />
a certain number of times, when the limit is reached the user can<br />
no longer execute the function. To prevent users from using a function<br />
over the appropriate number of times the application may use<br />
mechanisms such as cookies to keep count or through sessions not<br />
allowing users to access to execute the function additional times.<br />
Testing for the Circumvention of Work Flows<br />
(OTG-BUSLOGIC-006)<br />
Summary<br />
Workflow vulnerabilities involve any type of vulnerability that allows<br />
the attacker to misuse an application/system in a way that will allow<br />
them to circumvent (not follow) the designed/intended workflow.<br />
“A workflow consists of a sequence of connected steps where each<br />
step follows without delay or gap and ends just before the subsequent<br />
step may begin. It is a depiction of a sequence of operations,<br />
declared as work of a person or group, an organization of staff, or<br />
one or more simple or complex mechanisms. Workflow may be seen<br />
as any abstraction of real work.” (https://en.wikipedia.org/wiki/<br />
Workflow)<br />
The application’s business logic must require that the user complete<br />
specific steps in the correct/specific order and if the workflow is<br />
terminated without correctly completing, all actions and spawned<br />
actions are “rolled back” or canceled. Vulnerabilities related to the<br />
circumvention of workflows or bypassing the correct business logic<br />
workflow are unique in that they are very application/system specific<br />
and careful manual misuse cases must be developed using requirements<br />
and use cases.<br />
The applications business process must have checks to ensure that<br />
the user’s transactions/actions are proceeding in the correct/acceptable<br />
order and if a transaction triggers some sort of action, that<br />
action will be “rolled back” and removed if the transaction is not successfully<br />
completed.<br />
Examples<br />
Example 1<br />
Many of us receive so type of “club/loyalty points” for purchases<br />
from grocery stores and gas stations. Suppose a user was able to<br />
start a transaction linked to their account and then after points have<br />
been added to their club/loyalty account cancel out of the transaction<br />
or remove items from their “basket” and tender. In this case the<br />
system either should not apply points/credits to the account until<br />
it is tendered or points/credits should be “rolled back” if the point/<br />
credit increment does not match the final tender. With this in mind,<br />
an attacker may start transactions and cancel them to build their<br />
point levels without actually buy anything.<br />
Example 2<br />
An electronic bulletin board system may be designed to ensure that<br />
initial posts do not contain profanity based on a list that the post is<br />
compared against. If a word on a “black” the list is found in the user<br />
entered text the submission is not posted. But, once a submission is<br />
posted the submitter can access, edit, and change the submission<br />
contents to include words included on the profanity/black list since<br />
on edit the posting is never compared again. Keeping this in mind,<br />
attackers may open an initial blank or minimal discussion then add in<br />
whatever they like as an update.<br />
How to Test<br />
Generic Testing Method<br />
• Review the project documentation and use exploratory testing<br />
looking for methods to skip or go to steps in the application process<br />
in a different order from the designed/intended business logic flow.<br />
• For each method develop a misuse case and try to circumvent or<br />
perform an action that is “not acceptable” per the the business logic<br />
workflow.<br />
Testing Method 1<br />
• Start a transaction going through the application past the points<br />
that triggers credits/points to the users account.<br />
• Cancel out of the transaction or reduce the final tender so that the<br />
point values should be decreased and check the points/ credit system<br />
to ensure that the proper points/credits were recorded.<br />
Testing Method 2<br />
• On a content management or bulletin board system enter and save<br />
valid initial text or values.<br />
• Then try to append, edit and remove data that would leave the existing<br />
data in an invalid state or with invalid values to ensure that the<br />
user is not allowed to save the incorrect information. Some “invalid”<br />
data or information may be specific words (profanity) or specific topics<br />
(such as political issues).<br />
Related Test Cases<br />
• Testing Directory traversal/file include (OTG-AUTHZ-001)<br />
• Testing for bypassing authorization schema (OTG-AUTHZ-002)<br />
• Testing for Bypassing Session Management Schema (OTG-<br />
SESS-001)<br />
• Test Business Logic Data Validation (OTG-BUSLOGIC-001)<br />
• Test Ability to Forge Requests (OTG-BUSLOGIC-002)<br />
• Test Integrity Checks (OTG-BUSLOGIC-003)<br />
• Test for Process Timing (OTG-BUSLOGIC-004)<br />
• Test Number of Times a Function Can be Used Limits (OTG-BUS-<br />
LOGIC-005)<br />
• Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)<br />
• Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)<br />
• Test Upload of Malicious Files (OTG-BUSLOGIC-009)<br />
References<br />
• OWASP Detail Misuse Cases - https://www.owasp.org/index.php/<br />
Detail_misuse_cases<br />
• Real-Life Example of a ‘Business Logic Defect - http://h30501.<br />
www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581<br />
• Top 10 Business Logic Attack Vectors Attacking and Exploiting<br />
Business Application Assets and Flaws – Vulnerability Detection to<br />
Fix - http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/<br />
and http://www.ntobjectives.com/files/Business_Logic_White_Paper.pdf<br />
• CWE-840: Business Logic Errors - http://cwe.mitre.org/data/definitions/840.html<br />
Remediation<br />
The application must be self-aware and have checks in place ensuring<br />
that the users complete each step in the work flow process in the<br />
correct order and prevent attackers from circumventing/skipping/or<br />
repeating any steps/processes in the workflow. Test for workflow<br />
vulnerabilities involves developing business logic abuse/misuse cas-