1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
185 186<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Example<br />
Suppose a picture sharing application allows users to upload their .gif<br />
or .jpg graphic files to the web site. What if an attacker is able to upload<br />
a PHP shell, or exe file, or virus? The attacker may then upload<br />
the file that may be saved on the system and the virus may spread itself<br />
or through remote processes exes or shell code can be executed.<br />
How to Test<br />
Generic Testing Method<br />
• Review the project documentation and use exploratory testing<br />
looking at the application/system to identify what constitutes and<br />
“malicious” file in your environment.<br />
• Develop or acquire a known “malicious” file.<br />
• Try to upload the malicious file to the application/system and verify<br />
that it is correctly rejected.<br />
• If multiple files can be uploaded at once, there must be tests in<br />
place to verify that each file is properly evaluated.<br />
Specific Testing Method 1<br />
• Using the Metasploit payload generation functionality generates a<br />
shellcode as a Windows executable using the Metasploit “msfpayload”<br />
command.<br />
• Submit the executable via the application’s upload functionality<br />
and see if it is accepted or properly rejected.<br />
Specific Testing Method 2<br />
• Develop or create a file that should fail the application malware<br />
detection process. There are many available on the Internet such as<br />
ducklin.htm or ducklin-html.htm.<br />
• Submit the executable via the application’s upload functionality<br />
and see if it is accepted or properly rejected.<br />
Specific Testing Method 3<br />
• Set up the intercepting proxy to capture the “valid” request for an<br />
accepted file.<br />
• Send an “invalid” request through with a valid/acceptable file extension<br />
and see if the request is accepted or properly rejected.<br />
Related Test Cases<br />
• Test File Extensions Handling for Sensitive Information (OTG-CON-<br />
FIG-003)<br />
• Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)<br />
Tools<br />
• Metasploit’s payload generation functionality<br />
• Intercepting proxy<br />
References<br />
• OWASP - Unrestricted File Upload - https://www.owasp.org/index.php/Unrestricted_File_Upload<br />
• Why File Upload Forms are a Major Security Threat - http://<br />
www.acunetix.com/websitesecurity/upload-forms-threat/<br />
• File upload security best practices: Block a malicious file upload<br />
- http://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload<br />
• Overview of Malicious File Upload Attacks - http://securitymecca.com/article/overview-of-malicious-file-upload-attacks/<br />
• Stop people uploading malicious PHP files via forms - http://<br />
stackoverflow.com/questions/602539/stop-people-uploadingmalicious-php-files-via-forms<br />
• How to Tell if a File is Malicious - http://www.techsupportalert.<br />
com/content/how-tell-if-file-malicious.htm<br />
• CWE-434: Unrestricted Upload of File with Dangerous Type -<br />
http://cwe.mitre.org/data/definitions/434.html<br />
• Implementing Secure File Upload - http://infosecauditor.wordpress.com/tag/malicious-file-upload/<br />
• Watchful File Upload - http://palizine.plynt.com/issues/2011Apr/file-upload/<br />
• Matasploit Generating Payloads - http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads<br />
• Project Shellcode – Shellcode Tutorial 9: Generating Shellcode<br />
Using Metasploit http://www.projectshellcode.com/?q=node/29<br />
• Anti-Malware Test file - http://www.eicar.org/86-0-Intendeduse.html<br />
Remediation<br />
While safeguards such as black or white listing of file extensions,<br />
using “Content-Type” from the header, or using a file type recognizer<br />
may not always be protections against this type of vulnerability.<br />
Every application that accepts files from users must have a<br />
mechanism to verify that the uploaded file does not contain malicious<br />
code. Uploaded files should never be stored where the users<br />
or attackers can directly access them.<br />
Client-Side Testing<br />
Client-Side testing is concerned with the execution of code on the<br />
client, typically natively within a web browser or browser plugin.<br />
The execution of code on the client-side is distinct from executing<br />
on the server and returning the subsequent content.<br />
Testing for DOM-based Cross site scripting<br />
(OTG-CLIENT-001)<br />
Summary<br />
DOM-based Cross-Site Scripting is the de-facto name for XSS<br />
bugs which are the result of active browser-side content on a<br />
page, typically JavaScript, obtaining user input and then doing<br />
something unsafe with it which leads to execution of injected<br />
code. This document only discusses JavaScript bugs which lead<br />
to XSS.<br />
The DOM, or Document Object Model, is the structural format<br />
used to represent documents in a browser. The DOM enables dynamic<br />
scripts such as JavaScript to reference components of the<br />
document such as a form field or a session cookie. The DOM is also<br />
used by the browser for security - for example to limit scripts on<br />
different domains from obtaining session cookies for other domains.<br />
A DOM-based XSS vulnerability may occur when active<br />
content, such as a JavaScript function, is modified by a specially<br />
crafted request such that a DOM element that can be controlled<br />
by an attacker.<br />
There have been very few papers published on this topic and, as<br />
such, very little standardization of its meaning and formalized<br />
testing exists.<br />
How to Test<br />
Not all XSS bugs require the attacker to control the content returned<br />
from the server, but can instead abuse poor JavaScript<br />
coding practices to achieve the same results. The consequences<br />
are the same as a typical XSS flaw, only the means of delivery is<br />
different.<br />
In comparison to other cross site scripting vulnerabilities (reflected<br />
and stored XSS), where an unsanitized parameter is passed<br />
by the server, returned to the user and executed in the context of<br />
the user’s browser, a DOM-based XSS vulnerability controls the<br />
flow of the code by using elements of the Document Object Model<br />
(DOM) along with code crafted by the attacker to change the flow.<br />
Due to their nature, DOM-based XSS vulnerabilities can be executed<br />
in many instances without the server being able to determine<br />
what is actually being executed. This may make many of the<br />
general XSS filtering and detection techniques impotent to such<br />
attacks.<br />
<br />
document.write(“Site is at: “ + document.location.href + “.”);<br />
<br />
The first hypothetical example uses the following client side code:<br />
An attacker may append #alert(‘xss’) to the affected<br />
page URL which would, when executed, display the alert<br />
box. In this instance, the appended code would not be sent to the<br />
server as everything after the # character is not treated as part<br />
of the query by the browser but as a fragment. In this example,<br />
the code is immediately executed and an alert of “xss” is displayed<br />
by the page. Unlike the more common types of cross site scripting<br />
(Stored and Reflected) in which the code is sent to the server<br />
and then back to the browser, this is executed directly in the user’s<br />
browser without server contact.<br />
The consequences of DOM-based XSS flaws are as wide ranging<br />
as those seen in more well known forms of XSS, including cookie<br />
retrieval, further malicious script injection, etc. and should therefore<br />
be treated with the same severity.<br />
Black Box testing<br />
Blackbox testing for DOM-Based XSS is not usually performed<br />
since access to the source code is always available as it needs to<br />
be sent to the client to be executed.<br />
Gray Box testing<br />
Testing for DOM-Based XSS vulnerabilities:<br />
JavaScript applications differ significantly from other types of<br />
applications because they are often dynamically generated by<br />
the server, and to understand what code is being executed, the<br />
website being tested needs to be crawled to determine all the<br />
instances of JavaScript being executed and where user input<br />
is accepted. Many websites rely on large libraries of functions,<br />
which often stretch into the hundreds of thousands of lines of<br />
code and have not been developed in-house. In these cases,<br />
top-down testing often becomes the only really viable option,<br />
since many bottom level functions are never used, and analyzing<br />
them to determine which are sinks will use up more time than is<br />
often available. The same can also be said for top-down testing<br />
if the inputs or lack thereof is not identified to begin with.<br />
User input comes in two main forms:<br />
• Input written to the page by the server in a way that does not<br />
allow direct XSS<br />
• Input obtained from client-side JavaScript objects<br />
Here are two examples of how the server may insert data into<br />
JavaScript:<br />
var data = “”;<br />
var result = someFunction(“”);<br />
And here are two examples of input from client-side JavaScript<br />
objects:<br />
var data = window.location;<br />
var result = someFunction(window.referer);<br />
While there is little difference to the JavaScript code in how they<br />
are retrieved, it is important to note that when input is received<br />
via the server, the server can apply any permutations to the data<br />
that it desires, whereas the permutations performed by JavaScript<br />
objects are fairly well understood and documented, and<br />
so if someFunction in the above example were a sink, then the<br />
exploitability of the former would depend on the filtering done<br />
by the server, whereas the latter would depend on the encoding<br />
done by the browser on the window.referer object.<br />
Stefano Di Paulo has written an excellent article on what browsers<br />
return when asked for the various elements of a URL using<br />
the document. and location. attributes.<br />
Additionally, JavaScript is often executed outside of <br />
blocks, as evidenced by the many vectors which have led to XSS<br />
filter bypasses in the past, and so, when crawling the application,<br />
it is important to note the use of scripts in places such as<br />
event handlers and CSS blocks with expression attributes.<br />
Also, note that any off-site CSS or script objects will need to be<br />
assessed to determine what code is being executed.