Trustwave Application Penetration Test Digitaltransactions-080815

More documents

Recommendations

Info

CONFIDENTIAL INFORMATION – FOR INTERNAL USE ONLY Trustwave 3.1 Information Gathering Application Penetration Test Before performing active testing, Trustwave gathered information about the manner in which the various elements of the application operate. Manual investigation and automated tools were used to traverse the entire application in order to document all distinct inputs and processes. Trustwave used automated tools to make a local copy of the Digital Transactions webpages and investigated them in detail. Working with local copies of the HTML, the Trustwave team mapped the application’s attack surface by determining how various application elements are called as well as the parameters and data types passed to the application elements. All HTTP queries that accepted clientsupplied data were deemed a distinct element of the application. The application was then investigated online to better understand how elements worked together and to discover any elements that may have been missed during the HTML review. 3.2 Application Investigation After gaining a basic understanding of the application environment, Trustwave manually probed the various application elements identified, as described within the Information Gathering section of this methodology. Test data for each parameter was supplied and traced throughout the application. Data flows and application-interdependencies were discovered. Client-side scripting was traced manually. 3.2.1 Site Overview The Digital Transactions application is a ColdFusion application that does not require authentication. The site consists of online articles for “Digital Transactions” magazine related information technology and it’s effect on business and consumers. The site also provides research documents on consumer electronic transactions in PDF format as a product. The application itself is Internet-accessible. 3.2.2 Data Handling and Request Processing The Trustwave team reviewed the application for generic vulnerabilities which occur in a wide variety of applications. These issues are generally due to incorrect or unsafe handling of clientsupplied data. To that end, attempts were made to disrupt the process-flow and induce the application to behave in unexpected, anomalous, or dangerous ways by supplying specific and hazardous data. This includes data containing characters that could either redirect program flow or force errors. The majority of web-based application vulnerabilities fall into the general category of “improper meta-character handling”. This category includes such issues as SQL Injection, Shell-Escape Command Execution and Cross-Site Scripting (XSS). The essential issue underlying all metacharacter vulnerabilities is a failure on the applications part to correctly filter and interpret - 10 - Copyright © 2008 Trustwave. All Rights Reserved. CONFIDENTIAL INFORMATION – FOR INTERNAL USE ONLY
CONFIDENTIAL INFORMATION – FOR INTERNAL USE ONLY Trustwave Application Penetration Test unexpected characters. These characters are sometimes referred to as “special” characters. Different shells, applications, command processors and languages respond in different but predictable ways to specific combinations of characters. If an application does not properly sanitize client input, a malicious user may, among other actions, be able to access or modify protected or privileged data, execute arbitrary code on a server, or induce a legitimate user to execute code on the attacker’s behalf. In testing for meta-character sanitization, Trustwave supplied data with specific characters and interpreted server responses. Meta-characters that have meaning to a wide variety of applications were tested; some of these characters are likely benign in the Boland Hills application infrastructure. Since application infrastructure changes cannot be accurately predicted, Trustwave feels that the best approach is to protect against all meta-characters, not just those known to the current environment. An analysis of each category can be found below. Session Management (Analysis of session state, cookies, session theft) Input Validation (This attack tree is predicated on poor application input validation) Parameter Tampering (These attacks deal primarily with data theft, and escalation of privileges - there is overlap with Input Validation attacks) Programmatic Errors (These attacks are launched against the application engine and application server themselves. They deal with “universal” weaknesses in the architecture that manifest themselves in the application flow.) Cookie Predictability, Cookie Manipulation, Cookie Analysis, Session Theft, Session Fixation, Session Trapping, Ability to Sniff Application Traffic, Potential for Man in the Middle, Potential for phishing, Eavesdropping, Cross-Site Request Forgery, and others. Cross-Site Scripting (XSS), Alternate XSS Syntax, Blind SQL Injection, Blind XPath Injection, Command Injection, Handling of Meta-Characters, HTTP Response Splitting, Application Interpreter Injection, SQL Injection, Server-Side Includes (SSI) Injection, Encoding Types Supported, and others. Type Conversion Errors, Argument Injection or Modification, Code/Command Injection, Application Common Elements, Direct Dynamic Code Evaluation, HTTP Request Smuggling, HTTP Response Splitting, XML Injection, and others. Directory/Path Traversal, Attacks Against Application Error Pages, Buffer Overflows, Format String, Forceful Browsing, Integer Overflows/Underflows, Log Forging, and others. Table 4 - Application Attack Classes - 11 - Copyright © 2008 Trustwave. All Rights Reserved. CONFIDENTIAL INFORMATION – FOR INTERNAL USE ONLY
Page 1 and 2: Boland Hills Application Penetratio
Page 3 and 4: CONFIDENTIAL INFORMATION - FOR INTE
Page 9: CONFIDENTIAL INFORMATION - FOR INTE

Trustwave Application Penetration Test Digitaltransactions-080815

Create successful ePaper yourself

Delete template?

Save as template?