
Web security testing using Burp and Firebug STC 2012 - QAI


Web security testing using Burp
Set up the Browser
The Burp Suite proxy will use port 8080 by default. Picture shows the set up of the Firefox browser wherein the request/response process is routed through port 8080 on localhost.
ETT | 12/10/2012 | © Robert Bosch Engineering and Business Solutions Limited 2012. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.


Proxy
Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application. From the proxy, requests can be sent to other Burp tools for further analysis using the Action button.


Intruder
Burp Intruder is a tool for automating customized attacks against web applications.


Intruder – Attack types
Sniper: This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
Battering Ram: This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. The total number of requests generated in the attack is the number of payloads in the payload set.


Intruder – Attack types (ctd.)
Pitchfork: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. The total number of requests generated by the attack is the number of payloads in the smallest payload set.
Cluster Bomb: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets; this may be extremely large.
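As an added illustration (not part of the deck), the following Python model builds the request list each attack type would produce from a marked template, so a tester can predict request volume before a run and a defender can recognise the shape of each mode in server logs. The template, the § marker and the payload lists are constructed for the example; nothing is sent anywhere.

```python
from itertools import product

# Constructed request template; each "§" marks a payload position, like
# Burp's §-delimited positions. Nothing here sends traffic.
MARK = "§"
TEMPLATE = "username=§&password=§"

def fill(template, values, mark=MARK):
    """Substitute one value per marked position, left to right."""
    parts = template.split(mark)
    if len(parts) - 1 != len(values):
        raise ValueError("one value per position required")
    out = parts[0]
    for value, rest in zip(values, parts[1:]):
        out += value + rest
    return out

def generate(mode, template, payload_sets, mark=MARK):
    """Yield the requests an Intruder run would build for the given mode.

    payload_sets is one payload list per position; sniper and battering ram
    use only the first list, as in Burp.
    """
    n = template.count(mark)
    if mode == "sniper":            # positions x payloads requests
        for pos in range(n):
            for payload in payload_sets[0]:
                values = [""] * n   # other positions left untouched
                values[pos] = payload
                yield fill(template, values, mark)
    elif mode == "battering_ram":   # one request per payload
        for payload in payload_sets[0]:
            yield fill(template, [payload] * n, mark)
    elif mode == "pitchfork":       # lockstep: size of the smallest set
        for combo in zip(*payload_sets[:n]):
            yield fill(template, list(combo), mark)
    elif mode == "cluster_bomb":    # every combination: product of sizes
        for combo in product(*payload_sets[:n]):
            yield fill(template, list(combo), mark)
    else:
        raise ValueError(f"unknown mode {mode!r}")

def request_count(mode, template, payload_sets):
    """Number of requests the mode would issue, matching the deck's formulas."""
    return sum(1 for _ in generate(mode, template, payload_sets))

if __name__ == "__main__":
    sets = [["admin", "guest", "bob"], ["pass", "1234"]]   # constructed
    for mode in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(f"{mode:14} {request_count(mode, TEMPLATE, sets)} requests")
```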


Intruder – Select payload
Payload sets:
1. Preset list
2. Runtime file
3. Custom iterator
4. Character substitution
5. Case substitution
6. Recursive grep
7. Illegal Unicode
8. Character blocks
9. Numbers
10. Dates
11. Brute forcer
12. Null payloads


Intruder – Execution and Results
After execution is over, a separate window is opened which shows each test, the payload used, the status code, the length and, in our case, the tests which match our XPATH pattern-match word.


Repeater
It is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses. It is best used in conjunction with the other Burp Suite tools. For example, we can send a request from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.


Repeater (ctd.)
In the Repeater tool we can modify the request however we want and click on the "go" button. The response will be shown in the bottom pane. The error message we received in the response shown above was:
Incorrect username: Invalid XPath expression: //users/user[username=''']/password Expected: ]


Repeater (ctd.)
When we use the Repeater to submit a request where the username value is ' or '1'='1 we get a different error. The error tells us the password (blank in the request) we submitted was incorrect. The XPATH query will now look something like this:
//users/user[username=' ' or '1' ='1']/password
Since we know the user name now, we can brute force the password using Intruder.
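The two error messages above come from the username being concatenated straight into the XPath expression. As an added example (not code from the deck or the tested application), the vulnerable query builder is shown next to a hardened one that encloses the value as an XPath string literal; the user store, the usernames and the passwords are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed user store standing in for the application's XML back end.
SAMPLE_XML = """<users>
  <user><username>admin</username><password>s3cret</password></user>
  <user><username>bob</username><password>hunter2</password></user>
</users>"""

def vulnerable_query(username):
    """The deck's query built by string concatenation: a quote in the
    username closes the literal and the rest is parsed as XPath syntax."""
    return f"//users/user[username='{username}']/password"

def xpath_literal(value):
    """Render value as an XPath 1.0 string literal that cannot end early:
    use the quote kind the value lacks, or build it with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"

def safe_query(username):
    """Same lookup with the username enclosed as a literal, so ' or '1'='1
    is compared as text instead of becoming a second predicate."""
    return f"//users/user[username={xpath_literal(username)}]/password"

def lookup_password(xml_text, username):
    """Evaluate the safe form with the standard library. ElementTree needs a
    relative path and has no concat(); a full XPath engine such as lxml
    accepts safe_query() unchanged."""
    root = ET.fromstring(xml_text)
    literal = xpath_literal(username)
    if literal.startswith("concat("):
        raise ValueError("ElementTree cannot evaluate concat(); use lxml")
    hits = root.findall(f"./user[username={literal}]/password")
    return hits[0].text if hits else None

if __name__ == "__main__":
    print(vulnerable_query("' or '1'='1"))   # predicate now always true
    print(safe_query("' or '1'='1"))         # still a single string literal
    print(lookup_password(SAMPLE_XML, "' or '1'='1"))  # None: no such user
```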


Comparer
It is a simple tool for performing a comparison between any two items of data. In the context of attacking a web application, this requirement will typically arise when we want to quickly identify the differences between two application responses or between two application requests.


Comparer (ctd.)
We can select two responses and click on one of the two compare types.
Words: This comparison tokenizes each item based on whitespace delimiters, and identifies the token-level edits required to transform the first item into the second.
Bytes: This comparison identifies the byte-level edits required to transform the first item into the second.


Potential issues uncovered in security testing:
At the application level there is a restriction that a field may not take more than 32 characters, but when we edit the request in Burp Proxy and send a value of more than 32 characters, the server fails and a stack trace listing the built-in Java functions involved is displayed in the browser, which is very good input for a malicious user.
A restricted user has some links disabled because the user has no rights to see those pages. But after sending a request to the server with just the node link changed in the Proxy, the user got access to the unauthorized page.


Web security testing using Firebug
Firebug is a web development tool that facilitates the debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript. Firebug integrates with Firefox and allows users to inspect the different web elements, and helps users break the security barriers by editing the HTML code inside the web page.


Picture shows an application where the logged-in user does not have enough permissions to view other owners' data, and hence the owner field is disabled for this logged-in user. The user already has Firebug installed at the client side, and hence after right-clicking on any field the "Inspect element" option appears.


Once the user selects the Inspect element option, Firebug opens up in a window integrated with the Firefox browser and displays the HTML code related to the disabled owner field, highlighted with a blue background. By deleting the "Read-only" attribute from the owner field's HTML code the user can make this field editable and can search for the data related to other owners, which is not at all acceptable from a security aspect.
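The Firebug finding above and the two findings on the "Potential issues" slide (the 32-character limit bypassed through the proxy, and the hidden link that still served the page) share one root cause: the restriction lived only in the HTML. The following Python handlers are an added example of the server-side counterpart, not code from the deck or the tested application; the role table, owner ids and handler names are hypothetical.

```python
from dataclasses import dataclass

MAX_FIELD_LEN = 32  # the limit the deck says the client form enforces

# Pages each role may request; hypothetical names for this example.
PAGE_ACCESS = {"user": {"home", "search"}, "admin": {"home", "search", "admin"}}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    owner_ids: frozenset  # owners whose data this user may view

def handle_owner_search(user, params):
    """Server-side checks for the owner search. They run whether or not the
    form marked the field read-only, disabled or maxlength=32, because a
    proxy edit or a Firebug edit removes all of that before the request."""
    owner = params.get("owner", "")
    if len(owner) > MAX_FIELD_LEN:
        return 400, "owner exceeds 32 characters"
    if owner not in user.owner_ids:
        return 403, "not permitted to view this owner"
    return 200, f"records for {owner}"

def handle_page(user, page):
    """Authorise by role on every request, not by which links were shown."""
    if page not in PAGE_ACCESS.get(user.role, set()):
        return 403, "forbidden"
    return 200, f"page {page}"

def safe_call(handler, *args):
    """Turn unexpected exceptions into a generic response so that stack
    traces and internal function names never reach the browser."""
    try:
        return handler(*args)
    except Exception:
        # Log the details server-side here; the client sees nothing specific.
        return 500, "internal error"

if __name__ == "__main__":
    alice = User("alice", "user", frozenset({"owner-1"}))   # constructed
    print(safe_call(handle_owner_search, alice, {"owner": "owner-2"}))
    print(safe_call(handle_owner_search, alice, {"owner": "x" * 40}))
    print(safe_call(handle_page, alice, "admin"))
```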


Web security testing using Burp and Firebug
Benefits:
Identify and manage vulnerabilities in the web application.
Ensure web application requirements are met when they are subjected to malicious input data.


Queries ..?
