48Web Application Penetration TestingCache-Control: no-cacheContent-Type: text/htmlContent-Length: 83ErrorErrorFW-1 at XXXXXX: Access denied.Example of the security server of Check Point Firewall-1 NG AI “protecting”a web serverReverse proxies can also be introduced as proxy-caches to acceleratethe performance of back-end application servers. Detecting theseproxies can be done based on the server header. They can also bedetected by timing requests that should be cached by the server andcomparing the time taken to server the first request with subsequentrequests.Another element that can be detected is network load balancers.Typically, these systems will balance a given TCP/IP port to multipleservers based on different algorithms (round-robin, web server load,number of requests, etc.). Thus, the detection of this architecture elementneeds to be done by examining multiple requests and comparingresults to determine if the requests are going to the same or differentweb servers. For example, based on the Date header if the serverclocks are not synchronized. In some cases, the network load balanceprocess might inject new information in the headers that will make itstand out distinctively, like the AlteonP cookie introduced by Nortel’sAlteon WebSystems load balancer.Application web servers are usually easy to detect. The request forseveral resources is handled by the application server itself (not theweb server) and the response header will vary significantly (includingdifferent or additional values in the answer header). Another way todetect these is to see if the web server tries to set cookies which areindicative of an application web server being used (such as the JSES-SIONID provided by some J2EE servers), or to rewrite URLs automaticallyto do session tracking.Authentication back ends (such as LDAP directories, relational databases,or RADIUS servers) however, are not as easy to detect from anexternal point of view in an immediate way, since they will be hiddenby the application itself.The use of a back end database can be determined simply by navigatingan application. If there is highly dynamic content generated “on thefly,” it is probably being extracted from some sort of database by theapplication itself. Sometimes the way information is requested mightgive insight to the existence of a database back-end. For example, anonline shopping application that uses numeric identifiers (‘id’) whenbrowsing the different articles in the shop. However, when doing ablind application test, knowledge of the underlying database is usuallyonly available when a vulnerability surfaces in the application, such aspoor exception handling or susceptibility to SQL injection.References[1] WebSEAL, also known as Tivoli Authentication Manager, is a reverseproxy from IBM which is part of the Tivoli framework.[2] There are some GUI-based administration tools for Apache (likeNetLoony) but they are not in widespread use yet.Testing for configuration managementUnderstanding the deployed configuration of the server hosting theweb application is almost as important as the application securitytesting itself. After all, an application chain is only as strong as itsweakest link. Application platforms are wide and varied, but some keyplatform configuration errors can compromise the application in thesame way an unsecured application can compromise the server.Test Network/Infrastructure Configuration(OTG-CONFIG-001)SummaryThe intrinsic complexity of interconnected and heterogeneous webserver infrastructure, which can include hundreds of web applications,makes configuration management and review a fundamental step intesting and deploying every single application. It takes only a singlevulnerability to undermine the security of the entire infrastructure,and even small and seemingly unimportant problems may evolve intosevere risks for another application on the same server. In order toaddress these problems, it is of utmost importance to perform an indepthreview of configuration and known security issues, after havingmapped the entire architecture.Proper configuration management of the web server infrastructure isvery important in order to preserve the security of the application itself.If elements such as the web server software, the back-end databaseservers, or the authentication servers are not properly reviewedand secured, they might introduce undesired risks or introduce newvulnerabilities that might compromise the application itself.For example, a web server vulnerability that would allow a remoteattacker to disclose the source code of the application itself (a vulnerabilitythat has arisen a number of times in both web servers orapplication servers) could compromise the application, as anonymoususers could use the information disclosed in the source code to leverageattacks against the application or its users.The following steps need to be taken to test the configuration managementinfrastructure:• The different elements that make up the infrastructure need tobe determined in order to understand how they interact with a webapplication and how they affect its security.• All the elements of the infrastructure need to be reviewed in order tomake sure that they don’t contain any known vulnerabilities.• A review needs to be made of the administrative tools used tomaintain all the different elements.• The authentication systems, need to reviewed in order to assurethat they serve the needs of the application and that they cannot bemanipulated by external users to leverage access.• A list of defined ports which are required for the application shouldbe maintained and kept under change control.After having mapped the different elements that make up the infrastructure(see Map Network and Application Architecture) it is possibleto review the configuration of each element founded and test for anyknown vulnerabilities.How to TestKnown Server VulnerabilitiesVulnerabilities found in the different areas of the application architecture,be it in the web server or in the back end database, can severe-
49Web Application Penetration Testingly compromise the application itself. For example, consider a servervulnerability that allows a remote, unauthenticated user to uploadfiles to the web server or even to replace files. This vulnerability couldcompromise the application, since a rogue user may be able to replacethe application itself or introduce code that would affect the back endservers, as its application code would be run just like any other application.Reviewing server vulnerabilities can be hard to do if the test needs tobe done through a blind penetration test. In these cases, vulnerabilitiesneed to be tested from a remote site, typically using an automatedtool. However, testing for some vulnerabilities can have unpredictableresults on the web server, and testing for others (like those directlyinvolved in denial of service attacks) might not be possible due to theservice downtime involved if the test was successful.Some automated tools will flag vulnerabilities based on the webserver version retrieved. This leads to both false positives and falsenegatives. On one hand, if the web server version has been removedor obscured by the local site administrator the scan tool will not flagthe server as vulnerable even if it is. On the other hand, if the vendorproviding the software does not update the web server version whenvulnerabilities are fixed, the scan tool will flag vulnerabilities that donot exist. The latter case is actually very common as some operatingsystem vendors back port patches of security vulnerabilities to thesoftware they provide in the operating system, but do not do a full uploadto the latest software version. This happens in most GNU/Linuxdistributions such as Debian, Red Hat or SuSE. In most cases, vulnerabilityscanning of an application architecture will only find vulnerabilitiesassociated with the “exposed” elements of the architecture (suchas the web server) and will usually be unable to find vulnerabilitiesassociated to elements which are not directly exposed, such as theauthentication back ends, the back end database, or reverse proxiesin use.Finally, not all software vendors disclose vulnerabilities in a public way,and therefore these weaknesses do not become registered withinpublicly known vulnerability databases[2]. This information is onlydisclosed to customers or published through fixes that do not haveaccompanying advisories. This reduces the usefulness of vulnerabilityscanning tools. Typically, vulnerability coverage of these tools will bevery good for common products (such as the Apache web server, Microsoft’sInternet Information Server, or IBM’s Lotus Domino) but willbe lacking for lesser known products.This is why reviewing vulnerabilities is best done when the tester isprovided with internal information of the software used, including versionsand releases used and patches applied to the software. With thisinformation, the tester can retrieve the information from the vendoritself and analyze what vulnerabilities might be present in the architectureand how they can affect the application itself. When possible,these vulnerabilities can be tested to determine their real effects andto detect if there might be any external elements (such as intrusiondetection or prevention systems) that might reduce or negate thepossibility of successful exploitation. Testers might even determine,through a configuration review, that the vulnerability is not even present,since it affects a software component that is not in use.It is also worthwhile to note that vendors will sometimes silently fixvulnerabilities and make the fixes available with new software releases.Different vendors will have different release cycles that determinethe support they might provide for older releases. A tester with detailedinformation of the software versions used by the architecturecan analyse the risk associated to the use of old software releasesthat might be unsupported in the short term or are already unsupported.This is critical, since if a vulnerability were to surface in an oldsoftware version that is no longer supported, the systems personnelmight not be directly aware of it. No patches will be ever made availablefor it and advisories might not list that version as vulnerable as itis no longer supported. Even in the event that they are aware that thevulnerability is present and the system is vulnerable, they will need todo a full upgrade to a new software release, which might introducesignificant downtime in the application architecture or might forcethe application to be re-coded due to incompatibilities with the latestsoftware version.Administrative toolsAny web server infrastructure requires the existence of administrativetools to maintain and update the information used by the application.This information includes static content (web pages, graphic files),application source code, user authentication databases, etc. Administrativetools will differ depending on the site, technology, or softwareused. For example, some web servers will be managed using administrativeinterfaces which are, themselves, web servers (such as theiPlanet web server) or will be administrated by plain text configurationfiles (in the Apache case[3]) or use operating-system GUI tools (whenusing Microsoft’s IIS server or ASP.Net).In most cases the server configuration will be handled using differentfile maintenance tools used by the web server, which are managedthrough FTP servers, WebDAV, network file systems (NFS, CIFS) orother mechanisms. Obviously, the operating system of the elementsthat make up the application architecture will also be managed usingother tools. Applications may also have administrative interfaces embeddedin them that are used to manage the application data itself(users, content, etc.).After having mapped the administrative interfaces used to managethe different parts of the architecture it is important to review themsince if an attacker gains access to any of them he can then compromiseor damage the application architecture. To do this it is importantto:• Determine the mechanisms that control access to these interfacesand their associated susceptibilities. This information may be availableonline.• Change the default username and password.Some companies choose not to manage all aspects of their webserver applications, but may have other parties managing the contentdelivered by the web application. This external company mighteither provide only parts of the content (news updates or promotions)or might manage the web server completely (including content andcode). It is common to find administrative interfaces available from theInternet in these situations, since using the Internet is cheaper thanproviding a dedicated line that will connect the external company tothe application infrastructure through a management-only interface.In this situation, it is very important to test if the administrative interfacescan be vulnerable to attacks.References[1] WebSEAL, also known as Tivoli Authentication Manager, is a re-