Web Application Penetration Testing (page 85)

In this case, the value of the user parameter is used to tell the application for which user it should change the password. In many cases this step will be a part of a wizard, or a multi-step operation. In the first step the application will get a request stating which user's password is to be changed, and in the next step the user will provide a new password (without asking for the current one). The user parameter is used to directly reference the object of the user for whom the password change operation will be performed. To test for this case the tester should attempt to provide a different test username than the one currently logged in, and check whether it is possible to modify the password of another user.

The value of a parameter is used directly to retrieve a file system resource

Sample request:

http://foo.bar/showImage?img=img00011

In this case, the value of the file parameter is used to tell the application what file the user intends to retrieve. By providing the name or identifier of a different file (for example file=image00012.jpg) the attacker will be able to retrieve objects belonging to other users. To test for this case, the tester should obtain a reference the user is not supposed to be able to access and attempt to access it by using it as the value of the file parameter.

Note: This vulnerability is often exploited in conjunction with a directory/path traversal vulnerability (see Testing for Path Traversal).

The value of a parameter is used directly to access application functionality

Sample request:

http://foo.bar/accessPage?menuitem=12

In this case, the value of the menuitem parameter is used to tell the application which menu item (and therefore which application functionality) the user is attempting to access. Assume the user is supposed to be restricted and therefore has links available only to access menu items 1, 2 and 3.
By modifying the value of the menuitem parameter it is possible to bypass authorization and access additional application functionality. To test for this case the tester identifies a location where application functionality is determined by reference to a menu item, maps the values of menu items the given test user can access, and then attempts other menu items.

In the above examples the modification of a single parameter is sufficient. However, sometimes the object reference may be split between more than one parameter, and testing should be adjusted accordingly.

References

Top 10 2013-A4-Insecure Direct Object References

Session Management Testing

One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. This is referred to as Session Management and is defined as the set of all controls governing stateful interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.

HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session". This necessitates third party solutions, through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations. Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a "Session ID" or Cookie.

There are a number of ways in which a web application may interact with a user. Each is dependent upon the nature of the site, the security, and availability requirements of the application.
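The three direct object reference cases above (the user, file and menuitem parameters) as an added example, not code from the OWASP guide: each handler is shown with the ownership or role check whose absence makes the reference exploitable, alongside the unchecked password handler, plus a small probe helper that maps which references a test session can reach, mirroring the testing method the guide describes. The names Session, PASSWORDS, FILE_OWNERS, MENU_BY_ROLE and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

class AuthorizationError(Exception):
    """Raised when a request references an object the session may not use."""

@dataclass
class Session:
    user: str
    role: str

# Constructed sample state standing in for the application's database.
PASSWORDS = {"alice": "alice-old", "bob": "bob-old"}
FILE_OWNERS = {"img00011": "alice", "img00012": "bob"}
MENU_BY_ROLE = {"restricted": {1, 2, 3}, "admin": {1, 2, 3, 12}}

def change_password_vulnerable(session: Session, user: str, new_password: str) -> None:
    """The guide's first case: the user parameter is the object reference
    and nothing ties it to the authenticated session."""
    PASSWORDS[user] = new_password

def change_password(session: Session, user: str, new_password: str) -> None:
    """Hardened: the referenced user must be the authenticated user."""
    if user != session.user:
        raise AuthorizationError("user parameter does not match the session")
    PASSWORDS[user] = new_password

def show_image(session: Session, img: str) -> str:
    """Hardened showImage: the referenced file must belong to the requester."""
    if FILE_OWNERS.get(img) != session.user:
        raise AuthorizationError(f"{img} is not owned by {session.user}")
    return f"<contents of {img}>"

def access_page(session: Session, menuitem: int) -> str:
    """Hardened accessPage: the menu item must be allowed for the session's role."""
    if menuitem not in MENU_BY_ROLE.get(session.role, set()):
        raise AuthorizationError(f"menu item {menuitem} not allowed for {session.role}")
    return f"<page for menu item {menuitem}>"

def probe(session: Session, handler, refs) -> dict:
    """Test helper mirroring the guide's method: record which references the
    given session can reach, so out-of-scope references that succeed stand out."""
    results = {}
    for ref in refs:
        try:
            handler(session, ref)
            results[ref] = True
        except AuthorizationError:
            results[ref] = False
    return results
```

A restricted session probing menu items 1, 2, 3 and 12 should get exactly the first three; any extra True in the probe result is the finding the guide describes.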
Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider's requirements and expectations.

Testing for Session Management Schema (OTG-SESS-001)

Summary

In order to avoid continuous authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. These mechanisms are known as Session Management and while they are important in order to increase the ease of use and user-friendliness of the application, they can be exploited by a penetration tester to gain access to a user account, without the need to provide correct credentials.

In this test, the tester wants to check that cookies and other session tokens are created in a secure and unpredictable way. An attacker who is able to predict and forge a weak cookie can easily hijack the sessions of legitimate users.

Cookies are used to implement session management and are described in detail in RFC 2965. In a nutshell, when a user accesses an application which needs to keep track of the actions and identity of that user across multiple requests, a cookie (or cookies) is generated by the server and sent to the client. The client will then send the cookie back to the server in all following connections until the cookie expires or is destroyed. The data stored in the cookie can provide to the server a large spectrum of information about who the user is, what actions he has performed so far, what his preferences are, etc., therefore providing a state to a stateless protocol like HTTP.

A typical example is provided by an online shopping cart. Throughout the session of a user, the application must keep track of his identity, his profile, the products that he has chosen to buy, the quantity, the individual prices, the discounts, etc.
Cookies are an efficient way to store and pass this information back and forth (other methods are URL parameters and hidden fields).

Due to the importance of the data that they store, cookies are there-
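As an added example that is not from the guide, a small checker for the property the Summary above asks the tester to verify, that session IDs are created in an unpredictable way: over a sample of collected IDs it flags counter-style sequences, duplicates, short tokens and low estimated entropy, and contrasts a constructed counter-based sample with IDs from a CSPRNG. The 16-character and 64-bit thresholds are assumptions, not values stated on this page.

```python
import math
import secrets
from collections import Counter

# Assumed thresholds (not from the guide): at least 16 characters and an
# estimated 64 bits of randomness per token before an ID is considered adequate.
MIN_LENGTH = 16
MIN_BITS = 64

def shannon_bits_per_char(token: str) -> float:
    """Per-character Shannon entropy of a single token (a rough upper bound)."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def _as_int(token: str):
    """Parse a token as decimal, then hex; None if it is neither."""
    for base in (10, 16):
        try:
            return int(token, base)
        except ValueError:
            pass
    return None

def looks_sequential(tokens: list) -> bool:
    """True when every token parses as a number and consecutive tokens differ
    by the same small constant, the classic sign of a counter-based session ID."""
    values = [_as_int(t) for t in tokens]
    if len(values) < 2 or any(v is None for v in values):
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= 1000

def assess_session_ids(tokens: list) -> dict:
    """Summarise predictability indicators for a sample of session IDs."""
    est_bits = min(shannon_bits_per_char(t) * len(t) for t in tokens)
    findings = {
        "sequential": looks_sequential(tokens),
        "duplicates": len(set(tokens)) != len(tokens),
        "too_short": min(len(t) for t in tokens) < MIN_LENGTH,
        "low_entropy": est_bits < MIN_BITS,
    }
    findings["verdict"] = "weak" if any(findings.values()) else "ok"
    return findings

# Constructed samples: a counter-style ID set, and IDs from a CSPRNG.
WEAK_SAMPLE = ["10001", "10002", "10003", "10004"]
STRONG_SAMPLE = [secrets.token_urlsafe(32) for _ in range(4)]
```

The per-character entropy estimate only bounds randomness from above, so a token that passes here still needs its generator reviewed; a token that fails is predictable regardless.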
