4.0

More documents

Recommendations

Info

156Web Application Penetration TestingTest: 408 Request Time-outtelnet 80GET / HTTP/1.1- Wait X seconds – (Depending on the target server, 21seconds for Apache by default)Result:HTTP/1.1 408 Request Time-outDate: Fri, 07 Dec 2013 00:58:33 GMTServer: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 withSuhosin-PatchVary: Accept-EncodingContent-Length: 298Connection: closeContent-Type: text/html; charset=iso-8859-1...408 Request Time-out...Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9with Suhosin-Patch at Port 80...Test: 501 Method Not Implementedtelnet 80RENAME /index.html HTTP/1.1Host: Result:HTTP/1.1 501 Method Not ImplementedDate: Fri, 08 Dec 2013 09:59:32 GMTServer: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 withSuhosin-PatchAllow: GET, HEAD, POST, OPTIONSVary: Accept-EncodingContent-Length: 299Connection: closeContent-Type: text/html; charset=iso-8859-1...501 Method Not Implemented...Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9with Suhosin-Patch at Port 80...Test:Enumeration of directories by using access denied error messages:http://Result:Directory Listing DeniedThis Virtual Directory does not allow contents to be listed.Tools• ErrorMint - http://sourceforge.net/projects/errormint/• ZAP Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_ProjectReferences• [RFC2616] Hypertext Transfer Protocol -- HTTP/1.1• [ErrorDocument] Apache ErrorDocument Directive• [AllowOverride] Apache AllowOverride Directive• [ServerTokens] Apache ServerTokens Directive• [ServerSignature] Apache ServerSignature DirectiveRemediationError Handling in IIS and ASP .netASP .net is a common framework from Microsoft used for developingweb applications. IIS is one of the commonly used webservers. Errors occur in all applications, developers try to trapmost errors but it is almost impossible to cover each and everyexception (it is however possible to configure the web server tosuppress detailed error messages from being returned to theuser).IIS uses a set of custom error pages generally found in c:\winnt\help\iishelp\common to display errors like ‘404 page not found’to the user. These default pages can be changed and custom errorscan be configured for IIS server. When IIS receives a requestfor an aspx page, the request is passed on to the dot net framework.There are various ways by which errors can be handled in dot netframework. Errors are handled at three places in ASP .net:• Inside Web.config customErrors section• Inside global.asax Application_Error Sub• At the the aspx or associated codebehind page in the Page_ErrorsubHandling errors using web.configmode=”On” will turn on custom errors. mode=RemoteOnly willshow custom errors to the remote web application users. A useraccessing the server locally will be presented with the completestack trace and custom errors will not be shown to him.All the errors, except those explicitly specified, will cause a redirectionto the resource specified by defaultRedirect, i.e., myerrorpagedefault.aspx.A status code 404 will be handled by myerrorpagefor404.aspx.
157Web Application Penetration TestingHandling errors in Global.asaxWhen an error occurs, the Application_Error sub is called. A developercan write code for error handling/page redirection in thissub.Private Sub Application_Error (ByVal sender As Object, ByVal eAs System.EventArgs)Handles MyBase.ErrorEnd SubHandling errors in Page_Error subThis is similar to application error.Private Sub Page_Error (ByVal sender As Object, ByVal e AsSystem.EventArgs)Handles MyBase.ErrorEnd SubError hierarchy in ASP .netPage_Error sub will be processed first, followed by global.asaxApplication_Error sub, and, finally, customErrors section in web.config file.Information Gathering on web applications with server-sidetechnology is quite difficult, but the information discovered canbe useful for the correct execution of an attempted exploit (forexample, SQL injection or Cross Site Scripting (XSS) attacks) andcan reduce false positives.How to test for ASP.net and IIS Error HandlingFire up your browser and type a random page namehttp:\\www.mywebserver.com\anyrandomname.aspIf the server returnsThe page cannot be foundInternet Information Servicesit means that IIS custom errors are not configured. Please notethe .asp extension.Also test for .net custom errors. Type a random page name withaspx extension in your browserhttp:\\www.mywebserver.com\anyrandomname.aspxIf the server returnsServer Error in ‘/’ Application.--------------------------------------------------------------------------------The resource cannot be found.Description: HTTP 404. The resource you are looking for (or oneof its dependencies) could have been removed, had its namecustom errors for .net are not configured.Error Handling in ApacheApache is a common HTTP server for serving HTML and PHPweb pages. By default, Apache shows the server version, productsinstalled and OS system in the HTTP error responses.Responses to the errors can be configured and customized globally,per site or per directory in the apache2.conf using the Error-Document directive [2]ErrorDocument 404 “Customized Not Found error message”ErrorDocument 403 /myerrorpagefor403.htmlErrorDocument 501 http:/www.externaldomain.com/errorpagefor501.htmlSite administrators are able to manage their own errors using.htaccess file if the global directive AllowOverride is configuredproperly in apache2.conf [3]The information shown by Apache in the HTTP errors can also beconfigured using the directives ServerTokens [4] and ServerSignature[5] at apache2.conf configuration file. “ServerSignatureOff” (On by default) removes the server information from theerror responses, while ServerTokens [ProductOnly|Major|Minor|Minimal|OS|Full](Full by default) defines what informationhas to be shown in the error pages.Error Handling in TomcatTomcat is a HTTP server to host JSP and Java Servlet applications.By default, Tomcat shows the server version in the HTTPerror responses.Customization of the error responses can be configured in theconfiguration file web.xml.404/myerrorpagefor404.htmlTesting for Stack Traces (OTG-ERR-002)SummaryStack traces are not vulnerabilities by themselves, but they oftenreveal information that is interesting to an attacker. Attackersattempt to generate these stack traces by tampering with theinput to the web application with malformed HTTP requests andother input data.If the application responds with stack traces that are not managedit could reveal information useful to attackers. This informationcould then be used in further attacks. Providing debugginginformation as a result of operations that generate errors isconsidered a bad practice due to multiple reasons. For example,
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101Web Application Penetration Test
Page 105 and 106:
Page 107 and 108: 105Web Application Penetration Test
Page 157: 155Web Application Penetration Test
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?