4.0

More documents

Recommendations

Info

180Web Application Penetration Testingpossible to exceed my limit if the systems are basing decisionson last night’s data.How to TestGeneric Test Method• Review the project documentation and use exploratory testinglooking for data entry points or hand off points between systemsor software.• Once found try to insert logically invalid data into the application/system.Specific Testing Method:• Perform front-end GUI Functional Valid testing on theapplication to ensure that the only “valid” values are accepted.• Using an intercepting proxy observe the HTTP POST/GET looking for places that variables such as cost and quality are passed.Specifically, look for “hand-offs” between application/systemsthat may be possible injection of tamper points.• Once variables are found start interrogating the field with logically “invalid” data, such as social security numbers or uniqueidentifiers that do not exist or that do not fit the business logic.This testing verifies that the server functions properly anddoes not accept logically invalid data them.Related Test Cases• All Input Validation test cases• Testing for Account Enumeration and Guessable User Account(OTG-IDENT-004)• Testing for Bypassing Session Management Schema(OTG-SESS-001)• Testing for Exposed Session Variables (OTG-SESS-004)Tools• OWASP Zed Attack Proxy (ZAP) -https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project• ZAP is an easy to use integrated penetration testing tool forfinding vulnerabilities in web applications. It is designed to beused by people with a wide range of security experience and assuch is ideal for developers and functional testers who are newto penetration testing. ZAP provides automated scanners aswell as a set of tools that allow you to find security vulnerabilitiesmanually.ReferencesBeginning Microsoft Visual Studio LightSwitch Development -http://books.google.com/books?id=x76L_kaTgdEC&pg=PA280&lpg=PA280&dq=business+logic+example+valid+data+example&source=bl&ots=GOfQ-7f4Hu&sig=4jOejZVligZOrvjBFRAT4-jy8DI&hl=en&sa=X&ei=mydYUt6qE-OX54APu7IDgCQ&ved=0CFIQ6AEwBDgK#v=onepage&q=business%20logic%20example%20valid%20data%20example&f=falseRemediationThe application/system must ensure that only “logically valid”data is accepted at all input and hand off points of the applicationor system and data is not simply trusted once it has enteredthe system.Test Ability to forge requests(OTG-BUSLOGIC-002)SummaryForging requests is a method that attackers use to circumventthe front end GUI application to directly submit information forback end processing. The goal of the attacker is to send HTTPPOST/GET requests through an intercepting proxy with data valuesthat is not supported, guarded against or expected by theapplications business logic. Some examples of forged requestsinclude exploiting guessable or predictable parameters or expose“hidden” features and functionality such as enabling debuggingor presenting special screens or windows that are veryuseful during development but may leak information or bypassthe business logic.Vulnerabilities related to the ability to forge requests is uniqueto each application and different from business logic data validationin that it s focus is on breaking the business logic workflow.Applications should have logic checks in place to prevent thesystem from accepting forged requests that may allow attackersthe opportunity to exploit the business logic, process, or flowof the application. Request forgery is nothing new; the attackeruses an intercepting proxy to send HTTP POST/GET requests tothe application. Through request forgeries attackers may be ableto circumvent the business logic or process by finding, predictingand manipulating parameters to make the application think aprocess or task has or has not taken place.Also, forged requests may allow subvention of programmatic orbusiness logic flow by invoking “hidden” features or functionalitysuch as debugging initially used by developers and testerssometimes referred to as an ”Easter egg”. “An Easter egg is anintentional inside joke, hidden message, or feature in a work suchas a computer program, movie, book, or crossword. According togame designer Warren Robinett, the term was coined at Atari bypersonnel who were alerted to the presence of a secret messagewhich had been hidden by Robinett in his already widely distributedgame, Adventure. The name has been said to evoke the ideaof a traditional Easter egg hunt.” http://en.wikipedia.org/wiki/Easter_egg_(media)ExamplesExample 1Suppose an e-commerce theater site allows users to select theirticket, apply a onetime 10% Senior discount on the entire sale,view the subtotal and tender the sale. If an attacker is able tosee through a proxy that the application has a hidden field (of1 or 0) used by the business logic to determine if a discount hasbeen taken or not. The attacker is then able to submit the 1 or “nodiscount has been taken” value multiple times to take advantageof the same discount multiple times.
181Web Application Penetration TestingExample 2Suppose an online video game pays out tokens for points scoredfor finding pirates treasure and pirates and for each level completed.These tokens can later be that can later be exchangedfor prizes. Additionally each level’s points have a multiplier valueequal to the level. If an attacker was able to see through a proxythat the application has a hidden field used during developmentand testing to quickly get to the highest levels of the game theycould quickly get to the highest levels and accumulate unearnedpoints quickly.Also, if an attacker was able to see through a proxy that the applicationhas a hidden field used during development and testingto enabled a log that indicated where other online players, or hiddentreasure were in relation to the attacker, they would then beable to quickly go to these locations and score points.How to TestGeneric Testing Method• Review the project documentation and use exploratory testinglooking for guessable, predictable or hidden functionality offields.• Once found try to insert logically valid data into the application/system allowing the user go through the application/systemagainst the normal busineess logic workflow.Specific Testing Method 1• Using an intercepting proxy observe the HTTP POST/GETlooking for some indication that values are incrementing at aregular interval or are easily guessable.• If it is found that some value is guessable this value may bechanged and one may gain unexpected visibility.Specific Testing Method 2• Using an intercepting proxy observe the HTTP POST/GETlooking for some indication of hidden features such as debugthat can be switched on or activated.• If any are found try to guess and change these values to get adifferent application response or behavior.Related Test CasesTesting for Exposed Session Variables (OTG-SESS-004)Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)Testing for Account Enumeration and Guessable User Account(OTG-IDENT-004)ToolsOWASP Zed Attack Proxy (ZAP) - https://www.owasp.orgindex.php/OWASP_Zed_Attack_Proxy_ProjectZAP is an easy to use integrated penetration testing tool forfinding vulnerabilities in web applications. It is designed to beused by people with a wide range of security experience and assuch is ideal for developers and functional testers who are newto penetration testing. ZAP provides automated scanners aswell as a set of tools that allow you to find security vulnerabilitiesmanually.ReferencesCross Site Request Forgery - Legitimizing Forged Requestshttp://fragilesecurity.blogspot.com/2012/11/cross-siterequest-forgery-legitimazing.htmlDebugging features which remain present in the final gamehttp://glitchcity.info/wiki/index.php/List_of_video_games_with_debugging_features#Debugging_features_which_remain_present_in_the_final_gameEaster egg - http://en.wikipedia.org/wiki/Easter_egg_(media)Top 10 Software Easter Eggs - http://lifehacker.com/371083/top-10-software-easter-eggsRemediationThe application must be smart enough and designed with businesslogic that will prevent attackers from predicting and manipulatingparameters to subvert programmatic or business logicflow, or exploiting hidden/undocumented functionality such asdebugging.Test integrity checks (OTG-BUSLOGIC-003)SummaryMany applications are designed to display different fields dependingon the user of situation by leaving some inputs hidden.However, in many cases it is possible to submit values hiddenfield values to the server using a proxy. In these cases the serverside controls must be smart enough to perform relational orserver side edits to ensure that the proper data is allowed to theserver based on user and application specific business logic.Additionally, the application must not depend on non-editablecontrols, drop-down menus or hidden fields for business logicprocessing because these fields remain non-editable only in thecontext of the browsers. Users may be able to edit their valuesusing proxy editor tools and try to manipulate business logic.If the application exposes values related to business rules likequantity, etc. as non-editable fields it must maintain a copy onthe server side and use the same for business logic processing.Finally, aside application/system data, log systems must be securedto prevent read, writing and updating.Business logic integrity check vulnerabilities is unique in thatthese misuse cases are application specific and if users are ableto make changes one should only be able to write or update/editspecific artifacts at specific times per the business process logic.The application must be smart enough to check for relationaledits and not allow users to submit information directly to theserver that is not valid, trusted because it came from a non-editablecontrols or the user is not authorized to submit throughthe front end. Additionally, system artifacts such as logs must be“protected” from unauthorized read, writing and removal.Example
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101Web Application Penetration Test
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132: 129Web Application Penetration Test
Page 181: 179Web Application Penetration Test
Page 211 and 212: 209same code can be applied to sess
Page 213 and 214: 211ReportingTest IDLowest versionIn
Page 215 and 216: 213ReportingTest IDBusiness Logic T
Page 217 and 218: 215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220: 217AppendixTesting - http:/www.nist
Page 221 and 222: 219Cross Site Scripting (XSS)For de
Page 223 and 224: 221LDAP InjectionFor details on LDA
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?