4.0

More documents

Recommendations

Info

202Web Application Penetration Testing• Restricted frames with Internet Explorer: Starting fromInternet Explorer 6, a frame can have the “security” attributethat, if it is set to the value “restricted”, ensures that JavaScriptcode, ActiveX controls, and re-directs to other sites do notwork in the frame.Example:• Sandbox attribute: with HTML5 there is a new attribute called“sandbox”. It enables a set of restrictions on content loadedinto the iframe. At this moment this attribute is only compatiblewhit Chrome and Safari.Example:• Design mode: Paul Stone showed a security issue concerningthe “designMode” that can be turned on in the framing page (viadocument.designMode), disabling JavaScript in top and subframe.The design mode is currently implemented in Firefoxand IE8.onBeforeUnload eventThe onBeforeUnload event could be used to evade frame bustingcode. This event is called when the frame busting code wants todestroy the iframe by loading the URL in the whole web page andnot only in the iframe. The handler function returns a string thatis prompted to the user asking confirm if he wants to leave thepage. When this string is displayed to the user is likely to cancelthe navigation, defeating traget’s frame busting attempt.The attacker can use this attack by registering an unload eventon the top page using the following example code:www.fictitious.sitewindow.onbeforeunload = function(){return “ Do you want to leave fictitious.site?”;}The previous technique requires the user interaction but, thesame result, can be achieved without prompting the user. Todo this the attacker have to automatically cancel the incomingnavigation request in an onBeforeUnload event handler by repeatedlysubmitting (for example every millisecond) a navigationrequest to a web page that responds with a “HTTP/1.1 204 NoContent” header.Since with this response the browser will do nothing, the resultingof this operation is the flushing of the request pipeline, renderingthe original frame busting attempt futile.Following an example code:204 page:Attacker’s page:var prevent_bust = 0;window.onbeforeunload = function() {prevent_bust++;};setInterval(function() {if (prevent_bust > 0) {prevent_bust -= 2;window.top.location =“http: /attacker.site/204.php”;}}, 1);XSS FilterStarting from Google Chrome 4.0 and from IE8 there were introducedXSS filters to protect users from reflected XSS attacks. Navaand Lindsay have observed that these kind of filters can be used todeactivate frame busting code by faking it as malicious code.• IE8 XSS filter: this filter has visibility into all requests andresponses parameters flowing through the web browser andit compares them to a set of regular expressions in order to lookfor reflected XSS attempts. When the filter identifies a possibleXSS attacks; it disable all inline scripts within the page, includingframe busting scripts (the same thing could be done with externalscripts). For this reason an attacker could induces a false positiveby inserting the beginning of the frame busting script into a requestparameters.Example: Target web page frame busting code:if ( top != self ){top.location=self.location;}Attacker code:
203Web Application Penetration Testing• Chrome 4.0 XSSAuditor filter: It has a little different behaviourcompared to IE8 XSS filter, in fact with this filter an attacker coulddeactivate a “script” by passing its code in a request parameter.This enables the framing page to specifically target a single snippetcontaining the frame busting code, leaving all the other codesintact.Example: Target web page frame busting code:if ( top != self ){top.location=self.location;}Attacker code:Redefining locationFor several browser the “document.location” variable is an immutableattribute. However, for some version of Internet Explorerand Safari, it is possible to redefine this attribute. This fact can beexploited to evade frame busting code.• Redefining location in IE7 and IE8: it is possible to redefine“location” as it is illustrated in the following example. By defining“location” as a variable, any code that tries to read or to navigateby assigning “top.location” will fail due to a security violation and sothe frame busting code is suspended.Example:var location = “xyz”;• Redefining location in Safari 4.0.4: To bust frame busting codewith “top.location” it is possible to bind “location” to a functionvia defineSetter (through window), so that an attempt to read ornavigate to the “top.location” will fail.responses and is used to mark web pages that shouldn’t be framed.This header can take the values DENY, SAMEORIGIN, ALLOW-FROMorigin, or non-standard ALLOWALL. Recommended value is DENY.The “X-FRAME-OPTIONS” is a very good solution, and was adoptedby major browser, but also for this technique there are some limitationsthat could lead in any case to exploit the clickjacking vulnerability.Browser compatibilitySince the “X-FRAME-OPTIONS” was introduced in 2009, this headeris not compatible with old browser. So every user that doesn’t havean updated browser could be victim of clickjacking attack.BrowserLowest versionInternet Explorer 8.0Firefox (Gecko) 3.6.9 (1.9.2.9)Opera10.50Safari4.0Chrome4.1.249.1042ProxiesWeb proxies are known for adding and stripping headers. In the casein which a web proxy strips the “X-FRAME-OPTIONS” header thenthe site loses its framing protection.Mobile website versionAlso in this case, since the “X-FRAME-OPTIONS” has to be implementedin every page of the website, the developers may have notprotected the mobile version of the website.Create a “proof of concept”Once we have discovered that the site we are testing is vulnerableto clickjacking attack, we can proceed with the development of a“proof of concept” to demonstrate the vulnerability. It is importantto note that, as mentioned previously, these attacks can be used inconjunction with other forms of attacks (for example CSRF attacks)and could lead to overcome anti-CSRF tokens. In this regard we canimagine that, for example, the target site allows to authenticatedand authorized users to make a transfer of money to another account.Suppose that to execute the transfer the developers have plannedthree steps. In the first step the user fill a form with the destinationaccount and the amount. In the second step, whenever the user submitsthe form, is presented a summary page asking the user confirmation(like the one presented in the following picture).Example:window.defineSetter(“location” , function(){});Server side protection: X-Frame-OptionsAn alternative approach to client side frame busting code was implementedby Microsoft and it consists of an header based defense. Thisnew “X-FRAME-OPTIONS” header is sent from the server on HTTPFollowing a snippet of the code for the step 2:/generate random anti CSRF token$csrfToken = md5(uniqid(rand(), TRUE));
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101Web Application Penetration Test
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154: 151Web Application Penetration Test
Page 203: 201Web Application Penetration Test
Page 211 and 212: 209same code can be applied to sess
Page 213 and 214: 211ReportingTest IDLowest versionIn
Page 215 and 216: 213ReportingTest IDBusiness Logic T
Page 217 and 218: 215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220: 217AppendixTesting - http:/www.nist
Page 221 and 222: 219Cross Site Scripting (XSS)For de
Page 223 and 224: 221LDAP InjectionFor details on LDA
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?