4.0

More documents

Recommendations

Info

28Web Application Penetration Testing• Phase 2 Active mode:In this phase the tester begins to test using the methodology describedin the follow sections.The set of active tests have been split into 11 sub-categories for atotal of 91 controls:• Information Gathering• Configuration and Deployment Management Testing• Identity Management Testing• Authentication Testing• Authorization Testing• Session Management Testing• Input Validation Testing• Error Handling• Cryptography• Business Logic Testing• Client Side TestingTesting for Information GatheringUnderstanding the deployed configuration of the server hosting theweb application is almost as important as the application securitytesting itself. After all, an application chain is only as strong as itsweakest link. Application platforms are wide and varied, but some keyplatform configuration errors can compromise the application in thesame way an unsecured application can compromise the server.Conduct search engine discovery/reconnaissancefor information leakage (OTG-INFO-001)SummaryThere are direct and indirect elements to search engine discoveryand reconnaissance. Direct methods relate to searching the indexesand the associated content from caches. Indirect methods relate togleaning sensitive design and configuration information by searchingforums, newsgroups, and tendering websites.Once a search engine robot has completed crawling, it commences indexingthe web page based on tags and associated attributes, such as, in order to return the relevant search results [1]. If the robots.txt file is not updated during the lifetime of the web site, and inlineHTML meta tags that instruct robots not to index content have notbeen used, then it is possible for indexes to contain web content notintended to be included in by the owners. Website owners may usethe previously mentioned robots.txt, HTML meta tags, authentication,and tools provided by search engines to remove such content.Search operatorsUsing the advanced “site:” search operator, it is possible to restrictsearch results to a specific domain [2]. Do not limit testing to justone search engine provider as they may generate different resultsdepending on when they crawled content and their own algorithms.Consider using the following search engines:• Baidu• binsearch.info• Bing• Duck Duck Go• ixquick/Startpage• Google• Shodan• PunkSpiderDuck Duck Go and ixquick/Startpage provide reduced informationleakage about the tester.Google provides the Advanced “cache:” search operator [2], but thisis the equivalent to clicking the “Cached” next to each Google SearchResult. Hence, the use of the Advanced “site:” Search Operator andthen clicking “Cached” is preferred.The Google SOAP Search API supports the doGetCachedPage and theassociated doGetCachedPageResponse SOAP Messages [3] to assistwith retrieving cached pages. An implementation of this is under developmentby the OWASP “Google Hacking” Project.PunkSpider is web application vulnerability search engine. It is of littleuse for a penetration tester doing manual work. However it canbe useful as demonstration of easiness of finding vulnerabilities byscript-kiddies.Example To find the web content of owasp.org indexed by a typicalsearch engine, the syntax required is:site:owasp.orgTest ObjectivesTo understand what sensitive design and configuration information ofthe application/system/organization is exposed both directly (on theorganization’s website) or indirectly (on a third party website).How to TestUse a search engine to search for:• Network diagrams and configurations• Archived posts and emails by administrators and other key staff• Log on procedures and username formats• Usernames and passwords• Error message content• Development, test, UAT and staging versions of the websiteTo display the index.html of owasp.org as cached, the syntax is:cache:owasp.org
29Web Application Penetration TestingGoogle Hacking DatabaseThe Google Hacking Database is list of useful search queries for Google.Queries are put in several categories:• Footholds• Files containing usernames• Sensitive Directories• Web Server Detection• Vulnerable Files• Vulnerable Servers• Error Messages• Files containing juicy info• Files containing passwords• Sensitive Online Shopping InfoTools[4] FoundStone SiteDigger: http:/www.mcafee.com/uk/downloads/free-tools/sitedigger.aspx[5] Google Hacker: http:/yehg.net/lab/pr0js/files.php/googlehacker.zip[6] Stach & Liu’s Google Hacking Diggity Project: http:/www.stachliu.com/resources/tools/google-hacking-diggity-project/[7] PunkSPIDER: http:/punkspider.hyperiongray.com/ReferencesWeb[1] “Google Basics: Learn how Google Discovers, Crawls, andServes Web Pages” - https:/support.google.com/webmasters/answer/70897[2] “Operators and More Search Help”: https:/support.google.com/websearch/answer/136861?hl=en[3] “Google Hacking Database”: http:/www.exploit-db.com/google-dorks/RemediationCarefully consider the sensitivity of design and configuration informationbefore it is posted online.Periodically review the sensitivity of existing design and configurationinformation that is posted online.Fingerprint Web Server (OTG-INFO-002)SummaryWeb server fingerprinting is a critical task for the penetration tester.Knowing the version and type of a running web server allows testersto determine known vulnerabilities and the appropriate exploits to useduring testing.There are several different vendors and versions of web servers onthe market today. Knowing the type of web server that is being testedsignificantly helps in the testing process and can also change thecourse of the test.This information can be derived by sending the web server specificcommands and analyzing the output, as each version of web serversoftware may respond differently to these commands. By knowinghow each type of web server responds to specific commands andkeeping this information in a web server fingerprint database, a penetrationtester can send these commands to the web server, analyzethe response, and compare it to the database of known signatures.Please note that it usually takes several different commands to accuratelyidentify the web server, as different versions may react similarlyto the same command. Rarely do different versions react the same toall HTTP commands. So by sending several different commands, thetester can increase the accuracy of their guess.Test ObjectivesFind the version and type of a running web server to determine knownvulnerabilities and the appropriate exploits to use during testing.How to TestBlack Box testingThe simplest and most basic form of identifying a web server is to lookat the Server field in the HTTP response header. Netcat is used in thisexperiment.Consider the following HTTP Request-Response:$ nc 202.41.76.251 80HEAD / HTTP/1.0HTTP/1.1 200 OKDate: Mon, 16 Jun 2003 02:53:29 GMTServer: Apache/1.3.3 (Unix) (Red Hat/Linux)Last-Modified: Wed, 07 Oct 1998 11:18:14 GMTETag: “1813-49b-361b4df6”Accept-Ranges: bytesContent-Length: 1179Connection: closeContent-Type: text/htmlFrom the Server field, one can understand that the server is likelyApache, version 1.3.3, running on Linux operating system.Four examples of the HTTP response headers are shown below.From an Apache 1.3.23 server:HTTP/1.1 200 OKDate: Sun, 15 Jun 2003 17:10: 49 GMTServer: Apache/1.3.23Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMTETag: 32417-c4-3e5d8a83Accept-Ranges: bytesContent-Length: 196Connection: closeContent-Type: text/HTML
Page 1 and 2: 1Testing Guide4.0Project Leaders: M
Page 3 and 4: Testing Guide Foreword - Table of c
Page 5 and 6: 3Testing Guide Foreword - Table of
Page 7 and 8: 5Testing Guide Foreword - By Eoin K
Page 9 and 10: 7Testing Guide Frontispiece1Testing
Page 11 and 12: 9Testing Guide Introduction2The OWA
Page 13 and 14: 11Testing Guide Introductionvide en
Page 15 and 16: 13Testing Guide IntroductionTesting
Page 17 and 18: 15Testing Guide Introductionlaid on
Page 19 and 20: 17Testing Guide Introductionvalidat
Page 21 and 22: 19Testing Guide IntroductionUSERthe
Page 23 and 24: 21Testing Guide Introductionment wh
Page 25 and 26: 23Testing Guide Introductionoffendi
Page 27 and 28: 25The OWASP Testing Frameworksectio
Page 29: 27Web Application Penetration Testi
Page 33 and 34: 31Web Application Penetration Testi
Page 81 and 82:
79Web Application Penetration Testi
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101Web Application Penetration Test
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?