4.0

More documents

Recommendations

Info

52Web Application Penetration Testingries can be simulated that will fill up the logs faster since, typically, asingle request will cause only a small amount of data to be logged,such as date and time, source IP address, URI request, and server result.Log rotationMost servers (but few custom applications) will rotate logs in orderto prevent them from filling up the file system they reside on. Theassumption when rotating logs is that the information in them is onlynecessary for a limited amount of time.This feature should be tested in order to ensure that:• Logs are kept for the time defined in the security policy, not moreand not less.• Logs are compressed once rotated (this is a convenience, since it willmean that more logs will be stored for the same available disk space).• File system permission of rotated log files are the same (or stricter)that those of the log files itself. For example, web servers will needto write to the logs they use but they don’t actually need to writeto rotated logs, which means that the permissions of the files canbe changed upon rotation to prevent the web server process frommodifying these.Some servers might rotate logs when they reach a given size. If thishappens, it must be ensured that an attacker cannot force logs to rotatein order to hide his tracks.Log Access ControlEvent log information should never be visible to end users. Even webadministrators should not be able to see such logs since it breaksseparation of duty controls. Ensure that any access control schemathat is used to protect access to raw logs and any applications providingcapabilities to view or search the logs is not linked with accesscontrol schemas for other application user roles. Neither should anylog data be viewable by unauthenticated users.Log reviewReview of logs can be used for more than extraction of usage statisticsof files in the web servers (which is typically what most log-basedapplication will focus on), but also to determine if attacks take placeat the web server.In order to analyze web server attacks the error log files of the serverneed to be analyzed. Review should concentrate on:• 40x (not found) error messages. A large amount of these from thesame source might be indicative of a CGI scanner tool being usedagainst the web server• 50x (server error) messages. These can be an indication of anattacker abusing parts of the application which fail unexpectedly.For example, the first phases of a SQL injection attack will producethese error message when the SQL query is not properly constructedand its execution fails on the back end database.Log statistics or analysis should not be generated, nor stored, in thesame server that produces the logs. Otherwise, an attacker might,through a web server vulnerability or improper configuration, gain accessto them and retrieve similar information as would be disclosed bylog files themselves.References[1] Apache• Apache Security, by Ivan Ristic, O’reilly, March 2005.• Apache Security Secrets: Revealed (Again), Mark Cox, November2003 - http: /www.awe.com/mark/apcon2003/• Apache Security Secrets: Revealed, ApacheCon 2002, Las Vegas,Mark J Cox, October 2002 - http: /www.awe.com/mark/apcon2002• Performance Tuning - http: /httpd.apache.org/docs/misc/perf-tuning.html[2] Lotus Domino• Lotus Security Handbook, William Tworek et al., April 2004, availablein the IBM Redbooks collection• Lotus Domino Security, an X-force white-paper, Internet SecuritySystems, December 2002• Hackproofing Lotus Domino Web Server, David Litchfield, October2001,• NGSSoftware Insight Security Research, available at http: /www.nextgenss.com[3] Microsoft IIS• IIS 6.0 Security, by Rohyt Belani, Michael Muckin, - http: /www.securityfocus.com/print/infocus/1765• IIS 7.0 Securing Configuration - http: /technet.microsoft.com/enus/library/dd163536.aspx• Securing Your Web Server (Patterns and Practices), Microsoft Corporation,January 2004• IIS Security and Programming Countermeasures, by Jason Coombs• From Blueprint to Fortress: A Guide to Securing IIS 5.0, by JohnDavis, Microsoft Corporation, June 2001• Secure Internet Information Services 5 Checklist, by Michael Howard,Microsoft Corporation, June 2000• “INFO: Using URLScan on IIS” - http: /support.microsoft.com/default.aspx?scid=307608[4] Red Hat’s (formerly Netscape’s) iPlanet• Guide to the Secure Configuration and Administration of iPlanetWeb Server, Enterprise Edition 4.1, by James M Hayes, The NetworkApplications Team of the Systems and Network Attack Center(SNAC), NSA, January 2001[5] WebSphere• IBM WebSphere V5.0 Security, WebSphere Handbook Series, byPeter Kovari et al., IBM, December 2002.• IBM WebSphere V<strong>4.0</strong> Advanced Edition Security, by Peter Kovariet al., IBM, March 2002.[6] General• Logging Cheat Sheet, OWASP• SP 800-92 Guide to Computer Security Log Management, NIST• PCI DSS v2.0 Requirement 10 and PA-DSS v2.0 Requirement 4,PCI Security Standards Council[7] Generic:• CERT Security Improvement Modules: Securing Public Web Servers- http: /www.cert.org/security-improvement/• Apache Security Configuration Document, InterSect Alliance -http: /www.intersectalliance.com/projects/ApacheConfig/index.html• “How To: Use IISLockdown.exe” - http: /msdn.microsoft.com/library/en-us/secmod/html/secmod113.aspTest File Extensions Handling for SensitiveInformation (OTG-CONFIG-003)SummaryFile extensions are commonly used in web servers to easily determinewhich technologies, languages and plugins must be used to fulfill theweb request. While this behavior is consistent with RFCs and Web
53Web Application Penetration TestingStandards, using standard file extensions provides the penetrationtester useful information about the underlying technologies used ina web appliance and greatly simplifies the task of determining theattack scenario to be used on particular technologies. In addition,mis-configuration of web servers could easily reveal confidential informationabout access credentials.Extension checking is often used to validate files to be uploaded,which can lead to unexpected results because the content is not whatis expected, or because of unexpected OS file name handling.Determining how web servers handle requests corresponding to fileshaving different extensions may help in understanding web server behaviordepending on the kind of files that are accessed. For example,it can help to understand which file extensions are returned as text orplain versus those that cause execution on the server side. The latterare indicative of technologies, languages or plugins that are used byweb servers or application servers, and may provide additional insighton how the web application is engineered. For example, a “.pl” extensionis usually associated with server-side Perl support. However, thefile extension alone may be deceptive and not fully conclusive. For example,Perl server-side resources might be renamed to conceal thefact that they are indeed Perl related. See the next section on “webserver components” for more on identifying server side technologiesand components.How to TestForced browsingSubmit http[s] requests involving different file extensions and verifyhow they are handled. The verification should be on a per web directorybasis. Verify directories that allow script execution. Web serverdirectories can be identified by vulnerability scanners, which look forthe presence of well-known directories. In addition, mirroring the website structure allows the tester to reconstruct the tree of web directoriesserved by the application.If the web application architecture is load-balanced, it is important toassess all of the web servers. This may or may not be easy, dependingon the configuration of the balancing infrastructure. In an infrastructurewith redundant components there may be slight variationsin the configuration of individual web or application servers. This mayhappen if the web architecture employs heterogeneous technologies(think of a set of IIS and Apache web servers in a load-balancing configuration,which may introduce slight asymmetric behavior betweenthem, and possibly different vulnerabilities).‘Example:The tester has identified the existence of a file named connection.inc.Trying to access it directly gives back its contents, which are:mysql_connect(“127.0.0.1”, “root”, “”)or die(“Could not connect”);The tester determines the existence of a MySQL DBMS back end, andthe (weak) credentials used by the web application to access it.The following file extensions should never be returned by a web server,since they are related to files which may contain sensitive informationor to files for which there is no reason to be served.• .asa• .incThe following file extensions are related to files which, when accessed,are either displayed or downloaded by the browser. Therefore, fileswith these extensions must be checked to verify that they are indeedsupposed to be served (and are not leftovers), and that they do notcontain sensitive information.• .zip, .tar, .gz, .tgz, .rar, ...: (Compressed) archive files• .java: No reason to provide access to Java source files• .txt: Text files• .pdf: PDF documents• .doc, .rtf, .xls, .ppt, ...: Office documents• .bak, .old and other extensions indicative of backup files (for example:~ for Emacs backup files)The list given above details only a few examples, since file extensionsare too many to be comprehensively treated here. Refer to http:/filext.com/ for a more thorough database of extensions.To identify files having a given extensions a mix of techniques can beemployed. THese techniques can include Vulnerability Scanners, spideringand mirroring tools, manually inspecting the application (thisovercomes limitations in automatic spidering), querying search engines(see Testing: Spidering and googling). See also Testing for Old,Backup and Unreferenced Files which deals with the security issuesrelated to “forgotten” files.File UploadWindows 8.3 legacy file handling can sometimes be used to defeat fileupload filtersUsage Examples:file.phtml gets processed as PHP codeFILE~1.PHT is served, but not processed by the PHP ISAPI handlershell.phPWND can be uploadedSHELL~1.PHP will be expanded and returned by the OS shell,then processed by the PHP ISAPI handlerGray Box testingPerforming white box testing against file extensions handlingamounts to checking the configurations of web servers or applicationservers taking part in the web application architecture, and verifyinghow they are instructed to serve different file extensions.If the web application relies on a load-balanced, heterogeneous infrastructure,determine whether this may introduce different behavior.ToolsVulnerability scanners, such as Nessus and Nikto check for the ex-
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4: Testing Guide Foreword - Table of c
Page 5 and 6: 3Testing Guide Foreword - Table of
Page 7 and 8: 5Testing Guide Foreword - By Eoin K
Page 9 and 10: 7Testing Guide Frontispiece1Testing
Page 11 and 12: 9Testing Guide Introduction2The OWA
Page 13 and 14: 11Testing Guide Introductionvide en
Page 15 and 16: 13Testing Guide IntroductionTesting
Page 17 and 18: 15Testing Guide Introductionlaid on
Page 19 and 20: 17Testing Guide Introductionvalidat
Page 21 and 22: 19Testing Guide IntroductionUSERthe
Page 23 and 24: 21Testing Guide Introductionment wh
Page 25 and 26: 23Testing Guide Introductionoffendi
Page 27 and 28: 25The OWASP Testing Frameworksectio
Page 29 and 30: 27Web Application Penetration Testi
Page 53: 51Web Application Penetration Testi
Page 103 and 104: 101Web Application Penetration Test
Page 105 and 106:
103Web Application Penetration Test
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?