52 Web Application Penetration Testing

ries can be simulated that will fill up the logs faster since, typically, a single request will cause only a small amount of data to be logged, such as date and time, source IP address, URI request, and server result.

Log rotation
Most servers (but few custom applications) will rotate logs in order to prevent them from filling up the file system they reside on. The assumption when rotating logs is that the information in them is only necessary for a limited amount of time.
This feature should be tested in order to ensure that:
• Logs are kept for the time defined in the security policy, not more and not less.
• Logs are compressed once rotated (this is a convenience, since it will mean that more logs will be stored for the same available disk space).
• File system permissions of rotated log files are the same as (or stricter than) those of the log files themselves. For example, web servers will need to write to the logs they use but they don’t actually need to write to rotated logs, which means that the permissions of the files can be changed upon rotation to prevent the web server process from modifying these.
Some servers might rotate logs when they reach a given size. If this happens, it must be ensured that an attacker cannot force logs to rotate in order to hide his tracks.

Log Access Control
Event log information should never be visible to end users. Even web administrators should not be able to see such logs since it breaks separation of duty controls. Ensure that any access control schema that is used to protect access to raw logs and any applications providing capabilities to view or search the logs is not linked with access control schemas for other application user roles.
Neither should any log data be viewable by unauthenticated users.

Log review
Review of logs can be used for more than extraction of usage statistics of files in the web servers (which is typically what most log-based applications will focus on), but also to determine if attacks take place at the web server.
In order to analyze web server attacks the error log files of the server need to be analyzed. Review should concentrate on:
• 40x (not found) error messages. A large amount of these from the same source might be indicative of a CGI scanner tool being used against the web server.
• 50x (server error) messages. These can be an indication of an attacker abusing parts of the application which fail unexpectedly. For example, the first phases of a SQL injection attack will produce these error messages when the SQL query is not properly constructed and its execution fails on the back end database.
Log statistics or analysis should not be generated, nor stored, in the same server that produces the logs. Otherwise, an attacker might, through a web server vulnerability or improper configuration, gain access to them and retrieve similar information as would be disclosed by the log files themselves.

References
[1] Apache
• Apache Security, by Ivan Ristic, O’Reilly, March 2005.
• Apache Security Secrets: Revealed (Again), Mark Cox, November 2003 - http://www.awe.com/mark/apcon2003/
• Apache Security Secrets: Revealed, ApacheCon 2002, Las Vegas, Mark J Cox, October 2002 - http://www.awe.com/mark/apcon2002
• Performance Tuning - http://httpd.apache.org/docs/misc/perf-tuning.html
[2] Lotus Domino
• Lotus Security Handbook, William Tworek et al., April 2004, available in the IBM Redbooks collection
• Lotus Domino Security, an X-force white-paper, Internet Security Systems, December 2002
• Hackproofing Lotus Domino Web Server, David Litchfield, October 2001, NGSSoftware Insight Security Research, available at http://www.nextgenss.com
[3] Microsoft IIS
• IIS 6.0 Security, by Rohyt Belani, Michael Muckin - http://www.securityfocus.com/print/infocus/1765
• IIS 7.0 Securing Configuration - http://technet.microsoft.com/en-us/library/dd163536.aspx
• Securing Your Web Server (Patterns and Practices), Microsoft Corporation, January 2004
• IIS Security and Programming Countermeasures, by Jason Coombs
• From Blueprint to Fortress: A Guide to Securing IIS 5.0, by John Davis, Microsoft Corporation, June 2001
• Secure Internet Information Services 5 Checklist, by Michael Howard, Microsoft Corporation, June 2000
• “INFO: Using URLScan on IIS” - http://support.microsoft.com/default.aspx?scid=307608
[4] Red Hat’s (formerly Netscape’s) iPlanet
• Guide to the Secure Configuration and Administration of iPlanet Web Server, Enterprise Edition 4.1, by James M Hayes, The Network Applications Team of the Systems and Network Attack Center (SNAC), NSA, January 2001
[5] WebSphere
• IBM WebSphere V5.0 Security, WebSphere Handbook Series, by Peter Kovari et al., IBM, December 2002.
• IBM WebSphere V4.0 Advanced Edition Security, by Peter Kovari et al., IBM, March 2002.
[6] General
• Logging Cheat Sheet, OWASP
• SP 800-92 Guide to Computer Security Log Management, NIST
• PCI DSS v2.0 Requirement 10 and PA-DSS v2.0 Requirement 4, PCI Security Standards Council
[7] Generic
• CERT Security Improvement Modules: Securing Public Web Servers - http://www.cert.org/security-improvement/
• Apache Security Configuration Document, InterSect Alliance - http://www.intersectalliance.com/projects/ApacheConfig/index.html
• “How To: Use IISLockdown.exe” - http://msdn.microsoft.com/library/en-us/secmod/html/secmod113.asp

Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

Summary
File extensions are commonly used in web servers to easily determine which technologies, languages and plugins must be used to fulfill the web request. While this behavior is consistent with RFCs and Web Standards, using standard file extensions provides the penetration tester useful information about the underlying technologies used in a web appliance and greatly simplifies the task of determining the attack scenario to be used on particular technologies. In addition, mis-configuration of web servers could easily reveal confidential information about access credentials.
Extension checking is often used to validate files to be uploaded, which can lead to unexpected results because the content is not what is expected, or because of unexpected OS file name handling.
Determining how web servers handle requests corresponding to files having different extensions may help in understanding web server behavior depending on the kind of files that are accessed. For example, it can help to understand which file extensions are returned as text or plain versus those that cause execution on the server side. The latter are indicative of technologies, languages or plugins that are used by web servers or application servers, and may provide additional insight on how the web application is engineered. For example, a “.pl” extension is usually associated with server-side Perl support. However, the file extension alone may be deceptive and not fully conclusive. For example, Perl server-side resources might be renamed to conceal the fact that they are indeed Perl related. See the next section on “web server components” for more on identifying server side technologies and components.

How to Test
Forced browsing
Submit http[s] requests involving different file extensions and verify how they are handled. The verification should be on a per web directory basis. Verify directories that allow script execution. Web server directories can be identified by vulnerability scanners, which look for the presence of well-known directories.
In addition, mirroring the website structure allows the tester to reconstruct the tree of web directories served by the application.
If the web application architecture is load-balanced, it is important to assess all of the web servers. This may or may not be easy, depending on the configuration of the balancing infrastructure. In an infrastructure with redundant components there may be slight variations in the configuration of individual web or application servers. This may happen if the web architecture employs heterogeneous technologies (think of a set of IIS and Apache web servers in a load-balancing configuration, which may introduce slight asymmetric behavior between them, and possibly different vulnerabilities).
Example:
The tester has identified the existence of a file named connection.inc. Trying to access it directly gives back its contents, which are:
mysql_connect("127.0.0.1", "root", "") or die("Could not connect");
The tester determines the existence of a MySQL DBMS back end, and the (weak) credentials used by the web application to access it.
The following file extensions should never be returned by a web server, since they are related to files which may contain sensitive information or to files for which there is no reason to be served.
• .asa
• .inc
The following file extensions are related to files which, when accessed, are either displayed or downloaded by the browser. Therefore, files with these extensions must be checked to verify that they are indeed supposed to be served (and are not leftovers), and that they do not contain sensitive information.
• .zip, .tar, .gz, .tgz, .rar, ...: (Compressed) archive files
• .java: No reason to provide access to Java source files
• .txt: Text files
• .pdf: PDF documents
• .doc, .rtf, .xls, .ppt, ...: Office documents
• .bak, .old and other extensions indicative of backup files (for example: ~ for Emacs backup files)
The list given above details only a few examples, since file extensions are too many to be comprehensively treated here.
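As an added example (not from the OWASP guide), the following Python triages paths collected during forced browsing against the extension lists above, and also models the Windows 8.3 short-name expansion the Summary alludes to under OS file name handling, so that names such as shell.phPWND or file.phtml are flagged as executable rather than passed over. The policy sets, the simplified 8.3 model and the sample responses are assumptions constructed for this example.

```python
import re
# Constructed policy from the extension lists on this page: never served, served to
# the browser and to be reviewed, and server-side script extensions that get executed.
NEVER_SERVE = {"asa", "inc"}
REVIEW = {"zip", "tar", "gz", "tgz", "rar", "java", "txt", "pdf",
          "doc", "rtf", "xls", "ppt", "bak", "old"}
EXECUTED = {"php", "phtml", "php3", "pht", "asp", "aspx", "pl", "cgi", "jsp"}
SOURCE_MARKERS = ("<?php", "<%", "mysql_connect(", "#!/usr/bin/perl")  # raw source hints

def short_name_83(name):
    """Approximate Windows 8.3 short name. Assumption: simplified model that always
    uses '~1' and ignores NTFS collision numbering and hashed short names."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    if len(base) <= 8 and len(ext) <= 3 and "." not in base:
        return name.upper()  # already a valid 8.3 name
    base = re.sub(r"[^A-Za-z0-9_\-]", "", base)[:6].upper()
    ext = re.sub(r"[^A-Za-z0-9_\-]", "", ext)[:3].upper()
    return base + "~1" + ("." + ext if ext else "")

def classify(path):
    """Classify a path by the page's categories. Every dot-separated component after
    the first plus the 8.3 short name's extension are checked, so mixed case,
    over-long and double extensions are caught. Most severe verdict wins."""
    name = path.rsplit("/", 1)[-1]
    candidates = {p.lower() for p in name.split(".")[1:]}
    short = short_name_83(name)
    if "." in short:
        candidates.add(short.rsplit(".", 1)[1].lower())
    if candidates & NEVER_SERVE:
        return "never-serve"
    if candidates & EXECUTED:
        return "executed"
    if candidates & REVIEW or name.endswith("~"):
        return "review"  # includes Emacs-style backup files
    return "ok"

def discloses_source(body):
    """True when a served body looks like unprocessed server-side code (connection.inc case)."""
    return any(marker in body for marker in SOURCE_MARKERS)

def audit(responses):
    """Map each (path, body) pair from a forced-browsing run to a verdict."""
    return {p: classify(p) + ("+source-disclosure" if discloses_source(b) else "")
            for p, b in responses}

SAMPLE = [  # constructed sample of what a forced-browsing pass might have returned
    ("/connection.inc", 'mysql_connect("127.0.0.1", "root", "") or die("x");'),
    ("/uploads/shell.phPWND", ""), ("/docs/report.pdf", "%PDF-1.4"),
    ("/index.php.bak", "<?php $secret = 'x';"), ("/logo.png", "\x89PNG")]
```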
Refer to http://filext.com/ for a more thorough database of extensions.
To identify files having a given extension a mix of techniques can be employed. These techniques can include vulnerability scanners, spidering and mirroring tools, manually inspecting the application (this overcomes limitations in automatic spidering), and querying search engines (see Testing: Spidering and googling). See also Testing for Old, Backup and Unreferenced Files, which deals with the security issues related to “forgotten” files.

File Upload
Windows 8.3 legacy file handling can sometimes be used to defeat file upload filters.
Usage Examples:
file.phtml gets processed as PHP code
FILE~1.PHT is served, but not processed by the PHP ISAPI handler
shell.phPWND can be uploaded
SHELL~1.PHP will be expanded and returned by the OS shell, then processed by the PHP ISAPI handler

Gray Box testing
Performing white box testing against file extensions handling amounts to checking the configurations of web servers or application servers taking part in the web application architecture, and verifying how they are instructed to serve different file extensions.
If the web application relies on a load-balanced, heterogeneous infrastructure, determine whether this may introduce different behavior.

Tools
Vulnerability scanners, such as Nessus and Nikto, check for the ex-