
Web Application Penetration Testing

    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20080404
    Accept: text/xml,application/xml,application/xhtml+xml,text/html
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: https://www.example.com/form.html
    If-Modified-Since: Mon, 30 Jun 2008 07:55:11 GMT
    If-None-Match: "43a01-5b-4868915f"

You can see that the data is transferred in clear text in the URL and not in the body of the request as before. But we must consider that SSL/TLS is a level 5 protocol, a lower level than HTTP, so the whole HTTP packet is still encrypted, making the URL unreadable to a malicious user using a sniffer. Nevertheless, as stated before, it is not good practice to use the GET method to send sensitive data to a web application, because the information contained in the URL can be stored in many locations, such as proxy and web server logs.

Gray Box testing

Speak with the developers of the web application and try to understand if they are aware of the differences between the HTTP and HTTPS protocols and why they should use HTTPS for transmitting sensitive information. Then, check with them that HTTPS is used in every sensitive request, such as those on login pages, to prevent unauthorized users from intercepting the data.

Tools

• WebScarab
• OWASP Zed Attack Proxy (ZAP)

References

Whitepapers

• HTTP/1.1: Security Considerations - http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
• SSL is not about encryption

Testing for default credentials (OTG-AUTHN-002)

Summary

Nowadays web applications often make use of popular open source or commercial software that can be installed on servers with minimal configuration or customization by the server administrator. Moreover, a lot of hardware appliances (e.g. network routers and database servers) offer web-based configuration or administrative interfaces.

Often these applications, once installed, are not properly configured and the default credentials provided for initial authentication and configuration are never changed. These default credentials are well known by penetration testers and, unfortunately, also by malicious attackers, who can use them to gain access to various types of applications.

Furthermore, in many situations, when a new account is created on an application, a default password (with some standard characteristics) is generated. If this password is predictable and the user does not change it on the first access, this can lead to an attacker gaining unauthorized access to the application.

The root causes of this problem can be identified as:

• Inexperienced IT personnel, who are unaware of the importance of changing default passwords on installed infrastructure components, or leave the password as default for "ease of maintenance".
• Programmers who leave back doors to easily access and test their application and later forget to remove them.
• Applications with built-in non-removable default accounts with a preset username and password.
• Applications that do not force the user to change the default credentials after the first login.

How to Test

Testing for default credentials of common applications

In black box testing the tester knows nothing about the application and its underlying infrastructure. In reality this is often not true, and some information about the application is known. We suppose that you have identified, through the use of the techniques described in this Testing Guide under the chapter Information Gathering, at least one or more common applications that may contain accessible administrative interfaces.

When you have identified an application interface, for example a Cisco router web interface or a Weblogic administrator portal, check that the known usernames and passwords for these devices do not result in successful authentication. To do this you can consult the manufacturer's documentation or, in a much simpler way, you can find common credentials using a search engine or by using one of the sites or tools listed in the Reference section.

When facing applications where we do not have a list of default and common user accounts (for example because the application is not widespread) we can attempt to guess valid default credentials. Note that the application being tested may have an account lockout policy enabled, and multiple password guess attempts with a known username may cause the account to be locked. If it is possible to lock the administrator account, it may be troublesome for the system administrator to reset it.

Many applications have verbose error messages that inform the site users as to the validity of entered usernames. This information will be helpful when testing for default or guessable user accounts. Such functionality can be found, for example, on the login page, the password reset and forgotten password pages, and the signup page. Once you have found a default username you could also start guessing passwords for this account.

More information about this procedure can be found in the section Testing for User Enumeration and Guessable User Account and in the section Testing for Weak password policy.

Since these types of default credentials are often bound to administrative accounts you can proceed in this manner:
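The warning in the HTTPS section above is that a URL query string survives TLS: it is written, in clear text, to proxy and web server logs. The following added example (not code from the Testing Guide) is a defender-side check that scans Common Log Format access logs for request lines whose query string carries sensitive parameter names. The log lines, the `/authentication.php` path and the list of sensitive field names are all constructed assumptions for the illustration.

```python
"""Scan web server access logs for sensitive data that travelled in a URL
query string and was therefore logged. Added example; the log lines and
the SENSITIVE_KEYS list below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: host ident user [timestamp] "METHOD target HTTP/x.y" status
# The HTTP version is optional so lines with a bare "GET /path" still match.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Parameter names that should never appear in a URL (assumed list; extend per application).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass", "token", "session", "sessionid",
    "ssn", "creditcard", "cvv", "otp",
}


def sensitive_params(target):
    """Return the sorted sensitive parameter names found in a request target's query."""
    query = urlsplit(target).query
    return sorted({
        key.lower()
        for key, _value in parse_qsl(query, keep_blank_values=True)
        if key.lower() in SENSITIVE_KEYS
    })


def scan_access_log(lines):
    """Return (line_no, method, path, keys) for each request whose query string
    carries a sensitive parameter. Only the parameter names are reported, so the
    finding itself does not re-leak the secret value."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = CLF_RE.match(line)
        if not match:
            continue  # not a CLF request line; skip rather than guess
        keys = sensitive_params(match["target"])
        if keys:
            findings.append((line_no, match["method"], urlsplit(match["target"]).path, keys))
    return findings


# Constructed sample log: a login sent over GET (credentials land in the log),
# the same login over POST (body is not logged) and an unrelated search.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jun/2008:07:55:11 +0000] '
    '"GET /authentication.php?Username=alice&Password=s3cret HTTP/1.1" 302 0',
    '203.0.113.5 - - [30/Jun/2008:07:55:40 +0000] "POST /authentication.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [30/Jun/2008:07:56:02 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for line_no, method, path, keys in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(keys)} in the query string")
```

Run against a real access log, a hit from this scanner is evidence that the application in question accepts sensitive fields via GET and that the log files themselves now need to be treated as sensitive; moving the form to POST over HTTPS fixes the first problem, but the existing log copies still have to be found and purged.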
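The default-credentials section above names three weaknesses that a login routine can have: a default password that is never forced to change, verbose error messages that confirm whether a username exists, and the absence (or the administrator-locking side effect) of an account lockout policy. The added example below, which is not from the Testing Guide, shows a login function with the verbose-error defect beside a hardened version that returns one generic message, counts failures per account, and only lets a default password be used to set a new one. The user store, the `admin`/`admin` default credential and the lockout threshold are constructed for illustration.

```python
"""Verbose login (leaks username validity) beside a hardened login with a
uniform error, per-account lockout and forced change of default passwords.
Added example; accounts and policy values are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # kept low for the demo; a dedicated password hash (argon2, bcrypt) is preferable
LOCKOUT_THRESHOLD = 5       # assumed policy value


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False  # True for accounts created with a default or generated password
    failed_attempts: int = 0
    locked: bool = False


def make_account(username, password, default_password=False):
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), must_change_password=default_password)


# --- Vulnerable: two distinct failure messages let a caller tell valid usernames apart ---
def login_verbose(store, username, password):
    acct = store.get(username)
    if acct is None:
        return "Unknown user"        # confirms the username does not exist
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return "Wrong password"      # confirms the username does exist
    return "OK"


# --- Hardened ---
GENERIC_FAILURE = "Invalid username or password"


def login_hardened(store, username, password):
    acct = store.get(username)
    if acct is None:
        hash_password(password, b"\x00" * 16)  # spend comparable CPU time so timing does not reveal nonexistence
        return GENERIC_FAILURE
    if acct.locked:
        return GENERIC_FAILURE  # lockout is not announced to the caller either; alert the operator instead
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True  # for administrative accounts, pair this with an out-of-band reset path
        return GENERIC_FAILURE
    acct.failed_attempts = 0
    if acct.must_change_password:
        return "PASSWORD_CHANGE_REQUIRED"  # a default password is accepted once, only to set a new one
    return "OK"


def demo_store():
    """Constructed user store: one account still on its default password, one normal user."""
    return {
        "admin": make_account("admin", "admin", default_password=True),
        "alice": make_account("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    store = demo_store()
    print("verbose, unknown user :", login_verbose(store, "nobody", "x"))
    print("verbose, wrong pass   :", login_verbose(store, "alice", "x"))
    print("hardened, unknown user:", login_hardened(store, "nobody", "x"))
    print("hardened, wrong pass  :", login_hardened(store, "alice", "x"))
    print("hardened, default cred:", login_hardened(store, "admin", "admin"))
```

The two failure branches of `login_verbose` are exactly the signal the text says a tester will look for on login, password reset and signup pages; `login_hardened` removes it by returning the same string (and doing comparable work) in every failure case, while the `must_change_password` flag is what turns a well-known default into a one-time bootstrap secret rather than a standing credential.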
