68Web Application Penetration TestingUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it;rv:1.8.1.14) Gecko/20080404Accept: text/xml,application/xml,application/xhtml+xml,-text/htmlAccept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: https: /www.example.com/form.htmlIf-Modified-Since: Mon, 30 Jun 2008 07:55:11 GMTIf-None-Match: “43a01-5b-4868915f”You can see that the data is transferred in clear text in the URLand not in the body of the request as before. But we must considerthat SSL/TLS is a level 5 protocol, a lower level than HTTP,so the whole HTTP packet is still encrypted making the URLunreadable to a malicious user using a sniffer. Nevertheless asstated before, it is not a good practice to use the GET method tosend sensitive data to a web application, because the informationcontained in the URL can be stored in many locations suchas proxy and web server logs.Gray Box testingSpeak with the developers of the web application and try tounderstand if they are aware of the differences between HTTPand HTTPS protocols and why they should use HTTPS for transmittingsensitive information. Then, check with them if HTTPSis used in every sensitive request, like those in log in pages, toprevent unauthorized users to intercept the data.Tools• WebScarab• OWASP Zed Attack Proxy (ZAP)ReferencesWhitepapers• HTTP/1.1: Security Considerations - http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html• SSL is not about encryptionTesting for default credentials(OTG-AUTHN-002)SummaryNowadays web applications often make use of popular opensource or commercial software that can be installed on serverswith minimal configuration or customization by the serveradministrator. Moreover, a lot of hardware appliances (i.e. networkrouters and database servers) offer web-based configuration oradministrative interfaces.Often these applications, once installed, are not properly configuredand the default credentials provided for initial authenticationand configuration are never changed. These default credentialsare well known by penetration testers and, unfortunately, also bymalicious attackers, who can use them to gain access to varioustypes of applications.Furthermore, in many situations, when a new account is createdon an application, a default password (with some standard characteristics)is generated. If this password is predictable and theuser does not change it on the first access, this can lead to an attackergaining unauthorized access to the application.The root cause of this problem can be identified as:• Inexperienced IT personnel, who are unaware of the importanceof changing default passwords on installed infrastructurecomponents, or leave the password as default for “ease ofmaintenance”.• Programmers who leave back doors to easily access and testtheir application and later forget to remove them.• Applications with built-in non-removable default accounts witha preset username and password.• Applications that do not force the user to change the defaultcredentials after the first log in.How to TestTesting for default credentials of common applicationsIn black box testing the tester knows nothing about the applicationand its underlying infrastructure. In reality this is often nottrue, and some information about the application is known. Wesuppose that you have identified, through the use of the techniquesdescribed in this Testing Guide under the chapter InformationGathering, at least one or more common applications thatmay contain accessible administrative interfaces.When you have identified an application interface, for examplea Cisco router web interface or a Weblogic administrator portal,check that the known usernames and passwords for these devicesdo not result in successful authentication. To do this you canconsult the manufacturer’s documentation or, in a much simplerway, you can find common credentials using a search engine orby using one of the sites or tools listed in the Reference section.When facing applications where we do not have a list of defaultand common user accounts (for example due to the fact that theapplication is not wide spread) we can attempt to guess valid defaultcredentials. Note that the application being tested may havean account lockout policy enabled, and multiple password guessattempts with a known username may cause the account to belocked. If it is possible to lock the administrator account, it may betroublesome for the system administrator to reset it.Many applications have verbose error messages that inform thesite users as to the validity of entered usernames. This informationwill be helpful when testing for default or guessable user accounts.Such functionality can be found, for example, on the login page, password reset and forgotten password page, and signup page. Once you have found a default username you could alsostart guessing passwords for this account.More information about this procedure can be found in the sectionTesting for User Enumeration and Guessable User Account and inthe section Testing for Weak password policy.Since these types of default credentials are often bound to administrativeaccounts you can proceed in this manner:
69Web Application Penetration Testing• Try the following usernames - “admin”, “administrator”, “root”,“system”, “guest”, “operator”, or “super”.These are popular among system administrators and are oftenused. Additionally you could try “qa”, “test”, “test1”, “testing” andsimilar names. Attempt any combination of the above in both theusername and the password fields. If the application is vulnerableto username enumeration, and you manage to successfullyidentify any of the above usernames, attempt passwords in asimilar manner. In addition try an empty password or one ofthe following “password”, “pass123”, “password123”, “admin”,or “guest” with the above accounts or any other enumeratedaccounts.Further permutations of the above can also be attempted. Ifthese passwords fail, it may be worth using a common usernameand password list and attempting multiple requests against theapplication. This can, of course, be scripted to save time.• Application administrative users are often named after theapplication or organization.This means if you are testing an application named “Obscurity”,try using obscurity/obscurity or any other similar combination asthe username and password.• When performing a test for a customer, attempt using namesof contacts you have received as usernames with any commonpasswords. Customer email addresses mail reveal the useraccounts naming convention: if employee John Doe has the emailaddress jdoe@example.com, you can try to find the names ofsystem administrators on social media and guess their usernameby applying the same naming convention to their name.• Attempt using all the above usernames with blank passwords.• Review the page source and JavaScript either through a proxyor by viewing the source. Look for any references to users andpasswords in the source.For example “If username=’admin’ then starturl=/admin.aspelse /index.asp” (for a successful log in versus a failed log in).Also, if you have a valid account, then log in and view everyrequest and response for a valid log in versus an invalid log in,such as additional hidden parameters, interesting GET request(login=yes), etc.• Look for account names and passwords written in commentsin the source code. Also look in backup directories for sourcecode (or backups of source code) that may contain interestingcomments and code.Testing for default password of new accountsIt can also occur that when a new account is created in an applicationthe account is assigned a default password. This passwordcould have some standard characteristics making it predictable. Ifthe user does not change it on first usage (this often happens ifthe user is not forced to change it) or if the user has not yet loggedon to the application, this can lead an attacker to gain unauthorizedaccess to the application.The advice given before about a possible lockout policy and verboseerror messages are also applicable here when testing fordefault passwords.The following steps can be applied to test for these types of defaultcredentials:• Looking at the User Registration page may help to determine theexpected format and minimum or maximum length of theapplication usernames and passwords. If a user registration pagedoes not exist, determine if the organization uses a standardnaming convention for user names such as their email address orthe name before the “@” in the email.• Try to extrapolate from the application how usernames aregenerated.For example, can a user choose his/her own username or doesthe system generate an account name for the user based onsome personal information or by using a predictable sequence? Ifthe application does generate the account names in a predictablesequence, such as user7811, try fuzzing all possible accountsrecursively.If you can identify a different response from the application whenusing a valid username and a wrong password, then you can try abrute force attack on the valid username (or quickly try any of theidentified common passwords above or in the reference section).• Try to determine if the system generated password is predictable.To do this, create many new accounts quickly after one anotherso that you can compare and determine if the passwordsare predictable. If predictable, try to correlate these with theusernames, or any enumerated accounts, and use them as abasis for a brute force attack.• If you have identified the correct naming convention for the username, try to “brute force” passwords with some commonpredictable sequence like for example dates of birth.• Attempt using all the above usernames with blank passwords orusing the username also as password value.Gray Box testingThe following steps rely on an entirely Gray Box approach. If onlysome of this information is available to you, refer to black boxtesting to fill the gaps.• Talk to the IT personnel to determine which passwords theyuse for administrative access and how administration of theapplication is undertaken.• Ask IT personnel if default passwords are changed and if defaultuser accounts are disabled.• Examine the user database for default credentials as describedin the Black Box testing section. Also check for empty passwordfields.• Examine the code for hard coded usernames and passwords.• Check for configuration files that contain usernamesand passwords.• Examine the password policy and, if the application generates itsown passwords for new users, check the policy in use for thisprocedure.Tools• Burp Intruder: http: /portswigger.net/burp/intruder.html• THC Hydra: http: /www.thc.org/thc-hydra/• Brutus: http: /www.hoobie.net/brutus/• Nikto 2: http: /www.cirt.net/nikto2ReferencesWhitepapers• CIRT http: /www.cirt.net/passwords• Government Security - Default Logins and Passwords forNetworked Devices http: /www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php• Virus.org http: /www.virus.org/default-password/