4.0

More documents

Recommendations

Info

154 Web Application Penetration Testing • Amit Klein: “HTTP Response Smuggling” - http://www.securityfocus.com/archive/1/425593 • Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: “HTTP Request Smuggling” - http://www.cgisecurity.com/lib/httprequest-smuggling.pdf Testing for Error Code (OTG-ERR-001) Summary Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It’s possible to cause these errors to be displayed by using a particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications. This section analyses the more common codes (error messages) and bring into focus their relevance during a vulnerability assessment. The most important aspect for this activity is to focus one’s attention on these errors, seeing them as a collection of information that will aid in the next steps of our analysis. A good collection can facilitate assessment efficiency by decreasing the overall time taken to perform the penetration test. Attackers sometimes use search engines to locate errors that disclose information. Searches can be performed to find any erroneous sites as random victims, or it is possible to search for errors in a specific site using the search engine filtering tools as described in 4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) Web Server Errors A common error that we can see during testing is the HTTP 404 Not Found. Often this error code provides useful details about the underlying web server and associated components. For example: Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80 This error message can be generated by requesting a non-existent URL. After the common message that shows a page not found, there is information about web server version, OS, modules and other products used. This information can be very important from an OS and application type and version identification point of view. Other HTTP response codes such as 400 Bad Request, 405 Method Not Allowed, 501 Method Not Implemented, 408 Request Time-out and 505 HTTP Version Not Supported can be forced by an attacker. When receiving specially crafted requests, web servers may provide one of these error codes depending on their HTTP implementation. Testing for disclosed information in the Web Server error codes is related testing for information disclosed in the HTTP headers as described in the section Fingerprint Web Server (OTG-IN- FO-002). Application Server Errors Application errors are returned by the application itself, rather than the web server. These could be error messages from framework code (ASP, JSP etc.) or they could be specific errors returned by the application code. Detailed application errors typically provide information of server paths, installed libraries and application versions. Database Errors Database errors are those returned by the Database System when there is a problem with the query or the connection. Each Database system, such as MySQL, Oracle or MSSQL, has their own set of errors. Those errors can provide sensible information such as Database server IPs, tables, columns and login details. In addition, there are many SQL Injection exploitation techniques that utilize detailed error messages from the database driver, for in depth information on this issue see Testing for SQL Injection (OTG-INPVAL-005) for more information. Web server errors aren’t the only useful output returned requiring security analysis. Consider the next example error message: Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied What happened? We will explain step-by-step below. In this example, the 80004005 is a generic IIS error code which indicates that it could not establish a connection to its associated database. In many cases, the error message will detail the type of the database. This will often indicate the underlying operating system by association. With this information, the penetration tester can plan an appropriate strategy for the security test. By manipulating the variables that are passed to the database connect string, we can invoke more detailed errors. Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’ [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key ‘DriverId’ In this example, we can see a generic error in the same situation which reveals the type and version of the associated database system and a dependence on Windows operating system registry key values. Now we will look at a practical example with a security test against a web application that loses its link to its database server and does not handle the exception in a controlled manner. This could be caused by a database name resolution issue, processing of unexpected variable values, or other network problems. Consider the scenario where we have a database administration web portal, which can be used as a front end GUI to issue database
155 Web Application Penetration Testing queries, create tables, and modify database fields. During the POST of the logon credentials, the following error message is presented to the penetration tester. The message indicates the presence of a MySQL database server: Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server host If we see in the HTML code of the logon page the presence of a hidden field with a database IP, we can try to change this value in the URL with the address of database server under the penetration tester’s control in an attempt to fool the application into thinking that the logon was successful. Another example: knowing the database server that services a web application, we can take advantage of this information to carry out a SQL Injection for that kind of database or a persistent XSS test. How to Test Below are some examples of testing for detailed error messages returned to the user. Each of the below examples has specific information about the operating system, application version, etc. Test: 404 Not Found telnet 80 GET / HTTP/1.1 host: Result: HTTP/1.1 404 Not Found Date: Sat, 04 Nov 2006 15:26:48 GMT Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g Content-Length: 310 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 404 Not Found ... Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g at Port 80 Test: Network problems leading to the application being unable to access the database server Result: Microsoft OLE DB Provider for ODBC Drivers (0x80004005) ‘ [MySQL][ODBC 3.51 Driver]Unknown MySQL server host Test: Authentication failure due to missing credentials Result: Firewall version used for authentication: Error 407 FW-1 at : Unauthorized to access the document. • Authorization is needed for FW-1. • The authentication required by FW-1 is: unknown. • Reason for failure of last attempt: no user Test: 400 Bad Request telnet 80 GET / HTTP/1.1 Result: HTTP/1.1 400 Bad Request Date: Fri, 06 Dec 2013 23:57:53 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Vary: Accept-Encoding Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 400 Bad Request ... Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at 127.0.1.1 Port 80 ... Test: 405 Method Not Allowed telnet 80 PUT /index.html HTTP/1.1 Host: Result: HTTP/1.1 405 Method Not Allowed Date: Fri, 07 Dec 2013 00:48:57 GMT Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch Allow: GET, HEAD, POST, OPTIONS Vary: Accept-Encoding Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 ... 405 Method Not Allowed ... Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80 ...
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24:
21 Testing Guide Introduction ment
Page 25 and 26:
23 Testing Guide Introduction offen
Page 27 and 28:
25 The OWASP Testing Framework sect
Page 29 and 30:
27 Web Application Penetration Test
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101 Web Application Penetration Tes
Page 105 and 106: 103 Web Application Penetration Tes
Page 155: 153 Web Application Penetration Tes
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?