4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
154<br />
Web Application Penetration Testing<br />
• Amit Klein: “HTTP Response Smuggling” -<br />
http://www.securityfocus.com/archive/1/425593<br />
• Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: “HTTP<br />
Request Smuggling” - http://www.cgisecurity.com/lib/httprequest-smuggling.pdf<br />
Testing for Error Code (OTG-ERR-001)<br />
Summary<br />
Often, during a penetration test on web applications, we come<br />
up against many error codes generated from applications or<br />
web servers. It’s possible to cause these errors to be displayed<br />
by using a particular requests, either specially crafted with tools<br />
or created manually. These codes are very useful to penetration<br />
testers during their activities, because they reveal a lot of information<br />
about databases, bugs, and other technological components<br />
directly linked with web applications.<br />
This section analyses the more common codes (error messages)<br />
and bring into focus their relevance during a vulnerability assessment.<br />
The most important aspect for this activity is to focus<br />
one’s attention on these errors, seeing them as a collection of<br />
information that will aid in the next steps of our analysis. A good<br />
collection can facilitate assessment efficiency by decreasing the<br />
overall time taken to perform the penetration test.<br />
Attackers sometimes use search engines to locate errors that<br />
disclose information. Searches can be performed to find any erroneous<br />
sites as random victims, or it is possible to search for<br />
errors in a specific site using the search engine filtering tools as<br />
described in 4.2.1 Conduct Search Engine Discovery and Reconnaissance<br />
for Information Leakage (OTG-INFO-001)<br />
Web Server Errors<br />
A common error that we can see during testing is the HTTP 404<br />
Not Found. Often this error code provides useful details about<br />
the underlying web server and associated components. For example:<br />
Not Found<br />
The requested URL /page.html was not found on this server.<br />
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2<br />
PHP/5.1.2 Server at localhost Port 80<br />
This error message can be generated by requesting a non-existent<br />
URL. After the common message that shows a page not<br />
found, there is information about web server version, OS, modules<br />
and other products used. This information can be very important<br />
from an OS and application type and version identification<br />
point of view.<br />
Other HTTP response codes such as 400 Bad Request, 405<br />
Method Not Allowed, 501 Method Not Implemented, 408 Request<br />
Time-out and 505 HTTP Version Not Supported can be<br />
forced by an attacker. When receiving specially crafted requests,<br />
web servers may provide one of these error codes depending on<br />
their HTTP implementation.<br />
Testing for disclosed information in the Web Server error codes<br />
is related testing for information disclosed in the HTTP headers<br />
as described in the section Fingerprint Web Server (OTG-IN-<br />
FO-002).<br />
Application Server Errors<br />
Application errors are returned by the application itself, rather<br />
than the web server. These could be error messages from framework<br />
code (ASP, JSP etc.) or they could be specific errors returned<br />
by the application code. Detailed application errors typically provide<br />
information of server paths, installed libraries and application<br />
versions.<br />
Database Errors<br />
Database errors are those returned by the Database System<br />
when there is a problem with the query or the connection. Each<br />
Database system, such as MySQL, Oracle or MSSQL, has their<br />
own set of errors. Those errors can provide sensible information<br />
such as Database server IPs, tables, columns and login details.<br />
In addition, there are many SQL Injection exploitation techniques<br />
that utilize detailed error messages from the database driver, for<br />
in depth information on this issue see Testing for SQL Injection<br />
(OTG-INPVAL-005) for more information.<br />
Web server errors aren’t the only useful output returned requiring<br />
security analysis. Consider the next example error message:<br />
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)<br />
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not<br />
exist or access denied<br />
What happened? We will explain step-by-step below.<br />
In this example, the 80004005 is a generic IIS error code which<br />
indicates that it could not establish a connection to its associated<br />
database. In many cases, the error message will detail the type<br />
of the database. This will often indicate the underlying operating<br />
system by association. With this information, the penetration<br />
tester can plan an appropriate strategy for the security test.<br />
By manipulating the variables that are passed to the database<br />
connect string, we can invoke more detailed errors.<br />
Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’<br />
[Microsoft][ODBC Access 97 ODBC driver Driver]General error<br />
Unable to open registry key ‘DriverId’<br />
In this example, we can see a generic error in the same situation<br />
which reveals the type and version of the associated database<br />
system and a dependence on Windows operating system registry<br />
key values.<br />
Now we will look at a practical example with a security test<br />
against a web application that loses its link to its database server<br />
and does not handle the exception in a controlled manner. This<br />
could be caused by a database name resolution issue, processing<br />
of unexpected variable values, or other network problems.<br />
Consider the scenario where we have a database administration<br />
web portal, which can be used as a front end GUI to issue database