4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
172<br />
Web Application Penetration Testing<br />
suites or Certificates. Apart from other vulnerabilities discussed<br />
in other parts of this guide, a vulnerability exists when the server<br />
provides the website both with the HTTP and HTTPS protocols,<br />
and permits an attacker to force a victim into using a non-secure<br />
channel instead of a secure one.<br />
Surf Jacking<br />
The Surf Jacking attack [7] was first presented by Sandro Gauci<br />
and permits to an attacker to hijack an HTTP session even when<br />
the victim’s connection is encrypted using SSL or TLS.<br />
The following is a scenario of how the attack can take place:<br />
• Victim logs into the secure website at https://somesecuresite/.<br />
• The secure site issues a session cookie as the client logs in.<br />
• While logged in, the victim opens a new browser window and<br />
goes to http:// examplesite/<br />
• An attacker sitting on the same network is able to see the clear<br />
text traffic to http://examplesite.<br />
• The attacker sends back a “301 Moved Permanently” in<br />
response to the clear text traffic to http://examplesite. The<br />
response contains the header “Location: http://somesecuresite<br />
/”, which makes it appear that examplesite is sending the web<br />
browser to somesecuresite. Notice that the URL scheme is<br />
HTTP not HTTPS.<br />
• The victim’s browser starts a new clear text connection to<br />
http://somesecuresite/ and sends an HTTP request containing<br />
the cookie in the HTTP header in clear text<br />
• The attacker sees this traffic and logs the cookie for later use.<br />
To test if a website is vulnerable carry out the following tests:<br />
[1] Check if website supports both HTTP and HTTPS protocols<br />
[2] Check if cookies do not have the “Secure” flag<br />
SSL Strip<br />
Some applications supports both HTTP and HTTPS, either for<br />
usability or so users can type both addresses and get to the site.<br />
Often users go into an HTTPS website from link or a redirect.<br />
Typically personal banking sites have a similar configuration with<br />
an iframed log in or a form with action attribute over HTTPS but<br />
the page under HTTP.<br />
An attacker in a privileged position - as described in SSL strip<br />
[8] - can intercept traffic when the user is in the http site and<br />
manipulate it to get a Man-In-The-Middle attack under HTTPS.<br />
An application is vulnerable if it supports both HTTP and HTTPS.<br />
Testing via HTTP proxy<br />
Inside corporate environments testers can see services<br />
that are not directly accessible and they can access them<br />
only via HTTP proxy using the CONNECT method [36].<br />
Most of the tools will not work in this scenario because they try<br />
to connect to the desired tcp port to start the SSL/TLS handshake.<br />
With the help of relaying software such as socat [37] testers<br />
can enable those tools for use with services behind an HTTP<br />
proxy.<br />
Example 8. Testing via HTTP proxy<br />
To connect to destined.application.lan:443 via proxy<br />
10.13.37.100:3128 run socat as follows:<br />
Then the tester can target all other tools to localhost:9999:<br />
$ openssl s_client -connect localhost:9999<br />
All connections to localhost:9999 will be effectively relayed by<br />
socat via proxy to destined.application.lan:443.<br />
Configuration Review<br />
Testing for Weak SSL/TLS Cipher Suites<br />
Check the configuration of the web servers that provide https<br />
services. If the web application provides other SSL/TLS wrapped<br />
services, these should be checked as well.<br />
Example 9. Windows Server<br />
Check the configuration on a Microsoft Windows Server (2000,<br />
2003 and 2008) using the registry key:<br />
$ socat TCP-LISTEN:9999,reuseaddr,fork<br />
PROXY:10.13.37.100:destined.application.lan:443,proxyport=3128<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\<br />
that has some sub-keys including Ciphers, Protocols and KeyExchangeAlgorithms.<br />
Example 10: Apache<br />
To check the cipher suites and protocols supported by the<br />
Apache2 web server, open the ssl.conf file and search for the<br />
SSLCipherSuite, SSLProtocol, SSLHonorCipherOrder,SSLInsecureRenegotiation<br />
and SSLCompression directives.<br />
Testing SSL certificate validity – client and server<br />
Examine the validity of the certificates used by the application<br />
at both server and client levels. The usage of certificates is primarily<br />
at the web server level, however, there may be additional<br />
communication paths protected by SSL (for example, towards<br />
the DBMS). Testers should check the application architecture to<br />
identify all SSL protected channels.<br />
Tools<br />
• [21][Qualys SSL Labs - SSL Server Test | https://www.ssllabs.<br />
com/ssltest/index.html]: internet facing scanner<br />
• [27] [Tenable - Nessus Vulnerability Scanner | http://www.<br />
tenable.com/products/nessus]: includes some plugins to test<br />
different SSL related vulnerabilities, Certificates and the presence<br />
of HTTP Basic authentication without SSL.<br />
• [32] [TestSSLServer | http://www.bolet.org/TestSSLServer/]:<br />
a java scanner - and also windows executable - includes tests<br />
for cipher suites, CRIME and BEAST<br />
• [33] [sslyze | https://github.com/iSECPartners/sslyze]: is a<br />
python script to check vulnerabilities in SSL/TLS.