4.0

More documents

Recommendations

Info

184 Web Application Penetration Testing Suppose an eCommerce site allows users to take advantage of any one of many discounts on their total purchase and then proceed to checkout and tendering. What happens of the attacker navigates back to the discounts page after taking and applying the one “allowable” discount? Can they take advantage of another discount? Can they take advantage of the same discount multiple times? How to Test • Review the project documentation and use exploratory testing looking for functions or features in the application or system that should not be executed more that a single time or specified number of times during the business logic workflow. • For each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times. For example, can a user navigate back and forth through the pages multiple times executing a function that should only execute once? or can a user load and unload shopping carts allowing for additional discounts. Related Test Cases • Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) • Testing for Weak lock out mechanism (OTG-AUTHN-003) References InfoPath Forms Services business logic exceeded the maximum limit of operations Rule - http://mpwiki.viacode.com/default.aspx?g=posts&t=115678 Gold Trading Was Temporarily Halted On The CME This Morning - http://www.businessinsider.com/gold-halted-on-cme-forstop-logic-event-2013-10 Remediation The application should have checks to ensure that the business logic is being followed and that if a function/action can only be executed a certain number of times, when the limit is reached the user can no longer execute the function. To prevent users from using a function over the appropriate number of times the application may use mechanisms such as cookies to keep count or through sessions not allowing users to access to execute the function additional times. Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006) Summary Workflow vulnerabilities involve any type of vulnerability that allows the attacker to misuse an application/system in a way that will allow them to circumvent (not follow) the designed/intended workflow. “A workflow consists of a sequence of connected steps where each step follows without delay or gap and ends just before the subsequent step may begin. It is a depiction of a sequence of operations, declared as work of a person or group, an organization of staff, or one or more simple or complex mechanisms. Workflow may be seen as any abstraction of real work.” (https:// en.wikipedia.org/wiki/Workflow) The application’s business logic must require that the user complete specific steps in the correct/specific order and if the workflow is terminated without correctly completing, all actions and spawned actions are “rolled back” or canceled. Vulnerabilities related to the circumvention of workflows or bypassing the correct business logic workflow are unique in that they are very application/system specific and careful manual misuse cases must be developed using requirements and use cases. The applications business process must have checks to ensure that the user’s transactions/actions are proceeding in the correct/acceptable order and if a transaction triggers some sort of action, that action will be “rolled back” and removed if the transaction is not successfully completed. Examples Example 1 Many of us receive so type of “club/loyalty points” for purchases from grocery stores and gas stations. Suppose a user was able to start a transaction linked to their account and then after points have been added to their club/loyalty account cancel out of the transaction or remove items from their “basket” and tender. In this case the system either should not apply points/ credits to the account until it is tendered or points/credits should be “rolled back” if the point/credit increment does not match the final tender. With this in mind, an attacker may start transactions and cancel them to build their point levels without actually buy anything. Example 2 An electronic bulletin board system may be designed to ensure that initial posts do not contain profanity based on a list that the post is compared against. If a word on a “black” the list is found in the user entered text the submission is not posted. But, once a submission is posted the submitter can access, edit, and change the submission contents to include words included on the profanity/black list since on edit the posting is never compared again. Keeping this in mind, attackers may open an initial blank or minimal discussion then add in whatever they like as an update. How to Test Generic Testing Method • Review the project documentation and use exploratory testing looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow. • For each method develop a misuse case and try to circumvent or perform an action that is “not acceptable” per the the business logic workflow. Testing Method 1 • Start a transaction going through the application past the points that triggers credits/points to the users account. • Cancel out of the transaction or reduce the final tender so that the point values should be decreased and check the points/
185 Web Application Penetration Testing credit system to ensure that the proper points/credits were recorded. Testing Method 2 • On a content management or bulletin board system enter and save valid initial text or values. • Then try to append, edit and remove data that would leave the existing data in an invalid state or with invalid values to ensure that the user is not allowed to save the incorrect information. Some “invalid” data or information may be specific words (profanity) or specific topics (such as political issues). Related Test Cases • Testing Directory traversal/file include (OTG-AUTHZ-001) • Testing for bypassing authorization schema (OTG-AUTHZ-002) • Testing for Bypassing Session Management Schema (OTGSESS-001) • Test Business Logic Data Validation (OTG-BUSLOGIC-001) • Test Ability to Forge Requests (OTG-BUSLOGIC-002) • Test Integrity Checks (OTG-BUSLOGIC-003) • Test for Process Timing (OTG-BUSLOGIC-004) • Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005) • Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007) • Test Upload of Unexpected File Types (OTG-BUSLOGIC-008) • Test Upload of Malicious Files (OTG-BUSLOGIC-009) References • OWASP Detail Misuse Cases - https://www.owasp.org/index php/Detail_misuse_cases • Real-Life Example of a ‘Business Logic Defect - http://h30501 www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life- Example-of-a-Business-Logic-Defect-Screen-Shots/bap/22581 • Top 10 Business Logic Attack Vectors Attacking and Exploiting Business Application Assets and Flaws – Vulnerability Detection to Fix - http://www.ntobjectives.com/go/business-logicattack-vectors-white-paper/ and http://www.ntobjectives. com/files/Business_Logic_White_Paper.pdf • CWE-840: Business Logic Errors - http://cwe.mitre.org/data definitions/840.html Remediation The application must be self-aware and have checks in place ensuring that the users complete each step in the work flow process in the correct order and prevent attackers from circumventing/skipping/or repeating any steps/processes in the workflow. Test for workflow vulnerabilities involves developing business logic abuse/misuse cases with the goal of successfully completing the business process while not completing the correct steps in the correct order. Test defenses against application mis-use (OTG-BUSLOGIC-007) Summary The misuse and invalid use of of valid functionality can identify attacks attempting to enumerate the web application, identify weaknesses, and exploit vulnerabilities. Tests should be undertaken to determine whether there are application-layer defensive mechanisms in place to protect the application. The lack of active defenses allows an attacker to hunt for vulnerabilities without any recourse. The application’s owner will thus not know their application is under attack. Example An authenticated user undertakes the following (unlikely) sequence of actions: [1] Attempt to access a file ID their roles is not permitted to download [2] Substitutes a single tick (‘) instead of the file ID number [3] Alters a GET request to a POST [4] Adds an extra parameter [5] Duplicates a parameter name/value pair The application is monitoring for misuse and responds after the 5th event with extremely high confidence the user is an attacker. For example the application: • Disables critical functionality • Enables additional authentication steps to the remaining functionality • Adds time-delays into every request-response cycle • Begins to record additional data about the user’s interactions (e.g. sanitized HTTP request headers, bodies and response bodies) If the application does not respond in any way and the attacker can continue to abuse functionality and submit clearly malicious content at the application, the application has failed this test case. In practice the discrete example actions in the example above are unlikely to occur like that. It is much more probable that a fuzzing tool is used to identify weaknesses in each parameter in turn. This is what a security tester will have undertaken too. How to Test This test is unusual in that the result can be drawn from all the other tests performed against the web application. While performing all the other tests, take note of measures that might indicate the application has in-built self-defense: • Changed responses • Blocked requests • Actions that log a user out or lock their account
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24:
21 Testing Guide Introduction ment
Page 25 and 26:
23 Testing Guide Introduction offen
Page 27 and 28:
25 The OWASP Testing Framework sect
Page 29 and 30:
27 Web Application Penetration Test
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101 Web Application Penetration Tes
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136: 133 Web Application Penetration Tes
Page 185: 183 Web Application Penetration Tes
Page 211 and 212: 209 same code can be applied to ses
Page 213 and 214: 211 Reporting Test ID Lowest versio
Page 215 and 216: 213 Reporting Test ID Business Logi
Page 217 and 218: 215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220: 217 Appendix Testing - http:/www.ni
Page 221 and 222: 219 Cross Site Scripting (XSS) For
Page 223 and 224: 221 LDAP Injection For details on L
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?