185
Web Application Penetration Testing
credit system to ensure that the proper points/credits were recorded.
Testing Method 2
• On a content management or bulletin board system enter and save valid initial text or values.
• Then try to append, edit and remove data that would leave the existing data in an invalid state or with invalid values to ensure that the user is not allowed to save the incorrect information. Some “invalid” data or information may be specific words (profanity) or specific topics (such as political issues).
Related Test Cases
• Testing Directory traversal/file include (OTG-AUTHZ-001)
• Testing for bypassing authorization schema (OTG-AUTHZ-002)
• Testing for Bypassing Session Management Schema (OTG-SESS-001)
• Test Business Logic Data Validation (OTG-BUSLOGIC-001)
• Test Ability to Forge Requests (OTG-BUSLOGIC-002)
• Test Integrity Checks (OTG-BUSLOGIC-003)
• Test for Process Timing (OTG-BUSLOGIC-004)
• Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
• Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
• Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
• Test Upload of Malicious Files (OTG-BUSLOGIC-009)
References
• OWASP Detail Misuse Cases - https://www.owasp.org/index.php/Detail_misuse_cases
• Real-Life Example of a ‘Business Logic Defect’ - http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/bap/22581
• Top 10 Business Logic Attack Vectors: Attacking and Exploiting Business Application Assets and Flaws – Vulnerability Detection to Fix - http://www.ntobjectives.com/go/business-logicattack-vectors-white-paper/ and http://www.ntobjectives.com/files/Business_Logic_White_Paper.pdf
• CWE-840: Business Logic Errors - http://cwe.mitre.org/data/definitions/840.html
Remediation
The application must be self-aware and have checks in place ensuring that users complete each step in the workflow process in the correct order, and it must prevent attackers from circumventing, skipping, or repeating any steps or processes in the workflow.
Testing for workflow vulnerabilities involves developing business logic abuse/misuse cases with the goal of successfully completing the business process without completing the correct steps in the correct order.
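As an added illustration of the remediation above (example code, not from the OWASP guide), a server-side guard that records each session's progress and rejects any step that is skipped, repeated or replayed; the checkout flow, step names and in-memory session store are constructed assumptions.

```python
# Added example, not from the OWASP guide: a server-side guard that enforces
# the order of a multi-step workflow so a client cannot skip, repeat or replay
# steps. The checkout flow, step names and in-memory session store are constructed.

WORKFLOW = ["cart", "shipping", "payment", "confirm"]  # required order

class WorkflowError(Exception):
    pass

class WorkflowGuard:
    """Tracks how far each session has progressed and validates every step
    against that server-side record, never against state the client sends."""

    def __init__(self, steps):
        self.steps = steps
        self.next_idx = {}  # session_id -> index of the next expected step

    def complete_step(self, session_id, step):
        if step not in self.steps:
            raise WorkflowError(f"unknown step {step!r}")
        expected = self.next_idx.get(session_id, 0)
        if expected >= len(self.steps):
            raise WorkflowError("workflow already finished; start a new one")
        requested = self.steps.index(step)
        if requested < expected:
            raise WorkflowError(f"step {step!r} already completed (replay)")
        if requested > expected:
            raise WorkflowError(f"step {step!r} skips {self.steps[expected]!r}")
        self.next_idx[session_id] = expected + 1  # advance only on the expected step
        return step

    def is_complete(self, session_id):
        return self.next_idx.get(session_id, 0) == len(self.steps)

def run_sequence(sequence, steps=WORKFLOW):
    """Feed a client's claimed step sequence to one session's guard.
    Returns (workflow completed?, list of (step, reason) rejections)."""
    guard, rejected = WorkflowGuard(steps), []
    for step in sequence:
        try:
            guard.complete_step("sess-1", step)
        except WorkflowError as exc:
            rejected.append((step, str(exc)))
    return guard.is_complete("sess-1"), rejected
```

A misuse case that jumps straight from "cart" to "confirm" is rejected and the workflow never reaches the completed state, which is the behaviour the test case is checking for.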
Test defenses against application mis-use (OTG-BUSLOGIC-007)
Summary
The misuse and invalid use of valid functionality can identify attacks attempting to enumerate the web application, identify weaknesses, and exploit vulnerabilities. Tests should be undertaken to determine whether there are application-layer defensive mechanisms in place to protect the application.
The lack of active defenses allows an attacker to hunt for vulnerabilities without any recourse. The application’s owner will thus not know their application is under attack.
Example
An authenticated user undertakes the following (unlikely) sequence of actions:
[1] Attempts to access a file ID their role is not permitted to download
[2] Substitutes a single tick (‘) instead of the file ID number
[3] Alters a GET request to a POST
[4] Adds an extra parameter
[5] Duplicates a parameter name/value pair
The application is monitoring for misuse and responds after the 5th event with extremely high confidence that the user is an attacker. For example the application:
• Disables critical functionality
• Enables additional authentication steps for the remaining functionality
• Adds time delays into every request-response cycle
• Begins to record additional data about the user’s interactions (e.g. sanitized HTTP request headers, bodies and response bodies)
If the application does not respond in any way and the attacker can continue to abuse functionality and submit clearly malicious content to the application, the application has failed this test case. In practice the discrete actions in the example above are unlikely to occur in that form. It is much more probable that a fuzzing tool is used to identify weaknesses in each parameter in turn. This is what a security tester will have undertaken too.
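The monitoring described in the example, written out as an added illustration (example code, not from the OWASP guide): a small application-layer detector that flags each of the five anomalies above for one user and escalates its defensive response as the count grows. The endpoint specification, role-to-file mapping, thresholds and the request log are constructed assumptions.

```python
# Added example, not from the OWASP guide: an application-layer misuse monitor
# that flags the five request anomalies from the text and escalates its response
# as a user's indicator count grows. Endpoint spec, roles, thresholds, log: constructed.
from collections import Counter

ENDPOINTS = {"/download": {"method": "GET", "params": {"file_id"}}}  # expected shape
ROLE_FILES = {"user": {"101", "102"}}  # files each role may download (constructed)

def classify(req, role):
    """Return the misuse indicators raised by one request (empty if benign)."""
    spec = ENDPOINTS[req["path"]]
    flags = []
    names = [k for k, _ in req["params"]]  # list, so duplicates survive
    if req["method"] != spec["method"]:
        flags.append("method_changed")           # e.g. GET altered to POST
    if any(n > 1 for n in Counter(names).values()):
        flags.append("duplicate_param")          # same name/value pair twice
    if set(names) - spec["params"]:
        flags.append("extra_param")              # parameter the endpoint never takes
    for k, v in req["params"]:
        if k == "file_id" and not v.isdigit():
            flags.append("malformed_id")         # a single tick instead of a number
        elif k == "file_id" and v not in ROLE_FILES.get(role, set()):
            flags.append("forbidden_object")     # ID the role may not download
    return flags

def response_for(score):
    """Graduated response: nothing, then friction, then step-up and lockdown."""
    if score >= 5:
        return ["step_up_auth", "disable_critical", "enhanced_logging"]
    if score >= 3:
        return ["add_delay", "enhanced_logging"]
    return []

def monitor(requests, role="user"):
    """Score a user's request stream; return (final score, response after each)."""
    score, timeline = 0, []
    for req in requests:
        score += len(classify(req, role))
        timeline.append(response_for(score))
    return score, timeline

# Constructed request log mirroring the five actions described in the text.
ATTACK_LOG = [
    {"method": "GET", "path": "/download", "params": [("file_id", "999")]},
    {"method": "GET", "path": "/download", "params": [("file_id", "'")]},
    {"method": "POST", "path": "/download", "params": [("file_id", "101")]},
    {"method": "GET", "path": "/download", "params": [("file_id", "101"), ("debug", "1")]},
    {"method": "GET", "path": "/download", "params": [("file_id", "101"), ("file_id", "101")]},
]
```

Running `monitor(ATTACK_LOG)` yields a score of 5, with the delay response kicking in at the third event and step-up authentication plus lockdown at the fifth; an application with no such monitor would return the same responses throughout, which is the failing condition for this test case.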
How to Test
This test is unusual in that the result can be drawn from all the other tests performed against the web application. While performing all the other tests, take note of measures that might indicate the application has in-built self-defense:
• Changed responses
• Blocked requests
• Actions that log a user out or lock their account