187
Web Application Penetration Testing
• In the application, navigate to the file submission or upload mechanism.
• Submit the “not approved” file for upload and verify that it is properly prevented from uploading.
Related Test Cases
• Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
• Test Upload of Malicious Files (OTG-BUSLOGIC-009)
References
• OWASP - Unrestricted File Upload - https://www.owasp.org/index.php/Unrestricted_File_Upload
• File upload security best practices: Block a malicious file upload - http://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload
• Stop people uploading malicious PHP files via forms - http://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms
• CWE-434: Unrestricted Upload of File with Dangerous Type - http://cwe.mitre.org/data/definitions/434.html
• Secure Programming Tips - Handling File Uploads - https://www.datasprings.com/resources/dnn-tutorials/artmid/535/articleid/65/secure-programming-tips-handling-file-uploads?AspxAutoDetectCookieSupport=1
Remediation
Applications should be developed with mechanisms that accept and manipulate only “acceptable” files, that is, files the rest of the application functionality is ready to handle and expecting. Specific examples include black- or white-listing of file extensions, using the “Content-Type” header, or using a file type recognizer, all so that only specified file types are allowed into the system.
Test Upload of Malicious Files (OTG-BUSLOGIC-009)
Summary
Many applications’ business processes allow for the upload of data/information. We regularly check the validity and security of text, but accepting files can introduce even more risk. To reduce the risk we may only accept certain file extensions, but attackers are able to encapsulate malicious code in inert file types. Testing for malicious files verifies that the application/system is able to correctly protect against attackers uploading malicious files.
Vulnerabilities related to the uploading of malicious files are unique in that these “malicious” files can easily be rejected by including business logic that scans files during the upload process and rejects those perceived as malicious. Additionally, this is different from uploading unexpected files in that, while the file type may be accepted, the file may still be malicious to the system.
Finally, “malicious” means different things to different systems; for example, malicious files that may exploit SQL server vulnerabilities may not be considered “malicious” in a mainframe flat file environment.
The application may allow the upload of malicious files that include exploits or shellcode without submitting them to malicious file scanning. Malicious files could be detected and stopped at various points of the application architecture, such as: IPS/IDS, application server anti-virus software, or anti-virus scanning by the application as files are uploaded (perhaps offloading the scanning using SCAP).
Example
Suppose a picture sharing application allows users to upload their .gif or .jpg graphic files to the web site. What if an attacker is able to upload a PHP shell, an exe file, or a virus? The attacker may then upload the file, which may be saved on the system; the virus may then spread itself, or exes or shell code may be executed through remote processes.
How to Test
Generic Testing Method
• Review the project documentation and use exploratory testing, looking at the application/system to identify what constitutes a “malicious” file in your environment.
• Develop or acquire a known “malicious” file.
• Try to upload the malicious file to the application/system and verify that it is correctly rejected.
• If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.
Specific Testing Method 1
• Using the Metasploit payload generation functionality, generate shellcode as a Windows executable using the Metasploit “msfpayload” command.
• Submit the executable via the application’s upload functionality and see if it is accepted or properly rejected.
Specific Testing Method 2
• Develop or create a file that should fail the application malware detection process. There are many available on the Internet, such as ducklin.htm or ducklin-html.htm.
• Submit the executable via the application’s upload functionality and see if it is accepted or properly rejected.
Specific Testing Method 3
• Set up the intercepting proxy to capture the “valid” request for an accepted file.
• Send an “invalid” request through with a valid/acceptable file extension and see if the request is accepted or properly rejected.
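The remediation given for unexpected file types above (extension allow-list, “Content-Type” check, file type recognizer) is what the tester exercises in the generic method (each file of a multi-file upload evaluated on its own) and in Specific Testing Method 3 (an acceptable extension carrying content that does not match it). The following Python is an added example of such a server-side validator; it is not code from the OWASP Testing Guide. The allow-list, the size limit, the sample uploads and the `Upload`/`validate_upload`/`validate_batch` names are assumptions made for the demonstration.

```python
"""Server-side upload validation: extension allow-list plus content sniffing.

Added example (not from the OWASP Testing Guide). Every upload must pass
three independent checks: the extension is on the allow-list, the declared
Content-Type matches that extension, and the leading bytes (magic numbers)
look like the claimed type. A script renamed with an image extension fails
the third check even though it passes the first two.
"""
from __future__ import annotations

from dataclasses import dataclass

# Allow-list (assumed for this example): extension -> (accepted Content-Type
# values, magic-number prefixes that a file of this type must start with).
ALLOWED = {
    "jpg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "jpeg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "gif": ({"image/gif"}, (b"GIF87a", b"GIF89a")),
    "png": ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


@dataclass(frozen=True)
class Upload:
    """One file as received from a multipart form (constructed, not a real request)."""
    filename: str
    content_type: str
    data: bytes


def _extension(filename: str) -> str:
    # Only the final component and the last suffix count: "shell.php.jpg" -> "jpg".
    # That is exactly why the magic-number check below is still required.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def validate_upload(up: Upload) -> tuple[bool, str]:
    """Return (accepted, reason). All checks must pass; the first failure wins."""
    if not up.data:
        return False, "empty file"
    if len(up.data) > MAX_BYTES:
        return False, "file exceeds size limit"
    ext = _extension(up.filename)
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext or '(none)'}"
    types, magics = ALLOWED[ext]
    # Ignore parameters such as "; charset=..." and compare case-insensitively.
    declared = up.content_type.split(";", 1)[0].strip().lower()
    if declared not in types:
        return False, f"Content-Type {declared!r} does not match .{ext}"
    # File type recognizer: the bytes must start with a known signature.
    if not any(up.data.startswith(m) for m in magics):
        return False, f"content does not look like .{ext}"
    return True, "accepted"


def validate_batch(uploads: list[Upload]) -> list[tuple[str, bool, str]]:
    """Evaluate every file of a multi-file submission independently."""
    return [(u.filename, *validate_upload(u)) for u in uploads]


# Constructed samples: a JPEG-looking file, a script renamed to .jpg, a GIF
# sent with the wrong Content-Type, and a disallowed extension.
SAMPLES = [
    Upload("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    Upload("photo.jpg", "image/jpeg", b"<?php echo 'not an image'; ?>"),
    Upload("anim.gif", "text/html", b"GIF89a" + b"\x00" * 16),
    Upload("tool.exe", "application/octet-stream", b"MZ" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, ok, reason in validate_batch(SAMPLES):
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The decision is made on the server from the bytes actually received, never from the client-supplied filename or Content-Type alone, and each file in a batch gets its own verdict so that one acceptable file cannot carry the rest through. A signature check of this kind recognises the declared type; it is not a malware scan, which the Summary above places at the IPS/IDS, server anti-virus or upload-time scanning layers.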
Related Test Cases
• Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)