Web Application Penetration Testing
Input Sanitization
As with any data originating from untrusted sources, data received over a WebSocket should be properly validated, and encoded for the context it is written into (HTML, SQL, command line and so on). Look out for Top 10 2013-A1-Injection and Top 10 2013-A3-Cross-Site Scripting (XSS) type issues.
How to Test
Black Box testing
1. Identify that the application is using WebSockets.
• Inspect the client-side source code for the ws:// or wss:// URI scheme.
• Use Google Chrome's Developer Tools to view the Network WebSocket communication.
• Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab.
2. Origin.
• Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If a connection is established the server may not be checking the Origin header of the WebSocket handshake. Note that browsers always send Origin and a user cannot change it, so a server-side Origin check is what stops a malicious page from opening a socket to the application with the victim's cookies; a non-browser client can set Origin to any value, so the check is not a substitute for authentication.
3. Confidentiality and Integrity.
• Check that the WebSocket connection is using TLS to transport sensitive information (wss://).
• Check the TLS implementation for security issues (valid certificate, BEAST, CRIME, RC4, etc.). Refer to the Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) section of this guide.
4. Authentication.
• The WebSocket protocol does not handle authentication. The handshake is an ordinary HTTP request, so whatever session mechanism the application uses (cookies, tokens) is what protects the socket, and the normal black box authentication tests should be carried out. Refer to the Authentication Testing sections of this guide.
5. Authorization.
• The WebSocket protocol does not handle authorization either; once the connection is open, each message must still be authorized by the application. The normal black box authorization tests should be carried out on the messages exchanged over the socket. Refer to the Authorization Testing sections of this guide.
6. Input Sanitization.
• Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab to replay and fuzz WebSocket requests and responses. Refer to the Testing for Data Validation sections of this guide.
Example 1
Once we have identified that the application is using WebSockets (as described above) we can use the OWASP Zed Attack Proxy (ZAP) to intercept the WebSocket requests and responses. ZAP can then be used to replay and fuzz the WebSocket requests/responses.
Example 2
Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If the connection is allowed the WebSocket server may not be checking the WebSocket handshake's Origin header. Attempt to replay requests previously intercepted to verify that cross-domain WebSocket communication is possible.
Gray Box testing
Gray box testing is similar to black box testing. In gray box testing the pen-tester has partial knowledge of the application. The only difference here is that you may have API documentation for the application being tested which includes the expected WebSocket requests and responses.
Tools
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
• WebSocket Client - https://github.com/RandomStorm/scripts/blob/master/WebSockets.html
A WebSocket client that can be used to interact with a WebSocket server.
• Google Chrome Simple WebSocket Client - https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo?hl=en
Construct custom WebSocket requests and handle responses to directly test your WebSocket services.
References
Whitepapers
• HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web: http://www.html5rocks.com/en/tutorials/websockets/basics/
• W3C - The WebSocket API: http://dev.w3.org/html5/websockets/
• IETF - The WebSocket Protocol: https://tools.ietf.org/html/rfc6455