4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
35<br />
Web Application Penetration Testing<br />
where. This may happen either by error (due to misconfigurations), or<br />
intentionally (for example, unadvertised administrative interfaces).<br />
To address these issues, it is necessary to perform web application<br />
discovery.<br />
Test Objectives<br />
Enumerate the applications within scope that exist on a web server<br />
How to Test<br />
Black Box Testing<br />
Web application discovery is a process aimed at identifying web applications<br />
on a given infrastructure. The latter is usually specified as<br />
a set of IP addresses (maybe a net block), but may consist of a set of<br />
DNS symbolic names or a mix of the two. This information is handed<br />
out prior to the execution of an assessment, be it a classic-style<br />
penetration test or an application-focused assessment. In both<br />
cases, unless the rules of engagement specify otherwise (e.g., “test<br />
only the application located at the URL http: /www.example.com/”),<br />
the assessment should strive to be the most comprehensive in<br />
scope, i.e. it should identify all the applications accessible through<br />
the given target. The following examples examine a few techniques<br />
that can be employed to achieve this goal.<br />
Note: Some of the following techniques apply to Internet-facing<br />
web servers, namely DNS and reverse-IP web-based search services<br />
and the use of search engines. Examples make use of private<br />
IP addresses (such as 192.168.1.100), which, unless indicated otherwise,<br />
represent generic IP addresses and are used only for anonymity<br />
purposes.<br />
There are three factors influencing how many applications are related<br />
to a given DNS name (or an IP address):<br />
1. Different base URL<br />
The obvious entry point for a web application is www.example.<br />
com, i.e., with this shorthand notation we think of the web application<br />
originating at http: /www.example.com/ (the same applies for<br />
https). However, even though this is the most common situation,<br />
there is nothing forcing the application to start at “/”.<br />
For example, the same symbolic name may be associated to three<br />
web applications such as: http: /www.example.com/url1 http: /<br />
www.example.com/url2 http: /www.example.com/url3<br />
In this case, the URL http: /www.example.com/ would not be associated<br />
with a meaningful page, and the three applications would<br />
be “hidden”, unless the tester explicitly knows how to reach them,<br />
i.e., the tester knows url1, url2 or url3. There is usually no need to<br />
publish web applications in this way, unless the owner doesn’t want<br />
them to be accessible in a standard way, and is prepared to inform<br />
the users about their exact location. This doesn’t mean that these<br />
applications are secret, just that their existence and location is not<br />
explicitly advertised.<br />
2. Non-standard ports<br />
While web applications usually live on port 80 (http) and 443 (https),<br />
there is nothing magic about these port numbers. In fact, web applications<br />
may be associated with arbitrary TCP ports, and can be<br />
referenced by specifying the port number as follows: http[s]: /www.<br />
example.com:port/. For example, http: /www.example.com:20000/.<br />
3. Virtual hosts<br />
DNS allows a single IP address to be associated with one or more<br />
symbolic names. For example, the IP address 192.168.1.100 might<br />
be associated to DNS names www.example.com, helpdesk.example.<br />
com, webmail.example.com. It is not necessary that all the names<br />
belong to the same DNS domain. This 1-to-N relationship may be reflected<br />
to serve different content by using so called virtual hosts. The<br />
information specifying the virtual host we are referring to is embedded<br />
in the HTTP 1.1 Host: header [1].<br />
One would not suspect the existence of other web applications in addition<br />
to the obvious www.example.com, unless they know of helpdesk.example.com<br />
and webmail.example.com.<br />
Approaches to address issue 1 - non-standard URLs<br />
There is no way to fully ascertain the existence of non-standardnamed<br />
web applications. Being non-standard, there is no fixed criteria<br />
governing the naming convention, however there are a number of<br />
techniques that the tester can use to gain some additional insight.<br />
First, if the web server is mis-configured and allows directory browsing,<br />
it may be possible to spot these applications. Vulnerability scanners<br />
may help in this respect.<br />
Second, these applications may be referenced by other web pages<br />
and there is a chance that they have been spidered and indexed by<br />
web search engines. If testers suspect the existence of such “hidden”<br />
applications on www.example.com they could search using the site<br />
operator and examining the result of a query for “site: www.example.<br />
com”. Among the returned URLs there could be one pointing to such a<br />
non-obvious application.<br />
Another option is to probe for URLs which might be likely candidates for<br />
non-published applications. For example, a web mail front end might<br />
be accessible from URLs such as https:/www.example.com/webmail,<br />
https:/webmail.example.com/, or https:/mail.example.com/. The<br />
same holds for administrative interfaces, which may be published at<br />
hidden URLs (for example, a Tomcat administrative interface), and yet<br />
not referenced anywhere. So doing a bit of dictionary-style searching<br />
(or “intelligent guessing”) could yield some results. Vulnerability scanners<br />
may help in this respect.<br />
Approaches to address issue 2 - non-standard ports<br />
It is easy to check for the existence of web applications on non-standard<br />
ports. A port scanner such as nmap [2] is capable of performing<br />
service recognition by means of the -sV option, and will identify http[s]<br />
services on arbitrary ports. What is required is a full scan of the whole<br />
64k TCP port address space.<br />
For example, the following command will look up, with a TCP connect<br />
scan, all open ports on IP 192.168.1.100 and will try to determine what<br />
services are bound to them (only essential switches are shown – nmap<br />
features a broad set of options, whose discussion is out of scope):<br />
nmap –PN –sT –sV –p0-65535 192.168.1.100<br />
It is sufficient to examine the output and look for http or the indication<br />
of SSL-wrapped services (which should be probed to confirm<br />
that they are https). For example, the output of the previous command<br />
coullook like: