Web Application Penetration Testing
• Remove any unnecessary comments (copyrights, bug information, framework-specific comments)
• Remove META and generator tags
• Use the company's own CSS or JS files and do not store them in framework-specific folders
• Do not use default scripts on the page, or obfuscate them if they must be used.
Specific files and folders
General guidelines:
• Remove any unnecessary or unused files from the server. This includes text files that disclose version and installation information.
• Restrict access to the remaining files so that requests for them from outside receive a 404 response. This can be done, for example, by adding RewriteCond and RewriteRule directives to the .htaccess file. An example of such a restriction for two common WordPress locations is shown below. The substitution "-" leaves the URI unchanged; because 404 is not a redirect status, mod_rewrite discards the substitution anyway, stops processing, and the client receives the 404.
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin/$
RewriteRule .* - [R=404,L]
Note that, as written, these rules also lock out the site's own administrators; in practice they are combined with a condition on the client address, or applied only to untrusted networks. Rewrite rules are not the only way to restrict access. To automate this process, framework-specific plugins exist; one example for WordPress is StealthLogin (http://wordpress.org/plugins/stealth-login-page).
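The .htaccess restriction above, carried one step further as an added example (this is not from the guide): the 404 is served only to clients that are not on an allowlisted address, so the site's own administrators keep access. The address 203.0.113.10 is a placeholder from the documentation range, and it is assumed that RewriteEngine is not already enabled elsewhere in the file.

```apache
RewriteEngine On
# Assumed administrator address (documentation range; replace with your own).
# Conditions are ANDed unless flagged [OR], so the three lines read:
#   client is not the administrator
#   AND (URI is exactly /wp-login.php OR URI starts with /wp-admin/)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/
# "-" keeps the URI unchanged; with a non-3xx status mod_rewrite drops the
# substitution and stops processing, so every other client simply gets a 404.
RewriteRule .* - [R=404,L]
```

Two checks before deploying this: mod_rewrite must be loaded and the directory's AllowOverride must include FileInfo, otherwise the .htaccess directives are ignored (or cause a 500); and the prefix match on /wp-admin/ also blocks /wp-admin/admin-ajax.php, which many themes and plugins call from the public front end, so either keep the guide's exact match on /wp-admin/$ or add an exception for that file. Request wp-login.php from both an allowed and a disallowed address and confirm you see a 200 and a 404 respectively.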
Additional approaches
General guidelines:
[1] Checksum management
The purpose of this approach is to defeat checksum-based scanners, which identify files (and therefore the application and its version) by their hashes. Generally, there are two approaches to checksum management:
• Change the location of the files (e.g. move them to another folder, or rename the existing folder), so that a scanner requesting the well-known path gets nothing to hash
• Modify the contents: even a slight modification results in a completely different hash, so appending a single byte to the end of the file is enough.
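Both checksum-management approaches, as an added example that is not part of the guide: a simulated checksum scanner is run against a site before and after each countermeasure. The file names, contents, application name and version are all constructed for the example, and the fingerprint database is built from those constructed contents so that it runs offline; a real scanner carries hashes of the real shipped files.

```python
import hashlib

# Constructed stand-ins for two static files that ship with a framework release
# (contents and paths made up for this example).
ORIGINAL_FILES = {
    "/readme.html": b"<h1>Example CMS</h1><p>Version 4.0</p>\n",
    "/admin/css/common.css": b"/* Example CMS 4.0 admin stylesheet */\nbody{margin:0}\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What a checksum-based scanner carries: hash of a shipped file -> (app, version, file).
FINGERPRINT_DB = {
    sha256(content): ("Example CMS", "4.0", path) for path, content in ORIGINAL_FILES.items()
}
# A scanner of this kind only ever requests these fixed, well-known paths.
KNOWN_PATHS = list(ORIGINAL_FILES)


def scan(site: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Simulated checksum scan of a site modelled as {path: response body}.

    Requests every known path, hashes whatever comes back and looks the hash
    up. A path missing from the dict models an HTTP 404.
    Returns one (path, application, version) tuple per hit."""
    hits = []
    for path in KNOWN_PATHS:
        body = site.get(path)
        if body is None:
            continue
        match = FINGERPRINT_DB.get(sha256(body))
        if match:
            hits.append((path, match[0], match[1]))
    return hits


def relocate(site: dict[str, bytes], old: str, new: str) -> dict[str, bytes]:
    """Approach 1: serve the file from a different location. The content and
    hence its hash are unchanged; the scanner misses it only because it never
    asks for the new path."""
    moved = dict(site)
    moved[new] = moved.pop(old)
    return moved


def modify(site: dict[str, bytes], path: str, extra: bytes = b"\n") -> dict[str, bytes]:
    """Approach 2: change the content. One appended byte yields an unrelated hash."""
    changed = dict(site)
    changed[path] = changed[path] + extra
    return changed


def harden(site: dict[str, bytes]) -> dict[str, bytes]:
    """Both approaches applied, as a site owner following the guidance would."""
    site = relocate(site, "/readme.html", "/docs/about.html")
    return modify(site, "/admin/css/common.css")


if __name__ == "__main__":
    print("original site :", scan(ORIGINAL_FILES))
    print("hardened site :", scan(harden(ORIGINAL_FILES)))
```

The relocate case shows the limit of approach 1: the moved file still hashes to a database entry, so a crawler that follows links to the new location (which any CSS or JS file referenced from a page must have) would still match it. Relocation is therefore suited to files nothing needs to link to, such as readme and licence files; files that must stay reachable need their contents modified.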
[2] Controlled chaos
A playful but effective method that involves adding bogus files and folders from other frameworks in order to fool scanners and confuse an attacker. Be careful not to overwrite existing files and folders and break the current framework.
Fingerprint Web Application (OTG-INFO-009)
Summary
There is nothing new under the sun, and nearly every web application that one may think of developing has already been developed. With the vast number of free and open source software projects that are actively developed and deployed around the world, it is very likely that an application security test will face a target site that is entirely or partly dependent on these well-known applications (e.g. WordPress, phpBB, MediaWiki). Knowing the web application components that are being tested significantly helps the testing process and drastically reduces the effort required. These well-known web applications have known HTML markup, cookies and directory structures that can be enumerated to identify the application.
Test Objectives
Identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.
How to Test
Cookies
A relatively reliable way to identify a web application is by its application-specific cookies.
Consider the following HTTP request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: wp-settings-time-1=1406093286; wp-settings-time-2=1405988284
DNT: 1
Connection: keep-alive
Host: blog.owasp.org
The wp-settings-time-* cookies were set earlier by the application itself; their names are specific to WordPress and therefore reveal the application in use (a CakePHP application, by comparison, sets a cookie named CAKEPHP). A list of common cookie names is presented in the Common Application Identifiers section. However, it is possible to change the name of a cookie, so the absence of a known name does not prove the absence of the application.
HTML source code
This technique is based on finding certain patterns in the HTML page source. Often one can find a lot of information that helps a tester recognize a specific web application. One of the common markers is an HTML comment that directly names the application. More often, application-specific paths can be found, e.g. links to application-specific CSS and/or JS folders. Finally, specific script variables might also point to a certain application.
From the meta tag below, one can easily learn the application used by a website and its version. The comment, specific paths and script variables can all help an attacker to quickly identify an instance of an application.
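The cookie and HTML-source checks described in the two sections above, combined in one small fingerprinter as an added example (not code from the guide). The indicator tables are constructed for the example: the wp-settings-* and CAKEPHP cookie names come from the text above, the remaining entries are well-known defaults of the named applications, and none of it replaces the guide's own Common Application Identifiers list. The sample HTTP response is constructed as well.

```python
import re

# Constructed indicator tables (cookie name pattern -> application).
COOKIE_INDICATORS = [
    (re.compile(r"^wp-settings-"), "WordPress"),
    (re.compile(r"^wordpress_(logged_in|test_cookie|sec)"), "WordPress"),
    (re.compile(r"^CAKEPHP$"), "CakePHP"),
    (re.compile(r"^phpbb\d*_[a-z0-9]+_(sid|u|k)$"), "phpBB"),
    (re.compile(r"^SESS[0-9a-f]{32}$"), "Drupal"),
]
# Application-specific paths and script variables found in page source.
HTML_INDICATORS = [
    (re.compile(r"/wp-(content|includes)/"), "WordPress", "path"),
    (re.compile(r"/styles/prosilver/"), "phpBB", "default theme path"),
    (re.compile(r"Drupal\.settings|/sites/default/files/"), "Drupal", "script variable or path"),
    (re.compile(r"\bwgPageName\b|mw\.config\.set"), "MediaWiki", "script variable"),
]
APP_NAMES = {"WordPress", "CakePHP", "phpBB", "Drupal", "MediaWiki"}
# Generator meta tag; attribute order is assumed to be name first, then content.
GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def cookie_names(cookie_header: str) -> list[str]:
    """Cookie names from a 'name=value; name2=value2' string (values are irrelevant)."""
    return [part.split("=", 1)[0].strip() for part in cookie_header.split(";") if "=" in part]


def apps_from_cookies(names) -> set[str]:
    return {app for name in names for pat, app in COOKIE_INDICATORS if pat.search(name)}


def fingerprint(raw_response: str) -> dict:
    """Fingerprint one raw HTTP response (status line, headers, blank line, body).

    Returns candidate applications, a version if a generator tag gives one, and
    the piece of evidence behind each conclusion."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    apps, evidence, version = set(), [], None
    # 1. Set-Cookie headers: the first name=value pair is the cookie, the rest are attributes.
    for line in head.split("\n"):
        if line.lower().startswith("set-cookie:"):
            for name in cookie_names(line.split(":", 1)[1].split(";", 1)[0]):
                for app in apps_from_cookies([name]):
                    apps.add(app)
                    evidence.append(f"cookie {name} -> {app}")
    # 2. Generator meta tag: application and, usually, the exact version.
    m = GENERATOR.search(body)
    if m:
        parts = m.group(1).split()
        apps.add(parts[0])
        version = parts[1] if len(parts) > 1 else None
        evidence.append(f"meta generator: {m.group(1)}")
    # 3. HTML comments that name the application outright.
    for text in COMMENT.findall(body):
        for app in APP_NAMES:
            if app.lower() in text.lower():
                apps.add(app)
                evidence.append(f"comment mentions {app}")
    # 4. Application-specific paths and script variables.
    for pat, app, why in HTML_INDICATORS:
        m = pat.search(body)
        if m:
            apps.add(app)
            evidence.append(f"{why} {m.group(0)} -> {app}")
    return {"applications": apps, "version": version, "evidence": evidence}


# Constructed sample response for the example; not captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: wp-settings-time-1=1406093286; path=/; HttpOnly\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head>\n"
    '<meta name="generator" content="WordPress 4.0" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/example/style.css">\n'
    "<!-- Theme footer by WordPress Example Theme -->\n"
    "</head><body></body></html>\n"
)

if __name__ == "__main__":
    for item in fingerprint(SAMPLE_RESPONSE)["evidence"]:
        print(item)
```

A renamed cookie, as the text warns, simply produces no cookie evidence; the other three sources still identify the application, which is why a tester correlates several indicators rather than trusting any one of them.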
More frequently such information is placed between the <head></head> tags, in <meta> tags or at the end of the page. Neverthe-