Web Application Penetration Testing
Standards, using standard file extensions provides the penetration tester with useful information about the underlying technologies used in a web application and greatly simplifies the task of choosing the attack scenario to be used against a particular technology. In addition, a misconfigured web server can easily reveal confidential information, including access credentials.
Extension checking is often used to validate files to be uploaded. This can lead to unexpected results, either because the uploaded content is not what the extension suggests, or because of unexpected file name handling by the operating system.
Determining how web servers handle requests for files with different extensions helps in understanding web server behavior depending on the kind of file that is accessed. For example, it helps to distinguish the file extensions that are returned as plain text from those that cause execution on the server side. The latter are indicative of the technologies, languages or plugins used by the web servers or application servers, and may provide additional insight into how the web application is engineered. For example, a ".pl" extension is usually associated with server-side Perl support. However, the file extension alone may be deceptive and is not fully conclusive: Perl server-side resources might be renamed to conceal the fact that they are indeed Perl related. See the next section on "web server components" for more on identifying server-side technologies and components.
How to Test
Forced browsing
Submit HTTP(S) requests for files with different extensions and verify how each is handled. The verification should be done on a per web directory basis, since handlers and access rules are often configured per directory: identify the directories that allow script execution. Web server directories can be identified by vulnerability scanners, which look for the presence of well-known directories. In addition, mirroring the web site structure allows the tester to reconstruct the tree of web directories served by the application.
If the web application architecture is load-balanced, it is important to assess all of the web servers. This may or may not be easy, depending on the configuration of the balancing infrastructure. In an infrastructure with redundant components there may be slight variations in the configuration of individual web or application servers. This is especially likely if the web architecture employs heterogeneous technologies (think of a set of IIS and Apache web servers in a load-balancing configuration), which may introduce slightly asymmetric behavior between the nodes, and possibly different vulnerabilities on each of them.
Example:
The tester has identified the existence of a file named connection.inc. Requesting it directly returns its contents instead of executing it:

<?php
// Database connection include, returned as plain text by the web server
mysql_connect("127.0.0.1", "root", "")
    or die("Could not connect");

The tester determines the existence of a MySQL DBMS back end, and the (weak) credentials used by the web application to access it: the root account with an empty password.
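The forced-browsing procedure above (one probe per extension per directory, classify each response, then compare the load-balanced nodes against each other) as a small Python harness. This is an added example, not code from the OWASP Testing Guide: the extension list, the source-leak patterns, the classification labels and the two "nodes" with their constructed responses are all assumptions made for the illustration; only fetch() touches the network and it is not called by default.

```python
import re
from urllib.parse import urljoin

# Extensions probed in every directory (assumed list): .inc and .asa must never
# be served, the others must be checked for leftovers or sensitive content.
PROBE_EXTENSIONS = [".inc", ".asa", ".php", ".pl", ".bak", ".old", ".txt", ".zip"]

# Fragments showing that server-side source came back as data instead of being
# executed (the connection.inc case above).
SOURCE_LEAK = re.compile(
    r"<\?php|#!/usr/bin/(?:env )?perl|mysql_connect\s*\(|<%@\s*(?:Page|Language)",
    re.IGNORECASE)

TEXTUAL = {"text/plain", "application/octet-stream", "application/zip",
           "application/x-tar", "application/gzip"}


def build_probes(base_url, directories, stem="index", extensions=PROBE_EXTENSIONS):
    """One probe URL per extension per directory (verification is per directory)."""
    urls = []
    for d in directories:
        d = d.rstrip("/") + "/"
        urls.extend(urljoin(base_url, d + stem + ext) for ext in extensions)
    return urls


def fetch(url, timeout=10):
    """Issue one probe with the standard library; HTTP error codes are data here."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.headers.get("Content-Type"), r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type"), e.read(4096).decode("utf-8", "replace")


def classify(status, content_type, body):
    """Map one response to how the server handled the requested extension."""
    if status in (401, 403, 404):
        return "not-served"
    if status >= 500:
        return "handler-error"     # a handler tried to run the file and failed
    if SOURCE_LEAK.search(body):
        return "source-leak"       # server-side source returned as data
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime in TEXTUAL or mime.startswith("application/"):
        return "served-as-is"      # handed to the browser as a file
    return "processed"             # e.g. text/html without source: a handler ran


def compare_backends(results):
    """results: {node: {path: classification}}. Returns the paths on which the
    load-balanced nodes disagree, i.e. where asymmetric behavior hides."""
    paths = set().union(*(r.keys() for r in results.values()))
    diffs = {}
    for p in sorted(paths):
        seen = {node: r.get(p, "missing") for node, r in results.items()}
        if len(set(seen.values())) > 1:
            diffs[p] = seen
    return diffs


# Constructed responses standing in for an Apache and an IIS node behind one
# balancer (not captured from any real host).
SAMPLE = {
    "apache-node": {
        "/app/connection.inc": (200, "text/plain",
            'mysql_connect("127.0.0.1", "root", "") or die("Could not connect");'),
        "/app/index.php": (200, "text/html; charset=utf-8", "<html><body>Login</body></html>"),
        "/app/index.pl": (500, "text/html", "Internal Server Error"),
    },
    "iis-node": {
        "/app/connection.inc": (404, "text/html", "Not Found"),
        "/app/index.php": (200, "text/html; charset=utf-8", "<html><body>Login</body></html>"),
        "/app/index.pl": (200, "text/plain", "#!/usr/bin/perl\nuse DBI;"),
    },
}


def classify_all(sample):
    """Classify every (node, path) response in a SAMPLE-shaped mapping."""
    return {node: {path: classify(*resp) for path, resp in pages.items()}
            for node, pages in sample.items()}


if __name__ == "__main__":
    for path, seen in compare_backends(classify_all(SAMPLE)).items():
        print(path, seen)
```

Against live targets, replace SAMPLE with the output of fetch() over build_probes(), once per backend (by node IP or a backend-selecting cookie, depending on how the balancer can be steered), and read the diffs: in the constructed data the Apache node leaks connection.inc and has a broken Perl handler, while the IIS node serves the Perl source as text.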
The following file extensions should never be returned by a web server, since they are related to files which may contain sensitive information, or to files for which there is no reason to be served:
• .asa
• .inc
The following file extensions are related to files which, when accessed, are either displayed or downloaded by the browser. Files with these extensions must therefore be checked to verify that they are indeed supposed to be served (and are not leftovers), and that they do not contain sensitive information:
• .zip, .tar, .gz, .tgz, .rar, ...: (compressed) archive files
• .java: no reason to provide access to Java source files
• .txt: text files
• .pdf: PDF documents
• .doc, .rtf, .xls, .ppt, ...: Office documents
• .bak, .old and other extensions indicative of backup files (for example, a trailing ~ for Emacs backup files)
The list given above details only a few examples, since file extensions are too many to be treated comprehensively here. Refer to http://filext.com/ for a more thorough database of extensions.
To identify files with a given extension, a mix of techniques can be employed. These include vulnerability scanners, spidering and mirroring tools, manual inspection of the application (which overcomes the limitations of automatic spidering), and querying search engines (see Testing: Spidering and googling). See also Testing for Old, Backup and Unreferenced Files, which deals with the security issues related to "forgotten" files.
File Upload
Windows 8.3 legacy file name handling can sometimes be used to defeat file upload filters, because the short (8.3) alias Windows generates for a long file name can end in a different extension than the name the filter inspected.
Usage examples:
• file.phtml gets processed as PHP code
• FILE~1.PHT is served, but not processed by the PHP ISAPI handler
• shell.phPWND can be uploaded
• SHELL~1.PHP will be expanded and returned by the OS shell, then processed by the PHP ISAPI handler
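The 8.3 bypass above, worked through in Python: an approximation of how Windows derives the short alias, the naive blocklist filter it defeats, and a hardened upload check that allowlists the extension of both the long name and its alias and never writes the client-supplied name to disk. This is an added example, not code from the OWASP Testing Guide or from any product: the alias generation models only the common "~1" case (the hash-based form Windows uses after several collisions is ignored), and the handler mapping and the allowlist are assumptions for the illustration.

```python
import re
import secrets

# Characters Windows keeps when it builds an 8.3 alias; anything else
# (spaces, extra dots, most punctuation) is dropped. Simplified model.
_NOT_83 = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def short_name_83(long_name):
    """Approximate the 8.3 alias Windows generates for a long file name.

    Assumption: only the first-collision form is modelled (six characters,
    "~1", three-character extension). Names that already fit 8.3 get no
    alias and are returned uppercased.
    """
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    base_u = _NOT_83.sub("", base.upper().replace(".", ""))
    ext_u = _NOT_83.sub("", ext.upper())
    fits = (base_u == base.upper() and ext_u == ext.upper()
            and 1 <= len(base_u) <= 8 and len(ext_u) <= 3)
    if fits:
        return base_u + (("." + ext_u) if ext_u else "")
    short = base_u[:6] + "~1"
    return short + (("." + ext_u[:3]) if ext_u else "")


def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    return ("." + name.rpartition(".")[2]).lower() if "." in name else ""


# Assumed handler mapping of an IIS/PHP host: .php and .phtml go to the PHP
# ISAPI module, .pl to Perl; everything else is served as a static file.
SCRIPT_HANDLERS = {".php": "php-isapi", ".phtml": "php-isapi", ".pl": "perl"}


def handler_for(name):
    """Which server-side handler, if any, processes a request for `name`."""
    return SCRIPT_HANDLERS.get(_ext(name))


def naive_blocklist_allows(name):
    """The filter the bypass defeats: it blocks known script extensions on
    the long name only, so 'shell.phPWND' slips through."""
    return _ext(name) not in SCRIPT_HANDLERS


ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".gif", ".pdf"}  # all 3 chars or fewer


def hardened_allows(name):
    """Allowlist the extension of both the long name and its 8.3 alias.
    Keeping allowlisted extensions at three characters or fewer means the
    alias carries exactly the same extension, so aliasing cannot change
    which handler sees the file."""
    long_ext = _ext(name)
    return long_ext in ALLOWED_UPLOAD_EXTENSIONS and _ext(short_name_83(name)) == long_ext


def stored_name(name):
    """Never write the client-supplied name to disk: random stem plus the
    checked extension. Raises ValueError for anything the allowlist rejects."""
    if not hardened_allows(name):
        raise ValueError("extension not allowed: " + name)
    return secrets.token_hex(8) + _ext(name)


def analyze_upload(name):
    """Report what each filter decides and what the server would actually run."""
    alias = short_name_83(name)
    return {
        "long_name": name,
        "alias": alias,
        "naive_allows": naive_blocklist_allows(name),
        "hardened_allows": hardened_allows(name),
        "handler_for_long_name": handler_for(name),
        "handler_for_alias": handler_for(alias),
    }


if __name__ == "__main__":
    for n in ("file.phtml", "shell.phPWND", "my photo.jpg"):
        print(analyze_upload(n))
```

Running the block reproduces both cases from the list above: file.phtml is handled by PHP while its alias FILE~1.PHT is not (source disclosure if the alias is requested), and shell.phPWND passes the naive blocklist while its alias SHELL~1.PHP is handed to the PHP handler; the hardened check rejects both and accepts only names whose long and short extensions agree and are allowlisted.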
Gray Box testing
Performing gray box testing against file extension handling amounts to checking the configurations of the web servers or application servers taking part in the web application architecture, and verifying how they are instructed to serve (or execute, or deny) different file extensions.
If the web application relies on a load-balanced, heterogeneous infrastructure, determine whether this may introduce different behavior between the nodes.
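One way to do the configuration review described above for an Apache server: a small audit that parses an httpd.conf fragment, works out which extensions each <Directory> maps to a handler (honouring inheritance from parent directories and RemoveHandler), and reports the sensitive extensions that no <FilesMatch> block denies. This is an added example, not code from the OWASP Testing Guide: the configuration fragment is constructed for the illustration, and the parser deliberately understands only <Directory>, <FilesMatch>, AddHandler, RemoveHandler and Require all denied / Deny from all (no .htaccess files, SetHandler, AddType or php_admin_* directives), which is an assumption to keep in mind before trusting its output on a real host.

```python
import re
from collections import defaultdict

SENSITIVE_EXTENSIONS = [".inc", ".asa", ".bak", ".old"]
_OPEN = re.compile(r'^<(Directory|FilesMatch)\s+"?([^">]+?)"?\s*>$')
_CLOSE = re.compile(r'^</(Directory|FilesMatch)>$')


def parse_config(text):
    """Split an httpd.conf fragment into per-directory directive lists and the
    FilesMatch patterns that deny access. Top-level directives are recorded
    under "/" so that every directory inherits them."""
    dirs = defaultdict(list)   # directory path -> directive lines
    denies = []                # compiled FilesMatch patterns that deny access
    stack = []                 # open blocks: (kind, name, lines)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2), []))
            continue
        if _CLOSE.match(line):
            kind, name, lines = stack.pop()
            if kind == "Directory":
                dirs[name.rstrip("/") or "/"].extend(lines)
            elif any(l in ("Require all denied", "Deny from all") for l in lines):
                denies.append(re.compile(name))
            continue
        (stack[-1][2] if stack else dirs["/"]).append(line)
    return dict(dirs), denies


def effective_handlers(dirs, path):
    """Extensions mapped to a handler in `path`, applying ancestor <Directory>
    blocks first so AddHandler is inherited and RemoveHandler can undo it."""
    handlers = {}  # extension -> handler name
    ancestors = sorted((p for p in dirs
                        if p == path or path.startswith(p.rstrip("/") + "/")), key=len)
    for p in ancestors:
        for directive in dirs[p]:
            parts = directive.split()
            if parts[0] == "AddHandler" and len(parts) >= 3:
                for ext in parts[2:]:
                    handlers[ext.lower()] = parts[1]
            elif parts[0] == "RemoveHandler":
                for ext in parts[1:]:
                    handlers.pop(ext.lower(), None)
    return handlers


def audit(text, sensitive=SENSITIVE_EXTENSIONS):
    """Per-directory list of executed extensions, plus the sensitive extensions
    that no deny rule covers (the ones a forced-browsing probe would find)."""
    dirs, denies = parse_config(text)
    report = {"executed": {}, "unprotected": []}
    for path in dirs:
        report["executed"][path] = sorted(effective_handlers(dirs, path))
    for ext in sensitive:
        if not any(p.search("probe" + ext) for p in denies):
            report["unprotected"].append(ext)
    return report


# Constructed httpd.conf fragment for the example (not taken from a real host).
SAMPLE_CONFIG = r"""
AddHandler application/x-httpd-php .php .phtml
<Directory "/var/www/html">
    Options +ExecCGI
    AddHandler cgi-script .pl .cgi
</Directory>
<Directory "/var/www/html/uploads">
    RemoveHandler .php .phtml
</Directory>
<FilesMatch "\.(inc|asa)$">
    Require all denied
</FilesMatch>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the constructed fragment the audit shows PHP enabled server-wide, CGI added under /var/www/html, PHP correctly removed again under uploads, and .bak and .old files still served because the deny rule only covers .inc and .asa; the fix is to extend the FilesMatch pattern (or add a second block) so that every extension in SENSITIVE_EXTENSIONS is denied.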
Tools
Vulnerability scanners, such as Nessus and Nikto check for the ex-