57
Web Application Penetration Testing
may be tempted to zip them first. Be careful not to leave those
archive files behind.
• Appropriate configuration management policies should help avoid
leaving obsolete and unreferenced files around.
• Applications should be designed not to create (or rely on) files stored
under the web directory trees served by the web server. Data files,
log files, configuration files, etc. should be stored in directories
not accessible by the web server, to counter the possibility of
information disclosure (not to mention data modification if web
directory permissions allow writing).
• File system snapshots should not be accessible via the web if the
document root is on a file system using this technology. Configure
your web server to deny access to such directories; for example, under
Apache a Location directive such as this should be used:

    <Location ~ ".snapshot">
        Order deny,allow
        Deny from all
    </Location>

Enumerate Infrastructure and Application Admin
Interfaces (OTG-CONFIG-005)
Summary
Administrator interfaces may be present in the application or on the
application server to allow certain users to undertake privileged activities
on the site. Tests should be undertaken to reveal if and how
this privileged functionality can be accessed by an unauthorized or
standard user.
An application may require an administrator interface to enable a privileged
user to access functionality that may make changes to how the
site functions. Such changes may include:
• user account provisioning
• site design and layout
• data manipulation
• configuration changes
In many instances, such interfaces do not have sufficient controls to
protect them from unauthorized access. Testing is aimed at discovering
these administrator interfaces and accessing functionality intended
for the privileged users.
How to Test
Black Box Testing
The following section describes vectors that may be used to test for
the presence of administrative interfaces. These techniques may also
be used to test for related issues including privilege escalation, and are
described elsewhere in this guide in greater detail (for example Testing
for bypassing authorization schema (OTG-AUTHZ-002) and Testing for
Insecure Direct Object References (OTG-AUTHZ-004)).
• Directory and file enumeration. An administrative interface may be
present but not visibly available to the tester. Attempting to guess
the path of the administrative interface may be as simple as
requesting /admin or /administrator, etc., or in some scenarios it can
be revealed within seconds using Google dorks.
• There are many tools available to perform brute forcing of server
contents; see the tools section below for more information.
• A tester may also have to identify the file name of the administration
page. Forcibly browsing to the identified page may provide access to
the interface.
• Comments and links in source code. Many sites use common code
that is loaded for all site users. By examining all source sent to the
client, links to administrator functionality may be discovered and
should be investigated.
• Reviewing server and application documentation. If the application
server or application is deployed in its default configuration it may
be possible to access the administration interface using information
described in configuration or help documentation. Default password
lists should be consulted if an administrative interface is found and
credentials are required.
• Publicly available information. Many applications such as WordPress
have default administrative interfaces.
• Alternative server port. Administration interfaces may be seen on
a different port on the host than the main application. For example,
Apache Tomcat's Administration interface can often be seen on port
8080.
• Parameter tampering. A GET or POST parameter or a cookie variable
may be required to enable the administrator functionality. Clues to
this include the presence of hidden fields such as:

    <input type="hidden" name="admin" value="no">

or in a cookie:

    Cookie: session_cookie; useradmin=0
Once an administrative interface has been discovered, a combination
of the above techniques may be used to attempt to bypass authentication.
If this fails, the tester may wish to attempt a brute force attack.
In such an instance the tester should be aware of the potential for administrative
account lockout if such functionality is present.
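The parameter-tampering clue above (an admin flag carried in a hidden field or cookie) is easiest to understand next to the server-side alternative a reviewer should expect to find. The following Python is an added illustration, not code from the OWASP guide; the Request model, the SESSIONS store and the two check functions are hypothetical names constructed for it.

```python
"""Added example (not from the OWASP guide): why client-supplied
'admin' flags must not drive authorization decisions.

Requests are modelled as plain dicts; the session store is an in-memory
dict standing in for whatever the application keeps server-side. All
names (Request, SESSIONS, is_admin_vulnerable, is_admin_hardened) are
hypothetical and constructed for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an HTTP request: form/query params and cookies."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Server-side session store: session id -> attributes fixed at login time.
# Constructed sample data; in a real deployment this lives in the app server.
SESSIONS = {
    "s-1111": {"user": "alice", "role": "user"},
    "s-2222": {"user": "root", "role": "admin"},
}


def is_admin_vulnerable(req: Request) -> bool:
    """Anti-pattern: the role is read from values the client controls.

    Mirrors the clues the guide lists: a hidden field
    <input type="hidden" name="admin" value="no"> and a cookie
    'useradmin=0'. Changing either value is enough to unlock admin functions.
    """
    if req.params.get("admin", "no").lower() == "yes":
        return True
    return req.cookies.get("useradmin", "0") == "1"


def is_admin_hardened(req: Request) -> bool:
    """Role comes only from the server-side session bound to the session id.

    The client may still send admin=yes or useradmin=1, but those values are
    never consulted; an unknown or expired session id yields no privileges.
    """
    sid = req.cookies.get("session_cookie")
    session = SESSIONS.get(sid)
    if session is None:
        return False
    return session.get("role") == "admin"


def tampered_request() -> Request:
    """Constructed: a normal user's session with the client-side flags flipped."""
    return Request(
        params={"admin": "yes"},
        cookies={"session_cookie": "s-1111", "useradmin": "1"},
    )


if __name__ == "__main__":
    req = tampered_request()
    print("vulnerable check grants admin:", is_admin_vulnerable(req))  # True
    print("hardened check grants admin:  ", is_admin_hardened(req))    # False
```

The gray box review point is the second function: the only input to the decision is a server-side lookup keyed by the session identifier, so the hidden field and the useradmin cookie become inert and can be removed from the templates entirely.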
Gray Box Testing
A more detailed examination of the server and application components
should be undertaken to ensure hardening (i.e. administrator
pages are not accessible to everyone through the use of IP filtering
or other controls), and where applicable, verification that all components
do not use default credentials or configurations.
Source code should be reviewed to ensure that the authorization and
authentication model ensures clear separation of duties between
normal users and site administrators. User interface functions shared
between normal and administrator users should be reviewed to ensure
clear separation between the drawing of such components and
information leakage from such shared functionality.
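As an added example of the hardening verification this gray box section asks for (not code from the OWASP guide), the Python below runs two checks over constructed Apache combined-format access log lines: whether an administrative path was served to a client outside an IP allowlist, which means the IP filtering is missing or misconfigured, and whether one client is producing a run of 404s against admin-looking paths, the footprint the directory enumeration described in the black box section leaves behind. The log lines, allowlist, path prefixes and threshold are all constructed sample values.

```python
"""Added example (not part of the OWASP guide): detection logic for the
two things a defender verifying admin-interface hardening wants to see,
run over constructed Apache combined-format access log lines:

  1. an administrative path answered with 2xx/3xx to a client that is not
     on the admin IP allowlist (IP filtering missing or misconfigured);
  2. a single client producing several 404s on admin-looking paths
     (directory/file enumeration in progress).

The log lines, the allowlist, the path list and the threshold below are
constructed sample values, not data from any real system.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample log lines in Apache combined format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /manager/html HTTP/1.1" 200 1860 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /manager/html HTTP/1.1" 200 1860 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed policy: addresses allowed to reach admin interfaces, and path
# prefixes that the application or server exposes as administrative.
ADMIN_ALLOWLIST = {"10.0.0.5"}
ADMIN_PATH_PREFIXES = ("/admin", "/administrator", "/manager", "/wp-admin")
ENUM_404_THRESHOLD = 3  # 404s on admin-looking paths from one IP


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_admin_path(path: str) -> bool:
    """Match on the path only, ignoring any query string; exact prefix,
    a sub-path of it, or a file with that base name (e.g. /admin.php)."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") or bare.startswith(p + ".")
               for p in ADMIN_PATH_PREFIXES)


def analyze(log_text: str) -> dict:
    """Apply both checks and return findings keyed by check name."""
    exposed = []           # (ip, path, status): admin hits from outside the allowlist
    not_found = Counter()  # ip -> count of 404s on admin-looking paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        elif 200 <= rec["status"] < 400 and rec["ip"] not in ADMIN_ALLOWLIST:
            exposed.append((rec["ip"], rec["path"], rec["status"]))
    enumerating = sorted(ip for ip, n in not_found.items() if n >= ENUM_404_THRESHOLD)
    return {"exposed_admin_access": exposed, "enumeration_suspects": enumerating}


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

On the sample data the first check reports the /manager/html hit from 203.0.113.7 (the Tomcat manager path served to a non-allowlisted client) and the second reports the same client for its three admin-path 404s; the allowlisted 10.0.0.5 request to the same path is not a finding.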
Tools
• DirBuster: this currently inactive OWASP project is still a great tool for
brute forcing directories and files on the server.
• THC-HYDRA is a tool that allows brute-forcing of many interfaces,
including form-based HTTP authentication.
• A brute forcer is much better when it uses a good dictionary, for