4.0

More documents

Recommendations

Info

60 Web Application Penetration Testing Pragma: no-cache Set-Cookie: adminOnlyCookie1=...; expires=Tue, 18-Aug- 2009 22:44:31 GMT; domain=www.example.com Set-Cookie: adminOnlyCookie2=...; expires=Mon, 18-Aug- 2008 22:54:31 GMT; domain=www.example.com Set-Cookie: adminOnlyCookie3=...; expires=Sun, 19-Aug- 2007 22:44:30 GMT; domain=www.example.com Content-Language: EN Connection: close Content-Type: text/html; charset=ISO-8859-1 If the tester gets a “405 Method not allowed” or “501 Method Unimplemented”, the target (application/framework/language/ system/firewall) is working correctly. If a “200” response code comes back, and the response contains no body, it’s likely that the application has processed the request without authentication or authorization and further testing is warranted. If the tester thinks that the system is vulnerable to this issue, they should issue CSRF-like attacks to exploit the issue more fully: • HEAD /admin/createUser.php?member=myAdmin • HEAD /admin/changePw.php?member=myAdmin&passwd= foo123&confirm=foo123 • HEAD /admin/groupEdit.php?group=Admins&member=myAd min&action=add With some luck, using the above three commands - modified to suit the application under test and testing requirements - a new user would be created, a password assigned, and made an administrator, all using blind request submission. Tools • NetCat - http: /nc110.sourceforge.net • cURL - http: /curl.haxx.se/ References Whitepapers • RFC 2616: “Hypertext Transfer Protocol -- HTTP/1.1” • RFC 2109 and RFC 2965: HTTP State Management Mechanism” • Jeremiah Grossman: “Cross Site Tracing (XST)” - http: /www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_ XST_ebook.pdf • Amit Klein: “XS(T) attack variants which can, in some cases, eliminate the need for TRACE” - http: /www.securityfocus.com/ archive/107/308433 • Arshan Dabirsiaghi: “Bypassing VBAAC with HTTP Verb Tampering” - http: /static.swpag.info/download/Bypassing_ VBAAC_with_HTTP_Verb_Tampering.pdf Test HTTP Strict Transport Security (OTG-CONFIG-007) Summary The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests. Considering the importance of this security measure it is important to verify that the web site is using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server. The HTTP Strict Transport Security (HSTS) feature lets a web application to inform the browser, through the use of a special response header, that it should never establish a connection to the the specified domain servers using HTTP. Instead it should automatically establish all connection requests to access the site through HTTPS. The HTTP strict transport security header uses two directives: • max-age: to indicate the number of seconds that the browser should automatically convert all HTTP requests to HTTPS. • includeSubDomains: to indicate that all web application’s subdomains must use HTTPS. Here’s an example of the HSTS header implementation: Strict-Transport-Security: max-age=60000; includeSubDomains The use of this header by web applications must be checked to find if the following security issues could be produced: • Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel. • Attackers exploiting a man in the middle attack because of the problem of accepting certificates that are not trusted. • Users who mistakenly entered an address in the browser putting HTTP instead of HTTPS, or users who click on a link in a web application which mistakenly indicated the http protocol. How to Test Testing for the presence of HSTS header can be done by checking for the existence of the HSTS header in the server’s response in an interception proxy, or by using curl as follows: $ curl -s -D- https:/domain.com/ | grep Strict Result expected: Strict-Transport-Security: max-age=... References • OWASP HTTP Strict Transport Security - https: /www.owasp. org/index.php/HTTP_Strict_Transport_Security • OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security - http: /www.youtube.com/watch?v=zEV3HOuM_Vw • HSTS Specification: http: /tools.ietf.org/html/rfc6797
61 Web Application Penetration Testing Test RIA cross domain policy (OTG-CONFIG-008) Summary Rich Internet Applications (RIA) have adopted Adobe’s crossdomain.xml policy files to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user. What are cross-domain policy files? A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. For Silverlight, Microsoft adopted a subset of the Adobe’s crossdomain.xml, and additionally created it’s own cross-domain policy file: clientaccesspolicy.xml. Whenever a web client detects that a resource has to be requested from other domain, it will first look for a policy file in the target domain to determine if performing cross-domain requests, including headers, and socket-based connections are allowed. Master policy files are located at the domain’s root. A client may be instructed to load a different policy file but it will always check the master policy file first to ensure that the master policy file permits the requested policy file. Crossdomain.xml vs. Clientaccesspolicy.xml |ªMost RIA applications support crossdomain.xml. However in the case of Silverlight, it will only work if the crossdomain.xml specifies that access is allowed from any domain. For more granular control with Silverlight, clientaccesspolicy.xml must be used. Policy files grant several types of permissions: • Accepted policy files (Master policy files can disable or restrict specific policy files) • Sockets permissions • Header permissions • HTTP/HTTPS access permissions • Allowing access based on cryptographic credentials An example of an overly permissive policy file: How can cross domain policy files can be abused? • Overly permissive cross-domain policies. • Generating server responses that may be treated as crossdomain policy files. • Using file upload functionality to upload files that may be treated as cross-domain policy files. Impact of abusing cross-domain access • Defeat CSRF protections. • Read data restricted or otherwise protected by cross-origin policies. How to Test Testing for RIA policy files weakness: To test for RIA policy file weakness the tester should try to retrieve the policy files crossdomain.xml and clientaccesspolicy.xml from the application’s root, and from every folder found. For example, if the application’s URL is http: /www.owasp.org, the tester should try to download the files http: /www.owasp.org/ crossdomain.xml and http: /www.owasp.org/clientaccesspolicy. xml. After retrieving all the policy files, the permissions allowed should be be checked under the least privilege principle. Requests should only come from the domains, ports, or protocols that are necessary. Overly permissive policies should be avoided. Policies with “*” in them should be closely examined. Example: Result Expected: • A list of policy files found. • A weak settings in the policies. Tools • Nikto • OWASP Zed Attack Proxy Project • W3af References Whitepapers • UCSD: “Analyzing the Crossdomain Policies of Flash Applications” - http: /cseweb.ucsd.edu/~hovav/dist/ crossdomain.pdf • Adobe: “Cross-domain policy file specification” - http: /www.adobe.com/devnet/articles/crossdomain_policy_ file_spec.html • Adobe: “Cross-domain policy file usage recommendations for Flash Player” - http: /www.adobe.com/devnet/flashplayer/ articles/cross_domain_policy.html • Oracle: “Cross-Domain XML Support” - http: /www.oracle.com/technetwork/java/javase/ plugin2-142482.html#CROSSDOMAINXML • MSDN: “Making a Service Available Across Domain Boundaries”
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12: 9 Testing Guide Introduction 2 The
Page 13 and 14: 11 Testing Guide Introduction vide
Page 15 and 16: 13 Testing Guide Introduction Testi
Page 17 and 18: 15 Testing Guide Introduction laid
Page 19 and 20: 17 Testing Guide Introduction valid
Page 21 and 22: 19 Testing Guide Introduction USER
Page 23 and 24: 21 Testing Guide Introduction ment
Page 25 and 26: 23 Testing Guide Introduction offen
Page 27 and 28: 25 The OWASP Testing Framework sect
Page 29 and 30: 27 Web Application Penetration Test
Page 61: 59 Web Application Penetration Test
Page 103 and 104: 101 Web Application Penetration Tes
Page 113 and 114:
111 Web Application Penetration Tes
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?