4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
73<br />
Web Application Penetration Testing<br />
Tools<br />
• WebScarab<br />
• WebGoat<br />
• OWASP Zed Attack Proxy (ZAP)<br />
References<br />
Whitepapers<br />
• Mark Roxberry: “PHPBB 2.0.13 vulnerability”<br />
• David Endler: “Session ID Brute Force Exploitation and Prediction”<br />
- http: /www.cgisecurity.com/lib/SessionIDs.pdf<br />
Testing for Vulnerable Remember Password<br />
(OTG-AUTHN-005)<br />
Summary<br />
Browsers will sometimes ask a user if they wish to remember the<br />
password that they just entered. The browser will then store the<br />
password, and automatically enter it whenever the same authentication<br />
form is visited. This is a convenience for the user.<br />
Additionally some websites will offer custom “remember me”<br />
functionality to allow users to persist log ins on a specific client<br />
system.<br />
Having the browser store passwords is not only a convenience<br />
for end-users, but also for an attacker. If an attacker can gain access<br />
to the victim’s browser (e.g. through a Cross Site Scripting<br />
attack, or through a shared computer), then they can retrieve the<br />
stored passwords. It is not uncommon for browsers to store these<br />
passwords in an easily retrievable manner, but even if the browser<br />
were to store the passwords encrypted and only retrievable<br />
through the use of a master password, an attacker could retrieve<br />
the password by visiting the target web application’s authentication<br />
form, entering the victim’s username, and letting the browser<br />
to enter the password.<br />
Additionally where custom “remember me” functions are put in<br />
place weaknesses in how the token is stored on the client PC (for<br />
example using base64 encoded credentials as the token) could<br />
expose the users passwords. Since early 2014 most major browsers<br />
will override any use of autocomplete=”off” with regards to<br />
password forms and as a result previous checks for this are not<br />
required and recommendations should not commonly be given for<br />
disabling this feature. However this can still apply to things like<br />
secondary secrets which may be stored in the browser inadvertently.<br />
How to Test<br />
• Look for passwords being stored in a cookie.<br />
Examine the cookies stored by the application.<br />
Verify that the credentials are not stored in clear text, but are<br />
hashed.<br />
• Examine the hashing mechanism: if it is a common, well-known<br />
algorithm, check for its strength; in homegrown hash functions,<br />
attempt several usernames to check whether the hash function<br />
is easily guessable.<br />
• Verify that the credentials are only sent during the log<br />
in phase, and not sent together with every request<br />
to the application.<br />
• Consider other sensitive form fields (e.g. an answer to a secret<br />
question that must be entered in a password recovery<br />
or account unlock form).<br />
Remediation<br />
Ensure that no credentials are stored in clear text or are easily retrievable<br />
in encoded or encrypted forms in cookies.<br />
Testing for Browser cache weakness<br />
(OTG-AUTHN-006)<br />
Summary<br />
In this phase the tester checks that the application correctly instructs<br />
the browser to not remember sensitive data.<br />
Browsers can store information for purposes of caching and history.<br />
Caching is used to improve performance, so that previously<br />
displayed information doesn’t need to be downloaded again.<br />
History mechanisms are used for user convenience, so the user<br />
can see exactly what they saw at the time when the resource was<br />
retrieved. If sensitive information is displayed to the user (such<br />
as their address, credit card details, Social Security Number, or<br />
username), then this information could be stored for purposes of<br />
caching or history, and therefore retrievable through examining<br />
the browser’s cache or by simply pressing the browser’s “Back”<br />
button.<br />
How to Test<br />
Browser History<br />
Technically, the “Back” button is a history and not a cache (see<br />
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.13).<br />
The cache and the history are two different entities.<br />
However, they share the same weakness of presenting previously<br />
displayed sensitive information.<br />
The first and simplest test consists of entering sensitive information<br />
into the application and logging out. Then the tester clicks<br />
the “Back” button of the browser to check whether previously<br />
displayed sensitive information can be accessed whilst unauthenticated.<br />
If by pressing the “Back” button the tester can access previous<br />
pages but not access new ones, then it is not an authentication<br />
issue, but a browser history issue. If these pages contain sensitive<br />
data, it means that the application did not forbid the browser from<br />
storing it.<br />
Authentication does not necessarily need to be involved in the<br />
testing. For example, when a user enters their email address in<br />
order to sign up to a newsletter, this information could be retrievable<br />
if not properly handled.<br />
The “Back” button can be stopped from showing sensitive data.<br />
This can be done by:<br />
• Delivering the page over HTTPS.<br />
• Setting Cache-Control: must-re-validate<br />
Browser Cache<br />
Here testers check that the application does not leak any sensitive<br />
data into the browser cache. In order to do that, they can<br />
use a proxy (such as WebScarab) and search through the server<br />
responses that belong to the session, checking that for every<br />
page that contains sensitive information the server instructed the<br />
browser not to cache any data. Such a directive can be issued in<br />
the HTTP response headers: