4.0

More documents

Recommendations

Info

72 Web Application Penetration Testing Session ID Prediction Many web applications manage authentication by using session identifiers (session IDs). Therefore, if session ID generation is predictable, a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user. The following figure shows that with a simple SQL injection attack, it is sometimes possible to bypass the authentication form. In the following figure, values inside cookies increase linearly, so it could be easy for an attacker to guess a valid session ID. n the following figure, values inside cookies change only partially, so it’s possible to restrict a brute force attack to the defined fields shown below. Gray Box Testing If an attacker has been able to retrieve the application source code by exploiting a previously discovered vulnerability (e.g., directory traversal), or from a web repository (Open Source Applications), it could be possible to perform refined attacks against the implementation of the authentication process. In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 the unserialize() function parses a user supplied cookie and sets values inside the $row array. At line 10 the user’s MD5 password hash stored inside the back end database is compared to the one supplied. In PHP, a comparison between a string value and a boolean value SQL Injection (HTML Form Authentication) SQL Injection is a widely known attack technique. This section is not going to describe this technique in detail as there are several sections in this guide that explain injection techniques beyond the scope of this section. 1. if ( isset($HTTP_COOKIE_VARS[$cookiename . ‘_sid’]) || 2. { 3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . ‘_data’] ) ? 4. 5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . ‘_data’])) : array(); 6. 7. $sessionmethod = SESSION_METHOD_COOKIE; 8. } 9. 10. if( md5($password) == $row[‘user_password’] && $row[‘user_active’] ) 11. 12. { 13. $autologin = ( isset($HTTP_POST_VARS[‘autologin’]) ) ? TRUE : 0; 14. } (1 - “TRUE”) is always “TRUE”, so by supplying the following string (the important part is “b:1”) to the unserialize() function, it is possible to bypass the authentication control: a:2:{s:11:”autologinid”;b:1;s:6:”userid”;s:1:”2”;}
73 Web Application Penetration Testing Tools • WebScarab • WebGoat • OWASP Zed Attack Proxy (ZAP) References Whitepapers • Mark Roxberry: “PHPBB 2.0.13 vulnerability” • David Endler: “Session ID Brute Force Exploitation and Prediction” - http: /www.cgisecurity.com/lib/SessionIDs.pdf Testing for Vulnerable Remember Password (OTG-AUTHN-005) Summary Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user. Additionally some websites will offer custom “remember me” functionality to allow users to persist log ins on a specific client system. Having the browser store passwords is not only a convenience for end-users, but also for an attacker. If an attacker can gain access to the victim’s browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application’s authentication form, entering the victim’s username, and letting the browser to enter the password. Additionally where custom “remember me” functions are put in place weaknesses in how the token is stored on the client PC (for example using base64 encoded credentials as the token) could expose the users passwords. Since early 2014 most major browsers will override any use of autocomplete=”off” with regards to password forms and as a result previous checks for this are not required and recommendations should not commonly be given for disabling this feature. However this can still apply to things like secondary secrets which may be stored in the browser inadvertently. How to Test • Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. • Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. • Verify that the credentials are only sent during the log in phase, and not sent together with every request to the application. • Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form). Remediation Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in cookies. Testing for Browser cache weakness (OTG-AUTHN-006) Summary In this phase the tester checks that the application correctly instructs the browser to not remember sensitive data. Browsers can store information for purposes of caching and history. Caching is used to improve performance, so that previously displayed information doesn’t need to be downloaded again. History mechanisms are used for user convenience, so the user can see exactly what they saw at the time when the resource was retrieved. If sensitive information is displayed to the user (such as their address, credit card details, Social Security Number, or username), then this information could be stored for purposes of caching or history, and therefore retrievable through examining the browser’s cache or by simply pressing the browser’s “Back” button. How to Test Browser History Technically, the “Back” button is a history and not a cache (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.13). The cache and the history are two different entities. However, they share the same weakness of presenting previously displayed sensitive information. The first and simplest test consists of entering sensitive information into the application and logging out. Then the tester clicks the “Back” button of the browser to check whether previously displayed sensitive information can be accessed whilst unauthenticated. If by pressing the “Back” button the tester can access previous pages but not access new ones, then it is not an authentication issue, but a browser history issue. If these pages contain sensitive data, it means that the application did not forbid the browser from storing it. Authentication does not necessarily need to be involved in the testing. For example, when a user enters their email address in order to sign up to a newsletter, this information could be retrievable if not properly handled. The “Back” button can be stopped from showing sensitive data. This can be done by: • Delivering the page over HTTPS. • Setting Cache-Control: must-re-validate Browser Cache Here testers check that the application does not leak any sensitive data into the browser cache. In order to do that, they can use a proxy (such as WebScarab) and search through the server responses that belong to the session, checking that for every page that contains sensitive information the server instructed the browser not to cache any data. Such a directive can be issued in the HTTP response headers:
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24: 21 Testing Guide Introduction ment
Page 25 and 26: 23 Testing Guide Introduction offen
Page 27 and 28: 25 The OWASP Testing Framework sect
Page 29 and 30: 27 Web Application Penetration Test
Page 73: 71 Web Application Penetration Test
Page 103 and 104: 101 Web Application Penetration Tes
Page 125 and 126:
123 Web Application Penetration Tes
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?