4.0

More documents

Recommendations

Info

82 Web Application Penetration Testing • Windows shell: Appending any of the following to paths used in a shell command results in no difference in function: • Angle brackets “>” and “
83 Web Application Penetration Testing References Whitepapers • phpBB Attachment Mod Directory Traversal HTTP POST Injection - http: /archives.neohapsis.com/archives/ fulldisclosure/2004-12/0290.html[6] • Windows File Pseudonyms: Pwnage and Poetry - http: /www. slideshare.net/BaronZor/windows-file-pseudonyms[7] Testing for Bypassing Authorization Schema (OTG-AUTHZ-002) Summary This kind of test focuses on verifying how the authorization schema has been implemented for each role or privilege to get access to reserved functions and resources. For every specific role the tester holds during the assessment, for every function and request that the application executes during the post-authentication phase, it is necessary to verify: • Is it possible to access that resource even if the user is not authenticated? • Is it possible to access that resource after the log-out? • Is it possible to access functions and resources that should be accessible to a user that holds a different role or privilege? Try to access the application as an administrative user and track all the administrative functions. • Is it possible to access administrative functions also if the tester is logged as a user with standard privileges? • Is it possible to use these administrative functions as a user with adifferent role and for whom that action should be denied? How to test Testing for access to administrative functions For example, suppose that the ‘AddUser.jsp’ function is part of the administrative menu of the application, and it is possible to access it by requesting the following URL: https:/www.example.com/admin/addUser.jsp Then, the following HTTP request is generated when calling the AddUser function: POST /admin/addUser.jsp HTTP/1.1 Host: www.example.com [other HTTP headers] userID=fakeuser&role=3&group=grp001 What happens if a non-administrative user tries to execute that request? Will the user be created? If so, can the new user use their privileges? Testing for access to resources assigned to a different role For example analyze an application that uses a shared directory to store temporary PDF files for different users. Suppose that documentABC.pdf should be accessible only by the user test1 with roleA. Verify if user test2 with roleB can access that resource. Tools • OWASP WebScarab: OWASP WebScarab Project • OWASP Zed Attack Proxy (ZAP) Testing for Privilege escalation (OTG-AUTHZ-003) Summary This section describes the issue of escalating privileges from one stage to another. During this phase, the tester should verify that it is not possible for a user to modify his or her privileges or roles inside the application in ways that could allow privilege escalation attacks. Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator. The degree of escalation depends on what privileges the attacker is authorized to possess, and what privileges can be obtained in a successful exploit. For example, a programming error that allows a user to gain extra privilege after successful authentication limits the degree of escalation, because the user is already authorized to hold some privilege. Likewise, a remote attacker gaining superuser privilege without any authentication presents a greater degree of escalation. Usually, people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and to horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user). How to test Testing for role/privilege manipulation In every portion of the application where a user can create information in the database (e.g., making a payment, adding a contact, or sending a message), can receive information (statement of account, order details, etc.), or delete information (drop users, messages, etc.), it is necessary to record that functionality. The tester should try to access such functions as another user in order to verify if it is possible to access a function that should not be permitted by the user’s role/privilege (but might be permitted as another user). For example: The following HTTP POST allows the user that belongs to grp001 to access order #0001: POST /admin/addUser.jsp HTTP/1.1 Host: www.example.com [other HTTP headers] userID=fakeuser&role=3&group=grp001 Verify if a user that does not belong to grp001 can modify the value of the parameters ‘groupID’ and ‘orderID’ to gain access to that privileged data.
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24:
21 Testing Guide Introduction ment
Page 25 and 26:
23 Testing Guide Introduction offen
Page 27 and 28:
25 The OWASP Testing Framework sect
Page 29 and 30:
27 Web Application Penetration Test
Page 31 and 32:
29 Web Application Penetration Test
Page 33 and 34: 31 Web Application Penetration Test
Page 83: 81 Web Application Penetration Test
Page 103 and 104: 101 Web Application Penetration Tes
Page 135 and 136:
133 Web Application Penetration Tes
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?