4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
85<br />
Web Application Penetration Testing<br />
In this case, the value of the user parameter is used to tell the<br />
application for which user it should change the password. In many<br />
cases this step will be a part of a wizard, or a multi-step operation.<br />
In the first step the application will get a request stating for which<br />
user’s password is to be changed, and in the next step the user<br />
will provide a new password (without asking for the current one).<br />
The user parameter is used to directly reference the object of the<br />
user for whom the password change operation will be performed.<br />
To test for this case the tester should attempt to provide a different<br />
test username than the one currently logged in, and check<br />
whether it is possible to modify the password of another user.<br />
The value of a parameter is used directly to retrieve a file system<br />
resource<br />
Sample request:<br />
http: /foo.bar/showImage?img=img00011<br />
In this case, the value of the file parameter is used to tell the application<br />
what file the user intends to retrieve. By providing the<br />
name or identifier of a different file (for example file=image00012.<br />
jpg) the attacker will be able to retrieve objects belonging to other<br />
users.<br />
To test for this case, the tester should obtain a reference the user<br />
is not supposed to be able to access and attempt to access it by<br />
using it as the value of file parameter. Note: This vulnerability is<br />
often exploited in conjunction with a directory/path traversal vulnerability<br />
(see Testing for Path Traversal)<br />
The value of a parameter is used directly to access application<br />
functionality<br />
Sample request:<br />
http: /foo.bar/accessPage?menuitem=12<br />
In this case, the value of the menuitem parameter is used to tell<br />
the application which menu item (and therefore which application<br />
functionality) the user is attempting to access. Assume the user is<br />
supposed to be restricted and therefore has links available only to<br />
access to menu items 1, 2 and 3. By modifying the value of menuitem<br />
parameter it is possible to bypass authorization and access<br />
additional application functionality. To test for this case the tester<br />
identifies a location where application functionality is determined<br />
by reference to a menu item, maps the values of menu items the<br />
given test user can access, and then attempts other menu items.<br />
In the above examples the modification of a single parameter is<br />
sufficient. However, sometimes the object reference may be split<br />
between more than one parameter, and testing should be adjusted<br />
accordingly.<br />
References<br />
Top 10 2013-A4-Insecure Direct Object References<br />
Session Management Testing<br />
One of the core components of any web-based application is the<br />
mechanism by which it controls and maintains the state for a user in-<br />
teracting with it. This is referred to this as Session Management and<br />
is defined as the set of all controls governing state-full interaction between<br />
a user and the web-based application. This broadly covers anything<br />
from how user authentication is performed, to what happens<br />
upon them logging out.<br />
HTTP is a stateless protocol, meaning that web servers respond to<br />
client requests without linking them to each other. Even simple application<br />
logic requires a user’s multiple requests to be associated with<br />
each other across a “session”. This necessitates third party solutions<br />
– through either Off-The-Shelf (OTS) middleware and web server<br />
solutions, or bespoke developer implementations. Most popular web<br />
application environments, such as ASP and PHP, provide developers<br />
with built-in session handling routines. Some kind of identification token<br />
will typically be issued, which will be referred to as a “Session ID”<br />
or Cookie.<br />
There are a number of ways in which a web application may interact<br />
with a user. Each is dependent upon the nature of the site, the security,<br />
and availability requirements of the application. Whilst there are<br />
accepted best practices for application development, such as those<br />
outlined in the OWASP Guide to Building Secure Web Applications, it<br />
is important that application security is considered within the context<br />
of the provider’s requirements and expectations.<br />
Testing for Session Management Schema<br />
(OTG-SESS-001)<br />
Summary<br />
In order to avoid continuous authentication for each page of a website<br />
or service, web applications implement various mechanisms to<br />
store and validate credentials for a pre-determined timespan. These<br />
mechanisms are known as Session Management and while they are<br />
important in order to increase the ease of use and user-friendliness<br />
of the application, they can be exploited by a penetration tester to<br />
gain access to a user account, without the need to provide correct<br />
credentials.<br />
In this test, the tester wants to check that cookies and other session<br />
tokens are created in a secure and unpredictable way. An attacker<br />
who is able to predict and forge a weak cookie can easily hijack the<br />
sessions of legitimate users.<br />
Cookies are used to implement session management and are described<br />
in detail in RFC 2965. In a nutshell, when a user accesses an<br />
application which needs to keep track of the actions and identity of<br />
that user across multiple requests, a cookie (or cookies) is generated<br />
by the server and sent to the client. The client will then send the<br />
cookie back to the server in all following connections until the cookie<br />
expires or is destroyed. The data stored in the cookie can provide<br />
to the server a large spectrum of information about who the user is,<br />
what actions he has performed so far, what his preferences are, etc.<br />
therefore providing a state to a stateless protocol like HTTP.<br />
A typical example is provided by an online shopping cart. Throughout<br />
the session of a user, the application must keep track of his identity,<br />
his profile, the products that he has chosen to buy, the quantity, the<br />
individual prices, the discounts, etc. Cookies are an efficient way to<br />
store and pass this information back and forth (other methods are<br />
URL parameters and hidden fields).<br />
Due to the importance of the data that they store, cookies are there-