• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

BruCon 2011 Lightning talk winner: Web app testing without attack traffic

on

  • 2,744 views

BruCon 2011 Lightning talk winner: An OWASP focused walk-through on what can be at least partially tested without permission in a web application

BruCon 2011 Lightning talk winner: An OWASP focused walk-through on what can be at least partially tested without permission in a web application

Statistics

Views

Total Views
2,744
Views on SlideShare
2,742
Embed Views
2

Actions

Likes
2
Downloads
53
Comments
0

2 Embeds 2

http://www.docshut.com 1
http://www.slashdocs.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    BruCon 2011 Lightning talk winner: Web app testing without attack traffic BruCon 2011 Lightning talk winner: Web app testing without attack traffic Presentation Transcript

    • Web app testingwithout attack traffic Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org
    • Intro 33% (22 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺
    • Legend Ethics/Scope legend: P P No Permission needed: No attack traffic ! Mild attack traffic / Could break things !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: Vulnerable Not Vulnerable
    • Testing: Spiders, Robots, and Crawlers(OWASP-IG-001) P $ wget http://www.google.com/robots.txt Found: Analyse entries Not found: Indexing required?
    • Testing: Search engine discovery /reconnaissance (OWASP-IG-002) Google site:target.com filetype: inurl: P Metadata, DNS, Whois, Company info, staff, etc..
    • Testing: Identify application entrypoints (OWASP-IG-003) P Use a proxy and JUST browse the site Let the proxy log ALL requests Understand the site Chain ratproxy to your proxy for cool ideas ☺
    • Testing for Web ApplicationFingerprint (OWASP-IG-004) Get the banner: P $ curl –i –A “Mozilla ” http://target.com | more
    • Testing for SSL-TLS (OWASP-CM-001) No traffic .. P
    • Testing for Admin Interfaces(OWASP-CM-007) 3rd party stuff on .NET ViewState, headers,.. P Telerik.Web.UI?? Google it!
    • Testing for Admin Interfaces(OWASP-CM-007) - continued Google for default passwords P
    • Testing for Admin Interfaces(OWASP-CM-007) – continued !!
    • Testing for Admin Interfaces(OWASP-CM-007) - continued !!
    • Testing for HTTP Methods and XST(OWASP-CM-008) An OPTIONS request is quite normal: P curl -i -A Mozilla/5.0 -X OPTIONS * -k https://site.com HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
    • Testing for credentials transport(OWASP-AT-001) Is the login page on “http” instead of “https”? P
    • Testing for Default or Guessable UserAccount (OWASP-AT-003) Analyse the username(s) they gave you to test: P Username based on numbers? USER12345 Username basic on public info? (i.e. names, surnames, ..) name.surname
    • Vulnerable Remember Password andPwd Reset (OWASP-AT-006) Is autocomplete set to off? P <form autocomplete=“off”> or <input autocomplete=“off”> Look at the questions or fields in the password reset form
    • Testing for Logout and Browser CacheManagement (OWASP-AT-007) Easy test: Login + Logout + Back button P Or no caching headers / not expiring session cookie: HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: . X-Powered-By: . Connection: close Content-Type: text/html; charset=UTF-8
    • Testing for Captcha (OWASP-AT-008) Can be done offline: P Download image and try to break it Look for signs of weak third party components PWNtcha - captcha decoder
    • Testing for Session ManagementSchema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFz c3dvcmQ6MTU6NTg= Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
    • Testing for cookies attributes(OWASP-SM-002) Secure: not set = no https P HttpOnly: not set = cookies stealable via JS Domain: set properly Path: set to the right /sub-application Expires: set reasonably
    • Testing for Session Fixation(OWASP-SM-003) Session ID NOT changed after login = Vuln P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
    • Testing for Exposed Session Variables(OWASP-SM-004) Session ID: P In URL In POST In HTML
    • Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
    • Testing for Bypassing AuthorizationSchema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
    • Testing for DOM-based Cross sitescripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script>
    • Testing for Cross site flashing(OWASP-DV-004) Download and decompile Flash files: P $ flare hello.swf Static / Manual analysis
    • Testing: WS Information Gathering(OWASP-WS-001) Google searches: inurl:wsdl site:example.com P Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
    • Testing for WS Replay (OWASP-WS-007) Similar to CSRF: P Is there an anti-replay token in the request/response?
    • Testing for file extensions handling(OWASP-CM-005) _some_ attack traffic but subtle. File Uploads: !! If upload.php or .asp, .html, .. is allowed by app A valid GIF or JPG comment can be a valid PHP script, etc .. Difference from attack to legit can be subtle File uploads are POST = 99% not logged
    • Testing for user enumeration(OWASP-AT-002) Error messages ! Time differences
    • Testing for Reflected/Stored Cross sitescripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O&apos;Brien O”Brien O&quot;Brien or O%22Brien Ted..> Ted..&gt; or Ted..%3E Ted,< Ted,.&lt; or Ted..%3C Charset, etc..
    • Testing for SQL Injection (OWASP-DV-005) Do you get a SQL error? ! Strings: O’Brien IDs: Instead of “1” type “1l” or “1 l”
    • Thank you Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.orgSpecial thanks to: OWASP Testing Guide contributors Mario Heiderich Chris John Riley Robin Wood