• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Amish Umesh - Future Of Web App Testing  - ClubHack2007
 

Amish Umesh - Future Of Web App Testing - ClubHack2007

on

  • 1,296 views

 

Statistics

Views

Total Views
1,296
Views on SlideShare
1,275
Embed Views
21

Actions

Likes
0
Downloads
13
Comments
0

3 Embeds 21

http://clubhack.com 14
http://www.clubhack.com 6
http://clubhack.in 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Amish Umesh - Future Of Web App Testing  - ClubHack2007 Amish Umesh - Future Of Web App Testing - ClubHack2007 Presentation Transcript

    • The Future Of Automated W b Application A t t d Web A li ti Testing g
    • Preview • Web 1 0 1.0 • Application architecture and it’s traditional analysis methodology • Automated web application testing and it's limitation • Web 2.0 • H How it works k • Challenges and limitation of web 2.0 application testing • Next generation auditing tool © net-square
    • Web 1.0 Application behavior and it’s it s traditional analysis methodology
    • Web 1.0 Application Architecture HTTP Firewall SQL request Database (cleartext or SSL) Web app DB Web app Web Web Client Server Web app DB Web app HTTP reply (HTML, Javascript, •Apache Written in: Database VBscript, •IIS •ASP connection: etc) •Netscape •JSP •ADO, etc… •Perl, etc •ODBC, etc. © net-square
    • Web 1.0 Application Architecture • Works with page refresh • Form submitting model • Inputs submitted via query string or form parameters • Browser generates http requests for images, js, etc. while rendering html response through DOM • Request also can be sent by javascript, ActiveX, Applets, Flash, etc. directly © net-square
    • Web 1.0 Application Architecture • Server & Web Application • Parses http request and map URL with web application physical resource • Generates HTML Response based on the supplied resource query and input parameters © net-square
    • Web 1.0 Traditional Analysis methodology
    • Traditional Analysis methodology • Information gathering • Http Response Code – 2xx, 4xx, 5xx • Htt contents Http t t • Extract forms and query string parameters. • Hidden fields comments mail ids fields, comments, ids, • Cookie name / value • Java scripts, • ActiveX and Applets • Find injection point suspicious field or query point, string parameters © net-square
    • Traditional Analysis methodology • Manipulate field with malicious characters and send request • L k at the ht l response, get some clue, Look t th html t l modify parameters and send request. • Do same again and again until…. Bingo !! • Resources used, , • Browser • Plug-ins (livehttp header or web browser Plug ins toolbar) • Sniffer © net-square
    • Web 1.0 Automated web application testing and It's Challenges & limitation
    • Automated web application testing • Input – index page or list of stored URLS • Configurations – depth, within domain, max links, include li k i l d / exclude, user-agent, etc. l d t t • Testing methodology • Crawls web application recursively and collects URLS • Find injection point or attack vector for URL • Query String parameters • It’s Html response form fields • Cookie © net-square
    • Automated web application testing • Popular Web Application Scanners • NTObjective’s NTOSpider • IBM/W t hfi ’ A S IBM/Watchfire’s AppScan • HP/SPI Dynamics’ WebInspect • Demo • NTOInsight © net-square
    • It's Challenges & Limitations • Building correct attack request • Forms submission by “onclick” event • Wrong action or target picked up by automated tool • Manage context through out the session • Logout innocently • C Crawl a site in certain order – logical action • Infinite crawl – Dynamic URL creation © net-square
    • It's Challenges & Limitations • Executing java script like a Browser • Dynamic menus and css • URL d decryption on th fl b j ti the fly by java scripts i t • Identify correct attack vector in URL • No question mark in a URL • Strange extension • Custom techniques to supply inputs. © net-square
    • It's Challenges & Limitations • False positive/negative and duplication • Detects vulnerability through http response code • O regex pattern search in html response Or tt h i ht l • How to detect persistent XSS?? • Custom response code (obfuscated 200) • Random 404 pages © net-square
    • It's Challenges & Limitations • Authenticated scanning • Login automatically on authenticated URL, • Where to go after authentication ? • Form based authentication • Success or fail how to decide ? fail, • Captcha, how to handle ? • Broken access controls • Information leakage • Design issues © net-square
    • Scanners are also getting smarter • Page Signature technology being used to identify obfuscated 200, random 404 pages and Form based authentication • Java scripts based URLs can be fetched by regex bbased search d h • Most of the scanners identify technical vulnerabilities like SQL Injection, XSS, etc. j , , © net-square
    • Web 2.0 How it works !!
    • Web 2.0 Technology • Web 2 0 Applications are on the rise 2.0 • Rich Internet Applications (RIA) – reshaping application front • Web Services on the rise – forming backend of applications • Gartner is advising companies to take up Web services now, or risk losing out to competitors , g p embracing the technology. © net-square
    • Web 2.0 Technology • Web Services is forming back end and accessible on SOAP • AJAX – empowering browsers • XML based services • Rich Internet Applications are consuming back end web services • Search engines and mechanisms for web services publishing and accessing • Security evolving around web services © net-square
    • Ajax model Classic web application model Ajax-enabled web application model Browser user interface JavaScript call HTML + CSS data Browser user interface Ajax engine HTTP request HTTP request Transport layer HTML + CSS data XML Data web server web and/or XMLserver Data stores, Data stores, backend processing, backend processing, legacy systems legacy systems server-side systems server-side systems © net-square Source : http://www.adaptivepath.com/publications/essays/archives/000385.php
    • AJAX introduction x Source : http://www.adaptivepath.com/publications/essays/archives/000385.php © net-square
    • Win32 APP vs Web 2.0 Win32 GUI application model Ajax-enabled web application model Desktop Browser Win32 GUI user interface Win32 Msg JavaScript call User Data HTML + CSS data Win32 WndProc Msg handler AJAX (JS) Library RPC Request XHR call RPC Response XML Data RPC Services Web Services Data t D t stores, Data t D t stores, backend processing, backend processing, legacy systems legacy systems © n e t - s q u a r eserver-side systems server-side systems
    • Web 2.0 Challenges and limitation of web 2 0 2.0 application testing
    • Impact of Web 2.0 • Application Infrastructure Changing dimension Web 1.0 10 Web 2.0 20 (AI1) Protocols HTTP & HTTPS SOAP, XML-RPC, REST etc. over HTTP & HTTPS (AI2) Information HTML transfer XML, JSON, JS Objects etc. structures (AI3) Communication Synchronous Asynchronous & Cross- methods th d Postback domains (proxy) Refresh and Redirect (AI4) Information Single place information Multiple sources (Urge for sharingg (No urge for integrated information integration) i i ) platform) l f ) © net-square
    • Impact of Web 2.0 • Security Threats Changing dimension g g Web 1.0 Web 2.0 (T1) Entry points Structured Scattered and multiple (T2) Dependencies Limited • Multiple technologies • Information sources • Protocols (T3) Vulnerabilities Server side [Typical injections] • Web services [Payloads] • Cli t side [XSS & XSRF] Client id (T4) Exploitation Server side exploitation Both server and client side exploitation © net-square
    • Impact of Web 2.0 • Methodology Changing dimension Web 1.0 Web 2.0 Typical with "Host" and Footprinting DNS Empowered with search Discovery Simple Difficult with hidden calls Enumeration Structured Several streams Scanning Structured and simple Difficult with extensive Ajax Difficult with Ajax and web Automated attacks Easy after discovery services On the server-side Reverse engineering g g [Difficult] Client-side with Ajax & Flash Code reviews Focus on server-side only Client-side analysis needed © net-square
    • Impact of Web 2.0 • Countermeasure Changing dimension Web 1.0 Web 2.0 Multiple places [Mashups & Owner of information Single place RSS] Browser security Simple DOM usage Complex DOM usage Validations Server side Client side [incoming content] Logic shift Only on server Client side shift Secure coding Structured and single place Multiple places and scattered © net-square
    • Challenges and Limitation • No success with http response parsing • Everything is generated run time • Path of execution is dynamic • Cannot predict next URL p • Need to grab data in runtime through DOM • cannot use anything other than browser • human element is must © net-square
    • Future Approach Automated Web Application Testing
    • Future Approach • "only about half of the required tests for a only security assessment can be performed on a purely automated basis The other half basis. require human involvement, typically for identifying vulnerabilities in business logic “ logic. • Jeremiah Grossman (CTO, Whitehat Security) • So finally you need a tool which will have So, both the things at one place.. • B Browser based W b A li ti S b d Web Application Scanner © net-square
    • Future Approach • Browser based toolbar Advantages • Hybrid – Automated + Manual both • U Uses BBrowser DOM directly di tl • Crawling is possible but it is not required because It’s allow you to test per page basis so basis, test as you traverse normally, • Following challenges get resolved resolved, – Infinite crawl – Crawl a site in particular order © net-square
    • Future Approach • Authenticated scanning – login first and then start testing, context will be managed automatically by browser • Following challenges get resolved, • Manage context through out the session • Logout innocently • Where to go after authentication ? • Form based authentication, Success or fail, how to decide ? • Captcha. © net-square
    • Future Approach • The field value manipulation will be in a DOM itself. • Following challenges get resolved resolved, – Building correct attack request – Forms submission by “onclick” event – Wrong action or target picked up by automated tool – Dynamic URL creation • Java scripts execution automatically automatically, • Following challenges get resolved, • Dynamic menus and css • URL decryption on the fly by java scripts © net-square
    • Future Approach • False positive will be reduced by real html view, • Following challenges get resolved resolved, – False positives – XSS detection with no false positives, popup will be there. – Information leakage can be identified by html view. © net-square
    • Future Approach • So only approach is browser based tool i e So, tool, i.e toolbar, like human clicks and automation together!! • Security QA Toolbar http://www.isecpartners.com/SecurityQAToolbar.html © net-square
    • Thanks!! umesh@net square.com umesh@net-square com amish@net-square.com