Amish Umesh - Future Of Web App Testing - ClubHack2007

The Future Of Automated W b Application A t t d Web A li ti Testing g

Preview • Web 1 0 1.0 • Application architecture and it’s traditional analysis methodology • Automated web application testing and it's limitation • Web 2.0 • H How it works k • Challenges and limitation of web 2.0 application testing • Next generation auditing tool © net-square

Web 1.0 Application behavior and it’s it s traditional analysis methodology

Web 1.0 Application Architecture HTTP Firewall SQL request Database (cleartext or SSL) Web app DB Web app Web Web Client Server Web app DB Web app HTTP reply (HTML, Javascript, •Apache Written in: Database VBscript, •IIS •ASP connection: etc) •Netscape •JSP •ADO, etc… •Perl, etc •ODBC, etc. © net-square

Web 1.0 Application Architecture • Works with page refresh • Form submitting model • Inputs submitted via query string or form parameters • Browser generates http requests for images, js, etc. while rendering html response through DOM • Request also can be sent by javascript, ActiveX, Applets, Flash, etc. directly © net-square

Web 1.0 Application Architecture • Server & Web Application • Parses http request and map URL with web application physical resource • Generates HTML Response based on the supplied resource query and input parameters © net-square

Web 1.0 Traditional Analysis methodology

Traditional Analysis methodology • Information gathering • Http Response Code – 2xx, 4xx, 5xx • Htt contents Http t t • Extract forms and query string parameters. • Hidden fields comments mail ids fields, comments, ids, • Cookie name / value • Java scripts, • ActiveX and Applets • Find injection point suspicious field or query point, string parameters © net-square

Traditional Analysis methodology • Manipulate field with malicious characters and send request • L k at the ht l response, get some clue, Look t th html t l modify parameters and send request. • Do same again and again until…. Bingo !! • Resources used, , • Browser • Plug-ins (livehttp header or web browser Plug ins toolbar) • Sniffer © net-square

Web 1.0 Automated web application testing and It's Challenges & limitation

Automated web application testing • Input – index page or list of stored URLS • Configurations – depth, within domain, max links, include li k i l d / exclude, user-agent, etc. l d t t • Testing methodology • Crawls web application recursively and collects URLS • Find injection point or attack vector for URL • Query String parameters • It’s Html response form fields • Cookie © net-square

Automated web application testing • Popular Web Application Scanners • NTObjective’s NTOSpider • IBM/W t hfi ’ A S IBM/Watchfire’s AppScan • HP/SPI Dynamics’ WebInspect • Demo • NTOInsight © net-square

It's Challenges & Limitations • Building correct attack request • Forms submission by “onclick” event • Wrong action or target picked up by automated tool • Manage context through out the session • Logout innocently • C Crawl a site in certain order – logical action • Infinite crawl – Dynamic URL creation © net-square

It's Challenges & Limitations • Executing java script like a Browser • Dynamic menus and css • URL d decryption on th fl b j ti the fly by java scripts i t • Identify correct attack vector in URL • No question mark in a URL • Strange extension • Custom techniques to supply inputs. © net-square

It's Challenges & Limitations • False positive/negative and duplication • Detects vulnerability through http response code • O regex pattern search in html response Or tt h i ht l • How to detect persistent XSS?? • Custom response code (obfuscated 200) • Random 404 pages © net-square

It's Challenges & Limitations • Authenticated scanning • Login automatically on authenticated URL, • Where to go after authentication ? • Form based authentication • Success or fail how to decide ? fail, • Captcha, how to handle ? • Broken access controls • Information leakage • Design issues © net-square

Scanners are also getting smarter • Page Signature technology being used to identify obfuscated 200, random 404 pages and Form based authentication • Java scripts based URLs can be fetched by regex bbased search d h • Most of the scanners identify technical vulnerabilities like SQL Injection, XSS, etc. j , , © net-square

Web 2.0 How it works !!

Web 2.0 Technology • Web 2 0 Applications are on the rise 2.0 • Rich Internet Applications (RIA) – reshaping application front • Web Services on the rise – forming backend of applications • Gartner is advising companies to take up Web services now, or risk losing out to competitors , g p embracing the technology. © net-square

Web 2.0 Technology • Web Services is forming back end and accessible on SOAP • AJAX – empowering browsers • XML based services • Rich Internet Applications are consuming back end web services • Search engines and mechanisms for web services publishing and accessing • Security evolving around web services © net-square

Ajax model Classic web application model Ajax-enabled web application model Browser user interface JavaScript call HTML + CSS data Browser user interface Ajax engine HTTP request HTTP request Transport layer HTML + CSS data XML Data web server web and/or XMLserver Data stores, Data stores, backend processing, backend processing, legacy systems legacy systems server-side systems server-side systems © net-square Source : http://www.adaptivepath.com/publications/essays/archives/000385.php

AJAX introduction x Source : http://www.adaptivepath.com/publications/essays/archives/000385.php © net-square

Win32 APP vs Web 2.0 Win32 GUI application model Ajax-enabled web application model Desktop Browser Win32 GUI user interface Win32 Msg JavaScript call User Data HTML + CSS data Win32 WndProc Msg handler AJAX (JS) Library RPC Request XHR call RPC Response XML Data RPC Services Web Services Data t D t stores, Data t D t stores, backend processing, backend processing, legacy systems legacy systems © n e t - s q u a r eserver-side systems server-side systems

Web 2.0 Challenges and limitation of web 2 0 2.0 application testing

Impact of Web 2.0 • Application Infrastructure Changing dimension Web 1.0 10 Web 2.0 20 (AI1) Protocols HTTP & HTTPS SOAP, XML-RPC, REST etc. over HTTP & HTTPS (AI2) Information HTML transfer XML, JSON, JS Objects etc. structures (AI3) Communication Synchronous Asynchronous & Cross- methods th d Postback domains (proxy) Refresh and Redirect (AI4) Information Single place information Multiple sources (Urge for sharingg (No urge for integrated information integration) i i ) platform) l f ) © net-square

Impact of Web 2.0 • Security Threats Changing dimension g g Web 1.0 Web 2.0 (T1) Entry points Structured Scattered and multiple (T2) Dependencies Limited • Multiple technologies • Information sources • Protocols (T3) Vulnerabilities Server side [Typical injections] • Web services [Payloads] • Cli t side [XSS & XSRF] Client id (T4) Exploitation Server side exploitation Both server and client side exploitation © net-square

Impact of Web 2.0 • Methodology Changing dimension Web 1.0 Web 2.0 Typical with "Host" and Footprinting DNS Empowered with search Discovery Simple Difficult with hidden calls Enumeration Structured Several streams Scanning Structured and simple Difficult with extensive Ajax Difficult with Ajax and web Automated attacks Easy after discovery services On the server-side Reverse engineering g g [Difficult] Client-side with Ajax & Flash Code reviews Focus on server-side only Client-side analysis needed © net-square

Impact of Web 2.0 • Countermeasure Changing dimension Web 1.0 Web 2.0 Multiple places [Mashups & Owner of information Single place RSS] Browser security Simple DOM usage Complex DOM usage Validations Server side Client side [incoming content] Logic shift Only on server Client side shift Secure coding Structured and single place Multiple places and scattered © net-square

Challenges and Limitation • No success with http response parsing • Everything is generated run time • Path of execution is dynamic • Cannot predict next URL p • Need to grab data in runtime through DOM • cannot use anything other than browser • human element is must © net-square

Future Approach Automated Web Application Testing

Future Approach • "only about half of the required tests for a only security assessment can be performed on a purely automated basis The other half basis. require human involvement, typically for identifying vulnerabilities in business logic “ logic. • Jeremiah Grossman (CTO, Whitehat Security) • So finally you need a tool which will have So, both the things at one place.. • B Browser based W b A li ti S b d Web Application Scanner © net-square

Future Approach • Browser based toolbar Advantages • Hybrid – Automated + Manual both • U Uses BBrowser DOM directly di tl • Crawling is possible but it is not required because It’s allow you to test per page basis so basis, test as you traverse normally, • Following challenges get resolved resolved, – Infinite crawl – Crawl a site in particular order © net-square

Future Approach • Authenticated scanning – login first and then start testing, context will be managed automatically by browser • Following challenges get resolved, • Manage context through out the session • Logout innocently • Where to go after authentication ? • Form based authentication, Success or fail, how to decide ? • Captcha. © net-square

Future Approach • The field value manipulation will be in a DOM itself. • Following challenges get resolved resolved, – Building correct attack request – Forms submission by “onclick” event – Wrong action or target picked up by automated tool – Dynamic URL creation • Java scripts execution automatically automatically, • Following challenges get resolved, • Dynamic menus and css • URL decryption on the fly by java scripts © net-square

Future Approach • False positive will be reduced by real html view, • Following challenges get resolved resolved, – False positives – XSS detection with no false positives, popup will be there. – Information leakage can be identified by html view. © net-square

Future Approach • So only approach is browser based tool i e So, tool, i.e toolbar, like human clicks and automation together!! • Security QA Toolbar http://www.isecpartners.com/SecurityQAToolbar.html © net-square

Thanks!! umesh@net square.com umesh@net-square com amish@net-square.com

http://clubhack.com	14
http://www.clubhack.com	4
http://clubhack.in	1

Amish Umesh - Future Of Web App Testing - ClubHack2007

by ClubHack

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 19

Statistics

Amish Umesh - Future Of Web App Testing - ClubHack2007 Presentation Transcript