QA: Basic security testing of web applications as part of QA
1. Basic Web Application Security Testing in QA
Denis Kolegov
Sr. Security Test Engineer, PhD
F5 Networks, Tomsk State University
2. Who Am I?
• Sr. Security Test Engineer at F5 Networks
• PhD, associate professor at TSU’s Information Security and Cryptography Department
• Speaker
– Positive Hack Days, Zero Nights, SibeCrypt
• OWASP SCG, BeEF, Metasploit contributor
3. Introduction
• BSIMM security testing (Gary McGraw)
– Enhance QA beyond functional perspective
– Integrate the attacker perspective into test plans
– Deliver risk-based security testing
• Hack yourself first (Troy Hunt)
– This approach advocates building up our cyber-offense skills and focusing these skills inward, at ourselves, to find and fix security issues before the bad guys find and exploit them
5. Checklist
1. Information disclosure
2. SSL/TLS
3. Slow HTTP DoS attacks
4. HTTP host header attacks
5. Login page over HTTPS
6. Same site scripting
7. Secure headers
8. Cross domain policy
9. Session management
10. URL validation
6. Information Disclosure
• Scope
– Web management interfaces
– Web application reverse proxies
– Error pages
• Services
– Google Search Engine
– Shodan
• Weaknesses
– Indexing by search engines
– Hardcoded keywords on error pages
– Keywords in HTTP response headers
7. Information Disclosure
• Shodan
– cisco
– bitrix
– VMware
• Google
– intitle:"VMware Horizon View Administrator"
– inurl:"portal/webclient/views/mainUI.html"
– intitle:"Welcome to VMware ESX"
8. Information Disclosure
• Test robots.txt
User-agent: *
Disallow: /
• Test meta tag
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
• Test that it is possible to delete or change default keywords via the customization tool
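The three information-disclosure checks above (robots.txt, the meta robots tag, keywords in response headers) as an added QA helper; this is example code written for this page, not the author's tooling, and the sample robots.txt, HTML and headers are constructed inputs.

```python
import re
from typing import Dict, List

DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")  # common product/version leaks
VERSION_RE = re.compile(r"\d+(\.\d+)+")
META_ROBOTS_RE = re.compile(
    r'<meta\s[^>]*name\s*=\s*["\']?robots["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE)

def robots_blocks_all(robots_txt: str) -> bool:
    """True if robots.txt contains 'Disallow: /' inside a 'User-agent: *' group."""
    in_all_group, prev_was_ua = False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not prev_was_ua:          # a User-agent line after rules starts a new group
                in_all_group = False
            in_all_group = in_all_group or value == "*"
            prev_was_ua = True
            continue
        prev_was_ua = False
        if key == "disallow" and in_all_group and value == "/":
            return True
    return False

def meta_noindex(html: str) -> bool:
    """True if a <meta name="robots"> tag asks search engines not to index the page."""
    m = META_ROBOTS_RE.search(html)
    return bool(m) and "noindex" in m.group(1).lower()

def header_disclosures(headers: Dict[str, str]) -> List[str]:
    """Report response headers whose values reveal the product behind the interface."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS and value.strip():
            kind = "version" if VERSION_RE.search(value) else "product name"
            findings.append(f"{name}: {value.strip()} ({kind} disclosed)")
    return findings

# Constructed sample responses of a management interface (not a real product).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
SAMPLE_HTML = "<html><head><title>Login</title></head><body></body></html>"
SAMPLE_HEADERS = {"Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3"}

if __name__ == "__main__":
    print(robots_blocks_all(SAMPLE_ROBOTS), meta_noindex(SAMPLE_HTML), header_disclosures(SAMPLE_HEADERS))
```

A passing check is robots_blocks_all and meta_noindex both True and header_disclosures empty; the constructed sample fails all three.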
9. SSL/TLS Testing
• Testing with OpenSSL
– Trustworthy checks
– Old versions (0.9.8k)
• Qualys SSL Labs
– SSL Server Test
– SSL Client Test
– SSL/TLS Best Practices
– API
• Tools
– sslscan
– sslyze
– ssllabs-scan
10. Client-Initiated Renegotiation DoS Test
• Testing with OpenSSL
openssl s_client --connect test.com:443
GET / HTTP/1.1
Host: test.com
R
…
R
CRLF
• Proof of concept with exploit
thc-ssl-dos --accept test.com 443
11. Slow HTTP DoS Testing
• Attacks
– Slowloris (slow headers)
– Slow HTTP POST (slow body)
– Slow Read
• Apache is generally the most vulnerable server
• Nginx, IIS and lighttpd can also be vulnerable to these attacks
• Tools
– https://code.google.com/p/slowhttptest/
– slowloris.pl
13. Same Site Scripting
• DNS misconfiguration
– xyz.target.com with A-record to 127.0.0.1
– xyz.target.com with A-record to private address (RFC 1918)
• In a multi-user system an attacker can run a network service on the loopback interface and then eavesdrop on users’ cookies
1. Run "nc -lv 10024"
2. Send an email with <img src="http://xyz.target.com:10024">
• An attacker can connect to a public network with the same (private) network address and publish a link to a resource at xyz.target.com. All users on the same public network who access this resource send their cookies to the attacker
14. Same Site Scripting
• Testing
– nslookup localhost.target.com
– DNS enumeration
• Examples
– https://hackerone.com/reports/1509
– https://hackerone.com/reports/7949
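The DNS check above (nslookup of candidate names, then looking for loopback or RFC 1918 answers) as an added example; this is code written for this page, not the author's, and SAMPLE_RECORDS is constructed zone data rather than real DNS answers.

```python
import ipaddress
import socket
from typing import Iterable, List, Tuple

def classify_address(ip: str) -> str:
    """Label a resolved address: 'loopback', 'link-local', 'private' (RFC 1918 or
    IPv6 ULA) or 'public'. Raises ValueError if the value is not an IP address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "public"

def find_same_site_scripting_risks(records: Iterable[Tuple[str, str]]) -> List[str]:
    """One finding per (hostname, ip) pair under the tested zone whose address is not
    public: a listener on that address receives cookies scoped to the parent domain."""
    findings = []
    for host, ip in records:
        kind = classify_address(ip)
        if kind != "public":
            findings.append(f"{host} -> {ip} ({kind})")
    return findings

def resolve_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Resolve candidate names (what 'nslookup localhost.target.com' does by hand)
    into (hostname, ip) pairs; IPv4 only, names that do not resolve are skipped."""
    pairs = []
    for name in names:
        try:
            _, _, ips = socket.gethostbyname_ex(name)
        except socket.gaierror:
            continue
        pairs.extend((name, ip) for ip in ips)
    return pairs

# Constructed zone data (not real DNS answers) standing in for an enumeration result.
SAMPLE_RECORDS = [
    ("www.target.com", "93.184.216.34"),
    ("localhost.target.com", "127.0.0.1"),
    ("xyz.target.com", "10.0.0.5"),
    ("dev.target.com", "169.254.7.7"),
]

if __name__ == "__main__":
    for finding in find_same_site_scripting_risks(SAMPLE_RECORDS):
        print(finding)
```

In a real run, feed resolve_names() the output of your subdomain enumeration and pass the pairs to find_same_site_scripting_risks(); the fix is to remove such records from the zone.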
17. X-Frame-Options
• All about Clickjacking?
• What an attacker can do
– Bypass some XSS filters
– Bypass XSS length restrictions
– Bypass CSP via browser vulnerabilities
• X-Frame-Options is an additional layer of defense
18. Access-Control-Allow-Origin
• Access-Control-Allow-Origin is part of the CORS specification
• Access-Control-Allow-Origin: * means that the resource can be accessed by any domain in a cross-site manner
• Examples
– https://hackerone.com/reports/13551
– https://hackerone.com/reports/6268
20. Host Header Attacks
• Weakness: a web server handles HTTP requests with an arbitrary or invalid Host header
• Attacks
– DNS rebinding
– Stored XSS
– Password reset poisoning
– Web-cache poisoning
• Examples
– https://hackerone.com/reports/13286
– https://hackerone.com/reports/487
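The mitigation for the weakness above is to validate the Host header against an allowlist before the application uses it to build links or cache keys; the following is an added example of such a check written for this page (not the author's code), and ALLOWED is a constructed list of the application's own names.

```python
import ipaddress
import re
from typing import Iterable, Optional

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

def parse_host_header(value: str) -> Optional[str]:
    """Normalise a Host header value to a lowercase hostname (or IPv6 literal).
    Accepts an optional :port and a trailing dot; returns None for anything else."""
    value = value.strip()
    if value.startswith("["):                  # IPv6 literal such as [::1]:8443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not (rest[0] == ":" and rest[1:].isdigit()):
            return None
        try:
            return str(ipaddress.IPv6Address(host))
        except ValueError:
            return None
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None
    host = host.rstrip(".").lower()
    return host if HOSTNAME_RE.match(host) else None

def host_is_allowed(value: str, allowed_hosts: Iterable[str]) -> bool:
    """Allowlist check for the Host header. Absolute URLs (password-reset links,
    redirects, cache keys) should be built only from a value that passes here;
    any other request should get a 400 rather than having its Host echoed back."""
    host = parse_host_header(value)
    if host is None:
        return False
    return host in {a.rstrip(".").lower() for a in allowed_hosts}

ALLOWED = ["test.com", "www.test.com"]   # constructed: the application's own names

if __name__ == "__main__":
    for candidate in ["test.com", "WWW.test.com:443", "test.com.", "[::1]:8443",
                      "attacker.example", "test.com:abc", "test.com@attacker.example"]:
        print(f"{candidate!r:32} -> {host_is_allowed(candidate, ALLOWED)}")
```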
21. Cross Domain Policy
• A cross-domain policy file specifies the permissions that a web client such as Java or Adobe Flash uses to access data across different domains
• Files
– crossdomain.xml
– clientaccesspolicy.xml
• Example of configuration weakness
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
• Example
– https://hackerone.com/reports/43070
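The X-Frame-Options, Access-Control-Allow-Origin and cross-domain-policy checks from the preceding slides as one added QA helper; this is example code written for this page, not the author's. It parses crossdomain.xml only (clientaccesspolicy.xml has a different schema) and goes slightly beyond the slide by also flagging wildcard subdomains and secure="false"; WEAK_POLICY is the slide's own example and SAMPLE_HEADERS is a constructed response.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for the X-Frame-Options and Access-Control-Allow-Origin checks."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed by any site")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options value {xfo!r} is not one browsers honour")
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("Access-Control-Allow-Origin: * allows cross-site reads from any origin")
    return findings

def check_cross_domain_policy(xml_text: str) -> List[str]:
    """Findings for a crossdomain.xml (Flash/Java style) cross-domain policy file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"policy file is not well-formed XML: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element {root.tag!r}"]
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read responses with the user\'s cookies')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain={domain!r}: every subdomain is trusted")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain={domain!r} secure="false": plain-HTTP origins may read HTTPS data')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site may send custom request headers')
    return findings

# Constructed samples: the weak policy from the slide, and a response without X-Frame-Options.
WEAK_POLICY = """<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS) + check_cross_domain_policy(WEAK_POLICY):
        print(finding)
```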
22. Session Management
• Test that the session is invalidated when the user logs out
• The session ID is sent in an HTTP cookie or header and is never disclosed in URLs
• Test that the session ID is changed when the user performs a critical action
– Login, logout
– Password changing
– Session expiration, reauthentication
OWASP ASVS project
25. Bibliography
1. Vladimir Kochetkov. How to Develop a Secure Web Application and Stay in Mind?
2. OWASP Testing Guide v4
3. The Building Security In Maturity Model
4. Qualys SSL LABS
5. SSL/TLS Checklist for Pentesters
6. Sergey Shekyan. Testing Web Servers for Slow HTTP Attacks
7. Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
8. Sergey Belov. Show Me Impact
9. Frederik Braun and Mario Heiderich. X-Frame-Options: All about Clickjacking?
10. Guidelines for Setting Security Headers
11. Sergey Bobrov. Yet Another Vulnerability in Facebook