Security Testing


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Security Testing

  1. 1. Security Testing <ul><li>Software quality assurance has often focused on identifying problems that are caused without intention. </li></ul><ul><ul><li>Does the application behave as expected in terms of functionality, performance, capacity, etc.? </li></ul></ul><ul><ul><li>Does the application do what it should do? </li></ul></ul><ul><li>A secure application must be able to deal with someone who is intentionally trying to exploit a vulnerability. </li></ul><ul><ul><li>Does the application do what it shouldn’t do? </li></ul></ul>
  2. 2. Objectives <ul><li>Focus on vulnerabilities to unauthorized access or manipulation </li></ul><ul><li>Objective: identify any vulnerabilities and protect a system. </li></ul><ul><ul><li>Data </li></ul></ul><ul><ul><ul><li>Integrity </li></ul></ul></ul><ul><ul><ul><li>Confidentiality </li></ul></ul></ul><ul><ul><ul><li>Availability </li></ul></ul></ul><ul><ul><li>Network computing resources </li></ul></ul>
  3. 3. Examples of security objectives <ul><li>Verify that errors are handled correctly so that the program safely recovers from erroneous input. </li></ul><ul><li>Verify that cross-site browser scripting is not possible. </li></ul><ul><li>Verify that user input provided through a web form will not allow direct execution of SQL statements on a database supporting the application. </li></ul><ul><li>Verify that exceeding a nominal buffer size does not allow the installation of malicious code. </li></ul><ul><li>Verify that private data is protected while in transit or being stored. </li></ul><ul><li>Verify access controls </li></ul>
  4. 4. Strategy for security tests <ul><li>Ensure that “attack” use cases – malicious use of system resources – are part of the test campaign. </li></ul><ul><li>Ensure that security is part of the development strategy. </li></ul><ul><li>Model threat possibilities, and use the outcome of the analysis. </li></ul><ul><li>Items identified as the greatest risk should be the focus of testing. </li></ul><ul><li>When illegal input is permitted, attempt to create inputs that deliberately cause a program fault to see if the application can enter an unanticipated state. </li></ul>
  5. 5. A system’s “attack surface” <ul><li>The “attack surface” of a system are the interface points where a user may gain access to application resources: </li></ul><ul><ul><li>Application programming interfaces (APIs) </li></ul></ul><ul><ul><li>Pipes, shared memory, sockets </li></ul></ul><ul><ul><li>Network ports </li></ul></ul><ul><ul><li>Files: permanent and temporary </li></ul></ul><ul><ul><li>Other OS resources: registries, etc. </li></ul></ul>
  6. 6. Common Vulnerabilities <ul><li>Poor use of cryptography </li></ul><ul><li>Tracking of users and their permissions </li></ul><ul><li>Flawed input validation </li></ul><ul><li>Weak structural security </li></ul><ul><li>Programming language implementation issues </li></ul><ul><li>Platform implementation issues </li></ul><ul><li>Generic application security issues </li></ul><ul><li>Development process issues </li></ul><ul><li>Weak deployment </li></ul>
  7. 7. Poor choice of cryptography <ul><li>Unless you are an expert in the field, do not attempt to implement encryption yourself. Use an approved library that has been tested thoroughly . </li></ul><ul><li>Be sure you are familiar with the algorithms you are using, and on what basis their security rests. </li></ul><ul><li>Do not rely on “security by obscurity” where a flaw is believed to be hidden. </li></ul><ul><li>Hard-coded passwords, even if camouflaged by XORs, etc, are not secure. </li></ul><ul><li>Sensitive information – including personal information – should not be put in a position where it could be read externally, and it should be present only when necessary: </li></ul><ul><ul><li>temporary files </li></ul></ul><ul><ul><li>logs </li></ul></ul>
  8. 8. Tracking of Users and their Permissions <ul><li>Authentication </li></ul><ul><ul><li>Clients must prove their validity before allowing access to sensitive information. </li></ul></ul><ul><ul><li>Prevent password cracking via brute force or guessing. </li></ul></ul><ul><li>Session management </li></ul><ul><ul><li>For client access, ensure that a unique, non-guessable session identifier is used, and that it is encrypted. </li></ul></ul><ul><li>Authorization </li></ul><ul><ul><li>Ensure that clients can perform only the minimum functions needed for what they need to do. </li></ul></ul>
  9. 9. Flawed Input Validation <ul><li>This is the most common cause of security issues. </li></ul><ul><li>Any input provided by the user, or received from any external source, needs to be thoroughly validated. </li></ul><ul><li>Validation in a secure context </li></ul><ul><ul><li>While validation at the client (e.g. JavaScript in a browser) is faster, it is not secure. </li></ul></ul><ul><li>Centralized validation </li></ul><ul><ul><li>If validation is distributed throughout an application, it is harder to check for correctness, and often easier to bypass. </li></ul></ul><ul><ul><li>Perform as close to user input as possible, without compromising location (see previous point). </li></ul></ul><ul><li>Secure component boundaries </li></ul><ul><ul><li>At any external component boundary – databases, sockets, etc. – communication must either be authenticated, or input values checked. </li></ul></ul><ul><ul><li>Often, internal input interfaces – even if there is external exposure – are assumed to produce correct input. </li></ul></ul>
  10. 10. Weak Structural Security <ul><li>Large attack surface </li></ul><ul><ul><li>More external connections decreases security </li></ul></ul><ul><ul><ul><li>Use of many communication ports, files, etc. </li></ul></ul></ul><ul><ul><li>If input undergoes a large amount of processing before authentication, authorization, and validation, a larger range of input could be flawed. </li></ul></ul><ul><li>Running a process at too high a privilege level </li></ul><ul><ul><li>Daemon processes running at system/administrator privilege level can be exploited to gain access to system resources. </li></ul></ul><ul><li>No defence in depth </li></ul><ul><ul><li>Use multiple layers of security, so that if one fails, another layer may prevent a security breach. </li></ul></ul><ul><li>Not failing securely </li></ul><ul><ul><li>Error handling is often not as well designed or tested. </li></ul></ul><ul><ul><li>Error message could give away sensitive information. </li></ul></ul>
  11. 11. Other design flaws <ul><li>Mixing code and data </li></ul><ul><ul><li>Sending a JavaScript input validation routine to a browser, which could be modified by a user. </li></ul></ul><ul><ul><li>Writing SQL statements directly from user input. </li></ul></ul><ul><li>Misplaced trust in external systems </li></ul><ul><ul><li>Assumption is that if input is computer generated, it will be correct. </li></ul></ul><ul><li>Insecure default values </li></ul><ul><ul><li>Many systems get deployed with default values, so the default configuration should be especially secure. </li></ul></ul><ul><li>No audit logs </li></ul><ul><ul><li>Provide capability to locate and trace security breaches. </li></ul></ul>
  12. 12. Compiled language issues <ul><li>Buffer/array overflows </li></ul><ul><ul><li>No checking of string or array lengths in C/C++. </li></ul></ul><ul><ul><li>Buffer overruns can put return addresses on program stack. </li></ul></ul><ul><ul><li>Mismatch of format codes (e.g. %d ) and variables in printf type statements </li></ul></ul><ul><li>Integer type overflows </li></ul><ul><li>Heap overflows </li></ul><ul><li>Function pointer overwriting </li></ul>
  13. 13. Interpreted/Script language issues <ul><li>Metacharacters (e.g. ; | ) with special meanings </li></ul><ul><ul><li>User inputs may include metacharacters that affect script operations. </li></ul></ul><ul><li>Script command injection </li></ul><ul><ul><li>Creation of user input that will get executed as a script. </li></ul></ul><ul><ul><li>Perl example, Unix system: </li></ul></ul><ul><ul><ul><li>Command: [user input to variable $to ] </li></ul></ul></ul><ul><ul><ul><li>/usr/lib/sendmail $to </li></ul></ul></ul><ul><ul><ul><li>User enters: </li></ul></ul></ul><ul><ul><ul><li>; rm –rf /; </li></ul></ul></ul><ul><li>Automatically created variables </li></ul><ul><ul><li>Variables are created as needed, but often variables can also be entered via command line arguments or URLs. </li></ul></ul>
  14. 14. Virtual Machine Languages <ul><li>Poor exception handling </li></ul><ul><ul><li>Exception in secure part of code may transfer control to insecure part of code. </li></ul></ul><ul><li>Native code </li></ul><ul><ul><li>Virtual machine cannot check native code. </li></ul></ul>
  15. 15. Platform Issues <ul><li>Directory traversal from URLs </li></ul><ul><ul><li>The last part of a URL is interpreted by web servers as a directory traversal from a root directory for the web application. </li></ul></ul><ul><ul><li>Enter a URL that ends with something like </li></ul></ul><ul><li>Symbolic links </li></ul><ul><ul><li>If an application accesses a file, a symbolic link may allow an attacker to redirect to a file of their choice. </li></ul></ul><ul><ul><li>If an application is known to delete a file with a specific name, a symbolic link may allow an attacker to delete files arbitrarily. </li></ul></ul><ul><li>Character encoding conversions </li></ul><ul><ul><li>You might check for the character / in the above input to prevent directory traversal, but with URLs, the following are also interpreted as a / : %2f, %255c, %c0%af </li></ul></ul>
  16. 16. Generic application security issues <ul><li>Cross-site scripting </li></ul><ul><ul><li>Using user input to get script code from another site to be executed on a site which already has a valid session id / cookie. </li></ul></ul><ul><ul><li>Retrieving session identifiers or cookies from a valid session, and using them to hijack the session. </li></ul></ul>
  17. 17. Generic application security issues <ul><li>SQL Injection </li></ul><ul><li>Security attack consisting of: </li></ul><ul><ul><li>Entering unexpected SQL code in a form in order to manipulate a database in unanticipated ways </li></ul></ul><ul><ul><li>Attacker’s expectation: back processing is supported by SQL database </li></ul></ul><ul><li>Caused by: </li></ul><ul><ul><li>The ability to string multiple SQL statements together and to execute them in a batch </li></ul></ul><ul><ul><li>Using text obtained from user interface directly in SQL statements. </li></ul></ul>
  18. 18. SQL injection example <ul><li>Designer intends to complete this SQL statement with values obtained from two user interface fields. </li></ul><ul><ul><li>SELECT * FROM bank </li></ul></ul><ul><ul><li>WHERE LOGIN = '$id' AND PASSWORD = '$password' </li></ul></ul><ul><li>Malicious user enters: </li></ul><ul><ul><li>Login = ADMIN </li></ul></ul><ul><ul><li>And </li></ul></ul><ul><ul><li>Password = anything' OR 'x'='x </li></ul></ul><ul><li>Result: </li></ul><ul><ul><li>SELECT * FROM bank </li></ul></ul><ul><ul><li>WHERE LOGIN = 'ADMIN' AND PASSWORD = 'anything' OR 'x'='x ' </li></ul></ul>
  19. 19. Development Process Issues <ul><li>Poor communication and documentation </li></ul><ul><ul><li>Developer of one code section does not document all assumptions made by the code, which is needed for other developers to use the code. </li></ul></ul><ul><ul><li>Lack of security standards </li></ul></ul><ul><ul><li>Reactive security: patches are made only when problems found in field </li></ul></ul>
  20. 20. Weak deployment <ul><li>Assumption that internal files and registry entries will not be tampered with. </li></ul><ul><li>Assumption that configuration file is always created by the system, and that it is well-formed. </li></ul><ul><li>Running software at unnecessarily high privilege level </li></ul><ul><li>Default settings are insecure </li></ul><ul><ul><li>Example: well known root password is default at installation, and user is not forced to change it. </li></ul></ul>
  21. 21. Web Application Security <ul><li>Source: OWASP Testing Guide, version 2.0, available from </li></ul><ul><ul><li>OWASP: Open Web Application Security Project </li></ul></ul><ul><li>Advocates combination of automated and manual approaches: use tools but know their strengths and limitations. </li></ul><ul><li>Four elements: </li></ul><ul><ul><li>Manual inspection and reviews </li></ul></ul><ul><ul><li>Threat modelling </li></ul></ul><ul><ul><li>Code review </li></ul></ul><ul><ul><li>Penetration testing </li></ul></ul><ul><ul><ul><li>Most of what follows is for this element. </li></ul></ul></ul>
  22. 22. Phases of penetration testing <ul><li>Steps: </li></ul><ul><ul><li>Information gathering </li></ul></ul><ul><ul><li>Business logic testing </li></ul></ul><ul><ul><li>Authentication testing </li></ul></ul><ul><ul><li>Session management testing </li></ul></ul><ul><ul><li>Data validation testing </li></ul></ul><ul><ul><li>Denial of service testing </li></ul></ul><ul><ul><li>Web service / AJAX testing </li></ul></ul>
  23. 23. Information gathering <ul><li>Fingerprinting: is it possible to identify the type of web server? </li></ul><ul><li>Spidering (Googling): attempt to find direct entry pages via URLs. </li></ul><ul><li>Error messages: do they give away information such as... </li></ul><ul><ul><li>server, operating system, etc. </li></ul></ul><ul><ul><li>presence of a database, specific DB used </li></ul></ul><ul><ul><li>when something is “not found”, what was being searched </li></ul></ul><ul><li>File extensions in URLs: indicating technology used </li></ul><ul><ul><li>Example: .jsp  Java server pages </li></ul></ul>
  24. 24. Fingerprinting <ul><li>The HTTP reply contents and format yield enough information to identify the system and software: </li></ul><ul><li>Example: request to various servers is HEAD / HTTP/1.0 </li></ul><ul><li>Reply from an Apache server: </li></ul><ul><ul><li>HTTP/1.1 200 OK Date: Sun, 15 Jun 2003 17:10: 49 GMT Server: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT ETag: 32417-c4-3e5d8a83 Accept-Ranges: bytes Content-Length: 196 Connection: close Content-Type: text/HTML </li></ul></ul><ul><li>Reply from a Microsoft server: </li></ul><ul><ul><li>HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Expires: Tue, 17 Jun 2003 01:41: 33 GMT Date: Mon, 16 Jun 2003 01:41: 33 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Wed, 28 May 2003 15:32: 21 GMT ETag: b0aac0542e25c31: 89d Content-Length: 7369 </li></ul></ul>
  25. 25. Error message analysis <ul><li>Send badly formed messages and see what can be learned from the responses </li></ul><ul><li>From an HTTP “404 not found” response: </li></ul><ul><li>Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80 </li></ul><ul><ul><li>Server type, operating system, software versions, PHP scripting,... </li></ul></ul><ul><li>From a malformed database connect command: </li></ul><ul><li>Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver] General error Unable to open registry key 'DriverId' </li></ul><ul><ul><li>Database, vendor, database type, ODBC driver, name of a registry key, ... </li></ul></ul>
  26. 26. Business Logic Testing <ul><li>This type of testing has to be specific for an application. </li></ul><ul><li>Some general elements </li></ul><ul><ul><li>Use cases </li></ul></ul><ul><ul><li>Abuse cases </li></ul></ul><ul><ul><li>Business scenarios: browsing, searching, ordering, checkout </li></ul></ul><ul><ul><li>Workflow scenarios: order creation and processing </li></ul></ul><ul><ul><li>Differing user roles: customer, administrator </li></ul></ul><ul><ul><ul><li>Access rights and privileges </li></ul></ul></ul>
  27. 27. Authentication Testing (1) <ul><li>Test for default or guessable userid-password combinations </li></ul><ul><ul><li>default administrator account </li></ul></ul><ul><ul><li>password dictionary </li></ul></ul><ul><li>Test for scenarios that may bypass authentication entirely: </li></ul><ul><ul><li>Direct page requests </li></ul></ul><ul><ul><li>Guessing session identifiers </li></ul></ul><ul><ul><li>URL parameter modification: </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><ul><li>change to: </li></ul></ul></ul><ul><ul><ul><li> </li></ul></ul></ul>
  28. 28. Authentication Testing (2) <ul><li>Directory traversal: test that a user cannot travel outside of an application’s folder structure. </li></ul><ul><ul><li>Example: </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><ul><ul><li>Goes to the application root folder and then returns the file file1.html in that folder. </li></ul></ul></ul></ul><ul><ul><li>Try (if it is known that the server is Unix/Linux based) to obtain password file : </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><li>Test password reset functions: </li></ul><ul><ul><ul><li>Can the secret question answer be guessed? </li></ul></ul></ul><ul><ul><ul><ul><li>Example: make of first car: there are only so many car models... </li></ul></ul></ul></ul><ul><li>Test for post-logout session access: </li></ul><ul><ul><li>Use of a previously valid cookie </li></ul></ul><ul><ul><li>Back button on browser </li></ul></ul>
  29. 29. Session management testing <ul><li>How is a session identified? </li></ul><ul><ul><li>Possibilities: cookie, session ID, hidden field </li></ul></ul><ul><ul><li>Are the identifiers... </li></ul></ul><ul><ul><ul><li>decodable? (i.e. they were encrypted insecurely from something like a user name) </li></ul></ul></ul><ul><ul><ul><li>reusable? </li></ul></ul></ul><ul><ul><ul><li>predictable? </li></ul></ul></ul><ul><li>Can valid cookies be generated by a user? </li></ul><ul><li>Are session variables exposed? </li></ul><ul><ul><li>Example: generating a new session ID for a secure transaction (via https:// ) that is then sent over an insecure channel (via http:// ) </li></ul></ul>
  30. 30. Data validation testing - Injection <ul><li>Using the following as entered data in an attempt to inject into code: </li></ul><ul><ul><li>Script language (e.g. JavaScript, PHP) commands </li></ul></ul><ul><ul><li>Operating system commands </li></ul></ul><ul><ul><li>Programming language code </li></ul></ul><ul><ul><li>SQL statements </li></ul></ul><ul><ul><ul><li>Object-relational mapping tool (e.g. Hibernate, Toplink) commands </li></ul></ul></ul><ul><ul><li>Directory access protocol (e.g. LDAP) commands </li></ul></ul><ul><ul><li>XML data / XPath queries </li></ul></ul><ul><ul><li>E-mail protocol (e.g. IMAP, SMTP) commands </li></ul></ul>
  31. 31. Data Validation Testing - Overflow <ul><li>Attempt to overflow and/or corrupt (usually with large input) </li></ul><ul><ul><li>Input buffers </li></ul></ul><ul><ul><li>Stack </li></ul></ul><ul><ul><ul><li>can overwrite instruction pointers </li></ul></ul></ul><ul><ul><li>Heap </li></ul></ul><ul><ul><ul><li>creation of too many objects </li></ul></ul></ul><ul><ul><li>Format strings </li></ul></ul><ul><ul><ul><li>mismatch of format codes and parameters in printf() type statements. </li></ul></ul></ul>
  32. 32. Denial of service testing <ul><li>Denial of service: arranging that legitimate customers are not able to perform transactions. </li></ul><ul><li>Example: </li></ul><ul><ul><li>A host is supposed to respond to an internet control management protocol (ICMP) “echo” message by sending an “echo reply”. </li></ul></ul><ul><ul><li>Messages are intended for use as network diagnostics to confirm connectivity. </li></ul></ul><ul><ul><li>Overwhelming a server with “echo” messages so that incoming message queues are too full to accept regular connection requests effectively puts the system out of service. </li></ul></ul>
  33. 33. Denial of service scenarios <ul><li>Locking customers out of their accounts </li></ul><ul><ul><li>repeated incorrect login attempts on a valid userid </li></ul></ul><ul><ul><li>being able to reset passwords (e.g. from the secret questions) </li></ul></ul><ul><li>Incoming message buffer overflow: </li></ul><ul><ul><li>connection requests, echo messages </li></ul></ul><ul><li>User can indirectly cause the following to happen an arbitrary number of times: </li></ul><ul><ul><li>object creation </li></ul></ul><ul><ul><li>loop execution </li></ul></ul><ul><ul><li>write to disk (e.g. log files) </li></ul></ul><ul><li>Failure to release resources (e.g. database connections) </li></ul><ul><li>Too much session data </li></ul>
  34. 34. Web services testing <ul><li>XML parsing </li></ul><ul><ul><li>malformed XML may throw exceptions </li></ul></ul><ul><ul><li>long XML may cause parsing delays or (if DOM parsing is used) memory issues </li></ul></ul><ul><li>URL parameters written into XML </li></ul><ul><li>String content can include system commands, SQL statements, ... </li></ul><ul><li>SOAP with attachments: malicious code in the attachment </li></ul><ul><li>Replay attacks: capture a legitimate session and replay it. </li></ul><ul><li>AJAX: </li></ul><ul><ul><li>service endpoint discovery </li></ul></ul><ul><ul><li>modification of JavaScript sent to browser </li></ul></ul>
  35. 35. Tool resources <ul><li>Debuggers </li></ul><ul><li>File handler locators: show OS resources used </li></ul><ul><ul><li>Example: “Process Explorer” for Windows identifies resources such as registry keys, sockets, named pipes, shared memory, etc. used by an application. </li></ul></ul><ul><li>Fingerprinters: determine software used from response formats. </li></ul><ul><li>Sniffers: observe network protocol messages </li></ul><ul><li>Fuzzers: generate malformed inputs </li></ul><ul><li>Proxies: intercept messages between client and server (or vice versa), and possibly modify them. </li></ul><ul><li>Password cracking tools: </li></ul><ul><ul><li>Identify potentially insecure passwords before they can be exploited. </li></ul></ul>
  36. 36. Windows ProcessExplorer
  37. 37. Setting up a test lab <ul><li>Arrange for an isolated network </li></ul><ul><ul><li>Need to be able to control all aspects of an attack. </li></ul></ul><ul><ul><li>Arrange to instrument software on both client and server machines with tools such as Process Explorer. </li></ul></ul><ul><ul><li>Security failures cannot be propagated to public network. </li></ul></ul><ul><li>Need to be able to generate arbitrary network traffic. </li></ul><ul><li>Use default, or most popular, installation of software. </li></ul><ul><li>Install proxies to be able to modify network traffic generated by client or server. </li></ul><ul><li>Custom client can generate malicious traffic to server. </li></ul>
  38. 38. Port discovery <ul><li>Identify ports used by an application. </li></ul><ul><li>Example: use netstat command on Windows or Unix. </li></ul><ul><li>Proto Local Address Foreign Address State </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP ESTABLISHED </li></ul><ul><li>TCP ESTABLISHED </li></ul><ul><li>TCP TIME_WAIT </li></ul><ul><li>TCP LISTENING </li></ul><ul><li>TCP CLOSE_WAIT </li></ul><ul><li>TCP CLOSE_WAIT </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul><ul><li>UDP *:* </li></ul>
  39. 39. Port scanning <ul><li>Port scanners are available that will attempt to discover open ports on a system. </li></ul><ul><li>When an open port is discovered, various test messages can be sent to the port, and the exact format and content of the reply can be used to identify the exact version of an operating system on the machine. </li></ul><ul><li>Example of this type of tool: </li></ul><ul><ul><li>nmap , available at </li></ul></ul>
  40. 40. Sniffers <ul><li>Tools that can observe network protocol messages. </li></ul><ul><li>Typically, a sniffer tool turns sets the Ethernet interface card in “promiscuous” mode, where frames broadcast on the network are not filtered by the interface. </li></ul><ul><ul><li>Result: all frames on a local area network can be captured and analyzed. </li></ul></ul><ul><li>If the tool is aware of protocol message format, it can also interpret the field values. </li></ul><ul><li>Useful for diagnosing network problems. </li></ul><ul><ul><li>Example: configuration where two hosts use same address. </li></ul></ul><ul><li>For security testing, they can be used for: </li></ul><ul><ul><li>Capturing field values of authenticated sessions. </li></ul></ul><ul><ul><li>Observing the effects of attack messages. </li></ul></ul>
  41. 41. Sniffer tools <ul><li>Example: Wireshark (ex. Ethereal) </li></ul><ul><ul><li>Open source protocol analyzer available from </li></ul></ul><ul><ul><li>Version 1.0.0 available Mar. 31/08 </li></ul></ul><ul><ul><li>Features </li></ul></ul><ul><ul><ul><li>Capture live packet data from a network interface. </li></ul></ul></ul><ul><ul><ul><li>Display packets with detailed protocol information. </li></ul></ul></ul><ul><ul><ul><li>Packet filter and search </li></ul></ul></ul>
  42. 42. Sample Wireshark session
  43. 43. Proxies <ul><li>A proxy passes messages between a client and a server, or vice versa. </li></ul><ul><ul><li>Proxy can intercept, or modify, messages that pass by. </li></ul></ul><ul><li>Malicious proxy could use client credentials to create its own session on a server. </li></ul>Client Server Proxy
  44. 44. Proxy example: WebScarab <ul><li>Available from OWASP: </li></ul><ul><li>Use: </li></ul><ul><ul><li>Proxy runs on a selected port (8008 by default) </li></ul></ul><ul><ul><li>Set browser to use this port as a proxy on the local host. </li></ul></ul><ul><ul><li>WebScarab will then record (and potentially modify) traffic that passes through in both directions. </li></ul></ul>
  45. 45. WebScarab features <ul><li>Proxy - observes traffic between the browser and the web server. </li></ul><ul><ul><li>Able to observe both HTTP and encrypted HTTPS traffic, by negotiating an SSL connection between WebScarab and the browser instead of simply connecting the browser to the server and allowing an encrypted stream to pass through it. </li></ul></ul><ul><li>Manual intercept </li></ul><ul><ul><li>Allows the user to modify HTTP and HTTPS requests and responses on the fly, before they reach the server or browser. </li></ul></ul><ul><li>Beanshell </li></ul><ul><ul><li>Allows for the execution of arbitrarily complex operations on requests and responses. Anything that can be expressed in Java can be executed. </li></ul></ul>
  46. 46. WebScarab features <ul><li>Reveal hidden fields. </li></ul><ul><li>Bandwidth simulator </li></ul><ul><ul><li>Allows the user to emulate a slower network, in order to observe how their website would perform when accessed over, say, a modem. </li></ul></ul><ul><li>Spider </li></ul><ul><ul><li>Identifies new URLs on the target site, and fetches them on command. </li></ul></ul><ul><li>Manual request </li></ul><ul><ul><li>Allows editing and replay of previous requests, or creation of entirely new requests. </li></ul></ul>
  47. 47. Proxy example: WebScarab <ul><li>SessionID analysis </li></ul><ul><ul><li>Collects and analyses a number of cookies (and eventually URL-based parameters too) to visually determine the degree of randomness and unpredictability. </li></ul></ul><ul><li>Parameter fuzzer </li></ul><ul><ul><li>Performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection. </li></ul></ul><ul><li>Search for items in responses, and compare with previous reponses </li></ul>
  48. 48. Proxy example: WebScarab <ul><li>SOAP </li></ul><ul><ul><li>Plugin that parses WSDL, and presents the various functions and the required parameters, allowing them to be edited before being sent to the server. </li></ul></ul><ul><li>Extensions </li></ul><ul><ul><li>Automates checks for files that were mistakenly left in web server's root directory (e.g. .bak , ~ , etc). </li></ul></ul><ul><ul><li>Checks are performed for both, files and directories (e.g. /app/login.jsp will be checked for /app/login.jsp.bak , /app/login.jsp~ , / , /app.tar.gz , etc). </li></ul></ul><ul><ul><li>Extensions for files and directories can be edited by user. </li></ul></ul><ul><li>Passive analysis plugin that searches for user-controlled data in HTTP response headers and body </li></ul>
  49. 49. WebScarab: Message summary
  50. 50. WebScarab: Message Details
  51. 51. WebScarab - Spider
  52. 52. Fuzzers <ul><li>Tool objective: take correct input and perform various modifications to generate incorrect input. </li></ul><ul><li>Original correct request: </li></ul><ul><li>Enumeration: </li></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul><ul><li>Replacive fuzzing </li></ul><ul><ul><li>Cross-site scripting: </li></ul></ul><ul><ul><li>>&quot;><script>alert(&quot;XSS&quot;)</script>& </li></ul></ul><ul><li>Format string errors </li></ul><ul><li>Integer overflows </li></ul><ul><li>-1, 0, 0x100, 0x1000, 0x3fffffff, 0x7ffffffe, 0x7fffffff, 0x80000000, 0xfffffffe, 0xffffffff, 0x10000, 0x100000 </li></ul>
  53. 53. Fuzzers <ul><li>SQL injection </li></ul><ul><ul><li>' OR 1=1— </li></ul></ul><ul><ul><li>OR 1=1 </li></ul></ul><ul><ul><li>' OR '1'='1 </li></ul></ul><ul><ul><li>; OR '1'='1‘ </li></ul></ul><ul><ul><li>INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123')) </li></ul></ul><ul><ul><li>GRANT CONNECT TO name; GRANT RESOURCE TO name; </li></ul></ul><ul><li>XML injection </li></ul><ul><ul><li><![CDATA[<script>var n=0;while(true){n++;}</script>]]> </li></ul></ul><ul><ul><li><?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> </li></ul></ul>