
BruCon 2011 Lightning talk winner: Web app testing without attack traffic

1. Web app testing without attack traffic
    Abraham Aranguren, @7a_, abraham.aranguren@gmail.com, http://7-a.org

2. Intro
    33% (22 out of 66) of the tests in the OWASP Testing Guide can be legally* performed, at least partially, without permission.
    * Except in Spain, where visiting a page can be illegal ☺

3. Legend
    Ethics/scope legend:
    [P]   No permission needed: no attack traffic
    [!]   Mild attack traffic / could break things
    [!!]  You better have written permission
    Vulnerable vs. not vulnerable legend: Vulnerable / Not Vulnerable

4. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) [P]
    $ wget http://www.google.com/robots.txt
    Found: analyse the entries. Not found: is indexing required?

5. Testing: Search engine discovery / reconnaissance (OWASP-IG-002) [P]
    Google: site:target.com filetype: inurl:
    Metadata, DNS, Whois, company info, staff, etc.

6. Testing: Identify application entry points (OWASP-IG-003) [P]
    Use a proxy and JUST browse the site. Let the proxy log ALL requests. Understand the site.
    Chain ratproxy to your proxy for cool ideas ☺

7. Testing for Web Application Fingerprint (OWASP-IG-004) [P]
    Get the banner:
    $ curl -i -A "Mozilla" http://target.com | more

8. Testing for SSL-TLS (OWASP-CM-001) [P]
    No traffic..

9. Testing for Admin Interfaces (OWASP-CM-007) [P]
    3rd party stuff in .NET ViewState, headers, .. Telerik.Web.UI?? Google it!

10. Testing for Admin Interfaces (OWASP-CM-007), continued [P]
    Google for default passwords

11. Testing for Admin Interfaces (OWASP-CM-007), continued [!!]

12. Testing for Admin Interfaces (OWASP-CM-007), continued [!!]

13. Testing for HTTP Methods and XST (OWASP-CM-008) [P]
    An OPTIONS request is quite normal:
    $ curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com
    HTTP/1.1 200 OK
    Date: Tue, 09 Aug 2011 13:38:43 GMT
    Server: Apache/2.0.63 (Unix)
    Allow: GET,HEAD,POST,OPTIONS,TRACE
    Content-Length: 0
    Connection: close
    Content-Type: text/plain; charset=UTF-8

14. Testing for credentials transport (OWASP-AT-001) [P]
    Is the login page on "http" instead of "https"?

15. Testing for Default or Guessable User Account (OWASP-AT-003) [P]
    Analyse the username(s) they gave you to test:
    Username based on numbers? USER12345
    Username based on public info (i.e. names, surnames, ..)? name.surname

16. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) [P]
    Is autocomplete set to off? <form autocomplete="off"> or <input autocomplete="off">
    Look at the questions or fields in the password reset form

17. Testing for Logout and Browser Cache Management (OWASP-AT-007) [P]
    Easy test: Login + Logout + Back button
    Or no caching headers / not expiring session cookie:
    HTTP/1.1 200 OK
    Date: Tue, 09 Aug 2011 13:38:43 GMT
    Server: .
    X-Powered-By: .
    Connection: close
    Content-Type: text/html; charset=UTF-8

18. Testing for Captcha (OWASP-AT-008) [P]
    Can be done offline: download the image and try to break it.
    Look for signs of weak third party components. PWNtcha - captcha decoder

19. Testing for Session Management Schema (OWASP-SM-001) [P]
    Examine cookies for weaknesses offline
    Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
    Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412?
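Offline cookie analysis of the kind slide 19 describes, as an added example (not the speaker's code): it decodes the slide's base64 sample, splits it into fields, recognises hash-shaped tokens, and checks whether a guessed plaintext reproduces an observed unsalted MD5. The SAMPLE_COOKIE value is the one on the slide; everything else is constructed here.

```python
import base64
import binascii
import hashlib
import re

# The base64 cookie value shown on the slide (OWASP Testing Guide sample, not a live token).
SAMPLE_COOKIE = "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="


def try_base64(value: str):
    """Return the decoded text if value is strict base64 holding printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def inspect_token(value: str) -> dict:
    """Offline checks on one session token: decodability, colon-separated fields, hash shape."""
    findings = {"decoded": None, "fields": [], "looks_like_hash": None}
    decoded = try_base64(value)
    if decoded is not None:
        findings["decoded"] = decoded
        # Cleartext user, host or password inside the token is itself a finding.
        findings["fields"] = decoded.split(":")
    if re.fullmatch(r"[0-9a-f]{32}", value.lower()):
        findings["looks_like_hash"] = "md5"
    elif re.fullmatch(r"[0-9a-f]{40}", value.lower()):
        findings["looks_like_hash"] = "sha1"
    return findings


def hash_matches(candidate: str, observed_hex: str) -> bool:
    """True if an unsalted MD5 of a guessed plaintext reproduces the observed token."""
    return hashlib.md5(candidate.encode()).hexdigest() == observed_hex.lower()
```

A token that decodes to readable fields, or that an unsalted hash of predictable data reproduces, is the weakness the slide is looking for; both checks run entirely offline against the cookie you were issued.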
20. Testing for cookies attributes (OWASP-SM-002) [P]
    Secure: not set = no https
    HttpOnly: not set = cookies stealable via JS
    Domain: set properly
    Path: set to the right /sub-application
    Expires: set reasonably
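A passive review of one captured response, as an added example (not the speaker's code) covering slides 13, 17 and 20: it parses the raw headers of a constructed response modelled on the slides' curl output and reports TRACE in Allow, absent caching headers, and Set-Cookie lines missing Secure or HttpOnly. SAMPLE_RESPONSE and the finding texts are constructed here.

```python
# Constructed sample response modelled on the slides' curl output; not from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Server: Apache/2.0.63 (Unix)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/\r\n"
    "Set-Cookie: prefs=dark; Secure; HttpOnly; Path=/app\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response into lower-cased (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the empty line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def review_response(raw: str, over_https: bool = True) -> list:
    """Passive checks from the slides: TRACE in Allow, caching headers, cookie flags."""
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []
    for allow in values("allow"):
        if "TRACE" in {m.strip().upper() for m in allow.split(",")}:
            findings.append("TRACE allowed: cross-site tracing possible (OWASP-CM-008)")
    if not any(values(h) for h in ("cache-control", "pragma", "expires")):
        findings.append("no caching headers: content may stay in the browser cache (OWASP-AT-007)")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        # Attribute names after the first "; " (Secure, HttpOnly, Path=...), case-insensitive.
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append(f"cookie {name}: Secure missing, can be sent over http (OWASP-SM-002)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: HttpOnly missing, readable from JavaScript (OWASP-SM-002)")
    return findings
```

The sample yields four findings: TRACE, no caching headers, and both flags missing on PHPSESSID, while the prefs cookie passes; pass over_https=False for a plain-http capture so the Secure check is skipped.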
21. Testing for Session Fixation (OWASP-SM-003) [P]
    Session ID NOT changed after login = Vuln
    Before login, PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
    After login, PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c

22. Testing for Exposed Session Variables (OWASP-SM-004) [P]
    Session ID: in URL, in POST, in HTML

23. Testing for CSRF (OWASP-SM-005) [P]
    Look at the HTML code:
    No anti-CSRF token = Vulnerable
    Anti-CSRF token = wait for ACTIVE testing ☺

24. Testing for Bypassing Authorization Schema (OWASP-AZ-002)
    Look at unauthenticated cross-site requests: [P]
    http://other-site.com/user=3&report=4 (Referer: site.com)
    Change ids in the application: [!]
    http://site.com/view_doc=4

25. Testing for DOM-based Cross site scripting (OWASP-DV-003) [P]
    Review JavaScript code on the page:
    <script> document.write("Site is at: " + document.location.href + "."); </script>

26. Testing for Cross site flashing (OWASP-DV-004) [P]
    Download and decompile Flash files:
    $ flare hello.swf
    Static / manual analysis

27. Testing: WS Information Gathering (OWASP-WS-001) [P]
    Google searches: inurl:wsdl site:example.com
    Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL
    Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/

28. Testing for WS Replay (OWASP-WS-007) [P]
    Similar to CSRF: is there an anti-replay token in the request/response?

29. Testing for file extensions handling (OWASP-CM-005) [!!]
    _some_ attack traffic but subtle. File uploads:
    If uploading .php or .asp, .html, .. is allowed by the app
    A valid GIF or JPG comment can be a valid PHP script, etc..
    Difference from attack to legit can be subtle
    File uploads are POST = 99% not logged

30. Testing for user enumeration (OWASP-AT-002) [!]
    Error messages, time differences

31. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) [!]
    Subtle: look for signs of output encoding:
    O'Brien -> O&apos;Brien
    O"Brien -> O&quot;Brien or O%22Brien
    Ted..> -> Ted..&gt; or Ted..%3E
    Ted..< -> Ted..&lt; or Ted..%3C
    Charset, etc..

32. Testing for SQL Injection (OWASP-DV-005) [!]
    Do you get a SQL error?
    Strings: O'Brien
    IDs: instead of "1" type "1l" or "1 l"

33. Thank you
    Abraham Aranguren, @7a_, abraham.aranguren@gmail.com, http://7-a.org
    Special thanks to: OWASP Testing Guide contributors, Mario Heiderich, Chris John Riley, Robin Wood
