BruCon 2011 Lightning talk winner: Web app testing without attack traffic

BruCon 2011 Lightning talk winner: An OWASP focused walk-through on what can be at least partially tested without permission in a web application

Published in: Technology, Design

  1. Web app testing without attack traffic. Abraham Aranguren, @7a_, abraham.aranguren@gmail.com, http://7-a.org
  2. Intro: 33% (22 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission.
     * Except in Spain, where visiting a page can be illegal ☺
  3. Legend. Ethics/Scope legend:
     P  = No permission needed: no attack traffic
     !  = Mild attack traffic / could break things
     !! = You better have written permission ..
     Vulnerable vs. Not Vulnerable legend: Vulnerable / Not Vulnerable
  4. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) [P]
     $ wget http://www.google.com/robots.txt
     Found: analyse the entries. Not found: is indexing required?
  5. Testing: Search engine discovery / reconnaissance (OWASP-IG-002) [P]
     Google: site:target.com filetype: inurl:
     Metadata, DNS, Whois, company info, staff, etc.
  6. Testing: Identify application entry points (OWASP-IG-003) [P]
     Use a proxy and JUST browse the site. Let the proxy log ALL requests. Understand the site.
     Chain ratproxy to your proxy for cool ideas ☺
  7. Testing for Web Application Fingerprint (OWASP-IG-004) [P]
     Get the banner:
     $ curl -i -A "Mozilla " http://target.com | more
  8. Testing for SSL-TLS (OWASP-CM-001) [P]
     No traffic ..
  9. Testing for Admin Interfaces (OWASP-CM-007) [P]
     3rd party stuff on .NET ViewState, headers, .. Telerik.Web.UI?? Google it!
  10. Testing for Admin Interfaces (OWASP-CM-007) - continued [P]
     Google for default passwords.
  11. Testing for Admin Interfaces (OWASP-CM-007) - continued [!!]
  12. Testing for Admin Interfaces (OWASP-CM-007) - continued [!!]
  13. Testing for HTTP Methods and XST (OWASP-CM-008) [P]
     An OPTIONS request is quite normal:
     curl -i -A Mozilla/5.0 -X OPTIONS * -k https://site.com
     HTTP/1.1 200 OK
     Date: Tue, 09 Aug 2011 13:38:43 GMT
     Server: Apache/2.0.63 (Unix)
     Allow: GET,HEAD,POST,OPTIONS,TRACE
     Content-Length: 0
     Connection: close
     Content-Type: text/plain; charset=UTF-8
  14. Testing for credentials transport (OWASP-AT-001) [P]
     Is the login page on "http" instead of "https"?
  15. Testing for Default or Guessable User Account (OWASP-AT-003) [P]
     Analyse the username(s) they gave you to test:
     Username based on numbers? USER12345
     Username based on public info (i.e. names, surnames, ..)? name.surname
  16. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) [P]
     Is autocomplete set to off? <form autocomplete="off"> or <input autocomplete="off">
     Look at the questions or fields in the password reset form.
  17. Testing for Logout and Browser Cache Management (OWASP-AT-007) [P]
     Easy test: Login + Logout + Back button.
     Or no caching headers / not expiring session cookie:
     HTTP/1.1 200 OK
     Date: Tue, 09 Aug 2011 13:38:43 GMT
     Server: .
     X-Powered-By: .
     Connection: close
     Content-Type: text/html; charset=UTF-8
  18. Testing for Captcha (OWASP-AT-008) [P]
     Can be done offline: download the image and try to break it.
     Look for signs of weak third party components. PWNtcha - captcha decoder.
  19. Testing for Session Management Schema (OWASP-SM-001) [P]
     Examine cookies for weaknesses offline.
     Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
     Hash: is a7656fafe94dae72b1e1487670148412 derived from owaspuser:192.168.100.1:?
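The offline cookie review of slide 19, as an added Python example (not part of the deck): it Base64-decodes a cookie value and reports readable plaintext, and checks whether a hex token is simply a digest of predictable fields such as the user name and client IP. The sample values are constructed in the style of the slide; the MD5 token is generated here rather than taken from the slide's hash, whose source is unknown.

```python
import base64
import binascii
import hashlib
import re
import string
from itertools import permutations

# Constructed samples in the style of slide 19 (not captured from any real site).
SAMPLE_B64_COOKIE = "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="
# A token built by hashing predictable data, the pattern the slide asks about.
SAMPLE_MD5_COOKIE = hashlib.md5(b"owaspuser:192.168.100.1:").hexdigest()

HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def decode_base64(value):
    """Return the decoded text if value is Base64 holding printable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in string.printable for c in text) else None


def guess_digest_source(value, known):
    """If value is a hex digest of some ':'-joined ordering of the known fields
    (with or without a trailing ':'), return (algorithm, source); else None."""
    algo = HEX_DIGEST_LENGTHS.get(len(value))
    if not algo or not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    for perm in permutations(known):
        for cand in (":".join(perm), ":".join(perm) + ":"):
            if hashlib.new(algo, cand.encode()).hexdigest() == value.lower():
                return algo, cand
    return None


def analyse_cookie_value(value, known=()):
    """Passive review of one session cookie value: plaintext-in-Base64 or predictable hash."""
    findings = []
    text = decode_base64(value)
    if text is not None:
        findings.append("base64 decodes to readable text: %r" % text)
        if re.search(r"\d{1,3}(\.\d{1,3}){3}", text):
            findings.append("decoded value contains an IP address")
    hit = guess_digest_source(value, known)
    if hit:
        findings.append("value is %s(%r): derived from predictable data" % hit)
    return findings
```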
  20. Testing for cookies attributes (OWASP-SM-002) [P]
     Secure: not set = no https
     HttpOnly: not set = cookies stealable via JS
     Domain: set properly
     Path: set to the right /sub-application
     Expires: set reasonably
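A single passive review of captured response headers, covering the checks of slides 13 (TRACE in Allow), 17 (no caching headers) and 20 (cookie attributes), as an added Python example that is not part of the deck. The two responses are constructed in the style of the slides; the Expires check compares the cookie's Expires with the response's own Date header so the review works on a stored capture.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample responses modelled on slides 13, 17 and 20 (not real captures).
OPTIONS_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE"""
LOGOUT_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; Path=/
Set-Cookie: remember=1; Domain=example.com; Path=/; Expires=Tue, 09 Aug 2016 13:38:43 GMT; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8"""


def parse_response(raw):
    """Return (status line, [(lowercase header name, value), ...]) from raw header text."""
    lines = raw.strip().splitlines()
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers


def cookie_attrs(set_cookie):
    """Split 'name=value; Attr; Attr=val' into (cookie name, {lowercase attr: value or True})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return parts[0].split("=", 1)[0], attrs


def review_response(raw, is_https, max_cookie_days=1):
    """Slide 13: TRACE in Allow; slide 17: no caching headers; slide 20: weak cookie attributes."""
    _, headers = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []
    for allow in values("allow"):
        if "TRACE" in [m.strip().upper() for m in allow.split(",")]:
            findings.append("Allow lists TRACE: XST precondition present")
    if not (values("cache-control") or values("pragma") or values("expires")):
        findings.append("no Cache-Control/Pragma/Expires: page may be served from browser cache")
    date = parsedate_to_datetime(values("date")[0]) if values("date") else None
    for set_cookie in values("set-cookie"):
        name, attrs = cookie_attrs(set_cookie)
        if is_https and "secure" not in attrs:
            findings.append(f"{name}: Secure not set")
        if "httponly" not in attrs:
            findings.append(f"{name}: HttpOnly not set, cookie readable via JavaScript")
        expires = attrs.get("expires")
        if isinstance(expires, str) and date is not None and (parsedate_to_datetime(expires) - date) > timedelta(days=max_cookie_days):
            findings.append(f"{name}: Expires is more than {max_cookie_days} day(s) after the response Date")
    return findings
```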
  21. Testing for Session Fixation (OWASP-SM-003) [P]
     Session ID NOT changed after login = Vuln
     Before login: PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
     After login:  PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
  22. Testing for Exposed Session Variables (OWASP-SM-004) [P]
     Session ID: in URL, in POST, in HTML.
  23. Testing for CSRF (OWASP-SM-005) [P]
     Look at the HTML code: no anti-CSRF token = Vulnerable. Anti-CSRF token = wait for ACTIVE testing ☺
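The static HTML review behind slides 14 (login form on http), 16 (autocomplete on password fields) and 23 (no anti-CSRF token field), as an added Python example that is not part of the deck. It parses the page with the standard library only; the sample page, the page URL and the token-name hints are assumptions made here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from any real site): login, transfer and comment forms.
SAMPLE_PAGE = """<html><body>
<form action="http://example.com/login" method="post"><input name="user"><input type="password" name="pass"></form>
<form action="/transfer" method="post" autocomplete="off"><input name="to"><input name="amount"></form>
<form action="/comment" method="post"><input type="hidden" name="csrf_token" value="constructed-token"><textarea name="text"></textarea></form>
</body></html>"""
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity")  # assumed naming conventions


class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the attributes of its fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"attrs": attrs, "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea") and self._cur is not None:
            self._cur["fields"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def review_forms(page_html, page_url):
    """Slide 14: credentials over http; slide 16: autocomplete; slide 23: POST form without token."""
    parser = FormCollector()
    parser.feed(page_html)
    findings = []
    for i, form in enumerate(parser.forms, 1):
        fa, fields = form["attrs"], form["fields"]
        action = urljoin(page_url, fa.get("action", ""))  # resolve relative actions against the page
        pw = [f for f in fields if f.get("type", "").lower() == "password"]
        if pw and urlsplit(action).scheme == "http":
            findings.append(f"form {i}: credentials would be posted over http ({action})")
        if fa.get("autocomplete", "").lower() != "off" and any(f.get("autocomplete", "").lower() != "off" for f in pw):
            findings.append(f"form {i}: password field without autocomplete=off")
        hidden = [f.get("name", "").lower() for f in fields if f.get("type", "").lower() == "hidden"]
        if fa.get("method", "get").lower() == "post" and not any(h in n for n in hidden for h in TOKEN_HINTS):
            findings.append(f"form {i}: POST form without an anti-CSRF token field")
    return findings
```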
  24. Testing for Bypassing Authorization Schema (OWASP-AZ-002) [P]
     Look at unauthenticated cross-site requests:
     http://other-site.com/user=3&report=4  with  Referer: site.com
     Change ids in the application [!]: http://site.com/view_doc=4
  25. Testing for DOM-based Cross site scripting (OWASP-DV-003) [P]
     Review the JavaScript code on the page:
     <script> document.write("Site is at: " + document.location.href + "."); </script>
  26. Testing for Cross site flashing (OWASP-DV-004) [P]
     Download and decompile Flash files: $ flare hello.swf
     Static / manual analysis.
  27. Testing: WS Information Gathering (OWASP-WS-001) [P]
     Google searches: inurl:wsdl site:example.com
     Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL
     Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
  28. Testing for WS Replay (OWASP-WS-007) [P]
     Similar to CSRF: is there an anti-replay token in the request/response?
  29. Testing for file extensions handling (OWASP-CM-005) [!!]
     _some_ attack traffic, but subtle. File uploads:
     If upload.php or .asp, .html, .. is allowed by the app.
     A valid GIF or JPG comment can be a valid PHP script, etc. ..
     The difference between attack and legit can be subtle.
     File uploads are POST = 99% not logged.
  30. Testing for user enumeration (OWASP-AT-002) [!]
     Error messages. Time differences.
  31. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) [!]
     Subtle: look for signs of output encoding:
     O'Brien  ->  O&apos;Brien
     O"Brien  ->  O&quot;Brien or O%22Brien
     Ted..>   ->  Ted..&gt; or Ted..%3E
     Ted..<   ->  Ted..&lt; or Ted..%3C
     Charset, etc..
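The output-encoding check of slide 31, as an added Python example that is not part of the deck: given the slide's probe strings and a response body, it reports whether each probe came back raw, HTML-entity encoded (numeric or named), or URL-encoded, so a reviewer can see which case needs follow-up. The response body is constructed here, not a real capture.

```python
import html
from urllib.parse import quote

# Probe strings from slide 31 (ASCII quotes); the body below is constructed, not a real capture.
PROBES = ["O'Brien", 'O"Brien', "Ted..>", "Ted..<"]
SAMPLE_BODY = ('<p>Hello O&apos;Brien, your search for Ted..%3E returned 0 results.</p>'
               '<p>Last search: O"Brien</p>')


def encoded_forms(probe):
    """The encodings a correctly escaping app may emit for probe, keyed by encoding name."""
    named = (probe.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&apos;"))
    return {
        "html-entity-numeric": html.escape(probe, quote=True),  # O&#x27;Brien, Ted..&gt;
        "html-entity-named": named,                             # O&apos;Brien, O&quot;Brien
        "url-encoded": quote(probe, safe=""),                   # O%27Brien, O%22Brien, Ted..%3E
    }


def classify_reflection(probe, body):
    """'raw' if the probe comes back unencoded, else the encoding seen, else 'absent'."""
    if probe in body:
        return "raw"
    for name, form in encoded_forms(probe).items():
        if form != probe and form.lower() in body.lower():  # %3E and %3e are equivalent
            return name
    return "absent"


def review_reflections(body, probes=PROBES):
    """Map each probe to how the page reflected it; 'raw' is the case that needs follow-up."""
    return {p: classify_reflection(p, body) for p in probes}
```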
  32. Testing for SQL Injection (OWASP-DV-005) [!]
     Do you get a SQL error?
     Strings: O'Brien
     IDs: instead of "1" type "1l" or "1 l"
  33. Thank you. Abraham Aranguren, @7a_, abraham.aranguren@gmail.com, http://7-a.org
     Special thanks to: OWASP Testing Guide contributors, Mario Heiderich, Chris John Riley, Robin Wood
