BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Web app testingwithout attack traffic Abraham Aranguren @7a_ firstname.lastname@example.org http://7-a.org
Intro 33% (22 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺
Legend Ethics/Scope legend: P P No Permission needed: No attack traffic ! Mild attack traffic / Could break things !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: Vulnerable Not Vulnerable
Testing: Spiders, Robots, and Crawlers(OWASP-IG-001) P $ wget http://www.google.com/robots.txt Found: Analyse entries Not found: Indexing required?
Testing: Search engine discovery /reconnaissance (OWASP-IG-002) Google site:target.com filetype: inurl: P Metadata, DNS, Whois, Company info, staff, etc..
Testing: Identify application entrypoints (OWASP-IG-003) P Use a proxy and JUST browse the site Let the proxy log ALL requests Understand the site Chain ratproxy to your proxy for cool ideas ☺
Testing for Web ApplicationFingerprint (OWASP-IG-004) Get the banner: P $ curl –i –A “Mozilla ” http://target.com | more
Testing for SSL-TLS (OWASP-CM-001) No traffic .. P
Testing for Admin Interfaces(OWASP-CM-007) 3rd party stuff on .NET ViewState, headers,.. P Telerik.Web.UI?? Google it!
Testing for Admin Interfaces(OWASP-CM-007) - continued Google for default passwords P
Testing for Admin Interfaces(OWASP-CM-007) – continued !!
Testing for Admin Interfaces(OWASP-CM-007) - continued !!
Testing for HTTP Methods and XST(OWASP-CM-008) An OPTIONS request is quite normal: P curl -i -A Mozilla/5.0 -X OPTIONS * -k https://site.com HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
Testing for credentials transport(OWASP-AT-001) Is the login page on “http” instead of “https”? P
Testing for Default or Guessable UserAccount (OWASP-AT-003) Analyse the username(s) they gave you to test: P Username based on numbers? USER12345 Username basic on public info? (i.e. names, surnames, ..) name.surname
Vulnerable Remember Password andPwd Reset (OWASP-AT-006) Is autocomplete set to off? P <form autocomplete=“off”> or <input autocomplete=“off”> Look at the questions or fields in the password reset form
Testing for Logout and Browser CacheManagement (OWASP-AT-007) Easy test: Login + Logout + Back button P Or no caching headers / not expiring session cookie: HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: . X-Powered-By: . Connection: close Content-Type: text/html; charset=UTF-8
Testing for Captcha (OWASP-AT-008) Can be done offline: P Download image and try to break it Look for signs of weak third party components PWNtcha - captcha decoder
Testing for Session ManagementSchema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFz c3dvcmQ6MTU6NTg= Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
Testing for cookies attributes(OWASP-SM-002) Secure: not set = no https P HttpOnly: not set = cookies stealable via JS Domain: set properly Path: set to the right /sub-application Expires: set reasonably
Testing for Session Fixation(OWASP-SM-003) Session ID NOT changed after login = Vuln P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
Testing for Exposed Session Variables(OWASP-SM-004) Session ID: P In URL In POST In HTML
Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
Testing for Bypassing AuthorizationSchema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
Testing for Cross site flashing(OWASP-DV-004) Download and decompile Flash files: P $ flare hello.swf Static / Manual analysis
Testing: WS Information Gathering(OWASP-WS-001) Google searches: inurl:wsdl site:example.com P Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
Testing for WS Replay (OWASP-WS-007) Similar to CSRF: P Is there an anti-replay token in the request/response?
Testing for file extensions handling(OWASP-CM-005) _some_ attack traffic but subtle. File Uploads: !! If upload.php or .asp, .html, .. is allowed by app A valid GIF or JPG comment can be a valid PHP script, etc .. Difference from attack to legit can be subtle File uploads are POST = 99% not logged
Testing for user enumeration(OWASP-AT-002) Error messages ! Time differences
Testing for Reflected/Stored Cross sitescripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O'Brien O”Brien O"Brien or O%22Brien Ted..> Ted..> or Ted..%3E Ted,< Ted,.< or Ted..%3C Charset, etc..
Testing for SQL Injection (OWASP-DV-005) Do you get a SQL error? ! Strings: O’Brien IDs: Instead of “1” type “1l” or “1 l”
Thank you Abraham Aranguren @7a_ email@example.com http://7-a.orgSpecial thanks to: OWASP Testing Guide contributors Mario Heiderich Chris John Riley Robin Wood