BruCon 2011 Lightning talk winner: Web app testing without attack traffic
1. Web app testing without attack traffic
Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org
2. Intro
33% (22 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
3. Legend
Ethics/Scope legend:
P  No permission needed: no attack traffic
!  Mild attack traffic / could break things
!! You better have written permission ..
Vulnerable vs. Not Vulnerable legend:
Vulnerable
Not Vulnerable
4. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)
Fetch robots.txt: P
$ wget http://www.google.com/robots.txt
Found: analyse the entries (what did they not want indexed?)
Not found: is indexing required?
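The analysis step above, as an added example that is not part of the original slides: given the text of a saved robots.txt (the sample below is constructed, not Google's file), it groups the rules per User-agent and lists the Disallow entries whose path hints at something the owner did not want found. The keyword list is an assumption to extend per engagement.

```python
"""Offline analysis of a saved robots.txt (OWASP-IG-001). Added example."""
import re

# Constructed sample input for this example.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /cgi-bin/search.cgi
Sitemap: http://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /old-site/
Crawl-delay: 10
"""

# Path fragments that usually deserve a manual look (assumption; extend per target).
INTERESTING = re.compile(
    r"admin|backup|bak|old|test|dev|staging|private|internal|cgi-bin|upload|config",
    re.I,
)


def parse_robots(text):
    """Return ({user-agent: [(directive, value), ...]}, [sitemap URLs]).

    Consecutive User-agent lines form one group, as in the robots.txt spec.
    """
    groups, sitemaps, agents = {}, [], []
    last_was_agent = False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            agents = agents + [value] if last_was_agent else [value]
            groups.setdefault(value, [])
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "sitemap":
            sitemaps.append(value)
        else:
            for agent in agents:
                groups.setdefault(agent, []).append((field, value))
    return groups, sitemaps


def interesting_paths(text):
    """Disallowed paths (all agents, deduplicated, in file order) that match INTERESTING."""
    groups, _ = parse_robots(text)
    seen, out = set(), []
    for rules in groups.values():
        for directive, value in rules:
            if directive == "disallow" and value and INTERESTING.search(value):
                if value not in seen:
                    seen.add(value)
                    out.append(value)
    return out


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(agent, rules)
    print("sitemaps:", sitemaps)
    print("worth a look:", interesting_paths(SAMPLE_ROBOTS))
```

Everything here runs against a file you already downloaded, so it stays in the P category; visiting the listed paths afterwards is where you start sending traffic the site owner may notice.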
5. Testing: Search engine discovery / reconnaissance (OWASP-IG-002)
Google with site:target.com filetype: inurl: P
Metadata, DNS, Whois, company info, staff, etc..
6. Testing: Identify application entry points (OWASP-IG-003)
Use a proxy and JUST browse the site: P
Let the proxy log ALL requests
Understand the site
Chain ratproxy to your proxy for cool ideas ☺
7. Testing for Web Application Fingerprint (OWASP-IG-004)
Get the banner: P
$ curl -i -A "Mozilla " http://target.com | more
13. Testing for HTTP Methods and XST (OWASP-CM-008)
An OPTIONS request is quite normal: P
$ curl -i -A 'Mozilla/5.0' -X OPTIONS -k https://site.com/
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
TRACE in Allow = XST candidate (TRACE echoes the request, cookies included)
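Reading the Allow header by hand is fine for one host; for a list of them, the check is easy to script. The following is an added example, not code from the original talk: it parses the captured OPTIONS response shown above (embedded here as the sample) and maps every method worth reporting to the reason it matters. No request is sent.

```python
"""Passive check of an OPTIONS response's Allow header (OWASP-CM-008). Added example."""

# Response copied from the slide above; used here as a constructed input.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Server: Apache/2.0.63 (Unix)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
)

# Methods that deserve a line in the report, with the reason (the XST one is the slide's point).
RISKY_METHODS = {
    "TRACE": "XST: TRACE echoes the request, including Cookie/Authorization headers",
    "PUT": "PUT may allow writing files on the server",
    "DELETE": "DELETE may allow removing server resources",
    "CONNECT": "CONNECT may turn the server into a proxy",
}


def parse_headers(raw):
    """Header name (lower-cased) -> value, taken from a raw HTTP response string."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(raw):
    """Methods listed in Allow, upper-cased, in the order the server sent them."""
    allow = parse_headers(raw).get("allow", "")
    return [m.strip().upper() for m in allow.split(",") if m.strip()]


def check_methods(raw):
    """Risky methods present in Allow -> why each matters. Empty dict means nothing to report."""
    return {m: RISKY_METHODS[m] for m in allowed_methods(raw) if m in RISKY_METHODS}


if __name__ == "__main__":
    print("Allow:", allowed_methods(SAMPLE_RESPONSE))
    for method, why in check_methods(SAMPLE_RESPONSE).items():
        print(f"  {method}: {why}")
```

Caveat: an Allow header reflects what the server claims for that one URL; a method missing from Allow may still work on another path, and confirming TRACE actually reflects cookies means sending a TRACE request, which is no longer purely passive.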
14. Testing for credentials transport (OWASP-AT-001)
Is the login page on "http" instead of "https"? P
15. Testing for Default or Guessable User Account (OWASP-AT-003)
Analyse the username(s) they gave you to test: P
Username based on numbers?
USER12345
Username based on public info? (e.g. names, surnames, ..)
name.surname
16. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)
Is autocomplete set to off? P
<form autocomplete="off">
or
<input autocomplete="off">
Look at the questions or fields in the password reset form
17. Testing for Logout and Browser Cache Management (OWASP-AT-007)
Easy test: Login + Logout + Back button: P
Or look for missing caching headers / a session cookie that does not expire:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: .
X-Powered-By: .
Connection: close
Content-Type: text/html; charset=UTF-8
18. Testing for Captcha (OWASP-AT-008)
Can be done offline: P
Download the image and try to break it
Look for signs of weak third party components
PWNtcha - captcha decoder
19. Testing for Session Management Schema (OWASP-SM-001)
Examine cookies for weaknesses offline: P
Base64:
MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
(decodes to 192.168.100.1:owaspuser:password:15:58)
Hash of something predictable? Is
owaspuser:192.168.100.1:
behind a7656fafe94dae72b1e1487670148412?
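The offline inspection above, as an added example that is not part of the original slides: given a cookie value, it tries the usual encodings (URL, base64) and recognises bare hex strings of common digest lengths, so the tester can see whether the token is predictable or carries data it should not. The sample values are the two on the slide; the digest-length table is an assumption (it only says what the string is shaped like, not what produced it).

```python
"""Offline inspection of a session cookie value (OWASP-SM-001). Added example."""
import base64
import binascii
import re
import string
from urllib.parse import unquote

# Constructed inputs copied from the slide.
SAMPLE_B64 = "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="
SAMPLE_HEX = "a7656fafe94dae72b1e1487670148412"

# Hex digest lengths and the algorithm they are the right size for (assumption).
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
PRINTABLE = set(string.printable)


def try_base64(value):
    """Decoded text if value is valid base64 decoding to printable ASCII, else None.

    Many apps strip the '=' padding, so it is re-added before decoding.
    """
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and set(text) <= PRINTABLE else None


def looks_like_hash(value):
    """Digest algorithm a bare hex string has the length of, else None."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_LENGTHS.get(len(value))
    return None


def inspect_cookie(value):
    """Describe a cookie value: URL-decoded form, base64 content and fields, hash shape."""
    findings = {}
    decoded = unquote(value)
    if decoded != value:
        findings["url_decoded"] = decoded
    text = try_base64(decoded)
    if text is not None:
        findings["base64"] = text
        # ':'-separated fields usually mean ip:user:password:time style tokens.
        if ":" in text:
            findings["fields"] = text.split(":")
    algo = looks_like_hash(decoded)
    if algo:
        findings["hash"] = algo
    return findings


if __name__ == "__main__":
    for cookie in (SAMPLE_B64, SAMPLE_HEX):
        print(cookie, "->", inspect_cookie(cookie))
```

If the base64 branch fires and you see a username, an IP address or (as here) a password in the clear, the schema is broken without sending a single request. A hash-shaped value is only a lead: the next step is to guess what was hashed from the fields you already know (username, IP, time) and compare offline.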
20. Testing for cookies attributes (OWASP-SM-002)
Secure: not set = cookie is also sent over plain http P
HttpOnly: not set = cookie readable (stealable) via JS
Domain: set properly
Path: set to the right /sub-application
Expires: set reasonably
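The cookie attribute checks above and the cache header check from slide 17 both work from one captured response, so here is one added example covering both (not code from the original talk). It parses every Set-Cookie header, reports the missing attributes per cookie, and checks whether a page that should not be cached (a post-login page) says so. The response is constructed for this example, and the list of session cookie names is an assumption to adjust per target.

```python
"""Passive audit of Set-Cookie attributes and cache headers (OWASP-SM-002, OWASP-AT-007). Added example."""

# Constructed response for this example: a post-login page setting two cookies.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/\r\n"
    "Set-Cookie: lang=en; Expires=Wed, 09 Aug 2012 13:38:43 GMT; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Cookie names that usually hold the session ID (assumption; extend per target).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}


def header_list(raw):
    """All (name, value) pairs with lower-cased names; repeats (Set-Cookie) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value-or-True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookies(raw, https=True):
    """{cookie name: [problems]} for every Set-Cookie in the response."""
    report = {}
    for hname, value in header_list(raw):
        if hname != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        problems = []
        if https and "secure" not in attrs:
            problems.append("no Secure: cookie will also be sent over http")
        if "httponly" not in attrs:
            problems.append("no HttpOnly: readable from JavaScript")
        if name.lower() in SESSION_NAMES:
            if "expires" in attrs or "max-age" in attrs:
                problems.append("session cookie is persistent (Expires/Max-Age set)")
            if attrs.get("path", "/") == "/":
                problems.append("Path is /: sent to every application on the host")
        report[name] = problems
    return report


def audit_caching(raw):
    """Problems with the cache headers of a page that must not be cached (e.g. after login)."""
    headers = dict(header_list(raw))  # last value wins; fine for these three
    problems = []
    if "no-store" not in headers.get("cache-control", "").lower():
        problems.append("Cache-Control lacks no-store: page may stay in the browser cache")
    if "no-cache" not in headers.get("pragma", "").lower():
        problems.append("no Pragma: no-cache (HTTP/1.0 caches)")
    if "expires" not in headers:
        problems.append("no Expires header")
    return problems


if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_RESPONSE).items():
        print(cookie, problems or "ok")
    print("caching:", audit_caching(SAMPLE_RESPONSE) or "ok")
```

Note that `https=True` is the right setting when the page was served over TLS; on a plain-http site the missing Secure flag is the least of the problems (slide 14 applies). A Path of `/` is only a finding when several applications share the host, which the tester knows from browsing (slide 6).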
21. Testing for Session Fixation (OWASP-SM-003)
Session ID NOT changed after login = Vuln: P
Before Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
After Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
22. Testing for Exposed Session Variables (OWASP-SM-004)
Session ID: P
In URL
In POST
In HTML
23. Testing for CSRF (OWASP-SM-005)
Look at the HTML code: P
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait for ACTIVE testing ☺
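The HTML review for the anti-CSRF token above, and the autocomplete check from slide 16, are both a walk over the forms of a saved page. Here is one added example doing both (not code from the original talk): for each form it reports password fields that allow autocomplete and POST forms with no hidden field that looks like a token. The page is constructed for this example, and the token-name pattern is an assumption, since every framework names that field differently.

```python
"""Passive form review: autocomplete and anti-CSRF tokens (OWASP-AT-006, OWASP-SM-005). Added example."""
import re
from html.parser import HTMLParser

# Constructed page for this example: a login form, a transfer form, a search form.
SAMPLE_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<form id="transfer" action="/transfer" method="POST" autocomplete="off">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204e9800998ecf8427e">
  <input type="text" name="to">
  <input type="text" name="amount">
</form>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""

# Hidden-field names that usually carry an anti-CSRF token (assumption; extend per framework).
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity|requestverification", re.I)


class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.current = {"attrs": attrs, "inputs": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            self.current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def audit_forms(html):
    """{form id (or action): [findings]} for every form in the page."""
    parser = FormCollector()
    parser.feed(html)
    report = {}
    for form in parser.forms:
        a, inputs = form["attrs"], form["inputs"]
        key = a.get("id") or a.get("action") or "<anonymous>"
        findings = []
        form_off = a.get("autocomplete", "").lower() == "off"
        for inp in inputs:
            if inp.get("type", "").lower() == "password":
                if not form_off and inp.get("autocomplete", "").lower() != "off":
                    findings.append("password field allows autocomplete")
        if a.get("method", "get").lower() == "post":
            has_token = any(
                inp.get("type", "").lower() == "hidden" and TOKEN_NAME.search(inp.get("name", ""))
                for inp in inputs
            )
            if not has_token:
                findings.append("POST form without a hidden anti-CSRF token")
        report[key] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_forms(SAMPLE_HTML).items():
        print(name, findings or "ok")
```

Two caveats a practitioner will want: a token that is present may still be unchecked by the server, which is the part that needs active testing, and current browsers largely ignore `autocomplete="off"` on login fields, so that finding is mostly about older clients and the application's intent.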
24. Testing for Bypassing Authorization Schema (OWASP-AZ-002)
Look at unauthenticated cross-site requests: P
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: !
http://site.com/view_doc=4
25. Testing for DOM-based Cross site scripting (OWASP-DV-003)
Review the JavaScript code on the page: P
<script> document.write("Site is at: " +
document.location.href + "."); </script>
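Reviewing JavaScript for DOM XSS means looking for a script that reads something the attacker controls (a source) and writes it somewhere dangerous (a sink). The following added example (not code from the original talk) does that first pass over the inline scripts of a saved page; it only finds candidates for manual review, not confirmed bugs. The page is constructed for this example, with the slide's snippet as its first script; the source and sink lists are an assumption and deliberately loose.

```python
"""Static scan of inline JavaScript for DOM XSS sources and sinks (OWASP-DV-003). Added example."""
import re

# Constructed page: script 0 is the slide's snippet, script 1 is harmless, script 2 is a candidate.
SAMPLE_HTML = """
<html><body>
<script> document.write("Site is at: " + document.location.href + "."); </script>
<script>
  var lang = navigator.language;
  document.getElementById("l").textContent = lang;
</script>
<script>
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById("greet").innerHTML = "Hi " + name;
</script>
</body></html>
"""

# Attacker-influenced inputs (assumption: the usual suspects, not an exhaustive list).
SOURCES = re.compile(
    r"document\.(location|URL|documentURI|referrer)|window\.(location|name)|"
    r"\blocation\.(href|search|hash|pathname)|\blocation\b",
    re.I,
)
# Places where a string becomes markup or code (assumption, same caveat).
SINKS = re.compile(
    r"document\.write(ln)?\s*\(|\.innerHTML\s*=|\.outerHTML\s*=|\beval\s*\(|"
    r"\bsetTimeout\s*\(|\bsetInterval\s*\(|\blocation\s*=|\.src\s*=",
    re.I,
)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def inline_scripts(html):
    """Bodies of inline <script> blocks, in document order (external src= files are not fetched)."""
    return [m.group(1) for m in SCRIPT.finditer(html)]


def scan_script(js):
    """(sources, sinks) used in one script body; either may be empty."""
    sources = {m.group(0) for m in SOURCES.finditer(js)}
    sinks = {m.group(0).strip() for m in SINKS.finditer(js)}
    return sources, sinks


def dom_xss_candidates(html):
    """Scripts that touch both a source and a sink, with what they use, for manual review."""
    hits = []
    for i, js in enumerate(inline_scripts(html)):
        sources, sinks = scan_script(js)
        if sources and sinks:
            hits.append({"script": i, "sources": sorted(sources), "sinks": sorted(sinks)})
    return hits


if __name__ == "__main__":
    for hit in dom_xss_candidates(SAMPLE_HTML):
        print(f"script #{hit['script']}: sources={hit['sources']} sinks={hit['sinks']}")
```

Co-occurrence in one script is not data flow: the reviewer still has to trace whether the source value actually reaches the sink unencoded. Scripts loaded via `src=` need to be downloaded and scanned the same way, which is still just browsing.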
26. Testing for Cross site flashing (OWASP-DV-004)
Download and decompile the Flash files: P
$ flare hello.swf
Static / Manual analysis
27. Testing: WS Information Gathering (OWASP-WS-001)
Google searches: inurl:wsdl site:example.com P
Web service analysis:
http://www.example.com/ws/FindIP.asmx?WSDL
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/
28. Testing for WS Replay (OWASP-WS-007)
Similar to CSRF: P
Is there an anti-replay token in the request/response?
29. Testing for file extensions handling (OWASP-CM-005)
_some_ attack traffic, but subtle. File uploads: !!
If uploading .php, .asp, .html, .. is allowed by the app
A valid GIF or JPG comment can also be a valid PHP script, etc ..
The difference between an attack and a legit upload can be subtle
File uploads are POST bodies = 99% of the time not logged
30. Testing for user enumeration (OWASP-AT-002)
Error messages: !
Time differences
31. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)
Subtle: look for signs of output encoding: !
Input     Comes back as
O'Brien   O'Brien
O"Brien   O"Brien or O%22Brien
Ted..>    Ted..> or Ted..%3E
Ted,<     Ted,< or Ted..%3C
Charset, etc..
32. Testing for SQL Injection (OWASP-DV-005)
Do you get a SQL error? !
Strings: O'Brien
IDs: instead of "1" type "1l" or "1 l"
33. Thank you
Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org
Special thanks to:
OWASP Testing Guide contributors
Mario Heiderich
Chris John Riley
Robin Wood