BruCon 2011 Lightning talk winner: Web app testing without attack traffic


Published on

BruCon 2011 Lightning talk winner: An OWASP focused walk-through on what can be at least partially tested without permission in a web application

Published in: Technology, Design
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

BruCon 2011 Lightning talk winner: Web app testing without attack traffic

  1. 1. Web app testingwithout attack traffic Abraham Aranguren @7a_
  2. 2. Intro 33% (22 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺
  3. 3. Legend Ethics/Scope legend: P P No Permission needed: No attack traffic ! Mild attack traffic / Could break things !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: Vulnerable Not Vulnerable
  4. 4. Testing: Spiders, Robots, and Crawlers(OWASP-IG-001) P $ wget Found: Analyse entries Not found: Indexing required?
  5. 5. Testing: Search engine discovery /reconnaissance (OWASP-IG-002) Google filetype: inurl: P Metadata, DNS, Whois, Company info, staff, etc..
  6. 6. Testing: Identify application entrypoints (OWASP-IG-003) P Use a proxy and JUST browse the site Let the proxy log ALL requests Understand the site Chain ratproxy to your proxy for cool ideas ☺
  7. 7. Testing for Web ApplicationFingerprint (OWASP-IG-004) Get the banner: P $ curl –i –A “Mozilla ” | more
  8. 8. Testing for SSL-TLS (OWASP-CM-001) No traffic .. P
  9. 9. Testing for Admin Interfaces(OWASP-CM-007) 3rd party stuff on .NET ViewState, headers,.. P Telerik.Web.UI?? Google it!
  10. 10. Testing for Admin Interfaces(OWASP-CM-007) - continued Google for default passwords P
  11. 11. Testing for Admin Interfaces(OWASP-CM-007) – continued !!
  12. 12. Testing for Admin Interfaces(OWASP-CM-007) - continued !!
  13. 13. Testing for HTTP Methods and XST(OWASP-CM-008) An OPTIONS request is quite normal: P curl -i -A Mozilla/5.0 -X OPTIONS * -k HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
  14. 14. Testing for credentials transport(OWASP-AT-001) Is the login page on “http” instead of “https”? P
  15. 15. Testing for Default or Guessable UserAccount (OWASP-AT-003) Analyse the username(s) they gave you to test: P Username based on numbers? USER12345 Username basic on public info? (i.e. names, surnames, ..) name.surname
  16. 16. Vulnerable Remember Password andPwd Reset (OWASP-AT-006) Is autocomplete set to off? P <form autocomplete=“off”> or <input autocomplete=“off”> Look at the questions or fields in the password reset form
  17. 17. Testing for Logout and Browser CacheManagement (OWASP-AT-007) Easy test: Login + Logout + Back button P Or no caching headers / not expiring session cookie: HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: . X-Powered-By: . Connection: close Content-Type: text/html; charset=UTF-8
  18. 18. Testing for Captcha (OWASP-AT-008) Can be done offline: P Download image and try to break it Look for signs of weak third party components PWNtcha - captcha decoder
  19. 19. Testing for Session ManagementSchema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFz c3dvcmQ6MTU6NTg= Is owaspuser: a7656fafe94dae72b1e1487670148412
  20. 20. Testing for cookies attributes(OWASP-SM-002) Secure: not set = no https P HttpOnly: not set = cookies stealable via JS Domain: set properly Path: set to the right /sub-application Expires: set reasonably
  21. 21. Testing for Session Fixation(OWASP-SM-003) Session ID NOT changed after login = Vuln P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
  22. 22. Testing for Exposed Session Variables(OWASP-SM-004) Session ID: P In URL In POST In HTML
  23. 23. Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
  24. 24. Testing for Bypassing AuthorizationSchema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P Referer: Change ids in application: !
  25. 25. Testing for DOM-based Cross sitescripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script>
  26. 26. Testing for Cross site flashing(OWASP-DV-004) Download and decompile Flash files: P $ flare hello.swf Static / Manual analysis
  27. 27. Testing: WS Information Gathering(OWASP-WS-001) Google searches: inurl:wsdl P Web service analysis: Public services search:
  28. 28. Testing for WS Replay (OWASP-WS-007) Similar to CSRF: P Is there an anti-replay token in the request/response?
  29. 29. Testing for file extensions handling(OWASP-CM-005) _some_ attack traffic but subtle. File Uploads: !! If upload.php or .asp, .html, .. is allowed by app A valid GIF or JPG comment can be a valid PHP script, etc .. Difference from attack to legit can be subtle File uploads are POST = 99% not logged
  30. 30. Testing for user enumeration(OWASP-AT-002) Error messages ! Time differences
  31. 31. Testing for Reflected/Stored Cross sitescripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O&apos;Brien O”Brien O&quot;Brien or O%22Brien Ted..> Ted..&gt; or Ted..%3E Ted,< Ted,.&lt; or Ted..%3C Charset, etc..
  32. 32. Testing for SQL Injection (OWASP-DV-005) Do you get a SQL error? ! Strings: O’Brien IDs: Instead of “1” type “1l” or “1 l”
  33. 33. Thank you Abraham Aranguren @7a_ http://7-a.orgSpecial thanks to: OWASP Testing Guide contributors Mario Heiderich Chris John Riley Robin Wood