Web application vulnerability assessment
2. o A penetration test is a method of evaluating
the security of a computer system or network by
simulating an attack.
o A Web Application Penetration Test focuses only on
evaluating the security of a web application.
o The process involves an active analysis of the
application for any weaknesses, technical flaws, or
vulnerabilities.
o Any security issues that are found will be presented
to the system owner together with an assessment of
their impact and often with a proposal for mitigation
or a technical solution.
3. o What is a vulnerability?
A vulnerability is a flaw or weakness in a system's
design, implementation, or operation and management that
could be exploited to violate the system's security policy.
• A threat is a potential attack that, by exploiting a
vulnerability, may harm the assets owned by an
application (resources of value, such as the data in a
database or in the file system).
• A test is an action that tends to show a vulnerability in the
application.
And vulnerabilities are everywhere!
5. The OWASP Web Application Penetration
Testing method is based on the black box approach.
The tester knows nothing or very little
about the application to be tested.
The testing model consists of:
o Tester: who performs the testing activities
o Tools and methodology: the core of this Testing
Guide project
o Application: the black box to test
6. The test is divided into 2 phases:
1. Passive mode
2. Active mode
In the passive mode, the tester tries to
understand the application's logic and plays with
the application. Tools can be used for information
gathering.
At the end of this phase, the tester should
understand all the access points (gates) of the
application.
7. In this phase (active mode), the tester begins to test using the
methodology. We have split the set of active tests into 12
sub-categories for a total of 91 controls:
I. Information Gathering
II. Configuration and Deploy Management Testing
III. Identity Management Testing
IV. Authentication Testing
V. Authorization Testing
VI. Session Management Testing
VII. Data Validation Testing
VIII. Error Handling
IX. Cryptography
X. Logging
XI. Business Logic Testing
XII. Client Side Testing
9. 1. Conduct Search Engine Discovery and Reconnaissance
for Information Leakage
2. Fingerprint Web Server
3. Review Webserver Metafiles for Information Leakage
4. Enumerate Applications on Webserver
5. Review Webpage Comments and Metadata for
Information Leakage
6. Identify application entry points
7. Map execution paths through application
8. Fingerprint Web Application Framework
9. Fingerprint Web Application
10. Map Network and Application Architecture
11. Using a search engine, search for:
[1] Network diagrams and configurations
[2] Archived posts and emails by administrators and other key staff
[3] Logon procedures and username formats
[4] User names and passwords
[5] Error message content
[6] Development, test, UAT and staging versions of the website
Queries are put in several categories:
Footholds
Files containing usernames
Sensitive Directories
Web Server Detection
Vulnerable Files
Vulnerable Servers
Error Messages
Files containing juicy info
Files containing passwords
Sensitive Online Shopping Info
13. Knowing the version and type of a running web server
allows testers to determine known vulnerabilities and the
appropriate exploits to use during testing.
14. Review the robots.txt file for information leakage of the web
application's directory/folder path(s).
15. A key step in testing for web application vulnerabilities is to find out
which particular applications are hosted on a web server.
29. A framework's default cookie name reveals the framework.
WordPress directory structure (another framework indicator).
For the default cookie names of more frameworks, refer to pages 75-76 of the documentation.
30. Currently one of the best fingerprinting tools on the market.
Included in a default Kali Linux build
31. This tool works on the principle of static-file, checksum-based
version differences, thus providing very high-quality
fingerprinting. Language: Python
33. Web server fingerprinting is a critical task for the
Penetration tester. Knowing the version and type of a
running web server allows testers to determine known
vulnerabilities and the appropriate exploits to use during
testing.
Nmap version detection offers many advanced features
that help in determining the services running on a given
host. It obtains all data by connecting to open ports and
interrogating them with probes that the specific services
understand.
34. • List all the possible administrative interfaces.
• Determine if administrative interfaces are available from an
internal network or are also available from the Internet.
Firewall/IDS Identifier script
35. 1. Test Network/Infrastructure Configuration
2. Test Application Platform Configuration
3. Test File Extensions Handling for Sensitive Information
4. Backup and Unreferenced Files for Sensitive Information
5. Enumerate Infrastructure and Application Admin Interfaces
6. Test HTTP Methods
7. Test HTTP Strict Transport Security
8. Test RIA cross domain policy
36. Proper configuration management of the web server
infrastructure is very important in order to preserve the security of
the application itself. If elements such as the web server software,
the back-end database servers, or the authentication servers are
not properly reviewed and secured, they might introduce
undesired risks or introduce new vulnerabilities that might
compromise the application itself.
1. WebSEAL, also known as Tivoli Authentication Manager, is a reverse
proxy from IBM which is part of the Tivoli framework.
2. There are some GUI-based administration tools for Apache (like
NetLoony) but they are not in widespread use yet.
37. 1. Handle server errors (40x or 50x) with custom-made pages instead of
with the default web server pages.
2. Logging information
3. Keep in mind that all users can read .NET Framework machine.config and
root web.config files by default.
4. Only enable server modules (ISAPI extensions in the IIS case) that are
needed for the application.
38. Many web servers and application servers provide, in a default
installation, sample applications and files that are provided for the benefit
of the developer and in order to test that the server is working properly
right after installation.
However, many default web server applications have later become
known to be vulnerable. This was the case, for example, for CVE-1999-0449
(Denial of Service in IIS when the Exair sample site had been
installed), CAN-2002-1744 (Directory traversal vulnerability in
CodeBrws.asp in Microsoft IIS 5.0), CAN-2002-1630 (Use of sendmail.jsp in
Oracle 9iAS), or CAN-2003-1172 (Directory traversal in the view-source
sample in Apache's Cocoon).
40. When each file stem is tested, Burp checks for various different extensions,
according to these settings.
41. While most of the files within a web server are directly
handled by the server itself, it isn't uncommon to find
unreferenced and/or forgotten files that can be used to obtain
important information about either the infrastructure or the
credentials.
Same as above test but only for backup information
42. THC-Hydra for brute-force attacks:
1) Set the target port number or protocol
2) Add the username and password lists
45. The use of this header by web applications must be checked to
find out whether the following security issues could arise:
• Attackers sniffing the network traffic and accessing the information
transferred through an unencrypted channel.
• Attackers exploiting a man-in-the-middle attack because of the
problem of accepting certificates that are not trusted.
• Users who mistakenly entered an address in the browser putting
HTTP instead of HTTPS, or users who click on a link in a web
application which mistakenly indicated the http protocol.
HSTS header example:
Strict-Transport-Security: max-age=60000; includeSubDomains
46. Rich Internet Applications (RIA) have adopted Adobe's
crossdomain.xml policy files in order to allow for controlled cross
domain access to data and service consumption using technologies
such as Oracle Java, Silverlight, and Adobe Flash.
47. 1. Test Role Definitions
2. Test User Registration Process
3. Test Account Provisioning Process
4. Testing for Account Enumeration and Guessable User Account
5. Testing for Weak or unenforced username policy
48. Role/permission matrix:

ROLE           PERMISSION   OBJECT             CONSTRAINTS
Administrator  Read         Customer records   -
Manager        Read         Customer records   Only records related to business unit
Staff          Read         Customer records   Only records associated with customers assigned by Manager
Customer       Read         Customer record    Only own record
54. User account names are often highly
structured (e.g. Joe Bloggs account name is
jbloggs and Fred Nurks account name is
fnurks) and valid account names can easily be
guessed.
55. 1. Testing for Credentials Transported over an Encrypted Channel
2. Testing for default credentials
3. Testing for Weak lock out mechanism
4. Testing for bypassing authentication schema
5. Test remember password functionality
6. Testing for Browser cache weakness
7. Testing for Weak password policy
8. Testing for Weak security question/answer
9. Testing for weak password change or reset functionalities
10. Testing for Weaker authentication in alternative channel
59. Accounts are typically locked after 3 to 5 unsuccessful login
attempts and can only be unlocked after a predetermined
period of time, via a self-service unlock mechanism, or
intervention by an administrator.
60. There are several methods to bypass the authentication
schema in use by a web application:
Direct page request (forced browsing)
Parameter modification
Session ID prediction
SQL injection
62. • Remember-password functionality stores the user's credentials in a
cookie.
• You must check whether the stored credential is encrypted or not.
63. Cache-Control: must-revalidate, pre-check=0, post-check=0,
max-age=0, s-maxage=0
--------------------------------
HTTP/1.1:
Cache-Control: no-cache
-------------------------------
HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>
64. The most prevalent and most easily administered authentication
mechanism is a static password. The password represents the
keys to the kingdom, but is often subverted by users in the name
of usability.
In each of the recent high profile hacks that have revealed user
credentials, it is lamented that most common passwords are still:
123456, password
65. Pre-generated questions:
• The majority of pre-generated questions are fairly simplistic in nature
and can lead to insecure answers. For example:
• The answers may be known to family members or close friends of the
user, e.g. "What is your mother's maiden name?", "What is your date of
birth?"
• The answers may be easily guessable, e.g. "What is your favorite color?",
"What is your favorite baseball team?"
• The answers may be brute forcible, e.g. "What is the first name of your
favorite high school teacher?" - the answer is probably on some easily
downloadable lists of popular first names, and therefore a simple brute
force attack can be scripted.
• The answers may be publicly discoverable, e.g. "What is your favorite
movie?" - the answer may easily be found on the user's social media
profile page.
66. In addition to the previous test it is important to verify:
Is the old password requested to complete the change?
The most insecure scenario here is if the application permits the
change of the password without requesting the current password.
Indeed if an attacker is able to take control of a valid session (s)he
could easily change the victim's password.
68. 1. Testing Directory traversal/file include
2. Testing for bypassing authorization schema
3. Testing for Privilege Escalation
4. Testing for Insecure Direct Object References
70. Is it possible to access that resource even if the user is not authenticated?
Is it possible to access that resource after the log-out?
Is it possible to access functions and resources that should be accessible
to a user that holds a different role/privilege?
POST /admin/addUser.jsp HTTP/1.1
Host: www.example.com
[other HTTP headers]
userID=fakeuser&role=3&group=grp001
73. Insecure Direct Object References allow attackers to bypass
authorization and access resources directly by modifying the
value of a parameter used to directly point to an object.
75. 1. Testing for Bypassing Session Management Schema
2. Testing for Cookies attributes
3. Testing for Session Fixation
4. Testing for Exposed Session Variables
5. Testing for Cross Site Request Forgery
6. Testing for logout functionality
7. Test Session Timeout
8. Testing for Session puzzling
76. If you have access to the session management schema
implementation, you can check for the following:
Random session token
Token length
Session time-out
Cookie configuration:
o non-persistent: only in RAM memory
o secure (sent only over an HTTPS channel): Set-Cookie:
cookie=data; path=/; domain=.aaa.it; secure
o HttpOnly (not readable by a script): Set-Cookie:
cookie=data; path=/; domain=.aaa.it; HttpOnly
81. How are Session IDs transferred? e.g., GET, POST, form field (including
hidden fields)
Are Session IDs always sent over encrypted transport by default?
Is it possible to manipulate the application to send Session IDs
unencrypted? e.g., by changing HTTPS to HTTP?
What cache-control directives are applied to requests/responses
passing Session IDs?
Are these directives always present? If not, where are the exceptions?
Are GET requests incorporating the Session ID used?
If POST is used, can it be interchanged with GET?
82. Request submission without any CSRF request token.
A successful CSRF exploit can compromise end user data and
operation, when it targets a normal user.
If the targeted end user is the administrator account, a CSRF attack can
compromise the entire web application.
83. Testing the logout user interface
Testing for server-side session termination
Testing for session timeout
Testing session cleanup on the client side
In this phase, we check that the application automatically
logs out a user when that user has been idle for a certain amount
of time, ensuring that it is not possible to "reuse" the same session
and that no sensitive data remains stored in the browser cache.
84. This vulnerability occurs when an application uses the same session
variable for more than one purpose. An attacker can potentially access
pages in an order unanticipated by the developers so that the session
variable is set in one context and then used in another.
85. 1. Testing for Reflected Cross Site Scripting
2. Testing for Stored Cross Site Scripting
3. Testing for HTTP Verb Tampering
4. Testing for HTTP Parameter pollution
5. Testing for SQL Injection
5.1 Oracle Testing
5.2 MySQL Testing
5.3 SQL Server Testing
5.4 Testing PostgreSQL
5.5 MS Access Testing
5.6 Testing for NoSQL injection
………..
86. 6. Testing for LDAP Injection
7. Testing for ORM Injection
8. Testing for XML Injection
9. Testing for SSI Injection
10. Testing for XPath Injection
11. IMAP/SMTP Injection
12. Testing for Code Injection
12.1 Testing for Local File Inclusion
12.2 Testing for Remote File Inclusion
13. Testing for Command Injection
14. Testing for Buffer overflow
14.1 Testing for Heap overflow
14.2 Testing for Stack overflow
14.3 Testing for Format string
15. Testing for incubated vulnerabilities
16. Testing for HTTP Splitting/Smuggling
87. Reflected Cross-site Scripting (XSS) occurs when an attacker injects
browser-executable code within a single HTTP response.
http://example.com/index.php?user=<script>alert(123)</script>
Bypassing XSS filters: see page 224 of the documentation.
95. HTTP Parameter Pollution: how different backends parse a duplicated
parameter in http://example.com/?color=red&color=blue

Web Application Server Backend                Parsing Result                      Example
ASP.NET / IIS                                 Concatenated with a comma           color=red,blue
ASP / IIS                                     Concatenated with a comma           color=red,blue
PHP / Apache                                  Last occurrence only                color=blue
PHP / Zeus                                    Last occurrence only                color=blue
JSP, Servlet / Apache Tomcat                  First occurrence only               color=red
JSP, Servlet / Oracle Application Server 10g  First occurrence only               color=red
JSP, Servlet / Jetty                          First occurrence only               color=red
IBM Lotus Domino                              Last occurrence only                color=blue
IBM HTTP Server                               First occurrence only               color=red
mod_perl, libapreq2 / Apache                  First occurrence only               color=red
Perl CGI / Apache                             First occurrence only               color=red
mod_wsgi (Python) / Apache                    First occurrence only               color=red
Python / Zope                                 All occurrences in List data type   color=['red','blue']

96. Authentication bypass (duplicated blogID parameter):
POST /add-authors.do HTTP/1.1
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=tester@gmail.com(attacker email)&ok=Invite
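An added example (not from the slides or the OWASP Testing Guide) that reproduces the four parsing behaviours in the table, so the value a given backend family will see for a duplicated parameter can be predicted, and that flags duplicated names such as the blogID in the request above. The backend-to-behaviour mapping is the table's; the URLs are constructed.

```python
# Added example, not from the slides or the OWASP Testing Guide: the four parsing
# strategies from the HPP table, applied to a query string with a repeated parameter.
from urllib.parse import parse_qsl, urlsplit

def query_params(url):
    # Ordered (name, value) pairs; duplicates are preserved, which a dict would hide.
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def first_occurrence(pairs, name):     # Tomcat, Jetty, Perl CGI, mod_wsgi, IBM HTTP Server
    return next((v for n, v in pairs if n == name), None)

def last_occurrence(pairs, name):      # PHP/Apache, PHP/Zeus, Lotus Domino
    vals = [v for n, v in pairs if n == name]
    return vals[-1] if vals else None

def concatenated(pairs, name):         # ASP.NET/IIS, ASP/IIS
    vals = [v for n, v in pairs if n == name]
    return ",".join(vals) if vals else None

def all_occurrences(pairs, name):      # Python/Zope (list data type)
    return [v for n, v in pairs if n == name]

# One representative per behaviour class in the table
BACKENDS = {
    "ASP.NET / IIS": concatenated,
    "PHP / Apache": last_occurrence,
    "JSP, Servlet / Apache Tomcat": first_occurrence,
    "Python / Zope": all_occurrences,
}

def parsing_matrix(url, name):
    # What each backend family sees for `name` in `url`
    pairs = query_params(url)
    return {backend: fn(pairs, name) for backend, fn in BACKENDS.items()}

def duplicated_params(url):
    # Names that appear more than once: the condition a parameter-pollution test relies on
    seen, dups = set(), set()
    for n, _ in query_params(url):
        (dups if n in seen else seen).add(n)
    return sorted(dups)
```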
103. LDAP injection testing is similar to SQL injection testing. The differences
are that we use the LDAP protocol instead of SQL and that the target is
an LDAP server instead of a SQL server. Example of a filter built by
concatenating user input:
"(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
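An added example (not from the slides or the OWASP Testing Guide): the filter above rebuilt in Python, first by plain concatenation as on the slide and then with RFC 4515 escaping of the assertion value, plus a structural check that tells the two apart. Inputs are constructed; the {MD5} encoding follows the slide's expression.

```python
# Added example, not from the slides or the OWASP Testing Guide: the filter shown above
# built by plain concatenation (as on the slide) and then with RFC 4515 value escaping,
# so that test input cannot add or close filter clauses. All inputs are constructed.
import base64
import hashlib

def md5_password_attribute(password):
    # Same value the slide's {MD5}base64(pack("H*", md5(pass))) expression produces
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def build_filter_unsafe(user, password):
    # Direct concatenation: ( ) * \ inside `user` are interpreted as filter syntax
    return "(&(uid=" + user + ")(userPassword=" + md5_password_attribute(password) + "))"

def ldap_escape(value):
    # RFC 4515 section 3: backslash, *, (, ) and NUL become \XX hex escapes
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def build_filter_safe(user, password):
    return "(&(uid=" + ldap_escape(user) + ")(userPassword=" + md5_password_attribute(password) + "))"

def opening_parens(built):
    # The intended shape (&(uid=..)(userPassword=..)) has exactly three '('.
    # Escaped parentheses are the text "\28", so a count above three means the
    # input changed the filter structure.
    return built.count("(")

def filter_intact(built):
    return opening_parens(built) == 3 and built.endswith("))")
```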
104. An ORM is an Object Relational Mapping tool. It is used to
expedite object-oriented development within the data access layer of
software applications, including web applications.
Testing for ORM injection vulnerabilities is identical to SQL injection
testing (see Testing for SQL Injection).
Orders.find_all "customer_id = 123 AND
order_date = '#{@params['order_date']}'"
Simply sending "' OR 1--" in the form where the order date can be
entered can yield positive results.
106. Web servers usually give developers the ability to add
small pieces of dynamic code inside static HTML pages, without
having to deal with full-fledged server-side or client-side
languages. This feature is provided by Server-Side Includes (SSI).
107. .shtml file
Putting an SSI directive into a static HTML document is as easy as
writing a piece of code like the following:
    <!--#echo var="DATE_LOCAL" -->
to print out the current time;
    <!--#include virtual="/cgi-bin/counter.pl" -->
to include the output of a CGI script;
    <!--#include virtual="/footer.html" -->
to include the content of a file or list files in a directory;
    <!--#exec cmd="ls" -->
to include the output of a system command.
122. 1. Testing for Weak SSL/TLS Ciphers, Insufficient Transport
Layer Protection
2. Testing for Padding Oracle
3. Testing for Sensitive information sent via unencrypted
channels
130. 1. Testing for DOM based Cross Site Scripting
2. Testing for JavaScript Execution
3. Testing for HTML Injection
4. Testing for Client Side URL Redirect
5. Testing for CSS Injection
6. Testing for Client Side Resource Manipulation
7. Test Cross Origin Resource Sharing
8. Testing for Cross Site Flashing
9. Testing for Clickjacking
10. Testing WebSockets
11. Test Web Messaging
12. Test Local Storage
142. The Open Web Application Security Project (OWASP)
is a 501(c)(3) worldwide not-for-profit charitable organization
focused on improving the security of software.
OWASP's mission is to make software security visible, so that
individuals and organizations worldwide can make informed
decisions about true software security risks.
143. Net-Square Solutions Private Limited is a niche
information security service provider. Net-Square focuses completely
and mainly on technology-based areas of
information security such as application and infrastructure security.
Net-Square Solutions was founded by the
internationally experienced information security specialist
Saumil Shah in the year 2000. Since then, Net-Square has
conducted many assignments for some of the best
organizations in the world, in sectors ranging from banking
and financial services to telecom, retail and pharmaceuticals.