05.12.12 QA Lab: тестирование программного обеспечения.
Upcoming events: goo.gl/I2gJ4H
В этом докладе мы рассмотрим самые распространенные проблемы в безопасности приложений и то, как вы можете их найти в ваших проектах. Мы коснемся инструментария взломщика веб-приложений и основных уязвимостей - XSS, SQL инъекций, XXE, аутентификации, авторизации, управления сессиями, атак отказа в обслуживании, и так далее.
3. AppSec testing tools
the Swiss Army Knife of AppSec – Fiddler
not just a proxy
inspect HTTP and HTTPS! (best served in RAW)
modify and replay
intercept mid-air
setup reverse proxy mode
get request stats
set filters
do text encoding
scripting in C#
4. AppSec testing tools
WireShark – when Fiddler doesn’t cut it
only passive traffic monitoring
sees everything!
your browser’s developer console
socket programming in any language, e.g.
Python
hacker’s mindset
5. Mapping application’s content
read the feature specs
monitor HTTP traffic for all user data entry points
look at interface differences for different user
roles
record a request such controls send for users who
can use them and replay them with user sessions
that can’t
discover hidden content
ViewDocument.jsp Delete, Upload, Edit, Create,
etc.
lookout for direct server file access (filename
7. Input vulnerabilities: basic
checks
check if server correctly handles unexpected
data
negative indexes and values
overly large integers
zero-bytes
look for differences in processing of directly
submitted values AND when parsed from a user
uploaded or controlled file
relates to ALL input-based vulnerabilities!
8. Input vulnerabilities: SQL
injections
use DB server management software and
profiler
submit ‘ or “ in request, not only “Edit”
operations!
SQLi can be anywhere where DB is accessed
based on user data, in any way!
monitor for server errors AND the DB
log/profiler!
broken SQL query in DB log, error, etc?..
REPORT!
9. Input vulnerabilities: XSS
injections
general principle – lack of input encoding
user submitted data is unmodified in HTML page
from Google XSS guide: "A good test string is
>'>"><img src=x onerror=alert(0)
generally, raise an ALARM for any of the
following 5:
< > & " ‘
within HTML actions and JavaScript code,
additionally
n r ’ ” uXXXX
sometimes escaping won’t help
10. Input vulnerabilities: XSS
injections
reflected XSS
when a part of URL is reflected back in HTML page
DON’T forget to URL encode special characters!
e.g.:
http://url.com/1.jsp?param=%3E%3Cscript%3Ealert
(1)%3C%2Fscript%3E
stored XSS
a malicious string is added to the server once and
displayed as a part of a page to everyone viewing it
from POST body, HTTP header, uploaded file,
HTML based server log, etc… MANY vectors!
11. Input vulnerabilities: XSS
injections
DOM XSS
caused by unsafe JS during runtime inside the
browser
same principles apply (at this low level)
monitor for special chars appearing in resulting
HTML!
example:
http://url.com/page.jsp?param=value#section1%3E
%3Cscript%3Ealert(1)%3C%2Fscript%3E
13. Input vulns: HTTP header
injection
for each response header where user data appears
try inserting carriage-return and line-feed symbols
the actual symbols! “0d” and “0a” in hex
if they are returned in server response header
unmodified
ALARM! malicious server headers can be forged or HTTP
split!
Example evil URL:
http://url.com/page.jsp?contentType=text/html%0d%0aE
vilHeader%3A%20blabla
Example vulnerable server response:
HTTP/1.1 200 OK
Content-Type: text/html
EvilHeader: blabla
14. Input vulns: XML injections -
XXE
XML External Entities
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" > ] >
<username>&xxe;</username><password>…………
…
if no error or file is retruned by server – ALARM!
if gives an error, but it disappears after you
remove embedded entity and leave only
declaration, ALARM!
16. Input vulns: Open redirection
if the URL data specifies a redirection target
try modifying or adding the redirection domain, e.g.
in
http://url.com/qcbin/authentication-point/web-ui-
login.jsp?redirect-url=%2Fui%2F
after that, trigger an event that causes redirection,
e.g. login
if it redirects to a different domain, ALARM!
18. Denial of Service
check if server correctly handles unexpected
data
zero-bytes in input
XML “billion laughs” attack or XXE of a huge file
(/dev/random or c:pagefile)
unpacking large low entropy data
regex, globbing and other text processing
functionality
asynchronous/heavy functionality invocation
API request flooding
slow HTTP - thread/socket exhaustion