OWASP OTG-configuration (OWASP Thailand chapter november 2015)

OTG-CONFIG
OWASP Thailand Chapter (26th November 2015)

OWASP Testing Guide: Configuration and Deployment Management Testing 2
Who am I
• Noppadol Songsakaew
- IT security enthusiastic
- gamer (play on smartphone)
- book reader (IT, Chinese novel)
• Work
Senior Associate at PwC (Thailand)

Who is this talk for ?
• Developers
• Software Testers
• Security Guys
• Project Managers sir!
• Anyone who interesting in IT security

Objective of this talk
To build the testing knowledge of :
• Network & Infrastructure configuration
• Web server configuration
• Sensitive data handling
• Application protocol
• Cross domain policy

and Why would you care ?
Only one broken chain link will let the malicious user compromise
your servers.

“You can’t build a secure application without
performing security testing on it. Testing is part
of a wider approach to building a secure
system.”
- Eoin Keary, OWASP Global Board
What is OWASP Testing Guide

Agenda
1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)
2. Test Application Platform Configuration (OTG-CONFIG-002)
3. Test File Extensions Handling for Sensitive Information (OTG-
CONFIG-003)
4. Review Old, Backup and Unreferenced Files for Sensitive
Information (OTG-CONFIG-004)
5. Enumerate Infrastructure and Application Admin Interfaces
(OTG-CONFIG-005)
6. Test HTTP Methods (OTG-CONFIG-006)
7. Test HTTP Strict Transport Security (OTG-CONFIG-007)
8. Test RIA cross domain policy (OTG-CONFIG-008)

1. Test Network/Infrastructure Configuration
(OTG-CONFIG-001)
Test Objectives
• To map the infrastructure supporting the
application and understand how it affects
the security of the application.

(OTG-CONFIG-001)
How to test
• Known Server Vulnerabilities
– Not all software vendors disclose vulnerabilities in a public way.
– Beware false positive from automate scanning tool.
– Backporting patch
Tools
OpenVAS, Nessus, Core Impact, Nexpose

(OTG-CONFIG-001)
How to test
(https://exchange.xforce.ibmcloud.com)

(OTG-CONFIG-001)
How to test
(https://www.cvedetails.com)

(OTG-CONFIG-001)
How to test
• Review a software components
– Configuration files will tell you which modules are enable or disable
• Administrative tools
– All web server allowed administrator to manage a web server by
different ways such as plain text configuration files (in the Apache,
nginx) or use operating-system GUI tools (Microsoft’s IIS server).
– Determine the mechanisms that control access to these interfaces and
their associated susceptibilities.

2. Test Application Platform Configuration
(OTG-CONFIG-002)
Test Objectives
• To assess the default configuration of
installed web server and remove
unnecessary files (application examples files,
documentation files, test pages)

(OTG-CONFIG-002)
How to test
• Sample and known files and directories
• Configuration review
– Check privilege of minimized privileges in the operating system
– SSL Protocol Configuration
– Errors Pages Configuration
– Make sure the server software properly logs both legitimate access
and errors.

(OTG-CONFIG-002)
How to test
• Logging
– Do the logs contain sensitive information?
– Are the logs stored in a dedicated server?
– Can log usage generate a Denial of Service condition?
– How are they rotated? Are logs kept for the sufficient time?
– How are logs reviewed? Can administrators use these reviews to
detect targeted attacks?
– How are log backups preserved?
– Is the data being logged data validated (min/max length, chars etc)
prior to being logged?

3. Test File Extensions Handling for Sensitive
Test Objectives
• To test the behaviour of each extension to
assess that when users access our pages
what kind of information display to users

How to test
• Forced browsing
Example:
The tester has identified the existence of a file named
connection.inc. Trying to access it directly gives back its contents,
which is

How to test
• Make sure you check all below file extensions:
.zip, .tar, .gz, .tgz, .rar: (Compressed) archive files
.java: No reason to provide access to Java source files
.txt: Text files
.pdf: PDF documents
.docx, .rtf, .xls, .pptx,: Office documents
.bak, .old and other extensions indicative of backup files

Example:

4. Review Old Backup and Unreferenced Files for
Sensitive Information (OTG-CONFIG-004)
Test Objectives
• To find sensitive information from files that
left on a server

How to test
• Check from the public contents
- Comment in source-code
- Java script connected to related page
-/robots.txt

How to test
• Blind guessing
- For example, if a page ’viewuser.asp’ is found, then look also
for ‘edituser.aspx’.
- If ‘/app/user’ is found, then an attacker will look also
for ’/app/admin’ and ‘/app/manager’.
- Using Dictionary or brute forcing a directory paths and files on a
web server
Tools
‘Wfuzz’, ‘Burp (Intruder)’, ‘ZAP’

How to test
• Information obtained through server
vulnerabilities and misconfiguration
- Directory listing Vulnerability

5. Enumerate Infrastructure and Application
Admin Interfaces (OTG-CONFIG-005)
Test Objectives
• To discover administrator interfaces and
accessing functionalities intended for the
privileged users.

How to test
- Reviewing server and application documentation
- Directory and file enumeration by searching for: /admin or
/administrator
- Publicly available information. Many applications such as
wordpress have default administrative interfaces.
- Alternative server port. Administration interfaces may be seen
on a different port on the host than the main application. For
example, Apache Tomcat's Administration interface can often be
seen on port 8080.
- Clue from cookie information:

Test Objectives
• To check that how a web server handles
different type of HTTP Methods

What is HTTP Methods
The method that indicates the desired action to be performed on the
identified resource at the web server.

to indicate the desired action to be performed on the identified resource.
There are 8 methods in HTTP /1.1
1) GET: Requests a representation of the specified resource.
2) POST: Requests that a web server accepts and stores the data enclosed
in the body of the request message.
3) HEAD : Request a resource and response identical to the one that would
correspond to a GET request, but without the response body
4) PUT : This method allows a client to upload new files on the web server.

The method that indicates the desired action to be performed on the
identified resource at the web server.
There are 8 methods in HTTP /1.1 (cont..)
5) DELETE: This method allows a client to delete a file on the web server.
6) TRACE: This method simply echoes back to the client whatever string has
been sent to the server, and is used mainly for debugging purposes.
7) OPTIONS: The OPTIONS method returns the HTTP methods that the
server supports for the specified URL
8) CONNECT: This method could allow a client to use the web server as a
proxy

How to test
- Using ‘Nmap’ to list supported methods

How to test
- Using ‘netcat’

7. Test HTTP Strict Transport Security
(OTG-CONFIG-007)
Test Objectives
• To verify that a web server always exchange
an information with web browser over
HTTPS.

(OTG-CONFIG-007)
How to test
• Testing for the presence of HSTS header can be done by checking for the
existence of the HSTS header in the server's response in an interception
proxy, or by using curl as follows:
curl –D https://facebook.com
• Expected result:

(OTG-CONFIG-007)
Example
When the expiration time specified by the Strict-Transport-Security header
elapses, the next attempt to load the site via HTTP will proceed as normal
instead of automatically using HTTPS.

8. Test RIA cross domain policy
(OTG-CONFIG-008)
What is RIA?
RIA (Rich Internet Application) is a Web application that has many of the
characteristics of desktop application software, typically delivered by way
of a site-specific browser, a browser plug-in, extensive use of JavaScript.
Example of RIA:
Adobe Flash, JavaFX, and Microsoft Silverlight.

(OTG-CONFIG-008)
What is cross domain policy?
• A cross-domain policy file ("crossdomain.xml" in Flash and
"clientaccesspolicy.xml" in Silverlight) defines a whitelist of domains
from which a server is allowed to make cross-domain requests. When
making a cross-domain request, the Flash or Silverlight client will first
look for the policy file on the target server. If it is found, and the domain
hosting the application is explicitly allowed to make requests, the
request is made.
• The crossdomain.xml file is normally present on the root of the web
server.

(OTG-CONFIG-008)
How cross domain policy really works?
For example:

(OTG-CONFIG-008)
How to test
To test for RIA policy file weakness the tester should try to retrieve the
policy files crossdomain.xml and clientaccesspolicy.xml from the
application's root, and from every folder found.
Browse to : http://www.example.com/crossdomain.xml

OWASP OTG-configuration (OWASP Thailand chapter november 2015)

OWASP OTG-configuration (OWASP Thailand chapter november 2015)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to OWASP OTG-configuration (OWASP Thailand chapter november 2015)

Similar to OWASP OTG-configuration (OWASP Thailand chapter november 2015) (20)

Recently uploaded

Recently uploaded (20)

OWASP OTG-configuration (OWASP Thailand chapter november 2015)