LPTv4 Module 28 Application Penetration Testing_NoRestriction
ECSA/LPT
EC-Council Module XXVIII
Application Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont’d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont’d)
Cont’d
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
Application Testing
Software testing is an integral part of the software development process.
Application testing involves:
• Software application testing.
• Web application testing.
What is a Defect?
A defect is an abnormality or malfunction relative to the product specifications.
Example: if the specifications say that “spellcheck” is to be added to the mortgage application, and the final product does not include the “spellcheck” feature, then it is a defect.
Defects vs. Failures
A defect is incorporated into the software application system.
A defect that causes an error in operation or negatively impacts a user/customer is called a failure.
Defect Ratio
It is estimated that leading software developers were producing software with production defect rates of one defect per 30,000 lines of source code.
Requirements and Design Testing
Test the following:
• Who can access the program?
• Are there different classes of users?
• Does each class of user have the correct functionality?
• Can a user of one class obtain additional privileges?
Web Applications Penetration Testing
Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.
What is a Web Application?
A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.
Web Application Penetration Testing Steps
1 • Fingerprinting the web application environment
2 • Investigate the output from HEAD and OPTIONS HTTP requests
3 • Investigate the format and wording of 404/other error pages
4 • Test for recognized file types/extensions/directories
5 • Examine source of available pages
6 • Manipulate inputs in order to elicit a scripting error
7 • Test inner working of a web application
8 • Test database connectivity
9 • Test the application code
10 • Testing the use of GET and POST in web application
11 • Test for parameter-tampering attacks on website
12 • Test for URL manipulation
13 • Test for cross site scripting
14 • Test for hidden fields
15 • Test cookie attacks
16 • Test for buffer overflows
17 • Test for bad data
18 • Test client-side scripting
19 • Test for known vulnerabilities
20 • Test for race conditions
21 • Test with user protection via browser settings
22 • Test for command execution vulnerability
23 • Test for SQL injection attacks
24 • Test for blind SQL injection
25 • Test for session fixation attack
26 • Test for session hijacking
27 • Test for XPath injection attack
28 • Test for server side include injection attack
29 • Test for logic flaws
30 • Test for binary attacks
31 • Test for XML structural
32 • Test for XML content-level
33 • Test for WS HTTP GET parameters/REST attacks
34 • Test for naughty SOAP attachments
35 • Test for WS replay
Step 1: Fingerprinting the Web Application Environment
One of the first steps of the penetration test should be to identify the web application environment, including the scripting language and web server software in use, and the operating system of the target server.
Step 2: Investigate the Output from HEAD and OPTIONS HTTP Requests
The header and any page returned from a HEAD or OPTIONS request will usually contain a SERVER: string or similar detailing the web server software version and possibly the scripting environment or operating system in use.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 Jun 2003 11:02:45 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private
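The response above is what a tester reads by eye; as an added example (not from the EC-Council module), the following parses such a response and reports what a hardening review would flag: a version number in the Server header, platform-disclosing headers, and risky methods advertised in Allow/Public. The sample response is the slide's own, reconstructed by hand; the lists of risky methods and disclosing headers are this example's assumptions.

```python
"""Check an HTTP OPTIONS/HEAD response for information and method exposure."""
import re

# Constructed sample: the IIS 5.0 OPTIONS response shown on the slide.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 Jun 2003 11:02:45 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private
"""

# Assumed policy: methods that an ordinary content server should not expose.
RISKY_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH",
                 "PROPFIND", "LOCK", "UNLOCK", "SEARCH", "TRACE"}
# Headers that commonly disclose the platform (assumed list).
DISCLOSING_HEADERS = ("x-powered-by", "x-aspnet-version", "ms-author-via", "dav", "dasl")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def methods_in(header_value):
    """Turn 'GET, HEAD, PUT' into {'GET', 'HEAD', 'PUT'}."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def audit_headers(raw):
    """Return the findings a hardening review would raise for this response."""
    _, headers = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    # A version number after a slash is the classic fingerprinting giveaway.
    if re.search(r"/\d", server):
        findings.append(f"server version disclosed: {server}")
    for name in DISCLOSING_HEADERS:
        if name in headers:
            findings.append(f"platform-disclosing header present: {name}: {headers[name]}")
    for name in ("allow", "public"):
        if name in headers:
            exposed = methods_in(headers[name]) & RISKY_METHODS
            if exposed:
                findings.append(f"{name} advertises risky methods: {', '.join(sorted(exposed))}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("-", finding)
```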
Step 3: Investigate the Format and Wording of 404/Other Error Pages
Some application environments (such as ColdFusion) have customized, and therefore easily recognizable, error pages, and will often give away the software versions of the scripting language in use.
Step 4: Test for Recognized File Types/Extensions/Directories
Many web servers (such as Microsoft IIS) will react differently to a request for a known and supported file extension than to a request for an unknown extension.
The tester should attempt to request common file extensions such as .ASP, .HTM, .PHP, .EXE and watch for any unusual output or error codes.
GET /blah.idq HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 Jun 2003 11:12:24 GMT
Content-Type: text/html

<HTML>The IDQ file blah.idq could not be found
Step 5: Examine Source of Available Pages
The source code from the immediately accessible pages of the application front-end may give clues as to the underlying application environment.
<title>Home Page</title>
<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
Step 6: Manipulate Inputs in Order to Elicit a Scripting Error
In the example below, the most obvious variable (ItemID) has been manipulated to fingerprint the web application environment:
Step 7: Test Inner Working of a Web Application
JavaScript and other client-side code can also provide many clues as to the inner workings of a web application.
<INPUT TYPE="SUBMIT" onClick="if (document.forms['product'].elements['quantity'].value >= 255) {document.forms['product'].elements['quantity'].value=''; alert('Invalid quantity'); return false;} else {return true;}">
This suggests that the application is trying to protect the form handler from quantity values of 255 or more - the maximum value of a tinyint field in most database systems.
Step 8: Test Database Connectivity
Applications may require access to servers such as databases.
Access rights should be limited to the minimum rights required.
Access rights should be limited to the duration for which access is necessary.
Check whether the target application has “administrator” (unrestricted) access rights.
Step 9: Test the Application Code
Test for backdoors:
• Backdoors may be created by the developers to facilitate debugging and troubleshooting.
Test for exception handling and failure notification.
Test for login IDs and passwords.
Check for the misuse of superuser accounts.
Step 9: Test the Application Code (cont’d)
Look for IDs and passwords “in the clear” when connecting to and accessing servers, directories, databases, and other resources.
Test for comments in the HTML code that might reveal user ID and password information, code paths, or directory and executable file names.
Test for error messages that reveal server name, root directory name, or other pertinent information about the servers.
Random Numbers vs. Unique Numbers
Check for random and unique numbers.
Developers sometimes will use a random number when what they really want is a unique number.
It is important to distinguish between these two concepts.
In randomness, the same number may come up several times.
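As an added example (not part of the module), the following makes the random-versus-unique distinction concrete: identifiers drawn from a small random space repeat, a sequence is unique but predictable, a CSPRNG token is both, and an allocator that enforces uniqueness explicitly (as a database UNIQUE constraint would) must also cope with exhaustion. The seeds and space sizes are constructed demo values.

```python
"""Random numbers are not unique numbers."""
import itertools
import random
import secrets


def has_duplicates(values):
    return len(set(values)) != len(values)


def random_ids(count, space, seed=1):
    """'Random' order numbers from a small space: repeats are possible, and
    with count > space the pigeonhole principle guarantees one."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    return [rng.randint(1, space) for _ in range(count)]


def sequential_ids(count, start=1):
    """Unique but predictable: fine for invoice numbers, never for session IDs."""
    return list(itertools.islice(itertools.count(start), count))


def session_ids(count):
    """Unique for all practical purposes and unpredictable: 128 bits from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(count)]


class UniqueAllocator:
    """Hands out each value of a small space at most once, the way a UNIQUE
    column does, and refuses to spin forever once the space is used up."""

    def __init__(self, space, seed=1):
        self.space = space
        self.rng = random.Random(seed)
        self.issued = set()

    def allocate(self):
        if len(self.issued) >= self.space:
            raise RuntimeError("identifier space exhausted")
        while True:
            candidate = self.rng.randint(1, self.space)
            if candidate not in self.issued:
                self.issued.add(candidate)
                return candidate
```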
Step 10: Testing the Use of GET and POST in Web Applications
When a user clicks on a link in the page to go to an externally linked website, the browser will send the URL information to the linked site as part of the Referer information.
Sensitive information is leaked in GET requests.
POST commands use the HTTP body to handle information.
The information is hidden from view during POST.
Use POST instead of GET.
Step 11: Test for Parameter-Tampering Attacks on Website
Try to manipulate the URL strings to retrieve sensitive information:
• Example: By visiting www.xsecurity.com/bank_acct001.pdf, you can retrieve a report on your bank account activities.
• What happens if you replace bank_acct001.pdf by bank_acct002.pdf? Will you be able to get a report for another savings account for which you do not have authorization?
Step 12: Test for URL Manipulation
Modify the URL of the website by trying different values.
Example:
• http://targetsite/forum/?cat=2
• http://targetsite/forum/?cat=6
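Steps 11 and 12 both come down to the server trusting the reference in the URL instead of checking who owns what it points to. As an added example (not from the module), the following shows the handler that only checks existence beside one that maps the reference to its owner and logs a mismatch; the owner table, users and forum categories are constructed sample data, and the path shape follows the bank_acctNNN.pdf example on the slide.

```python
"""Server-side ownership checks for object references taken from the URL."""
import re

# Constructed sample data: which user owns which report, and who may read which category.
REPORT_OWNERS = {
    "bank_acct001.pdf": "alice",
    "bank_acct002.pdf": "bob",
}
FORUM_CATEGORIES = {
    2: {"public": True, "members": set()},
    6: {"public": False, "members": {"alice"}},
}
PATH_RE = re.compile(r"^/(bank_acct\d{3}\.pdf)$")

audit_log = []  # a tampered reference from a logged-in user is a strong detection signal


def fetch_report_vulnerable(path, user):
    """Pattern under test: any authenticated user can read any report that exists."""
    m = PATH_RE.match(path)
    if not m or m.group(1) not in REPORT_OWNERS:
        return 404
    return 200


def fetch_report(path, user):
    """Resolve the reference to its owner and compare with the caller."""
    m = PATH_RE.match(path)
    if not m:
        return 404  # also rejects traversal and unexpected names
    name = m.group(1)
    owner = REPORT_OWNERS.get(name)
    if owner is None:
        return 404
    if owner != user:
        audit_log.append(f"IDOR attempt: user={user} requested {name} owned by {owner}")
        return 403
    return 200


def view_category(cat, user):
    """Step 12 style ?cat=N manipulation: check membership, not just existence."""
    meta = FORUM_CATEGORIES.get(cat)
    if meta is None:
        return 404
    if meta["public"] or user in meta["members"]:
        return 200
    return 403
```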
Step 13: Test for Cross Site Scripting
Inject code by breaking out of the <h1> tag: http://www.targetsite.com/page.asp?pageid=10&lang=en&title=Section%20Title</h1><script>alert(‘XSS%20attack’)</script>
Use the TamperIE tool to intercept the client's GET and POST requests, which will bypass client-side JavaScript input validation code.
Tools used:
• Paros proxy (www.parosproxy.org)
• Fiddler (www.fiddlertool.com/fiddler)
• Burp proxy (www.portswigger.net/proxy/)
• TamperIE (www.bayden.com/dl/TamperIESetup.exe)
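As an added example (not from the module), the following takes the slide's own URL, extracts the title parameter the way the server would see it, and contrasts the concatenating template that lets the tag break-out through with one that encodes for the HTML context. The page template itself is an assumption; only the URL and payload come from the slide.

```python
"""Output encoding stops the <h1> break-out shown in Step 13."""
import html
from urllib.parse import parse_qs, urlsplit

# The slide's URL (the apostrophes are plain ASCII here, as a browser would send them).
SLIDE_URL = ("http://www.targetsite.com/page.asp?pageid=10&lang=en"
             "&title=Section%20Title</h1><script>alert('XSS%20attack')</script>")


def title_param(url):
    """Extract the title= value as the server sees it (percent-decoded)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("title", [""])[0]


def render_title_unsafe(title):
    # Pattern under test: the parameter is reflected straight into markup.
    return "<h1>" + title + "</h1>"


def render_title(title):
    # Encode for the HTML text context; quote=True also covers attribute contexts.
    return "<h1>" + html.escape(title, quote=True) + "</h1>"


def contains_script_tag(markup):
    """Crude check used here only to show the difference between the two renderers."""
    return "<script" in markup.lower()
```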
Step 14: Test for Hidden Fields
Hidden fields sometimes carry sensitive data.
Example: Pricing information
Try to view the source, change the price of an item, and then save the HTML on the client-side to see if the server will use that value to calculate the total.
<FORM METHOD="LINK" ACTION="/shop/checkout.htm">
<INPUT TYPE="HIDDEN" name="quoteprice" value="4.25">
Quantity: <INPUT TYPE="text" NAME="totalnum">
<INPUT TYPE="submit" VALUE="Checkout">
</FORM>
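The quantity check in Step 7 and the hidden quoteprice field here fail the same way: the server believes a value the client controls. As an added example (not from the module), the following checkout handler takes the price from a server-side catalog and re-validates the quantity range that the client-side script only hinted at; the catalog and the item field are constructed, while quoteprice and totalnum are the slide's field names.

```python
"""Server-side validation for the Step 7 quantity check and the Step 14 hidden price."""
from decimal import Decimal

# Constructed catalog: the server's price list is the only source of truth.
CATALOG = {"widget": Decimal("4.25")}
TINYINT_MAX = 255  # the limit the client-side script on the slide was guarding


class CheckoutError(ValueError):
    pass


def checkout_trusting_client(form):
    """Pattern under test: the hidden field decides the price, nothing checks quantity."""
    price = Decimal(form["quoteprice"])
    qty = int(form["totalnum"])
    return price * qty


def checkout(form, catalog=CATALOG):
    """Ignore any client-supplied price; re-validate the quantity on the server."""
    item = form.get("item")
    if item not in catalog:
        raise CheckoutError("unknown item")
    try:
        qty = int(form.get("totalnum", ""))
    except ValueError:
        raise CheckoutError("quantity is not an integer")
    if not 1 <= qty < TINYINT_MAX:
        # Same rule as the client-side script, but it cannot be bypassed by editing the form.
        raise CheckoutError("quantity out of range")
    return catalog[item] * qty
```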
Step 15: Test Cookie Attacks
By changing the values in cookies, attackers might be able to gain access to accounts that they do not own.
Stealing a user’s cookie might enable the attacker to access an account without having to use authentication.
Set-Cookie: PASSWORD=g0d; path=/; expires=Friday, 20-Jul-03 23:23:23 GMT
Step 16: Test for Buffer Overflows
The goal of testing for a buffer overflow is to show that sending too much data to the program will cause the program to behave in an unexpected manner.
How do you test for buffer overflow?
• You send very large amounts of data to the buffer.
• Using cut-and-paste is one way to generate large amounts of data.
Step 17: Test for Bad Data
For example, entering </body></html> into an application as your name may work, and this name is stored into the database.
When the database produces reports that are to be viewed with a browser, these reports are broken.
Step 18: Test Client-Side Scripting
Capture the URL after a valid logon.
Launch a new browser and use the captured URL to go to the page that you supposedly must go through proper authentication to reach.
See if you can get in.
Step 19: Test for Known Vulnerabilities
Test for known vulnerabilities in third-party software used in the web applications.
Use Bugtraq to monitor these vulnerabilities.
Step 20: Test for Race Conditions
Applications can use multiple threads to achieve concurrent processing.
Test for these in applications.
Step 21: Test with User Protection via Browser Settings
Browser settings can limit exposure to harmful Internet content.
How would the setting of type of content affect your application?
For example, if cookie handling is disabled, will your application still work?
Step 22: Test for Command Execution Vulnerability
When a web application does not properly sanitize user-supplied input before using it within application code, it may be possible to trick the application into executing operating system commands.
The executed commands will run with the same permissions as the component that executed the command (e.g. database server, web application server, web server, etc.).
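As an added example (not from the module), the following shows the two halves of the finding above: a command line built by concatenating input, which a shell would interpret, beside a handler that validates the value against a hostname grammar and passes an argument vector to the process without any shell. The ping lookup is a constructed scenario and the hostname pattern is this example's assumption.

```python
"""Building an OS command from user input without handing it to a shell."""
import re
import subprocess

# Assumed grammar: DNS-style labels, alphanumeric at both ends, dot separated.
# A leading '-' fails too, which also blocks option injection into the command.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_shell_command_unsafe(host):
    """Pattern under test: input concatenated into a line that /bin/sh would parse.
    Returns the string only; nothing is executed here."""
    return "ping -c 1 " + host


def validate_hostname(host):
    return bool(HOSTNAME_RE.match(host))


def build_argv(host):
    """Validate first, then build an argument vector: no shell parsing happens at all."""
    if not validate_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Runs with shell=False (the default), so metacharacters in host have no meaning.
    Not exercised by the test; it only shows how build_argv is meant to be used."""
    result = subprocess.run(build_argv(host), capture_output=True, timeout=timeout, check=False)
    return result.returncode
```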
Step 23: Test for SQL Injection Attacks
SQL injection happens when a developer accepts user input that is directly placed into a SQL statement and does not properly filter out dangerous characters.
This can allow an attacker to not only steal data from your database, but also modify and delete it.
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
/wasc.asp, line 69
Step 24: Test for Blind SQL Injection
When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect.
Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead.
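As an added example covering Steps 23 and 24 (not from the module), the following runs a string-built query and a parameterized one against a constructed sqlite3 table, and wraps them in a handler that logs database errors server-side and returns a generic page. The generic page is what hides the error in the blind case, but it is the parameter binding that removes the injection; the table, rows and payload are constructed.

```python
"""String-built query versus parameterized query, with error handling that does not leak."""
import sqlite3

SERVER_LOG = []  # where raw database errors belong, instead of the HTTP response


def setup():
    """Constructed in-memory table with two sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def lookup_unsafe(db, name):
    """Pattern under test: user input placed directly into the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup(db, name):
    """Parameterized: the value is bound as data and cannot alter the statement."""
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


def handle_request(db, name, safe=True):
    """Return (status, body). Database errors are logged, never echoed."""
    try:
        rows = lookup(db, name) if safe else lookup_unsafe(db, name)
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"db error for name={name!r}: {exc}")
        return 500, "Something went wrong."
    return 200, ", ".join(rows) if rows else "no such user"
```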
Step 25: Test for Session Fixation Attack
Session fixation is an attack technique that forces a user's session ID to an explicit value.
Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value.
These techniques range from cross-site scripting exploits to peppering the website with previously made HTTP requests.
After a user's session ID has been fixed, the attacker will wait for him or her to login.
Once the user does so, the attacker uses the predefined session ID value to assume his or her online identity.
Step 26: Test for Session Hijacking
Locate target user, find the active session, and track it.
Assume the sequence number (blind hijacking).
Check whether decommissioning the host (DoS) is caused.
Hijack the session.
Resume the session after finishing the hijack.
Tools used for session hijacking:
• Juggernaut
• Hunt
• TTY Watcher
• T-Sight
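Steps 15, 25 and 26 test the same session mechanism from three sides. As an added example (not from the module), the following in-memory session store shows the properties that make those tests fail: server-generated random IDs instead of the PASSWORD=g0d cookie, an ID that is never accepted unless the server issued it and is rotated at login (fixation), and a session that is dropped when the cookie arrives from a different client or after an idle timeout (hijacking). The store, the client fingerprint and the timeout are constructed; binding to a fingerprint is a heuristic, not a complete defence.

```python
"""Session handling that resists the cookie, fixation and hijacking tests."""
import hmac
import secrets
import time

# The slide's cookie: the secret itself travels in the cookie, so whoever reads
# or guesses it owns the account. Kept only as the anti-pattern to contrast with.
SLIDE_COOKIE = "PASSWORD=g0d; path=/; expires=Friday, 20-Jul-03 23:23:23 GMT"

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> {"user": str | None, "client": str, "last": float}

    def _new_sid(self):
        return secrets.token_urlsafe(32)  # 256 random bits: not guessable, not sequential

    def start(self, client_fingerprint):
        """Anonymous session, always server-generated. A client-presented ID that
        is not in the store is simply unknown, which is what defeats fixation."""
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "client": client_fingerprint, "last": self._clock()}
        return sid

    def login(self, presented_sid, user, client_fingerprint):
        """Rotate the ID on privilege change: an ID planted before login is now worthless."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_sid()
        self._sessions[sid] = {"user": user, "client": client_fingerprint, "last": self._clock()}
        return sid

    def resolve(self, presented_sid, client_fingerprint):
        """Return the user for a cookie, or None if it is unknown, idle too long,
        or presented from a different client than the one it was issued to."""
        rec = self._sessions.get(presented_sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last"] > IDLE_TIMEOUT:
            del self._sessions[presented_sid]
            return None
        if not hmac.compare_digest(rec["client"], client_fingerprint):
            # Same cookie from another client: treat as a hijack and kill the session.
            del self._sessions[presented_sid]
            return None
        rec["last"] = now
        return rec["user"]

    def logout(self, presented_sid):
        self._sessions.pop(presented_sid, None)
```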
Step 27: Test for XPath Injection Attack
XPath Injection is an attack technique used to exploit websites that construct XPath queries from user-supplied input.
XPath 1.0 is a language used to refer to parts of an XML document. It can be used directly by an application to query an XML document, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document.
The syntax of XPath bears some resemblance to an SQL query, and indeed, it is possible to form SQL-like queries on an XML document using XPath.
Step 28: Test for Server Side Include Injection Attack
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.
Step 29: Test for Logic Flaws
A logic flaw is a failure in the web application's logic to correctly perform conditional branching or apply security.
<?php
$a = false;
$b = true;
$c = false;
// && binds tighter than ||, so this reads as ($b && $c) || ($a && $c) || $b and prints "True"
if ($b && $c || $a && $c || $b) echo "True";
else echo "False";
?>
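As an added example (not from the module), the following restates the precedence point of the PHP snippet in Python, whose and/or bind the same way, and then applies it to an access decision: the unparenthesized rule admits a caller who is not authenticated at all. The access-rule scenario and its four inputs are constructed; find_divergences enumerates every input combination, the table a reviewer builds when checking branching logic.

```python
"""Operator precedence as a logic flaw, restated in Python."""


def slide_expression(a=False, b=True, c=False):
    """Same shape as the slide's PHP condition; 'and' binds tighter than 'or'."""
    return b and c or a and c or b


def check_access_flawed(is_owner, is_admin, resource_public, authenticated):
    """Intended rule: 'authenticated and (owner or admin)', or the resource is public.
    Written without parentheses, the trailing 'or is_admin' stands alone, so an
    unauthenticated caller whose request claims admin is let through."""
    return authenticated and is_owner or resource_public or is_admin


def check_access(is_owner, is_admin, resource_public, authenticated):
    """The intended rule, with the grouping made explicit."""
    return (authenticated and (is_owner or is_admin)) or resource_public


def find_divergences():
    """All 16 input combinations (owner, admin, public, authenticated) on which
    the flawed and intended rules disagree."""
    diffs = []
    for bits in range(16):
        args = tuple(bool(bits >> i & 1) for i in range(4))
        if check_access_flawed(*args) != check_access(*args):
            diffs.append(args)
    return diffs
```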
Step 30: Test for Binary Attacks
Web applications developed in a language that employs static buffers (such as C/C++) may be vulnerable to traditional binary attacks such as format string bugs and buffer overflows.
Format string attacks occur when certain C functions process inputs containing formatting characters (%).
Example:
• printf/fprintf/sprintf, syslog() and setproctitle() functions
Step 31: Test for XML Structural
Create structured XML documents to build a denial of service attack by overloading the XML parser.
Send large or malformed XML messages to the server.
Check all the parameters being validated, such as:
• Enumeration.
• fractionDigits.
• Length.
• maxExclusive.
• maxInclusive.
• maxLength.
• minExclusive.
• minInclusive.
• minLength.
• Pattern.
• totalDigits.
• whiteSpace.
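The schema facets listed above bound content; the structural overload in the first bullet needs a bound on the document itself. As an added example (not from the module), the following checks size, element count and nesting depth with the standard library's streaming parser, so an oversized or deeply nested message is rejected before it is parsed whole. The limits are constructed policy values and the sample documents are built inline; entity expansion is a separate concern that this check does not cover.

```python
"""Bounding XML structure before the parser commits resources to it."""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed policy values
MAX_DEPTH = 20
MAX_ELEMENTS = 10_000


class XmlPolicyError(ValueError):
    pass


def check_xml(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Return (max depth, element count) for a document within policy; raise otherwise.
    Structure only: a parser that refuses DTDs is still needed against entity expansion."""
    if len(data) > max_bytes:
        raise XmlPolicyError(f"document exceeds {max_bytes} bytes")
    depth = max_seen = count = 0
    try:
        # iterparse streams start/end events, so the check runs as the bytes are read.
        for event, _ in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > max_depth:
                    raise XmlPolicyError(f"nesting deeper than {max_depth}")
                if count > max_elements:
                    raise XmlPolicyError(f"more than {max_elements} elements")
                max_seen = max(max_seen, depth)
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlPolicyError(f"malformed XML: {exc}")
    return max_seen, count


def nested_document(levels):
    """Constructed sample: <a><a>...</a></a> nested `levels` deep."""
    return ("<a>" * levels + "</a>" * levels).encode()
```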
Step 32: Test for XML Content-level
Test the web service definition language with the WebScarab tool.
Modify the parameter’s data based on the WSDL’s definition for the parameter.
Check whether you can use the web service with escalated privileges.
Step 33: Test for WS HTTP GET Parameters/REST Attacks
Test HTTP GET query string:
• https://www.targetsite.com/accountinfo?accountnumber=1234567&userId=aci9485jfuhe92
Result of this string:
• <?xml version="1.0" encoding="ISO-8859-1"?> <Account="1234567"> <balance>€100</balance> <body>Bank of Targetsite account info</body> </Account>
Step 33: Test for WS HTTP GET Parameters/REST Attacks (cont’d)
Now test this vector:
• https://www.targetsite.com/accountinfo?accountnumber=1234567'exec master..xp_cmdshell 'net user Vxr pass /Add&userId=asi9485jfuhe92
Identify for the following:
• Maximum length and minimum length
• Validate payload
• Implement “exact match", "known good" and "known bad" in order
• Validate parameter names and existence
Step 34: Test for Malicious SOAP Attachments
Search the web service definition language (WSDL) for services that accept attachments.
Attach and post a SOAP message with a non-destructive virus like EICAR.
Set the parameter ‘true’ in the SOAP response with the UploadFileResult, which varies on each service.
Store the EICAR test virus file on the host’s server and redistribute it as a PDF.
Step 35: Test for WS Replay
Install WebScarab and use it as a proxy to capture the HTTP traffic.
Using the packets captured by Ethereal, use TCPReplay to initiate the replay attack by reposting the packet.
Resend the original message or change the message to determine the host server.
Capture many packets within an estimated time to determine session ID patterns in order to assume a valid session ID for the replay attack.
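A reposted message is byte-for-byte the one the server already accepted, so the replay test passes against any service that does not remember what it has seen. As an added example (not from the module), the following gives each message a client nonce and a timestamp, authenticates both under an HMAC over the body, and rejects a repeated nonce inside the acceptance window; the key, clock, window and message format are all constructed.

```python
"""Detecting a reposted (replayed) web-service message."""
import hashlib
import hmac
import json
import time

KEY = b"constructed-shared-secret"  # demo value only
WINDOW = 300  # seconds a message stays acceptable; assumed policy value


def sign(body, key=KEY):
    """HMAC over a canonical JSON encoding, so nonce and timestamp are covered."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_message(payload, nonce, ts, key=KEY):
    """Client side: body plus its MAC (constructed message format)."""
    body = {"payload": payload, "nonce": nonce, "ts": ts}
    return {"body": body, "mac": sign(body, key)}


class ReplayGuard:
    def __init__(self, clock=time.time, key=KEY, window=WINDOW):
        self._clock, self._key, self._window = clock, key, window
        self._seen = {}  # nonce -> time first accepted

    def _expire(self, now):
        """Drop nonces older than the window; the timestamp check rejects those anyway."""
        for nonce, first in list(self._seen.items()):
            if now - first > self._window:
                del self._seen[nonce]

    def accept(self, msg):
        """Return 'ok' or a rejection reason. The MAC is checked first so that
        unauthenticated traffic cannot fill the nonce cache."""
        body = msg["body"]
        if not hmac.compare_digest(sign(body, self._key), msg["mac"]):
            return "bad mac"
        now = self._clock()
        if abs(now - body["ts"]) > self._window:
            return "stale timestamp"
        self._expire(now)
        if body["nonce"] in self._seen:
            return "replay"
        self._seen[body["nonce"]] = now
        return "ok"
```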
Testing Tools
AtStake WebProxy
SPIKE Proxy
WebserverFP
KSES
Mieliekoek.pl
Sleuth
Webgoat
AppScan
AtStake WebProxy
WebProxy sits between the client browser and the web application, capturing and decoding requests to allow the developer to analyze user interactions, study exploit techniques, and manipulate requests on-the-fly.
http://www.atstake.com/webproxy
SPIKE Proxy
SPIKE proxy functions as an HTTP/HTTPS proxy and allows the blackbox tester to automate a number of web application vulnerability tests (including SQL injection, directory traversal and brute-force attacks).
http://www.immunitysec.com/spike.html
WebserverFP
WebserverFP is an HTTPD fingerprinting tool that uses values and formatting within server responses to determine the web server software in use.
http://www.astralclinic.com
KSES/ Mieliekoek.pl
KSES:
• KSES is an HTML security filter written in PHP. It filters all 'nasty' HTML elements and helps to prevent input validation issues such as XSS and SQL Injection attacks.
• http://sourceforge.net/projects/kses
Mieliekoek.pl:
• This tool, written by [email protected], will crawl through a collection of pages and scripts searching for potential SQL Injection issues.
• http://www.securityfocus.com/archive/101/257713
Sleuth
Sleuth is a commercial application for locating web application security vulnerabilities. It includes intercept proxy and web-spider features.
http://www.sandsprite.com/Sleuth
Webgoat
The OWASP Webgoat project aims to create an interactive learning environment for web application security.
It teaches developers, using practical exercises, the most common web application security and design flaws.
It is written in Java and installers are available for both *nix and Win32 systems.
http://www.owasp.org/development/webgoat
AppScan
AppScan is a commercial web application security testing tool developed by Sanctum Inc.
It includes features such as code sanitation, offline analysis, and automated scan scheduling.
http://www.sanctuminc.com/solutions/appscan/index.html
URL Scan
URL Scan is a plug-in for IIS that allows for request-based filtering (not signature-based) of incoming requests.
By enabling some of these filters, it is possible to prevent exploitation of known, or new unpublished, vulnerabilities.
Summary
Software testing is an integral part of the software development process.
Web application penetration testing provides the test results for:
• Environmental and inner workings of a web application.
• Database connectivity and application code.
• Hidden fields and cookie attacks.
• Buffer overflows and bad data.
• Client-side scripting and race conditions.
• Known vulnerabilities and command execution vulnerabilities.
• SQL injection and blind SQL attack.
• Session fixation and XPath injection attack.
• Logic flaws and binary attacks.