Introduction to Web Application Penetration Testing

Page 1: Introduction to Web Application Penetration Testing

Web Application Pentesting

Introduction to Web Application Pentest

Page 2: Introduction to Web Application Penetration Testing

Why do we need security?

We live in a connected world. The internet has changed everyday life all around the world by allowing almost constant real-time interaction. Suddenly, normal daily tasks, errands and communication can be handled 24/7, 365 days a year, from the comfort of our homes.

What started out as a streamlined way to communicate and share information has exploded into a way for businesses to market products, sell services, and to reach new customers through completely new avenues.

Page 3: Introduction to Web Application Penetration Testing

Why do we need security?

This gain in the ease of consuming services has also made it easier for those with less honest intentions to look for ways to exploit this new medium for gain and profit.

Much like a physical bank has to have security personnel, online markets need to be secured as well.

Page 4: Introduction to Web Application Penetration Testing

Important Terms to remember

The following are important terms that we will use in the course:

• SQL Injection: the insertion or "injection" of SQL syntax, via the input data sent from the client to the application, into a query the application builds, so that the attacker changes what the query does.

• Cross-site Scripting (XSS): a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites and then run in the victim's browser.

• Document Object Model (DOM): a programming interface for HTML, XML and SVG documents. It provides a structured representation of the document as a tree, which scripts in the page can read and modify.
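
As an added example of the SQL injection term above (this is not code from the original slides), the following Python script builds a login check two ways: by concatenating client input into the query, and with bound parameters. It runs offline against a constructed in-memory SQLite table; the user record, the function names and the two payloads are illustrative assumptions.

```python
import sqlite3


def make_user_db():
    """Constructed sample data (not from the slides): an in-memory SQLite
    table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: client input becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver passes the values as data, so a
    quote in the input can never terminate the string literal."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two classic payloads a tester tries against a login form (assumed inputs).
# 1. Close the username literal and comment out the password check.
#    "--" starts a comment in SQLite, PostgreSQL and MSSQL; MySQL also needs a
#    space after it, which the rest of the original query supplies here.
COMMENT_PAYLOAD = "alice'--"
# 2. Put a tautology in the password field so the WHERE clause is always true:
#    ... AND password = '' OR '1'='1'
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Runs valid credentials and both payloads through each login function."""
    conn = make_user_db()
    return {
        "valid credentials, vulnerable": login_vulnerable(conn, "alice", "correct horse battery"),
        "comment payload, vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "tautology payload, vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "comment payload, parameterized": login_parameterized(conn, COMMENT_PAYLOAD, "wrong"),
        "tautology payload, parameterized": login_parameterized(conn, "nobody", TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for case, authenticated in demo().items():
        print(f"{case}: {'authenticated' if authenticated else 'rejected'}")
```

The vulnerable function authenticates both payloads without knowing the password; the parameterized one treats `alice'--` as a literal username that does not exist and rejects both.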

Page 5: Introduction to Web Application Penetration Testing

Important Terms to remember

• Command Injection: an attack whose goal is to execute arbitrary commands on the host operating system via a vulnerable application, typically because user input is placed into a command line that is handed to a shell.

• File Inclusion: a vulnerability, most often found on websites, that allows an attacker to make a script on the web server include a file of the attacker's choosing, either from the server's own filesystem (local file inclusion) or, where the platform permits it, from a remote server (remote file inclusion).

• Code Injection: the attacker is able to inject code that is then interpreted and executed by the application itself (for example through an eval-style call), as opposed to being passed to the operating system.

• Frame Injection: an attack in which the attacker injects a frame (such as an iframe) into a page so that the victim's browser loads arbitrary attacker-chosen content inside the trusted site.
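
As an added example for the command injection term above (not from the original slides), the following Python code contrasts handing a user-supplied hostname to a shell with passing it as a single argv element, and adds an allowlist check in front. It uses `echo` as a stand-in for the real tool (ping, nslookup) so that it runs offline, and its outputs assume a POSIX sh (Linux or macOS); the function names, the hostname regex and the payloads are illustrative assumptions.

```python
import re
import subprocess

# Conservative hostname allowlist: RFC 1123 labels (letters, digits, hyphens)
# joined by dots, at most 253 characters. Assumed for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host):
    """shell=True hands the whole string to /bin/sh, so shell metacharacters
    inside `host` (; | & $() `...`) are interpreted as commands."""
    # `echo` stands in for the real tool (ping, nslookup, whois ...) so that
    # the example runs offline and is harmless.
    result = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def lookup_no_shell(host):
    """Passes an argv list: no shell is involved, so `host` reaches the
    program as exactly one argument whatever characters it contains."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def is_valid_hostname(host):
    return bool(HOSTNAME_RE.match(host))


def lookup_hardened(host):
    """Defense in depth: reject anything that is not a hostname, then avoid
    the shell entirely even for input that passed the check."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_no_shell(host)


# Constructed payloads: a command separator and a command substitution.
SEPARATOR_PAYLOAD = "8.8.8.8; echo INJECTED"
SUBSTITUTION_PAYLOAD = "$(echo INJECTED)"


if __name__ == "__main__":
    for payload in (SEPARATOR_PAYLOAD, SUBSTITUTION_PAYLOAD):
        print("shell=True  :", repr(lookup_vulnerable(payload)))
        print("argv list   :", repr(lookup_no_shell(payload)))
        try:
            lookup_hardened(payload)
        except ValueError as exc:
            print("hardened    :", exc)
```

With `shell=True` the separator payload prints two lines and the substitution payload prints only `INJECTED`; with the argv list both payloads are echoed back verbatim, and the hardened path never even reaches the subprocess.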

Page 6: Introduction to Web Application Penetration Testing

Important Terms to remember

• Response Splitting: an attack in which the attacker sends a single HTTP request, containing carriage-return and line-feed characters in a value that the application copies into a response header, which forces the web server to form an output stream that the target then interprets as two HTTP responses instead of one.

• Open Redirection: when an application takes a parameter and redirects the user to the parameter value without any validation, letting an attacker send victims from a trusted URL to a site of the attacker's choosing.

• Version Disclosure: when the web application discloses the web server or framework version details in the HTTP response headers (for example Server or X-Powered-By), which lets an attacker look up known vulnerabilities for that exact version.
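
As an added example covering both the response splitting and open redirection terms above (not from the original slides), the following Python code validates a redirect parameter before it reaches a Location header, and shows the vulnerable header construction beside the hardened one. It treats www.pentest.this, the in-scope host used in the scoping slides, as the application's own host; that choice, the function names and the payloads are assumptions.

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to. Treating www.pentest.this as the
# application's own host is an assumption made for this example.
ALLOWED_HOSTS = {"www.pentest.this"}


def safe_redirect_target(param, allowed_hosts=ALLOWED_HOSTS):
    """Return `param` if it is a safe redirect target, otherwise None."""
    if not param:
        return None
    # Response splitting: a CR or LF in the value would end the Location
    # header line and let the attacker append headers or a second response.
    # Checked before urlsplit(), because recent Python versions silently
    # strip these characters while parsing.
    if any(ch in param for ch in "\r\n\x00"):
        return None
    # Browsers treat backslashes as slashes in the authority part
    # ("/\evil.example" becomes "//evil.example"), so normalize first.
    candidate = param.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowed host,
        # and no userinfo trick such as https://www.pentest.this@evil.example/
        if parts.scheme != "https" or parts.username is not None:
            return None
        if parts.hostname not in allowed_hosts:
            return None
        return candidate
    # Relative URL: insist on a path rooted at "/". A "//host" value already
    # carries a netloc and was handled above.
    if not candidate.startswith("/"):
        return None
    return candidate


def location_header_vulnerable(param):
    """Copies the parameter into the header verbatim: this is both the open
    redirect and the response splitting point."""
    return f"Location: {param}\r\n"


def location_header_hardened(param, fallback="/"):
    """Only a validated target reaches the header; anything else falls back
    to the application root."""
    target = safe_redirect_target(param)
    return f"Location: {target if target is not None else fallback}\r\n"


if __name__ == "__main__":
    # Constructed test inputs a tester would try against a ?next= parameter.
    for value in (
        "/account/settings",
        "https://www.pentest.this/account",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example/",
        "https://www.pentest.this@evil.example/",
        "javascript:alert(1)",
        "/x\r\nSet-Cookie: session=attacker",
    ):
        print(repr(value), "->", repr(safe_redirect_target(value)))
```

The CRLF payload shows the two vulnerabilities together: copied verbatim it yields a Location line followed by an attacker-supplied Set-Cookie line, while the hardened function refuses it and redirects to `/`.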

Page 7: Introduction to Web Application Penetration Testing

Important Terms to remember

• ASP.NET View State: the method that the ASP.NET page framework uses to preserve page and control values between round trips. It travels to the client as a hidden form field, so a tester checks whether it is encrypted and integrity-protected (MAC-enabled) or can be read and tampered with.

• Web Backdoor: a means of accessing a computer program that bypasses its security mechanisms; on a web server this is typically a script (a "web shell") left behind by an attacker to run commands.

• Stack Trace: a stack trace (also called stack backtrace or stack traceback) is a report of the active stack frames at a certain point in time during the execution of a program. When one leaks into an error page it reveals file paths, framework versions and code structure.

Page 8: Introduction to Web Application Penetration Testing

Introduction to Web Application Pentesting

Web application testing can expose weaknesses in application systems that are not otherwise addressed by traditional network defense mechanisms.

Given that the application is authorized to communicate past those defense mechanisms (the firewall must let traffic to the application through), attacking an application vulnerability may allow attackers to gain access to networks that are otherwise well defended.

Page 9: Introduction to Web Application Penetration Testing

Introduction to Web Application Pentesting

The process typically includes the following stages:

• Scope of engagement

• Information gathering

• Vulnerability identification

• Exploitation

• Post-exploitation

• Reporting

Page 10: Introduction to Web Application Penetration Testing

Scope of Engagement

Defining the scope of engagement is one of the most important parts of a penetration testing engagement.

Scoping meeting: within the scoping meeting several important elements will be covered, such as start and end dates, the IP ranges and domains to be covered, how to deal with any third parties (cloud providers, internet service providers, managed security service providers, and so on), and many other topics.

In addition, the countries where the servers are hosted should be discussed, since the testing may be subject to the laws of those countries.

Page 11: Introduction to Web Application Penetration Testing

Scope of Engagement

Scope in a web application penetration test is often defined in terms of domains; therefore, the client will usually ask for a penetration test against a single hostname, such as www.pentest.this.

At this point you should immediately wonder (and ask) whether other subdomains (such as intranet.pentest.this or email.pentest.this) are included and, if so, which ones.

Page 12: Introduction to Web Application Penetration Testing

Scope of Engagement

The parties should define boundaries around acceptable social engineering pretexts and any denial of service testing.

Lastly, the goals of the testing should be made very clear, to ensure effective completion, together with the payment terms that apply once the goals are met.

Page 13: Introduction to Web Application Penetration Testing

Scope of Engagement

Defining boundaries for the engagement helps to eliminate scope creep, or at least defines which parties need to be involved in discussing and managing any perceived scope creep.

Boundaries are critical from a legal perspective: any test beyond the defined scope is unauthorized, a breach of the Rules of Engagement, and could therefore result in criminal charges.

Moreover, defining the applicable lines of communication between the testers and the customer is essential for the best outcome.

Page 14: Introduction to Web Application Penetration Testing

Scope of Engagement

Emergency contacts should be established, along with the incident reporting process, the definition of what counts as an incident, the frequency of status reports, and the checkpoints needed for the project.

Lastly, the rules of engagement must be defined: timelines, locations, evidence handling measures, a regular meeting rhythm and the times of day at which testing is permitted are all important aspects to cover.

Page 15: Introduction to Web Application Penetration Testing

Scope of Engagement

At the conclusion of the scoping effort, all parties involved in the execution or support of the penetration testing engagement should have a clear and concise idea of the boundaries of the engagement. This ensures that analysts have a reference to begin from, and that project and business managers understand what is included.

Should any issues or conflicts come up during the exercises, the parties should have a frame of reference in which to discuss and reach a mutually beneficial resolution.

Page 16: Introduction to Web Application Penetration Testing

Liabilities and Responsibilities

A penetration test poses a number of risks for both the client and the penetration tester.

During a penetration test things can certainly go wrong, and you will need to ensure that as many of the things you can anticipate going wrong as possible are dealt with in the pre-engagement phase.

Page 17: Introduction to Web Application Penetration Testing

Liabilities and Responsibilities

Regardless of what can go wrong, even in a perfect penetration testing engagement there are responsibilities that you will be accountable for. Possible liabilities could be:

• You access sensitive data out of scope

• You accidentally remove data

• You accidentally cause unavailability of services

• Another catastrophic event with an impact on the organization

Page 18: Introduction to Web Application Penetration Testing

Liabilities and Responsibilities

Possible responsibilities are:

• Keeping the client informed and up to date during your pentest

• Keeping reports and collected data in a safe place

• Following a code of ethics

• Nondisclosure of any information

Page 19: Introduction to Web Application Penetration Testing

Liabilities and Responsibilities

Liabilities should be dealt with by an attorney.

Your lawyer will try to limit your accountability for data loss and other catastrophic events, unless of course you caused them on purpose.

Responsibilities are pretty simple: care and ethics. Store the client's reports and collected data encrypted, and destroy them once they have been delivered to the client.

You will also never disclose any information you come across during the engagement to anyone.

Page 20: Introduction to Web Application Penetration Testing

Non-disclosure Agreements

A non-disclosure agreement (NDA) is part of any engagement. Basically, the penetration tester guarantees, in writing, that any discovered vulnerabilities, exploits used or developed, and, in general, any information (not previously public) related to the organization, accessed during the engagement, will not be disclosed to any third party.

This is a critical aspect for the client, and you will want to make sure to provide plenty of assurance of both your ethical conduct and your respect for their confidentiality.

Page 21: Introduction to Web Application Penetration Testing

The Emergency Plan

An emergency plan is a good idea for both the pentester and the client. It shows the client that you care, and it protects both of you from legal issues should any arise as a result of your testing.

An emergency plan is put into action when things go wrong during the engagement, such as a server failing under heavy scanning, a database table being altered during the exploitation phase, or any other potentially debilitating result of your actions.

Protect yourself, and protect the client!

Page 22: Introduction to Web Application Penetration Testing

The Emergency Plan

An emergency plan simply involves the following factors:

• The timetable

• The contact in charge of responding to the emergency plan

• The solutions to apply to the issue

The timetable, or schedule of tasks, lets the client know exactly what is going on, where, and what the criticality of each task is.

So, for instance, if the criticality of a task is high, the client can have a team ready and alert it quickly to act on the emergency plan.

Page 23: Introduction to Web Application Penetration Testing

The Emergency Plan

The emergency plan is meaningless if:

• The pentester does not know who to contact

• The contact is not readily available

• There is no written plan

Make sure to have all of the above in place before you begin the engagement.

Page 24: Introduction to Web Application Penetration Testing

Allowed Techniques

Closely related to the emergency plan, and to avoiding damage to the client's systems, is agreeing with the client beforehand which intrusive techniques you are allowed to use.

Defining in advance what is allowed and what is not will greatly decrease the chances of surprising the client with really bad news.

Intrusive techniques are those that can not only cause damage but also cause serious embarrassment within the client organization.

Page 25: Introduction to Web Application Penetration Testing

Allowed Techniques

The following is a list of the most common intrusive techniques:

• Brute force attacks

• Social engineering

• Data harvesting of temporary internet files and browsing history

• Phishing attacks

Page 26: Introduction to Web Application Penetration Testing

Allowed Techniques

Social engineering is not always in scope during a penetration test, and the same goes for phishing attacks. Exposing human weaknesses is generally much more embarrassing than exposing technological ones, so businesses tend to keep these out of scope.

To overcome this embarrassment you should guarantee the client maximum confidentiality about the names of the employees who fell victim to such attacks during the pentest.

That may help to bring social attacks back into scope.
