Three Techniques for Web Security Testing Using a Proxy
Paco Hope, Cigital
[email protected]
Twitter: @pacohope


About Me
• Consultant 13 years
• Software security: code, design, risk
• Financial, gaming, retail
• Source code, architecture, security testing
• (ISC)² European Advisory Council
• CISSP and CSSLP exam item author
• Author: 2 books + 1 chapter
• OWASP Mobile Top Ten contributor
• BS and MS in Computer Science
• Passionate about software testers as an untapped resource in software security

Goals
• Understand the proxy
• HTTP and HTTPS
• How to configure and run it
• Intercept some requests and modify them
• Intercept some replies and modify them

Functional Testing vs. Security Testing
Testing against the design/requirements is not enough. The slide draws two overlapping sets: what the stories, requirements, features and design say the software should do, and what the actual implementation does.
• Missing features (in the design but not in the implementation) are found in functional testing
• Potential security vulnerabilities (in the implementation but never in the design) are not found in functional tests, because no requirement ever asked for them
Boundary condition analysis (edge and corner cases): security testers must think "outside the box".

HTTP in a Nutshell

Requests and Responses

Client¹ sends:

GET / HTTP/1.1
Host: www.cigital.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Server responds:

HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 10:24:38 GMT
Server: Apache
X-Powered-By: PHP/5.5.10
X-Pingback: http://www.cigital.com/xmlrpc.php
Link: <http://www.cigital.com/>; rel=shortlink
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 27893

[HTML document]

¹ "client" can be a browser, mobile device, or anything making HTTP requests

HTTP Requests

GET /training/ HTTP/1.1
Host: www.cigital.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.cigital.com/
Cookie: __utma=269626595.872944553.1402325345.1402909557.1404383087.3; [truncated...]
Connection: keep-alive

Structure:
• Method / path / protocol version
• Headers
• User-Agent and Referer may not always be there
• Browser includes all the cookies it has for the site to which it connects

HTTP Responses

HTTP/1.1 200 OK
Date: Thu, 20 Mar 2014 17:05:51 GMT
Server: Apache/1.2.34 (Debian)
X-Powered-By: PHP/1.2.3-4+deb7u7
X-Pingback: http://www.cigital.com/xmlrpc.php
Link: <http://www.cigital.com/?p=4370>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Connection: Keep-Alive

[HTML document]

Structure:
• Headers first
• Blank line
• Content
Response codes:
• 200 OK
• 404 Not Found
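The request and response slides above describe the same three-part layout (start line, headers, blank line, content). The following added example, which is not from the slides, parses raw HTTP/1.1 messages into those parts the way an intercepting proxy must before it can display or edit them. The two sample messages are constructed here, trimmed from the slide's own request and response; the parser assumes Content-Length framing and does not handle chunked transfer encoding.

```python
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    start_line: str
    # names lower-cased; a list per name because Set-Cookie legitimately repeats
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Headers first, then a blank line, then the content, sized by Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    if "content-length" in msg.headers:
        # bytes beyond the declared length belong to the next message on the connection
        msg.body = rest[: int(msg.headers["content-length"][0])]
    else:
        msg.body = rest  # no length given: the body runs until the connection closes
    return msg


def request_line(msg: HttpMessage):
    """'GET /training/ HTTP/1.1' -> ('GET', '/training/', 'HTTP/1.1')"""
    method, path, version = msg.start_line.split(" ", 2)
    return method, path, version


def status_line(msg: HttpMessage):
    """'HTTP/1.1 200 OK' -> ('HTTP/1.1', 200, 'OK'); the reason phrase may be absent."""
    parts = msg.start_line.split(" ", 2)
    return parts[0], int(parts[1]), parts[2] if len(parts) > 2 else ""


# Constructed samples, trimmed from the request and response shown on the slides.
SAMPLE_REQUEST = (
    b"GET /training/ HTTP/1.1\r\n"
    b"Host: www.cigital.com\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Referer: http://www.cigital.com/\r\n"
    b"Cookie: __utma=269626595.872944553.1402325345.1402909557.1404383087.3\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: name=value\r\n"
    b"Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"<html>hello world</html>"
    b"HTTP/1.1 404 Not Found\r\n"  # start of the next pipelined response, not part of this body
)

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(request_line(req), req.headers["cookie"])
    resp = parse_message(SAMPLE_RESPONSE)
    print(status_line(resp), resp.headers["set-cookie"], resp.body)
```

Keeping header values in a list per name matters in practice: collapsing the two Set-Cookie lines into one string is a common mistake in home-grown tooling, and it is exactly the kind of header an intercepting tester wants to see individually.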

URL Encoding

URL encoding is applied in HTTP messages to URL parameters and HTML form data. It is important to consider when modifying requests in web security tests:

http://example.com/test?url=http://www.cigital.com/ → http://example.com/test?url=http%3A%2F%2Fwww.cigital.com%2F

http://www.example.com/request.php?param1=abc+123&param2=A&B
param1 = "abc 123" (the + decodes to a space)
param2 = "A" (the unencoded & ends the value and starts a third parameter, B; to send the value "A&B" the & must be encoded as %26)
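The encoding rules above are what a server applies when it splits a query string, and what a tester has to apply by hand when editing a request in the proxy. The following added example, not from the slides, reproduces the two URLs on the slide with the standard library and also shows the one edge case that bites most often during tampering: the server decodes exactly once, so a double-encoded %2526 reaches the application as the literal text %26, not as an ampersand.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit


def decode_query(url: str):
    """Parameters the application sees: one decoding pass, '+' -> space, %XX -> byte."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def encode_query(base: str, params: dict) -> str:
    """Build a URL whose parameter values may contain '&', '=', '/', ':' or spaces."""
    return base + "?" + urlencode(params)


# The slide's example: the unencoded '&' in "A&B" starts a third parameter.
NAIVE = "http://www.example.com/request.php?param1=abc+123&param2=A&B"
# Same intent with the value encoded, so '&' survives as data.
ENCODED = encode_query("http://www.example.com/request.php",
                       {"param1": "abc 123", "param2": "A&B"})
# The slide's URL-inside-a-parameter example.
NESTED = encode_query("http://example.com/test", {"url": "http://www.cigital.com/"})
# Double-encoded input: decoded once by the server, so the app sees "A%26B".
DOUBLE = "http://example.com/?p=A%2526B"

if __name__ == "__main__":
    print(decode_query(NAIVE))    # [('param1', 'abc 123'), ('param2', 'A'), ('B', '')]
    print(ENCODED, decode_query(ENCODED))
    print(NESTED)
    print(decode_query(DOUBLE))
```

When you change a parameter value inside Burp or ZAP you are editing the already-encoded form, so a payload containing &, =, # or a space has to be encoded by you; the proxy will not do it for you.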

RESTful Web Services

RESTful web services use HTTP in a slightly different way to normal web pages:
• Parameters are usually a part of the path: http://example.com/customers/1234
• HTTP methods used:

Method   Resource collection          Resource item
GET      List items in collection     Get representation of item
PUT      Replace collection           Update/replace item
POST     Create item in collection    Create sub-item under current item
DELETE   Delete entire collection     Delete item

Cookies
• Are sent back with all requests to the domain from which they were set (subject to the Domain, Path and Secure attributes)
• Are stored by the client (mobile phone, browser, etc.) and used until they expire
• Persistent cookies (those given an Expires date) survive browser/computer/device restart
• Session cookies have no expiration and live as long as the browser process is running

Server response:

HTTP/1.1 200 OK
Set-Cookie: session=id; secure; httpOnly
Set-Cookie: cookie2=persistent; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Subsequent client request:

GET /index.html HTTP/1.1
Cookie: session=id; cookie2=persistent
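To make the lifetime rules above concrete, here is an added example (not from the slides) of a toy cookie store fed with the two Set-Cookie headers from the slide's response. It reproduces which cookies the client sends back over HTTPS and over plain HTTP, which ones survive a browser restart, which one expires, and which one JavaScript can read. Domain and Path scoping and Max-Age are deliberately left out; the store models a single site.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str) -> dict:
    """'name=value; attr; attr=value' -> cookie record (attribute names lower-cased)."""
    pairs = [p.strip() for p in header.split(";")]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for pair in pairs[1:]:
        key, _, val = pair.partition("=")
        attrs[key.strip().lower()] = val.strip()
    expires = attrs.get("expires")
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # no Expires => session cookie; it dies with the browser process
        "expires": parsedate_to_datetime(expires) if expires else None,
    }


class CookieStore:
    """Stand-in for one site's cookies inside a browser (Domain/Path/Max-Age ignored)."""

    def __init__(self):
        self.cookies = {}

    def store(self, set_cookie_headers):
        for header in set_cookie_headers:
            c = parse_set_cookie(header)
            self.cookies[c["name"]] = c  # a later Set-Cookie with the same name replaces

    def restart(self):
        """Browser closed and reopened: session cookies are gone, persistent ones stay."""
        self.cookies = {n: c for n, c in self.cookies.items() if c["expires"] is not None}

    def cookie_header(self, now: datetime, https: bool) -> str:
        """Value of the Cookie header the browser would send right now."""
        sent = []
        for c in self.cookies.values():
            if c["expires"] is not None and c["expires"] <= now:
                continue  # expired persistent cookie
            if c["secure"] and not https:
                continue  # Secure: never sent over plain HTTP
            sent.append(f'{c["name"]}={c["value"]}')
        return "; ".join(sent)

    def visible_to_javascript(self):
        """Names document.cookie would expose: HttpOnly cookies are withheld."""
        return [n for n, c in self.cookies.items() if not c["httponly"]]


def when(year, month, day):
    """Helper: an aware UTC timestamp to use as 'now'."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed from the slide's server response.
SLIDE_SET_COOKIES = [
    "session=id; secure; httpOnly",
    "cookie2=persistent; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]

if __name__ == "__main__":
    jar = CookieStore()
    jar.store(SLIDE_SET_COOKIES)
    print(jar.cookie_header(when(2014, 7, 3), https=True))   # session=id; cookie2=persistent
    print(jar.cookie_header(when(2014, 7, 3), https=False))  # cookie2=persistent
    print(jar.visible_to_javascript())                       # ['cookie2']
    jar.restart()
    print(jar.cookie_header(when(2014, 7, 3), https=True))   # cookie2=persistent
    print(jar.cookie_header(when(2022, 1, 1), https=True))   # (empty: cookie2 expired)
```

The two flags on the session cookie are the ones worth checking in a proxy: without Secure the session identifier is sent in the clear on any http:// link to the site, and without HttpOnly it is readable by injected script.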

Detour into HTTPS (TLS/SSL)
• Simply protects the channel from eavesdroppers (and from tampering in transit)
• Modest authenticity check on the web server: the certificate vouches for the host name, not for the application behind it
• If the app is buggy/vulnerable, then TLS just makes the connections opaque; the bug is still reachable by whoever holds the other end of the connection
• Example: 4 people in a coffee shop/at the office on the same wifi. One goes to a web site. What can the others see?

Standard HTTP: the request crosses the network in the clear, so the others see exactly what the browser sent:
GET /office/document.html

With HTTPS: the others see only opaque ciphertext (illustrated on the slide by the blob VG9wIDMgV2ViIFNlY3VyaXR5IFRlc3Rpbmcg), while the server still receives:
GET /office/document.html

Vulnerabilities and HTTPS: a request such as
GET /vulnerable/thing
reaches the vulnerable code over HTTP and over HTTPS alike. HTTPS hides it from onlookers; it does nothing to stop the person who sends it.

Consequence for proxy-based testing: to see inside HTTPS the proxy has to terminate TLS itself and open its own TLS connection to the site. Burp and ZAP do this with a certificate authority of their own; install that CA certificate in the trust store of the test browser (and only there), otherwise every intercepted HTTPS site raises a certificate warning.

Proxies

HTTP Proxies
Intermediaries between clients and servers; they may be used for several good reasons:
• Speed up Internet access
• Filter undesirable or malicious content
• Prevent data leakage
• Provide anonymity

HTTP Proxy Types
Three main types of HTTP proxies:
• Forward proxy (the client is configured to send its requests through it)
• Reverse proxy (sits in front of the servers; to clients it looks like the site itself)
• Open proxy (a forward proxy that anyone on the Internet may use)

What We're Doing: Local Proxy
Your Browser → Proxy → The Network / Internet → Web Site to Test
(browser and proxy both run inside your computer / laptop)

Another Possibility
Mobile Device → Proxy → The Network / Internet → Web Site to Test
(the proxy still runs inside your computer / laptop; the mobile device on the same network is configured to send its traffic through it)

Roadmap: Install, Configure, Pitfalls, Run

Installing
Two proxies worth considering:
• ZAP ("Zed Attack Proxy") from OWASP
  • 100% free
  • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Burp Suite: commercial
  • Free version (lacks advanced security tools)
  • £239 / $349 / €329 per user per year
  • https://www.portswigger.net/

We'll look at Burp today

BUILDING SECURITY IN

Demo 1: WebGoat and Burp Config
1. Start WebGoat
2. Start Burp
3. Disable Intercept
4. Change Burp port
5. Configure Firefox
6. Do a couple of requests
7. Examine them

Why I Use Firefox for Proxy-Based Testing
• Most software uses your operating system proxy settings
• You might not have rights to change it
• It's a pain to test when EVERYTHING YOU DO goes through the proxy
• Firefox has its own proxy settings, independent of the operating system's: point its manual HTTP and HTTPS proxy at 127.0.0.1 and the port Burp listens on, and only that browser is affected

Other Possible Pitfalls
• Lots of apps use port 8080: Tomcat, WebGoat, specialist software
• The proxy (Burp/ZAP) is often easier to change than the other application
• Setting the OS proxy is disruptive
• Might need to set "upstream proxy" to use your corporate proxy

What Is Proxying Good For?
• Bypassing client-side protections
• Exploring client-side behaviour
• Examining data in transit


Demo 2: Intercept and Tamper With a Request
1. Improper Error Handling lesson
2. Intercept the login request
3. Remove the password parameter


Demo 3: Intercept a Response
1. WebGoat AJAX -> XML
2. Load lesson
3. Turn on Intercept
4. Submit account number
5. Intercept request
6. Intercept response
7. Edit response
8. Forward edited response
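Demo 2 and Demo 3 are the two halves of what an intercepting proxy does: edit a request on its way to the site, and edit a response on its way back to the browser. The following added example, not from the slides and not Burp's or WebGoat's code, is a minimal forward proxy written with the Python standard library that exposes exactly those two hooks. So that it runs offline it also starts a constructed stub origin on localhost whose behaviour is assumed for the demo: its login handler mishandles a missing password field and leaks the error (the Improper Error Handling pattern), and its account page answers ACCESS DENIED. The request hook drops the password parameter as in Demo 2; the response hook rewrites the answer as in Demo 3.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit

FORM = "application/x-www-form-urlencoded"
ORIGIN_SEEN = []  # form fields the constructed stub origin actually received


def tamper_request(method, path, headers, body):
    """Demo 2 analogue: drop the password field from a form-encoded login."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if method == "POST" and ctype.startswith(FORM):
        fields = parse_qsl(body.decode(), keep_blank_values=True)
        body = urlencode([(k, v) for k, v in fields if k != "password"]).encode()
    return method, path, headers, body


def tamper_response(status, headers, body):
    """Demo 3 analogue: rewrite the answer before the browser acts on it."""
    return status, headers, body.replace(b"ACCESS DENIED", b"ACCESS GRANTED")


class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


class InterceptingProxy(Quiet):
    protocol_version = "HTTP/1.1"
    # not forwarded: hop-by-hop headers, plus lengths we recompute after tampering
    DROP = {"proxy-connection", "connection", "keep-alive", "transfer-encoding", "content-length"}

    def _relay(self):
        url = urlsplit(self.path)  # a forward proxy receives an absolute URL on the request line
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items() if k.lower() not in self.DROP}
        path = (url.path or "/") + ("?" + url.query if url.query else "")
        method, path, headers, body = tamper_request(self.command, path, headers, body)
        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        conn.request(method, path, body=body or None, headers=headers)  # adds Content-Length
        resp = conn.getresponse()
        status, rbody = resp.status, resp.read()
        rheaders = {k: v for k, v in resp.getheaders() if k.lower() not in self.DROP}
        conn.close()
        status, rheaders, rbody = tamper_response(status, rheaders, rbody)
        self.send_response_only(status)
        for k, v in rheaders.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(rbody)))
        self.end_headers()
        self.wfile.write(rbody)

    do_GET = do_POST = _relay


class StubOrigin(Quiet):
    """Constructed stand-in for the site under test (assumed behaviour, not WebGoat's code)."""

    def do_POST(self):  # login: mishandles a missing field and leaks the error
        length = int(self.headers.get("Content-Length", 0))
        fields = dict(parse_qsl(self.rfile.read(length).decode(), keep_blank_values=True))
        ORIGIN_SEEN.append(fields)
        try:
            ok = fields["password"] == "secret"  # KeyError once the tester removed the field
            self._reply(200, b"Welcome" if ok else b"Bad credentials")
        except KeyError as exc:
            self._reply(500, f"Internal Server Error: KeyError {exc}".encode())

    def do_GET(self):  # the page whose answer Demo 3 rewrites
        self._reply(200, b"ACCESS DENIED")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: the OS picks a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _via_proxy(proxy, method, url, body=None, headers=None):
    """Act as the browser: hand the absolute URL to the proxy, not to the site."""
    conn = http.client.HTTPConnection(*proxy.server_address, timeout=5)
    conn.request(method, url, body=body, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result


def run_demo():
    """Replay Demo 2 and Demo 3 through the proxy; return what each side saw."""
    origin, proxy = _serve(StubOrigin), _serve(InterceptingProxy)
    base = "http://127.0.0.1:%d" % origin.server_address[1]
    login = _via_proxy(proxy, "POST", base + "/login",
                       body="username=tester&password=secret", headers={"Content-Type": FORM})
    account = _via_proxy(proxy, "GET", base + "/account")
    for srv in (origin, proxy):
        srv.shutdown()
    return {"origin_saw": ORIGIN_SEEN[-1], "login": login, "account": account}


if __name__ == "__main__":
    print(run_demo())
```

Two things the demo makes visible that the slides only state: the site never sees the field the tester removed, so whatever the page's JavaScript validated is irrelevant, and a rewritten response is accepted by the client as if the server had sent it, which is why client-side authorisation decisions are worthless. The proxy recomputes Content-Length after every edit; forgetting that is the usual reason a hand-rolled intercept hangs or truncates.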

Conclusions: Install, Configure, Pitfalls, Run

The Value of a Proxy
• This is way off the "happy path"
• Allows better coverage of errors, edge cases, etc.
• Bypasses client-side checks

Disadvantages
• Manual testing
• Can spend a lot of time for few (spectacular) results
• May require deep insight into the app

Resources in This Webinar

Resource                        URL
Burp Suite                      https://portswigger.net/
OWASP WebGoat                   https://github.com/WebGoat
OWASP Zed Attack Proxy (ZAP)    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Firefox Web Browser             https://mozilla.com/

The best time to plant an oak tree was twenty years ago.
The next best time is now.
—Ancient Proverb

Paco Hope, CISSP, CSSLP
[email protected]
Twitter: @pacohope