BruCon 2011 Lightning talk winner: Web app testing without attack traffic


Description: BruCon 2011 Lightning talk winner. An OWASP-focused walk-through of what can be at least partially tested without permission in a web application.

Transcript of BruCon 2011 Lightning talk winner: Web app testing without attack traffic

Page 1: BruCon 2011 Lightning talk winner: Web app testing without attack traffic

Web app testing without attack traffic

Abraham Aranguren

@7a_

[email protected]

http://7-a.org

Page 2

Intro

33% (22 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission

* Except in Spain, where visiting a page can be illegal ☺

Page 3

Legend

Ethics/Scope legend:

[P] No permission needed: no attack traffic

[!] Mild attack traffic / could break things

[!!] You better have written permission ..

Vulnerable vs. Not Vulnerable legend:

- Vulnerable

- Not Vulnerable

[P]

Page 4

Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)

- $ wget http://www.google.com/robots.txt

- Found: analyse entries

- Not found: indexing required?

[P]
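The "analyse entries" step above is easiest with a small parser that turns robots.txt into per-crawler rule groups and lists every Disallow path, since each of those paths is a resource the site owner hoped crawlers would skip and which therefore deserves a check that it is protected by authentication rather than by robots.txt. The code below is an added example and not part of the talk; the robots.txt content is constructed and not fetched from any host.

```python
"""Parse robots.txt into per-user-agent rule groups (added example, not from the talk)."""
from typing import Dict, List, Tuple

# Constructed sample; not fetched from google.com or any other host.
SAMPLE_ROBOTS = """\
# crawler policy (constructed)
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/
Allow: /public/
Crawl-delay: 10

User-agent: Googlebot
Disallow: /private/
Disallow:

Sitemap: https://example.com/sitemap.xml
"""

Groups = Dict[str, Dict[str, List[str]]]


def parse_robots(text: str) -> Tuple[Groups, List[str]]:
    """Return ({user_agent: {"disallow": [...], "allow": [...]}}, [sitemap urls]).

    Consecutive User-agent lines share the rules that follow them; a User-agent
    line after at least one rule starts a new group (the RFC 9309 layout).
    Comments (#...) and unknown fields such as Crawl-delay are skipped.
    """
    groups: Groups = {}
    sitemaps: List[str] = []
    agents: List[str] = []
    rules_seen = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:
                agents, rules_seen = [], False
            agent = value.lower()
            agents.append(agent)
            groups.setdefault(agent, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            rules_seen = True
            if value:  # an empty "Disallow:" means nothing is disallowed
                for agent in agents:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def disallowed_paths(text: str) -> List[str]:
    """Every path any crawler is asked to avoid: the list to review for
    resources that rely on robots.txt instead of access control."""
    groups, _ = parse_robots(text)
    return sorted({p for g in groups.values() for p in g["disallow"]})


if __name__ == "__main__":
    parsed, maps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in parsed.items():
        print(agent, rules)
    print("sitemaps:", maps)
    print("review:", disallowed_paths(SAMPLE_ROBOTS))
```

Feed it the output of the wget command above instead of SAMPLE_ROBOTS to get the real list; the Sitemap entries are worth the same review, since they enumerate URLs in the same way.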

Page 5

Testing: Search engine discovery / reconnaissance (OWASP-IG-002)

- Google: site:target.com filetype:... inurl:...

- Metadata, DNS, Whois, company info, staff, etc..

[P]

Page 6

Testing: Identify application entry points (OWASP-IG-003)

- Use a proxy and JUST browse the site

- Let the proxy log ALL requests

- Understand the site

- Chain ratproxy to your proxy for cool ideas ☺

[P]

Page 7

Testing for Web Application Fingerprint (OWASP-IG-004)

Get the banner:

- $ curl -i -A "Mozilla..." http://target.com | more

[P]

Page 8

Testing for SSL-TLS (OWASP-CM-001)

No traffic ..

[P]

Page 9

Testing for Admin Interfaces (OWASP-CM-007)

- 3rd party stuff in .NET ViewState, headers, ..

- Telerik.Web.UI?? Google it!

[P]

Page 10

Testing for Admin Interfaces (OWASP-CM-007) - continued

- Google for default passwords

[P]

Page 11

Testing for Admin Interfaces (OWASP-CM-007) - continued

[!!]

Page 12

Testing for Admin Interfaces (OWASP-CM-007) - continued

[!!]

Page 13

Testing for HTTP Methods and XST (OWASP-CM-008)

- An OPTIONS request is quite normal:

curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

[P]
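Both the banner grab on page 7 and the OPTIONS reply above reduce to reading a response head: pull out the version-revealing headers, split the Allow list, and flag TRACE (the XST indicator) or other methods that modify or tunnel. The parser below is an added example, not code from the talk; the response text is the one printed on the slide, split one header per line. The BANNER_HEADERS and RISKY_METHODS lists are my choice of what to surface.

```python
"""Parse a raw HTTP response head and review the banner and Allow header (added example)."""
from typing import Dict, List, Tuple

# The OPTIONS reply shown on slide 13, with one header per line.
SLIDE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 09 Aug 2011 13:38:43 GMT\r\n"
    "Server: Apache/2.0.63 (Unix)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
)

# Headers that tend to carry software versions (slide 7); names are lower-cased on parse.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Methods OWASP-CM-008 looks at: TRACE/TRACK enable XST, the others modify
# or tunnel and should not be advertised without a reason.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (status line, {lower-cased header name: value}) for a response head.

    Accepts CRLF or LF line endings; only the first value of a repeated header is kept.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].strip(), headers


def banner(headers: Dict[str, str]) -> Dict[str, str]:
    """Version-revealing headers present in the response (slide 7 fingerprinting)."""
    return {name: headers[name] for name in BANNER_HEADERS if name in headers}


def allowed_methods(headers: Dict[str, str]) -> List[str]:
    """Methods advertised in the Allow header of an OPTIONS reply, upper-cased."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def review_methods(headers: Dict[str, str]) -> List[str]:
    """Advertised methods worth a closer look; TRACE here is the XST indicator."""
    return sorted(set(allowed_methods(headers)) & RISKY_METHODS)


if __name__ == "__main__":
    status, hdrs = parse_response_head(SLIDE_RESPONSE)
    print(status)
    print("banner:", banner(hdrs))
    print("allowed:", allowed_methods(hdrs))
    print("review:", review_methods(hdrs))
```

Pipe the `curl -i` output from either slide into parse_response_head; an Allow header is only a claim by the server, so a TRACE listed there is a finding to confirm with the owner, not proof of XST on its own.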

Page 14

Testing for credentials transport (OWASP-AT-001)

- Is the login page on "http" instead of "https"?

[P]

Page 15

Testing for Default or Guessable User Account (OWASP-AT-003)

Analyse the username(s) they gave you to test:

- Username based on numbers?

USER12345

- Username based on public info? (i.e. names, surnames, ..)

name.surname

[P]

Page 16

Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)

Is autocomplete set to off?

<form ... autocomplete="off">

or

<input ... autocomplete="off">

Look at the questions or fields in the password reset form ...

[P]

Page 17

Testing for Logout and Browser Cache Management (OWASP-AT-007)

Easy test: Login + Logout + Back button

Or no caching headers / not expiring session cookie:

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ...
X-Powered-By: ...
Connection: close
Content-Type: text/html; charset=UTF-8

[P]

Page 18

Testing for Captcha (OWASP-AT-008)

Can be done offline:

- Download image and try to break it

- Look for signs of weak third party components

PWNtcha - captcha decoder

[P]

Page 19

Testing for Session Management Schema (OWASP-SM-001)

Examine cookies for weaknesses offline

Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=

Is

owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412

[P]
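The offline examination above comes down to recognising the token format: a base64 value that decodes to readable, colon-separated state (IP, username, password, counters) is client-controlled state, while a fixed-length hex string is a digest whose input may be built from those same predictable fields. The classifier below is an added example, not code from the talk; both sample values are the ones on the slide, and the lists of hash lengths and "credential words" are my heuristics.

```python
"""Offline inspection of session token formats (added example, not from the talk)."""
import base64
import binascii
import re
import string
from typing import Dict, List, Optional

# Both values are the ones shown on slide 19.
SLIDE_B64 = "MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg="
SLIDE_HEX = "a7656fafe94dae72b1e1487670148412"

HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CREDENTIAL_WORDS = re.compile(r"pass|user|admin|role", re.I)


def try_base64(token: str) -> Optional[str]:
    """Decode token as base64 and return the text if it is printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in string.printable for c in text) else None


def classify(token: str) -> Dict[str, object]:
    """Label a token as hex digest, decodable base64 text, or opaque, with review notes."""
    result: Dict[str, object] = {"token": token, "kind": "opaque", "decoded": None}
    findings: List[str] = []
    result["findings"] = findings
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HEX_DIGEST_LENGTHS:
        result["kind"] = f"hex digest ({HEX_DIGEST_LENGTHS[len(token)]} length)"
        findings.append("looks like a hash: check whether its input is built from predictable fields")
        return result
    text = try_base64(token)
    if text is None:
        return result  # random-looking bytes: nothing to learn offline
    result["kind"] = "base64 text"
    result["decoded"] = text
    fields = text.split(":")
    if len(fields) > 1:
        findings.append(f"{len(fields)} colon-separated fields in plaintext")
    if IPV4.search(text):
        findings.append("contains an IPv4 address")
    if CREDENTIAL_WORDS.search(text):
        findings.append("contains credential or role words: state is readable and client-controlled")
    return result


if __name__ == "__main__":
    for token in (SLIDE_B64, SLIDE_HEX):
        print(classify(token))
```

The slide's base64 value decodes to `192.168.100.1:owaspuser:password:15:58`, which is the point of the exercise: nothing was sent to the site, yet the cookie layout is fully known.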

Page 20

Testing for cookies attributes (OWASP-SM-002)

- Secure: not set = no https

- HttpOnly: not set = cookies stealable via JS

- Domain: set properly

- Path: set to the right /sub-application

- Expires: set reasonably

[P]

Page 21

Testing for Session Fixation (OWASP-SM-003)

Session ID NOT changed after login = Vuln

Before Login PHPSESSID:

10a966616e8ed63f7a9b741f80e65e3c

After Login PHPSESSID:

10a966616e8ed63f7a9b741f80e65e3c

[P]
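The cookie attribute checks on page 20, the missing anti-caching headers on page 17 and the before/after comparison above are all things a proxy log already contains, so they can be scored offline. The audit below is an added example, not code from the talk. The weak and hardened Set-Cookie lines are constructed (they reuse the PHPSESSID value from the slide), and `host`, `app_path`, `max_lifetime` and the fixed "now" are assumptions the tester supplies, not values from the talk.

```python
"""Offline Set-Cookie audit, cache-header check and session fixation check (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed headers reusing the PHPSESSID value shown on slide 21.
SESSION_ID = "10a966616e8ed63f7a9b741f80e65e3c"
WEAK_COOKIE = (f"PHPSESSID={SESSION_ID}; Path=/; Domain=.site.com; "
               "Expires=Thu, 09 Aug 2012 13:38:43 GMT")
HARDENED_COOKIE = (f"PHPSESSID={SESSION_ID}; Path=/app; Domain=site.com; "
                   "Expires=Tue, 09 Aug 2011 14:38:43 GMT; Secure; HttpOnly")
# The Date from the slide-17 response, used as "now" so the lifetime check is deterministic.
SLIDE_NOW = datetime(2011, 8, 9, 13, 38, 43, tzinfo=timezone.utc)
SLIDE17_HEADERS = {"Date": "Tue, 09 Aug 2011 13:38:43 GMT", "Server": "...",
                   "X-Powered-By": "...", "Connection": "close",
                   "Content-Type": "text/html; charset=UTF-8"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'NAME=value; Attr=v; Flag' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, host: str, app_path: str = "/",
                 now: Optional[datetime] = None,
                 max_lifetime: timedelta = timedelta(hours=8)) -> List[str]:
    """Findings for one Set-Cookie header, following the slide-20 checklist (empty = clean)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: List[str] = []
    if not attrs.get("secure"):
        findings.append("Secure not set: cookie is also sent over plain http")
    if not attrs.get("httponly"):
        findings.append("HttpOnly not set: cookie readable from JavaScript")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
        findings.append(f"Domain={domain}: cookie shared with other hosts under that domain")
    path = attrs.get("path", "/")
    if app_path != "/" and str(path).rstrip("/") != app_path.rstrip("/"):
        findings.append(f"Path={path}: not scoped to {app_path}")
    lifetime = None
    max_age, expires = attrs.get("max-age"), attrs.get("expires")
    if isinstance(max_age, str) and max_age.isdigit():
        lifetime = timedelta(seconds=int(max_age))
    elif isinstance(expires, str):
        try:
            lifetime = parsedate_to_datetime(expires) - (now or datetime.now(timezone.utc))
        except (TypeError, ValueError):
            findings.append(f"Expires={expires}: unparseable date")
    # No Expires/Max-Age is a browser-session cookie, which is fine for a session ID.
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")
    return findings


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Slide 17: an authenticated page without anti-caching headers survives in the browser cache."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    out: List[str] = []
    if "no-store" not in h.get("cache-control", ""):
        out.append("Cache-Control lacks no-store: page may be kept in the browser cache")
    if "no-cache" not in h.get("pragma", ""):
        out.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if "expires" not in h:
        out.append("Expires missing")
    return out


def session_fixation_suspected(before_login: str, after_login: str) -> bool:
    """Slide 21: the same session ID before and after login means it was not regenerated."""
    return before_login == after_login
```

Run audit_cookie over every Set-Cookie line in the proxy log rather than just the session cookie; "remember me" and CSRF-token cookies have the same attribute requirements, and the Path finding only fires when the application actually lives under a sub-path.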

Page 22

Testing for Exposed Session Variables (OWASP-SM-004)

Session ID:

- In URL

- In POST

- In HTML

[P]

Page 23

Testing for CSRF (OWASP-SM-005)

Look at HTML code:

No anti-CSRF token = Vulnerable

Anti-CSRF token = Wait for ACTIVE testing ☺

[P]

Page 24

Testing for Bypassing Authorization Schema (OWASP-AZ-002)

Look at unauthenticated cross-site requests:

http://other-site.com/user=3&report=4

Referer: site.com

Change ids in application: [!]

http://site.com/view_doc=4

[P]

Page 25

Testing for DOM-based Cross site scripting (OWASP-DV-003)

Review JavaScript code on the page:

<script> document.write("Site is at: " + document.location.href + "."); </script>

[P]
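Reviewing the page's JavaScript means looking for a statement where attacker-influenced input (the URL, the referrer, window.name) reaches a sink that interprets HTML or script; the slide's one-liner has both in a single expression. The scanner below is an added example, not code from the talk: it does substring matching per statement rather than real data-flow analysis, so it finds the obvious case shown on the slide and misses flows through intermediate variables. The safe rewrite of the snippet is constructed.

```python
"""Heuristic scan of inline JavaScript for DOM XSS source-to-sink flows (added example)."""
import re
from typing import Dict, List

# Attacker-influenced inputs (sources) and HTML/script-interpreting outputs (sinks)
# as discussed for DOM-based XSS; substring matching, not real data-flow analysis.
SOURCES = ["document.location", "location.href", "location.search", "location.hash",
           "document.URL", "document.referrer", "window.name"]
SINKS = ["document.write", "innerHTML", "outerHTML", "insertAdjacentHTML", "eval(", "setTimeout("]

# The snippet from slide 25, and a constructed rewrite that uses textContent instead.
SLIDE_SNIPPET = '<script> document.write("Site is at: " + document.location.href + "."); </script>'
SAFE_SNIPPET = ('<script> var s = document.createElement("span"); '
                's.textContent = document.location.href; document.body.appendChild(s); </script>')
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def extract_scripts(html: str) -> List[str]:
    """Bodies of all inline <script> blocks in the page."""
    return SCRIPT_RE.findall(html)


def split_statements(script: str) -> List[str]:
    """Naive split on ';' (a ';' inside a string literal would split too)."""
    return [s for s in script.split(";") if s.strip()]


def find_flows(html: str) -> List[Dict[str, object]]:
    """Statements that reference at least one source and one sink."""
    findings: List[Dict[str, object]] = []
    for script in extract_scripts(html):
        for stmt in split_statements(script):
            sources = [s for s in SOURCES if s in stmt]
            sinks = [k for k in SINKS if k in stmt]
            if sources and sinks:
                findings.append({"statement": stmt.strip(), "sources": sources, "sinks": sinks})
    return findings


if __name__ == "__main__":
    print("slide snippet:", find_flows(SLIDE_SNIPPET))
    print("safe rewrite:", find_flows(SAFE_SNIPPET))
```

Treat each hit as a line to read by hand: the same scan that flags the slide's document.write reports nothing for the textContent version, which is the fix a reviewer would recommend.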

Page 26

Testing for Cross site flashing (OWASP-DV-004)

Download and decompile Flash files:

$ flare hello.swf

Static / manual analysis

[P]

Page 27

Testing: WS Information Gathering (OWASP-WS-001)

- Google searches: inurl:wsdl site:example.com

- Web service analysis:

http://www.example.com/ws/FindIP.asmx?WSDL

- Public services search:

http://seekda.com/

http://www.wsindex.org/

http://www.soapclient.com/

[P]

Page 28

Testing for WS Replay (OWASP-WS-007)

Similar to CSRF:

- Is there an anti-replay token in the request/response?

[P]

Page 29

Testing for file extensions handling (OWASP-CM-005)

_some_ attack traffic but subtle. File uploads:

- If upload.php or .asp, .html, .. is allowed by the app

- A valid GIF or JPG comment can be a valid PHP script, etc ..

- Difference from attack to legit can be subtle

- File uploads are POST = 99% not logged

[!!]

Page 30

Testing for user enumeration (OWASP-AT-002)

- Error messages

- Time differences!

Page 31

Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)

Subtle: look for signs of output encoding:

- O'Brien → O&apos;Brien

- O"Brien → O&quot;Brien or O%22Brien

- Ted..> → Ted..&gt; or Ted..%3E

- Ted,< → Ted,&lt; or Ted,%3C

Charset, etc..

[!]
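The "signs of output encoding" test is a comparison between what was typed into a form (a name with an apostrophe, a quote or an angle bracket) and how it comes back in the page: HTML-entity encoded, URL-encoded, or unchanged. The classifier below is an added example, not code from the talk; it reuses the probe/rendered pairs from the slide plus one constructed unencoded case. It decodes the rendered fragment both ways and reports which transformation explains it, with "raw" being the case that needs a closer look.

```python
"""Classify how a probe string came back in a page (added example, not from the talk)."""
import html
import urllib.parse
from typing import Dict

# Characters whose encoding matters for HTML/attribute context.
SPECIALS = "'\"<>&"

# Probe/rendered pairs from slide 31, plus a constructed unencoded case for "Ted,<".
SAMPLE_PAIRS = {
    "O'Brien": "O&apos;Brien",
    'O"Brien': "O%22Brien",
    "Ted..>": "Ted..&gt;",
    "Ted,<": "Ted,<",
}


def classify_reflection(probe: str, rendered: str) -> str:
    """One of: raw, html-encoded, url-encoded, absent, or a note that the probe proves nothing."""
    if not any(c in probe for c in SPECIALS):
        return "no special characters in probe"
    if probe in rendered:
        return "raw"  # the special characters came back untouched
    if probe in html.unescape(rendered):
        return "html-encoded"  # &apos; &quot; &lt; &gt; or numeric entities
    if probe in urllib.parse.unquote(rendered):
        return "url-encoded"  # %22 %3C %3E, typical for values placed in links
    return "absent"  # filtered, truncated or not reflected at all


def review(pairs: Dict[str, str]) -> Dict[str, str]:
    """Classify every probe/rendered pair; 'raw' entries are the ones to read in context."""
    return {probe: classify_reflection(probe, rendered) for probe, rendered in pairs.items()}


if __name__ == "__main__":
    for probe, verdict in review(SAMPLE_PAIRS).items():
        print(f"{probe!r:12} -> {verdict}")
```

A "raw" result is a sign, not a verdict: whether an unencoded apostrophe matters depends on the surrounding markup, and a "url-encoded" value in an HTML text node is just as worth a look as a raw one.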

Page 32

Testing for SQL Injection (OWASP-DV-005)

Do you get a SQL error?

- Strings: O'Brien

- IDs: Instead of "1" type "1l" or "1 l"

[!]

Page 33

Thank you

Special thanks to:

- OWASP Testing Guide contributors

- Mario Heiderich

- Chris John Riley

- Robin Wood

Abraham Aranguren

@7a_

[email protected]

http://7-a.org