BruCon 2011 Lightning talk winner: Web app testing without attack traffic
3 likes4,146 views
The document outlines various web application testing techniques that can be performed, many of which do not require permission, except in certain jurisdictions like Spain. It provides guidelines based on the OWASP testing guide, detailing methods for testing vulnerabilities, identifying application entry points, and analyzing the security of session management and user credentials. Additionally, the document emphasizes the importance of ethical considerations in testing practices.
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
- 1. Web app testing without attack traffic Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org
- 2. Intro 33% (22 out of 66) of the tests in the OWASP Testing guide can be legally* performed at least partially without permission * Except in Spain, where visiting a page can be illegal ☺
- 3. Legend Ethics/Scope legend: P P No Permission needed: No attack traffic ! Mild attack traffic / Could break things !! You better have written permission .. Vulnerable vs. Not Vulnerable legend: Vulnerable Not Vulnerable
- 4. Testing: Spiders, Robots, and Crawlers (OWASP-IG-001) P $ wget http://www.google.com/robots.txt Found: Analyse entries Not found: Indexing required?
- 5. Testing: Search engine discovery / reconnaissance (OWASP-IG-002) Google site:target.com filetype: inurl: P Metadata, DNS, Whois, Company info, staff, etc..
- 6. Testing: Identify application entry points (OWASP-IG-003) P Use a proxy and JUST browse the site Let the proxy log ALL requests Understand the site Chain ratproxy to your proxy for cool ideas ☺
- 7. Testing for Web Application Fingerprint (OWASP-IG-004) Get the banner: P $ curl –i –A “Mozilla ” http://target.com | more
- 8. Testing for SSL-TLS (OWASP-CM- 001) No traffic .. P
- 9. Testing for Admin Interfaces (OWASP-CM-007) 3rd party stuff on .NET ViewState, headers,.. P Telerik.Web.UI?? Google it!
- 10. Testing for Admin Interfaces (OWASP-CM-007) - continued Google for default passwords P
- 11. Testing for Admin Interfaces (OWASP-CM-007) – continued !!
- 12. Testing for Admin Interfaces (OWASP-CM-007) - continued !!
- 13. Testing for HTTP Methods and XST (OWASP-CM-008) An OPTIONS request is quite normal: P curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: Apache/2.0.63 (Unix) Allow: GET,HEAD,POST,OPTIONS,TRACE Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
- 14. Testing for credentials transport (OWASP-AT-001) Is the login page on “http” instead of “https”? P
- 15. Testing for Default or Guessable User Account (OWASP-AT-003) Analyse the username(s) they gave you to test: P Username based on numbers? USER12345 Username basic on public info? (i.e. names, surnames, ..) name.surname
- 16. Vulnerable Remember Password and Pwd Reset (OWASP-AT-006) Is autocomplete set to off? P <form autocomplete=“off”> or <input autocomplete=“off”> Look at the questions or fields in the password reset form
- 17. Testing for Logout and Browser Cache Management (OWASP-AT-007) Easy test: Login + Logout + Back button P Or no caching headers / not expiring session cookie: HTTP/1.1 200 OK Date: Tue, 09 Aug 2011 13:38:43 GMT Server: . X-Powered-By: . Connection: close Content-Type: text/html; charset=UTF-8
- 18. Testing for Captcha (OWASP-AT- 008) Can be done offline: P Download image and try to break it Look for signs of weak third party components PWNtcha - captcha decoder
- 19. Testing for Session Management Schema (OWASP-SM-001) Examine cookies for weaknesses offline P Base64 MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFz c3dvcmQ6MTU6NTg= Is owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
- 20. Testing for cookies attributes (OWASP-SM-002) Secure: not set = no https P HttpOnly: not set = cookies stealable via JS Domain: set properly Path: set to the right /sub-application Expires: set reasonably
- 21. Testing for Session Fixation (OWASP-SM-003) Session ID NOT changed after login = Vuln P Before Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c After Login PHPSESSID: 10a966616e8ed63f7a9b741f80e65e3c
- 22. Testing for Exposed Session Variables (OWASP-SM-004) Session ID: P In URL In POST In HTML
- 23. Testing for CSRF (OWASP-SM-005) Look at HTML code: P No anti-CSRF token = Vulnerable Anti-CSRF token = Wait to ACTIVE testing ☺
- 24. Testing for Bypassing Authorization Schema (OWASP-AZ-002) Look at unauthenticated cross-site requests: P http://other-site.com/user=3&report=4 Referer: site.com Change ids in application: ! http://site.com/view_doc=4
- 25. Testing for DOM-based Cross site scripting (OWASP-DV-003) Review JavaScript code on the page: P <script> document.write("Site is at: " + document.location.href + "."); </script>
- 26. Testing for Cross site flashing (OWASP-DV-004) Download and decompile Flash files: P $ flare hello.swf Static / Manual analysis
- 27. Testing: WS Information Gathering (OWASP-WS-001) Google searches: inurl:wsdl site:example.com P Web service analysis: http://www.example.com/ws/FindIP.asmx?WSDL Public services search: http://seekda.com/ http://www.wsindex.org/ http://www.soapclient.com/
- 28. Testing for WS Replay (OWASP-WS- 007) Similar to CSRF: P Is there an anti-replay token in the request/response?
- 29. Testing for file extensions handling (OWASP-CM-005) _some_ attack traffic but subtle. File Uploads: !! If upload.php or .asp, .html, .. is allowed by app A valid GIF or JPG comment can be a valid PHP script, etc .. Difference from attack to legit can be subtle File uploads are POST = 99% not logged
- 30. Testing for user enumeration (OWASP-AT-002) Error messages ! Time differences
- 31. Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2) Subtle look for signs of output encoding: ! O’Brien O'Brien O”Brien O"Brien or O%22Brien Ted..> Ted..> or Ted..%3E Ted,< Ted,.< or Ted..%3C Charset, etc..
- 32. Testing for SQL Injection (OWASP- DV-005) Do you get a SQL error? ! Strings: O’Brien IDs: Instead of “1” type “1l” or “1 l”
- 33. Thank you Abraham Aranguren @7a_ abraham.aranguren@gmail.com http://7-a.org Special thanks to: OWASP Testing Guide contributors Mario Heiderich Chris John Riley Robin Wood