Codefest2015
2 likes1,531 views
This document provides a checklist and guidance for basic web application security testing in quality assurance. It outlines 10 areas to focus testing on: 1) information disclosure, 2) SSL/TLS, 3) slow HTTP denial of service attacks, 4) HTTP host header attacks, 5) login page over HTTPS, 6) same site scripting, 7) secure headers, 8) cross domain policy, 9) session management, and 10) URL validation. For each area, it describes the security weakness, examples of attacks, and tools that can be used to test for those weaknesses. The document is intended to help integrate an attacker perspective into QA test plans and deliver risk-based security testing.
Codefest2015
- 1. Basic Web Application Security Testing in QA Denis Kolegov Sr. Security Test Engineer, PhD F5 Networks, Tomsk State University
- 2. Who Am I? • Sr. Security Test Engineer at F5 Networks • PhD, associate professor at TSU’s Information Security and Cryptography Department • Speaker – Positive Hack Days, Zero Nights, SibeCrypt • OWASP SCG, BeEF, Metasploit contributor
- 3. Introduction • BSIMM security testing (Gary McGraw) – Enhance QA beyond functional perspective – Integrate the attacker perspective into test plans – Deliver risk-based security testing • Hack yourself first (Troy Hunt) – This approach advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them
- 5. Checklist 1. Information disclosure 2. SSL/TLS 3. Slow HTTP DoS attacks 4. HTTP host header attacks 5. Login page over HTTPS 6. Same site scripting 7. Secure headers 8. Cross domain policy 9. Session management 10. URL validation
- 6. Information Disclosure • Scope – Web management interfaces – Web application reverse proxies – Error pages • Services – Goggle Search Engine – Shodan • Weaknesses – Indexing by search engines – Hardcoded keywords on error pages – Keywords in HTTP response headers
- 7. Information Disclosure • Shodan – cisco – bitrix – VMware • Google – intitle: "VMware Horizon View Administrator" – inurl:"portal/webclient/views/mainUI.html" – intitle:"Welcome to VMware ESX"
- 8. Information Disclosure • Test robots.txt User-agent: * Disallow: / • Test meta tag <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"> • Test that it is possible to delete or change default keywords via customization tool
- 9. SSL/TLS Testing • Testing with OpenSSL – Trustworthy checks – Old versions (0.9.8k) • Qualys SSL Labs – SSL Server Test – SSL Client Test – SSL/TLS Best Practices – API • Tools – sslscan – sslyze – ssllabs-scan
- 10. Client-Initiated Renegotiation DoS Test • Testing with OpenSSL openssl s_client –connect test.com:443 GET / HTTP/1.1 Host: test.com R … R CRLF • Proof of concept with exploit thc-ssl-dos --accept test.com 443
- 11. Slow HTTP DoS Testing • Attacks – Slowloris (slow headers) – Slow HTTP POST (slow body) – Slow Read • Apache is generally the most vulnerable server • Nginx, IIS, lighthttpd are also can be vulnerable to these attacks • Tools – https://code.google.com/p/slowhttptest/ – slowloris.pl
- 12. Slow HTTP DoS Testing • Slowloris slowhttptest -u "https://test.com/" -c 8000 -l 400 -r 4000 -i 15 -x 400 • Slow HTTP Post slowhttptest -u https://test.com/ -B -c 8000 -l 400 -r 4000 -i 15 -x 400 • Slow Read slowhttptest -u "https://test.com/js/bigfile" -X -c 5000 -r 4000 -l 400 -k 5 -n 10 -w 10 -y 300 -z 1
- 13. Same Site Scripting • DNS misconfiguration – xyz.target.com with A-record to 127.0.0.1 – xyz.target.com with A-record to private address (RFC 1918) • In multi-users system an attacker can run network service on loopback and then eavesdrops users’ cookies 1. Run "nc –lv 10024" 2. Send email with <img src=“http://xyz.target.com:10024”> • An attacker can connect to public network with the same network address and publish resource link to xyz.target.com. All users in the same public network who accessed this resource send cookies to an attacker
- 14. Same Site Scripting • Testing – nslookup localhost.target.com – DNS enumeration • Examples – https://hackerone.com/reports/1509 – https://hackerone.com/reports/7949
- 15. Login Page over HTTPS • The initial login page must be served over TLS • The login page and all subsequent authenticated pages must be exclusively accessed over TLS Troy Hunt©. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
- 16. HTTP Secure Headers • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Strict-Transport-Security • Access-Control-Allow-Origin • Content-Security-Policy
- 17. X-Frame-Options • All about Clickjacking? • What an attacker can do – Bypass some XSS filters – Bypass XSS length restrictions – Bypass CSP via browser vulnerabilities • X-Frame-Options is an additional layer of defense against XSS
- 18. Access-Control-Allow-Origin • Access-Control-Allow-Origin is apart of the CORS specification • Access-Control-Allow-Origin: * means that the resource can be accessed by any domain in a cross-site manner • Examples – https://hackerone.com/reports/13551 – https://hackerone.com/reports/6268
- 19. Secure Headers Testing • X-Content-Type-Options: nosniff • X-Frame-Option: DENY | SAMEORIGIN • Strict-Transport-Security: max-age=31536000; includeSubDomains • X-XSS-Filter: 1; mode=block
- 20. Host Header Attacks • Weakness: a web server handles HTTP requests with arbitrary or invalid Host header • Attacks – DNS rebinding – Stored XSS – Password reset poisoning – Web-cache poisoning • Examples – https://hackerone.com/reports/13286 – https://hackerone.com/reports/487
- 21. Cross Domain Policy • A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, etc. use to access data across different domains • Files – crossdomain.xml – clientaccesspolicy.xml • Example of configuration weakness <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy> • Example – https://hackerone.com/reports/43070
- 22. Session Management • Test that session is invalidated when user logs out • Session ID is sent in HTTP cookie or header and never disclosed in URLs • Test that session ID is changed when user performs critical action – Login, logout – Password changing – Session expiration, reauthentication OWASP ASVS project
- 23. URL Validation • Weakness: insufficient input validation for URL data • Test vectors (http://test.com/foo/bar?param=value) – GET /3fb5e7a4f814d790'"<>/%2e%2e/foo/bar?param=value HTTP/1.1 – GET /foo/3fb5e7a4f814d790'"<>/%2e%2e/bar?param=value HTTP/1.1 – GET /foo/bar/3fb5e7a4f814d790'"<>/%2e%2e/?param=value HTTP/1.1 – GET /foo/bar.baz/3fb5e7a4f814d790'"<>?param=value HTTP/1.1 • Attacks – XSS – CRLF-injection (HTTP Response Splitting) – Open Redirect – Secret token leakage Sergey Bobrov©. http://habrahabr.ru/company/pt/blog/247709
- 24. URL Validation Sergey Bobrov©. http://habrahabr.ru/company/pt/blog/247709
- 25. Bibliography 1. Vladimir Kochetkov. How to Develop a Secure Web Application and Stay in Mind? 2. OWASP Testing Guide v4 3. The Building Security In Maturity Model 4. Qualys SSL LABS 5. SSL/TLS Checklist for Pentesters 6. Sergey Shekyan. Testing Web Servers for Slow HTTP Attacks 7. Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection 8. Sergey Belov. Show Me Impact 9. Frederik Braun and Mario Heiderich. X-Frame-Options: All about Clickjacking? 10.Guidelines for Setting Security Headers 11.Sergey Bobrov. Yet Another Vulnerability in Facebook
- 26. @dnkolegov Denis Kolegov Sr. Security Test Engineer, PhD F5 Networks, Tomsk State University Questions? dnkolegov@gmail.com