OWASP Europe Summit Portugal 2008. Web Application Assessments
1 like2,006 views
The document presents a guide on web application assessments focusing on reconnaissance and profiling techniques essential for penetration testing. It covers stages such as web application discovery, information gathering, and attack vectors analysis with examples from real-world vulnerabilities. Key strategies and tools for identifying security flaws are discussed to enhance the effectiveness of security assessments.
![1. Introduction
Physical world example: “The terrible event of New York of
September 11, 2001”
1996: a terrorist presented the idea to Osama bin Laden.(*)
[I want to attack a webapp]
1999: target selections and arrange travel for the
hijackers.(*) [Application Discovery]
2000: terrorists took flying lessons. (*) [Information Gathering]
The terrorists carried out maps, photos and videos, as well
as analysis. (*) [Attack Vectors Analysis]
2001: The attack is running in a few hours. (*) [Exploit]
Years of preparation to carry out an attack within
hours!(*)http://en.wikipedia.org/wiki/September_11_attacks
OWASP
8](https://image.slidesharecdn.com/owaspsummitportugal08-webapplicationassessments-131204071546-phpapp02/85/OWASP-Europe-Summit-Portugal-2008-Web-Application-Assessments-8-320.jpg)
![2. Stage I: Web Application Discovery
Hidden applications based on different base URL
Suppose that http[s]://www.example.com return:
"No web server configured at this address" (or a similar
message).
But there may be accessible applications:
http[s]://www.example.com/app1
http[s]://www.example.com/somepath/app2
http[s]://www.example.com/some-strange-URL
OWASP
12](https://image.slidesharecdn.com/owaspsummitportugal08-webapplicationassessments-131204071546-phpapp02/85/OWASP-Europe-Summit-Portugal-2008-Web-Application-Assessments-12-320.jpg)
![2. Stage I: Web Application Discovery
Hidden applications based on non-standard ports
The application can not be in the 80 or 443 ports
For example:
http[s]://www.example.com:35000
OWASP
14](https://image.slidesharecdn.com/owaspsummitportugal08-webapplicationassessments-131204071546-phpapp02/85/OWASP-Europe-Summit-Portugal-2008-Web-Application-Assessments-14-320.jpg)
OWASP Europe Summit Portugal 2008. Web Application Assessments
- 1. Web Application Assesments: Reconnaisance and Profiling November 6th, 2008 Faro (Portugal) Vicente Aguilera Díaz OWASP Spain Chapter Leader CISA,CISSP,ITIL,CEH|I,OPST,OPSA vicente.aguilera@owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
- 2. About the instructor Vicente Aguilera Díaz CISA, CISSP, ITIL, CEH Instructor, OPST, OPSA Co-founder of Internet Security Auditors OWASP Spain Chapter Leader Contributor at OWASP Testing Guide v2, WASC Threat Classification v2, WASC Articles and OISSG ISSAF projects. Technical council member of the spanish magazine RedSeguridad Rewarded in 2008 by the spanish magazine SIC Publication of vulnerabilities (Oracle,Squirrelmail, ...) and speaker at security conferences (OWASP, RedIRIS, HackMeeting, FIST, IGC) about WebAppSec OWASP 2
- 4. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 4
- 5. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 5
- 6. 1. Introduction Reconnaissance is the initial phase of any application pentest Requires the most time of an attack process Involves manual and automated techniques More information = attacks with more success Any information is useful It's necessary to understand the application Before executing an attack is necessary to develop a methodically plan OWASP 6
- 7. 1. Introduction Scope of this presentation Pentester I want to attack a webapp Application Discovery Information Gathering Attack Vectors Analysis Target Identification Reconnaisance and Profiling Specific Testing Design Exploit! Hacker OWASP 7
- 8. 1. Introduction Physical world example: “The terrible event of New York of September 11, 2001” 1996: a terrorist presented the idea to Osama bin Laden.(*) [I want to attack a webapp] 1999: target selections and arrange travel for the hijackers.(*) [Application Discovery] 2000: terrorists took flying lessons. (*) [Information Gathering] The terrorists carried out maps, photos and videos, as well as analysis. (*) [Attack Vectors Analysis] 2001: The attack is running in a few hours. (*) [Exploit] Years of preparation to carry out an attack within hours!(*)http://en.wikipedia.org/wiki/September_11_attacks OWASP 8
- 9. 1. Introduction Key stages: Stage I: Web Application Discovery Stage II: Information Gathering Stage III: Attack Vectors Analysis OWASP 9
- 10. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 10
- 11. 2. Stage I: Web Application Discovery For a pentest is necessary to test all web applications accessibles through the target A web server can hide different applications. How? 1. Different base URL 2. Non-standard ports 3. Virtual hosts OWASP 11
- 12. 2. Stage I: Web Application Discovery Hidden applications based on different base URL Suppose that http[s]://www.example.com return: "No web server configured at this address" (or a similar message). But there may be accessible applications: http[s]://www.example.com/app1 http[s]://www.example.com/somepath/app2 http[s]://www.example.com/some-strange-URL OWASP 12
- 13. 2. Stage I: Web Application Discovery Hidden applications based on different base URL How to discovery these applications? Taking advantage of directory browsing References from other(s) web page(s) Analyzing the application code Probing for URLs candidates. For example: – /admin/ – /downloads/ – /partners/ Resources enumeration/discovery tools: – DirBuster OWASP 13
- 14. 2. Stage I: Web Application Discovery Hidden applications based on non-standard ports The application can not be in the 80 or 443 ports For example: http[s]://www.example.com:35000 OWASP 14
- 15. 2. Stage I: Web Application Discovery Hidden applications based on non-standard ports How to discovery these applications? Require a full scan of the whole 64k TCP port address space Example: nmap –PN –sT –sV –p0-65535 <ip> Observe the response to a request (using a HTTP method) on the port detected will allow confirm the discovery OWASP 15
- 16. 2. Stage I: Web Application Discovery Hidden applications based on virtual hosts A single IP address can have associate one or more symbolic names. For example, the IP address 192.168.1.61 might be associated to DNS names: www.example.com webmail.example.com intranet.example.com OWASP 16
- 17. 2. Stage I: Web Application Discovery Hidden applications based on virtual hosts How to discovery these applications? DNS zone transfers dig @dns domain -t AXFR DNS inverse queries dig @dns -x <IP> Web-based DNS searches http://searchdns.netcraft.com/?host=microsoft.com http://whois.webhosting.info/x.x.x.x http://search.msn.com (syntax: "ip:x.x.x.x") Googling OWASP 17
- 18. 2. Stage I: Web Application Discovery A penetration test or an application-focused assessment must identify all the applications available, and select those that are part of scope to analyze Each application discovered can have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or data exploitation Security through obscurity is a weak security control It is necessary to implement additional security layers at different levels As result of this stage, we have a list of webapp targets: IP(s), domain(s), URL(s) OWASP 18
- 19. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 19
- 20. 3. Stage II: Gathering Information Main purpose: To create a base of knowledge useful in later stages (attacks?) The information should be as accurate as possible The information obtained will allow drive the attacks The questions are... Which issues should be reviewed? How obtain useful information? OWASP 20
- 21. 3. Stage II: Gathering Information Which issues should be reviewed? Relatives to: Platform Application Users Attack surface How to obtain useful infomation? Through: Search engines Information repositories (including people!) – http://www.nettrace.com.au/resource/search/people.html The target application OWASP 21
- 22. 3. Stage II: Gathering Information Platform Technologies Web/Application servers Authentication type and resources Database fingerprinting OS fingerprinting Third-party components OWASP 22
- 23. 3. Stage II: Gathering Information Platform : Technologies Technologies analysis For example: ASP.NET, JSP, PHP, Javascript, CGIs How? File extension – .aspx : .NET application Error messages – .NET errors : .NET application – Stack Traces : Java – Source code revelation Code Analysis – public code (and private downloaded code!) Cookies: JSPSESSIONID, PHPSESSIONID OWASP 23
- 24. 3. Stage II: Gathering Information Platform : Web/Application servers Web/Application servers analysis For example: IIS/6.0, Tomcat, WebLogic Server 10 How? HTTP Headers analysis – Headers specifics – Response codes and code messages Error pages Tools: – netcat – HTTPrint OWASP 24
- 25. 3. Stage II: Gathering Information Platform : Authentication type and resources Authentication type and resources analysis For example: form based, HTTP basic, NTLM Which information is used? Resources: For example: – /admin/ – /intranet/login.jsp How? Application browsing Resources discovery HTTP Headers analysis OWASP 25
- 26. 3. Stage II: Gathering Information Platform : Database fingerprinting Database usage/type analysis For example: SQL Server, Oracle, MySQL How? Error messages Probing different SQL injections – Database specifics Public documentation about the webapp? Database fingerprinting tools OWASP 26
- 27. 3. Stage II: Gathering Information Platform : OS Fingerprinting OS Fingerprinting analysis For example: Windows 2000 SP2, Linux, CISCO IOS How? Simple: forcing the system to display the banner TCP-based techniques Tools – www.netcraft.com – p0f – nmap OWASP 27
- 28. 3. Stage II: Gathering Information Platform / Third-party components Third-party components analysis For example: banners, embedded code How? Browsing the application OWASP 28
- 29. 3. Stage II: Gathering Information Application Standard software Purpose Web based administration Client/Server side validation Features related to authentication Session state Anti-automation systems Error handling OWASP 29
- 30. 3. Stage II: Gathering Information Application : Standard software Standard software analysis For example: Drupal, Wordpress, phpBB How? Search for known resources at known locations Error messages pages Client code analysis OWASP 30
- 31. 3. Stage II: Gathering Information Application : Purpose Purpose analysis For example: Web Banking, Ticket Sales, CRM How? Browsing the application Client code analysis Resources enumeration/discovery OWASP 31
- 32. 3. Stage II: Gathering Information Application : Web based administration Web based administration analysis For example: /backdoor, /admin How? Browsing the application Evade access restrictions Creating an account in the application robots.txt OWASP 32
- 33. 3. Stage II: Gathering Information Application : Client/Server side validation Client/Server side validation analysis For example: only client side validation How? Removing restrictions on the client side Forcing entry parameters to certain values OWASP 33
- 34. 3. Stage II: Gathering Information Application : Features related to authentication Features related to authentication analysis For example: password recovery, user registration How? Browsing the application Creating an account in the application Analyzing which funcionalities allow to auth a user OWASP 34
- 35. 3. Stage II: Gathering Information Application : Session state Session state analysis For example: session cookie, hidden field, URL How? Analyzing requests in authenticated mode Reviewing application cookies Client code analysis OWASP 35
- 36. 3. Stage II: Gathering Information Application : Anti-automation systems Anti-automation systems analysis For example: captchas, lock account How? Identify which features can be executed by an automated process Identify the mechanism(s) that not allow an automated process OWASP 36
- 37. 3. Stage II: Gathering Information Application : Error handling Error handling analysis For example: customized error pages, display controlled/not controlled error messages, How? Analyzing error scenarios Provoking error situations that may not be controlled by the application OWASP 37
- 38. 3. Stage II: Gathering Information Users Roles Application users typology OWASP 38
- 39. 3. Stage II: Gathering Information Users : Roles Roles analysis For example: administrator, manager, demo, standard user How? Analyzing client code Spoofing users Evade access restrictions OWASP 39
- 40. 3. Stage II: Gathering Information Users : Application users typology Application users typology analysis For example: internal users, partners, public How? Browsing the application Analyzing client code OWASP 40
- 41. 3. Stage II: Gathering Information Attack Surface Analysis Elements: Code Entry points Services Protocols OWASP 41
- 42. 3. Stage II: Gathering Information Attack Surface Analysis : Code Always will find vulnerabilities in the code More code = more vulnerabilities The aim of this stage is to identify/enumerate all the accessible code The public code and the code accessible by remote users is particularly sensitive OWASP 42
- 43. 3. Stage II: Gathering Information Attack Surface Analysis : Entry points It's necessary to identify all the entry points to the application More entry points = more attack vectors Some examples of entry points: URL parameter Hidden field Cookie OWASP 43
- 44. 3. Stage II: Gathering Information Attack Surface Analysis : Services The excess of services increases the exposure area It's interesting to detect the privileges level with which you access these services The aim of this stage is to identify/enumerate all the services availables and their privilege level OWASP 44
- 45. 3. Stage II: Gathering Information Attack Surface Analysis : Protocols The most importants: TCP / UDP UPD increases the attack surface The aim of this stage is to identify/enumerate all the protocols availables OWASP 45
- 46. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 46
- 47. 4. Stage III: Attack Vectors Analysis On the basis of information gathered in previous phases, it is possible to identify the attack vectors most likely to succeed Standard software? Disk access? Database access? Which information is used to authenticate a user? Anti-automation systems? Third-party components? Relationships with other systems? Critical operations? OWASP 47
- 48. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 48
- 49. 5. Examples in the real world Exploiting real vulnerabilities in real applications from the Real Santa Eulália Hotel: IMAP/SMTP Injection in Squirrelmail CSRF in Gmail ??? in Oracle OWASP 49
- 50. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Suppose that we have obtained the next information from the previous stages: Application Discovery: http://x.x.x.x/sm/login.php Information Gathering: Squirrelmail 1.4.4 Attack Vectors Analysis: IMAP/SMTP Injection OWASP 50
- 51. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Remember... IMAP/SMTP Injection: allows for arbitrary injection of IMAP or SMTP commands to the mail servers through a web application improperly validating user supplied data. OWASP 51
- 52. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Some examples of attacks: Exploitation of vulnerabilities in the IMAP/SMTP protocol Application restrictions evasion Anti-automation process evasion Information leaks Relay/SPAM The attack process: Identify vulnerable parameters Understanding the parameter and the context IMAP/SMTP command injection OWASP 52
- 53. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Detection and exploit! DEMO Executing arbitrary IMAP commands (blind injection?) Evading restrictions (CAPTCHA) Port scanning internal systems OWASP 53
- 54. 5. Examples in the real world CSRF in Gmail Suppose that we have obtained the next information from the previous stages: Application Discovery: https://www.google.com/accounts/ServiceLogin Information Gathering: Google webmail Attack Vectors Analysis: CSRF (Cross-site Request Forgery) OWASP 54
- 55. 5. Examples in the real world CSRF in Gmail Remember... CSRF (Cross-site Request Forgery): forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. OWASP 55
- 56. 5. Examples in the real world CSRF in Gmail Detection and exploit! DEMO What has happened to your Gmail password? OWASP 56
- 57. 5. Examples in the real world ??? in Oracle I can not reveal details of this vulnerability because it's an UNPUBLISHED vulnerability What allow the exploitation of this vulnerability? Access to the target file system Possible execution of arbitrary operating system commands OWASP 57
- 58. 5. Examples in the real world ??? in Oracle Downloading the /etc/passwd and /etc/hosts files: OWASP 58
- 59. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 59
- 60. 6. References Professional Pen Testing for Web Applications Andres Andreu The Security Development Lifecycle Michael Howard and Steve Lipner MX Injection: Capturing and Exploiting Hidden Mail Servers http://www.webappsec.org/projects/articles/121106.shtml OWASP Development Guide http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Testing Guide http://www.owasp.org/index.php/Category:OWASP_Testing_Project and ALL the OWASP Projects! http://www.owasp.org OWASP 60
- 61. Thank's! Any question? All your comments will be appreciated vicente.aguilera@owasp.org vaguilera@isecauditors.com OWASP 61