LPTv4 Module 28 Application Penetration Testing_NoRestriction

ECSA/LPT EC-Council Module XXVIII: Application Penetration Testing

Upload: mahmoud-eladawi

Post on 08-Nov-2014

TRANSCRIPT

Page 1: LPTv4 Module 28 Application Penetration Testing_NoRestriction

ECSA/LPT

EC-Council

Module XXVIII

Application Penetration Testing

Penetration Testing Roadmap

Start Here

Information Gathering

Vulnerability Analysis

External Penetration Testing

Firewall Penetration Testing

Router and Switches Penetration Testing

Internal Network Penetration Testing

IDS Penetration Testing

Wireless Network Penetration Testing

Denial of Service Penetration Testing

Password Cracking Penetration Testing

Stolen Laptop, PDAs and Cell Phones Penetration Testing

Social Engineering Penetration Testing

Application Penetration Testing

Cont’d

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont’d)

Cont’d

Physical Security Penetration Testing

Database Penetration Testing

VoIP Penetration Testing

Virus and Trojan Detection

War Dialing

VPN Penetration Testing

Log Management Penetration Testing

File Integrity Checking

Blue Tooth and Hand held Device Penetration Testing

Telecommunication And Broadband Communication Penetration Testing

Email Security Penetration Testing

Security Patches Penetration Testing

Data Leakage Penetration Testing

End Here

Application Testing

Software testing is an integral part of the software development process.

Application testing involves:

• Software application testing.

• Web application testing.

What is a Defect?

A defect is an abnormality or malfunction from product specifications.

Example: if the specifications say that “spellcheck” is to be added to the mortgage application, and the final product does not include the “spellcheck” feature, then it is a defect.

Defects vs. Failures

A defect is incorporated into the software application system.

A defect that causes an error in operation or negatively impacts a user/customer is called a failure.

Defect Ratio

It is estimated that leading software developers were producing software with production defect rates of one defect per 30,000 lines of source code.

Requirements and Design Testing

Test the following:

• Who can access the program?

• Are there different classes of users?

• Does each class of user have the correct functionality?

• Can a user of one class obtain additional privileges?

Web Applications Penetration Testing

Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.

What is a Web Application?

A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.

Web Application Penetration Testing Steps

1 • Fingerprinting the web application environment

2 • Investigate the output from HEAD and OPTIONS HTTP requests

3 • Investigate the format and wording of 404/other error pages

4 • Test for recognized file types/extensions/directories

5 • Examine source of available pages

6 • Manipulate inputs in order to elicit a scripting error

7 • Test inner working of a web application

8 • Test database connectivity

9 • Test the application code

Web Application Penetration Testing Steps (cont’d)

10 • Testing the use of GET and POST in web application

11 • Test for parameter-tampering attacks on website

12 • Test for URL manipulation

13 • Test for cross site scripting

14 • Test for hidden fields

15 • Test cookie attacks

16 • Test for buffer overflows

17 • Test for bad data

18 • Test client-side scripting

Web Application Penetration Testing Steps (cont’d)

19 • Test for known vulnerabilities

20 • Test for race conditions

21 • Test with user protection via browser settings

22 • Test for command execution vulnerability

23 • Test for SQL injection attacks

24 • Test for blind SQL injection

25 • Test for session fixation attack

26 • Test for session hijacking

27 • Test for XPath injection attack

Web Application Penetration Testing Steps (cont’d)

28 • Test for server side include injection attack

29 • Test for logic flaws

30 • Test for binary attacks

31 • Test for XML structural

32 • Test for XML content-level

33 • Test for WS HTTP GET parameters/REST attacks

34 • Test for naughty SOAP attachments

35 • Test for WS replay

Step 1: Fingerprinting the Web Application Environment

One of the first steps of the penetration test should be to identify the web application environment, including the scripting language and web server software in use, and the operating system of the target server.

Step 2: Investigate the Output from HEAD and OPTIONS HTTP Requests

The header and any page returned from a HEAD or OPTIONS request will usually contain a SERVER: string or similar detailing the web server software version and possibly the scripting environment or operating system in use.

OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 Jun 2003 11:02:45 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

Step 3: Investigate the Format and Wording of 404/Other Error Pages

Some application environments (such as ColdFusion) have customized, and therefore easily recognizable, error pages, and will often give away the software versions of the scripting language in use.

Step 4: Test for Recognized File Types/Extensions/Directories

Many web servers (such as Microsoft IIS) will react differently to a request for a known and supported file extension than to a request for an unknown extension.

The tester should attempt to request common file extensions such as .ASP, .HTM, .PHP, .EXE and watch for any unusual output or error codes.

GET /blah.idq HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 Jun 2003 11:12:24 GMT
Content-Type: text/html

<HTML>The IDQ file blah.idq could not be found

Step 5: Examine Source of Available Pages

The source code from the immediately accessible pages of the application front-end may give clues as to the underlying application environment.

<title>Home Page</title>
<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
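The clues in steps 2, 4 and 5 (Server banners, advertised WebDAV methods, generator meta tags) are just as useful to the defender who wants to confirm that their own responses no longer give them away. The following checker is an added example written for this page, not code from the EC-Council module; the response it parses is constructed from the slide's OPTIONS output and page source, and the lists of version-bearing headers and risky methods are this example's own choices.

```python
import re

# Constructed sample: the OPTIONS response from step 2 and the page source from
# step 5, combined into a single raw HTTP response for the checker to parse.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Home Page</title>"
    '<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">'
    '<meta content="C#" name="CODE_LANGUAGE"></head><body></body></html>'
)

# Methods that permit writes (WebDAV) or echo the request (TRACE); advertising
# them is a finding even before any of them is exercised.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "MOVE", "COPY", "MKCOL",
                 "PROPPATCH", "LOCK", "UNLOCK", "SEARCH"}
# Headers that commonly carry a product version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw):
    """Return a list of human-readable findings for one response."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        if name in headers and re.search(r"\d", headers[name]):
            findings.append(f"version disclosed in {name}: {headers[name]}")
    for name in ("allow", "public"):
        advertised = {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}
        risky = sorted(advertised & RISKY_METHODS)
        if risky:
            findings.append(f"risky methods advertised in {name}: {', '.join(risky)}")
    if "dav" in headers:
        findings.append("WebDAV enabled (DAV header present)")
    # Generator/language meta tags reveal the development environment (step 5).
    for m in re.finditer(r'<meta\s+content="([^"]*)"\s+name="(GENERATOR|CODE_LANGUAGE)"',
                         body, re.I):
        findings.append(f"meta {m.group(2).upper()} reveals {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_RESPONSE):
        print("-", finding)
```

Run against the constructed response it reports the IIS version, the write-capable methods in both Public and Allow, the DAV header and both meta tags; a response with none of these yields an empty list, which is the state a hardening pass should leave the server in.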

Step 6: Manipulate Inputs in Order to Elicit a Scripting Error

In the example below, the most obvious variable (ItemID) has been manipulated to fingerprint the web application environment:

Step 7: Test Inner Working of a Web Application

JavaScript and other client-side code can also provide many clues as to the inner workings of a web application.

<INPUT TYPE="SUBMIT" onClick="if (document.forms['product'].elements['quantity'].value >= 255) {document.forms['product'].elements['quantity'].value=''; alert('Invalid quantity'); return false;} else {return true;}">

This suggests that the application is trying to protect the form handler from quantity values of 255 or more - the maximum value of a tinyint field in most database systems.

Step 8: Test Database Connectivity

Applications may require access to servers such as databases.

Access rights should be limited to the minimum rights required.

Access rights should be limited for the duration that access is necessary.

Check for a target application “administrator” (unrestricted) access rights.

Step 9: Test the Application Code

Test for backdoors:

• Backdoors may be created by the developers to facilitate debugging and troubleshooting.

Test for exception handling and failure notification.

Test for login IDs and passwords.

Check for the misuse of superuser accounts.

Step 9: Test the Application Code (cont’d)

Look for IDs and passwords “in the clear” when connecting to and accessing servers, directories, databases, and other resources.

Test for comments in the HTML code that might reveal user ID and password information, code paths, or directory and executable file names.

Test for error messages that reveal server name, root directory name, or other pertinent information about the servers.

Random Numbers vs. Unique Numbers

Check for random and unique numbers.

Developers sometimes will use a random number when what they really want is a unique number.

It is important to distinguish between these two concepts.

In randomness, the same number may come up several times.

Step 10: Testing the Use of GET and POST in Web Application

When a user clicks on a link in the page to go to an externally linked website, the browser will send the URL information to the linked site as part of the REFERRER information.

Sensitive information is leaked in GET requests.

POST commands use the HTTP body to handle information.

The information is hidden from view during POST.

Use POST instead of GET.

Step 11: Test for Parameter-Tampering Attacks on Website

Try to manipulate the URL strings to retrieve sensitive information:

• Example: By visiting www.xsecurity.com/bank_acct001.pdf, you can retrieve a report on your bank account activities.

• What happens if you replace bank_acct001.pdf by bank_acct002.pdf? Will you be able to get a report for another savings account for which you do not have authorization?

Step 12: Test for URL Manipulation

Modify the URL of the website by trying different values.

Example:

• http://targetsite/forum/?cat=2

• http://targetsite/forum/?cat=6
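The bank_acct001/bank_acct002 case in step 11 and the ?cat=2/?cat=6 case in step 12 fail for the same reason: the server uses the identifier in the URL to locate the object but never asks whether the current user is allowed to see it. The handler below is an added example written for this page, not code from the EC-Council module; the ownership table, report contents and the bank_acctNNN.pdf naming are constructed to match the slide, and a real application would make the same decision with a query that includes the authenticated user as a predicate.

```python
import re

# Constructed data: which user owns which report, and the report bytes themselves.
ACCOUNT_OWNERS = {"bank_acct001": "alice", "bank_acct002": "bob"}
REPORTS = {"bank_acct001": b"%PDF report for acct001",
           "bank_acct002": b"%PDF report for acct002"}
ACCT_RE = re.compile(r"bank_acct\d{3}")   # the only identifier shape this handler serves


def fetch_report_vulnerable(path):
    """Trusts the URL alone: any logged-in user can swap 001 for 002."""
    name = path.rsplit("/", 1)[-1]
    return REPORTS[name[:-4]]


def fetch_report(path, session_user):
    """Return (status, body). The object id comes from the URL, but the decision
    to serve it comes from server-side ownership data, never from the request."""
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(".pdf"):
        return 404, b""
    acct = name[:-4]
    if not ACCT_RE.fullmatch(acct):        # anything outside the expected id shape
        return 404, b""
    owner = ACCOUNT_OWNERS.get(acct)
    if owner is None:
        return 404, b""
    if owner != session_user:
        # Same 404 as for a non-existent account, so a tampered id does not confirm
        # that another customer's account exists; log the attempt server-side.
        return 404, b""
    return 200, REPORTS[acct]


def probe(path, session_user):
    """Status code only, for tabulating a tampering test run."""
    return fetch_report(path, session_user)[0]


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for path in ("/bank_acct001.pdf", "/bank_acct002.pdf"):
            print(user, path, probe(path, user))
```

The tester's check from step 11 becomes a two-user matrix: every (user, id) pair outside the ownership table must return the same status as a missing object, and the vulnerable handler is what that matrix looks like when the check is absent.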

Step 13: Test for Cross Site Scripting

Inject code by breaking out of the <h1> tag: http://www.targetsite.com/page.asp?pageid=10&lang=en&title=Section%20Title</h1><script>alert(‘XSS%20attack’)</script>

Use the TamperIE tool. Intercept the client's GET and POST requests, which lets you bypass client-side JavaScript input validation code.

Tools used:

• Paros proxy (www.parosproxy.org)

• Fiddler (www.fiddlertool.com/fiddler)

• Burp proxy (www.portswigger.net/proxy/)

• TamperIE (www.bayden.com/dl/TamperIESetup.exe)

Step 14: Test for Hidden Fields

Hidden fields sometimes carry sensitive data.

Example: Pricing information

Try to view the source, change the price of an item, and then save the HTML on the client-side to see if the server will use that value to calculate the total.

<FORM METHOD="LINK" ACTION="/shop/checkout.htm">
<INPUT TYPE="HIDDEN" name="quoteprice" value="4.25">
Quantity: <INPUT TYPE="text" NAME="totalnum">
<INPUT TYPE="submit" VALUE="Checkout">
</FORM>
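Steps 7 and 14 are two views of the same rule: the quantity bound enforced in the browser's onClick handler and the price carried in the hidden quoteprice field are both client-supplied, so the checkout handler has to re-derive them on the server. The handler below is an added example written for this page, not code from the EC-Council module; the catalog and the sku field are this example's assumptions (the slide's form carries only quoteprice and totalnum), and the 255 bound is the tinyint limit step 7 mentions.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalog: the server's own price list is the only source of prices.
# The "sku" field is an assumption added so the server can look the price up.
CATALOG = {"widget": Decimal("4.25")}
TINYINT_MAX = 255   # upper bound of an unsigned tinyint column, as noted in step 7


class ValidationError(ValueError):
    pass


def parse_quantity(raw):
    """Server-side copy of the client-side quantity check, plus a lower bound."""
    if not raw.isdigit():
        raise ValidationError("quantity must be a whole number")
    qty = int(raw)
    if not 1 <= qty <= TINYINT_MAX:
        raise ValidationError(f"quantity must be between 1 and {TINYINT_MAX}")
    return qty


def checkout_vulnerable(form):
    """Uses the hidden quoteprice and the raw quantity exactly as submitted."""
    return Decimal(form["quoteprice"][0]) * int(form["totalnum"][0])


def checkout(form):
    """Ignores quoteprice entirely: price is looked up, quantity is bounded."""
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValidationError("unknown item")
    qty = parse_quantity(form.get("totalnum", [""])[0])
    return CATALOG[sku] * qty


def try_checkout(query_string, handler=checkout):
    """Run one submitted form through a handler; None means it was rejected."""
    form = parse_qs(query_string, keep_blank_values=True)
    try:
        return handler(form)
    except (ValidationError, ValueError, KeyError):
        return None


if __name__ == "__main__":
    tampered = "sku=widget&quoteprice=0.01&totalnum=300"
    print("vulnerable:", try_checkout(tampered, checkout_vulnerable))
    print("hardened:  ", try_checkout(tampered))
```

With the hidden price edited to 0.01 the vulnerable handler bills three cents; the hardened one bills the catalog price, and a quantity of 300 or -1 is rejected before it reaches the database rather than being silently truncated or stored as an overflowed value.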

Step 15: Test Cookie Attacks

By changing the values in cookies, attackers might be able to gain access to accounts that they do not own.

Stealing a user’s cookie might enable the attacker to access an account without having to use authentication.

Set-Cookie: PASSWORD=g0d; path=/; expires=Friday, 20-Jul-03 23:23:23 GMT

Step 16: Test for Buffer Overflows

The goal of testing for a buffer overflow is to show that sending too much data to the program will cause the program to behave in an unexpected manner.

How do you test for buffer overflow?

• You send very large amounts of data to the buffer.

• Using cut-and-paste is one way to generate large amounts of data.

Step 17: Test for Bad Data

For example, entering </body></html> into an application as your name may work, and this name is stored into the database.

When the database produces reports that are to be viewed with a browser, these reports are broken.
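The broken-report case in step 17 and the </h1><script> injection in step 13 have one fix: whatever is stored, every value is entity-encoded at the point where it is written into HTML. The code below is an added example written for this page, not code from the EC-Council module; the title and name values are constructed from the two slides, and the report template is an assumption.

```python
import html

# Constructed inputs: the XSS title from step 13 and the "bad data" name from step 17.
XSS_TITLE = "Section Title</h1><script>alert('XSS attack')</script>"
BAD_NAME = "</body></html>"


def render_title_vulnerable(title):
    """Writes the request parameter straight into the page."""
    return f"<h1>{title}</h1>"


def render_title(title):
    # Every character that can start a tag or end an attribute is entity-encoded;
    # quote=True also covers the attribute-context case (' and ").
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def render_report(names, escape=True):
    """Build the browser-viewed report the slide describes from stored names.
    escape=False reproduces the broken behaviour for comparison."""
    cells = "".join(f"<tr><td>{html.escape(n) if escape else n}</td></tr>" for n in names)
    return f"<html><body><table>{cells}</table></body></html>"


def structure_intact(document):
    """Cheap structural check: exactly one of each closing tag the template emits."""
    return document.count("</body>") == 1 and document.count("</html>") == 1


if __name__ == "__main__":
    print(render_title_vulnerable(XSS_TITLE))
    print(render_title(XSS_TITLE))
    print("unescaped report intact:", structure_intact(render_report(["alice", BAD_NAME], escape=False)))
    print("escaped report intact:  ", structure_intact(render_report(["alice", BAD_NAME])))
```

Encoding on output rather than filtering on input is what makes both cases safe at once: the stored name still reads </body></html> in the database, which is fine, because the report renders it as text instead of markup.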

Step 18: Test Client-Side Scripting

Capture the URL after a valid logon.

Launch a new browser and use the captured URL to go to the page that supposedly you must go through proper authentication to reach.

See if you can get in.

Step 19: Test for Known Vulnerabilities

Test known vulnerabilities in third-party software used in the web applications.

Use Bugtraq to monitor these vulnerabilities.

Step 20: Test for Race Conditions

Applications can use multiple threads to achieve concurrent processing.

Test for these in applications.
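The slide names race conditions without showing one; the classic web-application instance is a check-then-act on shared state (a balance, a coupon, a vote count) performed by concurrent requests. The code below is an added example written for this page, not code from the EC-Council module; the account and amounts are constructed, and a threading.Barrier is used to force the worst-case interleaving deterministically instead of relying on timing.

```python
import threading

# Constructed account state; the race is a check-then-act on the balance.
START_BALANCE = 100
WITHDRAW_AMOUNT = 100


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unsafe(acct, amount, barrier):
    """Check and act are separate steps. The barrier makes every thread finish
    the check before any of them writes: the interleaving an attacker hopes for."""
    balance = acct.balance                 # check
    if balance >= amount:
        barrier.wait()                     # deterministic, instead of hoping for the race
        acct.balance = balance - amount    # act on a stale read
        return True
    return False


def withdraw_safe(acct, amount):
    """Check and act under one lock: the second thread sees the updated balance."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run(n_threads, safe):
    """Start n concurrent withdrawals; return (final balance, withdrawals approved)."""
    acct = Account(START_BALANCE)
    barrier = threading.Barrier(n_threads, timeout=5)
    approved = [False] * n_threads         # one slot per thread, no shared counter

    def worker(i):
        if safe:
            approved[i] = withdraw_safe(acct, WITHDRAW_AMOUNT)
        else:
            approved[i] = withdraw_unsafe(acct, WITHDRAW_AMOUNT, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(approved)


if __name__ == "__main__":
    print("unsafe:", run(5, safe=False))   # five 100-unit withdrawals approved from 100
    print("safe:  ", run(5, safe=True))    # one approved, four refused
```

In the real application the lock is a database transaction with row locking or a conditional UPDATE ... WHERE balance >= amount; the test for the tester is the same as the barrier here: fire the requests so that they overlap and count how many were honoured.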

Step 21: Test with User Protection via Browser Settings

Browser settings can limit exposure to harmful Internet content.

How would the setting of type of content affect your application?

For example, if cookie handling is disabled, will your application still work?

Step 22: Test for Command Execution Vulnerability

When a web application does not properly sanitize user-supplied input before using it within application code, it may be possible to trick the application into executing operating system commands.

The executed commands will run with the same permissions of the component that executed the command (e.g. database server, web application server, web server, etc.).
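The two halves of the fix for step 22 are an allow-list check on the value and never handing it to a shell. The code below is an added example written for this page, not code from the EC-Council module; echo stands in for whatever tool the application really invokes, the hostname pattern is this example's own, and the input strings are constructed.

```python
import re
import subprocess

# Hostnames: labels of letters, digits and hyphens joined by dots (allow-list shape).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def lookup_vulnerable(host):
    """The host string is pasted into a shell command line (shell=True), so
    shell metacharacters in it are interpreted. echo stands in for the real tool."""
    result = subprocess.run("echo host=" + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host):
    """Validate against the allow-list pattern, then pass the value as a single
    argv element so no shell ever parses it."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    result = subprocess.run(["echo", "host=" + host],
                            capture_output=True, text=True)
    return result.stdout


def probe(host):
    """Wrapper returning what the user would see, for comparing the two handlers."""
    try:
        return lookup_hardened(host)
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    crafted = "example.com; echo INJECTED"       # constructed, deliberately harmless
    print("vulnerable ->", repr(lookup_vulnerable(crafted)))
    print("hardened   ->", repr(probe(crafted)))
```

The argv form alone already stops the second command from running (the whole string would reach echo as one argument); the pattern check on top of it rejects the value outright, which is what you want for a log line and an alert rather than a quietly odd hostname.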

Step 23: Test for SQL Injection Attacks

SQL injection happens when a developer accepts user input that is directly placed into a SQL statement and does not properly filter out dangerous characters.

This can allow an attacker to not only steal data from your database, but also modify and delete it.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
/wasc.asp, line 69

Step 24: Test for Blind SQL Injection

When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect.

Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead.
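Steps 23 and 24 together describe one defect (input spliced into the statement) and one symptom (the driver's error text reaching the browser). The code below is an added example written for this page, not code from the EC-Council module; it uses an in-memory SQLite table with constructed rows to show a concatenated login query beside its parameterized form, and a generic-response wrapper that is the developer-specified page step 24 refers to.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("admin", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: quotes in the input become part of the SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bound parameters: the driver sends values separately from the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def login_response_vulnerable(conn, username, password):
    """What the slide's error page looks like from the browser's side."""
    try:
        users = login_vulnerable(conn, username, password)
    except sqlite3.Error as e:
        return f"Database error: {e}"        # driver text reaches the client
    return f"Welcome {users[0]}" if users else "Login failed"


def login_response(conn, username, password):
    """Same outcome for a bad password and a database error: the client learns
    nothing from the message, which is what the generic page in step 24 provides."""
    try:
        users = login_safe(conn, username, password)
    except sqlite3.Error:
        # Log the detail server-side; never echo it to the client.
        return "Login failed"
    return f"Welcome {users[0]}" if users else "Login failed"


if __name__ == "__main__":
    db = make_db()
    for user, pwd in (("alice", "correct horse"), ("admin'--", "x"), ("'", "")):
        print(repr(user), "|", login_response_vulnerable(db, user, pwd),
              "|", login_response(db, user, pwd))
```

Note that the generic page is the second line of defence, not the first: with string concatenation still in place it only converts error-based injection into the blind variety, so login_response is built on login_safe rather than on a wrapped login_vulnerable.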

Step 25: Test for Session Fixation Attack

Session fixation is an attack technique that forces a user's session ID to an explicit value.

Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value.

These techniques range from cross-site scripting exploits to peppering the website with previously made HTTP requests.

After a user's session ID has been fixed, the attacker will wait for him or her to login.

Once the user does so, the attacker uses the predefined session ID value to assume his or her online identity.

Step 26: Test for Session Hijacking

Locate target user, find the active session, and track it.

Assume the sequence number (blind hijacking).

Check whether decommissioning the host (DoS) is caused.

Hijack the session.

Resume the session after finishing the hijack.

Tools used for session hijacking:

• Juggernaut

• Hunt

• TTY Watcher

• T-Sight
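Steps 15, 18, 25 and 26 all come down to how the session identifier is created, bound and carried: a cookie that holds the password (step 15), a pre-login ID that survives authentication (step 25), a guessable or stolen ID (step 26), and a post-login URL that works in a fresh browser (step 18). The session store below is an added example written for this page, not code from the EC-Council module; the credential table is constructed, and the cookie name and page routes are this example's assumptions.

```python
import hmac
import secrets

# Constructed credential store; real code stores salted password hashes.
USERS = {"alice": "correct horse"}


def check_password(user, password):
    stored = USERS.get(user, "")
    return user in USERS and hmac.compare_digest(stored.encode(), password.encode())


class SessionStore:
    def __init__(self):
        self.sessions = {}          # session id -> {"user": name or None}

    def new_session(self):
        # 256 bits from the CSPRNG: not a counter, a timestamp or random(), so the
        # "assume the sequence number" step has nothing to work with.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        """Return a fresh session id on success, None on failure."""
        if not check_password(user, password):
            return None
        # Fixation defence: the id that existed before authentication (possibly
        # chosen by an attacker) is discarded and a new one is bound to the user.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def current_user(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def set_cookie_header(sid):
    """The cookie carries only the opaque id (never a password or role);
    Secure and HttpOnly limit exposure to interception and script theft."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def account_page(store, sid):
    """Step 18 check: a captured post-login URL is useless without a live session."""
    user = store.current_user(sid)
    if user is None:
        return 302, "/login"
    return 200, f"account page for {user}"


if __name__ == "__main__":
    store = SessionStore()
    fixed = store.new_session()                       # id an attacker could have planted
    fresh = store.login(fixed, "alice", "correct horse")
    print("pre-login id still valid:", store.current_user(fixed) is not None)
    print("post-login id:", account_page(store, fresh))
```

The test for step 25 maps directly onto this: note the SESSIONID before login, authenticate, and confirm the value changed and the old one no longer resolves; for step 26, confirm consecutive IDs share no structure and that a cookie contains nothing but the ID.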

Step 27: Test for XPath Injection Attack

XPath Injection is an attack technique used to exploit websites that construct XPath queries from user-supplied input.

XPath 1.0 is a language used to refer to parts of an XML document. It can be used directly by an application to query an XML document, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document.

The syntax of XPath bears some resemblance to an SQL query, and indeed, it is possible to form SQL-like queries on an XML document using XPath.

Step 28: Test for Server Side Include Injection Attack

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.

SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.

Step 29: Test for Logic Flaws

A logic flaw is a failure in the web application's logic to correctly perform conditional branching or apply security.

<?php
$a = false;
$b = true;
$c = false;
if ($b && $c || $a && $c || $b) echo "True";
else echo "False";
?>

Because && binds more tightly than ||, the condition is evaluated as ($b && $c) || ($a && $c) || $b, which is true whenever $b is true; the script prints "True" regardless of $a and $c, which is probably not what the author of the condition intended.

Step 30: Test for Binary Attacks

Web applications developed in a language that employs static buffers (such as C/C++) may be vulnerable to traditional binary attacks such as format string bugs and buffer overflows.

Format string attacks occur when certain C functions process inputs containing formatting characters (%).

Example:

• printf/fprintf/sprintf, syslog() and setproctitle() functions

Step 31: Test for XML Structural

Create structured XML documents to build a denial of service attack by overloading the XML parser.

Send large or malformed XML message to server.

Check all the parameters being validated, such as:

• Enumeration.

• fractionDigits.

• Length.

• maxExclusive.

• maxInclusive.

• maxLength.

• minExclusive.

• minInclusive.

• minLength.

• Pattern.

• totalDigits.

• whiteSpace.

Step 32: Test for XML Content-level

Test the web service definition language with the WebScarab tool.

Modify the parameter’s data based on the WSDL’s definition for the parameter.

Check whether you can use the web service with escalated privileges.

Step 33: Test for WS HTTP GET Parameters/REST Attacks

Test HTTP GET query string:

• https://www.targetsite.com/accountinfo?accountnumber=1234567&userId=aci9485jfuhe92

Result of this string:

• <?xml version="1.0" encoding="ISO-8859-1"?> <Account="1234567"> <balance>€100</balance> <body>Bank of Targetsite account info</body> </Account>

Step 33: Test for WS HTTP GET Parameters/REST Attacks (cont’d)

Now test this vector:

• https://www.targetsite.com/accountinfo?accountnumber=1234567'exec master..xp_cmdshell 'net user Vxr pass /Add&userId=asi9485jfuhe92

Identify the following:

• Maximum length and minimum length

• Validate payload

• Implement “exact match", "known good" and "known bad" in order

• Validate parameter names and existence
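The facet list in step 31 and the "exact match, known good, parameter names and existence, maximum and minimum length" list in step 33 describe the same validator from two sides: a schema-style check applied to every incoming value, plus a size bound on the whole message before the parser sees it. The code below is an added example written for this page, not code from the EC-Council module; the schema for the accountinfo request, the balance facets and the 64 KiB message cap are this example's assumptions, and the XML sample is constructed (well-formed, unlike the slide's illustration).

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

MAX_MESSAGE_BYTES = 64 * 1024        # constructed size cap for incoming XML (step 31)
NUMERIC_FACETS = {"minInclusive", "maxInclusive", "minExclusive", "maxExclusive",
                  "totalDigits", "fractionDigits"}


def check_facets(value, facets):
    """Return the names of the XML-Schema-style facets a string value violates."""
    bad = []
    ws = facets.get("whiteSpace", "preserve")
    if ws == "replace":
        value = re.sub(r"[\t\r\n]", " ", value)
    elif ws == "collapse":
        value = " ".join(value.split())
    if "length" in facets and len(value) != facets["length"]:
        bad.append("length")
    if "minLength" in facets and len(value) < facets["minLength"]:
        bad.append("minLength")
    if "maxLength" in facets and len(value) > facets["maxLength"]:
        bad.append("maxLength")
    if "pattern" in facets and not re.fullmatch(facets["pattern"], value):
        bad.append("pattern")
    if "enumeration" in facets and value not in facets["enumeration"]:
        bad.append("enumeration")
    if NUMERIC_FACETS & facets.keys():
        try:
            num = Decimal(value)
        except InvalidOperation:
            return bad + ["numeric"]
        if not num.is_finite():               # NaN / Infinity parse but are not numbers here
            return bad + ["numeric"]
        if "minInclusive" in facets and num < facets["minInclusive"]:
            bad.append("minInclusive")
        if "maxInclusive" in facets and num > facets["maxInclusive"]:
            bad.append("maxInclusive")
        if "minExclusive" in facets and num <= facets["minExclusive"]:
            bad.append("minExclusive")
        if "maxExclusive" in facets and num >= facets["maxExclusive"]:
            bad.append("maxExclusive")
        digits, exponent = num.as_tuple().digits, num.as_tuple().exponent
        if "totalDigits" in facets and len(digits) > facets["totalDigits"]:
            bad.append("totalDigits")
        if "fractionDigits" in facets and max(0, -exponent) > facets["fractionDigits"]:
            bad.append("fractionDigits")
    return bad


# Schema for the step 33 GET request; the facets themselves are this example's assumption.
ACCOUNT_QUERY_SCHEMA = {
    "accountnumber": {"length": 7, "pattern": r"[0-9]{7}", "minInclusive": Decimal(1)},
    "userId": {"minLength": 8, "maxLength": 32, "pattern": r"[A-Za-z0-9]+"},
}
BALANCE_FACETS = {"totalDigits": 12, "fractionDigits": 2}


def validate_query(url, schema=ACCOUNT_QUERY_SCHEMA):
    """Exact-match parameter names, reject unknown or repeated ones, then apply facets."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = [f"{name}: unexpected parameter" for name in params if name not in schema]
    for name, facets in schema.items():
        values = params.get(name)
        if not values:
            problems.append(f"{name}: missing")
            continue
        if len(values) > 1:
            problems.append(f"{name}: repeated")
        problems += [f"{name}: {f}" for f in check_facets(values[0], facets)]
    return problems


def validate_account_xml(data):
    """Size-bound the message before parsing, then facet-check the balance element."""
    if len(data) > MAX_MESSAGE_BYTES:
        return ["message too large"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"malformed XML: {e}"]
    balance = root.findtext("balance")
    if balance is None:
        return ["balance: missing"]
    return [f"balance: {f}" for f in check_facets(balance, BALANCE_FACETS)]


if __name__ == "__main__":
    print(validate_query("https://www.targetsite.com/accountinfo?accountnumber=1234567&userId=aci9485jfuhe92"))
    print(validate_query("https://www.targetsite.com/accountinfo?accountnumber=1234567'%20OR%201=1&userId=aci9485jfuhe92"))
    print(validate_account_xml(b'<Account number="1234567"><balance>100.505</balance></Account>'))
```

The slide's own vector fails three facets at once (length, pattern and numeric), which is the point of layering them: a value that slips past one still has to be the right shape, the right size and the right type. The size cap runs before ET.fromstring so that an oversized or deeply nested document is refused without the parser doing any work on it.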

Step 34: Test for Malicious SOAP Attachments

Search the web service definition language (WSDL) for a service which accepts an attachment.

Attach and post a SOAP message with a non-destructive virus like EICAR.

Set the parameter ‘true’ in the SOAP response with the UploadFileResult, which varies on each service.

Store the EICAR test virus file on the host’s server and redistribute it as a PDF.

Step 35: Test for WS Replay

Install WebScarab and use it as a proxy to capture the HTTP traffic.

Using the packets captured by Ethereal, use TCPReplay to initiate the replay attack by reposting the packet.

Resend the original message or change the message to determine the host server.

Capture many packets within the estimated time to determine session ID patterns in order to assume a valid session ID for the replay attack.
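A web service passes the replay test in step 35 when reposting a captured message is refused even though the message is byte-for-byte genuine. The usual way to get there is a per-message nonce and timestamp covered by a MAC, with the receiver remembering nonces for the acceptance window. The code below is an added example written for this page, not code from the EC-Council module; the shared key, the 300-second window and the JSON envelope are this example's assumptions, and the messages are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key"   # in practice a per-client secret from a key store
WINDOW_SECONDS = 300                   # how far a message's timestamp may drift from "now"


def sign_message(payload, key=SHARED_KEY, now=None):
    """Wrap a payload with a fresh nonce and timestamp; return (body, mac)."""
    envelope = {
        "nonce": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
        "payload": payload,
    }
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, mac


class ReplayGuard:
    """Receiver side: verifies the MAC, the timestamp window, and nonce uniqueness."""

    def __init__(self, key=SHARED_KEY, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}          # nonce -> timestamp, for nonces still inside the window

    def verify(self, body, mac, now=None):
        now = now if now is not None else time.time()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return "bad signature"       # tampered body, or a message built without the key
        envelope = json.loads(body)
        if abs(now - envelope["ts"]) > self.window:
            return "stale timestamp"     # outside the window: old capture, or clock skew
        if envelope["nonce"] in self.seen:
            return "replayed"            # identical, genuine message seen before
        self.seen[envelope["nonce"]] = envelope["ts"]
        # Nonces older than the window can no longer pass the timestamp check, so forget them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "ok"


if __name__ == "__main__":
    body, mac = sign_message({"action": "transfer", "amount": 10})
    guard = ReplayGuard()
    print("first delivery:", guard.verify(body, mac))
    print("reposted:      ", guard.verify(body, mac))
```

The timestamp and the nonce cache are a pair: the cache is what rejects an immediate repost, and the window is what lets the cache stay small, since anything older than the window is rejected by the timestamp check regardless of whether its nonce is remembered. Changing any byte of the body (the "change the message" step on the slide) fails the MAC before either check runs.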

Testing Tools

AtStake WebProxy

SPIKE Proxy

WebserverFP

KSES

Mieliekoek.pl

Sleuth

Webgoat

AppScan

AtStake WebProxy

WebProxy sits between the client browser and the web application, capturing and decoding requests to allow the developer to analyze user interactions, study exploit techniques, and manipulate requests on-the-fly.

http://www.atstake.com/webproxy

SPIKE Proxy

SPIKE Proxy functions as an HTTP/HTTPS proxy and allows the blackbox tester to automate a number of web application vulnerability tests (including SQL injection, directory traversal and brute-force attacks).

http://www.immunitysec.com/spike.html

WebserverFP

WebserverFP is an HTTPD fingerprinting tool that uses values and formatting within server responses to determine the web server software in use.

http://www.astralclinic.com

KSES / Mieliekoek.pl

KSES:

• KSES is an HTML security filter written in PHP. It filters all 'nasty' HTML elements and helps to prevent input validation issues such as XSS and SQL Injection attacks.

• http://sourceforge.net/projects/kses

Mieliekoek.pl:

• This tool, written by [email protected], will crawl through a collection of pages and scripts searching for potential SQL Injection issues.

• http://www.securityfocus.com/archive/101/257713

Sleuth

Sleuth is a commercial application for locating web application security vulnerabilities. It includes intercept proxy and web-spider features.

http://www.sandsprite.com/Sleuth

Webgoat

The OWASP Webgoat project aims to create an interactive learning environment for web application security.

It teaches developers, using practical exercises, the most common web application security and design flaws.

It is written in Java and installers are available for both *nix and Win32 systems.

http://www.owasp.org/development/webgoat

AppScan

AppScan is a commercial web application security testing tool developed by Sanctum Inc.

It includes features such as code sanitation, offline analysis, and automated scan scheduling.

http://www.sanctuminc.com/solutions/appscan/index.html

URL Scan

URL Scan is a plug-in for IIS that allows for request-based filtering (not signature-based) of incoming requests.

By enabling some of these filters, it is possible to prevent exploitation of known, or new unpublished, vulnerabilities.

Summary

Software testing is an integral part of the software development process.

Web application penetration testing provides the test results for:

• Environmental and inner workings of a web application.

• Database connectivity and application code.

• Hidden fields and cookie attacks.

• Buffer overflows and bad data.

• Client-side scripting and race conditions.

• Known vulnerabilities and command execution vulnerabilities.

• SQL injection and blind SQL attack.

• Session fixation and XPath injection attack.

• Logic flaws and binary attacks.
