LPTv4 Module 28 Application Penetration Testing_NoRestriction


Post on 08-Nov-2014


TRANSCRIPT

ECSA/LPT

EC-Council

Module XXVIII: Application Penetration Testing

Penetration Testing Roadmap

Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Application Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Social Engineering Penetration Testing
Password Cracking Penetration Testing
Cont'd

EC-Council

Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)

Cont'd
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
Data Leakage Penetration Testing
Security Patches Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Email Security Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
End Here


Application Testing

Software testing is an integral part of the software development process. Application testing involves:

Software application testing.

Web application testing.


What is a Defect?

A defect is an abnormality or malfunction from product specifications.

Example: if the specifications say that spellcheck is to be added to the mortgage application, and the final product does not include the spellcheck feature, then it is a defect.


Defects vs. Failures

A defect is incorporated into the software application system.

A defect that causes an error in operation or negatively impacts a user/customer is called a failure.


Defect Ratio

It is estimated that leading software developers were producing software with production defect rates of one defect per 30,000 lines of source code.


Requirements and Design Testing

Test the following:

Who can access the program?
Are there different classes of users?
Does each class of user have the correct functionality?
Can a user of one class obtain additional privileges?


Web Applications Penetration Testing

Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.


What is a Web Application?

A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.


Web Application Penetration Testing Steps

1. Fingerprinting the web application environment
2. Investigate the output from HEAD and OPTIONS HTTP requests
3. Investigate the format and wording of 404/other error pages
4. Test for recognized file types/extensions/directories
5. Examine source of available pages
6. Manipulate inputs in order to elicit a scripting error
7. Test inner working of a web application
8. Test database connectivity
9. Test the application code
10. Testing the use of GET and POST in web application
11. Test for parameter-tampering attacks on website
12. Test for URL manipulation
13. Test for cross site scripting
14. Test for hidden fields
15. Test cookie attacks
16. Test for buffer overflows
17. Test for bad data
18. Test client-side scripting
19. Test for known vulnerabilities
20. Test for race conditions
21. Test with user protection via browser settings
22. Test for command execution vulnerability
23. Test for SQL injection attacks
24. Test for blind SQL injection
25. Test for session fixation attack
26. Test for session hijacking
27. Test for XPath injection attack
28. Test for server side include injection attack
29. Test for logic flaws
30. Test for binary attacks
31. Test for XML structural
32. Test for XML content-level
33. Test for WS HTTP GET parameters/REST attacks
34. Test for naughty SOAP attachments
35. Test for WS replay

Step 1: Fingerprinting the Web Application Environment

One of the first steps of the penetration test should be to identify the web application environment, including the scripting language and web server software in use, and the operating system of the target server.


Step 2: Investigate the Output from HEAD and OPTIONS HTTP Requests

The header and any page returned from a HEAD or OPTIONS request will usually contain a SERVER: string or similar detailing the web server software version and possibly the scripting environment or operating system in use.

    OPTIONS / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 04 Jun 2003 11:02:45 GMT
    MS-Author-Via: DAV
    Content-Length: 0
    Accept-Ranges: none
    DASL: <DAV:sql>
    DAV: 1, 2
    Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
    Cache-Control: private

Step 3: Investigate the Format and Wording of 404/Other Error Pages

Some application environments (such as ColdFusion) have customized, and therefore easily recognizable, error pages, and will often give away the software versions of the scripting language in use.


Step 4: Test for Recognized File Types/Extensions/Directories

Many web servers (such as Microsoft IIS) will react differently to a request for a known and supported file extension than to an unknown extension. The tester should attempt to request common file extensions such as .ASP, .HTM, .PHP, .EXE and watch for any unusual output or error codes.

    GET /blah.idq HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 04 Jun 2003 11:12:24 GMT
    Content-Type: text/html

    The IDQ file blah.idq could not be found
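Steps 2 and 4 both come down to reading raw HTTP responses carefully: the Server header and the advertised method list from an OPTIONS reply, and the "200 OK whose body says not found" behaviour that reveals a mapped file extension. The following Python script is an added example, not part of the original slides or any EC-Council tool; it parses the two IIS 5.0 responses quoted above (embedded as constructed strings) plus a made-up ordinary 404, and reports what a tester or defender would want flagged: the server banner, WebDAV exposure, methods such as TRACE and PUT that should be disabled unless needed, and soft-404 responses.

```python
import re

# Constructed sample transcripts. The first two reproduce the IIS 5.0 responses shown
# on the slides; the third is a made-up ordinary 404 for comparison.
OPTIONS_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Microsoft-IIS/5.0",
    "Date: Wed, 04 Jun 2003 11:02:45 GMT",
    "MS-Author-Via: DAV",
    "Content-Length: 0",
    "Accept-Ranges: none",
    "DASL: <DAV:sql>",
    "DAV: 1, 2",
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK",
    "Cache-Control: private",
    "",
    "",
])
IDQ_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Microsoft-IIS/5.0",
    "Date: Wed, 04 Jun 2003 11:12:24 GMT",
    "Content-Type: text/html",
    "",
    "The IDQ file blah.idq could not be found",
])
PLAIN_404 = "\r\n".join([
    "HTTP/1.1 404 Not Found",
    "Server: ExampleServer/1.0",   # constructed banner
    "Content-Type: text/html",
    "",
    "<h1>Not Found</h1>",
])

# Body phrases that indicate a "not found" condition despite a 200 status.
SOFT_404_PATTERN = re.compile(r"could not be found|not found|does not exist", re.IGNORECASE)
# TRACE and the WebDAV authoring verbs should be disabled unless authoring is required.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "COPY", "MOVE", "MKCOL",
                 "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "SEARCH"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:                       # tolerate LF-only transcripts
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def advertised_methods(headers):
    """Union of the methods listed in the Allow and Public headers."""
    methods = set()
    for name in ("allow", "public"):
        if name in headers:
            methods.update(m.strip().upper() for m in headers[name].split(",") if m.strip())
    return methods


def fingerprint(raw):
    """Summarise what a single response reveals about the server and its handlers."""
    status, headers, body = parse_response(raw)
    methods = advertised_methods(headers)
    return {
        "status": status,
        "server": headers.get("server", ""),
        "webdav": "dav" in headers or "ms-author-via" in headers,
        "methods": methods,
        "risky_methods": methods & RISKY_METHODS,
        # A 200 whose body says "not found" means the extension is wired to a handler.
        "soft_404": status == 200 and bool(SOFT_404_PATTERN.search(body)),
    }


if __name__ == "__main__":
    for label, raw in (("OPTIONS /", OPTIONS_RESPONSE),
                       ("GET /blah.idq", IDQ_RESPONSE),
                       ("GET /missing", PLAIN_404)):
        print(label, fingerprint(raw))
```

On the IIS transcript the script reports the banner, WebDAV headers and eleven risky methods; on the .idq request it reports a soft 404, which is exactly the "unusual output" Step 4 tells the tester to watch for, and which a defender would treat as an unneeded handler to remove.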

Step 5: Examine Source of Available Pages

The source code from the immediately accessible pages of the application front-end may give clues as to the underlying application environment.

    Home Page
    <... content="Microsoft ...

    ... >= 255) {
        document.forms['product'].elements['quantity'].value = '';
        alert('Invalid quantity');
        return false;
    } else {
        return true;
    }

This suggests that the application is trying to protect the form handler from quantity values of 255 or more - the maximum value of a tinyint field in most database systems.
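The client-side script above runs in the browser, so a tester can simply resubmit the form with any quantity value; the only check that counts is the one in the form handler. The Python below is an added example (not the slides' code and not any real form handler) of the server-side validation that must back the JavaScript: it accepts only a plain decimal integer below the tinyint ceiling the script hints at, and rejects the tampered values a tester would send. The 254 upper bound follows the script's "255 or more" rejection; the lower bound of 1 and the form-handler stand-in are assumptions for the example.

```python
import re

# Only plain decimal digits, capped in length so int() never sees a huge string.
QUANTITY_RE = re.compile(r"[0-9]{1,9}")
# The slide's script rejects 255 or more, the tinyint ceiling; mirror that here.
MAX_QUANTITY = 254
MIN_QUANTITY = 1   # assumption: a zero quantity is not a meaningful order


def validate_quantity(raw):
    """Return (True, int) for an acceptable quantity, (False, reason) otherwise."""
    if raw is None:
        return False, "missing"
    text = str(raw).strip()
    # Rejects signs, floats, exponents, hex and anything with trailing payloads.
    if not QUANTITY_RE.fullmatch(text):
        return False, "not a plain decimal integer"
    value = int(text)
    if value < MIN_QUANTITY:
        return False, "below minimum"
    if value > MAX_QUANTITY:
        return False, "exceeds tinyint range"
    return True, value


def handle_order(form):
    """Form-handler stand-in (assumed): never trust that the browser check ran."""
    ok, result = validate_quantity(form.get("quantity"))
    if not ok:
        return {"status": 400, "error": f"Invalid quantity: {result}"}
    return {"status": 200, "quantity": result}


# Constructed submissions: what a tester sends once the JavaScript check is bypassed.
TAMPERED_SAMPLES = ["12", "254", "255", "300", "0", "-1", "1e3", "0x10",
                    "12; DROP TABLE orders", "", None]

if __name__ == "__main__":
    for sample in TAMPERED_SAMPLES:
        print(repr(sample), "->", handle_order({"quantity": sample}))
```

Every branch returns a distinct reason, so a log of 400 responses from this handler doubles as a detection signal: a burst of "exceeds tinyint range" or "not a plain decimal integer" from one client is parameter tampering (Step 11) in progress.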

Step 8: Test Database Connectivity

Applications may require access to servers such as databases.

Access rights should be limited to the minimum rights required.

Access rights should be limited for the duration that access is necessary.

Check for a target application administrator (unrestricted) access rights.
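One concrete way to perform the Step 8 check is to pull the application account's grants from the database and audit them against the minimum-rights rule. The Python below is an added example, not from the slides; it parses MySQL-style GRANT statements (the syntax that SHOW GRANTS FOR returns) and flags administrative privileges, global (*.*) privileges, WITH GRANT OPTION, and any-host accounts. Both grant listings are constructed for the example: one is a least-privilege application account, the other the "unrestricted" case the slide tells you to look for.

```python
import re

# Constructed SHOW GRANTS output for a least-privilege application account.
APP_ACCOUNT_GRANTS = [
    "GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.`orders` TO 'shop_app'@'10.0.0.%'",
    "GRANT SELECT ON `shop`.`products` TO 'shop_app'@'10.0.0.%'",
]
# Constructed output for the unrestricted account the slide warns about.
OVERPRIVILEGED_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'shop_app'@'%' WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>'[^']*'@'[^']*')(?P<opts>.*)$",
    re.IGNORECASE,
)
# Privileges no web application account should hold.
ADMIN_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN",
               "CREATE USER", "RELOAD"}


def parse_grant(line):
    """Split one GRANT statement into its privilege set, scope, user and options."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {
        "privs": privs,
        "scope": m.group("scope"),
        "user": m.group("user"),
        "grant_option": "GRANT OPTION" in m.group("opts").upper(),
    }


def audit_grants(lines):
    """Return a list of findings; an empty list means the grants look least-privilege."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            findings.append(f"unparsed grant line: {line}")
            continue
        admin = g["privs"] & ADMIN_PRIVS
        if admin:
            findings.append(f"{g['user']}: administrative privilege(s) {sorted(admin)} on {g['scope']}")
        if g["scope"] == "*.*" and g["privs"] != {"USAGE"}:
            findings.append(f"{g['user']}: non-USAGE privileges granted globally (*.*)")
        if g["grant_option"]:
            findings.append(f"{g['user']}: WITH GRANT OPTION lets the account hand out rights")
        if g["user"].endswith("@'%'"):
            findings.append(f"{g['user']}: account may connect from any host")
    return findings


if __name__ == "__main__":
    print("least-privilege account:", audit_grants(APP_ACCOUNT_GRANTS) or "no findings")
    print("unrestricted account:")
    for f in audit_grants(OVERPRIVILEGED_GRANTS):
        print("  -", f)
```

The "duration" rule on the slide is not something a grant listing can show; that part of the check is done by confirming the application opens connections only when needed and does not hold an administrator session open for its whole lifetime.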

Step 9: Test the Application Code

Test for backdoors: backdoors may be created by the developers to facilitate debugging and troubleshooting.

Test for exception handling and failure notification.

Test for login IDs and passwords.

Check for the misuse of superuser accounts.


Step 9: Test the Application Code (cont'd)

Look for IDs and passwords in the clear when connecting to and accessing servers, directories, databases, and other resources.

Test for comments in the HTML code that might reveal user ID and password information, code paths, or directory and executable file names.

Test for error messages that reveal server name, root directory name, or other pertinent information.
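The last two checks of Step 9 (HTML comments that leak credentials, paths or executable names, and error messages that leak server names and directories) can be automated over saved page source. The Python below is an added example, not part of the slides; it uses the standard-library HTML parser to pull out comments and hidden form fields (Step 14 on the steps list) from a constructed page, and classifies each comment or error string by the kind of disclosure it contains. The sample page and the sample error message are both made up for the example; the credential and path patterns are deliberately simple and would be extended for a real review.

```python
import re
from html.parser import HTMLParser

# Constructed page source containing the kinds of leaks the slide lists.
SAMPLE_HTML = """<html><head><title>Orders</title></head>
<body>
<!-- TODO remove before go-live: db user=shop_app password=Summer2014! -->
<!-- Report handler lives in /cgi-bin/reports/run.exe -->
<form action="/cgi-bin/order.pl" method="post">
<input type="hidden" name="price" value="9.99">
</form>
<!-- Page generated by the nightly build -->
</body></html>
"""
# Constructed error text of the kind a crashing handler might return.
SAMPLE_ERROR = r"Error in D:\inetpub\wwwroot\shop\db.inc on server WEBSRV01: login failed for user 'sa'"

CREDENTIAL_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd|user(?:name|id)?|uid)\s*[=:]\s*\S+", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>]+|/(?:var|usr|home|etc|inetpub|cgi-bin|opt|tmp)/[^\s\"'<>]+")
EXEC_RE = re.compile(r"\b[\w./\\-]+\.(?:exe|dll|pl|cgi|asp|aspx|php|bat|jsp|inc)\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bon server\s+([\w.-]+)", re.IGNORECASE)


class SourceInspector(HTMLParser):
    """Collect HTML comments and hidden form fields from page source."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_fields = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))


def classify_disclosures(text):
    """Return the disclosure categories present in one comment or error string."""
    found = []
    if CREDENTIAL_RE.search(text):
        found.append("credential")
    if PATH_RE.search(text):
        found.append("path")
    if EXEC_RE.search(text):
        found.append("executable")
    if HOST_RE.search(text):
        found.append("hostname")
    return found


def inspect_source(html):
    """Parse a page and report leaking comments plus hidden fields worth tampering tests."""
    parser = SourceInspector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        categories = classify_disclosures(comment)
        if categories:
            findings.append((comment, categories))
    return {"findings": findings, "hidden_fields": parser.hidden_fields}


if __name__ == "__main__":
    report = inspect_source(SAMPLE_HTML)
    for comment, categories in report["findings"]:
        print(f"{categories}: <!-- {comment} -->")
    print("hidden fields:", report["hidden_fields"])
    print("error message discloses:", classify_disclosures(SAMPLE_ERROR))
```

On the sample page the first comment is flagged as a credential leak and the second as a path and executable-name leak, the build note is ignored, and the hidden price field is listed for a later tampering test; the sample error string is flagged for a path, an include file name and a server name, the three things the slide says an error message should never reveal.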