Date posted: 13-May-2015
Category: Technology
Uploaded by: abraham-aranguren
Intro
33% (22 out of 66) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
* Except in Spain, where visiting a page can be illegal ☺
Legend
Ethics/Scope legend:
P: No permission needed: no attack traffic
!: Mild attack traffic / could break things
!!: You better have written permission ..
Vulnerable vs. Not Vulnerable legend:
- Vulnerable
- Not Vulnerable
P
Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)
- $ wget http://www.google.com/robots.txt
- Found: analyse the entries
- Not found: is indexing required?
P
Testing: Search engine discovery / reconnaissance (OWASP-IG-002)
- Google: site:target.com filetype:... inurl:...
- Metadata, DNS, Whois, company info, staff, etc..
P
Testing: Identify application entry points (OWASP-IG-003)
- Use a proxy and JUST browse the site
- Let the proxy log ALL requests
- Understand the site
- Chain ratproxy to your proxy for cool ideas ☺
P
Testing for Web Application Fingerprint (OWASP-IG-004)
Get the banner:
- $ curl -i -A "Mozilla:" http://target.com | more
P
Testing for SSL-TLS (OWASP-CM-001)
No traffic ..
P
Testing for Admin Interfaces (OWASP-CM-007)
- 3rd party stuff on .NET ViewState, headers, ..
- Telerik.Web.UI?? Google it!
P
Testing for Admin Interfaces (OWASP-CM-007) - continued
- Google for default passwords
P
Testing for Admin Interfaces (OWASP-CM-007) - continued
!!
Testing for Admin Interfaces (OWASP-CM-007) - continued
!!
Testing for HTTP Methods and XST (OWASP-CM-008)
- An OPTIONS request is quite normal:
curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
P
Testing for credentials transport (OWASP-AT-001)
- Is the login page on "http" instead of "https"?
P
Testing for Default or Guessable User Account (OWASP-AT-003)
Analyse the username(s) they gave you to test:
- Username based on numbers?
  USER12345
- Username based on public info? (i.e. names, surnames, ..)
  name.surname
P
Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)
Is autocomplete set to off?
<form ... autocomplete="off">
or
<input ... autocomplete="off">
Look at the questions or fields in the password reset form:
P
Testing for Logout and Browser Cache Management (OWASP-AT-007)
Easy test: Login + Logout + Back button
Or no caching headers / not expiring session cookie:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: ...
X-Powered-By: ...
Connection: close
Content-Type: text/html; charset=UTF-8
P
Testing for Captcha (OWASP-AT-008)
Can be done offline:
- Download the image and try to break it
- Look for signs of weak third party components
  PWNtcha - captcha decoder
P
Testing for Session Management Schema (OWASP-SM-001)
Examine cookies for weaknesses offline
Base64: MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg= (decodes to 192.168.100.1:owaspuser:password:15:58)
Is
owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412
P
Testing for cookies attributes (OWASP-SM-002)
- Secure: not set = no https
- HttpOnly: not set = cookies stealable via JS
- Domain: set properly
- Path: set to the right /sub-application
- Expires: set reasonably
P
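Added example, not part of the slides: a Python script that runs the offline header checks from the HTTP methods (OWASP-CM-008), browser cache (OWASP-AT-007), session schema (OWASP-SM-001) and cookie attributes (OWASP-SM-002) slides over a saved response. The sample response is constructed from the header values shown on those slides; nothing is sent to any server.

```python
import base64

# Constructed sample response built from the values on the slides: TRACE in Allow,
# a PHPSESSID cookie, a base64-looking auth cookie, no caching headers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Set-Cookie: PHPSESSID=10a966616e8ed63f7a9b741f80e65e3c; path=/
Set-Cookie: auth=MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=; Secure
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return (name, value) pairs after the status line; repeated headers are kept."""
    lines = raw.strip().splitlines()[1:]
    return [tuple(p.strip() for p in line.split(":", 1)) for line in lines if ":" in line]

def decode_if_base64(value):
    """Return the decoded text if the value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:          # binascii.Error and UnicodeDecodeError both subclass it
        return None
    return text if text.isprintable() else None

def audit(raw):
    """Offline checks: TRACE allowed, cookie flags, decodable cookie values, caching."""
    headers = parse_headers(raw)
    names = {name.lower() for name, _ in headers}
    findings = []
    for name, value in headers:
        if name.lower() == "allow":
            if "TRACE" in [m.strip().upper() for m in value.split(",")]:
                findings.append("TRACE enabled (XST)")
        elif name.lower() == "set-cookie":
            cookie, *attrs = [p.strip() for p in value.split(";")]
            cname, _, cval = cookie.partition("=")
            flags = {a.split("=", 1)[0].lower() for a in attrs}
            for needed in ("secure", "httponly"):
                if needed not in flags:
                    findings.append(f"{cname}: {needed} not set")
            decoded = decode_if_base64(cval)
            if decoded:   # a readable value means the session "token" carries state
                findings.append(f"{cname}: value is base64 of '{decoded}'")
    if "cache-control" not in names:
        findings.append("no Cache-Control header: pages may be cached after logout")
    return findings
```

Run `audit(SAMPLE_RESPONSE)` to get the six findings for the sample; point it at any response saved from your proxy log to repeat the checks.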
Testing for Session Fixation (OWASP-SM-003)
Session ID NOT changed after login = Vuln
Before Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
After Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
P
Testing for Exposed Session Variables (OWASP-SM-004)
Session ID:
- In URL
- In POST
- In HTML
P
Testing for CSRF (OWASP-SM-005)
Look at HTML code:
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait to ACTIVE testing ☺
P
Testing for Bypassing Authorization Schema (OWASP-AZ-002)
Look at unauthenticated cross-site requests:
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: !
http://site.com/view_doc=4
P
Testing for DOM-based Cross site scripting (OWASP-DV-003)
Review JavaScript code on the page:
<script> document.write("Site is at: " + document.location.href + "."); </script>
P
Testing for Cross site flashing (OWASP-DV-004)
Download and decompile Flash files:
$ flare hello.swf
Static / Manual analysis
P
Testing: WS Information Gathering (OWASP-WS-001)
- Google searches: inurl:wsdl site:example.com
- Web service analysis:
  http://www.example.com/ws/FindIP.asmx?WSDL
- Public services search:
  http://seekda.com/
  http://www.wsindex.org/
  http://www.soapclient.com/
P
Testing for WS Replay (OWASP-WS-007)
Similar to CSRF:
- Is there an anti-replay token in the request/response?
P
Testing for file extensions handling (OWASP-CM-005)
_some_ attack traffic but subtle. File uploads:
- If upload.php or .asp, .html, .. is allowed by the app
- A valid GIF or JPG comment can be a valid PHP script, etc ..
- Difference from attack to legit can be subtle
- File uploads are POST = 99% not logged
!!
Testing for user enumeration (OWASP-AT-002)
- Error messages
- Time differences!
Testing for Reflected/Stored Cross site scripting (OWASP-DV-001+2)
Subtle: look for signs of output encoding (input -> output):
- O'Brien -> O'Brien
- O"Brien -> O&quot;Brien or O%22Brien
- Ted..> -> Ted..&gt; or Ted..%3E
- Ted..< -> Ted..&lt; or Ted..%3C
Charset, etc..
!
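Added here as an illustration, not from the slides: a small Python helper that classifies how each probe string above came back in the page source, so the encoding signs the slide lists can be checked systematically rather than by eye. The probe/observation pairs in SAMPLE are constructed.

```python
import html
import urllib.parse

# Probe strings from the slides: a plain word plus one HTML/JS metacharacter.
PROBES = ["O'Brien", 'O"Brien', "Ted..>", "Ted..<"]

def classify_reflection(probe, observed):
    """Say how a probe came back in the page source.

    'raw'          metacharacter reflected untouched (no output encoding in this spot)
    'html-encoded' e.g. &quot; / &#34; / &gt;
    'url-encoded'  e.g. %22 / %3E
    'altered'      the word survived but the metacharacter was stripped or changed
    'absent'       the probe was not reflected at all
    """
    if observed == probe:
        return "raw"
    if html.unescape(observed) == probe:
        return "html-encoded"
    if urllib.parse.unquote(observed) == probe:
        return "url-encoded"
    stem = probe.rstrip("'\"<>")          # the word without its metacharacter
    return "altered" if stem in observed else "absent"

def review(observations):
    """observations maps probe -> reflected text; returns probe -> verdict."""
    return {p: classify_reflection(p, o) for p, o in observations.items()}

def needs_attention(observations):
    """Probes reflected raw: the ones to look at in context (which tag, which attribute)."""
    return [p for p, v in review(observations).items() if v == "raw"]

# Constructed sample of how the four probes came back from one page.
SAMPLE = {
    "O'Brien": "O'Brien",
    'O"Brien': "O&quot;Brien",
    "Ted..>": "Ted..%3E",
    "Ted..<": "Ted..",
}
```

`review(SAMPLE)` gives raw / html-encoded / url-encoded / altered for the four probes; a raw verdict is a sign to read the surrounding markup, not yet proof of XSS.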
Testing for SQL Injection (OWASP-DV-005)
Do you get a SQL error?
- Strings: O'Brien
- IDs: Instead of "1" type "1l" or "1 l"
!
Thank you
Special thanks to:
- OWASP Testing Guide contributors
- Mario Heiderich
- Chris John Riley
- Robin Wood
Abraham Aranguren
@7a_
http://7-a.org