12.7 Web App Pen Testing
Web Application Pen Testing
- Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation flaws, buffer overflows, SQL injection, authentication bypass, code execution, etc. in a given application.
- The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.
- Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.
- Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.
- The general steps involved in web-application penetration testing are listed below to give you an idea of how to proceed:
- Define Objective
- Information gathering
- Configuration management testing
- Authentication testing
- Session management testing
- Denial-of-service testing
- Data validation testing
- Business logic testing
- Authorization testing
- Web services testing
- AJAX testing
- Document all the findings
Information Gathering
- Retrieve and analyze robots.txt file using tools such as GNU Wget.
- Use the advanced "site:" search operator and then click "Cached" to perform search engine reconnaissance.
- Identify application entry points using tools such as Webscarab, Burp proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox).
- To identify web applications: probe for URLs, do directory-style searching (intelligent guessing) and perform vulnerability scanning using tools such as Nmap (Port Scanner) and Nessus.
- Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, querying search engines (googling).
- Analyze error codes by requesting invalid pages and utilize alternate request methods (POST/PUT/Other) in order to collect confidential information from the server.
- Examine the source code from the accessible pages of the application front-end.
- Test for recognized file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE, and watch for any unusual output or error codes.
- Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap.
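The robots.txt step above, as an added example that is not part of these notes or of any tool they mention: a small Python parser that lists the paths a site advertises as off-limits. SAMPLE_ROBOTS is a constructed file, and fetch_robots assumes the application under test serves the file at the usual /robots.txt path.

```python
"""Retrieve and parse robots.txt, listing the paths it advertises.

Added example for the information-gathering checklist; SAMPLE_ROBOTS is a
constructed file, not the robots.txt of any real site.
"""
import urllib.request
from typing import Dict, List

SAMPLE_ROBOTS = """\
# constructed robots.txt for an imaginary application
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /internal-api/

Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Group the directives of a robots.txt body by type.

    Comments and blank lines are skipped and directive names are compared
    case-insensitively, which is how crawlers read the file.
    """
    result: Dict[str, List[str]] = {"agents": [], "disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if ":" not in line:
            continue                                 # blank or malformed line
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            result["agents"].append(value)
        elif field == "disallow" and value:          # a bare "Disallow:" allows everything
            result["disallow"].append(value)
        elif field == "allow" and value:
            result["allow"].append(value)
        elif field == "sitemap":
            result["sitemaps"].append(value)
    return result


def entry_points(parsed: Dict[str, List[str]]) -> List[str]:
    """Unique Disallow paths: candidate entry points whose access control must be verified."""
    return sorted(set(parsed["disallow"]))


def fetch_robots(base_url: str, timeout: float = 10.0) -> str:
    """Fetch robots.txt from the application under test (assumed to live at /robots.txt)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/robots.txt", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for path in entry_points(parse_robots(SAMPLE_ROBOTS)):
        print(path)
```

Every path under Disallow is public information, so each one goes on the list of entry points whose authorization is tested explicitly; the file is a hint about what exists, not a control.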
Configuration Management Testing
- Identify the ports associated with SSL/TLS wrapped services using Nmap and Nessus.
- Perform network scanning and analyze the web server banner.
- Test the application configuration management using CGI scanners and reviewing the contents of the web server, application server, comments, configuration and logs.
- Use vulnerability scanners, spidering and mirroring tools, search engine queries or manual inspection to test file extension handling.
- Review source code, enumerate application pages and functionality.
- Perform directory and file enumeration, reviewing server and application documentation, etc. to test for infrastructure and application admin interfaces.
- Review OPTIONS HTTP method using Netcat or Telnet.
Authentication Testing
- Try to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check if "remember my password" mechanism is implemented by checking the HTML code of the login page.
- Check if it is possible to "reuse" a session after logout. Also check if the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.
- Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID.
- Check if users hold a hardware device of some kind in addition to the password. Check if hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.
- Attempt to force a race condition, make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review.
Session Management Testing
- Collect a sufficient number of cookie samples, analyze the cookie generation algorithm and forge a valid cookie in order to perform the attack.
- Test for cookie attributes using intercepting proxies such as Webscarab, Burp proxy, OWASP ZAP, or traffic intercepting browser plug-ins such as "TamperIE" (for IE) and "Tamper Data" (for Firefox).
- To test for session fixation, make a request to the site to be tested and analyze vulnerabilities using the WebScarab tool.
- Test for exposed session variables by inspecting encryption & reuse of session token, proxies & caching, GET & POST, and transport vulnerabilities.
- Examine the URLs in the restricted area to test for CSRF.
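The cookie-sample and cookie-attribute checks above, as an added example that is not part of these notes: audit_set_cookie reports the attributes an intercepting proxy would show as missing on one Set-Cookie header, and position_entropy gives a first read on how much a set of session tokens actually varies. The header values and token samples are constructed here, not captured from a real application.

```python
"""Audit Set-Cookie attributes and measure how much session tokens vary.

Added example for the session-management checks above; the header values and
token samples are constructed here, not captured from a real application.
"""
import math
from collections import Counter
from typing import Dict, List


def audit_set_cookie(header_value: str) -> List[str]:
    """Findings for one Set-Cookie value, e.g. "sid=abc; Path=/; Secure; HttpOnly".

    Attribute names are case-insensitive (RFC 6265); the leading name=value
    pair is the cookie itself and is not an attribute.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")            # token may be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # readable by injected script
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")          # browser default varies
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    for attr in ("expires", "max-age"):
        if attr in attrs:                            # session token survives browser close
            findings.append(f"persistent cookie ({attr}={attrs[attr]})")
    return sorted(findings)


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy in bits of the character at each position across the samples.

    A position that never changes scores 0.0. Counter- or time-based tokens show
    runs of such positions; tokens from a CSPRNG do not.
    """
    width = min(len(t) for t in tokens)
    entropies = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        h = -sum(c / total * math.log2(c / total) for c in counts.values())
        entropies.append(h + 0.0)                    # turn -0.0 into 0.0
    return entropies


# Constructed sample: a counter-based token, the kind of pattern the analysis should catch.
WEAK_TOKENS = [f"sess{n:04d}" for n in range(1, 11)]

if __name__ == "__main__":
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    print(position_entropy(WEAK_TOKENS))
```

Ten samples are enough to expose a fixed prefix or a counter; judging a token that looks random needs far more samples and a proper statistical test, so treat a high per-position entropy as "nothing obvious" rather than as proof of strength.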
Authorization Testing
- Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application.
- Test for bypassing authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role.
- Test for role/privilege manipulation.
Data Validation Testing (?)
- Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report and attempt to exploit it. Use tools such as OWASP CAL9000, WebScarab, XSS-Proxy, ratproxy, and Burp Proxy.
- Analyze HTML code, test for Stored XSS, leverage Stored XSS, verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvector, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant.
- Perform source code analysis to identify JavaScript coding errors.
- Analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and Debugger Version of Flash Plugin/Player.
- Perform Standard SQL Injection Testing, Union Query SQL Injection Testing, Blind SQL Injection Testing, and Stored Procedure Injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, SQLPower Injector, etc.
- Use a trial-and-error approach by inserting characters such as (, |, &, * and the others in order to check the application for errors. Use the tool Softerra LDAP Browser.
- Discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate ORM, Nhibernate, and Ruby On Rails.
- Try to insert XML metacharacters.
- Find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, OWASP ZAP, WebScarab, String search: grep.
- Inject XPath code and interfere with the query result.
- Identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection.
- Inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities.
- Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks.
- Perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions.
- Upload a file that exploits a component in the local user workstation, when viewed or downloaded by the user, perform XSS, and SQL injection attack.
- Identify all user-controlled input that influences one or more headers in the response, and check whether a CR+LF sequence can be successfully injected into it.
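The SQL injection and CR+LF header injection items above, as an added example that is not part of these notes: each vulnerable function is shown beside its hardened form, so the tester has a reference for what a positive and a negative result look like. The in-memory SQLite table, the usernames and the request values are constructed here.

```python
"""Vulnerable and hardened handling of two injection points from the checklist.

Added example, not part of the original notes: the in-memory SQLite table and
the request values are constructed here.
"""
import sqlite3
from typing import List, Tuple

# Constructed test data.
TEST_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", TEST_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """String-built query: a quote in the input changes the structure of the SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def redirect_header_vulnerable(location: str) -> str:
    """Concatenates user input into a header; a CR+LF in it ends the header line."""
    return f"Location: {location}"


def redirect_header_safe(location: str) -> str:
    """Rejects CR, LF and other control characters so one value stays one header."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in location):
        raise ValueError("control character in header value")
    return f"Location: {location}"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"                    # standard SQL injection test string
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
```

With the standard test string the string-built query returns every row, while the parameterised query returns nothing because no username literally equals the string. Mainstream web frameworks already refuse CR/LF in header values; the explicit check is shown so the expected behaviour for the CR+LF test has a concrete reference.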
Denial-of-Service Testing
- Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process.
wildcard: wildcard character (萬用字元)
- Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins.
- Perform a manual source code analysis and submit a range of inputs with varying lengths to the application.
- Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, then see if the server continues to respond.
- Enter an extremely large number in the input field that is used by application as a loop counter.
- Use a script to automatically submit an extremely long value to the server in the request that is being logged.
- Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.
- Create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one.
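The account-lockout item above, as an added example that is not part of these notes: a small in-memory guard that locks an account after a fixed number of failures for a limited window and returns the same message for an unknown username and a wrong password, which is the behaviour the two checks in that item look for. USERS is a constructed store holding a plaintext password for brevity; real code stores and compares hashes.

```python
"""Account lockout and uniform login errors: reference behaviour for the checks above.

Added example, not part of the original notes. USERS is a constructed store
holding a plaintext password for brevity; real code stores and compares hashes.
"""
import hmac
import time
from typing import Callable, Dict, List, Tuple

MAX_FAILURES = 5
LOCK_SECONDS = 15 * 60
GENERIC_ERROR = "invalid username or password"   # same text for unknown user and wrong password

USERS: Dict[str, str] = {"alice": "correct horse battery staple"}   # constructed


class LoginGuard:
    """Counts failed logins per username and locks the account for a fixed window."""

    def __init__(self, max_failures: int = MAX_FAILURES, lock_seconds: float = LOCK_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock                                   # injectable so tests can advance time
        self.failures: Dict[str, Tuple[int, float]] = {}     # username -> (count, last failure time)

    def is_locked(self, username: str) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lock_seconds:
            self.failures.pop(username, None)                # lock window has expired
            return False
        return True

    def attempt(self, username: str, password: str) -> str:
        if self.is_locked(username):
            return "account locked"
        expected = USERS.get(username, "")
        # The constant-time compare runs even for unknown users, so response time
        # does not reveal whether the username exists.
        matched = hmac.compare_digest(expected.encode(), password.encode())
        if username in USERS and matched:
            self.failures.pop(username, None)                # success resets the counter
            return "ok"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())
        return GENERIC_ERROR


def demo(max_failures: int = 3) -> List[str]:
    """Drive the guard with a fake clock and return the sequence of responses."""
    now = [0.0]
    guard = LoginGuard(max_failures=max_failures, lock_seconds=60, clock=lambda: now[0])
    results = [guard.attempt("alice", "wrong") for _ in range(max_failures)]
    results.append(guard.attempt("nobody", "wrong"))          # unknown user: same message
    results.append(guard.attempt("alice", USERS["alice"]))    # right password, but locked
    now[0] = 61.0                                             # lock window passes
    results.append(guard.attempt("alice", USERS["alice"]))
    return results


if __name__ == "__main__":
    for step, response in enumerate(demo(), 1):
        print(step, response)
```

Lockout is itself a denial-of-service lever against any username the attacker knows, which is why the lock here expires after a window instead of being permanent; in practice it is paired with per-source rate limiting so that a flood of failures for one account cannot keep its owner out indefinitely.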
Web Services Testing (?)
- To gather WS information use tools such as wsChess, Soaplite, CURL, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.
- Use tools such as WSDigger, WebScarab, and Foundstone to automate web services security testing.
- Pass malformed SOAP messages to XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.
- Use web application vulnerability scanners such as WebScarab to test XML content-level vulnerabilities.
- Pass malicious content on the HTTP GET strings that invoke XML applications.
- Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if XML document has SOAP attachment vulnerability.
- Attempt to resend a sniffed XML message using Wireshark and WebScarab.
AJAX Testing (?)
- Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.
- Observe HTML and JavaScript files to find URLs of additional application surface exposure.
- Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints in order to determine the format and destination of the requests.
Web Application Pen Testing Framework: Kali Linux
- Kali Linux is an advanced penetration testing and security auditing Linux distribution.
- It contains more than 300 penetration testing tools.
Web Application Pen Testing Framework: Metasploit
- The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms.
- It helps pen testers to verify vulnerabilities and manage security assessments.
Web Application Pen Testing Framework: Browser Exploitation Framework (BeEF)
- The Browser Exploitation Framework (BeEF) is an open-source penetration testing tool used to test and exploit web application and browser-based vulnerabilities.
- BeEF provides the penetration tester with practical client side attack vectors and leverages web application and browser vulnerabilities to assess the security of a target and carry out further intrusions.
Web Application Pen Testing Framework: PowerSploit (?)
- PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.
- Some of the PowerSploit modules and scripts:
- CodeExecution
- ScriptModification
- Persistence
- PETools
- ReverseEngineering
- AntivirusBypass
- Exfiltration