Web Application Assessment
March 2009
Advisory Services
PRIVATE AND CONFIDENTIAL © 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved.
Agenda
Definitions
Landscape of current web applications
Required skills
Attack surface
Scope
Methodology
Soft skills
Definitions
Black box testing
White box testing
Grey box testing
What about code reviews?
Landscape – Typical Application
Client – Javascript, VB, ActionScript
AJAX/JSON – user experience
Server – C#, VB, PHP, Java, ColdFusion, Perl, Ruby
Web services – SOAP, WSDL, UDDI
Database – Oracle, MySQL, MS SQL, Postgres
LDAP – AD, Novell, Sun
Does this list scare you?
All this and more…
RegEx
URL, Hex, Base64, Unicode encoding
HTML encoding
SQL syntax
XML
LDAP
All of this in addition to the basics like HTML, CSS, HTTP, HTTPS, IIS/Apache, SSL
RegEx Examples
'^SELECT'
S%65L%65CT
^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
'[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
Encoding Examples
' or 1=1--
%27%6f%72%20%31%3d%31%2d%2d
password
cGFzc3dvcmQ=
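The RegEx and Encoding slides make one point together: a pattern is only as good as the normalisation that runs before it, since `S%65L%65CT` never matches `^SELECT` until it is URL-decoded. The following Python is an added example, not part of the KPMG deck; it decodes the slide's sample values (repeated percent-decoding, then base64) and applies the slide's three patterns, with the dotted-quad regex translated from grep's `\{1,3\}` syntax and every dot escaped. The `url_decode_fully` helper and the `max_rounds` limit are the editor's own choices. Note that the deck's hex string decodes to `'or 1=1--` without a space after the quote.

```python
import base64
import re
from urllib.parse import unquote

# Patterns from the slide, written in Python regex syntax.
SELECT_RE = re.compile(r"^SELECT", re.IGNORECASE)
# grep's BRE '\{1,3\}' becomes '{1,3}'; every dot is escaped so that only a
# literal '.' separates the octets (an unescaped '.' would match any character).
IPV4_RE = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
# US SSN pattern exactly as on the slide; the \3 backreference forces the
# same separator (space, dash or nothing) in both positions.
SSN_RE = re.compile(
    r"^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$"
)


def url_decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so '%2527' -> '%27' -> "'".

    max_rounds (an assumption of this example) stops a hostile input from
    making the decoder loop forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def starts_with_select(value):
    """Return (match on the raw input, match after decoding).

    The slide's 'S%65L%65CT' is why the second element matters: a filter
    that matches before decoding misses the encoded form entirely.
    """
    raw_hit = SELECT_RE.search(value) is not None
    decoded_hit = SELECT_RE.search(url_decode_fully(value)) is not None
    return raw_hit, decoded_hit


def base64_to_text(value):
    """Decode a base64 token (e.g. a Basic-auth credential or opaque cookie)."""
    return base64.b64decode(value).decode("utf-8")


def is_ipv4_shaped(value):
    """Loose dotted-quad check; octet range is not validated, as on the slide."""
    return IPV4_RE.fullmatch(value) is not None


def is_ssn_shaped(value):
    """True when the value has the shape of a US SSN per the slide's pattern."""
    return SSN_RE.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample inputs: the slide's own values plus one double-encoded one.
    for sample in ("S%65L%65CT", "%27%6f%72%20%31%3d%31%2d%2d", "%2527"):
        print(repr(sample), "->", repr(url_decode_fully(sample)),
              "SELECT raw/decoded:", starts_with_select(sample))
    print("base64:", base64_to_text("cGFzc3dvcmQ="))
    print("ipv4:", is_ipv4_shaped("10.0.0.1"), is_ipv4_shaped("10a0b0c1"))
    print("ssn:", is_ssn_shaped("123-45-6789"), is_ssn_shaped("000-45-6789"))
```

`is_ipv4_shaped("10a0b0c1")` is false only because the dots are escaped; with the slide's original unescaped dots in the second and third positions that string would have matched.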
Attack Surface
Client
Browser, AJAX, Flash, Plugins
Server
Web server (Apache, IIS, Sun One)
Web Application
Forms
Cookies
Query parameters
File upload/download
Contact Us functionality
Business logic
Concurrency
Web services
Start with the Scope
Take a monumental task, and confine it
URL or IP Address
Client-side, or just server/application?
What to test for?
How to perform those tests?
Methodology
Reconnaissance
Document
Mapping
Document
Plan
Document
Test
Document
Exploit
Document
Reconnaissance
External (e.g. Google)
From the site
Platform (e.g. Windows/IIS)
Development technology(ies) (e.g. .NET with JavaScript)
SSL and weak ciphers
Robots.txt and crossdomain.xml
Map the application (spider)
Enumerate directory/files
Determine functionality
Locate entry points
Look for comments and hidden fields
Tools
Landscape
Gooscan
Fierce
Maltego®
Web Scanners
Nikto
Burp®
Appscan®
Hailstorm®
Focussed tools
HTTPrint
Wmap
DirBuster
SSLDigger
General Web Assessment Tools
Burp Suite®
WebScarab
Firefox® Addons
Firebug & Firecookie
TamperData
JSView
OWASP LiveCD
Samurai
Post Information Gathering
Analyze accumulated results from all tools
Document the application
Look for areas of vulnerability:
Authentication/Authorization
Cookie Attributes – Expires, Path, Domain, and Secure
Traversal
Injection
XSS
CSRF
Application logic
Concurrency
Race Conditions
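The "Cookie Attributes" item above is one of the few checks on this slide that can be scripted directly from captured responses. The following Python is an added example, not code from the deck: it parses `Set-Cookie` headers and reports a missing `Secure` flag, a `Domain` wider than the host under test, a `Path` wider than the application's path, and an `Expires`/`Max-Age` on a session cookie (which turns it into a persistent on-disk cookie). The sample headers, the `site_host`/`app_path` defaults and the `SESSION_COOKIE_NAMES` set are constructed for the example.

```python
# Names treated as session identifiers for the persistence check (constructed list).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}

# Constructed Set-Cookie headers, as they would appear in a proxy log.
SAMPLE_HEADERS = [
    "sessionid=8f3a1c; Path=/app; Secure",
    "sessionid=8f3a1c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "prefs=dark; Domain=.example.com; Path=/app; Secure",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, site_host="www.example.com", app_path="/"):
    """Return a list of findings for one Set-Cookie header.

    site_host and app_path describe the application under test (hypothetical
    defaults); a cookie scoped wider than either is reported.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []

    # Secure: without it the browser also sends the cookie over plain HTTP.
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")

    # Domain: a leading dot or a parent domain shares the cookie with every
    # host under it, not just the one that set it.
    domain = attrs.get("domain", "")
    if domain and domain.lstrip(".").lower() != site_host.lower():
        findings.append(f"{name}: Domain={domain} is wider than {site_host}")

    # Path: '/' (or no Path when the app lives under a prefix) exposes the
    # cookie to every other application on the same host.
    path = attrs.get("path", "")
    if app_path != "/" and not (path and app_path.startswith(path) and path != "/"):
        findings.append(f"{name}: Path={path or '(unset)'} is wider than {app_path}")

    # Expires / Max-Age on a session cookie makes it survive browser close.
    if name.lower() in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
        which = "Expires" if "expires" in attrs else "Max-Age"
        findings.append(f"{name}: session cookie is persistent ({which})")

    return findings


def audit_all(headers, **kwargs):
    """Audit every header; returns a list of (cookie name, findings) pairs."""
    return [(parse_set_cookie(h)[0], audit_set_cookie(h, **kwargs)) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS, app_path="/app"):
        print(name, findings or "ok")
```

The second sample header collects three findings (no `Secure`, `Path=/`, persistent session cookie); the first is clean and the third is reported only for its `.example.com` domain.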
Post Information Gathering (2)
Determine how users are authenticated, and look for user contexts to reverse engineer the authorization scheme
Document the important web functions, associated pages, and parameters
Document the application and logic flow
Use all of this information to create a plan of exploit, to seek out vulnerabilities
Finding the Cool Stuff
Automated vs Manual
Let’s avoid the flame wars!
This is where the methodology helps
Let the automated tools do some of the digging and heavy lifting for you
That still leaves plenty for you to manually test
What is the cool stuff?
Injection
XSS
CSRF
SQLi
Assumptions:
You know the basics of SQL
You know the basics of SQLi
3 Classes:
Inband
Out of band
Inferential
How do you test for it?
How do you validate?
SQLi Starts at Home
Source: http://xkcd.com/327/
SQL Injection Types
Error
Ask the DB a question that will produce an error, and examine the error to glean information.
Union
Use the SQL UNION operator to combine two SELECT statements; useful for data extraction.
Blind
Ask the DB only True/False questions, and measure the response based on the type of page returned, or the time it took to respond.
SQLi Tools
Mieliekoek.pl – Will use the output from HTTrack for its target list; Looks for “ODBC” in the output; Configurable SQLi syntax
SQLMap – Python command line tool; Blind and Union SQLi; Can use Burp or WebScarab logs for targets list
Wapiti – Set of Python scripts for testing SQLi, CRLF, XSS, and others;
Absinthe – GUI tool that can aid in the download of schema and contents of a database; Does not find SQL injection points; Uses blind injection techniques or error based for SQL Server
SQL Inject Me – Firefox addon to test for error based SQLi
SQLiX – OWASP Perl command line tool to test for error based and blind SQL injection; It can run exploits as well
SQL Power Injector - .Net based tool to find and exploit SQLi; Focuses on blind injection, but does not try to locate the vulnerability
Mitigating and Preventing SQLi
Validating input
' or 1=1--
'or 2=2--
' or 1 in (select @@version)--
Parameterized queries
Stored procedures – really?
Web application firewalls – really?
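The three payloads under "Validating input" are there to show why a deny-list is not a fix: each variant dodges a filter written for the one before it, whereas a parameterized query treats all of them as plain string values. The following Python is an added example, not code from the deck: an in-memory SQLite table with two constructed accounts, a deliberately vulnerable login that concatenates input into SQL, a naive deny-list that only knows `1=1`, and the parameterized version of the same query. The third payload targets SQL Server's `@@version` and simply errors in SQLite, which the vulnerable function reports as "no rows".

```python
import sqlite3

# The three payloads from the slide, and constructed credentials for the demo table.
PAYLOADS = ["' or 1=1--", "'or 2=2--", "' or 1 in (select @@version)--"]
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a two-row users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def naive_blacklist_allows(value):
    """A deny-list that rejects only the textbook '1=1' token.

    This is the 'validating input' approach the slide questions: it stops the
    first payload and lets the other two straight through.
    """
    return "1=1" not in value.replace(" ", "")


def login_concat(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # A payload written for another engine (e.g. @@version is SQL Server
        # syntax) is a syntax error in SQLite rather than a data leak.
        return []


def login_param(conn, username, password):
    """Fixed form: the driver binds the values, so a payload is just a string
    that matches no username."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    for payload in PAYLOADS:
        print(repr(payload),
              "| blacklist allows:", naive_blacklist_allows(payload),
              "| concat returns:", login_concat(conn, payload, "x"),
              "| param returns:", login_param(conn, payload, "x"))
    print("legitimate login:", login_param(conn, "alice", "s3cret"))
```

With the first two payloads `login_concat` returns every user because the `--` comments out the password check; `login_param` returns nothing for all three and still logs alice in normally, which is the slide's point that parameterization, not pattern matching, is the control.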
Other Injection Types
LDAP
XPATH
OS
Tools?
How do you test for it?
Cross Site Scripting (XSS)
Reflected vs. Stored
Which is more dangerous?
DOM-based XSS
How do you test for these? Automated tools?
Cross Site Request Forgery
How does this differ from XSS?
Subtle
Preventable
How do you test for it?
XSS and CSRF
Understand Same-Origin Policy
Understand Adobe’s recent Cross-domain policy
Understand the nuances of these policies, and how different browsers interpret those nuances
Soft Skills
Documentation
Understand risk, business risk
Communication
Scope
Testing windows, methodology, etc.
Expectations
Time management
References:
Advanced SQL Injection In SQL Server Applications by Chris Anley (NGS Software)
Advanced SQL Injection by Joe McCray
Web Application Disassembly with ODBC Error Messages by David Litchfield
Cross Site Scripting Explained by Amit Klein
Cross Site Request Forgeries: Exploitation and Prevention by Zeller and Felten
OWASP Web Site – OWASP Testing Guide v3