
Web Application Assessment

March 2009

ADVISORY SERVICES

PRIVATE AND CONFIDENTIAL © 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved.

Agenda

Definitions

Landscape of current web applications

Required skills

Attack surface

Scope

Methodology

Soft skills


Definitions

Black box testing

White box testing

Grey box testing

What about code reviews?


Landscape – Typical Application

Client – Javascript, VB, ActionScript

AJAX/JSON – user experience

Server – C#, VB, PHP, Java, ColdFusion, Perl, Ruby

Web services – SOAP, WSDL, UDDI

Database – Oracle, MySQL, MS SQL, Postgres

LDAP – AD, Novell, Sun

Does this list scare you?


All this and more…

RegEx

URL, Hex, Base64, Unicode encoding

HTML encoding

SQL syntax

XML

LDAP

All of this in addition to the basics like HTML, CSS, HTTP, HTTPS, IIS/Apache, SSL


RegEx Examples

'^SELECT'

S%65L%65CT

^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

'[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'


Encoding Examples

' or 1=1--

%27%6f%72%20%31%3d%31%2d%2d

password

cGFzc3dvcmQ=


Attack Surface

Client

Browser, AJAX, Flash, Plugins

Server

Web server (Apache, IIS, Sun One)

Web Application

Forms

Cookies

Query parameters

File upload/download

Contact Us functionality

Business logic

Concurrency

Web services


Start with the Scope

Take a monumental task, and confine it

URL or IP Address

Client-side, or just server/application?

What to test for?

How to perform those tests?


Methodology

Reconnaissance

Document

Mapping

Document

Plan

Document

Test

Document

Exploit

Document


Reconnaissance

External (e.g. Google)

From the site

Platform (e.g. Windows/IIS)

Development technology(ies) (e.g. .NET with JavaScript)

SSL and weak ciphers

Robots.txt and crossdomain.xml

Map the application (spider)

Enumerate directory/files

Determine functionality

Locate entry points

Look for comments and hidden fields


Tools

Landscape

Gooscan

Fierce

Maltego®

Web Scanners

Nikto

Burp ®

Appscan ®

Hailstorm ®

Focussed tools

HTTPrint

Wmap

DirBuster

SSLDigger

General Web Assessment Tools

Burp Suite®

WebScarab

Firefox® Addons

Firebug & Firecookie

TamperData

JSView

OWASP LiveCD

Samurai


Post Information Gathering

Analyze accumulated results from all tools

Document the application

Look for areas of vulnerability:

Authentication/Authorization

Cookie Attributes – Expires, Path, Domain, and Secure

Traversal

Injection

XSS

CSRF

Application logic

Concurrency

Race Conditions


Post Information Gathering (2)

Determine how users are authenticated, and look for user contexts to reverse engineer the authorization scheme

Document the important web functions, associated pages, and parameters

Document the application and logic flow

Use all of this information to create a plan of exploit, to seek out vulnerabilities


Finding the Cool Stuff

Automated vs Manual

Let’s avoid the flame wars!

This is where the methodology helps

Let the automated tools do some of the digging and heavy lifting for you

That still leaves plenty for you to manually test


What is the cool stuff?

Injection

XSS

CSRF


SQLi

Assumptions:

You know the basics of SQL

You know the basics of SQLi

3 Classes:

Inband

Out of band

Inferential

How do you test for it?

How do you validate?


SQLi Starts at Home

Source: http://xkcd.com/327/


SQL Injection Types

Error

Ask the DB a question that will produce an error, and examine the error to glean information.

Union

Use SQL Union statement to combine two Select statements.

Useful for data extraction

Blind

Ask the DB only True/False questions, and measure the response based on the type of page returned, or the time it took to respond.


SQLi Tools

Mieliekoek.pl – Will use the output from HTTrack for its target list; Looks for “ODBC” in the output; Configurable SQLi syntax

SQLMap – Python command line tool; Blind and Union SQLi; Can use Burp or WebScarab logs for targets list

Wapiti – Set of Python scripts for testing SQLi, CRLF, XSS, and others;

Absinthe – GUI tool that can aid in the download of schema and contents of a database; Does not find SQL injection points; Uses blind injection techniques or error based for SQL Server

SQL Inject Me – Firefox addon to test for error based SQLi

SQLiX – OWASP Perl command line tool to test for error based and blind SQL injection; It can run exploits as well

SQL Power Injector - .Net based tool to find and exploit SQLi; Focuses on blind injection, but does not try to locate the vulnerability


Mitigating and Preventing SQLi

Validating input

' or 1=1--

'or 2=2--

' or 1 in (select @@version)--

Parameterized queries

Stored procedures – really?

Web application firewalls – really?
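The slide lists the payloads that make "validating input" a losing game (a blocklist that catches 1=1 says nothing about 2=2) and then names the fix, parameterized queries. The Python below is an added example, not code from the KPMG deck: it runs the same login query both ways against an in-memory SQLite table, shows the blocklist gap, and returns the raw database error that the "Error" type from the SQL Injection Types slide relies on. The users table, the SAMPLE_USERS rows and the function names are constructed for the example; SQLite is used only because it runs offline, the pattern is the same on the Oracle, MySQL, MS SQL and Postgres backends the deck lists.

```python
import sqlite3

# Constructed sample accounts; an in-memory database so the example runs offline.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: input becomes SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input stays data, never SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def naive_blocklist(value):
    """Input validation by blocklist, the approach the slide questions.

    Rejects only the textbook 1=1 tautology, so the slide's 2=2 variant passes.
    """
    return "1=1" in value.replace(" ", "").lower()


def compare(username, password="x"):
    """Run one input through the blocklist and both query implementations.

    For the vulnerable path a database error is returned as text instead of
    raised, because that leaked message is exactly what error-based SQLi reads.
    """
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        vulnerable = "error: " + str(exc)
    return {
        "blocklist_rejects": naive_blocklist(username),
        "vulnerable": vulnerable,
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    for probe in ["alice", "' or 1=1--", "' or 2=2--", "'"]:
        pw = "s3cret" if probe == "alice" else "x"
        print(f"{probe!r:14} -> {compare(probe, pw)}")
```

With the tautology inputs the concatenated query returns every account while the parameterized one returns nothing, and a lone quote produces a parser error from the concatenated query only. That is also the verification step the SQLi slide asks about: the parameterized path behaves identically for all four inputs, which is what a fix should look like when retested.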


Other Injection Types

LDAP

XPATH

OS

Tools?

How do you test for it?


Cross Site Scripting (XSS)

Reflected vs. Stored

Which is more dangerous?

DOM-based XSS

How do you test for these? Automated tools?


Cross Site Request Forgery

How does this differ from XSS?

Subtle

Preventable

How do you test for it?


XSS and CSRF

Understand Same-Origin Policy

Understand Adobe’s recent Cross-domain policy

Understand the nuances of these policies, and how different browsers interpret those nuances
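The CSRF slide calls the problem "subtle" and "preventable", and this slide says why the prevention works: the same-origin policy. The Python below is an added example, not part of the KPMG deck, modelling a state-changing endpoint protected by a synchronizer token (an HMAC over the session id) and the two requests it must tell apart: the browser submitting the server-rendered form, and a cross-site form post that carries the victim's cookie automatically but not the token, which a page on another origin cannot read. SECRET_KEY, SESSIONS, handle_transfer and the request dictionaries are constructed for the example; there is no real HTTP stack behind them.

```python
import hashlib
import hmac
import secrets

# Server-side key, generated per process for this hypothetical application.
SECRET_KEY = secrets.token_bytes(32)

# Session store, cookie value -> user. Constructed for the example.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(key, session id).

    The server embeds it in a hidden field on forms it renders. A page served
    from another origin cannot read that field (same-origin policy), so it
    cannot reproduce the token.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing or non-string token never validates."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def handle_transfer(request: dict) -> str:
    """State-changing endpoint. request = {"cookies": {...}, "form": {...}}."""
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    form = request.get("form", {})
    if not token_is_valid(session_id, form.get("csrf_token")):
        return "403 csrf token missing or invalid"
    return f"200 transferred {form.get('amount')} for {user}"


def legitimate_request(session_id: str, amount: int) -> dict:
    """Browser submits the server-rendered form: session cookie plus matching token."""
    return {
        "cookies": {"session": session_id},
        "form": {"amount": amount, "csrf_token": issue_token(session_id)},
    }


def cross_site_request(session_id: str, amount: int) -> dict:
    """Form post from another origin: the browser attaches the victim's cookie
    automatically, but the submitting page never saw the hidden token."""
    return {"cookies": {"session": session_id}, "form": {"amount": amount}}


if __name__ == "__main__":
    print(handle_transfer(legitimate_request("sess-alice", 100)))
    print(handle_transfer(cross_site_request("sess-alice", 100)))
    print(handle_transfer({"cookies": {}, "form": {"amount": 100}}))
```

The endpoint accepts the rendered form and refuses the cross-site post even though both arrive with a valid session cookie, which is the whole difference the CSRF slide asks you to see. It also answers "how does this differ from XSS": a script injected into the same origin can read the hidden field and submit it, so the token defends against CSRF only while the site is free of XSS.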


Soft Skills

Documentation

Understand risk, business risk

Communication

Scope

Testing windows, methodology, etc.

Expectations

Time management


References:

Advanced SQL Injection In SQL Server Applications by Chris Anley (NGS Software)

Advanced SQL Injection by Joe McCray

Web Application Disassembly with ODBC Error Messages by David Litchfield

Cross Site Scripting Explained by Amit Klein

Cross Site Request Forgeries: Exploitation and Prevention by Zeller and Felten

OWASP Web Site – OWASP Testing Guide v3