Web Application Penetration Testing
Will Bechtel – [email protected]
• Sr. Consulting Manager - Application Security Practice
• AT&T Consulting, part of AT&T Business Services / Application Solutions
• Formerly VeriSign Global Security Consulting – AT&T acquired Oct 2010
Experience with Organizations
• Primary verticals: Financial Services, High Tech, Retail
Application Experience
• 15 Years software development
• Web commerce development for fortune 500 customers
Caution
• Tools/techniques should only be used for authorized testing. Don't Be Evil…
• Be very careful how you configure tools or you may end up in real trouble.
Overview of Web App Pen Testing
• Web Application Definition
• Drivers for Testing
• High Level Methodology
Overview of Tools
• Web App Scanners
• Proxies, Spiders, Fuzzers
• Strengths and Weaknesses
Review of Vulnerabilities
• OWASP Top Ten
Demonstration of Tools/Techniques
• Web Application Scanner – IBM's AppScan
• Burp Professional Proxy/Scanner
Typical Web Application
(Diagram: Web Browser → Corporate Firewall → Web/Application Server → Database Server; ports shown: 80 / 443, 21, 3389.) App utilizes HTTP/HTTPS
• Web Browser Applications
• Web Services (blurring)
Client is Web Browser
• Application Interface is HTML/CSS/Javascript interpreted on the client.
• Blurring with Java and ActiveX components delivered via HTTP. Out of scope for this presentation.
From Wikipedia
• A computer software application that is hosted in a controlled environment (e.g. a Java applet) or coded in a supported language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable.
HTTP Basics
• HTTP is a plain text protocol
• Browser sends request to web server
• Server sends back response with a status code
Web Application Basics
Request (browser → server):
GET /search.aspx?q=answer+to+life HTTP/1.0

Response (server → browser):
HTTP/1.0 200 OK

<html>
<body>
The answer is 42
</body>
</html>
#1 Compliance
• PCI
– Requirement for Annual Pen Test – Internal/External
– Requirement for quarterly scanning (not pen test but uses automated scanners)
• GLBA, FTC, SOX, HIPAA, SB1386
Partnerships
• Many SaaS providers perform testing to ensure customers they are secure.
Risk Management
• Risk Management (Lower potential liability and losses)
• Protect Reputation
Determine Scope
• Evaluate Security Requirements
• Evaluate Compliance Objectives
• Identify any out of scope areas (document)
Determine Rules of Engagement
• Determine White Box, Grey Box, Black Box testing methodology
• Determine involved parties – who will support testing, issues that may come up, etc.
• Gather contact information
• Review communication, notification, and issue escalation procedures.
• Review other specific requests and rules of engagement (e.g., periods during which testing should not be performed).
• Review deliverables and any requirements
Application Architecture Review (if white or grey box)
• Review system architecture and logical model
• Review interfaces
Discovery
• Spidering
• Manual Traversal
Automated Scanning
• Platform Fingerprinting (web server/app server/database server)
• Test for Vulnerabilities
• Validation of Findings
• Manual Testing Validation where required
Manual Testing
• Exercise with Proxy
• Evaluate and Adjust
Analysis and Reporting
• Determine and Assign Risk (risk of vuln/likelihood/overall risk/recommendation for fixing/level of effort)
• Document – assign risk at the highest plausible level until more information is available
Seek to simulate an application tester
• Perform Discovery (Spider)
• Test for known platform vulnerabilities and common
misconfigurations
• Determine and Test Authentication/Authorization Boundaries
• Exercise requests/manipulate parameters
Provide Analyst with Findings/Details/Recommendations
• Analyst reviews and removes false positives
Reporting
• Generate reports with vulnerability details, risk ratings and
recommendations for remediation from validated findings
Used to test, not to improve caching performance
• Many proxies utilized in organizations are set up to restrict, monitor and secure outbound connections as well as to improve performance.
Web Application Testing Proxy
• Designed specifically to perform web application testing
• Primary feature is to intercept and modify traffic to/from web browser and web server.
• Usually include spidering and sometimes scanning tools.
• Scanning can be passive or active.
Fuzzing
• (Wikipedia) Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.
Fuzzers
• Usually targeted at finding memory issues like buffer overflows
• Limited in functionality
• Some Web Proxies can be utilized as fuzzers (Burp Suite Pro, WebScarab)
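An added example (not code from the presentation, Burp or WebScarab) of what a proxy's fuzz feature does with a captured request: parse the query string, substitute each parameter in turn with a list of payloads, replay, and flag responses that look anomalous. The target here is a constructed in-process stand-in (`search_handler`) with a deliberate SQL error leak and an unescaped reflection, so the whole thing runs offline; `CANARY`, the payload list and the anomaly rules are assumptions for the demo.

```python
"""Parameter fuzzer in the style of a testing proxy's intruder/fuzz feature.

Added example. `search_handler` is a constructed stand-in for a web
application; PAYLOADS and the anomaly rules are illustrative assumptions.
"""
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# A unique marker so we can tell where our input lands in the response.
CANARY = "zq9fuzz"

# Constructed payload list; a real run uses far larger lists per bug class.
PAYLOADS = [
    "'",                       # breaks a SQL string literal
    "' OR '1'='1",             # classic boolean tautology
    "<" + CANARY + ">",        # markup: is it reflected unescaped?
    "A" * 5000,                # length handling
    "%00",                     # null byte (stays a literal after decoding)
    "../../etc/passwd",        # path traversal
]


def search_handler(path):
    """Constructed toy application: GET /search?q=...&page=N -> (status, body)."""
    parts = urlsplit(path)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    q = params.get("q", "")
    page = params.get("page", "1")
    if "'" in q:                       # emulates a database error bubbling up
        return 500, "SQL syntax error near '" + q + "'"
    if not page.isdigit():             # emulates an unhandled int() failure
        return 500, "ValueError: invalid literal for int()"
    if len(q) > 1000:
        return 414, "URI too long"
    # The query is echoed without escaping: a reflected XSS sink.
    return 200, "<html><body>Results for " + q + "</body></html>"


def mutate(path, name, payload):
    """Return `path` with query parameter `name` replaced by `payload`.
    This is the edit you would make by hand in an intercepting proxy."""
    parts = urlsplit(path)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, payload if k == name else v) for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(params)))


def fuzz(path, handler=search_handler):
    """Fuzz every query parameter of `path`; return (param, payload, reason) hits."""
    findings = []
    names = [k for k, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True)]
    for name in names:
        for payload in PAYLOADS:
            status, body = handler(mutate(path, name, payload))
            if status >= 500:
                findings.append((name, payload, "server error %d" % status))
            elif payload in body and html.escape(payload) != payload:
                # Only payloads containing HTML-significant characters count.
                findings.append((name, payload, "reflected unescaped"))
    return findings


if __name__ == "__main__":
    for hit in fuzz("/search?q=answer+to+life&page=1"):
        print(hit)
```

The anomaly rules are deliberately crude (5xx status, or HTML-significant input echoed verbatim); this is why fuzzer output still needs an analyst to validate each hit before it becomes a finding.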
Web App Scanning
• Strengths
– Fast, can scan for many common issues quickly, can be set up to regression test, good for finding reflected cross site scripting
• Weaknesses
– Can be difficult to configure, often does not hold state well and so misses much of the app. Not good at finding subtle and multi-step issues (stored XSS, etc.).
Web Proxy Testing
• Strengths
– Good for identifying/verifying all vulnerabilities, identifies more high-risk issues (multi-step and authorization issues)
• Weaknesses
– Takes strong experience to utilize, time-consuming compared to automated, very time-consuming to do any regression testing
Fuzzers
• Strengths – finding memory issues such as buffer overflows, etc.
• Weaknesses – very narrow usage
Open Web Application Security Project (OWASP)
• www.owasp.org
• Top Ten – most common vulnerabilities -
http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
• Information on how to identify and remediate these and many
other application security issues
• Development of tools and frameworks and approaches for
application security
OWASP 2010 vs 2007
A1 - Injection
• Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injected by user input, executed on server (web/app/db).
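The A1 flaw above as an added example (not the presentation's code): a constructed SQLite login query, first with the user's input spliced into the SQL text, then with bound parameters. The users table and passwords are made up for the demo and stored in clear only so the injection point stays visible.

```python
"""SQL injection: string concatenation vs. bound parameters (added example).

The in-memory table and credentials are constructed for the demo.
"""
import sqlite3


def make_db():
    """Constructed user table; clear-text passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted data becomes part of the command text, so SQLite cannot tell
    attacker-supplied SQL from the developer's SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Same query with placeholders: the values are bound after parsing and
    are never interpreted as SQL, whatever characters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run the legitimate login and two classic bypasses against both versions."""
    conn = make_db()
    tautology = "' OR '1'='1"        # turns the WHERE clause into ... OR true
    comment = "alice'--"             # '--' comments out the password check
    return {
        "legit_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "tautology_vuln": login_vulnerable(conn, "x", tautology),
        "comment_vuln": login_vulnerable(conn, comment, "wrong"),
        "tautology_param": login_parameterized(conn, "x", tautology),
        "comment_param": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With the concatenated query the tautology logs in as the first row in the table (the admin), and the comment payload logs in as alice without a password; the parameterized version returns no row for either.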
A2 –Cross Site Scripting (XSS)
• XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Reflected (RXSS) initiated by user input, bounced (reflected) off server, executed in user browser. Stored (SXSS) – initiated by user input, stored on server, later executed in user browser (can be another user).
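Reflected and stored XSS side by side, as an added example that is not part of the presentation: a constructed search page that echoes its query, a constructed comment store, and the output encoding that fixes both. The scanner-style probe check at the end shows why reflected XSS is easy to automate (the echo is in the same response) while stored XSS surfaces on a different page, often for a different user.

```python
"""Reflected vs. stored XSS and HTML output encoding (added example).

The search page and comment store are constructed stand-ins for an app.
"""
import html

# Constructed server-side store: the sink for stored XSS.
COMMENTS = []

PROBE = "<script>alert(1)</script>"


def render_search_vulnerable(q):
    """Reflected XSS: untrusted input goes straight back into the HTML."""
    return "<p>Results for %s</p>" % q


def render_search_fixed(q):
    """Output encoding for an HTML text context. Note: html.escape is only
    correct for element text and quoted attributes; JavaScript, URL and CSS
    contexts need their own encoders."""
    return "<p>Results for %s</p>" % html.escape(q, quote=True)


def post_comment(text):
    """Stored XSS: input is accepted and persisted; nothing fires yet."""
    COMMENTS.append(text)


def render_comments_vulnerable():
    """Every later visitor of this page, not just the poster, runs the script."""
    return "<ul>" + "".join("<li>%s</li>" % c for c in COMMENTS) + "</ul>"


def render_comments_fixed():
    """Encode at output time, whatever was stored."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c) for c in COMMENTS) + "</ul>"


def is_reflected_unescaped(page, probe):
    """Scanner-style check: the probe appears verbatim, so its markup would be
    parsed by the browser. A scanner can apply this to the immediate response
    (reflected) but has to know where stored input is rendered later."""
    return probe in page


if __name__ == "__main__":
    print(render_search_vulnerable(PROBE))
    print(render_search_fixed(PROBE))
    post_comment(PROBE)
    print(render_comments_vulnerable())
    print(render_comments_fixed())
```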
A3 –Broken Authentication and Session
Management
• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users' identities. A very common flaw is issuing the session cookie before login and keeping the same identifier after authentication, which enables session fixation.
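Session fixation, as an added example that is not from the presentation: a constructed server-side session store that issues an anonymous session before login, then authenticates either the session the client already holds (vulnerable) or a freshly generated one (fixed). The attack function plays both the attacker and the victim so it runs offline.

```python
"""Session fixation: regenerate the session id at login (added example).

SessionStore is a constructed stand-in for a framework's session handling.
"""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}          # session id -> attributes

    def ensure(self, cookie_sid):
        """Return a valid session id for this request. Unknown ids are NOT
        adopted (that would let an attacker pick the victim's id outright);
        a new anonymous session is created instead."""
        if cookie_sid not in self.sessions:
            cookie_sid = secrets.token_urlsafe(32)
            self.sessions[cookie_sid] = {}
        return cookie_sid

    def login_fixation(self, sid, user):
        """Vulnerable: authenticates whatever session the browser presented.
        The id was issued before login and may have come from the attacker."""
        self.sessions[sid]["user"] = user
        return sid

    def login_safe(self, sid, user):
        """Fixed: on privilege change, discard the old session and issue a
        new id that only the victim's browser will receive."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store, login):
    """Attacker obtains a session id from the site, plants it in the victim's
    browser (e.g. via a crafted link), waits for the victim to log in, then
    reuses the planted id. Returns who the attacker's id now maps to."""
    attacker_sid = store.ensure(None)             # attacker's anonymous session
    victim_sid = store.ensure(attacker_sid)       # victim presents planted cookie
    login(victim_sid, "victim")                   # victim authenticates
    return store.whoami(attacker_sid)


if __name__ == "__main__":
    s = SessionStore()
    print("fixation:", fixation_attack(s, s.login_fixation))   # victim
    s = SessionStore()
    print("safe    :", fixation_attack(s, s.login_safe))       # None
```

During a test, the check is simple: note the session cookie value before login and compare it with the value after; if they are identical, the application is a fixation candidate.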
A4 –Insecure Direct Object References
• A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
https://www.bank.com/transfer?accountNum=1234
A5 –Cross Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
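CSRF and a synchronizer token, as an added example that is not the presentation's code: a constructed transfer handler that trusts the session cookie alone, beside one that also requires a token bound to the session with a server-side key and refuses state changes over GET. The session table and the attacker's forged request are constructed for the demo.

```python
"""CSRF: cookie-only authentication vs. session-bound token (added example).

SERVER_KEY, SESSIONS and the request dicts are constructed for the demo.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret (generated here)
SESSIONS = {"sid-victim": "victim"}           # constructed: the victim is logged in


def csrf_token(session_id):
    """Token derived from the session id with a server-side key. The bank's
    own pages embed it in forms; a page on another origin can neither read
    the victim's cookie nor compute the token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req):
    """Accepts any request carrying a valid session cookie. Browsers attach
    the cookie to cross-site requests too, so an auto-submitted form on the
    attacker's page (or an <img> tag for a GET) is enough."""
    if req["cookie_session"] not in SESSIONS:
        return 401, "login required"
    return 200, "transferred %s to %s" % (req["form"]["amount"], req["form"]["to"])


def transfer_protected(req):
    sid = req["cookie_session"]
    if sid not in SESSIONS:
        return 401, "login required"
    if req["method"] != "POST":                 # never change state on GET
        return 405, "method not allowed"
    token = req["form"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(sid)):   # constant-time compare
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (req["form"]["amount"], req["form"]["to"])


def forged_request(form, method="POST"):
    """What the victim's browser sends when evil.example submits a form to the
    bank: the session cookie rides along, the token does not."""
    return {"method": method, "cookie_session": "sid-victim", "form": dict(form)}


def legit_request(form):
    """The same request from the bank's own page, which rendered the token."""
    f = dict(form, csrf=csrf_token("sid-victim"))
    return {"method": "POST", "cookie_session": "sid-victim", "form": f}


if __name__ == "__main__":
    form = {"to": "attacker", "amount": "1000"}
    print("vulnerable, forged :", transfer_vulnerable(forged_request(form)))
    print("protected, forged  :", transfer_protected(forged_request(form)))
    print("protected, legit   :", transfer_protected(legit_request(form)))
```

The manual check during a test is the mirror of this code: strip the token (or the Referer/Origin, if that is what the app relies on) from a state-changing request in the proxy and replay it; if it still succeeds, the function is forgeable.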
A6 –Security Misconfiguration
• Security depends on having a secure configuration defined for
the application, framework, web server, application server, and platform. All these settings should be defined,
implemented, and maintained as many are not shipped with secure defaults.
A7 -Failure to Restrict URL Access
• Many web applications check URL access rights before
rendering protected links and buttons. However, applications need to perform similar access control checks when these
pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. Forced browsing
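A4 (the `accountNum=1234` reference above) and A7 (forced browsing) are the same mistake at two levels: an identifier or URL is trusted because the UI never offered it. This added example, not the presentation's code, shows a constructed account lookup and a constructed admin page, each without and with the access check performed at request time. Account numbers, users and roles are made up.

```python
"""Insecure direct object reference and forced browsing (added example).

ACCOUNTS, ROLES and PROTECTED are constructed stand-ins for the app's data.
"""

ACCOUNTS = {1234: "alice", 5678: "bob"}                    # accountNum -> owner
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
PROTECTED = {"/admin/users": "admin"}                      # path -> role required


def view_account_vulnerable(user, account_num):
    """A4: the key from ?accountNum= is used as-is. Any logged-in user can
    read any account just by changing the number in the URL."""
    if account_num not in ACCOUNTS:
        return 404, "not found"
    return 200, "statement for account %d" % account_num


def view_account_fixed(user, account_num):
    """Check that the referenced object belongs to the requester. Unknown and
    not-owned both return 404 so the response does not confirm valid numbers."""
    if ACCOUNTS.get(account_num) != user:
        return 404, "not found"
    return 200, "statement for account %d" % account_num


def nav_links(user):
    """The menu only shows links the user is entitled to..."""
    return [path for path, role in PROTECTED.items() if ROLES.get(user) == role]


def admin_page_vulnerable(user, path):
    """A7: ...but the handler assumes 'not linked' means 'not reachable'.
    Typing the URL (or finding it in a spider of an admin session) is enough."""
    if path not in PROTECTED:
        return 404, "not found"
    return 200, "user list"


def admin_page_fixed(user, path):
    """Enforce the same check when the page is requested, not only when the
    link is rendered."""
    required = PROTECTED.get(path)
    if required is None:
        return 404, "not found"
    if ROLES.get(user) != required:
        return 403, "forbidden"
    return 200, "user list"


if __name__ == "__main__":
    print(view_account_vulnerable("bob", 1234))   # bob reads alice's statement
    print(view_account_fixed("bob", 1234))
    print(nav_links("alice"), admin_page_vulnerable("alice", "/admin/users"))
    print(admin_page_fixed("alice", "/admin/users"))
```

In a test this is the "authorization boundaries" step of the methodology: capture requests in one role or account with the proxy and replay them under another session, comparing responses.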
A8 –Unvalidated Redirects and Forwards
• Web applications frequently redirect and forward users to
other pages and websites, and use untrusted data to
determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
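Validating a redirect target, as an added example that is not from the presentation: a constructed `?next=` parameter is accepted only if it is a local path or an absolute URL whose host is on an allow list. The tricky inputs in the demo (scheme-relative `//host`, `///host`, userinfo tricks, backslashes, CRLF) are the ones a tester tries first; `ALLOWED_HOSTS` is an assumption.

```python
"""Unvalidated redirect: allow-list the destination (added example).

ALLOWED_HOSTS is a constructed value for the demo.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.bank.example"}


def redirect_vulnerable(next_url):
    """Location header set straight from the parameter: an open redirect."""
    return next_url


def safe_redirect_target(next_url, default="/"):
    """Return `next_url` if it is a same-site path or an HTTPS URL on an
    allowed host, otherwise `default`."""
    if not next_url:
        return default
    url = next_url.strip()
    # Browsers treat "\" like "/" in URLs, and CR/LF would split the header.
    if "\\" in url or "\r" in url or "\n" in url:
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # hostname (not netloc) strips "user@" and ":port" tricks.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in ALLOWED_HOSTS:
            return default
        return url
    # Local path: exactly one leading slash. "//host" is scheme-relative and
    # browsers collapse "///host" to the same thing.
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url


if __name__ == "__main__":
    for candidate in ["/account/summary", "https://www.bank.example/x",
                      "https://evil.example/", "//evil.example/", "///evil.example/",
                      "https://www.bank.example@evil.example/",
                      "https://www.bank.example.evil.example/",
                      "javascript:alert(1)", "/\\evil.example"]:
        print("%-45s -> %s" % (candidate, safe_redirect_target(candidate)))
```

Forwards (server-side dispatch to another page) need the same treatment, with the added point that the target page's own access control must still run.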
A9 –Insecure Cryptographic Storage
• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud, or other crimes.
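Credential storage, as an added example that is not the presentation's code: an unsalted fast hash beside a salted, iterated one, with a tiny constructed wordlist showing why the former falls to a dictionary lookup. The iteration count is a demo value to be tuned to your hardware, not a standard. (Card numbers are a different problem: they must be decryptable, so they need encryption with managed keys rather than hashing.)

```python
"""Password storage: unsalted MD5 vs. salted, iterated PBKDF2 (added example).

ITERATIONS and the wordlist are constructed for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000      # demo value; raise until verification costs ~100 ms on your servers


def store_md5(password):
    """Weak: unsalted and fast. Equal passwords give equal digests, and a
    precomputed table or a GPU recovers common passwords immediately."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """A dictionary attack works on the whole user table at once because
    there is no per-user salt: hash each word once, compare everywhere."""
    for word in wordlist:
        if store_md5(word) == digest:
            return word
    return None


def store_pbkdf2(password, salt=None):
    """Random per-user salt plus a slow, iterated derivation. Stored as a
    self-describing string so the parameters can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_pbkdf2(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    wordlist = ["password", "hunter2", "letmein"]        # constructed
    print("md5 cracked:", crack_md5(store_md5("hunter2"), wordlist))
    rec = store_pbkdf2("hunter2")
    print(rec)
    print("verify ok:", verify_pbkdf2("hunter2", rec), "wrong:", verify_pbkdf2("x", rec))
```

During a test, evidence of the weak form usually appears indirectly: identical hashes for two accounts with the same password, 32-hex-character values in a leaked table, or a "forgot password" flow that mails the original password back (which means it was stored reversibly).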
A10 -Insufficient Transport Layer Protection
• Applications frequently fail to encrypt network traffic when it
is necessary to protect sensitive communications. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
Review
• Analyzing the Accuracy and Time Costs of Web Application Security Scanners
http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
– Does not weight vuln risk.
Scanners
• Acunetix
• AppScan by IBM
• Burp Suite Pro
• Hailstorm by Cenzic
• WebInspect by HP
• NTOSpider by NT OBJECTives
Burp Suite
• My opinion: this is the current best option
• Free and Pro Versions
– Pro has scanner, state save – 2 key features. Very affordable.
• www.portswigger.net
Paros
• Free
• Kind of dated at this point
• Missing key features, limited on those it does support
Webscarab
• Free
• More features than Paros, less than Burp
Demo of Automated Scanning Tool
• IBM's AppScan v7.9 (formerly Watchfire)
• http://download.boulder.ibm.com/ibmdl/pub/software/dw/demos/rIntroToAppScan/rIntroToAppScan.pdf
• High level overview of features
• Partial review of scan - Demo.testfire.net
Demo of Web Proxy Testing
• Burp Suite Professional v1.3 - High level overview of features
• Demo of testing and Burp features