GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Transcription

1 Report on IRONWASP

2 Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners. GUI based and very easy to use, no security expertise required. Powerful and effective scanning engine. Supports recording Login sequence. Reporting in both HTML and RTF formats - Click here to view the sample report. Checks for over 25 different kinds of well-known web vulnerabilities. False Positives detection support. False Negatives detection support. Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET CYBER SECURITY & PRIVACY FOUNDATION 2

3 Plugins IronWASP has a plugin system that supports Python and Ruby. The version of Python and Ruby used in IronWASP is IronPython and IronRuby which is syntactically similar to CPython and CRuby. However some of the standard libraries might not be available, instead plugin authors can make use of the powerful IronWASP API. Lab Setup: Operating System : Windows XP Web Server: Xampp 1.7.3( PHP 5.3.1, Apache/2.2.14, MySQL ) Web Application: BTS Lab Web Goat DVWA bwapp IronWASP Version: CYBER SECURITY & PRIVACY FOUNDATION 3

4 Test Criteria: We have set up the test in various levels. Cross Site Scripting: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross Site Flashing: Cross Site Flashing vulnerability occurs when a flash file (swf) process the input, without sanitizing/validating the input given by a user. Cross Site Request Forgery: CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via /chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. CYBER SECURITY & PRIVACY FOUNDATION 4

5 Clickjacking: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. Server Side Request Forgery: An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. File Inclusion: The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. Insecure Direct Object Reference: Insecure Direct Object References occur when an application provides direct access to objects based on usersupplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. CYBER SECURITY & PRIVACY FOUNDATION 5

6 Unrestricted File Upload Vulnerability: When a web application allows user to upload files without any checks on its content or file type, it can be leveraged by an attacker to do malicious actions. Open URL redirection: Invalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. Broken Authentication and Session Management: Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Security Misconfiguration: Security misconfiguration vulnerabilities could occur if a component is susceptible to attack due to an insecure configuration option. These vulnerabilities often occur due to insecure default configuration, poorly documented default configuration, or poorly documented side-effects of optional configuration. This could range from failing to set a useful security header on a web server, to forgetting to disable default platform functionality that could grant administrative access to an attacker. Sensitive Data Exposure: Sensitive data exposure vulnerabilities can occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials. CYBER SECURITY & PRIVACY FOUNDATION 6

7 Missing Function Level Access Control: Function level access control vulnerabilities could result from insufficient protection of sensitive request handlers within an application. An application may simply hide access to sensitive actions, fail to enforce sufficient authorization for certain actions, or inadvertently expose an action through a user-controlled request parameter. Buffer Overflow: By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code, possibly taking over the machine. Header Injection: HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting (also known as CRLF Carriage Return Line Feed), Session fixation via the Set-Cookie header, crosssite scripting (XSS), and malicious redirect attacks via the location header. HTTP Parameter Pollution: Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values. Full Path Disclosure Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. example: /home/omg/htdocs/file/. CYBER SECURITY & PRIVACY FOUNDATION 7

8 Source Code Disclosure: When a web server has a vulnerability that leaks the source code of server-side scripts it is called source code disclosure. Bruteforce Login: The application does not prevent attackers from trying many username/password combinations in rapid succession in order to guess account credentials. Content Spoofing: The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content. Denial of Service The root cause of a Denial of service is when an attacker uses/exhausts/depletes all of the resources (such as bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources) on a system preventing legitimate users from using the system. To prevent depletion of resources the application must restrict the size or amount of resources that are requested or used. Fingerprinting: One or several components of the underlying software and framework leak version information. This could help an attacker to identify which components are vulnerable. This issue is mitigated by removing all version information. Information Leakage: The application discloses sensitive/classified data or useful data about the application that can be used for targeted attacks, even though the developer did not intend for the data to be disclosed. CYBER SECURITY & PRIVACY FOUNDATION 8

9 SSI Injection: The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server and possibly gain access to files or other exploits similar to cross site scripting. XML Injection: XML documents are generated by including dynamic data without proper encoding. XPATH/XQuery Injection: The application unsafely incorporates user data into an XQuery or XPath pattern which can change the logic of the query. SQL Injection: A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. CYBER SECURITY & PRIVACY FOUNDATION 9

10 LDAP Injection: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. Command Injection: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. Code Injection: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. Insufficient Session Expiration: The application either does not implement an inactivity timeout or an absolute timeout, or the timeouts are too long to provide sufficient risk mitigation. The application does not provide a logout feature, or the feature does not actively terminate the user's session. CYBER SECURITY & PRIVACY FOUNDATION 10

11 HTTP Verb Tampering: The HTTP specification includes request methods other than the standard GET and POST requests. A standards compliant web server may respond to these alternative methods in ways not anticipated by developers. Although the common description is 'verb' tampering, the HTTP 1.1 standard refers to these request types as different HTTP 'methods.' Expression Language Injection: Expression Language (EL) Injection happens when attacker controlled data enters an EL interpreter. With EL implementations prior to 2.2, attacker can recover sensitive server side information available through implicit objects. This includes model objects, beans, session scope, application scope, etc. The EL 2.2 spec allows method invocation, which permits an attacker to execute arbitrary code within context of the application. This can manipulate application functionality, expose sensitive data, and branch out into system code access-- posing a risk of server compromise. ORM Injection: ORM Injection is an attack using SQL Injection against an ORM generated data access object model. From the point of view of a tester, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in code generated by the ORM tool. IMAP/SMTP Injection: This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized. CYBER SECURITY & PRIVACY FOUNDATION 11

12 Using Components with Known Vulnerabilities: Vulnerabilities in third-party libraries and software are extremely common and could be used to compromise the security of systems using the software. CYBER SECURITY & PRIVACY FOUNDATION 12

13 Test Details Passive Plugins Test 1: Session fixation. Result: IronWASP successfully detected the Session fixation vulnerability in the target Web application. We ran the test against the target web application that doesn't assign a new session ID when authenticating a user. IronWASP successfully detected the Session Fixation vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 13

14 Test 2: X-Header Analysis. Result: IronWASP identified the PHP version running on the target server by analysing the X-header. In this test, we ran a web server that includes the PHP version details in the X-Header part of the server response. CYBER SECURITY & PRIVACY FOUNDATION 14

15 Test 3: Clickjacking Result: IronWASP only gives an alert if there is any Clickjacking Protection enabled. It would be better if IronWASP is able to give an alert if there is no X-Frame-Options. In this test, we ran the scan against the web application that has Clickjacking protection. IronWASP successfully detected that Clickjacking Protection is in use based on the X-Frame-Options header. However, IronWASP fails to report, if there is no protection implemented. CYBER SECURITY & PRIVACY FOUNDATION 15

16 Test 4: Web Server Version Identification: Result: IronWASP successfully gathered information about the target web server. IronWasp analyzed the HTTP response and found the target server is running Apache CYBER SECURITY & PRIVACY FOUNDATION 16

17 Test 5: Missing HTTP-Only Flag. Result: IronWASP successfully detected that the 'HTTP-only' flag is missing in the cookie. In this test, we ran the IronWASP scan against a web application that doesn't set HTTP-only flag in the PHP session ID cookies. IronWASP was able to detect this bug. CYBER SECURITY & PRIVACY FOUNDATION 17

18 Test 6: Open URL Redirection. Result: IronWASP reports possible Open URL Redirection. In this test, we had a web page that redirects the user to another page or website based on the given input. IronWASP was able to detect that the page is vulnerable to Open URL Redirection. CYBER SECURITY & PRIVACY FOUNDATION 18

19 Active Plugins Test 1: Reflected Cross Site Scripting. (HTTP-Get) Result: IronWASP successfully detected HTTP-GET Based, reflected XSS vulnerabilities in the target Web Application. In this test, we ran the IronWASP scan against a URL which is vulnerable to HTTP-Get based reflected XSS. And we found that IronWASP was able to detect the reflected XSS vulnerabilities. CYBER SECURITY & PRIVACY FOUNDATION 19

20 Test 2: Reflected Cross Site Scripting. (HTTP-Post) Result: IronWASP successfully detected HTTP-Post based, reflected XSS vulnerabilities in the target Web Application. In this test, we ran the IronWASP scan against a URL which is vulnerable to HTTP-Post based reflected XSS. And we found that IronWASP was able to detect the reflected XSS vulnerabilities. CYBER SECURITY & PRIVACY FOUNDATION 20

21 Test 3: Stored Cross Site Scripting. Result: IronWASP successfully detected stored XSS vulnerabilities in the target Web Application. In this test, we ran the IronWASP scan against a URL which is vulnerable to stored XSS. And we found that IronWASP was able to detect the stored XSS vulnerabilities. CYBER SECURITY & PRIVACY FOUNDATION 21

22 Test 4: Cross Site Flashing. Result: IronWASP was not able to detect Cross Site Scripting vulnerability in a vulnerable flash file. In this test, we ran the IronWASP scan against a URL containing a vulnerable flash file (.swf). And we found that IronWASP was unsuccessful in detecting the Cross Site Flashing vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 22

23 Test 5: SQL Injection. Result: IronWASP was able to successfully detect that the target Web application is vulnerable to SQL Injection vulnerability. In this test, we ran the IronWASP scan against a URL which is vulnerable to SQL Injection vulnerability. And we found that IronWASP was able to detect the SQL Injection vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 23

24 Test 6: Blind SQL Injection. Result: IronWASP was successful in detecting Blind SQL Injection. In this test, we ran the IronWASP scan against a URL which is vulnerable to Blind SQL Injection vulnerability. And we found that IronWASP was able to detect the Blind SQL Injection vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 24

25 Test 7: SQL Injection in 302 Found page. Result: IronWASP was able to detect SQL Injection vulnerability, even when the page is redirected to another page. In this test, we had a web page that gives the details of a logged-in user. If an unauthenticated user tries to access the page, he/she will be redirected to a login page with 302 error code. However, because of insecure coding, the page process the SQL query, before forwarding the unauthenticated user to login page. So, the 302 error response will contain the result of processed SQL Query. IronWASP was able to detect this bug. CYBER SECURITY & PRIVACY FOUNDATION 25

26 Test 8: Local File Inclusion. Result: IronWASP successfully detected the Local File Inclusion vulnerability. In this test, we ran the IronWASP scan against a URL which is vulnerable to Local File Inclusion vulnerability. And we found that IronWASP was able to detect the LFI vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 26

27 Test 9: Remote File Inclusion. Result: IronWASP successfully detected the Remote File Inclusion vulnerability. In this test, we ran the IronWASP scan against a URL which is vulnerable to Remote File Inclusion vulnerability. And we found that IronWASP was able to detect the Remote File Inclusion vulnerability. CYBER SECURITY & PRIVACY FOUNDATION 27

28 Test 10: Directory Listing. Result: IronWASP was able to detect Directory listing vulnerabilities. The target web application had directory listing vulnerabilities. IronWASP successfully detected the bug. CYBER SECURITY & PRIVACY FOUNDATION 28

29 Test 11: Command Injection. Result: IronWASP was able to detect a command injection vulnerability in the target web page. The target web application had a web page which is vulnerable to command injection vulnerability, which enables attacker to run command in the target server. We ran the IronWASP scan against this page and found that IronWASP was able to detect it. CYBER SECURITY & PRIVACY FOUNDATION 29

30 Test 12: Code Injection. Result: IronWASP was able to detect a code injection vulnerability in the target web page. The target web application had a web page which is vulnerable to code injection vulnerability, which enables attacker to run PHP code in the target server. We ran the IronWASP scan against this page and found that IronWASP was able to detect it. CYBER SECURITY & PRIVACY FOUNDATION 30

31 Test 13: XPath Injection. Result: IronWASP was able to detect Xpath injection vulnerability. IronWASP was in successful in detecting Xpath injection vulnerability based on the default exception message. However, it was not able to detect the bug if there is custom exception message. CYBER SECURITY & PRIVACY FOUNDATION 31

32 Test 14: Server Side Request Forgery. Result: IronWASP was unsuccessful in detecting the SSRF vulnerability. The web application had a webpage which is vulnerable to Server Side Request Forgery. IronWASP was unsuccessful in detecting this bug. After sending localhost:65555 as a payload, IronWASP scan freezes. CYBER SECURITY & PRIVACY FOUNDATION 32

33 Test 15: Test for Header Injection. Result: IronWASP successfully detected the Header Injection Vulnerability. In this test, we ran the IronWASP scan against a URL which was vulnerable to Header Injection. And we found that IronWASP was able to detect the Header Injection. CYBER SECURITY & PRIVACY FOUNDATION 33

34 Test 16: Test for SSI Injection. Result: IronWASP was not able to discover SSI Injection. In this test, we ran the IronWASP scan against a URL which is vulnerable to SSI Injection. And we found that IronWASP was not able to detect the SSI Injection. CYBER SECURITY & PRIVACY FOUNDATION 34

35 Test 17: DOM Based XSS Result: IronWASP was unsuccessful to find DOM based XSS while testing with the automated scanner. But it was successful in finding the DOM Based XSS with manual browser crawler. Plugin Used: DOM XSS Analyzer. CYBER SECURITY & PRIVACY FOUNDATION 35

36 When we tested the DOM XSS Analyzer, we discovered that if we try to analyze the proxy logs of an automated scan, it does not give any results. But if we use a browser based crawler, it is able to detect a potential DOM Based XSS. CYBER SECURITY & PRIVACY FOUNDATION 36

37 Tools: Login Sequence Recording Tools: The Login Sequence Recorder was able to record the information needed to login as a user and saves that information so that it can later be called for in other scans/scripts. CYBER SECURITY & PRIVACY FOUNDATION 37

38 Interactive Testing Tools: Test 1: Test for Broken Authentication: Result: Passed. IronWASP was successfully able to find the percentage of differences in the responses for both valid session and invalid session. CYBER SECURITY & PRIVACY FOUNDATION 38

39 Test 2: Test for Privilege Escalation: Result: IronWASP was successful in identifying potential Privilege Escalation Points. There are 2 accounts, 1. Administrator account (Full Access) 2. User Account (Limited Access) Firstly, we used the browser based crawler to crawl the website as admin. Secondly, we ran a check using a prerecorded login sequence for user and tried requesting elements that were displayed to the admin. IronWASP then was able to find the percentage of difference between a request made by the user and a request made by the admin. If the difference percentage is low, it means the page served to the user and admin are similar or else if it is high, it means the pages are different. CYBER SECURITY & PRIVACY FOUNDATION 39

40 Modules: Cross Site Request Forgery (CSRF): IronWASP has modules for CSRF POC Generation and detecting insecure CSRF Token Implementation. But it does not have any feature for finding CSRF Vulnerabilities. CSRF POC Generator. CYBER SECURITY & PRIVACY FOUNDATION 40

41 OWASP Skanda. Result: Passed. This tool allows us to exploit a known SSRF Vulnerability in a Web Application, to do a port scan of a server. CYBER SECURITY & PRIVACY FOUNDATION 41

42 Vulnerability discovery features not found in IronWASP: Insecure Direct Object Reference. Unrestricted File Upload Vulnerability. Buffer Overflow. HTTP Parameter Pollution. Full Path Disclosure. Source Code Disclosure. Bruteforce Login. Content Spoofing. Denial of Service. XML Injection. HTTP Verb Tampering. ORM Injection. IMAP/SMTP Injection. Features not yet tested: LDAP Injection. Expression Language Injection. CYBER SECURITY & PRIVACY FOUNDATION 42

43 Conclusion: We observed that IronWASP is able to detect most of the vulnerabilities that it claims it can find, and we also noticed that it has the least number of "false positives" for a tool of this kind. We believe that it has raised the standards of what a "Web Vulnerability Scanner" should comprise of. We hope that IronWASP includes the features that we marked as "feature not present" in the future releases. We also recommend that the developers work both UI and Ease of use if they want it to gain wide spread usage. The overall rating that we give IronWASP is 8/10 CYBER SECURITY & PRIVACY FOUNDATION 43