This text started out as PowerPoint slides to facilitate lecture-led training, but is now being transformed into a textbook for both classroom-style and self-study learning.
This work is Copyright © 2005, 2006, 2007 Michael Boman. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
Web Vulnerability Assessment Methodologies
Before we start we should clarify what we mean by threats and vulnerabilities. No area can exist as a profession unless it has clearly defined its basic concepts.
A threat is a party with the intent and capability to exploit a vulnerability in an asset. This could be a malicious hacker or a disgruntled employee.
A vulnerability is a weakness in an asset that can be exploited. For example, the security hole in the Microsoft WMF (Windows Meta File) format is a vulnerability.
Risk is the probability of harmful consequences resulting from interactions between threats and vulnerable assets. Conventionally risk is expressed by the relation
Risk = Severity x Likelihood
When you do a security assessment of a website you should start by profiling the server. Knowing what the server is running lets you target your attacks better. It also covers any low-hanging fruit a malicious attacker might exploit.
For any web application assessment you need a few tools: a web browser to interact with the application in question, a man-in-the-middle intercepting HTTP/HTTPS proxy, various enumeration and fuzzer software and, optionally but very likely, some software to help you encode and decode the various encodings you will meet.
Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior. Fuzz testing was developed at the University of Wisconsin-Madison in 1989 by Professor Barton Miller and the students in his graduate Advanced Operating Systems class.
If your browser is not supported you might miss functionality in the application due to incompatible browser optimizations or functionality. You don't want to end up in a situation where a particular usability bug manifests itself using an "unsupported" browser and you have to re-validate the bug using a "supported" browser. Having said that, there have been occasions where an unsupported browser has uncovered bugs in the targeted application.
One can argue that the most important and useful tool to have in your web application kit is the intercepting man-in-the-middle proxy. This piece of software allows you to inspect and modify any data sent to or received from the web application. This allows you, for example, to send requests that would not have passed any browser-based verification.
We will mainly use Paros Proxy as the man-in-the-middle proxy.
Hidden fields modification
One could expect that today's developers
Server | Default Accounts | View Users | Useful Variables
MSSQL | sa / <blank> | EXEC master..sp_who2; EXEC master..xp_loginconfig; SELECT * FROM sysusers; SELECT * FROM syslogins; | EXEC xp_msver; @@servername; @@version
MySQL | root / <blank> | SELECT host,user,password FROM user; | SHOW VARIABLES; @@version
Oracle | internal / oracle; oracle / oracle; Scott / tiger; sys / Change_on_install; system / manager; others* | SELECT A.USERNAME, A.PASSWORD FROM SYS.DBA_USERS A; | SHOW PARAMETERS
PostgreSQL | postgres / <locked> (must be defined) | SELECT * FROM pg_shadow; SELECT * FROM pg_group; | -
URL Encoding (Escaped Characters)
Raw String | URL Encoded Version | Effect
' | %27 | Initial test. If this generates an error, then the application is vulnerable to SQL injection.
% and %% | %25 and %25%25 | Represents a wild card. Can be used to retrieve multiple rows as opposed to a single value.
';-- and ;-- | %27%3b%2d%2d and %3b%2d%2d | SQL comment. Use this to truncate a statement so that further SQL syntax within the statement is ignored.
The easiest method to identify a potentially vulnerable application that uses an MSSQL back-end is to insert a single quote (') into URL parameters (or any/all input boxes). Examine the output, HTML source, or even the URL parameters for a tell-tale sign.
Oracle supports comments delimited by the double-dash as well as C-style syntax:
SELECT * FROM table /* this comment is ignored */ WHERE foo = 'bar';
For database enumeration:
SQL> show user;
USER is "SYS"
Comments in MySQL:
- Double-dash (--) requires a space (%20) immediately after it
- Hash (#)
- C-style comments (/* comment */)
Read from the file system:
mysql> CREATE TABLE foo (bar TEXT);
mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE foo;
mysql> SELECT * FROM foo;
Write to the file system:
SELECT * FROM employees INTO OUTFILE '/tmp/foo';
https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+employees+INTO+OUTFILE+%27%2ftmp%2f..%08%27;
But file read/write access is still available (in PostgreSQL) using the COPY statement.
Numeric SQL Injection
Blind SQL Injection
String SQL Injection
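The single-quote probe above works because the input reaches the SQL parser as part of the statement text. The following is an added example, not from the original slides, that shows the numeric and string injection cases against a constructed in-memory SQLite database (an assumed stand-in for the MSSQL back-end discussed above; SQLite's error messages and comment rules differ slightly from MSSQL's): each vulnerable lookup next to its parameterized form, with the probe's "error or not" outcome as the oracle.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's back-end."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    con.executemany(
        "INSERT INTO employees (name, salary) VALUES (?, ?)",
        [("alice", 70000), ("bob", 65000), ("carol", 80000)],
    )
    return con


# --- vulnerable: user input is concatenated into the SQL text ---

def lookup_by_name_unsafe(con, name):
    # String injection: the value lands inside single quotes, so a quote in the
    # input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, name FROM employees WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_by_id_unsafe(con, emp_id):
    # Numeric injection: there are no quotes at all, so a quote is not even
    # needed to alter the statement.
    sql = f"SELECT id, name FROM employees WHERE id = {emp_id}"
    return con.execute(sql).fetchall()


# --- hardened: placeholders keep data out of the SQL grammar ---

def lookup_by_name_safe(con, name):
    return con.execute("SELECT id, name FROM employees WHERE name = ?", (name,)).fetchall()


def lookup_by_id_safe(con, emp_id):
    # Numeric parameters are type-checked before they reach the driver.
    return con.execute("SELECT id, name FROM employees WHERE id = ?", (int(emp_id),)).fetchall()


def probe(fn, con, value):
    """Run a lookup and return ('ok', rows) or ('error', exception name).

    This is the oracle the single-quote test relies on: an error means the
    input reached the SQL parser unescaped.
    """
    try:
        return ("ok", fn(con, value))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    con = make_db()
    for fn in (lookup_by_name_unsafe, lookup_by_name_safe):
        print(fn.__name__, probe(fn, con, "'"), probe(fn, con, "x' OR '1'='1"))
    for fn in (lookup_by_id_unsafe, lookup_by_id_safe):
        print(fn.__name__, probe(fn, con, "1 OR 1=1"))
```

The unsafe string lookup errors on the lone quote and returns every row for the tautology, while the parameterized version treats both inputs as literal names and returns nothing; the numeric case shows why quoting alone is not the fix, since `1 OR 1=1` contains no quote at all.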
Testing for Cross Site Scripting
Filtering for '<' and '>' on input is not enough; it can easily be bypassed with encoding.
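As an added example (not from the original slides), the following shows the filter-bypass-by-encoding problem with a harmless `<b>` tag: a naive input filter that strips angle brackets from the raw request parameter before the framework URL-decodes it, beside the fix of decoding first and then escaping for the HTML context the value is written into. The rendering functions and the `%3C`-style input are constructed for the demonstration.

```python
import html
from urllib.parse import unquote


def strip_angle_brackets(value: str) -> str:
    """The input filter from the text: remove '<' and '>' and nothing else."""
    return value.replace("<", "").replace(">", "")


def render_unsafe(raw_param: str) -> str:
    # The filter runs on the raw request parameter; the framework URL-decodes it
    # afterwards, so %3C and %3E pass the filter and become '<' and '>' in the page.
    filtered = strip_angle_brackets(raw_param)
    return f"<p>Hello {unquote(filtered)}</p>"


def render_safe(raw_param: str) -> str:
    # Decode first, then escape for the HTML context at the point of output.
    # quote=True also covers attribute contexts by escaping ' and ".
    decoded = unquote(raw_param)
    return f"<p>Hello {html.escape(decoded, quote=True)}</p>"


def contains_markup(rendered: str, tag: str = "b") -> bool:
    """True if the user-supplied tag reached the page as live markup."""
    return f"<{tag}>" in rendered


if __name__ == "__main__":
    for raw in ("<b>bold</b>", "%3Cb%3Ebold%3C%2Fb%3E"):
        print(raw, "->", render_unsafe(raw), "|", render_safe(raw))
```

The plain `<b>` input is caught by the filter, but its URL-encoded form survives it and is decoded into markup later; output escaping neutralises both because it runs on the value as it is actually written into the document.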
Other script languages
There is a big difference between encoded and encrypted data. Encoded data, using for example Base64, is always reversible and only provides obfuscation; it gives neither confidentiality nor protection against tampering.
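The following added example (not from the original slides) makes the encoded-versus-protected distinction concrete with a constructed session token: a Base64-encoded JSON payload that anyone can decode and alter, beside the same payload with an HMAC tag appended so that alteration is detected. The key is a constructed placeholder; a real deployment loads it from a secret store.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; never embed a real key in source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def encode_token(data: dict) -> str:
    """Base64 is an encoding: anyone can reverse it, so it hides nothing."""
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_token(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token.encode()))


def sign_token(data: dict, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so any change to the encoded payload is detectable."""
    payload = encode_token(data)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the payload if the tag matches, or None if it was altered or forged."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decode_token(payload)


def alter_payload(token: str, **changes) -> str:
    """What anyone without the key can do: decode, edit, re-encode, keep the old tag."""
    payload, _, tag = token.rpartition(".")
    data = decode_token(payload)
    data.update(changes)
    return f"{encode_token(data)}.{tag}"


if __name__ == "__main__":
    token = sign_token({"user": "alice", "role": "member"})
    print("readable by anyone:", decode_token(token.rpartition(".")[0]))
    print("verified:", verify_token(token))
    print("after alteration:", verify_token(alter_payload(token, role="admin")))
```

Note that the HMAC still does not give confidentiality: the payload remains readable by anyone who holds the token, so secrets must not be placed in it even when it is signed.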
Nowadays it is becoming more and more common that at least part of a site's functionality is available as a web service. To perform a complete vulnerability assessment of the target web application you will need to cover any and all web services as well.
What is a web service? Although there is no universal definition of a web service, I think the Apple Developer Connection has defined it pretty well:
"The term web services refers to architecture, standards, technology and business models that provide an implementation-independent way for applications to communicate with each other."
Web services perform functions, which can be anything from simple requests to complicated business processes. They allow you to mash up your Flickr photos with Google Earth using geotagging.
WSDL scanning refers to an adversary enumerating interfaces, data types, binding information and address information using publicly available WSDL files.
Google can find public WSDL files over the Internet. Signatures: filetype:wsdl amazon; index of "/wsdl"; inurl:wsdl amazon
XML is verbose in the way it marks up data and information, and gigabyte-sized files are the norm in the multimedia world. Overly large documents can cause denial-of-service attacks; parsers based on DOM are especially susceptible.
XML allows nesting elements within documents. A malicious document 100K levels deep might stress out or DoS the parser.
Similar to web application replay attacks or the network ping-of-death attack: send repeated valid SOAP messages. This drains the web service's XML parser and results in denial of service.
XML can build documents dynamically by pointing to external data URIs. An external URI can contain malicious data.
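The three parser-level problems above (oversized documents, deep nesting, external data pulled in by URI) are addressed by the same defensive pattern: parse with a streaming parser under explicit limits and refuse external references. The following is an added example, not from the original slides, using Python's expat binding; the limits, the element depth check and the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class XmlRejected(ValueError):
    """Raised when a document breaks a resource limit or references external data."""


def parse_guarded(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 64) -> dict:
    """Parse with a streaming (non-DOM) parser under explicit limits.

    Returns the element count and the deepest nesting seen; raises XmlRejected
    if the document is too large, too deep, or references an external entity.
    """
    if len(data) > max_bytes:
        raise XmlRejected(f"{len(data)} bytes exceeds the {max_bytes} byte limit")

    parser = expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            # Abort as soon as the limit is crossed instead of consuming the rest.
            raise XmlRejected(f"nesting deeper than {max_depth} levels")

    def end_element(name):
        state["depth"] -= 1

    def external_entity(context, base, system_id, public_id):
        # Refuse to fetch anything referenced by URI: the document cannot pull in outside data.
        raise XmlRejected(f"external entity reference refused: {system_id!r}")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.ExternalEntityRefHandler = external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def rejects_document(data: bytes, **limits) -> bool:
    """True if parse_guarded refuses the document under the given limits."""
    try:
        parse_guarded(data, **limits)
        return False
    except XmlRejected:
        return True


# Constructed samples: a normal document, a 100K-level deep one, and one with an external reference.
NORMAL_DOC = b"<Books><Book><Pages>120</Pages></Book></Books>"
DEEP_DOC = b"<a>" * 100_000 + b"</a>" * 100_000
EXTERNAL_DOC = (
    b'<!DOCTYPE x [<!ENTITY ext SYSTEM "http://example.invalid/e.xml">]>'
    b"<x>&ext;</x>"
)

if __name__ == "__main__":
    print(parse_guarded(NORMAL_DOC))
    for name, doc in (("deep", DEEP_DOC), ("external", EXTERNAL_DOC)):
        print(name, "rejected:", rejects_document(doc))
```

Because the parser is event-driven, the deep document is rejected at the 65th nested element rather than after building a 100K-level tree, which is the difference the text draws between DOM-based and streaming parsers.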
SOAP by itself does not define a routing path; it is generally embedded in another application layer protocol (HTTP). WS-Routing extends SOAP with an addressing structure to define the complete message path. The extended SOAP message is self-contained, does not have to be bound to any application layer protocol and can be sent over TCP.
External References - Routing Detours
Attacks occur when interim web service stations are compromised, resulting in malicious routes. Vulnerabilities:
- Insert bogus routes
- Get access to sensitive information
- Deny service by routing to a non-existing destination
External References - Schema Poisoning
A schema provides formatting instructions for XML parsers interpreting XML documents. It often uses external data types by including references to external schemas / namespaces. Schema poisoning requires the schema to be compromised and replaced with a new one. This leads to easy DoS and other data manipulation attacks.
Malicious Content - Attachments
Binary attachments like executables and images can be transferred with valid XML. Valid attachments like Excel sheets can contain malicious macros, viruses or Trojan horses. An attachment can be attached or referenced.
Similar to SQL injection in web applications: inject SQL queries / commands as part of the SOAP message.
The XPath language helps find information in an XML document, and an injected predicate can widen a query in the same way:
/Books/Book[./Pages > 100 or 1=1]
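XPath has no equivalent of parameterized queries, so the defence is to validate each parameter for the position it fills before the expression is built. The following added example (not from the original slides) shows the vulnerable builder producing the tautology above, then a numeric validator and a string-literal quoting helper; the catalogue, the `/Books/Book` expressions and the title lookup are constructed for the demonstration. The title lookup runs through ElementTree's limited XPath support, which accepts `[tag='value']` predicates but not the `>` comparison, so the numeric query is only built, not evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed catalogue standing in for the web service's XML data store.
CATALOG = ET.fromstring(
    "<Books>"
    "<Book><Title>Short Notes</Title><Pages>80</Pages></Book>"
    "<Book><Title>O'Reilly Style</Title><Pages>150</Pages></Book>"
    "<Book><Title>The Big One</Title><Pages>400</Pages></Book>"
    "</Books>"
)


def unsafe_pages_query(min_pages: str) -> str:
    # Vulnerable: the parameter is pasted into the expression verbatim.
    return f"/Books/Book[./Pages > {min_pages}]"


def xpath_number(value: str) -> str:
    """Accept only an unsigned integer; anything else is rejected before it reaches XPath."""
    if not re.fullmatch(r"\d+", value.strip()):
        raise ValueError(f"not a number: {value!r}")
    return str(int(value))


def xpath_string(value: str) -> str:
    """Quote a string literal so that no quote inside the value can end the literal.

    XPath 1.0 has no escape character, so a value containing both quote kinds
    is split and rebuilt with concat(); the concat() form needs a full XPath
    engine and is not understood by ElementTree.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def safe_pages_query(min_pages: str) -> str:
    return f"/Books/Book[./Pages > {xpath_number(min_pages)}]"


def pages_of_title(title: str) -> list:
    """Look up books by exact title; the title is always one quoted literal."""
    expr = f"./Book[Title={xpath_string(title)}]"
    return [book.findtext("Pages") for book in CATALOG.findall(expr)]


def is_rejected(min_pages: str) -> bool:
    """True if the numeric validator refuses the value."""
    try:
        safe_pages_query(min_pages)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(unsafe_pages_query("100 or 1=1"))
    print(safe_pages_query("100"), "rejected:", is_rejected("100 or 1=1"))
    print(pages_of_title("O'Reilly Style"), pages_of_title("x'] | //Book[1='1"))
```

A value such as `x'] | //Book[1='1` is wrapped in double quotes by `xpath_string` and therefore matches no title instead of closing the predicate early, and the numeric path never lets `100 or 1=1` through.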
Web Service SQL Injection