Web Application Penetration Testing

Posted on 01-Aug-2020

Web Application Penetration Testing

https://ubcert.ir 2019/11/04

Outline


▰ Introduction

▰ About Web Penetration Testing

▰ OWASP

▻ ASVS

▻ OWASP Top 10

▰ About HTTP

▰ Common Vulnerability

▰ Information Gathering

▰ Penetration Testing Report & Contract

▰ Attack Scenario

Introduction

▰ Holding Workshops - UBCERT

▰ Why Web Penetration Testing


Deface

[Chart: IR Deface vs Total Deface – Summer 98 (1% vs 99%)]

Methodology

▰ Ethical Hacking

▰ Penetration Testing

▰ Vulnerability Assessment

▰ Security Audit

▰ Standard


Type of Penetration Testing

▰ Gray Box Testing

▰ White Box Testing

▰ Black Box Testing

Penetration Testing Limits


▰ Confidentiality of Data

▰ Timing Limitation

▰ Tools Restrictions

▰ Avoid DOS Attack

Priority of Vulnerability


▰ P1: Critical

▰ P2: High

▰ P3: Medium

▰ P4: Low

▰ P5: Information

Vulnerability List

CWE (Common Weakness Enumeration)

https://cwe.mitre.org/index.html

OWASP

▰ OWASP Tools Project:

▻ ZAP: Zed Attack Proxy

▻ BWA: Broken Web Applications

▻ DirBuster

▻ SQLiX

▻ WebScarab

▰ OWASP Code Project:

▻ ModSecurity: Core Rule Set

▻ OWASP CSRFGuard

▰ OWASP Documentation Project:

▻ ASVS: Application Security Verification Standard

▻ OWASP Top 10

▻ OWASP Testing Guide

OWASP ASVS Certificate


▰ OWASP ASVS:

▻ Web Application

▻ Server Configuration

▻ Mobile Client

▻ Web Service

▻ Communication

OWASP ASVS - File Upload

V12.1 File Upload Requirements

Although zip bombs are eminently testable using penetration testing techniques, they are considered L2 and above to encourage design and development consideration with careful manual testing, and to avoid automated or unskilled manual penetration testing of a denial of service condition.

12.1.1 (L1, L2, L3; CWE-400): Verify that the application will not accept large files that could fill up storage or cause a denial of service attack.

12.1.2 (L2, L3; CWE-409): Verify that compressed files are checked for "zip bombs" - small input files that will decompress into huge files thus exhausting file storage limits.

12.1.3 (L2, L3; CWE-770): Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.

OWASP Top 10

▰ OWASP Project

OWASP Top 10 vs OWASP ASVS

OWASP BWA

Download: https://sourceforge.net/projects/owaspbwa/files

OWASP Check List

▰ https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

▰ https://github.com/0xRadi/OWASP-Web-Checklist


About HTTP

HTTP

HTTP Request (Header)

▰ Host

▰ User Agent

▰ Cookie

▰ Referer

▰ Accept-Encoding

▰ Tools: HTTP Proxy, Live HTTP Headers

HTTP Response

▰ Status Code (1xx , 2xx , 3xx , 4xx , 5xx)

▻ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

▰ Set-Cookie

▰ Server

▰ Content-Length

▰ X-Powered-By

HTTP Request/Response

telnet ubcert.ir 80
GET / HTTP/1.1
Host: ubcert.ir

HTTP Response – Status Code

▰ Status Code (1xx , 2xx , 3xx , 4xx , 5xx)

▻ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

▰ Informational responses (100–199),

▰ Successful responses (200–299),

▰ Redirects (300–399),

▰ Client errors (400–499),

▰ Server errors (500–599)

HTTP Method

▰ GET: url, 255

▰ POST

▰ HEAD

▰ TRACE

▰ PUT, DELETE

▰ OPTIONS

▻ nmap --script http-methods ubcert.ir

Request:
DELETE /mysql/database.sql HTTP/1.1

Response:
HTTP/1.1 200 OK
Date: Wed, 21 Oct 2019 07:28:00 GMT

<html>
<body>
<h1>File deleted.</h1>
</body>
</html>

HTTP Method


--script http-methods

HTTP/S Proxy


Cookie

▰ HTTP Stateless

▰ session id

▻ PHPSESSID

▻ .ASPXAUTH

▰ Set-Cookie

Cookie - continue

▰ Persistent

▻ IE: C:\Users\User\AppData\Local\Microsoft\Windows\INetCache

▻ Chrome: sqlite3

▰ Non-persistent

▰ Cookie parameters:

▻ Domain

▻ Path

▻ HttpOnly

▻ Secure

▻ Expires

Cookie - continue


HTTP/1.1 vs HTTP/2

▰ HTTP/1.1

▻ HTTP Header Fields: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

▰ HTTP/2

▻ Binary Data

▻ Asynchronous

▻ Compressed

▻ and…

▰ HTTPS

Common Vulnerability


Injection

▰ Critical / High Vulnerability

▰ SQL Injection

▰ Command Injection

▰ LDAP Injection

▰ OS Injection/shell

▰ XPath

▰ …

Injection

Select * from employee where userid='112' and password='aaa'

Select * from employee where userid='112' and password='aaa' OR '1'='1'


Prevent Injection Attack

▰ Input Validation

▰ Escape Special Characters

▰ White List

▰ Black List

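An added example, not from the workshop slides, that runs the slide's login query both ways: built by string concatenation (the vulnerable form) and as a parameterised query behind a whitelist check on the user id. The in-memory table, its rows, the numeric-id format and the plaintext password column are constructed for the demo only.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data for the demo; a real app stores password hashes.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (userid TEXT, password TEXT)")
    con.execute("INSERT INTO employee VALUES ('112', 's3cret')")
    con.commit()
    return con

def login_vulnerable(con, userid, password):
    # String concatenation, the pattern the slide's query shows: the input
    # aaa' OR '1'='1 closes the quote and appends an always-true condition.
    sql = ("SELECT * FROM employee WHERE userid='" + userid +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None

# Whitelist: the demo assumes user ids are 1-10 digits.
USERID_RE = re.compile(r"^[0-9]{1,10}$")

def login_safe(con, userid, password):
    # Whitelist validation first, then a parameterised query: the values are
    # bound separately from the SQL text, so quotes in them cannot alter it.
    if not USERID_RE.fullmatch(userid):
        return False
    row = con.execute(
        "SELECT * FROM employee WHERE userid=? AND password=?",
        (userid, password),
    ).fetchone()
    return row is not None

def demo():
    con = make_db()
    payload = "aaa' OR '1'='1"  # the slide's injected password value
    return {
        "vulnerable_correct": login_vulnerable(con, "112", "s3cret"),
        "vulnerable_injected": login_vulnerable(con, "112", payload),
        "safe_correct": login_safe(con, "112", "s3cret"),
        "safe_injected": login_safe(con, "112", payload),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```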

Broken Authentication

▰ High Vulnerability

▰ State:

▰ Cookie in Client Side

▰ Session in Server Side

▰ Session Hijacking:

▻ Packet Sniffing

▻ Proxy / HTTP Referer Log

Broken Authentication

▰ Vulnerable:

▰ User credentials not protected with hashing & encryption

▰ Ex: user id, user name, … >>> ali13980730

▰ Session id can be guessed

▰ Session id exposed in URL

▰ Session id sent over HTTP (unencrypted connection)

▰ Sessions do not expire (no timeout)

Prevent Broken Authentication

▰ Multi-factor authentication

▰ Password checking

▰ Limit failed logins

▰ Session timeout

XSS

▰ High Vulnerability

▰ Types of XSS:

▰ Reflected XSS

▰ Stored XSS

▰ DOM-Based XSS

Prevent XSS Attack

▰ Input Validation

▰ Escape Special Characters

▰ Whitelist

Open Redirect

▰ Medium Vulnerability

▰ http://shaprak.ir?url=shaaprak.com

▰ Used for phishing

▰ Run malicious script

▰ Session hijacking

Prevent Open Redirect

▰ Create/use a whitelist (inputs that fool a naive whitelist check):

▻ http://example.com/?url=http://www.ubcert.ir@attacker.com

▻ http://example.com/?url=ubcert.ir&url=attacker.com

▻ http://www.ubcert.ir/http://www.attacker.com/

▰ ASP.NET:

➢ Url.IsLocalUrl()

▰ PHP:

➢ Reject values starting with http: or https:
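An added example, not from the workshop slides, of a redirect validator that holds up against the three bypass inputs listed above: it compares the parsed hostname (not a substring) against a whitelist, refuses userinfo in the URL and refuses duplicated url parameters. The ALLOWED_HOSTS set and the query strings are assumptions made for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed whitelist of hosts the application may redirect to.
ALLOWED_HOSTS = {"ubcert.ir", "www.ubcert.ir"}

def safe_redirect(target):
    """Return target if it is a safe redirect destination, else None."""
    target = target.strip()
    # Backslashes and control characters are parsed differently by browsers
    # and URL libraries, so refuse them outright.
    if any(c in target for c in "\\\r\n\t\x00"):
        return None
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A local path is fine, but "//attacker.com" would be scheme-relative,
        # so require exactly one leading slash.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None  # rejects javascript:, data: and scheme-relative URLs
    # Userinfo trick: in http://www.ubcert.ir@attacker.com the real host is
    # attacker.com; "www.ubcert.ir" is only the username part.
    if parts.username is not None or parts.password is not None:
        return None
    # Compare the parsed hostname, not a substring: this is why
    # http://www.ubcert.ir/http://www.attacker.com/ is judged by its host
    # (www.ubcert.ir) and http://attacker.com/www.ubcert.ir is refused.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return None
    return target

def redirect_target(query_string):
    """Pick the redirect from ?url=..., refusing duplicated parameters
    (url=ubcert.ir&url=attacker.com) so a first-value/last-value mismatch
    between the validator and the redirect cannot be exploited."""
    values = parse_qs(query_string, keep_blank_values=True).get("url", [])
    if len(values) != 1:
        return None
    return safe_redirect(values[0])

if __name__ == "__main__":
    for q in ("url=/dashboard",
              "url=http://www.ubcert.ir@attacker.com",
              "url=ubcert.ir&url=attacker.com",
              "url=//attacker.com"):
        print(q, "->", redirect_target(q))
```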

Using Components with known vulnerabilities

▰ Medium/High Vulnerability

▰ Components with vulnerabilities:

▻ WordPress plugins

▻ CMS such as Drupal, Joomla, …

▻ .NET components

▻ PHP frameworks

▻ And …

Google Dork – WordPress Deface

▰ GHDB

▻ https://www.exploit-db.com/google-hacking-database

▰ WordPress Deface:

▻ Formcraft Plugin

Prevent Components Vulnerabilities

▰ Identify component version

▰ Upgrade CMS

▰ Update plugins

▰ Update jQuery plugins

CSRF

▰ Medium Vulnerability

▰ User must be logged in

▰ Attacker forges a request as a trusted user/admin

Prevent CSRF

▰ Use POST method

▰ Use a token tied to the session

▰ Ask for user confirmation

Sensitive Data Exposure

▰ Low/Medium Vulnerability

▰ Information in Database

▰ Personal data

▰ Weak cipher

▰ Encrypt sensitive data

▰ Strong cipher


Information Gathering

Subdomains

▰ Sublist3r

▻ https://github.com/aboul3la/Sublist3r

WhatWeb

> whatweb -v ubcert.ir

Robots.txt

▰ robots.txt

▻ http://example.com/robots.txt

THANKS! Any questions?