Introduction to Web-Application Penetration Testing

WEB APPLICATION PENETRATION TESTING Anurag Srivastava Information Security Researcher PRE NULL MEET – LUCKNOW


This is a slide deck made by Anurag Srivastava which covers an introduction to ethical hacking in web application penetration testing. Hope you will find it useful. Thanks and regards, Anurag Srivastava, IT Security Researcher

Transcript of Introduction to Web-Application Penetration Testing


  • Introduction To Web-Application Penetration Testing
    Process to check and penetrate the security of a web application or a website. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution.

  • Why Web Application Penetration Testing?

    Common misconceptions:
    Our site is safe.
    We have firewalls in place.
    We encrypt our data.
    We have IDS/IPS.
    We have a privacy policy.

  • Top Ten Critical Bugs According To OWASP!
    1. Injection (SQL, OS and LDAP)
    2. Broken Authentication and Session Management
    3. Cross-Site Scripting (XSS)
    4. Insecure Direct Object References
    5. Security Misconfiguration
    6. Sensitive Data Exposure
    7. Missing Function Level Access Control
    8. Cross-Site Request Forgery (CSRF)
    9. Using Components with Known Vulnerabilities
    10. Unvalidated Redirects and Forwards

  • Injection
    Such as SQL, OS and LDAP injections. Untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  • Sql Injection

  • Trying the basic payload 1' or '1'='1 in the vulnerable input field in order to retrieve the username and password and confirm the SQL injection vulnerability. The injected condition returns true for every row.

  • Blind SQL Injection: I tried to execute a SQL query in the input field here along with a true return value.

  • I tried to execute database() to extract the DB name. (Screenshot: the query output shows Database Name (DVWA).)

  • Am I Vulnerable To 'Injection'?
    Verify that all use of interpreters clearly separates untrusted data from the command or query. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Poor error handling makes injection flaws easier to discover.
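    The injection slides above show the 1' or '1'='1 payload against a DVWA-style lookup. The following is an added example (not code from the slides or from DVWA) that puts the vulnerable query beside its parameterized form so the difference can be observed on a local, in-memory table. The table schema, the rows and the placeholder password strings are constructed for the demo.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# DVWA-style users table the slides query. Schema and rows are assumptions.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-pw"),
    ("gordonb", "hash-of-gordon-pw"),
    ("pablo", "hash-of-pablo-pw"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (user, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Untrusted input pasted into the query text: the interpreter cannot tell
    # data from command, which is the flaw the slides demonstrate.
    sql = f"SELECT user, password FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized interface: the value is bound as data and never parsed as
    # SQL, so the quote in the payload is just a character in a string.
    return conn.execute(
        "SELECT user, password FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def injection_widens_result(user_id: str) -> bool:
    # Quick check a tester can run against an instrumented copy of the app:
    # does the same input return more rows through the vulnerable path than
    # through the safe path? If so, the input is being parsed as SQL.
    conn = build_db()
    return len(lookup_vulnerable(conn, user_id)) > len(lookup_parameterized(conn, user_id))


if __name__ == "__main__":
    payload = "1' or '1'='1"  # the payload from the slides
    conn = build_db()
    print("vulnerable:   ", lookup_vulnerable(conn, payload))
    print("parameterized:", lookup_parameterized(conn, payload))
```

    With the payload, the concatenated query becomes WHERE id = '1' or '1'='1' and returns every row; the parameterized query looks for an id equal to the literal string and returns nothing. The same shape applies to the OS and LDAP cases on the OWASP list: keep the command fixed and pass the untrusted value through an interface that treats it as data.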

  • XSS Cross Site Scripting
    Occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. Allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

  • Payload

  • Payload used: Stored XSS

  • Payload used: alert(document.cookie)

  • Am I Vulnerable To 'Cross-Site Scripting (XSS)'?
    Vulnerable if you do not ensure that all user-supplied input is properly escaped, or you do not verify it to be safe via input validation, before including that input in the output page. If Ajax is being used to dynamically update the page, are you using safe JavaScript APIs? For unsafe JavaScript APIs, encoding or validation must also be used.
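    The stored XSS slides show alert(document.cookie) being echoed back into the page. This added example (not code from the slides) renders that same stored value into three different HTML contexts, body, attribute and JavaScript, with the context-appropriate escaping, next to the verbatim copy a vulnerable guestbook would produce. The script tag around the payload, the comment variable name and the crude has_live_script check are assumptions made for the demo.

```python
import html
import json

# Constructed sample input: the slide's payload wrapped in a script tag, as a
# stored guestbook comment would carry it (the tag is an assumption; the
# transcript shows only the alert call).
STORED_COMMENT = "<script>alert(document.cookie)</script>"


def render_unsafe(untrusted: str) -> str:
    # What the vulnerable guestbook did: copy stored input into the page verbatim.
    return f"<p>{untrusted}</p>"


def render_body(untrusted: str) -> str:
    # HTML body context: entity-encode & < > " ' so no markup can be introduced.
    return f"<p>{html.escape(untrusted, quote=True)}</p>"


def render_attribute(untrusted: str) -> str:
    # Attribute context: always quote the attribute and encode quotes inside it,
    # so the value cannot close the attribute and start an event handler.
    return f'<input type="text" value="{html.escape(untrusted, quote=True)}">'


def render_js(untrusted: str) -> str:
    # JavaScript context: JSON-encode the value, then escape < and > so the
    # string can never contain a literal </script> that closes the block early.
    encoded = json.dumps(untrusted).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var comment = {encoded};</script>"


def has_live_script(page: str) -> bool:
    # Crude demo check (assumption): does the rendered page still contain the
    # raw payload from the slides as executable markup?
    return "<script>alert(" in page


if __name__ == "__main__":
    for name, renderer in [("unsafe", render_unsafe), ("body", render_body),
                           ("attribute", render_attribute), ("js", render_js)]:
        page = renderer(STORED_COMMENT)
        print(f"{name:9} live={has_live_script(page)} {page}")
```

    The body and attribute encoders are the same function applied in different places; the JavaScript encoder is different because entity encoding means nothing inside a script block. On the Ajax point from the slide, the equivalent browser-side choice is writing untrusted text with textContent rather than innerHTML, so the browser never parses it as markup at all.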

  • CSRF Cross Site Request Forgery
    The attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

  • CSRF

  • The request does not have a CSRF token/access token, and thus we can take advantage of this to generate a CSRF request.

  • We are using the same form which our vulnerable website uses, but we are changing the value of the password and thus resetting the password to anything we wish.

    (Form fields: New password / Confirm new password)

  • Submitting the form

  • Wow! Password has been changed.

  • Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?
    Check if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests. An alternate defense is to require the user to prove they intended to submit the request, either through reauthentication, or some other proof they are a real user (e.g., a CAPTCHA).

  • Only 10 ?

    NO, there are not only 10 but hundreds of issues that could affect the overall security of a web application.

  • COUNTERMEASURES
    For Injection: use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
    For XSS: properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.
    For CSRF: include the unique token in a hidden field. Requiring the user to reauthenticate, or prove they are a user (e.g., via a CAPTCHA), can also protect against CSRF.
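    The CSRF demo slides show a copied password-change form succeeding because the request carries no token, and the "Am I Vulnerable" and countermeasure slides prescribe a unique token in a hidden field. This added example (not code from the slides or from DVWA) implements one simple version of that control: a token bound to the session with an HMAC, emitted in the form and checked by the handler before any password is changed. The server secret, session ids, form field names (password_new, password_conf) and the handler's response strings are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side secret, generated at start-up for this demo.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    # Bind the token to the victim's session: a token the attacker captured
    # from their own session will not validate against anyone else's.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def password_form(session_id: str) -> str:
    # The site's own form, now carrying the unique token in a hidden field
    # (field names are constructed for the demo).
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/change_password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        'New password: <input type="password" name="password_new">'
        'Confirm new password: <input type="password" name="password_conf">'
        '<input type="submit" value="Change">'
        "</form>"
    )


def change_password(session_id: str, form: dict) -> str:
    # Server-side handler: the session cookie alone is not proof of intent,
    # so the token is checked before anything else is looked at.
    submitted = form.get("csrf_token")
    if submitted is None:
        return "rejected: missing CSRF token"
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return "rejected: invalid CSRF token"
    if form.get("password_new") != form.get("password_conf"):
        return "rejected: passwords do not match"
    return "password changed"


if __name__ == "__main__":
    # The copied form from the slides submits both password fields but no token.
    forged = {"password_new": "chosen-by-attacker", "password_conf": "chosen-by-attacker"}
    print("forged copy of the form:", change_password("victim-session", forged))
    # The site's real form carries the token for the victim's session.
    legit = dict(forged, csrf_token=issue_csrf_token("victim-session"))
    print("site's own form:        ", change_password("victim-session", legit))
```

    The forged submission from the slides now fails at the first check, and a token lifted from another session fails at the second. A session-bound HMAC is the smallest design that satisfies the slide's "unpredictable token" requirement; per-request nonces with expiry and SameSite session cookies add further margin, and the reauthentication or CAPTCHA alternative the slide mentions is a policy choice layered on top of this handler rather than a replacement for it.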

  • Thanks! Anurag Srivastava. Information source: OWASP
