QA: Basic Web Application Security Testing in... (slide transcript)
Basic Web Application
Security Testing in QA
Denis
Kolegov
Sr. Security Test
Engineer, PhD
F5 Networks,
Tomsk State University
Who Am I?
• Sr. Security Test Engineer at F5 Networks
• PhD, associate professor at TSU’s Information Security and
Cryptography Department
• Speaker
– Positive Hack Days, Zero Nights, SibeCrypt
• OWASP SCG, BeEF, Metasploit contributor
Introduction
• BSIMM security testing (Gary McGraw)
– Enhance QA beyond functional perspective
– Integrate the attacker perspective into test plans
– Deliver risk-based security testing
• Hack yourself first (Troy Hunt)
– This approach advocates building up our cyber-offense skills, and
focusing these skills inward at ourselves, to find and fix security issues
before the bad guys find and exploit them
Causes and Consequences
Checklist
1. Information disclosure
2. SSL/TLS
3. Slow HTTP DoS attacks
4. HTTP host header attacks
5. Login page over HTTPS
6. Same site scripting
7. Secure headers
8. Cross domain policy
9. Session management
10. URL validation
Information Disclosure
• Scope
– Web management interfaces
– Web application reverse proxies
– Error pages
• Services
– Google Search Engine
– Shodan
• Weaknesses
– Indexing by search engines
– Hardcoded keywords on error pages
– Keywords in HTTP response headers
Information Disclosure
• Shodan
– cisco
– bitrix
– VMware
– intitle: "VMware Horizon View Administrator"
– inurl:"portal/webclient/views/mainUI.html"
– intitle:"Welcome to VMware ESX"
Information Disclosure
• Test robots.txt
User-agent: *
Disallow: /
• Test meta tag
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
• Test that it is possible to delete or change default keywords via
customization tool
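As an added example (not code from the slides), the two robots tests above as a Python check: it parses a robots.txt body and verifies that the group for every crawler (User-agent: *) disallows the whole site, and scans an HTML page for the NOINDEX, NOFOLLOW meta tag. The robots.txt and HTML samples are constructed inline.

```python
import re

# Constructed samples (not taken from the slides): what a correctly configured
# management interface should return for /robots.txt and for its index page.
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /\n"
SAMPLE_ADMIN_HTML = (
    "<html><head><title>Admin</title>"
    '<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"></head><body></body></html>'
)


def robots_blocks_all(robots_txt: str) -> bool:
    """True if the group that applies to every crawler ('User-agent: *')
    contains 'Disallow: /'. Comments and blank lines are ignored."""
    agents = []               # user-agents of the group currently being read
    reading_agents = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not reading_agents:   # first user-agent line opens a new group
                agents = []
                reading_agents = True
            agents.append(value)
        else:
            reading_agents = False
            if field == "disallow" and value == "/" and "*" in agents:
                return True
    return False


_META_ROBOTS = re.compile(r"<meta\s[^>]*?name\s*=\s*[\"']?robots[\"']?[^>]*>", re.I)
_CONTENT = re.compile(r"content\s*=\s*[\"']([^\"']*)[\"']", re.I)


def meta_forbids_indexing(html: str) -> bool:
    """True if a <meta name="robots"> tag carries both NOINDEX and NOFOLLOW."""
    for tag in _META_ROBOTS.findall(html):
        m = _CONTENT.search(tag)
        if not m:
            continue
        directives = {d.strip().lower() for d in m.group(1).split(",")}
        if {"noindex", "nofollow"} <= directives:
            return True
    return False


def information_disclosure_findings(robots_txt: str, html: str) -> list:
    """Run both checks and return the failures as a list of strings."""
    findings = []
    if not robots_blocks_all(robots_txt):
        findings.append("robots.txt does not disallow everything for 'User-agent: *'")
    if not meta_forbids_indexing(html):
        findings.append('page lacks <meta name="robots" content="noindex, nofollow">')
    return findings
```

Both checks are deliberately strict: a robots.txt that only blocks a specific crawler, or a meta tag with NOINDEX but without NOFOLLOW, counts as a failure, which is what you want when the interface must never be indexed at all.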
SSL/TLS Testing
• Testing with OpenSSL
– Trustworthy checks
– Old versions (0.9.8k)
• Qualys SSL Labs
– SSL Server Test
– SSL Client Test
– SSL/TLS Best Practices
– API
• Tools
– sslscan
– sslyze
– ssllabs-scan
Client-Initiated Renegotiation DoS Test
• Testing with OpenSSL
openssl s_client -connect test.com:443
GET / HTTP/1.1
Host: test.com
R
…
R
CRLF
• Proof of concept with exploit
thc-ssl-dos --accept test.com 443
Slow HTTP DoS Testing
• Attacks
– Slowloris (slow headers)
– Slow HTTP POST (slow body)
– Slow Read
• Apache is generally the most vulnerable server
• Nginx, IIS and lighttpd can also be vulnerable to these attacks
• Tools
– https://code.google.com/p/slowhttptest/
– slowloris.pl
Slow HTTP DoS Testing
• Slowloris
slowhttptest -u "https://test.com/" -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow HTTP Post
slowhttptest -u https://test.com/ -B -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow Read
slowhttptest -u "https://test.com/js/bigfile" -X -c 5000 -r 4000 -l 400 -k 5 -n 10 -w 10 -y 300 -z 1
Same Site Scripting
• DNS misconfiguration
– xyz.target.com with A-record to 127.0.0.1
– xyz.target.com with A-record to private address (RFC 1918)
• In a multi-user system an attacker can run a network service on the loopback interface and then eavesdrop on users' cookies
1. Run "nc -lv 10024"
2. Send an email with <img src="http://xyz.target.com:10024">
• An attacker can connect to a public network using the same private network address and publish a link to xyz.target.com. All users in the same public network who access this resource send their cookies to the attacker
Same Site Scripting
• Testing
– nslookup localhost.target.com
– DNS enumeration
• Examples
– https://hackerone.com/reports/1509
– https://hackerone.com/reports/7949
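As an added example (not from the slides), the same-site-scripting test applied to the output of DNS enumeration: given the records resolved for names under the tested domain, flag every name whose A/AAAA record points at loopback, link-local or private (RFC 1918 / ULA) space, and run the nslookup localhost.target.com check from the slide. The record set is constructed; target.com is the slide's placeholder domain and the public address is an arbitrary example value.

```python
import ipaddress

# Constructed DNS answers (hostname -> A/AAAA records). These are not real
# records for target.com; the public address is an arbitrary example value.
SAMPLE_RECORDS = {
    "www.target.com": ["93.184.216.34"],
    "localhost.target.com": ["127.0.0.1"],
    "dev.target.com": ["10.0.0.5"],
    "ipv6.target.com": ["::1"],
}


def classify_address(addr: str):
    """Return a short label if the address is one an attacker could occupy
    on the victim's own machine or LAN, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:            # RFC 1918 for IPv4, ULA (fc00::/7) for IPv6
        return "private"
    return None


def find_same_site_scripting(records: dict) -> list:
    """Flag every name under the domain whose record points at loopback,
    link-local or private space. Returns (hostname, address, label) tuples."""
    findings = []
    for host, addrs in records.items():
        for addr in addrs:
            label = classify_address(addr)
            if label is not None:
                findings.append((host, addr, label))
    return findings


def check_localhost_record(records: dict, domain: str) -> bool:
    """The nslookup test from the slide: 'localhost.<domain>' must not
    resolve to a loopback address. True means the check passed."""
    name = "localhost." + domain
    return not any(ipaddress.ip_address(a).is_loopback for a in records.get(name, []))
```

In practice the records dict is filled from a zone transfer (where permitted) or from a brute-force enumeration of the domain's names; the classification is the same in both cases, and each flagged name is a cookie-scope problem, since browsers send the parent domain's cookies to it.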
Login Page over HTTPS
• The initial login page must be served over TLS
• The login page and all subsequent authenticated pages must be
exclusively accessed over TLS
Source: Troy Hunt, OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
HTTP Secure Headers
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Strict-Transport-Security
• Access-Control-Allow-Origin
• Content-Security-Policy
X-Frame-Options
• All about Clickjacking?
• What an attacker can do
– Bypass some XSS filters
– Bypass XSS length restrictions
– Bypass CSP via browser vulnerabilities
• X-Frame-Options is an additional layer of defense
Access-Control-Allow-Origin
• Access-Control-Allow-Origin is part of the CORS specification
• Access-Control-Allow-Origin: * means that the resource can be accessed by any domain in a cross-site manner
• Examples
– https://hackerone.com/reports/13551
– https://hackerone.com/reports/6268
Secure Headers Testing
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY | SAMEORIGIN
• Strict-Transport-Security: max-age=31536000; includeSubDomains
• X-XSS-Protection: 1; mode=block
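As an added example (not code from the slides), a Python checker that evaluates a captured response-header set against the values listed on this slide, plus the two related points made earlier: a wildcard Access-Control-Allow-Origin and version keywords in the Server header. The two header sets are constructed, not captured from any real site; severities are the author's own labelling.

```python
import re

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.2.22",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

ONE_YEAR = 31536000


def _hsts_directives(value: str) -> dict:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip()
    return out


def check_secure_headers(headers: dict) -> list:
    """Return (header, severity, message) findings for one response.
    Header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "low", "missing or not 'nosniff'"))

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "medium", "missing or not DENY/SAMEORIGIN (clickjacking)"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "medium", "missing"))
    else:
        d = _hsts_directives(hsts)
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "medium", "max-age below one year (31536000)"))
        if "includesubdomains" not in d:
            findings.append(("Strict-Transport-Security", "low", "includeSubDomains not set"))

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append(("X-XSS-Protection", "low", "missing or not '1; mode=block'"))

    if "content-security-policy" not in h:
        findings.append(("Content-Security-Policy", "medium", "missing"))

    if h.get("access-control-allow-origin") == "*":
        findings.append(("Access-Control-Allow-Origin", "medium",
                         "wildcard origin: confirm the resource is genuinely public"))

    # Information disclosure: a product version in Server is a search keyword.
    if re.search(r"\d", h.get("server", "")):
        findings.append(("Server", "low", "version number disclosed"))
    return findings
```

Run it over every distinct response type of the application (HTML pages, JSON endpoints, redirects, error pages), not only the front page: the headers are commonly set by one component and missing from responses produced by another.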
Host Header Attacks
• Weakness: a web server handles HTTP requests with an arbitrary or invalid Host header
• Attacks
– DNS rebinding
– Stored XSS
– Password reset poisoning
– Web-cache poisoning
• Examples
– https://hackerone.com/reports/13286
– https://hackerone.com/reports/487
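As an added example (not code from the slides), the server-side fix for this weakness in Python: a strict Host header parser and exact-match allowlist, and a password-reset link builder that never takes its hostname from an unallowlisted Host, which is the mitigation for the password-reset-poisoning case listed above. The allowlist and canonical name are constructed values; test.com is the slide's placeholder host.

```python
import ipaddress

# Constructed allowlist and canonical name (not from the slides).
ALLOWED_HOSTS = {"test.com", "www.test.com"}
CANONICAL_HOST = "www.test.com"


def parse_host_header(value: str):
    """Split a Host header into (lowercased host, port or None).
    Raises ValueError on anything malformed."""
    value = value.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):                       # IPv6 literal: [addr]:port
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)                 # ValueError if not an address
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port")
        port = int(rest[1:])
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    host = host.lower().rstrip(".")                 # 'Test.com.' == 'test.com'
    if not host:
        raise ValueError("empty host")
    return host, port


def is_allowed_host(value: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact-match allowlist check; no substring or suffix matching, so
    'test.com.attacker.example' and 'evil.test.com' are both rejected."""
    try:
        host, _ = parse_host_header(value)
    except ValueError:
        return False
    return host in allowed


def password_reset_link(host_header: str, token: str, allowed=ALLOWED_HOSTS) -> str:
    """Build the link placed in a reset e-mail. The request's Host is used
    only if it is allowlisted; otherwise the canonical name is used, so a
    forged Host cannot steer the token to an attacker-controlled server."""
    try:
        host, _ = parse_host_header(host_header)
    except ValueError:
        host = None
    if host not in allowed:
        host = CANONICAL_HOST
    return f"https://{host}/reset?token={token}"
```

The same allowlist should be enforced at the reverse proxy (or as the default virtual host returning an error), so that requests with an unknown Host never reach application code that might build absolute URLs from it.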
Cross Domain Policy
• A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, etc. uses to access data across different domains
• Files
– crossdomain.xml
– clientaccesspolicy.xml
• Example of configuration weakness
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
• Example
– https://hackerone.com/reports/43070
Session Management
• Test that the session is invalidated when the user logs out
• The session ID is sent in an HTTP cookie or header and is never disclosed in URLs
• Test that the session ID is changed when the user performs a critical action
– Login, logout
– Password change
– Session expiration, reauthentication
Source: OWASP ASVS project
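As an added example (not code from the slides or from OWASP), an in-memory session store in Python that implements the three rules above: invalidation on logout and on idle expiry, a new ID on login, password change and re-authentication (with the old ID dead the moment it is rotated), and a cookie attribute set that keeps the ID out of URLs and scripts. The clock is injectable so the expiry behaviour can be tested offline; timeouts and the cookie name are constructed values.

```python
import secrets
import time

SESSION_COOKIE = "sid"   # constructed cookie name


class SessionStore:
    """In-memory session store (constructed example). 'now' is injectable so
    idle expiry can be exercised without waiting."""

    def __init__(self, idle_timeout=900, now=time.monotonic):
        self._sessions = {}          # sid -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout
        self._now = now

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create(self, user=None) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def get(self, sid):
        """Return the session dict, or None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > self.idle_timeout:
            self.invalidate(sid)          # expiry is a real invalidation
            return None
        s["last_seen"] = self._now()
        return s

    def invalidate(self, sid) -> None:
        self._sessions.pop(sid, None)

    def rotate(self, sid) -> str:
        """Move the state to a fresh ID; the old ID stops working at once."""
        s = self._sessions.pop(sid)       # KeyError for an unknown ID
        new_sid = self._new_id()
        self._sessions[new_sid] = s
        return new_sid

    def login(self, sid, user) -> str:
        # Rotating here defeats session fixation: an ID handed to the victim
        # before authentication never becomes an authenticated session.
        new_sid = self.rotate(sid) if sid in self._sessions else self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid) -> None:
        self.invalidate(sid)

    def reauthenticate(self, sid) -> str:
        return self.rotate(sid)

    def change_password(self, sid) -> str:
        # Keep this session on a new ID and drop every other session of the
        # same user, so a stolen session does not survive the password change.
        user = self._sessions[sid]["user"]
        new_sid = self.rotate(sid)
        for other in [k for k, v in self._sessions.items() if v["user"] == user and k != new_sid]:
            self.invalidate(other)
        return new_sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure and HttpOnly keep the ID off plain HTTP and
    away from scripts; a cookie (not a URL parameter) carries it."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

When testing a real application the same sequence is driven through the UI or API: capture the cookie before login, after login, after a password change and after logout, and confirm that each earlier value is rejected by the server rather than merely replaced in the browser.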
URL Validation
• Weakness: insufficient input validation for URL data
• Test vectors (for http://test.com/foo/bar?param=value)
– GET /3fb5e7a4f814d790'"<>/%2e%2e/foo/bar?param=value HTTP/1.1
– GET /foo/3fb5e7a4f814d790'"<>/%2e%2e/bar?param=value HTTP/1.1
– GET /foo/bar/3fb5e7a4f814d790'"<>/%2e%2e/?param=value HTTP/1.1
– GET /foo/bar.baz/3fb5e7a4f814d790'"<>?param=value HTTP/1.1
• Attacks
– XSS
– CRLF injection (HTTP Response Splitting)
– Open Redirect
– Secret token leakage
Source: Sergey Bobrov, http://habrahabr.ru/company/pt/blog/247709
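As an added example (not code from the slides or from the cited article), the server-side counterpart of these test vectors in Python: a request-path validator that reports why a path should be rejected (quote and angle-bracket characters, CR/LF, percent-encoded dot-segments, double encoding) and an open-redirect guard that accepts only local absolute paths. The marker string used in the tests is the one from the slide's vectors; the function names are the author's own.

```python
import re
import urllib.parse

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # includes CR and LF
_MARKUP = set("<>'\"")


def path_findings(raw_target: str) -> list:
    """Return the reasons a request-target's path should be rejected
    (an empty list means it passed). Mirrors the test vectors above,
    seen from the server side."""
    path, _, _query = raw_target.partition("?")
    reasons = []
    if not path.startswith("/"):
        reasons.append("path is not absolute")
    decoded = urllib.parse.unquote(path)
    # A second decode changing the string means the client double-encoded
    # something (e.g. %252e%252e), a classic filter-evasion trick.
    if urllib.parse.unquote(decoded) != decoded:
        reasons.append("double percent-encoding")
    if _CONTROL.search(decoded):
        reasons.append("control character or CR/LF (response splitting)")
    if _MARKUP & set(decoded):
        reasons.append("markup/quote characters (XSS if reflected)")
    if any(seg in (".", "..") for seg in decoded.split("/")):
        reasons.append("dot-segment (%2e%2e traversal)")
    return reasons


def is_safe_redirect(target: str) -> bool:
    """Open-redirect guard: accept only a local absolute path, never a
    scheme-relative '//host' (or '/\\host') or an absolute URL."""
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return False
    parsed = urllib.parse.urlsplit(target)
    return parsed.scheme == "" and parsed.netloc == ""
```

Rejecting the request outright (HTTP 400) is preferable to sanitising: a path containing a quote or a CR was never a legitimate resource name, and an error response cannot be reflected into a page or a header.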
URI Validation
Bibliography
1. Vladimir Kochetkov. How to Develop a Secure Web Application and Stay in Mind?
2. OWASP Testing Guide v4
3. The Building Security In Maturity Model
4. Qualys SSL LABS
5. SSL/TLS Checklist for Pentesters
6. Sergey Shekyan. Testing Web Servers for Slow HTTP Attacks
7. Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
8. Sergey Belov. Show Me Impact
9. Frederik Braun and Mario Heiderich. X-Frame-Options: All about Clickjacking?
10. Guidelines for Setting Security Headers
11. Sergey Bobrov. Yet Another Vulnerability in Facebook
@dnkolegov
Questions?