Web Application Penetration Testing · Run malicious script Session hijacking 40. Prevent Open...

Web Application Penetration Testing https://ubcert.ir 2019/11/04


Web Application Penetration Testing

https://ubcert.ir 2019/11/04


Outline


▰ Introduction

▰ About Web Penetration Testing

▰ OWASP

▻ ASVS

▻ OWASP Top 10

▰ About HTTP

▰ Common Vulnerability

▰ Information Gathering

▰ Penetration Testing Report & Contract

▰ Attack Scenario


Introduction

▰ Holding Workshops - UBCERT

▰ Why Web Penetration Testing


Deface

[Pie chart: IR Deface vs Total Deface – Summer 98; segments 1% and 99%]


Methodology

▰ Ethical Hacking

▰ Penetration Testing

▰ Vulnerability Assessment

▰ Security Audit

▰ Standard


Type of Penetration Testing

▰ Gray Box Testing

▰ White Box Testing

▰ Black Box Testing


Penetration Testing Limits


▰ Confidentiality of Data

▰ Timing Limitation

▰ Tools Restrictions

▰ Avoid DOS Attack


Priority of Vulnerability


▰ P1: Critical

▰ P2: High

▰ P3: Medium

▰ P4: Low

▰ P5: Information

Vulnerability List

CWE (Common Weakness Enumeration)

https://cwe.mitre.org/index.html


OWASP


▰ OWASP Tools Project:

▻ ZAP: Zed Attack Proxy

▻ BWA: Broken Web Applications

▻ DirBuster

▻ SQLiX

▻ WebScarab

▰ OWASP Code Project:

▻ ModSecurity: Core Rule Set

▻ OWASP CSRFGuard

▰ OWASP Documentation Project:

▻ ASVS: Application Security Verification Standard

▻ OWASP Top 10

▻ OWASP Testing Guide


OWASP ASVS Certificate


▰ OWASP ASVS:

▻ Web Application

▻ Server Configuration

▻ Mobile Client

▻ Web Service

▻ Communication


OWASP ASVS - File Upload


V12.1 File Upload Requirements

Although zip bombs are eminently testable using penetration testing techniques, they are considered L2 and above to encourage design and development consideration with careful manual testing, and to avoid automated or unskilled manual penetration testing of a denial of service condition.

# (levels; CWE): Description

12.1.1 (L1, L2, L3; CWE-400): Verify that the application will not accept large files that could fill up storage or cause a denial of service attack.

12.1.2 (L2, L3; CWE-409): Verify that compressed files are checked for "zip bombs" - small input files that will decompress into huge files thus exhausting file storage limits.

12.1.3 (L2, L3; CWE-770): Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.
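The three V12.1 requirements above map directly onto three checks an upload handler can run before a byte touches disk. The following Python is an added example written for this transcript; it is not code from the UBCERT workshop or from OWASP. All limits, the quota record and the sample archives are constructed for the demonstration. The zip bomb check reads only the archive's central directory (declared sizes) and compares it with the stored size, so a bomb is refused without ever being inflated.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Limits are constructed for this example; tune them per application.
MAX_FILE_BYTES = 5 * 1024 * 1024           # 12.1.1: largest single upload
MAX_DECOMPRESSED_BYTES = 10 * 1024 * 1024  # 12.1.2: cap on expanded size
MAX_COMPRESSION_RATIO = 100.0              # 12.1.2: expanded / stored size
MAX_FILES_PER_USER = 20                    # 12.1.3: per-user file count
MAX_BYTES_PER_USER = 50 * 1024 * 1024      # 12.1.3: per-user storage

# Constructed incompressible payload used for the benign archive below.
SAMPLE_RANDOM = os.urandom(2048)


class UploadRejected(Exception):
    """Raised when an upload violates one of the V12.1 checks."""


@dataclass
class UserQuota:
    files: int = 0
    bytes_used: int = 0


def check_zip_bomb(data: bytes) -> int:
    """Return the declared decompressed size of a zip without extracting it.

    Only the central directory is read, so a small "bomb" is rejected
    before any storage or CPU is spent inflating it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = sum(info.file_size for info in zf.infolist())
    except zipfile.BadZipFile as exc:
        raise UploadRejected(f"invalid zip archive: {exc}") from exc
    if total > MAX_DECOMPRESSED_BYTES:
        raise UploadRejected(f"archive expands to {total} bytes, over limit")
    if data and total / len(data) > MAX_COMPRESSION_RATIO:
        raise UploadRejected("compression ratio too high (possible zip bomb)")
    return total


def validate_upload(data: bytes, filename: str, quota: UserQuota) -> UserQuota:
    """Apply the 12.1.1 (size), 12.1.2 (zip bomb) and 12.1.3 (quota) checks.

    On success the caller's quota is updated in place and returned; on
    failure UploadRejected is raised and the quota is left untouched.
    """
    if len(data) > MAX_FILE_BYTES:
        raise UploadRejected(f"file is {len(data)} bytes, over {MAX_FILE_BYTES}")
    if filename.lower().endswith(".zip"):
        check_zip_bomb(data)
    if quota.files + 1 > MAX_FILES_PER_USER:
        raise UploadRejected("per-user file count quota exceeded")
    if quota.bytes_used + len(data) > MAX_BYTES_PER_USER:
        raise UploadRejected("per-user storage quota exceeded")
    quota.files += 1
    quota.bytes_used += len(data)
    return quota


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build a small in-memory zip archive (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def is_rejected(func, *args) -> bool:
    """True if func(*args) raises UploadRejected (used by the demo)."""
    try:
        func(*args)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    quota = UserQuota()
    validate_upload(make_zip("data.bin", SAMPLE_RANDOM), "ok.zip", quota)
    # 1 MiB of zeros deflates to about 1 KiB: a toy "zip bomb" ratio.
    bomb = make_zip("zeros.bin", b"\0" * (1024 * 1024))
    print("bomb rejected:", is_rejected(validate_upload, bomb, "bomb.zip", quota))
```

The ratio check matters as much as the absolute cap: a nested or multi-member archive can declare modest per-member sizes and still be pathological, so a production handler would also recurse into nested archives and count members, which this example leaves out.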


OWASP Top 10


▰ OWASP Project


OWASP Top 10


OWASP Top 10 vs OWASP ASVS


OWASP BWA

Download: https://sourceforge.net/projects/owaspbwa/files


OWASP Check List

▰ https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

▰ https://github.com/0xRadi/OWASP-Web-Checklist


About HTTP


HTTP


HTTP Request (Header)

▰ Host

▰ User Agent

▰ Cookie

▰ Referer

▰ Accept-Encoding

▰ Tools: HTTP proxy, Live HTTP Headers


HTTP Response

▰ Status Code (1xx , 2xx , 3xx , 4xx , 5xx)

▻ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

▰ Set-cookie

▰ Server

▰ Content-Length

▰ X-Powered-By

telnet ubcert.ir 80
GET / HTTP/1.1
Host: ubcert.ir


HTTP Request/Response


HTTP Response – Status Code

▰ Status Code (1xx, 2xx, 3xx, 4xx, 5xx)

▻ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

▻ Informational responses (100–199)

▻ Successful responses (200–299)

▻ Redirects (300–399)

▻ Client errors (400–499)

▻ Server errors (500–599)


HTTP Method

▰ GET: data in the URL (255)

▰ POST

▰ HEAD

▰ TRACE

▰ PUT, DELETE

▰ OPTIONS

▻ nmap --script http-methods ubcert.ir

Request:
DELETE /mysql/database.sql HTTP/1.1

Response:
HTTP/1.1 200 OK
Date: Wed, 21 Oct 2019 07:28:00 GMT

<html>
<body>
<h1>File deleted.</h1>
</body>
</html>
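The telnet exchange, the status-code classes and the DELETE response above are all plain text on the wire, and a tester reads them by hand. The following Python is an added example, not code from the workshop: it builds the same kind of request, parses a raw response into status line, headers and body, classifies the status code, and flags dangerous methods advertised in the Allow header of an OPTIONS reply (the same information nmap's http-methods script reports). The two sample responses are constructed for the example and are not real captures from ubcert.ir.

```python
from dataclasses import dataclass

# Constructed sample traffic modelled on the slide's DELETE exchange and on an
# OPTIONS probe (not real captures from ubcert.ir).
SAMPLE_DELETE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 21 Oct 2019 07:28:00 GMT\r\n"
    "Server: Apache/2.4.29\r\n"
    "X-Powered-By: PHP/7.2.0\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<html><body><h1>File deleted.</h1></body></html>"
)
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirect",
                  4: "Client error", 5: "Server error"}
# Methods that should stay disabled unless the application really needs them.
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def build_request(method: str, path: str, host: str) -> str:
    """Minimal HTTP/1.1 request, the same shape as the telnet exchange."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict   # lower-cased name -> list of values (headers may repeat)
    body: str

    def status_class(self) -> str:
        return STATUS_CLASSES.get(self.status // 100, "Unknown")

    def header(self, name: str):
        """First value of a header, or None; lookup is case-insensitive."""
        values = self.headers.get(name.lower(), [])
        return values[0] if values else None


def parse_response(raw: str) -> HttpResponse:
    """Split a raw response into status line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, headers, body)


def allowed_methods(resp: HttpResponse) -> set:
    """Methods advertised in the Allow header of an OPTIONS response."""
    allow = resp.header("Allow") or ""
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def risky_methods(resp: HttpResponse) -> set:
    """Subset of advertised methods that warrant a finding in a report."""
    return allowed_methods(resp) & DANGEROUS_METHODS


if __name__ == "__main__":
    r = parse_response(SAMPLE_DELETE_RESPONSE)
    print(r.status, r.status_class(), r.header("Server"), r.header("X-Powered-By"))
    print("risky:", sorted(risky_methods(parse_response(SAMPLE_OPTIONS_RESPONSE))))
```

Headers are stored as lists because Set-Cookie may legitimately repeat, and names are compared case-insensitively because HTTP header names are. An Allow header is only a server claim: the fix for a finding like the DELETE example is to disable the method in the web server or application router, then confirm with a second probe.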


HTTP Method

[Screenshot: output of nmap --script http-methods]

HTTP/S Proxy


Cookie

▰ HTTP Stateless

▰ Session ID

▻ PHPSESSID

▻ .ASPXAUTH

▰ Set-cookie


Cookie - continue

▰ Persistent

▻ IE: C:\Users\User\AppData\Local\Microsoft\Windows\INetCache

▻ Chrome: sqlite3

▰ Non-persistent

▰ Cookie attributes: Domain, Path, HttpOnly, Secure, Expires
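The cookie attributes listed above are what a tester checks on every Set-Cookie header that carries a session ID, and what a developer has to emit. The following Python is an added example for this transcript, not workshop code: one function builds a session cookie with the attributes set, another parses any Set-Cookie value and reports which protections are missing. The two sample headers are constructed; the cookie name PHPSESSID is only used because the slides mention PHP.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: a bare session cookie and a hardened one.
WEAK_SET_COOKIE = "PHPSESSID=abc123; Path=/"
HARDENED_SET_COOKIE = ("PHPSESSID=abc123; Path=/; Domain=example.com; "
                       "Secure; HttpOnly; SameSite=Strict")


def build_session_cookie(name: str, value: str, domain: str) -> str:
    """Emit a Set-Cookie value with the attributes a session cookie needs.

    No Expires/Max-Age is set: a non-persistent cookie dies with the
    browser session instead of lingering in the on-disk cookie store.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["domain"] = domain
    morsel["secure"] = True      # never sent over plain http://
    morsel["httponly"] = True    # not readable from document.cookie
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict):
    """Lifetime implied by Max-Age or Expires, or None for a session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - datetime.now(timezone.utc)
    return None


def audit_set_cookie(header: str, max_lifetime=timedelta(days=1)) -> list:
    """Findings for a session cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by injected script")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite, sent on cross-site requests")
    lifetime = cookie_lifetime(attrs)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"{name}: persistent for {lifetime}, longer than {max_lifetime}")
    return findings


if __name__ == "__main__":
    for h in (WEAK_SET_COOKIE, HARDENED_SET_COOKIE):
        print(h, "->", audit_set_cookie(h) or "ok")
    print(build_session_cookie("PHPSESSID", "abc123", "example.com"))
```

A session cookie with Expires or Max-Age is persistent (the slide's IE cache path and Chrome's sqlite store are where it ends up), so the audit treats a long lifetime on a session ID as a finding rather than a feature.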


Cookie - continue


HTTP/1.1 vs HTTP/2

▰ HTTP/1.1

▻ HTTP header fields: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

▰ HTTP/2

▻ Binary data

▻ Asynchronous

▻ Compressed

▻ and …

▰ HTTPS


Common Vulnerability


Injection

▰ Critical / High Vulnerability

▰ SQL Injection

▰ Command Injection

▰ LDAP Injection

▰ OS Injection/shell

▰ XPath Injection

▰ …


Injection

SELECT * FROM employee WHERE userid='112' AND password='aaa'

SELECT * FROM employee WHERE userid='112' AND password='aaa' OR '1'='1'


Injection

▰ Critical / High Vulnerability


Prevent Injection Attack

▰ Input Validation

▰ Escape Special Characters

▰ White List

▰ Black List
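The employee query from the Injection slide and the prevention list above fit in one runnable demonstration. The following Python is an added example, not code from the workshop: it builds the slide's query both ways against an in-memory SQLite table with one constructed row, so the reader can see the string-built version accept the `OR '1'='1'` value while the parameterised version does not, and adds the whitelist input validation the slide recommends. Table contents and the regular expression are assumptions for the demo.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory employee table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO employee VALUES ('112', 'aaa', 'demo user')")
    conn.commit()
    return conn


def login_vulnerable(conn, userid: str, password: str) -> list:
    """Builds the slide's query by string formatting: input becomes SQL."""
    query = (f"SELECT * FROM employee WHERE userid='{userid}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, userid: str, password: str) -> list:
    """Parameterised query: the driver sends values separately from the SQL,
    so quotes inside the input can never change the statement's structure."""
    query = "SELECT * FROM employee WHERE userid=? AND password=?"
    return conn.execute(query, (userid, password)).fetchall()


def valid_userid(userid: str) -> bool:
    """Whitelist validation for the userid field: digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,10}", userid) is not None


if __name__ == "__main__":
    db = setup_db()
    injected = "wrong' OR '1'='1"     # the slide's trailing OR clause
    print("vulnerable:", login_vulnerable(db, "112", injected))   # returns the row
    print("safe      :", login_safe(db, "112", injected))         # returns []
    print("valid id  :", valid_userid("112"), valid_userid(injected))
```

Escaping special characters (the second bullet) is the weaker of the two fixes: it depends on getting every character right for the specific database, whereas a parameterised query removes the problem by construction. Whitelist validation is still worth doing on top, because it rejects junk before it reaches any query.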


Broken Authentication

▰ High Vulnerability

▰ State:

▰ Cookie in Client Side

▰ Session in Server Side

▰ Session Hijacking:

▻ Packet Sniffing

▻ Proxy / HTTP Referer log

Broken Authentication

▰ Vulnerable:

▰ User credentials not protected with hashing & encryption

▰ Ex: user id, user name, … >>> ali13980730

▰ Session ID guessable

▰ Session ID exposed in URL

▰ Session ID sent over HTTP (unencrypted connection)

▰ Sessions do not expire (no timeout)

Prevent Broken Authentication

▰ Multi-factor authentication

▰ Password checking

▰ Limit failed logins

▰ Session timeout
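The previous two slides list the weaknesses (guessable session IDs, unhashed credentials, sessions that never expire) and this one lists the controls. The following Python is an added example for this transcript, not workshop code: a small authentication store that hashes passwords with a salted key-derivation function, locks an account after repeated failures, issues session IDs from a cryptographic random source and expires idle sessions. The policy numbers, the user data and the injectable clock are constructed for the demo so the timeouts can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

# Policy values are constructed for this example.
MAX_FAILED_LOGINS = 5            # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60        # how long a locked account stays locked
SESSION_IDLE_SECONDS = 30 * 60   # idle timeout for a session ID


class FakeClock:
    """Controllable clock so lockout and timeout can be tested without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; scrypt or Argon2 are preferable where available."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failed count, locked-until time)
        self.sessions = {}   # session id -> (username, last activity time)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        _, locked_until = self.failures.get(username, (0, 0.0))
        return self.clock() < locked_until

    def login(self, username: str, password: str):
        """Return a fresh session ID on success, None on failure or lockout."""
        now = self.clock()
        if self.is_locked(username):
            return None
        record = self.users.get(username)
        ok = False
        if record is not None:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt), digest)
        if not ok:
            count, _ = self.failures.get(username, (0, 0.0))
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_LOGINS else 0.0
            self.failures[username] = (count, locked_until)
            return None
        self.failures.pop(username, None)
        session_id = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self.sessions[session_id] = (username, now)
        return session_id

    def session_user(self, session_id: str):
        """Username for a live session, or None once it has idled out."""
        record = self.sessions.get(session_id)
        if record is None:
            return None
        username, last_seen = record
        now = self.clock()
        if now - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[session_id]
            return None
        self.sessions[session_id] = (username, now)
        return username
```

Two details carry the security: the session ID comes from `secrets`, never from a counter or a hash of the username and date (the slide's ali13980730 pattern), and the password comparison uses `hmac.compare_digest` so a wrong guess fails in constant time. A lockout counter on its own also creates a denial-of-service lever against a known username, so production systems usually pair it with per-IP rate limiting or a CAPTCHA rather than a hard lock alone.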


XSS

▰ High Vulnerability

▰ Types of XSS

▰ Reflected

▰ Stored XSS

▰ DOM-Based


Prevent XSS Attack

▰ Input Validation

▰ Escape Special Characters

▰ White list
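The three prevention bullets above are easiest to see side by side with the bug they fix. The following Python is an added example, not code from the workshop: a template that pastes a comment into the page verbatim, the same template with context-aware escaping (HTML text, a quoted attribute, and a URL query string, which each need a different encoding), and a whitelist validator. The sample inputs are constructed and use the harmless `alert(1)` marker that testers conventionally use.

```python
import html
import re
from urllib.parse import quote

# Constructed untrusted inputs: what a visitor might type into a comment form.
SAMPLE_COMMENT = "<script>alert(1)</script> nice post"
SAMPLE_ATTRIBUTE = '" onmouseover="alert(1)'


def render_vulnerable(comment: str) -> str:
    """Stored/reflected XSS: the comment is pasted into the page verbatim."""
    return f'<p class="comment">{comment}</p>'


def render_html_body(comment: str) -> str:
    """Same template, with the value escaped for an HTML text context."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Escaping for a quoted attribute: the quotes must become entities too,
    otherwise the input can close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_link(term: str) -> str:
    """A value placed in a URL query string is percent-encoded, not HTML-escaped."""
    return f'<a href="/search?q={quote(term, safe="")}">search</a>'


def valid_username(name: str) -> bool:
    """Whitelist validation: accept only what the field legitimately needs."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_COMMENT))    # script tag reaches the browser
    print(render_html_body(SAMPLE_COMMENT))     # rendered as visible text
    print(render_attribute(SAMPLE_ATTRIBUTE))   # stays inside the value
    print(render_link("a b&c"))
```

Escaping is per output context, which is why "escape special characters" on the slide is not a single function call: a value that is safe inside a text node is not automatically safe inside an attribute, a URL, or a script block. Validation on input narrows what can arrive, but output encoding is the control that actually stops the script from running.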


Open Redirect

▰ Medium Vulnerability

▰ http://shaprak.ir?url=shaaprak.com

▰ Used for phishing

▰ Run malicious script

▰ Session hijacking


Prevent Open Redirect

▰ Create/use a whitelist

▻ http://example.com/?url=http://[email protected]

▻ http://example.com/?url=ubcert.ir&url=attacker.com

▻ http://www.ubcert.ir/http://www.attacker.com/

▰ ASP.NET:

➢ Url.IsLocalUrl()

▰ PHP:

➢ Reject values starting with http: or https:
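The three URLs above are the classic ways a weak whitelist is bypassed: user-info before an `@`, a repeated parameter, and an allowed host used as a prefix. The following Python is an added example written for this transcript, not workshop code and not the ASP.NET or PHP helper: it validates a redirect target by parsing the host properly instead of matching substrings, refuses a repeated `url` parameter outright, and falls back to a safe default. The allow list and the `.example` hosts in the test values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow list: the only hosts this site may redirect to.
ALLOWED_HOSTS = {"ubcert.ir", "www.ubcert.ir"}


def naive_check(target: str) -> bool:
    """The kind of check the slide's bypasses defeat: a substring match."""
    return "ubcert.ir" in target


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only local paths or absolute http(s) URLs to an allowed host."""
    if not target:
        return False
    target = target.strip()
    # Backslashes and control characters are parsed differently by browsers
    # than by urlsplit, so refuse rather than guess.
    if any(c in target for c in "\\\r\n\t "):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False           # javascript:, data:, and friends
        if "@" in parts.netloc:
            return False           # http://allowed@other: the userinfo trick
        return parts.hostname in allowed_hosts
    if target.startswith("//") or parts.netloc:
        return False               # protocol-relative //other.example
    return target.startswith("/")  # plain local path


def redirect_target(query_string: str):
    """Pick the url parameter, refusing ambiguous repeated parameters."""
    values = parse_qs(query_string, keep_blank_values=True).get("url", [])
    if len(values) != 1:
        return None
    return values[0]


def resolve_redirect(query_string: str, default: str = "/") -> str:
    """Location to send the user to: the validated target or the default."""
    target = redirect_target(query_string)
    return target if target and is_safe_redirect(target) else default


if __name__ == "__main__":
    for q in ("url=/account", "url=https://www.ubcert.ir/login",
              "url=http://ubcert.ir@attacker.example/",
              "url=ubcert.ir&url=attacker.example", "url=//attacker.example/"):
        print(f"{q:45} -> {resolve_redirect(q)}")
```

The parsed hostname of `http://ubcert.ir@attacker.example/` is `attacker.example`, which is why the naive substring check passes it and the parsing check does not. `http://www.ubcert.ir/http://www.attacker.example/` is accepted because its host really is the allowed one; the path is just a path. The simplest policy of all is the PHP bullet on the slide: accept only relative paths and never an absolute URL, which is what `is_safe_redirect` does when the allow list is empty.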


Using Components with known vulnerabilities

▰ Medium/High Vulnerability

▰ Component with vulnerability

▻ WordPress plugins

▻ CMS such as Drupal, Joomla, …

▻ .NET components

▻ PHP frameworks

▻ and …

Google Dork – Wordpress Deface


▰ GHDB

▻ https://www.exploit-db.com/google-hacking-database

▰ Wordpress Deface:

▻ Formcraft Plugin


Prevent Components Vulnerabilities

▰ Identify component version

▰ Upgrade CMS

▰ Update plugins

▰ Update jQuery plugins

CSRF

▰ Medium Vulnerability

▰ User must be logged in

▰ Attacker forges a request as a trusted user/admin

Prevent CSRF

▰ Use the POST method

▰ Use a token tied to the session

▰ Get confirmation
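The three bullets above combine into one request handler. The following Python is an added example for this transcript, not workshop code: a per-session anti-CSRF token (a random nonce bound to the session ID with an HMAC, so a token issued to one session is worthless in another), verified with a constant-time comparison, and a state-changing handler that rejects anything other than a POST carrying a valid token. The secret key, session IDs and form data are constructed for the demo; a real server keeps the key in configuration, not generated at start-up.

```python
import hashlib
import hmac
import secrets

# Constructed for the demo; a real deployment loads a persistent server secret.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Random nonce plus an HMAC that binds it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_csrf_token(session_id: str, token) -> bool:
    """True only if the token was issued for session_id and is untampered."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(method: str, session_id: str, form: dict) -> int:
    """State-changing endpoint. Returns the HTTP status it would answer with:
    405 for a non-POST (a GET link in an email must not trigger it),
    403 for a missing or wrong token, 200 when the request is accepted."""
    if method != "POST":
        return 405
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    if form.get("confirm") != "yes":
        return 400   # the "get confirmation" step: an explicit confirm field
    return 200


if __name__ == "__main__":
    sid = "session-A"                      # constructed session identifier
    token = issue_csrf_token(sid)
    print("GET  ->", handle_transfer("GET", sid, {"csrf_token": token, "confirm": "yes"}))
    print("POST, no token ->", handle_transfer("POST", sid, {"confirm": "yes"}))
    print("POST, other session's token ->",
          handle_transfer("POST", "session-B", {"csrf_token": token, "confirm": "yes"}))
    print("POST, valid ->", handle_transfer("POST", sid, {"csrf_token": token, "confirm": "yes"}))
```

Requiring POST alone does not stop CSRF (a hidden form on the attacker's page can POST), which is why the token is the real control; the method check is there so that no state change can be triggered by a plain link. The Secure/HttpOnly/SameSite cookie attributes from the cookie slide complement this: with SameSite set, the session cookie is not even sent on the forged cross-site request.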


Sensitive Data Exposure

▰ Low/Medium Vulnerability

▰ Information in Database

▰ Personal data

▰ Weak cipher

▰ Encrypt sensitive data

▰ Strong cipher


Information Gathering


Subdomains


▰ Sublist3r

▻ https://github.com/aboul3la/Sublist3r


whatweb

> whatweb -v ubcert.ir

Robots.txt


▰ robots.txt

▻ http://example.com/robots.txt


THANKS! Any questions?