Checklist
Siddharth Anbalahan
Senior Security Engineer
Agenda
HTTP Basics
Web Application Security Testing tool
Our Experiences
Security Testing Checklist
Author Bio
Siddharth Anbalahan, Senior Security Engineer, Paladion
HTTP Basics
(Diagram: browser and Web server exchanging HTTP requests and responses)
HTTP Basics - Contd
HTTP is stateless
The protocol keeps no state between user and server: one request is not tied to the next
Each request is discrete
For a new request, the server has no way of knowing whether it is related to the previous request
2 main request types
GET, e.g. when you click on a link; the parameters travel in the URL
  GET /AccountSummary?account=33445224566&type=credit_card
POST, e.g. when you submit a form; the parameters travel in the request body
Cookies
Non-persistent (session) cookies are stored only in the browser's memory and are lost when the browser is closed; persistent cookies are written to disk with an expiry date
HTTP Basics Contd
User Sessions
Managed and identified by a unique session token
Assigned by the server when the user logs in
Sent by the browser with every HTTP request
HTTP Basics Contd
The session token is sent in one of the following ways
In the GET/POST request as a variable
  GET /ViewAccountSummary.asp?Sessionid=344475524855699&accountnum=344
  POST /ChangePassword.asp
  Host: www.site.com

  sessionid=445566229530554333203&oldpass=sangita&newpass=pakala
In the Cookie header of the GET/POST request
  POST /TransferFunds.asp
  Host: www.bank.com
  Cookie: ASPSessionID=3444755248556935589933204105399

  FromAcct=34455334&ToAcct=62452135&Amount=1000
A token carried in the URL is exposed in browser history, proxy and server logs and the Referer header of any outbound link; a cookie avoids these leaks
Web Application Security Testing Tool
Web Proxy Editor
A tool that sits between the browser and the web server and intercepts the HTTP traffic between them
Requests and responses can be viewed and modified before they are forwarded to the server (or back to the browser)
SQL Injection
Probably the most notorious attack on applications
Relies on manipulating SQL queries that the application constructs from user input
Expected input to http://target.site/login.jsp:
  username: abc
  password: test123
The unexpected input:
  username: abc'; --
  password: (empty)
Result: Login Successful. The quote closes the username literal and the comment sequence -- discards the rest of the query, so the password clause is never evaluated
(Diagram: malicious user submits the unexpected input to the weak application)
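The login above, worked through in code. This is an added example, not code from the deck: a small in-memory SQLite table stands in for the application's user store, the vulnerable login concatenates input into the query exactly as the slide describes, and the hardened version uses a parameterised query. The user rows and the probe helper are constructed for the example; the checklist's single-quote probe (item 2) is included because it shows how the flaw is detected before it is exploited.

```python
import sqlite3

# Constructed sample data for this example (not from the deck): two accounts
# in an in-memory SQLite database standing in for the application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("abc", "test123"), ("admin", "S3cret!")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The 'weak application': dynamic SQL built by string concatenation.
    Whatever the user types becomes part of the query text."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The driver passes the values as
    data, so quotes and comment sequences in them are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def probe_single_quote(login, conn):
    """Checklist item 2: a lone single quote breaks dynamic SQL and surfaces
    as a database error. Returns the error text, or None if the input was
    handled cleanly."""
    try:
        login(conn, "'", "")
    except sqlite3.Error as exc:
        return str(exc)
    return None

def run_demo():
    """Run the slide's expected and unexpected logins against both versions."""
    conn = make_db()
    return {
        # expected input: works in both versions
        "expected_vulnerable": login_vulnerable(conn, "abc", "test123"),
        "expected_safe": login_safe(conn, "abc", "test123"),
        # the unexpected input from the slide: username abc'; -- and an empty
        # password. In the vulnerable version the query becomes
        #   ... WHERE username = 'abc'; --' AND password = ''
        # so the password check is commented out and the login succeeds.
        "bypass_vulnerable": login_vulnerable(conn, "abc'; --", ""),
        "bypass_safe": login_safe(conn, "abc'; --", ""),
        # single-quote probe: only the vulnerable version leaks a DB error
        "error_vulnerable": probe_single_quote(login_vulnerable, conn),
        "error_safe": probe_single_quote(login_safe, conn),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The parameterised version returns None for the injected username because SQLite compares the literal string abc'; -- against the column; nothing in the data is ever interpreted as query syntax.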
Web Application Vulnerabilities
Variable Manipulation
  POST /TransferFunds.jsp
  amount=100&from=34455334&to=34551231
The Challenge
Many variables to play with; target the business logic and its interesting variables
  FromAcct
  Amount
Manipulate multiple variables simultaneously, e.g. another customer's account number as the source together with an amount beyond the permitted limit
An attacker can siphon off funds, commit fraudulent transactions, or exceed or bypass business limits
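The transfer request above, replayed against a weak and a hardened server-side handler. This is an added example, not code from the deck: the account numbers come from the slide's request, the owners, balances and the transaction limit are constructed for the example, and the handlers are written to show the one decision that matters, namely whether the source account is taken from the request or bound to the logged-in user.

```python
from urllib.parse import parse_qs

# Constructed sample data (not from the deck): account number -> owner and balance.
# Customer 'A' owns 34455334 and customer 'B' owns 34551231, as in the slide's request.
def fresh_accounts():
    return {
        "34455334": {"owner": "A", "balance": 500},
        "34551231": {"owner": "B", "balance": 900},
    }

PER_TRANSACTION_LIMIT = 1000   # business limit assumed for the example

def parse_body(body):
    """Decode an application/x-www-form-urlencoded POST body into a dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def transfer_vulnerable(accounts, session_user, body):
    """The weak application: every variable in the request is trusted.
    'from' is taken from the client instead of the session, and 'amount'
    is used without any business-rule check."""
    p = parse_body(body)
    amount = int(p["amount"])
    accounts[p["from"]]["balance"] -= amount
    accounts[p["to"]]["balance"] += amount
    return "OK"

def transfer_safe(accounts, session_user, body):
    """Hardened form: the source account must belong to the logged-in user,
    and the amount is validated server-side against the business rules."""
    p = parse_body(body)
    src = accounts.get(p.get("from", ""))
    dst = accounts.get(p.get("to", ""))
    if src is None or dst is None:
        return "ERROR: unknown account"
    if src["owner"] != session_user:
        return "ERROR: source account is not owned by the logged-in user"
    try:
        amount = int(p.get("amount", ""))
    except ValueError:
        return "ERROR: amount is not a whole number"
    if amount <= 0 or amount > PER_TRANSACTION_LIMIT:
        return "ERROR: amount outside the permitted range"
    if amount > src["balance"]:
        return "ERROR: insufficient funds"
    src["balance"] -= amount
    dst["balance"] += amount
    return "OK"

def run_scenarios(transfer):
    """Replay the slide's request and three tampered variants, all as user 'A'."""
    results = {}
    accounts = fresh_accounts()
    # the legitimate request from the slide
    results["legit"] = transfer(accounts, "A", "amount=100&from=34455334&to=34551231")
    # tamper 'from': move B's money into A's account
    results["tamper_from"] = transfer(accounts, "A", "amount=100&from=34551231&to=34455334")
    # tamper 'amount' with a negative value: pulls money back out of 'to'
    results["negative_amount"] = transfer(accounts, "A", "amount=-300&from=34455334&to=34551231")
    # tamper 'amount' past the business limit
    results["over_limit"] = transfer(accounts, "A", "amount=5000&from=34455334&to=34551231")
    results["balance_A"] = accounts["34455334"]["balance"]
    results["balance_B"] = accounts["34551231"]["balance"]
    return results

if __name__ == "__main__":
    print("vulnerable:", run_scenarios(transfer_vulnerable))
    print("safe:      ", run_scenarios(transfer_safe))
```

Against the vulnerable handler every tampered request returns OK and A's balance ends up at -4200; the hardened handler accepts only the legitimate transfer, and the same three tampered requests are the test cases for checklist item 5.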
Web Application Vulnerabilities
Sensitive data in source code
Change-password page: JavaScript that stores the user's current and previous passwords and validates the new password against them in the browser
  validatepass('shakti456','shakti123')
Registration page: JavaScript that stores all usernames of the application
Anyone who views the page source sees these values
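A source-code check for the two cases above. This is an added example, not code from the deck: the HTML page is constructed for the example (the validatepass call is the slide's, the username list, the comment and the script path are invented), and the patterns are heuristics a tester would refine for the application at hand.

```python
import re

# Constructed HTML (not the deck's): an inline script carrying the slide's
# validatepass(...) call, a username list, a leftover developer comment and
# an external script reference. Names and paths are illustrative.
SAMPLE_HTML = """<html>
<head>
<!-- TODO remove before go-live: test login is sangita / pakala -->
<script type="text/javascript">
  function checkNew(newpass) {
    return validatepass('shakti456', 'shakti123');
  }
  var existingUsers = ["sangita", "pakala", "shakti", "admin"];
</script>
<script src="/js/common.js"></script>
</head>
<body><form><input type="password" name="newpass"></form></body>
</html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# a call to a function whose name mentions pass/pwd/secret, with a quoted argument
PASS_CALL_RE = re.compile(r"\b(\w*(?:pass|pwd|secret)\w*)\s*\(([^)]*['\"][^)]*)\)", re.I)
# a JavaScript array literal of three or more quoted strings
STRING_LIST_RE = re.compile(r"\[\s*(?:['\"][^'\"]+['\"]\s*,\s*){2,}['\"][^'\"]+['\"]\s*\]")
SENSITIVE_WORD_RE = re.compile(r"pass|pwd|login|user|key|secret", re.I)

def line_of(text, offset):
    return text.count("\n", 0, offset) + 1

def find_sensitive_data(html):
    """Return a sorted list of (line, kind, snippet) findings for a page's source."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body, base = m.group(1), m.start(1)
        for c in PASS_CALL_RE.finditer(body):
            findings.append((line_of(html, base + c.start()),
                             "password literal in script", c.group(0).strip()))
        for c in STRING_LIST_RE.finditer(body):
            findings.append((line_of(html, base + c.start()),
                             "string list in script (user names?)", c.group(0)))
    for m in COMMENT_RE.finditer(html):
        if SENSITIVE_WORD_RE.search(m.group(1)):
            findings.append((line_of(html, m.start()),
                             "HTML comment mentions credentials", m.group(1).strip()))
    for m in SRC_RE.finditer(html):
        # external scripts are not scanned here; list them so the tester fetches them
        findings.append((line_of(html, m.start()),
                         "external script to review", m.group(1)))
    return sorted(findings)

def finding_kinds(html):
    """The distinct kinds of finding, handy as a pass/fail summary."""
    return sorted({kind for _, kind, _ in find_sensitive_data(html)})

if __name__ == "__main__":
    for line, kind, snippet in find_sensitive_data(SAMPLE_HTML):
        print(f"line {line}: {kind}: {snippet}")
```

The same scan answers checklist item 7 ("HTML view source has sensitive data? Hard coded secrets in JavaScript?"); run it over every page the proxy has seen, including the external scripts it lists.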
Web Application Vulnerabilities
Cross-Site Scripting (XSS)
(Diagram: the user, logged in to the banking application at http://bank.com/login/, clicks a malicious link such as
  http://bank.com/account.jsp?<SCRIPT>Send cookie to attacker.com
The application reflects the script, it is executed in the user's browser, and the banking session cookie is sent over the Internet to attacker.com)
XSS - Vulnerable Targets
User forums
Chat rooms
Mail or messaging facilities
Online bulletin boards
Anything that reflects a user's input back without validation or output encoding
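The reflected and stored cases above, with the fix beside each. This is an added example, not code from the deck: the render functions simulate server-side page generation, the Forum class stands in for the "user forum" target, and the attribute-context probe is added to show that escaping only <, > and & is not enough everywhere. The first probe is the checklist's own payload (item 3).

```python
import html

# Probes a tester would submit. The first is the deck's checklist payload;
# the second targets an attribute value and is constructed for this example.
SCRIPT_PROBE = '<script>alert("XSS")</script>'
ATTRIBUTE_PROBE = '" onfocus="alert(1)" autofocus="'

def render_vulnerable(user_input):
    """Reflects the input straight back into the page body."""
    return "<p>You searched for: " + user_input + "</p>"

def render_body_escaped(user_input):
    """Escapes <, > and & only: sufficient for text between tags."""
    return "<p>You searched for: " + html.escape(user_input, quote=False) + "</p>"

def render_attr_vulnerable(user_input):
    """Echoes the input into an attribute value. Escaping <, > and & is not
    enough here: a double quote closes the attribute and the attacker can add
    an event handler such as onfocus."""
    return '<input name="q" value="' + html.escape(user_input, quote=False) + '">'

def render_attr_escaped(user_input):
    """Also escapes quotes (html.escape's default), so the value cannot break out."""
    return '<input name="q" value="' + html.escape(user_input, quote=True) + '">'

def reflects_probe(render, probe):
    """Checklist item 3 as a test: is the payload echoed back byte-for-byte?"""
    return probe in render(probe)

class Forum:
    """A stored-XSS target (the deck's 'user forums'): a post by one user is
    rendered for every other user who later views the thread."""
    def __init__(self, escape_output):
        self.posts = []
        self.escape_output = escape_output

    def post(self, author, text):
        self.posts.append((author, text))   # stored as typed, validation or not

    def render_for(self, viewer):
        out = []
        for author, text in self.posts:
            if self.escape_output:            # encode at output time, for every viewer
                text = html.escape(text)
            out.append(f"<div class='post'><b>{html.escape(author)}</b>: {text}</div>")
        return "\n".join(out)

def stored_xss_reaches_other_user(escape_output):
    """Attacker posts the probe; does a second user receive it executable?"""
    forum = Forum(escape_output)
    forum.post("attacker", SCRIPT_PROBE)
    return SCRIPT_PROBE in forum.render_for("victim")

if __name__ == "__main__":
    print("reflected, body, vulnerable:", reflects_probe(render_vulnerable, SCRIPT_PROBE))
    print("reflected, body, escaped:   ", reflects_probe(render_body_escaped, SCRIPT_PROBE))
    print("reflected, attr, vulnerable:", reflects_probe(render_attr_vulnerable, ATTRIBUTE_PROBE))
    print("reflected, attr, escaped:   ", reflects_probe(render_attr_escaped, ATTRIBUTE_PROBE))
    print("stored, forum, unescaped:   ", stored_xss_reaches_other_user(False))
    print("stored, forum, escaped:     ", stored_xss_reaches_other_user(True))
```

The point of the attribute case is that the correct encoding depends on where the application places the input; a tester who sees < and > encoded should still try quote and event-handler payloads in attribute positions.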
Web Application Vulnerabilities
Autocomplete feature
Users may inadvertently save passwords when the browser prompts them to do so
The feature is known as "AutoComplete" in IE and "Remember Passwords" in Firefox
A local attacker with access to the user's profile can recover the saved passwords from the browser's store
Countermeasure: mark login and change-password fields autocomplete="off" so the browser never offers to save them
Browser Refresh
Refresh resubmits the last request to the server: headers, variables, form fields, the works
If the login POST (Login ID + password) is answered directly with www.website.com/Welcomepage.jsp, pressing Refresh (or Back and then Forward) on the welcome page re-sends the credentials, where they can be intercepted again in the proxy
A local attacker at the user's machine can thus recover the passwords of users of the application
Countermeasure: answer the login POST with a redirect to the welcome page so that a refresh only repeats a GET
Browser Cache
A local store to improve performance
  The Temporary Internet Files folder in IE
  The profile's Application Data folder in Firefox
Pages accessed over HTTPS also get cached in the local store unless the server forbids it
In IE these pages are stored in
  C:\Documents and Settings\username\Local Settings\Temporary Internet Files\
and in Firefox in
  C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\5rrn80xr.default\Cache
Open the application's cached pages in Notepad: a local attacker can read account activities, transaction details and secrets of an application user
Countermeasure: send Cache-Control: no-store (and Pragma: no-cache for older caches) on every page that carries sensitive data
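One check that covers the three client-side issues above (autocomplete, refresh resubmission, cache). This is an added example, not code from the deck: it audits a raw HTTP response as captured in the proxy, and the two sample responses are constructed for the example (the change-password form reuses the slide's field names; the hardened headers are the standard ones, not something the deck specifies).

```python
import re

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body); header names lowercased."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

PASSWORD_INPUT_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*['\"]?password['\"]?[^>]*>", re.I)
AUTOCOMPLETE_OFF_RE = re.compile(r"\bautocomplete\s*=\s*['\"]?off\b", re.I)
FORM_RE = re.compile(r"<form\b[^>]*>", re.I)

def audit_response(request_method, raw_response, over_https=True):
    """Return the findings for one response (an empty list passes these checks)."""
    status, headers, body = parse_response(raw_response)
    findings = []

    # Browser cache: HTTPS pages are cached too unless the server forbids it.
    cache_control = ",".join(headers.get("cache-control", [])).lower()
    if over_https and "no-store" not in cache_control:
        findings.append("Cache-Control lacks no-store: page will be written to the browser cache")
    if over_https and "no-cache" not in ",".join(headers.get("pragma", [])).lower():
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches ignore Cache-Control)")

    # Autocomplete: password fields the browser may offer to remember.
    forms_off = any(AUTOCOMPLETE_OFF_RE.search(f.group(0)) for f in FORM_RE.finditer(body))
    for m in PASSWORD_INPUT_RE.finditer(body):
        if not forms_off and not AUTOCOMPLETE_OFF_RE.search(m.group(0)):
            findings.append("password field without autocomplete=off: " + m.group(0))

    # Browser refresh: a login POST answered with a page (200) instead of a
    # redirect is resubmitted, credentials included, when the user presses Refresh.
    if request_method.upper() == "POST" and status == 200 and body.strip():
        findings.append("POST answered with 200 and content: Refresh resubmits the credentials; redirect instead")
    return findings

# Constructed responses for this example (not captured from any real site).
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Welcome</h1>"
    "<form action='/ChangePassword.asp' method='post'>"
    "<input type='password' name='oldpass'><input type='password' name='newpass'>"
    "</form></body></html>"
)
HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /Welcomepage.jsp\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)
HARDENED_CHANGE_PASSWORD_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html><body><form action='/ChangePassword.asp' method='post' autocomplete='off'>"
    "<input type='password' name='oldpass'><input type='password' name='newpass'>"
    "</form></body></html>"
)

if __name__ == "__main__":
    for finding in audit_response("POST", WEAK_LOGIN_RESPONSE):
        print("weak login response:", finding)
    print("hardened login response:", audit_response("POST", HARDENED_LOGIN_RESPONSE))
    print("hardened change-password page:", audit_response("GET", HARDENED_CHANGE_PASSWORD_PAGE))
```

The weak response draws five findings: two missing cache headers, two password fields the browser may save, and a login POST that Refresh would replay. The hardened responses draw none; together they cover checklist item 1 and the cache question in item 7.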
Security Testing Checklist
The Checklist
1. Authentication
Back/Refresh on the login and change-password pages resubmits credentials?
Autocomplete feature active on password fields?
2. SQL Injection
Are dynamic SQL queries used by the application?
Inject single quotes (') to generate DB errors
3. XSS
Are there input pages whose content is displayed to other users?
Inject JavaScript: <script>alert("XSS")</script>
The Checklist contd
4. Weak Session Tracking
Session token – random?
Session token – expires on logout?
Session token – times out on inactivity?
Session token – issued new on login?
Session token – sent over SSL only?
5. Variable Manipulation
Possible to log in as 'A' and commit transactions on behalf of 'B' using data of 'B'?
Can client-side validation be bypassed?
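Checks for item 4, tied back to the HTTP Basics slides on how the token travels (URL variable versus cookie). This is an added example, not code from the deck: the two requests are the slide's own shapes, the sequential tokens extend the slide's Sessionid value and the random tokens are hand-written hex values, all constructed for the example; the entropy threshold is a rule of thumb, not a standard.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

TOKEN_NAME_RE = re.compile(r"sess|sid|token", re.I)   # names that usually carry a session token

def locate_tokens(raw_request):
    """Report where session-looking parameters travel in a raw HTTP request:
    'url', 'body' or 'cookie'. Anything in the URL or body ends up in browser
    history, proxy and server logs and Referer headers."""
    raw = raw_request.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip().split("\n")
    target = lines[0].split()[1]
    cookie_header = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie_header = value.strip()
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TOKEN_NAME_RE.search(name):
            found.append(("url", name, value))
    for name, value in parse_qsl(body.strip(), keep_blank_values=True):
        if TOKEN_NAME_RE.search(name):
            found.append(("body", name, value))
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and TOKEN_NAME_RE.search(name):
            found.append(("cookie", name, value))
    return found

def missing_cookie_flags(set_cookie):
    """Checklist: the token should travel over SSL only (Secure) and be out of
    reach of page scripts (HttpOnly). Returns the flags that are missing."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return sorted(flag for flag in ("httponly", "secure") if flag not in attrs)

def token_quality(tokens):
    """Checklist: are tokens random? Flags duplicates, tokens that increment
    predictably and low per-character entropy. Empty list = nothing obvious."""
    problems = []
    if len(set(tokens)) != len(tokens):
        problems.append("duplicate tokens issued")
    if len(tokens) > 1 and all(t.isdigit() for t in tokens):
        deltas = [int(b) - int(a) for a, b in zip(tokens, tokens[1:])]
        if all(0 < d < 1000 for d in deltas):
            problems.append("tokens increment predictably")
    blob = "".join(tokens)
    entropy = -sum((blob.count(c) / len(blob)) * math.log2(blob.count(c) / len(blob))
                   for c in set(blob))
    if entropy < 3.0:          # decimal digits max out at 3.32 bits, hex at 4
        problems.append(f"low per-character entropy ({entropy:.2f} bits)")
    return problems

# Constructed samples (not captured traffic): the deck's two request shapes,
# five tokens issued by consecutive logins to a weak application, and five
# 128-bit hex tokens as a server with a proper CSPRNG would issue them.
URL_TOKEN_REQUEST = (
    "GET /ViewAccountSummary.asp?Sessionid=344475524855699&accountnum=344 HTTP/1.1\r\n"
    "Host: www.site.com\r\n\r\n")
COOKIE_TOKEN_REQUEST = (
    "POST /TransferFunds.asp HTTP/1.1\r\n"
    "Host: www.bank.com\r\n"
    "Cookie: ASPSessionID=3444755248556935589933204105399\r\n\r\n"
    "FromAcct=34455334&ToAcct=62452135&Amount=1000")
SEQUENTIAL_TOKENS = ["344475524855699", "344475524855700", "344475524855701",
                     "344475524855702", "344475524855703"]
RANDOM_TOKENS = ["9f3a7c21e04b8d6a5f1c2e7b3d904a6e", "2b7e4d10c9a5f836e1d0b4c7a92f5e38",
                 "e6c10a49f27b3d85c0e9a1b6d4f37c52", "41d8b5f0a36c9e27f5b2d0c84a9e1763",
                 "c7a2e9d48f013b6e5d9c7a20b4f18e35"]

if __name__ == "__main__":
    print(locate_tokens(URL_TOKEN_REQUEST))
    print(locate_tokens(COOKIE_TOKEN_REQUEST))
    print(missing_cookie_flags("ASPSessionID=3444755248556935589933204105399; Path=/"))
    print(token_quality(SEQUENTIAL_TOKENS))
    print(token_quality(RANDOM_TOKENS))
```

Collect the tokens by logging in several times through the proxy; expiry on logout and timeout on inactivity are checked by replaying an old token after each event, which these functions do not cover.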
The Checklist contd
6. Broken Access Control
Can authentication be bypassed
  With deep, unreferenced links
  With direct links to sensitive files (PDFs, XLS etc.)
Can authorization be bypassed
  By referencing administration pages directly
Can sensitive data be stolen
  By referencing default application config files
  By referencing application log files
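A forced-browsing check for item 6. This is an added example, not code from the deck: the path list follows the checklist's categories with invented file names, the HTTP client is injected so the example runs offline, and the two simulated servers stand in for a weak and a fixed application; www.site.com is the hostname from the deck's examples.

```python
import re
from urllib.parse import urljoin, urlsplit

# Paths a tester would request directly, without a session and then with a
# low-privilege one. The categories are the checklist's; the names are illustrative.
SENSITIVE_PATHS = [
    "/admin/",                   # administration pages
    "/admin/users.asp",
    "/reports/statement.pdf",    # direct link to a sensitive file
    "/web.config",               # default application config files
    "/WEB-INF/web.xml",
    "/logs/application.log",     # application log files
]

LOGIN_FORM_RE = re.compile(r"<input\b[^>]*type\s*=\s*['\"]?password", re.I)

def forced_browse(fetch, base_url, paths, session=None):
    """Request each path directly. A 200 that is not merely the login page means
    the resource is reachable without the intended navigation and checks.
    fetch(url, session) -> (status, body) is the HTTP client, injected so the
    example runs offline; in a real test it wraps the proxy or urllib."""
    reachable = []
    for path in paths:
        status, body = fetch(urljoin(base_url, path), session)
        if status == 200 and not LOGIN_FORM_RE.search(body):
            reachable.append(path)
    return reachable

# Two simulated servers standing in for the target application.
def weak_server(url, session):
    """Serves everything to everyone: access is 'controlled' only by which
    links the menu happens to show."""
    return 200, "<html><body>Contents of " + urlsplit(url).path + "</body></html>"

def fixed_server(url, session):
    """Checks the session on every request, enforces the admin role on the
    administration area and never serves config or log files."""
    path = urlsplit(url).path
    if path in ("/web.config", "/WEB-INF/web.xml", "/logs/application.log"):
        return 404, "Not Found"
    if session is None:
        return 302, "<html>redirect to /login/</html>"
    if path.startswith("/admin/") and session.get("role") != "admin":
        return 403, "Forbidden"
    return 200, "<html><body>Contents of " + path + "</body></html>"

def run_checks(fetch):
    base = "http://www.site.com"
    return {
        "unauthenticated": forced_browse(fetch, base, SENSITIVE_PATHS),
        "as_customer": forced_browse(fetch, base, SENSITIVE_PATHS,
                                     {"user": "A", "role": "customer"}),
    }

if __name__ == "__main__":
    print("weak: ", run_checks(weak_server))
    print("fixed:", run_checks(fixed_server))
```

Against the fixed server the only path a logged-in customer reaches is the statement PDF; whether that customer is entitled to that particular file is the next question (the same "login as 'A', act on 'B'" test as item 5, applied to file references).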
The Checklist contd
7. Sensitive data leaking out
HTML view source has sensitive data?
Hard-coded secrets in JavaScript?
Sensitive pages in the browser cache?
Application Security Testing: Recommended Tools
Web Proxy Editors
WebScarab (http://dawes.za.net/rogan/webscarab/)
Paros Proxy (www.parosproxy.org)
Burp Suite (www.portswigger.net/suite/)
Browser Extensions
HTML Source Code Explorer (IE 5.0 and above): www.vdberg.org/~richard/htmlbar.html
Firefox browser extensions (addons.mozilla.org)