Conducting Web Application Pentests: From Scoping to Report
For Educational Purposes Only
Web App Pen Tests
According to OWASP: a Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
About Me Security guy for over 6 years now. Currently working for a Fortune 500 company doing web application and infrastructure pentesting. Recently new father.
Tip
If you have any interest in web app pentesting, get these books!
Topics
- Why
- Tools
- OWASP Top 10
- Scoping
- What to Gather Before Starting
- Recon / Discovery
- Application Mapping
- Attacking Common Vulnerabilities
- Cleanup
- Reporting
Setting Up Browsers and Tools
- OWASP ZAP and Burp: great tools for the price (free and under $300). Lots of add-ons for both.
- Configure the browser for pentesting and web development:
  - Chrome and Firefox/Iceweasel
  - Mantra project (OWASP hacking plugins)
  - Developer Tools
Why Web App Pentest
- Perimeter security is getting better.
- Almost all companies have a web presence.
- More company transactions are being done through e-commerce sites.
- Harder to detect in a lot of cases: NIPS/NIDS don't protect well.
- Multiple attack points.
- Attackers can go after your customers, data, and reputation by abusing web apps.
- Easy for an attacker to hide.
- Compliance requirements.
Selling a Web App Pentest
- Can have a huge impact on the brand name.
- Web apps can lead to other system compromises through attack chaining.
- Internal threat agents can use internal web app vulnerabilities to gain greater access.
- A web app pentest can help identify issues with, or the lack of, an SDLC (Software Development Life Cycle).
- Identifies common build configuration issues with web servers.
- Helps drive secure coding standards within an organization.
- Provides insight into whether 3rd-party software is putting you at risk.
Don't Be Like.
Tools
- Many to choose from. Match tools to the technology.
- Web app scanners differ: some are better at detecting certain classes of issues than others. See the 2012 web application scanner benchmark: http://sectooladdict.blogspot.com/2012/07/2012-web-application-scanner-benchmark.html
- Validate findings: high false positive rates.
- Free vs. pay.
Tools Continued
- Need a good proxy with the ability to spider: Burp, OWASP ZAP, Fiddler.
- Good web vulnerability scanners: Burp, OWASP ZAP, Acunetix, W3AF.
- Most infrastructure vulnerability scanners include some web app scanning, though not good ones.
- Good decoder/encoder.
- Good web browser with plugins: FoxyProxy, Developer Tools, etc.
Hands On
- Kali Linux or BackTrack 5.
- Test environment using OWASP BWA, and DVWA specifically.
- Use ZAP, and if you have the resources you can run it through Burp.
- Don't destroy VMs for others.
- Don't hack others; stay hands-on with the virtual machines.
- Your scope is $ipaddress/dvwa: that directory and all subdirectories. Stay in scope!
Test Environment Info
- Must connect to the wireless network.
- Targets: 192.168.1.1-10
OWASP TOP 10
OWASP Top 10
- A1 Injection: LDAP, OS, SQL
- A2 Broken Authentication and Session Management: auth bypasses, cookies, session hijacking
- A3 XSS (Cross-Site Scripting): reflective, persistent (stored), DOM
- A4 Insecure Direct Object Reference: being able to access objects without proper permission.
- A5 Security Misconfiguration: tons of possibilities here.
OWASP Top 10 Continued
- A6 Sensitive Data Exposure: CC #s, personal data, valid user accounts
- A7 Missing Function Level Access Control: validate requests being submitted to the server.
- A8 Cross-Site Request Forgery: hidden iframe, clickjacking
- A9 Using Components with Known Vulnerabilities: framework version vulnerabilities.
- A10 Unvalidated Redirects and Forwards: redirecting to other pages or websites; sending the user to a malicious website.
Setting Up The Pentest
Scoping
- Pentest type? (Black, Gray, White)
- Source code review?
- Reason for the pentest? Code update. Compliance requirement.
- Identify the attack scope. (How far down the rabbit hole can you go?)
  - Demonstrate vs. fully exploit.
  - Try to set up a scope that matches that of a real threat. Usually won't get permission.
  - Attack chaining.
- What hours can the pentest be conducted during? Have had groups try to allow only 2 hours per day on a huge application.
- Is there a code freeze? Are there scheduled patches or updates during the pentest? Is there scheduled downtime?
- Production or UAT/DEV/TEST? Make sure it's a true representation of production.
Scoping Continued
- Identify the size of the application. How many: lines of code, input points, different parameters?
- Types of technology used (if not black box testing):
  - Server type (IIS, Apache, WebSphere, etc.)
  - Multiple databases?
  - 3rd-party content?
  - Flash objects?
  - Framework.
  - WSDLs? Web services? API?
- Types of functionality within the application:
  - Does the website send or receive files? WebDAV.
  - Are there any mobile components?
  - Java RMI
- How many user roles? Admin role, external user, internal user?
Questions to Ask
- Who is the primary contact for the penetration test? Someone should be available during operating hours of the pentest. This person should be able to expand scope if needed (new functionality identified, trust relationships in place that open scope to other systems).
- Who can engage developers or security people for discussions if needed?
- Possible to get a network diagram? (Identify load balancers, proxies, WAFs, etc.)
Engagement Description
- Covers what was agreed upon.
- Primary contacts (tester and business contact).
- Who gets the report.
- How often are there status updates?
- State what was agreed upon for the timeline: hours for testing, length of testing, time provided for report writing, and finally delivery day, retesting / remediation validation, exit meeting.
- Scope. Make sure to cover what is not allowed too.
- Covers potential impacts and what to do if there is one.
- If doing a contracted pentest or acting as a 3rd party, make sure all work documents are completed as well (SOW, NDA, etc.). CYA!
Grey and White Box Testing
- Make sure to gather the right info.
- Previous findings / pentest results. Sometimes retests show a lack of remediation; point that out in the final report.
- Source code if possible.
- Two user accounts per user role.
- Supporting documentation.
- Database versions and types.
- Framework versions.
- Web server version.
Starting the Pentest
Recon / Discovery
- Identify the web server and technologies in use:
  - HTTP header leakage
  - openssl s_client
  - Proxy
  - Nmap scripts, nmap -sV
  - WhatWeb, good at gathering information.
- Load balancing detection: Halberd (also included in W3AF).
- WAF detection: Waffit, http-waf-fingerprint.nse
- Known vulnerabilities?
Recon / Discovery Continued
- Directory bruteforce
- WSDL? SOAP? Web services?
- WebDAV?
- Flash?
- AJAX?
Recon / Discovery: Black Box *
- Shodan - http://www.shodanhq.com/
- Google hacking
- Bing
- Tor
- Wayback Machine
- Recon-ng
- Maltego
- ZMap (University of Michigan)
- Project Sonar (Rapid7) - https://community.rapid7.com/community/infosec/sonar/blog
* Things that do not directly connect to the client from your box.
Application Mapping
- Browse the site through the proxy.
- Build a tree for spidering.
- Identify a user workflow. How does the application work? Function dependencies.
- Gain a good understanding of the application.
- Look at the code if provided; look at the page source otherwise. Are there patterns? Comments in the code? Parameters named a specific way? The Engagement tools in Burp will pull this out.
DEMO
DVWA recon/mapping using WhatWeb, Burp and ZAP.
Authentication (A2)
- Identify how the website validates you.
- Identify if there are hidden fields that are static or unique.
- Is there data sent in the POST or GET request that is static or unique?
- Can you bypass authentication and browse directly to a page?
- Are there admin portals? Default creds?
- Are secure passwords required? * Secure might depend on company policy.
- Can the password reset portal be abused?
- Use the two accounts: if there are static values, see if you can do a horizontal privilege escalation.
COOKIES
Authentication - Cookies
- Are cookies easily decoded? Base64 encoded, IP address, time/date, etc.
- Are the HttpOnly and Secure flags set?
- How much entropy is in the cookie value?
- Does the cookie change on state change? First visit to page, successful sign-in, sign-off.
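As an added check for the cookie questions above and for the HTTP header leakage item on the Recon / Discovery slide (example code written for this page, not from the original talk), the following Python parses a constructed sample response, flags version-disclosing headers, reports cookies missing HttpOnly or Secure, decodes values that are really Base64-encoded text, and estimates the entropy of each cookie value. The LEAKY_HEADERS list and the sample response are assumptions for the demo.

```python
import base64
import math

SAMPLE_RESPONSE = (  # constructed sample for illustration, not captured from a real host
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Set-Cookie: PHPSESSID=MTkyLjE2OC4xLjU6MjAxNC0wMS0wMQ==; path=/\r\n"
    "Set-Cookie: security=low; path=/; HttpOnly; Secure\r\n\r\n"
)
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")  # version disclosure

def parse_headers(raw):
    pairs = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # header block, minus status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def shannon_entropy(value):
    """Bits per character; a low value hints at a structured, guessable token."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def base64_plaintext(value):
    """Decoded text if the value base64-decodes to printable ASCII, else None."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.decode() if decoded and all(32 <= b < 127 for b in decoded) else None

def audit(raw):
    """List technology-leaking headers and cookies missing flags or carrying decodable values."""
    findings = []
    for name, value in parse_headers(raw):
        if name in LEAKY_HEADERS:
            findings.append(f"header leak: {name}: {value}")
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cname, _, cval = parts[0].partition("=")
            attrs = {p.lower() for p in parts[1:]}
            for flag in ("HttpOnly", "Secure"):
                if flag.lower() not in attrs:
                    findings.append(f"cookie {cname}: missing {flag}")
            if (plain := base64_plaintext(cval)) is not None:
                findings.append(f"cookie {cname}: base64-decodes to {plain}")
            findings.append(f"cookie {cname}: entropy {shannon_entropy(cval):.2f} bits/char")
    return findings
```

Run it against a response saved from the proxy (call audit() on the raw text) and each line of the result maps directly onto one of the cookie questions above.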
A1 - Injection
SQLi (A1 - Injection)
- Usually start with providing a single quote (') as user input and check for errors or unexpected returned data.
- Identify where user input might be included in a query.
- Scanners can be decent at detection.
- Can lead to complete system compromise, not just data.
Blind SQLi
- Return might not be to the UI.
- Time based, content based.
OS Command Injection
- Does it seem to use OS commands to run queries or provide function?
- Try submitting characters such as & and ; and look for results.
A1 Injection Continued
- LDAP injection: inject &, *, (, ), [, ], !,
DEMO
SQL injection with the ZAP fuzzer. SQLMap.
A3 - XSS / Cross-Site Scripting
- Injecting code.
- Can own a website with it, contrary to what developers will argue.
- Attack chaining.
- Cookie stealing.
- Reflective vs. stored.
- BeEF Framework + Metasploit = Fun
BeEF and Metasploit
- In beef/config.yaml, enable Metasploit support. Kali dir: /usr/share/beef-xss.
- Set the MSGRPC password in beef/extensions/metasploit/config.yaml.
- Start Metasploit and run: load msgrpc ServerHost=127.0.0.1 Pass=abc123
  * Example only, but the default BeEF config setting.
Beef and Metasploit
Beef Exploitation
BeEF Multiple Exploitation Paths
- Java applet / key logger
- Malicious redirects (A10)
- Cookie stealing
- Browser exploitation through Metasploit
- PowerShell download and execute
Cleanup
- Delete any persistent XSS you've created. You can always reproduce it if necessary. Already have screenshots, right?
- Delete any additional things you've created unless they want evidence.
- Notify the customer that they can remove test accounts unless they want to keep them available for remediation testing.
The Report
- The most important piece of the pentest. This is what adds value and will help towards remediation and risk reduction.
- Customize to the technologies and the client.
- Include detailed remediation options and links.
- Include screenshots and URLs for findings.
- Err on the side of more detail.
- Customers might not always read and comprehend the report. Expect to have to explain.
Finding Example
Finding: SQL Injection
Risk Rating: Critical
Business Impact: SQL injection attacks can affect all security aspects of a web application. Data integrity, availability, and confidentiality can all be impacted. It was possible to extract all the information from the database and to extract password hashes of valid users. With the access level obtained during the penetration test, it would also be possible to change or modify stored data.
Steps to Reproduce:
1. Log in to the application at http://ipaddress/dvwa using the provided accounts.
2. Click on the SQL Injection page at http://ipaddress/dvwa/vulnerabilities/sqli/
3. Input a single quote (') and notice the SQL syntax error caused by the user input.
Finding Example Continued
Expected Outcome: User input is properly escaped and validated. Parameterized queries are used for any user input that goes into SQL queries.
Actual Outcome: User input is not properly escaped or validated by the application. By injecting a single quote (') into the input field it was possible to detect a SQL injection. It was possible to use the SQL injection to enumerate all data within the database, including usernames and password hashes.
Finding Example Continued
Remediation: Implement PHP Data Objects (PDO) and use prepared statements, also known as parameterized queries, for database queries. This prevents malicious user input from being used directly in the query itself. In addition, make sure to implement system hardening and the recommended security settings for MySQL.
Example of PHP parameterized query:
<?php
// $dbh is an existing PDO connection; the user value is bound as a parameter, never concatenated into the SQL.
$stmt = $dbh->prepare("SELECT * FROM REGISTRY WHERE name = ?");
if ($stmt->execute(array($_GET['name']))) {
    while ($row = $stmt->fetch()) {
        print_r($row);
    }
}
?>
http://us2.php.net/pdo.prepared-statements
https://www.owasp.org/index.php/owasp_backend_security_project_mysql_hardening
Final Exit Meeting
- Hand over the report if not already handed over.
- Discuss findings.
- Answer questions.
- Reiterate how remediation validation is going to take place.
QUESTIONS?
Resources and Links
- Burp Pro ($300) - portswigger.net/burp
- OWASP - https://www.owasp.org/index.php/main_page
- Top 10 - https://www.owasp.org/index.php/top_10_2013
- ZAP - https://www.owasp.org/index.php/owasp_zed_attack_proxy_project
- Acunetix - http://www.acunetix.com/
- Fiddler - http://fiddler2.com/
- Web app security blogs: http://www.troyhunt.com/
- Pentesting standard: http://www.pentest-standard.org
- Test environments:
  - Security Dojo - http://sourceforge.net/projects/websecuritydojo/
  - Broken Web Apps - https://code.google.com/p/owaspbwa/
Resources and Links
- SQLMap
  - http://www.slideshare.net/hcoduarte/sqlinjection-with-sqlmap
  - http://sqlmap.org/
  - https://www.owasp.org/index.php/automated_Audit_using_SQLMap
- OWASP Top 10 Ebook - http://www.troyhunt.com/2011/12/free-ebookowasp-top-10-for-net.html