Web Application Penetration Testing
2010
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Will Bechtel
William.Bechtel@att.com
Sr. Consulting Manager - Application Security Practice
- Part of AT&T Business Services / Application Solutions
- Formerly VeriSign Global Security Consulting; AT&T acquired Oct 2010
Experience with Organizations
- Primary verticals: Financial Services, High Tech, Retail
Application Experience
- 15 years software development
- Web commerce development for Fortune 500 customers
Caution
- Tools/techniques should only be used for authorized testing. Don't Be Evil.
Setup
- Be very careful how you configure tools or you may end up in real trouble.
Page 2
Presentation Overview
Overview of Web App Pen Testing
- Web Application Definition
- Drivers for Testing
- High Level Methodology
Overview of Tools
- Web App Scanners
- Proxies, Spiders, Fuzzers
- Strengths and Weaknesses
Review of Vulnerabilities
- OWASP Top Ten
Demonstration of Tools/Techniques
- Web Application Scanner: HP's AppScan
- Burp Professional Proxy/Scanner
Typical Web Application
Diagram: Web/Application Server (Port 21, Port 80 / 443, Port 3389) behind the Corporate Firewall, connected to a Database Server.
Web Application Defined
App Utilizes HTTP/HTTPS
- Web Browser Applications
- Web Services (blurring)
Client is Web Browser
- Application Interface is HTML/CSS/JavaScript interpreted on the client.
- Blurring with Java and ActiveX components delivered via HTTP. Out of scope for this presentation.
From Wikipedia
"A computer software application that is hosted in a browser-controlled environment (e.g. a Java applet) or coded in a browser-supported language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable."
Web Application Basics
HTTP Basics
- HTTP is a plain text protocol
- Browser sends request to web server
- Server sends back response with a status code

GET /search.aspx?q=answer+to+life HTTP/1.0

HTTP/1.0 200 OK

<html>
<body>
The answer is 42
</body>
</html>
Web App Pen Test Drivers
#1 Compliance
- PCI: requirement for annual pen test (internal/external); requirement for quarterly scanning (not a pen test, but uses automated scanners)
- GLBA, FTC, SOX, HIPAA, SB1386
Partnerships
- Many SaaS providers perform testing to assure customers they are secure.
Risk Management
- Lower potential liability and losses
- Protect reputation
Methodology
Determine Scope
- Evaluate security requirements
- Evaluate compliance objectives
- Identify any out of scope areas (document)
Determine Rules of Engagement
- Determine White Box, Grey Box, Black Box testing methodology
- Determine involved parties who will support testing, issues that may come up, etc.
- Gather contact information
- Review communication, notification, and issue escalation procedures.
- Review other specific requests and rules of engagement (e.g., periods during which testing should not be performed).
- Review deliverables and any requirements
Application Architecture Review (if white or grey box)
- Review system architecture and logical model
- Review interfaces
Methodology
Discovery
- Spidering
- Manual traversal
- Automated scanning
- Platform fingerprinting (web server / app server / database server)
Test for Vulnerabilities
- Validation of findings
- Manual testing validation where required
- Manual testing exercise with proxy
- Evaluate and adjust
Analysis and Reporting
- Determine and assign risk (risk of vuln / likelihood / overall risk / recommendation for fixing / level of effort)
- Document
- Assign risk at highest level until more information is available.
Automated Web Application Scanners
Seek to simulate an application tester
- Perform discovery (spider)
- Test for known platform vulnerabilities and common misconfigurations
- Determine and test authentication/authorization boundaries
- Exercise requests / manipulate parameters
- Provide analyst with findings/details/recommendations
- Analyst reviews and removes false positives
Reporting
- Generate reports with vulnerability details, risk ratings and recommendations for remediation from validated findings
Web Application Testing Proxy
Web App Proxy
- Used to test, not to improve caching performance
- Many proxies utilized in organizations are set up to restrict, monitor and secure outbound connections as well as to improve performance.
Web Application Testing Proxy
- Designed specifically to perform web application testing
- Primary feature is to intercept and modify traffic to/from web browser and web server.
- Usually includes spidering and sometimes scanning tools. Scanning can be passive or active.
Fuzzers
Fuzzing (Wikipedia)
"Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted."
Fuzzers
- Usually targeted at finding memory issues like buffer overflows
- Limited in functionality
- Some web proxies can be utilized as fuzzers (Burp Suite Pro, WebScarab)
Tools: Strengths and Weaknesses
Web App Scanning
- Strengths: fast, can scan for many common issues quickly, can be set up to regression test, good for finding reflected cross site scripting
- Weaknesses: can be difficult to configure, many times does not hold state well and misses much of the app. Not good at finding subtle and multi-step issues (stored XSS), etc.
Web Proxy Testing
- Strengths: good for identifying/verifying all vulnerabilities, identifies more high risk issues (multi-step and authorization issues)
- Weaknesses: takes strong experience to utilize, time consuming compared to automated, very time consuming to do any regression testing
Fuzzers
- Strengths: finding memory issues such as buffer overflows, etc.
- Weaknesses: very narrow usage
Common Web App Vulnerabilities
Open Web Application Security Project (OWASP) - www.owasp.org
- Top Ten most common vulnerabilities - http://www.owasp.org/images/0/0f/owasp_t10_-_2010_rc1.pdf
- Information on how to identify and remediate these and many other application security issues
- Development of tools, frameworks and approaches for application security
OWASP 2010 vs 2007
(OWASP slides include info taken directly from the www.owasp.org site)
OWASP Top Ten
A1 - Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
- Injected by user input, executed on server (web/app/db).
A2 - Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- Reflected (RXSS): initiated by user input, bounced (reflected) off server, executed in user browser.
- Stored (SXSS): initiated by user input, stored on server, later executed in user browser (can be another user).
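The two flaws above side by side, as an added example that is not from the slides: a query built by string formatting next to a parameterized one, and unescaped versus escaped output. The users table and its rows are constructed for the demonstration.

```python
import html
import sqlite3


def build_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, name):
    # A1 pattern: untrusted input is spliced into the statement text, so the
    # database cannot tell where the data ends and the command resumes.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameter binding ships the value separately from the statement; the
    # input is only ever compared as a string, whatever characters it holds.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_vulnerable(name):
    # A2 pattern: untrusted input written into the page without escaping,
    # so markup in the input is interpreted by the victim's browser.
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    # Escaping for the HTML text context; quote=True also neutralises the
    # quote characters that matter inside attribute values.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"          # the classic tautology a tester tries
    print(lookup_vulnerable(conn, probe))   # every row comes back
    print(lookup_safe(conn, probe))         # no user has that literal name
    print(render_greeting_safe("<script>alert(1)</script>"))
```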
OWASP Top Ten
A3 - Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users' identities.
- Very common: setting the session cookie before login, and session fixation.
A4 - Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
- Example: https://www.bank.com/transfer?accountnum=1234
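An added illustration (not from the slides) of the two fixes the items above call for: a session store that issues a new id at login so a pre-login id cannot be fixated, and an ownership check on the slide's transfer?accountnum=1234 reference. SessionStore, ACCOUNT_OWNER and the account data are constructed for the example.

```python
import secrets


class SessionStore:
    """Constructed in-memory session table: session id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Pre-authentication session, as set on a first anonymous page view.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # A3 fix: the pre-login id (possibly planted by an attacker) is
        # retired and a fresh id issued, so nothing known before
        # authentication identifies the authenticated session.
        if sid not in self._sessions:
            raise KeyError("unknown session")
        attrs = self._sessions.pop(sid)
        attrs["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


# Constructed ownership table standing in for the bank's account database.
ACCOUNT_OWNER = {1234: "alice", 5678: "bob"}


def owns_account(user, accountnum):
    return user is not None and ACCOUNT_OWNER.get(accountnum) == user


def transfer_account(store, sid, accountnum):
    # The slide's /transfer?accountnum=1234: the A4 fix is to check that the
    # authenticated user owns the object the parameter names, not merely
    # that the parameter parses as an account number.
    user = store.user_for(sid)
    if not owns_account(user, accountnum):
        raise PermissionError("account %r not accessible" % accountnum)
    return {"accountnum": accountnum, "owner": user}
```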
OWASP Top Ten
A5 - Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A6 - Security Misconfiguration
Security depends on having a secure configuration defined for the application, framework, web server, application server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults.
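An added example (not part of the presentation) of the standard defence for A5: a per-session synchronizer token that a cross-site page cannot supply merely by riding on the victim's session cookie. SERVER_KEY and the request dictionary are constructed stand-ins for configuration and a web framework's request object.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    msg = (session_id + "." + nonce).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    # Synchronizer token: a random nonce plus an HMAC binding it to the
    # session, so the server can verify it without storing anything.
    nonce = secrets.token_urlsafe(16)
    return nonce + "." + _mac(session_id, nonce)


def verify_csrf_token(session_id, token):
    if not isinstance(session_id, str) or not isinstance(token, str):
        return False
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    # Constant-time comparison; a token minted for another session fails.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(request):
    """Constructed request shape: {'method': str, 'cookies': dict, 'form': dict}."""
    if request["method"] != "POST":
        return 405, "state-changing actions must be POST"
    # The browser attaches the session cookie on its own (the CSRF premise);
    # the token must arrive in the form body, which a cross-site page cannot
    # read and therefore cannot reproduce.
    session_id = request["cookies"].get("sessionid")
    token = request["form"].get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"
```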
OWASP Top Ten
A7 - Failure to Restrict URL Access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks when these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
- Forced browsing
A8 - Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
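Added example (not from the slides) of the validation A8 asks for: a redirect-target check that handles the inputs a naive startswith('/') test gets wrong. ALLOWED_HOSTS is a constructed allow-list for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may send users to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}


def safe_redirect_target(target, default="/"):
    """Return `target` if it stays on an allowed host, otherwise `default`.

    Written to survive inputs that defeat a naive startswith('/') check:
    scheme-relative //evil.example, backslash variants, schemes such as
    javascript:, userinfo tricks, and control characters that some parsers
    silently drop.
    """
    if not isinstance(target, str) or not target:
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    # Browsers treat a backslash in the authority like a slash; normalise
    # before parsing so "/\\evil.example" is seen as "//evil.example".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http(s), and only to an allow-listed host.
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    if parts.netloc:
        # Scheme-relative (//host/...) resolves to another origin.
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```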
OWASP Top Ten
A9 - Insecure Cryptographic Storage
Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud, or other crimes.
A10 - Insufficient Transport Layer Protection
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
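Added example (not from the slides) covering both items above: salted, iterated password hashing with constant-time verification for A9, and a client TLS context that enforces the protocol-version and certificate checks A10 says are often skipped. The stored-record format is my own choice, not a standard.

```python
import hashlib
import hmac
import secrets
import ssl

# A9: store a salted, iterated hash, never the password itself or an
# unsalted fast digest. Record format (chosen for this example):
# pbkdf2_sha256$iterations$salt_hex$hash_hex
ITERATIONS = 200_000


def hash_password(password, iterations=ITERATIONS):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, iters = bytes.fromhex(salt_hex), int(iters)
    except (AttributeError, ValueError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


# A10: a client-side TLS context that refuses what the slide lists as weak:
# old protocol versions and unverified or hostname-mismatched certificates.
def strict_client_tls_context():
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_tls_context(ctx):
    # Plain-string summary of the settings that matter, for audit output.
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }
```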
Web Application Scanners
Review: Analyzing the Accuracy and Time Costs of Web Application Security Scanners - http://ha.ckers.org/files/accuracy_and_time_costs_of_web_App_Scanners.pdf
- Does not weight vuln risk.
Scanners
- Acunetix
- AppScan by IBM
- BurpSuitePro
- Hailstorm by Cenzic
- WebInspect by HP
- NTOSpider by NT OBJECTives
Web Application Proxies
Burp Suite
- My opinion: this is the current best option
- Free and Pro versions; Pro has scanner and state save (2 key features). Very affordable.
- www.portswigger.net
Paros
- Free
- Kind of dated at this point
- Missing key features, limited on those it does support
WebScarab
- Free
- More features than Paros, less than Burp
Now the Fun Stuff
Demo of Automated Scanning Tool
- IBM's AppScan v7.9 (formerly Watchfire) - http://download.boulder.ibm.com/ibmdl/pub/software/dw/demos/rintrotoappscan/rintrotoappscan.pdf
- High level overview of features
- Partial review of scan - demo.testfire.net
Demo of Web Proxy Testing
- Burp Suite Professional v1.3
- High level overview of features
- Demo of testing and Burp features
Thank You!
William.Bechtel@att.com