Wednesday, November 7, 2012

Security testing

Security Testing

First thing is first, to start testing for Security bugs we need to first know what to find. What are we looking for? Any ideas? :?: :!:

:idea: :idea: :idea:
Yes? The girl in the back with the blue shirt, what's that you say? A work-list? That's correct! Thanks. :D

So we need a work-list - a method - something generic that will cover all exits on any pattern. How can we come up with something like that?! Oh, that's where I come in :lol:

When ever we like to test for security we need to focus on the following list:
Input Validation - attacks like - XSS and SQL injection
Authentication - DoS, Brute force attack and Spamming (attacks on forms)
Session & Cookie management - account hijacking by editing or stealing the session with an attack called Man In The Middle (MITM)
Authorization - attacks that will gain you access to other accounts or admin privileges
Error handling - Information Disclosure of server's version and other component such as database version
Coding - text files or JS (javascript) containing juicy information (paths to admin panel for example), Coding remarks may also be very handy
Network Configurations - open ports that can gain an attacker a nice back-door to the server (21:FTP, 22:SSH, 23:Telnet, 1433:MsSQL, 3306:MySQL etc.). Also, forbidden HTTP methods such as PUT, DELETE, TRACE can give a big advantage to the attacker.

----It is better that you copy and paste this list----

So, after we've come up with a good and solid list, we need to understand how to test. Let's say we've asked to test :)

Oh, almost forgot - every one of the sections above (AKA our worklist) is attached to the other. You'll see :geek:

The first section is Input Validation.
Read - Cross-Site Scripting (XSS) and SQL injection from my 'Becoming a hacker' topic, to learn the basics of testing input validations.

Testing input validation can lead you very quickly to discover the site's Error handling, if one of your injections haven't sanitized correctly the server will probably redirect you to it's error page. If the site's admin haven't implemented a nice redirection to an error like 'Sorry, but the page you were looking for is not here', the server's error will
pop displaying an information about it... some time's it can lead you to a new attack :mrgreen:

Authentication, Session & Cookie management, Authorization are all a part of using the right tool.

Authentication - The easiest way to discover rather a form is vulnerable to Brute Force is to look for a Captcha implementation. A Captcha is a well known feature that monitors the form for human usage only. All we're talking about is an image with numbers in it and a field for the user to copy those numbers.. the problem is that their is no automated tool yet to read those images and copy their content to the field. That way an admin can be sure that automated tools would have hard time to hijack accounts.
A nice tool for a PoC (Proof of Concept) will be the Burp Proxy.
The free license is enough.
Go to those links after you've successfully downloaded the proxy, and used my examples. See ya soon.
1. Burp/Session 1
2. Burp/Session 2
3. Burp/Session 3

Now that you are Burp freaks... we'll go back to our worklist.
Next is Session & Cookie management, Well I'm not gonna teach it because it takes time
and experience. After you know how to use the burp, and where the Cookie: header is, all you need to do is read about Session Fixation and you'd understand everything.
If you really want to simulate a hijack, take my example for Click Jacking. Enjoy 8-)

Authorization - Let's say we're testing on
Now after entering the site there is an immediate redirection to
uTest will probably give you a user and pass and than all you need to do is login.
After logging in you noticed this URL:
How could it be vulnerable?
Look again... what is the first parameter? that's correct - uid --> user id
means your user id is 1203. So basically there is a list in the database and you are number 1203. Does it necessarily means that there are more than 1200 users.. of course not. This number can be a part of an automated sequence.
If the Session management is misconfigured, authorization can be manipulated using this parameter.. all you need to do is switch the numbers. Yes you can also try 1203'+or+'1'='1 or 1203">....
You see... all strings attached.
Another attack can occur using Coding section on our list.
Javascript files can hold this record -
Code: Select all
 path = url + /admin/panel/index.php

Only copy and paste it and maybe you will achieve authorization bypass. Even if not full.. a partial also helps.

Network Configurations - in order to find the open ports you need to install Nmap.
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

To test HTTP methods all you need to do is first replace GET/POST with OPTIONS and than you'll get the methods available.
one of the dangerous ones is PUT, and it has two main kinds of uses.
1. Active/diactive components - like Refresh
2. Create new files or Directories on the server - RISK

If an attacker can use the PUT method she can create a file with a malicious admin panel called Shell. This shell can operate a lot of dangerous features such as malicious scripts, SQL queries, open ports for back-doors, DoS (denial of service) scripts and more.
DELETE method has also the same pattern only instead of create it deletes the file/directory. I think you guessed the risk.. 8-)
TRACE method can cause - Cross-Site Tracing (XST).
and more...

Well there you go... you're all set for your first Security test.
Wish you best of luck, and may the force be with you.

No comments:

Post a Comment