Application Security Reviews
OWASP
November 15, 2006
David Byrne, CISSP, MCSE
Security Architect
EchoStar Satellite, LLC
David.Byrne@EchoStar.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Testing Steps
Planning
Reconnaissance
Infrastructure
Input validation
Denial of Service (DoS)
Authentication & Authorization
Information Disclosure
Code Review
Reporting
OWASP Testing Guide
Version 2 is being completed
http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC
OWASP Top 10
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Infrastructure Vulnerabilities
5. Information Disclosure
6. Insecure Storage
7. Improper Error Handling
8. Application Denial of Service
9. Buffer Overflow
10. Insecure Configuration Management
Planning
Change Management
Don’t get fired
Communicate fully
Get approvals in writing
Clearly defined scope
Test or production
Which web servers will be targeted
Can vulnerabilities be exploited
Can modifications be made via exploits
Will Denial of Service be tested
Are brute force attacks allowed
White box vs. black box
Planning - Tools
Presenter's favorites
WebScarab – Testing proxy, fuzzer, spider, more
Nessus – General vulnerability scanner
Wikto – Signature-based web scanning, Google reconnaissance
Nmap – Port scanner & fingerprinting
WireShark (Ethereal) – Packet capture
Other free tools
Nikto – Signature-based web scanning
Pantera – New tool from OWASP, automated scanning
Paros – Testing proxy, spider
BurpSuite – Testing proxy, more
Commercial tools
Acunetix Web Vulnerability Scanner
Cenzic Hailstorm
N-Stealth
Sensepost Suru
SPI Dynamics WebInspect
Watchfire AppScan
WebScarab
Proxy
Records all HTTP sessions
Allows requests & responses to be intercepted and modified
Displays HTTP sessions in parsed or raw formats
Reveals hidden fields
Manual requests
Web Services tools
Session ID Analysis
Fuzzer
Automated extensions checking (.bak, etc)
Reconnaissance & Automated Scanning
Google (Wikto) – Can find some vulnerabilities, pages difficult to navigate to
Spider (WebScarab)
Specialized Web scanners (Wikto, commercial) – Known web-app vulnerabilities; simple cases of XSS, SQL injection, etc.
Try to identify what off-the-shelf software is being used, then research vulnerabilities (securityfocus.com)
Source code
Look on open file shares
Look for unsecured code repositories
Infrastructure
Port scan (nmap)
General vulnerability scan (Nessus)
Unsecured HTTP management ports
Web Server attacks
Application framework attacks: WebMethods, WebLogic, other J2EE, ColdFusion, etc.
Miscellaneous vulnerable services: NetBIOS, RPC, etc.
Input Validation
SQL Injection
Cross Site Scripting (XSS)
Buffer Overflows
SQL Injection
Caused by failure to properly validate user-provided input
Allows arbitrary commands to be executed in the database
Example for a login:
Username = byrned
Password = very_secure
SQL Injection
SELECT count(userID)
FROM users
WHERE username = 'byrned' AND password = 'very_secure'
SQL Injection
Username: byrned' OR 1=1 --
SELECT count(userID)
FROM users
WHERE username = 'byrned' OR 1=1 -- ' AND password = 'very_secure'
SQL Injection
Test by inserting string delimiting characters such as a single quote
Look for error messages
SQL Injection
Customer Search Tool form (Zip Code field, Submit button); on submit the page builds the query by concatenating the submitted value into the SQL text:
query = "SELECT name, address, city, state, zip " +
        "FROM customers " +
        "WHERE zip = '" + zipcode + "'";
SQL Injection
This information is updated every Thursday
Name          Address       City    State  Zip
David Byrne   123 Main St   Denver  CO     80202
John Doe      345 17th St   Denver  CO     80202
SQL Injection zip: 80202' OR 1=1 --
SELECT name, address, city, state, zip
FROM customers
WHERE zip = '80202' OR 1=1 -- '
SQL Injection zip: 80202' OR 1=1 --
Name            Address           City         State  Zip
David Byrne     123 Main St       Denver       CO     80202
John Doe        345 17th St       Denver       CO     80202
Peter Smith     678 Main St       Sometown     CA     90332
Jane Peterson   445 6 Ave         Lakeside     ID     12345
Sue Brown       421 Evergreen St  Springfield  MD     13512
SQL Injection zip: 80202' UNION SELECT username, password, null, null, null FROM users --
SELECT name, address, city, state, zip
FROM customers
WHERE zip = '80202'
UNION
SELECT username, password, null, null, null
FROM users -- '
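The login and customer-search queries from the preceding slides, reproduced in Python against an in-memory SQLite database so the effect of each input can be checked rather than read off a screenshot. This is an added example, not code from the presentation; the table contents are constructed, and the `login_*` / `search_*` function names are this example's own. Each vulnerable string-concatenation query sits beside its parameterized form, and `triggers_sql_error` performs the slide-14 test step (submit a lone quote, watch for a database error) against the vulnerable version.

```python
import sqlite3

# Constructed sample data for this example (not from a real system).
CUSTOMERS = [
    ("David Byrne", "123 Main St", "Denver", "CO", "80202"),
    ("John Doe", "345 17th St", "Denver", "CO", "80202"),
    ("Peter Smith", "678 Main St", "Sometown", "CA", "90332"),
]
USERS = [("byrned", "very_secure"), ("jdoe", "asdf")]


def make_db():
    """Build the two tables the slides query in a throwaway in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name, address, city, state, zip)")
    db.execute("CREATE TABLE users (userID INTEGER PRIMARY KEY, username, password)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return db


def login_concat(db, username, password):
    """Slides 11-13 pattern: credentials pasted into the SQL text. Returns the match count."""
    query = ("SELECT count(userID) FROM users "
             "WHERE username = '" + username + "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0]


def login_param(db, username, password):
    """Fixed login: bound parameters. Quote and comment characters stay data."""
    query = "SELECT count(userID) FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()[0]


def search_concat(db, zipcode):
    """Slide 15 pattern: the zip code is concatenated into the query."""
    query = ("SELECT name, address, city, state, zip "
             "FROM customers "
             "WHERE zip = '" + zipcode + "'")
    return db.execute(query).fetchall()


def search_param(db, zipcode):
    """Fixed search: the driver sends the value separately from the SQL text,
    so the WHERE clause always compares against the literal string submitted."""
    query = "SELECT name, address, city, state, zip FROM customers WHERE zip = ?"
    return db.execute(query, (zipcode,)).fetchall()


def triggers_sql_error(db, probe):
    """Slide 14 test step: does a lone string delimiter make the back end fail?
    A database error surfacing on a stray quote is the first sign to look for."""
    try:
        search_concat(db, probe)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("honest login matches:", login_concat(db, "byrned", "very_secure"))
    print("injected login matches:", login_concat(db, "byrned' OR 1=1 --", "x"))
    print("parameterized, same input:", login_param(db, "byrned' OR 1=1 --", "x"))
    print("rows for 80202' OR 1=1 --:", len(search_concat(db, "80202' OR 1=1 --")))
    print("lone quote causes error:", triggers_sql_error(db, "'"))
```

Run as a script it prints the match counts for each variant; the parameterized functions return the empty result for every injected value because the quote never reaches the SQL parser as syntax.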
SQL Injection
Name            Address           City         State  Zip
David Byrne     123 Main St       Denver       CO     80202
John Doe        345 17th St       Denver       CO     80202
Peter Smith     678 Main St       Sometown     CA     90332
Jane Peterson   445 6 Ave         Lakeside     ID     12345
Sue Brown       421 Evergreen St  Springfield  MD     13512
byrned          very_secure
jdoe            asdf
smithp          mary
jpeter          jane123
browns          f35.0=(Gd
SQL Injection
Resources:
http://www.owasp.org/index.php/SQL_Injection
http://www.unixwiz.net/techtips/sql-injection.html
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
Cross Site Scripting (XSS)
Allows an attacker to embed arbitrary HTML inside a web page
Can be persistent (e.g. a bulletin board) or dynamic (e.g. a URL)
JavaScript can
Redirect the browser to an attack site
Monitor and report browsing activity using frames
Launch attacks against browser vulnerabilities
Steal cookies
Perform actions while impersonating user (MySpace worm)
Cross Site Scripting (XSS)
Look for any content in a web page that was based on user-provided input
Check the source: The content might be in the HTML, but not displayed
Input isn’t limited to visible form fields. Look at cookies, HTTP headers, URL query strings, hidden fields
Standard pages aren’t the only source of XSS; error pages (even 404s) are frequently vulnerable
Cross Site Scripting (XSS)
Customer Search Tool form (Zip Code field, Submit button) responds with:
No results were found for zip code '00000'
Cross Site Scripting
<script>alert("XSS")</script>
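The "no results" error page from the previous slides, rendered two ways in Python: the vulnerable version drops the submitted zip code straight into the HTML, the hardened version entity-encodes it first. This is an added example, not code from the presentation; the template string and the function names are this example's own, and `reflects_markup` is the check a reviewer would run on the response to see whether the probe came back as live markup or as harmless encoded text.

```python
import html

# The error page from the slide as an HTML fragment; {zipcode} is user-controlled.
TEMPLATE = "<p>No results were found for zip code '{zipcode}'</p>"


def render_unsafe(zipcode):
    """Vulnerable: the submitted value is placed straight into the HTML response,
    so any markup in the input becomes markup in the page (reflected XSS)."""
    return TEMPLATE.format(zipcode=zipcode)


def render_safe(zipcode):
    """Hardened: entity-encode <, >, &, " and ' before output, so the value is
    shown as text whether it lands in element content or a quoted attribute."""
    return TEMPLATE.format(zipcode=html.escape(zipcode, quote=True))


def reflects_markup(page, probe):
    """Reviewer check: did the probe survive into the response unchanged?
    An encoded echo (&lt;script&gt;...) does not match and is not a finding."""
    return probe in page


if __name__ == "__main__":
    probe = '<script>alert("XSS")</script>'
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(probe)
        print(name, "reflects live markup:", reflects_markup(page, probe))
        print("   ", page)
```

The same escaping step applies to every reflected source the slide lists (cookies, headers, query strings, hidden fields), not just the visible form field; what changes is where the value is read from, not how it must be encoded on the way out.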
Cross Site Scripting (XSS)
Resources:
http://ha.ckers.org/xss.html
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.owasp.org/index.php/XSS
Buffer Overflows
Not common with modern web environments
With black box, send long strings for different parameters, >1024 bytes; might have to switch to POST
White box techniques beyond presentation’s scope
Denial of Service (DoS)
Locking Customer Accounts
Buffer Overflows
User Specified Object Allocation
User Input as a Loop Counter
Writing User Provided Data to Disk
Failure to Release Resources
Storing too Much Data in Session
http://www.owasp.org/index.php/Testing_for_application_layer_Denial_of_Service_%28DoS%29_attacks
Authentication & Authorization
Session IDs
Authentication
Authorization
Session IDs
Session IDs best stored in a cookie, not in the URL
Should be randomly generated
Should be from a large data set (>= 128 bits recommended)
Use WebScarab’s Session ID analyzer
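A small Python check in the spirit of the session ID analysis the slide recommends: given a sample of hex session IDs collected from successive logins, it reports the ID size in bits, whether successive values step by a constant or small amount (predictable), and how evenly the hex digits are distributed. It also shows how to generate an ID that meets the slide's "random, at least 128 bits" advice. This is an added example, not WebScarab's code or anything from the presentation; the thresholds and the function names are this example's own choices, and `sample_ids` is a seeded stand-in for a captured sample, not a secure generator.

```python
import math
import random
import secrets
from collections import Counter


def new_session_id():
    """Generate a session ID the way the slide recommends: 128 bits from the OS
    CSPRNG, hex encoded (32 hex characters)."""
    return secrets.token_hex(16)


def sample_ids(seed, count):
    """Deterministic stand-in for a captured sample of well-generated IDs.
    Seeded PRNG output: for the test only, NOT a session ID generator."""
    rng = random.Random(seed)
    return ["%032x" % rng.getrandbits(128) for _ in range(count)]


def analyze_session_ids(ids):
    """Rough analysis of hex session IDs issued in sequence.

    bits          size of the ID space implied by the ID length
    constant_step successive IDs differ by one fixed amount (counter)
    small_steps   successive IDs are all within 2**32 of each other
    hex_entropy   Shannon entropy of the hex digits (4.0 is the maximum)
    adequate      >= 128 bits, no small steps, digits reasonably spread
    """
    values = [int(s, 16) for s in ids]
    bits = max(len(s) for s in ids) * 4
    diffs = [b - a for a, b in zip(values, values[1:])]
    constant_step = len(diffs) > 0 and len(set(diffs)) == 1
    small_steps = len(diffs) > 0 and all(abs(d) < 2 ** 32 for d in diffs)
    text = "".join(ids).lower()
    counts = Counter(text)
    hex_entropy = -sum((c / len(text)) * math.log2(c / len(text)) for c in counts.values())
    return {
        "bits": bits,
        "constant_step": constant_step,
        "small_steps": small_steps,
        "hex_entropy": round(hex_entropy, 2),
        "adequate": bits >= 128 and not small_steps and hex_entropy > 3.5,
    }


if __name__ == "__main__":
    # Constructed examples: a counter-style ID versus properly random IDs.
    counter_ids = ["%032x" % n for n in range(1000, 1020)]
    print("counter:", analyze_session_ids(counter_ids))
    print("csprng: ", analyze_session_ids([new_session_id() for _ in range(20)]))
```

Twenty IDs is a small sample; the step and entropy checks catch the gross failures (counters, timestamps, short IDs) that a proxy's analyzer would flag, not subtle PRNG weaknesses, which need a much larger capture and a dedicated statistical test.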
WebScarab Session ID Analysis
Cookie Analysis – Data Formats
Plain text
This is a test string with some odd characters !@#$%^&*()_+-=\
Hexadecimal: Base 16 representation of the ASCII character numbers. Characters 0-9,a-f
546869732069732061207465737420737472696e67207769746820736f6d65206f646420636861726163746572732021402324255e262a28295f202d3d
Base64: Complicated. See http://en.wikipedia.org/wiki/Base64. Characters A-Z,a-z,0-9,/,+, and equal (=) for suffix padding
VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4mKigpXyAtPQ==
HTML encoding: HTML escaped characters using the character numbers. Uses this format: ampersand (&), pound (#), character number in decimal (0-9), semicolon (;)
This is a tes&#116; string wit&#104; some odd ch&#97;racters !@#$&#37;^&*()_ -=
Cookie Analysis – Data Formats
HTTP URL encoding: spaces turned to plus (+), non alphanumeric characters encoded with percent (%), then the hexadecimal character number (0-9,a-f)
This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A%28%29_+-%3D
HTTP URL encoding – all hex: In addition to the standard URL encoding described above, all characters, including alphanumeric, can be hex encoded
%54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69%74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21%40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d
IP Address formatting
Octet, most common:
10.1.124.3
Hex, obtained by converting each octet into a two digit hexadecimal number:
0A017C03
Decimal, obtained by converting the hex format into a base 10 number:
167869443
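A Python decoder for the cookie and IP address formats catalogued on the two preceding slides (plain text, hex, Base64, HTML numeric entities, URL encoding in both forms, and octet/hex/decimal IP addresses). It is an added example, not code from the presentation; the sample values are the slides' own encodings of the test string, and the format-guessing order (hex before Base64, since hex digits are a subset of the Base64 alphabet) and the function names are this example's choices. Knowing what a cookie value decodes to is the first step of the analysis: an opaque token that turns out to be a Base64 username or a hex-encoded IP address is something the application is trusting the client with.

```python
import base64
import binascii
import html
import ipaddress
import re
import urllib.parse

# The slide's test string and its encodings, used here as sample input.
TEXT = "This is a test string with some odd characters !@#$%^&*()_ -="
HEX = ("546869732069732061207465737420737472696e67207769746820736f6d65206f646420"
       "636861726163746572732021402324255e262a28295f202d3d")
B64 = "VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4mKigpXyAtPQ=="
ENT = "This is a tes&#116; string wit&#104; some odd ch&#97;racters !@#$&#37;^&*()_ -="
URL = "This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A%28%29_+-%3D"
ALLHEX = ("%54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69"
          "%74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21"
          "%40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d")

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ENTITY_RE = re.compile(r"&#\d+;")
PCT_RE = re.compile(r"%[0-9a-fA-F]{2}")


def decode_cookie_value(value):
    """Guess which of the slide's encodings a cookie value uses and decode it.
    Returns (format_name, decoded_text). Hex is tried before Base64 because every
    hex string is also valid Base64; a decode that yields non-ASCII bytes is
    treated as a wrong guess and the next format is tried."""
    v = value.strip()
    if HEX_RE.match(v):
        try:
            return "hex", bytes.fromhex(v).decode("ascii")
        except UnicodeDecodeError:
            pass
    if B64_RE.match(v) and len(v) % 4 == 0:
        try:
            return "base64", base64.b64decode(v, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass
    if ENTITY_RE.search(v):
        return "html", html.unescape(v)
    # URL encoding: percent escapes, or '+' used as a space in a value with no real spaces
    if PCT_RE.search(v) or ("+" in v and " " not in v):
        return "url", urllib.parse.unquote_plus(v)
    return "plain", v


def decode_ip(value):
    """Normalise the three IP address spellings on the slide to dotted octets."""
    v = value.strip()
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", v):         # 10.1.124.3
        return str(ipaddress.IPv4Address(v))
    if re.fullmatch(r"[0-9a-fA-F]{8}", v):                  # 0A017C03
        return str(ipaddress.IPv4Address(int(v, 16)))
    if v.isdigit():                                         # 167869443
        return str(ipaddress.IPv4Address(int(v)))
    raise ValueError("not an IPv4 address in a recognised format: %r" % value)


if __name__ == "__main__":
    for sample in (TEXT, HEX, B64, ENT, URL, ALLHEX):
        print(decode_cookie_value(sample))
    for ip in ("10.1.124.3", "0A017C03", "167869443"):
        print(ip, "->", decode_ip(ip))
```

Format guessing is heuristic by nature: a short all-digit value such as a decimal IP address or a numeric user ID is ambiguous, so for fields you already suspect to be addresses call `decode_ip` directly rather than relying on the generic guess.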
Authentication
SQL Injection
LDAP Injection
Session Hijacking
Theft of cookies/session IDs through XSS
Guessing valid session IDs
Theft of session IDs stored in URLs via browser history
High or missing timeout values
Brute force password attacks (THC-Hydra)
Field changes:
http://www.site.com/page.asp?authenticated=no
http://www.site.com/page.asp?authenticated=yes
Password reset facilities
New passwords emailed
Process flow for question response
Authorization Bypassing
Manually browse to known URLs without authentication
Obtain admin & user credentials, try to access admin pages with user login
Directory traversals & listing
Original: http://www.example.com/app/auth/login.php
Request: http://www.example.com/app/auth/
Request: http://www.example.com/app/
Request: http://www.example.com/../
http://www.owasp.org/index.php/Bypassing_Authentication_Schema_AoC
Information Disclosure
Directory traversal & listing
HTML & JavaScript comments
Error messages can divulge:
Operating System environmental parameters
Web Server settings
Database drivers in use
SQL queries run on a page
Software versions
Code Review
SQL queries
Stored procedures
User-supplied input as part of output
Operating System / shell commands
Error handling routines
Source code storage & access
Authentication & authorization mechanisms
http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
Reporting
Severity
Category (OWASP Top 10)
Location (e.g. line 23 of /search/main.php)
Example exploit
Impact of exploit (e.g. theft of credit card data)
Recommended remediation
Third party documentation (vendor or OWASP)
Reporting - Categorize severity
PCI severity levels: https://pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
5 Urgent    Trojan Horses; file read and write exploits; remote command execution
4 Critical  Potential Trojan Horses; file read exploit
3 High      Limited exploit of read; directory browsing; DoS
2 Medium    Sensitive configuration information can be obtained by hackers
1 Low       Information can be obtained by hackers on configuration
Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/ http://nvd.nist.gov/cvss.cfm?calculator
Remote vs. local exploit
Attack complexity
Authentication required
Availability of exploit
Type of fix available
C/A/I impact
Impact value rating
Organization specific potential for loss
Percentage of vulnerable systems
Level of vulnerability confirmation
Example Finding
11. Improper use of varchar data types
Severity: Critical
Category: Injection Flaws
Exploitation prerequisites: Internet access; authentication may not be required for all pages
Description
Some pages handle numeric data types as “varchars” (character string). This makes SQL injection possible, despite the “cfqueryparam” tag; since there is no quote to break out of, escaping quote characters won’t help. This occurs in many pages.
Example
\dsg\createNewPage.cfm; line 54
<CFQUERY name="tied" DATASOURCE="#APPLICATION.DATASOURCE#">
  select user_name from users (nolock) where user_number =
  <cfqueryparam value="#url.usernumber#" cfsqltype="CF_SQL_VARCHAR">
</CFQUERY>
Recommendation
Every file should be reviewed for how each SQL query or stored procedure is called. Change all numeric SQL parameters to use CF_SQL_INTEGER.
References http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html
http://www.owasp.org/index.php/Data_Validation
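The point of the example finding, modelled in Python against an in-memory SQLite table so it can be run: when a value lands in a numeric comparison with no quotes around it, escaping quote characters (which is all a string-typed parameter treatment guarantees) does nothing, because there is no string literal to break out of. The recommended fix is to treat the parameter as the numeric type it is, which here means coercing it to an integer and binding it. This is an added example, not ColdFusion code or code from the presentation; the table rows are constructed and the function names are this example's own.

```python
import sqlite3


def make_db():
    """Throwaway table mirroring the one in the finding (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_number INTEGER, user_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "byrned"), (2, "jdoe"), (3, "smithp")])
    return db


def escape_quotes(value):
    """All that treating the value as a character string buys: doubled single quotes."""
    return value.replace("'", "''")


def lookup_as_varchar(db, usernumber):
    """The defect in the finding: the value is quote-escaped but is placed in a
    numeric comparison with no surrounding quotes, so the escaping is irrelevant
    and the value is parsed as SQL."""
    query = "SELECT user_name FROM users WHERE user_number = " + escape_quotes(usernumber)
    return [row[0] for row in db.execute(query)]


def lookup_as_integer(db, usernumber):
    """The recommended fix (CF_SQL_INTEGER in the finding), in Python terms:
    coerce to the numeric type first, rejecting anything that is not an integer,
    then bind it as a parameter."""
    number = int(usernumber)   # raises ValueError for input such as "2 OR 1=1"
    return [row[0] for row in db.execute(
        "SELECT user_name FROM users WHERE user_number = ?", (number,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print("varchar treatment, input %r ->" % value, lookup_as_varchar(db, value))
        try:
            print("integer treatment, input %r ->" % value, lookup_as_integer(db, value))
        except ValueError as exc:
            print("integer treatment, input %r -> rejected (%s)" % (value, exc))
```

Reviewing for this class of defect means looking at the SQL type declared for every parameter against the column it is compared to, not only at whether a parameter mechanism is used at all.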