Showing posts with label OWASP.
Manusia Tak Sempurna
1. WS Information Gathering
The first step in performing a Web Service test is to determine the WS entry points and the communication schema: these are described in the WSDL associated with the WS.

2. Testing WSDL
Check the WSDL of the web service to find the entry points, and try to invoke an operation that is not used in a standard SOAP request. Ensure that the WS does not disclose confidential information.

3. XML Structural Testing
This section discusses the types of attack vectors one could send to a web service in an attempt to assess its reaction to malformed or maliciously-crafted messages. For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed XML (e.g., with overlapping elements, or with open tags that have no matching close tags). DOM-based parsing can be vulnerable to DoS due to the fact that the complete message is loaded into memory (as opposed to SAX parsing). For example, oversized attachments can cause an issue with DOM architectures.
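As an added example (not part of the original post or of the OWASP guide), the following Python check shows the defensive side of this section: a SAX-style expat pass that enforces size, attribute-count and nesting-depth limits and refuses any DOCTYPE before the service ever builds a DOM from the message. The limits and the sample messages are constructed for the example.

```python
import xml.parsers.expat

# Limits are illustrative assumptions; a real service tunes them to its schema.
MAX_MESSAGE_BYTES = 64 * 1024   # refuse oversized payloads before any parsing
MAX_ATTRS_PER_ELEMENT = 32      # attribute floods are expensive for DOM parsers
MAX_DEPTH = 64                  # deep nesting exhausts recursive parsers


class RejectedXML(ValueError):
    """A message broke a structural limit or was not well-formed."""


def check_xml_message(data: bytes) -> dict:
    """Stream-parse with expat (SAX-style, bounded memory) and enforce limits
    before the service builds a DOM. Returns parse statistics, or raises."""
    if len(data) > MAX_MESSAGE_BYTES:
        raise RejectedXML(f"{len(data)} bytes exceeds {MAX_MESSAGE_BYTES}")

    stats = {"elements": 0, "max_attrs": 0, "max_depth": 0}
    depth = 0

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        stats["max_attrs"] = max(stats["max_attrs"], len(attrs))
        if len(attrs) > MAX_ATTRS_PER_ELEMENT:
            raise RejectedXML(f"<{name}> carries {len(attrs)} attributes")
        if depth > MAX_DEPTH:
            raise RejectedXML(f"nesting deeper than {MAX_DEPTH} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # A SOAP message never needs a DTD; entity declarations are the route to
        # entity-expansion and external-entity problems, so refuse DOCTYPE outright.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Overlapping or unclosed tags end up here: expat stops at the first error.
        raise RejectedXML(f"not well-formed: {exc}") from None
    return stats


def verdict(data: bytes) -> str:
    """Convenience wrapper for logging: 'ok' or the rejection reason."""
    try:
        check_xml_message(data)
        return "ok"
    except RejectedXML as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples: a normal SOAP body, overlapping tags, an attribute
    # flood, and a message that carries a DOCTYPE with an entity declaration.
    samples = {
        "soap": b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<e:Body><getUser id="7"/></e:Body></e:Envelope>',
        "overlap": b"<a><b></a></b>",
        "attrs": b"<r " + b" ".join(b'a%d="x"' % i for i in range(40)) + b"/>",
        "doctype": b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>',
    }
    for label, doc in samples.items():
        print(f"{label}: {verdict(doc)}")
```

Because expat reports each element as it is read, the check costs a constant amount of memory regardless of message size, which is exactly the property the DOM-based parser described above lacks.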

4. XML Content-level Testing
Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include:
  1) SQL Injection or XPath Injection
  2) Buffer Overflow
  3) Command Injection

5. HTTP GET parameters/REST Testing
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as "REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content in the HTTP GET string (e.g. extra-long parameters of 2048 chars, SQL statements/injection, or OS injection parameters).

6. Naughty SOAP attachments
This section describes attack vectors for Web Services that accept attachments. The danger exists in the processing of the attachment on the server and redistribution of the file to clients.

7. Replay Testing
This section describes testing for replay vulnerabilities in a web service. The threat of a replay attack is that the attacker can assume the identity of a valid user and commit some nefarious act without detection.
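The standard mitigation that this test probes for, a timestamp plus a random nonce bound to the message by an HMAC, as an added Python example that is not part of the original post or of the OWASP guide. The shared key, the freshness window and the message layout are assumptions made for the example; in a real service the key is per client and the nonce table is shared storage.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for the example: each client shares a secret key with the service
# and both sides agree on a freshness window in seconds.
SHARED_KEY = b"constructed-demo-key"
FRESHNESS_SECONDS = 300


def _mac(key: bytes, ts: str, nonce: str, body: bytes) -> str:
    return hmac.new(key, b"|".join([ts.encode(), nonce.encode(), body]),
                    hashlib.sha256).hexdigest()


def sign_request(body: bytes, key: bytes = SHARED_KEY, now=None, nonce=None) -> dict:
    """Client side: bind a timestamp and a random nonce to the body with an HMAC."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side: verify the MAC, then freshness, then that the nonce is new."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = FRESHNESS_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # nonce -> timestamp it was accepted with

    def verify(self, msg: dict, now=None) -> str:
        now = int(time.time() if now is None else now)
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        # Check integrity first: forged messages must not be able to probe or
        # fill the nonce table.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad signature"
        ts = int(msg["ts"])
        if abs(now - ts) > self.window:
            return "rejected: stale timestamp"
        # Nonces older than the window can be forgotten: a replay of them would
        # already fail the freshness check, so the table stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = ts
        return "accepted"


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = sign_request(b"transfer=10", now=1000, nonce="n1")   # constructed clock
    print(guard.verify(msg, now=1001))   # accepted
    print(guard.verify(msg, now=1002))   # rejected: replay
```

A captured message is therefore useless to a second sender: the timestamp bounds how long the nonce table must remember it, and the MAC stops the attacker from adjusting either field.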
Manusia Tak Sempurna
1. AJAX Vulnerabilities
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since AJAX is still a new technology, there are many security issues that have not yet been fully researched. Some of the security issues in AJAX include:
• Increased attack surface with many more inputs to secure
• Exposed internal functions of the application
• Client access to third-party resources with no built-in security and encoding mechanisms
• Failure to protect authentication information and sessions
• Blurred line between client-side and server-side code, resulting in security mistakes
2. How to test AJAX
Because most attacks against AJAX applications are analogs of attacks against traditional web applications, testers should refer to other sections of the testing guide to look for specific parameter manipulations to use in order to discover vulnerabilities. The challenge with AJAX-enabled applications is often finding the endpoints that are the targets for the asynchronous calls and then determining the proper format for requests.
Manusia Tak Sempurna
1. Testing for SQL Wildcard Attacks
2. Locking Customer Accounts
In this test we check whether an attacker can lock valid user accounts by repeatedly attempting to log in with a wrong password.
When we try to log in with an existing account and a wrong password, or with a non-existent account and a wrong password, we get the following error message:



When we try to register with an existing account we get the following error message:

3. Buffer Overflows
4. User Specified Object Allocation
In this test we check whether it is possible to exhaust server resources by making it allocate a very high number of objects.

Our targets cannot be attacked using this method:
 
5. User Input as a Loop Counter
6. Writing User Provided Data to Disk
With this test, we check that it is not possible to cause a DoS condition by filling the target disks with log data.
7. Failure to Release Resources
With this test, we check that the application properly releases resources (files and/or memory) after they have been used.
8. Storing too Much Data in Session
In this test, we check whether it is possible to allocate big amounts of data into a user session object in order to make the server exhaust its memory resources.
Manusia Tak Sempurna

TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP-DV-001)
Reflected Cross-site Scripting (XSS) is another name for non-persistent XSS, where the attack doesn’t load with the vulnerable web application but is originated by the victim loading the offending URI. In this article we will see some ways to test a web application for this kind of vulnerability.
TESTING FOR STORED CROSS SITE SCRIPTING (OWASP-DV-002)
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
This vulnerability can be used to conduct a number of browser-based attacks including:
  •  Hijacking another user’s browser
  •  Capturing sensitive information viewed by application users
  •  Pseudo defacement of the application
  •  Port scanning of internal hosts (“internal” in relation to the users of the web application)
  •  Directed delivery of browser-based exploits
  •  Other malicious activities
TESTING FOR DOM BASED CROSS SITE SCRIPTING (OWASP-DV-003)
The DOM, or Document Object Model, is the structural format that may be used to represent documents in the browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie. The DOM is also used by the browser for security – for example to limit scripts on different domains obtaining session cookies for other domains. A DOM-based cross site scripting vulnerability may occur when active content, such as a JavaScript function, is modified by a specially crafted request such that a DOM element can be controlled by an attacker.
TESTING FOR CROSS SITE FLASHING (OWASP-DV-004)
ActionScript is the language, based on ECMAScript, used by Flash applications when dealing with interactive needs. ActionScript, like every other language, has some implementation patterns which could lead to security issues.
In particular, since Flash applications are often embedded in browsers, vulnerabilities like DOM based Cross Site Scripting could be present in flawed Flash applications.
SQL INJECTION (OWASP-DV-005)
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
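An added Python example, not taken from the original post or the OWASP guide, that serves this section and the content-level vectors listed under XML content-level testing: the same user lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The tautology probe is the one a tester sends to confirm the first form is injectable; the second form treats it as an ordinary (non-existent) username.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': input is pasted into the SQL text, so data from the request
    can change the structure of the statement, not just the value compared."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter is always a value; quotes inside it stay data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # classic tautology used to confirm injection
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row comes back
    print("safe:      ", lookup_safe(conn, probe))         # no such username
```

The distinction the section draws between the data plane and the command plane is visible here: in the first function the probe becomes part of the statement's WHERE clause; in the second it can only ever be compared against the column.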
LDAP INJECTION (OWASP-DV-006)
LDAP is an acronym for Lightweight Directory Access Protocol. It is a paradigm to store information about users, hosts and many other objects. LDAP Injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified or inserted.
This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.
ORM INJECTION (OWASP-DV-007)
ORM Injection is an attack using SQL Injection against an ORM generated data access object model. From the point of view of a tester, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in code generated by the ORM tool.
XML INJECTION (OWASP-DV-008)
In this section, we describe a practical example of XML Injection: first we define an XML style communication, and we show how it works. Then we describe the discovery method in which we try to insert XML metacharacters. Once the first step is accomplished, the tester will have some information about XML structure, so it will be possible to try to inject XML data and tags (Tag Injection).
SSI INJECTION (OWASP-DV-009)
Web servers usually give the developer the possibility of adding small pieces of dynamic code inside static HTML pages, without having to use full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI), a very simple extension that can enable an attacker to inject code into HTML pages, or even perform remote code execution.
XPATH INJECTION (OWASP-DV-010)
XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.
IMAP/SMTP INJECTION (OWASP-DV-011)
This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not properly sanitized.
CODE INJECTION (OWASP-DV-012)
This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by the web server.
OS COMMANDING (OWASP-DV-013)
In this paragraph we describe how to test an application for OS commanding: this means trying to inject an OS command through an HTTP request to the application.
BUFFER OVERFLOW TESTING (OWASP-DV-014)
INCUBATED VULNERABILITY TESTING (OWASP-DV-015)
Also often referred to as persistent attacks, incubated vulnerability testing is a complex test that needs more than one data validation vulnerability to work. In this section we describe a set of examples to test an incubated vulnerability.
  •  The attack vector needs to be persisted in the first place: it needs to be stored in the persistence layer, and this would only occur if weak data validation was present or the data arrived in the system via another channel such as an admin console or directly via a backend batch process.
  •  Secondly, once the attack vector is “recalled”, the vector would need to be executed successfully. For example, an incubated XSS attack would require weak output validation so the script would be delivered to the client in its executable form.
TESTING FOR HTTP SPLITTING/SMUGGLING (OWASP-DV-016)
We will analyze two different attacks that target specific HTTP headers: HTTP splitting and HTTP smuggling. The first attack exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to ‘split’ that answer into two different HTTP messages. The goal of the attack can vary from cache poisoning to cross site scripting. In the second attack, the attacker exploits the fact that some specially crafted HTTP messages can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section.
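An added Python example (not from the original post or the OWASP guide) for the splitting case: a redirect built from a request parameter, once unchecked and once with the CR/LF check that closes the hole, plus a small reader that lists the header names a simple agent would see in the resulting response. The parameter value and the injected header name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Any CR, LF or NUL in a header value lets that value end one header and start another.
HEADER_CTL = re.compile(r"[\r\n\x00]")


def is_safe_target(target: str) -> bool:
    """Validate the *decoded* value: %0d%0a is decoded by the app before use."""
    return HEADER_CTL.search(unquote(target)) is None


def redirect_vulnerable(target: str) -> bytes:
    """The 'before': the request parameter is copied into Location unchecked."""
    target = unquote(target)
    head = "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n"
    return head.encode("utf-8")


def redirect_safe(target: str) -> bytes:
    """The fix: refuse anything that could terminate the header line early."""
    if not is_safe_target(target):
        raise ValueError("refusing redirect target containing CR, LF or NUL")
    return redirect_vulnerable(target)


def header_names(raw: bytes) -> list:
    """Read the response head the way a simple agent would and list the header
    names it sees; a split shows up as names the application never intended."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].strip().lower().decode()
            for line in head.split(b"\r\n")[1:] if line]


if __name__ == "__main__":
    # Constructed inputs: a normal target and one with an encoded CRLF that
    # tries to append a header of the sender's choosing.
    normal = "/account"
    crafted = "/account%0d%0aX-Injected:%201"
    print(header_names(redirect_vulnerable(normal)))    # ['location', 'content-length']
    print(header_names(redirect_vulnerable(crafted)))   # ['location', 'x-injected', 'content-length']
    print(is_safe_target(crafted))                      # False
```

The check belongs wherever a header value is assembled, not only on redirects; modern HTTP libraries such as Python's http.client apply the same rejection of CR/LF in header values, which is why the test in this section most often finds hand-rolled header writing.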

Manusia Tak Sempurna

Testing for business logic flaws in a multi-functional dynamic web application requires thinking in unconventional ways. If an application’s authentication mechanism is developed with the intention of performing steps 1, 2, 3 in order to authenticate, what happens if you go from step 1 straight to step 3? In this simplistic example, does the application provide access by failing open, deny access, or just error out with a 500 message? There are many examples that can be made, but the one constant lesson is “think outside of conventional wisdom”. This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester. In addition, this type of vulnerability is usually one of the hardest to detect, but, at the same time, usually one of the most detrimental to the application, if exploited.
Business logic may include:
  • Business rules that express business policy (such as channels, location, logistics, prices, and products); and
  • Workflows based on the ordered tasks of passing documents or data from one participant (a person or a software system) to another.
Attacks on the business logic of an application are dangerous, difficult to detect, and are usually specific to the application being tested.
Manusia Tak Sempurna
Testing for Path Traversal (OWASP-AZ-001)

Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an attacker could exploit the system in order to read/write files that are not intended to be accessible. In particular situations, it could be possible to execute arbitrary code or system commands.
Stage (a): Input Vectors Enumeration (a systematic evaluation of each input vector)
Stage (b): Testing Techniques (a methodical evaluation of each attack technique used by an attacker to exploit the vulnerability)
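On the server side the whole category comes down to one containment check. The following added Python example (not from the original post or the OWASP guide) resolves a client-supplied file name against a served directory and rejects anything that escapes it, including URL-encoded and NUL-truncated variants; the directory and the file names are constructed for the demo.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


class PathRejected(ValueError):
    """The requested name would resolve outside the served directory."""


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a client-supplied file name onto a path that must stay inside base_dir.
    Decodes once (as the web server does before the handler runs), refuses NUL,
    then compares canonical paths so '..', '//' and symlinks are all resolved
    before the containment check."""
    name = unquote(requested)
    if "\x00" in name:
        raise PathRejected("NUL byte in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # 'base + os.sep' stops /srv/files2 from passing as inside /srv/files.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathRejected(f"{requested!r} resolves outside the served directory")
    return candidate


def classify(base_dir: str, names) -> dict:
    """Run each name through the check; 'ok' or 'rejected' per name."""
    out = {}
    for name in names:
        try:
            resolve_download(base_dir, name)
            out[name] = "ok"
        except PathRejected:
            out[name] = "rejected"
    return out


def demo() -> dict:
    """Exercise the check against a scratch directory with constructed inputs."""
    base = tempfile.mkdtemp(prefix="files-")
    try:
        return classify(base, [
            "report.txt",                 # plain name
            "sub/../report.txt",          # traversal that still stays inside
            "../../etc/passwd",           # plain traversal
            "..%2F..%2Fetc%2Fpasswd",     # URL-encoded traversal
            "/etc/passwd",                # absolute path: os.path.join drops the base
            "report.txt%00.jpg",          # NUL truncation trick
        ])
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:8s} {name}")
```

Note that the decision is made on the canonical path, not on the presence of "../" in the input: a denylist of traversal strings is exactly the kind of "input validation method that has not been well designed" the section warns about.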


Testing for bypassing authorization schema (OWASP-AZ-002)

This kind of test focuses on verifying how the authorization schema has been implemented for each role/privilege to get access to reserved functions/resources.


Testing for Privilege Escalation (OWASP-AZ-003)

This section describes the issue of escalating privileges from one stage to another. During this phase, the tester should verify that it is not possible for a user to modify his or her privileges/roles inside the application in ways that could allow privilege escalation attacks.


Manusia Tak Sempurna

TESTING FOR SESSION MANAGEMENT SCHEMA (OWASP-SM-001)

Method: POST
Content-Type: multipart/form-data; boundary=d41d8cd98f00b204e9800998ecf8427e
Content-length: 38


00000000 2D 2D 64 34 31 64 38 63 64 39 38 66 30 30 62 32 --d41d8cd98f00b2
00000010 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 04e9800998ecf842
00000020 37 65 2D 2D 0D 0A 7e--..

Cookies

akakom_tpl=akakom; __utma=242819602.142294096.1307223034.1307223034.1307430533.2; __utmz=242819602.1307223034.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 69cb2eb0a19889c0e172765110b05475=8t1prvlodibs737lv6i4tf8st4; __utmb=242819602.1.10.1307430533; __utmc=242819602

Burp Suite (pic 1, pic 2, pic 3)

Web Scarab


HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jun 2011 07:34:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Set-Cookie: 69cb2eb0a19889c0e172765110b05475=pseoevo6b6n1042tuvdc0gmq13; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location:
Content-length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

TESTING FOR COOKIES ATTRIBUTES (OWASP-SM-002)
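For this section and the session-management schema above, an added Python example (not part of the original post) that audits the Set-Cookie header captured in the WebScarab response: it flags missing HttpOnly, Secure and SameSite attributes, a persistent lifetime, and an apparently short session identifier. The entropy figure is an upper bound inferred from the token's alphabet, an assumption about how the token was generated rather than a measurement.

```python
import math
import string

# The Set-Cookie value captured above in the WebScarab response, used as input.
PAGE_COOKIE = "69cb2eb0a19889c0e172765110b05475=pseoevo6b6n1042tuvdc0gmq13; path=/"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def estimated_entropy_bits(value: str) -> float:
    """Upper bound on a token's entropy, inferred from its apparent alphabet."""
    if all(c in string.hexdigits for c in value):
        alphabet = 16
    elif all(c in string.ascii_lowercase + string.digits for c in value):
        alphabet = 36
    elif all(c in string.ascii_letters + string.digits for c in value):
        alphabet = 62
    else:
        alphabet = 64
    return len(value) * math.log2(alphabet)


def audit_session_cookie(header: str, over_tls: bool = True, min_bits: int = 64) -> list:
    """Return short finding codes for attributes a session cookie should carry."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("no-httponly")      # readable by script: XSS can steal it
    if over_tls and "secure" not in attrs:
        findings.append("no-secure")        # also sent over plain HTTP
    if "samesite" not in attrs:
        findings.append("no-samesite")      # no CSRF mitigation from the cookie itself
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")       # survives closing the browser
    if estimated_entropy_bits(cookie["value"]) < min_bits:
        findings.append("low-entropy")      # guessable session identifier
    return findings


if __name__ == "__main__":
    # The page's cookie was served over plain HTTP (port 80), hence over_tls=False.
    print(audit_session_cookie(PAGE_COOKIE, over_tls=False))
    print(audit_session_cookie(
        "sid=0123456789abcdef0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"))
```

Against the captured header the audit reports the missing HttpOnly and SameSite attributes; Secure is only reported when the site is served over TLS, which the authentication post below records as not being the case here.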


TESTING FOR SESSION FIXATION (OWASP-SM-003)
Found in picture no. 1.

TESTING FOR EXPOSED SESSION VARIABLES (OWASP-SM-004)

TESTING FOR CSRF (OWASP-SM-005)


Manusia Tak Sempurna
<Credentials transport over an encrypted channel (OWASP-AT-001)>
not found

<Testing for user enumeration (OWASP-AT-002)>
>>we test with a valid user and the right password
>>now I will try to insert an invalid userID and a wrong password

 >>result

>>this tries the valid userID with a wrong password

>>result

>>and accidentally
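
The defensive counterpart of this test, as an added Python example that is not part of the original post: a login routine that returns one message for both failure cases and hashes a dummy credential for unknown users so that the response time does not differ either, next to the leaky version that answers the two failures differently. The user store, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed value; tune to the deployment's budget
GENERIC_ERROR = "Invalid username or password"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store() -> dict:
    """Constructed user store: username -> (salt, pbkdf2 hash)."""
    salt = os.urandom(16)
    return {"alice": (salt, _hash("correct horse battery", salt))}


# Fixed dummy credential used for unknown users, so the server does the same
# amount of hashing work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str) -> tuple:
    """The 'before': different messages, and no hashing work at all for an
    unknown user, tell a tester which usernames exist."""
    if username not in store:
        return False, "Unknown user"
    salt, stored = store[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password"
    return True, "ok"


def login_uniform(store: dict, username: str, password: str) -> tuple:
    """The fix: one message and one code path for every failure."""
    salt, stored = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # The membership test is evaluated after the hash so an unknown user costs
    # the same as a wrong password; it also guards against a dummy-hash match.
    if username not in store or not matched:
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    store = make_store()
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn(store, "nobody", "x")[1], "|", fn(store, "alice", "x")[1])
```

The registration form mentioned in the resource-exhaustion post is the other classic oracle: "account already exists" leaks the same information, and the usual answer there is a neutral message plus an e-mail to the address on file.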

<Testing for Guessable (Dictionary) User Account (OWASP-AT-003)>
>>before we guess the default password, we search for the admin login interface with nikto


- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          110.76.151.4
+ Target Hostname:    www.akakom.ac.id
+ Target Port:        80
+ Start Time:         2011-06-05 14:32:56
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.5
+ robots.txt contains 14 entries which should be manually viewed.
+ ETag header found on server, inode: 5594158, size: 11692, mtime: 0x963c12c0
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /error_log: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 2 error(s) and 22 item(s) reported on remote host
+ End Time:           2011-06-05 14:46:34 (818 seconds)
---------------------------------------------------------------------------

We found the login for phpMyAdmin.


>>Try the following usernames at phpMyAdmin: "root", "admin", "akakom". These are probably the ones used by the akakom admin. Attempt any combination of the above in both the username and the password fields.
While we were trying to break through phpMyAdmin, the server went down with a MySQL server error



<Brute Force Testing (OWASP-AT-004)>
>>we use hydra to brute-force

Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2011-06-05 13:03:22
[DATA] 3 tasks, 1 servers, 3 login tries (l:1/p:3), ~1 tries per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
[DEBUG] Code: attack Time: 1307253802
[DEBUG] Options: mode 48 ssl 1 restore 0 showAttempt 0 tasks 3 tnp 1 tpsal 1 exit_found 0 miscptr /foo/bar/protected.html service http-get
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 3 todo 3 sent 0 found 0 countlogin 1 sizelogin 6 countpass 3 sizepass 6
[DEBUG] Target 0 - target www.akakom.ac.id ip 110.76.151.4 login_no 0 pass_no 0 sent 0 pass_state 0 use_count 0 max_use_count 255 done 0 fail_count 0 login_ptr admin pass_ptr admin
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Task 1 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Task 2 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 3.
[ATTEMPT] target www.akakom.ac.id - login "admin" - pass "" - child 0 - 1 of 3
[ATTEMPT] target www.akakom.ac.id - login "admin" - pass "admin" - child 1 - 2 of 3
[DEBUG] pass_state: 2 login_no: 0 pass_no: 2 (countlogin: 1 countpass:3)
[STATUS] attack finished for www.akakom.ac.id (waiting for children to finish)
[ATTEMPT] target www.akakom.ac.id - login "admin" - pass "" - child 2 - 4 of 3
DEBUG_CONNECT_OK
DEBUG_CONNECT_OK
DEBUG_CONNECT_OK
Error: SSL Connect 0
Error: SSL Connect 0
Error: SSL Connect 0
Could not create an SSL session: error:00000000:lib(0):func(0):reason(0)
Error: Child with pid 10686 terminating, can not connect
Could not create an SSL session: error:00000000:lib(0):func(0):reason(0)
Error: Child with pid 10685 terminating, can not connect
Could not create an SSL session: error:00000000:lib(0):func(0):reason(0)
Error: Child with pid 10684 terminating, can not connect
Hydra (http://www.thc.org/thc-hydra) finished at 2011-06-05 13:03:23
<finished>
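Each attempt against a basic-auth protected page like the one Hydra is pointed at above is a request the server answers with 401, which is the signal a defender can alert on. As an added Python example (not from the original post), the following rule parses Apache combined-format access log lines and raises one alert per client and path once five 401s accumulate inside a minute; the log lines use RFC 5737 documentation addresses and are constructed, not taken from the target.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (RFC 5737 documentation addresses),
# not taken from the target discussed on this page.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2011:13:03:22 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.20 - - [05/Jun/2011:13:03:23 +0000] "GET /index.php HTTP/1.1" 200 11692 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jun/2011:13:03:23 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jun/2011:13:03:24 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.30 - - [05/Jun/2011:13:03:24 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jun/2011:13:03:25 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jun/2011:13:03:26 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jun/2011:13:03:27 +0000] "GET /protected.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, path, status), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Sliding-window rule: alert once per (client, path) when `threshold` 401
    responses to the same path arrive from one client within `window`."""
    failures = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status != 401:
            continue
        key = (ip, path)
        q = failures[key]
        q.append(ts)
        while ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "path": path, "failures": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on client and path rather than on the account name is deliberate: in a basic-auth exchange the username is only visible after decoding the Authorization header, which the access log does not record, whereas the 401 count per source is always available.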



<Testing for bypassing authentication schema (OWASP-AT-005)>
<Testing for vulnerable remember password and pwd reset (OWASP-AT-006)> 
>>this site has a forgot-password facility for its members

<Testing for Logout and Browser Cache Management (OWASP-AT-007)> 
<Testing for CAPTCHA (OWASP-AT-008)>
not found
<Testing Multiple Factors Authentication (OWASP-AT-009)>
<Testing for Race Conditions (OWASP-AT-010)>
