Documente Academic
Documente Profesional
Documente Cultură
Matteo Meucci
Alberto Revelli
EUSecWest07
March 1st, 2007 London
Copyright 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
Agenda:
OWASP Projects The new Testing Guide: goals and deliverables The OWASP Testing Framework The Testing Methodology: how to test The reporting: how to evaluate the risk and write a report How the Guide will be useful to the web security industry Q&A
EUSecWest 07
OWASP
INS Consultant (www.ins.com), CISSP, CISA 6+ years on Information Security focusing on Application Security OWASP Italy founder and Chair OWASP Testing Guide lead 2007
Alberto Revelli
Consultant for Spike Reply (www.reply.it) 5+ years of full-time penetration testing Developer of sqlninja Technical Director of the Italian chapter of OWASP
OWASP
3
EUSecWest 07
The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all. Everything here is free and open source. Main objectives: producing tools, standards and documentations related to Web Application Security. Thousands active members, 82 local chapters in the world
BuildingGuide CLASP Ajax Orizon .NET, Java Yours! Testing Guide WebScarab Validation Certification
Top 10
Training
Conferences WebGoat Building our brand
Chapters
Project incubator Wiki portal Forums Blogs
EUSecWest 07
OWASP
EUSecWest 07
OWASP
Testing Guide
Vulnerabilities
Vulnerability
System Impacts
Asset
Countermeasures
Countermeasure
Attacks
Attack
Building Guide
EUSecWest 07
OWASP
OWASP Testing Guide v2: Goals Review all the documentation on testing: July 14, 2004
"OWASP Web Application Penetration Checklist", Version 1.1
December 2004
"The OWASP Testing Guide", Version 1.0
Create a complete new project focused on Web Application Penetration Testing Create a reference for application testing
Describe the OWASP methodology
EUSecWest 07
OWASP
* Vicente Aguilera * Mauro Bregolin * Tom Brennan * Gary Burns * Luca Carettoni * Dan Cornell * Mark Curphey * Daniel Cuthbert * Sebastien Deleersnyder * Stephen DeVries * Stefano Di Paola
* David Endler * Giorgio Fedon * Javier Fernndez-Sanguino * Glyn Geoghegan * Stan Guzik * Madhura Halasgikar * Eoin Keary * David Litchfield * Andrea Lombardini * Ralph M. Los * Claudio Merloni
* Matteo Meucci * Marco Morana * Laura Nunez * Gunter Ollmann * Antonio Parata * Yiannis Pavlosoglou * Carlo Pelliccioni * Harinath Pudipeddi * Alberto Revelli * Mark Roxberry * Tom Ryan
* Anush Shetty * Larry Shields * Dafydd Studdard * Andrew van der Stock * Ariel Waissbein * Jeff Williams
EUSecWest 07
OWASP
Dec 2006:
Review all the Guide Write the Guide in doc format
Jan 2007:
OWASP Testing Guide Release Candidate 1: 272 pages, 46 tests Feedback and review
Feb 2007:
OWASP Testing Guide v2 officially released
EUSecWest 07
OWASP
10
1. Frontispiece 2. Introduction
EUSecWest 07
OWASP
11
Principles of Testing: comparing the state of something against a set of criteria defined and complete.
We want security testing not be a black art
Testing Techniques:
Manual Inspections & Reviews Threat Modeling Code Review
Penetration Testing
EUSecWest 07
OWASP
12
EUSecWest 07
OWASP
13
EUSecWest 07
OWASP
14
Code Reviews:
Static code reviews validate the code against a set of checklists:
CIA Triad
EUSecWest 07
OWASP
15
Phase 5: Maintenance and Operations Conduct operational management reviews Conduct periodic health checks Ensure change verification
EUSecWest 07
OWASP
16
What is a vulnerability?
A weakness on a asset that makes a threat possible
References
EUSecWest 07
OWASP
18
The penetration tester does not have any information about the structure of the application, its components and internals
Gray Box
The penetration tester has partial information about the application internals. E.g.: platform vendor, sessionID generation algorithm
White box testing, defined as complete knowledge of the application internals, is beyond the scope of the Testing Guide and is covered by the OWASP Code Review Project
EUSecWest 07
OWASP
19
Testing Model
We have split the set of tests in 8 sub-categories (for a total amount of 48 controls):
Information Gathering
Business logic testing Authentication Testing Session Management Testing
Information Gathering
The first phase in security assessment is of course focused on collecting all the information about a target application. Using public tools it is possible to force the application to leak information by sending messages that reveal the versions and technologies used by the application Available techniques include: Raw HTTP Connections (netcat) The good ol' tools: nmap, amap, ... Web Spiders Search engines (Google Dorking) SSL fingerprinting File extensions handling Backups and unreferenced files
EUSecWest 07
OWASP
21
EUSecWest 07
OWASP
22
Apache 1.3.23
HTTP/1.1 505 HTTP Version Not Supported Server: obfuscated :P Date: Mon, 16 Jun 2003 06:04: 04 GMT Content-length: 140 Content-type: text/HTML Connection: close
HTTP/1.1 200 OK Server: obfuscated :P Content-Location: http://target.com/Default.htm Date: Fri, 01 Jan 1999 20:14: 02 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT ETag: W/e0d362a4c335be1: ae1 Content-Length: 133
IIS 5.0
EUSecWest 07
OWASP
24
This step is the most difficult to perform with automated tools, as it requires the penetration tester to perfectly understand the business logic that is (or should be) implemented by the application
EUSecWest 07
OWASP
25
New customers, when buying a SIM card, can open a free, permanent webmail account with the flawedphone.com domain The webmail account is preserved even if the customer transfers the SIM card to another telecom operator However, as long as the SIM card is registered to FlawedPhone, each time an email is received an SMS message is sent to the customer The SMS application checks that the target phone number is a legitimate customer from its own copy of the FlawedPhone customers list
EUSecWest 07
OWASP
26
All FlawedPhone systems worked as expected, and there were no bugs in the application code. Still, the logic was flawed.
EUSecWest 07
OWASP
27
Deal 2 cards The difference between t1 and t2 was enough to give the player an edge over the house
upcard == Ace ?
yes
no
hole == ten ?
yes
t1 Offer Insurance t1 != t2
EUSecWest 07
t2
OWASP
28
Authentication testing
Testing the authentication scheme means understanding how the application checks for users' identity and using that information to circumvent that mechanism and access the application without having the proper credentials
Tests include the following areas: Default or Guessable Accounts Brute-force Bypassing Authentication Directory Traversal / File Include Vulnerable Remember Password and Password Reset Logout and Browser Cache Management
EUSecWest 07
OWASP
29
Tests include the following areas: Analysis of the session management scheme Cookie and session token manipulation Exposed session variables Cross Site Request Forgery HTTP Exploiting
EUSecWest 07
OWASP
30
EUSecWest 07
OWASP
31
EUSecWest 07
OWASP
32
SQL Injection Test that the application properly filters SQL code embedded in the user input
Other attacks based of faulty input validation... LDAP/XML/SMTP/OS injection Buffer overflows
EUSecWest 07 OWASP
33
2) Upload the script and call debug.exe on it. Now we have uploaded an executable using only normal http request :)
http://www.victim.com/login.asp?code=0;exec+master..our_cmdshell+'echo+n+prog.tx t+>+prog.scr';
....
http://www.victim.com/login.asp?code=0;exec+master..our_cmdshell+'debug+<+prog. scr'; http://www.victim.com/checkid.asp?code=0;exec+master..our_cmdshell+'ren+prog.txt +prog.exe';
EUSecWest 07 OWASP
EUSecWest 07
OWASP
36
EUSecWest 07
OWASP
37
EUSecWest 07
OWASP
38
EUSecWest 07
OWASP
39
EUSecWest 07
OWASP
40
AJAX Testing
AJAX (Asynchronous JavaScript and XML) is a web development technique used to create more interactive web applications. XMLHttpRequest object and JavaScript to make asynchronous requests for all communication with the server-side application. Main security issues: AJAX applications have a greater attack surface because a big share of the application logic is moved on the client side AJAX programmers seldom keep an eye on what is executed by the client and what is executed by the server Exposed internal functions of the application Client access to third-party resources with no built-in security and encoding mechanisms Failure to protect authentication information and sessions AJAX Bridging
EUSecWest 07 OWASP
41
AJAX Testing
While in traditional web applications it is very easy to enumerate the points of interaction between clients and servers, when testing AJAX pages things get a little bit more complicated, as server-side AJAX endpoints are not as easy or consistent to discover To enumerate endpoints, two approaches must be combined:
Look through HTML and Javascript (e.g: look for XmlHttpRequest objects) Use a proxy to monitor traffic Tools: OWASP Sprajax or Firebug add-on for Firefox
Then you can test it as described before (SQL Inj, etc..) ...and don't forget AJAX potential in prototype hijacking and resident XSS !
EUSecWest 07
OWASP
42
EUSecWest 07
OWASP
43
EUSecWest 07
OWASP
44
Vulnerability Factors:
Ease of discovery (0-9) Ease of exploit (0-9) Awareness (0-9) Intrusion detection (0-9)
EUSecWest 07 OWASP
45
Technical impact:
Loss Loss Loss Loss of of of of confidentiality (0-9) integrity (0-9) availability (0-9) accountability (0-9)
Business impact:
Financial damage (0-9) Reputation damage (0-9) Non-compliance (0-9) Privacy violation (0-9)
EUSecWest 07
OWASP
46
In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from technical the overall severity is HIGH. But business impact is actually LOW, so the overall severity is best described as LOW as well.
EUSecWest 07 OWASP
47
EUSecWest 07
OWASP
48
Writing Report
I. Executive Summary II. Technical Management Overview III Assessment Findings IV Toolbox
EUSecWest 07
OWASP
49
Pen-testers
A structured approach to the testing activities A checklist to be followed A learning and training tool A tool to understand web vulnerabilities and their impact A way to check the quality of the penetration tests they buy
Clients
More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures
EUSecWest 07
OWASP
50
Whats next
You should adopt this guide in your organization
Continuously reprioritize OWASP Testing Guide next steps:
Continuously improve the Testing Guide: its a live document! Contribute to the new version Improve the client side testing
EUSecWest 07
OWASP
51
Thank you!