Monday, June 18, 2007

Penetration Testing: Web-Applications Test-Cases (Chapter 1)

(Images have been used for HTML tags and scripts, as tags are not permitted in some Blogspot fields and scripts may get executed in readers' browsers.)





Broken Authentication and Session Management:


• For well-known applications, try a Google search for default usernames and passwords. Try those first.

• If there is no lockout policy in place, try a brute-force or dictionary attack (you may try the Brutus tool, which supports both Basic authentication and form-based authentication).

• Basic Authentication: Basic authentication sends the user's credentials Base64-encoded in the 'Authorization' request header. Use WebScarab -> Tools -> Transcoder to Base64-decode the value of the Authorization header.

• The server may skip authentication if you send the right cookie. Intercept the cookies using a proxy (Paros or WebScarab; both are free) and try to replay the cookie.

• Try guessing cookie values, and manipulate the cookie value in transit through Paros or WebScarab.

Buffer Overflows:

Make an HTTP request to the application with a long query string. The request should be denied and the application should not crash.

You may try a long character string such as

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

or

2652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652

(You may try the TamperIE tool for Internet Explorer; it's free and has a few built-in cases.)



Improper Error Handling:

You can change the length, existence, or values of authentication parameters. Try deleting a parameter ENTIRELY with a browser plug-in or proxy. Apart from interesting error messages, there is a high probability that you may get authenticated as well.

Insecure Storage:

Primarily you test the weak encoding methods used for session IDs, cookies, Basic authentication, etc. You may try the Cain & Abel tool (free) or online ASCII converters.
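As an added example (not code from the original post), a small Python check that performs the two inspections above on your own application's traffic: it Base64-decodes an HTTP Basic 'Authorization' header to show that the credentials are only encoded, and flags cookies whose value is merely Base64 of readable text rather than a random token. The request, host and values are constructed for illustration.

```python
import base64
import string
# Constructed sample request for illustration; not captured from any real system.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n"
    "Cookie: sessionid=dXNlcj1hbGljZTtyb2xlPWFkbWlu; csrf=k9Qw7ZpL2mXa\r\n"
    "\r\n"
)
PRINTABLE = set(string.printable)

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_if_readable(token):
    """Base64-decode token and return the text if it is printable ASCII, else None.
    A hit signals mere encoding, not encryption or randomness (a heuristic)."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and all(c in PRINTABLE for c in text) else None

def basic_auth_credentials(headers):
    """Return (user, password) if the request carries HTTP Basic credentials."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    text = decode_if_readable(token.strip()) if scheme.lower() == "basic" else None
    if text is None or ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password

def weakly_encoded_cookies(headers):
    """Return {cookie name: decoded text} for cookies that are just Base64 of text."""
    findings = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        text = decode_if_readable(value) if sep else None
        if text is not None:
            findings[name] = text
    return findings
```

Run against a proxy capture of your own application, a non-empty result from either function means credentials or session state are travelling in a form anyone on the path can read back.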

Denial of Service:

Access two applications/services hosted on the same server. Bombard one of them with a load of requests, then try to make a request to the other application. The request should be denied.

In case account lockout is configured, try a high number of invalid logons to lock the account down. You may try automated tools.


Insecure Configuration Management:

• Try to guess the URL for the admin page
• Try directory traversal
• Try OS command injection


To be continued with Chapter 2…

