Monday, June 25, 2007

Paros Proxy: Step-by-Step Guide (Automated Security Assessment)

Continuing from the last post, here is a hands-on with Paros proxy. As already mentioned, it is a great tool for a first-cut assessment of web application security. Configure the proxy settings of your web browser, visit a few pages of the test site to create a seed for the crawler to start from, spider, and finally scan. That's it! Within 15 minutes of launching the application you will have a list of vulnerabilities from which you can start a further, in-depth assessment.

Step 1:

Check the proxy settings of Paros under Tools > Options.

Local proxy is the address and port you will configure in the web browser. By default, Paros listens on localhost, port 8080.
Under Connection settings you configure the address and port number of your corporate/ISP proxy. If you are not behind a proxy server, leave it unchecked (the default). You can also bypass certain addresses and configure proxy authentication details.





Step 2:

Next, open the proxy settings dialog of your web browser and enter the proxy server address and port number, i.e. the Paros settings from Step 1.

Step 3:

Next, open the web site you want to assess.

Access (crawl) some of its URLs manually, so that Paros gets a seed to start crawling from.





Step 4:


Once the seed has been generated in Paros, highlight the web site in the Sites pane, right-click and select Spider.



This will start the automatic crawling function.

Step 5:


Now select Analyze > Scan policy from the top menu, and select the vulnerabilities you want to scan for. Notice that it covers almost all of the OWASP Top 10 vulnerabilities.

Step 6:

Once the scan policy is defined, you can start the scan for one or more (or all) of the web sites visible in the Sites pane.





Once the scan is complete, you can view the results, with test data, in the Alerts window at the bottom.

Step 7:

Now you can generate a detailed report of the findings from Report > Last Scan Report.





The assessment report will contain the vulnerability description, exact instances (URL and affected parameters), recommended solution and relevant references.

I hope the post was informative and that within a short time you too will be able to perform your first automated web application vulnerability scan.

Automated Web-Site Crawling Tools

Manual application security testing provides granular control; however, it can become very exhausting and monotonous. As a professional application security tester you will often come across projects where hundreds of web pages have to be tested, and if you do not have sufficient time there is a high probability of missing critical vulnerabilities.

This is where automation of crawling and scanning comes in. It can save a tremendous amount of time and labour. Apart from these two obvious benefits, you get a high-level schema of the whole web site in just a few minutes, and once you can see the logical interconnection of web pages/scripts it is far easier to plan the attack phase.
The two most popular free automated crawlers are:

  • Paros
  • WebScarab

Web site layout after crawling is finished:

Basically these are proxy applications with a built-in crawling function. They operate as a man-in-the-middle between your browser and the web server. Every request/response between your browser and the server is trapped, and the proxy maintains a log of every single transaction. You can select any of the sites cached by the proxy and crawl it (Paros and WebScarab use the term "spider" for crawling) for interconnected web pages.

Additionally, Paros can scan a web site for vulnerabilities and generate a vulnerability report with priority, description and recommended countermeasures.
Other crawler applications are:
  • Wget (crawls and downloads the contents of a web site; supported on Windows and *nix)
  • Teleport Pro (a Windows-based commercial tool for crawling and local caching)
  • Lynx (an advanced, text-based browser for *nix platforms)

So far we have covered the positives of automated crawlers; however, they have the following limitations as well:

  • Automated crawlers do not work well with client-side code such as JavaScript, Java applets, Flash and ActiveX.
  • Being automated by nature, they do not interact well with web pages requiring human input and may not be able to reach all possible child routes (web pages).
  • Crawlers may not be able to retrieve the complete hierarchy of sites with multiple levels of web authentication. For example, even after logging in you may be required to submit a transaction password or type in a value based on an image (CAPTCHA).
  • Crawlers may not be able to retrieve the complete hierarchy of sites that produce different web pages for different user types (role-based authentication). In such cases only the pages accessible to the current user will be retrieved.
  • Crawlers may miss URLs that are built inside function calls (script code) rather than appearing in the HTML.
  • Crawlers search multi-threaded; therefore web sites that restrict multiple simultaneous sessions for the same user may lock the account and cause a denial of service.

For these reasons, professional testers prefer a mix of automated tools and manual testing. They split the whole project on the basis of the different access (crawl) levels and test each separately.
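To make concrete what the spider in these proxies does, and why the limitations above bite, here is an added Python example that is not part of Paros or WebScarab: a minimal same-origin spider run against a constructed in-memory site. It follows href, src and form action attributes, stays on the seed's host, and never discovers a page whose URL exists only inside a JavaScript function, which is exactly the gap noted above. The site content, host names and page limit are all constructed for the example.

```python
"""Minimal same-origin spider over an in-memory site (constructed sample).
Added example; not the spider code of Paros or WebScarab."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed sample site: a dict standing in for HTTP responses so the example
# runs offline. A real run would replace fetch() with an actual HTTP GET.
SAMPLE_SITE = {
    "http://shop.example/": """<html><body>
        <a href="/catalog">Catalog</a>
        <a href="about.html">About</a>
        <a href="http://other.example/partner">Partner</a>
        <script>function go(){ location.href = '/js-only-page'; }</script>
        <a href="#" onclick="go()">Go</a>
        </body></html>""",
    "http://shop.example/catalog": """<html><body>
        <form action="/order" method="post">
          <input type="hidden" name="cost" value="750"></form>
        <a href="/catalog?page=2">Next</a>
        <a href="/">Home</a></body></html>""",
    "http://shop.example/about.html":
        "<html><body><a href='/catalog'>Catalog</a></body></html>",
    "http://shop.example/catalog?page=2": "<html><body>end</body></html>",
    "http://shop.example/order": "<html><body>order</body></html>",
    # Reachable only through script code: an HTML-only spider never sees it.
    "http://shop.example/js-only-page": "<html><body>never linked</body></html>",
}


class LinkExtractor(HTMLParser):
    """Collect href/src/action attributes; that is all an HTML-only spider can see.
    Script bodies are not parsed as markup, so URLs inside them are skipped."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return SAMPLE_SITE.get(url)


def spider(seed, max_pages=50):
    """Breadth-first, single-threaded crawl restricted to the seed's host.
    Returns the set of URLs reachable via HTML links (plus the seed itself).
    One request at a time avoids the session-limit lockout noted above."""
    host = urlparse(seed).netloc
    queue = deque([seed])
    seen = {seed}
    found = set()
    while queue and len(found) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        found.add(url)
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            absolute, _fragment = urldefrag(urljoin(url, link))
            if urlparse(absolute).netloc != host:
                continue  # stay in scope: never wander onto third-party hosts
            if absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return found


if __name__ == "__main__":
    for page in sorted(spider("http://shop.example/")):
        print(page)
```

Running it lists the five HTML-reachable pages and omits both the partner host and the JavaScript-only page; that missing page is the kind of URL the manual part of an assessment has to pick up.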

Friday, June 22, 2007

XSS Vulnerability in www.blogger.com

XSS Vulnerability example:

Hyderabadi Biryani @ HYDERABAD HOUSE

In the olden days when the armies marched long stretches, they were to be fed in the most befittingly nutritious manner. Hence they carried with them herds of sheep, goats, rations of rice and wheat as their staple diet. The meat was then cooked with rice or wheat; what was cooked with rice came to be known as BIRYANI and with wheat as HALEEM. The remnants of the lamb such as trotters, organs etc. were cooked overnight and served the next morning, and came to be known as NAHARI/PAYA.

The Nizam and other members of the royal family, such as Salar Jung and Viqar-ul-Umrah, with unwavering dedication from the royal cooks of the erstwhile Nizam, perfected this most ordinary cooking by using expensive, special and aromatic ingredients to produce food of the highest quality of taste and nutrition, creating a perfect balance of proteins, carbohydrates etc. The extent of care taken is evident from the fact that even the metal used in the cooking vessels was predominantly copper, which helps in slow cooking while retaining the original flavours of the meats.

HYDERABAD HOUSE, (estd 1975 by its founder Late Mir Baber Ali) continues this legacy with equal finesse, which has made it a household name among one and all in Hyderabad. Hyderabad House intends to promote this unique cuisine not only in the city of Hyderabad but also to all parts of the country and abroad.

Tuesday, June 19, 2007

Tamper Data: Firefox Add-On for Web-Application Security Testing

(Images have been used for HTML tags and scripts, as tags are not permitted in some Blogspot fields and scripts may get executed in readers' browsers.)

Tamper Data is a very powerful, free add-on for Mozilla Firefox. Truly speaking, I never expected an 80 KB plugin to have so many functionalities.
You can tamper with (as the name suggests) HTTP/HTTPS requests by trapping browser responses, manipulating HTTP parameters like content-type and length (useful in HTTP splitting), cookies and POST data; you can add or delete elements/fields; and last but not least, you have a good number of built-in test cases which you can try during web application security testing.

Let's have a quick look at the product and, in parallel, learn some hacking....;-)

Tablet Super Store is an online PC shop (http://www.bayden.com/sandbox/shop/), intentionally designed with a vulnerability so that wannabe penetration testers can test their mettle.






We will also try to hack it, but in a while...

First, some homework with Tamper Data (TD). If you have downloaded and installed the tool from the Mozilla Firefox add-on site (https://addons.mozilla.org/en-US/firefox/addon/966) you will find it under Tools > Tamper Data.
Next, select the Start Tamper option from the TD menu to trap every web request/response. As you can see in the image below, the moment a request/response is generated it gets trapped between your browser and the web server. You get three options:
  1. Tamper (to manipulate it)
  2. Submit (accept the request/response as-is)
  3. Abort Request (stop the data flow before it reaches the web server)

Additionally, it asks "Continue Tampering?" (no need for explanation).




While shopping at the PC Mall, I selected the quantity of PCs I wanted to purchase and clicked ORDER, and I got a pop-up with the three options mentioned above. Let's tamper....
Wow.. all HTTP request/response fields are available in an easy to understand format (I hope you also prefer the tabular view of HTTP data over the raw view, and in case you don't understand the raw view at the moment, forget it).

Here comes the best part of TD. As you can see in the image below, you get a good number of options to try on the trapped data: add/delete fields, play with encoding/decoding, try some input validation, cross-site scripting or SQL injection tests.


Let's see what we have for input validation....


A variety of data formats which you can try for input validation, client-side validation and sometimes for buffer overflow tests.
Next comes XSS, or cross-site scripting.

You have a good variety of scripting tests. You may start with the Alert test, which works well on most XSS-vulnerable sites. (Hint: try it in someone's guestbook or feedback form. If the site is XSS vulnerable she will get a nice pop-up with a hello message written on it.)
Next in the row is SQL (the mother of all database hacks).


Try these tests for authentication and authorization testing, i.e. to get the whole list of accounts when you are supposed to have access to only yours, or maybe none :-)
Now back to the online PC shop. So how many to buy...... oh, you can buy only up to 3 PCs in one shot :-(


Let's tamper... Hmmmmm, so there lies the hidden cost field. How about 5 dollars per PC? And yes, let's buy 30 PCs in one shot....

Bingo!!!!!!!! 30 PCs for $150..... not bad for the first hands-on of web application penetration testing :-)
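The hidden cost field is the classic case of a server trusting a value that only the client was ever supposed to carry. The following is an added Python example, not the sandbox shop's own code, showing the vulnerable pattern beside a hardened order handler that prices from a server-side catalog, enforces the per-order quantity limit on the server instead of in the browser, returns one generic error for missing or malformed parameters, and flags a client price that disagrees with the catalog as a tampering indicator worth logging. The item name, catalog price and limit are constructed.

```python
"""Order handling for the hidden-cost-field case: vulnerable vs. hardened.
Added example with a constructed catalog; not the sandbox shop's own code."""
from decimal import Decimal

# Server-side catalog: the only legitimate source of prices (constructed values).
CATALOG = {"tablet-pc": Decimal("750.00")}
MAX_QTY_PER_ORDER = 3   # the limit the shop enforced only in the browser


class OrderError(ValueError):
    """Carries a generic message; specifics belong in server logs, not responses."""


def total_vulnerable(form):
    """Trusts the hidden 'cost' field and the browser-side quantity limit.
    Whatever the client submits (5 dollars, 30 units) is what gets charged."""
    return Decimal(form["cost"]) * int(form["quantity"])


def total_hardened(form):
    """Recomputes the price from the catalog and validates quantity server-side.
    Any missing, malformed or out-of-range input gets the same generic error."""
    try:
        item = form["item"]
        qty = int(form["quantity"])
    except (KeyError, ValueError):
        raise OrderError("invalid order")
    if item not in CATALOG:
        raise OrderError("invalid order")
    if not 1 <= qty <= MAX_QTY_PER_ORDER:
        raise OrderError("invalid order")
    return CATALOG[item] * qty


def process_order(form):
    """HTTP-style wrapper: (200, total) on success, (400, message) otherwise."""
    try:
        return 200, total_hardened(form)
    except OrderError as exc:
        return 400, str(exc)


def price_tampered(form):
    """Detection hook: True when the client-submitted cost disagrees with the
    catalog. The hardened path ignores the field anyway, but a mismatch means
    someone edited the form in transit and is worth an alert in the logs."""
    try:
        submitted = Decimal(form.get("cost", ""))
    except ArithmeticError:
        return True   # a non-numeric cost is itself suspicious
    return submitted != CATALOG.get(form.get("item"))


if __name__ == "__main__":
    tampered = {"item": "tablet-pc", "cost": "5", "quantity": "30"}
    print("vulnerable total:", total_vulnerable(tampered))
    print("hardened result:", process_order(tampered))
    print("tampering detected:", price_tampered(tampered))
```

The vulnerable path reproduces the 30-for-150 result; the hardened path rejects the same submission and, separately, the mismatch check gives the operations side a signal to watch for.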


Similar to TD, you have TamperIE for Internet Explorer. However, TamperIE is not as powerful as TD.

For the geeks..... there are more powerful tools, but everything comes at a cost. Either they are commercial tools (AppScan, WebInspect, Acunetix) or man-in-the-middle proxies (Paros, WebScarab, both free) which require a slightly better understanding of pen-testing concepts and proxy configuration.

For beginners.. TD is worth a try....

Monday, June 18, 2007

Penetration Testing: Web-Applications Test-Cases (Chapter 1)

(Images have been used for HTML tags and scripts, as tags are not permitted in some Blogspot fields and scripts may get executed in readers' browsers.)





Broken Authentication and Session Management:

  • For well-known applications, try a Google search for default usernames and passwords. Try those first.
  • If there is no lockout policy in place, try a brute force or dictionary attack (you may try the Brutus tool, which supports both Basic authentication and frame-based authentication).
  • Basic authentication: Basic authentication uses 'Authorization' as the cookie name to store the user's credentials. Use WebScarab -> Tools -> Transcoder to Base64-decode the value in the Authorization cookie.
  • The server may skip authentication if you send the right cookie. Intercept the cookies using a proxy (Paros or WebScarab, both are free) and try to replay the cookie.
  • Try guessing cookie values and manipulating the cookie value in transit through Paros or WebScarab.

Buffer Overflows:

Make an HTTP request to the application with a long query string. The request should be denied and the application should not crash.

You may try a long character string such as //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

or

2652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652652 (You may try the TamperIE tool for Internet Explorer; it is a free tool and has a few built-in cases.)
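What "denied, not crashed" looks like on the server side, as an added Python example that is not any real application's code: a request handler that bounds the whole query string and each parameter value before parsing, and a small harness that pushes the two payload shapes from the test case above (plus a benign query) through it and records the status, treating an exception as the crash outcome. The size limits and the query samples are constructed for the example.

```python
"""Request-size guard exercised with the long-query test cases.
Added example with constructed limits; not any real application's handler."""
MAX_QUERY_BYTES = 2048   # constructed limit for the whole query string
MAX_PARAM_BYTES = 256    # constructed limit for a single parameter value


def handle_request(query):
    """Return (status, body) for a raw query string.
    Over-long input is refused up front, before any parsing or storage
    that could fail or grow without bound."""
    if len(query.encode("utf-8", "surrogatepass")) > MAX_QUERY_BYTES:
        return 414, "URI Too Long"
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if len(value) > MAX_PARAM_BYTES:
            return 400, "Bad Request"   # generic message, nothing about internals
        params[name] = value
    return 200, f"{len(params)} parameter(s) accepted"


def long_input_cases():
    """The two payload shapes from the test-case list, a larger one, and a benign
    query. All constructed."""
    return {
        "slashes": "q=" + "/" * 400,
        "digits": "id=" + "265" * 100,
        "huge": "x=" + "A" * 5000,
        "benign": "id=42&sort=asc",
    }


def run_cases():
    """Feed each case through the handler and record the status code.
    An exception escaping the handler is the 'application crashed' outcome."""
    results = {}
    for name, query in long_input_cases().items():
        try:
            results[name] = handle_request(query)[0]
        except Exception:   # deliberately broad: any crash is the finding
            results[name] = "crash"
    return results


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:8s} -> {status}")
```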



Improper Error Handling:

You can change the length, existence, or values of authentication parameters. Try deleting a parameter ENTIRELY with a browser plug-in or proxy. Apart from interesting error messages, there is a high probability that you may get authenticated as well.

Insecure Storage:

Primarily you test for weak encoding methods used for session IDs, cookies, Basic authentication etc. You may try the Cain & Abel tool (free) or online ASCII converters.
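One caveat a practitioner would want on the Basic authentication bullet in the Broken Authentication list above and on the weak-encoding check here: Basic credentials travel in the Authorization request header (RFC 7617), and both that header and many session tokens are merely Base64- or hex-encoded, never encrypted, which is why decoding them is a one-step test and why they need TLS. The following added Python example, not part of WebScarab or Cain & Abel, performs the same decoding the Transcoder does for a Basic header and then applies a cheap "does this token decode to readable text" check to a cookie value. The header, cookie and token values are constructed samples.

```python
"""Decode a Basic Authorization header and check tokens for weak encoding.
Added example; the sample values below are constructed, not captured."""
import base64
import binascii
import string

# Constructed samples: one Basic header, one Base64-encoded cookie that is really
# just text, and one token that does not decode to anything readable.
SAMPLE_HEADER = "Basic dXNlcjpwYXNz"                               # user:pass
SAMPLE_COOKIE = base64.b64encode(b"user=admin;role=admin").decode()  # weak
SAMPLE_RANDOM_TOKEN = "3f9a" * 8                                   # opaque

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' header,
    or None if the header is not Basic or is not well-formed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def reveals_plaintext(value):
    """Return the decoded text if a token (cookie, session id) is just Base64
    or hex of readable ASCII, else None. None does not prove the value is
    random; it only means this cheap check found nothing to complain about."""
    candidates = []
    padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
    try:
        candidates.append(base64.b64decode(padded, validate=True))
    except binascii.Error:
        pass
    try:
        candidates.append(bytes.fromhex(value))
    except ValueError:
        pass
    for raw in candidates:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text and all(c in PRINTABLE for c in text):
            return text
    return None


if __name__ == "__main__":
    print("basic auth ->", decode_basic_auth(SAMPLE_HEADER))
    print("cookie     ->", reveals_plaintext(SAMPLE_COOKIE))
    print("token      ->", reveals_plaintext(SAMPLE_RANDOM_TOKEN))
```

A cookie that decodes to `user=admin;role=admin` is a finding in its own right: the session state lives on the client in reversible form, so the remedy is an opaque server-side session identifier, not a stronger encoding.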

Denial of Service:

Access two applications/services hosted on the same server. Bombard one of them with a load of requests, then try to make a request to the other application. The request should be denied.
If account lockout is configured, try a high number of invalid logons to lock the account down. You may try automated tools.

Insecure Configuration Management:

  • Try to guess the URL for the admin page
  • Try directory traversal
  • Try OS command injection


To be continued…………with Chapter 2


Friday, June 15, 2007

Cost-Cutting, Compliance and Security

My curiosity propelled me into the world of computer security. The beginning of the journey was quite tough, as the bean counters of the corporate world were busy with cost cutting (really? Or does the cost cutting not apply to the boss' female secretary and other cronies ;-) )
However, things have started improving for security consultants as organizations have started acting for the sake of standards compliance (typically a whitewash).

Hopefully, things will improve further and Chief Security Officers/Managers will also get promoted from the role of scapegoat to some active role in their organizations. Till that time, live with cost cutting and compliance…..