Friday, 25 April 2014

Web Application Testing Basic Checklist for Security

Web Application Testing Basic Checklist for Pentesters
Web applications are the chief way in which companies present themselves online. E-commerce relies on them for online transactions, and ordinary people readily hand them private and personal information. We almost never ask ourselves how safe web browsing really is.
Wikipedia defines a web application as follows: "A web-based application is any application that uses a web browser as a client. The term may also mean a computer software application that is coded in a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable." - source: Wikipedia.
Nowadays these are the means by which a company draws its customers to its offers. On an e-commerce website the developers make sure that it looks good rather than securing the more vital features of the application. Social networking websites are also web applications, and users hand them vital information without much thought.
Every day we come across news that some website was hacked, but what do we really do about it? The security of web applications is always in question. As pentesters, we must always remember that there is no such thing as absolute security, and it is our duty to make others safer by testing, among other things, web applications.
OWASP
The Open Web Application Security Project (OWASP) is a non-profit charitable organization focused on improving software security. Its 2013 list names the following Top 10 vulnerabilities found in web applications:
  • A1 - Injection,
  • A2 - Authentication and Session Management,
  • A3 - Cross-Site Scripting (XSS),
  • A4 - Insecure Direct Object References,
  • A5 - Security Misconfiguration,
  • A6 - Sensitive Data Exposure,
  • A7 - Missing Function Level Control,
  • A8 - Cross-Site Request Forgery (CSRF),
  • A9 - Using Components with Known Vulnerabilities,
  • A10 - Unvalidated Redirects and Forwards.
I will not discuss all of these vulnerabilities, only the basic ones that security researchers generally use when testing a website. Let's begin.
INJECTION
Injection attacks include SQL injection, XPath injection, SOAP injection, LDAP injection and others.
SQL injection has been with us for a long time and remains one of the most prevalent vulnerabilities in web applications; recently an SQL injection was found in a Nokia website.
An SQL injection attack means inserting SQL syntax through the input fields sent from the client to the application or server, so that the resulting query is manipulated. A successful SQL injection attack can do various things: read data from the database, manipulate data (insert, delete and update records) and execute administrative commands. SQL injection attacks are of the following three types:
  • In-band - data is extracted through the same channel by which the SQL query is injected into the code.
  • Out-of-band - data is extracted through a different channel.
  • Inferential - no data is actually transferred, but the tester can reconstruct the information by sending crafted requests and observing how the database handles them.
The techniques can broadly be classed as time-based injection, blind SQL injection and UNION-based injection.
Testing for SQL injection
Each input parameter should be checked for injection flaws. It is not easy to find and confirm the existence of an SQL injection flaw.
  • Each parameter should be checked by inserting a single quote and examining the error responses received, including a 404 Not Found.
  • The presence of SQL injection can be confirmed using the string concatenation operator (||). However, if this character is filtered, SQL injection may still be present; a failed concatenation test does not rule it out.
For example, a bookstore web application built on SQL searches for books by an author in the following way: http://www.example.com/pls/bookstore/books.search?author=William. Suppose the above link returns the books by the author William Shakespeare, but http://www.example.com/pls/bookstore/books.search?author=Willi'am gives a 404 error message: the application then probably has an SQL injection flaw. This can be confirmed using the concatenation operator in the following way: http://www.example.com/pls/bookstore/books.search?author=Willi'||'am. If this again returns the books by William Shakespeare, you have confirmed an SQL injection flaw.
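The bookstore check above, reproduced against a local database so the reader can see why it works and what the fix looks like. This is an added example, not code from the original article: it assumes a constructed in-memory SQLite table (SQLite also uses || for string concatenation) and a hypothetical search function in two forms, one that pastes the author parameter into the SQL text and one that binds it as a parameter.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory bookstore.
BOOKS = [
    ("William", "Hamlet"),
    ("William", "Macbeth"),
    ("Jane", "Emma"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (author TEXT, title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, author: str) -> list:
    # 'Before': the parameter is pasted into the SQL text, so a quote in the
    # input changes the structure of the query instead of being data.
    sql = "SELECT title FROM books WHERE author = '" + author + "' ORDER BY title"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, author: str) -> list:
    # 'After': a bound parameter is always treated as a value, never as SQL.
    sql = "SELECT title FROM books WHERE author = ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (author,))]


def probe(search, conn, author):
    """Run one search and report what the tester observes: ('ok', rows) or
    ('error', message). The database error is what surfaces as the 404/500
    page mentioned in the text."""
    try:
        return ("ok", search(conn, author))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def confirm_sqli(search, conn, value="William") -> bool:
    """The three-step check from the text: the plain value returns rows, a
    stray quote breaks the query, and the quote-concat-quote variant returns
    exactly the same rows as the plain value."""
    baseline = probe(search, conn, value)
    quoted = probe(search, conn, value[:5] + "'" + value[5:])      # Willi'am
    concat = probe(search, conn, value[:5] + "'||'" + value[5:])   # Willi'||'am
    return bool(baseline[0] == "ok" and baseline[1]
                and quoted[0] == "error"
                and concat == baseline)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("string-built query", search_vulnerable),
                     ("parameterized query", search_parameterized)):
        print(name, "-> injectable:", confirm_sqli(fn, db))
```

With the string-built query the quoted input raises a syntax error and the concatenated input returns Shakespeare's books again, which is the pattern the text describes; with the bound parameter both inputs are simply authors that do not exist, so the check reports no injection.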
Authentication and Session Management
Authentication and session management flaws are listed as A2 in the OWASP Top 10 2013, but they do not get the importance they deserve. They exist in various forms, which I will discuss. I, myself, have discovered these flaws in various websites including Google.
The word authentication derives from the Greek for real or genuine. In a web application, authentication is done through the login process, which identifies the user as genuine. The user has to identify himself by providing the authentication mechanism with valid credentials in the form of a valid username and password.
Testing for Authentication
Credentials transport over an unencrypted channel
Users' credentials are not always transferred over the channel in encrypted form, so an attacker who can eavesdrop on the traffic can read them.
Sometimes even HTTPS sites transmit credentials that are stored client-side as cookies in unencrypted form.
Partial Encryption
Sites that have not implemented full-site HTTPS often transmit important cookies, such as the user's session ID, over the HTTP pages of an otherwise HTTPS site.
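A defender-side check for the partial-encryption problem described above: a session cookie issued without the Secure attribute is attached by the browser to every plain http:// request to the same host, so a single non-HTTPS page on the site exposes it. This is an added example, not code from the original article; it uses Python's standard http.cookies parser on constructed Set-Cookie headers, and the list of names treated as session cookies is an assumption for the demo.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not from the article), as a tester would see
# them in the responses of a site with mixed HTTP and HTTPS pages.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=2f9c1a; Path=/; HttpOnly",           # session id, no Secure
    "JSESSIONID=2f9c1a; Path=/; Secure; HttpOnly",   # hardened version
    "theme=dark; Path=/",                            # harmless preference
]

# Substrings that mark a cookie as session/authentication material (assumed).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and return {cookie_name: [issues]}.
    Without Secure the browser sends the cookie on plain http:// requests to
    the host, which is the leak over HTTP pages described in the text."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure: sent over HTTP pages of the site")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by script (XSS)")
        findings[name] = issues
    return findings


def leaking_session_cookies(headers) -> list:
    """Names of session-looking cookies that would travel in the clear."""
    leaking = []
    for header in headers:
        for name, issues in audit_set_cookie(header).items():
            looks_like_session = any(h in name.lower() for h in SESSION_COOKIE_HINTS)
            if looks_like_session and any(i.startswith("missing Secure") for i in issues):
                leaking.append(name)
    return leaking


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        print(header, "->", audit_set_cookie(header))
    print("session cookies sent over HTTP:", leaking_session_cookies(SAMPLE_SET_COOKIE))
```

The fix on the server side is the second header: set Secure (and HttpOnly) on the session cookie, and move the whole site to HTTPS so there are no HTTP pages for the browser to send it to in the first place.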
User Enumeration
This is the type of testing in which we test the authentication mechanism of the web application to see whether we can obtain any valid usernames. It can also be combined with brute force to test whether a password can be found for a valid username obtained this way. The tester checks whether the authentication mechanism gives any hints when we try to authenticate with a wrong username or password. The error messages received from the server side when testing the authentication mechanism, such as login pages, reveal a lot. For example, see Figure 1: here the error message displayed by the server is "PASSWORD IS INCORRECT", which implies that the supplied username is correct.
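The "PASSWORD IS INCORRECT" leak shown in Figure 1, as a login handler in its leaky and hardened forms, together with the tester's comparison described above. This is an added example, not code from the original article. It assumes a constructed one-user store with PBKDF2 password hashes; the hardened version goes one step beyond the text by also doing the same hashing work and a constant-time comparison for unknown users, so that response time does not leak what the message no longer does.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store (not from the article): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credentials so that an unknown username costs the same work as a
# known one; nothing can ever authenticate against them.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """'Before': distinct messages tell the tester which usernames exist."""
    if username not in USERS:
        return "USERNAME DOES NOT EXIST"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return "PASSWORD IS INCORRECT"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """'After': one generic message, the same hashing on every path, and a
    constant-time comparison of the digests."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(_hash(password, salt), stored)
    if digest_ok and username in USERS:
        return "OK"
    return "INVALID USERNAME OR PASSWORD"


def enumerates_users(login) -> bool:
    """The tester's check from the text: do a known user and an unknown user,
    both with a wrong password, receive different responses?"""
    return login("alice", "wrong") != login("nobody", "wrong")


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(name, "-> enumerates users:", enumerates_users(fn))
```

The same principle applies to password-reset and registration forms: any difference in message, status code or response time between an existing and a non-existing account is a username oracle.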

Source: PenTest
