Tuesday
Jan262010

Basic Web Application Security for Managers & QA - Part 1

DateTuesday, January 26, 2010 at 06:24PM
Introduction & Target Audience 
Recently, I was approached by a client who wanted to know more information on how they could map out vulnerabilities within their applications as the applications were built along side the yearly review we provide for them. My initial thoughts gravitated to talking more about a more robust SDLC (Software Development Life Cylce) process as well as providing information to the client on how to identify basic flaws within their web application and externally facing infrastructure. 
 
 
In this blog post I hope to present some basic information behind the v00d00 magic of web application testing (or application testing in general) to an audience which most likely consists of quality assurance professionals, internal audit, or even managers who may want more information on how they themselves could build in a very generic testing process to identify very generic vulnerabilities within their web applications. Most of the work which lies before you really hinges upon a few basic pieces of information coupled with a mix of out of the box thinking and practice. 
 
 
What we will cover follows:
  1. The mindset and baselining.  
  2. The Basics in Web Applications
  3. Basic Exceptions
 
Mindset ....
Just like putting your game face on, or putting on war paint for a crazy adventure you will want to really put yourself into the mindset of a hunter looking for its prey. Along your hunt you will need the courage and perseverance to hunt your prey. The prey, Implementation bugs (input validation specifically) within your companies web application.
Before beginning on your journey remember every part of the application is at your disposal and you want to think about how you can use it for your intended purposes not entirely the intended purposes set forth by the developers.  You will baseline normal activity in preparation for discovering abnormal activity (exceptions). 
 
A bit of background on Web Applications
Remember the webserver is really just a glorified file server, which acts as a presentation 
to the end user *(you, your browser etc). 
Web applications process input from the client in two common forms.
Those forms are known as HTTP GET and POST operations. 
 
A GET request basically asks the webserver to retrieve certain information from the webserver, while a POST operation pushes information into a web application. Information within a webpage (application) can be dynamically rendered based on information within a GET or a POST request.
A GET request might look like the following:
GET /MyCalendarapplication/AddMeeting.asp?day=1&time=noon
Traditionally information is requested through your web browser to the server. (You won't see the actual GET portion), but within your web browser you will see http://www.yoursite.com/MyCalendarapplication/AddMeeting.asp?day=1&time=noon
Based on the information passed to this portion of the application certain events can transpire on the application based on information passed to variables. 
Eg: /AddMeeting.asp?day=1&time=noon
AddMeeting.asp = the server side script. 
day=1&time=noon are variables in which the server side application respond to depending on what information is passed. (Variables signified by the & character) 
 
The same is true for POST operations, when variables are passed within a POST request to an application (*Note POST requests usually occur when submitting forms etc)
variables will hold information sent back to the application.
 
Your initial goal should be to walk through your application to identify the static content (eg html, css, jpg's) versus the dynamic application like content. (Eg. Php,asp,aspx,cgi )
Your secondary goal will be to map out all the information which is passed to the application, and in which manner (whether it is through a GET or a POST method.)
 
Basic things to integrate into your QA Process (Vulnerability Discovery)
Application information is generally held within a database, in which the application is talking with. By manipulating the input and or output you can discover vulnerabilities which affect the end user's browser security as well as information which is passed to the backend database. 
 
Once you have mapped out the application, server side script, or form from the static content (html), you will want to start pushing in information into each variable seeing what type of input validation is being performed on the application and how the server responds to this input. 

In your scenario , I will assume that you are doing this on a non-production box, so lets assume that verbose error messages are enabled. In this case any bad information you give to the application should present you with an error as to why you triggered an exception. 
 
Placing bad characters in variables is useful in triggering bugs. 
 
By placing characters and words like:
'
)
(
)
;
%
|
&SQL=select
*
order by
having 1 = 1 
or 1 = 1
""
||
<script
<script>alert('aa')</script>
@@version
@@
* If the application is anticipating an integer, pass text, and vice versa. If the application is assuming you pass 10 characters, pass 4,000 (get wild and crazy).
 
By passing this type of information a user can trigger bugs within the application , thus aiding in discovering generic bugs and or security problems within the application. When verbose error messages are encountered please see if the error messages are Application errors or Database errors. Regardless of what type of errors are being thrown this is where you want to question your developers on the type of input and output validation that is being performed.
 
But how and why? Why would the input above cause exceptions and how would I pass or append these characters into the web application?
 
The how is pretty simple. Since your webapplication is passing arguments which interact with a backend database you can influence how queries are performed on the backend database, thus influencing how information is presented back to the end user or what information gets requested on the database. 
 
Now for the how can I do this....
By passing extra information to the form mentioned above:
/AddMeeting.asp?day=@@version&time=';SELECT user -- 
 
 
The above request is basically saying:
To the day variable pass the global variable within the backend database @@version, by working on the assumption that at the end of the select statement on the database query will give you information held within a global variable. 
 
The second variable &time, says ' (add in more sql), end our current query by placing a ';' character, followed by asking the database to perform another query, followed by ending that query. 
If you don't get exceptions don't worry, but you could find some interesting things. 
 
A bit of validation
If you have found some exceptions you may want to know more about the exploitability of those bugs. 
Taking your testing a bit further the questions you want to start asking yourself include:
1) Where am I landing in a SQL query on the backend database given the ODBC/Database error I am getting?
2) What could I get to render within the browser, can I put any other HTML entities (HTML Characters) within the input placed into the application which may be 
  rendered back to the end user or application administrator?
 
 
Further Reading
 
Moving away from the basics to a deeper understanding you may want to read the following links and start reading some of the following books. 
     
  1. You may want to look into some basic proxies to route traffic to a web application (parosproxy (http://www.parosproxy.org) is free and useful).
  2. Check out more information at OWASP http://www.owasp.org. A good list of application vulnerability classes are outlined as well as remediation steps and triggering information. 
    3.  
  3. Input Validation and parameterized queries http://aspnet101.com/tutorials.aspx?id=1 can help prevent sql injection and other classes of vulnerabilities. 
Wrapping it up....
Hopefully you are now armed with some basic information on how to identify basic vulnerabilities within your web application as well as places you can search for more information on web application security while gaining more peace of mind. While only basic information has been shared in this article we hope this can spur on a desire to search a deeper understanding of web application bugs and input validation within applications in general. Within the next article I will outline vulnerability classes and proxies as well as more technical error messages detailing bug identification and vulnerability validation. 
 
Thanks,
Daniel Clemens

 

AuthorPacketninjas Admin | CommentPost a Comment |
tagged , , , , , , , , , , in
Tuesday
Dec152009

December BHSec Meeting

DateTuesday, December 15, 2009 at 03:00AM

The december BHSec meeting will be hosted at the Wildwood Starbucks location at 9:00AM. 

More information can be found @ http://bhsec.packetninjas.net

Cheers,

Daniel Clemens

AuthorPacketninjas Admin | CommentPost a Comment |
Tuesday
Jul282009

BIND Dynamic Update DoS, Exploit Circulates

DateTuesday, July 28, 2009 at 05:30AM
Even though most are drinking there beers at defcon some of us are working the late shift on incident response, or vulnerability validation. Tonight we just got an email from ISC about a new bug in DNS.

Please read the following information regarding the bug: https://www.isc.org/node/474

Highlights of the bug include:
*A denial of service can be triggered by a specially crafted dynamic update message for a zone for which a server is the master of.
*An exploit is being used in the wild, and exploit code is available to the masses.
*There are no workarounds, you _must_ patch!!!

Snip from Advisory that just hit the web:
dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

CVE Information can be found @ CVE-2009-0696

CERT Information can be found @ VU#725188

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
- - Esse quam videra (to be , rather than to appear)
AuthorPacketninjas Admin | Comment1 Comment |
in , , , ,
Wednesday
Jul082009

Meet other Information Security Professionals @ BHSec !!

DateWednesday, July 8, 2009 at 11:17AM
Why and What?
BHSec was created as an extension of the LinkedIn group 'Alabama Security Professionals'. The goal of BHSec is to offer a time and environment where those who work within the information security field can meet, share ideas and know each other face to face. How this differs with other security groups/organizations really hinges on the need to meet and share information and not have the burden of a 'speaker' or an organization 'sponsoring' an event. BHSec is a place where information security professionals could meet to discuss security in a relaxed atmosphere where in-the-trench questions and knowledge with like minded individuals can exist. Much like ChiSec and NySec started by Matasano, BHSec hopes to fill a similar gap over a cup of coffee once a month. We don’t want a power point, or membership, the goal is to know and be known in your profession.

Topics that will likely brew up may surround anything from in depth analysis of malware and exploit development to identifying vulnerabilities to management questions and why personality tests may improve the synergy within your security group. War stories are likely to be shared most of the time, but a place where dialogue and quick facts can be shared without a powerpoint is the primary purpose of this group.

When?
The 3rd Tuesday of the month.  July 21st@ 9:00 AM
*Hopefully one week after Microsoft Tuesday many will want to talk about patch deployment or threat impact.

Where does the group meet?
The next BHSec meeting will occur at the Wildwood Starbucks location. Directions can be found the Starbucks on Lakeshore in Birmingham , Alabama.

More info?
You can find more information at:
* BHSec Website: http://bhsec.packetninjas.net
* Twitter Feed: http://twitter.com/packetninjas
* Or you can find the LinkedIn group under 'Alabama Internet Security Professionals

If all else fails you can contact me at: 205.567.6850 .

Daniel Clemens
AuthorPacketninjas Admin | Comment1 Comment |
in
Saturday
May232009

Five Provinces in China crippled due to simple DDoS Attack

DateSaturday, May 23, 2009 at 02:22PM
We routinely scour the internet searching for small blips that may be interesting. Today's news threw up some interesting fodder considering all the hype surrounding China and its release of Kylin. 

Yesterday it was reported that five providences in China had been disrupted due to a simple DDoS attack.
/snip/

This is what happened during the DNSPod incident, however, it triggered a chain of unexpected events, which led to network congestions for the carrier networks. DNSPod's servers happen to be used by Baofeng, a highly popular Chinese video streaming service. Once the millions Baofeng users fired up their desktop application, all the requests bounced off on the ISP servers, which did not know how to process them.

The intense traffic on the high-level servers caused bottlenecks, slowing everyone's Internet connection down to a crawl. In addition to the users in the five aforementioned provinces, who were severely affected, customers in Henan, Anhui and Gansu have also reportedly experienced problems.

Following the DDoS, which is also said to have influenced the accessibility of Baidu, China's number one search engine, the Ministry of Industry and Information Technology has issued a statement saying that, "Carriers and related firms should do more back-up to avoid similar incidents."

 

More information can be found here.
AuthorPacketninjas Admin | CommentPost a Comment |
in
Page 1 2 3 4 5 ... 8 Next 5 Entries »