Web Application Penetration Testing

Nowadays everything we see and find is computerized and interconnected, and it is hard to find anything that is not computerized or cannot be computerized. Due this factor, many businesses have improved their efficiency, productivity, save lot of energy (human and machinery), introduce more innovative products and services as well as made services available at fingertips of customers. For instance, web enabled service of banks like internet banking, which enabled customers to stay at home and make all the transactions such as paying utility bills, making other financial transactions, transferring money, checking accounts details etc with comfort and ease. This became possible due to secure web applications used by banks. However, not to forget everything comes with a risk and side effects. In Web applications that we use can have numerous unidentified and hidden vulnerabilities, security loopholes, improper codes, errors and inconsistencies. These could open up disasters to organizations and users if not identified before hand and managed effectively. Hence, organizations need to test these web applications with proven web application testing methodology to correct these vulnerabilities. There are many methodologies existing and organizations can use what is most suitable for the web applications that they require to test. This article will illustrate how to perform web application penetration testing effectively with proven methodology.

Penetration testing is a process of proactive and authorized evaluation of organizational information for security weaknesses. During the process, it analyzes for design weaknesses, technical flaws and vulnerabilities. At the end of the security measures evaluation process, it delivers comprehensive report to executives, management and technical expert’s review. Penetration testing could satisfy the goals of organizations such as test and validate the efficiency of implemented security protections and controls, to enable internal and external vulnerability perspective to organizations, and provide productive information for auditing teams for regulatory compliances, etc.

Web Application penetration test is a part of penetration testing, which only focuses on penetrating web applications and identifying vulnerabilities and weaknesses. Thereafter, reporting that to management and technical experts via reports. This includes the assessment of the web applications and the impact to the organization and often with a proposal for risk mitigation or technical solution.

As of any software and product, Web Applications also need security test to verify that it can handle what they are promising. Web applications have taken serious measures in implementing security within the web applications. On the other hand, it provides required level of security and not susceptible to any identified security vulnerabilities, weaknesses or improper input, modifications, etc. For instance, consider an internet-banking site. It stores personal sensitive information of users such as sensitive financial information and transaction details. If an attacker is able to access this information due to vulnerability in the web application; attacker can perform any transaction, modification, or insert hidden code, etc to the web applications. Hence, could harvest all the customer information and financial details as well as manipulate any information. This would be devastating news for the banking institute as well as their customers. Hence, it is critical to validate the security posture of web applications with web application penetration testing ,to be sure the level of security of the organization.

Since, there are many vulnerabilities in web applications, web applications penetration testers and developers need to concentrate on these items during their testing and application development. It is much better if application developers are well aware and educated to develop secure web applications rather than fixing vulnerabilities later when implemented. Below given list include few of the common web application vulnerabilities.

· Cross-Site Scripting (XSS)

· Cross-Site Request Forgery (CSRF)

· OSAP injection

· SMTP command injection

· Blind SQL/XPath injection

· Code executioin

· CRLF injection / HTTP response splitting

· SQL injection

· Cookie manipulation

· Script source code disclosure

Web Application penetration testing is a complex task and requires very well organized steps to identify and evaluate security measures. Methodology allows this complex process to streamline and have a standardized way to perform each task. OWASP (Open Web Application Security Project) Testing Guide is a proven and recognized Web Application penetration methodology, as well as OSSTMM (Open Source Security Testing Methodology Manual).Below illustrates how to perform Web Application penetration testing and its steps. This is a lengthy process however; it is noted here with brief description.

i. Fingerprint web application environment - this is the basic step to start with, you need to identify web application environment such as used scripting language, web server software, version, operating system, etc.

ii. Investigate the output form HEAD and OPTION HTTP request - these two options usually contain with web server software version, scripting environment and operating system in use.

iii. Investigate format and wording of 404 and other errors - some application environment such as ColdFusion maintain custom error pages that consist of software versions of the scripting language in use.

iv. Test for recognized file types, extensions and directories - different web servers respond differently for unknown extensions than known. Request will monitor for any unusual output or error codes.

v. Examine the source of available pages - immediately accessible pages of front end application’s source code will give very useful details

vi. Manipulate inputs to elicit scripting errors

vii. Test the inner working of web application - scripting languages like Javascript and client-side code can provide information of inner working of web applications

viii. Test database connectivity - access rights should be limited to minimum rights required and limited to required time duration.

ix. Test application code - check for misuse of super user accounts, login ID and passwords, exception /error handling and backdoors left by developers.

x. Test GET and POST in web application - check how these GET and POST are used in web applications.

xi. Test for parameter tampering attacks on the website - try to manipulate URL strings to retrieve sensitive information.

xii. Test URL manipulation - modify URL to see whether you can access unauthorized areas.

xiii. Test Cross-Site Scripting - use tools like, Paros proxy, Fiddler, and Burp proxy to test for these vulnerabilities.

xiv. Test for hidden fields - inspect source code to see if there is any hidden information stored. Try to modify source code and save, then execute and see whether the changes are accepted.

xv. Test for cookies attacks - stealing user cookies will enable attackers to access an account without any authentication.

xvi. Test for buffer overflows - send large amount of data to the buffer, where the buffer will crash and will result in unexpected behavior.

xvii. Test for bad data - enter data in to application by entering between will store in the database, later will result in inaccurate reports.

xviii. Test for client-side scripting - capture a URL after valid login and enter that URL in to a new browser. Check whether you can login without authentication.

xix. Test for known vulnerabilities - use Bugtraq to monitor these vulnerabilities

xx. Test for race condition - application use multiple threads to achieve simultaneous processing, check for this condition.

xxi. Test user protection via browser settings - browser settings provide protection from harmful contents, check whether this is supported.

xxii. Test for command execution vulnerabilities - web applications not properly sanitize the user input data before using it within the application. Application could execute the operating system commands using this.

xxiii. Check for SQL injection attacks - when directly input SQL statements by user are not properly sanitized attacker can steal data from your database, modify and delete.

xxiv. Check for Blind SQL injection attacks - this is identical to SQL injection except it gets a generic page specified by the developer.

xxv. Test for session fixation attacks - this is where attacker tries to use previously used session ID to log again.

xxvi. Check for session hijacking attacks - attacker tries to locate active session and track it, disconnect the host and hijack the session and resume the session after hijacking and use to his will.

xxvii. Check for XPath injection attacks - technique use to exploit website that construct XPath queries from the user supplied input.

xxviii. Test for server side include injection attacks - this exploit web application’s failure to sanitize user supplied data before they are inserted to server side interpreted HTML file

xxix. Check for logic flaws - this is a failure of performing conditional branching or apply security in web applications.

xxx. Check for binary attacks - static buffers may be vulnerable to binary attacks such as format string bugs and butter overflows.

xxxi. Check for XML structural - try to overload the XML parser by sending large amount or malformed XML messages to server.

xxxii. Test for XML content level - use Webscarab tool to test Web Service Definition Language, modify parameter’s data based on WSDL’s definition and check whether you can use web services with escalated privileges.

xxxiii. Test for WS HTTP GET parameter/RESET attacks - check for maximum and minimum length, validate payload, validate the parameter’s names and existence

xxxiv. Test for suspicious SOAP attachments - search wed service definition language that accepts attachments.

xxxv. Test for WS replay - user tools such as WebScarab to capture HTTP traffic and try to perform replay attack.

• Few handy Tools for the tester
• AtStake WebProxy
• SPIKE Proxy
• Httprecon - http://www.computec.ch/projekte/httprecon/
• KSES - http://sourceforge.net/projects/kses/
• Mieliekoek.pl
• Sleuth
• Webgoat - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• AppScan
• Nikto - http://cirt.net/nikto2

Every vulnerability found during the web application penetration testing process should be properly documented with valid evidences. Do not try to fix or modify the vulnerability to enhance security of the web application at this moment. This is not a duty of a penetration tester. Penetration tester could inform the relevant authorities if there is an immediate threat, otherwise these findings should be included in to the final reports of the client organization. Make sure the identified vulnerabilities exist with evidence. Furthermore, have proof of concepts to show this could enable greater danger if exploited by an attacker. Penetration tester should not exploit the vulnerabilities and cause any harm to web application of relevant systems. However, if the organization requested and agreed to exploit any vulnerability found during the process, you may proceed. Penetration tester could recommend possible security control measures that organizations could take in order to mitigate the risk exposed due to the vulnerabilities.

This paper discussed briefly how and what areas of a web application needs to be checked for vulnerabilities. In addition, what sort of vulnerabilities that we can find in general. This does not cover comprehensive web application testing in detail or discuss tools in depth. However, few tools that can be used are listed and where the details of these tools can be referred is noted.