Security Testing 简明教程

Security Testing - Quick Guide

Security Testing - Overview

安全性测试对于保护系统免受 Web 上的恶意活动非常重要。

Security testing is very important to keep the system protected from malicious activities on the web.

What is Security Testing?

安全性测试是一种测试技术,旨在确定信息系统是否保护数据并按预期维护功能。安全性测试并不能保证系统完全安全,但将安全性测试作为测试流程的一部分很重要。

Security testing is a testing technique to determine if an information system protects data and maintains functionality as intended. Security testing does not guarantee complete security of the system, but it is important to include security testing as a part of the testing process.

安全性测试采取以下六项措施来提供安全的环境 −

Security testing takes the following six measures to provide a secured environment −

  1. Confidentiality − It protects against disclosure of information to unintended recipients.

  2. Integrity − It allows transferring accurate and correct desired information from senders to intended receivers.

  3. Authentication − It verifies and confirms the identity of the user.

  4. Authorization − It specifies access rights to the users and resources.

  5. Availability − It ensures readiness of the information on requirement.

  6. Non-repudiation − It ensures there is no denial from the sender or the receiver for having sent or received the message.

Example

在基于 Web 的应用程序中发现安全缺陷涉及复杂步骤和创造性思维。有时候,一个简单的测试就能暴露最严重的安全性风险。您可以在任何 Web 应用程序上尝试这个非常基本的测试 −

Spotting a security flaw in a web-based application involves complex steps and creative thinking. At times, a simple test can expose the most severe security risk. You can try this very basic test on any web application −

  1. Log into the web application using valid credentials.

  2. Log out of the web application.

  3. Click the BACK button of the browser.

  4. Verify if you are asked to log in again or if you are able go back to the logged in page again.

Security Testing - Process

安全性测试可以看作对系统的一次受控攻击,它以真实的方式揭示安全漏洞。其目标是评估 IT 系统的当前状态。它也被称为 penetration test 或更通俗地称为 ethical hacking

Security testing can be seen as a controlled attack on the system, which uncovers security flaws in a realistic way. Its goal is to evaluate the current status of an IT system. It is also known as penetration test or more popularly as ethical hacking.

渗透测试分阶段进行,在本节中,我们将讨论整个过程。每个阶段都应进行适当的文档记录,以便随时获得重现攻击所需的所有步骤。文档记录还可作为客户在渗透测试结束后收到的详细报告的基础。

Penetration test is done in phases and here in this chapter, we will discuss the complete process. Proper documentation should be done in each phase so that all the steps necessary to reproduce the attack are available readily. The documentation also serves as the basis for the detailed report customers receive at the end of a penetration test.

Penetration Test – Workflow

渗透测试包括四个主要阶段 −

Penetration test includes four major phases −

  1. Foot Printing

  2. Scanning

  3. Enumeration

  4. Exploitation

These four steps are re-iterated multiple times which goes hand in hand with the normal SDLC.

security testing sec testing processes

Security Testing - Malicious Software

Malicious software (malware) is any software that gives partial to full control of the system to the attacker/malware creator.

Malwares

Various forms of malware are listed below −

  1. Virus − A virus is a program that creates copies of itself and inserts these copies into other computer programs, data files, or into the boot sector of the hard-disk. Upon successful replication, viruses cause harmful activity on infected hosts such as stealing hard-disk space or CPU time.

  2. Worm − A worm is a type of malware which leaves a copy of itself in the memory of each computer in its path.

  3. Trojan − Trojan is a non-self-replicating type of malware that contains malicious code, which upon execution results in loss or theft of data or possible system harm.

  4. Adware − Adware, also known as freeware or pitchware, is a free computer software that contains commercial advertisements of games, desktop toolbars, and utilities. It is a web-based application and it collects web browser data to target advertisements, especially pop-ups.

  5. Spyware − Spyware is infiltration software that anonymously monitors users which enables a hacker to obtain sensitive information from the user’s computer. Spyware exploits users and application vulnerabilities that is quite often attached to free online software downloads or to links that are clicked by users.

  6. Rootkit − A rootkit is a software used by a hacker to gain admin level access to a computer/network which is installed through a stolen password or by exploiting a system vulnerability without the victim’s knowledge.

Preventive Measures

可以采取以下措施来避免系统中存在恶意软件:

The following measures can be taken to avoid presence of malware in a system −

  1. Ensure the operating system and applications are up to date with patches/updates.

  2. Never open strange e-mails, especially ones with attachments.

  3. When you download from the internet, always check what you install. Do not simply click OK to dismiss pop-up windows. Verify the publisher before you install application.

  4. Install anti-virus software.

  5. Ensure you scan and update the antivirus programs regularly.

  6. Install firewall.

  7. Always enable and use security features provided by browsers and applications.

Anti-Malware Software

以下软件有助于从系统中删除恶意软件:

The following software help remove the malwares from a system −

  1. Microsoft Security Essentials

  2. Microsoft Windows Defender

  3. AVG Internet Security

  4. Spybot - Search & Destroy

  5. Avast! Home Edition for personal use

  6. Panda Internet Security

  7. MacScan for Mac OS and Mac OS X

Security Testing - HTTP Protocol Basics

理解协议对于充分掌握安全测试非常重要。当我们在 Web 服务器和客户端之间截取数据包时,您将能够体会到协议的重要性。

Understanding the protocol is very important to get a good grasp on security testing. You will be able to appreciate the importance of the protocol when we intercept the packet data between the webserver and the client.

HTTP Protocol

超文本传输协议 (HTTP) 是用于分布式、协作式、超媒体信息系统的应用程序级协议。它自 1990 年以来一直是万维网数据通信的基础。HTTP 是一个通用无状态协议,还可以使用其请求方法、错误代码和标头的扩展用于其他目的。

The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This is the foundation for data communication for the World Wide Web since 1990. HTTP is a generic and stateless protocol which can be used for other purposes as well using extension of its request methods, error codes, and headers.

基本上,HTTP 是一个基于 TCP/IP 的通信协议,用于通过 Web 传输诸如 HTML 文件、图像文件、查询结果等数据。它为计算机之间通信提供了一种标准化方式。HTTP 规范指定了如何将客户端请求的数据发送到服务器,以及服务器如何响应这些请求。

Basically, HTTP is a TCP/IP based communication protocol, which is used to deliver data such as HTML files, image files, query results etc. over the web. It provides a standardized way for computers to communicate with each other. HTTP specification specifies how clients’ requested data are sent to the server, and how servers respond to these requests.

Basic Features

以下三个基本特性使 HTTP 成为一个简单但功能强大的协议 −

There are following three basic features which make HTTP a simple yet powerful protocol −

  1. HTTP is connectionless − The HTTP client, i.e., the browser initiates an HTTP request. After making a request, the client disconnects from the server and waits for a response. The server processes the request and re-establishes the connection with the client to send the response back.

  2. HTTP is media independent − Any type of data can be sent by HTTP as long as both the client and server know how to handle the data content. This is required for client as well as server to specify the content type using appropriate MIME-type.

  3. HTTP is stateless − HTTP is a connectionless and this is a direct result that HTTP is a stateless protocol. The server and client are aware of each other only during a current request. Afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the browser can retain information between different requests across the web pages.

HTTP/1.0 为每次请求/响应交换使用一个新连接,而 HTTP/1.1 连接可能用于一个或多个请求/响应交换。

HTTP/1.0 uses a new connection for each request/response exchange whereas HTTP/1.1 connection may be used for one or more request/response exchanges.

Architecture

下图显示了一个 Web 应用程序非常基础的架构,并描述了 HTTP 所在的位置 −

The following diagram shows a very basic architecture of a web application and depicts where HTTP resides −

http Protocol

HTTP 协议是一个基于客户端/服务器架构的请求/响应协议,其中网络浏览器、机器人和搜索引擎等充当 HTTP 客户端,而网络服务器充当服务器。

The HTTP protocol is a request/response protocol based on the client/server architecture where web browser, robots, and search engines etc. act as HTTP clients and the web server acts as a server.

  1. Client − The HTTP client sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content over a TCP/IP connection.

  2. Server − The HTTP server responds with a status line, including the protocol version of the message and a success or error code, followed by a MIME-like message containing server information, entity meta information, and possible entity-body content.

HTTP – Disadvantages

  1. HTTP is not a completely secured protocol.

  2. HTTP uses port 80 as default port for communication.

  3. HTTP operates at the application Layer. It needs to create multiple connections for data transfer, which increases administration overheads.

  4. No encryption/digital certificates are required for using HTTP.

Http Protocol Details

为了深入了解 HTTP 协议,请点击以下各个链接。

Inorder to understand the HTTP Protocol indepth, click on each on of the below links.

  1. HTTP Parameters

  2. HTTP Messages

  3. HTTP Requests

  4. HTTP Responses

  5. HTTP Methods

  6. HTTP Status Codes

  7. HTTP Header Fields

  8. HTTP Security

Security Testing - HTTPS Protocol Basics

HTTPS(安全套接字层上的超文本传输协议)或 HTTP over SSL 是由网景开发的 Web 协议。它不是一种协议,而只是将 HTTP 分层在 SSL/TLS(安全套接层/传输层安全)之上的结果。

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) or HTTP over SSL is a web protocol developed by Netscape. It is not a protocol but it is just the result of layering the HTTP on top of SSL/TLS (Secure Socket Layer/Transport Layer Security).

简而言之,HTTPS = HTTP + SSL

In short, HTTPS = HTTP + SSL

When is HTTPS Required?

When we browse, we normally send and receive information using HTTP protocol. So this leads anyone to eavesdrop on the conversation between our computer and the web server. Many a times we need to exchange sensitive information which needs to be secured and to prevent unauthorized access.

Https protocol used in the following scenarios −

  1. Banking Websites

  2. Payment Gateway

  3. Shopping Websites

  4. All Login Pages

  5. Email Apps

Basic Working of HTTPS

  1. Public key and signed certificates are required for the server in HTTPS Protocol.

  2. Client requests for the https:// page

  3. When using an https connection, the server responds to the initial connection by offering a list of encryption methods the webserver supports.

  4. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities.

  5. After this is done, both webserver and client exchange the encrypted information after ensuring that both are using the same key, and the connection is closed.

  6. For hosting https connections, a server must have a public key certificate, which embeds key information with a verification of the key owner’s identity.

  7. Almost all certificates are verified by a third party so that clients are assured that the key is always secure.

https Protocol

Security Testing - Encoding and Decoding

What is Encoding and Decoding?

编码是将字母、数字和其他特殊字符等一系列字符转换成专门格式以便高效传输的过程。

Encoding is the process of putting a sequence of characters such as letters, numbers and other special characters into a specialized format for efficient transmission.

解码是将编码格式转换回原字符序列的过程。它与加密完全不同,我们通常会错误地理解它。

Decoding is the process of converting an encoded format back into the original sequence of characters. It is completely different from Encryption which we usually misinterpret.

编码和解码用于数据通信和存储。编码不应该用于传输敏感信息。

Encoding and decoding are used in data communications and storage. Encoding should NOT be used for transporting sensitive information.

URL Encoding

URL 只能使用 ASCII 字符集在 Internet 上发送,并且在 URL 中包含除了 ASCII 字符之外的特殊字符时,需要对 URL 进行编码。URL 不包含空格,空格被加号 (+) 或 %20 替换。

URLs can only be sent over the Internet using the ASCII character-set and there are instances when URL contains special characters apart from ASCII characters, it needs to be encoded. URLs do not contain spaces and are replaced with a plus (+) sign or with %20.

ASCII Encoding

浏览器(客户端)会根据网页中使用的字符集对输入进行编码,而 HTML5 中的默认字符集是 UTF-8。

The Browser (client side) will encode the input according to the character-set used in the web-page and the default character-set in HTML5 is UTF-8.

下表显示了字符的 ASCII 符号及其等效符号,最后是其在传递给服务器之前可以在 URL 中使用的替换符号。

Following table shows ASCII symbol of the character and its equal Symbol and finally its replacement which can be used in URL before passing it to the server −

ASCII

Symbol

Replacement

< 32

Encode with %xx where xx is the hexadecimal representation of the character.

32

space

+ or %20

33

!

%21

34

"

%22

35

#

%23

36

$

%24

37

%

%25

38

&

%26

39

'

%27

40

(

%28

41

)

%29

42

*

*

43

+

%2B

44

,

%2C

45

-

-

46

.

.

47

/

%2F

48

0

0

49

1

1

50

2

2

51

3

3

52

4

4

53

5

5

54

6

6

55

7

7

56

8

8

57

9

9

58

:

%3A

59

;

%3B

60

>

%3C

61

=

%3D

62

>

%3E

63

?

%3F

64

@

%40

65

A

A

66

B

B

67

C

C

68

D

D

69

E

E

70

F

F

71

G

G

72

H

H

73

I

I

74

J

J

75

K

K

76

L

L

77

M

M

78

N

N

79

O

O

80

P

P

81

Q

Q

82

R

R

83

S

S

84

T

T

85

U

U

86

V

V

87

W

W

88

X

X

89

Y

Y

90

Z

Z

91

[

%5B

92

%5C

93

]

%5D

94

^

%5E

95

_

_

96

`

%60

97

a

a

98

b

b

99

c

c

100

d

d

101

e

e

102

f

f

103

g

g

104

h

h

105

i

i

106

j

j

107

k

k

108

l

l

109

m

m

110

n

n

111

o

o

112

p

p

113

q

q

114

r

r

115

s

s

116

t

t

117

u

u

118

v

v

119

w

w

120

x

x

121

y

y

122

z

z

123

{

%7B

124

%7C

125

}

%7D

126

~

%7E

127

%7F

> 127

Security Testing - Cryptography

What is Cryptography?

加密学是一门加密和解密数据的学科,它使用户能够存储敏感信息或通过不安全的网络传输它们,以便只有预期的接收者才能读取这些信息。

Cryptography is the science to encrypt and decrypt data that enables the users to store sensitive information or transmit it across insecure networks so that it can be read only by the intended recipient.

无需任何特殊措施即可读取和理解的数据称为 plaintext ,而为了隐藏其内容而伪装明文的方法称为 encryption

Data which can be read and understood without any special measures is called plaintext, while the method of disguising plaintext in order to hide its substance is called encryption.

加密的明文称为密文,将加密数据还原回明文的过程称为 decryption

Encrypted plaintext is known as cipher text and process of reverting the encrypted data back to plain text is known as decryption.

  1. The science of analyzing and breaking secure communication is known as cryptanalysis. The people who perform the same also known as attackers.

  2. Cryptography can be either strong or weak and the strength is measured by the time and resources it would require to recover the actual plaintext.

  3. Hence an appropriate decoding tool is required to decipher the strong encrypted messages.

  4. There are some cryptographic techniques available with which even a billion computers doing a billion checks a second, it is not possible to decipher the text.

  5. As the computing power is increasing day by day, one has to make the encryption algorithms very strong in order to protect data and critical information from the attackers.

How Encryption Works?

加密算法与密钥(可以是单词、数字或短语)结合使用,对明文进行加密,并且相同的明文使用不同的密钥加密为不同的密文。

A cryptographic algorithm works in combination with a key (can be a word, number, or phrase) to encrypt the plaintext and the same plaintext encrypts to different cipher text with different keys.

因此,加密数据完全依赖几个参数,例如加密算法的强度和密钥的秘密性。

Hence, the encrypted data is completely dependent couple of parameters such as the strength of the cryptographic algorithm and the secrecy of the key.

Cryptography Techniques

Symmetric Encryption - 常规加密,也称为传统加密,是仅使用一个密钥进行加密和解密的技术。例如,DES、Triple DES 算法、IBM 的 MARS、RC2、RC4、RC5、RC6。

Symmetric Encryption − Conventional cryptography, also known as conventional encryption, is the technique in which only one key is used for both encryption and decryption. For example, DES, Triple DES algorithms, MARS by IBM, RC2, RC4, RC5, RC6.

Asymmetric Encryption - 公钥加密使用一对密钥进行加密:公钥用于加密数据,私钥用于解密。公钥向人们公开,同时对私钥保密。例如,RSA、数字签名算法 (DSA)、Elgamal。

Asymmetric Encryption − It is Public key cryptography that uses a pair of keys for encryption: a public key to encrypt data and a private key for decryption. Public key is published to the people while keeping the private key secret. For example, RSA, Digital Signature Algorithm (DSA), Elgamal.

Hashing - 哈希是一种单向加密,它会创建一个无法恢复或至少无法轻松恢复的加密输出。例如,MD5 算法。它用于创建数字证书、数字签名、存储密码、验证通信等。

Hashing − Hashing is ONE-WAY encryption, which creates a scrambled output that cannot be reversed or at least cannot be reversed easily. For example, MD5 algorithm. It is used to create Digital Certificates, Digital signatures, Storage of passwords, Verification of communications, etc.

Security Testing - Same Origin Policy

同源策略 (SOP) 是 Web 应用程序安全模型中的一项重要概念。

Same Origin Policy (SOP) is an important concept in the web application security model.

What is Same Origin Policy?

根据此策略,它允许从同一站点上获取的页面上运行的脚本,这些站点可以是以下各项的组合 −

As per this policy, it permits scripts running on pages originating from the same site which can be a combination of the following −

  1. Domain

  2. Protocol

  3. Port

Example

The reason behind this behavior is security. If you have try.com in one window and gmail.com in another window, then you DO NOT want a script from try.com to access or modify the contents of gmail.com or run actions in context of gmail on your behalf.

Below are webpages from the same origin. As explained before, the same origin takes domain/protocol/port into consideration.

  1. [role="bare"]http://website.com

  2. [role="bare"]http://website.com/

  3. [role="bare"]http://website.com/my/contact.html

Below are webpages from a different origin.

  1. [role="bare"]http://www.site.co.uk(another domain)

  2. [role="bare"]http://site.org (another domain)

  3. [role="bare"]https://site.com (another protocol)

  4. [role="bare"]http://site.com:8080 (another port)

Same Origin policy Exceptions for IE

Internet Explorer has two major exceptions to SOP.

  1. The first one is related to 'Trusted Zones'. If both domains are in highly trusted zone then the Same Origin policy is not applicable completely.

  2. The second exception in IE is related to port. IE does not include port into Same Origin policy, hence the [role="bare"]http://website.com and [role="bare"]http://wesite.com:4444 are considered from the same origin and no restrictions are applied.

Security Testing - Cookies

What is a Cookie?

Cookie 是 Web 服务器发送的小段信息,存储在 Web 浏览器中以便浏览器以后读取。通过这种方式,浏览器会记住一些特定个人信息。如果黑客掌握了 Cookie 信息,则可能导致安全问题。

A cookie is a small piece of information sent by a web server to store on a web browser so that it can later be read by the browser. This way, the browser remembers some specific personal information. If a Hacker gets hold of the cookie information, it can lead to security issues.

Properties of Cookies

以下是一些 Cookie 的重要属性:

Here are some important properties of cookies −

  1. They are usually small text files, given ID tags that are stored on your computer’s browser directory.

  2. They are used by web developers to help users navigate their websites efficiently and perform certain functions.

  3. When the user browses the same website again, the data stored in the cookie is sent back to the web server to notify the website of the user’s previous activities.

  4. Cookies are unavoidable for websites that have huge databases, need logins, have customizable themes.

Cookie Contents

Cookie 包含以下信息:

The cookie contains the following information −

  1. The name of the server the cookie was sent from.

  2. The lifetime of the cookie.

  3. A value - usually a randomly generated unique number.

Types of Cookies

  1. Session Cookies − These cookies are temporary which are erased when the user closes the browser. Even if the user logs in again, a new cookie for that session is created.

  2. Persistent cookies − These cookies remain on the hard disk drive unless user wipes them off or they expire. The Cookie’s expiry is dependent on how long they can last.

Testing Cookies

Here are the ways to test the cookies −

  1. Disabling Cookies − As a tester, we need to verify the access of the website after disabling cookies and to check if the pages are working properly. Navigating to all the pages of the website and watch for app crashes. It is also required to inform the user that cookies are required to use the site.

  2. Corrupting Cookies − Another testing to be performed is by corrupting the cookies. In order to do the same, one has to find the location of the site’s cookie and manually edit it with fake / invalid data which can be used access internal information from the domain which in turn can then be used to hack the site.

  3. Removing Cookies − Remove all the cookies for the website and check how the website reacts to it.

  4. Cross-Browser Compatibility − It is also important to check that cookies are being written properly on all supported browsers from any page that writes cookies.

  5. Editing Cookies − If the application uses cookies to store login information then as a tester we should try changing the user in the cookie or address bar to another valid user. Editing the cookie should not let you log in to a different users account.

Viewing and Editing Cookies

现代浏览器支持在浏览器本身内查看/编辑 cookie 信息。此处有 Mozilla/Chrome 使用的插件,我们可以使用它们成功执行编辑。

Modern browsers support viewing/editing of the cookies inform within the Browser itself. There are plugins for mozilla/chrome using which we are able to perform the edit successfully.

  1. Edit cookies plugin for Firefox

  2. Edit This cookie plugin for chrome

编辑 cookie 的步骤如下 −

The steps should be performed to Edit a cookie −

  1. Download the plugin for Chrome from here

  2. Edit the cookie value just by accessing the 'edit this cookie' plugin from chrome as shown below.

cookie Testing

Security Testing - Hacking Web Applications

我们可以将各种方法论/方法用作执行攻击的参考。

There are various methodologies/approaches which we can make use of as a reference for performing an attack.

Web Application - PenTesting Methodologies

在制定攻击模型时可以考虑以下标准。

One can take into account the following standards while developing an attack model.

在以下列表中,OWASP 最为活跃,并且有许多贡献者。我们将重点关注 OWASP 技术,它在设计 Web 应用程序之前由每个开发团队考虑在内。

Among the following list, OWASP is the most active and there are a number of contributors. We will focus on OWASP Techniques which each development team takes into consideration before designing a web app.

  1. PTES − Penetration Testing Execution Standard

  2. OSSTMM − Open Source Security Testing Methodology Manual

  3. OWASP Testing Techniques − Open Web Application Security Protocol

OWASP Top 10

The Open Web Application Security Protocol team released the top 10 vulnerabilities that are more prevalent in web in the recent years. Below is the list of security flaws that are more prevalent in a web based application.

owasp top 10

Application - Hands On

In order to understand each one of the techniques, let us work with a sample application. We will perform the attack on 'WebGoat', the J2EE application which is developed explicitly with security flaws for learning purposes.

The complete details about the webgoat project can be located https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project. To Download the WebGoat Application, Navigate to https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0) and goto downloads section.

To install the downloaded application, first ensure that you do not have any application running on Port 8080. It can be installed just using a single command - java -jar WebGoat-6.0.1-war-exec.jar. For more details, visit WebGoat Installation

Post Installation, we should be able to access the application by navigating to http://localhost:8080/WebGoat/attack and the page would be displayed as shown below.

webgoat login

We can use the credentials of guest or admin as displayed in the login page.

Web Proxy

In order to intercept the traffic between client (Browser) and Server (System where Webgoat Application is hosted in our case), we need to use a web proxy. We will use Burp Proxy that can be downloaded from https://portswigger.net/burp/download.html

It is sufficient if you download the free version of burp suite as shown below.

Burp Suite Download

Configuring Burp Suite

Burp Suite 是一个 Web 代理,可以截取浏览器和 Web 服务器发送和接收的每个信息包。这有助于我们在客户端向 Web 服务器发送信息之前修改内容。

Burp Suite is a web proxy which can intercept each packet of information sent and received by the browser and webserver. This helps us to modify the contents before the client sends the information to the Web-Server.

working model burp

Step 1 − 应用程序已安装在端口 8080 上,Burp 已安装在端口 8181 上,如下图所示。启动 Burp 套件并进行以下设置,以便在端口 8181 上启用它,如下所示。

Step 1 − The App is installed on port 8080 and Burp is installed on port 8181 as shown below. Launch Burp suite and make the following settings in order to bring it up in port 8181 as shown below.

configure burp suite 1

Step 2 − 我们应确保 Burp 正在侦听应用程序安装所在的端口 8080,以便 Burp 套件可以截获流量。应在 Burp 套件的范围选项卡上进行此设置,如下所示。

Step 2 − We should ensure that the Burp is listening to Port#8080 where the application is installed so that Burp suite can intercept the traffic. This settings should be done on the scope tab of the Burp Suite as shown below.

configure burp suite 2

Step 3 − 然后将浏览器的代理设置设为侦听端口 8181(Burp 套件端口)。因此,我们已配置 Web 代理来截获客户端(浏览器)与服务器(Web 服务器)之间的流量,如下所示 −

Step 3 − Then make your browser proxy settings to listen to the port 8181 (Burp Suite port). Thus we have configured the Web proxy to intercept the traffic between the client (browser) and the server (Webserver) as shown below −

configure burp suite 3

Step 4 − 配置的快照如下图所示,并附有简单的工作流图表

Step 4 − The snapshot of the configuration is shown below with a help of a simple workflow diagram as shown below

configure burp suite 4

Security Testing - Injection

Injection technique consists of injecting a SQL query or a command using the input fields of the application.

Web Application - Injection

A successful SQL injection can read, modify sensitive data from the database, and can also delete data from a database. It also enables the hacker to perform administrative operations on the database such as shutdown the DBMS/dropping databases.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

sql injection

Examples

The application uses untrusted data in the construction of the following vulnerable SQL call −

String query = "SELECT * FROM EMP WHERE EMPID = '" + request.getParameter("id") + "'";

Hands On

Step 1 − Navigate to the SQL Injection area of the application as shown below.

sql injection1

Step 2 − As given in the exercise, we use String SQL Injection to bypass authentication. Use SQL injection to log in as the boss ('Neville') without using the correct password. Verify that Neville’s profile can be viewed and that all functions are available (including Search, Create, and Delete).

Step 3 - 我们可以注入 SQL 以便通过将参数发送为 'a' = 'a' 或 1 = 1 来绕过密码

Step 3 − We will Inject a SQL such that we are able to bypass the password by sending the parameter as 'a' = 'a' or 1 = 1

sql injection2

Step 4 - 在利用之后,我们可以以 Neville 身份登录,如下所示,他是管理员。

Step 4 − Post Exploitation, we are able to login as Neville who is the Admin as shown below.

sql injection3

Preventing SQL Injection

有很多方法可以防止 SQL 注入。当开发人员编写代码时,他们应确保相应处理特殊字符。OWASP 提供了反作弊秘籍/预防技术,这绝对是开发人员的指南。

There are plenty of ways to prevent SQL injection. When developers write the code, they should ensure that they handle special characters accordingly. There are cheat sheets/prevention techniques available from OWASP which is definitely a guide for developers.

  1. Using Parameterized Queries

  2. Escaping all User Supplied Input

  3. Enable Least Privilege for the database for the end users

Testing Broken Authentication

When authentication functions related to the application are not implemented correctly, it allows hackers to compromise passwords or session ID’s or to exploit other implementation flaws using other users credentials.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

broken mgmt session auth flaws

Example

An e-commerce application supports URL rewriting, putting session IDs in the URL −

http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop

An authenticated user of the site forwards the URL to their friends to know about the discounted sales. He e-mails the above link without knowing that the user is also giving away the session IDs. When his friends use the link, they use his session and credit card.

Hands ON

Step 1 − 登录到 Webgoat 并导航至“会话管理缺陷”部分。让我们通过伪造 cookie 规避身份验证。以下是该场景的快照。

Step 1 − Login to Webgoat and navigate to 'Session Management Flaws' Section. Let us bypass the authetication by spoofing the cookie. Below is the snapshot of the scenario.

broken mgmt session auth flaws1

Step 2 − 当我们使用 webgoat/webgoat 凭据登录时,我们从 Burp Suite 中发现 JSESSION ID 为 C8F3177CCAFF380441ABF71090748F2E,而 AuthCookie 为 65432ubphcfx,身份验证成功后。

Step 2 − When we login using the credentials webgoat/webgoat, we find from Burp Suite that the JSESSION ID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie = 65432ubphcfx upon successful authentication.

broken mgmt session auth flaws2
broken mgmt session auth flaws3

Step 3 − 当我们使用 aspect/aspect 凭据登录时,我们从 Burp Suite 中发现 JSESSION ID 为 C8F3177CCAFF380441ABF71090748F2E,而 AuthCookie 为 65432udfqtb,身份验证成功后。

Step 3 − When we login using the credentials aspect/aspect, we find from Burp Suite that the JSESSION ID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie = 65432udfqtb upon successful authentication.

broken mgmt session auth flaws4

Step 4 − 现在我们需要分析 AuthCookie 模式。对于这两种身份验证,前半部分“65432”都是通用的。因此,我们现在有兴趣分析 authcookie 值的最后部分,例如 webgoat 用户的 ubphcfx 和 aspect 用户的 udfqtb。

Step 4 − Now we need to analyze the AuthCookie Patterns. The first half '65432' is common for both authentications. Hence we are now interested in analyzing the last part of the authcookie values such as - ubphcfx for webgoat user and udfqtb for aspect user respectively.

Step 5 − 如果我们深入查看 AuthCookie 值,则最后一部分与用户名长度相同。因此,很明显用户名与某种加密方法一起使用。在经过反复试验/暴力攻击机制后,我们发现将用户名 webgoat 反转;我们以 taogbew 结束,然后字母之前的字符被用作 AuthCookie。即 ubphcfx.

Step 5 − If we take a deep look at the AuthCookie values, the last part is having the same length as that of user name. Hence it is evident that the username is used with some encryption method. Upon trial and errors/brute force mechanisms, we find that after reversing the user name, webgoat; we end up with taogbew and then the before alphabet character is what being used as AuthCookie. i.e ubphcfx.

Step 6 − 如果我们传递此 cookie 值,我们可以看看会发生什么。在以 webgoat 用户身份验证时,通过执行步骤 4 和步骤 5 来查找同一用户 AuthCookie,将 AuthCookie 值更改为模拟用户 Alice。

Step 6 − If we pass this cookie value and let us see what happens. Upon authenticating as user webgoat, change the AuthCookie value to mock the user Alice by finding the AuthCookie for the same by performing step#4 and step#5.

broken mgmt session auth flaws6
broken mgmt session auth flaws5

Preventing Mechanisms

  1. Develop a strong authentication and session management controls such that it meets all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard.

  2. Developers should ensure that they avoid XSS flaws that can be used to steal session IDs.

Testing Cross-Site Scripting

Cross-site Scripting (XSS) happens whenever an application takes untrusted data and sends it to the client (browser) without validation. This allows attackers to execute malicious scripts in the victim’s browser which can result in user sessions hijack, defacing web sites or redirect the user to malicious sites.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

xss

Types of XSS

  1. Stored XSS − Stored XSS also known as persistent XSS occurs when user input is stored on the target server such as database/message forum/comment field etc. Then the victim is able to retrieve the stored data from the web application.

  2. Reflected XSS − Reflected XSS also known as non-persistent XSS occurs when user input is immediately returned by a web application in an error message/search result or the input provided by the user as part of the request and without permanently storing the user provided data.

  3. DOM Based XSS − DOM Based XSS is a form of XSS when the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser.

Example

The application uses untrusted data in the construction without validation. The special characters ought to be escaped.

http://www.webpage.org/task/Rule1?query=try

The attacker modifies the query parameter in their browser to −

http://www.webpage.org/task/Rule1?query=<h3>Hello from XSS"</h3>

Hands ON

Step 1 − Login to Webgoat and navigate to cross-site scripting (XSS) Section. Let us execute a Stored Cross-site Scripting (XSS) attack. Below is the snapshot of the scenario.

xss1

Step 2 − As per the scenario, let us login as Tom with password 'tom' as mentioned in the scenario itself. Click 'view profile' and get into edit mode. Since tom is the attacker, let us inject Java script into those edit boxes.

<script>
   alert("HACKED")
</script>
xss2

Step 3 − As soon as the update is over, tom receives an alert box with the message "hacked" which means that the app is vulnerable.

xss3

Step 4 − Now as per the scenario, we need to login as jerry (HR) and check if jerry is affected by the injected script.

xss4

Step 5 − After logging in as Jerry, select 'Tom' and click 'view profile' as shown below.

xss5

While viewing tom’s profile from Jerry’s account, he is able to get the same message box.

xss6

Step 6 − This message box is just an example, but the actual attacker can perform much more than just displaying a message box.

Preventive Mechanisms

  1. Developers have to ensure that they escape all untrusted data based on the HTML context such as body, attribute, JavaScript, CSS, or URL that the data is placed into.

  2. For those applications that need special characters as input, there should be robust validation mechanisms in place before accepting them as valid inputs.

Insecure Direct Object References

A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which allows attackers to manipulate these references to access unauthorized data.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

insecure direct object reference

Example

The App uses unverified data in a SQL call that is accessing account information.

String sqlquery = "SELECT * FROM useraccounts WHERE account = ?";
PreparedStatement st = connection.prepareStatement(sqlquery, ??);
st.setString( 1, request.getParameter("acct"));
ResultSet results = st.executeQuery( );

The attacker modifies the query parameter in their browser to point to Admin.

http://webapp.com/app/accountInfo?acct=admin

Hands ON

Step 1 − Login to Webgoat and navigate to access control flaws Section. The goal is to retrieve the tomcat-users.xml by navigating to the path where it is located. Below is the snapshot of the scenario.

insecure direct object reference1

Step 2 − The path of the file is displayed in 'the current directory is' field - C:\Users\userName$\.extract\webapps\WebGoat\lesson_plans\en and we also know that the tomcat-users.xml file is kept under C:\xampp\tomcat\conf

Step 3 − We need to traverse all the way out of the current directory and navigate from C:\ Drive. We can perform the same by intercepting the traffic using Burp Suite.

insecure direct object reference2

Step 4 − 如果尝试成功,它将显示 tomcat-users.xml 并显示消息“恭喜。您已成功完成本课程。”

Step 4 − If the attempt is successful, it displays the tomcat-users.xml with the message "Congratulations. You have successfully completed this lesson."

insecure direct object reference3

Preventive Mechanisms

开发人员可以使用以下资源/点作为指南,在开发阶段本身防止不安全的直接对象引用。

Developers can use the following resources/points as a guide to prevent insecure direct object reference during development phase itself.

  1. Developers should use only one user or session for indirect object references.

  2. It is also recommended to check the access before using a direct object reference from an untrusted source.

Security Misconfiguration

安全性错误配置会在将安全性设置定义、实施并作为默认值维护时发生。良好的安全性需要定义并为应用程序、Web 服务器、数据库服务器和平台部署安全的配置。软件保持最新状态同样重要。

Security Misconfiguration arises when Security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform. It is equally important to have the software up to date.

security misconfiguration

Example

一些经典的安全性错误配置示例如下 −

Some classic examples of security misconfiguration are as given −

  1. If Directory listing is not disabled on the server and if attacker discovers the same then the attacker can simply list directories to find any file and execute it. It is also possible to get the actual code base which contains all your custom code and then to find a serious flaws in the application.

  2. App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers grab those extra information that the error messages provide which is enough for them to penetrate.

  3. App servers usually come with sample apps that are not well secured. If not removed from production server would result in compromising your server.

Hands ON

Step 1 − 启动 Webgoat,导航到不安全的配置部分,让我们尝试解决该挑战。快照如下所示 −

Step 1 − Launch Webgoat and navigate to insecure configuration section and let us try to solve that challenge. Snapshot of the same is provided below −

security misconfiguration1

Step 2 − 我们尽可能尝试许多选项。我们需要找到配置文件的 URL,并且我们知道开发人员遵循一种配置文件命名约定。可以是下面列出的任何一项。它通常通过蛮力技术完成。

Step 2 − We can try out as many options as we can think of. All we need to find the URL of config file and we know that the developers follow kind of naming convention for config files. It can be anything that is listed below. It is usually done by BRUTE force technique.

  1. web.config

  2. config

  3. appname.config

  4. conf

Step 3 − 在尝试各种选项后,我们发现“ http://localhost:8080/WebGoat/conf ”是成功的。如果尝试成功,则会显示以下页面 −

Step 3 − Upon trying various options, we find that 'http://localhost:8080/WebGoat/conf' is successful. The following page is displayed if the attempt is successful −

security misconfiguration2

Preventive Mechanisms

  1. All environments such Development, QA, and production environments should be configured identically using different passwords used in each environment that cannot be hacked easily.

  2. Ensure that a strong application architecture is being adopted that provides effective, secure separation between components.

  3. It can also minimize the possibility of this attack by running automated scans and doing audits periodically.

Security Testing - Sensitive Data Exposure

随着在线应用程序在互联网上日益泛滥,并非所有应用程序都是安全的。许多 Web 应用程序不能适当保护敏感的用户数据,如信用卡信息/银行账户信息/验证凭据。黑客最终可能会窃取那些受到较弱保护的数据来进行信用卡欺诈、身份盗用或其他犯罪。

As the online applications keep flooding the internet in day by day, not all applications are secured. Many web applications do not properly protect sensitive user data such as credit cards information/Bank account info/authentication credentials. Hackers might end up stealing those weakly protected data to conduct credit card fraud, identity theft, or other crimes.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

sensitive data exposture

Example

以下是安全错误配置的一些经典示例:

Some of the classic examples of security misconfiguration are as given −

  1. A site simply does not use SSL for all authenticated pages. This enables an attacker to monitor network traffic and steal the user’s session cookie to hijack the users session or accessing their private data.

  2. An application stores the credit card numbers in an encrypted format in a database. Upon retrieval they are decrypted allowing the hacker to perform a SQL injection attack to retrieve all sensitive info in a clear text. This can be avoided by encrypting the credit card numbers using a public key and allowed back-end applications to decrypt them with the private key.

Hands ON

Step 1 - 启动 WebGoat 并导航到“不安全存储”部分。下面显示了它的快照。

Step 1 − Launch WebGoat and navigate to "Insecure Storage" Section. Snapshot of the same is displayed below.

insecure storage 1

Step 2 - 输入用户名和密码。现在是学习我们在前面讨论过的不同类型的编码和加密方法的时候了。

Step 2 − Enter the username and password. It is time to learn different kind of encoding and encryption methodologies that we discussed previously.

Preventive Mechanisms

  1. It is advised not to store sensitive data unnecessarily and should be scraped as soon as possible if it is no more required.

  2. It is important to ensure that we incorporate strong and standard encryption algorithms are used and proper key management is in place.

  3. It can also be avoided by disabling autocomplete on forms that collect sensitive data such as password and disable caching for pages that contain sensitive data.

Missing Function Level Access Control

大多数 Web 应用程序在向用户提供该功能之前验证功能级别访问权限。但是,如果不对服务器执行相同的访问控制检查,则黑客能够在没有适当授权的情况下渗透到应用程序中。

Most of the web applications verify function level access rights before making that functionality accessible to the user. However, if the same access control checks are not performed on the server, hackers are able to penetrate into the application without proper authorization.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

missing fn level access control

Example

以下是不存在功能级别访问控制的一个经典示例 −

Here is a classic example of Missing Function Level Access Control −

黑客只是强制目标 URL。通常,管理员访问需要身份验证,但是,如果未验证应用程序访问,则未经身份验证的用户可以访问管理员页面。

The hacker simply forces target URLs. Usually admin access requires authentication, however, if the application access is not verified, then an unauthenticated user can access admin page.

' Below URL might be accessible to an authenticated user
http://website.com/app/standarduserpage

' A NON Admin user is able to access admin page without authorization.
http://website.com/app/admin_page

Hands ON

Step 1 − 通过首先查看用户列表及其访问权限,我们登录为客户经理。

Step 1 − Let us login as account manager by first going through the list of users and their access privileges.

missing fn level access control1

Step 2 − 在尝试各种组合后,我们可以发现 Larry 具有对客户经理资源的访问权限。

Step 2 − Upon trying various combinations we can find out that Larry has access to resource account manager.

missing fn level access control2

Preventive Mechanisms

  1. The authentication mechanism should deny all access by default, and provide access to specific roles for every function.

  2. In a workflow based application, verify the users’ state before allowing them to access any resources.

Cross-Site Request Forgery(CSRF)

A CSRF attack forces an authenticated user (victim) to send a forged HTTP request, including the victim’s session cookie to a vulnerable web application, which allows the attacker to force the victim’s browser to generate request such that the vulnerable app perceives as legitimate requests from the victim.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

csrf

Example

Here is a classic example of CSRF −

Step 1 − Let us say, the vulnerable application sends a state changing request as a plain text without any encryption.

http://bankx.com/app?action=transferFund&amount=3500&destinationAccount=4673243243

Step 2 − Now the hacker constructs a request that transfers money from the victim’s account to the attacker’s account by embedding the request in an image that is stored on various sites under the attacker’s control −

<img src = "http://bankx.com/app?action=transferFunds&amount=14000&destinationAccount=attackersAcct#"
   width = "0" height = "0" />

Hands ON

Step 1 − Let us perform a CSRF forgery by embedding a Java script into an image. The snapshot of the problem is listed below.

csrf1

Step 2 − Now we need to mock up the transfer into a 1x1 image and make the victim to click on the same.

csrf2

Step 3 − Upon submitting the message, the message is displayed as highlighted below.

csrf3

Step 4 − Now if the victim clicks the following URL, the transfer is executed, which can be found intercepting the user action using burp suite. We are able to see the transfer by spotting it in Get message as shown below −

csrf4

Step 5 − Now upon clicking refresh, the lesson completion mark is shown.

Preventive Mechanisms

  1. CSRF can be avoided by creating a unique token in a hidden field which would be sent in the body of the HTTP request rather than in an URL, which is more prone to exposure.

  2. Forcing the user to re-authenticate or proving that they are users in order to protect CSRF. For example, CAPTCHA.

Components with Vulnerabilities

This kind of threat occurs when the components such as libraries and frameworks used within the app almost always execute with full privileges. If a vulnerable component is exploited, it makes the hacker’s job easier to cause a serious data loss or server takeover.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

using components with known vulnerabilities

Example

The following examples are of using components with known vulnerabilities −

  1. Attackers can invoke any web service with full permission by failing to provide an identity token.

  2. Remote-code execution with Expression Language injection vulnerability is introduced through the Spring Framework for Java based apps.

Preventive Mechanisms

  1. Identify all components and the versions that are being used in the webapps not just restricted to database/frameworks.

  2. Keep all the components such as public databases, project mailing lists etc. up to date.

  3. Add security wrappers around components that are vulnerable in nature.

Unvalidated Redirects and Forwards

互联网上的大多数 Web 应用程序经常将用户重定向并转发到其他页面或外部网站。但是,在不验证这些页面的可信度的情况下,黑客可以将受害者重定向到网络钓鱼或恶意软件网站,或使用转发来访问未经授权的页面。

Most web applications on the internet frequently redirect and forward users to other pages or other external websites. However, without validating the credibility of those pages, hackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

unvalidated redirects and forwards

Example

Some classic examples of Unvalidated Redirects and Forwards are as given −

  1. Let us say the application has a page - redirect.jsp, which takes a parameter redirectrul. The hacker adds a malicious URL that redirects users which performs phishing/installs malware.

http://www.mywebapp.com/redirect.jsp?redirectrul=hacker.com

  1. All web application used to forward users to different parts of the site. In order to achieve the same, some pages use a parameter to indicate where the user should be redirected if an operation is successful. The attacker crafts an URL that passes the application’s access control check and then forwards the attacker to administrative functionality for which the attacker has not got the access.

http://www.mywebapp.com/checkstatus.jsp?fwd=appadmin.jsp

Preventive Mechanisms

  1. It is better to avoid using redirects and forwards.

  2. If it is unavoidable, then it should be done without involving user parameters in redirecting the destination.

AJAX Security

异步 Javascript 和 XML (AJAX) 是用于开发 Web 应用程序的最新技术之一,旨在提供丰富的用户体验。由于它是一项新技术,因此还有很多要建立的安全问题,以下是 AJAX 中的一些安全问题:

Asynchronous Javascript and XML (AJAX) is one of the latest techniques used to develope web application inorder to give a rich user experience. Since it is a new technology, there are many security issues that are yet to be completed established and below are the few security issues in AJAX.

  1. The attack surface is more as there are more inputs to be secured.

  2. It also exposes the internal functions of the applications.

  3. Failure to protect authentication information and sessions.

  4. There is a very narrow line between client-side and server-side, hence there are possibilities of committing security mistakes.

Example

以下是 AJAX 安全的一个例子:

Here is an example for AJAX Security −

2006 年,一个蠕虫病毒感染了 yahoo 邮件服务,它利用了 Yahoo 邮件 onload 事件处理中的一个漏洞,该蠕虫利用了 XSS 和 AJAX。当打开受感染的电子邮件时,蠕虫会执行其 JavaScript,向受感染用户的全部 Yahoo 联系人发送一封副本。

In 2006, a worm infected yahoo mail service using XSS and AJAX that took advantage of a vulnerability in Yahoo Mail’s onload event handling. When an infected email was opened, the worm executed its JavaScript, sending a copy to all the Yahoo contacts of the infected user.

Hands ON

Step 1 − 我们需要尝试使用 XML 注入来向已获准的奖励集中添加更多奖励。以下是该场景的快照。

Step 1 − We need to try to add more rewards to your allowed set of reward using XML injection. Below is the snapshot of the scenario.

xml injection

Step 2 − 确保使用 Burp Suite 拦截 请求和响应。设置如下所示。

Step 2 − Make sure that we intercept both request and response using Burp Suite. Settings of the same as shown below.

burp settings

Step 3 − 输入场景中给出的帐号。我们能够获得我们有资格享受的所有奖励的列表。我们有资格享受 5 个奖励中的 3 个。

Step 3 − Enter the account number as given in the scenario. We will be able to get a list of all rewards that we are eligible for. We are eligible for 3 rewards out of 5.

xml injection1

Step 4 − 现在,让我们点击“提交”,看看在响应 XML 中会看到什么。如下所示,我们有资格享受的 3 个奖励都以 XML 形式传给了我们。

Step 4 − Now let us click 'Submit' and see what we get in the response XML. As shown below the three rewards that are we are eligible are passed to us as XML.

xml injection2

Step 5 − 现在,让我们编辑那些 XML,加上另外两个奖励。

Step 5 − Now let us edit those XMLs and add the other two rewards as well.

xml injection3

Step 6 − 现在,用户可以选择所有奖励。选择我们添加的那些奖励,然后点击“提交”。

Step 6 − Now all the rewards would be displayed to the user for them to select. Select the ones that we added and click 'Submit'.

xml injection4

Step 7 − 出现以下消息,显示“* 恭喜。您已成功完成此课程”。

Step 7 − The following message appears saying, "* Congratulations. You have successfully completed this lesson."

Preventive Mechanisms

客户端 -

Client side −

  1. Use .innerText instead of .innerHtml.

  2. Do not use eval.

  3. Do not rely on client logic for security.

  4. Avoid writing serialization code.

  5. Avoid building XML dynamically.

  6. Never transmit secrets to the client.

  7. Do not perform encryption in client side code.

  8. Do not perform security impacting logic on client side.

服务器端-

Server side −

  1. Use CSRF protection.

  2. Avoid writing serialization code.

  3. Services can be called by users directly.

  4. Avoid building XML by hand, use the framework.

  5. Avoid building JSON by hand, use an existing framework.

Security Testing - Web Service

在现代的基于 Web 的应用程序中,使用 Web 服务是不可避免的,而且它们也容易受到攻击。由于 Web 服务请求从多个网站提取,因此开发人员必须采取一些额外的措施才能避免黑客进行任何形式的渗透。

In modern web-based applications, the usage of web services is inevitable and they are prone for attacks as well. Since the web services request fetch from multiple websites developers have to take few additional measures in order to avoid any kind of penetration by hackers.

Hands ON

Step 1 − 导航到 Webgoat 的 Web 服务区域,然后转到 WSDL 扫描。我们现在需要获取其他帐号的信用卡详细信息。以下是对这种情况的概述。

Step 1 − Navigate to web services area of Webgoat and go to WSDL Scanning. We need to now get credit card details of some other account number. Snapshot of the scenario is as mentioned below.

web services

Step 2 − 如果我们选择名字,则会通过 SOAP 请求 xml 调用“getFirstName”功能。

Step 2 − If we select the first name, the 'getFirstName' function call is made through SOAP request xml.

web services1

Step 3 − 通过打开 WSDL,我们可以看到有一个方法可以检索信用卡信息以及“getCreditCard”。现在,让我们使用 Burp 套件篡改输入,如下所示 −

Step 3 − By opening the WSDL, we are can see that there is a method to retrieve credit card information as well 'getCreditCard'. Now let us tamper the inputs using Burp suite as shown below −

web services2

Step 4 − 现在,让我们使用 Burp 套件修改输入,如下所示 −

Step 4 − Now let us modify the inputs using Burp suite as shown below −

web services3

Step 5 − 我们可以获得其他用户的信用卡信息。

Step 5 − We can get the credit card information of other users.

web services4

Preventive Mechanisms

  1. Since SOAP messages are XML-based, all passed credentials have to be converted to text format. Hence one has to be very careful in passing the sensitive information which has to be always encrypted.

  2. Protecting message integrity by implementing the mechanisms like checksum applied to ensure packet’s integrity.

  3. Protecting message confidentiality - Asymmetric encryption is applied to protect the symmetric session keys, which in many implementations are valid for one communication only and are discarded subsequently.

Security Testing - Buffer Overflows

当程序尝试在临时数据存储区域(缓冲区)中存储比预期更多的数据时,就会发生缓冲区溢出。由于缓冲区是为容纳有限数量的数据而创建的,因此额外信息可能会溢出到相邻缓冲区,从而损坏其中保存的有效数据。

A buffer overflow arises when a program tries to store more data in a temporary data storage area (buffer) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, thus corrupting the valid data held in them.

Example

以下是缓冲区溢出的经典示例。它展示了一个简单的缓冲区溢出,它是由依赖于外部数据来控制其行为的第一种情况引起的。无法限制用户输入的数据量,并且该程序的行为取决于用户输入的字符数。

Here is a classic examples of buffer overflow. It demonstrates a simple buffer overflow that is caused by the first scenario in which relies on external data to control its behavior. There is no way to limit the amount of data that user has entered and the behavior of the program depends on the how many characters the user has put inside.

   ...
   char bufr[BUFSIZE];
   gets(bufr);
   ...

Hands ON

Step 1 − 我们需要使用姓名和房间号登录才能获得互联网访问权限。以下是场景快照。

Step 1 − We need to login with name and room number to get the internet access. Here is the scenario snapshot.

buffer overflow

Step 2 − 我们还将在 Burp Suite 中启用“取消隐藏隐藏表单字段”,如下所示 −

Step 2 − We will also enable "Unhide hidden form fields" in Burp Suite as shown below −

buffer overflow1

Step 3 − 现在我们在姓名和房间号字段中发送输入。我们还尝试在房间号字段中注入一个很大的数字。

Step 3 − Now we send an input in name and room number field. We also try and inject a pretty big number in the room number field.

buffer overflow2

Step 4 − 隐藏字段按如下所示显示。我们单击接受条款。

Step 4 − The hidden fields are displayed as shown below. We click accept terms.

buffer overflow3

Step 5 − 攻击成功,因此由于缓冲区溢出,它开始读取相邻的内存位置,并按如下所示显示给用户。

Step 5 − The attack is successful such that as a result of buffer overflow, it started reading the adjacent memory locations and displayed to the user as shown below.

buffer overflow4

Step 6 − 现在,让我们使用显示的数据进行登录。登录后,将显示以下消息 −

Step 6 − Now let us login using the data displayed. After logging, the following message is displayed −

buffer overflow45

Preventive Mechanisms

  1. Code Reviewing

  2. Developer training

  3. Compiler tools

  4. Developing Safe functions

  5. Periodical Scanning

Security Testing - Denial of Service

拒绝服务 (DoS) 攻击是黑客让网络资源不可用的尝试。它通常会暂时或无限期地中断连接到互联网的主机。此类攻击通常针对托管在关键任务 Web 服务器(例如,银行、信用卡支付网关)上的服务。

Denial of Service (DoS) attack is an attempt by hackers to make a network resource unavailable. It usually interrupts the host, temporary or indefinitely, which is connected to the internet. These attacks typically target services hosted on mission critical web servers such as banks, credit card payment gateways.

Symptoms of DoS

  1. Unusually slow network performance.

  2. Unavailability of a particular web site.

  3. Inability to access any web site.

  4. Dramatic increase in the number of spam emails received.

  5. Long term denial of access to the web or any internet services.

  6. Unavailability of a particular website.

Hands ON

Step 1 − 启动 WebGoat 并导航到“拒绝服务”部分。该场景的快照如下所示。我们通过突破最大 DB 线程池大小来多次登录那里。

Step 1 − Launch WebGoat and navigate to 'Denial of Service' section. The snapshot of the scenario is given below. We need to login multiple times there by breaching maximum DB thread pool size.

dos

Step 2 − 首先我们需要获取有效登录的列表。在这种情况下,我们使用 SQL 注入。

Step 2 − First we need to get the list of valid logins. We use SQL Injection in this case.

dos1

Step 3 − 如果尝试成功,那么它会向用户显示所有有效凭据。

Step 3 − If the attempt is successful, then it displays all valid credentials to the user.

dos3

Step 4 − 现在使用其中每个用户登录,至少在 3 个不同的会话中,以便成功执行 DoS 攻击。正如我们所知,DB 连接只能处理两个线程,通过使用所有登录,它将创建三个线程,从而使攻击成功。

Step 4 − Now login with each one of these user in at least 3 different sessions in order to make the DoS attack successful. As we know that DB connection can handle only two threads, by using all logins it will create three threads which makes the attack successful.

dos4

Preventive Mechanisms

  1. Perform thorough input validations.

  2. Avoid highly CPU consuming operations.

  3. It is better to separate data disks from system disks.

Security Testing - Malicious File Execution

开发人员通常直接使用或将可能遭到破坏的输入与文件连接,或假设输入文件是真实的。如果数据没有经过正确检查,可能会导致 Web 服务器处理或调用遭到破坏的内容。

Developers often directly use or concatenate potentially vulnerable input with file or assume that input files are genuine. When the data is not checked properly, this can lead to the vulnerable content being processed or invoked by the web server.

Example

以下是几个经典示例:

Some of the classic examples include −

  1. Upload .jsp file into web tree.

  2. Upload .gif to be resized.

  3. Upload huge files.

  4. Upload file containing tags.

  5. Upload .exe file into web tree.

Hands ON

Step 1 - 启动 WebGoat 并导航至恶意文件执行部分。该场景的快照如下 -

Step 1 − Launch WebGoat and navigate to Malicious file execution section. The snapshot of the scenario is given below −

malacious file execution

Step 2 − 为了完成该课程,我们需在上文所说的位置中上传 guest.txt。

Step 2 − In order to complete this lesson, we need to upload guest.txt in the above said location.

Step 3 − 让我们创建一个 jsp 文件,在执行 jsp 时创建 guest.txt 文件。在这种情况下,jsp 的命名无关紧要,因为我们正执行 jsp 文件的内容。

Step 3 − Let us create a jsp file such that the guest.txt file is created on executing the jsp. The Naming of the jsp has no role to play in this context as we are executing the content of the jsp file.

<HTML>
   <% java.io.File file = new
      java.io.File("C:\\Users\\username$\\.extract\\webapps\\WebGoat\\mfe_target\\guest.txt");
      file.createNewFile(); %>
</HTML>

Step 4 − 现在,上传 jsp 文件,并在上传后复制该文件的链接位置。上传时系统将接受一张图片,但我们上传的是 jsp。

Step 4 − Now upload the jsp file and copy the link location of the same after upload. The upload is expecting an image, but we are uploading a jsp.

malacious file execution1

Step 5 − 通过导航到 jsp 文件,不会有任何信息发送给用户。

Step 5 − By navigating to the jsp file, there will not be any message to the user.

Step 6 − 现在,刷新上传 jsp 文件的会话,你会收到以下消息:“* 恭喜你。你已成功完成课程”。

Step 6 − Now refresh the session where you have uploaded the jsp file and you will get the message saying, "* Congratulations. You have successfully completed the lesson".

malacious file execution2

Preventive Mechanisms

  1. Secure websites using website permissions.

  2. Adopt countermeasures for web application security.

  3. Understand the Built-In user and group accounts in IIS 7.0.

Security Testing - Automation Tools

有各种工具可用于执行应用程序安全性测试。某些工具可以执行端到端安全性测试,而某些工具则专门用于检测系统中的特定类型缺陷。

There are various tools available to perform security testing of an application. There are few tools that can perform end-to-end security testing while some are dedicated to spot a particular type of flaw in the system.

Open Source Tools

某些开源安全性测试工具如下所示−

Some open source security testing tools are as given −

S.No.

Tool Name

1

Zed Attack Proxy Provides Automated Scanners and other tools for spotting security flaws. https://www.zaproxy.org/

2

OWASP WebScarab Developed in Java for Analysing Http and Https requests. https://www.owasp.org/index.php

3

OWASP Mantra Supports multi-lingual security testing framework https://www.owasp.org/index.php/OWASP_Mantra-_Security_Framework

4

Burp Proxy Tool for Intercepting & Modyfying traffic and works with work with custom SSL certificates. https://www.portswigger.net/Burp/

5

Firefox Tamper Data Use tamperdata to view and modify HTTP/HTTPS headers and post parameters

6

Firefox Web Developer Tools The Web Developer extension adds various web developer tools to the browser. https://addons.mozilla.org/en-US/firefox

7

Cookie Editor Lets user to add, delete, edit, search, protect and block cookies https://chrome.google.com/webstore

Specific Tool Sets

以下工具有助于我们检测系统中的特定类型漏洞−

The following tools can help us spot a particular type of vulnerability in the system −

S.No.

Link

1

OWASP SQLiX − SQL Injection https://www.owasp.org/index.php

2

Sqlninja − SQL Injection http://sqlninja.sourceforge.net/

3

SQLInjector − SQL Injection https://sourceforge.net/projects/safe3si/

4

sqlpowerinjector − SQL Injection http://www.sqlpowerinjector.com/

5

SSL Digger − Testing SSL https://www.mcafee.com/us/downloads/free-tools

6

THC-Hydra − Brute Force Password https://www.kali.org/tools/hydra/

7

Brutus − Brute Force Password https://www.hackercoolmagazine.com/brutus-password-cracker-complete-guide/

8

Ncat − Brute Force Password https://nmap.org/ncat/

9

OllyDbg − Testing Buffer Overflow http://www.ollydbg.de/

10

Metasploit − Testing Buffer Overflow https://www.metasploit.com/

Commercial Black Box Testing tools

以下是一些商业的黑盒测试工具,它们有助于我们发现所开发的应用程序中的安全问题。

Here are some of the commercial black box testing tools that help us spot security issues in the applications that we develop.

S.No

Tool

1

NGSSQuirreL NGSSQuirreL Tool

2

IBM AppScan https://www-01.ibm.com/software/awdtools/appscan/

3

Acunetix Web Vulnerability Scanner https://www.acunetix.com/

4

NTOSpider https://www.ntobjectives.com/products/ntospider.php

5

SOAP UI https://www.soapui.org/Security/getting-started.html

6

Netsparker https://www.mavitunasecurity.com/netsparker/

7

HP WebInspect http://www.hpenterprisesecurity.com/products

Free Source Code Analyzers

S.No

Tool

1

OWASP Orizon https://www.owasp.org/index.php

2

SearchDiggity https://www.bishopfox.com/resources/tools

3

FXCOP https://www.owasp.org/index.php/FxCop

4

Splint http://splint.org/

5

Boon https://www.cs.berkeley.edu/daw/boon/

6

W3af https://docs.w3af.org/en/latest/

7

FlawFinder https://www.dwheeler.com/flawfinder/

8

FindBugs http://findbugs.sourceforge.net/

Commercial Source Code Analyzers

这些分析器检查、检测和报告易受漏洞利用的源代码中的弱点 -

These analyzers examine, detect, and report the weaknesses in the source code, which are prone to vulnerabilities −

S.No

Tool

1

Parasoft C/C++ test https://www.parasoft.com/cpptest/

2

HP Fortify http://www.hpenterprisesecurity.com/products

3

Appscan http://www-01.ibm.com/software/rational/products

4

Veracode https://www.veracode.com

5

Armorize CodeSecure http://www.armorize.com/codesecure/

6

GrammaTech https://www.grammatech.com/