Testing Types for Security Testing
Configuration Management Security Testing
Analysis of the network infrastructure and web application architecture often reveals a good amount of information: source code, permitted HTTP methods, administrative functionality, authentication methods, infrastructure configuration and so on. The interconnected and heterogeneous web server infrastructures of today, which can run to hundreds of servers, make configuration management review and validation a fundamental step in testing. An application penetration test should therefore include checks on how the infrastructure was deployed and secured. Even when the application itself is secure, some small aspect of the configuration may still be at its default install state and open to exploitation.
Testing for Configuration Management usually includes -
» Use of strong cipher suites (SSL/TLS) and their correct implementation
» Security of the database listener port and component
» Web servers, database servers and authentication servers: software versions and their known vulnerabilities
» Default configuration of the application and its associated vulnerabilities
» File extension handling configuration
» Presence of redundant, readable and downloadable files on the web server
» Administrative functionality reachable only by authorised users
» Configuration of HTTP methods and their associated vulnerabilities (for example TRACE enabling cross-site tracing)
List of scanner tools that can identify vulnerabilities related to configuration:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Application Configuration Weakness | W3AF, Nessus, Sandcat, arachni, Oedipus, iScan, N-Stalker, WSTool | IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Skipfish, Sandcat, Jsky, Netsparker, Grendel Scan, ParosPro, WebCruiser, Web Injection Scanner
HTTP Methods and XST | W3AF, Nessus, Sandcat, arachni, ZAP, Oedipus, Andiparos, WATOBO, Jsky, N-Stalker | IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Skipfish, Sandcat, Jsky, Netsparker, Burp Suite, Vega, Grendel Scan, ParosPro, Paros Proxy, iScan
Old, Backup and Unreferenced Files | W3AF, ZAP, Syhunt Mini, Wapiti, WATOBO, Andiparos, Paros Proxy | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker
A caveat that applies to this and the following tables: the classification is loose. A few tools appear in both columns, several listed as commercial (Skipfish, Vega, Grendel Scan, Paros Proxy) are in fact open source, and many of these scanners are no longer maintained, so treat the lists as a starting point rather than a current survey.
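Three of the checks above are easy to script by hand when a scanner is not available: classifying the methods an OPTIONS response advertises, confirming that TRACE reflects request headers (the precondition for XST), and probing for old/backup copies of a known file. The block below is an added example, not code from the original post; the fake server map and the TRACE response it uses are constructed stand-ins for real HTTP traffic, and a tester would swap `fake_status` for `http.client` calls against the target.

```python
"""Configuration-management checks: risky HTTP methods from an OPTIONS 'Allow'
header, cross-site tracing (XST) exposure, and old/backup file discovery.
Added example (not from the original post); all responses are constructed."""
import secrets

# Methods a typical web application does not need and that deserve review
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT",
                 "PROPFIND", "MKCOL", "COPY", "MOVE"}

# Suffixes that editors, deploy scripts and admins leave next to live files
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~", ".txt", ".zip", ".tar.gz")


def risky_methods(allow_header: str) -> set:
    """Methods from an OPTIONS 'Allow' (or 'Public') header that need a closer look."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return methods & RISKY_METHODS


def xst_probe_marker() -> str:
    """Unpredictable value to send in a custom header on the TRACE request."""
    return "xst-" + secrets.token_hex(8)


def xst_exposed(status: int, response_body: str, marker: str) -> bool:
    """TRACE is exploitable when the server answers 200 and echoes our probe header.
    In a real attack the echoed header is the victim's Cookie or Authorization,
    which script can then read despite the HttpOnly flag."""
    return status == 200 and marker in response_body


def backup_candidates(path: str) -> list:
    """For /app/login.php, produce the leftover names an attacker would request."""
    directory, name = path.rsplit("/", 1)
    stem = name.rsplit(".", 1)[0]
    candidates = [path + suffix for suffix in BACKUP_SUFFIXES]
    candidates += [f"{directory}/.{name}.swp",   # vim swap file
                   f"{directory}/{name}.1",       # copy left by a deploy script
                   f"{directory}/{stem}.zip",     # archive of the original
                   f"{directory}/#{name}#"]       # emacs autosave
    return candidates


def find_leftovers(status_of, path: str) -> list:
    """Candidates the server actually serves (HTTP 200). status_of(path) -> int."""
    return [c for c in backup_candidates(path) if status_of(c) == 200]


# Constructed fake server: path -> status code. Replace with real requests in use.
FAKE_SERVER = {"/app/login.php": 200, "/app/login.php.bak": 200,
               "/app/.login.php.swp": 200, "/app/login.zip": 404}


def fake_status(path: str) -> int:
    return FAKE_SERVER.get(path, 404)


if __name__ == "__main__":
    print("risky:", risky_methods("GET, HEAD, POST, OPTIONS, TRACE, PUT"))
    marker = xst_probe_marker()
    echoed = f"TRACE / HTTP/1.1\r\nHost: target\r\nX-Probe: {marker}\r\nCookie: sid=abc\r\n"
    print("XST:", xst_exposed(200, echoed, marker))
    print("leftovers:", find_leftovers(fake_status, "/app/login.php"))
```

Note that a 200 to a backup-file request is only a lead: compare the body against the live file and against a random non-existent name, since some servers answer 200 with a generic page for everything.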
Authentication Security Testing
Authentication is the process of verifying the digital identity of the sender of a communication; the sender may be a user, a process or a device. The logon process is the familiar example, but authentication happens every time we use our computers, and much of it is transparent to the user and handled by the machine. Testing the authentication schema means understanding how the authentication process works and using that understanding to circumvent the mechanism. For a penetration tester it is valuable to be able to gain the trust of a system and bypass security as an apparently authorised entity. The most common method by which people confirm their identity is something they know, such as a password. Testing for Authentication usually includes -
» Understanding whether credentials travel unencrypted from the web browser to the server
» Collecting a set of valid user names and then attempting brute force
» Trying default user names and passwords of the deployed application / server
» Retrieving a valid user account and password by enumerating many candidates (user enumeration through differing error messages or response times)
» Bypassing the authentication schema by tampering with requests and tricking the application
» Flaws in the "Remember Password" and "Password Reset" functions
» Flaws in the logout and caching functions
» CAPTCHA validation
» Evaluating the strength of a multiple-factor authentication system, for example an OTP (One Time Password)
» Testing for race conditions, which are difficult to test for
List of scanner tools that can identify vulnerabilities related to authentication:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Bypassing Authentication Schema | Nessus, WebScarab, WebGoat | IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider, Grendel Scan
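The default-credential, user-enumeration and brute-force items above are where scanners help least and a short script helps most. The block below is an added example, not code from the original post: `fake_login` is a constructed stand-in for a real POST /login that deliberately leaks which check failed, and the three probe functions are what a tester would point at the real endpoint instead.

```python
"""Authentication checks: default credentials, username enumeration through response
differences, and whether an account-lockout threshold exists. Added example, not
code from the original post; fake_login() is a constructed target."""
import secrets

USERS = {"admin": "admin", "alice": "S3cret!"}   # constructed target with a default account
FAILURES = {}                                    # failed attempts per user (server state)
LOCK_AFTER = 5


def fake_login(username: str, password: str):
    """Stand-in for the target. It leaks which check failed; that is the flaw
    enumerate_users() detects."""
    if username not in USERS:
        return 401, "Unknown user"
    if FAILURES.get(username, 0) >= LOCK_AFTER:
        return 423, "Account locked"
    if USERS[username] != password:
        FAILURES[username] = FAILURES.get(username, 0) + 1
        return 401, "Wrong password"
    FAILURES[username] = 0
    return 200, "Welcome"


DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("tomcat", "tomcat")]


def try_default_creds(login) -> list:
    """Vendor/default pairs that still open the door."""
    return [(u, p) for u, p in DEFAULT_CREDS if login(u, p)[0] == 200]


def enumerate_users(login, candidates, bogus_password="zz-not-a-real-pw") -> list:
    """Compare each candidate's failure response with that of a surely-invalid user.
    Any difference (status, message; in practice also length or timing) means the
    application confirms which user names exist."""
    baseline = login("no-such-user-" + secrets.token_hex(4), bogus_password)
    return [u for u in candidates if login(u, bogus_password) != baseline]


def lockout_threshold(login, username: str, max_attempts: int = 20):
    """Wrong-password attempts the account tolerates before locking; None if it
    never locks within max_attempts, i.e. online brute force is unthrottled."""
    for attempt in range(1, max_attempts + 1):
        status, _ = login(username, f"wrong-{attempt}")
        if status == 423:
            return attempt - 1
    return None


if __name__ == "__main__":
    print("default creds:", try_default_creds(fake_login))
    print("enumerable:", enumerate_users(fake_login, ["admin", "alice", "bob"]))
    FAILURES.clear()
    print("lockout after:", lockout_threshold(fake_login, "alice"))
```

The lockout probe cuts both ways: a threshold that exists stops brute force, but it also lets anyone lock a known account by sending wrong passwords, which is the account-lockout DoS listed later in this post.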
Session Management Security Testing
Authentication and session management together cover all aspects of verifying users and managing their active sessions. HTTP is a stateless protocol, so even simple application logic requires a user's multiple requests to be associated with each other across a 'session'. For web applications, a session is the period a user spends on a site after authenticating, and the duration of authorised sessions should always be managed prudently. The penetration tester's goal is to identify sessions that carry high-level privileges or never expire, and any way to hijack or forge them. Testing for Session Management usually includes -
» Understanding the existing session management schema
» Understanding whether cookies are protected (Secure, HttpOnly and SameSite attributes, scope, expiry)
» Accessing another user's account by planting a session identifier before the victim logs in (Session Fixation)
» Retrieving session tokens in transit between the client browser and the application server
» Forcing an unknowing user to execute unwanted actions (Cross Site Request Forgery)
List of scanner tools that can identify vulnerabilities related to sessions:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Session Identifier Complexity Analysis | W3AF, Nessus, Sandcat, Jsky, WebScarab | Cenzic Hailstorm, NTO Spider, Sandcat, Burp Suite, Grendel Scan
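The cookie-protection and identifier-complexity checks above reduce to a few lines once the Set-Cookie headers and a sample of tokens are captured through a proxy. The block below is an added example, not code from the original post; the two headers and the two token samples are constructed, and the entropy figure is only a crude screen (a proper analysis such as Burp Sequencer's needs thousands of samples).

```python
"""Session-management checks: review of Set-Cookie attributes, a crude predictability
test on sampled session identifiers, and a session-fixation check. Added example,
not code from the original post; headers and tokens below are constructed."""
import math
from collections import Counter


def cookie_findings(set_cookie: str) -> list:
    """Missing protections in one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, token can leak over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, token readable by injected script")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, no cookie-level CSRF defence")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie, session outlives the browser")
    return findings


def pooled_entropy(tokens) -> float:
    """Shannon entropy (bits per character) over all sampled tokens. A narrow
    alphabet or constant padding drags this down; random hex sits near 4."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(tokens) -> bool:
    """True when hex tokens advance by small positive steps: a counter, not randomness."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and all(0 < d < 1000 for d in deltas)


def fixation_possible(sid_before_login: str, sid_after_login: str) -> bool:
    """An identifier issued before authentication must not survive it."""
    return sid_before_login == sid_after_login


# Constructed samples
GOOD = "SESSIONID=9c2e7b1d4f6a8e0b3c5d7f9a1b2c3d4e; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD = "PHPSESSID=00001f3a; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
SEQUENTIAL = ["00001f3a", "00001f3b", "00001f3d"]          # counter-style IDs
RANDOM = ["b4f1e0c3a2d9", "17ac5e9f0b23", "e8d2a4c7f961"]  # random-looking IDs

if __name__ == "__main__":
    print(cookie_findings(BAD))
    print(looks_sequential(SEQUENTIAL), round(pooled_entropy(SEQUENTIAL), 2))
    print(looks_sequential(RANDOM), round(pooled_entropy(RANDOM), 2))
```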
Authorization Security Testing
Authorization is the concept of allowing access to resources only to those permitted to use them. While authentication is about establishing and verifying user identity, authorization is about permissions: is the user allowed to perform the operation being invoked? Testing for Authorization means understanding how the authorization process works and using that information to circumvent it. Testing for Authorization usually includes -
» Executing a path traversal attack to access reserved information
» Bypassing the authorization schema
» Checking whether a user can escalate his or her privileges within the application
List of scanner tools that can identify vulnerabilities related to authorization:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Path Traversal | W3AF, IronWASP, ZAP, arachni, SkipFish, Wapiti, Vega, WATOBO, safe3wvs, WebSecurify | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro
Privilege Escalation | WebScarab | IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider
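Path traversal is the one authorization flaw scanners find reliably; privilege escalation usually needs two sessions and a tester replaying one user's object identifiers with the other's cookie. The block below is an added example, not code from the original post: it shows a flawed and a hardened file resolver, and a small replay probe against a constructed invoice handler (document root, invoice table and roles are all made up for the example).

```python
"""Authorization checks: a path-traversal-safe file resolver beside the flawed one,
and an access-control probe that replays object identifiers with a low-privilege
session (horizontal privilege escalation / IDOR). Added example, not code from the
original post; the document root and the invoice table are constructed."""
import posixpath

DOC_ROOT = "/srv/app/public"


def resolve_flawed(user_path: str) -> str:
    """Joins and normalises, but never checks where the result ends up. Assumes the
    path was already URL-decoded, as it would be by the web framework."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, user_path))


def resolve_safe(user_path: str) -> str:
    """Strip a leading slash, normalise, then insist the result stays under DOC_ROOT.
    On a real filesystem also realpath() the result so symlinks cannot escape."""
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, user_path.lstrip("/")))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        raise PermissionError(f"traversal attempt: {user_path!r}")
    return candidate


def traverses(user_path: str) -> bool:
    """True if the hardened resolver rejects the path."""
    try:
        resolve_safe(user_path)
        return False
    except PermissionError:
        return True


INVOICES = {101: ("alice", "invoice 101 body"), 102: ("bob", "invoice 102 body")}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def get_invoice_flawed(session_user: str, invoice_id: int) -> str:
    """Authenticated but never checks ownership: any logged-in user reads any invoice."""
    return INVOICES[invoice_id][1]


def get_invoice(session_user: str, invoice_id: int) -> str:
    owner, body = INVOICES[invoice_id]
    if session_user != owner and ROLES.get(session_user) != "admin":
        raise PermissionError("forbidden")
    return body


def probe_idor(handler, session_user: str, ids, owned) -> list:
    """Replay every id with a low-privilege session; ids outside `owned` that
    come back are authorization findings."""
    leaked = []
    for i in ids:
        try:
            handler(session_user, i)
        except PermissionError:
            continue
        if i not in owned:
            leaked.append(i)
    return leaked


if __name__ == "__main__":
    print(resolve_flawed("../../../etc/passwd"))          # escapes the document root
    print(traverses("../../../etc/passwd"))               # True: hardened version refuses
    print(probe_idor(get_invoice_flawed, "alice", [101, 102], owned={101}))
    print(probe_idor(get_invoice, "alice", [101, 102], owned={101}))
```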
Business Logic Security Testing
Business logic can have security flaws that allow a user to do something the business does not permit. For example, can a user make a purchase for a negative amount of money? Attacks on the business logic of an application are dangerous, difficult to detect and usually specific to the application. This type of vulnerability cannot be detected by a vulnerability scanner and relies on the skill and creativity of the penetration tester.
There are no scanner tools that can identify vulnerabilities related to business logic, as it is context driven.
Vulnerability Type | Open Source / Free Tools | Commercial Tools
- | No Tool | No Tool
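The negative-amount purchase mentioned above is worth seeing in code, because the fix is a rule rather than a filter: never use a figure the client sent when the server can recompute it. The block below is an added example, not code from the original post; the catalogue, prices and balances are constructed.

```python
"""Business-logic check: a checkout that trusts the quantities and total the browser
sends, beside one that validates each line and recomputes the total server-side.
Added example, not code from the original post; catalogue and balances are made up."""
CATALOGUE = {"book": 1200, "pen": 150}   # unit prices in cents


def checkout_flawed(cart: dict, client_total: int, balance: int) -> int:
    """Only checks affordability, so a negative total credits the account."""
    if client_total > balance:
        raise ValueError("insufficient funds")
    return balance - client_total


def checkout(cart: dict, client_total: int, balance: int) -> int:
    """Validate every line item and recompute the total; the client's figure is
    only compared against the server's, never used."""
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOGUE or type(qty) is not int or qty < 1:
            raise ValueError(f"bad line item {sku!r}: {qty!r}")
        total += CATALOGUE[sku] * qty
    if total != client_total:
        raise ValueError("client total does not match server total")
    if total > balance:
        raise ValueError("insufficient funds")
    return balance - total


def abuse_succeeds(handler) -> bool:
    """Submit 'buy -3 books for -36.00' and see whether the balance goes up."""
    try:
        return handler({"book": -3}, -3600, 1000) > 1000
    except ValueError:
        return False


if __name__ == "__main__":
    print("flawed abusable:", abuse_succeeds(checkout_flawed))
    print("fixed abusable:", abuse_succeeds(checkout))
```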
Data Validation Security Testing
One weakness that leads to almost all web application vulnerabilities, such as XSS and SQL injection, is erroneous data from an external entity. Data from an external entity can be tampered with by an attacker or supplied unknowingly by a user, so the application must validate and sanitise all input before it is trusted and processed, and encode output for the context it is written into. Data validation testing is the task of testing every form of input to find out whether the application scrutinises all data correctly. Data Validation testing usually includes -
» Making the victim load an offending URI (Reflected Cross-site Scripting)
» Storing malicious code in a web page (Stored Cross-site Scripting)
» Controlling a DOM element (DOM Cross-site Scripting)
» Vulnerabilities such as DOM based Cross-site Scripting in flawed Flash applications
» Injecting an SQL query via the input data (SQL Injection)
» Manipulating input parameters passed to internal search, add and modify functions (LDAP Injection)
» Injecting a crafted XML document into the application (XML Injection)
» Injecting server-side include directives into pages the web server processes (SSI Injection)
» Injecting data so that the application executes user-controlled XPath queries (XPath Injection)
» Injecting arbitrary IMAP/SMTP commands into the mail servers (IMAP / SMTP Injection)
» Injecting data that the web server later executes as code (Code Injection)
» Injecting an OS command through an HTTP request (OS Commanding)
» Understanding the different types of buffer overflow vulnerabilities
» HTTP response splitting and HTTP request smuggling
List of scanner tools that can identify vulnerabilities related to data input from external entities:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Buffer Overflow | W3AF, Nessus, Sandcat | IBM AppScan, WebInspect, Acunetix, Sandcat
Format String | W3AF, Nessus | IBM AppScan, WebInspect, Cenzic Hailstorm, Skipfish, Vega
Code Injection | Sandcat, arachni, Uber Web Security Scanner | IBM AppScan, Cenzic Hailstorm, Acunetix, SandcatCS, Skipfish, Netsparker
DOM Based Cross Site Scripting | W3AF, WATOBO, arachni | IBM AppScan, Cenzic Hailstorm, Acunetix, NTO Spider
HTTP Splitting / Smuggling | WebGoat, W3AF, Nessus, SandcatCS, arachni, Wapiti, ZAP, PowerFuzzer, Andiparos, Paros Proxy, WebSecurify, WebScarab | IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, NTOSpider, Sandcat Pro, Jsky, Netsparker, Burp Suite, Vega, Grendel Scan, ParosPro
IMAP/SMTP Injection | W3AF, SandcatCS | IBM AppScan, Acunetix, Sandcat
LDAP Injection | W3AF, SandcatCS, arachni, Wapiti, PowerFuzzer, Uber Web Security Scanner | IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, Sandcat Pro, Jsky, Burp Suite
OS Commanding | W3AF, Nessus, Sandcat, arachni, Wapiti, PowerFuzzer, Oedipus | IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Sandcat, Skipfish, Jsky, Netsparker, Burp Suite, Vega
Reflected Cross Site Scripting | W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, Acunetix WVS, WebScarab, N-Stalker, XSSer, Gamja, Secubat, WSTool, XSSploit, Screaming CSS, XSSS, Crawlfish | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser
SQL Injection | W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, SQLiX, sqlmap, Gamja, Mini Mysqlator, Secubat, WSTool, DSSS, aidSQL, Scrawlr, LoverBoy, SQLID, VulnDetector, openAcunetix, Priamos, XCobra, iScan | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser
SSI Injection | W3AF, Nessus, ZAP, Andiparos, Paros Proxy, Proxy Strike | IBM AppScan, WebInspect, Cenzic Hailstorm, ParosPro
Stored Cross Site Scripting | W3AF, Nessus, Wapiti, PowerFuzzer, XSSploit | IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Skipfish, Netsparker, Burp Suite
XML Injection | Nessus, Uber Web Security Scanner | IBM AppScan, Skipfish, Burp Suite, Vega
XPath Injection | W3AF, SandcatCS, Sandcat, arachni, Wapiti, PowerFuzzer, WebCruiser | IBM AppScan, WebInspect, Acunetix, Skipfish, Sandcat, Jsky, WebCruiser
Cross Site Scripting | W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Vega | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite
Unvalidated Redirects and Forwards | W3AF, IronWASP, ZAP, arachni, Skipfish | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker
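The two items from the list that every tester ends up demonstrating are SQL injection and reflected XSS, and both come down to the same mistake: untrusted input spliced into a string that another interpreter then parses. The block below is an added example, not code from the original post; it builds a throwaway in-memory SQLite table with constructed users and shows the string-built login beside the parameterised one, and raw interpolation beside HTML output encoding.

```python
"""Data-validation checks: SQL injection through a string-built query versus a
parameterised one, and reflected XSS through raw interpolation versus HTML output
encoding. Added example, not code from the original post; the users table is
constructed in memory."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "c0rrect-h0rse", "admin"), ("alice", "hunter2", "user")])
    return db


def login_flawed(db, name: str, password: str):
    """Input is spliced into the SQL text, so quotes and comments change the query."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login(db, name: str, password: str):
    """Bound parameters: input is data to the driver, never part of the statement."""
    row = db.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


def render_flawed(query: str) -> str:
    """Reflects the search term straight into the page."""
    return f"<p>Results for {query}</p>"


def render(query: str) -> str:
    """Encode for the HTML body context; attribute, JavaScript and URL contexts
    each need their own encoder."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


XSS_PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed probe

if __name__ == "__main__":
    db = make_db()
    print(login_flawed(db, "admin' --", "anything"))   # comment removes the password check
    print(login_flawed(db, "x", "' OR '1'='1"))         # tautology matches every row
    print(login(db, "admin' --", "anything"))           # None: the quote is just data
    print(render_flawed(XSS_PAYLOAD))
    print(render(XSS_PAYLOAD))
```

The `' OR '1'='1` case returns the first row in the table, which on most systems is the administrator; that is why a tautology in a login form is more than an information leak.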
Denial of Service Security Testing
One of the most common and simplest forms of attack on a system is the Denial of Service (DoS) attack. This attack does not attempt to intrude into the system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. DoS attacks can target individual machines, the network that connects them, or all the machines simultaneously. They rely on the fact that every device has operational limits: any computer system, web server or network can handle a finite load, and simply overloading it with requests blocks service to legitimate users. This section focuses on attacks against availability that a single malicious user can launch from a single machine (application-level DoS), as opposed to volumetric or distributed attacks.
Denial of Service (DoS) testing usually includes -
» Forcing the underlying database to carry out CPU-intensive queries by using several wildcards
» Locking valid user accounts by repeatedly attempting to log in with a wrong password
» Causing a DoS by overflowing one or more data structures of the target application
» Exhausting server resources by making it allocate a very high number of objects
» Forcing the application to loop through a code segment that needs high computing resources
» Filling the target's disks with log data
» Understanding whether the application properly releases resources (memory or file handles) after use
» Allocating a large amount of data into a user session object
List of scanner tools that can identify vulnerabilities related to DoS attacks:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Regular Expression Denial of Service | W3AF, Nessus, Wapiti, safe3wvs, WebSecurify | WebInspect
Web Service Security Testing
Web services are exposed to the network like any other service, but can be carried over HTTP, FTP, SMTP and message queues (MQ) among other transports. The web services framework uses HTTP in conjunction with XML, SOAP, REST, WSDL and UDDI. The vulnerabilities in web services are similar to other web vulnerabilities, such as SQL injection and information disclosure and leakage, but web services also have unique XML / parser related vulnerabilities (entity expansion, external entities, oversized or deeply nested documents).
Web service security testing usually includes -
» Understanding the web service entry point and the communication schema
» Invoking an operation that is not used in a standard SOAP request
» Sending very large or malformed XML messages
» Attacking the web service by passing malicious content in the HTTP GET query string
» Attaching binary files (executables, malware etc.) to the web service if it accepts attachments
» Conducting a man-in-the-middle attack
List of scanner tools that can identify vulnerabilities related to web services:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
XML Content Level | WebScarab, Metasploit | -
XML Structural | WebScarab | -
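The "undeclared operation" and "very large or malformed XML" items above are the checks that distinguish web-service testing from ordinary web testing, and the defence is to screen a message before the XML parser ever sees it. The block below is an added example, not code from the original post; the SOAP envelopes, the size limit and the set of WSDL-declared operations are constructed, and the entity-expansion sample is a truncated "billion laughs" document that is rejected on sight rather than parsed.

```python
"""Web-service checks: screen a SOAP message for DTD/entity declarations (entity
expansion, XXE) and excessive size before it reaches the parser, then extract the
requested operation from the Body and refuse anything the WSDL does not declare.
Added example, not code from the original post; envelopes and the declared
operation set are constructed."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024
DECLARED_OPS = {"GetBalance", "Transfer"}   # stand-in for operations read from the WSDL
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def classify(raw: bytes):
    """Return ('ok', operation) or ('rejected', reason)."""
    if len(raw) > MAX_BYTES:
        return "rejected", "message too large"
    if DTD_MARKER.search(raw):
        # No legitimate SOAP message needs a DTD; refusing it kills entity
        # expansion and external-entity tricks before the parser runs.
        return "rejected", "DTD or entity declaration present"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return "rejected", f"malformed XML: {exc}"
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        return "rejected", "Body missing or not exactly one operation"
    operation = body[0].tag.rsplit("}", 1)[-1]
    if operation not in DECLARED_OPS:
        return "rejected", f"undeclared operation {operation}"
    return "ok", operation


def envelope(body_xml: str) -> bytes:
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'{body_xml}</soap:Body></soap:Envelope>').encode()


# Constructed messages a tester would send
GOOD = envelope('<GetBalance xmlns="urn:bank"><account>42</account></GetBalance>')
UNDECLARED = envelope('<DebugDump xmlns="urn:bank"/>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
                  + envelope('<GetBalance xmlns="urn:bank"><account>&lol3;</account></GetBalance>'))
OVERSIZED = envelope('<GetBalance xmlns="urn:bank"><account>' + "9" * MAX_BYTES
                     + '</account></GetBalance>')
TRUNCATED = GOOD[:-20]

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("undeclared", UNDECLARED),
                       ("entities", BILLION_LAUGHS), ("oversized", OVERSIZED),
                       ("truncated", TRUNCATED)]:
        print(label, classify(msg))
```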
AJAX Security Testing
AJAX uses the XMLHttpRequest object and JavaScript to make asynchronous requests to the web server, parse the responses and then update the page DOM and CSS. An AJAX application is more complicated because processing is done on both the client side and the server side. Frameworks hide this complexity, but that can leave developers without a clear picture of where their code will execute, which makes it difficult to assess the risk associated with particular applications or features. AJAX applications have the same vulnerabilities, such as SQL injection and data validation flaws, that a traditional web application can have. In addition, the many small state-changing endpoints of an AJAX application are a natural target for Cross Site Request Forgery (XSRF/CSRF). Testing AJAX applications can be challenging because of the different encoding and serialisation schemes developers use when submitting POST data (JSON, XML, custom formats), which makes it hard for testing tools to reliably create automated test requests. A web proxy tool is extremely helpful for analysing the traffic.
List of scanner tools that can identify vulnerabilities related to AJAX:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
AJAX Vulnerabilities | OWASP Sprajax, safe3wvs, Sandcat, W3AF | Acunetix, Hailstorm, WebInspect, Watchfire, N-Stalker, Grabber, IBM AppScan, Jsky, Netsparker, NTOSpider, ParosPro, Sandcat
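The CSRF exposure mentioned above is easiest to demonstrate on a JSON endpoint, because the fix relies on things a cross-site form post cannot do: set a custom header, send an `application/json` content type, or present a token that only same-origin script can read. The block below is an added example, not code from the original post; the session store, the site origin and the two requests are constructed dicts standing in for real HTTP.

```python
"""CSRF check for an AJAX/JSON endpoint: a state-changing handler that trusts any
request carrying the session cookie, beside one that also requires a same-site
Origin, a JSON content type and a per-session token. Added example, not code from
the original post; sessions and requests are constructed."""
import hmac
import secrets

SITE_ORIGIN = "https://app.example"
SESSIONS = {"sid-1": {"user": "alice", "csrf": secrets.token_hex(16)}}


def transfer_flawed(req: dict) -> int:
    """Cookie present => money moves. The browser attaches the cookie to any
    cross-site form post, so an attacker's page can drive this."""
    if req["cookies"].get("sid") not in SESSIONS:
        return 401
    return 200


def transfer(req: dict) -> int:
    """Same cookie check, plus three things a cross-site form cannot supply."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if not sess:
        return 401
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    if req["headers"].get("Content-Type") != "application/json":
        return 415
    token = req["headers"].get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    return 200


def forged_request() -> dict:
    """What the victim's browser sends when an attacker page auto-submits a form:
    the cookie rides along, Origin is the attacker's, no token, form content type."""
    return {"cookies": {"sid": "sid-1"},
            "headers": {"Origin": "https://evil.example",
                        "Content-Type": "text/plain"},
            "body": '{"to": "mallory", "amount": 1000}'}


def legit_request() -> dict:
    """Same-origin XMLHttpRequest carrying the token the page read from its session."""
    return {"cookies": {"sid": "sid-1"},
            "headers": {"Origin": SITE_ORIGIN,
                        "Content-Type": "application/json",
                        "X-CSRF-Token": SESSIONS["sid-1"]["csrf"]},
            "body": '{"to": "bob", "amount": 10}'}


def csrf_vulnerable(handler) -> bool:
    """The endpoint is CSRF-able if the forged request is accepted."""
    return handler(forged_request()) == 200


if __name__ == "__main__":
    print("flawed:", csrf_vulnerable(transfer_flawed))
    print("hardened:", csrf_vulnerable(transfer), transfer(legit_request()))
```

In a real test the forged request is produced by a proxy: replay the captured AJAX call with the Origin/Referer changed and the custom headers stripped, and see whether the server still acts on it.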