BIO PRESENTATION
International Conference On Software Testing Analysis and Review May 15-19, 2006 Orlando, Florida USA
T14
Thursday, May 18, 2006 1:30PM
SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS?
Ryan English SPI Dynamics Inc
Ryan English
Ryan English is the group product manager for SPI Dynamics' QAInspect(tm) Quality Assurance Security testing product line, overseeing product strategy and direction for the company's five Quality Assurance products. Prior to joining SPI Dynamics, Ryan was responsible for product management at Live Oak Technologies, a quality assurance software company. In addition, Ryan was a project manager for the supply chain software company, VerticalNet, where he assisted in the strategic growth and development of their consulting division. Ryan has also led project management teams with MCI Worldcom and DayNine. Ryan is a seasoned speaker on the topic of security testing Web applications in QA and has spoken at several Quality Assurance industry events including Mercury World 2005.
Web application stack
– Web servers: IIS, SunOne, Apache
– Application platforms: ASP, .NET, J2EE
– Databases: MS-SQL, Oracle, DB2
– Protocol between client and server: HTTP/HTTPS
– Network zones: Internet, DMZ, Trusted Inside, Corporate Inside

Three classes of web application vulnerabilities

Platform
– Known vulnerabilities in the server software itself: BEA WebLogic, IBM WebSphere, Microsoft IIS

Administration
– Backup Checking
– Common File Checks
– Data Extension Checking
– Directory Enumeration
– Extension Checking
– Forceful Browsing
– Hidden Web Paths
– Path Truncation

Application
– Application Mapping
– Buffer Overflow
– Brute Force
– Cookie Manipulation
– Cookie Poisoning/Theft
– Cross-site Scripting
– Custom Application Scripting
– Parameter Manipulation
– Reverse Directory Traversal
– SQL Injection
Relative cost of fixing a defect by phase
– Design: 1X
– Development (Unit Test): 6.5X
– Testing (Integration Testing, System/Acceptance Testing): 15X
– Deployment (Customers in the Field): 100X
HTTP
– HTTP is stateless
Request/Response: Client PC (10.1.0.123) to Server www.mybank.com (64.58.76.230), Port 80

SSL
– Provides encryption of data between a client and server
– Typically guarantees to the client that the server is who it asserts itself to be
SSL tunnel: Client PC (10.1.0.123) to Server www.mybank.com (64.58.76.230), Port 443

Firewall
– Allows or disallows traffic to pass from the external network to the internal network
– Acts as a "traffic cop"
– Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall

IDS
– Monitors the network for malicious activities
– Typically signature-based detection (similar to virus protection)
– Blind to encrypted (SSL) traffic
<a href=http://www.test.me>Click Here</a>

Request:
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.spidynamics.com
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 07 Apr 2003 12:52:26 GMT
Content-Length: 10225
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK; path=/;

<html>
<body>
<a href=http://www.test.me/banklogin.asp?serviceName=FreebankCaastAccess&ID=5 >Click Here</a>

Request:
GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN

Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:17:50 GMT
Content-Length: 4183
Content-Type: text/html
Cache-control: private
Set-Cookie: sessionid=25; path=/;
Set-Cookie: state=GA; path=/;
Set-Cookie: username=MrUser; path=/;
Set-Cookie: userid=1538; path=/;

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<FORM ACTION="login1.asp" METHOD="POST"><br>
Username:<INPUT TYPE="text" NAME="login"><BR>
Password:<INPUT TYPE="password" NAME="password"><BR>
<INPUT TYPE="submit"><BR>
</FORM>

Request:
POST /login1.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, */*
Referer: http://www.company.com/banklogin.asp?serviceName=FreebankCaastAccess
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Content-Length: 23
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25; state=GA;……

login=John&password=Doe

Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:35:00 GMT
Content-Length: 80
Content-Type: text/html
Cache-control: private

<html>
<body>
Welcome John. …………..
</body>
</html>
permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all
that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release.
'
' Login SQL Statement
'
SQLtemp = "SELECT * FROM Users " & _
          "WHERE userID = '" & Request.Form("username") & "' " & _
          "and pass = '" & Request.Form("password") & "'"
Set rs = Apples.Execute(SQLtemp)
If not rs.eof then
    ' Successful login!!
    .....
– The Web page is creating a SQL statement that takes two parameters.
– The parameters are both strings.
– The parameters are, most likely, being passed to the database unfiltered.
something like this:

Select <something> from <sometable>
where <fieldone> = '<user input one>'
and <fieldtwo> = '<user input two>'

With ' or 1=1 or 'a'=' supplied as both inputs, the statement the database receives becomes:

Select <something> from <sometable>
where <fieldone> = '' or 1=1 or 'a'=''
and <fieldtwo> = '' or 1=1 or 'a'=''
using System.Data;
using System.Data.SqlClient;

cnn = new SqlConnection(... database connection information here ...);
cmd = new SqlCommand("SELECT FirstName, LastName from Users " +
                     "WHERE UserName = @uid AND password = @passwd", cnn);
cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
cnn.Open();
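The following is an added example and not code from the presentation. It puts the two login routines from the slides side by side: the ASP version that concatenates the form fields into the SQL text, and the parameterized version from the C# fix. sqlite3 stands in for the MS-SQL/ASP stack, the Users table and its rows are constructed, and the function names are assumptions; the payload is the slide's own ' or 1=1 or 'a'='. The apostrophe case is an addition that shows a second cost of concatenation the slides do not mention: a legitimate quote in a user name breaks the query outright.

```python
import sqlite3

# Added example, not code from the presentation. sqlite3 stands in for the
# MS-SQL/ASP stack on the slides; the Users table and rows below are constructed.
def make_db():
    cnn = sqlite3.connect(":memory:")
    cnn.execute("CREATE TABLE Users (userID TEXT, pass TEXT, FirstName TEXT, LastName TEXT)")
    cnn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        ("John", "Doe", "John", "Doe"),
        ("MrUser", "s3cret", "Mister", "User"),
        ("O'Brien", "pw", "Pat", "O'Brien"),   # a legitimate apostrophe in a user name
    ])
    return cnn


def vulnerable_login(cnn, username, password):
    """The ASP slide: both form fields are spliced into the SQL text unfiltered."""
    sqltemp = ("SELECT * FROM Users WHERE userID = '" + username + "' "
               "and pass = '" + password + "'")
    rs = cnn.execute(sqltemp).fetchall()
    return len(rs) > 0          # "If not rs.eof then ... Successful login!!"


def safe_login(cnn, username, password):
    """The C# fix: placeholders in the text, values bound by the driver, never parsed as SQL."""
    rs = cnn.execute(
        "SELECT FirstName, LastName FROM Users WHERE userID = ? AND pass = ?",
        (username, password),
    ).fetchall()
    return len(rs) > 0


def login_outcome(login_fn, cnn, username, password):
    """Wraps one login attempt so a query that breaks the SQL grammar is reported, not raised."""
    try:
        return "granted" if login_fn(cnn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"          # unbalanced quote: the real server would answer with a 500


INJECTION = "' or 1=1 or 'a'='"   # the payload from the slide, placed in both fields


if __name__ == "__main__":
    cnn = make_db()
    for fn in (vulnerable_login, safe_login):
        print(fn.__name__)
        print("  valid credentials ->", login_outcome(fn, cnn, "John", "Doe"))
        print("  injection         ->", login_outcome(fn, cnn, INJECTION, INJECTION))
        print("  apostrophe        ->", login_outcome(fn, cnn, "O'Brien", "pw"))
```

With the injected value in both fields the concatenated WHERE clause contains `or 1=1`, every row matches and the vulnerable routine reports a successful login; the parameterized routine compares the literal string against userID, finds nothing and denies. The same binding also lets O'Brien log in, where the concatenated query fails to parse.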
Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated. Example: Hotmail, 2001
session cookies
server
user without proper encoding.
http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20<script>alert(document.cookie)</script>
HTML
<input type=text name=txtUserID ....
<input type=text name=txtPassword...

XSS JavaScript
var oImg = new Image;
.... + document.frmTest.txtUserID.value + "." + document.frmTest.txtPassword.value;

Web Log
.... 127.0.0.1 GET /test/xss.asp 200
.... 127.0.0.1 GET /MyUserID.MyPassword 404
.... 127.0.0.1 GET /test/xss.asp 200
browser.
– Data that comes from a user
– Data that comes from a database
– Data that comes from any dynamic source
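The following is an added example, not code from the presentation, showing the point of the previous slides in running form: the err parameter of the slide's URL decoded the way the server sees it, reflected raw versus HTML-encoded, plus a second, constructed payload that injects into an attribute rather than a tag. The page bodies, function names and the attribute payload are assumptions; only the URL comes from the slide.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The attack URL shown on the slide. %20 decodes to spaces; the <script> tag
# travels as an ordinary query-string value.
ATTACK_URL = ("http://www.freebank.com/banklogin.asp?err="
              "Invalid%20Login:%20<script>alert(document.cookie)</script>")

# Constructed second payload (not on the slide): it closes the value="..."
# attribute instead of adding a tag, so a fix that only strips "<script>" misses it.
ATTRIBUTE_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def err_param(url):
    """Return the err parameter after URL decoding, i.e. what the ASP page reads."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("err", [""])[0]


def render_error_vulnerable(err):
    """Assumed stand-in for banklogin.asp: the parameter is written into the page as-is."""
    return "<html><body><p>" + err + "</p></body></html>"


def render_error_fixed(err):
    """Same page, but the untrusted value is HTML-encoded before it reaches the browser."""
    return "<html><body><p>" + html.escape(err, quote=True) + "</p></body></html>"


def render_input_vulnerable(err):
    """Assumed variant that echoes the value inside a quoted attribute, unencoded."""
    return '<input type=text name=err value="' + err + '">'


def render_input_fixed(err):
    """Attribute context with encoding; quote=True turns the double quote into &quot;."""
    return '<input type=text name=err value="' + html.escape(err, quote=True) + '">'


def contains_live_script(markup):
    """Does a <script start tag survive in the markup the browser will parse?"""
    return "<script" in markup.lower()


def breaks_attribute(markup):
    """More than the two quotes of value="..." means the attacker closed the attribute early."""
    return markup.count('"') > 2


if __name__ == "__main__":
    err = err_param(ATTACK_URL)
    print("decoded err :", err)
    print("raw page    :", render_error_vulnerable(err))
    print("encoded page:", render_error_fixed(err))
    print("raw input   :", render_input_vulnerable(ATTRIBUTE_PAYLOAD))
    print("encoded in. :", render_input_fixed(ATTRIBUTE_PAYLOAD))
```

Encoding on output is what neutralizes the payload: the fixed page still shows the attacker's text to the user, but as `&lt;script&gt;` rather than a tag the browser will execute. The attribute case is why the check has to be encoding rather than a search for `<script>`: that payload contains no tag at all, yet in the unencoded input it becomes an event handler that fires as soon as the field receives focus.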