Basic Web Application Security Testing in QA
Denis Kolegov, Sr. Security Test Engineer, PhD, F5 Networks, Tomsk State University

QA: Basic Security Testing of Web Applications within QA

Jul 16, 2015


CodeFest
Transcript
Page 1: QA: Basic Security Testing of Web Applications within QA

Basic Web Application Security Testing in QA

Denis Kolegov
Sr. Security Test Engineer, PhD
F5 Networks, Tomsk State University

Page 2

Who Am I?

• Sr. Security Test Engineer at F5 Networks
• PhD, associate professor at TSU's Information Security and Cryptography Department
• Speaker
  – Positive Hack Days, Zero Nights, SibeCrypt
• OWASP SCG, BeEF, Metasploit contributor

Page 3

Introduction

• BSIMM security testing (Gary McGraw)
  – Enhance QA beyond functional perspective
  – Integrate the attacker perspective into test plans
  – Deliver risk-based security testing
• Hack yourself first (Troy Hunt)
  – This approach advocates building up our cyber-offense skills and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them

Page 4

Causes and Consequences

Page 5

Checklist

1. Information disclosure
2. SSL/TLS
3. Slow HTTP DoS attacks
4. HTTP Host header attacks
5. Login page over HTTPS
6. Same site scripting
7. Secure headers
8. Cross domain policy
9. Session management
10. URL validation

Page 6

Information Disclosure

• Scope
  – Web management interfaces
  – Web application reverse proxies
  – Error pages
• Services
  – Google Search Engine
  – Shodan
• Weaknesses
  – Indexing by search engines
  – Hardcoded keywords on error pages
  – Keywords in HTTP response headers

Page 7

Information Disclosure

• Shodan
  – cisco
  – bitrix
  – VMware
• Google
  – intitle:"VMware Horizon View Administrator"
  – inurl:"portal/webclient/views/mainUI.html"
  – intitle:"Welcome to VMware ESX"

Page 8

Information Disclosure

• Test robots.txt
  User-agent: *
  Disallow: /
• Test the meta tag
  <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
• Test that it is possible to delete or change default keywords via the customization tool
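The two robots checks above, written as QA assertions that run against fetched text rather than by eye. This is an added example, not from the deck; the robots.txt and HTML inputs are constructed to match what the slide expects.

```python
from html.parser import HTMLParser

# Constructed inputs: what a management interface that must not be
# indexed should return for robots.txt and in its <head>.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"
HTML_PAGE = '<html><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"></head></html>'

def robots_blocks_all(text):
    """True if the User-agent: * group in robots.txt disallows the whole site."""
    groups, agents, rules = [], [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                              # rules seen: a new group starts here
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        elif field in ("disallow", "allow"):
            rules.append((field, value))
    if agents or rules:
        groups.append((agents, rules))
    for agents, rules in groups:
        if "*" in agents:
            # Disallow: / only counts if no Allow: / in the same group re-opens the site
            return ("disallow", "/") in rules and ("allow", "/") not in rules
    return False

class _MetaRobots(HTMLParser):
    """Collect the directives of every <meta name="robots"> tag in a page."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}       # HTMLParser lowercases names already
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def meta_blocks_indexing(html):
    """True if the page carries both NOINDEX and NOFOLLOW in a robots meta tag."""
    parser = _MetaRobots()
    parser.feed(html)
    return {"noindex", "nofollow"} <= parser.directives
```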

Page 9

SSL/TLS Testing

• Testing with OpenSSL
  – Trustworthy checks
  – Old versions (0.9.8k)
• Qualys SSL Labs
  – SSL Server Test
  – SSL Client Test
  – SSL/TLS Best Practices
  – API
• Tools
  – sslscan
  – sslyze
  – ssllabs-scan

Page 10

Client-Initiated Renegotiation DoS Test

• Testing with OpenSSL (a line containing only R asks s_client to renegotiate; CRLF is an empty line ending the request)
  openssl s_client -connect test.com:443
  GET / HTTP/1.1
  Host: test.com
  R
  R
  CRLF
• Proof of concept with exploit
  thc-ssl-dos --accept test.com 443

Page 11

Slow HTTP DoS Testing

• Attacks
  – Slowloris (slow headers)
  – Slow HTTP POST (slow body)
  – Slow Read
• Apache is generally the most vulnerable server
• Nginx, IIS and lighttpd can also be vulnerable to these attacks
• Tools
  – https://code.google.com/p/slowhttptest/
  – slowloris.pl

Page 12

Slow HTTP DoS Testing

• Slowloris
  slowhttptest -u "https://test.com/" -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow HTTP POST
  slowhttptest -u https://test.com/ -B -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow Read
  slowhttptest -u "https://test.com/js/bigfile" -X -c 5000 -r 4000 -l 400 -k 5 -n 10 -w 10 -y 300 -z 1

Page 13

Same Site Scripting

• DNS misconfiguration
  – xyz.target.com with an A record pointing to 127.0.0.1
  – xyz.target.com with an A record pointing to a private address (RFC 1918)
• On a multi-user system an attacker can run a network service on loopback and then eavesdrop on users' cookies
  1. Run "nc -lv 10024"
  2. Send an email with <img src="http://xyz.target.com:10024">
• An attacker can connect to a public network with the same network address and publish a link to a resource on xyz.target.com. All users on the same public network who access this resource send their cookies to the attacker

Page 14

Same Site Scripting

• Testing
  – nslookup localhost.target.com
  – DNS enumeration
• Examples
  – https://hackerone.com/reports/1509
  – https://hackerone.com/reports/7949
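The check behind the two slides above, as an added example that is not part of the deck: classify each DNS answer for a zone as loopback, RFC 1918 or public, which is what the nslookup step is looking for. The record table is constructed and the hostnames are assumed; the last function shows the same classification against the live system resolver.

```python
import ipaddress
import socket

# Constructed DNS answers (hostname -> A/AAAA record) standing in for the
# output of nslookup or DNS enumeration; the hostnames are assumed, not real.
SAMPLE_RECORDS = {
    "www.target.com": "93.184.216.34",
    "localhost.target.com": "127.0.0.1",
    "xyz.target.com": "10.1.2.3",
    "dev.target.com": "192.168.0.5",
    "ipv6.target.com": "::1",
}

def classify_record(address):
    """Same-site-scripting risk class of one resolved address."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"    # any local process can bind the port and receive the cookies
    if ip.is_link_local or ip.is_unspecified:
        return "local"
    if ip.is_private:
        return "rfc1918"     # any host on the same private network can do the same
    return "ok"

def find_same_site_scripting(records):
    """Return {hostname: risk} for every record that does not point at a public address."""
    findings = {}
    for name, address in records.items():
        risk = classify_record(address)
        if risk != "ok":
            findings[name] = risk
    return findings

def resolve_and_classify(hostname):
    """Live variant: resolve with the system resolver and classify every answer."""
    addresses = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    return {addr: classify_record(addr) for addr in addresses}
```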

Page 15

Login Page over HTTPS

• The initial login page must be served over TLS
• The login page and all subsequent authenticated pages must be exclusively accessed over TLS

Source: Troy Hunt, OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

Page 16

HTTP Secure Headers

• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Strict-Transport-Security
• Access-Control-Allow-Origin
• Content-Security-Policy

Page 17

X-Frame-Options

• All about Clickjacking?
• What an attacker can do
  – Bypass some XSS filters
  – Bypass XSS length restrictions
  – Bypass CSP via browser vulnerabilities
• X-Frame-Options is an additional layer of defense

Page 18

Access-Control-Allow-Origin

• Access-Control-Allow-Origin is part of the CORS specification
• Access-Control-Allow-Origin: * means that the resource can be accessed by any domain in a cross-site manner
• Examples
  – https://hackerone.com/reports/13551
  – https://hackerone.com/reports/6268

Page 19

Secure Headers Testing

• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY | SAMEORIGIN
• Strict-Transport-Security: max-age=31536000; includeSubDomains
• X-XSS-Protection: 1; mode=block
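The header checklist on this slide and the wildcard CORS point from the previous one, turned into one audit function. This is an added example, not code from the deck; the two response header sets are constructed (a bare server beside one configured as the checklist asks), and the one-year HSTS minimum is taken from the slide.

```python
HSTS_MIN_AGE = 31536000   # one year, the max-age value the checklist asks for

# Constructed responses: an unconfigured server beside the checklist's target.
WEAK_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}
HARDENED_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
}

def hsts_params(value):
    """Parse an HSTS header value into (max_age, include_subdomains)."""
    parts = [p.strip().lower() for p in value.split(";")]
    age = 0
    for p in parts:
        if p.startswith("max-age=") and p[8:].isdigit():
            age = int(p[8:])
    return age, "includesubdomains" in parts

def audit_headers(headers):
    """Return the checklist items one response fails; [] means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing")
    else:
        age, subdomains = hsts_params(h["strict-transport-security"])
        if age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {age} is below {HSTS_MIN_AGE}")
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read the response")
    return findings
```

A wildcard Access-Control-Allow-Origin is only a finding when the resource carries user-specific data; the audit flags it so a tester decides, it does not fail the build on its own.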

Page 20

Host Header Attacks

• Weakness: a web server handles HTTP requests with an arbitrary or invalid Host header
• Attacks
  – DNS rebinding
  – Stored XSS
  – Password reset poisoning
  – Web-cache poisoning
• Examples
  – https://hackerone.com/reports/13286
  – https://hackerone.com/reports/487
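The server-side control that closes the weakness on this slide is a strict Host allowlist, so a QA suite can assert that unexpected values are rejected rather than reflected. This is an added example, not code from the deck or any project it cites; the allowed hostnames and ports are assumed for the illustration.

```python
import ipaddress

# Assumed allowlist for this deployment (constructed for the example).
ALLOWED_HOSTS = {"test.com", "www.test.com"}
ALLOWED_PORTS = {None, 80, 443}
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")

def parse_host(raw):
    """Split a Host header into (host, port); None if it is not well-formed."""
    raw = raw.strip().lower()
    if raw.startswith("["):                      # IPv6 literal such as [::1]:8080
        end = raw.find("]")
        if end < 0:
            return None
        host, rest = raw[1:end], raw[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, rest = raw.partition(":")
        rest = sep + rest
        if not host or not set(host) <= HOST_CHARS:   # rejects CR/LF, '@', '<', spaces ...
            return None
    if not rest:
        return host.rstrip("."), None             # a trailing dot names the same host
    if not rest.startswith(":") or not rest[1:].isdigit() or int(rest[1:]) > 65535:
        return None
    return host.rstrip("."), int(rest[1:])

def host_header_is_valid(raw, allowed=ALLOWED_HOSTS):
    """True only for a well-formed Host that names this site on an expected port."""
    parsed = parse_host(raw)
    if parsed is None:
        return False
    host, port = parsed
    return host in allowed and port in ALLOWED_PORTS
```

Anything that fails this check should be answered with a fixed error page and never used to build absolute URLs, password reset links or cache keys.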

Page 21

Cross Domain Policy

• A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, etc. uses to access data across different domains
• Files
  – crossdomain.xml
  – clientaccesspolicy.xml
• Example of a configuration weakness
  <cross-domain-policy>
    <allow-access-from domain="*" />
  </cross-domain-policy>
• Example
  – https://hackerone.com/reports/43070

Page 22

Session Management

• Test that the session is invalidated when the user logs out
• The session ID is sent in an HTTP cookie or header and never disclosed in URLs
• Test that the session ID is changed when the user performs a critical action
  – Login, logout
  – Password change
  – Session expiration, reauthentication

Source: OWASP ASVS project

Page 23

URL Validation

• Weakness: insufficient input validation for URL data
• Test vectors (for http://test.com/foo/bar?param=value)
  – GET /3fb5e7a4f814d790'"<>/%2e%2e/foo/bar?param=value HTTP/1.1
  – GET /foo/3fb5e7a4f814d790'"<>/%2e%2e/bar?param=value HTTP/1.1
  – GET /foo/bar/3fb5e7a4f814d790'"<>/%2e%2e/?param=value HTTP/1.1
  – GET /foo/bar.baz/3fb5e7a4f814d790'"<>?param=value HTTP/1.1
• Attacks
  – XSS
  – CRLF injection (HTTP Response Splitting)
  – Open Redirect
  – Secret token leakage

Source: Sergey Bobrov, http://habrahabr.ru/company/pt/blog/247709
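The slide's four vectors follow one pattern: the marker plus /%2e%2e/ at every path position, and the marker alone after a file-like last segment. This added example (not from the deck or the cited post) generates them for any URL and checks a response for the four outcomes listed under Attacks; the sample response headers and body are constructed.

```python
from urllib.parse import urlsplit

MARKER_ID = "3fb5e7a4f814d790"        # the deck's unique token
MARKER = MARKER_ID + "'\"<>"          # plus the characters a safe encoder must escape

def url_test_vectors(url):
    """Build the slide's request lines for one URL."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    query = "?" + parts.query if parts.query else ""
    vectors = []
    for i in range(len(segments) + 1):
        path = "/" + "/".join(segments[:i] + [MARKER, "%2e%2e"] + segments[i:])
        if i == len(segments):        # marker after the last segment keeps the trailing slash
            path += "/"
        vectors.append(f"GET {path}{query} HTTP/1.1")
    if segments and "." in segments[-1]:
        # file-like last segment: the marker is appended as a sub-path, no dot-dot
        vectors.append(f"GET /{'/'.join(segments)}/{MARKER}{query} HTTP/1.1")
    return vectors

def check_response(headers, body, target_host):
    """Flag unsafe handling of the marker in the response to one vector."""
    findings = []
    if MARKER in body:                # quotes and angle brackets came back unencoded
        findings.append("marker reflected unencoded in body: XSS")
    for name, value in headers.items():
        if MARKER_ID in value:        # path data copied into a header
            findings.append(f"marker reflected in {name} header: CRLF injection / token leakage surface")
    location_host = urlsplit(headers.get("Location", "")).hostname
    if location_host and location_host != target_host:
        findings.append(f"redirect to foreign host {location_host}: open redirect")
    return findings
```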

Page 24

URI Validation

Source: Sergey Bobrov, http://habrahabr.ru/company/pt/blog/247709

Page 25

Bibliography

1. Vladimir Kochetkov. How to Develop a Secure Web Application and Stay in Mind?
2. OWASP Testing Guide v4
3. The Building Security In Maturity Model
4. Qualys SSL Labs
5. SSL/TLS Checklist for Pentesters
6. Sergey Shekyan. Testing Web Servers for Slow HTTP Attacks
7. Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
8. Sergey Belov. Show Me Impact
9. Frederik Braun and Mario Heiderich. X-Frame-Options: All about Clickjacking?
10. Guidelines for Setting Security Headers
11. Sergey Bobrov. Yet Another Vulnerability in Facebook

Page 26

@dnkolegov

Denis Kolegov
Sr. Security Test Engineer, PhD
F5 Networks, Tomsk State University

Questions?

[email protected]