Web Admin Blog Real Web Admins. Real World Experience.

23 Mar 2009

Assessing Your Web App Manually Without Hacking It

After giving my presentation on "Using Proxies to Secure Applications and More" at the TRISC 2009 conference, I decided to attend the presentation by Robert "RSnake" Hansen and Rob MacDougal entitled "Assessing Your Web App Manually Without Hacking It". The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript, your web browser) you can spend about an hour looking at the characteristics of a web application in order to estimate what types of vulnerabilities it may have and how many. My notes on the presentation are below:


Step 1: Exploit Overachievers

  • Maximize value by using free tools
  • OWASP (Open Web Application Security Project)
  • WASC (Web Application Security Consortium)

Step 2: Learn

  • Security is not an arcane art reserved for people with a special gift. It’s campfire knowledge.
    • Assess your security posture regularly
    • Do not neglect any aspect of your security; bad guys don’t (Social Engineering, Internal Network, Firewall, Web Apps, etc)

Step 3: Chase Your Tail

  • Remember where you started
    • Free tools can provide extreme amounts of value
      • OWASP (Eg: OWASP Testing Guide)
      • WASC
    • There is no magic to security

Tools Needed

  • Web Developer Toolbar
    • POST to GET
    • Response headers
  • NoScript or QuickJava

Estimating Vulnerabilities

  • Site Age – Care & Feeding
    • “Copyright 2003”
    • Alexa
    • Archive.org
    • Whois
    • Last modified date
    • Old server + modules version #’s
    • 2-3 years (2), 3-5 years (3), 5-10 years (4), 10+ years (5)
  • Programming Language
    • .cfm (1)
    • AJAX (1)
    • .do/.jsp (1)
    • .cgi/.pl/.shtml (2)
    • .asp (2)
    • .php (2)
    • .aspx/.jspx/.html (0)
    • Languages + Demographics theory
  • Size of the Site / Logic Complexity
    • Surf around manually
      • Sitemap
    • Google inurl: search
    • Spider (added download + added time)
    • Small (0), Medium – typical retailer (1), Large – Yahoo (3)
  • Search
    • XSS tests (1)
      • “Company”
      • I <3 U
    • SQL injection (1)
      • O’Malley
    • DoS (.5)
      • a AND b AND c …
  • Registration
    • Does it exist? Yes (1)
    • Email validation and/or CAPTCHA (1-2)
    • Password complexity? (1)
    • Can you choose “admin” as a username? (1)
  • Security Functions
    • Does change password enforce password complexity rules
    • Does change password require the existing password
    • Can you change email address without a password
    • Can emails be changed without validating them
    • Are secret questions “strong”
  • Contact forms
    • Do they have an email address in a hidden field (1)
    • Submit a blank contact
      • Does it work without an error (1)
    • With and without JavaScript
      • Does it say “Thanks” without JS but errors when JS is turned on (1)
    • Can users contact other users on the site (Eg: Private message) (2)
  • Login
    • Does it use SSL (1)
    • Does it allow auto complete (1)
    • Does it stop me from being able to type failed logins (3)
      • Horizontal, Vertical, & Diagonal Brute Force attacks
    • Can you switch POST to GET (1)
      • Session fixation
      • CSRF (1 per major site function, EG: change password, change secret question, change email address, etc)
    • Does it auto-logout (1)
    • javascript:alert(document.cookie) (1)
  • Forgot password flow
    • Does it send the plaintext password (1)
    • Does it send a “small” key (1) – 20 bits or less
    • Does it tell you if your username is valid or not (.5)
  • File Upload
    • Does it check file extensions (.5)
    • Does it check file types (.5)
    • Does it allow re-displaying of the file (1)
  • HTML/JS/CSS Comments
    • Intranet IPs/addresses (.5)
    • Passwords (1)
    • Functionality comments (.5)
  • URL Structure
    • function?path=/files/file.asp (1)
    • something?id=104 (1)
    • search?q=bob&charset=UTF-8 (1)
      • alternate charset
      • header injection
    • redir?url=http://www.cnn.com/ (.5)
    • chngpasswd?usr=bob&pass=1234 (2)
    • /images/ If it shows a directory (1)
  • Obvious admin interfaces (2)
    • /admin/
    • /blog/wp-admin/
    • /administrator/
    • /adm/
    • admin.url.com
  • Outdated Open Source or Commercial Programs
    • PHP nuke
    • Wordpress
    • Drupal
    • 3 per instance
    • +1 for every major revision out of date
  • Other questions
    • Does it allow rich HTML user comments (1)
    • Does it have a send-to-friend function (1)
    • Virtual host? (MSN IP search) (1)
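To make the rubric above concrete, here is an added example (my own code, not from the talk or this blog) that scores a site passively from material you already have after surfing your own application: page HTML, the URLs you saw, the login page, and one password-reset token issued to your own account. It sums the "(n)" weights from the notes. The sample inputs are constructed; the copyright-year regex, the extension-to-language mapping, the age tier boundaries and the token-entropy estimate (alphabet size inferred from the token's characters) are my assumptions, not part of the talk.

```python
"""Passive scorer for the vulnerability-estimation rubric in the talk notes.

Scores are the "(n)" weights from the notes; the detection heuristics and
tier edges are assumptions made for this example.
"""
import math
import re
from urllib.parse import urlparse

# Programming-language scores from the talk, keyed by URL extension.
LANGUAGE_SCORES = {".cfm": 1, ".do": 1, ".jsp": 1,
                   ".cgi": 2, ".pl": 2, ".shtml": 2, ".asp": 2, ".php": 2,
                   ".aspx": 0, ".jspx": 0, ".html": 0}
ADMIN_PATHS = ("/admin/", "/blog/wp-admin/", "/administrator/", "/adm/")


def site_age_score(html, assessment_year):
    """Site age from the oldest copyright year on the page (talk's tiers)."""
    years = re.findall(r"(?:copyright|&copy;|©)\D{0,20}((?:19|20)\d\d)", html, re.I)
    if not years:
        return 0
    age = assessment_year - min(int(y) for y in years)
    # Tier edges are an assumption; the notes only give the ranges.
    if age >= 10:
        return 5
    if age >= 5:
        return 4
    if age >= 3:
        return 3
    return 2 if age >= 2 else 0


def language_score(urls):
    """Score each distinct scripting extension seen in the URL set once."""
    seen = set()
    for url in urls:
        match = re.search(r"(\.[a-z]+)$", urlparse(url).path.lower())
        if match:
            seen.add(match.group(1))
    return sum(LANGUAGE_SCORES.get(ext, 0) for ext in seen)


def login_score(login_url, login_html):
    """'Does it use SSL (1)' and 'Does it allow auto complete (1)'."""
    score = 0
    if urlparse(login_url).scheme != "https":
        score += 1
    pw = re.search(r"<input[^>]*type=[\"']?password[\"']?[^>]*>", login_html, re.I)
    if pw and not re.search(r"autocomplete=[\"']?off", pw.group(0), re.I):
        score += 1
    return score


def contact_form_score(html):
    """'Do they have an email address in a hidden field (1)'."""
    for tag in re.findall(r"<input[^>]*type=[\"']?hidden[\"']?[^>]*>", html, re.I):
        if re.search(r"value=[\"'][^\"']*@[^\"']*[\"']", tag):
            return 1
    return 0


def directory_listing_score(html):
    """'/images/ If it shows a directory (1)' (auto-index title heuristic)."""
    return 1 if re.search(r"<title>\s*Index of /", html, re.I) else 0


def admin_interface_score(urls):
    """'Obvious admin interfaces (2)': known paths or an admin. host name."""
    for url in urls:
        parts = urlparse(url)
        if parts.path.lower().startswith(ADMIN_PATHS) or (parts.hostname or "").startswith("admin."):
            return 2
    return 0


def token_bits(token):
    """Estimate reset-token entropy: length * log2(inferred alphabet size)."""
    if re.fullmatch(r"[0-9]+", token):
        size = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", token):
        size = 16
    elif re.fullmatch(r"[0-9A-Za-z]+", token):
        size = 62
    else:
        size = 94  # printable ASCII
    return len(token) * math.log2(size)


def reset_token_score(token):
    """'Does it send a small key (1) - 20 bits or less'."""
    return 1 if token_bits(token) <= 20 else 0


# Constructed sample observations for a fictional site (not a real target).
SAMPLE = {
    "home_html": '<html><head><title>Acme Widgets</title></head><body>'
                 '&copy; Copyright 2003 Acme Widgets</body></html>',
    "urls": ["https://www.example.test/index.php",
             "https://www.example.test/search.php?q=bob",
             "https://www.example.test/old/catalog.pl",
             "https://www.example.test/admin/"],
    "login_url": "http://www.example.test/login.php",
    "login_html": '<form method="post" action="/login.php"><input type="text" name="user">'
                  '<input type="password" name="pass"><input type="submit"></form>',
    "contact_html": '<form method="post" action="/contact.php">'
                    '<input type="hidden" name="recipient" value="sales@example.test">'
                    '<textarea name="msg"></textarea></form>',
    "listing_html": '<html><head><title>Index of /images</title></head></html>',
    "reset_token": "48a1f",  # 5 hex chars -> 20 bits
    "assessment_year": 2009,
}


def score_site(obs):
    """Return each rubric contribution plus the total."""
    parts = {
        "site_age": site_age_score(obs["home_html"], obs["assessment_year"]),
        "language": language_score(obs["urls"]),
        "login": login_score(obs["login_url"], obs["login_html"]),
        "contact_form": contact_form_score(obs["contact_html"]),
        "directory_listing": directory_listing_score(obs["listing_html"]),
        "admin_interface": admin_interface_score(obs["urls"]),
        "reset_token": reset_token_score(obs["reset_token"]),
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    for name, value in score_site(SAMPLE).items():
        print(f"{name:18} {value}")
```

The autocomplete check reflects the 2009 rubric; current browsers ignore `autocomplete="off"` on password fields, so that item now measures the developer's intent rather than the browser's behaviour. Everything else is read from responses you already received, which keeps the exercise in the "without hacking it" spirit of the talk.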

Things this doesn’t cover

  • Timing attacks, buffer overflows, etc
  • Network infrastructure flaws (including DNS)
  • Predictable file locations (VCS trees, etc)
  • Logic flaws
  • Backup files/folders/CVS trees, etc
  • Alternate paths of exploitation (email, FTP, APIs, etc)

About Josh

Josh graduated in 2002 from the University of Texas at Austin with a BS in Computer Science. He was formerly a member of the Internet Systems team at AMD, a Systems Administrator with BearingPoint, and worked on a contract for the US Army before becoming a member of the Web Systems team at National Instruments in January of 2007. He recently attained his CISSP certification and specializes in the area of web application security.