More Related Content Similar to Amish Umesh - Future Of Web App Testing - ClubHack2007 (20) Amish Umesh - Future Of Web App Testing - ClubHack20072. Preview
• Web 1 0
1.0
• Application architecture and it’s traditional
analysis methodology
• Automated web application testing and it's
limitation
• Web 2.0
• H
How it works
k
• Challenges and limitation of web 2.0 application
testing
• Next generation auditing tool
© net-square
3. Web 1.0
Application behavior and it’s
it s
traditional analysis methodology
4. Web 1.0 Application Architecture
HTTP Firewall SQL
request Database
(cleartext
or SSL) Web app
DB
Web app
Web Web
Client Server Web app
DB
Web app
HTTP reply
(HTML,
Javascript, •Apache Written in: Database
VBscript, •IIS •ASP connection:
etc) •Netscape •JSP •ADO,
etc… •Perl, etc •ODBC, etc.
© net-square
5. Web 1.0 Application Architecture
• Works with page refresh
• Form submitting model
• Inputs submitted via query string or form
parameters
• Browser generates http requests for images,
js, etc. while rendering html response
through DOM
• Request also can be sent by javascript,
ActiveX, Applets, Flash, etc. directly
© net-square
6. Web 1.0 Application Architecture
• Server & Web Application
• Parses http request and map URL with web
application physical resource
• Generates HTML Response based on the
supplied resource query and input parameters
© net-square
8. Traditional Analysis methodology
• Information gathering
• Http Response Code – 2xx, 4xx, 5xx
• Htt contents
Http t t
• Extract forms and query string parameters.
• Hidden fields comments mail ids
fields, comments, ids,
• Cookie name / value
• Java scripts,
• ActiveX and Applets
• Find injection point suspicious field or query
point,
string parameters
© net-square
9. Traditional Analysis methodology
• Manipulate field with malicious characters
and send request
• L k at the ht l response, get some clue,
Look t th html t l
modify parameters and send request.
• Do same again and again until…. Bingo !!
• Resources used, ,
• Browser
• Plug-ins (livehttp header or web browser
Plug ins
toolbar)
• Sniffer
© net-square
11. Automated web application testing
• Input – index page or list of stored URLS
• Configurations – depth, within domain, max
links, include
li k i l d / exclude, user-agent, etc.
l d t t
• Testing methodology
• Crawls web application recursively and collects
URLS
• Find injection point or attack vector for URL
• Query String parameters
• It’s Html response form fields
• Cookie
© net-square
12. Automated web application testing
• Popular Web Application Scanners
• NTObjective’s NTOSpider
• IBM/W t hfi ’ A S
IBM/Watchfire’s AppScan
• HP/SPI Dynamics’ WebInspect
• Demo
• NTOInsight
© net-square
13. It's Challenges & Limitations
• Building correct attack request
• Forms submission by “onclick” event
• Wrong action or target picked up by automated tool
• Manage context through out the session
• Logout innocently
• C
Crawl a site in certain order – logical action
• Infinite crawl – Dynamic URL creation
© net-square
14. It's Challenges & Limitations
• Executing java script like a Browser
• Dynamic menus and css
• URL d
decryption on th fl b j
ti the fly by java scripts
i t
• Identify correct attack vector in URL
• No question mark in a URL
• Strange extension
• Custom techniques to supply inputs.
© net-square
15. It's Challenges & Limitations
• False positive/negative and duplication
• Detects vulnerability through http response code
• O regex pattern search in html response
Or tt h i ht l
• How to detect persistent XSS??
• Custom response code (obfuscated 200)
• Random 404 pages
© net-square
16. It's Challenges & Limitations
• Authenticated scanning
• Login automatically on authenticated URL,
• Where to go after authentication ?
• Form based authentication
• Success or fail how to decide ?
fail,
• Captcha, how to handle ?
• Broken access controls
• Information leakage
• Design issues
© net-square
17. Scanners are also getting smarter
• Page Signature technology being used to
identify obfuscated 200, random 404 pages
and Form based authentication
• Java scripts based URLs can be fetched by
regex bbased search
d h
• Most of the scanners identify technical
vulnerabilities like SQL Injection, XSS, etc.
j , ,
© net-square
19. Web 2.0 Technology
• Web 2 0 Applications are on the rise
2.0
• Rich Internet Applications (RIA) – reshaping
application front
• Web Services on the rise – forming backend of
applications
• Gartner is advising companies to take up Web
services now, or risk losing out to competitors
, g p
embracing the technology.
© net-square
20. Web 2.0 Technology
• Web Services is forming back end and accessible
on SOAP
• AJAX – empowering browsers
• XML based services
• Rich Internet Applications are consuming back end
web services
• Search engines and mechanisms for web services
publishing and accessing
• Security evolving around web services
© net-square
21. Ajax model
Classic web application model Ajax-enabled web application model
Browser
user interface
JavaScript call
HTML + CSS data
Browser
user interface Ajax engine
HTTP request HTTP request
Transport layer
HTML + CSS data XML Data
web server web and/or XMLserver
Data stores, Data stores,
backend processing, backend processing,
legacy systems legacy systems
server-side systems server-side systems
© net-square
Source : http://www.adaptivepath.com/publications/essays/archives/000385.php
22. AJAX introduction
x
Source : http://www.adaptivepath.com/publications/essays/archives/000385.php
© net-square
23. Win32 APP vs Web 2.0
Win32 GUI application model Ajax-enabled web application model
Desktop Browser
Win32 GUI user interface
Win32 Msg JavaScript call
User Data HTML + CSS data
Win32
WndProc Msg handler
AJAX (JS) Library
RPC Request XHR call
RPC Response XML Data
RPC Services Web Services
Data t
D t stores, Data t
D t stores,
backend processing, backend processing,
legacy systems legacy systems
© n e t - s q u a r eserver-side systems server-side systems
25. Impact of Web 2.0
• Application Infrastructure
Changing dimension Web 1.0
10 Web 2.0
20
(AI1) Protocols HTTP & HTTPS SOAP, XML-RPC, REST etc.
over HTTP & HTTPS
(AI2) Information HTML transfer XML, JSON, JS Objects etc.
structures
(AI3) Communication Synchronous Asynchronous & Cross-
methods
th d Postback domains (proxy)
Refresh and Redirect
(AI4) Information Single place information Multiple sources (Urge for
sharingg (No urge for integrated information
integration)
i i ) platform)
l f )
© net-square
26. Impact of Web 2.0
• Security Threats
Changing dimension
g g Web 1.0 Web 2.0
(T1) Entry points Structured Scattered and multiple
(T2) Dependencies Limited • Multiple technologies
• Information sources
• Protocols
(T3) Vulnerabilities Server side [Typical injections] • Web services [Payloads]
• Cli t side [XSS & XSRF]
Client id
(T4) Exploitation Server side exploitation Both server and client side
exploitation
© net-square
27. Impact of Web 2.0
• Methodology
Changing dimension Web 1.0 Web 2.0
Typical with "Host" and
Footprinting DNS
Empowered with search
Discovery Simple Difficult with hidden calls
Enumeration Structured Several streams
Scanning Structured and simple Difficult with extensive Ajax
Difficult with Ajax and web
Automated attacks Easy after discovery
services
On the server-side
Reverse engineering
g g [Difficult]
Client-side with Ajax & Flash
Code reviews Focus on server-side only Client-side analysis needed
© net-square
28. Impact of Web 2.0
• Countermeasure
Changing dimension Web 1.0 Web 2.0
Multiple places [Mashups &
Owner of information Single place
RSS]
Browser security Simple DOM usage Complex DOM usage
Validations Server side Client side [incoming content]
Logic shift Only on server Client side shift
Secure coding Structured and single place Multiple places and scattered
© net-square
29. Challenges and Limitation
• No success with http response parsing
• Everything is generated run time
• Path of execution is dynamic
• Cannot predict next URL
p
• Need to grab data in runtime through DOM
• cannot use anything other than browser
• human element is must
© net-square
31. Future Approach
• "only about half of the required tests for a
only
security assessment can be performed on a
purely automated basis The other half
basis.
require human involvement, typically for
identifying vulnerabilities in business logic “
logic.
• Jeremiah Grossman (CTO, Whitehat Security)
• So finally you need a tool which will have
So,
both the things at one place..
• B
Browser based W b A li ti S
b d Web Application Scanner
© net-square
32. Future Approach
• Browser based toolbar Advantages
• Hybrid – Automated + Manual both
• U
Uses BBrowser DOM directly
di tl
• Crawling is possible but it is not required
because It’s allow you to test per page basis so
basis,
test as you traverse normally,
• Following challenges get resolved
resolved,
– Infinite crawl
– Crawl a site in particular order
© net-square
33. Future Approach
• Authenticated scanning – login first and then
start testing, context will be managed
automatically by browser
• Following challenges get resolved,
• Manage context through out the session
• Logout innocently
• Where to go after authentication ?
• Form based authentication, Success or fail, how to
decide ?
• Captcha.
© net-square
34. Future Approach
• The field value manipulation will be in a
DOM itself.
• Following challenges get resolved
resolved,
– Building correct attack request
– Forms submission by “onclick” event
– Wrong action or target picked up by automated tool
– Dynamic URL creation
• Java scripts execution automatically
automatically,
• Following challenges get resolved,
• Dynamic menus and css
• URL decryption on the fly by java scripts
© net-square
35. Future Approach
• False positive will be reduced by real html
view,
• Following challenges get resolved
resolved,
– False positives
– XSS detection with no false positives, popup will be there.
– Information leakage can be identified by html view.
© net-square
36. Future Approach
• So only approach is browser based tool i e
So, tool, i.e
toolbar, like human clicks and automation
together!!
• Security QA Toolbar
http://www.isecpartners.com/SecurityQAToolbar.html
© net-square