Penetration Testing
Report






Target: DemoCompany US website (www.democompany.net), Production System




Date: 14.02.2013
Disclosure level: CONFIDENTIAL
Created by: SANDLINE







Table of Contents
General Information ... 3
Executive Summary ... 4
  Overview ... 4
  Recommendations ... 4
  Limitations ... 4
  Testing Methodology ... 4
Operating System Vulnerability Assessment ... 5
Understanding the results ... 5
  Findings and Recommendations ... 5
  DREAD Scoring Criteria ... 6
  DREAD Composite Risk Categories ... 7
  Remediation Effort Level ... 7
Findings Details ... 8
  SQL Injection ... 8
  XSS - Cross-Site Scripting - Jobs Page ... 9
  SQL Denial of Service ... 9
  Unencrypted Passwords ... 9
  Possible XSS - Cross-Site Scripting - Jobs Page ... 10
  HTTP 500 Internal Server Error Messages ... 11
  Information Leakage ... 11
  Information Leakage ... 12
Website Assessment Methodology ... 13
  A1 - Injection Flaws ... 13
  A2 - Cross Site Scripting ... 13
  A3 - Malicious File Execution ... 15
  A4 - Insecure Direct Object Reference ... 15
  A5 - Cross Site Request Forgery ... 15
  A6 - Information Leakage and Improper Error Handling ... 16
  A7 - Broken Authentication and Session Management ... 16
  A8 - Insecure Cryptographic Storage ... 17
  A9 - Insecure Communications ... 17
  A10 - Failure to Restrict URL Access ... 18
General Recommendations ... 19









General Information

The objective of this engagement is to provide a professional IT security assessment of the project and its information security posture from an external attacker's standpoint. This document contains the results of these findings.

Project Information
Company Name: DemoCompany LLC
Primary Contact Name: John Doe
Department: E-Commerce & Security
Telephone: +1 (211) 555-5555
E-mail: john.doe@democompany.net
Business Address: 333 5th Av.
City: Manhattan
Postal Code: 33333
Resources: www.democompany.net

Report Details
Version: 1.0
Date: 14.02.2013
Responsible Person: Radu Stanescu

Team Point of Contact Details
Contact Name: Radu Stanescu
Telephone: +40 (722) 234-788
E-mail: radu.stanescu@sandline.ro
Business Address: 64 Blvd. Bucurestii Noi
City: Bucharest





Executive Summary

Overview
The http://www.democompany.net website is highly vulnerable to SQL injection and XSS attacks. With minimal effort, an attacker can access the database and the administrative user passwords. We found several high-risk vulnerabilities affecting the confidentiality of system data, and also vulnerabilities that could lead to alteration of the site content.

Recommendations
Fixing the issues detailed in this report will protect against outside attackers, but we highly recommend a security-focused code review.
We estimate a low to medium effort for fixing the critical issues and an overall medium effort for addressing all of them.
We also recommend testing the website from an internal point of view, as we discovered possible issues there.

Limitations
Due to networking limitations, and to procedures stating that the administration interfaces are available only from the intranet, we did not thoroughly test the administration page.

Testing Methodology
The methodology used was focused on the OWASP framework for assessing web applications. The testing method was "black box", although some inside information was provided.

[Chart: vulnerabilities by risk level. CRITICAL: 4, SEVERE: 1, MODERATE: 4]



Operating System Vulnerability Assessment
The only open port is 80 (HTTP). No OS vulnerabilities were found.

Understanding the results
This report describes findings and risk. A finding is a logical grouping of one or more security issues having a common cause and/or a common resolution. In addition to identifying the underlying cause of a vulnerability, each finding also contains hyperlinks to affected resources and provides remediation information. The findings matrix provided summarizes the overall findings and can be used as a workflow plan that can be tracked within the security organization. This plan is intended to assist the remediation team in prioritizing and tracking the remediation effort. Each finding has been categorized according to its relative risk level and also contains a rating of the amount of work and resources required in order to address the finding. It is important to reiterate that this report represents a "snapshot" of the security posture of the environment at a point in time.

Findings and Recommendations
The Internet Security Team has identified a number of areas where security could be improved, and recommendations have been provided for consideration. This section of the report describes the details of our team's observations, the impact associated with the vulnerabilities identified, and recommendations for resolving these vulnerabilities. To assist in prioritizing these findings, we have categorized the observations with risk rankings based on the DREAD model.




DREAD Scoring Criteria

Each criterion is scored Critical (10), High (7), Medium (4) or Low (1).

D - Damage: the level of damage and exposure that could be caused if a vulnerability were exploited.
  Critical (10): An attacker can gain full access to the system and execute commands as root/administrator.
  High (7): An attacker can gain non-privileged user access, leaking extremely sensitive information.
  Medium (4): Sensitive information leak; Denial of Service.
  Low (1): Leaking trivial information.

R - Reproducibility: the level of difficulty in reproducing an attack.
  Critical (10): The attack can be reproduced every time and does not require a timing window.
  High (7): The attack can be reproduced most of the time.
  Medium (4): The attack can be reproduced, but only with a timing window.
  Low (1): The attack is very difficult to reproduce, even with knowledge of the security hole.

E - Exploitability: the ease with which the attack could be launched.
  Critical (10): No programming skills are needed; automated exploit tools exist.
  High (7): A novice hacker could execute the attack in a short time.
  Medium (4): A skilled programmer could create the attack, and a novice could repeat the steps.
  Low (1): The attack requires a skilled person and in-depth knowledge every time to exploit.

A - Affected users: the volume of users and assets that are affected in a successful attack scenario.
  Critical (10): All users, default configuration, key customers.
  High (7): Most users, common configuration.
  Medium (4): Some users, non-standard configuration.
  Low (1): Very small percentage of users, obscure features; affects anonymous users.

D - Discoverability: the level of difficulty involved in enumerating the vulnerability.
  Critical (10): The vulnerability can be found using automated scanning tools.
  High (7): Published information explains the attack. The vulnerability is found in the most commonly used feature.
  Medium (4): The vulnerability is in a seldom-used part of the product, and few users would come across it.
  Low (1): The vulnerability is obscure and it is unlikely that it would be discovered.




DREAD Composite Risk Categories

Each vulnerability or finding is assigned a composite Risk Score, calculated by adding the five DREAD components, which produces a number between 5 and 50.

CRITICAL (DREAD score 40 - 50): A critical finding or vulnerability should be considered immediately for review and resolution. Exploitation of critical vulnerabilities is relatively easy and can lead directly to an attacker gaining privileged access (root or administrator) to the system. Findings with this risk rating, if not quickly addressed, may pose risks that could negatively impact business operations or business continuity.

SEVERE (DREAD score 25 - 39): A severe finding or vulnerability should be considered for review and resolution within a short time frame. These vulnerabilities can lead to an attacker gaining non-privileged access (standard user) to a system, or the vulnerability can be leveraged to gain an elevated level of access.

MODERATE (DREAD score 11 - 24): Moderate risk findings or vulnerabilities should be considered once the critical and severe risks have been addressed. These vulnerabilities may leak sensitive data that an attacker can use to assist in the exploitation of other vulnerabilities. Moderate findings do not pose a substantial threat to business operations.

Remediation Effort Level

LOW*: Less than a day, requiring only a minimal amount of resources.
MEDIUM*: One to several days, requiring moderate amounts of resources.
HIGH*: Significant multi-resource effort that may span a considerable amount of time. Requires a significant network architecture change or the purchase of additional security products.
* Remediation effort is estimated ONLY from a technical point of view.






Findings Details

SQL Injection

Risk Level: CRITICAL    Occurrences: 6    Exploit reached: Database access
DREAD score: D 7, R 10, E 10, A 10, D 10 = 47    Remediation effort: LOW
Affected resources:
http://www.democompany.net/Components/adminComponentWysiwyg/includes/I-prev.php
http://www.democompany.net/Components/contacts/includes/I-prev.php
http://www.democompany.net/Components/consultants/includes/I-prev.php
http://www.democompany.net/Components/frontpageJules/includes/I-prev.php
http://www.democompany.net/Components/frontpageDemocompanyjules/includes/I-prev.php
http://www.democompany.net/Components/frontpageDemocompanyshop/includes/I-prev.php

Description: The parameter 'id' passed to the I-prev.php file is vulnerable to blind SQL injection. This allowed full access to the website's databases kundekort_democompany_us and new_democompany_us.
Proof of concept data extracted from the database:

MySQL global variables:
DATADIR: /var/lib/myql
BASEDIR: /usr
GENERAL_LOG_FILE: /var/lib/mysql/d30webs101.log
HOSTNAME: d30webs101
PORT: 3306
TMPDIR: /tmp
DB_USER: db_www_democompany_us@localhost

Database name: kundekort_democompany_us
Rights: SELECT, INSERT, UPDATE, DELETE,
DROP, CREATE
Sample tables, columns and data:
applicants
companyEmail
[!]
applications
applicantFirstName
applicantEmail
companyCvr
21455148
[!]
buyerEmail
smt@democompany.net
sho@abc.us
marianne.mortensen@hotmail.com
cvrs
cvrNumber
Database name: new_democompany_us
Rights: SELECT, INSERT, UPDATE, DELETE
Sample tables, columns and data:
admin_login_users
email
bill.john@democompany.net
support@example.us
password
ed79acb0cd3d7[!]
componentExtraCard
companyName
cardHolder1
storeNumber
customerNumber
orderDate
cardHolder2
component_EPageCatalogues
[...]
component_newCardApplications
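The I-prev.php flaw and the fix this finding's recommendation calls for (cast to integer, then a parameterized query), as an added example that is not code from the site or from this report. `preview_vulnerable` pastes the request parameter into the SQL text the way the description implies, `preview_hardened` casts and binds it, and `blind_oracle` shows the yes/no inference behind "blind" injection: nothing is echoed, but whether the legitimate row comes back answers an attacker-chosen condition. SQLite from the standard library stands in for MySQL so the block runs offline; the table `previews`, its columns and rows are constructed sample data and not taken from the report.

```python
import sqlite3

# Constructed sample data standing in for the site's preview table; the
# table name, columns and rows are assumptions made for this example.
SAMPLE_ROWS = [
    (14, "Front page preview 14", "public"),
    (15, "Front page preview 15", "public"),
    (99, "Unpublished admin draft", "internal"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE previews (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO previews VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def preview_vulnerable(raw_id):
    """The flaw: the request parameter becomes part of the SQL text, so the
    attacker owns the WHERE clause and can comment out what follows it."""
    query = ("SELECT id, title FROM previews "
             "WHERE id = " + raw_id + " AND visibility = 'public'")
    return _connect().execute(query).fetchall()


def preview_hardened(raw_id):
    """The fix from the recommendation: cast to int, then bind the value
    through a placeholder so it can never be parsed as SQL."""
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return []                     # anything that is not a plain integer is rejected
    query = "SELECT id, title FROM previews WHERE id = ? AND visibility = 'public'"
    return _connect().execute(query, (id_value,)).fetchall()


def blind_oracle(condition):
    """Blind injection against the vulnerable handler: the page content never
    changes, but the legitimate row is returned only when `condition` is true,
    which is enough to extract data one comparison at a time."""
    return len(preview_vulnerable("14 AND " + condition)) == 1


if __name__ == "__main__":
    print(preview_vulnerable("14 OR 1=1 --"))    # every row, including the internal one
    print(preview_hardened("14 OR 1=1 --"))      # [] : rejected before any SQL runs
    # first character of the hidden row's title, recovered without ever seeing it
    print(blind_oracle("substr((SELECT title FROM previews WHERE id = 99), 1, 1) = 'U'"))
```

The integer cast alone closes this particular hole, but the placeholder is what makes the query safe regardless of the parameter's type, which is why the recommendation asks for both.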


Recommendation: Input parameters should be sanitized and cast to integer where possible. As a general rule, when using PHP and MySQL, parameterized queries should be used, NOT direct input from POST and GET variables. I-prev.php may also be present in other folders of the web server; check for its presence, as those copies are very likely to have the same issue.

XSS - Cross-Site Scripting - Jobs Page

Risk Level: CRITICAL    Occurrences: 1    Exploit reached: JavaScript execution
DREAD score: D 7, R 10, E 7, A 7, D 10 = 41    Remediation effort: LOW
Affected resources: http://www.democompany.net/job/alert(1)
Description: The URL is not properly sanitized, allowing Cross-Site Scripting attacks.
Recommendation: The value taken from the URL after /job/ should be validated against the format it is expected to have and output-encoded for the HTML context in which it is rendered; filtering "JavaScript code" out of it is not a substitute for that.

SQL Denial of Service

Risk Level: CRITICAL    Occurrences: 15    Exploit reached: Denial of Service
DREAD score: D 4, R 10, E 10, A 10, D 10 = 44    Remediation effort: LOW
Affected resources: I-prev.php?id=14 or (select sleep(7))   (URL-encoded in the actual request)
Description: The injected query is executed 4 times for each web request: the delay with which the server responds is 4 times the delay in the query (sleep(7)). Each such request therefore holds a database connection for about 28 seconds, so a small number of concurrent requests with a longer sleep() lead to a Denial of Service.
Recommendation: Check why the query runs 4 times and optimize it. Fixing the injection itself (see the SQL Injection recommendation) also removes the attacker's ability to inject sleep() in the first place.

Unencrypted Passwords

Risk Level: CRITICAL    Occurrences: 1    Exploit reached: Authentication successful
DREAD score: D 4, R 10, E 10, A 10, D 10 = 44    Remediation effort: LOW
Affected resources: Database new_democompany_us, table admin_login_users
Description: The passwords stored in the database are not encrypted.
Users:
bill.john@democompany.net
support@suddenly.us
Password (32 chars):
ed79acb0cd3d7[!]

The password in this case may look like a hash but is the actual password.
Recommendation: Do not store passwords in clear or in reversibly encrypted form. Store a salted, deliberately slow password hash (bcrypt, scrypt or PBKDF2) and verify the submitted password against it at login.

Possible XSS - Cross-Site Scripting - Jobs Page

Risk Level: SEVERE    Occurrences: 2    Exploit reached: User redirection
DREAD score: D 4, R 10, E 7, A 10, D 1 = 32    Remediation effort: LOW
Affected resources: www.democompany.net/karriere
Description: In the affected URL, at the following line:
document.write('<td><a href=http://www.democompany.net/job/'+jobData[i][0]+'>'+jobData[i][2]+'</a></td>');
the variable "jobData", received from http://www.jobsite.net/listing.asp, is not validated before being written to the document. Whoever can influence the listing served by that third-party site, or tamper with it in transit since it is fetched over plain HTTP, can inject HTML and script into the page. This could lead to serious XSS code injection.
Recommendation: The "jobData" fields should be validated against the format they are expected to have and HTML- and attribute-encoded before use (or inserted through DOM APIs such as createElement and textContent instead of document.write), and the href attribute should be quoted. Rejecting "JavaScript code" by pattern is not sufficient on its own.






HTTP 500 Internal Server Error Messages

Risk Level: MODERATE    Occurrences: 1    Exploit reached: Server error
DREAD score: D 3, R 10, E 2, A 2, D 7 = 24    Remediation effort: MEDIUM
Affected resources:
http://www.democompany.net/htdocs/
http://www.democompany.net/Components/adminComponentTopMenu/adminComponentTopMenu.php
Description: Accessing these links triggers a 500 Internal Server Error. 500 Internal Server Error pages should occur only in exceptional situations; here they disclose information about protected resources. The server responds with "HTTP/1.0 500 Internal Server Error"; the HTTP/1.0 is an anomaly, because all other responses are HTTP/1.1.
Recommendation: Use 404 for nonexistent pages or use redirect pages.

Information Leakage

Risk Level: MODERATE    Occurrences: 2    Exploit reached: Server and platform information gathered
DREAD score: D 1, R 10, E 4, A 4, D 4 = 23    Remediation effort: LOW
Affected resources:
http://www.democompany.net/phpmyadmin/
http://www.democompany.net/admin
Description: The affected URLs are redirected to HTTPS sites accessible only from the intranet network, but in conjunction with the XSS exploitation it is possible to send an email to any internal user and use him as a proxy for external requests to the restricted web interfaces.
Recommendation: Systems should hide non-essential information.





Information Leakage

Risk Level: MODERATE    Occurrences: 1    Exploit reached: Observation
DREAD score: D 1, R 10, E 1, A 1, D 1 = 14    Remediation effort: LOW
Affected resources:
http://www.democompany.net/4042
http://www.democompany.net/20/
http://www.democompany.net/jules/test.php
http://www.democompany.net/icons/README
Description: We discovered several URLs and URL rewrite rules which should be checked to see whether they are still needed.
Recommendation: Check whether the affected URLs are needed and remove those that are not.





Website Assessment Methodology

A1 - Injection Flaws
Findings
We found a SQL injection which led to DB data leakage.
Goals
Analyze the application's inputs, looking for vectors for injection. Use application context to infer how input might be used (on the back end).
Automated Steps
- Scan application with AppScan
- Scan application with Acunetix
- Spider website with WebScarab
- Spider website with Burp Suite
- Pull down a mirror of the website using wget
Manual
- Spider application using WebScarab and Burp Suite
- Fuzz potential vectors using WebScarab or Burp Suite:
  - SQL Injection
  - LDAP
  - XPath
  - HTML
  - OS Command

A2 - Cross Site Scripting
Findings
We found an XSS in the iframe from the jobsite.
Goals
Look through the application for input vectors; check each potential vector for XSS.
Automated Steps
- Scan application with AppScan
- Scan application with Acunetix
- Spider website with WebScarab
- Spider website with Burp Suite
- Pull down a mirror of the website using wget
Manual Steps
- Check for hidden form fields using WebScarab
- Use WebScarab to fuzz potential vectors
- Use TamperData to view application interaction
- Examine application inputs for potential to store XSS commands



- Examine JavaScript for potentially dangerous (DOM-based XSS) calls that:
  - Are controlled by an attacker:
    document.URL
    document.URLUnencoded
    document.location (and many of its properties)
    document.referrer
    window.location
  - Write raw HTML, e.g.:
    document.write(...)
    document.writeln(...)
    document.body.innerHtml=...
  - Directly modify the DOM (including DHTML events), e.g.:
    document.forms[0].action=... (and various other collections)
    document.attachEvent(...)
    document.create...(...)
    document.execCommand(...)
    document.body. ... (accessing the DOM through the body object)
    window.attachEvent(...)
  - Replace the document URL, e.g.:
    document.location=... (and assigning to location's href, host and hostname)
    document.location.hostname=...
    document.location.replace(...)
    document.location.assign(...)
    document.URL=...
    window.navigate(...)
  - Open/modify a window, e.g.:
    document.open(...)
    window.open(...)
    window.location.href=... (and assigning to location's href, host and hostname)
  - Directly execute a script, e.g.:
    eval(...)
    window.execScript(...)
    window.setInterval(...)
    window.setTimeout(...)
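The checklist above applied mechanically, as an added example that is not a tool from this report: it greps JavaScript source for the attacker-controlled sources and the sink families listed, and marks a sink as dynamic when its argument is anything other than string literals, which is the set of lines worth a manual look. The sample JavaScript is constructed for the test; its third line is the document.write from the "Possible XSS" finding, and the function names and output format are this example's own.

```python
import re

# Attacker-controlled sources and the sink families from the checklist above.
# Sink patterns require a call or an assignment, so a plain read of
# document.location is reported as a source, not as a sink.
SOURCE_RE = re.compile(
    r"(document\.(?:URLUnencoded|URL|location|referrer)|window\.location)\b"
    r"(?![\w.\[\]]*\s*=[^=])")                      # ...unless it is the target of an assignment
SINK_RES = {
    "html-write": re.compile(
        r"document\.write(?:ln)?\s*\(|\.innerHTML\s*=(?!=)"),
    "dom-modify": re.compile(
        r"\.forms\[[^\]]*\]\.action\s*=(?!=)|(?:document|window)\.attachEvent\s*\("
        r"|document\.execCommand\s*\(|document\.create\w*\s*\("),
    "url-replace": re.compile(
        r"(?:document|window)\.location(?:\.href|\.hostname)?\s*=(?!=)"
        r"|location\.(?:replace|assign)\s*\(|document\.URL\s*=(?!=)|window\.navigate\s*\("),
    "window": re.compile(r"(?:document|window)\.open\s*\("),
    "script-exec": re.compile(
        r"\beval\s*\(|window\.execScript\s*\(|\b(?:window\.)?set(?:Interval|Timeout)\s*\("),
}
STRING_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
LINE_COMMENT_RE = re.compile(r"(^|\s)//.*$")        # crude, but leaves 'http://' inside code alone


def _is_dynamic(argument):
    """True when anything other than string literals feeds the sink."""
    return re.search(r"\w", STRING_LITERAL_RE.sub("", argument)) is not None


def scan_js(source):
    """Return (line_no, kind, token, dynamic) tuples. kind is 'source' or a
    sink family; dynamic is None for sources, else whether the sink's
    argument is non-literal and therefore a candidate for tainted data."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = LINE_COMMENT_RE.sub("", line)
        for m in SOURCE_RE.finditer(code):
            findings.append((no, "source", m.group(1), None))
        for kind, rx in SINK_RES.items():
            for m in rx.finditer(code):
                findings.append((no, kind, m.group(0).strip(), _is_dynamic(code[m.end():])))
    return findings


# Constructed sample; line 3 is the document.write from the 'Possible XSS' finding.
SAMPLE_JS = """\
var jobData = parseListing(xhr.responseText);  // fetched from jobsite.net
for (var i = 0; i < jobData.length; i++) {
  document.write('<td><a href=http://www.democompany.net/job/'+jobData[i][0]+'>'+jobData[i][2]+'</a></td>');
}
var q = document.location.hash.substring(1);
document.getElementById('out').innerHTML = q;
setTimeout(function () { render(); }, 100);
var node = document.createTextNode("static text");
"""

if __name__ == "__main__":
    for hit in scan_js(SAMPLE_JS):
        print(hit)
```

A line-oriented grep cannot follow a value from a source on one line to a sink on another, so the output is a review list, not a verdict; in the sample, the attacker-controlled `jobData` reaches `document.write` through the loop, and the `document.location.hash` value reaches `innerHTML` one line later.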



A3 - Malicious File Execution
Findings
No significant findings. Note that the WAF blocked most attempts.
Goals
Analyze the application, looking for the use of external object references, such as URLs or file system references.
Automated
- None available.
Manual
- Spider application using WebScarab or Burp Suite
- Look for suspicious parameters (filename, include, file, language, etc.)

A4 - Insecure Direct Object Reference
Findings
No significant findings.
Goals
Examine the application for references to internal objects (database references, internal files, includes).
Automated
- None available.
Manual
- Most of the work was manual, as it is context-driven.

A5 - Cross Site Request Forgery
Findings
No significant findings.
Goals
Any application that doesn't do authorization checks for actions is likely vulnerable to CSRF. Verify that pages that perform actions for the user are protected.
Automated
- None available.



Manual
- Check to see if the application uses CSRF protections

A6 - Information Leakage and Improper Error Handling
Findings
Multiple information leaks, including error information, sensitive data, and version information.
Goals
Examine the application in question, looking for error messages or information that shouldn't be available to an attacker. This could include comments, verbose / system error messages, or other forms of information leakage.
Automated
- Scan application with AppScan
- Scan application with Acunetix
Manual
- Browse the application, looking for information leakage in context
- Check the application for custom errors (custom 404, custom 500)
- Check to see if exception handling is centralized.

A7 - Broken Authentication and Session Management
Findings
Not applicable, as no user accounts mechanism is implemented on the public site. (The administration login, which is reachable only from the intranet, was out of scope; see Limitations.)
Goals
Look through the application for opportunities to subvert the authentication and authorization functionality. The goal is to verify that the application properly authenticates users and properly protects identities and their associated credentials.
Check for weaknesses in accounts, passwords, session tokens, authentication code and authorization code.
Automated
- Brute force accounts (using automated scripts), checking for default / weak accounts
- Scan application with AppScan
- Scan application with Acunetix
Manual
- Check for multiple authentication / authorization mechanisms.
- Analyze strength of session tokens using Burp Suite
- Check for password reset functionality. Can it be misused?
- Check for "remember password" functionality. Is it stored client-side? How?



- Check for session timeout, session invalidation (server / client).
- Check for exposed session tokens
- Check for injection on login forms (probably SQL injection)
- Check for parameter manipulation that might afford an authenticated session.

A8 - Insecure Cryptographic Storage
Findings
No significant findings beyond the Unencrypted Passwords finding above, where the administrative passwords in admin_login_users are stored in clear.
Goals
The goal is to verify that the application properly encrypts sensitive information in storage.
Automated
Manual
- Check the application for:
  - Not encrypting sensitive data
  - Using home-grown algorithms
  - Insecure use of strong algorithms
  - Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc.)
  - Hard-coding keys, and storing keys in unprotected stores
- Make sure data passed in the URL is encrypted or hashed

A9 - Insecure Communications
Findings
No significant findings. (Note that only port 80/HTTP was found open; see Operating System Vulnerability Assessment.)
Goals
Check the application to ensure that encryption is used on all sensitive URLs. Also, verify that the encryption strength is sufficient for the sensitivity of the data.
Automated
- Run SSL Labs to verify supported ciphers
Manual
- Verify that all sensitive pages are encrypted with SSL.
- Verify that all calls to the server (including Flash & AJAX calls) are encrypted.



A10 - Failure to Restrict URL Access
Findings
Two login pages have been found. This may be a problem if these URLs were not intended for public access.
Goals
Check the application for URLs and input parameters that likely exist, based on application context.
Automated
- Run DirBuster on the application to brute force possible URLs
Manual
- Use application context to search for likely resources (/admin, etc.).
- Search for:
  - "Hidden" or "special" URLs, rendered only to administrators or privileged users in the presentation layer, but accessible to all users if they know they exist, such as /admin or /addCart. This is particularly prevalent with menu code. Applications often allow access to "hidden" files, such as static XML or system-generated reports, trusting security through obscurity to hide them.
  - Code that enforces an access control policy but is out of date or insufficient.




General Recommendations

XSS Prevention Rules Summary

Data Type  Context                                 Defense
String     HTML body                               HTML entity encoding
String     Safe HTML attributes                    Aggressive HTML entity encoding.
                                                   Only place untrusted data into a whitelist of safe attributes
                                                   (listed in the OWASP XSS Prevention Cheat Sheet, from which this
                                                   table is taken). Strictly validate unsafe attributes such as
                                                   background, id and name.
String     GET parameter                           URL encoding
String     Untrusted URL in a SRC or HREF          Canonicalize input; URL validation; safe URL verification;
           attribute                               whitelist http and https URLs only (avoid the javascript:
                                                   protocol to open a new window); attribute encoder
String     CSS value                               Strict structural validation; CSS hex encoding; good design
                                                   of CSS features
String     JavaScript variable                     Ensure JavaScript variables are quoted; JavaScript hex
                                                   encoding; JavaScript Unicode encoding; avoid backslash
                                                   encoding (\" or \' or \\)
HTML       HTML body                               HTML validation (JSoup, AntiSamy, HTML Sanitizer)
String     DOM XSS                                 DOM-based XSS Prevention Cheat Sheet
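The table's HTML-body, attribute and URL rules applied to the jobs-page line from the "Possible XSS" finding, as an added example that is not the site's code (the site's own rendering is client-side JavaScript; the same rules apply there, ideally through DOM APIs such as textContent rather than string building). `job_cell_unsafe` reproduces the raw concatenation of the original line, `job_cell_safe` percent-encodes the untrusted id as a single path segment, quotes the attribute and entity-encodes both the attribute and the body context, and `safe_href` is the http/https allow-list for fields that carry a whole URL. The job tuples are constructed inputs; the function names are this example's own.

```python
import html
from urllib.parse import quote, urlsplit

BASE = "http://www.democompany.net/job/"   # the link prefix from the affected page


def job_cell_unsafe(job):
    """Mirrors the flawed document.write: untrusted fields concatenated raw,
    unquoted href, no encoding in either the attribute or the body context."""
    return "<td><a href=" + BASE + str(job[0]) + ">" + str(job[2]) + "</a></td>"


def job_cell_safe(job):
    """URL context: the id becomes one percent-encoded path segment (safe=""
    encodes '/' as well, so it cannot escape the /job/ prefix).
    Attribute context: the href is quoted and entity-encoded.
    HTML body context: the title is entity-encoded."""
    href = BASE + quote(str(job[0]), safe="")
    return '<td><a href="{}">{}</a></td>'.format(
        html.escape(href, quote=True), html.escape(str(job[2]), quote=True))


def safe_href(url):
    """For fields that carry a whole URL: allow only absolute http(s) URLs
    (rejects javascript:, data:, protocol-relative and relative values) and
    encode for the attribute context. Returns None when the URL is rejected."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(url, quote=True)


if __name__ == "__main__":
    hostile = ("' onmouseover=alert(1) x='", "", "<script>alert(1)</script>")
    print(job_cell_unsafe(hostile))   # script and a new event-handler attribute land in the page
    print(job_cell_safe(hostile))     # both are inert text / an inert path segment
    print(safe_href("javascript:alert(1)"))   # None
```

Encoding is per context, which is why the same value is treated twice: once as a path segment inside the URL and again as an attribute value once the URL is placed in the tag.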
