OTG-CONFIG OWASP Thailand Chapter (26th November 2015)

OWASP OTG-configuration (OWASP Thailand chapter november 2015)


Page 1: OWASP OTG-configuration (OWASP Thailand chapter november 2015)



OWASP Testing Guide: Configuration and Deployment Management Testing 2

Who am I

• Noppadol Songsakaew
  – IT security enthusiast
  – gamer (plays on smartphone)
  – book reader (IT, Chinese novels)

• Work: Senior Associate at PwC (Thailand)


Who is this talk for?
• Developers
• Software Testers
• Security Guys
• Project Managers sir!
• Anyone who is interested in IT security


Objective of this talk
To build testing knowledge of:

• Network & infrastructure configuration
• Web server configuration
• Sensitive data handling
• Application protocol
• Cross domain policy


And why would you care? A single broken link in the chain is all a malicious user needs to compromise your servers.


What is OWASP Testing Guide

“You can’t build a secure application without performing security testing on it. Testing is part of a wider approach to building a secure system.”

- Eoin Keary, OWASP Global Board


Agenda
1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)
2. Test Application Platform Configuration (OTG-CONFIG-002)
3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
5. Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
6. Test HTTP Methods (OTG-CONFIG-006)
7. Test HTTP Strict Transport Security (OTG-CONFIG-007)
8. Test RIA cross domain policy (OTG-CONFIG-008)


1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)

Test Objectives

• To map the infrastructure supporting the application and understand how it affects the security of the application.


1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)

How to test
• Known Server Vulnerabilities
  – Not all software vendors disclose vulnerabilities in a public way.
  – Beware of false positives from automated scanning tools.
  – Backported patches: a patched server may still report the old version string, so a version-based finding has to be confirmed before it is reported.

Tools: OpenVAS, Nessus, Core Impact, Nexpose


1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)

How to test
• Known Server Vulnerabilities (https://exchange.xforce.ibmcloud.com)


1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)

How to test
• Known Server Vulnerabilities (https://www.cvedetails.com)


1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)

How to test
• Review software components
  – Configuration files will tell you which modules are enabled or disabled.

• Administrative tools
  – All web servers allow administrators to manage the web server in different ways, such as plain-text configuration files (Apache, nginx) or operating-system GUI tools (Microsoft IIS).
  – Determine the mechanisms that control access to these interfaces and their associated susceptibilities.


2. Test Application Platform Configuration (OTG-CONFIG-002)

Test Objectives
• To assess the default configuration of the installed web server and remove unnecessary files (application example files, documentation files, test pages)


2. Test Application Platform Configuration (OTG-CONFIG-002)

How to test
• Sample and known files and directories
• Configuration review
  – Check that the server runs with minimized privileges in the operating system
  – SSL protocol configuration
  – Error pages configuration
  – Make sure the server software properly logs both legitimate access and errors.


2. Test Application Platform Configuration (OTG-CONFIG-002)

How to test
• Logging
  – Do the logs contain sensitive information?
  – Are the logs stored on a dedicated server?
  – Can log usage generate a Denial of Service condition?
  – How are they rotated? Are logs kept for a sufficient time?
  – How are logs reviewed? Can administrators use these reviews to detect targeted attacks?
  – How are log backups preserved?
  – Is the data being logged validated (min/max length, chars etc.) prior to being logged?
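The last two logging questions (sensitive data in logs, and validation of data before it is logged) are easiest to answer by looking at the code that writes the log line. The following Python is an added example, not from the slides or from OWASP: it shows a log-writing helper that strips control characters (so a request field cannot forge extra log lines), caps field length (so oversized input cannot fill the log), and redacts well-known secret query parameters before the path is logged. The field limits, the parameter names in `SENSITIVE_PARAMS` and the sample request values are this example's own constructed choices.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed limits for this example; tune them to the real field sizes.
MAX_FIELD_LEN = 200

# Any byte in the C0 control range or DEL: CR and LF would let a request
# field start a fake log line, ESC would let it emit terminal escapes.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Query parameter names whose values must never reach the log (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "token", "session", "apikey"}


def sanitize_for_log(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Make `value` safe to embed in a single log line.

    Control characters are replaced by a visible \\xNN escape, and the result
    is truncated to `max_len` characters with an explicit marker.
    """
    escaped = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "...[truncated]"
    return escaped


def redact_query(path: str) -> str:
    """Replace the value of any sensitive query parameter with REDACTED."""
    parts = urlsplit(path)
    if not parts.query:
        return path
    pairs = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else val)
        for name, val in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def format_access_log(client_ip: str, method: str, path: str, user_agent: str) -> str:
    """Build one quoted, single-line access-log record from request fields."""
    fields = [
        sanitize_for_log(client_ip, 45),          # longest textual IPv6 form
        sanitize_for_log(method, 10),
        sanitize_for_log(redact_query(path), 2048),
        sanitize_for_log(user_agent),
    ]
    return " ".join('"%s"' % f for f in fields)


if __name__ == "__main__":
    # Constructed request: the User-Agent carries a newline that would
    # otherwise forge a second log line, and the query carries a password.
    print(format_access_log("10.0.0.5", "GET",
                            "/login?user=bob&password=hunter2",
                            "curl/7.0\n10.0.0.9 GET /admin 200"))
```

The helper never decides what is "interesting" to log; it only guarantees that whatever is logged stays on one line, stays bounded, and does not carry credentials, which is exactly what the review questions on this slide are probing for.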


3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

Test Objectives
• To test the behaviour of each file extension and assess what kind of information is shown to users when they access our pages


3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

How to test
• Forced browsing
Example:

The tester has identified the existence of a file named connection.inc. Trying to access it directly gives back its contents, which is


3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

How to test
• Make sure you check all of the file extensions below:

.zip, .tar, .gz, .tgz, .rar: (Compressed) archive files
.java: No reason to provide access to Java source files
.txt: Text files
.pdf: PDF documents
.docx, .rtf, .xls, .pptx: Office documents
.bak, .old and other extensions indicative of backup files
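The extension checklist above is most useful when it is applied to a complete listing of the web root rather than to URLs found one at a time. The following Python is an added example (not from the slides or from OWASP) that takes a list of paths, as an administrator would get from the server's document root, and groups the ones that match the checklist: the archive, source, text, document, office and backup extensions come from the slide, while the extra editor/backup suffixes in `BACKUP_MARKERS`, the server-side `.inc`/`.conf`/`.ini` entries (motivated by the connection.inc case on the previous slide) and the sample listing are this example's own constructed additions.

```python
import os
from typing import Dict, List, Optional

# Extension -> category, taken from the OTG-CONFIG-003 checklist on the slide.
SENSITIVE_EXTENSIONS = {
    ".zip": "archive", ".tar": "archive", ".gz": "archive", ".tgz": "archive", ".rar": "archive",
    ".java": "source",
    ".txt": "text",
    ".pdf": "document",
    ".docx": "office", ".rtf": "office", ".xls": "office", ".pptx": "office",
    ".bak": "backup", ".old": "backup",
}

# Suffixes that editors and deploy tools leave behind (constructed list, not from the slide).
BACKUP_MARKERS = ("~", ".orig", ".swp", ".save")

# Server-side include/config files that must never be served raw
# (the connection.inc example on the slide is the motivating case; constructed list).
SERVER_SIDE_EXTENSIONS = {".inc": "include", ".conf": "config", ".ini": "config"}


def classify_path(path: str) -> Optional[str]:
    """Return the risk category for one web-root path, or None if unremarkable."""
    lower = os.path.basename(path).lower()
    # Check the trailing markers first: "config.php~" has no useful splitext().
    if lower.endswith(BACKUP_MARKERS):
        return "backup"
    _, ext = os.path.splitext(lower)
    if ext in SENSITIVE_EXTENSIONS:
        return SENSITIVE_EXTENSIONS[ext]
    if ext in SERVER_SIDE_EXTENSIONS:
        return SERVER_SIDE_EXTENSIONS[ext]
    return None


def audit_webroot(paths: List[str]) -> Dict[str, List[str]]:
    """Group every flagged path by category, preserving listing order."""
    report: Dict[str, List[str]] = {}
    for p in paths:
        category = classify_path(p)
        if category:
            report.setdefault(category, []).append(p)
    return report


# Constructed document-root listing for the demonstration.
SAMPLE_LISTING = [
    "/index.php", "/index.php.bak", "/includes/connection.inc", "/js/app.js",
    "/backup/site-2015.tar.gz", "/docs/Manual.PDF", "/src/Login.java",
    "/config.php~", "/css/style.css", "/robots.txt",
]

if __name__ == "__main__":
    for category, hits in audit_webroot(SAMPLE_LISTING).items():
        print("%-9s %s" % (category, ", ".join(hits)))
```

Anything in the report is a file to either delete from the document root or block in the server configuration; a `.txt` hit such as robots.txt is expected and shows that the list is a starting point for review, not a verdict.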


3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

Example:


4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

Test Objectives
• To find sensitive information in files left on a server


4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

How to test
• Check the public contents
  - Comments in source code
  - JavaScript linked from the related page
  - /robots.txt


4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

How to test
• Blind guessing
  - For example, if a page ’viewuser.asp’ is found, then look also for ‘edituser.aspx’.
  - If ‘/app/user’ is found, then an attacker will look also for ’/app/admin’ and ‘/app/manager’.
  - Using a dictionary or brute-forcing directory paths and files on a web server

Tools: ‘Wfuzz’, ‘Burp (Intruder)’, ‘ZAP’


4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

How to test
• Information obtained through server vulnerabilities and misconfiguration
  - Directory listing vulnerability


5. Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

Test Objectives
• To discover administrator interfaces and access functionality intended for privileged users.


5. Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

How to test
- Reviewing server and application documentation
- Directory and file enumeration by searching for: /admin or /administrator
- Publicly available information. Many applications such as WordPress have default administrative interfaces.
- Alternative server port. Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's administration interface can often be seen on port 8080.
- Clues from cookie information:


6. Test HTTP Methods (OTG-CONFIG-006)

Test Objectives
• To check how a web server handles different types of HTTP methods


6. Test HTTP Methods (OTG-CONFIG-006)

What is an HTTP method?
The method indicates the desired action to be performed on the identified resource at the web server.


6. Test HTTP Methods (OTG-CONFIG-006)

What is an HTTP method?
The method indicates the desired action to be performed on the identified resource. There are 8 methods in HTTP/1.1:
1) GET: Requests a representation of the specified resource.
2) POST: Requests that the web server accept and store the data enclosed in the body of the request message.
3) HEAD: Requests a response identical to the one that would correspond to a GET request, but without the response body.
4) PUT: This method allows a client to upload new files to the web server.


6. Test HTTP Methods (OTG-CONFIG-006)

What is an HTTP method?
The method indicates the desired action to be performed on the identified resource at the web server. There are 8 methods in HTTP/1.1 (cont.):
5) DELETE: This method allows a client to delete a file on the web server.
6) TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.
7) OPTIONS: The OPTIONS method returns the HTTP methods that the server supports for the specified URL.
8) CONNECT: This method could allow a client to use the web server as a proxy.


6. Test HTTP Methods (OTG-CONFIG-006)

How to test
- Using ‘Nmap’ to list supported methods


6. Test HTTP Methods (OTG-CONFIG-006)

How to test
- Using ‘netcat’
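Whether the methods are listed with Nmap or by sending an OPTIONS request through netcat, the raw answer still has to be read and compared against the eight methods described on the previous slides. The Python below is an added example (not from the slides, OWASP, Nmap or netcat): it parses the `Allow` header out of a raw HTTP response, as netcat would print it, and reports which of the methods the slides single out as risky (PUT, DELETE, TRACE, CONNECT) the server claims to accept. The sample response is constructed for this example and was not captured from any real server; the `DANGEROUS_METHODS` set is this example's own choice.

```python
from typing import Dict, Set

# Constructed OPTIONS response, in the form netcat would print it.
# Not captured from any real server.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 26 Nov 2015 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT,DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Methods that need an explicit justification on a normal web application:
# PUT/DELETE change server content, TRACE echoes requests, CONNECT proxies.
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_allow_header(raw_response: str) -> Set[str]:
    """Return the method names from the Allow header, upper-cased.

    Only the header block (before the first blank line) is inspected, and
    the status line is skipped. A missing Allow header yields an empty set.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def assess_methods(raw_response: str) -> Dict[str, object]:
    """Summarise the advertised methods and flag the risky ones."""
    allowed = parse_allow_header(raw_response)
    return {
        "allowed": sorted(allowed),
        "risky": sorted(allowed & DANGEROUS_METHODS),
        "trace_enabled": "TRACE" in allowed,
    }


if __name__ == "__main__":
    result = assess_methods(SAMPLE_OPTIONS_RESPONSE)
    print("advertised:", ", ".join(result["allowed"]))
    print("risky:     ", ", ".join(result["risky"]) or "none")
```

One caveat that matters for the test: the `Allow` header is only what the server says it supports. The netcat approach on this slide is valuable precisely because it sends each method for real, so a server that omits TRACE from `Allow` but still answers a TRACE request is caught, and a server that advertises PUT but returns 405 is not reported as a false finding.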


7. Test HTTP Strict Transport Security (OTG-CONFIG-007)

Test Objectives
• To verify that the web server always exchanges information with the web browser over HTTPS.


7. Test HTTP Strict Transport Security (OTG-CONFIG-007)

How to test
• Testing for the presence of the HSTS header can be done by checking for the existence of the HSTS header in the server's response in an interception proxy, or by using curl as follows (-D - writes the response headers to standard output):

curl -D - https://facebook.com -o /dev/null

• Expected result:


7. Test HTTP Strict Transport Security (OTG-CONFIG-007)

Example

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.
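The expiry behaviour described above is governed entirely by the `max-age` directive, so checking that the header is merely present is not enough: a tiny `max-age`, or one of 0, gives little or no protection, and without `includeSubDomains` a subdomain can still be loaded over plain HTTP. The following Python is an added example (not from the slides or from OWASP) that reads the Strict-Transport-Security header out of a raw header block such as the curl command above produces, and reports these weaknesses. The three header blocks are constructed for this example and were not captured from facebook.com or any other site; the 180-day threshold in `MIN_MAX_AGE` is this example's own choice.

```python
from typing import Dict, Optional

# Constructed header blocks (not captured from any real site).
GOOD_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SHORT_HEADERS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=60\r\n\r\n"
NO_HSTS_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# Threshold chosen for this example: 180 days, so the policy does not lapse
# between two visits by an infrequent user.
MIN_MAX_AGE = 180 * 24 * 3600


def extract_hsts(raw_headers: str) -> Optional[str]:
    """Return the value of the Strict-Transport-Security header, or None."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=N; includeSubDomains; preload' into a directive map.

    Directive names are lower-cased; valueless directives map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') or None
    return directives


def assess_hsts(raw_headers: str) -> Dict[str, object]:
    """Evaluate the HSTS policy in a header block and list its weaknesses."""
    value = extract_hsts(raw_headers)
    if value is None:
        return {"present": False, "findings": ["no Strict-Transport-Security header"]}
    directives = parse_hsts(value)
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
        seconds = 0
    else:
        seconds = int(max_age)
        if seconds == 0:
            findings.append("max-age=0 disables the policy")
        elif seconds < MIN_MAX_AGE:
            findings.append("max-age %ds is short; protection lapses quickly" % seconds)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent; subdomains may still be reached over HTTP")
    return {
        "present": True,
        "max_age": seconds,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, block in (("good", GOOD_HEADERS), ("short", SHORT_HEADERS), ("none", NO_HSTS_HEADERS)):
        print(label, assess_hsts(block))
```

The header must be observed on an HTTPS response; browsers ignore Strict-Transport-Security received over plain HTTP, which is why the curl command on the slide uses an https:// URL.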


8. Test RIA cross domain policy (OTG-CONFIG-008)

What is RIA?
RIA (Rich Internet Application) is a web application that has many of the characteristics of desktop application software, typically delivered by way of a site-specific browser, a browser plug-in, or extensive use of JavaScript.

Examples of RIA:

Adobe Flash, JavaFX, and Microsoft Silverlight.


8. Test RIA cross domain policy (OTG-CONFIG-008)

What is cross domain policy?
• A cross-domain policy file ("crossdomain.xml" in Flash and "clientaccesspolicy.xml" in Silverlight) defines a whitelist of domains whose clients are allowed to make cross-domain requests to the server. When making a cross-domain request, the Flash or Silverlight client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made.

• The crossdomain.xml file is normally present on the root of the web server.


8. Test RIA cross domain policy (OTG-CONFIG-008)

How does cross domain policy really work?
For example:


8. Test RIA cross domain policy (OTG-CONFIG-008)

How to test

To test for RIA policy file weakness the tester should try to retrieve the policy files crossdomain.xml and clientaccesspolicy.xml from the application's root, and from every folder found.

Browse to: http://www.example.com/crossdomain.xml
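Once the file has been retrieved, the question is what it allows. The following Python is an added example (not from the slides or from OWASP) that parses a crossdomain.xml with the standard library and flags the two settings that undo the whitelist described on the earlier slide: an `allow-access-from` entry with `domain="*"`, which lets a Flash application on any site read this server's responses with the visiting user's cookies, and `secure="false"`, which extends the policy to content loaded over plain HTTP. Both policy documents are constructed for this example; the Silverlight clientaccesspolicy.xml format is not handled here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed policy that grants every origin access (the weak case).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed policy restricted to the application's own hosts.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def parse_crossdomain(xml_text: str) -> List[Dict[str, str]]:
    """Return the attributes of every allow-access-from element."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [dict(element.attrib) for element in root.findall("allow-access-from")]


def assess_crossdomain(xml_text: str) -> Dict[str, object]:
    """List the allowed domains and the findings a reviewer should raise."""
    entries = parse_crossdomain(xml_text)
    findings = []
    for entry in entries:
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append('domain="*": any site can read responses with the user\'s cookies')
        elif domain.startswith("*.") and domain.count(".") == 1:
            # "*.com" style entries cover a whole top-level domain.
            findings.append("wildcard %s covers an entire top-level domain" % domain)
        # Flash treats a missing secure attribute as true when the policy is
        # served over HTTPS; an explicit false widens it to HTTP loads.
        if entry.get("secure", "true").lower() == "false":
            findings.append('secure="false" for %s: policy also applies to HTTP loads' % (domain or "?"))
    return {
        "allowed_domains": [entry.get("domain") for entry in entries],
        "findings": findings,
    }


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        result = assess_crossdomain(policy)
        print(label, result["allowed_domains"], result["findings"] or "no findings")
```

A restricted policy lists only the hosts that genuinely need to call the application from a plug-in; if no Flash or Silverlight client exists any more, the safest policy file is none at all.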
