Thursday, 02 June 2011

Web Application Penetration Testing with the OWASP Methodology

Information Gathering
The first phase of a security assessment focuses on collecting as much information as possible about the target application. Information gathering is a necessary step of a penetration test, and it can be carried out in many different ways.


Spider, Robots, Crawler (OWASP-IG-001)
This phase of the information gathering process consists of browsing and capturing resources related to the application being tested.
Now I want to show you how to test the robots.txt on a web application.
As an example, the robots.txt file from http://akakom.ac.id/robots.txt; after I hit enter, the result is as below:
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
We can see the directories that exist on akakom.ac.id, and all of them are marked Disallow. Now we have to get some information from the target. This phase is usually called black box testing.
Black box example:
The robots.txt file is retrieved from the web root directory of the web server. If you are using a Linux operating system, open the terminal and type wget http://akakom.ac.id/robots.txt, then hit enter and you will see a result like the one below:
--2011-06-02 18:50:20-- http://www.akakom.ac.id/robots.txt
Resolving www.akakom.ac.id... 110.76.151.4
Connecting to www.akakom.ac.id|110.76.151.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 304 [text/plain]
Saving to: `robots.txt.1'
100%[====================================================>] 304 --.-K/s in 0s
2011-06-02 18:50:21 (35.7 MB/s) - `robots.txt.1' saved [304/304]
There is one way to analyze your robots.txt using Google Webmaster Tools, but sorry, I couldn't explain more about this phase.
Gray box testing
The process is the same as the black box testing above.
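To show what a tester actually learns from a robots.txt file like the one above, here is an added example (my own code, not part of the original post or of the OWASP guide). It parses the file into per-agent Disallow rules, answers whether a polite crawler would skip a given path, and picks out the entries a reviewer should look at. The sample input is the robots.txt shown above, embedded so the script runs offline; the list of "sensitive" path hints is a hypothetical choice for this example. The point a practitioner should take from it: Disallow is advice to crawlers, the web server enforces none of it, so every listed directory must be protected by real access control.

```python
"""Parse a robots.txt file and review what it discloses (added example)."""
from typing import Dict, List

# Sample input: the robots.txt shown above, embedded here so the script runs offline.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
"""

# Path fragments whose presence in a Disallow rule deserves a second look during a
# review (hypothetical list chosen for this example, not an official OWASP list).
SENSITIVE_HINTS = ("administrator", "installation", "tmp", "xmlrpc")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return a mapping of User-agent -> list of Disallow prefixes.

    A record is one or more consecutive User-agent lines followed by rule lines;
    every Disallow in the record applies to all agents named in it.
    """
    rules: Dict[str, List[str]] = {}
    agents: List[str] = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not previous_was_agent:          # a new record begins
                agents = []
            agents.append(value)
            rules.setdefault(value, [])
            previous_was_agent = True
            continue
        previous_was_agent = False
        if field == "disallow" and value:       # a bare "Disallow:" allows everything
            for agent in agents:
                rules[agent].append(value)
    return rules


def is_disallowed(rules: Dict[str, List[str]], agent: str, path: str) -> bool:
    """Would a well-behaved crawler identifying as `agent` skip `path`?

    Falls back to the '*' record when no record names the agent. This models
    crawler etiquette only: the web server itself enforces none of it.
    """
    prefixes = rules.get(agent, rules.get("*", []))
    return any(path.startswith(prefix) for prefix in prefixes)


def flag_sensitive(prefixes: List[str]) -> List[str]:
    """Pick out Disallow prefixes that hint at admin, installer or scratch areas."""
    return [p for p in prefixes if any(hint in p for hint in SENSITIVE_HINTS)]


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, prefixes in parsed.items():
        print(f"User-agent {agent!r}: {len(prefixes)} Disallow rules")
        for p in flag_sensitive(prefixes):
            print(f"  review: {p} is advertised in robots.txt; it needs authentication, not obscurity")
```

Running the script lists the fourteen disallowed prefixes and flags the administrator, installation, tmp and xmlrpc entries for review.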
Search Engine Discovery (OWASP-IG-002)
This section describes how to search the Google index and remove the associated web content from the Google cache.
For black box testing in this phase:
Using the advanced "site:" search operator, it is possible to restrict search results to a specified domain.
For example, to find the web content of akakom.ac.id in the Google cache, the following Google search query is issued:
site:akakom.ac.id
Then you will find the index of the website.



IDENTIFY APPLICATION ENTRY POINTS (OWASP-IG-003)
Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it
allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the
application that should be investigated once enumeration and mapping has been completed.
DESCRIPTION OF THE ISSUE
Before any testing begins, always get a good understanding of the application and how the user/browser communicates
with it. As you walk through the application, pay special attention to all HTTP requests (GET and POST Methods, also known
as Verbs), as well as every parameter and form field that are passed to the application. In addition, pay attention to when
GET requests are used and when POST requests are used to pass parameters to the application. It is very common that GET
requests are used, but when sensitive information is passed, it is often done within the body of a POST request. Note that
to see the parameters sent in a POST request, you will need to use a tool such as an intercepting proxy (for example,
OWASP's WebScarab) or a browser plug-in. Within the POST request, also make special note of any hidden form fields that
are being passed to the application, as these usually contain sensitive information, such as state information, quantity of
items, the price of items, that the developer never intended for you to see or change.
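The mapping step described above (every form, its method, its parameters, and in particular its hidden fields) can be done from a saved copy of each page rather than by eye. The following is an added example written for this article, not code from the original post or from OWASP: it walks a page with the standard library's HTML parser, records each form with its submittable fields, collects the GET parameters that appear in links, and lists hidden inputs, which are client-side state the server must re-validate. The sample page (login form, cart form with a hidden price, search link) is constructed for the example.

```python
"""Enumerate entry points (forms, parameters, hidden fields) from an HTML page (added example)."""
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample page standing in for a page saved from the application under test.
SAMPLE_HTML = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="next" value="/account">
  <input type="submit" value="Login">
</form>
<form action="cart.php" method="POST">
  <input type="hidden" name="item" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
  <select name="ship"><option>std</option></select>
  <input type="submit" value="Add">
</form>
<a href="search.php?q=test&amp;page=1">search</a>
<a href="about.php">about</a>
</body></html>
"""

Form = Dict[str, Any]


class EntryPointParser(HTMLParser):
    """Collect forms (with their fields) and hyperlinks while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Form] = []
        self.links: List[str] = []
        self._current: Optional[Form] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),   # HTML default is GET
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if not name:                      # unnamed controls are never submitted
                return
            kind = (a.get("type") or "text").lower() if tag == "input" else tag
            self._current["fields"].append({"name": name, "type": kind, "value": a.get("value")})
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._current = None


def enumerate_entry_points(html: str) -> Dict[str, Any]:
    """Map the page's entry points: forms with their fields, and GET parameters seen in links."""
    parser = EntryPointParser()
    parser.feed(html)
    get_params: Dict[str, List[str]] = {}
    for href in parser.links:
        parts = urlparse(href)
        if not parts.query:
            continue
        bucket = get_params.setdefault(parts.path, [])
        for name in parse_qs(parts.query, keep_blank_values=True):
            if name not in bucket:
                bucket.append(name)
    return {"forms": parser.forms, "get_params": get_params}


def hidden_fields(forms: List[Form]) -> List[Tuple[str, str, Optional[str]]]:
    """List (action, name, value) of hidden inputs: state the client can alter before submitting."""
    return [(form["action"], f["name"], f["value"])
            for form in forms for f in form["fields"] if f["type"] == "hidden"]


if __name__ == "__main__":
    result = enumerate_entry_points(SAMPLE_HTML)
    for form in result["forms"]:
        print(f'{form["method"]} {form["action"]}: {[f["name"] for f in form["fields"]]}')
    print("GET parameters:", result["get_params"])
    print("hidden fields to re-validate server-side:", hidden_fields(result["forms"]))
```

The output for the sample page is the list of entry points you would otherwise have to collect by hand in an intercepting proxy; the hidden `price` field is exactly the kind of value the paragraph above warns about.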
Black Box testing and example
After I tried with GET http://www.akakom.ac.id
I can't understand what all these are, but I tried again and found that some variables are used in this web application.
Then I tried using host:http://www.akakom.ac.id and found many domains or hosts of akakom.ac.id that you can collect for information,
shown below
GRAY BOX TESTING AND EXAMPLE
Testing for application entry points via a Gray Box methodology would consist of everything already identified above with
one caveat. This would be if there are any external sources from which the application receives data and processes it (such
as SNMP traps, syslog messages, SMTP, or SOAP messages from other servers). If there are any external sources of input
into the application then a meeting with the application developers could identify any functions that would accept or
expect user input and how it's formatted. For example, the developer could help in understanding how to formulate a
correct SOAP request that the application would accept and where the web service resides (if the web service or any other
function hasn't already been identified during the black box testing).
TESTING FOR WEB APPLICATION FINGERPRINT (OWASP-IG-004)
BRIEF SUMMARY
Web server fingerprinting is a critical task for the Penetration tester. Knowing the version and type of a running web server
allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.
DESCRIPTION OF THE ISSUE
There are several different vendors and versions of web servers on the market today. Knowing the type of web server that
you are testing significantly helps in the testing process, and will also change the course of the test. This information can be
derived by sending the web server specific commands and analyzing the output, as each version of web server software
may respond differently to these commands. By knowing how each type of web server responds to specific commands and
keeping this information in a web server fingerprint database, a penetration tester can send these commands to the web
server, analyze the response, and compare it to the database of known signatures. Please note that it usually takes several
different commands to accurately identify the web server, as different versions may react similarly to the same command.
Rarely, however, do different versions react the same to all HTTP commands. So, by sending several different commands, you
increase the accuracy of your guess.
Black Box testing using nmap
nmap -sV -sT akakom.ac.id
root@bt~#nmap -sV -sT www.akakom.ac.id
Starting Nmap 5.21 ( http://nmap.org ) at 2011-06-02 10:23 WIT
Nmap scan report for akakom.ac.id (110.76.151.2)
Host is up (0.0011s latency).
rDNS record for 110.76.151.2: ns.akakom.ac.id
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.4/8.14.4
53/tcp open domain ISC BIND localhost
80/tcp open http Apache httpd
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd
445/tcp filtered microsoft-ds
587/tcp open smtp Sendmail 8.14.4/8.14.4
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
Service Info: Host: mail.akakom.ac.id; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds
Using nmap, we scan which services and ports are running and open on akakom.ac.id; the result can be seen above.
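The description above (send several probes, compare each response with a signature database, and trust a match only when several probes agree) is easy to implement in a few lines. The block below is an added example written for this article, not a tool from the post or from OWASP: it extracts the status code and header ordering from raw HTTP responses and scores them against a small signature table. The three server families and their expected values are constructed for the example; a real table is built by recording how known server builds answer each probe. The captured responses are likewise constructed, with the Server header deliberately masked to show that hiding the banner does not hide the behaviour, and the one-probe case shows why a single response cannot separate two families.

```python
"""Score HTTP responses against a small fingerprint table (added example)."""
from typing import Dict, List, Tuple

Observation = Dict[str, object]

# Illustrative fingerprint database: family -> expected value per probe. Constructed for
# this example; the values do not describe any real product.
SIGNATURES: Dict[str, Observation] = {
    "server-A": {"header_order": ("Date", "Server", "Content-Type"),
                 "malformed_request": 400, "unsupported_method": 405},
    "server-B": {"header_order": ("Server", "Date", "Content-Type"),
                 "malformed_request": 400, "unsupported_method": 403},
    "server-C": {"header_order": ("Server", "Content-Type", "Date"),
                 "malformed_request": 200, "unsupported_method": 501},
}

# Constructed captures from one host, one per probe. The Server header is masked on
# purpose: header ordering and status codes still fingerprint the software.
CAPTURED: Dict[str, str] = {
    "header_order": ("HTTP/1.1 200 OK\r\nDate: Thu, 02 Jun 2011 11:50:20 GMT\r\n"
                     "Server: hidden\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    "malformed_request": ("HTTP/1.1 400 Bad Request\r\nDate: Thu, 02 Jun 2011 11:50:21 GMT\r\n"
                          "Server: hidden\r\nContent-Type: text/html\r\n\r\n"),
    "unsupported_method": ("HTTP/1.1 405 Method Not Allowed\r\nDate: Thu, 02 Jun 2011 11:50:22 GMT\r\n"
                           "Server: hidden\r\nContent-Type: text/html\r\n\r\n"),
}


def parse_response(raw: str) -> Tuple[int, Tuple[str, ...]]:
    """Extract the status code and the order of header names from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    names = tuple(line.split(":", 1)[0] for line in lines[1:] if ":" in line)
    return status, names


def observe(captured: Dict[str, str]) -> Observation:
    """Turn raw captures into the probe values the signature table is keyed on."""
    _, order = parse_response(captured["header_order"])
    observed: Observation = {"header_order": order}
    for probe in ("malformed_request", "unsupported_method"):
        if probe in captured:
            observed[probe] = parse_response(captured[probe])[0]
    return observed


def identify(observed: Observation) -> List[Tuple[str, float]]:
    """Rank signature families by the fraction of observed probes they match."""
    if not observed:
        return []
    ranked = []
    for family, signature in SIGNATURES.items():
        matches = sum(1 for probe, value in observed.items() if signature.get(probe) == value)
        ranked.append((family, matches / len(observed)))
    ranked.sort(key=lambda item: (-item[1], item[0]))   # best score first, name breaks ties
    return ranked


if __name__ == "__main__":
    full = identify(observe(CAPTURED))
    print("three probes:", full)                       # server-A scores 1.0, the rest lower
    print("one probe:  ", identify({"malformed_request": 400}))   # A and B tie: inconclusive
```

For a defender the same script answers the inverse question: if a masked Server header still yields an unambiguous top score, the masking bought nothing, and the fix is patching rather than banner editing.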
APPLICATION DISCOVERY (OWASP-IG-005)
A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a
web server.
Many applications have known vulnerabilities and known attack strategies that can be exploited in order to gain remote
control or to exploit data. In addition, many applications are often misconfigured or not updated, due to the perception
that they are only used "internally" and therefore no threat exists.
Black box testing
root@bt:~# host -t ns akakom.ac.id
akakom.ac.id name server gway.akakom.ac.id.
akakom.ac.id name server ns.akakom.ac.id.
root@bt:~# host -l akakom.ac.id ns.akakom.ac.id
; Transfer failed.
Using domain server:
Name: ns.akakom.ac.id
Address: 110.76.151.2#53
Aliases:

Host akakom.ac.id.stmik.akakom not found: 9(NOTAUTH)
; Transfer failed.
root@bt:~# host -l akakom.ac.id gway.akakom.ac.id
;; Connection to 110.76.151.1#53(110.76.151.1) for akakom.ac.id failed: connection refused.
ANALYSIS OF ERROR CODES (OWASP-IG-006)
BRIEF SUMMARY
Often during a penetration test on web applications we come up against many error codes generated from applications or
web servers. It's possible to cause these errors to be displayed by using a particular request, either specially crafted with
tools or created manually. These codes are very useful to penetration testers during their activities because they reveal a
lot of information about databases, bugs, and other technological components directly linked with web applications. Within
this section we'll analyze the more common codes (error messages) and bring into focus the steps of vulnerability
assessment. The most important aspect for this activity is to focus one's attention on these errors, seeing them as a
collection of information that will aid in the next steps of our analysis. A good collection can facilitate assessment efficiency
by decreasing the overall time taken to perform the penetration test.
I tried to insert a URL like this:
www.akakom.ac.id/tugas.php
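The section above treats error messages as a collection of information to be catalogued. The block below is an added example written for this article, not code from the post or from OWASP, showing how to do that systematically: it runs a table of leak signatures over captured error responses and grades each one. The response bodies are constructed for the example (the MySQL syntax error and the PHP "in file on line N" warning use those products' standard wording; the file paths and version numbers are made up). The same scan, pointed at your own application's error pages, tells you which ones need a generic error handler.

```python
"""Classify error responses by the information they leak (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample responses (status, body) such as a tester might collect.
SAMPLE_RESPONSES: List[Tuple[int, str]] = [
    (200, "Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given "
          "in /var/www/html/tugas.php on line 12"),
    (404, "<h1>Not Found</h1><address>Apache/2.2.0 (Unix) Server at example.org Port 80</address>"),
    (500, "Something went wrong. Please try again later."),
    (500, "java.lang.NullPointerException\n\tat com.example.Shop.checkout(Shop.java:42)\n"),
]

# Signature table built for this example: leak category -> pattern.
LEAK_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("mysql", re.compile(r"You have an error in your SQL syntax|mysql_fetch_\w+\(\)", re.I)),
    ("oracle", re.compile(r"\bORA-\d{5}\b")),
    ("mssql", re.compile(r"Unclosed quotation mark|OLE DB Provider for SQL Server", re.I)),
    ("php-path", re.compile(r" in (/[\w./-]+\.php) on line \d+")),
    ("stack-trace", re.compile(r"^\s+at [\w.$]+\(.*\)$", re.M)),
    ("version-banner", re.compile(r"\b(Apache|nginx|Microsoft-IIS)/[\d.]+", re.I)),
]
# Categories that reveal internals (database, code layout, stack frames) rather than a banner.
HIGH = {"mysql", "oracle", "mssql", "php-path", "stack-trace"}
# Absolute Unix or Windows paths to source files.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[\w./\\-]+\.(?:php|java|py|asp|aspx)\b")


def classify(status: int, body: str) -> Dict[str, object]:
    """Return the leak categories, disclosed paths and a severity for one response."""
    leaks = [name for name, pattern in LEAK_PATTERNS if pattern.search(body)]
    paths = sorted(set(PATH_RE.findall(body)))
    if any(name in HIGH for name in leaks):
        severity = "high"
    elif leaks:
        severity = "low"
    else:
        severity = "none"
    return {"status": status, "leaks": leaks, "paths": paths, "severity": severity}


def scan(responses: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Classify every captured response in order."""
    return [classify(status, body) for status, body in responses]


if __name__ == "__main__":
    for result in scan(SAMPLE_RESPONSES):
        print(f'{result["status"]} {result["severity"]:5} leaks={result["leaks"]} paths={result["paths"]}')
```

The first sample alone reveals the database in use, the language, and the server-side path of the script, which is exactly the kind of disclosure the section above describes; the third sample shows what a properly generic error page looks like to the same scan.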