Sunday, 05 June 2011

Configuration Management Testing

Often, analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information
such as source code, permitted HTTP methods, administrative functionality, authentication methods and infrastructure
configuration can be obtained.
  1. SSL/TLS TESTING (OWASP-CM-001)

BRIEF SUMMARY
Because of historical export restrictions on high-grade cryptography, both legacy and newly deployed web servers may still
support weak cryptographic suites.
Even where high-grade ciphers are installed and normally used, a misconfiguration of the server can allow a client (or an
attacker in the middle) to force the use of a weaker cipher or protocol and so gain access to the supposedly secure channel.
  • Black Box Testing
To detect possible support for weak ciphers, the ports associated with SSL/TLS-wrapped services must first be identified.
These typically include port 443, the standard HTTPS port, but this may vary because a) HTTPS services may be configured to run on non-standard ports, and b) there may be additional SSL/TLS-wrapped services related to the web
application. In general, service discovery is required to identify such ports.
The nmap scanner, via the -sV option, is able to identify SSL services. Vulnerability scanners, in addition to
performing service discovery, may include checks for weak ciphers (for example, the Nessus scanner can check SSL services on arbitrary ports and will report weak ciphers).

We can see how many open ports there are on akakom.ac.id using the nmap scanner. For the second scan I tried the Nessus scanner to scan for vulnerabilities. Go to Applications > BackTrack > Vulnerability Assessment > Vulnerability Scanners > Nessus > Nessus Register; it will bring you to the registration page in the browser. After finishing you will get an email; open it and follow the instructions on how to start the Nessus scanner.
Go to the address bar and type https://localhost:8834 and you will be met with a page like the one below.

Log in with your account. Once logged in, go to the Scans tab, click Add, then enter your scan name, target and the application test policy, and click Launch Scan. Wait until the scan finishes and download the report. During the scan you can see which ports are open on the target.

Manually audit weak SSL/TLS support with OpenSSL. The first command below disables TLSv1 and SSLv3, so s_client can only offer
SSLv2; the handshake failure shows that www.akakom.ac.id does not accept SSLv2. The second command disables only TLSv1, and the server negotiates SSLv3 with DHE-RSA-AES256-SHA, so the obsolete SSLv3 protocol is still enabled. The same transcript also shows a self-signed certificate for CN=localhost.localdomain that expired on 18 Sep 2009 (verify return code 10) and a 1024-bit server key. The cipher itself is not weak; the protocol and the certificate are the findings.

root@bt:~# openssl s_client -no_tls1 -no_ssl3 -connect www.akakom.ac.id:443
CONNECTED(00000003)
3046:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

root@bt:~# openssl s_client -no_tls1 -connect www.akakom.ac.id:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1629 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E94511C7BB19BDB7E5309257B2C6BFFC53A61BC1B8DB37D3259940793EC04EFE
    Session-ID-ctx: 
    Master-Key: 0A4AD681B128858C54E6477E4B403CDE781ACB2DD08B7DD17E636553A20FB90425AB4B47F6E43A7EC2EECA4C579F8167
    Key-Arg   : None
    Start Time: 1307200661
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
closed
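Reading the transcript by eye is how the findings above were reached; the following is an added example (not part of the original post and not OpenSSL's own code) that does the same triage in a script. It builds the single-protocol s_client probes (-ssl2, -ssl3, -tls1, the OpenSSL 0.9.8/1.0.x flags; the first two only exist in builds that still compile those protocols) and parses each transcript for the things a tester reads off: negotiated protocol and cipher, server key size, self-signed or expired certificate, and a CN that does not match the target. The two sample transcripts embedded in the block are constructed from the SSLv2 and SSLv3 output above with the certificate body omitted; the weak-token list and the 2048-bit key threshold are the author of this example's assumptions, and the hostname www.akakom.ac.id is the post's target.

```python
"""Triage `openssl s_client` transcripts for weak SSL/TLS configuration (added example)."""
import re
import subprocess
from datetime import datetime, timezone

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Cipher-suite name tokens that mark export-grade, unauthenticated or broken suites (assumed list).
WEAK_CIPHER_TOKENS = {"NULL", "ADH", "AECDH", "DES", "RC4", "RC2", "MD5"}

# Constructed from the transcripts above: the refused SSLv2-only attempt and the SSLv3
# session (certificate body and repeated depth=0 lines omitted). OpenSSL 0.9.8/1.0.x format.
SAMPLE_SSLV2_REFUSED = """CONNECTED(00000003)
3046:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""
SAMPLE_SSLV3 = """CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 10 (certificate has expired)
"""

def probe_command(host, port, protocol_flag):
    """s_client pinned to one version; same effect as the -no_* combinations used above."""
    return ["openssl", "s_client", protocol_flag, "-connect", "%s:%d" % (host, port)]

def run_probe(host, port, protocol_flag):
    """Run one probe and return stdout+stderr (needs network access and the openssl binary)."""
    proc = subprocess.run(probe_command(host, port, protocol_flag), input=b"", capture_output=True, timeout=20)
    return (proc.stdout + proc.stderr).decode("utf-8", "replace")

def first_match(pattern, text, default=None):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else default

def hostname_matches(cn, hostname):
    """Exact match, or a single-label wildcard (*.example.com covers www but not a.b)."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return hostname.endswith(cn[1:]) and hostname.count(".") == cn.count(".")
    return cn == hostname

def triage(output, hostname, now=None):
    """Parse one transcript into facts plus the findings a tester would write up."""
    now = now or datetime.now(timezone.utc)
    ok = "handshake failure" not in output and first_match(r"^\s*Cipher\s*:\s*(\S+)", output) is not None
    result = {"handshake_ok": ok, "findings": []}
    if not ok:
        return result  # the server refused this protocol: nothing weak was negotiated
    result["protocol"] = first_match(r"^\s*Protocol\s*:\s*(\S+)", output)
    result["cipher"] = first_match(r"^\s*Cipher\s*:\s*(\S+)", output)
    result["key_bits"] = int(first_match(r"Server public key is (\d+) bit", output, "0"))
    subject = first_match(r"^subject=(.*)$", output, "")
    issuer = first_match(r"^issuer=(.*)$", output, "")
    result["cn"] = first_match(r"CN=([^/,]+)", subject, "")  # /-separated RDN format of 0.9.8/1.0.x
    result["self_signed"] = bool(subject) and subject == issuer
    not_after = first_match(r"^notAfter=(.*)$", output)
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc) if not_after else None
    result["expired"] = expiry is not None and expiry < now
    result["hostname_match"] = hostname_matches(result["cn"], hostname)
    f = result["findings"]
    if result["protocol"] in WEAK_PROTOCOLS:
        f.append("obsolete protocol negotiated: " + result["protocol"])
    weak = [t for t in result["cipher"].upper().split("-") if t in WEAK_CIPHER_TOKENS or t.startswith("EXP")]
    if weak:
        f.append("weak cipher suite %s (%s)" % (result["cipher"], ",".join(weak)))
    if 0 < result["key_bits"] < 2048:
        f.append("server key is only %d bits" % result["key_bits"])
    if result["self_signed"]:
        f.append("self-signed certificate")
    if result["expired"]:
        f.append("certificate expired on " + not_after)
    if not result["hostname_match"]:
        f.append("certificate CN %r does not match %s" % (result["cn"], hostname))
    return result

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live: python3 tls_triage.py www.akakom.ac.id
        for flag in ("-ssl2", "-ssl3", "-tls1"):
            r = triage(run_probe(sys.argv[1], 443, flag), sys.argv[1])
            print(flag, "refused" if not r["handshake_ok"] else "; ".join(r["findings"]) or "no findings")
    else:  # offline: the constructed transcripts above
        print("-ssl2 refused:", not triage(SAMPLE_SSLV2_REFUSED, "www.akakom.ac.id")["handshake_ok"])
        print("-ssl3 findings:", triage(SAMPLE_SSLV3, "www.akakom.ac.id")["findings"])
```

A refused handshake is the good outcome for -ssl2 and -ssl3; a successful one is a finding even when, as here, the negotiated cipher is strong, because the protocol version itself is the weakness.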

  • TESTING SSL CERTIFICATE VALIDITY – CLIENT AND SERVER
When I tried using HTTPS for akakom.ac.id I found an unknown page; I had really never seen this page before.

2. DB LISTENER TESTING (OWASP-CM-002)
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. If insecurely configured and probed with manual or automated techniques, the listener can reveal sensitive data as well as configuration settings or running database instances. The information revealed is often useful to a
tester as input to more impactful follow-on tests.

This phase was passed over because the target www.akakom.ac.id does not use Oracle.

3. INFRASTRUCTURE CONFIGURATION MANAGEMENT TESTING (OWASP-CM-003)
The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of web
applications, makes configuration management and review a fundamental step in testing and deploying every single
application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small
and (almost) unimportant problems may evolve into severe risks for another application on the same server. In order to
address these problems, it is of utmost importance to perform an in-depth review of configuration and known security
issues.

4. Application Configuration Management Testing (OWASP-CM-004)
Web applications hide some information that is usually not considered during the development or configuration of the application itself. This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.

5. Testing for File Extensions Handling(OWASP-CM-005)
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.
root@bt:/pentest/web/nikto# ./nikto.pl -h akakom.ac.id
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          110.76.151.2
+ Target Hostname:    akakom.ac.id
+ Target Port:        80
+ Start Time:         2011-06-06 13:23:31
---------------------------------------------------------------------------
+ Server: Apache
+ Root page / redirects to: http://www.akakom.ac.id/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-5737: WebLogic may reveal its internal IP or hostname in the Location header. The value is "http://www.akakom.ac.id/".
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6448 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2011-06-06 13:23:54 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
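The run above reports WebLogic and ASP (Web Wiz Forums) issues on a host whose banner says Apache, and notes that the root page redirects to www.akakom.ac.id. Nikto matches on response patterns, so a host that answers every request with a 200 or a redirect produces signature hits for software it does not run; those hits have to be reproduced by hand before they go in a report, and the scan should be repeated against the redirect target. The following is an added example (not part of the original post and not Nikto's own code) that parses the report lines, keeps the raw test URL as a curl command for reproduction, and marks findings whose technology disagrees with the Server banner. The sample report embedded in the block is the output above with the timing lines dropped; the keyword list behind the Apache heuristic and the base URL are assumptions of this example.

```python
"""Triage Nikto findings against the server fingerprint before reporting them (added example)."""
import re
import shlex

# One finding line: "+ [OSVDB-nnnn: ][/path: ]description[ reference-url]."
LINE_RE = re.compile(r"^\+\s+(?:(?P<id>OSVDB-\d+):\s+)?(?:(?P<path>/\S*?):\s+)?(?P<desc>.*?)\s*$")
REF_RE = re.compile(r"\s(?P<ref>https?://\S+?)\.?$")
# Heuristic (assumed list): technologies that should not answer on a server whose banner
# says Apache. A reverse proxy in front of IIS or WebLogic would make them legitimate, so a
# match only says "verify by hand first"; it never discards the finding.
NOT_ON_APACHE = re.compile(r"weblogic|\.asp\b|\biis\b|coldfusion", re.I)

# Constructed from the Nikto run above (same lines, timing lines dropped).
SAMPLE_NIKTO = """- Nikto v2.1.4
+ Target IP:          110.76.151.2
+ Target Hostname:    akakom.ac.id
+ Target Port:        80
+ Server: Apache
+ Root page / redirects to: http://www.akakom.ac.id/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-5737: WebLogic may reveal its internal IP or hostname in the Location header. The value is "http://www.akakom.ac.id/".
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6448 items checked: 0 error(s) and 8 item(s) reported on remote host
"""

def parse_nikto(report):
    """Return {'server', 'root_redirect', 'findings': [...]} from Nikto's plain-text output."""
    out = {"server": None, "root_redirect": None, "findings": []}
    for line in report.splitlines():
        if line.startswith("+ Server:"):
            out["server"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("+ Root page / redirects to:"):
            out["root_redirect"] = line.split("redirects to:", 1)[1].strip()
            continue
        m = LINE_RE.match(line)
        if not m or not (m.group("id") or m.group("path")):
            continue  # banner, target, count or timing line
        desc, ref = m.group("desc"), None
        r = REF_RE.search(desc)
        if r:
            ref, desc = r.group("ref"), desc[:r.start()].rstrip()
        out["findings"].append({"id": m.group("id"), "path": m.group("path") or "", "desc": desc, "ref": ref})
    apache = bool(out["server"]) and "apache" in out["server"].lower()
    for f in out["findings"]:
        f["verify_first"] = apache and NOT_ON_APACHE.search(f["path"] + " " + f["desc"]) is not None
    return out

def repro_command(base_url, finding):
    """curl line that replays the raw test URL and prints status code and redirect target."""
    url = base_url.rstrip("/") + finding["path"]
    return "curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\\n' " + shlex.quote(url)

if __name__ == "__main__":
    report = parse_nikto(SAMPLE_NIKTO)
    if report["root_redirect"]:
        print("root redirects to %s: rescan that host and confirm each hit is not just the redirect" % report["root_redirect"])
    for f in report["findings"]:
        print("VERIFY FIRST" if f["verify_first"] else "check       ", f["id"] or "-", repro_command("http://akakom.ac.id", f))
```

A reproduced request that returns 302 to the home page, or a 200 without the payload reflected in the body, means the Nikto line was a signature match and not a vulnerability.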


6. Old, Backup and Unreferenced Files (OWASP-CM-006)
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.

7. Infrastructure and Application Admin Interfaces (OWASP-CM-007)
Many applications use a common path for administrative interfaces, which can be used to guess or brute-force administrative passwords. This test aims to find admin interfaces and determine whether they can be exploited to gain access to
admin functionality.
I have found the admin page for phpMyAdmin.

8. Testing for HTTP Methods and XST (OWASP-CM-008)
In this test we check that the web server is not configured to allow potentially dangerous HTTP commands (methods) and that Cross Site Tracing (XST) is not possible.
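As an added example (not part of the original post), the following probes a server the way this test is done by hand: an OPTIONS request for the advertised Allow list, then a TRACE request carrying a marker header, because Allow is advisory and a server can accept methods it does not list. XST is present when the TRACE response echoes the request back, since a script in the browser could then read headers such as Cookie or Authorization that it normally cannot see. Two small servers built on Python's http.server are constructed stand-ins for the target: one behaves like a misconfigured server with TRACE enabled and echoing, the other rejects TRACE. Against a real host you would call check_http_methods(host, 80). The marker header name and the list of risky methods are assumptions of this example.

```python
"""Probe a web server for risky HTTP methods and Cross-Site Tracing (XST) (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods a tester wants explained if they are reachable (assumed list; TRACK is the IIS spelling of TRACE).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}
MARKER_HEADER, MARKER_VALUE = "X-Xst-Probe", "canary-7f3a"  # echoed back only if TRACE works

class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: TRACE is enabled and echoes the request."""
    allow = "GET, HEAD, POST, OPTIONS, TRACE"

    def do_OPTIONS(self):
        self._reply(200, "")

    def do_TRACE(self):
        # message/http body = the request as received, headers included (the XST condition)
        self._reply(200, self.requestline + "\r\n" + str(self.headers), "message/http")

    def _reply(self, status, body, ctype="text/plain"):
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Allow", self.allow)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass

class HardenedHandler(TraceEchoHandler):
    """Same server with TRACE disabled: not advertised, and rejected when tried anyway."""
    allow = "GET, HEAD, POST, OPTIONS"

    def do_TRACE(self):
        self._reply(405, "")

def start_server(handler):
    """Serve on an ephemeral loopback port in a background thread; port is server_address[1]."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_http_methods(host, port, path="/"):
    """OPTIONS for the advertised list, then TRACE directly, since Allow is only advisory."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = {m.strip().upper() for m in (resp.getheader("Allow") or "").split(",") if m.strip()}
    conn.request("TRACE", path, headers={MARKER_HEADER: MARKER_VALUE})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return {
        "allow": sorted(allow),
        "risky_advertised": sorted(allow & RISKY_METHODS),
        "trace_status": resp.status,
        "xst": resp.status == 200 and MARKER_VALUE in body,  # our header came back: XST
    }

if __name__ == "__main__":
    for name, handler in (("misconfigured", TraceEchoHandler), ("hardened", HardenedHandler)):
        srv = start_server(handler)
        print(name, check_http_methods("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

A 405 (or 501) for TRACE with no echo is the expected result on a hardened host; on Apache the corresponding setting is TraceEnable off. Any method in risky_advertised still has to be tried with a harmless request to confirm it is really enabled, not merely listed.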

