ASS2

Penetration Testing (Manual / Business Logic Testing)

• To achieve the minimum requirements for penetration testing, the four-phase process shown in Figure 7.3 should be followed.

Assignment II:
1. Choose any penetration testing tool
2. Download and install it
3. Write down all steps you are following in the tool to perform penetration testing

BITS Pilani, Pilani Campus


INTRODUCTION TO WEB APPLICATION
PENETRATION TESTING
WHO AM I?

• University of Ottawa student – Master of Computer Science
• Thesis: Comparative Analysis of Open-source Web Application Vulnerability Scanners
• Previous work experience includes: Software developer, Tester, Ransomware researcher, Security Analyst.
• Aspiring Ethical Hacker!
• Removed my wisdom tooth a week ago

3
OUTLINE

• Introduction to web application penetration testing
• Software setup
• Mapping and analyzing the application
• Bypassing client-side controls
• Attacking authentication
• Attacking session management
• Attacking data stores

4
THE WEB APPLICATION HACKER’S HANDBOOK

• Bible of web application penetration testing.
• Good mix of theory and practice.
• Most of the examples in the slides are from this book.

5
TOOLS NEEDED FOR WORKSHOP

• Burp Community Edition
• OWASP ZAP
• VirtualBox
• OWASP BWA Project
• FoxyProxy Standard
• Modern browser (preferably Firefox)

Note: You should have these tools already installed. An email was sent to registered participants prior to the workshop.

6
INTRODUCTION

SECTION 1
WHY THE WEB?

• Let’s look at some statistics:
  • Over 3.9 billion internet users in the world
  • Over 1.9 billion websites online
• We use websites for everything: e-commerce, online banking, social networking, social media, etc.
• Web security has become a major concern for businesses.
• Recent example: Equifax. The breach exposed the personal information of 143 million US users and an estimated 100,000 Canadian users.
• According to Trustwave’s 2018 Global Security Report:
  • 100% of the web applications scanned by Trustwave displayed at least one vulnerability.
  • A median of 11 vulnerabilities was detected per application.

8
HOW TO SECURE A WEB APPLICATION?

A combination of techniques is used:
• Secure coding practices
• Web application firewalls
• Static code analysis
• Web application penetration testing
• Etc.

9
WHAT IS WEB APP PEN TESTING?

• A combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application.
• Categorized into three types:
  • White box: The tester has complete access to and in-depth knowledge of the system. Access to the source code is usually given.
  • Black box: The tester is given little to no information about the system. Usually just the URL of the application is given.
  • Grey box: A combination of white box and black box penetration testing. Limited information and access are given to the tester.
• Several methodologies and guidelines exist: OWASP, PTES, PCI DSS, etc.
• Most important thing to keep in mind: you need permission to perform a security test!

10
WHAT IS OWASP?

• Stands for Open Web Application Security Project
• International open source community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted”.
• Contains widely used and popular tools such as ZAP.
• OWASP TOP 10 Project

11
ABSTRACT PEN TESTING METHODOLOGY

Reconnaissance → Mapping + Analyzing → Discovery → Exploitation

12
SOFTWARE SETUP

SECTION 2
SOFTWARE SETUP

1. Download VirtualBox and the OWASP BWA Project virtual machine.
2. Install the OWASP BWA Project VM in VirtualBox.
3. Download Firefox and the FoxyProxy add-on.
4. Download Burp Suite Community Edition and OWASP ZAP.
5. Configure Burp and ZAP as proxies in FoxyProxy.

14
HOW DOES A PROXY WORK?

15
SOFTWARE SETUP

Setup Demonstration

16
MAPPING AND ANALYZING THE APPLICATION

SECTION 3
MAPPING THE APPLICATION

• Explore the visible content
• Review public resources
• Identify any hidden content

18
ANALYZING THE APPLICATION

• Identify functionality
• Identify data entry points
• Identify the technologies used
• Map the attack surface

19
EXERCISE #1: WACKOPICKO

Web Spidering
Your goal is to use the ZAP spider to crawl the application.
1. Configure the browser to work with ZAP.
2. Load the application in the configured browser.
3. Include the root application URL in the context.
4. Right click on the root URL in the Sites tree > select Attack > select Spider.
5. Right click on the root URL in the Sites tree > select Attack > select Ajax Spider.

20
EXERCISE #1: WACKOPICKO

Solution demonstration using ZAP and Burp Suite.

21
BYPASSING CLIENT-SIDE CONTROLS

SECTION 4
CLIENT-SIDE VS SERVER-SIDE VALIDATION

(Diagram: client-side versus server-side validation, with the numbered steps 1–3 of the request flow shown on each side.)

23
BYPASSING CLIENT-SIDE CONTROLS

• Allowing clients to submit arbitrary input is a core security problem in web applications.
• Users have full control of everything submitted from the client.
• This can cause a range of problems including corrupting data stores, allowing unauthorized access to users and buffer overflows.
• In general, there are two ways client-side controls are used to restrict user input:
  • Transmitting data via the client using mechanisms that “prevent” user interaction. Examples include hidden form fields, disabled elements, the Referer header, URL parameters, etc.
  • Controlling user input using measures that “restrict” user input. Examples include HTML form features, client-side scripts, etc.
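The defender's side of the hidden-field price problem discussed above, as an added example (not code from the workshop or from WebGoat): a checkout handler that trusts the client's hidden `price` field beside one that recomputes the price from a server-side catalog and re-validates the limits the HTML form only enforces in the browser. The catalog, field names and limits are constructed for the example.

```python
"""Server-side handling of a checkout form whose price travels through a hidden field."""
from dataclasses import dataclass

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {"HDTV": 2999.99, "CABLE": 9.99}

# Constructed limits that the HTML form also enforces (maxlength, a select with fixed
# options). The browser-side copies can be removed with a proxy, so they are re-checked here.
MAX_QTY = 10
MAX_NAME_LEN = 40


@dataclass
class Order:
    item: str
    qty: int
    total: float


def checkout_trusting_client(form: dict) -> Order:
    """Vulnerable: the total is computed from the hidden 'price' field the browser submitted,
    so whoever edits the request in a proxy sets their own price."""
    qty = int(form["qty"])
    price = float(form["price"])  # attacker-controlled value
    return Order(form["item"], qty, round(price * qty, 2))


def checkout_server_side(form: dict) -> Order:
    """Hardened: the price comes from the catalog and every client-side restriction is
    re-validated on the server. Any submitted 'price' field is ignored."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("qty out of range")
    if len(form.get("name", "")) > MAX_NAME_LEN:
        raise ValueError("name too long")
    return Order(item, qty, round(CATALOG[item] * qty, 2))
```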

24
TRANSMITTING DATA VIA THE CLIENT

• Example #1: Hidden Form Field (screenshots of the form code and the resulting request)

25
TRANSMITTING DATA VIA THE CLIENT

• Example #2: HTTP Cookies (screenshots of the response and the subsequent request)

26
EXERCISE #2: WEBGOAT

Exploit Hidden Fields
Try to purchase the HDTV for less than the purchase price, if you have not done so already.

27
EXERCISE #2: WEBGOAT

Solution Demonstration

28
RESTRICTING USER DATA

• Example #3: Length Limits

29
RESTRICTING USER DATA

• Example #4: Disabled Elements

30
EXERCISE #3: WEBGOAT

Bypass HTML Field Restrictions
You must submit invalid values for all six fields in one form submission.

31
EXERCISE #3: WEBGOAT

Solution Demonstration

32
RESTRICTING USER DATA

• Example #5: Script-Based Validation

33
EXERCISE #4: WEBGOAT

Bypass Client Side JavaScript Validation
You must break all 7 validators at the same time.

34
EXERCISE #4: WEBGOAT

Solution Demonstration

35
ATTACKING AUTHENTICATION

SECTION 5
AUTHENTICATION

• Authentication is a mechanism for validating a user.
• There are many authentication technologies:
  • HTML forms-based authentication
  • Multifactor authentication
  • Client SSL certificates and/or smartcards
  • etc.
• In general, there are two factors that result in insecure authentication:
  • Design flaws in authentication mechanisms
  • Implementation flaws in authentication

37
DESIGN FLAWS IN AUTHENTICATION MECHANISMS

• Bad passwords*
• Brute-forcible logins
• Verbose failure messages
• Vulnerable transmission of credentials
• Weaknesses in password change functionality
• Weaknesses in forgotten password functionality*
• etc.

38
BAD PASSWORDS

• Very short or blank passwords
• Common dictionary words or names
• The same as the username
• Still set to the default value

• Check the strength of your password: https://password.kaspersky.com/

39
EXERCISE #5: WEBGOAT

Forgot Password
The goal is to retrieve the password of another user.

40
EXERCISE #5: WEBGOAT

Solution Demonstration

41
IMPLEMENTATION FLAWS IN AUTHENTICATION

• Fail-open login mechanisms
• Defects in multistage login mechanisms*
  • Assumption that access to a later stage means that the user cleared prior stages.
  • Trusting client-side data across stages
• Insecure storage of credentials
• etc.
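The two multistage-login defects listed above, as an added example (not code from the workshop or from WebGoat): a two-stage login (password, then one-time code) whose vulnerable version reads the stage number and the account name from each request, beside a hardened version that keeps both in the server-side session. The account data, the fixed one-time code and the session store are constructed for the example.

```python
"""Two-stage login (password, then one-time code) with and without server-side stage tracking."""
import secrets

# Constructed account data; a real system stores password hashes and issues the code per login.
USERS = {"jane": {"password": "constructed-pw", "otp": "123456"}}
SESSIONS: dict = {}


def start_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "stage": 0, "pending_user": None}
    return sid


def login_vulnerable(sid: str, form: dict) -> bool:
    """Vulnerable: the stage number and the username are taken from the request, so nothing
    ties stage 2 to a completed stage 1. Posting stage=2 with a valid code logs the caller in
    as whichever account the form names, and the password is never checked."""
    stage = int(form.get("stage", 1))
    user = form.get("user", "")
    if stage == 1:
        return USERS.get(user, {}).get("password") == form.get("password", "")
    if stage == 2 and USERS.get(user, {}).get("otp") == form.get("otp", ""):
        SESSIONS[sid]["user"] = user
        return True
    return False


def login_hardened(sid: str, form: dict) -> bool:
    """Hardened: the current stage and the account being logged in are read only from the
    server-side session. A code is accepted only after stage 1 passed for that same account,
    and any failure restarts the sequence. Returns True once the login is complete."""
    sess = SESSIONS[sid]
    if sess["stage"] == 0:
        user = form.get("user", "")
        if user in USERS and secrets.compare_digest(USERS[user]["password"],
                                                    form.get("password", "")):
            sess.update(pending_user=user, stage=1)
        return False  # a correct password alone never logs anyone in
    if sess["stage"] == 1:
        user = sess["pending_user"]  # fixed at stage 1; the form cannot rename it
        if secrets.compare_digest(USERS[user]["otp"], form.get("otp", "")):
            sess.update(user=user, stage=2, pending_user=None)
            return True
        sess.update(stage=0, pending_user=None)
        return False
    return sess["user"] is not None
```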

42
EXERCISE #6: WEBGOAT
Multi Level Login 2
Your goal is to log in as Jane.

43
EXERCISE #6: WEBGOAT

Solution Demonstration

44
ATTACKING SESSION MANAGEMENT

SECTION 6
ATTACKING SESSION MANAGEMENT

• Understand the mechanism
• Test session tokens for meaning
• Test session tokens for predictability
• Check for session termination
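The "meaning" and "predictability" checks above, as an added example (not code from the workshop): a small analyzer run over a set of tokens captured from repeated logins, which tries to decode each token into readable text, looks for a counter in the decoded values and reports the character entropy of the sample. The token sample is constructed and deliberately weak.

```python
"""Heuristic checks of captured session tokens for meaning and predictability."""
import base64, binascii, math, re
from collections import Counter

# Constructed sample: tokens observed across six consecutive admin logins, weak on purpose.
TOKENS = ["YWRtaW46MTAwMQ==", "YWRtaW46MTAwMg==", "YWRtaW46MTAwMw==",
          "YWRtaW46MTAwNA==", "YWRtaW46MTAwNQ==", "YWRtaW46MTAwNg=="]


def decode_meaning(token: str):
    """Return readable text hidden in the token (base64 or hex encoded), else None.
    Heuristic: a hex string is also valid base64, but then rarely decodes to printable text."""
    for decoder in (lambda t: base64.b64decode(t, validate=True), binascii.unhexlify):
        try:
            text = decoder(token).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if text.isprintable():
            return text
    return None


def trailing_numbers(texts):
    """Numeric suffix of every decoded token, or None if any token lacks one."""
    nums = []
    for text in texts:
        match = re.search(r"(\d+)$", text)
        if not match:
            return None
        nums.append(int(match.group(1)))
    return nums


def is_sequential(nums) -> bool:
    """True when consecutive tokens differ by one constant non-zero step (a counter)."""
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 2 and len(diffs) == 1 and 0 not in diffs


def entropy_bits_per_char(tokens) -> float:
    """Shannon entropy of the character distribution across the sample (base64 caps at 6)."""
    joined = "".join(tokens)
    counts = Counter(joined)
    return -sum(c / len(joined) * math.log2(c / len(joined)) for c in counts.values())


def analyze(tokens) -> dict:
    decoded = [decode_meaning(t) for t in tokens]
    nums = trailing_numbers(decoded) if all(decoded) else None
    return {"meaning": decoded[0] if all(decoded) else None,
            "sequential": bool(nums) and is_sequential(nums),
            "entropy_bits_per_char": round(entropy_bits_per_char(tokens), 2)}
```

A token that decodes to a username plus a counter fails both checks; Burp Sequencer or ZAP's token analysis give a far more thorough randomness assessment on a larger sample.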

46
EXERCISE #7: WACKOPICKO

Session Management
Try to determine how the session is being calculated for the admin interface. Log in as admin/admin multiple times to solve this exercise.

47
EXERCISE #7: WACKOPICKO

Solution Demonstration

48
ATTACKING DATA STORES

SECTION 7
ATTACKING DATA STORES

• Most applications have a data store to manage and store data:
  • User accounts, credentials and personal information
  • Prices of items
  • Orders
  • Privilege level of a user
• We’ll test for SQL injection:
  • Supply unexpected syntax that might cause problems in the application.
  • Identify and analyze any anomalies and error messages received.
  • Attempt to exploit the vulnerability.
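The three-step method above applied to a last-name lookup over a credit-card table, as an added example (not WebGoat's code): a query built by string concatenation beside the same query with a bound parameter, plus a probe that records the anomaly or database error a piece of unexpected syntax produces. The table and its rows are constructed; SQLite stands in for the application's database.

```python
"""A last-name lookup over a credit-card table: string concatenation beside a bound parameter."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, shaped like a typical user_data table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT,"
                " last_name TEXT, cc_number TEXT)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", [
        (101, "Joe", "Snow", "987654321"),
        (102, "John", "Smith", "2234200065411"),
        (103, "Jane", "Plane", "123456789"),
    ])
    return con


def lookup_vulnerable(con, last_name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text. A single quote in the input closes
    the string literal, and whatever follows is parsed as SQL rather than compared as data."""
    sql = ("SELECT first_name, last_name, cc_number FROM user_data"
           " WHERE last_name = '" + last_name + "'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con, last_name: str) -> list:
    """Hardened: the value is bound as a parameter, so it can only ever be compared as data."""
    sql = "SELECT first_name, last_name, cc_number FROM user_data WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def probe(con, value: str) -> tuple:
    """Steps 1 and 2 of the method: submit unexpected syntax and record the anomaly
    (row count, or the database error text) instead of letting it surface as a crash."""
    try:
        return ("rows", len(lookup_vulnerable(con, value)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    con = make_db()
    print(probe(con, "Smith"))   # ('rows', 1)
    print(probe(con, "Smith'"))  # the stray quote leaves the statement unterminated
```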

50
EXERCISE #8: WEBGOAT

String SQL Injection
Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'.

51
EXERCISE #8: WEBGOAT

Solution Demonstration

52
CONCLUSION

SECTION 8
WHAT NEXT?

(Diagram: concepts we learned today versus remaining concepts.)

54
WHAT NEXT?

• Read books
• Get a mentor
• So many free online resources! (Cybrary, Coursera, MIT OpenCourseWare, etc.)
• Practice on intentionally vulnerable web applications
• Participate in CTF competitions
• Attend conferences
• Contribute to open-source security projects
• Apply to security jobs (even if you don’t have all the qualifications. Most people don’t!)
• Take life one step at a time. You can do this!

55
GET IN TOUCH!

/ranakhalil1

https://rkhal101.github.io/

@rana__khalil

/rkhal101

56
GET IN TOUCH!

Laptop stickers
generously donated
by OWASP!
57
