Penetration Testing for Web Applications
A penetration test, or pentest, is a simulated attack against a computer system for the purpose of identifying vulnerabilities in the system’s defenses. It has a specific set of goals that generally involve gaining control over the system and accessing its data. The tester then reviews the available information on the system and develops strategies for achieving those goals. Pentests may be classified into black box test and white box tests. A black box pentest provides only basic information to the tester such as the name of the target organization. White box pentests provide the tester with detailed information about the target system itself.
A pentest includes the following phases of operation:
- Validating input
- Gathering information
- Detecting hidden form elements
- Testing authentication mechanisms
A Web application generally consists of a set of scripts that reside on a Web server. These scripts interact with sources of dynamic content such as a database and share that content with users via a web browser. Web applications are quickly becoming the most common means for users to access information due to the ubiquity and convenience of web browsers. Typical web applications include portals, search engines, shopping carts, portal systems and Webmail.
Web applications are critical to the operation of online businesses, which also makes them attractive targets to attackers. These applications must be publicly accessible by their very nature, eliminating obscurity as a possible security strategy. Furthermore, web applications must process data requests with the Hypertext Transfer Protocol (HTTP), which employs many encapsulation techniques that easily lend themselves to exploiting vulnerabilities in an application. Web application vulnerabilities can generally be classified into two categories, including lack of input validation by the developer and improper handling of client requests.
A web application typically uses a FORM submission to interact with a user, which usually occurs when a user clicks on a button or some other widget. GET variables make these inputs visible within the resulting URL, while POST requests require examination of the form-input pages to determine the user’s inputs. However, a penetration tester must use all possible input methods to elicit exceptions from the application. The tester can then manipulate the input and examine the application’s behavior for unexpected results.
Identifying problems with input validation is particularly difficult in web applications due to the large number of user interactions they typically possess. Pentests are an effective method of exposing these issues, although web applications are also vulnerable to traditional attack methods that exploit poor authentication, inadvertent disclosure of environment information and application bugs. Penetration testers must take all of these possibilities into account, especially when performing black box testing.
The next step in penetration testing is usually to gather information on the web application’s environment, especially the server’s operating system, Web server software and application’s scripting language. This information is easy to obtain, and typically involves sending HEAD and OPTIONS requests to the Web server. The output from these requests will usually contain a string with the version of the Web server software and possibly the operating system and scripting language as well.
Penetration testers can often obtain the version of the scripting language from its error pages, especially if it uses customized error pages as ColdFusion does. Testers can obtain an error page from the Web server by intentionally requesting a page they know to be invalid with request methods such as POST, PUT and Other. Furthermore, Web services like Microsoft IIS handle requests for unknown file extensions differently than supported file extensions like .ASP, .EXE, HTM and PHP. A request for an unknown extension may therefore generate output with information that a penetration tester will find useful.
Hidden Form Elements
The developers of Web applications often require information from the client computer that should be protected from the user. The HIDDEN HTTP tag provides this capability on the Web page rendered by the browser, although it doesn’t hide this information in the source code for that page. Poorly written ordering systems have often allowed the user to save a local copy of an order confirmation page, edit a HIDDEN variable such as price and resubmit the edited page to obtain an unauthorized discount on the product.
This practice is declining, and modern applications typically encrypt HIDDEN fields that contain sensitive information. However, unencrypted HIDDEN fields still provide information that may be useful to penetration testers. They should therefore examine all source pages to identify information that the developer has disclosed inadvertently. Common examples of this type of information include the source of active content, pointers to linked content and source files with weak permissions.
Authentication in a web application generally involves a client making an initial request for a resource from the server, which then requests authentication from the client. If the client repeats the request with the proper authentication credentials, the server provides the requested resource. The inability to provide strong authentication is one of the greatest vulnerabilities of Web applications. Furthermore, application developers often fail to use the most secure authentication mechanisms that are available.
For example, HTTP uses two types of authentication, including Basic and Digest. The primary difference between these two types is that Basic authentication uses clear text, while Digest authentication uses encrypted values. Penetration testers should attempt to determine which authentication mechanism is used for each resource in a Web application. This information is especially useful for applications with a session capability, which requires the client to provide the session’s authentication status in a cookie or HTTP header. Penetration testers may therefore be able to obtain the authentication credentials with methods such as brute force or reassembling the string from known elements.