Sunday, November 15, 2009

Web Application Security Testing

This is the last article in the series on security testing of web applications. In previous articles we looked at many interesting exposures such as SQL injection, cross-site scripting, vulnerabilities related to the environment, and so on. If you have not gone through those articles, you may find it interesting to read them in the articles section.

In this part we will examine security issues related to authentication and Web services. Authentication is at the core of many Web applications, since in the WWW world we need to verify each client connection to make sure there is no malicious user behind it. Similarly, Web services are commonplace these days, and most common applications you use daily may be using Web services. The threats associated with Web services are very different from what we have seen so far.

Authentication can be vulnerable for various reasons. As a tester of web application security, these are the things you should consider:

Fake Cryptography

The practice of cryptography, and of obtaining information from intercepted traffic, dates back hundreds of years. It becomes even more important now that most of our personal data is on the Internet for everyone to see if it is not encrypted properly.

There are many ways data can be encrypted so that it is hard for anyone on the Internet to understand. Often, developers rely on weaker encryption technology or use their own substitution cipher, which can be very easy for an experienced hacker to break. It is also possible to get an idea of the encryption technology used by looking at the encrypted data. For example, the presence of only alphanumeric characters and '=' may indicate that base64 encoding is used to hide the data. Similarly, if you have access to both the unencrypted data and the encrypted data, you can make minor changes to the data and analyze the encrypted output to determine whether a substitution cipher was used.

The only way to protect against this attack is to use widely known security algorithms like RSA, Triple DES, etc., as opposed to inventing something new. Encryption using a strong cryptographic process is an effective way of making sure that information is available only to authorized users.
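A tester's check for the two signs described above, as an added example that is not from the original article: it decodes a value that only looks encrypted, and it changes one input character at a time to see whether the output behaves like a substitution cipher. The toy cipher, function names and sample values are constructed for illustration.

```python
import base64
import binascii
import re
import string

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_if_base64(value):
    """Return the decoded bytes if value is valid base64, else None."""
    if len(value) % 4 != 0 or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def changed_positions(a, b):
    """Indexes at which two equal-length strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def looks_like_substitution(encrypt, sample):
    """Change one plaintext character at a time and compare the outputs.
    A simple substitution cipher keeps the length and changes only the
    output character at the position that was changed in the input."""
    base = encrypt(sample)
    if len(base) != len(sample):
        return False
    for i in range(len(sample)):
        repl = "x" if sample[i] != "x" else "y"
        probe = sample[:i] + repl + sample[i + 1:]
        out = encrypt(probe)
        if len(out) != len(base) or changed_positions(base, out) != [i]:
            return False
    return True

# Constructed stand-in for a home-grown cipher: a fixed letter substitution.
ALPHABET = string.ascii_lowercase
TABLE = str.maketrans(ALPHABET, ALPHABET[13:] + ALPHABET[:13])

def homegrown_encrypt(text):
    return text.translate(TABLE)

# Constructed sample: a "protected" cookie value that is only base64-encoded.
SAMPLE_COOKIE = "dXNlcj1hbGljZQ=="
```

If either check succeeds against a value your application treats as secret, the data is encoded or trivially enciphered rather than encrypted.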

Breaking authentication

In the world of Web applications, it is extremely important to ensure that information is given only to the appropriate users. Most of the time, the mechanism for this assurance is a username/password or some other form of validation that ensures the user making the request is, in fact, the real user. When a legitimate user transmits this information from the browser to the server, it is on the wire and potentially available to hackers to exploit. If this data is not encrypted properly, it can be read, and if a nonce feature is not applied, each request can be replayed by the attacker. Even on the client side, you should ensure that simple and very informative messages related to validation errors are not making life easy for the attacker and harder for you. It is also necessary to check whether there are any restrictions on the length of the password field, whether the username and password are case sensitive, and so on. If possible, techniques such as CAPTCHA (which involves recognizing simple words in image format, something difficult for machines but easy for humans) can also be applied as protection against brute-force attacks. You should also make sure that sensitive information is always sent over HTTPS instead of HTTP.
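The nonce check mentioned above, as an added example that is not from the original article: the server issues a one-time nonce, the client answers with an HMAC over it, and the same captured answer is refused when it is sent a second time. The class, function names and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class LoginVerifier:
    """Challenge-response check in which every nonce is accepted once."""

    def __init__(self, user_keys):
        self.keys = user_keys      # username -> shared secret (constructed)
        self.pending = {}          # nonce -> username it was issued to

    def issue_nonce(self, username):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = username
        return nonce

    def verify(self, username, nonce, proof):
        # pop() consumes the nonce, so a second use finds nothing pending.
        issued_to = self.pending.pop(nonce, None)
        key = self.keys.get(username)
        if issued_to != username or key is None:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison of the expected and supplied proof.
        return hmac.compare_digest(expected, proof)

def client_proof(key, nonce):
    """What the legitimate client sends instead of the secret itself."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo_replay():
    """Return (result of the first login, result of replaying it)."""
    key = b"constructed-demo-secret"
    server = LoginVerifier({"alice": key})
    nonce = server.issue_nonce("alice")
    proof = client_proof(key, nonce)
    first = server.verify("alice", nonce, proof)
    replay = server.verify("alice", nonce, proof)
    return first, replay
```

The exchange still belongs on HTTPS; the nonce only ensures that a recorded request cannot be reused.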

Web Services

The last part of this series is devoted to security testing for Web services. In recent years we have seen tremendous growth in the use of Web services. Before delving into the security issues associated with Web services, let us look very briefly at what a web service is. Web services are self-describing, independent, modular pieces of functionality that can be published, located, and invoked across the Internet. Web services can expose business functionality, data and services over the web through their interfaces. At the heart of Web services are several technologies: Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Service Description Language (WSDL) and Universal Description, Discovery and Integration (UDDI). XML is used to describe data independently of the application, platform, protocol, etc. SOAP is used to transport XML over the network, WSDL contains information related to the interface, and UDDI allows you to find the specific web service you need. WSDL offers many advantages over traditional APIs in that it provides flexibility and platform independence, together with a loosely coupled architecture. Because of their architecture and the general availability of their interface, Web services are vulnerable to some additional threats, along with some of the threats already covered in our previous articles.

WSDL Scanning Attack

Although WSDL is designed to expose and describe all the information available about a method, at times information that belongs inside the corporate firewall may also become accessible to the general public. This can occur for many reasons. For an experienced attacker, this can be a wonderful piece of information. Scanning publicly available WSDL is not very difficult. Most public Web services can also be found through search engines by refining your search; for example, on Google you can search for specific file types or for the presence of certain keywords, such as WSDL, in the URL.

Parameter Manipulation

As the person responsible for ensuring that your web service is safe and secure, you need to make sure you still do all the validations that you would do otherwise. For example, the underlying format for transferring data in web services is XML, and although it can be assumed that a valid request will be well formed and follow the rules specified in the XML schema, you still need to validate all the data you receive. XML will treat 1=1 or -- as a valid string, but you must understand how such strings can be used for attacks on your web application, and they must be validated before being processed.

XPath Injection

XPath is a language for querying XML documents. It is very similar to SQL in purpose, but instead of querying a database of tables and rows, XPath queries an XML document for specific information by specifying the node, node-set, etc. An attacker can inject a malicious XPath expression as part of a valid SOAP request, which can lead to unauthorized access to data. When testing web services, try XPath injection, which is very similar to SQL injection; the defense likewise rests on validating all the data received.
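The validation described under Parameter Manipulation and the XPath Injection case, together in one added example that is not from the original article: a well-formed request carries a `1=1` style string, the vulnerable pattern pastes it into the query text, and the hardened path allow-lists each field and compares values as data. The documents, field names and limits are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed data store; a real one would hold password hashes.
USERS_XML = """<users>
  <user><name>alice</name><password>s3cret</password><role>admin</role></user>
  <user><name>bob</name><password>hunter2</password><role>user</role></user>
</users>"""

# Constructed requests: both are well-formed XML.
GOOD_REQ = "<login><name>bob</name><password>hunter2</password></login>"
BAD_REQ = ("<login><name>' or '1'='1</name>"
           "<password>' or '1'='1</password></login>")

NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def unsafe_xpath(name, password):
    """Vulnerable pattern: request data becomes part of the query text."""
    return "//user[name='%s' and password='%s']/role" % (name, password)

def read_fields(request_xml):
    """Being well formed is not enough: validate every value taken out."""
    root = ET.fromstring(request_xml)
    name = root.findtext("name", default="")
    password = root.findtext("password", default="")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name rejected")
    if not 1 <= len(password) <= 128:
        raise ValueError("password rejected")
    return name, password

def lookup_role(name, password):
    """Hardened lookup: values are compared as data, never parsed as XPath."""
    for user in ET.fromstring(USERS_XML).iter("user"):
        if (user.findtext("name") == name
                and user.findtext("password") == password):
            return user.findtext("role")
    return None
```

With the values from `BAD_REQ`, `unsafe_xpath` produces a predicate containing `name='' or '1'='1'`, which no longer tests the credentials; `read_fields` rejects the same request before any query is built.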

Recursive and large payload attack

XML uses nesting to represent complex relationships between elements. When an element sits within another element, the inner element is said to be nested. Nesting is often used to represent real-world structures in a better way. However, an attacker can easily nest thousands of elements or attributes in an attempt to break the Web service. Since most XML-based systems attempt to load the entire document before processing it, deeply nested or overly large XML documents can potentially break the web service. If your application uses DOM (the XML is loaded into memory before it is accessed), it could be especially susceptible to this vulnerability.
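One way to guard a service against such documents, as an added example that is not from the original article: a streaming pre-check that counts depth, elements and attributes and rejects the request before any DOM is built. The limits, names and sample documents are constructed assumptions to be tuned to the service's schema.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed limits, not values from the article
MAX_DEPTH = 32
MAX_ELEMENTS = 5000
MAX_ATTRS = 16

# Constructed samples: an ordinary request and a deeply nested one.
NORMAL_DOC = b"<order><item><sku>A-1</sku></item></order>"
NESTED_DOC = b"<a>" * 1000 + b"</a>" * 1000

class PayloadRejected(Exception):
    """Raised when a document exceeds a limit or is not well formed."""

def check_payload(data):
    """Stream through data (bytes); return (deepest level, element count)."""
    if len(data) > MAX_BYTES:
        raise PayloadRejected("document too large")
    state = {"depth": 0, "deepest": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        if state["depth"] > MAX_DEPTH:
            raise PayloadRejected("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise PayloadRejected("too many elements")
        if len(attrs) > MAX_ATTRS:
            raise PayloadRejected("too many attributes")

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        # Handlers run while parsing, so a limit stops the parse early.
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise PayloadRejected("not well formed: %s" % exc)
    return state["deepest"], state["elements"]
```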

These articles are influenced by a book I recently read, "How To Break Web Software" by Mike Andrews and James A. Whittaker, which should be good reading for you if you need information on carrying out web security testing.
