3. What do I need to start?
Basic knowledge of:
• Web technologies
• HTTP protocol
• HTML
• JavaScript
• Web vulnerabilities
4. Tools:
• Web proxies:
• Fiddler
• Burp Suite
• …
• Web spiders:
• Burp Suite
• WebScarab
• …
5. Workflow
• Information gathering
• Test authentication
• Test session management
• Test authorization
• Fuzz parameters
• File Uploads
• Denial of Service
7. Information gathering
• Hidden content
• Comments
• Logical names
• Brute-Force
• HTTP headers
• Vulnerabilities in third-party components
• Server responses (Server header, custom headers, HTML templates)
• Default content (Wikto)
• Identify all entry points
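The checklist above can be worked through mechanically on every response the proxy captures. The following is an added example, not code from the deck: it takes one raw HTTP response (a constructed sample, not captured from any real host) and pulls out the Server banner, non-routine headers, developer comments, hidden form fields, same-origin entry points with their parameter names, and library versions leaked by script file names. The header allow-list and the `name-1.2.3.min.js` pattern are assumptions that a real engagement would extend.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed response for the example (not captured from any real site). It contains the
# kinds of leaks this slide lists: a Server banner, custom headers, a developer comment,
# hidden form fields, a parameterised link and a versioned third-party library.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-Backend-Node: app-02\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!-- TODO: remove /admin_old before go-live -->\n"
    "<html><body>\n"
    "<form action=\"/login.php\" method=\"post\">\n"
    "  <input type=\"hidden\" name=\"csrf\" value=\"abc\">\n"
    "  <input type=\"hidden\" name=\"debug\" value=\"0\">\n"
    "  <input name=\"user\"><input name=\"pass\" type=\"password\">\n"
    "</form>\n"
    "<a href=\"/reports?year=2020\">Reports</a>\n"
    "<a href=\"https://cdn.example.net/lib/jquery-1.8.3.min.js\">library</a>\n"
    "<script src=\"/js/jquery-1.8.3.min.js\"></script>\n"
    "</body></html>\n"
)

# Assumed list of headers that say nothing about the stack; anything else is reported as custom.
ROUTINE_HEADERS = {
    "content-type", "content-length", "date", "connection", "cache-control", "expires",
    "pragma", "vary", "set-cookie", "transfer-encoding", "content-encoding",
    "last-modified", "etag", "accept-ranges", "location",
}

# name-1.2.3.min.js style file names give away library and version (assumed naming pattern).
LIB_RE = re.compile(r"^([a-z][a-z0-9_]*)-(\d+(?:\.\d+)+)(?:\.min)?\.js$", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


class EntryPointParser(HTMLParser):
    """Collects comments, forms and their parameters, links and script sources."""

    def __init__(self):
        super().__init__()
        self.comments, self.forms, self.links, self.scripts = [], [], [], []
        self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                          "params": [], "hidden": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])
            if a.get("type", "").lower() == "hidden":
                self._form["hidden"].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def third_party_versions(urls):
    """(library, version) pairs recoverable from script and link file names."""
    found = set()
    for url in urls:
        m = LIB_RE.match(urlsplit(url).path.rsplit("/", 1)[-1])
        if m:
            found.add((m.group(1).lower(), m.group(2)))
    return sorted(found)


def fingerprint(raw):
    """Everything on this slide's checklist that can be pulled from a single response."""
    status, headers, body = split_response(raw)
    p = EntryPointParser()
    p.feed(body)
    p.close()
    entry_points = [{"path": f["action"], "method": f["method"], "params": f["params"]}
                    for f in p.forms]
    for href in p.links:
        parts = urlsplit(href)
        if not parts.netloc:   # same-origin link: its path and query names are entry points
            entry_points.append({"path": parts.path, "method": "get",
                                 "params": list(parse_qs(parts.query, keep_blank_values=True))})
    return {
        "status": status,
        "server": headers.get("server"),
        "custom_headers": {k: v for k, v in headers.items()
                           if k != "server" and k not in ROUTINE_HEADERS},
        "comments": p.comments,
        "hidden_params": sorted({n for f in p.forms for n in f["hidden"]}),
        "entry_points": entry_points,
        "third_party": third_party_versions(p.scripts + p.links),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run it over every response saved from the proxy; the hidden parameters and third-party versions it lists feed directly into the later fuzzing and component-vulnerability steps of the workflow.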
8. Test authentication
• Determine the type of authentication mechanism
• HTML forms-based authentication
• HTTP basic and digest authentication
• Client SSL certificates and/or smartcards
• …
• Check the required password complexity
• Review the stated rules
• Try to register accounts
• Try to change passwords, and see whether the application accepts one that is:
• Very short or blank
• A common dictionary word or name
• The same as the username
• Still set to a default value
Administrative passwords may in fact be weaker than the password policy allows.
Weak passwords to try first:
• password
• the website name
• 12345678
• qwerty
• abc123
• 111111
• monkey
• 12345
• the login name
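The weakness checks and the short list of likely passwords above are easy to turn into a targeted first-pass wordlist and a policy check for the passwords the application lets you set. The following is an added example, not code from the deck: `weak_password_reasons` reports which of the slide's weaknesses a given password has, and `targeted_wordlist` builds the ordered guess list for one account. The common-password and default-password sets and the site-name variants are constructed for the example; a real engagement would use a proper wordlist.

```python
import re

# Constructed lists for the example: the deck's sample of frequent passwords plus a few
# typical vendor defaults. Replace with a real wordlist on an engagement.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "abc123", "111111",
                    "monkey", "12345", "letmein", "welcome"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "password1", "root"}


def site_variants(site_name):
    """Passwords people derive from a site name: 'Acme Shop' -> acme, acmeshop, acme123, ..."""
    base = re.sub(r"[^a-z0-9]", "", site_name.lower())
    words = site_name.lower().split()
    first = re.sub(r"[^a-z0-9]", "", words[0]) if words else base
    out = set()
    for stem in {base, first} - {""}:
        out.update({stem, stem + "1", stem + "123", stem + "2020", stem + "!"})
    return out


def weak_password_reasons(password, username, site_name, min_length=8):
    """Findings for one password against the checks on this slide; an empty list means none."""
    pw = password.lower()
    reasons = []
    if not password.strip():
        reasons.append("blank")
    elif len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if pw in COMMON_PASSWORDS:
        reasons.append("common password")
    if pw == username.lower():
        reasons.append("same as username")
    if pw in site_variants(site_name):
        reasons.append("derived from site name")
    if pw in DEFAULT_PASSWORDS:
        reasons.append("default value")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"[0-9]", password)):
        reasons.append("no mixed case with digits")
    return reasons


def targeted_wordlist(username, site_name):
    """Ordered guesses for one account: the login name first, then site-derived, defaults, common."""
    seen, out = set(), []
    for cand in ([username, username + "1", username + "123"]
                 + sorted(site_variants(site_name))
                 + sorted(DEFAULT_PASSWORDS) + sorted(COMMON_PASSWORDS)):
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    for pw in ["", "monkey", "acmeshop123", "Tr0ub4dor&3"]:
        print(repr(pw), "->", weak_password_reasons(pw, "bob", "Acme Shop") or "no findings")
    print(targeted_wordlist("bob", "Acme Shop")[:8])
```

Use the checker on the registration and change-password forms: if a password with findings is accepted, the enforced policy is weaker than the stated one, which is exactly the gap the slide warns about for administrative accounts.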
9. Test authentication
• Test for account lockout after failed login attempts
• Duration of the lockout
• Number of failed attempts before it triggers
• How the server detects and counts the failed attempts
• Test the error-handling mechanism
• Differences in message text
• Minor differences in responses (length, whitespace, headers)
• Differences in response time
10. Test authentication
• Test “change password” functionality
• Verbose error message for an invalid username
• Brute-force of the password
• Username enumeration
• Test “password recovery” functionality
• Simple security questions
• Brute-forcing the answer is easier than brute-forcing the password
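The error-handling checks on slide 9 and the username-enumeration point on slide 10 come down to one measurement: submit a wrong password for many candidate usernames and diff the responses byte for byte and by timing. The following is an added example, not code from the deck. The target is a constructed in-memory login function that leaks in the two ways many real applications do (its two failure messages differ by a single trailing space, and it only computes the expensive password hash when the username exists); the candidate names and the thresholds are assumptions.

```python
import hashlib
import time
from collections import Counter
from statistics import median

# Constructed target for the example: an in-memory login that leaks the same two ways many
# real applications do. The password hash is only computed when the username exists, so a
# valid username takes visibly longer to reject, and the two failure messages differ by a
# single trailing space.
_SALT = b"example-salt"
_ITERATIONS = 100_000
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
    "bob": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, _ITERATIONS),
}


def mock_login(username, password):
    """Stand-in for POST /login; returns (status, body)."""
    stored = _USERS.get(username)
    if stored is None:
        return 200, "Invalid username or password."
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if candidate != stored:
        return 200, "Invalid username or password. "   # note the trailing space
    return 302, "Redirecting to /home"


def probe(login, candidates, samples=3, wrong_password="definitely-not-it"):
    """Submit a wrong password for every candidate and record what the response looked like."""
    results = {}
    for user in candidates:
        times = []
        for _ in range(samples):
            start = time.perf_counter()
            status, body = login(user, wrong_password)
            times.append(time.perf_counter() - start)
        results[user] = {"status": status, "body": body, "length": len(body),
                         "time": median(times)}
    return results


def enumerate_by_message(results):
    """Candidates whose exact (status, body) differs from the majority response.

    Assumes most candidates are invalid, so the majority signature is the 'unknown user'
    response. Comparing whole strings rather than reading them is what catches the
    minor differences (a trailing space, a different length).
    """
    signatures = {u: (r["status"], r["body"]) for u, r in results.items()}
    majority = Counter(signatures.values()).most_common(1)[0][0]
    return sorted(u for u, s in signatures.items() if s != majority)


def enumerate_by_timing(results, factor=5.0, floor=0.005):
    """Candidates answered far more slowly than the fastest rejection (assumed thresholds)."""
    fastest = min(r["time"] for r in results.values())
    threshold = max(fastest * factor, floor)
    return sorted(u for u, r in results.items() if r["time"] > threshold)


if __name__ == "__main__":
    res = probe(mock_login, ["admin", "alice", "bob", "carol", "dave", "test"])
    for user, r in res.items():
        print(f"{user:8} {r['status']} len={r['length']} t={r['time'] * 1000:.1f}ms {r['body']!r}")
    print("by message:", enumerate_by_message(res))
    print("by timing: ", enumerate_by_timing(res))
```

Against a live target, `probe` would wrap a real request through the proxy; keep the sample count small and watch for the lockout behaviour tested on slide 9, since every probe is also a failed login for that account.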
11. Test authentication
• Test “remember me” functionality
• Simple persistent cookie: Remember=username;
• User identifier in the cookie: Remember=475;
• Brute-force the cookie value
12. Test session management
• Investigate the session token
• Try to decode or decrypt it
• Try changing the token’s value one byte at a time
• Brute-force the token value
• Session termination and logout functionality
The server may check only part of the token data.
Using a list of enumerated or common usernames, an attacker can quickly generate large numbers of potentially valid tokens and test these to confirm which are valid.
Sources of token predictability:
• Concealed sequences
• Time dependency
• Weak random number generation
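The three token checks on slide 12 (decode it, flip one byte at a time, look for sequences and time dependency) apply equally to the `Remember=` cookie on slide 11. The following is an added example, not code from the deck. The target is a constructed stand-in whose token is plain base64 around a user id, a timestamp and a counter, with a MAC that covers only the user id; the server secret, field names and sample tokens are all assumptions made for the example. The tester-side functions only see what a real tester would see: the tokens and the server's accept/reject answer.

```python
import base64
import hashlib
import hmac

# ---- Constructed target (stand-in for the application under test) ---------------------
# Weakness modelled: the token is only base64, it embeds a user id, a timestamp and a
# counter, and the MAC covers the user id alone, so the other fields are never checked.
_SECRET = b"example-only-secret"   # assumed server secret; the tester never sees it


def issue_token(uid, ts, seq):
    mac = hmac.new(_SECRET, f"uid={uid}".encode(), hashlib.sha256).hexdigest()[:8]
    return base64.b64encode(f"uid={uid};ts={ts};seq={seq};mac={mac}".encode()).decode()


def server_accepts(token):
    """What the server does with an incoming token: parse it, re-compute the MAC over uid only."""
    try:
        fields = dict(p.split("=", 1) for p in base64.b64decode(token).decode().split(";"))
    except ValueError:   # bad base64, bad UTF-8 or a part without '='
        return False
    expected = hmac.new(_SECRET, f"uid={fields.get('uid')}".encode(),
                        hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(fields.get("mac", ""), expected)


# Four tokens as a tester would collect them by logging in repeatedly (constructed).
SAMPLE_TOKENS = [issue_token(475, ts, 1041 + i)
                 for i, ts in enumerate([1700000000, 1700000003, 1700000004, 1700000009])]


# ---- Tester side ------------------------------------------------------------------------
def try_decode(token):
    """Peel the common encodings; return (encoding, text) for each that yields printable text."""
    pad = "=" * (-len(token) % 4)
    attempts = (("hex", lambda t: bytes.fromhex(t)),
                ("base64", lambda t: base64.b64decode(t + pad, validate=True)),
                ("base64url", lambda t: base64.urlsafe_b64decode(t + pad)))
    out = []
    for name, decode in attempts:
        try:
            text = decode(token).decode("utf-8")
        except ValueError:
            continue
        if text.isprintable() and all(text != seen for _, seen in out):
            out.append((name, text))
    return out


def unchecked_fields(token, accepts):
    """Flip one byte of the decoded token at a time; fields that survive are never validated."""
    raw = base64.b64decode(token)
    spans, pos = [], 0
    for part in raw.decode().split(";"):
        spans.append((part.split("=", 1)[0], pos, pos + len(part)))
        pos += len(part) + 1
    survivors = set()
    for i in range(len(raw)):
        mutated = bytearray(raw)
        mutated[i] ^= 0x01
        if accepts(base64.b64encode(bytes(mutated)).decode()):
            survivors.update(name for name, start, end in spans if start <= i < end)
    return sorted(survivors)


def numeric_fields(text):
    return {k: int(v) for k, v in (p.split("=", 1) for p in text.split(";")) if v.isdigit()}


def classify_fields(tokens):
    """How each numeric field moves across consecutively issued tokens."""
    rows = [numeric_fields(try_decode(t)[0][1]) for t in tokens]
    findings = {}
    for key in rows[0]:
        vals = [r[key] for r in rows]
        diffs = [b - a for a, b in zip(vals, vals[1:])]
        if all(d == 0 for d in diffs):
            findings[key] = "constant"
        elif len(set(diffs)) == 1:
            findings[key] = f"counter (step {diffs[0]})"   # concealed sequence
        elif 1_000_000_000 < vals[0] < 4_000_000_000 and all(d >= 0 for d in diffs):
            findings[key] = "time-dependent (unix timestamp)"
        else:
            findings[key] = "varies"
    return findings


if __name__ == "__main__":
    print(try_decode(SAMPLE_TOKENS[0]))
    print(classify_fields(SAMPLE_TOKENS))
    print("fields the server never checks:", unchecked_fields(SAMPLE_TOKENS[0], server_accepts))
```

Once the token is readable, a constant field that looks like a user id is the hook for the attack described above: with an enumerated list of users, and no MAC over that field, tokens for other accounts can be generated and tried. Against a real application the byte-flipping loop would issue one request per position through the proxy, so run it against a test account and watch for session invalidation.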