This is the last article in the web application security testing series. In the earlier articles we looked at many interesting vulnerabilities, such as SQL injection, cross-site scripting and vulnerabilities related to the environment. If you have not gone through those articles yet, you may find it worthwhile to read them in our article section.
In this part we explore the security issues related to authentication and web services. Authentication is the core of many web applications: on the web, every connection from a client has to be checked to make sure it does not come from a malicious user. Web services are equally commonplace these days, and many of the applications you use daily are probably built on them. The threats associated with web services differ considerably from the ones we have already seen.
Authentication can become vulnerable for a variety of reasons. As a tester certifying the security of a web application, these are the things you should consider:
Fake Cryptography
Cryptography, and the practice of securing information in transit, can be traced back hundreds of years. It matters even more today, when most of our personal data travels over the internet and is visible to everyone if it is not encrypted properly.
There are many ways to encrypt data so that nobody else on the internet can read it. Programmers, however, often rely on weak encryption, or on a home-grown substitution cipher, which a seasoned attacker can break with little effort. It is also often possible to guess what transformation was applied just by looking at the output. For example, output consisting only of the characters A-Z, a-z, 0-9, '+' and '/', with '=' padding at the end, suggests base64 encoding, which hides the data from a casual glance but is not encryption at all and is reversed in one call. Similarly, if you can supply the plaintext and observe the corresponding ciphertext, make a small change to the plaintext and compare the two outputs: with a substitution cipher, changing one character changes exactly one position of the output, and repeated characters in the plaintext show up as repeated characters in the ciphertext.
The only protection against this class of attack is to use well-known, publicly analysed algorithms such as AES or RSA, as opposed to inventing something new. (Triple DES, once a common choice, is now deprecated and should not be used for new systems.) Encryption with a strong, standard algorithm, correctly keyed, is a very effective way of making sure that information is accessible only to authorized users.
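The two checks described above, written out as an added example for this article (it is not code from the article or from the book it draws on). The base64 detector applies the alphabet heuristic; the repetition and single-change tests are run against two toy transformations constructed here for the demo: a byte-wise Caesar shift (a monoalphabetic substitution) and a SHA-256 counter-mode keystream XOR (a stand-in for a cipher with a per-position key, not a recommended construction).

```python
import base64
import binascii
import hashlib
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(text: str) -> bool:
    """Heuristic from the text: base64 alphabet, length a multiple of 4, decodes."""
    if not B64_RE.match(text) or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    return True


def repetition_pattern(data: bytes) -> tuple:
    """Map each byte to the index of its first occurrence: b'hello' -> (0, 1, 2, 2, 4)."""
    first_seen = {}
    return tuple(first_seen.setdefault(b, i) for i, b in enumerate(data))


def preserves_repetition(encrypt, plaintext: bytes) -> bool:
    """A monoalphabetic substitution keeps the plaintext's repetition pattern intact."""
    return repetition_pattern(plaintext) == repetition_pattern(encrypt(plaintext))


def positions_changed(encrypt, plaintext: bytes, index: int) -> int:
    """Flip one bit of one plaintext byte and count the ciphertext positions that differ."""
    modified = bytearray(plaintext)
    modified[index] ^= 0x01
    before, after = encrypt(plaintext), encrypt(bytes(modified))
    return sum(x != y for x, y in zip(before, after)) + abs(len(before) - len(after))


# Two toy transformations constructed for this demo (not code from the article).

def caesar(data: bytes, shift: int = 3) -> bytes:
    """Byte-wise Caesar shift: a monoalphabetic substitution cipher."""
    return bytes((b + shift) % 256 for b in data)


def toy_stream_cipher(data: bytes, key: bytes = b"demo-key") -> bytes:
    """XOR with a SHA-256 counter-mode keystream. Illustrative only: it shows a
    per-position key, and is not a recommended construction."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)
```

The single-change test alone is not conclusive: any cipher without diffusion (the toy stream cipher included) also changes exactly one output position. The repetition test is what singles out a substitution cipher, because only a fixed per-symbol mapping carries the plaintext's repeated characters through to the ciphertext.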
Breaking Authentication
In the web application arena, it is extremely important to make sure that information is given only to the appropriate users. Most of the time this is done with a username and password, or some other form of validation, which makes sure that the requesting user is indeed the real user. When a legitimate user sends these credentials from browser to server, they travel over the network and are potentially available to any attacker positioned on the path. If this data is not protected properly it can be read; and if the protocol does not use a nonce (a server-chosen value that is valid for a single request), the whole request can be captured and replayed by an attacker, even without decrypting it. On the client side, make sure that overly informative messages about validation failures (for example, "unknown user" versus "wrong password") are not making life easy for the attacker and harder for you. Also check whether there is a restriction on the length of the password field, whether login names and passwords are case sensitive, whether repeated failures are throttled, and so on. Where possible, a CAPTCHA (a simple word-recognition task presented as an image, which is difficult for a computer but easy for a human) can be implemented as a protection against brute-force attacks. Finally, make sure that, wherever it makes sense, information is sent over HTTPS instead of HTTP.
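A minimal login handler that puts three of the points above into code, added here as an example (not code from the article): a single-use nonce so a captured request cannot be replayed, one generic failure message for unknown user and wrong password alike, and a lockout after repeated failures so brute force is throttled. The user store and credentials are constructed for the demo; the PBKDF2 iteration count is kept low only to keep the example fast.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. Iterations are low for the demo; raise them in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthServer:
    """Login endpoint with replay protection, uniform errors and lockout."""

    GENERIC_FAILURE = "invalid credentials"

    def __init__(self, users: dict, max_failures: int = 5):
        # Constructed user store for the demo: username -> (salt, pbkdf2 hash).
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, hash_password(password, salt))
        self._dummy_salt = secrets.token_bytes(16)   # used when the user is unknown
        self._issued_nonces = set()
        self._failures = {}
        self._max_failures = max_failures

    def issue_nonce(self) -> str:
        """Server-chosen, unpredictable value that the client must echo back once."""
        nonce = secrets.token_hex(16)
        self._issued_nonces.add(nonce)
        return nonce

    def login(self, username: str, password: str, nonce: str):
        # 1. Replay check: a nonce is accepted at most once, then forgotten.
        if nonce not in self._issued_nonces:
            return False, self.GENERIC_FAILURE
        self._issued_nonces.discard(nonce)

        # 2. Brute-force throttle: a locked account fails even with the right password.
        if self._failures.get(username, 0) >= self._max_failures:
            return False, self.GENERIC_FAILURE

        # 3. Uniform behaviour for unknown user vs wrong password: same message,
        #    and a hash is computed either way so timing does not reveal which it was.
        record = self._users.get(username)
        salt, stored = record if record else (self._dummy_salt, None)
        candidate = hash_password(password, salt)
        ok = stored is not None and hmac.compare_digest(stored, candidate)

        if not ok:
            self._failures[username] = self._failures.get(username, 0) + 1
            return False, self.GENERIC_FAILURE
        self._failures.pop(username, None)
        return True, "ok"
```

Usage: call `issue_nonce()` when rendering the login form, send the nonce back with the credentials, and call `login()`. Capturing and resending a valid request fails at step 1. Note that the nonce only defeats replay; the credentials themselves still need TLS to keep them from being read in transit.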
Web Services
The last part of this series is devoted to security testing for web services. In the past few years we have seen tremendous growth in their use. Before delving into the security aspects, let us discuss very briefly what a web service is. Web services are self-describing, self-contained, modular pieces of functionality that can be published, located and invoked across the Internet. They expose business functionality, data and services over the web through their interfaces. At the core of web services lie several technologies: Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL) and Universal Description, Discovery and Integration (UDDI). XML describes the data independently of application, platform and protocol; SOAP transports the XML over the network; WSDL describes the interface; and UDDI lets you find the specific web service you need. Web services offer many benefits over traditional APIs, such as flexibility, platform independence and a loosely coupled architecture. Because of that loose coupling and the general availability of the interface description, web services are exposed to some additional threats on top of the ones we have already covered in the previous articles.
WSDL Scanning Attack
Although WSDL is designed to expose and describe every method a service offers, information that was never intended to leave the corporate network can easily end up accessible to the general public, for example when administrative or test operations are left in the same interface as the public ones. For a seasoned attacker this is a wonderful source of information. Finding publicly available WSDL files is not difficult either. Most public-facing web services are indexed by search engines, so a query that restricts results to a file type or to a keyword in the URL (in Google, for example, filetype:wsdl or inurl:wsdl) will turn them up.
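Once a WSDL file has been found, the first thing a tester does is list what it exposes. The script below is an added example for this article (not code from the article or from any real service): it parses a WSDL document with the standard library, enumerates every operation with the parts of its input and output messages, pulls out the SOAP endpoint addresses, and flags operation names that hint at internal functionality. The WSDL itself is constructed for the demo, including a deliberately suspicious ResetAdminPassword operation; the keyword list is a starting point, not an authoritative one.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"

# Constructed WSDL for the demo (example.invalid is a reserved, non-routable domain).
SAMPLE_WSDL = """<definitions name="OrderService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.invalid/orders">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:int"/></message>
  <message name="GetOrderResponse"><part name="order" type="xsd:string"/></message>
  <message name="ResetAdminPasswordRequest"><part name="newPassword" type="xsd:string"/></message>
  <message name="ResetAdminPasswordResponse"><part name="ok" type="xsd:boolean"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
    <operation name="ResetAdminPassword">
      <input message="tns:ResetAdminPasswordRequest"/>
      <output message="tns:ResetAdminPasswordResponse"/>
    </operation>
  </portType>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://example.invalid/orders"/>
    </port>
  </service>
</definitions>"""


def enumerate_operations(wsdl_text: str) -> dict:
    """Return {operation: {"input": [part names], "output": [part names]}}."""
    root = ET.fromstring(wsdl_text)
    messages = {m.get("name"): [p.get("name") for p in m.findall(WSDL + "part")]
                for m in root.findall(WSDL + "message")}
    operations = {}
    for port_type in root.findall(WSDL + "portType"):
        for op in port_type.findall(WSDL + "operation"):
            entry = {}
            for direction in ("input", "output"):
                ref = op.find(WSDL + direction)
                if ref is not None:
                    message_name = ref.get("message").split(":")[-1]  # drop the tns: prefix
                    entry[direction] = messages.get(message_name, [])
            operations[op.get("name")] = entry
    return operations


def service_endpoints(wsdl_text: str) -> list:
    """Every SOAP address the WSDL points at: the URLs the tester will actually hit."""
    root = ET.fromstring(wsdl_text)
    return [addr.get("location") for addr in root.iter(SOAP + "address")]


# Words that often mark operations not meant for the public; extend to taste.
SUSPICIOUS_WORDS = ("admin", "debug", "internal", "test", "reset", "delete", "export")


def flag_sensitive(operations: dict) -> list:
    """Operation names that deserve a closer look before anything else."""
    return sorted(name for name in operations
                  if any(word in name.lower() for word in SUSPICIOUS_WORDS))
```

The operation list is the attack surface; the flagged names are where to start. Run it on a WSDL fetched over HTTP (after checking the parser is not configured to resolve external entities) and compare the result with what the service's owner believes is public.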
Parameter Tampering
As the person responsible for keeping your web service safe and secure, you still need to perform all the validation you would do for any other input. The underlying format for transferring data in web services is XML, and it is tempting to assume that a valid request will be well formed and will follow the rules laid down in the XML schema. Schema validation is worth doing, but it is not enough: you still need to validate every value you receive. XML happily accepts a string such as 1=1, or one carrying a quote character, as valid text content, but strings like these can be used to attack your application and must be checked before any further processing.
XPath Injection
XPath is a language for querying XML documents. It is very similar to SQL in purpose, but instead of querying a database for tables and rows, XPath queries an XML document for specific information by selecting nodes and node-sets. If a SOAP request's parameters are concatenated into an XPath expression, an attacker can inject a malicious XPath fragment as part of an otherwise valid request, which can lead to unauthorized data access. When testing web services, treat XPath injection very much like SQL injection and rely on validating every piece of data you receive. Note that, unlike SQL, XPath 1.0 has no escape character, so a quote inside a value has to be handled with concat() or rejected outright.
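The parameter-tampering and XPath-injection points above share one example, added here for this article (not code from the article): the injectable way of building a login query beside a hardened version that first whitelists the username, then turns each value into a proper XPath 1.0 string literal (using concat() when a value contains both quote kinds, since XPath has no escape character), plus a helper that enforces an integer type and range on a field XML would otherwise hand over as arbitrary text. The query shape, field names and regular expressions are assumptions for the demo.

```python
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed username policy
INT_RE = re.compile(r"^[0-9]{1,9}$")


def vulnerable_query(name: str, password: str) -> str:
    """The injectable pattern: request fields concatenated straight into XPath."""
    return f"//user[name='{name}' and password='{password}']"


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.
    XPath has no escape character, so a value holding both kinds of quote
    is assembled from single-quoted pieces joined by a double-quoted apostrophe."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{part}'" for part in parts) + ")"


def safe_query(name: str, password: str) -> str:
    """Whitelist the username (parameter tampering), then quote both values
    (XPath injection) before they reach the query engine."""
    if not USERNAME_RE.match(name):
        raise ValueError("username fails whitelist validation")
    return f"//user[name={xpath_literal(name)} and password={xpath_literal(password)}]"


def parse_int_field(value: str, low: int, high: int) -> int:
    """XML delivers every value as text; enforce the type and range yourself,
    even when a schema says the field is an xsd:int."""
    if not INT_RE.match(value):
        raise ValueError(f"not a plain integer: {value!r}")
    number = int(value)
    if not low <= number <= high:
        raise ValueError(f"{number} outside {low}..{high}")
    return number
```

With the classic payload `' or '1'='1` as the username, `vulnerable_query` yields a predicate that is true for every user, while `safe_query` rejects it at the whitelist; supplied as the password, the same payload ends up as a harmless double-quoted literal. If your XPath engine runs in a language that offers parameterised XPath (variables bound outside the expression), prefer that over building literals at all.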
Recursive and Oversize Payload attack
XML uses nesting to represent complex relationships among elements. When an element appears within another element, the inner element is said to be nested, and nesting is normally used to model real-world structures. However, an attacker can easily nest thousands of elements, or send an enormous document, in an attempt to break the web service. Since most XML-based systems attempt to load the complete document before processing it, a deeply nested or oversized document can exhaust memory or stack space. If your application uses a DOM parser (which loads the whole XML tree into memory before you can access it), it is particularly susceptible; a streaming parser that enforces size and depth limits can reject such a payload before it does any damage.
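A defensive parser for the attack just described, added as an example for this article (not code from the article): it walks the document incrementally with the standard library's iterparse and enforces a byte limit, a nesting-depth limit and an element-count limit, raising before the tree is fully built. The two payload generators are constructed attack inputs for the demo; the limit values are assumptions to tune for your own message sizes.

```python
import io
import xml.etree.ElementTree as ET


class PayloadRejected(ValueError):
    """Raised when a document breaks a size or nesting limit."""


def parse_with_limits(data: bytes, max_bytes: int = 1_000_000,
                      max_depth: int = 100, max_elements: int = 10_000):
    """Parse XML incrementally, rejecting oversized, too-deep or too-wide documents.
    Returns the root element on success."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"{len(data)} bytes exceeds limit of {max_bytes}")
    depth = elements = 0
    root = None
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            if depth > max_depth:
                raise PayloadRejected(f"nesting deeper than {max_depth} levels")
            if elements > max_elements:
                raise PayloadRejected(f"more than {max_elements} elements")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def nested_document(depth: int) -> bytes:
    """Constructed recursive payload: <a><a>...</a></a> nested `depth` levels deep."""
    return b"<a>" * depth + b"</a>" * depth


def wide_document(count: int) -> bytes:
    """Constructed oversize payload: one parent with `count` empty children."""
    return b"<r>" + b"<e/>" * count + b"</r>"
```

Two caveats. iterparse feeds the underlying parser a few kilobytes at a time, so the checks fire per chunk rather than per byte; for a strict bound on memory, feed an expat parser smaller chunks yourself. And nesting and size are only part of the picture: entity expansion ("billion laughs") is a separate way to blow up an XML parser, and the Python documentation points to the defusedxml package for protection against it.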
These articles are influenced by the book ("How to Break Web Software" by Mike Andrews and James A. Whittaker) that I recently read, and it should be a good read for you if you need information on web application security testing.