Saturday, June 7, 2014

Web Pen Test Terminology



Terminologies that always seem to be asked during interviews. But the problem is that my memory operates in a first in, first out (FIFO) sort of way, which befits the definition: a method that relates to the organization and manipulation of data according to time and prioritization.

Without further ado, the terminologies as I understand them:

Cross-Site Request Forgery (XSRF or CSRF) 

Def 

When the credentials used to access the targeted system are sent along with a request that originates from another application or site

Layman 

The same login can be used by another application to log in as you

Example

  • Reusing the session token or cookie to log in as the current user from a different system/application
  • The application's login can be used to log into Facebook, and Facebook uses the same login

Cause

The GET method is allowed to perform other operations (state changes) besides the retrieval of data

Fix 

A unique and random token for each GET request, which the server verifies before acting on the request

How to test 
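The fix and the test for this section together, as an added example that is not from the original post: a token is issued per page load, bound to the session with an HMAC, and a hypothetical `handle_transfer` handler refuses state changes on GET and rejects any request whose token is missing or was issued for a different session. The request dictionary shape, the handler name and the in-memory `SECRET_KEY` are assumptions of this example, not part of the post. It goes slightly beyond the post's one-line fix by also refusing to perform the action on GET at all.

```python
import hashlib
import hmac
import secrets

# Server-side signing secret (constructed at import time for this example; a real
# deployment loads it from configuration and keeps it out of version control).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Return a fresh, random token bound to the caller's session.

    nonce - 16 random bytes, so every issued token is unique
    mac   - HMAC-SHA256 over (session_id, nonce), so a token stolen from or
            forged for another session fails verification
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """True only if the token was issued by this server for exactly this session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the expected value does not leak through timing.
    return hmac.compare_digest(mac, expected)


def handle_transfer(request):
    """Hypothetical handler for a state-changing action (a funds transfer).

    `request` is a plain dict standing in for a framework request object:
    {"method": "POST", "cookies": {"session": "..."}, "form": {"csrf_token": "...", ...}}
    Returns (status_code, message).
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    # First half of the fix: state changes are never performed on GET, so a
    # browser following a link or loading an <img> cannot trigger them.
    if request.get("method") != "POST":
        return 405, "state-changing actions must use POST"
    # Second half: the request must carry a token that only this server's own
    # pages, rendered inside this session, could have obtained.
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


if __name__ == "__main__":
    session = "session-A"
    token = issue_csrf_token(session)
    print(handle_transfer({"method": "POST", "cookies": {"session": session},
                           "form": {"csrf_token": token}}))
    print(handle_transfer({"method": "POST", "cookies": {"session": "session-B"},
                           "form": {"csrf_token": token}}))
```

To test an application for this weakness the same way, replay a state-changing request with the token removed, with a token taken from a second logged-in session, and as a GET; each replay should be refused, and a 200 on any of them is a finding.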

Cross-Site Tracing (XST) aka TRACE method 

Def 

The TRACE method echoes the received HTTP request back to the client

Example

Retrieval of the target's cookies, which contain either the authentication credentials or the means to bypass access controls

Cause 

The TRACE method is enabled on the production system

TRACE is defined in RFC 2616 (HTTP/1.1), the same specification that allows the GET method to conditionally retrieve information

Fix 

Turn off HTTP TRACE support

If you're using Apache, enable the mod_rewrite module and add the following lines to your httpd.conf file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

If you're using IIS, use UrlScan to filter out every method except GET, POST, and HEAD.

How to test 

Open Burp Suite, choose Repeater, and change the request to something similar to:

TRACE / HTTP/1.0
Header1: <script>alert(document.cookie);</script>

The reply should look like this if TRACE is enabled:

HTTP/1.1 200 OK
Date: Sun, 23 Sep 2007 02:48:05 GMT
Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Header1: <script>alert(document.cookie);</script>
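The same check as the Repeater request above, as an added example that is not from the original post: it builds the TRACE probe (with a random marker header in place of the script tag, since seeing the marker echoed is all that is needed to confirm the method is enabled), parses a raw HTTP reply, and classifies it as TRACE-enabled or not. The 200 plus `Content-Type: message/http` reply is the one shown in the post; the 405 and home-page replies are constructed to show what a blocked server looks like. The `probe` helper and its `X-Probe` header name are assumptions of this example.

```python
import secrets
import socket

# Constructed sample replies (CRLF line endings). The first mirrors the
# enabled-TRACE reply shown in the post; the others are what a server returns
# once TRACE is blocked, or when it answers an unknown method with its home page.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 23 Sep 2007 02:48:05 GMT\r\n"
    b"Server: Apache/1.3.34 (Ubuntu) mod_perl/1.29\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Header1: probe\r\n"
)
SAMPLE_TRACE_BLOCKED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_HOMEPAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"


def build_trace_request(host, marker):
    """TRACE request carrying a random marker header; the marker being echoed
    back is enough to prove the method is enabled."""
    return (
        f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Probe: {marker}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw, marker=None):
    """True if the reply shows the server echoed the request back.

    A 403 from the RewriteRule in the post, a 405 from servers that reject the
    method, and a 200 that merely serves the home page all count as disabled.
    """
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    if headers.get("content-type", "").lower().startswith("message/http"):
        return True
    if body.startswith(b"TRACE "):
        return True
    return marker is not None and marker.encode("ascii") in body


def probe(host, port=80, timeout=5.0):
    """Send the probe over a plain TCP connection and classify the reply."""
    marker = secrets.token_hex(8)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, marker))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks), marker)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("TRACE enabled:", probe(sys.argv[1]))
    else:
        print("sample (enabled):", trace_enabled(SAMPLE_TRACE_ENABLED))
        print("sample (blocked):", trace_enabled(SAMPLE_TRACE_BLOCKED))
```

Run it with no arguments to see the classification of the embedded samples, or with a hostname to check a plain-HTTP server on port 80. After applying the mod_rewrite fix above, the reply becomes a 403 and `trace_enabled` returns False; Apache httpd 2.0.55 and later also accept the `TraceEnable off` directive, which disables the method without needing mod_rewrite.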

SOAP 

Simple Object Access Protocol (SOAP) is an XML-based standard defining a message architecture and message formats. It is used by Web services, and the service contains a description of its operations. WSDL (Web Services Description Language) is an XML-based language for describing Web services and how to access them. SOAP can run over SMTP, HTTP, FTP, etc.
  • Requires middleware support
  • Returns XML based data

REST 

Representational State Transfer (REST) describes RESTful web services, which are second-generation Web services. RESTful web services communicate via HTTP and do not require XML messages or WSDL service-API definitions.

  • No middleware is required
  • REST can return XML, plain text, JSON, HTML, etc.