Web security assessment planning


These notes are sort of logical progression of my late article "Non-intrusive critical data collection" (1), published at bugtraq.ru, 2003 and then to Belorussian print mag "Networked Solutions"..

This is a specific material not intended for general readership due to low interest in subject matter. Though, this may be useful for professionals assessing web security on a regular basis. Techiques introduced could aid in structuring collected data and site-specific info, as well as building a step-by-step checklist for security testing.

Order of actions and storing data is chosen by author's personal preferences (largely influenced by OWASP(2) guides). Any practitioner may, and likely will, use his own set of techniques and way of storing gathered data. Many of online services metioned aren't unique and someone would better code his own or use other similar services.

Notes on OWASP Testing Guide: as of current, official site offers v.3 (349 pages) but earlier it has some OWASP_Testing_Guide_v3.full.pdf (374 pages). Considering the guide's cons, it's somewhat redundant and some of scenarios covered seems to be less likely to actually happen, or very rare to meet.

Nethertheless, advice on organized testing and risk classification system are actually useful. Other guides worth mentioning are Information Technology Security Evaluation and OSSTMM (Open Source Security Testing Methodology Manual).

Resources chosen for demonstration purposes are of some non-compliant service center that breaks customer's devices instead of repairing.

Analysis order.

I use Excel sheets from crafted template to store data collected through the testing. The template includes custom codes for every data type, showing what data was gathered by which action. It also has a check-mark cell to ensure every test was made. Next cell is for actual data (and code). It looks like this:

[RDNS] | Reverse DNS | x | (Reverse DNS data here)

First step is to gather basic resource identifying data like IP, ISP, web server type. I choose combined (ping, DNS, traceroute, basic service scan) service Domain Dossier(3). Firefox addon Server Spy aids web server fingerprinting too.

simservice.ru    = (axx165.distributed.zenon.net)
samsungremont.ru =   (fe16.hc.ru)

Both sites located on shared hostings "Zenon" "Hosting-Center", using nginx and OSCommerce shop engine. simservice.ru indicates PHP/5.2.17. They also use livetex.ru online consulting widget.

To check aforementioned Reverse DNS i use Robtex(5) and BGP Looking Glass(6), thus checking if the hosting is dedicated or shared.

Next, browsing the site itself, having Firefox addon Foxmeter(7) enabled - it's a HTTP/HTTPS sniffer, clearly showing site structure, widgets, server responses. To see what HTTP methods are enabled, i send OPTIONS request using Firefox addon Poster(8) or curl. Both sites tested rejected OPTIONS request (nginx style). It could be helpful to check SSL certificate, if any. Online tool is available at serversniff.net (10). Some cases show that Google dork "victim.com" site:victim.com sometimes bring up unexpected results, like error and backend pages etc. samsungremont.ru replied to .htaccess request by Apache/1.3.42 403 error page (banner-masquerading).

At this stage it's possible to get the picture of the web server and DNS. Additional data could be found in common files robots.txt and sitemap.xml (sitemap.xml.gz). If there's no sitemap.xml, it could be generated online(9) or by a desktop application. Tested sites has default OSCommerce robots.txt, and the sitemap.xml was generated online. Identifying web designer (a company or an individual) could be useful due to repeated design solutions. For example, several companies definitely neglect .htaccess, resulting in directory listing (OWASP-AZ-001) of all of their productions. This case shows both sites were designed by pella.ru with no critical issues (if we don't count ugly background )

ISP corporate site often has useful data on security systems deployed, so it's advised to browse. To exclude repeating this step, a separate sheet is prepared to store data on ISPs: hardware, OS, IP ranges, special domains for customers). During the tests for this article it was interesting to find Zenon's modem pool data:
Guest access - demo:demo

745-7171 - Cisco Systems Access Server 5300
251-1030 - USRobotics MP16

After CMS is fingerprinted fo sure its recommended to get a copy of it. Most cases show that even major companies use free CMSes like Wordpress/Drupal/Joomla!. Non-free engines are could be obtained as trial versions, allowing to examine the structure and potential security issues. Many engines suffers from bugs like WordPress listing or Joomla! mandatory registration, enabling some backend fuctionality.

Next step is to identify data storage path and backend login interface. Accessible administrative interface classified as risk OWASP-CM-007. Test shows both sites' administrative interface located at /admin.

Any server response could bring some critical data like logins and error messages. Sometimes even cookies hold useful data that adds to server analysis. Cookies from tested sites are default OSCommerce and livetex. Internal search engine is a way to gather more data, and any form is a potential attack vector. Search engine discovered.

Concluding, let's recall basic data types gathered by aforementioned tests: IP, DNS records, web server and CMS fingerprints, a CMS copy, site structure, allowed HTTP methods, service files like robots.txt and sitemap.xml, ISP and designer identifications, data storage and administrative iterface paths. Resulting sheet will look like this:

REVERSE DNS  | + | shared
SERVER       | + | nginx 1.4.1
ISP          | + | (axx165.distributed.zenon.net) / (fe16.hc.ru)
SHARED       | + | +
CMS          | + | OSCommerce
SOURCE COPY  | + | +
HTML CHECK   | + | +
ADMIN        | + | /admin
SEARCH       | + | http://samsungremont.ru/advanced_search.php
ERRORS       | + | +
ROBOTS       | + | +
SITEMAP      | + | generic
HTACCESS     | + | 403
COOKIES      | + | +


ALiEN Assault

Inception E-Zine