\”)”>Some of my code snippets are available for view.
, and
This attack injects an IFRAME into the Web application and displays the text “XSS” followed by the session cookie. Figure€12.14 shows the attack in action. There are several XSS vectors available all over the Internet. As XSS essentially relies on the browser and its rendering of HTML and JavaScript, there are certain XSS vectors that will only work on certain browser types. Security Specialist Robert “RSnake” Hansen has an XSS sheat sheet,* which is considered an exhaustive set of XSS attack vectors that may be used by testers and researchers to test Web applications for XSS vulnerabilities.
Figure 12.13â•… Use of the BODY tag to perform an XSS attack. *
The XSS Cheat Sheet may be found at http://www/ha.ckers.org/xss.html.
270 ◾ Secure Java: For Web Application Development
Figure 12.14â•… Use of the IFRAME HTML tag as an XSS vector.
12.2.3.2╇ Testing for SQL Injection Vulnerabilities SQL injection has the infamy of being the most devastating attack against Web applications. SQL injection has also been discussed in Chapters 5 and 10. In an SQL injection attack, the attacker injects or inputs an SQL query into the application’s input field(s) and is able to extract sensitive information from the database, as a result of the crafted query to the database. Databases are the storehouses of information that is accessed by Web applications for their CRUD operations. SQL injection relies on the Web application’s incorrect parsing of SQL commands in a way that user input is parsed as an SQL command by the application to give rise to SQL injection. The first test that a tester can run is by entering a (’) or (;) in the input field along with the input. The (’) is used as a string terminator and the (;) is used to indicate the end of an SQL statement. If the application does not filter the following characters, then the application would throw an error or an exception. This error essentially indicates that the application is unable to create the SQL due to the presence of a character that is part of a dynamically generated SQL statement. Vulnerable application error pages throw detailed error messages where the SQL exception is highlighted along with the full stack trace and the line at which the exception condition occurred. SQL injection has also been used to bypass authentication mechanisms. For instance, a Java application generates an SQL statement to verify the user entered username and password against the database of usernames and passwords. A vulnerable SQL statement might look something like this: ‘SELECT * FROM USERS where username = ‘’ + request. getParameter(“username”) + ’’ AND password = ’ + request. getParameter(“password”) + ’
Such statements are vulnerable to SQL injection as they dynamically generate SQL queries from user input with little or no filtering of user input. The tester can test the authentication mechanism by entering the following user input in the username and password input fields: 1’ OR ‘1’=1
The query that will be dynamically generated is as follows:
Practical Web Application Security Testing ◾ 271 SELECT * FROM USERS where username = ‘1’ OR ‘1’=1 AND PASSWORD = ‘1’ OR ‘1’=1
This query bypasses the authentication system of the application, as ‘1’=1 is an always true condition and the database query will yield the user table being available to the tester. Another attack that can be performed is against an application’s email-password feature. The application provides an input field where the user must enter a validly registered email for the forgotten password to be emailed to the user. A vulnerable application will construct the statement as so: “SELECT email from users where email = ‘ ” + request.getParameter(email) + “ ’ ”
The tester can enter the same attack vector as given above to circumvent the control provided by the email-password feature and compromise the user tables in the Web application. SQL injection attacks may be much more advanced than the ones covered in this section. There are several cases of attacks where databases have been deleted because of SQL injection coupled with inappropriate access control set up on the database. SQL injection is quite an exhaustive topic by itself and requires supplemental reading* to provide a greater insight into the sphere of testing.
12.3╇ Summary In this chapter we began by exploring the approach that an organization or individual can adopt for assessing a Web application for security. As a part of Web application security testing, we delved into the concepts of black-box and white-box testing for Web applications to understand different dimensions of Web application security testing, with a focus on black-box testing, exploring vulnerability assessments and penetration tests. Certain tools that may be used for conducting vulnerability assessments and penetration tests for Web applications were highlighted and explained. Practical security testing techniques were explored in detail. Information gathering and enumeration, Web application access control testing, and testing for data validation were discussed in detail.
*
Additional resources on SQL injection are as follows: Steve Friedl’s Unixwiz.net Tech Tips: http://unixwiz.net/techtips/sql-injection.html SQL Injection Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCIDSS and PA-DSS) The PCI Standards have acquired an extremely important position in the world of information security and compliance today. The objectives of the standard are to protect sensitive cardholder information stored, processed, or transmitted by organizations all over the world. The PCI Standards are divided into the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS). The PCI-DSS is the parent standard that is applicable to organizations storing, processing, or transmitting cardholder information, and the PA-DSS applies to commercially resold applications that are part of a card authorization or settlement process. The PCI-DSS consists of 12 requirements encompassing all aspects of information security including network security requirements, access control, encryption and data protection, logging, and log management apart from other measures like risk management, security policies and procedures, physical security, and so on. The PA-DSS is a subset of the PCI-DSS, which only deals with security implementation and documentation requirements for applications that are to be deployed in a cardholder data environment. Applications are an important aspect of compliance for the PCI Standards. All the security requirements of the standards, such as access control, encryption/data protection, and logging, apply to applications as they are applicable to operating systems, network devices, and so on. We have highlighted relevant sections of the PCI Standards relating to application security in the book. Some of those sections are as follows: ◾⊾ An overview of the PCI Standards has been provided in Section 5.3.2 where the standards (along with other relevant security compliance standards) have been introduced to the readers. The overview of the standards has been provided and some of the important requirements of the standards in relation to Web application security have been explored. 273
274 ◾ Appendix A
◾⊾ Section 7.3.1 delves into the Web application access control requirements of the PCI Standards in great depth. The section details specific requirements of the PCI Standards with reference to access control and details the implementations for these requirements. ◾⊾ Section 8.2.6 deals with the protection of cardholder data stored by an organization through a Web application. Section 8.2.6.1 details the requirements of the PCI Standards with reference to encryption and other data protection techniques like truncation and hashing for the protection of cardholder information at rest. The section discusses Requirement 3 of the PCI Standards and some implementation practices for the same. The section also explores certain sections of Requirement 4 that necessitate the use of encrypted transmission of sensitive information like cardholder information. ◾⊾ Section 9.3 details the logging and log management implementation for Web applications with reference to the PCI Standards. The various logging requirements as specified by Requirement 10 of the PCI Standards have been explored in depth and implementation practices for the same have been highlighted. ◾⊾ Chapter 11 deals with testing Web applications for security, and Section 11.2.4 extensively deals with the vulnerability assessment and penetration testing requirements of the standard. Requirement 11 of the PCI Standards deals almost exclusively with testing the organization’s IT infrastructure for vulnerabilities and performing penetration tests on a periodic basis. The section details the relevant portions of the standard that describe these requirements and also delves into the implementation practices highlighted in other sections of the chapter.
