- Owasp Testing Guide v4
- Frontispiece
- 1. Foreword
- 2. Introduction
- 3. The OWASP Testing Framework
-
4.
Web Application Security Testing
- 4.1. Introduction and Objectives
-
4.2.
Information Gathering
- 4.2.1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)
- 4.2.2. Fingerprint Web Server (OTG-INFO-002)
- 4.2.3. Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
- 4.2.4. Enumerate Applications on Webserver (OTG-INFO-004)
- 4.2.5. Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)
- 4.2.6. Identify application entry points (OTG-INFO-006)
- 4.2.7. Map execution paths through application (OTG-INFO-007)
- 4.2.8. Fingerprint Web Application Framework (OTG-INFO-008)
- 4.2.9. Fingerprint Web Application (OTG-INFO-009)
- 4.2.10. Map Application Architecture (OTG-INFO-010)
-
4.3.
Configuration and Deployment Management Testing
- 4.3.1. Test Network/Infrastructure Configuration (OTG-CONFIG-001)
- 4.3.2. Test Application Platform Configuration (OTG-CONFIG-002)
- 4.3.3. Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
- 4.3.4. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
- 4.3.5. Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
- 4.3.6. Test HTTP Methods (OTG-CONFIG-006)
- 4.3.7. Test HTTP Strict Transport Security (OTG-CONFIG-007)
- 4.3.8. Test RIA cross domain policy (OTG-CONFIG-008)
-
4.4.
Identity Management Testing
- 4.4.1. Test Role Definitions (OTG-IDENT-001)
- 4.4.2. Test User Registration Process (OTG-IDENT-002)
- 4.4.3. Test Account Provisioning Process (OTG-IDENT-003)
- 4.4.4. Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)
- 4.4.5. Testing for Weak or unenforced username policy (OTG-IDENT-005)
-
4.5.
Authentication Testing
- 4.5.1. Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
- 4.5.2. Testing for default credentials (OTG-AUTHN-002)
- 4.5.3. Testing for Weak lock out mechanism (OTG-AUTHN-003)
- 4.5.4. Testing for bypassing authentication schema (OTG-AUTHN-004)
- 4.5.5. Test remember password functionality (OTG-AUTHN-005)
- 4.5.6. Testing for Browser cache weakness (OTG-AUTHN-006)
- 4.5.7. Testing for Weak password policy (OTG-AUTHN-007)
- 4.5.8. Testing for Weak security question/answer (OTG-AUTHN-008)
- 4.5.9. Testing for weak password change or reset functionalities (OTG-AUTHN-009)
- 4.5.10. Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)
- 4.6. Authorization Testing
-
4.7.
Session Management Testing
- 4.7.1. Testing for Bypassing Session Management Schema (OTG-SESS-001)
- 4.7.2. Testing for Cookies attributes (OTG-SESS-002)
- 4.7.3. Testing for Session Fixation (OTG-SESS-003)
- 4.7.4. Testing for Exposed Session Variables (OTG-SESS-004)
- 4.7.5. Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)
- 4.7.6. Testing for logout functionality (OTG-SESS-006)
- 4.7.7. Test Session Timeout (OTG-SESS-007)
- 4.7.8. Testing for Session puzzling (OTG-SESS-008)
-
4.8.
Input Validation Testing
- 4.8.1. Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)
- 4.8.2. Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
- 4.8.3. Testing for HTTP Verb Tampering (OTG-INPVAL-003)
- 4.8.4. Testing for HTTP Parameter pollution (OTG-INPVAL-004)
- 4.8.5. Testing for SQL Injection (OTG-INPVAL-005)
- 4.8.6. Testing for LDAP Injection (OTG-INPVAL-006)
- 4.8.7. Testing for ORM Injection (OTG-INPVAL-007)
- 4.8.8. Testing for XML Injection (OTG-INPVAL-008)
- 4.8.9. Testing for SSI Injection (OTG-INPVAL-009)
- 4.8.10. Testing for XPath Injection (OTG-INPVAL-010)
- 4.8.11. IMAP/SMTP Injection (OTG-INPVAL-011)
- 4.8.12. Testing for Code Injection (OTG-INPVAL-012)
- 4.8.13. Testing for Command Injection (OTG-INPVAL-013)
- 4.8.14. Testing for Buffer overflow (OTG-INPVAL-014)
- 4.8.15. Testing for incubated vulnerabilities (OTG-INPVAL-015)
- 4.8.16. Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
- 4.9. Testing for Error Handling
- 4.10. Testing for weak Cryptography
-
4.11.
Business Logic Testing
- 4.11.1. Test Business Logic Data Validation (OTG-BUSLOGIC-001)
- 4.11.2. Test Ability to Forge Requests (OTG-BUSLOGIC-002)
- 4.11.3. Test Integrity Checks (OTG-BUSLOGIC-003)
- 4.11.4. Test for Process Timing (OTG-BUSLOGIC-004)
- 4.11.5. Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
- 4.11.6. Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
- 4.11.7. Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
- 4.11.8. Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
- 4.11.9. Test Upload of Malicious Files (OTG-BUSLOGIC-009)
-
4.12.
Client Side Testing
- 4.12.1. Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)
- 4.12.2. Testing for JavaScript Execution (OTG-CLIENT-002)
- 4.12.3. Testing for HTML Injection (OTG-CLIENT-003)
- 4.12.4. Testing for Client Side URL Redirect (OTG-CLIENT-004)
- 4.12.5. Testing for CSS Injection (OTG-CLIENT-005)
- 4.12.6. Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
- 4.12.7. Test Cross Origin Resource Sharing (OTG-CLIENT-007)
- 4.12.8. Testing for Cross Site Flashing (OTG-CLIENT-008)
- 4.12.9. Testing for Clickjacking (OTG-CLIENT-009)
- 4.12.10. Testing WebSockets (OTG-CLIENT-010)
- 4.12.11. Test Web Messaging (OTG-CLIENT-011)
- 4.12.12. Test Local Storage (OTG-CLIENT-012)
- 5. Reporting
- 6. Appendix
Testing WebSockets (OTG-CLIENT-010)
Summary
Traditionally the HTTP protocol only allows one request/response per TCP connection. Asynchronous JavaScript and XML (AJAX) allows clients to send and receive data asynchronously (in the background without a page refresh) to the server, however, AJAX requires the client to initiate the requests and wait for the server responses (half-duplex).
HTML5 WebSockets allow the client/server to create a 'full-duplex' (two-way) communication channels, allowing the client and server to truly communicate asynchronously. WebSockets conduct their initial 'upgrade' handshake over HTTP and from then on all communication is carried out over TCP channels by use of frames.
Origin
It is the server’s responsibility to verify the Origin header in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for Top 10 2013-A8-Cross-Site Request Forgery (CSRF) type issues.
Confidentiality and Integrity
WebSockets can be used over unencrypted TCP or over encrypted TLS. To use unencrypted WebSockets the ws:// URI scheme is used (default port 80), to use encrypted (TLS) WebSockets the wss:// URI scheme is used (default port 443). Look out for Top 10 2013-A6-Sensitive Data Exposure type issues.
Authentication
WebSockets do not handle authentication, instead normal application authentication mechanisms apply, such as cookies, HTTP Authentication or TLS authentication. Look out for Top 10 2013-A2-Broken Authentication and Session Management type issues.
Authorization
WebSockets do not handle authorization, normal application authorization mechanisms apply. Look out for Top 10 2013-A4-Insecure Direct Object References and Top 10 2013-A7-Missing Function Level Access Control type issues.
Input Sanitization
As with any data originating from untrusted sources, the data should be properly sanitised and encoded. Look out for Top 10 2013-A1-Injection and Top 10 2013-A3-Cross-Site Scripting (XSS)) type issues.
How to Test
Black Box testing
- Identify that the application is using WebSockets. Inspect the client-side source code for the ws:// or wss:// URI scheme. Use Google Chrome's Developer Tools to view the Network WebSocket communication. *Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab.
- Origin.
- Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If a connection is established the server may not be checking the origin header of the WebSocket handshake.
- Confidentiality and Integrity.
- Check that the WebSocket connection is using SSL to transport sensitive information (wss://).
- Check the SSL Implementation for security issues (Valid Certificate, BEAST, CRIME, RC4, etc). Refer to the Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) section of this guide.
- Authentication.
- WebSockets do not handle authentication, normal black-box authentication tests should be carried out. Refer to the Authentication Testing sections of this guide.
- Authorization.
- WebSockets do not handle authorization, normal black-box authorization tests should be carried out. Refer to the Authorization Testing sections of this guide.
- Input Sanitization.
- Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab to replay and fuzz WebSocket request and responses. Refer to the Testing for Data Validation sections of this guide.
Example 1
Once we have identified that the application is using WebSockets (as described above) we can use the OWASP Zed Attack Proxy (ZAP) to intercept the WebSocket request and responses. ZAP can then be used to replay and fuzz the WebSocket request/responses.
Example 2
Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If the connection is allowed the WebSocket server may not be checking the WebSocket handshake's origin header. Attempt to replay requests previously intercepted to verify that cross-domain WebSocket communication is possible.
Gray Box testing
Gray box testing is similar to black box testing. In gray box testing the pen-tester has partial knowledge of the application. The only difference here is that you may have API documentation for the application being tested which includes the expected WebSocket request and responses.
Tools
- OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- WebSocket Client - https://github.com/RandomStorm/scripts/blob/master/WebSockets.html A WebSocket client that can be used to interact with a WebSocket server.
- Google Chrome Simple WebSocket Client - https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo?hl=en Construct custom Web Socket requests and handle responses to directly test your Web Socket services.
References
Whitepapers
- HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web: http://www.html5rocks.com/en/tutorials/websockets/basics/
- W3C - The WebSocket API: http://dev.w3.org/html5/websockets/
- IETF - The WebSocket Protocol: https://tools.ietf.org/html/rfc6455
- Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH): http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
- Jussi-Pekka Erkkilä - WebSocket Security Analysis: http://juerkkil.iki.fi/files/writings/websocket2012.pdf
- Robert Koch- On WebSockets in Penetration Testing: http://www.ub.tuwien.ac.at/dipl/2013/AC07815487.pdf
- DigiNinja - OWASP ZAP and Web Sockets: http://www.digininja.org/blog/zap_web_sockets.php