After giving my presentation on “Using Proxies to Secure Applications and More” at the TRISC 2009 conference, I decided to attend the presentation by Robert “RSnake” Hansen and Rob MacDougal entitled “Assessing Your Web App Manually Without Hacking It”.  The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript, your web browser) you can spend about an hour looking at the characteristics of a web application in order to estimate what types of vulnerabilities it may have and how many.  My notes on the presentation are below:


Step 1: Exploit Overachievers

  • Maximize value by using free tools
  • OWASP (Open Web Application Security Project)
  • WASC (Web Application Security Consortium)

Step 2: Learn

  • Security is not an arcane art reserved for people with a special gift.  It’s campfire knowledge.
    • Assess your security posture regularly
    • Do not neglect any aspect of your security; bad guys don’t (Social Engineering, Internal Network, Firewall, Web Apps, etc)

Step 3: Chase Your Tail

  • Remember where you started
    • Free tools can provide extreme amounts of value
      • OWASP (Eg: OWASP Testing Guide)
      • WASC
    • There is no magic to security

Tools Needed

  • Web Developer Toolbar
    • POST to GET
    • Response headers
  • NoScript or QuickJava

Estimating Vulnerabilities

  • Site Age – Care & Feeding
    • “Copyright 2003”
    • Alexa
    • Archive.org
    • Whois
    • Last modified date
    • Old server + modules version #’s
    • 2-3 years (2), 3-5 years (3), 5-10 years (4), 10+ (5)
  • Programming Language
    • .cfm (1)
    • AJAX (1)
    • .do/.jsp (1)
    • .cgi/.pl/.shtml (2)
    • .asp (2)
    • .php (2)
    • .aspx/.jspx/.html (0)
    • Languages + Demographics theory
  • Size of the Site / Logic Complexity
    • Surf around manually
      • Sitemap
    • Google inurl: search
    • Spider (added download + added time)
    • Small (0), Medium – typical retailer (1), Large – Yahoo (3)
  • Search
    • XSS tests (1)
      • “Company”
      • I <3 U
    • SQL injection (1)
      • O’Malley
    • DoS (.5)
      • a AND b AND c …
  • Registration
    • Does it exist?  Yes (1)
    • Email validation and/or CAPTCHA (1-2)
    • Password complexity? (1)
    • Can you choose “admin” as a username? (1)
  • Security Functions
    • Does change password enforce password complexity rules?
    • Does change password require the existing password?
    • Can you change email address without a password?
    • Can emails be changed without validating them?
    • Are secret questions “strong”?
  • Contact forms
    • Do they have an email address in a hidden field (1)
    • Submit a blank contact
      • Does it work without an error (1)
    • With and without JavaScript
      • Does it say “Thanks” without JS but errors when JS is turned on (1)
    • Can users contact other users on the site (Eg: Private message) (2)
  • Login
    • Does it use SSL (1)
    • Does it allow auto complete (1)
    • Does it stop me from submitting repeated failed logins (3)
      • Horizontal, Vertical, & Diagonal Brute Force attacks
    • Can you switch POST to GET (1)
      • Session fixation
      • CSRF (1 per major site function, EG: change password, change secret question, change email address, etc)
    • Does it auto-logout (1)
    • javascript:alert(document.cookie) (1)
  • Forgot password flow
    • Does it send the plaintext password (1)
    • Does it send a “small” key (1) – 20 bits or less
    • Does it tell you if your username is valid or not (.5)
  • File Upload
    • Does it check file extensions (.5)
    • Does it check file types (.5)
    • Does it allow re-displaying of the file (1)
  • HTML/JS/CSS Comments
    • Intranet IPs/addresses (.5)
    • Passwords (1)
    • Functionality comments (.5)
  • URL Structure
    • function?path=/files/file.asp (1)
    • something?id=104 (1)
    • search?q=bob&charset=UTF-8 (1)
      • alternate charset
      • header injection
    • redir?url=http://www.cnn.com/ (.5)
    • chngpasswd?usr=bob&pass=1234 (2)
    • /images/ If it shows a directory (1)
  • Obvious admin interfaces (2)
    • /admin/
    • /blog/wp-admin/
    • /administrator/
    • /adm/
    • admin.url.com
  • Outdated Open Source or Commercial Programs
    • PHP nuke
    • WordPress
    • Drupal
    • 3 per instance
    • +1 for every major revision out of date
  • Other questions
    • Does it allow rich HTML user comments (1)
    • Does it have a send-to-friend function (1)
    • Virtual host? (MSN IP search) (1)
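The checks above are meant to be done by hand in a browser, but several of them (site age, language, URL parameter shapes, comments, hidden e-mail fields, autocomplete on password fields) can be answered from a page's markup and response headers alone. The script below is an added example, not code from the talk or from this post: it parses a constructed HTML page and a constructed set of response headers (both defined inline) and tallies points using the weights in the notes. The reference year is fixed to 2009 (the year of the talk) so the result is reproducible, and the parameter names it recognises (`path`, `id`, `charset`, `url`, `pass`/`passwd`/`password`) are my reading of the URL Structure bullets, not a list from the presentation.

```python
"""Passive self-assessment of one page against the scoring notes above.

Added example, not from the talk or the post. Parses a constructed page
and headers and tallies rubric points for the checks that can be answered
from markup and headers alone.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample input; not a real site.
SAMPLE_HEADERS = {
    "Server": "Apache/1.3.37 (Unix) PHP/4.4.2",
    "Last-Modified": "Tue, 04 Mar 2003 10:12:00 GMT",
}
SAMPLE_HTML = """
<html><body>
<!-- TODO: staging box is 10.1.2.3, db password is hunter2 -->
<form action="/login.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/contact.php" method="post">
  <input type="hidden" name="to" value="webmaster@example.com">
</form>
<a href="/redir.php?url=http://www.example.net/">partner</a>
<a href="/search.php?q=bob&charset=UTF-8">search</a>
<a href="/view.php?path=/files/file.php">doc</a>
<p>Copyright 2003 Example Shop</p>
</body></html>
"""

# Weights from the "Programming Language" bullets, keyed by file extension.
LANG_POINTS = {".cfm": 1, ".do": 1, ".jsp": 1, ".cgi": 2, ".pl": 2, ".shtml": 2,
               ".asp": 2, ".php": 2, ".aspx": 0, ".jspx": 0, ".html": 0}
RFC1918 = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class PageCollector(HTMLParser):
    """Collects forms (with their inputs), comments, link targets and text."""

    def __init__(self):
        super().__init__()
        self.forms, self.comments, self.links, self.text = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "autocomplete": a.get("autocomplete", "on").lower(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_data(self, data):
        self.text.append(data)


def age_points(text, headers, current_year):
    """Site-age bucket from the oldest copyright year or Last-Modified year."""
    years = [int(y) for y in re.findall(r"Copyright\s+(\d{4})", text)]
    m = re.search(r"\b(\d{4})\b", headers.get("Last-Modified", ""))
    if m:
        years.append(int(m.group(1)))
    if not years:
        return 0
    age = current_year - min(years)
    return 5 if age >= 10 else 4 if age >= 5 else 3 if age >= 3 else 2 if age >= 2 else 0


def language_points(urls):
    """Highest-weighted extension seen in links and form actions."""
    exts = {os.path.splitext(urlsplit(u).path)[1].lower() for u in urls}
    return max((LANG_POINTS.get(e, 0) for e in exts), default=0)


def url_points(urls):
    """Parameter shapes from the 'URL Structure' bullets (names are my assumption)."""
    pts = 0.0
    for u in urls:
        for name, vals in parse_qs(urlsplit(u).query).items():
            n = name.lower()
            if n == "path" and any("/" in v for v in vals):
                pts += 1                      # function?path=/files/file.asp
            elif n == "id" and all(v.isdigit() for v in vals):
                pts += 1                      # something?id=104
            elif n == "charset":
                pts += 1                      # alternate charset / header injection
            elif n == "url" and any(v.startswith("http") for v in vals):
                pts += 0.5                    # open redirect candidate
            elif n in ("pass", "passwd", "password"):
                pts += 2                      # chngpasswd?usr=bob&pass=1234
    return pts


def comment_points(comments):
    """Intranet IPs (.5), passwords (1), otherwise functionality comments (.5)."""
    pts = 0.0
    for c in comments:
        hit = False
        if RFC1918.search(c):
            pts, hit = pts + 0.5, True
        if re.search(r"pass(word|wd)?", c, re.I):
            pts, hit = pts + 1, True
        if not hit and c.strip():
            pts += 0.5
    return pts


def form_points(forms):
    """Hidden e-mail address in a form (1); autocomplete left on for a password (1)."""
    pts = 0.0
    for f in forms:
        for i in f["inputs"]:
            kind = i.get("type", "").lower()
            if kind == "hidden" and EMAIL.search(i.get("value", "")):
                pts += 1
            if kind == "password" and (i.get("autocomplete") or f["autocomplete"]).lower() != "off":
                pts += 1
    return pts


def assess(html, headers, current_year=2009):
    """Return per-category points plus the total; version strings are reported, not scored."""
    p = PageCollector()
    p.feed(html)
    urls = p.links + [f["action"] for f in p.forms]
    findings = {
        "site_age": age_points("".join(p.text), headers, current_year),
        "language": language_points(urls),
        "url_structure": url_points(urls),
        "comments": comment_points(p.comments),
        "forms": form_points(p.forms),
    }
    findings["total"] = float(sum(findings.values()))
    findings["version_headers"] = re.findall(r"[A-Za-z_-]+/\d[\w.]*", headers.get("Server", ""))
    return findings


if __name__ == "__main__":
    for k, v in assess(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{k:16} {v}")
```

Run against the constructed page it reports 12 points (site age 4, language 2, URL structure 2.5, comments 1.5, forms 2) and lists the `Apache/1.3.37` and `PHP/4.4.2` version strings as site-age evidence. The number is only as good as the heuristics, which is the point of the talk: it is a quick estimate of where a manual review should spend its hour, not a finding.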

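The Login bullets above weight "does it stop me from submitting repeated failed logins" at 3 points and name horizontal, vertical and diagonal brute force. The throttle below is an added example of the server-side control those terms describe, not code from the talk or this post: it keeps sliding-window failure counts per username (vertical: one account, many passwords), per source address (horizontal: one source, many accounts) and across distinct address/account pairs site-wide (diagonal: many sources, many accounts). The thresholds and the `"vertical"`/`"horizontal"`/`"diagonal"` return values are my choices for illustration.

```python
"""Sliding-window failed-login throttle (added example, not from the talk)."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, window=300, per_user=5, per_ip=20, global_distinct=50):
        self.window = window                  # seconds of history to keep
        self.per_user = per_user              # vertical: failures on one account
        self.per_ip = per_ip                  # horizontal: failures from one source
        self.global_distinct = global_distinct  # diagonal: distinct (ip, user) pairs
        self.by_user = defaultdict(deque)     # user -> failure timestamps
        self.by_ip = defaultdict(deque)       # ip -> failure timestamps
        self.pairs = deque()                  # (timestamp, ip, user) for every failure

    def _prune(self, now, user, ip):
        """Drop entries older than the window for the keys being examined."""
        cutoff = now - self.window
        for dq in (self.by_user[user], self.by_ip[ip]):
            while dq and dq[0] < cutoff:
                dq.popleft()
        while self.pairs and self.pairs[0][0] < cutoff:
            self.pairs.popleft()

    def record_failure(self, user, ip, now=None):
        """Call after a failed attempt; key on the submitted username whether or not it exists,
        so the throttle itself does not leak which accounts are real."""
        now = time.monotonic() if now is None else now
        self.by_user[user].append(now)
        self.by_ip[ip].append(now)
        self.pairs.append((now, ip, user))

    def check(self, user, ip, now=None):
        """Return None if the attempt may proceed, else the pattern that tripped."""
        now = time.monotonic() if now is None else now
        self._prune(now, user, ip)
        if len(self.by_user[user]) >= self.per_user:
            return "vertical"
        if len(self.by_ip[ip]) >= self.per_ip:
            return "horizontal"
        if len({(p_ip, p_user) for _, p_ip, p_user in self.pairs}) >= self.global_distinct:
            return "diagonal"
        return None


if __name__ == "__main__":
    t = LoginThrottle(per_user=3)
    for i in range(3):
        t.record_failure("alice", "198.51.100.7", now=100 + i)   # constructed sample traffic
    print(t.check("alice", "198.51.100.7", now=103))   # vertical
    print(t.check("alice", "198.51.100.7", now=500))   # None, window expired
```

The diagonal counter is the one most products lack: a slow, distributed guess against many accounts never trips a per-account or per-source limit, so the site-wide count of distinct pairs is what lets you switch on a CAPTCHA or extra delay for everyone while it is happening.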
Things this doesn’t cover

  • Timing attacks, buffer overflows, etc
  • Network infrastructure flaws (including DNS)
  • Predictable file locations (VCS trees, etc)
  • Logic flaws
  • Backup files/folders/CVS trees, etc
  • Alternate paths of exploitation (email, FTP, APIs, etc)