{ "global": { "action.login": "Login", "action.retry": "Try again", "action.info": "Info", "action.confirm": "Confirm", "action.save": "Save", "action.cancel": "Cancel", "action.return": "Return", "action.exit": "Exit", "action.update": "Update", "action.export": "Export", "action.yes": "Yes", "action.no": "No", "username": "Username", "password": "Password", "no.progress": "No progress" }, "languageKeys":{ "de-DE": "German", "en-US": "English" }, "popup": { "success": "✔", "failure": "✘", "warning": "!", "info": "ⓘ", "error.position": { "permissionDenied": "Permission denied", "timeout": "Timeout" }, "login": { "successful": "Login successful" } }, "login": { "title": "Login", "failed": "Wrong username or password", "unauthorized": "User not found. Please register and try again" }, "project": { "title.label": "Project Title", "client.label": "Name of Client", "tester.label": "Name of Pentester", "title": "Title", "client": "Client", "tester": "Tester", "createdAt": "Created at", "overview": { "add.project": "Add Project", "no.projects": "No projects available" }, "create": { "header": "Create New Project" }, "edit": { "header": "Edit Project" }, "delete": { "title": "Delete Project", "key": "Do you want to permanently delete the project \"{{name}}\"?" }, "validationMessage": { "titleRequired": "Title is required.", "clientRequired": "Client is required.", "testerRequired": "Tester is required." }, "popup": { "not.found": "No projects found", "save.success": "Project saved successfully", "save.failed": "Project could not be saved", "update.success": "Project updated successfully", "update.failed": "Project could not be updated", "delete.success": "Project deleted successfully", "delete.failed": "Project could not be deleted" } }, "categories": { "INFORMATION_GATHERING": "Information Gathering", "CONFIGURATION_AND_DEPLOY_MANAGEMENT_TESTING": "Config & Deploy Management Testing", "IDENTITY_MANAGEMENT_TESTING": "Identity Management Testing", "AUTHENTICATION_TESTING": "Authentication Testing", "AUTHORIZATION_TESTING": "Authorization Testing", "SESSION_MANAGEMENT_TESTING": "Session Management Testing", "INPUT_VALIDATION_TESTING": "Input Validation Testing", "ERROR_HANDLING": "Error Handling", "CRYPTOGRAPHY": "Cryptography", "BUSINESS_LOGIC_TESTING": "Business Logic Testing", "CLIENT_SIDE_TESTING": "Client Side Testing" }, "finding": { "findingId": "Finding Id", "title": "Title", "impact": "Impact", "severity": "Severity", "add": "Add finding", "no.findings": "No findings available" }, "severities": { "low": "Low", "medium": "Medium", "high": "High", "critical": "Critical" }, "pentest": { "testId": "No.", "title": "Title", "findings": "Findings", "comments": "Comments", "status": "Status", "statusText": { "not_started": "Not Started", "disabled": "Disabled", "open": "Open", "in_progress": "In progress", "completed": "Completed" }, "info": { "001": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage", "002": "Fingerprint Web Server", "003": "Review Webserver Metafiles for Information Leakage", "004": "Enumerate Applications on Webserver", "005": "Review Webpage Comments and Metadata for Information Leakage", "006": "Identify application entry points", "007": "Map execution paths through application", "008": "Fingerprint Web Application Framework", "009": "Fingerprint Web Application", "010": "Map Application Architecture" }, "config": { "001": "Test Network/Infrastructure Configuration", "002": "Test Application Platform Configuration", "003": "Test File Extensions Handling for Sensitive Information", "004": "Backup and Unreferenced Files for Sensitive Information", "005": "Enumerate Infrastructure and Application Admin Interfaces", "006": "Test HTTP Methods", "007": "Test HTTP Strict Transport Security", "008": "Test RIA cross domain policy" }, "ident": { "001": "Test Role Definitions", "002": "Test User Registration Process", "003": "Test Account Provisioning Process", "004": "Testing for Account Enumeration and Guessable User Account", "005": "Testing for Weak or unenforced username policy", "006": "Test Permissions of Guest/Training Accounts", "007": "Test Account Suspension/Resumption Process" }, "authn": { "001": "Testing for Credentials Transported over an Encrypted Channel", "002": "Testing for default credentials", "003": "Testing for Weak lock out mechanism", "004": "Testing for bypassing authentication schema", "005": "Test remember password functionality", "006": "Testing for Browser cache weakness", "007": "Testing for Weak password policy", "008": "Testing for Weak security question/answer", "009": "Testing for weak password change or reset functionalities", "010": "Testing for Weaker authentication in alternative channel" }, "authz": { "001": "Testing Directory traversal/file include", "002": "Testing for bypassing authorization schema", "003": "Testing for Privilege Escalation", "004": "Testing for Insecure Direct Object References" }, "sess": { "001": "Testing for Bypassing Session Management Schema", "002": "Testing for Cookies attributes", "003": "Testing for Session Fixation", "004": "Testing for Exposed Session Variables", "005": "Testing for Cross Site Request Forgery", "006": "Testing for logout functionality", "007": "Test Session Timeout", "008": "Testing for Session puzzling" }, "inpval": { "001": "Testing for Reflected Cross Site Scripting", "002": "Testing for Stored Cross Site Scripting", "003": "Testing for HTTP Verb Tampering", "004": "Testing for HTTP Parameter pollution", "005": "Testing for SQL Injection", "005_1": "Oracle Testing", "005_2": "MySQL Testing", "005_3": "SQL Server Testing", "005_4": "Testing PostgreSQL", "005_5": "MS Access Testing", "005_6": "Testing for NoSQL Injection", "006": "Testing for LDAP Injection", "007": "Testing for ORM Injection", "008": "Testing for XML Injection", "009": "Testing for SSI Injection", "010": "Testing for XPath Injection", "011": "IMAP/SMTP Injection", "012": "Testing for Code Injection", "012_1": "Testing Local File Inclusion", "012_2": "Testing Remote File Inclusion", "013": "Testing for Command Injection", "014": "Testing for Buffer overflow", "014_1": "Testing for Heap overflow", "014_2": "Testing for Stack overflow", "014_3": "Testing for Format string", "015": "Testing for incubated vulnerabilities", "016": "Testing for HTTP Splitting/Smuggling" }, "err": { "001": "Analysis of Error Codes", "002": "Analysis of Stack Traces" }, "crypst": { "001": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection", "002": "Testing for Padding Oracle", "003": "Testing for Sensitive information sent via unencrypted channels" }, "buslogic": { "001": "Test Business Logic Data Validation", "002": "Test Ability to Forge Requests", "003": "Test Integrity Checks", "004": "Test for Process Timing", "005": "Test Number of Times a Function Can be Used Limits", "006": "Testing for the Circumvention of Work Flows", "007": "Test Defenses Against Application Mis-use", "008": "Test Upload of Unexpected File Types", "009": "Test Upload of Malicious Files" }, "client": { "001": "Testing for DOM based Cross Site Scripting", "002": "Testing for JavaScript Execution", "003": "Testing for HTML Injection", "004": "Testing for Client Side URL Redirect", "005": "Testing for CSS Injection", "006": "Testing for Client Side Resource Manipulation", "007": "Test Cross Origin Resource Sharing", "008": "Testing for Cross Site Flashing", "009": "Testing for Clickjacking", "010": "Testing WebSockets", "011": "Test Web Messaging", "012": "Test Local Storage" } }, "objectives": { "info": { "001": "The objective is to understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).\n\n There are direct and indirect elements to search engine discovery and reconnaissance. \n Direct methods relate to searching the indexes and the associated content from caches.\n Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups, and tendering websites.\n\n Use a search engine to search for:\n• Network diagrams and configurations\n• Archived posts and emails by administrators and other key staff\n• Log on procedures and username formats\n• Usernames and passwords\n• Error message content\n• Development, test, UAT and staging versions of the website", "002": "The objective is to find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing.\n\n Web server fingerprinting is a critical task for the penetration tester.\nKnowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.\n\n There are several different vendors and versions of web servers on the market today. Knowing the type of web server that is being tested significantly helps in the testing process and can also change the course of the test. The simplest and most basic form of identifying a web server is to look at the Server field in the HTTP response header.\n\n By knowing how each type of web server responds to specific commands and keeping this information in a web server fingerprint database, a penetration tester can send these commands to the web server, analyze the response, and compare it to the database of known signatures.", "003": "The objective here is to check the robots.txt file for information leakage of the web application’s directory or folder path(s).\n\n 1. Information leakage of the web application’s directory or folder path(s). \n 2. Create the list of directories that are to be avoided by Spiders, Robots, or Crawlers. \n\n Furthermore, the list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application.\n Web Spiders, Robots, or Crawlers retrieve a web page and then recursively traverse hyperlinks to retrieve further web content. Their accepted behavior is specified by the Robots Exclusion Protocol of the robots.txt file in the web root directory.", "004": "The objective is enumerate the applications within scope that exist on a web server.\n\n Many applications have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or to exploit data. In addition, many applications are often misconfigured or not updated. \n Web application discovery is a process aimed at identifying web applications on a given infrastructure. The latter is usually specified as a set of IP addresses (maybe a net block), but may consist of a set of DNS symbolic names or a mix of the two.", "005": "The objective is to review webpage comments and metadata to better understand the application and to find any information leakage.\n\n HTML comments are often used by the developers to include debugging information about the application. Sometimes they forget aboutthe comments and they leave them on in production.\n\n Check HTML source code for comments containing sensitive information that can help the attacker gain more insight about the application. It might be SQL code, usernames and passwords, internal IP addresses, or debugging information.", "006": "The objective is to understand how requests are formed and typical responses from the application.\n\n Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.\n\n While walking through the application, pay special attention to all HTTP requests (GET and POST Methods, also known as Verbs), as well as every parameter and form field that is passed to the application.\n In addition, take note of any interesting parameters in the URL, custom headers, or body of the requests/responses, and save them. \n Once every area of the application is mapped out, go through the application and test each of the areas that have been identified and make notes for what worked and what didn’t work.", "007": "The objective is to Map the target application and understand the principal workflows.\n\n Before commencing security testing, understanding the structure of the application is paramount.\nThere are several ways to approach the testing and measurement of code coverage:\n\n 1. Path:\n Test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch.\n\n 2. Data flow (or taint analysis): \n Tests the assignment of variables via external interaction (normally users).\n Focuses on mapping the flow, transformation and use of data throughout an application.\n\n 3. Race:\n Tests multiple concurrent instances of the application manipulating the same data.", "008": "The objective is to define type of used web framework so as to have a better understanding of the security testing methodology. \n\n Knowing the type of framework can automatically give a great advantage if such a framework has already been tested by the penetration tester. It is not only the known vulnerabilities in unpatched versions but specific misconfigurations in the framework and known file structure that makes the fingerprinting process so important.\n\n There are several most common locations to look in in order to define the current framework:\n• HTTP headers\n• Cookies\n• HTML source code\n• Specific files and folders", "009": "The objective is to identify the web application and version to determine known vulnerabilities and the appropriate exploits to use during testing.\n\n With the vast number of free and open source software projects that are actively developed and deployed around the world, it is very likely that an application security test will face a target site that is entirely or partly dependent on these well known applications (e.g. Wordpress, phpBB, Mediawiki, etc).\n\nKnowing the web application components that are being tested significantly helps in the testing process.\nThese well known web applications have known HTML headers, cookies, and directory structures that can be enumerated to identify the application.", "010": "The application architecture needs to be mapped through some test to determine what different components are used to build the web application.\n\n In small setups, such as a simple CGI-based application, a single server might be used that runs the web server which executes the C, Perl, or Shell CGIs application, and perhaps also the authentication mechanism.\n On more complex setups multiple servers might be involved. These may include a reverse proxy, a frontend web server, an application server and a database server or LDAP server. \nEach of these servers will be used for different purposes and might be even be divided in different networks with firewalls between them (DMZs). \n\n In addition, understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself." }, "config": { "001": "The intrinsic complexity of interconnected and heterogeneous webserver infrastructure, which can include hundreds of web applications, makes configuration management and review a fundamental step in testing and deploying every single application. It takes only a single vulnerability to undermine the security of the entire infrastructure. In order to address these problems, it is of utmost importance to perform an indepth review of configuration and known security issues.\n\nThe following steps need to be taken to test the configuration management infrastructure:\n\nStep 1:\n The different elements that make up the infrastructure need to be determined in order to understand how they interact with a web application and how they affect its security.\n\nStep 2:\n All the elements of the infrastructure need to be reviewed in order to make sure that they don’t contain any known vulnerabilities.\n\nStep 3:\n A review needs to be made of the administrative tools used to maintain all the different elements.\n\nStep 4:\n The authentication systems, need to reviewed in order to assure that they serve the needs of the application and that they cannot be manipulated by external users to leverage access.\n\nStep 5:\n A list of defined ports which are required for the application should be maintained and kept under change control.", "002": "Configuration review and testing is a critical task in creating and maintaining an architecture. This is because many different systems will be usually provided with generic configurations that might not be suited to the task they will perform on the specific site they’re installed on.\n\n While the typical web and application server installation will contain a lot of functionality (like application examples, documentation, test pages) what is not essential should be removed before deployment to avoid post-install exploitation. \n\nCGI scanners include a detailed list of known files and directory samples that are provided by different web or application servers.\nAlso will event logs often contain data that is useful to an attacker (information leakage) or can be used directly in exploits.", "003": "File extensions are commonly used in web servers to easily determine which technologies, languages and plugins must be used to fulfill the web request. \nWhile this behavior is consistent with RFCs and Web Standards, using standard file extensions provides the penetration tester useful information about the underlying technologies used in a web appliance. \n\n Determining how web servers handle requests corresponding to files having different extensions may help in understanding web server behavior depending on the kind of files that are accessed.\n\nThe following file extensions should never be returned by a web server, since they are related to files which may contain sensitive information:\n • .asa\n• .inc \n\n The following file extensions are related to files which, when accessed, are either displayed or downloaded by the browser. \n Therefore, files with these extensions must be checked to verify that they are indeed supposed to be served:\n• .zip, .tar, .gz, .tgz, .rar, ...: (Compressed) archive files\n• .java: No reason to provide access to Java source files\n• .txt: Text files\n• .pdf: PDF documents\n• .doc, .rtf, .xls, .ppt, ...: Office documents\n• .bak, .old and other extensions indicative of backup files \n\n To identify files having a given extensions a mix of techniques can be employed. \nThese techniques can include Vulnerability Scanners, spidering and mirroring tools, manually inspecting the application or querying search engines.", "004": "An important source of vulnerability lies in files which have nothing to do with the application, but are created as a consequence of editing application files, or after creating on-the-fly backup copies, or by leaving in the web tree old files or unreferenced files.\n\n Theoretically the examination should be performed by hand to be thorough. However, since in most cases copies of files or backup files tend to be created by using the same naming conventions, the search can be easily scripted.", "005": "Administrator interfaces may be present in the application or on the application server to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.\n\nAn application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. \nSuch changes may include: \n• user account provisioning\n• site design and layout \n• data manipulation\n• configuration changes\n\nThe following describes vectors that may be used to test for the presence of administrative interfaces: \n• Directory and file enumeration \n• Brute forcing tools like THC-HYDRA \n• Comments and links in source code \n• Reviewing server and application documentation \n• Publicly available information (e.g. default passwords) \n• Alternative server port \n• Parameter tampering", "006": "To perform this test, the tester needs some way to figure out which HTTP methods are supported by the web server that is being examined. The OPTIONS HTTP method provides the tester with the most direct and effective way to do that. RFC 2616 states that, “The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI”.\n\n Some of the HTTP methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, the methods that should be disabled are the following: \n• PUT: allows client to upload files to web server \n• DELETE: allwas client to delete files from web server \n• CONNECT: allows client to use web server as proxy \n• TRACE: echoes back to client whatever he sent to server", "007": "The HTTP Strict Transport Security (HSTS) feature lets a web application to inform the browser, through the use of a special response header, that it should never establish a connection to the the specified domain servers using HTTP.\n\n The HTTP strict transport security header uses two directives: \n• max-age \n• includeSubDomains \n\nTesting for the presence of HSTS header can be done by checking for the existence of the HSTS header in the server’s response in an interception proxy, or by using curl.", "008": "Rich Internet Applications (RIA) have adopted Adobe’s crossdomain.xml policy files to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. \nHowever, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks. \n\n To test for RIA policy file weakness the tester should try to retrieve the policy files crossdomain.xml and clientaccesspolicy.xml from the application’s root, and from every folder found." }, "ident": { "001": "The objective is to validate the system roles defined within the application sufficiently define and separate each system and business role to manage appropriate access to system functionality and information. \n\n It is common in modern enterprises to define system roles to manage users and authorization to system resources. \nImportant to remember is that cold, hard authorization isn’t the only way to manage access to system objects. In more trusted environments where confidentiality is not critical, softer controls such as application workflow and audit logging can support data integrity requirements while not restricting user access to functionality.\n\n Either with or without the help of the system developers or administrators, develop an role versus permission matrix. The matrix should enumerate all the roles that can be provisioned and explore the permissions that are allowed.", "002": "Some websites offer a user registration process that automates (or semi-automates) the provisioning of system access to users. The identity requirements for access vary from positive identification to none at all, depending on the security requirements of the system. \n\n Step 1: \n Verify that the identity requirements for user registration are aligned with business and security requirements. \n\n Step 2: \n Validate the registration process. \n\n Verify that the identity requirements for user registration are aligned with business and security requirements: \n• Can anyone register for access? \n• Are registrations vetted by a human? \n• Can the same person or identity register multiple times? \n• Can users register for different roles or permissions? \n• What proof of identity is required for a registration? \n• Are registered identities verified? \n\n Validate the registration process: \n • Can identity information be easily forged or faked? \n • Can the exchange of identity information be manipulated?", "003": "Verify which accounts may provision other accounts and of what type. \n\n The provisioning of accounts presents an opportunity for an attacker to create a valid account without application of the proper identification and authorization process.\nDetermine which roles are able to provision users and what sort of accounts they can provision.", "004": "The scope of this test is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application. \nThis test will be useful for brute force testing, in which the tester verifies if, given a valid username, it is possible to find the corresponding password. \n\nIn some cases, a message is received that reveals if the provided credentials are wrong because an invalid username or an invalid password was used. Sometimes, testers can enumerate the existing users by sending a username and an empty password. \n If the application is vulnerable, the tester receives a response message that reveals, directly or indirectly, some information useful for enumerating users.", "005": "The objective is to determine whether a consistent account name structure renders the application vulnerable to account enumeration. Determine whether the application’s error messages permit account enumeration. \n\n User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed. \n • Determine the structure of account names.\n• Evaluate the application’s response to valid and invalid account names.\n• Use different responses to valid and invalid account names to enumerate valid account names.\n• Use account name dictionaries to enumerate valid account names.", "006": "Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. \n Evaluate consistency between access policy and guest/training account access permissions.", "007": "Verify the identity requirements for user registration align with business/security requirements. \n\nValidate the registration process." }, "authn": { "001": "The analysis focuses simply on trying to understand if the data travels unencrypted from the web browser to the server, or if the web application takes the appropriate security measures using a protocol like HTTPS. \n\n Testing for credentials transport means verifying that the user’s\nauthentication data are transferred via an encrypted channel to avoid being intercepted by malicious users. \n\n You can use WebScarab or any web proxy in order to capture packet headers and to inspect them. \n Check if HTTPS is used in every sensitive request, like those in log in pages, to prevent unauthorized users to intercept the data.", "002": "Often are applications, once installed, not properly configured and the default credentials provided for initial authentication and configuration are never changed. \n\n When you have identified an application interface, for example a Cisco router web interface or a Weblogic administrator portal, check that the known usernames and passwords for these devices do not result in successful authentication. To do this you can consult the manufacturer’s documentation or, in a much simpler way, you can find common credentials using a search engine or by using one of the sites or tools listed in the Reference section. \n\n When facing applications where we do not have a list of default and common user accounts we can attempt to guess valid default credentials. \n Many applications have verbose error messages that inform the site users as to the validity of entered usernames. This information will be helpful when testing for default or guessable user accounts. \n\nSince these types of default credentials are often bound to administrative accounts you can try the following usernames for the start: \n• admin \n• administrator \n• root \n• system \n• guest \n• operator \n• super", "003": "Account lockout mechanisms are used to mitigate brute force password guessing attacks. Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or intervention by an administrator. \n\n Typically, to test the strength of lockout mechanisms, you will need access to an account that you are willing or can afford to lock: \n\n Step 1: \n Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. \n\n Step 2: \nEvaluate the unlock mechanism’s resistance to unauthorized account unlocking. \n\n Without a strong lockout mechanism, the application may be susceptible to brute force attacks. After a successful brute force attack, a malicious user could have access to: \n• Confidential information or data \n• Administration panels \n• Opportunities for further attacks", "004": "While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. \n\n There are several methods of bypassing the authentication schema that is used by a web application: \n• Direct page request (forced browsing) \n• Parameter modification \n• Session ID prediction \n• SQL Injection", "005": "Browsers will sometimes ask a user if they wish to remember the password that they just entered. \n\n Having the browser store passwords is not only a convenience for end-users, but also for an attacker. If an attacker can gain access to the victim’s browser (e.g. XSS attack), then they can retrieve the stored passwords. \n Additionally where custom “remember me” functions are put in place weaknesses in how the token is stored on the client PC could expose the users passwords. \n\n Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in cookies: \n• Look for passwords stored in cookie \n• Examine the hashing mechanism \n• Verify that credentials are only send during login \n• Consider sensitive form fields", "006": "Browsers can store information for purposes of caching and history. Caching is used to improve performance, so that previously displayed information doesn’t need to be downloaded again. \n If sensitive information is displayed to the user, then this information could be stored for purposes of caching or history, and therefore retrievable through examining the browser’s cache or by simply pressing the browser’s “Back” button. \n\n Technically, the “Back” button is a history and not a cache. The cache and the history are two different entities. However, they share the same weakness of presenting previously displayed sensitive information. \n\nThe “Back” button can be stopped from showing sensitive data. \nThis can be done by: \n• Delivering the page over HTTPS. \n• Setting Cache-Control: must-re-validate", "007": "The most prevalent and most easily administered authentication mechanism is a static password. It is lamented that most common passwords are still: 123456, password and qwerty. \n\nDetermine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords. \n\n Step 1: \n What characters are permitted and forbidden for use within a password? \nIs the user required to use characters from different character sets such as lower and uppercase letters, digits and special symbols? \n\n Step 2: \n How often can a user change their password? \nHow quickly can a user change their password after a previous change? \n Users may bypass password history requirements by changing their password 5 times in a row. \n\n Step 3: \n When must a user change their password? \nAfter 90 days? \nAfter account lockout due to excessive log on attempts? \n\n Step 4: \n How often can a user reuse a password? \n Does the application maintain a history of the user’s previous used 8 passwords? \n\n Step 5: \n How different must the next password be from the last password? \n\n Step 6: \nIs the user prevented from using his username or other account information (such as first or last name) in the password?", "008": "Often called “secret” questions and answers, security questions and answers are often used to recover forgotten passwords, or as extra security on top of the password. \n\n They are typically generated upon account creation and require the user to select from some pre-generated questions and supply an appropriate answer. They may allow the user to generate their own question and answer pairs. \n Both methods are prone to insecurities. Ideally, security questions should generate answers that are only known by the user, and not guessable or discoverable. \n\n The key to successfully exploiting and bypassing a weak security question scheme is to find a question or set of questions which give the possibility of easily finding the answers. \n\n Step 1: \nTry to obtain a list of security questions by creating a new account or by following the “I don’t remember my password”-process.\n\n Step 2: \n Try to create security questions by creating a new account or by configuring your existing account’s password recovery properties.\nIf the system allows the user to generate their own security questions, it is vulnerable to having insecure questions created. \n\n Step 3: \n Determine if a number of incorrectly supplied security answers trigger a lockout mechanism.", "009": "The password change and reset function of an application is a self-service password change or reset mechanism for users. \n This self-service mechanism allows users to quickly change or reset their password without an administrator intervening. \n\n Step 1: \n Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account. \n\n Step 2: \nDetermine the resistance of the passwords reset functionality against guessing or bypassing. \n\n For both password change and password reset it is important to check.. \n\n.. if users, other than administrators, can change or reset passwords for accounts other than their own. \n.. if users can manipulate or subvert the password change or reset process. \n.. if the password change or reset process is vulnerable to CSRF.", "010": "Even if the primary authentication mechanisms do not include any vulnerabilities, it may be that vulnerabilities exist in alternative legitimate authentication user channels for the same user accounts. \n\n Tests should be undertaken to identify alternative channels and, subject to test scoping, identify vulnerabilities. \n Some of these channels may themselves be separate web applications using different host names or paths. For example: \n• Standard website \n• Mobile website \n• Accessibility optimized website \n• Parallel websites that utilize same user accounts \n• Development, UAT and versions of the standard website \n\n But they could also be other types of application or business processes: \n• Mobile device app \n• Desktop application \n• Call center operators \n• Interactive voice response or phone tree systems" }, "authz": { "001": "Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an aggressor could exploit the system in order to read or write files that are not intended to be accessible. In particular situations, it could be possible to execute arbitrary code or system commands. \n\n In web servers and web applications, this kind of problem arises in path traversal/file include attacks. During an assessment, to discover path traversal and file include flaws, testers need to perform two different stages: \n\n Stage 1: \n Input Vectors Enumeration (a systematic evaluation of each input vector) \n\n Stage 2: \n Testing Techniques (a methodical evaluation of each attack technique used by an attacker to exploit the vulnerability) \n\n The next stage of testing is analyzing the input validation functions present in the web application. Using the previous example, the dynamic page called getUserProfile.jsp loads static information from a file and shows the content to users. An attacker could insert the malicious string “../../../../etc/passwd” to include the password hash file. \n It’s a common mistake by developers to not expect every form of encoding and therefore only do validation for basic encoded content. If at first the test string isn’t successful, try another encoding scheme.", "002": "This kind of test focuses on verifying how the authorization schema has been implemented for each role or privilege to get access to reserved functions and resources. \n\nFor every specific role the tester holds during the assessment, for every function and request that the application executes during the post-authentication phase, it is necessary to verify: \n • Is it possible to access that resource even if the user is not authenticated? \n • Is it possible to access that resource after the log-out? \n • Is it possible to access functions and resources that should be accessible to a user that holds a different role or privilege? \n\n Try to access the application as an administrative user and track all the administrative functions: \n • Is it possible to access administrative functions also if the tester is logged as a user with standard privileges?\n• Is it possible to use these administrative functions as a user with adifferent role and for whom that action should be denied?", "003": "Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed. \n\n During this phase, the tester should verify that it is not possible for a user to modify his or her privileges or roles inside the application in ways that could allow privilege escalation attacks. \n The degree of escalation depends on what privileges the attacker is authorized to possess, and what privileges can be obtained in a successful exploit. \n\n In every portion of the application where a user can create information in the database (e.g., making a payment, or sending a message), can receive information (statement of account, order details, etc.), or delete information (drop user, messages, etc.), it is necessary to record that functionality. \n Try to access such functions as another user in order to verify if it is possible to access a function that should not be permitted by the user’s role/privilege.", "004": "Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. \n As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. \n\n Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. \n\n To test for this vulnerability the tester first needs to map out all locations in the application where user input is used to reference objects directly. \n The best way to test for direct object references would be by having at least two (often more) users to cover different owned objects and functions. \n By having multiple users the tester saves valuable testing time in guessing different object names as he can attempt to access objects that belong to the other user." }, "sess": { "001": "In order to avoid continuous authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. \n These mechanisms are known as Session Management. \n\n In this test, the tester wants to check that cookies and other session tokens are created in a secure and unpredictable way. An attacker who is able to predict and forge a weak cookie can easily hijack the sessions of legitimate users. \n Due to the importance of the data that they store, cookies are there fore vital in the overall security of the application. In this test the tester has to check whether the cookies issued to clients can resist a wide range of attacks aimed to interfere with the sessions of legitimate users and with the application itself. \n\n Usually the main steps of the attack pattern are the following: \n• cookie collection \n• cookie reverse engineering \n• cookie manipulation \n\n Another pattern of attack consists of overflowing a cookie. Strictly speaking, this attack has a different nature, since here testers are not trying to recreate a perfectly valid cookie. Instead, the goal is to overflow a memory area, thereby interfering with the correct behavior of the application.", "002": "Cookies are often a key attack vector for malicious users and the application should always take due diligence to protect cookies. This section looks at how an application can take the necessary precautions when assigning cookies, and how to test that these attributes have been correctly configured. \n\n Due to the sensitive nature of information in cookies, they are typically encoded or encrypted in an attempt to protect the information they contain. \n Once the tester has an understanding of how cookies are set, when they are set, what they are used for, why they are used, and their importance, they should take a look at what attributes can be set for a cookie and how to test if they are secure. \n\nBy using an intercepting proxy or traffic intercepting browser plugin, trap all responses where a cookie is set by the application (using the Set-cookie directive) and inspect the cookie for the following:\n• Secure Attribute\n• HttpOnly Attribute\n• Domain Attribute\n• Path Attribute\n• Expires Attribute", "003": "When an application does not renew its session cookie(s) after a successful user authentication, it could be possible to find a session fixation vulnerability and force a user to utilize a cookie known by the attacker. In that case, an attacker could steal the user session (session hijacking).\n\n Session fixation vulnerabilities occur when..\n .. a web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user \n.. an attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session. \n\n In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier, giving the attacker access to the user’s account through the active session.", "004": "The Session Tokens (Cookie, SessionID, Hidden Field), if exposed, will usually enable an attacker to impersonate a victim and access the application illegitimately. It is important that they are protected from eavesdropping at all times, particularly whilst in transit between the client browser and the application servers. \n\n Using a personal proxy, it is possible to ascertain the following about each request and response: \n • Protocol used (e.g., HTTP vs. HTTPS) \n • HTTP Headers \n • Message Body (e.g., POST or page content) \n\n Protection from eavesdropping is often provided by SSL encryption, but may incorporate other tunneling or encryption. If the Session ID could be presented by an attacker to the application to gain access, then it must be protected in transit to mitigate that risk. It should therefore be ensured that encryption is both the default and enforced for any request or response where the Session ID is passed, regardless of the mechanism used. \n\n Every time the authentication is successful, the user should expect to receive: \n• A different session token \n• A token sent via encrypted channel for every HTTP Request ", "005": "CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.\nA successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application. \n CSRF relies on the following: \n\n Point 1: \n Web browser behavior regarding the handling of session-related information such as cookies and http authentication information; \n\n Point 2: \n Knowledge by the attacker of valid web application URLs; \n\n Point 3: \n Application session management relying only on information which is known by the browser; \n\n Point 4: \n Existence of HTML tags whose presence cause immediate access to an http[s] resource; for example the image tag img \n\n The tester must know URLs in the restricted (authenticated) area. If they possess valid credentials, they can assume both roles – the attacker and the victim. In this case, testers know the URLs to be tested just by browsing around. \n\n If session management relies only on client side values (information available to the browser), then the application is vulnerable. \n For an application to not be vulnerable, it must include session-related information in the URL, in a form of unidentifiable or unpredictable by the user.", "006": "Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session tokens decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. \n\n A secure session termination requires at least the following components: \n • Availability of user interface controls that allow the user to manually log out \n • Session termination after a given amount of time without activity (session timeout) \n • Proper invalidation of server-side session state \n\n The proper value for the session timeout depends on the purpose of the application and should be a balance of security and usability.", "007": "In this phase testers check that the application automatically logs out a user when that user has been idle for a certain amount of time, ensuring that it is not possible to “reuse” the same session and that no sensitive data remains stored in the browser cache. \n\n The idle timeout limits the chances that an attacker has to guess and use a valid session ID from another user, and under certain circumstances could protect public computers from session reuse. Session timeout management and expiration must be enforced server-side. If some data under the control of the client is used to enforce the session timeout, an attacker could manipulate these to extend the session duration. \n\n Step 1: \nTesters have to check whether a timeout exists, for instance, by logging in and waiting for the timeout log out to be triggered. As in the log out function, after the timeout has passed, all session tokens should be destroyed or be unusable. \n\n Step 2: \n If the timeout is configured, testers need to understand whether the timeout is enforced by the client or by the server. \n\n As a general rule, everything should be checked server-side and it should not be possible, by re-setting the session cookies to previous values, to access the application again.", "008": "Session Variable Overloading (Session Puzzling) is an application level vulnerability which can enable an attacker to perform a variety of malicious actions, including by not limited to.. \n.. bypass efficient authentication enforcement mechanisms, and impersonate legitimate users. \n.. elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof. \n.. skip over qualifying phases in multi-phase processes, even if the process includes code level restrictions. \n.. manipulate server-side values in indirect methods that cannotbe predicted or detected. \n.. execute traditional attacks in locations that were previously unreachable, or even considered secure. \n\n This vulnerability occurs when an application uses the same session variable for more than one purpose. It can be detected and exploited by enumerating all of the session variables used by the application and in which context they are valid. In particular this is possible by accessing a sequence of entry points and then examining exit points." }, "inpval": { "001": "Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. \nThe injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. \nThe attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim. One of the primary difficulties in preventing XSS vulnerabilities is proper character encoding. \n In some cases, the web server or the web application could not be filtering some encodings of characters, so, for example, the web application might filter out “ to the affected page URL which would, when executed, display the alert box. In this instance, the appended code would not be sent to the server as everything after the # character is not treated as part of the query by the browser but as a fragment. \n\n Testing for DOM-Based XSS vulnerabilities:\n Blackbox testing for DOM-Based XSS is not usually performed since access to the source code is always available as it needs to be sent to the client to be executed. \n Many websites rely on large libraries of functions, which often stretch into the hundreds of thousands of lines of code and have not been developed in-house. In these cases, top-down testing often becomes the only really viable option. \n The same can also be said for top-down testing if the inputs or lack thereof is not identified to begin with. User input comes in two main forms: \n • Input written to the page by the server in a way that does not allow direct XSS \n • Input obtained from client-side JavaScript objects \n\n Automated testing has only very limited success at identifying and validating DOM-based XSS as it usually identifies XSS by sending a specific payload and attempts to observe it in the server response. \n Manual testing should therefore be undertaken and can be done by examining areas in the code where parameters are referred to that may be useful to an attacker.", "002": "A JavaScript Injection vulnerability is a subtype of Cross Site Scripting (XSS) that involves the ability to inject arbitrary JavaScript code that is executed by the application inside the victim’s browser. \n This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims or the application behavior. \n\n Such vulnerability occurs when the application lacks of a proper user supplied input and output validation. JavaScript is used to dynamically populate web pages, this injection occur during this content processing phase and consequently affect the victim. \n When trying to exploit this kind of issues, consider that some characters are treated differently by different browsers.", "003": "HTML injection is a type of injection issue that occurs when a\nuser is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. \nThis vulnerability can have many consequences, like disclosure\nof a user’s session cookies that could be used to impersonate the\nvictim, or, more generally, it can allow the attacker to modify the\npage content seen by the victims. \n\n This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context. \n\n There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with an untrusted input, then there is an high risk of XSS. \n Malicious HTML code could be injected for example via innerHTML, that is used to render user inserted HTML code. An improper usage of this property, that means lack of sanitization from untrusted input and missing output encoding. \n If strings are not correctly sanitized the problem could lead to XSS based HTML injection.\n Another method could be document.write() \n\n When trying to exploit this kind of issues, consider that some characters are treated differently by different browsers.", "004": "Client Side URL Redirection, also known as Open Redirection, is an input validation flaw that exists when an application accepts an user controlled input which specifies a link that leads to an external URL that could be malicious. \nThis kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page. \n\nThis vulnerability occurs when an application accepts untrusted input that contains an URL value without sanitizing it. This URL value could cause the web application to redirect the user to another page as, for example, a malicious page controlled by the attacker. \n\n By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.\n Moreover open redirections could also be used to maliciously craft an URL that would bypass the application’s access control checks and then forward the attacker to privileged functions that they would normally not be able to access. \n\n Testing for Client Side URL Redirect vulnerabilities: \nWhen testers have to manually check for this type of vulnerability they have to identify if there are client side redirections implemented in the client side code. \n These redirections could be implemented, for example in JavaScript, using the “window.location” object that can be used to take the browser to another page by simply assigning a string to it. If the script does not perform any validation of the variable “redir”, then this unvalidated input is passed to the windows.location object originating a URL redirection vulnerability.", "005": "A CSS Injection vulnerability involves the ability to inject arbitrary CSS code in the context of a trusted web site, and this will be rendered inside the victim’s browser. \nThe impact of such a vulnerability may vary on the basis of the supplied CSS payload: it could lead to Cross-Site Scripting in particular circumstances, to data exfiltration in the sense of extracting sensitive data or to UI modifications. \n\n Such a vulnerability occurs when the application allows to supply user-generated CSS or it is possible to somehow interfere with the legit stylesheets. \n Injecting code in the CSS context gives the attacker the possibility to execute JavaScript in certain conditions as well as extracting sensitive values through CSS selectors and functions able to generate HTTP requests. \n\n Specifically the attacker could target the victim by asking her to visit the following URLs: \n • www.victim.com/#red;-o-link:’javascript:alert(1)’;-o-linksource:current; (Opera [8,12]) \n • www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8) \n\n Much more interesting attack scenarios involve the possibility to extract data through the adoption of pure CSS rules. \nSuch attacks can be conducted through CSS selectors and leading for instance to grab anti-CSRF tokens. \n\n Testing for CSS Injection vulnerabilities: \n Manual testing needs to be conducted and the JavaScript code analyzed in order to understand whether the attackers can inject its own content in CSS context. In particular we should be interested in how the website returns CSS rules on the basis of the inputs.", "006": "A ClientSide Resource Manipulation vulnerability is an input validation flaw that occurs when an application accepts an user controlled input which specifies the path of a resource (i.e. source of an iframe, js, applet). \nSpecifically, such a vulnerability consists in the ability to control the URLs which link to some resources present in a web page. \n The impact may vary on the basis of the type of\the element whose URL is controlled by the attacker, and it is usually adopted to conduct Cross-Site Scripting attacks. \n\n Such a vulnerability occurs when the application employs user\ncontrolled URLs for referencing external/internal resources. \n In these circumstances it is possible to interfere with the expected application’s behavior in the sense of making it load and render malicious objects. \n\n Testing for Client Side Resource Manipulation vulnerabilities:\nTo manually check for this type of vulnerability we have to identify whether the application employs inputs without correctly validating them; these are under the control of the user which could be able to specify the url of some resources. \n Since there are many resources that could be included into the application, client side scripts which handle the associated URLs should be investigated for potential issues. \n\n The following shows the possible injection points (sink) that should be checked: \n • Resource: Frame \n • Tag/Method: iframe \n • Sink: src \n\n • Resource: Link \n • Tag/Method: a \n • Sink: href\n\n • Resource: AJAX Request \n • Tag/Method: xhr.open(method, [url], true); \n • Sink: URL href\n\n • Resource: CSS \n • Tag/Method: link \n\n • Resource: Image \n • Tag/Method: img \n\n • Resource: Object \n • Tag/Method: object \n • Sink: src\n\n • Resource: Script \n • Tag/Method: script \n • Sink: data src", "007": "Cross Origin Resource Sharing or CORS is a mechanism that enables a web browser to perform “cross-domain” requests using the XMLHttpRequest L2 API in a controlled manner. \n In the past, the XMLHttpRequest L1 API only allowed requests to be sent within the same origin as it was restricted by the same origin policy. \n\n Cross-Origin requests have an Origin header, that identifies the domain initiating the request and is always sent to the server. CORS defines the protocol to use between a web browser and a server to determine whether a cross-origin request is allowed. \n In order to accomplish this goal, there are a few HTTP headers involved in this process, that are supported by all major browsers including: \n • Origin \n • Access-Control-Request-Method \n • Access-Control-Request-Headers \n • Access-Control-Allow-Origin \n • Access-Control-Allow-Credentials \n • Access-Control-Allow-Methods \n • Access-Control-Allow-Headers \n\n The CORS specification mandates that for non simple requests, such as requests other than GET or POST or requests that uses credentials, a pre-flight OPTIONS request must be sent in advance to check if the type of request will have a bad impact on the data.\n The pre-flight request checks the methods, headers allowed by the server, and if credentials are permitted, based on the result of the OPTIONS request, the browser decides whether the request is allowed or not. \n\n Check the HTTP headers in order to understand how CORS is used, in particular we should be very interested in the Origin header to learn which domains are allowed. \n Also, manual inspection of the JavaScript is needed to determine whether the code is vulnerable to code injection due to improper handling of user supplied input.", "008": "ActionScript is the language, based on ECMAScript, used by Flash applications when dealing with interactive needs. \n There are three\nversions of the ActionScript language. ActionScript 1.0 and ActionScript 2.0 are very similar with ActionScript 2.0 being an extension of ActionScript 1.0. ActionScript 3.0, introduced with Flash Player 9, is a rewrite of the language to support object orientated design. \n\n ActionScript, like every other language, has some implementation patterns which could lead to security issues.\n In particular, since Flash applications are often embedded in browsers, vulnerabilities like DOM based Cross-Site Scripting (XSS) could be present in flawed Flash applications.\n\n Decompilation \n Since SWF files are interpreted by a virtual machine embedded in the player itself, they can be potentially decompiled and analysed. The most known and free ActionScript 2.0 decompiler is flare. \n Decompilation helps testers because it allows for source code assisted, or white-box, testing of the Flash applications. HP’s free SWFScan tool can decompile both ActionScript 2.0 and ActionScript 3.0.\n\n Attacks and Flash Player Version Since May 2007, three new versions of Flash player were released by Adobe. Every new version restricts some of the attacks. \n\n Player Version: v9.0 r47/48 \n • asfunction: Yes \n • Externalinterface: Yes \n • GetURL: Yes \n • HTML Injection: Yes\n\n Player Version: v9.0 r115 \n • asfunction: No \n • Externalinterface: Yes \n • GetURL: Yes \n • HTML Injection: Yes\n\n Player Version: v9.0 r124 \n • asfunction: No \n • Externalinterface: Yes \n • GetURL: Yes \n • HTML Injection: Partially", "009": "“Clickjacking” (which is a subset of the “UI redressing”) is a malicious technique that consists of deceiving a web user into interacting with something different to what the user believes they are interacting with. \n This type of attack, that can be used alone or in combination with other attacks, could potentially send unauthorized commands or reveal confidential information while the victim is interacting on seemingly harmless web pages. \n\n A Clickjacking attack uses seemingly innocuous features of HTML and Javascript to force the victim to perform undesired actions, such as clicking on a button that appears to perform another operation. \n\n To carry out this type of technique the attacker has to create a seemingly harmless web page that loads the target application through the use of an iframe. \n Once this is done, the attacker could induce the victim to interact with his fictitious web page.\nOnce the victim is surfing on the fictitious web page, he thinks that he is interacting with the visible user interface, but effectively he is performing actions on the hidden page.\n\nThis type of attack is often designed to allow an attacker site to induce user’s actions on the target site even if anti-CSRF tokens are being used. . So it’s important, like for the CSRF attack, to individuate web pages of the target site that it take input from the user.\n\nWe have to discover if the website that we are testing has no protections against clickjacking attacks or, if the developers have implemented some forms of protection, if these techniques are liable to bypass. \nMethods to protect a web page from clickjacking can be divided in two macro-categories: \n • Client side protection: Frame Busting \n • Server side protection: X-Frame-Options \n\n Some frame busting techniques try to break frame by assigning a value to the “parent.location” attribute in the “counter-action” statement. Such actions are, for example: \n • self.parent.location = document.location \n • parent.location.href = self.location \n • parent.location = self.location", "010": "Traditionally the HTTP protocol only allows one request/response per TCP connection. Asynchronous JavaScript and XML (AJAX) allows clients to send and receive data asynchronously to the server, however, AJAX requires the client to initiate the requests and wait for the server responses (half-duplex). \n\n HTML5 WebSockets allow the client/server to create a ‘full-duplex’ (two-way) communication channels, allowing the client and server to truly communicate asynchronously. WebSockets conduct their initial ‘upgrade’ handshake over HTTP and from then on all communication is carried out over TCP channels by use of frames. \n\n 1: Identify that the application is using WebSockets \n • Inspect the client-side source code for the ws:// or wss:// URI scheme\n • Use Browser Developer Tools to view the Network WebSocket communication \n • Use OWASP Zed Attack Proxy (ZAP)’s WebSocket tab \n\n 2: Origin \n • Using a WebSocket client attempt to connect to the remote WebSocket server \n • If a connection is established the server may not be checking the origin header of the WebSocket handshake \n\n 3: Confidentiality and Integrity \n • Check that the WebSocket connection is using SSL to transport sensitive information (wss://) \n • Check the SSL Implementation for security issues s (Valid Certificate, BEAST, CRIME, RC4, etc). \n\n 4: Authentication \n • WebSockets do not handle authentication, normal black box authentication tests should be carried out \n\n 5: Authorization \n • WebSockets do not handle authorization, normal black-box authorization tests should be carried out \n\n 6: Input Sanitization \n • Use OWASP Zed Attack Proxy (ZAP)’s WebSocket tab to replay and fuzz WebSocket request and responses", "011": "Web Messaging (also known as Cross Document Messaging) allows applications running on different domains to communicate in a secure manner. \n This restriction within the browser is in place to restrict a malicious website to read confidential data from other iframes, tabs, etc, however there are some legitimate cases where two trusted websites need to exchange data between each other. To meet this need Cross Document Messaging was introduced within he WHATWG HTML5 draft specification and implemented in all major browsers. \n It enables secure communication between multiple origins across iframes, tabs and windows. \n\n The Messaging API introduced the postMessage() method, with which plain-text messages can be sent cross-origin. It consists of two parameters, message and domain. \n\n There are some security concerns when using ‘*’ as the domain that we discuss below. Then, in order to receive messages the receiving website needs to add a new event handler, and has the following attributes: \n • data: The content of the incoming message \n • origin: The origin of the sender document \n • source: source window \n\nManual testing needs to be conducted and the JavaScript code analyzed looking for how Web Messaging is implemented. \nIn particular we should be interested in how the website is restricting messages from untrusted domain and how the data is handled even for trusted domains.", "012": "Local Storage also known as Web Storage or Offline Storage is a mechanism to store data as key/value pairs tied to a domain and enforced by the same origin policy (SOP). \n There are two objects, localStorage that is persistent and is intended to survive browser/system reboots and sessionStorage that is temporary and will only exists until the window or tab is closed. \n On average browsers allow to store in this storage around 5MB per domain, that compared to the 4KB of cookies is a big difference, but the key difference from the security perspective is that the data stored in these two objects is kept in the client and never sent to the server. \n\n First of all, we need to check whether the Local Storage is used. This can be checked when using the Browser Tool and then go under Resources you will see ‘Local Storage’ and ‘Web Storage’. \n\n Next manual testing needs to be conducted in order to determine whether the website is storing sensitive data in the storage that represents a risk and will increase dramatically the impact of a information leak. \n Also check the code handling the Storage to determine if it is vulnerable to injection attacks, common issue when the code does not escape the input or output." }, "no_info": "No information for given reference number found." } }