Thursday, April 10, 2014

[infosecinstitute] .NET Penetration Testing: Test Case Cheat Sheet

Having a cheat sheet is a perfect starting initiative to assist you in generating ideas while penetration testing. A test case cheat sheet is often asked for in security penetration testing, but if there is some problem with this approach it is that security testers then tend to use only predefined test cases to determine the security of a particular implementation. But the fact is that no such predefined list can include the entire set of test cases needed to ensure your application is secure. Such test cases are only sufficient to kick-start the penetration testing process. This paper is designed to show some common security pen testing cases in order to grab a particular vulnerability in the existing mechanism.

Information Disclosure
An attacker usually observes and obtains an abundance of information that the programmer left inadvertently or the application discloses. This kind of attack is not given as much attention because the programmer doesn’t understand the mindset of attacker, how exactly they will break the system.
Test Cases ScenarioExplanation
Monitor data sent across wireTraffic monitoring of a network via sniffing could reveal an abundance of important data.
Monitor data stored in filesMonitor every file used by the application or generated by the application to reveal data.
Looks for “Secret” keywordProgrammer typically stored sensitive data in a secret file which could be reverse engineered by hackers.
Examine credentials in Plan-Text while communicationSometimes username, password, IP address and key are stored and transmitted in clear text form.
Exercise Error Pages and conditionsError page or condition could reveal much information which aid hackers in an attack.
Examine contents of binary fileBinary file could contain sensitive information.
Examine the areas where data is obfuscatedIf hackers recognize the sensitive obfuscated parts which contain crucial information such as passwords, they could be decrypted even if they are obfuscated.
Examine URL for Sensitive dataDuring the absence of SSL, the URL is readable in clear text form.
Look for internal server namesInternal servers contain sensitive information and their name could aid an attacker in attacking the internal network.
Looks for more information returned than is neededSometimes an application returns too much information unnecessarily.
An information disclosure attack is considered a very deadly attack because an attacker can either use information to exploit the vulnerability directly or use it against your application to exploit another loophole. It poses the following threats:
  • Disclose application files
  • Inspect contents and path of a file
  • Disclose information about a process and its allies
  • Information retrieval through monitoring
  • Inspect Metadata of an Assembly
Pen Testing ToolsDescription
Binary EditorExamine a binary file to search important data
Ethereal, Wireshark, NetMonSniff network
Web Proxy EditorManipulate HTTP and HTTPS traffic
Burp SuitIntercept and modify HTTP and HTTPS traffic
FiddlerLog all HTTP traffic
Process ExplorerEnumerate all running process and their associated DLL of a computer
COM and ActiveX Attacks
ActiveX controls are activated on the computer when the user browses a website and installs particular applications on the client machine such as a media player. They are considered as a way to extend the functionality in the browser to accomplish actions that the browser can’t accomplish through HTML alone. Hence, it is recommended to test COM components and ActiveX controls so that other website can’t utilize these controls in a malicious manner.
Test Cases ScenarioExplanation
Examine SAFE for SCRIPTING and SAFE for INITIALIZATIONCOM objects marked with these attributes and can be maliciously implanted.
Look for SITELOCKTry to bypass it by IP obfuscation and URL encoding.
Examine Error Handling mechanismBy this, we can look for information disclosure bugs.
Examine for OverflowsTry to overrun each method, event and property.
Examine DLLCANUNLOADNOW countingArbitrary code could be run if DLL can unload prematurely.
Hackers have employed a couple of interesting tactics to exploit ActiveX controls. Here, one trick is discussed to examine ActiveX controls at the time of testing:
  • Bypass Browser Security Setting
  • Server Redirection
  • Namespace and Behavior
  • Exception Handlers
  • Return Values
Pen Testing ToolsDescription
OLEViewIt provides information about ActiveX and COM interface.
COMRaiderIt allows identifying of safe controls, type information displaying, and debugging and fuzzing of an ActiveX control.
Object BrowserDisplays type information about COM object
Component ServicesDisplays the COM objects installed on a computer via dcomcnfg.exe
ActiveX Control Test ContainerUsed for probing and testing COM interface
Managed Code Vulnerability
It is mandatory to include managed code assembly into testing because they are always susceptible and could have some serious vulnerability in the form of SQL injection, buffer overflow, and XSS. Despite being the latest version of .NET framework, many applications today are written using unmanaged code that runs directly on the system, which poses a huge threat because now the system has limited security protection from what happens when the application executes.
Test Cases ScenarioExplanation
examine UNSAFE blockManaged code can call unmanaged code, which could lead to buffer overflow attack.
examine APTCA assembliesAssembly marked with APTCA attribute can be called by a partially trusted code.
Look for AssertsIf any assembly has Assert then it can be called by a partially trusted code.
Detect sensitive data in assemblies.NET assemblies can be easily decompiled, so make sure the source doesn’t contain any secret code.
Look for PINVOKE blockCalling undamaged code from managed could lead to a serious security problem.
An attacker usually looks for these vulnerabilities related to managed code assembly in order to penetrate an application:
  • Look for unsafe block for buffer overflow attack
  • Looks for PermitOnly and Deny to Sandbox code
  • Examine broad Asserts
  • Look for partially trusted caller
  • Examine Poor Exception handling
Pen Testing ToolsDescription
Reflector, ILSPYDecompile the .NET assembly to original language written source code.
C/ C++ code analysisInform about potential defects in C/ C++ code.
FxcopMake sure either the managed code assembly adhering the .NET framework guidelines.
ILDASMDecompile code to MSIL source.
LCLintDetect common cause of buffer overrun.
PrefastStatic code analysis tool.
WinHexUseful while editing different types of binary data.
Resource HackerUsed to examine resources contained in a file.
HTML Script Injection Attacks
HTML is not only rendering codes on web pages but also assisting hackers in exploiting that code. Attackers can plant a malicious script in a way that a programmer normally couldn’t. HTML scripting attacks happens through cross site scripting (client side) or persisted XSS (script injection).
Test Cases ScenarioExplanation
<SCRIPT>alert()</SCRIPT>A standard script block
“><SCRIPT>alert()</SCRIPT>New way of executing script
‘><SCRIPT>alert()</SCRIPT>New way of executing script
</SCRIPT><SCRIPT>alert()</SCRIPT>New way of executing script
Inject CR/LFA common method to cause HTTP content splitting attacks.
Javascript:alert()Used to execute script where a URL can be specified
Vbscript:MsgBox()Used to execute script where a URL can be specified
<INPUT type= “text” style= “font-family:e/**/xpression(alert(‘Hello’))”>Tricks the parser by using C style expression methods
“onclick=javascript:alert() x=”Injects script by inserting an attribute
An XSS attack enables the hackers to perform the following operation to access sensitive data and other information which are normally prohibited to exposure:
  • Object Model Access
  • Cookies Access
  • Zone Elevation
  • User Data Access
Spoofing Attack
Targeting the application covertly on behalf of a third person and keeping safe one’s own identity comes under a spoofing attack. As a result, spoofing can cause a decision made by the user to be based on fake information. Hackers fool programs into trusting incorrect information to present information to a user through a program GUI in a misleading deceptive way.
Test Cases ScenarioExplanation
Spoof IP addressChange the IP address to hide own identity
Alter MAC addressChange the MAC address
Alter SMTP messageEverything can be spoofed such as TO, FROM, Header, BODY
Modify HTTP RefererCheck links originating from a specific place
C: mal.txt <TAB><TAB><TAB><TAB>Tab character to cause part of the filename to wrap out the viewable area websites allow the credentials to be specified as part of the URL 00mal.exeTruncate name of file by encoding null character 0D%0Amal.exeInject a new line by encoded CR/LF (%0D%0A)
C:good.txt .exeUse space in the filename to execute malicious file
Social engineering attack plays a significant role in executing a spoofing attack, which is also an ability to gain private information by misleading the target. Here, the following attacks are considered as spoofing:
  • Caller ID Spoofing
  • URL Redirection
  • Mail Spoofing
  • Reformatting using control characters
  • IP Address spoofing
Format String Attack
In C/C++ or C# language, format specifiers such %d, %f and %s determine the output on the console through printfmethods. So the goal with format string testing is to try to inject malicious input into the format specifiers of certain method calls.
Test Cases ScenarioExplanation
%n%n%n%n%n%n%n%n……%nSuch a long sequence could break the memory stack
%s%s%s%s%s%s%s%s%s…….%sSometimes %n won’t work. Hence use %s
%d%d%d%d%d%d%d%d……%dAlternative of %n
%x%x%x%x%x%x%x%x…….%xAlternative of %n
Function Inspection
Pen Testing ToolsDescription
PickleSufficient to analyze, disassemble, memory dump and asm code of a program to format string vulnerability
Hex ViewDisplay hex byte of a pickle dump output.
XML Injection Attack
XML is a universal data format that understands and is shared by almost all platforms. Applications use XML files as input to send data across the wire through an XML parser. The application then accesses the parsed version of the data. In case of not being parsed properly, the application won’t be able to access the input. Hence, the input is parsed first before sending, but that input might find security issues in the application consuming the XML.
Test Cases ScenarioExplanation
Using not well formed XMLTo crash the XML parser
Testuser1 </usr> <usr role= “admin”> Testuser2For XML injection
X’)] | //* | // * [contains(name,'yXquery or xpath injection
<! ENTITY % xx '&#x25;zz;'>Infinite entity reference loop
<? Xml version="1.0" encoding= "UTF-8"?><! DOCTYPE test [ <! ELEMENT stest ANY ><! ENTITY xx SYSTEM "C:/boot.ini"> ] ><test> &xx; </test>XML external entity attack
Here is a partial list of attacks that can happeb due to having a vulnerability in the XML data source file:
  • Directory traversal
  • Buffer overflow
  • Format String
  • HTML scripting
  • GUI spoofing
DOS Attack
The objective of DOS (Denial of Services) or DDOS (distributed DOS) is to prevent a system or user from accessing resources. It redirects a huge amount of traffic toward the server, which eventually results in resources down or out of service.
Test Cases ScenarioExplanation
Identify method that incur heavy resource penaltiesFunctions, such as those used for encryption and decryption, can be very expensive.
Change expected data typesIf an application desires a numerical value, use a character instead.
Send lots of data to the applicationThe mechanism might react differently depending on the amount of data used.
Repeat some action again and againMonitor for excessive resources, memory, CPU while repeating the same action over and over.
Connect to the server simultaneouslyConsume all of the connections that the server can handle to prevent new ones from being handled.
Exercise all error codesStudy all the error pages in search of tracking to any releasing resources.
Pen Testing ToolsDescription
LOICGenerates a moderate amount of traffic
HOICHOIC is a deadly tool to down any server in absence of safeguards
Canonicalization Attacks
An attacker can supply data in the form of a different-2 encoding scheme, characters, and delimiters in an attempt to cause the data to be interpreted incorrectly and to drive an application to make certain decisions based on those values in a Canonicalization Attack.
Test Cases ScenarioExplanation
http:// 32323541IP address in decimal form to create a dot-less address that can be used to trick some applications that attempt to detect internet or intranet zones.
%C1%81Overlong UTF-8 encoding of a character A
&gt;Html Encoding of a character >
&#65;Html Encoding of a character A
%41Hex form of a character A
%windir%notepad.exeUsing environment variable to represent a path
C:windowsnotepad.exe.Trailing period (.) to access a file
C:Progra~1Longf~1.txtShort version to access a long file name for a path
C:folder..secret.password.txtDirectory traversal
/Root or RootUsing forward and backward slash to access the root
Pen Testing ToolsDescription
OverlongUTPGenerate the overlong UTF-8 encoding for a character
Character MapDisplay the hex form of a value
ASCII TableA table that contains the numerical representation of a character
Web Text ConverterConvert a string into diverse formats
Buffer-Overflow Attack
Buffer overflow is caused when input is larger than space allocated for it, and is outside the allocated location and not handled by program memory. This eventually leads to a program crash. Buffer overflow typically results in enabling hackers to run whatever code they want to take control of the target computer.
Test Cases ScenarioExplanation
<BOF>:// to overflow protocol
http://<BOF>/mal.txtAttempt to overflow server name
http://www.test.<BOF>/mal.txtAttempt to overflow server name portion<BOF>.txtAttempt to overflow file name<BOF>Attempt to overflow extension<BOF>Attempt to overflow query string<BOF>=valueAttempt to overflow query string parameter name
<BOF>:foldertest.txtAttempt to overflow drive letter
C:<BOF>test.txtAttempt to overflow folder name
C:folder<BOF>.txtAttempt to overflow file name
C:foldertest.<BOF>Attempt to overflow file extension
Overflow occurs when the program receives more data than it expects. There are many different kinds of attacks:
  • Integer Overflow
  • Stack Overflow
  • Format String Attack
  • Heap Overrun
Pen Testing ToolsDescription
SpikeNetwork Fuzzing framework
Bound checkerAllows checking bound checking on particular set of APIs
Gflags.exeAllows to check system heap
LCLintCheck common cause of buffer overrun
IDA ProDebugger, useful to figure out how an application works
Code Disassembling
Hackers and penetration testers typically manipulate .NET managed assemblies through disassembling, in which an entire source code behind a DLL or EXE is retrieved in its original state. Malicious hackers can easily retain or reverse engineer the security restriction by examining the original source code. Code disassembling could be very beneficial in terms of identifying inherent bugs into application.
Test Cases ScenarioExplanation
Find Format String VulnerabilityFind this vulnerability without source code by debugging the application.
Spotting Insecure Function CallLook for problematic or insecure methods.
Modify Execution FlowIdentify the execution flow for crucial implementation such as serial key validation.
Look for Buffer OverflowLook for the possibility of buffer overrun.
Patching BinariesTry to patch the binary as per your requirement, such as subverting the serial key or password mechanism.
Reading Memory ContentsUse debugger to gain full access to all of the processed memory contents.
Analysis of Security UpdatesExamine specific methods which complete security updates operations.
Algorithm ReversingTry to modify the algorithm behind any functionality if the code is not obfuscated.
Pen Testing ToolsDescription
IDA ProA Debugger and disassembler for managed and unmanaged binaries.
OllyDbgWindows debugger and reverse engineer tool in 32-bit form.
ReflectorDisassembler to .NET binaries.
ILDASMGenerates MSIL code.
Weak Permissions
Permissions limit who can access certain resources and what can be done to them in application security. If the website or application software isn’t protected or managed by a proper permission sets of ACL, they are susceptible to attack.
Test Cases ScenarioExplanation
Looks for too much access on files and resourcesIf a particular group or user is not authorized to able view or delete and given too much permission then it could be a nightmare.
Looks for multistage elevationHackers usually chain several vulnerabilities together to gain upper level access.
Weak Discretionary ACLIt determines the level of access to a securable object. Sometime a web master grants permissions to a large group such as Guest, Everyone, Users, and Network Services.
NULL DACLIf a resource has a NULL DACL, it has no access control mechanism.
SQL permissionsEvery database user must assign proper access control to insert, delete, execute or update database resources.
Securable objects are assets on a computer that a user can use. These objects can be used either directly or indirectly. Here, the example of securable objects which must be protected are:
  • Directories, Registry and Files
  • Network Share
  • Process, Windows Services, and Threads
  • Active Directory components
  • COM objects
Pen Testing ToolsDescription
AccessEnumThis tool assists to detect weak permissions in files and registries.
WhoAmIThis command line utility displays all of the groups that a user belongs to.
PermCalcIt displays the permission set given to .NET assembly.
ObjSDIt display access control lists on registries, files and services.
SQL Injection Attack
SQL injection attack permits a malicious hacker to execute commands in your website which is connected to a database. The attacker aim is to provide specially crafted data to the application that uses a database to alter the behavior of SQL commands the application intends to run. However, the attacker might be able to perform such a covert operation over a website which has given high privileges or adequate safeguards to the source code, to manipulate the database.
Test Cases ScenarioExplanation
Website Error pagesError pages are a huge source to disclose or study SQL statements in order to find table, column and database name.
Comments (–)Use commenting tricks to stop the rest of a query execution.
xyz’ ; drop table test; – -Single quotation mark with semicolon to break the current SQL query.
xyz’ drop table test; – -Only a single quotation mark to break the current SQL query.
ASC; DROP Table testSometimes ASC are DESC help the attacker to cause a SQL injection.
Search code for SqlCommandSqlCommand statement usually contains a user-supplied SQL query.
Search stored procedure for EXEC, SP_EXECUTE and EXECUTESQL injection could be possible if those keywords are used to manufacture a query.
S; DROP Table test; – -It is not mandatory to use a single quotation mark while a query uses a numerical value.
Dfgdfg’ OR 1=1 – -Use this custom statement to bypass login page functionality.
“OR ‘a’='a’Always evaluates to true and is intended to check authentication bypass.
‘; DROP DATABASE pubs –Intended to delete entire database.
SQL vulnerabilities are extremely beneficial for hackers, regardless of the importance of the data in the database. Here, the following attacks lead to SQL injection and could be advantageous to an attacker.
  • Executing commands on the machine running the database
  • Tampering with data
  • Run SQL commands with elevated rights
  • Disclose sensitive information
Pen Testing ToolsDescription
OWASP Zed Attack Proxy (ZAP)Used to find vulnerabilities in web applications.
SQLInjection.tdfSQL server profiler used to monitor all of the queries execution. Hence, it is useful to detect SQL injection vulnerability.
SQL profilerThis utility used to view the SQL statement executing on a SQL Server.
sqlmapAutomates the process of exploiting SQL injection flaws.
acunetixComprehensive tool to perform penetration testing over a web application.
This article has narrated the common penetration cases scenario in .NET framework applications. We have discussed prominent vulnerabilities which are exploited by Scripting, Spoofing, Reverse Engineering, Format String, Buffer Overflow, Managed Code and Canonicalization attacks, as well as presented corresponding attack tools. We also gained an understanding of what kind of damage could happen while being exploited by these attacks. Hence, this article will be helpful for pen testing professionals to measure the security protection level in an application.

No comments:

Post a Comment