Having a cheat sheet is a perfect starting initiative to assist you in generating ideas while penetration testing. A test case cheat sheet is often asked for in security penetration testing, but if there is some problem with this approach it is that security testers then tend to use only predefined test cases to determine the security of a particular implementation. But the fact is that no such predefined list can include the entire set of test cases needed to ensure your application is secure. Such test cases are only sufficient to kick-start the penetration testing process. This paper is designed to show some common security pen testing cases in order to grab a particular vulnerability in the existing mechanism.
Information Disclosure
An attacker usually observes and obtains an abundance of information that the programmer left inadvertently or the application discloses. This kind of attack is not given as much attention because the programmer doesn’t understand the mindset of attacker, how exactly they will break the system.
| Test Cases Scenario | Explanation |
| Monitor data sent across wire | Traffic monitoring of a network via sniffing could reveal an abundance of important data. |
| Monitor data stored in files | Monitor every file used by the application or generated by the application to reveal data. |
| Looks for “Secret” keyword | Programmer typically stored sensitive data in a secret file which could be reverse engineered by hackers. |
| Examine credentials in Plan-Text while communication | Sometimes username, password, IP address and key are stored and transmitted in clear text form. |
| Exercise Error Pages and conditions | Error page or condition could reveal much information which aid hackers in an attack. |
| Examine contents of binary file | Binary file could contain sensitive information. |
| Examine the areas where data is obfuscated | If hackers recognize the sensitive obfuscated parts which contain crucial information such as passwords, they could be decrypted even if they are obfuscated. |
| Examine URL for Sensitive data | During the absence of SSL, the URL is readable in clear text form. |
| Look for internal server names | Internal servers contain sensitive information and their name could aid an attacker in attacking the internal network. |
| Looks for more information returned than is needed | Sometimes an application returns too much information unnecessarily. |
An information disclosure attack is considered a very deadly attack because an attacker can either use information to exploit the vulnerability directly or use it against your application to exploit another loophole. It poses the following threats:
- Disclose application files
- Inspect contents and path of a file
- Disclose information about a process and its allies
- Information retrieval through monitoring
- Inspect Metadata of an Assembly
| Pen Testing Tools | Description |
| Binary Editor | Examine a binary file to search important data |
| Ethereal, Wireshark, NetMon | Sniff network |
| Web Proxy Editor | Manipulate HTTP and HTTPS traffic |
| Burp Suit | Intercept and modify HTTP and HTTPS traffic |
| Fiddler | Log all HTTP traffic |
| Process Explorer | Enumerate all running process and their associated DLL of a computer |
COM and ActiveX Attacks
ActiveX controls are activated on the computer when the user browses a website and installs particular applications on the client machine such as a media player. They are considered as a way to extend the functionality in the browser to accomplish actions that the browser can’t accomplish through HTML alone. Hence, it is recommended to test COM components and ActiveX controls so that other website can’t utilize these controls in a malicious manner.
| Test Cases Scenario | Explanation |
| Examine SAFE for SCRIPTING and SAFE for INITIALIZATION | COM objects marked with these attributes and can be maliciously implanted. |
| Look for SITELOCK | Try to bypass it by IP obfuscation and URL encoding. |
| Examine Error Handling mechanism | By this, we can look for information disclosure bugs. |
| Examine for Overflows | Try to overrun each method, event and property. |
| Examine DLLCANUNLOADNOW counting | Arbitrary code could be run if DLL can unload prematurely. |
Hackers have employed a couple of interesting tactics to exploit ActiveX controls. Here, one trick is discussed to examine ActiveX controls at the time of testing:
- Bypass Browser Security Setting
- Server Redirection
- Namespace and Behavior
- Exception Handlers
- Return Values
| Pen Testing Tools | Description |
| OLEView | It provides information about ActiveX and COM interface. |
| COMRaider | It allows identifying of safe controls, type information displaying, and debugging and fuzzing of an ActiveX control. |
| Object Browser | Displays type information about COM object |
| Component Services | Displays the COM objects installed on a computer via dcomcnfg.exe |
| ActiveX Control Test Container | Used for probing and testing COM interface |
Managed Code Vulnerability
It is mandatory to include managed code assembly into testing because they are always susceptible and could have some serious vulnerability in the form of SQL injection, buffer overflow, and XSS. Despite being the latest version of .NET framework, many applications today are written using unmanaged code that runs directly on the system, which poses a huge threat because now the system has limited security protection from what happens when the application executes.
| Test Cases Scenario | Explanation |
| examine UNSAFE block | Managed code can call unmanaged code, which could lead to buffer overflow attack. |
| examine APTCA assemblies | Assembly marked with APTCA attribute can be called by a partially trusted code. |
| Look for Asserts | If any assembly has Assert then it can be called by a partially trusted code. |
| Detect sensitive data in assemblies | .NET assemblies can be easily decompiled, so make sure the source doesn’t contain any secret code. |
| Look for PINVOKE block | Calling undamaged code from managed could lead to a serious security problem. |
An attacker usually looks for these vulnerabilities related to managed code assembly in order to penetrate an application:
- Look for unsafe block for buffer overflow attack
- Looks for PermitOnly and Deny to Sandbox code
- Examine broad Asserts
- Look for partially trusted caller
- Examine Poor Exception handling
| Pen Testing Tools | Description |
| Reflector, ILSPY | Decompile the .NET assembly to original language written source code. |
| C/ C++ code analysis | Inform about potential defects in C/ C++ code. |
| Fxcop | Make sure either the managed code assembly adhering the .NET framework guidelines. |
| ILDASM | Decompile code to MSIL source. |
| LCLint | Detect common cause of buffer overrun. |
| Prefast | Static code analysis tool. |
| WinHex | Useful while editing different types of binary data. |
| Resource Hacker | Used to examine resources contained in a file. |
HTML Script Injection Attacks
HTML is not only rendering codes on web pages but also assisting hackers in exploiting that code. Attackers can plant a malicious script in a way that a programmer normally couldn’t. HTML scripting attacks happens through cross site scripting (client side) or persisted XSS (script injection).
| Test Cases Scenario | Explanation |
| <SCRIPT>alert()</SCRIPT> | A standard script block |
| “><SCRIPT>alert()</SCRIPT> | New way of executing script |
| ‘><SCRIPT>alert()</SCRIPT> | New way of executing script |
| </SCRIPT><SCRIPT>alert()</SCRIPT> | New way of executing script |
| Inject CR/LF | A common method to cause HTTP content splitting attacks. |
| Javascript:alert() | Used to execute script where a URL can be specified |
| Vbscript:MsgBox() | Used to execute script where a URL can be specified |
| <INPUT type= “text” style= “font-family:e/**/xpression(alert(‘Hello’))”> | Tricks the parser by using C style expression methods |
| “onclick=javascript:alert() x=” | Injects script by inserting an attribute |
An XSS attack enables the hackers to perform the following operation to access sensitive data and other information which are normally prohibited to exposure:
- Object Model Access
- Cookies Access
- Zone Elevation
- User Data Access
Spoofing Attack
Targeting the application covertly on behalf of a third person and keeping safe one’s own identity comes under a spoofing attack. As a result, spoofing can cause a decision made by the user to be based on fake information. Hackers fool programs into trusting incorrect information to present information to a user through a program GUI in a misleading deceptive way.
| Test Cases Scenario | Explanation |
| Spoof IP address | Change the IP address to hide own identity |
| Alter MAC address | Change the MAC address |
| Alter SMTP message | Everything can be spoofed such as TO, FROM, Header, BODY |
| Modify HTTP Referer | Check links originating from a specific place |
| C: mal.txt <TAB><TAB><TAB><TAB> | Tab character to cause part of the filename to wrap out the viewable area |
| www.test.com@www.hack.com | Some websites allow the credentials to be specified as part of the URL |
| www.test.com/mal.txt% 00mal.exe | Truncate name of file by encoding null character |
| www.test.com/mal.txt% 0D%0Amal.exe | Inject a new line by encoded CR/LF (%0D%0A) |
| C:good.txt .exe | Use space in the filename to execute malicious file |
Social engineering attack plays a significant role in executing a spoofing attack, which is also an ability to gain private information by misleading the target. Here, the following attacks are considered as spoofing:
- Caller ID Spoofing
- URL Redirection
- Mail Spoofing
- Reformatting using control characters
- IP Address spoofing
Format String Attack
In C/C++ or C# language, format specifiers such %d, %f and %s determine the output on the console through printfmethods. So the goal with format string testing is to try to inject malicious input into the format specifiers of certain method calls.
| Test Cases Scenario | Explanation |
| %n%n%n%n%n%n%n%n……%n | Such a long sequence could break the memory stack |
| %s%s%s%s%s%s%s%s%s…….%s | Sometimes %n won’t work. Hence use %s |
| %d%d%d%d%d%d%d%d……%d | Alternative of %n |
| %x%x%x%x%x%x%x%x…….%x | Alternative of %n |
| Function Inspection |
| Pen Testing Tools | Description |
| Pickle | Sufficient to analyze, disassemble, memory dump and asm code of a program to format string vulnerability |
| Hex View | Display hex byte of a pickle dump output. |
XML Injection Attack
XML is a universal data format that understands and is shared by almost all platforms. Applications use XML files as input to send data across the wire through an XML parser. The application then accesses the parsed version of the data. In case of not being parsed properly, the application won’t be able to access the input. Hence, the input is parsed first before sending, but that input might find security issues in the application consuming the XML.
| Test Cases Scenario | Explanation |
| Using not well formed XML | To crash the XML parser |
| Testuser1 </usr> <usr role= “admin”> Testuser2 | For XML injection |
| X’)] | //* | // * [contains(name,'y | Xquery or xpath injection |
| <! ENTITY % xx '%zz;'> | Infinite entity reference loop |
| <? Xml version="1.0" encoding= "UTF-8"?><! DOCTYPE test [ <! ELEMENT stest ANY ><! ENTITY xx SYSTEM "C:/boot.ini"> ] ><test> &xx; </test> | XML external entity attack |
Here is a partial list of attacks that can happeb due to having a vulnerability in the XML data source file:
- Directory traversal
- Buffer overflow
- Format String
- HTML scripting
- GUI spoofing
DOS Attack
The objective of DOS (Denial of Services) or DDOS (distributed DOS) is to prevent a system or user from accessing resources. It redirects a huge amount of traffic toward the server, which eventually results in resources down or out of service.
| Test Cases Scenario | Explanation |
| Identify method that incur heavy resource penalties | Functions, such as those used for encryption and decryption, can be very expensive. |
| Change expected data types | If an application desires a numerical value, use a character instead. |
| Send lots of data to the application | The mechanism might react differently depending on the amount of data used. |
| Repeat some action again and again | Monitor for excessive resources, memory, CPU while repeating the same action over and over. |
| Connect to the server simultaneously | Consume all of the connections that the server can handle to prevent new ones from being handled. |
| Exercise all error codes | Study all the error pages in search of tracking to any releasing resources. |
| Pen Testing Tools | Description |
| LOIC | Generates a moderate amount of traffic |
| HOIC | HOIC is a deadly tool to down any server in absence of safeguards |
Canonicalization Attacks
An attacker can supply data in the form of a different-2 encoding scheme, characters, and delimiters in an attempt to cause the data to be interpreted incorrectly and to drive an application to make certain decisions based on those values in a Canonicalization Attack.
| Test Cases Scenario | Explanation |
| http:// 32323541 | IP address in decimal form to create a dot-less address that can be used to trick some applications that attempt to detect internet or intranet zones. |
| %C1%81 | Overlong UTF-8 encoding of a character A |
| > | Html Encoding of a character > |
| A | Html Encoding of a character A |
| %41 | Hex form of a character A |
| %windir%notepad.exe | Using environment variable to represent a path |
| C:windowsnotepad.exe. | Trailing period (.) to access a file |
| C:Progra~1Longf~1.txt | Short version to access a long file name for a path |
| C:folder..secret.password.txt | Directory traversal |
| /Root or Root | Using forward and backward slash to access the root |
| Pen Testing Tools | Description |
| OverlongUTP | Generate the overlong UTF-8 encoding for a character |
| Character Map | Display the hex form of a value |
| ASCII Table | A table that contains the numerical representation of a character |
| Web Text Converter | Convert a string into diverse formats |
Buffer-Overflow Attack
Buffer overflow is caused when input is larger than space allocated for it, and is outside the allocated location and not handled by program memory. This eventually leads to a program crash. Buffer overflow typically results in enabling hackers to run whatever code they want to take control of the target computer.
| Test Cases Scenario | Explanation |
| <BOF>://www.test.com/mal.txt | Attempt to overflow protocol |
| http://<BOF>/mal.txt | Attempt to overflow server name |
| http://www.test.<BOF>/mal.txt | Attempt to overflow server name portion |
| http://www.test.com/<BOF>.txt | Attempt to overflow file name |
| http://www.test.com/mal.<BOF> | Attempt to overflow extension |
| http://www.test.com/file.aspx?<BOF> | Attempt to overflow query string |
| http://www.test.com/file.aspx?<BOF>=value | Attempt to overflow query string parameter name |
| <BOF>:foldertest.txt | Attempt to overflow drive letter |
| C:<BOF>test.txt | Attempt to overflow folder name |
| C:folder<BOF>.txt | Attempt to overflow file name |
| C:foldertest.<BOF> | Attempt to overflow file extension |
Overflow occurs when the program receives more data than it expects. There are many different kinds of attacks:
- Integer Overflow
- Stack Overflow
- Format String Attack
- Heap Overrun
| Pen Testing Tools | Description |
| Spike | Network Fuzzing framework |
| Bound checker | Allows checking bound checking on particular set of APIs |
| Gflags.exe | Allows to check system heap |
| LCLint | Check common cause of buffer overrun |
| IDA Pro | Debugger, useful to figure out how an application works |
Code Disassembling
Hackers and penetration testers typically manipulate .NET managed assemblies through disassembling, in which an entire source code behind a DLL or EXE is retrieved in its original state. Malicious hackers can easily retain or reverse engineer the security restriction by examining the original source code. Code disassembling could be very beneficial in terms of identifying inherent bugs into application.
| Test Cases Scenario | Explanation |
| Find Format String Vulnerability | Find this vulnerability without source code by debugging the application. |
| Spotting Insecure Function Call | Look for problematic or insecure methods. |
| Modify Execution Flow | Identify the execution flow for crucial implementation such as serial key validation. |
| Look for Buffer Overflow | Look for the possibility of buffer overrun. |
| Patching Binaries | Try to patch the binary as per your requirement, such as subverting the serial key or password mechanism. |
| Reading Memory Contents | Use debugger to gain full access to all of the processed memory contents. |
| Analysis of Security Updates | Examine specific methods which complete security updates operations. |
| Algorithm Reversing | Try to modify the algorithm behind any functionality if the code is not obfuscated. |
| Pen Testing Tools | Description |
| IDA Pro | A Debugger and disassembler for managed and unmanaged binaries. |
| OllyDbg | Windows debugger and reverse engineer tool in 32-bit form. |
| Reflector | Disassembler to .NET binaries. |
| ILDASM | Generates MSIL code. |
Weak Permissions
Permissions limit who can access certain resources and what can be done to them in application security. If the website or application software isn’t protected or managed by a proper permission sets of ACL, they are susceptible to attack.
| Test Cases Scenario | Explanation |
| Looks for too much access on files and resources | If a particular group or user is not authorized to able view or delete and given too much permission then it could be a nightmare. |
| Looks for multistage elevation | Hackers usually chain several vulnerabilities together to gain upper level access. |
| Weak Discretionary ACL | It determines the level of access to a securable object. Sometime a web master grants permissions to a large group such as Guest, Everyone, Users, and Network Services. |
| NULL DACL | If a resource has a NULL DACL, it has no access control mechanism. |
| SQL permissions | Every database user must assign proper access control to insert, delete, execute or update database resources. |
Securable objects are assets on a computer that a user can use. These objects can be used either directly or indirectly. Here, the example of securable objects which must be protected are:
- Directories, Registry and Files
- Network Share
- Process, Windows Services, and Threads
- Active Directory components
- COM objects
| Pen Testing Tools | Description |
| AccessEnum | This tool assists to detect weak permissions in files and registries. |
| SysInternals | —————–do———————– |
| WhoAmI | This command line utility displays all of the groups that a user belongs to. |
| PermCalc | It displays the permission set given to .NET assembly. |
| ObjSD | It display access control lists on registries, files and services. |
SQL Injection Attack
SQL injection attack permits a malicious hacker to execute commands in your website which is connected to a database. The attacker aim is to provide specially crafted data to the application that uses a database to alter the behavior of SQL commands the application intends to run. However, the attacker might be able to perform such a covert operation over a website which has given high privileges or adequate safeguards to the source code, to manipulate the database.
| Test Cases Scenario | Explanation |
| Website Error pages | Error pages are a huge source to disclose or study SQL statements in order to find table, column and database name. |
| Comments (–) | Use commenting tricks to stop the rest of a query execution. |
| xyz’ ; drop table test; – - | Single quotation mark with semicolon to break the current SQL query. |
| xyz’ drop table test; – - | Only a single quotation mark to break the current SQL query. |
| ASC; DROP Table test | Sometimes ASC are DESC help the attacker to cause a SQL injection. |
| Search code for SqlCommand | SqlCommand statement usually contains a user-supplied SQL query. |
| Search stored procedure for EXEC, SP_EXECUTE and EXECUTE | SQL injection could be possible if those keywords are used to manufacture a query. |
| S; DROP Table test; – - | It is not mandatory to use a single quotation mark while a query uses a numerical value. |
| Dfgdfg’ OR 1=1 – - | Use this custom statement to bypass login page functionality. |
| “OR ‘a’='a’ | Always evaluates to true and is intended to check authentication bypass. |
| ‘; DROP DATABASE pubs – | Intended to delete entire database. |
SQL vulnerabilities are extremely beneficial for hackers, regardless of the importance of the data in the database. Here, the following attacks lead to SQL injection and could be advantageous to an attacker.
- Executing commands on the machine running the database
- Tampering with data
- Run SQL commands with elevated rights
- Disclose sensitive information
| Pen Testing Tools | Description |
| OWASP Zed Attack Proxy (ZAP) | Used to find vulnerabilities in web applications. |
| SQLInjection.tdf | SQL server profiler used to monitor all of the queries execution. Hence, it is useful to detect SQL injection vulnerability. |
| SQL profiler | This utility used to view the SQL statement executing on a SQL Server. |
| sqlmap | Automates the process of exploiting SQL injection flaws. |
| acunetix | Comprehensive tool to perform penetration testing over a web application. |
Summary
This article has narrated the common penetration cases scenario in .NET framework applications. We have discussed prominent vulnerabilities which are exploited by Scripting, Spoofing, Reverse Engineering, Format String, Buffer Overflow, Managed Code and Canonicalization attacks, as well as presented corresponding attack tools. We also gained an understanding of what kind of damage could happen while being exploited by these attacks. Hence, this article will be helpful for pen testing professionals to measure the security protection level in an application.
No comments:
Post a Comment