A cheat sheet is a good starting point for generating ideas while penetration testing. Test-case cheat sheets are often asked for in security testing, but the approach has one problem: testers then tend to use only the predefined cases to judge the security of a particular implementation. No predefined list can contain the entire set of test cases needed to ensure an application is secure; such lists are only enough to kick-start the penetration testing process. This paper presents common security test cases, each aimed at surfacing a particular class of vulnerability in the mechanism under test.
Information Disclosure
An attacker usually starts by observing and collecting the abundance of information that the programmer left behind inadvertently or that the application discloses on its own. This class of weakness receives little attention because programmers rarely think like an attacker and do not see how a stray detail helps in breaking the system.
Test Cases Scenario | Explanation
Monitor data sent across the wire | Sniffing network traffic can reveal an abundance of important data.
Monitor data stored in files | Inspect every file the application reads or writes for data it should not persist.
Look for the "secret" keyword | Programmers frequently store sensitive data in a file or resource named "secret"; searching binaries and configuration files for the word finds it quickly.
Examine credentials sent in plain text | Usernames, passwords, IP addresses and keys are sometimes stored or transmitted in clear text.
Exercise error pages and conditions | An error page or exception message can reveal stack traces, paths and queries that aid an attack.
Examine the contents of binary files | Binaries can embed connection strings, keys and debug information.
Examine the areas where data is obfuscated | Obfuscation is not encryption: once an attacker recognizes which obfuscated blob holds a password, it can be reversed.
Examine URLs for sensitive data | Without SSL/TLS the full URL, including query-string parameters, travels in clear text and is logged along the way.
Look for internal server names | Internal host names help an attacker map and attack the internal network.
Look for more information returned than is needed | Applications sometimes return far more data in a response than the page actually displays.
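The test cases above are mostly "search for what should not be there". As an added example (not code from the original page), the following scanner runs the keyword, plain-text credential, internal host name and version-header checks over a blob of bytes, which can be a binary, a configuration file or a captured HTTP response. The sample blob and every value in it are constructed for the example; the name patterns are assumptions a tester would tune per target.

```python
import re

# Constructed sample blob: the sort of content found in a binary, a config file,
# or an over-verbose HTTP response. It is not taken from any real application.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"connection_string=Server=db01.corp.internal;User=sa;Password=Summer2013!\x00"
    + b"secret_key = 9f86d081884c7d659a2feaa0c55ad015\x00"
    + b"\x00\x01\x02\x03"
    + b"X-Powered-By: ASP.NET\r\nServer: Microsoft-IIS/7.5\r\n"
    + b"HTTP/1.1 500 Internal Server Error\r\n"
)

# Runs of printable ASCII, the same idea as the `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# name=value or name: value pairs whose name suggests a credential.
CREDENTIAL = re.compile(
    rb"(?i)(password|passwd|pwd|secret\w*|api_?key|token)\s*[=:]\s*([^\s;\x00]+)")
# Host names in zones that only make sense on an internal network (assumed suffixes).
INTERNAL_HOST = re.compile(
    rb"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:corp|internal|local|lan)\b")
# Response headers that announce the server stack and version.
VERSION_HEADER = re.compile(rb"(?i)\b(Server|X-Powered-By|X-AspNet-Version):[ \t]*([^\r\n]+)")


def printable_strings(blob: bytes) -> list:
    return [m.group(0) for m in PRINTABLE.finditer(blob)]


def find_disclosures(blob: bytes) -> dict:
    """Return the candidate disclosures a tester would follow up on."""
    found = {"credentials": [], "internal_hosts": [], "version_headers": []}
    for s in printable_strings(blob):
        for m in CREDENTIAL.finditer(s):
            found["credentials"].append((m.group(1).decode().lower(), m.group(2).decode()))
        for m in INTERNAL_HOST.finditer(s):
            found["internal_hosts"].append(m.group(0).decode())
    for m in VERSION_HEADER.finditer(blob):
        found["version_headers"].append((m.group(1).decode(), m.group(2).decode().strip()))
    return found


if __name__ == "__main__":
    for kind, items in find_disclosures(SAMPLE_BLOB).items():
        print(kind, items)
```

Each hit is a lead, not a finding: the tester still has to confirm that the credential is live, that the host is really internal, and that the version string is accurate, but this is the pass that turns a large binary or a long proxy log into a short list worth checking by hand.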
Information disclosure is considered a serious attack because an attacker can either use the information to exploit a vulnerability directly or use it against the application to find another loophole. It poses the following threats:
- Disclosure of application files
- Inspection of the contents and path of a file
- Disclosure of information about a process and the modules it loads
- Information retrieval through monitoring
- Inspection of an assembly's metadata
Pen Testing Tools | Description
Binary Editor | Examine a binary file for embedded data.
Ethereal, Wireshark, NetMon | Sniff network traffic.
Web Proxy Editor | Manipulate HTTP and HTTPS traffic.
Burp Suite | Intercept and modify HTTP and HTTPS traffic.
Fiddler | Log all HTTP traffic.
Process Explorer | Enumerate all running processes and the DLLs each has loaded.
COM and ActiveX Attacks
ActiveX controls are installed on the client machine when the user browses a website and accepts a particular component, such as a media player. They extend the browser to accomplish actions it cannot through HTML alone, and once installed they are reachable from every page the browser loads, not only the site that installed them. Hence COM components and ActiveX controls should be tested to make sure other websites cannot use them in a malicious manner.
Test Cases Scenario | Explanation
Examine SAFE for SCRIPTING and SAFE for INITIALIZATION | A control marked safe for scripting or safe for initialization can be instantiated, initialized and driven by any web page, so every method and property it exposes is reachable from a hostile site.
Look for SITELOCK | SiteLock restricts a control to a list of domains; try to bypass the check with alternative IP address forms and URL encoding.
Examine the error handling mechanism | Error paths are where information disclosure bugs surface.
Examine for overflows | Try to overrun every method, event and property with oversized input.
Examine DLLCANUNLOADNOW counting | If the reference count is wrong the DLL can unload while still in use, and a call through the stale pointer runs whatever is mapped there.
Attackers have employed several interesting tactics to exploit ActiveX controls. The following areas are worth examining when testing a control:
- Bypassing browser security settings
- Server redirection
- Namespaces and behaviors
- Exception handlers
- Return values
Pen Testing Tools | Description
OLEView | Shows the interfaces and type information of COM and ActiveX objects.
COMRaider | Identifies controls marked safe, displays type information, and debugs and fuzzes an ActiveX control.
Object Browser | Displays type information about a COM object.
Component Services | Displays the COM objects installed on a computer (dcomcnfg.exe).
ActiveX Control Test Container | Used for probing and testing a control's COM interface.
Managed Code Vulnerability
Managed code assemblies must be included in testing: managed code is not immune, and it can carry serious vulnerabilities in the form of SQL injection, cross-site scripting and, through unsafe blocks and calls into native code, buffer overflows. Even with the latest version of the .NET Framework, many applications still rely on unmanaged code that runs directly on the system, and the runtime's memory safety guarantees do not extend to what that code does when it executes.
Test Cases Scenario | Explanation
Examine UNSAFE blocks | Code in an unsafe block uses raw pointers without the runtime's bounds checks, so it can contain a buffer overflow.
Examine APTCA assemblies | An assembly marked with the AllowPartiallyTrustedCallers attribute can be called by partially trusted code, so its public surface is attacker-reachable.
Look for Asserts | A permission Assert stops the CAS stack walk at that frame, so a partially trusted caller higher up the stack can exercise the asserted permission through this code.
Detect sensitive data in assemblies | .NET assemblies decompile easily, so make sure the source contains no secrets.
Look for PINVOKE blocks | Calling unmanaged code from managed code hands attacker-controlled data to native functions and can lead to serious security problems.
An attacker usually looks for the following weaknesses in managed code assemblies in order to penetrate an application:
- Unsafe blocks, for buffer overflow attacks
- PermitOnly and Deny used to sandbox code
- Broad Asserts
- Partially trusted callers
- Poor exception handling
Pen Testing Tools | Description
Reflector, ILSpy | Decompile a .NET assembly back to source in the language it was written in.
C/C++ Code Analysis | Reports potential defects in C/C++ code.
FxCop | Checks whether a managed code assembly adheres to the .NET Framework design guidelines.
ILDASM | Disassembles an assembly to MSIL.
LCLint | Detects common causes of buffer overruns.
PREfast | Static code analysis tool for C/C++.
WinHex | Hex editor for inspecting and editing binary data.
Resource Hacker | Examines the resources contained in a file.
HTML Script Injection Attacks
HTML does not only render pages; it also gives attackers a vehicle to run script in other users' browsers. Attackers plant script in places where the programmer never expected markup to be interpreted. HTML scripting attacks take the form of reflected cross-site scripting, where the payload arrives with the request and is echoed straight back, or persisted (stored) XSS, where the injected script is saved by the application and served to every later visitor.
Test Cases Scenario | Explanation
<SCRIPT>alert()</SCRIPT> | A standard script block, for input that lands directly in page text.
"><SCRIPT>alert()</SCRIPT> | Closes a double-quoted attribute and its tag before the script block.
'><SCRIPT>alert()</SCRIPT> | Closes a single-quoted attribute and its tag before the script block.
</SCRIPT><SCRIPT>alert()</SCRIPT> | Closes an existing script block the input landed in and opens a new one.
Inject CR/LF | A common method of causing HTTP response splitting when input is reflected into a response header.
javascript:alert() | Executes script wherever a URL can be specified, such as an href or src.
vbscript:MsgBox() | The same trick for the VBScript engine in older Internet Explorer.
<INPUT type="text" style="font-family:e/**/xpression(alert('Hello'))"> | A C-style comment splits the word "expression" past naive filters; CSS expressions executed script in older Internet Explorer.
" onclick=javascript:alert() x=" | Closes the current attribute value and injects an event-handler attribute.
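The table lists payloads; what a tester also needs is a way to see, for each output context, whether a payload survives into the page. The following is an added example (not code from the original article): a vulnerable renderer that concatenates input into text, an attribute and an href, the hardened renderer that encodes for each context, and a small HTMLParser-based checker that reports whether the rendered markup would run script. The page layout and the http(s)-only URL allow-list are assumptions for the example.

```python
import html
import re
import urllib.parse
from html.parser import HTMLParser

# The payloads from the table above, written with straight quotes.
PAYLOADS = [
    '<SCRIPT>alert()</SCRIPT>',
    '"><SCRIPT>alert()</SCRIPT>',
    "'><SCRIPT>alert()</SCRIPT>",
    '</SCRIPT><SCRIPT>alert()</SCRIPT>',
    '" onclick=javascript:alert() x="',
    'javascript:alert()',
    'vbscript:MsgBox()',
]


def render_unsafe(name: str, link: str) -> str:
    """Vulnerable: input is concatenated into text, an attribute and an href."""
    return (f'<p>Hello {name}</p>'
            f'<input type="text" value="{name}">'
            f'<a href="{link}">profile</a>')


def safe_url(url: str) -> str:
    """Allow only http(s) and relative URLs into an href; anything else becomes '#'.
    Control characters are removed first because browsers ignore them inside a scheme."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", url).strip()
    scheme = urllib.parse.urlsplit(cleaned).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_safe(name: str, link: str) -> str:
    """Fixed: each value is encoded for the context it lands in."""
    text = html.escape(name, quote=True)
    return (f'<p>Hello {text}</p>'
            f'<input type="text" value="{text}">'
            f'<a href="{safe_url(link)}">profile</a>')


class ScriptSniffer(HTMLParser):
    """Parses markup the way a browser would and records anything that runs script."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script tag")
        for attr, value in attrs:
            v = (value or "").strip().lower()
            if attr.startswith("on"):
                self.hits.append(f"{attr} handler")
            elif attr in ("href", "src") and v.split(":", 1)[0] in ("javascript", "vbscript"):
                self.hits.append(f"{v.split(':', 1)[0]}: url in {attr}")


def script_reaches_browser(markup: str) -> list:
    sniffer = ScriptSniffer()
    sniffer.feed(markup)
    sniffer.close()
    return sniffer.hits


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "unsafe:", script_reaches_browser(render_unsafe(p, p)),
              "safe:", script_reaches_browser(render_safe(p, p)))
```

The encoding function is chosen by where the value lands, not by what the input looks like: entity encoding neutralises the tag and attribute payloads, but a javascript: URL contains no character that entity encoding touches, which is why the href needs a scheme allow-list instead. The CSS expression payload from the table needs a third treatment (keep user input out of style attributes entirely) and is deliberately not covered by this renderer.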
An XSS attack lets the attacker perform the following operations and reach data that is normally off limits:
- Object model (DOM) access
- Cookie access
- Zone elevation
- User data access
Spoofing Attack
Targeting the application covertly on behalf of a third party while keeping one's own identity safe is a spoofing attack. Spoofing causes decisions, by the user or by the program, to be based on fake information: attackers fool programs into trusting incorrect data, and present information through the program's GUI in a misleading, deceptive way.
Test Cases Scenario | Explanation
Spoof IP address | Change the source IP address to hide one's identity.
Alter MAC address | Change the MAC address.
Alter SMTP message | Everything in a mail can be spoofed: TO, FROM, the other headers and the BODY.
Modify HTTP Referer | Applications sometimes check that a link originated from a specific page; the Referer header is attacker-controlled.
C:\mal.txt<TAB><TAB><TAB><TAB> | Tab characters push part of the file name out of the viewable area.
www.test.com@www.hack.com | Some clients accept credentials as part of the URL; everything before @ is userinfo, so the host actually contacted is www.hack.com.
www.test.com/mal.txt%00mal.exe | Truncate the displayed file name with an encoded null character.
www.test.com/mal.txt%0D%0Amal.exe | Inject a new line with an encoded CR/LF (%0D%0A).
C:\good.txt .exe | Spaces before the real extension push it out of view so a malicious file looks benign.
Social engineering plays a significant role in executing a spoofing attack; it is the ability to obtain private information by misleading the target. The following attacks are considered spoofing:
- Caller ID spoofing
- URL redirection
- Mail spoofing
- Reformatting using control characters
- IP address spoofing
Format String Attack
In C/C++, format specifiers such as %d, %f and %s tell the printf family of functions how to interpret their arguments. When user input is used as the format string itself, the specifiers inside that input are interpreted. (C#'s composite formatting uses {0} placeholders and does not interpret % specifiers, but a .NET application can still reach printf-style native code through P/Invoke.) The goal of format string testing is to inject specifiers into every input that might reach the format argument of such a call.
Test Cases Scenario | Explanation
%n%n%n%n%n%n%n%n……%n | %n writes the number of bytes output so far to an address taken from the stack; a long run of %n writes through whatever is on the stack and crashes the process, and with crafted input corrupts memory deliberately.
%s%s%s%s%s%s%s%s%s…….%s | Where %n is disabled, %s makes the function dereference stack values as string pointers, which reads from invalid addresses and crashes.
%d%d%d%d%d%d%d%d……%d | Reads successive stack words and prints them as integers, disclosing stack contents.
%x%x%x%x%x%x%x%x…….%x | Same as %d but in hex, which makes leaked pointers and return addresses easy to spot.
Function inspection | Find printf-family calls (printf, sprintf, fprintf, syslog and similar) whose format argument is derived from input rather than a constant string.
Pen Testing Tools | Description
Pickle | Analyzes a program's disassembly, memory dump and assembly code for format string vulnerabilities.
Hex View | Displays the hex bytes of a Pickle dump.
XML Injection Attack
XML is a universal data format understood by almost all platforms. Applications use XML documents to send data across the wire, pass the document through an XML parser, and then operate on the parsed result. A document that does not parse never reaches the application logic, so it is well-formed input shaped by the attacker that finds security issues in the application consuming the XML.
Test Cases Scenario | Explanation
Malformed XML | Input that is not well formed crashes or confuses the XML parser.
Testuser1</usr><usr role="admin">Testuser2 | XML injection: if the value is pasted into markup, the closing tag ends the current element and the rest creates a new one with the admin role.
X')] | //* | //*[contains(name,'y | XQuery or XPath injection.
<!ENTITY % xx '%zz;'> | Parameter entities that reference each other produce an infinite entity reference loop and exhaust the parser.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ELEMENT test ANY ><!ENTITY xx SYSTEM "C:/boot.ini"> ]><test>&xx;</test> | XML external entity (XXE) attack: the entity expands to the contents of a local file.
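The injection and XXE rows above both come down to the same two rules: build XML with the library rather than by string concatenation, and refuse a DTD in any document you did not produce yourself. The following is an added example (not code from the original article) using only the standard library: a vulnerable builder that pastes the user name from the table into markup, the fixed builder, and a parse wrapper that rejects the XXE document before it reaches the parser. The element names and the user list layout are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Payload from the table above: closes the current element and opens an admin one.
INJECTED_NAME = 'Testuser1</usr><usr role="admin">Testuser2'

# The XXE document from the table above, as a constructed byte string. The
# wrapper below rejects it before any parser could try to open C:/boot.ini.
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE test [ <!ELEMENT test ANY ><!ENTITY xx SYSTEM "C:/boot.ini"> ]>'
           b'<test>&xx;</test>')


def build_user_xml_unsafe(username: str, role: str = "user") -> bytes:
    """Vulnerable: the name is pasted into markup, so markup in the name is honoured."""
    return f'<users><usr role="{role}">{username}</usr></users>'.encode("utf-8")


def build_user_xml_safe(username: str, role: str = "user") -> bytes:
    """Fixed: the library escapes <, > and &, so the input stays text."""
    users = ET.Element("users")
    usr = ET.SubElement(users, "usr", role=role)
    usr.text = username
    return ET.tostring(users, encoding="utf-8")


def has_dtd(xml_bytes: bytes) -> bool:
    """A DTD is where entity bombs and SYSTEM/external entities are declared;
    an untrusted document has no business carrying one."""
    lowered = xml_bytes.lower()
    return b"<!doctype" in lowered or b"<!entity" in lowered


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    if has_dtd(xml_bytes):
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(xml_bytes)


def admin_users(xml_bytes: bytes) -> list:
    """Who ends up with the admin role after the document is parsed back."""
    root = parse_untrusted(xml_bytes)
    return [u.text for u in root.findall("usr") if u.get("role") == "admin"]


if __name__ == "__main__":
    print("unsafe builder admins:", admin_users(build_user_xml_unsafe(INJECTED_NAME)))
    print("safe builder admins:  ", admin_users(build_user_xml_safe(INJECTED_NAME)))
    print("XXE document rejected:", has_dtd(XXE_DOC))
```

The byte-level DTD check is deliberately blunt: it also rejects a harmless document that merely mentions the string in text, which is the right trade-off for untrusted input. When a parser that does support DTD control is in use (for instance lxml with resolve_entities=False, or the defusedxml package), configure it in addition to, not instead of, this pre-check, because the parser's defaults are what XXE relies on.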
Here is a partial list of attacks that can happen when the XML data source is under the attacker's control:
- Directory traversal
- Buffer overflow
- Format string
- HTML scripting
- GUI spoofing
DOS Attack
The objective of a DoS (denial of service) or DDoS (distributed DoS) attack is to prevent a system or its users from accessing resources. A flood of traffic, or a sequence of requests that are cheap to send but expensive to serve, is directed at the server until its resources are exhausted and the service goes down.
Test Cases Scenario | Explanation
Identify methods that incur heavy resource penalties | Functions such as those used for encryption and decryption can be very expensive; find the ones an unauthenticated client can trigger.
Change expected data types | If the application expects a numerical value, send characters instead.
Send lots of data to the application | The mechanism may react differently depending on the amount of data.
Repeat an action again and again | Monitor memory, CPU and handle counts for growth while repeating the same action.
Connect to the server simultaneously | Consume all the connections the server can handle so that new ones are refused.
Exercise all error codes | Study every error path for resources that are acquired and never released.
Pen Testing Tools | Description
LOIC | Generates a moderate amount of TCP, UDP or HTTP traffic from a single host.
HOIC | Generates high-volume HTTP floods that take down a server with no safeguards; only run it against systems you are authorized to test.
Canonicalization Attacks
In a canonicalization attack, the attacker supplies the same data in a different encoding scheme, character set or delimiter form, so that it is interpreted differently from how it appears and the application makes its decisions on the uncanonical form instead of the real target.
Test Cases Scenario | Explanation
http://32323541 | IP address in decimal form: a dot-less address that tricks applications which decide between internet and intranet zones by looking for dots.
%C1%81 | Overlong UTF-8 encoding of the character A (0x41); a decoder that accepts it lets "A" past a filter that only looks for %41.
&gt; | HTML entity encoding of the character >.
&#65; | HTML numeric encoding of the character A.
%41 | URL (hex) encoding of the character A.
%windir%\notepad.exe | Using an environment variable to represent a path.
C:\windows\notepad.exe. | A trailing period (.) is stripped by Windows, so this still opens notepad.exe.
C:\Progra~1\Longf~1.txt | 8.3 short name for a long file name in a path.
C:\folder\..\secret\.\password.txt | Directory traversal: . and .. components change the resolved path.
/Root or \Root | Forward and backward slashes both reach the root.
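The defence against every row in this table, and against the file name tricks in the spoofing table earlier (the %00 and %0D%0A truncations, tab and space padding, user@host URLs), is the same: canonicalize first, then make the security decision on the canonical form. As an added example (not code from the original article), the function below decodes once with strict UTF-8, rejects the forms that cannot be made unambiguous, collapses the path and confines it to a document root; a second function returns the host a URL really points at. The root directory and the rejection policy are assumptions for the example, and the path handling is deliberately POSIX-style even for the Windows-looking inputs.

```python
import posixpath
import re
import urllib.parse

ROOT = "/srv/app/public"   # assumed document root; an example value, not from the page


def canonical_path(user_path: str, root: str = ROOT):
    """Canonicalise a user-supplied path and confine it to root.

    Returns the canonical absolute path, or None when the input is deceptive,
    ambiguous or escapes root. Authorisation decisions must be made on the
    returned value, never on the raw input."""
    # Percent-decode exactly once; strict UTF-8 rejects overlong forms such as %C1%81.
    try:
        decoded = urllib.parse.unquote_to_bytes(user_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    # NUL, CR/LF and TAB are the truncation, line-splitting and padding tricks.
    if re.search(r"[\x00-\x1f\x7f]", decoded):
        return None
    # A '%' left after decoding is either %windir%-style expansion or a second
    # layer of encoding; refuse both rather than guess.
    if "%" in decoded:
        return None
    path = decoded.replace("\\", "/")                 # \Root and /Root are the same
    path = re.sub(r"^[A-Za-z]:", "", path)            # drop a drive letter prefix
    name = posixpath.basename(path.rstrip("/"))
    if name.endswith((".", " ")):                     # notepad.exe. opens notepad.exe
        return None
    if re.search(r"~\d+(?=[./]|$)", path):            # Progra~1 short names
        return None
    if re.search(r"\.[A-Za-z0-9]+\s+.*\.[A-Za-z0-9]+$", name):
        return None                                   # "good.txt .exe" padding
    resolved = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if resolved != root and not resolved.startswith(root + "/"):
        return None                                   # ".." climbed out of root
    return resolved


def real_host(url: str) -> str:
    """The host a client will actually contact: anything before '@' is userinfo,
    and a dot-less decimal host is converted to dotted form."""
    if "://" not in url:
        url = "http://" + url
    host = urllib.parse.urlsplit(url).hostname or ""
    if host.isdigit():
        n = int(host)
        host = ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host


if __name__ == "__main__":
    for sample in ["%41", "%C1%81", "/Root", "\\Root", "C:\\folder\\..\\secret\\.\\password.txt",
                   "mal.txt%00mal.exe", "C:\\good.txt .exe", "../../../etc/passwd"]:
        print(repr(sample), "->", canonical_path(sample))
    print(real_host("www.test.com@www.hack.com"), real_host("http://3232235521/"))
```

Two points are worth noticing. The traversal row from the table canonicalizes to secret/password.txt inside the root, so a check that only looks for ".." in the raw string would have let it through while a check on the resolved path sees exactly which file is being asked for. And the function returns None for several inputs that a lenient file system would happily open; a canonicalizer that tries to guess what an ambiguous input "really meant" is exactly what the attacks in the table exploit, so refusing is the safer outcome.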
Pen Testing Tools | Description
OverlongUTP | Generates the overlong UTF-8 encodings of a character.
Character Map | Displays the hex value of a character.
ASCII Table | A table of the numerical representation of each character.
Web Text Converter | Converts a string into diverse encodings.
Buffer-Overflow Attack
A buffer overflow occurs when input is larger than the space allocated for it and the excess is written beyond the allocated location into adjacent memory that the program never meant to touch. At minimum this crashes the program; when the overwritten memory holds control data such as a return address, it lets an attacker run whatever code they want and take control of the target computer.
Test Cases Scenario | Explanation
(<BOF> stands for an oversized string, typically several thousand bytes.)
<BOF>://www.test.com/mal.txt | Attempt to overflow the protocol (scheme) field
http://<BOF>/mal.txt | Attempt to overflow the server name
http://www.test.<BOF>/mal.txt | Attempt to overflow the server name portion
http://www.test.com/<BOF>.txt | Attempt to overflow the file name
http://www.test.com/mal.<BOF> | Attempt to overflow the extension
http://www.test.com/file.aspx?<BOF> | Attempt to overflow the query string
http://www.test.com/file.aspx?<BOF>=value | Attempt to overflow a query string parameter name
<BOF>:\folder\test.txt | Attempt to overflow the drive letter
C:\<BOF>\test.txt | Attempt to overflow the folder name
C:\folder\<BOF>.txt | Attempt to overflow the file name
C:\folder\test.<BOF> | Attempt to overflow the file extension
An overflow occurs when the program receives more data than it expects. There are many different kinds of overflow attacks:
- Integer overflow
- Stack overflow
- Format string attack
- Heap overrun
Pen Testing Tools | Description
SPIKE | Network fuzzing framework.
BoundsChecker | Checks the bounds of calls into a particular set of APIs.
Gflags.exe | Enables page heap and other heap verification for a process, so heap corruption is caught at the moment it happens rather than later.
LCLint | Checks for common causes of buffer overruns.
IDA Pro | Disassembler and debugger, useful to figure out how an application works.
Code Disassembling
Hackers and penetration testers typically work on .NET managed assemblies by disassembling or decompiling them, which recovers source code for a DLL or EXE that is close to the original. With that source in hand a malicious hacker can find and bypass security restrictions. The same technique is very beneficial to a tester for identifying bugs inherent in the application.
Test Cases Scenario | Explanation
Find format string vulnerabilities | Find them without source code by debugging the application.
Spot insecure function calls | Look for problematic or insecure methods.
Modify execution flow | Identify the execution flow of crucial logic such as serial key validation.
Look for buffer overflows | Look for the possibility of a buffer overrun.
Patch binaries | Patch the binary to your requirement, for example to subvert a serial key or password check.
Read memory contents | Use a debugger to gain full access to all of the process's memory.
Analyze security updates | Compare the patched and unpatched binaries to find the methods a security update changed; they point at the vulnerability that was fixed.
Reverse algorithms | Recover and modify the algorithm behind a piece of functionality if the code is not obfuscated.
Pen Testing Tools | Description
IDA Pro | Debugger and disassembler for managed and unmanaged binaries.
OllyDbg | 32-bit Windows debugger and reverse engineering tool.
Reflector | Decompiler for .NET binaries.
ILDASM | Disassembles an assembly to MSIL.
Weak Permissions
In application security, permissions limit who can access a resource and what can be done to it. If a website or application is not protected by a properly managed set of ACLs, it is susceptible to attack.
Test Cases Scenario | Explanation
Look for too much access on files and resources | If a group or user that should not be able to view or delete a resource is granted that permission, the result can be a nightmare.
Look for multistage elevation | Attackers usually chain several weak permissions together to reach a higher level of access.
Weak discretionary ACL | The DACL determines the level of access to a securable object. Sometimes an administrator grants permissions to a large group such as Guests, Everyone, Users or Network Service.
NULL DACL | If a resource has a NULL DACL it has no access control at all: everyone has full access.
SQL permissions | Every database user must be granted only the access it needs to insert, delete, execute or update database resources.
Securable objects are assets on a computer to which access is controlled; they can be used either directly or indirectly. Examples of securable objects that must be protected are:
- Directories, registry keys and files
- Network shares
- Processes, Windows services and threads
- Active Directory components
- COM objects
Pen Testing Tools | Description
AccessEnum (Sysinternals) | Detects weak permissions on files and registry keys.
WhoAmI | Command line utility that displays all of the groups a user belongs to.
PermCalc | Displays the permission set granted to a .NET assembly.
ObjSD | Displays the access control lists on registry keys, files and services.
SQL Injection Attack
A SQL injection attack permits a malicious user to execute commands against the database behind a website. The attacker's aim is to supply specially crafted data to the application so that the SQL commands the application intends to run are altered. The damage is greatest when the application connects to the database with high privileges or the source code applies no safeguards, because then the attacker can manipulate the whole database.
Test Cases Scenario | Explanation
Website error pages | Error pages are a major source for disclosing SQL statements and learning table, column and database names.
Comments (--) | Use comment sequences to stop the rest of the query from executing.
xyz'; drop table test; -- | A single quotation mark and a semicolon break the current SQL query and start a second statement.
xyz' drop table test; -- | Only a single quotation mark is used to break the current SQL query.
ASC; DROP Table test | An ORDER BY direction built from input (ASC or DESC) can be followed by an injected statement.
Search code for SqlCommand | A SqlCommand whose text is built by string concatenation usually contains user-supplied data.
Search stored procedures for EXEC, SP_EXECUTE and EXECUTE | SQL injection is possible if those keywords are used to run a query assembled from parameters.
S; DROP Table test; -- | No quotation mark is needed when the injected parameter is a numerical value.
Dfgdfg' OR 1=1 -- | Makes the WHERE clause true for every row and bypasses a login page.
"OR 'a'='a' | Always evaluates to true; used to check for authentication bypass.
'; DROP DATABASE pubs -- | Intended to delete the entire database.
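The rows above fall into two patterns, quoted values and unquoted keywords, and they need two different fixes. As an added example (not code from the original article), the following runs the table's login bypass and ORDER BY injections against a constructed in-memory SQLite database, beside the parameterized login query and the allow-listed sort direction that stop them. The schema and the single account are constructed for the example. Note that sqlite3's execute() refuses stacked statements, so the vulnerable sort uses executescript() to stand in for a driver that accepts them, as SQL Server's does; the page's DROP TABLE rows apply unchanged there.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single account; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """The string-concatenation pattern: what a SqlCommand built from input looks like."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username: str, password: str) -> bool:
    return conn.execute(build_query_vulnerable(username, password)).fetchone()[0] > 0


def login_parameterized(conn, username: str, password: str) -> bool:
    """Placeholders: values travel separately from the statement, so quotes and
    comment sequences inside them are data, not SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def sort_users_vulnerable(conn, direction: str) -> None:
    """ORDER BY direction taken from input: the 'ASC; DROP TABLE' row of the table.
    executescript() stands in for a driver that runs stacked statements."""
    conn.executescript("SELECT username FROM users ORDER BY username " + direction)


def sort_users_safe(conn, direction: str) -> list:
    """Keywords cannot be parameterized, so the fix is an allow-list, not escaping."""
    direction = direction.strip().upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("sort direction must be ASC or DESC")
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY username " + direction)]


if __name__ == "__main__":
    db = make_db()
    bypass = "Dfgdfg' OR 1=1 --"
    print(build_query_vulnerable(bypass, "anything"))
    print("vulnerable login:", login_vulnerable(db, bypass, "anything"))
    print("parameterized login:", login_parameterized(db, bypass, "anything"))
    print("safe sort:", sort_users_safe(db, "desc"))
```

Printing build_query_vulnerable() for the bypass payload shows why it works: the `--` turns the entire password comparison into a comment, so the only remaining condition is `OR 1=1`. The same string handed to the parameterized query is compared literally against the username column and matches nothing.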
SQL injection vulnerabilities are extremely valuable to attackers regardless of the importance of the data in the database. SQL injection makes the following attacks possible:
- Executing commands on the machine running the database
- Tampering with data
- Running SQL commands with elevated rights
- Disclosing sensitive information
Pen Testing Tools | Description
OWASP Zed Attack Proxy (ZAP) | Finds vulnerabilities in web applications.
SQLInjection.tdf | A SQL Server Profiler template that monitors all query execution, which makes it useful for spotting injected SQL.
SQL Profiler | Views the SQL statements executing on a SQL Server instance.
sqlmap | Automates the detection and exploitation of SQL injection flaws.
Acunetix | Comprehensive web application vulnerability scanner.
Summary
This article has presented common penetration testing scenarios for .NET Framework applications. We discussed prominent vulnerabilities exploited through scripting, spoofing, reverse engineering, format string, buffer overflow, managed code and canonicalization attacks, along with the corresponding attack tools, and what kind of damage each can cause when exploited. This article should help penetration testers measure the level of security protection in an application.