Security Testing

Sunday, November 11, 2018

HTTP response and other metadata




An HTTP flood is a volumetric attack, usually launched from a botnet (a "zombie army" of compromised machines), that aims to bring down the targeted site or server by overwhelming it with requests. It is a type of DDoS attack.
HTTP flood attacks are difficult to distinguish from valid traffic because they use standard, well-formed URL requests. This makes them one of the most advanced non-vulnerability security challenges facing servers and applications today. Traditional rate-based detection is often ineffective, since the request rate from any single source in an HTTP flood is frequently kept below detection thresholds.
The most effective mitigation relies on a combination of traffic-profiling methods, including IP reputation, tracking abnormal activity, and progressive security challenges (for example, requiring the client to evaluate a JavaScript challenge before it is served).


An attacker may send a request carrying an illegal HTTP version token (for example ".9" in place of a valid HTTP/1.0 or HTTP/1.1). The WAF raises an "illegal HTTP version" alert on such requests.


An application server rejects a request that carries too many headers, that is, more headers than the maximum defined in its configuration.

Prevent:-

The maximum number of headers can be increased using the 'Maximum Headers' property associated with the HTTP transport or the 'limitNumHeaders' property on a transport channel. Raise it only as far as the application actually needs, since the limit also protects the server against requests padded with very large numbers of headers.

The WAF detects HTTP parameter pollution attacks, and the customer can choose to either alert on or block sessions that attempt to pass the same HTTP parameter multiple times or to pass values such as null characters.
A null character in a parameter is potentially harmful because it may be used for null-byte injection.
Prevent:-
The WAF policy "null character in parameter name" is currently set to alert. The customer should review the alerts the policy generates and check for false positives before switching it to block.
See the null injection blog below.
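The four checks described in this post (illegal version token, header-count limit, repeated parameters, null characters) applied to a raw request, as an added example that is not part of the original post. The header limit, the sample requests and the finding strings are constructed for illustration and do not come from any WAF product:

```python
"""WAF-style checks on a raw HTTP request: illegal version token, header-count
limit, HTTP parameter pollution (a name sent more than once) and null
characters in parameter names or values.  Added example: the limit and the
sample requests are constructed for illustration, not taken from any product.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Hypothetical ceiling, standing in for a transport's 'Maximum Headers' setting.
MAX_HEADERS = 50
# Only the shape HTTP/<digit>.<digit> is a well-formed version token;
# ".9", "HTTP/.9" or "HTTP/1.1.1" all fail this test.
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


def check_request(raw: str, max_headers: int = MAX_HEADERS) -> list:
    """Return a list of findings (empty when the request looks clean)."""
    findings = []
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line: %r" % lines[0]]
    method, target, version = parts
    if not VERSION_RE.match(version):
        findings.append("illegal HTTP version: %r" % version)
    headers = [line for line in lines[1:] if line]
    if len(headers) > max_headers:
        findings.append("too many headers: %d > %d" % (len(headers), max_headers))
    # parse_qsl percent-decodes, so %00 in the wire form becomes a real NUL here.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    for name, count in Counter(name for name, _ in pairs).items():
        if count > 1:
            findings.append("parameter pollution: %r sent %d times" % (name, count))
    for name, value in pairs:
        if "\x00" in name:
            findings.append("null character in parameter name: %r" % name)
        elif "\x00" in value:
            findings.append("null character in value of parameter %r" % name)
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_ILLEGAL_VERSION = "GET /login?user=bob HTTP/.9\r\nHost: example.test\r\n\r\n"
SAMPLE_POLLUTED = ("GET /transfer?to=alice&amount=10&to=mallory HTTP/1.1\r\n"
                   "Host: example.test\r\n\r\n")
SAMPLE_NULL_BYTE = ("GET /download?file=report.pdf%00.php HTTP/1.1\r\n"
                    "Host: example.test\r\n\r\n")
SAMPLE_HEADER_FLOOD = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                       + "".join("X-Pad-%d: x\r\n" % i for i in range(60)) + "\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ILLEGAL_VERSION, SAMPLE_POLLUTED,
                   SAMPLE_NULL_BYTE, SAMPLE_HEADER_FLOOD):
        print(check_request(sample))
```

Which parameter a framework actually uses when a name is repeated varies (first, last, or a list), which is why the pollution check fires on the mere repetition rather than on any particular value.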

Wednesday, September 19, 2018

Overly permissive CORS

The Origin header is sent by the browser in a CORS request and indicates the origin of the page making the request. It can be spoofed by any client outside a browser, so checking it only controls what a browser-based script may read; application-level protections (authentication and authorization) are still needed to protect sensitive data.
Access-Control-Allow-Origin is a response header used by a server to indicate which origins are allowed to read the response.
Insecure configurations include using the '*' wildcard as the value of Access-Control-Allow-Origin, which means every origin is allowed, and reflecting the request's Origin header back without any validation, which (combined with Access-Control-Allow-Credentials: true) lets any site read a user's authenticated responses. Such configurations are very insecure and not acceptable, except for a public API that is intended to be accessible by everyone and does not rely on the user's credentials.

# Insecure when $cors_header simply echoes $http_origin (the request's Origin)
# with no allow-list check: any site can then read credentialed responses.
add_header Access-Control-Allow-Origin $cors_header;
add_header Access-Control-Allow-Credentials true;
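The reflect-the-Origin bug and an allow-list check side by side, as an added example that is independent of the nginx fragment above and not part of the original post. The allow-list entries and the origins used are constructed for illustration:

```python
"""Access-Control-Allow-Origin policy: the insecure reflect-any-Origin pattern
next to an exact allow-list check.  Added example, independent of the nginx
fragment in the post; the allow-list entries and origins are constructed for
illustration.
"""
from typing import Optional

# Hypothetical first-party origins; a full origin is scheme + host (+ port).
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}


def cors_headers_insecure(origin: Optional[str]) -> dict:
    """Reflect whatever Origin arrived and allow credentials.  Any page on any
    site can then read this server's authenticated responses with the victim's
    cookies: the 'server returns the Origin header without checks' bug."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def prefix_match_allowed(origin: Optional[str]) -> bool:
    """A common broken validator: attacker-controlled hosts such as
    https://app.example.test.attacker.test pass a startswith check."""
    return origin is not None and origin.startswith("https://app.example.test")


def cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """Grant credentialed access only on an exact match against the allow-list.
    Set membership avoids the prefix/suffix bugs and rejects the literal 'null'
    origin sent from sandboxed iframes and local files.  Returning no CORS
    headers makes the browser refuse to expose the response to the caller."""
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # The response differs per Origin, so shared caches must key on it.
            "Vary": "Origin"}


if __name__ == "__main__":
    for o in ("https://app.example.test", "https://attacker.test",
              "https://app.example.test.attacker.test", "null", None):
        print(o, "insecure:", cors_headers_insecure(o), "hardened:", cors_headers(o))
```

Note that browsers refuse a '*' wildcard together with Allow-Credentials: true, which is exactly why a careless server "fixes" that by reflecting the Origin; the allow-list is the correct fix.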

Sunday, September 16, 2018

Query Parameter SSL

A URL containing a sensitive query parameter is stored in the browser history. The web server may also be configured to log the URL of every request, so the sensitive parameter ends up in the server log as well.
Fix:
The solution to this problem requires two steps:

· Only pass sensitive data in a request when it is strictly necessary. Once a user is authenticated, refer to them with a session ID that has a limited lifetime.
· Use non-persistent, session-level cookies to hold session IDs and other private data.

The advantages of using session-level cookies to carry this information:

· They are not stored in the browser history or on disk
· They are usually not stored in server logs
· They are not leaked through the Referer header to embedded resources such as images or JavaScript libraries, as URL query parameters are
· They only apply to the domain and path for which they were issued
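A concrete check for the problem and the fix, as an added example that is not part of the original post: it flags sensitive parameter names in a URL or in an access-log line, then builds the session-level cookie that should carry the value instead. The parameter-name list, the log line and the cookie attributes are constructed for illustration:

```python
"""Why sensitive values must not travel in the query string, and how to carry a
session identifier in a session-level cookie instead.  Added example; the
parameter-name list, the access-log line and the cookie attributes are
constructed for illustration.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Hypothetical list of parameter names that must never appear in a URL.
SENSITIVE_PARAMS = {"password", "passwd", "token", "sessionid", "session_id", "ssn", "card"}

# Constructed access-log line in the common combined-log shape; note the full
# query string, credentials included, is recorded verbatim.
SAMPLE_LOG_LINE = ('10.0.0.5 - - [16/Sep/2018:10:00:00 +0000] '
                   '"GET /login?user=bob&password=Hunter2&sessionid=abc123 HTTP/1.1" 200 512')
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in_url(url: str) -> list:
    """Query parameter names whose values end up in history, logs and Referer."""
    names = [n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [n for n in names if n.lower() in SENSITIVE_PARAMS]


def sensitive_params_in_log_line(line: str) -> list:
    """Same check applied to the request target recorded in one access-log line."""
    m = LOG_RE.search(line)
    return sensitive_params_in_url(m.group("target")) if m else []


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value with no Expires/Max-Age (so the browser discards it
    when closed) plus Secure, HttpOnly and SameSite to limit where it travels."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    return cookie.output(header="").strip()


def is_session_cookie(set_cookie: str) -> bool:
    """True when the Set-Cookie value carries neither Expires nor Max-Age."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return not ({"expires", "max-age"} & attrs)


if __name__ == "__main__":
    print(sensitive_params_in_log_line(SAMPLE_LOG_LINE))
    print(session_cookie_header("sid", "abc123"))
```

The cookie's limited lifetime on the server side (session expiry) is a separate control from the browser discarding the session cookie on exit; both are needed.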

Saturday, September 15, 2018

Insecure HTTP Methods Enabled



An attacker sends an OPTIONS request to the web server to determine which HTTP methods it supports. The server answers with an Allow header listing them, for example: Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS
The Allow header includes the list of supported HTTP methods.
The application is considered insecure if the Allow header contains methods such as PUT or DELETE (which may let a client create or remove resources) or TRACE (which enables cross-site tracing). The Allow header is only what the server claims, so confirm each risky method by actually sending it and checking the response status.
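The probe described above, as an added example that is not part of the original post: it sends OPTIONS, flags the risky methods in Allow, then confirms one of them by sending it. The embedded server is a constructed stand-in for a real target so that the code runs offline:

```python
"""Probe a web server with OPTIONS, read the Allow header, flag risky methods,
and then confirm a risky method by actually sending it.  Added example; the
embedded server is a constructed stand-in for a real target so the probe can
run offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}


def parse_allow(allow: str) -> set:
    """Turn 'HEAD, GET, PUT' into {'HEAD', 'GET', 'PUT'}."""
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def risky_methods(allow: str) -> set:
    return parse_allow(allow) & RISKY_METHODS


def probe_methods(host: str, port: int, path: str = "/") -> set:
    """Send OPTIONS and return the methods the Allow header advertises."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return parse_allow(resp.getheader("Allow") or "")
    finally:
        conn.close()


def verify_method(host: str, port: int, method: str, path: str = "/") -> int:
    """Allow is only a claim: send the method itself and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


class _PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed target that advertises and honours DELETE (not a real server)."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_DELETE(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_probe() -> dict:
    """Start the stand-in server on a free loopback port, probe it, tear it down."""
    srv = HTTPServer(("127.0.0.1", 0), _PermissiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        advertised = probe_methods(host, port)
        return {"advertised": advertised,
                "risky": advertised & RISKY_METHODS,
                "delete_status": verify_method(host, port, "DELETE")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_probe())
```

Against a real target replace the stand-in with the host and port under test; a 405 or 501 on the verification request means the method is advertised but not actually honoured at that path.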

Wednesday, September 12, 2018

Web Application Source Code Disclosure Pattern Found

It may be possible to retrieve the source code of server-side scripts, which can expose business logic or sensitive information such as usernames and passwords.


Possible Causes
· Patches for third-party products were not installed
· Temporary files were left in the production environment
· Debugging information was left by the programmer in web pages
Application source code should not be accessible to web users, as it may contain sensitive application information and back-end logic.
It can give an attacker useful guidance for further exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.
Recommendation
There are many ways application source code can be revealed. To ensure that your application does not give web users access to source code: [1] Check that all system patches related to source code disclosure are installed. [2] Check that no application source code is left in HTML comments. [3] Check that all source code files (including backups and temporary copies) are removed from the production environment.
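A scanner for the pattern this finding is named after, as an added example that is not part of the original post: it looks for server-side code in response bodies (including code left in HTML comments) and lists the leftover-file names worth requesting. The pattern set is a starting point, not a scanner's full rule set, and the sample responses are constructed:

```python
"""Scan HTTP response bodies for server-side source code that should never
reach the client, and list the backup/temporary file names worth probing for.
Added example; the pattern set is a starting point and the sample responses
are constructed for illustration.
"""
import re

# Name -> regex that matches server-side code rather than rendered output.
SOURCE_PATTERNS = {
    "php_open_tag": re.compile(r"<\?php\b"),
    "asp_jsp_scriptlet": re.compile(r"<%[=!@]?[\s\S]*?%>"),
    "credential_in_connection_string": re.compile(
        r"\b(?:password|pwd)\s*=\s*[^;'\"\s]{4,}", re.I),
    # Source or SQL that a developer left inside an HTML comment.
    "code_in_html_comment": re.compile(
        r"<!--[\s\S]*?(?:select\s+.+?\s+from\s+|\$\w+\s*=|mysql_|password)[\s\S]*?-->",
        re.I),
}

# Suffixes that editors, deployments and admins commonly leave behind next to
# a script; requesting these often returns the raw source instead of running it.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")


def scan_body(body: str) -> list:
    """Names of the patterns found in one response body (empty if none)."""
    return [name for name, rx in SOURCE_PATTERNS.items() if rx.search(body)]


def backup_candidates(path: str) -> list:
    """Paths to request when checking for leftover copies of a server-side script."""
    return [path + suffix for suffix in BACKUP_SUFFIXES]


# Constructed sample responses (not captured from any site).
RENDERED_PAGE = "<html><body><h1>Total: $5 = fine</h1></body></html>"
LEAKED_PHP = ("<html>\n<?php $conn = mysqli_connect('db', 'app', 'Passw0rd!'); ?>\n"
              "<!-- TODO remove: SELECT * FROM users WHERE admin=1 -->\n</html>")
LEAKED_COMMENT = "<html><!-- Server=db;User Id=app;Password=s3cretPass; --></html>"

if __name__ == "__main__":
    for body in (RENDERED_PAGE, LEAKED_PHP, LEAKED_COMMENT):
        print(scan_body(body))
    print(backup_candidates("/admin/config.php"))
```

Rendered pages that legitimately discuss code (documentation, tutorials) will trip these patterns, so treat a hit as something to review rather than a confirmed disclosure.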


Thursday, September 6, 2018

Security terms Salt, Nonce, Rainbow


Salt
A salt is a random value (not a form of encryption) generated anew for each password. The salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored together with the salt in the database.
Nonce
A nonce is an arbitrary number used only once in a cryptographic communication. It is a random or pseudo-random value issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
Rainbow
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Such tables recover a plaintext password up to a certain length consisting of a limited set of characters. A rainbow table takes less processing time and more storage than a brute-force attack, which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. A per-password salt defeats this precomputation, because a separate table would be needed for every salt value.
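The three terms made concrete, as an added example that is not part of the original post: an unsalted hash cracked by a precomputed lookup table (the simple cousin of a rainbow table), the same password hashed with a fresh salt so the table no longer applies, and a nonce store that refuses replays. The password list and iteration count are constructed for illustration:

```python
"""Salt, nonce and precomputed-table cracking shown concretely.  Added example;
the password list and the toy lookup table are constructed for illustration,
and the iteration count is kept low for speed rather than chosen for
production use.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 50_000  # illustrative; production PBKDF2 counts are far higher


def unsalted_hash(password: str) -> str:
    """The weak scheme a precomputed table defeats: same input, same hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; every unsalted store can then be cracked
    by lookup.  A rainbow table is the space-optimised version of this idea
    (chains with reduction functions instead of one entry per hash)."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(table: dict, digest_hex: str) -> Optional[str]:
    return table.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Fresh random 16-byte salt per password, then PBKDF2-HMAC-SHA256 over
    salt+password.  Store (salt, digest); never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class NonceStore:
    """Issue single-use nonces and refuse any that was already consumed, which is
    what stops a captured message from being replayed."""

    def __init__(self):
        self._used = set()

    def issue(self) -> str:
        return secrets.token_hex(16)

    def consume(self, nonce: str) -> bool:
        if nonce in self._used:
            return False
        self._used.add(nonce)
        return True


if __name__ == "__main__":
    table = build_lookup_table(["123456", "password", "letmein"])
    print("unsalted:", crack_unsalted(table, unsalted_hash("password")))
    salt, digest = hash_password("password")
    print("salted lookup:", crack_unsalted(table, digest.hex()),
          "verify:", verify_password("password", salt, digest))
```

A real nonce store also needs an expiry so the set of used values does not grow forever; a timestamp bound on accepted nonces is the usual way to do that.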

Monday, August 20, 2018

Authentication and Authorization


· Authentication is the process of verifying who you are. When you log on to a PC with a user name and password you are authenticating.
· Authorization is the process of verifying that you have access to something. Gaining access to a resource because the permissions configured on it allow you access is authorization.
Authentication can be done using the following methods:
· Local Code42 platform directory
· LDAP
· Single Sign-On (SSO)
· RADIUS
Authorization can be done using the following methods:
· Local Code42 platform directory
· LDAP