Introduction
This post describes some methods and techniques that can be used to verify and analyze the security of a web application by assessing its SSL/TLS and HTTP traffic.
We will focus on how to verify SSL/TLS protocols and ciphers, inspect HTTP response headers, and scan for SQLi and XSS vulnerabilities.
These methods can be used to test, harden and evaluate the security of a given web application before moving it to production.
Note that one cannot fully rely on automated vulnerability scanners; a security specialist should always evaluate the results. Automated scans are treated here as a complement to manual scanning and testing.
Disclaimer – Use tools and methods in this post at your own risk.
Use only in Test/Pre-Production environments. You should only test applications that you have been specifically given permission to test.
OWASP Top 10 – 2017
The Ten Most Critical Web Application Security Risks identified by OWASP in 2017 are listed here:
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Broken Access Control
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Insufficient Attack Protection
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Underprotected APIs
Reference: OWASP, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Objectives
- Evaluate web application vulnerabilities
- Find out whether the web server is vulnerable to SQLi and XSS
- Find out whether the web server is properly configured with regard to SSL/TLS protocols and ciphers
- Verify whether the web server exposes unwanted HTTP response headers or is missing specific security headers
Requirements
Basic Linux skills are required.
The following tools are used in this post:
- Ubuntu, Debian or Kali (OS Distribution)
- SSLScan (Analyze TLS protocols and ciphers)
- Hsecscan (Analyze HTTP headers)
- w3af (Analyze and audit web server)
- OWASP ZAP (Zed Attack Proxy)
- JuiceShop (Vulnerable Web application running as Docker container)
Using SSLScan to Verify SSL/TLS Protocols and Ciphers
SSLScan is built into Kali; the tool can also be downloaded separately from GitHub:
git clone https://github.com/rbsec/sslscan.git
We will start using sslscan to analyze SSL communication and to run a basic SSL audit.
Usage:
sslscan -h            (show help)
sslscan host:port     (start the SSL/TLS test)
Fig 1. – Example of SSL Scan output
In the screenshot above we verify that TLS 1.2 is in use and that the most secure TLS ciphers are configured as preferred.
Analyzing HTTP Security Response Headers with Hsecscan
In this example we use Hsecscan to analyze the HTTP headers returned when communicating with the specified web server.
Usage:
./hsecscan.py -h                   (show help)
./hsecscan.py -u http://address/   (scan and analyze the HTTP headers for a specific URL)
Fig 2. – Example of a HTTP Security Header Scan
The scan result shows which HTTP headers should be secured; furthermore, an explanation is provided for each header, with external links for additional information.
Hsecscan can be downloaded from GitHub:
git clone https://github.com/riramar/hsecscan.git
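As an added example (not part of hsecscan or of this post), the following POSIX shell script performs the same kind of check offline against two constructed responses: it lists required security headers that are missing, flags version-leaking headers, and checks that the HSTS max-age meets a threshold. The list of required headers and the one-year threshold are assumptions of the example.

```shell
# Added example: a small POSIX-sh audit of HTTP response headers in the spirit of hsecscan.
# Both responses below are constructed for the example, not captured from a real server.
WEAK_RESPONSE="HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Apache/2.4.29
X-Powered-By: Express
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=60"
HARDENED_RESPONSE="HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer"
# Header names are case-insensitive, so all comparisons are done in lower case.
REQUIRED="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy"
LEAKY="server x-powered-by"   # these only reveal software versions and should be removed
HSTS_MIN_AGE=31536000         # one year; this threshold is an assumption of the example
# Print the lower-cased name of every header line in the response, one per line.
header_names() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z'
}
# Print the value of the named header (case-insensitive), or nothing if it is absent.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '{ i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(n)) { v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit } }'
}
# Required headers absent from the response, one per line.
missing_headers() {
  names=$(header_names "$1")
  for h in $REQUIRED; do printf '%s\n' "$names" | grep -qx "$h" || echo "$h"; done
}
# Version-leaking headers present in the response, one per line.
leaky_headers() {
  names=$(header_names "$1")
  for h in $LEAKY; do printf '%s\n' "$names" | grep -qx "$h" && echo "$h"; done
}
# Succeeds only if HSTS is present with a max-age of at least HSTS_MIN_AGE seconds.
hsts_ok() {
  age=$(header_value "$1" strict-transport-security | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}
# Print the findings for both samples; the hardened one produces no findings.
report() { echo "missing: [$(missing_headers "$1" | tr '\n' ' ')] leaking: [$(leaky_headers "$1" | tr '\n' ' ')]"
  hsts_ok "$1" && echo "HSTS ok" || echo "HSTS missing or max-age below $HSTS_MIN_AGE"; }
report "$WEAK_RESPONSE"
report "$HARDENED_RESPONSE"
```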
Analyzing web server application for OWASP Top 10 with w3af
In this section we will use w3af to test our web server application for OWASP Top 10 vulnerabilities.
w3af (web application attack and audit framework) is built into Kali, but it can also be installed separately from the w3af website mentioned below.
The built-in w3af profile "OWASP_TOP10" is used as the reference here.
This profile enables all plugins related to the OWASP Top 10.
w3af_console -p OWASP_TOP10
Customize w3af profile to suit your needs.
Enable HTML Report:
Run "w3af_console" and enter the following commands:
plugins
output html_file
output config html_file
set output_file output-report.html
set verbose True
back
Set the target URL in w3af:
target
set target http://x.x.x.x:3000/rest/product/search?q=,http://x.x.x.x:3000/rest/user/login
Save the customized settings in a profile:
profiles
save_as owasp_juiceshop
back
exit
Start w3af (the duration depends on the target URL and on the number of URLs in the web site being evaluated):
w3af_console -p owasp_juiceshop   (loads the profile in w3af)
w3af_console -P owasp_juiceshop   (loads the profile and executes the test)
More info about w3af can be found here:
Analyzing web server application with OWASP ZAP
DISCLAIMER – it is very important to do an active test in a Test environment ONLY – NEVER use these methods in a Production environment!
OWASP ZAP is a great tool for web security testing and vulnerability scanning.
We will use OWASP Zed Attack Proxy against our vulnerable test website (JuiceShop).
Start the attack by using Quick Start, or by using ZAP as a proxy for your browser session.
When input forms are detected, use the Fuzzer to check them for SQLi or XSS vulnerabilities.
Locate an HTTP POST/GET input form to verify whether it is vulnerable to SQLi and/or XSS.
Testing for SQLi
This POST contains the login form in our JuiceShop which we will test for SQLi:
Mark field for SQLi Fuzzing:
Choose Fuzz and select SQLi Payload:
Start the Test and evaluate:
The screenshot above shows that this web application is vulnerable to SQLi.
Testing for XSS
This GET contains the search box in our JuiceShop which we will test for XSS:
Mark field for XSS testing/fuzzing:
Choose Fuzz and select the XSS Payload:
Start the Test and evaluate:
The screenshot above shows that this web application is vulnerable to XSS.
OWASP ZAP is available for all major platforms and can be downloaded here: