Analyzing and Testing Web Application Security based on OWASP Top 10 – SQLi and XSS

Introduction

This post describes some methods and techniques that we can use to verify and analyze security in a web application by assessing the SSL and HTTP traffic.
We will focus on how to verify SSL Protocols and Ciphers, HTTP Response Headers and scanning for SQLi and XSS vulnerabilities.

These methods could be used to test, harden and evaluate security in a given web application before moving the web application to production.
Note that one cannot fully rely on automated vulnerability scanners; a security specialist should always evaluate the results. Automated scans are treated here as complementary to manual scanning and testing.

Disclaimer – Use tools and methods in this post at your own risk.
Use only in Test/Pre-Production environments. You should only test applications that you have been specifically given permission to test.

OWASP Top 10 – 2017

The Ten Most Critical Web Application Security Risks identified by OWASP in 2017 are listed here:

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Broken Access Control
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Insufficient Attack Protection
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Underprotected APIs


Reference:

OWASP:

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Objectives

  • Evaluate web application vulnerabilities
    • Find out whether the web server is vulnerable to SQLi and XSS
    • Find out if the web server is properly configured with SSL/TLS protocols and ciphers
    • Verify whether the web server exposes or is missing specific security HTTP response headers

Requirements

Basic Linux skills are required.

The following tools are used in this post:

  • Ubuntu, Debian or Kali (OS Distribution)
  • SSLScan (Analyze TLS protocols and ciphers)
  • Hsecscan (Analyze HTTP headers)
  • w3af (Analyze and audit web server)
  • OWASP ZAP (Zed Attack Proxy)
  • JuiceShop (Vulnerable Web application running as Docker container)

Using SSLScan to Verify SSL/TLS Protocols and Ciphers

SSLScan is built into Kali; the tool can also be downloaded separately from GitHub:

We will start using sslscan to analyze SSL communication and to run a basic SSL audit.

Usage:

Fig 1. – Example of SSL Scan output


In the screenshot above we verify that TLS 1.2 is in use and that the most secure TLS ciphers are configured as preferred.
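The two checks the screenshot is read for (which protocol versions the server accepts, and whether its preferred cipher is a modern suite) can also be scripted. The following is an added example written for this post, not part of sslscan: the policy it enforces (only TLS 1.2/1.3, preferred cipher must be a forward-secret AEAD suite) is an assumption chosen for the example, and the `probe()` function needs network access to a host you are allowed to test, while the evaluation functions work offline on their inputs.

```python
"""Evaluate which TLS protocol versions a server accepts and whether its
preferred cipher is a modern AEAD suite. Added example; not sslscan's code."""
import socket
import ssl

# Policy for this example (an assumption, not taken from the post): only
# TLS 1.2 and 1.3 are acceptable, and the negotiated cipher must combine an
# ephemeral key exchange with an AEAD mode (GCM or CHACHA20).
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "CBC")


def cipher_is_strong(cipher_name):
    """True if the suite name looks like a forward-secret AEAD suite.
    Understands OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and TLS 1.3
    names (TLS_AES_256_GCM_SHA384)."""
    name = cipher_name.upper()
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        return False
    aead = "GCM" in name or "CHACHA20" in name
    ephemeral = name.startswith("TLS_") or "DHE" in name
    return aead and ephemeral


def evaluate(offered_versions, preferred_cipher):
    """offered_versions: set of version names the server accepted.
    Returns a list of findings; an empty list means the policy is met."""
    findings = []
    for version in sorted(offered_versions):
        if version not in ACCEPTABLE_VERSIONS:
            findings.append(f"server accepts deprecated protocol {version}")
    if not offered_versions & ACCEPTABLE_VERSIONS:
        findings.append("server offers neither TLS 1.2 nor TLS 1.3")
    if not cipher_is_strong(preferred_cipher):
        findings.append(
            f"preferred cipher {preferred_cipher} is not a forward-secret AEAD suite")
    return findings


def probe(host, port=443, timeout=5):
    """Try one handshake per TLS version, each pinned with a dedicated context,
    and record which versions succeed; then record the cipher chosen on a
    default context. Needs network access to the target."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    offered = set()
    for name, tls_version in versions.items():
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol support is tested here, not the certificate
        try:
            ctx.minimum_version = tls_version
            ctx.maximum_version = tls_version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    offered.add(name)
        except (ssl.SSLError, OSError, ValueError):
            pass  # handshake refused: this version is not offered (or the local OpenSSL forbids it)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            preferred = tls.cipher()[0]  # (name, protocol, bits)
    return offered, preferred


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    offered, preferred = probe(target)
    print(f"offered: {sorted(offered)}, preferred cipher: {preferred}")
    for finding in evaluate(offered, preferred) or ["configuration passes policy"]:
        print(finding)
```

Run it as `python3 tls_check.py test-host.example` against a test host. Note that a modern client library may itself refuse TLS 1.0/1.1 at its default security level, so a "not offered" result for those versions should be confirmed with sslscan's output, which speaks the legacy versions directly.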

Analyzing HTTP Security Response Headers with Hsecscan

In this example we use Hsecscan to analyze the HTTP Headers when communicating with specified Web server.

Usage:

Fig 2. – Example of an HTTP Security Header Scan


The scan result shows which HTTP headers should be secured; furthermore, an explanation is provided with external links for additional information.
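The kind of check such a scan performs is easy to reproduce. The script below is an added example for this post, not Hsecscan's code: the set of expected headers and the rule applied to each value are assumptions chosen here (scanners differ in what they flag), the `SAMPLE_HEADERS` dict is a constructed response used for an offline run, and `fetch_headers()` performs a real GET against a URL you are permitted to test.

```python
"""Report missing, weak and information-disclosing HTTP response headers.
Added example; not Hsecscan's own code."""
import urllib.request


def _hsts_ok(value):
    return "max-age=" in value.lower()


def _frame_options_ok(value):
    # ALLOW-FROM is obsolete and ignored by current browsers, so only these two pass.
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


# Expected headers and a minimal acceptance rule for each (assumption for this example).
EXPECTED = {
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
    "X-Frame-Options": _frame_options_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Referrer-Policy": lambda v: bool(v.strip()),
}

# Headers that reveal software details and should be removed or minimised.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version")


def check_headers(headers):
    """headers: mapping of header name -> value (looked up case-insensitively).
    Returns {'missing': [...], 'weak': [...], 'disclosing': [...]}."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"missing": [], "weak": [], "disclosing": []}
    for name, ok in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            result["missing"].append(name)
        elif not ok(value):
            result["weak"].append(f"{name}: {value}")
    for name in DISCLOSING:
        if name.lower() in lower:
            result["disclosing"].append(f"{name}: {lower[name.lower()]}")
    return result


def fetch_headers(url, timeout=5):
    """GET the URL and return its response headers as a plain dict (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample response headers; not captured from any real server.
SAMPLE_HEADERS = {
    "Server": "ExampleServer/1.0",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for kind, items in check_headers(headers).items():
        for item in items:
            print(f"{kind}: {item}")
```

Without an argument the script evaluates the constructed sample and reports three missing headers, one weak `X-Frame-Options` value and the disclosing `Server` header; with a URL it evaluates the live response instead.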

Hsecscan can be downloaded from GitHub:

Analyzing web server application for OWASP Top 10 with w3af

In this section we will use w3af to test our web server application for OWASP Top 10 vulnerabilities.
w3af (web application attack and audit framework) is built into Kali, but can also be installed separately from the w3af website mentioned below.

The built-in w3af profile “OWASP_Top10” is used as the reference here.

This enables all OWASP Top 10 related Plugins.

Customize w3af profile to suit your needs.

Enable HTML Report:

Run “w3af_console” and the following commands.

Set Target URL in w3af:

Save the customized settings in a profile:

Start w3af (the scan duration depends on the target URL and on the number of site URLs being evaluated):

More info about w3af can be found here:

w3af

Analyzing web server application with OWASP ZAP

DISCLAIMER – it is very important to do an active test in a Test environment ONLY – NEVER use these methods in a Production environment!

OWASP ZAP is a great tool for web security testing and vulnerability scanning.

We will use OWASP Zed Attack Proxy against our vulnerable test website (JuiceShop).

Start Attack by using Quick start or by using ZAP as a Proxy for your browser session.

When input forms are detected, use the Fuzzer to check for SQLi or XSS vulnerabilities.

Locate an HTTP POST/GET input form to verify whether it is vulnerable to SQLi and/or XSS.

Testing for SQLi

This POST contains the login form in our JuiceShop which we will test for SQLi:


Mark field for SQLi Fuzzing:


Choose Fuzz and select SQLi Payload:


Start the Test and evaluate:


The screenshot above shows that this web application is vulnerable to SQLi.
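What the fuzzer is exercising on the login form is a query assembled from the submitted fields, so the finding is easiest to understand next to its fix. The following is an added example, not JuiceShop's code: it uses an in-memory SQLite table with an assumed `users(email, password)` layout and one constructed account, shows the login query built by string concatenation beside the same query with bound parameters, and runs the classic tautology input from a SQLi wordlist through both.

```python
"""Vulnerable vs parameterized login query, run against an in-memory SQLite
database. Added example; the schema and account are constructed for the demo."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    # Constructed account; the password is stored in clear only to keep the demo short.
    conn.execute("INSERT INTO users VALUES ('admin@example.test', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the SQL by concatenation, so user input becomes part of the statement."""
    query = ("SELECT email FROM users WHERE email = '" + email
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # Input that breaks the SQL syntax raises here; a scanner treats such
        # database errors in the response as a second signal of injection.
        return None
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same check with bound parameters: the input is always treated as data."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


# The classic tautology string found in every SQLi fuzzing list. Substituted into the
# concatenated query it yields  ... WHERE email = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so the first user is "authenticated".
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, valid credentials:", login_vulnerable(conn, "admin@example.test", "s3cret"))
    print("vulnerable, tautology input:  ", login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, tautology input:", login_safe(conn, TAUTOLOGY, TAUTOLOGY))
```

The parameterized version returns no user for the tautology input because the whole string is compared against the `email` column as a literal; the fix is the query shape, not filtering of the input.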

Testing for XSS

This GET contains the search box in our JuiceShop which we will test for XSS:


Mark field for XSS testing/fuzzing:


Choose Fuzz and select the XSS Payload:


Start the Test and evaluate:


The screenshot above shows that this web application is vulnerable to XSS.
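The search-box result comes from the search term being written back into the page without encoding. The following is an added example, not JuiceShop's code: a minimal page template (an assumption) rendered once verbatim and once through HTML escaping, plus the reflection check a scanner applies, which injects a harmless marker tag and looks for it coming back with its angle brackets intact.

```python
"""Reflected XSS: unencoded vs encoded output, and the reflection check a
scanner uses to detect the former. Added example; the template is constructed."""
import html

# Assumed page template for the search results (not JuiceShop's markup).
TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_vulnerable(query):
    """Inserts the search term verbatim: markup in the term becomes markup in the page."""
    return TEMPLATE.format(query=query)


def render_safe(query):
    """Encodes <, >, &, and quotes before insertion, so the term is shown as text only."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


# A harmless, unique marker a scanner can submit instead of an actual payload:
# if it is reflected unchanged, the parameter is written into HTML without encoding.
PROBE = "<i>xss-probe-7f3a</i>"


def reflects_unencoded(render, probe=PROBE):
    """True if the rendered page contains the probe with its tags intact."""
    return probe in render(probe)


if __name__ == "__main__":
    sample = '<b>bold</b> & "quotes"'  # constructed search term
    for name, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(f"{name}: reflected unencoded = {reflects_unencoded(render)}")
        print("   ", render(sample))
```

Escaping at the point where the value is written into HTML is what closes the finding; the same term placed into a JavaScript string or an attribute needs the encoding for that context instead, which a single HTML escape does not provide.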

OWASP ZAP is available for all major platforms and can be downloaded here:

OWASP ZAP
