RE: Pen-tester's analysis of .NET security?

From: Dinis Cruz (dinis@ddplus.net)
Date: Thu Mar 25 2004 - 18:39:32 EST


Hello Mark

How are you approaching your penetration tests?
  a) purely from the outside (emulating external attacks) or
  b) also from the inside (i.e. internal attacks launched from other
     websites co-hosted in the same server)

In the a) case (Pen-test from the outside) I would look at these
vulnerabilities:

   - Input validation issues (as noted by most previous comments to this
thread)
   - Defense in depth issues (i.e. does the site have a multi-layer
security system). I have found that most web applications don't perform
'stack-walks' (to use a .Net term) when executing administrative
commands. They assume that all requests that they receive are valid and
don't check if the user making the request has privileges to do so (they
rely on the client not having the option to make those requests). To
exploit these vulnerabilities all you need to do is to resend the
administrative requests (via the implemented method: Get, Post or SOAP)
under an anonymous account or under a normal user account (I hope this
explanation makes sense to you).
 
If you are also doing b) tests (from the inside) you basically want to
check how securely the server is configured and again how many layers
exist in their security system. You can use the ANSA tool that we
developed at Owasp (see http://www.owasp.org and
http://domain444037.sites.fasthosts.com/) to see how the server is
configured. Also check out the unpublished "Undocumented Asp.Net
Security" document that I wrote and that Joel Friedman kindly provided
the link for (see below) for more details about security vulnerabilities
in Asp.Net.

In this scenario (multi-websites hosted in same server) it really comes
down to this: What is the level of trust used by the hosted websites?

Any website that is running with Full Trust (default configuration) can
be used to compromise the server and access the data from the other
co-located websites.

Of course, the other area that you need to look at is the server's
own security. That is, how protected is the server from external and
internal attacks (attacks from other computers located in the same local
network)?

If you haven't done so already I would invite you to check the work that
OWASP is doing. Besides ANSA and other security-related tools, there
are two projects that you might be very interested in:

  - "OWASP Testing Document" document
  - "OWASP web application penetration testing" checklist

See http://sourceforge.net/mailarchive/forum.php?forum_id=12589 for more
details.

Hope this helps

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)
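The "stack-walk" point above (an administrative request being honoured without the server checking who sent it) is easier to see in code. The following ASP.NET handler is an added illustration written for this archive page; it is not code from the post, from Dinis Cruz, from DDPlus or from OWASP/ANSA. The handler class, the "action" and "user" request parameters, the "Administrators" role name and the DeleteUser operation are all assumptions made for the example; only the .NET API calls (IHttpHandler, HttpContext.User, PrincipalPermissionAttribute) are real.

```csharp
// Added example (not from the original post): an ASP.NET administrative
// handler that verifies the caller on the server before acting.
// AdminHandler, the "action"/"user" parameters, the "Administrators" role
// and DeleteUser are illustrative assumptions, not identifiers from the thread.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;

public class AdminHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string action = context.Request["action"];
        string user   = context.Request["user"];

        // The pattern the post describes would be simply:
        //     if (action == "delete") DeleteUser(user);
        // i.e. the handler assumes any request that reaches it is legitimate
        // because only the admin UI exposes the button. A replayed request
        // under an anonymous or ordinary account would then succeed.

        if (action == "delete")
        {
            // Hardened path: the decision is made here, on the server, from the
            // principal that ASP.NET attached to the request after authentication.
            if (!IsAdministrator(context.User))
            {
                context.Response.StatusCode = 403;
                context.Response.Write("Forbidden");
                return;
            }
            DeleteUser(user);
            context.Response.Write("deleted");
        }
    }

    // True only for an authenticated caller who holds the administrative role.
    // A null principal, an anonymous identity or a normal user all fail here.
    public static bool IsAdministrator(IPrincipal principal)
    {
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole("Administrators");
    }

    // Declarative form of the same check, applied at the operation itself so
    // it holds no matter which page or handler calls it: the runtime demands
    // the role from Thread.CurrentPrincipal before the body runs and throws
    // SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    private static void DeleteUser(string name)
    {
        // Placeholder for the administrative work; nothing is deleted here.
    }
}
```

Two design points: the explicit check in ProcessRequest gives a controlled 403 response, while the PrincipalPermission demand on DeleteUser is the safety net that still fires if a later developer wires the operation to another page without the check (ASP.NET sets Thread.CurrentPrincipal to HttpContext.User after authentication, which is what the demand inspects). For the separate Full Trust point, the trust level of a hosted site is set in web.config under system.web with the trust element, e.g. `<trust level="Medium" />`; a site left at the default Full Trust is not constrained by code access security at all.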

> -----Original Message-----
> From: Joel Friedman [mailto:jfriedman@datapipe.com]
> Sent: 25 March 2004 01:53
> To: pen-test@securityfocus.com
> Subject: RE: Pen-tester's analysis of .NET security?
>
>
> Here is an excerpted copy of an email correspondence I had with Dinis
> Cruz,
> .Net Security Consultant
>
> Thank you for your interest in our Asp.Net security Research. I have
> compiled most of our Asp.Net content (including the security guides) in an
> unpublished paper called "Undocumented Asp.Net Security" (110 pages):
>
> ...
>
> * You can download it from here:
> http://www.ddplus.net/projects/Undocumented_ASP.NET_Security_V0.91.zip
>
> Because you need to ensure the security and resilience of your web
> servers, I would call your attention to the Asp.Net Security Analyzer
> (ANSA) web application, created and developed by us.
>
> ANSA has been donated to the OWASP (Open Web Application Security
> Project), and we are now active members on their DotNet developed
> efforts.
>
> * Main OWASP DotNet page: http://www.owasp.org/dotnet
>
> ...
>
>
>
> Joel Friedman, CISSP
>
>
> -----Original Message-----
> From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
> Sent: Wednesday, March 24, 2004 2:48 PM
> To: pen-test@securityfocus.com
> Subject: Pen-tester's analysis of .NET security?
>
> Is anyone aware of a whitepaper or analysis of the security features
> (and weaknesses?) of Microsoft's .NET platform for web applications? A
> number of interesting features, such as input validation and session
> tracking, are built into .NET, and I'd be interested to hear if anyone
> has kicked it around much.
>
> Please note, I am *not* interested in references to Microsoft
> documentation, developer web sites, or conventional information sources,
> but rather information from the viewpoint of a pen-tester doing web
> application security analysis work.
>
> Thank you in advance,
>
> Mark Lachniet
>
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.634 / Virus Database: 406 - Release Date: 18/03/2004
 
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT