Re: Application & Iplanet/Apache web server vulnerability and penetration testing

From: Philippe Langlois (phil@jah.net)
Date: Wed Sep 18 2002 - 18:58:04 EDT


In addition to that, try:

- Try to enable DEBUG mode by passing additional things such as DEBUG=1 to
  legitimate http GET or POST queries.

- As for mapping the site (and presentation to the final customer),
  using Mercury Interactive Astra software, you can produce nice maps
  of the website that sometimes helps you spot in two seconds
  (literally) some unknown and not well connected pages of the site
  that may have been forgotten about except in one page which kept the
  link. And usually these pages are the ones using this forgotten-about
  CGI script developed 5 years ago... :) Plus it's very nice to
  present to the customer (yes, blame me, it does remind me of Qualys'
  network mapping applet :).

Regards,

-- 
Philippe Langlois
http://www.wavesecurity.com - Wireless LAN security scanner & IDS
http://www.TSTForce.com - Security consulting
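The probes discussed in this thread (the DEBUG=1 trick above, and the directory, backup-file, traversal, quote and /server-status requests in the checklist quoted below) all leave a recognisable trail in the web server's access log. The following script is an added example, not code from the original posters: it parses Apache common-log-format lines, tags each request with the probe families it matches, and reports sources that trip several different families, which is what a scan of the site looks like from the defender's side. The log lines are constructed for the example; the rule names and thresholds are the example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2002:18:58:04 -0400] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [18/Sep/2002:18:58:05 -0400] "GET /admin/ HTTP/1.0" 404 312
10.0.0.5 - - [18/Sep/2002:18:58:06 -0400] "GET /login.php.bak HTTP/1.0" 404 312
10.0.0.5 - - [18/Sep/2002:18:58:07 -0400] "GET /view.cgi?file=../../etc/passwd HTTP/1.0" 200 1523
10.0.0.5 - - [18/Sep/2002:18:58:08 -0400] "GET /search?q=foo%27 HTTP/1.0" 500 220
10.0.0.5 - - [18/Sep/2002:18:58:09 -0400] "GET /server-status HTTP/1.0" 403 290
10.0.0.5 - - [18/Sep/2002:18:58:10 -0400] "GET /order.cgi?id=7&DEBUG=1 HTTP/1.0" 200 900
192.168.1.9 - - [18/Sep/2002:19:01:00 -0400] "GET /products.html HTTP/1.0" 200 4096
"""

# host ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Probe families from the thread, as predicates over the URL-decoded request.
RULES = {
    "probe_admin_dir": lambda p: re.match(r'^/(admin|adm|test|logs)/', p) is not None,
    "backup_file":     lambda p: re.search(r'\.(bak|old|orig|save)(\?|$)', p) is not None,
    "path_traversal":  lambda p: "../" in p or "..\\" in p,
    "sqli_quote":      lambda p: "'" in p.split("?", 1)[1] if "?" in p else False,
    "server_status":   lambda p: p.split("?", 1)[0] in ("/server-status", "/server-info"),
    "debug_flag":      lambda p: re.search(r'[?&]debug=', p, re.IGNORECASE) is not None,
}

def parse_line(line):
    """Parse one common-log-format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # decode %27 etc. before matching
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Return the names of every rule a parsed record trips."""
    return [name for name, pred in RULES.items() if pred(rec["path"])]

def scan(log_text):
    """Return {ip: Counter(rule -> hits)} for every source that tripped a rule."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.setdefault(rec["ip"], Counter()).update(tags)
    return hits

def suspicious_sources(log_text, threshold=3):
    """Sources that tripped at least `threshold` distinct families.
    One odd request is often noise; several families from one host is a scan."""
    return sorted(ip for ip, c in scan(log_text).items() if len(c) >= threshold)

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Decoding the path before matching matters: the `%27` in the search request is a single quote once decoded, so a rule that only looks at the raw line would miss it. The threshold is deliberately on distinct families rather than raw hit counts, so a single mistyped URL does not raise an alert but a host walking through the whole checklist does.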
>1 - requests for different directories on the webserver such as
>	/admin/
>	/adm/
>	/test/
>	/logs/ etc..
>    also match these requests with the type of business the app is
>running , for instance if it's a bank and the name is 'freebank' then
>look for directories such as /freebank/,/banking/,/finance/ etc. this
>might get you access to directory listings that could show valuable
>files
>
>2 - check for common files in each of the directories , look for core
>files or ws_ftp.log,test.html files, these can give great info on the
>system 
>
>3 - look for any pages with user input on the site and check for
>directory traversal attacks such as /../etc/passwd, or command execution
>|/bin/ls etc.. feed the website with odd input like *,!,` etc, look for
>any detailed error msgs that might lead you further
>
>4 - Crawl the site and search the text for any comments '<!--' see if
>any valuable info is located in them, also look for hidden tags
>'type=hidden' to see if file locations or prices are stored there
>
>5 - Identify the way cookies are setup, if they have cookies are their
>id numbers sequential or easily munged with base64 or XOR, if they are
>then try to identify a protected page and send requests with other id
>numbers to see if access is given
>
>6 - Check for old/backup files that might have been created, if there is
>a login.php page look for login.php.bak,login.old etc.. these can return
>source code
>
>7 - In all input fields check for sql injection, input single quotes
>into the fields and look for database errors
>
>8 - Check for all the known issues, do a search on neohapsis for
>netscape or apache, 
>	netscape : host.com/?wp-ver-info
>		   host.com/?properties
>		   host.com/admin-serv/config/adm.conf
>		   host.com/search?
>		   etc..
>	Apache:
>		   check for openssl overflow issue
>		   chunked encoding
>		   host.com/server-info
>		   host.com/server-status
>		   etc..
>
>
>On Mon, 2002-09-16 at 13:05, Steven Walker wrote:
>> Dear Group,
>> 
>> I have been given a project to perform web application vulnerability testing
>> on iPlanet and Apache web servers.  The servers run on NT/2000, Solaris
>> 2.7-8, (iPlanet) and Linux, Solaris (Apache).
>> 
>> In house tools are Wisker, WHArenal, NMAP, NESSUS.  I have only used NMAP
>> and NESSUS so far for firewall and internal network testing.
>> 
>> I am at a loss at where to start the process and am trying to determine if
>> additional tools are needed.
>> 
>> 1. I would obviously harden the web server OS's by closing unnecessary
>> ports, ensuring proper patch levels, getting rid of rhost and equiv files,
>> enforcing password policies, limiting accounts, use ssh for administration,
>> etc.
>> 
>> 2. I don't know what to do on the web servers other than delete example
>> scripts and ensure default passwords are changed to stronger ones.  Are
>> there any links that you know of that would provide a checklist of iPlanet
>> and Apache vulnerability checks.  Are there any recommended tools that can
>> automate this process?  Any suggestions on iPlanet and Apache security?
>> 
>> 3. Regarding web applications, I will be expected to test applications
>> before they go into production.  I know to test for buffer overflows by
>> inputting non expected characters into fields.  Beyond that what advice
>> could you give or methodology could you direct me to.  Jobs are tough to
>> find out there, I could use your help in keeping this one.  Thanks for all
>> of you who will help me.
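Two items in the quoted checklist are cheap to run against an application before it goes to production, as Steven asked: step 4 (HTML comments and `type=hidden` fields carrying file locations or prices) and step 5 (session ids that are sequential or just base64 of readable text). The following is an added example, not code from any poster in this thread: a small audit that pulls comments and hidden fields out of a page and flags the ones whose name or value looks like server-side state, plus a check over a sample of issued session ids. The HTML and the id lists are constructed for the example; the name patterns and the "small constant step" rule are the example's own heuristics.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real site) showing the patterns
# step 4 of the checklist warns about.
SAMPLE_HTML = """\
<html><body>
<!-- TODO: remove old admin link before go-live: /cgi-bin/admin.cgi -->
<form action="/order.cgi" method="post">
  <input type="hidden" name="item" value="widget-42">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="template" value="/var/www/templates/order.tmpl">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
</body></html>
"""

class DisclosureAudit(HTMLParser):
    """Collects HTML comments and hidden form fields for review."""
    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden = []   # (name, value) pairs

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name") or "", a.get("value") or ""))

# Field names that suggest the hidden value is a price or a server path.
SENSITIVE_NAME = re.compile(r'price|cost|amount|total|file|path|template|dir', re.I)

def audit_html(html):
    """Return comments, hidden fields, and the hidden field names worth a look."""
    p = DisclosureAudit()
    p.feed(html)
    p.close()
    flagged = []
    for name, value in p.hidden:
        # A hidden field is client-controlled state; if it holds a price or a
        # path, the server must recompute or validate it rather than trust it.
        if (SENSITIVE_NAME.search(name) or value.startswith("/")
                or re.fullmatch(r'\d+(\.\d+)?', value)):
            flagged.append(name)
    return {"comments": p.comments, "hidden": p.hidden, "flagged": flagged}

def session_id_weakness(ids):
    """Problems found in a sample of issued session ids, in order:
    'sequential'       - all numeric and each differs from the last by a small step
    'base64_plaintext' - every id base64-decodes to printable text"""
    problems = []
    if len(ids) >= 2 and all(s.isdigit() for s in ids):
        steps = {int(b) - int(a) for a, b in zip(ids, ids[1:])}
        if len(steps) == 1 and 0 < steps.pop() <= 10:
            problems.append("sequential")
    decoded = 0
    for s in ids:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded += 1
    if ids and decoded == len(ids):
        problems.append("base64_plaintext")
    return problems

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    print(session_id_weakness(["1001", "1002", "1003"]))
    print(session_id_weakness(["dXNlcj0xMDAx", "dXNlcj0xMDAy"]))   # "user=1001", "user=1002"
```

The `flagged` list is a review queue, not a verdict: a hidden `item` code is harmless if the server looks the price up itself, while a hidden `price` or `template` path means the application is trusting the browser for something it should own. The session-id check only needs a handful of ids captured from your own logins to give a first answer to step 5.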
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT