Difference between revisions of "Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)"

From OWASP
Jump to: navigation, search
m (Black Box testing and example)
(minor corrections and changes, added a tools section)
(12 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v3}}
+
{{Template:OWASP Testing Guide v4}}
  
 
== Brief Summary ==
 
== Brief Summary ==
Line 7: Line 7:
  
 
== Description of the Issue ==  
 
== Description of the Issue ==  
<br>
 
 
An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:
 
An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:
  
 
- user account provisioning<br>
 
- user account provisioning<br>
- Site design and layout<br>
+
- site design and layout<br>
- data manipultion<br>
+
- data manipulation<br>
 
- configuration changes<br>
 
- configuration changes<br>
  
In many instances, such interfaces are usually implemented with little thought of how to separate them from the normal users of the site. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.  
+
In many instances, such interfaces do not have sufficient controls to protect them from unauthorized access. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.
<br>
+
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==
The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation and are described elsewhere in this guide in greater detail:<br>
+
The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation, and are described elsewhere in this guide(for example [https://www.owasp.org/index.php/Testing_for_Bypassing_Authorization_Schema_%28OWASP-AZ-002%29 Testing for Bypassing Authorization Schema (OWASP-AZ-002)] and [https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OWASP-AZ-004%29 Testing for Insecure Direct Object References (OWASP-AZ-004)] in greater detail.
 +
 
 +
* Directory and file enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting: ''/admin or /administrator etc..'' or in some scenarios can be revealed within seconds using [http://www.exploit-db.com/google-dorks Google dorks].
 +
* There are many tools available to perform brute forcing of server contents, see the tools section below for more information. 
  
* Directory and file Enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting:
 
/admin or /administrator etc..<br>
 
 
A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.
 
A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.
  
* Comments and links in Source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.  
+
* Comments and links in source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.  
  
* Reviewing Server and Application Documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.
+
* Reviewing server and application documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.
  
* Alternative Server Port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.
+
* Publicly available information – many applications such as wordpress have default administrative interfaces  
  
* Parameter Tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this
+
* Alternative server port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.
include the presence of hidden fields such as:
+
 
 +
* Parameter tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this include the presence of hidden fields such as:
  
 
  <input type="hidden" name="admin" value="no">
 
  <input type="hidden" name="admin" value="no">
Line 41: Line 41:
  
 
Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.
 
Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.
 +
  
 
== Gray Box testing and example ==  
 
== Gray Box testing and example ==  
Line 50: Line 51:
 
== References ==
 
== References ==
 
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
 
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
 +
* Default Password list: http://www.cirt.net/passwords
 +
 +
 +
== Tools ==
 +
* [https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project Dirbuster] This currently inactive OWASP project is still a great tool for brute forcing directories and files on the server.
 +
* [https://www.thc.org/thc-hydra/ THC-HYDRA] is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.
 +
 +
A brute forcer is much better when it uses a good dictionary, for example the [https://www.netsparker.com/blog/web-security/svn-digger-better-lists-for-forced-browsing/ netsparker] dictionary.

Revision as of 16:03, 22 April 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Brief Summary


Administrator interfaces may be present in the application or on the application server to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.

Description of the Issue

An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:

- user account provisioning
- site design and layout
- data manipulation
- configuration changes

In many instances, such interfaces do not have sufficient controls to protect them from unauthorized access. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.

Black Box testing and example

The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation, and are described elsewhere in this guide(for example Testing for Bypassing Authorization Schema (OWASP-AZ-002) and Testing for Insecure Direct Object References (OWASP-AZ-004) in greater detail.

  • Directory and file enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting: /admin or /administrator etc.. or in some scenarios can be revealed within seconds using Google dorks.
  • There are many tools available to perform brute forcing of server contents, see the tools section below for more information.

A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.

  • Comments and links in source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.
  • Reviewing server and application documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.
  • Publicly available information – many applications such as wordpress have default administrative interfaces
  • Alternative server port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.
  • Parameter tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this include the presence of hidden fields such as:
<input type="hidden" name="admin" value="no">

or in a cookie:

Cookie: session_cookie; useradmin=0

Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.


Gray Box testing and example

A more detailed examination of the server and application components should be undertaken to ensure hardening (i.e. administrator pages are not accessible to everyone through the use of IP filtering or other controls), and where applicable, verification that all components do not use default credentials or configurations.
Source code should be reviewed to ensure that the authorization and authentication model ensures clear separation of duties between normal users and site administrators. User interface functions shared between normal and administrator users should be reviewed to ensure clear separation between the drawing of such components and information leakage from such shared functionality.

References


Tools

  • Dirbuster This currently inactive OWASP project is still a great tool for brute forcing directories and files on the server.
  • THC-HYDRA is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.

A brute forcer is much better when it uses a good dictionary, for example the netsparker dictionary.