Testing for Error Code (OWASP-IG-006)

From OWASP
Revision as of 16:18, 2 January 2007

Brief Summary

During a penetration test of a web application we routinely provoke error messages from the application itself, from the web server, or from back-end components such as the database. A single request, crafted by hand or with a tool, is often enough to trigger them. These messages matter to the tester because they disclose the database engine, the server software and its version, coding mistakes, and other technology directly linked to the application. This section looks at the most common error codes and messages and shows how they fit into the vulnerability assessment. The main discipline is to treat every error as a piece of information to be recorded for the later phases: a good collection shortens the overall test, because later attacks can be aimed at the technology actually in use instead of being guessed at.

Description of the Issue

One of the most common responses we run into is HTTP 404 Not Found. On many servers the 404 page carries details about the web server and the components loaded into it. For example:

Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g  DAV/2 PHP/5.1.2 Server at localhost Port 80

This message is produced simply by requesting a URL that does not exist. After the expected "not found" text, the page discloses the web server and its version, the operating system family, and the loaded modules with their versions (here mod_ssl, OpenSSL, DAV and PHP). That is useful both for attacks on the OS and for attacks on the application stack, but web server errors are not the only errors that matter in a security analysis.
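As an added example (not code from the OWASP guide), the following Python function splits the signature Apache prints at the foot of its error pages, and sends in the Server header, into server, OS comment, modules and versions, so the 404 footer above can be recorded as structured fingerprint data rather than copied by hand. SAMPLE_SIGNATURE is the footer from the page above; the token format it assumes is Apache's "product/version (comment)" sequence.

```python
import re

# Added example (not OWASP code): split the signature Apache prints at the
# foot of its error pages, and sends in the Server header, into its parts.
# SAMPLE_SIGNATURE is the footer of the 404 page shown above.
SAMPLE_SIGNATURE = ("Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g  "
                    "DAV/2 PHP/5.1.2 Server at localhost Port 80")

# One product token: name, optional /version, optional (comment).
_PRODUCT = re.compile(r"""
    (?P<name>[A-Za-z][A-Za-z0-9_.-]*)        # Apache, mod_ssl, OpenSSL, ...
    (?:/(?P<version>[A-Za-z0-9_.-]+))?       # /2.2.3, /0.9.7g, /2
    (?:\s*\((?P<comment>[^)]*)\))?           # (Unix), (Win32), ...
""", re.VERBOSE)
# Apache's page footer ends with "Server at <host> Port <n>"; the Server header does not.
_FOOTER = re.compile(r"\s*Server at\s+(?P<host>\S+)\s+Port\s+(?P<port>\d+)\s*$")


def parse_server_signature(signature):
    """Return the server product, its OS comment, the loaded modules and,
    when the footer form is given, the host and port it names."""
    host = port = None
    m = _FOOTER.search(signature)
    if m:
        host, port = m.group("host"), int(m.group("port"))
        signature = signature[:m.start()]

    products = [{"name": t.group("name"), "version": t.group("version"),
                 "comment": t.group("comment")}
                for t in _PRODUCT.finditer(signature)]
    if not products:
        return {"server": None, "os": None, "modules": [], "host": host, "port": port}

    server, modules = products[0], products[1:]
    return {
        "server": {"name": server["name"], "version": server["version"]},
        # Apache puts the platform in the first comment, e.g. (Unix) or (Win32).
        "os": server["comment"],
        "modules": [{"name": p["name"], "version": p["version"]} for p in modules],
        "host": host,
        "port": port,
    }
```

The same function handles the shorter Server header value (no "Server at ... Port ..." footer) and a bare "Apache" with ServerTokens set to Prod, in which case the version and OS come back as None, which is itself a useful note: the target has deliberately reduced what its errors disclose.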

Consider next a response that shows abnormal behaviour:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied 

What's happened? We'll proceed step by step.

The code 80004005 is the generic COM failure E_FAIL; when a classic ASP page on IIS reports it through the Microsoft OLE DB Provider for ODBC Drivers, it almost always means the application could not open its database connection. In many cases the code is followed by the name and version of the ODBC driver, and therefore of the database engine behind it. With that information the tester can plan an appropriate strategy for the rest of the security test.

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'

The first message is a connection error from the SQL Server client library (DBNETLIB): the database server the application is configured to use is down, unreachable, or has rejected the credentials. That is not all we learn. The OLE DB and ODBC layers named in the message exist only on Windows, so we have also identified the operating system and, in practice, a classic ASP application on IIS. The next step is to check whether any of the connection parameters (server name, database, credentials) can be influenced from the client side. The second message comes from the same kind of failure but names a different driver and engine, Microsoft Access 97 through its ODBC driver, so again we know the database product and version. In the end both messages tell the same story: a broken database connection that discloses the technology behind the application.

Now a practical example: a security test of a web application that loses its link to the database server, either because the code is poorly written (the next error is produced when the application cannot resolve the database server name, for instance because a client-supplied value was modified) or because of a network problem.

The application is a database administration portal: after a log-on phase the user is connected to the database server and can run queries, create tables and modify fields. When we POST the credentials of the log-on phase we receive this message, which reveals a MySQL server behind the application:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host

If the HTML of the log-on page contains a hidden field holding the database host or IP address, we can try replacing its value in the POST request with the address of another database server, for example one we control. The same knowledge has a second use: knowing which database engine serves the application, we can choose SQL injection payloads written for that engine, or run a persistent (stored) XSS test against the data it holds.
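The hidden-field check described above, as an added Python example that is not part of the OWASP guide: it pulls the hidden inputs out of a log-on form, flags the ones whose value looks like a host or IP address, and builds the form body the browser would send with that value replaced. SAMPLE_LOGIN_FORM is a constructed page; the field names db_host, db_name, user and pass, the action /login.asp and the replacement address 192.0.2.10 are assumptions.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlencode

# Added example (not OWASP code). SAMPLE_LOGIN_FORM is a constructed log-on
# page of the kind the text describes; the field names db_host, db_name, user
# and pass are assumptions, as is the action /login.asp.
SAMPLE_LOGIN_FORM = """
<html><body>
<form method="POST" action="/login.asp">
  <input type="hidden" name="db_host" value="10.0.0.5">
  <input type="hidden" name="db_name" value="portal">
  User: <input type="text" name="user"><br>
  Password: <input type="password" name="pass"><br>
  <input type="submit" value="Log on">
</form>
</body></html>
"""


class HiddenFieldParser(HTMLParser):
    """Collect the first form's action and every hidden input on the page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def find_hidden_fields(html):
    """Return (form action, {hidden field name: value})."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.action, p.hidden


def looks_like_host(value):
    """True for an IP address or a dotted host name: the values worth tampering with."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", value) is not None


def suspicious_hidden_fields(hidden):
    """Names of hidden fields that appear to carry a server address."""
    return [name for name, value in hidden.items() if looks_like_host(value)]


def tampered_post_body(hidden, credentials, overrides):
    """Build the application/x-www-form-urlencoded body the browser would
    send, with the chosen hidden fields replaced by attacker-supplied values."""
    unknown = set(overrides) - set(hidden)
    if unknown:
        raise ValueError("not hidden fields: %s" % sorted(unknown))
    fields = dict(hidden)
    fields.update(overrides)
    fields.update(credentials)
    return urlencode(fields)
```

If the application really uses the submitted db_host to open its connection, the log-on attempt after this change either fails with an "Unknown MySQL server host" style error for the new address (confirming the field is trusted) or, with a listening server of our own, shows the application's database credentials arriving at a host we control.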

Information gathering against web applications built on server-side technology is hard, so the details harvested from error messages help a great deal: they let an exploit attempt be aimed at the right product and version, and they reduce false positives.

Black Box testing and example

Test (the Host header is mandatory in HTTP/1.1; without it Apache replies 400 Bad Request rather than 404):

telnet <host target> 80
GET /<wrong page> HTTP/1.1
Host: <host target>
<CRLF><CRLF>

Result:

HTTP/1.1 404 Not Found
Date: Sat, 04 Nov 2006 15:26:48 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1

Test: make the application lose its database connection, for example through

1. network problems
2. a bad configuration (or a tampered value) for the database host address

Result:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host

Test:

1. Authentication failed
2. No credentials supplied

Result:

The device performing the authentication identifies itself; here the response reveals a Check Point FireWall-1 HTTP security server in front of the application

Error 407
FW-1 at <firewall>: Unauthorized to access the document.
•  Authorization is needed for FW-1.
•  The authentication required by FW-1 is: unknown.
•  Reason for failure of last attempt: no user

Gray Box testing and example

Test:

Enumeration of directories whose listing is denied.

http://<host>/<dir>

Result: the wording of the refusal identifies the server. The first message is IIS's response for a virtual directory with directory browsing disabled, the second is Apache's 403 Forbidden page.

Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
Forbidden
You don't have permission to access /<dir> on this server.
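The following Python script is an added example, not part of the OWASP guide, that automates the black box and gray box tests above and the error analysis from the Description: it sends the raw request (with the Host header HTTP/1.1 requires), parses the reply, and matches the body against the error signatures shown on this page (DBNETLIB, the MySQL and Access ODBC drivers, the OLE DB HRESULT, the FW-1 407 page, and the IIS and Apache listing refusals). The regexes and technology labels are this example's own reading of those messages; the sample responses are constructed to match them, and the host names in them are placeholders.

```python
import re
import socket

# Added example (not OWASP code): a small fingerprinter for the error messages
# shown in this section. The regexes and the technology labels are this
# example's own reading of those messages; the sample responses below are
# constructed to match them.
SIGNATURES = [
    (re.compile(r"\[DBNETLIB\]"),
     "Microsoft SQL Server via ODBC (DBNETLIB), Windows host"),
    (re.compile(r"\[MySQL\]\[ODBC [\d.]+ Driver\]"),
     "MySQL via the MySQL ODBC driver, Windows host"),
    (re.compile(r"ODBC Access \d+ ODBC driver"),
     "Microsoft Access via ODBC, Windows host"),
    (re.compile(r"FW-1 at [^:\s]+:"),
     "Check Point FireWall-1 HTTP security server, authentication required"),
    (re.compile(r"This Virtual Directory does not allow contents to be listed"),
     "IIS, directory browsing disabled"),
    (re.compile(r"You don't have permission to access \S+ on this server"),
     "Apache 403 Forbidden page"),
]
# The COM/OLE DB HRESULT appears either as (0x80004005) or as error '80004005'.
_HRESULT = re.compile(r"0x([0-9A-Fa-f]{8})|error '([0-9A-Fa-f]{8})'")


def classify(body):
    """Return the technology labels whose signature appears in an error page."""
    hits = [label for rx, label in SIGNATURES if rx.search(body)]
    m = _HRESULT.search(body)
    if m:
        hits.append("OLE DB/COM error 0x" + (m.group(1) or m.group(2)).upper())
    return hits


def build_request(host, path):
    """The request typed into telnet above. HTTP/1.1 requires a Host header;
    without it Apache answers 400 Bad Request instead of the 404 we want."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, host)).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", "replace")


def probe(host, port, path, timeout=5.0):
    """Send one request over a plain TCP socket (no TLS) and fingerprint the
    reply. Needs network access; the only function here not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    status, headers, body = parse_response(b"".join(chunks))
    findings = classify(body)
    if "server" in headers:
        findings.append("Server header: " + headers["server"])
    return status, headers, findings


# Constructed responses modelled on the ones shown in this section.
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\n"
              b"Date: Sat, 04 Nov 2006 15:26:48 GMT\r\n"
              b"Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n"
              b"\r\n"
              b"<html><body><h1>Not Found</h1>"
              b"<p>The requested URL /page.html was not found on this server.</p>"
              b"</body></html>")
SAMPLE_DB_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers (0x80004005)\n"
                   "[DBNETLIB][ConnectionOpen(Connect())] - "
                   "SQL server does not exist or access denied")
SAMPLE_ACCESS_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80004005'\n"
                       "[Microsoft][ODBC Access 97 ODBC driver Driver]General error "
                       "Unable to open registry key 'DriverId'")
SAMPLE_FW1 = "Error 407\nFW-1 at gw.example.test: Unauthorized to access the document."
```

Run against a live target with probe("<host>", 80, "/<wrong page>") and probe("<host>", 80, "/<dir>/"); each finding should go straight into the information-gathering notes, since later phases (SQL injection payload choice, module-specific checks) depend on exactly these product names and versions.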

