October 02, 2006

The Origin of Vulnerabilities

One of the most common tasks in penetration testing is enumeration: querying a system to obtain information about its user names or other resources that can then be used as targets. It is usually easier to get access to a system or application with a valid user name than with a sophisticated exploit.
The canonical way to enumerate users on a UNIX system was finger, but if sendmail was running on the system it was far more popular to use the SMTP commands VRFY (verify) and EXPN (expand) together with a dictionary of user names. Both commands confirm or deny the existence of a user account with the provided name.
If a web application is one of the targets in the penetration test, enumeration is done differently because its users are not the same as the system users. Many web applications have a sign-up page that allows a visitor to subscribe in order to get access to the service. Some of those applications let the user choose a user name, which has to be verified to confirm that no other user already exists with that name. That verification can be used to enumerate users with the same user name dictionary used with the sendmail commands.
In a traditional web application the user name is verified after the user has filled in the form and pressed the submit button. Additionally, applications that want to avoid automated user registration, such as email services, use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which requires the user to type in some letters displayed in a distorted image. If there is no CAPTCHA, each user name can be verified by sending the required HTTP request with that name. Some AJAX web applications make this process even easier. As in the alternative offered by the web programmer guru Reuven M. Lerner in his ATF October 2006 column, if an asynchronous request is made to verify the user name before allowing the user to submit the data, the same URL can be used to enumerate the users. The solution to both cases is to use the CAPTCHA for the verification as well, instead of only for the registration: if the CAPTCHA is not solved, the server refuses to verify the user name.
Another attack that can be avoided using a CAPTCHA is the brute forcing of web applications. If an attacker is trying to obtain access to a web application that uses known email accounts as user names, or whose users have already been enumerated, one possible next step is a brute force attack. If the application doesn't have a mechanism to restrict the maximum number of attempts, the attacker will be able to use a dictionary to guess the password. Most modern systems (Linux, Windows 2003, ...) have some kind of restriction on the number of attempts, such as blocking the account temporarily or indefinitely. However, this philosophy hasn't been applied to many web applications yet. There are some exceptions, though: Gmail does a good job at avoiding brute force attacks by requiring CAPTCHAs after some unsuccessful attempts.
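To make the two fixes above concrete, here is an added example (not code from the original post or from Lerner's column) modelling both the user name availability check and the login form: the check in its leaking form, the same check gated by a one-time CAPTCHA solution, and a login handler that demands a solved CAPTCHA once an account has collected a few failures. The user names, passwords and the CAPTCHA answers are constructed sample data; a real application would render the answer as a distorted image rather than hand it back to the caller.

```python
import secrets

EXISTING_USERS = {"alice", "bob"}                   # constructed sample accounts
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}   # constructed, demo only

def check_username_unprotected(name):
    """The AJAX availability check as the post describes it: anyone can probe it."""
    return "taken" if name in EXISTING_USERS else "available"

class CaptchaGate:
    """Answers the availability check only with a correct, unused CAPTCHA solution."""

    def __init__(self):
        self._challenges = {}            # challenge id -> expected answer

    def new_challenge(self):
        # A real application renders the answer into a distorted image; here the
        # caller simply receives it so a test can play the human solver.
        cid, answer = secrets.token_hex(8), secrets.token_hex(3)
        self._challenges[cid] = answer
        return cid, answer

    def check_username(self, name, cid, answer):
        # The challenge is consumed on first use, right or wrong, so each guessed
        # name costs one freshly solved CAPTCHA instead of one cheap HTTP request.
        expected = self._challenges.pop(cid, None)
        if expected is None or not secrets.compare_digest(expected.encode(), answer.encode()):
            return "captcha required"
        return "taken" if name in EXISTING_USERS else "available"

class LoginGuard:
    """After MAX_FREE_ATTEMPTS failures an account needs a solved CAPTCHA per try."""

    MAX_FREE_ATTEMPTS = 3

    def __init__(self):
        self._failures = {}              # user name -> consecutive failures

    def login(self, user, password, captcha_solved=False):
        if self._failures.get(user, 0) >= self.MAX_FREE_ATTEMPTS and not captcha_solved:
            return "captcha required"
        # Unknown users and wrong passwords get the same answer, so the login
        # form does not become another enumeration oracle.
        if secrets.compare_digest(PASSWORDS.get(user, "").encode(), password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"
```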
If you have done penetration testing for a while, you might be thinking that these vulnerabilities are old, and you would be right. But the fact is that these vulnerabilities have evolved to persist in a new environment. They are probably the strongest vulnerabilities because they can survive in every environment with an effective disguise that makes them invisible to their natural predator, the programmer.
