Web Application Security Testing - Part 2 (original translation)

2007-12-03 11:50:34 / Category: Translation

I hope you have already read the first part of this article, which covered how web applications differ from traditional client-server applications. If you have not, you may find it helpful to read it first.

In this part we will explore what information is available to the client. What information can be gathered from the pages a client can access? How important is validation for the security of a web application? What are cookies, and how do web applications use them?

In web application security testing it is very important to gather as much information about the application as you can. You need to find out how many users outside your organization connect to your application and what information they look for. Typical information that is useful to people outside your organization can be grouped as follows:

* Comments and sensitive information embedded in the HTML source

* Error messages generated by the server and returned in the HTTP response

* Application error messages

These aspects must be considered during web application development. Comments and sensitive information are very helpful for developing and maintaining code, but they are just as dangerous if a malicious user gets hold of them. Likewise, detailed error messages intended to improve usability can create security holes.

The HTML source shown on the client side can be an excellent source of information for an attacker. Anyone can easily view the HTML source, because it is not compiled and HTML comments cannot be hidden. When testing the security of a web application you should look for sensitive information such as passwords, usernames, database names, connection strings and so on. As the person responsible for security, you need to make sure no sensitive information is present in the HTML source.

To start attacking a web application it is important to know how its pages are accessed and what data and parameters are needed to get from one page to another. For this purpose you should keep an eye on the URLs and look for key-value pairs. You should create a map of the site. A suitable map can be created with a tool or by opening every page manually. Once the page map is created, search the HTML source for specific strings related to HTML comments, application comments, IP addresses, e-mail addresses, SQL queries, database connection strings, hidden input fields and so on.

If you try changing parameters during this process, you will find interesting information in the returned error messages. Sometimes the server or application returns overly helpful information that gives the attacker subtle hints. For example, if an invalid password is supplied during login and the server returns an error such as "invalid password", it essentially reveals that the username is correct.

The map created earlier can also help you guess file names and the directory structure on the server. Using this technique you can access files that are not linked from any page or that are not meant to be visible to users. Files that clients should not be able to view must be placed where clients cannot easily reach them. Using such educated guesses, a malicious user may even gain access to the site's admin or control panel, which usually runs as a separate sub-site or on a different port. With port scanners and other brute-force tools, these kinds of loopholes are easy to find.

Web application weaknesses can also be exposed through familiar user-interface controls. For example, a site may use list boxes to collect user input, so that the client cannot enter anything other than the listed options. It is easy for the development team to make this assumption and perform no further validation. What they fail to realize is that these values can easily be changed in the page source, or the request can be tampered with in transit using tools. Moreover, if validation is done on the client side, it is still possible to bypass it, either by disabling JavaScript or by saving a local copy of the file and removing the validation. To improve security, it is essential to make sure the same validation also exists on the server side.

Another thing to check on the client side is cookies. For people unfamiliar with them, cookies are small text files that a web application stores on the client's hard disk. The web application reuses this data on subsequent visits. Web applications can issue cookies in persistent or non-persistent and secure or non-secure form. Cookies can be used for personalization, or to make sure information is not accessed after it has expired. Cookies can be used in many ways. They are stored in a predefined format at a predefined location. If any functionality of your application relies on cookies, you must test that tampered cookies cannot be used with your application.

I hope that understanding the different ways security can be compromised has raised your awareness of the importance of web application security testing. In the next part we will explore how data supplied by the client can be tampered with and how servers can be attacked.

Original text:

Web Application Security Testing - Part 2

I hope that you have already read the first part of this article and are familiar with how web applications differ from traditional client-server applications. If you have not, you might find it useful to read Part 1 as well.

In this part we will explore what kind of information is available to the client. What kind of information can be gathered from the pages the client can access? How important is validation for the security of a web application? What are cookies, and how do web applications use them?

It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can reach. Typical information that will be available to any person outside your organization can be categorized as:

* Comments and sensitive information embedded in the HTML source code

* Error messages generated at the server and returned in the HTTP response

* Application error messages

During web application development, it is very important to think about these aspects. Comments or sensitive information can be very useful to you while developing and maintaining the code, but if a malicious user gets hold of them they can be dangerous. Similarly, detailed error messages added to improve usability can result in a security loophole.

HTML source present on the client side can be an excellent source of information for the attacker. It is very easy for anyone to view HTML source code, and since it is not compiled there is no way to hide HTML comments. When testing web applications for security, you should look for sensitive information like passwords, usernames, database names, connection strings and so on. As the person responsible for security testing you need to make sure that sensitive information is not present in the HTML source code.

In order to start an attack on any web application, it is important to know how its pages can be accessed and what kind of data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs. You should always consider creating a page map of your site containing this information. You can use a tool, or create it manually by navigating to all the pages and drawing up the map. After you have created this page map, you can search the HTML source for specific strings containing information related to HTML comments, application comments, IP addresses, e-mail addresses, SQL queries, database connection strings, hidden input fields and so on.
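The search step described above, as an added example that is not part of the original article: a small scanner that pulls HTML comments and hidden inputs out of a page and then runs regular expressions for IP addresses, e-mail addresses, SQL fragments and connection-string keys. The sample page is constructed for the example and contains the kind of leftovers the article says to look for.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real site) seeded with the leftovers
# the article lists: a comment holding a connection string, a commented-out
# SQL query, hidden inputs and an e-mail address.
SAMPLE_HTML = """<html><head><title>Orders</title></head><body>
<!-- TODO: remove before release. DB: Server=10.0.0.5;Database=shop;User Id=sa;Password=Sup3r! -->
<!-- SELECT * FROM users WHERE role='admin' -->
<form action="/order" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="is_admin" value="0">
  <select name="size"><option>S</option><option>M</option></select>
</form>
<p>Contact: support@example.com</p>
</body></html>"""

# Patterns for the string types the article names. They are deliberately broad:
# a tester wants a short list of candidates to review by hand, not a verdict.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "sql": re.compile(r"\b(?:SELECT\b.*?\bFROM|INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+\w+", re.I),
    "connection_string": re.compile(r"(?:Server|Data Source|User Id|Password|pwd)\s*=", re.I),
}

class SourceScanner(HTMLParser):
    """Collects HTML comments and hidden inputs while the page is parsed."""
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (category, snippet)

    def handle_comment(self, data):
        self.findings.append(("html_comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.findings.append(("hidden_input", f"{a.get('name')}={a.get('value')}"))

def scan_source(html):
    """Return every finding in the page as a list of (category, snippet) tuples."""
    scanner = SourceScanner()
    scanner.feed(html)
    for name, pat in PATTERNS.items():
        for m in pat.finditer(html):
            scanner.findings.append((name, m.group(0)))
    return scanner.findings

if __name__ == "__main__":
    for category, snippet in scan_source(SAMPLE_HTML):
        print(f"{category:18} {snippet}")
```

Run it over each page collected while building the page map; the output is the list of strings to review before release.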

If you change the parameters selected during this process and resubmit the request, you can find interesting information in the error messages. Sometimes the server or application throws overly helpful error messages which give subtle hints to attackers. For example, if the system responds to an invalid password during login with an error like 'invalid password', it essentially confirms that the username is valid.

The page map created earlier can also help you guess file names and the directory structure present on the web server. Using this technique you can access files for which there is no link on any page, or which are not intended to be visible to the user. You should always check for patterns in file names and locations. Files which should not be viewed by clients should be located in places not accessible to clients. Using this kind of educated guessing, malicious users can even reach the admin or control panel of the website, which usually runs as a separate sub-site or on a different port. These types of loopholes can be identified easily with tools like port scanners and other brute-force tools.

Vulnerabilities in a web application can also be exposed by manipulating UI controls. For example, you might have used websites that use list boxes to take user input. The reason for providing a list box is to make sure the client does not choose any option apart from those supplied in the list. It is very easy for the development team to make this assumption and not do any other form of validation. What they fail to realize is that these values can be changed by editing the page source, and the request can even be tampered with in transit using appropriate tools. Also, if validations are present only on the client side, it is still possible to bypass them, either by disabling JavaScript or by saving a local copy of the page and removing the validation code. To safeguard against these vulnerabilities, it is essential to make sure that the validations are present on the server side as well.
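The server-side check the paragraph above calls for, as an added example (not code from the original article): a form handler that trusts the list box is shown next to one that re-validates the submitted values against the options the server actually offered. The form fields, allowed values and request bodies are constructed for the example.

```python
from urllib.parse import parse_qs

# The options the page's <select> list box offers. The server owns this list;
# the copy in the HTML only helps the browser draw the control.
ALLOWED_SIZES = {"S", "M", "L"}
ALLOWED_QTY = range(1, 11)          # 1..10

def order_handler_trusting(body):
    """Assumes the list box did the validation: accepts whatever arrives (the weak version)."""
    form = parse_qs(body)
    return {"accepted": True, "size": form["size"][0], "qty": int(form["qty"][0])}

def order_handler_validated(body):
    """Re-checks on the server exactly what the list box was supposed to enforce."""
    form = parse_qs(body, max_num_fields=10)     # also bounds the number of fields
    errors = []
    size = form.get("size", [""])[0]
    if size not in ALLOWED_SIZES:
        errors.append("size is not one of the offered options")
    qty_raw = form.get("qty", [""])[0]
    if not qty_raw.isdigit() or int(qty_raw) not in ALLOWED_QTY:
        errors.append("qty must be a whole number from 1 to 10")
    if errors:
        return {"accepted": False, "errors": errors}
    return {"accepted": True, "size": size, "qty": int(qty_raw)}

# Constructed request bodies: what the browser sends from the real list box,
# and what can arrive after the page source or the request has been edited.
NORMAL = "size=M&qty=2"
TAMPERED = "size=XXL&qty=-5"

if __name__ == "__main__":
    print(order_handler_trusting(TAMPERED))    # accepted silently
    print(order_handler_validated(TAMPERED))   # rejected with reasons
```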

Another thing that should be checked on the client side is cookies. For people not familiar with them, cookies are small files of textual data that a web application writes to the client's hard drive. The web application can reuse this data on subsequent visits. Cookies can be delivered by a web application in either persistent or non-persistent and secure or non-secure mode. Cookies can be used for personalization or for making sure that information is not accessed after it has expired. There are many ways in which cookies can be used. Cookies are normally stored at a predefined location in a predefined format. If your application relies on cookies for any functionality, it is essential for you to make sure that tampered cookies cannot be used with your application.
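One way an application can make tampered or expired cookies unusable, as an added example that is not from the original article: the cookie value carries its payload plus an expiry time and an HMAC over both, so a client-side edit breaks the signature. The secret, payload fields and the tamper helper used to test the check are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side key; in a real deployment it comes from configuration, never from
# the page or the cookie itself. Constructed value for this example only.
SECRET = b"example-only-cookie-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cookie(payload: dict, ttl_seconds: int, now=None) -> str:
    """Serialize payload plus expiry and append an HMAC so any edit is detectable."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({**payload, "exp": int(now + ttl_seconds)}, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def read_cookie(cookie: str, now=None):
    """Return the payload if the signature is valid and the cookie is not expired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return None                          # malformed: no separator
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                          # body edited or signature forged
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return None                          # expired, even though the signature is fine
    return payload

def tamper(cookie: str, field: str, value) -> str:
    """Test helper: change one field the way an edit on disk would, keeping the old signature."""
    body, sig = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload[field] = value
    return f"{_b64(json.dumps(payload, sort_keys=True).encode())}.{sig}"
```

Note that the payload is only signed, not encrypted, so anything placed in it is still readable on the client.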

I hope that after seeing the different ways in which security can be compromised, you will appreciate the importance of security testing for web applications. In the next article, we will explore how data supplied by the client can be tampered with and how servers can be attacked.

You can read more articles on software testing in our article section. You can suggest topics of your interest here, and we will try to provide information on those topics as well.



王爬爬 / 2007-12-16 22:46:32
Haha, I also like reading the original version..