entire code snippet that they are having trouble with, without filtering any specific information about the organization or any sensitive information contained in the application code. This information helps testers (and attackers) gain a great deal of insight about the target application. Equipped with this knowledge, testers may be able to perform more skilled tests against the Web application.
12.2.2 Testing Web Application for Access Control
12.2.2.1 Testing for Nonsecure Passwords
Passwords are the most relied-upon authentication mechanism for Web applications in the present-day world. However, because of insecure application design, lack of security awareness, and negligence, passwords are generally implemented in a nonsecure manner, leading to the compromise of the application and of sensitive information. Nonsecure implementation of usernames/passwords is perhaps the primary cause of application compromises. It is often found that Web application users have nonsecure passwords to authenticate to the system. Nonsecure passwords such as '123456' or 'admin' are heavily in use across Web applications, servers, databases, and network components. The tester must first test the Web application for use of easily guessable passwords and try to gain access to the application. Easily guessable weak passwords indicate that the Web application does not enforce strong password requirements on its users, and therefore it is important that this anomaly be corrected. Applications like e-commerce and banking applications must enforce strong password requirements along with other requirements such as password expiration, lockouts, and resets.
12.2.2.2 Testing for Transmission of Credentials over Encrypted Channel
Network monitoring, otherwise known as network sniffing, is another attack that yields rich results for an attacker with minimal effort. Individuals can sniff network traffic passing through a network and steal credentials. The tester needs to check that sensitive information like credentials is transmitted only over encrypted connections. The tester can use a tool such as Wireshark, Ethereal, or TCPDump to sniff the network packets and reassemble the HTTP messages between the server and the client, and so gain access to sensitive information like usernames, passwords, credit card numbers, and so on. Encrypted transmissions to Web applications happen with the help of the secure socket layer/transport layer security (SSL/TLS). HTTP traffic, when coupled with SSL/TLS, results in hypertext transfer protocol-secure (HTTPS). When traffic is sent over the HTTPS protocol, the connection between the client and the server is encrypted and is not vulnerable to network traffic monitoring or sniffing. However, it is very important to note that just implementing SSL/TLS is not a panacea for this problem. The certificate used for the creation of encrypted transmissions should be of a certain caliber to ensure that encrypted traffic cannot be brute-forced or otherwise read by an attacker. We have already argued in Chapter 8 against the use of nonsecure encryption algorithms and hashing functions like MD5 and RC4. The tester must also verify that the certificate is of a certain strength. This may be done with the help of SSL/TLS enumeration tools like SSLDump or HTTPrint, which provide details on the strength of the SSL/TLS certificate. The tester may also examine the SSL certificate from the browser to check the types of encryption algorithms supported and then assess the strength of the certificate and the encryption provided by it based on this check. Figure 12.10 indicates the strength of the SSL/TLS certificate being accessed from the browser.
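As an added example (not from the book), the following Python script performs the kind of check described above: it connects to a server, records the negotiated protocol and cipher, and flags the weak algorithms the text warns about (RC4, MD5, export, anonymous and short-key suites) as well as an expired certificate. The host name and the list of weak-algorithm tokens are assumptions of this example.

```python
# Added example (not from the book): a small Python checker for the TLS
# properties the text asks the tester to verify: negotiated protocol, cipher
# strength, weak algorithms such as RC4/MD5, and certificate validity period.
import socket
import ssl
import time

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names treated as weak (assumed policy list).
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

def assess_session(protocol, cipher_name, key_bits, not_after, now):
    """Return the findings for one negotiated TLS session.

    not_after is the certificate expiry and now the current time, both as
    Unix timestamps, so the check can be exercised on constructed values.
    """
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"obsolete protocol {protocol}")
    for token in WEAK_CIPHER_TOKENS:
        if token in cipher_name:
            findings.append(f"weak algorithm {token} in cipher {cipher_name}")
    if key_bits < 128:
        findings.append(f"cipher key length {key_bits} bits is below 128")
    if not_after <= now:
        findings.append("certificate has expired")
    return findings

def probe_server(host, port=443, timeout=5.0):
    """Connect with the system trust store and assess what was negotiated.
    Only the one suite this client negotiates is examined; enumerating every
    suite the server accepts, as the tools in the text do, needs more handshakes.
    """
    ctx = ssl.create_default_context()  # refuses SSLv2/3 and untrusted certs
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name, _, key_bits = tls.cipher()
                protocol = tls.version()
                cert = tls.getpeercert()
    except ssl.SSLError as err:
        return {"host": host, "findings": [f"handshake rejected: {err.reason}"]}
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = assess_session(protocol, cipher_name, key_bits, not_after, time.time())
    return {"host": host, "protocol": protocol, "cipher": cipher_name,
            "findings": findings}

if __name__ == "__main__":
    print(probe_server("www.example.com"))  # assumed host; needs network access
```

A handshake rejected by the default context is itself a finding, since it means the server offers nothing a current client will accept.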