Penetration Testing mailing list archives

Re: Application & Iplanet/Apache web server vulnerability and penetration testing


From: Caleb Sima <csima () spidynamics com>
Date: 17 Sep 2002 13:42:52 -0400

Steven,

A couple of basic things from a black-box perspective that you should look for
are below. You can also download WebInspect from www.spidynamics.com
and have it check for all of these things for you.

1 - requests for different directories on the webserver such as
        /admin/
        /adm/
        /test/
        /logs/ etc.
    Also match these requests with the type of business the app is
running; for instance, if it's a bank and the name is 'freebank' then
look for directories such as /freebank/, /banking/, /finance/ etc. This
might get you access to directory listings that could show valuable
files.

2 - check for common files in each of the directories; look for core
files or ws_ftp.log, test.html files. These can give great info on the
system.

3 - look for any pages with user input on the site and check for
directory traversal attacks such as /../etc/passwd, or command execution
|/bin/ls etc. Feed the website with odd input like *, !, ` etc. Look for
any detailed error msgs that might lead you further.

4 - Crawl the site and search the text for any comments '<!--' to see if
any valuable info is located in them; also look for hidden tags
'type=hidden' to see if file locations or prices are stored there.

5 - Identify the way cookies are set up. If they have cookies, are their
id numbers sequential or easily munged with base64 or XOR? If they are,
then try to identify a protected page and send requests with other id
numbers to see if access is given.

6 - Check for old/backup files that might have been created; if there is
a login.php page, look for login.php.bak, login.old etc. These can return
source code.

7 - In all input fields check for SQL injection: input single quotes
into the fields and look for database errors.

8 - Check for all the known issues; do a search on neohapsis for
netscape or apache:
        netscape : host.com/?wp-ver-info
                   host.com/?properties
                   host.com/admin-serv/config/adm.conf
                   host.com/search?
                   etc..
        Apache:
                   check for openssl overflow issue
                   chunked encoding
                   host.com/server-info
                   host.com/server-status
                   etc..


On Mon, 2002-09-16 at 13:05, Steven Walker wrote:
Dear Group,

I have been given a project to perform web application vulnerability testing
on iPlanet and Apache web servers.  The servers run on NT/2000, Solaris
2.7-8, (iPlanet) and Linux, Solaris (Apache).

In house tools are Wisker, WHArenal, NMAP, NESSUS.  I have only used NMAP
and NESSUS so far for firewall and internal network testing.

I am at a loss at where to start the process and am trying to determine if
additional tools are needed.

1. I would obviously harden the web server OS's by closing unnecessary
ports, ensuring proper patch levels, getting rid of rhost and equiv files,
enforcing password policies, limiting accounts, use ssh for administration,
etc.

2. I don't know what to do on the web servers other than delete example
scripts and ensure default passwords are changed to stronger ones.  Are
there any links that you know of that would provide a checklist of iPlanet
and Apache vulnerability checks.  Are there any recommended tools that can
automate this process?  Any suggestions on iPlanet and Apache security?

3. Regarding web applications, I will be expected to test applications
before they go into production.  I know to test for buffer overflows by
inputting non-expected characters into fields.  Beyond that, what advice
could you give or methodology could you direct me to?  Jobs are tough to
find out there; I could use your help in keeping this one.  Thanks to all
of you who will help me.

Sincerely,

Steven M. Walker  CISSP, GSEC, ABCP
Security Specialist
44 W. Douglas Dr.
Saint Peters, MO 63376
Office:  636.279.2206
Home: 636.278.8004
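A defender's counterpart to the checklist in the reply above, added here as an example and not part of the original thread: a small Python scanner that runs the probe signatures from items 1, 2, 3, 6 and 8 (directory probes, backup files, traversal, odd input, server info pages) over Apache/iPlanet common-log lines and flags any client that touches several categories in one visit. The log lines, path sets and regexes are constructed for this example and are deliberately not exhaustive.

```python
import re
from urllib.parse import unquote
# Common log format (Apache and iPlanet): ip - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Probe signatures taken from the checklist above (constructed, deliberately not exhaustive)
DIR_PROBES = {"/admin/", "/adm/", "/test/", "/logs/", "/admin-serv/config/adm.conf"}
INFO_PAGES = {"/server-status", "/server-info", "/?wp-ver-info", "/?properties"}
BACKUP_RE = re.compile(r"\.(bak|old|orig|save)$|/core$|/ws_ftp\.log$", re.I)
TRAVERSAL_RE = re.compile(r"\.\./|/etc/passwd", re.I)
FUZZ_RE = re.compile(r"['`|*!]")  # single quote, backtick, pipe and other odd input

def classify(line):
    """Return the set of probe categories one access-log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    path = unquote(m.group(3))  # decode %2e%2e, %27 and friends before matching
    base, _, query = path.partition("?")
    tags = set()
    if base in DIR_PROBES:
        tags.add("dir-probe")
    if base in INFO_PAGES or path in INFO_PAGES:
        tags.add("server-info")
    if BACKUP_RE.search(base):
        tags.add("backup-file")
    if TRAVERSAL_RE.search(path):
        tags.add("traversal")
    if query and FUZZ_RE.search(query):
        tags.add("input-fuzz")
    return tags

def scan(lines, min_categories=3):
    """Map client IP -> sorted probe categories, keeping only clients that touched at
    least min_categories distinct types: one client walking a checklist is the scanner footprint."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits.setdefault(line.split(" ", 1)[0], set()).update(tags)
    return {ip: sorted(t) for ip, t in hits.items() if len(t) >= min_categories}

# Constructed sample log: one scanning client and one ordinary visitor
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2002:13:42:53 -0400] "GET /admin/ HTTP/1.0" 404 210',
    '10.0.0.5 - - [17/Sep/2002:13:42:54 -0400] "GET /login.php.bak HTTP/1.0" 200 3390',
    '10.0.0.5 - - [17/Sep/2002:13:42:55 -0400] "GET /view.cgi?file=../../etc/passwd HTTP/1.0" 200 1421',
    '10.0.0.5 - - [17/Sep/2002:13:42:56 -0400] "GET /server-status HTTP/1.0" 403 290',
    '10.0.0.5 - - [17/Sep/2002:13:42:57 -0400] "GET /search?q=%27 HTTP/1.0" 500 512',
    '192.0.2.9 - - [17/Sep/2002:13:43:01 -0400] "GET /about.html HTTP/1.0" 200 880',
]
```

Running `scan(SAMPLE_LOG)` reports only 10.0.0.5, with all five categories; raising `min_categories` trades sensitivity for fewer false positives on a noisy site.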




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/