Justice League Blog
Art of InfoJacking – What Lies Beneath

This is a guest post by Aditya K. Sood, a Security Practitioner at Cigital.
Information gathering is considered one of the most critical steps in performing aggressive penetration testing in all types of environments. With the proliferation of web vulnerabilities, the online world has introduced new protection mechanisms such as web application firewalls. It is important to fingerprint these web application firewalls in order to conduct efficient and robust testing of websites and financial applications. A Web Application Firewall (WAF) implements server cloaking and normalization by manipulating HTTP response headers. Every WAF shows unique behavior in doing so, which enables testers to fingerprint the presence of that WAF in a production environment. Signatures of this behavior are required to detect the presence of hidden devices in the network.
Proxy servers also play an important role in maintaining anonymity in networks. Proxy servers are configured in a myriad of ways, including static and dynamic configuration. Continuous testing has shown that dynamic configuration of proxy servers using WPAD can indirectly harness the collective power of DHCP and DNS: the proxy file (proxy.wpad) is discovered using the WPAD protocol. In addition, the client browser also uses Proxy Auto Configuration (PAC) files, which define a specific “FindProxyForURL” function that provides the connection string to the proxy server. It has been noticed that insecure access to these proxy configuration files can result in the complete surrender of the entire internal network to predators. Fingerprinting proxy configuration files therefore adds to the taste of penetration testing.
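As an added example (not from the original post) of what a PAC file's FindProxyForURL decides, the harness below loads a constructed PAC script with the standard PAC helper functions in scope and evaluates sample URLs offline, so an administrator can verify which proxy each destination is routed to before the file is published over WPAD. The PAC text, hostnames and proxy names are all constructed for illustration.

```javascript
// Constructed sample PAC file (the kind a browser fetches via WPAD or a configured URL).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(url, "http*://*.bank.example/*")) return "PROXY secure-proxy.corp.example:8080";
  return "PROXY proxy.corp.example:3128; DIRECT";
}`;

// Minimal offline implementations of the PAC helpers a script may call.
// Assumption: isInNet only sees IPv4 literals here; no DNS lookups are performed.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pattern) => {
    // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
  },
  isInNet: (host, net, mask) => {
    if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
    const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
    return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
  },
};

// Compile the PAC text with only the helpers above visible, and return FindProxyForURL.
function loadPac(pacText) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacText + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate every URL and map it to the proxy decision string the PAC returns.
function auditPac(pacText, urls) {
  const find = loadPac(pacText);
  const report = {};
  for (const u of urls) report[u] = find(u, new URL(u).hostname);
  return report;
}

// Return the URLs whose decision names a PROXY host outside the approved list
// (a rogue or mistyped proxy here means traffic silently leaves through the wrong box).
function unexpectedProxies(report, allowedProxyHosts) {
  const bad = [];
  for (const [url, decision] of Object.entries(report)) {
    for (const entry of decision.split(";")) {
      const [kind, target] = entry.trim().split(/\s+/);
      if (kind === "PROXY" && !allowedProxyHosts.includes(target.split(":")[0])) bad.push(url);
    }
  }
  return bad;
}
```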
Anonymous access to web services and protocols is a dangerous deal. It has been a major driver of differential attacks on anonymous services. However, much depends on the extent to which anonymous access can be exploited. For example, anonymous FTP access can be used to enumerate users and directories and to initiate FTP bounce scans. These configuration flaws can be used in conjunction with web vulnerabilities to design a new attack vector, for example Cross Interface Attacks (CIA), in which the FTP console is tested against a buffer check which is further exploited to inject XSS/CSRF payloads and perform remote command execution. Design flaws in network devices can also be leveraged to extract a plethora of information that can be useful in enhancing the modus operandi of penetration testing.
All these issues have been discussed in detail at the Source Conference. Please refer to the slides at: http://www.cigital.com/presentations/sourceseattle2011cigital_adityaks.pdf.