Web Security Testing Cookbook by Paco Hope, Ben Walther

You have decoded some data in a parameter, input field, or data file and you want to create appropriate test cases for it. You have to determine what kind of data it is so that you can design good test cases that manipulate it in interesting ways.

We will consider these kinds of data:

Finding encoders and decoders for Base 16 and Base 8 are easy. Even the basic calculator on Windows can do them. Finding an encoder/decoder for Base 36, however, is somewhat rarer.

Base 64 fills a very specific niche: it encodes binary data that is not printable or safe for the channel in which it is transmitted. It encodes that data into something relatively opaque and safe for transmission using just alphanumeric characters and some punctuation. You will encounter Base 64 wrapping most complex parameters that you might need to manipulate, so you will have to decode, modify, and then reencode them.

Install OpenSSL in Cygwin (if you’re using Windows) or make sure you have the openssl command if you’re using another operating system. All known distributions of Linux and Mac OS X will have OpenSSL.

% echo 'Q29uZ3JhdHVsYXRpb25zIQ==' | openssl base64 -d

% openssl base64 -e -in input.txt -out input.b64

% echo -n '&a=1&b=2&c=3' | openssl base64 -e

You will see Base 64 a lot. It shows up in many HTTP headers (e.g., the Authorization: header) and most cookie values are Base 64-encoded. Many applications encode complex parameters with Base 64 as well. If you see encoded data, especially with equals characters at the end, think Base 64.

Notice the -n after the echo command. This prevents echo from appending a newline character on the end of the string that it is provided. If that newline character is not suppressed, then it will become part of the output. Example 4-1 shows the two different commands and their respective output.

% echo -n '&a=1&b=2&c=3' | openssl base64 -e   # Right.
JmE9MSZiPTImYz0z

% echo '&a=1&b=2&c=3' | openssl base64 -e      # Wrong.
JmE9MSZiPTImYz0zCg==

This is also a danger if you insert your binary data or raw data in a file and then use the -in option to encode the entire file. Virtually all editors will put a newline on the end of the last line of a file. If that is not what you want (because your file contains binary data), then you will have to take extra care to create your input.

You may be surprised to see us using OpenSSL for this, when clearly there is no SSL or other encryption going on. The openssl command is a bit of a Swiss Army knife. It can perform many operations, not just cryptography.

You need to encode and decode Base-36 numbers and you don’t want to write a script or program to do that. This is probably the easiest way if you just need to convert occasionally.

Brian Risk has created a demonstration website at http://www.geneffects.com/briarskin/programming/newJSMathFuncs.html that performs conversions to arbitrary conversions from one base to another. You can go back and forth from Base 10 to Base 36 by specifying the two bases in the page. Figure 4-1 shows an example of converting a large Base-10 number to Base 36. To convert from Base 36 to Base 10, simply swap the 10 and the 36 in the web page.

Figure 4-1. Converting between Base 36 and Base 10

Just because this is being done in your web browser does not mean you have to be online and connected to the Internet to do this. In fact, like CAL9000 (see Recipe 4.5), you can save a copy of this page to your local hard drive and then load it in your web browser whenever you need to do these conversions.

You need to encode or decode Base-36 numbers a lot. Perhaps you have many numbers to convert or you have to make this a programmatic part of your testing.

Of the tools we use in this book, Perl is the tool of choice. It has a library Math::Base36 that you can install using the standard CPAN or ActiveState method for installing modules. (See Chapter 2). Example 4-2 shows both encoding and decoding of Base-36 numbers.

#!/usr/bin/perl
use Math::Base36 qw(:all);

my $base10num = 67325649178; # should convert to UXFYBDM
my $base36num = "9FFGK4H";   # should convert to 20524000481

my $newb36    = encode_base36( $base10num );
my $newb10    = decode_base36( $base36num );

print "b10 $base10num\t= b36 $newb36\n";
print "b36 $base36num\t= b10 $newb10\n";

For more information on the Math::Base36 module, you can run the command perldoc Math::Base36. In particular, you can get your Base-10 results padded on the left with leading zeros if you want.

URL-encoded data uses the % character and hexadecimal digits to transmit characters that are not allowed in URLs directly. The space, angle brackets (< and >), and slash (solidus, /) are a few common examples. If you see URL-encoded data in a web application (perhaps in a parameter, input, or some source code) and you need to either understand it or manipulate it, you will have to decode it or encode it.

The easiest way is to use CAL9000 from OWASP. It is a series of HTML web pages that use JavaScript to perform the basic calculations. It gives you an interactive way to copy and paste data in and out and encode or decode it at will.

Encode

Enter your decoded data into the “Plain Text” box, then click on the “Url (%XX)” button to the left under “Select Encoding Type.” Figure 4-2 shows the screen and the results.

Figure 4-2. URL encoding with CAL9000

Decode

Enter your encoded data into the box labeled “Encoded Text,” then click on the “Url (%XX)” option to the left, under “Select Decoding Type.” Figure 4-3 shows the screen and the results.

Figure 4-3. URL decoding with CAL9000

URL-encoded data is familiar to anyone who has looked at HTML source code or any behind-the-scenes data being sent from a web browser to a web server. RFC 1738 (ftp://ftp.isi.edu/in-notes/rfc1738.txt) defines URL encoding, but it does not require encoding of certain ASCII characters. Notice that, although it isn’t required, there is nothing wrong with unnecessarily encoding these characters. The encoded data in Figure 4-3 shows an example of this. In fact, redundant encoding is one of the ways that attackers mask their malicious input. Naïve blacklists that check for <script> or even %3cscript%3e might not check for %3c%73%63%72%69%70%74%3e, even though all of them are essentially the same.

One of the great things about CAL9000 is that it is not really software. It is a collection of web pages that have JavaScript embedded in them. Even if your IT policies are super-draconian and you cannot install anything at all on your workstation, you can open these web pages in your browser from a local hard disk and they will work for you. You can easily load them onto a USB drive and load them straight from that drive, so that you never install anything at all.

The HTML specification provides a way to encode special characters so that they are not interpreted as HTML, JavaScript, or another kind of command. In order to generate test cases and potential attacks, you will need to be able to perform this kind of encoding and decoding.

The easiest choice for this kind of encoding and decoding is CAL9000. We won’t repeat the detailed instructions on how to use CAL9000 because it is pretty straightforward to use. See Recipe 4.5 for detailed instructions.

To encode special characters, you enter the special characters in the box labeled “Plain Text” and choose your encoding. You will want to enter a semicolon (;) in the “Trailing Characters” box in CAL9000.

Decoding HTML Entity-encoded characters is the same process in reverse. Type or paste the entity-encoded characters into the “encoded text box” and then click on the “HTML Entity” entry under “Select Decoding Type.”

HTML entity encoding is an area rich with potential mistakes. The authors have seen many web applications perform multiple rounds of entity encoding (e.g., the ampersand is encoded as &) in one part of the display and perform no entity encoding in other parts of the display. Not only is it important to do correctly, it turns out that since there are so many variations on HTML entity encoding, it is very challenging to write a web application that does handle encoding correctly.

When your application uses hashes, checksums, or other integrity checks over its data, you need to recognize them and possibly calculate them on test data. If you are unfamiliar with hashes, see the upcoming sidebar “What Are Hashes?.”

As with other encoding tasks, you have at least three good choices: OpenSSL, CAL9000, and Perl.

% echo -n "my data" | openssl md5

c:\> type myfile.txt | openssl md5

#/usr/bin/perl
use Digest::SHA1  qw(sha1);
$data   = "my data";
$digest = sha1($data);
print "$digest\n";

The MD5 case is shown using OpenSSL on Unix or on Windows. OpenSSL has an equivalent sha1 command. Note that the -n is required on Unix echo command to prevent the newline character from being added on the end of your data. Although Windows has an echo command, you can’t use it the same way because there is no way to suppress the carriage-return/linefeed set of characters on the end of the message you give it.

The SHA-1 case is shown as a Perl script, using the Digest::SHA1 module. There is an equivalent Digest::MD5 module that works the same way for MD5 hashes.

Note that there is no way to decode a hash. Hashes are mathematical digests that are one-way. No matter how much data goes in, the hash produces exactly the same size output.

You are likely to see time represented in a lot of different ways. Recognizing a representation of time for what it is will help you build better test cases. Not only knowing that it is time, but knowing what the programmer’s fundamental assumptions might have been when the code was written makes it easier to write targeted test cases.

Obvious time formats encode the year, month, and day in familiar arrangements, providing either two or four digits for the year. Some include hours, minutes, and seconds, possibly with a decimal and milliseconds. Table 4-2 shows several representations of June 1, 2008, 5:32:11 p.m. and 844 milliseconds. Some of the formats do not represent certain parts of the date or time. The unrepresentable parts are omitted as appropriate.

You may think that recognizing time is pretty obvious and not important to someone testing web applications, especially for security. We would argue that it is actually very important. The authors have seen many applications where time was considered to be unpredictable by the developers. Time has been used in session IDs, temporary filenames, temporary passwords, and account numbers. As a simulated attacker, you know that time is not unpredictable. As we plan “interesting” test cases on a given input field, we can narrow down the set of possible test values dramatically if we know it corresponds to a time value from the recent past or recent future.

You have determined that your application uses time in some interesting way, and now you want to generate specific values in specific formats.

Perl is a great tool for this job. You will need the Time::Local module for some manipulations of Unix time and the POSIX module for strftime. Both are standard modules. The code in Example 4-3 shows you four different formats and how to calculate them.

#!/usr/bin/perl 
use Time::Local; 
use POSIX qw(strftime); 
# June 1, 2008, 5:32:11pm and 844 milliseconds 
$year  = 2008; 
$month = 5;      # months are numbered starting at 0! 
$day   = 1; 
$hour  = 17;     # use 24-hour clock for clarity 
$min   = 32; 
$sec   = 11; 
$msec  = 844; 

# UNIX Time (Seconds since Jan 1, 1970)     1212355931 
$unixtime = timelocal( $sec, $min, $hour, $day, $month, $year ); 
print "UNIX\t\t\t$unixtime\n"; 

# populate a few values (wday, yday, isdst) that we'll need for strftime 
($sec,$min,$hour,$mday,$mon,$year, 
    $wday,$yday,$isdst) = localtime($unixtime);

# YYYYMMDDhhmmss.sss    20080601173211.844 
# We use strftime() because it accounts for Perl's zero-based month numbering 
$timestring = strftime( "%Y%m%d%H%M%S",
	$sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ); 
$timestring .= ".$msec"; 
print "YYYYMMDDhhmmss.sss\t$timestring\n"; 

# YYMMDDhhmm  0806011732 
$timestring = strftime( "%y%m%d%H%M", $sec,$min,$hour,$mday, 
    $mon,$year,$wday,$yday,$isdst ); 
print "YYMMDDhhmm\t\t$timestring\n"; 

# POSIX in "C" Locale   Sun Jun  1 17:32:11 2008 
$gmtime = localtime($unixtime); 
print "POSIX\t\t\t$gmtime\n";

You can use perldoc Time::Local or man strftime to find out more about possible ways to format time.

ASP.NET provides a mechanism by which the client can store state, rather than the server. Even relatively large state objects (several kilobytes) can be sent as form fields and posted back by the web browser with every request. This is called the ViewState and is stored in an input called __VIEWSTATE on the form. If your application uses this ViewState, you will want to investigate how the business logic relies on it and develop tests around corrupt ViewStates. Before you can build tests with corrupt ViewStates, you have to understand the use of ViewState in the application.

Get the ViewState Decoder from Fritz Onion (http://www.pluralsight.com/tools.aspx). The simplest use case is to copy and paste the URL of your application (or a specific page) into the URL. Figure 4-4 shows version 2.1 of the ViewState decoder and a small snapshot of its output.

Figure 4-4. Decoding ASP.NET ViewState

Sometimes the program fails to fetch the ViewState from the web page. That’s really no problem. Just view the source of the web page (see Recipe 3.2) and search for <input type= "hidden" name="__VIEWSTATE"...>. Take the value of that input and paste it into the decoder.

If the example in Figure 4-4 was your application, it would suggest several potential avenues for testing. There are URLs in the ViewState. Can they contain JavaScript or direct a user to another, malicious website? What about the various integer values?

There are several questions you should ask yourself about your application, if it is using ASP.NET and the ViewState:

When it comes time to create tests for corrupted ViewStates, you will probably use tools like TamperData (see Recipe 3.6) or WebScarab (see Recipe 3.4) to inject new values.

Sometimes data is encoded multiple times, either intentionally or as a side effect of passing through some middleware. For example, it is common to see the nonalphanumeric characters (=, /, +) in a Base 64-encoded string (see Recipe 4.2) encoded with URL encoding (see Recipe 4.5). For example, V+P//z== might be displayed as V%2bP%2f%2f%3d%3d. You’ll need to be aware of this so that when you’ve completed one round of successful decoding, you treat the result as potentially more encoded data.

Sometimes a single parameter is actually a specially structured payload that carries many parameters. For example, if we see AUTH=dGVzdHVzZXI6dGVzdHB3MTIz, then we might be tempted to consider AUTH to be one parameter. When we realize that the value decodes to testuser:testpw123, then we realize that it is actually a composite parameter containing a user ID and a password, with a colon as a delimiter. Thus, our tests will have to manipulate the two pieces of this composite differently. The rules and processing in the web application are almost certainly different for user IDs and passwords.

We don’t usually include quizzes as a follow-up to a recipe, but in this case it might be worthwhile. Recognizing data encodings is a pretty important skill, and an exercise here may help reinforce what we’ve just explained. Remember that some of them may be encoded more than once. See if you can determine the kind of data for each of the following (answers in the footnotes):