Friday, November 8, 2013

Clickjacking

     Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

     A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page

Examples
     A user might receive an email with a link to a video about a news item, but another valid page, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:
Tricking users into enabling their webcam and microphone through Flash.
Tricking users into making their social networking profile information public.
Making users follow someone on Twitter.
Sharing links on Facebook.

Likejacking
     Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like".

Cursorjacking
     Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives.

The overall idea is simple.
A visitor is lured to evil page. No matter how. “Click to get 1000000$” or whatever.
The evil page puts a “get rich now” link with z-index=-1.
The evil page includes a transparent iframe from the victim domain, say facebook.com and positions it so that “I like it” button is right over the link.

Here’s how it looks (half-transparent iframe for demo purposes):


      A click on the link actually happens on the iframe. Bingo! If the visitor is logged into facebook (and most of time he is), then facebook.com receives the click on behalf of the visitor.

On Twitter, it was the “Follow” button.

Thursday, June 6, 2013

Top 10 Database Attacks

1. Excessive privileges.
When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information. For example, a university administrator whose job requires read-only access to student records may take advantage of excessive update privileges to change grades.

The solution to this problem (besides good hiring policies) is query-level access control. Query-level access control restricts privileges to minimum-required operations and data. Most native database security platforms offer some of these capabilities (triggers, RLS, and so on), but the manual design of these tools make them impractical in all but the most limited deployments.

2. Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes. For example, a user with privileges to view individual patient records via a custom healthcare application client may abuse that privilege to retrieve all patient records via a MS-Excel client.

The solution is access control policies that apply not only to what data is accessible, but how data is accessed. By enforcing policies for time of day, location, and application client and volume of data retrieved, it is possible to identify users who are abusing access privileges.

3. Unauthorized privilege elevation
Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. For example, an attacker might take advantage of a database buffer overflow vulnerability to gain administrative privileges.

Privilege elevation exploits can be defeated with a combination of query-level access control and traditional intrusion prevention systems (IPS). Query-level access control can detect a user who suddenly uses an unusual SQL operation, while an IPS can identify a specific documented threat within the operation.

4. Platform vulnerabilities
Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. For example, the Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers.

IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.

5. SQL injection
SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.

Query-level access control detects unauthorized queries injected via web applications and/or stored procedures.

6. Weak audit
Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery.

Unfortunately, native database management system (DBMS) audit capabilities result in unacceptable performance degradation and are vulnerable to privilege-related attacks -- i.e. developers or database administrators (DBAs) can turn off auditing.
Most DBMS audit solutions also lack necessary granularity. For example, DBMS products rarely log what application was used to access the database, the source IP addresses and failed queries.
Network-based audit appliances are a good solution. Such appliances should have no impact on database performance, operate independently of all users and offer granular data collection.

7. Denial of service
Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.

DoS prevention should occur at multiple layers including the network, applications and databases.
Database-related recommendations include deploying an IPS and connection rate controls. By rapidly opening a large number of connections, connection rate controls can prevent individual users from consuming database server resources.

8. Database protocol vulnerabilities
Vulnerabilities in database protocols may allow unauthorized data access, corruption or availability. For example, the SQL Slammer worm took advantage of a Microsoft SQL Server protocol vulnerability to execute attack code on target database servers.

Protocol attacks can be defeated by parsing and validating SQL communications to make sure they are not malformed.

9. Weak authentication
Weak authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks, social engineering, and so on.

Implementation of passwords or two-factor authentication is a must. For scalability and ease-of-use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures.

10. Exposure of backup data
Some recent high profile attacks have involved theft of database backup tapes and hard disks.

All backups should be encrypted. In fact, some vendors have suggested that future DBMS products may not support the creation of unencrypted backups. Encryption of online production database information is a poor substitute for granular privilege controls.


Conclusion
Although databases and their contents are vulnerable to a host of internal and external threats, it is possible to reduce the attack vectors to near zero. By addressing these threats you will meet the requirements of the most regulated industries in the world.

Wednesday, June 5, 2013

SQL INJECTION

            Without proper safeguards, applications are vulnerable to various forms of security attack. One particularly pathetic  method of attack is called SQL injection. Using this method, a hacker can pass string input to an application with the hope of gaining unauthorized access to a database.

            SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.

            SQL injection techniques may differ, but they all exploit a single vulnerability in the application. 
The following things might result from SQL injection:
  • The user could log in to the application as another user, even as an administrator.
  • The user could view private information belonging to other users e.g. details of other users’ profiles, their transaction details etc.
  • The user could change application configuration information and the data of the other users.
  • The user could modify the structure of the database; even delete tables in the application database.
  • The user could take control of the database server and execute commands on it at will.
Since, the SQL Injection consequences is severe, The SQL Injection testing must be done during the security testing of an application.

The SQL injection problem should be tested only in the test environment.

If the application has a log in page, it is possible that the application uses a dynamic SQL  statement s  in the Inputbox  or any  text box that gives an input to the application to access the Database user details etc .

If the tester would enter John as the UserName (in the textbox for user name) and Smith as strPassword (in the textbox for password), the SQL statement would become:
SELECT * FROM Users WHERE User_Name = ‘John’ AND Password = ‘Smith’;

If the tester would enter John’– as UserName and ‘smith’ as Password, the SQL statement would become:
SELECT * FROM Users WHERE User_Name = ‘John’– AND Password = ‘Smith’;

Note that the part of the SQL statement after John is turned into a comment. If there were any user with the user name of John in the Users table, the application could allow the tester to log in as the user John. The tester could now view the private information of the user John.

Q)What if the tester does not know the name of any existing user of the application?

In such a case, the tester could try common user names like admin, administrator and sysadmin. If none of these users exist in the database, the tester could enter John’ or ‘x’=’x as UserName and Smith’ or ‘x’=’x  as Password. This would cause the SQL statement to become like the one below.

SELECT * FROM Users WHERE User_Name = ‘John’ or ‘x’='x’ AND Password = ‘Smith’ or ‘x’=’x’;

Since ‘x’=’x’ condition is always true, the result set would consist of all the rows in the Users table. The application could allow the tester to log in as the first user in the Users table.

If the tester would enter John’; DROP table users_details;’—as strUserName and anything as strPassword, the SQL statement would become like the one below.

SELECT * FROM Users WHERE User_Name = ‘John’; DROP table users_details;’ –‘ AND Password = ‘Smith’;

This statement could cause the table “users_details” to be permanently deleted from the database.

Though the above examples deal with using the SQL injection technique only the log in page, the tester should test this technique on all the pages of the application that accept user input in textual format e.g. search pages, feedback pages etc.

Some of the other login bypassing queries are:-

  •                admin' --
  •                admin' #
  •                admin'/*
  •                ' or 1=1--
  •                ' or 1=1#
  •                ' or 1=1/*
  •                ') or '1'='1--
  •                ') or ('1'='1--

Wednesday, April 17, 2013

Email Address Validation.

List of valid and invalid email format which can be used for testing is as follows.

Valid Email address Reason
email@domain.com Valid email
firstname.lastname@domain.com Email contains dot in the address field
email@subdomain.domain.com Email contains dot with subdomain
firstname+lastname@domain.com Plus sign is considered valid character
email@123.123.123.123 Domain is valid IP address
email@[123.123.123.123] Square bracket around IP address is considered valid
"email"@domain.com Quotes around email is considered valid
1234567890@domain.com Digits in address are valid
email@domain-one.com Dash in domain name is valid
_______@domain.com Underscore in the address field is valid
email@domain.name .name is valid Top Level Domain name
email@domain.co.jp Dot in Top Level Domain name also considered valid (use co.jp as example here)
firstname-lastname@domain.com Dash in address field is valid
Invalid Email address Reason
plainaddress Missing @ sign and domain
#@%^%#$@#$@#.com Garbage
@domain.com Missing username
Joe Smith <email@domain.com> Encoded html within email is invalid
email.domain.com Missing @
email@domain@domain.com Two @ sign
.email@domain.com Leading dot in address is not allowed
email.@domain.com Trailing dot in address is not allowed
email..email@domain.com Multiple dots
あいうえお@domain.com Unicode char as address
email@domain.com (Joe Smith) Text followed email is not allowed
email@domain Missing top level domain (.com/.net/.org/etc)
email@-domain.com Leading dash in front of domain is invalid
email@domain.web .web is not a valid top level domain
email@111.222.333.44444 Invalid IP format
email@domain..com Multiple dot in the domain portion is invalid

Thursday, December 6, 2012

What to Test in a Login Page?

User Interface
Tab Order - Is there a logical order to using the tab key?
Username field focus - when arriving at the page is the cursor focused on the username field?
Use of enter key - does selecting enter activate the Login button?
Accessibility - are the form fields correctly identified and labelled?
The look - does it look ok? Everything aligned ok?
Content - is the content up to scratch? Any typos?
Links - are there any other existing links on the page? Are they valid?

Security
Password - is it shown in asterisks?
Password - can it be copied and pasted?
Password - is there a minimum complexity on the password?
View Source - is valuable information given away in the HTML source code?
SQL Injection - is it vulnerable to SQL input?
Pages - can pages behind the wall be accessed without logging in?
URL Manipulation - can the URLs be edited to gain access where it should not be allowed?
Multiple accounts - can different accounts be logged in at the same time in the same browser?
Cookies - can they be edited? Disabled?

Functionality
Login - is it possible to login successfully? Unsuccessfully?
Logout - if user logs out, do they log out as expected?
Forgot password - does it exist? does the process work? Is it prone to security failure? URL
manipulation?
Back and Forward buttons - how does the application cope when using the browser Back and Forward
buttons?
Remember me - is there a “Remember me” option? Does it as standard? What if password is changed?
Compatibility - is there a need to test in other browsers?
Data - is there a minimum or maximum length of characters? What are the boundaries? What are the
allowed characters?
Error handling - how are errors handled and displayed?

Tuesday, December 4, 2012

Mobile Application Testing Checklist.

Installation
  • Verify that application will download properly.
  • Verify that application will install properly.
  • Verify that proper application Icon is displayed.
  • Verify that the application will  launch successfully.
Splash Screen
  • Verify that proper splash screen is displayed.
  • Splash screen should not remain for more than 3 seconds.
Application Stability
  • Verify that the Application will not crash or freeze at any time while running.
  • Verify that the application must not lose any information as a result of a forcible close.
  • Verify that the application will work properly after system shut down and restart.
  • Verify that the application will not cause any problem to other application which is installed in the device.
Network Testing
  • Observe the behavior of the application during no network range.
  • Observe the behavior of the application when network is back in action.
  • Observe the application behavior under Wi-fi network range.
  • Observe the application behavior under 3G network.
  • Observe the application behavior under low network range.
  • Observe the application behavior under Airplane mode.
Voice Call Handling
  • Verify that the user can accept voice call during application running.
  • Verify that the user can reject voice call during application running.
  • Verify that the user can establish a voice call during application running.
SMS Handling
  • Verify that user can get SMS alert when application is running.
  • Verify that the application will not quit when user will get an SMS alert.
  • Verify that user can resume back from the same point after reading the SMS.
  • Verify that user can send an SMS during application running.
Battery Related Testing
  • Error message should be displayed for low battery during application running.
  • Verify that the application is running under low battery.
  • Verify that the application will not affect when we insert or remove charger.
  • Verify that application does not consume battery excessively.
Low Memory
  • Verify that application displays proper error message when device memory is low and exits gracefully from the situation.
Continual Keypad Entry
  • Verify that continual key pad entry do not cause any problem.
External Incoming Communication
  • Application should gracefully handle the condition when incoming communication is made via Bluetooth/Infrared.
Application Version
  • Verify that the application version is properly displaying in the application.
Uninstall
  • Verify that application can be uninstalled successfully.
  • Verify that proper confirmation message is displayed before uninstalling the application.

Wednesday, October 31, 2012

Database Testing.

To test the database:
  • Create a controlled version of the migrated database.
  • Oracle recommends that you keep the database migration scripts in a source control system.
  • Design a set of test cases that you can use to test the Oracle database from unit to system level. The test cases should:
Ensure the following:
  • All the users in the source database have migrated successfully.
  • Privileges and grants for users are correct.
  • Tables have the correct structure, defaults are functioning correctly, and errors did not occur during mapping or generation.
Validate that the data migrated successfully by doing the following:
  • Comparing the number of rows in the Oracle database with those in the source database.
  • Calculating the sum of numerical columns in the Oracle database and compare with those in the source database.
Ensure that the following applies to constraints:
  • You cannot enter duplicate primary keys.
  • Foreign keys prevent you from entering inconsistent data.
  • Check constraints prevent you from entering invalid data.
  • Check that indexes and sequences are created successfully.
Ensure that views migrated successfully by doing the following:
  • Comparing the number of rows in the Oracle database with those in the source database.
  • Calculating the sum of numerical columns in the Oracle database and compare with those in the source database.
Ensure that triggers, procedures, and functions are migrated successfully. Check that the correct values are returned for triggers and functions.

Data integrity is tested by the following tests:
  • Verify that you can create, modify, and delete any data in tables.
  • Verify that sets of radio buttons represent fixed sets of values.
  • Verify that a blank value can be retrieved from the database.
  • Verify that, when a particular set of data is saved to the database, each value gets saved fully, and the truncation of strings and rounding of numeric values do not occur.
  • Verify that the default values are saved in the database, if the user input is not specified.
  • Verify compatibility with old data, old hardware, versions of operating systems, and interfaces with other software.