OWASP Testing for Authorization and Weak Crypto

Testing for Authorization

Directory traversal/file include

Bypassing Authorization Schema

Privilege escalation

Insecure Direct Object References

Testing for weak Cryptography

Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection

Various types of information which must be protected can be also transmitted in clear text. It is possible to check if this information is transmitted over HTTP instead of HTTPS.

Example 1. Basic Authentication over HTTP
Basic Authentication, after log in, credentials are encoded — and not encrypted — into HTTP Headers.

Testing for Weak SSL/TLS Ciphers/Protocols/Keys vulnerabilities

Example 2. SSL service recognition via nmap
 The first step is to identify ports which have SSL/TLS wrapped services. In this example we search for SSL services using nmap with “-sV” option, used to identify services and it is also able to identify SSL services

Example 3. Checking for Certificate information, Weak Ciphers and SSLv2 via nmap

Example 4 Checking for Client-initiated Renegotiation and Secure Renegotiation via openssl (manually)

Example 5. Testing supported Cipher Suites, BEAST and CRIME attacks via TestSSLServer
TestSSLServer is a script which permits the tester to check the cipher suite and also for BEAST and CRIME attacks. BEAST (Browser Exploit Against SSL/TLS) exploits a vulnerability of CBC in TLS 1.0. CRIME (Compression Ratio Info-leak Made Easy) exploits a vulnerability of TLS Compression, that should be disabled.

Example 6. Testing SSL/TLS vulnerabilities with sslyze
 Sslyze is a python script which permits mass scanning and XML output.

Example 7. Testing SSL/TLS with testssl.sh
 Testssl.sh is a Linux shell script which provides clear output to facilitate good decision making.

Example 8. Testing SSL/TLS with SSL Breacher

Testing SSL certificate validity — client and server

Example 1. Testing for certificate validity (manually)

Example 8. Testing via HTTP proxy

Padding Oracle

Testing for padding oracle vulnerabilities
First the possible input points for padding oracles must be identified. Generally the following conditions must be met
1. The data is encrypted. Good candidates are values which appear to be random.
2. A block cipher is used. The length of the decoded (Base64 is used often) cipher text is a multiple of common cipher block sizes like 8 or 16 bytes. Different cipher texts (e.g. gathered by different sessions or manipulation of session state) share a common divisor in the length.

Sensitive information sent via unencrypted channels

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.