Sunday, 30 June 2013

Web Application Penetration Test Tricks Part I – Virus Upload

Performing a web application penetration test is not voodoo magic, but rather an exercise in knowledge, prioritization, and efficiency. During years of hard work, penetration testers hone their methodology and develop efficient ways of applying their knowledge in order to identify specific vulnerabilities. The "Web Application Penetration Test Tricks" blog series will examine simple methods for testing some interesting web application vulnerabilities. In other words, we'll take a look at some tricks of the trade that you can implement while performing penetration tests against your own web applications!
Many web applications implement file upload functionality using an <input type="file"> field. The file is uploaded to the server, where the web application does something with it, often storing the file for subsequent download by other application users. What if a file containing a virus could be uploaded? Could the virus be spread to other application users through the web application? And how could you actually test this vulnerability? You don't want to actually spread a virus, and besides, local anti-virus software might interfere with testing.
The answer is the EICAR (European Institute for Computer Antivirus Research) anti-virus test file, formally known as the "EICAR Standard Anti-Virus Test File". This file contains the following 68-character plaintext string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Although it is not actually a virus, most anti-virus software will flag files that contain this string (with up to 60 characters of optional preceding whitespace) as a virus. The anti-virus test file can be downloaded from http://www.eicar.org/85-0-Download.html. Here Microsoft Security Essentials is shown quarantining the anti-virus test file:

Here Symantec Endpoint Protection is shown detecting the anti-virus test file:

The anti-virus test file is therefore perfect for testing web applications. Just upload the file onto the web server. If the file can be subsequently downloaded with the test string intact, you know that the web application is not performing virus scanning of uploaded files. Consequently, the web application is vulnerable and can be used as a mechanism to propagate viruses to unknowing users. Web server administrators should deploy anti-virus software on web servers, and developers should ensure that the web application leverages the anti-virus software to scan uploaded files before disk storage.
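The upload-then-download check described above, as an added Python example that is not from the original post. The upload URL, the form field name and the download URL are assumed command-line arguments; the test string is assembled from fragments at run time so that the script itself is not quarantined by local anti-virus software, and the verifier accepts the whitespace padding the EICAR specification permits.

```python
import sys
import urllib.request
import uuid

# The 68-character EICAR string, split so the source file does not contain it verbatim.
_EICAR_PARTS = ("X5O!P%@AP[4", "\\PZX54(P^)7CC)7}", "$EICAR-STANDARD-", "ANTIVIRUS-TEST-FILE!$H+H*")


def build_eicar() -> bytes:
    """Return the EICAR test string as bytes (68 bytes, ASCII only)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_intact(data: bytes) -> bool:
    """True if the downloaded bytes are still a valid EICAR test file.

    The EICAR specification allows optional whitespace padding around the
    68-byte string as long as the whole file is at most 128 bytes; anything
    else (truncated, rewritten, or an error page) counts as 'not intact'.
    """
    if len(data) > 128:
        return False
    return data.strip() == build_eicar()


def multipart_body(field: str, filename: str, content: bytes):
    """Build a single-file multipart/form-data body; returns (body, content_type)."""
    boundary = "----eicar-" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def upload_and_fetch(upload_url: str, field: str, download_url: str) -> bytes:
    """Upload the test file as 'eicar.com', then fetch it back for inspection."""
    body, ctype = multipart_body(field, "eicar.com", build_eicar())
    req = urllib.request.Request(upload_url, data=body, headers={"Content-Type": ctype}, method="POST")
    with urllib.request.urlopen(req) as resp:
        resp.read()  # upload response is not needed, only the stored copy
    with urllib.request.urlopen(download_url) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage: python eicar_check.py <upload_url> <form_field> <download_url>  (all hypothetical)
    fetched = upload_and_fetch(*sys.argv[1:4])
    print("VULNERABLE: test file served back intact" if eicar_intact(fetched)
          else "OK: test file was blocked or altered")
```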
That's all for the first installment of the "Web Application Penetration Test Tricks" blog series. Next time we'll take a look at clickjacking, another vulnerability that targets unknowing web application users. Cheers!