8/2/2019 Vulnerability Test Cases
Reflected Cross Site Scripting Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
9 User Input Parameter
10 User Input Parameter
11 User Input Parameter
12 User Input Parameter
13 User Input Parameter
14 User Input Parameter
15 User Input Parameter
16 User Input Parameter
17 User Input Parameter
18 User Input Parameter
19 User Input Parameter
20 User Input Parameter
21 User Input Parameter
22 User Input Parameter
23 User Input Parameter
24 User Input Parameter
25 User Input Parameter
26 User Input Parameter
27 User Input Parameter
28 User Input Parameter
29 User Input Parameter
30 User Input Parameter
31 User Input Parameter
32 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Output Context
HTML Page
HTML Page - Tag Scope
HTML Tag Structure
HTML Comment
HTML Page - FrameSet Scope
HTML Tag Structure (Base)
HTML Property (Double Quote Property Delimiter)
HTML Property (Single Quote Property Delimiter)
HTML Tag Structure (SRC Property RFI)
HTML Tag Event (JS, Double Quote String Delimiter)
HTML Tag Event (JS, Single Quote String Delimiter)
HTML Tag Event (JS, Any Delimiter)
HTML Tag Event (VBS, Double Quote String Delimiter)
HTML Tag Event (VBS, Single Quote String Delimiter)
HTML Tag Event (VBS, Any Delimiter)
HTML Tag Property (Script Supporting)
Javascript Context (Property, Double Quote String Delimiter)
Javascript Context (Property, Single Quote String Delimiter)
Javascript Context (Property, No String Delimiter)
VBScript Context (Property, Double Quote String Delimiter)
VBScript Context (Property, No String Delimiter)
HTML Script Tag Scope (JS, Double Quote String Delimiter)
HTML Script Tag Scope (JS, Single Quote String Delimiter)
HTML Script Tag Scope (JS, Delimiter Free)
HTML Script Tag Scope (VBS, Double Quote String Delimiter)
HTML Script Tag Scope (VBS, Delimiter Free)
HTML Script Tag Scope (JS, Single Line Comment)
HTML Script Tag Scope (JS, Multi Line Comment)
HTML Script Tag Scope (VBS)
Multiple RXSS Vulnerabilities
HTML Page Scope During an Exception
HTTP Page (Viewstate Required)
Vulnerable Location Barrier 1
Y
Y
Y
Y
Y
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Y JS Comment 1 (//)
Y JS Comment 2 (/**/)
Y VBS Comment ('/Rem)
Y Multiple Vulnerabilities
Y Exception Scope Coverage Required
Y Viewstate Required
Barrier 2
Single Quote Encoding
Double Quote Encoding
Single Quote & Double Quote Encoding
Double Quote Encoding
Single Quote Encoding
Single Quote & Double Quote Encoding
Double Quote Encoding
Single Quote Encoding
Single Quote & Double Quote Encoding
Single Quote & Double Quote Encoding
Single Quote Encoding
Double Quote Encoding
Single Quote & Double Quote Encoding
Single Quote Encoding
Single Quote & Double Quote Encoding
Single Quote Encoding
Double Quote Encoding
Single Quote & Double Quote Encoding
Single Quote Encoding
Single Quote & Double Quote Encoding
Angle Brackets Encoding
Angle Brackets Encoding
Angle Brackets Encoding
Barrier 3 Barrier 4 Vulnerable
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Simple RFI Signature Validation/Removal (http) Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Sample Payload
Reflected Cross Site Scripting Test Cases - False Positives
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Output Context
HTML Tag Property (.Net Classic Case)
HTML Tag Property
HTML Tag Property
HTML Tag Property
HTTP Response Header
HTML Tag Property (Text Only)
HTML Body
Vulnerable Location Barrier 1
Y Double Quote Encoding
Y Single Quote Encoding
Y Double Quote Encoding
Y Single Quote Encoding
Y CRLF Removal / Encoding / Validation
Y Angle Brackets Encoding
Y Angle Brackets Encoding
Barrier 2
CRLF Removal
CRLF Removal
Angle Brackets Encoding
Angle Brackets Encoding
Single Quote & Double Quote Encoding
Barrier 3 Barrier 4 Vulnerable
N
N
Equality Sign Encoding N
Equality Sign Encoding N
N
N
Sample Payload
SQL Injection Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
9 User Input Parameter
10 User Input Parameter
11 User Input Parameter
12 User Input Parameter
13 User Input Parameter
14 User Input Parameter
15 User Input Parameter
16 User Input Parameter
17 User Input Parameter
18 User Input Parameter
19 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL Injection in ORDER BY clause covers similar cases of GROUP BY and HAVING clauses.
Case Description
Login Page - String Parameters (2) - Login Bypass - Erroneous 500 Response
Search Page - String Parameter - Union Exploit - Erroneous 500 Response
Calc Page - String Parameter - Boolean Exploit - Erroneous 500 Response
Update Page - String Parameter - SQL Command Injection - Erroneous 500 Response
Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Erroneous 500 Respon
View Page - Numeric Parameter - Permission Bypass - Erroneous 500 Response
Search Page - Numeric Parameter - Union Exploit - Erroneous 500 Response
Calc Page - Numeric Parameter - Boolean Exploit - Erroneous 500 Response
Update Page - Numeric Parameter - SQL Command Injection - Erroneous 500 Response
Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Erroneous 500 Response
View Page - Date Parameter - Permission Bypass - Erroneous 500 Response
Search Page - Date Parameter - Union Exploit - Erroneous 500 Response
Calc Page - Date Parameter - Boolean Exploit - Erroneous 500 Response
Update Page - Date Parameter - SQL Command Injection - Erroneous 500 Response
Search Page - Date Parameter Without Quotes - Union Exploit - Erroneous 500 Response
View Page - Numeric Parameter Without Quotes - Permission Bypass - Erroneous 500 Response
Search Page - Numeric Parameter Without Quotes - Union Exploit - Erroneous 500 Response
Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Erroneous 500 Response
Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Erroneous 500 R
Vulnerable Location SQL Statement Context
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (SET Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Barrier 1
Injection into an Order By clause
Injection into an Order By clause
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Barrier 2
Semicolon Validation
Semicolon Validation
Injection Into Date Field Without Quotes
Semicolon Validation
Barrier 3 Barrier 4 Vulnerable
Y
Y
Y
Y
Y
Y
Y
Y
Y
Single & Double Quote Validation Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Sample Payload
SQL Injection Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
9 User Input Parameter
10 User Input Parameter
11 User Input Parameter
12 User Input Parameter
13 User Input Parameter
14 User Input Parameter
15 User Input Parameter
16 User Input Parameter
17 User Input Parameter
18 User Input Parameter
19 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL Injection in ORDER BY clause covers similar cases of GROUP BY and HAVING clauses.
Case Description
Login Page - String Parameters (2) - Login Bypass - Erroneous 200 Response
Search Page - String Parameter - Union Exploit - Erroneous 200 Response
Calc Page - String Parameter - Boolean Exploit - Erroneous 200 Response
Update Page - String Parameter - SQL Command Injection - Erroneous 200 Response
Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Erroneous 200 Respon
View Page - Numeric Parameter - Permission Bypass - Erroneous 200 Response
Search Page - Numeric Parameter - Union Exploit - Erroneous 200 Response
Calc Page - Numeric Parameter - Boolean Exploit - Erroneous 200 Response
Update Page - Numeric Parameter - SQL Command Injection - Erroneous 200 Response
Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Erroneous 200 Response
View Page - Date Parameter - Permission Bypass - Erroneous 200 Response
Search Page - Date Parameter - Union Exploit - Erroneous 200 Response
Calc Page - Date Parameter - Boolean Exploit - Erroneous 200 Response
Update Page - Date Parameter - SQL Command Injection - Erroneous 200 Response
Search Page - Date Parameter Without Quotes - Union Exploit - Erroneous 200 Response
View Page - Numeric Parameter Without Quotes - Permission Bypass - Erroneous 200 Response
Search Page - Numeric Parameter Without Quotes - Union Exploit - Erroneous 200 Response
Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Erroneous 200 Response
Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Erroneous 200 R
Vulnerable Location SQL Statement Context
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (SET Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Barrier 1
Injection into an Order By clause
Injection into an Order By clause
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Barrier 2
Semicolon Validation
Semicolon Validation
Injection Into Date Field Without Quotes
Semicolon Validation
Barrier 3 Barrier 4 Vulnerable
Y
Y
Y
Y
Y
Y
Y
Y
Y
Single & Double Quote Validation Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Sample Payload
SQL Injection Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
9 User Input Parameter
10 User Input Parameter
11 User Input Parameter
12 User Input Parameter
13 User Input Parameter
14 User Input Parameter
15 User Input Parameter
16 User Input Parameter
17 User Input Parameter
18 User Input Parameter
19 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL Injection in ORDER BY clause covers similar cases of GROUP BY and HAVING clauses.
Case Description
Login Page - String Parameters (2) - Login Bypass - Different Valid 200 Responses
Search Page - String Parameter - Union Exploit - Different Valid 200 Responses
Calc Page - String Parameter - Boolean Exploit - Different Valid 200 Responses
Update Page - String Parameter - SQL Command Injection - Different Valid 200 Responses
Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Different Valid 200 Re
View Page - Numeric Parameter - Permission Bypass - Different Valid 200 Responses
Search Page - Numeric Parameter - Union Exploit - Different Valid 200 Responses
Calc Page - Numeric Parameter - Boolean Exploit - Different Valid 200 Responses
Update Page - Numeric Parameter - SQL Command Injection - Different Valid 200 Responses
Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Different Valid 200 Respon
View Page - Date Parameter - Permission Bypass - Different Valid 200 Responses
Search Page - Date Parameter - Union Exploit - Different Valid 200 Responses
Calc Page - Date Parameter - Boolean Exploit - Different Valid 200 Responses
Update Page - Date Parameter - SQL Command Injection - Different Valid 200 Responses
Search Page - Date Parameter Without Quotes - Union Exploit - Different Valid 200 Responses
View Page - Numeric Parameter Without Quotes - Permission Bypass - Different Valid 200 Resp
Search Page - Numeric Parameter Without Quotes - Union Exploit - Different Valid 200 Respons
Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Different Valid 200 Respons
Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Different Valid 2
Vulnerable Location SQL Statement Context
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (SET Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (ORDER BY Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y SELECT (WHERE Clause)
Y UPDATE (WHERE Clause)
Barrier 1
Injection into an Order By clause
Injection into an Order By clause
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Single Quote & Double Quote Input Validation
Barrier 2
Semicolon Validation
Semicolon Validation
Injection Into Date Field Without Quotes
Semicolon Validation
Barrier 3 Barrier 4 Vulnerable
Y
Y
Y
Y
Y
Y
Y
Y
Y
Single & Double Quote Validation Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Sample Payload
SQL Injection Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
Payload Origin: GET Input Parameter, POST Input Parameter
Output Context
View Page - Numeric Parameter - Blind - 200 Valid & Default Value on Exceptions
View Page - String Parameter - Blind - 200 Valid & Default Value on Exceptions
View Page - Date Parameter - Blind - 200 Valid & Default Value on Exceptions
Time Based Exploit - String - No Response Differentiation
Time Based Exploit - Number - No Response Differentiation
Time Based Exploit - Date - No Response Differentiation
Time Based Exploit - Number Without Quotes - No Response Differentiation
Time Based Exploit - Date Without Quotes - No Response Differentiation
Vulnerable Location SQL Statement Cont Barrier 1
Y
Y
Y
Y
Y
Y
Y Quote Validation
Y Quote Validation
Barrier 2
Barrier 3 Barrier 4 Vulnerable
Y
Y
Y
Y
Y
Y
Sample Payload
SQL Injection Test Cases - False Positive Test Cases
Payload Origin
1 User Input Parameter
2 User Input Parameter
3 User Input Parameter
4 User Input Parameter
5 User Input Parameter
6 User Input Parameter
7 User Input Parameter
8 User Input Parameter
9 User Input Parameter
10 User Input Parameter
Payload Origin: GET Input Parameter
Case Description
Login Page - Prepared Statements and Input Validation - Throws 500 Exception On Validation F
Login Page - Prepared Statements and Input Validation - Throws 500 SQL Exception On Validat
Login Page - Prepared Statements and Input Validation - Throws 200 Exception On Validation F
Login Page - Prepared Statements and Input Validation - Throws 200 SQL Exception On Validat
Login Page - Prepared Statements and Input Validation - Presents a Different 200 Validation Fa
Honey pot - Fake SQL Error Message Without SQL In the Code
Login Page - Prepared Statements and Input Validation - Throws 500 Exception Due to Unrelat
Login Page - Prepared Statements and Input Validation - Throws 200 Exception Due to Unrelat
Update Page - Prepared Statements - Response Unaffected By Valid Input and Affected By Inva
Update Page - Prepared Statements - All Responses Are Unaffected By Input
Vulnerable Location SQL Statement Context
N SELECT (WHERE Clause)
N SELECT (WHERE Clause)
N SELECT (WHERE Clause)
N SELECT (WHERE Clause)
N UPDATE (WHERE Clause)
N None
N SELECT (WHERE Clause)
N UPDATE (WHERE Clause)
N UPDATE (WHERE Clause)
N
Barrier 1
Prepared Statements
Prepared Statements
Prepared Statements
Prepared Statements
Prepared Statements
Honey Pot (No SQL)
Prepared Statements
Prepared Statements
Prepared Statements
Prepared Statements
Barrier 2
Quotes, Comments and Semicolon Validation
Quotes, Comments and Semicolon Validation
Quotes, Comments and Semicolon Validation
Quotes, Comments and Semicolon Validation
Quotes, Comments and Semicolon Validation
Implementation Flaw Causes Exception
Implementation Flaw Causes Exception
Quotes and Semicolon Validation
Barrier 3 Barrier 4
False Positive Potential Sample Trigger
Y '
Y '
Y '
Y '
Y '
Y '
Y '
Y '
Y Any Input
Y Any Input