Vulnerability Test Cases

  • 8/2/2019 Vulnerability Test Cases

    Reflected Cross Site Scripting Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    9 User Input Parameter

    10 User Input Parameter

    11 User Input Parameter

    12 User Input Parameter

    13 User Input Parameter

    14 User Input Parameter

    15 User Input Parameter

    16 User Input Parameter

    17 User Input Parameter

    18 User Input Parameter

    19 User Input Parameter

    20 User Input Parameter

    21 User Input Parameter

    22 User Input Parameter

    23 User Input Parameter

    24 User Input Parameter

    25 User Input Parameter

    26 User Input Parameter

    27 User Input Parameter

    28 User Input Parameter

    29 User Input Parameter

    30 User Input Parameter

    31 User Input Parameter

    32 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Output Context

    HTML Page

    HTML Page - Tag Scope

    HTML Tag Structure

    HTML Comment

    HTML Page - FrameSet Scope

    HTML Tag Structure (Base)

    HTML Property (Double Quote Property Delimiter)

    HTML Property (Single Quote Property Delimiter)

    HTML Tag Structure (SRC Property RFI)

    HTML Tag Event (JS, Double Quote String Delimiter)

    HTML Tag Event (JS, Single Quote String Delimiter)

    HTML Tag Event (JS, Any Delimiter)

    HTML Tag Event (VBS, Double Quote String Delimiter)

    HTML Tag Event (VBS, Single Quote String Delimiter)

    HTML Tag Event (VBS, Any Delimiter)

    HTML Tag Property (Script Supporting)

    Javascript Context (Property, Double Quote String Delimiter)

    Javascript Context (Property, Single Quote String Delimiter)

    Javascript Context (Property, No String Delimiter)

    VBScript Context (Property, Double Quote String Delimiter)

    VBScript Context (Property, No String Delimiter)

    HTML Script Tag Scope (JS, Double Quote String Delimiter)

    HTML Script Tag Scope (JS, Single Quote String Delimiter)

    HTML Script Tag Scope (JS, Delimiter Free)

    HTML Script Tag Scope (VBS, Double Quote String Delimiter)

    HTML Script Tag Scope (VBS, Delimiter Free)

    HTML Script Tag Scope (JS, Single Line Comment)

    HTML Script Tag Scope (JS, Multi Line Comment)

    HTML Script Tag Scope (VBS)

    Multiple RXSS Vulnerabilities

    HTML Page Scope During an Exception

    HTTP Page (Viewstate Required)

    Vulnerable Location Barrier 1

    Y

    Y

    Y

    Y

    Y

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Y JS Comment 1 (//)

    Y JS Comment 2 (/**/)

    Y VBS Comment ('/Rem)

    Y Multiple Vulnerabilities

    Y Exception Scope Coverage Required

    Y Viewstate Required

    Barrier 2

    Single Quote Encoding

    Double Quote Encoding

    Single Quote & Double Quote Encoding

    Double Quote Encoding

    Single Quote Encoding

    Single Quote & Double Quote Encoding

    Double Quote Encoding

    Single Quote Encoding

    Single Quote & Double Quote Encoding

    Single Quote & Double Quote Encoding

    Single Quote Encoding

    Double Quote Encoding

    Single Quote & Double Quote Encoding

    Single Quote Encoding

    Single Quote & Double Quote Encoding

    Single Quote Encoding

    Double Quote Encoding

    Single Quote & Double Quote Encoding

    Single Quote Encoding

    Single Quote & Double Quote Encoding

    Angle Brackets Encoding

    Angle Brackets Encoding

    Angle Brackets Encoding

    Barrier 3 Barrier 4 Vulnerable

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Simple RFI Signature Validation/Removal (http) Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Sample Payload

    Reflected Cross Site Scripting Test Cases - False Positives

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Output Context

    HTML Tag Property (.Net Classic Case)

    HTML Tag Property

    HTML Tag Property

    HTML Tag Property

    HTTP Response Header

    HTML Tag Property (Text Only)

    HTML Body

    Vulnerable Location Barrier 1

    Y Double Quote Encoding

    Y Single Quote Encoding

    Y Double Quote Encoding

    Y Single Quote Encoding

    Y CRLF Removal / Encoding / Validation

    Y Angle Brackets Encoding

    Y Angle Brackets Encoding

    Barrier 2

    CRLF Removal

    CRLF Removal

    Angle Brackets Encoding

    Angle Brackets Encoding

    Single Quote & Double Quote Encoding

    Barrier 3 Barrier 4 Vulnerable

    N

    N

    Equality Sign Encoding N

    Equality Sign Encoding N

    N

    N

    Sample Payload

    SQL Injection Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    9 User Input Parameter

    10 User Input Parameter

    11 User Input Parameter

    12 User Input Parameter

    13 User Input Parameter

    14 User Input Parameter

    15 User Input Parameter

    16 User Input Parameter

    17 User Input Parameter

    18 User Input Parameter

    19 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL In[...]R BY clause covers similar cases of GROUP BY and HAVING clauses.

    Case Description

    Login Page - String Parameters (2) - Login Bypass - Erroneous 500 Response

    Search Page - String Parameter - Union Exploit - Erroneous 500 Response

    Calc Page - String Parameter - Boolean Exploit - Erroneous 500 Response

    Update Page - String Parameter - SQL Command Injection - Erroneous 500 Response

    Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Erroneous 500 Respon

    View Page - Numeric Parameter - Permission Bypass - Erroneous 500 Response

    Search Page - Numeric Parameter - Union Exploit - Erroneous 500 Response

    Calc Page - Numeric Parameter - Boolean Exploit - Erroneous 500 Response

    Update Page - Numeric Parameter - SQL Command Injection - Erroneous 500 Response

    Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Erroneous 500 Response

    View Page - Date Parameter - Permission Bypass - Erroneous 500 Response

    Search Page - Date Parameter - Union Exploit - Erroneous 500 Response

    Calc Page - Date Parameter - Boolean Exploit - Erroneous 500 Response

    Update Page - Date Parameter - SQL Command Injection - Erroneous 500 Response

    Search Page - Date Parameter Without Quotes - Union Exploit - Erroneous 500 Response

    View Page - Numeric Parameter Without Quotes - Permission Bypass - Erroneous 500 Response

    Search Page - Numeric Parameter Without Quotes - Union Exploit - Erroneous 500 Response

    Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Erroneous 500 Response

    Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Erroneous 500 R

    Vulnerable Location SQL Statement Context

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (SET Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Barrier 1

    Injection into an Order By clause

    Injection into an Order By clause

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Barrier 2

    Semicolon Validation

    Semicolon Validation

    Injection Into Date Field Without Quotes

    Semicolon Validation

    Barrier 3 Barrier 4 Vulnerable

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Single & Double Quote Validation Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Sample Payload

    SQL Injection Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    9 User Input Parameter

    10 User Input Parameter

    11 User Input Parameter

    12 User Input Parameter

    13 User Input Parameter

    14 User Input Parameter

    15 User Input Parameter

    16 User Input Parameter

    17 User Input Parameter

    18 User Input Parameter

    19 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL In[...]R BY clause covers similar cases of GROUP BY and HAVING clauses.

    Case Description

    Login Page - String Parameters (2) - Login Bypass - Erroneous 200 Response

    Search Page - String Parameter - Union Exploit - Erroneous 200 Response

    Calc Page - String Parameter - Boolean Exploit - Erroneous 200 Response

    Update Page - String Parameter - SQL Command Injection - Erroneous 200 Response

    Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Erroneous 200 Respon

    View Page - Numeric Parameter - Permission Bypass - Erroneous 200 Response

    Search Page - Numeric Parameter - Union Exploit - Erroneous 200 Response

    Calc Page - Numeric Parameter - Boolean Exploit - Erroneous 200 Response

    Update Page - Numeric Parameter - SQL Command Injection - Erroneous 200 Response

    Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Erroneous 200 Response

    View Page - Date Parameter - Permission Bypass - Erroneous 200 Response

    Search Page - Date Parameter - Union Exploit - Erroneous 200 Response

    Calc Page - Date Parameter - Boolean Exploit - Erroneous 200 Response

    Update Page - Date Parameter - SQL Command Injection - Erroneous 200 Response

    Search Page - Date Parameter Without Quotes - Union Exploit - Erroneous 200 Response

    View Page - Numeric Parameter Without Quotes - Permission Bypass - Erroneous 200 Response

    Search Page - Numeric Parameter Without Quotes - Union Exploit - Erroneous 200 Response

    Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Erroneous 200 Response

    Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Erroneous 200 R

    Vulnerable Location SQL Statement Context

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (SET Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Barrier 1

    Injection into an Order By clause

    Injection into an Order By clause

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Barrier 2

    Semicolon Validation

    Semicolon Validation

    Injection Into Date Field Without Quotes

    Semicolon Validation

    Barrier 3 Barrier 4 Vulnerable

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Single & Double Quote Validation Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Sample Payload

    SQL Injection Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    9 User Input Parameter

    10 User Input Parameter

    11 User Input Parameter

    12 User Input Parameter

    13 User Input Parameter

    14 User Input Parameter

    15 User Input Parameter

    16 User Input Parameter

    17 User Input Parameter

    18 User Input Parameter

    19 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Assumptions: SQL Injection in UPDATE covers similar cases of INSERT and DELETE statements, while SQL In[...]R BY clause covers similar cases of GROUP BY and HAVING clauses.

    Case Description

    Login Page - String Parameters (2) - Login Bypass - Different Valid 200 Responses

    Search Page - String Parameter - Union Exploit - Different Valid 200 Responses

    Calc Page - String Parameter - Boolean Exploit - Different Valid 200 Responses

    Update Page - String Parameter - SQL Command Injection - Different Valid 200 Responses

    Search Page - String OR Int Parameter - Runtime Error Boolean Exploit - Different Valid 200 Re

    View Page - Numeric Parameter - Permission Bypass - Different Valid 200 Responses

    Search Page - Numeric Parameter - Union Exploit - Different Valid 200 Responses

    Calc Page - Numeric Parameter - Boolean Exploit - Different Valid 200 Responses

    Update Page - Numeric Parameter - SQL Command Injection - Different Valid 200 Responses

    Search Page - Numeric Parameter - Runtime Error Boolean Exploit - Different Valid 200 Respon

    View Page - Date Parameter - Permission Bypass - Different Valid 200 Responses

    Search Page - Date Parameter - Union Exploit - Different Valid 200 Responses

    Calc Page - Date Parameter - Boolean Exploit - Different Valid 200 Responses

    Update Page - Date Parameter - SQL Command Injection - Different Valid 200 Responses

    Search Page - Date Parameter Without Quotes - Union Exploit - Different Valid 200 Responses

    View Page - Numeric Parameter Without Quotes - Permission Bypass - Different Valid 200 Resp

    Search Page - Numeric Parameter Without Quotes - Union Exploit - Different Valid 200 Respons

    Calc Page - Numeric Parameter Without Quotes - Boolean Exploit - Different Valid 200 Respons

    Update Page - Numeric Parameter Without Quotes - SQL Command Injection - Different Valid 2

    Vulnerable Location SQL Statement Context

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (SET Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (ORDER BY Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y SELECT (WHERE Clause)

    Y UPDATE (WHERE Clause)

    Barrier 1

    Injection into an Order By clause

    Injection into an Order By clause

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Single Quote & Double Quote Input Validation

    Barrier 2

    Semicolon Validation

    Semicolon Validation

    Injection Into Date Field Without Quotes

    Semicolon Validation

    Barrier 3 Barrier 4 Vulnerable

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Single & Double Quote Validation Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Y

    Sample Payload

    SQL Injection Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    Payload Origin: GET Input Parameter, POST Input Parameter

    Output Context

    View Page - Numeric Parameter - Blind - 200 Valid & Default Value on Exceptions

    View Page - String Parameter - Blind - 200 Valid & Default Value on Exceptions

    View Page - Date Parameter - Blind - 200 Valid & Default Value on Exceptions

    Time Based Exploit - String - No Response Differentiation

    Time Based Exploit - Number - No Response Differentiation

    Time Based Exploit - Date - No Response Differentiation

    Time Based Exploit - Number Without Quotes - No Response Differentiation

    Time Based Exploit - Date Without Quotes - No Response Differentiation

    Vulnerable Location SQL Statement Cont Barrier 1

    Y

    Y

    Y

    Y

    Y

    Y

    Y Quote Validation

    Y Quote Validation

    Barrier 2

    Barrier 3 Barrier 4 Vulnerable

    Y

    Y

    Y

    Y

    Y

    Y

    Sample Payload

    SQL Injection Test Cases - False Positive Test Cases

    Payload Origin

    1 User Input Parameter

    2 User Input Parameter

    3 User Input Parameter

    4 User Input Parameter

    5 User Input Parameter

    6 User Input Parameter

    7 User Input Parameter

    8 User Input Parameter

    9 User Input Parameter

    10 User Input Parameter

    Payload Origin: GET Input Parameter

    Case Description

    Login Page - Prepared Statements and Input Validation - Throws 500 Exception On Validation F

    Login Page - Prepared Statements and Input Validation - Throws 500 SQL Exception On Validat

    Login Page - Prepared Statements and Input Validation - Throws 200 Exception On Validation F

    Login Page - Prepared Statements and Input Validation - Throws 200 SQL Exception On Validat

    Login Page - Prepared Statements and Input Validation - Presents a Different 200 Validation Fa

    Honey pot - Fake SQL Error Message Without SQL In the Code

    Login Page - Prepared Statements and Input Validation - Throws 500 Exception Due to Unrelat

    Login Page - Prepared Statements and Input Validation - Throws 200 Exception Due to Unrelat

    Update Page - Prepared Statements - Response Unaffected By Valid Input and Affected By Inva

    Update Page - Prepared Statements - All Responses Are Unaffected By Input

    Vulnerable Location SQL Statement Context

    N SELECT (WHERE Clause)

    N SELECT (WHERE Clause)

    N SELECT (WHERE Clause)

    N SELECT (WHERE Clause)

    N UPDATE (WHERE Clause)

    N None

    N SELECT (WHERE Clause)

    N UPDATE (WHERE Clause)

    N UPDATE (WHERE Clause)

    N

    Barrier 1

    Prepared Statements

    Prepared Statements

    Prepared Statements

    Prepared Statements

    Prepared Statements

    Honey Pot (No SQL)

    Prepared Statements

    Prepared Statements

    Prepared Statements

    Prepared Statements

    Barrier 2

    Quotes, Comments and Semicolon Validation

    Quotes, Comments and Semicolon Validation

    Quotes, Comments and Semicolon Validation

    Quotes, Comments and Semicolon Validation

    Quotes, Comments and Semicolon Validation

    Implementation Flaw Causes Exception

    Implementation Flaw Causes Exception

    Quotes and Semicolon Validation

    Barrier 3 Barrier 4

    False Positive Potential Sample Trigger

    Y '

    Y '

    Y '

    Y '

    Y '

    Y '

    Y '

    Y '

    Y Any Input

    Y Any Input