.Net Penetration Testing: Cheat Sheet

This article provides a cheat sheet for .Net Penetration Testing.

Having a cheat sheet is a perfect starting initiative to assist you with generating ideas during penetration testing. A test case cheat sheet list is often asked for security penetration testing but the problem with this approach is that security testers then tend to use only predefined test cases to determine the security of a specific implementation. But in reality there is no such predefined list that includes all the test cases needed to ensure your application is secure. Such test cases are only sufficient to kick-start the penetration testing process. This paper is designed to offer some common security penetration testing cases in order to grab a specific vulnerability in the existing mechanism.

Information Disclosure

An attacker usually observes and obtains an abundance of information that the programmer left inadvertently or the application discloses. This kind of attack is not given as much attention as others because programmers don't understand the mindset of the attacker, how exactly they will break the system.



An information disclosure attack is considered to be a very deadly attack because the attacker can either use the information to exploit the vulnerability directly or could use it against your application to exploit another loophole. It poses the following threats:

  • Disclose application files
  • Inspect contents and path of a file
  • Disclose information about a process and its allies
  • Information retrieval through monitoring
  • Inspect Metadata of an Assembly



COM and ActiveX Attacks

ActiveX controls are activated on the computer when the user browses a website and installed specific applications on the client machine such as Media player. They are considered to be a way to extend the functionality in the browser to accomplish actions that the browser can't accomplish through HTML alone. Hence, it is recommended to test COM components and ActiveX controls so that other websites can't utilize these controls in a malicious manner.



Hackers employ a couple of tactics to exploit ActiveX controls. Here, some of the tricks to examine ActiveX controls for at the time of testing is as the following:

  • Bypass Browser Security Setting
  • Server Redirection
  • Namespace and Behavior
  • Exception Handlers
  • Return Values



Managed Code Vulnerability

It is mandatory to include a managed code assembly into testing because they are always susceptible and could have some serious vulnerabilities in the form of SQL Injection, Buffer overflow and XSS. Despite being the latest version of the .NET Framework, many applications today are written using unmanaged code that run directly on the system that presents a huge threat because now the system has limited security protection from what happens when the application executes.



Attacker usually looks for these of vulnerability related to managed code assembly in order to penetration into application.

  • Look at unsafe blocks for buffer overflow attacks
  • Look for PermitOnly and Deny to Sandbox code
  • Examine broad Asserts
  • Look for a partially trusted caller
  • Examine Poor Exception handling



HTML Script Injection Attacks

HTML is not only rendering codes on web pages but also assist hackers in exploiting that code. Attackers plant malicious script in a way that a programmer normally couldn't. HTML scripting attacks are done using cross-site scripting (client-side) or persisted XSS (script injection).



An XSS attack enables the hackers to do the following operations to access sensitive data and other information that is normally not exposed:

  • Object Model Access
  • Cookies Access
  • Zone Elevation
  • User Data Access

Spoofing Attack

Targeting the application covertly on behalf of the third person identity and keeping their own identity safe is a spoofing attack. As a result, spoofing can cause a decision made by the user to be based on fake information. Hackers fool programs into trusting incorrect information to present information to a user through a program GUI in a misleading and deceptive manner.



A Social Engineering attack plays a significant role for execution of a spoofing attack, that is also an ability to gain private information by misleading the target. Here, the following attacks are considered to be spoofing:

  • Caller ID Spoofing
  • URL Redirection
  • Mail Spoofing
  • Reformatting using control characters
  • IP Address spoofing

Format String Attack

In C/C++ or the C# language format specifiers such %d, %f and %s determine the output on the console through printf methods. So the goal of format string testing is to try to inject malicious input into the format specifiers of certain method calls.



XML Injection Attack

XML is a universal data format that is understood and shared by nearly all platforms. Applications can use an XML file to send data across the wire to an XML parser. The application then accesses the parsed version of the data. In case of not being parsed properly, the application won't be able to access the input. Hence, the input is parsed first before it is sent but that input might find security issues in the application consuming the XML.



Here is a partial list of attacks that happen due to a vulnerability in an XML data source file:

  • Directory traversal
  • Buffer overflow
  • Format String
  • HTML scripting
  • GUI spoofing

DOS Attack

The objective of Denial of Services (DOS) or Distributed DOS (DDOS) is to prevent a system or user from accessing resources. A huge amount of traffic is redirected toward the server that eventually the result is a resource is down or out of service.



Canonicalization Attacks

An attacker can supply data in the form of 2 different encoding schemes, characters and/or delimiters in an attempt to cause the data to be interpreted incorrectly and drive the application to make certain decisions based on those values in the Canonicalization Attack.



Buffer-Overflow Attack

Buffer Overflow is caused when an input is larger than the space allocated for it that is outside the allocated location and not handled by the program memory that eventually leads to a program crash. Buffer Overflow typically results in enabling hackers to run whatever code they want to take control of the target computer.



The overflow occurs when the program receives more data than it expects. That is a much different kind of attack as in the following;

  • Integer Overflow
  • Stack Overflow
  • Format String Attack
  • Heap Overrun



Code Disassembling

Hackers and Penetration Testers typically manipulate .NET managed assemblies through disassembling in which the entire source code behind a DLL or EXE is retrieved in its original state. Malicious hackers can easily retain or reverse engineer the security restriction by examining the original source code. Code disassembling could be very beneficial in terms of identifying inherent bugs in applications.



Weak Permissions

Permissions limit who can access certain resources and what can be done to them in application security. If the website or application software isn't protected or managed by proper permission sets of ACL, they are susceptible to attack.



Securable objects are assets on a computer that a user can use. These objects can be used either directly or indirectly. The following are examples of securable objects that must be protected:

  • Directories, Registry and Files
  • Network Share
  • Process, Windows Services and Threads
  • Active Directory components
  • COM objects




SQL Injection Attack

A SQL injection attack permits a malicious hacker to execute commands in your website that is connected to a database. The attacker intent is to provide specially crafted data to the application that uses a database to alter the behavior of SQL commands the application intends to run. However, the attacker might be able to perform such covert operations over a website that has given high privileges or adequate safeguards to source code, to manipulate the database.



SQL vulnerabilities are extremely beneficial for hackers, regardless of the importance of the data in the database. Here, the following attacks are explaining that SQL injection leads and to which an attacker could be advantageous.

  • Executing Commands on a machine running a database
  • Tampering with data
  • Run SQL commands with elevated rights
  • Disclose Sensitive Information



Summary

This article has explained the common penetration case scenarios in the .NET Framework applications. We have discussed a couple of prominent vulnerabilities that are exploited by such scripting, spoofing, Reverse Engineering, Format string, Buffer Overflow, managed code and Canonicalization attacks as well as presenting corresponding attack tools. We have also gotten an understanding of what kind of damage could be done when exploited by these attacks. Hence, this article might be helpful for penetration testing professional to measure the security protection level in an application.