GWAPT
HTTP Status Codes
1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error.
Hybrid Web App PenTesting
A mix of manual and automated pen testing. Scanners are a starting point; manual verification follows up.
OWASP Top Ten
A1 Injection, A2 Broken Authentication and Session Management, A3 Cross-Site Scripting, A4 Insecure Direct Object Ref
Same Origin Policy
AJAX does not change the SOP. A script can only access data from the same host, protocol and port.
AJAX
AJAX enables Web 2.0, using XML to provide dynamic application functions.
Cookies
AKA session token. Sent to the browser by the server as part of the HTTP header and stored in the browser. Part of session tracking state.
Authentication Bypass
Accessing restricted content without authentication, due to a lack of authentication verification. Leads to privilege escalation.
Oauth 2.0
Adds token expiration and SSL communications to protect tokens. Only one token is sent in an API call. Less complex than 1.0. Bearer tokens.
Cross Site Request Forgery (CSRF)
An attacker can inject a transaction as a legitimate user because the site trusts the user. Takes advantage of an active session in the victim's browser.
Blind SQL Injection
Asks the database True/False questions. Harder for the attacker because the database does not display any error messages.
theHarvester
Automates the collection of e-mail addresses, IP addresses and domain names from search engines via screen scraping or API calls.
Client Authentication
Basic, Digest, Integrated Windows, Forms-Based, OAuth
HTTP/2 Protocol
Binary, Push Promise, Multiplexed, HPACK, Faster
Spidering
Can be automated or manual. A major piece of web app pentesting. Manual spidering is browsing to each page and using the File > Save As option.
HTML Comments
Can be included in the server response and are visible to the client. They can reveal functionality, issues, explanations, passwords and usernames.
Netcat
Can connect to a web server, retrieve pages and inspect server response data. The Server header might reveal the server's version.
Logic Attacks
The client controls code execution and the application processes the transaction incorrectly. Harder for automated tools to find.
Client Side Sessions
Client-side vs Server-side
AJAX Mashups
Combine two or more applications to provide a larger feature set. A popular feature. SOP causes issues; proxies remove the issue.
Default Web Pages
A common issue. They identify the server software. Documentation is left on servers; access it via IP instead of hostname. Use Nikto to find them.
Forms-based Authentication
Common on modern sites. Uses HTML forms integrated with normal web pages. Back-end authentication depends on the developer; uses LDAP or a DB.
Software Configuration
Configuration of the underlying server and network services is paramount to finding what features are available, request methods, etc.
HTTP Request CONNECT, PUT and DELETE
CONNECT creates an HTTP tunnel; used for proxies, SSL and WebSockets. PUT uploads data to the location specified by the URL. DELETE removes the resource specified by the URL. .htaccess.
Nmap
Connects to each port and looks for a banner. -sV performs version detection of the services found. -A performs both version scanning and OS identification.
Robots.txt
Controls spidering robots by disallowing access per User-Agent.
CEWL
Custom Word List Generator. Builds a unique wordlist based on the website.
MySQL
DB fingerprinting. SELECT @@version (check the response); string concatenation test 'De' 'nt'. ...schema_name FROM information_schema.schemata
Oracle
DB fingerprinting. SELECT @@version (check the response); string concatenation test 'De' || 'nt'. ...owner FROM all_tables; ...table_name FROM all_tables.
MSSQL
DB fingerprinting. SELECT @@version (check the response); string concatenation test 'De'+'nt'. ...name FROM sys.databases; ...name FROM sys.tables; ...FROM sys.colu
Dig
DNS client on *nix systems including OSX. Powerful. Example syntax: dig @[nameserver] sec542.org -t axfr (zone transfer)
NSLookup
DNS lookup for Windows. Limited functionality compared to dig.
Attacker's Perspective Forms-Based Authentication
Depends on the developer. Prone to SQLi and XSS. Capture the authentication token: session, cookie, others. Spoofing, phishing site.
JavaScript
Dynamic client-side scripting language, mainly used in websites. The most common client-side scripting language.
OpenSSL
Enables us to generate, sign, manage and validate certificates, as well as make SSL connections directly. It's the SSL Swiss army knife.
Qualys SSL Labs
Evaluates SSL configurations and assigns a letter grade.
IFRAMES
Used for exploiting CSRF. An iframe tag is created on a malicious page; the victim needs an active session in the browser. <iframe src='http.'></iframe>
Browsers
Extensibility, extensions, add-ons and no interference in security.
FOCA
Fingerprinting Organizations with Collected Archives. Free. FOCA can search for, download and analyze documents and produce metadata reports.
HTTP Request Example
GET request; User-Agent string; Host; Proxy; Cookie and Content-Length.
HTTP Methods: GET, POST, HEAD, TRACE, OPTIONS, CONNECT, PUT, DELETE
GET: client requests a web resource / POST: submits data to a web resource / HEAD: returns only the HTTP header / TRACE: echoes the request for diagnostics / OPTIONS: lists supported methods
Information Leakage
Good for recon. Exposes valid users, the type of SQL DB and its schema, OS versions, directory structure and current versions.
Heartbleed
OpenSSL bug named after the TLS heartbeat extension. Affects versions 1.0.1 through 1.0.1f. Allows remote reading of 64K chunks of RAM from the OpenSSL server.
AJAX Exploitation
Harder because client-side logic is dynamic. Tools need to parse the site, like ZAP's AJAX Spider.
Attacking CSRF
Image tag, iframe, CSS or JS import, and XMLHTTP. The attacker needs to get the victim to view the page while the victim has an active session.
Fingerprinting DB
Important to determine the DB backend. SELECT @@version (MySQL and MSSQL).
Maltego
Information mapping tool that finds relationships between people, sites and companies. Uses transforms to build the hierarchy of information.
Fiddler
Interception proxy for Windows. Free, and supports the Watcher and ViewStateViewer extensions.
AJAX API
JavaScript files, jQuery, MooTools, JSON.
Digest Authentication
Just like Basic Authentication, except it uses MD5 to send password hashes. Has a nonce as salt and a qop (quality of protection) flag.
File Injection (LFI/RFI)
LFI allows the attacker to read files from the server (information disclosure). RFI allows the attacker to retrieve files from a remote server (code execution).
AJAX Attack Surface
Larger than in normal applications because of business logic and large amounts of client-side code. Prone to XSS and SQL injection.
Command Injection
Less common. Allows us to input OS commands through the web app. Two types: local results and remote results.
JSON
Lightweight data interchange format. Used by AJAX and parsed on the client. The eval() function invokes JavaScript. Fast but complex.
Grey Box
Limited information at the beginning of the test: URLs, user accounts. The most common type of test.
Black Box
Little to no information provided to testers in advance; just the target company, IP address range and a URL. Not common in WAPT.
Attacker's Perspective of HTTP Digest Authentication
MITM attacks. Nonce predictability issues. Digest has no concept of account lockout or a maximum number of logins.
Integrated Windows Authentication
MS proprietary challenge-response protocol. NTLM or Kerberos passed over HTTP/S. Seen on intranets; requires AD domains.
Burp Suite
More than an interception proxy. It can analyze and inject traffic.
Reporting
The most important piece. Main components: Executive Summary, Introduction, Methodology, Findings and Conclusions.
Server Version
Netcraft is helpful in identifying the web server version passively.
Hidden Form Fields
Not displayed to the user, but the values are passed back to the server. <input type="hidden" name="username" value="c_smith">
NULL Parameter
Null is %00. It terminates the parameter. /etc/passwd%00
Attacker's Perspective of Oauth
OAuth 1.0 tokens never expire. Spoofing the site. Insecure storage of the key.
PHP
The PHP shell_exec() function can be used in scripts for nefarious purposes.
Attacker's Perspective of HTTP Basic Authentication
Plain-text sniffing. No logout functionality, account lockout or maximum number of logins.
Server Profiling
Part of the recon process. Identifying the server software and versions can help guide our attacks.
Attacker's Perspective of Windows Authentication
Perfect for CSRF; XSS is useful. Users are always logged on. Focus on client machines.
Nikto
Perl. Uses a DB to automatically look for vulnerable apps. Discovers default files on the server and matches favicon.ico against known icons.
Mash-ups
Popular feature in AJAX Web 2.0 sites. Combines two or more applications to provide a larger feature set. SOP can cause issues.
Attack Platform
Pre-built VMs such as Samurai WTF, Kali Linux (web metapackage) and the Security 542 Xubuntu.
Interception Proxies
Primary tool in a web pen tester's arsenal. Intercepting traffic between the application and the client is the main goal. Burp, ZAP and Fiddler.
Attacker's Perspective of Session State
A primary target in web apps, e.g. hijacking someone else's session. Burp can intercept the sessions and scripts can brute force them.
FuzzDB
Project that provides a series of attack strings; these can be fed into a tool like Burp Intruder to fuzz an application. Hosted on GitHub.
Penetration Testing Methodology
Proven (track record); Repeatable (developers can reproduce results); Explainable (understands the problems and fixes).
Document Object Model (DOM)
Provides a standard interface to the document and allows scripts to dynamically access and update content, structure or page style.
Directory Traversal /File Inclusion
Provides the ability to leave the web root directory structure. File include can read files within the web root. ../../etc or C:\Windows.
Attacker's Perspective HTTP
PUT, DELETE, CONNECT, TRACE. Prone to XSS attacks.
SQLMap
Python script with a low failure rate; comes with w3af. The most important tool for injection testing/exploitation.
BBQSQL
Python-based. Exploits blind SQL injection flaws. Performs binary and frequency search.
HTTP Basic Authentication
RFC 1945. Uses a realm for identification. Credentials are encoded in base64. The web server handles verification (.htaccess; IIS local account).
Recon-ng
Recon framework written in Python. Includes modules to interact with internet services to obtain information. Good for automation.
BeEF
Ruby-based Browser Exploitation Framework; payload delivery for XSS, with inter-protocol features.
Metasploit
Ruby-based. The most popular exploitation framework. It incorporates exploit modules and auxiliary modules.
SQL Commands
SELECT (common verb); INSERT (add data to a table); UPDATE (modify data); DELETE (delete data in a table); DROP (delete a table); UNION
HTTPS SSL/TLS
SSLv3 is bad; TLSv1.2 is good. Test with: nmap -p443 --script=ssl-enum-ciphers www.sec542.org
Automated Web App Pen testing
Fast scanning for vulnerabilities, but produces false positives.
Shodan
Search engine for IoT devices. Great for OSINT/recon.
Fuzzing
Sending random or pseudorandom strings via various inputs, using attack strings or wordlists such as ' or 1=1 --
Google Hacking
A source of queries for finding interesting information (Google Dorks). Database entries include searches for files containing passwords, applications and error messages.
HTTP Protocol
Stateless and unreliable. HTTP 1.1 added virtual host support, caching, proxies and compression. OPTIONS was added.
HTTP Response
Status code, Server header, server time and Content-Length.
SQL Injection
The flaw stems from allowing user-supplied input to be used in a dynamically built SQL query that is sent to the backend database.
Session Tracking
To track sessions you need a token, numeric ID, session ID or other information to be passed between client and server. The developer oversees it!
Cross Site Scripting (XSS)
Tricking the browser into executing code. The browser believes the code is part of the site and runs it in that context. The browser is the target!
DNS
UDP port 53 for payloads under 512 bytes; TCP port 53 for payloads over 512 bytes. 1,00 DNS TLDs.
Python
Used for both web apps and client programs. Used within a web application.
Side Channel Attacks
Uses physical attributes to break a system: EMI, heat, sound, time. Monitoring CPU utilization can indicate CPU load during encryption.
Mutillidae
Vulnerable web app that runs on LAMP/XAMPP.
HTML Injection
When a user is able to control an input point and inject arbitrary HTML code into the vulnerable web page. <h1>Alert!</h1>
Google Search Engine Directives
site:www.sans.org; inurl:"Admin login"; link:sans.org; ext:xls