Chapter 6 Terms: Web-based Hacking


What is "SSI"?

"Server-side includes" are directives placed in HTML pages and evaluated on the server while pages are served.

Describe parameter tampering.

-- In parameter tampering, an attacker simply manipulates parameters within the URL string in order to modify data, such as PERMISSIONS and elevation of PRIVILEGES, PRICES, QUANTITY of goods, and CREDENTIALS. -- Parameter tampering can also occur on hidden fields in source code. The objective here is the same as "standard" parameter tampering, except it involves modifying source code instead of the URL.

List the four types of web SERVER attacks.

1) Directory traversal, 2) parameter tampering, 3) URL obfuscation, and 4) password attacks.

List the four key efforts when attacking a web application.

1) Identifying an entry point, 2) identifying a server-side function, 3) identifying a server-side technology, and 4) mapping your attack surface.

List the six-step web-based attack methodology.

1) Information gathering, 2) footprinting, 3) mirroring websites, 4) vulnerability scanning, 5) session hijacking, and 6) password cracking.

How is a web spider / crawler defined in a robots.txt file?

User-agent: name_of_crawler

Describe a directory traversal attack.

A directory traversal attack (AKA dot-dot-slash attack) is where an attacker attempts to access restricted directories and execute commands outside intended web server directories. Remember to look for %2e%2e%2f which is Unicode for "../".

What does an HTTP GET request do?

A method for returning data from a form that encodes the form data to the end of the URI. Uses up to 8 KB. Used when a web server is expected to pull.

What is a cookie?

A small text file that is stored on a host for use by the web browser for the next time a user logs in. Contains authentication details, site preferences, shopping cart contents, and session details.

What does an HTTP POST request do?

A somewhat more secure version of HTTP GET that does not display data in the URL or store it in logs on the server. Uses up to 2 GB. Pushes data directly.

What is "CGI"?

A standardized method for transferring information between a web server and an executable.

What is "heap"?

An area of memory directly "on top" of a program and IS NOT temporary (remains IN USE as the application is running).

Describe LDAP injection.

An attack that exploits applications that construct UNVALIDATED LDAP statements based on user input. (&(USER=root)(&)(PASSWORD=anything)) Pay special attention to the ampersand between username and password parameters!

What is a buffer overflow / smashing the stack?

An attacker attempts to write more data into an application's prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system/application.

What is an injection attack?

An injection attack is where an attacker inserts malicious commands into an input string. Objective is to pass exploit code to the server via poorly designed input validation.

Define a NOP sled.

Attack sends a large number of NOP instructions into the buffer, appending command code at the end.

Define a heap buffer overflow.

Attack takes advantage of the memory on top of the application, which is allocated at runtime. Objective is to overwrite function pointers. ATTACKS MEMORY IN USE.

Define shell injection.

Attacker attempts to gain shell access via Java or other functions.

Define command injection.

Attacker injects commands into the form field.

Define file injection.

Attacker inserts a POINTER in the web form input to an exploit hosted on a remote site.

Define a stack buffer overflow.

Attempts to change a function pointer to allow code execution.

What type of authentication does HTTP basic authentication use?

BASE64

Describe CGI.

CGI is a server-side function that runs arbitrarily with permission from the web server. CGI scripts run as owner and are dangerous if not checked.

What is tautology in terms of SQLi?

Describes the behavior of a system when determining whether a statement is true.

Describe how to map an attack surface BEFORE attacking a web-based application.

Determine what information is best suited to set up a specific attack vector.

List the three types of injection attacks.

File injection, command injection, and shell injection.

What's the difference between HTML and XML?

HTML displays data, XML transports and stores it.

What does HTTP POST do?

HTTP POST provides data for the server to work with. It is NOT stored in the browser history, saved in server logs or displayed in the URL. HTTP POST requests are safer than HTTP GET requests. Client-side idea.

Describe how to identify a server-side function and technology when attacking a web-based application.

Identifying a server-side function and technology on a web application involves footprinting and fingerprinting. A good option here is to mirror the website, analyze it offline, and then determine the most effective way to penetrate the website online.

Describe how to identify an entry point when attacking a web-based application.

Identifying a web-based application entry point consists of fields asking for input, examining cookies, headers, POST data, and encoding and encryption measures. WebScarab, HttPrint, and Burp Suite are applications designed to help here.

http://192.165.1.100/";!--"<XSS SCRIPT>=&{()}

Indicator of an XSS attempt.

What is a canary word?

Known value placed between the buffer and control data. If buffer overflow occurs, canary word is altered first, triggering a halt to the system.

At what layer of the OSI model does cookie authentication occur?

Layer 7, application.

What should be done to secure web servers? (Name four).

Lock down remote administration, eliminate unnecessary services, change default passwords, and modify banner statements (if applicable).

What is a union query?

Makes use of the UNION command to return the union of a target database with a database that has been crafted to steal data from.

What is the most common vulnerability on web servers?

Misconfigurations.

Apache configuration comes down to what?

Modules within special files. Ex: httpd.conf sets server status.

Which attack advances an instruction pointer to a known memory area?

NOP sled.

Describe parameter tampering within the context of a web site's source code.

Parameter tampering within a web site's source code involves modifying hidden fields to change prices and quantity, saving the source code, and then opening it in a browser.

Describe password attacks within the context of web-based hacking.

Password attacks occur on web-based hacking through the use of tools such as Metasploit, THC-Hydra, and Brutus. Brute forcing passwords over HTTP is a key concept here.

IIS configuration comes down to what?

Privileges. IIS spawns all shells as LOCAL_SYSTEM.

What does HTTP GET do?

Requests headers and metadata (same as HTTP HEAD) except it also returns body information to display in the browser. HTTP GET requests add the requested data into the URL. Client-side idea.

What does HTTP HEAD do?

Requests headers and metadata.

What other attack closely resembles LDAP injection?

SOAP (Simple Object Access Protocol) injection. SOAP is designed to exchange structured information in web services on networks and uses XML to format information.

Which attack(s) rely on unvalidated input?

SQLi and XSS.

('1'='1--

SQLi attempt.

What is a single quote indicative of?

SQLi attempt.

command'or 1=1--

SQLi attempt.

http://www.example.com/?login='OR 1=1--

SQLi attempt.

root '-- or root ' /*

SQLi attempt.

Describe SQLi.

SQLi is where an attacker injects SQL queries directly into an unvalidated input form and attempts to execute commands such as DROP, INSERT, UPDATE, SELECT, and more.

' or 1=1 --

SQLi.

What vulnerability is identified when an error is not displayed but the web page appears to be displayed differently?

SQLi.

How are robots.txt files read?

Same as an ACL on a firewall, from the top down.

Describe some ways to protect against SQLi.

Security-minded database design, using tools like Snort to monitor for SQLi attempts, and input validation.

What is "SOA"?

Service-oriented architecture is a software design idea that is based on specific pieces of software providing functionality as services between applications. *** SOA programmers make extensive use of XML. ***

Describe shell / command injection.

Shell / command injection is an attempt to gain shell access through the use of Java or other functions. It's also used to elevate privileges.

List the three types of buffer overflows.

Stack, heap, and NOP sled.

How else can XSS be used?

Steal users' cookies, upload malicious code to users connected to the server (stored XSS), and send pop-up messages to users.

if (i >= 100) then exit(1)

Stops input after 100 characters.

Describe a heap buffer attack.

Takes advantage of memory space set aside for the program itself.

What is error-based SQLi?

The opposite of blind SQLi. Considered an enumeration technique to reveal errors and information about a database.

Describe URL obfuscation.

URL obfuscation can be used to bypass basic ACLs. To get around ACLs, simply change the IP address of the victim to its binary equivalent. Ex: 200.58.77.66 equals 3359264066 in binary.

What is a TCP wrapper?

Used to control network access to TCP services.

In what case is a cookie authentication able to be replayed?

When a single key is used in encryption.

What is blind SQLi?

When an attacker knows a database is susceptible to SQLi but the database returns no error message or confirmation.

Describe how cross-site scripting works.

XSS takes advantage of poor scripting on a vulnerable website input form by sending malicious strings via email to a victim in order for the victim to execute the code on the vulnerable website.

Which attack is "all about web design and dynamic content, passing client-side scripts into a web page viewed by other users"?

XSS.

Which web-based attack allows you to DoS, steal cookies, upload malcode, and send pop-ups?

XSS.

What is the "gets()" function vulnerable to?

gets() is vulnerable to buffer overflows because it does not check for buffer overruns. *** Largely replaced by fgets(). ***

Which configuration file in Apache allows you to control which items do and do not get loaded?

httpd.conf

Which configuration file in Apache allows you to set items such as disabling file extensions?

mod_negotiation
