Module 1.2: Mapping the application
What are attack surfaces of user input?
Client-side validation (may not be done on server side) - accespt/reject, sanitize Boundary checks Multiple validations, encoding schemes
What are some server-side functionality?
Dissecting requests Extrapolating application behavior (common code or design) Isolating unique application behaviour (added functionalities, bug fixes/patches)
What is the limit of web crawler/spider?
Does not always find everything - Dynamic content - Pre-compiled objects - Cannot evade the logout button and basic security measures
What is the 500 Internal Server Error meaning?
During content discovery, this usually indicates that the application expects certain parameters to be submited when requesting the resource/
What are attack surface of administrators?
Privileged functions to monitor and manage the web apps Trusted, usually less secure
What is the 401 Unauthorized or 403 Forbidden meaning?
This usually indicates that the requested resource exist but may not be accessed by any user, regardless of authentication status or priviledge level. It often occurs when directories are requested, and you may infer thant the directory exists.
Automated spiders can cause main website's being defaced in realtime while the spider was running
True
Effective discovery of hidden content requires a combianation of automated and manual techniques and often relies on a degree of luck
True
In some applications, running even a simple web spider that parses and request links can be extremely dangerous.
True
In user-directed spidering, any dangerous functionality, such as deleteUser.jsp, is fully enumerated and incorporated in to the proxy's site map, because links to it will be parsed out of the application's response.
True
In user-directed spidering, users can use discretion in deciding which functions to actually request or carry out.
True
What are attack surfaces of user access?
Authentication (login, multi-stage login) Session management Access control
What are some server-side technologies?
Banner grabbing HTTP fingerprinting File extensions Directory names Session tokens Third-party code
What is the banner grabbing?
Banner grabbing is the collection of information when port scanning or fuzzing to gain information such as software version.
What is the hidden contents?
Contents and functionalities are not directly linked to or reachable from the main visible content.
What is CRUD?
Create, read, update and delete are the 4 babic operations on databases.
What are common attacks of injection attack?
Database interaction (SQL injection) File upload/download (path traversel, stored XSS) User data display (XSS) Redirects (redirection/header injection) Social networks (enumerate user names, stored XSS)
Automatic spidering is always better than manual
False
A web server's responses include the following header: Server: Apache-Coyote/1.1 What does this indicate about the technologies in use on the server?
If the header is accurate, it indicates that the server is running Apache Tomcat. Tomcat is a Java Servlet Container, so the application probably uses Java and JSP technologies.
What is the 302 Found meaning?
If the redirect is to a login page, the resource may be accessible only by authenticated users. If the redirects is to an error message, this may indicate a different session. If it is to another location, the redirect may be part of the application's intended logic, and this should be investigated further.
What are attack surfaces of direct attack?
Injection attack Error handling Auditing and logging Alert systems Automated defence
What is the user-directed spidering?
Manually navigate the web app by a tool monitors all requests and responses to map the app using URLs from the browser. User can avoid problems with automated spiders by making sure all input are valid and re-active session if terminated. More complete indexing can be achived.
What is robots.txt file?
Many web server contain a file named robots.txt in the web root that contains a list of URLs that site does not want web spiders to visit or search engine to index. This file may contain some interesting information such as references to sensitive functionality.
What is the hidden parameters?
Parameters can be used but not published which is usually for testing/debugging or to access undisclosed areas of the web app. Manually add common parameter names and values
What is mapping the web application?
Reconnaissance and scanning: Gather and examine data on the web app Analyze attack surface by enumerate content and functionality, observe behavior, examine security mechanisms, Investigate technologies used
Except the Server header, where are the type and software may be disclosed?
Templates used to build HTML pages Custom HTTP headers URL query string parameters
While mapping an application, you encounter the following URL: https://wahh-app.com/public/profile/Address. asp?action=view&location=default What information can you infer about server-side technologies? What can you conjecture about other content and functionality that may exist?
The .asp file extension indicates that Microsoft's Active Server Pages are in use. The use of a /public path indicates that other interesting paths might exist, such as /private. The action=view parameter suggests that other actions may exist, such as edit, add or delete. The function of the location=default parameter should be investigated - this may contain a filename, and you should probe the application for path traversal vulnerabilities.
The application you are targeting implements web forum functionality. Here is the only URL you have discovered: http://wahh-app.com/forums/ucp.php?mode=register How might you obtain a listing of forum members?
The URL is a common fingerprint for the phpBB web forum software. Information about this software is readily available on the Internet, and you can perform your own installation to experiment on. A listing of members can be found at the following URL: http://wahh-app.com/forums/memberlist.php Individual user profiles can be found via URLs like the following: http://wahh-app.com/forums/profile.php?mode=viewprofile&u=2 Various vulnerabilities have been found in the phpBB software so you should confirm the version in use and research any associated problems.
What is the 400 Bad Reauest meaning?
The application may use a custom naming scheme for directories and files within URLs, which a particular request has not compiled with. More likely, however, is that the wordlist you are using contains some whitespace characters or other invalid syntax.
What are some key areas to investigate when analyzing the web application?
The application's core functionality Error messages, logs Redirects Security (session management, access control and authentication including support such as changing password or recovery) User input processing (URL, query strings, POST, data, cookies) Client technologies (forms, scripts, cookies, other components like applets or Flash) Server technologies (static and dynamic pages, SSL, web server software, database, email) Anything else that can give you info on internal structure
While mapping an application, you encounter the following URL: https://wahh-app.com/CookieAuth.dll?GetLogon?curl=Z2Fdefault. aspx What information can you deduce about the technologies employed on the server and how it is likely to behave?
The filename CookieAuth.dll indicates that Microsoft ISA server is being used. This is the URL for the login function, and after a successful login the application will redirect to the URL /default.aspx.
You are mapping two different web applications, and you request the URL /admin.cpf from each application. The response headers returned by each request are shown here. From these headers alone, what can you deduce about the presence of the requested resource within each application? HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Expires: Mon, 20 Jun 2011 14:59:21 GMT Content-Location: http://wahhapp.com/includes/error.htm?404;http://wahh-app.com/admin.cpf Date: Mon, 20 Jun 2011 14:59:21 GMT Content-Type: text/html Accept-Ranges: bytes Content-Length: 2117 HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 WWW-Authenticate: Basic realm="Wahh Administration Site" Content-Type: text/html;charset=utf-8 Content-Length: 954 Date: Mon, 20 Jun 2011 15:07:27 GMT Connection: close
The first response uses the HTTP status code 200, which normally indicates that the request was successful. However, the Content-Location header indicates the location from which the response was retrieved. This appears to be a dynamically generated error page, and includes the value 404 in its query string, indicating that the response contains a customized "file not found" message. The second response uses the HTTP status code 401, which suggests that the requested resource is present but that users must supply HTTP authentication credentials in order to access it. In each case, you could substantiate your conclusion by requesting a clearly non-existent item in the same directory with the same extension (for example, /iuwehuiwefuwedw.cpf) and comparing the responses. In the first application, you would expect to see a response very similar to the original. In the second application, you would expect to see a different response containing a "file not found" message.
Whar should be pay attention to when reviewing the HTTP requests?
URL file paths Parameters in the query string (after the ? marker) Parameters in the body of the request HTTP headers (especially user-agent, referal, accept, accept-language and host) Cookies Out-of-band channels (outside of the web app itself) such as retrieving data from another server or non-browser interfaces
What is web crawler/Spider?
Used to index (spider) the contents of a website - Find all link recursively - Submit HTML forms to trace through - Parse scripts to find URLs