GWAPT


HTTP Status Codes

1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error.

Hybrid Web App PenTesting

A mix of manual and automated pen testing. Scanners are a starting point; manual verification follows up.

OWASP Top Ten

A1 Injection, A2 Broken Authentication and Session Management, A3 Cross-Site Scripting, A4 Insecure Direct Object Reference.

Same Origin Policy

AJAX does not change the SOP. Scripts can only access data from the same host, protocol and port.

AJAX

AJAX enables Web 2.0, using XML to provide dynamic application functions.
</gre_replace>
<gr_replace lines="27" cat="clarify" orig="AKA">
AKA session token. Sent to the browser by the server as part of the HTTP header. Stored in the browser. Part of session tracking state.

Cookies

AKA Session Token. Sent to the Browser by the Server. Part of the HTTP Header. Stored in Browser.Part of Session Tracking state.

Authentication Bypass

Accessing restricted content without authentication, due to a lack of authentication verification. Leads to privilege escalation.

Oauth 2.0

Adds token expiration and SSL communications to protect tokens. Only one token is sent in an API call. Less complex than 1.0. Uses bearer tokens.

Cross Site Request Forgery (CSRF)

An attacker can inject a transaction as a legitimate user. The site trusts the user. Takes advantage of an active session the browser has.

Blind SQL Injection

Asks the database true/false questions. Harder for the attacker because the database does not display any error messages.

the Harvester

Automates the collection of e-mail addresses, IP addresses and domain names from search engines by screen scraping or API calls.

Client Authentication

Basic, Digest, Integrated Windows, Forms-Based, OAuth.

HTTP/2 Protocol

Binary, push promise, multiplexed, HPACK, faster.

Spidering

Can be automated or manual. A major piece of web app pentesting. Manual spidering is browsing to each page and selecting the File > Save As option.

HTML Comments

Can be included in the server response and are visible to the client. They can reveal functionality, issues, explanations, passwords and usernames.

Netcat

Can connect to a web server, retrieve pages and inspect server response data. Headers might reveal the server's version.

Logic Attacks

The client controls code execution and the application processes the transaction incorrectly. Harder for automated tools to find.

Client Side Sessions

Client-side vs Server-side

AJAX Mashups

Combine 2 or more applications to provide a larger feature set. Popular feature. The SOP causes issues; proxies remove the issue.

Default Web Pages

Common issue. They identify the server software. Documentation is left on servers. Access it via IP instead of hostname. Use Nikto to find them.

Forms-based Authentication

Common on modern sites. Uses HTML forms integrated with normal web pages. Back-end authentication depends on the developer; uses LDAP or a DB.

Software Configuration

Configuration of the underlying server and network services is paramount to finding what features are available, request methods, etc.

HTTP Request CONNECT, PUT and DELETE

CONNECT creates an HTTP tunnel, used for proxies, SSL and WebSockets. PUT uploads data to the location specified by the URL. DELETE removes the resource specified by the URL (.htaccess).

Nmap

Connects to each port and looks for a banner. -sV performs version detection of the services found. -A performs both version scanning and OS identification.

Robots.txt

Controls spidering robots by disallowing access based on the User-Agent.

CEWL

Custom Word List Generator. Builds a unique wordlist based on the website.

MySQL

DB fingerprinting: SELECT @@version. Concatenation test: 'De' 'nt' (if the response is 'Dent', it is MySQL). Enumerate: SELECT schema_name FROM information_schema.schemata.

Oracle

DB fingerprinting: SELECT @@version. Concatenation test: 'De' || 'nt' (if the response is 'Dent', it is Oracle). Enumerate: SELECT owner FROM all_tables; SELECT table_name FROM all_tables.

MSSQL

DB fingerprinting: SELECT @@version. Concatenation test: 'De'+'nt' (if the response is 'Dent', it is MSSQL). Enumerate: SELECT name FROM sys.databases; SELECT name FROM sys.tables; ... FROM sys.colu

Dig

DNS client on *nix systems including OS X. Powerful. Example syntax: [email protected] sec542.org -t axfr (zone transfer).

NSLookup

DNS lookup for Windows. Limited functionality compared to dig.

Attacker's Perspective Forms-Based Authentication

Depends on the developer. Prone to SQLi and XSS. Capture the authentication token: session, cookie, others. Spoofing, phishing site.

JavaScript

Dynamic client-side scripting language. Mainly used in websites. The most common client-side scripting language.

OpenSSL

Enables us to generate, sign, manage and validate certificates, as well as make SSL connections directly. It's the SSL Swiss army knife.

Qualys SSL Labs

Evaluates SSL configurations and assigns a letter grade.

IFRAMES

Used for exploiting CSRF. An iframe tag is placed on a malicious page. The victim needs an active session in the browser. <iframe src='http...'></iframe>

Browsers

Extensibility: extensions and add-ons, with no interference in security.

FOCA

Fingerprinting Organizations with Collected Archives. Free. FOCA can search, download and analyze document metadata and produce reports.

HTTP Request Example

GET request; User-Agent string; Host; Proxy; Cookie; Content-Length.

HTTP Methods; GET, POST, HEAD, TRACE, OPTIONS, CONNECT, PUT, DELETE

GET - client request / POST - request a web resource / HEAD - returns the HTTP header / TRACE - echoes the request for diagnostics / OPTIONS - lists supported methods.

Information Leakage

Good for recon. Exposes valid users, the type of SQL DB and its schema, OS versions, directory structure and current versions.

Heartbleed

OpenSSL bug named after the TLS heartbeat extension. Affects versions 1.0.1 to 1.0.1f. Allows remote reading of 64K chunks of RAM from the OpenSSL server.

AJAX Exploitation

Harder because client-side logic is dynamic. Tools need to parse the site, like ZAP's AJAX Spider.

Attacking CSRF

Image tag, iframe, CSS or JS import, and XMLHttpRequest. The attacker needs to get the victim to view the page while the victim has an active session.

Fingerprinting DB

Important to determine the DB backend. SELECT @@version (MySQL and MSSQL).

Maltego

Information mapping tool that finds relationships between people, sites and companies. Uses transforms to build the hierarchy of information.

Fiddler

Interception proxy for Windows. Free and supports the Watcher and ViewStateViewer extensions.

AJAX API

JavaScript files, jQuery, MooTools, JSON.

Digest Authentication

Just like Basic Authentication, except it uses MD5 to send password hashes. Has a nonce as salt and a qop (quality of protection) flag.

File Injection (LFI/RFI)

LFI allows the attacker to read files from the server (information disclosure). RFI allows the attacker to retrieve files from a remote server (code execution).

AJAX Attack Surface

Larger than normal applications because of business logic and large amounts of client-side code. Prone to XSS and SQLi.

Command Injection

Less common. Allows us to input OS commands through the web app. 2 types: local results and remote results.

JSON

Lightweight data interchange format. Used by AJAX and parsed on the client. The eval() function invokes JavaScript. Fast but complex.

Grey Box

Limited info at the beginning of the test: URLs, user accounts. The most common type of test.

Black Box

Little to no info provided to testers in advance; just the target company, IP address range and a URL. Not common in WAPT.

Attacker's Perspective of HTTP Digest Authentication

MITM attacks. Nonce predictability issue. Digest has no concept of account lockout or a maximum number of logins.

Integrated Windows Authentication

MS proprietary. Challenge-response protocol. NTLM or Kerberos passed over HTTP/S. Seen in intranets and requires AD domains.

Burp Suite

More than an interception proxy. It can analyze and inject traffic.

Reporting

The most important piece. Main components: Executive Summary, Introduction, Methodology, Findings and Conclusions.

Server Version

Netcraft is helpful in identifying the web server version passively.

Hidden Form Fields

Not displayed to the user, but the values are passed back to the server. <input type="hidden" name="username" value="c_smith">

NULL Parameter

Null is %00. It terminates the parameter. /etc/passwd%00

Attacker's Perspective of Oauth

OAuth 1.0 tokens never expire. Spoofing the site. Insecure storage of the key.

PHP

The PHP shell_exec function can be used in scripts for nefarious purposes.

Attacker's Perspective of HTTP Basic Authentication

Plain text sniffing. No logout functionality, account lockout or maximum number of logins.

Server Profiling

Part of the recon process. Identifying the server software and versions can help guide our attacks.

Attacker's Perspective of Windows Authentication

Perfect for CSRF; XSS is useful. Users are always logged on. Focus on client machines.

Nikto

Written in Perl. Uses a DB to automatically look for vulnerable apps. Discovers default files on the server and compares favicon.ico to known icons.

Mash-ups

Popular feature in AJAX Web 2.0 sites. Combines 2 or more applications to provide a larger feature set. The SOP can cause issues.

Attack Platform

Pre-built VMs like Samurai WTF, the Kali Linux web metapackage and the Security 542 Xubuntu.

Interception Proxies

Primary tool in a web pen tester's arsenal. Interception between the application and the client is the main goal. Burp, ZAP and Fiddler.

Attacker's Perspective of Session State

A primary target for web apps, e.g. hijacking someone else's session. Burp can intercept sessions and scripts can brute force them.

FuzzDB

Project that provides a series of attack strings; these strings can be fed into a tool like Burp Intruder to fuzz an application. Hosted on GitHub.

Penetration Testing Methodology

Proven (track record); Repeatable (developers can reproduce results); Explainable (understands the problems and fixes).

Document Object Model (DOM)

Provides a standard interface to the document and allows scripts to dynamically access and update content, structure or page style.

Directory Traversal /File Inclusion

Provides the ability to leave the web root directory structure. File include can read files within the web root. ../../etc or C:\Windows.

Attacker's Perspective HTTP

PUT, DELETE, CONNECT, TRACE. Prone to XSS attacks.

SQLMap

Python script with a low failure rate; comes with w3af. The most important tool for injection testing/exploitation.

BBQSQL

Python-based. Exploits blind SQL injection flaws. Performs binary and frequency search.

HTTP Basic Authentication

RFC 1945. Uses a realm for identification. Credentials are encoded in base64. The web server handles verification (.htaccess; IIS local account).

Recon-ng

Recon framework written in Python. Includes modules that interact with internet services to obtain info. Good for automation.

BeEF

Ruby-based Browser Exploitation Framework; payload delivery for XSS, with inter-protocol features.

Metasploit

Ruby-based. The most popular exploitation framework. It incorporates exploit modules and auxiliary modules.

SQL Commands

SELECT (common verb); INSERT (add data to a table); UPDATE (modify data); DELETE (delete data in a table); DROP (delete a table); UNION.

HTTPS SSL/TLS

SSLv3 is bad. TLSv1.2 is good. Test with: nmap -p443 --script=ssl-enum-ciphers www.sec542.org

Automated Web App Pen testing

Scanning is fast at finding vulnerabilities but produces false positives.

Shodan

Search engine for IoT. Great for OSINT/recon.

Fuzzing

Sending random or pseudorandom strings via various inputs, such as attack strings or wordlists like ' or 1=1 --

Google Hacking

Source of queries to find interesting info (Google Dorks). Database entries include searches for files containing passwords, apps and errors.

HTTP Protocol

Stateless, unreliable. HTTP 1.1 added virtual host support, caching, proxies and compression. OPTIONS was added.

HTTP Response

Status code, Server, server time and Content-Length.

SQL Injection

The flaw stems from allowing user-supplied input to be used in a dynamically built SQL query that is sent to the backend database.

Session Tracking

To track sessions you need a token, numeric ID, session ID or other info to be passed between client and server. The developer oversees it!

Cross Site Scripting (XSS)

Tricking the browser into executing code. The browser believes the code is part of the site and runs it in that context. The browser is the target!

DNS

UDP port 53 for payloads <512 bytes, TCP port 53 for payloads >512 bytes. 1,00 DNS TLDs.

Python

Used for both web apps and client programs. Used within a web application.

Side Channel Attacks

Uses physical attributes to break a system: EMI, heat, sound, time. Monitoring CPU utilization can indicate CPU load during encryption.

Mutillidae

Vulnerable web app that runs on LAMP/XAMPP.

HTML Injection

When a user is able to control an input point and inject arbitrary HTML code into the vulnerable web page. <h1>Alert!</h1>

Google Search Engine Directives

site:www.sans.org; inurl:"Admin login"; link:sans.org; ext:xls
