Lecture 5 Web Hacking 1: Client bypass, Tampering, Brute Forcing
What is Burpsuite?
Burp Suite is a tool for testing web application security and one of the most widely used hacking tools. It provides an intercepting proxy server and several modules for intelligently altering web traffic. For example, any request can be edited at the byte level and resent with the Repeater module. Any client-side validation can be bypassed with Burp.
What is a Content Management System?
A CMS is designed to make creating and modifying the content of web pages easy. CMS features include web-based publishing, format management, edit history and version control, indexing, search, and retrieval. A typical CMS is WordPress. If a vulnerability appears in a CMS, millions of websites can suddenly become vulnerable.
What are some input filtering options?
Form elements with restrictions (maximum input length, restriction of special characters, only certain characters allowed, predefined input options such as radio buttons or combo boxes) and JavaScript filtering (the JavaScript runs on the client side, so more complex validation can be done there).
What is HTTP Response Splitting?
Here the attacker manipulates the request header. He can insert a fake body alongside the real body, so the web server thinks it is two requests and caches both. Through this, you might be able to manipulate the web server's responses.
What is Tamper data?
Tamper Data is a Firefox add-on that shows all packets passing through the browser together with their details. It can also modify the content. Its main function is to view and modify the HTTP/HTTPS headers and POST data.
What are some ways of attacking a webpage?
The client, using a browser, receives many files, such as HTML, JS and CSS. If we mislead the user and send some fake data, we might be able to play tricks on the web server, e.g. execute some JavaScript file. On the server side, an operating system is running. One computer can run several services, and if, for example, an FTP server has anonymous login enabled, every service on that machine might get compromised. We have to secure everything, including the operating system. Without appropriate configuration and validation, the website can be compromised.
What is a web developer extension?
The Web Developer extension provides several features for modifying the client-side appearance of a page. It can modify form elements, disable JavaScript, remove validations, etc. Download the Web Developer extension, go to a website with a password field (masked with asterisks), and the extension will bypass the masking and show the password.
What is a security aspect of JavaScript?
What can JavaScript do with our browser? Dynamic pages, cookie handling. The question is: what is it that we cannot do with JavaScript? It cannot access local files because of sandboxing. From a security point of view, letting JavaScript do more than that is not a good idea.
What are the steps to comprising a server?
- First use it in a normal way
- Decide whether it is a simple static site or it has complex dynamic content
- Try to find unintended content (comments in source code)
- Try to find hidden content without links (factory default folders, user folders, configuration files); robots.txt contains search engine data
- Try to obtain as much info as possible (information disclosures)
- Force the site to error (invalid inputs) and see the result
What is Client side filtering?
Client-side filters should be used to improve the user experience. Server-side filters should be used to improve security. They often check the same things. The client-side check is done so a form doesn't have to be submitted before the user is notified that something isn't right. The server-side check is done to make sure a malicious user didn't bypass your client-side checks. Client-side input filtering is not input validation! Any data on the client side can be modified (it's my browser, I decide what data is sent out). Client-side filtering can be bypassed easily, which in practice means it adds no security.
What is Directory Brute-Force / dirb?
Different web servers use different default folders and default files. Dirb has collections of typical web-server-related folder and file names. Dirb brute-forces the folders and files using these dictionaries. Example: use dirb to find hidden content on http://193.225.218.118: dirb http://193.225.218.118 /usr/share/dirb/wordlists/big.txt
Why are default scripts dangerous, particularly cgi-bin/test-cgi?
On many web sites there exists a file called test-cgi (usually in the cgi-bin directory or somewhere similar). There is a problem with many of these test-cgi files. If your test-cgi file contains the following line (verbatim), then you are probably vulnerable: echo QUERY_STRING = $QUERY_STRING. All such lines should have the variables enclosed in double quotes ("). Without these quotes, certain special characters (specifically '*') get expanded by the shell where they shouldn't. Thus submitting a query of '*' returns the contents of the current directory (probably where all of the CGI files are, so other scripts such as jj and phf, and whatever holes they have, are revealed). Sending a query of '/*' lists the root directory, and so on.
What do you use the HTTP Put method for?
The PUT method was used to place and update website content before FTP. If it is enabled for a folder and the web server user has write permission on that folder, an attacker can take advantage of it and upload an arbitrary file. Nmap can be used to upload a script, i.e. put something onto the web server; afterwards the server has the uploaded script file. Example (the page's garbled command, repaired to Nmap's actual http-put script-args syntax): nmap -sT -p 8000 localhost --script http-put --script-args http-put.url='/b.php',http-put.file='a.txt'
What does Chrome Postman do?
Postman interceptor can set custom headers (including cookies) and view cookies already set on the domain.
What is the Robots.txt file?
Robots.txt is a file that has to be placed in the webroot folder. Search engine robots read the file and honour all the disallowed entries. On the other hand, it is an information disclosure: it also means that the listed entries exist.
Explain server side scripts
Server-side scripts are executed on the server. Many languages exist: PHP, Perl, Ruby, Java, ASP, etc. After execution, static HTML is generated and sent to the client. The server-side environment that runs a scripting language is the web server. A user's request is fulfilled by running a script directly on the web server to generate dynamic HTML pages, which are then sent to the client browser. It is usually used to provide interactive web sites that interface to databases or other data stores on the server. It can be dangerous without input validation.
How do you brute force HTTP with hydra?
As with the previously discussed protocols, the username (-l, or -L for a username file) and the password (-P for a password file) have to be provided. Unlike the previous cases, Hydra needs a keyword to identify negative answers (reverse matching), given after F= in the form string: hydra -l username -P passwordfile url.to.bf http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid"
With HTTP, what is in the request and response message?
The request contains the protocol version, the requested file, the HTTP method and the hostname, while the response contains the status of the answer, the data and the content type.
What is the webserver?
The web server is an application running under an OS. The user that runs the web server should have the least privileges. Never run a web server as root! The web server user has access to its own folder (the webroot, e.g. /var/www, c:/inetpub, etc.) and the logging directory.
What is the webserver configuration file?
The web server configuration file contains almost all the server settings. The server-side script settings (e.g. where the PHP binary is), the index file extensions (the order in which default pages are considered, e.g. 1. index.php, 2. index.htm) and the default error pages (e.g. the 404 File Not Found page) have to be placed inside the conf file.
What is a way to configure a webserver?
Use .htaccess. An .htaccess file is a way to configure the details of your website (per directory) without altering the server's main config files.