- Web Server and Web Application Hacking
- Web 2.0: dynamic applications; have a larger attack surface due to simultaneous communication
- Internet Engineering Task Force (IETF): creating engineering documents to help make the Internet work better
- World Wide Web Consortium (W3C): a standards-developing community
- Open Web Application Security Project (OWASP): an organization focused on improving the security of software
- WebGoat: project maintained by OWASP which is an insecure web application meant to be tested
- A1 Injection Flaws: SQL, OS and LDAP injection
- A2 Broken Authentication and Session Management: functions related to authentication and session management that aren't implemented correctly
- A3 Sensitive Data Exposure: not properly protecting sensitive data (SSN, CC numbers, etc.)
- A4 XML External Entities (XXE): exploiting XML processors by uploading hostile content in an XML document
- A5 Broken Access Control: having improper controls on areas that should be protected
- A6 Security Misconfiguration: across all parts of the server and application
- A7 Cross-Site Scripting (XSS): taking untrusted data and sending it without input validation
- A8 Insecure Deserialization: improperly de-serializing data
- A9 Using Components with Known Vulnerabilities: libraries and frameworks that have known security holes
- A10 Insufficient Logging and Monitoring: not having enough logging to detect attacks
- Most Popular Servers: Apache, IIS and Nginx
- Apache runs configurations as a part of a module within special files (httpd.conf, etc.)
- IIS runs all applications in the context of LOCAL_SYSTEM
- IIS 5 had a ton of bugs - easy to get into
- N-Tier Architecture: distributing processes across multiple servers; normally as three-tier: Presentation (web), logic (application) and data (database)
- Error Reporting: should not be showing errors in production; easy to glean information
- HTML: markup language used to display web pages
- HTTP Request Methods
- GET: retrieving whatever information is in the URL; sending data is done in URL
- HEAD: identical to GET except no body is returned
- POST: sending data via body - data not shown in URL or in history
- PUT: requesting data be stored at the URL
- DELETE: requesting origin server delete resource
- TRACE: requesting application layer loopback of message
- CONNECT: reserved for use with proxy
- HTTP Error Messages
- 1xx: Informational: request received, continuing
- 2xx: Success: action received, understood and accepted
- 3xx: Redirection: further action must be taken
- 4xx: Client Error: request contains bad syntax or cannot be fulfilled
- 5xx: Server Error: server failed to fulfill an apparently valid request
Stack Layer | Service | Technology |
---|---|---|
7 | Custom Web Applications | Business Logic |
6 | Third Party Components | Open Source/Commercial |
5 | Web Server | Apache/MS IIS |
4 | Database | Oracle/MySQL/MS SQL |
3 | Operating System | Windows/Linux/OS X |
2 | Network | Router/Switch |
1 | Security | IPS/IDS |
- Information Gathering: Internet searches, whois, reviewing robots.txt
- Web Server Footprinting: banner grabbing
- nmap
- Detect vulnerable TRACE method:
nmap --script http-trace -p80 localhost
- List email addresses:
nmap --script http-google-email <target>
- Discover virtual hosts on the same IP address you're footprinting (* is an online DB such as IP2Hosts):
nmap --script hostmap-* <host>
- Enumerate common web apps:
nmap --script http-enum -p80 <target>
- Grab robots.txt:
nmap -p80 --script http-robots.txt <target>
- Find out what options are supported by an HTTP server:
nmap --script http-methods <target>
- Other tools
- Netcraft
- HTTPRecon
- ID Serve
- HTTPrint
- nmap
- Website Mirroring
- Bringing the site to your own machine to examine structure, etc.
- Tools
- Wget
- BlackWidow
- HTTrack
- WebCopier
- SurfOffline
- Vulnerability Scanning
- Scanning web server for vulnerabilities
- Tools
- Nessus
- Nikto: specifically suited for web servers; still very noisy like Nessus; scan files and vulnerable CGIs
- Session Hijacking
- Web Server Password Cracking
- Most often hacked because of inherent weaknesses built into the program
- First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
- Tools
- WebScarab: provided by OWASP
- Burp Suite
- httprint
- Cookies:
- Small text-based files stored on the client that contain information like preferences, session details or shopping cart contents
- Can be manipulated to change functionality (e.g. changing a cookie that says "ADMIN=no" to "yes")
- Sometimes, but rarely, can also contain passwords
- DNS Amplification: uses recursive DNS to DoS a target; amplifies DNS answers to target until it can't do anything
- Directory Traversal (../ or dot-dot-slash)
- Example:
http://www.example.com/../../../../etc/passwd
- File requested that should not be accessible from the web server
- Using encoded characters (URL/Unicode encoding) to possibly evade IDS: %2e for dot and %2f for slash
- Example: %2e%2e%2f is the encoded form of ../
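As an added defensive example (not from the original notes): a Python check that repeatedly decodes the %2e/%2f forms above, so double-encoded %252e is caught too, then flags any request path that would resolve outside the web root. WEB_ROOT and the sample paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; a real deployment would use its DocumentRoot.
WEB_ROOT = "/var/www/html"


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded %252e are both caught."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_traversal(raw_path: str) -> bool:
    """True if the (decoded, normalised) request path escapes WEB_ROOT."""
    decoded = decode_path(raw_path).replace("\\", "/")   # %5c -> backslash -> slash
    # Resolve "." and ".." segments against the web root, then check the prefix.
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    return not (resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/"))


# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/index.html",
    "/docs/../index.html",                                 # stays inside the root
    "/../../../../etc/passwd",                             # plain dot-dot-slash
    "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",             # %2e-encoded dots
    "/images/%252e%252e%252f%252e%252e%252fetc%252fpasswd",  # double-encoded
]


def flag_traversals(paths):
    """Return the request paths that should be blocked and logged."""
    return [p for p in paths if is_traversal(p)]
```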
- Parameter Tampering (URL Tampering): manipulating parameters within URL to achieve escalation or other changes
- Hidden Field Tampering: modifying hidden form fields producing unintended results
- Web Cache Poisoning: replacing the cache on a box with a malicious version of it
- Wfetch: Microsoft tool that allows you to craft HTTP requests to see response data
- Misconfiguration Attack: improper configuration of a web server
- Password Attack: attempting to crack passwords related to web resources
- Connection String Parameter Pollution: injection attack that uses semicolons to take advantage of databases that use this separation method
- Web Defacement: simply modifying a web page to say something else
- Shellshock
- Causes Bash to unintentionally execute commands when commands are concatenated onto the end of function definitions
- RCE via Apache CGI Script
- Tools
- Brutus: brute force web passwords of HTTP
- Hydra: network login cracker
- Metasploit
- Exploits hold the actual exploit
- Payload contains the arbitrary code if exploit is successful
- Auxiliary used for one-off actions (like a scan)
- NOPS used for buffer-overflow type operations
- Attacker injects a pointer in a web form to an exploit hosted elsewhere
- Attacker gains shell access using Java or similar
- LDAP Injection: attacker exploits applications that construct LDAP statements; format for LDAP injection includes )(&)
- Injecting query strings in order to bypass authentication
- Using XML to format information
- Messages are one way in nature
- SQL Injection: injecting SQL commands into input fields to produce output
- Double dash (--) tells the server to ignore the rest of the query:
' OR 1 = 1 --
basically tells the server "if 1 = 1" (always true)
- Basic test to see if SQL injection is possible is just inserting a single quote:
'
- In-band SQL injection: using the same communication channel to perform the attack
- Error-based SQL Injection: most commonly used; inserting bad input to get a database-level error message
- System stored procedure
- Illegal/logically incorrect query:
SELECT * FROM users WHERE name='bob"' AND password =
gets 'Unclosed quotation mark after string " AND password='xxx"'
- UNION SQL Injection: most commonly used; using the UNION clause to append a malicious query
- Tautology: using always-true statements to test SQL (e.g. 1=1)
- End of Line Comment: writing a line of code that ends in a comment (--):
SELECT * FROM users WHERE name='admin'--' AND password = 'password'
- Inline Comment: using an in-line comment /* */
- Piggybacked Query: using a semicolon (;) to add a malicious query after the original query
- Out-of-band SQL injection: using different communication channels (e.g. exporting results to a file on the web server)
- Blind/inferential SQL injection: error messages and screen returns don't occur; usually have to guess whether the command worked or use timing to know
- Time delay: inserting a wait function for delay
- Boolean exploitation: manipulating valid statements that evaluate to true and false in an HTTP request parameter:
https://example.com/item.aspx?id=67 and 1=2
gets SQL query SELECT * FROM items WHERE ID=67 AND 1=2; if vulnerable to SQL injection, no item will show
https://example.com/item.aspx?id=67 and 1=1
gets SQL query SELECT * FROM items WHERE ID=67 AND 1=1; if vulnerable to SQL injection, item 67 will show
- Heavy query: in case it's impossible to use a time delay function in the query, generate heavy queries instead
- MS SQL Server injection: running commands from SQL shell by using xp_cmdshell
- Countermeasures
- To counter the database server running OS commands
- Running the database service account with minimal rights
- Disabling commands like xp_cmdshell
- To counter using a privileged account to connect to the database
- Monitoring DB traffic using an IDS, WAF
- Using a low-privileged account for the DB connection
- To counter error messages revealing important information
- Suppressing all error messages
- Using custom error messages
- To counter no data validation at the server
- Filtering all client data
- Sanitizing data
- Tools
- Sqlmap
- sqlninja
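Added example (not from the original notes) covering the SQL injection forms above and the "filter/sanitize" countermeasure: a string-concatenated login beside a parameterised one, run against a constructed SQLite in-memory table, so the tautology, end-of-line comment, single-quote error probe and the boolean id=67 and 1=2 test can each be checked. The schema, rows and function names are assumptions made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users/items tables; not a real application's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO items VALUES (67, 'widget')")
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # String concatenation: the user controls the query text, so ' and -- are parsed as SQL.
    sql = ("SELECT * FROM users WHERE name='" + name +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, name: str, password: str) -> bool:
    # Placeholders: the driver binds values, so the same input is compared as plain data.
    sql = "SELECT * FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def error_message(conn, name: str):
    """Error-based probe: a lone single quote breaks the concatenated query and the DB error leaks."""
    try:
        login_vulnerable(conn, name, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def item_vulnerable(conn, id_param: str):
    # Unquoted numeric parameter: "67 and 1=2" rewrites the WHERE clause (boolean blind test).
    return conn.execute("SELECT title FROM items WHERE id=" + id_param).fetchone()


def item_parameterised(conn, id_param: str):
    try:
        item_id = int(id_param)          # validate: a numeric parameter must be numeric
    except ValueError:
        return None
    return conn.execute("SELECT title FROM items WHERE id=?", (item_id,)).fetchone()
```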
- Cross-Site Scripting (XSS): inputting JavaScript into a web form alters what the page does
- Can also be passed via URL
http://IPADDRESS/";!--"<XSS>=&{()}
- Can be malicious by accessing cookies and sending them to a remote host
- Cookie theft via XSS can be mitigated by setting the HttpOnly flag on cookies (script cannot read them)
- DOM Based XSS (Type 0): a form of XSS where the entire tainted data flow from source to sink takes place in the browser, and the data flow never leaves the browser. e.g.: the URL of the page or an element of HTML...
- Stored XSS (Persistent or Type I): stores the XSS in a forum or like on the target server, for multiple people to access
- Reflected XSS (Non-persistent or Type II): occurs when user input is immediately returned by a web application, without permanently storing the user provided data
- Cross-Site Request Forgery (CSRF): forcing an end user to execute unwanted actions on an app they're already authenticated on
- Inheriting identity and privileges of victim to perform an undesired function on victim's behalf
- Capturing the session and sending a request based off the logged-in user's credentials
- Can be mitigated by sending random challenge tokens
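Added example (not from the original notes) for the XSS and CSRF items above: output encoding applied to the XSS probe string quoted earlier, a Set-Cookie line with HttpOnly, and a per-session random challenge token checked with a constant-time compare. The Session class, the Secure/SameSite attributes and the header format are assumptions for the example.

```python
import hmac
import html
import secrets

# The XSS probe string from the notes above, used here as constructed input.
PROBE = '";!--"<XSS>=&{()}'


def render_results_vulnerable(query: str) -> str:
    """Reflected XSS: untrusted input is written into the page unencoded."""
    return "<p>Results for: " + query + "</p>"


def render_results_safe(query: str) -> str:
    """Output encoding: & < > ' and " become entities, so the browser treats them as text."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie; Secure and SameSite are assumed deployment choices."""
    return "Set-Cookie: SESSIONID=" + session_id + "; HttpOnly; Secure; SameSite=Lax; Path=/"


class Session:
    """Minimal server-side session holding the random CSRF challenge token (constructed)."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def verify_csrf(session: Session, submitted) -> bool:
    """A forged cross-site request cannot know this session's token, so the check fails."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)
```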
- Clickjacking: also known as a user interface redress attack
- Used to trick web users into clicking something different from what they think they are clicking
- Buffer Overflow: attempting to write data into an application's buffer area to overwrite adjacent memory, execute code or crash a system
- Inputting more data than the buffer is allowed
- Including stack, heap, NOP sleds (x86 NOP is hex value 0x90) and more
- Session Fixation: attacker logs into a legitimate site and pulls a session ID, then sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user's credentials
- Fuzzing: inputting random data into a target to see what will happen
- HTTP Response Splitting
- Adding header response data to an input field so server splits the response
- It's not an attack by itself, so it must be combined with another attack
- Can be used to redirect a user to a malicious site
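Added example (not from the original notes) for HTTP Response Splitting: a redirect handler that copies a decoded parameter into the Location header beside one that rejects control characters, plus a small parser showing which header names a client would see. The injected parameter is constructed for the example and reuses the ADMIN cookie from the cookie-tampering note above.

```python
from urllib.parse import unquote


def build_redirect_vulnerable(location_param: str) -> str:
    """Decoded parameter copied straight into a header: CR/LF inside it splits the response."""
    target = unquote(location_param)
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def build_redirect_safe(location_param: str) -> str:
    """Reject any control character before the value reaches a header line."""
    target = unquote(location_param)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def safe_rejects(location_param: str) -> bool:
    """True if the hardened builder refuses the parameter."""
    try:
        build_redirect_safe(location_param)
    except ValueError:
        return True
    return False


def header_names(raw_response: str):
    """Header names a client would parse from the raw response (status line skipped)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


# Constructed sample: an encoded CR/LF followed by an extra header the app never set.
INJECTED = "/home%0d%0aSet-Cookie:%20ADMIN=yes"
```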
- CSPP (Connection Stream Parameter Pollution): polluting connection strings between the Web application authenticating a user to the database, for example, by injecting phony parameters into the connection strings using semicolons as separators