Web-based Hacking: Servers and Applications Flashcards
Web Organizations
Internet Engineering Task Force (IETF) - creates engineering documents to help make the Internet work better from an engineering point of view. The IETF’s official documents are published as RFCs
World Wide Web Consortium - international community of member organizations who work together to develop web standards
Request for Comment (RFC)
IETF document to set an Internet standard
Open Web Application Security Project (OWASP)
A non-profit focused on improving the security of software
OWASP Top 10
Represents a broad consensus on the top 10 most critical web application security flaws
OWASP Top 10 for 2018
A1. Injection Flaws (SQL, OS and LDAP)
A2. Broken authentication and session management
A3. Sensitive data exposure
A4. XML External Entities
A5. Broken Access Control
A6. Security misconfiguration
A7. Cross-Site Scripting (XSS)
A8. Insecure Deserialization
A9. Using components with known vulnerabilities
A10. Insufficient logging and monitoring
OWASP - Injection Flaws
Injections can be SQL queries, PHP queries, LDAP queries and OS commands. They occur wherever user input is required or a user can modify data: a text box, username/password field, feedback field, comment field, URL etc. Mitigate with input sanitization: implement a whitelisting approach on the server side for everything that can be accepted, and use safe APIs and parameterized queries.
OWASP - Broken authentication
“When an application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.”
The aim here is to either get into someone else’s session or use a session which has been ended by the user or steal session related information.
Examples:
1. Press the back button after logout to see if you can get into the previous session.
2. Try to hit the URL directly after logging out to check if you are able to access that page.
3. Check for the presence of session-related information in the URLs. Try manipulating them to check if you are able to ride someone else’s session.
4. Try finding the credentials in the source code. Right click on the page and hit view source. Sometimes coders hard code the credentials for easy access which sometimes remain there unidentified.
Mitigate with:
1. Use of multifactor authentication
2. Session isolation
3. Idle session timeouts
4. Using secured cookies
OWASP - Sensitive Data Exposure
“Attackers can sniff or modify the sensitive data if not handled securely by the application. A few examples include use of weak encryption keys, use of weak TLS.”
The attacker's goal is to identify sensitive data and exploit it. The flaw is failing to protect data such as credit card numbers, tax IDs, and authentication credentials.
Mitigation:
1. Encrypt all data in transit and at rest.
2. Use secure protocols and algorithms.
3. Disable caching of responses with sensitive data. Hackers might get the cached copies and steal the information from them.
OWASP - XML External Entities (XXE)
“An application is vulnerable to XXE attacks if it enables users to upload a malicious XML which further exploits the vulnerable code and/or dependencies.” This can be used to execute code, steal data and perform other malicious tasks, including extracting data, executing a remote request, scanning internal systems, and performing denial of service.
Mitigation:
1. Avoid serialization of sensitive data
2. Implement a whitelisting approach on the server side to prevent malicious XML upload.
3. Use of Web Application Firewall (WAF) to detect and block XXE.
4. Code review
OWASP - Broken Access control
“Broken access control occurs if a user is able to access unauthorized resources, this can be access to restricted pages, database, directories etc.”
Applications have various account types depending on the users: admins, operators and reporting groups etc. One common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights.
Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT).
Mitigation:
1. Invalidate tokens and cookies after logout.
2. Force login/logout after a password change.
3. Server side resource restriction e.g. directories.
4. Restrict access to all resources based on roles.
OWASP - Security misconfigurations
Developers and IT staff ensure functionality, not security. The configurations of the application server, DB server, proxy, applications and other devices need to be in line with the security requirements. Most of the security requirements get missed unless identified by experts or hackers.
Examples of these security misconfigurations are weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.
Mitigation:
1. Have a hardening process in place for both hardware and applications. Do ensure that defaults are changed.
2. Install only the required features from a framework.
3. Review the security of the configurations at fixed intervals.
OWASP - Cross Site Scripting (XSS)
Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker get executed in the browser and can steal users' data, deface websites etc.
XSS is of 3 types:
1. Reflected
2. Stored
3. DOM-based
XSS allows attackers to execute scripts in the victim’s browser, hijack user sessions, deface websites, or redirect users to malicious sites.
Mitigation:
1. Output encoding and escaping untrusted characters.
2. Enabling a Content Security Policy (CSP)
OWASP - Insecure Deserialization
Some of the applications save data on the client side and they may be using object serialization. Applications which rely on the client to maintain state may allow tampering of serialized data. This is a new entry in the list and is difficult to exploit.
Example: Altering the serialized objects in the cookies for privilege escalation.
X: x :{ z: z:"NAME": r:"USER"} --> Normal cookie
X: x :{ z: z:"NAME": r:"ADMIN"} --> Altered cookie object
Mitigation:
Encryption of the serialized data.
Deserializers to run with least privilege
One of the most serious attacks possible.
OWASP - Using Components with known vulnerabilities
If any components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc.
Examples:
1. Use of a vulnerable PHP version
2. Outdated kernel version (Linux)
3. Unpatched Windows
4. Vulnerable jQuery version
Mitigation:
1. Frequent patching process.
2. Subscribe to forums which share the latest vulnerabilities along with the CVE numbers and mitigation techniques/fixes. Check if the vulnerability affects the devices/software in your inventory and fix them.
OWASP - Insufficient logging and monitoring
To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all the activity and monitor it for any suspicious behavior.
Examples:
1. Too many failed login attempts from a particular source.
2. Too many requests from a particular source at an extremely fast/slow/fixed rate could be a DoS attempt. Do check and act.
3. Junk traffic
4. Spikes in traffic pattern when not expected.
Mitigation:
1. 24 x 7 monitoring of application traffic and log analysis.
2. Effective security incident response procedures in place and practiced.
2017 OWASP Top 10
A1. Injection Flaws (SQL, OS and LDAP)
A2. Broken authentication and session management
A3. Cross-Site Scripting (XSS)
A4. Insecure Direct Object References
A5. Security misconfiguration
A6. Sensitive data exposure
A7. Missing Function Level Access Control
A8. Cross Site Request Forgery
A9. Using components with known vulnerabilities
A10. Unvalidated redirects and forwards
Webgoat
OWASP deliberately insecure web application for demonstrating web vulnerabilities
Six different stages in web server attack methodology
- Information gathering
- Web server footprinting
- Website mirroring
- Vulnerability scanning
- Session hijacking
- Web server password cracking
Website information gathering and footprinting tools
Netcraft, HTTPRecon, IDServe, HTTPrint
nmap --script http-trace -p80 localhost
Detects a vulnerable server that uses the TRACE method
nmap --script http-google-email
Lists email accounts
nmap --script hostmap-*
Discovers virtual hosts on an IP address that you are attempting to footprint
nmap --script http-enum -p80
Enumerates common web applications and directories
nmap -p80 --script http-robots.txt
Grabs the robots.txt
Website Mirroring Tools
wget, blackwidow, httrack, webcopier pro, webripper, surfoffline
Three-tiered web application (also known as N-tier architecture)
Each tier has a single role: a frontend web server, a middle-layer application server, and a backend database server.
Web server vendors
Microsoft IIS, Apache, NGINX
NGINX
A free open source, high performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Uses predictable amounts of memory under load.
Web Server Security vulnerabilities
Most common are related to misconfiguration of settings, including error messages, default passwords, SSL certificates, scripts, remote admin functions, configuration files, and services on the machine.
Debug Settings
If left enabled on a web server, they provide attackers with information useful in their attack.
Apache httpd.conf
Controls aspects including who can view the server status page, which contains information on the server, hosts connected, and requests being attended to. The php.ini file holds the verbose error message settings.