Web-Based Hacking - Servers and Applications
Web Organizations
- Internet Engineering Task Force (IETF) - creates engineering documents to help make the Internet work better
- World Wide Web Consortium (W3C) - a standards-developing community
- Open Web Application Security Project (OWASP) - organization focused on improving the security of software
OWASP Web Top 10
- A1 - Injection Flaws - SQL, OS and LDAP injection
- A2 - Broken Authentication and Session Management - functions related to authentication and session management that aren’t implemented correctly
- A3 - Sensitive Data Exposure - not properly protecting sensitive data (SSN, CC numbers, etc.)
- A4 - XML External Entities (XXE) - exploiting XML processors by uploading hostile content in an XML document
- A5 - Broken Access Control - having improper controls on areas that should be protected
- A6 - Security Misconfiguration - across all parts of the server and application
- A7 - Cross-Site Scripting (XSS) - taking untrusted data and sending it without input validation
- A8 - Insecure Deserialization - improperly de-serializing data
- A9 - Using Components with Known Vulnerabilities - libraries and frameworks that have known security holes
- A10 - Insufficient Logging and Monitoring - not having enough logging to detect attacks
WebGoat - project maintained by OWASP which is an insecure web application meant to be tested
Web Server Attack Methodology
- Information Gathering - Internet searches, whois, reviewing robots.txt
- Web Server Footprinting - banner grabbing
- Tools
- Netcraft
- HTTPRecon
- ID Serve
- HTTPrint
- nmap
- nmap –script http-trace -p80 localhost (detects vulnerable TRACE method)
- nmap –script http-google-email
(lists email addresses) - nmap –script hostmap-*
(discovers virtual hosts on the IP address you are trying to footprint; * is replaced by online db such as IP2Hosts) - nmap –script http-enum -p80
(enumerates common web apps) - nmap -p80 –script http-robots.txt
(grabs the robots.txt file)
- Tools
- Website Mirroring - brings the site to your own machine to examine structure, etc.
- Tools
- Wget
- BlackWidow
- HTTrack
- WebCopier Pro
- Web Ripper
- SurfOffline
- Tools
- Vulnerability Scanning - scans web server for vulnerabilities
- Tools
- Nessus
- Nikto - specifically suited for web servers; still very noisy like Nessus
- Tools
- Session Hijacking
- Web Server Password Cracking
Web Server Architecture
- Most Popular Servers - Apache, IIS and Nginx
- Apache runs configurations as a part of a module within special files (http.conf, etc.)
- IIS runs all applications in the context of LOCAL_SYSTEM
- IIS 5 had a ton of bugs - easy to get into
- N-Tier Architecture - distributes processes across multiple servers; normally as three-tier: Presentation (web), logic (application) and data (database)
- Error Reporting - should not be showing errors in production; easy to glean information
- HTML - markup language used to display web pages
- HTTP Request Methods
- GET - retrieves whatever information is in the URL; sending data is done in URL
- HEAD - identical to get except for no body return
- POST - sends data via body - data not shown in URL or in history
- PUT - requests data be stored at the URL
- DELETE - requests origin server delete resource
- TRACE - requests application layer loopback of message
- CONNECT - reserved for use with proxy
- Both POST and GET can be manipulated by a web proxy
- HTTP Error Messages
- 1xx: Informational - request received, continuing
- 2xx: Success - action received, understood and accepted
- 3xx: Redirection - further action must be taken
- 4xx: Client Error - request contains bad syntax or cannot be fulfilled
- 5xx: Server Error - server failed to fulfill an apparently valid request
Web Server Attacks
- DNS Amplification - uses recursive DNS to DoS a target; amplifies DNS answers to target until it can’t do anything
- Directory Transversal (../ or dot-dot-slash) - requests file that should not be accessible from web server
- Example: http://www.example.com/../../../../etc/password
- Can use Unicode to possibly evade IDS - %2e for dot and %sf for slash
- Parameter Tampering (URL Tampering) - manipulating parameters within URL to achieve escalation or other changes
- Hidden Field Tampering - modifying hidden form fields producing unintended results
- Web Cache Poisoning - replacing the cache on a box with a malicious version of it
- WFETCH - Microsoft tool that allows you to craft HTTP requests to see response data
- Misconfiguration Attack - same as before - improper configuration of a web server
- Password Attack - attempting to crack passwords related to web resources
- Connection String Parameter Pollution - injection attack that uses semicolons to take advantage of databases that use this separation method
- Web Defacement - simply modifying a web page to say something else
- Tools
- Brutus - brute force web passwords of HTTP
- Hydra - network login cracker
- Metasploit
- Basic working is Libraries use Interfaces and Modules to send attacks to services
- Exploits hold the actual exploit
- Payload contains the arbitrary code if exploit is successful
- Auxiliary used for one-off actions (like a scan)
- NOPS used for buffer-overflow type operations
- Shellshock - causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions
Web Application Attacks
- Most often hacked before of inherent weaknesses built into the program
- First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
- Tools for Identifying Entry Points
- WebScarab
- HTTPPrint
- BurpSuite
- Web 2.0 - dynamic applications; have a larger attack surface due to simultaneous communication
- File Injection - attacker injects a pointer in a web form to an exploit hosted elsewhere
- Command Injection - attacker gains shell access using Java or similar
- LDAP Injection - exploits applications that construct LDAP statements
- Format for LDAP injection includes )(&)
- SOAP Injection - inject query strings in order to bypass authentication
- SOAP uses XML to format information
- Messages are “one way” in nature
- Buffer Overflow (Smashing the stack) - attempts to write data into application’s buffer area to overwrite adjacent memory, execute code or crash a system
- Inputs more data than the buffer is allowed
- Includes stack, heap, NOP sleds and more
- Canaries - systems can monitor these - if they are changed, they indicate a buffer overflow has occurred; placed between buffer and control data
- XSS (Cross-site scripting) - inputting JavaScript into a web form that alters what the page does
- Can also be passed via URL (http://IPADDRESS/”;!–“
=&{()} - Can be malicious by accessing cookies and sending them to a remote host
- Can be mitigated by setting HttpOnly flag for cookies
- Stored XSS (Persistent or Type-I) - stores the XSS in a forum or like for multiple people to access
- Can also be passed via URL (http://IPADDRESS/”;!–“
- Cross-Site Request Forgery (CSRF) - forces an end user to execute unwanted actions on an app they’re already authenticated on
- Inherits identity and privileges of victim to perform an undesired function on victim’s behalf
- Captures the session and sends a request based off the logged in user’s credentials
- Can be mitigated by sending random challenge tokens
- Session Fixation - attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user’s credentials
- Cookies - small text-based files stored that contains information like preferences, session details or shopping cart contents
- Can be manipulated to change functionality (e.g. changing a cooking that says “ADMIN=no” to “yes”)
- Sometimes, but rarely, can also contain passwords
- SQL Injection - injecting SQL commands into input fields to produce output
- Data Handling - Definition (DDL), manipulation (DML) and control (DCL)
- Example - input “’ OR 1 = 1 –” into a login field - basically tells the server if 1 = 1 (always true) to allow the login.
- Double dash (–) tells the server to ignore the rest of the query (in this example, the password check)
- Basic test to see if SQL injection is possible is just inserting a single quote (‘)
- Fuzzing - inputting random data into a target to see what will happen
- Tautology - using always true statements to test SQL (e.g. 1=1)
- In-band SQL injection - uses same communication channel to perform attack
- Usually is when data pulled can fit into data exported (where data goes to a web table)
- Best for using UNION queries
- Out-of-band SQL injection - uses different communication channels (e.g. export results to file on web server)
- Blind/inferential - error messages and screen returns don’t occur; usually have to guess whether command work or use timing to know
- Tools
- Sqlmap
- sqlninja
- Havij
- SQLBrute
- Pangolin
- SQLExec
- Absinthe
- BobCat
- HTTP Response Splitting - adds header response data to an input field so server splits the response
- Can be used to redirect a user to a malicious site
- Is not an attack in and of itself - must be combined with another attack
- Countermeasures - input scrubbing for injection, SQL parameterization for SQL injection, keeping patched servers, turning off unnecessary services, ports and protocols