Web Applications
Hacking Web Applications
Goals
• Understand Concepts of Web Applications
• Understand Threats Related to Web Apps
• Understand Web App Hacking Methodology
• Learn Web App Hacking Tools
• Understand Web App Countermeasures
• Learn Web App Security Tools
• Understand Web App Penetration Testing
Module 12.0 Hacking Web Applications
• 12.1 Web Application Concepts
• 12.2 Web App Vulnerabilities and Exploits
• 12.3 Web Application Threats
• 12.4 Injection Attacks
• 12.5 Hidden Fields and Clickjacking
• 12.6 Cross Site Attacks
• 12.7 Additional Web App Attacks
• 12.8 Web App Hacking Methodology
• 12.9 Web App Hacking Countermeasures
• 12.10 Web App Security Tools
• 12.11 Web Application Pen Testing
12.1 Web Application Concepts
How Web Applications Work
• Establish an interface between web servers and end users via web pages
• Web apps are vulnerable to attacks, even with some security policies in place
• Web 2.0 technologies make it easier to exploit web apps
• Important business functions are supported by Web apps and Web 2.0 technologies
How Web Apps Work (diagram): the user submits a browser-based form to the web app; the web app runs on the web server, which in turn depends on the operating system, the network and the physical environment.
Common Web App Vulnerabilities
• Web apps interact with users over a network
  • Accessibility leads to attackers manipulating components
  • Steal data, compromise sessions, disrupt operations, etc.
• Web apps communicate in languages that support browsers and HTTP/S
  • HTML and JavaScript are standard
  • Run on frameworks like AngularJS, Ruby on Rails, Django, etc.
  • Communicate with the backend database using SQL
Common Web App Vulnerabilities (cont’d)
• General vulnerabilities:
  • Poorly implemented security configurations
  • Failings in authentication and authorization
  • Weaknesses to various types of code injection
  • Weaknesses to XSS and CSRF
  • Weaknesses to clickjacking
  • Weaknesses to file inclusion
  • Insecure coding practices
Security Misconfiguration Exploits
• Misconfiguration means the app is implemented incorrectly or with no protections
• Examples:
  • Rolling your own encryption
  • Failing to remove legacy content
  • Failing to remove debugging controls
  • Exposing sensitive data through unprotected files/folders
  • Failing to patch vulnerabilities
  • Failing to set secure values in web modules
  • Processing sensitive data on the client side
  • Failing to remove unused admin and default accounts
Security Misconfiguration Exploits (cont’d)
• Cookie manipulation:
  • Modify a web cookie in a malicious way
  • E-commerce site has item price in user's cookie
  • Modify cookie to lower price and send it back to server
  • Properly configured cookies include session identifiers only
Security Misconfiguration Exploits (cont’d)
• Directory traversal:
  • Accessing a file from a location the user is not authorized to access
  • Induce web app to backtrack through the directory path
  • App reads or executes a file in a parent directory
  • Most effective if you can traverse up to the root of the server
  • Works when app is improperly configured to access parent folders
  • Encode traversal text to get around filters
  • Double encode to get around stronger filters
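The slide explains why filters that look for the literal `../` are beaten by encoding and double encoding. The added example below (not from the slides) shows the defensive counterpart: decode until the value stops changing, then check the normalised target path against the document root instead of pattern-matching the input. `BASE_DIR` and the file names are assumed placeholders.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example (placeholder path, not from the slides)
BASE_DIR = "/srv/example-app/public"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value is stable, so double encoding
    such as %252e%252e%252f ("%2e%2e%2f" after one pass, "../" after two)
    is unwrapped before any checks run."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safely(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the normalised absolute path if it stays inside base_dir, else None.

    Rejecting the string '../' is what the encoding tricks defeat; comparing the
    normalised target against the base directory is not fooled by encoding,
    backslashes, or 'images/../../etc' style mixtures."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        return None  # NUL bytes can truncate the path in lower-level APIs
    decoded = decoded.replace("\\", "/")  # treat backslashes as separators too
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None
```

The check is done on the resolved path, so the same function handles plain, single-encoded, double-encoded and backslash variants without a list of bad patterns.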
Authentication Attacks
• Cracking credentials:
  • Cracking techniques and tools also apply to web apps
  • Weak passwords make it easier to crack
  • App might have default credentials that were never changed
  • Might be able to dump hashes for offline cracking
• Session hijacking:
  • Users assigned session IDs in web cookies for authentication
  • Steal session ID to take over session and assume user privileges
  • Steal through sniffing, XSS, etc.
Authentication Attacks (cont’d)
• Redirecting:
  • Append URL request to legitimate site
  • Useful with phishing as user recognizes and trusts legit site
  • Could set up a login page that looks real
Authentication Attacks (cont’d)
• Attack process:
  • Send phishing email with HTML
  • User clicks link and is taken to legitimate login site
  • User enters credentials and is authenticated
  • Legitimate site redirects user
  • Malicious page looks identical to legitimate page and asks for credentials a second time
  • User inputs credentials
  • Malicious page steals credentials and sends user back to legitimate site
  • Legitimate site already authenticated user; user is unaware of attack
12.3 Web Application Threats
Web Applications Threats
• Cookie Poisoning
• Insecure Storage
• Information Leaks
• Broken Account Management
• Improper Handling of Errors
• Tampering with Form/Parameters
• Directory Traversal
• DoS
• Buffer Overflow
• Tampering with Logs
• Unvalidated Input
• Broken Access Control
• Misconfiguration of Security
• Broken Session Management
• SQL Injections
• Cross-site Scripting (XSS)
• Cross-site Request Forgery
• Injection Flaws
Web Applications Threats (cont’d)
• Platform Exploits
• References to Insecure Direct Objects
• Insufficient Transport Layer Protection
• Inability to Restrict Access to URLs
• Insecure Cryptographic Storage
• Obfuscation Application
• Attacks on DMZ Protocol
• Security Management Exploits
• Authentication Hijacking
• Redirects/Forwards that are Unvalidated
• Session Fixation Attacks
• CAPTCHA Attacks
• Cookie Snooping
• Network Access Attacks
• Hidden Manipulation
• Web Services Attacks
Unvalidated Input
• Vulnerability in a Web app in which client input is not validated prior to being processed
• Attackers use flaws in input validation to perform attacks that cause data theft/system malfunction
Unicode Exploit
• Unusual Unicode characters are used to obfuscate malicious code
• Certain Unicode characters can cause arbitrary command execution on IIS
Parameter/Form Tampering
• Attacker manipulates parameters sent between server and client
• Goal is to alter app data
• Uses vulnerabilities in logic validation mechanisms/integrity
Authorization Attacks (cont’d)
• Parameter pollution:
  • Supply multiple instances of the same parameter in an HTTP request
  • App may not properly handle these multiple instances
  • Enables modification of values or triggering errors
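The slide's point is that different stacks disagree about what a repeated parameter means. The added example below (not from the slides) makes that concrete with Python's standard `parse_qs`: one helper takes the first occurrence, one takes the last, and a strict parser refuses the request rather than guessing. The query string is constructed for the example.

```python
from typing import Dict, List
from urllib.parse import parse_qs


def split_params(query: str) -> Dict[str, List[str]]:
    """Every value for every name, in order of appearance (duplicates preserved)."""
    return parse_qs(query, keep_blank_values=True)


def first_wins(query: str) -> Dict[str, str]:
    """Behaviour of some frameworks: the first occurrence is used."""
    return {name: values[0] for name, values in split_params(query).items()}


def last_wins(query: str) -> Dict[str, str]:
    """Behaviour of other frameworks: the last occurrence overrides earlier ones.
    A front-end filter that only inspects the first 'role' would miss the second."""
    return {name: values[-1] for name, values in split_params(query).items()}


def duplicate_parameters(query: str) -> List[str]:
    """Names that appear more than once; a strict handler should reject these."""
    return [name for name, values in split_params(query).items() if len(values) > 1]


def parse_strict(query: str) -> Dict[str, str]:
    """Reject duplicates outright instead of picking a winner silently."""
    dupes = duplicate_parameters(query)
    if dupes:
        raise ValueError("duplicate parameters: " + ", ".join(dupes))
    return {name: values[0] for name, values in split_params(query).items()}
```

Logging the output of `duplicate_parameters` on requests that reach privileged endpoints is a cheap detection signal, since legitimate clients rarely repeat a parameter such as `role`.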
SQL Injection
• Adding an apostrophe to the username field in a login form
  • The apostrophe is not valid and may trigger an error
  • Response can indicate column names
  • Can also indicate where to add parentheses to complete syntax
• Can also leverage always-true values and comment characters
• Certain web APIs allow stacking queries in the same call
• A UNION operation combines results of two or more SELECT statements, which can merge data from tables not directly exposed by the app
  • Only works when queries have the same number of columns
  • Provide actual column names
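The slide describes the apostrophe probe and always-true values against a query built from user input. The added example below (not from the slides) puts the concatenated query beside its parameterised form on an in-memory SQLite table, so the difference is observable: the apostrophe produces a database error from the first and an empty result from the second, and the always-true input matches every row only in the first. The table and rows are constructed for the example.

```python
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[int]:
    """String concatenation: the input becomes part of the SQL grammar."""
    query = "SELECT id FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[int]:
    """Parameterised query: the input is bound as data and never parsed as SQL.
    (Python's sqlite3 .execute() also refuses more than one statement per call,
    which blocks stacked queries; other drivers may not.)"""
    query = "SELECT id FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


def leaked_error(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """What the apostrophe produces against the concatenated query: a database
    error whose text, if echoed to the user, is the information the slide describes.
    A hardened app logs this server-side and returns a generic message."""
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.Error as exc:
        return str(exc)
```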
HTML Injection
LDAP Injection
• LDAP is a directory service that hierarchically stores/organizes data based on specific attributes
• Based on client-server model
• Clients can use filters to search the LDAP directory
• LDAP injection gets past LDAP filters by taking advantage of non-validated web app input vulnerabilities
• Allows direct access to LDAP tree databases
• Makes use of user parameters to create an LDAP query
• LDAP vulnerability can be tested by sending a query to the server
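Because an LDAP filter is built from user parameters, the fix is to escape the filter metacharacters defined in RFC 4515 before interpolating. The added example below (not from the slides) shows the escaping routine, a login filter built with and without it, and a cheap structural check: a fixed-shape filter must always contain the same number of clauses. The attribute names `objectClass` and `uid` are assumptions for the example.

```python
# RFC 4515 search-filter escapes: these are the only characters that can change
# the structure of a filter, so escaping them makes any value inert.
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Hardened: the username can only ever match (or fail to match) a uid."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def build_login_filter_unsafe(username: str) -> str:
    """The injection sink: raw interpolation lets input add or close clauses."""
    return "(&(objectClass=person)(uid=%s))" % username


def filter_clause_count(ldap_filter: str) -> int:
    """Count opening parentheses. For a filter of fixed shape the count is
    constant, so a different count is a tamper indicator worth logging."""
    return ldap_filter.count("(")
```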
12.5 Hidden Fields and Clickjacking
Hidden Field Manipulation Attack
• Selections on an HTML page are stored as field values and sent to the app to generate an HTTP request
• Field values can be stored as hidden fields (not rendered to screen)
• Hidden values are still submitted as parameters when forms are submitted
• Attackers can change hidden field values to change POST requests
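The cookie-manipulation slide (price stored in the user's cookie) and this slide (price in a hidden field) describe the same weakness: the server trusts a value that went through the client. The added example below (not from the slides) serves both: an insecure total that multiplies the submitted price, a hardened total that re-derives price from a server-side catalogue, and, for the cases where some state really must round-trip through the client, an HMAC signature that makes tampering detectable. `SERVER_SECRET`, the SKUs and the prices are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Placeholder key: a real deployment loads this from a secrets store, never from source
SERVER_SECRET = b"placeholder-server-secret-change-me"

# Constructed catalogue, prices in cents; the only price source the server trusts
CATALOG = {"sku-100": 4999, "sku-200": 1500}


def total_from_client(form: dict) -> int:
    """Insecure: multiplies whatever 'price' came back from the browser
    (hidden field or cookie), so a lowered price is simply accepted."""
    return int(form["price"]) * int(form["qty"])


def total_from_catalog(form: dict) -> int:
    """Hardened: the client may choose what and how many, never how much."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_state(payload: dict) -> str:
    """If state must round-trip through the client, sign it: body.mac"""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_state(token: str) -> Optional[dict]:
    """Return the payload only if the MAC matches; None means modified or forged."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```

The signature only detects modification; it does not hide the contents, so the slide's advice still stands: keep the cookie to a session identifier and look everything else up server-side.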
Clickjacking
• Clickjacking is an attack in which a user is fooled into clicking a web page link that is different from where they had intended to land
• Victim clicks link and may be redirected to a pharming page or other malicious page
• A visitor to a site thinks he/she is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam
• The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site
• The attacker tricks users into visiting the site through links online or in email messages
Clickjacking (cont’d)
• The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera
• Only non-GUI browsers, such as Lynx, are protected, because there is nothing in the interface that's clickable
• Facebook is a common venue for clickjacking
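Clickjacking works by framing the target page under a decoy, so the defence a site owner controls is telling browsers not to allow framing. The added example below (not from the slides) is a small response-header check that classifies whether a page is protected by a Content-Security-Policy `frame-ancestors` directive, by `X-Frame-Options`, or not at all, plus the header set a hardened response would send. The header dictionaries in the test are constructed.

```python
from typing import Dict


def frame_protection(headers: Dict[str, str]) -> str:
    """Return 'csp' if frame-ancestors restricts framing, 'xfo' if X-Frame-Options
    does, else 'none'. When both are present, browsers honour CSP and ignore
    X-Frame-Options, so an over-permissive frame-ancestors wins over a DENY."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            # '*' or a bare scheme lets any origin frame the page: no protection
            if sources and not any(s in ("*", "http:", "https:") for s in sources):
                return "csp"
            return "none"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


def hardened_headers() -> Dict[str, str]:
    """Headers for a page that must never be framed; X-Frame-Options is kept
    for browsers that predate frame-ancestors support."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }
```

Run `frame_protection` over the headers of every page that carries a sensitive button (settings, payment, account deletion); any page reporting `none` is a candidate for the overlay trick shown on the next slide.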
Clickjacking Example (diagram): entice people to click a visible decoy, and precisely overlay it on top of the real control.
12.6 Cross Site Attacks
Cross-Site Scripting Attacks
• Client-side script can be injected onto a web page
• Attackers exploit dynamically generated web page vulnerabilities
• Attack requires inclusion of unvalidated input data in dynamic content
• Malicious code is hidden within legitimate requests
• Attacks used for things like:
  • Data theft
  • Probing Intranet
  • Remote monitoring/key logging
  • Manipulation of data
Cross-Site Scripting (XSS) Attacks
• Cross-Site Scripting is an attack in which malicious JavaScript is inserted and executes on the client's browser
• Can steal cookies, read sensitive info, inject malware, and more
• One of the most popular and effective attacks
Cross-Site Scripting (XSS) Attacks (cont’d)
• Three categories:
  • Stored (persistent): the injected script remains on the server
  • Reflected: the injected script is sent to the server and then bounced back to the user
  • DOM-based: executed entirely on the client side
• Probe input components for XSS weaknesses
  • Inject script into a form to pop up on the client’s browser
Cross-Site Scripting (XSS) Attacks (cont’d)
• Use social engineering to craft injected URL
• Persistent attack requires modifying data stored by app
  • Try with forms you know store data, like site feedback page
• Not all injection points are visible
  • May be able to POST data in HTTP request
  • Depends on web app technology
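The slides' stored example is a site feedback or comment form whose contents are rendered back to other users. The added example below (not from the slides) shows that sink beside its hardened form: output encoding for the HTML body, quote-aware encoding for attributes, and a scheme allowlist for user-supplied links, which encoding alone does not cover. The comment and URL values are constructed.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(comment: str) -> str:
    """Reflects stored input verbatim: the classic stored/reflected XSS sink."""
    return '<li class="comment">%s</li>' % comment


def render_comment_safe(comment: str) -> str:
    """Encode for the HTML body context; quote=True also makes the result safe
    inside a double- or single-quoted attribute."""
    return '<li class="comment">%s</li>' % html.escape(comment, quote=True)


def render_profile_link(url: str, label: str) -> str:
    """Attribute context needs both encoding and a scheme allowlist: an encoded
    'javascript:' URL is still a javascript: URL once the browser decodes it."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


def looks_like_script(rendered: str) -> bool:
    """Crude post-render check used here to demonstrate the difference; it is a
    test aid, not a substitute for encoding at the sink."""
    lower = rendered.lower()
    return "<script" in lower or "javascript:" in lower
```

Encode at the point of output, per context, rather than trying to strip tags on input: the same feedback text may be rendered into HTML, into an attribute and into JSON, and each needs a different encoding.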
Cross-Site Request Forgery
• Cross-Site Request Forgery is an attack where an established trust between an authorized user and a website is exploited
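The trust being exploited is the browser's habit of attaching the user's session cookie to any request for the site, whoever triggered it. The added example below (not from the slides) shows the standard countermeasure: a per-session anti-forgery token that the forging page cannot read, compared in constant time, with the browser's `Origin` header as a second check when it is present. The session object and origins are constructed for the example.

```python
import hmac
import secrets
from typing import Optional


class Session:
    """Constructed stand-in for server-side session storage."""

    def __init__(self) -> None:
        self.data = {}


def issue_csrf_token(session: Session) -> str:
    """Generate an unguessable token, store it server-side, and return it for
    embedding in the form. A cross-site page cannot read this value."""
    token = secrets.token_urlsafe(32)
    session.data["csrf_token"] = token
    return token


def verify_csrf(session: Session, submitted: Optional[str],
                origin: Optional[str], site_origin: str) -> bool:
    """Accept the state-changing request only if the submitted token matches the
    one bound to this session and, when the browser sent an Origin header, it is ours."""
    expected = session.data.get("csrf_token")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):
        return False
    if origin is not None and origin.lower() != site_origin.lower():
        return False
    return True
```

The session cookie proves who the user is; the token proves the request came from a page the site itself served. Both are needed, which is why the cookie alone is the weakness the attack exploits.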