
Ethical Hacking v10 Module 12 – Hacking Web Applications
Goals
• Understand Concepts of Web Applications
• Understand Threats Related to Web Apps
• Understand Web App Hacking Methodology
• Learn Web App Hacking Tools
• Understand Web App Countermeasures
• Learn Web App Security Tools
• Understand Web App Penetration Testing
Module 12.0 Hacking Web Applications
• 12.1 Web Application Concepts
• 12.2 Web App Vulnerabilities and Exploits
• 12.3 Web Application Threats
• 12.4 Injection Attacks
• 12.5 Hidden Fields and Clickjacking
• 12.6 Cross Site Attacks
• 12.7 Additional Web App Attacks
• 12.8 Web App Hacking Methodology
• 12.9 Web App Hacking Countermeasures
• 12.10 Web App Security Tools
• 12.11 Web Application Pen Testing
12.1 Web Application Concepts
How Web Applications Work
• Establish an interface between web servers and end users via web pages
• Web apps are vulnerable to attacks, even with some security policies in place
• Web 2.0 technologies make it easier to exploit web apps
• Important business functions are supported by Web apps and Web 2.0 technologies
How Web Apps Work (diagram labels: User, Browser-based form, Web App, Web Server, OS, Database, Hacker)
Web 2.0 Application Architecture
Web 2.0 app architecture consists of:
• Clients
• Web Server
• Business Layer
• Database Layer
Web Application Overview
• Web apps provide an infrastructure for dynamic user participation online
• Includes active content, collaboration, social interaction
• Also introduces new technologies to be exploited
Web Application Example
Common Web App Programming Languages
• PHP
• Java EE
• Java
• Python
• Ruby
• ASP.NET
• C#
• VB.NET
• Classic ASP
Web 2.0 Applications
• Interoperability
• User-centered Design
• Collaboration on the Web
• Interactive Data Sharing
12.2 Web App Vulnerabilities and Exploits
Web App Vulnerability Stack (top to bottom)
• Web App
• Third Party Components
• Database
• Web Server
• Operating System
• Network
• Physical Environment
Common Web App Vulnerabilities
• Web apps interact with users over a network
• Accessibility leads to attackers manipulating components
• Steal data, compromise sessions, disrupt operations, etc.
• Web apps communicate in languages that support browsers and HTTP/S
• HTML and JavaScript are standard
• Runs on frameworks like AngularJS, Ruby on Rails, Django, etc.
• Communicates with backend database using SQL
Common Web App Vulnerabilities (cont’d)
• General vulnerabilities:
• Poorly implemented security configurations
• Failings in authentication and authorization
• Weaknesses to various types of code injection
• Weaknesses to XSS and CSRF
• Weaknesses to clickjacking
• Weaknesses to file inclusion
• Insecure coding practices
Security Misconfiguration Exploits
• Misconfiguration means the app is implemented incorrectly or with no protections
• Examples:
• Rolling your own encryption
• Failing to remove legacy content
• Failing to remove debugging controls
• Exposing sensitive data through unprotected files/folders
• Failing to patch vulnerabilities
• Failing to set secure values in web modules
• Processing sensitive data on the client side
• Failing to remove unused admin and default accounts
Security Misconfiguration Exploits (cont’d)
• Cookie manipulation:
• Modify a web cookie in a malicious way
• E-commerce site has item price in user's cookie
• Modify cookie to lower price and send it back to server
• Properly configured cookies include session identifiers only
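Added example (not part of the course material) contrasting the two cookie designs on this slide: a price stored in the cookie is trusted as sent, whereas a cookie carrying only an HMAC-signed session ID lets the server detect any edit and look the price up itself. The secret key, catalog and session store are constructed for the demo.

```python
import hmac
import hashlib
import base64

# Assumed server-side secret for the demo; in production load it from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-use"

def sign_cookie(value: str) -> str:
    """Return value + '.' + base64(HMAC-SHA256(value)); the tag lets the server detect edits."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify_cookie(cookie: str):
    """Return the original value if the tag matches, else None (tampered or malformed)."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    # Recompute and compare in constant time so a forger learns nothing from timing.
    if hmac.compare_digest(sign_cookie(value), cookie):
        return value
    return None

# Insecure design from the slide: the price travels in the cookie and is trusted on return.
def insecure_checkout_total(cookie: str) -> float:
    fields = dict(pair.split("=", 1) for pair in cookie.split(";"))
    return float(fields["price"])

# Secure design: the cookie carries only a session ID; the price comes from server-side data.
CATALOG = {"sku-100": 49.99}                     # constructed catalog
SESSIONS = {"s3ss10n": {"cart": ["sku-100"]}}    # constructed session store

def secure_checkout_total(cookie: str):
    """Return the cart total for a validly signed session, or None if the cookie is rejected."""
    sid = verify_cookie(cookie)
    if sid is None or sid not in SESSIONS:
        return None
    return sum(CATALOG[sku] for sku in SESSIONS[sid]["cart"])
```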
Security Misconfiguration Exploits (cont’d)
• Directory traversal:
• Accessing a file from a location user is not authorized to access
• Induce web app to backtrack through directory path
• App reads or executes file in parent directory
• Most effective if you can traverse up to root of server
• Works when app is improperly configured to access parent folders
• Encode traversal text to get around filters
• Double encode to get around stronger filters
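Added example (not part of the course material) of the server-side check that defeats the encoded and double-encoded traversal described above: decode until the value stops changing, resolve the path against the document root, and refuse anything that lands outside it. The document root is an assumed value.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this demo

def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value is stable so %252e%252e (double-encoded ..) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolve_under_root(requested: str, root: str = WEB_ROOT):
    """Return the absolute path inside root for a request, or None if it escapes the root."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:            # NUL bytes truncate paths in C-based runtimes
        return None
    # normpath collapses '..' segments; the prefix check after joining is the real control
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

def is_traversal_attempt(requested: str) -> bool:
    """Detection helper (for logs or WAF rules): true when decoding reveals a '..' segment."""
    decoded = fully_decode(requested).replace("\\", "/")
    return ".." in decoded.split("/")
```

Note that `docs/../index.html` is flagged by the detector yet still resolves inside the root, which is why the access decision rests on the resolved path rather than on pattern matching alone.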
Authentication Attacks
• Cracking credentials:
• Cracking techniques and tools also apply to web apps
• Weak passwords make it easier to crack
• App might have default credentials that were never changed
• Might be able to dump hashes for offline cracking
• Session hijacking:
• Users assigned session IDs in web cookies for authentication
• Steal session ID to take over session and assume user privileges
• Steal through sniffing, XSS, etc.
Authentication Attacks (cont’d)
• Redirecting:
• Append URL request to legitimate site
• Useful with phishing as user recognizes and trusts legit site
• Could set up a login page that looks real
Authentication Attacks (cont’d)
• Advanced redirect attack exploits returnUrl parameter in ASP.NET
• User's cookie expires or needs to be generated
• User is directed to legitimate site's default login page
• User authenticates, then is sent to page specified in returnUrl
Authentication Attacks (cont’d)
• Attack process:
• Send phishing email with HTML
• User clicks link and is taken to legitimate login site
• User enters credentials and is authenticated
• Legitimate site redirects user
• Malicious page looks identical to legitimate page and asks for credentials a second time
• User inputs credentials
• Malicious page steals credentials and sends user back to legitimate site
• Legitimate site already authenticated user; user is unaware of attack
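Added example (not part of the course material) of the countermeasure for the returnUrl attack above: the login handler only honours a return URL that is a path on the same site and falls back to a default otherwise. The function names and the external host names in the checks are constructed for the demo.

```python
from urllib.parse import urlsplit, unquote

def is_safe_return_url(return_url: str) -> bool:
    """Accept only a same-site absolute path such as '/account/orders?page=2'."""
    if not return_url:
        return False
    candidate = unquote(return_url).strip()
    # Anything with a scheme or host is off-site: 'https://evil', '//evil', 'javascript:'
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Must start with a single '/', not '//host' and not the '/\host' form some browsers accept
    if not candidate.startswith("/") or candidate.startswith("//") or candidate.startswith("/\\"):
        return False
    # Control characters could split the Location header
    if any(ch in candidate for ch in "\r\n\x00"):
        return False
    return True

def post_login_redirect(return_url: str, default: str = "/") -> str:
    """Where to send the user after a successful login."""
    return return_url if is_safe_return_url(return_url) else default
```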
12.3 Web Application Threats
Web Application Threats
• Cookie Poisoning
• Insecure Storage
• Information Leaks
• Broken Account Management
• Improper Handling of Errors
• Tampering with Form/Parameters
• Directory Traversal
• DoS
• Buffer Overflow
• Tampering with Logs
• Unvalidated Input
• Broken Access Control
• Misconfiguration of Security
• Broken Session Management
• SQL Injections
• Cross-site Scripting (XSS)
• Cross-site Request Forgery
• Injection Flaws
Web Application Threats (cont’d)
• Platform Exploits
• References to Insecure Direct Objects
• Insufficient Transport Layer Protection
• Inability to Restrict Access to URL
• Insecure Cryptographic Storage
• Obfuscation App
• Attacks on DMZ Protocol
• Security Management Exploits
• Authentication Hijacking
• Redirects/Forwards that are Unvalidated
• Session Fixation Attacks
• CAPTCHA Attacks
• Cookie Snooping
• Network Access Attacks
• Hidden Manipulation
• Web Services Attacks
Unvalidated Input
• Vulnerability in a Web app in which client input is not validated prior to being processed
• Attackers use flaws in input validation to perform attacks to cause data theft/system malfunction
Unicode Exploit
• Unusual Unicode characters are used to obfuscate malicious code
• Certain Unicode characters can cause arbitrary command execution on IIS
Parameter/Form Tampering
• Attacker manipulates parameters sent between server and client
• Goal to alter app data
• Uses vulnerabilities in logic validation mechanisms/integrity
Authorization Attacks (cont’d)
• Parameter pollution:
• Supply multiple instances of same parameter in HTTP request
• App may not properly handle these multiple instances
• Enables modification of values or triggering errors
Authorization Attacks (cont’d)
• Typical GET request example for search functionality:
• http://test/?search=weather
• Polluting request with second search parameter:
• http://test/?search=weather&search
• App may only validate last occurrence of parameter
• Throws out empty parameter but keeps first one
• Page might return weather search results or throw an error
Authorization Attacks (cont’d)
• POST request to sign in to web portal using security token:
• http://test/?token=<user token>&portalID=<victim portal ID>
Authorization Attacks (cont’d)
• Polluting request with second portalID parameter:
• http://test/?token=<attacker token>&portalID=<attacker portal ID>&portalID=<victim portal ID>
• Direct object reference:
• Reference to actual name of system object used by app
Authorization Attacks (cont’d)
• Manipulate parameter that directly references an object
• Can grant access to objects not authorized to access
• SQL call might request account info by referencing acctname parameter
• Replace acctname value with different name/number
• Grants access to other account if insecurely referenced in app
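Added example (not part of the course material) covering both authorization weaknesses above: a request parser that rejects duplicated parameters, so a polluted portalID request is refused outright, and a handler that checks the session user actually owns the directly referenced object before returning it. Token and portal tables are constructed for the demo.

```python
from urllib.parse import parse_qs

class BadRequest(Exception):
    pass

def strict_query(query: str) -> dict:
    """Parse a query string, refusing any parameter that appears more than once.
    Different stacks keep the first or the last duplicate (or join them), so a front-end
    filter and the back-end can disagree; rejecting duplicates removes that ambiguity."""
    parsed = parse_qs(query, keep_blank_values=True)
    dupes = sorted(name for name, values in parsed.items() if len(values) > 1)
    if dupes:
        raise BadRequest("duplicate parameter(s): " + ", ".join(dupes))
    return {name: values[0] for name, values in parsed.items()}

# Constructed data: tokens map to users, portals record their owner.
TOKENS = {"tok-alice": "alice", "tok-mallory": "mallory"}
PORTALS = {
    "p-100": {"owner": "alice", "name": "Alice's portal"},
    "p-200": {"owner": "mallory", "name": "Mallory's portal"},
}

def open_portal(query: str) -> dict:
    """Handle '?token=...&portalID=...' with an ownership check on the referenced object."""
    params = strict_query(query)
    user = TOKENS.get(params.get("token", ""))
    if user is None:
        raise PermissionError("invalid token")
    portal = PORTALS.get(params.get("portalID", ""))
    if portal is None or portal["owner"] != user:
        # Same response whether the portal is missing or belongs to someone else
        raise PermissionError("not authorised for this portal")
    return portal

def try_open(query: str) -> str:
    """Outcome label for a request; the kind of field a defender would log."""
    try:
        open_portal(query)
        return "ok"
    except BadRequest:
        return "bad_request"
    except PermissionError:
        return "forbidden"
```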
Directory Traversal
• Attackers gain access to restricted directories
• Attackers can execute commands outside of the root directory of the server
• Attackers are able to manipulate variables related to ../ files
• Attackers can use directory traversal to access files located outside the Web publishing directory
Security Misconfiguration
• Attackers acquire:
• Unauthorized access to default accounts
• Ability to read unused pages
• Ability to read/write unprotected files
• Ability to exploit unpatched flaws
• May occur at any level of the application stack
• Examples:
• Default accounts not changed
• App server admin console installed automatically and not removed
• Standard admin pages discovered on server
12.4 Injection Attacks
Injection Flaws
• Vulnerabilities in web apps that permit untrusted data to be used
• Attackers use malicious commands/queries to exploit injection flaws
• Injection flaws are common in legacy code
• Types of injection flaws include:
• SQL injection
• Command injection
• LDAP injection
SQL Injection Attacks
• Database is manipulated by a series of malicious SQL queries
• Normal security measures can be bypassed via a vulnerable web app
• Attacks can be executed via:
• Address bars
• App fields
• Searches/queries
SQL Injection Attacks (cont’d)
• SQL Injection is an attack in which one or more functions of SQL queries are modified by inserting malicious SQL code in the web app
• Basic functions: Select, insert, delete, update
• Test every input element (URL parameters, form fields, cookies, etc.)
• Simplest injection method is to submit a single apostrophe
• Helps reveal errors in input handling
• May provide correct syntax needed
• Can help you construct more effective SQL injection query
SQL Injection
• Adding an apostrophe to user name field in login form
• The apostrophe is not valid and may trigger an error
• Response can indicate column names
• Can also indicate where to add parentheses to complete syntax
• Can also leverage always-true values and comment characters
• Certain web APIs allow stacking queries in same call
• A Union operation combines results of two or more SELECT statements which can merge data from tables not directly exposed by the app
• Only works when queries have same number of columns
• Provide actual column names
SQL Injection (cont’d)
Basic SQL Injection Example
Blah’ or 1=1
This example returns ALL accounts and their balances:
SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 0 OR 1=1
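Added example (not part of the course material) running the slide's query both ways against a constructed in-memory SQLite table: string concatenation lets the always-true clause return every account, while the parameterised form binds the same input as data and returns nothing. The comment characters appended to the input are the ones the previous slide mentions.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed accounts table mirroring the columns used on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (accountNumber TEXT, balance REAL, account_owner_id TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("1001", 250.00, "alice"),
        ("1002", 9000.00, "bob"),
        ("1003", 12.50, "carol"),
    ])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, owner_id: str) -> list:
    """String concatenation: the user's input becomes part of the SQL grammar."""
    sql = ("SELECT accountNumber, balance FROM accounts "
           f"WHERE account_owner_id = '{owner_id}'")
    return conn.execute(sql).fetchall()

def safe_lookup(conn: sqlite3.Connection, owner_id: str) -> list:
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = ?"
    return conn.execute(sql, (owner_id,)).fetchall()

def probe_reveals_error(conn: sqlite3.Connection) -> bool:
    """The single-apostrophe probe from the slide: True if the concatenated query errors out."""
    try:
        vulnerable_lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False
```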
Command Injection Attacks
• Shell Injection:
• Attacker gains shell access to web server by creating an input string
• HTML Injection:
• Adding additional HTML-based content to a vulnerable web app to deface a website
• File Injection:
• Process of injecting malicious code into system files
Code Injection
• Enabled by weak or non-existent input processing
• Permits:
• DoS of app
• Privilege escalation
• Exposing and exfiltrating sensitive data
• Installing malware on server
• Defacing a website
• Mechanisms and outcomes depend on language used in injection
• Restricted to languages supported by web app technology
HTML Injection
• An HTML attack is where HTML elements are injected into a web app for malicious purposes
• Like other injections, you are targeting input components
• Adding valid code that the app will execute
• Commonly used to modify page contents
• Web app has a field for submitting feedback
• Feedback is displayed on page for others to see
• Field doesn't sanitize input
• HTML gets added to page because app fails to strip the tags out
• User browses page and can click the link
• Use with social engineering to send crafted link with injected code
LDAP Injections
• LDAP is a directory service that hierarchically stores/organizes data based on specific attributes
• Based on client-server model
• Clients can use filters to search the LDAP directory
• Gets past LDAP filters by taking advantage of non-validated web app input vulnerabilities
• Allows direct access to LDAP tree databases
• Makes use of user parameters to create an LDAP query
• LDAP vulnerability can be tested by sending a query to the server
12.5 Hidden Fields and Clickjacking
Hidden Field Manipulation Attack
• Selections on an HTML page are stored as field values and sent to the app to generate an HTTP request
• Field values can be stored as hidden fields (not rendered to screen)
• Hidden values are still submitted as parameters when forms are submitted
• Attackers can change hidden field values to change post requests
Clickjacking
• Clickjacking is an attack where a user is fooled into clicking a web page link that is different from where they had intended to land
• Victim clicks link and may be redirected to a pharming page or other malicious page
• A visitor to a site thinks he/she is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam
• The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site
• The attacker tricks users into visiting the site through links online or in email messages
Clickjacking (cont’d)
• The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera
• Only non-GUI browsers, such as Lynx, are protected, because there is nothing in the interface that's clickable
• FACEBOOK is a common venue for clickjacking
Clickjacking Example (diagram: entice people to click a visible element that is precisely overlaid on top of the hidden target element)
12.6 Cross Site Attacks
Cross-Site Scripting Attacks
• Client-side script can be injected onto a web page
• Attackers exploit dynamically generated web page vulnerabilities
• Attack requires inclusion of unvalidated input data in dynamic content
• Malicious code is hidden within legitimate requests
• Attacks used for things like:
• Data theft
• Probing Intranet
• Remote monitoring/key logging
• Manipulation of data
Cross-Site Scripting (XSS) Attacks
• Cross-Site Scripting is an attack in which malicious JavaScript is inserted and executes on the client's browser
• Can steal cookies, read sensitive info, inject malware, and more
• One of the most popular and effective attacks
Cross-Site Scripting (XSS) Attacks (cont’d)
• Three categories:
• Stored (persistent) injects scripts that remain on the server
• Reflected injects scripts that are sent to server and then bounce back to user
• DOM-based is executed entirely on client side
• Probe input components for XSS weaknesses
• Inject script into form to pop up on client’s browser
Cross-Site Scripting (XSS) Attacks (cont’d)
• Use social engineering to craft injected URL
• Persistent attack requires modifying data stored by app
• Try with forms you know store data, like site feedback page
• Not all injection points are visible
• May be able to POST data in HTTP request
• Depends on web app technology
Cross-Site Request Forgery (XSRF) Attacks
• Cross-Site Request Forgery is an attack where an established trust between an authorized user and a website is exploited
• Exploits server’s trust in user
• Takes advantage of saved authentication to access sensitive data
• Craft URL and send to victim
• Victim clicks link and automatically signs in to site due to a saved cookie
• Requested action executes automatically
• Also known as CSRF
Cross-Site Request Forgery Attacks (cont’d)
• Power of CSRF is that it's difficult to detect
• Attack is carried out by browser as if user requested it
• User could enter same URL manually and get same result
• Nearly impossible for browser to distinguish CSRF from normal activity
• CSRF can be difficult to execute
• Requires finding form that can do something malicious
• Requires knowing the right values that aren't obscured
• Sites that check referrer header will disallow requests from different origins
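Added example (not part of the course material) of a state-changing endpoint that applies the two defences these slides point to: the referrer/origin check, and a per-session anti-CSRF token the forged request cannot supply even though the browser attaches the saved cookie. The site origin, server secret and session records are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"          # assumed origin of the protected app
SERVER_SECRET = b"constructed-demo-secret"    # load from configuration in a real deployment

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session by an HMAC, so it needs no server-side token storage."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"

def valid_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def same_origin(headers: dict) -> bool:
    """The slide's referrer check, preferring Origin and falling back to Referer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False        # both headers missing: fail closed
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def handle_transfer(session: dict, headers: dict, form: dict) -> str:
    """Money transfer endpoint: needs a logged-in session, a same-origin request and a
    token that matches the session. Returns an outcome label suitable for logging."""
    if not session.get("user"):
        return "unauthenticated"
    if not same_origin(headers):
        return "rejected-origin"
    if not valid_csrf_token(session["id"], form.get("csrf_token", "")):
        return "rejected-token"
    return f"transferred {form['amount']} to {form['to']}"
```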
12.7 Additional Web App Attacks
Web Application Denial-of-Service Attack
• Attackers overload server resources by sending hundreds of requests
• App-level attacks simulate requests from legitimate clients
• App-level attacks are undetectable
• Vulnerable apps include:
• Poor validation of data
• Flaws in implementation
• Reasonable use of expectations
• Bottlenecks in the application environment
• Targets include disk bandwidth, worker processes, CPU, etc.
Buffer Overflow Attacks
• App writes more data than a block of memory is designed to hold
• Allows attackers to change address space of target process
• Attackers direct program execution to memory locations containing
malicious code
Cookie/Session Poisoning
• Cookies are required to maintain session state
• Poisoning:
• Alters the cookie content
• Permits the injection of malicious content, altering the user’s experience, gathering sensitive information
• Rewrites session data
Session Fixation Attack
• Attacker tricks user into using an explicit session ID to access a web server
• Attacker can assume the user’s identity and exploit their credentials
CAPTCHA Attacks
• CAPTCHA does not allow automated software to perform actions in a system
• Goal is to ensure users are human
• Attacker can exploit CAPTCHA vulnerabilities to compromise web app security
• Types of CAPTCHA attacks:
• Breaching client-side trust
• Attacking CAPTCHA image
• Manipulating server-side implementation
Insufficient Transport Layer Protection
• Supports algorithms that are weak
• Uses invalid/expired certificates
• Allows attacker to launch MITM/phishing attacks
• Vulnerability reveals user data to untrusted third-parties
• Potential account theft
Improper Error Handling
• Provides attackers knowledge of source code
• Allows attackers to take advantage of things like default
accounts/logic flaws
• Attackers use information in error message to identify vulnerabilities
• Information includes:
• System call failure
• Network timeout
• Null pointer exceptions
• Database unavailable
• App environment
• Web app logical flow
Insecure Cryptographic Storage
• An app uses inadequate encryption code to securely encrypt/store sensitive data
• Attackers can steal/modify data with insufficient protection
Broken Authentication and Session Management
• Attackers impersonate users by exploiting vulnerabilities in:
• Authentication functions
• Session management functions
• Types of broken authentication/session management:
• Session ID in URLs
• Password Exploitation
• Timeout Exploitation
Unvalidated Redirects and Forwards
• Attackers can:
• Install malware
• Trick users into providing passwords
• Access control bypass
Web Services Attacks
• Many new attack vectors as web services evolve
• Based on XML protocols that are vulnerable to web app threats
• Attacker attacks the web services stack, which includes:
• Transport Layer
• Access Layer
• Discovery Layer
• Security Layer
• Presentation Layer
12.8 Web App Hacking Methodology
Footprint Web Infrastructure
• First step in web app hacking
• Allows attackers to choose victims/identify vulnerable web apps
• Footprinting allows:
• Server Discovery
• Service Discovery
• Hidden Content Discovery
• Server Identification
Attacking Web Servers
• Identify web server
• Scan the server for vulnerabilities
• Launch web server attack
• Launch DoS attack
• Potential tools include:
• UrlScan
• Nikto
• Nessus
• Acunetix Web Vulnerability
• WebInspect
Analyze Web Applications
• To analyze app functionality/technology to:
• Identify user input entry points
• Identify server-side technology
• Identify server-side functionality
• Map the attack surface
Attack Authentication Mechanism
• Allows attackers to exploit web app design/implementation flaws
• Attack types include:
• User Name Enumeration
• Session Attacks
• Cookie Exploitation
• Password Attacks
Attack Authorization Schemes
• Achieved by manipulating HTTP requests via modification of input fields
• Begins with access to web app through low-privileged account
• Attacker then escalates privileges to access secure resources
• Types of authorization schemes include:
• Uniform Resource Identifier
• Parameter Tampering
• POST Data
• HTTP Headers
• Query String and Cookies
• Hidden Tags
Session Management Attacks
• Attacker bypasses authentication controls by breaking the app’s session management mechanism
• Allows attackers to impersonate legitimate app users
• Types of session management attacks:
• Session Token Generation
• Session Token Handling
Perform Injection Attacks
• Attacker breaks app’s normal input by injecting malicious input
• Types of injection attacks include:
• Web Scripts Injection
• LDAP Injection
• OS Commands Injection
• XPath Injection
• SMTP Injection
• Buffer Overflow
• SQL Injection
• Canonicalization
Attack Data Connectivity
• Apps connected to database via database connection strings
• Attacks exploit how apps connect to database
• Types of data connectivity attacks:
• Connection String Injection
• Connection Pool DoS
• Connection String Pollution (CSPP) Attacks
Web Application Client Attacks
• Attacker interacts with server-side app
• Attacker accesses unauthorised data/executes malicious actions
• Types of web app client attacks:
• Cross-site Scripting
• Redirection Attacks
• HTTP Header Injection
• Frame Injection
• Request Forgery Attack
• Session Fixation
• Privacy Attacks
• ActiveX Attacks
Web Services Attacks
• Attacks on web services expose underlying business/logic vulnerabilities
• Types of web services attacks:
• SOAP Injection
• XML Injection
• WSDL Probing Attacks
• Information Leakage
• Application Logic Attacks
• Database Attacks
• DoS Attacks
12.9 Web App Hacking Countermeasures
Encoding Schemes
• URL Encoding
• HTML Encoding
• Unicode Encoding
• Base64 Encoding
• Hex Encoding
Defending Against SQL Injection Attacks
• Put limit on length of user input
• Ensure all database traffic is monitored
• Ensure use of custom error messages
• Disable certain commands, such as xp_cmdshell
• Set method attribute to POST/use low-privilege account for connection
• Ensure database/web servers are isolated
• Ensure minimal rights on database service
• Store extended procedures on an isolated server
• All user inputs should be validated/sanitized
• Ensure use of typesafe variables/functions
Defending Against Command Injection Flaws
• Ensure input validation is performed
• Ensure escaping of dangerous characters
• Encode input/output
• Ensure use of language-specific libraries
• Ensure use of safe APIs
• Ensure all request parameters are interpreted as data
• Ensure use of modular shell disassociation
• Ensure use of parameterized SQL queries
Defending Against XSS Attacks
• Ensure validation of all parameters against strict specifications
• Ensure use of testing tools during design phase
• Ensure use of web app firewall
• Ensure conversion of non-alphanumeric characters to HTML character entities
• Websites with HTTPS cannot always be trusted in terms of XSS
• Be sure to filter script output
• Put into place a standard of signing scripts with public/private keys
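Added example (not part of the course material) implementing the entity-conversion countermeasure above for the feedback-page scenario from the HTML Injection slide: every stored entry is encoded at output time, so an injected anchor tag is displayed as text instead of becoming a clickable link. The sample feedback entries are constructed.

```python
import re

def encode_for_html_body(text: str) -> str:
    """Entity-encode every character that is not a letter, digit or space, as the slide
    recommends. Stricter than html.escape(): quotes, slashes and parentheses are covered too."""
    return re.sub(r"[^A-Za-z0-9 ]", lambda m: f"&#x{ord(m.group(0)):x};", text)

def render_feedback(entries: list) -> str:
    """Build the public feedback list; the encoding happens here, at the point of output."""
    items = "".join(f"<li>{encode_for_html_body(entry)}</li>" for entry in entries)
    return f"<ul>{items}</ul>"

def contains_foreign_markup(rendered: str) -> bool:
    """Regression check for the template: True if any tag other than our own <ul>/<li> survives."""
    return re.search(r"<(?!/?(ul|li)>)", rendered) is not None

# Constructed feedback entries, including one attempting the slide's link injection.
SAMPLE_FEEDBACK = [
    "Nice shop!",
    'Great site <a href="http://evil.example/login">click here</a>',
]
```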
Defending Against DoS Attacks
• Ensure firewall is configured to deny ICMP traffic
• Ensure remote admin/connectivity testing are secure
• Do not allow use of unnecessary functions
• Ensure input validation is executed
• Ensure sensitive information cannot be overwritten
• Ensure data processed by attacker cannot be executed
Defending Against Web Services Attacks
• Ensure WSDL Access Control Permissions are configured to grant/deny access to WSDL-based SOAP messages
• Ensure deployment of firewalls that can filter SOAP/ISAPI
• Ensure implementation of centralized inline request/response schema validation
• Ensure use of SAML document-centric authentication credentials
• Ensure IDS systems/firewalls are configured for signature detection/web services anomaly detection
• Ensure external references are blocked and use of pre-fetched content
• Ensure use of multiple security credentials
• Ensure IDS systems/firewalls filter improper XML/SOAP syntax
• Ensure security repository of XML schemas is maintained/updated
Secure CAPTCHA Implementation
• No client has direct access to CAPTCHA solution
• Do not reuse CAPTCHA/ensure randomly distorted CAPTCHA image of text
• Ensure use of well-established CAPTCHA implementation and permit users to use audio
• Ensure individual letters are warped
• Ensure letters in security code are random
• Ensure communication between website and CAPTCHA system is encrypted
• Ensure use of multiple fonts in CAPTCHA
Countermeasures for Web App Attacks
• Unvalidated Redirects/Forwards
• Broken Authentication/Session Management
• Cross-site Request Forgery
• Insecure Cryptographic Storage
• Insufficient Transport Layer Protection
• Directory Traversal
• Cookie/Session Poisoning
• Security Misconfiguration
• LDAP Injection Attacks
• File Injection Attacks
12.10 Web App Security Tools
Web Application Security Tools
• Acunetix Web Vulnerability Scanner
• Watcher Web Security Tool
• Netsparker
• N-Stalker Web Application Security Scanner
• x5s
• VampireScan
• WSSA – Web Site Security Audit
• Syhunt Mini
• Ratproxy
• OWASP ZAP
• skipfish
• SecuBat Vulnerability Scanner
• SPIKE Proxy
• Websecurify
• NetBrute
Web Application Security Tools (cont’d)
• Wapiti
• WebWatchBot
• KeepNI
• Grabber
• XSSS
• Syhunt Hybrid
• Exploit-Me
• WSDigger
• Arachni
• Vega
Web Application Firewalls
• dotDefender Firewall
• ServerDefender VP
• Radware’s AppWall
• ThreatSentry
• QualysGuard WAF
• ThreatRadar
• ModSecurity
• Barracuda Web Application
• SteelApp Web App Firewall
• IBM Security AppScan
• Trustwave Web Application Firewall
• Cyberoam’s Web Application Firewall
12.11 Web Application Pen Testing
Web Application Hacking Tools
• Burp Suite Professional
• CookieDigger
• WebScarab
• Instant Source
• w3af
• GNU Wget
• BlackWidow
• cURL
• HttpBee
• Teleport Pro
• WebCopier
• HTTrack
• MileSCAN ParosPro
• Metasploit
Web Application Pen Testing
• Used to identify/report/analyze vulnerabilities in a web app
• Performed by conducting series of methodical/repeatable tests
• Why app pen testing:
• Identifies ports
• Verifies vulnerabilities
• Remediates vulnerabilities
Information Gathering
• Analysis of robots.txt file
• Execution of search engine reconnaissance
• Identification of app entry points
• Identification of web apps
• Analysis of output coming from OPTIONS/HEAD requests
• Analysis of error codes
• Testing for recognizable file extensions/directories/types
• Examination of available page sources
• Fingerprinting of TCP/ICMP and services
Configuration Management
• Execution of SSL/TLS testing
• Execution of infrastructure configuration management testing
• Execution of handling of file extensions
• Verification of existence of unreferenced/old/backup files
• Execution of testing for XST/HTTP methods
• Execution of testing infrastructure/app admin interfaces
Authentication
• Ensure testing for vulnerabilities in Remember Password/password reset
• Ensure testing for browser cache/logout management
• Ensure testing for CAPTCHA
• Ensure testing for multi-factor authentication
• Ensure testing for race conditions
Session Management
• Ensure testing for session management schema
• Ensure testing for cookie attributes
• Ensure testing for session fixation
• Ensure testing for exposed session variables
• Ensure testing for Cross-site Request Forgery (CSRF)
Authorization
• Ensure testing for path traversal
• Ensure testing for HTTP request tampering
• Ensure testing for cookie parameter tampering
• Ensure testing for privilege escalation
Data Validation
• Testing for reflected cross-site scripting
• Testing for stored cross-site scripting
• Testing for DOM-based cross-site scripting
• Testing for cross-site flashing
• Execution of SQL injection testing
• Execution of LDAP injection testing
• Execution of ORM injection testing
• Execution of XML injection testing
Data Validation (cont’d)
• Execution of SSI injection testing
• Execution of XPath injection testing
• Execution of IMAP/SMTP injection testing
• Execution of code injection testing
• Execution of OS commanding testing
• Execution of buffer overflow testing
• Execution of incubated vulnerability testing
• Testing for HTTP splitting/smuggling
DoS
• Testing for SQL Wildcard attacks
• Testing for locked customer accounts
• Testing for overflow of buffer
• Testing for user-specific object allocation
DoS (cont’d)
• Testing for user input as loop-counter
• Writing user data to disk
• Testing for appropriate resource release
• Testing for too much data stored in a session
Web Services
• Collecting Web Services information
• Testing WSDL
• Testing structural component of XML
• Testing content-level XML
• Testing REST/HTTP GET parameters
• Testing Naughty SOAP attachments
• Executing replay testing
AJAX
• Testing for AJAX
• Parsing HTML/JavaScript files
• Ensure use of proxy for traffic observation
Web App Penetration Testing Frameworks
• Kali Linux
• Metasploit
• Browser Exploitation Framework (BeEF)
• PowerSploit
Hacking Web Applications Review
• Organizations have heavy reliance on web apps and Web 2.0
• Web apps/services are increasingly targeted by attackers
• Examples of web app vulnerabilities are injection flaws, SQL injection, and XSS
• Attackers can exploit input validation flaws to execute web app attacks
• Majority of flaws are due to misconfiguration or poor coding practices
• Examples of countermeasures include secure app development, using WAF Firewall/UDS, and input validation
Lab 12: Hacking Web Applications
