Book 2 - Part II:

Ch9, Ch10, Ch13, Ch14

Hacking Web Applications and
Common Vulnerabilities

First Edition
March 2020
 Introduction to Hacking Web
Applications

• Use a wide array of exploits, all of which are extremely common and
found often throughout many of today’s web applications.

• You will have both the recon skills required to find bugs in
applications that you can exploit, and the offensive hacking skills
required to build and deploy payloads that take advantage of those
security bugs.
 The Hacker’s Mindset
• The majority of hacking is actually data gathering and analysis.

• Most hackers don’t deconstruct or modify software but instead

analyze software in order to work with the existing codebase—
seeking entry points rather than making them.

• A good hacker is constantly on the lookout for clues that could lead
to the discovery of a vulnerability.

• The nature of this work means that even a good hacker can go a
significant amount of time without a big success.

• The hacker must also carefully keep a record of your prior attempts,
and the lessons learned from them.

• In the history of software security, hackers must constantly be

improving their skill set.
• Old techniques may become less valuable as the web adapts.
 Applied Recon
• We learn how to scout a web application, learning various bits about
its underlying technology and structure along the way.

• We learn how to determine what type of API an application was

using to serve data to its clients (the browser in our examples).

• We use a combination of public records and network scripts to

discover undocumented API endpoints.

• We learn how to identify third-party dependencies in an application.

• How to find a security hole that resulted from an integration
between custom code and third-party code.
 Applied Recon
• Understanding how to figure out the authentication scheme in place
for a web application is also crucial.
• Most web applications today offer a superset of guest
functionality to authenticated users.
• The number of APIs you can attack with an authentication token
is greater.

• The recon skills and the hacking skills go hand in hand.

• Hacking and recon are all complex and interesting skills on their
own, but together they are significantly more valuable.
 Cross-Site Scripting
• Cross-Site Scripting (XSS) vulnerabilities are some of the
most common vulnerabilities throughout the internet.

• The XSS attack functions by taking advantage of the fact

that web applications execute scripts on users’ browsers.

• XXS attacks are categorized a number of ways with the big

three:
• Stored (the code is stored on a database prior to execution)
• Reflected (the code is not stored in a database, but reflected by a
server)
• DOM-based (code is both stored and executed in the browser)
 XSS Discovery and Exploitation
• Imagine you are unhappy with the level of service provided by mega-
bank.com.

• mega-bank.com offers a customer support portal, support.megabank.com,

where you can write feedback and hopefully hear back from a customer
support representative.
Customer
Comment
Customer with little bit tech, add in some HTML bold tags

• I am not happy with the service provided by

• I am not happy with the service
your bank.
provided by your bank.
• I have waited 12 hours for my deposit to show
• I have waited 12 hours for my deposit
up in the web application.
to show up in the web application.
• <strong>Please improve your web application.
• Please improve your web application.
</strong>
• Other banks will show deposits
• Other banks will show deposits instantly.
instantly.
 XSS Discovery and Exploitation
MegaBank
support

• Hello, I am Sam with MegaBank support.

• I am sorry you are unhappy with our
application.
• We have a scheduled update next month on
the fourth that should increase the speed at
which deposits are reflected in our app.
• By the way, how did you bold that text?

• Our customer support request included a tag in this case.

• Very simple architectural mistake that can be deadly to a company if left

alone until a hacker finds it.
 XSS Discovery and Exploitation

Simple XSS
attack

1. The attacker injects a payload into the website’s database by submitting a vulnerable
form with malicious JavaScript content.
2. The victim requests the web page from the web server.
3. The web server serves the victim’s browser the page with attacker’s payload as part of
the HTML body.
4. The victim’s browser executes the malicious script contained in the HTML body. In this
case, it sends the victim’s cookie to the attacker’s server.
5. The attacker now simply needs to extract the victim’s cookie when the HTTP request
arrives at the server.
6. The attacker can now use the victim’s stolen cookie for impersonation.
 (1) Stored XSS
• Stored XSS attacks are interesting because they are the easiest
type of XSS to detect, but often one of the most dangerous
because many times they can affect the most users.

• A stored database object can be viewed by many users. In some

cases all of your users could be exposed to a stored XSS attack if a
global object is infected.

• The permanent nature of a stored XSS makes detection quite

easy. Although the script itself executes on the client (browser),
the script is stored in a database ”server side”.

• The scripts are stored as text server side, and are not evaluated.
 (1) Stored XSS

Malicious script uploaded by a user that is stored in a database and then

later requested and viewed by other users, resulting in script execution on
their machines.
 (2) Reflected XSS
• Believing reflected XSS attacks are
often much more difficult for newly
minted hackers to find and take
advantage of than stored XSS attacks.

• Reflected XSS attacks operate

identically to stored XSS attacks but are
not stored in a database, nor should
they regularly hit a server.

• A reflected XSS affects the code of the

client in the browser directly without
relying on a server to relay a message
to be rendered with a script to be
executed.
 (2) Reflected XSS

• An XSS allows an attacker to inject a script into the content of a website or app.
When a user visits the infected page, the script will execute in the victim’s browser.

• This allows attackers to steal private information like cookies, account information,
or to perform custom operations while impersonating the victim’s identity.

• Compared to stored XSS, reflected XSS only require the malicious script to be added
to a link and that a user clicks on it.
 (3) DOM-Based XSS
• DOM XSS attacks are much more difficult
to find and take advantage of than
traditional reflected or stored XSS, as they
require deep knowledge of the browser
DOM and JavaScript.

• The major difference between for DOM

XSS and other forms of XSS is that
DOMbased XSS attacks never require any
interaction with a server.

• DOM-based XSS has two elements:

• The source of user input
• The target where this user input is
written, called a sink.
 (3) DOM-Based XSS
• Source is a JavaScript property that accepts data which is
controlled by the attacker. The most common source for DOM
XSS is the URL.

• Popular source functions are:

o document.URL Example\ JavaScript code
o document.documentURI <script>
o document.URLUnencoded alert(location.href);
o document.baseURI </script>
o location
o location.href

• Sink is a potentially dangerous JavaScript function which are

responsible for showing and writing the sent values.
Example\ JavaScript code
• Popular sink functions are:
<script>
o document.write, doucment.writeln
document.write(‘hello world’) ;
o anyElement.innerHTML </script>
 Injection
• One of the most commonly known types of attacks
against a web application is SQL injection.

• SQL injection is a type of injection attack that specifically

targets SQL databases,
• Allowing a malicious user to either provide their own parameters
to an existing SQL query, or to escape an SQL query and provide
their own query.

• Injection attacks have two major components: an

interpreter and a payload from a user that is somehow
read into the interpreter.
 (1) SQL Injection
• An SQL string is escaped in an HTTP
payload, leading to custom SQL queries
being executed on behalf of the end user.

• Many Open Source Software(OSS)

packages were built using a combination
of PHP and SQL (often MySQL).

• SQL injection is a code injection technique

that might destroy your database.

• SQL injection is one of the most common

web hacking techniques.

• SQL injection is the placement of

malicious code in SQL statements, via web
page input.
 (1) SQL Injection
The potential dangers of using user input in SQL statements:
SQL Injection Based on 1=1 is Always True
Create an SQL statement to select a user, with a given user id.

The SQL statement will look like this:

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The SQL above is valid and will return ALL rows from the "Users" table,
since OR 1=1 is always TRUE.

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

A hacker might get access to all the user names and passwords in a
database, by simply inserting 105 OR 1=1 into the input field.
 SQL Injection
The potential dangers of using user input in SQL statements:
SQL Injection Based on ""="" is Always True
Here is an example of a user login on a web site:
uName = getRequestString("username");
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="'
+ uPass + '"'

Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"

A hacker might get access to user names and passwords in

a database by simply inserting " OR ""=" into the user name
or password text box:

The code at the server will create a valid SQL statement like this:
Result

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always
TRUE.
(1) SQL Injection
 (2) Code Injection
• Code Injection is the general term for
attack types which consist of injecting code
that is then interpreted/executed by the
application.

• The code injection attack runs under an

interpreter or Command-Line Interface
(CLI) called by an API end‐point.

• This type of attack exploits poor handling

of untrusted data. These types of attacks
are usually made possible due to a lack of
proper input/output data validation.

• Attackers identify user input validation

flaws such as — data format, allowed
characters, and the amount of expected
data — and use them as the basis for
developing malicious code.
 (2) Code Injection
Example:

Consider a website that extracts a value from a URL parameter and applies the eval()
function to examine its content:

$myvar = "varname";
$x = $_GET['arg'];
eval("$myvar = $x;");

If there is no input validation on URL parameters, the attacker can inject a command
into the parameter:

http://example.com/index.php?arg=1; phpinfo()

The page will then evaluate the expression arg=1; phpinfo() and run the system
command planted by the attacker.
phpinfo() function is useful for gaining information about the configuration of the environment in which
the web service runs.
(2) Code Injection
 (2) Code Injection
• Comparison between Code injection and SQL injection:

CLI Injection SQL Injection

less common CLI injection More common SQL injection

Knowledge of exploiting SQL Knowledge of exploiting SQL

databases through injection databases through injection
is less common is very common

Code injection attacks are SQL injection attacks are

harder to research easy to research
 (3) Command Injection
• A malicious user adds custom commands that
modify the normal operation of the API
endpoint.

• Command injection is an elevated form of code

injection where rather than performing
unintended actions against a CLI or interpreter,
we are performing unintended actions against
an OS.

• The ability to execute commands (typically Bash)

against a Unix-based OS (Macintosh or Linux) has
very serious risks attached to it.
• If we have direct access to the host Unix OS,
and our commands are interpreted as a
super user, we can do anything we want to
that OS.

• OS injection, Command Injection, and Arbitrary

Command Execution are synonyms of Command
Execution.
 (3) Command Injection
• A compromised OS gives the hacker access to a number of very integral
files and permissions, such as:
• /etc/passwd
Keeps track of every user account on the OS

• /etc/shadow
Contains encrypted passwords for users

• ~/.ssh
Contains SSH keys for communicating with other systems

• /etc/apache2/httpd.conf
Configuration for Apache-based servers

• /etc/nginx/nginx.conf
Configuration for Nginx-based servers
 (3) Command Injection
Example: File Name as Command Argument

• Here is an example of a program that allows remote users to view the

contents of a file, without being able to modify or delete it. The program
runs with root privileges:

• It only enables read-only access to files—it enables a command injection

attack. If the attacker passes, instead of a file name, a string like:

• The call to system() will fail to execute, and then the operating system will
perform recursive deletion of the root disk partition.
 (3) Command Injection

whoami— Show information about the user

 Denial of Service
• Denial-of-Service (DoS) attack is an attack meant to shut
down a machine or network, making it inaccessible to its
intended users.

• DoS attacks accomplish this by flooding the target with

traffic, or sending it information that triggers a crash.

• In both instances, the DoS attack deprives legitimate

users (i.e. employees, members, or account holders) of
the service or resource they expected.
 (1) regex DoS
• Regular-expression-based DoS (regex DoS) vulnerabilities are
some of the most common forms of DoS in web applications
today.

• Regular expressions are often used in web applications to

validate form fields and make sure the user is inputting text
that the server expects.

• A Regular expression is a pattern of characters and can be

used as a tool for finding those patterns within a string.

• For example, regular expression is used in web application for:

1. Input validation
2. Searching through text
 (1) regex DoS
• Simple Regex example:
o Starts with “A”
o Proceeded with “B”
o OR multiple occurrences of “C”
o Multiple B’s proceeded with multiple C’s
o End with “D”
 (1) regex DoS
• How does a Regex work?
 (2) Logical DoS Vulnerabilities
• With logical DoS vulnerabilities,
server resources are drained by an
illegitimate user. As a result,
legitimate users experience
performance degradation or loss
of service.

• Logical DoS vulnerabilities are

some of the hardest to find and
exploit, but appear more
frequently in the wild than
expected. These require a bit of
expertise to pin down and take
advantage of.
 (2) Logical DoS Vulnerabilities
• For example, a photo-sharing application could expose an API
route that permits a user to upload a photo. During upload, this
application could perform:
o Database writes (store metadata regarding the photo)
o Drive writes (log that the photo was uploaded successfully)
o SQL join (to accumulate enough data on the user and albums to populate
the
o metadata write)
o File backup (in case of catastrophic server failure)

• We cannot easily time the duration of these operations on a

server that we do not have access to it.

• We can use a combination of timing and estimation to determine

which operations are longer than others.

• We can also approximate the structure of backend code by

closely analyzing network payloads and the UI.
 (2) Logical DoS Vulnerabilities
• Given the way the operation scales based on user account
archetype, we can deduce that we could create a profile to eat up
server resource time via GET /metadata/:userid.

• That’s just an example of how logical DoS attacks are found and
exploited.

o These attacks differ by case—hence the “logical DoS” as defined

by the particular application logic in the application you are
exploiting.
 (3) Distributed DoS
• A Distributed Denial of Service (DDoS) attack occurs when multiple
systems orchestrate a synchronized DoS attack to a single target. The
essential difference is that instead of being attacked from one
location, the target is attacked from many locations at once.
 (3) Distributed DoS
• With DDoS, server resources are drained by a large number of
illegitimate users. Because they are requesting en masse, they may
even be able to perform standard requests. At scale this will drown
out server resources for legitimate users.
 (3) Distributed DoS
• In practice, most DDoS attacks do not perform logical or regex-based
DoS and instead attack at a lower level (usually at the network level,
instead of at the application level).

• Most botnet-based DDoS attacks will make requests directly against

a server’s IP address, and not against any specific API endpoint.

• The Most Famous DDoS Attacks:

1) The Google Attack(October 16, 2020)
o The attackers used several networks to spoof 167 Mpps (millions of
packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers.

2) Amazon Web Services Attack (February 2020)

o 800-pound gorilla of everything cloud computing was hit by a gigantic
DDoS attack.