(More Web Hacking)

In this module, you'll learn how to use netcat to perform cursory server reconnaissance. You'll learn what a web proxy is and how it functions. You'll know how to enable your browser to use a web proxy, and you'll know how to run the Burp Suite to intercept and edit web requests. You'll be able to use this to perform a JavaScript validation bypass. You'll know how the Cookie Manager functions and use it to forge session tokens.

1/23
Finding Out About Web Servers using netcat

root@kali:~# nc 192.168.1.191 80
GET / HTTP/1.0

HTTP/1.1 200 OK                                  [Response code, followed by headers]
Date: Tue, 26 Nov 2013 15:26:01 GMT
Server: Apache/2.2.22 (Ubuntu)                   [Server version]
Last-Modified: Tue, 29 Oct 2013 14:24:01 GMT
ETag: "2215-119-4e9e1f7cd467d"
Accept-Ranges: bytes
Content-Length: 281
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body>
<h1><center>welcome to Samurai-WTF!</center></h1>
<script>
commandmodulestr = '<script src="' + window.location.protocol + '//' + window.location.host + ':3000/hook.js type="text/javascript"><\/script>';
document.write(commandmodulestr);
</script>                                        [What's this? (See next module.)]
</body></html>

2/23
More Information From nc

root@kali:~# nc 192.168.1.191 80
GET /mutillidae/ HTTP/1.1
Host: 192.168.1.191                              [Host header required for an HTTP/1.1 request]

HTTP/1.1 200 OK
Date: Tue, 26 Nov 2013 15:34:31 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.2              [PHP version (may have known flaws)]
Set-Cookie: PHPSESSID=gfn67c5ohin7r0qrqfv023c4a4; path=/
Set-Cookie: showhints=0                          [Cookies from server]
Logged-In-User:
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

278a
<!-- I think the database password is set to blank or perhaps samurai.

3/23
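The two nc sessions above show what a server gives away in its first few header lines: the Apache and PHP versions, session cookies without any protective attributes, and even a developer comment in the body. The following Python script is an added example (not part of the course slides or of Samurai WTF) that parses a raw response of the kind nc prints and lists the findings a defender would want to fix. The response text embedded below is the one shown on the slide, reassembled into a single string; the set of checks (version disclosure, missing HttpOnly/Secure, password mentions in HTML comments) is my own choice of what to audit.

```python
"""Audit the headers an HTTP server sends back, as seen in a raw nc session,
and flag the information leaks and missing cookie attributes a defender
would want fixed.  Added example; the response below is the one captured on
the slide, not live data."""

import re

# Response captured on the slide, reassembled as a single raw HTTP message.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 26 Nov 2013 15:34:31 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.2\r\n"
    "Set-Cookie: PHPSESSID=gfn67c5ohin7r0qrqfv023c4a4; path=/\r\n"
    "Set-Cookie: showhints=0\r\n"
    "Logged-In-User: \r\n"
    "Vary: Accept-Encoding\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "278a\r\n"
    "<!-- I think the database password is set to blank or perhaps samurai.\r\n"
)

# A dotted number such as 2.2.22 or 5.3.10 inside a product header.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers, body).

    Headers come back as a list of (name, value) pairs, names lower-cased,
    because Set-Cookie legitimately repeats."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_headers(raw):
    """Return a list of human-readable findings for a raw HTTP response."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        # Product banners that carry a version make patch-level guessing easy.
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"{name} discloses a software version: {value}")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            # Attributes follow the first ';' (e.g. "path=/", "HttpOnly").
            attr_names = {a.strip().lower().split("=")[0]
                          for a in value.split(";")[1:]}
            for needed in ("httponly", "secure"):
                if needed not in attr_names:
                    findings.append(f"cookie {cookie_name} lacks {needed}")
    # Developer chatter left in HTML comments is shipped to every client.
    if "<!--" in body and "password" in body.lower():
        findings.append("HTML comment in body mentions a password")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

Run against the slide's response the audit reports seven findings: both version banners, HttpOnly and Secure missing on each of the two cookies, and the password remark in the comment. A clean response (no version in Server, cookies carrying both attributes, no comment) produces an empty list, which is what you want from a hardened server.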
Web Connection Without Proxy

Typical connection: the web browser communicates directly with the server.

[Diagram: iceweasel (port 49785) <-> Web Server, Apache (port 80)]

4/23
Web Connection With Proxy

Instead of communicating directly with the web site, your browser connects to a proxy, which forwards requests and responses.

[Diagram: iceweasel (port 49785) <-> burpsuite (port 8080) <-> Web Server, Apache (port 80)]

5/23
Why Would I Ever Want a Proxy?

Proxies can provide benefits:
 - Store commonly referenced pages
 - Restrict web usage
 - Track web usage
 - Much, much more

The Burp Suite implements a web proxy that provides the ability to capture, edit, replay, manipulate, and programmatically control the interactions between a web browser and any servers it may contact.

6/23
The Burp Suite Proxy

Start Burp in Kali by selecting Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite

7/23
Configuring Burp Interception Proxy

On the Proxy -> Options tab, make sure the listener interface is set to 127.0.0.1:8080

8/23
Configuring Iceweasel

In Iceweasel, open Edit -> Preferences -> Advanced -> Network -> Settings. Manual proxy configuration should be 127.0.0.1:8080

9/23
Intercepting Requests/Responses

On the Burp Proxy -> Intercept page, note that Intercept is on.

10/23
Navigate to a Web Page

When navigating to 192.168.1.191/mutillidae our browser hangs. Inspecting Burp shows this:

11/23
JavaScript Validation Bypass

Servers may try to enforce security by using client-side JavaScript code to validate input. Because the server is trusting the browser to do the right thing, and because the browser is under the user's control, this is inherently unreliable. Burp Intruder can be effectively used to bypass client-side validation.

12/23
Toggle Security on Mutillidae to 1

The login page now protects the form with a JavaScript filter that disallows quotes and other special characters.

13/23
Disable JavaScript?

Disabling JavaScript doesn't help much, because the page requires JavaScript to render correctly.

14/23
Use Burp to Bypass the Check

Turn the Burp interceptor on, then enter values that will pass the JavaScript filter in the Name and Password fields.

15/23
Burp View

Data sent to the host has been intercepted. username and password are both xyz.

16/23
Edit Data in Burp Before Forwarding

Change username to ' or 1 == 1 -- and then forward to the server.

17/23
Success!

The response shows we are now logged in as admin. Turn Intercept off and go about your business as admin.

[Screenshot: Admin user]

18/23
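The lesson of slides 12 through 18 is that the JavaScript filter never ran on the value the server received, and the server then built its query out of that value. The Python below is an added example, not Mutillidae's PHP: it models the same login three ways against a constructed two-row SQLite table (admin with uid 1, klaatu with uid 19, standing in for Mutillidae's accounts), with the slide's filter re-expressed as a Python predicate over an assumed character set. The string-concatenation version reproduces the outcome shown on slide 18; the bound-parameter version treats the same input as plain data, and the third version additionally repeats the validation on the server where the client cannot switch it off.

```python
"""Why a client-side filter cannot be the only check: the same login handled
three ways.  Added example, not Mutillidae's code; the accounts table and the
filter's character set are constructed for the demonstration."""

import re
import sqlite3


def make_db():
    """Constructed stand-in for the Mutillidae accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (uid INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "admin", "adminpass"), (19, "klaatu", "xyz")])
    return db


# The slide's JavaScript filter ("disallows quotes and other special
# characters"), rewritten as a Python predicate; the exact set is assumed.
FILTER = re.compile(r"[\"';<>]")


def client_side_ok(value):
    """True when the value would have passed the browser-side filter."""
    return FILTER.search(value) is None


def login_concat(db, username, password):
    """The 'before': trusts the browser's filter and concatenates SQL.

    With username set to the slide's value the quote closes the literal,
    `or 1 == 1` matches every row and `--` comments out the password check,
    so the first row (admin) comes back."""
    query = ("SELECT username FROM accounts WHERE username='%s' AND password='%s'"
             % (username, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_param(db, username, password):
    """The 'after': bound parameters, so the input is data and never SQL."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def login_validated(db, username, password):
    """Defence in depth: repeat the validation on the server, then bind."""
    if not (client_side_ok(username) and client_side_ok(password)):
        return None
    return login_param(db, username, password)


if __name__ == "__main__":
    db = make_db()
    edited = "' or 1 == 1 --"          # the value forwarded on slide 17
    print("concat   :", login_concat(db, edited, "xyz"))     # admin
    print("param    :", login_param(db, edited, "xyz"))      # None
    print("validated:", login_validated(db, edited, "xyz"))  # None
```

Note that the server-side copy of the filter is a secondary control: the bound-parameter query is what actually removes the injection, and the filter only gives you an early, loggable rejection of input the browser should never have sent.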
Forging Session Tokens

If multiple web pages must be visited in the context of a single session, the server must maintain some kind of session token in the user's browser. If the security of the session information is weak, an attacker may be able to forge the session information of another user.

19/23
Register a New User

Register a new user, then log in.

20/23
Look at the Cookies with Cookie Manager

The Cookie Manager Firefox extension is installed in Samurai WTF.

21/23
You Can Edit the UID Session Cookie

In this case, klaatu (the new user) has uid 19. We can edit this to substitute a more interesting value (like 1).

22/23
Success

Navigating to any page thereafter (here we pressed "What Should I Do?") shows we are logged in as admin.

[Screenshot: Admin user]

23/23
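The cookie edit on slides 22 and 23 works because the uid cookie is the whole of the session state: the server believes whatever number the browser sends. The Python below is an added example, not Mutillidae's code, contrasting that weak scheme with a session cookie whose uid is bound to a server-side HMAC. The secret key, the "uid.mac" token layout and the function names are constructed for the demonstration; `edited_uid` reproduces what the Cookie Manager edit on slide 22 does to such a token so that the verifier's rejection of it can be checked.

```python
"""A session cookie that cannot be edited into someone else's uid.
Added example, not Mutillidae's code: the secret, the token layout and the
function names are constructed for the demonstration."""

import base64
import hashlib
import hmac

# Constructed server-side secret.  A real deployment loads this from
# configuration, keeps it out of source control and rotates it.
SERVER_SECRET = b"demo-secret-not-for-production"


def weak_lookup(cookie):
    """The scheme on the slides: the cookie *is* the uid, so the server
    trusts whatever number the browser presents."""
    return int(cookie) if cookie.isdigit() else None


def _sign(payload):
    """URL-safe base64 HMAC-SHA256 of payload under the server secret."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_session(uid):
    """Cookie value the server sets at login: '<uid>.<mac>'."""
    uid_bytes = str(uid).encode()
    return f"{uid}.{_sign(uid_bytes)}"


def verify_session(cookie):
    """Return the uid the cookie was issued for, or None if it was altered,
    truncated or never issued by this server."""
    uid_str, sep, mac = cookie.partition(".")
    if not sep or not uid_str.isdigit():
        return None
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, _sign(uid_str.encode())):
        return None
    return int(uid_str)


def edited_uid(cookie, new_uid):
    """What the Cookie Manager edit on slide 22 amounts to: the uid field is
    changed while the rest of the cookie is left alone."""
    _, _, mac = cookie.partition(".")
    return f"{new_uid}.{mac}"


if __name__ == "__main__":
    klaatu = issue_session(19)
    print("issued    :", klaatu)
    print("verifies  :", verify_session(klaatu))               # 19
    print("edited    :", verify_session(edited_uid(klaatu, 1)))  # None
    print("weak 19->1:", weak_lookup("1"))                     # 1
```

The signed token still reveals the uid in clear and is still replayable if stolen, so it belongs in a cookie with HttpOnly and Secure set and should carry an expiry in the signed payload; what it removes is the specific failure on slide 23, where changing a digit is enough to become admin.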