Web-Based Hacking - Servers and Applications

Web Organizations

  • Internet Engineering Task Force (IETF) - creates engineering documents to help make the Internet work better
  • World Wide Web Consortium (W3C) - a standards-developing community
  • Open Web Application Security Project (OWASP) - organization focused on improving the security of software

OWASP Web Top 10

  • A1 - Injection Flaws - SQL, OS and LDAP injection
  • A2 - Broken Authentication and Session Management - functions related to authentication and session management that aren't implemented correctly
  • A3 - Sensitive Data Exposure - not properly protecting sensitive data (SSN, CC numbers, etc.)
  • A4 - XML External Entities (XXE) - exploiting XML processors by uploading hostile content in an XML document
  • A5 - Broken Access Control - having improper controls on areas that should be protected
  • A6 - Security Misconfiguration - across all parts of the server and application
  • A7 - Cross-Site Scripting (XSS) - taking untrusted data and sending it without input validation
  • A8 - Insecure Deserialization - improperly de-serializing data
  • A9 - Using Components with Known Vulnerabilities - libraries and frameworks that have known security holes
  • A10 - Insufficient Logging and Monitoring - not having enough logging to detect attacks

WebGoat - project maintained by OWASP which is an insecure web application meant to be tested

Web Server Attack Methodology

  • Information Gathering - Internet searches, whois, reviewing robots.txt
  • Web Server Footprinting - banner grabbing
    • Tools
      • Netcraft
      • HTTPRecon
      • ID Serve
      • HTTPrint
      • nmap
        • nmap --script http-trace -p80 localhost (detects vulnerable TRACE method)
        • nmap --script http-google-email (lists email addresses)
        • nmap --script hostmap-* (discovers virtual hosts on the IP address you are trying to footprint; * is replaced by online db such as IP2Hosts)
        • nmap --script http-enum -p80 (enumerates common web apps)
        • nmap -p80 --script http-robots.txt (grabs the robots.txt file)
  • Website Mirroring - brings the site to your own machine to examine structure, etc.
    • Tools
      • Wget
      • BlackWidow
      • HTTrack
      • WebCopier Pro
      • Web Ripper
      • SurfOffline
  • Vulnerability Scanning - scans web server for vulnerabilities
    • Tools
      • Nessus
      • Nikto - specifically suited for web servers; still very noisy like Nessus
  • Session Hijacking
  • Web Server Password Cracking

Web Server Architecture

  • Most Popular Servers - Apache, IIS and Nginx
  • Apache runs configurations as a part of a module within special files (httpd.conf, etc.)
  • IIS runs all applications in the context of LOCAL_SYSTEM
  • IIS 5 had a ton of bugs - easy to get into
  • N-Tier Architecture - distributes processes across multiple servers; normally as three-tier: Presentation (web), logic (application) and data (database)
  • Error Reporting - should not be showing errors in production; easy to glean information
  • HTML - markup language used to display web pages
  • HTTP Request Methods
    • GET - retrieves whatever information is in the URL; sending data is done in URL
    • HEAD - identical to GET except that no body is returned
    • POST - sends data via body - data not shown in URL or in history
    • PUT - requests data be stored at the URL
    • DELETE - requests origin server delete resource
    • TRACE - requests application layer loopback of message
    • CONNECT - reserved for use with proxy
    • Both POST and GET can be manipulated by a web proxy
  • HTTP Error Messages
    • 1xx: Informational - request received, continuing
    • 2xx: Success - action received, understood and accepted
    • 3xx: Redirection - further action must be taken
    • 4xx: Client Error - request contains bad syntax or cannot be fulfilled
    • 5xx: Server Error - server failed to fulfill an apparently valid request

Web Server Attacks

  • DNS Amplification - uses recursive DNS to DoS a target; amplifies DNS answers to target until it can't do anything
  • Directory Traversal (../ or dot-dot-slash) - requests a file that should not be accessible from the web server
  • Parameter Tampering (URL Tampering) - manipulating parameters within URL to achieve escalation or other changes
  • Hidden Field Tampering - modifying hidden form fields producing unintended results
  • Web Cache Poisoning - replacing the cache on a box with a malicious version of it
  • WFETCH - Microsoft tool that allows you to craft HTTP requests to see response data
  • Misconfiguration Attack - same as before - improper configuration of a web server
  • Password Attack - attempting to crack passwords related to web resources
  • Connection String Parameter Pollution - injection attack that uses semicolons to take advantage of databases that use this separation method
  • Web Defacement - simply modifying a web page to say something else
  • Tools
    • Brutus - brute force web passwords of HTTP
    • Hydra - network login cracker
    • Metasploit
      • Basic workflow: libraries use interfaces and modules to send attacks to services
      • Exploits hold the actual exploit
      • Payload contains the arbitrary code if exploit is successful
      • Auxiliary used for one-off actions (like a scan)
      • NOPS used for buffer-overflow type operations
  • Shellshock - causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions
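
A server-side check against the dot-dot-slash attack listed above, as an added example that is not part of the original notes. The function name `resolve_under_root` and the temporary document root are assumptions made for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_under_root(url_path, web_root):
    """Return the file path a URL path maps to, or None if it leaves web_root."""
    decoded = unquote(url_path)          # "%2e%2e%2f" decodes to "../"
    if "\x00" in decoded:                # NUL bytes never belong in a file name
        return None
    root = os.path.realpath(web_root)
    # Strip leading slashes first: os.path.join() discards the root entirely
    # when the second argument is absolute.
    joined = os.path.join(root, decoded.lstrip("/"))
    # realpath() collapses ".." segments and follows symlinks, so the check
    # below sees the location that would really be opened.
    candidate = os.path.realpath(joined)
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    root = tempfile.mkdtemp()            # constructed document root
    for path in ["/index.html", "/img/../index.html",
                 "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]:
        print(path, "->", resolve_under_root(path, root))
```

The comparison is made on the canonical path after decoding, so filtering the literal string "../" is not needed and encoded variants are handled the same way.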

Web Application Attacks

  • Most often hacked because of inherent weaknesses built into the program
  • First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
  • Tools for Identifying Entry Points
    • WebScarab
    • HTTPrint
    • BurpSuite
  • Web 2.0 - dynamic applications; have a larger attack surface due to simultaneous communication
  • File Injection - attacker injects a pointer in a web form to an exploit hosted elsewhere
  • Command Injection - attacker gains shell access using Java or similar
  • LDAP Injection - exploits applications that construct LDAP statements
    • Format for LDAP injection includes )(&)
  • SOAP Injection - inject query strings in order to bypass authentication
    • SOAP uses XML to format information
    • Messages are "one way" in nature
  • Buffer Overflow (Smashing the stack) - attempts to write data into application's buffer area to overwrite adjacent memory, execute code or crash a system
    • Inputs more data than the buffer is allowed
    • Includes stack, heap, NOP sleds and more
    • Canaries - systems can monitor these - if they are changed, they indicate a buffer overflow has occurred; placed between buffer and control data
  • XSS (Cross-site scripting) - inputting JavaScript into a web form that alters what the page does
    • Can also be passed via URL (http://IPADDRESS/";!--"=&{()})
    • Can be malicious by accessing cookies and sending them to a remote host
    • Can be mitigated by setting HttpOnly flag for cookies
    • Stored XSS (Persistent or Type-I) - stores the XSS in a forum or the like for multiple people to access
  • Cross-Site Request Forgery (CSRF) - forces an end user to execute unwanted actions on an app they're already authenticated on
    • Inherits identity and privileges of victim to perform an undesired function on victim's behalf
    • Captures the session and sends a request based off the logged in user's credentials
    • Can be mitigated by sending random challenge tokens
  • Session Fixation - attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user's credentials
  • Cookies - small text-based files that contain information like preferences, session details or shopping cart contents
    • Can be manipulated to change functionality (e.g. changing a cookie that says "ADMIN=no" to "yes")
    • Sometimes, but rarely, can also contain passwords
  • SQL Injection - injecting SQL commands into input fields to produce output
    • Data Handling - Definition (DDL), manipulation (DML) and control (DCL)
    • Example - input "' OR 1 = 1 --" into a login field - basically tells the server if 1 = 1 (always true) to allow the login.
    • Double dash (--) tells the server to ignore the rest of the query (in this example, the password check)
    • Basic test to see if SQL injection is possible is just inserting a single quote (')
    • Fuzzing - inputting random data into a target to see what will happen
    • Tautology - using always true statements to test SQL (e.g. 1=1)
    • In-band SQL injection - uses same communication channel to perform attack
      • Usually is when data pulled can fit into data exported (where data goes to a web table)
      • Best for using UNION queries
    • Out-of-band SQL injection - uses different communication channels (e.g. export results to file on web server)
    • Blind/inferential - error messages and screen returns don't occur; usually have to guess whether a command worked or use timing to know
    • Tools
      • Sqlmap
      • sqlninja
      • Havij
      • SQLBrute
      • Pangolin
      • SQLExec
      • Absinthe
      • BobCat
  • HTTP Response Splitting - adds header response data to an input field so server splits the response
    • Can be used to redirect a user to a malicious site
    • Is not an attack in and of itself - must be combined with another attack
  • Countermeasures - input scrubbing for injection, SQL parameterization for SQL injection, keeping patched servers, turning off unnecessary services, ports and protocols
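
The login example from the SQL Injection notes next to the "SQL parameterization" countermeasure, as an added example that is not part of the original notes. The in-memory SQLite table, its single user and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    # Plaintext password only to keep the example short.
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, name, password):
    # String concatenation: the input becomes part of the SQL text, so a
    # quote ends the literal and "--" comments out the password check.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, name, password):
    # Placeholders: the driver passes the values separately from the SQL
    # text, so quotes and dashes are compared as ordinary characters.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1 = 1 --"          # the input quoted in the notes
    print("concatenated: ", login_vulnerable(db, tautology, "x"))
    print("parameterized:", login_parameterized(db, tautology, "x"))
```

With the concatenated query, a lone single quote in the name field raises a database syntax error, which is the behaviour the "basic test" bullet relies on; the parameterized query treats it as a name that matches no row.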
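
The three session mitigations named in the notes (HttpOnly cookies, random CSRF challenge tokens, and a fresh session ID at login against session fixation) in one place, as an added example that is not part of the original notes. The in-memory `SESSIONS` store and all function names are assumptions made for the illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session id -> {"user", "csrf"}; in-memory store for the example

def new_session(user=None):
    """Create a session with an unpredictable id and its own CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def login(old_sid, user):
    """Session fixation defense: drop the pre-login id and issue a new one."""
    SESSIONS.pop(old_sid, None)
    return new_session(user)

def session_cookie(sid):
    """Build the Set-Cookie value; HttpOnly hides the id from page scripts."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def csrf_ok(sid, submitted_token):
    """Accept a state-changing request only if it carries the session's token."""
    session = SESSIONS.get(sid)
    if session is None or not submitted_token:
        return False
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(session["csrf"].encode(),
                               submitted_token.encode())

if __name__ == "__main__":
    anonymous = new_session()            # id handed out before login
    authed = login(anonymous, "alice")   # id changes at the privilege boundary
    print(session_cookie(authed))
    print("old id still valid:", anonymous in SESSIONS)
    print("forged request accepted:", csrf_ok(authed, "guess"))
```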