Hacking Web Applications
Module 13

Engineered by Hackers. Presented by Professionals.

CEH

Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Exam 312-50

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 13 Page 1724
Security News

XSS Attacks Lead Pack As Most Frequent Attack Type

Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF). One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration).
XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517. Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as usernames, passwords and credit card details - without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site, and this ranges from personal data found on social networking sites to the financial and confidential details entered on ecommerce sites, amongst others.
A great number of organisations have fallen victim to such attacks in recent years, including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore, in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:

During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter.
Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of
details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."
Copyright © 2013 UBM Tech, All rights reserved
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
Module Objectives

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators to monitor and manage the web application are described. Finally, web application pen testing is discussed. This module familiarizes you with:

- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Attack Data Connectivity
- Attack Web App Clients
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Flow

Web applications are application programs that can only be accessed over an Internet connection. These applications use HTTP as their primary communication protocol. Attackers generally target these apps for several reasons, and they are exposed to various attacks. For a clear understanding of "hacking web applications," we have divided the concept into various sections:

- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the Web App concepts.
Web App Concepts

This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report in 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications when compared to other vulnerabilities. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities are the most common vulnerabilities, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
[Chart: Web Application Security Statistics 2012 (WhiteHat Security). Vulnerability classes plotted: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration.]
Introduction to Web Applications

- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all applications based on web servers for purposes such as communication with users, clients, third-party users, etc.
A web application is comprised of many layers of functionality. However, it is considered a three-layered architecture consisting of presentation, logic, and data layers.
The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, i.e., Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over another unused port.
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun One. Resources are identified by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state,

maintained with the client.
Cookies can be used as tokens, which servers hand over to clients to allow access to websites. However, cookies are not perfect from a security point of view because they can be copied and stored on the client's local hard disk, so that users do not have to request a token for each query. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
Attackers use different types of vulnerabilities that can be discovered in web applications and exploit them to compromise web applications. Attackers also use tools to launch attacks on web applications.
Web Application Components
The components of web applications are listed as follows:

Login:

Most websites allow authentic users to access the application by means of login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com

The Web Server:

It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism:

Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.

User Permissions:

When you are not allowed to access the specified web page in which you are logged in with user permissions, you may be redirected again to the login page or to any other page.

The Application Content:

It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser for carrying out certain functions.

Data Access:

Usually the web pages will be contacting each other via a data access library in which all the database details are stored.

This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network. They can be in contact or accessible with each other through the network connection.

Role-level System Security

Application Logic:

Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and gives it services accordingly. The services offered by the application logic include asking questions and giving the latest updates against the database as well as generating a user interface.

Logout:

An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either by the application logic taking the initiative or by automatically ending when the servlet session times out.
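The session tracking mechanism and the cookie-as-token discussion above leave out what the server side of such a mechanism actually does. The following is an added example (not code from the CEH module) of a minimal server-side session store: the login step hands the browser a random token in a cookie, each later request is resolved only through that token, the token expires after an idle timeout, and logout invalidates it. The names SessionStore, the sid cookie, the credential table and the 15-minute timeout are all constructed for the demonstration. The "copied_cookie" step in the walkthrough shows the module's point that a cookie copied from the client's disk is indistinguishable from the original; expiry and logout invalidation are the two controls that bound that exposure.

```python
"""Cookie-based session tracking over stateless HTTP (added example)."""
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 900  # constructed policy: 15-minute idle timeout


class SessionStore:
    """Maps a token to (username, expiry). The browser only ever holds the token."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def login(self, username, password, users):
        """Verify credentials and hand back a fresh, unguessable token."""
        stored = users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_urlsafe(32)      # 256 random bits
        self._sessions[token] = (username, self.now() + self.ttl)
        return token

    def user_for(self, token):
        """Resolve a presented token; None if unknown, expired or logged out."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() >= expires_at:
            del self._sessions[token]           # expiry is enforced server-side
            return None
        return username

    def logout(self, token):
        """Invalidate the token so any copy kept elsewhere stops working too."""
        self._sessions.pop(token, None)


def parse_cookie_header(header):
    """Turn a Cookie header value such as 'theme=dark; sid=abc' into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def handle_request(store, cookie_header):
    """One stateless request: identity comes only from the sid cookie."""
    token = parse_cookie_header(cookie_header or "").get("sid")
    user = store.user_for(token) if token else None
    return f"200 OK hello {user}" if user else "302 redirect to login"


def demo():
    """Walk through login, normal use, a copied cookie, expiry and logout."""
    clock = [0.0]
    store = SessionStore(now=lambda: clock[0])
    users = {"alice": "correct horse"}      # constructed credential table
    results = {}
    results["bad_password"] = store.login("alice", "wrong", users)
    token = store.login("alice", "correct horse", users)
    results["with_cookie"] = handle_request(store, f"sid={token}")
    # The same token presented from anywhere else looks identical to the
    # server: a copied cookie grants access until it expires or is revoked.
    results["copied_cookie"] = handle_request(store, f"theme=dark; sid={token}")
    results["no_cookie"] = handle_request(store, None)
    clock[0] += SESSION_TTL_SECONDS + 1
    results["after_expiry"] = handle_request(store, f"sid={token}")
    token = store.login("alice", "correct horse", users)
    store.logout(token)
    results["after_logout"] = handle_request(store, f"sid={token}")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:14} -> {outcome}")
```

Keeping the session table on the server and sending the browser nothing but a random token is what makes logout meaningful: the token can be dropped from the table at any time, whereas a cookie that itself encodes the user's identity cannot be recalled once copied.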
How Web Applications Work

SELECT * from news where id=6329

Output:

ID    Topic   News
6329  Tech    CNN
How Web Applications Work

Whenever someone clicks or types in the browser, the requested website or content is immediately displayed on the screen of the computer, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved.

The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

- First the user types the website name or URL in the browser and the request is sent to the web server.
- On receiving the request, the web server checks the file extension:
- If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.

request must be processed by the web application server.

Therefore, the web server passes the user's request to the web application server. The user's request is now processed by the web application server. In order to process the user's request, the web server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.
[Figure: request path showing User, Login Form, Internet, Firewall, Web Server]
Web Application Architecture

[Figure: web application architecture. Clients: Web Browser, External Web Services, Smart Phones, Web Appliances. Presentation Layer: Flash, Silverlight, JavaScript. Web Server: Proxy Server, Cache, Firewall, HTTP Request Parser, Authentication and Login, Resource Handler, Servlet Container. Business Layer: Application Server with Business Logic (J2EE, .NET, COM, XCode, C++, COM+), Legacy Application, Data Access. Database Layer: Cloud Services, Database Server.]
All web applications execute with the help of the web browser as a supporting client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented using the client-side script, and the hardware tasks such as storing and gathering required data are handled by the server-side script.

In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. The data access is handled by the database layer using cloud services and a database server.
Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Flash-rich interface websites
- Mobile application (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Frameworks (Yahoo! UI Library, jQuery)
- Blogs (WordPress)
C E H V u l n e r a b i l i t y S t a c k _ C u s t o m W e b A p p li c a t i o n s
B
_ B u s in e s s L o g ic F la w s T e c h n ic a l V u ln e r a b i l it ie s T h i r d P a r t y C o m p o n e n t sE l
E
O p e n S o u r c e / C o m m e r c i a l f ^ ־w r O r a c le / M y S Q L / M S S Q L A p a c h e / M i c r o s o f t IIS A pache W i n d o w s / L in u x /OSX R o u t e r / S w it c h IPS / ID SC o p y r ig h t © b y
E&C01nal.
A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .D a t a b a s e W e b S e r v e r O p e r a t i n g S y s te m N e t w o r k S e c u r it y V u l n e r a b i l i t y S t a c k
i f
-
The w e b a p p lic a tio n s are m a in ta in e d and accessed th ro u g h v a rio u s levels th a t in c lu d e : c u s to m w e b a p p lic a tio n s , th ir d - p a r ty c o m p o n e n ts , databa ses, w e b servers, o p e ra tin g system s, n e tw o rk s , and s e c u rity . A ll th e m e c h a n is m s o r s e rvice s e m p lo y e d a t each level h e lp th e user in o n e o r th e o th e r w a y to access th e w e b a p p lic a tio n se cu re ly. W h e n ta lk in g a b o u t w e b a p p lic a tio n s , s e c u rity is a c ritic a l c o m p o n e n t to be c o n s id e re d because w e b a p p lic a tio n s are a m a jo r sources o f atta cks. The fo llo w in g v u ln e r a b ility s ta ck show s th e levels and th e c o rre s p o n d in g e le m e n t/m e c h a n is m /s e rv ic e e m p lo y e d a t each level th a t m akes th e w e b a p p lic a tio n s v u ln e ra b le :Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited. Module 13 Page 1744
Level                      Element / mechanism / service          Class of weakness
Custom Web Applications    Application code                       Business logic flaws
Third Party Components     Open source / commercial               Technical vulnerabilities
Database                   Oracle / MySQL / MS SQL                Technical vulnerabilities
Web Server                 Apache / Microsoft IIS                 Technical vulnerabilities
Operating System           Windows / Linux / OS X                 Technical vulnerabilities
Network                    Router / Switch                        Technical vulnerabilities
Security                   IPS / IDS                              Technical vulnerabilities
Web Attack Vectors

An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting. Security controls need to be updated continuously, because the attack vectors keep changing with respect to the target of attack.

An attack vector is a method of entering an unauthorized system in order to perform malicious attacks. Once attackers gain access to the system or the network, they deliver an attack payload or cause a malicious outcome. No protection method is completely attack-proof, because attack vectors keep changing and evolving with each new technological change. Examples of the various types of attack vectors:
- Parameter manipulation: The attacker supplies crafted input values to the web service and thereby gains control over the SQL, LDAP, XPath, or shell commands that are built from them. When unexpected values are passed to web services, the web applications running on top of those services become vulnerable and are easily attacked.
- XML poisoning: Attackers supply manipulated XML documents that, when parsed, disturb the logic of the parsing routine on the server. When huge or deeply nested XML documents are processed at the application layer, the attacker can use them to exhaust the server or as a foothold to launch further attacks and gather information.
- Client validation: Client-side validation must always be backed by server-side validation. AJAX routines can be manipulated easily, which in turn gives attackers a way to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.
- Server misconfiguration: The attacker tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: WS-Routing allows SOAP messages to travel through different nodes on the Internet. A compromised intermediate node can give the attacker access to the SOAP messages exchanged between the two endpoints.
- Cross-site scripting: Whenever injected JavaScript code is executed in a targeted browser, the attacker can exploit that browser to gather information.
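The XML poisoning vector above is easiest to see with a concrete document. The following Python example is added here and is not part of the original module: it shows one form of the attack, entity expansion inside a DOCTYPE (the "billion laughs" pattern, shown at a harmless size), against a parser that accepts DTDs, and the usual countermeasure of refusing any DOCTYPE and capping document size before parsing. The sample documents and the 64 KiB size cap are constructed assumptions for the example.

```python
import xml.parsers.expat

# Constructed sample documents for this example (not from the original page).
BENIGN = '<?xml version="1.0"?><order><item sku="42" qty="1"/></order>'
# Three levels of nested entities: &c; expands to 10 * 10 * 10 = 1000 characters.
# Deeper nesting grows exponentially and can exhaust the parser's memory from
# a few hundred bytes of input.
BOMB = ('<?xml version="1.0"?>'
        '<!DOCTYPE bomb [<!ENTITY a "aaaaaaaaaa">'
        '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
        '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
        '<order>&c;</order>')

MAX_BYTES = 64 * 1024      # assumed size cap for this service's documents


class XmlRejected(Exception):
    """Raised when a document is refused before or during parsing."""


def parse_xml(doc, allow_dtd=False):
    """Parse with expat and return (element names, character data).

    With allow_dtd=False (the hardened default) any DOCTYPE declaration
    aborts the parse, which rules out internal entity expansion and
    external entity references in one move.
    """
    if len(doc.encode("utf-8")) > MAX_BYTES:
        raise XmlRejected("document exceeds size cap")
    parser = xml.parsers.expat.ParserCreate()
    names, chunks = [], []
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.CharacterDataHandler = chunks.append
    if not allow_dtd:
        def reject_doctype(*_):
            # Exceptions raised in a handler propagate out of parser.Parse().
            raise XmlRejected("DOCTYPE not allowed")
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(doc, True)
    return names, "".join(chunks)


def is_rejected(doc, allow_dtd=False):
    """True if parse_xml refuses the document, False if it parses."""
    try:
        parse_xml(doc, allow_dtd)
    except XmlRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_xml(BENIGN))
    print("bomb, DTD allowed: expands to", len(parse_xml(BOMB, True)[1]), "chars")
    print("bomb, DTD refused:", is_rejected(BOMB))
```

Refusing the DOCTYPE outright is the simplest robust policy for services that never legitimately need DTDs; the size cap is applied before parsing so that a large document is rejected without ever allocating parser state for it.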
Module Flow
Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code, as far as security is concerned, is poor; another is that the application has a complex setup. Attackers can easily launch attacks by exploiting these loopholes. We now discuss the threats associated with web applications.
Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing.
tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1
Web application threats are not limited to attacks based on URLs and port 80. Whatever ports, protocols, and OSI layers are in use, the integrity of mission-critical applications must be protected from possible future attacks, and vendors who want to protect their products' applications must be able to deal with all methods of attack.
The various types of web application threats are as follows:

Cookie Poisoning
By changing the information inside a cookie, attackers bypass the authentication process; once they gain control, they can modify content, use the system for malicious attacks, or steal information from the user's system.
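The following Python example, added here and not part of the original module, shows the cookie poisoning described above against a cookie that carries the user's role in the clear, and the usual fix: the server signs the cookie value with an HMAC and refuses any value whose tag does not verify. The cookie layout, the user name and the server secret are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac

# Assumed server-side secret for the example; in a real deployment it comes
# from a key store and is never sent to the client.
SECRET = b"example-server-secret-not-for-production"


def parse_cookie(header):
    """Minimal 'k1=v1; k2=v2' -> dict parser for the example."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def role_from_cookie_vulnerable(header):
    """Trusts whatever 'role' the browser sends back. Editing the cookie
    from role=user to role=admin is all the attacker needs."""
    return parse_cookie(header).get("role", "guest")


def sign(value, key=SECRET):
    """value + '.' + base64url(HMAC-SHA256(key, value))."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify(signed, key=SECRET):
    """Return the payload if the tag matches, otherwise None."""
    value, dot, _tag = signed.rpartition(".")
    if not dot:
        return None
    # Recompute and compare in constant time to avoid a timing oracle.
    if hmac.compare_digest(sign(value, key), signed):
        return value
    return None


def make_cookie_safe(user, role):
    """Cookie the server issues: 'auth=<user>:<role>.<tag>'."""
    return "auth=" + sign("%s:%s" % (user, role))


def role_from_cookie_safe(header):
    """Only honours a role that the server itself signed."""
    payload = verify(parse_cookie(header).get("auth", ""))
    if payload is None:
        return "guest"
    return payload.split(":", 1)[1]


if __name__ == "__main__":
    print("plain cookie, poisoned:", role_from_cookie_vulnerable("user=jasons; role=admin"))
    cookie = make_cookie_safe("jasons", "user")
    print("signed cookie:", cookie)
    print("signed cookie, poisoned:",
          role_from_cookie_safe(cookie.replace("jasons:user", "jasons:admin")))
```

Signing stops the client from altering the role, but it does not hide the payload and it does not prevent replay of a stolen cookie; the stronger design keeps the role on the server and sends the browser only an opaque session identifier.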
Directory Traversal
Attackers exploit HTTP by using directory traversal sequences to reach restricted directories and to read or execute files outside the web server's root directory.
Unvalidated Input
In order to bypass the security system, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders: attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.
Cross-site Scripting (XSS)

An attacker injects malicious scripts into the web pages of a particular website so that they execute in the browsers of other users who view those pages, bypassing the client-side security mechanisms and acquiring the victim's access privileges. These malicious scripts can even rewrite the HTML content of the website.
Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
SQL Injection

This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.
Parameter/Form Tampering

This type of tampering attack manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. This information is stored in cookies, hidden form fields, or URL query strings and is used to increase application functionality and control. Attackers use intercepting proxies such as WebScarab and Paros to modify these parameters in transit.
Denial-of-Service (DoS)

A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or an email service is not able to function for a few hours to a few days. This results in loss of time and money.
Broken Access Control

Broken access control refers to a flaw in how the application enforces access control; attackers who identify such a flaw bypass the authorization checks and compromise the application or the network behind it.
Cross-site Request Forgery

Cross-site request forgery is a kind of attack in which an authenticated user is made to perform certain tasks on the web application that the attacker chooses, for example by clicking a particular link sent through an email or chat.
Information Leakage

systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling

It is necessary to define how the system or network should behave when an error occurs. Otherwise, the error may give the attacker a chance to break into the system, either through the details the error message reveals or through the unstable state it leaves behind. Improper error handling may also lead to DoS attacks.
Log Tampering

Logs are maintained by web applications to track usage patterns, including user and administrator login activity. Attackers inject, delete, or tamper with web application logs so that they can perform malicious actions unnoticed or hide their identities.
Buffer Overflow

A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
Broken Session Management

These attacks occur when security-sensitive credentials such as passwords and session tokens are not properly protected. Attackers compromise the credentials through these vulnerabilities.
Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with automated scanners, and attackers use the same scanners to find and exploit them.
Broken Account Management

Even authentication schemes that are otherwise valid are weakened by vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.
Insecure Storage

Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, typically in a database or on a file system. If these storage locations are not properly secured, the web application is at risk because attackers can reach the storage and misuse the information stored there. Insecure storage of keys, certificates, and passwords allows an attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

Platform Exploits
Web applications are built on different platforms such as BEA WebLogic and ColdFusion. Each platform has its own vulnerabilities and exploits associated with it.
Insecure Direct Object References

An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, directly to the client.

For example, if a bank account number is used as the primary key and appears in the request, there is a good chance the attacker can substitute another number and reach other customers' records through that reference.
Insecure Cryptographic Storage

Sensitive data stored in the database has to be properly encrypted. Encryption methods invented by the developers themselves are often not up to par; well-vetted, cryptographically strong algorithms have to be used. At the same time, care must be taken in storing the cryptographic keys: if the keys are kept in insecure places, the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking

To identify the user, every web application relies on user identification such as a user ID and password. Once the attacker compromises these credentials, theft of services, session hijacking, and user impersonation can occur.
Network Access Attacks

Network access attacks can heavily impact web applications. They can affect the basic level of services within an application and can allow access that standard HTTP application methods would not provide.
Cookie Snooping

Attackers use cookie snooping on a victim's system to analyze the victim's surfing habits, sell that information to other attackers, or use it to launch further attacks on the victim's web applications.
Web Services Attacks

Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.
Insufficient Transport Layer Protection

SSL/TLS should be used to protect authentication and authenticated sessions on websites; otherwise an attacker who can monitor network traffic can steal an authenticated user's session cookie.

Account theft, phishing attacks, and takeover of admin accounts may follow once the sessions are compromised.
Hidden Manipulation

These attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this problem every day: attackers alter prices and conclude transactions at the prices of their choice.
DMZ Protocol Attacks

The DMZ (demilitarized zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that is allowed to speak other DMZ protocols gains access to other DMZs and internal systems. This level of access can lead to:

- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code
Unvalidated Redirects and Forwards

Attackers make a victim click an unvalidated link that appears to lead to a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow an access control bypass, leading to:

- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution
Failure to Restrict URL Access

An application often safeguards sensitive functionality merely by not displaying the links or URLs that lead to it. Attackers request those links or URLs directly and perform illegitimate operations.
Obfuscation Application

Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so that these characters can be displayed properly regardless of the application or underlying platform in which they are used; a filter that only matches the plain form of an attack string misses the encoded form.
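The encoding trick just described and the directory traversal threat listed earlier go together, so one Python example serves both. It is added here and is not part of the original module: a handler that joins the requested path onto the web root, a naive filter that looks for the literal "../" and is bypassed by URL-encoding the dots, and a hardened handler that decodes exactly once, canonicalises with realpath, and checks that the result is still inside the root. The file tree is constructed in a temporary directory for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def make_tree():
    """Constructed web root for the example: one public file inside it and one
    sensitive file one level above it (not from the original page)."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return webroot


def serve_vulnerable(root, requested):
    """Joins the (URL-decoded) request path onto the web root and reads it;
    '../' segments walk straight out of the root."""
    with open(os.path.join(root, unquote(requested))) as f:
        return f.read()


def serve_filtered(root, requested):
    """A common but insufficient fix: look for the literal '../' before
    decoding. '%2e%2e/' passes the check and decodes to '../' afterwards."""
    if "../" in requested:
        raise PermissionError("traversal detected")
    return serve_vulnerable(root, requested)


def serve_safe(root, requested):
    """Decode exactly once, canonicalise, then check the result is still
    under the canonical root. Symlinks and '..' are resolved by realpath,
    so the comparison is made on the real target, not on the request text."""
    root_real = os.path.realpath(root)
    decoded = unquote(requested).lstrip("/")
    target = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError("path escapes web root")
    with open(target) as f:
        return f.read()


def blocked(handler, root, requested):
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_tree()
    for req in ["index.html", "../secret.txt", "%2e%2e/secret.txt"]:
        print(req, "| filtered:", "blocked" if blocked(serve_filtered, root, req)
              else serve_filtered(root, req),
              "| safe:", "blocked" if blocked(serve_safe, root, req)
              else serve_safe(root, req))
```

The check on the canonical path is what makes the handler robust: it does not matter how the attacker spelled the traversal, because the decision is made on where the path actually lands after resolution.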
Security Management Exploits

Some attackers target security management systems, either on the network or at the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Session Fixation Attack

In a session fixation attack, the attacker tricks or lures the user into accessing a legitimate web server using a session ID value that the attacker already knows; once the user authenticates under that ID, the attacker holds an authenticated session.
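The following Python example, added here and not part of the original module, models the session fixation described above with a minimal in-memory session store: a login routine that keeps whatever session ID the client presented, and one that discards it and issues a fresh server-generated ID at the moment privileges change. The session store, the planted ID and the user name are constructed assumptions for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store for the example (not from the page)."""

    def __init__(self):
        self.sessions = {}          # session id -> attributes

    def login_vulnerable(self, presented_sid, user):
        """Keeps whatever session id the client presented (from a URL such as
        login.aspx?sessionid=... or from a cookie) and attaches the freshly
        authenticated user to it. If the attacker chose that id, the attacker
        now holds an authenticated session."""
        self.sessions.setdefault(presented_sid, {})["user"] = user
        return presented_sid

    def login_safe(self, presented_sid, user):
        """Rotates the id at the privilege boundary: the presented session is
        discarded and a fresh, server-generated id is issued, so any id the
        attacker planted before login is worthless afterwards."""
        self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(rotate):
    """Attacker plants a known id; the victim logs in with it. Returns the user
    the attacker's id resolves to afterwards (None means the attack failed)."""
    store = SessionStore()
    planted = "attacker-known-id"          # obtained earlier by the attacker
    login = store.login_safe if rotate else store.login_vulnerable
    login(planted, "jasons")
    return store.user_for(planted)


if __name__ == "__main__":
    print("without rotation, planted id resolves to:", fixation_scenario(rotate=False))
    print("with rotation, planted id resolves to:", fixation_scenario(rotate=True))
```

The same rotation should happen on any change of privilege, not only at login, and the server should never accept session IDs from the URL at all; rotating on login is the minimum that defeats the fixation scenario.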
Malicious File Execution

Malicious file execution vulnerabilities have been found in many applications. The cause is unchecked input into the web server: because of it, files supplied by the attacker are processed and executed on the web server. The attacker can thereby achieve remote code execution, install a rootkit remotely, and in at least some cases take complete control of the system.
Unvalidated Input

An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.

Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.

Figure: the browser posts http://juggyboy.com/login.aspx?user=jasons&pass=springfield; the browser input is not validated by the web application, which builds the query as

    string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

and the modified query is sent to the database.
An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtering, but several encoding methods are available to the attacker, and many HTTP inputs have multiple formats, which makes filtering very difficult. Canonicalization is used to reduce the encodings to a single form and is useful in avoiding many of these attacks. Web applications that use only a client-side mechanism for input validation can be bypassed easily by attackers. In order to bypass the security system, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders; attackers gain access to the systems by using the information present in the cookies. Methods used by attackers include SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
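The login query shown in the figure is the classic unvalidated-input case, so the following Python example, added here and not part of the original module, rebuilds it against an in-memory SQLite table: the vulnerable version splices the two text fields into the SQL exactly as the snippet does, and the hardened version passes them as bound parameters. The Users table, the credentials and the injection strings are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Users VALUES ('jasons', 'springfield')")
    conn.commit()
    return conn


def build_query_vulnerable(user, pwd):
    """Builds the statement exactly as the slide's snippet does: the
    user-controlled strings are spliced into the SQL text."""
    return ("select * from Users where user='" + user +
            "' and pwd='" + pwd + "'")


def login_vulnerable(conn, user, pwd):
    """True if the concatenated query returns any row."""
    return conn.execute(build_query_vulnerable(user, pwd)).fetchone() is not None


def login_safe(conn, user, pwd):
    """Parameterised query: values travel separately from the statement, so
    quotes, comment markers and keywords in the input stay data."""
    row = conn.execute(
        "select * from Users where user=? and pwd=?", (user, pwd)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for u, p in [("jasons", "springfield"), ("jasons", "' or '1'='1"),
                 ("jasons'--", "anything")]:
        print(build_query_vulnerable(u, p))
        print("  vulnerable login:", login_vulnerable(db, u, p),
              "| parameterised login:", login_safe(db, u, p))
```

The two injection strings show the two usual shapes: a password of ' or '1'='1 turns the WHERE clause into a tautology, and a user name of jasons'-- comments the password check out of the statement entirely. Neither does anything to the parameterised query, because the driver never interprets the values as SQL.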
Figure 13.5: Unvalidated Input
Parameter/Form Tampering

- A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products.
- A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms and may result in XSS, SQL injection, etc.
Parameter tampering is a simple form of attack aimed directly at the application's business logic. It takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker simply changes these parameters.
Detailed Description
Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters.

Changed parameters in form fields are the best example of parameter tampering. When a user submits an HTML form, the selections are stored as form field values and transferred in an HTTP request to the web application. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate any of them; in the simplest case this is just a matter of saving the page, editing the HTML, and reloading the page in the web browser.
Figure: tampering with URL parameters

    Original request:  http://www.juggybank.com/cust.asp?profile=21&debit=2500
    Tampered request:  http://www.juggybank.com/cust.asp?profile=82&debit=150

Other parameters can be changed, including attribute parameters:

    Original request:  http://www.juggybank.com/stat.asp?pg=531&status=view
    Tampered request:  http://www.juggybank.com/stat.asp?pg=147&status=delete
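The tampered cust.asp request in the figure only works because the server trusts the URL for both which profile to debit and by how much. The following Python example, added here and not part of the original module, implements that vulnerable handler beside a hardened one that authorises against server-side state: the profile must belong to the authenticated session's user, and the amount must be a positive integer the account can cover. The account table, the session table and the URLs' meaning are constructed assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit


def make_accounts():
    """Constructed account table for the example (not from the page)."""
    return {21: {"owner": "alice", "balance": 5000},
            82: {"owner": "bob", "balance": 300}}


# Assumed session table: session cookie value -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def query_params(url):
    """Flatten the URL's query string into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def debit_vulnerable(accounts, url, session_id):
    """Checks only that someone is logged in, then trusts the URL for both
    which profile to debit and by how much: exactly what the tampered
    request in the figure exploits."""
    if session_id not in SESSIONS:
        return "not logged in"
    p = query_params(url)
    accounts[int(p["profile"])]["balance"] -= int(p["debit"])
    return "debited %s from profile %s" % (p["debit"], p["profile"])


def debit_safe(accounts, url, session_id):
    """Authorises against server-side state: the profile must belong to the
    session's user, and the amount must be a positive integer the account
    can cover. Client-supplied parameters are hints, never authority."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "not logged in"
    p = query_params(url)
    try:
        profile = int(p.get("profile", ""))
        amount = int(p.get("debit", ""))
    except ValueError:
        return "bad parameters"
    acct = accounts.get(profile)
    if acct is None or acct["owner"] != user:
        return "forbidden"               # tampered or guessed profile id
    if amount <= 0 or amount > acct["balance"]:
        return "invalid amount"
    acct["balance"] -= amount
    return "debited %d from profile %d" % (amount, profile)


if __name__ == "__main__":
    tampered = "http://www.juggybank.com/cust.asp?profile=82&debit=150"
    accts = make_accounts()
    print("vulnerable:", debit_vulnerable(accts, tampered, "sess-alice"),
          "| bob's balance now", accts[82]["balance"])
    accts = make_accounts()
    print("hardened:  ", debit_safe(accts, tampered, "sess-alice"),
          "| bob's balance now", accts[82]["balance"])
```

The same pattern applies to the status=delete case in the figure: the action a request names must be checked against what the session's user is allowed to do to that record, not accepted because the parameter was present.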