Contents

CEH-Module14 - Hacking Web Applications

Website Visitors:
Contents

Web Application

A web application is a type of software application that runs on a web server and is accessed through a web browser over a network, such as the internet. It typically uses a combination of server-side scripts (like PHP, Python, or Java) to handle the logic and database interactions, and client-side scripts (like JavaScript) to manage the user interface and interactions. Web applications can range from simple, static web pages to complex, dynamic applications with real-time updates and interactive features. Examples include online stores like Amazon, eBay, Shopify etc, social media platforms like Facebook, Instagram, Twitter, webmail services like Gmail, Outlook.com, and online banking portals, learning platforms like coursera, udemy.

Web Service

A web service is a software system designed to support interoperable machine-to-machine interaction over a network. It provides a standardized way for different software applications to communicate with each other over the internet or an intranet, regardless of the programming languages, platforms, or devices they are running on.

Web services typically use standard web protocols and formats, such as HTTP, XML, and JSON, to exchange data. They are often used to enable communication between different systems and to integrate disparate systems, allowing them to share data and functionality.

There are several types of web services, including:

  1. SOAP (Simple Object Access Protocol): A protocol for exchanging structured information in the implementation of web services.

  2. REST (Representational State Transfer): A more lightweight and flexible approach to web services that uses standard HTTP methods (GET, POST, PUT, DELETE) to perform operations on resources.

  3. JSON-RPC and XML-RPC: Remote Procedure Call (RPC) protocols that use JSON or XML as the format for data exchange.

Web services play a crucial role in modern software development, enabling the creation of distributed and interconnected systems that can easily communicate and exchange data.

Examples: weather service, payment gateway, mapping service like google maps, social media API, messaging services

Website vs Web Application vs Web Service

All three terms - website, web application, and web service - are related to the world wide web, but they serve different purposes:

  • Website: Think of a website as a collection of electronic documents (webpages) that are accessed over the internet using a web browser. Websites are primarily for displaying information - text, images, videos, etc. They may allow some basic interaction, like filling out a form, but generally users cannot manipulate the content itself. A website is like an online brochure - it presents information for you to consume.

  • Web Application (Web App): A web application is more interactive than a website. It’s a software program that you access through a web browser, just like a website. However, web apps allow you to do things and change data. For example, a webmail application like Gmail allows you to compose, send, and receive emails. An online store is another example - you can browse products, add them to your cart, and complete a purchase. Web apps typically require a back-end server to process information and store data.

  • Web Service: A web service acts behind the scenes, providing data or functionality to other applications. Web services don’t have a user interface and are typically accessed by other software programs rather than humans. They use standardized ways to communicate, like SOAP or REST APIs. For instance, a web service might provide weather data to a weather app, or product information to an online store.

Here’s an analogy: Imagine a restaurant. The website is like the restaurant’s menu - it shows you what’s available. The web application is like the online ordering system - it allows you to interact with the menu and place an order. The web service is like the kitchen - it prepares the food based on the order received through the web application.

OWASP

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

OWASP TOP 10 - 2021 report

Cryptographic Failure/ Sensitive data exposure

In the context of the Open Web Application Security Project (OWASP), cryptography failures or sensitive data exposure refer to security vulnerabilities related to the use of cryptography in web applications. These vulnerabilities can lead to the exposure of sensitive information, such as passwords, financial data, or personal information, to unauthorized users.

Some common cryptographic failures and sensitive data exposure issues identified by OWASP include:

  1. Weak Encryption: The use of weak encryption algorithms or inadequate key lengths can make encrypted data vulnerable to attacks, such as brute force attacks or cryptographic analysis.

  2. Insecure Storage of Cryptographic Keys: Storing cryptographic keys insecurely, such as in plaintext or in easily accessible locations, can lead to the compromise of encrypted data.

  3. Improper Cryptographic Usage: Incorrect implementation or misuse of cryptographic algorithms and protocols can introduce vulnerabilities that can be exploited by attackers.

  4. Insufficient Transport Layer Protection: Failing to use secure communication protocols, such as TLS (Transport Layer Security), can expose sensitive data to interception during transmission.

  5. Weak Password Storage: Storing passwords in plaintext or using weak hashing algorithms without salting can lead to the exposure of user credentials in the event of a data breach.

OWASP provides guidance and best practices for developers to secure their web applications against cryptographic failures and sensitive data exposure vulnerabilities, such as using strong encryption algorithms, securely storing cryptographic keys, and properly implementing secure communication protocols.

Injection Flaws

Injection flaws in web applications, according to OWASP (Open Web Application Security Project), are vulnerabilities that allow attackers to inject malicious code into an application. This code can then be executed by the application, leading to a variety of negative consequences.

Here’s a breakdown of what injection flaws are and why they’re risky for web apps:

  • The Attack: An attacker sends data to the application that is not properly validated or sanitized. This data can contain malicious code that exploits weaknesses in how the application processes information.
  • The Impact: If successful, the attacker’s code can trick the application into performing unintended actions. This could involve:
    • Stealing sensitive data like user logins or credit card information.
    • Modifying data on the server.
    • Taking control of the server itself.

Here are some of the most common types of injection flaws:

  • SQL Injection (SQLi): This targets SQL queries used to interact with databases. The attacker can inject malicious SQL code to steal data, modify data, or even take control of the database server.

  • Cross-Site Scripting (XSS): This targets user input fields in web applications. The attacker can inject malicious scripts that run in the user’s browser, potentially stealing session cookies, redirecting users to malicious sites, or defacing the website. In comments section or any available pages attacker enters a script so that whenever that page loads, the script is executed.

  • Command Injection: This targets parts of the application that execute operating system commands. The attacker can inject malicious commands to steal files, install malware, or damage the server.

    • File injection: Add another URL in the primary URL end so that when users click on the actual url, that scipt/malware is executed on the server side or on client side.
    • Shell injection, HTML embedding, and File injection are part of command injection.
  • LDAP injection: LDAP injection is a type of injection attack where an attacker can manipulate LDAP (Lightweight Directory Access Protocol) queries used by an application to interact with a directory service. By injecting malicious LDAP queries, an attacker can manipulate the behavior of the application and potentially gain unauthorized access to sensitive information or perform other malicious actions.

    LDAP injection using the payload username)(&)) is an attempt to manipulate an LDAP query to perform unintended actions. In LDAP, the & character is a logical AND operator, and the ) character is used to close an LDAP filter expression. By injecting )(&)) into a username field, an attacker may attempt to terminate the original LDAP query and add their own logic to the query, potentially allowing them to bypass authentication or extract sensitive information from the LDAP server.

    For example, if the original LDAP query was something like (uid=<username>), the injected query might look like (uid=username)(&)), which could result in a query that evaluates to (uid=username)(&)(objectclass=*), potentially returning all entries in the LDAP directory.

By understanding injection flaws and how to prevent them, web developers can help to build more secure applications. For more information on injection flaws and how to mitigate them, you can refer to the OWASP resources on Injection A03 Injection - OWASP Top 10:2021.

Cross Site Scripting (XSS) Attack

Cross-Site Scripting (XSS) injection is a type of web application security vulnerability that allows an attacker to inject malicious code, usually in the form of JavaScript, into a website. This malicious code is then executed by the user’s browser, allowing the attacker to steal sensitive information, hijack user sessions, or take control of the user’s browser.

XSS injection occurs when a web application fails to properly validate or sanitize user input, allowing an attacker to inject malicious code into the website. This can happen in various ways, such as:

  • Through user input fields, such as text boxes or comment sections
  • Through URL parameters or query strings
  • Through file uploads or other types of user-submitted data

There are three main types of XSS injection:

  • Stored XSS: This type of XSS occurs when the malicious code is stored on the server-side and is executed every time a user visits the affected page.
  • Reflected XSS: This type of XSS occurs when the malicious code is reflected back to the user’s browser, usually through a phishing email or a malicious link.
  • DOM-based XSS: This type of XSS occurs when the malicious code is executed on the client-side, without being stored on the server-side.

XSS injection can be used to perform a variety of malicious activities, including:

  • Stealing user credentials or sensitive information
  • Hijacking user sessions or taking control of the user’s browser
  • Conducting phishing attacks or spreading malware
  • Defacing websites or disrupting online services

To prevent XSS injection, web developers can take several steps, including:

  • Validating and sanitizing user input
  • Using secure coding practices, such as encoding user input
  • Implementing Content Security Policy (CSP) to restrict the types of scripts that can be executed on a website
  • Using web application firewalls (WAFs) to detect and block malicious traffic

Security Misconfiguration

Attackers gain unauthorized access to default accounts, read/write to protected files etc.. by exploiting misconfiguration vulnerabilities. These misconfigurations include unvalidated inputs, parameter/form tampering, improper error handling, insufficient transport layer protection (Weak algorithm, invalid certs), improper restriction of XXE (which discloses internal files using file URI handler, internal SMB file shares on upatched windows servers, internal port scanning etc..).

Vulnerable and Outdated Components/Broken Authentication

Vulnerable and Outdated Components is one of the top ten web application security risks identified by OWASP. This risk refers to the use of components, such as libraries, frameworks, and other software modules, that contain known vulnerabilities. These vulnerabilities can be exploited by attackers to compromise the security of the application.

Attackers search for vulnerabilities on sites like exploit-db or cxsecurity.com.

Identification and Authentication Failures

Identification and authentication failures are a common issue in web applications that can lead to security vulnerabilities. OWASP, the Open Web Application Security Project, highlights these failures as a significant risk in web application security. Here are some common examples:

  1. Weak Password Policies: Allowing users to create weak passwords (e.g., too short, easily guessable) increases the risk of unauthorized access.

  2. Brute Force Attacks: Not implementing protections against brute force attacks, where an attacker tries many passwords until one works, can lead to successful unauthorized access.

  3. Insecure Authentication Methods: Using insecure authentication methods, such as transmitting passwords in plain text, can expose credentials to interception.

  4. Insufficient Account Lockout: Not implementing account lockout mechanisms after multiple failed login attempts can make it easier for attackers to guess passwords.

  5. Session Management Issues(Session ID in URLs): Poorly managed session tokens can lead to session hijacking or session fixation attacks, where an attacker can impersonate a legitimate user.

  6. Insecure Password Recovery: Weak or insecure password recovery mechanisms can allow attackers to reset passwords and gain unauthorized access.

  7. Session ID in URLs: Attackers sniff the network traffic or trick users to get session IDs and then reuse those session IDs for malicious purposes.

  8. Password Exploitation: Attackers can gain access to a web application’s password database. If user passwords are not encrypted, an attacker can exploit any user’s password

  9. Timeout Exploitation: If an application’s timeouts are not set properly and a user closes their browser without logging out from sites accessed through a public computer, an attacker can use the same browser later and exploit that user’s privileges

Security Logging and Monitoring

Security logging and monitoring failures are significant risks identified by OWASP that can lead to security vulnerabilities and hinder the detection of malicious activity in web applications. Some common failures in this area include:

  1. Insufficient Logging: Not logging enough information about security-relevant events, making it difficult to detect and investigate security incidents.

  2. Ineffective Log Management: Poorly managed logs, such as logs stored in locations accessible to attackers or logs that are not protected against tampering, can lead to loss or manipulation of critical log data.

  3. Lack of Monitoring: Failure to actively monitor logs for suspicious activity or security events, leading to delayed detection of security incidents.

  4. Ignoring Log Analysis: Not analyzing logs or failing to use automated tools to analyze logs for patterns of malicious activity can result in missed security threats.

  5. Inadequate Incident Response: Not having a well-defined incident response plan or failing to act promptly upon detection of a security incident can exacerbate the impact of a security breach.

By addressing these failures, organizations can improve their ability to detect and respond to security incidents in a timely manner, reducing the impact of potential breaches.

Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to send crafted requests from a public web server to other resources on the internal network or the internet. This can be used to interact with internal systems, access sensitive information, or perform actions on behalf of the server. OWASP lists SSRF as a common web application security risk.

Unvalidated Redirects & Forwards

Unvalidated Redirects and Forwards is a common web application security risk identified by OWASP. It occurs when a web application redirects or forwards a user to a URL specified by the attacker without properly validating or sanitizing the user-supplied input. This can be exploited by attackers to redirect users to malicious websites, phishing pages, or other dangerous locations.

Watering Hole Attack

A watering hole attack is a type of cyber attack that targets a specific group of individuals by infecting websites that are likely to be visited by the targeted group. The name “watering hole” comes from the idea of predators waiting near watering holes for animals to come and drink, making them vulnerable to attack.

Here’s how a watering hole attack typically works:

  1. Identifying Targeted Websites: Attackers identify websites that are frequently visited by the target group. These could be websites related to the target’s industry, interests, or geographic location.

  2. Injecting Malware: The attacker compromises the targeted websites by injecting malicious code. This code may exploit vulnerabilities in the website’s software or infrastructure.

  3. User Infection: When users from the targeted group visit the compromised website, they unknowingly download and execute the malicious code, which could lead to the installation of malware on their devices.

  4. Data Theft or Espionage: Once the malware is installed, it can be used to steal sensitive information, such as login credentials, financial information, or intellectual property, from the victim’s device.

Cross-Site Request Forgery (CSRF) Attack

Cross-Site Request Forgery (CSRF) is a type of cyber attack where a malicious website, email, or other communication forces a user’s web browser to perform an unwanted action on a trusted site where the user is authenticated. CSRF attacks exploit the trust that a site has in a user’s browser.

Here’s how a CSRF attack typically works:

  1. Authentication: The user is logged into a trusted website, such as a bank or social media site, in one tab or window of their web browser.

  2. CSRF Attack Site: The user visits a malicious website, which contains a hidden form or script that sends a request to the trusted site on behalf of the user.

  3. Unwanted Action: The hidden request sent by the malicious site could, for example, transfer money, change account settings, or post content on the user’s behalf on the trusted site.

  4. Execution: The user’s browser, because it is logged into the trusted site, automatically includes the necessary authentication credentials in the request, making it appear legitimate to the trusted site.

Cookie/Session Poisoning

Cookie/session poisoning is a form of attack where an attacker manipulates cookies or session tokens to gain unauthorized access to a user’s account or to impersonate the user. This attack can lead to various security breaches, including unauthorized data access, account takeover, and privilege escalation.

Here’s how cookie/session poisoning typically works:

  1. Cookie Manipulation: The attacker intercepts and modifies cookies or session tokens in transit between the user’s browser and the web server.

  2. Cookie/session theft: The attacker steals a user’s cookie or session token, either by intercepting it in transit or by exploiting vulnerabilities in the web application.

  3. Cookie/session replay: The attacker replays a stolen cookie or session token to gain unauthorized access to the user’s account.

  4. Cookie/session tampering: The attacker modifies the contents of a cookie or session token to change the user’s privileges or access level.

Hidden Field Manipulation Attack

Hidden field manipulation is a type of attack where an attacker modifies the values of hidden form fields on a web page to manipulate the application’s behavior. Hidden fields are typically used to store data that should not be visible or editable by users, such as session tokens or form parameters.

Here’s how a hidden field manipulation attack typically works:

  1. Identifying Hidden Fields: The attacker inspects the HTML code of a web page to identify hidden form fields that can be manipulated.

  2. Modifying Hidden Fields: Using browser developer tools or other means, the attacker modifies the values of hidden fields to insert malicious data or change the intended values.

  3. Submitting the Form: The attacker submits the form with the manipulated hidden field values, causing the application to process the form based on the modified data.

  4. Impact: Depending on the nature of the hidden field and the application’s logic, the attack can lead to various consequences, such as unauthorized access, privilege escalation, or data manipulation.

Ex: On a website, attackers can change the price value of a product in an e-commerce website, if that website is vulnerable to the attack.

Clickjacking Attack

Clickjacking, also known as a UI redress attack, is a malicious technique used by attackers to trick users into clicking on something different from what they perceive, potentially revealing confidential information, initiating undesired actions, or taking control of their computer while clicking on seemingly innocuous web pages. Users will not see a transparent iframe on the website. When they click on it, it opens links in different tabs or download malware etc..

Here’s how a clickjacking attack typically works:

  1. Creating a Trap: The attacker creates a malicious web page that contains elements (e.g., buttons, forms) that are overlaid with transparent or opaque layers.

  2. User Interaction: The attacker entices the victim to visit the malicious web page, either through social engineering techniques or by embedding the malicious content in a legitimate website.

  3. Invisible Action: When the victim interacts with the visible elements on the malicious web page (e.g., by clicking), their actions are actually performed on the hidden elements of another web page that the attacker controls.

  4. Consequences: The victim unknowingly performs actions on the attacker’s web page, which can include transferring funds, changing account settings, or posting messages on social media.

Use clickJackPoc.py file for clickjacking. Create a text file with your domain name and run python3 clickjackpoc.py -f filename.txt command. creates a html file with the domain name you add in the filename.

A pass-the-cookie attack is a cyberattack technique that steals a user’s session cookie to impersonate them and gain unauthorized access to their accounts or data.

The pass-the-cookie attack occurs when attackers obtain a clone of a cookie from the user’s browser and uses the cookie to establish a session with the target web server.

The Target: Session Cookies

  • Web applications often use cookies to store user session information. These cookies are small pieces of data placed on a user’s device by the web server. They typically contain a unique identifier that allows the application to recognize the user and maintain their logged-in state without requiring them to re-enter their credentials every time they navigate the application.

The Attack Strategy:

  • In a pass-the-cookie attack, the attacker steals the valid session cookie of a legitimate user. This can be achieved through various methods, such as:
    • Man-in-the-middle attacks: Intercepting communication between the user’s device and the web application to steal cookies.
    • Malware: Tricking the user into installing malicious software that steals cookies stored on their device.
    • Social engineering: Phishing emails or other deceptive tactics to lure users into revealing their cookies or login credentials.

Bypassing Defenses:

  • Once the attacker has the cookie, they can use it on their own device to impersonate the legitimate user. This bypasses login screens and multi-factor authentication (MFA) since the attacker has a valid session cookie already linked to the user’s account.

The Consequences:

  • If successful, a pass-the-cookie attack can grant the attacker access to the victim’s account and potentially:
    • Steal sensitive data like financial information or personal details.
    • Modify or delete data within the application.
    • Perform actions on behalf of the victim, which could be used for further malicious activities.

Detecting Web Application Firewall and Proxies

Using tools like wafw00f, we can determine if a website has waf. Nmap also has waf detection scripts.

Proxy servers generally add certain headers in the response header field. Use the HTTP/1.1 trace method to identify any changes that a proxy server made to the request. There are several techniques that can help identify the use of proxies:

  1. Reverse IP Lookup: Perform a reverse IP lookup on the target site’s IP address. If the IP address is associated with a proxy service, this may indicate the use of a proxy.

  2. Proxy Detection Services: Use online proxy detection services or APIs that can analyze HTTP headers, IP addresses, and other data to determine if a proxy is being used.

  3. HTTP Headers: Examine the Via and X-Forwarded-For HTTP headers in the response. These headers are often added by proxies and can reveal their presence.

  4. Network Traffic Analysis: Analyze network traffic patterns, such as multiple requests from the same IP address or unusual patterns of incoming and outgoing traffic, which may indicate the use of a proxy.

  5. User Agent Strings: Check the User-Agent HTTP header to see if it matches known proxy user agents. Some proxies modify the User-Agent header, which can be used to detect their presence.

  6. DNS Lookups: Perform DNS lookups on subdomains (e.g., proxy.example.com) or domains associated with known proxy services, as they may be used to route traffic through proxies.

  7. SSL/TLS Certificates: Examine SSL/TLS certificates for the target site. If the certificate is issued to a proxy service or contains proxy-related information, this may indicate the use of a proxy.

Detect Load Balancers

Using tools like dig and load balancing detector (lbd), we can find if there are any load balancers for a website.

Dig command provides detailed results and is used to identify whether the target domain is resolving to multiple IP addresses.

dig google.com

In the output, Answer section, you can see multiple IPs with same host. So, this means there is a load balancer for this website.

lbd google.com (install this software) to view about load balancer details.

Identify Entry Points for User Input

Identifying entry points for user input is crucial for understanding potential attack surfaces in a web application. Here are some common entry points where user input can be submitted and should be carefully validated and sanitized:

  1. Web Forms: Forms on web pages that accept user input, such as login forms, registration forms, search forms, and contact forms.

  2. URL Parameters: Parameters in URLs, such as query strings (?key1=value1&key2=value2) or path parameters, that can be manipulated by users.

  3. Cookies: Cookies that are set by the server and sent with each request, which can sometimes be manipulated by users.

  4. HTTP Headers: Headers such as User-Agent, Referer, and Cookie that can be modified by users and sent with HTTP requests.

  5. File Uploads: Forms that allow users to upload files, which can be manipulated to upload malicious files or exploit vulnerabilities in the file processing logic.

  6. AJAX Requests: Requests made using JavaScript’s XMLHttpRequest or Fetch API, which can send user input to the server asynchronously.

  7. API Endpoints: Endpoints exposed by the application’s API that accept user input, such as RESTful endpoints or GraphQL queries.

  8. Database Queries: Any queries to a database that are constructed using user input, which can be vulnerable to SQL injection if not properly sanitized.

  9. Third-party Integrations: Any integrations with third-party services that accept user input, such as payment gateways or social media APIs.

It’s important to validate and sanitize user input at each of these entry points to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Tools Used: Burp Suite, OWASP Zed Attack proxy, WebScarab, Httprint

Burp Suite

Identify Entry Points for Server Side Technologies

Identifying entry points for server-side technologies is important for understanding the potential attack surface of a web application. Here are some common entry points where server-side technologies can be interacted with:

  1. Web Server: The web server itself, such as Apache HTTP Server, Nginx, or Microsoft IIS, serves as the entry point for incoming HTTP requests.

  2. Application Server: If the web application uses an application server, such as Tomcat, Jetty, or WildFly, this server is another entry point where server-side code is executed.

  3. Server-side Scripting: Server-side scripting languages like PHP, Python (e.g., with Django or Flask), Ruby (e.g., with Ruby on Rails), and Node.js can process user input and generate dynamic web content.

  4. Database Server: The database server, such as MySQL, PostgreSQL, MongoDB, or SQL Server, is an entry point for executing queries and accessing data.

  5. API Endpoints: If the web application exposes an API (Application Programming Interface), the API endpoints serve as entry points for interacting with the application programmatically.

  6. Middleware: Middleware components, such as caching servers (e.g., Redis, Memcached) or message brokers (e.g., RabbitMQ, Kafka), are entry points for handling specific types of processing or communication.

  7. Server-side Includes (SSI): If the web server is configured to use Server-side Includes, it allows for embedding the output of a script (e.g., CGI, PHP) into an HTML document.

  8. File System: The file system of the server can be an entry point if the web application allows file uploads or if there are vulnerabilities that allow access to sensitive files.

It’s important to secure these entry points to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and unauthorized access to files or resources. Measures such as input validation, output encoding, secure coding practices, and regular security assessments can help protect against these threats.

Identifying Web Application Vulnerabilities

Web application scanning tools: WPScan vulnerability database, Arachni, appspider, uniscan, Vega.

Using Vega you can find and validate SQL injection, Cross-Site Scripting(xss), and find any disclosed sensitive information and other vulnerabilities.

You can also use other web application vulnerability scanning tools such as WPScan Vulnerability Database (https://wpscan.com), Arachni (https://www.arachni-scanner.com), appspider (https://www.rapid7.com), or Uniscan (https://sourceforge.net) to discover vulnerabilities in the target website.

Bypass Client-Side Controls

Bypassing client-side controls refers to circumventing or bypassing security measures implemented on the client side (in the user’s browser) to enforce security policies. While client-side controls can enhance user experience and provide some level of security, they are often considered less reliable than server-side controls and can be bypassed by attackers.

HTTP Request Tampering

HTTP request tampering can involve various techniques, including query string tampering and manipulation of HTTP headers. These methods are used by attackers to modify the content of HTTP requests sent to a web server. Here’s how each technique works:

  1. Query String Tampering: The query string is the part of a URL that comes after the ‘?’ symbol and contains key-value pairs (e.g., ?key1=value1&key2=value2). Attackers can tamper with the query string by modifying parameter values or adding new parameters to change the behavior of the request. For example, an attacker could change a user_id parameter to access another user’s data or add a isAdmin=true parameter to escalate privileges.

  2. HTTP Header Manipulation: HTTP headers are used to pass additional information about the request or the client to the server. Attackers can manipulate headers to impersonate other users, bypass security controls, or modify the behavior of the request. For example, an attacker could modify the User-Agent header to impersonate a different browser or device, or modify the Referer header to spoof the source of the request.

Local File Inclusion

Local File Inclusion (LFI) is a type of vulnerability that occurs when a web application includes a file (usually a script or configuration file) from the local file system using user-controllable input. This vulnerability can allow an attacker to view sensitive files, execute arbitrary code, or gain unauthorized access to the server.

Here’s how LFI works:

  1. User Input: The web application includes a file based on user input, typically through parameters in the URL or form inputs.

  2. Path Traversal: An attacker manipulates the user-controllable input to traverse the file system and include files outside of the intended directory.

  3. File Inclusion: The web application includes the manipulated file path, allowing the attacker to read or execute the contents of the included file.

For example, consider a web application that includes a file based on a page parameter in the URL:

1
http://example.com/page.php?page=about.php

An attacker could manipulate the page parameter to include a sensitive file, such as /etc/passwd, which could lead to the disclosure of sensitive information:

1
http://example.com/page.php?page=../../../../../../etc/passwd

To prevent Local File Inclusion vulnerabilities, developers should:

  • Avoid including files based on user-controllable input.
  • If file inclusion is necessary, validate and sanitize the input to ensure that it only includes files from a predefined list of allowed paths.
  • Use whitelisting instead of blacklisting to prevent path traversal attacks.
  • Implement proper access controls and permissions to restrict access to sensitive files.

Attack Shared Environments

Few organizations use third party service providers for hosting and maintaining their web applications and relevant web infrastrcuture. If attackers can get into that third party service provider, chances are, they can get into your environment as well.

Connection Pool Dos

Connection pooling in the context of networking or database management refers to the practice of maintaining a pool of connections that are ready for use instead of opening and closing connections for each request. This helps improve performance by reducing the overhead of establishing new connections.

A Denial of Service (DoS) attack on a connection pool could involve flooding the pool with requests, exhausting the available connections, and preventing legitimate users from accessing the pool. To mitigate this, you can implement measures such as limiting the number of connections a client can make, implementing rate limiting, or using tools that automatically detect and block malicious traffic.

If you’re experiencing a DoS attack on your connection pool, it’s crucial to investigate the source of the attack, implement the necessary security measures, and potentially involve your network or security team to help mitigate the attack.

Web API

A web API, short for Web Application Programming Interface, acts like a middleman between different applications on the web. It lets them talk to each other and share information.

Here’s a breakdown:

  • Imagine a web application as a restaurant. It has features and data (like menus and ingredients) but can’t directly access what other applications (restaurants) have.
  • The web API is the waiter. It takes requests from one application (like your order) and delivers them to another (the kitchen). It also brings back the response (your food).
  • There are two main types of waiters (web APIs):
    • Server-side web API: This waiter works for the kitchen (web server). It lets other applications request data or functionalities from the server. For example, a weather app might use this type of API to get weather information from a weather service.
    • Client-side web API: This waiter works for you (the web browser). It allows web pages to access features built into the browser, like playing videos or finding your location.

In essence, web APIs enable applications to communicate and exchange data seamlessly, without needing to understand each other’s inner workings.

In short, a Web API (Application Programming Interface) is a set of rules and protocols that allows one software application to interact with another over the internet. It defines the methods and data formats used for communication, enabling different systems to exchange information and perform actions.

We have different types of Web Service APIs: Rest, SOAP, Restful, xml-rpc and json-rpc.

Webhooks

Webhooks are user-defined HTTP callbacks that are triggered by specific events. When an event occurs, the source site makes an HTTP request to the URL configured for the webhook, allowing you to receive real-time data or notifications.

For example, in a webhook integration with a payment gateway, you might set up a webhook to receive a notification when a payment is processed successfully. When the payment is successful, the payment gateway sends a POST request to your webhook URL with information about the payment, allowing your application to process the payment confirmation in real time.

Webhooks are commonly used for various purposes, such as:

  1. Notifications: To receive notifications about events, such as new orders, comments, or updates.
  2. Automation: To trigger actions in response to events, such as updating a database or sending emails.
  3. Integration: To integrate different systems or services, such as syncing data between applications.

Webhooks are a powerful tool for building real-time integrations and automating workflows between different systems.

Login/Credential Stuffing Attack

A login or credential stuffing attack is a type of cyber attack where an attacker uses automated tools to attempt to gain unauthorized access to user accounts by trying to login with stolen credentials, typically obtained from data breaches or leaks. The attacker uses these stolen credentials in an attempt to “stuff” or fill the login forms of various online services, such as websites, applications, or APIs, hoping to successfully authenticate and gain access to the accounts.

API DDOS Attack

A Distributed Denial of Service (DDoS) attack targeting an API involves overwhelming the API server with a large volume of requests, causing it to become slow or unresponsive to legitimate users. This type of attack is typically carried out by a botnet, a network of compromised computers controlled by the attacker.

Web Shell

A web shell is a malicious script or program that attackers deploy on web servers to gain remote access and control over the server. Once a web shell is uploaded to a vulnerable server, it can be used to execute commands, upload/download files, and perform various actions as if the attacker had direct access to the server’s command-line interface.

A web shell is a malicious script that gives attackers remote control over a compromised web server. It essentially provides a backdoor entry for them to perform actions on the server.

How it works:

  • Deployment: Attackers first need to find a way to upload the web shell script onto the target web server. This can happen through vulnerabilities in the server software, website applications, or even successful phishing attacks.

  • Functionality: Once uploaded, the web shell acts like a command prompt accessible through a web browser. Attackers can use it to issue various commands on the server, just like they would on a local computer.

Web Application Fuzz Testing

Web application fuzz testing, also known as fuzzing, is a software testing technique used to discover vulnerabilities in web applications by sending invalid, unexpected, or random data as inputs. The goal of fuzz testing is to identify security vulnerabilities, such as buffer overflows, input validation errors, and other types of input-related issues that could be exploited by attackers.

Fuzz testing can be an effective way to uncover vulnerabilities in web applications, especially those related to input validation and handling. However, it’s important to note that fuzz testing is not a comprehensive security testing solution and should be used in conjunction with other security testing techniques, such as code reviews and penetration testing, to ensure the security of your web applications.

Source Code Review

Source code review is a crucial aspect of ethical hacking, also known as penetration testing or white-hat hacking. It involves manually examining the source code of an application or system to identify potential security vulnerabilities and weaknesses. The primary goal of source code review is to detect and report security flaws before they can be exploited by malicious hackers.

Benefits of Source Code Review:

  • Identifies vulnerabilities early in the development cycle, reducing the cost and effort required to fix them later on.
  • Helps to ensure compliance with security standards and regulations.
  • Enhances the overall security posture of the application or system.
  • Provides a detailed understanding of the codebase, allowing for more effective testing and validation.

Types of Source Code Review:

  • Manual Review: A manual examination of the source code by a human reviewer.
  • Automated Review: Uses automated tools to scan the source code for potential vulnerabilities.
  • Hybrid Review: A combination of manual and automated review techniques.

Steps Involved in Source Code Review:

  1. Pre-Review: The reviewer familiarizes themselves with the codebase, including its architecture, functionality, and security requirements.
  2. Code Analysis: The reviewer examines the source code, looking for potential security vulnerabilities, such as:
    • Input validation and sanitization issues
    • Authentication and authorization weaknesses
    • Data encryption and storage problems
    • Error handling and logging issues
  3. Vulnerability Identification: The reviewer identifies and documents potential security vulnerabilities.
  4. Risk Assessment: The reviewer assesses the risk associated with each identified vulnerability.
  5. Reporting: The reviewer provides a detailed report of the findings, including recommendations for remediation.

Tools Used in Source Code Review:

  • Static Analysis Tools: Such as SonarQube, Veracode, and Fortify.
  • Dynamic Analysis Tools: Such as OWASP ZAP and Burp Suite.
  • Code Review Tools: Such as GitHub Code Review and Gerrit.

Best Practices for Source Code Review:

  • Use a combination of manual and automated review techniques.
  • Use a risk-based approach to prioritize vulnerabilities.
  • Involve multiple reviewers to ensure thoroughness.
  • Use a standardized review process and checklist.
  • Continuously monitor and update the review process.

In conclusion, source code review is an essential aspect of ethical hacking, allowing organizations to identify and address potential security vulnerabilities before they can be exploited. By following best practices and using a combination of manual and automated review techniques, organizations can ensure the security and integrity of their applications and systems.

Web Application Security Testing Tools

There are several web application security testing tools available that can help you identify and mitigate vulnerabilities in your web applications. Some popular tools include:

  1. Acunetix is a web vulnerability scanner that helps you identify vulnerabilities such as SQL injection, XSS, and CSRF in your web applications. It offers both on-premises and cloud-based solutions.

  2. N-Stalker is another web application security scanner that helps you identify vulnerabilities in your web applications. It offers a range of security testing tools and services to help you secure your web applications.

  3. OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner that helps you find vulnerabilities in your web applications during the development and testing phases.

  4. Burp Suite: A popular toolkit for web application security testing, including scanning, crawling, and exploiting vulnerabilities. It offers both free and paid versions.

  5. Netsparker: A web application security scanner that helps you identify vulnerabilities such as SQL injection, XSS, and CSRF in your web applications.

  6. Acunetix: A web vulnerability scanner that helps you identify security vulnerabilities in your web applications and APIs.

  7. Qualys Web Application Scanning (WAS): A cloud-based web application security scanner that helps you identify vulnerabilities in your web applications and APIs.

  8. Nmap (Network Mapper): Although primarily a network scanner, Nmap can also be used for web application security testing to discover open ports and services on a web server.

  9. SQLMap: A popular open-source tool for detecting and exploiting SQL injection vulnerabilities in web applications.

  10. Skipfish: A web application security scanner that helps you identify vulnerabilities such as SQL injection, XSS, and CSRF in your web applications.

  11. Wapiti: A web application security scanner that helps you identify vulnerabilities such as SQL injection, XSS, and CSRF in your web applications.

  12. Arachni: A feature-rich, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

These tools can help you identify and fix vulnerabilities in your web applications, making them more secure against potential attacks.

Browser Exploitation Framework

The Browser Exploitation Framework (BeEF) is a tool that focuses on exploiting web browsers. It is designed to assess the security posture of a target environment by using client-side attack vectors. BeEF allows penetration testers to assess the security of a system by leveraging the web browser as a platform.

Some key features of BeEF include:

  1. Browser-based exploitation: BeEF leverages vulnerabilities in web browsers to execute malicious code and take control of the browser.

  2. Client-side attacks: BeEF can launch various client-side attacks, such as phishing attacks, keylogging, and session hijacking, to compromise the target’s browser.

  3. Command and control: BeEF provides a command and control interface that allows the attacker to interact with compromised browsers and execute commands on the target system.

  4. Modular framework: BeEF is highly modular and extensible, allowing developers to create custom modules to extend its functionality.

Other tools include metasploit, powersploit, watcher, invicti, arachni.

Web Application Firewalls

HCL appscan standard, Alteon integrated waf, Qualys waf, Barracuda waf, ThreatSentry and dotDefender.

Perform Web Application Reconnaissance using Nmap and Telnet

Telnet www.moviescope.com 80

Next enter, GET / HTTP/1.0

This shows the web server details with the version.

nmap -T4 -A -v www.moviescope.com

 In real-time, an attacker can specify either the IP address of a target machine or the URL of a website. In both cases, the attacker obtains the banner information of the respective target. In other words, if the attacker entered an IP address, they receive the banner information of the target machine; if they enter the URL of a website, they receive the banner information of the respective web server that hosts the website.

Identify Web Server Directories

  • nmap -sV --script=http-enum www.moviescope.com

  • gobuster dir -u www.moviescope.com -w /home/attacker/filename.txt -  dir: uses the directory or file brute-forcing mode, -u: specifies the target URL (here, www.moviescope.com), and -w: specifies the wordlist file used for directory brute-forcing (here, filename.txt).

  • python3 dirsearch.py -u http://www.moviescope.com (-u specifies the URL) python3 dirsearch.py -u http://www.moviescope.com -e aspx (searches with a file extension.) python3 dirsearch.py -u http://www.moviescope.com -x 403 (-x excludes status code).

Web Application Reconnaissance using WhatWeb

WhatWeb identifies websites and recognizes web technologies, including content management systems (CMS), blogging platforms, statistics and analytics packages, JavaScript libraries, web servers, and embedded devices. It also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Open an elevated shell prompt in parrotos and run whatweb command.

Ex: whatweb www.google.com and whatweb -v www.google.com to provide more verbose information.

whatweb --log-verbose=logwebreport www.google.com to save the output to a report.

Owasp Zap

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ZAP provides functionality for a range of skill levels—from developers to testers new to security testing, to security testing specialists.

Install owasp zap in your parrot os and run zaproxy command. This will start owasp zap application. Select the automated scan option and enter your website details. Wait for the scan to finish and view the results.

Now, navigate to the Messages tab under the Spider tab to view more detailed information regarding the URLs obtained while performing the web spidering, as shown in the screenshot.

Note: In real-time, attackers perform web spidering or crawling to discover hidden content and functionality, which is not reachable from the main visible content, to exploit user privileges within the application. It also allows attackers to recover backup copies of live files, configuration and log files containing sensitive data, backup archives containing snapshots of files within the web root, and new functionality that is not linked to the main application.

Identify XSS Vulnerabilities in Web Applications using PwnXSS

PwnXSS is an open-source XSS scanner that is used to detect cross-site scripting (XSS) vulnerabilities in websites. It is a multiprocessing and customizable tool written in Python language.

To perform scan on target website, type python3 pwnxss.py -u http://testphp.vulnweb.com and press Enter.

Note: -u: specifies the target url (here, http://testphp.vulnweb.com).

Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications

Parameter tampering is a type of attack where an attacker tries to manipulate parameters exchanged between a client and a server. This attack is commonly associated with web applications and occurs when an attacker modifies parameters in a URL, form fields, or cookies to gain unauthorized access to resources or manipulate the application’s behavior.

For example, in a web application that uses URL parameters to identify users (e.g., https://example.com/profile?user_id=123), an attacker could change the user_id parameter to access another user’s profile (e.g., https://example.com/profile?user_id=456).

To prevent parameter tampering, developers should validate and sanitize all input data, use secure communication protocols (e.g., HTTPS), and implement access controls to ensure that users can only access the resources they are authorized to.

Let’s say you open a website and login. After logging in, in the address bar, if it says http://www.website.com/id=2, you change the id to 4. It opens other user profile. This process of changing the ID value and getting the result is known as parameter tampering. Web XSS attacks exploit vulnerabilities on dynamically generated web pages. This enables malicious attackers to inject client-side scripts into the web pages viewed by other users.

Cross-site Request Forgery (CSRF) Attack

Cross-Site Request Forgery (CSRF) is an attack where an attacker tricks a user into unknowingly executing actions on a website they are authenticated on. The attacker crafts a malicious request and tricks the user into executing it, leveraging the user’s existing authentication on the targeted site.

Here’s how a CSRF attack typically works:

  1. The attacker creates a malicious webpage or email containing a crafted request to the targeted website.
  2. The user visits the malicious webpage or opens the email, which automatically triggers the request in the background.
  3. Since the user is already authenticated on the targeted website, the request is executed, potentially causing actions such as changing account settings, making purchases, or transferring funds, all without the user’s knowledge.

One of the examples for CSRF attack is through using wpscan software to identify vulnerable wordpress plugins installed in a wordpress site.

On your linux machine install wpscan and run, wpscan --api-token [API Token from wpscan.comSite] --url http://wordpressSiteURL --plugins-detection aggressive --enumerate vp and press Enter. --enumerate vp: specifies the enumeration of vulnerable plugins.

Enumerate and Hack a Web Application using WPScan and Metasploit

On your linux machine install wpscan and run, wpscan --api-token [API Token] --url http://wordpressSiteURL --enumerate u and press Enter. --enumerate u: specifies the enumeration of usernames.

This will list usernames if you have any vulnerable plugins. Next we need to find the password.

Run msfconsole command use the wordpress_login_enum auxiliary. use auxiliary/scanner/http/wordpress_login_enum set the options and run.

Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server

Damn Vulnerable Web App (DVWA) is a deliberately vulnerable web application designed for security professionals, web developers, and educators to learn about web application security. It is intentionally insecure and contains various vulnerabilities that are commonly found in web applications, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Users can practice their skills in identifying, exploiting, and mitigating these vulnerabilities in a legal and ethical environment. DVWA is often used as a training tool in cybersecurity courses and workshops to help individuals understand and improve web application security practices.

Install DVWA and run the website. Login and select “Command Injection” option to the left and enter the target machine ip address. You can see the ping reply. Now go to DVWA Security option to the left and change the security level to low.

Next goto command injection tab and run any windows command with a | option. Ex: In the Enter an IP address column you can run, | hostname or | whoami or any other windows commands. If the server is vulnerable, it will run the command on the target server.

Your inbox needs more DevOps articles.

Subscribe to get our latest content by email.