
Web Application Hacker's Toolkit

Computer Science and 1


Review

Web application characteristics


Functionality

Server-side technologies:
  Scripting languages
  Web application platform
  Web server software
  Databases
  Back-end components
Client-side technologies:
  Browser extension technologies


Application Characteristics

Understand what the application does and how it behaves:
  Content
  Functionality
Find out:
  Application behavior
  Core security mechanisms
  Technologies being used


Enumerating Content and Functionality

Manual vs. automated browsing
  Walk through the application
  Follow every link
  Navigate through multistage functions
Web spidering
  Tools that follow all links until no new content is found
  Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript


Automated Spidering

E.g., Burp Spider, WebScarab
General limitations:
  Cannot handle dynamically created menus
  Limited depth to find links
  May fail input validation in multistage functionality
  Unique content is identified by URL, which does not work for form-based navigation
  May lose the authenticated session


User-Directed Spidering

The user walks through the application and uses a spider to collect and analyze the findings
Good for:
  Unusual or complex navigation needs
  User control of input data
  The user can log in to the application and pass authentication
  The user can decide which functions are requested


APPLICATION HACKING


Hacking Steps 1

Configure the browser to use the spider
Browse the application normally
  Visit every link
  Proceed through multi-stage functions
  JavaScript enabled/disabled; cookies enabled/disabled
Review the site map to identify non-visited content
Do an automated spidering


Discovering Hidden Content

Content not directly linked to or reachable from the main page
E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old versions of files, default application functionality, log files, etc.
Added attack points, sensitive content, etc.
Automated, brute-force attack: Burp Intruder
  Burp Suite Tutorial - The Intruder Tool, http://www.securityninja.co.uk/hacking/burp-suite-tutorial-the-intruder-tool/


Hacking Steps 2

Make unusual requests and identify the responses
Use the site map to identify hidden content
Use brute-force attacks to identify how the application handles requests
Manually review responses
Infer from published content (e.g., naming)
  Compile a list of names of subdirectories
  Identify naming schemes, file extensions
Review all client-side code
Look at temporary files


Use Public Information

Find old resources
Search engines:
  Advanced search: resource, login, links, related
  Google domains
  Omitted results
  Cached versions
  Other domains of the same organization
Web archives, e.g., the WayBack Machine


Web Server Vulnerabilities

Web server software vulnerabilities
Default content
  Sample and diagnostic scripts
  Standard functionality
Wikto: a tool that checks for flaws in web servers, http://sectools.org/tool/wikto/
Nikto: checks for potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems, configuration issues, etc., http://sectools.org/tool/nikto


Additional Mappings

Functional paths
URL query parameters
Discovering hidden parameters
  Try default parameter names, e.g., debug, test, hide, etc.
  Monitor responses to identify anomalies
Analyzing applications
  Functionality, behavior, security
  Server-side functionality


Mapping the Attack Surface

Use the results of the analysis to find vulnerabilities


Easy Picking: @

Hidden symbol in the URL
Changes the IP address the browser connects to (only the information to the right of the @ is used as the host)
Browser vulnerability; the browser warning reads:
  "You are about to log in to the site cse.sc.edu with the username farkas, but the website does not require authentication. This may be an attempt to trick you."
Twitter: executable JavaScript after the @
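Added example (not part of the slides): how the userinfo before an @ disguises the real destination, and a check a defender can run on links before allowing them. The hostnames other than cse.sc.edu are constructed for illustration; urllib.parse is the standard library.

```python
# Added example (not from the slides): the part of a URL to the right of "@"
# is the host the browser connects to; the part to the left is userinfo and
# may be shaped like a hostname to mislead the reader.
from urllib.parse import urlsplit


def describe_url(url: str) -> dict:
    """Return where the browser will really connect and whether userinfo is present."""
    parts = urlsplit(url)
    # RFC 3986: everything before the last "@" in the authority is userinfo;
    # only what follows it is the host.
    return {
        "host": parts.hostname,             # the real destination
        "userinfo": parts.username,         # text left of "@" (may look like a domain)
        "has_userinfo": parts.username is not None,
    }


def looks_like_decoy(url: str) -> bool:
    """True when the userinfo contains a dot, i.e. it is shaped like a hostname
    and is likely meant to be mistaken for the destination (constructed heuristic)."""
    info = describe_url(url)
    return info["has_userinfo"] and "." in (info["userinfo"] or "")


if __name__ == "__main__":
    # constructed sample links: plain, legitimate userinfo, and a decoy host
    for u in ("http://cse.sc.edu/", "http://farkas@cse.sc.edu/",
              "http://www.example.com@203.0.113.5/login"):
        print(u, describe_url(u), "DECOY" if looks_like_decoy(u) else "")
```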
Who Is at Risk?

Client: browsers
  Complex systems
  Plug-ins, extensions
Server authentication
JavaScript and paid ads: ease of propagating malicious code
Never trust a client on the server side
Never trust a browser on the client side
Improve Client Security

Install patches to the browser
Update commonly used plug-ins
Eliminate unused plug-ins
Heed your browser warnings
Make antivirus software watch the browser and downloads
Clear history, stored files, and cookies
If a file is not signed and trusted, don't download it
Improve Server-Side Security

Never execute client input as code
Never allow client input to pass into the system without validating it internally
Scrub client input for any known exploits and suspect characters
Keep a layer of indirection between the client input received and the system
Manage sessions from inside the trust boundary and not on the client side
Never encode secrets or functional variables in information sent to the client
Web Application Vulnerabilities


Biggest Threats to Web Applications

Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Remote file uploads (buffer overflow, SQL injection, etc.)
Trust between the client's machine and the web application
XSS

Inject client-side script into web pages
The client views the web page and downloads the script
Used to bypass access controls such as the same-origin policy
  Permits scripts running on pages originating from the same site (scheme, hostname, and port number) to access each other's Document Object Model with no specific restrictions
XMLHttpRequest and robots.txt


How to Avoid XSS?

Scrub all input
Escape output for display
Use trusted solutions when available
Use separate variables for scrubbed input
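Added example (not from the slides): "escape output for display" and "use separate variables for scrubbed input", shown per output context. The rendering functions and the sample input are constructed; html.escape and urllib.parse.quote are the standard-library encoders.

```python
# Added example (not from the slides): a reflected value rendered unescaped,
# then escaped correctly for the HTML-text, attribute and URL contexts.
import html
from urllib.parse import quote

# Constructed untrusted input: a display name carrying script markup.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_vulnerable(name: str) -> str:
    """Reflects input straight into HTML: the script tag survives intact."""
    return f"<p>Hello {name}</p>"


def render_escaped(name: str) -> str:
    """HTML-text context: encode < > & \" ' so markup is displayed, not parsed."""
    safe_name = html.escape(name, quote=True)   # scrubbed value kept in its own variable
    return f"<p>Hello {safe_name}</p>"


def render_attribute(name: str) -> str:
    """Attribute context: the value must be quoted and quotes must be encoded,
    otherwise a stray quote closes the attribute and adds event handlers."""
    safe_name = html.escape(name, quote=True)
    return f'<input type="text" name="user" value="{safe_name}">'


def render_link(name: str) -> str:
    """URL-query context: percent-encode the value, then HTML-encode the whole href."""
    safe_query = quote(name, safe="")
    return f'<a href="{html.escape("/profile?user=" + safe_query, quote=True)}">profile</a>'


if __name__ == "__main__":
    for fn in (render_vulnerable, render_escaped, render_attribute, render_link):
        print(fn.__name__, "->", fn(UNTRUSTED_NAME))
```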
Cross-Site Request Forgery

Exploits the trust between the server and the client machine
Mostly HTTP requests and responses
Based on how web pages are delivered along with images and other web content
Prevent CSRF:
  Require verification and stages for sensitive applications
  Use anti-CSRF tokens in your forms and processing
  Use POST as the means of taking form input
    GET: encodes the data of the form into the URL of the recipient, appending it to the query string of the request
    POST: encodes it as a message
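Added example (not from the slides): an anti-CSRF token bound to the session and checked only on POST, as the two prevention points above suggest. The secret, the session ids and the transfer handler are constructed for illustration; hmac and secrets are the standard library.

```python
# Added example (not from the slides): anti-CSRF tokens derived from the
# session, verified in constant time, and state changes accepted only via POST.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed: per-deployment key kept on the server


def make_csrf_token(session_id: str) -> str:
    """Derive the token from the session id, so a token obtained for one session
    (or guessed by a third-party page) is useless for any other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    expected = make_csrf_token(session_id)
    # constant-time comparison: do not leak how many leading characters matched
    return hmac.compare_digest(expected, token or "")


def handle_transfer(method: str, session_id: str, form: dict) -> str:
    """Constructed state-changing action: accept form input only via POST and
    only with a token that matches the caller's own session."""
    if method != "POST":
        return "405 use POST"                      # GET must never change state
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 bad or missing CSRF token"
    return f"200 transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    sid = "sess-constructed-1"
    tok = make_csrf_token(sid)      # would be embedded as a hidden field in the form
    print(handle_transfer("POST", sid, {"csrf_token": tok, "amount": "10", "to": "bob"}))
    print(handle_transfer("POST", sid, {"amount": "10", "to": "bob"}))
    print(handle_transfer("GET", sid, {"csrf_token": tok, "amount": "10", "to": "bob"}))
```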
Unrestricted File Upload

Users may upload malicious files
Uploaded files can be called by a URL (if stored on the web server)
Example: PHP
  Embedded in image files
  Compile PHP code
Avoid File Upload Problems

The system should determine the file name
Do not allow users to access the folders where content is uploaded
Parse file extensions carefully or set your own file parser
White-list extensions
Be secure with the .htaccess file (controls access to the files on the server)
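Added example (not from the slides): the rules on this slide as upload-handling code. The allow-list, the storage directory and the sample files are constructed for illustration; the signatures are the standard PNG/JPEG/GIF magic bytes.

```python
# Added example (not from the slides): system-chosen file names, white-listed
# extensions, strict extension parsing, and content checked against the claimed type.
import os
import secrets

ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
UPLOAD_DIR = "/var/app/uploads"   # constructed: outside the web root, never served directly


def classify_upload(client_name: str, data: bytes):
    """Return (ok, extension-or-reason). The client's name is consulted only for
    its extension; the stored name is chosen by the server."""
    base = os.path.basename(client_name)            # drop any directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"   # rejects shell.php.jpg and .htaccess
    ext = parts[1]
    if ext not in ALLOWED:                           # white list, not a black list
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED[ext]):            # content must match the claimed type
        return False, "content does not match extension"
    return True, ext


def store_upload(client_name: str, data: bytes) -> str:
    """Return the server-chosen path; even PHP hidden inside a valid image is
    stored under a random name with an image extension, outside the web root."""
    ok, info = classify_upload(client_name, data)
    if not ok:
        raise ValueError(info)
    server_name = f"{secrets.token_hex(16)}.{info}"   # system determines the file name
    return f"{UPLOAD_DIR}/{server_name}"


if __name__ == "__main__":
    samples = [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 8),   # constructed inputs
               ("shell.php", b"<?php echo 1; ?>"),
               ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
               ("shell.jpg", b"<?php echo 1; ?>")]
    for name, content in samples:
        print(name, "->", classify_upload(name, content))
```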
Adobe Flash

99% of all internet-connected machines use Adobe Flash
No internal automated update capability
Flash security policy: same origin
  Can be modified by an XML cross-domain policy declaration
Can facilitate XSS, CSRF, DNS rebinding
Ways of Attacking Applications

Use of a web browser only
Use of an intercepting web proxy
Use of a standalone application scanner


Web Browsers

The choice of web browser impacts the effectiveness of the attack
Most popular browsers:
  Internet Explorer
  Firefox
  Chrome
Extensions: additional web browser functionalities


IE

Declining number of users but still the leader
Native support for ActiveX controls
Must work with the Windows platform
Anti-XSS filter in IE 8
Extensions:
  HttpWatch: analyzes HTTP requests and responses, details of headers, cookies, URLs, request parameters, HTTP status codes, and redirects


Integrated Testing Suites

Intercepting proxy
  Achilles proxy: early, basic proxy; a standalone application that displayed each request and response for editing
Modern proxies:
  Highly functional tool suites
  Several interconnected tools to facilitate common attack tasks
  Useful for both defense and offense


Some of the Tools

Differ widely in their functionalities
The best one: Burp Suite
Others:
  WebScarab
  Paros
  Zed Attack Proxy
  Andiparos
  Fiddler
  Etc.


How the Tools Work

Several complementary tools that share information about the target application
[Diagram: Attacker (IE) <-> Toolkit <-> Target application]
Toolkit: monitors the interaction between the attacker and the target application. Stores all requests and responses and all details about the target application.


Toolkit Elements

1. An intercepting proxy
2. A web application spider
3. A customizable web application fuzzer
4. A vulnerability scanner
5. A manual request tool
6. Functions for analyzing session cookies and tokens
7. Other functions and utilities


1. Intercepting Proxies

Must configure the attacker's browser to use an intercepting proxy (listening at a specified port)
Can be easily configured for the 3 most popular browsers
If you are using a thick client and cannot configure a proxy, you need to modify the OS files that resolve the hostname used by the application so that the proxy can listen on this communication


1. Intercepting Proxies

Basic HTTP messages: the intercepting proxy acts as a normal web proxy
[Diagram: Attacker's browser (IE) -> Proxy -> Application]
The web browser sends the hostname of the application.
The proxy resolves the corresponding IP address and converts the request to a non-proxy equivalent message.
1. Normal Web Proxy

HTTPS messages
[Diagram: Client (IE) sends CONNECT to the proxy; the SSL handshake then runs through the proxy to the application]
After the connection is established, the proxy acts as a TCP-level relay between the client and the application.


1. Intercepting Proxy

HTTPS messages
[Diagram: Attacker (IE) sends CONNECT to the proxy; one SSL handshake between the browser and the proxy, a second SSL handshake between the proxy and the application]
After the connection is established, the proxy acts as a TCP-level relay between the client and the application.


SSL Handshake

Phase 1: security capabilities
  1. C -> S: CLIENTHELLO
  2. S -> C: SERVERHELLO
Phase 2: optional server messages (brackets mark optional messages)
             [CERTIFICATE]
             [SERVERKEYEXCHANGE]
             [CERTIFICATEREQUEST]
             SERVERHELLODONE
Phase 3: client key exchange
  3. C -> S: [CERTIFICATE]
             CLIENTKEYEXCHANGE
             [CERTIFICATEVERIFY]
Phase 4: change cipher suite
             CHANGECIPHERSPEC
             FINISH
  4. S -> C: CHANGECIPHERSPEC
             FINISH


Fake Certificates

The proxy's certificate may not be accepted
  Cross-domain requests
  Users' trust
Burp Suite: generates a unique CA certificate for the current user. Use this to generate new certificates for the proxy.


Common Features of the Intercepting Proxies

Fine-grained intercepting rules
Detailed history of all requests and responses
Automated match-and-replace rules for dynamic modification of the requests and responses
Access to the proxy's functionality within the web browser
Utilities


2. Web Application Spider

Shares data with the intercepting proxy
Manual spidering followed by automated spidering
Challenges:
  Form-based navigation
  JavaScript-enabled navigation
  Multistage functions
  Authentication and sessions
  Parameter-based identification
  Tokens and cookies


Common Functionalities of Web Spiders

Automatic update of the site map based on data supplied by the proxy
Parsing proxy data for links
Fine-grained control over the scope of spidering
Automatic parsing and analysis of HTML forms, scripts, comments, images
Automated and user-guided submission of forms
Automatic retrieval of the root of all enumerated directories


3. Web Application Fuzzers

Use automation to perform common attack tasks
Common features:
  Manually configured probing for common vulnerabilities
  A set of built-in payloads and functions to generate arbitrary payloads
  Save attack results and response data
  Customizable functions for viewing and analyzing responses
  Functions for extracting useful data from the application


4. Web Application Vulnerability Scanners

Passive scanning: monitoring the requests and responses passing through the local proxy
  Detects vulnerabilities: clear-text passwords, incorrect cookies, etc.
  Non-invasive, often used for penetration testing
Active scanning: sending new requests to the target application
  Tests for XSS vulnerabilities, HTTP header injection, etc.
  Can be potentially dangerous


5. Manual Request Tools

Functionality to issue a single request and view its response
Very useful when slight modifications of the request are needed based on the responses
Can be either a standalone tool or web browser-based
Common features:
  Integration with other suite components
  Keeps a record of all requests and responses
  Multi-tabbed interface: handles multiple items


6. Session Token Analyzer

Randomness of session cookies
Burp Sequencer: standard statistical tests


Testing Workflow

[Workflow diagram: Recon and analysis (browser, intercepting proxy, spider, passive scanning, content discovery, proxy history, site map) -> Vulnerability detection (scanner, repeater, fuzzer, token analyzer) -> Confirm vulnerabilities -> Vulnerabilities and exploitation]


Alternatives to Intercepting Proxies

Non-traditional applications
  Cannot use a proxy
Browser extensions
  Extend functionality
  Do not interfere with the network-layer communication between the server and the browser
  Allow submitting arbitrary requests to the application


Methodology

1. Recon and analysis
  Map application content
  Analyze the application
2. Analysis
  Application logic: test client-side controls and test for logic flaws
  Access handling: test authentication, session management, access control
  Input handling: fuzz all parameters, test specific functionalities
  Application hosting: test for shared hosting issues, test the web server
  Miscellaneous checks
  Information leakage


Next Class

Buffer overflow and application software insecurity
