Hands-On Ethical Hacking and Network Defense, 3rd Edition
Chapter 10: Hacking Web Servers
Source: cs.boisestate.edu/~jxiao/cs332/10-web-hacking.pdf (2019-04-29)
© Cengage Learning 2017
Objectives
After completing this chapter, you will be able to:
• Describe Web applications
• Explain Web application vulnerabilities
• Describe the tools used to attack Web servers
Understanding Web Applications
• Writing a program without bugs
  – Nearly impossible
  – Some bugs create security vulnerabilities
• Web applications also have bugs
  – Larger user base than standalone applications
  – Bugs are a bigger problem
Web Application Components
• Static Web pages
  – Created using HTML
  – Display the same information regardless of time or user
• Dynamic Web pages
  – Information varies
  – Need special components
    • <form> element, AJAX, Common Gateway Interface (CGI), Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connectors
Web Forms
• Use <form> element or tag in HTML document
  – Allows customer to submit information to Web server
• Web servers
  – Process information from a form using a Web application
    • Easy way for attackers to intercept data users submit
  – Security testers should recognize when forms are used
Web Forms
• Web form example:

    <html>
    <body>
    <form>
    Enter your username:
    <input type="text" name="username">
    <br>
    Enter your password:
    <!-- a real form would use type="password" here so the browser masks the value -->
    <input type="text" name="password">
    </form>
    </body>
    </html>
Web Forms (slide 7: screenshot of a rendered form, not reproduced in this transcript)
Common Gateway Interface
• Handles moving data
  – From Web server to Web browser
• Dynamic Web pages
  – Many are created with CGI and scripting languages
• CGI's main goal:
  – Determines how Web server passes data to Web browser
    • Relies on C/C++, Perl or another scripting language to create dynamic Web pages
• Programs are written in different languages
Common Gateway Interface
• CGI example written in Perl:

    #!/usr/bin/perl
    # The first print sends the HTTP header; the blank line (\n\n) ends the headers
    print "Content-type: text/html\n\n";
    print "Hello Security Testers!";
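The Perl script above only writes output; the following is an added example (not from the textbook or the slides) of the other half of CGI, the data the Web server passes in. The server hands the request to the script through environment variables (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH) and, for POST, the request body on standard input; the script answers with header lines, one blank line, then the page. The function names and the 64 KiB body limit are assumptions made for the demo, and user input is HTML-escaped before it is echoed, which is the cross-site scripting concern raised later in the chapter.

```python
import html
from urllib.parse import parse_qs

# Added example (not from the textbook): a minimal CGI-style handler in Python
# showing the data path the slides describe. The Web server hands the request
# to the script through environment variables (REQUEST_METHOD, QUERY_STRING,
# CONTENT_LENGTH) and, for POST, the request body on standard input; the
# script answers with HTTP headers, a blank line, then the page body.
# Function names and the 64 KiB body limit are assumptions made for the demo.

MAX_BODY = 64 * 1024  # refuse oversized POST bodies instead of reading them all


def read_form_data(environ, stdin_bytes):
    """Return the submitted fields as {name: [values]}, per the CGI conventions."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        return parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            raise ValueError("invalid or oversized CONTENT_LENGTH")
        body = stdin_bytes[:length].decode("utf-8", errors="replace")
        return parse_qs(body, keep_blank_values=True)
    raise ValueError(f"unsupported method {method}")


def handle_cgi(environ, stdin_bytes=b""):
    """Build the response as (header_lines, body); user input is HTML-escaped."""
    fields = read_form_data(environ, stdin_bytes)
    # Escape before echoing so markup in the input is displayed, not executed
    # (the cross-site scripting case the scripting-language slide mentions).
    name = html.escape(fields.get("username", [""])[0]) or "Security Testers"
    headers = ["Content-type: text/html; charset=utf-8"]
    body = f"<html><body><h1>Hello {name}!</h1></body></html>"
    return headers, body


def emit(headers, body):
    """Serialise in CGI wire format: header lines, one blank line, then the body."""
    return "\n".join(headers) + "\n\n" + body


if __name__ == "__main__":
    import os
    import sys
    # Real CGI invocation: the server sets the environment and pipes the body.
    posted = sys.stdin.buffer.read() if os.environ.get("REQUEST_METHOD") == "POST" else b""
    sys.stdout.write(emit(*handle_cgi(os.environ, posted)))
```

Run under a CGI-capable server it behaves like the Perl script when no username is supplied; with `?username=<script>...` in the query string the page shows the tag text instead of running it.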
Third-Party Frameworks and Libraries
• A few of the hundreds of frameworks designed to make programming easier:
  – Spring
  – JSF
  – AngularJS
  – Yeoman
  – Sass
  – Vaadin
• As third-party libraries grow in popularity
  – Keeping them current and secure is important
Active Server Pages
• Main difference from HTML pages
  – HTML documents can be generated on the fly
    • When a user requests a Web page, one is created
• Uses scripting languages
  – JScript
  – VBScript
• Has evolved
  – Largely replaced by ASP.NET
• Not all Web servers support ASP
Active Server Pages
• ASP example:

    <HTML>
    <HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
    <BODY>
    <H1>Hello, security professionals</H1>
    The time is <% = Time %>.
    </BODY>
    </HTML>

• Microsoft does not want users to be able to view an ASP Web page's source code
  – Makes ASP more secure
Apache Web Server
• Apache
  – Another Web server program
  – Said to run on more than twice as many Web servers as IIS
• Advantages
  – Works on just about any *nix and Windows platform
  – Free
• Apache Web Server daemon (httpd) 2.4 is included on the Kali DVD
Using Scripting Languages
• Web pages
  – Developed using several scripting languages
    • VBScript
    • JavaScript
• Many security-testing tools are written with scripting languages
• Macro viruses and worms may take advantage of cross-site scripting vulnerabilities
  – Most are based on a scripting language
PHP: Hypertext Preprocessor
• PHP
  – Enables creation of dynamic Web pages
  – Similar to ASP
• Open-source server-side scripting language
  – Embedded in an HTML Web page using the PHP tags <?php and ?>
  – Users cannot see the PHP code in their Web browser
• Originally used mainly on UNIX systems
  – More widely used now
    • Macintosh and Windows
PHP: Hypertext Preprocessor
• PHP example:

    <html>
    <head>
    <title>My First PHP Program</title>
    </head>
    <body>
    <?php echo '<h1>Hello, Security Testers!</h1>'; ?>
    </body>
    </html>
ColdFusion
• Server-side scripting language
  – Used to develop dynamic Web pages
  – Created by the Allaire Corporation
• Uses proprietary tags
  – Written in ColdFusion Markup Language (CFML)
• CFML Web applications
  – Can contain other technologies (e.g., HTML or JavaScript)
ColdFusion
• CFML example:

    <html>
    <head>
    <title>Using CFML</title>
    </head>
    <body>
    <CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
    </body>
    </html>
VBScript
• Visual Basic Script
  – A scripting language developed by Microsoft
  – Converts static Web pages into dynamic Web pages
• Advantage:
  – Powerful programming language features
• The Microsoft Security Bulletin
  – Starting point for investigating VBScript vulnerabilities
VBScript
• VBScript example:

    <html>
    <body>
    <script type="text/vbscript">
    document.write("<h1>Hello Security Testers!</h1>")
    document.write("Date Activated: " & date())
    </script>
    </body>
    </html>
VBScript (slide 21: screenshot only, not reproduced in this transcript)
JavaScript
• Popular scripting language used for creating dynamic Web pages
• Has the power of a programming language
  – Branching
  – Looping
  – Testing
• Widely used
• Variety of vulnerabilities
  – Exploited in older Web browsers
JavaScript
• JavaScript example:

    <html>
    <head>
    <script type="text/javascript">
    function chastise_user()
    {
      alert("So, you like breaking rules?")
      // return focus to the button after the alert is dismissed
      document.getElementById("cmdButton").focus()
    }
    </script>
    </head>
    <body>
JavaScript
• JavaScript example (cont'd.):

    <h3>"If you are a Security Tester, please do not click the command button below!"</h3>
    <form>
    <input type="button" value="Don't Click!" name="cmdButton" id="cmdButton"
           onClick="chastise_user()" />
    </form>
    </body>
    </html>
JavaScript (slide 25: screenshot only, not reproduced in this transcript)
Connecting to Databases
• Most Web pages can display information stored on a database server
• The technology used to connect Web applications to database servers
  – Depends on the OS
  – Theory is the same
Open Database Connectivity
• Open Database Connectivity (ODBC)
  – A standard database access method
• ODBC interface
  – Allows an application to access data stored in a database management system, or any system that can understand and issue ODBC commands
• Interoperability is accomplished by defining:
  – Standardized representation for data types
  – Library of ODBC function calls
  – Standard method of connecting to and logging on
Object Linking and Embedding Database
• OLE DB
  – Set of interfaces that enable applications to access data stored in a DBMS
• Designed by Microsoft
  – Faster, more efficient, and more stable than ODBC
• Relies on connection strings
  – Allow the application to access data stored on an external device
• Different providers can be used
  – Depends on data source
Object Linking and Embedding Database (slide 29: screenshot only, not reproduced in this transcript)
ActiveX Data Objects
• ActiveX Data Objects (ADO)
  – A programming interface for connecting Web applications to a database
  – Defines a set of technologies that allow desktop applications to interact with the Web
• Steps for accessing a database:
  – Create ADO connection
  – Open the database connection created
  – Create ADO recordset
  – Open recordset and select the data you need
  – Close recordset and database connection
Understanding Web Application Vulnerabilities
• Many platforms and programming languages can be used to design a Web site
  – Application security
    • As important as network security
• Attackers controlling a Web server can:
  – Deface the Web site
  – Destroy the application's database or sell its contents
  – Gain control of user accounts
  – Perform secondary attacks
  – Gain root access to other application servers
Application Vulnerabilities and Countermeasures
• Open Web Application Security Project (OWASP)
  – Not-for-profit organization
  – Finds and fights Web application vulnerabilities
  – Publishes Ten Most Critical Web Application Security Risks
    • Built into Payment Card Industry (PCI) Data Security Standard (DSS)
Application Vulnerabilities and Countermeasures
• The OWASP Top Ten list:
  – Injection vulnerabilities
  – Authentication flaws and weaknesses
  – Cross-site scripting (XSS)
  – Insecure direct object reference
  – Security misconfigurations
  – Sensitive data exposure
  – Missing function level access control
  – Cross-site request forgery
  – Using components with known vulnerabilities
  – Unvalidated redirects and forwards
Application Vulnerabilities and Countermeasures
• OWASP WebGoat project
  – Helps security testers learn how to conduct vulnerability testing on Web applications
  – Experts from all over the world use WebGoat
  – The following slides contain images of WebGoat
Application Vulnerabilities and Countermeasures (slides 35-38: WebGoat screenshots, not reproduced in this transcript)
Web Application Test Execution
• Two techniques by which an application can be tested:
  – Static Application Security Testing (SAST)
    • Analyzing an application's source code for vulnerabilities
    • A reliable way to enumerate most application vulnerabilities
  – Dynamic Application Security Testing (DAST)
    • Analysis of a running application for vulnerabilities
    • Can be used alongside SAST to prioritize SAST findings
Information Gathering and Architecture Mapping
• Security testers should look for answers to some important questions:
  – Does the application have a database?
  – Does the application require authentication?
  – Does the application have static or dynamic pages?
  – What languages and platform does the application use?
  – Are there devices in between your Web browser and the application designed to stop attacks from occurring?
  – How does data flow in the application?
Platform Security and Configuration
• Several different platforms and technologies can be used to develop Web applications
  – Attacks differ depending on platform and technology
• Footprinting is used to discover the OS and DBMS
  – The more you know about a system, the easier it is to gather information about vulnerabilities
• Questions to consider:
  – Do the underlying platforms and components contain known vulnerabilities?
  – Is the Web server configured to protect the confidentiality of users?
Authentication and Session Testing
• Many Web applications require another server (other than the Web server) to authenticate users
  – Examine how information is passed between the two servers
  – Is an encrypted channel used, or is data passed in cleartext?
  – Is the server used for authentication properly configured and patched?
  – Is logon and password information stored in a secured location?
Authorization Testing
• Authorization
  – The act of checking a user's privileges to determine whether they should or should not have access to a page, field, resource, or action in an application
• Application developers
  – Commonly use hidden fields in tables and obscured URLs to enforce their access control instead of checking users' privileges
• Authorization testing can reveal major areas of concern
  – An important part of any application test
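The hidden-field pattern the slide warns about, beside the check it should have been, as an added example (not from the textbook or the slides). Both handlers decide whether a request may view an account page; the first bases the decision on fields the client sent, the second on the server-side session. The session store, the account table and the function names are constructed for this demo.

```python
# Added example (not from the textbook): two server-side handlers deciding
# whether a request may view an account page. The first trusts hidden form
# fields, the pattern the slide warns about; the second looks the caller's
# privileges up in the server-side session. The session store, account table
# and function names are constructed for this demo.

# Session id -> authenticated user (constructed data; in a real application
# this is server-side state looked up from the session cookie).
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "customer"},
    "sess-bob": {"user": "bob", "role": "customer"},
    "sess-carol": {"user": "carol", "role": "admin"},
}

# Account id -> owning user (constructed data).
ACCOUNTS = {"1001": "alice", "1002": "bob"}


class Forbidden(Exception):
    """Raised when the request is denied."""


def view_account_insecure(form):
    """Broken: every input to the decision is client-controlled.

    The page emitted <input type="hidden" name="role"> and name="user" when it
    was rendered; nothing here checks that they match whoever sent the request,
    so editing the hidden fields (or the account id) changes the outcome.
    """
    account = form.get("account", "")
    if account not in ACCOUNTS:
        raise Forbidden("unknown account")
    if form.get("role") == "admin" or form.get("user") == ACCOUNTS[account]:
        return f"balance for account {account}"
    raise Forbidden("no access")


def view_account_secure(session_id, form):
    """Fixed: the only client-supplied value is the account id; privileges
    come from the server-side session and are checked on every request."""
    account = form.get("account", "")
    if account not in ACCOUNTS:
        raise Forbidden("unknown account")
    session = SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("not authenticated")
    if session["role"] == "admin" or session["user"] == ACCOUNTS[account]:
        return f"balance for account {account}"
    raise Forbidden("no access")


def is_allowed(handler, *args):
    """Helper for tests and audits: True if the handler grants access."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False
```

An authorization test of the first handler consists of resubmitting the form with the hidden values changed; the second handler ignores any role or user field the form carries, so the same test yields a denial.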
Input Validation
• Input validation
  – The act of filtering, rejecting, or sanitizing a user's untrusted input before the application processes it
• Input validation problems can lead to
  – Data disclosure
  – Alteration
  – Destruction
• Security testers should check for the possibility of SQL injection being used to attack the system
  – SQL injection: attacker inserts SQL commands in a Web application field
Input Validation
• SQL injection example:

    SELECT * FROM customer
    WHERE tblusername = '' OR 1=1 -- AND tblpassword = ''

• Because 1=1 is always true
  – The query is carried out successfully
  – Double hyphens (--) are used in SQL to indicate a comment, so the password check after them is ignored
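An added example (not from the textbook or the slides) that ties three of the chapter's points together: the connect / select / close steps listed on the ADO slide, the allow-list style of input validation defined above, and the injection string from this slide, run against a query built by string concatenation and against a parameterized one. It uses Python's sqlite3 with an in-memory table; the table and column names follow the slide, while the rows, the allow-list pattern and the function names are constructed for the demo. Passwords are kept in clear only so the query matches the slide; a real system compares password hashes.

```python
import re
import sqlite3

# Added example (not from the textbook): the connect / select / close steps the
# ADO slide lists, done with Python's sqlite3 against an in-memory table, plus
# the slide's injection string run against a query built by string
# concatenation and against a parameterized one. Table and column names
# (customer, tblusername, tblpassword) follow the slide; rows, the allow-list
# pattern and the function names are constructed for this demo. Passwords are
# stored in clear only so the query matches the slide; real systems compare
# password hashes.

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Allow-list input validation: reject anything outside the expected set."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def open_customer_db():
    """Steps 1-2: create and open the connection (here with a seeded table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, tblusername TEXT, tblpassword TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (tblusername, tblpassword) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],  # constructed rows
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the input is spliced into the SQL text, as on the slide."""
    sql = (
        "SELECT id, tblusername FROM customer WHERE tblusername = '"
        + username + "' AND tblpassword = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the driver binds the values, so quotes and -- inside them are data."""
    sql = "SELECT id, tblusername FROM customer WHERE tblusername = ? AND tblpassword = ?"
    return conn.execute(sql, (username, password)).fetchall()


def check_credentials(username, password):
    """Steps 3-5 with both defenses: validate, run the bound query, close."""
    validate_username(username)  # reject bad input before touching the database
    conn = open_customer_db()
    try:
        rows = login_parameterized(conn, username, password)
    finally:
        conn.close()  # step 5: always release the connection
    return len(rows) == 1
```

With the slide's input (`' OR 1=1 --` as the username, empty password) the concatenated query returns every customer row, the parameterized query returns none, and the allow-list rejects the input before a query is built at all; the two defenses are complementary, since validation limits what reaches the database and binding makes whatever does reach it inert.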
Input Validation
• Basic testing should look for:
  – Whether you can enter text with punctuation marks
  – Whether you can enter a single quotation mark followed by any SQL keywords
  – Whether you can get any sort of database error when attempting to inject SQL statements
  – Sometimes, a Web application will give a tester no indication that a SQL statement was run
    • OWASP calls this "blind SQL injection" and it has its own set of tests that are required for detection
Error Handling
• A Web application can be configured or written to handle errors in a variety of ways
  – Developers can enable debugging
  – If debugging is left on, it can provide a rich source of information for attackers
• Developers should minimize the amount of information shared with attackers
  – When an application encounters an error
Cryptography Testing
• Many problems in cryptography are due to simple things:
  – Using bad random number generators
  – Using a known weak method of encryption
  – An application doesn't actually enforce the use of secure channels
  – Using a self-signed certificate instead of a purchased certificate
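Two of the slide's "simple things" made concrete, as an added example (not from the textbook or the slides). First, a session token drawn from Python's general-purpose PRNG beside one drawn from the operating system's CSPRNG: `random.Random` is fully determined by its seed, so a token built from a guessable seed is reproducible, whereas `secrets` has no seed to guess. Second, the cookie that carries the token issued with the attributes that keep it on a secure channel, and an audit helper that reports which of those attributes a Set-Cookie header lacks. The function names and the cookie name `session` are constructed for the demo.

```python
import random
import secrets
from http import cookies

# Added example (not from the textbook): two of the slide's "simple things"
# made concrete. First, session tokens from the general-purpose PRNG versus
# the operating system's CSPRNG: random.Random is fully determined by its
# seed, so a token derived from a guessable seed is reproducible. Second, a
# session cookie issued with the attributes that keep it on a secure channel,
# and an audit helper that reports which of them a Set-Cookie header lacks.
# Function names and the cookie name "session" are constructed for this demo.

TOKEN_BYTES = 32  # 256 bits


def weak_token(seed):
    """Bad random number generator: a Mersenne Twister seeded from a
    low-entropy value (a clock, a counter) yields the same token for the same seed."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token():
    """Session token from the CSPRNG; there is no seed to guess."""
    return secrets.token_hex(TOKEN_BYTES)


def session_cookie(token, secure=True):
    """Set-Cookie value for the session. Secure keeps the browser from sending
    it over cleartext HTTP; HttpOnly keeps page scripts from reading it;
    SameSite limits cross-site requests that carry it."""
    jar = cookies.SimpleCookie()
    jar["session"] = token
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Strict"
    if secure:
        jar["session"]["secure"] = True
    return jar.output(header="").strip()


def audit_set_cookie(header_value):
    """Return, sorted, the attributes a session cookie should carry but does not."""
    present = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    required = {"secure", "httponly", "samesite"}
    return sorted(required - present)
```

`audit_set_cookie` is the kind of check a cryptography or session test runs over the headers an application actually emits: a missing `Secure` attribute means the token will travel in clear the first time the user follows an `http://` link, whatever the login page itself enforced.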
Business Logic Testing
• Business logic
  – Refers to the flow a user is expected to follow in an application to accomplish a goal
• Example:
  – Before a wire transfer, the user must first satisfy the requirement of having at least that amount of money in the transferring account
  – If the user doesn't have the funds, the transfer is halted
• Business logic testing
  – Involves utilizing creative ways to bypass these checks
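The wire-transfer rule from the slide, enforced server-side, as an added example (not from the textbook or the slides). Beyond the balance check itself it covers the cases a business-logic test would probe: a negative or zero amount (which would move money the other way), a transfer to the same account, and two concurrent requests that each pass the balance check against the same funds. The ledger class, account names and balances are constructed for the demo.

```python
import threading
from decimal import Decimal

# Added example (not from the textbook): the wire-transfer rule on the slide,
# enforced server-side. The Ledger class, account names and balances are
# constructed for this demo.


class TransferError(Exception):
    """Raised when a transfer violates the business rules."""


class Ledger:
    def __init__(self, balances):
        # Decimal, not float, so amounts are exact
        self._balances = {k: Decimal(str(v)) for k, v in balances.items()}
        self._lock = threading.Lock()

    def balance(self, account):
        return self._balances[account]

    def transfer(self, src, dst, amount):
        """Move amount from src to dst; returns the new balance of src."""
        amount = Decimal(str(amount))
        # Bypass attempts a business-logic test would try: negative or zero
        # amounts, same-account transfers, and unknown accounts.
        if amount <= 0:
            raise TransferError("amount must be positive")
        if src == dst:
            raise TransferError("source and destination must differ")
        if src not in self._balances or dst not in self._balances:
            raise TransferError("unknown account")
        # Check and debit under one lock so two concurrent requests cannot both
        # pass the balance check against the same funds.
        with self._lock:
            if self._balances[src] < amount:
                raise TransferError("insufficient funds")
            self._balances[src] -= amount
            self._balances[dst] += amount
            return self._balances[src]


def concurrent_transfers(ledger, src, dst, amount, n):
    """Submit n identical transfers in parallel; return how many succeeded."""
    successes = []

    def worker():
        try:
            ledger.transfer(src, dst, amount)
            successes.append(1)
        except TransferError:
            pass

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)
```

A client-side balance check on the transfer form satisfies none of this: the request can be replayed, edited or sent twice, so the rule has to live where the funds do.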
Client-side Testing
• Client-side issues
– Arise from code executing on the user’s machine
• Key areas to consider with a client-side test:
– Does the application store sensitive information on the client’s machine in an insecure manner?
– Does the application allow for client browser redirection if the server is fed a specially crafted request?
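For the redirect question above, an added example (not from the textbook) of the server-side check a tester would hope to find: a Python helper that only honours a `next` parameter when it stays on the application's own origin, covering the scheme-relative, backslash and control-character forms that browsers resolve off-site. The `next` parameter name and the sample inputs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a same-origin path to redirect to, or `default` when the supplied
    value could send the browser somewhere else."""
    if not next_param:
        return default
    # CR/LF/tab and other control characters: browsers strip tab/newline before
    # parsing (so "/\t/host" becomes "//host"), and CR/LF in a Location header
    # is a separate header-injection problem. No legitimate target needs them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return default
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    candidate = next_param.strip().replace("\\", "/")
    # Any run of leading slashes is collapsed to an authority by browsers
    # ("///evil.example" resolves to https://evil.example/), so require exactly one.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:  # absolute, scheme-relative or javascript: URLs
        return default
    if not parts.path.startswith("/"):  # "evil.example/x" is a relative path; force absolute
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))  # fragment dropped


if __name__ == "__main__":
    # Constructed sample values a tester might submit as the next parameter.
    for value in ["/dashboard?tab=1", "//evil.example/", "https://evil.example/",
                  "/\\evil.example", "///evil.example", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
```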
Tools for Web Attackers and Security Testers
• After vulnerabilities of a Web application or an OS platform are discovered
– Security testers or attackers look for tools to test or attack the system
• All platforms and Web application components have vulnerabilities
– No matter which platform is used, there is a security hole and a tool capable of breaking into it
Web Tools
• The Kali DVD
– Is packed with free tools for hacking Web applications
• You can install new tools with a simple command:
– apt-get install packagename
Firefox and Chrome Built-In Developer Tools
• Both come with a similar set of developer tools
Burp Suite and Zed Attack Proxy
• Burp Suite
– Included in Kali Linux
– Offers the tester a number of features for testing Web applications and Web services
– Allows you to intercept traffic between the Web browser and the server to inspect and manipulate requests before sending them to the server
• Zed Attack Proxy
– Can be used interchangeably with Burp Suite
Burp Suite and Zed Attack Proxy
Wapiti
• Wapiti: Web application vulnerability scanner
– Uses a black box approach
• Doesn’t inspect code
– Inspects by searching from outside
• Looks for ways to take advantage of XSS, SQL, PHP, JSP, and file-handling vulnerabilities
– Uses “fuzzing”
• Trying to inject data into whatever will accept it
Wfetch
• Wfetch: GUI tool that queries the status of a Web server
– Attempts authentication against it; features include:
• Multiple HTTP methods
• Configuration of hostname and TCP port
• HTTP 1.0 and HTTP 1.1 support
• Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiate authentication types
• Multiple connection types
• Proxy support and client-certificate support
• Capability to enter requests manually or read from file
• Onscreen and file-based logging
Wfetch
Summary
• Web applications
– Can be developed on many platforms
• HTML pages can contain forms, ASP, CGI, and scripting languages
• Static Web pages
– Have been replaced by dynamic Web pages
• Dynamic Web pages are created using CGI, ASP, etc.
• Web forms
– Allow developers to create Web pages with which visitors can interact
Summary
• Web applications
– Use a variety of technologies to connect to databases (e.g., ODBC, OLE DB, and ADO)
• You can install IIS
– To test Web pages in Windows
• Web application vulnerabilities
– Can have damaging consequences
• When conducting security tests on Web applications
– There are various considerations
Summary
• Web applications that interact with databases
– Might be vulnerable to SQL injection exploits
• Many tools for testing Web application vulnerabilities are available
– Burp Suite
– Wapiti
– OWASP open-source software