
Page 1: faculty.scf.edufaculty.scf.edu/bodeJ/CIS2352/Supplemental Chapter Re…  · Web viewThis chapter covers Web application firewalls and gains insights on Web application pen testing

In this chapter, we will learn about Web applications, Web application components, and the working of Web applications, and discuss hidden field manipulation, cross-site scripting (XSS), and Web services attacks. This chapter focuses on identifying Web application hacking and Web application security tools. It also covers Web application firewalls and gives insights into Web application pen testing.

13.1 Understand Web applications, Web application components, and working of Web applications

Exam Focus: Understand Web applications, Web application components, and working of Web applications. Objective includes:

- Understand Web applications.
- Identify Web application components.
- Understand working of Web applications.

Web application

A Web application consists of an Internet Information Services (IIS) site with a unique application pool. When a user creates a new Web application, he also creates a new database and defines the authentication method used to connect to the database. A Web application must be created first before creating a site or a site collection.

Features of Web applications

The primary features of Web applications are as follows:

- Web applications need only Web browsers to run applications.
- Web applications require very little space on client computers.
- Web applications do not require any upgrade on the client. Upgrades run on the server and are automatically delivered to users.
- Web applications integrate easily with various server-side Web procedures, such as email and searching.
- Web applications provide cross-platform compatibility.

Web application security statistics

The following are the Web application security statistics:

Web application vulnerability    Percent
Cross-site scripting             80 %
SQL injection                    62 %
Parameter tampering              60 %
Cookie poisoning                 37 %
Database server                  33 %
Web server                       23 %
Buffer overflow                  19 %


Components of Web applications

The main components of Web applications are as follows:

- Login
- Web server
- Session tracking mechanism
- User permissions
- Application content
- Data access
- Data store
- Role-level system security
- Application logic
- Logout

Working of Web applications

The following image shows the working of Web applications:

13.2 Understand Web application architecture, parameter/form tampering, and injection flaws

Exam Focus: Understand Web application architecture, parameter/form tampering, and injection flaws. Objective includes:

- Examine Web application architecture.
- Assess parameter/form tampering.
- Understand injection flaws.

 


Web application architecture

The following is the Web application architecture:

Web applications consist of four important components:

- Clients: The end users of Web applications.
- Business layer: The business layer contains the functional algorithms that handle information exchange between a database and a user interface.
- Web server: A type of server that makes a Website available on the Internet and manages the interaction and HTTP exchanges in the background. It supplies static content to a Web browser by loading a file (or files) from disk and sending it over the network to the end user's Web browser. Because the Website is on the Internet, its management is done by the Web server. The browser and the server interact with each other using HTTP.
- Database layer: The database layer is responsible for the storing, retrieval, and integrity of user data for the Web application.

Web attack vectors

An attack vector is a path or means that an attacker can use to gain access to computer or network resources. The attacker can use the attack vector to deliver an attack payload or cause a malicious outcome. Attack vectors include the following:

- Parameter manipulation
- XML poisoning
- Client validation
- Server misconfiguration
- Web service routing issues
- Cross-site scripting

As attack vectors keep changing and evolving with new technology, no protection method is completely attack-proof.

Vulnerability stack

Enterprise security professionals deal with vulnerabilities. They have to solve as many issues as possible wherever they appear. The vulnerability stack is used to focus vulnerability scanning/assessment solutions. The following is the vulnerability stack:

Web application threats - 1

The following are Web application threats - 1:

- Cookie poisoning
- Insecure storage
- Information leakage
- Improper error handling
- Broken account management
- Directory traversal
- SQL injection
- Parameter/form tampering
- Denial of Service
- Buffer overflow
- Log tampering
- Unvalidated input
- Cross site scripting (XSS)
- Injection flaws
- Cross site request forgery
- Broken access control
- Security misconfiguration
- Broken session management

Web application threats - 2

The following are Web application threats - 2:

- Platform exploits
- Insecure direct object references
- Insufficient transport layer protection
- Failure to restrict URL access
- Insecure cryptographic storage
- Cookie snooping
- Obfuscation application
- DMZ protocol attacks
- Security management exploits
- Authentication hijacking
- Network access attacks
- Web services attacks
- Hidden manipulation
- Unvalidated redirects and forwards
- Session fixation attack
- Malicious file extension

Unvalidated input

Input validation flaws are Web application vulnerabilities in which input from a client is not validated before Web applications and backend servers process it. Attackers exploit input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc., which lead to data theft and system malfunction.

Parameter/form tampering attack

In a parameter/form tampering attack, the attacker modifies the hidden field values of the form and changes data. This attack can cause theft of services, escalation of access, and session hijacking. The following are countermeasures against parameter/form tampering attacks:

- Field validity checking
- Minimizing the use of hidden parameters

Directory traversal

Directory traversal (or path traversal) is an attack method that exploits insufficient security validation/sanitization of user-supplied file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
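The sanitization the paragraph above calls for is best done on the canonical path rather than by searching the string for "../". The following is an added example (not code from the original chapter) of a resolver that decodes the requested name once, canonicalizes it under a document root and refuses anything that lands outside; the document root, the file names and the rejection policy for absolute paths are all constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested file name escapes the document root."""


def resolve_under_root(document_root: str, requested: str) -> Path:
    """Map a user-supplied file name to a path guaranteed to lie inside document_root.

    The decision is made on the canonical path (".." segments and symlinks resolved),
    which is why this works where a substring filter for "../" does not: encoded
    forms such as "..%2f" and symlinked directories both slip past a naive filter.
    """
    # Decode percent-encoding once so "..%2f" is judged as "../" (a request layer
    # that has already decoded the path would skip this step).
    name = unquote(requested)
    # Policy assumed for this example: NUL bytes, absolute paths and drive letters
    # have no legitimate meaning for a web-served file name, so reject them early.
    if "\x00" in name or name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise TraversalError(f"rejected file name: {requested!r}")
    root = Path(document_root).resolve()
    candidate = (root / name).resolve()
    # commonpath() is the containment test: if the longest shared prefix is not the
    # root itself, the candidate climbed out of it.
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        raise TraversalError(f"{requested!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Constructed demonstration: a temporary document root with a single public file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "readme.txt").write_text("public\n")
        requests = (
            "docs/readme.txt",            # plain request
            "docs/../docs/readme.txt",    # ".." that stays inside the root
            "../../outside.txt",          # climbs above the root
            "..%2f..%2foutside.txt",      # same climb, percent-encoded
        )
        results = {}
        for req in requests:
            try:
                path = resolve_under_root(str(root), req)
                results[req] = "allowed:" + str(path.relative_to(root))
            except TraversalError:
                results[req] = "rejected"
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:28} -> {verdict}")
```

The second request shows why the check is on the resolved path: ".." is not forbidden as such, only leaving the root is, so legitimate relative links keep working.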

The goal of this attack is to make an application access a file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) rather than a bug in the code. Directory traversal is also known as the '../' (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

Security misconfiguration

Attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc., by using misconfiguration vulnerabilities. Server misconfiguration can take place at any level of an application stack, including the following:

- Platform
- Web server
- Application server
- Framework
- Custom code

The following are server configuration problems:

- Server software flaws
- Enabling unnecessary services
- Improper authentication
- Unpatched security flaws

Injection flaws

Injection flaws are vulnerabilities in which a foreign agent illegally uses a sub-system. They are the vulnerability holes that can be used to attack applications. Injection is the most common technique for attacking a database. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. Injection flaws include XSS (HTML injection) and SQL injection.

In SQL injection, malicious SQL queries are injected through user input. In command injection, malicious code is injected via a Web application. In LDAP injection, malicious LDAP statements are injected.

The following are countermeasures against injection flaw attacks:

- Avoid accessing external interpreters wherever possible and use library APIs instead.
- Use prepared statements or stored procedures to overcome SQL injection attacks.
- Ensure that the Web application runs only with minimum privileges.
- Validate data while making calls to backend databases.
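To make the prepared-statement countermeasure concrete, here is an added example (not from the original chapter) that puts a string-built login query next to the same query as a prepared statement, using Python's built-in sqlite3 module and a constructed two-row user table. It also covers the LDAP case from the same list with an RFC 4515 filter-value escaper, since LDAP filters have no equivalent of bound parameters; the table, user names and filter shape are assumptions for the illustration.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("mark", "pw-mark"), ("admin", "pw-admin")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by concatenation: user input becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username: str, password: str) -> list:
    """Same query as a prepared statement: the SQL is fixed and the inputs are
    bound as values, so they can never change the shape of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def ldap_escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    the filter metacharacters become \\XX hex escapes and lose their meaning."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_user_filter(username: str) -> str:
    """Build the lookup filter with the user-controlled part escaped."""
    return "(&(objectClass=person)(uid=%s))" % ldap_escape_filter_value(username)


if __name__ == "__main__":
    db = make_demo_db()
    # A quote followed by a SQL comment marker is enough to cut the password check
    # out of the concatenated query; the prepared statement treats it as a name.
    probe = "admin' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))   # ['admin']
    print("prepared:  ", login_prepared(db, probe, "wrong"))     # []
    print(ldap_user_filter("*)(uid=*"))
```

The same input produces a login with the concatenated query and nothing with the prepared statement, which is the whole point of the countermeasure: validation of the input is still worthwhile, but it is no longer what stands between the user and the interpreter.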


SQL injection attacks

SQL injection attacks use a series of malicious SQL queries to manipulate the database directly. An attacker can use a vulnerable Web application to bypass normal security measures and access valuable data. SQL injection attacks are generally executed from the address bar, from within application fields, and via queries and searches.

Command injection attacks

The following are command injection attacks:

- Shell injection: An attacker crafts an input string in order to gain shell access to a Web server. The following are functions reached by shell injection:
  o system()
  o StartProcess()
  o java.lang.Runtime.exec()
  o System.Diagnostics.Process.Start()
- HTML embedding: This attack is used to deface Websites virtually. In this attack, an attacker appends extra HTML-based content to the vulnerable Web application. In HTML embedding attacks, user input to a Web script is placed into the output HTML without checking for HTML code or scripting.
- File injection: In this attack, an attacker exploits the vulnerability and adds malicious code into system files.

LDAP injection

An LDAP injection technique takes advantage of non-validated Web application input in order to pass LDAP filters. LDAP filters are used to search Directory Services in order to obtain direct access to databases behind an LDAP tree.

Working of LDAP injection

LDAP injection attacks are similar to SQL injection attacks, but LDAP injection attacks generate an LDAP query by exploiting user parameters. To test whether an application is vulnerable to LDAP code injection, send a query to the server that generates invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.

Cross-site request forgery (CSRF) attacks

Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a Website whereby unauthorized commands are transmitted from a user that the Website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated.

Working of cross-site request forgery (CSRF) attacks

Cross-site request forgery (CSRF) attacks include the following steps:

1. A user logs in to the trusted server with his credentials.
2. The server sets a session cookie in the user's browser.
3. An attacker sends a phishing mail to trick the user into sending a request to a malicious site.
4. The user requests a page from the malicious server. The response page includes malicious code. The malicious code is executed in the trusted server.

Web application Denial of Service attack

Attackers send hundreds of resource-intensive requests, such as pulling large image files or requesting dynamic pages that need expensive search operations on the backend database servers, in order to exhaust available server resources. Applications are vulnerable due to reasonable-use expectations, application environment bottlenecks, implementation flaws, and poor data validation. The following are the targets of attackers in Denial of Service attacks:

- CPU, memory, and sockets
- Disk bandwidth
- Database bandwidth
- Worker processes

Existing DoS protection measures are unable to detect application-level DoS attacks, because application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients.

Examples of Denial of Service

The following are examples of Denial of Service:

- Login attacks: An attacker continually sends login requests that require the presentation tier to access the authentication mechanism. This may overload the login process and make it unavailable or unreasonably slow to respond.
- Account lock-out attacks: An attacker may enumerate usernames via another vulnerability in the application and then use valid usernames and incorrect passwords to authenticate to the site. After the specified number of failed attempts, the invalid passwords will lock out the accounts. This prevents legitimate users from using the site.
- User enumeration: If the application states which part of the username/password pair is incorrect, an attacker can automate the process of attempting common usernames from a dictionary file to enumerate the users of the application.
- User registration DoS: An attacker can create a program that submits the registration form repeatedly. This adds a large number of spurious users to the application.
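The account lock-out example above is a case where the defence against login attacks becomes the Denial of Service. The following added example (not part of the original chapter) shows one way around that: a sliding-window throttle keyed by client address and username, so repeated wrong passwords slow down the address sending them without locking the account for its real owner. The limits, the fake clock and the addresses (from the documentation ranges) are constructed for the illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by (client address, username).

    Keying on the address as well as the account means an attacker who enumerates
    usernames and submits wrong passwords only throttles their own address; a plain
    per-account lock-out counter would hand them the Denial of Service directly.
    """

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return what is left."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, client, username):
        """True if this client may attempt a login for this username right now."""
        return len(self._recent((client, username), self.clock())) < self.max_failures

    def record_failure(self, client, username):
        now = self.clock()
        self._recent((client, username), now).append(now)

    def record_success(self, client, username):
        # A correct password clears the counter for that client/account pair.
        self._failures.pop((client, username), None)


class FakeClock:
    """Constructed clock so the window can be advanced without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=clock)
    attacker, victim = "203.0.113.5", "198.51.100.7"    # constructed addresses
    for _ in range(3):                                   # three wrong passwords for "mark"
        throttle.record_failure(attacker, "mark")
    attacker_blocked = not throttle.allowed(attacker, "mark")
    victim_still_ok = throttle.allowed(victim, "mark")   # same account, other address
    clock.advance(61)                                    # window expires
    attacker_recovers = throttle.allowed(attacker, "mark")
    return attacker_blocked, victim_still_ok, attacker_recovers


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Per-address keys do not help against failures spread over many addresses, so in practice this sits alongside a much looser per-account limit and monitoring of the overall failure rate; the point of the example is that the tight limit should never be the per-account one.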

Buffer overflow attack

Buffer overflow is a condition in which an application receives more data than it is configured to accept. It helps an attacker not only to execute malicious code on the target system but also to install backdoors on the target system for further attacks. The attacker modifies function pointers used by an application in order to redirect program execution via a jump or call instruction to a location in memory containing malicious code. All buffer overflow attacks are due only to sloppy programming or poor memory management by the application developers.

Cookie poisoning

In cookie poisoning, an attacker modifies the value of cookies before sending them back to the server. By modifying the cookie values, the attacker can log in to another user's account and perform identity theft. The following figure explains how cookie poisoning occurs:

For example: The attacker visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1.

Original cookie values:
ItemID1 = 2
ItemPrice1 = 900
ItemID2 = 1
ItemPrice2 = 200

Modified cookie values:
ItemID1 = 2
ItemPrice1 = 1
ItemID2 = 1
ItemPrice2 = 1

Now, the attacker clicks the Buy button and the prices are sent to the server, which calculates the total price.

Another use of a cookie poisoning attack is to pretend to be another user after changing the username in the cookie values:

Original cookie values:
LoggedIn = True
Username = Mark

Modified cookie values:
LoggedIn = True
Username = Admin

Now, after modifying the cookie values, the attacker can log in as admin.

Working of cookie poisoning

Cookie poisoning includes the following steps:

1. A user browses a Web page.
2. The Web server replies with the requested page.
3. The Web server sets a cookie on the user's browser.
4. An attacker steals the cookie by using sniffing, XSS, or phishing attacks.
5. The attacker uses the modified cookie and then orders a product. The product is delivered to the attacker's address.
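The cookie values in the shop example above, and the hidden form fields in the parameter/form tampering section earlier, fail for the same reason: the server trusts a value the client can edit. This added example (not from the original chapter) applies the two countermeasures the chapter lists. The cookie carries an HMAC tag so any edit is detected, and the checkout recomputes prices from a server-side catalogue so the price field is never trusted even when the cookie is intact. The catalogue, the secret key and the cookie layout are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed server-side catalogue (item id -> price): prices come from here, not the client.
CATALOGUE = {1: 200, 2: 900}

# Per-process key for the example; a real deployment keeps this in a key store.
SERVER_SECRET = secrets.token_bytes(32)


def sign_cookie(fields: dict) -> str:
    """Serialise the fields and append an HMAC-SHA256 tag computed over them."""
    body = urlencode(sorted(fields.items()))
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sig=" + tag


def verify_cookie(cookie: str):
    """Return the fields if the tag matches, otherwise None (tampered or unsigned)."""
    body, sep, tag = cookie.rpartition("&sig=")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}


def checkout_total(cookie: str) -> int:
    """Defensive checkout: refuse a tampered cookie, and even for an intact one
    price the items from the catalogue rather than from ItemPriceN."""
    fields = verify_cookie(cookie)
    if fields is None:
        raise ValueError("cookie signature invalid: possible tampering")
    total, i = 0, 1
    while f"ItemID{i}" in fields:
        total += CATALOGUE[int(fields[f"ItemID{i}"])]
        i += 1
    return total


if __name__ == "__main__":
    # The chapter's original cookie values, as the server would have issued them.
    cart = sign_cookie({"ItemID1": 2, "ItemPrice1": 900, "ItemID2": 1, "ItemPrice2": 200})
    print("honest total:", checkout_total(cart))                     # 1100
    tampered = cart.replace("ItemPrice1=900", "ItemPrice1=1")        # the edit from the text
    try:
        checkout_total(tampered)
    except ValueError as e:
        print("tampered cart:", e)
    # The second scenario from the text: rewriting the username in a login cookie.
    login = sign_cookie({"LoggedIn": "True", "Username": "Mark"})
    print("edited login cookie accepted:",
          verify_cookie(login.replace("Username=Mark", "Username=Admin")) is not None)  # False
```

The signature stops silent edits, but it is the catalogue lookup that removes the incentive: even a cookie the server itself signed with a stale price cannot lower the bill. Keeping the cart and the login state server-side, with only an opaque session identifier in the cookie, achieves the same with less to get wrong.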


Session fixation

In session fixation attacks, the attacker attempts to exploit a vulnerability of a system by fixating another person's session identifier (SID). Session fixation attacks are achieved by creating a link to an application and appending the session identifier that the attacker wishes to give to any user clicking the link:

<a href="http://php.org/index.php?PHPSESSID=14">Click here</a>

When a user accesses the site through this session, he may provide sensitive information and login credentials. With such information, the attacker can ride on the same session and gain access to the user's account.

The following example involves the use of a session fixation attack:

1. An attacker uses his credentials to log on to the bank Website.
2. The Web server sets a session ID on the attacker's machine.
3. The attacker sends an email including a link with the fixed session ID.
4. A user is redirected to the bank Website when he clicks the link.
5. The user logs on to the server with his credentials and the fixed session ID.
6. The attacker uses the victim's credentials with the same session ID to log on to the server.
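Both this session fixation sequence and the CSRF steps in the previous section are defeated by how the server manages the session, so one added example (not from the original chapter) covers both: a small in-memory session store that discards whatever session identifier the client presented at login and issues a fresh, unpredictable one, and that binds a synchronizer token to the session for state-changing requests. The store, the login flow and the token check are assumptions made for the illustration.

```python
import hmac
import secrets


class SessionStore:
    """In-memory session store, constructed for the example."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": ..., "csrf": ...}

    def new_session(self) -> str:
        # 256 bits from the OS CSPRNG: an identifier the attacker cannot guess
        # or choose, unlike a sequential value such as PHPSESSID=14.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, presented_sid, username: str) -> str:
        """Authenticate the user and rotate the session identifier.

        The id the client presented (possibly planted by an attacker through a
        link) is discarded; the authenticated state exists only under a freshly
        generated id that the attacker has never seen, so the fixed id is useless.
        """
        self._sessions.pop(presented_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid

    def check_csrf(self, sid, submitted_token) -> bool:
        """Synchronizer-token check for a state-changing request: the token must
        match the one stored with the session, and only logged-in sessions count."""
        session = self._sessions.get(sid)
        if session is None or session["user"] is None:
            return False
        return hmac.compare_digest(session["csrf"], submitted_token or "")


def demo():
    store = SessionStore()
    fixed_sid = "14"                                   # id an attacker planted in a link
    victim_sid = store.login(fixed_sid, "mark")        # victim logs in using that id
    # The attacker, still holding "14", finds no session under it.
    fixation_blocked = store.get(fixed_sid) is None and victim_sid != fixed_sid
    # A form rendered by the site includes the session's token; a cross-site
    # page cannot read it, so its forged request arrives without one.
    token = store.get(victim_sid)["csrf"]
    genuine_request = store.check_csrf(victim_sid, token)
    forged_request = store.check_csrf(victim_sid, None)
    return fixation_blocked, genuine_request, forged_request


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Regenerating the identifier at login is what breaks the fixation sequence at step 5: the victim's browser receives a new cookie, and the identifier the attacker chose in step 3 never becomes authenticated. The CSRF token has to be compared in constant time and only after the session is known to be logged in; otherwise an attacker can probe the check itself.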

Insufficient transport layer protection

Insufficient transport layer protection means that weak algorithms are supported and expired or invalid certificates are used. An attacker can use a poorly configured SSL setup in order to launch phishing and MITM attacks. Insufficient transport layer protection exposes users' data to untrusted third parties and can result in account theft.

Improper error handling

Improper error handling provides insight into the source code, such as logic flaws, default accounts, etc. An attacker identifies vulnerabilities by using the information received from an error message.

Insecure cryptographic storage

In insecure cryptographic storage, an application encrypts and stores sensitive data in the database using poorly written encryption code, so the data is not actually protected. An attacker can steal or modify weakly protected data such as credit cards, SSNs, and other authentication credentials.

Broken authentication and session management

The following vulnerabilities in authentication or session management are used by an attacker to impersonate users:

- Exposed accounts
- Session IDs
- Logout
- Password management
- Timeouts
- Remember me
- Secret question
- Account update

The attacker sniffs the network traffic or obtains session IDs by tricking the user, and reuses the session IDs for malicious purposes.

If an application's timeouts are not set properly and a user does not log out from a site accessed through a public computer but simply closes the browser, an attacker can exploit the user's privileges by using the same browser later.

An attacker who gains access to the Web application's password database can exploit every user's password if the passwords are not encrypted.

Unvalidated redirects and forwards

Attackers use unvalidated redirects to install malware or trick users into disclosing passwords or other sensitive information. Unsafe forwards can allow an attacker to bypass access control.

Unvalidated redirect

Unvalidated forward
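The validation that makes a redirect safe is to decide, before issuing it, that the target is either a path on the application itself or an absolute URL to a host on an allowlist. The following is an added example (not from the original chapter) of such a check using only the standard library; the allowed host name and the fallback target are constructed for the illustration, and the check covers the scheme-relative and backslash spellings that a plain "starts with /" test lets through.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the application's own hosts.
ALLOWED_HOSTS = {"www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a site-relative path or an absolute http(s) URL to an allowed host."""
    if not target or any(ord(c) < 0x20 or c in " \t" for c in target):
        return False                      # control characters / header-splitting material
    # Browsers treat "\" like "/", so "/\evil.example" means "//evil.example";
    # normalise before parsing rather than after.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, file: and friends
    if parts.netloc:
        # Absolute URL: the *hostname* must be ours. Using hostname (not netloc)
        # defeats "https://www.example.com@evil.example/", whose host is evil.example.
        return parts.hostname in allowed_hosts
    # No authority component: accept a plain "/path" but not "//host" (scheme-relative).
    return normalised.startswith("/") and not normalised.startswith("//")


def redirect_target(requested: str, fallback: str = "/") -> str:
    """Where to send the user after login: the requested page if safe, else the fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for t in ("/account", "https://www.example.com/home", "https://evil.example/login",
              "//evil.example/", "/\\evil.example", "javascript:void(0)",
              "https://www.example.com@evil.example/"):
        print(f"{t:42} -> {redirect_target(t)}")
```

An unvalidated forward inside the application is the same problem one layer down: the forward target should be chosen from a fixed mapping by the server, never taken from a parameter the client supplied.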

13.3 Discuss hidden field manipulation, cross-site scripting (XSS), and Web services attacks

Exam Focus: Discuss hidden field manipulation, cross-site scripting (XSS), and Web services attacks. Objective includes:

- Discuss hidden field manipulation attacks.
- Describe cross-site scripting (XSS) attacks.
- Understand Web services attacks.

Hidden field manipulation attack

When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request. HTML can also store field values as hidden fields. The browser does not render hidden fields to the screen. During form submission, hidden fields are collected and submitted as parameters. Attackers can examine the HTML code of the page and change the POST request to the server by changing the hidden field values.

Cross-site scripting attack

A cross-site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to a newsgroup site. When another user views this message, the browser interprets this code and executes it, and as a result the attacker is able to take control of the user's system. Cross-site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross-site scripting attack, the attacker can perform cookie stealing, session hijacking, etc.

The following scenario involves the use of a cross-site scripting attack:

1. An attacker sends an email with a malicious link. The email includes a message that the user has won a lottery and needs to click the given link in order to claim it.
2. The user clicks the malicious link. The legitimate server receives the request.
3. The server sends a page to the user with the client profile. Malicious code is executed on the client's Web server.
4. The attacker gets access to the victim's computer.

The following is an example of an XSS attack in a blog posting:

1. An attacker adds a malicious script in the comment field of the blog post. The comment with the malicious link is stored on the server.
2. When a user visits the Website, he is redirected to the malicious Website.

Working of a cross site scripting (XSS) attack

A cross site scripting attack works in the following manner:

- The attacker identifies a Web site that has one or more XSS bugs, for example, a Web site that echoes the contents of a query string.
- The attacker crafts a special URL that includes a malformed and malicious query string containing HTML and scripts such as JavaScript.
- The attacker finds a victim and gets the victim to click on a link that includes the malformed query string. This could simply be a link to another Web page, or a link in an HTML e-mail.
- Once the victim clicks the link, the victim's browser makes a GET request to the vulnerable server, passing the malicious query string.
- The vulnerable server echoes the malicious query string back to the victim's browser, and the browser executes the JavaScript embedded in the response.
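The last step is where the server decides the outcome: echoing the query string as-is lets the browser parse it as markup, while encoding it for the context it lands in makes the browser show it as text. The following added example (not from the original chapter) renders the "search results" page from the scenario both ways with Python's html.escape, and reuses the same encoder for the stored comment case from the blog example; the page template and the probe string are constructed for the illustration.

```python
import html

# Constructed page template: the query appears in element text and in an attribute.
PAGE = ('<html><body><h1>Results for: {q}</h1>'
        '<input name="q" value="{q_attr}"></body></html>')


def search_page_vulnerable(query: str) -> str:
    """Echoes the query string into the page unmodified (the flaw in the text)."""
    return PAGE.format(q=query, q_attr=query)


def search_page_hardened(query: str) -> str:
    """Encodes the query before it is placed in the page.

    quote=True also encodes " and ', which matters for the attribute slot: without
    it a query containing a quote could close value="..." and add attributes.
    """
    safe = html.escape(query, quote=True)
    return PAGE.format(q=safe, q_attr=safe)


def render_comment(body: str) -> str:
    """Persistent case: a comment read back from the database gets the same
    treatment, since the store does not make the content any more trustworthy."""
    return '<li class="comment">' + html.escape(body, quote=True) + "</li>"


def contains_script_element(markup: str) -> bool:
    """Crude check used by the demo: does the response contain a live <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    probe = '<script>alert("xss")</script>'    # constructed probe string
    print("vulnerable page executes script:", contains_script_element(search_page_vulnerable(probe)))  # True
    print("hardened page executes script:  ", contains_script_element(search_page_hardened(probe)))    # False
    print(render_comment(probe))
```

Encoding at output time, per context, is the control; in addition, marking the session cookie HttpOnly keeps it out of reach of any script that does run, which limits the cookie-stealing outcome the chapter mentions even when an encoding is missed.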

Modes of PHP cross-site scripting

There are three modes of PHP cross-site scripting:

- Reflected: An attacker provides a link or other payload containing embedded malicious content, which the application immediately displays back to the victim. This is the primary form of phishing via e-mail (such as eBay scams, bank scams, etc.).
- Persistent: An attacker stores malicious content within a database, which is then exposed to victims at a later time. This is the most common form of cross-site scripting attack against forum and Web mail software.
- DOM: An attacker uses the victim site's JavaScript code to perform reflected cross-site scripting. This technique is not widely used as yet, but it is just as devastating as any other form of cross-site scripting.

Web ripping

Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker trace the loopholes of the Web site.

Web services architecture

The following is the Web services architecture:

 


Web services attacks

Web services are typically application programming interfaces (APIs) or Web APIs that are accessed via the Hypertext Transfer Protocol (HTTP) and executed on a remote system hosting the requested services. An attacker can inject a malicious script into a Web service, which can enable disclosure and modification of data. The following are countermeasures against Web services attacks:

- Turning off Web services that are not required
- Providing multiple layers of protection
- Blocking all known attack paths for Web services

Web services XML poisoning

Attackers perform XML node manipulation or XML schema poisoning by inserting malicious XML code in SOAP requests to produce errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references, which can result in arbitrary file or TCP connection openings and can be exploited for other Web service attacks. XML poisoning allows attackers to perform a Denial of Service attack and compromise confidential information.

Using Burp Suite for Web spidering

The following actions should be taken for Web spidering using Burp Suite:

1. Configure a Web browser to use Burp as a local proxy.
2. Visit every possible URL to access the entire target application, and submit all the application forms available.
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled.
4. Check the site map that the Burp proxy generates and identify any hidden application content or functions.
5. Repeat these steps recursively until no further content or functionality is recognized.

Web services parsing attacks

Web services parsing attacks create a Denial of Service condition or produce logical errors in Web service request processing by exploiting vulnerabilities and weaknesses in the processing capabilities of the XML parser. The following are the payloads:

- Recursive payloads: An attacker queries Web services with a grammatically correct SOAP document that includes infinite processing loops, leading to exhaustion of XML parser and CPU resources.
- Oversize payloads: An attacker sends a payload that is excessively large to consume all system resources. This renders Web services inaccessible to other legitimate users.
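The parsing attacks in this section and the external-entity manipulation in the XML poisoning section are all handled at the same place, the parser configuration. The following added example (not from the original chapter) wraps Python's standard expat parser with a size cap against oversize payloads, a nesting-depth cap against recursive payloads, and a refusal of any DOCTYPE so that entity declarations, internal or external, are never processed. The limits, the sample SOAP envelope and the hostile documents are constructed for the illustration.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document violates one of the parsing limits."""


def parse_soap_guarded(data: bytes, max_bytes: int = 64 * 1024, max_depth: int = 32) -> list:
    """Parse XML with expat under limits; returns the element names in document order.

    - Size cap: refuse oversize payloads before any parsing work is spent on them.
    - Depth cap: refuse deeply nested (recursive) payloads as soon as the limit is hit.
    - No DOCTYPE: a DTD is the only way to declare entities, so refusing it rules out
      external entity references and entity-expansion blowups in one step.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds limit of {max_bytes}")
    depth = 0
    elements = []

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise UnsafeXML(f"nesting deeper than {max_depth} at <{name}>")
        elements.append(name)

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted in requests")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(data, True)          # exceptions raised in handlers propagate out of Parse
    return elements


def guard_result(data: bytes, **limits) -> str:
    """Helper for the demo: 'ok' or 'rejected: <reason>'."""
    try:
        parse_soap_guarded(data, **limits)
        return "ok"
    except UnsafeXML as e:
        return "rejected: " + str(e)


# Constructed sample request and three hostile variants.
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><GetPrice><Item>2</Item></GetPrice></soap:Body></soap:Envelope>')
DEEP = b"<a>" * 40 + b"</a>" * 40                      # well-formed, 40 levels deep
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'  # entity declaration
HUGE = b"<x>" + b"a" * (70 * 1024) + b"</x>"           # over the 64 KiB cap

if __name__ == "__main__":
    print("benign: ", guard_result(BENIGN))
    print("deep:   ", guard_result(DEEP))
    print("dtd:    ", guard_result(WITH_DTD))
    print("huge:   ", guard_result(HUGE))
```

The depth check fires inside the parser, so a recursive payload is stopped after max_depth elements rather than after the whole document has been read; the size check is deliberately first because it is the only one that costs nothing per byte.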

XML injection

Attackers manipulate the XML schema or populate the XML database with bogus entries by injecting XML data and tags into user input fields. XML injection can be used for the following purposes:

- To bypass authorization
- To escalate privileges
- To generate Web services DoS attacks

SOAP injection

An attacker bypasses the Web services authentication mechanism and accesses backend databases by injecting malicious query strings in the user input field. SOAP injection attacks work like SQL injection attacks.

Web services probing attack

After capturing the WSDL document from Web service traffic, an attacker analyzes it in order to determine the following:

- Purpose of the application
- Functional breakdown
- Entry points and message types

The attacker then selects a set of operations and formulates request messages on the basis of the rules of the XML schema, producing a set of valid requests that can be submitted to the Web service. The attacker uses these requests to include malicious content in SOAP requests and analyzes the errors in order to understand potential security weaknesses in depth.

Web service attack tools

The following are Web service attack tools:

- soapUI: A leading desktop application used for inspecting, invoking, monitoring, simulating/mocking and functional/load/compliance/surveillance testing of REST/WADL and SOAP/WSDL-based Web services over HTTP. This tool is used to perform Web services probing, SOAP injection, XML injection, and Web services parsing attacks. Service simulation, functional testing, and load testing are features of the soapUI tool.
- Altova XMLSpy: An XML editor used for modeling, editing, transforming, and debugging XML-related technologies. It provides unsurpassed compliance with the latest industry standards for Web services development.

13.4 Identify Web application hacking and Web application security tools

Exam Focus: Identify Web application hacking and Web application security tools. Objective includes:

- Understand Web application hacking methodology.
- Identify Web application hacking tools.
- Understand how to defend against Web application attacks.
- Identify Web application security tools.

Web App hacking methodologies

The following are Web App hacking methodologies:

- Footprint Web infrastructure
- Attack Web servers
- Analyze Web applications
- Attack authentication mechanism
- Attack authorization schemes
- Attack session management mechanism
- Perform injection attacks
- Attack data connectivity
- Attack Web App client
- Attack Web services

Footprint Web infrastructure

Web infrastructure footprinting supports attackers in selecting victims and identifying vulnerable Web applications.

- Server discovery: It finds the physical servers that host a Web application.
- Service discovery: It finds the services that run on Web servers. These services can be exploited as attack paths for Web app hacking.
- Server identification: It grabs server banners in order to identify the make and versions of the Web server software.
- Hidden content discovery: It extracts content and functionality that is not directly linked or reachable from the main visible content.

Server discovery

Server discovery provides information regarding the location of servers and makes sure that the target server is alive on the Internet. The Whois lookup utility provides information regarding the IP address of the Web server and its DNS names. The following are Whois lookup tools:

http://www.tamos.com
http://netcraft.com
http://www.whois.net
http://www.iptools.com

DNS interrogation delivers information regarding the location and type of servers. The following are DNS interrogation tools:

http://www.dnsstuff.com
http://network-tools.com
http://www.checkdns.net
http://www.iptools.com

Port scanning tries to connect to a specific set of TCP or UDP ports in order to determine the service that is present on the server. Nmap, NetScan Tools Pro, and Hping are port scanning tools.

Service discovery

The target Web server is scanned in order to identify common ports that are used by Web servers for different services. Nmap and NetScan Tools Pro are tools used for service discovery. Identified services serve as attack paths for Web application hacking. The following ports are used by HTTP services:

Port    Typical HTTP service
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager
2381    Compaq Insight Manager over SSL
4242    Microsoft Application Center remote management
7001    BEA WebLogic
7002    BEA WebLogic over SSL
7070    Sun Java Web Server over SSL
8000    Alternate Web server or Web cache
8001    Alternate Web server or management
8005    Apache Tomcat
9090    Sun Java Web Server admin module
10000   Netscape Administrator interface

Server identification/banner grabbing

The server response header field is analyzed in order to identify the make, model, and version of the Web server software. Attackers use this information to select exploits from a vulnerability database for attacking the Web server and its applications. Telnet, Netcat, Fscan, and ID Serve are banner grabbing tools.

Hidden content discovery

Hidden content and functionality that cannot be reached from the main visible content is discovered in order to exploit user privileges within the application. By this, an attacker can recover the following:


Backup copies of live files
Configuration files and log files including sensitive data
Backup archives including snapshots of files within the web root
New functionality that is not linked to the main application

Web spiders parse HTML form and client-side JavaScript requests and responses to automatically discover the hidden content. Paros, Burp Spider, and WebScarab are Web spidering tools.

An attacker accesses all of the application's functionality and monitors all requests and responses by using an intercepting proxy. The intercepting proxy parses all of the application's responses and reports the content and functionality that it discovers. Paros Proxy is a tool used for attacker-directed spidering.

In brute forcing, an attacker guesses the names or identifiers of hidden content and functionality by using automation tools such as Burp Suite to make a huge number of requests to the Web server.

Analyze Web applications

The active application's functionality and technologies are analyzed to identify the attack surfaces that it exposes. The following actions should be taken for analyzing Web applications:

Identify entry points for user: In order to identify the user input entry points, review the generated HTTP request.

Identify server-side functionality: In order to identify the server-side structure and functionality, observe the applications revealed to the client.

Identify server-side technologies: Use fingerprint techniques such as HTTP fingerprinting to fingerprint the technologies active on the server.

Map the attack surface: Recognize the various attack surfaces that are uncovered by the applications and the related vulnerabilities.

Identifying entry points for user input

URL, HTTP header, query string parameters, POST data, and cookies are examined to determine all user input fields. HTTP header parameters that the application can process as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers, are identified. URL encoding techniques and other measures used to secure the Web traffic, such as SSL, are determined. Burp Proxy, httprint, WebScarab, and Paros Proxy are tools that are used to identify entry points for user input.

Identifying server-side technologies

The following actions should be taken in order to identify server-side technologies:

A detailed server fingerprinting should be performed and HTTP headers and HTML source code should be analyzed.


URLs for file extensions, directories, and other identification information should be examined.

The error page messages should also be examined. The following session tokens are examined:

o JSESSIONID: Java
o ASPSESSIONID: IIS server
o ASP.NET_SessionId: ASP.NET
o PHPSESSID: PHP

Identify server-side functionality

Page source and URLs are examined and an educated guess is made in order to determine the internal structure and functionality of Web applications. Tools such as Wget, Teleport Pro, and BlackWidow are used to identify server-side functionality.

Attack authentication mechanism

Design and implementation flaws in Web applications, such as a failure to check password strength or insecure transport of credentials, can be exploited by attackers to bypass authentication mechanisms.

Username enumeration

The trial-and-error method can be used to guess the users of the application if the login error states which part of the username and password is incorrect. Some applications automatically generate account usernames following a sequence, such as username211, username212, username213, etc., and attackers can find the sequence and enumerate valid usernames.
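To show the difference the paragraph above describes, here is an added example (not from the chapter) of a login check whose error message reveals whether the username exists, beside a version that returns one generic message, spends the same hashing work for unknown users, and locks an account after repeated failures. The user store, the PBKDF2 work factor and the lockout threshold are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

GENERIC = "invalid username or password"
LOCKOUT_AFTER = 5          # constructed policy: consecutive failures before the account locks
ITERATIONS = 100_000       # PBKDF2 work factor (constructed; tune for your hardware)


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; the only place passwords are derived, so every path costs the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key). Real code keeps this in a database.
_SALT = os.urandom(16)
USERS = {"mark": (_SALT, hash_password("correct horse battery", _SALT))}

# Decoy credential hashed for unknown usernames, so response time does not depend on
# whether the username exists (a timing variant of username enumeration).
_DECOY = (_SALT, hash_password(secrets.token_hex(16), _SALT))

FAILED_ATTEMPTS = {}       # username -> consecutive failures (in-memory, constructed)


def login_leaky(username, password):
    """The pattern the chapter warns about: the message says WHICH part was wrong."""
    if username not in USERS:
        return False, "unknown user"            # tells the caller the username does not exist
    salt, expected = USERS[username]
    if hash_password(password, salt) != expected:
        return False, "wrong password"          # tells the caller the username DOES exist
    return True, "ok"


def login_uniform(username, password):
    """Hardened check: one message for every failure, constant work, per-account lockout.
    (A lockout counter is itself something an attacker can trigger against a victim, which is
    why the chapter's DoS tests include 'locking customer accounts'; pair it with per-source
    rate limiting in production.)"""
    if FAILED_ATTEMPTS.get(username, 0) >= LOCKOUT_AFTER:
        return False, GENERIC                   # locked accounts get the same message
    salt, expected = USERS.get(username, _DECOY)
    # compare_digest runs in constant time; the existence check is folded in AFTER hashing
    # so known and unknown usernames take the same path through PBKDF2.
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if not (matches and username in USERS):
        FAILED_ATTEMPTS[username] = FAILED_ATTEMPTS.get(username, 0) + 1
        return False, GENERIC
    FAILED_ATTEMPTS.pop(username, None)
    return True, "ok"
```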

Password attacks

Password changing: Spider the application or create a login account to determine password change functionality within the application. In order to identify vulnerabilities in password change functionality, try random strings for "Old Password", "New Password", and "Confirm the New Password" fields and analyze errors.

Password recovery: For password recovery, an attacker can use social engineering to guess the password if the number of attempts is not limited. Applications may also send a unique recovery URL or the existing password to an email address specified by the attacker.

"Remember Me" exploit: A simple persistent cookie, such as RememberUser=mark or a persistent session identifier, such as RememberUser=ABY15982010 can be used to implement "Remember Me" functions. Attackers can bypass the authentication mechanism by using an enumerated username or predicting the session identifier.

In password guessing, attackers use the most commonly used passwords, target footprinting, and social engineering techniques to create a list of possible passwords, and try each password until the correct password is found. Attackers can use tools such as Dictionary Maker to create a dictionary of all possible passwords. This helps them to perform dictionary attacks. Password guessing can be carried out manually or using automated tools such as WebCracker, Brutus, Burp Intruder, and THC-Hydra.

In brute forcing, attackers try all possible values from a set of letters, digits, and special characters to crack the login passwords. Attackers can use the following password cracking tools:

Burp Suite's Intruder
Brutus
Sensepost's Crowbar

Cookie exploitation

Attackers can use techniques such as script injection and eavesdropping to steal the cookie if the cookie includes passwords and session identifiers. Attackers then replay the cookie with the same or altered passwords or session identifiers in order to bypass Web application authentication. Attackers can use tools such as Paros Proxy and Burp Suite to trap cookies.

Authorization attack

Attackers modify input fields that relate to user ID, username, access group, cost, filenames, file identifiers, etc. to manipulate HTTP requests so that they may subvert the application's authorization schemes. Attackers first access a Web application using a low-privileged account, and then access protected resources by escalating privileges.

Cookie parameter tampering

An attacker gathers some cookies that are set by the Web application and analyzes them to find the cookie generation mechanism. The attacker then traps cookies that are set by the Web application, tampers with their parameters using tools such as Paros Proxy, and replays them to the application.

Session management attack

Attackers break an application's session management mechanism for the following purposes:

To bypass the authentication controls
To impersonate privileged application users

Attacks on session token generation include session token prediction and session token tampering. Attacks on session token handling include session hijacking, session replay, and man-in-the-middle attacks.

Injection attacks

In injection attacks, attackers provide crafted malicious input that is syntactically correct according to the interpreted language and that subverts the application's intended behavior. The following are the types of injection attacks:


Web script injection: In Web script injection, if user input is placed into code that is dynamically executed, a crafted input that breaks the intended data context executes commands on the server.

SQL injection: In SQL injection, a series of malicious SQL queries is entered into input fields in order to directly manipulate the database.

LDAP injection: In LDAP injection, non-validated Web application input is exploited to pass LDAP filters that directly access databases.

XPath injection: In XPath injection, malicious strings are entered in input fields to manipulate the XPath query so that it interferes with the application's logic.

SMTP injection: In SMTP injection, arbitrary SMTP commands are injected into the conversation between the application and the SMTP server, typically to generate large volumes of spam email.

OS command injection: In OS command injection, malicious input is entered in input fields to exploit the operating system when the application uses user input in a system-level command.

Attack data connectivity

Database connection strings are used for connecting applications to database engines. Instead of abusing database queries, database connectivity attacks exploit the way applications connect to the database. Connection string injection, connection string parameter pollution (CSPP) attacks, and connection pool DoS are data connectivity attacks.

In connection string injection, the attacker injects parameters in a connection string by appending them with the semicolon (;) character in a delegated authentication environment. A connection string injection attack takes place when connection strings are built based on user input by using a dynamic string concatenation.

CSPP attacks involve overwriting parameter values in the connection string. In hash stealing, the value of Data Source Parameter is replaced with that of a Rogue Microsoft SQL Server connected to the Internet running a sniffer.

In port scanning, an attacker changes the port value in the connection string and uses the resulting error messages to learn which ports can be connected to. In hijacking Web credentials, an attacker uses the Web application's system account instead of a user-provided set of credentials to connect to the database.
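An added example (not the chapter's code) showing why concatenation makes parameter pollution possible: a small parser that models a driver in which the last occurrence of a key wins, a builder that concatenates, a builder that refuses delimiter characters, and a check that flags a repeated key for logging or a WAF rule. The key names, the last-wins rule and the sample values are assumptions; the host name is a placeholder.

```python
from collections import Counter

DELIMITERS = set(";=\"'")   # characters with meaning inside key=value;key=value strings


def parse_connection_string(conn):
    """Split 'key=value;key=value' into a dict. This models a driver in which a repeated key is
    taken from its LAST occurrence (an assumption about the driver), which is exactly what a
    polluted 'Data Source' relies on."""
    params = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def build_unsafe(server, database, user, password):
    """Vulnerable builder: dynamic concatenation of user-controlled values, as the chapter warns."""
    return f"Data Source={server};Initial Catalog={database};User ID={user};Password={password};"


def build_safe(server, database, user, password):
    """Hardened builder: any value carrying a delimiter is rejected before it reaches the string.
    Drivers usually allow quoting instead; rejecting is the simplest policy, and the safest when
    the value arrives from a Web form."""
    for name, value in (("server", server), ("database", database),
                        ("user", user), ("password", password)):
        if any(ch in DELIMITERS for ch in value):
            raise ValueError(f"{name} contains a connection-string delimiter")
    return build_unsafe(server, database, user, password)


def polluted_keys(conn):
    """Keys that occur more than once: the signature of a CSPP attempt, usable as a log check."""
    counts = Counter(part.split("=", 1)[0].strip().lower()
                     for part in conn.split(";") if "=" in part)
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed demonstration value: a password field carrying a second Data Source parameter
# (the host is a placeholder, not a real system).
POLLUTED_PASSWORD = "pw;Data Source=rogue.invalid"
```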

In connection pool DoS, an attacker takes the following steps in order to consume all connections in the connection pool:

1. Examine the connection pooling settings of the application.
2. Construct a large malicious SQL query.
3. Run multiple queries simultaneously.

This causes database queries to fail for legitimate users.

Attack Web services

Web services work on top of legacy Web applications. An underlying application's business and logic vulnerabilities are exposed to various attacks when a Web service is attacked.

Web application hacking tools

The following are Web application hacking tools:

Instant Source: It allows a user to see and edit the HTML code of the Web page at runtime.

Wget: Wget is a computer program that retrieves contents from Web servers. It is a part of the GNU project. It currently supports downloading via the HTTP, HTTPS, and FTP protocols, the most popular TCP/IP-based protocols used for Web browsing. Its features include recursive download, conversion of links for offline viewing of local HTML, support for proxies, and much more.

WebSleuth: WebSleuth is a manual research and exploration tool for Web applications. It can be used to get an efficient listing of all links, forms, script, and frames, to edit form elements and links, and to execute JavaScript commands with the document.

BlackWidow: BlackWidow is a Website scanner, a site mapping tool, a site ripper, and a site mirroring tool. It also works as an offline browsing program.

BURP: Burp Proxy is a proxy server for security testing of Web applications, which operates as a man-in-the-middle between the browser and the target application.

cURL: cURL is a command-line tool for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET, and TFTP.

CookieDigger

CookieDigger is used to identify weak cookie generation and insecure implementations of session management by Web applications. It collects and analyzes cookies that a Web application issues for multiple users. It reports on the following:

Predictability and entropy of the cookie
Whether critical information, such as user name and password, is included in the cookie values
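An added example (not the chapter's or CookieDigger's code) that performs the two kinds of analysis listed above and also the session-cookie fingerprinting from the "Identifying server-side technologies" list: it maps Set-Cookie names to the server technology, measures entropy and per-position variation across sampled tokens, detects sequential values in the style of the chapter's RememberUser=ABY15982010, and checks whether a cookie carries a username in the clear or under base64. The cookie samples and the thresholds are constructed.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Session-cookie names and the technology they reveal (from the chapter's list).
SESSION_COOKIE_TECH = {
    "JSESSIONID": "Java",
    "ASPSESSIONID": "IIS server (classic ASP)",
    "ASP.NET_SessionId": "ASP.NET",
    "PHPSESSID": "PHP",
}
MIN_BITS_PER_CHAR = 3.0    # constructed threshold; below this the token alphabet is too narrow


def fingerprint_session_cookies(set_cookie_headers):
    """Map each Set-Cookie header to the technology its cookie name reveals. Classic ASP
    appends a random suffix (ASPSESSIONIDXXXXXXXX), so names are matched by prefix."""
    found = {}
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        for known, tech in SESSION_COOKIE_TECH.items():
            if name.upper().startswith(known.upper()):
                found[name] = tech
    return found


def entropy_bits_per_char(values):
    """Shannon entropy of the character distribution over all sampled tokens."""
    counts = Counter("".join(values))
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def fixed_positions(values):
    """Character positions that never change across samples: a static prefix carries no entropy."""
    width = min(len(v) for v in values)
    return [i for i in range(width) if len({v[i] for v in values}) == 1]


def is_sequential(values):
    """True when the trailing number of successive samples grows by a constant positive step."""
    numbers = []
    for v in values:
        match = re.search(r"\d+$", v)
        if not match:
            return False
        numbers.append(int(match.group()))
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(steps) == 1 and steps.pop() > 0


def assess_tokens(values):
    """CookieDigger-style verdict: predictable if sequential, low-entropy, or mostly fixed."""
    bits = entropy_bits_per_char(values)
    fixed = fixed_positions(values)
    width = min(len(v) for v in values)
    sequential = is_sequential(values)
    predictable = sequential or bits < MIN_BITS_PER_CHAR or len(fixed) > width / 2
    return {"entropy_bits_per_char": round(bits, 2), "fixed_positions": fixed,
            "sequential": sequential, "predictable": predictable}


def carries_username(cookie_value, known_usernames):
    """Second CookieDigger check: is a username present in the clear or under base64?"""
    candidates = [cookie_value]
    try:
        padded = cookie_value + "=" * (-len(cookie_value) % 4)
        candidates.append(base64.b64decode(padded, validate=False).decode("utf-8", "ignore"))
    except (binascii.Error, ValueError):
        pass
    return any(user in text for user in known_usernames for text in candidates)


# Constructed samples: a sequential "Remember Me" token in the chapter's style, and random tokens.
WEAK_SAMPLES = ["ABY15982010", "ABY15982011", "ABY15982012", "ABY15982013"]
STRONG_SAMPLES = ["k3Jd9xQ2pL7vB1nM", "Zq8wE4rT6yU1iO9p", "mN2bV5cX7zL0kJ3h", "aS4dF6gH8jK1lQ3w"]
```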

Hacking webservers

After identifying the webserver environment, the server should be scanned for known vulnerabilities using a webserver vulnerability scanner. In order to exploit identified vulnerabilities, a webserver attack is launched. The following tools are used for hacking webservers:

UrlScan
Nikto
Nessus
WWWhack
Acunetix Web Vulnerability Scanner
WebInspect

Web application security tools

The Web application security tools are as follows:

Nikto: Nikto is an open-source Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server-type specific checks. It also captures and prints any cookies received. It can work in both Linux and Windows environments. Nikto performs comprehensive tests against Web servers for multiple items, including over 6100 potentially dangerous files/CGIs.

Paros proxy: Paros is a Web application vulnerability scanner that supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It also includes various features, such as Web traffic recorder, Web spider, hash calculator, and a scanner for testing common Web application attacks such as SQL injection and cross-site scripting.

WebScarab: WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

WebInspect: WebInspect is a Web application vulnerability scanner that is used to perform various Web attacks such as parameter injection, cross-site scripting, directory traversal, etc.

Whisker/libwhisker: Whisker is an HTTP/Web vulnerability scanner written in Perl. Whisker runs on both Windows and UNIX environments. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs.

Wikto: Wikto works in the same manner as Nikto, but it also adds various functionalities, such as a Back-End miner and close Google integration.

N-Stealth: N-Stealth is a commercial Web server security scanner which includes tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara.

Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner uses a crawler to detect the Web server type and application language. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a Web server and runs security checks against network services. Web forms and password-protected areas are tested.

Acunetix Web Vulnerability Scanner has an automatic client script analyzer, which permits security testing of Ajax and Web 2.0 applications. An administrator uses the automatic client script analyzer to perform in-depth SQL injection and cross-site scripting testing.

Falcove Web vulnerability scanner

Falcove is used to scan Websites for application layer vulnerabilities. A user uses Falcove to penetrate into the system via vulnerable Web applications and misconfigured database connections. It detects Web vulnerabilities, such as cross-site scripting, SQL injection, code execution attacks, and input validation flaws, by crawling the Website.

Netsparker

Netsparker is used to perform automated comprehensive Web application scanning for vulnerabilities such as SQL injection, cross-site scripting, and remote code injection. It detects, confirms, and exploits vulnerabilities in a single integrated environment.

N-Stalker Web application security scanner

N-Stalker Web application security scanner is an effective suite of Web security assessment checks. It is used to enhance the overall security of Web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It includes all Web security assessment checks, such as code injection, cross-site scripting, parameter tampering, and Web server vulnerabilities.

dotDefender

dotDefender is a software-based Web application firewall, which complements the network firewall, IPS, and other network-based Internet security products. dotDefender inspects HTTP/HTTPS traffic for suspicious behavior and is used to detect and block injection attacks.

IBM Rational AppScan

IBM Rational AppScan is a Web application security testing tool. It is used to automate vulnerability assessments. It prevents SQL injection attacks on Websites, and scans Websites for embedded malware.

ServerDefender VP

ServerDefender VP blocks threats, such as cross-site scripting, SQL injection, buffer overflows, file injection, denial of service, cookie poisoning, and schema poisoning, to secure sensitive data content.

Encoding schemes

Web applications use different encoding schemes to safely handle unusual characters and binary data in the desired way. The following are the types of encoding schemes:

URL encoding: It is used to convert URL into a valid ASCII format to safely transport the data over HTTP. It replaces unusual ASCII characters with "%" followed by the character's two digit ASCII code expressed in hexadecimal.

HTML encoding: It represents unusual characters so that they can be safely combined within an HTML document. It defines several HTML entities in order to represent particularly unusual characters.


Unicode encoding: 16-bit Unicode encoding replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in hexadecimal. UTF-8 is a variable-length encoding standard; in URLs, each UTF-8 byte is expressed in hexadecimal and preceded by the % prefix.

Base64 encoding: It uses only printable ASCII characters to represent any binary data. It is generally used to encode email attachments for safe transmission over SMTP. It is also used to encode user credentials.

Hex encoding: It represents a collection of characters for transmitting binary data by using hex value of every character.
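An added example (not from the chapter) that applies each scheme listed above to one string with Python's standard library, then does the defender's counterpart: decoding %XX, the non-standard %uXXXX form and HTML entities repeatedly until the input is stable, so that validation runs on the canonical value and double encoding is noticed. The sample strings are constructed.

```python
import base64
import html
import re
import urllib.parse


def encode_all(text):
    """Apply each scheme from the chapter to one string so their outputs can be compared."""
    raw = text.encode("utf-8")
    return {
        "url": urllib.parse.quote(text, safe=""),                 # %XX per UTF-8 byte
        "html": html.escape(text, quote=True),                    # &lt; &gt; &amp; &quot; &#x27;
        "unicode_%u": "".join(f"%u{ord(c):04X}" for c in text),  # 16-bit %uXXXX form
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": raw.hex(),
    }


_PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_url_and_unicode(value):
    """Decode the %uXXXX form (which urllib does not understand) and then ordinary %XX."""
    value = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote(value)


def canonicalize(value, max_rounds=5):
    """Strip URL/%u encoding and HTML entities repeatedly until the string no longer changes.
    Returns (canonical_value, rounds): rounds == 0 means nothing was encoded; rounds > 1 means
    the input was encoded more than once, which legitimate clients almost never do."""
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(decode_url_and_unicode(value))
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def safe_for_html_context(value):
    """Defender's order of operations: canonicalize FIRST, then inspect the result.
    Checking the raw input would miss '%3C', '%u003C' and '&lt;' as spellings of '<'."""
    canonical, rounds = canonicalize(value)
    return rounds <= 1 and "<" not in canonical and ">" not in canonical
```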

Defending against Web application attacks

The following actions should be taken against Web application attacks:

Input validation should be performed.
WAF/IDS and packet filtering should be used.
The firewall should be configured to deny external ICMP traffic access.
Unnecessary services and ports should be shut down.
Patches should be kept current.
User input should be sanitized and filtered.
The source code should be analyzed for SQL injection.
The use of 3rd party apps should be minimized.
Dynamic testing and source code analysis should be performed.
LDAP filters should be made as specific as possible.
Verbose error messages should be disabled and custom error pages should be used.
A non-privileged account should be used to connect to the database.
Stored procedures and parameterized queries should be used.
Least privileges should be granted on the database, tables, and columns.
Commands such as xp_cmdshell should be disabled.

Defending against a SQL injection attack

The following actions should be taken against a SQL injection attack:

The length of user input should be limited.
Custom error messages should be used.
DB traffic should be monitored using an IDS and WAF.
Commands such as xp_cmdshell should be disabled.
The database server and Web server should be disabled.
The attribute set to the POST method should always be used.
The database service account should be run with minimal rights.
The database server and Web server should be isolated.
Extended stored procedures should be moved to an isolated server.
A low-privileged account should be used for the DB connection.

 

Defending against command injection flaws

The following actions should be taken to defend against command injection flaws:

Input validation should be performed.
Dangerous characters should be escaped.
Language-specific libraries that avoid problems due to shell commands should be used.
Input and output encoding should be performed.
A safe API that avoids using the interpreter entirely should be used.
Parameterized SQL queries should be used.
Requests should be structured so that all supplied parameters are treated as data, rather than potentially executable content.
Modular shell disassociation from the kernel should be used.
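An added example (not the chapter's code) of the "treat parameters as data" rules above: the same lookup written with string concatenation and with a bound parameter against an in-memory SQLite table, and a command runner that validates its argument against an allowlist and passes argv without a shell. The table contents and the host-name pattern are constructed assumptions.

```python
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory table; a name containing an apostrophe is included on purpose."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("mark", "mark@example.invalid"), ("O'Brien", "obrien@example.invalid")])
    return db


def find_email_concat(db, name):
    """Vulnerable form: the value is spliced into the SQL text, so the interpreter reads it as
    part of the statement. Even the benign name O'Brien breaks the query; a crafted value
    would change the statement's meaning instead of breaking it."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_email_param(db, name):
    """Hardened form: the value is bound to a placeholder, so it is always data."""
    return [row[0] for row in db.execute("SELECT email FROM users WHERE name = ?", (name,))]


# Allowlist for a host-name argument: must start alphanumeric (so it cannot be read as an
# option such as -c) and may contain only letters, digits, dots and hyphens.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_argv(command, host):
    """Validate, then return an argv list. No shell is involved, so ';', '|' or '`' in the
    value would be inert even if validation were missing."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host name fails the allowlist")
    return [command, host]


def run_without_shell(argv):
    """Execute argv directly (shell=False): the operating system receives separate arguments,
    not a command line for an interpreter to re-parse."""
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
    return result.stdout.strip()
```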

Defending against a DoS attack

The following actions should be taken to defend against a DoS attack:

The firewall should be configured in order to deny external Internet Control Message Protocol traffic access.
Remote administration and connectivity testing should be secured.
Use of unnecessary functions such as gets and strcpy should be prevented.
Sensitive information should not be overwritten.
Thorough input validation should be performed.
Data supplied by the attacker should be stopped from being executed.

Defending against a Web services attack

The following actions should be taken to defend against a Web services attack:

In order to grant or deny access to any type of WSDL-based SOAP messages, configure WSDL access control permissions.
Document-centric authentication credentials that use SAML should be used.
Multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security should be used.
Web services-capable firewalls that can perform SOAP and ISAPI level filtering should be deployed.
Firewall/IDS systems should be configured for Web services anomaly and signature detection.
Firewall/IDS systems should be configured to filter improper SOAP and XML syntax.
Centralized in-line schema validation of requests and responses should be implemented.
External references should be blocked and pre-fetched content should be used when de-referencing URLs.
A secure repository of XML schemas should be maintained and updated.
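An added example (not from the chapter) of the syntax-filtering and external-reference items above, applied at the application edge: a checker built on Python's expat parser that rejects any DOCTYPE (and with it every entity declaration) and any external reference, limits message size and nesting depth, and requires a SOAP 1.1 Envelope root. The sample messages and the limits are constructed; a SOAP 1.2 service would need its envelope namespace added.

```python
import xml.parsers.expat as expat

# expat reports namespaced names as "namespace-URI localname" when a separator is given.
SOAP11_ENVELOPE = "http://schemas.xmlsoap.org/soap/envelope/ Envelope"


class UnsafeXML(ValueError):
    """Raised for anything the edge filter refuses to forward to the Web service."""


def check_soap_request(data, max_bytes=65536, max_depth=32):
    """Parse data with expat while refusing DOCTYPE/entity declarations, external references,
    oversized or deeply nested messages, and any root that is not a SOAP 1.1 Envelope.
    Returns the root's local name on success."""
    if len(data) > max_bytes:
        raise UnsafeXML("message too large")
    parser = expat.ParserCreate(namespace_separator=" ")
    state = {"depth": 0, "root": None}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Internal and external entities can only be declared inside a DTD, so refusing the
        # DOCTYPE blocks entity expansion and external DTD fetches at once.
        raise UnsafeXML("DOCTYPE declarations are not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external references are not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            raise UnsafeXML("nesting deeper than %d" % max_depth)
        if state["root"] is None:
            state["root"] = name

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)          # exceptions raised in handlers propagate from here
    except expat.ExpatError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from exc
    if state["root"] != SOAP11_ENVELOPE:
        raise UnsafeXML("root element is not a SOAP 1.1 Envelope")
    return "Envelope"


# Constructed messages (not from any real service).
GOOD_REQUEST = (b'<?xml version="1.0"?>'
                b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soap:Body><GetPrice><item>42</item></GetPrice></soap:Body></soap:Envelope>')
DTD_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "expanded">]>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body>&e;</soap:Body></soap:Envelope>')
NOT_SOAP = b"<GetPrice><item>42</item></GetPrice>"
TOO_DEEP = b"<a>" * 40 + b"</a>" * 40
```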

Defending against XSS attacks

The following actions should be taken to defend against XSS attacks:

All headers, cookies, query strings, form fields, and hidden fields should be validated against a rigorous specification.
XSS vulnerabilities can be defeated by filtering script output. This prevents malicious scripts from being transmitted to users.
Input and output should be encoded and metacharacters in the input should be filtered.
A Web application firewall should be used to block the execution of malicious script.
Websites that use HTTPS should not automatically be trusted when it comes to XSS.
All non-alphanumeric characters should be converted to HTML character entities before displaying the user input in search engines and forums.
Testing tools should be used extensively during the design phase. They are required to remove XSS holes in the application before it goes into use.
Some standard for signing scripts should be developed, with private and public keys that are actually checked in order to ascertain whether the script introduced is really authenticated.
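An added example (not from the chapter) of the first and sixth items above: every request field is checked against a rigorous per-field specification, and user input is rendered with every non-alphanumeric character converted to an HTML character entity. The field specifications and the page template are constructed.

```python
import re

# Constructed per-field specifications: every field the application accepts, and nothing else.
FIELD_SPEC = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "q":        re.compile(r"[A-Za-z0-9 .,'-]{1,100}"),   # search terms
    "page":     re.compile(r"[0-9]{1,4}"),
}


def validate_fields(fields):
    """Check headers, cookies, query-string, form and hidden fields alike: unknown names and
    values outside the specification are both reported. Returns {} when the request is clean."""
    problems = {}
    for name, value in fields.items():
        spec = FIELD_SPEC.get(name)
        if spec is None:
            problems[name] = "unexpected field"
        elif not spec.fullmatch(value):
            problems[name] = "fails specification"
    return problems


def entity_encode(text):
    """Output encoding for an HTML body or quoted attribute: ASCII letters and digits pass
    through, everything else becomes a numeric character reference, so the browser can never
    interpret user data as markup or script."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#{ord(c)};" for c in text)


def render_search_page(query):
    """Constructed template for a search results page; the only dynamic value is encoded."""
    return f"<p>Results for: <b>{entity_encode(query)}</b></p>"
```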

13.5 Understand Web application firewalls, and gain insights on Web application pen testing

Exam Focus: Understand Web application firewalls, and gain insights on Web application pen testing. Objective includes:

Understand Web application firewalls.
Gain insights on Web application pen testing.

Web application firewall

A Web application firewall is a type of firewall that controls input, output, and/or access from, to, or by an application or service. It monitors and blocks the input, output, or system service calls that do not meet the configured policy of the firewall. A Web application firewall controls all network traffic on any OSI layer up to the application layer. Popular Web application firewalls:

NAXSI Firewall
Armorlogic Firewall
Array Networks Web Application Firewall
Barracuda Web Application Firewall
Cisco Application Control Engine (ACE) Web Application Firewall
Citrix NetScaler
F5 Networks Application Security Manager (ASM)
Fortinet Web Application Firewall
ModSecurity Web Application Firewall
MONITORAPP WEB INSIGHT SG Application Firewall
Radware Web Application Firewall
SonicWALL Web Application Firewall Service
Imperva Web Application Firewall

Web application pen testing

Web application pen testing is used to identify, analyze, and report vulnerabilities in a given application. The vulnerabilities may include input validation flaws, buffer overflows, SQL injection, authentication bypass, and code execution. Conducting a series of methodical and repeatable tests and going through all the different application vulnerabilities is the best way to perform penetration testing.

Web application pen testing is required due to the following reasons:

Identification of ports: The ports are scanned in order to identify the associated running services, and automated or manual tests are performed to analyze the services and find weaknesses.

Verification of vulnerabilities: The issue is tested to exploit the vulnerability and then fixed.

Remediation of vulnerabilities: The solution is retested against the vulnerability to ensure that it is completely secure.

ACL

An access control list (ACL) is a rule list containing access control entries. It is used to allow or deny access to network resources. ACLs can be applied to network users and to network devices such as routers and firewalls. Routers and firewalls use ACLs to determine which packets should be forwarded or dropped.

Steps in Web application testing

In Web application penetration testing, a penetration tester needs to take the following steps:

1. Information gathering testingo Analyzing the robots.txt fileo Performing search engine reconnaissanceo Identifying application entry pointso Identifying Web applicationso Analyzing the output from head and options http requestso Implementing techniques such as DNS zone transfers, DNS inverse queries, Web-

based DNS searches, and querying search engineso Analyzing error codeso Testing for recognized file types/extensions/directorieso Examining source of available pageso TCP/ICMP and service fingerprint

2. Authentication testingo Testing for vulnerable remember pw and pw reseto Testing for logout and browser cache managemento Testing for captchao Testing for multiple factors authenticationo Testing for race conditions

3. Session management testingo Testing for session management using cookie tampering that results in hijacking

the sessions of legitimate users

Page 29: faculty.scf.edufaculty.scf.edu/bodeJ/CIS2352/Supplemental Chapter Re…  · Web viewThis chapter covers Web application firewalls and gains insights on Web application pen testing

o Testing for cookie attributes to hijack sessions using tools such as WebScarab, Burp, Paros, and Tamper
o Testing for session fixation using tools like WebScarab
o Testing for exposure of session variables that reveal confidential information
o Testing for CSRF that could compromise end-user data and operate the entire Web application

4. Authorization testing
o Testing for path traversal
o Testing for bypassing the authorization schema
o Testing for privilege escalation

5. Data validation testing
o Testing for reflected XSS
o Testing for stored XSS
o Testing for DOM-based XSS
o Testing for cross-site flashing
o Performing SQL injection
o Performing LDAP injection using the Softerra and LDAP Browser tools
o Performing ORM injection using Hibernate, NHibernate, and Ruby on Rails
o Performing XML injection by inserting XML metacharacters
o Performing XPath injection by changing the query result
o Performing IMAP/SMTP injection by trying to access the backend mail server
o Performing code injection attacks
o Performing OS commanding attacks
o Performing buffer overflow attacks using OllyDbg
o Testing for HTTP splitting/smuggling

6. DoS attack penetration testing
o Performing SQL wildcard attacks
o Locking customer accounts to check login account information
o Performing buffer overflow attacks
o Writing user-provided data to disk to check local disk capacity
o Checking for programming flaws
o Storing too much data in a session to check for session management errors

7. Performing Web services testing
o Gathering Web services information such as UDDI, WSDL, SOAP, and UBR
o Searching WSDL entry points using WSDigger, WebScarab, and Foundstone
o Testing XML structural issues using an XML parser such as WSDigger
o Testing for issues in HTTP GET parameters
o Testing SOAP attachments using Wireshark and WebScarab

8. Testing AJAX applications
o Testing AJAX application call endpoints using Sprajax
o Parsing the HTML and JavaScript files
o Using a proxy to observe traffic
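The session-management step above checks cookie attributes. The auditor below is an added example (not code from the chapter): it parses Set-Cookie headers and reports, from the defender's side, whether the session cookie has the Secure and HttpOnly flags, a Lax/Strict SameSite value, a timeout, and no password in it. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for session-cookie attributes (added example, not from the chapter)."""
import re

# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800",
    "sessionid=9f3a1c; Path=/",
    "userpwd=hunter2; Path=/; Secure; SameSite=None",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; bare flags such as Secure map to True.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the findings for one Set-Cookie header; an empty list means it passes."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie is also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (cookie gives no CSRF protection)")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"{name}: no Max-Age/Expires; the server must enforce a timeout")
    if re.search(r"pass|pwd", name, re.IGNORECASE):
        findings.append(f"{name}: name suggests the cookie carries a password")
    return findings


def audit_all(headers):
    """Audit several Set-Cookie headers; returns [(cookie_name, findings), ...]."""
    return [(parse_set_cookie(h)[0], audit_set_cookie(h)) for h in headers]
```

Run `audit_all` over the Set-Cookie headers captured from a login response of an application you are assessing; the first sample header is the shape a session cookie should have.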

Web application countermeasures


The following are Web application countermeasures:

o Redirects and forwards should be avoided. If destination parameters cannot be avoided, it should be ensured that the supplied value is valid and authorized for the user.
o SSL should be used for authenticated parts of the application.
o It should be verified that all users' identities and credentials are stored in a hashed form.
o Session data should not be submitted as part of a GET or POST request.
o A user should be logged off immediately after using a Web application, and the history should be cleared.
o A user should not allow the browser or Websites to save login details.
o The HTTP Referer header should be checked, and URL parameters should be ignored when a POST is processed.
o Weak cryptographic algorithms should not be created or used.
o Encryption keys should be generated offline and stored securely.
o It should be ensured that encrypted data stored on disk cannot be easily decrypted.
o Non-SSL requests to Web pages should be redirected to the SSL page.
o The "secure" flag should be set on all sensitive cookies.
o The SSL provider should be configured to support only strong algorithms.
o It should be ensured that the certificate is valid, not expired, and matches all domains used by the site.
o SSL and other encryption technologies should be used for backend and other connections.
o Access rights to the protected areas of the Website should be defined.
o Checks/hotfixes that prevent the exploitation of vulnerabilities such as Unicode encoding used for directory traversal should be applied.
o Web servers should be updated with security patches in a timely manner.
o Plain-text or weakly encrypted passwords should not be stored in a cookie.
o Cookie timeouts should be implemented.
o Authentication credentials in cookies should be associated with an IP address.
o Logout functions should be made available.
o All security mechanisms should be configured and all unused services should be turned off.
o Roles, permissions, and accounts should be set up, and all default accounts should be disabled or their default passwords changed.
o The system should be scanned for the latest security vulnerabilities and the latest security patches applied.
o Type, pattern, and domain value validation should be performed on all input data.
o LDAP filters should be made as specific as possible.
o The amount of data returned to users should be validated and restricted.
o Tight access control should be implemented on the data in the LDAP directory.
o Dynamic testing and source code analysis should be performed.
o User input should be strongly validated.
o Implementing a chroot jail should be considered.
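Two of the countermeasures above, validating a redirect destination that cannot be avoided and checking the Origin/Referer of a POST, written out as an added example (not code from the chapter). `app.example.com` is an assumed host for the example; the helpers reject scheme-relative URLs, other hosts, `user@host` forms, non-HTTPS schemes, and backslash or control characters, and fail closed when no Origin or Referer header is present.

```python
"""Redirect-destination validation and Origin/Referer check for POST requests.
Added example; https://app.example.com is an assumed origin, not a real deployment."""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example.com"      # assumed origin of our own application
_OUR_HOST = urlsplit(SITE_ORIGIN).netloc.lower()


def safe_redirect_target(supplied, default="/"):
    """Return `supplied` only if it resolves to an HTTPS page on our own host;
    otherwise return `default`. Use this when a destination parameter cannot be avoided."""
    if not supplied:
        return default
    # Backslashes and CR/LF/NUL are handled inconsistently by browsers and parsers,
    # so reject them instead of trying to normalise them away.
    if any(ch in supplied for ch in "\\\r\n\x00"):
        return default
    resolved = urlsplit(urljoin(SITE_ORIGIN, supplied))
    # Scheme-relative (//host), other hosts, user@host tricks and non-https schemes
    # all fail this comparison.
    if resolved.scheme != "https" or resolved.netloc.lower() != _OUR_HOST:
        return default
    return resolved.geturl()


def same_origin_post(headers):
    """Accept a state-changing POST only if its Origin (or, failing that, Referer)
    header names our own origin. Fails closed when neither header is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return origin.strip().lower() == SITE_ORIGIN
    referer = lowered.get("referer")
    if referer:
        parts = urlsplit(referer)
        return parts.scheme == "https" and parts.netloc.lower() == _OUR_HOST
    return False
```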



Chapter Summary

In this chapter, we learned about Web applications, Web application components, and the working of Web applications. We discussed Web application hacking, Web application security tools, and Web application hacking methodologies. This chapter also focused on Web application firewalls and Web application pen testing.

Glossary

Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner uses a crawler to detect the Web server type and application language.

CookieDigger
CookieDigger is used to identify weak cookie generation and insecure implementations of session management by Web applications.

Cross-site scripting attack
A cross-site scripting attack is one in which an attacker enters malicious data into a Website.

Falcove
Falcove is used to scan Websites for application layer vulnerabilities.

Injection flaws
Injection flaws are vulnerabilities in which a foreign agent illegally uses a sub-system. They are holes that can be used to attack the database of a Web application, and injection is the most common technique for attacking a database.

SQL injection attacks
SQL injection attacks use a series of malicious SQL queries in order to directly manipulate the database.

Web services parsing attacks
Web services parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser in order to create a denial-of-service condition or produce logical errors in Web service request processing.

XRX
In software development, XRX is a Web application architecture based on XForms, REST, and XQuery. XRX applications store data on both the Web client and the Web server in XML format and do not require a translation between data formats. XRX is considered a simple and elegant application architecture because of the minimal number of translations needed to transport data between client and server systems.