IERG4210 Web Programming and Security
THE CHINESE UNIVERSITY OF HONG KONG
Penetration Testing of Web Applications (Draft)
Sherman Chow, Dept. of Information Engineering, The Chinese University of Hong Kong
Adapted based on materials prepared by Adonis P. H. Fung and revised by Kehuan Zhang



Agenda
• Overview of Security Assessments
  – Vulnerability Assessments, Penetration Testing, Security Audits
• High-level Concept/Architecture
  – Blackbox: (can only do) Crawling, Fuzzing, Output Evaluating
  – Whitebox: Source Code, Server Setting, etc. available for test/analysis
  – “Greybox,” and Blackbox vs. Whitebox
• On actual usage, i.e., the tools
  – Automated tools, but use them with human knowledge

Different Kinds of Security Assessments
1. Vulnerability Assessments
2. Penetration Testing
3. Security Audits
• What is the difference?

Vulnerability Assessments
• Scan a network for known security weaknesses
  – To test system and network devices for exposure to common attacks
• Evaluate the system security against known vulnerabilities
• Limitations:
  – Can only guarantee the system security state at a certain point in time
  – Has to be performed regularly
    • Especially when major software updates or security attacks are reported
  – The outcome quality highly depends on the quality of the tools used

Penetration Testing (PT)
• The damage is under control
  – A malicious attack tries to steal information or damage the target system
• Simulated attack
  – A “simulated attack” tries to gain a better understanding of the system
• Many tools and methods
• Finding known and possibly unknown vulnerabilities

Security Audit
• Auditing is on a broad scope, not just confined to the code
  – Infrastructure, Network
  – Software, Hardware
  – Policy, Procedure, Administration, etc.
• Not focused on specific technical problems
• Evaluate the security level of the whole (collection of) systems, an organization, an ecosystem, or some bigger context
• HIPAA (the Health Insurance Portability & Accountability Act)
  – e.g., the data privacy of electronic medical records (EMR)
  – EMRs are made accessible to some healthcare personnel, but not others
  – It is beyond the security of some code, or the use of encryption, etc.

Brief Summary of the Differences
1. Vulnerability Assessments
  – Check if a system has certain vulnerabilities
  – The system may still suffer from unknown vulnerabilities
2. Penetration Testing
  – Check if a system is secure when under attack
  – Try to discover “unknown” vulnerabilities, e.g., ones not in the checklist
    • But, of course, passing the PT does not mean there are no unknown bugs
3. Security Audits
  – Check if a system follows certain regulations
  – Auditing can only reduce the risk; it gives no guarantees about security
• It is important to understand the differences among them

Adversary Model
• Know your enemies (or some assumptions about them)
• Who will be the adversary?
• What do they want?
• What are their capabilities?
• Who will be the victim?
• What are the defender’s capabilities?
• What are the attack surfaces?
• What are the conditions for each attack surface?
• What will be the consequences?
• …

What do we know before testing?
• External testing
  – Based on all information that can be acquired publicly
• Internal testing
  – Tests are performed from some internal network points
• Blackbox: “Zero-knowledge” testing
• “Greybox”: Partial-knowledge testing
• Whitebox: Complete-knowledge testing

Who does the testing?
• Do-it-Yourself
  – Not recommended
  – Limitations: experience, effectiveness, cost, etc.
• Outsourcing (hiring a tiger team)
  – Recommended
  – Needs to be well defined, and both sides must reach an agreement
    • Assumptions, resources, scope, testing locations/points, etc.
  – Find a responsible company with a good reputation
    • Will not leak testing results to any third party
  – Still need the capability to understand the contract terms

How to do the testing?
• Manual testing
  – cf., Capture the Flag
• Automated testing
  – cf., Cyber Grand Challenge
  – sites.google.com/site/bletchleypark2/misc/cyber-grand-challenge
  – (archiving https://www.darpa.mil/program/cyber-grand-challenge)
• A mixed approach most of the time

Basic Flow of (Network) PT
• Scanning and Reconnaissance
  – Find the target
  – Understand network topology
  – etc.
• Collect Information
  – Find potential vulnerabilities
• Testing
  – Confirm their existence
• Planning an attack
  – Manual/auto attack?
  – When? Where? etc.
• Apply the attack
• Post-attack analysis
  – Try to wipe the traces

Advanced Persistent Threat (APT)
• Advanced: the threat actor is at the national level or state-sponsored
• Persistent: stealthy, unauthorized access remains undetected for an extended period
Reference: https://en.wikipedia.org/wiki/Advanced_persistent_threat

Blackbox Vulnerability Testing
• Blackbox Scanning
  – Explores a web application by crawling through its web pages and examines it for security vulnerabilities, which involves generation of malicious inputs and evaluation of the application's responses
    • NIST’s definition
  – Assumption: no knowledge of internal (i.e., server-side) logic
• Core Components
  – Crawling: discover, record, and follow new links/requests
  – Fuzzing: repeat recorded requests with mutated request parameters
  – Evaluating: mostly pattern matching, vulnerability dependent
• Can Discover Web Vulnerabilities
  – Reflected XSS, stored XSS, DOM XSS, SQL injection
  – Path disclosure, server profiling, SSL/TLS settings, LFI/RFI, etc.
    • LFI/RFI: Local/Remote File Inclusion
  – Others: missing authentication check, CSRF, parameter tampering

Architecture of Blackbox Scanner
• Crawler
  – Make a request to http://example.com
    • The seed request
  – Extract links/forms/XHRs/redirections
  – Store the captured requests in a queue in a scheduler
• Fuzzer
  – Malicious input generator replacing request parameters
    • e.g., query, body, headers
  – Reproduce the request
• Output Evaluating
  – Mostly pattern matching
  – To check if malicious inputs are reflected or caused an error
  – i.e., did some attacks succeed?

Crawler (for attacking, not indexing/ranking)
• Like a browser

Crawling: Request Extractor
• Hyperlinks by document.getElementsByTagName()
  – <a href="url">, <area href="url">
• Forms by enumerating all key/value possibilities (for the fuzzer)
  – <form method="post" action="url">
  – <input name="" value="">
  – <select name="" multiple></select>
  – <textarea name=""></textarea>
• Redirections by detecting page navigations
  – HTTP 3xx Location header
  – JavaScript location object
  – HTML meta refresh tag
• XHR by wrapping XMLHttpRequest objects
  – XMLHttpRequest.prototype.open(method, url, async)
  – XMLHttpRequest.prototype.send(reqBody)

Request/Response Deduplication
• Request deduplication to avoid duplicated requests
  – Multiple pages might have hyperlinks to the same page
  – At most one request per signature := (method, URL, sorted request parameters)
  – Pros: saves resources and bandwidth, and hence faster
  – Cons: if state changed at the server, might miss newly introduced links
• Response deduplication to avoid fuzzing similar pages
  – Multiple pages are derived from the same template
  – Features for detection: hyperlinks, tag hierarchy, similarity indexes
  – Historic response dedup: fuzz only if a page changed, and do the “delta”
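As an added illustration (not from the slides or any scanner's own code), the following Python sketch combines the request extractor of the previous slide with the request-deduplication signature above; the class and function names and the sample page are constructed for the example, and forms are recorded with their parameter names so a fuzzer can mutate them later.

```python
# Added example (not from the slides): request extraction plus request
# deduplication by signature := (method, URL, sorted parameter names).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

class RequestExtractor(HTMLParser):
    """Collect hyperlinks and forms from one page, as a crawler's extractor would."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.requests, self._form = base_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # valueless attributes (e.g. "multiple") map to None
        if tag in ("a", "area") and a.get("href"):
            self.requests.append(("GET", urljoin(self.base, a["href"]), {}))
        elif tag == "form":   # default method/action the way a browser does
            self._form = ((a.get("method") or "get").upper(),
                          urljoin(self.base, a.get("action") or self.base), {})
        elif self._form and tag in ("input", "select", "textarea") and a.get("name"):
            self._form[2][a["name"]] = a.get("value") or ""   # fuzzer mutates these

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.requests.append(self._form)
            self._form = None

def signature(method, url, params):
    """Dedup key: method, URL without query/fragment, sorted parameter names."""
    parts = urlsplit(url)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)} | set(params)
    return (method, parts._replace(query="", fragment="").geturl(), tuple(sorted(names)))

def crawl_page(base_url, page_html):
    """Return the requests found on one page, at most one per signature."""
    extractor = RequestExtractor(base_url)
    extractor.feed(page_html)
    seen, unique = set(), []
    for req in extractor.requests:
        sig = signature(*req)
        if sig not in seen:          # the second link to /item is dropped here
            seen.add(sig)
            unique.append(req)
    return unique

# Constructed sample page: two links to the same resource and one form.
SAMPLE = """<a href="/item?id=1">one</a> <a href="item?id=2">two</a>
<form method="post" action="/search"><input name="q" value="">
<select name="sort"><option>asc</option></select></form>"""

if __name__ == "__main__":
    for req in crawl_page("http://example.com/", SAMPLE):
        print(req)
```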

Downloader/Renderer & Event Enumeration
• Headless browser (i.e., full-featured, no screen) to render
• To save bandwidth, no need to download images and CSS
• Event capturing and synthesizing while catching newly generated links
  – e.g., onload, onclick, onkey*, onmouse*, setTimeout, etc.
• Advanced topic: workflow event exploration
  – Consider a page that is found to have 5 buttons
  – Click button 1, and a dialog is shown with more buttons
  – What to click next? Depth-first (new buttons first) vs. breadth-first

WIVET Crawling Coverage
Reference: http://sectoolmarket.com/wivet-score-unified-list.html

Fuzzing
• General Approach
  – Reproduce a request/event from the crawler
  – With some request parameters mutated
  – Replaced with some (hardcoded) attack vectors for XSS, SQLi, etc.
    • a.k.a. malicious input generation
• Adaptive Approach
  – The attack vector list is long, and thus time/bandwidth consuming
  – First round: test whether some sensitive characters are reflected or result in an error
    • e.g., for XSS, test if any of the sensitive characters '><" are escaped
  – Second round: only if yes, fuzz it with further attack vectors

Evaluating
• General Approach (mostly pattern matching)
  – For every fuzzing attempt, examine the HTTP response
  – Reflected XSS: if the attack vector is reflected (not escaped/altered)
  – Stored XSS: if the attack vector is found in any previous HTTP response
  – SQLi: if the attack vector results in any error message, or more/less data
• Other Approaches
  – DOM XSS: untrusted inputs rendered on the client side (not from HTML)
  – Tainting: track whether a variable propagates from a source to critical sinks [*]
    • Instrument a headless browser
    • Put a special marker on all variables from request parameters
    • Inherit the special marker for all string operations (like copy)
    • Flag marked vars reaching critical sinks (e.g., innerHTML, eval(), etc.)
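An added example (not part of the original slides) of the adaptive fuzzing approach on the previous slide together with the reflected-XSS evaluation above, run against a constructed in-process target instead of a network: round one sends a canary carrying the sensitive characters '><" and only parameters that reflect them unescaped get round two, which here uses harmless placeholder probe tags in place of a real vector list; `target`, `fuzz` and the probe strings are all constructed for the example.

```python
# Added example (not from the slides): two-round adaptive fuzzing with a
# pattern-matching evaluator, run against a constructed in-process target.
import html
import re

SENSITIVE = "'><\""   # characters the cheap first round probes
# Second-round "attack vectors" are harmless probe tags, stand-ins for a real list.
VECTORS = ["<zqprobe>", "\"><zqprobe>"]

def target(params):
    """Constructed target page: 'q' is HTML-escaped on output, 'name' is not."""
    return ("<p>Results for %s</p><p>Hi %s</p>"
            % (html.escape(params.get("q", "")), params.get("name", "")))

def reflected_unescaped(body, probe):
    """Evaluator: the probe text appears verbatim (not escaped or altered)."""
    return probe in body

def fuzz(send, base_params):
    """Return {param: findings} for parameters that reflect input unescaped."""
    findings = {}
    for name in base_params:
        # Round 1: one request per parameter; which sensitive chars survive?
        canary = "zq" + SENSITIVE + "zq"
        m = re.search(r"zq(.*?)zq", send({**base_params, name: canary}), re.S)
        survived = [c for c in SENSITIVE if m and c in m.group(1)]
        if not survived:
            continue            # everything escaped: skip the expensive round
        # Round 2: only now replay the full vector list against this parameter.
        hits = [v for v in VECTORS
                if reflected_unescaped(send({**base_params, name: v}), v)]
        findings[name] = {"survived": "".join(survived), "vectors": hits}
    return findings

if __name__ == "__main__":
    print(fuzz(target, {"q": "book", "name": "bob"}))
```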

Whitebox Vulnerability Scanning [*]
• Pattern Matching
  – Check if there are any safe calls (e.g., sanitizer functions)
  – Check if there are any dangerous calls (e.g., dynamic execution like eval())
  – Check if there are any dangerous vars (e.g., global variables)
• Tainting
  – Given an attack vector coming through req.query / req.body
  – Check if it reaches non-sanitized HTML contexts (XSS) or SQL calls (SQLi)
• Control-Flow Test (to ensure control-flow integrity, CFI)
  – Explore all branches that might be traversed
  – Each branch is instrumented to check test coverage
• Symbolic Execution (most computationally expensive)
  – Again, explore all branches that might be traversed
  – Execute a program without concrete values, like tainting
  – Determine what constraints can reach a particular branch (if (s==1) fail())
  – Use a constraint solver to determine the actual value
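An added example (not from the slides): a toy dynamic taint tracker in Python, illustrating the tainting described both for the headless-browser evaluator on the previous slide and for the whitebox approach above. `Tainted`, `sink` and `render_greeting` are constructed names for the example, and the sink merely refuses marked values rather than modelling a real innerHTML or SQL call.

```python
# Added example (not from the slides): a toy dynamic taint tracker.
# Values from request parameters carry a mark, string operations inherit it,
# and a marked value reaching a critical sink is reported.
import html

class Tainted(str):
    """A str whose results of common operations keep the taint mark."""
    def __new__(cls, value, source="request"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def _wrap(self, value):
        return Tainted(value, self.source)
    def __add__(self, other):          # tainted + plain
        return self._wrap(str.__add__(self, other))
    def __radd__(self, other):         # plain + tainted
        return self._wrap(str.__add__(other, self))
    def __getitem__(self, key):        # slicing/copying keeps the mark
        return self._wrap(str.__getitem__(self, key))
    def upper(self):
        return self._wrap(str.upper(self))
    def strip(self, chars=None):
        return self._wrap(str.strip(self, chars))

def sanitize(value):
    """Sanitizer: encodes for HTML and returns a plain, untainted str."""
    return html.escape(str(value))

class SinkViolation(Exception):
    pass

def sink(name, value):
    """Critical sink (think innerHTML, eval(), an SQL call): rejects tainted input."""
    if isinstance(value, Tainted):
        raise SinkViolation("%s reached %s" % (value.source, name))
    return value

def render_greeting(query, sanitized=True):
    """Handler under test; 'sanitized' chooses whether the sanitizer is applied."""
    name = Tainted(query["name"], "req.query.name")
    greeting = "Hello, " + name.strip().upper() + "!"   # taint propagates
    return sink("innerHTML", sanitize(greeting) if sanitized else greeting)

def check(query, sanitized):
    """Run the handler and report the violation message, or None if clean."""
    try:
        render_greeting(query, sanitized)
        return None
    except SinkViolation as e:
        return str(e)
```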

Whitebox vs. Blackbox
• Advantages over the blackbox approach
  – Enhance/ensure exhaustiveness
  – Statements are instrumented to check the percentage covered by tests
  – Can literally go through every branch/possibility (e.g., if-then-else)
  – Can help with getting a precise input for exploit generation
• Disadvantages over the blackbox approach
  – Approach is language and framework specific
  – May require domain knowledge of the application logic/functionality
  – Does not scale well with complex and large applications
• Greybox: whitebox + blackbox
  – e.g., easier to get an exhaustive sitemap by traversing routes in node.js
  – With blackbox alone, it depends on providing all entry points as seeding requests for subsequent crawling

PENETRATION TOOLS
Good tools are a prerequisite to doing a good job

Kali Linux
• A Debian-derived Linux distribution designed for digital forensics and PT
• Preinstalled with numerous penetration-testing programs
• Can be run from a hard disk or a live CD/USB
• A supported platform of the Metasploit Project's Metasploit Framework
  – A tool for developing and executing security exploits

Install Kali Linux
• Download ISO:
  – https://www.kali.org/downloads
  – Can run as a LiveCD in virtual machines (e.g., VMware, VirtualBox)
  – Or burn to USB/CD and boot the machine directly
• Or download disk images directly
  – https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download
  – Create a virtual machine, and use the downloaded file as the virtual disk
• Docker image:
  – https://www.kali.org/news/official-kali-linux-docker-images
• e.g., https://www.youtube.com/watch?v=lZAoFs75_cs&ab_channel=freeCodeCamp.org

whois: for information gathering
• Querying a database that stores the registered users of an Internet resource
  – such as a domain name, an IP address block, or an autonomous system
• Also used for a wider range of other information
• You may need to get and install whois in Kali with the command:
  – apt-get install whois
• whois <ipaddress>
  – Use ping to translate a domain name to an IP address
• Under ICANN organization's agreements, whois may be used for any lawful purposes
  – except to enable marketing or spam,
  – or to enable high volume, automated processes to query a registrar or registry's systems, except to manage domain names.
• e.g., https://github.com/whois-server-list/whois-server-list

NMAP
• Free security scanner for network exploration & hacking
• Server fingerprinting and profiling
• Mapping out the network (routers, IP address range, etc.)
• Port scanning (which IP has port 80 opened, other ports)
• OS detection (to exploit existing vulnerabilities of some OS)
• e.g., nmap -A -T4 192.168.1.112
• http://nmap.online
• https://nmap.org/book (“NMAP network scanning”)
  – Hardcopies in CUHK library
  – (Books on Kali Linux may also be useful)
  – Many other online resources

Collect Information
• To find potential vulnerabilities of the target
• Manually test-and-try
  – Online vulnerability search engine: http://web.nvd.nist.gov/view/vuln/search
  – https://www.openssl.org/news/vulnerabilities.html
  – https://httpd.apache.org/security/vulnerabilities_24.html
• Automatic tools: vulnerability scanners
  – Online scanners
    • https://asafaweb.com (dedicated to ASP.net websites, now ended…)
    • https://dev.ssllabs.com/ssltest (for SSL related)
    • https://geekflare.com/ssl-test-certificate (a blog w/ 10 online tools)
  – Dedicated applications

Shadow Security Scanner
• Trial version: http://www.safety-lab.com/en/download.htm
• Identify known and unknown vulnerabilities
• Suggest corresponding fixes
• Report possible security holes within a network
• Support many protocols and software
  – like HTTP, CGI, MySQL, TCP/IP, etc.
• Database Scanner, Web Analyzer, IM Sniffer
• For Windows 95/98/NT/Me/2000/XP/2003/Vista/2008/7/8/2012/10
• Other dedicated applications: Whisker, WebInspect, etc.

Nessus
• www.tenable.com/products/nessus/select-your-operating-system
• sudo dpkg -i Nessus-8.14.0-.....deb
• Need to register and get a free activation code
• Start the service and access it in a browser
• Customize scanning tasks

Learning/Educational Platforms
• DVWA: Damn Vulnerable Web Application
  – http://www.dvwa.co.uk
    • It is a server environment set up with PHP+MySQL+Apache
  – Similar to www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    • It contains many purposely designed vulnerable web applications
  – So you can play with web vulnerabilities and penetration testing
• Install Approach 1: ISO image file + liveCD mode + virtual machine
  – www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43
• Install Approach 2: manual installation and configuration
  – https://github.com/RandomStorm/DVWA/archive/v1.9.zip
• Using Docker:
  – Docker image for DVWA: https://github.com/infoslack/docker-dvwa
  – Docker for OWASP WebGoat: https://github.com/WebGoat/WebGoat

Apply the attack
• A natural next step after having found a vulnerability
• Manual approach:
  – Write some code of your own to craft the necessary packets/interactions with the server to exploit its vulnerability
• Automatic approach:
  – Reuse some existing tools to exploit the vulnerability, e.g., Metasploit

Metasploit [*]
• It is a framework that provides information about security vulnerabilities of a server and helps with penetration testing
• Open-source: http://www.metasploit.com
• Metasploit can do more than exploiting web applications
• For web applications:
  – Use the Web Vulnerability Scanner module “WMAP”
  – Refer to: http://www.offensive-security.com/metasploit-unleashed/WMAP_Web_Scanner
• Some Metasploit console commands
  – msfconsole
  – load wmap
  – wmap_sites -a <URL>
  – wmap_sites -l
  – wmap_run -t
  – wmap_run -e
  – vulns
• e.g., www.osslab.tw:8880/User:alang/Private_Zone/Hacker
• Database setup (terminal):
  root@kali:~# service postgresql start
  root@kali:~# msfdb init
  root@kali:~# msfdb start

Many more…
• Nikto: an open-source web server scanner
  – http://sectools.org/tool/nikto
  – e.g., nikto -host http://192.168.1.1
  – https://nikto.online
• W3af: a web application attack and audit framework
  – http://w3af.org
  – http://w3af.sourceforge.net/documentation/user/w3afUsersGuide.pdf
  – http://resources.infosecinstitute.com/w3af-tutorial
  – https://www.youtube.com/results?search_query=w3af+tutorial
• Webseclab: a toolkit to construct new test cases from a sample set
  – https://github.com/yahoo/webseclab
• Firing Range: a test bed for web application security scanners
  – https://github.com/google/firing-range
• Price and feature comparison of web application scanners:
  – http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

A Quick Recap (1/2)
• Understanding
  ↓
• How to apply
  ↓
• Security implications

A Quick Recap (2/2)

Questions you should be able to solve
• What is xxx?
• How does xxx (attack or defense) work?
  – Need understanding of the principle and details
• Why can or cannot xxx work?
• Compare and contrast
• Distinguish between legal/legitimate cases vs. illegal cases
• How to apply?
  – Analyze the application of certain techniques
  – When given a design problem, how will you solve it?
• Find vulnerabilities in non-secure code
• How to accommodate/tolerate an instructor who is assigned to teach a new course, to teach online, to teach so many students from different years and backgrounds, to work with TAs he didn’t work with, etc.

What did you learn?
• Some programming languages for both client- and server-side
• Security (design) principles and common vulnerabilities
• Some fundamental concepts that are not likely to change easily
• Security threats confronting web browsers and protocols
• Some related technologies such as databases and cryptography
• Some performance issues and SEO optimization tricks
• Security-consciousness throughout the development cycle
• I hope you have acquired some special mindset or skillset
• Stay humble (or be humbled); much more to learn
• I learned a lot with you and enjoyed this semester too
• The real world is not exam questions or checklists to do.