Comprehensive tour of web application attacks
Ahmed Sherif, EG-CERT

Common Web Application Attacks



BIO
• Web application penetration tester with over 5 years of experience in the information security field.
• Ahmed currently holds a position as information security engineer at EG-CERT, where he is responsible for conducting penetration testing for different governmental entities.
• Ahmed started his career as a web developer, then moved to the information security field. He has also contributed to many security projects and was a co-founder of the "iScanner" project.
• He has been acknowledged by many organizations for finding security issues in their websites as part of bug-bounty programs, such as Yahoo, eBay, Adobe and LinkedIn.


Agenda
• Security in corporates.
• Web technologies.
• OWASP security testing methodologies.
• The most important phase in security testing.
• Camouflage.
• Common web attacks.
• Real-world examples in well-known organizations.
• Play with script kiddies.
• Demo.
• Questions?


• Use highly priced security software for:
  Anti-virus.
  Firewall with deep packet inspection.
  IDS (Intrusion Detection System).
  IPS (Intrusion Prevention System).
  Honeypots.
  Dashboards, real-time visualizations.


Breaches


Why? 80% of all security breaches take place due to unpatched software, in other words, due to not applying the security or reliability fixes the vendor has released for the installed software.


What about the other 20%?

A penetration test is a proactive and authorized attempt to evaluate the security of an organization's infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configuration, and even risky end-user behavior. Penetration testing is an and .


• This testing methodology is based on the OWASP web application penetration testing method.


• Information Gathering.
• Configuration and Deployment Management Testing.
• Identity Management Testing.
• Authentication Testing.
• Authorization Testing.
• Session Management Testing.
• Input Validation Testing.
• Testing for Error Handling.
• Testing for Weak Cryptography.
• Business Logic Testing.
• Client Side Testing.


Information Gathering.


• Conduct search engine discovery and reconnaissance for information leakage.
• Fingerprint the web server.
• Review web server metafiles for information leakage.
• Enumerate applications on the web server.
• Review web page comments and metadata for information leakage.
• Identify application entry points.
• Map execution paths through the application.
• Fingerprint the web application framework.
• Fingerprint the web application.
• Map the application architecture.


Server: Apache/2.2.15 (CentOS)


This section describes how to test the robots.txt file for information leakage of the web application's directory or folder path(s).

Test objective: information leakage of the web application's directory or folder path(s). Build the list of directories that are to be avoided by spiders, robots, or crawlers.


Web application discovery is a process aimed at identifying the web applications hosted on a given infrastructure.

1. Different base URLs. Ex: example.com/url1, example.com/url2. Tools: DirBuster, Burp Intruder, search engine query "site:example.com".

2. Non-standard ports. Web applications may be associated with arbitrary TCP ports. Ex: example.com:8000. Tools: Nmap.

3. Virtual hosts. DNS allows a single IP address to be associated with one or more symbolic names. Ex: IP address 41.xx.xx.xx might be associated with the DNS names www.example.com and mail.example.com.


Test Objectives

Understand how requests are formed and the typical responses from the application.

Requests:
• Identify where GETs are used and where POSTs are used.
• Within POST requests, pay special attention to any hidden parameters.
• Identify all the parameters of the query string. These usually come in pairs, such as foo=bar.
• Pay attention to any additional or custom headers not typically seen (such as debug=False).

Responses:
• Identify where new cookies are set (Set-Cookie header), modified, or added to.
• Identify where there are any redirects (3xx HTTP status codes), 400-range status codes, in particular 403 Forbidden, and 500 Internal Server Error responses during normal use.
• Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced.

Test Objectives

Map the target application and understand the principal workflows.


To identify the type of web application and web framework in use, so as to better understand which parts of the security testing methodology apply.

The most common locations to look at in order to identify the framework are:

• HTTP headers
• Cookies
• HTML source code
• Specific files and folders


Tools


• Meta generator.
• Server header.
• X-Powered-By header.
• Other headers such as X-AspNet-Version.
• Known paths (wp-content for WordPress).
• File extensions.


Remove the X-Powered-By header and add a custom one.

Edit the server signature via ModSecurity.
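An added example (not from the slides) that checks a raw HTTP response for the disclosure points listed above: version-bearing headers, the meta generator tag, framework cookies and known paths. The two responses are constructed here; the second shows what the same server looks like after the headers are stripped and the signature replaced.

```python
import re
from email.parser import Parser

# Constructed responses (not from the slides): a leaky PHP-on-Apache reply and a hardened one.
LEAKY = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 4.1"></head>'
    '<body><script src="/wp-content/themes/x/app.js"></script></body></html>'
)
# Apache: ServerTokens Prod / ServerSignature Off; mod_headers: Header unset X-Powered-By;
# php.ini: expose_php = Off; ModSecurity: SecServerSignature to set a custom banner.
HARDENED = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nSet-Cookie: sid=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><head></head><body><script src="/static/app.js"></script></body></html>'
)

# The locations the slide lists: headers, meta generator, known paths, plus framework cookies.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
KNOWN_COOKIES = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container", "ASP.NET_SessionId": "ASP.NET"}
KNOWN_PATHS = {"/wp-content/": "WordPress", "/wp-includes/": "WordPress", "/sites/default/": "Drupal"}

def fingerprint(raw_response):
    """Return (location, evidence) pairs that disclose the technology stack."""
    head, _, body = raw_response.partition("\r\n\r\n")
    _status, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block)
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        # A bare "Server: Apache" is acceptable; flag it only when a version number leaks.
        if value and (name != "Server" or re.search(r"\d", value)):
            findings.append((name, value))
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        findings.append(("meta generator", m.group(1)))
    for cookie, tech in KNOWN_COOKIES.items():
        if any(v.startswith(cookie + "=") for v in headers.get_all("Set-Cookie", [])):
            findings.append(("cookie " + cookie, tech))
    for path, tech in KNOWN_PATHS.items():
        if path in body:
            findings.append(("path " + path, tech))
    return findings
```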


Example 1


Apache 2.4.7.

PHP 5.5.9.

Ubuntu 14.04.


Common web attacks
• Cross-Site Scripting (XSS).
• Cross-Site Request Forgery (CSRF).
• Session Management.
• SQL Injection.
• Directory Traversal.
• Command Injection.


XSS is a vulnerability in websites or web applications that allows attackers to insert their own client-side code (normally JavaScript) into those web pages. Types of XSS:

• Stored XSS.
• Reflected XSS.
• DOM-based XSS.


Acunetix Report for 2015: 38% of websites vulnerable to XSS

[Diagram: attacker, compromised web application, retrieved compromised page]


Reflected attacks are those where the injected code is reflected off the web server.

When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.


Index.php?name=x<script>malicious code</script>


Attack Payload :

"><script>confirm(1)</script>


No Tags Encoded


&quot;&gt;&lt;script&gt;confirm(1)&lt;/script&gt;

&quot;  "
&gt;    >
&lt;    <
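An added example (not from the slides) covering both sides of the reflected XSS test above: a constructed page that concatenates the name parameter into an attribute, the same page with the output encoding shown in the table, and a check that tells the tester whether a submitted value came back raw or encoded.

```python
import html

# The payload from the slide, used to check how a page reflects it.
PAYLOAD = '"><script>confirm(1)</script>'

def render_vulnerable(name):
    """Constructed page: the reflected value is pasted straight into the attribute,
    so the leading "> closes the attribute and tag and the <script> runs."""
    return '<input type="text" name="name" value="' + name + '">'

def render_safe(name):
    """Same page with HTML output encoding: html.escape(quote=True) applies exactly
    the mapping on the slide (" -> &quot;, > -> &gt;, < -> &lt;) plus & and '."""
    return '<input type="text" name="name" value="' + html.escape(name, quote=True) + '">'

def reflection_status(value, body):
    """Classify how a submitted value comes back in the response body."""
    if value in body:
        return "reflected-raw"       # tags intact: the page does not encode output
    if html.escape(value, quote=True) in body:
        return "reflected-encoded"   # tags encoded: harmless in an HTML context
    return "not-reflected"
```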


Intranet Hacking.


Get local IP. Local port scanning.


Cookie Stealing:


XSS Defacement:


CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he or she is currently authenticated.

An attacker may force the users of a web application to execute actions of the attacker's choosing.


User has to be logged in.

https://www.MyBank.com/Transfer?from=user&to=hacker&amount=5000.


The Leave Group request doesn't contain any tokens.

Proof of Concept:
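An added example (not from the slides) of the missing piece in both the MyBank transfer link and the Leave Group request: a session-bound anti-CSRF token. The handler, secret and session ids are constructed; the point is that the browser sends the session cookie automatically but cannot supply a token that only the bank's own page embeds.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder; a real deployment uses a random secret kept out of source control.
SERVER_SECRET = b"placeholder-server-secret"

def issue_token(session_id):
    """Anti-CSRF token bound to the login session: HMAC-SHA256(secret, session id).
    The bank's own form embeds it as a hidden field; an attacker's page cannot read it,
    so a forged link or auto-submitting form arrives without a valid one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer(request_url, session_id, submitted_token):
    """Handler for /Transfer?from=..&to=..&amount=.. . The session cookie arrives with
    every request (the victim is logged in), so the token is what proves intent."""
    params = parse_qs(urlsplit(request_url).query)
    expected = issue_token(session_id)
    # compare_digest avoids leaking the token through timing differences.
    if not submitted_token or not hmac.compare_digest(submitted_token, expected):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "transferred %s from %s to %s" % (
        params["amount"][0], params["from"][0], params["to"][0])
```

Marking the session cookie SameSite is a second, independent layer; the token check above does not rely on it.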


SQL injection is a code injection technique used to attack an application by sending input from a user-controlled source that is later interpreted and executed by the SQL database. SQL injection attacks work because the user-supplied input is combined, unfiltered or poorly filtered, with SQL statements passed to the database, which allows the user of the form to manipulate the query.


An attacker may exploit a SQL injection vulnerability to retrieve data from the database or escalate to executing commands on the system.

• Identify the vulnerability.
• Fingerprint the server.
• Enumerate data from the database.
• Upload a backdoor.


Using SQL errors, we extract data from the system error message. Example:

"Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in".


Blind SQL injection is a type of attack that runs valid queries on the database, often using timing along with true-or-false conditions.

The results of the timing attacks and the true-or-false evaluations can help determine whether the system is vulnerable.

This attack method is used when the web application is configured NOT to show generic error messages.


SELECT * FROM Table WHERE id = '1';

SELECT * FROM Table WHERE id = 1;


SELECT * FROM orders WHERE orderNumber = 1 AND TRUE;

False



SELECT * FROM orders WHERE orderNumber = 1 OR TRUE;

False


Fingerprinting: knowing the system architecture aids the attacker in crafting specific SQL injection queries that are later used to steal data.


UNION SELECT: UNION allows joining another query to the first query, effectively combining them into one result set.

SELECT * FROM orders WHERE id = 1 UNION SELECT 1,2,3,4,5,...,x;
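An added example (not from the slides) that runs the orders query from the boolean-based and UNION slides against a constructed in-memory SQLite table, first built by string concatenation as on the slides and then as a parameterised query. The probe function is the true/false comparison the blind-injection slides describe, applied to the code under test.

```python
import sqlite3

def make_db():
    """Constructed in-memory orders table (sample rows, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderNumber INTEGER, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_vulnerable(conn, order_number):
    """String concatenation as on the slide: the input becomes part of the SQL text."""
    sql = "SELECT * FROM orders WHERE orderNumber = " + order_number
    return conn.execute(sql).fetchall()

def lookup_safe(conn, order_number):
    """Parameterised query: the input is bound as a value and is never parsed as SQL."""
    sql = "SELECT * FROM orders WHERE orderNumber = ?"
    return conn.execute(sql, (order_number,)).fetchall()

def boolean_probe(lookup, conn):
    """The blind-injection check from the slides: a true condition must leave the
    result unchanged and a false one must change it. 1=1 / 1=2 stand in for the
    slide's TRUE / FALSE so the example also runs on older SQLite builds."""
    baseline = lookup(conn, "1")
    same_on_true = lookup(conn, "1 AND 1=1") == baseline
    differs_on_false = lookup(conn, "1 AND 1=2") != baseline
    return same_on_true and differs_on_false
```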


SQLMAP: sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.


Status Code   Meaning
1xx           Informational
2xx           Successful
3xx           Redirection
4xx           Client error (e.g. 400 Bad Request)
5xx           Server error (e.g. 500 Internal Server Error)


What if we could ...


Access the target URL.

Read the links.

Test them out.

If true: continue.

What if all are "FALSE"?


• Every response: 200 OK. 404 Not Found. 500 Internal Server Error.
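An added example (not from the slides) from the defender's side of the "test every link" behaviour above: a client that walks a wordlist (DirBuster, Burp Intruder) leaves a run of 404s with the occasional 200 in the access log, so the ratio of 404s per client separates it from normal browsing. The log lines are constructed in Apache combined format.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not from the slides).
# 10.0.0.5 walks a directory wordlist; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2015:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2015:13:55:37 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2015:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "DirBuster-1.0-RC1"
10.0.0.9 - - [10/Oct/2015:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:55:41 +0000] "GET /about.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:55:42 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            entries.append({"ip": ip, "method": method, "path": path,
                            "status": int(status), "ua": ua})
    return entries

def suspicious_clients(entries, min_requests=4, not_found_ratio=0.5):
    """Return {ip: stats} for clients whose share of 404s looks like path brute-forcing.
    stats["hits"] lists the 200 responses, i.e. what the scan actually found."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "hits": []})
    for e in entries:
        s = per_ip[e["ip"]]
        s["total"] += 1
        if e["status"] == 404:
            s["not_found"] += 1
        elif e["status"] == 200:
            s["hits"].append(e["path"])
    return {ip: s for ip, s in per_ip.items()
            if s["total"] >= min_requests and s["not_found"] / s["total"] >= not_found_ratio}
```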
