Attacking Web Applications

Web Application

• Fill an important gap between the website front end and the database doing the work

• Often hacked because of inherent weaknesses built into the program

  • overlooked known vulnerabilities

  • unpatched security flaws

  • default passwords

• Identifying entry points

  • Examine cookies and headers

  • Examine POST data

  • Examine encoding or encryption measures

  • URL (input parameters)

• Tools to identify entry points

  • WebScarab

  • HTTPrint

  • Burp Suite

Injection Attacks

• Injecting malicious commands

• Objective - pass exploit code to the server through poorly designed input validation in the application

• Methods

  • File Injection - attacker injects a pointer in the web form input to an exploit hosted on a remote site.

  • Command Injection - attacker injects commands into the form fields instead of the expected test entry

  • Shell Injection - attacker tries to gain shell access using Java or other functions

LDAP Injection

Simple Object Access Protocol (SOAP) Injection

• Designed to exchange structured information in web services in computer network and uses XML to format information

• Lets you inject malicious query strings that let you bypass authentication and access databases behind the scenes

• Compatible with HTTP Protocol and SMTP

• Messages are usually one way

Buffer Overflow

• Attempt to write more data into an application's buffer area in order to overwrite adjacent memory, execute code, or crash a system (application)

• Basically input more data than the buffer is allocated to hold

• Can result in

  • crashing the application or machine

  • altering the application's data pointers

• Canary words

  • can be used to prevent buffer overflow attacks

  • they are known values placed between the buffer and control data

  • If a buffer overflow happens, the canary word will be changed first, triggering a stop to the system

• Other countermeasures are

  • Address Space Layout Randomization (ASLR)

  • Data Execution Prevention (DEP)

XSS

• Attacker takes advantage of scripting and have it do something other than the intended response

• Things you can do

  • DoS attack

  • E-mail XSS attack

  • Persistent XSS or Type-I XSS

  • Upload malicious code to users connected to the server

  • Send pop-up messages to users

  • Steal virtually anything

    • PHP Session IDs - attacker can masquerade as the user plugged into the session

• Mitigation

  • Setting the HttpOnly flag in cookies prevents cookies from being accessible by a client-side script

Cross-Site Request Forgery

Session Fixation

• Similar to CSRF

• Attacker logs in to a legitimate site and pulls a session ID

• Attacker then sends an e-mail with a link containing the fixed session ID

• The user clicks it and logs in to the same legitimate site, the attacker can now log in and run using the user's credentials

Cookies

• Cookies are a small text-based file that is stored on your system for use by the web server the next time you log in

• Contain information such as

  • Authentication details

  • Site preferences

  • Shopping cart contents

  • Session details

  • Passwords (sometimes)

• They are sent in the header of an HTTP response from a web server and may or may not have an expiration date

• Can be manipulated to use as spyware (used to track computer activity), change pricing options or even authenticate to a server

• Sometimes run them through a Unicode (Base64) decoder

SQL Injection

HTTP Attack

• Often called HTTP response splitting

• Attack adds header response data to an input field so that the server splits the response in a couple directions

• Attacker controls the content of the second header, which can be used for any number of things

  • redirecting the user to a malicious site the attacker runs

• Designed to allow other attacks (through the second header content) to work