Module 12 V 30

Ethical Hacking

Module XII
Web Application Vulnerabilities

Module Objective

• Understanding Web Application Security
• Common Web Application Security Vulnerabilities
• Web Application Penetration Methodologies
• Input Manipulation
• Authentication And Session Management
• Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth
• Countermeasures
EC-Council
Understanding Web Application Security

[Diagram: User, Firewall, Web App Scripts, Web Server, Firewall, Database]
Common Web Application Vulnerabilities

• Reliability of Client-Side Data
• Special Characters that have not been escaped
• HTML Output Character Filtering
• Root accessibility of web applications
• ActiveX/JavaScript Authentication
• Lack of User Authentication before performing critical tasks.
Web Application Penetration Methodologies

Information Gathering and Discovery
• Documenting Application / Site Map
• Identifiable Characteristics / Fingerprinting
• Signature Error and Response Codes
• File / Application Enumeration
  – Forced Browsing
  – Hidden Files
  – Vulnerable CGIs
  – Sample Files

Input/Output Client-Side Data Manipulation
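A defender-side counterpart to the forced browsing and hidden-file enumeration listed above, added here as an example and not part of the EC-Council material: a small Python detector that parses Common Log Format lines and flags any client that requested many distinct non-existent paths within a short window. The log lines, IP addresses and paths are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: 10.0.0.5 requests five non-existent paths within
# seconds; 10.0.0.9 is an ordinary visitor who hit one broken link.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:40 -0700] "GET /admin/ HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/2000:13:55:41 -0700] "GET /backup/ HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/2000:13:55:42 -0700] "GET /test.cgi HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/2000:13:55:43 -0700] "GET /samples/ HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/2000:13:55:44 -0700] "GET /index.bak HTTP/1.0" 404 210
10.0.0.9 - - [10/Oct/2000:13:56:05 -0700] "GET /missing.png HTTP/1.0" 404 210
""".splitlines()


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_forced_browsing(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: n} for clients with >= `threshold` distinct 404 paths inside `window`."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the sliding window
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Run against the sample, only 10.0.0.5 is flagged; tune `threshold` and `window` to the normal 404 rate of the site being monitored.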
Hacking Tool: Instant Source

http://www.blazingtool.com

Instant Source lets you take a look at a web page's source code, to see how things are done. Also, you can edit HTML directly inside Internet Explorer!

The program integrates into Internet Explorer and opens a new toolbar window which instantly displays the source code for whatever part of the page you select in the browser window.
Hacking Tool: Lynx

http://lynx.browser.org

Lynx is a text-based browser used for downloading source files and directory links.
Hacking Tool: Wget

www.gnu.org/software/wget/wget.html

• Wget is a command line tool for Windows and Unix that will download the contents of a web site.
• It works non-interactively, so it will work in the background, after having logged off.
• Wget works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded.
• Both http and ftp retrievals can be time stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has.
Hacking Tool: Black Widow

http://softbytelabs.com

Black Widow is a website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program. Use it to scan a site and create a complete profile of the site's structure, files, e-mail addresses, external links and even link errors.
Hacking Tool: WebSleuth

http://sandsprite.com/sleuth/

WebSleuth is an excellent tool that combines spidering with the capability of a personal proxy such as Achilles.
Hidden Field Manipulation

• Hidden fields are embedded within HTML forms to maintain values that will be sent back to the server.
• Hidden fields serve as a means for the web application to pass information between different applications.
• Using this method, an application may pass the data without saving it to a common backend system (typically a database).
• A major assumption about hidden fields is that since they are not visible (i.e. hidden) they will not be viewed or changed by the client.
• Web attacks challenge this assumption by examining the HTML code of the page and changing the request (usually a POST request) going to the server.
• By changing the value, the attacker breaks the logic shared between the different application parts, and the application is manipulated into operating on the new value.
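The server-side counter to the assumption described above, added here as an example and not code from the original slides: the order handler treats the hidden price field as untrusted, prices the order from its own catalogue and only uses the hidden value to flag tampering; where a value genuinely must round-trip through the client, it carries an HMAC tag that exposes edits. CATALOGUE, SERVER_SECRET and the form field names are constructed assumptions.

```python
import hashlib
import hmac

# Server-side catalogue: the only source of truth for prices (constructed
# sample data, amounts in cents).
CATALOGUE = {"SKU-100": 4999, "SKU-200": 1250}

# Hypothetical server secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-not-for-production"


def sign_hidden_field(value: str) -> str:
    """Attach an HMAC tag so the server can tell if the client edited the value."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden_field(signed: str):
    """Return the original value if its tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


def process_order(form: dict):
    """Price the order from the catalogue, never from the client's hidden field.

    Returns {"total": cents, "tampered": bool}, or None if the input is invalid.
    """
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return None
    if sku not in CATALOGUE or not 1 <= qty <= 100:
        return None
    server_price = CATALOGUE[sku]
    # The hidden "price" field is consulted only to detect tampering; it is
    # never used in the calculation, so editing it changes nothing.
    tampered = "price" in form and form["price"] != str(server_price)
    return {"total": server_price * qty, "tampered": tampered}
```

A `tampered` result is worth logging as a security event, since a legitimate browser never changes a hidden field on its own.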
Input Manipulation

• URL Manipulation - CGI Parameter Tampering
• HTTP Client-Header Injection
• Filter/Intrusion Detection Evasion
• Protocol/Method Manipulation
• Overflows
What is Cross Site Scripting (XSS)?

• A Web application vulnerable to XSS allows a user to inadvertently send malicious data to themselves through that application.
• Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them.
• These links cause client-side scripting languages (VBScript, JavaScript, etc.) of the attacker's choice to execute on the victim's browser.
• XSS vulnerabilities are caused by a failure in the web application to properly validate user input.
Authentication And Session Management

• Brute/Reverse Force
• Session Hijacking
• Session Replay
• Session Forging
• Page Sequencing
Traditional XSS Web Application Hijack Scenario - Cookie Stealing

The user is logged on to a web application and the session is currently active. An attacker knows of an XSS hole that affects that application.

The user receives a malicious XSS link via an e-mail or comes across it on a web page. In some cases an attacker can even insert it into web content (e.g. guest book, banner, etc.) and make it load automatically without requiring user intervention.
XSS Countermeasures

• As a web application user, there are a few ways to protect yourself from XSS attacks.
• The first and the most effective solution is to disable all scripting language support in your browser and email reader.
• If this is not a feasible option for business reasons, another recommendation is to use reasonable caution while clicking links in anonymous e-mails and dubious web pages.
• Proxy servers can help filter out malicious scripting in HTML.
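The countermeasures above are for the user; the application-side fix for the XSS definition two slides earlier (the failure to validate user input before returning it) is shown here as an added example that is not part of the original material: the search term is validated against an allow-list and then encoded for each output context it is reflected into. The search page, its field names and the regular expression are constructed assumptions.

```python
import html
import re
from urllib.parse import quote

# Allow-list for a search term: expected characters only, bounded length.
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9 .,'-]{1,64}")


def validate_search_term(term: str):
    """Accept only expected input; anything outside the allow-list is rejected."""
    return term if SEARCH_TERM_RE.fullmatch(term) else None


def render_results_page(term: str) -> str:
    """Reflect the term into three output contexts, encoding for each one."""
    in_html = html.escape(term, quote=True)  # element content and quoted attributes
    in_url = quote(term, safe="")            # URL query component
    return (
        f"<h1>Results for {in_html}</h1>\n"
        f'<input type="text" name="q" value="{in_html}">\n'
        f'<a href="/search?q={in_url}">permalink</a>'
    )


def handle_search(term: str) -> str:
    """Validate first; rejected input is never reflected, not even encoded."""
    validated = validate_search_term(term)
    if validated is None:
        return "<h1>Invalid search term</h1>"
    return render_results_page(validated)
```

Encoding is applied at output time regardless of validation, so a value that bypasses the allow-list through another route is still rendered as text rather than markup.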
Buffer Overflow in WINHLP32.EXE

• A buffer-overrun vulnerability in WINHLP32.EXE could result in the execution of arbitrary code on the vulnerable system.
• This vulnerability stems from a flaw in the Item parameter within the WinHLP Command.
• This exploit would execute in the security context of the currently logged on user.
• Microsoft has released Windows 2000 Service Pack 3 (SP3), which includes a fix for this vulnerability.
Hacking Tool: Helpme2.pl

• Helpme2.pl is exploit code for the WinHelp32.exe Remote Buffer Overrun vulnerability.
• This tool generates an HTML file with a given hidden command.
• When this HTML file is sent to a victim through e-mail, it infects the victim's computer and executes the hidden code.
Hacking Tool: WindowBomb

An email sent with this html file attached will create pop-up windows until the PC's memory gets exhausted. JavaScript is vulnerable to simple coding such as this.
Hacking Tool: IEEN

http://www.securityfriday.com/ToolDownload/IEen

IEEN remotely controls Internet Explorer using DCOM. If you know the account name and the password of a remote machine, you can remotely control the software components on it using DCOM. For example, Internet Explorer is one of the programs that can be controlled this way.
Summary

• Attacking web applications is the easiest way to compromise hosts, networks and users.
• Generally nobody notices web application penetration until serious damage has been done.
• Web application vulnerabilities can be eliminated to a great extent by ensuring proper design specifications and coding practices as well as implementing common security procedures.
• Various tools help the attacker to view the source code and scan for security holes.
• The first rule in web application development from a security standpoint is not to rely on client-side data for critical processes. Using an encrypted session such as SSL and "secure" cookies is advocated instead of using hidden fields, which are easily manipulated by attackers.
• A cross-site scripting vulnerability is caused by the failure of a web based application to validate user supplied input before returning it to the client system.
• If the application accepts only expected input, then XSS can be significantly reduced.