Ethical Hacking and Countermeasures
Version 6
Module XVII
Scenario
Kimberly, a web application developer, works for a bank, XBank4u.
Recently XBank4u introduced a new service called "Mortgage Application Service". Kimberly was assigned the task of creating the application which supported the new service.
She finds ShrinkWarp, an ASP-based application, on the Internet. The application suited her development perfectly. She negotiates the price with the vendor and purchases the software for the firm.
She was successful in implementing the project in time. XBank4u was ready to serve its customers online for the new service using the application that Kimberly had designed.
A week later the XBank4u website was defaced!
Module Objective
This module will familiarize you with:
• Web Application Setup
• Objectives of Web Application Hacking
• Anatomy of an Attack
• Web Application Threats
• Countermeasures
Module Flow
Web Application Setup -> Web Application Hacking -> Web Application Threats -> Anatomy of an Attack -> Countermeasures
Web Application Setup
A client/server software application that interacts with users or other systems using HTTP
Modern applications are written in Java (or similar languages) and run on distributed
Web Application Hacking
Exploitative behaviors:
• Defacing websites
• Stealing credit card information
• Exploiting server-side scripting
• Exploiting buffer overflows
• Domain Name Server (DNS) attacks
• Employing malicious code
• Denial of Service
Anatomy of an Attack
Scanning -> Information Gathering -> Testing -> Planning the Attack
Web Application Threats
• Cross-site scripting
• SQL injection
• Command injection
• Cookie/session poisoning
• Parameter/form tampering
• Buffer overflow
• Directory traversal/forceful browsing
• Cryptographic interception
• Cookie snooping
• Log tampering
• Error message interception attack
• Attack obfuscation
• Platform exploits
• DMZ protocol attacks
• Security management exploits
• Web services attacks
• Zero-day attack
• Network access attacks
Cross-Site Scripting/XSS Flaws
Cross-site scripting occurs when an attacker uses a web application to send malicious code, generally JavaScript, to another end user's browser
Stored attacks are those where the injected code is permanently stored on the target servers, for example in a database, and is served to every user who views the affected page
Reflected attacks are those where the injected code takes another route to the victim, such as in an email message, and is reflected off the web server into the victim's browser
Disclosure of the user's session cookie allows an attacker to hijack the user's session and take over the account
In cross-site scripting, end-user files can be disclosed, Trojan horse programs installed, the user redirected to some other page, and the presentation of the content modified
An Example of XSS
A hacker realizes that the XSECURITY website suffers from a cross-site scripting bug
The hacker sends you an e-mail that claims you have just won a vacation getaway and all you have to do is "click here" to claim your prize
The URL for the hypertext link is www.xsecurity.com/default.asp?name=<script>evilScript()</script>
When you click this link, the website tries to be friendly by greeting you, but instead displays "Welcome Back !"
What happened to your name? By clicking the link in the e-mail, you have told the XSECURITY website that your name is <script>evilScript()</script>
The web server generated HTML with this "name" embedded and sent it to your browser
Your browser correctly interprets this as script and runs the script
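The greeting page from this walkthrough, as an added example in Python (not code from this module or from the XSECURITY site): a handler that splices the `name` parameter straight into HTML, beside the fixed handler that HTML-encodes it. The function names, the page markup and the parsing of the module's example URL are assumptions made here.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The link from the phishing e-mail in the walkthrough above (scheme added
# so the URL parses). Nothing in this file talks to the network.
PHISHING_URL = ("http://www.xsecurity.com/default.asp"
                "?name=<script>evilScript()</script>")


def name_from_url(url: str) -> str:
    """Return the `name` query parameter exactly as the server would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("name", [""])[0]


def render_greeting_vulnerable(name: str) -> str:
    """The bug: untrusted input is concatenated straight into the HTML, so a
    name of <script>evilScript()</script> becomes live script in the page."""
    return "<html><body><h1>Welcome Back " + name + "!</h1></body></html>"


def render_greeting_safe(name: str) -> str:
    """Same page with the input HTML-encoded for the element-body context.

    Validating input is still worth doing, but a legitimate name such as
    O'Brien contains a quote, so encoding on output is what actually keeps
    `name` from being parsed as markup.
    """
    return ("<html><body><h1>Welcome Back "
            + html.escape(name, quote=True) + "!</h1></body></html>")


def contains_live_script(page: str) -> bool:
    """Crude oracle for the checks below: is there an unencoded <script>
    tag in the generated page?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    injected = name_from_url(PHISHING_URL)
    print("name parameter :", injected)
    print("vulnerable page:", render_greeting_vulnerable(injected))
    print("safe page      :", render_greeting_safe(injected))
```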
Countermeasures
Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
Encode untrusted data for the context it is written into (HTML body, attribute, JavaScript, URL); validation alone does not stop a legitimate character such as an apostrophe from becoming markup
Adopt a stringent security policy
SQL Injection
SQL injection uses SQL to directly manipulate a database's data
An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data
SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches
Countermeasure
• Check the user's input provided to database queries
• Use parameterized queries (bound variables) so that input is passed as data and never spliced into the statement text
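An added example (Python, not code from this module) showing the login bypass this slide describes against an in-memory SQLite table, then the same query with bound parameters. The `users` table, its accounts and the passwords are constructed here; real systems store password hashes, which is left out to keep the focus on the query.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Throwaway database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "customer"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string concatenation: a quote in the input
    ends the literal and whatever follows is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the statement text is fixed and the driver passes
    the values separately, so input cannot change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads, typed into the login form's fields:
#   username "admin' --"   closes the literal and comments out the password test
#   password "' OR '1'='1" closes the literal and appends an always-true clause
COMMENT_OUT = "admin' --"
ALWAYS_TRUE = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, comment-out payload:", login_vulnerable(db, COMMENT_OUT, "x"))
    print("vulnerable, always-true payload:", login_vulnerable(db, "alice", ALWAYS_TRUE))
    print("parameterized, comment-out     :", login_safe(db, COMMENT_OUT, "x"))
    print("parameterized, always-true     :", login_safe(db, "alice", ALWAYS_TRUE))
```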
Command Injection Flaws
Command injection flaws relay malicious code through a web application to another system
Attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to the backend databases via SQL (i.e., SQL injection)
Countermeasures
Use language-specific libraries that avoid problems due to shell commands
Validate the data provided to prevent any malicious content
Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
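An added example (Python, not code from this module) of the countermeasures above: a host-lookup feature built first as a shell command string, then as an argv list behind an allow-list check, so the supplied hostname is only ever data. The feature, the hostname rule and the inputs are assumptions made here; `nslookup` is only invoked if you run the file directly.

```python
import re
import subprocess

# Allow-list for a hostname (RFC 1123 labels: letters, digits, hyphens,
# 1-63 characters each, dot-separated). Anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def lookup_command_vulnerable(host: str) -> str:
    """What a vulnerable app hands to os.system() or
    subprocess.run(..., shell=True): the shell parses the whole string, so
    ';', '|', '$( )' and backticks inside `host` start new commands."""
    return "nslookup " + host


def validate_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def lookup_argv_safe(host: str) -> list:
    """Validate, then pass the value as its own argv element. No shell is
    involved, so metacharacters are inert; the allow-list additionally
    blocks option injection such as a leading '-'."""
    if not validate_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["nslookup", host]


def is_rejected(host: str) -> bool:
    try:
        lookup_argv_safe(host)
    except ValueError:
        return True
    return False


def run_lookup(host: str) -> int:
    """Execute the safe form (no shell) and return nslookup's exit status."""
    return subprocess.run(lookup_argv_safe(host), check=False).returncode


if __name__ == "__main__":
    attack = "example.com; rm -rf /"
    print("vulnerable command line:", lookup_command_vulnerable(attack))
    print("rejected by allow-list :", is_rejected(attack))
    try:
        run_lookup("example.com")
    except FileNotFoundError:
        print("nslookup not installed; argv would be", lookup_argv_safe("example.com"))
```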
Cookie/Session Poisoning
Cookies are used to maintain session state in the otherwise stateless HTTP protocol
Poisoning allows an attacker to inject malicious content, modify the user's on-line experience, and obtain unauthorized information
A proxy can be used for rewriting the session data
Countermeasures
Do not store plaintext or weakly encrypted passwords in a cookie
Implement cookie timeouts
A cookie's authentication credentials should be associated with an IP address
Parameter/Form Tampering
Parameter/form tampering takes advantage of the hidden fields that work as the only security measure in some applications
Modifying this hidden field value will cause the web application to change according to the new data incorporated
It can cause theft of services, escalation of access, and session hijacking
Buffer Overflow
A buffer overflow corrupts the execution stack of a web application
Buffer overflow flaws in custom web applications are less likely to be detected
Almost all known web servers, application servers, and web application environments are susceptible to attack (but not Java and J2EE environments, whose managed code is bounds-checked; native libraries they call remain exposed)
Countermeasures
Validate input length in forms
Check bounds and maintain extra care when using loops to copy data
Directory Traversal/Forceful Browsing
A directory traversal/forceful browsing attack occurs when the attacker is able to browse directories and files outside the normal application access
It exposes the directory structure of the application, and often the underlying web server and operating system
Countermeasures
Define access rights to the protected areas of the website
Apply checks/hot fixes that prevent the exploitation of vulnerabilities such as Unicode encoding used to effect directory traversal
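An added example (Python, not code from this module) of the path check behind the first countermeasure: decode the requested name (including stacked URL encoding), normalize it, and confirm it still lies under the web root before touching the file system. The web root and the requests are constructed; nothing is read from disk.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/xbank4u/docs"   # constructed; no file is opened here


class TraversalError(ValueError):
    """Raised when a request would resolve outside the web root."""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo URL encoding until the value stops changing. Attackers stack
    layers (%252e -> %2e -> '.'), so decoding once is not enough; the bound
    keeps a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise TraversalError("too many encoding layers")


def resolve_under_root(root: str, requested: str) -> str:
    """Absolute path for `requested` if it stays inside `root`, else raise.

    A substring test for ".." is not enough: "..%2f", "%252e%252e" and
    Windows-style "..\\" all slip past it. Decode, normalize the whole path,
    then compare directory prefixes with os.path.commonpath.
    """
    name = fully_decode(requested).replace("\\", "/")
    if "\x00" in name:
        raise TraversalError("NUL byte in path")
    # A leading '/' is treated as relative to the root, not as absolute.
    candidate = os.path.normpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, candidate]) != os.path.normpath(root):
        raise TraversalError("escapes web root: %r" % requested)
    return candidate


def is_traversal(requested: str) -> bool:
    """Convenience predicate: would this request be refused?"""
    try:
        resolve_under_root(WEB_ROOT, requested)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    for req in ("statements/2008.pdf", "../../etc/passwd",
                "%252e%252e%252f%252e%252e%252fetc%252fpasswd"):
        outcome = "refused" if is_traversal(req) else resolve_under_root(WEB_ROOT, req)
        print("%-48s -> %s" % (req, outcome))
```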
Cryptographic Interception
Using cryptography, a confidential message can be securely sent between two parties
Encrypted traffic flows through network firewalls and IDS systems and is not inspected
If an attacker is able to take advantage of a secured channel, he/she can exploit it more efficiently than an open channel
Countermeasure
• Use Secure Sockets Layer (SSL; today its successor TLS) and advanced private key protection
Cookie Snooping
In an attempt to protect cookies, site developers often encode the cookies
Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give a false sense of security regarding the use of cookies
Cookie snooping techniques can use a local proxy to enumerate cookies
Countermeasures:
• Use encrypted cookies
• Embed the source's IP address in the cookie
• Integrate the cookie mechanism fully with SSL functionality
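An added example (Python, not code from this module) that serves three of the slides above: cookie/session poisoning, parameter/form tampering and cookie snooping. It first reverses the Base64 and ROT13 "protection" this slide warns about, then issues a token whose fields (session id, role, or a hidden form value such as a price) carry an expiry and the client IP and are covered by an HMAC, so a value edited in a proxy is detected. The token layout, the key and the sample values are constructed here. Signing gives integrity, which is what stops tampering; the encryption the slides also ask for is a separate control for confidentiality and is not shown.

```python
import base64
import codecs
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # real key: random, server-side only

# A cookie "protected" the way the slide describes: a constructed value,
# Base64-encoded, with no secret involved at all.
ENCODED_COOKIE = base64.b64encode(b"user=kimberly;role=customer").decode()


def snoop_base64_cookie(value: str) -> str:
    """Base64 is an encoding, not encryption: anyone holding the cookie
    (a local proxy, a sniffer) reverses it in one call."""
    return base64.b64decode(value).decode()


def snoop_rot13_cookie(value: str) -> str:
    """ROT13 is its own inverse; applying it again recovers the text."""
    return codecs.decode(value, "rot_13")


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _pack(body: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()


def issue_token(fields: dict, client_ip: str, now: int, ttl: int = 900) -> str:
    """Serialize `fields` (session id, role, a hidden-field value, ...) with
    an expiry and the client IP, and append an HMAC over the whole payload."""
    payload = _pack(dict(fields, exp=now + ttl, ip=client_ip))
    return payload + "." + _mac(payload.encode())


def verify_token(token: str, client_ip: str, now: int):
    """Return the fields if the MAC, the expiry and the IP binding all hold;
    otherwise None. The MAC comparison is constant-time."""
    payload, sep, mac = token.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(payload.encode())):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] <= now or body["ip"] != client_ip:
        return None
    return {k: v for k, v in body.items() if k not in ("exp", "ip")}


def tamper(token: str, field: str, new_value) -> str:
    """What an attacker does in an intercepting proxy: edit one field and
    keep the original MAC, hoping the server never checks it."""
    payload, _, mac = token.rpartition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body[field] = new_value
    return _pack(body) + "." + mac


if __name__ == "__main__":
    print("snooped :", snoop_base64_cookie(ENCODED_COOKIE), "/", snoop_rot13_cookie("ebyr=nqzva"))
    t = issue_token({"sid": "7f3a", "role": "customer", "price": 199}, "203.0.113.7", now=1000)
    print("valid   :", verify_token(t, "203.0.113.7", now=1500))
    print("tampered:", verify_token(tamper(t, "role", "admin"), "203.0.113.7", now=1500))
```

Binding the token to the client IP, as the slides recommend, does reject a stolen cookie replayed from elsewhere, but it also logs out legitimate users whose address changes (mobile networks, load-balanced proxies); many sites bind to a less volatile attribute or rely on a short expiry instead.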
Authentication Hijacking
Authentication prompts a user to supply the credentials that allow access to the application
It can be accomplished through:
• Basic authentication
• Strong authentication methods
Web applications authenticate in varying methods
Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge
Countermeasures
Use authentication methods that use secure channels wherever possible
Instant SSL can be configured easily to encrypt all traffic between the client and the application
Log Tampering
Logs are kept to track the usage patterns of the application
Log tampering allows attackers to cover their tracks or alter web transaction records
Attackers strive to delete logs, modify logs, change user information, or otherwise destroy evidence of any attack
Countermeasures
• Digitally sign and stamp logs
• Separate logs for system events
• Maintain a transaction log for all application events
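An added example (Python, not code from this module) of the first countermeasure, signing and stamping logs: each entry carries an HMAC over its content and the previous entry's HMAC, so editing, deleting or reordering any line breaks the chain from that point on, and a periodic seal (entry count plus last HMAC, sent off-host) catches truncation at the tail, which a chain alone cannot. The key, the entry layout and the sample request lines are constructed; in practice the key lives on the log collector, not on the web server an attacker may already control.

```python
import hashlib
import hmac

LOG_KEY = b"constructed-log-signing-key"   # held by the log collector, not the web server
GENESIS = "0" * 64                         # chain anchor for the first entry


def entry_mac(prev_mac: str, timestamp: str, message: str) -> str:
    """HMAC over the previous entry's MAC plus this entry's fields."""
    data = (prev_mac + "|" + timestamp + "|" + message).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def append(log: list, timestamp: str, message: str) -> list:
    prev = log[-1][2] if log else GENESIS
    log.append((timestamp, message, entry_mac(prev, timestamp, message)))
    return log


def verify_chain(log: list) -> int:
    """Index of the first entry whose MAC does not fit the chain, or -1."""
    prev = GENESIS
    for i, (ts, msg, mac) in enumerate(log):
        if not hmac.compare_digest(mac, entry_mac(prev, ts, msg)):
            return i
        prev = mac
    return -1


def seal(log: list) -> tuple:
    """The 'stamp': (entry count, last MAC). Shipped to a separate system at
    intervals, because a chain can be cut at the tail without breaking."""
    return (len(log), log[-1][2] if log else GENESIS)


def verify_against_seal(log: list, stamp: tuple) -> bool:
    return verify_chain(log) == -1 and seal(log) == stamp


def build_sample_log() -> list:
    """Constructed access-log lines for the scenario site."""
    log = []
    append(log, "2008-05-12T10:01:07Z", "203.0.113.7 GET /default.asp?name=kimberly 200")
    append(log, "2008-05-12T10:01:19Z", "198.51.100.9 GET /default.asp?name=<script>evilScript()</script> 200")
    append(log, "2008-05-12T10:02:03Z", "198.51.100.9 POST /admin/upload.asp 302")
    return log


def edit_entry(log: list, index: int, new_message: str) -> list:
    """Attacker rewrites one line in place (stored MAC left untouched)."""
    ts, _, mac = log[index]
    return log[:index] + [(ts, new_message, mac)] + log[index + 1:]


def delete_entry(log: list, index: int) -> list:
    return log[:index] + log[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    stamp = seal(log)
    print("intact   :", verify_chain(log))
    print("edited   :", verify_chain(edit_entry(log, 1, "198.51.100.9 GET /default.asp?name=bob 200")))
    print("deleted  :", verify_chain(delete_entry(log, 1)))
    print("truncated:", verify_chain(log[:2]), "(chain ok) seal check:", verify_against_seal(log[:2], stamp))
```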
Error Message Interception
Information in error messages is often rich with site-specific information that can be used to:
• Determine the technologies used in the web applications
• Determine whether the attack attempt was successful
• Receive hints for attack methods to try next
Countermeasure
• Website cloaking capabilities make enterprise web resources invisible to hackers
• Return a generic error page to the client and keep stack traces, query text, and file paths in server-side logs only
Attack Obfuscation
Attackers often work hard to mask and otherwise hide their attacks to avoid detection
The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding
Multiple levels of encoding can be used to further bury the attack
It is used for theft of service, account hijacking, information disclosure, website defacement, and so on
Countermeasures:
• Thoroughly inspect all traffic
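An added example (Python, not code from this module) of what "thoroughly inspect all traffic" has to mean in practice: a signature check that first peels off layered URL encoding, IIS-style %uXXXX encoding and overlong UTF-8 such as %c0%af, so that the same `../` or `<script` is found however it was disguised. The signatures, the decoder's round limit and the sample request lines are constructed here.

```python
import re
from typing import Optional

# Constructed signatures; a real detector has many more and matches in context.
SIGNATURES = ("../", "<script", "' or ", "cmd.exe")

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def lenient_utf8(data: bytes) -> str:
    """UTF-8 decode that also accepts overlong two-byte forms (lead byte C0
    or C1). Strict decoders reject them, but some servers did not: IIS once
    read %c0%af as '/', which is how '..%c0%af..' walked out of the web root."""
    fixed = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return fixed.decode("utf-8", "replace")


def decode_once(s: str) -> str:
    """One pass: %uXXXX -> code point, %XX -> raw byte, then lenient UTF-8."""
    out = bytearray()
    pos = 0
    for m in _PCT.finditer(s):
        out += s[pos:m.start()].encode("utf-8", "surrogatepass")
        if m.group(1):
            out += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8", "surrogatepass")
    return lenient_utf8(bytes(out))


def normalize(s: str, max_rounds: int = 4) -> str:
    """Decode until nothing changes (bounded), then case-fold."""
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def matches_signature(request_line: str) -> Optional[str]:
    """First signature found in the normalized request, or None."""
    normalized = normalize(request_line)
    for sig in SIGNATURES:
        if sig in normalized:
            return sig
    return None


if __name__ == "__main__":
    for req in ("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
                "GET /default.asp?name=%253Cscript%253EevilScript()",
                "GET /search.asp?q=100%25%20cotton"):
        print("%-55s -> %s" % (req, matches_signature(req)))
```

Matching on the decoded form also avoids the opposite mistake, a detector that flags a harmless `%25` (a literal percent sign) because it pattern-matches raw bytes without decoding.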
Platform Exploits
Web applications are built upon application platforms, such as BEA WebLogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun Java technologies
Vulnerabilities include the misconfiguration of the application, bugs, insecure internal routines, hidden processes and commands, and third-party enhancements
The exploit of application platform vulnerabilities can allow:
• Access to developer areas
DMZ Protocol Attacks
A DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network
Most companies limit the protocols allowed to flow through their DMZ
An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZ and internal systems. This level of access can lead to:
• Compromise of the web application and data
• Defacement of websites
Countermeasures
Deploy a robust security policy
Adopt a sound auditing policy
Use signatures to detect and block well-known attacks
• Signatures must be available for all forms of attack and must be continually updated
Security Management Exploits
the security that is specific to each application
Web Services Attacks
Web services allow process-to-process communication between web applications
An attacker can inject a malicious script into a web service that will enable disclosure and modification of the data
Countermeasures:
• Turn off web services that are not required for regular operations
• Provision for multiple layers of protection
Zero-Day Attacks
Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker and the time that the vendor issues a corrective patch
Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic
A zero-day vulnerability is the launching point for further exploitation of the web application and environment
Countermeasures:
• No security solution can claim that it will totally protect against all zero-day attacks
• Enforce stringent security policies
• Deploy a firewall and enable heuristics
Network Access Attacks
All traffic to and from a web application traverses networks
These attacks use techniques like spoofing, bridging, ACL bypass, and stack attacks
Sniffing network traffic will allow viewing of application commands, authentication information, and application data as it traverses the network
Countermeasures
• Shut down unnecessary services, thereby shutting unnecessary listening ports
• Define firewall rules to allow only legitimate traffic
TCP Fragmentation
Every message that is transferred between computers by a data network is broken down into packets
Often packets are limited to a pre-determined size for interoperability with physical networks
An attack directly against a web server would specify that the "Push" flag is set, which would force every packet into the web server's memory. In this way, an attack would be delivered piece-by-piece, without the ability to detect the attack
The PSH flag only asks the receiving TCP stack to hand data to the application without waiting for more; the evasion relies on an IDS that inspects packets individually, and a sensor that reassembles the TCP stream before matching sees the attack whole
Countermeasure:
• Use packet filtering devices and firewall rules
Instant Source
The Instant Source tool allows you to see and edit the HTML source code of web pages
It can be executed from Internet Explorer, where a new toolbar window displays the source code for any selected part of the page in the browser window
Hacking Tool: Wget
Wget is a command-line tool for Windows and Unix that will download the contents of a website
It works non-interactively in the background after the user logs off
It works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded
Both HTTP and FTP retrievals can be time-stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has
WebSleuth: Screenshot
WebSleuth is a tool that combines spidering with the capability of a personal proxy such as Achilles
BlackWidow
BlackWidow is a website scanner and a site mapping tool
Email addresses, external links, and even link
SiteScope Tool
Foundstone SiteScope is a free tool that helps website owners, developers, and managers to easily map out the navigation of a web application
This tool creates a site map and gathers
WSDigger Tool – Web Services Testing Tool
WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing
It is more than a tool; it is a web services testing framework
CookieDigger Tool
CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications
The tool works by collecting and analyzing cookies issued by a web application for multiple users
SSLDigger Tool
SSLDigger is a tool to assess the strength of SSL servers by testing the supported ciphers
Hacking Tool: WindowBomb
An email sent with this HTML code attached will create pop-up windows until the PC's memory is exhausted
Burp: Positioning Payloads
Burp is a tool for performing automated attacks against web-enabled applications
Burp: Configuring Payloads and Content Enumeration
Burp comes preconfigured with attack payloads and it can check for common databases on a Lotus Domino server
Burp: Password Guessing
Burp Proxy: Intercepting HTTP/S Traffic
Burp Proxy: Hex-editing of Intercepted Traffic
Burp Proxy: Browser Access to Request History
Burp Proxy maintains a complete history of every request sent by the browser
Tool: Burp Suite
Burp Suite is an integrated platform for attacking web applications
It allows an attacker to combine manual and automated techniques to enumerate, analyze, attack, and exploit web applications
The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another
Key features include:
• Ability to passively spider an application in a non-intrusive manner
• One-click transfer of interesting requests between plug-ins, e.g. from the proxy request history, or a web page form enumerated with Burp Spider
• Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp Suite
• Centrally configured settings for downstream proxies, web and proxy authentication, and logging
Hacking Tool: cURL
cURL is a multi-protocol transfer library
It is a client-side URL transfer library supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP
cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form-based upload, proxies, cookies, user+password authentication, file transfer resume, and HTTP proxy tunneling
dotDefender
dotDefender is a web application attack protection tool that blocks attacks that are manifested within the HTTP request logic, such as:
• SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to the corporate data
• Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site
• Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of subsequent site visitors
• Header Tampering - dotDefender identifies and blocks requests containing corrupted header data
Acunetix Web Scanner
Acunetix Web Scanner: Screenshot
AppScan – Web Application Scanner
AppScan provides security testing throughout the application development lifecycle, which tests security assurance in the development stage
It detects vulnerabilities by simulating hacker attacks such as:
• Cross-Site Scripting
• HTTP Response Splitting
• Parameter Tampering
• Hidden Field Manipulation
• Backdoors/Debug Options
• Stealth Commanding
• Forceful Browsing
• Application Buffer Overflows
• Cookie Poisoning
• Third-party misconfigurations
• Known vulnerabilities
Tool: Falcove Web Vulnerability Scanner
Falcove is used by web-site owners to see whether their web sites are hackable or vulnerable to attacks
It finds vulnerabilities before hackers do and takes the necessary precautions to implement the corrective actions
Features:
• Gives you an idea whether your website is secure against web attacks
• Crawler feature automatically checks for web vulnerabilities
• Audits all dynamic content including password fields, shopping carts, and other web applications
Falcove Web Vulnerability Scanner: Screenshot
Tool: NetBrute
NetBrute scans a range of IP addresses for shared resources that have been shared via Microsoft File and Printer Sharing
It shows any SMB-compatible shared resources (i.e. Samba servers on a Unix/Linux machine)
It is used by system administrators or home users to see what types of resources are shared and to warn the computer users if any unsecured resources are displayed
Tool: Emsa Web Monitor
Emsa Web Monitor is a small web monitoring program that runs on your desktop and allows the user to monitor the uptime status of several websites
It works by periodically pinging the remote sites, and showing the ping time as well as a small graph that allows the user to quickly view recent monitoring history
Tool: KeepNI
Keep an eye on your web site's functionality
It assures that your site is up and fully functional every time
Whenever a malfunction is detected, KeepNI immediately alerts you
KeepNI has an extensive logging facility to watch and alert
Tool: Parosproxy
Parosproxy is written in Java and useful for testing web applications and insecure sessions
Tool: WebScarab
WebScarab is a Java framework for analyzing applications that communicate using the HTTP and HTTPS protocols
It operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and vice versa
WebScarab can intercept both HTTP and HTTPS communication
Tool: Watchfire AppScan
Watchfire® AppScan® automates web application security audits to ensure the security and compliance of websites
Benefits:
• Fully outsourced web application vulnerability management
• Direct access to Watchfire security experts and industry best practices
• Best path to actionable data for web application security management
• Dramatically reduces the learning curve and adoption time
Tool: WebWatchBot
WebWatchBot is monitoring and analysis software for web sites and IP devices including Ping, HTTP, HTTPS, SMTP, POP3, FTP, Port, and DNS checks
It provides in-depth monitoring and alerting functionality as well as tools to analyze and visualize historical data with real-time charting and graphs
Additional features include an option to run as a
Ratproxy
Ratproxy is a semi-automated and largely passive web application security audit tool
It is designed specifically for accurate and sensitive detection, and automatic annotation, of potential problems
How Does it Avoid False Positives?
For accurate reporting of problems and to reduce the number of false alarms, ratproxy has to consider the following points:
• What the declared and actually detected MIME type for the document is
• How pages respond to having cookie-based authentication removed
• Whether requests seem to contain non-trivial, sufficiently complex security tokens, or other mechanisms that may make the URL difficult to predict
• Whether any non-trivial parts of the query are echoed back in the response, and in what context
Tool: Mapper
Mapper helps you map the files, file parameters, and values of any site you wish to test
Simply browse the site as a normal user while recording your session with Achilles (Mapper supports other proxies as well), and run Mapper on the resulting log file
It will create an Excel CSV file that allows you to study the directory and file structure of the site, the parameter names of every dynamic page encountered (such as ASP/JSP/CGI), and their values for every time you request them
It helps you to quickly locate design errors and parameters that may be prone to SQL injection or parameter tampering problems
What Happened Next
Kimberly could not solve the mystery behind the hack. Jason Springfield, an ethical hacker, was called in to investigate the case.
Jason conducted a penetration test on the website of XBank4u. The test results exposed a vulnerability in the ShrinkWarp application which could lead to web page defacement.
Summary
Web applications are client/server software applications that interact with users or other systems using HTTP
Attackers may try to deface the website, steal credit card information, inject malicious code, exploit server-side scripting, and so on
Command injection, XSS attacks, SQL injection, cookie snooping, cryptographic interception, and buffer overflow are some of the threats against web applications