Presentation on theme: "Ethical Hacking Module XII Web Application Vulnerabilities."— Presentation transcript:
Ethical Hacking Module XII Web Application Vulnerabilities
EC-Council Module Objective Understanding Web Application Security Common Web Application Security Vulnerabilities Web Application Penetration Methodologies Input Manipulation Authentication And Session Management Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth Countermeasures
EC-Council Understanding Web Application Security Firewall Database Web App Scripts Web Server User
EC-Council Web Application Penetration Methodologies Information Gathering and Discovery Documenting Application / Site Map Identifiable Characteristics / Fingerprinting Signature Error and Response Codes File / Application Enumeration –Forced Browsing – Hidden Files – Vulnerable CGIs –Sample Files Input/Output Client-Side Data Manipulation
EC-Council Hacking Tool: Instant Source Instant Source lets you take a look at a web page's source code, to see how things are done. Also, you can edit HTML directly inside Internet Explorer! The program integrates into Internet Explorer and opens a new toolbar window which instantly displays the source code for whatever part of the page you select in the browser window.
EC-Council Hacking Tool: Lynx Lynx is a text-based browser used for downloading source files and directory links.
EC-Council Hacking Tool: Wget Wget is a command line tool for Windows and Unix that will download the contents of a web site. It works non-interactively, so it will work in the background, after having logged off. Wget works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded. Both http and ftp retrievals can be time stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has.
EC-Council Hacking Tool: Black Widow Black widow is a website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program. Use it to scan a site and create a complete profile of the site's structure, files, E- mail addresses, external links and even link errors.
EC-Council Hacking Tool: WebSleuth WebSleuth is an excellent tool that combines spidering with the capability of a personal proxy such as Achilles.
EC-Council Hidden Field Manipulation Hidden fields are embedded within HTML forms to maintain values that will be sent back to the server. Hidden fields serve as a mean for the web application to pass information between different applications. Using this method, an application may pass the data without saving it to a common backend system (typically a database.) A major assumption about the hidden fields is that since they are non visible (i.e. hidden) they will not be viewed or changed by the client. Web attacks challenge this assumption by examining the HTML code of the page and changing the request (usually a POST request) going to the server. By changing the value the entire logic between the different application parts, the application is damaged and manipulated to the new value.
EC-Council Authentication And Session Management Brute/Reverse Force Session Hijacking Session Replay Session Forgoing Page Sequencing
EC-Council Traditional XSS Web Application Hijack Scenario - Cookie stealing User is logged on to a web application and the session is currently active. An attacker knows of a XSS hole that affects that application. The user receives a malicious XSS link via an or comes across it on a web page. In some cases an attacker can even insert it into web content (e.g. guest book, banner, etc,) and make it load automatically without requiring user intervention.
EC-Council XSS Countermeasures As a web application user, there are a few ways to protect yourselves from XSS attacks. The first and the most effective solution is to disable all scripting language support in your browser and reader. If this is not a feasible option for business reasons, another recommendation is to use reasonable caution while clicking links in anonymous s and dubious web pages. Proxy servers can help filter out malicious scripting in HTML.
EC-Council Buffer Overflow in WINHLP32.EXE A buffer-overrun vulnerability in WINHLP32.EXE could result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the Item parameter within WinHLP Command. This exploit would execute in the security context of the currently logged on user. Microsoft has released Windows 2000 Service Pack 3 (SP3), which includes a fix for this vulnerability.
EC-Council Hacking Tool: Helpme2.pl Helpme2.pl is an exploit code for WinHelp32.exe Remote Buffer Overrun vulnerability. This tool generates an HTML file with a given hidden command. When this HTML file is sent to a victim through e mail, it infects the victim's computer and executes the hidden code.
EC-Council Hacking Tool: IEEN IEEN remotely controls Internet Explorer using DCOM. If you knew the account name and the password of a remote machine, you can remotely control the software component on it using DCOM. For example Internet Explorer is one of the soft wares that can be controlled.
EC-Council Summary Attacking web applications is the easiest way to compromise hosts, networks and users. Generally nobody notices web application penetration, until serious damage has been done. Web application vulnerability can be eliminated to a great extent ensuring proper design specifications and coding practices as well as implementing common security procedures. Various tools help the attacker to view the source codes and scan for security holes. The first rule in web application development from a security standpoint is not to rely on the client side data for critical processes. Using an encrypted session such as SSL / secure cookies are advocated instead of using hidden fields, which are easily manipulated by attackers. A cross-site scripting vulnerability is caused by the failure of a web based application to validate user supplied input before returning it to the client system. If the application accepts only expected input, then the XSS can be significantly reduced.