Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Hacker’s Toolkit

Published byAbigayle Hubbard Modified over 6 years ago

Similar presentations

Presentation on theme: "Web Application Hacker’s Toolkit"— Presentation transcript:

1 Web Application Hacker’s Toolkit
Computer Science and Engineering

2 Computer Science and Engineering
Review Web Applications characteristics Computer Science and Engineering

3 Computer Science and Engineering
Functionality Server side technologies: Scripting languages Web application platform Web server software Databases Back-end components Client-side technologies: Browser Extension technologies Computer Science and Engineering

4 Application Characteristics
Understand what application does and how it behaves Content Functionality Find out: Application behavior Core security mechanisms Technologies being used Computer Science and Engineering

5 Enumerating Content and Functionality
Manual vs. automated browsing Walk through the application Follow every link Navigate through multistage functions Web spidering Tools to follow all links until no new content is found Can parse static HTML, multi-stage functionality, form-based navigation, client-side JavaScript Computer Science and Engineering

6 Computer Science and Engineering
Automated Spidering E.g., Burp Spider, WebScarab General limitations: Cannot handle dynamically created menus Limited depth to find links May fail input validation for multistage functionality Unique content is identified by URL  not good for form-based navigation May fail authentication session Computer Science and Engineering

7 User Directed Spidering
User walks through the application and uses a spider to collect and analyze findings Good for Unusual or complex navigation needs User control of input data User can login to application and pass authentication User can decide on requested functions Computer Science and Engineering

8 Computer Science and Engineering
Application Hacking Computer Science and Engineering

9 Computer Science and Engineering
Hacking Steps 1. Configure browser to use spider Browse the application normally Visit every link Proceed through multi-stage functions JavaScrip enabled/disabled; cookies enabled/disabled Review site map to identify non-visited content Do an automated spidering Computer Science and Engineering

10 Discovering Hidden Content
Not directly linked to or reachable from the main page E.g., testing and debugging content, different functionality for different types of users, backup copies, archives, old version of files, default application functionality, log files, etc. Added attack points, sensitive content, etc. Automated, brute-force attack: Burp Intruder WebscarabTutorial – Computer Science and Engineering

11 Computer Science and Engineering
Hacking Steps 2 Make unusual requests and identify response Use site map to identify hidden content Use brute-force attacks to identify how application handles requests Manually review responses Inferencing from published content (e.g., naming) Compile list of names of subdirectories Identify naming schemes, file extensions Review all client side code Look at temporary files Computer Science and Engineering

12 Use Public Information
Find old resources Search Engines: Advanced Search: resource, login, links, related Google domains Omitted results Cashed versions Other domains of the same organization Web archives, e.g., WayBack Machine Computer Science and Engineering

13 Web Server Vulnerabilities
Web server software vulnerability Default content Sample and diagnostic scripts Standard functionality Wikto: a tool that checks for flaws in web servers Nikto: checks for potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems, configuration issues, etc.   Computer Science and Engineering

14 Computer Science and Engineering
Additional Mappings Functional paths URL query parameters Discovering Hidden Parameters Try default parameter names, e.g, debug, test, hide, etc. Monitor responses to identify anomalies Analyzing Applications Functionality, behavior, security Server side functionality Computer Science and Engineering

15 Mapping the Attack Surface
Use the results of the analysis to find vulnerabilities Computer Science and Engineering

16 Easy picking: @ Hidden symbol in URL
Change IP address (only the info to the right is used) Browser vulnerability “You are about to log in to the site “cse.sc.edu” with the username “farkas”, but the website does not require authentication. This may be an attempt to trick you.” Twitter – executable JavaScript

17 Who is at risk? Client: browsers Complex systems Plug-ins, extensions
Server authentication JavaScript and paid ads  ease of propagating malicious code Never trust a client on the server side Never trust a browser on the client side

18 Improve client security
Install patches to the browser Update commonly used plug-ins Eliminate unused plug-ins Heed your browser warnings Make antivirus software watch browser and downloads Clear history, stored files, and cookies If a file is not signed and trusted, don’t download it

19 Improve server side security
Never execute client input as code Never allow client input to pass into the system without validating it internally Scrub client input for any known exploits and suspect characters Keep a layer of indirection between client input received and the system Manage sessions from inside the trust boundary and not on the client side Never encode secrets of functional variables in information sent to the clies.

20 Web Application Vulnerabilities
Computer Science and Engineering

21 Ways of Attacking Applications
Use of a web browser only Use of an intercepting web proxy Use of a standalone application scanner Computer Science and Engineering

22 Computer Science and Engineering
Declining number of users but still the leader Native support for ActiveX control Must work with Windows platform Anti-XSS filter with IE 8 Extensions: HttpWatch: analyzes HTTP requests and responses, details of headers, cookies, URLs, request parameters, HTTP status codes, and redirect Computer Science and Engineering

23 Integrated Testing Suits
Intercepting proxy Achilles proxy: early, basic proxy, standalone application, displayed each request and response for editing Modern proxies: Highly functional tool suits Several interconnected tools to facilitate common tasks of attacks Useful for both defense and offense Computer Science and Engineering

24 Computer Science and Engineering
Some of the Tools Differ widely in their functionalities The best one: Burp Suite Others: WebScarab Paros Zed Attack Proxy Andiparos Fiddler Etc. Computer Science and Engineering

25 Computer Science and Engineering
How the Tools Work Several complementary tools that share information about the target application IE Target application Attacker Toolkit: monitors interaction between the attacker and the target application. Stores all requests and responses and all details about the target application. Computer Science and Engineering

26 Computer Science and Engineering
1. Intercepting Proxies Basic HTTP messages: Intercepting proxy acts as a normal web proxy Proxy CONNECT IE The web browser send the hostname of the application. The proxy resolves the corresponding IP address and converts the request to a non-proxy equivalent message. Attacker Computer Science and Engineering

27 Computer Science and Engineering
Toolkit Elements An intercepting proxy A web application spider A customizable web application fuzzer A vulnerability scanner A manual request tool Functions for analyzing session cookies and tokens Other functions and utilities Computer Science and Engineering

28 Computer Science and Engineering
1. Intercepting Proxies Must configure the attacker’s browser to use an intercepting proxy (listen at a specified port) Can be easily configured for the 3 most popular browsers If you are using a thick client and cannot configure a proxy you need to modify the OS files to resolve the hostname used by the application to allow the proxy to listen on this communication Computer Science and Engineering

29 1. Normal Web Proxy HTTPS messages Proxy IE After the connection was
SSL handshake After the connection was established, the proxy acts as a TCP-level relay between the client and the application. Client Computer Science and Engineering Computer Science and Engineering 29

30 Watch Webscarab Tutorial https://www.youtube.com/watch?v=UD6qGXw9JIo
Computer Science and Engineering

31 1. Intercepting Proxy HTTPS messages Proxy IE After the connection was
SSL handshake SSL handshake After the connection was established, the proxy acts as a TCP-level relay between the client and the application. Attacker Computer Science and Engineering Computer Science and Engineering Computer Science and Engineering 31 31

32 Computer Science and Engineering
SSL Handshake Phase 1 C  S: CLIENTHELLO S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH S  C: CHANGECIPHERSPEC Security capabilities Phase 2 Optional server messages Phase 3 Client key exchange Phase 4 Change cipher suite 32 Computer Science and Engineering

33 Computer Science and Engineering
Fake Certificates Proxies certificate may not be accepted Cross-domain requests Users’ trust Burp Suite: generates a unique CA certificate for the current user. Use this to generate new certificates for the proxy. Computer Science and Engineering

34 Common features of the Intercepting Proxies
Fine-grained intercepting rules Detailed history of all requests and responses Automated match and replace rules for dynamic modification of the requests and responses Access to proxy’s functionality within the web browser Utilities Computer Science and Engineering

35 2. Web Application Spider
Share data with intercepting proxies Manual spidering followed by automated spidering Challenges: Form-based navigation JavaScript enabled navigation Multistage functions Authentication and sessions Parameter-based identifications Tokens and cookies Computer Science and Engineering

36 Common Functionalities of Web Spiders
Automatic update or the site map based on data supplied by the proxy Parsing proxy data for links Fine-grained control over the scope of spidering Automatic parsing and analysis of HTML forms, scripts, comments, images Automated and user-guided submission of forms Automatic retrieval of the root of all enumerated directories Computer Science and Engineering

37 3. Web Application Fuzzers
Use automation to perform common attack tasks Common features: Manually configured probing for common vulnerabilities A set of built-in payload and functions to generate arbitrary payload Save attack results and response data Customizable functions for viewing and analyzing responses Functions tor extracting useful data from the applications Computer Science and Engineering

38 4. Web Application Vulnerability Scanners
Passive scanning: monitoring the requests and responses passing through the local proxy Detect vulnerabilities: clear text password, incorrect cookie, etc Non-invasive, often used for penetration testing Active scanning: sending new requests to the target application To tests for XSS vulnerability, HTTP header injection, etc. Can be potentially dangerous Computer Science and Engineering

39 Computer Science and Engineering
5. Manual request Tools Functionality to issue a single request and view its response Can be very useful when need slight modification of the request based on the responses Can be both standalone tool and web browser-based Common features: Integration with other suit components Keep record on all requests and responses Multitabbed interface: handle multiple items Computer Science and Engineering

40 6. Session Token Analyzer
Randomness of session cookies Burp Sequencer: standard statistical tests Computer Science and Engineering

41 Computer Science and Engineering
Testing Workflow Recon and analysis Confirm vulnerabilities Browser Interc. Proxy Spider active Passive scanning passive Content Disc. P. history Site map Scanner Repeater Fuzzer Token analyzer Vulnerability detection and exploitation Vulnerabilities Computer Science and Engineering

42 Alternatives to Intercepting Proxies
Non-traditional applications Cannot use proxy Browser extensions Extend functionality Does not interfere with the network-layer communication between the server and the browser Allows to submit arbitrary request to the application Computer Science and Engineering

43 Computer Science and Engineering
Methodology Recon and analysis Map application content Analyze application Analysis Application logic: test client side controls and for logic flaws Access handling: test authentication, session management, access control Input handling: fuzz all parameters, test specific functionalities Application hosting: test for shared hosting issues, test the web server Miscellaneous checks Information leakage Computer Science and Engineering

44 Computer Science and Engineering
Next Class XSS vulnerabilities Google Gruyere Overview Computer Science and Engineering

Download ppt "Web Application Hacker’s Toolkit"

Similar presentations

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Computer Science and Engineering 1 Web Application Hacker’s Toolkit.

Computer Science and Engineering 1 Web Application Hacker’s Toolkit.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

Similar presentations

Ads by Google