08- pen-testing Web applications attacks.pptx
- 1. Penetration Testing V2.0 06- Web Application Attack by Dr. Eng. Wassim Ahmad PhD in Information Security CEH, MCSE, IT AUDITING AND SECURITY CONSULTANT Certified National Trainer, Certified Trainer from UN
- 3. Web application attacks In this module, we will focus on the identification and exploitation of common web application vulnerabilities. Modern development frameworks and hosting solutions have simplified the process of building and deploying web-based applications. However, these applications usually expose a large attack surface because of a lack of mature application code, multiple dependencies, and insecure server configurations. Web applications can be written in a variety of programming languages and frameworks, each of which can introduce specific types of vulnerabilities. However, the most common vulnerabilities are similar in concept, regardless of the underlying technology stack. In this module, we will discuss web application vulnerability enumeration and exploitation based on OWASP TOP 10: https://owasp.org/www-project-top-ten/ .
- 4. Web Application Enumeration It is important to identify the components that make up a web application before attempting to blindly exploit it. Before launching any attacks on a web application, we should attempt to discover the technology stack in use, which generally consists of the following components: Programming language and frameworks Web server software Database software Server operating system There are several techniques that we can use to gather this information directly from the browser. Most modern browsers include developer tools that can assist in the enumeration process. We will be focusing on Firefox since it is the default browser in Kali Linux. However, most browsers include similar developer tools.
- 5. Web Application Enumeration Inspecting Page Content: most context clues can be found in the source of the web page. The Firefox Debugger tool (found in the Web Developer menu or by pressing Ctrl+Shift+K) displays the page’s resources and content. The Debugger tool may display JavaScript frameworks, hidden input fields, comments, client-side controls within HTML, JavaScript, and much more. Try with www.megacorpone.com: it uses jQuery version 1.11.0, a common JavaScript library. In this case, the developer minified the code, making it more compact and conserving resources but making it somewhat difficult to read. Fortunately, we can “prettify” code within Firefox by clicking on the Pretty print source button with the double curly braces{}. After clicking the icon, Firefox will display the code in a format that is easier to read and follow. We can also use the Inspector tool to drill down into specific page content. Let’s use Inspector to examine the email input element from the “Contact” page by right-clicking the email address field on the page and selecting Inspect Element
- 6. Web Application Enumeration Viewing Response Headers: We can also search server responses for additional information. There are two types of tools we can use to accomplish this task. The first type of tool is a proxy, which intercepts requests and responses between a client and a webserver. We will explore proxies later in this module, but first we will explore the Network tool, launched from the Firefox Web Developer menu, to view HTTP requests and responses. This tool shows network activity that occurs after it launches, so we must refresh the page to see traffic. We can click on a request to get more details about it, in this case the response headers The “Server” header displayed above will often reveal at least the name of the web server software. In many default configurations, it also reveals the version number. Headers that start with “X-” are non-standard HTTP headers.The names or values often reveal additional information about the technology stack used by the application. Some examples of non-standard headers include X-Powered-By, x-amz-cf-id, and X-Aspnet- Version. Further research into these names could reveal additional information, such as the “x-amz-cf-id” header, which indicates the application uses Amazon CloudFront.
- 7. Web Application Enumeration Inspecting Sitemaps: Web applications can include sitemap files to help search engine bots crawl and index their sites. These files also include directives of which URLs not to crawl. These are usually sensitive pages or administrative consoles–exactly the sort of pages we are interested in. The two most common sitemap filenames are robots.txt and sitemap.xml. For example, we can retrieve the robots.txt file from www.google.com with curl: $ curl https://www.google.com/robots.txt Locating Administration Consoles: Web servers often ship with remote administration web applications, or consoles, which are accessible via a particular URL and often listening on a specific TCP port. Two common examples are the manager application for Tomcat and phpMyAdmin for MySQL hosted at /manager/html and /phpmyadmin respectively.
- 8. Web Application Assessment Tools DIRB is a web content scanner that uses a wordlist to find directories and pages by issuing requests to the server. DIRB can identify valid web pages on a web server even if the main index page is missing. $ dirb http://www.megacorpone.com -r -z 10 -r to scan non-recursively, and -z 10 to add a 10 millisecond delay to each request. Burp Suite :is a GUI-based collection of tools geared towards web application security testing, arguably best-known as a powerful proxy tool. While the free Community Edition mainly contains tools used in manual testing, the commercial versions include additional features, including a formidable web application vulnerability scanner. Let’s start with the Proxy tool. With this tool, we can intercept any request sent from the browser before it is passed on to the server. We can change almost anything about the request at this point, such as parameter names, form values, or adding new headers. This lets us test how an application handles unexpected arbitrary input.
- 9. Web Application Assessment Tools DIRB is a web content scanner that uses a wordlist to find directories and pages by issuing requests to the server. DIRB can identify valid web pages on a web server even if the main index page is missing. $ dirb http://www.megacorpone.com -r -z 10 -r to scan non-recursively, and -z 10 to add a 10 millisecond delay to each request. Burp Suite :is a GUI-based collection of tools geared towards web application security testing, arguably best-known as a powerful proxy tool. While the free Community Edition mainly contains tools used in manual testing, the commercial versions include additional features, including a formidable web application vulnerability scanner. Let’s start with the Proxy tool. With this tool, we can intercept any request sent from the browser before it is passed on to the server. We can change almost anything about the request at this point, such as parameter names, form values, or adding new headers. This lets us test how an application handles unexpected arbitrary input.
- 10. Web Application Assessment Tools Burp Suite: after setting up proxy IP and port on Burp, we need to setup the browser proxy. We can use FoxyProxy basic, which is simple on/off proxy “switcher” from the add- ons (menu). Try intercept on and off. For tls/ssl connections, we can export and install burp certificate into the browser as trusted CA. the Repeater tool, we can easily modify requests, resend them, and review the responses. To see this in action, we can right-click a request from Proxy > HTTP History and select Send to Repeater. Finally, the Intruder tool is very powerful for pentesting. Nikto: is a highly configurable Open Source web server scanner that tests for thousands of dangerous files and programs, vulnerable server versions and various server configuration issues. $ nikto -host=http://www.megacorpone.com -maxtime=60s
- 11. Exploiting Web-based Vulnerabilities Exploiting Admin Consoles: Once we’ve located an admin console, the simplest “exploit” is to just log into it. We may attempt default username/password pairs, use enumerated information to guess working credentials, or attempt brute force. To demonstrate this, we will work though an example of an attack against a poorly- configured admin console installed on our Windows 10 target. To begin, we will and set up the Windows 10 target by download, install and open the XAMPP Control panel and clicking Start for both Apache and MySQL. From Kali: $ dirb http://Windows-IP –r We may find: http://Windows-IP/phpmyadmin ,an administration tool for MySQL databases, which is particularly interesting.
- 12. 12 Wrapping up In this module, we took an introductory look at a few popular Linux command line programs. Remember to refer to the Kali Linux Training site for a refresher or more in-depth discussion.