SlideShare a Scribd company logo

4 Mapping the Application

Sam Bowne, profile picture
Sam Bowne

The document discusses techniques for mapping web applications to identify security vulnerabilities and attack surfaces. It covers various methods such as automated and user-directed spidering, limitations of web spiders, and tools for discovering hidden content. The document also emphasizes the importance of analyzing the application's behavior, entry points for user input, and server-side functionality to uncover potential weaknesses.

Education
1 of 88
Download to read offline
1
2
Most read
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
CNIT 129S: Securing Web Applications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
Mapping • Enumerate application's content and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
Enumerating Content and Functionality
Web Spiders • Load web page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
Web Application Spiders • Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
Robots.txt • Intended to stop search engine s • May guide spiders to interesting content
Limitations of Automatic Spidering • May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
Limitations of Automatic Spidering • Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
Limitations of Automatic Spidering • Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
Limitations of Automatic Spidering • Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
Limitations of Automatic Spidering • Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
Warning • Spiders may fi nd an administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
User-Directed Spidering • More sophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
Preparing Burp • Launch Burp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
Shopping • In Burp's browser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
Shopping Cart (Not logged in) • At top right, click shopping cart icon to see items
Shopping • In Burp, on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
• Note items in car t • "user" contains only 5 URLs
Logging In • In the Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
• Login event seen in Burp
A
Advantages of User-Directed Spidering • User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
Browser Tools • Chrome's Developer Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
4 Mapping the Application
4 Mapping the Application
Discovering Hidden Content • Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
Discovering Hidden Content • Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
Discovering Hidden Content • Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
Brute-Force Techniques • Suppose user-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
Burp's Brute-Forcer • Burp's brute- forcer is very slow in the free version
Dirb • Good brute-force spidering tool • Included in Kali Linux
B
Inference from Published Content • Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
Other Patterns • Names may use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
More Clues • Search for temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
Burp Pro's Content Discovery
Google's Skip fi sh • Vulnerability scanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
Public Information • Search engines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
Google Advanced Search
Web Server Vulnerabilities • Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
Nikto and Wikto • Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
Example
Functional Paths • Different from old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
Map of Functional Paths
Discovering Hidden Parameters • Try adding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
Analyzing the Application • Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
Key Areas (continued) • Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
Key Areas (continued) • Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
Entry Points for User Input
RESTful URLs
Request Parameters • Normally, google.com?q=duc k • Here are some nonstandard parameter formats
HTTP Headers • User-Agent is used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
HTTP Headers • Applications behind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
Out-of-Band Channels • User data may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
C
Identifying Server-Side Technologies
Banner Grabbing • Banners often leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
HTTP Fingerprinting • httprecon uses subtle clues to identify versions, not just banner s • Link Ch 4h
Wappalyzer • Browser extension
File Extensions • Disclose platform or language
Error Messages
Error Message
File Extension Mappings • Different DLLs may lead to different error messages
OpenText • Vignette is now rebranded as OpenTex t • Link Ch 4i
Directory Names • Indicate technology in use
Session Tokens
Third-Party Code Components • Add common functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
Hack Steps 1. Identify all entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
Hack Steps 4. View HTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
httprint • Not updated since 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
Hack Steps 9. Review names of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
Identifying Server-Side Functionality • .jsp - Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
Identifying Server-Side Functionality • .aspx - Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
Identifying Server-Side Functionality • .php - PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
Identifying Server-Side Functionality • Change action to "edit" or "add " • Try viewing other collections by changing the id number
Extrapolating Application Behavior • An application often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
Extrapolating Application Behavior • If app obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
Error Handling • Some errors may be properly handled and give little information Others may crash and return verbose error information
Google Dorks • Link Ch 4p
4 Mapping the Application
Isolate Unique Application Behavior • App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
Mapping the Attack Surface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
Mapping the Attack Surface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
Mapping the Attack Surface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
Mapping the Attack Surface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
Example • /auth contains authentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
Example • /icons and /images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
D

More Related Content

PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PPTX
Pentesting ReST API
Nutan Kumar Panda
 
PPSX
Broken Authentication & authorization
Sarwar Jahan M
 
Attacking thru HTTP Host header
Sergey Belov
 
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne
 
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
SSRF For Bug Bounties
OWASP Nagpur
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Pentesting ReST API
Nutan Kumar Panda
 
Broken Authentication & authorization
Sarwar Jahan M
 

What's hot (20)

PPT
Cross Site Request Forgery
Tony Bibbs
 
PDF
CNIT 126 6: Recognizing C Code Constructs in Assembly
Sam Bowne
 
PPT
iOS Application Pentesting
n|u - The Open Security Community
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PPTX
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
PPT
Secure code practices
Hina Rawal
 
PPTX
Command injection
penetration Tester
 
PDF
Ch 12 Attacking Users - XSS
Sam Bowne
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
PPT
Hacking web applications
Adeel Javaid
 
PPTX
Brute force-attack presentation
Mahmoud Ibra
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
PDF
CNIT 126 8: Debugging
Sam Bowne
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
PPTX
Deep dive into ssrf
n|u - The Open Security Community
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
PDF
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
PDF
Bug Bounty Secrets
n|u - The Open Security Community
 
PDF
Practical Malware Analysis Ch13
Sam Bowne
 
PDF
Android Security & Penetration Testing
Subho Halder
 
Cross Site Request Forgery
Tony Bibbs
 
CNIT 126 6: Recognizing C Code Constructs in Assembly
Sam Bowne
 
iOS Application Pentesting
n|u - The Open Security Community
 
OWASP API Security Top 10 - API World
42Crunch
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
Secure code practices
Hina Rawal
 
Command injection
penetration Tester
 
Ch 12 Attacking Users - XSS
Sam Bowne
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Hacking web applications
Adeel Javaid
 
Brute force-attack presentation
Mahmoud Ibra
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
CNIT 126 8: Debugging
Sam Bowne
 
Web Application Penetration Testing
Priyanka Aash
 
Deep dive into ssrf
n|u - The Open Security Community
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
Bug Bounty Secrets
n|u - The Open Security Community
 
Practical Malware Analysis Ch13
Sam Bowne
 
Android Security & Penetration Testing
Subho Halder
 
Ad

Similar to 4 Mapping the Application (20)

PDF
CNIT 129S Ch 4: Mapping the Application
Sam Bowne
 
PDF
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 
PPTX
08- pen-testing Web applications attacks.pptx
wassimahmad9
 
PPTX
Burp Suite is a powerful and widely-used tool
waudit1
 
PPT
Hacking web applications
phanleson
 
PDF
TriplePlay-WebAppPenTestingTools
Yury Chemerkin
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PPT
Hack applications
enrizmoore
 
PPT
performing security testing of web applications.web-and- -hacking.ppt
waudit1
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
PPTX
Web application vulnerability assessment
Ravikumar Paghdal
 
PDF
CNIT 129S: 10: Attacking Back-End Components
Sam Bowne
 
PPT
Web Hacking
Information Technology
 
PPTX
Web Hacking With Burp Suite 101
Zack Meyers
 
PDF
Hacking Web Apps by Brent White
EC-Council
 
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
brentwdesign
 
PPT
gofortution
gofortution
 
PPT
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
PDF
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET Journal
 
PDF
Burp suite
Yashar Shahinzadeh
 
CNIT 129S Ch 4: Mapping the Application
Sam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 
08- pen-testing Web applications attacks.pptx
wassimahmad9
 
Burp Suite is a powerful and widely-used tool
waudit1
 
Hacking web applications
phanleson
 
TriplePlay-WebAppPenTestingTools
Yury Chemerkin
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
Hack applications
enrizmoore
 
performing security testing of web applications.web-and- -hacking.ppt
waudit1
 
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Web application vulnerability assessment
Ravikumar Paghdal
 
CNIT 129S: 10: Attacking Back-End Components
Sam Bowne
 
Web Hacking
Information Technology
 
Web Hacking With Burp Suite 101
Zack Meyers
 
Hacking Web Apps by Brent White
EC-Council
 
DEF CON 23 - Hacking Web Apps @brentwdesign
brentwdesign
 
gofortution
gofortution
 
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET Journal
 
Burp suite
Yashar Shahinzadeh
 
Ad

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
8. Software Development Security
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
PDF
6 Scope & 7 Live Data Collection
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 
6 Scope & 7 Live Data Collection
Sam Bowne
 

Recently uploaded (20)

PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
master seminar digital applications in india
ananyaray35
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
master seminar digital applications in india
ananyaray35
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 

4 Mapping the Application

  • 1. CNIT 129S: Securing Web Applications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
  • 2. Mapping • Enumerate application's content and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
  • 4. Web Spiders • Load web page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
  • 5. Web Application Spiders • Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
  • 6. Robots.txt • Intended to stop search engine s • May guide spiders to interesting content
  • 7. Limitations of Automatic Spidering • May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
  • 8. Limitations of Automatic Spidering • Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
  • 9. Limitations of Automatic Spidering • Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
  • 10. Limitations of Automatic Spidering • Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
  • 11. Limitations of Automatic Spidering • Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
  • 12. Warning • Spiders may fi nd an administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
  • 13. User-Directed Spidering • More sophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
  • 14. Preparing Burp • Launch Burp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
  • 15. Shopping • In Burp's browser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
  • 16. Shopping Cart (Not logged in) • At top right, click shopping cart icon to see items
  • 17. Shopping • In Burp, on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
  • 18. • Note items in car t • "user" contains only 5 URLs
  • 19. Logging In • In the Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
  • 21. A
  • 22. Advantages of User-Directed Spidering • User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
  • 23. Browser Tools • Chrome's Developer Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
  • 26. Discovering Hidden Content • Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
  • 27. Discovering Hidden Content • Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
  • 28. Discovering Hidden Content • Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
  • 29. Brute-Force Techniques • Suppose user-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
  • 30. Burp's Brute-Forcer • Burp's brute- forcer is very slow in the free version
  • 31. Dirb • Good brute-force spidering tool • Included in Kali Linux
  • 32. B
  • 33. Inference from Published Content • Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
  • 34. Other Patterns • Names may use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
  • 35. More Clues • Search for temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
  • 37. Google's Skip fi sh • Vulnerability scanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
  • 38. Public Information • Search engines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
  • 40. Web Server Vulnerabilities • Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
  • 41. Nikto and Wikto • Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
  • 43. Functional Paths • Different from old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
  • 45. Discovering Hidden Parameters • Try adding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
  • 46. Analyzing the Application • Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
  • 47. Key Areas (continued) • Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
  • 48. Key Areas (continued) • Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
  • 49. Entry Points for User Input
  • 51. Request Parameters • Normally, google.com?q=duc k • Here are some nonstandard parameter formats
  • 52. HTTP Headers • User-Agent is used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
  • 53. HTTP Headers • Applications behind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
  • 54. Out-of-Band Channels • User data may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
  • 55. C
  • 57. Banner Grabbing • Banners often leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
  • 58. HTTP Fingerprinting • httprecon uses subtle clues to identify versions, not just banner s • Link Ch 4h
  • 60. File Extensions • Disclose platform or language
  • 63. File Extension Mappings • Different DLLs may lead to different error messages
  • 64. OpenText • Vignette is now rebranded as OpenTex t • Link Ch 4i
  • 65. Directory Names • Indicate technology in use
  • 67. Third-Party Code Components • Add common functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
  • 68. Hack Steps 1. Identify all entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
  • 69. Hack Steps 4. View HTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
  • 70. httprint • Not updated since 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
  • 71. Hack Steps 9. Review names of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
  • 72. Identifying Server-Side Functionality • .jsp - Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
  • 73. Identifying Server-Side Functionality • .aspx - Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
  • 74. Identifying Server-Side Functionality • .php - PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
  • 75. Identifying Server-Side Functionality • Change action to "edit" or "add " • Try viewing other collections by changing the id number
  • 76. Extrapolating Application Behavior • An application often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
  • 77. Extrapolating Application Behavior • If app obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
  • 78. Error Handling • Some errors may be properly handled and give little information Others may crash and return verbose error information
  • 81. Isolate Unique Application Behavior • App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
  • 82. Mapping the Attack Surface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
  • 83. Mapping the Attack Surface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
  • 84. Mapping the Attack Surface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
  • 85. Mapping the Attack Surface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
  • 86. Example • /auth contains authentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
  • 87. Example • /icons and /images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
  • 88. D