Web Security

Hacking webservers

Why hack a web server? → accessible via the internet, several attack vectors available, a way to gain access to user accounts

Web server vulnerabilities → server settings, poor user security (weak passwords), applications, misconfigured security settings, no authentication, unpatched servers, unnecessary services, poor file/directory permissions

Results of a successful web hack → access to sensitive data and user accounts, website defacement, launching secondary attacks, compromising other systems

Webserver attacks

– DNS attacks → DNS server hijacking attack (redirects web queries to impostor web servers) and DNS amplification attack (DoS or DDoS)

– HTTP-based attacks → HTTP response splitting attack (inserts content into the HTTP header section, which splits the response into two responses) and HTTP cache poisoning attack (places invalid data in the browser’s cache, so that the browser queries a rogue web server)

– Other attacks: MitM, phishing, password cracking, SQL injection, application-based attacks, web server misconfiguration

Attack methodology

Different methods:

– Information

– Mirroring:
Tools → wget, HTTrack, rsync, BlackWidow, WebCopier

– Vulnerability Scanning:
Tools → Scan My Server, SUCURI, Detectify, Web Inspector, SiteGuarding

– Session Hijacking:
Techniques → cross-site scripting, sidejacking, session fixation, malware
Examples → Firesheep, WhatsApp sniffer, CookieCadger
Tools → Firesheep, CookieCatcher, Wireshark, Burp Suite, JHijack

– Password Hacking

Countermeasures

– Maintaining patches
– Securing the web server
– Monitoring the web server for changes (use a tool such as WebsiteCDS)
– General policies → pay attention to file permissions, audit your system (check the log files), check session ID tracking, make use of ACLs, try to make your machine stand alone, be careful with scripts, keep the DB secure

System patch management

Patching Policies:

Tools to patch your system: GFI LanGuard, Secunia CSI, MaaS360 Patch Analyzer, Security Manager Plus, Prism Suite, Microsoft Baseline Security Analyzer

Security tools

  • Scanners → Nscan, SAINTscanner, N-Stalker
  • Compliance → NetIQ, Retina CS
  • Testing → WebInspect, W3af

Hacking Web Applications

Vectors for attacking a web application: unvalidated input, form tampering, directory traversal, misconfiguration, XSS

A web application injection gives the attacker access to the “back end” of the web application. There are several types: LDAP, file, XML, XPath, OS command, HTML and SQL injection.

Some additional web application attacks: CSRF, DoS, cookie poisoning, session poisoning, session fixation, buffer overflow, storage, error handling, transport layer, redirects, CAPTCHA and authentication.

Web Application methodology:

– Footprinting and analysis (13.2 & 13.3)
1) Determine server type → tool: whois
2) Discover web services → tool: DNS interrogation
3) Extract server info → tool: port scanning
4) Discover hidden content (content not reachable through a visible web link) → found by brute-force probing or spidering
5) Footprinting the web server itself → tools: Nessus, HP WebInspect, Acunetix Web Vulnerability Scanner

– Authentication process (13.4) → several possible weak spots:

– user account names → an attacker can gather info from the contents of error messages; be aware of common names → an attacker can gain info by brute force (using a user name dictionary)

– passwords → weak spots: password guessing, common passwords, “remember me”; it is recommended to change passwords

– cookies → a stolen cookie can provide the user name and password → tools: Burp Suite, Zed Attack Proxy

– the session itself

– Session process (13.5) → attack methods: token generation (prediction or tampering) and token handling (session replay, session hijacking and MitM attack)

– Injection attack

– Data (trying to access the DB) (13.6) → web applications often connect to backend DB software that can contain sensitive data. An attacker can gain access to the DB in order to steal or modify data, or to block access to the DB itself.

Methods:

  • connection pool DoS (block the access)
  • connection string injection (pass information into the DB in order to gain access to it)
  • connection string parameter pollution (modify existing DB parameters)
  • Client (try to attack the client side)
  • Services

Web Application security tools

1) Vulnerability scanners

2) Full Audit and testing

3) Other tools: x5s, SPIKE Proxy, Ratproxy, Web Site Security Audit, VampireScan, N-Stalker

Penetration testing techniques

  1. Probe the system
  2. Test the system
  3. Probe authentication
  4. Session management
  5. Test data validation

SQL injection

SQLi is when an attacker executes malicious SQL statements against your database; these statements are also called the “malicious payload”.

SQLi attacks are used for:

  • Bypass authentication
  • Retrieve DB contents
  • Modify DB contents
  • Deface websites

Attacks using SQLi

Three categories of attacks:

  • 1st order attacks → the payload is inserted directly and the code is executed immediately
  • 2nd order attacks → the payload is stored in the DB and later executed by another application
  • Lateral injection attacks → use the TO_CHAR() function to inject the payload

Several attack methods:
Tautology → inject conditional statements into parameters so that they always evaluate to “true”. Often used to bypass authentication (for example setting user_id and password to ‘a’ OR ‘1=1’)
Illegal/logically incorrect queries → gain info about the backend DB for later use: inject illegal queries to produce error messages and find useful info in those messages
UNION query → inject a UNION command to obtain a second table of data beyond the legitimate one returned by the first SELECT
Stored procedure → execute procedures stored in the DB (often possible if you know the DB type). The procedure can be run after the semicolon character: SELECT legitimate-commands; PROCEDURE
End of line comment → append “--” to the malicious code to disable any legitimate code that follows
Time-based → use WAITFOR statements to determine from the response times whether an operation was successful
Boolean exploitation → inject statements that evaluate to true or false; the results tell you whether the injection was successful

Methodology

Steps:

  1. Gather information: probe the application for its DB connection, attempt SQLi to generate errors (from these you can determine the DB engine, functionality, acceptable commands, data types and structure), insert a string where a number is expected, try to use UNION statements
  2. Launch simple attacks: try UNION statements, stored procedure, try to bypass logins, blind SQLi
  3. Launch advanced attacks: data enumeration, create accounts, gather passwords, execute OS commands, access the file system

SQLi tools

SQLmap → detects injection flaws
SQLninja → used to gain remote access to the DB (it can be integrated with Metasploit)
Safe3 SQLinjector → supports both HTTP and HTTPS and multiple authentication methods
Other tools:

SQLi defense methods

  • Turn off error messages or use customized ones
  • Filter data input
  • Monitor all access attempts
  • Limit DB accounts access
  • Run operations as non-privileged user
  • Verify all data for size and type
  • Reject comments and binary data
  • Limit access to sensitive data
  • Use hashed passwords in the DB
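As an added example (not from the original notes), the tautology from the attack-methods list is run against a login query built by string concatenation, beside the parameterised, hashed-password form that the defence list above calls for. The in-memory SQLite tables, the user “alice” and her password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database for the demonstration; no real application behind it.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
conn.execute("CREATE TABLE users (username TEXT, pw_hash BLOB, salt BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256, so the DB never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = os.urandom(16)
conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("alice", "correct horse"))
conn.execute("INSERT INTO users VALUES (?, ?, ?)",
             ("alice", hash_password("correct horse", SALT), SALT))

def login_vulnerable(username: str, password: str) -> bool:
    # The query text is built by concatenation, so a tautology in either
    # field turns the WHERE clause into one that is true for every row.
    sql = ("SELECT 1 FROM legacy_users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_hardened(username: str, password: str) -> bool:
    # Bound parameters: the driver passes the input as data, never as SQL text,
    # and the password is checked against its stored salted hash.
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    stored_hash, salt = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

# The notes' tautology, with a leading quote so it closes the open string literal.
TAUTOLOGY = "a' OR '1'='1"

if __name__ == "__main__":
    print(login_vulnerable("alice", "correct horse"))  # True: real credentials
    print(login_vulnerable(TAUTOLOGY, TAUTOLOGY))       # True: authentication bypassed
    print(login_hardened("alice", "correct horse"))    # True
    print(login_hardened(TAUTOLOGY, TAUTOLOGY))         # False: input is treated as a plain string
```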

SQLi detection tools

  • dotDefender, snort, SQLiX Project
  • Others:

 
