====== Hacking - Web Vulnerability Assessment Methodologies ======
===== Risk, Threats and Vulnerabilities =====
**Threat** is a party with the intent and capability to exploit a vulnerability in an asset. This could be a malicious hacker or a disgruntled employee.
A **vulnerability** is a weakness in an asset that can be exploited. For example, the security hole in the Microsoft WMF (Windows Meta File) format is a vulnerability.
**Risk** is the probability of harmful consequences resulting from interactions between threats and vulnerable assets. Conventionally, risk is expressed by the relation:
Risk = Severity x Likelihood
* **Severity:** If an asset or control gets compromised, what kind of information or access does the attacker get? Grabbing banners or listing directories is rated less severe than, for example, gaining administrative access to the system.
* **Likelihood:** How likely is it that this will happen? For a vulnerability, how easy is it to find and exploit? A published exploit or a worm using this vulnerability to spread increases the likelihood compared to a vulnerability which is hard to exploit and requires a lot of insider information. In short: how skilled must the threat be to exploit the asset?
===== Profiling the Platform =====
* Port Scanning and Service Identification
* Vulnerability Scanning
When you do a security assessment of a website you should start with profiling the server. By knowing what the server is running you can better target your tests. It will also cover any low-hanging fruit a malicious attacker might exploit.
===== Profiling the Application =====
* Enumerate the Directory Structure and Files
* Identify Authentication Mechanism
* Identify Authorization Mechanism
* Identify All “Support” Files
* Identify All Include Files
* Enumerate All Forms
* Enumerate All GET Parameters
* Identify Vectors for Directory Attacks
* Identify Areas that Provide File Upload Capability
* Identify Errors
* Determine Which Pages Require SSL
===== Web Application Assessment Tools =====
* Web Browser
* Man-in-the-middle HTTP / HTTPS proxy
* Enumeration and fuzzer software
* Encoders / Decoders
For any web application assessment you need a few tools: a web browser to interact with the application in question, a man-in-the-middle intercepting HTTP/HTTPS proxy, various enumeration and fuzzer software and optionally, but very likely, some software to help you encode and decode the various encodings you will encounter.
Fuzz testing is a software testing technique that provides random data to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.
===== A Word About Web Browsers =====
If your browser is not supported you might miss functionality in the application due to incompatible browser optimizations or functionality.
You don't want to end up in a situation where a particular usability bug manifests itself using an "unsupported" browser and you have to re-validate the bug using a "supported" browser.
Having said that, there have been occasions where an unsupported browser has uncovered bugs in the targeted application.
===== Man-in-the-middle HTTP / HTTPS proxy =====
One can argue that the most important and useful tool to have in your web application kit is the intercepting man-in-the-middle proxy.
This piece of software allows you to inspect and modify any data sent to or received from the web application.
This allows you, for example, to send requests that would not have passed any browser-based verification.
===== Web Application Attacks =====
* Generic Input Validation
* Character Encoding
* Alternate Request Methods
* SQL Injection
* Cross-Site Scripting
===== Generic Input Validation =====
* Hidden fields modification
* Unchecked email
===== Source Disclosure =====
* Source should be kept secure.
===== Character Encoding =====
URL Encoding (Escaped Characters)
^ Class ^ Characters ^
| Alphanumeric | a-z A-Z 0-9 |
| Reserved | ; / ? : @ & = + $ , |
| Marks | - _ . ! ~ * ' ( ) |
| Space | 0x20 (ASCII hexadecimal value) |
| Delimiters | < > # % " |
| Unwise | { } %%|%% \ ^ [ ] ` |
| Unicode | |
===== Alternate Request Methods =====
* OPTIONS
* BROWSE
* CONNECT
* COPY
* DELETE
* HEAD
* LOCK
* MKCOL
===== SQL Injection =====
* SELECT Statement Manipulation
* Retrieve Arbitrary Data with SELECT plus UNION
* Use INSERT to Modify Data
* Salient Information for Common Databases
^ Server ^ Default Accounts ^ View Users ^ Useful Variables ^
| Microsoft SQL Server | sa / | EXEC master..sp_who2; EXEC master..xp_loginconfig; SELECT * FROM sysusers; SELECT * FROM syslogins; | EXEC xp_msver; @@servername; @@version |
| MySQL | root / | SELECT host,user,password FROM user; | SHOW VARIABLES; @@version |
| Oracle | internal / oracle, oracle / oracle, Scott / tiger, sys / Change_on_install, system / manager, others* | SELECT A.USERNAME, A.PASSWORD FROM SYS.DBA_USERS A; | SHOW PARAMETERS |
| PostgreSQL | postgres / (must be defined) | SELECT * FROM pg_shadow; SELECT * FROM pg_group; | |
==== Common SQL Injection Strings ====
^ Raw String ^ URL Encoded Version ^ Effect ^
| ' | %27 | Initial test. If this generates an error, then the application is vulnerable to SQL injection. |
| % or %% | %25 or %25%25 | Represents a wild card. Can be used to retrieve multiple rows as opposed to a single value. |
| ';-- or ;-- | %27%3b%2d%2d or %3b%2d%2d | SQL comment. Use this to truncate a statement so that further SQL syntax within the statement is ignored. |
==== Database Specific Notes ====
=== Microsoft SQL Server ===
The easiest method to identify a potentially vulnerable application that uses an MSSQL back-end is to insert a single quote (') into URL parameters (or any/all input boxes). Examine the output, HTML source, or even the URL parameters for a tell-tale sign.
=== Oracle ===
Oracle supports comments delimited by the double-dash as well as C-style syntax.
SELECT * FROM table /* this comment is ignored */ WHERE foo = 'bar';
For database enumeration: SQL> show user; USER is "SYS"
=== MySQL ===
Comments in MySQL:
* Double-dash (--) requires a space (%20) immediately after
* Hash (#)
* C-style comments (/* comment */)
Read from the file system (at the mysql> prompt):
CREATE TABLE foo (bar TEXT);
LOAD DATA INFILE '/etc/passwd' INTO TABLE foo;
SELECT * FROM foo;
SELECT * FROM employees INTO OUTFILE '/tmp/foo';
or
https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+employees+INTO+OUTFILE+%27%2ftmp%2f..%08%27;
=== PostgreSQL ===
Does NOT:
* Support file input
* Support file output
* Support UNION
* Have the immediate command execution vulnerabilities of a database like Microsoft SQL Server.
BUT file read/write access is still available using the COPY statement.
=== Putting It Together ===
* Identify a vulnerable parameter.
* Examine errors for indicators of a SQL injection.
* Examine errors for information on database, table, and column names.
* Query standard variables for the type of database.
* Determine system-specific users.
* Determine database-specific users.
* Determine application-specific users.
* Query standard database objects
* Record available databases, tables, columns, and known row values.
* Query arbitrary data from application tables.
* Use OR TRUE=TRUE commands to bypass authentication.
* Insert arbitrary data into standard database tables.
* Insert arbitrary data into application tables.
* Attempt to read and write files on the operating system.
* Execute arbitrary commands on the database’s host operating system
* Send files to an FTP, HTTP, TFTP server or netcat listener.
* Write files to the web document root.
* Overwrite important configuration files.
* Denial of service
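The single-quote probe and the OR TRUE=TRUE bypass from the list above, shown against a query built by string concatenation next to the parameterised form that defeats both. This is an added example, not code from the page; it uses an in-memory SQLite database with a constructed users table (1=1 stands in for TRUE=TRUE so it runs on older SQLite builds).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by concatenation: untrusted input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes input as data, never as syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def single_quote_probe(login, conn: sqlite3.Connection) -> bool:
    """The page's initial test: does a lone single quote raise a database error?"""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1--"  # truncates the rest of the statement with a SQL comment
    print("concatenated query, bypass accepted:", login_vulnerable(db, "alice", bypass))
    print("parameterised query, bypass accepted:", login_safe(db, "alice", bypass))
    print("single quote raises error (vulnerable):", single_quote_probe(login_vulnerable, db))
    print("single quote raises error (safe):", single_quote_probe(login_safe, db))
```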
==== SQL Injection ====
* Numeric SQL Injection
* Blind SQL Injection
* String SQL Injection
===== Cross Site Scripting =====
Testing for Cross Site Scripting
Filtering for '<' and '>' on input is not enough; it can easily be bypassed with encoding:
%3cscript%3ealert(document%2ecookie)%3cscript%3e
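The URL encoding table above and the encoded payload just quoted, worked through in code: the input is decoded to its canonical form before the '<' / '>' check runs, so the encoded (and double-encoded) forms are caught. This is an added example, not from the page; the character classes are copied from the table, and the "Control" label for remaining ASCII characters is my own.

```python
from urllib.parse import unquote

# Character classes taken from the URL encoding table on this page
RESERVED = set("; / ? : @ & = + $ ,".split())
MARKS = set("- _ . ! ~ * ' ( )".split())
DELIMITERS = set('< > # % "'.split())
UNWISE = set("{ } | \\ ^ [ ] `".split())


def classify(ch: str) -> str:
    """Name the table row a single (already decoded) character belongs to."""
    if ch.isascii() and ch.isalnum():
        return "Alphanumeric"
    if ch == " ":
        return "Space"
    for name, chars in (("Reserved", RESERVED), ("Marks", MARKS),
                        ("Delimiters", DELIMITERS), ("Unwise", UNWISE)):
        if ch in chars:
            return name
    # Every printable ASCII character is in the table; what remains is control chars
    return "Unicode" if ord(ch) > 0x7F else "Control"


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the value stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def naive_filter_blocks(raw: str) -> bool:
    """Check the raw parameter for '<' or '>': the filter the text calls insufficient."""
    return "<" in raw or ">" in raw


def canonical_filter_blocks(raw: str) -> bool:
    """Decode to canonical form first, then apply the same check."""
    return naive_filter_blocks(fully_decode(raw))


# The encoded payload quoted on the page
PAGE_PAYLOAD = "%3cscript%3ealert(document%2ecookie)%3cscript%3e"

if __name__ == "__main__":
    print("decoded:", fully_decode(PAGE_PAYLOAD))
    print("naive filter blocks it:", naive_filter_blocks(PAGE_PAYLOAD))
    print("canonical filter blocks it:", canonical_filter_blocks(PAGE_PAYLOAD))
```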
Other script languages
* VBScript
* Java
* ActiveX
* Flash
==== Cross Site Scripting ====
* Stored XSS
* Reflected XSS
===== Token Analysis =====
==== Encoded vs. Encrypted ====
There is a big difference between encoded and encrypted data. Encoded data, for example using [wikipedia:Base64|Base64], is always reversible and only provides obfuscation, not confidentiality or protection against tampering.
* Pattern Analysis
* Session Attacks
* Session Correlation
===== Security Assessment of Web Services =====
Nowadays it is increasingly common that at least part of a site's functionality is available as a web service.
To perform a complete vulnerability assessment of the target web application you will need to cover any and all web services as well.
==== What are Web Services? ====
What is a web service? Although there is no universal definition of a web service, I think the Apple developer connection has defined it pretty well:
"The term web services refer to architecture, standards, technology and business models that provide an implementation-independent way for applications to communicate with each other".
Web services perform functions, which can be anything from simple requests to complicated business processes. They allow you, for instance, to mash up your flickr photos with Google earth using geo tagging.
==== WSDL Scanning ====
WSDL scanning refers to an adversary enumerating interfaces, data types, binding information and address information using publicly available WSDL files.
=== WSDL Scanning using Google ===
Google can find public WSDL files over the Internet. Signatures:
* filetype:wsdl amazon
* index of "/wsdl"
* inurl:wsdl amazon
=== WSDL Scanning using wsChess ===
* Free .NET tool developed by NetSquare, Inc
* http://net-square.com/wsChess/
* Comprised of
  * wsPawn - Web services foot printing, discovery and search tools.
  * wsKnight - Web services profiling, proxy and audit tool.
  * wsRook - A regular expression-based defense for web services input content.
=== WSDL Scanning using WSDigger ===
* Free .NET tool by Foundstone.
* Functionality includes
  * Helps search for WSDL in public / private UDDI
  * Open source framework for WS attacks
  * Current checks include SQL / XSS / XPATH injections. Trivial to add other checks
==== Parameter Enumeration ====
* Enumeration refers to systematically checking system interfaces for simplistic attacks
* Parameter tampering refers to sending data of malicious quality and quantity to method parameters
* Parameter Enumeration using WSDigger
==== Coercive Parsing – Jumbo Payload ====
* XML is verbose in the way it marks up data and information
* Gigabyte files are the norm in the multimedia world
* Overly large documents can cause denial of service attacks
* Parsers based on DOM are especially susceptible
==== Coercive Parsing – Recursive payload ====
XML allows nesting elements within documents. A malicious document 100K levels deep might stress out / DoS the parser.
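A parser-side guard for the jumbo and recursive payloads described in the two sections above: the document size is checked before parsing, and a streaming expat parser aborts as soon as the nesting exceeds a limit, so no DOM tree is ever built for the malicious document. This is an added example, not from the page; the limits and the nested sample document are constructed.

```python
import xml.parsers.expat


class PayloadLimitExceeded(ValueError):
    """Raised when a document exceeds the configured size or nesting limit."""


def parse_guarded(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32):
    """Parse XML with expat while enforcing a byte limit (jumbo payload) and a
    nesting limit (recursive payload). Returns (element_count, deepest_level)."""
    if len(data) > max_bytes:
        raise PayloadLimitExceeded(f"document is {len(data)} bytes, limit is {max_bytes}")
    state = {"depth": 0, "deepest": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        if state["depth"] > max_depth:
            # Abort here; a DOM parser would otherwise keep allocating nodes
            raise PayloadLimitExceeded(f"nesting deeper than {max_depth} levels")

    def end_element(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return state["elements"], state["deepest"]


def nested_document(levels: int) -> bytes:
    """Constructed sample: <a><a>...</a></a> nested `levels` deep."""
    return b"<a>" * levels + b"</a>" * levels


def is_accepted(data: bytes, **limits) -> bool:
    """True if the document is well formed and within both limits."""
    try:
        parse_guarded(data, **limits)
        return True
    except (PayloadLimitExceeded, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print("32 levels accepted:", is_accepted(nested_document(32)))
    print("500 levels accepted:", is_accepted(nested_document(500)))
    print("35-byte document under a 20-byte limit:", is_accepted(nested_document(5), max_bytes=20))
```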
==== Coercive Parsing – Replay attack ====
Similar to web application replay attacks or the network ping of death attack.
Send repeated valid SOAP messages.
This drains the web service's XML parser and results in denial of service.
==== External References - External Entity ====
XML can build documents dynamically by pointing to external data URIs. An external URI can contain malicious data.
==== External References - Routing Detours ====
SOAP by itself does not define a routing path; it is generally embedded in another application layer protocol (HTTP). WS-Routing extends SOAP with an addressing structure to define the complete message path. The extended SOAP message is self contained, does not have to be bound to any application layer protocol and can be sent over TCP.
Routing detour attacks occur when an interim web service station is compromised, resulting in malicious routes. Vulnerabilities:
* Insert bogus routes
* Get access to sensitive information
* Deny service by routing to a non-existing destination
==== External References - Schema Poisoning ====
A schema provides formatting instructions for XML parsers interpreting XML documents. It often uses external data types by including references to an external schema / namespace. Schema poisoning requires the schema to be compromised and replaced with a new one. This leads to easy DoS and other data manipulation attacks.
==== Malicious Content – Attachment ====
Binary attachments like executables and images can be transferred with valid XML. Valid attachments like Excel sheets can contain malicious macros, viruses or Trojan horses. An attachment can be attached or referenced.
SOAPBox Demo
==== Malicious Content – SQL injection ====
Similar to SQL injection in web applications: SQL queries / commands are injected as part of the SOAP message.
==== Malicious Content – XPATH injection ====
The XPath language helps find information in an XML document.
=== Sample XPATH Expressions ===
/Books/*/Nodes
/Books/Book/@Pages
/Books/Book[./Publisher = "lulu"]
/Books/Book[./Pages > 100]
=== XPATH Injections ===
/Books/Book[./Pages > 100 or 1=1]
=== Automated XPATH injection ===
todo