Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX203 views

4 Mapping the Application

The document discusses techniques for mapping web applications to identify security vulnerabilities and attack surfaces. It covers various methods such as automated and user-directed spidering, limitations of web spiders, and tools for discovering hidden content. The document also emphasizes the importance of analyzing the application's behavior, entry points for user input, and server-side functionality to uncover potential weaknesses.

Education
In this document
Powered by AI

Introduction to the course on CNIT 129S: Securing Web Applications, covering Chapter 4 on mapping the application.

Discusses mapping web applications, identifying content, functionality, hidden aspects, attack surfaces, and vulnerabilities.

Techniques for enumerating content via web spiders that load pages and identify links within targeted domains.

Focuses on web application spiders, their ability to parse HTML forms, fill them, and extract URLs while mentioning tools like Zed Attack Proxy.

Explains the role of robots.txt in guiding web spiders and potential content discovery.

Outlines limitations of automated spidering such as missed navigation mechanisms, form validation, and issues with user authentication.

User-directed spidering allows manual interaction with applications for testing, providing advantages in navigation and data entry.

Discussion on utilizing browser tools like Chrome's Developer Tools for examining requests and responses without a proxy.

Methods for discovering hidden content in applications, including testing features, backup archives, and configuration files.

Introduction to brute-force techniques in mapping, using tools like Burp's brute-forcer and Dirb.

Analyzing patterns and clues from published content to find vulnerabilities.

Using Google's Skipfish, public information, and cached content from search engines to identify vulnerabilities.

Overview of tools like Nikto and Wikto for scanning servers and identifying known vulnerabilities.

Describes mapping functional paths in applications and key areas to focus on in security assessments.

Discusses identifying request parameters, RESTful URLs, HTTP headers, and the importance of analyzing user data channels.

Techniques for identifying server-side technologies using banner grabbing and other fingerprinting methods.

Specific steps for penetration testing, including identifying entry points and examining various inputs.

Understanding server-side functionality through modification and observation of application behavior.

Exploration of error handling processes in applications and how it may reveal vulnerabilities.

Techniques for isolating unique behaviors within applications that may expose security risks.Discussing various aspects of mapping the attack surface, including client-side validation and session handling.Practical examples of attack surface mapping, demonstrating potential vulnerabilities and testing areas in web applications.

Embed presentation

Download as PDF, PPTX
CNIT 129S: Securing Web Applications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
Mapping • Enumerate application's content and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
Enumerating Content and Functionality
Web Spiders • Load web page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
Web Application Spiders • Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
Robots.txt • Intended to stop search engine s • May guide spiders to interesting content
Limitations of Automatic Spidering • May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
Limitations of Automatic Spidering • Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
Limitations of Automatic Spidering • Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
Limitations of Automatic Spidering • Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
Limitations of Automatic Spidering • Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
Warning • Spiders may fi nd an administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
User-Directed Spidering • More sophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
Preparing Burp • Launch Burp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
Shopping • In Burp's browser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
Shopping Cart (Not logged in) • At top right, click shopping cart icon to see items
Shopping • In Burp, on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
• Note items in car t • "user" contains only 5 URLs
Logging In • In the Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
• Login event seen in Burp
A
Advantages of User-Directed Spidering • User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
Browser Tools • Chrome's Developer Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
Discovering Hidden Content • Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
Discovering Hidden Content • Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
Discovering Hidden Content • Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
Brute-Force Techniques • Suppose user-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
Burp's Brute-Forcer • Burp's brute- forcer is very slow in the free version
Dirb • Good brute-force spidering tool • Included in Kali Linux
B
Inference from Published Content • Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
Other Patterns • Names may use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
More Clues • Search for temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
Burp Pro's Content Discovery
Google's Skip fi sh • Vulnerability scanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
Public Information • Search engines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
Google Advanced Search
Web Server Vulnerabilities • Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
Nikto and Wikto • Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
Example
Functional Paths • Different from old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
Map of Functional Paths
Discovering Hidden Parameters • Try adding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
Analyzing the Application • Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
Key Areas (continued) • Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
Key Areas (continued) • Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
Entry Points for User Input
RESTful URLs
Request Parameters • Normally, google.com?q=duc k • Here are some nonstandard parameter formats
HTTP Headers • User-Agent is used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
HTTP Headers • Applications behind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
Out-of-Band Channels • User data may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
C
Identifying Server-Side Technologies
Banner Grabbing • Banners often leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
HTTP Fingerprinting • httprecon uses subtle clues to identify versions, not just banner s • Link Ch 4h
Wappalyzer • Browser extension
File Extensions • Disclose platform or language
Error Messages
Error Message
File Extension Mappings • Different DLLs may lead to different error messages
OpenText • Vignette is now rebranded as OpenTex t • Link Ch 4i
Directory Names • Indicate technology in use
Session Tokens
Third-Party Code Components • Add common functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
Hack Steps 1. Identify all entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
Hack Steps 4. View HTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
httprint • Not updated since 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
Hack Steps 9. Review names of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
Identifying Server-Side Functionality • .jsp - Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
Identifying Server-Side Functionality • .aspx - Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
Identifying Server-Side Functionality • .php - PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
Identifying Server-Side Functionality • Change action to "edit" or "add " • Try viewing other collections by changing the id number
Extrapolating Application Behavior • An application often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
Extrapolating Application Behavior • If app obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
Error Handling • Some errors may be properly handled and give little information Others may crash and return verbose error information
Google Dorks • Link Ch 4p
Isolate Unique Application Behavior • App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
Mapping the Attack Surface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
Mapping the Attack Surface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
Mapping the Attack Surface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
Mapping the Attack Surface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
Example • /auth contains authentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
Example • /icons and /images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
D

More Related Content

PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
bySam Bowne
 
PDF
Practical Malware Analysis: Ch 15: Anti-Disassembly
bySam Bowne
 
PDF
CNIT 126: Ch 2 & 3
bySam Bowne
 
PDF
CNIT 152: 9 Network Evidence
bySam Bowne
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
PPTX
Firewall DMZ Zone
byNetProtocol Xpert
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
bySam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
bySam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
bySam Bowne
 
CNIT 126: Ch 2 & 3
bySam Bowne
 
CNIT 152: 9 Network Evidence
bySam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
Firewall DMZ Zone
byNetProtocol Xpert
 
CNIT 126: 10: Kernel Debugging with WinDbg
bySam Bowne
 

What's hot

PPTX
Key management and distribution
byRiya Choudhary
 
PDF
Practical Malware Analysis: Ch 8: Debugging
bySam Bowne
 
PPTX
Malware Static Analysis
byHossein Yavari
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPT
Basics of IBM Tivoli Storage Manager
byimagineers7
 
PPTX
Session hijacking
byGayatri Kapse
 
PDF
Practical Malware Analysis: Ch 9: OllyDbg
bySam Bowne
 
PPTX
Network tunneling techniques
byinbroker
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PPTX
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 
PPTX
Cryptographic tools
byCAS
 
PDF
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
PPT
Ipsec
byRupesh Mishra
 
PDF
6 Scope & 7 Live Data Collection
bySam Bowne
 
PDF
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
PDF
CNIT 126 13: Data Encoding
bySam Bowne
 
PPTX
Kerberos Authentication Protocol
byBibek Subedi
 
PPTX
Firewall
bytrilokchandra prakash
 
PDF
Understanding the Python GIL
byDavid Beazley (Dabeaz LLC)
 
PPTX
Operating system security
byRamesh Ogania
 
Key management and distribution
byRiya Choudhary
 
Practical Malware Analysis: Ch 8: Debugging
bySam Bowne
 
Malware Static Analysis
byHossein Yavari
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Basics of IBM Tivoli Storage Manager
byimagineers7
 
Session hijacking
byGayatri Kapse
 
Practical Malware Analysis: Ch 9: OllyDbg
bySam Bowne
 
Network tunneling techniques
byinbroker
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 
Cryptographic tools
byCAS
 
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
Ipsec
byRupesh Mishra
 
6 Scope & 7 Live Data Collection
bySam Bowne
 
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
CNIT 126 13: Data Encoding
bySam Bowne
 
Kerberos Authentication Protocol
byBibek Subedi
 
Firewall
bytrilokchandra prakash
 
Understanding the Python GIL
byDavid Beazley (Dabeaz LLC)
 
Operating system security
byRamesh Ogania
 

Similar to 4 Mapping the Application

PDF
CNIT 129S Ch 4: Mapping the Application
bySam Bowne
 
PDF
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
PPTX
08- pen-testing Web applications attacks.pptx
bywassimahmad9
 
PPTX
Burp Suite is a powerful and widely-used tool
bywaudit1
 
PPT
Hacking web applications
byAdeel Javaid
 
PPT
Hacking web applications
byphanleson
 
PDF
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
PPTX
Pentesting Tips: Beyond Automated Testing
byAndrew McNicol
 
PPT
Hack applications
byenrizmoore
 
PPT
performing security testing of web applications.web-and- -hacking.ppt
bywaudit1
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PPT
Web Hacking
byInformation Technology
 
PPTX
Web Hacking With Burp Suite 101
byZack Meyers
 
PDF
Hacking Web Apps by Brent White
byEC-Council
 
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
PPT
gofortution
bygofortution
 
PPT
Beyond Automated Testing - RVAsec 2016
byAndrew McNicol
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
CNIT 129S Ch 4: Mapping the Application
bySam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
08- pen-testing Web applications attacks.pptx
bywassimahmad9
 
Burp Suite is a powerful and widely-used tool
bywaudit1
 
Hacking web applications
byAdeel Javaid
 
Hacking web applications
byphanleson
 
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
Pentesting Tips: Beyond Automated Testing
byAndrew McNicol
 
Hack applications
byenrizmoore
 
performing security testing of web applications.web-and- -hacking.ppt
bywaudit1
 
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
Web application vulnerability assessment
byRavikumar Paghdal
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
Web Hacking
byInformation Technology
 
Web Hacking With Burp Suite 101
byZack Meyers
 
Hacking Web Apps by Brent White
byEC-Council
 
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
gofortution
bygofortution
 
Beyond Automated Testing - RVAsec 2016
byAndrew McNicol
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
PDF
4. Block Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 
4. Block Ciphers
bySam Bowne
 

Recently uploaded

PDF
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PPTX
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PDF
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PPTX
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 

4 Mapping the Application

  • 1.
    CNIT 129S: Securing WebApplications Ch 4: Mapping the Applicatio n Sl 56 Updated 2-9-2023
  • 2.
    Mapping • Enumerate application'scontent and functionalit y • Some is hidden, requiring guesswork and luck to discove r • Examine every aspect of behavior, security mechanisms, and technologie s • Determine attack surface and vulnerabilities
  • 3.
  • 4.
    Web Spiders • Loadweb page, fi nd all links on i t • (into the targeted domain ) • Load those pages, fi nd more link s • Continue until no new content is discovered
  • 5.
    Web Application Spiders •Also parse HTML form s • Fill in the forms with preset or random values and submit the m • Trying to walk through multistage functionalit y • Can also parse client-side JavaScript to extract URL s • Tool: Zed Attack Prox y • WebScarab & CAT seem old and abandoned
  • 6.
    Robots.txt • Intended tostop search engine s • May guide spiders to interesting content
  • 7.
    Limitations of Automatic Spidering •May fail to handle unusual navigation mechanisms, such as dynamically created JavaScript menu s • So it may miss whole areas of an applicatio n • Links buried in compiled client-side objects like ActiveX or Java may be missed
  • 8.
    Limitations of Automatic Spidering •Forms may have validation checks, such as user registration form s • Email address, telephone number, address, zip cod e • Too complex for most spiders, which use a single text string for all form fi eld s • Spider cannot understand the "Invalid" error messages
  • 9.
    Limitations of Automatic Spidering •Spiders only fetch each URL onc e • But applications use forms-based navigation, in which the same URL may return different content and function s • For example, a bank may implement every user action with a POST to /account.jsp with parameters determining the actio n • Spiders aren't smart enough to handle that
  • 10.
    Limitations of Automatic Spidering •Some applications place volatile data within URL s • Parameters containing timers or random number seed s • Spider will fetch the same page over and over, thinking it's ne w • May freeze up
  • 11.
    Limitations of Automatic Spidering •Authentication: spider must be able to submit valid credential s • Perhaps using a valid cooki e • However, spiders often break the authenticated session, b y • Requesting a logout functio n • Submitting invalid input to a sensitive functio n • Requesting pages out-of-sequence
  • 12.
    Warning • Spiders may fi ndan administrative page and click every lin k • Delete User, Shut Down Database, Restart Server...
  • 13.
    User-Directed Spidering • Moresophisticated and controlled technique than automated spidering, usually preferabl e • User walks through application using a browser connected to Burp (or another proxy ) • The proxy collects all requests and responses
  • 14.
    Preparing Burp • LaunchBurp Suite • Click Next, Start Burp • On the Proxy Tab, turn off Intercept • Click Open Browser
  • 15.
    Shopping • In Burp'sbrowser, go to http://hackazon.samsclass.inf o • Click an item, then click Add to car t • Repeat for a second item
  • 16.
    Shopping Cart (Notlogged in) • At top right, click shopping cart icon to see items
  • 17.
    Shopping • In Burp,on the Target tab • On the Site map sub-tab • Expand http://hackazon.samsclass.info • Expand cart • Expand add • Expand user
  • 18.
    • Note itemsin car t • "user" contains only 5 URLs
  • 19.
    Logging In • Inthe Hackazon page, at the top right, click Sign U p • Register a new user • Log out • Sign in
  • 20.
  • 21.
  • 22.
    Advantages of User-Directed Spidering •User can follow unusual or complex navigation mechanism s • User can enter valid data where neede d • User can log in as neede d • User can avoid dangerous functionality, such as deleteUser.jsp
  • 23.
    Browser Tools • Chrome'sDeveloper Tools can show details of requests and responses within the browse r • No proxy neede d • Often useful; shows timing as well as content
  • 26.
    Discovering Hidden Content •Finding it requires automated testing, manual testing, and luc k • Testing or debugging features left in applicatio n • Different functionality for different categories of user s • Anonymous, authenticated, administrator s • Backup copies of live fi le s • May be non-executable and reveal source code
  • 27.
    Discovering Hidden Content •Backup archives that contain snapshot of entire applicatio n • New functionality implemented for testing but not yet linked from main applicatio n • Default functionality in an off-the-shelf application that has been super fi cially hidden from the user but not remove d • Old versions of fi les--may still be exploitable
  • 28.
    Discovering Hidden Content •Con fi guration and include fi les containing sensitive data such as database credential s • Source fi les from which application functions were compile d • Comments in source code; may contain usernames and passwords, "test this" marks, and other useful dat a • Log fi les--may contain valid usernames, session tokens, etc.
  • 29.
    Brute-Force Techniques • Supposeuser-directed spidering fi nds the URLs on the lef t • A brute-forcer will try names as shown on the right
  • 30.
    Burp's Brute-Forcer • Burp'sbrute- forcer is very slow in the free version
  • 31.
    Dirb • Good brute-forcespidering tool • Included in Kali Linux
  • 32.
  • 33.
    Inference from Published Content •Look for pattern s • All subdirectories of "auth" start with a capital lette r • One is "ForgotPassword", so try these
  • 34.
    Other Patterns • Namesmay use numbers or date s • Check include fi les from HTML and JavaScrip t • They may be publicly readabl e • Comments may include database names, SQL query string s • Java applets and ActiveX controls may contain sensitive data
  • 35.
    More Clues • Searchfor temporary fi les created by tools and fi le editor s • .DS_Store fi le (a directory index created by Mac OS X ) • fi le.php-1 created when fi le.php is edite d • .tmp fi les created by many tools
  • 36.
  • 37.
    Google's Skip fi sh • Vulnerabilityscanner but main strength is fi nding fi les and folder s • Links Ch 4d, 4e
  • 38.
    Public Information • Searchengines (and cached content ) • Web archives such as the Wayback Machin e • Posts to forums like Stack Exchange
  • 39.
  • 40.
    Web Server Vulnerabilities •Some Web servers let you list directory contents or see raw source cod e • Sample and diagnostic scripts may contain vulnerabilities
  • 41.
    Nikto and Wikto •Scans servers for known vulnerable fi les and version s • Wikto is the Windows versio n • Nikto is the Linux versio n • Included in Kal i • Fast and easy to us e • Has false positives like all vulnerability scanner s • Must verify results with manual testing
  • 42.
  • 43.
    Functional Paths • Differentfrom old-fashioned tree- structured fi le syste m • Every request goes to the same UR L • Parameters specify functio n • Very different structure to explore
  • 44.
  • 45.
    Discovering Hidden Parameters • Tryadding "debug=true" to request s • Or test, hide, source, etc . • Burp Intruder can do this (see Ch 14)
  • 46.
    Analyzing the Application •Key area s • Core functionalit y • Peripheral behavior: off-site links, error messages, administrative and logging functions, and use of redirect s • Core security mechanisms: session state, access control, authenticatio n • User registration, password change, account recovery
  • 47.
    Key Areas (continued) •Everywhere the application processes user- supplied inpu t • URL, query string, POST data, cookie s • Client-side technologie s • Forms, scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
  • 48.
    Key Areas (continued) •Server-side technologie s • Static and dynamic pages, request parameters, SSL, Web server software, interaction with databases, email systems, and other back-end components
  • 49.
    Entry Points forUser Input
  • 50.
  • 51.
    Request Parameters • Normally,google.com?q=duc k • Here are some nonstandard parameter formats
  • 52.
    HTTP Headers • User-Agentis used to detect small screen s • Sometimes to modify content to boost search engine ranking s • May allow XSS and other injection attack s • Changing User-Agent may reveal a different user interface
  • 53.
    HTTP Headers • Applicationsbehind a load balancer or proxy may use X-Forwarded-For header to identify sourc e • Can be manipulated by attacker to inject content
  • 54.
    Out-of-Band Channels • Userdata may come in vi a • Emai l • Publishing content via HTTP from another server (e.g. WebDAV ) • IDS that sniffs traf fi c and puts it into a Web applicatio n • API interface for non-browser user agents, such as cell phone apps, and then shares data with the primary web application
  • 55.
  • 56.
  • 57.
    Banner Grabbing • Bannersoften leak version informatio n • Also Web page template s • Custom HTTP header s • URL query string parameters
  • 58.
    HTTP Fingerprinting • httpreconuses subtle clues to identify versions, not just banner s • Link Ch 4h
  • 59.
  • 60.
    File Extensions • Discloseplatform or language
  • 61.
  • 62.
  • 63.
    File Extension Mappings •Different DLLs may lead to different error messages
  • 64.
    OpenText • Vignette isnow rebranded as OpenTex t • Link Ch 4i
  • 65.
  • 66.
  • 67.
    Third-Party Code Components • Addcommon functionality lik e • Shopping cart s • Login mechanism s • Message board s • Open-source or commercia l • May contain known vulnerabilities
  • 68.
    Hack Steps 1. Identifyall entry points for user inpu t •URL, query string parameters, POST data, cookies, HTTP header s 2. Examine query string format; should be some variation on name/value pai r 3. Identify any other channels that allow user- controllable or third-party data into the app
  • 69.
    Hack Steps 4. ViewHTTP server banner returned by the app; it may use several different server s 5. Check for other software identi fi ers in custom HTTP headers or HTML source code 6. Run httprint to fi ngerprint the web serve r 7. Research software versions for vulnerabilitie s 8. Review map of URLs to fi nd interesting fi le extensions, directories, etc. with clues about the technologies in use
  • 70.
    httprint • Not updatedsince 2005 (link Ch 4j ) • Alternatives include nmap, Netcraft, and SHODAN (Link Ch 4k ) • Also the Wappalyzer Chrome extension
  • 71.
    Hack Steps 9. Reviewnames of session tokens to identify technologies being use d 10. Use lists of common technologies, or Google, to identify technologies in use, or discover other websites that use the same technologie s 11. Google unusual cookie names, scripts, HTTP headers, etc. If possible, download and install the software to analyze it and fi nd vulnerabilities
  • 72.
    Identifying Server-Side Functionality • .jsp- Java Server Page s • OrderBy parameter looks like SQ L • isExpired suggests that we could get expired content by changing this value
  • 73.
    Identifying Server-Side Functionality • .aspx- Active Server Pages (Microsoft ) • template - seems to be a fi lename and loc - looks like a directory; may be vulnerable to path traversa l • edit - maybe we can change fi les if this is tru e • ver - perhaps changing this will reveal other functions to attack
  • 74.
    Identifying Server-Side Functionality • .php- PH P • Connecting to an email server, with user-controllable content in all fi eld s • May be usable to send email s • Any fi elds may be vulnerable to email header injection
  • 75.
    Identifying Server-Side Functionality • Changeaction to "edit" or "add " • Try viewing other collections by changing the id number
  • 76.
    Extrapolating Application Behavior • Anapplication often behaves consistently across the range of its functionalit y • Because code is re-used or written by the same developer, or to the same speci fi cation s • So if your SQL injections are being fi ltered out, try injecting elsewhere to see what fi ltering is in effect
  • 77.
    Extrapolating Application Behavior • Ifapp obfuscates data, try fi nding a place where a user can enter an obfuscated string and retrieve the original • Such as an error messag e • Or test systematically-varying values and deduce the obfuscation scheme
  • 78.
    Error Handling • Someerrors may be properly handled and give little information Others may crash and return verbose error information
  • 79.
  • 81.
    Isolate Unique Application Behavior •App may use a consistent framework that prevents attack s • Look for extra parts "bolted on" later, which may not be integrated into the framewor k • Debug functions, CAPTCHAs, usage tracking, third-party cod e • Different GUI appearance, parameter naming conventions, comments in source code
  • 82.
    Mapping the AttackSurface • Client-side validatio n • Database interaction -- SQL injectio n • File uploading and downloading -- Path traversal, stored XS S • Display of user-supplied data - XS S • Dynamic redirects -- Redirection and header attacks
  • 83.
    Mapping the AttackSurface • Social networking features -- username enumeration, stored XS S • Login -- Username enumeration, weak passwords, brute-force attack s • Multistage login -- Logic fl aw s • Session state -- Predictable tokens, insecure token handling
  • 84.
    Mapping the AttackSurface • Access controls -- Horizontal and vertical privilege escalatio n • User impersonation functions -- Privilege escalatio n • Cleartext communications -- Session hijacking, credential thef t • Off-site links -- Leakage of query string parameters in the Referer heade r • Interfaces to external systems -- Shortcuts handling sessions or access controls
  • 85.
    Mapping the AttackSurface • Error messages -- Information leakag e • Email interaction -- Email or command injectio n • Native code components or interaction -- Buffer over fl ow s • Third-party components -- Known vulnerabilitie s • Identi fi able Web server -- Common con fi guration errors, known bugs
  • 86.
    Example • /auth containsauthentication functions -- test session handling and access contro l • /core/sitestats -- parameters; try varying them; try wildcards like all and * ; PageID contains a path, try traversa l • /home -- authenticated user content; try horizontal privilege escalation to see other user's info
  • 87.
    Example • /icons and/images -- static content, might fi nd icons indicating third- party content, but probably nothing interesting her e • /pub -- RESTful resources under / pub/media and /pub/user; try changing the numerical value at the en d • /shop -- online shopping, all items handled similarly; check logic for possible exploits
  • 88.