Comprehensive tour of web application attacks
Ahmed Sherif
EG-CERT
BIO
• Web application penetration tester with over 5 years of experience in the information security field.
• Ahmed currently holds a position as information security engineer at EG-CERT, where he is responsible for conducting penetration testing for different governmental entities.
• Ahmed started his career as a web developer and then moved to the information security field. He has also contributed to many security projects and was co-founder of the "iScanner" project.
• He has been acknowledged by many organizations for finding security issues in their websites as part of bug-bounty programs, such as Yahoo, eBay, Adobe and LinkedIn.
Agenda
• Security in corporates.
• Web technologies.
• OWASP security testing methodologies.
• The most important phase in security testing.
• Camouflage.
• Common web attacks.
• Real-world examples in well-known organizations.
• Play with script kiddies.
• Demo.
• Questions?
• Use highly priced security software for:
  Anti-virus.
  Firewall with deep packet inspection.
  IDS – Intrusion Detection Systems.
  IPS – Intrusion Prevention Systems.
  Honeypots.
  Dashboards, real-time visualizations.
Breaches
Why?
80% of all security breaches take place due to unpatched software, in other words, due to not applying the security or reliability fixes from the vendor for the installed software.
What about the other 20%?
A penetration test is a proactive and authorized attempt to evaluate the security of an organization's infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configuration, and even risky end-user behavior.
Penetration testing is an and .
• This testing methodology approach is based on the OWASP web application penetration testing method.
Information Gathering.
Configuration and Deployment Management Testing.
Identity Management Testing.
Authentication Testing.
Authorization Testing.
Session Management Testing.
Input Validation Testing.
Testing for Error Handling.
Testing for Weak Cryptography.
Business Logic Testing.
Client Side Testing.
Information Gathering
Conduct Search Engine Discovery and Reconnaissance for Information Leakage.
Fingerprint Web Server.
Review Webserver Metafiles for Information Leakage.
Enumerate Applications on Webserver.
Review Webpage Comments and Metadata for Information Leakage.
Identify Application Entry Points.
Map Execution Paths Through Application.
Fingerprint Web Application Framework.
Fingerprint Web Application.
Map Application Architecture.
Server: Apache/2.2.15 (CentOS)
This section describes how to test the robots.txt file for information leakage of the web application's directory or folder path(s).
Test objective: information leakage of the web application's directory or folder path(s).
How to test: create the list of directories that are to be avoided by spiders, robots, or crawlers.
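As an added example (not part of the original slides), the following Python parses a robots.txt body and builds exactly the list the test asks for: the directories that crawlers are told to avoid. The robots.txt content is constructed for the demo, and the function names are my own. A defender can run the same parser against their own file to see which paths it advertises.

```python
"""Parse robots.txt and list the directories it hides from crawlers.
Added example; the sample file below is constructed, not captured."""

# Constructed sample robots.txt; not taken from any real site.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for www.example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /old-api/
Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text):
    """Group Disallow/Allow rules under the User-agent lines that precede them.

    Returns {"disallow": {path: [agents]}, "allow": {path: [agents]},
             "sitemaps": [url, ...]}.
    """
    result = {"disallow": {}, "allow": {}, "sitemaps": []}
    agents = []          # User-agent names of the group currently being read
    in_rules = False     # True once a rule line followed the User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments and whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                       # a new group starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            if value:                          # an empty Disallow means "allow all"
                result[field].setdefault(value, []).extend(agents or ["*"])
        elif field == "sitemap":
            result["sitemaps"].append(value)   # Sitemap is global, not per group
    return result


def disallowed_paths(text):
    """Sorted list of every path some crawler is told to avoid: the
    'directories to be avoided by spiders' that the test asks for."""
    return sorted(parse_robots(text)["disallow"])


if __name__ == "__main__":
    for path in disallowed_paths(SAMPLE_ROBOTS_TXT):
        print("hidden from crawlers:", path)
```

Note that a Disallow line only asks well-behaved crawlers to stay away; it is not an access control, which is why anything listed there should also be protected server-side.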
Web application discovery is a process aimed at identifying web applications on a given infrastructure.
1. Different base URL
   Ex: example.com/url1
   Ex: example.com/url2
   Tools: DirBuster, Burp Intruder, search engine "site:example.com".
2. Non-standard ports
   Web applications may be associated with arbitrary TCP ports.
   Ex: example.com:8000
   Tools: Nmap.
3. Virtual hosts
   DNS allows a single IP address to be associated with one or more symbolic names.
   Ex: IP address 41.xx.xx.xx might be associated with the DNS names www.example.com and mail.example.com.
Test Objectives
Understand how requests are formed and the typical responses from the application.
Requests:
Identify where GETs are used and where POSTs are used.
Within the POST request, pay special attention to any hidden parameters.
Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar.
Pay attention to any additional or custom-type headers not typically seen (such as debug=False).
Responses:
Identify where new cookies are set (Set-Cookie header), modified, or added to.
Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses.
Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced.
Test Objectives
Map the target application and understand the principal workflows.
To identify the type of web application and web framework in use, so as to have a better understanding of how to apply the security testing methodology.
There are several common locations to look in order to identify the current framework:
HTTP headers
Cookies
HTML source code
Specific files and folders
Tools
Meta generator tag.
Server header.
X-Powered-By header.
Other headers, such as X-AspNet-Version.
Known paths (wp-content for WordPress).
File extensions.
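The following Python is an added example (not from the original slides) that pulls the fingerprinting and leakage signals listed above, and the response-side signals from the "identify entry points" objectives (Set-Cookie, redirects, status class), out of a single raw HTTP response. The response text and header values are constructed; the cookie-name and path fingerprints beyond wp-content are well-known defaults that I am adding, and all function names are my own. The last function reports which of these headers the camouflage step would remove or replace.

```python
"""Fingerprint a raw HTTP response the way the slides describe.
Added example; the response below is constructed for the demo."""
import re

# Constructed sample response; header values are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.1"></head>'
    '<body><link href="/wp-content/themes/demo/style.css"></body></html>'
)

# Headers that name the server software or framework (from the slides, plus
# the ASP.NET MVC variant).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")
# Default session cookie names that identify the platform (well-known defaults).
COOKIE_FINGERPRINTS = {"PHPSESSID": "PHP", "ASP.NET_SessionId": "ASP.NET",
                       "JSESSIONID": "Java servlet container"}
# Known paths: wp-content is from the slides, wp-includes is another WordPress default.
PATH_FINGERPRINTS = {"/wp-content/": "WordPress", "/wp-includes/": "WordPress"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def fingerprint(raw):
    """Collect status class, cookies, redirect target, disclosing headers,
    meta generator and path-based product guesses from one response."""
    status, headers, body = parse_response(raw)
    report = {"status_class": f"{status // 100}xx", "cookies": [],
              "redirect": None, "disclosures": {}, "guesses": set()}
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";", 1)[0]           # "NAME=value" part only
            report["cookies"].append(cookie)
            cookie_name = cookie.split("=", 1)[0]
            if cookie_name in COOKIE_FINGERPRINTS:
                report["guesses"].add(COOKIE_FINGERPRINTS[cookie_name])
        elif name == "location" and report["status_class"] == "3xx":
            report["redirect"] = value
        elif name in DISCLOSURE_HEADERS:
            report["disclosures"][name] = value
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', body, re.I)
    if m:
        report["disclosures"]["meta-generator"] = m.group(1)
    for path, product in PATH_FINGERPRINTS.items():
        if path in body:
            report["guesses"].add(product)
    report["guesses"] = sorted(report["guesses"])
    return report


def leakage_findings(raw):
    """Disclosing headers/tags present in this response: the items the
    camouflage step removes or replaces. An empty list means none found."""
    return sorted(fingerprint(raw)["disclosures"])


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print("remove or replace:", leakage_findings(SAMPLE_RESPONSE))
```

Running it against your own server's responses after hardening should leave `leakage_findings` empty, or showing only the custom value you chose to present.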
Remove the X-Powered-By header and add a custom one.
Edit the server signature from ModSecurity.
Example 1
Apache 2.4.7.
PHP 5.5.9.
Ubuntu 14.04.
Common web attacks
Cross-Site Scripting (XSS).
Cross-Site Request Forgery (CSRF).
Session Management.
SQL Injection.
Directory Traversal.
Command Injection.
XSS is a vulnerability present in websites or web applications that allows attackers to insert their own client-side code (normally JavaScript) into those web pages.
Types of XSS:
Stored XSS.
Reflected XSS.
DOM-based XSS.
Acunetix Report for 2015 – 38% of websites vulnerable to XSS
[Figure: stored XSS flow: attacker, compromised web application, retrieved compromised page]
Reflected attacks are those where the injected code is reflected off the web server.
When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
index.php?name=x<script>malicious code</script>
Attack payload:
"><script>confirm(1)</script>
No tags encoded.
Encoded:
&quot;&gt;&lt;script&gt;confirm(1)&lt;/script&gt;
Entity   Character
&quot;   "
&gt;     >
&lt;     <
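As an added example (not code from the original slides), the Python below renders the reflected `name` parameter into an input's value attribute twice: once verbatim, which is the vulnerable page, and once with the entity encoding from the table above. The page template, the helper names and the crude `<script>` check are my own; the encoder adds `&` to the table because it must be encoded first to avoid double-encoding.

```python
"""Vulnerable versus entity-encoded reflection of a request parameter.
Added example; template and helper names are constructed for the demo."""
import html
import re

PAYLOAD = '"><script>confirm(1)</script>'   # the payload shown in the slides

# The encoding table from the slides, plus '&'. Insertion order matters:
# '&' is replaced first so the entities produced afterwards stay intact.
ENTITY_MAP = {"&": "&amp;", '"': "&quot;", ">": "&gt;", "<": "&lt;"}


def encode_for_html(value):
    """Replace the characters that can close an attribute or open a tag."""
    for ch, entity in ENTITY_MAP.items():
        value = value.replace(ch, entity)
    return value


def render_unsafe(name):
    """The vulnerable page: the parameter lands inside the attribute verbatim."""
    return f'<form><input type="text" name="name" value="{name}"></form>'


def render_safe(name):
    """The fixed page: encoding keeps the parameter inside the attribute value."""
    return (f'<form><input type="text" name="name" '
            f'value="{encode_for_html(name)}"></form>')


def has_injected_script(page):
    """Crude demo check: a <script> element in the rendered output means the
    input broke out of the attribute and became markup."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe :", render_unsafe(PAYLOAD))
    print("safe   :", render_safe(PAYLOAD))
    # The standard library encoder produces the same result for this input.
    print("matches html.escape:", encode_for_html(PAYLOAD) == html.escape(PAYLOAD))
```

In a real application the encoding belongs in the template engine's auto-escaping rather than in hand-written calls, and the encoding must match the context (attribute, element body, JavaScript string, URL), which is why the DOM-based variant needs separate treatment.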
Intranet hacking:
Get local IP.
Local port scanning.
Cookie stealing:
XSS defacement:
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
An attacker may force the users of a web application to execute actions of the attacker's choosing.
The user has to be logged in.
https://www.MyBank.com/Transfer?from=user&to=hacker&amount=5000
The Leave Group request doesn't contain any tokens.
Proof of concept:
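The following Python is an added example (not from the original slides) of the control whose absence both cases above rely on: a synchronizer token bound to the user's session with an HMAC, checked before the transfer from the bank URL is performed. The request shape, `SECRET_KEY`, the `csrf_token` parameter name and the handler are assumptions of mine; a request carrying only the parameters from the slide URL is rejected.

```python
"""Session-bound anti-CSRF token issued and verified server-side.
Added example; request shape and names are constructed for the demo."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SECRET_KEY = secrets.token_bytes(32)   # per-deployment server secret (constructed)

# The transfer link from the slides: no token parameter at all.
SLIDE_URL = "https://www.MyBank.com/Transfer?from=user&to=hacker&amount=5000"


def issue_token(session_id):
    """Token the server embeds in its own forms. Deriving it from the session
    id means it cannot be reused across users and needs no server-side store."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, token):
    """Constant-time comparison against the token this session should carry."""
    return token is not None and hmac.compare_digest(issue_token(session_id), token)


def has_csrf_token(url):
    """Does a transfer link carry the anti-CSRF parameter at all?"""
    return "csrf_token" in parse_qs(urlparse(url).query)


def handle_transfer(session_id, params):
    """session_id: resolved from the session cookie the browser attached
    automatically (None if not logged in). params: the request parameters.
    Returns (status, detail)."""
    if session_id is None:
        return ("rejected", "not logged in")
    if not token_valid(session_id, params.get("csrf_token")):
        # A forged request can make the victim's browser send the cookie,
        # but it cannot read the token from the bank's own page.
        return ("rejected", "missing or invalid CSRF token")
    return ("ok", f"transfer {params['amount']} from {params['from']} to {params['to']}")


if __name__ == "__main__":
    sid = "sess-constructed-1"
    forged = {"from": "user", "to": "hacker", "amount": "5000"}
    print("slide URL carries a token:", has_csrf_token(SLIDE_URL))
    print("forged :", handle_transfer(sid, forged))
    print("genuine:", handle_transfer(sid, dict(forged, csrf_token=issue_token(sid))))
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check is what makes a state-changing request verifiable on the server regardless of the client.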
• SQL injection is a code injection technique used to attack an application by sending input from a user-defined source that is later interpreted and executed by the SQL database.
• SQL injection attacks work because the input taken from the user is combined unfiltered, or filtered poorly, with SQL statements that are passed to the database, which allows the form user to manipulate the query.
• An attacker may exploit a SQL injection vulnerability to retrieve data from the database or escalate to execute commands on the system.
Identify the vulnerability.
Fingerprint the server.
Enumerate data from the database.
Upload a backdoor.
• Using SQL errors, we extract data from the system error message.
• Example:
  "Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in".
• Blind SQL injection is a type of attack that runs valid queries on the database, often using timing along with true-or-false conditions.
• The results from the timing attacks and the true-or-false evaluations can help determine if the system is vulnerable.
• This attack method is used when the web application is configured NOT to show generic error messages.
• SELECT * FROM Table WHERE id = '1';
• SELECT * FROM Table WHERE id = 1;
• SELECT * FROM orders WHERE orderNumber = 1 AND TRUE;
  False
• SELECT * FROM orders WHERE orderNumber = 1 AND TRUE;
  False
• SELECT * FROM orders WHERE orderNumber = 1 OR TRUE;
  False
Fingerprinting
• Knowing the system architecture aids the attacker in crafting specific SQL injection queries that will later be used to steal data.
UNION SELECT
• UNION allows another query to be joined to the first query, effectively merging them into one result set.
SELECT * FROM orders WHERE id = 1 UNION SELECT 1,2,3,4,5,...,x;
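The Python below is an added example (not code from the original slides) that runs the true/false and UNION probes from the preceding slides against an in-memory SQLite `orders` table, once through a query built by string concatenation and once through a parameterized query. The table, its rows and the function names are constructed for the demo; the slides' `AND TRUE` / `AND FALSE` are written here as the portable `1=1` / `1=0`.

```python
"""Boolean and UNION probes against a vulnerable and a parameterized lookup.
Added example; the orders table and its rows are constructed for the demo."""
import sqlite3


def make_db():
    """In-memory orders table with three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (orderNumber INTEGER PRIMARY KEY, "
                "customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", 10.0), (2, "bob", 20.0), (3, "carol", 30.0)])
    return con


def lookup_vulnerable(con, order_number):
    """User input is concatenated into the statement, so it is parsed as SQL."""
    sql = "SELECT * FROM orders WHERE orderNumber = " + order_number
    return con.execute(sql).fetchall()


def lookup_safe(con, order_number):
    """User input is bound as a value; the statement text never changes, so
    'OR 1=1' is just a string that matches no order number."""
    sql = "SELECT * FROM orders WHERE orderNumber = ?"
    return con.execute(sql, (order_number,)).fetchall()


def blind_probe(con, lookup):
    """The slides' true/false test: a true condition leaves the result alone
    and a false one removes it only when the input reaches the SQL parser.
    Returns True when the lookup behaves as injectable."""
    base = len(lookup(con, "1"))
    with_true = len(lookup(con, "1 AND 1=1"))
    with_false = len(lookup(con, "1 AND 1=0"))
    return base == with_true and with_true != with_false


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, OR 1=1   :", lookup_vulnerable(db, "1 OR 1=1"))
    print("vulnerable, UNION    :", lookup_vulnerable(db, "1 UNION SELECT 1,2,3"))
    print("safe, OR 1=1         :", lookup_safe(db, "1 OR 1=1"))
    print("blind probe (vuln)   :", blind_probe(db, lookup_vulnerable))
    print("blind probe (safe)   :", blind_probe(db, lookup_safe))
```

The `blind_probe` function is the same comparison a tester makes by eye between the slides' `AND TRUE` and `AND FALSE` pages; in a code review, any query assembled with `+` or string formatting from request data should be rewritten in the `lookup_safe` form.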
SQLMAP
• SQLmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Status Code   Meaning
1xx           Informational
2xx           Successful
3xx           Redirection
4xx           Bad Request
5xx           Internal Server Error
What if we could …
Access the target URL.
Read links.
Test them out.
If true: continue.
What if all are "FALSE"?
• Every response:
  200 OK.
  404 Not Found.
  500 Internal Server Error.
ahmadsherif24@gmail.com
