1. Web application technologies 101
Web application penetration testing v3.1 (Professional)
WAPTP v3.1 - gray hat security (c) 2017
1. Web application technologies
Introduction
Web applications are applications that run on web servers and are accessed through a web browser; they act as the bridge between the user and the server.
We interact with web applications every day: almost every website on the Internet includes some application logic in its pages. That logic can live on the client side (JavaScript in the browser), on the server side, or both.
Before testing them you need to understand the fundamental technologies that modern web applications are built on. This module covers them.
1. Web application technologies
Module outline:
• HTTP/S protocol basics
• Encoding schemes
• Same Origin Policy (SOP)
• HTTP cookies
• CORS (Cross-Origin Resource Sharing)
1. Web application technologies
HTTP/S Protocol Basics
HTTP/S Protocol Basics
Hypertext Transfer Protocol (HTTP) is the most widely used application-layer protocol on the Internet. It is a stateless protocol: every request is handled on its own, with no memory of earlier requests (state is added on top with cookies, covered later in this module).
It is a client-server protocol used to deliver web pages and other resources to the user. In HTTP the client, usually a web browser (Firefox, IE, Chrome), connects to a web server such as Microsoft IIS, Apache HTTP Server or nginx.
Nowadays HTTP is also the transport for most mobile apps and modern single-page applications, which talk to back-end APIs over it.
HTTP/S Protocol Basics
[Diagram: USER (client) sends an HTTP Request to the SERVER; the server answers with an HTTP Response.]
The client sends a request to the server stating the information it wants, and the server responds accordingly.
www.grayhat.in
HTTP/S Protocol Basics
Every HTTP message (request or response) carries zero or more headers, one per line, in the following format:
HTTP Header format:
Header-name: header value
Header names are case-insensitive. The header block ends with an empty line, after which the optional message body starts.
HTTP/S Protocol Basics
An HTTP request looks like the following: a request line, then the headers, then an empty line. A GET request normally carries an empty message body.
HTTP/S Protocol Basics
As the name suggests, the GET method (HTTP methods are also called "verbs") is used to fetch or request data from the server.
Most common example: it is what the browser sends when you open a website. GET requests are meant to be safe and idempotent, so they must not change server state.
HTTP/S Protocol Basics
Anatomy of a GET request (example values):
GET / HTTP/1.1
Host: www.grayhat.in
User-Agent: Mozilla/5.0
Accept: text/html

• Method and path: the path after GET (here /) tells the server which resource or directory the browser is requesting.
• Protocol version: HTTP/1.1 specifies which version of the protocol the client speaks (HTTP/1.0, 1.1 or 2).
• Host: the hostname from the URL you typed in the browser; it lets one server (one IP address) serve many sites.
• User-Agent: identifies your browser.
• Accept: tells the server which content types the client can handle, e.g. text/html.
HTTP/S Protocol Basics
When the server receives an HTTP request from a client, it sends back an HTTP response. This time the message usually has a body (the HTML page, JSON, an image...).
The HTTP response consists of a status line (protocol version, status code, reason phrase) followed by headers such as:
• caching directives (Cache-Control, Expires)
• Server: server software and version (useful for fingerprinting; often hidden on hardened systems)
• Content-Type: media type of the body
• X-Powered-By: application platform used
• Date: date and time the response was generated
• Content-Length: body size in bytes
• Connection: whether the TCP connection is kept open for reuse (keep-alive) or closed
HTTP/S Protocol Basics
POST method: the form data (query string) is sent in the HTTP message body rather than in the URL:
POST /login/login_form.php HTTP/1.1
Host: grayhat.in

Username=demo&password=demo

POST is often called "more secure" than GET because the data is not part of the URL. That only means it does not land in the browser history, bookmarks, Referer headers and web-server access logs the way a GET query string does; on the wire a POST body is just as readable as a GET URL unless the connection uses TLS.
Never use the GET method to submit passwords or other secrets.
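The request and response structure above, and the "never send passwords in GET" rule, as an added worked example (not code from the course). It parses raw HTTP/1.x messages the way an intercepting proxy would and runs two checks a tester wants: credentials in a GET query string, and a Content-Length that does not match the body. The three messages and the list of sensitive parameter names are constructed for the example.

```python
"""Minimal HTTP/1.x message parser plus two checks a tester wants on the wire."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample messages (not captured from any real site).
RAW_GET = (
    "GET /login/login_form.php?username=demo&password=demo HTTP/1.1\r\n"
    "Host: grayhat.in\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
RAW_POST = (
    "POST /login/login_form.php HTTP/1.1\r\n"
    "Host: grayhat.in\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "username=demo&password=demo"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2017 02:44:25 GMT\r\n"
    "Server: Apache/2.4.27 (CentOS)\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 13\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html></html>"
)

# Assumed list of parameter names that must never travel in a URL.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}


def parse_message(raw: str) -> dict:
    """Split a raw HTTP/1.x message into start line, headers and body.

    The header block ends at the first empty line. Header names are
    case-insensitive, so they are lower-cased for lookup. Works for both
    requests (method target version) and responses (version status reason).
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header block")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    if start[0].startswith("HTTP/"):
        msg.update(kind="response", version=start[0], status=int(start[1]), reason=start[2])
    else:
        msg.update(kind="request", method=start[0], target=start[1], version=start[2])
    return msg


def status_class(code: int) -> str:
    """Map a status code to its class by first digit, as the slides group them."""
    classes = {2: "success", 3: "redirection", 4: "client error", 5: "server error"}
    return classes.get(code // 100, "informational")


def leaks_credentials_in_url(msg: dict) -> list:
    """Return sensitive parameter names found in the request target's query string.

    Anything here ends up in browser history, proxy/server logs and Referer headers.
    """
    if msg["kind"] != "request":
        return []
    query = urlsplit(msg["target"]).query
    return sorted(p for p in parse_qs(query) if p.lower() in SENSITIVE_PARAMS)


def body_matches_length(msg: dict) -> bool:
    """Check the declared Content-Length against the actual body length.

    A mismatch means two parsers may disagree on where the message ends
    (the root of request smuggling), so it is worth flagging.
    """
    declared = msg["headers"].get("content-length")
    return declared is None or int(declared) == len(msg["body"].encode())


if __name__ == "__main__":
    for raw in (RAW_GET, RAW_POST, RAW_RESPONSE):
        m = parse_message(raw)
        print(m["kind"], m.get("method") or m.get("status"), leaks_credentials_in_url(m))
```

Run it and the GET login request is reported with `password` in the URL while the POST version is clean; the same parser handles the response and gives you the status code and server banner for fingerprinting.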
HTTP/S Protocol Basics
HTTP status codes (the ones seen most often during testing):
200 OK                     Request succeeded
301 Moved Permanently      Resource has permanently moved to a new URL
302 Found                  Resource temporarily lives at another URL
400 Bad Request            Malformed request syntax
401 Unauthorized           Authentication required or failed (response carries WWW-Authenticate)
403 Forbidden              Server understood the request but refuses to authorize it (insufficient privileges)
404 Not Found              Requested resource does not exist on the server
500 Internal Server Error  Server hit an unexpected error while processing the request
Status codes are grouped by first digit: 2xx success, 3xx redirection, 4xx client error, 5xx server error.
HTTP/S Protocol Basics
HTTPS
HTTP is a clear-text protocol: anyone able to sniff the network path (the same Wi-Fi, a compromised router, an ISP) can read and modify the traffic between the user and the server.
This is where HTTPS comes into action. HTTPS is HTTP carried over SSL/TLS, which encrypts the data in transit and authenticates the server to the client with a certificate.
SSL/TLS: Secure Sockets Layer / Transport Layer Security. SSL is the deprecated predecessor of TLS; all SSL versions are broken and modern deployments should offer TLS 1.2 or 1.3 only, although the name "SSL" is still used informally.
HTTP/S Protocol Basics
HTTPS
HTTPS gives the session server authentication, confidentiality and integrity:
[Diagram: User <-> Server. Over plain HTTP an attacker on the path can read the connection. With SSL/TLS the channel is encrypted and authenticated, so the application-layer data is protected from the eavesdropper.]
HTTP/S Protocol Basics
Common Myth
"If SSL/TLS is in place, the server cannot be hacked; it is well protected."
SSL/TLS protects only the data in transit between client and server. It does nothing against attacks on the application itself: SQL injection, XSS, CSRF, broken access control and so on travel just fine inside the encrypted channel.
What if the website has an SQLi vulnerability, or any other flaw at the web application level? HTTPS merely delivers the attacker's payload confidentially.
HTTP/S Protocol Basics
References
HTTP status code definitions (RFC 2616 section 10; the definitions were later revised in RFC 7231 section 6):
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
HTTP methods explained (HEAD, PUT, DELETE, OPTIONS, CONNECT):
https://www.w3schools.com/tags/ref_httpmethods.asp
HTTP headers (must read):
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
1. Web application technologies
Encoding Schemes
Encoding Schemes
In computing, encoding is the process of converting a sequence of characters (letters, numbers, punctuation and symbols) or raw bytes into a specialized format for reliable transmission or storage.
Encoding is not encryption: anyone can reverse it, so it provides no confidentiality. It matters for security because filters, proxies and applications often decode input at different stages, and a payload encoded one way may slip past a check that inspects it in another form.
We will dive into:
• URL encoding (percent encoding)
• Double encoding
• Base64 encoding
Encoding Schemes
URL Encoding
A URL may only contain a limited subset of ASCII characters (RFC 3986), so everything else has to be represented some other way; URL encoding fulfils this requirement.
In URL encoding a character is replaced by a % sign followed by the two hexadecimal digits of its byte value, e.g. a space becomes %20. (In application/x-www-form-urlencoded data, the format used for HTML form submissions and query strings, a space may also be written as +; in a path a + is just a plus sign.)
URL encoding replaces unsafe, reserved or non-ASCII characters with % followed by two hexadecimal digits; a non-ASCII character is first converted to its UTF-8 bytes and each byte is encoded separately.
Encoding Schemes
URL Encoding
Some characters are reserved because they have a meaning in the URL syntax, e.g. / separates path segments. If such a character is meant literally as data, it must be percent-encoded, otherwise the URL parser will interpret it as syntax or reject the URL.
'/' encoded: %2F
The unreserved characters are never encoded as part of URL encoding:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 - . _ ~
They can still be written in encoded form using their ASCII code (A = %41), and a compliant decoder must treat %41 and A as the same character, which is one more way to get past a naive string-matching filter.
http://www.asciitable.com/
Encoding Schemes
URL Encoding
URL encoded characters table:
Character  Encoded    Character  Encoded    Character  Encoded    Character  Encoded
<space>    %20        ;          %3B        ,          %2C        @          %40
=          %3D        \          %5C        "          %22        %          %25
$          %24        [          %5B        :          %3A        +          %2B
<          %3C        ]          %5D        /          %2F        '          %27
>          %3E        {          %7B        #          %23
^          %5E        }          %7D        ?          %3F
`          %60        |          %7C        &          %26
Encoding Schemes
Double Encoding
Double encoding is URL/percent encoding applied twice: the output of the first encoding pass is itself percent-encoded again, whereas normal URL encoding is applied once.
This technique was used in the well-known IIS directory traversal attack of 2001 (../../ or "dot dot slash", smuggled past the path check), and it is still useful for evading filters that decode input only once.
"<" in percent encoding becomes "%3C".
In double encoding only the leading % is encoded again (% itself is %25); the hex digits stay as they are:
%3C -> %25 + 3C = %253C (double encoded)
Encoding Schemes
Double Encoding
Double encoding does not need to be memorised: just put "25" after each % of the URL-encoded string.
URL encoded: / = %2F; double encoded: / = %252F
URL encoded:
http%3A%2F%2Fgrayhat.in%2Fcourses%2FWAPTP
Double encoded:
http%253A%252F%252Fgrayhat.in%252Fcourses%252FWAPTP
Encoding Schemes
Double Encoding
XSS filter evasion using double encoding
[Diagram: Hacker -> XSS filter -> web server]
Double-encoded URL sent by the attacker:
http://grayhat.in/search.php?q=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E
Percent-encoded URL as the XSS filter sees it after decoding once:
http://grayhat.in/search.php?q=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E
The filter decodes the double-encoded payload once, sees only %3Cscript%3E (no literal < or >) and lets the request through. The application then decodes the parameter a second time, at which point it becomes:
http://grayhat.in/search.php?q=<script>alert('XSS')</script>
and the script is reflected into the page and executed. The lesson for defenders: canonicalise (fully decode) input before validating it, and validate at the same layer that consumes it.
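The percent encoding, double encoding and filter-evasion flow above, as an added example that is not part of the course material. It implements RFC 3986 percent encoding over the unreserved set, derives double encoding from it, and then models the slide's scenario: a filter that decodes once against an application that decodes twice, next to a hardened filter that canonicalises input with a bounded decode loop. The filter and application functions are simplified stand-ins written for this example; the payload is the one from the slide.

```python
"""Percent encoding, double encoding, and why a filter that decodes once is bypassable."""
from urllib.parse import unquote

# RFC 3986 unreserved characters: these are never percent-encoded.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

PAYLOAD = "<script>alert('XSS')</script>"  # the slide's payload


def percent_encode(text: str) -> str:
    """Encode every UTF-8 byte of text as %XX except the unreserved characters."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else f"%{byte:02X}")
    return "".join(out)


def double_encode(text: str) -> str:
    """Percent-encode twice: the '%' of every escape becomes '%25', the hex digits stay."""
    return percent_encode(percent_encode(text))


def naive_xss_filter(raw_param: str) -> bool:
    """Stand-in filter that decodes once and blocks on a script tag. True means blocked."""
    decoded = unquote(raw_param)
    return "<script" in decoded.lower()


def app_handles(raw_param: str) -> str:
    """Stand-in application that decodes twice (framework decode plus an explicit urldecode)."""
    return unquote(unquote(raw_param))


def canonicalize(raw_param: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, with a bound so nested encoding cannot stall us."""
    current = raw_param
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError(f"input still changing after {max_rounds} decode rounds; reject it")


def hardened_xss_filter(raw_param: str) -> bool:
    """Check the fully decoded form; treat 'too deeply encoded' as hostile. True means blocked."""
    try:
        return "<script" in canonicalize(raw_param).lower()
    except ValueError:
        return True


if __name__ == "__main__":
    evil = double_encode(PAYLOAD)
    print("double encoded:", evil)
    print("naive filter blocks it:", naive_xss_filter(evil))
    print("application ends up with:", app_handles(evil))
    print("hardened filter blocks it:", hardened_xss_filter(evil))
```

The naive filter passes the double-encoded payload and the application still executes `<script>alert('XSS')</script>`; the hardened filter catches it because it checks the same representation the application will use, and it rejects inputs nested deeper than its decode budget instead of guessing.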
Encoding Schemes
Base64 Encoding
Base64 is an encoding mechanism first used in e-mail (RFC 1421, Privacy Enhanced Mail) to carry binary data such as attachments over channels that only accept ASCII text. It is very common in web applications for session IDs, parameters, embedded media (data: URIs) and HTTP Basic authentication credentials.
Base64 maps every 6 bits of input to one of 64 printable ASCII characters:
▪ A to Z (values 0 to 25)
▪ a to z (values 26 to 51)
▪ 0 to 9 (values 52 to 61)
▪ + (value 62)
▪ / (value 63)
The = sign is not part of the alphabet; it is appended as padding so the output length is a multiple of 4. (The URL-safe variant, base64url, uses - and _ instead of + and / and often drops the padding.)
Base64 is not encryption: a Base64 "token" can be decoded by anyone, so never rely on it to hide secrets.
Encoding Schemes
Base64 Encoding
Base64 encoding process:
• The input byte stream is divided into blocks of 3 bytes.
• The 3 bytes are joined to make 24 bits.
• The 24 bits are split into 4 groups of 6 bits each.
• Each 6-bit group is read as a decimal value (0 to 63) and mapped to one printable character from the encoding table.
• If the last block has only 1 byte of input, it is padded with 2 zero bytes before encoding, and the last 2 output characters (which would encode nothing but padding) are replaced with two equal signs (==).
• If the last block has 2 bytes of input, it is padded with 1 zero byte, and the last output character is replaced with one equal sign (=).
So 3 input bytes always become 4 output characters and the encoded data is about 4/3 the size of the original.
[Base64 encoding table: values 0 to 63 mapped to A-Z, a-z, 0-9, + and / as listed above.]
Encoding Schemes
Base64 Encoding
Example:
Input data:             G
Input bits (bin):       01000111
Padding:                01000111 00000000 00000000
Joined (24 bits):       010001110000000000000000
Divided (6 bits each):  010001 110000 000000 000000
Decimal value:          17     48     (pad)  (pad)
Base64 encoded:         R      w      =      =
Encoded: Rw==
Base64 encoding of "gray hat security": Z3JheSBoYXQgc2VjdXJpdHk=
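The encoding process and the worked "G" example above, as an added example that is not part of the course: a Base64 encoder and decoder written step by step from the slide's algorithm (3 bytes to 24 bits to four 6-bit groups, with padding replaced by =), checked against Python's standard library, plus a small triage helper a tester can use on an opaque cookie or parameter value. The helper's heuristic is this example's own, not anything from the slides.

```python
"""Base64 encoder/decoder written from the slide's algorithm, checked against the standard library."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Encode bytes exactly as the slides describe: 3 bytes -> 24 bits -> 4 x 6 bits -> 4 chars."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        pad = 3 - len(block)                                   # 0, 1 or 2 missing bytes
        bits = int.from_bytes(block + b"\x00" * pad, "big")    # join into 24 bits, zero padded
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if pad:                                                # padding-only chars become '='
            chars[4 - pad:] = ["="] * pad
        out.extend(chars)
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Reverse: 4 chars -> 24 bits -> 3 bytes, dropping the bytes that were only padding."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and not quad.endswith("=" * pad)):
            raise ValueError("at most two '=' are allowed, and only at the end of the last group")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))  # index() rejects junk
        out.extend(bits.to_bytes(3, "big")[: 3 - pad])
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the manual encoder and decoder against the standard library."""
    encoded = b64encode_manual(data)
    return encoded == base64.b64encode(data).decode() and b64decode_manual(encoded) == data


def looks_like_base64(token: str) -> bool:
    """Cheap triage for an opaque cookie or parameter value: alphabet, length and padding all fit."""
    stripped = token.rstrip("=")
    return (
        len(token) % 4 == 0
        and len(token) - len(stripped) <= 2
        and all(c in ALPHABET for c in stripped)
    )


if __name__ == "__main__":
    print(b64encode_manual(b"G"))                     # Rw==
    print(b64encode_manual(b"gray hat security"))     # Z3JheSBoYXQgc2VjdXJpdHk=
    print(b64decode_manual("Z3JheSBoYXQgc2VjdXJpdHk="))
```

When a session cookie passes `looks_like_base64`, decode it: if the result is readable (a user ID, a role, a timestamp) the application is trusting encoded, not protected, data.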
Encoding Schemes
References
URI characters defined in RFC 3986:
https://www.ietf.org/rfc/rfc3986.txt
URL encoding in detail:
https://www.w3schools.com/tags/ref_urlencode.asp
URL encoder/decoder:
http://meyerweb.com/eric/tools/dencoder/
Base64 overview:
https://www.lifewire.com/base64-encoding-overview-1166412
http://base64encode.net/
1. Web application technologies
Same Origin Policy (SOP)
Same Origin Policy
The Same Origin Policy (SOP) is the cornerstone of web application security in the browser.
SOP restricts JavaScript running in one origin from reading or setting properties of documents and responses that come from a different origin.
The browser determines the origin of a document from three components:
Protocol (scheme) : Hostname : Port
For JavaScript to access a resource, all three (scheme, host and port) must match the origin of the script's own document. The path does not matter. When the port is omitted the scheme's default port is used (80 for http, 443 for https), so https://www.grayhat.in and https://www.grayhat.in:443 are the same origin.
Same Origin Policy
Example:
JavaScript code running on https://www.grayhat.in:941
can read resources from (same scheme, host and port; only the path differs):
https://www.grayhat.in:941
https://www.grayhat.in:941/courses
https://www.grayhat.in:941/courses/341
https://www.grayhat.in:941/WAPTP/courses
But cannot read from:
http://www.grayhat.in:941 (different scheme)
https://sec.grayhat.in:941/courses (different host)
https://www.grayhat.in:8087/courses/341 (different port)
https://www.grayhatsec.in:941/WAPTP/courses (different host)
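The origin comparison described above, as an added example that is not part of the course: it computes (scheme, host, port) the way the browser does, including default ports and case-insensitive hosts, and reports for each target URL which component breaks the match. The URLs are the ones from the slide; the default-port table is this example's assumption for the schemes it lists.

```python
"""Origin comparison as a browser does it: scheme, host and port, with default ports filled in."""
from urllib.parse import urlsplit

# Default ports assumed for the schemes this example understands.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) for an absolute URL.

    Hosts are case-insensitive so they are lower-cased; the path, query and
    fragment are ignored because they are not part of the origin.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no default port known for scheme {scheme!r}")
    return (scheme, parts.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True when both URLs belong to the same origin under SOP."""
    return origin_of(a) == origin_of(b)


def classify(script_url: str, targets: list) -> dict:
    """For each target, report 'same-origin' or name the first component that differs."""
    s_scheme, s_host, s_port = origin_of(script_url)
    verdicts = {}
    for target in targets:
        scheme, host, port = origin_of(target)
        if scheme != s_scheme:
            verdicts[target] = "different scheme"
        elif host != s_host:
            verdicts[target] = "different host"
        elif port != s_port:
            verdicts[target] = "different port"
        else:
            verdicts[target] = "same-origin"
    return verdicts


SCRIPT = "https://www.grayhat.in:941"
SLIDE_TARGETS = [
    "https://www.grayhat.in:941/courses",
    "https://www.grayhat.in:941/courses/341",
    "https://www.grayhat.in:941/WAPTP/courses",
    "http://www.grayhat.in:941",
    "https://sec.grayhat.in:941/courses",
    "https://www.grayhat.in:8087/courses/341",
    "https://www.grayhatsec.in:941/WAPTP/courses",
]

if __name__ == "__main__":
    for url, verdict in classify(SCRIPT, SLIDE_TARGETS).items():
        print(f"{verdict:17s} {url}")
```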
Same Origin Policy
A large part of web application security rests on SOP: it is what keeps one site's JavaScript from reading another site's pages, responses and data.
SOP applies to JavaScript DOM access, to AJAX (XMLHttpRequest and fetch) responses, to Flash (which adds its own cross-domain policy file) and to origin-separated storage in the browser such as localStorage, sessionStorage and IndexedDB. Cookies are scoped differently, by domain and path rather than by full origin, which is why they get their own section.
SOP restricts what script can read, not what the browser can load or send. A page can still embed cross-origin resources with HTML tags such as <img>, <iframe>, <script>, <link> and <object>, and can still submit forms to other origins; the response simply cannot be read by the embedding page's script. This is exactly why CSRF works: the request goes out with the victim's cookies whether or not the attacker can see the reply.
Same Origin Policy
References
Same Origin Policy (SOP):
https://www.w3.org/Security/wiki/Same_Origin_Policy
RIA cross domain policy (OTG-CONFIG-008):
https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008)
1. Web application technologies
HTTP Cookies
HTTP Cookies
HTTP cookies were introduced by Netscape in 1994 to give stateless HTTP a way to keep state across requests; server-side sessions are built on top of them.
An HTTP cookie (also web cookie) is a small piece of data sent by the server to the web browser, which stores it (historically in a cookies.txt file, today in a per-profile database).
The browser sends the cookie back to the server with subsequent requests to the same site, so the server can recognise the same client again. A cookie holding a session ID is therefore as sensitive as the password that created the session.
HTTP Cookies
Usually, cookies are used for:
• Session management
• Shopping carts
• Gaming sites remembering scores
• Keeping users logged in
• Tracking user behaviour
Session cookies (no Expires or Max-Age attribute) are discarded when the browser session ends, i.e. when the browser is closed; persistent cookies survive until their expiry date.
HTTP Cookies
A server sets a cookie with the Set-Cookie response header; it can do so in the response to any request from the client browser.
HTTP/1.1 200 OK
Date: Tue, 25 Jul 2017 02:44:25 GMT
Content-Type: text/html
Server: Apache/2.4.27 (CentOS)
Set-Cookie: ID=Value; expires=Sat, 27-Jan-2018 22:36:21 GMT; path=/; domain=.grayhat.in; HttpOnly

The header carries the cookie name and value plus attributes: expiration (Expires or Max-Age), Path, Domain and the flags HttpOnly and Secure.
The browser decides whether to send the cookie on a given request based on the domain, the path, the Secure flag and the expiration date and time.
HttpOnly flag: if set, the cookie cannot be read or written by client-side script (document.cookie). It does not prevent XSS, but it stops an XSS payload from simply exfiltrating the session cookie.
Secure flag: if set, the cookie is sent only over HTTPS, never in clear-text HTTP requests.
Note: the browser attaches the cookie to every matching request. With a Domain attribute it is sent to that domain and all its subdomains; without one it is sent only to the exact host that set it (host-only).
HTTP Cookies
When the server does not set the Domain attribute, the browser scopes the cookie to the exact host it came from and marks it host-only. A host-only cookie is valid for that host alone (e.g. grayhat.in, not sub1.grayhat.in).
If the Path attribute is set, e.g. path=/course/course1, the cookie is sent only for requests whose path equals /course/course1 or starts with /course/course1/, for example:
/course/course1
/course/course1/lesson2
It will not be sent to /videos, /lectures or any other path outside that prefix.
Path is a scoping convenience, not a security boundary: pages at different paths on the same origin are same-origin under SOP and can read each other's cookies through script.
HTTP Cookies
[Diagram, three cases: grayhat.in sets a cookie; sub1.grayhat.in and sub2.grayhat.in then receive GET /login.php HTTP/1.1]

Set-Cookie: v=cookiedata; domain=grayhat.in
Cookie is valid for grayhat.in and all its subdomains (sub1.grayhat.in, sub2.grayhat.in). A leading dot (domain=.grayhat.in) is ignored by modern browsers and means the same thing.

Set-Cookie: v=cookiedata; domain=sub1.grayhat.in
Cookie is valid for sub1.grayhat.in (and its subdomains) only; it is not sent to sub2.grayhat.in. A server at grayhat.in cannot set this cookie at all: the Domain must cover the host that sets it, so this one has to come from sub1.grayhat.in itself.

Set-Cookie: v=cookiedata;
No Domain attribute: the cookie is host-only and valid for grayhat.in alone, not for any subdomain.
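The domain, path and host-only rules from the Set-Cookie slides above, as an added example that is not part of the course. It implements the RFC 6265 domain-match and path-match rules, the storage rule that a server may only set a Domain covering its own host, the Secure-flag check, and a small attribute audit of the kind a tester reports for a session cookie. Expiry is deliberately left out. The cookies are the ones from the slides plus one constructed path/Secure example.

```python
"""RFC 6265 cookie scoping (domain-match, path-match, host-only) plus a Set-Cookie attribute audit."""


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into name, value and a lower-cased attribute dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or cookie path is a prefix that ends in '/' or is followed by '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(header: str, request_host: str) -> dict:
    """Apply the storage rules: a Domain that does not cover request_host is rejected
    (the browser ignores the cookie); no Domain means host-only."""
    cookie = parse_set_cookie(header)
    domain = cookie["attrs"].get("domain", "").lower().lstrip(".")  # leading dot is ignored
    if domain:
        if not domain_match(request_host, domain):
            raise ValueError(f"{request_host} may not set a cookie for domain {domain}")
        cookie.update(domain=domain, host_only=False)
    else:
        cookie.update(domain=request_host.lower(), host_only=True)
    cookie["path"] = cookie["attrs"].get("path") or "/"
    return cookie


def would_send(cookie: dict, host: str, path: str, https: bool) -> bool:
    """Decide whether the browser attaches this cookie to a request (expiry ignored here)."""
    if cookie["host_only"]:
        host_ok = host.lower() == cookie["domain"]
    else:
        host_ok = domain_match(host, cookie["domain"])
    secure_ok = https or "secure" not in cookie["attrs"]
    return host_ok and path_match(path, cookie["path"]) and secure_ok


def audit(header: str) -> list:
    """Findings a tester would report about a session cookie's attributes."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie (XSS theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over clear-text HTTP")
    if "domain" in attrs:
        findings.append("Domain set: shared with every subdomain of " + attrs["domain"].lstrip("."))
    return findings


if __name__ == "__main__":
    c = store_cookie("v=cookiedata; domain=grayhat.in", "grayhat.in")
    print("sent to sub2.grayhat.in:", would_send(c, "sub2.grayhat.in", "/login.php", https=False))
    print(audit("ID=Value; expires=Sat, 27-Jan-2018 22:36:21 GMT; path=/; domain=.grayhat.in; HttpOnly"))
```

Run `audit` on the slide's own Set-Cookie header and it reports the missing Secure flag and the subdomain-wide Domain, which is the same finding you would write up for a session cookie on a site that also serves user-controlled subdomains.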
HTTP Cookies
References
HTTP cookies explained:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
RFC 6265: how a server installs a cookie in the browser and how cookies behave:
https://tools.ietf.org/html/rfc6265
1. Web application technologies
CORS
CORS
Cross-Origin Resource Sharing (CORS) is a browser mechanism, driven by HTTP response headers, that lets a server relax the Same Origin Policy and allow scripts from specific other origins to read its responses.
[Figure: cross-origin request flow. Source: https://developer.mozilla.org]
CORS gives a controlled access-control mechanism for cross-origin data transfer: the server states which origins may read which resources, and the browser enforces that decision.
SOP blocks a script from reading cross-origin responses, but legitimate applications need cross-origin access: style sheets and web fonts, image and video data read from script, and above all API calls made with XMLHttpRequest or fetch to a different domain.
To overcome these limitations without dropping SOP entirely, browsers implement Cross-Origin Resource Sharing. Because it loosens the browser's default protection, a CORS policy that is too permissive (for example trusting any origin that asks) directly exposes authenticated data to attacker-controlled sites.
CORS
References
Cross-Origin Resource Sharing (CORS) detailed explanation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
