Major Flaws in Web Applicaitons

  • Client-side flaws are targeted flaws and exploit the client-side technologies such as AJAX JSON,and flash code to extract information from the client.
  • Directory browsing

    • DirBuster(come as an add-on to the WebScarab proxy,but can still find standlone application).Look out for backup files and renamed files by including the .bak and .old extension in the scan.

    • Comments in HTML code(use with Webscarab)

    • Mitigation:Directory browsing is a per-directory setting and it needs to be verified on each directory.In Apache ,you can use .htaccess file to override the individual directory setting and in IIS web server ,the directory permission can ben set by using the IIS manager or the appcmd command.

    • Authentication protocols and flaws:

      • Basic authentication(using the Basse64 encoding which is very easy to reverse and acquire the clear text)
      • Digest authentication(It introduced a nonce value that is used as a salt when the client shares the authentication credentials with the server.In addition to the nonce value,the MD5 hash of the password is sent instead of the Base64 encoded value.)
      • Intergrated authentication(When a user access a website that leverages intergrated authentication and is part of the same domain as the user,the client passes the token and the user is granted access to the application.LANMAN,NTLMv1,and NTLMv2 are the underlying challenge/response protocols used for the authentication that is seamless)
      • Form-based authentication
  • Brute forcing credentials:

    • Hydra:hydra 192.168.1.8 http-form-post "/form_auth/login.php:user=^USER^&pass=^PASS^:Rejected" -L user.txt -P pass.txt -t 10 -w 30 -o hydra.txt
    • There are the variable used to take input which can again be determined by viewing the source by using Ctrl+U in Firefox
  • Path traversal:

    • The most basic path traversal attack is using the ../ sequence to modify the resource request through the URL. The expression ../ is used in operating systems to move up one directory.The attacker has to guess the number of directories that he needs to move up and outside the web root which can easily be done using trial and error. If the attacker wants to move up three directories then he or she would use ../../../.
    • a malicious user may encode the absolute path to a system file into a web form and view it directly in the browser.Check whether a web server is vulnerable to traversal attack by encoding ../ in the URL

1)http://tastlab.org/..%255c..%255c..%255cboot.ini #encoding ../ in the URL 2)http://testlab.com/../../../../etc/shadow #attack to view the contents of the shadow file 3)http://testlab.com/../Windows/System32/cmd.exe?/c+dir+c:/ #attempt to invoke the cmd utility and run the dir c:\ command. (4)http://testlab.com/scripts/foo.cgi?page=../scripts/test.cgi%00txt #attempt to expose the source code of test.cgi file.

- **Attacking path traversal using Burp proxy**:An experienced attacker can navigate the filesystem and acquire the source code files if the application is vulnerable to path traversal attack.
  • Injection-based flaws(SQL injection and command injection attacks are the most common ones)

    • Command injection: command injection

    • SQL injection:can edit cookies,headers,or XML requests to submit malicious data back to the server.The manual method to discover a flaw is by using a proxy such as Burp ,Paros,or ZAP and injection data in the various fields.

  • Cross-site scripting(clitne-side attack)

    • the attack potential of the XSS flaw is not just limited to attacking the same website or stealing information from the browser;the attacker can also use it ot target other website.Here’s an illustration of cross-site scripting attack: xss

    • An easy way to indentify whether a web page is vulnerable to an XSS attack is by using the following harmless script in the input fields of the form.If a dialog box is displayed,the web application is note filtering the metacharacters and is vulnerable to an XSS attack:<script>alert("Vulnerable to XSS!!");</script>

    • XSS vulnerabilities:

      • Persistent or stored XSS flaws
      • Non persistent or reflected XSS flaw
    • Attack potential of cross-site scripting attacks

      • Steal user password and cookies
      • Scan other website and servers
      • Engage the browser into transctions on the vulnerable server without user knowledge
      • Redirect the user to another website
      • Steal files from the victims computer
  • Cross-site request forgery:Cross-site request forgery attack is also known as ont-click or session riding attack.Using random tokens,known aas Anti-CSRF tokens that change on every request,is also a good mitigation step as attacker would note know this dynamically changing random token.

  • Session-based flaws

    • Ways to steal tokens(Zed attack Proxy,Burp proxy,WebScarab:

      • Brute forcing a predictable session token
      • Sniffing a token over the wire
      • Compromising asession token using client-side attacks(XSS or malicious JavaScript)
      • Man-in-the-middle attack
  • Session fixation attack

  • File inclusion vulnerability:

    • Remote file include:PHP is most widely attacked by a remote file include vulnerability.

    • Local file include:Although the following URLs look exactly the same,they might represent entirely different attacks:

        - http://testdemo.org/mydata/info.php?file=../../../temp/shell.php
        - http://testdemo.org/mydata/info.php?file=../../../temp/shell.php
      
    • If the first URL exploits a path traversal issue,the shell.phpcontents will be displayed as text.If the second URL exploits a local file inclusion,the shell.phpcontents will be processed as PHP code and executed.

    • Here’s a snippet of code that is vulnerable to a local file inclusino attack:

    1
    2
    3
    4
    5
    
    <?php
    $file=$_GET['file'];
    {
        include("pages/$file")
    }
    
1
2
3
4
5
6
7
8
9

	- A cool attack that uses LFI is log poisoning.When make an invalid request,it gets logged on the server.If it's an Apache web server,it gets logged into the `error.log`file.Seeing that the `server logs`everything that generates an error,you can influence the content of the `error.log`file.As part of the LFI vulnerability,we can inject in PHP code along with some invalid data that would generate an error butt would also get logged into the error.log file.Now,the attacker can execute the PHP code within the `error.log`file by doing something similar to the following:`http://vulnerable.com/include.php?file=../../../../var/log/apache2/error.log`

- HTTP parmeter pollution:

	- Mitigation:The application fails to perform proper input validation which makes it overwrite hard coded values.Whitelisting expected parameters and their values should be included in the application logic and the input from the user should be sanitized against it.Web application firewalls that have been tuned to understand the flaw that can track multiple occurrences of the variable should be used to handle filtering 

- HTTP response splitting