Skip to main content

CEH v10: 14 Hacking Web Applications

Certified Ethical Hacker v10 Chapter 14: Hacking Web Applications.

Terminology

Web Applications are that applications that is running on a remote application server and available for clients over the internet.

Server Administrators are responsible for the web server's safety, speed, functioning and performance.

Application Administrators are responsible for the management and configuration required for the web application.

Clients are the endpoints which interact with the web application / server.

How Web Applications work?

Front-end < - > Back-end

Users are interacting with the front-end. The processing was controlled and processed by the back-end.

Server-side languages:

  • PHP
  • Java
  • C#
  • Python
  • JavaScript
  • many more...

Client-side languages:

  • CSS
  • JavaScript
  • HTML

Layers of Web Applications

  • Presentation Layer is responsible for displaying the information to the user.
  • Logical Layer : manipulate information to and from the forms.
  • Data Layer : hold the data for the application.

Web 2.0

In web 1.0, the users are limited to passive viewing the content.

In web 2.0, the users can interact and collaborate, it contain rich user experience, dynamic content.

Web Application Threats

  • Cookie poisoning
  • Insecure storage
  • Information leakage
  • Directory traversal
  • Parameter/Form tampering
  • DOS attack
  • Buffer overflow
  • Log tampering
  • SQL injection
  • Cross-site Script
  • Cross-site Request Forgery
  • Security misconfiguration
  • Broken session management
  • DMZ attacks
  • Session hijacking
  • Network access attacks

Unvalidated input

Process an non-validated input from the client to the back-end. This is a major vulnerability, this is the basics of injection attacks (SQL injection, xss, buffer overflow).

Parameter / Form Tampering

Parameter tempering is an attack, where the attacker manipulate the parameter while client and server are communicating with each other. Parameters such as Uniform Resource Locator (URL) or web page form fields are modified (cookies, HTTP Header, form fields).

Injection Flaws

Works if a web application allows untrusted input to be executed.

  • Malicious code injection
  • File injection
  • SQL injection
  • Command injection
  • LDAP injection

SQL Injection

Injection of malicious SQL queries. Attacker can manipulate the database These vulnerabilities can be detected by using an automated scanner.

Command Injection

  • Shell injection
  • File injection
  • HTML embedding

LDAP Injection

Attacker can access the database using LDAP filter to search information.

DoS Attack

  • User Registration DoS : an automated process, the attacker keep registering fake accounts.
  • Login DoS : attacker keep sending login requests.
  • User Enumeration : attacker brute force login credentials with a dictionary attacks.
  • Account Lock : attacker attempt to lock the user account by attempting invalid passwords.

Web Application Hacking Methodology

Analyze Web Application

  • Observing functionality
  • Identify vulnerabilities, entry points, servers
  • HTTP request analyze
  • HTTP fingerprinting
  • Hidden content discovery

Attack Authentication

Exploit the authentication mechanism:

  • Username enumerate
  • Cookie exploitation
  • Session attacks
  • Password attacks

Authorization Attack Schemes

  • Accessing the web application with low level privilege account, then escalate privileges to get information
  • Parameter tampering (URL, POST data, Query string, cookies, HTTP header)

Session Management Attack

Impersonate a legitimate user.

Session hijacking techniques:

  • Session token prediction
  • Session token tampering
  • Man-in-the-Middle attack
  • Session replay

Injection Attacks

Inject malicious code, commands and files.

Techniques:

  • Web Script injection
  • OS Command injection
  • SMTP injection
  • SQL injection
  • LDAP injection
  • XPath injection
  • Buffer Overflow
  • Canonicalization

Data Connectivity Attack

Exploit the data connectivity between application and its database. Data connection requires a connection string.

  • Connection String Injection
  • Connection String Parameters Pollution (CSPP)
  • Connection Pool DoS

Countermeasures

Percent Encoding

Percent Encoding or URL Encoding is a technique for secure handling of URL by replaces unsafe and non-ascii characters with % followed by two hexadecimal digits.

Example:

%20 or + both are used for SPACE

In URL:, there are some reserved character such as '/' that is used to separate paths in URL. To use this not as separator, then it must be encoded.

%2F used for '/'

Full list of percent encoded characters here

HTML Encoding

HTML Encoding specify how special character will shown.

SQL Injection Contermeasures

  • Input validation
  • Customized error messages
  • Monitoring database traffic
  • Limit length of user input

XSS Attack Countermeasures

  • Testing tools
  • Filtering meta
  • Filtering output

DOS Attack Countermeasures

  • Reverse proxy
  • Remove unnecessary functions
  • Secure remote administration
  • Firewall
  • IDS

Other Countermeasures

  • Dynamic testing
  • Source Code analysis
  • Strong cryptography
  • Use SSL
  • Hotfixes / patches
  • Cookie timeout