
Difference between revisions of "Web Exploitation"

From NetSec
(Tools)
Line 1: Line 1:
Web exploitation is the attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web applications|web application]]. There are numerous ways to exploit [[vulnerability|vulnerabilities]] so only some of the basics will be covered here. Any of the topics covered below by themselves can be dangerous enough to cripple an entire server or website, gaining enough access to even remotely take over daemons and services enough to "spawn a shell," or gain enough access to gain system or root level access.
+
= Web Exploitation =
  
 +
Web exploitation is the attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web applications|web application]]. There are numerous ways to exploit [[vulnerability|vulnerabilities]] so only some of the basics will be covered here. The topics covered in this series can be dangerous enough to compromize an [[HTTP]] server's database, code, or allow a remote shell.
  
 +
Many web sites run [[web applications]] for the purpose  of dynamic content. Usually this would include an [[SQL]] [[database]]  backend of some sort, and a [[web applications|web application]] (like forums, talkboards,  content management systems, and blogs) to interface with the [[SQL]] [[database]].  Therefore the affected languages are anything that can be used as an interface over [[HTTP]] to dynamic content.
  
====Escape Strings====
+
When penetration testing a site, it is different than penetration testing a network, and different than  penetration testing a server. However, it is good to point out, that by  compromising one of these layers, the other layers can be compromised in the future.  Web application vulnerabilities are currently the most prominent vulnerabilities exploited by [[cybercriminals]].{{warning|Exploiting these vulnerabilities without written authorization could criminalize you in many countries and most likely the one you live in.}}
Null [[Byte|bytes]], escape strings, and [[SQL injection]] all work the same way. When a computer sees a combination of characters as user [[input]], it is called a string. In many languages strings are truncated by null [[Byte|bytes]], or by other escape sequences. In other words, if the computer sees a null [[byte|Byte]] in a combination of user [[input]], the computer assumes that the null [[byte|Byte]] is the end of the [[input]], allowing an attacker to inject malicious code into the space between the real end of the [[input]] and what the computer believes to be the end of the [[input]]. So for example, sometimes null [[[Byte|bytes]] are used to perform directory transversal. IIS web servers hold all of their information for their web serving in C:\InetPub; however the attacker wants to see just the C drive. As a result, the attacker requests:
+
  /%00../
+
  
 +
= Affected Languages =
  
====Directory Transversal & Null Bytes====
+
*[[PHP]]
The “%00” is a null [[byte|Byte]]. The string of characters "../" is a request for a higher level directory. Ordinarily, the [[HTTP]] server would never show you the higher level directory, however because it doesn't realize that the higher level directory was asked for, the attacker is able to look at a higher level directory.  The web server only sees the domain because the %00 blinds it to the %00 and everything after it, however when it processes the request to retrieve the file, the request is to view “../”, which is the higher level directory.
+
*[[Perl]]
 +
*[[ASP]]
 +
*[[Ruby]]
 +
*[[Python]]
 +
*Anything powered by [[CGI]]
  
 +
= Types of Exploitation =
  
====Other Escape Strings====
+
*[[XSS|Cross Site Scripting]]{{info|XSS can be used to capture logins and sessions or a page redirect if a user clicks a malicious link.}}
A null [[byte|Byte]] is a small example of an "escape string".  An escape string is any character or combination thereof that a program will recognize as the end of user [[input]]. For example, the escape string used in [[SQL injection]] is usually an apostrophe ('), or %27, which is the bytecode representation of an apostrophe. Remote [[SQL injection]] vulnerabilities affect [[Database|databases]]. [[SQL]] is widely used by things like shopping carts, forums, dynamic web sites like MySpace, deviantart, facebook, and the like, as well as banks, credit unions, and other financial institutions. When [[SQL injection]] can be successfully exploited it is a critical [[vulnerability]] in the affected site and should be [[patched]] immediately, because it may lead to compromise or loss of customer data, employee data, financial data, or anything else stored in the [[SQL]] [[database]][[SQL injection]] has two attack vectors, one in a URL, the other in a web based form.
+
*[[SQL injection]]{{info|SQL injection can be used to copy, modify, or delete the affected application's database, and in some cases create a remote shell on the affected system.}}
 +
*[[Local_File_Inclusion|File Inclusion]]{{info|File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to database manipulation and file tampering.}}
 +
*[[Command Injection]]{{info|Command injection effectively hands a remote shell to an attacker by arbitrary bash or ms-dos command execution.}}
 +
*[[CSRF|Cross Site Referral Forgery]]{{info|CSRF allows an attacker to perform actions as any unsuspecting user that clicks a link or loads a page on a separate domain from the affected site while logged into the affected site.}}
 +
*[[XSCF|Cross Site Content Forgery]]{{info|XSCF Sends different data to different hosts.  This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent while normal users are directed to something malicious.}}
 +
*[[XSRF]] ([[XSS]] mixed with [[CSRF]]){{info|XSRF is using XSS to produce a same-domain URL that will perform actions as the logged in user}}
 +
*Mass Assignment Abuse
  
When penetration testing a site, it is different than penetration testing a network, and different than penetration testing a server. However, it is good to point out, that by compromising the [[web applications|web application]] layer sometimes the server can be compromised, and sometimes by compromising the server, the web application layer can be compromised. 
 
  
 +
= Attack Vectors =
  
====Web Applications====
+
*[[HTTP]] GET request parameters (Variables in the URL){{notice|Rewritten or "clean" URL's can have GET parameters too!}}
Another few steps back. Many web sites run [[web applications]] for the purpose of dynamic content. Usually this would include an [[SQL]] [[database]] backend of some sort, and web [[applications]] (like forums, talkboards, content management systems, and blogs) are generally written in (but not limited to) [[PHP]], [[python]], [[perl]], [[ASP]], [[ASPX (.NET 2.0+)]], [[ruby]], or other form of [[CGI]].  Other web exploitation includes [[XSS]], [[CSRF]], and [[file inclusion]].
+
*[[HTTP]] POST request parameters (Fields and fieldsets in web forms){{notice|You can send post parameters to a URL that has GET parameters!}}
 +
*[[HTTP]] Header parameters  (Variables passed by header information){{notice|This includes cookies, user agents, connection type, and more}}
  
 +
== Tools ==
  
====Tools====
+
*[http://cirt.net/nikto2 Nikto]
*Nikto
+
*[http://www.sensepost.com/labs/tools/pentest/wikto Wikto]
*Wikto
+
*[http://www.0x90.org/releases/absinthe/ Absinthe]
*Absinthe
+
  
 
{{series
 
{{series
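Review bot: the new revision drops the Escape Strings, Directory Transversal & Null Bytes and Other Escape Strings material (the `/%00../` walkthrough and the apostrophe / `%27` discussion) without carrying it into any of the new sections, so the rewritten page now lists exploitation types but no longer explains the input-truncation mechanism behind them; either keep that text under "Types of Exploitation" or make sure the [[SQL injection]] and [[Local_File_Inclusion|File Inclusion]] items point at pages that cover it. Smaller points in the added lines: "compromize" should be "compromise"; "Cross Site Referral Forgery" is not the expansion of CSRF (the item's own info text describes request forgery); the XSCF info text describes malware serving different content to different hosts, which is a cloaking behaviour rather than a web-application vulnerability class, so it reads out of place in this list; and both columns end with an unterminated `{{series` template, so the navbox parameters and closing `}}` are missing as shown here.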

Revision as of 18:43, 26 October 2011

Web Exploitation

Web exploitation is the act of attacking and taking advantage of a vulnerability in a computer system through a web application. There are numerous ways to exploit vulnerabilities, so only some of the basics will be covered here. The topics covered in this series can be dangerous enough to compromise an HTTP server's database or code, or to allow a remote shell.

Many web sites run web applications to serve dynamic content. Usually this involves an SQL database backend of some sort and a web application (such as a forum, talkboard, content management system, or blog) that interfaces with that database. Therefore the affected languages are anything that can be used as an interface over HTTP to dynamic content.

Penetration testing a site is different from penetration testing a network, and different again from penetration testing a server. It is worth pointing out, however, that compromising one of these layers can lead to the other layers being compromised later. Web application vulnerabilities are currently the most prominent vulnerabilities exploited by cybercriminals.

Warning: Exploiting these vulnerabilities without written authorization could criminalize you in many countries, and most likely the one you live in.

Affected Languages

  • PHP
  • Perl
  • ASP
  • Ruby
  • Python
  • Anything powered by CGI

Types of Exploitation

  • Cross Site Scripting (XSS)
    Info: XSS can be used to capture logins and sessions, or to redirect a page, if a user clicks a malicious link.
  • SQL injection
    Info: SQL injection can be used to copy, modify, or delete the affected application's database, and in some cases to create a remote shell on the affected system.
  • File Inclusion
    Info: File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to database manipulation and file tampering.
  • Command Injection
    Info: Command injection effectively hands a remote shell to an attacker through arbitrary bash or MS-DOS command execution.
  • CSRF
    Info: CSRF allows an attacker to perform actions as any unsuspecting user who clicks a link or loads a page on a separate domain from the affected site while logged into the affected site.
  • Cross Site Content Forgery (XSCF)
    Info: XSCF sends different data to different hosts. This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent while normal users are directed to something malicious.
  • XSRF (XSS mixed with CSRF)
    Info: XSRF uses XSS to produce a same-domain URL that will perform actions as the logged-in user.
  • Mass Assignment Abuse
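The SQL injection item above says the database can be copied, modified, or deleted; the following added example (not part of this wiki page) shows why, using Python's standard sqlite3 module and a constructed in-memory users table. The vulnerable login pastes user input into the query string, so an apostrophe in the input ends the string literal and the rest becomes SQL; the hardened login uses query placeholders, so the same input is handled as data. The table contents and the function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data for the example; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2"), ("o'brien", "pa'ss")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The 'before' form: input is spliced into SQL text.

    An apostrophe in either argument closes the string literal early, so
    whatever follows is parsed as SQL. Returns the sorted list of matching
    usernames, or None when the spliced query is no longer valid SQL (which
    also breaks legitimate values such as the username o'brien).
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    try:
        return sorted(row[0] for row in conn.execute(query))
    except sqlite3.Error:
        return None

def login_safe(conn, username, password):
    """The hardened form: '?' placeholders bind the values separately from
    the SQL text, so an apostrophe is just a character inside the value and
    never reaches the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))

if __name__ == "__main__":
    db = make_db()
    # Normal use behaves the same in both forms.
    print(login_vulnerable(db, "alice", "correct horse"), login_safe(db, "alice", "correct horse"))
    # A password consisting of an apostrophe plus a tautology: the spliced
    # query becomes ... AND password = '' OR '1'='1' and matches every row.
    crafted = "' OR '1'='1"
    print(login_vulnerable(db, "alice", crafted), login_safe(db, "alice", crafted))
    # A legitimate apostrophe breaks the spliced query entirely.
    print(login_vulnerable(db, "o'brien", "pa'ss"), login_safe(db, "o'brien", "pa'ss"))
```

The comparison is the point: with placeholders the crafted value returns nothing and the legitimate apostrophe works, while the spliced version either returns every user or raises a syntax error, which is the same defect seen from two sides.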


Attack Vectors

  • HTTP GET request parameters (variables in the URL)
    Notice: Rewritten or "clean" URLs can have GET parameters too!
  • HTTP POST request parameters (fields and fieldsets in web forms)
    Notice: You can send POST parameters to a URL that has GET parameters!
  • HTTP header parameters (variables passed in header information)
    Notice: This includes cookies, user agents, connection type, and more
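To make the three vectors and their notices concrete, here is an added example (written for this page, not code from the wiki or any project it names) that parses one constructed raw HTTP request and lists every value an external client controls: the path segments of a "clean" rewritten URL, the query string that such a URL still carries, the POST body sent to that same URL, and the headers including each cookie. The request text, host name and parameter names are all made up for the example; the point for a defender is that every tuple in the result is untrusted input that the application has to validate.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request (not captured from any real system). The
# rewritten path /articles/2011/10 still carries GET parameters, and the
# body carries POST parameters to that same URL.
SAMPLE_REQUEST = (
    "POST /articles/2011/10?page=2&sort=date HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "comment=hello&author=alice"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def attacker_controlled_inputs(raw):
    """Return every (vector, name, value) triple the client chose.

    Vectors are 'path', 'GET', 'POST', 'header' and 'cookie'; nothing in
    the list was produced by the server, so all of it needs validation.
    """
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    inputs = []
    # Path segments of a rewritten URL are parameters too.
    for i, seg in enumerate(p for p in url.path.split("/") if p):
        inputs.append(("path", "segment%d" % i, seg))
    # GET parameters survive URL rewriting: they live after the '?'.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        inputs.append(("GET", name, value))
    # POST parameters arrive in the body regardless of what the URL holds.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            inputs.append(("POST", name, value))
    # Headers are client-chosen as well; the Cookie header is split per cookie.
    for name, value in headers.items():
        if name == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                inputs.append(("cookie", cname, morsel.value))
        else:
            inputs.append(("header", name, value))
    return inputs

if __name__ == "__main__":
    for vector, name, value in attacker_controlled_inputs(SAMPLE_REQUEST):
        print("%-7s %-15s %s" % (vector, name, value))
```

Only form-encoded bodies are parsed here; a JSON or multipart body is just as much client input and would need its own parser, which is exactly why the list above is longer than the URL alone suggests.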

Tools

  • Nikto (http://cirt.net/nikto2)
  • Wikto (http://www.sensepost.com/labs/tools/pentest/wikto)
  • Absinthe (http://www.0x90.org/releases/absinthe/)

Web Exploitation is part of a series on Web applications; see the Web applications portal for complete coverage.