Web Exploitation
Web exploitation is attacking and taking advantage of a vulnerability in a computer system through a web application. There are numerous ways to exploit vulnerabilities, so only some of the basics are covered here. Any of the topics below can on its own be dangerous enough to cripple an entire server or website, give enough access to remotely take over daemons and services and "spawn a shell," or lead to system- or root-level access.
Escape Strings
Null bytes, escape strings, and SQL injection all work the same way. A combination of characters that a computer receives as user input is called a string. In many languages strings are truncated by null bytes, or by other escape sequences. In other words, if the computer sees a null byte within the user input, it assumes that the null byte is the end of the input, allowing an attacker to inject malicious code into the space between the real end of the input and what the computer believes to be the end of the input. So, for example, null [[Byte|bytes]] are sometimes used to perform directory traversal. IIS web servers hold all of the information for their web serving in C:\InetPub; however, the attacker wants to see the C drive itself. As a result, the attacker requests:
/%00../
Directory Traversal & Null Bytes
The "%00" is a null byte. The string of characters "../" is a request for the higher-level (parent) directory. Ordinarily, the HTTP server would never show you the higher-level directory; however, because it doesn't realize that the higher-level directory was asked for, the attacker is able to look at it. The web server only sees the domain, because the %00 blinds it to the %00 and everything after it; however, when it processes the request to retrieve the file, the request is to view "../", which is the higher-level directory.
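The mismatch described above, with the checking layer seeing the whole string while the file-opening layer stops at the null byte, as an added Python illustration that is not from the original page. The web root, file names and the `c_string_view` model of a NUL-terminated API are constructed for the example; Python's own `open()` refuses embedded null bytes, so the truncation is modelled rather than performed, and the hardened resolver shows the defender's fix.

```python
import os
from urllib.parse import unquote

# Constructed document root for this example (not a path from the page).
WEB_ROOT = os.path.normpath("/var/www/html")


def c_string_view(s: str) -> str:
    """Model a NUL-terminated C API (the file-opening layer): it reads
    the string only up to the first null byte, so anything after it is
    invisible. This is the truncation the section describes."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def naive_resolve(request_path: str) -> str:
    """Vulnerable pattern: the extension check runs on the full decoded
    string, but the file layer (modelled as a C string) stops at %00, so
    the name that was checked and the name that gets opened differ."""
    decoded = unquote(request_path)          # "%00" becomes "\x00"
    if not decoded.endswith(".html"):
        raise PermissionError("only .html pages may be served")
    name = c_string_view(decoded).lstrip("/")
    return os.path.normpath(os.path.join(WEB_ROOT, name))


def safe_resolve(request_path: str) -> str:
    """Hardened resolver: reject null bytes outright, check the extension,
    then confirm the normalised path still lies under WEB_ROOT, which
    also blocks plain "../" traversal that uses no null byte at all."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("null byte in request path")
    if not decoded.endswith(".html"):
        raise PermissionError("only .html pages may be served")
    full = os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/")))
    if os.path.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise PermissionError("request escapes the web root")
    return full


def is_rejected(resolver, request_path: str) -> bool:
    """True when the resolver refuses the request (used for checking)."""
    try:
        resolver(request_path)
    except (ValueError, PermissionError):
        return True
    return False
```

The paths are POSIX-style; on Windows `os.path.normpath` would rewrite the separators and the expected strings would differ.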
Other Escape Strings
A null byte is one small example of an "escape string". An escape string is any character, or combination of characters, that a program will recognize as the end of user input. For example, the escape string used in SQL injection is usually an apostrophe ('), or %27, which is the URL-encoded representation of an apostrophe. Remote SQL injection vulnerabilities affect databases. SQL is widely used by things like shopping carts, forums, and dynamic web sites such as MySpace, deviantart, and facebook, as well as by banks, credit unions, and other financial institutions. When SQL injection can be successfully exploited, it is a critical vulnerability in the affected site and should be patched immediately, because it may lead to the compromise or loss of customer data, employee data, financial data, or anything else stored in the SQL database. SQL injection has two attack vectors: one in a URL, the other in a web-based form.
Penetration testing a site is different from penetration testing a network, and different from penetration testing a server. It is worth pointing out, however, that compromising the web application layer can sometimes lead to compromising the server, and compromising the server can sometimes lead to compromising the web application layer.
Web Applications
Taking a few steps back: many web sites run web applications in order to serve dynamic content. Usually this includes an SQL database backend of some sort, and the web applications themselves (forums, talkboards, content management systems, and blogs) are generally written in (but not limited to) PHP, Python, Perl, ASP, ASPX (.NET 2.0+), Ruby, or another form of CGI. Other kinds of web exploitation include XSS, CSRF, and file inclusion.
Tools
- Nikto
- Wikto
- Absinthe