
Difference between revisions of "Category:Web exploitation"

From NetSec
(Created page with "== Introduction == Web exploitation is the attacking and taking advantage of a vulnerability in a computer system through a web application. There are n...")
 
 
(26 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Introduction ==
+
'''Web exploitation''' is the attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web applications|web application]]. There are numerous ways to [[exploitation|exploit]] [[vulnerability|vulnerabilities]] so only some of the basics will be covered here. The topics and tools covered in this series can be dangerous enough to compromise an [[HTTP]] server's ''[[database]]'', ''source code'', or ''allow a remote [[operating system]] level shell''.
  
Web exploitation is the attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web applications|web application]]. There are numerous ways to exploit [[vulnerability|vulnerabilities]] so only some of the basics will be covered here. The topics covered in this series can be dangerous enough to compromize an [[HTTP]] server's [[database]], code, or allow a remote shell.
+
When testing a domain for [[security]] problems, it is different than penetration testing a network, and different than assessing the vulnerability of a server. However, compromising one of these layers may result in the other proximal layers being compromised in the future. [[Web application]] vulnerabilities are currently the amongst the most prominent vulnerabilities exploited by [[cybercriminals]].
  
Many web sites run [[web applications]] for the purpose  of dynamic content. Usually this would include an [[SQL]] [[database]]  backend of some sort, and a [[web applications|web application]] (like forums, talkboards,  content management systems, and blogs) to interface with the [[SQL]] [[database]].  Therefore the affected languages are anything that can be used as an interface over [[HTTP]] to dynamic content.
+
<font size="-2">Special thanks to [[User:hatter|hatter]] for his contributions to this article.</font>
 +
 
 +
{{info|<center>The insecure accessing and saving of ''dynamic content'' is the chief source of most [[web exploitation]] problems.</center>}}
 +
{{social}}
  
When penetration testing a site, it is  different than penetration testing a network, and different than  penetration testing a server. However, it is good to point out, that by  compromising one of these layers, the other layers can be compromised in the future.  Web application vulnerabilities are currently the most prominent vulnerabilities exploited by [[cybercriminals]].{{warning|Exploiting these vulnerabilities against targets which you do not own without written authorization could criminalize you in many countries and most likely the one you live in.}}
 
  
 
== Affected Languages ==
 
== Affected Languages ==
 +
Many web sites run [[web applications]] for the purpose of '''dynamic content'''. Usually this would include an [[SQL]] [[database]]  backend of some sort, and a [[web applications|web application]] (like forums, talkboards, content management systems, and blogs) to interface with the [[SQL]] [[database]].  Therefore the affected [[programming language]]s are anything that can be used as an interface over [[HTTP]] to dynamic content, but are usually one of many [[interpreted languages]].
  
 
*[[PHP]]
 
*[[PHP]]
 
*[[Perl]]
 
*[[Perl]]
 +
*[[Ruby]]
 +
*[[Python]]
 
*[[CFM]]
 
*[[CFM]]
 
*[[ASP]]
 
*[[ASP]]
*[[Ruby]]
+
 
*[[Python]]{{warning|Any [[CGI]] interfaced language may also be vulnerable to web exploitation.}}
+
*Any [[CGI]] interfaced language may also be vulnerable to web exploitation.
  
 
== Types of Exploitation ==
 
== Types of Exploitation ==
{{notice|[[Vanguard]] can be used to test for many of these [[Vulnerability|vulnerabilities]].}}
+
 
*'''[[XSS|Cross Site Scripting]]'''{{info|XSS can be used to [[Cookies|capture logins and sessions]] or a page redirect if a user clicks a malicious link.}}
+
:<i>[[Vanguard]] can be used to test for many of these [[Vulnerability|vulnerabilities]].</i>
*'''[[SQL injection|SQL Injection]]'''{{info|[[SQL]] injection can be used to copy, modify, or delete the affected application's [[database]], and in some cases create a remote shell on the affected system, and sometimes [[SQL Backdoors|can allow an attacker to backdoor a web application]].}}
+
 
*'''[[File Inclusion|File Inclusion]]'''{{info|File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to [[database]] manipulation and file tampering.}}
+
'''[[XSS|Cross Site Scripting]]'''
*'''[[Command Injection]]'''{{info|Command injection effectively hands a remote shell to an attacker by arbitrary [[bash]] or [[MS-DOS]] command execution.}}
+
*XSS can be used to [[Cookies|capture logins and sessions]] or a page redirect if a user clicks a malicious link.
*'''[[CSRF|Cross Site Referral Forgery]]'''{{info|CSRF allows an attacker to perform actions as any unsuspecting [[user]] that clicks a link or loads a page on a separate domain from the affected site while logged into the affected site.}}
+
'''[[SQL Injection]]'''
*'''[[XSCF|Cross Site Content Forgery]]'''{{info|XSCF Sends different data to different hosts.  This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent while normal users are directed to something malicious.}}
+
*[[SQL]] injection can be used to copy, modify, or delete the affected application's [[database]], and in some cases create a remote shell on the affected system, and sometimes [[SQL Backdoors|can allow an attacker to backdoor a web application]]. [[Blind SQL injection]] can be used to [[Mysqli-blindutils|retrieve data without the data ever appearing in band]].
*'''[[XSRF]]'''([[XSS]] mixed with [[CSRF]]){{info|XSRF is using XSS to produce a same-domain URL that will perform actions as the logged in user via a CSRF attack.}}
+
'''[[File Inclusion|File Inclusion]]'''
*'''[[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|Mass Assignment Abuse]]{{info|Mass assignment abuse can allow an attacker to directly overwrite database values without having to write any [[SQL]] queries and without the use of [[SQL injection]].}}
+
*File inclusion vulnerabilities can be [[Lfi_autopwn.pl|exploited to create a remote shell]], which can lead to [[database]] manipulation and file tampering.
 +
'''[[Command Injection]]'''
 +
*Command injection effectively hands a remote shell to an attacker by arbitrary [[bash]], [[MS-DOS]], or native command-line execution.
 +
'''[[CSRF|Cross Site Referral Forgery]]'''
 +
*CSRF allows an attacker to perform actions as any unsuspecting [[user]] that clicks a link or loads a page on a separate domain from the affected site; a user's vulnerability is limited to the time spent while logged into the affected site.
 +
'''[[XSCF|Cross Site Content Forgery]]'''
 +
*XSCF Sends different data to different hosts.  This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent, while unsuspecting users are directed to something of the attacker's choosing. This could range from a prank to a [[Bleeding Life|web browser drive-by exploit]], similar to [[XSS]]
 +
'''[[XSRF]]'''([[XSS]] mixed with [[CSRF]])
 +
*XSRF is using XSS to produce a same-domain URL that will perform actions as the logged in user via a [[CSRF]] attack.
 +
'''[[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|Mass Assignment Abuse]]
 +
*[[Mass assignment]] abuse can allow an attacker to directly overwrite [[database]] values without having to write any [[SQL]] queries and without the use of [[SQL injection]].
  
 
== Attack Vectors ==
 
== Attack Vectors ==
  
*'''[[HTTP]] GET request parameters''' (Variables in the URL){{notice|Rewritten or "clean" URL's can have GET parameters too!  [[HTTP]] HEAD requests can also exploit poor input sanitizing in these parameters.}}
+
*'''[[HTTP]] GET request parameters''' (Variables in the URL)
*'''[[HTTP]] POST request parameters''' (Fields and fieldsets in web forms){{notice|You can send post parameters to a URL that has GET parameters!}}
+
''Rewritten or "clean" URL's can have GET parameters too!  [[HTTP]] HEAD requests can also exploit poor input sanitizing in these parameters.''
*'''[[HTTP]] Header parameters'''  (Variables passed by header information){{notice|This includes cookies, user agents, connection type, and more}}
+
*'''[[HTTP]] POST request parameters''' (Fields and fieldsets in web forms)
 +
''You can send post parameters to a URL that has GET parameters!''
 +
*'''[[HTTP]] Header parameters'''  (Variables passed by header information)
 +
''This includes cookies, user agents, connection type, and more''
  
 
== Fingerprinting ==
 
== Fingerprinting ==
{{notice|[[Kolkata]] is a useful tool for fingerprinting [[web applications]].}}
+
 
 +
{{info|[[Kolkata]] is a useful tool for fingerprinting [[web applications]].}}
 +
 
 
Because web vulnerability identification sometimes requires that you identify the backbone of a particular web configuration, fingerprinting is commonly used as a medium to gain information about commonly used platforms in an attempt to identify them through common fingerprints.  
 
Because web vulnerability identification sometimes requires that you identify the backbone of a particular web configuration, fingerprinting is commonly used as a medium to gain information about commonly used platforms in an attempt to identify them through common fingerprints.  
  
 
These might include things such as common headers, footers, comments in code- or simply the existence of a very particular page. Fingerprinting is a key aspect in determining vulnerabilities in specific software packages, and might also be used in conjunction with a search engine in order to get large lists of vulnerable hosts through searching for a single commonality.
 
These might include things such as common headers, footers, comments in code- or simply the existence of a very particular page. Fingerprinting is a key aspect in determining vulnerabilities in specific software packages, and might also be used in conjunction with a search engine in order to get large lists of vulnerable hosts through searching for a single commonality.
  
== Tools ==
+
== Web Exploitation Tools ==
 
===In House===
 
===In House===
*[[Kolkata]]
+
*[[Kolkata]] - Web application static file analysis based fingerprinting engine with yml based configuration
*[[Vanguard]]
+
*[[Vanguard]] - Web application [[vulnerability]] testing and [[exploitation]] framework
*[[Lfi_autopwn.pl]]
+
*[[Lfi_autopwn.pl]] - A [[file inclusion]] based exploit utility to emulate a remote shell
*[[MySql 5 Enumeration]]
+
*[[mysqli-blindutils]] - A series of scripts and proofs of concepts for blind [[SQL injection]]
*[[GScrape]]
+
*[[GScrape]] - Google dork testing engine
  
===Third party:===
+
===Third party===
 +
*[http://portswigger.net/burp/ BurpSuite]
 
*[http://cirt.net/nikto2 Nikto]
 
*[http://cirt.net/nikto2 Nikto]
 
*[http://www.sensepost.com/labs/tools/pentest/wikto Wikto]
 
*[http://www.sensepost.com/labs/tools/pentest/wikto Wikto]
 
*[http://www.0x90.org/releases/absinthe/ Absinthe]
 
*[http://www.0x90.org/releases/absinthe/ Absinthe]
*[http://portswigger.net/burp/ BurpSuite]
 
 
*[https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Webscarab]
 
*[https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Webscarab]
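Review bot: the link text `[[CSRF|Cross Site Referral Forgery]]` (present in the old `*'''...'''` bullet and carried over into the new `'''...'''` heading) mis-expands the acronym; CSRF stands for Cross-Site Request Forgery, so the display text should be corrected while keeping the `[[CSRF|...]]` target. Two smaller points in the same hunk: `{{social}}` is inserted right after the `{{info|...}}` box in the introduction although the unchanged `{{exploitation}}{{social}}` footer line already transcludes it, so it will render twice; and the new XSCF bullet reads `*XSCF Sends different data` with a stray capital and no terminating period after `similar to [[XSS]]`.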
  
Line 57: Line 77:
  
 
{{exploitation}}{{social}}
 
{{exploitation}}{{social}}
 +
<div style="clear:both;"></div>
  
  
[[Category:Exploitation]]
+
{{social}}
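Review bot: the added `{{social}}` after `[[Category:Exploitation]]` duplicates the `{{social}}` already transcluded on the unchanged `{{exploitation}}{{social}}` line a few lines above; keep one occurrence. Also consider placing the added `<div style="clear:both;"></div>` before the category tag so that `[[Category:Exploitation]]` stays the last line, as is usual for wiki pages.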

Latest revision as of 15:12, 13 May 2013

Web exploitation is the act of attacking and taking advantage of a vulnerability in a computer system through a web application. There are numerous ways to exploit vulnerabilities, so only some of the basics will be covered here. The topics and tools covered in this series can be dangerous enough to compromise an HTTP server's database or source code, or to allow a remote operating-system-level shell.

Testing a domain for security problems is different from penetration testing a network, and different from assessing the vulnerability of a server. However, compromising one of these layers may result in the other, adjacent layers being compromised later. Web application vulnerabilities are currently amongst the most prominent vulnerabilities exploited by cybercriminals.

Special thanks to hatter for his contributions to this article.

The insecure accessing and saving of dynamic content is the chief source of most web exploitation problems.


Affected Languages

Many web sites run web applications to serve dynamic content. Usually this involves an SQL database backend of some sort, and a web application (such as a forum, talkboard, content management system, or blog) that interfaces with the SQL database. Therefore the affected programming languages are any that can be used as an interface over HTTP to dynamic content, but they are usually interpreted languages:

  • PHP
  • Perl
  • Ruby
  • Python
  • CFM
  • ASP
  • Any CGI-interfaced language may also be vulnerable to web exploitation.

Types of Exploitation

Vanguard can be used to test for many of these vulnerabilities.

Cross Site Scripting

  • XSS can be used to capture logins and sessions, or to redirect a page, if a user clicks a malicious link.

SQL Injection

  • SQL injection can be used to copy, modify, or delete the affected application's database, in some cases create a remote shell on the affected system, and sometimes allow an attacker to backdoor a web application. Blind SQL injection can be used to retrieve data without the data ever appearing in band.

File Inclusion

  • File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to database manipulation and file tampering.

Command Injection

  • Command injection effectively hands a remote shell to an attacker through arbitrary bash, MS-DOS, or native command-line execution.

Cross Site Referral Forgery

  • CSRF allows an attacker to perform actions as any unsuspecting user who clicks a link or loads a page on a separate domain from the affected site; a user is exposed only for the time spent logged into the affected site.

Cross Site Content Forgery

  • XSCF sends different data to different hosts. This way, if a piece of malware is able to recognize the requesting machine as something analyzing it, the malware can return something innocuous, while unsuspecting users are directed to something of the attacker's choosing. This could range from a prank to a web browser drive-by exploit, similar to XSS.

XSRF (XSS mixed with CSRF)

  • XSRF uses XSS to produce a same-domain URL that performs actions as the logged-in user via a CSRF attack.

Mass Assignment Abuse

  • Mass assignment abuse can allow an attacker to directly overwrite database values without writing any SQL queries and without the use of SQL injection.

Attack Vectors

  • HTTP GET request parameters (variables in the URL)

Rewritten or "clean" URLs can have GET parameters too. HTTP HEAD requests can also exploit poor input sanitizing in these parameters.

  • HTTP POST request parameters (fields and fieldsets in web forms)

POST parameters can be sent to a URL that also has GET parameters.

  • HTTP header parameters (variables passed in header information)

This includes cookies, user agents, connection type, and more.
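As an added example (not code from the NetSec page or its tools), this Python helper parses a raw HTTP request and lists every client-controlled input across the three vectors above, showing that a rewritten URL still carries query parameters, that a POST can carry GET parameters as well, and that a HEAD request is not exempt. The host names and values in the sample requests are constructed.

```python
"""Enumerate every client-controlled input in a raw HTTP request.

Added example, not from the NetSec page: a validator must cover query, body
and header inputs (cookies included) for every method, since "clean" URLs
still carry a query string, POSTs also carry GET parameters, HEAD is no exception.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit


def request_inputs(raw: bytes) -> dict:
    """Split a raw request into method, path, query, body, headers and cookies."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)  # a "clean" URL still has a query part
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))  # cookies are just another header input
    body_fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),  # any method
        "body": body_fields,
        "headers": headers,
        "cookies": {k: m.value for k, m in jar.items()},
    }


def input_surface(raw: bytes) -> set:
    """Every input name a validator must handle, tagged with its channel."""
    r = request_inputs(raw)
    return ({"query:" + k for k in r["query"]} | {"body:" + k for k in r["body"]}
            | {"header:" + k for k in r["headers"]} | {"cookie:" + k for k in r["cookies"]})


# Constructed samples: a POST to a rewritten URL that also has a query
# string, and a HEAD request that still carries a parameter.
POST_WITH_QUERY = (b"POST /blog/2013/05/?page=2 HTTP/1.1\r\nHost: example.test\r\n"
                   b"User-Agent: demo-client/1.0\r\nCookie: session=abc123; theme=dark\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"comment=hello&author=bob")
HEAD_WITH_QUERY = b"HEAD /search?q=term HTTP/1.1\r\nHost: example.test\r\n\r\n"
```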

Fingerprinting

Kolkata is a useful tool for fingerprinting web applications.

Because identifying web vulnerabilities sometimes requires identifying the backbone of a particular web configuration, fingerprinting is commonly used to gather information about widely used platforms and to recognise them through their common fingerprints.

These might include common headers, footers, comments in code, or simply the existence of a very particular page. Fingerprinting is a key step in determining vulnerabilities in specific software packages, and might also be used in conjunction with a search engine to obtain large lists of vulnerable hosts by searching for a single commonality.
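As an added example (not from the page, and not the Kolkata tool's code), this Python snippet extracts the fingerprint sources the section names, version headers, a generator meta tag and HTML comments, from a raw HTTP response so a defender can audit what their own server reveals; the product names and versions in the constructed sample are made up.

```python
"""Extract the fingerprints a web response leaks.

Added example, not from the NetSec page or its Kolkata tool: it pulls the
identifier kinds the Fingerprinting section names (version headers, a
generator meta tag, HTML comments) so a defender can audit what a server
reveals before anyone else does.
"""
from html.parser import HTMLParser

# Response headers that commonly carry product and version strings.
LEAKY_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")


class _Collector(HTMLParser):
    """Collects <meta name="generator"> values and HTML comments."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.found.append(("meta-generator", a["content"].strip()))

    def handle_comment(self, data):
        text = " ".join(data.split())
        if text:
            self.found.append(("html-comment", text))


def fingerprints(raw_response: bytes) -> list:
    """Return (source, value) pairs found in a raw HTTP response's headers and body."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    found = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in LEAKY_HEADERS:
            found.append(("header:" + name, value.strip()))
    parser = _Collector()
    parser.feed(body.decode("utf-8", "replace"))
    parser.close()
    return found + parser.found


# Constructed sample response; product names and versions are made up.
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/9.9\r\nX-Powered-By: ExampleLang/0.1\r\n"
          b"Content-Type: text/html\r\n\r\n<html><head>"
          b'<meta name="generator" content="ExampleCMS 3.2">'
          b"<!-- theme: default-2013 --></head><body>hi</body></html>")
```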

Web Exploitation Tools

In House

  • Kolkata - Web application fingerprinting engine based on static file analysis, with yml-based configuration
  • Vanguard - Web application vulnerability testing and exploitation framework
  • Lfi_autopwn.pl - A file inclusion based exploit utility to emulate a remote shell
  • mysqli-blindutils - A series of scripts and proofs of concept for blind SQL injection
  • GScrape - Google dork testing engine

Third party

  • BurpSuite (http://portswigger.net/burp/)
  • Nikto (http://cirt.net/nikto2)
  • Wikto (http://www.sensepost.com/labs/tools/pentest/wikto)
  • Absinthe (http://www.0x90.org/releases/absinthe/)
  • Webscarab (https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)


Web exploitation is part of a series on exploitation.

Pages in category "Web exploitation"

The following 100 pages are in this category, out of 100 total.