Web Applications
Software programs that run on web browsers and act as the interface between users and web servers through web pages
Web Application Steps
1. User enters the website name or URL in the browser and the user's request is sent to the web server
2. On receiving the request, the web server checks the file extension for processing
3. Web server passes the user's request to the web application server, which processes the user's request
4. Web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it
5. After processing the request, the web application server finally sends the results to the web server, which in turn sends the results to the user's browser
Web Application Layers
1. Client or presentation layer
2. Business logic layer (Web Server Logic Layer, Business Logic Layer)
3. Database layer
Client or presentation layer
Includes the devices and browsers on the client side that render pages and send requests to the server
Business Logic Layer sublayers
- Web Server Logic Layer
- Business Logic Layer
Web Server Logic Layer
Contains code that reads data from the browser and returns the results
Business Logic Layer
Includes the functional logic of the web application, implemented in server-side code and frameworks
Database Layer
Consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in a structured form
Web Service
An application or software that is deployed over the Internet
Web Service Architecture
Describes the interactions among the service provider, service requester, and service registry
Web Service Roles
- Service Provider
- Service Requester
- Service Registry
Service Provider
The platform that hosts the services and makes them available to requesters
Service Requester
An application or client that is seeking a service or trying to establish communication with a service
Service Registry
The directory where the provider publishes service descriptions so that requesters can discover them
Web Service Operations
- Publish
- Find
- Bind
Publish Operation
During this operation, service descriptions are published to allow the requester to discover the services.
Find Operation
The requester tries to obtain the service description
Bind Operation
The requester calls and establishes communication with the services during run time, using binding data inside the service descriptions to locate and invoke the services
Web Service Artifacts
- Service
- Service Description
Service Artifact
Software module offered by the service provider over the Internet
Service Description Artifact
Provides the interface details and the implementation details of a service
XML
Web services use XML for data representation and transportation
Coarse Grained Service
A combination of multiple fine-grained services
Synchronous Service
Called by a client that blocks and waits for the response before continuing
Asynchronous Service
Called by a client that continues without waiting; the response is delivered later (for example, via a callback or a queue)
Simple Object Access Protocol (SOAP)
An XML-based messaging protocol that defines the format of the messages exchanged between web services
Types of Web Services
- SOAP
- RESTful
Universal Description, Discovery, and Integration (UDDI)
A directory service that lists all the services available
Components of Web Service Architecture
- UDDI
- WSDL
- WS-Security
Web Services Description Language (WSDL)
An XML-based language that describes the interface of a web service: its operations, the messages they exchange, and the endpoints where it can be reached
Web Services Security (WS-Security)
An extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users
OWASP Top 10 Application Security Risks (2021)
- A01 - Broken Access Control
- A02 - Cryptographic Failures
- A03 - Injection
- A04 - Insecure Design
- A05 - Security Misconfiguration
- A06 - Vulnerable and Outdated Components
- A07 - Identification and Authentication Failures
- A08 - Software and Data Integrity Failures
- A09 - Security Logging and Monitoring Failures
- A10 - Server-Side Request Forgery (SSRF)
OWASP Top 10 Application Security Risks A01 - Broken Access Control
Occurs when restrictions on what authenticated users are allowed to do are not properly enforced, letting users act or read data outside their intended permissions
OWASP Top 10 Application Security Risks A02 - Cryptographic Failures
Failures to protect data in transit or at rest: missing or weak encryption, weak algorithms or keys, reuse of old keys, or improper key management
OWASP Top 10 Application Security Risks A03 - Injection
Occur when untrusted data are sent to an interpreter as part of a command or query
OWASP Top 10 Application Security Risks A04 - Insecure Design
During application development, if security controls are not properly implemented considering the latest business risks, various design flaws may occur
OWASP Top 10 Application Security Risks A05 - Security Misconfiguration
Due in part to manual or ad hoc configuration (or no configuration at all); insecure default configurations; open S3 buckets; misconfigured HTTP headers; error messages containing sensitive information; and failure to patch or upgrade systems, frameworks, dependencies, and components in a timely manner (or at all).
OWASP Top 10 Application Security Risks A07 - Identification and Authentication Failures
Functions related to identification, authentication and session management implemented incorrectly, allowing attackers to assume the identities of other users (temporarily or permanently)
OWASP Top 10 Application Security Risks A09 - Security Logging and Monitoring Failures
Occur via insufficient log monitoring, the local storage of logs, inadequate error messages, inappropriate alert mechanisms for failed-login attempts, or applications failing to identify threats in advance
OWASP Top 10 Application Security Risks A10 - Server-Side Request Forgery (SSRF)
A web security vulnerability that arises when an application fetches a remote resource from a user-supplied URL without validating it, letting the attacker make the server send requests to internal or otherwise unintended destinations
Access Control
Refers to how a web application grants access to create, update, and delete any record/content or function to some privileged users while restricting access to other users
SQL Injection
Used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database
Command Injection
Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting a malicious command in the application to execute supplied arbitrary commands on the host operating system
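A command-injection sink beside two hardened versions, as an added example that is not from the original card set. To run offline, `echo` stands in for the network utility (ping, nslookup) such a feature would normally call; the hostname pattern and the payload are constructed for the demonstration.

```python
import re
import subprocess

# Allowlist for the expected data type: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so shell metacharacters
    # in `host` (; | && $( ) `) are interpreted as further commands.
    result = subprocess.run("echo resolving " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_no_shell(host: str) -> str:
    # Argument list, no shell: metacharacters are passed to the program as
    # literal text and are never interpreted.
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    # Defence in depth: validate the input against the allowlist first,
    # then invoke the program without a shell.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return lookup_no_shell(host)


# Constructed payload: a valid-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))
    print("no shell:  ", repr(lookup_no_shell(PAYLOAD)))
    try:
        lookup_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The `echo INJECTED` line appearing on its own in the vulnerable output is the injected command running; in the no-shell version the same text is merely echoed back as an argument.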
LDAP Injection
Websites that construct LDAP statements from user-supplied input are exploited by injecting filter metacharacters to alter the query and launch attacks
XSS
Occur when an application includes untrusted data in a new web page without proper validation or escaping
Unvalidated Input
Refers to a web application vulnerability whereby input from a client is not validated before being processed by web applications and backend servers
Parameter/Form Tampering
Involves the manipulation of parameters exchanged between the client and the server to modify application data such as user credentials and permissions, prices, and quantities of products
Improper Error Handling
It is necessary to define how a system or network should behave when an error occurs. Otherwise, the error may provide a chance for an attacker to break into the system
Insufficient Transport Layer Protection
Occurs when an application fails to protect sensitive traffic flowing in a network
Injecting an SSRF payload
This attack involves selecting a parameter that the application uses to fetch a file or URL (for example, an image URL or a webhook address) and replacing its value with an SSRF payload: a URL that points at an internal host, the loopback address, or a cloud metadata endpoint. The server then makes the request on the attacker's behalf and may return the response in plaintext.
Cross-Site Port Attack (XSPA)
This type of SSRF attack allows attackers to scan for the open ports of a server
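A server-side check for user-supplied URLs that covers both the SSRF payloads and the XSPA port-probing case described in the two cards above. This is an added example, not code from the original card set; the allowed schemes and ports, the sample URLs and the public test address are assumptions for the demonstration.

```python
import ipaddress
import socket
from typing import List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # fixed ports stop XSPA-style probing of arbitrary ports


def _blocked(ip) -> bool:
    # Anything that is not a routable public address is off limits: loopback,
    # RFC 1918, link-local (169.254.169.254 cloud metadata), multicast, etc.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str) -> Tuple[bool, str]:
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    addrs: List = []
    try:
        # Literal addresses, including the bare-integer form http://2130706433/
        # that some parsers accept as 127.0.0.1.
        addrs = [ipaddress.ip_address(int(host) if host.isdigit() else host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False, "unresolvable host"
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]

    for ip in addrs:
        if _blocked(ip):
            return False, f"{ip} is not a public address"
    # Connect to the address that was checked; re-resolving later would let
    # a DNS rebinding answer substitute an internal address.
    return True, f"ok, connect to {addrs[0]}"


# Constructed sample inputs.
SAMPLES = [
    "http://127.0.0.1:8080/admin",
    "http://169.254.169.254/latest/meta-data/",
    "http://2130706433/",
    "http://[::1]/",
    "http://10.0.0.5/",
    "ftp://93.184.216.34/",
    "https://93.184.216.34/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_outbound_url(url))
```

Even with this check in place, the safest design is an allowlist of destinations the application actually needs; the blocklist above only closes the common ways of reaching internal services.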
Directory Traversal
Occurs when the attacker is able to browse the directories and files outside the normal application access
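A path-containment check that decodes the request path, normalises it, and refuses anything that resolves outside the document root. This is an added example, not code from the original card set; the document root and the sample paths are assumptions.

```python
import os
from urllib.parse import unquote

# Assumed document root for the demonstration (it need not exist on disk).
BASE_DIR = os.path.realpath("/var/www/app/files")


def resolve_user_path(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute filesystem path for a client-supplied relative path,
    or raise ValueError if it would escape base_dir."""
    decoded = unquote(user_path)            # undo %2e%2e%2f-style encoding first
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # os.path.join discards base_dir if `decoded` is absolute; realpath then
    # collapses every ../ and resolves symlinks, so the containment test below
    # sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


# Constructed sample requests.
SAMPLES = [
    "reports/q1.txt",
    "../../../etc/passwd",
    "reports/..%2f..%2f..%2fetc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLES:
        try:
            print(p, "->", resolve_user_path(p))
        except ValueError as exc:
            print(p, "-> rejected:", exc)
```

Checking for the literal string `../` is not enough: encoded, doubled, and absolute-path variants all bypass it, whereas comparing the resolved path against the root catches every variant the filesystem would honour.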
Hidden Field Manipulation Attack
Attackers can change the hidden field values in a form to alter the POST request sent to the server
Pass-the-Cookie Attack
Allow attackers to access a user's web services by obtaining a clone of a cookie from the user's browser and using the cookie to establish a session with the target web server
Same-Site Attack
Occur when an attacker targets a subdomain of a trusted organization and attempts to redirect users to an attacker-controlled web page
Shell Injection
An attacker tries to craft an input string to gain shell access to a web server
HTML Embedding
The user input to a web script is placed into the output HTML without being checked for HTML code or scripting
File Injection
The attacker exploits this vulnerability and injects malicious code into system files
Server-Side JS Injection
Vulnerabilities that manifest when an application integrates user-controllable values into a string that the server-side JavaScript interpreter then dynamically evaluates (for example, via eval)
Server-Side Includes Injection
Attackers pass malicious SSI directives as input values to perform malicious activities
Server-Side Template Injection
Occurs when users are allowed to insert unsafe inputs into a server-side template
Log Injection
Attackers launch log injection attacks by exploiting unsanitized or unvalidated inputs to application logs
HTML Injection
An HTML injection attack is initiated by injecting HTML code via vulnerable form inputs of a web page to change the appearance of the website or the information provided to its users
CRLF Injection
In a carriage return line feed (CRLF) injection attack, attackers inject carriage return (\r) and line feed (\n) characters into the user's input to trick the web server, web application, or user into believing that the current object is terminated and a new object has been initiated
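The same CR/LF problem in two sinks, an HTTP response header (this card) and an application log line (the log injection card above), with a hardened version of each. This is an added example, not code from the original card set; the response skeleton, the tiny header parser and the payloads are constructed for the demonstration.

```python
import re

CRLF_RE = re.compile(r"[\r\n]")


def redirect_vulnerable(location: str) -> bytes:
    # The user-controlled value is copied verbatim into the header block, so a
    # CRLF inside it terminates the Location header and starts a new one.
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode()


def redirect_hardened(location: str) -> bytes:
    if CRLF_RE.search(location):
        raise ValueError("CR/LF not allowed in header values")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode()


def parse_headers(raw: bytes) -> dict:
    """Minimal parser standing in for the client's view of the response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = head.split("\r\n")[1:]            # skip the status line
    return dict(line.split(": ", 1) for line in lines if line)


def log_line_vulnerable(user: str) -> str:
    return f"login failed for user={user}"


def log_line_hardened(user: str) -> str:
    # Escape control characters so a single event can never be read as several
    # lines by whoever parses the log (non-ASCII is escaped too, which is acceptable for logs).
    safe = user.encode("unicode_escape").decode("ascii")
    return f"login failed for user={safe}"


# Constructed payloads.
HEADER_PAYLOAD = "/home\r\nSet-Cookie: session=attacker-chosen"
LOG_PAYLOAD = "bob\nlogin succeeded for user=admin"

if __name__ == "__main__":
    print(parse_headers(redirect_vulnerable(HEADER_PAYLOAD)))
    print(log_line_vulnerable(LOG_PAYLOAD))
    print(log_line_hardened(LOG_PAYLOAD))
```

In the vulnerable response the injected `Set-Cookie` is indistinguishable from a header the server meant to send; in the log the forged second line would be accepted as a genuine event by any line-oriented parser.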
Java Naming and Directory Interface (JNDI) Injection
A vulnerability in applications that pass attacker-controlled input to a JNDI lookup. JNDI takes a name as input and retrieves the object bound to that name; if the name points to a service controlled by the attacker, the application fetches a malicious class object from that server, which leads to remote code execution and eventually the compromise of the application.
Java Naming and Directory Interface (JNDI)
A Java-based API that takes a single parameter as input and searches for the requested object based on the specified name
XSS Attack
Cross-site scripting (XSS) attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users
XSS Filters
XSS filter implementations are applied to web browsers to protect them from imminent XSS attacks
Web Based Timing Attack
A web-based timing attack is a type of side-channel attack performed by attackers to retrieve sensitive information such as passwords from web applications by measuring the response time taken by the server.
Direct Timing Attack
Direct timing attacks are carried out by measuring the approximate time taken by the server to process a POST request to deduce the existence of a username
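Why a login handler leaks username existence through timing, shown by counting the expensive work each code path performs. This is an added example, not code from the original card set; the user store, salt and iteration count are constructed for the demonstration (a real store uses a per-user salt).

```python
import hashlib
import hmac
import time

ITERATIONS = 50_000
SALT = b"constructed-demo-salt"

hash_calls = {"count": 0}   # instrumentation: how many password hashes a call performed


def _hash(password: str) -> bytes:
    hash_calls["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": _hash("correct horse")}   # constructed user store
DUMMY_HASH = _hash("placeholder")           # same cost as a real record


def login_vulnerable(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False             # early exit: unknown users answer in microseconds
    return _hash(password) == stored   # known users pay the full hashing cost


def login_hardened(user: str, password: str) -> bool:
    known = user in USERS
    stored = USERS[user] if known else DUMMY_HASH
    computed = _hash(password)   # always do the work, whatever the username
    ok = hmac.compare_digest(computed, stored)   # constant-time comparison
    return ok and known          # dummy-hash matches never count as a login


def work_done(login, user: str, password: str) -> int:
    """Number of hash computations `login` performed for this attempt."""
    hash_calls["count"] = 0
    login(user, password)
    return hash_calls["count"]


def measure(login, user: str, password: str) -> float:
    start = time.perf_counter()
    login(user, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "unknown user: %.4fs" % measure(fn, "nobody", "x"),
              "known user: %.4fs" % measure(fn, "alice", "x"))
```

The hardened version spends the same work on every attempt, so the response time no longer tells the attacker whether the username exists; the `ok and known` guard is what stops the dummy hash from ever authenticating anyone.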
Cross Site Timing Attack
A cross-site timing attack is another type of timing attack, in which attackers send crafted request packets to the website using JavaScript
Browser-based Timing Attack
Attackers take advantage of side-channel leaks of a browser to estimate the time taken by the browser to process the requested resources
Cache Storage Timing Attack
The Cache API (used by scripts to store, fetch, and delete responses) gives developers a complete response cache. Writing a resource to the cache takes an amount of time that depends on the resource's size. If attackers can measure how long the browser takes to perform this operation, they can infer the size of the corresponding response.
XML External Entity (XXE) Attack
An XML External Entity attack exploits a misconfigured XML parser in an application that parses XML input from an untrusted source. The attacker sends malicious XML input containing a reference to an external entity to the victim's web application. When this input is processed by a weakly configured XML parser, the parser resolves the entity, enabling the attacker to read protected files on the server or, as a form of Server-Side Request Forgery (SSRF), to reach services on connected networks.
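The external entity reference an XXE payload triggers, observed through Python's built-in expat parser, beside a parser that refuses any DOCTYPE. This is an added example, not code from the original card set; the payload is constructed, and the permissive parser only records the URI it was asked to fetch rather than fetching it.

```python
import xml.parsers.expat
from typing import List

# Constructed XXE payload: an external entity pointing at a local file.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><note>&xxe;</note></order>"""

BENIGN_XML = "<order><note>hello</note></order>"


def parse_permissive(xml_text: str) -> List[str]:
    """Parser that honours external entities; returns the URIs it was asked to resolve."""
    requested: List[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # A resolving parser would open system_id here and splice its
        # contents into the document, which is the data leak.
        requested.append(system_id)
        return 1   # report success so parsing continues

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return requested


def parse_hardened(xml_text: str) -> List[str]:
    """Parser that rejects any DTD, so no entity of any kind can be declared."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return []


if __name__ == "__main__":
    print("permissive parser wanted to fetch:", parse_permissive(XXE_PAYLOAD))
    try:
        parse_hardened(XXE_PAYLOAD)
    except ValueError as exc:
        print("hardened parser:", exc)
```

Rejecting the DTD outright is the simplest safe configuration; it also stops entity-expansion denial of service ("billion laughs"), which needs no external reference at all.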
Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value
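A minimal session store showing why the session ID must be regenerated at login, as an added example that is not from the original card set. The vulnerable server accepts whatever session ID the client presents; the attacker-chosen ID and the victim's name are constructed for the demonstration.

```python
import secrets
from typing import Callable, Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def get_user(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None

    def login_vulnerable(self, presented_sid: str, user: str) -> str:
        # Keeps the ID the client presented, creating the record if needed.
        # Whoever chose that ID (the attacker) now shares the session.
        self._sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login_hardened(self, presented_sid: str, user: str) -> str:
        # Drop the pre-login ID entirely and issue a fresh, random one that
        # only the victim's browser will receive.
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def fixation_attack(store: SessionStore, login: Callable[[str, str], str]) -> Optional[str]:
    """Return the user the attacker's planted ID resolves to after the victim logs in."""
    planted_sid = "attacker-chosen-id"          # constructed: delivered via a crafted link
    login(planted_sid, "victim")                  # victim authenticates with that ID
    return store.get_user(planted_sid)            # attacker replays the ID


if __name__ == "__main__":
    s1 = SessionStore()
    print("vulnerable:", fixation_attack(s1, s1.login_vulnerable))
    s2 = SessionStore()
    print("hardened:  ", fixation_attack(s2, s2.login_hardened))
```

Regeneration at every privilege change (login, role switch) is the fix; additionally, a server should never accept a session ID it did not issue itself.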
Open Redirection
Open redirection is a vulnerability that allows attackers to add their own parameters to a URL to redirect users from trusted websites to malicious sites
Header-Based Open Redirection
It is a process of modifying the HTTP location header to redirect users to a malicious page
JavaScript-Based Open Redirection
It is a process of injecting JavaScript into a web-page response received from the corresponding web server
Magecart Attack
A Magecart attack, also referred to as web skimming, involves an attacker inserting malicious code into a target website to collect sensitive customer data during an online transaction.
Watering Hole Attack
In a watering hole attack, the attacker identifies the kind of websites frequently surfed by a target company/individual and tests these websites to identify any possible vulnerabilities. Once the attacker identifies the vulnerabilities, he/she injects a malicious script/code into the web application that can redirect the web page and download malware onto the victim's machine.
Cross site request forgery (CSRF) Attack
Cross-site request forgery (CSRF), also known as a one-click attack, occurs when an attacker causes a user's browser to send a request to the vulnerable website from a malicious web page, so that the request is made with the user's existing authenticated session
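A state-changing endpoint protected only by its session cookie beside one that also requires a per-session synchronizer token and checks the Origin header. This is an added example, not code from the original card set; the request model, site origin and forged request are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    cookies: dict


class BankApp:
    SITE = "https://bank.example"   # assumed origin of the application

    def __init__(self) -> None:
        self.sessions: dict = {}      # sid -> {"user", "csrf_token"}

    def start_session(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        # Embedded in the legitimate form as a hidden field; the attacker's page
        # cannot read it because of the same-origin policy.
        return self.sessions[sid]["csrf_token"]

    def transfer_vulnerable(self, req: Request) -> int:
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 401
        return 200   # the cookie alone authorises the action

    def transfer_hardened(self, req: Request) -> int:
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 401
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf_token"]):
            return 403
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.SITE:
            return 403   # defence in depth: cross-site origin
        return 200


def scenario() -> dict:
    app = BankApp()
    sid = app.start_session("victim")
    # The browser attaches the session cookie to both requests; only the
    # legitimate form carries the token and the application's own Origin.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"to": "attacker", "amount": "1000"}, {"sid": sid})
    legit = Request("POST", {"Origin": BankApp.SITE},
                    {"to": "alice", "amount": "10", "csrf_token": app.csrf_token(sid)},
                    {"sid": sid})
    return {
        "vulnerable_forged": app.transfer_vulnerable(forged),
        "hardened_forged": app.transfer_hardened(forged),
        "hardened_legit": app.transfer_hardened(legit),
    }


if __name__ == "__main__":
    print(scenario())
```

Setting `SameSite=Lax` or `Strict` on the session cookie stops the browser attaching it to the forged request in the first place; the token remains the portable defence for browsers and flows where that attribute does not apply.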
Cookie
Cookies are generally used to maintain a session between web applications and users
Cookie poisoning
Cookie poisoning alters the value of a cookie at the client side before the request is sent to the server
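One integrity mechanism for client-held values, serving the parameter/hidden-field tampering cards above and this cookie poisoning card: anything the server hands to the client and expects back (a hidden price field, a role cookie) is either looked up server-side or carried in an HMAC-signed token. This is an added example, not code from the original card set; the secret key, the catalogue and the forms are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-server-secret"   # in practice: loaded from a secret store, rotated
PRICES = {"sku-42": 1999, "sku-7": 500}  # constructed catalogue, prices in cents


def sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str) -> Optional[dict]:
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None   # body or MAC was altered client-side
    return json.loads(base64.urlsafe_b64decode(body))


def checkout_vulnerable(form: dict) -> int:
    # Trusts the hidden `price` field exactly as the browser sent it back.
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(form: dict) -> int:
    qty = int(form["qty"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    item = verify(form["item_token"])
    if item is None:
        raise ValueError("tampered item token")
    return PRICES[item["sku"]] * qty   # price comes from the server, never the client


def role_from_cookie_vulnerable(cookie_value: str) -> str:
    return cookie_value                 # "admin" if the user edits the cookie


def role_from_cookie_hardened(cookie_value: str) -> Optional[str]:
    data = verify(cookie_value)
    return data["role"] if data else None


def tamper(token: str, new_payload: dict) -> str:
    """Attacker swaps the body but cannot recompute the MAC without SECRET."""
    body = base64.urlsafe_b64encode(json.dumps(new_payload, sort_keys=True).encode()).decode()
    return body + "." + token.rsplit(".", 1)[1]


if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable({"price": "1", "qty": "3"}))
    print("hardened total:  ", checkout_hardened({"item_token": sign({"sku": "sku-42"}), "qty": "3"}))
    print("poisoned role:   ", role_from_cookie_hardened(tamper(sign({"role": "user"}), {"role": "admin"})))
```

Signing proves the value came from the server unaltered; it does not hide it, so secrets must not be placed in such tokens, and a replay of an old but validly signed value still needs an expiry or a server-side check.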
Serialization and Deserialization
Data in a program is held in data structures (graphs, trees, arrays, etc.). Serialization converts such objects into a linear byte or text form so they can be stored or transported to other systems; deserialization reconstructs the objects from that form. Deserializing untrusted data can let an attacker control which objects are created and how.
Web Service XML Poisoning
Attackers insert malicious XML code in SOAP requests
DNS Rebinding
An attacker creates a malicious website and registers it with a DNS server under the attacker's control. The attacker configures the DNS server to send DNS responses with very short TTL values to avoid caching of the responses. When the victim opens the malicious website, the attacker's DNS server returns the IP address of the HTTP server that hosts the attacker-controlled website. That web server responds with a page that runs JavaScript code in the victim's browser. When the JavaScript later makes another request to the same domain, the browser issues a new DNS query (owing to the short TTL), and the attacker-controlled DNS server now responds with a different IP address, typically that of an internal host. Because the domain name is unchanged, the browser's same-origin policy treats the internal host as the same origin, and the script can read responses from it.
Clickjacking Attack
A clickjacking attack is performed when the target website is loaded into an iframe element that is masked with a web page element that appears legitimate. The victim is tricked into clicking on the invisible controls or the deceptive UI elements that automatically trigger various malicious actions,
MarioNet Attack
MarioNet is a browser-based attack that runs malicious code inside the browser, and the infection persists even after closing or browsing away from the malicious web page through which the infection has spread
Cookie Snooping
Attackers use cookie snooping on victims' systems to analyze the users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications
RC4 NOMORE Attack
This attack exploits weaknesses in the RC4 stream cipher when a web server uses RC4 in its TLS configuration. Attackers use RC4 NOMORE to decrypt web cookies protected by HTTPS by making the victim's browser send a large number of requests carrying the cookie and statistically exploiting biases in the RC4 keystream. After recovering a valid cookie, the attacker impersonates the victim and accesses the website with the victim's session.
Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size
Business Logic Bypass Attack
A business logic bypass attack targets a specific or intended functionality of a web application rather than exploiting traditional software vulnerabilities
CAPTCHA
CAPTCHA is a challenge-response type of test implemented by web applications to check whether the response is generated by a computer
Denial-of-Service (DoS)
A DoS attack is an attack on the availability of a service, which reduces, restricts, or prevents access to system resources by its legitimate users
H2C Smuggling Attack
The H2C smuggling attack is a web security attack that exploits the handling of HTTP/2 cleartext (h2c) connection upgrades: an attacker sends an HTTP/1.1 request with an Upgrade: h2c header that a front-end proxy forwards to the back end, opening a persistent cleartext HTTP/2 tunnel through which later requests bypass the proxy's access controls
JavaScript Hijacking
A vulnerability that enables attackers to capture sensitive information from applications that use JavaScript Object Notation (JSON) as a data carrier, by loading the JSON response as a script from an attacker-controlled page
Cross-Site WebSocket Hijacking (CSWH)
A web security vulnerability that allows an attacker to establish a WebSocket connection with a vulnerable web application using the identity of a victim
demilitarized zone (DMZ)
A semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network
Web App Hacking Methodology
1. Footprint Web Infrastructure
2. Analyze Web Applications
3. Bypass client-side controls
4. Attack authentication mechanism
5. Attack authorization schemes
6. Attack access controls
7. Attack Session Management Mechanism
8. Perform Injection Attacks
9. Attack application logic flaws
10. Attack Shared Environments
11. Attack database connectivity
12. Attack web app client
13. Attack web services
Footprinting
Footprinting is the process of gathering complete information about a system and all its related components, as well as how they work.