HACKING WEB APPLICATIONS

Web Application

A Web Application is a program that is accessed over a network connection using HTTP or HTTPS existing in the webserver. The web application is a client-server application that clients run in a web browser. The web application contains a set of web pages, scripts, images, etc. Web applications help organizations to grow their business.

Types of websites

Static Website:

A static website contains web pages with fixed content. A static site can be built using HTML and hosted on a Web server.

Dynamic Website:

The information on dynamic websites changes based on user interaction, the time zone, the viewer’s native language, and other factors. These pages include Web scripting code, such as PHP or ASP. When a dynamic page is accessed, the code within the page is parsed on the Web server, and the resulting HTML is sent to the client web browser. Dynamic websites can interact with the user, capable of access information stored on the database. Dynamic web pages are also known as database-driven websites.

How A Web Application Works:

• The user sends a request to the web server over the internet through the web browser or the application interface in the form of a URL or an HTML form.
• Web server forward these requests to the web application server.
• Web application server queries the database and generates the results for the requested task.
• Web servers respond back to the client with the requested information.

OWASP

The Open Web Application Security Project (OWASP), an online community, produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. It aims to raise awareness about application security by identifying some of the most critical risks that organizations are facing.

OWASP Top 10 Web Application Security Risks (2017)

A1:2017                  –           Injection

A2:2017                  –           Broken Authentication

A3: 2017                 –           Sensitive Data Exposure

A4:2017                  –           XML External Entities (XXE)

A5:2017                  –           Broken Access Control

A6:2017                  –           Security Misconfiguration

A7:2017                  –           Cross-Site Scripting (XSS)

A8:2017                  –           Insecure Deserialization

A9:2017                  –           Using Components with Known Vulnerabilities

A10:2017               –           Insufficient Logging & Monitoring

 

1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
3. Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
4. XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access to other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
6. Security Misconfiguration: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
7. Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Cross-site scripting attack

• XSS attack takes advantage of dynamically generated web content based on user input provided on web pages.
• An attacker tries to inject commands in input fields provided on the web pages.
• If the webserver is unable to validate input fields on a web page properly, then it will execute the command provided by the attacker and unknowingly reveal information related to the client.

                Types of XSS

•  Cross-site scripting (Reflected)
• Cross-site scripting (Stored)
• Cross-site scripting (DOM )

 

8.Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

 

9. Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

 

10. Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Parameter Tampering

This attack involves the manipulation of parameters exchanged between client and server to modify application data such as user credentials, permissions, price, the number of products. Establishing a proxy can make the process of tampering simply if the web application fails in proper session management.

Directory Traversal

• Directory Traversal or Path Traversal is an attack on HTTP which allows attackers to access restricted directories outside of the webserver root location.
• Attackers try to access restricted directories that contain sensitive information like server configuration files, application source code, etc.,
• Attackers can manage to access files located outside the webroot because of this vulnerability.
• Example: http://www.example.com/abc.php=../../../../etc/passwd

Cross-site request forgery

Any requests sent to the server are not validated (No server-side validation). The server processes the request without verifying whether the user made the request or not. Because of poor validation, requests can be forged and sent to users to force them to do things that they are not intended to do. By clicking some links, users may unknowingly change account passwords.

Command Injection

• Command injection vulnerability in a web application allows attackers to inject untrusted data and execute it as part of a regular command or query.
• Attackers use specially crafted malicious commands or queries to exploit these vulnerabilities which may result in data loss.
• Injection attacks are possible because of poor web development capabilities.

File Inclusion

Local File Inclusion – Allows an attacker to gain access to any file on the server computer. An attacker can even access a file located apart from the web-root folder.

Remote File Inclusion – Allows an attacker to gain access to any file from any server. We can execute files located on a remote server on the vulnerable server.

 

SQL Injection:

            SQL (Structured Query Language) is a database management language used to manage databases to perform various operations like create, read, update and delete on the database. SQL is used by database administrators, as well as developers to organize user data properly. Web applications interact with the database server in the form of queries. SQL queries include select, add, insert, update, delete, create, alter and truncate.

List of Database software

• MySQL
• Microsoft SQL
• Oracle
• MongoDB
• SQL lite
• Microsoft Access
• DB2 Express-C

Database

A database is a collection of information that is organized into rows, columns, and tables, and it is indexed so that it can be easily accessed, managed and updated. Data in the database gets updated, expanded, and deleted as new information is added.

 

 Relation between Web Server and Database Server

A server is a software that runs continuously and responds to requests sent by the clients, Communication between a client and a server happens using a specific protocol example HTTP, HTTPS Server running web application include three components:

Web servers primarily respond to HTTP / HTTPS requests sent by the clients and pass these requests on to handlers.

The application server handles requests to create dynamic web pages. The application server processes the user request to generate the HTML page for the end-user, instead of serving a static HTML page stored on the disk. Application server software runs on the same physical server machine as where the webserver is running.

the database server is a server that houses a database application like JDBC, ODBC to provide database services to other computer programs. Most database applications respond to a query language. Each database understands its query language and converts each submitted query to a server-readable form and executes it to retrieve results.

The relation between the web server and the database server is the web server uses the application server to retrieve the data from the database and host the data with the help of the web server application. So web server works as the front end, and the database server works as a backend to provide data to a web server.

SQL Injection

The technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution on backend database to retrieve information directly from the database. It is used to gain unauthorized access to the database. SQL Injection is not a vulnerability in a database or web server; it is a vulnerability in a web application that occurs due to a lack of input validation.

Types of SQL Injection attacks

• Authentication bypass attack
• Error-based SQL Injection
• Blind SQL Injection

Authentication bypass attack

The attacker uses this technique to bypass user authentication without providing the valid Username and password and tries to log into a web application with administrative privileges.

Authentication Bypass Cheat Sheet:

1’ or ‘1’ = ‘1	admin’ or 1=1
admin’ —	admin’ or 1=1–
admin’ #	admin’ or 1=1#
admin’/*	admin’) or ‘1’=’1’#
admin’ or ‘1’=’1	admin’) or ‘1’=’1’–
admin’ or ‘1’=’1’–	admin’) or (‘1’=’1’/*
admin’ or ‘1’=’1’/*	admin’) or (‘1’=’1’#
admin’ or 1=1 or “=’	admin’) or (‘1’=’1’–
admin’) or (‘1’=’1	admin’ or (‘1’=’1
admin’ or 1=1/*	admin’ or 1=1#
or 1=1	or 1=1–
or 1=1#	or 1=1/*
admin’ or 1=1 or “=’	admin’)       or     ‘1’=’1/*

 

Error-based SQL Injection

THE error-based SQL injection technique relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead. By analyzing these errors, the attacker can grab system information such as the database, database version, OS, etc.

Blind SQL injection

Blind SQL injection is a type of SQL Injection attack that queries the database true or false questions and determines the answer based on the application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database.

Suggestive measures for SQL Injection Vulnerability

• Never trust user      Sanitize and validate all input fields.   Use parameterized statements, separate data from SQL code.
• Reject entries that contain binary data, escape sequences and comment characters.
• Checking the privileges of a user’s connection to the database.
• Use secure hash algorithms to secure user passwords stored in the database.
• Perform source code review before hosting the website.

Suggestive measures for other web application Vulnerabilities

• Define access rights to private folders on the webserver.
• Validate user input length, perform bound checking.
• Use language-specific libraries for the programming language.
• Use the more secure HTTPS protocol instead of HTTP if available.
• Log out from online user accounts instead of directly closing the browser, to properly end sessions.
• Take careful note of security warnings from the web browser.
• Avoid clicking links to sensitive portals, such as for e-banking, instead enter the URL of the website manually.
• Keep web application building software (frameworks) up to date to protect websites from application-based attacks.