
CEHv8 module 13 hacking web applications


DOCUMENT INFORMATION

Basic information

Format
Pages: 263
Size: 11.91 MB

Contents

Hacking Web Applications
Module 13
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures

Engineered by Hackers. Presented by Professionals.
CEH Ethical Hacking and Countermeasures v8
Module 13: Hacking Web Applications
Exam 312-50

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module 13 Page 1724

Security News: XSS Attacks Lead Pack As Most Frequent Attack Type
Source: http://www.darkreading.com

Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole. Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks; in particular, XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose 69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.

Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details, without the site's or the user's knowledge. The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site, and this ranges from personal data found on social networking sites to the financial and confidential details entered on ecommerce sites, amongst others.

A great number of organisations have fallen victim to such attacks in recent years, including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore, in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.

"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP, a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature, the consequences of which can be significant in terms of both financial and reputational damage."

The Superfecta attack traffic for Q3 2012 can be broken down as follows:

As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has, however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%) to become the second most likely origin of malicious traffic. Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last: during the build-up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result.

As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter. Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost, explains: "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of confidential data at risk, including customers' financial information, credit card and debit card details, there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."

Copyright © 2013 UBM Tech, All rights reserved
http://www.darkreading.com/security/news/240009508/firehost-q3-web-application-report-xss-attacks-lead-pack-as-most-frequent-attack-type.html
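The report above contrasts the two trust directions of cross-site attacks in prose only. The block below is an added example, not code from the EC-Council module or from the FireHost report: a search page that reflects a query parameter into HTML with and without output encoding (XSS, where the user trusts the site), next to a funds-transfer handler that trusts the session cookie alone and one that also requires a per-session synchronizer token which a cross-origin page cannot read (CSRF, where the site trusts the user). The request dictionaries, the in-memory session store, and the names evil.example, alice, landlord and attacker are constructed for the demonstration; no web framework is involved.

```python
# Added example: XSS versus CSRF as two directions of misplaced trust.
# Requests are plain dicts constructed here (no framework), and SESSIONS is a
# stand-in for the server's session store.
import html
import hmac
import secrets

# --- XSS: the user trusts the site, so whatever the site echoes runs in the user's browser ---

def search_page_vulnerable(query: str) -> str:
    """Reflects the query parameter straight into HTML: reflected XSS."""
    return f"<h1>Results for {query}</h1>"

def search_page_fixed(query: str) -> str:
    """Output-encodes the parameter for an HTML text context."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"

def contains_script_tag(page: str) -> bool:
    """Crude marker for the demo: did a <script> element survive into the markup?"""
    return "<script" in page.lower()

# --- CSRF: the site trusts the user's browser, so a forged request rides on the session cookie ---

SESSIONS: dict = {}  # session_id -> {"user": ..., "csrf_token": ...}  (constructed store)

def login(user: str) -> str:
    """Creates a session and a CSRF token bound to it; returns the cookie value."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return session_id

def transfer_vulnerable(request: dict) -> str:
    """Accepts any POST that carries a valid session cookie, wherever it came from."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    form = request["form"]
    return f"200 moved {form['amount']} from {session['user']} to {form['to']}"

def transfer_fixed(request: dict) -> str:
    """Additionally requires the per-session synchronizer token in the form body."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    form = request["form"]
    token = form.get("csrf_token", "")
    # Constant-time comparison; an attacker's page cannot read this token.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return f"200 moved {form['amount']} from {session['user']} to {form['to']}"

def forged_request(session_id: str) -> dict:
    """What a hidden auto-submitting form on evil.example produces: the browser
    attaches the victim's cookie, but the attacker cannot supply the token."""
    return {"cookies": {"sid": session_id},
            "form": {"to": "attacker", "amount": "1000"}}

def legitimate_request(session_id: str) -> dict:
    """A form rendered by the site itself carries the token it issued."""
    return {"cookies": {"sid": session_id},
            "form": {"to": "landlord", "amount": "500",
                     "csrf_token": SESSIONS[session_id]["csrf_token"]}}
```

The XSS half is the "hyperlink containing malicious content" case from the report: a link to `search?q=<script>...` makes the victim's own browser render the payload, and the fix is output encoding in the context where the data lands, not input filtering. The CSRF half shows why "logged in" is not the same as "intended": the forged request is indistinguishable from a real one unless the handler demands something only the site's own page could have supplied.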
Module Objectives

The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators monitor and manage web applications are described. Finally, web application pen testing is discussed. This module familiarizes you with:

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Webservers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing

Module Flow

Web applications are application programs accessed over a network connection (normally the Internet) and use HTTP as their primary communication protocol. Because anyone who can reach the server can send them requests, attackers target them for several reasons, and they are exposed to a wide range of attacks. For a clear understanding of hacking web applications, the topic is divided into the following sections:

1. Web App Concepts
2. Web App Threats
3. Hacking Methodology
4. Web Application Hacking Tools
5. Countermeasures
6. Security Tools
7. Web App Pen Testing

Let us begin with the web app concepts.

Web App Concepts

This section introduces you to the web application and its components, explains how the web application works and its architecture, and provides insight into web 2.0 applications, vulnerability stacks, and web attack vectors.

Web Application Security Statistics
Source: https://www.whitehatsec.com

According to the WhiteHat Security website statistics report for 2012, cross-site scripting vulnerabilities are found in more web applications than any other vulnerability class. From the graph you can observe that in 2012 cross-site scripting was the most common vulnerability, found in 55% of the web applications surveyed, whereas insufficient session expiration was found in only 10% of them. To minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.

[...]
[...] the level that [...] makes the web applications vulnerable: Business Logic Flaws, Custom Web Applications, Technical Vulnerabilities, Open [...]

[...]se server [...]

[Figure: web application architecture. Labels visible: Clients (Web Browser, Smart Phones, Web Appliance), Presentation Layer, Business Layer; technologies shown include J2EE, Flash, Silverlight]

[...]

[Figure 13.1: WhiteHat Security Website Statistics Report, 2012 (bar chart; the lowest bars visible are Session Fixation at 1% and Insufficient Session Expiration at 10%)]

Introduction to Web Applica[...]

[...]e results to the user's browser.

[Figure 13.2: Working of Web Application. Labels: User, Login Form, Internet, Firewall, Web Server]

Web Application [...]

[...]tension, the web server processes the request and sends the file to the user's browser.

[...] If the user requests a web page with the exte[...]

[...]ic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state, the requests for resources are treated as sepa[...]

[...] web applications. Attackers also use tools to launch attacks on web applications.

Web Application Components [...]

[...]e encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
[...]
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich [...]
[...]
- [...]plication (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)

Vulnerability Stack [...]
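The fragment above notes that HTTP is stateless, so every request is treated separately and the application itself has to carry session state, normally in a cookie; the statistics section lists insufficient session expiration among the vulnerability classes, and session management attacks are one of the module's objectives. The block below is an added example, not code from the module, showing the two ways that state can be carried: a cookie whose claim is trusted back verbatim (so the client can rewrite it), next to a cookie whose claims are bound to a server-side HMAC key and an expiry time. The key, the claim format and the timestamps are constructed for the demonstration.

```python
# Added example: carrying session state over stateless HTTP.
# Unsigned cookie (client-controlled claim) versus HMAC-signed cookie with expiry.
import base64
import hashlib
import hmac
import json

# Assumption for the demo: a key that never leaves the server.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def issue_cookie_unsigned(user: str) -> str:
    """Naive stateless session: the identity claim travels in the clear."""
    return f"user={user}"

def read_cookie_unsigned(cookie: str) -> str:
    """...and is trusted back on the next request, whatever the client set it to."""
    return cookie.split("=", 1)[1]

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie_signed(user: str, now: float, ttl_seconds: int = 900) -> str:
    """Claims plus an HMAC-SHA256 tag over them; 'exp' bounds the session lifetime."""
    claims = {"user": user, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def read_cookie_signed(cookie: str, now: float):
    """Returns the user name, or None if the cookie is malformed, tampered with, or expired."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check first
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:              # enforce expiry server-side
        return None
    return claims.get("user")

def tamper(signed_cookie: str, new_user: str) -> str:
    """What an attacker can do to a signed cookie: edit the claim, but not recompute the tag."""
    payload_b64, tag_b64 = signed_cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = new_user
    forged_payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(forged_payload)}.{tag_b64}"
```

The signed form is the minimum that makes a client-held session token trustworthy: integrity (the tag) stops the user=admin rewrite that works against the unsigned cookie, and the server-checked expiry is what the "insufficient session expiration" finding is about. A production design would also rotate the key, set the cookie with the Secure and HttpOnly flags, and bind the token to a server-side session record where revocation matters.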

Posted: 14/12/2021, 21:27
