Web Application Vulnerabilities - HOW TO HACK: HACKING SECRETS EXPOSED: A BEGINNER'S GUIDE (2014)

Chapter 14. Web Application Vulnerabilities

Weaknesses in web applications allow hackers to carry out various malicious attacks such as hijacking accounts, stealing identities and gaining access to confidential information. In this chapter we will look at some of the common vulnerabilities found in web applications and the ways in which they are exploited.

WEB APPLICATION BASICS

A web application is client/server software that runs on a web server and interacts with users or other systems using protocols such as HTTP. Most web applications are written in languages such as Java, PHP, Perl or Microsoft .NET. A server may host several web applications, through which the client and the server communicate back and forth to carry out tasks such as executing database queries and retrieving files. The following steps explain how a web application on a server handles a request:

1. The client makes a request for a web page by typing its URL on the browser.

2. The target web server receives this request and forwards it to the web application residing on it.

3. The web application processes the request, gathers the information required for the output (for example by querying a database or processing an image) and sends the result back to the web server.

4. The web server forwards the output back to the requesting client's browser.

Figure 14.1

TYPES OF WEB APPLICATION VULNERABILITIES

Now, let us discuss some of the different types of vulnerabilities found in web applications, how they work and ways to exploit them.

Cross-Site Scripting (XSS)

Cross-site scripting (also known as XSS) is a type of attack that injects malicious script (JavaScript, ActiveX, VBScript, Flash and so on) into vulnerable pages of a website. In the stored form described here, the malicious script is saved on the website itself, and whenever users visit the site or browse its pages the script runs on the client side to carry out the attack. In simple words, XSS is a type of attack that exploits a vulnerable site and uses it as an intermediary to attack the site's end users.

Key Concepts of XSS

· XSS is a web based attack performed on vulnerable web applications.

· In XSS attacks, the final target or the victim is the end-user and not the vulnerable application.

· Here, the vulnerable web page or application is used just as a conduit to reach the final target, who is the end user.

Impact of XSS Attack

When attackers succeed in exploiting XSS vulnerabilities, they can perform the following activities on the client side:

· Gain access to session cookies and hijack user accounts.

· Spread worms, viruses and Trojans.

· Gain access to the end user's files and directories.

· Remotely control the user's browser activity.

XSS Scenario

Let us assume that a hacker discovers an XSS vulnerability in one of the web applications of a large website like facebook.com. The hacker exploits this vulnerability and injects malicious code into one of Facebook's web pages. Whenever users visit this page, the malicious code runs in their browser, steals their session cookie and sends it back to the hacker. The hacker can now use this cookie to hijack the user's session and easily gain access to his/her Facebook account.

XSS Countermeasures

Today, modern websites rely heavily on complex web applications to deliver dynamic content based on user-specific needs and preferences. Unlike static websites, dynamic websites cannot exercise complete control over how their output is interpreted by the client. This opens up the possibility of XSS vulnerabilities in one or more of the web applications used by a dynamic website. You can take the following countermeasures to stop XSS attacks on your websites:

· Strictly validate all incoming data to the web application before it is processed.

· Adopt a strict security policy to prevent people from directly submitting scripts to the server.

· Filter the input data to remove any scripts it contains before processing it.
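The stored scenario and the filtering countermeasure above, worked through as an added Python example that is not code from the book: a comment containing a script tag (constructed here) is rendered verbatim by the vulnerable version and HTML-escaped by the fixed version, so the browser displays it as text instead of executing it.

```python
import html

# Constructed stored comment containing a script tag, standing in for what an
# attacker might have submitted to a vulnerable site (not data from the book).
STORED_COMMENT = 'Nice post! <script>alert("xss")</script>'

# Minimal page template; the comment body is interpolated into the div.
PAGE_TEMPLATE = (
    '<html><body><h1>Comments</h1>'
    '<div class="comment">{body}</div></body></html>'
)


def render_vulnerable(comment: str) -> str:
    """Vulnerable: the stored comment is placed into the page verbatim,
    so any <script> it carries runs in every visitor's browser."""
    return PAGE_TEMPLATE.format(body=comment)


def render_escaped(comment: str) -> str:
    """Countermeasure: HTML-escape the comment at output time so the markup
    characters (<, >, &, quotes) become entities and the browser shows text."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def contains_script_tag(page: str) -> bool:
    """Crude check used here only to show which rendering still carries a
    live <script> tag (a real scanner would parse the HTML properly)."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_COMMENT))
    print("escaped:   ", render_escaped(STORED_COMMENT))
```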

SQL Injection

Web applications use databases to store the data needed to deliver specific content to visitors and render other useful information. Databases may also hold other vital information such as user credentials, financial records, user-specific data and much other confidential information. Whenever a legitimate user requests to view or modify this information, the web application uses SQL queries (also called SQL commands) to fetch or modify the data stored in the database.

SQL injection is a type of attack in which the attacker passes SQL commands themselves (instead of plain text data) through the web application for execution by the backend database. The attacker injects specially crafted SQL into input fields such as search boxes, login fields and feedback forms that are meant to receive ordinary data. If the web application fails to validate the input properly before passing it on to the database, the attacker may gain unauthorized access and be able to view or modify information in the database.

Key Concepts of SQL Injection

· SQL injection is a software vulnerability that occurs when user data inputs are sent directly to the SQL interpreter for execution without proper validation.

· Attackers use input fields to pass specially crafted SQL in an attempt to trick the interpreter into executing unintended commands on the database.

Impact of SQL Injection Attack

Upon success, an SQL injection attack may allow the hacker to perform the following activities:

· Bypass user authentication and gain unauthorized access.

· Gain access to important parts of the database and view unintended data.

· Add new entries to the database or remove existing ones.

· Sometimes it is even possible to completely wipe out the contents of the database.

SQL Injection Example

Let us assume that there is a login page that grants users access to a restricted area of the website after authenticating their credentials. When a genuine user enters his "username" and "password" in the login form, the web application executes an SQL query in the background against a database containing the list of usernames and passwords. If the "username-password" pair matches, the user is granted access; otherwise access is denied.

Suppose a genuine user enters his credentials as follows:

Username: tom

Password: pass2000

The SQL query used to perform this match would be something as follows:

SELECT * FROM users WHERE username='tom' and password='pass2000'

The above SQL query tries to find a row in the database matching the "username-password" pair using the logical AND operator. The AND operator returns TRUE only when both operands (username and password) match; otherwise access is denied.

Imagine what would happen if a hacker discovered a SQL injection vulnerability on this login page. He would inject a specially crafted SQL fragment into the login form as follows:

Username: tom

Password: ' or '1'='1

The vulnerable web application passes the data in the password field through without proper validation, so it is interpreted as part of the SQL command instead of as ordinary text. The SQL query used to perform the match now becomes:

SELECT * FROM users WHERE username='tom' and password='' or '1'='1'

The logical OR operator holds TRUE if at least one of its operands is TRUE. Because AND binds more tightly than OR, the query is evaluated as (username='tom' and password='') or '1'='1'; since '1'='1' is always TRUE, the query returns rows and the hacker is granted access to the restricted area of the website. In this way, the SQL injection vulnerability lets the hacker bypass the authentication system and gain unauthorized access.

SQL Injection Countermeasures

· Adopt input validation to sanitize user input before passing it on to the database for execution.

· Give users the least permissions necessary when they are allowed to access the database.

· Web applications must not access the database with administrator privileges; instead, use a limited account when accessing databases from web applications.
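The login example and the first countermeasure above, worked through as an added Python example (not code from the book) against a constructed in-memory SQLite users table with the book's table and column names: the string-built query accepts the password ' or '1'='1, while the parameterized query keeps the same input as plain data and rejects it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the single row is made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('tom', 'pass2000')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is pasted straight into the SQL text, so a quote
    in the password ends the string literal and the rest becomes SQL."""
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"and password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Countermeasure: '?' placeholders are bound by the driver, so the input
    is compared as a value and never parsed as part of the command."""
    query = "SELECT * FROM users WHERE username=? and password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both login functions with the genuine and the injected password."""
    conn = make_db()
    injected = "' or '1'='1"   # the password from the book's example
    return {
        "genuine_vulnerable": login_vulnerable(conn, "tom", "pass2000"),
        "wrong_vulnerable": login_vulnerable(conn, "tom", "wrong"),
        "injected_vulnerable": login_vulnerable(conn, "tom", injected),
        "genuine_parameterized": login_parameterized(conn, "tom", "pass2000"),
        "injected_parameterized": login_parameterized(conn, "tom", injected),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'access denied'}")
```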

Command Injection

Command injection (also known as shell injection) is a type of attack in which the attacker exploits a vulnerable web application to inject malicious commands into the backend programs it calls, in order to gain unauthorized access to data or network resources. This attack is very similar to the SQL injection attack described above.

Dynamic web pages use web applications to present user-specific data and carry out other dynamic operations such as retrieving the contents of a file or sending emails. These web applications in turn use underlying programs such as shell scripts and operating system calls to complete specific requests and actions.

If a web application fails to sanitize user input (for example, data from form fields) before passing it to these backend programs, an attacker can exploit it to perform a command injection attack.

Command Injection Countermeasures

The following are some of the countermeasures that can be employed to prevent command injection attacks:

· Properly sanitize and validate the user input data to remove any of the existing malicious content.

· Structure requests so that all supplied parameters are treated as data instead of potentially executable content.

· Make sure that you strip out potentially dangerous characters such as semicolons (;), pipes (|) and ampersands (&) from user input before passing it on to the underlying programs.

· If possible, avoid passing user-supplied arguments to OS programs at all.
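An added Python example (not code from the book) of the second and third countermeasures above: the one parameter the endpoint accepts is checked against an allowlist, and the value is handed to the backend program as a single argv element with no shell involved, so shell metacharacters arrive as literal data. The hostname allowlist and the stand-in Python one-liner that echoes its argument back (used so the example runs offline instead of calling a real program) are assumptions of this example.

```python
import re
import subprocess
import sys

# Allowlist for the one parameter this endpoint takes: a host name. Rejecting
# everything else is safer than trying to strip ';', '|' and '&' individually.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_shell_string(user_value: str) -> str:
    """Vulnerable pattern: the value is concatenated into a command line that
    a shell will later parse, so ';' or '|' in it starts a second command."""
    return "ping -c 1 " + user_value


def is_valid_hostname(user_value: str) -> bool:
    """Allowlist check: only letters, digits, dots and hyphens are accepted."""
    return HOSTNAME_RE.fullmatch(user_value) is not None


def run_as_data(user_value: str) -> str:
    """Countermeasure: pass the value as one argv element (shell=False).
    The stand-in program is a Python one-liner that writes back argv[1]
    unchanged, showing the backend receives the text exactly as given."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])",
         user_value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def handle_request(user_value: str) -> str:
    """What the endpoint should do: validate first, then call with argv."""
    if not is_valid_hostname(user_value):
        raise ValueError("rejected: host name contains disallowed characters")
    return run_as_data(user_value)


if __name__ == "__main__":
    print(build_shell_string("example.com; ls"))   # two commands once a shell parses it
    print(repr(run_as_data("example.com; ls")))    # one literal argument, no shell
```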

Buffer Overflow

Buffer overflow (also known as buffer overrun) is a type of exploit that takes advantage of vulnerable applications while they process user input. A web application is said to be vulnerable to this kind of attack when, while writing data to a buffer, it overruns the buffer's limit and overwrites adjacent memory.

Key Concepts of Buffer Overflow

· A buffer overflow happens when the user input is larger than its allocated buffer and the application overruns the buffer's boundary when writing the input to memory.

· The goal is to trigger buffer overflows in vulnerable applications through inputs designed to execute malicious code or to alter the normal flow of the program to a flow determined by the hacker.

Types of Buffer Overflows

Buffer overflow attacks can be classified into two main types as follows:

· Heap-based attacks

· Stack-based attacks

Heap-based attacks work by flooding the memory space that is dynamically allocated to a program, but the difficulty involved in carrying them out makes them rare. Stack-based attacks, on the other hand, are the easiest and hence the most widely performed by attackers.

Stack Buffer Overflow Example

A stack is a region of computer memory used when one function within a program calls another. The stack holds data, local variables (variables that are private to a function), function arguments and, most importantly, the return address of the instruction to return to when a function finishes. In other words, when "FunctionA" calls "FunctionB", the CPU needs to know where to go back to when "FunctionB" finishes its task, and this return address (back into "FunctionA") is stored on the stack.

Consider the following sample code:

#include <string.h>

/* Declarations added so the book's fragment compiles: ReadUserName and
   socket are assumed to be provided elsewhere in the program. */
extern int socket;
char *ReadUserName(int sock);
void functionB(char *name);

void functionA(void)
{
    functionB(ReadUserName(socket));
}

void functionB(char *name)
{
    char name_arr[10];       /* fixed 10-byte buffer on the stack */
    strcpy(name_arr, name);  /* no length check: a name longer than 10 bytes overflows it */
}

In the above example, functionA reads the user name from the user and passes it to functionB, which copies it into a buffer (name_arr) whose allocated size is 10 bytes. When the attacker enters a cleverly devised input name longer than 10 bytes, the data overflows beyond the memory assigned to "name_arr", resulting in a buffer overflow. Remember that the stack also contains the return address into functionA for when functionB completes its execution. When the buffer overflows, the attacker can manipulate the stack to replace that return address with the location of his own malicious code in the buffer. In this way, the attacker can exploit a stack overflow vulnerability in a web application to execute his own malicious code and take control of the system.

Buffer Overflow Countermeasures

· Validate the length of input data in forms before passing it on to functions.

· Practice safe and secure coding habits when dealing with buffers.

· Use tools like Stack Shield and StackGuard on Linux systems to defend against stack overflow attacks.

Directory Traversal

Directory traversal is a type of HTTP vulnerability used by hackers to gain access to restricted directories and files on a web server. Directory traversal attacks happen because the web server or application fails to validate/filter user input. Web applications developed using languages and platforms like PHP, Python, Perl, Apache and ColdFusion are commonly vulnerable to this type of attack.

Key Concepts of Directory Traversal

· Using this vulnerability, attackers can browse directories and files that are outside the normal application access.

· This type of attack exposes the directory structure, underlying web server and operating system of the vulnerable machine.

· The attack allows a hacker to gain access to restricted pages and confidential information on the system.

Directory Traversal Countermeasures

· Properly validate user inputs from browsers.

· Employ filters to block URLs containing commands and escape codes that are commonly used by attackers.

· Define access rights to protected areas of the website so as to restrict normal user access.

· Keep your web server software up-to-date with latest patches and updates.
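An added Python example (not code from the book) of the first two countermeasures above: the requested URL path is percent-decoded once, normalised and required to stay under the document root before any file would be opened, which rejects "../" sequences whether written plainly or as escape codes. The document root /srv/www/public is an example value; the check works on the path text alone so it runs without those files existing.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/public"   # assumed document root (example value)


def resolve_request_path(web_root: str, requested: str) -> str:
    """Map a URL path onto the filesystem, refusing anything that escapes
    web_root. Raises ValueError for rejected requests."""
    # Decode percent-encoding exactly once (the same number of times the
    # server does), so '%2e%2e' is checked as '..' and not passed through.
    decoded = unquote(requested)
    # Backslashes are path separators on Windows hosts and NUL truncates
    # C strings; neither belongs in a legitimate URL path here.
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("path contains disallowed characters")
    # Collapse '.' and '..' segments lexically after joining with the root.
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The result must be the root itself or lie strictly beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes web root")
    return candidate


def is_allowed(web_root: str, requested: str) -> bool:
    """Boolean wrapper for the same check."""
    try:
        resolve_request_path(web_root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for path in ["images/logo.png", "../../etc/hosts", "%2e%2e/%2e%2e/etc/hosts"]:
        print(f"{path!r}: {'allowed' if is_allowed(WEB_ROOT, path) else 'rejected'}")
```

The check is purely lexical; on a real server also resolve symbolic links (for example with os.path.realpath) before comparing, since a link inside the root can still point outside it.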

TOOLS FOR VULNERABILITY SCANNING

The following are some of the popular tools that can be used to find vulnerabilities in web applications.

· Acunetix: This is an enterprise level web application vulnerability scanner and penetration testing tool available for Windows machines.

· W3af: This is an open source web application attack and audit tool for Linux, BSD, Mac and Windows machines.

· Vega: This tool is used to find and fix commonly found web application vulnerabilities like XSS, SQL injection and more. It is an open source tool written in Java and available for both Windows and Linux operating systems.

· Arachni: This is a powerful open source tool used by penetration testers and system administrators to evaluate the security of web applications. The tool is available for Linux and Mac platforms.

· X5S: X5S is a powerful tool designed to find cross-site scripting vulnerabilities in web applications.