The Web Application Hacker's Toolkit

  • Most attacks require tools beyond the browser alone.

Web Browsers

Internet Explorer

  • Roughly 45% market share.
  • Native support for ActiveX.
  • Useful extensions:
    • HttpWatch: Analyzes all HTTP requests and responses, showing headers, cookies, parameters, status codes, and redirects.
    • IEWatch: Similar to HttpWatch, but also analyzes page content such as scripts, documents, and images.

Firefox

  • Second most widely used browser, at roughly 35% of the market.
  • No native support for ActiveX.
  • Useful extensions:
    • HttpWatch
    • FoxyProxy: Flexible management of the browser's proxy configuration.
    • LiveHTTPHeaders: Modify requests and responses and replay individual requests.
    • PrefBar: Enable or disable cookies, switch between proxies, clear the cache, or change the User-Agent.
    • Wappalyzer: Identifies the technologies used by the current page.
    • Web Developer Toolbar: Many useful functions, such as viewing all links on a page, altering HTML to make form fields writable, removing maximum lengths, unhiding hidden form fields, and changing request methods from GET to POST.

Chrome

  • Roughly 15% market share.
  • Useful Extensions:
    • XSS Rays: Tests for XSS vulnerabilities and allows DOM inspection.
    • Cookie editor: In-browser viewing and editing of cookies.
    • Wappalyzer
    • Web Developer Toolbar

Integrated Testing Suites

  • Burp Suite
  • WebScarab
  • Paros
  • Zed Attack Proxy
  • Andiparos
  • Fiddler
  • CAT
  • Charles

How the Tools Work

  • Intercepting Proxies
    • Configuring Your Browser
      • IE:
        • Tools → Internet Options → Connections → LAN settings
        • Uncheck "Automatically detect settings" and "Use automatic configuration script"
        • In Address field set it to the proxy server address (127.0.0.1 if locally hosted)
      • Firefox
        • Tools → Options → Advanced → Network → Settings
        • Manual Proxy Configuration selected
        • In HTTP Proxy field set it to the proxy server address (127.0.0.1 if locally hosted)
      • Chrome:
        • Options → Under the Bonnet → Network → Change Proxy Settings
    • Intercepting Proxies and HTTPS
      • Described in Chapter 3
    • Common Features of Intercepting Proxies
      • Fine-grained interception rules
      • Detailed history of requests and responses
      • Automated match and replace rules
      • Access to proxy functionality from within the browser
      • Manipulating the format of HTTP messages (e.g., converting between request methods or content encodings)
      • On-the-fly HTML modification
  • Web Application Spiders
    • Functionality a web application spider needs beyond a conventional web crawler:
      • Form-based navigation
      • JS-based navigation
      • Multistage functions
      • Authentication and sessions
      • Parameter-based identifiers (the same URL serving different content depending on a parameter value)
      • Tokens and other parameters in the URL query string
    • Common features:
      • Automatic update of site map
      • Passive spidering of content processed by proxy
      • Presentation of discovered content in table or tree form
      • Fine-grained control of scope of automated spidering
      • Automatic parsing of HTML forms, scripts, etc.
  • Web Vulnerability Scanners
    • Passive: Monitor requests and responses passing through local proxy to identify vulnerabilities
    • Active: sending new requests to the target application to probe for vulnerabilities
  • Web Application Fuzzer
    • Common features:
      • Manually configured probing for common vulnerabilities
      • Built-in attack payloads
      • Saving attack results and response data
      • Customizable functions
      • Functions for extracting useful data from responses
  • Manual Request Tool
    • Common features:
      • Usually integrates with other suite tools
      • History of requests and responses
      • Multi-tab interface
      • Automatic following of redirects
  • Session Token Analyzers
    • Can check for randomness properties of session tokens
    • Burp Sequencer is an example.
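The message manipulation described under "Common Features of Intercepting Proxies" (match-and-replace rules, changing the format of a request) is easy to see on a raw request. The following is an added example written for these notes, not code from the book or from any of the listed tools: it parses a constructed HTTP/1.1 request, applies a hypothetical match-and-replace rule to a header, and converts the GET with its query string into an equivalent POST.

```python
"""Message manipulation of the kind an intercepting proxy performs, applied to a
raw HTTP request: parse it, run match-and-replace rules over headers, and
convert a GET with a query string into an equivalent POST. Added illustration,
not code from the book or from any listed tool; SAMPLE_REQUEST is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list   # (name, value) pairs, order and duplicates preserved
    body: bytes = b""

    def header(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name, value):
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


def serialize_request(req: HttpRequest) -> bytes:
    lines = [f"{req.method} {req.target} {req.version}"]
    lines += [f"{n}: {v}" for n, v in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + req.body


def apply_replace_rules(req: HttpRequest, rules) -> HttpRequest:
    """rules: (header name, regex, replacement) triples applied to that header."""
    for name, pattern, repl in rules:
        value = req.header(name)
        if value is not None:
            req.set_header(name, re.sub(pattern, repl, value))
    return req


def get_to_post(req: HttpRequest) -> HttpRequest:
    """Move the query string into an application/x-www-form-urlencoded body,
    the same transformation a proxy's 'change request method' function does."""
    if req.method != "GET":
        return req
    parts = urlsplit(req.target)
    body = parts.query.encode("ascii")
    req.method = "POST"
    req.target = urlunsplit((parts.scheme, parts.netloc, parts.path, "", parts.fragment))
    req.body = body
    req.set_header("Content-Type", "application/x-www-form-urlencoded")
    req.set_header("Content-Length", str(len(body)))
    return req


# Constructed sample request, as a browser might send it through the proxy
SAMPLE_REQUEST = (
    b"GET /search?q=test&page=2 HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Hypothetical match-and-replace rule: rewrite the User-Agent on every request
RULES = [("User-Agent", r"^.*$", "Mozilla/5.0 (compatible; Pentest)")]


def rewrite(raw: bytes = SAMPLE_REQUEST) -> bytes:
    req = parse_request(raw)
    apply_replace_rules(req, RULES)
    return serialize_request(get_to_post(req))


if __name__ == "__main__":
    print(rewrite().decode("iso-8859-1"))
```

The GET-to-POST conversion is the same thing the Web Developer Toolbar's "change request method" function does in the browser; doing it in the proxy means it applies to requests from any client, not just the browser. Note that Content-Length is recomputed from the new body, which is the detail most often missed when editing requests by hand.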

Testing Work Flow

  • Recon and analysis:
    • Web browser
    • Intercepting proxy
      • Proxy history
      • Passive spidering → generates site map
      • Active spidering → Spider tool
      • Active discovery → Content Discovery tool
    • Use the derived attack surface and passive scan results as input to vulnerability detection and exploitation
  • Vulnerability Detection and Exploitation
    • Using derived attack surface
      • Scanner
      • Repeater
      • Fuzzer
      • Passive scan results (e.g., captured session tokens) → Token Analyzer
    • Confirm each vulnerability found in the browser
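The "Session Token Analyzers" entry above and the Token Analyzer step in this workflow both come down to statistical tests on a sample of captured tokens. The following is an added example written for these notes, not Burp Sequencer's algorithm or output: it decodes a sample of equal-length hex tokens, counts the bit positions that actually vary, and checks whether consecutive tokens are really a counter. Both token samples are constructed (a disguised counter and a seeded PRNG).

```python
"""Statistical checks on a sample of session tokens, of the kind a token
analyzer such as Burp Sequencer performs. Added illustration, not Sequencer's
algorithm or output. Tokens are hex strings of equal length; the two samples
below are constructed (a disguised counter and a seeded PRNG)."""
import math
import random


def decode_hex_tokens(tokens):
    """Return the tokens as equal-width bit strings plus the width in bits."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must all have the same length")
    nbits = width * 4
    return [format(int(t, 16), f"0{nbits}b") for t in tokens], nbits


def bit_entropy_per_position(bits, nbits):
    """Shannon entropy (0..1 bit) of each bit position across the sample."""
    n = len(bits)
    entropies = []
    for i in range(nbits):
        p = sum(1 for b in bits if b[i] == "1") / n
        if p in (0.0, 1.0):
            entropies.append(0.0)
        else:
            entropies.append(-(p * math.log2(p) + (1 - p) * math.log2(1 - p)))
    return entropies


def effective_bits(tokens, threshold=0.9):
    """Number of bit positions that actually vary across the sample."""
    bits, nbits = decode_hex_tokens(tokens)
    return sum(1 for e in bit_entropy_per_position(bits, nbits) if e >= threshold)


def looks_sequential(tokens, max_step=1000):
    """True when most consecutive tokens differ by a small numeric step,
    i.e. the 'random' token is really a counter."""
    values = [int(t, 16) for t in tokens]
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    small = sum(1 for s in steps if 0 < s <= max_step)
    return small >= 0.9 * len(steps)


def assess(tokens):
    eff = effective_bits(tokens)
    seq = looks_sequential(tokens)
    if seq:
        verdict = "predictable: counter-like"
    elif eff < 64:
        verdict = f"weak: only about {eff} effective bits"
    else:
        verdict = "no obvious weakness (not a proof of randomness)"
    return {"effective_bits": eff, "sequential": seq, "verdict": verdict}


# Constructed sample 1: fixed prefix plus an incrementing counter in the low bits
WEAK_TOKENS = [format(0x5A5A000000000000 + 4096 + i, "016x") for i in range(200)]
# Constructed sample 2: 64-bit values from a seeded PRNG (demo only; never use
# random.Random for real session tokens, use secrets.token_hex)
_rng = random.Random(20240101)
RANDOM_TOKENS = [format(_rng.getrandbits(64), "016x") for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("random", RANDOM_TOKENS)):
        print(name, assess(sample))
```

Two caveats a practitioner should keep in mind: the per-bit test only sees bits that vary within the captured sample, so it measures an upper bound on entropy, not a lower one; and tokens must be captured in the order issued for the sequential test to be meaningful. Passing both tests says nothing about tokens built from, say, a hash of the username and a timestamp, which is why the verdict is phrased as "no obvious weakness".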

Alternatives to the Intercepting Proxy

  • Sometimes a proxy cannot be used.
  • Alternatives:
    • Tamper Data: Firefox extension that pops up whenever you submit a request, letting you view and modify HTTP headers and parameters.
    • TamperIE: Same functionality as Tamper Data, for IE.

Standalone Vulnerability Scanners

Vulnerabilities Detected by Scanners

  • Examples:
    • Reflected XSS, where user-supplied input is echoed in the application's response
    • SQL injection, detected via signatures such as database error messages
    • Path traversal, detected from the contents of the response
    • Command injection, detected via time delays or command output in the response
    • Obvious issues such as cleartext password submission
  • Not reliably detectable:
    • Broken access controls
    • Attacks that require modifying a parameter value in a meaningful way (e.g., another user's account number)
    • Logic flaws
    • Vulnerabilities arising from the design of the functionality
    • Session hijacking attacks
    • Leakage of sensitive information
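The first list above describes what scanners find because it can be reduced to a pattern in the request or response. The following is an added example written for these notes, not the detection logic of any real scanner: three of those checks (cleartext password submission, reflected input, and database error signatures) run over constructed request/response pairs as a proxy history might record them. The signature list is a short sample, not a complete one.

```python
"""Detection heuristics of the kinds scanners rely on (reflected input,
database error signatures, cleartext password submission), run over recorded
request/response pairs. Added illustration, not the logic of any real scanner;
the exchanges and the signature list below are constructed samples."""
import re
from html import escape
from urllib.parse import parse_qsl, urlsplit

# A few well-known database error strings (short sample, not a complete list)
SQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",                 # MySQL
    r"Unclosed quotation mark after the character string",   # MS SQL Server
    r"ORA-\d{5}",                                            # Oracle
    r"PostgreSQL.*ERROR|pg_query\(\)",                       # PostgreSQL
    r"\[Microsoft\]\[ODBC",                                  # ODBC drivers
]
PASSWORD_FIELD = re.compile(r"pass(word|wd)?|pwd|secret", re.I)


def request_params(req):
    """Collect query-string and form-body parameters as (name, value) pairs."""
    params = parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)
    ctype = req["headers"].get("Content-Type", "")
    if req.get("body") and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req["body"], keep_blank_values=True)
    return params


def check_cleartext_password(req):
    """Password-like field submitted over plain HTTP."""
    if urlsplit(req["url"]).scheme != "http":
        return []
    return [f"cleartext password submission: field '{n}'"
            for n, _ in request_params(req) if PASSWORD_FIELD.search(n)]


def check_reflection(req, resp):
    """Parameter values echoed into the response; unencoded echoes of HTML
    metacharacters are the XSS candidates, plain echoes need a follow-up probe."""
    findings = []
    for n, v in request_params(req):
        if len(v) < 4 or v not in resp["body"]:
            continue          # short values reflect by coincidence
        if escape(v, quote=True) != v:
            findings.append(f"unencoded reflection of '{n}' (XSS candidate)")
        else:
            findings.append(f"reflection of '{n}' (probe with HTML metacharacters)")
    return findings


def check_sql_errors(resp):
    return [f"SQL error signature: {pat}" for pat in SQL_ERROR_SIGNATURES
            if re.search(pat, resp["body"])]


def scan_exchange(req, resp):
    return (check_cleartext_password(req)
            + check_reflection(req, resp)
            + check_sql_errors(resp))


# Constructed exchanges as a proxy history might record them
EXCHANGES = [
    # 1) login form posted over plain HTTP
    ({"url": "http://shop.example/login",
      "headers": {"Content-Type": "application/x-www-form-urlencoded"},
      "body": "username=alice&password=hunter2"},
     {"status": 302, "body": ""}),
    # 2) search term echoed into the page without HTML encoding
    ({"url": "https://shop.example/search?q=widget%3Cb%3Ex", "headers": {}, "body": ""},
     {"status": 200, "body": "<h1>Results for widget<b>x</h1>"}),
    # 3) a stray quote in a numeric id produces a database error message
    ({"url": "https://shop.example/item?id=3%27", "headers": {}, "body": ""},
     {"status": 500, "body": "Warning: You have an error in your SQL syntax near ''' at line 1"}),
]


def scan_all(exchanges=EXCHANGES):
    return [scan_exchange(req, resp) for req, resp in exchanges]


if __name__ == "__main__":
    for (req, _), findings in zip(EXCHANGES, scan_all()):
        print(req["url"], findings)
```

Every one of these checks operates on syntax, which is exactly the limitation the next section describes: a broken access control produces a perfectly well-formed 200 response with someone else's data in it, and nothing here would notice.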

Inherent Limitations of Scanners

  • Every Web Application is Different
  • Scanners Operate on Syntax
  • Scanners Do Not Improvise
  • Scanners Are Not Intuitive

Technical Challenges Faced by Scanners

  • Authentication and Session Handling
    • Scanner must have ability to interact with session-handling mechanism
    • Scanner must have ability to detect when session is no longer valid
  • Dangerous Effects
    • Might blindly exercise administrative functions it crawls into, with dangerous consequences.
  • Individuating Functionality
    • Millions of distinct pages may be generated by a small set of functions, and the scanner must recognize them as the same function.
    • Some applications generate pages without end (e.g., a calendar that always offers a "next month" link).
    • Pages that look different but exhibit the same behavior, so the scanner loops over them.
  • Other Challenges to Automation
    • CAPTCHAs
    • Customized responses
    • New technologies
  • Current Products
    • Some Scanners:
      • Acunetix ~ $4,995-$6,350
      • AppScan ~ $17,550-$32,500
      • Burp Scanner = $191
      • Grendel-Scan = Free
      • HailStorm = $10,000
      • MileSCAN ~ $495-$1,495
      • NetSparker
      • N-Stalker ~ $899-$6,299
      • NTOSpider = $10,000
      • Paros = Free
      • Skipfish
      • W3af = Free
      • WebInspect ~ $6,000-$30,000
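The "Individuating Functionality" challenge above, and the spider's need to handle parameter-based identifiers (see "Web Application Spiders"), are the same problem: many URLs, few functions. The following is an added example written for these notes, not the algorithm of any real spider or scanner. It abstracts each URL to a function signature (host, path with identifier-looking segments replaced, parameter names without values) and caps how many instances of one function get fetched, which is what stops a crawl from walking a calendar forever. The crawled URL list is constructed.

```python
"""Collapsing many URLs onto the handful of functions that generate them, the
'individuating functionality' problem above, which is also how a spider copes
with parameter-based identifiers and endless 'next' links. Added illustration,
not the algorithm of any real spider; the crawled URLs are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Path segments that are identifiers rather than function names (assumption:
# decimal numbers, long hex strings, UUID-shaped strings)
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$", re.I)


def function_signature(url):
    """Abstract a URL to (host, path template, parameter names); values dropped."""
    parts = urlsplit(url)
    path = "/".join("{id}" if ID_SEGMENT.match(seg) else seg
                    for seg in parts.path.split("/"))
    names = tuple(sorted({n for n, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return parts.netloc, path, names


class SpiderScope:
    """Decide whether a URL is worth fetching: new URL, and its function has not
    already been sampled per_function_limit times."""

    def __init__(self, per_function_limit=3):
        self.limit = per_function_limit
        self.visited = set()
        self.per_function = Counter()

    def should_visit(self, url):
        if url in self.visited:
            return False
        sig = function_signature(url)
        if self.per_function[sig] >= self.limit:
            return False
        self.visited.add(url)
        self.per_function[sig] += 1
        return True


def individuate(urls, per_function_limit=3):
    """Return (URLs a spider would fetch, visit count per function)."""
    scope = SpiderScope(per_function_limit)
    fetched = [u for u in urls if scope.should_visit(u)]
    return fetched, dict(scope.per_function)


# Constructed crawl output: 50 product pages, an endless calendar, user profiles
CRAWLED = (
    [f"https://shop.example/item?id={i}" for i in range(1, 51)]
    + [f"https://shop.example/calendar?month=2011-{m:02d}" for m in range(1, 13)]
    + [f"https://shop.example/users/{uid}/profile" for uid in (101, 102, 103, 104)]
    + ["https://shop.example/about", "https://shop.example/item?id=7&tab=reviews"]
)

if __name__ == "__main__":
    fetched, counts = individuate(CRAWLED)
    print(len(CRAWLED), "URLs crawled,", len(fetched), "fetched")
    for sig, n in counts.items():
        print(n, sig)
```

The abstraction is deliberately crude: a path segment that happens to be eight hex letters (a word like "deadbeef") would be treated as an identifier, and two genuinely different pages served from /page?id=N would be collapsed into one. Real tools supplement the URL shape with response similarity; the per-function cap is the safety net for whatever the heuristic misses.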

Using a Vulnerability Scanner

  • Considerations:
    • Limitations of scanners
    • Scanner functionality
    • Target application familiarity
    • Manually confirm vulnerabilities found
  • Fully automated scanning
    • Better for novices and fast assessments
  • User-directed scanning
    • Better for more experienced testers

Other Tools

  • Wikto/Nikto
    • Locates default and common third-party content on a web server.
      • Requests each item in its database and checks whether it exists
    • Large database of files and directories
    • Wikto is the Windows version
  • Firebug
    • Browser debugging tool for editing HTML and JavaScript in real time.
    • Can also explore/edit DOM.
  • Hydra: Password-guessing tool usable in many situations.
  • Custom Scripts
  • Wget: Retrieves a URL via HTTP or HTTPS
  • Curl: Flexible command-line tool for HTTP and HTTPS
  • Netcat:
    • Can perform network related tasks.
    • Can open TCP connection to a server, send and retrieve requests, or create network listeners.
  • Stunnel:
    • Creates a client-side SSL connection to a host
    • Useful for tunnelling when a script or tool does not natively support SSL.
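The Wikto/Nikto entry above ("requests each item and checks whether it exists") hides the check a practitioner actually needs: many applications answer 200 with a friendly "not found" page for any path, so a naive existence test reports every wordlist entry as present. The following is an added example written for these notes, not Nikto's code, and its path list is a short sample rather than Nikto's database. It requests a random name that cannot exist first, fingerprints that response, and only reports entries whose response differs. The fetcher is a parameter so the example runs offline against a constructed fake server; fetch_http() is the real one for use over the network.

```python
"""Nikto-style discovery of default and third-party content, with the check a
practitioner wants: a baseline request for a name that cannot exist, so a server
that answers 200 for everything ('soft 404') does not turn every wordlist entry
into a hit. Added illustration, not Nikto's code. The fetcher is a parameter so
the example runs offline against a constructed fake server; fetch_http() is the
real one, and the path list is a short sample, not Nikto's database."""
import hashlib
import secrets
import urllib.error
import urllib.request

COMMON_PATHS = ["admin/", "backup/", "phpinfo.php", "server-status",
                ".git/HEAD", "robots.txt", "test.php", "old/"]


def fetch_http(url, timeout=5):
    """Return (status, body) for a real URL; HTTP errors become status codes."""
    req = urllib.request.Request(url, headers={"User-Agent": "content-discovery"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fingerprint(status, body, path):
    """Status plus a hash of the body with the requested path and all digits
    removed, so 'not found' pages that echo the path or a counter look alike."""
    normalized = body.replace(path.encode(), b"{path}")
    normalized = bytes(b for b in normalized if not 48 <= b <= 57)
    return status, hashlib.sha256(normalized).hexdigest()


def discover(base, paths, fetch=fetch_http):
    """Return [(path, status)] for entries that exist, judged against a baseline
    response for a random name that cannot exist."""
    canary = "nx-" + secrets.token_hex(8) + "/"
    status, body = fetch(base + canary)
    baseline = fingerprint(status, body, canary)
    hits = []
    for p in paths:
        status, body = fetch(base + p)
        if status == 404 or fingerprint(status, body, p) == baseline:
            continue      # a real 404, or the same page as 'not found'
        hits.append((p, status))
    return hits


def make_fake_server(existing, soft_404=True):
    """Constructed stand-in for a web server, for the offline demo only."""
    def fetch(url):
        path = url.split("/", 3)[3]
        if path in existing:
            return 200, b"<html>real content for " + path.encode() + b"</html>"
        if soft_404:
            return 200, (b"<html>Sorry, /" + path.encode() + b" was not found."
                         b" request " + str(len(path)).encode() + b"</html>")
        return 404, b"Not Found"
    return fetch


if __name__ == "__main__":
    server = make_fake_server({"admin/", ".git/HEAD"})
    print(discover("https://shop.example/", COMMON_PATHS, fetch=server))
```

The same baseline trick applies to a 302-to-login or a 403 for everything under /admin/: whatever the server does for an impossible name is the "absent" signature, and only deviations from it are interesting. Scripts like this are the "Custom Scripts" entry above in practice, and run through the intercepting proxy (urllib honours the http_proxy and https_proxy environment variables) so the requests land in the proxy history alongside the browser's.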
