Skip to main content

Web Application Hacking Techniques Part - 5



Top ten Vulnerabilities of Web Applications

Introduction

   Welcome to module 5 of the “Web Application Hacking Techniques” workshop. So far, we have presented different methods and techniques to exploit web application vulnerabilities. We have covered SQL Injections and command execution vulnerabilities with hands-on labs and also have explained a couple of other web application vulnerabilities, such as XSS, etc.

   Since information security is a very organized field, it has some set standards and frameworks that are consistently followed by security professionals. It’s worthwhile to talk about the top ten web application vulnerabilities, which are considered, accepted and recognized by industry leading organizations. These top ten vulnerabilities are listed by OWASP (Open Web Application Security Project).

Prerequisites

   It is recommended that you should first complete the previous four modules and then start module 5, otherwise you might not get all the benefits from this module.

Top 10 OWASP Vulnerabilities

  In order to strengthen the security of your web application, you need to be aware of the top trends in web application vulnerabilities so that you can ensure that such vulnerabilities don’t exist in your web applications.

  OWASP top ten provides the powerful awareness for web application security and underlying vulnerabilities. Following are the latest top ten vulnerabilities as highlighted by OWASP team.

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

   Although these top ten vulnerabilities details are freely available on the OWASP website, we will present few of these vulnerabilities in a chart format and will demonstrate how you can exploit this in a web application. We will not be able to cover all of these vulnerabilities in execution, however, you can exploit in the lab environment we have shown in the previous module. Since this vulnerable application is the older version you might find some differences in mapping the current top ten and the Mutillidae application listing.


SQLi Extract Data

  We have already presented how to setup your virtual lab environment in the previous module. Browse through the Metasploitable as shown below and use the following web application.



  Now, get to the following web page as shown below. This will take you to the A1 injection vulnerability demonstration page.



SQLi Bypass Authentication

   In this attack vector, you can bypass the user login screen and can easily login without any supplied user id or password. Browse the following page on this vulnerable web application.



   Use the SQL injection bypass technique as shown below as user and password [‘OR ‘a’=’a] and hit login. You will easily bypass the authentication.


Here you go with bypassing the login authentication, notice the logged in user.


Command Injection DNS Lookup

   Now, let’s execute command execution vulnerability as listed in OWASP Top ten vulnerabilities. Browse to the following page.







Code we are injecting:

<h1>Sorry. There has been a system error. <br /> <br /> Please login again </
h1> <br/> Username<input type=”text”> <br/> Password <input type=”text”> <br/> <br/> <input type=”submit” value=”Submit”><h1>&nbsp;</h1>

We will insert this code in the DNS lookup field and you can see the result as shown below.


Summary

   To proceed further in order to understand each vulnerability in more granular details, it is recommended to go through the OWSAP top 10 vulnerabilities detailed information.

You can visit the following link and continue reading: https://www.owasp.org/index.php/Top_10_2013- A5-Security_Misconfiguration.

Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more