Web Applications (Whiteboard)

Transcript

Welcome to Web Application Pen Testing. This whole module is huge. There is so much that you could realistically do here. It could take months and months and months to build proficiency here. This is its own course, this is its own subject matter, this is its own field of study, so we are going to highlight it as opposed to getting into all the nitty gritty details. So, as it has to deal with web applications, there was a book written some time ago called The Web Application Hacker's Handbook, and it will be the go-to book for years and years to come. This book has been light years ahead of just about anything that you will find in this subject matter. There are also some other really good books out there. I don't want to discount those, but this is basically the new foundation for how to approach this whole field. So the concept here is, besides the obvious web application, what are the components of them, how do they go wrong? So let us start here with some basic concepts. Because with web applications, this is where we get cross-site scripting. It exploits the relationship between the client and the server. Besides cross-site scripting you also have vast amounts of information leakage. Some of it out there is not harmful in itself, but could result in a secondary attack which could be harmful. So information leakage, things as simple as error messages: while they don't seem like a big deal, if that error message allows you to exploit, or gain the insight necessary to exploit, the service, that ultimately could lead to credit card numbers on your website. Content spoofing: websites hold content, legitimate content and bad content, so you can spoof that content. Weak authentication: everything about the authentication process. Authentication in a nutshell is "I am a claimed identity, prove it." We all connect to a web server, so let us exploit that relationship: cross-site request forgery.

You kind of have to deal with this one backwards. It is a forged request that goes from one side to another. Brute forcing: "Mama, are we there yet? Mama, are we there yet? Mama, are we there yet?" Keep trying things over and over and over again; if someone is not monitoring the web application, you can just have at it. Predictable resources: for example, it is pretty well known that you can go to /administrator and that is normally the administrative login for the web portal; that stuff realistically should be changed. SQL injection is its own field of study in terms of databases. Most web resources are stored in a database, whether it be MySQL or MSSQL or Oracle, whatever it is; SQL injection is its own field of study. Session fixation: this is where the hacker has some information and he needs to get a victim to concentrate on what the web hacker is now saying. "Hey, please click on this," because this will get me in. You have tricked the user into clicking on something and then ultimately exploited something. No session expiration, or indefinite session times: this is also another problem with web servers. Web 1.0 concepts versus Web 2.0 concepts: Web 1.0 concepts, these were more or less static sites or resumes, or all about the business at hand. Web 2.0 is less about the business and more about the end users using the website. So a great example of Web 1.0 versus Web 2.0: just a very static web page, that is Web 1.0; things like YouTube, or any customer-oriented website like YouTube where it is all user-generated content or user-generated features, those are Web 2.0 concepts. So we need to look at those just a little bit more. Things like blogs: you can have everybody and their uncle go to the website and post to the blog. That is user-generated content, therefore Web 2.0. You have concepts like Ajax.

Google uses these, YouTube uses these; this is when you start typing and it starts to predict and narrow down what you are actually searching for. Or even Flash, you could consider that Web 2.0 oriented, or tools like jQuery, or cloud concepts in general. This is really storing things out on the internet in some sort of public fashion; a great example of cloud storage would be Dropbox, or Wikipedia, online dictionaries and things like that, or gaming sites, or traditional RSS, or social networking in general. So we are very much Web 2.0 now; it is all about the end users and making the website valuable for the users. The site that you are on right now is Web 2.0 oriented; it is focusing on the end users. So when it comes to hacking web applications there are all sorts of threats that could go wrong. Things like cookie poisoning: web servers store little pieces of code on your client-side computer, and you can poison them. Directory traversal: navigating, predicting and enumerating what the directories look like; very easily you can figure out if it is Unix oriented or Apache versus Windows oriented. Unvalidated input: can you just supply anything to the web server? SQL injection: notice I have a note here, cheat sheets. I use cheat sheets whenever I possibly can. SQL injection cheat sheets, cross-site scripting cheat sheets; apparently I can't say "cheat sheet" but that is okay. Use them to your advantage, and instead of trying to memorize all of the possible combinations of SQL injections for MSSQL or MySQL or Oracle, use cheat sheets to your advantage. Same thing with cross-site scripting: you want to know what they look like, and there are plenty of cheat sheets out there, use them. It is a great way to keep a lot of information at the tips of your fingers. Cross-site request forgery,

what we talked about. Form tampering. Insecure storage, or how does the web server store the information that the users are uploading: are there picture directories or video directories? What are the permissions on those directories? How are you handling the errors? Are you giving an error message to your end user; does the end user even need to see that? Buffer overflows are their own field of study. Log tampering: clearing your logs, changing the integrity of them. All of the account management: remember Web 2.0 is user centric, so users are going to need to have accounts. How do you manage them? How do you do things like password reset functions and things like that? How do you manage sessions? Can you just go to the online site and add something to a checkout without creating an account? Ultimately you are storing things on a server! Platform-specific exploits, either with the application itself, be it Joomla, Drupal, WordPress, or maybe at the operating system level: is it Unix versus Windows, etc. Authentication hijacking: see the session hijacking module. Cookie snooping: just finding out what is in the cookies in itself. Session fixation: tricking the user. Malicious code execution. Denial of service, that is its own field of study. No encryption, no SSL, no IPsec, no transport level security. Even XML poisoning. These are all potential threats for things to go wrong in the world of web application pen testing. So let us look at the countermeasures: become an expert. It is really that simple. Normally I would like to list off the top ten or fifteen here. In this case there are just way too many; I would fill this whole board four to five times over. There is so much that goes on specifically in this subject matter, you have to become an expert; this is not something that you are going to learn overnight.

Learning each one of these techniques, just learning cross-site scripting and form tampering, that could take a lot to learn, as opposed to buffer overflows or SQL injection. For some of it you have to learn the whole field of databases before you can become good at SQL injection, versus if you want to become a great web application pen tester, you have to understand all of the components of HTML. One of the best tools out there for learning this is a tool called Burp Suite. It is something that you can use to dissect the web process over and over and over again. So let us go ahead and look at some hands-on examples.

This whiteboard lecture video covers web applications in great detail. Web applications play an important role in every organization. Cyber defense requires a thorough understanding of web application security issues.
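As an added defender-side illustration of three of the session problems the lecture lists (session fixation, indefinite session times, and cross-site request forgery), here is a small session store that rotates the identifier on login, enforces idle and absolute timeouts, and checks a per-session CSRF token. This is example code written for this page, not code from the lecture or from Cybrary; the SessionStore class, its timeout values, and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed example values (assumptions, not from the lecture).
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime cap regardless of activity


class SessionStore:
    """Hypothetical in-memory session store showing three countermeasures."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.sessions = {}          # sid -> {user, created, last_seen, csrf}

    def create(self, user=None):
        # Server-generated, unpredictable ID; a client-supplied ID is never adopted,
        # which removes the "plant an ID, then get the victim to use it" path.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now,
                              "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, old_sid, user):
        # Session fixation defence: rotate the identifier on privilege change so a
        # pre-login ID known to someone else never becomes an authenticated one.
        self.sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        # Indefinite-session defence: idle and absolute timeouts, enforced server-side.
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def check_csrf(self, sid, submitted_token):
        # CSRF defence: a state-changing request must echo the secret tied to this
        # session; a forged cross-site request cannot read it, so it fails here.
        s = self.lookup(sid)
        if s is None or s["user"] is None or submitted_token is None:
            return False
        return hmac.compare_digest(s["csrf"], submitted_token)
```

The same three checks apply whatever framework actually issues the cookie: regenerate on login, expire on the server, and never trust a state-changing request without the session-bound token.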