Web Application Attacks

Web Application Assessment Methodology

1. Information Gathering
   1. What does the web app do?
   2. What language(s) are used?
   3. What is the software running the web server?
   4. ...
2. Increase our permissions or move laterally
3. Repeat steps 1 and 2 (-> Enumerate and adapt) until every avenue has been tried or the target system is successfully compromised

Web Application Enumeration

• Understand the tech stack used by the web app:
  • Language and Frameworks
  • Web Server Software
  • Database Software
  • Host Operating System

Inspecting URLs

• File Extensions can revel the language
• This is becoming less common because modern frameworks allow routing

Inspecting Page Content

• Inspect the source of the webpage using the browsers debugger to identify:
  • Frameworks and their versions
  • Hidden Input Fields
  • Comments
  • Client Side Controls
  • JavaScript code
  • ...

Viewing Response Headers

• Use the browser's debugger networking section
  • The Server Header usually reveals the Web Server Software and its version (sometimes even the Operating System)
  • X- are none standard HTTP Headers, these can be used to identify further elements of the tech stack

Inspecting Sitemaps

• Sitemaps include what bots should index and what NOT to index
• Common sitemaps are:
  • https://www.google.com/sitemap.xml
  • https://www.google.com/robots.txt
    • Allow: should be indexed
    • Disallow: should NOT be indexed (-> interesting for us)

Locating Administration Consoles

• Common to be found wrongly configured as the default is insecure:
  • Tomcat Manager
  • PHP MyAdmin (MySQL)

Web Application Assessment Tools

DIRB

• Uses a wordlist to identify valid directories/pages even if they aren't indexed
• dirb http://www.megacorpone.com -r -z 10
  • -r: NONE-recursively
  • -z: add a delay for each request (in milliseconds)

Burp Suite

• Powerful Proxy with a LOT more features
• burpsuite
  • Access the Java Runtime warning
  • Select "Start Burp"
  • Select "Proxy"
    • Used to Intercept, Inspect and Modify or Drop requests
    • List the HTTP Traffic History (this can be used in the Repeater)

Nikto

• Very aggressive Web Server Software Scanner to find low hanging fruits
  • nikto -host=http://www.megacropone.com -maxtime=30s
    • -maxtime: Halt the scan after the time limit
    • -T: Tune the scan

Web Application Strategies

• Exploiting Admin Consoles
• Cross-Site Scripting
• Directory Traversal Vulnerabilities
• File Inclusion Vulnerabilities
• SQL Injection

Relevant Note(s): Penetration Testing