Web Exploitations

Learning outcomes:

  • Define web site weaknesses including the top 10 website security risks
  • Describe possible exploits for input fields
  • Explain the use and effect of buffer overflows
  • Explain how set-up and configuration of the web server provides vulnerabilities
  • List potential issues with web site structure and what industry best practices are for each issue
  • Describe XSS, demonstrate its use and list potential detection and prevention measures
  • Show how scripting can cause web exploitation

Would you like to download my PowerPoint to follow along?

  • What is Website Exploitation
    • When you find a vulnerability in a website to take advantage of to make the website do something it shouldn't
    • Most vulnerabilities are found by automated means and tools, not doing things by hand
    • However! There are some trials you can do looking at things like URL manipulation that you can play with by hand easily
  • Basics of Website Hacking
    • Look at the code for the website (HTML/CSS/Javascript/PHP code)
    • File structure
      • Can you see files you shouldn't?
      • Layout of the server?
      • Upload files?
      • Permissions to access things you shouldn't have?
    • URL attacks
      • Look at the URL, can you see any extensions? Files?
      • What if you change the URL can you get somewhere you shouldn't be?
    • HTTP Flood Attack
      • GET/POST attacks by hand
        • GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
        • What if you change the acct parameter, such as putting ALICE instead of BOB?
        • A more detailed example can be found at the bottom of this page
  • Input Field Exploits
    • Buffer overflow
    • Special characters
    • Poor access right configuration
    • Error messages that say too much
    • URL exploitation
    • Are there hidden pages or files that aren't linked from the common pages?
    • If they use things like user=14 or search=75, can we play with those numbers to run our own queries?
  • OWASP top 10 as of 2022 Please see here for most up to date list
    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery
  • Examples of how some of those can be exploited
    • Injection
      • Injecting information into websites
      • Cross Site Scripting (XSS)
      • Some examples of common issues are SQL injections and not sanitizing user input data
      • Example Scenario: change a SQL query to have '1'='1 as the ID, giving root permissions to the attacker
    • Cryptographic failures
      • Formerly known as Sensitive Data Exposure
      • Examples of issues include transmitting data in clear text, using outdated algorithms, not enforcing encryption, and storing too much sensitive data
      • Example Scenario: a database of credit cards is stored in plain text in an AWS bucket
    • Security Misconfiguration
      • Some examples include using default usernames/passwords, not upgrading to the latest security features or patches, leaving unneeded features enabled, and overly informative error messages
      • Example Scenario: the AWS bucket from the previous example was left on default permissions, but the cloud provider's default is sharing, open to the internet at large.
    • Vulnerable and outdated components
      • Some examples of issues include not knowing the versions you're running, not updating to the latest version, not upgrading or updating your underlying infrastructure, and not regularly scanning and monitoring your system and the news for the latest exploits
      • Example Scenario: You have decided to run your server on an older version of the OS because that's what you were familiar with, but it's no longer being patched and is getting no updates. Because it's 10 years old you aren't protected from any of the newer rootkits or even bugs like Heartbleed.
    • Security Monitoring and logging failures
      • Some examples of issues include not keeping track of failed logins, warnings or errors, not keeping track of API access, and not backing up your logs.
      • Example Scenario: Literally most data breaches, including the large Experian one.
  • Injection Style Attacks in Depth
    • Code injection - inserts application code into the application
    • Email header injection - IMAP/SMTP commands to mail server
    • Host Header Injection - abuses implicit trust of the HTTP Host header
    • LDAP injection - adds LDAP statements to execute LDAP commands
    • OS command injection - puts OS commands into the web application's input
    • XPath injection - user-supplied info is used to construct an XPath query for XML data
    • SQL Injections
      • 2 stages
        • Stage 1 is trials to see what you get back from the application
        • Stage 2 is specially crafted input to take advantage of what you found in stage 1
      • Classifications
        • Classic - you can see errors you shouldn't and can guess at what to do from there, such as this one by 7Safe, or attacks on UNION
        • Blind - can't see error messages or responses
        • Database specific - you know the type of database they are running and take advantage of that (MySQL vs MongoDB vs Oracle)
        • Compound or out-of-band - these are uncommon and need very specific features enabled
      • Some examples of SQL injection tools, both open source and in Kali
        • SQLMap and NoSQLMap
        • JSQL Injection
        • WhiteWindow
        • BBQSQL
        • SQLninja
        • BSQL hacker
    • Cross Site Scripting (XSS)
      • Malicious scripts injected into trusted webpages
      • Attacker uses a web app to send the malicious code
      • The flaws that make this possible are anywhere you allow user input without validation, sanitization or encoding.
      • Can be done through web requests or when data is in dynamic content sent to a webpage
      • Frequently seen with malicious ads on websites, but malicious code can be JavaScript, HTML, Flash or any other executable code
      • Can be stored (persistent) code saved on a target server
      • Can be reflected off another server or delivered in an email
      • XSS vulnerabilities are hard to find because you need to carefully review all the code and look for where input from an HTTP request could make its way to HTML output
      • Many HTML tags can carry malicious JavaScript
      • Nessus (Not free) and Nikto (free) can scan for surface vulnerabilities
  • Website Frameworks
    • Wordpress
    • 3rd party templates (Wix, squarespace...)
    • Plugins
    • If you aren't a full time web developer, think about taking advantage of the tools available. Everything has vulnerabilities. Languages, frameworks, everything. It's more important to do security basics on a website than it is to DIY everything. And it's important to test your websites and see what a hacker would see.
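The GET http://bank.com/transfer.do?acct=BOB&amount=100 example under "HTTP Flood Attack", and the user=14 / search=75 question under "Input Field Exploits", are both the same weakness: the server trusts an identifier the client can edit. The following is an added example, not code from these notes, showing the check a server has to make before acting on such a request. The account table, user names and amounts are constructed sample data; transfer_vulnerable and transfer_safe are names chosen here.

```python
# Added example (not from the lecture): a server-side ownership check for a
# request such as GET /transfer.do?acct=BOB&amount=100. The account table,
# user names and amounts below are constructed sample data.
from urllib.parse import parse_qs

# Constructed data: which logged-in user owns which account.
ACCOUNT_OWNERS = {"BOB": "bob", "ALICE": "alice"}


def _read_request(query):
    """Pull acct and amount out of the query string; amount must parse as an int."""
    params = parse_qs(query)
    acct = params.get("acct", [""])[0]
    raw_amount = params.get("amount", [""])[0]
    try:
        amount = int(raw_amount)
    except ValueError:
        amount = None
    return acct, amount


def transfer_vulnerable(session_user, query, owners=ACCOUNT_OWNERS):
    """Broken access control: the server trusts whatever acct the client names.
    Any logged-in user can debit any account just by editing the URL."""
    acct, amount = _read_request(query)
    if acct not in owners or amount is None:
        return ("reject", "bad request")
    return ("allow", acct, amount)


def transfer_safe(session_user, query, owners=ACCOUNT_OWNERS):
    """Checks that the session user owns the account before allowing the debit.
    Unknown accounts and other people's accounts get the same answer, so the
    response cannot be used to enumerate which account names exist."""
    acct, amount = _read_request(query)
    if amount is None or amount <= 0:
        return ("reject", "invalid amount")
    if owners.get(acct) != session_user:
        return ("reject", "not permitted")
    return ("allow", acct, amount)


if __name__ == "__main__":
    tampered = "acct=BOB&amount=100"   # alice has put BOB into the URL
    print("vulnerable:", transfer_vulnerable("alice", tampered))
    print("safe:      ", transfer_safe("alice", tampered))
    print("owner:     ", transfer_safe("bob", tampered))
```

The point of the safe version is that the authorization decision uses the identity from the session, which the client cannot edit, and never the identifier from the URL on its own. The same pattern applies to any record id in a query string: look the record up, then check that the current user is allowed to see or change it.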
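The '1'='1 scenario from the Injection examples, and the "classic" class of SQL injection (errors you shouldn't see) from the in-depth section, can both be reproduced against a throwaway database. The block below is an added example, not code from these notes: it runs the same lookup with a string-built query and with a parameterized one against an in-memory SQLite table whose rows are constructed sample data. The function names are chosen here.

```python
# Added example (not from the lecture): the '1'='1 scenario run against an
# in-memory SQLite database, with the string-built query next to a
# parameterized one. Table contents are constructed sample data.
import sqlite3


def make_db():
    """Constructed users table: one privileged row and two ordinary ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "root"), (2, "bob", "user"), (3, "alice", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds SQL by string concatenation: the user's text becomes part of the
    query, so a quote in the input changes the structure of the query."""
    sql = "SELECT name, role FROM users WHERE id = '" + user_id + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized query: the driver passes the value separately from the
    SQL text, so the input is only ever compared against the id column."""
    sql = "SELECT name, role FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """Returns ('rows', result) or ('error', exception class name). A lookup
    that raises on a stray quote is telling the caller something about its
    SQL, which is the 'error messages that say too much' problem."""
    try:
        return ("rows", lookup(conn, user_id))
    except sqlite3.DatabaseError as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # the tautology from the notes
    print("vulnerable:", probe(db, lookup_vulnerable, payload))
    print("safe:      ", probe(db, lookup_safe, payload))
    print("stray quote, vulnerable:", probe(db, lookup_vulnerable, "'"))
    print("stray quote, safe:      ", probe(db, lookup_safe, "'"))
```

With the tautology the string-built query becomes WHERE id = '' OR '1'='1', which is true for every row, so the privileged row comes back along with everything else; the parameterized query compares the whole payload as one value against id and returns nothing. A single quote makes the string-built query malformed and raises a database error, while the parameterized one just returns no rows, which is the behaviour you want an attacker's stage-1 probing to see.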
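The XSS section says the flaw is anywhere user input reaches HTML output without validation, sanitization or encoding. As an added example (not code from these notes), the block below renders the same comment with raw concatenation and with output encoding, shows why the attribute context needs quote escaping too, and returns response headers that limit what an injected script could do. The comment text, header values and function names are constructed here.

```python
# Added example (not from the lecture): one user comment rendered unsafely and
# safely, plus headers that reduce the impact of any XSS that slips through.
# Inputs and header values are constructed.
import html
import re


def render_comment_vulnerable(comment):
    """Reflects the user's text straight into the page body."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """HTML-encodes the text for the body context: < > & " ' become entities,
    so the browser displays the characters instead of parsing them as markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_search_box_safe(previous_query):
    """Attribute context: quote=True is what stops a stray quote from closing
    the value attribute and starting a new event-handler attribute."""
    return (
        '<input type="text" name="q" value="'
        + html.escape(previous_query, quote=True)
        + '">'
    )


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_raw_script(rendered):
    """Review aid for test output: does a live <script tag survive rendering?
    A check on output like this supplements encoding; it does not replace it."""
    return _SCRIPT_TAG.search(rendered) is not None


def security_headers():
    """Defence in depth: a CSP that forbids inline and third-party scripts, and
    a session cookie that document.cookie cannot read (constructed values)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    print(render_search_box_safe('" onfocus="x'))
```

Encoding is context specific: html.escape is right for text nodes and quoted attributes, but a value placed inside a script block or a URL needs the encoding for that context instead, which is why the notes say to trace every path from request input to HTML output.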
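The Security Monitoring and Logging Failures item lists failed logins as the thing nobody tracks. The block below is an added example, not code from these notes: a small detector run over a constructed authentication log that flags repeated failures from one source, one source trying many accounts, and a success arriving right after a run of failures. The log format, IP addresses (from the documentation ranges) and user names are made up here.

```python
# Added example (not from the lecture): a detector over constructed auth log
# lines. Format, addresses and user names are all made up for the example.
import re
from collections import Counter, defaultdict

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:00:02Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:00:03Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:00:04Z auth user=alice src=203.0.113.7 result=FAIL
2024-05-01T10:00:05Z auth user=admin src=203.0.113.7 result=FAIL
2024-05-01T10:00:06Z auth user=bob src=203.0.113.7 result=OK
2024-05-01T10:01:00Z auth user=carol src=198.51.100.4 result=FAIL
2024-05-01T10:01:05Z auth user=carol src=198.51.100.4 result=OK
this line is not an auth record and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Returns (events, skipped): events as dicts in file order, skipped is the
    count of non-matching lines. Counting skips matters: a parser that drops
    lines silently is itself a monitoring failure."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped


def failing_sources(events, threshold=5):
    """Sources with at least `threshold` failed logins."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return {src: n for src, n in fails.items() if n >= threshold}


def spraying_sources(events, min_users=3):
    """Sources whose failures span at least `min_users` distinct accounts."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_users}


def success_after_failures(events, min_failures=3):
    """(src, user) pairs where an OK follows at least `min_failures` consecutive
    FAILs for that same pair: the shape of a guessed password."""
    streak = Counter()
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0
    return hits


def analyze(text):
    """Run every check and return one report dict."""
    events, skipped = parse_auth_log(text)
    return {
        "events": len(events),
        "skipped": skipped,
        "failing_sources": failing_sources(events),
        "spraying_sources": spraying_sources(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low so the sample trips them; in practice they are tuned to the site's normal failure rate, and the "success after failures" signal is the one worth paging on because it indicates the guessing may have worked.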

Suggested Activities and Discussion Topics:

  • Try a basic mission on "Hack this site!" Register Here for Free
    • Basic Missions require very basic HTML knowledge. If you don't know HTML, try looking through the code, play with the URL, think basic, don't over work this.
  • Try out a basic SQL injection in a safe space. This is a site that was built specifically for education on SQL injection
    • It is OK to try this on the specific site listed above
    • It is NOT OK to try this anywhere else without written permission from your teacher/Instructor
  • Go to This site and try out an XSS attack
    • This is part of a Bug Bounty Program training. More info can be found Here
