Kali Web Penetration Testing Notes (Part 4)
Major Flaws in Web Applications
- Client-side flaws are targeted flaws that exploit client-side technologies such as AJAX, JSON, and Flash code to extract information from the client.
Directory browsing
DirBuster (it comes as an add-on to the WebScarab proxy, but can also be found as a standalone application). Look out for backup files and renamed files by including the .bak and .old extensions in the scan.
Comments in HTML code (use with WebScarab)
Mitigation: Directory browsing is a per-directory setting and it needs to be verified on each directory. In Apache, you can use the .htaccess file to override the individual directory setting, and in the IIS web server the directory permission can be set by using the IIS manager or the appcmd command.
Authentication protocols and flaws:
- Basic authentication (uses Base64 encoding, which is very easy to reverse to acquire the clear text)
- Digest authentication (it introduced a nonce value that is used as a salt when the client shares the authentication credentials with the server. In addition to the nonce value, the MD5 hash of the password is sent instead of the Base64 encoded value.)
- Integrated authentication (when a user accesses a website that leverages integrated authentication and is part of the same domain as the user, the client passes the token and the user is granted access to the application. LANMAN, NTLMv1, and NTLMv2 are the underlying challenge/response protocols used for this seamless authentication)
- Form-based authentication
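Added example (Python, written for these notes and not taken from the original) showing why the first two schemes differ: a Basic header is reversed with a single Base64 decode, while for Digest (RFC 2617 with qop=auth) the server verifies the response while holding only the MD5 of user:realm:password, and a reply computed for one nonce fails against another. The function names and the sample credentials are constructed here.

```python
import base64
import hashlib
import secrets


def decode_basic(header):
    """Recover user and password from an 'Authorization: Basic ...' header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    # Base64 is an encoding, not encryption: one decode yields the clear text.
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def stored_ha1(user, realm, password):
    """HA1 is all the server needs to keep for Digest; the password itself is not stored."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side of Digest (RFC 2617, qop=auth): only a hash bound to the nonce is sent."""
    ha1 = stored_ha1(user, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_verify(ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from HA1 and the nonce it issued; compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    nonce = secrets.token_hex(16)
    resp = digest_response("alice", "demo", "s3cret", "GET", "/dir/index.html",
                           nonce, "00000001", "0a4f113b")
    print(digest_verify(stored_ha1("alice", "demo", "s3cret"), "GET",
                        "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
```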
Brute forcing credentials:
- Hydra:
hydra 192.168.1.8 http-form-post "/form_auth/login.php:user=^USER^&pass=^PASS^:Rejected" -L user.txt -P pass.txt -t 10 -w 30 -o hydra.txt
- These (user and pass) are the variables used to take the input, which can again be determined by viewing the page source using Ctrl+U in Firefox.
Path traversal:
- The most basic path traversal attack is using the ../ sequence to modify the resource request through the URL. The expression ../ is used in operating systems to move up one directory. The attacker has to guess the number of directories that he needs to move up to get outside the web root, which can easily be done using trial and error. If the attacker wants to move up three directories, then he or she would use ../../../.
- A malicious user may encode the absolute path to a system file into a web form and view it directly in the browser. Check whether a web server is vulnerable to a traversal attack by encoding ../ in the URL.
- Examples:
  1) http://tastlab.org/..%255c..%255c..%255cboot.ini (encoding ../ in the URL)
  2) http://testlab.com/../../../../etc/shadow (attack to view the contents of the shadow file)
  3) http://testlab.com/../Windows/System32/cmd.exe?/c+dir+c:/ (attempt to invoke the cmd utility and run the dir c:\ command)
  4) http://testlab.com/scripts/foo.cgi?page=../scripts/test.cgi%00txt (attempt to expose the source code of the test.cgi file)
- **Attacking path traversal using Burp proxy**: An experienced attacker can navigate the filesystem and acquire the source code files if the application is vulnerable to a path traversal attack.
Injection-based flaws (SQL injection and command injection attacks are the most common ones)
Command injection:
SQL injection: the attacker can edit cookies, headers, or XML requests to submit malicious data back to the server. The manual method to discover a flaw is by using a proxy such as Burp, Paros, or ZAP and injecting data into the various fields.
Cross-site scripting (client-side attack)
The attack potential of the XSS flaw is not just limited to attacking the same website or stealing information from the browser; the attacker can also use it to target other websites. Here’s an illustration of a cross-site scripting attack:
An easy way to identify whether a web page is vulnerable to an XSS attack is by using the following harmless script in the input fields of the form. If a dialog box is displayed, the web application is not filtering the metacharacters and is vulnerable to an XSS attack:
<script>alert("Vulnerable to XSS!!");</script>
XSS vulnerabilities:
- Persistent or stored XSS flaws
- Non persistent or reflected XSS flaw
Attack potential of cross-site scripting attacks
- Steal user passwords and cookies
- Scan other websites and servers
- Engage the browser in transactions on the vulnerable server without the user's knowledge
- Redirect the user to another website
- Steal files from the victim's computer
Cross-site request forgery: A cross-site request forgery attack is also known as a one-click or session riding attack. Using random tokens, known as anti-CSRF tokens, that change on every request is also a good mitigation step, as the attacker would not know this dynamically changing random token.
Session-based flaws
Ways to steal tokens (tools: Zed Attack Proxy, Burp proxy, WebScarab):
- Brute forcing a predictable session token
- Sniffing a token over the wire
- Compromising a session token using client-side attacks (XSS or malicious JavaScript)
- Man-in-the-middle attack
Session fixation attack
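Added example (Python, constructed for these notes, not code from the original) of the two mitigations the CSRF and session sections point at: an anti-CSRF token that is random, bound to the session and replaced on every request, and a session id that is reissued at login so a fixated pre-login id is never promoted to an authenticated one. SessionStore and its method names are assumptions; the store is an in-memory toy.

```python
import hmac
import secrets


class SessionStore:
    """Toy in-memory session store: session id -> {user, csrf}."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None):
        # 256 bits from the OS CSPRNG: neither predictable nor brute-forceable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": None}
        return sid

    def login(self, old_sid, user):
        # Session fixation defence: drop the pre-login id and issue a fresh one,
        # so an id planted in the victim's browser never becomes authenticated.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def user_for(self, sid):
        sess = self._sessions.get(sid)
        return None if sess is None else sess["user"]

    def issue_csrf_token(self, sid):
        # One fresh token per request; the previous one stops being valid.
        token = secrets.token_urlsafe(32)
        self._sessions[sid]["csrf"] = token
        return token

    def check_csrf_token(self, sid, presented):
        sess = self._sessions.get(sid)
        if sess is None or sess["csrf"] is None or presented is None:
            return False
        expected, sess["csrf"] = sess["csrf"], None   # single use, then discarded
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(store.create(), "alice")   # fresh id after authentication
    token = store.issue_csrf_token(sid)          # embedded in the form for this request
    print(store.check_csrf_token(sid, token), store.check_csrf_token(sid, token))
```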
File inclusion vulnerability:
Remote file include: PHP is the language most widely attacked through remote file include vulnerabilities.
Local file include: Although the following URLs look exactly the same, they might represent entirely different attacks:
- http://testdemo.org/mydata/info.php?file=../../../temp/shell.php
- http://testdemo.org/mydata/info.php?file=../../../temp/shell.php
If the first URL exploits a path traversal issue, the shell.php contents will be displayed as text. If the second URL exploits a local file inclusion, the shell.php contents will be processed as PHP code and executed. Here’s a snippet of code that is vulnerable to a local file inclusion attack:
<?php
// Vulnerable: the page name is taken straight from the query string
$file = $_GET['file'];
include("pages/$file");
?>
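Added example, not from the original notes, of the server-side check that defeats both the path traversal requests listed earlier and the file= inclusion above: decode the parameter fully (so ..%255c is seen as ..\), reject NUL bytes (the %00 trick), and confirm the normalised path still lies under the web root; for an include(), map the name against an allowlist instead of building a path from user input. WEB_ROOT, ALLOWED_PAGES and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                      # assumed document root
ALLOWED_PAGES = {"home", "about", "contact"}    # assumed set of includable pages


def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding: '..%255c' -> '..%5c' -> '..' + backslash."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(requested, root=WEB_ROOT):
    """Absolute path for a requested file, or None if it would escape the web root."""
    path = decode_fully(requested)
    if "\x00" in path:                  # %00 truncation (test.cgi%00txt) is never legitimate
        return None
    path = path.replace("\\", "/")      # treat Windows separators like '/'
    # normpath collapses every '../' against the root string itself, so the
    # decision does not depend on what exists on the real filesystem.
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def safe_include_target(name, root=WEB_ROOT):
    """Hardened counterpart of include("pages/$file"): allowlist, never a user-built path."""
    if name not in ALLOWED_PAGES:
        return None
    return f"{root}/pages/{name}.php"


if __name__ == "__main__":
    # Constructed requests mirroring the examples in the notes.
    for req in ["index.html", "../../../../etc/shadow", "..%255c..%255c..%255cboot.ini",
                "scripts/test.cgi%00txt", "../../../temp/shell.php"]:
        print(f"{req!r:40} -> {resolve_under_root(req)}")
    print(safe_include_target("about"), safe_include_target("../../../temp/shell.php"))
```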