Certified Ethical Hacker - Part 12-2 - Hacking Web Applications

by Riazul H. Rozen
Feb. 26, 2018 | Certifications | CEH

Web applications: A walkthrough on threats and attacks

Web applications and Web 2.0 technologies are used to carry out important business functions such as CRM and SCM, among others. Web applications are programs that connect end users to web servers, through web pages or code that runs inside the client's web browser. Web 2.0 technologies are more susceptible to attack than their web application counterparts, but this does not mean web applications are in the clear: they are also vulnerable to attacks such as cross-site scripting and SQL injection.

How attackers exploit system flaws

These attacks can occur as a result of system flaws, as in the case of unvalidated input. Here, the data sent in by the end user is not verified before it is passed on to the backend servers and web applications. An attacker can steal data or information by working through this weakness to carry out breaches such as SQL injection, cross-site scripting and buffer overflows.

Form tampering is another means of exploitation, and attackers use injection techniques such as SQL injection to manipulate these systems. Here, the parameters exchanged between the server and the end user are tampered with in such a way that data like credentials, prices and quantities of goods are changed without the client being any the wiser.

Another way attackers can tamper with web applications is through directory traversal. This lets malicious users gain access to restricted directories, critical system files, configuration and program source code, with the aim of sending commands and having them executed outside the web server's root directory. Variables containing references like “dot-dot-slash” (../) are what these attackers usually exploit. Malicious users can also use the traversal method to reach files located outside the web application's directory.
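The usual defence against the dot-dot-slash problem is to resolve the requested path and refuse anything that ends up outside the directory the application is allowed to serve. The following Python function is an added example written for this article, not code from the article or any product it mentions; WEB_ROOT is an assumed path, and the percent-decoding step goes beyond the article's literal "../" example so that encoded forms of the same sequence are caught too.

```python
import os
from urllib.parse import unquote

# Assumed directory the application serves files from (not from the article).
WEB_ROOT = "/var/www/app/public"


def resolve_under_root(user_path, root=WEB_ROOT):
    """Return the absolute path for user_path if it stays inside root, else None.

    The request value is percent-decoded first so that "%2e%2e/" is treated
    the same way as "../". A leading slash is stripped so the join cannot
    jump straight to the filesystem root, then normpath collapses every
    ".." segment and the result is compared against the allowed root.
    """
    decoded = unquote(user_path)
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    # Anything that escaped the root is rejected; the caller returns 404/400.
    return None
```

A request for "images/logo.png" resolves to a file under WEB_ROOT, while "../../etc/passwd" and its percent-encoded twin both collapse to a path outside it and are rejected. The check is deliberately done on the normalised path rather than by searching the raw string for "..", because the raw string can be encoded in many ways and the normalised path cannot.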

System misconfiguration is open to attack, firstly because default accounts are not changed, and secondly because the application server's administrative console is installed and never removed. Once the attacker works out the standard administration pages, it is possible to gain access to the system and exploit it. Misconfiguration can occur at any level of the web application stack, from custom code to the web application server, the platform and the framework, making it possible for attackers to exploit and manipulate default accounts, read and write unprotected files, take advantage of unpatched flaws, read unused pages and so on.

Attackers can supply malicious input that takes advantage of injection flaws, ultimately leading to denial of access, data corruption or loss, and a lack of accountability. What are injection flaws? They are flaws that allow unvalidated data to be processed and executed as commands or queries. These flaws are easily discovered by consistently scanning the systems, and are common in legacy code that builds SQL, LDAP and XPath queries.

Methods for exploiting web applications

Attackers gain access to web applications and manipulate them using the following methods:

SQL injection

Attackers inject harmful SQL queries into user input forms. They can also reach web applications through the browser's address bar and through application fields. This method lets them exploit vulnerable web applications by overriding security functions and gaining access to important data. It is initiated by sending a string such as “test’) ;DROP TABLE Messages ;--” to the web server: the quote and parenthesis close the intended query, the appended statement drops the Messages table if the input is concatenated into the SQL, and the trailing “--” comments out whatever followed, which opens the way for the injection process.
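The unvalidated-input and injection-flaw passages above, and the SQL injection example just given, come down to one defect: user input concatenated into query text. The Python snippet below is an added example for this article, not code from the article or from any product it names. It uses the article's own payload against a constructed in-memory SQLite table, first through string concatenation and then through a bound parameter, so the difference in outcome can be checked directly. The executescript call is used only because sqlite3's execute() refuses stacked statements, whereas many database drivers run them; the defect being shown is the concatenation, not the driver.

```python
import sqlite3

# The article's own payload, used here as constructed test input.
PAYLOAD = "test') ;DROP TABLE Messages ;--"


def new_db():
    """Fresh in-memory database with a Messages table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO Messages (body) VALUES ('hello')")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(search):
    # Vulnerable: the user's value becomes part of the SQL text itself.
    return f"SELECT body FROM Messages WHERE body LIKE ('%{search}%')"


def search_unsafe(conn, search):
    """Run the concatenated query; returns whether Messages still exists."""
    conn.executescript(build_query_unsafe(search))
    return table_exists(conn, "Messages")


def search_safe(conn, search):
    """Hardened: the value travels as a bound parameter, never as SQL text.

    Returns (matching rows, whether Messages still exists).
    """
    rows = conn.execute(
        "SELECT body FROM Messages WHERE body LIKE '%' || ? || '%'", (search,)
    ).fetchall()
    return [r[0] for r in rows], table_exists(conn, "Messages")
```

With the concatenated version the payload's quote and parenthesis close the LIKE expression, the DROP TABLE runs as a second statement, and the table is gone. With the parameterised version the whole payload is just a search term that matches nothing, and the table is untouched; no escaping or blacklist is needed because the database never parses the value as SQL.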


LDAP injection

LDAP directories store information arranged in levels known as an LDAP tree. An attacker bypasses security by exploiting web applications that fail to validate their input, works through the LDAP tree and reaches the main directory database by injecting malicious LDAP statements. To determine whether a server can be exploited by this method, a query is sent to the server; if an error message comes back, that is taken as confirmation that the server can be attacked with code injection.
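The input validation that the passage above says is missing is, for LDAP search filters, the escaping defined in RFC 4515: the characters that have meaning in a filter are replaced by their hex escapes before the value is placed into the filter. The Python below is an added example written for this article, not the article's code or any LDAP library's API; the filter shape (&(objectClass=person)(uid=...)) is an assumed one for illustration.

```python
# RFC 4515 escaping for values inside an LDAP search filter.
# Each character that carries meaning in a filter becomes \XX (two hex digits).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a single attribute value for safe inclusion in a filter."""
    # Character-by-character lookup, so the backslash inserted by one
    # replacement is never itself re-escaped.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    # Hardened: the username is escaped before it is spliced into the filter.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def build_user_filter_unsafe(username):
    # Vulnerable: raw concatenation lets the input add its own filter terms.
    return f"(&(objectClass=person)(uid={username}))"


def count_filter_terms(ldap_filter):
    """Count the filter components by their unescaped opening parentheses.

    Escaped parentheses appear as the literal text \\28, so they are not
    counted; a filter built from one username should always have the same
    count as the template it came from.
    """
    return ldap_filter.count("(")
```

A username of *)(uid=* turns the unsafe template into a filter with an extra (uid=*) term, which is why the article's "send a query and watch for an error" probe works against such code. Escaped, the same input stays inside the uid value and the filter keeps its three components, so the directory is asked for a user literally named "*)(uid=*" and finds none.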


Command injections

Attackers inject malicious code through web applications by submitting crafted input strings, with the aim of gaining shell access to the web servers. Attackers also use this method to deface websites by adding extra code or scripts to the HTML.

File injection

Here, malicious code is injected into system files. The malicious code is entered as an account number together with a password on a web page. When the submit button is clicked the password changes to “new password”, and the web script is unaware that an attack has been launched; it thinks that only the URL of the banner image file has been inserted. This technique lets the attacker divert the server from its own system files to a remote file chosen by the attacker.


Hidden field manipulation attack

When users choose objects on an HTML page, these objects are stored as field values; some of these values are hidden, sent with the HTTP request and stored as parameters for future selections. In a hidden field manipulation attack, the attacker inspects the HTML code of the target page and alters the data, so that a different field value is submitted when an end user makes selections on the page.
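Because a hidden field is under the client's control, the server cannot trust a price or quantity that comes back in it. The first-choice fix is to look the value up server-side from the item id; when a value really has to round-trip through the browser, the server can sign it and verify the signature on return. The Python below is an added example for this article, not the article's code; SERVER_SECRET is a constructed value and the form dictionary stands in for whatever a web framework would hand the handler.

```python
import base64
import hashlib
import hmac

# Constructed secret for the example; a real deployment keeps this server-side
# and never sends it to the client.
SERVER_SECRET = b"example-secret-do-not-use"


def sign_hidden_field(name, value, secret=SERVER_SECRET):
    """HMAC-SHA256 tag over name=value, so the tag for one field cannot be
    replayed on another field of the same form."""
    msg = f"{name}={value}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()


def verify_hidden_field(name, value, tag, secret=SERVER_SECRET):
    """Constant-time comparison against a freshly computed tag."""
    expected = sign_hidden_field(name, value, secret)
    return hmac.compare_digest(expected, tag)


def price_from_request(form):
    """Server-side handling of the submitted form (a dict, constructed here).

    Returns the price as an int only if the hidden field's tag verifies;
    a tampered price, a missing tag, or a tag copied from another field
    all yield None and the order should be refused.
    """
    price = form.get("price", "")
    tag = form.get("price_sig", "")
    if not verify_hidden_field("price", price, tag):
        return None
    return int(price)
```

When the page is rendered, the server emits both the hidden price and its tag; an attacker who edits the price in the HTML cannot produce a matching tag without the secret, so the altered value is rejected on submission.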

Cross site scripting (XSS) attacks

Here, attackers inject client-side scripts into web pages, where they run for anybody who views those pages. The attack works mostly against pages that are generated dynamically, allowing the attacker to exploit vulnerabilities that arise when input data is not validated before it is used by the system. Malicious JavaScript, Flash, VBScript and HTML objects are hidden in legitimate-looking requests and sent to the server.


Cross-site scripting attacks can also be performed through email. Here, the attacker sends the user a malicious link, stating that a prize has been won and requesting credentials. When the end user clicks the link, the request goes to a server which in turn sends back a profile page with blank fields for entering credentials. When the user fills in the profile, the attacker extracts the banking information to carry out theft.

This method can also be used to steal user cookies: the attacker hosts a malicious site which, when viewed by the user, serves HTML containing the malicious link; if the user's browser runs that HTML, the attacker steals the cookies and then sends requests using the stolen cookies.
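The two XSS passages above describe the same root cause as the dynamic-page passage before them: user-controlled text written into a page without being encoded for the HTML context, and a session cookie that script is allowed to read. The Python below is an added example written for this article, not the article's code or that of any framework; SAMPLE is a constructed probe string and the cookie name "session" is an assumed one.

```python
import html

# Constructed sample input of the kind the article describes being injected.
SAMPLE = "<script>alert(1)</script>"


def render_greeting_unsafe(name):
    # Vulnerable: the user-supplied value is placed straight into the markup,
    # so any tags it contains become part of the page.
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: encode for the HTML text context at the point of insertion.
    # quote=True also encodes ' and ", so the same helper is safe inside
    # a quoted attribute value.
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id):
    """Set-Cookie header for a session cookie that injected script cannot read.

    HttpOnly keeps the value out of document.cookie, which is what the
    cookie-theft scenario above relies on; Secure restricts it to HTTPS;
    SameSite=Lax stops most cross-site requests from carrying it.
    """
    return (
        f"Set-Cookie: session={session_id}; Path=/; "
        "HttpOnly; Secure; SameSite=Lax"
    )
```

Output encoding does not remove the attacker's text; it makes the browser display it as text instead of executing it, which is why the encoded page still shows the literal "<script>" to the reader while containing no script element. HttpOnly is the second layer: even where an encoding mistake slips through, the session cookie is not available to the injected script.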

Published with the express permission of the author.