Wep Application Security Archives - Ninad Mathpati https://ninadmathpati.com/category/wep-application-security/ Security Consultant Sun, 06 Dec 2020 18:00:45 +0000 en-US hourly 1 https://ninadmathpati.com/wp-content/uploads/2020/06/cropped-cropped-emoji-32x32.png Wep Application Security Archives - Ninad Mathpati https://ninadmathpati.com/category/wep-application-security/ 32 32 Web Application Pentesting Methodology-Part 2 (Client-side vulnerabilities) https://ninadmathpati.com/2019/10/08/web-application-pentesting-methodology-part-2-client-side-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=web-application-pentesting-methodology-part-2-client-side-vulnerabilities https://ninadmathpati.com/2019/10/08/web-application-pentesting-methodology-part-2-client-side-vulnerabilities/#respond Tue, 08 Oct 2019 14:07:18 +0000 https://cyberzombie.in/?p=4088 Read More

]]>
Hello Guys, took a bit long, but as I said here is the 2nd part of web application pen-testing methodology.

Before going for client-side vulnerabilities, I would like to describe how a browser works briefly!

So basically whats the definition of a web browser?

Something that helps in opening Facebook, youtube etc. is it just that? It’s an application which can be used to fetch or access information from the world wide web.

How does a browser work?

The browser has 3 main components

  • Browser user interface
  • browser engine
  • rendering engine

Browser user interface: 

BUI is a method of connecting to an application by using the browser’s functionalities such as forward button, back button, proxy, URL bar,…etc.

Browser engine: 

It acts as an intermediate to UI and rendering engine it collects all the inputs and data from the user interface and queries it to the rendering engine.

Rendering engine:

The rendering engine is something which processes the request web page according to the data. Here is the main process where everything works, this engine renders that HTML, XML..etc. Data to generate the display layout.

Browser Workflow

This was a short description of how a browser works, If you want to go more in detail you can go through the blog of  Monica raghuwanshi.

Now moving on to the client-side vulnerabilities!

Client-side vulnerabilities are the major problems on the UI workflow, such as client-side data validation bypass, failed to add proper header leading to clickjacking…etc.

Some major client-side vulnerabilities are,

  • Testing for XSS
  • Testing for IDOR
  • Testing for CSRF
  • Testing for Javascript validation bypass
  • Testing for HTML Injection
  • Testing for Clickjacking
  • Testing for Cross-Origin Resource Sharing
  • Testing Client-Side Storage
  • Testing for Insecure URL redirects
  • …etc,

NOTE:- I would be not describing the definitions of this test cases in details; rather I would prefer providing you with a practical example on each of them.

Testing for XSS(Cross-Site Scripting)

As almost everyone knows there are 3 types of XSS

  • Reflected XSS
  • Stored XSS
  • Dom XSS

Now if we go for reflected XSS, We can describe it as, 

let’s take an example, suppose an e-commerce website is there, and there is a search bar to search for the required things, suppose you enter a malicious payload instead of any product name, like 

<script>alert(document.domain)</script>

This will alert pop up with the domain name, in the same way, the attacker can steal user cookies, which may lead to account takeover.

This was a short description of the reflected XSS, now let’s move forward with stored XSS,

Here, in this case, suppose you have a signup form, and it is implemented so that when the user signups with the defined credentials. The username is getting reflected on the home page (after login). so here the attacker might make a username with a malicious payload such as 

<img src=x onerror=alert(‘document.domain’)>;

When the desired user logins through the application a pop up will appear in front of him showing the domain name. This type of scenarios is called stored XSS, where the entered field id is getting stored in the DB without validation. Thus leading to stored cross-site attacks.

Blind XSS is a variant of persistent/stored XSS vulnerability. They occur when the attacker input is saved by the web server and executed as a malicious script in another part of the application or another application. For example, Let’s suppose there’s a cryptocurrency trading related website, where it asks for identity verification before moving forward and creating/importing our wallet, while verification it asks for name, id no, and snap of id, we can use the blind XSS payload here in the mane field and try to get our malicious script executed by the admin. In contrast, he tries to verify our data. There are many other scenarios where we can find Blind Xss some of them are,

  • Contact/Feedback pages
  • Log viewers
  • Exception handlers
  • Chat applications / forums
  • Customer ticket applications
  • Web Application Firewalls
  • Any application that requires user moderation

If you want to test for Blind XSS here are the best tools as of me,

Now the most difficult type of XSS is DOM-based XSS.

Here, suppose there’s a big application it has a lot of data stored in it. There will be a search bar to search for any information, so what we do is we enter a malicious payload like “/><script>alert(‘document.domain’);</script> instead of searching anything, but to the surprise what is see is as soon as I enter(only entered not clicked enter) this payload I m getting a pop-up, why this is happening?

It is because, in the backend, the query given by the user is being directly getting executed instantly, so the pop up appeared. This is what a dom based XSS is, it’s an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script so that the client-side code runs in an “unexpected” manner. 

These are just the simple example where there was no security implemented for XSS attack, but there are many instances where you need to bypass the validation or WAF some of the tricks to bypass the waf are given below,

Kona WAF (Akamai) Bypass:

 \');confirm(1);//

ModSecurity WAF Bypass:

<img src=x onerror=prompt(document.cookie) onerror=prompt(document.domain) onerror=prompt(document.domain)>

Incapsula WAF Bypasses:

 <iframe/onload='this["src"]="javas	cript:al"+"ert""';> <img/src=q onerror='new Function`al\ert\`1\"'>

Wordfence XSS Bypasses:

<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>

Thanks to EdOverflow and other researchers who believe in Sharing the knowledge for the above details.

Here’s another reference for different types of WAF bypass.

Testing for Insecure Direct Object Reference (IDOR)

This is a type of vulnerability in which the attacker can fetch any user’s information, Suppose there is an HR management tool in your company and when you log in to it, the URL appears to be such as

https://www.xyzcompany.com/hrms/user_id=1234

Now if we change the user_id parameter value to something else, we get another employee’s information. Thus this shows that the given application is vulnerable to Insecure Direct Object Reference Attack.

Looks simple right this, but this might lead to a complete company’s data loss, theft, and manipulation.

Here is the example of it where I was able to delete company whole DB at once using IDOR,

https://ninadmathpati.com/how-critical-is-idor-vulnerability-can-it-take-down-a-whole-company/

Testing for Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery is a type of attack in which the attacker can perform malicious activities in the user’s account without his knowledge. But to make this attack critical, the user’s interaction is needed, or we need a session id of the user. Only this attack is possible. For example, CSRF can suppose an email change option on my profile page, where there is no kind of verification done. In contrast, the email is changed, so the attacker can generate a CSRF request to change the account’s email. Thus after this, the only thing we need is user’s interaction, if the user clicks on the malicious link the email of the victim’s account is changed and then the attacker can go in a normal way to reset the password and request a password reset.

So here we can describe the impact as Business-critical as we can completely take over the account.

Another scenario can be like, suppose there’s an e-commerce website and we know that any security measures for CSRF attack are not implemented there. So suppose the victim has added something to the cart, what an attacker can do is generate a CSRF request to add the desired item to the victim’s cart, once it’s generated then and if the victims click on the link and proceed with the cart payment. Thus the attacker can order anything for him through anybody.

These were some attack scenarios of CSRF,

What’s the best way to check if CSRF security measure is implemented or not just give a check on the request part for CSRF token if it’s implemented then chances are there that the company has implemented CSRF security measure

Testing for Javascript validation bypass

Javascript validation bypass, we can call is as client-side validation bypass too, what happens here, in this case, suppose a developer has implemented a feature in my profile page that the user cannot change the user-id of the account, once it’s generated, so as shown in the below fig. the developer has implemented client-side security measure so the user cannot edit the email field, when we give a check at the inspect element there we can see that field is disabled to make changes,

Client-Side Bypass

If we change it to enabled or remove it and process the request to change the email-id and if email-id gets changed, we can say it as this is a javascript validation bypass, this was a basic scenario of this attack. There is a lot of another scenario where we can change the email id of the account or perform an XSS attack, such as, let us say there a username filed on my profile page where the developer has implemented client-side security measure that we cannot use any symbols like (><\/;'”..etc.) so here the attacker can type any name in the username field and process the request and intercept it with burp suite, there the attacker can go and change the username field and add any malicious script and forward the request, thus bypassing client-side validation here and performing an XSS attack.

Testing for HTML Injection

This attack is a lot similar to an XSS attack, but here the impact is different than that of XSS attack, In XSS attack the attacker aims to steal the session id whereas here the attacker tries to deface the website. In general, we can say in XSS we use script tags, whereas, in the HTML injection, we use HTML tags to exploit, of course, we can use any tags to exploit both the vulnerabilities.

Here the attack scenario can be like suppose there’s an internal application of a company product where on the home page it’s showing the details of the work done in a flow chart or any diagrammatic representation, there is a field where this data is stored and showed on the home page, Now suppose while entering the data what if the attacker succeeds to add iframe tag in that desired field. The result will be if the page is vulnerable to HTML injection, we will be able to see an iframe on the home page, thus leading to defacement of the website.

But my suggestion is if there’s HTML injection possible there are more chances that there might be an XSS attack also possible.

Testing for Clickjacking

Clickjacking is a type of vulnerability in which the attacker tries to impersonate a site and steal the user’s clicks on that website. This attack can lead to download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, purchase products online..etc.

Here is the perfect example of an exploit which I found on Imperva

  1. The attacker creates an attractive page which promises to give the user a free trip to Tahiti.
  2. In the background the attacker checks if the user is logged into his banking site and loads the screen that enables the transfer of funds, using query parameters to insert the attacker’s bank details into the form.
  3. The bank transfer page is displayed in an invisible iframe above the gift page. The “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.
  4. The user visits the page and clicks the “Book My Free Trip” button.
  5. In reality, the user is clicking on the invisible iframe and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.
  6. The user is redirected to a page with information about the gift (not knowing what happened in the background).

This was one scenario of bank transfer the attacker can steal user’s credentials too by this attack like we can carry out the same attack. Still, for social networking websites, we can post anything from the victim’s account. By this, I guess the impact of clickjacking must be clear if not then you can refer the below two links

Clickjacking in Google worth 14981.7$

Clickjacking on Google MyAccount Worth 7,500$

The easy way to check if the security measure for clickjacking is implemented or not is by looking for X-FRAME header or CSP header’s

Testing for Cross-Origin Resource Sharing

CORS is a vulnerability where the attacker can steal sensitive data of the user such as Payment info, messages, email id, contact no, depending on the application of any type of sensitive information.

I would like to share a bit more about this as this is one of the high-level vulnerabilities, so basically CORS is all about the resource sharing in between two sites, as we know

“It is very important that JavaScript that is running on one domain can only read data from that very domain”

If we want to fetch any information from other services, we will use Cross-origin Resource sharing.

So how do look for it?

Check the request part if any origin header is included then you can try to cors there. CORS is often implemented but not configured properly; the domains should be properly filtered.

How do we exploit it?

we can use Curl to exploit and check if you could succeed.

Curl command: curl https://www.edmodo.com -H “Origin: https://evil.com

-H: Header

-I: Fetch the HTTP-header only

Testing Client-Side Storage

Testing for the client-side database is basically an information disclosure vulnerability. If you give a check through inspect element, in your browsers for Local storage you would find some information, this local storage works using the setItem and getItem functions. So if the attacker finds an XSS in the domain, then he can easily fetch the information stored in the local storage. The severity of the information might vary form-critical to a low level, but we know that we can find something in the local storage. So this testing is also essential while doing a penetration test for a web application.

Web-Sql

You can look here for more info about this topic here

Testing for Insecure URL redirects

A URL redirect is a vulnerability where the attacker able to redirect the victim to a malicious website hosted by the attacker. in this case, there are many ways where we can redirect the victim to the evil page the basic technique is suppose you have a vulnerable link such as

http://www.target.site?#redirect=www.target1.in

here the attacker can easily change the URL as http://www.target.site?#redirect=www.fake-target.site 

and forward it to the victim and carry out an attack, but nowadays this URL redirects are very much secure, some ways to bypass this security measure are like using CRLF(%0d%0a) injection, template injection, parameter pollution..etc

All the injection part I will be discussing in the server-side testing blog.

So Alas, I hope this would be helpful to both professional and aspiring web application pen-testers. I hope you enjoyed reading this.

In the next blog, I will be covering the server-side vulnerabilities, feel free to reach out to me.

Hope you like it,

Till then, Happy Hacking

]]>
https://ninadmathpati.com/2019/10/08/web-application-pentesting-methodology-part-2-client-side-vulnerabilities/feed/ 0
Web Application PenTesting Part 1 (Methodology) https://ninadmathpati.com/2019/06/30/web-application-pentesting-part-1-methodology/?utm_source=rss&utm_medium=rss&utm_campaign=web-application-pentesting-part-1-methodology https://ninadmathpati.com/2019/06/30/web-application-pentesting-part-1-methodology/#comments Sun, 30 Jun 2019 09:58:16 +0000 https://cyberzombie.in/?p=3922 Read More

]]>
Hello Guys, Ninad here I hope you are doing good, so today’s topic is How to start with web application pen-testing. I would be dividing this Web Application Pentesting into 3 parts,


Part 1) Methodology.
Part 2) Client-side attacks.
Part 3) Server-side attacks.

In Part 1 Methodology, I would be Sharing my knowledge with you about How to start with Web Application pen-testing?
In Part 2 Client-side attacks, I would go in detail for client-side attacks like How to attack? How to mitigate? What are the client side attacks?
In Part 3 Server-side attacks, I would go in detail for Server-side attacks like How to attack? How to mitigate? What are the client side attacks? What is the attack scenario’s ..etc.

So Generally, What is Pen-testing?
As of me,

It’s a practice implemented to mitigate security threats in any domain

Here we are going to discuss Web Application Pen-testing, There’s one point which I would like to make it clear that web application pen-testing is totally different than bug bounties. So Don’t get confused with it.

How to Start Web Application Pen-testing?

There are some security testing standards In web application pen-testing which you would like to follow Such as
1) OWASP (Open Web Application Security Project)
2) SANS (Sysadmin, Audit, Network And Security )
3) OSSTMM ( Open source SecurityTesting Methodology Manual)
4) ISSAF ( Information Systems Security Assesment Framework)

If you would ask me How to?

I would start with basic’s, one should have basic knowledge of how a web application works, some programming knowledge like HTML, CSS Javascript, PHP, MYSQL..etc.
basically, if you have the above then you are good to start web application pen-testing. After this, you Should get know how a web application works its workflow, like what is HTTP? https? …etc.

How would you go for it? let divide the web application pen-testing into two parts
1) Client side pen-testing
2) Server-side pen-testing

Client-side pen testing:

Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server. Client-side pen-testing may consist of vulnerabilities which often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially-crafted email attachment or by convincing the user to visit a malicious Web site. Some targets include Web Browser’s, Adobe Acrobat, Macromedia Flash, QuickTime and Java Runtime Environment.

Some of the client side attacks might be like XSS, redirects, Phishing, Clickjacking, IDOR ..etc

Server-side Pen-Testing:

Server-side attacks seek to compromise and breach the data and applications that are present on a server.
Server-side attack target web server for downloading or viewing files like scripts, web shells, configuration files without proper authorization. Most of the time server-side attacks don’t require user interaction. These attacks can be used with web servers. We can also use them against a normal computer that people use every day. Some of the server side attacks are like RCE, Shell Uploading, RFI..etc.

In client-side attacks generally what happens is that an attacker can Mess up with the external part of the website mostly but in the server side the attacker is able to change the code or many internal files.

How to start with Web Application Pen-Testing?

—————————————————————————————————————————————————————-

Enumeration -> Enumeration -> Enumeration -> Scanning -> Manual testing

—————————————————————————————————————————————————————–

So how to go for Enumeration -> Enumeration -> Enumeration

My way for getting a description of the website is Virustotal
Looking for subdomain go for Amass
Looking for any OSNIT info go for Spiderfoot
Looking for how the application is made using Wappalyzer
Check for the Components with known vulnerabilities like check for the server name and version which the site is working on, there might be chances that the server might be vulnerable to some RCE, INJECTIONS …etc
Check for Low-level vulnerabilities like SPF, HTTP headers, NO rate limiting …etc

After that, once the basic enumeration part is done I would like to go for,
The medium level and high-level vulnerabilities like XSS, injections, Idor, chain attacks, Privilege escalation..etc.

So this was my methodology for Web Application pen-testing.

Furthermore, Testing You can go through the Methodology given within the web application hackers handbook.
1) Analyze the application
2) Test for the client side workflow
3)Test the authentication workflow
4)Test for session management
5)Test for Acces controls
6) Test for Input based Vulnerabilities
7)Tests for business login errors
8) Test for privilege escalation
9) Test for Injection attacks
10) Test for server level attacks

Now let’s take an example,

Suppose there’s a Login page now, On the basic login page, we will be having a User name and password field, submit button, Forgot password and Terms and services page link.


Now here the client side attack will be like,
There’s a forgot password section in the login page, if the attacker gets a forgot password link such as

https://xyz.com/email=ascd@xyz.com&token=aaaasdfgfdhs1232#@$

Now here if the attacker is able to alter the email address and able to reuse the token or if he is successful in carrying out an HTTP pollution attack here, and if he is able to take over the account by this method then this attack can be called as a client-side attack.

Now on the same page, you can see that there is a terms and services field also, can you check the link given there? can we carry try to carry out an RFI (Remote file inclusion) attack there

https://xyz.com/page=terms

Suppose if the attacker is able to alter the PAGE parameter and successfully carry out his RFI there then this kind of attack can be called as Server-side attacks

So this was all about the service side and client side attacks
This was all about the web application pen-testing methodology, Do let me know if you need any help in web application pen-testing

In the next part, I would be discussing in deep about the Client-side attacks, ways to carry out an attack, its mitigations..etc

Hope you like it,

Till then, Happy Hacking.

]]>
https://ninadmathpati.com/2019/06/30/web-application-pentesting-part-1-methodology/feed/ 8