CEHv6 Module 17: Web Application Vulnerabilities

  

Ethical Hacking and Countermeasures, Version 6

Module XVII: Web Application Vulnerabilities

Scenario

  Kimberly, a web application developer, works for a bank, XBank4u. Recently XBank4u introduced a new service called "Mortgage Application Service". Kimberly was assigned the task of creating the application which supported the new service. She finds ShrinkWarp, an ASP-based application on the Internet. The application suited her development perfectly. She negotiates the price with the vendor and purchases the software for the firm. She was successful in implementing the project in time. XBank4u was ready to serve its customers online for the new service using the application that Kimberly had designed. A week later, the XBank4u website was defaced!

  Was Kimberly's decision to purchase the application justified?

  Is it safe to trust a third-party application?

  News Source: http://searchsecurity.techtarget.com.au/

Module Objective

This module will familiarize you with:

  • Web Application Setup
  • Objectives of Web Application Hacking
  • Anatomy of an Attack
  • Web Application Threats
  • Countermeasures
  • Web Application Hacking Tools

Module Flow

  • Web Application Setup
  • Anatomy of an Attack
  • Web Application Hacking
  • Countermeasures
  • Web Application Threats
  • Web Application Hacking Tools

Web Application Setup

  A web application is a client/server software application that interacts with users or other systems using HTTP. Modern applications are written in Java (or similar languages) and run on distributed application servers, connecting to multiple data sources through complex business logic tiers.

  Web Application Setup (cont'd)

Web Application Hacking

Exploitative behaviors:

  • Defacing websites
  • Stealing credit card information
  • Exploiting server-side scripting
  • Exploiting buffer overflows
  • Domain Name Server (DNS) attacks
  • Employing malicious code
  • Denial of Service
  • Destruction of data

Anatomy of an Attack

  • Scanning
  • Information gathering
  • Testing
  • Planning the attack
  • Launching the attack

Web Application Threats

  • Cross-site scripting
  • SQL injection
  • Command injection
  • Cookie/session poisoning
  • Parameter/form tampering
  • Buffer overflow
  • Directory traversal/forceful browsing
  • Cryptographic interception
  • Cookie snooping
  • Authentication hijacking
  • Log tampering
  • Error message interception
  • Attack obfuscation
  • Platform exploits
  • DMZ protocol attacks
  • Security management exploits
  • Web services attacks
  • Zero-day attack
  • Network access attacks
  • TCP fragmentation

Cross-Site Scripting/XSS Flaws

  Cross-site scripting occurs when an attacker uses a web application to send malicious code, generally JavaScript. Stored attacks are those where the injected code is permanently stored on the target servers, for example in a database. Reflected attacks are those where the injected code takes another route to the victim, such as in an e-mail message. Disclosure of the user's session cookie allows an attacker to hijack the user's session and take over the account.

  In cross-site scripting, end-user files are disclosed, Trojan horse programs are installed, the user is redirected to some other page, and the presentation of the content is modified. Web servers, application servers, and web application environments are all susceptible to cross-site scripting.

An Example of XSS

  A hacker realizes that the XSECURITY website suffers from a cross-site scripting bug.

  The hacker sends you an e-mail that claims you have just won a vacation getaway and all you have to do is "click here" to claim your prize. The URL for the hypertext link is www.xsecurity.com/default.asp?name=<script>evilScript()</script>

  When you click this link, the website tries to be friendly by greeting you, but instead displays "Welcome Back !". What happened to your name? By clicking the link in the e-mail, you have told the XSECURITY website that your name is <script>evilScript()</script>. The web server generated HTML with this "name" embedded and sends it to your browser. Your browser correctly interprets this as script and runs the script. If this script instructs the browser to send a cookie containing your stock portfolio to the hacker's computer, it quickly complies. After all, the instruction came from the XSECURITY website, which owns that cookie.

  An Example of XSS (cont'd)

Countermeasures

  Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification. Adopt a stringent security policy. Filtering script output can also defeat XSS vulnerabilities by preventing injected script from being transmitted to users.
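The XSECURITY greeting page from the example, reproduced as an added illustration (this code is not part of the CEH module): the flawed handler pastes the `name` query parameter straight into HTML, while the hardened handler applies the two countermeasures above, validating the parameter against a strict specification and HTML-encoding whatever is echoed. The name policy (`NAME_SPEC`), the fallback value `guest` and the helper names are assumptions made for this example.

```python
# Added example (not from the CEH module): the reflected-XSS mechanism from the
# XSECURITY story, as a defender sees it.  The greeting page takes ?name= from the
# query string and writes it into HTML.  build_greeting_unsafe() reproduces the flaw;
# build_greeting_safe() applies the countermeasures: validate the parameter against a
# rigorous specification, then encode (filter) the output.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Names the greeting page is willing to accept: a letter followed by up to 39 letters,
# spaces, hyphens or apostrophes.  A hypothetical policy chosen for this example.
NAME_SPEC = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")


def name_from_url(url: str) -> str:
    """Extract the 'name' query parameter the way the greeting page would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def build_greeting_unsafe(name: str) -> str:
    """The flawed page: user input is pasted straight into the HTML."""
    return f"<html><body>Welcome Back {name}!</body></html>"


def build_greeting_safe(name: str) -> str:
    """Hardened page: reject names outside the spec, then HTML-encode what is echoed."""
    if not NAME_SPEC.fullmatch(name):
        name = "guest"  # fall back rather than echo anything unexpected
    return f"<html><body>Welcome Back {html.escape(name, quote=True)}!</body></html>"


def contains_script_tag(page: str) -> bool:
    """Cheap check used here to show whether the injected tag survived into the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    link = "http://www.xsecurity.com/default.asp?name=<script>evilScript()</script>"
    n = name_from_url(link)
    print(build_greeting_unsafe(n))              # the browser would execute evilScript()
    print(build_greeting_safe(n))                # validation fails, "guest" is shown instead
    print(build_greeting_safe("Kimberly O'Neil"))  # legitimate name, apostrophe encoded
```

Output encoding is the control that works even when validation is loosened later: a legitimate apostrophe in a name is rendered as `&#x27;`, so it can never close an attribute or start a tag in the generated HTML.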

  SQL Injection

  SQL injection uses SQL to directly manipulate the database's data. An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data. SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches.

  Countermeasure

  • Check the user's input provided to database queries
  • Validate and sanitize every user variable passed to the database
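As an added example (not code from the CEH module), the following shows the difference between splicing a user variable into SQL text and passing it as a bound parameter. It uses Python's built-in `sqlite3` with a constructed in-memory customer table; the table name, rows and function names are assumptions for this example. An ordinary customer name containing an apostrophe is enough to show that the concatenated query treats input as SQL syntax, while the parameterized query treats it as data.

```python
# Added example (not from the CEH module): why "validate and sanitize every user
# variable passed to the database" is best done with parameterized queries.
# Uses an in-memory SQLite table with constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a bank's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Kimberly", 1200), ("O'Brien", 350), ("Jason", 90)],
    )
    return conn


def find_balance_unsafe(conn: sqlite3.Connection, name: str):
    """Flawed pattern: the user-supplied name is spliced into the SQL text, so any
    quote character in the input changes the structure of the statement."""
    sql = "SELECT balance FROM customers WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_balance_safe(conn: sqlite3.Connection, name: str):
    """Parameterized query: the driver sends the name as data, never as SQL."""
    row = conn.execute("SELECT balance FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def query_is_confused(conn: sqlite3.Connection, name: str) -> bool:
    """True when the unsafe path cannot even parse the statement it built: a sign that
    the input was interpreted as SQL syntax rather than as a value."""
    try:
        find_balance_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(find_balance_safe(db, "Kimberly"))  # 1200
    print(find_balance_safe(db, "O'Brien"))   # 350: the apostrophe is just data
    print(query_is_confused(db, "O'Brien"))   # True: the unsafe query breaks on it
```

The syntax error is the benign symptom; the same mechanism is what lets crafted input alter the query's logic. Input validation still belongs in front of the query (length, character set, expected format), but parameter binding is what guarantees the boundary between code and data.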

Command Injection Flaws

  Command injection flaws relay malicious code through a web application to another system. Attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to the backend databases via SQL (i.e., SQL injection). Scripts written in Perl, Python, and other languages can be injected into poorly designed web applications.

Countermeasures

  Use language-specific libraries that avoid problems due to shell commands. Validate the data provided to prevent any malicious content. Structure requests so that all supplied parameters are treated as data, rather than potentially executable content. J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands.
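An added example (not from the CEH module) of the countermeasures just listed, for a hypothetical diagnostics page that accepts a hostname from the user: the value is validated against an allowlist pattern and then handed to a child process as one argv element with no shell in between, so shell metacharacters carry no meaning. To stay portable and offline, the child process is the Python interpreter echoing its first argument rather than a real network utility; the `HOSTNAME` pattern and function names are assumptions for this example.

```python
# Added example (not from the CEH module): "treat parameters as data" and "use
# language-specific libraries instead of shell commands".  The host is validated
# against a strict pattern and passed as a single argv element to subprocess with
# shell=False.  The child is the Python interpreter itself, which just echoes argv[1].
import re
import subprocess
import sys

# RFC-style hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(
    r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)

ECHO_CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def is_acceptable_host(host: str) -> bool:
    """Allowlist validation: anything that is not a plain hostname is rejected."""
    return HOSTNAME.fullmatch(host) is not None


def build_argv(host: str) -> list:
    """Structured request: the host becomes one argument, never shell text."""
    if not is_acceptable_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ECHO_CHILD + [host]


def run_lookup(host: str) -> str:
    """Runs the command with shell=False; the host reaches the child unchanged."""
    result = subprocess.run(build_argv(host), capture_output=True, text=True, check=True)
    return result.stdout.strip()


def echo_raw_argument(value: str) -> str:
    """Shows what argv delivery does with an arbitrary string: the child receives it
    verbatim as ONE argument; characters such as ';' or '|' are never interpreted."""
    result = subprocess.run(ECHO_CHILD + [value], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(run_lookup("www.xbank4u.example"))
    print(echo_raw_argument("host.example ; extra words"))  # printed literally
    try:
        run_lookup("host.example ; extra words")
    except ValueError as err:
        print(err)                                          # rejected before any process runs
```

Both layers matter: validation rejects anything that does not look like a hostname before a process is started, and argv delivery means that even a value that slips through validation cannot be parsed as a command line.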

Cookie/Session Poisoning

  Cookies are used to maintain session state in the otherwise stateless HTTP protocol. Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information. A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie.

Countermeasures

  Do not store plaintext or weakly encrypted passwords in a cookie. Implement cookie timeouts. A cookie's authentication credentials should be associated with an IP address. Make logout functions available.

Parameter/Form Tampering

  Parameter/form tampering takes advantage of hidden fields that work as the only security measure in some applications. Modifying this hidden field value will cause the web application to change according to the new data incorporated. It can cause theft of services, escalation of access, and session hijacking. Countermeasure: field validity checking.

  H idden Field at
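The "field validity checking" countermeasure, as an added example that is not part of the CEH module: a hypothetical order form carries the item price in a hidden field. The flawed handler charges whatever the hidden field says; the hardened handler treats every submitted field as untrusted, validates item and quantity, and recomputes the price from a server-side catalogue. The catalogue, item codes and quantity limits are constructed for this example.

```python
# Added example (not from the CEH module): "field validity checking" for a form whose
# hidden 'price' field is the only thing standing between the client and the charge.
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the authoritative prices.
CATALOG = {"MORTGAGE-APP-FEE": Decimal("250.00"), "CREDIT-REPORT": Decimal("35.00")}
MAX_QTY = 10


def charge_unsafe(form: dict) -> Decimal:
    """Flawed: the amount charged is whatever the hidden 'price' field says."""
    return Decimal(form["price"]) * int(form["qty"])


def charge_safe(form: dict) -> Decimal:
    """Hardened: the client chooses an item and a quantity; the price comes from the
    catalogue, and every field is checked against what the server expects."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    price = CATALOG[item]
    # The form may still carry a hidden price for display; it is compared, never trusted.
    submitted = form.get("price")
    if submitted is not None:
        try:
            submitted_price = Decimal(submitted)
        except InvalidOperation:
            raise ValueError("price is not a number")
        if submitted_price != price:
            raise ValueError("submitted price does not match catalogue")
    return price * qty


def is_tampered(form: dict) -> bool:
    """Convenience wrapper: True when the hardened handler refuses the form."""
    try:
        charge_safe(form)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    honest = {"item": "MORTGAGE-APP-FEE", "qty": "1", "price": "250.00"}
    tampered = {"item": "MORTGAGE-APP-FEE", "qty": "1", "price": "1.00"}
    print(charge_unsafe(tampered))  # 1.00: the client's price is accepted
    print(charge_safe(honest))      # 250.00
    print(is_tampered(tampered))    # True: mismatch against the catalogue
```

Rejecting a mismatched hidden price, rather than silently overriding it, is deliberate: a mismatch means the request was not produced by the application's own form, which is worth logging as an attempted tampering.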

Buffer Overflow

  A buffer overflow corrupts the execution stack of a web application. Buffer overflow flaws in custom web applications are less likely to be detected. Almost all known web servers, application servers, and web application environments are susceptible to attack (but not Java and J2EE environments, except for overflows in the JVM itself).

Countermeasures

  Validate input length in forms. Check bounds and take extra care when using loops to copy data. StackGuard and StackShield for Linux are tools to defend programs and systems against stack-smashing.

Directory Traversal/Forceful Browsing

  A directory traversal/forceful browsing attack occurs when the attacker is able to browse directories and files outside the normal application access. It exposes the directory structure of the application, and often the underlying web server and operating system. An attacker can enumerate contents, access secure or restricted pages, gain confidential information, locate source code, and so on.
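An added example (not code from the CEH module) of the access-right check that keeps a file-download handler inside its document root, which is the first of the countermeasures this section goes on to list. A request path is joined onto the root, resolved to its real filesystem location, and served only if that location is still under the root; `..` sequences and absolute paths are refused. The web root is a constructed temporary directory, and the file names and helper names are assumptions for this example.

```python
# Added example (not from the CEH module): containment check for a download handler.
# resolve_download() returns the real path only if it stays under `root`.
# A temporary directory with constructed files stands in for the web root.
import os
import tempfile
from pathlib import Path


class TraversalError(Exception):
    """Raised when a requested path would leave the document root."""


def resolve_download(root: str, requested: str) -> str:
    """Map a request path onto the filesystem and prove it is inside `root`."""
    root_real = os.path.realpath(root)
    # Strip leading separators so an absolute path cannot override the root.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    # commonpath avoids the classic "/var/www" vs "/var/www2" prefix mistake.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"path escapes document root: {requested!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def classify(root: str, requested: str) -> str:
    """What the handler would do with the request: serve it, block it, or 404."""
    try:
        resolve_download(root, requested)
        return "served"
    except TraversalError:
        return "blocked"
    except FileNotFoundError:
        return "not found"


def make_demo_root() -> str:
    """Constructed web root: one public file, plus a 'secret' file one level above it."""
    base = tempfile.mkdtemp()
    public = Path(base, "public")
    public.mkdir()
    (public / "brochure.txt").write_text("mortgage rates\n")
    Path(base, "config.ini").write_text("db_password=example-only\n")
    return str(public)


if __name__ == "__main__":
    root = make_demo_root()
    for req in ("brochure.txt", "nested/../brochure.txt", "../config.ini", "/etc/passwd"):
        print(f"{req:28} -> {classify(root, req)}")
```

Web servers decode percent-encoding before the application sees the path, so this check operates on the decoded value; the "blocked" outcome is the one worth alerting on, because a legitimate link never produces it.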

Countermeasures

  Define access rights to the protected areas of the website. Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as Unicode encoding used to effect directory traversal. Web servers should be updated with security patches in a timely manner.

Cryptographic Interception

  Using cryptography, a confidential message can be securely sent between two parties. Encrypted traffic flows through network firewalls and IDS systems and is not inspected. If an attacker is able to take advantage of a secured channel, he/she can exploit it more efficiently than an open channel.

  Countermeasure

  • Use of Secure Sockets Layer (SSL) and advanced private key protection

Cookie Snooping

  In an attempt to protect cookies, site developers often encode the cookies. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give a false sense of security regarding the use of cookies. Cookie snooping techniques can use a local proxy to enumerate cookies.

  Countermeasures:

  • Use encrypted cookies
  • Embed the source's IP address in the cookie
  • Integrate the cookie mechanism fully with SSL functionality for secured remote web application access
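The following added example (not code from the CEH module) serves both the Cookie/Session Poisoning and the Cookie Snooping countermeasures. It first shows that a Base64-"protected" cookie is readable by anyone who captures it, then builds a session cookie with no secret inside it, an expiry, the client's IP address bound into the payload, and an HMAC over the payload so that a value rewritten through a proxy is detected. The key, lifetime, user names and addresses are constructed for the example; encrypting the payload as well would hide its contents, but integrity, not secrecy, is what stops poisoning.

```python
# Added example (not from the CEH module): why Base64 is obfuscation, not protection,
# and one way to build a signed, time-limited, IP-bound session cookie.
# The key, user ids and addresses are constructed; a real deployment keeps the key
# out of source code.
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-only-change-me"  # constructed; load from a secret store in practice
SESSION_TTL = 900                        # seconds a session cookie stays valid


def legacy_cookie(user: str, role: str) -> str:
    """What many sites did: encode a plaintext record and call it protected."""
    return base64.b64encode(f"user={user};role={role}".encode()).decode()


def snoop_legacy_cookie(cookie: str) -> str:
    """Anyone holding the cookie (proxy, log file) reverses the encoding trivially."""
    return base64.b64decode(cookie).decode()


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user: str, client_ip: str, now: float = None) -> str:
    """Signed session cookie: payload.signature, nothing secret in the payload."""
    now = time.time() if now is None else now
    record = {"user": user, "ip": client_ip, "exp": int(now) + SESSION_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(record).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verify_session(cookie: str, client_ip: str, now: float = None) -> dict:
    """Returns the session record, or raises ValueError explaining why it is refused."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed cookie")
    # Check the signature before decoding anything the client controls.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        raise ValueError("signature mismatch: cookie was altered or forged")
    record = json.loads(base64.urlsafe_b64decode(payload))
    if record["exp"] < now:
        raise ValueError("session expired")
    if record["ip"] != client_ip:
        raise ValueError("cookie presented from a different address")
    return record


def poison_attempt(cookie: str, new_user: str) -> str:
    """Rewrites the payload the way a proxy could, leaving the old signature in place."""
    payload, sig = cookie.rsplit(".", 1)
    record = json.loads(base64.urlsafe_b64decode(payload))
    record["user"] = new_user
    return base64.urlsafe_b64encode(json.dumps(record).encode()).decode() + "." + sig


def session_status(cookie: str, client_ip: str, now: float = None) -> str:
    """'accepted', or the reason the cookie was refused."""
    try:
        verify_session(cookie, client_ip, now)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(snoop_legacy_cookie(legacy_cookie("kimberly", "admin")))
    t0 = 1_700_000_000
    c = issue_session("kimberly", "203.0.113.7", now=t0)
    print(session_status(c, "203.0.113.7", t0 + 10))                         # accepted
    print(session_status(poison_attempt(c, "jason"), "203.0.113.7", t0 + 10))  # signature mismatch
    print(session_status(c, "198.51.100.9", t0 + 10))                        # different address
    print(session_status(c, "203.0.113.7", t0 + SESSION_TTL + 1))            # expired
```

Binding the cookie to the client address is the slide's advice and is shown as such; in practice it breaks users behind changing NAT addresses, so many sites bind to less volatile attributes instead. The logout countermeasure corresponds to server-side invalidation, which a purely signed cookie cannot provide on its own.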

  Authentication Hijacking

  Authentication prompts a user to supply the credentials that allow access to the application. It can be accomplished through:

  • Basic authentication
  • Strong authentication methods

  Web applications authenticate in varying methods. Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge. A security lapse can lead to theft of service, session hijacking, and user impersonation.

Countermeasures

  Use authentication methods that use secure channels wherever possible. Instant SSL can be configured easily to encrypt all traffic between the client and the application. Use cookies in a secure manner where possible.

  Log Tampering

  Logs are kept to track the usage patterns of the application. Log tampering allows attackers to cover their tracks or alter web transaction records. Attackers strive to delete logs, modify logs, change user information, or otherwise destroy evidence of any attack.

  Countermeasure

  • Digitally sign and stamp logs
  • Separate logs for system events
  • Maintain a transaction log for all application events
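"Digitally sign and stamp logs", as an added example that is not part of the CEH module: each entry carries a timestamp and an HMAC that also covers the previous entry's tag, so editing, deleting or reordering a line breaks the chain from that point on. The signing key and the XBank4u-style log lines are constructed for the example; the verifier also accepts the last tag recorded elsewhere (for instance on a separate log host, per the second countermeasure) so that truncation of the tail is caught as well.

```python
# Added example (not from the CEH module): a tamper-evident application log.
# Every entry's tag = HMAC(key, previous_tag | timestamp | message).
import hashlib
import hmac

LOG_KEY = b"log-signing-key-example-only"  # constructed; keep off the web server in practice
ANCHOR = "0" * 64                          # tag the chain starts from


def _tag(prev_tag: str, ts: str, message: str) -> str:
    data = f"{prev_tag}|{ts}|{message}".encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def append_entry(log: list, ts: str, message: str) -> dict:
    """Append a stamped, signed entry; returns the entry that was written."""
    prev = log[-1]["tag"] if log else ANCHOR
    entry = {"ts": ts, "msg": message, "tag": _tag(prev, ts, message)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_last: str = None) -> int:
    """Index of the first bad entry, or -1 when the whole log checks out.
    len(log) is returned when the tail is missing relative to `expected_last`,
    the most recent tag recorded on a separate system."""
    prev = ANCHOR
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["ts"], entry["msg"])):
            return i
        prev = entry["tag"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(log)
    return -1


def sample_log() -> list:
    """Constructed application events for the XBank4u mortgage service."""
    log = []
    append_entry(log, "2008-05-01T10:00:00Z", "login user=kimberly ip=203.0.113.7")
    append_entry(log, "2008-05-01T10:02:13Z", "GET /mortgage/apply.asp status=200")
    append_entry(log, "2008-05-01T10:05:41Z", "POST /admin/upload.asp status=403")
    append_entry(log, "2008-05-01T10:06:02Z", "logout user=kimberly")
    return log


def tampered_copy(log: list, index: int, new_msg: str) -> list:
    """Someone rewriting one line (e.g. turning a 403 into a 200) without the key."""
    copy = [dict(e) for e in log]
    copy[index]["msg"] = new_msg
    return copy


def deleted_copy(log: list, index: int) -> list:
    """Someone removing one line to cover their tracks."""
    copy = [dict(e) for e in log]
    del copy[index]
    return copy


if __name__ == "__main__":
    log = sample_log()
    print(verify_chain(log))                                                        # -1
    print(verify_chain(tampered_copy(log, 2, "POST /admin/upload.asp status=200")))  # 2
    print(verify_chain(deleted_copy(log, 2)))                                       # 2
    print(verify_chain(deleted_copy(log, 3)))                                       # -1 (undetected)
    print(verify_chain(deleted_copy(log, 3), log[-1]["tag"]))                       # 3 (caught)
```

The last two lines show the limitation a chain alone has: dropping the newest entries leaves a valid shorter chain. Shipping the latest tag to a separate, append-only system closes that gap, which is why the slide pairs signing with separate logs.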

  Error Message Interception

  Information in error messages is often rich with site-specific information that can be used to:

  • Determine the technologies used in the web applications
  • Determine whether the attack attempt was successful
  • Receive hints for attack methods to try next

  Countermeasure

  • Website cloaking capabilities make enterprise web resources invisible to hackers

  Attack Obfuscation

  Attackers often work hard to mask and otherwise hide their attacks to avoid detection. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Multiple levels of encoding can be used to further bury the attack. It is used for theft of service, account hijacking, information disclosure, website defacement, and so on.

Countermeasures:

  • Thoroughly inspect all traffic
  • Block or translate Unicode and UTF-8 encoding to detect attacks
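The "translate encoding before inspecting" countermeasure, as an added example that is not code from the CEH module. A signature check run against the raw request line is blind to percent-encoding, double encoding and Unicode look-alike characters; `canonicalize()` peels URL-encoding until the value stops changing, folds the result with Unicode NFKC normalization, and only then are signatures matched. The signatures and sample requests are constructed and deliberately simple; a real inspection engine uses a maintained rule set.

```python
# Added example (not from the CEH module): decode layered encodings before matching
# signatures, and record how many layers were present (more than one is itself odd).
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5

# Toy signatures for this example; real inspection uses a maintained rule set.
SIGNATURES = ("../", "<script", "union select")


def _peel(value: str):
    """Undo URL-encoding repeatedly; returns (decoded value, number of layers peeled)."""
    depth, current = 0, value
    while depth < MAX_DECODE_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current, depth = decoded, depth + 1
    return current, depth


def canonicalize(value: str) -> str:
    """Decoded, NFKC-normalized (fullwidth '<' becomes '<'), lower-cased form."""
    return unicodedata.normalize("NFKC", _peel(value)[0]).lower()


def decoding_depth(value: str) -> int:
    return _peel(value)[1]


def inspect_naive(raw: str) -> bool:
    """Signature check on the raw request: defeated by any encoding."""
    return any(sig in raw.lower() for sig in SIGNATURES)


def inspect_normalized(raw: str) -> bool:
    """Signature check after canonicalization, as the countermeasure recommends."""
    return any(sig in canonicalize(raw) for sig in SIGNATURES)


# Constructed sample request lines.
SAMPLE_REQUESTS = [
    "/default.asp?name=kimberly",
    "/default.asp?name=%3Cscript%3E",        # single URL-encoding
    "/default.asp?name=%253Cscript%253E",    # double URL-encoding
    "/images/..%2F..%2Fconfig.ini",          # encoded traversal
    "/search.asp?q=%EF%BC%9Cscript",         # fullwidth '<' (U+FF1C), UTF-8 encoded
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:40} raw={inspect_naive(req)!s:5} "
              f"normalized={inspect_normalized(req)!s:5} layers={decoding_depth(req)}")
```

The decode loop is bounded and stops when a round changes nothing, so a value that is merely a literal percent sign is not decoded forever; the inspection must mirror what the target application itself will decode, otherwise the filter and the application disagree about what the request says.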

Platform Exploits

  Web applications are built upon application platforms, such as BEA WebLogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun Java technologies. Vulnerabilities include the misconfiguration of the application, bugs, insecure internal routines, hidden processes and commands, and third-party enhancements. The exploit of application platform vulnerabilities can allow:

  • Access to developer areas
  • The ability to update application and site content

  DMZ Protocol Attacks

  A DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network.

  Most companies limit the protocols allowed to flow through their DMZ.

  An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZ and internal systems. This level of access can lead to:

  • Compromise of the web application and data
  • Defacement of websites
  • Access to internal systems, including databases, backups, and source code

  DMZ

  Countermeasures

  Deploy a robust security policy. Adopt a sound auditing policy. Use signatures to detect and block well-known attacks.

  • Signatures must be available for all forms of attack and must be continually updated

  Security Management Exploits

  Security management systems are targeted to turn off security enforcement. An exploit of security management can lead to the modification of protection policies.

Countermeasures

  • There should be a single consolidated way to manage the security that is specific to each application
  • Firewalls should be used

  Web Services Attacks

  Web services allow process-to-process communication between web applications. An attacker can inject a malicious script into a web service that will enable disclosure and modification of the data.

  Countermeasures:

  • Turn off web services that are not required for regular operations
  • Provision for multiple layers of protection
  • Block all known attack paths without relying on the signature database alone

  Zero-Day Attacks

  Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker and the time that the vendor issues a corrective patch. Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic. A zero-day vulnerability is the launching point for further exploitation of the web application and environment.

  Countermeasures:

  • No security solution can claim that it will totally protect against all zero-day attacks
  • Enforce stringent security policies
  • Deploy a firewall and enable heuristic scanning (heuristics: common-sense rules drawn from experience to solve problems)

  Network Access Attacks

  All traffic to and from a web application traverses networks. These attacks use techniques like spoofing, bridging, ACL bypass, and stack attacks. Sniffing network traffic will allow viewing of application commands, authentication information, and application data as it traverses the network.

  Countermeasures

  • Shut down unnecessary services, thereby closing unnecessary listening ports
  • Define firewall rules to pass only legitimate traffic

TCP Fragmentation

  Every message that is transferred between computers by a data network is broken down into packets. Often packets are limited to a pre-determined size for interoperability with physical networks. An attack directly against a web server would specify that the "Push" flag is set, which would force every packet into the web server's memory. In this way, an attack would be delivered piece-by-piece, without the ability to detect the attack.

  Countermeasure:

  • Use packet filtering devices and firewall rules to thoroughly inspect the nature of the traffic directed at a web server

Hacking Tools

  • Instant Source
  • Wget
  • WebSleuth
  • BlackWidow
  • WindowBomb
  • Burp
  • cURL

Instant Source

  The Instant Source tool allows you to see and edit the HTML source code of web pages. It can be executed from Internet Explorer, where a new toolbar window displays the source code for any selected part of the page in the browser window.

  Source: http://www.blazingtool.com

  

Instant Source: Screenshot

Hacking Tool: Wget

  Wget is a command line tool for Windows and Unix that will download the contents of a website. It works non-interactively in the background after the user logs off. It works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded. Both HTTP and FTP retrievals can be time-stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has.

  Source: www.gnu.org/

  Wget: Screenshot

WebSleuth

  WebSleuth is a tool that combines spidering with the capability of a personal proxy such as Achilles.

  WebSleuth: Screenshot

  Picture Source: http://sandsprite.com/sleuth/

BlackWidow

  BlackWidow is a website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program. It can be used to scan a site and create a complete profile of the site's structure, files, e-mail addresses, external links, and even link errors.

  Source: http://softbytelabs.com

SiteScope Tool

  Foundstone SiteScope is a free tool that helps website owners, developers, and managers to easily map out the navigation of a web application. This tool creates a site map and gathers useful data for basic metrics.

WSDigger Tool – Web Services Testing Tool

  WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing. It is more than a tool; it is a web services testing framework. This framework contains sample attack plug-ins for SQL injection, cross-site scripting, and XPATH injection attacks.

  WSDigger: Screenshot

CookieDigger Tool

  CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.

SSLDigger Tool

  SSLDigger is a tool to assess the strength of SSL servers by testing the supported ciphers. Some of these ciphers are known to be insecure.

Hacking Tool: WindowBomb

  An e-mail sent with this HTML code attached will create pop-up windows until the PC's memory is exhausted. JavaScript is vulnerable to simple coding such as the example given below:

Burp: Positioning Payloads

  Burp is a tool for performing automated attacks against web-enabled applications.

  Source: http://portswigger.net

Burp: Configuring Payloads and Content Enumeration

  Burp comes preconfigured with attack payloads and it can check for common databases on a Lotus Domino server.

Burp: Password Guessing

  Burp can be used for password guessing as well as data mining.

Burp Proxy: Intercepting HTTP/S Traffic

  Burp proxy operates as a man-in-the-middle between the end browser and the target web server, and allows the attacker to intercept, inspect, and modify the raw traffic passing in both directions.

  Burp Proxy: Hex-editing of Intercepted Traffic

  Burp proxy allows the attacker to modify intercepted traffic in both text and hexadecimal form, so even transfers of binary data can be manipulated.

  Burp Proxy: Browser Access to Request History

  Burp proxy maintains a complete history of every request sent by the browser.

  Tool: Burpsuite

  Burp suite is an integrated platform for attacking web applications. It allows an attacker to combine manual and automated techniques to enumerate, analyze, attack, and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

  Key features include:

  • Ability to passively spider an application in a non-intrusive manner
  • One-click transfer of interesting requests between plug-ins, e.g. from proxy request history, or a web page form enumerated with Burp spider
  • Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp suite
  • Centrally configured settings for downstream proxies, web and proxy authentication, and logging
  • Plug-ins can run in a single tabbed window, or be detached in individual windows
  • All plug-ins and suite configuration are optionally persistent across program loads
  • Runs in both Linux and Windows

  Burpsuite: Screenshot 1

  Burpsuite: Screenshot 2

  Hacking Tool: cURL

  cURL is a multi-protocol transfer library. It is a client-side URL transfer library supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP. cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form-based upload, proxies, cookies, user+password authentication, file transfer resume, HTTP proxy tunneling, and more.

  Source: http://curl.haxx.se

  Proof of Concept cURL: Screenshot

dotDefender

  dotDefender is a web application attack protection tool that blocks attacks that are manifested within the HTTP request logic, such as:

  • SQL Injection - dotDefender intercepts and blocks attempts to inject SQL statements that corrupt or gain access to the corporate data
  • Proxy Takeover - dotDefender intercepts and blocks attempts to divert traffic to an unauthorized site
  • Cross-site Scripting - dotDefender intercepts and blocks attempts to inject malicious scripts that hijack the machines of subsequent site visitors
  • Header Tampering - dotDefender identifies and blocks requests containing corrupted header data
  • Path Traversal - dotDefender blocks attempts to navigate through the host's internal file system
  • Probes - dotDefender detects and blocks attempts to ferret out the system's information
  • Known Attacks - dotDefender recognizes and blocks attacks bearing known signatures

  Source: http://www.dotdefender.com
dotDefen der

  Acunetix Web Scanner

  Acunetix launches all the Google hacking database queries onto the crawled content of your website, to find any sensitive data or exploitable targets before a "search engine hacker" does.

  Source: http://www.acunetix.com

  Acunetix Web Scanner: Screenshot

  AppScan – Web Application Scanner

  AppScan provides security testing throughout the application development lifecycle, which tests security assurance in the development stage. It detects vulnerabilities by simulating hacker attacks such as:

  • Cross-Site Scripting
  • HTTP Response Splitting
  • Parameter Tampering
  • Hidden Field Manipulation
  • Backdoors/Debug Options
  • Stealth Commanding
  • Forceful Browsing
  • Application Buffer Overflows
  • Cookie Poisoning
  • Third-party misconfigurations
  • Known vulnerabilities
  • HTTP Attacks
  • SQL Injection
  • Suspicious Content
  • XML/SOAP Tests
  • Content Spoofing
  • LDAP Injection
  • Session Fixation

  Source: www.watchfire.com

  AppScan: Screenshot

AccessDiver

  Source: http://www.accessdiver.com

  AccessDiver: Screen shot

  Tool: Falcove Web Vulnerability Scanner

  Falcove is used by website owners to see whether their websites are hackable or vulnerable to attacks. It finds vulnerabilities before hackers do and takes the necessary precautions to implement corrective actions.

Features:

  • Gives you an idea whether your website is secure against web attacks
  • Crawler feature automatically checks for web vulnerabilities
  • Audits all dynamic content including password fields, shopping carts, and other web applications
  • Generates penetration reports that give you a certain idea about your website's security level

  Falcove Web Vulnerability Scanner: Screenshot

Tool: NetBrute

  NetBrute scans a range of IP addresses for shared resources that have been shared via Microsoft File and Printer Sharing.

  It shows any SMB-compatible shared resources (i.e., Samba servers on a Unix/Linux machine).

  It is used by system administrators or home users to see what types of resources are shared and to warn the computer users if any unsecured resources are displayed.

  It finds all resources, whether they have passwords or not.

  NetBrute: Screenshot

Tool: Emsa Web Monitor

  Emsa Web Monitor is a small web monitoring program that runs on your desktop and allows the user to monitor the uptime status of several websites. It works by periodically pinging the remote sites, and showing the ping time as well as a small graph that allows the user to quickly view recent monitoring history. It is rather simple but useful in monitoring a set of websites.

Tool: KeepNI

  Keep an eye on your web site's functionality. It assures that your site is up and fully functional every time. Whenever a malfunction is detected, KeepNI immediately alerts you. KeepNI has an extensive logging facility to watch and alert. It logs and analyzes the collected data to present a full, comprehensive view of your web site's performance.

  KeepNI: Screenshot

Tool: Parosproxy

  Parosproxy is written in Java and useful for testing web applications and insecure sessions. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

  Parosproxy: Screenshot

Tool: WebScarab

  WebScarab is a Java framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and vice versa. WebScarab can intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

  WebScarab: Screenshot 1

  WebScarab: Screenshot 2

  WebScarab: Screenshot 3

  Tool: Watchfire AppScan

  Watchfire® AppScan® automates web application security audits to ensure the security and compliance of websites.

Benefits:

  • Fully outsourced web application vulnerability management
  • Direct access to Watchfire security experts and industry best practices
  • Best path to actionable data for web application security management
  • Dramatically reduces the learning curve and adoption time
  • Shields against loss of knowledge related to turnover or reorganization

  Watchfire AppScan: Screenshot

Tool: WebWatchBot

  WebWatchBot is monitoring and analysis software for web sites and IP devices, including Ping, HTTP, HTTPS, SMTP, POP3, FTP, Port, and DNS checks. It provides in-depth monitoring and alerting functionality as well as tools to analyze and visualize historical data with real-time charting and graphs. Additional features include an option to run as a Windows Service, customizable 3D charts with print support, SQL database storage, etc.

WebWatchBot: Screenshot

Ratproxy

  Ratproxy is a semi-automated and largely passive web application security audit tool. It is designed specifically for accurate and sensitive detection, and automatic annotation, of potential problems. It is optimized for security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web environments.

  How Does it Avoid False Positives?

  To report problems accurately and to reduce the number of false alarms, ratproxy has to consider the following points:

  • What the declared and actually detected MIME types for the document are
  • How pages respond to having cookie-based authentication removed
  • Whether requests seem to contain non-trivial, sufficiently complex security tokens, or other mechanisms that may make the URL difficult to predict
  • Whether any non-trivial parts of the query are echoed back in the response, and in what context
  • Whether the interaction occurs on a boundary between the set of domains defined by runtime settings as the trusted environment subjected to the audit and the rest of the world

  Screenshot

Tool: Mapper

  Mapper helps you map the files, file parameters, and values of any site you wish to test. Simply browse the site as a normal user while recording your session with Achilles (Mapper supports other proxies as well), and run Mapper on the resulting log file. It will create an Excel CSV file that allows you to study the directory and file structure of the site, the parameter names of every dynamic page encountered (such as ASP/JSP/CGI), and their values for every time you requested them. It helps you to quickly locate design errors and parameters that may be prone to SQL injection or parameter tampering problems. Supports non-standard parameter delimiters and MVC-based web sites.

  Mapper: Screenshot

What Happened Next

  Kimberly could not solve the mystery behind the hack.

  Jason Springfield, an ethical hacker, was called in to investigate the case. Jason conducted a penetration test on the website of XBank4u. The test results exposed a vulnerability in the ShrinkWarp application which could lead to web page defacement. Some other loopholes found on the website were also fixed by Jason.

Summary

  Web applications are client/server software applications that interact with users or other systems using HTTP. Attackers may try to deface the website, steal credit card information, inject malicious code, exploit server-side scripting, and so on. Command injection, XSS attacks, SQL injection, cookie snooping, cryptographic interception, and buffer overflow are some of the threats against web applications. Organization policies must support the countermeasures against all such types of attacks.