CEH Module 13 - Hacking Web Applications


Web 2.0
refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction and collaboration.
Vulnerability Stack
Security, Network, Operating System, Web Server, Database, Third Party Components, and Custom Web Application
Attack Vector
A path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome
unvalidated Input
A web application vulnerability where input from a client is not validated before being processed by web applications and backend servers, allowing an attacker to perform XSS, buffer overflow, and injection attacks.
Parameter/Form tampering
Involves manipulating the parameters exchanged between client and server in order to modify application data such as user credentials and permissions.
Directory Traversal
Allows attackers to access restricted directories including application source code, configuration, and critical system files, or execute commands outside of the web server's root directory.
Security Misconfiguration
Using misconfiguration vulnerabilities, attackers gain unauthorized access to default accounts, read unused pages, exploit unpatched flaws, and read or write unprotected files and directories.
Injection Flaws
Web app vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query
SQL Injection
Uses a series of malicious SQL queries to directly manipulate the database and bypass normal security protocols.
Command Injection Attacks
Shell Injection, HTML injection, and File injection
Shell Injection
An attacker tries to craft an input string to gain shell access to a web server
HTML Embedding
Injecting HTML directly into a site using input parameters which are not validated by the server
File Injection
The attacker injects malicious code into system files
LDAP Injection
An attack which takes advantage of non-validated web app input to pass LDAP filters used for searching directory services, in order to obtain direct access to databases behind an LDAP tree
Hidden Field Manipulation
Attackers can examine the HTML code of the page and change the hidden field values in order to change post requests to the server
Cross Site Scripting (XSS)
Exploits vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users.
Cross Site Request Forgery (CSRF)
Exploits web page vulnerabilities to allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
Web Application Denial-of-Service (DOS) Attack
Attackers exhaust available server resources by sending hundreds of resource-intensive requests, such as pulling out large image files or requesting dynamic pages that require expensive search operations on the backend database servers
Buffer Overflow Attacks
Allow an attacker to modify the target process's address space in order to control the process execution, crash the process, and modify internal variables. Attackers modify function pointers used by the application to direct program execution through a jump or call instruction and point them to a location in memory containing malicious code.
Cookie/Session Poisoning
Modifying the contents of a cookie (personal information stored on a web user's computer) in order to bypass security protocols, allowing the attacker to run malicious code or modify the user's online account
Session Fixation Attack
Attacker tricks the user to access a genuine web server using an explicit session ID value, and then the attacker assumes the identity of the victim and exploits their credentials at the server.
Broken Authentication and Session Management
An attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.
Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass
Web Services XML Poisoning
Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic. Attackers can also manipulate XML external entity references, which can lead to arbitrary file or TCP connection openings.
Session Token Sniffing
Attackers sniff the application traffic with tools like Wireshark; if HTTP cookies are being used as the transmission mechanism for session tokens and the secure flag is not set, attackers can replay the cookie to gain unauthorized access
Injection Attacks
Attacks where attackers supply crafted malicious input that is syntactically correct according to the interpreted language being used, in order to break the application's normal intended functionality
Web Script Injection
User input is used to insert code that is dynamically executed
OS Commands Injection
Entering malicious code into input fields when the application uses user input in a system-level command
SMTP Injection
Inject arbitrary SMTP commands into applications and SMTP server conversations to generate large volumes of spam email
SQL Injection
Enter a series of malicious SQL queries into input fields to directly manipulate the database
LDAP Injection
Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases
XPath Injection
Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic
Connection Pool DoS
Attackers examine the connection pooling settings of the application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all connections in the connection pool, causing database queries to fail for legitimate users.
Web service probing attacks
Attacks where the attacker traps the WSDL document from the web app, creates valid requests using XML schemas that can be submitted to the web service, and then uses these requests to introduce input errors in order to analyze the server responses and look for security weaknesses
SOAP Injection
Attacker injects malicious query strings in the user input fields to bypass web services authentication mechanisms and access backend databases. (Similar to an SQL injection attack)
XML Injection
- Attacker injects XML data and tags into user input fields to manipulate the XML schema or populate an XML database with bogus entries.
- Can be used to bypass authentication, escalate privileges, and generate web service DoS attacks
Web service Parsing Attacks
An attack which exploits vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service attack or generate logical errors in web service request processing
Two Types of Web service parsing attacks
Recursive payload and excessive payload
URL encoding
The process of converting a URL into valid ASCII format so that data can be safely transported over HTTP. It encodes URLs by replacing unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal (ex: %20 == space)
HTML encoding
An encoding scheme used to represent unusual characters so that they can be safely combined with an HTML document. It defines several HTML entities to represent particularly unusual characters such as & and <
Unicode encoding
Encoding scheme that replaces unusual characters with "%u" followed by the character's code point mapping expressed in hexadecimal.
UTF-8 encoding
A variable length encoding standard which uses each byte expressed in hexadecimal and preceded by the % prefix.
Base64 encoding
An encoding scheme which represents any binary data using only printable ASCII characters. Usually used for encoding email attachments over SMTP
Hex Encoding
An HTML encoding scheme that uses the hex value of every character to represent a collection of characters for transmitting binary data