How Are Web APPS Attacked?

Enough with the appetizers, on to the main course!

As you might have gathered by this point in the chapter, the ability to see and manipulate both graphical and raw HTTP/S is an absolute must. No proper web security assessment is possible without this capability. Fortunately, there are numerous tools that enable this functionality, and nearly all of them are free. In the final section of this chapter, we'll provide a brief overview of some of our favorites so that you can work along with us on the examples presented throughout the rest of the book. Each of the tools described below can be obtained from the locations listed in the "References and Further Reading" section at the end of this chapter.

Note 

A review of automated web application security scanners can be found in Chapter 13. The tools discussed here are basic utilities for manually monitoring and manipulating HTTP/S.

We'll address several categories of HTTP analysis and tampering tools in this section: the web browser, browser extensions, HTTP proxies, and command-line tools. We'll start with the web browser, with the caveat that this is not necessarily indicative of our preference in working with HTTP. Overall, we think browser extensions offer the best combination of functionality and ease of use when it comes to HTTP analysis, but depending on the situation, command-line tools may offer more easily scriptable functionality for the job. As with most hacking, it's common to leverage the best features of several tools to get the overall job done, so we've tried to be comprehensive in our coverage, while at the same time clearly indicating which tools are our favorites based on extensive testing in real-world scenarios.

The Web Browser

It doesn't get much more basic than the browser itself, and that's sometimes all the tool you need to perform elegant web app hacking. As we saw very early in this chapter, the web application's graphical interface itself can be used to launch simple but devastating attacks, such as the SQL injection that effectively bypasses the login (see Figure 1-1 again).

Of course, you can also tamper with the URI text in the address bar of your favorite browser and press the Send button. Figure 1-2 illustrates how easy it can be, showing how to elevate the account type from Silver to Platinum in Foundstone's Hacme bank sample application.


Figure 1-2: Using a basic web browser to attack Foundstone's Hacme bank. A simple vertical escalation attack is highlighted with a circle.

Of course, it couldn't be that easy, could it? Browsers do have two basic drawbacks: one, they perform behind-the-scenes tampering of their own with URIs (for example, IE strips out dot-dot-slashes), and two, you can't mess with the contents of POST requests from the browser address bar (sure, you could save the page locally, edit it, and resubmit, but who wants to go through that hassle a zillion times while analyzing a large app?).

The easy solution to this problem is browser extension-based HTTP tampering tools, which we'll discuss next.

Browser Extensions

Browser extensions are lightweight add-ons to popular web browsers that enable HTTP analysis and tampering right from within the browser interface. They're probably our favorite way to perform manual tampering with HTTP/S. Their main advantages include

  • Integration with the browser   This gives a more natural feel to the analysis, from the perspective of an actual user of the application. It also makes configuration easier; stand-alone HTTP proxies usually require separate configuration utilities that must be toggled on and off.

  • Transparency   They simply ride on top of the browser's basic functionality, which allows them to seamlessly handle any data that the browser can digest. This is particularly important for HTTPS connections, which often require stand-alone proxies to rely on separate utilities.

We'll list the currently available browser extension tools next, starting with Internet Explorer (IE) extensions, and then go on to Firefox.

Internet Explorer Extensions

Here are IE extensions for HTTP analysis and tampering, listed in order of our preference, with most recommended first.

TamperIE   TamperIE is a Browser Helper Object (BHO) from Bayden Systems. It is really simple: its only two options are to tamper with GETs and/or POSTs. By default, it's set to tamper only with POSTs, so when you encounter a POST while browsing (such as a form submission or shopping cart order form), TamperIE automatically intercepts the submission and presents the screen shown in Figure 1-3. From this screen, all aspects of the HTTP request can be altered. The POST request can be viewed in "pretty" or "raw" format, either of which can be edited. Figure 1-3 shows a straightforward attack in which the price of an item is changed within the HTTP cookie before being submitted for purchase. This example was provided by Bayden Systems' "sandbox" web purchasing application (see "References and Further Reading" at the end of this chapter for a link).


Figure 1-3: TamperIE intercepts a POST request and lets the attacker change the price of an order from $1,995 to $5. Who says web hacking doesn't pay!

If you think about it, TamperIE might be the only tool you really need for manual web app hacking. Its GET tampering feature bypasses any restrictions imposed by the browser, and the POST feature allows you to tamper with data in the body of the HTTP request that is not accessible from the browser's address bar (yeah, OK, you could save the page locally and resubmit, but that's so old school!). We like a tool that does the fundamentals well, without need of a lot of bells, whistles, and extraneous features.

IEWatch   IEWatch is a simple but fully functional HTTP monitoring client that integrates into IE as an Explorer bar. When loaded to perform HTTP or HTML analysis, it takes up the lower portion of the browser window, but it's not too restricting and it's adjustable to suit tastes. IEWatch exposes all aspects of HTTP and HTTPS transactions on the fly. Everything, including headers, forms, cookies, and so on, is easily analyzed to the minutest detail simply by double-clicking the object in the output log. For example, double-clicking a cookie logged by IEWatch will pop up a new window displaying each parameter and value in the cookie. Very helpful! The only disappointment with this great tool is that it is "watch" only: it doesn't permit tampering. IEWatch is shown in Figure 1-4 analyzing a series of HTTP requests/responses.


Figure 1-4: IEWatch performing HTTP analysis on a popular site

IE Headers   IE Headers by Jonas Blunck offers the same basic functionality of IEWatch, but it is somewhat less visually appealing. Like IEWatch, IE Headers is also an Explorer bar that sits at the bottom of the browser and displays the HTTP headers sent and received by IE as you surf the Web. It does not permit tampering with the data.

Firefox Extensions

Here are Firefox extensions for HTTP analysis and tampering, listed in order of our preference, with most recommended first.

LiveHTTPHeaders   This Firefox plug-in by Daniel Savard dumps raw HTTP and HTTPS traffic into a separate sidebar within the browser interface. Optionally, it can open a separate window (when launched from the Tools menu). LiveHTTPHeaders also adds a "Headers" tab to the Tools | Page Info feature in Firefox. It's our favorite browser extension for HTTP tampering.

Firefox LiveHTTPHeaders displays the raw HTTP/S of each request/response. LiveHTTPHeaders also permits tampering via its Replay feature. By simply selecting the recorded HTTP/S request you want to replay and pressing the Replay button (which is only available when LiveHTTPHeaders is launched from the Tools menu), the selected request is displayed in a separate window, in which the entire request is editable. Attackers can edit any portion of the request they want, then simply press Replay and the new request is sent. Figure 1-5 shows LiveHTTPHeaders replaying a POST request in which the User-Agent header has been changed to a generic string. This trivial modification can sometimes be used to bypass web application authorization, as we'll demonstrate in Chapter 5.


Figure 1-5: Firefox LiveHTTPHeaders permits tampering with HTTP data via its Replay feature.

TamperData   TamperData is a Firefox extension written by Adam Judson that allows you to trace and modify HTTP and HTTPS requests, including headers and POST parameters. It can be loaded as a sidebar or as a separate window. The tamper feature can be toggled from either place. Once set to "tamper," Firefox will present a dialog box upon each request, offering to "tamper," "submit," or "abort" the request. By selecting "tamper," the user is presented the screen shown in Figure 1-6. Every aspect of the HTTP/S request is available for manipulation within this screen. In the example shown in Figure 1-6, we've changed an HTTPS POST value to "admin," another common trick for bypassing web application security that we'll discuss in more detail in Chapter 5.


Figure 1-6: Using TamperData to modify a POST request, changing a value to "admin"

Although they offer the same basic functionality, we like LiveHTTPHeaders slightly more than TamperData, since the former presents a more "raw" editing interface. Of course, this is purely personal preference; either tool behaved functionally the same in our testing.

Modify Headers   Another Firefox extension for modifying HTTP/S requests is Modify Headers by Gareth Hunt. Modify Headers is better for persistent modification than it is for per-request manipulation. For example, if you wanted to persistently change your browser's User-Agent string or filter out cookies, Modify Headers is more appropriate than TamperData, since you don't have to wade through a zillion pop-ups and alter each request. The two tools could be used synergistically: TamperData could be used to determine what values to set through per-request experimentation, and Modify Headers can then be set to persistently send those values throughout a given session, thereby automating the "housekeeping" of an attack.
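The tampering shown in the figures above works only because the application acts on whatever the client submits. The following added example (not from the book or any of the tools it describes) parses a raw POST the way these tools display it, then contrasts a handler that trusts the hidden "Cost" and "role" fields with one that takes price and role from server-side state; the catalogue, session store, request bytes and field names are all constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed server-side state: the only trustworthy source of prices and roles.
CATALOGUE = {"sku-1001": 1995}                      # price in whole dollars
SESSIONS = {"s3ss10n": {"user": "alice", "role": "customer"}}

# Constructed request, as an intercepting tool would show it after the hidden
# Cost field was edited from 1995 to 5 and a role=admin field was added.
TAMPERED_POST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: sid=s3ss10n\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"sku=sku-1001&Cost=5&role=admin"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


def checkout_vulnerable(req: dict) -> dict:
    """Acts on the hidden Cost field and the role field exactly as submitted.
    This is the mistake behind the chapter's $1,995 -> $5 screenshots."""
    form = req["form"]
    return {"status": 200, "charged": int(form["Cost"]),
            "role": form.get("role", "customer")}


def checkout_hardened(req: dict) -> dict:
    """Derives price from the catalogue and role from the server-side session.
    Client-supplied Cost, role and User-Agent values are never acted on."""
    form = req["form"]
    cookie = SimpleCookie(req["headers"].get("cookie", ""))
    session = SESSIONS.get(cookie["sid"].value) if "sid" in cookie else None
    if session is None:
        return {"status": 401, "error": "no valid session"}
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"status": 400, "error": "unknown item"}
    price = CATALOGUE[sku]
    # Detection: a submitted Cost that disagrees with the catalogue is a
    # tampering indicator worth logging, not a number to charge.
    tampered = "Cost" in form and form["Cost"] != str(price)
    return {"status": 200, "charged": price, "role": session["role"],
            "tampered": tampered}


if __name__ == "__main__":
    req = parse_request(TAMPERED_POST)
    print("vulnerable:", checkout_vulnerable(req))   # charges $5 as admin
    print("hardened:  ", checkout_hardened(req))     # charges $1995 as customer
```

The `tampered` flag is the detection hook: logging it lets you spot the kind of hidden-field edits these tools make without ever letting the edited value reach the billing code.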

HTTP Proxies

HTTP proxies are stand-alone programs that intercept HTTP/S communications and enable the user to analyze or tamper with the data before submitting. They do this by running a local HTTP service and redirecting the local web client there (usually by setting the client's proxy configuration to a high local TCP port like 8888). The local HTTP service, or proxy, acts as a "man-in-the-middle" and permits analysis and tampering with any HTTP sessions that pass through it.

HTTP proxies are somewhat clunkier to use than browser extensions, mostly because they have to interrupt the natural flow of HTTP. This is particularly visible when it comes to HTTPS (especially with client certificates), which some proxies are not able to handle natively. Browser extensions don't have to worry about this, as we saw earlier.

On the plus side, HTTP proxies are capable of analyzing and tampering with nonbrowser HTTP clients, something that tools based on browser extensions obviously can't do.

On the whole, we'd prefer browser-based tools, since they're generally easier to use and put you closer to the natural flow of the application. Nevertheless, we'll highlight the currently available HTTP proxy tools next, listed in order of our preference, with most recommended first.

Tip 

Check out Bayden Systems' IEToys, which includes a Proxy Toggle add-on that can be invaluable for switching configurations easily when using HTTP proxies.

Paros Proxy

Paros Proxy is a free tool suite that includes an HTTP proxy, web vulnerability scanner, and site crawling (a.k.a. spidering) modules. It is written in Java, so in order to run it, you must install the Java Runtime Environment (JRE) from http://java.sun.com. (Sun also offers many developer kits that contain the JRE, but they contain additional components that are not strictly necessary to run Java programs like Paros Proxy.) Paros has been around for some time and is deservedly one of the most popular tools for web application security assessment available today.

Our focus here is primarily on Paros' HTTP Proxy, which is a decent analysis tool that handles HTTPS transparently and offers a straightforward "security person's" use model, with a simple "trap" request and/or response metaphor that permits easy tampering with either side of an HTTP transaction. Figure 1-7 shows Paros tampering with the (now infamous) "Cost" field in Bayden Systems' sample shopping application.


Figure 1-7: Paros Proxy traps an HTTP POST request, permitting tampering with a hidden "Cost" field.

Paros is at or near the top of our list when it comes to HTTP proxies due to its simplicity and robust feature set, including HTTPS interception capability with client cert support. Of course, the HTTPS interception throws annoying "validate this certificate" popups necessitated by the injection of the proxy's "man-in-the-middle" cert, but this is par for the course with HTTP proxy technology today.

OWASP WebScarab

There is probably no other tool that matches OWASP's WebScarab's diverse functionality. It includes an HTTP proxy, crawler/spider, session ID analysis, script interface for automation, fuzzer, encoder/decoder utility for all of the popular web formats (Base64, MD5, and so on), and a Web Services Description Language (WSDL) and SOAP parser, to name a few of its more useful modules. It is licensed under the GNU General Public License v2. Like Paros, WebScarab is written in Java and thus requires the JRE to be installed.

WebScarab's HTTP proxy offers the expected functionality (including HTTPS interception, but also with certificate warnings like Paros). WebScarab does offer several bells and whistles like SSL client cert support, on-the-fly decoding of hex or URL-encoded parameters, built-in session ID analysis, and one-click "finish this session" efficiency enhancements. Figure 1-8 shows WebScarab tampering with the hidden "Cost" field cited throughout this chapter.


Figure 1-8: OWASP WebScarab's HTTP proxy offers on-the-fly decoding/encoding of parameters, as shown in this example using the hidden "Cost" field.

WebScarab is comparable to Paros in terms of its basic proxying functionality, but it offers more features and provides a little more "under-the-hood" access for more technical users. We'd still recommend that novice users start with Paros due to its simplicity, however.

Fiddler

This handy tool is a free release from Eric Lawrence and Microsoft, and it's the best non-Java freeware HTTP proxy we've seen. It is quite adept at manipulating HTTP requests, although as of this writing its ability to tamper with HTTPS was limited to meddling with the SSL handshake only, not data. Fiddler runs only on Windows and requires Microsoft's .NET Framework 1.1 or later to be installed.

Fiddler's interface is divided into three panes: on the left, there's a list of sessions intercepted by Fiddler; the upper-right pane contains detailed information about the request; and the lower-right pane tracks data for the response. While browsing the Web as normal in an external browser, Fiddler records each request and response in the left pane (both are included on one line as a session). When clicking on a session, the right-hand panes display the request and response details.

Note 

Fiddler automatically configures IE to use its local proxy, but other browsers like Firefox may have to be manually configured to localhost:8888.

In order to tamper with requests and responses, you have to enable Fiddler's "break-points" feature, which is accessed using the Automatic Breakpoints entry under the Rules menu. Breakpoints are roughly analogous to Paros' "trap" and WebScarab's "intercept" functionality. Breakpoints are disabled by default and they can be set to occur automatically before each request or after responses. We typically set "before request," which will then cause the browser to pause before each request, whereupon the last entry in the Fiddler session list will become visually highlighted in red. When selecting this session, a new bright red bar appears between the request and response panes on the right side. This bar has two buttons that control subsequent flow of the session: "break after response" or "run to completion."

Now you can tamper with any of the data in the request before pressing either of these buttons to submit the manipulated request. Figure 1-9 shows Fiddler tampering with our old friend, the "Cost" field in Bayden Systems' "sandbox" online purchasing application. Once again, we've enacted an ad hoc price cut for the item we've purchased.


Figure 1-9: Fiddler slashes prices by tampering with HTTP POST data. Here again we've dropped the price from $1,995 to $5.

Overall, we also like the general smartness of the Fiddler feature set, such as the ability to restrict the local proxy to outbound only (the default). Fiddler also includes scripting support for automatic flagging and editing of HTTP requests and responses; you can write .NET code to tweak requests and responses in the HTTP pipeline, and you may write and load your own custom inspector objects (using any .NET language) by simply dropping your compiled assembly .DLL into the \Fiddler\Inspectors folder and restarting Fiddler. If you want a Java-less HTTP proxy, Fiddler should be at or near the top of your list. Once it adds full HTTPS support, it'll have few peers. Until then, it will have to be amplified by the other tools we've discussed that support HTTPS (including TamperIE or LiveHTTPHeaders).

Burp Intruder

Burp Intruder is a Java-based HTTP proxy tool with numerous web application security testing features. A slower and less functional demo version is available for free as part of the Burp Suite. A stand-alone Professional version is 99.

Burp Intruder's conceptual model is not the most intuitive for novice users, but if you're willing to invest the effort to figure it out, it does offer some interesting capabilities. Its primary functionality is to iterate through several attacks based on a given request structure. The request structure essentially has to be gathered via manual analysis of the application. Once the request structure is configured within Burp Intruder, navigating to the Positions tab lets you determine at what point various attack payloads can be inserted. Then you have to go to the Payloads tab to configure the contents of each payload. Burp Intruder offers several packaged payloads, including overflow testing payloads that iterate through increasing blocks of characters and illegal Unicode-encoded input.

Once positions and payloads are set, Burp Intruder can be started, and it ferociously starts iterating through each attack, inserting payloads at each configured position and logging the response. Figure 1-10 shows the results of overflow testing using Burp Intruder.


Figure 1-10: Results from overflow testing using Burp Intruder. Note the transition from HTTP 404 to HTTP 414 "Too Long" responses, suggesting some internal limitation exists in this application.

Burp Intruder lends itself well to fuzz-testing (see Chapter 12) and denial-of-service testing (see Chapter 11) using its ignore response mode, but it isn't well-suited for more exacting work where individual, specifically crafted insertions are required. We'll examine Burp again in Chapter 13, where we'll demonstrate its prowess with large-scale automated attacks.

Watchfire PowerTools

This is a free multifunction toolset from Watchfire Corp. that includes an HTTP Proxy, Connection Tester, HTTP Request Editor, Expression Test, and Encode/Decode utility.

The Watchfire HTTP Proxy is based on Java, so it requires JRE 5 or later to run. The proxy tool operates on port 8080 by default and handles HTTPS transparently. Using it took a bit of getting used to for us: there are three modes, Smart, Automatic, and Manual. In the default mode, Automatic, all requests and responses sent via the browser pass automatically through the proxy, permitting no time for manual analysis or tampering. Set to Manual mode, every request and response has to be manually passed (using the buttons at the bottom of the tool). This gets pretty annoying fast, as most web apps pass lots of housekeeping requests for images and so on. The Smart mode attempts a happy medium between these two extremes, passing trivial requests automatically but pausing for the more substantial ones. Watchfire HTTP Proxy is otherwise unremarkable compared to the other tools we've covered so far.

Command-Line Tools

Here are a couple of our favorite command-line tools that are good to have around for scripting and iterative attacks.

Curl

Curl is a free, multiplatform command-line tool for manipulating HTTP and HTTPS. It's particularly powerful when scripted to perform iterative analyses, as we'll demonstrate in Chapters 5 and 6. Here's a simple input overflow testing routine created in Perl and piggybacked onto curl:

 $ curl "https://website/login.php?user=$(perl -e 'print "a" x 500')"

Netcat

The "Swiss Army Knife" of network hacking, netcat is elegant for many tasks . As you might guess from its name, it most closely resembles the UNIX cat utility for outputting the content of files. The critical difference is that netcat performs the same function for network connections: it dumps the raw input and output of network communications to the command line. We saw one simple example earlier in this chapter that demonstrated a simple HTTP request using netcat.

Tip 

Text file input can be input to netcat connections using the redirect character (<), as in nc -vv server 80 < file.txt. We'll cover some easy ways to script netcat on UNIX/Linux platforms in Chapter 2.

Although elegant, netcat requires a lot of manual effort when used for web application work, since it is simply a raw network tool. For example, if the target server uses HTTPS, a tool like SSLProxy, stunnel, or openssl is required to proxy that protocol in front of netcat (see "References and Further Reading" in this chapter for links to these utilities). As we've seen in this chapter, there are numerous tools that automatically handle basic HTTP/S housekeeping, which requires manual intervention when using netcat. Generally, we recommend using other tools discussed in this chapter for web app security testing.

Older Tools

HTTP hacking tools come and go and surge and wane in popularity. Some tools that we've enjoyed using in the past include Achilles, @Stake WebProxy, Form Scalpel, WASAT (Web Authentication Security Analysis Tool), and WebSleuth. Older versions of these tools may still be available in Internet archives, but generally, the more modern tools are superior, and we recommend consulting them first.



Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127
