Introduction TO WEB
Introduction TO WEB
Introduction TO WEB
Because web applications are an interface on the internet for many organizations,
attackers could exploit these applications and infiltrate into devices, they could
capture personal data or cause service breakdowns inflicting a serious amount of
financial damage.
Below you will find some attack methods used to infiltrate web applications. We
will address these methods in our “Web Attacks 101” course; we will explain
what these methods are, how and why attackers use them and how we can detect
such activities.
• SQL Injection
• Command Injection
• IDOR
When you look at the daily life of the Average Joe you will see that he uses many
web applications throughout the day. There are those who visit Spotify to listen
to music, those who visit YouTube to watch videos or those who use social media.
“””Recent research shows that 75% of cyber attacks are done at the web
application level.“”” [1]
It is crucial that a SOC analyst detects these web application based attacks which
are the preference of attackers and takes precautions against them.
OWASP
It goes without doubt that OWASP is one of the best resources to gain
information about web application security.
OWASP Top Ten
OWASP publishes a list of 10 web application vulnerabilities that possess the
most critical security risks every couple of years. As of the writing of this article,
the latest publication was in 2021.
The OWASP list published in 2021 contains these critical security risks:
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
For a start, it’s important to know that the HTTP protocol is on the 7 th layer of the
OSI model. This means that protocols such as the Ethernet, IP, TCP, and SSL are
used before the HTTP protocol.
HTTP communication takes place between the server and the client. First, the
client requests a specific resource from the server. The server receives the HTTP
request and sends back an (HTTP Response) to the client after passing it through
certain controls and processes. The client’s device receives the response and
displays the requested resource in an appropriate format.
There is a standard HTTP format, and all requests must comply with this format
so web servers can understand the request. If the request is sent in a different
format, then the web server will not understand it and it will send an error to the
user or the web server may not be able to provide service (which is another attack
type).
An HTTP Request line consists of a request line, request headers and a request
message body. A request line consists of the HTTP method and the resou rce
requested from the web server. The request header contains certain headers that
the server will process. The request message body contains data that is intended
to be sent to the server.
In the image above you see an example of an HTTP Request. Let’s e xamine this
HTTP Request line by line.
HTTP Responses
Once the web server receives an HTTP Request, it performs the required controls
and processes and then sends the requested resource to the client. There is no
uniform process here because there are numerous technologies and designs
involved. The server may pull data from the database according to what the
requested resource is, or it can process according to incoming data. But the HTTP
Response Message must reach the client after all the processing.
If a web page was requested, there will usually be HTML codes in the Response
Body. When the client receives the HTML code, the web browser processes the
HTML code and displays the web page.
You can see a HTTP Response request in the image above. Let’s examine a HTTP
Response request based on this image.
Status Line
There is information about the HTTP version and HTTP response status code in
the Status Line. HTTP response status code is used to describe the status of the
request. There are many HTTP response status codes, but they can be
summarized as so:
Here are some HTTP Response Headers that you may come across frequently:
● Date: The exact time the server sent the HTTP Response to the client.
● Connection: It states how the connection will be handled, just like in the
HTTP Request header.
● Server: Information about the server’s operating system and the web
server’s version.
Response Body
The HTTP Response Body contains the resource that was sent by the server and
requested by the client.
A user is generally expected to enter his/her username and password on the login
page. On the other side, the web application will use this username and password
information to create a SQL query like the one below:
The meaning of this SQL query is “bring me all the information about the user
from the users table whose name is USERNAME and whose password
is USER_PASSWORD”. If the web application does find a matching user, it will
authenticate the user, if it cannot find a user after the query is performed then the
login will be unsuccessful.
So, what if we did not use this system the way it was designed and we put an
apostrophe (‘) in the username area? The SQL query will be as below and the
error will be excluded from the database because the query was faulty.
‘ OR 1=1 – -
When the attacker sends the payload the web application will execute the
following SQL query:
This example is a typical SQL injection attack. Of course SQL injection attacks are
not limited to this example, the attacker could use SQL to execute commands in
the system with the help of SQL commands such as xp_cmdshell.
• Authentication bypass
• Command execution
You may use the methods listed below to detect SQL Injection devices:
Detection Example
We have access logs of a web application that was victim to a SQL Injection
attack.
You may not have heard what an access log is before. In short, these are the web
server’s access logs. These logs usually contain the source IP address, date,
requested URL, HTTP method, user-agent and HTTP Response code. These logs
are very useful in investigations.
Firstly, when we look at the pages that were requested we see that besides
pages like “info.php” which is fairly readable, there are also requests made for
pages that are complex and have symbols like %. We cannot say that requests for
pages like these are malicious but the fact that they are made repetitively and
many times is suspicious.
First of all, let’s talk about what the % symbols mean. When we request a page
that contains special characters, these requests are not directly transferred to the
web server. Instead, our browsers perform a URL encoding (Percent Encoding) of
the special characters and replaces each special character with a character string
that begins with % and has 2 hexadecimal characters in it. So the pages
containing the % symbol above are pages that contain special characters.
Now that we understand what the % symbols mean, let’s revisit the access logs.
When we look at the requests, we can easily see that besides the % symbols
there are readable words such as “UNION”, “SELECT”, “AND”, “CHR”. Because
these are specific words that belong to SQL, we can determine that we are face to
face with a SQL Injection attack.
To save our eyes, let’s make the examination a little easier :) You can conduct a
search using the keywords “Online URL Decoder” to find web applications that
will automatically do the URL decoding for you. In order to read these access logs
easier I will get help from these web applications, by doing so I won’t have to
strain my eyes or yours.
Let me add a little note. It is not wise to upload something like an access logs
which contain critical information on a 3rd party web application. The access logs
I uploaded were prepared specifically for this training so there is no problem in
my doing so. But you shouldn’t make such mistakes in your professional life.
When we do the URL decoding we can more clearly see that this is a SQL
Injection attack. So what should we do now? Yes, we have confirmed that it is a
SQL Injection attack but do we leave it there?
Of course not. Now we are going to find any other pieces of information that we
can from these access logs.
First, let’s look at the request dates. All the SQL Injection payloads were sent on
“19/Feb/2022 11:09:24”. We can see that more than 50 requests were made in 1
second. The fact that so many requests were made in such a short time shows us
that this is an automatized attack. Additionally, as we have mentioned before,
when attackers perform manual tests they choose to test easy payloads first. But
when we look at the access logs we see that the payloads are very compl icated.
This goes to show that the attack may very well be automated.
We have confirmed that a SQL Injection attack has been performed and that it has
been performed with an automated device. So we can end our analysis, right?
There is one more step left to do. We need to determine whether the attack was
successful or not. You can determine whether a SQL Injection attack has been
successful by looking at the response but in your professional career you will
almost never have access to the response. We can presume that all responses
will be about the same size because the attack is performed on the same page
and over the “id” variable. We can estimate the success of the attack by looking at
the size of the response.
Unfortunately, the basic web server that was developed to serve as an example
cannot supply a reliable response size. Therefore, we cannot estimate if the attack
has been successful looking at this example. But with web servers that have been
configured correctly, we can find the response size within the access logs. You
can examine this area to determine whether there is a notable difference in
response sizes. If there is a notable difference you can estimate that the attack
has been successful. But in this situation it would be best to escalate th is alert to
a higher-tier analyst.
What we know:
Today most frameworks that are used to develop web applications have taken
preventative measures against cross-site scripting attacks. But we still frequently
see XSS vulnerabilities today because frameworks are sometimes not used, or the
framework itself has an XSS vulnerability and the data coming from the user is
not sanitized.
XSS Types
3. DOM Based XSS: DOM Based XSS is an XSS attack wherein the
attack payload is executed as a result of modifying the
DOM “environment” in the victim’s browser used by the
original client side script, so that the client side code
runs in an “unexpected” manner. (OWASP)
Let’s look at the piece of code above. What it does is actually very basic. It merely
displays whatever is entered in the ‘user’ parameter. If we enter “LetsDefend” as
the ‘user’ parameter, we will see the words “Hello LetsDefend”.
Up till now, there is no problem. If we enter the appropriate data in the user
parameter, we are greeted with a warm salutation. But, as we have seen above,
there is no control mechanism for the user parameter. This means that whatever
we enter in the “user” parameter will be included in the HTTP Response that we
receive back.
So,what would happen if we didn’t enter a normal value but instead we entered a
payload that would summon a pop-up?
Payload: <script>alert(1)</script>
So, this is exactly how XSS works. Because the value entered by the user is not
confirmed attacker may enter whatever javascript code he likes and get the result
he wants.What if the attacker wants to redirect the user to a malicious site?
Payload: <script>window.location=’https://google.com’</script>
https://letsdefend.io/xss_example.php?user=%3Cscript%3Ewindow.location=%27
https://google.com%27%3C/script%3E
Of course we are not going to direct you to a web application. Directing you to
Google will be sufficient as an example. When the user clicks on the URL he will
be directed to Google instead of the perfect LetsDefend web application.
How Attackers Leverage with XSS Attacks
Because XSS is a client-based attack method, it may seem less important than
other attack methods but XSS attacks and their impact should not be taken for
granted.
• Capture credentials
Example of a Detection
In this example, we see access logs from an Apache server with Wordpress. Don’t
forget to revisit our article on “Detecting SQL Injection Attacks” for more
information about access logs.
Now, let’s examine the access logs that have been provided.
Firstly, let’s take a general look at the requests that have been made and try to
understand them. We see that all the requests have been made for the “/blog/”
page and that only the “s” parameter values have been changed. If you pay
attention to the URLs of the web pages you visit, you would have noticed that
when you perform a search in Wordpress, the words you enter are sent using the
“?s=” parameter. The example we are looking at shows us that these are searches
performed in Wordpress.
It is hard to find easily readable examples like the example in the “Detecting SQL
Injection Attacks” article. Instead, we find characters that have transformed into
%XX as a result of URL encoding. We will perform URL decoding next but first
let’s take a look at the URLs and try to see if we can recognize any words.
When we look at the logs, we notice javascript related words such as “script”,
“prompt”, and “console.log”. When we see javascript it immediately brings XSS to
mind. If we do a URL decoding we will easily be able to understand the requests
that are made.
When we take another look at the access logs after performing a URL decoding
we clearly see the XSS payloads. We can definitely say that the Wordpress
application which we got these access logs from has become the victim of a XSS
attack.
When we look at the requested IP addresses, we see there are more than one.
Are more than one attackers trying to perform a XSS attack simultaneously? Or is
the attacker constantly changing his IP address to avoid being blocked by security
products such as firewalls and IPS? If you check the IP address you will see that it
belongs to Cloudflare. Because the Wordpress application has been put behind
Cloudflare, it is quite normal that Cloudflare is making the request.
When we examine the dates of the requests, we find that there was a request
made every 3-4 seconds. It is not really possible for a human to try to enter this
many XSS payloads in such a short time but you may not be able to be sure that
the number of requests made per second is excessive. We are lucky because we
have the User-Agent information in this example. If we examine this information
we see that it belongs to a urllib library. This shows us that these requests were
made through an automated vulnerability scanner tool.
We cannot say anything definite because we don’t have access to the responses.
Because the command that the attacker sends will be using the rights of the web
application user, a misconfigured web application would grant the attacker access
with admin rights.
Let’s say we have a basic web application that copies the user’s file in the “/tmp”
folder. The web application’s code is below.
Under normal conditions the application will work normally if used accurately. For
example if we load a file named “letsdefend.txt” it will successfully copy the file
to the “/tmp” folder.
So, what will happen if we upload a file named “letsdefend;ls;.txt”? The command
would become:
Command: cp letsdefend;ls;.txt
“;” signifies that the command has ended. So when we look at the payload above,
there are three different commands that the operating system executes. These
are:
1. cp letsdefend
2. ls
3. .txt
The first command is for the copying process but if the parameters are not
entered correctly it will not work correctly.
Command #2 is the directory listing command the attacker wants to execute. The
user does not receive the command output so the attac ker cannot see the files in
the directory but the operating system successfully executes the command.
When the operating system wants to execute command number 3 there will be
an error message because there is no “.txt” command.
As you see, the code has been executed in the web server’s operating system. So,
what if the attacker uploads a file named ““letsdefend;shutdown;.txt”? The
operating system would shut itself down, and the web application will not be
able to function.
The attacker can create a reverse shell in the operating system with the help of
the accurate payload.
Detection Example
In this example we will not be looking at access logs, rather we will be examining
a HTTP Request.
GET / HTTP/1.1
Host: yourcompany.com
Accept-Language: en-US,en;q=0.9
Connection: close
If we look at the HTTP Request above, we see that the main page of the web
application yourcompany[.]com has been requested.
But when we look at the HTTP Request Headers we see a suspicious situation
in the User-Agent header. There is a bash command in the User-Agent header
whereas there should be browser/operating system information here.
When the bash command which is located within User-Agent is executed, the
“/etc/passwd” file’s contents will be returned to the attacker in the HTTP
Response header as “NS”.
What is IDOR?
Insecure Direct Object Reference (IDOR), is a vulnerability caused by the lack of
an authorization mechanism or because it is not used properly. It enables a person
to access an object that belongs to another.
Among the highest web application vulnerability security risks published in the
2021 OWASP, IDOR or “Broken Access Control” takes first place.
How IDOR Works
IDOR is not a security vulnerability caused by unsanitary conditions like other web
application based security vulnerabilities. The attacker manipulates the
parameters sent to the web application, gains access to an object that doesn’t
belong to himself and is able to read, change or erase the contents.
Let’s imagine a basic web application. It retrieves the “id” variable from the user,
then it displays data that belongs to the user who made the request.
URL: https://letsdefend.io/get_user_information?id=1
When a request is made in our web application, like the one above, it displays the
information of the user with an id value of 1.
If I am the user who made the request and my id value is 1 everything will work
normally. When I make the request I will see my personal information.
If the web application is not controlling: “Does the “id” value in the request
belong to the person making the request?” then anyone can make this request and
see my personal information.This web vulnerability is called IDOR.
On top of this, unnecessary parameters should be removed and only the least
amount of parameters should be taken away from the user. If we think about the
previous example, we don’t need to get the “id” parameter. Instead of getting
the “id” parameter from user, we can identify the person who made the request
using the session information.
Having the HTTP Response at hand would help to identify IDOR attacks. But
HTTP Responses are not logged for various reasons and thus it is harder to
identify IDOR attacks.
There are a couple of methods used in identifying IDOR attacks. These are:
Detection Example
Below you can see a screen image of logs found on a web server running
Wordpress.
As in our other examples, let’s start with a general, broad based examination.
Because there are no special characters included in the requests that were made
we can easily read the logs.
If you have used the Wordpress application before you might know that the “wp -
admin/user-edit.php?user_id=” page contains information about registered
Wordpress users. It could be seen as normal to be able to access this page, in fact
if you have more than one user you may be gaining access with more than one
“user_id: parameter. But it is not normal to have this many different “user_id”
parameters.
When we look at what the source IP was we see it belongs to Cloudflare. This
means that the web application that we received the access log for was using a
Cloudflare service. This is why the requests were transmitted to the web
application through Cloudflare.
We see 15-16 requests within the short time frame that access logs are recorded
and this shows us that the attack is performed with an automated device. If we
look at the User-Agent header we can see it says “wfuzz/3.1.0”. Wfuzz is a device
that is frequently used by attackers. We did not only determine that this attack
was performed by an automated scanner tool, we also determined that it was
performed by a tool named Wfuzz.
But we still haven’t answered the most important question. Has the attack been
successful?
Our job would be easier if we had the HTTP Responses. Because we don’t have
the HTTP Responses let’s look at the response size in the Access Logs and make
an inference.
Like we mentioned before, the requested page was displaying user information.
Information such as the users’ names, last names and usernames’ total size will
not be the same. This is why we can ignore requests with a response size of 479
bytes.
If we look at the requests with a response size of 5691 and 5692, we see that the
response code will be 302 (redirect). Successful web requests will generally be
answered with the response code 200. So we can say that the attack was not
successful. But this information alone may not be sufficient to determine the
attack as unsuccessful.
There are 10 requests with the response size of 5692 and 4 with the response
size of 5691.
Like we stated before, there is a very low possibility for the total of all
information like the user’s name, last name, username to be equal. This
strengthens the possibility that the attack was not successful.
Detecting RFI & LFI Attacks
Attackers can read sensitive files on the web server, they can see the files that
contain passwords that would enable them to reach the server remotely.
The attackers host malicious codes on their prepared server and they invite the
victim website over the remote server and try to get it to execute.
SQL Injection vulnerabilities occur when data received from a user is e ntered in
SQL queries; Command Injection vulnerabilities happen when data received from
a user is executed directly in the system shell; IDOR vulnerabilities occur when
data received from a user is used to directly access objects. RFI and LFI
vulnerabilities are caused by the use of data received from a user directly in the
system or to include a file on a remote server.
Why would data received from a user be used to include a file? Web applications
have become highly complicated and unfortunately each feat ure that is developed
is used for malicious purposes. The language option found in web applications is
used in order to include files based on data received from a user.
If we examine the piece of code in the image above, we see that the desired
website language is selected by using the “language” parameter received from
the user.
In a normal situation the web application will work as planned. For example if
“en” is entered as the “language” parameter we will receive the file seen below.
“website/en/home.php”
But if an attacker enters the payload seen below into the “language” parameter
then unfortunately the web application will display the “/etc/passwd” file to the
user.
Payload: /../../../../../../../../../etc/passwd%00
“website//../../../../../../../../../etc/passwd%00/home.php
“../” is used to go to the parent directory. Because the attacker does not know
what directory the web application is in, he tries hard to reach the “root” directory
using “../”. Later, he names the “/etc/passwd” file and enables the inclusion of the
file within the web application. “%0” is used to end the string. This way, the
remaining “/home.php” string is not read by the web application.
• Code execution
• Denial of service
How to Prevent LFI & RFI
The most effective way to prevent RFI and LFI attacks is to sanitize any data
received from a user before using it. Do not forget that client based controls are
easily bypassed. This is why you should always do your controls on both the
client-side and the server-side.