Computer Networks & Security

Software bugs & Attacks

Web penetration

Web penetration

1-Vulnerabilities2-Hackers3-Categories of attacks4-What a malicious hacker do?5-Security mechanisms6-HTTP Web Servers 7-Web applications attacks8-Packages9- References

1-Vulnerabilites•Is the degree of weakness which allows the attackers to gain access to system information

•Vulnerabities types:• Technological

• TCP/IP Protocol(ARP, Session hijacking)• OS Weakness• Network equipment(routers/firewalls).

• Configuration• Unsecured user accounts• Easily user passwords• Unsecured defaults settings for an application• Misconfigured network devices

• Security policy• Lack of written policy• Software/Hardware installation and changes don’t follow the policy• No Disaster recovery plain

• Software bugs

2-Hackers•Black hats

• Individuals with computing skills• Malicious / Destructive activities• Known as Crackers

•White hats• Individuals with hacking skills• Defensive purposes• Known as Security Analysts

•Gray hats• Individuals who works Offensive and defensive

•Script kidy• A user with no knowledge of hacking.• Download hacking utilities to launch attakcs.

•Hacktivist• Hacker with political motivations.

3-Categories of attacks•Passive attacks

• No traffic sent from attacker• Difficult to detect• Like packet capturing (Wireshark, Snooping )

•Active attacks• Traffic must be sent from attacker• Easily to detect• Can access classified information• Modify data on a system

4-What a malicious hacker do?Reconnaissance

Gain information about targeted victim hosts/networks

ScanningIdentifying active hosts/open ports

Gaining accessLogging in to the host/network

Maintaining accessInstall a backdoor/root kit

Covering tracksTrying to hide the attack from

the administrator

5-Security mechanisms•No single access control ever implemented•Multiple layers of access control provides a security in depth•No single point of failure

•Firewalls• Block unwanted traffic• Direct incoming traffic to more trust internal hosts• Log traffic from/to internal(Private) network• Based on access policy which (Permit or Deny)

•Cryptography

•IDS -Intrusion Detection System-• Application layer firewall• Host based/Network based• Passive device • Offline connectivity• The detection based on signature DB.

5-Security mechanisms (Contd)

Router

Firewall

Hub

InternetLAN

IDS Sensor

•IPS – Intrusion Prevention System - • Application layer firewall• Host based/Network based• Active device• Online connectivity

5-Security mechanisms (Contd)

Router

Firewall

Internet LAN

Hub

IPS Sensor

6-HTTP Web servers

•Store, process, and deliver HTML/JAVA Scripts pages to a client using Hypertext Transfer Protocol.•This page may contains Text, Images, Scripts, Style sheets•Web client/Web agent is a web browser, or a web crawler•In 1989 by Tim Berners-Lee as a project to exchange information

•World’s first web server called CERN httpd•Ran on NeXTSTEP Workstation.

6-HTTP Web servers (Contd)HTTP Protocol based on HTTP request methods:•GET:

Request data from a resourceData pairs sent In the URLCan be cachedRemains in browser historyCan be bookmarkedshould never used when exchange sensitive datahave length restrictionsShould be used only to retrieve data

•POST: Submit data to be processed.

Data pairs sent in the HTTP message bodyNever cachedDo not remain in the browser historyCannot be bookmarkedHave no restrictions

There are also Head, Put, Delete, Options, Connect, but out of presentation scope

Cookies are used to store data between pages in the client, and session files in the servers

http://testasp.vulnweb.com/search.asp?id=1

7-Web Applications Attacks

•SQL Injection

•Cross-Site scripting XSS

7-Web Applications AttacksSQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution .

- Retrieve Data- Destroy Data- Change Data

7-Web Applications Attacks

1-SQL : Try to load a Course with ID 1 http://192.168.1.21/Secuirty/sql/id.php?id=1

2-SQL : Try with ID 2 http://192.168.1.21/Secuirty/sql/id.php?id=3-1

3-SQL: Combine with other tables: http://192.168.1.21/Secuirty/sql/id.php?id=1+union+Select+*+from+users

4-SQL: To retrieve the DB name:http://192.168.1.21/Secuirty/sql/id.php?id=1+union%20select+1,2,database()

SQL Injection

SQL Injection

8-Web Applications Attacks

Cross-Site scriptingHow to inject a JavaScript into HTML page either by GET or PORT method.

XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.

8-Web Applications Attacks

Cross-Site scriptingTypes of Cross Site Scripting•Non-Persistent•Persistent

8-Web Applications AttacksNon- Persistent XSS

In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser.

8-Web Applications AttacksPersistent XSS

In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non-persistent attack. Here we will see how to hijack other user’s session by performing XSS

9-Packages1-burpsuite_free_v1.52-SQL MAP 3-Nikto4-Nessus5-GoogleDorks6-WebCrowler (HTTPTrack, Wget)7-WebScarab (HTTP traffic interception)

10- References

• https://www.owasp.org/• http://www.thegeekstuff.com/• http://www.w3schools.com/