Page 1
Page 2: Do you know what it is…?
“Apache Struts 2 Vulnerability (CVE-2018-11776) Exploited in CroniX Crypto-Mining Campaign”
Page 3: Hackers Hijacked MEGA Chrome Extension To Steal Login Credentials
Page 4: Account Takeover Protection
Page 5: Web Application Concepts
Page 6: Overview of Web Application Request Processing
[Diagram: the labelled components are Firewall, Web server, Script, Application Back-end server, Database application server and Database server; the incoming arrow is labelled "Bad HTTP Request"]
Page 7: Web Applications Are Vulnerable Even With SSL
[Diagram: Attacker -> Internet -> Firewall -> Web Server -> Database, target www.hackmebank.com]
• Most ports blocked
• Port 443 OK: SSL encrypted traffic
Attacker sends a valid HTTP request with SQL injection to https://www.hackmebank.com/
Firewall allows SSL traffic through
Hacker delivers payload wrapped in SSL: SQL injection, data breach (unauthorized data access verified)
Page 8: Overview of Web Application Communication Elements
Client and server structure
Page 10: HTTP Request Components: Request Line
GET /home/browse.php?id=29&user=fred HTTP/1.1
• Method
• The Universal Resource Identifier (URI), which identifies the requested
Page 11: Method: Perform Actions on a Server
HTTP/1.1 methods
• HTTP/1.1 (and 1.0, 0.9) sends everything in plain text
• HTTP/2 uses binary encoding
• HTTP/2 still has the same HTTP methods
Page 12: Query String – Specify a Requested Resource Type
Page 13: Query String – Parameter/Value Using GET
GET /search.php?q=example HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Page 14: Parameter/Value Using POST
<FORM NAME="login" ACTION="login.php" METHOD="POST">
  <INPUT type="text" name="username">
  <INPUT type="password" name="password">
  <A href="forgotpasswd.php">Forgot your password?</A>
  <INPUT type="submit" name="action" value="Go!">
</FORM>
Example values entered: username=student1, password=student1
Page 15: POST Data – Example
Page 16: Risks in Other Methods
Method: Risk
DELETE: Delete data from server
CONNECT: Connect to server
TRACE: Echo back to the client whatever string has been sent to the server
Page 17: HTTP Request Components: Headers
GET /home/browse.php?id=29 HTTP/1.1
Accept: image/gif, image/jpeg, */*
Referer: http://auction.example.com
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: auction.example.com   *Required by HTTP/1.1
Page 18
…revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 22367

<HTML>
<HEAD>
<TITLE>PHPAUCTION</TITLE>
Page 19: HTTP Response Status Codes
A 3-digit number that informs the client whether or not the request was fulfilled.
Page 20: HTTP Response Status Code Examples
Page 21: Parsing File Types, URLs, and Parameters
GET /home/mydata/search.php?name=Student1&status=1 HTTP/1.1\r\n
Host: 172.16.200.10\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1\r\n
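The request-line, query-string and header slides above describe what a server (or a WAF in front of it) has to pull out of a raw request before it can make any decision about it. The parser below is an added example, not code from the training material: it splits the slide's sample request into method, path, file type, parameters and headers, enforces the HTTP/1.1 Host requirement noted on page 17, and flags methods outside an allowlist so that the risky methods from page 16 (TRACE, CONNECT, DELETE) can be refused before application code runs. The sample request bytes and the `ALLOWED_METHODS` set are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample request, modelled on the slide's example, as a server
# would read it from the socket (CRLF line endings, blank line ends headers).
SAMPLE_REQUEST = (
    b"GET /home/mydata/search.php?name=Student1&status=1 HTTP/1.1\r\n"
    b"Host: 172.16.200.10\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    b"Referer: http://172.29.44.44/search.php?q=data\r\n"
    b"Accept-Encoding: gzip,deflate,sdch\r\n"
    b"Accept-Language: en-US;q=0.8,en;q=0.6\r\n"
    b"\r\n"
)

# Methods this hypothetical application needs. Anything else (TRACE, CONNECT,
# DELETE, ...) is flagged so the front end can refuse it before app code runs.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, file type, parameters,
    headers and body. Raises ValueError on anything malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line")
    method, target, version = match.groups()

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Host is mandatory in HTTP/1.1 (the headers slide marks it "*Required").
    if version == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")

    parts = urlsplit(target)
    path = unquote(parts.path)
    filename = path.rsplit("/", 1)[-1]
    file_type = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return {
        "method": method,
        "method_allowed": method in ALLOWED_METHODS,
        "version": version,
        "path": path,
        "file_type": file_type,
        # parse_qs returns a list per name, so duplicate parameters stay visible
        "params": parse_qs(parts.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    for key in ("method", "path", "file_type", "params"):
        print(f"{key}: {parsed[key]}")
```

The parser deliberately rejects rather than repairs: a request line that does not match, a header without a colon, or an HTTP/1.1 request with no Host header all raise, because guessing at malformed input is exactly what lets smuggled or ambiguous requests through a front end.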
Page 22: Common Web Application Vulnerabilities
Page 23: Common Exploits Against Web
• Hidden field manipulation
• Unvalidated redirects & forwards
Page 24: Broken Authentication & Session Management
[Diagram: User, Application, www.hacker.com]
1. User logs in with credentials
2. App uses URL rewriting (appends SESSION ID in the URL)
3. User clicks on a link to http://www.hacker.com/ in a forum
4. Hacker, on www.hacker.com, finds the user's SESSION ID from the URL (the browser sends the referring URL in the Referer header)
5. Hacker uses SESSION ID and takes over victim's account
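The scenario on this slide only works because the session identifier is in the URL, where it leaks through Referer headers, browser history, proxy logs and the application's own access logs. One cheap detective control is to scan those access logs for session identifiers in request URLs, which tells you whether any part of the application is still using URL rewriting. The scanner below is an added example, not part of the training material; the log lines, the session values and the `SESSION_PARAM_NAMES` list are constructed for it, and the list is a starting point rather than a complete inventory of framework parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry a session identifier when an application
# rewrites URLs. Example starting point; extend it for your own frameworks.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "session_id",
                       "sid", "asp.net_sessionid"}

# Constructed Apache "combined" access-log lines; the session values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account/view.php?PHPSESSID=4f9c1b2e8a7d&tab=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /catalog/item.php?id=29 HTTP/1.1" 200 2048 "http://shop.example.com/" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:14 +0000] "GET /index.jsp;jsessionid=ABC123DEF456?q=x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Java-style path parameters (/index.jsp;jsessionid=...) sit in the path, not the query.
PATH_PARAM = re.compile(r";(?P<name>[^=;?]+)=(?P<value>[^;?]*)")


def find_session_ids_in_urls(log_text: str) -> list:
    """Return one finding per request whose URL carries a session identifier."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        found = [(name, value)
                 for name, value in parse_qsl(parts.query, keep_blank_values=True)
                 if name.lower() in SESSION_PARAM_NAMES]
        found += [(pm.group("name"), pm.group("value"))
                  for pm in PATH_PARAM.finditer(parts.path)
                  if pm.group("name").lower() in SESSION_PARAM_NAMES]
        for name, value in found:
            findings.append({
                "client": m.group("client"),
                "when": m.group("when"),
                "path": parts.path,
                "param": name,
                # Do not copy a live token into a ticket; a prefix is enough to correlate.
                "token_prefix": value[:4] + "...",
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_ids_in_urls(SAMPLE_LOG):
        print(finding)
```

The fix on the application side is to carry the session in a cookie marked Secure and HttpOnly and to disable URL rewriting entirely; the scan above is how you confirm that nothing slipped back in.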
Page 25: Parameter Tampering
Parameter "nick" is passed as input to the user_menu.php form on the query string
Page 27: Forceful Browsing
Page 29: Hidden Field Manipulation
The 'price' parameter value appears in a hidden field in the source HTML. It can be modified before sending it back to the application.
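A hidden field is just another client-supplied parameter, so the price in it deserves no more trust than the "nick" parameter on page 25. The example below is added here and is not from the training material: the server signs each hidden field with an HMAC bound to the field name, so an edited value is detected and logged, and it charges the catalog price regardless of what the form says. `SERVER_SECRET`, `CATALOG` and the form dictionaries are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Server-side key; generated per process here, loaded from config in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed catalog: the server's own price list is the only source of truth.
CATALOG = {"sku-100": "49.99", "sku-200": "5.00"}


def sign_hidden_field(name: str, value: str) -> str:
    """Value for <input type="hidden">: the value plus a MAC bound to the field name."""
    mac = hmac.new(SERVER_SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def read_hidden_field(name: str, signed_value: str) -> str:
    """Return the field value, or raise if the MAC does not match (value was edited)."""
    value, sep, mac = signed_value.rpartition("|")
    expected = hmac.new(SERVER_SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        raise ValueError(f"hidden field {name!r} failed verification")
    return value


def render_order_form(sku: str) -> dict:
    """What the server emits into the page (a dict stands in for the HTML form)."""
    return {"sku": sku, "price": sign_hidden_field("price", CATALOG[sku])}


def checkout(form: dict) -> dict:
    """Server-side handling of the posted form."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        return {"ok": False, "reason": "unknown sku"}
    try:
        read_hidden_field("price", form.get("price", ""))
    except ValueError:
        # Tampering is a signal worth rejecting and logging, not silently correcting.
        return {"ok": False, "reason": "price field tampered"}
    # Even with a valid MAC, charge what the catalog says, never what the client sent.
    return {"ok": True, "sku": sku, "charged": CATALOG[sku]}


if __name__ == "__main__":
    form = render_order_form("sku-100")
    print(checkout(form))
    print(checkout(dict(form, price="0.01")))
```

The signature is the detective control; the catalog lookup is the preventive one. Either alone would do for the price, but the signed field also covers hidden values that cannot be recomputed server-side, such as a pre-selected shipping option.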
Page 33: Unvalidated Redirects and Forwards
1. Attacker sends attack to victim via email or webpage
   From: Internal Revenue Service
   Subject: Your Unclaimed Tax Refund
   Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim.
2. Victim clicks link containing unvalidated parameter:
   http://www.irs.gov/taxrefund/claim.jsp?year=2006& … &dest=www.evilsite.com
3. Request sent to vulnerable site, including attacker's destination site as parameter; application redirects victim to attacker's site (redirect sends victim to attacker site)
4. Evil site installs malware on victim, or phishes for private information
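The `dest` parameter on this slide is the whole problem: the application forwards the browser wherever the parameter says. The validator below is an added example, not part of the training material, and goes slightly beyond the slide by also covering the URL forms that routinely get past a naive "starts with /" or "contains our domain" check (scheme-relative `//host`, backslashes, userinfo tricks, look-alike subdomains). `ALLOWED_HOSTS` and `DEFAULT` are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this hypothetical application may redirect to; anything else falls back to DEFAULT.
ALLOWED_HOSTS = {"www.irs.gov"}
DEFAULT = "/"


def safe_redirect_target(dest: str) -> str:
    """Return dest if it is a local path or an http(s) URL on an allowed host, else DEFAULT."""
    if not dest or any(ch in dest for ch in "\r\n\x00"):
        return DEFAULT  # CR/LF in a Location header would allow header injection
    # Browsers treat a backslash like a slash here, so normalise before parsing.
    dest = dest.replace("\\", "/")
    parts = urlsplit(dest)
    if parts.scheme:
        # Absolute URL: only http(s), only an allowed host. parts.hostname drops
        # userinfo, so http://www.irs.gov@evilsite.com resolves to evilsite.com.
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return DEFAULT
        return dest
    if parts.netloc or dest.startswith("//"):
        return DEFAULT  # scheme-relative //evilsite.com (and ///evilsite.com)
    if not dest.startswith("/"):
        return DEFAULT  # a bare host name like www.evilsite.com is not a local path
    return dest


if __name__ == "__main__":
    for candidate in ("/taxrefund/claim.jsp?year=2006", "www.evilsite.com",
                      "//www.evilsite.com", "http://www.irs.gov@www.evilsite.com"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Where the application only ever needs to return users to its own pages, the stronger design is to drop the free-form parameter altogether and redirect by an opaque key into a server-side table of destinations.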
Page 34: Cross-Site Request Forgery
1. User authenticated with bank.com (target).
2. User simultaneously tricked into visiting another site such as a chat forum.
3. Hacker posts message with malicious HTML on site chat forum:
   <img src="http://bank.com/withdraw?account=Savings&amount=1000&…">
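The forged `<img>` request succeeds only if bank.com accepts a state change from any request that carries the session cookie. The handler below is an added example, not code from the training material or from any bank: it refuses GET for state changes, checks the Origin header the browser adds to cross-site POSTs, and requires a per-session token that only the bank's own pages can embed. `SERVER_SECRET`, `SITE_ORIGIN` and the three request dictionaries are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Server secret for this process (constructed for the example; real apps load it from config).
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.com"  # the application's own origin, as on the slide


def csrf_token(session_id: str) -> str:
    """Token tied to the session, embedded in the bank's own forms as a hidden field."""
    return hmac.new(SERVER_SECRET, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def allow_withdraw(request: dict) -> bool:
    """Decide whether a /withdraw request may change state.

    request has keys: method, session_id (from the session cookie, which the
    browser attaches automatically), form (posted fields) and headers (lower-cased)."""
    # 1. GET never changes state, so the forged <img> request does nothing.
    if request["method"] != "POST":
        return False
    # 2. Browsers set Origin on cross-site POSTs; a foreign origin is rejected outright.
    origin = request["headers"].get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # 3. The token lives in the page, not the cookie, so the forum page cannot read it.
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token(request["session_id"]))


# Constructed requests. All three carry the victim's session cookie, because the
# browser attaches it regardless of which page caused the request.
VICTIM_SESSION = "sess-victim-constructed"
FORGED_IMG_REQUEST = {
    "method": "GET",  # <img src="http://bank.com/withdraw?..."> is always a GET
    "session_id": VICTIM_SESSION,
    "form": {"account": "Savings", "amount": "1000"},
    "headers": {"referer": "http://forum.example.com/thread/1"},
}
FORGED_FORM_POST = {
    "method": "POST",  # an auto-submitting form on the forum page
    "session_id": VICTIM_SESSION,
    "form": {"account": "Savings", "amount": "1000"},
    "headers": {"origin": "http://forum.example.com"},
}
LEGITIMATE_POST = {
    "method": "POST",
    "session_id": VICTIM_SESSION,
    "form": {"account": "Savings", "amount": "1000",
             "csrf_token": csrf_token(VICTIM_SESSION)},
    "headers": {"origin": SITE_ORIGIN},
}

if __name__ == "__main__":
    for label, req in (("forged img", FORGED_IMG_REQUEST),
                       ("forged form", FORGED_FORM_POST),
                       ("legitimate", LEGITIMATE_POST)):
        print(f"{label}: allowed={allow_withdraw(req)}")
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a fourth layer, because the browser then withholds the cookie from cross-site requests; the token check stays in place for browsers and clients that do not honour it.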
Page 35: Cross-Site Scripting (XSS)
Exploits the user's trust in the application
• Steal cookie: session hijacking
• Change content on the page: site defacement
• Install Trojan Horse programs
• Change field parameters
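XSS happens when a parameter such as the "nick" value from page 25 is written back into a page without encoding for the place it lands. The example below is added here and is not from the training material: it renders a constructed profile template that places the same value in element text, in an attribute and inside a script block, and encodes each one for its own context; the unsafe renderer is kept alongside to show the difference. The template and the helper names are constructed for the example.

```python
import html
import json

# Constructed profile-page template with the "nick" parameter in three contexts.
TEMPLATE = """<html><body>
<h1>Welcome, {nick_text}</h1>
<input type="text" name="nick" value="{nick_attr}">
<script>var nick = {nick_js};</script>
</body></html>"""


def encode_html(value: str) -> str:
    """For element text and double-quoted attribute values: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a JavaScript string literal inside <script>: JSON-encode (adds quotes,
    escapes backslash, quote and control characters), then also escape the
    characters that could end the script block or the tag early."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_profile(nick: str) -> str:
    """Hardened: every insertion point gets the encoder for its context."""
    return TEMPLATE.format(
        nick_text=encode_html(nick),
        nick_attr=encode_html(nick),
        nick_js=encode_js_string(nick),
    )


def render_profile_unsafe(nick: str) -> str:
    """The flaw: the query-string parameter reflected without encoding."""
    return TEMPLATE.format(nick_text=nick, nick_attr=nick, nick_js='"' + nick + '"')


if __name__ == "__main__":
    sample = '"><script>alert(1)</script><'
    print(render_profile(sample))
```

Encoding is chosen by the output context, not by the input: the same value needs HTML entities in the body but `\uXXXX` escapes inside the script, and an HTML-entity-encoded value dropped into JavaScript would still break out. Templating engines that auto-escape per context do this for you; the point of writing it out is to see what they must get right.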
Page 36: Cross-Site Scripting (XSS)
Page 37
• System calls to the OS: (-exec cat /etc/passwd)
Page 38: SQL Injection
Page 39: String SQL Injection – Exploit
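Page 7 made the point that SSL does not help here: the injection rides inside a perfectly valid, encrypted HTTPS request, and only the application can tell that the string it received is not just a password. The example below is added here and is not from the training material or the lab: it builds a constructed SQLite users table, shows a login query assembled by string concatenation (the "string SQL injection" of this slide) beside the parameterised version, and runs the textbook `' OR '1'='1` input through both. The table contents and passwords are made up, and clear-text passwords are used only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; real applications store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("student1", "student1"), ("admin", "constructed-admin-pw")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String SQL injection: user input pasted into the query text (the flaw on this slide)."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: values travel separately from the SQL and never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions with a normal login and with the injected password."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "normal_vuln": login_vulnerable(conn, "student1", "student1"),
        "normal_fixed": login_fixed(conn, "student1", "student1"),
        # The concatenated query becomes ... AND password = '' OR '1'='1', true for every row.
        "injected_vuln": login_vulnerable(conn, "anyone", injected),
        # The parameterised query compares the password column to the literal string.
        "injected_fixed": login_fixed(conn, "anyone", injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

A WAF in front of the application can add signature and anomaly detection for this class of input, but the parameterised query is the control that removes the vulnerability rather than filtering around it.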
Page 40: Online Lab
Page 41: Lab Guide
https://clouddocs.f5.com/training/community/waf/html/class3/class3.html