SlideShare a Scribd company logo

Ceh v8 labs module 13 hacking web applications

Mehrdad Jingoism, profile picture
Mehrdad Jingoism

Web applications are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking. This document provides instructions on how to test a vulnerable website called Powergym for parameter tampering and cross-site scripting attacks. Learners are shown how to manipulate website parameters to view details without proper authorization, demonstrating the risk of parameter tampering. Countermeasures like validating all parameters are recommended to prevent unauthorized access through tampering.

Technology
1 of 20
Downloaded 136 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
C E H Lab M a n u a l H a c k in g W e b A p p lic a t io n s M o d u le 1 3
M odule 13 - H ackin g W eb A p p licatio n s H a c k i n g W e b Applications Hacking web app ations r f r t canying out unauthoriseda c s of a website or lic ees o ces the website d t i s eal. I C ON Valuable information Test your ** Web exercise m Lab Scenario KEY Workbook re A web application is an application that is accessed by users over a network such as the Internet or an intranet. The term may also mean a computer software application that is coded 111 a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable. Web applications are popular due to the ubiquity of web browsers, and the convenience of using a web browser as a client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility. Common web applications include webmail, online retail sales, online auctions, wikis and many other functions. Web hacking refers to exploitation of applications via HTTP which can be done by manipulating the application via its graphical web interface, tampering the Uniform Resource Identifier (URI) or tampering HTTP elements not contained 111 the URL Methods that can be used to hack web applications are SQL Injection attacks. Cross Site Scripting (XSS), Cross Site Request Forgeries (CSRF), Insecure Communications, etc. As an expert E th ic al H a c k e r and S e c u rity A d m in is trato r, you need to test web applications for cross-site scripting vulnerabilities, cookie liijackuig, command injection attacks, and secure web applications from such attacks. Lab Objectives The objective of tins lab is to provide expert knowledge ot web application vulnerabilities and web applications attacks such as: ■ Parameter tampering ■ Directory traversals & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:CEHT oolsC E H v8 M o d u le 13 H a c k in g W eb A p p lic a tio n s ■ Cross-Site Scripting (XSS) ■ Web Spidering ■ Cookie Poisoning and cookie parameter tampering ■ Securing web applications from hijacking Lab Environment To earn‫ ־‬out the lab, you need: ■ A computer running W in d o w s C E H Lab Manual Page 762 S e rv e r 2 0 1 2 Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s A web browser with an Internet connection Lab Duration Tune: 50 Minutes Overview of Web Application Web applications provide an in te rfa c e between end users and web servers through a set of web pages generated at the server end or diat contain s c rip t co d e to be executed dynamically within the client W eb browser. TASK Lab Tasks 1 Recommended labs to assist you 111 web application: O v e rv ie w ■ Parameter tampering attacks ■ Cross-site scripting (XSS or CSS) ■ Web spidering ■ Website vulnerability scanning using Acunetix WVS Lab Analysis Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure. P LE A S E C E H Lab Manual Page 763 TA LK TO Y O U R IN S T R U C T O R IF YO U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s H a c k i n g W e b Applications Though r e a pl at ns e f r e c r a n s c r t p l c e , they are vulnerable t r b p ic io n o c e t i e u i y o i i s o various a t c s such as S O L i j c i n c o s s t s r p i g and s s i n h j c i g tak, neto, rs-ie c i t n , eso iakn. I CON KEY / Valuable information Test your knowledge a Web exercise m Workbook review Lab Scenario According to die DailyNews, Cyber-crime targeted 111 new ICT policy; the government is reviewing the current Information and Communication Technology (ICT) policy in quest to incorporate other relevant issues, including addressing cyber-crime, reported to be on the increase. “Many websites and web applications are vulnerable to security threat including the government's and non-government's websites, we are therefore cautious to ensure that die problem is checked”, Mr. Urasa said. Citing some of the reasons leading to hacking, he said inadequate auditing 111 website and web applications caused by lack of standard security auditing were among problems diat many web developers faced. As an expert E th ic a l H a c k e r and S e c u rity A d m in is trato r, you should be aware of all the methods diat can be employed by an attacker towards hacking web applications and accordingly you can implement a countermeasure for those attacks. Hence, 111 diis lab you will learn how to hack a website with vulnerabilities. Lab Objectives The objective of tins lab is to help students learn how to test web applications for vulnerabilities. 111 tins lab you will perform: ■ Parameter tampernig attacks & Too ls d e m o n s tra te d in th is lab a re a v a ila b le in D:CEHT oo lsC E H v8 M o du le 13 H a c k in g W eb ■ Cross-site scnptuig (XSS or CSS) Lab Environment To earn‫ ־‬out die lab, you need: ■ Powergym website is located at D :CEH -ToolsC EHv8 Lab P re re q u isitesW eb sites P o w erg y m A p p lica tio n s C E H Lab Manual Page 764 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s ■ Rim this lab 111 Windows Server 2012 host machine ■ Microsoft SQL server 2012 ■ A web browser with an Internet connection m http: //localhost/ powergym Lab Duration Time: 20 Minutes Overview of Web Applications Web applications provide an in te rfa c e between end users and web servers through a set of web pages diat are generated at die server end or diat contain s c rip t c o d e to be executed dynamically widlin die client w e b brow ser. TASK 1 P a ra m e te r T am p erin g Lab Tasks Web p a r a m e te r ta m p e rin g attacks involve the m a n ip u la tio n of parameters exchanged between a client and a server 111 order to m o d ify application data, such as user credentials and permissions, price, and quantity of products. 1. To launch a web browser move your mouse cursor to lower left corner of your desktop, and click S ta rt H U Parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in X SS, SQ L injection. C E H Lab Manual Page 765 F IG U R E 1.1: Windows Server 2012 —Desktop view 2. From start menu apps click 011 any browser app to launch. 111 diis lab we are using F irefo x browser Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s A m is to £ d in tra r Start Mae agr r ~ ,‫ן‬ *‫נ‬ e pwnil Coe oe e hm n r m * CH 1Fe or Pm md irfw W M«e jpg Ma r anV * SLee Q rr Sv S IT l‫־‬ ■U * P‫׳‬n< 0p m Parameter tampering can be employed by attackers and identity thieves to obtain personal or business information regarding the user surreptitiously. ‫׳־־‬ F IG U R E 1.2: Windows Server 2012—Start Menu Apps 3. Type http:/ /localhost/powergym 111 die address bar of the web browser, and press E n te r 4. The H o m e p ag e of P o w e rg ym appears m Countermeasures specific to the prevention o f parameter tampering involve die validation o f all parameters to ensure that they conform to standards concerning minimum and maximum allowable length, allowable numeric range, allowable character sequences and patterns, whether or not the parameter is actually required to conduct the transaction in question, and whether or not null is allowed. C E H Lab Manual Page 766 F IG U R E 1.3: Poweigvm home page 5. Assume diat you are n o t ID for diis website 6. a m em ber of diis site and you don’t have a Login 111 the address bar, try to tamper die parameter by entering various keywords. Perform a T ria l and Error on diis website 7. Click on trainers and type ‘S arah P a rtin k ’ in die search option. Click S earch Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s F IG U R E 1.4: Poweigym Tiaineis page CO□ A web page contains both text and H T M L markup that is generated by the server and interpreted by die client browser. Web sites diat generate only static pages are able to have full control over how the browser interprets these pages. Web sites diat generate dynamic pages do not have complete control over how their outputs are interpreted by die client. F IG U R E 1.5: Poweigym ID page Now tamper with the parameters id= S arah P a rtin k to id=R ich ard Pete rs o n 111 die address bar and press E n ter You get die search results for R ichard P ete rs o n widiout acUially searching S arah P a rtin k 111 search field. This process of changing the id v a lu e and getting die result is known as p a ra m e te r ta m p e rin g 6 F IG U R E 1. : Poweigym widi parameter tampering 10. You have browsed a site to which you don’t have login ID and access to view details of products. You have performed dus by p a ra m e te r tam p e rin g C E H Lab Manual Page 767 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s (XSS or CSS) attacks exploit vulnerabilities 111 generated web pages. This enables m a lic io u s attackers to inject clientside scnpts into web pages viewed by odier users. W eb c ro s s-s ite sc rip tin g 3 task 2 C ross-S ite d y n a m ic a lly S crip tin g A tta c k Open a web browser, type http:// localliost/ powergvm. and press E n te r 12. The h om e p ag e ot Powergvm appears ^ Cross-site scripting (X SS) is a type o f computer security vulnerability, typically found in web applications, that enables malicious attackers to inject client-side script into web pages viewed by other users. F IG U R E 1.7: Classic Cars Collection home page 1 3 To log 111 to die site, click 011 LO G IN E Q h ttp ://localhost/pc rgym F IG U R E 1.8: Powergym home page 14. The Login p ag e ot the Powergym website appears 15. Enter ‘ s a m ” as U s e r n a m e and “t e s t '’ as P assw o rd tields and click 011 Login to log into die website C E H Lab Manual Page 768 111 the respective Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s c a Attackers inject JavaScript, VBScript, ActiveX, H T M L, or Flash into a vulnerable application to fool a user in order to gather data. (Read below for further details) Everything from account hijacking, changing o f user settings, cookie theft/poisoning, and false advertising is possible. F IG U R E 1.9: Powejgym Login page 16. After you log 111 to the website, hud ail input field page where you can enter cro s s-s ite scrip tin g. 111 diis lab, die c o n ta c t page contains an input held where yon can enter cross-site scnpt 17. After logging 111 it will automatically open c o n ta c t page m Most modern web applications are dynamic in nature, allowing users to customize an application website through preference settings. Dynamic web content is then generated by a server that relies on user settings. These settings often consist o f personal data that needs to be secure. F IG U R E 1.10: Powergym Contact page 18. On die contact page, enter your login name (or any name) 111 Y o u r n am e held 19. Enter any email in email address held. 111 die Y o u r m e ss ag e held, enter diis cross-site script, Chris, I love yo u r G YM ! < s c rip t> a le rt("Y o u h a v e been h ack ed ")< /s crip t> and click S u bm it 20. Oil diis page, you are te s tin g for cross-site scripting vulnerability C E H Lab Manual Page 769 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s m Cross-site Scripting is among the most widespread attack methods used by hackers. It is also referred to by the names X SS and CSS. CwUcl trio ■ .t'« Join O Club ur © © F IG U R E 1.11: Powergym contact page with script 21. You have successfully added a m a lic io u s s c rip t 111 die contact page. The comment widi malicious link is sto re d on die server. Leave z trtcssaec|[bucccssMly Subtnledj m Cross-site scripting (also known as X SS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form o f a hyperlink which contains malicious content widiin it. The user most likely clicks on diis link from another website, instant message, or simply just reading a web board or email message. F IG U R E 1.12: Powergym contact page script submitted successfully 22. Whenever any m e m b e r comes to die contact page, die a le rt soon as die web page is loaded. * ••1-00‫*<י‬ pops up P ft as D *j ‫כ » מ‬ F IG U R E 1.13: Powergym Error page C E H Lab Manual Page 770 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s Lab Analysis Analyze and document the results related to die lab exercise. Give your opinion 011 your target’s secuntv posture and exposure. Tool/U tility Information Collected/Objectives Achieved ■ Parameter tampering results ■ Cross-site script attack 011 website vulnerabilities Powergym Website P LE A S E TA LK TO Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Questions 1. Analyze how all the malicious scnpts are executed 111 a vulnerable web application. 2. Analyze if encryption protects users from cross-site scripting attacks. 3. Evaluate and list what countermeasures you need to take to defend from cross-site scripting attack. Internet Connection Required □ Yes 0 No Platform Supported El Classroom C E H Lab Manual Page 771 0 iLabs Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s W e b s i t e Vulnerability S c a n n i n g U s i n g A c u n e t i x W V S A.cunetix web v l e a i i y scanner (IP1 r broadens the scope of v l e a i i y unrblt S) unrblt scanning by introducing h gh advanced h u i t cand ri rous t c n l g e designedt i ly ersi go ehoois o tackle th complexities of today'sweb-based environments. e ■ con [£Z7 Valuable information Test your knowledge ^ • Lab Scenario key Web exercise With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise die corporate network or die end-users accessing the website by subjecting them to drive-by downloading As many as 70% of web sites have vulnerabilities diat could lead to die theft of sensitive corporate data such as credit card information and customer lists. Hackers are concentrating dieir efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere 111 the world, insecure web applications provide easy access to backend corporate databases and allow hackers to perform illegal activities using the compromised site. • ^ otkbook review Web application attacks, launched on port 80/443, go straight dirough the firewall, past operating system and network level security, and light 111 to the heart of the application and corporate data. Tailor-made web applications are often insufficiendv tested, have undiscovered vulnerabilities and are therefore easy prey for hackers. As an expert P e n e tra tio n T e s te r, find out if your website is secure before hackers download sensitive data, commit a crime using your website as a launch pad, and endanger vour business. You may use A c u n e tix W eb V u ln e ra b ility S c a n n e r (WYS) diat checks the website, analyzes the web applications and finds perilous SQL injection. Cross site scnptmg and other vulnerabilities that expose the online business. Concise reports identify where web applications need to be fixed, thus enabling you to protect your business from impending hacker attacks! C E H Lab Manual Page 772 Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s Lab Objectives & The objective of tins kb is to help students secure web applications and te s t websites for vulnerabilities and threats. Too ls d e m o n s tra te d in Lab Environment th is lab a re a v a ila b le in To perform the lab, you need: D:CEHT oo lsC E H v8 ‫י‬ Acunetix Web vulnerability scanner is located at D:CEH -ToolsC EHv8 M o du le 13 M o du le 13 H a c k in g W eb A p p licatio n sW eb A p p lica tio n S ec u rity H a c k in g W eb T o o lsA cu n etix W eb V u ln e ra b ility S c a n n e r A p p lica tio n s ■ You can also download the latest version of A c u n e tix v u ln e ra b ility s c a n n e r trom the link http:/ / www.acunetix.com / vulnerability-scanner ■ If you decide to download the the lab might differ la te s t v e rs io n , W eb then screenshots shown 111 ■ A computer mnmng Windows Server 2012 ■ A web browser with an Internet connection m You can download Acunetix W V S from http://www.acunetix.com ■ Microsoft SQL Server / Microsoft Access Lab Duration Time: 20 Minutes Overview of Web Application Security Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services. $ ‫ ־‬N O T E: DO NOT SC A N A W E B S IT E W IT H O U T P R O P E R A U T H O R ISA T IO N ! m. TASK 1 S can W e b s ite fo r V u ln e ra b ility At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP. Java EE, Java, Python, Ruby, ASP.NET, C#, 13.NET or Classic ASP. Lab Tasks 1. Follow the wizard-driven installation steps to install A c u n e tix W eb V u ln e r a b ility S c a n n e r. 2. To launch A c u n e tix W eb V u ln e r a b ility S c a n n e r move your mouse cursor to lower left corner of your desktop and click S ta r t C E H Lab Manual Page 773 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s F IG U R E 2.1: Windows Server 2012 —Desktop view m The Executive report creates a summary o f the total number o f vulnerabilities found in every vulnerability class. This makes it ideal for management to get an overview o f the security of the site without needing to review technical details. 3. 111 start menu apps click on A c u n e tix W V S S c a n W iza rd A m is to £ d in tra r Start Pw e o rth ll r= app to launch m cc lwim < 9 H6v ) a‫־‬ pf Mngr a e A w ajre W8 /S ‫וי‬ E M llld j/ w e rrr E Sd* tu * IXo ‫־‬ < © ‫ך‬ b z . C M isam.. B E 3 F IG U R E 2.2: Launching Acunetix W V S Scan Wizard app m The scan target option, Scan single website scans a single website. ca The Scan Target option scans using saved crawling results. I f you previously performed a crawl on a website and saved the results, you can launch a scan against the saved crawl, instead o f crawling the website again. C E H Lab Manual Page 774 4. Acunetix Web Vulnerability Scanner main appears F IG U R E 2.3: Acunetix W eb Vulnerability Scanner Main W indow The S c a n W iz a rd of Acunetix Web Vulnerability Scanner appears. You can also start Scan Wizard by clicking F ile -> N e w -> N e w W e b S ite S c a n or clicking 011 N e w S c a n 011 the top right hand ot the Acunetix WVS user interface. Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s 6. Check the type of Scan you want to perform, input the website URL, and click on N e x t > to continue 7. You can type http://localliost/powergrm or http://localliost/realliome 8. 111 tins lab we are scanning for vulnerabilities 111 for tins webpage http://localliost/powergrm Scan Type Select whether you want to scan a angle website or analyze the results of a previous ciawl. S m Here you can scan a single websrfe In case you want to scan a single web appfccation and not the whole site you can enter the ful path below The appfcabon supports HTTP and HTTPS websites. (•) Scan single website In Scan Option, Extensive mode, die crawler fetches all possible values and combinations o f all parameters. Websito URL:||aLWFA’W , .l.!!>J.'.'.ll.'-'l.l . ^ If you saved the site structure using the site cravrfer tool you can use the saved results here. The scan will load this data from the We instead of ctawing the site again. file crawfing O Scan usng saved crawfcng results zi Filename: If you want to scan a 1st of websites, use the Aanetw Scheduler You can access the scheduler interface by cfcckng the Ink below http: /Axalhost: 8181 / Hx> et F IG U R E 2.4: Acunetix W V S Scan Wizard Window 9. 111 O p tio n s live the settings to default click N e x t Scan Type Options ^ Options Adjust crawfcng/scanning options from this page. ( Target I —I Login Scanning options ^ Scannng profile w i enable/disable deferent tests (or group 0#tests) from the test database. Scanning proMe: £ - Default Scanning settngs allow you to adjust scannng behavior to the current scan(s). Scan settings: Default ▼ @ Save scan results to database for report generation Crawfcng options ■ A * These options will defne the behaviour of the crawler for the current scans. If yc the general crawler behaviour, you should go to settngs. □ After crawling jet me choose the fiet to scan (~1 Defne list of URL's to be processed by cravrfer at start ca The scan target option scans a list o f target websites specified in a plain text file (one target per line). acunetix 3 F am | ilen e: < Back | Next > | | Cancel F IG U R E 2.5: Acunetix W V S Options Wizard 10. Confirm targets and technologies detected by clicking on C E H Lab Manual Page 775 N ext Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s m The scan target option scans a specific range o f IP s (e.g.192.168.0.10192.168.0.200) and port ranges (80,443) for available target sites. Port numbers are configurable. m The other scan options which you can select from the wizard are: 11. 111 L ogin wizard live die default settings and click N e x t ■ Manipulate H T T P headers ‫י‬ Enable Port Scanning ‫ י‬Enable AcuSensor Technology £ 7 Note: I f a specific web technology is not listed under Optimize for the technologies, it means that there are no specific tests for it. C E H Lab Manual Page 776 F IG U R E 2.7: Acunetix W V S Scan Wizard Login Option 12. Click oil F in ish button to check with the vulnerabilities of website Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s Finish After analyzing the website responses, we have compied a 1st of recommendations foe the current scan. AcuSensor is enabled on Acunetix W V S but seems not to be configured on the target server(s). Instal the sensor on your target server(s). If the sensor is already instaled, set the correct password for the serverfs) by cicking on customize. You can verify if a specific server responds by using the test button from the sensor settings. y=y In Scan Options, Quick mode, the crawler fetches only a very limited number o f variations o f each parameter, because they are not considered to be actions parameters. Case insensitive server It seems that the server is usrtg CASE nsensitrve URLs If you want to set case insensitive crawling check below, otherwise value from settings wd be used * CASE insensitive crawling Addrtional hosts detected Some additional hosts were detected Check the ones you want to nclude in the scan. Save customized scan settings F IG U R E 2.8: Acunetix W V S Scan Wizard Finish 13. Click on O K 111 Limited XSS Scanning Mode warning L im it e d X S S S c a n n in g m M o d e W eb Vulnerability Scannei Free Edition h i Scan Option, Heuristic mode, the crawler tries to make heuristic decisions on which parameters should be considered as action parameters and which This version w only scan for C S Scripting vulnerabilities! ill ross ite O the full version of AcunetixW S w scan for all vulnerabilities. nly V ill OK F IG U R E 2.9: Acunetix W V S Scan Wizard -Warning 14. Acunetix Web Vulnerability Scanner s ta r ts scanning the input website. During the scan, s e c u rity a le r ts that are discovered on the website are listed 111 real time under die Alerts node 111 the S c a n R e s u lts window. A node Site Structure is also created, which lists folders discovered. ■* 5*|, 5 JJJ » Ug ■L i ___ I “ ‫״‬ .... *Sr m Note: I f the scan is launched from saved crawl results, in die Enable AcuSensor Technology option, you can specify to use sensor data from crawling results without revalidation, not to use sensor data from crawling results only, or else to revalidate sensor data. F IG U R E 2.10: Acunetix W V S Main Window after Scan C E H Lab Manual Page 777 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s 15. The Web Alerts node displays all vulnerabilities found on the target website. m I f you scan an H T T P password-protected website, you are automatically prompted to specify the username and password. Acunetix W V S supports multiple sets of H T T P credential for the same target website. H T T P authentication credentials can be configured to be used for a specific website/host, U R L, or even a specific file only. 16. Web Alerts are sorted into four severity levels: ■ High Risk Alert Level 3 ■ Medium Risk Alert Level 2 ■ Low Risk Alert Level 1 ■ Informational Alert 17. The number of vulnerabilities detected is displayed 111 brackets () next to the alert categories. dA j t t 2 ( .» ‫| ־‬r r .1 ‫| יי‬A 4 ‫ * ג‬y £ « so u ru . mp a t !■ liL.llllli m.llll.llII.■.,r. k .1 ■ ii 1 - F IG U R E 2.11: Acunetix W V S Result TASK 2 Saving S can R esu lt 18. When a scan is complete, you can s a v e th e s c a n hie for analysis and comparison at a later stage. 19. To s a v e the scan results, click F ile -> S a v e desired location and save the scan results. 20. re s u lts to an external S c a n R e s u lts . Select a allow you to gather vulnerability information from the results database and present periodical vulnerability statistics. S ta tis tic a l R e p o rts 21. Tins report allows developers and management to track security changes and to compile trend analysis reports. m Statistical reports allow you to gather vulnerability information from the results database and present periodical vulnerability statistics. This report allows developers and management to track security changes and to compile trend analysis reports. C E H Lab Manual Page 778 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s N ote: 111 tins kb we have used trial version so we could not able the save die results. To save die result it Acunetix WVS should be licensed version G en eratin g R epo rt 22. To generate a report, click on die the top. ca The developer report groups scan results by affected pages and files, allowing developers to quickly identify and resolve vulnerabilities. The report also features detailed remediation examples and best-practice recommendations for fixing vulnerabilities. report button on the toolbar at F IG U R E 2.13: Acunetix W V S Generate Report option 23. Tliis action starts the A c u n e tix W V S R e p o rte r. 24. The Report Viewer is a standalone application that allows you to s a v e , e x p o rt, and p rin t g e n e ra te d re p o rts . The reports can be exported to PDF, HTML, Text, Word Document, or BMP. v ie w , 25. To generate a report, follow the procedure below. Select the type of report you want to generate and click on R e p o rt W iza rd to launch a wizard to assist you. 26. If you are generating a c o m p lia n c e re p o rt, select the type of compliance report. If you are generating a c o m p a ris o n re p o rt, select the scans you would like to compare. It you are generating a monthly report, specify the month and year you would like to report. Click N e x t to proceed to the next step. 27. Configure the scan filter to list a number ot specific saved scans or leave the default selection to display all scan results. Click N e x t to proceed and select the specific scan for which to generate a report. m The Vulnerability report style presents a technical summary o f the scan results and groups all the vulnerabilities according to their vulnerability class. Each vulnerability class contains information on the exposed pages, die attack headers and the specific test details 28. Select what properties and details the report should include. Click G e n e r a te to finalize the wizard and generate the report. 29. The W V S R e p o rte r contains the following groups of reports: ■ Developer —Shows affected pages and files ■ Executive —Provides a summary of security of the website ■ Vulnerability —Lists vulnerabilities and their impact ■ Comparison —Compares against previous scans ■ Statistical —Compiles trend analysis C E H Lab Manual Page 779 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 13 - H ackin g W eb A p p licatio n s ■ Compliance Standard —PCI DSS, OWASP, WASC m The Scan Comparison report allows the user to track the changes between two scan results. H ie report documents resolved and unchanged vulnerabilities and new vulnerability details. The report style makes it easy to periodically track development changes for a web application. 'TScrtttrtitao'np'ttwuft’•!u afjrel1 *tjn I mI i t c » « nm «»v»»Mak Jl* nnnrj»YU«no«»c F IG U R E 2.14: Acunetix W V S Generate Report window Tins is sample report, as tiial version doesn’t support to generate a report of scanned website N ote: Lab Analysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s security posture and exposure. Tool/Utility Information Collected/Objectives Achieved Acunetix Web Vulnerability Scanner P LE A S E TA LK TO Cross-site scripting vulnerabilities verified Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Questions 1. Analyze how you can schedule an unattended scan. 2. Evaluate how a web vulnerability scan is performed from an external source. Will it use up all your bandwidth? 3. Determine how Acunetix WVS crawls dirough password-protected areas. Internet Connection Required 0 Yes □ No Platform Supported 0 Classroom C E H Lab Manual Page 780 D iLabs Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

More Related Content

PDF
Implementing a comprehensive application security progaram - Tawfiq
OWASP-Qatar Chapter
 
PPTX
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
PPT
Web Application Security Testing
Marco Morana
 
PDF
Ceh v8 labs module 14 sql injection
Mehrdad Jingoism
 
PPTX
Web and Mobile Application Security
Prateek Jain
 
PPTX
Web application security
Kapil Sharma
 
PDF
Detecting malicious URLs using binary classification through ada boost algori...
IJECEIAES
 
PPTX
2 . web app s canners
Rashid Khatmey
 
Implementing a comprehensive application security progaram - Tawfiq
OWASP-Qatar Chapter
 
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
Web Application Security Testing
Marco Morana
 
Ceh v8 labs module 14 sql injection
Mehrdad Jingoism
 
Web and Mobile Application Security
Prateek Jain
 
Web application security
Kapil Sharma
 
Detecting malicious URLs using binary classification through ada boost algori...
IJECEIAES
 
2 . web app s canners
Rashid Khatmey
 

What's hot (20)

PDF
War on stealth cyber attacks phishing docusign apache metron
gvetticaden
 
PDF
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
PDF
IRJET- Phishing Website Detection System
IRJET Journal
 
PPTX
A7 Missing Function Level Access Control
stevil1224
 
PDF
Ce hv8 module 02 footprinting and reconnaissance
Mehrdad Jingoism
 
PPTX
Secure Android Apps- nVisium Security
Jack Mannino
 
PDF
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
PDF
Volume 2-issue-6-2037-2039
Editor IJARCET
 
PDF
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
aditi agarwal
 
PPTX
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
PDF
IRJET- Advanced Phishing Identification Technique using Machine Learning
IRJET Journal
 
PDF
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
PPTX
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Invincea, Inc.
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
PDF
Les 10 risques liés aux applications mobiles
Bee_Ware
 
PDF
OWASP Top 10 - 2017
HackerOne
 
PPTX
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum
 
War on stealth cyber attacks phishing docusign apache metron
gvetticaden
 
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
IRJET- Phishing Website Detection System
IRJET Journal
 
A7 Missing Function Level Access Control
stevil1224
 
Ce hv8 module 02 footprinting and reconnaissance
Mehrdad Jingoism
 
Secure Android Apps- nVisium Security
Jack Mannino
 
Routine Detection Of Web Application Defence Flaws
IJTET Journal
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Volume 2-issue-6-2037-2039
Editor IJARCET
 
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
aditi agarwal
 
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
IRJET- Advanced Phishing Identification Technique using Machine Learning
IRJET Journal
 
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Invincea, Inc.
 
Owasp top 10 security threats
Vishal Kumar
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Owasp Top 10-2013
n|u - The Open Security Community
 
Les 10 risques liés aux applications mobiles
Bee_Ware
 
OWASP Top 10 - 2017
HackerOne
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum
 

Viewers also liked (20)

PPTX
Proyecto manhattan
Fernando Navarrete
 
PDF
Ce hv8 module 14 sql injection
Mehrdad Jingoism
 
PDF
Ce hv8 module 00
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 18 buffer overflow
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 07 viruses and worms
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 08 sniffers
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 15 hacking wireless networks
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 06 trojans and backdoors
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 05 system hacking
Mehrdad Jingoism
 
DOCX
Legacy Project
Perry Stockwell
 
DOCX
Tarea vi de medios y recursos didacticos
19943812
 
PDF
Ceh v8 labs module 02 footprinting and reconnaissance
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 04 enumeration
Mehrdad Jingoism
 
PPT
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
Jon Ernstberger
 
PPTX
Who the hell is going to use this thing?
Faran Jessani
 
PDF
Ceh v8 labs module 19 cryptography
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 12 hacking webservers
Mehrdad Jingoism
 
DOCX
case brief
Perry Stockwell
 
PDF
Ceh v8 labs module 00
Mehrdad Jingoism
 
Proyecto manhattan
Fernando Navarrete
 
Ce hv8 module 14 sql injection
Mehrdad Jingoism
 
Ce hv8 module 00
Mehrdad Jingoism
 
Ceh v8 labs module 18 buffer overflow
Mehrdad Jingoism
 
Ceh v8 labs module 07 viruses and worms
Mehrdad Jingoism
 
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Mehrdad Jingoism
 
Ceh v8 labs module 08 sniffers
Mehrdad Jingoism
 
Ceh v8 labs module 15 hacking wireless networks
Mehrdad Jingoism
 
Ceh v8 labs module 06 trojans and backdoors
Mehrdad Jingoism
 
Ceh v8 labs module 05 system hacking
Mehrdad Jingoism
 
Legacy Project
Perry Stockwell
 
Tarea vi de medios y recursos didacticos
19943812
 
Ceh v8 labs module 02 footprinting and reconnaissance
Mehrdad Jingoism
 
Ceh v8 labs module 04 enumeration
Mehrdad Jingoism
 
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
Jon Ernstberger
 
Who the hell is going to use this thing?
Faran Jessani
 
Ceh v8 labs module 19 cryptography
Mehrdad Jingoism
 
Ceh v8 labs module 12 hacking webservers
Mehrdad Jingoism
 
case brief
Perry Stockwell
 
Ceh v8 labs module 00
Mehrdad Jingoism
 

Similar to Ceh v8 labs module 13 hacking web applications (20)

PDF
Ce hv8 module 13 hacking web applications
Mehrdad Jingoism
 
PDF
Ceh v8 labs module 11 session hijacking
Asep Sopyan
 
PDF
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
PDF
Super1
neelakanteswarreddy
 
PDF
Module 12 (web application vulnerabilities)
Wail Hassan
 
PPTX
Introduction to Web Application Penetration Testing
Rana Khalil
 
PPT
Edinburgh
Colin McLean
 
PPTX
Ethical Hacking Course Learning and study
ndjendjeaurelien
 
PDF
Ethical hacking firefox plugin6
Srikanta Sen
 
PPTX
Ethical Hacking Techniques for Web Application Security
Boston Institute of Analytics
 
PDF
Module 11 (hacking web servers)
Wail Hassan
 
PDF
Ceh v8 labs module 09 social engineering
Mehrdad Jingoism
 
DOCX
ethical hacking report
Akhilesh Patel
 
PPT
Ethical hacking Book Review
Tirtha Mal
 
PDF
Ceh v8 labs module 00
Asep Sopyan
 
PPTX
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
SuhailShaik16
 
PPTX
Burp Suite is a powerful and widely-used tool
waudit1
 
PDF
Ceh v8 labs module 09 social engineering
Asep Sopyan
 
PPTX
Ethical hacking
Јаѓќеѕн Јажѕшаф
 
PPTX
Website Hacking and Preventive Measures
Shubham Takode
 
Ce hv8 module 13 hacking web applications
Mehrdad Jingoism
 
Ceh v8 labs module 11 session hijacking
Asep Sopyan
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
Super1
neelakanteswarreddy
 
Module 12 (web application vulnerabilities)
Wail Hassan
 
Introduction to Web Application Penetration Testing
Rana Khalil
 
Edinburgh
Colin McLean
 
Ethical Hacking Course Learning and study
ndjendjeaurelien
 
Ethical hacking firefox plugin6
Srikanta Sen
 
Ethical Hacking Techniques for Web Application Security
Boston Institute of Analytics
 
Module 11 (hacking web servers)
Wail Hassan
 
Ceh v8 labs module 09 social engineering
Mehrdad Jingoism
 
ethical hacking report
Akhilesh Patel
 
Ethical hacking Book Review
Tirtha Mal
 
Ceh v8 labs module 00
Asep Sopyan
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
SuhailShaik16
 
Burp Suite is a powerful and widely-used tool
waudit1
 
Ceh v8 labs module 09 social engineering
Asep Sopyan
 
Ethical hacking
Јаѓќеѕн Јажѕшаф
 
Website Hacking and Preventive Measures
Shubham Takode
 

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Teaching material agriculture food technology
LiaRayya
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Encapsulation theory and applications.pdf
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Approach and Philosophy of On baking technology
30anthuong17
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 

Ceh v8 labs module 13 hacking web applications

  • 1. C E H Lab M a n u a l H a c k in g W e b A p p lic a t io n s M o d u le 1 3
  • 2. M odule 13 - H ackin g W eb A p p licatio n s H a c k i n g W e b Applications Hacking web app ations r f r t canying out unauthoriseda c s of a website or lic ees o ces the website d t i s eal. I C ON Valuable information Test your ** Web exercise m Lab Scenario KEY Workbook re A web application is an application that is accessed by users over a network such as the Internet or an intranet. The term may also mean a computer software application that is coded 111 a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable. Web applications are popular due to the ubiquity of web browsers, and the convenience of using a web browser as a client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility. Common web applications include webmail, online retail sales, online auctions, wikis and many other functions. Web hacking refers to exploitation of applications via HTTP which can be done by manipulating the application via its graphical web interface, tampering the Uniform Resource Identifier (URI) or tampering HTTP elements not contained 111 the URL Methods that can be used to hack web applications are SQL Injection attacks. Cross Site Scripting (XSS), Cross Site Request Forgeries (CSRF), Insecure Communications, etc. As an expert E th ic al H a c k e r and S e c u rity A d m in is trato r, you need to test web applications for cross-site scripting vulnerabilities, cookie liijackuig, command injection attacks, and secure web applications from such attacks. Lab Objectives The objective of tins lab is to provide expert knowledge ot web application vulnerabilities and web applications attacks such as: ■ Parameter tampering ■ Directory traversals & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:CEHT oolsC E H v8 M o d u le 13 H a c k in g W eb A p p lic a tio n s ■ Cross-Site Scripting (XSS) ■ Web Spidering ■ Cookie Poisoning and cookie parameter tampering ■ Securing web applications from hijacking Lab Environment To earn‫ ־‬out the lab, you need: ■ A computer running W in d o w s C E H Lab Manual Page 762 S e rv e r 2 0 1 2 Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 3. M odule 13 - H ackin g W eb A p p licatio n s A web browser with an Internet connection Lab Duration Tune: 50 Minutes Overview of Web Application Web applications provide an in te rfa c e between end users and web servers through a set of web pages generated at the server end or diat contain s c rip t co d e to be executed dynamically within the client W eb browser. TASK Lab Tasks 1 Recommended labs to assist you 111 web application: O v e rv ie w ■ Parameter tampering attacks ■ Cross-site scripting (XSS or CSS) ■ Web spidering ■ Website vulnerability scanning using Acunetix WVS Lab Analysis Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure. P LE A S E C E H Lab Manual Page 763 TA LK TO Y O U R IN S T R U C T O R IF YO U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 4. M odule 13 - H ackin g W eb A p p licatio n s H a c k i n g W e b Applications Though r e a pl at ns e f r e c r a n s c r t p l c e , they are vulnerable t r b p ic io n o c e t i e u i y o i i s o various a t c s such as S O L i j c i n c o s s t s r p i g and s s i n h j c i g tak, neto, rs-ie c i t n , eso iakn. I CON KEY / Valuable information Test your knowledge a Web exercise m Workbook review Lab Scenario According to die DailyNews, Cyber-crime targeted 111 new ICT policy; the government is reviewing the current Information and Communication Technology (ICT) policy in quest to incorporate other relevant issues, including addressing cyber-crime, reported to be on the increase. “Many websites and web applications are vulnerable to security threat including the government's and non-government's websites, we are therefore cautious to ensure that die problem is checked”, Mr. Urasa said. Citing some of the reasons leading to hacking, he said inadequate auditing 111 website and web applications caused by lack of standard security auditing were among problems diat many web developers faced. As an expert E th ic a l H a c k e r and S e c u rity A d m in is trato r, you should be aware of all the methods diat can be employed by an attacker towards hacking web applications and accordingly you can implement a countermeasure for those attacks. Hence, 111 diis lab you will learn how to hack a website with vulnerabilities. Lab Objectives The objective of tins lab is to help students learn how to test web applications for vulnerabilities. 111 tins lab you will perform: ■ Parameter tampernig attacks & Too ls d e m o n s tra te d in th is lab a re a v a ila b le in D:CEHT oo lsC E H v8 M o du le 13 H a c k in g W eb ■ Cross-site scnptuig (XSS or CSS) Lab Environment To earn‫ ־‬out die lab, you need: ■ Powergym website is located at D :CEH -ToolsC EHv8 Lab P re re q u isitesW eb sites P o w erg y m A p p lica tio n s C E H Lab Manual Page 764 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 5. M odule 13 - H ackin g W eb A p p licatio n s ■ Rim this lab 111 Windows Server 2012 host machine ■ Microsoft SQL server 2012 ■ A web browser with an Internet connection m http: //localhost/ powergym Lab Duration Time: 20 Minutes Overview of Web Applications Web applications provide an in te rfa c e between end users and web servers through a set of web pages diat are generated at die server end or diat contain s c rip t c o d e to be executed dynamically widlin die client w e b brow ser. TASK 1 P a ra m e te r T am p erin g Lab Tasks Web p a r a m e te r ta m p e rin g attacks involve the m a n ip u la tio n of parameters exchanged between a client and a server 111 order to m o d ify application data, such as user credentials and permissions, price, and quantity of products. 1. To launch a web browser move your mouse cursor to lower left corner of your desktop, and click S ta rt H U Parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in X SS, SQ L injection. C E H Lab Manual Page 765 F IG U R E 1.1: Windows Server 2012 —Desktop view 2. From start menu apps click 011 any browser app to launch. 111 diis lab we are using F irefo x browser Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 6. M odule 13 - H ackin g W eb A p p licatio n s A m is to £ d in tra r Start Mae agr r ~ ,‫ן‬ *‫נ‬ e pwnil Coe oe e hm n r m * CH 1Fe or Pm md irfw W M«e jpg Ma r anV * SLee Q rr Sv S IT l‫־‬ ■U * P‫׳‬n< 0p m Parameter tampering can be employed by attackers and identity thieves to obtain personal or business information regarding the user surreptitiously. ‫׳־־‬ F IG U R E 1.2: Windows Server 2012—Start Menu Apps 3. Type http:/ /localhost/powergym 111 die address bar of the web browser, and press E n te r 4. The H o m e p ag e of P o w e rg ym appears m Countermeasures specific to the prevention o f parameter tampering involve die validation o f all parameters to ensure that they conform to standards concerning minimum and maximum allowable length, allowable numeric range, allowable character sequences and patterns, whether or not the parameter is actually required to conduct the transaction in question, and whether or not null is allowed. C E H Lab Manual Page 766 F IG U R E 1.3: Poweigvm home page 5. Assume diat you are n o t ID for diis website 6. a m em ber of diis site and you don’t have a Login 111 the address bar, try to tamper die parameter by entering various keywords. Perform a T ria l and Error on diis website 7. Click on trainers and type ‘S arah P a rtin k ’ in die search option. Click S earch Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 7. M odule 13 - H ackin g W eb A p p licatio n s F IG U R E 1.4: Poweigym Tiaineis page CO□ A web page contains both text and H T M L markup that is generated by the server and interpreted by die client browser. Web sites diat generate only static pages are able to have full control over how the browser interprets these pages. Web sites diat generate dynamic pages do not have complete control over how their outputs are interpreted by die client. F IG U R E 1.5: Poweigym ID page Now tamper with the parameters id= S arah P a rtin k to id=R ich ard Pete rs o n 111 die address bar and press E n ter You get die search results for R ichard P ete rs o n widiout acUially searching S arah P a rtin k 111 search field. This process of changing the id v a lu e and getting die result is known as p a ra m e te r ta m p e rin g 6 F IG U R E 1. : Poweigym widi parameter tampering 10. You have browsed a site to which you don’t have login ID and access to view details of products. You have performed dus by p a ra m e te r tam p e rin g C E H Lab Manual Page 767 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 8. M odule 13 - H ackin g W eb A p p licatio n s (XSS or CSS) attacks exploit vulnerabilities 111 generated web pages. This enables m a lic io u s attackers to inject clientside scnpts into web pages viewed by odier users. W eb c ro s s-s ite sc rip tin g 3 task 2 C ross-S ite d y n a m ic a lly S crip tin g A tta c k Open a web browser, type http:// localliost/ powergvm. and press E n te r 12. The h om e p ag e ot Powergvm appears ^ Cross-site scripting (X SS) is a type o f computer security vulnerability, typically found in web applications, that enables malicious attackers to inject client-side script into web pages viewed by other users. F IG U R E 1.7: Classic Cars Collection home page 1 3 To log 111 to die site, click 011 LO G IN E Q h ttp ://localhost/pc rgym F IG U R E 1.8: Powergym home page 14. The Login p ag e ot the Powergym website appears 15. Enter ‘ s a m ” as U s e r n a m e and “t e s t '’ as P assw o rd tields and click 011 Login to log into die website C E H Lab Manual Page 768 111 the respective Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 9. M odule 13 - H ackin g W eb A p p licatio n s c a Attackers inject JavaScript, VBScript, ActiveX, H T M L, or Flash into a vulnerable application to fool a user in order to gather data. (Read below for further details) Everything from account hijacking, changing o f user settings, cookie theft/poisoning, and false advertising is possible. F IG U R E 1.9: Powejgym Login page 16. After you log 111 to the website, hud ail input field page where you can enter cro s s-s ite scrip tin g. 111 diis lab, die c o n ta c t page contains an input held where yon can enter cross-site scnpt 17. After logging 111 it will automatically open c o n ta c t page m Most modern web applications are dynamic in nature, allowing users to customize an application website through preference settings. Dynamic web content is then generated by a server that relies on user settings. These settings often consist o f personal data that needs to be secure. F IG U R E 1.10: Powergym Contact page 18. On die contact page, enter your login name (or any name) 111 Y o u r n am e held 19. Enter any email in email address held. 111 die Y o u r m e ss ag e held, enter diis cross-site script, Chris, I love yo u r G YM ! < s c rip t> a le rt("Y o u h a v e been h ack ed ")< /s crip t> and click S u bm it 20. Oil diis page, you are te s tin g for cross-site scripting vulnerability C E H Lab Manual Page 769 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 10. M odule 13 - H ackin g W eb A p p licatio n s m Cross-site Scripting is among the most widespread attack methods used by hackers. It is also referred to by the names X SS and CSS. CwUcl trio ■ .t'« Join O Club ur © © F IG U R E 1.11: Powergym contact page with script 21. You have successfully added a m a lic io u s s c rip t 111 die contact page. The comment widi malicious link is sto re d on die server. Leave z trtcssaec|[bucccssMly Subtnledj m Cross-site scripting (also known as X SS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form o f a hyperlink which contains malicious content widiin it. The user most likely clicks on diis link from another website, instant message, or simply just reading a web board or email message. F IG U R E 1.12: Powergym contact page script submitted successfully 22. Whenever any m e m b e r comes to die contact page, die a le rt soon as die web page is loaded. * ••1-00‫*<י‬ pops up P ft as D *j ‫כ » מ‬ F IG U R E 1.13: Powergym Error page C E H Lab Manual Page 770 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 11. M odule 13 - H ackin g W eb A p p licatio n s Lab Analysis Analyze and document the results related to die lab exercise. Give your opinion 011 your target’s secuntv posture and exposure. Tool/U tility Information Collected/Objectives Achieved ■ Parameter tampering results ■ Cross-site script attack 011 website vulnerabilities Powergym Website P LE A S E TA LK TO Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Questions 1. Analyze how all the malicious scnpts are executed 111 a vulnerable web application. 2. Analyze if encryption protects users from cross-site scripting attacks. 3. Evaluate and list what countermeasures you need to take to defend from cross-site scripting attack. Internet Connection Required □ Yes 0 No Platform Supported El Classroom C E H Lab Manual Page 771 0 iLabs Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 12. M odule 13 - H ackin g W eb A p p licatio n s W e b s i t e Vulnerability S c a n n i n g U s i n g A c u n e t i x W V S A.cunetix web v l e a i i y scanner (IP1 r broadens the scope of v l e a i i y unrblt S) unrblt scanning by introducing h gh advanced h u i t cand ri rous t c n l g e designedt i ly ersi go ehoois o tackle th complexities of today'sweb-based environments. e ■ con [£Z7 Valuable information Test your knowledge ^ • Lab Scenario key Web exercise With the emergence of Web 2.0, increased information sharing through social networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise die corporate network or die end-users accessing the website by subjecting them to drive-by downloading As many as 70% of web sites have vulnerabilities diat could lead to die theft of sensitive corporate data such as credit card information and customer lists. Hackers are concentrating dieir efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere 111 the world, insecure web applications provide easy access to backend corporate databases and allow hackers to perform illegal activities using the compromised site. • ^ otkbook review Web application attacks, launched on port 80/443, go straight dirough the firewall, past operating system and network level security, and light 111 to the heart of the application and corporate data. Tailor-made web applications are often insufficiendv tested, have undiscovered vulnerabilities and are therefore easy prey for hackers. As an expert P e n e tra tio n T e s te r, find out if your website is secure before hackers download sensitive data, commit a crime using your website as a launch pad, and endanger vour business. You may use A c u n e tix W eb V u ln e ra b ility S c a n n e r (WYS) diat checks the website, analyzes the web applications and finds perilous SQL injection. Cross site scnptmg and other vulnerabilities that expose the online business. Concise reports identify where web applications need to be fixed, thus enabling you to protect your business from impending hacker attacks! C E H Lab Manual Page 772 Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 13. M odule 13 - H ackin g W eb A p p licatio n s Lab Objectives & The objective of tins kb is to help students secure web applications and te s t websites for vulnerabilities and threats. Too ls d e m o n s tra te d in Lab Environment th is lab a re a v a ila b le in To perform the lab, you need: D:CEHT oo lsC E H v8 ‫י‬ Acunetix Web vulnerability scanner is located at D:CEH -ToolsC EHv8 M o du le 13 M o du le 13 H a c k in g W eb A p p licatio n sW eb A p p lica tio n S ec u rity H a c k in g W eb T o o lsA cu n etix W eb V u ln e ra b ility S c a n n e r A p p lica tio n s ■ You can also download the latest version of A c u n e tix v u ln e ra b ility s c a n n e r trom the link http:/ / www.acunetix.com / vulnerability-scanner ■ If you decide to download the the lab might differ la te s t v e rs io n , W eb then screenshots shown 111 ■ A computer mnmng Windows Server 2012 ■ A web browser with an Internet connection m You can download Acunetix W V S from http://www.acunetix.com ■ Microsoft SQL Server / Microsoft Access Lab Duration Time: 20 Minutes Overview of Web Application Security Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services. $ ‫ ־‬N O T E: DO NOT SC A N A W E B S IT E W IT H O U T P R O P E R A U T H O R ISA T IO N ! m. TASK 1 S can W e b s ite fo r V u ln e ra b ility At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP. Java EE, Java, Python, Ruby, ASP.NET, C#, 13.NET or Classic ASP. Lab Tasks 1. Follow the wizard-driven installation steps to install A c u n e tix W eb V u ln e r a b ility S c a n n e r. 2. To launch A c u n e tix W eb V u ln e r a b ility S c a n n e r move your mouse cursor to lower left corner of your desktop and click S ta r t C E H Lab Manual Page 773 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 14. M odule 13 - H ackin g W eb A p p licatio n s F IG U R E 2.1: Windows Server 2012 —Desktop view m The Executive report creates a summary o f the total number o f vulnerabilities found in every vulnerability class. This makes it ideal for management to get an overview o f the security of the site without needing to review technical details. 3. 111 start menu apps click on A c u n e tix W V S S c a n W iza rd A m is to £ d in tra r Start Pw e o rth ll r= app to launch m cc lwim < 9 H6v ) a‫־‬ pf Mngr a e A w ajre W8 /S ‫וי‬ E M llld j/ w e rrr E Sd* tu * IXo ‫־‬ < © ‫ך‬ b z . C M isam.. B E 3 F IG U R E 2.2: Launching Acunetix W V S Scan Wizard app m The scan target option, Scan single website scans a single website. ca The Scan Target option scans using saved crawling results. I f you previously performed a crawl on a website and saved the results, you can launch a scan against the saved crawl, instead o f crawling the website again. C E H Lab Manual Page 774 4. Acunetix Web Vulnerability Scanner main appears F IG U R E 2.3: Acunetix W eb Vulnerability Scanner Main W indow The S c a n W iz a rd of Acunetix Web Vulnerability Scanner appears. You can also start Scan Wizard by clicking F ile -> N e w -> N e w W e b S ite S c a n or clicking 011 N e w S c a n 011 the top right hand ot the Acunetix WVS user interface. Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 15. M odule 13 - H ackin g W eb A p p licatio n s 6. Check the type of Scan you want to perform, input the website URL, and click on N e x t > to continue 7. You can type http://localliost/powergrm or http://localliost/realliome 8. 111 tins lab we are scanning for vulnerabilities 111 for tins webpage http://localliost/powergrm Scan Type Select whether you want to scan a angle website or analyze the results of a previous ciawl. S m Here you can scan a single websrfe In case you want to scan a single web appfccation and not the whole site you can enter the ful path below The appfcabon supports HTTP and HTTPS websites. (•) Scan single website In Scan Option, Extensive mode, die crawler fetches all possible values and combinations o f all parameters. Websito URL:||aLWFA’W , .l.!!>J.'.'.ll.'-'l.l . ^ If you saved the site structure using the site cravrfer tool you can use the saved results here. The scan will load this data from the We instead of ctawing the site again. file crawfing O Scan usng saved crawfcng results zi Filename: If you want to scan a 1st of websites, use the Aanetw Scheduler You can access the scheduler interface by cfcckng the Ink below http: /Axalhost: 8181 / Hx> et F IG U R E 2.4: Acunetix W V S Scan Wizard Window 9. 111 O p tio n s live the settings to default click N e x t Scan Type Options ^ Options Adjust crawfcng/scanning options from this page. ( Target I —I Login Scanning options ^ Scannng profile w i enable/disable deferent tests (or group 0#tests) from the test database. Scanning proMe: £ - Default Scanning settngs allow you to adjust scannng behavior to the current scan(s). Scan settings: Default ▼ @ Save scan results to database for report generation Crawfcng options ■ A * These options will defne the behaviour of the crawler for the current scans. If yc the general crawler behaviour, you should go to settngs. □ After crawling jet me choose the fiet to scan (~1 Defne list of URL's to be processed by cravrfer at start ca The scan target option scans a list o f target websites specified in a plain text file (one target per line). acunetix 3 F am | ilen e: < Back | Next > | | Cancel F IG U R E 2.5: Acunetix W V S Options Wizard 10. Confirm targets and technologies detected by clicking on C E H Lab Manual Page 775 N ext Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 16. M odule 13 - H ackin g W eb A p p licatio n s m The scan target option scans a specific range o f IP s (e.g.192.168.0.10192.168.0.200) and port ranges (80,443) for available target sites. Port numbers are configurable. m The other scan options which you can select from the wizard are: 11. 111 L ogin wizard live die default settings and click N e x t ■ Manipulate H T T P headers ‫י‬ Enable Port Scanning ‫ י‬Enable AcuSensor Technology £ 7 Note: I f a specific web technology is not listed under Optimize for the technologies, it means that there are no specific tests for it. C E H Lab Manual Page 776 F IG U R E 2.7: Acunetix W V S Scan Wizard Login Option 12. Click oil F in ish button to check with the vulnerabilities of website Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 17. M odule 13 - H ackin g W eb A p p licatio n s Finish After analyzing the website responses, we have compied a 1st of recommendations foe the current scan. AcuSensor is enabled on Acunetix W V S but seems not to be configured on the target server(s). Instal the sensor on your target server(s). If the sensor is already instaled, set the correct password for the serverfs) by cicking on customize. You can verify if a specific server responds by using the test button from the sensor settings. y=y In Scan Options, Quick mode, the crawler fetches only a very limited number o f variations o f each parameter, because they are not considered to be actions parameters. Case insensitive server It seems that the server is usrtg CASE nsensitrve URLs If you want to set case insensitive crawling check below, otherwise value from settings wd be used * CASE insensitive crawling Addrtional hosts detected Some additional hosts were detected Check the ones you want to nclude in the scan. Save customized scan settings F IG U R E 2.8: Acunetix W V S Scan Wizard Finish 13. Click on O K 111 Limited XSS Scanning Mode warning L im it e d X S S S c a n n in g m M o d e W eb Vulnerability Scannei Free Edition h i Scan Option, Heuristic mode, the crawler tries to make heuristic decisions on which parameters should be considered as action parameters and which This version w only scan for C S Scripting vulnerabilities! ill ross ite O the full version of AcunetixW S w scan for all vulnerabilities. nly V ill OK F IG U R E 2.9: Acunetix W V S Scan Wizard -Warning 14. Acunetix Web Vulnerability Scanner s ta r ts scanning the input website. During the scan, s e c u rity a le r ts that are discovered on the website are listed 111 real time under die Alerts node 111 the S c a n R e s u lts window. A node Site Structure is also created, which lists folders discovered. ■* 5*|, 5 JJJ » Ug ■L i ___ I “ ‫״‬ .... *Sr m Note: I f the scan is launched from saved crawl results, in die Enable AcuSensor Technology option, you can specify to use sensor data from crawling results without revalidation, not to use sensor data from crawling results only, or else to revalidate sensor data. F IG U R E 2.10: Acunetix W V S Main Window after Scan C E H Lab Manual Page 777 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 18. M odule 13 - H ackin g W eb A p p licatio n s 15. The Web Alerts node displays all vulnerabilities found on the target website. m I f you scan an H T T P password-protected website, you are automatically prompted to specify the username and password. Acunetix W V S supports multiple sets of H T T P credential for the same target website. H T T P authentication credentials can be configured to be used for a specific website/host, U R L, or even a specific file only. 16. Web Alerts are sorted into four severity levels: ■ High Risk Alert Level 3 ■ Medium Risk Alert Level 2 ■ Low Risk Alert Level 1 ■ Informational Alert 17. The number of vulnerabilities detected is displayed 111 brackets () next to the alert categories. dA j t t 2 ( .» ‫| ־‬r r .1 ‫| יי‬A 4 ‫ * ג‬y £ « so u ru . mp a t !■ liL.llllli m.llll.llII.■.,r. k .1 ■ ii 1 - F IG U R E 2.11: Acunetix W V S Result TASK 2 Saving S can R esu lt 18. When a scan is complete, you can s a v e th e s c a n hie for analysis and comparison at a later stage. 19. To s a v e the scan results, click F ile -> S a v e desired location and save the scan results. 20. re s u lts to an external S c a n R e s u lts . Select a allow you to gather vulnerability information from the results database and present periodical vulnerability statistics. S ta tis tic a l R e p o rts 21. Tins report allows developers and management to track security changes and to compile trend analysis reports. m Statistical reports allow you to gather vulnerability information from the results database and present periodical vulnerability statistics. This report allows developers and management to track security changes and to compile trend analysis reports. C E H Lab Manual Page 778 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  • 19. M odule 13 - H ackin g W eb A p p licatio n s N ote: 111 tins kb we have used trial version so we could not able the save die results. To save die result it Acunetix WVS should be licensed version G en eratin g R epo rt 22. To generate a report, click on die the top. ca The developer report groups scan results by affected pages and files, allowing developers to quickly identify and resolve vulnerabilities. The report also features detailed remediation examples and best-practice recommendations for fixing vulnerabilities. report button on the toolbar at F IG U R E 2.13: Acunetix W V S Generate Report option 23. Tliis action starts the A c u n e tix W V S R e p o rte r. 24. The Report Viewer is a standalone application that allows you to s a v e , e x p o rt, and p rin t g e n e ra te d re p o rts . The reports can be exported to PDF, HTML, Text, Word Document, or BMP. v ie w , 25. To generate a report, follow the procedure below. Select the type of report you want to generate and click on R e p o rt W iza rd to launch a wizard to assist you. 26. If you are generating a c o m p lia n c e re p o rt, select the type of compliance report. If you are generating a c o m p a ris o n re p o rt, select the scans you would like to compare. It you are generating a monthly report, specify the month and year you would like to report. Click N e x t to proceed to the next step. 27. Configure the scan filter to list a number ot specific saved scans or leave the default selection to display all scan results. Click N e x t to proceed and select the specific scan for which to generate a report. m The Vulnerability report style presents a technical summary o f the scan results and groups all the vulnerabilities according to their vulnerability class. Each vulnerability class contains information on the exposed pages, die attack headers and the specific test details 28. Select what properties and details the report should include. Click G e n e r a te to finalize the wizard and generate the report. 29. The W V S R e p o rte r contains the following groups of reports: ■ Developer —Shows affected pages and files ■ Executive —Provides a summary of security of the website ■ Vulnerability —Lists vulnerabilities and their impact ■ Comparison —Compares against previous scans ■ Statistical —Compiles trend analysis C E H Lab Manual Page 779 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 20. M odule 13 - H ackin g W eb A p p licatio n s ■ Compliance Standard —PCI DSS, OWASP, WASC m The Scan Comparison report allows the user to track the changes between two scan results. H ie report documents resolved and unchanged vulnerabilities and new vulnerability details. The report style makes it easy to periodically track development changes for a web application. 'TScrtttrtitao'np'ttwuft’•!u afjrel1 *tjn I mI i t c » « nm «»v»»Mak Jl* nnnrj»YU«no«»c F IG U R E 2.14: Acunetix W V S Generate Report window Tins is sample report, as tiial version doesn’t support to generate a report of scanned website N ote: Lab Analysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s security posture and exposure. Tool/Utility Information Collected/Objectives Achieved Acunetix Web Vulnerability Scanner P LE A S E TA LK TO Cross-site scripting vulnerabilities verified Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Questions 1. Analyze how you can schedule an unattended scan. 2. Evaluate how a web vulnerability scan is performed from an external source. Will it use up all your bandwidth? 3. Determine how Acunetix WVS crawls dirough password-protected areas. Internet Connection Required 0 Yes □ No Platform Supported 0 Classroom C E H Lab Manual Page 780 D iLabs Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.