LightBlog

Wednesday, 5 December 2018

Ethical Hacking Tutorials - Learn Web Hacking?


The Language of the Web.


  • HTML: .html, .htm, HTML4
  • Dynamic HTML (DHTML): .dhtml
  • XML (eXtensible Markup Language): .xml
  • XHTML: .xml
HTML Elements - Their Attributes and Security Implications

<form>

Form for user input. Whenever a program accepts user input, a security risk exists. In fact, that is how most attacks occur: submission of characters to a program that isn't expecting them, resulting in abnormal results.

<form action>

Action attribute. This <form> attribute defines the executing program on the Web server. By knowing the name of the program processing the user-supplied data, an attacker can learn valuable information about the Web server and potentially find a backup or older version of the program in the same or other directories.

<form method>

Method attribute. This <form> attribute defines the mechanism for sending user-supplied information to the Web server's processing program. Two methods exist for submitting information to the program: POST and GET. By understanding the method of submission, an attacker can listen to the information (which may be sensitive in nature), or worse, alter the information being sent and produce abnormal results.

<script language=<variable>>

Scripting. The <script> element, used in conjunction with the "language" attribute, allows an attacker to modify any client-side scripting being sent to the browser. When an attacker can modify the client-side scripting, she can then bypass certain filtering or sanitization scripts. Client-side scripting languages include JavaScript, VBScript, JScript and XML.

<input>

Input form control. The <input> element provides an input control for a form. Specific attributes can be altered to send undesirable data to the Web server.

<input type=hidden>

Type attribute. The "type" attribute, when assigned the value "hidden", can allow an attacker to change the "value" attribute to something undesirable. For example, some Web sites use a hidden field to store the price of an item in a shopping cart, which allows an attacker to change the price of that item manually to whatever he wants. If there is no server-side processing and validation of the price, an attacker can purchase items online at significantly reduced prices.

<input maxlength=<variable>>

Maxlength attribute. The "maxlength" attribute can be altered by an attacker, causing the form to submit large strings that can disable a Web server if they are not preprocessed appropriately.

<input size=<variable>>

Size attribute. Similar to the "maxlength" attribute, the "size" attribute can be altered by an attacker, causing the form to submit large strings that can disable a Web server if they are not preprocessed appropriately.

<applet>

Java applet. This element is used to display or run a Java applet. Because Java is transmitted in the clear and uses a known byte code for execution, it can be seen on the wire by using a packet analyzer such as Snort or EtherPeek. For more information about decompiling Java applets and the <applet> tag.

<object>

This element type is used for displaying an ActiveX control, but it can also be used for Java applets. An attacker can send an e-mail with HTML embedded and have the reader execute an ActiveX control, which can take over the system. The <object> element is among the best ways to propagate an e-mail virus.

<embed>

This element type is used in conjunction with the <object> tag to display ActiveX and Netscape plug-ins.

What is ActiveX?


ActiveX is not a programming language, but rather a set of rules for how applications should share information.

How Does a Web Server Work?


protocol (http or https)://servername/path/to/resource?parameters

The browser breaks the URL into three parts:
  1. The protocol: http or https
  2. The server name: www.example.com
  3. The page name: webpage.html

Symbols Used in Web Server URLs


Alphanumeric symbols - A-Z, a-z, 0-9

Reserved symbols - ; / @ = & + < > # % " etc.

Other special characters - - _ ~ * ' ( ) { } | \ ^ [ ]

What is the Meaning of Parameters?


? - Query string separator. The part of the URL string to the right of the ? symbol is the query string.

& - Parameter delimiter. Used to separate name=value parameter pairs in the query string.

= - Separates the parameter name from the parameter value when passing parameters in the query string.

+ - Is translated into a space.

: - Protocol separator. The portion of the URL string from the beginning to the : symbol is the protocol.

# - Used to specify an anchor point within a Web page.

% - Used as an escape character for specifying hexadecimally encoded characters.

@ - Used in mailto: URLs when specifying Internet e-mail addresses, or for passing user login credentials to a password-protected resource, especially over FTP (File Transfer Protocol).

~ - Used for specifying a user's home directory on a multiuser system such as Unix.

Let's Understand How a URL Works


http://html.net/page.php?id=12345

The HTTP query string contains a variable named "id" with the value "12345".

http://html.net/page.php?name=John

Again, you have a variable ("name") with the value "John".

https://www.amazon.com/order/buy.asp?item=A003&pmt=visa

buy.asp - The extension .asp suggests that this file is actually a Microsoft IIS Active Server Pages (ASP) file. ASP files run almost exclusively on the Microsoft IIS Web server; hence www.amazon.com is most probably a Windows NT/2000/XP server running IIS. item=A003 suggests that the item being bought is assigned an item code and that the item details must be stored in a database. The most popular choice of database platform for Windows NT is usually some form of Microsoft SQL Server or Microsoft Access. If it is a small site, it might be Microsoft Access. pmt=visa suggests that the payment for the purchase is being made by credit card -- in this case, a Visa card.

Popular Web Servers


  • Apache Web Server
  • IIS Web Server
  • Unix
Web hacking refers to exploitation of Web applications via HTTP on port 80. Common techniques:

  • Parameter Tampering
  • Directory Traversal
  • Cross-Site Scripting (XSS)
  • Web Spidering
  • Cookie Poisoning
  • Cookie Parameter Manipulation
  • Cookie Stealing


Types of Parameter Tampering


Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization. This points the browser to a link, page or site other than the one the user intends.

Form-Based Parameter Tampering


When a user makes selections on an HTML page, they are usually stored as form field values and sent to the Web application as an HTTP request. These values can be pre-selected (combo box, checkbox, radio button, etc.), free text or hidden. All of these values can be manipulated by an attacker. In most cases, this is as simple as saving the page, editing the HTML and reloading the page in the Web browser.

Hidden fields are parameters invisible to the end user, normally used to provide status information to the Web application. For example, consider a product order form that includes the following hidden field:

<input type="hidden" name="price" value="5999.90">

Modifying this hidden field value will cause the Web application to charge according to the new amount, unless the price is validated on the server.

Combo boxes, checkboxes and radio buttons are examples of pre-selected parameters used to transfer information between different pages while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values as well: the browser only presents the predefined options, it does not enforce them.

For example, consider a form that includes the following combo box (the reset button's TYPE and the duplicate "acc" field name in the original listing have been corrected):

<FORM METHOD=POST ACTION="money.html">
Source Account <SELECT NAME="acc">
<OPTION VALUE="123456789">******789</OPTION>
<OPTION VALUE="888888888">******888</OPTION></SELECT>
<BR>Amount:<INPUT NAME="Amount" SIZE="50">
<BR>Destination Account:<INPUT NAME="dest" SIZE="50">
<BR><INPUT TYPE=SUBMIT><INPUT TYPE=RESET>
</FORM>
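The server-side counterpart to the two forms above, as an added example that is not part of the original post: the hidden "price" field is never trusted (the catalog is the only source of truth), the combo-box "acc" value is checked against the accounts the logged-in user actually owns, and the SIZE="50" limit is enforced on the server rather than relied on in the browser. The catalog, account ownership table and field names other than those in the forms are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side data (assumptions for this example; not from the post).
CATALOG = {"A003": Decimal("5999.90"), "A004": Decimal("19.95")}
ACCOUNTS_BY_USER = {"alice": {"123456789", "888888888"}, "bob": {"555555555"}}
MAX_FIELD_LEN = 50  # the SIZE attribute is advisory only; enforce the limit here


class TamperedRequest(ValueError):
    """Raised when a submitted value cannot have come from the page we served."""


def price_order(form: dict) -> Decimal:
    """Price an order from the server-side catalog, never from the hidden 'price' field."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise TamperedRequest("unknown item code")
    price = CATALOG[item]
    # If the client sent a price at all, it is only useful as a tampering signal.
    if "price" in form and form["price"] != str(price):
        raise TamperedRequest("hidden price field was modified")
    return price


def transfer(user: str, form: dict) -> dict:
    """Validate the combo-box source account and the free-text amount server-side."""
    for name in ("acc", "dest", "Amount"):
        if len(form.get(name, "")) > MAX_FIELD_LEN:
            raise TamperedRequest(f"{name} exceeds {MAX_FIELD_LEN} characters")
    src = form.get("acc", "")
    if src not in ACCOUNTS_BY_USER.get(user, set()):
        raise TamperedRequest("source account is not owned by the authenticated user")
    dest = form.get("dest", "")
    if not dest.isdigit():
        raise TamperedRequest("destination account must be numeric")
    try:
        amount = Decimal(form.get("Amount", ""))
    except InvalidOperation:
        raise TamperedRequest("amount is not a number")
    # is_finite() guards against NaN/Infinity before the comparison below.
    if not amount.is_finite() or amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise TamperedRequest("amount must be positive with at most two decimals")
    return {"from": src, "to": dest, "amount": amount}


def check(fn, *args):
    """Run a handler and return its result, or the rejection reason as a string."""
    try:
        return fn(*args)
    except TamperedRequest as exc:
        return f"rejected: {exc}"
```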

Path Traversal Attack


A path traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating a variable that references files with "dot dot slash (../)" sequences and their variants, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited only by the operating system's access control. The attacker uses "../" sequences to move up towards the root directory, thus permitting navigation through the file system.
This attack is also known as "dot dot slash", "directory traversal", "directory climbing" and "backtracking".

Web servers provide two main levels of security mechanisms:
  • Access Control Lists (ACLs)
  • Root directory
An Access Control List is used in the authorization process. It is a list which the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, as well as other access rights.

The root directory is a specific directory on the server file system in which the users are confined. Users are not able to access anything above it.

For example, the default root directory of IIS on Windows is C:\Inetpub\wwwroot. With this setup, a user does not have access to C:\Windows but does have access to C:\Inetpub\wwwroot\news and any other directories and files under the root directory (provided that the user is authorized via the ACLs).

The root directory prevents users from accessing sensitive files on the server such as cmd.exe on Windows platforms and the password file on Linux/Unix platforms.

This vulnerability can exist either in the web server software itself or in the web application code.

In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where to blindly find files. The traversal sequence can be written in many encodings, which is why a server must decode the path before checking it:

%2e%2e%2f        represents  ../
%2e%2e/          represents  ../
..%2f            represents  ../
%2e%2e%5c        represents  ..\
%2e%2e\          represents  ..\
..%5c            represents  ..\
%252e%252e%255c  represents  ..\ (double URL-encoded)
..%255c          represents  ..\ (double URL-encoded)

and so on.

../ - means "up one level"

Example:

Path Traversal attacks against a web server

http://example/../../../../../passwd

http://example/..%255c..%255cboot.ini

http://example/..%u2216..%u2216someother/file

Path Traversal attacks against a web application

Original: http://example/foo.cgi?home=index.html
Attack:
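As an added example that is not part of the original post, here is how a server-side handler can map a user-supplied path onto the web root so that every encoding in the table above (single, double and backslash variants) is caught, while an unrecognised encoding such as %u2216 is rejected outright rather than guessed at. The web root path and the allowed-character set are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web root (assumption; not from the post).
WEB_ROOT = "/var/www/html"
# Allow-list of characters a decoded resource path may contain.
SAFE_CHARS = re.compile(r"^[A-Za-z0-9._/-]*$")


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    sequence such as %252e%252e%255c becomes '..\\' rather than '%2e%2e%5c'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_under_root(user_path: str, root: str = WEB_ROOT):
    """Return the absolute filesystem path for a user-supplied path, or None
    when the request is a traversal attempt or uses an unrecognised encoding."""
    decoded = full_decode(user_path).replace("\\", "/")  # treat ..\ like ../
    # %uXXXX and any other non-%XX encoding leaves a literal '%' behind: reject.
    if not SAFE_CHARS.match(decoded):
        return None
    # Reject any '..' segment after decoding, regardless of how it was written.
    if ".." in decoded.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check as defence in depth: the result must stay under root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```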

Web Spidering

A spider is a program that visits Web sites and reads their pages and other information in order to create entries for a search engine index. The major search engines on the Web all have such a program, which is also known as a "crawler" or a "bot". Spiders are typically programmed to visit sites that have been submitted by their owners as new or updated. Spiders are called spiders because they usually visit many sites in parallel at the same time, their "legs" spanning a large area of the "web". Spiders can crawl through a site's pages in several ways. One way is to follow all the hypertext links in each page until all the pages have been read.

How does any spider start its travels over the Web?


The usual starting points are lists of heavily used servers and very popular pages. The spider will begin with a popular site, indexing the words on its pages and following every link found within the site. In this way, the spidering system quickly begins to travel, spreading out across the most widely used portions of the Web.

Google began as an academic search engine. In the paper that describes how the system was built, Sergey Brin and Lawrence Page give an example of how quickly their spiders can work. They built their initial system to use multiple spiders, usually three at one time. Each spider could keep about 300 connections to Web pages open at a time. At its peak performance, using four spiders, their system could crawl over 100 pages per second, generating around 600 kilobytes of data each second.

XSS (Cross-Site Scripting)

XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent a script that activates when it is read by an unsuspecting user's browser or by an application that has not protected itself against cross-site scripting.

The actual XSS attack is formed by injecting unsanitized input into a Web application. The input is usually in the form of JavaScript, which can be stored by the application and returned to other users when they visit the page, thereby executing the JavaScript in the user's browser.

Common exploitation points include search engine boxes, online forums and publicly accessible blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements.

The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags. Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Because such a tag filter only covers the tags it knows about, it should be paired with encoding of user-supplied text at output time.
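As an added example that is not part of the original post, the two layers side by side: the tag filter the post recommends, dropping exactly the tags it lists, and HTML output encoding, which renders whatever was stored as visible text instead of markup. The in-memory comment store and function names are constructed assumptions.

```python
import html
import re

# Tags the post names as XSS carriers; used here as the first-layer input filter.
BLOCKED_TAGS = ("script", "object", "applet", "embed", "form")
TAG_FILTER = re.compile(r"</?\s*(%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE)

# Constructed in-memory store standing in for the application's database.
COMMENTS = []


def filter_input(text: str) -> str:
    """First layer (the post's recommendation): remove the listed tags from dynamic input.
    Opening and closing forms are removed in any letter case; other markup is untouched."""
    return TAG_FILTER.sub("", text)


def render_comment(text: str) -> str:
    """Second layer: encode on output so stored text is shown as text, not executed.
    quote=True also encodes ' and ", so the result is safe inside a quoted
    attribute value as well as in element content."""
    return "<li>" + html.escape(text, quote=True) + "</li>"


def post_comment(raw: str) -> str:
    """Store a filtered comment and return the HTML fragment shown to other users."""
    stored = filter_input(raw)
    COMMENTS.append(stored)
    return render_comment(stored)
```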

Common Languages used for XSS

  1. JavaScript
  2. VBScript
  3. HTML
  4. Perl
  5. C++
  6. ActiveX
  7. Flash.
A cross-site scripting attack is also referred to as malicious tagging and is sometimes abbreviated as CSS, though CSS is more commonly used as an abbreviation for Cascading Style Sheets.
