Wednesday, June 25, 2014

PENESTRATION TESTING PART 2 WITH NIKTO

Identifying Injection Points

If your web page is static, you cannot test it as far as security concern. You can test it at some sort of view but you can’t play with it much as compare to dynamic page. Nikto scanner is a good utility which works best in testing static sites. There has to be some interaction between client and server via login panel, comment section, register page, contact us form and so on.

“Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated – Nikto Official Website.”

Tools like nikto might face problems or does not give efficient output while you test dynamic application. 

For our test I am opening user lookup page for now. Page looks like below figure. First let us understand how this page works and as we can see here there are 2 input fields such as username and password. But as I told its browser’s interpretation that webpage should look like this. So to begin the test, let us give any input and intercept the request so that we will come to know which parameters it is passing to the server and how our input value is assigned to those parameters.



For testing purpose you can give any input as you like, I personally give the username as jonnybravo and password momma. You can choose any input as you like but I personally prefer this input because of one major reason. When any webpage encodes your input, it will never encode alphabetic. So in my case I have not used any special character or something like that. So I am assuming that I will find this input in request as well as response. It doesn’t matter if login gets successful or not. After giving inputs I clicked on login button and captured request from the burp is as follows.


GET /chintan/index.php?page=user-info.php&username=chintan&password=chintan&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive


There are main 3 parts where you can inject something. They are illustrated as follows.
    1.  URL – Check whether there is any parameter passed or not. By watching our request we can see that there are couple of parameters passed. In our request page, username, passwords etc.. are the parameters passed. Burp often calls it params instead of whole word parameters. If we look at our request it shows the method they are using to pass the parameters is GET. It can be post as well. GET usually passes parameters in URL only. In post method those parameters are passed separately(not un URL) down in the request body.


“Burp has an ability to convert your GET method into post and post method into GET.”

So here lets change this method to post by right clicking in the request area anywhere and selecting the option which shows change request method.  
 
 



One you changed to request method, it will be converted into post request and then it will look like below.

POST /chintan/index.php HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details

You can see here params are passed separately(not in URL) down in the request body.

     1. Cookie : We can also pass data through the cookie. It might have parameters and the values sometimes you can change the value according to your need.

POST /chintan/index.php HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details


     2. Body :  Last but not the least is a body part. As I have mentioned that in POST request, data is passed at the bottom part of the request separately but not in URL. So you can modify that value of the params there in the body part. Considering above request, body parts are as follow.


page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details

If you are confused that what are the params and which are their values then click on the params tab to see the list of the parameter names and their values. Due to having POST request we have 4 params in our request body part.




One you changed to request method, it will be converted into post request and then it will look like below.



POST /chintan/index.php HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details



You can see here params are passed separately(not in URL) down in the request body.


    1. Cookie : We can also pass data through the cookie. It might have parameters   and the values sometimes you can change the value according to your need.


POST /chintan/index.php HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details



     2. Body :  Last but not the least is a body part. As I have mentioned that in POST request, data is passed at the bottom part of the request separately but not in URL. So you can modify that value of the params there in the body part. Considering above request, body parts are as follow.



page=user-info.php&username=jonnybravo&password=chintan&user-info-php-submit-button=View+Account+Details


If you are confused that what are the params and which are their values then click on the params tab to see the list of the parameter names and their values. Due to having POST request we have 4 params in our request body part. 




Let’s get back to original GET request and then we will see the param tab. At that moment we will be listed here the URL type instead of body.




So you can see here that all body parameter type is converted in to URL because it is a GET request.



Scenario 1: Let us just assume that this login panel is not allowing us to enter the username except “admin”. To support this security mechanism, developer might have put javascript validation on this page which does not allow any other username param’s value except admin. So in this case how do we bypass that mechanism to test the other desired username.


Solution 1: In that case initially we will give admin as a username so at client side, page will validate the username admin and will allow us to send the request. As soon as we click on send the requests we will see intercept it using burp. So intercepted request should look like below.



GET /chintan/index.php?page=user-info.php&username=admin&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1

Host: local host

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://localhost/chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details
Cookie: showhints=0; PHPSESSID=d3kmtdkar70bahk12c3ost5hd6
Connection: keep-alive


As you can see yellow highlighted parts username and param’s value is respectively admin and momma. We have already pass through javascript validation. Now we can modify the values over here and we can forward the request to submit it to the server.



GET /chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1
 
So you can see that I simply changed the value of username parameter by editing and if you want to confirm that value is really changed then you can go to param tab to see the new value of username param. In my case it is as follows. 






Now I will forward this request and will have a look at the browser. So my browser will look like below pic.





Here you can still see that at the time of giving username and password, I gave admin(which is still there) but we intercepted request changed param value to from admin to jonnybravo and then our request is authenticated with the server with new username and password. As there is no any username consisting jonnybravo in the database so I have got authentication fail error.


“Thus how we can bypass javascript validation on any form or authentication panel.”

So It was all about identifying injection points, intercepting request and changing the request to get to post and vice-versa. We have also seen what params is called in burp suite along with its value. I also demonstrated how to change the value of params in order to submit the request. Main aim of doing so, was to bypass the javascript validation at client side.
Posted by at No comments:

PENETRATION WITH OWASP AND BURP SUIT

WEB PENETRATION  PART 1

In this series of articles, I am going  to demonstrate how you can manually exploit the vulnerability of a web application, compared to using any automation tool, in order to find vulnerabilities in the application. Almost all companies worldwide focus on manual testing of web application rather than running web application scanners, which limit your knowledge and skills and the scope of finding a vulnerability with your testing.
For the whole series I am going to use these programs:


  1. NOWASP Mutiliadae
  2. BURP Proxy
NOWASP Mutiliadae
NOWASP Mutiliadae is a purposely vulnerable web application containing more than 40 vulnerabilities. It includes all of the OWASP top 10 vulnerabilities along with vulnerabilities from other organizations’ lists. There are other small and mid-level range vulnerabilities that are scanned by different web application scanners, such as Vega, Acunetix, Nikto, w3af, etc. I am going to use the latest version of this project, which has an object-oriented design to provide better understanding of all vulnerabilities of the web application.


Burp Suite
Another tool that I am going to use is burp proxy. This is interception proxy tool which interacts between client(browser application eg. Firefox, chrome) and the website or server. It will be running on my local machine and it will intercept inbound and outbound traffic between your browser and the target host(in our case target host is NOWASP mutiliade). Major use of this tool is when you make request to access the server, burp suite intercepts that request which is going from your machine to the server/website and you can change the request according to your need. Also it revels the type of the request whether it is GET or POST request or another. Burp has also an ability to show you the list of parameters which are used by website in order to pass your request to from you to server. You can manipulate the request in the way you want in order to check the security of that particular web application. To intercept request your burp proxy listener must be configured on 127.0.0.1 local host and port 8080. Then you also set this proxy configuration in your web browser. After doing so, go to burp suite => proxy tab => Intercept is on (Make sure this button is pressed/should be on). I will not go deep into the all tabs and what are their functionality. You can see burp manual or documentation for that.


Working flow of Web


Before we go ahead, it’s good to understand how web works in backend which you cannot see on your web browser. When you visit any website your browser asks for any file from the webserver which can be html,php,js(javascript),css, aspx etc.. Using burp suite we can observe that request as shown below. To see the request I configured burp and my browser as mentioned above and then I am visiting HTML5 storage page shown in below picture.
  

As soon as I click on the link, burp will intercept this below request which you are making. You can see here it is requesting an index.php page from the server. Not only this burp will also show you the parameter which is required for passing to load whole page. Here that parameter is page and the value of that parameter is html5-storage.php.


GET /chintan/index.php?page=html5-storage.php HTTP/1.1
Host: local host
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://local host/chintan/
Cookie: showhints=0; username=chintan; uid=19; PHPSESSID=j53u16lcdkjq0eec6nfijphkd4
Connection: keep-alive

As I need to access this page so I will forward this request and in below section if you see response tab then I will get below response 200 OK.

HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 23:30:08 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Logged-In-User: chintan
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 46178

200 OK shows that my request has been successfully processed and I am given back the response. Then if I will see my web browser My full web page would have been loaded there.

Remember: HTML file is dynamically created each time when you make request. PHP file in the backend will see at your request and will create a html file to send you on your browser in order to render the page. Whatever you see on your web browser is not a web page. That is your browser’s interpretation that how your web page should look like graphically. 

Always make a good practice to see the webpage from source code and get yourself familiar with that but now with the one that you see graphically on your web browser. Get yourself familiar with javascript, xml and all html tags if possible.”

Where to start?
This is the common problem of all beginners that from where to start actual testing what to do first. As we all know the ethical hacking life cycle. First phase is information gathering or reconnaissance. In our case I will get information about the website and server as much as I can without actually going and surfing each webpage. If you have noticed then from above request and response we have already came to know about something in it. That information is as follows.
No.
Information
1.
Server – Apache
2.
Apache Version – 2.4.3
3.
Server Side Coding – PHP
4.
PHP version – 5.4.7
6.
HTTPs Protocol – SSL Used
7.
SSL Version – 1.0.1c

There are plenty of ways for information gathering. However people mostly follow Google, recon-ng framework and other application security testing tools which have crawling option. I will list all the pages and folder of my target using spider option in burp suite. To do that add go to history and check the 1st page you visited. Right click on that and select the option add to scope.


Now if you go to target tab you will see your scope of testing website which is local host in my case as shown below. 




“It will also list the all other websites which are being visited without you knowing. Let us consider any live website there will be like, share button or some kind of advertisement so it will also get listed here. To remove items which is not in our scope,click on the filter bar and set your all option shown as below figure then click anywhere on blank page and changes will be applied.”
  


After that as I mentioned I need to spider this host so I will right click on local host and selection spider this hostoption. If your target application is having form submission then you will get a popup to fill and submit the form values.




After clicking on that spidering of your target host will be started. If you go to the spider tab you will see something like below picture.
  

“Note that if request queue becomes and remains 0 for more than enough time, it means spidering of that web application is finished. “


Then you can go ahead and check again target option you will see the list of all pages which is having by that web application. Some new pages might have added.
  
Proxy Setting
There is no any particular settings or configuration. I personally set these configurations as showing in figure. 




The reason I am using these settings because (1) our target host might link to ton of other websites via share buttons, advertisements etc.. So I want to intercept all the communication between myself and my target host only not another website. That is why I tick that checkbox which shows only intercept the request which is in target scope. (2) Not only request I also want to intercept each response which is processed by server against my all response so that I can come to know if my request is processed properly or have I been redirected to somewhere etc.. So I tick that option and make it on which shows intercept all the responses.
Posted by at 1 comment:
Subscribe to: Comments (Atom)