This essay has been submitted by a student.
With faster response times, richer functionality, availability from anywhere in the world and cost-effective implementation, business and government applications have moved from desktop applications to web applications. For instance, a web application links the branches of an organization in different locations to a centralized database, which in most cases sits on the organization's core systems. If the application has a vulnerability, an attacker can reach whatever data they want from anywhere over the public internet. Beyond getting access to the databases, they can bypass the network defences and manipulate the organization's whole network.
There are several web application frameworks for developing web applications in a short period of time, but making the web application secure is the most challenging task for the developer. Even after a secure web application is developed, hosting it on the public internet may introduce vulnerabilities through the third-party components it uses or through improper network configuration.
A web application is based on a client-server architecture, where the client is a system that accesses the server through a web browser. As the client can be any system on the internet, it is not a trusted source. This is the main problem with web applications: they have to accept and process data from untrusted sources. Several other reasons combine to aggravate insecure web applications. The following are the reasons that may give rise to web security threats.
Immature Security Awareness: A web application may use third-party applications other than the database system, such as voice over internet protocol (VoIP), which requires additional ports to be opened. Because of this and a lack of awareness of the nature of web applications, implementing security defences for them is different from implementing other network defences.
In-House Development: For cost reasons, many organizations have web applications developed in-house by their own staff with some development knowledge, or by contractors. They combine templates and customize them with new code, which may give rise to vulnerabilities.
Deceptive Simplicity: Several web application development platforms and powerful tools are freely available. Using these, even a beginner developer can build a web application with the desired functions from scratch in a short time. Developing such a web application is not a big concern; the main concern is making it secure. Web applications created by individuals who lack in-depth knowledge and experience in identifying security threats are likely to be vulnerable.
Time Constraints and Budget: Most small organizations need a web application developed on a low budget and within a short time. Because of the competitive market, the developer balances these factors by neglecting low-profile vulnerabilities in order to deliver a fully functional web application. These vulnerabilities may become security threats, as anyone can reach the back-end system behind the several layers of network defence.
Testing a web application is quite different from network testing. To make a web application secure, both the network architecture and the web application code should be secure. The security issues with the network architecture are proper installation of the web server and database connectivity with strong authentication. The major security issue with the web application itself is improper coding. Most attacks need no extra tools: for instance, a person with basic knowledge of SQL can easily play with a web site using only a web browser and attack the web application's database. Hence testing the web application code is vital.
As already mentioned, for a web application, no client that connects to the web server can be considered trusted. Therefore the developer develops the web application taking this fact into account. The following are the core elements to be considered in developing a web application:
Handle unauthorized access: Users are given different levels of access to the application's functionality and data, and hence unauthorized access should be handled. Moreover, login bypass should be handled with particular care. The other important thing for handling unauthorized access is proper session management.
Handle user input: The functions of the web application are predetermined. To prevent malformed input from causing unwanted behaviour, user input should be handled carefully.
Handle attackers: An attacker may directly target the web application by observing the errors generated by unanticipated input values, or by repeatedly submitting values with automated tools to gain access. To ensure proper behaviour of the application, appropriate defensive measures are needed, such as alerting the administrator, proper handling of error messages and maintaining audit logs. Offensive countermeasures include responding slowly to the attacker or terminating the session.
Administrative Management: In a web application the management is done via the web interface, as the administrative functions are within the application. Proper measures should be taken for this: renaming the administrative account if possible, strong authentication, and deleting (or moving to a different location) any unwanted files with default settings, which contain a lot of information about the web application.
The general security issues mentioned above are divided into 9 categories, which are further divided into 66 controls in the OWASP web penetration testing methodology. The job of the web application penetration tester is to thoroughly test the above security issues.
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. There are several such methodologies, which consider different factors while evaluating the web application. Some popular methodologies are highlighted below:
For the purpose of the given task, the general methodology was adapted with the OWASP Top Ten vulnerability assessment. The phases adapted for web application penetration testing are shown in the figure:
Reconnaissance - In this phase all the services used by the domain are scanned. The actions performed are a port scan and fingerprinting of the operating system, web server and database server. The tools used are Zenmap and Nikto.
Mapping - In this phase the different web pages of the web application are explored to discover all functions and input fields. To achieve better mapping, all the pages are explored manually, entering data in the input fields where appropriate. Where possible, exploring the pages after logging into the web application enhances the finding of vulnerabilities. Further exploration is done by spidering the web application: the spider visits web pages by following the URL links found in each page it is given. The tools used in this phase are Zed Attack Proxy and Burp Suite.
Discovery - From the mapping done above, an automated vulnerability scan is done to find threats in the web application layer. There may be many possible vulnerabilities, and due to time constraints only the OWASP Top Ten security vulnerabilities are taken into account. The OWASP manual provides good background on these. The tools used for this phase are ZAP and w3af.
The top ten vulnerabilities that were checked are:
Broken authentication: This category of vulnerability encompasses various defects within the application's login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login altogether.
Broken access controls: This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users' sensitive data held on the server, or to carry out privileged actions.
SQL injection: This vulnerability enables an attacker to submit crafted input to interfere with the application's interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
Cross-site scripting: This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
Information leakage: This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behaviour.
Exploitation - From the results obtained in discovery, manual attacks are done. Using automated tools alone will not provide a perfect attack, as web application code varies from developer to developer. For instance, a login form can use different SQL queries on the server side, and the passing of data from client to server side may be scripted differently. For such reasons, different vulnerabilities may be found for the same method. The best way to attack is to analyse how the page behaves when input is provided; the analysis is done by providing unexpected input at the data entry points. The tools for this phase are BeEF and AJAXShell.
The Foundstone Hacme Books web application is used for the testing. The installation guide can be found in the zip file of the web application setup. A few changes have to be made to Hacme Books so that it can be accessed from other systems on the network.
Configuration of Hacme Books
All occurrences of the IP address 127.0.0.1 in the file "server.xml" in the directory "C:\Program Files\Foundstone Free Tools\Hacme Books 2.0\tomcat\conf" are replaced by 192.168.0.142, the IP address of the system hosting the web application.
The web addresses of the three web applications in the virtual machines are as follows:
Hacme Books: http://192.168.0.142:8989/HacmeBooks/
The web penetration test performed here is modified to meet the time constraints.
The first step in this phase is to find the open ports on the given domain, given as the IP address 192.168.0.142. Zenmap is used for this. A screenshot of the saved XML output is shown in the figure.
As the HTTP link from the setup of the web application is known, port 8989 is the target. The detailed port scanning report is in the appendix.
To gather further information on this port, Nikto is used. Nikto is a well-known web scanning tool; with proper use of its command-line options a lot of information can be gathered on a given port. The command used is "./nikto.pl -host 192.168.0.142 -port 8989". The screenshot of the information found is shown in the figure.
From both Zenmap and Nikto, the web server was identified as "Apache-Coyote/1.1". Nikto further reports that the allowed methods are GET, HEAD, POST, PUT, DELETE, TRACE and OPTIONS, of which PUT, DELETE and TRACE are flagged as vulnerabilities. It also shows that Tomcat is installed, which serves the GET method, and that the server type is MywebServer 1.0.2, which is vulnerable to HTML injection.
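The Nikto finding above comes from the Allow header that the server returns to an OPTIONS request. The following added example (not part of the original report, and not Nikto's code) parses such a response and reports which of the advertised methods a read-only web application should not expose, so a defender can re-check the server after hardening it. The two response texts are constructed for the example, modelled on what the report says was found; they are not captures from the real server.

```python
# Constructed sample OPTIONS responses (not captured from the real host).
# The first mirrors the methods the report says Nikto observed; the second
# is what a hardened server would be expected to advertise.
BEFORE_HARDENING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
AFTER_HARDENING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Methods a plain (non-WebDAV) application has no reason to advertise:
# PUT/DELETE modify server content, TRACE echoes the request back.
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}


def parse_allow_header(raw_response):
    """Return the set of methods listed in the Allow header (empty if absent)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def risky_methods_advertised(raw_response):
    """Sorted list of advertised methods that should be disabled."""
    return sorted(parse_allow_header(raw_response) & RISKY_METHODS)


if __name__ == "__main__":
    print("before:", risky_methods_advertised(BEFORE_HARDENING))
    print("after: ", risky_methods_advertised(AFTER_HARDENING))
```

An Allow header only shows what the server advertises; whether PUT or DELETE actually succeed on Tomcat depends on the DefaultServlet's readonly setting, and TRACE is governed by the Connector's allowTrace attribute, so confirm the configuration as well as the header.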
The first step of this phase is to integrate a proxy with the web browser. The proxy used is Zed Attack Proxy (ZAP). To set up the proxy, go to Tools->Options, select "Local Proxy" and set the address to 127.0.0.1 or localhost. The port is set to 8080, which is also the default setting of ZAP. The figure shows the settings made in ZAP.
To integrate the Firefox browser with the ZAP proxy, under Edit->Preferences there is Advanced. In the Network tab there is Settings, as highlighted in the Firefox Preferences window shown in the figure. Clicking on Settings, another window appears, FoxyProxy Standard (shown in the figure); in the Mode drop-down there is a selection of pre-configured proxies. The ZAP proxy is selected.
After all these settings, the entire web application was explored using Firefox: registering a new user, logging into the web site, searching for books, adding to the cart, "forgot your password" and so on. All of these activities passed through the proxy and were recorded. The figure shows a screenshot of this.
In the Sites window, every site visited is recorded along with the method it invoked. In the Request tab, the details of the request made when a page is visited are shown, such as the cookie, content type and so on. Below this, all the user inputs are recorded as they are sent to the server. The figure shows the Response tab for the visited URL http://192.168.0.142:8989/HacmeBooks/autorize; the password is sent in encrypted format.
A thorough analysis of the web application was done. Checking the functionality,
it may be seen that the password is in encrypted format.
In the discovery phase, the vulnerabilities in the web application are searched for. ZAP is a great tool for this: it searches for vulnerabilities in the sites that have been visited. A screenshot of the scan result is shown in the figure.
The complete scan result is in the appendix.
The vulnerabilities were also checked using the w3af tool. The result obtained
The exploits were done on the basis of the vulnerabilities shown by the ZAP proxy. The following are the exploits made. Some more information was also discovered about the database, such as the names of the tables, the columns of particular tables, and the SQL queries used on the server side.
Cross Site Scripting
Improper Use of Crypto
Based on Phase 3, the attack is tried at all the user input points.
Search Book: From the vulnerability assessment it is found that SQL injection is possible through the search box. The basic SQL query behind the search is
SELECT title, price FROM products WHERE bookname LIKE '%hacking%';
An attacker can change the way it functions, like
SELECT title, price FROM products WHERE bookname LIKE '%hacking' UNION SELECT * FROM users;--%'
or maybe like this
SELECT title, price FROM products WHERE bookname LIKE '%hacking';+UNION SELECT * FROM users;--%
All the characters after -- are taken as a comment in the SQL query.
While trying this code an error was generated, which was pretty interesting. A screenshot of this is shown in the figure.
Trying functions like SELECT, CREATE or INSERT did not work in the search box.
The command for shutting down the SQL server is SHUTDOWN. Different combinations based on SQL query logic were tried. With a few hit-and-try attempts, the following was tried:
') SHUTDOWN; -
A successful attack was made by ' ;+SHUTDOWN;--
Now when a book search is made, an error message appears as shown in the figure.
Login: The basic SQL query of the login is
SELECT username, password FROM users WHERE username='UserID' AND password='PassWord';
Now, as the username is unique, only one result is possible if such a user exists. If the query obtains a result, the database replies to the web server with the information and the user is allowed to log in. Due to secure coding of the login on the client side, no SQL injection was possible.
Password Hint: This allows users to get a hint about their password. Here the username is entered and on submission the password hint is returned. The possible SQL query may be like
SELECT passwordHint FROM user WHERE username='userID';
String-based SQL injection is not possible, as everything passed is taken as a whole string, and no error is produced when SQL special characters are entered. But when a numeric-based SQL injection is made as given below, it shows the password hints.
' or 1=1--
' or 1=1 ORDER BY password--
The screenshot of the result obtained with ' or 1=1 ORDER BY password-- is shown in the figure.
This attack was tried purely by hit and trial. After several guesses the attack was successful. This could be a threat if a person keeps the password or username as the password hint.
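Both the search box and the password hint findings above come down to the same coding defect: the user's text is pasted into the SQL string, so the quote and the -- comment marker change the query's structure. The following added example (written for this report, not Hacme Books' own code) builds the queries the report describes in both the vulnerable and the parameterized form against a constructed SQLite database, so the difference in what each returns can be seen directly. The table and column names (products, users, passwordHint) follow the report's queries; the rows are made up. The UNION payload is the report's, minus the stacked-query semicolon, because Python's sqlite3 executes one statement per call.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the products/users tables; the real
    # Hacme Books schema and data are not used here.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (title TEXT, price REAL);
        CREATE TABLE users (username TEXT, password TEXT, passwordHint TEXT);
        INSERT INTO products VALUES ('Web Application Hacking', 29.99),
                                    ('Secure Coding', 19.50);
        INSERT INTO users VALUES ('alice', 's3cret', 'first pet'),
                                 ('bob', 'hunter2', 'hunter2');
    """)
    return conn


def vulnerable_search(term):
    """Search built by string concatenation: the input becomes part of the SQL."""
    sql = f"SELECT title, price FROM products WHERE title LIKE '%{term}%'"
    return make_db().execute(sql).fetchall()


def safe_search(term):
    """Same search with a bound parameter: the input can only be a LIKE pattern."""
    sql = "SELECT title, price FROM products WHERE title LIKE ?"
    return make_db().execute(sql, (f"%{term}%",)).fetchall()


def vulnerable_hint(username):
    """Password hint lookup with the username spliced into the WHERE clause."""
    sql = f"SELECT passwordHint FROM users WHERE username='{username}'"
    return [row[0] for row in make_db().execute(sql).fetchall()]


def safe_hint(username):
    """Same lookup with a bound parameter: ' or 1=1-- is just a non-existent name."""
    sql = "SELECT passwordHint FROM users WHERE username=?"
    return [row[0] for row in make_db().execute(sql, (username,)).fetchall()]


# The report's payloads (UNION form without the ';' so sqlite3 accepts it)
UNION_PAYLOAD = "hacking' UNION SELECT username, password FROM users--"
HINT_PAYLOAD = "' or 1=1--"

if __name__ == "__main__":
    print("vulnerable search:", vulnerable_search(UNION_PAYLOAD))
    print("safe search:      ", safe_search(UNION_PAYLOAD))
    print("vulnerable hint:  ", vulnerable_hint(HINT_PAYLOAD))
    print("safe hint:        ", safe_hint(HINT_PAYLOAD))
```

With the concatenated query the UNION payload returns the user rows alongside the matching book, and the hint payload returns every hint in the table; with bound parameters both payloads are treated as literal text and match nothing. The fix in a Java/Tomcat application such as Hacme Books is the same idea, a PreparedStatement with placeholders instead of string building.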
Signup form: The signup form is provided to register new users on the web application. Here, when all the data in the fields are entered and the signup button is clicked, client-side validation checks whether proper values have been entered, e.g. an email must contain @. The values entered in the input fields are shown in the figure. In the Username field the value sandeep' is entered to check for SQL injection.
For this entry an error is shown which reveals the name of the table users along with all of its data fields, that is, the columns of the table, and even the SQL query used. This is a serious disclosure of the database structure. The error message is shown in the figure.
It is also seen that the password is passed in encrypted format. Some other SQL injections were made but no success was obtained except for disclosure of relevant information about the database.
Feedback Form: For this a user named 1007081-san is created and the login is done using it. After a successful login, some featured book names are shown. Clicking on the detailed information of a book, a feedback form appears. From the vulnerability scan it was found that this has SQL injection.
The SQL query for such input is like
UPDATE product SET feedback='newsecret' WHERE book_id_pk= '742';
SQL injection can be used to create, insert into and delete tables, or even the database. In this case a new table named users_backup was created, with the same fields as found in the figure.
The SQL injection is done by sending the text shown in the figure.
As no message is given that the table was created, it has to be verified manually. To verify whether the table was created, the same feedback as in the figure is entered again. This time an error message appears indicating that the table already exists. The error message generated is shown in the figure. This also indicates that the table was created by the previous feedback submission.
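The signup and feedback findings above both depend on the application echoing the raw database error to the browser: that is how the table name, its columns, the query and the "table already exists" confirmation reached the tester. The following added example (not Hacme Books' code) shows a signup handler written both ways against a constructed SQLite table: one returns the database exception text to the client, the other records it in a server-side log and returns a generic message. The schema, the user names and the log list are made up for the example.

```python
import sqlite3

# Stand-in for the server-side application log (constructed for the example)
SERVER_LOG = []


def make_db():
    # Constructed users table; the UNIQUE key makes a duplicate signup fail,
    # which is enough to produce a database error message to compare.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


def signup_leaky(conn, username, password):
    """Echoes the database exception to the client, as the report observed."""
    try:
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password))
        return "ok"
    except sqlite3.Error as exc:
        # The raw message names the table and column involved
        return f"Error: {exc}"


def signup_safe(conn, username, password):
    """Logs the detail server-side and gives the client a generic message."""
    try:
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password))
        return "ok"
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"signup failed for {username!r}: {exc}")
        return "Registration failed. Please try a different username."


def run_duplicate_signup(handler):
    """Register a user twice with the given handler and return the second response."""
    conn = make_db()
    handler(conn, "sandeep", "pw1")
    return handler(conn, "sandeep", "pw2")


if __name__ == "__main__":
    print("leaky:", run_duplicate_signup(signup_leaky))
    print("safe: ", run_duplicate_signup(signup_safe))
    print("log:  ", SERVER_LOG)
```

The leaky handler's response contains "users.username", which is exactly the kind of schema detail the report recovered; the safe handler keeps that detail in SERVER_LOG where the administrator can see it and the client cannot. The same split applies to the feedback form: a generic failure message would not have confirmed whether the users_backup table existed.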
Broken Access Control
To perform the broken access control test, at least two accounts are needed. One of these user accounts must have ordered books and the other must have no orders. The steps performed are as follows:
Log in as the user with no orders.
Click on the "My Order" menu. It displays the message "You do not have any past order" on the redirected page "mainMenu.html", as shown in the figure.
The next step is to view the orders of other users. For this, a user account that has ordered some books must be known. A user named "1007081-san" was created with some books ordered. To access this account's "My Order" page, a URL is entered as
The screenshot of the result obtained in the web browser is shown in the figure.
This is a serious vulnerability, as it discloses the person's credit card number. This page only displays the information, but if the attacker gets access to pages where data can be changed, it causes a serious threat.
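The "My Order" finding is a missing ownership check: the page looks up orders by a user name taken from the URL instead of by the user the session belongs to. The following added example (not Hacme Books' code) models the handler both ways with a constructed order store and session, returning an HTTP-style status and body so the difference is visible. The user names, order rows and the session object are made up for the example; the user "1007081-san" is the one named in the report.

```python
# Constructed order data keyed by account name (not real Hacme Books data).
# Only the last four card digits are stored: even an authorised page has no
# reason to display the full number the report saw.
ORDERS = {
    "1007081-san": [{"order_id": 1, "book": "Web Application Hacking", "card_last4": "4242"}],
    "noorders": [],
}


def my_orders_vulnerable(session_user, requested_user):
    """Trusts the account name from the URL: any logged-in user can read any orders."""
    if session_user is None:
        return 401, "login required"
    return 200, ORDERS.get(requested_user, [])


def my_orders_safe(session_user, requested_user=None):
    """Scopes the lookup to the authenticated session; a URL naming another
    account is refused rather than silently redirected to one's own data."""
    if session_user is None:
        return 401, "login required"
    if requested_user is not None and requested_user != session_user:
        return 403, "forbidden"
    return 200, ORDERS.get(session_user, [])


if __name__ == "__main__":
    # The report's scenario: logged in as the account with no orders,
    # asking for the other account's "My Order" page
    print(my_orders_vulnerable("noorders", "1007081-san"))
    print(my_orders_safe("noorders", "1007081-san"))
    print(my_orders_safe("1007081-san", "1007081-san"))
```

In a real application the session_user value comes from the server-side session established at login, never from a request parameter, and the 403 responses are worth logging: a burst of them from one session is a useful detection signal for exactly the kind of enumeration the report performed.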
Cross Site Scripting