Entry books (2)-Web Application Security (www.team509.com)

Source: Internet
Author: User

Wooshi@gmail.com

 

As we all know, it has become increasingly difficult this year to launch a successful network attack, especially when we perform penetration tests as part of a customer's security service. Customers willing to pay for a security service usually have plenty of money behind them, and it shows: firewalls, IDS, IPS, none of it sitting idle. We have seen two firewalls stacked in front of a single web server. In that situation many attack methods are simply unavailable, above all buffer overflows, and the administrators' own security level has risen greatly as well; the days of making easy money by running a few scanners are gone for good. So which area of security is now the most useful to look at, and the most likely to have problems? The answer is web application security. Most of these programs are developed by the customer themselves, and the customer's own programmers are of a very different calibre from those at major vendors of web servers and web application servers; in addition, customers often skip security testing during development, which leaves serious security problems behind. We once evaluated the security of several e-commerce websites. In theory, customers handling online transactions should do well on security. Unfortunately, they did not: without exception, every one of these sites had serious web application security problems through which it could be completely compromised.

So what are the main aspects of web application security? Generally, the problems fall into the following categories:

(1) SQL injection, currently the most important part of web application security. SQL injection divides into blind injection and injection based on returned error messages; both are described in detail in [1], [2] and [3], so I will not go into them here. It should be emphasized that injection based on returned errors is often far more effective than blind injection, so use it wherever possible. Blind injection does have one advantage: an automated attack tool, Absinthe, which currently supports three databases (MSSQL, Oracle and PostgreSQL) and can enumerate table names and column names and download records. Some commonly used databases are not supported: MS Access and MySQL because their functionality is too limited to do much with, while I cannot work out why DB2 and Informix have not been added; my guess is that these two databases are simply not widely used. For SQL injection against MS Access and MySQL, see [4] and [5]. Finally, numeric-type SQL injection is more widely applicable than character-type injection, because the character type requires the special character ', which many websites now filter out by various means (IIS Lockdown, Apache mod_security, and so on).
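The last point above is worth seeing in code: a filter that strips the quote character protects string-type parameters only, while a numeric parameter pasted into the query can be extended without any quote at all. The example below is added here and is not from the original article; the in-memory catalogue table and its rows are constructed for the demonstration. It shows the quote-filtered vulnerable lookup beside the hardened version that validates the type and binds the value as a parameter.

```python
import sqlite3

def make_db():
    """Constructed in-memory catalogue (an assumption for this example, not the page's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "public widget", 1), (2, "internal price list", 0)])
    return conn

def strip_quotes(value):
    """The single-quote filter the text describes; it only helps against string-type injection."""
    return value.replace("'", "")

def lookup_vulnerable(conn, product_id):
    """Numeric parameter pasted into the SQL text after quote filtering.

    Because the parameter is compared as a number, no quote is needed to
    extend the WHERE clause, so the filter above is no protection at all:
    'WHERE public = 1 AND id = 2 OR 1=1' returns every row, public or not.
    """
    sql = ("SELECT name FROM products WHERE public = 1 AND id = "
           + strip_quotes(product_id) + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, product_id):
    """Hardened version: reject anything that is not an integer, then bind it.

    The bound value can never change the query's structure, and the type
    check gives a clean application error instead of a database error
    message that would leak version details (see point 4 below).
    """
    if not product_id.isdigit():
        raise ValueError("product id must be a non-negative integer")
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]
```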

(2) Trusting the client. Excessive trust in the client leads to disastrous consequences, and many e-commerce websites in China currently have exactly this problem. They write a great deal of JavaScript and run it locally, but a malicious attacker can easily step around a check placed like that: all it takes is a proxy, and WebProxy is a good tool for the job. The usual mistake is assuming that a value read back from the client is the same value the server sent out; with a proxy in between, that data can be altered in transit, which is how someone ends up paying very little for expensive goods.

(3) Directory indexing, usually found on UNIX hosts where the readable permission has not been removed from a directory. Whether this is a big or a small problem depends: in itself it only lets users see all the files in the directory, but many of those files were never meant to be seen, such as source code backup files and archive files.

(4) Information leakage, meaning the leakage of debug information, i.e. the error output the system produces when something goes wrong. Attackers can use it to learn version information and which modules the application server uses.

(5) Retrieving non-web files. The main targets are archive files (rar, tar.gz, tgz, etc.), backup files (.bak, ~, etc.) and include files (.inc, .asa, etc.). These files often contain important content and are highly valuable; I have seen more than once that user names and passwords were written in them. Most importantly, through these files you can often read the source code, which lays the ground for further attacks.

(6) CSS (cross-site scripting) attacks. Malicious data inserted into the HTML of a remote web page is trusted by the user, but when the browser downloads the page the embedded script is interpreted and executed, and it can be used to steal cookies. See [6] for details.

(7) Reverse proxies. Web proxy servers are often bidirectional, that is, they allow internal access to the outside and external access to the inside. A bidirectional proxy can have serious consequences, up to the loss of important internal documents: set it as your browser's proxy and try to reach the internal addresses you know about. Of course, there are also small tools that automate this job.

(8) Execution of illegal commands. When the system calls external programs to implement some function, we get our chance. If you find that the target website is written in shell script or Perl, the probability of this problem is relatively high. Likewise, if you find that the target website uses LDAP for some functions, try entering wildcards such as "*" in the appropriate places; the result may surprise you.

(9) User authentication and password-retrieval problems. Many websites add a small verification image to prevent brute-force cracking, but doublelee has shown that this method is not reliable; see [7] for details. Password retrieval is often laughably weak: I have seen countless times that the answer is the same as the question, and others that fall to trivial brute force, such as a birthday or a colour.

(10) Problems arising from the features of the website's development language, for example the Perl %00 issue, buffer overflows in C/C++, and the quirks of ASP, JSP and so on.
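Point (8) above mentions LDAP wildcards; the reason a bare "*" is dangerous is that an application which concatenates a username into a search filter lets the metacharacter change the filter's meaning. The following example is added here and is not from the original article: it escapes filter values as RFC 4515 requires, contrasts the raw and escaped filter builders, and adds a small check a defender can run over logged filters. The directory schema (objectClass=person, uid) is an assumption.

```python
# RFC 4515 section 3: these characters must be written as backslash + two hex digits
# when they appear inside an assertion value, otherwise they keep their filter meaning.
_LDAP_FILTER_ESCAPES = {
    "*": r"\2a",    # wildcard: turns (uid=bob) into a match-anything filter
    "(": r"\28",    # opening a new filter component
    ")": r"\29",    # closing the current component early
    "\\": r"\5c",   # the escape character itself
    "\x00": r"\00", # NUL, which some directory clients truncate on
}

def escape_ldap_filter_value(value):
    """Replace each filter metacharacter with its RFC 4515 backslash-hex form."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter_unsafe(username):
    """Raw concatenation, as in the applications the text describes:
    a username of '*' matches every person in the directory."""
    return "(&(objectClass=person)(uid=%s))" % username

def build_user_filter(username):
    """Hardened: the escaped value can only ever be compared literally."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)

def filter_looks_tampered(ldap_filter):
    """Detection helper for logged filters built from a single literal uid:
    a correctly escaped filter never contains a raw '*' (it would be \\2a)
    and its parentheses always balance, so either sign points at injection."""
    depth = 0
    for ch in ldap_filter:
        if ch == "*":
            return True
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return True
    return depth != 0
```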

After all this, what a beginner needs is a good tool that automatically tests for the problems mentioned above. Currently two commercial web application scanners on the market stand out: AppScan and WebInspect. AppScan's advantage is that it scans very fast and lets you combine manual and automatic work, that is, you log on to the website by hand and then switch to automatic mode to analyze the pages and content behind the login. WebInspect is more authoritative and covers far more, but it is slow. A third is AppDetective, which is fast. The three commercial products above can basically achieve automated testing. There is of course a lot of free software as well, such as nikto and wikto, but in my experience the commercial products give the more useful results.

Well, that is all for now.

References:

[1] http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[2] http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
[3] http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
[4] http://seclists.org/lists/pen-test/2003/May/0074.html
[5] http://www.nextgenss.com/papers/HackproofingMySQL.pdf
[6] http://www-128.ibm.com/developerworks/cn/security/s-csscript/index.html
[7] http://63.223.72.218/modules.php?name=News&file=article&sid=9
