Web penetration testing strategy [2]


HTTP Headers
An HTTP request carries many headers. You control all of them, but if you set a header to a malformed value the request will most likely be rejected, or the server will simply ignore your change. Most applications only use a few common headers:
· Referer
Meaning: tells the server which page the client came from.
· Cookie
Meaning: carries the cookies the client sends back to the server.
· User-Agent
Meaning: identifies the browser the client is using.
· X-Forwarded-For
Meaning: used to obtain the client's IP address (this is not a reliable way to get the IP address, because the header can be forged).
Other headers are handled by the web server itself. Security issues can arise when the server processes them, but finding bugs in the web server is much harder than finding them in the web application.
A very important header is Host. Web servers use it to decide which website you want to reach. When several websites are hosted on one server (virtual hosting), they all share the same external IP address; the server reads the Host value to pick the site and returns that site's content. If you change Host to an IP address or to a name the server does not know, you may get the content of a different website back.
When you send a request, the server returns an HTTP response, for example:

  HTTP/1.1 200 OK
  Date: Sun, 03 Mar 2013 10:56:20 GMT
  Server: Apache/2.2.16 (Debian)
  X-Powered-By: PHP/5.3.3-7+squeeze14
  Content-Length: 6988
  Content-Type: text/html

  <!DOCTYPE html>

The status code in the response is very important. It appears in the first line of the response, and the client decides how to handle the response based on it.
The following status codes are common:
200 OK: the server processed the request successfully.
302 Found: redirection.
401 Unauthorized: access restricted.
404 Not Found: the requested resource does not exist.
500 Internal Server Error: an error occurred while the server was processing the request.
Some status codes are uncommon, such as 418: I'm a teapot.
The status line is followed by the HTTP headers. The headers the server returns affect how the browser displays the page. In the response above, the headers carry the following information:
· Date
Meaning: the date of the response.
· Server
Meaning: discloses information about the server software. Here it is an Apache server, version 2.2.16.
· X-Powered-By
Meaning: discloses further information, here the PHP version.
· Content-Length
Meaning: the size of the response body.
· Content-Type
Meaning: tells the browser what kind of content is returned. If the value is text/html, the browser renders the response; if it is text/plain, the browser shows it without rendering.
· Body
Meaning: the returned content, which may be an HTML page, an image, and so on. When the browser receives an HTML page it parses it and automatically fetches the other files it references, such as:
JavaScript files
CSS files
Images
...
HTTPS
HTTPS is simply HTTP over SSL. The SSL protocol gives the client two guarantees:
· it is talking to the correct server (authentication)
· the connection is confidential (encryption)
SSL has many versions, some of which are considered weak (SSLv1 and SSLv2).
SSL can also be used to authenticate the client: the client holds a certificate, and only clients with a valid certificate can talk to the server. This is common in systems with high security requirements, but storing and distributing the certificates is a headache.
Intercepting HTTP Requests
There are three ways to observe HTTP requests:
· sniff the network directly with Wireshark or tcpdump
· look at the data in the browser; most browsers have plug-ins that show the packets sent and received
· put a proxy between the browser and the server
Each method has advantages and drawbacks. Which one to use depends on whether the connection uses SSL and whether you want to modify the requests.
Generating HTTP Requests
There are several ways to generate requests:
· because HTTP is a text-based protocol, you can type requests by hand with telnet or netcat
· you can write a program that sends the HTTP data yourself; reading and writing network data with a socket is easy
· every language has an HTTP library that constructs requests and reads responses for you
· the simplest option is, of course, a browser
The browser is the most convenient, but the other methods are better for understanding the details of an HTTP request.
Sending a request with telnet (the request ends with an empty line; until the server sees it, it keeps waiting):

  $ telnet vulnerable 80
  GET / HTTP/1.1
  Host: vulnerable

You can also use netcat:

  $ printf 'GET / HTTP/1.1\r\nHost: vulnerable\r\n\r\n' | nc vulnerable 80
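The two passages above (the sample response with its Server and X-Powered-By headers, and hand-built requests over a socket) are illustrated by the following added example; it is not code from the original article. It assembles a raw HTTP/1.1 request with the CRLF line endings and terminating empty line that telnet users tend to forget, and parses a raw response into status code, headers and body so the version-disclosing headers can be spotted. The sample response bytes are constructed from the response shown earlier on this page (Content-Length shortened to fit the inline body), and the host name "vulnerable" is taken from the page's own telnet example.

```python
import socket

# Constructed sample: the response shown earlier on this page, as the bytes a
# server would actually send (CRLF line endings, empty line before the body).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 03 Mar 2013 10:56:20 GMT\r\n"
    b"Server: Apache/2.2.16 (Debian)\r\n"
    b"X-Powered-By: PHP/5.3.3-7+squeeze14\r\n"
    b"Content-Length: 15\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<!DOCTYPE html>"
)

# Headers whose mere presence leaks software versions to anyone who asks.
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def build_request(method, path, host, headers=None, body=b""):
    """Assemble a raw HTTP/1.1 request: every line ends in CRLF, the Host
    header is mandatory in HTTP/1.1, and an empty line separates the
    headers from the (optional) body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    lines.append("Connection: close")  # ask the server to close after one response
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_response(raw):
    """Split a raw response into (status_code, headers, body).
    Header names are lower-cased because HTTP compares them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)      # "HTTP/1.1 200 OK"; the reason phrase may be absent
    code = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body


def disclosed_versions(headers):
    """Return the banner headers a server exposed; hardened servers suppress them."""
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}


def send_request(host, port, request):
    """Send a raw request over a plain TCP socket and return the whole response."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print(build_request("GET", "/", "vulnerable").decode())
    code, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(code, disclosed_versions(hdrs), body)
```

To run it against a live host, pass the output of build_request to send_request and the result to parse_response; changing the host argument of build_request is exactly the Host-header experiment described above.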


Data Encoding
Code vs Data
Most security problems arise when an attacker can submit data that the application then executes as code, for example XSS and SQL injection.
URL Encoding
Some characters have a special meaning in HTTP. In a URL, for example, ?, & and = each carry their own meaning, yet most attacks need exactly these characters. To make sure they are read as values and not as request separators, they must be encoded. The simplest encoding is % followed by the hexadecimal ASCII value of the character, so you need the ASCII table to look those values up. The table below lists the characters and their URL-encoded values:

  Character   URL-encoded value
  \r          %0d
  \n          %0a
  (space)     %20 or +
  ?           %3f
  &           %26
  =           %3d
  ;           %3b
  #           %23
  %           %25

For the complete ASCII table, run man ascii on most Linux systems, or search the web.
Double Encoding
Sometimes the system under test decodes twice: the server decodes once and the application decodes again. In that case the characters you want to send must be encoded twice.
For example, to double-encode the equals sign =, the first pass gives %3d and the second pass gives %253d. When the server receives %253d it decodes it to %3d, and the application then decodes %3d to =. Double encoding can also be used to bypass filters.
HTML Encoding
As with URL encoding, some characters have a special meaning in an HTML context (for instance <, >, & and "), so to use them as plain values they must be encoded too.
Any character can be encoded as a numeric character reference, in decimal or hexadecimal form.
For example, = can be encoded as &#61; or as &#x3d; (note the trailing semicolon).
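The encodings described in this section (URL encoding, double encoding and HTML numeric references) are worked through in the following added example, which is not code from the original article. It uses only the Python standard library; note that urllib.parse.quote emits upper-case hex digits (%3D) whereas the table above uses lower case (%3d), and servers accept both. The filter-check function at the end is an assumption of mine about what a defender would look for, not something the page describes.

```python
import html
import re
from urllib.parse import quote, unquote


def url_encode(text):
    """Percent-encode every character, including ? & = ; # and % which quote()
    would otherwise treat as safe, so separators can never be read as syntax."""
    return quote(text, safe="")


def url_encode_twice(text):
    """Double encoding: the % produced by the first pass becomes %25 in the second."""
    return url_encode(url_encode(text))


def decode_twice(data):
    """Model a stack that decodes once in the web server and again in the application."""
    return unquote(unquote(data))


def html_encode(text, hexadecimal=False):
    """Encode every character as a numeric character reference (&#61; or &#x3d;)."""
    if hexadecimal:
        return "".join(f"&#x{ord(c):x};" for c in text)
    return "".join(f"&#{ord(c)};" for c in text)


def html_escape(text):
    """The usual defensive escaping of the HTML-significant characters < > & " '."""
    return html.escape(text, quote=True)


def looks_like_double_encoding(raw_query):
    """Heuristic defender's check (assumption, not from the page): %25 followed by
    two hex digits is a percent sign that will turn into another escape sequence
    after a second decode, which is the pattern used to slip past filters."""
    return re.search(r"%25[0-9a-fA-F]{2}", raw_query) is not None


if __name__ == "__main__":
    for ch in "\r\n ?&=;#%":
        print(repr(ch), url_encode(ch), url_encode_twice(ch))
    print(html_encode("="), html_encode("=", hexadecimal=True), html.unescape("&#x3d;"))
```

html.unescape is the browser-side view: whichever numeric form you choose, the document ends up containing the same character.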
Cookies and Sessions
The server initialises a cookie with the Set-Cookie HTTP header. Once the browser receives this header it stores the cookie and sends it back to the server in the Cookie header of every subsequent request.
The Set-Cookie header takes the following optional attributes:
· Expires
Tells the browser when to delete the cookie.
· Domain
Tells the browser which host or subdomain the cookie should be sent to. A subdomain can read the cookies of its parent domain.
· Path
Tells the browser which path the cookie should be sent to. Only JavaScript running under that path can read the cookie.
Security Flags
The Path and Domain attributes are often used for security. Cookies also have two security-specific flags:
· HttpOnly
Prevents JavaScript from reading or writing the cookie. With it, document.cookie in a cross-site scripting payload returns nothing, so the cookie cannot be stolen that way.
· Secure
With this flag the cookie is not transmitted when the request is plain HTTP.
Sessions
The session mechanism persists state on the server side; the cookie mechanism persists it on the client side.
When a client first uses the application, the server creates a session for it. On each request the server checks whether the request carries a session id. If it does, the client already has a session and the server looks it up by that id (if nothing is found, a new session may be created). If the request carries no session id, the server creates a session and generates an id bound to it. The id must be unique and must not follow a pattern that could be guessed or forged; it is returned to the client in the response so the client can store it. A cookie is the usual place to keep the session id, because the browser then sends it back automatically on later requests according to the cookie rules.
· Rack::Session::Cookie
Rack-based applications (Rack underlies most Ruby web frameworks) use a different session mechanism by default: the session data itself is sent to the user, but it is encrypted. The user therefore cannot modify the session contents, although once decoded the contents can still be read.
· PHP sessions
In PHP, by default each session is stored in an unencrypted file (on Debian, under /var/lib/php5). Anyone with read access to those files can read another user's session data. For example, if your session id is o8d7lr4p16d9gec7ofkdbnhm93, you will find a file named sess_o8d7lr4p16d9gec7ofkdbnhm93 containing the session data:

  # cat /var/lib/php5/sess_o8d7lr4p16d9gec7ofkdbnhm93
  pentesterlab|s:12:"pentesterlab";
HTTP Authentication
HTTP also provides ways to authenticate users. The protocol offers three methods:
· Basic authentication
The username and password are base64-encoded and sent in the Authorization header:
  Authorization: Basic YWRtaW46YWRtaW4K
· Digest authentication
The server sends a nonce (a unique value) and the client replies with a hash computed over it and the user's password, so the password itself does not travel in the clear.
· NTLM authentication
Used mainly on Microsoft systems; similar in spirit to Digest.
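The Basic and Digest mechanisms above are shown end to end in the following added example, which is not code from the original article. It builds and decodes a Basic header (the page's value YWRtaW46YWRtaW4K decodes to admin:admin followed by a newline, the trace of having been produced with echo), and implements the RFC 2617 Digest computation for qop=auth with both the client and the verifying server side, which stores only HA1 rather than the password. The user name, realm, password, nonce and cnonce values are the ones from the worked example in RFC 2617 section 3.5; they are inputs here, not page content.

```python
import base64
import hashlib
import secrets


def basic_header(username, password):
    """Build the Basic Authorization header: base64 of "user:pass". This is
    encoding, not encryption, so it is only as safe as the transport (HTTPS)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic(header_value):
    """Recover (username, password) from the value of a Basic Authorization header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # rstrip: the page's sample was generated with echo, which appended a newline
    decoded = base64.b64decode(token).decode().rstrip("\n")
    user, _, password = decoded.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). A Digest server stores this, not the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_issue_nonce():
    """Fresh unpredictable nonce per challenge, so captured responses cannot be replayed."""
    return secrets.token_hex(16)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, client_response):
    """Recompute the expected digest from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, client_response)


if __name__ == "__main__":
    print(basic_header("admin", "admin"))
    print(decode_basic("Basic YWRtaW46YWRtaW4K"))
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")   # RFC 2617 §3.5 inputs
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    print(resp, server_verify(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
```

The contrast is the point: a captured Basic header yields the password directly, while a captured Digest response yields only an MD5 value tied to one nonce, method and URI.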
Web Services
Web services expose remote methods over HTTP: basically a command is sent to the server and a response comes back. The message can be:
· a plain HTTP request
· an XML message
· a JSON-based message
The server can receive the remote command:
· in the URL
· in an HTTP header (for example, the SOAPAction header)
Testing web services is similar to testing ordinary web applications, except that a browser cannot drive the interaction. If you have a sample request, you can use a tool or a scripting language to fuzz it and attack the server-side code.
Web Application Security
Client-Side Security
A common mistake is to perform security checks on the client, for example with JavaScript that verifies whether a mobile phone number is valid.
With a valid value, the flow is:
· the user enters a mobile phone number
· the JavaScript checks the value
· the phone number appears to be valid
· the value is sent to the server
With an invalid value, the browser does not send the request:
· the user enters a mobile phone number
· the JavaScript checks the value
· it reports that the value is incorrect
· the request is not sent to the server
This kind of check is weak and easily bypassed, so it cannot serve as a security mechanism. It is still useful for reducing load: if every request that reaches the server is well-formed, the malformed ones never get there, which spares the server the work.
Bypassing Client-Side Checks
To bypass these checks you need an intercepting proxy such as Burp Suite. After starting the proxy, configure the browser to forward all its requests through it (via the browser settings or environment variables, depending on the browser and operating system). You can then see every request the browser sends, intercept it and modify it.
Once the proxy is in place you can intercept the request the browser sends, modify it, and the server will respond to the modified request.
In other words: enter a correct value in the browser and submit the form; when the proxy intercepts the request, change the value to attack the web application.
 
 

Server-Side Security
Application security is implemented on the server side. Nothing the server receives should be trusted: both the data and its format must be treated as potentially malicious. Do not assume a particular set of parameters; they may be missing, mixed up, or sent as arrays. Do not assume a parameter is an integer; it may be a string. Even the host name of the current server (taken from the Host header) can be attacker-controlled. Trust no input and make sure every input is checked on the server. If you write a vulnerable application, you may find some of the problems yourself; do not assume nobody else will find the rest. If something is vulnerable, someone will eventually find it.
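The server-side rule above (re-check every input, expect arrays instead of scalars, strings instead of integers, and an attacker-controlled Host header) is applied to the phone-number form from the client-side section in the following added example; it is not code from the original article. It validates the raw form body exactly as a proxy user could have rewritten it, and checks the Host header against an allow-list. The 10-digit phone rule, the field name "phone" and the allow-list entries are constructed for the example (the host name "vulnerable" comes from the page).

```python
import re
from urllib.parse import parse_qs

# Constructed validation rule: the same check the page's JavaScript would apply,
# enforced again on the server where it cannot be bypassed.
PHONE_RE = re.compile(r"[0-9]{10}")

# Constructed allow-list of host names this application is served under.
ALLOWED_HOSTS = {"vulnerable", "www.example.com"}


def validate_phone_body(raw_body):
    """Validate the 'phone' field of an application/x-www-form-urlencoded body.
    Returns (True, phone) or (False, reason). Every assumption the client-side
    check made is re-checked here: presence, cardinality, type and format."""
    try:
        fields = parse_qs(raw_body.decode("utf-8"), keep_blank_values=True)
    except UnicodeDecodeError:
        return False, "body is not valid UTF-8"
    values = fields.get("phone")
    if values is None:                      # parameter missing or renamed (phone[]=...)
        return False, "phone missing"
    if len(values) != 1:                    # phone=1&phone=2: an array where a scalar was expected
        return False, "phone supplied more than once"
    phone = values[0]
    if not PHONE_RE.fullmatch(phone):       # fullmatch: no trailing newline or extra text
        return False, "phone is not 10 digits"
    return True, phone


def host_is_allowed(host_header):
    """The Host header is client input too: accept only names we actually serve,
    ignoring an optional :port suffix, so a forged Host cannot steer URL building."""
    host = host_header.strip().lower().split(":")[0]
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for body in (b"phone=0612345678", b"phone=abc", b"phone=0612345678&phone=0612345679",
                 b"phone[]=0612345678", b"name=x"):
        print(body, validate_phone_body(body))
    print(host_is_allowed("vulnerable:80"), host_is_allowed("10.0.0.1"))
```

Note that parse_qs performs the URL decoding, so %30612345678 and 0612345678 are the same value to the validator; the check runs on decoded data, which is where it belongs.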
 
