# Web App Hacking

### Austin Security Groups

- Austin OWASP
- Austin ISSA
- The PortSwigger certification for web security is the best web security certification out there
- Network security changes a lot based on what's hot right now, but web security is more interesting and challenging

What is a web app? Application software that is accessed using a web browser. Web apps are everywhere: computer, tablet, TV, phone, etc.

### HTTP

- Application layer protocol
- Stateless
- Text based
- Defines what you need in a request and a response; the request/response protocol is what defines the web
- TCP/IP is the communication protocol; this was the case in HTTP/1 and HTTP/2
- The big difference in HTTP/3 is that it uses UDP instead of TCP. UDP allows things to be even faster, and there are security improvements

### Requests and responses

- A request has the host that you are going to, the file that you need, and the protocol
- The response matches the protocol, gives a status code, tells you what the content is that's coming over, and sends that content back

HTTP response codes:

1. Informational responses (100-199): here is some information
2. Successful responses (200-299): everything is ok
3. Redirection messages (300-399): this has moved
4. Client error messages (400-499): there's something wrong with you/your browser/your request
5. Server error messages (500-599): something is wrong on the server side

Developer tools:

- Save as HAR to get a JSON blob of a request saved to your machine; you can import this HAR later to check it out
- With the console you can interact with the DOM, JavaScript, libraries, etc.
- Checking the console is good to see if there are any errors, or if it's giving too much information

### Web application frameworks

A set of tools and libraries put together to build tools and sites:

- Ruby on Rails
- Django
- Flask
- ASP
- React
- Angular
- Thousands of variations of React and Angular

Notes on frameworks:

- The point of a framework is to speed things up and build a beautiful interface or web app easier/faster
- The cool thing about something like React is that it builds beautiful interfaces, but it also has downfalls
- React opens up more room for bugs and security vulnerabilities: if 1000 lines give you a bug, then in a million lines of code you've got thousands of bugs. And it takes a million lines of code to write a React hello world app!
- Snyk scans for vulnerabilities in code, especially with frameworks: https://snyk.io/

### Web application Content Management Systems (CMS)

- Make it super easy to make a website or add content to it; you don't need to know HTML or lots of coding
- Make building something on the web more accessible
- The downside is that the plugins used in CMSs can be insecure or straight up malware/backends
- But now there are groups that monitor these plugins more, as well as new versions of plugins and themes
- Each of these CMSs has unique vulnerabilities

Common CMSs:

- WordPress: pretty solid/secure now
- Drupal: written in PHP, not great, pretty insecure. Mostly because of the way it does file handling; getting shell access was frequently very easy
- Shopify

### Web application architecture

- Monolithic app: a single application that is mostly self-contained. Not a lot of sites like this anymore. Could be a Java app
- Two tier: client and server
- N tier: multiple servers with services broken out, e.g. user interface, business logic and data access. Most web apps are N tier. Even if the database backend runs on the same server, it's still multiple tiers
- Cross-origin policy: the developer needs to define it. N-tier can introduce vulnerabilities if policies aren't adequately defined
- It's all about layers: think of each piece/tier as a layer, starting with the browser for the UI

Front end components:

- Frameworks
- HTML
- SPA (single page application)

Back end components:

- Services: microservices, each serving a particular function
- APIs: a front end to a database of some type
- Databases

Role of web servers:

- Listens for incoming requests from clients (browsers)
- Accepts requests
- Processes requests
- Serves up appropriate data or error messages
- Communicates with the database as needed
- Enforces security policies
- Logs activity (insufficient logging is a vulnerability)
- May provide other services like caching, compression and SSL encryption

Hackers, if they are smart, once they get on the system are going to do something about the logs, like modify them. Logs (not taking advantage of them well) are now on the OWASP Top Ten. Log tampering and log poisoning can be used for executing commands on a machine.

The OWASP Top Ten is something to look at: the OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

### Role of application servers

- Handles middleware. Written in an application language like PHP. Drupal is an application server; Django and Flask too
- Handles business logic

### Role of databases

- Databases have been behind the web for a long time
- Started with text based DBs, then Linux based, then relational databases now
- Relational: data is stored in tables with rows and columns and uses SQL to manipulate and query the data. There is a relationship between tables with foreign keys and primary keys (MySQL, PostgreSQL, Oracle, Microsoft SQL Server)
- NoSQL: a database that stores big chunks of data in JSON, e.g. MongoDB, Cassandra. Super fast DB
- Graph database
- You have to interact with all these databases differently
- The most important ones to understand are relational, NoSQL, and graph. Most applications use these. Understand what queries to each of these DBs look like

### Data flow and session management

- Figures out how you log in and what you have access to. How does it track who you are, what is the realm of users that can interact with this system, and how do they authenticate to it? What permissions does the user have?
- Usually maintained through cookies or session IDs. The browser is given a cookie/session ID once you log in, with different info including when it expires

### Web application security fundamentals

1. Authentication and authorization: these are different things. Authentication is logging in, authorization is what you can do
2. Input validation. The top thing to check for with SQL injection is a single quote ('). If you put in a single quote and get an error, then you've got a SQL injection. The way to avoid this is input validation
3. Secure communications (OWASP Top Ten). Encryption; information is not sent in plain text
4. Session management. This is often implemented super poorly in apps. Good session management expires cookies, deletes the session IDs and doesn't reuse them. The one that bugs the professor the most is reusing session IDs. A good browser should delete all your cookies when you log out. It's convenient, but not secure. This is what happens when you log in to a website, close the browser, open a new browser, go to the website and you are still logged in
5. Access controls: about authorization. Where you can access from, what kinds of devices. If I'm suddenly logging in from a different country, does that make sense? Usually done at a corporate level, not so much at the web server level.
   However, these kinds of things do start to become valid when you are building single use applications
6. Error handling and logging, part of the OWASP Top Ten
7. Updating. There are still so many ancient servers, super old and outdated machines or dependencies. There are sites where you can go and ask "show me all the WordPress 2.5 sites that exist" so attackers can get into them. Updates can be a pain, but it is so worth it when the alternative is dealing with a data breach

### Understanding the threat landscape

1. Vulnerabilities, including injections, XSS, CSRF, and others in the OWASP Top Ten
2. Malware and viruses. If you are going to browse, browse from a VM. Try to contain the damage
3. Denial of service (DoS): a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. It can cost a tremendous amount of money to deal with this kind of attack
4. Social engineering: if you have a good social engineer, they are always successful. It's amazing how much they can do and get people to do. The way to contain this is least privilege: if this person is compromised, then what can they do? Also, always have a backup
5. Insufficient logging and monitoring (OWASP Top Ten)
6. Infrastructure issues: the firewall goes down, the WAF goes down, etc.

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

### OWASP Top Ten 2021

Useful to know if you are applying to a security job, esp. web app security.

1. Broken Access Control: path traversal, permissions, CSRF, authorization, open redirect, IDOR
2. Cryptographic failures: weak ciphers, hard-coded keys, cleartext transmission
3. Injection: command injection, XSS, SQL injection
4. Insecure design: plain text storage, business logic errors, request/response smuggling
5. Vulnerable and outdated components: using components with known vulnerabilities, use of unmaintained components
6. Vulnerable and outdated components

Others I didn't write down, but check https://owasp.org/www-project-top-ten/

### Input validation

- The #1 way to protect your applications. If you make sure proper input validation is in place, which is really difficult, your application is pretty secure from hacks
- It is a lot easier for hackers to get around your input validation if they have your source code
- Ensure the data is the right kind of data
- Is there a range? If you can put in an age, can they say they are trillions of years old? Will that break something?
- If you put any data into the site, you want to think about where that data is reflected back to you

Kinds of validation:

- Data type validation
- Range validation
- Format validation
- Length validation

https://github.com/swisskyrepo/PayloadsAllTheThings

### Authentication and authorization

- Why is this important? Because of session management
- Understand how sessions are handled
- Session hijacking
- Session fixation
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
- Your app should be using an authenticated, tried and true session management system; not doing that is like rolling your own encryption

### Session management

- HTTP is stateless, meaning between sessions it has no clue who you are. This means session management has to be maintained another way
- How? Cookies or tokens that are stored in the browser and used with each request. Session IDs can be used with session information stored on the server
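The session cookie is what carries that ID, so how it is set matters. As an added example (not from the lecture notes), here is a small auditor that parses Set-Cookie headers with Python's standard http.cookies module and flags missing Secure, HttpOnly and SameSite attributes, the kind of thing that counts as a finding; the Set-Cookie values are constructed samples.

```python
# Added example: audit Set-Cookie headers for Secure, HttpOnly and SameSite.
# The sample headers below are constructed for the demo, not taken from a real app.
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values as an app might return them on login.
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=1; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "csrftoken=xyz; Path=/; Secure; SameSite=None",
]


def audit_set_cookie(header: str) -> dict:
    """Return the cookie name plus a list of findings for one Set-Cookie header."""
    cookie = SimpleCookie()
    cookie.load(header)
    # One Set-Cookie line yields one Morsel; flags are True when present, "" when absent.
    name, morsel = next(iter(cookie.items()))
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: scripts can read it via document.cookie")
    samesite = morsel["samesite"].lower()
    if samesite == "":
        findings.append("missing SameSite: sent on cross-site requests (CSRF exposure)")
    elif samesite == "none" and not morsel["secure"]:
        findings.append("SameSite=None without Secure: browsers reject or ignore this")
    return {"name": name, "findings": findings}


def audit_all(headers) -> dict:
    """Map each cookie name to its findings; an empty list means no finding."""
    return {r["name"]: r["findings"] for r in map(audit_set_cookie, headers)}


if __name__ == "__main__":
    for cookie_name, findings in audit_all(SAMPLE_SET_COOKIES).items():
        print(cookie_name, "OK" if not findings else findings)
```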
Cookie attributes:

- Name: unique identifier
- Value: data stored in the cookie
- Path: cookies are set with an action
- Secure attribute: only allows cookies to be sent via SSL/TLS
- HttpOnly attribute: doesn't allow scripts to access cookies via the DOM
- SameSite attribute: cookies can't be sent with cross site requests; helps protect against cross site origin information leakage
- If you don't see these being set, that's a finding
- https://en.wikipedia.org/wiki/HTTP_cookie

### Cryptography

- HTTPS should be the only way cookies are transferred. Protect data in flight via SSL/TLS
- At minimum, passwords and other sensitive data should be encrypted. Passwords should only use one way encryption

### Error handling

- Error messages should be generic and should not leak information about the system; any error message can give a lot of information about a site
- If a hacker knows what version you are running, they can look at the code

### Web application penetration testing methodology

Always pay attention to version numbers.

**Scoping:**

- Understand your scope; this will protect you
- Have your scope documented
- If you find you are off the map, let your customer know immediately
- Make sure you understand if you are testing against a staging, development or production server
- Be very cautious with production servers
- Places like HackerOne give you great scope boundaries, like a list of IPs

**Reconnaissance:** finding out what you are trying to test/attack

- DAST: dynamic application scanning tool
- Wappalyzer: extension to analyze what a website is built with
- Shodan: https://www.shodan.io/
- Google dorking: https://en.wikipedia.org/wiki/Google_hacking

Things to look for on a site:

- What is it built with
- What is the server software
- Is there a robots.txt file
- Is there a sitemap.xml
- If allowed, fuzz it for files and directories
- Go through the application and understand how it works

**Vulnerability scanning:**

- Ideally, you should not have to do this because the customer should have already scanned their application. They should have found all the low-hanging fruit
- Scanners can miss things, including basic stuff
- Customers may not want you to use scanners because they can DoS the application or create junk data; this doesn't matter in staging but may matter in production

**Manual testing:**

- Where the web app penetration tester and bug bounty hunter live
- Where the expertise you develop really matters and what makes you successful
- How to start? Dig into the application, understand it, create an account and use it as a user. List all the features you have access to when using that application. Make note of where you can insert, update, delete data. Do any of these features change if you are using a different browser, mobile device, or screen size?
- https://owasp.org/www-project-web-security-testing-guide/

**Exploitation:** when you have found something that looks promising, you try things like SQL injection, XSS, and other vulnerabilities. The goal is to successfully show that the application is vulnerable.

**Reporting:** without a useful report, the best web application test means nothing; you have to communicate it well. https://github.com/juliocesarfort/public-pentesting-reports

### Web application tools

Lots of tools for web app testing: sqlmap, wpscan (WordPress scan), nuclei, nmap (port scanner).

The most important tool is an interception proxy. This is what's going to give you a view into how the application works. Some good interception proxies:

- Burp
- ZAP
- Fiddler

Docker crash course:

- Allows you to run many operating systems
- On that system you can run an application or service
- Minimal operating system, just enough to do what you need
- Docker commands have to be run with sudo (unless you add your user to the docker group)

WAF notes:

- When you are web scanning, use a VPN in case there is a WAF that will ban your IP
- If the website you are looking at uses a WAF, see if there's a way to get around it, like asking the client to whitelist your IP or if there is something you can put in the header

### SQL Injection

- Adding something to a request that modifies the underlying SQL query
- Ex. if you go to a login form and add a "tick" (') mark, that could modify the underlying query and cause an error
- The #7 found vulnerability in bug bounties
- When you are interacting with a database you are either interacting with one table or a view
- Most of what you interact with on a website is through a select. But if you are creating a new account, you are updating. If you are deleting your account, you could be deleting data

How to mitigate against SQL injection:

1. Input sanitization; just doing this is not enough
2. Use prepared statements (a pre-compiled SQL statement with placeholders for parameter values). This is super powerful; this and input sanitization will protect from most SQL injections. Also parameterized queries (`select * from users where id = ?`)
3. Limit user privileges
4. Use database-level security features like stored procedures, triggers and views to limit user access
5. Least privilege
6. Use a WAF (web application firewall); this is super effective
7. Keep your software up to date!!!
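Added example (not from the lecture notes) for items 1 and 2 above: the same user lookup built by string concatenation and as a parameterized query, run against an in-memory SQLite database seeded with constructed rows. The tick check from the notes only errors the concatenated version, and so does a legitimate name with an apostrophe, which is why sanitizing alone is not enough.

```python
# Added example: concatenated query vs parameterized query in SQLite.
# The table and rows are constructed sample data for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared/parameterized statement: the input is bound as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn: sqlite3.Connection, username: str) -> dict:
    """The 'tick' check from the notes: does each variant error on this input?"""
    result = {}
    for label, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        try:
            result[label] = ("ok", fn(conn, username))
        except sqlite3.Error as exc:
            # A database error surfacing on a quote is the classic injection signal.
            result[label] = ("error", str(exc))
    return result


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'neil", "'"):
        print(repr(name), probe(db, name))
```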
### Cross site scripting (XSS)

- When an attacker can inject code into a website that is executed by a user's browser
- #8 in the OWASP Top Ten, however it is #1 for bug bounties according to HackerOne
- This can allow the attacker to steal sensitive information like credentials or cookies. It could also allow the performance of unauthorized actions. This could be especially impactful if the user is an admin
- Types: reflected XSS, stored XSS, DOM-based XSS

### File inclusion

- Another type of injection attack; falls under the OWASP Top 10 number 1 category of injection
- Two types:
  1. Local file inclusion
  2. Remote file inclusion: call a remote file that's hosted somewhere else. Very difficult to find
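Added example (not from the lecture notes) for reflected XSS: a page that echoes a search query back, rendered once without and once with HTML output encoding, plus the reflection check the input validation notes describe (is the data reflected back unencoded?). The template and the probe string are constructed for the demo.

```python
# Added example: reflected input rendered raw vs HTML-encoded, with a reflection check.
# TEMPLATE and PROBE are constructed for the demo.
import html

TEMPLATE = "<h1>Results for: {query}</h1>"

# Constructed canary: contains characters that output encoding must change.
PROBE = '"<xss-probe>'


def render_vulnerable(query: str) -> str:
    """Reflects the input into the HTML as-is; any markup in it reaches the browser as markup."""
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """HTML-encodes the input so the browser shows it as text, not as markup."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def reflected_unencoded(page: str, probe: str = PROBE) -> bool:
    """True if the probe comes back byte-for-byte, i.e. the page did not encode it."""
    return probe in page


if __name__ == "__main__":
    for render in (render_vulnerable, render_safe):
        page = render(PROBE)
        print(render.__name__, "reflected unencoded:", reflected_unencoded(page))
        print("  ", page)
```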