
Web Exploitation
Find and demonstrate vulnerabilities in various web applications from the browser or with other tools. The basic techniques used for web exploitation include:
- Browser Investigations (using the browser’s ‘Developer Tools’ or ‘Inspect’ function)
- Review the page’s source code for comments and vulnerabilities (e.g., HTML, JavaScript, CSS)
- Find hidden directories (e.g., /robots.txt, /logon, etc.)
- Review and update browser cookies
- Enter injected commands (SQL injection, Linux commands, etc.) in web page input fields (e.g., the logon field)
- Linux Command Line Investigations:
- Scan the URL for open ports (see nmap)
- Scan the URL for hidden directories (see Gobuster)
- Use Burp Suite to intercept and alter messages between the browser and web server (see Burpsuite)
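The /robots.txt check above is as useful to the defender as to the attacker: every Disallow line advertises a path that someone thought worth hiding. The following parser is an added example (not code from the original page) that reads a constructed, hypothetical robots.txt and lists the paths it exposes, so a site owner can confirm each one is protected by real access control rather than by obscurity.

```python
from typing import Dict, List

# Constructed sample robots.txt (hypothetical, not from any real site).
# Everything in this file is readable by anyone who requests it.
SAMPLE_ROBOTS_TXT = """\
# hypothetical robots.txt for demonstration
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
Sitemap: https://example.com/sitemap.xml
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return a mapping of user-agent -> list of Disallow paths.

    Groups start at User-agent lines; consecutive User-agent lines share the
    rules that follow them, as in the robots.txt convention.
    """
    rules: Dict[str, List[str]] = {}
    current_agents: List[str] = []
    saw_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if saw_rule:                          # a new group begins after rules
                current_agents = []
                saw_rule = False
            current_agents.append(value)
            rules.setdefault(value, [])
        elif field == "disallow":
            saw_rule = True
            if value:                             # empty Disallow means "allow all"
                for agent in current_agents:
                    rules[agent].append(value)
        elif field in ("allow", "sitemap", "crawl-delay"):
            saw_rule = True                       # part of the current group's rules
    return rules


def exposed_paths(text: str) -> List[str]:
    """Every distinct path the file asks crawlers to avoid: the list a defender
    should review, since each entry points at a location that needs
    authentication or removal, not just a Disallow line."""
    seen: List[str] = []
    for paths in parse_robots(text).values():
        for path in paths:
            if path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    for path in exposed_paths(SAMPLE_ROBOTS_TXT):
        print("review access control for:", path)
```

Running the script on a real site’s robots.txt (fetched with the browser or curl and saved locally) gives the same review list; the point is that a Disallow entry is a signpost, not a lock.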
Related Web Concepts:
- Web Network Concepts:
- URL (Uniform Resource Locator) – web address that references a web resource (e.g., a website).
- HTTP / HTTPS – application-level protocol that dictates how information on the World Wide Web travels; HTTPS is the encrypted version of HTTP.
- Browser – Software program used to view websites or files.
- Web Server – Hardware and software that stores, processes and delivers web pages (content) to clients.
- Database Server – Backend server that stores the data and is updated by the web server applications (not directly accessible from the browser).
- Web Browser Source Code:
- HTML – Hypertext Markup Language used to lay out the text, colors, and graphics on a webpage.
- JavaScript – enables interactive web pages and is an essential part of web applications.
- Cascading Style Sheets (CSS) – style sheet used to present a document written in HTML.
- Other Browser Information
- Cookie – small piece of data sent by a website and stored on the user’s computer to remember stateful information (i.e., browsing activity).
- User agent (UA) – helps identify which browser is being used, what version, and on which operating system.
- Basic Web Attacks
- Access control / privilege escalation – attack by bypassing authentication and session management controls.
- Path Traversal – access files and directories that are outside the web root folder.
- SQL Injection (SQLI) – interfere with the queries that an application makes to its database.
- Cross-site scripting (XSS) – masquerade as the user (victim) to access their data and privileges.
- Cross-site request forgery (CSRF) – induce users to perform actions that they do not intend to perform.
- FTP Anonymous Logon – FTP (port 21) may allow clear-text authentication or anonymous connection.
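Path traversal, listed above, succeeds when a server joins a user-supplied path onto its document root without checking where the normalised result ends up. The function below is an added example (not code from the original page) of the containment check a server should perform; the document root `/var/www/html` is a hypothetical value, and the check works on strings only so it can be tested without that directory existing.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed document root; hypothetical path used only for this demonstration.
DOC_ROOT = "/var/www/html"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a user-supplied path onto the document root, or return None when
    the normalised result would land outside it.

    Pure string logic: no filesystem access. A real server must additionally
    guard against symlinks inside the root that point outside it.
    """
    root = posixpath.normpath(root)
    # Decode percent-encoding once, so "%2e%2e" is seen as ".." before normalising.
    decoded = unquote(requested)
    # Treat the request as relative to the root even if it begins with "/".
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def classify_requests(root: str, requests: List[str]) -> List[Tuple[str, str]]:
    """Label each requested path 'ok' or 'traversal', e.g. for an access-log review."""
    return [
        (r, "ok" if resolve_under_root(root, r) is not None else "traversal")
        for r in requests
    ]


if __name__ == "__main__":
    # Constructed sample request paths, as they might appear in an access log.
    sample = ["images/logo.png", "static/../index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]
    for path, verdict in classify_requests(DOC_ROOT, sample):
        print(f"{verdict:9s} {path}")
```

The same normalise-then-compare logic serves as a detection rule: any request whose normalised path escapes the root is worth alerting on even if the server itself refused it.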
Basic CTF Web Challenge Tactics
Basic Web Exploitation CTF challenges will frequently require students to do the following:
- Use the Browser’s Developer Tools: Use the ‘Developer Tools’ to inspect the browser code, run JavaScript and alter cookies.
- Look at the HTML, CSS, or JavaScript source files for helpful clues.
- Check the cookies for useful info.
- Look for hidden directories.
- Check the /robots.txt file.
- Linux Command Line Steps:
- Scan the URL for open ports and service vulnerabilities (see nmap)
- Scan the URL for hidden directories (see Gobuster)
- Use Burp Suite to intercept and alter messages between the browser and web server (see Burpsuite)
- Check for Anonymous FTP Logon – Scan for an open FTP port (port 21) that can be exploited (e.g., nmap -A -T4 [website.com])
- Perform a Path Traversal – find files and directories that are outside the root folder (e.g., robots.txt, Gobuster)
- Perform a SQL Injection (SQLI) – Basic SQL injection challenges will most likely be associated with the WHERE clause of a SELECT query. Below are some basic techniques:
- Change User agent (UA) – Clues may indicate the CTF flag is visible if you change the user agent (e.g., to a mobile browser). A browser extension may be required.
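To see why a SQL injection in the WHERE clause of a SELECT works, and what the fix looks like, here is an added example (not code from the original page) that builds a constructed in-memory SQLite users table and runs the same logon check in two forms: the vulnerable string-built query and the parameterised query that a developer should ship. The table contents, the `login_vulnerable` / `login_safe` names and the clear-text passwords are all demonstration assumptions.

```python
import sqlite3
from typing import Dict, Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with sample rows (not real data).
    Passwords are kept in clear text only to keep the demo short; a real
    application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The pattern the page warns about: user input is pasted straight into the
    WHERE clause, so a quote or comment marker in the input changes the query."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so the input can only ever be compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> Dict[str, Optional[str]]:
    """Run both logon variants against normal and crafted input."""
    conn = build_demo_db()
    # A quote followed by a SQL comment marker in the username field comments
    # out the password check in the vulnerable query; the parameterised query
    # treats the same string as a username that simply does not exist.
    crafted = "alice' --"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "wrong_vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "crafted_vulnerable": login_vulnerable(conn, crafted, "anything"),
        "valid_safe": login_safe(conn, "alice", "correct-horse"),
        "crafted_safe": login_safe(conn, crafted, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")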
Other Web Attacks (more advanced)
- XML External Entity (XXE) Injection – interfere with an application’s XML processing to interact with backend systems.
- Server-side request forgery (SSRF) – induce the server-side application to make HTTP requests to an arbitrary domain.
- Cross-origin resource sharing (CORS) – uncontrolled access to web resources located outside of a given domain.
- Cross-site scripting (XSS) – masquerade as a victim user to carry out actions and access the user’s data.
- Cross-site request forgery (CSRF) – induce users to perform actions that they do not intend to perform.
- DOM-based vulnerabilities – website contains vulnerable JavaScript that passes attacker-controlled data (source) to a dangerous function (sink).
- Access control / privilege escalation – attack by bypassing authentication and session management controls.
- Clickjacking (UI redressing) – user is tricked into clicking on actionable content hidden beneath a decoy website.
Recommended Commands & Tools:
- nmap – Search for open ports and vulnerabilities (nmap -sV <ip_address>)
- /robots.txt – file listing pages or files that search engines should not request from your site; it may provide useful info to an attacker.
- Gobuster – multi-threaded tool for brute-force discovery of hidden directories and files (Kali)
- Browser Developer Tools – used to review/alter the page source, run JavaScript and change cookies in the local browser.
- User Agent Extension – allows the browser to switch user agent (i.e., the browser that interacts with web content)
- Metasploit Framework (MSF) – verify vulnerabilities, manage security assessments and improve security.
- Burp Suite – toolset for testing web application security with a proxy server, scanner, intruder, spider, repeater, decoder, comparer, extender and sequencer.
References:
- Difference between a web server, an application server, and a database server (Medium)
- YouTube: Capture the Flag: Exploring Web Pages (05:22)
- The Web Application Hacker’s Handbook
- YouTube: HTML + CSS + JavaScript introduction – web 0x00 (8:41)
- YouTube: Google Chrome Developer Tools Crash Course (51:19)
- YouTube: How hackers use DevTools – Web Security #4 (11:36)
- YouTube: How to Hack Websites with Chrome Dev Tools, Tampermonkey, and jQuery! (34:20)
- Hack Websites and Customize CSS with Chrome Inspector (12:25)
- SQL Injection Attack Tutorial (2019) (15:24)
- XXE Injection Attack Tutorial (2019) (16:48)
- Cross Site Request Forgery – Computerphile (9:19)
Other resources (under review):
- Va Cyber Range: Capture the Flag Web Challenges, Part 1 (56:37)
- Va Cyber Range: Capture the Flag: Web Challenges, Part 2 (49:00)
- Va Cyber Range: More Web Application Vulnerabilities: Command Injection (with hands on) (58:09)