Website Hacking Unit 1: The Basics
How do websites work?
Clients (web browsers) speak to web servers using the HTTP protocol. Servers respond to HTTP requests with HTTP responses.
(Greatly simplified)
What does HTTP look like? Try it yourself
Netcat is the swiss army knife of networking. It comes standard with Linux. You can use it to talk raw HTTP. To open Google’s homepage:
$ nc google.com 80
GET /
(Response truncated)
HTTP typically uses port 80.

What does HTTP look like? A request:
GET /index.html HTTP/1.1                (Method, URL, Protocol version)
Host: www.example.com                   (Headers)
User-Agent: Mozilla/5.0
Accept: text/html, */*
Accept-Language: en-us
Accept-Charset: ISO-8859-1,utf-8
Connection: keep-alive
Cookie: foo=bar; visitor=15
                                        (blank line)
                                        (Body, optional)

What does HTTP look like? A response:
HTTP/1.1 200 OK                         (Version, Status code, Status message)
Date: Thu, 24 Jul 2008 17:36:27 GMT     (Headers)
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 1846
                                        (blank line)
<html>                                  (Body)
...
</html>
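To see the structure of the two messages above in code, here is an added example (not from the slides) that splits a raw request and a raw response into start line, headers, blank line and body, and pulls the cookies out of the Cookie header. The two messages are constructed copies of the slide examples with a shorter body.

```python
# Added example (not from the slides): split the raw HTTP request and
# response shown above into start line, headers, blank line and body.
from typing import Dict, Tuple

# Constructed copies of the two messages, as they travel on the wire
# (lines end in \r\n; the body here is shorter than the slide's 1846 bytes).
RAW_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html, */*\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: foo=bar; visitor=15\r\n"
    "\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 24 Jul 2008 17:36:27 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "<html><body>hi</body></html>"
)

def parse_message(raw: str) -> Tuple[tuple, Dict[str, str], str]:
    """Return (start line fields, headers, body). The first blank line is
    what separates the headers from the body; everything after it is body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = tuple(lines[0].split(" ", 2))  # request: method, URL, version
    headers = {}                           # response: version, code, message
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return start, headers, body

def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """'foo=bar; visitor=15' -> {'foo': 'bar', 'visitor': '15'}"""
    pairs = (p.partition("=") for p in cookie_header.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}

if __name__ == "__main__":
    start, hdrs, _ = parse_message(RAW_REQUEST)
    print(start, parse_cookies(hdrs["cookie"]))
    start, hdrs, body = parse_message(RAW_RESPONSE)
    print(start, "Content-Length matches body:", int(hdrs["content-length"]) == len(body))
```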
Methods
Did you notice the method in the request example? If not, go back and look at it. We used the GET method.
The two most widely used methods in the HTTP protocol are GET and POST. Methods tell the server what action we want to take.
Cookies
An interesting header in the request example is ‘Cookie’. Cookies are set by the server using a response header called ‘Set-Cookie’.
Cookies typically hold session data, so that the server is able to remember you when you send a new HTTP request.
Status codes, quick reference
Common codes:
200: OK
3xx: Redirect
403: Forbidden
404: Not found
418: I’m a teapot
500: Server error
What are parameters?
The Internet used to be static pages...
... now it generates dynamic responses using parameters.
What are parameters?
GET request: the part of the URL that starts with ‘?’, separated by ‘&’
POST request: invisible form data!
Open Developer Tools: F12
Open Network Tab: CTRL+Shift+I
Parameter examples
GET
URL: http://www.bio.fsu.edu/event.php?RecordID=36
     (Protocol)  (Host)  (Script.Extension?Parameters=Value)
Request body: (Empty)

Parameter examples
POST
URL: https://archive.org/searchresults.php
Request body: search=example
Web servers
There are many different web servers that will respond to your requests: Apache, nginx, IIS, Tomcat, Node, and more.
They are capable of serving dynamically rendered pages in common programming languages.
Let’s Practice
See if you can find the flags from the HTTP Basics I & II practice challenges: http://67.207.89.115:8080/
Encodings
With as much data as there is on the internet, encodings ensure that data is properly sent...
URL encoding
As we mentioned earlier, GET requests separate parameters with an ampersand (&). But what if we want to send the message “Tom & Jerry”?
It is sent like this: Tom%20%26%20Jerry
%26 is the hexadecimal ASCII value of & (and %20 that of a space)
Python URL encoding
Let’s use Python to quickly (!) encode and decode URL encoded strings for us.
>>> from urllib.parse import quote, unquote   # Python 3; in Python 2 these were urllib.quote and urllib.unquote
>>> quote("Hello World!")
'Hello%20World%21'
>>> unquote("Hello%20World%21")
'Hello World!'
Base64 encoding
Base64 is another encoding that is used to make sure data that is sent is within the ASCII character range.
Here is “Hello World” in Base64: SGVsbG8gV29ybGQ=
Equal signs are used as padding in base64. It’s a giveaway you’re looking at base64.
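An added example (not from the slides) tying the parameter and encoding slides together: it takes the slide's GET URL apart into protocol, host, script and parameters, shows what happens to “Tom & Jerry” when the & is and is not URL-encoded, and checks for base64 (length a multiple of four, valid alphabet and padding) before decoding; the decode loop also handles data that was base64-encoded more than once. All input strings are constructed here.

```python
# Added example (not from the slides): take a URL apart into the pieces the
# parameter slides label, show why '&' inside a value must be URL-encoded,
# and spot/decode base64, including data that was base64-encoded twice.
import base64
import binascii
from urllib.parse import parse_qs, quote, unquote, urlsplit

def url_parts(url: str) -> dict:
    """Protocol, host, script and the ?name=value&... parameters."""
    u = urlsplit(url)
    return {"protocol": u.scheme, "host": u.netloc, "script": u.path,
            "params": {k: v[0] for k, v in parse_qs(u.query).items()}}

def query_value(query: str, name: str) -> list:
    """parse_qs splits on '&' first, so a raw '&' in a value cuts it short;
    the %26 form survives because decoding happens after the split."""
    return parse_qs(query).get(name, [])

def looks_like_base64(s: str) -> bool:
    """Length a multiple of 4 and strictly valid base64 alphabet/padding.
    Short plain words can pass this too, so callers bound their loops."""
    if len(s) % 4 or not s.strip("="):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False

def decode_until_text(s: str, max_rounds: int = 10) -> str:
    """Keep base64-decoding while the result is still base64 (data that was
    encoded several times); stop when it isn't, or after max_rounds."""
    rounds = 0
    while rounds < max_rounds and looks_like_base64(s):
        s = base64.b64decode(s).decode("ascii", errors="replace")
        rounds += 1
    return s

if __name__ == "__main__":
    print(url_parts("http://www.bio.fsu.edu/event.php?RecordID=36"))
    print(query_value("msg=Tom & Jerry", "msg"))              # ['Tom ']
    print(query_value("msg=" + quote("Tom & Jerry"), "msg"))  # ['Tom & Jerry']
    print(unquote("Hello%20World%21"))                        # Hello World!
    print(decode_until_text("SGVsbG8gV29ybGQ="))              # Hello World
```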
Python requests library
Helpful for automating HTTP interaction. Examples:
import requests

url = "http://67.207.89.115:8080/Practice/httpbasics.php"
responseA = requests.get(url)
# Keep only the name=value part of the Set-Cookie header (drop attributes such as path=/)
cookie = responseA.headers['Set-Cookie'].split(";")[0]
cookieData = {'Cookie': cookie}
postData = {'username': 't0pS3cr3T', 'password': 'c0NFid3nTiaL'}
# Send the cookie back so the server ties the POST to the session started by the GET
responseB = requests.post(url, data=postData, headers=cookieData)
Summary
You can find vulnerabilities anywhere you look for them.
Method
Methodology: we attempt positive and negative tests on dynamic pages to figure out what we can and can’t do.
Positive test: we hope the page loads.
Negative test: we hope the page breaks.
Dynamic pages
What are dynamic pages? The opposite of static pages. Static pages do nothing server-side, they just render in a browser. Dynamic pages must be processed by the server.
Find ALL the dynamic pages to know your surface.
Dynamic pages
Examples of dynamic pages: PHP, ASP(X), CGI, PL, CFM, JSP
Non-examples of dynamic pages (static): HTML, CSS, JS. These do nothing server-side.
NB: Not all dynamic pages expose their file type, e.g.: http://masig.fsu.edu/cgi-bin/getcoare?type=iss&id=94076
Method
Why do we do two types of tests? To find blind attacks, which are harder to find.
Here is a universal negative test; put this into anything. If it breaks the page, you may be able to hack the site:
'">|
(Quote, double quote, greater than, pipe)
Positive test example
What does the original page look like before we try to break it?

Negative test example
Let’s try and break it by adding '">|
The page breaks (it doesn’t load or produces an error). Good! We might be able to do something...
SQLi
XKCD, “Exploits of a Mom”, available at https://xkcd.com/327/ under the Creative Commons Attribution-NonCommercial 2.5 License
SQLi
SQL: Structured Query Language, allows you to look up information in a database.
SQL injection is the #1 most common webapp vulnerability.
You’re injecting into a SQL query that you find out more and more information about.
SQLi
Example SQL query:
SELECT name FROM employees WHERE name='alice';
SQL injection (the input alice'; DROP TABLE employees;-- closes the string and adds a second statement; -- comments out the rest):
SELECT name FROM employees WHERE name='alice'; DROP TABLE employees;--';
SQLi
Original page, positive test: http://target.site/person.asp?id=1
2 possible positive tests (same result as the first test):
http://target.site/person.asp?id=1 and 5=5
http://target.site/person.asp?name=alice' and '5'='5
Negative test (breaks the page): http://target.site/person.asp?id=1'
https://trade-portal.codebashing.com
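Why the positive test keeps the page working and the negative test breaks it, and why a prepared statement stops both: an added example (not from the slides) running the slide's name-based tests against an in-memory SQLite table constructed here, once through a query built by string concatenation and once through a parameterised query.

```python
# Added example (not from the slides): the positive and negative tests from
# this slide run against a query built by string concatenation and against a
# prepared statement, using an in-memory SQLite table constructed here.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE employees (id INTEGER, name TEXT)")
conn.executemany("INSERT INTO employees VALUES (?, ?)", [(1, "alice"), (2, "bob")])

def lookup_unsafe(name: str) -> list:
    """Vulnerable: the input is pasted into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    sql = "SELECT name FROM employees WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(name: str) -> list:
    """Fixed: the value travels separately from the SQL text, so it is only
    ever compared as a string and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM employees WHERE name=?", (name,))]

def query_breaks(name: str) -> bool:
    """Negative test: does this input make the concatenated query fail to parse?"""
    try:
        lookup_unsafe(name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    # Positive test: "' and '5'='5" keeps the query valid and the result unchanged.
    print(lookup_unsafe("alice"), lookup_unsafe("alice' and '5'='5"))
    # Negative test: a lone quote leaves the string literal unterminated.
    print("alice' breaks the query:", query_breaks("alice'"))
    # Same inputs via the prepared statement: nobody is literally named that.
    print(lookup_prepared("alice"), lookup_prepared("alice' and '5'='5"))
```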
SQLMap
SQL injections can be a little tedious, especially blind ones.
SQLMap: automatic SQL injection!
Downsides: lots of traffic; can’t handle edge cases.
LFI
Local File Inclusion
Original page, positive test: http://target.site/blog.php?page=index.html
Positive test (same result as the first test): http://target.site/blog.php?page=./index.html
Negative test (breaks the page): http://target.site/blog.php?page=../index.html
http://demo.testfire.net/
XSS
Cross Site Scripting: attack people using the server. Absolutely everywhere.
Bug bounties pay out $200-500 for finding XSS, so it is definitely worthwhile to look for.
XSS
Add at the end of any parameter in your request: http://67.207.89.115:8080/Practice/xss.php
Examples:
<script>alert("XSS");</script>
<script>window.location.replace("http://stackoverflow.com");</script>
<script>function printFlag(){console.log("flag{in_class_flag}");}</script>
The ultimate goal: RCE
~$ Remote code execution: run any program you want on the target computer.
‘Bad hackers’ want this for many reasons, like to collect credit card numbers, launch large DDoS attacks, use resources, etc.
How to find on target
Google: use search operators
site:fsu.edu (finds every page on fsu.edu)
ext:php (finds every dynamic PHP script on fsu.edu)
inurl:id (look for ‘id’ in the URL, like id=1)
How to find (cont.)
Shodan: register with a .edu email address, or send an email to support@shodan.io with your .edu email address and ask for your account to be upgraded. Enjoy your enterprise access!
Defense
Sanitize user input!
SQL: prepared statements
XSS: HTML entities
LFI: strip slashes
Takeaway: never trust the user
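Two of these defenses in code, as an added example (not from the slides): HTML-entity escaping of user input before it is placed in a page, and a path-containment check for the ?page= parameter. The LFI check canonicalises the requested path and refuses anything that resolves outside the pages directory, which is this example's own approach rather than the slide's "strip slashes"; the pages directory is a hypothetical path.

```python
# Added example (not from the slides): two of this slide's defenses in code.
# XSS: HTML-entity-escape user input before it goes into a page.
# LFI: canonicalise the requested path and refuse anything outside the pages
# directory (a containment check used here in place of "strip slashes").
import html
import os
from typing import Optional

def render_greeting(name: str) -> str:
    """'<', '>', '&' and quotes become entities, so a <script> tag arrives in
    the browser as visible text rather than as a tag to execute."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

# Hypothetical directory the blog's ?page= parameter is allowed to read from.
PAGES_DIR = os.path.realpath("/var/www/blog/pages")

def resolve_page(param: str, base: str = PAGES_DIR) -> Optional[str]:
    """Absolute file to include for ?page=..., or None when the canonical
    path (after resolving ../ and absolute paths) leaves the base directory."""
    candidate = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

if __name__ == "__main__":
    print(render_greeting('<script>alert("XSS");</script>'))
    for page in ("index.html", "./index.html", "../index.html", "/tmp/other.html"):
        print(page, "->", resolve_page(page))
```

When the set of pages is fixed, an allow-list of page names is simpler still and removes the file system from the decision entirely.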
In-class/Homework Problem
Decode this URL encoded string:
%66%6c%61%67%7b%68%31%64%31%6e%67%5f%31%6e%5f%70%6c%34%31%6e%5f%73%31%74%33%7d
Do a while loop to decode this base64 string until you get the flag:
Vm0xd1NtUXlWa1pPVldoVFlUSlNjRlJVVGtOamJGWnhVMjA1VlUxV2NIbFdiVEZIWVZaYWRWRnNhRmRXTTFKUVZrZDRXbVF3TlZsalJsWk9WakZLTmxaclVrZFVNVXB5VFZaV1dHSkhhRlJWYkZwM1ZGWlplVTFVVW1wTmF6VllWbGMxVjFaWFJqWldiRkpoVmpOb2FGUldXbHBrTWtaSldrWlNUbGRGU2paV2FrbzBZekZhV0ZKdVVtcGxiWE01
In-class/Homework Problem
Applying Python with websites to get flags: http://ctf.hackucf.org:4000/calc/calc.php
Python is useful in beating this race condition. For easy HTTP requests, use the Python requests library. Optional: you might also be interested in the PyQuery library.
Show your code and the flag for credit.
In-class/Homework Problem
Exploiting a SQL injection: http://67.207.89.115:8080/WebI/sqlchallenge.php
Exploiting LFI: download the flag file from the web application root: http://67.207.89.115:8080/WebI/profile/index.php?page=home
Defeating obfuscation: find the flag: http://67.207.89.115:8080/WebI/tophackers.php