Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.


Automating Bespoke Attacks, Ruei-Jiun, Chapter 13

Outline
Uses of bespoke automation
◦ Enumerating identifiers
◦ Harvesting data
◦ Web application fuzzing
JAttack
◦ a simple bespoke automation tool written in Java
Burp Intruder
◦ the intruder tool in Burp Suite

Why automate bespoke attacks? Performing bespoke attacks manually is extremely laborious and prone to mistakes. Automation strengthens and accelerates bespoke attacks.

Uses for Bespoke Automation There are three main situations in which bespoke automated techniques can be employed to assist you in attacking a web application:
◦ Enumerating identifiers
◦ Harvesting data
◦ Web application fuzzing

Detecting Hits There are numerous attributes of responses in which systematic variations may be detected, and which may provide the basis for an automated attack:
◦ HTTP status code
◦ Response length
◦ Response body
◦ Location header
◦ Set-Cookie header
◦ Time delays

HTTP Status Code
◦ 200 – The default response code, meaning “OK”.
◦ 301 or 302 – A redirection to a different URL.
◦ 401 or 403 – The request was not authorized or allowed.
◦ 404 – The requested resource was not found.
◦ 500 – The server encountered an error when processing the request.

Response Length Dynamic application pages construct responses from a page template of fixed length and insert per-response content into it. If the per-response content does not exist or is invalid, the application might return an empty template. Different response lengths may point towards the occurrence of an error or the existence of additional functionality.

Response Body It is common for the returned data to contain literal strings or patterns such as “not found”, “error”, “exception”, “illegal” or “invalid” that can be used to detect hits.

Location Header In some cases, the application responds to every request for a particular URL with an HTTP redirect. The target of the redirect is specified in the Location header, and it may differ depending on the request parameter:
Request parameter | Location
correct | .../download.jsp
incorrect | .../error.jsp

Time Delays The time taken to return the response may differ depending on whether valid or invalid parameters are submitted. When an invalid username is submitted, the application may respond immediately. However, when a valid username is submitted, the application may perform some computationally intensive validation of the supplied credentials before responding.
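The six response attributes above are exactly what an automated tool compares to decide whether a request was a “hit”, so a defender can use the same comparison as a check: for a login form, the response to a valid username should not be distinguishable from the response to an invalid one on any of them. The following is an added example (not code from the slides or from JAttack) that compares a candidate response against a baseline on those attributes; the sample responses and tolerances are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)
    elapsed_ms: float = 0.0

# Literal strings the slides name as typical error markers in a response body.
ERROR_MARKERS = re.compile(r"not found|error|exception|illegal|invalid", re.IGNORECASE)

def differing_attributes(baseline, candidate, length_tolerance=0, time_tolerance_ms=200):
    """Return the set of attributes on which `candidate` differs from `baseline`.
    An empty set means an automated observer cannot tell the two responses apart
    on status, length, body markers, Location, Set-Cookie or timing."""
    diffs = set()
    if candidate.status != baseline.status:
        diffs.add("status")
    if abs(len(candidate.body) - len(baseline.body)) > length_tolerance:
        diffs.add("length")
    base_markers = {m.lower() for m in ERROR_MARKERS.findall(baseline.body)}
    cand_markers = {m.lower() for m in ERROR_MARKERS.findall(candidate.body)}
    if base_markers != cand_markers:
        diffs.add("body")
    for header in ("Location", "Set-Cookie"):
        if baseline.headers.get(header) != candidate.headers.get(header):
            diffs.add(header.lower())
    if abs(candidate.elapsed_ms - baseline.elapsed_ms) > time_tolerance_ms:
        diffs.add("time")
    return diffs

def find_oracles(baseline, candidates):
    """Map each candidate name to the attributes that leak its outcome; candidates
    indistinguishable from the baseline are omitted."""
    return {name: d for name, r in candidates.items() if (d := differing_attributes(baseline, r))}

# Constructed sample responses (assumed, not captured from any real application).
BASELINE = Response(200, "<p>Login failed: invalid username</p>", elapsed_ms=12)
CANDIDATES = {
    # Same template and markers, but the server spent time checking a real password.
    "valid_user_bad_pw": Response(200, "<p>Login failed: invalid password</p>", elapsed_ms=470),
    # Identical on every attribute: no oracle.
    "other_invalid_user": Response(200, "<p>Login failed: invalid username</p>", elapsed_ms=20),
}
# The redirect case from the Location header slide: outcome leaks via the target URL.
REDIRECT_BASELINE = Response(302, "", {"Location": "/error.jsp"}, elapsed_ms=9)
REDIRECT_CANDIDATE = Response(302, "", {"Location": "/download.jsp"}, elapsed_ms=11)
```

A login endpoint passes the check when `find_oracles` returns an empty dict for every valid/invalid pair; the timing entry is the one most often missed because the template, status and length all match.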

Enumerating Valid Identifiers Various kinds of names and identifiers are used to refer to individual items of data and resources
◦ such as account numbers, usernames, document IDs
◦ e.g. PageNo=
As an attacker, your task is to discover some or all of the valid identifiers in use.

Enumerating Valid Identifiers -Scripting the Attack

Enumerating identifiers - JAttack Request parameter class
- holds parameter details
- can be manipulated
- is attached to a request

Enumerating identifiers - JAttack

Specify URL details

Enumerating identifiers - JAttack

Compile and run JAttack: Output

Harvesting Data There are many vulnerabilities that enable you to extract useful data from web applications. For example, a personal profile page may display the personal and banking details of the current user and indicate that user’s privilege level within the application.

Harvesting Data Consider this request used by an online retailer, which displays the details of a specific order. Assume there is an access control vulnerability such that any user can view the details of any order.

Harvesting Data The format of the OrderRef parameter is a 6-digit date followed by a 4-digit number. When the details for an order are displayed, the page source contains the personal data within an HTML table like the following:

Harvesting Data -JAttack Modify the response parsing to search the response and extract what we want

Harvesting Data -JAttack Configure the request for the data we are interested in

Harvesting Data -JAttack Output

Web Application Fuzzing Using bespoke automation, you can quickly generate huge numbers of requests containing common attack strings and quickly assess the server’s responses. This technique is often referred to as fuzzing. Various attack strings designed to cause anomalous behavior are submitted to see whether particular common vulnerabilities exist.

Web Application Fuzzing Consider the example request

Web Application Fuzzing
◦ ' — This will generate an error in some instances of SQL injection.
◦ ;/bin/ls — This string will cause unexpected behavior in some cases of command injection.
◦ ../../../../../etc/passwd — This string will cause a different response in some cases where a path traversal flaw exists.
◦ xsstest — If this string is copied into the server’s response, the application may be vulnerable to cross-site scripting.

Web Application Fuzzing - JAttack Implement new payload containing fuzz strings

Web Application Fuzzing - JAttack Configure request details

Web Application Fuzzing - JAttack Modify response parsing

Web Application Fuzzing - JAttack Output

Burp Intruder A unique tool that implements all the functionality we described. It enables us to perform all kinds of bespoke automated attacks with a minimum of configuration, and is fully integrated with the other Burp Suite tools such as the proxy and spider.

Burp Intruder 3 steps:
1. Positioning payloads
2. Choosing payloads
3. Configuring response analysis

Burp Intruder 1. Positioning payloads

Burp Intruder 2. Choosing payloads

Burp Intruder 3. Configuring Response Analysis

Burp Intruder – Enumerating Identifiers Consider the following session tokens, which you obtained by logging in several times. Modifying the second portion of a token does not invalidate it.

Burp Intruder – Enumerating Identifiers 1. Configure the payload position

Burp Intruder – Enumerating Identifiers 2. Configure the payload source to generate hexadecimal numbers

Burp Intruder – Enumerating Identifiers 3. Launch the attack to see the results

Burp Intruder – Harvesting Data Suppose you found that you have access to a logging function using the more privileged session token, and that log file entries are accessed using the following request

Burp Intruder – Harvesting Data 1. Use a numeric payload source to generate integers within the range of identifiers

Burp Intruder – Harvesting Data 2. Configure Intruder to capture information in a usable form

Burp Intruder – Harvesting Data Result
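Both harvesting walkthroughs on this page (the JAttack run over OrderRef values and the Intruder run over integer log-entry identifiers) leave the same trace on the server: one client walking a numeric parameter through a run of sequential values, most of which do not exist. The following is an added example (not code from the slides, JAttack or Burp) that reads constructed access-log lines and flags clients whose distinct values of a given parameter form a near-sequential run or mostly miss; the `/orders/view` path and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_enumeration(lines, param, min_distinct=10, max_gap=1, seq_ratio=0.8, miss_ratio=0.5):
    """Return {ip: summary} for clients that requested at least `min_distinct` distinct
    values of `param` and whose sorted values step by at most `max_gap` in at least
    `seq_ratio` of cases, or whose requests returned 4xx/5xx at least `miss_ratio` of the time."""
    seen = defaultdict(dict)                       # ip -> {param value: last status}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                               # skip malformed lines
        for value in parse_qs(urlsplit(m["target"]).query).get(param, []):
            seen[m["ip"]][value] = int(m["status"])
    flagged = {}
    for ip, values in seen.items():
        if len(values) < min_distinct:
            continue
        numeric = sorted(int(v) for v in values if v.isdigit())
        steps = list(zip(numeric, numeric[1:]))
        sequential = sum(1 for a, b in steps if b - a <= max_gap) / len(steps) if steps else 0.0
        misses = sum(1 for s in values.values() if s >= 400) / len(values)
        if sequential >= seq_ratio or misses >= miss_ratio:
            flagged[ip] = {"distinct": len(values), "sequential_ratio": sequential, "miss_ratio": misses}
    return flagged

# Constructed log lines: one client walks OrderRef (6-digit date + 4-digit number)
# from 0001 to 0012 and only three orders exist; another client views two orders.
def _line(ip, ref, status):
    return f'{ip} - - [24/May/2014:10:01:00 +0000] "GET /orders/view?OrderRef={ref} HTTP/1.1" {status} 1834'

SAMPLE_LOG = [_line("10.0.0.5", f"14052400{n:02d}", 200 if n in (3, 7, 11) else 404) for n in range(1, 13)]
SAMPLE_LOG += [_line("10.0.0.9", "1405240003", 200), _line("10.0.0.9", "1405230017", 200)]
```

The same function applied with `param="id"` (or whatever the log viewer's identifier parameter is called) covers the Intruder harvesting case, since the detection keys on the access pattern rather than on the endpoint.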

Burp Intruder – Fuzzing Functionality that can be reached only by privileged users is often less secure, because it is assumed that only trusted users will access it.

Burp Intruder – Fuzzing

Result

Summary It is possible to automate virtually any manual procedure, using the power and reliability of the computer to attack. Using bespoke automation effectively requires experience, skill, and imagination. Tools will help you.