On this lab, we need to describe the flaw of web application and how it is exploited. Besides that, we also have to exploit the web vulnerabilities. After that, we need to list prevention method that can be taken to overcome web application vulnerabilities.
WHAT IS WEB APPLICATION SECURITY??
Web application or simply called webapp is an application that can be accessed using a web browser over a network, either the Internet or within the Local Area Network. It is developed using browser-supported language such as HTML, JavaScript, PHP, ASP and etc. The script produced is then rendered by common web browser. Web application let user to access application or system anywhere and at any time provided the user is connected to a network connection and there is a web browser installed on the machine. This ease of usage makes webapp popular among Internet user. Moreover the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contribute to the popularity of the webapp. Nowadays webapp is used for accessing mail, online banking, online shopping, online reservation, wikis and many other functions.
An increase in the usage of web applications is directly related to an increase in the number of security incidents for them. Even though the server is patch with the latest version of the software, the network are installed with the latest firewall system and Intrusion detection system is deployed to monitor the network, if the web application itself is lack of security features the vital information stored in its content is still expose to intrusion. A Web application system should be carefully and safely develop because it is the first line of defense, any fault or flaws in it development stage, the server configuration and even the scripting used in it development can bring a major loop hole that can be manipulated by intruder to be used as the backdoor to the entire network.
Web Application
Web application is an application that can be accessed using a web browser over a network. It is developed using browser-supported language such as HTML, JavaScript, PHP, ASP and etc. We also can use software such as dreamweaver to create a web application. The script produced is then rendered by common web browser. User can access web application anywhere and at any time, but user need to connect to a network connection and there is a web browser installed on the machine. This ease of usage makes web application popular among
internet user. Moreover the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contribute to the popularity of the webapp. Nowadays webapp is used for accessing mail, online banking, online shopping, online reservation, wikis and many other functions.
The Open Web Application Security Project (OWASP) is an open community that focuses on improving the security of application software. Anyone can join this community and contribute an idea for developing secure software. OWASP provide free material such as article on secure programming, security testing guide and much more but all of the material is under free software license.
WebGoat
WebGoat is simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application. WebGoat provide hints and code to fexploit the vulnerabilities. WebGoat will keep track on the progress of the user on every lesson they completed, user can see their level of competence in trying to solve every problem given in the lesson.The primary goal of the WebGoat project is simple, to create a de-facto interactive teaching environment for web application security.
WebScarab
WebScarab is another tool to expose the working of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that application has been designed or implemented. WebScarab can use in any platform because it developed use JAVA programming language. WebScarab can intercept HTTP and HTTPS communication.
WebGoat and WebScarab
WebGoat = Simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application.
WebScarab = Tool for everyone who need to expose the working of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that application has been designed or implemented.
Web Application Hacking simulation using WebGoat and WebScarab
Step 1: Copy the WebGoat-OWASP_Standard-5.2.zip and extract it to the C:\ drive.
Step 2: Open the C:\ WebGoat-5.2 folder and open the webgoat.bat to start the apache tomcat J2EE.
Step 3:Open an IE 6.0 web browser or a firefox web browser and type http://localhost/WebGoat/attack.
Step 4: Login as User Name: guest Password: guest
Step 5: Open webscarab-selfcontained-20070504-1631.jar
Step 6: If the WebScarab does not open do install the JDK module (jdk-6u4-windows-i586-p.exe) to your computer.
Step 7: Once the WebScarab started
Step 8: Next Configure the Web browser proxy starting so that it listen to 127.0.0.1 (localhost) port 8008.
Step 9: Go to WebScarab and click on the intercept tab and enable the intercept request checkbox but disable the intercept response checkbox. This will enable the intercept features of the WebScarab in which it will intercept any request signal from the web browser.
Step 10: Close your previous web browser, open it again and type in http://localhost/WebGoat/attack.
Step 11: WebScarab will intercept your request to visit the website by prompting an Edit request window as depicted in figure 5.6. This prompted window shows the request data that you send to the web server.
Step12: The text field indicated by the arrow shows the text field containing the data you send to the web server and it can be modified.(in some of the following task you need to modified the content of the text field to help you solve the problem in lesson.
Step13: For this task do not changes the text field value just click the [Accept changes] button to view the WebGoat main page.
Step 14: Each time you click on a submit button or a link on the webpage, the Edit request window will always appear, so make sure you click on Accept changes button to view your request page display on the browser.
Getting started with WebGoat and WebScarab
Step 1: Click on [Start WebGoat]
Step 2: Click on the Introduction | How to work with WebGoat menu.
Step 3: Read and follow the instruction given in the WebGoat.
XSS Attack
Step 1: Click on the Cross Site Scripting (XSS) | Phising with XSS menu
Step 2: Apply the script below to the text field in order to create a false login page so that you can harvest the username and password keyed in by the user.
Step 3: Once you hit the Search button you will see a comment page containing a place for you to login. This login page is created using the java script above.
Step 4: Try login in with any username and password; if this is a real phishing website you would not get the prompted message on your screen but the value you supplied might be send across the world to a server that gather the login information.
Step 5: Next click on the Cross Site Scripting (XSS) | Reflected XSS Attacks menu.
Step 6: In this lesson some prevention mechanism has been build in the script, some field have a validation toward the character you supplied. It will reject any tag symbol you used, however there are still some that is not protected. By using the script below find which the text field that can be exploited using XSS attack?
Injection Flaws
Step 1: Click on the Injection Flaws | Numeric SQL Injection menu.
Step 2: From the combo list choose a weather station and click the [Go!] button, (Do not forget to click on the accept changes button of the edit request windows) you will get the information for the country you select.
Step 3: To apply the Injection flaws you need to choose a new country and click [Go!] button. Before clicking the [Accept changes] button on the edit request windows, in the [URLEncoded] tab, add the value station variable with
This is input is a numerical value
Step 4: Once the value is changed, click [Accept changes] button. The entire data is displayed on the screen. This shows that by manipulating the input field that is not properly design we can display the entire data in the database.
Step 5: Repeat this task on the Injection Flaws | String SQL Injection. Use the right input for this problem and compare the result. (Hint: The input should be a string).
Malicious File Execution
Step 1: Click on the Injection Flaws | Command Injection menu.
Step2: By choosing the lesson plan to view and clicking on [View] button, user will be shown the content of the lesson. This exercise will manipulate the input field by adding the input with a command line instruction.
Step 3: Select a new lesson and click [View]. Before clicking the [Accept changes] button add the following command to your HelpFile variable value
This command will display directory list and network configuration setup.
Step 4: Once you click the [Accept changes] button the following output will be displayed on the screen.
Monday, October 26, 2009
Lab 5 - Web Application
Posted by ~Nurul Ain~ at 8:29 AM
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment