WebHacking: README, urllib2 scripts

Mari Wahl 2014-12-29 13:06:07 -05:00
parent 54d8d02892
commit a36bde60b7
15 changed files with 209 additions and 99 deletions

@ -1,14 +1,53 @@
# Web Security
* If a database is involved --> SQL injection.
## Folders:
* If the input is used in the website --> XSS vulnerability.
### urllib2
- simple GET, POST, header, authentication scripts
- Scanning CMS suites installations
- Brute force directories and file locations
- Brute force HTML form authentication
### OS Command Injection
- Brute force password
### SQLi
- Brute force password
- Timed SQLi
- Cookie force brute
### PHP Shellcodes
- php primer
- xor
- exploits
### User ID
- cookie auth
- user id
### Phishing
- log.php
### Scanners
- heartbleed
---
## Steps of web exploitation:
1. Information Gathering
### 1) Information Gathering
* creation of dictionary: with **cewl.rb**/
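Review bot: in the new folder index, "- Brute force password" under "### OS Command Injection" duplicates the first SQLi entry and does not describe a command-injection script; if the folder holds a brute-forcer driven through an injected command, say so, otherwise drop the line. Two smaller points in the same hunk: "### PHP Shellcodes" is a misnomer for PHP webshells (shellcode is machine code), and "with **cewl.rb**/" ends in a stray slash that renders as a literal "/".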
@ -22,9 +61,14 @@ $ wget -rck <TARGET-WEBSITE>
* a search for other domains that are hosted on the same IP (virtual host): with **revhosts**.
* Tips:
* If a database is involved --> SQL injection.
* If the input is used in the website --> XSS vulnerability.
2. Automatic Testing (scanners)
### 2) Automatic Testing (scanners)
* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
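Review bot: "**ZAP**/" on the Tools line carries the same stray trailing slash as the cewl.rb line earlier in this commit; since the two SQLi/XSS tips are being moved under "* Tips:" here anyway, this line is the natural place to clean it up in the same change.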
@ -37,11 +81,11 @@ $ wget -rck <TARGET-WEBSITE>
* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
3. Manual testing
### 3. Manual testing
* testing vulnerabilities: Burpproxy, ZAP, sitescope.
* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Management Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
* fingerprinting to identify the architecture and configuration of the site: **httprint**.
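Review bot: the step heading "### 3. Manual testing" uses a period while the other two steps in this commit are "### 1)" and "### 2)"; pick one form. The "Managment" to "Management" fix is good, but the same line still contains "find known vulnerabilities and **/** associated with it", an empty bold span left from an earlier edit; the missing word should be filled in or the span removed rather than carried forward.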
@ -83,15 +127,15 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
```
* [My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html)
---
## How do You Hack a Web Application
* Fuzz testing: what happens when unexpected data is sent into the application?
* Authentication testing: are authentication requirements always enforced?
* Authorization testing: can authorization be bypassed?
* Information disclosure: is information disclosed that might help compromise the application.
* **Fuzz testing**: what happens when unexpected data is sent into the application?
* **Authentication testing**: are authentication requirements always enforced?
* **Authorization testing**: can authorization be bypassed?
* **Information disclosure**: is information disclosed that might help compromise the application.
### Web Testing Methodology:
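Review bot: bolding the four test categories is fine, but the fourth item, "**Information disclosure**: is information disclosed that might help compromise the application.", is phrased as a question like the other three and should end with a question mark for consistency.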
@ -103,37 +147,19 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
* Unprivileged/Privileged.
- Identify key requests, functionality during crawl.
- Use logs as input for fuzzing GET & POST parameters.
- Use authenticated log to uncover unprotected resources.
- Use privileged log to uncover resources withou proper authorization.
- Use privileged log to uncover resources without proper authorization.
- Analyze logs for other potential weakness.
## Folders:
---
### OS Command Injection
### SQLi
- Brute force password
- Timed SQLi
- Cookie force brute
### PHP Shells
- php primer
- xor
- exploits
### User ID
- cookie auth
- user id
### Other Resources
#### When we have a Website/IP Address:
### When we have a Website/IP Address:
- Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com.
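Review bot: removing the old "## Folders:" index from here is right now that it lives at the top of the file, but the move silently renamed "### PHP Shells" to "### PHP Shellcodes"; the old name is the accurate one. The "withou" to "without" fix and the heading-level change are fine. On the context line "Try to add folders to the domain, such as http://csaw2014.website.com or http://key.website.com", the examples are subdomains, not folders; worth correcting while the section is touched.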
@ -152,7 +178,7 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
## URLs
#### Octal
### Octal
- Example: http://017700000001 --> 127.0.0.1
@ -160,10 +186,10 @@ $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
((206 * 256 + 191) * 256 + 158 ) * 256 + 50 = 3468664370.
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564)
#### Great @
### Great @
- Everything between "http://" and "@" is completely irrelevant
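Review bot: "(2564)" on the dword line is "256^4" with the exponent lost, and the change here is whitespace-only, so this is the moment to write it as 256^4 or 2^32 so the reader can see that adding 4294967296 just wraps the 32-bit value. The arithmetic on the preceding context line checks out: ((206 * 256 + 191) * 256 + 158) * 256 + 50 = 3468664370.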
@ -172,7 +198,7 @@ http://doesn'tmatter@www.google.org
http://!$^&*()_+`-={}|[]:;@www.google.com
```
- @ symbol can be represented by its hex code %40
- @ symbol can be represented by its hex code %40
- dots are %2e
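Review bot: the line "@ symbol can be represented by its hex code %40" needs a caveat before it is kept as-is in this whitespace-only change: a parser that follows RFC 3986 splits the authority on the literal "@" before percent-decoding, so "http://www.google.org%40evil.com/" does not yield host evil.com, and the trick only works against code that decodes the string and then re-parses it. The same applies to "%2e" in place of dots in the host.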
@ -199,7 +225,7 @@ http://!$^&*()_+`-={}|[]:;@www.google.com
- Accept-Language: supported language codes
- Referer: originating page for the request
* The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (the length should be specified with the Content-Length header).
* The headers are terminated with a single empty line, which may be followed by any payload the client wishes to pass to the server (the length should be specified with the Content-Length header).
* The payload is usually browser data, but there is no requirements.
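Review bot: "the length should be specified with the Content-Length header" describes only one of the two HTTP/1.1 body framings; a body may also be sent with "Transfer-Encoding: chunked" and no Content-Length, and a request carrying both is the ambiguity request smuggling relies on, so the rewritten line would benefit from one sentence saying so. The context line "there is no requirements" should read "there are no requirements".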
@ -241,7 +267,7 @@ name=John&type=2
### Session IDs
* HTTP protocol does not maintain state between requests. To maintain a state, must use a state tracking mechanism such as session identifier (session ID), which is passed within a request to associate requests with a session.
* HTTP protocol does not maintain state between requests. To maintain a state, must use a state tracking mechanism such as session identifier (session ID), which is passed within a request to associate requests with a session.
* Session ID's can be passed in these places:
- URL
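Review bot: whitespace-only change to the session-ID sentence; while here, give "must use a state tracking mechanism" its subject ("the application must use"), and on the context line below drop the apostrophe in "Session ID's" (plural, not possessive).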
@ -260,11 +286,6 @@ Set-Cookie: SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly
* Client sends Cookie header to server to continue session.
-----
## Tools
- Burp Suite
- FireBug] in Firefox
----
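Review bot: dropping this "## Tools" block (with its broken "FireBug]" link) is fine given the inline list added at the end of the file. The Set-Cookie example shown as this hunk's context, "SID=472ndsw;expires=DATE;path=/;domain=SITE,HttpOnly", separates HttpOnly with a comma; cookie attributes are delimited by semicolons, so as written HttpOnly is part of the domain value and the flag is never set. A session-cookie example should also carry "Secure" next to HttpOnly.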
@ -342,10 +363,10 @@ SELECT user_id FROM user_data WHERE name='john' and password='password'
* Browser naively submits credentials when attempting to retrieve resources.
* Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability).
* Identification and verification manual of CSRF can be done by checking in the website's forms (usually where most often find this vulnerability).
* To check this, you will need to copy an original request (GET / POST) on a form and then make a change in the parameters and re-send the same request modified. If the server does not return an error, it can be considered that it is vulnerable to
CSRF.
CSRF.
* To perform this task, we can use the tools **csrftester** or **burp** proxy.
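Review bot: the reflowed CSRF paragraph keeps a test that does not establish CSRF: changing parameters and getting no error only shows the server accepts the modified values. The decisive check is whether a state-changing request succeeds without any unpredictable, session-bound token (remove or alter the token if one is present, or replay the captured request from a page on a different origin), so "If the server does not return an error, it can be considered that it is vulnerable to CSRF" should be reworded along those lines rather than only re-wrapped.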
@ -435,11 +456,11 @@ GET /Vuln.jsp?p1=<script>evil();</script>
* Encode attack strings: URL, UTF-8, UTF-7
* Trick browser into using alternative character set (necessity of encoding consistence):
```
<?php
header('Content-Type: text/html; charset=UTF-7');
$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
echo htmlentities($string);
<?php
header('Content-Type: text/html; charset=UTF-7');
$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
echo htmlentities($string);
?>
```
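Review bot: the PHP block is re-indented only; while touching it, tag the fence as ```php and add a comment on why htmlentities() is bypassed: mb_convert_encoding() turns "<script>" into "+ADw-script+AD4-", which contains none of the characters htmlentities() escapes, and a browser that honours the "charset=UTF-7" header decodes it back into markup. The same comment should say that this depends on the browser honouring UTF-7 at all, an IE-era behaviour; the WHATWG Encoding Standard does not include UTF-7, so current browsers ignore that charset.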
@ -661,20 +682,12 @@ Authorization: Basic YWRtaW46YWRtaW4=
</body>
```
----
-----------------
[FireBug]: http://getfirebug.com/
[Burp Suite]: http://portswigger.net/burp/
[pngcheck]: http://www.libpng.org/pub/png/apps/pngcheck.html
[karmadecay]: http://karmadecay.com/
[tineye]: https://www.tineye.com/
[images.google.com]: https://images.google.com/?gws_rd=ssl
[base64 decoding]: http://www.motobit.com/util/base64-decoder-encoder.asp
[subbrute.py]: https://github.com/SparkleHearts/subbrute
[pnginfo]: http://www.stillhq.com/pngtools/
[namechk]: http://namechk.com
## Other Tools
* [FireBug](http://getfirebug.com/)
* [Burp Suite](http://portswigger.net/burp/)
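Review bot: the removed reference-style link definitions ([pngcheck], [karmadecay], [tineye], [images.google.com], [base64 decoding], [subbrute.py], [pnginfo], [namechk]) are only safe to delete if nothing in the rest of this file, or in the other 14 changed files, still uses them as "[text][name]" or "[name][]" references; only FireBug and Burp Suite are re-added inline, so please grep for the others before merging. Replacing "-----------------" with "----" is fine.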