Wednesday, June 8, 2016

Null meet-14th May16 > Lesser Known WebApp attacks

Dear Friends,

If you missed the Null meet on 14th May, you can check out my presentation on SlideShare.
Topic: Lesser Known WebApp Attacks


Happy hacking :)

Sunday, February 7, 2016

RPO (Relative Path Overwrite) XSS

Welcome Readers,

As promised, this post is dedicated to RPO (Relative Path Overwrite) XSS. Let's understand what RPO is and how it can be exploited with XSS.
RPO XSS Introduction
RPO (Relative Path Overwrite) XSS was publicized by Gareth Heyes in 2014. The attack uses a crafted URL (typically one carrying PATH_INFO) to force the target web page to load itself as a style sheet, when that page contains both path-relative style sheets and attacker-controllable content.
To understand Relative Path Overwrite XSS we first need the difference between a relative and an absolute path. An absolute URL is the full URL of a destination, including the protocol and domain name, whereas a relative URL specifies neither a domain nor a protocol and uses the current location to determine them.
Example: Absolute URL: https://thehacker.co.in/test
Relative URL: test/some_subdirectory
The relative URL shown will look for 'test' relative to the current location, with the current domain prepended automatically. There are two important variations of a relative URL: it can use the current path and look for a directory within it, such as "abc", or it can step upwards with directory traversal notation such as "../../abc".
Description and Attack scenario
Recall that the attack uses a crafted URL (typically with a PATH_INFO suffix) to force the target page to load itself as a style sheet. Having seen the difference between an absolute and a relative path, let's demonstrate the finding. Three things are necessary to exploit it:
1) Stored XSS that allows CSS injection.
2) URL rewriting.
3) Relative addressing of the CSS style sheet.
To check for RPO, visit the URL below:
www.webdevelopersnotes.com/graphics/index.php3
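The third precondition above, path-relative style sheet links, is something a developer or reviewer can audit mechanically. The following added example (not from the original post) scans a constructed HTML snippet for `<link rel="stylesheet">` tags whose href has no scheme and no leading slash, shows where each one resolves once a PATH_INFO segment is appended to the page URL, and rewrites them to root-relative paths so PATH_INFO can no longer redirect them; the `example.test` URL, the sample HTML and all function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: one path-relative stylesheet (exposed) and one root-relative (safe).
SAMPLE_HTML = (
    '<html><head>\n'
    '<link rel="stylesheet" href="css/site.css">\n'
    '<link rel="stylesheet" href="/static/print.css">\n'
    '</head><body>Hello</body></html>'
)

LINK_TAG = re.compile(r'<link\b[^>]*>', re.I)
HREF_ATTR = re.compile(r'\bhref=(["\'])(.*?)\1', re.I)
REL_STYLESHEET = re.compile(r'\brel=["\'][^"\']*\bstylesheet\b', re.I)

def is_path_relative(href):
    """True for hrefs like 'css/site.css' or '../x.css' that resolve against the current path."""
    parts = urlsplit(href)
    return not parts.scheme and not parts.netloc and not href.startswith('/')

def stylesheet_hrefs(html):
    """All hrefs of <link rel="stylesheet"> tags, in document order."""
    out = []
    for tag in LINK_TAG.findall(html):
        m = HREF_ATTR.search(tag)
        if m and REL_STYLESHEET.search(tag):
            out.append(m.group(2))
    return out

def rpo_exposed(html, page_url):
    """Path-relative stylesheets and where they resolve once the canonical page URL
    carries a trailing PATH_INFO segment: the page itself then acts as the 'directory'."""
    base = page_url.rstrip('/') + '/'
    return [(h, urljoin(base, h)) for h in stylesheet_hrefs(html) if is_path_relative(h)]

def harden(html, page_url):
    """Rewrite path-relative stylesheet hrefs to root-relative paths anchored at the
    page's real directory, so a PATH_INFO suffix can no longer change where they resolve."""
    page_dir = urlsplit(page_url).path.rsplit('/', 1)[0] + '/'
    def fix_tag(m):
        tag = m.group(0)
        href = HREF_ATTR.search(tag)
        if href and REL_STYLESHEET.search(tag) and is_path_relative(href.group(2)):
            return tag.replace(href.group(0), 'href="%s"' % urljoin(page_dir, href.group(2)))
        return tag
    return LINK_TAG.sub(fix_tag, html)

if __name__ == '__main__':
    url = 'https://example.test/graphics/index.php3'  # constructed canonical page URL
    for href, resolved in rpo_exposed(SAMPLE_HTML, url):
        print('%s -> %s (served by the page itself if PATH_INFO is ignored)' % (href, resolved))
    print(harden(SAMPLE_HTML, url))
```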

Saturday, February 6, 2016

Mighty XSS (Basics of Cross Site Scripting)

Welcome Readers,

In the last post I talked about mXSS. In this post we will cover the types of XSS and various XSS attacks.
First of all, what is XSS, and why is it considered so dangerous that it holds third place in the OWASP Top 10? Let's decode this jargon.
As the name suggests, XSS (Cross-Site Scripting) is a form of script/code that an attacker uses for malicious purposes. Our web applications have multiple input fields: forms, comment boxes, email fields, upload fields and so on.
These are the entry points where a user is supposed to enter valid information. But think like an attacker: what if we write some script/code in the comment box of a web application, and posting that comment makes the site produce output different from what was expected?
Take an example: a bank website whose home page has a search box for finding bank-related information on the site.

Monday, February 1, 2016

Mutation XSS


Hello Friends,
Welcome back :) Today I'm sharing my research on mutation cross-site scripting. After studying and reading a lot of material, I finally decided to write an article about mXSS. I hope you will find it useful.

Mutation Cross site scripting (mXSS)
Mutation-based XSS (mXSS) is a new class of XSS vector discovered by Mario Heiderich. mXSS may occur through innerHTML. The vulnerability affects major browsers such as IE, Firefox and Chrome.
Well-known applications and commercial products such as Yahoo, Rediffmail and Zimbra were vulnerable to mXSS. These vectors managed to bypass widely deployed server-side XSS protection techniques like HTML Purifier, Kses and htmLawed, and client-side filters like the XSS Auditor and the IE XSS filter, as well as WAF systems, IDS and IPS.
Introduction
An mXSS vector is one that mutates from a safe, filtered state into an unsafe, unfiltered state. Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical. The most common form of mXSS arises from incorrect reads of innerHTML: the user-provided content is mutated by the browser, so that a harmless-looking string which passes nearly all XSS filters is ultimately transformed into an active XSS attack vector by the browser.

Saturday, January 30, 2016

Web-Application testing guide

Dear Friends,

In the last post we covered the Nmap tool and its commands. Let's move on to web application testing and a testing guide. Today I'm going to share my own web application checklist, which helps cover all the test cases.
Before that, a little about the well-known security community OWASP.
The Open Web Application Security Project (OWASP) is an online community which creates freely available articles, methodologies, documentation, tools and technologies in the field of web application security.
You can read about it on Wikipedia or on their site.
OWASP publishes its Top 10 web application vulnerabilities. The OWASP Top 10 - 2013 is as follows:
  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Wednesday, December 30, 2015

Network Testing tools- Nmap

Hello Readers,

Welcome back :) So far we have covered web application architecture, web applications and interception techniques. All of this is possible when we do white-box testing. What if you have only the domain name or IP address of the target, i.e. you need to perform black-box testing? What should the testing approach be then? We will talk about this in this post.
Suppose you have a target IP or URL. If you have a URL, obtain its IP by intercepting the request in Burp and noting the resolved IP. Now we need to scan this IP to learn its port status; that is port scanning.
"Port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service".
To scan the ports offered by that server IP we will use the Nmap (Network Mapper) tool.
Nmap lets us find out which ports are open or closed on a particular system, or which operating system is in use.

Friday, December 25, 2015

Basic 4: Proxy intercepting tools- Part 2

Welcome Readers,

Well, we have understood how to configure proxy tools. In this post I will describe some tricky situations where you may be confused about why Burp is not intercepting traffic. Let's look at them one by one.

Suppose you are a security testing professional and you get an assignment for a web application security assessment. Depending on the situation, the application under test may be internet-facing or intranet-facing (note: an intranet is an in-house network), and in an organization subnets are created to share internet access via a single public-facing IP address. To make it simple, read the example below.
Let's say there is an organization ABC with three departments: HR, IT and Finance. Each department has approximately 50-60 employees. To provide internet access to every employee's system, ABC bought a leased line from a service provider. ABC's network administrator created multiple subnets to provide internet access to everybody, so now every system accesses the internet via a proxy provided by the network administrator.
Condition 1: Coming back to testing, the first question that comes to a tester's mind is how to intercept internal applications. The answer is simple: we just need to configure Burp as we configure it for HTTP applications.
Reason: Intranet applications are developed for internal use, so they are not accessible from the internet.
So we just need to point the browser at localhost and have Burp listen on localhost.
Note: Sometimes you need system authentication while testing; that can be automated in Burp under Options > Connections > Platform Authentication.
In the Destination host field, put the application's intranet IP.

Basic 3: Proxy intercepting tools- Part 1

Hello Readers,

In this post we will learn about proxy tools and their configuration. In most web application testing, testers use the PortSwigger Burp Suite tool. It is an excellent proxy tool, with many features for both manual and automated testing.
I am not going to cover each and every feature of this tool; you will find everything about it on its website. I am going to cover the tricky parts, like configuring Burp in various ways to intercept most web applications.
Early in my career, when I started web application testing, I was a bit orthodox. I used to use the Paros and WebScarab tools because they have basic features and are easy to use and configure. But at some stage you need a more powerful tool that can automate and widen the scope of your testing. Burp was certainly my answer. So I advise you to start with basic use of Burp so that you become familiar with its features.
Let's start with Burp's main window.