viprajput

SESSION 14

Jun 24th, 2018

ARBITRARY FILE UPLOAD
=====================
Arbitrary File - An arbitrary file is a malicious shell file which, if uploaded by an attacker into a web application, gives full control of the server machine the website is hosted on, including exploring it and performing any operation.
Arbitrary File Upload is the situation where we upload such arbitrary files through an input method of the web application and get full access to the server machine the website is hosted on.

Attack Vectors
============
An attacker can get full control of the server machine.
After getting access to the server, he/she can deface and delete all the websites hosted on the server if it is a shared server.

Demonstration in DVWA and LVS.

------------------------------------------------------------------------------------
  15.  
POST PARAMETER INJECTION
==========================
POST Parameter Injection is the attack vector where we tamper with and manipulate POST parameters and HTTP headers through tools like Tamper Data, Burp Suite etc.
First we have to capture the HTTP packets (the parameters) moving from the browser to the web server.

Demonstration on DVWA Arbitrary File Upload at Medium level, changing the extension of the arbitrary file through Tamper Data.
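The Medium level check that the tampering above defeats trusts values the client controls (the Content-Type header and the filename in the multipart body). The following is an added example, not code from the page or from DVWA: a constructed Python upload validator with a weak version that believes the client's Content-Type, beside a hardened version that allowlists the extension, checks the file's leading bytes, and stores the file under a server-generated name. The names Upload, accept_upload_weak, accept_upload_strong, ALLOWED_TYPES and the sample inputs are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass

# Added example (not DVWA's or the page's code). All names here are
# assumptions made for this illustration.

MAX_BYTES = 100_000

# Allowed extensions and the leading bytes ("magic numbers") a genuine file
# of that type starts with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


@dataclass
class Upload:
    """What the server sees from a multipart form: every field is client-controlled."""
    filename: str
    content_type: str
    data: bytes


def accept_upload_weak(u: Upload) -> bool:
    """Check in the spirit of the DVWA Medium level: it believes the Content-Type
    header and size the client sent. Editing that header in a proxy, as the
    session describes with Tamper Data, is enough to pass it."""
    return u.content_type in ("image/jpeg", "image/png") and len(u.data) <= MAX_BYTES


def accept_upload_strong(u: Upload):
    """Hardened check. Returns the server-chosen filename to store under, or None.
    Nothing the client sends is trusted: the extension must be on the allowlist,
    the bytes must match that type's magic number, and the client's own filename
    (which could carry '..' or a .php suffix) is discarded."""
    if len(u.data) > MAX_BYTES or "." not in u.filename:
        return None
    ext = u.filename.rsplit(".", 1)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not u.data.startswith(magic):
        return None
    # Random name with an allowlisted extension; serve it from a directory with
    # script execution disabled so a stored file is only ever returned as data.
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs (not real uploads).
TAMPERED = Upload("cmd.php", "image/jpeg", b"<?php /* constructed placeholder */ ?>")
DOUBLE_EXT = Upload("cmd.php.jpg", "image/jpeg", b"<?php /* constructed placeholder */ ?>")
REAL_JPEG = Upload("photo.JPG", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)


if __name__ == "__main__":
    for sample in (TAMPERED, DOUBLE_EXT, REAL_JPEG):
        print(sample.filename, "weak:", accept_upload_weak(sample),
              "strong:", accept_upload_strong(sample))
```

The weak check passes the tampered upload because the only thing it looks at is a header the proxy rewrote; the strong check rejects it on extension and again on content. A double extension like cmd.php.jpg is also rejected here because the bytes are not a JPEG, and even a file that does carry a JPEG header is written under a random .jpg name in a no-execute directory, so the server never treats it as a script.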

TOOLS
-------
Tamper Data
Burp Suite

----------------------------------------------------------------------------------------------------------


SESSION 14
===========

INTRODUCTION TO BURP SUITE
===========================
Burp Suite is a graphical tool for testing web application security. Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, for doing vulnerability assessment and penetration testing of a web application.

The tool is written in Java and developed by an organization named PortSwigger Security. We also use Burp Suite for tampering with data moving from one node to another.
There are 2 versions of Burp Suite :

= Professional version, $349.00 per user, per year, having all the functions.
= Community Edition, which is free of cost.

Features of Burp Suite :
================
= Proxy Services : In Burp Suite, everything starts with setting up your browser to use Burp's proxy. It is set up as a socket in Burp which tells it where to intercept the data. It lets you tamper with the request and response the way you want. You can change form methods from GET to POST or vice versa, unhide hidden fields, enable disabled fields etc.

= Intruder : Intruder is like a master spy in Burp Suite which helps in attacking the web application in many ways. Burp Intruder is meant for exploitation and automating attacks. For that, Intruder is a very good and efficient request sender and response collector. It is basically used for performing powerful customized attacks to find and exploit unusual vulnerabilities.
It further has Payloads and Attack Modes. Payloads are the data, malicious or non-malicious, we send to a web application. Attack modes define how to send it. Attack modes are "Cluster Bomb", "Sniper" etc.

= Scanner : The scanner can interact with your web application and detect simple security issues, such as a password being submitted with the GET method, as well as advanced vulnerabilities. You can set the speed of scanning, pause and resume, choose scan areas and more.

= Spider : Spidering, or web crawling, is the process of automatically following all the links on a web page to discover both static and dynamic web resources of the web application.

= Repeater : You can select a request from Target or other sources and send it to Repeater to tamper further with the request by changing the data being sent, the request method, cookie values and many other client-side values.

BRUTE FORCING USING BURP SUITE
===============================

Brute Force Attack : Brute forcing is a trial-and-error method used by application programs to decode encrypted data such as passwords, through exhaustive effort rather than intellectual strategies.

Let us first understand the flaw through which brute forcing works. Brute forcing works because of a lack of filtering on login forms. If there is no extra layer of security and no limit on credential attempts, brute forcing can be done.

Demonstration on DVWA, LVS and demo.testfire.net,
using Burp Suite Community Edition.

STEPS :
=======

= Open the target web application where we want to brute force.
= Set up proxy settings in the browser
- Browser Settings > Network Settings > Proxy Configuration > Manual Proxy > Enter a socket on localhost > 127.0.0.1:9500
- Check mark "Use this proxy server for all protocols"
- Clear all details from "No Proxy for".
- Click on Apply.
= Open Burp Suite
= Go to Proxy > Options > Enter the proxy socket which we entered in the browser settings.
= Click on Intercept > Intercept is ON (this will start capturing moving packets)
= Enter anything on the login form, either username or password or both, with any values.
= Burp Suite will start blinking.
= Burp Suite has captured a packet. Select the packet containing the credentials in Burp Suite > Right click > Send to Intruder.
= Turn off Intercept mode.
= Go to Intruder > Positions > Clear
= Select the parameters you want to start brute forcing on.
- Select the value of username < Add
- Select the value of password < Add
= Select the attack mode
= Sniper mode : If you know either the username or the password.
= Cluster Bomb mode : If you don't know anything about the credentials and you want to brute force both username and password.
= Go to Payloads > Set up a wordlist in Payloads > Give a default list of random credentials for login into DVWA or demo.testfire.net
= Select values for the payloads
Payload 1 > list of usernames
Payload 2 > list of passwords
= Options > Grep Match > Clear
= Username and/or password incorrect. < Add
= Click on "Start Attack"
= Examine the Length column of the payloads
= There will be one common length number; click on every different one.
= Go to the Response of that payload.
= Click on Render (which will show you the rendered web page itself).
= Find out the correct username and password and enter them.
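The flaw the section names is the missing limit on attempts, and the step that finds the hit is the one response whose length differs from the rest. Both sides of that can be handled on the server, and as an added example (not code from the page, DVWA or Burp Suite) here is a constructed Python script that detects a login burst from access-log lines and applies a per-account lockout. The log lines in SAMPLE_LOG are constructed for this illustration; login_bursts, LoginGuard and the login path /login.php are assumed names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not the page's or any tool's code. Log lines are constructed.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2018:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1356
10.0.0.5 - - [24/Jun/2018:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.5 - - [24/Jun/2018:10:00:06 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.5 - - [24/Jun/2018:10:00:06 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.5 - - [24/Jun/2018:10:00:07 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.5 - - [24/Jun/2018:10:00:07 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.5 - - [24/Jun/2018:10:00:08 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.9 - - [24/Jun/2018:10:03:00 +0000] "POST /login.php HTTP/1.1" 200 1412
10.0.0.9 - - [24/Jun/2018:10:09:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""

# Combined-format access log line: ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def login_bursts(log_text, login_path="/login.php", threshold=5, window=timedelta(minutes=1)):
    """Map each source IP to the most login POSTs it made inside any `window`,
    keeping only IPs at or above `threshold`. Lines are assumed in time order.
    Status codes are not used: a failed form login usually returns 200 with the
    error page, which is why Burp's Length column is the tell in the session."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


class LoginGuard:
    """The 'limit to enter the credentials' the section says is missing:
    after `max_failures` failures inside `window`, the account is locked for `lockout`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def allowed(self, user, now):
        until = self.locked_until.get(user)
        return until is None or now >= until

    def record(self, user, success, now):
        q = self.failures[user]
        if success:
            q.clear()
            self.locked_until.pop(user, None)
            return
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lockout


if __name__ == "__main__":
    print(login_bursts(SAMPLE_LOG))  # flags 10.0.0.5 only
```

Pair the lockout with a uniform error response (same body, same length, same status for a wrong username and a wrong password), otherwise the Length column still distinguishes the one successful payload from the rest even when the attempt rate is slowed down.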

AUTHENTICATION BYPASS USING BURPSUITE
======================================

When brute forcing with Burp Suite, if the login form does not accept any of the passwords we entered in the Payloads, we can examine whether the website is vulnerable to Authentication Bypass or not.

Steps -
For Authentication Bypass, we first have to scan for vulnerabilities and check whether Authentication Bypass can happen or not.
If yes, we have to put
Username : 1'or'1'='1 Password : 1'or'1'='1
Username : admin'or'1'or'1'='1 Password : admin'or'1'or'1'='1
Username : x'or'x'='x Password : x'or'x'='x
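The three inputs above work only when the login query is built by pasting the form fields into the SQL text. As an added example, not code from the page or from DVWA, here is a constructed Python script with an in-memory SQLite table: login_vulnerable concatenates the fields and so matches a row for the section's inputs, while login_safe binds them as parameters and does not. The table layout, the user "admin" and the password value are constructed for this illustration (a real application stores a password hash, not the password).

```python
import sqlite3

# Added example; not the page's or DVWA's code. Table contents are constructed.


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plain password only so the query comparison is easy to read.
    con.execute("INSERT INTO users VALUES (?, ?)", ("admin", "correct horse"))
    return con


def login_vulnerable(con, username, password):
    """Query text assembled from the form fields. The quotes in the section's
    inputs close the string literal and the rest becomes SQL, e.g.
    WHERE username='1'or'1'='1' AND password='1'or'1'='1'
    which is true for every row, so the first user is returned."""
    query = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same query with bound parameters: the inputs are compared as whole values
    and never parsed as SQL, so the bypass inputs match no row."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The section's three username/password pairs.
BYPASS_INPUTS = [
    ("1'or'1'='1", "1'or'1'='1"),
    ("admin'or'1'or'1'='1", "admin'or'1'or'1'='1"),
    ("x'or'x'='x", "x'or'x'='x"),
]


def compare(con):
    """Return [(vulnerable result, safe result)] for each bypass input."""
    return [(login_vulnerable(con, u, p), login_safe(con, u, p)) for u, p in BYPASS_INPUTS]


if __name__ == "__main__":
    for (u, _), (vuln, safe) in zip(BYPASS_INPUTS, compare(make_db())):
        print(f"{u:26} vulnerable -> {vuln!r:8} safe -> {safe!r}")
```

The bound-parameter form is the fix for the whole class, not just these three strings; the scan step in the section is finding whether the first form is in use.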

-----------------------------------------------------------------------------------------------------------------------------------