
CEHv8 module 13 hacking web applications


Hacking Web Applications
Module 13
Exam 312-50 Certified Ethical Hacker. Ethical Hacking and Countermeasures
Hacking Web Applications
Engineered by Hackers. Presented by Professionals.
CEH: Ethical Hacking and Countermeasures v8, Module 13: Hacking Web Applications, Exam 312-50
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 13 Page 1724
Security News
XSS Attacks Lead Pack As Most Frequent Attack Type
Source: http://www.darkreading.com
Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole.
Amongst the cyber-attacks registered in the report, FireHost categorises four attack types in particular as representing the most serious threat. These attack types are among FireHost's 'Superfecta' and they consist of Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).
One of the most significant changes in attack traffic seen by FireHost between Q2 and Q3 2012 was a considerable rise in the number of cross-site attacks, in particular XSS and CSRF attacks rose to represent 64% of the group in the third quarter (a 28% increased penetration). XSS is now the most common attack type in the Superfecta, with CSRF now in second. FireHost's servers blocked more than one million XSS attacks during this period alone, a figure which rose
69%, from 603,016 separate attacks in Q2 to 1,018,817 in Q3. CSRF attacks reached second place on the Superfecta at 843,517.
Cross-site attacks are dependent upon the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user via a trusted site (often coming in the form of a hyperlink containing malicious content), whereas CSRF attacks exploit the trust that a site has for a particular user instead. These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details - without the site or user's knowledge.
The severity of these attacks is dependent on the sensitivity of the data handled by the vulnerable site and this ranges from personal data found on social networking sites, to the financial and confidential details entered on ecommerce sites amongst others. A great number of organisations have fallen victim to such attacks in recent years including attacks on PayPal, Hotmail and eBay, the latter falling victim to a single CSRF attack in 2008 which targeted 18 million users of its Korean website. Furthermore in September this year, IT giants Microsoft and Google Chrome both ran extensive patches targeted at securing XSS flaws, highlighting the prevalence of this growing online threat.
"Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley, CISSP - a Senior Security Engineer at FireHost. "It's vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected. Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don't fall victim to an attack of this nature. The consequences of which can be significant, in terms of both financial and reputational damage."
The Superfecta attack traffic for Q3 2012 can be broken down as follows:
As with Q2 2012, the majority of attacks FireHost blocked during the third calendar quarter of 2012 originated in the United States (11 million / 74%). There has however, been a great shift in the number of attacks originating from Europe this quarter, as 17% of all malicious attack traffic seen by FireHost came from this region. Europe overtook Southern Asia (which was responsible for 6%), to become the second most likely origin of malicious traffic.
Varied trends among the Superfecta attack techniques are demonstrated between this quarter and last:
During the build up to the holiday season, ecommerce activity ramps up dramatically and cyber-attacks that target website users' confidential data are also likely to increase as a result. As well as cross-site attacks, the other Superfecta attack types, SQL Injection and Directory Traversal, still remain a significant threat despite a slight reduction in frequency this quarter.
Ecommerce businesses need to be aware of the risks that this period may present to their security, as Todd Gleason, Director of Technology at FireHost explains, "You'd better believe that hackers will try and take advantage of any surges in holiday shopping. They will be devising a number of ways they can take advantage of any web application vulnerabilities and will use an assortment of different attack types and techniques to do so. When it's a matter of
confidential data at risk, including customer's financial information - credit card and debit card details - there's no room for complacency. These organisations need to know that there's an increased likelihood of attack during this time and it's their responsibility to take the necessary steps to stop such attacks."
Copyright © 2013 UBM Tech, A ll rights reserved
attacks-lead-pack-as-most-frequent-attack-type.html
Module Objectives
The main objective of this module is to show the various kinds of vulnerabilities that can be discovered in web applications. The attacks exploiting these vulnerabilities are also highlighted. The module starts with a detailed description of web applications. Various web application threats are mentioned. The hacking methodology reveals the various steps involved in a planned attack. The various tools that attackers use are discussed to explain the way they exploit vulnerabilities in web applications. The countermeasures that can be taken to thwart any such attacks are also highlighted. Security tools that help network administrators to monitor and manage web applications are described. Finally, web application pen testing is discussed.
This module familiarizes you with:

- How Web Applications Work
- Web Attack Vectors
- Web Application Threats
- Web App Hacking Methodology
- Footprint Web Infrastructure
- Hacking Webservers
- Analyze Web Applications
- Attack Authentication Mechanism
- Attack Authorization Schemes
- Session Management Attack
- Attack Data Connectivity
- Attack Web App Client
- Attack Web Services
- Web Application Hacking Tools
- Countermeasures
- Web Application Security Tools
- Web Application Firewall
- Web Application Pen Testing
Module Flow
Web applications are application programs that are accessed over an Internet connection. These applications use HTTP as their primary communication protocol. Attackers generally target these apps for several reasons, and they are exposed to various attacks. For a clear understanding of hacking web applications, we have divided the concept into the following sections:
- Web App Concepts
- Web App Threats
- Hacking Methodology
- Web Application Hacking Tools
- Countermeasures
- Security Tools
- Web App Pen Testing
Let us begin with the Web App concepts.
Web App Concepts
This section introduces you to the web application and its components, explains how the web application works, and its architecture. It provides insight into Web 2.0 applications, vulnerability stacks, and web attack vectors.
Web Application Security Statistics
Source: https://www.whitehatsec.com
According to the WhiteHat Security website statistics report for 2012, cross-site scripting vulnerabilities are found in more web applications than any other class of vulnerability. From the graph you can observe that in the year 2012, cross-site scripting vulnerabilities were the most common, found in 55% of the web applications. Only 10% of web application attacks are based on insufficient session expiration vulnerabilities. In order to minimize the risks associated with cross-site scripting vulnerabilities in web applications, you have to adopt the necessary countermeasures against them.
FIGURE 13.1: WhiteHat Security Website Statistics Report, 2012 (bar chart of the percentage of web applications affected by each vulnerability class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, Cross-Site Request Forgery, Brute Force, Predictable Resource Location, SQL Injection, Session Fixation, Insufficient Session Expiration)
Introduction to Web Applications
Web applications are applications that run on a remote web server and send their output over the Internet. Web 2.0 technologies are used by all the applications based on web servers for purposes such as communication with users, clients, third-party users, etc.
A web application is comprised of many layers of functionality. However, it is considered a three-layered architecture consisting of presentation, logic, and data layers.
The web architecture relies substantially on the technology popularized by the World Wide Web, Hypertext Markup Language (HTML), and the primary transport medium, i.e. Hypertext Transfer Protocol (HTTP). HTTP is the medium of communication between the server and the client. Typically, it operates over TCP port 80, but it may also communicate over an unused port.
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Some of the popular web servers present today are Microsoft IIS, Apache Software Foundation's Apache HTTP Server, AOL/Netscape's Enterprise Server, and Sun ONE. Resources are called Uniform Resource Identifiers (URIs), and they may either be static pages or contain dynamic content. Since HTTP is stateless, i.e., the protocol does not maintain a session state,
the requests for resources are treated as separate and unique. Thus, the integrity of a link is not maintained with the client.
Cookies can be used as tokens, which servers hand over to clients to allow access to websites. However, cookies are not perfect from a security point of view because they can be copied and stored on the client's local hard disk, so that users do not have to request a token for each query. Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc. Organizations rely on web applications and Web 2.0 technologies to support key business processes and improve performance. New web technologies such as Web 2.0 provide more attack surface for web application exploitation.
Attackers use different types of vulnerabilities that can be discovered in web applications and exploit them to compromise web applications. Attackers also use tools to launch attacks on web applications.
Web Application Components
The components of web applications are listed as follows:
Login: Most of the websites allow authentic users to access the application by means of login. It means that to access the service or content offered by the web application, the user needs to submit his/her username and password. Example: gmail.com
The Web Server: It refers to either software or hardware intended to deliver web content that can be accessed through the Internet. An example is the web pages served to the web browser by the web server.
Session Tracking Mechanism: Each web application has a session tracking mechanism. The session can be tracked by using cookies, URL rewriting, or Secure Sockets Layer (SSL) information.
User Permissions: When you are not allowed to access the specified web page in which you are logged in with user permissions, you may be redirected again to the login page or to any other page.
The Application Content: It is an interactive program that accepts web requests from clients and uses the parameters that are sent by the web browser for carrying out certain functions.
Data Access: Usually the web pages will be communicating with each other via a data access library in which all the database details are stored.
The Data Store: It holds the important data that is shared and synchronized between the child processes/threads. This stored information is quite important and necessary for higher levels of the application framework. It is not mandatory that the data store and the web server are on the same network. They can be in contact or accessible with each other through the network connection.
Role-level System Security
Application Logic: Usually web applications are divided into tiers, of which the application logic is the middle tier. It receives the request from the web browser and gives it services accordingly. The services offered by the application logic include querying and applying the latest updates against the database as well as generating a user interface.
Logout: An individual can shut down or log out of the web application or browser so that the session and the application associated with it end. The application ends either by the application logic taking the initiative or automatically when the servlet session times out.
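The Login, Session Tracking Mechanism, User Permissions and Logout components above, as an added Python example that is not from the module: a minimal server-side session store. The cookie value is a random bearer token, which is why a copied cookie keeps working until the server expires or discards it; the idle timeout, the user table and the page permissions are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Added example, not code from the CEH module. Assumed values for the demo:
IDLE_TIMEOUT_SECONDS = 900          # session times out after 15 idle minutes
# Constructed user table: username -> (password, role). A real application
# stores password hashes; plaintext is used only to keep the login step short.
USERS = {"alice": ("correct horse", "admin"), "bob": ("battery staple", "reader")}
# Constructed page permissions: which roles may open which page.
PAGE_PERMISSIONS = {"/reports": {"admin"}, "/news": {"admin", "reader"}}


@dataclass
class Session:
    user: str
    role: str
    last_seen: float


@dataclass
class SessionStore:
    """Server-side session table keyed by the cookie token."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable so a test can advance time

    def login(self, username: str, password: str) -> Optional[str]:
        """Login component: returns a fresh cookie token, or None on failure."""
        record = USERS.get(username)
        if record is None or not secrets.compare_digest(record[0].encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)        # 256 random bits, unguessable
        self.sessions[token] = Session(username, record[1], self.clock())
        return token

    def lookup(self, token: str) -> Optional[Session]:
        """Session tracking: resolve the cookie and enforce the idle timeout.
        Whoever presents the token is treated as its owner, which is exactly
        why a copied cookie works until the server expires or discards it."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.clock() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]             # expired: forget it server-side
            return None
        session.last_seen = self.clock()
        return session

    def authorize(self, token: str, page: str) -> str:
        """User permissions: 'login' (redirect to login), 'forbidden' or 'ok'."""
        session = self.lookup(token)
        if session is None:
            return "login"
        return "ok" if session.role in PAGE_PERMISSIONS.get(page, set()) else "forbidden"

    def logout(self, token: str) -> None:
        """Logout component: the token stops working immediately."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice", "correct horse")
    print("alice -> /reports:", store.authorize(cookie, "/reports"))
    store.logout(cookie)
    print("after logout     :", store.authorize(cookie, "/reports"))
```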
How Web Applications Work
Slide example: the application server runs the query SELECT * from news where id = 6329 against the data layer and returns the output:
ID    Topic   News
6329  Tech    CNN
Whenever someone clicks a link or types in the browser, the requested website or content is immediately displayed on the screen of the computer, but what is the mechanism behind this? This is the step-by-step process that takes place once a user sends a request for particular content or a website, where multiple computers are involved.
The web application model is explained in three layers. The first layer deals with the user input through a web browser or user interface. The second layer contains JSP (Java servlets) or ASP (Active Server Pages), the dynamic content generation technology tools, and the last layer contains the database for storing customer data such as user names and passwords, credit card details, etc. or other related information.
Let's see how the user triggers the initial request through the browser to the web application server:
- First the user types the website name or URL in the browser and the request is sent to the web server.
- On receiving the request, the web server checks the file extension:
  - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
  - If the user requests a web page with the extension CFM, CFML, or CFC, then the request must be processed by the web application server. Therefore, the web server passes the user's request to the web application server. The user's request is now processed by the web application server. In order to process the user's request, the web application server accesses the database placed at the third layer to perform the requested task by updating or retrieving the information stored in the database. Once done processing the request, the web application server sends the results to the web server, which in turn sends the results to the user's browser.
FIGURE 13.2: Working of Web Application (user and login form, Internet, firewall, web server)
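The request flow just described, as an added Python example that is not from the module: a web server that serves HTM/HTML files itself and hands CFM/CFML/CFC requests to an application server, which runs the slide's news lookup against an in-memory data layer. The document root, the host name and the news table are constructed for the demo.

```python
import sqlite3
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the CEH module. The extensions follow the text
# above; the document root, host name and news table are constructed.
STATIC_EXTENSIONS = {"htm", "html"}         # served by the web server itself
DYNAMIC_EXTENSIONS = {"cfm", "cfml", "cfc"}  # passed to the application server

# Constructed stand-in for the web server's document root (first layer).
STATIC_FILES = {"index.html": "<h1>Welcome</h1>"}


def make_data_layer() -> sqlite3.Connection:
    """Third layer: an in-memory 'news' table holding the slide's output row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT, news TEXT)")
    conn.execute("INSERT INTO news VALUES (6329, 'Tech', 'CNN')")
    conn.commit()
    return conn


def application_server(params: dict, conn: sqlite3.Connection) -> Tuple[int, str]:
    """Second layer: checks the id parameter, then runs the slide's query.
    The value is bound with '?' so the database only ever sees an integer,
    never text spliced into the SQL statement."""
    raw = params.get("id", [""])[0]
    if not raw.isdecimal():
        return 400, "bad request: id must be a positive integer"
    row = conn.execute("SELECT * FROM news WHERE id = ?", (int(raw),)).fetchone()
    if row is None:
        return 404, "no such news item"
    news_id, topic, news = row
    return 200, f"ID={news_id} Topic={topic} News={news}"


def web_server(url: str, conn: sqlite3.Connection) -> Tuple[int, str]:
    """First hop: look at the requested file's extension and decide who handles it."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in STATIC_EXTENSIONS:
        body = STATIC_FILES.get(name)
        return (200, body) if body is not None else (404, "not found")
    if ext in DYNAMIC_EXTENSIONS:
        return application_server(parse_qs(parts.query), conn)
    return 404, "not found"                   # anything else is not served


if __name__ == "__main__":
    db = make_data_layer()
    for url in ("http://example.test/index.html",
                "http://example.test/news.cfm?id=6329",
                "http://example.test/news.cfm?id=6329 OR 1=1"):
        print(url, "->", web_server(url, db))
```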
Web Application Architecture
All web applications execute with the help of the web browser as a supporting client. Web applications use a group of server-side scripts (ASP, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The information is presented by the client-side script, while tasks such as storing and gathering the required data are carried out by the server-side script.
In the following architecture, the clients use different devices, web browsers, and external web services over the Internet to get the application executed using different scripting languages. The data access is handled by the database layer using cloud services and a database server.
FIGURE 13.3: Web Application Architecture. Clients (web browser, external web services, smart phones, web appliance; Flash, Silverlight, JavaScript) connect over the Internet to the Presentation Layer (web server, proxy server/cache, firewall, HTTP request parser, servlet container, resource handler, authentication and login); the Business Layer is the application server with business logic (J2EE, .NET, COM, XCode, C++, COM+), legacy application and data access; the Database Layer consists of cloud services and a database server.
Web 2.0 Applications
Web 2.0 refers to a new generation of web applications that provide an infrastructure for more dynamic user participation, social interaction, and collaboration. It offers various features such as:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- Social networking sites (Flickr, Facebook, del.icio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Frameworks (Yahoo! UI Library, jQuery)
- Flash-rich interface websites
- Mobile application (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (WordPress)
Vulnerability Stack
Web applications are maintained and accessed through various levels that include: custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each level help the user in one way or the other to access the web application securely. When talking about web applications, security is a critical component to be considered because web applications are a major source of attacks. The following vulnerability stack shows the levels and the corresponding element/mechanism/service employed at each level that makes the web applications vulnerable:
FIGURE 13.4: Vulnerability Stack
Level                     Element / mechanism / service
Custom Web Applications   Business Logic Flaws, Technical Vulnerabilities
Third Party Components    Open Source / Commercial
Database                  Oracle / MySQL / MS SQL
Web Server                Apache / Microsoft IIS
Operating System          Windows / Linux / OS X
Network                   Router / Switch
Security                  IPS / IDS
Web Attack Vectors
An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. Attack vectors include parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross-site scripting. Security controls need to be updated continuously as the attack vectors keep changing with respect to a target of attack.
An attack vector is a method of entering unauthorized systems to perform malicious attacks. Once the attacker gains access to the system or the network, he or she delivers an attack payload or causes a malicious outcome. No protection method is completely attack-proof, as attack vectors keep changing and evolving with new technological changes.
Examples of various types of attack vectors:
- Parameter manipulation: The attacker provides wrong input values to the web services and gains control over SQL, LDAP, XPATH, and shell commands. When incorrect values are provided to the web services, they become vulnerable and are easily attacked through web applications running with web services.
- XML poisoning: Attackers provide manipulated XML documents that, when processed, can disturb the logic of the parsing method on the server. When huge XML documents are processed at the application layer, they can easily be compromised by the attacker to launch his or her attack and gather information.
- Client validation: Most client-side validation has to be supported by server-side authentication. The AJAX routines can be easily manipulated, which in turn makes a way for attackers to perform SQL injection, LDAP injection, etc. and compromise the web application's key resources.
- Server misconfiguration: The attacker exploits the vulnerabilities in the web servers and tries to break the validation methods to get access to the confidential data stored on the servers.
- Web service routing issues: The SOAP messages are permitted to access different nodes on the Internet by the WS-Routers. The exploited intermediate nodes can give access to the SOAP messages that are communicated between two endpoints.
- Cross-site scripting: Whenever any infected JavaScript code is executed, the targeted browsers can be exploited by the attacker to gather information.
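For the parameter manipulation, client validation and XML poisoning vectors above, an added Python example (not from the module) of the server-side checks that do not depend on what the browser did: a whitelist validator for request parameters and an XML reader that stops as soon as size, nesting depth or element count exceed a limit. The limits, the parameter rules and the sample inputs are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Added example, not code from the CEH module. Limits and rules are assumptions.
MAX_XML_BYTES = 64 * 1024      # largest XML body the server will read
MAX_XML_DEPTH = 32             # deepest element nesting accepted
MAX_XML_ELEMENTS = 10_000      # most elements accepted in one document

# Server-side rules applied to every request parameter, whatever the
# browser-side script checked (or was modified to skip).
PARAM_RULES = {
    "id": re.compile(r"[1-9][0-9]{0,9}"),              # positive integer only
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),   # no quotes, no spaces
    "sort": re.compile(r"asc|desc"),                   # closed set of values
}


def validate_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keeps only parameters that are expected and match their rule exactly;
    everything else is reported so the request can be rejected as a whole."""
    clean: Dict[str, str] = {}
    errors: List[str] = []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            errors.append(f"unexpected parameter: {name}")
        elif rule.fullmatch(value) is None:
            errors.append(f"invalid value for: {name}")
        else:
            clean[name] = value
    return clean, errors


def parse_bounded_xml(data: bytes) -> Optional[ET.Element]:
    """Parses XML incrementally and gives up as soon as the document exceeds
    the size, depth or element-count limit or is not well formed.
    Returns the root element, or None when the input is refused."""
    if len(data) > MAX_XML_BYTES:
        return None
    parser = ET.XMLPullParser(events=("start", "end"))
    root: Optional[ET.Element] = None
    depth = elements = 0
    try:
        for offset in range(0, len(data), 4096):     # feed in chunks so an
            parser.feed(data[offset:offset + 4096])   # oversize tree fails early
            for event, elem in parser.read_events():
                if event == "start":
                    depth += 1
                    elements += 1
                    if depth > MAX_XML_DEPTH or elements > MAX_XML_ELEMENTS:
                        return None
                    if root is None:
                        root = elem
                else:
                    depth -= 1
        parser.close()                                 # raises if unfinished
        for event, _ in parser.read_events():          # drain trailing events
            depth += 1 if event == "start" else -1
    except ET.ParseError:
        return None
    return root if root is not None and depth == 0 else None
```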