CompTIA CYSA+ CS0-002 – Analyzing Application Assessments part 3

6. OWASP ZAP (OBJ 1.4)

OWASP Zap. In this lesson we’re going to talk about the Owas Foundations Zap program. Now, Zap is the Zach proxy, also known as Zap. It’s an open source interception proxy and web application assessment tool that’s written in Java. Now because it’s written in Java. It works on Windows systems, Linux systems and Mac systems. Just like Burp suite does. Now, this is an open source program, which means you, you can actually take that code and modify it to your heart’s content and they won’t mind. Now, just like Burp Suite, Owasapp does include crawlers to automate the discovery of links and content within a web application. So for example, here on the screen you can see that the tool has connected to that web server and it’s starting to find all of the different web pages that are associated with this particular website.

So we have five one five support, five one five support, comrobots, txtmap, Xmldvwa, Dvwadvwa, and it will keep going on and on until it finds all the web pages on this site. It’s a great way for it to index the site so you can then look for vulnerabilities in those pages. Now, in addition to that, OAS Zapp will also include automated vulnerability scanning. By using its scan engine to do this, you’re going to end up setting up a scam policy much like you do with Nessus, and then it will be able to go through and look for those things based on the different plugins that you have. For instance, if you decide you want to use a scan policy to be able to detect the client browser, or to conduct information gathering or trying to do injections, you could do all of that from within this tool.

Now, in addition to all of that, it also has this nice feature called the Heads Up Display or HUD mode. This provides alert, indications and scan tools within your browser when you go and open pages within a website. So if I open up my web browser and I’m scanning this website, which happens to be Dvwa, I can actually go through. And you’ll see there’s those tools on the left hand side. Notice at the top bar it’s highlighted in orange, and on the left side I have the different tools based on that toolbar. On the left hand side I can see that there is one orange alert and four yellow alerts. And if I click on those, I would get more information about them. On the right hand side, I can get different information about the different sites, I can start crawling.

I can do some kind of exploitations on them and other things all from within this web browser because it’s integrated with this tool set. Now, for the exam, again, you do not need to know how to use the OAS Zapp tool. It’s something that’s great for you to spend some time in and gain to understand it. But for the exam, you don’t have to. You should be aware of what this tool is. It’s an intercept proxy, and it has the ability to do web application vulnerability scanning as well. That’s as deep as you need to know when we talk about the OAS zap for the cysaplus exam. Now, in the real world, you’ll probably want to get comfortable using something like burp suite or the OAS zap tool, because it will help you as you do your web application scanning and vulnerability assessments.

7. Analyzing Web Applications (OBJ 1.4)

Analyzing web applications. In this lesson we’re going to go through a couple of different ways to look at web applications. We’re going to use Nikto, which is a vulnerability scanner. We’re going to use Burp Suite which is an interception proxy. And we’re even going to go through and look at some SQL injections and some hands on injections. So let’s go ahead and get started. What I’m going to do first is jump into my lab environment and we’re going to start with NICTO. As I said, Nikto is a web application vulnerability scanner. If you think about Nessus and Qualis and things like that, those are used against your infrastructure servers, routers switches and hosts. But if you want to look at a web application in depth, you really want to use something like Nicko.

So you’re going to go into your terminal and you’re going to run the command Nikdohost and the IP of the host you’re trying to scan. In my case, it’s Ten 1010. Now, once you do that, you’re going to see some of the issues that were found. For instance, you can see on this first line that the server is an Apache 2. 4. 6 server being run on sent OS. Now, as you go through, you can see there are some anti clickjacking options that are not present. You could see some cross site scripting protection headers are not defined. You can see some X content type options is not set. And as you go down, you’re going to see all the different vulnerabilities. As you get even further down you’re going to see things that say OSVDB, which are some vulnerability database files that are going to tell you exactly what was tested.

So you could see that under eight seven, seven there is an Http trace method that is activated and this suggests that the host is vulnerable to an attack. And so as you go through, you can identify each of these different things and then you can look them up, research them and figure out how to solve those issues. Now the next thing we want to do is test our website and look at it from a probing perspective for directories and files. We can do this using a different plugin inside of Niko. So I’m going to use Niktohost Ten 1010 plugins and then the plugin I want to use in my case, it’s going to be a dictionary under dictionary user wordlistdirb common TXT. When I do that, I’m going to be able to run a scan for common file and directory names on that server. Next, let’s run a command to find any files that require authorization to view.

I can do this by using Niktohost Ten 100:10 display and the number four note. This will show me all the files that are now identified that would have required authorization to view. The next thing I want to do is try to perform a Credentialed scan against that web application. And I want to save that output as an HTML report. Nikto can do this as well. We’re going to type in Niktohost http ten 100:10 Dvwa, which is the web application that I want to go after. Then ID and the credentials in my case admin with a password of password. And then I want to output that by using O and then routedownloadsdvwa HTM and then format and put it into HTML format. So I’ll type in HTM. Once I do that, I’m going to now have that file inside that root directory underneath the downloads folder.

If I want to see that because it’s an HTML file, I need to open it using Firefox. So I’ll type in Firefox root, downloadsdvwa, HTML and this will show me all of the information in that report. Now as I go through that report, I can see all the different issues that were found. For instance, there’s directory indexing not found, there’s configuration information that could be remotely available and there’s other things like that as we go through it. For instance, this PHP revealed that’s being shown where sensitive information is being displayed to the client as they go into that application. So these are all just a quick summary of some of the issues we found with this vulnerable web application. Now, the next thing I want to test is I want to move beyond Nikto. So we’ve done Nikto and we have some good baseline knowledge of how this works.

Now, let’s move into Burp suite. Burp Suite is an interception proxy and so the first thing I need to do is configure it. To be able to configure an interception proxy, I have to set up my proxy on my web browser. So I’m going to go into my web browser and I’m going to type in about colon preferences, hashtag Advanced and then press Enter. When I do this it’s going to bring up a page and I need to scroll all the way to the end of the page and click Settings. Once I click on Settings, I now need to select the manual proxy configuration radio button and then type in the web proxy’s address. In my case, one hundred and twenty seven zero one. That’s my local host. That’s the machine where I’m going to be running Burp Suite. Then under the port I’m going to type in 80 80 which is the common Http proxy port.

And then I’m going to check use this proxy server for all protocols. So anything running on this machine that uses the network will use this local host as my proxy. And then I’m going to click OK. And next I need to open up Burp Suite and I need to accept the default configurations. Now we’re ready to start inspecting sessions and header data. To do this, we’re going to use Burp Suite to monitor and record those web sessions. This will allow us to inspect it and if we want, modify the data that’s going between the browser and the server. This can include things like your headers, your cookies and your form field submissions. Now, the first thing I want to do is click on the proxy tab and then click the Intercept is on button to toggle that intercept off.

Now, I want to arrange my Firefox and my Burp Suite windows so I can see both of them as I’m going through this process. So you’ll see, I have them on the left and the right. In Firefox, I’m going to go to the website that I want to look at. In my case, www dot five one five, support Dvwa. And then I’m going to log into that web application using my credentials. Now, as a regular user, I have usernames and passwords. In this case I have admin as the username and password as the password. Now, in Burp suite, I can click on the Http history tab and this is going to list all the different requests that have been proxied while Burp suite was on. Now, if I select the get row, I can see the request here for Dvwa. Note the server’s response here. They are issuing a redirect to the login page.

Now if I select the get row requesting that Dvwa login PHP form, this is going to show me exactly what happened here. I can go ahead and check the output of the various tabs here, things like raw headers, HTML and render. And as I look at those, I can see the browser’s request and the server’s response. Now you can see here that the application has set two different cookies. One is to identify the security level that we’re going to be issued and the other is to set up a session ID. Now remember, Http is a stateless protocol. So if I want to be able to tell who is talking to my server, I have to use cookies or some other session management technique. All right, now if I select the post row, I can see the information that was submitted from my browser. In here you can actually view the clear text credentials inside of Burp suite.

So I can see that the username was admin and the password was password and that they used this user token of this random long string. Now, why could I see this credential information? Well, because we use Http instead of Https. And so you can see why it’s so important that you use secure connections when you’re transiting information back and forth. The next thing I want to start working on is testing command injection. And so to do this, I’m going to go into the browser and select the command injection tab in the Dvwa web application. Now obviously in a real world experience, the attacker would have to spend a lot of time mapping out pages and forms and finding things through their reconnaissance. But Dvwa is built for us as cybersecurity analysts to be able to use this with known sets of bad issues so we can test things against it and see what they look like in the field.

Now, when we do this, we see that there is a box here that’s going to allow us to put a command in. Now, it’s supposed to be used for the ping command, but if somebody didn’t program this right, that means you might be able to run any command you want. So let’s go ahead and try it. All right, so I’m going to enter ten 10 one in the box and click Submit. This is going to allow me to ping that device, that web server. Now that works great, but what if this person didn’t do their coding right? And instead of just issuing the ping command, I could issue other commands maybe. Well, let’s try a couple of Linux commands and see if we can do a command injection. Let’s try inserting LS and typing submit. What do we see? Nothing. It didn’t work for us. All right, let’s try something else.

Let’s try typing in ten 10 one like we did before and then put ampersand ampersandls. What happens this time? Well, there you go. We got the ping that we were expecting, but we also got the directory listing, so we were able to do a command injection here. Let’s go ahead and try another one. Let’s try one ampersand ampersand PS e. This will tell us if it’s going to accept anything with a number first and then going from there. Well, that one didn’t do anything. Let’s try something else. Let’s try putting in ten, 10 one, ampersand ampersand PS e and click submit. Yes, that one worked. It does the ping and then it shows me the processes that are being executed here. So it is allowing me to do command chaining as long as I start with an IP address. Let’s try some more.

How about ten, 10 one, ampersand ampersand netstat, tlnp and then click submit. Is this going to work? Yes, it is. We’re going to get that ping and then the executing of that command because we’re chaining these commands together inside this box. It appears to me that all this box is doing is checking, did you put in an IP address? And it’s going to execute that by a ping. And then if you use the ampersand ampersand, you can put any command you want afterwards. So I might be able to access files. For instance, what if I could go in there and use ten, 10 one, ampersand ampersandcat etsy password and click submit. Look at that. We were able to get the ping and then we got the password file. Well, if we can get the password file, let’s go ahead and grab the shadow file.

Let’s try ten 10 one, ampersand ampersandcat etsy shadow and click submit. Now, unfortunately, reading the shadow file didn’t work. Why is that? Well, because the shadow file has specific permissions on it to protect it from things like this happening. Now the command Catsy shadow did work but it couldn’t display the shadow file because that shadow file is protected. Now to confirm this, let’s go ahead and check a couple more commands. Let’s try ten, 10, one, ampersand, ampersand, who am I? This will tell us who we are actually operating as. And in this case you can see we’re operating as the user known as Apache because we’re running it through the web server. Let’s go ahead and see if we can get some more information.

What if we did ten, 10, one, ampersand, ampersand get entpasswd zero? What is this going to do? Well, this is going to get us the root user, which is user ID zero. It’s going to get their information from the password file and display it to the screen. Now if we do this, we want to see what the group is for that. We could try that by doing ten, 10, one, ampersand, ampersand get ENT group and then root. And when we do that, you’re going to see that we have the root user, is a member with group X and is the user ID of zero. Next, let’s go ahead and try doing some fuzzed input and see if that’s going to do anything for us. So what we’re going to do here is instead of just inventing different commands to throw at this misbehaving inbox, we can start doing a more structured approach by sending in fuzz data.

This is a fuzzer and essentially we can use Burp suite as that fuzzer. This will help us to automate a lot of this testing instead of me sitting here and typing in all these commands by myself. So let’s go ahead and click on the SQL injections tab. And here we’re going to type a one in the box and click Submit. When we do that, we see what the function is supposed to do. When you give it a user ID, it’s going to give you their first name and their last name. In this case, admin and admin. Now in Burp suite, if I go to the Http History tab, I can right click on that last request and click Send to intruder. Now once I go to the Intruder tab within the intruder module, I can select the Positions tab and then click the clear button. Here I’m going to select the character one following the ID equals in the first line.

And then I’m going to click Add. Next I’m going to click on the Payloads tab and from here I’m going to click the Load button and then browse to user wordlist wfuzinjectionsql TXT and then I’ll click Start Attack. Now what is this doing? Well, what I just did was I selected the variable that I want to change that ID equals one and I want to start putting ID equals whatever the lines are of this SQL file. And so this is going to automate my attack for me. So as I go through, it’s going to go through and put each and every one in there. And as that attack progresses, you’re going to observe the length column. The unmodified input is going to return a page that is 48 68 bytes in length. Now, if you look at the response with a length of 48 nine, you’re going to see they’re basically blank, while anything smaller has returned an unformatted error message.

Now, if we want to sort the output by length, we can click on the length column and then we can look for any response that’s larger than 48 68. For instance, I have one that is 51 76. This is an apostrophe or one equals one or quote equals apostrophe. Now what does that look like to you? To me it looks like an SQL injection, right? If you look through this, all of these different things being shown here that are above that threshold of 48 68 are different forms of SQL injections. Now I want you to look at the response for anything with that single quote payload because again, this is a simple SQL statement. And basically if this form that we have on the Dvwa isn’t doing input validation, it’s going to allow me to do these SQL injections. All right, enough of that for now. Let’s go ahead and close the intruder window to stop our attack.

All right. So now that we know that this thing is vulnerable to SQL injection, let’s take a look at the code itself and do a manual analysis of it so we can review that vulnerable code. If I switch back to my browser and I click on the SQL injection page, I can click it and then look at view source. When I do this, the source code is going to pop up. When we look at that, we’re going to compare all levels by clicking on that button. Now, as we compare each iteration of the code, we can see that the higher security code has some input validation while the lower ones don’t. For example, you can see the Is numeric function here within this first if block. Now basically what this does is any input that comes in is checked using if it’s numeric, and if it is numeric, it’s going to process it. If it is not numeric, it’s going to delete it and just ignore that. This essentially is a basic form of input validation.

Now this only is going to check this number, this input if it is a number, because we’re expecting ID to equal some number. And so we want to prevent anything else from being there. So if I put a postrophe, that would prevent this, right? Because it’s not numeric. Now you’ll notice at the bottom under the commented code here, we also have this little validation statement that’s going to make sure only one results is returned. So if I put in number one, I should only get the first entry, the admin admin. If I put in two, I should get that for the second user and not the third, fourth and fifth user. This would only give us one row at a time from the database. So you can see here that the data inside the row count has to be equal to one. If it is, get the values. If not, we’re going to ignore it. So that’s the way that we can do some basic input validation. So this is a good input validation method to prevent an SQL.