Monday, 16 May 2011

Building a web-application hacking lab - to practice web attacks

One of the most important aspects of improving your web-application security-testing skills, is practice. There are a wealth of attack vectors in modern feature rich web-applications, and familiarity with the various attacks and tools are key to finding and plugging holes.


Web application problems

There are many categories of web-application exploits; from ones that most security professionals should have heard of, such as XSS, SQL-injection, session-hijacking and authentication bypass, to less well known techniques, such as; fixed-sessions and session prediction, cross-site-request-forgery (CSRF), XPath-injection, LDAP-injection, SOAP-injection, OS command and script injections, CGI overflows and format-string vulnerabilities, local and remote file inclusion (RFI/LFI), directory traversal, logic-flaws, encoding and canonicalization issues.

There are also insecure client-side code and input-validation issues such as AJAX UIs, Java applets and flash components (which can be decompiled and changed) and the end-user to consider.

In short, there are many potential problems in modern websites and web UIs.


The attackers toolkit

There are many tools available to the attacker can use, some of which are very advanced and simple to use. These can range from the very noisy bruteforce, fingerprinting and spidering tools, to very stealthy attack-frameworks with encoding/encryption to prevent detection.

Some tools have inbuilt abilities to pivot from a compromised system and attack other machines. There are also some very well written frameworks that focus on client-side exploitation, such as XSS and CSRF, social engineering, browser exploits, and various spoofing and session-hijacking techniques to attack end-users.

There are hundreds of tools for web-application attacks. Here are some of the main opensource or free ones (in no particular order); Nikto, wfuzz, Webscarab, skipfish, Paros, Burpsuite, SET, BeEF, Grendel scan, HTTPPrint, sqlmap, Tamperdata, wget, curl, Cewl, Fierce, Dirbuster, the list goes on and on...


Building a web-application hacking lab

So, with dozens of technique types, hundreds of tools available to exploit them, and many thousands of potential exploits out there, it is important to constantly practice techniques to stay ahead of the game. One of the best ways to do this is in a virtual lab, using one of the many virtualization technologies, such as vmware, virtual-server, virtual-box etc. I use vmware player currently, but use whatever you think is best for you.

I am currently using three systems as my attack systems, Backtrack 4, 5 and SamuraiWTF. These are both Linux distrobutions which have various hacking tools preinstalled and configured.
(SamuraiWTF is more focused specifically on Web attacks, where as I would consider Backtrack as "The Daddy" of Security Distros, covering pretty much every attack vector.)


Safely attacking target systems with known vulnerabilities

There are various applications and Linux distributions that have been released specifically to help security experts learn about vulnerabilities, and practice exploitation. These deliberately-vulnerable test systems often come as VMs or Live CDs which you can fire up and attack. Some of the more popular ones include:

Metasploitable
Damn Vulnerable Web Application (DVWA)
WebGoat (included with WS Dojo below)
Maven Web Security Dojo
Damn Vulnerable Linux (DVL)

I would consider all of these worth downloading, as they are quick to set up and attack in a virtual lab, so are great to practice your skills on. However, as these are all designed to be vulnerable, and the exploits are often documented, so they are typically easier targets than real applications.

However, there is quite a lot there to keep you whist you are learning the tools.


Potentially exploitable systems with unknown status

There are also many free virtual appliances and web applications that you can download and test in your own virtual environment. For example, there are thousands of free and evaluation virtual appliances on the vmware virtual-appliance marketplace site (check the T's and C's first ;o)

Though the above are mostly Linux systems, in my lab I also have various virtual Windows systems, where I can install free and evaluation applications to test them out.

Testing unknown apps can help sharpen your techniques; as when you don't know what you are looking for, you have to map the application properly, and try lots of options see what you can find.

You can also help the IT community as a whole if you find and report issues to try to get them fixed by the software vendor, so that is good for everyone.

1 comment: