The security tools and methodologies used when dealing with a web application can vary from researcher to researcher. Nevertheless, there are general principles that should be followed when attacking a web application, regardless of the tools used. In this module, we will introduce some of the more common tools and how they are used, which will provide us with sufficient tooling for the remainder of this course.
Before we get started, it's important to clarify that, similar to the approaches taken when targeting Windows or Linux binary applications, exploitation research into web applications can be conducted from a white box or a black box perspective. In a white box scenario, the researcher either has access to the original source code or is at least able to recover it in a near-original state. When neither of these is possible, the researcher has to adopt a black box approach, in which minimal information about the target application is available. In this case, in order to find a vulnerability, the researcher needs to observe the behavior of the application by inspecting the output and/or the effects generated as a result of precisely crafted input requests. Arguably, web applications present a slightly easier target than traditional compiled applications when tested using a white box approach. The reason is that in most cases, web applications are written in interpreted languages, which require no reverse engineering. Moreover, as we will see during this course, the source code for web applications written in byte-code based languages such as Java, .NET, or similar can also be trivially recovered into a near-original state with the help of specialized tools.
It's worth mentioning that the ability to recover and read the source code of a modern web application does not reduce the complexity of the required research. However, once the application source code is recovered, the researcher is able to inspect the internal structure of the application and perform a thorough analysis of the code flow. Therefore, in order to conduct a deep vulnerability analysis of the selected test cases, we will mostly use this approach throughout the course.
The exposure to, and complete understanding of, common coding pitfalls combined with chained attack methods will provide us with a good foundation of knowledge that can be used in various scenarios.
1.1 Web Traffic Inspection
One of the first steps when dealing with an unknown web application should always be traffic inspection. While there are many elements a web application can present to the end-user within the browser interface, most applications also make numerous requests between a client and server during the construction of those elements before they reach their final presentation state. In other words, a simple request from a browser to render a webpage such as www.offensivesecurity.com will likely translate into a number of additional HTTP requests behind the scenes.
In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.
1.2 Interacting with Web Listeners with Python
The focus of this course is the creation of fully functional and complex exploits for targeted web applications, and our language of choice for this task is Python. Nevertheless, if you are already well-versed in a different language and prefer to develop the course exercises in it, you are certainly welcome to do so. In Python, a very popular library for interacting with a web application is the requests library. While there are many well-written guides on how to use requests, including the official documentation, we will demonstrate a very basic way to get us started. The following script will issue an HTTP request to the ManageEngine webserver in the labs and output the details of the corresponding response:
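The script itself is not reproduced on this page, so the following is an added example, not the course's own code, written to show both points above: issuing a request with the requests library and printing the response details (section 1.2), and making visible the additional sub-resources a browser would fetch behind a single page request (section 1.1). The lab host is not given here, so `TARGET_URL` is a placeholder to be replaced with the ManageEngine server in your own lab; the `PROXIES` setting and the sample HTML response are assumptions constructed for offline demonstration.

```python
import sys
from html.parser import HTMLParser

import requests

# Placeholder: the course text does not give the lab host on this page.
# Replace with the ManageEngine server in your own lab before a live run.
TARGET_URL = "http://LAB_MANAGEENGINE_HOST:8080/"

# Optional: route traffic through an intercepting proxy so the raw request
# and response can be inspected next to the script's own output.
# Example (assumption): {"http": "http://127.0.0.1:8080"}
PROXIES = None


class SubresourceParser(HTMLParser):
    """Collects the URLs a browser would also request to render this page."""

    WATCH = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCH.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def describe_response(resp, preview_len=200):
    """Summarise the parts of a response that matter when building an exploit."""
    content_type = resp.headers.get("Content-Type", "")
    body = resp.text or ""
    subresources = []
    if "html" in content_type.lower():
        parser = SubresourceParser()
        parser.feed(body)
        subresources = parser.urls
    return {
        "url": resp.url,
        "status": resp.status_code,
        "reason": resp.reason,
        "headers": dict(resp.headers),
        "cookies": requests.utils.dict_from_cookiejar(resp.cookies),
        "body_length": len(resp.content or b""),
        "body_preview": body[:preview_len],
        "subresources": subresources,
    }


def fetch(url, method="GET", data=None, proxies=None, timeout=10):
    """Issue one request; redirects are not followed so every hop stays visible."""
    session = requests.Session()
    session.headers["User-Agent"] = "awae-lab-client/0.1"  # constructed value
    resp = session.request(method, url, data=data, proxies=proxies,
                           timeout=timeout, allow_redirects=False)
    return describe_response(resp)


# Constructed sample response so the summary logic can be exercised offline.
SAMPLE_HTML = (b"<html><head>\n"
               b'<link rel="stylesheet" href="/css/style.css">\n'
               b'<script src="/js/app.js"></script>\n'
               b'</head><body><img src="/images/logo.png"><p>Login</p></body></html>')


def sample_response():
    """Builds a requests.Response from the constructed sample (no network)."""
    resp = requests.Response()
    resp.status_code = 200
    resp.reason = "OK"
    resp.url = "http://sample.invalid/index.html"
    resp.encoding = "utf-8"
    resp.headers["Content-Type"] = "text/html; charset=utf-8"
    resp.headers["Server"] = "SampleServer/1.0"
    resp._content = SAMPLE_HTML
    return resp


def print_summary(summary):
    print(f"{summary['status']} {summary['reason']} {summary['url']}")
    for name, value in summary["headers"].items():
        print(f"  {name}: {value}")
    print(f"  cookies: {summary['cookies']}")
    print(f"  body: {summary['body_length']} bytes")
    print(f"  sub-resources the browser would also fetch: {summary['subresources']}")
    print(summary["body_preview"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print_summary(fetch(sys.argv[1], proxies=PROXIES))  # live request
    else:
        print_summary(describe_response(sample_response()))  # offline demo
```

Run with a URL argument to query the lab server; without one it summarises the constructed sample. Redirects are deliberately not followed, because the intermediate responses (and their Set-Cookie headers) are often where the interesting behaviour lives.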
1.3 Source Code Recovery
As we mentioned at the beginning of this module, the ability to recover the source code from web applications written in compiled languages is extremely valuable. In this course, we will be focusing mainly on Java and .NET source code recovery, as they are directly related to the vulnerable applications we will explore.