Web application penetration testing v3.

1
Professional
1. Web application
technologies 101

WAPTP v3.1 - gray hat security c 2017 1

1. Web application technologies

Introduction
Web applications are applications running on web servers and accessible
via web browsers. It makes bridge between user and server.

We interact with web applications every day, as almost every website

over the Internet includes some kind of applications in its web pages.
The intelligence could be either client side or server side.

You need to get some web application fundamental aspects that a

modern web applications have, So you too!

WAPTP v3.1 - gray hat security c 2017 2

1. Web application technologies

HTTP/S Protocol basics

Encoding Schemes

Same Origin Policy (SOP)

HTTP Cookies

CORS – Cross-origin Resource Sharing

WAPTP v3.1 - gray hat security c 2017 3

1. Web application technologies

HTTP/S Protocol Basics

WAPTP v3.1 - gray hat security c 2017 4

HTTP/S Protocol Basics

Hypertext Transfer Protocol (HTTP) is the most used application protocol

on the Internet. It is stateless protocol.

It is the client-server protocol used to deliver web pages to the user.

In HTTP, the client usually a web browser(Firefox, IE) connects to a web

server such as MS IIS or Apache HTTP Server.

Nowadays, HTTP is also used by many mobile and

modern applications.

WAPTP v3.1 - gray hat security c 2017 5

HTTP/S Protocol Basics

Client sends request to the server stating required

information, and server responds accordingly

www.grayhat.in
HTTP Request

HTTP Response
USER (Client)
SERVER

WAPTP v3.1 - gray hat security c 2017 6

HTTP/S Protocol Basics

Every HTTP communication has the following header format:

HTTP Header format:

Header-name: header value

WAPTP v3.1 - gray hat security c 2017 7

HTTP/S Protocol Basics

HTTP Request looks like following:

Empty body message

WAPTP v3.1 - gray hat security c 2017 8

HTTP/S Protocol Basics

As the name suggests, GET method sometimes also called HTTP “verb” is
used to fetch or request data from the server.

Most Common example: It is used to open websites in browser

WAPTP v3.1 - gray hat security c 2017 9

HTTP/S Protocol Basics
Path Protocol version

In HTTP request, there is a path /

after GET request that instructs
server to which resource or
directory the browser is making
request for.

Protocol version is used to specify

the types of communication.

Host is URL you type in browser

USER-AGENT is browser of yours

ACCEPT header tells the server

about type of format it can accept
text/html
WAPTP v3.1 - gray hat security c 2017 10
HTTP/S Protocol Basics

When server receives HTTP

Request from a client, it sends
back the HTTP Response to the
client.

At this time Response has the

message body.

HTTP Response header consists

of: Server status, cached content,
server and version, content-type,
application used, data and time,
content length(in bytes),
connection to reuse in future or
keep-alive etc…

WAPTP v3.1 - gray hat security c 2017 11

HTTP/S Protocol Basics

</>
POST method: Query POST /login/login_form.php HTTP/1.1
Host: grayhat.in
strings are sent in HTTP Username=demo&password=demo
message body of POST
method

POST method are more

secure than GET method
as data is not sent in URL Never use GET method to submit
like GET request does. password

WAPTP v3.1 - gray hat security c 2017 12

HTTP/S Protocol Basics

HTTP message code

200 OK Successful HTTP requests

301 Moved Permanently Site has been moved to new URL

302 Found Site temporarily moved to new URL

400 Bad Request Incorrect syntax

401 Unauthorized Authentication issues

WAPTP v3.1 - gray hat security c 2017 13

HTTP/S Protocol Basics

HTTP message code

401 Unauthorized Authentication issues

403 Forbidden Server refused to respond – Non priv

404 Not Found Requested page not found on server

500 Internal Server Error Server does not process such request

WAPTP v3.1 - gray hat security c 2017 14

HTTP/S Protocol Basics

HTTPS
HTTP is a clear-text protocol, as sniffers can intercept the traffic
between two user or sometimes whole network.

This is where HTTPS comes into action. HTTPS or HTTP over SSL/TLS
Provides strong encryption by encrypting the data transmitted in the
wire.

SSL/TLS :- Secure Socket Layer / Transport Layer Security

WAPTP v3.1 - gray hat security c 2017 15

HTTP/S Protocol Basics

HTTPS
HTTPS makes authenticated session with confidentiality and integrity
as follows:

Application layer secured

Hacker

???..
SSL/TLS

HTTP Unsecured Connection

User Server
WAPTP v3.1 - gray hat security c 2017 16
HTTP/S Protocol Basics

Common Myth
If SSL/TLS is there, server will not be hacked or it is protected well.

As of now, you can understand that SSL/TLS will not protect from
attacks such as, SQLi, XSS, CSRF etc.. Or even application itself.

SSL protects only data transmission between client and server.

What if website have SQLi vulnerability ? Or any flaws at web

application level ?

WAPTP v3.1 - gray hat security c 2017 17

HTTP/S Protocol Basics

References
HTTP status codes definitions:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

HTTP methods explained: (HEAD, PUT, DELETE, OPTIONS, CONNECT)

https://www.w3schools.com/tags/ref_httpmethods.asp

HTTP Headers: (Must Read)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

WAPTP v3.1 - gray hat security c 2017 18

1. Web application technologies

Encoding Schemes

WAPTP v3.1 - gray hat security c 2017 19

Encoding Schemes

In computers, Encoding is the process of putting a sequence of

characters (letters, numbers, punctuation, and certain symbols) into a
specialized format for efficient transmission, storage and SECURITY as
well.

We will dive into:

URL Encoding (Percent Encoding)
Double Encoding
Base64 Encoding

WAPTP v3.1 - gray hat security c 2017 20

Encoding Schemes

URL Encoding
Since, the URL can only be sent over internet using ASCII-characters.
And URL encoding fulfills the same requirements.

In URL Encoding, certain characters are converted into hexadecimal

format and preceded by % symbol in a URL as follows:

i.e. %20 (%20 or + both are used for space key)

URL Encoding replaces unsafe or non-ascii characters with % followed

by two hexadecimal digits.

WAPTP v3.1 - gray hat security c 2017 21

Encoding Schemes

URL Encoding
In URL, some reserved characters such as / that is used to separate
paths in URL. If this character is used by somemeans, then it must be
encoded otherwise URL parser will be throwing errors.

‘/’ Encoding %2F

These characters are not encoded ABCDEFGHIJKLMNOPQRSTUVWXYZ

as part of URL Encoding, abcdefghijklmnopqrstuvwxyz
But, we can encode using ASCII table 0 1 2 3 4 5 6 7 8 9 - .~_

http://www.asciitable.com/

WAPTP v3.1 - gray hat security c 2017 22

Encoding Schemes

URL Encoding
URL Encoded characters Table:
Character Encoded Character Encoded Character Encoded Character Encoded

<space> %20 ; %3B , %2C @ %40

= %3D \ %5C “ %22 % %25

$ %26 [ %5B : %3A + %2B

< %3C ] %5D / %2F - -

> %3E { %7B # %23 - -

^ %5E } %7D ? %3F - -

` %60 | %7C & %24 - -

WAPTP v3.1 - gray hat security c 2017 23

Encoding Schemes

Double Encoding
Double Encoding is similar to URL/percent encoding. Encoding takes
place two times at this time while it is encoded one time in URL
encoding.

This technique was used in famous IIS “Directory Traversal Attack” 2001
(../../ or dot dot slash). Pretty useful in evading filters.

“<“ encoded in percent encoding to “%3C”

Double encoding: Only the preceding % is encoded.
Final becomes: %=25(Percent encoding), + 3C = %253C(Double encoding)

WAPTP v3.1 - gray hat security c 2017 24

Encoding Schemes

Double Encoding
Double Encoding doesn’t need to be memorized.

Just put “25” before URL encoded as follows:

URL encoded: / = %2F, Double encoded: / = %252F

URL Encoded:
https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttp%2Fgrayhat.in%2Fcourses%2FWAPTP
Double Encoded:
http%253A%252F%252Fgrayhat.in%252Fcourses%252FWAPTP

WAPTP v3.1 - gray hat security c 2017 25

Encoding Schemes

Double Encoding
XSS Filter Evasion using Double Encoding XSS Filter Decoded the
“Double encoded payload”,
and becomes URL/Percent
encoded finally at server and
http://grayhat.in/search.php?q=<script> executed successfully.
alert('XSS')</script>

Double Encoded URL Percent Encoded URL

http://grayhat.in/search.php?q=
http://grayhat.in/search.php?q=%253Cscript%2
%3Cscript%3Ealert(%27XSS%27)%3C%2
53Ealert(%2527XSS%2527)%253C%252Fscript%253E
Fscript%3E

Hacker XSS Filter Web Server

WAPTP v3.1 - gray hat security c 2017 26

Encoding Schemes

Base64 Encoding
Base64 is a encoding mechanism that was first used in email (RFC
1421) to send binary data such as attachments sent in ASCII format. It
is very common in website to encode session IDs, parameters, media

Base64 encoding makes character set of 64 printable ASCII characters

that includes:
▪ A to Z characters
▪ a to z characters
▪ = (equal)
▪ + (plus sign)
▪ / (forward-slash)
WAPTP v3.1 - gray hat security c 2017 27
Encoding Schemes

Base64 Encoding
Base64 Encoding process: Base64 Encoding Table

• Input bytes stream are divided into blocks of Value Encoded Value Encoded Value Encoded Value Encoded
3 bytes.
• 3 bytes joined to make 24 bits
• 24 bits divided into 4 groups of 6 bits each.
• Each 6 bits are mapped to decimal first then
map each group of 6 bits to 1 printable
character set from encoding table.
• If the last 3 byte block has only 1 byte of
input data, then 2 byte of zero are padded.
And at last these padding are overridden
with 2 equal signs (==).
• If the last 3 byte block has 2 byte of input
data, then 1 byte of zero are padded. And
after encoding it is overridden with 1 equal
sign(=).
WAPTP v3.1 - gray hat security c 2017 28
Encoding Schemes

Base64 Encoding
Example:
Input data: G
Input bits(bin): 01000111
Padding: 01000111 00000000 00000000
Joined(24bits): 010001110000000000000000
Divided(6bits each): 010001 110000 000000 000000
Decimal value: 17 48 = =
Base64 encoded: R w = =
Encoded: Rw==
Base64 Encoding of (gray hat security) : Z3JheSBoYXQgc2VjdXJpdHk=
WAPTP v3.1 - gray hat security c 2017 29
Encoding Schemes

References
URI characters defined in RFC 3986:
https://www.ietf.org/rfc/rfc3986.txt

URL Encoding detailed:

https://www.w3schools.com/tags/ref_urlencode.asp

URL Encoder/decoder:
http://meyerweb.com/eric/tools/dencoder/

Base64 detailed overview:

https://www.lifewire.com/base64-encoding-overview-1166412
http://base64encode.net/

WAPTP v3.1 - gray hat security c 2017 30

1. Web application technologies

Same Origin Policy (SOP)

WAPTP v3.1 - gray hat security c 2017 31

Same Origin Policy

Same Origin Policy is the critical point of “web application security”

According to SOP, it restricts JavaScript code from setting and

accessing properties on a resource coming from a different origin.

Same Origin Policy determines the origin (in browser) on behalf of:

Protocol : Hostname : Port

To determine if JavaScript can access the resource; Protocol,

Hostname and Port must match with the origin.
WAPTP v3.1 - gray hat security c 2017 32
Same Origin Policy

Example:
A JavaScript code on: https://www.grayhat.in:941

can read resources from:

https://www.grayhat.in:941
https://www.grayhat.in:941/courses
https://www.grayhat.in:941/courses/341
https://www.grayhat.in:941/WAPTP/courses
But can not read from:
http://www.grayhat.in:941
https://sec.grayhat.in:941/courses
https://www.grayhat.in:8087/courses/341
https://www.grayhatsec.in:941/WAPTP/courses

WAPTP v3.1 - gray hat security c 2017 33

Same Origin Policy

Almost entire, security of “web application” is in hand of SOP.

Same Origin Policy is used for JavaScript but also for AJAX, Flash,
Cookies and most importantly origin-separated data stored in local
storage of webserver.(for multiple domain).

SOP applies only to the actual code of a script. We can still add
external resources using HTML tags like <img>, <iframe>, <script>,
object and so on.

WAPTP v3.1 - gray hat security c 2017 34

Same Origin Policy

References
Same Origin Policy (SOP):
https://www.w3.org/Security/wiki/Same_Origin_Policy

RIA Cross Domain Policy:

https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-
CONFIG-008)

WAPTP v3.1 - gray hat security c 2017 35

1. Web application technologies

HTTP Cookies

WAPTP v3.1 - gray hat security c 2017 36

HTTP Cookies

In 1994 sessions and cookies were invented by Netscape to make

HTTP stateful (As HTTP is a stateless protocol).

An HTTP Cookie (also Web cookie) is piece of data sent by server to

web browser to be stored inside it(cookie.txt).

The web browser send it back to the server in the next request to
validate the same textual information (cookie) stored by web server
to the browser.

WAPTP v3.1 - gray hat security c 2017 37

HTTP Cookies

Usually, cookies are used for:

• Session management
• Shopping carts
• gaming site to remember scores
• Keep users logged-in
• Tracking user behavior

Session-Cookies expires when HTTP sessions are closed(Closing of web browser)

WAPTP v3.1 - gray hat security c 2017 38

HTTP Cookies

A Server set cookie using set-cookie HTTP Header field

whenever it get HTTP request from the client browser.
It contains: cookie contents, expiration, path, domain HTTP/1.1 200 OK
and http flags(HttpOnly, Secure). Date: Sun, 25 Jul 2017 02:44:25 GMT
Content-Type: text/html;
Browser decide whether cookie will be sent or not Server: Apache/2.4.27 (CentOS)
based on; domain, path, http flags and expiration Set-Cookie: ID=Value; expires=Mon,
date and time value. 27-Jan-2018 22:36:21 GMT; path=/;
domain=.grayhat.in; HttpOnly
HttpOnly Flag:- If set, Cookies cannot be accessed
through client side script(javaScript) or XSS attacks.

Secure Flag:- If set, Cookies Sent only over SSL/TLS

#Browser sends cookie in each request to its corresponding domain and subdomains
WAPTP v3.1 - gray hat security c 2017 39
HTTP Cookies

When server does not set domain attribute in cookies, the browser
set it automatically with server domain and set as host-only Flag.

Host-Only Flag means, cookie will be set and valid for that specified
domain only( i.e grayhat.in)

If path attribute is set: path=/course/course1

Cookie will set to its domain and resources in:
/course/course1
/course/course1/course2/../../
But it will not set to: /videos; /lectures or any other than set path.
WAPTP v3.1 - gray hat security c 2017 40
HTTP Cookies

GET /login.php HTTP/1.1

Set-Cookie: v=cookiedata; domain=grayhat.in

grayhat.in

Cookie will be valid for all subdomains

Sub1.grayhat.in Sub2.grayhat.in

WAPTP v3.1 - gray hat security c 2017 41

HTTP Cookies

GET /login.php HTTP/1.1

Set-Cookie: v=cookiedata; domain=sub1.grayhat.in

grayhat.in

Cookie will not be valid for sub2.grayhat.in

Sub1.grayhat.in Sub2.grayhat.in

WAPTP v3.1 - gray hat security c 2017 42

HTTP Cookies

GET /login.php HTTP/1.1

Set-Cookie: v=cookiedata;

Host-Only grayhat.in

Cookie will not be valid for any subdomains

Sub1.grayhat.in Sub2.grayhat.in

WAPTP v3.1 - gray hat security c 2017 43

HTTP Cookies

References
HTTP Cookies Explained:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

RFC 6265:How Server installs a cookie in browser and more about its functionality
https://tools.ietf.org/html/rfc6265

WAPTP v3.1 - gray hat security c 2017 44

1. Web application technologies

CORS

WAPTP v3.1 - gray hat security c 2017 45

CORS

Cross-origin Resource Sharing – CORS is a systematic way used by

browsers to make Cross-domain communication uninterrupted.
CORS gives secure access-control mechanism
for cross-domain data transfer.

As SOP restricts cross-domain access, but

cross-domain data communication is needed
for: CSS, Fonts, image/videos, invocations of
APIs

To get rid of these limitations, Cross-origin

Resource Sharing was deployed by web
browsers.

Source: https://developer.mozilla.org

WAPTP v3.1 - gray hat security c 2017 46

CORS

References
Cross-origin Resource Sharing (CORS) detailed explanations:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

WAPTP v3.1 - gray hat security c 2017 47