Web Applications
Web applications
are software that runs on web servers and are accessible via web browsers.The web app world is heterogeneous, since every web app can be differently developed to accomplish the same task.
This great flexibility in development results in more flexibility in creating insecure code and messing things up.
📕 "With great power comes great responsibility." {Stan Lee}
HTTP Protocol Basics
⚡ P.T. Usage:
Ability to exploit web applications and find vulnerabilities in web servers and services
Web app technology is used market-wide also by desktop and mobile apps
HTTP
(HyperText Transfer Protocol) is one of the most used application protocol on the Internet, built on top of TCP.
It is the client-server protocol used to transfer web pages and web application data.
Is is a stateless protocol.
The client (a web browser) connects to a web server (usually Microsoft IIS, Apache HTTP Server, or others) by sending HTTP requests to the server and getting back HTTP responses.
First a TCP connection is established, then the HTTP messages are sent.
HTTP Requests
The structure of an HTTP message |
"Start line\r\n" |
"Headers\r\n" |
"\r\n" |
"Message Body\r\n" |
"\r\n"
(carriage return & newline) are used to the lines in HTTP.Each start-line contains 3 elements:
an
HTTP method
(verb/noun) that states the type of the request, like: GET, PUT, POST, HEAD, OPTIONSthe
request target
(URL/path), which resource the browser is asking forthe protocol version (
HTTP/1.x
)which defines the structure of the remaining message, telling the server how to communicate with the browser
Each header is represented in a single line, composed of a String followed by a colon (:) and a value:
Header-name: value
The
Host
value is obtained from the URI (Uniform Resource Identifier) of the resource.User-Agent
- reveals the client software issuing the request (Chrome, Safari, Firefox, mobile app ...) and the operating system version.Accept
- expected document type.
HTTP Responses
The web server processes the request and sends an HTTP response back to the client:
The start-line, called the
status-line
, contains the protocol version, a status code and a status text.HTTP headers same as above, different headers may appear, such as:
Cache-Control
- informs the client about cached content (saves bandwidth)Content-Type
- lets the client know how to interpret the bodyServer
- header of the web server, software running (useful in pentesting!)Content-Length
- length in bytes of the message body
The
body
is separated from the header by 2 empty lines (\r\n\r\n).
HTTP Request / Response example
Common status codes:
Status code | Meaning |
---|---|
200 OK | the request has succeeded (Successful codes 2xx) |
301 Moved Permanently | the target resource has been assigned a new permanent URI (Redirection codes 3xx) |
302 Found | the target resource resides temporarily under a different URI (Redirection codes 3xx) |
403 Forbidden | the server understood the request but refuses to authorize it, client doesn't have enough privileges (Client Error codes 4xx) |
404 Not Found | the origin server did not find a current representation for the target resource or is not willing to disclose that one exists (Client Error codes 4xx) |
500 Internal Server Error | the server encountered an unexpected condition that prevented it from fulfilling the request (Server Error codes 5xx) |
502 Bad Gateway | the server, while acting as a gateway or proxy, received an invalid response from an inbound server it accessed while attempting to fulfill the request (Server Error codes 5xx) |
📌 For more in depth info refer to RFC 9110 - HTTP Semantics
HTTPS Protocol Basics
HTTP (a clear-text protocol) can be protected using an encryption layer, by using a cryptographic protocol like SSL/TLS.
HTTPS
(HTTP Secure) is a method to run HTTP over SSL/TLS.
This encryption layer protects data exchanged between the client and the server, but it does not protect against web application flaws. XSS and SQL injections attack will still work.
It provides confidentiality, integrity protection and authentication to the HTTP protocol.
Application layer communication cannot be sniffed or altered by an eventual attacker.
Traffic can be sniffed and inspected by a user, but he cannot know HTTP headers, body, target domain or what data is exchanged.
Target IP address and target port can be recongnized
DNS (or similar protocols) may disclose which domain user tries to resolve
📌 Refer to the High Performance Browser Networking book for more in depth information.
Command Line / GUI Tools
Netcat
netcat
or nc
is a tool that reads and writes data accross network connections (opens a raw connection to a service port for example), using TCP or UDP protocol.
considered as a Swiss army knife of networking tools
used to debug and monitor network connections, scan for open ports, transfer data, listen for incoming connections (reverse shells) and more
nc -h
Establishing a connection to a server and communicate via HTTP:
nc -v example.com 80
nc -v my.ine.com 80
Check if a port is opened:
nc -zv HOST PORT#
-z performs a port scan against a given host and port or port range.
Burp Suite
Burp Suite
is an integrated platform and graphical tool for performing security testing of web apps, by testing, mapping and analyze the application's attack surface.
it is written in Java, developed by PortSwigger.
can be used as proxy server, scanner, intruder, repeater, spider, decoder, comparer, sequencer, extender and more.
Using the Repeater tool:
Example of a GET request on port 80:
Example of a 301 Moved Permanently response and redirection:
301 response received:
By clicking the
Follow redirection
button, it follows the redirection (to the Location) in the current response without manually modifying the request to the target domain. I this case it got redirected to the HTTPS page:
OpenSSL
OpenSSL
is a full-featured toolkit for general-purpose cryptography and secure communication, a widely used implementation of the Transport Layer Security (TLS) protocol.
📕 Check the OpenSSL Cookbook by Ivan Ristić.
Establish a HTTPS connection using the s_client subcommand:
the SSL handshake is only done at the beginning of the session.
openssl s_client -connect my.ine.com:443
openssl s_client -connect HOTS:PORT -debug
- to analyze the handshake and the encrypted communication.
openssl s_client -connect HOTS:PORT -state
- to print the state of the handshake.
openssl s_client -connect HOTS:PORT -quiet
- no s_client output.
In Burp Suite, HTTPS can be flagged to be used in the Repeater target configuration:
no handshake/encryption shown
focus on analyzing the request
📌 More on Burp Suite in the PortSwigger Documentation
HTTP Cookies
⚡ P.T. Usage:
Cookies are foundation of authorization of many applications
Lots of exploits rely on stealing cookies
To make HTTP (stateless) work like a stateful protocol, cookies were invented by Netscape (in 1994).
Cookies
are stored in the cookie jar of the web browser, a storage space used by the browser.To set a cookie, the server must use the
Set-Cookie
HTTP header field in the response message. The cookie will be sent from the server to the user agent:
Cookies Format
Cookies contain the following attributes:
Attribute | Value |
Cookie content - KEY=Value |
|
Expiration date - validity time window |
|
Max-Age - Seconds until cookie expiration |
|
Path - in the requested URL |
|
Domain - Host to send the cookie to |
|
Optional Flags |
|
Cookies are sent only to the valid domain/path, according to their expiration date and their flags, and browsers use these attributes to choose to send a cookie in a request or not.
Cookies Domain & Path
The scope of the cookie is set by the
Domain
andPath
fields, so the browser send the cookie only to the right domain.After a web server sets the domain field via a cookie, the browser will use the cookie for every request sent to that domain and all its subdomains.
If domain attribute is not specified, the browser will automatically set the domain as the server domain and set the
host-only
flag. The cookie will be sent only the that precise hostname.
The browser will send a cookie to the right domain and to any subpath of the path field value.
Other Attributes
Expired cookies are not sent to the server and session cookies expire with the HTTP session.
HttpOnly
flag forbids JavaScript from accessing the cookie. It prevents any non-HTML technology (JavaScript, Flash, Java ...) from reading the cookie, mitigating cross-site scripting attacks (cookie stealing via XSS).Secure
flag creates secure cookies sent only over an HTTPS connection. It's more resistant to man-in-the-middle attacks (MITM).A server can set multiple values (key=value) with a single Set-Cookie header.
📌 For more in depth info on cookies format and usage, refer to the RFC 6265 - HTTP State Management Mechanism.
Sessions
Websites can also store information (variables specific for a given visit) on the server side instead of the client side, by using sessions.
Each user session is identified by a
session id
ortoken
assigned by the server to the client, which presents this ID for each subsequent request.By that session ID, the server retrieves the state of the client and its associated variables.
Session ID can be stored as a cookie, form field or URL.
It is a unique number used to identify a logged in user session.
Application logic is hidden and the cost of cookies data transmission is reduced.
Session Cookies
Session IDs are installed on the web browser by using session cookies.
Each development language has its own default session parameter name:
PHPSESSID
,JSESSIONID
, custom-names, etc.Session IDs are also transmitted via
GET
requests.
Browser activities generating session cookies are:
logging in
opening a specific web page
change settings in the web application
📌 For more in depth information check the Beginner Guide to Understand Cookies and Session Management article.
A web developer tool can be used to analyze web applications, examine, edit, and debug HTML, CSS, and JavaScript, inspect and manipulate Cookies.
Firefox has a built in set of web developer tools - Firefox DevTools.
Same Origin Policy (SOP)
SOP
(Same Origin Policy) is a web browser security mechanism that restricts scripts on one origin from accessing data from another origin. For example, it prevents JavaScript code from getting or setting properties on a resource coming from a different origin.
Web application security is entirely based on Same Origin Policy.
Domain (hostname), port and protocol must match to determine if JavaScript can access a resource.
SOP applies to the actual code of a script.
SOP allows embedding of external resources with HTML tags like
img
,script
,iframe
,video
, etc. Any JS on the page won't be able to read the contents of these resources.There some exceptions to the same-origin policy (
location
,length
,replace
, others).Cookies are often accessible from all subdomains of a site (the is technically a different origin) - check the
HttpOnly
flag.
Burp Suite Tool
⚡ P.T. Usage:
Web application behavior study and analysis
Attacks, finding and test vulnerabilities
Burp Suite is an intercepting proxy
, a tool that lets the user analyze and modify any request and any response exchanged between an HTTP client and server.
Another widely used intercepting tool is OWASP Zed Attack Proxy (ZAP).
Intercepting proxy is NOT a web proxy. Proxy servers provides a gateway (a layer of security as web filters, firewalls) between end-users and the web pages they visit online.
Burp Suite will let a user:
Intercept requests and responses between the browser and the web server
Requests can be intercepted and modified before they are sent to the remote server
Build requests manually
Header and body of a message can be manually or automatically altered
Crawl a website automatically
Fuzz web apps with valid/invalid inputs to test their behavior
Burp Suite - Tools
Proxy - operates as a web proxy server that let the user view, intercept, inspect and modify the raw traffic passing in both directions. Operates in conjunction with Burp's browser (or with external browser with Burp's CA certificate and an addon like FoxyProxy).
Intercept and modify headers in the Raw tab or in the Headers tab of the Inspector tool.
Even with interception off, Burp will still collect info on the traffic. This can be checked in the Proxy - History tab or in the Target - Site Map tab.
Repeater - used for manually manipulating and reissuing raw HTTP and WebSocket messages, in order to analyze the application's response.
Provides syntax highlighting, raw and rendered responses, integration with other Burp tools.
netcat
ortelnet
can be used to do the same thing too, without the above benefits.Proxy can intercept a request and send it to the Repeater function (
CTRL+R
):
📌 For a better overview of all the Burp Suite Tools, check the official documentation here.
🔬 Check Burp Suite Basics - Directory Enumeration lab.
Last updated