There's a tried and true method for seeking out the maximum number of vulnerabilities possible when testing your Web applications for security flaws. No, it's not a high-end Web application vulnerability scanner but rather a free "technique" that you can improve over time. You may not learn the methods overnight, but once you do, it's virtually guaranteed to take your Web vulnerability testing to the next level. It's stepping into the mindset of a malicious attacker and delving in to see what else in the Web application can be exploited.
Many people refer to this approach as penetration testing, but it's actually more than that. Technically speaking, it's called ethical hacking. This term always generates a few giggles, but it's indeed a valid form of security testing. The thing is, you'll find that by looking at your Web applications from the dark side you'll uncover and exploit weaknesses that automated scanners or checklist audits wouldn't touch in a thousand years.
The malicious mindset isn't limited to the stereotyped "hacker" as we know him. Anyone can have a malicious mindset -- not just an outsider. So, think about what an authenticated and trusted insider could do. In many cases, it's not going to be fancy cross-site scripting (XSS) or SQL injection but rather basic login mechanism tampering or URL or form field manipulation. Maybe even exploiting file transfer capabilities or disabling certain security features that no one knew he had access to.
Here's a perfect example of hacking Web applications from inside the attacker's mind:
While working on a project recently, I came across an internal Web server that hosted the security management/control application for the organization's data center. When trying to log in to the application, it prompted me for the password. I didn't have it. This is where most security scans and checklist audits would stop. But taking things further, I thought I'd Google the Web server and application name (which were conveniently displayed on the login page) along with the words "default password". Within about 3 seconds I had the default login ID and password, and sure enough, they worked!
Having more malicious thoughts, I went on to see what else could be done with the data center's controls. Conveniently, I now had the ability to do the following:
- Monitor a live video feed from inside the data center
- Reset the administrator password
- Disable logging
- Change the time on the server (to mess up any logging that had already taken place)
- Disable the door alarm sensor
- Raise the room temperature alarm threshold
Had this been a real-world intrusion, the attacker would have "owned" the system and had at his disposal all the right things to cause systems to crash, enable future access and cover his tracks. This is what the malicious mindset is all about: figuring out what can be done to perform dirty deeds in the shortest time possible with the least chance of getting caught.
Other examples of hacking Web applications from inside the attacker's mind that I've come across:
- A Web browser leaves login credentials stored in memory on a shared computer. A malicious user bellies up to the system, installs a hex editor, searches the computer's memory for "password" and the like and finds the previous user's login credentials. Boom, he's in.
- An FTP log file is accessible and shows entries pointing to the local administrator's home directory (conveniently the same thing as his user ID). The attacker uses this name in a password cracking attack against the user's Web mail account.
- IIS WebDAV extensions are accessible to anyone on the Internet. An attacker exploits this, and by using basic HTTP requests he's able to create folders, upload malware and delete folders on the server to his heart's content.
- A minimum password requirement for a site is five numbers. Nothing fancy or complex. Knowing that most users do only what's required of them and nothing more, an attacker uses this information to tweak his Web password cracking tool to brute force dozens of passwords within minutes.
- An e-commerce application has an authentication weakness that allows a user to browse back to edit his shopping cart and account settings even after the login has timed out. An attacker can abuse this on a shared computer to manipulate someone else's order, change the shipping address, view credit card information and more to his advantage.
- A Web application uses a browser plug-in to pass a cookie to authenticate the user to the application based on the user's local Windows login ID. If the user's Windows account doesn't have Web application privileges, that's OK. All the attacker has to do is use a Web proxy to catch the HTTP cookie session during the authentication process and change the login ID to a known good one -- say the network administrator's login name -- and boom, he's in.
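The last two items share one root cause: the server trusts what the client hands back (a stale session, or a login ID sitting in a cookie). As an added illustration that is not code from the article, the following shows the insecure "read the login ID out of the cookie" pattern beside a hardened check that rejects both a rewritten login ID and a timed-out session; the key, token format and sample identities are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(login_id: str, ttl_seconds: int, now=None, key=SECRET_KEY) -> str:
    """Mint a cookie value 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"login_id": login_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def insecure_login_id(cookie: str) -> str:
    """The weakness from the article: the server believes whatever login ID the client sent."""
    return json.loads(_b64d(cookie.split(".")[0]))["login_id"]

def verify_session(cookie: str, now=None, key=SECRET_KEY):
    """Hardened check: return the login ID only if the tag verifies and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie: treat as not logged in
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # payload was altered after the server signed it
    data = json.loads(payload)  # safe to parse: payload is now known to be ours
    if data.get("exp", 0) <= now:  # idle timeout: no cart or account edits past this point
        return None
    return data.get("login_id")

def rewrite_login_id(cookie: str, new_login_id: str) -> str:
    """Reproduce the proxy edit the article describes, only to show the hardened check rejects it."""
    payload_b64, tag_b64 = cookie.split(".")
    data = json.loads(_b64d(payload_b64))
    data["login_id"] = new_login_id
    return _b64e(json.dumps(data, separators=(",", ":")).encode()) + "." + tag_b64
```

The server-side secret is what stops the cookie edit: without it the client cannot produce a valid tag for a different login ID, and the embedded expiry closes the stale-session hole on a shared computer.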
The possibilities are endless.
Criminals are thinking malicious thoughts, and we as IT and security professionals need to as well if we're going to defend against them. You can test this malicious mindset concept anywhere. The next time you're at a friend's house or in the grocery store, look around and see what could be exploited for ill-gotten gains. Things ranging from door hinges accessible from outside a house to a harried father walking 50 feet ahead of his toddler are weaknesses just waiting to be exploited. All it takes is one bad guy to come along and act upon it.
Work on this over and over again to sharpen your malicious eye and use an otherwise negative approach to security weaknesses in a positive way. Noticeable changes will soon follow.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels blog and information security audio books providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.