Class 9 ‐ Web Application Security Fundamentals - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

Understanding Web Technologies

OWASP

  • Open Web Application Security Project.
  • Non-profit organization.
  • Provides application security information and guidance.
  • Provides free-to-use practice environments.
  • OWASP is an open community dedicated to exposing security weaknesses and raising awareness.

OWASP Top 10

  • A list of the most common web application vulnerability categories.
  • Used as an awareness baseline when assessing web application security.
  • Recommended as best practice when building a security framework.

Client vs. Server

  • Client side – Operations that take place locally, in the user's browser.
    • Clients request and render web page content stored on servers.
  • Server side – Operations that take place on the server.
    • Database management, resource distribution, etc.
  • Client and server communicate through a constant exchange of requests and responses, and that exchange can be targeted.

Client Side Technologies

  • Technologies that handle data on the client side; because they run on the user's machine, they are fully exposed to manipulation.
  • HTML - Used to present data on web pages.
  • CSS - Used to style the way data appears on web pages.
  • JavaScript - Used to program logic and enhance user interaction.
  • JS frameworks - Provide pre-programmed, ready-to-use features.

Server Side Technologies

  • Used for server-side programming and control. Server-side code is not visible to clients who request web pages; only its output is.
  • PHP - Common, easy-to-use, C-based scripting language.
  • ASP - Microsoft's less common language, based on .NET.
  • SQL - Language for defining and querying structured data, used with databases.
  • CGI - Interface that lets the web server execute external programs and commands.
  • JSP - Implements sub-applications, known as servlets.

Web Servers

  • Apache – The most commonly used HTTP server, featuring a high level of scalability and modularity.
  • Nginx – Designed for maximum efficiency using a minimum of resources.
  • IIS – Commonly used on Windows servers, with a less extensive feature set.

Apache2 Service

  • Available in most Linux distributions.
  • Installed by running apt install apache2.
  • By default, listens on TCP port 80.
  • Can be fully customized.
  • Apache configuration files are located under /etc/apache2/.

Start Apache

service apache2 start
  1. service – command used for service control.
  2. apache2 – the service that provides the HTTP server.
  3. start – the action that starts the service.

HTTP Request Methods

  • HTTP clients communicate with HTTP servers using request methods.
  • The GET method is used to request data.
  • The POST method is used to submit data to the server.

Request Method Identification

  • There are several request methods.
  • Nmap's http-methods script helps identify them.
  • It reports which HTTP methods the server advertises as supported.

Additional Request Methods

  • HEAD - Like GET, but the response carries only headers, without a body.
  • DELETE - Deletes the specified resource on the server.
  • PUT - Replaces a resource with the provided payload.
  • PATCH - Similar to PUT, but performs a partial modification.
  • TRACE - Used for message loopback testing and debugging.
  • CONNECT - Establishes a tunnel for a stateful connection (e.g. through a proxy, or for WebSocket-style traffic).
  • OPTIONS - Requests the communication options the server supports.
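The methods a server advertises are worth checking from the defender's side: a content site rarely needs more than GET, HEAD, POST and OPTIONS, and PUT, DELETE and TRACE should be disabled unless an application uses them. The script below is an added example (not from the class notes) that reads a saved OPTIONS response and flags any advertised method outside that expected set; the file name resp.txt and the EXPECTED_METHODS list are assumptions.

```shell
#!/bin/sh
# Added example, not from the class notes. Reads a saved OPTIONS response
# (e.g. from: curl -si -X OPTIONS http://localhost/ > resp.txt) and reports
# advertised methods that a plain content site does not need.

# Methods a typical content site needs (assumed); anything else is reported.
EXPECTED_METHODS="GET HEAD POST OPTIONS"

# Print the methods from the first Allow header, one per line, upper-cased.
allowed_methods() {
    grep -i '^Allow:' "$1" | head -n 1 | cut -d: -f2- \
        | tr ',' '\n' | tr -d ' \t\r' | tr '[:lower:]' '[:upper:]' | sed '/^$/d'
}

# Print advertised methods that are not expected; return 1 if any are found.
unexpected_methods() {
    found=0
    for m in $(allowed_methods "$1"); do
        case " $EXPECTED_METHODS " in
            *" $m "*) ;;                 # expected, nothing to report
            *) echo "$m"; found=1 ;;     # e.g. TRACE, PUT, DELETE
        esac
    done
    return $found
}

# Usage: unexpected_methods resp.txt && echo "only expected methods advertised"
```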

HTTP Headers

  • Carry additional information with requests and responses.
  • Apache's header module is enabled using a2enmod.
  • Custom HTTP headers can be added.

Enable Headers

  • Enables HTTP header functionality in Apache.
  • Headers cannot be set until the module is enabled.
  • Headers are configured in /etc/apache2/conf-available/security.conf.

Security Headers

  • X-Frame-Options
  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Security headers tell the browser how to handle responses and help defend against attacks on the HTTP server and its users, such as clickjacking, MIME sniffing and protocol downgrade.
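As an added example covering the Enable Headers and Security Headers slides (not the class's own code), the script below writes the mod_headers directives for the four headers listed above and audits a saved response to confirm they are actually sent. It assumes the directives go into the security.conf file named above after a2enmod headers and a reload, and that the response was saved with curl -sI; the file paths and the header values are assumptions.

```shell
#!/bin/sh
# Added example, not from the class notes. write_security_conf emits the
# mod_headers directives for the four class headers; they take effect once
# `a2enmod headers` has run, the file is included from security.conf and
# Apache is reloaded. audit_security_headers checks a saved response
# (curl -sI http://localhost/ > hdrs.txt) so the change can be verified.

SECURITY_HEADERS="X-Frame-Options X-XSS-Protection Strict-Transport-Security X-Content-Type-Options"

# Write the header directives to the file given as $1.
write_security_conf() {
    cat > "$1" <<'EOF'
# Only allow this site to be framed by itself (clickjacking defence).
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy browser XSS filter; modern browsers ignore it, older ones honour it.
Header always set X-XSS-Protection "1; mode=block"
# Browsers honour HSTS only when received over HTTPS; one year, all subdomains.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Stop browsers guessing a different content type than the one declared.
Header always set X-Content-Type-Options "nosniff"
EOF
}

# Report security headers missing from a saved response; return 1 if any are.
audit_security_headers() {
    missing=0
    for h in $SECURITY_HEADERS; do
        # Header names are case-insensitive, so match them case-insensitively.
        if ! grep -qi "^$h:" "$1"; then
            echo "MISSING: $h"
            missing=1
        fi
    done
    return $missing
}

# Usage: write_security_conf /etc/apache2/conf-available/security.conf
#        audit_security_headers hdrs.txt && echo "all security headers present"
```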

Certification

  • Certificates are digitally signed documents.
  • Provide authoritative identification of a server or organization.
  • Signed by a trusted certification authority (CA).
  • Verified using the authority's public key.

Burp Suite

Traffic Interception Tools

  • Burp Suite – Web proxy written in Java, used for web application security testing.
  • Fiddler – Web debugging proxy that enables HTTP traffic examination during development.
  • OWASP ZAP – OWASP's own pen testing proxy, combining the ZAP project with other OWASP projects into a complete solution.

Burp Suite Overview

  • The dashboard of the Burp Suite tool is shown on the right.
  • Provides multiple tools for security testing.
  • Works with add-ons (extensions) that enhance its tool set.

Burp Suite Tools

  • Repeater
    • Repeatedly sends requests and tracks changes in the responses.
    • Used to observe how the server reacts.
  • Intruder
    • Brute-force module.
    • Substitutes payloads into request parameters and sends the variants.
  • Sequencer
    • Captures values such as session tokens and examines their randomness.
  • Decoder
    • Performs conversion between various encodings and data types.
  • Comparer
    • Compares data captured within Burp against other data (e.g. two responses).

Burp Suite Proxy

  • Burp starts a listening proxy on 127.0.0.1:8080.
  • The web browser must be configured to use that proxy.
  • By default, only outgoing requests are intercepted; responses are not.

Burp Suite History

  • Proxied traffic can be seen in the HTTP history records.
  • Each record can be examined by clicking on it.
  • Viewing HTTPS traffic requires the browser to trust Burp's CA certificate.

Burp Suite Interception

  • The primary Burp Suite feature is traffic manipulation.
  • Interception is turned on by default, and intercepted requests are held until acted on.
  • The next step can be editing, forwarding, or dropping the held request.

Burp Suite Repeater

  • The Repeater resends captured requests to the server.
  • A captured request can be edited and then sent on to the server again.
  • Highly effective when testing client-server transactions.

Burp Suite Intruder

  • Performs brute-force testing using various payloads.
  • Captured parameters can be marked for substitution.
  • A payload list is selected for the substitution.

Burp Suite Sequencer

  • Sequencer tests the randomness of values such as session tokens.
  • Values that are not random enough can be guessed or forged.
  • Runs multiple statistical tests on the bit patterns of the sampled values.