A Web Application Hacker’s Toolkit
Some attacks on web applications can be performed using only a standard web browser; however, the majority of them require you to use some additional tools. Many of these tools operate in conjunction with the browser, either as extensions that modify the browser’s own functionality, or as external tools that run alongside the browser and modify its interaction with the target application.
The most important item in your toolkit falls into this latter category, and operates as an intercepting web proxy, enabling you to view and modify all of the HTTP messages passing between your browser and the target application. In recent years, basic intercepting proxies have evolved into powerful integrated tool suites containing numerous other functions designed to help you attack web applications. We will examine the three most popular integrated suites and describe how you can best make use of their functionality.
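The core operation of the intercepting proxy described above, as an added illustration that is not the book's own code or any particular tool's: each request is parsed, any part of it can be edited by a hook, and the message is re-serialized before it is forwarded. The host name, session cookie and form fields in the sample request are constructed for this example.

```python
"""Added example (not from the book): a minimal model of what an intercepting
proxy does per request: parse, let a hook edit any part, re-serialize. Cookies,
hidden fields and headers are all editable, so the server must validate them."""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list = field(default_factory=list)  # (name, value) pairs, order kept
    body: bytes = b""

def parse_request(raw: bytes) -> HttpRequest:
    """Parse a raw HTTP/1.x request (CRLF line endings) into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)

def set_header(req: HttpRequest, name: str, value: str) -> None:
    """Replace a header in place (case-insensitive), or append it if absent."""
    for i, (n, _) in enumerate(req.headers):
        if n.lower() == name.lower():
            req.headers[i] = (n, value)
            return
    req.headers.append((name, value))

def set_form_field(req: HttpRequest, name: str, value: str) -> None:
    """Edit one field of a urlencoded body and keep Content-Length consistent."""
    fields = dict(parse_qsl(req.body.decode("iso-8859-1"), keep_blank_values=True))
    fields[name] = value
    req.body = urlencode(fields).encode("iso-8859-1")
    set_header(req, "Content-Length", str(len(req.body)))

def serialize(req: HttpRequest) -> bytes:
    """Rebuild the request bytes exactly as a proxy would forward them."""
    head = f"{req.method} {req.target} {req.version}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in req.headers)
    return head.encode("iso-8859-1") + b"\r\n" + req.body

# Constructed sample: a form post carrying a session cookie and a hidden field.
SAMPLE = (b"POST /cart/add HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n"
          b"\r\nitem=42&price=100&qty=1")
```

Round-tripping SAMPLE through parse_request and serialize yields the identical bytes, which is the property a proxy needs so that an unmodified request reaches the server unchanged.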
The second main category of tool is the web application scanner. This is a product designed to automate many of the tasks involved in attacking a web application, from initial mapping through to probing for vulnerabilities. We will examine the inherent strengths and weaknesses of web application scanners, and briefly look at the two current market leaders in this area.
Web Browsers
A web browser is not exactly a hack tool, being the standard means by which web applications are designed to be accessed. Nevertheless, your choice of web browser may have an impact on your effectiveness when attacking a web application. Further, there are various extensions available to different types of browsers, which can assist you in carrying out an attack.
Internet Explorer
Microsoft’s Internet Explorer (IE) is currently the most widely used web browser, comprising approximately 60% of the market at the time of writing. Virtually all web applications are designed for and tested on IE, making it a good choice for an attacker because most applications’ content and functionality will be correctly displayed and usable within IE. In particular, other browsers do not natively support ActiveX controls, making IE mandatory if an application employs this technology. One restriction of IE is that, unlike the other browsers, it ties you to the Microsoft Windows platform.
Because of IE’s widespread adoption, when you are testing for cross-site scripting and other attacks against application users, you should always try to make your attacks work against this browser.
Various useful extensions are available to IE that may be of assistance when attacking web applications, including the following:
■ HttpWatch analyzes all HTTP requests and responses, providing details of headers, cookies, URLs, request parameters, HTTP status codes, and redirects.
■ IEWatch performs very similar functions to HttpWatch, and also provides some analysis of HTML documents, images, scripts, and the like.
■ TamperIE allows viewing and modification of HTTP requests and responses within the browser.
Firefox
Firefox is currently the second most widely used web browser, comprising approximately 35% of the market at the time of writing. The majority of web applications work correctly on Firefox; however, there is no native support for ActiveX controls.
Figure -1: HttpWatch provides analysis of the HTTP requests issued by Internet Explorer.
There are many subtle variations among different browsers’ handling of HTML, particularly when this does not strictly comply with the standards. Often, you will find that an application’s defenses against cross-site scripting mean that your attacks are not effective against every browser platform. Firefox’s popularity is easily sufficient to make it a feasible target for XSS attacks, so you should test these against Firefox if you encounter difficulties getting them to work against IE.
A large number of browser extensions are available for Firefox that may be useful when attacking web applications, including the following:
■ FoxyProxy enables flexible management of the browser’s proxy configuration, allowing quick switching, setting of different proxies for different URLs, and so on.
■ Tamper Data allows viewing and modification of HTTP requests and responses within the browser.
■ LiveHTTPHeaders also allows modification of requests and responses, and replaying of individual requests.
■ AddNEditCookies enables the addition and modification of cookies’ values and attributes.
■ CookieWatcher enables a cookie’s value to be monitored in a status bar.
Figure -2: AddNEditCookies allows direct modification of cookie values and attributes from within Firefox.
Opera
Opera is a relatively little-used browser, having less than 2% of the market share at the time of this writing. Relatively few applications are specifically tested on Opera. Nevertheless, it provides a number of features that may be useful when attacking web applications. The interface is highly customizable, giving easy access to some of the more obscure features that attackers are often interested in. Here are some useful Opera functions:
■ F12+x enables or disables the proxy.
■ ALT+CTRL+L displays all the links in the document.
■ CTRL+F3 displays the syntax-highlighted source of the current page.
■ ALT+T+A+C displays cookies, and allows them to be edited.
■ ALT+T+D deletes all private data, which can be useful for cleaning up caches and cookies to create a fresh start within the application.
■ The Wand feature allows usernames and passwords to be remembered and automatically filled in on future visits.