Thursday, 28 December 2017

SESSION TOKEN VULNERABILITY IN WEB APPLICATIONS: WEBGOAT DEMO


Week Seven ↓

Most web applications require a mechanism for session management. This security function is performed with the help of session tokens. An application uses a token to uniquely identify a user’s requests and interactions (Portswigger, 2017). These tokens are assigned to users while they access resources (Raj, 2017). Since session tokens play a pivotal role in session management, attackers find them to be a point of interest. When tokens are compromised, it could lead to authentication bypass, account hijacking and, at worst, administrative access (Portswigger, 2017).

Generally, an attack on session tokens involves hijacking a valid user session by predicting session tokens generated by weak algorithms. This attack succeeds for several reasons, which include: indefinite session expiration time, a weak session token generation algorithm, short session tokens, insecure handling of session tokens and so on (Oriyano, 2016). The attacker analyses the session tokens to determine their pattern. This analysis is performed using automated tools like Burp Suite that inspect traffic between browsers and applications, trap cookies and collect a high number of session tokens.

Furthermore, “session management mechanisms can be vulnerable to attack if tokens are generated in an unsafe manner that enables an attacker to predict values of tokens that have been issued to other users. A password recovery token, sent to a user's registered email address is an example where an application's security depends on the unpredictability of tokens it generates” (Portswigger, 2017).

WebGoat, the web application used for this demonstration, is an insecure application maintained by Open Web Application Security Project (OWASP) and is designed to depict the behavior of a vulnerable environment (Akshay, 2017). The application shows a “common server-side flaw intended to help people learn about web application security and penetration testing techniques” (Akshay, 2017).

Countermeasures

This session management vulnerability can be mitigated by:
  • Using long random strings as session tokens;
  • Implementing a session timeout that destroys the session once it expires;
  • Associating the cookie authentication credential with an IP address;
  • Installing patches and software updates;
  • Generating session tokens only after successful login and accepting only session tokens generated by the server;
  • Passing the authentication cookies over an HTTPS connection only.
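The following is an added example, not code from the original post or from WebGoat: a minimal server-side session store that applies the countermeasures listed above (CSPRNG tokens, idle timeout, rejection of tokens the server never issued, IP binding). The class and method names are assumptions for illustration; the injectable clock exists only to make expiry testable.

```python
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of randomness per token
IDLE_TIMEOUT = 15 * 60    # destroy sessions idle for 15 minutes


class SessionStore:
    """Hypothetical session store; names are assumptions, not a real API."""

    def __init__(self, now=time.time):
        self._sessions = {}   # token -> session record
        self._now = now       # injectable clock (default: wall clock)

    def create(self, user_id, client_ip):
        """Issue a fresh token; call this only after a successful login."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # long, unpredictable
        self._sessions[token] = {
            "user": user_id,
            "ip": client_ip,
            "last_seen": self._now(),
        }
        return token

    def timeout(self, token):
        """Destroy the session (explicit logout or expiry)."""
        self._sessions.pop(token, None)

    def validate(self, token, client_ip):
        """Return the user bound to a token, or None if it is not accepted.

        Rejects tokens the server never issued (so a client-chosen token is
        never trusted), tokens presented from another IP address, and
        sessions idle longer than IDLE_TIMEOUT, which are destroyed.
        """
        record = self._sessions.get(token)
        if record is None:
            return None
        if record["ip"] != client_ip:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT:
            self.timeout(token)
            return None
        record["last_seen"] = self._now()   # sliding expiry
        return record["user"]
```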



References
Sean-Philip Oriyano. (April, 2016). CEH v9: Certified Ethical Hacker Version 9 Study Guide, Edition 3.
Akshay Rijhwani. (May, 2017). What is WebGoat? Retrieved from https://www.quora.com/What-is-WebGoat
Raj Chandel. (July, 2017). Beginner Guide to Understand Cookies and Session Management. Retrieved from http://www.hackingarticles.in/beginner-guide-understand-cookies-session-management/
Portswigger Web Security. (2017). Using Burp to attack Session Management. Retrieved from https://support.portswigger.net/customer/portal/articles/1964053-using-burp-to-attack-session-management

 
Video Credit: Jdasinger. May 10, 2017



Tuesday, 26 December 2017

PHARMING ATTACK: DNS CACHE POISONING USING MORPHEUS




Week Six ↓
In a pharming attack, a Domain Name System (DNS) host record is manipulated to redirect a website’s traffic to another, malicious website. This can also be done by exploiting DNS server software vulnerabilities. An example of this attack, also called DNS spoofing, was recorded in 2010, when the Great Firewall of China blocked websites at the DNS level by pointing them to an incorrect address. An ISP then mistakenly configured its DNS server to pull information from these servers, and this cached information spread across many other ISPs until there was a major inaccessibility of internet resources (Chris, 2016).

OVERVIEW OF DNS CACHE POISONING 
DNS helps to contact the appropriate server for any domain name to be accessed. This server resolves the domain name into an IP address, and the information becomes accessible once this logical address is located. Since it is not feasible for the internet to have a single DNS server, ISPs run their own DNS servers, home routers act as caching DNS servers, and DNS entries are cached on your computer as well. This reduces the latency of looking up DNS information.
This DNS cache, like the hosts file (located in C:\Windows\System32\drivers\etc on Windows), can be manipulated to specify that a domain name is reached through the attacker’s IP address. In the screenshot below, the victim is redirected to a spoofed website upon entering “facebook.com”. This DNS spoofing attack can be done with a tool called Morpheus.
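As an added example, not part of the original post, the following script checks hosts-file contents for the kind of tampering described above: a well-known domain overridden with an address that is not loopback. The watched-domain list and the sample hosts text are constructed for illustration; on a real Windows machine the text would be read from the path given above.

```python
import ipaddress

# Domains whose presence in the hosts file is unexpected (constructed list).
WATCHED_DOMAINS = {"facebook.com", "www.facebook.com", "google.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not a valid address, so not a valid entry
        for host in fields[1:]:
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs for watched domains mapped to a
    non-loopback address, i.e. candidates for pharming redirection."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in watched and not ip.is_loopback:
            hits.append((host, str(ip)))
    return hits


# Constructed sample: one injected entry among normal ones.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.168.1.66    facebook.com www.facebook.com   # injected entry
0.0.0.0         ads.example.com
"""

if __name__ == "__main__":
    for host, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host} -> {ip}")
```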

“Morpheus is a framework tool which automates TCP/UDP packet manipulation tasks by using etter filters to manipulate target requests/responses under MitM attacks, replacing the TCP/UDP packet contents before forwarding the packet back to the target host” (TWR, 2016). With Morpheus, DNS lookups can be hijacked and manipulated in an easy way.



Mitigation

DNSSEC provides a solution to this by using asymmetric keys to sign DNS entries. This way, all records are authenticated to tell trusted and illegitimate records apart (Chris, 2016). 


References
Chris Hoffman. (September 2016). What is DNS Cache Poisoning? Retrieved from https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/

TWR. (December, 2016). Morpheus-Automated Ettercap TCP/IP Hijacking Tool. Retrieved from https://latesthackingnews.com/2016/12/19/morpheus-automated-ettercap-tcpip-hijacking-tool/

Video Credit: MrPedroUbuntu. December 26, 2016


Thursday, 14 December 2017

SESSION HIJACKING USING FIRESHEEP




Week Five ↓

Most websites use Secure Sockets Layer (SSL) encryption (indicated by ‘https://’) when a user submits login credentials, but subsequent data exchanges are not encrypted (Krebs, 2010). These websites use cookies to identify sessions, and these cookies are sent unencrypted with post-login data. Once an eavesdropper intercepts these cookies while sniffing and learns their contents, a bogus HTTP request can be created using the cookie to access the victim’s account. In 2010 Eric Butler released a tool called “Firesheep” that allows “hackers to eavesdrop on unencrypted wireless networks and steal the sessions of other users who are logged on to popular websites” (Mike, 2011). With this Firefox extension, a malicious user can gain access to other users’ sessions. Firesheep is available on all operating systems.

Countermeasures

“The most effective solution to this is end-to-end encryption, known on the web as HTTPS or SSL” (Krebs, 2010). Two of the most widely used Firefox add-ons that provide encryption while surfing using public networks are presented. They force specific websites to encrypt all traffic (including post-login traffic) (Krebs, 2010).

  • HTTPS Everywhere. “This extension encrypts communication with a number of major websites by default” (Mohit, 2010). It also allows users to add other sites to the “HTTPS” list.
  • Force-TLS. This add-on does not come with any websites listed, but allows you to add new websites to its list.


Also, tunneling your connections through a VPN provides encryption and hides your communication from eavesdroppers (Mike, 2011).
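The browser add-ons above force HTTPS from the client side; the server-side counterpart is to mark session cookies Secure and send a Strict-Transport-Security (HSTS) header. The following is an added example, not code from the original post, that audits a raw HTTP response for the conditions Firesheep relies on: session-looking cookies a browser would also send over plain HTTP. The cookie-name hints and the sample response are constructed.

```python
# Substrings that suggest a cookie carries a session identifier (constructed).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_headers(raw_response):
    """Return (name, value) pairs from a raw HTTP response, names lowercased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(raw_response):
    """List weaknesses: session cookies lacking Secure/HttpOnly, and no HSTS."""
    headers = parse_headers(raw_response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}   # e.g. {"path=/", "httponly"}
        if not any(h in cookie_name.lower() for h in SESSION_COOKIE_HINTS):
            continue                              # not a session cookie
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly (readable by script)")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header (HTTP downgrade possible)")
    return findings


# Constructed sample: the post-login response of a site vulnerable to Firesheep.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in cookie_findings(SAMPLE_RESPONSE):
        print(finding)
```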

References

Krebs Brian. (October, 2010). ‘Firesheep’ Baaaaad News for the Unwary. Retrieved from https://krebsonsecurity.com/2010/10/firesheep-baaaaad-news-for-the-unwary/
Mohit Kumar. (November, 2010). HTTPS Everywhere: Another tool to protect from Firesheep. Retrieved from https://thehackernews.com/2010/12/https-everywhere-another-tool-to.html
Mike Chapple. (February, 2011). Firesheep, Fireshepherd, and Facebook: Understanding Session Hijacking. Retrieved from http://www.ciscopress.com/articles/article.asp?p=1680707&seqNum=2


Video Credit: Daniel Taschik. November 14, 2012

Sunday, 10 December 2017

TEAMVIEWER VULNERABILITY-BE AWARE




Week Four ↓
Most of us use third-party remote desktop applications for several tasks. TeamViewer is one of these applications, and it was recently discovered that you can completely take over a server (the remote desktop session initiator who needs to view a user's desktop) or a client (the user whose desktop is shared) without the victim's consent (Swati, 2017).
The exploit leverages "naked inline hooking and direct memory modification to change TeamViewer permissions" (Swati, 2017). Gellin, who wrote the code, stated that it allows the server (hacker) to enable the "switch sides" feature after authenticating with the client (victim) (Gellin, 2017). Conversely, it allows the client (hacker) to control the server's (victim's) mouse and keyboard.


Attack vector

The Gellin tool “utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes” (Gellin, 2017). It then “applies inline naked hooks also known as code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes” (Gellin, 2017).

Mitigation

The vulnerability is cross-platform; it exists in the Windows, Linux and macOS versions of TeamViewer and can be mitigated by installing patched versions of the software as soon as they become available (Swati, 2017).


References

Gellin. (December, 2017). TeamViewer Permissions Hook V1. Retrieved from https://github.com/gellin/TeamViewer_Permissions_Hook_V1
Swati Khandelwal. (December, 2017). New TeamViewer hack could allow clients to hijack viewers’ computer. Retrieved from https://thehackernews.com/2017/12/teamviewer-hacking-tool.html


Video Credit: Tutoriale PC. December 8, 2017