The anatomy of a web exploit


Overview

I started out in cybersecurity only a year ago, and one of the things that got me into security was web application security and network security. I hope that I can use this blog to share some interesting insights into what got me into infosec, and provide some resources which have helped me so far. I am only a year into this, so this is pretty much the beginning of the beginning, and there is a mountain to climb ahead.

History of the World Wide Web

In the 1990s, when the Internet was born, the landscape was quite different from what it is today. Playing games directly in the browser, videos that auto-adjust to our internet speed, Netflix occupying our free time: we had none of this. The infamous dial-up tone and the wait to load a simple website made up the childhood memories of a typical 90s kid.

The first seed that led to the development of the World Wide Web, however, was sown much earlier. Memex was a hypothetical system proposed in 1945 in which individuals could store a large number of books and create and follow links between associated documents and personal annotations. In the 1960s IBM came up with the Generalized Markup Language (GML), which would evolve into SGML, a precursor to the HTML that was to come.

By the mid 1990s the web would start to become popular and users would begin to shift from older technologies to the new kid on the block, the web browser, beginning the browser wars. Note that this was a time with little to no standards in place. Browsers competed over which one could display even the most poorly coded HTML, as a show of superior compatibility over the competitors, and this bred anarchy. In 1994, Tim Berners-Lee and Dan Connolly began working on a cross-platform markup language called HTML to set a standard, curb the anarchy and fill the void left by the lack of standards, and would then begin formulating HTTP with IP addresses, path names and domains, birthing the World Wide Web. The handful of corporations who could sponsor them formed the W3C and began working on HTML 2.0, eventually leading to HTML 3.2.

From the new millennium onwards, Netscape would fade into a name reminiscent of a gone era, and Microsoft would become a big player with IE controlling close to 90% of the browser market share (yes, there was a time when IE was big). Microsoft would gift something really important in the context of the Web, XMLHttpRequest, which would later be synonymous with AJAX. Cases of virus infection would grow exponentially too, thanks to the faster spread mechanism of the Internet, and there is no great story without villains. Phreakers (phone hackers) would now evolve into hackers, and malware would begin to use email, social engineering and other novel attacks to spread.

Owing to XMLHttpRequest and the growing popularity of the Internet, Web 2.0 would be born, leading us from the static web to a more dynamic web built on multiple scripts, and multiple browsers would compete to dethrone IE. With Web 2.0 the evolution of the user as a threat would materialise, browser security would begin to be exploited, and people would begin to get Rick Rolled on YouTube. Behold! This would mark the commencement of the era of the new web. Websites like Facebook and YouTube would dominate the Internet, and with the rise of crowd-attracting websites, attackers would identify these as lucrative targets with impact and payoff.

Now we are anticipating Web 3.0, with the focus shifting to anti-monopoly and privacy, and not just security. DuckDuckGo and the Tor Project would be the harbingers bringing privacy to the forefront of discussion on the Web. The cry to remove middlemen and the rise of blockchain are built around the central narrative of putting end users in control and in ownership of their data. Services like Tutanota have birthed an email service which is end-to-end encrypted, to serve a better privacy model for email, and WhatsApp is built with end-to-end encrypted chats using the Signal Protocol. These have set the cogs in motion, and further advanced the initiative for a Web centered around privacy.

Web-security

The web model would mark a dramatic shift in application security. It would separate the “client”, consisting of the user and the browser, from the server, which would be the owner of the domain. Support for multimedia and dynamic content would bring new challenges. The need for persistent user sessions, and the encryption used for HTTPS certificates, would mandate the CA model as the web standard, as new attacks appeared and security measures needed to be set in place to ensure that these mechanisms are defended substantially.

Browsers would become the pivotal point and frontline defense of user privacy and security. The handling of cookies would spawn attacks like XSRF, one of which would end up plaguing the popular site MySpace. With all that said, we can conclude that the web has become a complex tool of many cogs and parts, with intricate details that could be exploited. Let’s move on to the section on resources and how to get started climbing this mountain and embarking on this Odyssey (That was too )

My guide to web security

Before you jump in and start using automated tools: they will give you results, but you would end up facing a roadblock very soon. The harder, longer, boring path of going through the concepts always pays off in the long run.

Step 1: Understand HTTP

Since this is the base protocol that powers the web, understanding just how it works goes a long way. HTTP itself is connectionless, but it uses a connection-based transport protocol, TCP. It is important to understand that HTTP by its nature is stateless; sessions and persistence are added to the Web by mechanisms such as cookies.

Step 2: Understand web technologies (HTML/Javascript/CSS)

It is important to understand what JavaScript is and how it works. A lot of client-side attacks exploit JavaScript in one way or another, so understanding how it works is important. Also, it is important to understand the difference between AJAX requests and normal navigation requests (following an href link or typing a URL).

Step 3: Understand Same Origin/ Cross-Origin, Cookies

Attacks like CSRF are pivoted around the Same-Origin Policy, and CORS is put in place to relax the SOP. It is important to understand which mechanism controls what, and how the browser is the centre of user security on the Web.
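To make Steps 1 and 3 concrete, here is an added example (not code from the original post) of a minimal server-side request gate: HTTP carries no state, so identity comes from a session cookie; CORS relaxes the Same-Origin Policy only for allowlisted origins; and a state-changing request must carry a CSRF token bound to that session. The origin `https://app.example`, the secret and the sample request are constructed assumptions.

```python
import hmac, hashlib
from http.cookies import SimpleCookie

ALLOWED_ORIGINS = {"https://app.example"}  # assumption: the site's own origin
SECRET = b"constructed-server-side-secret"  # sample key, never sent to the browser

def cors_headers(origin):
    """Relax SOP only for allowlisted origins; never reflect arbitrary origins with credentials."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def csrf_token(session_id):
    """Token bound to the session id, so it is useless for any other session."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def accept(raw):
    """Decide whether a state-changing request may proceed; returns (ok, reason)."""
    method, _path, headers, body = parse_request(raw)
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, no state change"
    cookies = SimpleCookie(headers.get("cookie", ""))
    if "session" not in cookies:
        return False, "no session cookie: HTTP itself carries no state"
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    form = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    sent = form.get("csrf", "")
    if not hmac.compare_digest(sent, csrf_token(cookies["session"].value)):
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with a token bound to this session"

# Constructed sample: a legitimate POST from the site's own page.
SAMPLE = ("POST /transfer HTTP/1.1\r\nHost: app.example\r\nOrigin: https://app.example\r\n"
          "Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
          "to=bob&amount=10&csrf=" + csrf_token("abc123"))
```

Changing the Origin header or the token in SAMPLE flips the decision, which is exactly the distinction the browser's SOP and the server's CSRF check are meant to enforce.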

Step 4: Develop a web application, Break it, Patch, Repeat

Computer science and computer security are not dichotomies. All good and experienced hackers are intrinsically computer scientists. Read the biography of Kevin Mitnick; that guy’s love of computers made him the god that he is today. LiveOverflow is an absolute GOAT at it, and his immense knowledge of JavaScript and security led him to find XSS in Google. If you can break things but do not know how to patch them, the knowledge would be of little value.

Once you develop and break a web application by carrying out the common attacks, you get something invaluable: perspective. You would know how easy or hard it is to miss things while building a web app.

Step 5: Play CTFs, test yourself and adapt

Play web-based challenges to keep yourself in the game, and read up on news, techniques and safeguards. I have placed the resources to practice in a separate section down below.

The web is a dynamic place, where attacks become relevant and then harder to achieve as new defenses arrive and awareness spreads. Learn about the new defenses and the latest web exploits, and follow people on Twitter and YouTube such as LiveOverflow.

Resources

With all that being said, I have put down a list of resources such as books, GitHub repos, courses and CTF-styled challenges which have helped me. I will keep updating this section as I find more helpful resources and links.

Courses

  • Pentester Academy courses are a really good place to start with the whole of security in general. The content is amazing and covers a wide array of evolving topics. The tutor, Vivek Ramachandran, is really good at teaching concepts from the ground up, and he knows whatever topic he is teaching extremely well. The web security courses are listed below, and each one is really incisive:
    • Javascript for Pentesters
    • Web Application Pentesting Challenges
    • Web Application pentesting
  • This GitHub repository is really good for following courses on information security in general: awesome-infosec

Books

  • The Web Application Hacker’s Handbook, 2nd edition: the de facto guide to getting started in web application security. It is really exhaustive and covers the entire web hacking mindset and methodology really well. It includes the authors’ experiences in web security, and how they bypassed seemingly secure defense mechanisms. These are the guys behind the company PortSwigger, which gave us the famous web proxy and security toolkit Burp Suite. PortSwigger has its own set of web security challenges which you should check out. This book, as of this date, is somewhat outdated and does not cover topics like CSP, but it is really good to get started.

  • The Tangled Web: this book is definitely one of the finest books on web security. It is well written, and covers topics like URL parsing and browser security in great depth. No matter where you are in becoming good at web security, this book is definitely worth a read, even though it was written a while back.

  • Real-World Bug Hunting: this book is from the co-owners of HackerOne, and is really useful for getting started at bug bounty and putting the knowledge you have been gathering for so long to real-world vulnerability hunting.


Web-based Challenges

These are some of the challenges I played; there could be a lot out there better than these. I will add to the list as I discover more and more challenges.

  • Google’s XSS game: this one is hosted by Google and is a great exercise in thinking outside the box for XSS challenges. It is a set of 6 challenges, and really fun to solve. https://xss-game.appspot.com/
  • Natas Wargames: the OverTheWire wargames community has done a great job maintaining fun computer security challenges, kudos to them. I have only played Bandit and Natas and learnt a great deal while playing them. Definitely check them out. For web security the challenge they host is called “Natas”, a series of 34 challenges in web security. https://overthewire.org/wargames/natas/
  • Net-Force: another set of numerous fun challenges on web security is Net-Force, which hosts multiple challenges under different categories. https://www.net-force.nl/challenges/
  • Other: the other challenges which are really useful, and not necessarily strictly in the domain of web security, are VulnHub, Root-Me, Hack The Box and PentesterLab. Root-Me and VulnHub are free, but I guess you need to pay to access all of PentesterLab. Pentester Academy has its own set of diverse labs on security at https://attackdefense.com

For CTFs, the best place to check and compete is https://ctftime.org/ctfs.

Some important YouTube channels to follow are LiveOverflow and John Hammond.

To keep yourself updated, follow /r/netsec on Reddit, which has security news, breaches and even hiring threads.