Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/91407
Title: Grey hat hacking web applications
Authors: Gatt, James (2010)
Keywords: Hacking
Penetration testing (Computer security)
Computer crimes -- Prevention
Issue Date: 2010
Citation: Gatt, J. (2010). Grey hat hacking web applications (Bachelor's dissertation).
Abstract: The field of web security is constantly evolving, with statistics showing that web applications are the most common target of today's web attacks, accounting for 82% of all published commercial vulnerabilities in the first half of 2009, according to the Cenzic Security Report 03-04 for that year. Indeed, with the growing popularity of e-commerce, especially B2B (Business to Business) and B2C (Business to Client) marketing, along with a notorious lack of effective security measures in web applications, cyber criminals have been provided with a more attractive target to attack, and one from which they stand to gain more, both in notoriety and financially. Attacks against web applications normally target a specific part of their infrastructure: for example, Cross-Site Scripting (XSS) attacks target clients communicating with web applications (in effect, the users), Operating System (OS) Commanding attacks target the server, in particular the underlying OS, while SQL Injection attacks target the backend functionality, usually the databases in which the web application's data is stored. In reaction to the recent surges in the number of attacks targeting the web application domain, a number of tools, systems and methodologies have emerged to deal with the most commonplace of these attacks, giving developers a basic line of defence. They vary in nature, from validation measures that block malicious data from being sent, to sanitization filters that either block attack patterns or escape them, rendering them benign. However, all these features are by no means exhaustive: with the attacks in their basic form being blocked, attackers are now changing the focus of their efforts to encoding their attacks with functionality designed to bypass security releases. Thus, the field of penetration testing is still as important as ever when it comes to web applications.
Penetration Testing involves probing a system for vulnerabilities by launching a number of attacks against it with the aim of breaking it. To aid developers to this end, a number of penetration testing frameworks have emerged, mostly commercial, but with a few exceptions, such as the Metasploit Framework. This open-source framework is composed of different types of modules that work in tandem: auxiliaries are used mainly for profiling purposes, exploits target vulnerabilities and are coupled with payloads which perform the actual attacking, and encoders are used to morph the payload, allowing it to bypass any present security measures. Together, these modules automate attacks against applications, in effect providing testers with a readily available library of vulnerabilities against which they can assess their work. However, the Metasploit Framework was developed around, and has traditionally been more attuned to, testing for lower-level vulnerabilities in applications, especially buffer overflows, that are hardcoded with a specific application in mind. The aim of this project is to expand on the Metasploit Framework, taking it from its primary direction of low-level vulnerabilities to the field of web application security, by using it to develop a number of modules targeting the client, server and backend parts of a web application, providing a good coverage of the most commonplace attacks in use today, with particular focus on targeting any defensive mechanisms dealing with input sanitization. Additionally, we will use this development to evaluate the suitability of the framework for application to the field of web application penetration testing. The modules developed during this evaluation demonstrate the Metasploit Framework's suitability for expansion to the field of web application vulnerabilities, and its potential to be a critical toolkit for any web application penetration testing effort.
Description: B.Sc. IT (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/91407
Appears in Collections: Dissertations - FacICT - 2010
Dissertations - FacICTCS - 2010-2015

Files in This Item:
File: B.SC.(HONS)IT_Gatt_James_2010.pdf
Description: Restricted Access
Size: 16.3 MB
Format: Adobe PDF


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.