02
  • 2.1
  • 2.2
  • 2.3
  • 2.4
  • 2.5
  • 2.6
  • 2.7

  • HTTP Request/Post Parameters

    So far we have looked at HTTP request methods, headers and HTTP response codes. Whilst any of these components could be used within Application processing the majority of our interaction is performed via HTTP Request parameters. POST parameters and cookies. In this section we take a brief tour of the common ways in which interaction with an application is achieved.

    Query String Parameters

    Query string parameters as the name suggests are passed within the query string following the name of the requested resource. A typical query string is formatted as follows:

    Resource ? Parameter = Value Delimiter Parameter Value
    /login.asp ? username = jill & password = s3cur31zz

    For example the following URL passes two parameters to the resource ‘login.asp” ; username and password with the values “jill” and “s3cur31zz” respectively.

    http://www.sec-1.com/login.asp?username=jill&password= s3cur31zz

    The above format is the industry standard for the majority of web application platforms such as ASP.NET, JSP, ColdFusion and PHP, however there are a number of alternative variants. For example, applications built on the Ruby on Rails framework pass query string parameters in the following format:

    Controller / Action / ID
    News / showarticle = 10

    The following URL invokes the application component (controller) and passes the value = “10” to the “showarticle” function.

    http://scanner.sec-1.cpm/news/showarticle/10

    Ruby on Rails also supports a more traditional format e.g.

    http://www.sec-1.com/authenticate/user/?username=jill&password= s3cur31zz

    A full analysis of Ruby on Rails and other variations is beyond the scope of this module. However the testing methodology is platform independent and applies to all web application technologies.

    It is the tester’s responsibility to identify parameters to the application by manipulating values passed to the application and monitoring the response.

    Identifying Query String Parameters

    Occasionally you will encounter an application where parameter values are not immediately obvious as in the previous examples. A number of steps can be taken in order to determine how a particular application is interpreting data passed via a URL.
    Modify the values passed on within the query string to include special characters such as ‘and’ to determine how the application handles the modification. Some dynamic variables can appear as part of the standard file path, if changing these values results in an application error it is likely that modified value is being processed as a variable by the application.
    Review the source code to look for comments that suggest the presence of a CMS. If a CMS is identified, attempt to obtain a copy and review its functionality.

    In the majority of cases query string parameter value pairs are obvious at first glance. By browsing the application and applying some common sense logic you should be able to identify where dynamic/user supplied parameters are being passed to the application.

  • POST Parameters

    POST parameters are typically generated when forms are submitted by the user. However several other components will frequently POST data to the server such as Ajax JavaScript components and Shockwave flash files.

    Standard POST (a.k.a Form) parameters are structured in the same was as in Query Strings with each parameter value pair separated with an ampersand delimiter. The following POST Request illustrates the submitting of two parameters “username” and “password” with the values “jill” and “hacker123” respectively:

    POST /process_login2.asp HTTP/1.1
Accept: * / *
Accept-Encoding: gzip, deflate
Referer: http:/ /192.168.0.197/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: www.sec-1.com
Content-Length: 32
Cookie: ASP.NET_SessionId=xxxxx

username=jill&password=hacker123

    As with query strings the above example is typical but several variables exist. The following are the most common:

    Multipart Post

    Multipart POST is used when binary data such as the contents of a file or online HTML editor are required. Multipost forms can be implemented by including ENCTYPE=”multipart/form-data” within the form specification.

    Example:

    <FORM METHOD=”POST” ENCTYPE=”multipart/form-data” ACTION=”upload1.asp”>

    Each parameter within a multipart post is separated using a randomly generated boundary value. The generated boundary is specified within the Content-Type request header as illustrated in the following example:

    POST /admin/upload1.asp HTTP/1.1
Accept: * / *
Accept-Language: en-gb
Content-Type: multipart/form-data; boundary=7d84212124065c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Proxy-Connection: Keep-Alive
Host: 192.168.0.197
Pragma: no-cache
Cookie: ASPSESSIONIDCSDRRRAC=xxxx
Content-Length:429
---------------------7d84212124065c
Content-Disposition: form-date; name=”FILE!”; filename=”C:\thefile.txt”
Content-Type: text/plain

I am the file contents

-----------------------7d84212124065c
Content-Disposition: form-data; name=”saveto’

disk

---------------------7d84212124065c

    Within each boundary the first line defines the “Content-Disposition” MIME header along with the name and any additional parameter properties. For file uploads a Content-Type header specific to that boundary is included before the file data. The parameter values can be found within the body of the boundary following a mandatory blank line. For example the parameter “saveto” has a value of “disk” in the above example.

  • SOAP / XML RPC Post

    SOAP and XML-RPC provide a standardized platform-independent method of calling an application’s functions remotely. For example, Google provides an Application Programming Interface (API) accessible via XML-RPC to perform Google searches and access additional functionality. The primary benefit of such an interface is that it allows developers to share or export functionality across any platform and programming language. Both interfaces pass parameters by placing data within open and close tags;

    SOAP <m:parameter_name>value</m:parameter_name>
    XML-RPC <m:parameter_name>value</m:parameter_name>

    SOAP Request

    POST /Instock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version=”1.0”>
<soap:Envelope
xmlns:soap=http://www.w3.org/2001/12/soap-envelope
soap:encodingStyle=’ http://www.w3.org/2001/12/soap-encoding”>
<soap:Bodyxmlns:m=http://www.example.org/stock>
    <m:GetStockPrice>
<m:StockName>IBM</m:StockName>
    </m:GetStockPrice>
</soap:Body>
</soap:Envelope>

    XML-RPC Request

    POST /RPC2 HTTP/1.0
User-Agent: Frontier/5.1.2 (WinNT)
Host: betty.userland.com
Content-Type: text/xml
Content-length: 181

<?xml version=”1.0”?>
<methodCall>
<methodName>examples.getStateName</methodName>
<params>
<value><i4>41</i4></value>
</param>
</params>
</methodCall>

    Referred to as SOAP envelopes or XML Elements

  • Cookies

    Cookies are typically implemented to store client specific data and to identify individual users of an application (see HTTP sessions). Cookies are set via the “Set-Cookie” server response header; the client browser reads the value and resubmits it with each subsequent request.

    The following optional parameters define how are used by the client browser:

    Parameter Description
    Path Defines the path for which the cookie is valid
    Domain Specifies the domain for which the cookie is valid. The specified domain must be the same or a parent of the domain from which the cookie is issued
    Secure The cookie should only be submitted over secure HTTPS connections
    Expires Defines an expiry date for the cookie. If this value is not set the cookie is maintained for the current browser session only.
    HttpOnly This parameter prevents the cookie from being accessed by client side scripts such as the JavaScript document.cookie method. The HttpOnly method was implemented to help prevent session stealing via Cross Site Scripting attacks. Unfortunately not all browsers support this option.

    Example Server Response including the “Set-Cookie” Header

    HTTP/1.1 200 OK
Date: Tue, 06 May 2008 10:48:42 GMT
Server: Mongrel 1.1.1
Status: 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 3737
Set-Cookie: sessionid=xxx; path=/
Connection: close

    Example subsequent request including application set cookie:

    GET / HTTP/1.1
Accept: * / *
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Host: www.domain_name.com
Proxy-Connection: Keep-Alive
Cookie: sessionid=xxxxxx

  • HTTP Sessions /State

    HTTP is a stateless protocol. The standard operation of the HTTP protocol is that the client sends a HTTP request, receives a response then closes the connection. This process is performed for each requested resource and may occur several times to load each page (e.g. when linked resources such as images are required). This method of operation does not scale well when user specific content is required such as a user profile or shopping basket.

    HTTP Sessions provide a solution to this problem by assigning a unique identifier to each application user which is stored as a cookie by the browser. This unique identifier or “session ID” is resubmitted by the client for the duration of the browser session or until the “Expires” cookie value is reached. The web application can then use the session ID value to store complex server side data structures bound to each session ID.

    Most application frameworks such as The Java Platform and ASP .NET handle session ID allocation automatically and provide the developer with access to server side variables in which to store session specific data.

    Session IDs are often used to identify each user and authorize access to resources following an authentication process. There are a number of potential security pitfalls to be aware of when working with sessions. Session ID security is covered in detail later.

  • Encoding Schemes

    HTTP is a plain text protocol, in order to support special characters and binary a number of encoding standards were introduced.

    When attacking an application it is often necessary to encode your input to match the encoding scheme used by the application. In some cases it is possible to attack an application by encoding data in a certain way to bypass input validation filters or to manipulate the function that accepts the data.

    URL Encoding

    URLs and Form Post strings are permitted to include printable characters as defined by the US-ASCII standard (within the range 0x20-0x7e). Characters that have a special meaning or characters that are outside of the printable range must be encoded.

    Special characters are defined as characters that have a special meaning within a URL or Form POST string, for example the ‘&’ character is used as a delimiter between parameters, therefore if you want to use this character as data it must be encoded. URL encoding operates by taking the decimal ASCII character code and prefixes it with a % symbol.

    For example to have a value of fish&chips passed to the parameter food the following encoded string could be used;

    http://www.sec-1.com/eat.asp?food=fish%26chips

    The character ‘&’ has been encoded as %26 to ensure the application receives the value fish&chips and does not interpret ‘&’ as meaning ‘next parameter’.

    URL characters such as &, ? and = should be used un-encoded when their special meaning is intended.

    The following characters should be encoded when injected into a URL or POST string as data.

    Character URL Encoded Version
    = %3d
    % %25
    space %20 (an unencoded + symbol can also be used)
    & %26
    ‘ %27
    “ %22
    # %23
    ? %3f
    ; %3b
    + %2b
    New Line %0a
    Carriage Return %0d
    Null Byte %00
    `(Back Tick) %60

    The following Perl script can be used to display the encoded version for each character entered at the keyboard. For complete listing see 🔗 http://www.asciitable.com/

    # Perl script to encode URL characters
print “Enter string to encode:”;
$qstring = <STDIN>;chomp $qstring;
      $out = encode_http($qstring);
print $out
sub encode_http{
       @subvar=@_;
      my $sqlstr = $subvar[0];
      @ASCII = unpack(“C*”,$sqlstr);
       foreach $line (@ASCII){
            $encoded = sprint(‘%1x’’$line);
            $encoded_command .= “$encoded”;
      }
return $encoded_command;
}

    HTML Encoding

    HTML encoding is used to convert HTML special characters to a safe equivalent that can be displayed without interfering with HTML structure. There are two primary types of HTML encoding, the first uses an ampersand followed by an alias for the character terminated with a semicolon. A second method exists using the following format " where 34 is the character code in decimal.

    All characters can be encoded using either scheme; however the following characters are usually encoded to prevent data written to a HTML page from interfering with the structure:

    Character HTML Encoding HTML Encoding Decimal
    " &quot; &#34;
    ' &apos; &#39;
    & &#amp; &#38;
    > &#gt; &#62;
    < &#lt; &#60;

    HTML encoding is frequently implemented to prevent Cross Site Scripting Attacks. This is covered in a section of the course dedicated to cross site scripting.

    Unicode Encoding

    Unicode encoding is implemented to support a wide range of character types from all languages that may fall outside of the 1 byte = 1 character that we typically use in the west (Basic Latin).

    💡 From Wikipedia

    You are likely to encounter this type of encoding when characters such as obscure mathematical symbols or characters from non-Latin based languages are entered as data to an application. Malicious hackers are interested in Unicode encoding because it can be used to bypass input validation filters. The following table lists common characters and their Unicode equivalents;

    Common Special Characters

    Character Unicode Encoding Character Unicode Encoding
    / %u2215
    %u2044
    %uff0f    		 ( %uff08
    %u0028
    \ %u2215
    %uff3c    		 ) %uff09
    %u0029
    ' %u0027
    %u02b9
    %u02bc
    %u02C8
    %u2032
    %uff07    		 , (Comma) %uff0c
    %u002c
    " %u0022
    %uff02    		 % %u0025
    %uff05

    Alpha Numeric (Aa-Zz 0-9) Characters

    Character Unicode Encoding Character Unicode Encoding
    a / A %uff41 / %uff21 s / S %uff53 / %uff33

    Base64 Encoding

    Base64 encoding allows any binary data to be represented as printable ASCII text using the following character set:

    AB-YZab-yz-12-9+/=

    Base64 encoding is commonly used for encoding email attachments to allow them to be delivered safely using SMTP protocol. It is also used to encode authentication credentials for transmission over HTTP.

    Base64 encoding processes data in chunks of 3 bytes. If the length of the data to be encoded is not divisible by 3 the resulting base64 encoded string is padded using ‘=’ symbols.

    X
    In computing, UTF-16 (16-bit Unicode Transformation Format) is a variable-length character encoding for Unicode, capable of encoding the entire Unicode repertoire. The encoding form maps code points (characters) into a sequence of 16-bit words, called code units. For characters in the Basic Multilingual Plane (BMP) the resulting encoding is a single 16-bit word. For characters in the other planes, the encoding will result in a pair of 16-bit words, together called a surrogate pair. All possible code points from U+0000 through U+10FFFF, except for this surrogate code points U+D800-U+DFFF (which are not characters) are uniquely mapped by UTF-16 regardless of the code point’s current or future character assignment or sue.

  • HTTP Authentication

    The majority of web applications implement an application integrated authentication system based upon HTML forms instead of native HTTP authentication schemes. By implementing the authentication system at application level the developer can easily make use of session handling and database integration components provided by the framework. As an addition benefit, form based authentication systems are compatible with all browsers including those found on portable devices.

    Authentication Description
    Basic Basic authentication is a simple authentication scheme that transmits base 64 encoded credentials within a HTTP request header. Credentials are sent in each subsequent request to the application

    Base64 encoded credentials can easily be decoded if captured in plain text. It is possible to use Basic authentication securely if implemented via SSL.
    Digest Digest authentication operates using a challenge response mechanism based upon the MD5 hashing algorithm. Digest authentication is intended to obsolete basic authentication as a more secure alternative. It is still possible to crack Digest authentication via brute force and dictionary attack methods and therefore it is recommended that digest be used via SSL where possible

    Reference
    🔗 Digest access authentication
    NTLM NTLM authentication is based on the Microsoft Windows authentication mechanism. NTLM is also based on challenge response and is more secure than Basic Authentication.
    Form Based Form based authentication is by far the most popular form of authentication in use on the internet. There is no written standard for form authentication however most systems are based upon username and password and are submitted via HTML form over a HTTPS (SSL) connection.

    Form based authentication is typically designed by application developers. A key benefit of this form of authentication is that the advanced features such as Captcha challenge response and multistage authentication systems can be implemented.
School of Computing, Engineering and Built Environment