This document is a part of „Website Hacking in Practice” course.

Copyright by

http://www.
http://www. HackingSchool.com
Module 1

Introduction and environment

configuration

The internet and society

The internet has nowadays become essential in the lives of many people,
especially for young adults. More and more people use it for work and as an
outlet for entertainment, running errands and shopping. You may sometimes
hear “computer luddites” asking to “switch on” the internet, referring to their
web browsers. Don’t be surprised; the global network is most commonly
associated with the HTTP protocol and world wide web pages. Internet security
has become for many synonymous with website security. This is crucially
important because of the reason mentioned earlier: the internet is used for
conducting financial operations and transferring critical personal information.

Risks

On-line transactions have always incurred a degree of risk. In our case, this
risk is connected with computer criminals, a bunch who in most cases is wildly
different than the hackers depicted in Hollywood movies.

Most web attackers deal in sharing illegally-obtained personal data. Many

exploit the personal computers of unsuspecting users to create the so-called
botnets. They send spam and target web users for a variety of other unlawful
activities. Their actions are automatised and large scale.

The major threat however is not looming from big money businesses or
institutions, who probably have been taking expert care of their security. It is
18 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

far more probable that an average web user will become a target for theft while
shopping at an online retail store.

Beginning programmers

The internet boom has created a large demand for website developers. Often
seeing it as a chance for a quick cash-grab, many young people have responded
with creating tremendous amounts of frequently faulty code. While the age of
these programmers is not by any means the deciding factor, their lack of
experience is the source of problems. In many cases they have no knowledge of
programming languages other than their own and will experiment on their
customers. The customers, in turn, focus on the external features—the design
of the website and service functionality—rather than on the code itself. This
has led to further degradation in the quality and security of created scripts.
Fortunately, a gradual improvement may be observed lately: perhaps these
beginning programmers have finally gained experience.

In this course we will present and discuss the most common website security
holes, and show as a warning the ways in which they could be exploited by
attackers to launch a successful intrusion attempt. We will also give you some
easy-to-implement tips on how to prevent those attacks: in many cases all it
takes is to be mindful of potential vulnerabilities.

Intrusion process

Three stages may be identified in the process of computer intrusion. The first
is obtaining relevant information on the target. To do this, the attacker
attempts to discover what applications are used on the targeted server (web
server engine with modules, database server, also FTP, SSH and other
protocols). This process is made easier by the fact that website designers,
opting not to duplicate the work that has been done before by others, use
ready-made scripts, frameworks and applications. An attacker takes note of
each application and its version and checks them for existing security holes, for
example by searching the message board bugtraq
(http://www.securityfocus.com/archive/1) or http://nvd.nist.gov/.
 19

This is a reminder of why it is crucial to update applications as soon as newer

versions become available.

If a number of holes is found, the attacker will usually choose the most
convenient one (i.e., the vulnerability that will give him the most privilege and
is the easiest to exploit). The report found by an attacker should contain a
description of error and ways in which it may be taken advantage of, and—if it
exists and is disclosed—the source code of an exploit. Examples of errors
which may be found in server software are, among others, buffer overflow,
heap overflow, and format string. Search the web for more information
on error classes, or consult one of the many publications covering the subject.
A good example is the beginner’s course “Hacking School”.

If the software is updated regularly, the attacker may attempt to find a

vulnerability or error in the website code on his own. And thus we arrive at the
true core of this course, which will give you the gist on the majority of the most
common attack techniques and present you with the dos and don’ts of attack
prevention. Let’s get going.

Practice: video module transcript

Welcome to the course on web application attacks. Over the next modules we
will cover the most significant issues relating to common types of web
application susceptibility, and talk of the ways in which you may defend your
applications against attacks. The first module will focus on configuring the
computer environment so that it may be used for further presentations and
experiments.

Let’s start with the Xampp package. Its components include the Apache HTTP
server, a PHP interpreter, MySQL database server, a phpMyAdmin tool for
database management, and other tools for developing web applications. We
will use the Firefox web browser and find the Xampp package. You can see
here the Xampp website. Select the Windows installation version.
20 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

Install the package without changing the default settings.

 21

After the Xampp installation has been successfully completed, the control panel
will open. It serves as a tool to manage the individual components of the
package. We will pin it to taskbar to make it easily available for future
reference. None of the components is running, so we may safely modify our
configuration. The directory Modules has been copied to the desktop from the
disc attached to the course book (you may also download it here:
http://hackingschool.com/get-whp). It contains examples from the next
modules. We’ll also include applications needed to illustrate some of our
topics. We want it be accessible from browsers. Let’s open the directory of the
Xampp package. In apache\conf you will find the file httpd.conf, which
contains the configuration for Apache.

To support the editing of text files, install the free syntax-highlighting text
editor Notepad++. Its features include system shell integration which makes
possible the editing of files through selecting options from the context menu
for each file. The configuration file contains the section Directory. It
indicates to Apache the presence of a folder and sets access options for each
folder. We see here the definition for the htdocs directory that comes with the
xampp framework. We can copy the definition. Let’s now copy the full path to
Modules and paste it to the copied Directory definition.

Changing the slash convention is also necessary as the Apache package

supports and prefers the Linux convention even if it is launched on Windows.
22 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

We must now logically define the relationship between the path entered in a
browser and the defined directory. For this purpose, use the command Alias.
We can see the calling of the command. Let’s redirect Modules to the
security directory.

Now, let’s launch the Apache server and check its configuration. Next, start the
MySQL server.
 23

We can see that the security directory may be opened and accessed.

The default page for the Xampp framework is running.

Let’s now use phpMyAdmin. Add a test user with access to the local host. Set
the password to test and grant the user access to a database with the same
name. All the basic access privileges are granted to the user. Let’s also select the
24 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

option FILE. Normally, this should not be done, however for the purpose of
one of our demonstrations this is necessary.

The user has been added correctly. We must now import database dump,
which will create tables needed in the next modules and add sample data.
 25

Let’s now install the Havij Advanced SQL Injection Tool and create a
shortcut in the directory of module 20. Next, download the RIPS package for
testing PHP applications. Extract it to the directory of module 20.

We now need to download John the Ripper, a tool for cracking and
generating passwords. Extract the Windows version to the right folder.
26 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

Next, we download another universal brute force password testing software,

the application hydra. The software is released as source code which needs to
be extracted to a folder of the right module. To compile it, we need cygwin.
The package enables compiling and starting Linux applications under the
Windows system.

Use the default installation options.

 27

Select one of the servers containing copies of the Cygwin packages.

Take time to pick the right server. Not all servers are equally fast, and
installation time depends on the server.

The packages we need to install are:

gcc
28 MODULE 1.INTRODUCTION AND ENVIRONMENT CONFIGURATION

make
ssl libraries

Make sure all of them are selected and click next. The installation of the
cygwin package depends on our internet connection and hard disk. This may
last quite long so don’t be discouraged.

The package has been installed. Open terminal and go to the directory
containing the hydra source code. Launch the command configure so that
the installation script can check whether the necessary libraries have been
installed.

Next we may launch the command make which will perform the right
compilation. After the compilation, copy the binary file to the right directory.
Launch the Windows system terminal and make sure the application is
running.
 29

As we can see, the application needs several libraries that are components of
the cygwin package. They must be placed in the directory containing the
binary file of our application. The necessary libraries have been added and the
application is running correctly.

In this way, we have made the environment ready for work and other
experiments. Thanks for your attention and see you in module 2, which
discusses the data hiding method.