Continues from: How Sneaky can a Hacker be: Part 1-3
Invalid Web Links, Broken Web Links and Typos
In this section we take advantage of human error to uncover vulnerabilities or sensitive information on a web page. All of our activity is ordinary browsing that the website permits and logs as normal. We first want to check whether the website exposes directory listings (also called directory indexing or directory browsing), which let us view and open every directory, page and image the site hosts. On most websites you can right click an image that is not hyperlinked and open it in a new tab; only the image loads, and the address bar shows its URL. Remove one or two directories from the end of that URL and see what comes back. If directory listing is enabled you will get a list of the contents of that directory and of any subdirectories below it. Developers usually turn directory listing on while a website is being built and sometimes forget to disable it when they are done. Image paths can also be found by viewing the page's source code.
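The walk described above, as an added example that is not code from the original article: it takes the URL of an image, derives each parent directory URL up to the site root, and recognises the stock directory index pages of Apache, nginx and IIS. The marker strings are those servers' default listing pages (an assumption; a customised listing page may not match), and the responses in SAMPLE_SITE are constructed so the logic can run offline. Pointing find_listings() at a real image URL uses fetch(), which performs the actual GET.

```python
"""Check whether a website exposes directory listings above an image's URL.

This is an added example and not code from the original article. It derives
the parent directories of an image URL and recognises the stock directory
index pages of Apache, nginx and IIS. The marker strings are the defaults of
those servers (assumed; a customised listing page may not match). The sample
pages in SAMPLE_SITE are constructed for the demonstration so the logic can
run offline; fetch() does the real HTTP request when you point it at a site.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Signatures of stock directory listing pages.
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of /", re.I),          # Apache, nginx autoindex
    re.compile(r"<h1>\s*Index of /", re.I),             # Apache, nginx autoindex
    re.compile(r"Parent Directory</a>", re.I),          # Apache
    re.compile(r'<a href="\.\./">\.\./</a>', re.I),     # nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I),       # IIS directory browsing
    re.compile(r"<title>[^<]*- /[^<]*</title>", re.I),  # IIS: "<host> - /<dir>/"
]


def parent_urls(image_url):
    """Directory URLs above an image, nearest first, ending at the site root."""
    parts = urlsplit(image_url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and "." in segments[-1]:  # drop the file name itself
        segments = segments[:-1]
    urls = []
    for depth in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:depth]) + ("/" if depth else "")
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return urls


def looks_like_listing(status, body):
    """True when a 200 response body resembles a stock directory index page."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def fetch(url, timeout=10):
    """Plain GET with a browser-like User-Agent; returns (status, body)."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_listings(image_url, fetcher=fetch):
    """Walk up from the image and return every directory URL that is listable."""
    return [url for url in parent_urls(image_url)
            if looks_like_listing(*fetcher(url))]


# Constructed responses standing in for a site whose /site/img/ is listable.
SAMPLE_SITE = {
    "https://example.test/site/img/": (
        200, "<html><head><title>Index of /site/img</title></head>"
             "<body><h1>Index of /site/img</h1><a href='/site/'>Parent Directory</a>"
             "<a href='logo.png'>logo.png</a></body></html>"),
    "https://example.test/site/": (
        404, "<h1>Oops! The page you are looking for could not be found</h1>"),
    "https://example.test/": (
        200, "<html><body><h1>Welcome</h1></body></html>"),
}


def sample_exposure():
    """Run the walk against the constructed site instead of the network."""
    return find_listings("https://example.test/site/img/logo.png",
                         fetcher=lambda url: SAMPLE_SITE[url])


if __name__ == "__main__":
    for url in sample_exposure():
        print("directory listing exposed:", url)
```

Only a 200 response counts as a listing; a 403 on a directory URL means listing is disabled for that directory, which is the correctly configured case. Each request is an ordinary GET for a directory, which is exactly what a user who trimmed the address bar would send.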
Next we take advantage of the typos people make online. A typo in a website's URL may be an extra "/", a misspelled domain name, a missing dash or underscore, or extra words added to the path. A typo in a web address produces an error message telling the user they have made a mistake, and in many cases that error message also reveals information about the backend server hosting the website or web application.
Our goal is to trigger some of these error messages in a way that the website treats as a simple mistake or typo. Be careful when doing this, as some security devices will detect the activity. A request that contains characters a normal user would never type, such as quotes, semicolons or "../" sequences, is far more likely to be flagged by a web application firewall or intrusion detection system than a plainly misspelled path, so keep each typo looking like one a normal user would make.
The error messages we are looking for may disclose the following information:
• Web server platform used to host the website or web application
• Web server platform version installed on the server
• Operating system installed on the server
• Operating system version installed on the server
• Database platform currently hosted on the server
• Database platform version installed on the server
• Default user name and password
If a website or web application is set up correctly, these typos produce only a generic message such as "Oops! The page you are looking for could not be found". We are hoping it is not set up correctly and the error message gives us some of the information listed above. There is a saying that a picture is worth a thousand words, and these error pages disclose information even when little text is present: the look of an IIS error page alone is usually enough to tell which version of IIS is installed, and the Server response header often states it outright. IIS runs only on Windows, and each IIS version ships with a particular version of Windows. If we believe the IIS version is 8.0, the host operating system is Windows Server 2012; IIS 8.5 would mean Windows Server 2012 R2. Every web server platform has its own distinctive error page that discloses the platform and often the version.
If the website or web application has a database on the backend, some of these typos (an unbalanced quote, for example) may be passed into a database query and treated as part of a command even though that was never the intent. In that case you receive an error message from the database itself. Each database platform has a distinctive error format that makes it easy to identify. A database error typically includes some information about the statement it was trying to run, and if verbose error messages are enabled you will get a very detailed message, often containing the full query string. The database platform can also hint at the operating system on the host server, since some databases run only on particular platforms.
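The inference described in the two paragraphs above, as one added example that is not code from the original article: it reads an error response's headers and body, identifies the web server and version, maps an IIS version to the Windows Server release it ships with, pulls the distro out of an Apache signature line, and recognises the stock error strings of common database engines. The signature strings and the IIS-to-Windows table are the products' well-known defaults; the three responses in SAMPLES (a leaky IIS 404, a leaky Apache/MySQL 500 and a hardened 404) are constructed for the demonstration and were not captured from any real site.

```python
"""Fingerprint the web server, operating system and database from error pages.

This is an added example and not code from the original article. The server
and database signatures are the stock strings those products emit; the
IIS-to-Windows table lists the IIS version bundled with each Windows Server
release. The responses in SAMPLES are constructed for the demonstration and
were not captured from any real site.
"""
import re

# (platform, pattern capturing the version) searched in headers and body.
SERVER_SIGNATURES = [
    ("IIS", re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.I)),
    ("Apache", re.compile(r"Apache/(\d+\.\d+(?:\.\d+)?)", re.I)),
    ("nginx", re.compile(r"nginx/(\d+\.\d+(?:\.\d+)?)", re.I)),
]

# IIS is bundled with Windows, so the IIS version pins the OS release.
IIS_TO_WINDOWS = {
    "6.0": "Windows Server 2003",
    "7.0": "Windows Server 2008",
    "7.5": "Windows Server 2008 R2",
    "8.0": "Windows Server 2012",
    "8.5": "Windows Server 2012 R2",
    "10.0": "Windows Server 2016, 2019 or 2022",
}

# Distinctive database error strings (engine messages and driver class names).
DB_SIGNATURES = [
    ("MySQL/MariaDB", re.compile(
        r"You have an error in your SQL syntax|mysql_fetch_|MySQLSyntaxErrorException", re.I)),
    ("Microsoft SQL Server", re.compile(
        r"Unclosed quotation mark after the character string|Incorrect syntax near|SqlException", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b|oracle\.jdbc", re.I)),
    ("PostgreSQL", re.compile(r"PG::|syntax error at or near|org\.postgresql|psycopg2", re.I)),
    ("SQLite", re.compile(r"SQLite3::SQLException|sqlite3\.OperationalError", re.I)),
]


def fingerprint(status, headers, body):
    """Return what an error response gives away: server, version, OS hint, database."""
    found = {"status": status, "server": None, "version": None, "os": None, "database": None}
    haystack = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body

    for name, pattern in SERVER_SIGNATURES:
        match = pattern.search(haystack)
        if match:
            found["server"], found["version"] = name, match.group(1)
            break
    # IIS detailed error pages name the version in their title even when the
    # Server header has been stripped: "IIS 8.0 Detailed Error - 404.0 - Not Found".
    if found["server"] is None:
        match = re.search(r"IIS\s+(\d+\.\d+)\s+Detailed Error", body)
        if match:
            found["server"], found["version"] = "IIS", match.group(1)

    if found["server"] == "IIS":
        found["os"] = IIS_TO_WINDOWS.get(found["version"], "Windows (release unknown)")
    elif found["server"] == "Apache":
        # Apache's signature line carries the distro: "Apache/2.4.41 (Ubuntu)".
        match = re.search(r"Apache/[\d.]+ \(([^)]+)\)", haystack)
        if match:
            found["os"] = match.group(1)

    for name, pattern in DB_SIGNATURES:
        if pattern.search(body):
            found["database"] = name
            break
    return found


# Constructed responses: a leaky IIS 404, a leaky LAMP 500, and a hardened 404.
SAMPLES = {
    "iis_404": (404, {"Server": "Microsoft-IIS/8.0"},
                "<title>IIS 8.0 Detailed Error - 404.0 - Not Found</title>"),
    "apache_sql_500": (500, {"Server": "Apache/2.4.41 (Ubuntu)"},
                       "Warning: mysql_fetch_array(): You have an error in your SQL "
                       "syntax; check the manual ... near ''' at line 1"),
    "hardened_404": (404, {"Server": "webserver"},
                     "<h1>Oops! The page you are looking for could not be found</h1>"),
}


def fingerprint_samples():
    """Fingerprint every constructed sample; keyed by sample name."""
    return {name: fingerprint(*response) for name, response in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in fingerprint_samples().items():
        print(name, found)
```

The hardened sample is the target state for a defender: every field comes back None because the Server header is generic, the 404 body is a custom page, and no database text reaches the client. Running fingerprint() over your own site's error responses is a quick check that nothing on the list above leaks.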
The techniques in this article are examples of how an attacker can gather information about your company's network without you knowing it happened. If your website or web application is set up correctly (directory listing disabled, custom error pages that reveal nothing about the platform, and verbose database errors turned off), an attacker cannot use most of these tactics. Because the requests look like ordinary mistakes, these tactics are among the harder ones to monitor with any SIEM product, although a single address generating many 404s in quick succession is still worth an alert.
OUR SECURITY SERVICES INCLUDE:
- Risk Assessments
- Penetration Testing
- Web Application Testing
- Security Awareness Training
- Managed SIEM
- Managed Security Services (MSSP)
- Security Consulting