A Case Study in the Hacking of Web Applications
In this case study, Caleb Sima, a well-known application security expert, was engaged to hack a client’s web applications. This account of how a security risk was uncovered is a cautionary tale about protecting private information.
Mr. Sima was hired to perform a web application penetration test to assess the security of a well-known financial website. Equipped with nothing more than the URL of the main financial site, Mr. Sima set out to find what other sites existed for the organization and began by using Google to search for possibilities.
Mr. Sima initially ran an automated scan against the main servers to discover any low-hanging fruit. This scan provided information on the web server version and some other basic information but nothing that proved useful without further research. While Mr. Sima performed the scan, neither the IDS nor the firewall noticed any of his activity.
Then Mr. Sima issued a request to the server on the initial web page, which returned some interesting information. The web application appeared to be accepting many parameters, but as Mr. Sima continued to browse the site, he noticed that the parameters in the URL stayed the same.
Mr. Sima decided to delete all the parameters within the URL to see what information the server would return when queried. The server responded with an error message describing the type of application environment.
Next, Mr. Sima performed a Google search on the application that resulted in some detailed documentation. Mr. Sima found several articles and tech notes within this information that showed him how the application worked and what default files might exist. In fact, the server had several of these default files.
Mr. Sima used this information to probe the application further. He quickly discovered internal IP addresses and what services the application was offering. As soon as Mr. Sima knew exactly what version the administrator was running, he wanted to see what else he could find.
Mr. Sima continued to manipulate the URL from the application by adding & characters within the statement to control the custom script. This technique allowed him to capture all source code files. Mr. Sima noted some interesting filenames, including VerifyLogin.htm, ApplicationDetail.htm, CreditReport.htm, and ChangePassword.htm.
Then Mr. Sima tried to connect to each file by issuing a specially formatted URL to the server. The server returned a User not logged in message for each request and stated that the connection must be made from the intranet.
Mr. Sima knew where the files were located and was able to sniff the connection and determine that the ApplicationDetail.htm file set a cookie string. With little manipulation of the URL, Mr. Sima hit the jackpot. This file returned client information and credit cards when a new customer application was being processed. CreditReport.htm allowed Mr. Sima to view customer credit report status, fraud information, declined-application status, and other sensitive information.
The lesson: Hackers can use many types of information to break through web applications. The individual weaknesses in this case study were minor on their own, but when combined, they resulted in severe vulnerabilities.
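Two of the server-side failures in this case study are easy to show in code: an error page that names the application environment when parameters are deleted, and a sensitive page that accepts client-supplied state (a cookie or URL value) as proof of login or intranet origin. The following is an added illustration written for this edit, not code from the case study, from Mr. Sima, or from the client's application. The page names `ApplicationDetail.htm` and `CreditReport.htm` but says nothing about how their checks were implemented, so the cookie name `loggedin`, the `intranet` parameter, the `session` cookie, the `SESSIONS` store, the `10.0.0.0/8` intranet range, and the environment banner are all constructed assumptions.

```python
import ipaddress
import logging
import secrets

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("webapp")

# Constructed stand-in for a framework's environment banner; the real
# string disclosed in the case study is not given on the page.
APP_ENV = "ExampleAppServer/4.2 (constructed)"

# Constructed intranet range: the hardened gate checks the real peer
# address, not any claim carried in the URL or a cookie.
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical server-side session store: opaque token -> session data.
SESSIONS = {}

SENSITIVE_RECORD = "credit report for application 1001 (constructed)"


class Request:
    """Minimal constructed request: path, query parameters, cookies, peer IP."""

    def __init__(self, path, params=None, cookies=None, remote_addr="203.0.113.5"):
        self.path = path
        self.params = params or {}
        self.cookies = cookies or {}
        self.remote_addr = remote_addr


# --- 1. Error handling: what the client sees when every parameter is stripped

def detail_page_verbose(req):
    """Weak: a missing parameter triggers an error page that names the environment."""
    if "id" not in req.params:
        return 500, f"Error: missing parameter 'id' in {APP_ENV}"
    return 200, f"application {req.params['id']}"


def detail_page_hardened(req):
    """Hardened: generic error to the client, details only in the server log."""
    if "id" not in req.params:
        log.warning("missing 'id' from %s on %s", req.remote_addr, req.path)
        return 400, "Bad request"
    return 200, f"application {req.params['id']}"


# --- 2. Access control for a sensitive page

def credit_report_weak(req):
    """Weak: 'logged in' and 'on the intranet' are read from client-writable values."""
    if req.cookies.get("loggedin") == "1" or req.params.get("intranet") == "1":
        return 200, SENSITIVE_RECORD
    return 403, "User not logged in"


def login(username):
    """Create a server-side session; the returned opaque token is set as the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username}
    return token


def credit_report_hardened(req):
    """Hardened: the session must exist server-side and the peer must be on the intranet."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 403, "User not logged in"
    if ipaddress.ip_address(req.remote_addr) not in INTRANET:
        log.warning("session of %s used from outside the intranet (%s)",
                    session["user"], req.remote_addr)
        return 403, "Forbidden"
    return 200, SENSITIVE_RECORD


if __name__ == "__main__":
    stripped = Request("/ApplicationDetail.htm")  # all URL parameters deleted
    print(detail_page_verbose(stripped))
    print(detail_page_hardened(stripped))
    forged = Request("/CreditReport.htm", cookies={"loggedin": "1"})
    print(credit_report_weak(forged), credit_report_hardened(forged))
    token = login("analyst")
    print(credit_report_hardened(Request("/CreditReport.htm",
                                         cookies={"session": token},
                                         remote_addr="10.1.2.3")))
```

`remote_addr` must be the address of the TCP peer as seen by the server (or by a trusted reverse proxy), never a client-supplied header; and the hardened gate only establishes who is asking, so a per-record authorization check (may this user see application 1001?) still belongs after it.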
Caleb Sima was a charter member of the X-Force team at Internet Security Systems and was the first member of the penetration testing team. Mr. Sima went on to co-found SPI Dynamics (later acquired by HP) and become its CTO, as well as director of SPI Labs, the application-security research and development group within SPI Dynamics.