Friday, March 2, 2018

Tweaking Android - Boost

“When you modify a certain piece of hardware for better performance, it is often referred to as "tweaking" it. Overclocking the computer's CPU or changing jumper settings on the motherboard are common examples of hardware tweaking. Removing system limitations and adding plug-ins or extensions to a computer's operating system are types of software tweaking.”

Before learning hacking, let’s make sure that your device is responsive and free from lag. To do this, you need to tweak your device. This tutorial is for non-rooted devices. First things first, let’s ask: what causes Android to lag? “Your Android phone was probably fast when you first bought it, right? Then over time it began running more slowly. This is a common problem and nothing to worry about.” -Scott Adam Gordon (www.androidpit.com). There are common reasons why your device lags: it can be caused by an app, by too many applications running in the background, and/or by the system itself.

HOW TO FIX

Method 1: Uninstalling, Stopping, and/or Freezing Applications 

  •  You need to sacrifice your apps to gain speedy performance for your device. If you have the Facebook app or Facebook Messenger installed, you need to say goodbye to them (unless you’re not ready to move on...). 
  •  If you don’t want to uninstall applications, you might consider stopping them from running in the background. To do this, go to Settings > Apps, choose an app and tap “Force stop”. 
  •  Freezing (disabling) applications can be useful for a system app you don’t use often. Go to Settings > Apps > System Apps, select an app and tap Disable. NOTE: Some system apps cannot be disabled, because disabling them could brick your device. These methods are completely safe to do.  
Method 2: Disabling animations

Disabling animations could help your device run faster. To do this, you need to enable Developer options. On Android 4.2 and higher, you enable this screen as follows:

  •  Open the Settings app.
  •  (Only on Android 8.0 or higher) Select System.
  •  Scroll to the bottom and select About phone.
  •  Scroll to the bottom and tap Build number 7 times.
  •  Return to the previous screen to find Developer options near the bottom.
Note: If your device runs a version lower than 4.2, search online for how to enable Developer options.

Method 3: Install these apps to boost device performance.
  •  Clean Master LITE – Helps you stop all app processes and cleans useless files; claimed to be the best booster on the Play Store. See for yourself. (https://play.google.com/store/apps/details?id=com.cmcm.lite)
  •  Greenify – Works on rooted and non-rooted devices. Force stops all applications in one tap! I suggest paying for the pro version; it hibernates all apps, including system apps. (https://play.google.com/store/apps/details?id=com.oasisfeng.greenify)
There you go! Your device should be faster now! If you still don’t feel any difference, don’t worry, this is not hacking yet. Later, we’re going to hack your device’s system.


Recover or Shred deleted files

Deleted files can still be recovered. As hackers, we might have saved important or confidential files on an Android device, and anyone could recover them; that would be fatal for us. Therefore, we might need to shred this data.

How to recover deleted files? 

First, we must know how to recover deleted files. There are a number of file recovery apps, but I use “GT File Recovery.” It is so user friendly that I don’t even need to explain how to use it! It only requires root access, and that’s it!

How to shred deleted files? 

Shredding a file means deleting it forever. For this tutorial, we will use Fshred. Download the app from the Play Store and open it. You will be asked which storage space you want to wipe/shred. Fshred creates a huge file to fill up the selected storage’s free space; once this happens, all deleted files become impossible to recover. NOTE: Fshred does not harm anything on your device; it does not delete any existing files. Just make sure that your device is fully charged before you start shredding.

Alternative Recovery apps

Source: Google Play Store
1. Disk Digger (Photo Recovery)
2. Photo Recovery
3. Deleted Photo Recovery
4. Dumpster (Photo & Video Recovery)
5. Memory card Recovery
6. GT Recovery
7. The Recovery app
8. Undeleter (This one is the most effective but the recovery features are paid)
9. GT Sms Recovery (Recover Text messages)

Fixing bootloop (soft brick) 


What is bootloop?

It is when your Android device is stuck at boot, a.k.a. the stuck-at-logo problem. This often happens when you have tampered with something in your device’s system files. In some cases, unrooted Android devices experience a bootloop because of a factory defect, but normally a bootloop happens only on rooted devices. Some people call this problem a soft brick, because the device is not totally bricked; it is half dead though…

What is the cause of Bootloop?

“Boot Loop Causes. The core problem found in a boot loop is a miscommunication that prevents the Android operating system from completing its launch. These can be caused by corrupt app files, faulty installs, viruses, malware and broken system files.”

How to fix? 


Warning: This tutorial may not be compatible with all Android devices. 
For this tutorial, we are going to use SP Flash Tool. SP Flash Tool is an application you could find very useful in fixing extreme cases of a bricked MTK Android device (e.g. Tecno, Gionee, Infinix, Opsson, Innjoo etc.), like the phone not coming on at all or not booting into recovery mode.

Requirements

Your Android smartphone should have at least 40-50 percent of battery to perform the flashing process.

Android Malwares – Ghost push

Malware is software or applications which you do not want installed. Malware brings viruses to your device and is also a threat to your security.

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed. The malware hogs all the system resources, making the phone unresponsive and draining the battery. Advertisements continually appear either as full or partial screen ads or in the status bar. Unwanted apps and malicious software are automatically downloaded and installed when connected to the internet. The malware is hard to detect.

It was discovered on September 18, 2015 by Cheetah Mobile's CM Security Research Lab. 

Further investigation of Ghost Push revealed more recent variants, which, unlike older ones, employ the following routines that make them harder to remove and detect: 

  •  encrypt its APK and shell code,
  •  run a malicious DEX file without notification,
  •  add a “guard code” to monitor its own processes,
  •  rename .APK (Android application package) files used to install the malicious apps,
  •  and launch the new activity as the payload.
Source: https://en.wikipedia.org/wiki/Ghost_Push

I am a victim of this malware too and it took me a week before I discovered the tool to remove this malware.

How is this part of hacking? 

This malware is created by hackers to steal the personal information on your device. Protecting yourself from these hackers is an important thing to learn. 

Let’s get started! 

If you think that you are infected, download and install “Stubborn Trojan Killer” by Cheetah Mobile from the Google Play Store. Run the app, then let it decide if you are infected or not and how to fix it. If Stubborn Trojan Killer prompts or asks for root permission, please grant it.

Unlimited Game Resources and The Lucky Patcher


Unlimited Game Resources

Are you an Android gamer? Have you ever thought of hacking your game’s resources? Do you want unlimited gold, gems, health, etc.? Well, for this tutorial, you’ll need to install the “Game Guardian” app. Unfortunately, Game Guardian is not available on the Google Play Store; this means you will have to download the APK file of this app online and install it.

Where to download GameGuardian

1. Open your fastest browser (Be sure to be connected to a Wi-Fi for faster download)
2. Go to https://gameguardian.net/download
3. Download the Game Guardian app then install.

How to use Game Guardian? 

NOTE: Game Guardian can only hack offline games. The best way to learn this hack is watching how it is done. YouTube link: https://www.youtube.com/watch?v=lbk9FDdIsAU
Some Android games are hard to hack; if that is your case, you might consider downloading a modified version of your game at https://www.apklover.net

The Lucky Patcher 


Almost every root user knows the power of Lucky Patcher. Lucky Patcher is an app that was developed by Chelpus. This app allows the user to block ads, uninstall system applications, install apps as system apps, modify applications, and best of all: get in-app purchases for free. Lucky Patcher was banned from the Play Store because, of course, it is a threat to Google’s business.

WARNING: Lucky Patcher is illegal. That’s why I like it!
Download and Install Lucky Patcher at https://lucky-patcher.en.uptodown.com/android
Then, you’re on your own.

  • The first and foremost feature of Lucky Patcher is its ability to remove all the advertisements from Android apps.
  • This tool also allows you to modify app permissions.
  • It also allows you to remove license verification from specified apps, which would otherwise make apps downloaded from sites other than the Google Play Store fail with “license verification failed”.
  • With the help of this tool, you can remove all the pre-installed apps on your Android device.
  • Both rooted and un-rooted devices can make use of all the features. You get a list of all your installed apps once you install and use Lucky Patcher.
  • It is very easy to use, and on a single screen you can control all the apps that are available on your device.

The Deep Web – TOR Network

“Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name "The Onion Router". Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". The intent for Tor's use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.”

Why Should I use TOR? 

Okay, there are some tutorials that I’m not including here because they are too seriously illegal in nature. If you connect to the TOR network and access the Deep Web, you’ll learn more, not just about Android hacking but about hacking itself.

Wait, what is Deep web anyway? 

The deep web is the part of the World Wide Web that is not indexed by traditional search engines. The Deep Web is only reachable through TOR; this means you cannot access the deep web with your regular internet connection.

How to connect to TOR and access Deep Web?

1. Install “Orbot” and “Orfox” from the Play Store.
2. Open Orbot then Tap on connect.
3. You can now enjoy Deep Web Content using Orfox Browser.

Note: It is possible to configure TOR to use root access to enable you to access the Deep Web using any browser.

Virtual Private Network (VPN)

FAIR WARNING: Virtual Private Networks or VPNs might be illegal in your country. Some countries, such as Turkey, China, and Iran, block Facebook, Twitter, and YouTube, and if you are in any of these countries you may not be able to access your favorite sites. The only way to unblock them is by using a VPN. For this tutorial I recommend using Easy VPN.

NOTE: Some VPN apps give free Internet access, but that is not what this tutorial is for. 

Easy VPN installed!

Open Easy VPN and choose the country of your choice, or press connect right away. The VPN will fake your device’s location. You can now enjoy your favorite apps and sites.

What is VPN and how does it work?
 Here’s the complete explanation: 
Source: https://gizmodo.com/5990192/vpns-what-they-do-how-they-work-and-whyyoure-dumb-for-not-using-one

For as ubiquitous as connectivity has become and how reliant we've grown on it, the Internet is still a digital jungle where hackers easily steal sensitive information from the ill-equipped and where the iron-fisted tactics of totalitarian regimes bent on controlling what their subjects can access are common. So instead of mucking around in public networks, just avoid them. Use a VPN instead. Between Wi-Fi spoofing, Honeypot attacks, and Fire sheep, public networks really are cesspools. But if you're working remotely and need to access sensitive data on your company's private servers, doing so from an unsecured public network like a coffee shop Wi-Fi hotspot could put that data, your company's business, and your job at stake.

VPNs, or Virtual Private Networks, allow users to securely access a private network and share data remotely through public networks. Much like a firewall protects your data on your computer, VPNs protect it online. And while a VPN is technically a WAN (Wide Area Network), the front end retains the same functionality, security, and appearance as it would on the private network. 

For this reason, VPNs are hugely popular with corporations as a means of securing sensitive data when connecting remote data centers. These networks are also becoming increasingly common among individual users—and not just torrenters. Because VPNs use a combination of dedicated connections and encryption protocols to generate virtual P2P connections, even if snoopers did manage to siphon off some of the transmitted data, they'd be unable to access it on account of the encryption. What's more, VPNs allow individuals to spoof their physical location—the user's actual IP address is replaced by VPN provider—allowing them to bypass content filters. So, you may live in Tehran but appear to live in Texas, enabling you to slip past the government filters and commit the treasonous act of watching a YouTube video. The horror.

Establishing one of these secure connections—say you want to log into your private corporate network remotely—is surprisingly easy. The user first connects to the public internet through an ISP, and then initiates a VPN connection with the company VPN server using client software. And that's it! The client software on the server establishes the secure connection, grants the remote user access to the internal network and—Bing, bang, boom—you're up to your elbows in TPS reports.

Many security protocols have been developed as VPNs, each offering differing levels of security and features. Among the more common are:

  •  IP security (IPsec): IPsec is often used to secure Internet communications and can operate in two modes. Transport mode only encrypts the data packet message itself while Tunneling mode encrypts the entire data packet. This protocol can also be used in tandem with other protocols to increase their combined level of security.
  •  Layer 2 Tunneling Protocol (L2TP)/IPsec: The L2TP and IPsec protocols combine their best individual features to create a highly secure VPN client. Since L2TP isn't capable of encryption, it instead generates the tunnel while the IPsec protocol handles encryption, channel security, and data integrity checks to ensure all of the packets have arrived and that the channel has not been compromised. 
  •  Secure Sockets Layer (SSL) and Transport Layer Security (TLS): SSL and TLS are used extensively in the security of online retailers and service providers. These protocols operate using a handshake method. As IBM explains, "An HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session." These parameters, typically digital certificates, are the means by which the two systems exchange encryption keys, authenticate the session, and create the secure connection. 
  •  Point-to-Point Tunneling Protocol (PPTP): PPTP is a ubiquitous VPN protocol used since the mid-1990s, can be installed on a huge variety of operating systems, and has been around since the days of Windows 95. But, like L2TP, PPTP doesn't do encryption; it simply tunnels and encapsulates the data packet. Instead, a secondary protocol such as GRE or TCP has to be used as well to handle the encryption. And while the level of security PPTP provides has been eclipsed by new methods, the protocol remains a strong one, albeit not the most secure.
  • Secure Shell (SSH): SSH creates both the VPN tunnel and the encryption that protects it. This allows users to transfer unsecured information by routing the traffic from remote fileservers through an encrypted channel. The data itself isn't encrypted but the channel it’s moving through is. SSH connections are created by the SSH client, which forwards traffic from a local port to one on the remote server. All data between the two ends of the tunnel flows through these specified ports.
These SSH tunnels are the primary means of subverting the government content filters described earlier. For example, if the filter prohibits access to TCP port 80, which handles HTTP, all user access to the Internet is cut off. However, by using SSH, the user can forward traffic from port 80 to another on the local machine which will still connect to the remote server's port 80. So as long as the remote server allows outgoing connections, the bypass will work. SSH also allows protocols that would otherwise be blocked by the firewall, say those for torrenting, to get past the wall by "wrapping" themselves in the skin of a protocol that the firewall does allow.


To actually create the VPN tunnel, the local machine needs to be running a VPN client. OpenVPN is a popular—and free—multi-platform application, as is LogMeIn Hamachi. Windows users also have the option of using the native OS VPN client.

So whether you're a cubicle monkey, file pirate, or just don't want The Man getting all grabby with your personal data, virtual private networks are the best means of securing traffic short of copying it to a flash drive and driving there yourself.


Web application Cross Site Scripting (XSS)

Even though cross-site scripting is more of a client- or user-based attack, we separate it into a dedicated part due to its importance and the variety of exploitation scenarios. We can differentiate three main categories of XSS attacks: 

  •  Echo or reflected attack: in this category the attack depends on the existence of a page meant to be a convenience, which becomes a vulnerability due to the full or partial reflection of the entered information as is. 
  •  Stored script attack: this category covers attacks based on the attacker being able to store content on the server side, without it being sanitized, that will be served to other users. 
  •  Document Object Model (DOM) attack: the attacker in this category depends on updating the Document Object Model of the page to cause a change on the page, not on the reflection of information through the server. 

Echo or reflection based XSS


Attack requirement:

A. The user accesses a site that contains a vulnerable page with echo
B. No sanitization is applied to the reflected input passed to that page

Attack process:

A. The attacker creates a link to the trusted site containing the vulnerable echo page, passing the JavaScript as a parameter.
B. The server sends the response containing the inserted script.
C. The client executes the JavaScript, which may display a special message, forward the user to a phishing site, or simply send back session information, which helps the attacker initiate session hijacking. 

Example:
A. The attacker creates an email containing a link as follows: 

<a href="http://theTrustedVulnerableSite.com/echoPage.php?message=">Visit page</a>

B. The echo page will generate the page containing the script; the script will be executed and show the alert. In a real-life example the payload can be a script that automatically sends session cookie information to the attacker. 
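As an added example (my code, not from this post or the site it describes), here is the echo page in Python rendered two ways: one version pastes the message parameter straight into the HTML, the other HTML-escapes it first so the browser treats it as text. The function names, the crafted link and the harmless alert payload are constructed for the example; the check at the end is the kind of thing a defender can run over rendered output.

```python
# Added example (not from the original post): a minimal echo page rendered unsafely and
# safely, to show what reflecting an unescaped parameter does and how escaping fixes it.
# Function names, the link and the alert payload are hypothetical/constructed.
import html
from urllib.parse import urlparse, parse_qs


def render_echo_unsafe(message: str) -> str:
    """Vulnerable echo page: the user-controlled value is inserted into the HTML as is."""
    return f"<html><body><p>Your message: {message}</p></body></html>"


def render_echo_safe(message: str) -> str:
    """Fixed echo page: the value is HTML-escaped, so markup in it is shown, not executed."""
    return f"<html><body><p>Your message: {html.escape(message, quote=True)}</p></body></html>"


def message_from_link(link: str) -> str:
    """Extract the 'message' query parameter the way the echo page would receive it."""
    params = parse_qs(urlparse(link).query)
    return params.get("message", [""])[0]


def contains_active_script(page_html: str) -> bool:
    """Crude output check: does the rendered page contain a live <script> tag?"""
    return "<script" in page_html.lower()


# Constructed sample link: the parameter carries a harmless alert payload.
CRAFTED_LINK = "http://theTrustedVulnerableSite.com/echoPage.php?message=<script>alert(1)</script>"

if __name__ == "__main__":
    msg = message_from_link(CRAFTED_LINK)
    print("unsafe:", render_echo_unsafe(msg))
    print("safe:  ", render_echo_safe(msg))
```

The escaped version turns `<script>` into `&lt;script&gt;`, so the alert never runs; contextual escaping (HTML body here, different rules for attributes or JavaScript) is the fix for the whole reflected category.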

Attack Execution-Business Logic

Attacking business logic is one of the methods used to compromise a web application. Discovering a logical flaw is a hard task, because this kind of flaw does not have a specific signature like other types of vulnerabilities, and it can be totally different from one application to another; still, an attacker can try a set of possible flaws that might exist in the probed application.

1- Encrypt and disclose the key: using the same encryption for two pieces of information, one visible and the other not. An example might appear in the (remember me) functionality, where the developer uses the same encryption key for a cookie containing session ID information and for what is called the screen name (the user name shown on screen). 
The main problem in the logic is that the attacker can tamper with and replay what is encrypted and protected. This is not a problem of weak encryption but of using the same key with a value that is visible (the screen name), which makes it easy for the attacker to predict the key used and unlock the encryption of the session ID information.   

2- Overloading dual privileges: implementing an overloaded method for password change for administrators and normal users, selected depending on the existence of the (old password) parameter, which gives the attacker the ability to use an invalid parameter list to be routed to the administrator’s version.

3- Multistage manipulation: sometimes the developer makes the bad assumption that the user will follow all steps of a multistage task in the right sequence, but this is not always the case, as an attacker can manipulate the client to avoid passing through a specific stage, which can sometimes cause great damage. An example of this attack is manipulating a sequence parameter that holds the current stage of a multistage purchase task in order to purchase digital content without passing through the payment phase. 

4- Overlapped checks: another case is where the business logic does not consider out-of-band inputs for all methods related to the same input. An example is a banking web application containing a transfer method dedicated to doing the transfer and a pre-check method to restrict transfers of amounts higher than (10,000$) and route such transfers for approval by a senior manager. The pre-check method only checks for a number higher than 10,000$, so the flaw is that even a negative number will pass that test, and the negative value goes directly to the transfer method, which takes the absolute value of the number; so if somebody tries to transfer (-900,0000$) the transfer will be authorized with no senior manager review. 
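As an added example (my code, not from the post), here is the overlapped-checks flaw as two small functions: the pre-check exactly as described (only amounts above the threshold need approval) and a transfer method that takes the absolute value, followed by a corrected pre-check that rejects non-positive amounts before the threshold comparison. Function names, the 10,000 threshold, account names and balances are constructed for the example.

```python
# Added example (not from the original post): the banking pre-check/transfer pair from the
# text, with the flawed pre-check and a corrected one side by side. Names, threshold and
# balances are hypothetical/constructed.
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("10000")


def precheck_vulnerable(amount: Decimal) -> str:
    """Flawed pre-check: only 'greater than threshold' is tested, so a negative amount
    is treated as a small transfer and is never routed to a manager."""
    if amount > APPROVAL_THRESHOLD:
        return "needs_manager_approval"
    return "approved"


def precheck_fixed(amount: Decimal) -> str:
    """Corrected pre-check: the sign is validated first, so every value that reaches the
    threshold test is the value the transfer method will actually move."""
    if amount <= 0:
        return "rejected"
    if amount > APPROVAL_THRESHOLD:
        return "needs_manager_approval"
    return "approved"


def transfer(accounts: dict, src: str, dst: str, amount: Decimal) -> None:
    """Transfer method as the passage describes it: it silently uses the absolute value."""
    value = abs(amount)
    accounts[src] -= value
    accounts[dst] += value


def run_transfer(accounts: dict, src: str, dst: str, amount: Decimal, precheck) -> str:
    """Apply the given pre-check and transfer only on approval; return the decision."""
    decision = precheck(amount)
    if decision == "approved":
        transfer(accounts, src, dst, amount)
    return decision


if __name__ == "__main__":
    # Constructed balances: a -900000 request moves 900000 with the flawed check.
    accounts = {"alice": Decimal("1000000"), "mallory": Decimal("0")}
    print(run_transfer(accounts, "alice", "mallory", Decimal("-900000"), precheck_vulnerable), accounts)
    accounts = {"alice": Decimal("1000000"), "mallory": Decimal("0")}
    print(run_transfer(accounts, "alice", "mallory", Decimal("-900000"), precheck_fixed), accounts)
```

The general rule the fix illustrates: every method that consumes an input must agree on the same canonical form of it (here, a positive amount), or the check and the action are reasoning about different numbers.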

5- Bulk but for a while: a scenario where the attacker can benefit from a bulk-purchase discount and then purchase only one item is also a flaw, based on the assumption that the user will send the full list of purchased products after getting the discount. 

6- Forgotten escape: this attack is based on the assumption that a sanitization method is available and will neutralize all malicious characters that might cause a problem, but the developer forgot about the escape character itself. The escape does not represent a problem on its own, but escaping the escape disables the sanitization functionality. An example is an input like ( whatever \;ls ): in this case the sanitization turns the clean input into a poisoned one ( whatever \\;ls ), which reactivates the malicious effect of the semicolon. 
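As an added example (my code, not from the post), the forgotten-escape case in Python. A tiny command splitter stands in for the shell rule that a backslash makes the next character literal and an unescaped semicolon separates commands; the naive sanitizer doubles backslashes but forgets the semicolon, and you can watch the one-command input become two. The splitter, both sanitizers and the sample input are constructed for the example; the real fix is to never build a shell string from user input (pass an argument list to the subprocess instead), and the fixed sanitizer is there only to show that the escape character must be handled first.

```python
# Added example (not from the original post): the "forgotten escape" flaw. split_commands is a
# hypothetical stand-in for shell parsing; the sanitisers and sample input are constructed.


def split_commands(line: str) -> list:
    """Split a line on unescaped ';' where a backslash makes the next character literal."""
    commands, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch == ";":                     # unescaped separator: a new command starts
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    commands.append("".join(current).strip())
    return [c for c in commands if c]


def sanitize_forgotten_escape(value: str) -> str:
    """Flawed sanitiser: doubles backslashes but leaves the semicolon untouched, so the
    user's own '\\;' turns into a literal backslash followed by a LIVE separator."""
    return value.replace("\\", "\\\\")


def sanitize_fixed(value: str) -> str:
    """Escape the escape character first, then each metacharacter the interpreter knows."""
    out = value.replace("\\", "\\\\")
    for meta in ";|&":
        out = out.replace(meta, "\\" + meta)
    return out


SAMPLE_INPUT = "whatever \\;ls"   # constructed: the page's ( whatever \;ls ) example

if __name__ == "__main__":
    print("raw       :", split_commands(SAMPLE_INPUT))
    print("forgotten :", split_commands(sanitize_forgotten_escape(SAMPLE_INPUT)))
    print("fixed     :", split_commands(sanitize_fixed(SAMPLE_INPUT)))
```

The raw input parses as a single command containing a literal semicolon; after the flawed sanitizer it parses as two commands, the second being `ls`; after the fixed sanitizer it is back to one command.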

7- Defence+Defence=? : sometimes the intersection of two defense mechanisms can be used by the attacker to mount a successful attack. An example is the use of an extra single quotation mark to escape a single quotation mark as a defense mechanism against SQL injection, together with a truncation length limiter for input as a second mechanism to limit the amount of unexpected input. The flaw resides in the attacker using the second mechanism to break the first. 

If the user login query was:

Select * from users where username='user name' and password='password';

Now if the attacker provides a user name containing ( xxxxxxx….xxxx' ), where there are 127 x characters, and a password ( or 1=1-- ), the resulting query

Select * from users where username='xxxx..xxx'' and password=' or 1=1--';

will break the login functionality, as the extra quotation mark added by the first mechanism is truncated by the second.

8- Race condition: in the case of a race condition the vulnerability appears only for a short period of time; it is hard to detect and reproduce, but it can open a door widely if exploited. An example is a login function that mistakenly stores part of the session information as static information that is used as an identifier in other functionalities, so if two users use the login functionality at exactly the same time, there is a big chance that they can reach functionalities that use the static identifier. 
   
Authorization and Attack Execution-data stores

Authorization is the process of giving someone permission to do or have something; it defines how access is controlled in terms of what is accessed by whom. In authorization we can talk about three types of authority: 

1- Vertical authority: the level of access to a specific set of functionality for each type of user; an example is the difference in authority between an administrator and a normal user. 
2- Horizontal authority: this type of authority is about controlling access within the same functionality; for example, having the authority to access the web mail functionality does not mean the ability to access any email account. 
3- Contextual authority: this type of authority is related to the current application state, which can be explained from the perspective of a multistage process where the available functionalities are determined by the present state. 

Attacking those concentrates accordingly on breaking the access control using three methods: 
  •  Vertical privilege escalation: the focus of this method is to gain a higher level of access belonging to a more privileged type of user. 
  •  Horizontal privilege escalation: the attacker tries to compromise resources to which he is not entitled; for example, reading other people’s e-mail in a web mail application. 
  •  Business logic exploitation: tries to exploit a flaw in the application’s state machine to gain access to an important resource. For example, a user may be able to bypass the payment step in a shopping checkout sequence.  
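As an added example (my code, not from the post), here is one deny-by-default authorization check that enforces all three kinds of authority using the page's own scenarios: an admin-only function (vertical), a mailbox readable only by its owner (horizontal), and a checkout whose "complete" step can only be entered from "payment" (contextual). Roles, function names, users and stage names are constructed for the example.

```python
# Added example (not from the original post): vertical, horizontal and contextual checks in one
# authorize() function. Role table, function names, stages and users are hypothetical/constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ROLE_RANK = {"user": 1, "admin": 2}                       # vertical: who may call what
FUNCTION_MIN_ROLE = {"read_mailbox": "user", "delete_user": "admin", "checkout": "user"}
CHECKOUT_STAGES = ["cart", "payment", "complete"]         # contextual: the legal order


@dataclass
class Session:
    username: str
    role: str
    checkout_stage: str = "cart"   # kept server-side; never taken from a client parameter


def authorize(session: Session, function: str, resource_owner: Optional[str] = None,
              requested_stage: Optional[str] = None) -> Tuple[bool, str]:
    """Run the vertical, horizontal and contextual checks in turn; any failure denies."""
    # Vertical: the caller's role must reach the function's minimum role (unknown -> deny).
    min_role = FUNCTION_MIN_ROLE.get(function)
    if min_role is None or ROLE_RANK[session.role] < ROLE_RANK[min_role]:
        return False, "vertical"
    # Horizontal: a resource that has an owner is accessible only to that owner.
    if resource_owner is not None and resource_owner != session.username:
        return False, "horizontal"
    # Contextual: a stage may be entered only from the stage directly before it (or
    # re-entered), so the payment step cannot be skipped by naming a later stage.
    if requested_stage is not None:
        if requested_stage not in CHECKOUT_STAGES:
            return False, "contextual"
        current = CHECKOUT_STAGES.index(session.checkout_stage)
        wanted = CHECKOUT_STAGES.index(requested_stage)
        if wanted not in (current, current + 1):
            return False, "contextual"
    return True, "ok"


def advance_checkout(session: Session, requested_stage: str) -> bool:
    """Move the server-side checkout state only when the contextual check passes."""
    allowed, _ = authorize(session, "checkout", requested_stage=requested_stage)
    if allowed:
        session.checkout_stage = requested_stage
    return allowed


if __name__ == "__main__":
    bob = Session("bob", "user")
    print(authorize(bob, "delete_user"))                       # vertical denial
    print(authorize(bob, "read_mailbox", resource_owner="alice"))  # horizontal denial
    print(advance_checkout(bob, "complete"))                   # contextual denial
```

The point worth noticing is that the stage comes from the session object, which the server owns; an application that read the stage from a request parameter would have no contextual check at all, whatever this function did with it.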

Attack requirement: 

A. Different privileges for different users on functionalities 
B. Different privileges for different users on resources. 
C. The functionalities used by privileged users are in the same application that contains the configuration and monitoring of it 

Attack Process: 

A. Configure Burp as a proxy and disable interception, then browse all the application’s content within one user context. If the target is to test vertical access controls, a higher-privilege account should be used. 

B. Be sure to map all functionalities by checking Burp’s site map. 

C. Use the context menu to select the “compare site maps” feature. 

D. To select the second site map to be compared, you can either load this from a Burp state file or have Burp dynamically re-request the first site map in a new session context. 

E. To test horizontal access controls between users of the same type, you can simply load a state file you saved earlier, having mapped the application as a different user. For testing vertical access controls, it is preferable to re-request the high-privilege site map as a low-privileged user, because this ensures complete coverage of the relevant functionality.

F. To re-request the first site map in a different session, you need to configure Burp’s session-handling functionality with the details of the low-privilege user session (for example, by recording a login macro or providing a specific cookie to be used in requests).

G. It is necessary to define suitable scope rules to prevent Burp from requesting any logout function.

Data storage is one of the main components of most web applications; it contains the information about the key business functionalities in addition to user account information, which makes it a delicious meal for an attacker. Data stores have many types that rely on multiple technologies; they can be as simple as a plain text file or as sophisticated as a database management system like Oracle.

No matter what data stores are used, they can become vulnerable if the attacker finds a way to interface with the data store through the application functionalities, or is able to access it directly when remote data access is available. Injection is one of the common types of attack executed to compromise data stores; it generally depends on the nature of interpreted languages, characterized by parsing and executing instructions at run time. PHP, Perl, SQL and LDAP are well-known examples of interpreted languages used in web application development. 

The main idea that helps in compromising an interpreted language is being able to inject special characters or instructions that match the grammar of the language syntax. 

The following listing is a simple SQL statement that retrieves user records with a user name and password matching those entered in quotations. 

Select * from users where username = 'usrName' and password = 'pass'   

If the application that includes this statement is vulnerable to injection, because there is no sanitization of the entered values, the attacker will be able to enter the value ( admin'-- ) in the user name and any password to gain administrator account privileges, as the resulting code that is going to be executed by the interpreter is:

Select * from users where username = 'admin'--' and password = 'anyPass'   

The (--) is the special syntax that begins a comment in SQL, which means the interpreter will ignore everything after (--) and will retrieve the admin record.
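As an added example (my code, not from the post), both SQL injection cases on this page run against an in-memory SQLite database so the effect is observable: the admin'-- comment trick from this section against an unsanitized query, and the "Defence+Defence=?" case from the business logic section, where quote-doubling followed by truncation drops the added quote. The same two defences applied in the safe order, and a parameterized query, are shown as fixes. The users table, its rows and the 128-character limit are constructed for the example.

```python
# Added example (not from the original post): the admin'-- case and the escape-then-truncate
# case against SQLite, beside the corrected order and a parameterised query. The table,
# rows, column length and inputs are constructed.
import sqlite3

MAX_LEN = 128
QUERY = "SELECT username FROM users WHERE username='{u}' AND password='{p}'"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("bob", "bobpass")])
    return conn


def escape_quotes(value: str) -> str:
    """Defence one: double every single quote so it stays inside the SQL string literal."""
    return value.replace("'", "''")


def truncate(value: str) -> str:
    """Defence two: cap the input length."""
    return value[:MAX_LEN]


def login_raw(conn, username: str, password: str) -> list:
    """No sanitisation at all: admin'-- comments out the password check."""
    return [r[0] for r in conn.execute(QUERY.format(u=username, p=password))]


def login_escape_then_truncate(conn, username: str, password: str) -> list:
    """Flawed order: the truncation cuts off the quote that the escaping added."""
    u, p = truncate(escape_quotes(username)), truncate(escape_quotes(password))
    return [r[0] for r in conn.execute(QUERY.format(u=u, p=p))]


def login_truncate_then_escape(conn, username: str, password: str) -> list:
    """Same two defences in the safe order: the doubled quote always survives."""
    u, p = escape_quotes(truncate(username)), escape_quotes(truncate(password))
    return [r[0] for r in conn.execute(QUERY.format(u=u, p=p))]


def login_param(conn, username: str, password: str) -> list:
    """Fix: bound parameters keep the data out of the SQL text entirely."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [r[0] for r in conn.execute(sql, (username, password))]


# Constructed attacker inputs, exactly as the text describes them.
TRUNC_USER = "x" * 127 + "'"       # 127 x characters followed by one quote
TRUNC_PASS = " or 1=1--"
COMMENT_USER = "admin'--"

if __name__ == "__main__":
    db = make_db()
    print("raw, admin'--          :", login_raw(db, COMMENT_USER, "anyPass"))
    print("escape then truncate   :", login_escape_then_truncate(db, TRUNC_USER, TRUNC_PASS))
    print("truncate then escape   :", login_truncate_then_escape(db, TRUNC_USER, TRUNC_PASS))
    print("parameterised          :", login_param(db, TRUNC_USER, TRUNC_PASS))
```

With escaping first, the 127-x name becomes 129 characters ending in two quotes, and the truncation to 128 leaves exactly one, so the user name literal swallows `' AND password='` and the `or 1=1--` runs as SQL; truncating first leaves the doubled quote intact and the query returns nothing. The parameterized version returns nothing for either input because the driver never interpolates the values into the statement.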
 
Password management exploit

In many situations developers do not focus on protecting privileged pages as carefully as the main login page, so the mistakes that are covered for the main login page reappear in the change password, forgot password or remember me options.

Mistakes like allowing an unlimited number of false logins, providing different messages depending on whether the password is bad or valid, and checking the validity of the password before matching it with the new password. 

Another issue arises when dealing with forgotten passwords: a weak method might rely on challenge questions that are much easier to break, like a pet name or the mother’s first name, etc. Another source of danger, as mentioned, is the option of remembering the password, which may be implemented with a cookie-based approach through non-encrypted or weakly encrypted values that might allow the attacker to understand the identifier used and generate a similar one. 
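As an added example (my code, not from the post), here is a change-password handler that avoids the mistakes listed above: it locks the account after a fixed number of wrong current passwords, returns one identical message for an unknown user, a locked account and a wrong current password, and verifies the current password before it does anything with the new one. The in-memory store, the failure limit, the messages and the choice of salted PBKDF2 for the stored hash are my choices for the example, not the post's.

```python
# Added example (not from the original post): a change-password handler with lockout, uniform
# error messages and verify-before-change. Store, limit, messages and hash are constructed choices.
import hashlib
import hmac
import os

MAX_FAILURES = 5
GENERIC_ERROR = "password change failed"
CHANGED = "password changed"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """In-memory user store; a real one would persist the same four fields per user."""

    def __init__(self):
        self._users = {}   # username -> dict(salt, hash, failures, locked)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                 "failures": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        return self._users.get(username, {}).get("locked", False)

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

    def change_password(self, username: str, current: str, new: str) -> str:
        rec = self._users.get(username)
        # Unknown user and locked account get the same answer as a wrong password, so the
        # endpoint reveals neither which accounts exist nor which are locked.
        if rec is None or rec["locked"]:
            return GENERIC_ERROR
        if not self.verify(username, current):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked"] = True
            return GENERIC_ERROR
        # Only a verified current password reaches the new-password step.
        rec["failures"] = 0
        rec["salt"] = os.urandom(16)
        rec["hash"] = hash_password(new, rec["salt"])
        return CHANGED


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "old-pass")
    print(store.change_password("alice", "wrong", "new-pass"))     # generic error
    print(store.change_password("alice", "old-pass", "new-pass"))  # password changed
```

Note that the lockout counter is attached to the account, not the client, so it also covers the forgot-password and remember-me paths if they call into the same store.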

Attack requirement: 

A. No or weak locking policy 
B. Verbose messages that distinguish failed and valid logins 
C. Password stored locally through a weak identifier 

Attack process: 

A. For the change-password and forgot-password functions the process is the same as the brute force process. 
B. For the remember-me option, check the cookies and any stored unencrypted or weakly encrypted value or identifier by capturing and examining the request sent after activating the remember me option, using a tool like Burp proxy. 
C. If the identifier can be easily generated, generate different identifiers and iteratively check whether they allow compromising other accounts, using Burp to do so.  

Impersonation Functionality


In many cases an application implements impersonation functionality so that a privileged person in the organization can control a user account. An example is a bank customer account and an account supervisor, where the supervisor has the privilege to access the customer's account and execute tasks on the customer's behalf. The main issue with impersonation is that the functionality is treated as a hidden feature with minimal access control, or as a back door that can be accessed through a simple password.

Attack requirement: 

A. The impersonation functionality is implemented as a back door or hidden functionality 
B. Minimal control over access to that functionality (vulnerable to brute force or a bad password)  

Attack process: 

Use the same process applied in the brute force attack or the bad password attack, depending on the case.

Other issues

Other password-related issues include vulnerabilities caused by inefficient handling of errors in the login process or in multistage login. Storing password values unencrypted can also represent a serious problem, which makes the use of MD5 or SHA-1 necessary to eliminate such a threat.

Web application Authentication methods

Authentication, as mentioned earlier, is the process or action of proving or showing something to be true, genuine, or valid. Authentication in web applications is done through different methods; the most common are:

  •  HTML form-based authentication: this is the most common method of authentication in a web application. The credentials used are mostly a user name and a password, but in critical applications extra credentials are sometimes required, such as a special PIN code or a key generated by a one-time password device. 
  •  Other methods depend on HTTP Basic or Digest authentication. HTTP Basic sends the credentials unencrypted, only base64-encoded, while the Digest method uses a hash function over the credentials and a nonce value from the server; this is why Basic HTTP authentication should be used only if the channel is secured with HTTPS. These methods are usually used on local networks rather than on the internet.
  •  Client SSL certificate, with or without a smart card, though this can represent a distribution problem. 
  •  Some applications use Windows-integrated authentication using NTLM or Kerberos, and authentication services like Windows Passport.  
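The difference between Basic and Digest in the second bullet, shown in code. This is an added example, not part of the original page: the user name, realm, nonce and URI are constructed values. Basic is decoded back to the credentials in one step; Digest (RFC 2617, MD5 without qop) sends only a hash bound to the server's nonce, and the server keeps HA1 rather than the password. Note that HA1 is password-equivalent and a captured Digest exchange can still be guessed against offline, so both schemes belong behind HTTPS.

```python
import base64
import hashlib
import hmac


def build_basic_header(username, password):
    """What the client sends for HTTP Basic: 'user:pass' base64-encoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header_value):
    """Recover both credentials from a Basic header. Base64 is an encoding,
    not encryption, so anyone who sees the header sees the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password); this is all the server needs to keep."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest (MD5, no qop): the password never leaves
    the client, only a hash tied to the server-chosen nonce and the request."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(username, realm, password)}:{nonce}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)
```

Because the nonce and the method/URI are part of the hash, a response captured for one request does not verify for a different nonce or a different request.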

Attack bad passwords

Not having password complexity enforcement can make attacking through the password very easy, as many passwords are predictable: a common dictionary word, an empty value, or the same value as the user name. Some users also tend to leave the default or preconfigured password, which makes the attack much easier.

Attack requirement:

 Weak or no password

Attack Process

a- Try empty and default values for the password.
b- Try common dictionary passwords.
c- If you own an account or can self-register, try short passwords and passwords resembling the user name to check whether they are permitted, which discloses the password rules. 

Brute force attack

Allowing the login process to be repeated without limit makes authentication vulnerable to brute force attack, which ends in breaking authentication at the speed with which a penetration system can iteratively try different possible passwords.

Attack requirement:

A. No check, or a client-side-only check, on the number of login failures.
B. Passwords that are not very strong.
C. If self-registration is available, it is better to create an account. 
 

Attack process: 

A. Before automating the attack, explore the locking policy manually, beginning by trying at least 10 bad password values on the same account, then checking any messages and whether the account is still accessible with the right password. 
B. If the account was locked, monitor any cookie to discover whether the locking is based on client-side information that you can manipulate. 
C. See if the system still allows you to log in with the right user name and password; if yes, you can keep guessing. 
D. Look for any difference in the response between a bad login and a successful one to rely on when starting the automated phase. The Burp Comparer tool provides a good way to do that.  
E. Use an automation tool to iteratively try different user names and passwords (Burp is an example). 
F. Monitor the results and collect the broken account information. 
G. Different messages can be a very good pointer as to whether you guessed only the user name wrong or both credentials. 

Intercepting messages from Flash, Java applets and Silverlight

Browser extension technologies permit the execution of code in a sandbox. They were originally used to provide simple improvements to the presentation of a web application, such as animations or vivid content, but with the flexibility and power these technologies provide, developers have used them to create full components and applications.

These components are used in web pages and need to interact using web protocols, so the exchanged information is transmitted over HTTP, usually as objects or complex structures. An attacker can intercept the messages exchanged with those extensions and rewrite them. 

The main target of the attack is to initiate attacks like SQL injection or buffer overflow, or to manipulate parameters for an application-related gain.

Attack requirement 

  •  The extension interacts with the server over HTTP.
  •  No special encryption is used to preserve message confidentiality. 

Attack process

1. Capture the request initiated by the page using a proxy like Burp.
2. Depending on the type of extension, use the right deciphering method to unpack the message sent.

  •  Java applets use Java serialization, which can be deciphered using a Burp plugin (JDSer).
  •  Flash normally uses AMF (Action Message Format), which Burp supports by default.
  •  Silverlight uses WCF (Windows Communication Foundation) and the SOAP NBFS message format, which can be deciphered using a plugin named WCF Binary SOAP Plug-In by labs@gdssecurity.com.

3. A special tab will show the object content sent in the encoded message.
4. Alter the message as required and forward the request.
5. Capture the response and view the decoded contents. 
  

Decompile Flash, Java applets and Silverlight

This attack depends on disclosing the business logic executed in a browser extension such as a Java applet, Flash or Silverlight component. Java applets and SWF files contain bytecode that can be decompiled to recover the original source through tools like JAD for Java applets, Flare for Flash and Telerik JustDecompiler for Silverlight XAP files (the software is available in the supplementary materials).

Attack requirement 

  •  Targeted functionality fully executed on the client side. 
  •  Low complexity of application bytecode. 

Attack process

1. Use Flare, JAD or the Telerik decompiler depending on the type of component. The result will be ActionScript source for Flare or Java source for JAD. 
2. Review the source to identify any attack points that will enable you to re-engineer the Flash object and bypass any controls implemented within it. 
3. Modify the decompiled source to change the behaviour of the applet, recompile it to bytecode, and modify the source code of the HTML page to load the modified applet in place of the original. 

Attack Execution – the client

1 Attack the client

If the mapping and analysis stages showed flaws on the client side, it is a good idea to begin there. The client (browser) is easily reachable by the attacker and can be compromised and manipulated to launch a full attack, or a partial attack that serves as a base for other types of attacks.
Because there are many types of possible client attacks, the following parts explain some possible attack execution scenarios on the client, with examples of each type.

2 Two types of attacks  

No matter what technologies are used in attacking the client side, all attacks fall into one of two main types: exploits and trickery. 
In exploit attacks, malicious code is executed on the client and its host because of a resident vulnerability, and the countermeasure is simply to remove that exploited vulnerability. Trickery attacks, on the other hand, rely on the behaviour of the human operator, who is seduced by an attractive message or offer into taking an action that discloses important information, grants access to the information, or lets the attacker install software that can later be used to extract data from the client machine.

3 Flash Cookies (LSO)


Flash uses what are called Flash cookies for client-side storage; each is a file with the extension (.lso). Being able to access and manipulate this file gives the ability to change the behaviour of the Flash object.

Attack requirement:
A. Being able to access the LSO file.
B. No validation of the data retrieved from the LSO files stored on the client. 

Attack process
A. Access the LSO file.
B. Use an LSO editor to change an unvalidated value that might give higher privileges.

Example: 
This example allows the attacker to get a higher discount rate on a purchase done through a Flash object.   

A. Locate the LSO file.
B. Use an LSO editor to change the discount value.
C. As soon as the Flash object retrieves the local storage from the .lso file, it applies the new discount rate if no validation is done by the server. 
Attack analyzing

Attack analyzing stage 


This stage uses the enumerated information to specify the attack surface and goes through a full feasibility study to decide whether the resources, including the information and time required to execute the attack, are at hand and serve the main purpose of the attack. 

Analyzing and understanding the meaning behind the collected information is essential to be able to move on to the execution stage. The main purposes of the analyzing stage are to:  
  •  Specify the attack surface: figure out the possible scenarios to execute the attack and compromise the application.
  •  Specify the feasibility of each scenario from a resource and time point of view. 


Attack analyzing – Specify attack surface 

With a lot of information at hand the attacker should know exactly where to begin; experience is essential at this level and can save a lot of time. The number of attack points can be very big, so the following is a good practical checklist from which to extract the list of attack scenarios:

  •  Client-side validation: a fast and good place to begin is determining whether input validation is done on the client, the server or both sides. An easy entry point might be client-side-only input validation.
  •  Search the collected information for any sign of possible SQL injection, database issues, a root database account, or any code or discovered comment that might give partial or full access to the database.
  •  Available upload or download functionality with a path traversal vulnerability, which gives the ability to use relative paths containing double dots ( ..\ ) to manipulate files or folders outside the root directory by manipulating the parameters. 
  •  Check for the ability to display user-supplied data (cross-site scripting), or the possibility of injecting or storing a cross-site scripting payload through file upload or open editors. 
  •  Check the ability to use unvalidated parameters passed to pages that perform redirects (unvalidated redirects and forwards, or dynamic redirects).
  •  Login issues and the possibility of a brute force attack: any hints found about passwords or comments about user names can be added to the attack dictionary, which might minimise the effort and time needed to break in. 
  •  Isolate available information that might help in escalating privileges, such as cookies and session state information. 
  •  Using the collected information, try to identify unencrypted communication channels. 
  •  Identify interfaces to external systems; they might represent an information leakage point.
  •  Analyse all generated error messages for information leakage. 
  •  Identify any pages that interact with a mail server, to try command or email injection. 
  •  Identify the usage of native code, which might be a potential vulnerability for buffer overflow.
  •  Identify any known structure, folder names or themes from known third-party applications, which can open the door to searching for known vulnerabilities.
  •  Identify common vulnerabilities in the web server in use.   
For web application security you can benefit from many available tools that help scan the application and give a good initial picture of the attack surface.
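The path traversal item in the checklist above, from the defending side: a download handler that resolves the requested name against a fixed root before touching the file system. This is an added example, not code from the original page; the root directory and the sample request values are constructed and the directory does not need to exist for the path arithmetic to work.

```python
import os

# Constructed root directory for the example (assumed path).
UPLOAD_ROOT = os.path.realpath("/srv/app/uploads")


def resolve_download(requested, root=UPLOAD_ROOT):
    """Map a user-supplied file name to an absolute path inside root, or return
    None. The decision is made on the fully resolved path, so '..', backslash
    separators and absolute paths are all rejected by one test."""
    if "\x00" in requested:
        return None                         # a NUL byte would truncate the path in C APIs
    # Treat backslashes as separators too, so '..\\..\\x' cannot pass unchanged
    # on a POSIX host only to be interpreted later by a Windows file share.
    normalised = requested.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, normalised))
    # commonpath also rejects sibling directories such as /srv/app/uploads-old,
    # which a plain startswith(root) check would wrongly accept.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit_requests(requests, root=UPLOAD_ROOT):
    """Classify a batch of requested names: resolved path inside root, or None."""
    return {name: resolve_download(name, root) for name in requests}


# Constructed sample of parameter values as they might arrive in download requests.
SAMPLE_REQUESTS = [
    "reports/2024.pdf",
    "../../config/app.ini",
    "..\\..\\config\\app.ini",
    "/absolute/elsewhere.txt",
    "notes.txt\x00.pdf",
    "../uploads/ok.txt",
    "../uploads-old/x",
]

if __name__ == "__main__":
    for name, resolved in audit_requests(SAMPLE_REQUESTS).items():
        print(repr(name), "->", resolved)
```

Note that `os.path.join` discards the root when the second argument is absolute, which is why the check is made on the joined-and-resolved result rather than on the input string.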

Attack analyzing – feasibility & priority 

At the end of this stage the attacker should have a list of possible attack scenarios with a priority for each attack type. The resulting priority is guided by the complexity, the purpose of the attack and any extra information needed. The attacker should create a list of possible attacks along with the estimated resources required, and then specify the priority.

Factors that affect prioritization can relate to the purpose or to the needed resources. The attacker can use a prioritization table resembling the following: 

The weights given to each factor might differ depending on the importance of each factor to the attacker, but a rough estimate can be generated by averaging the factors estimated as percentages. 

Other sources of public information

A lot of information that you can benefit from is publicly available about the functionality and content outside the website. This information can be reached through search engines and cached copies, posts on development forums, or web archives like the one at www.archive.org. To use search engines effectively, try the special search features such as the following, which can be used with Google:

site:www.theExploredSite returns all references indexed by Google.
site:www.theExploredSite login returns all pages containing "login".
link:www.theExploredSite returns all pages on other websites that link to that specific site.
related:www.theExploredSite returns similar web pages.

Another valuable source of information is special-purpose search engines that embed some intelligence dedicated to retrieving a specific type of information. Melissa Data can help you freely gather information on people associated with a target web application; this kind of information sometimes holds a higher level of importance to the attacker than technical information. Enriching the retrieved results with an open source tool like Maltego can be irresistible: Maltego helps visualise the relationships among people, organisations, web sites and Internet infrastructure, aids in information gathering, and can find affiliations between components within an organisation. Even with information as simple as a domain name or an IP address, it can query publicly available records to discover connections.   

Use web server vulnerabilities:

A lot of software frequently used on web servers is deployed with the default configuration, folder structure and file locations, which makes it a good place to dig for information. A brute force approach is also used to check for vulnerabilities in a known set of third-party applications and web server modules; an example of a good tool for that purpose is Wikto.

Mapping parameters:

Parameters can sometimes be mapped directly if they are sent through the query string, as in: http://myWebSite/addUser.php?name=sami&mobile=0987655441 . If the application uses rewritten URLs, with the parameters forming part of the slash-separated string, try changing or removing values and assess the generated response. For hidden parameters, guessing is the only way; an example is assessing the existence of a (debug) parameter that helps developers test pages and bypass the authentication process.  

Documenting your findings:


When trying to map and profile the application you will get a lot of information, especially if you are using multiple tools and approaches. Organising your results and deciding which are relevant is very important in order to be able to analyse that information later on. Matrices and charts can be very helpful.

Diagrams representing the web site are also essential to understanding the different functionalities. It is preferable to give different colours to static and dynamic pages, where static pages are those that do not involve any server-side executable content, like files with the html extension. Include in the diagram the structure of the web site with the available passed parameters. Other information that should be documented in addition to the page information is the directory structure, common file extensions, any content based on plugins like Flash, Silverlight or the Java virtual machine (applets), and common cookies, query strings and parameters.  

Attack Mapping – Information about Intermediaries

As part of mapping the infrastructure it is important to identify any intermediaries such as virtual servers, load balancers, proxies or firewalls, because the existence of such components in the target environment might call for a totally different attack approach.

The following examples explain the main practices used to identify such intermediaries:


Detecting load balancers:
- Surrounding IP scan
- Detecting unsynchronized time stamps
- Detecting different (Last-Modified or ETag) headers for the same resource
- Existence of unusual cookies
- Different SSL certificates

Detecting proxies:
- Using the TRACE command, which echoes the exact request, and detecting changes
- Standard CONNECT test
- Standard proxy request 

Mapping Application

To map the application's functionality, contents and workflow the attacker can use many methods and apply them through different tools.  

Mapping functionalities and contents: 

Web application crawling: 

Using special software that automates the generation of HTTP requests, the attacker can capture the returned results and recursively extract the included links, forms and even included client-side script, in order to build a skeleton of the web site's functionalities and contents. An example of a tool that helps spider a site is Burp Suite. The fully automated approach might not be the best solution for getting a good picture of the functionalities and contents of the application, because automated solutions might not be able to capture links included in complicated JavaScript or in compiled client code like Flash or Java applets. 

On the other hand, the multilevel input validation techniques used by modern applications prevent spidering applications from passing successive levels with randomly generated contents. Another issue relates to the URL-based seeding used by the spidering application, since the latter tends to remove repeated successive URLs to prevent an infinite loop, as when a single URL is used for multiple actions (http://myBank/manage.php), or, conversely, it becomes locked in with the same URL that uses a time stamp as a parameter.
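What a crawler actually gets from a page in the static pass described above, as an added example (not code from the original page or from Burp). The parser collects anchors, forms with their input names, and counts script blocks; the sample page is constructed, and its last link is only ever built by JavaScript, which is exactly the case the text says a spider cannot follow without executing the script.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class LinkFormExtractor(HTMLParser):
    """Collect what a spider can see without running code: hrefs, form actions
    with their input names, and the number of script blocks it could not follow."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self.scripts = 0
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {
                "action": urljoin(self.base_url, a.get("action", "")),
                "method": a.get("method", "get").upper(),
                "inputs": [],
            }
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
        elif tag == "script":
            # html.parser treats script bodies as raw text, so no tag written
            # inside them reaches handle_starttag: the link stays invisible.
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def extract(base_url, html):
    """Parse one page and return the statically discoverable links and forms."""
    parser = LinkFormExtractor(base_url)
    parser.feed(html)
    parser.close()
    return {"links": parser.links, "forms": parser.forms, "scripts": parser.scripts}


# Constructed sample page: one static link, one login form, one link that
# exists only after the script runs.
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit">
</form>
<script>document.write('<a href="/reports/summary">Reports</a>');</script>
</body></html>
"""

if __name__ == "__main__":
    print(extract("http://example.test/", SAMPLE_HTML))
```

The result lists /about and the /login form but not /reports/summary; a user-guided pass, as described in the next section, is what surfaces links like that one.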

User Guided spidering: 

An alternative (or complement) to automatic crawling is user-driven spidering, where the user manually explores the different application functionalities, including entering form information. 

In that type of spidering the software logs the user's input and the results returned by the explored application; the tool works as a proxy/spider that intercepts all requests and responses. In this approach the user can guarantee that the session is active and that all the entered information fulfils the expected human interaction rules.

Hidden content spidering: 

Accessing mainstream content usually does not provide a fast and tasty bite of information; accessing archived content, backups, test files, source files and comments gives a lot of information and maybe some easy-to-exploit vulnerabilities. This type of content can be discovered by inference from published content, or using a brute force approach that tests destinations based on a dictionary of common words such as common folder and service names. An example would be:  

If a published destination content were found on address like:
http://theSiteName.com/stable/en/about
It will be a good idea to test addresses like
http://theSiteName.com/archived/en/about
http://theSiteName.com/development/en/about
http://theSiteName.com/old/en/about 

As an example, adding robots.txt to your brute force dictionary might let you retrieve this file, if it exists, which provides a very good source of information, as the attacker might be able to map special folders or files depending on the indexing rules set in that file. If the file contains a (Disallow: /something) rule, this tells you for sure that (something) might contain sensitive content or refer to an administrative page that the administrator does not want indexed.