When applied to web apps, security misconfigurations cover a wide variety of issues that can lead to exploitation. The unifying factor is that some function of the web app is implemented incorrectly with regard to security, or implemented without any protection at all. Examples of improper configurations include:

  • Rolling your own encryption schemes instead of relying on industry standards.
  • Failing to remove content that no longer applies to the app and simply adds to its attack surface.
  • Failing to remove debugging controls after the app is pushed into production.
  • Exposing sensitive data to the client through unprotected files and folders.
  • Failing to patch vulnerable software modules.
  • Failing to set secure values in app frameworks, APIs, and other modules.
  • Processing sensitive data on the client side instead of on the server.
  • Failing to remove unused administrative or default accounts.

Security misconfigurations can enable multiple exploits. One such exploit is cookie manipulation, in which you modify a web cookie in some malicious way. For example, an e-commerce site might store the price of an item in the user's shopping cart in the cookie itself. You can change this price value in the cookie to something lower and then send a request back to the server with the modified cookie. The server might respond by actually lowering the price of the item to the value you set. This is why properly secured web apps typically store only a session identifier in the cookie and handle sensitive data processing (such as product price) entirely on the server side.
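To make the cookie-manipulation weakness concrete, here is an added Python example that is not part of the original text. It simulates a cart total computed the vulnerable way (price read from the client's cookie) beside the server-side approach the paragraph recommends (only a product identifier and quantity come from the client; the price is looked up in the server's own catalogue). It also shows a second, complementary control: an HMAC over the cookie value so that any client-side edit is detected. The catalogue, the hypothetical cookie fields (`price_cents`, `sku`, `qty`) and the signing key are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed sample catalogue (prices in integer cents to avoid float rounding).
# The server, not the cookie, is the only source of truth for prices.
CATALOG = {"sku-100": 4999, "sku-200": 1999}


def vulnerable_total(cookie: dict) -> int:
    """Misconfigured pattern: trusts the price stored in the client's cookie.
    A client that edits price_cents to 1 is charged 1 cent."""
    return int(cookie["price_cents"]) * int(cookie["qty"])


def hardened_total(cookie: dict):
    """Server-side pattern: only an identifier and a quantity come from the
    client; the price is looked up here. Returns None for any invalid cart."""
    sku = cookie.get("sku")
    if sku not in CATALOG:
        return None
    try:
        qty = int(cookie.get("qty", "0"))
    except ValueError:
        return None
    if qty < 1:
        return None
    return CATALOG[sku] * qty


# Constructed demo key; in a real deployment this would come from a secret store.
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can detect client-side edits."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag matches, otherwise None.
    The tag is hex, so the last '.' always separates value from tag."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return value


if __name__ == "__main__":
    tampered = {"price_cents": "1", "qty": "1"}      # constructed client edit
    print("vulnerable total:", vulnerable_total(tampered))
    print("hardened total:", hardened_total({"sku": "sku-100", "qty": "2"}))
    signed = sign_cookie("session=abc123")
    print("verify intact:", verify_cookie(signed))
    print("verify edited:", verify_cookie(signed.replace("abc123", "zzz999")))
```

The signed cookie only proves the value was not altered; it still does not make it safe to put the price there, because the server would then be bound to whatever price it signed earlier. Keeping the session identifier in the cookie and the price on the server is the primary fix; the HMAC is a defence in depth for whatever non-sensitive state the cookie still carries.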

Another exploit is called directory traversal, which is the practice of accessing a file from a location that the user is not authorized to access. You do this by inducing a web app to backtrack through the directory path so that the app reads or executes a file in a parent directory. The simplest example of directory traversal involves sending a ..\ or ../ sequence in a request to the application or API, which then traverses up one parent directory for each such sequence. Directory traversal is most effective when you are able to traverse all the way back to the root, at which point you can potentially execute any command or program in any folder on the computer. However, this only works if the application has been improperly configured so that it can reach such folders.

Encoding Directory Traversal Requests

Properly configured web servers filter out known untrusted input such as the directory traversal character sequences. The filter may sanitize the input in some way or simply block the request altogether. However, you may be able to bypass these filters by URL-encoding characters in your requests as hexadecimal byte values. For example, %2E is equivalent to . (period) and %2F is equivalent to / (slash). So, instead of navigating to http://site.example/../../Windows/system32/cmd.exe to access a command shell on a Windows server, you could encode the URL as follows:

http://site.example/%2E%2E%2F%2E%2E%2FWindows/system32/cmd.exe

You can even double-encode characters to get around filters that account only for a single layer of encoding. For example, you can encode the % symbol itself, which is %25 in hexadecimal. So, instead of %2E for a period, the double-encoded form is %252E. The full example then changes to the following:

http://site.example/%252E%252E%252F%252E%252E%252FWindows/system32/cmd.exe

Poison Null Byte

A null byte is a character with the value zero that C and many languages or runtimes built on it use to mark the end of a string. With a poison null byte, you use this terminator to exploit a web app that does not properly handle null bytes in user input. The URL-encoded representation of the poison null byte is %00. The poison null byte can support several different attacks, including directory traversal. For example, assume that the web app lets users retrieve any file in the /var/www directory that has a .php extension, and nothing else. Even if you can traverse the file system to break out of that directory, you may not be able to access a specific file if its name does not end in .php. The poison null byte, however, can get around this:

http://site.example/page.php?file=../../etc/passwd%00

When the app appends .php to the supplied value and hands the result to a lower-level file API that stops reading at the null byte, the appended extension is effectively dropped, and the passwd file is returned instead.
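The traversal, percent-encoding, double-encoding and null-byte cases above all fail against the same server-side discipline: decode completely, reject null bytes, resolve the path against the web root and only then check where it landed and whether its extension is allowed. The following is an added Python example, not code from the original text, showing that discipline for a hypothetical `file` request parameter restricted to .php files under /var/www (the web root and the sample requests are constructed). `classify` is the kind of check a detection rule or a request filter would apply; `safe_resolve` is what the file-serving code itself should do, since a filter alone can be bypassed by an encoding it did not anticipate.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # constructed web root for the example


def fully_decode(value: str, max_rounds: int = 3):
    """Percent-decode until the value stops changing.
    Returns (decoded, rounds). rounds > 1 means the client double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify(file_param: str) -> str:
    """Label a raw request parameter: 'null-byte', 'double-encoding',
    'traversal' or 'ok'. Suitable for logging or alerting on requests."""
    decoded, rounds = fully_decode(file_param)
    if "\x00" in decoded:
        return "null-byte"
    if rounds > 1:
        return "double-encoding"
    # Treat backslashes like slashes so ..\ is caught as well as ../
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return "traversal"
    return "ok"


def safe_resolve(file_param: str, root: str = WEB_ROOT, allowed_ext: str = ".php"):
    """Return the absolute path to serve, or None if the request must be refused.
    Decodes first, refuses null bytes, strips any leading slash so the value
    cannot replace the root, normalizes '..' segments, then confirms the
    result is still inside root and carries the allowed extension."""
    decoded, _ = fully_decode(file_param)
    if "\x00" in decoded:
        return None
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    if not candidate.endswith(allowed_ext):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values of the file parameter, as they would arrive
    # in the query string before the framework decodes them.
    samples = [
        "page.php",
        "sub/%2E%2E/page.php",
        "../../etc/passwd%00",
        "%2E%2E%2F%2E%2E%2FWindows/system32/cmd.exe",
        "%252E%252E%252F%252E%252E%252FWindows/system32/cmd.exe",
        "..%5C..%5Cboot.ini",
    ]
    for s in samples:
        print(f"{s!r:60} {classify(s):16} -> {safe_resolve(s)}")
```

Two details matter in practice. The extension check runs on the resolved path, after the null byte has already been refused, so nothing the app appends later can be truncated away. And `sub/%2E%2E/page.php` is accepted because it normalizes to a file inside the root; the decision is made on where the path ends up, not on whether the string contains a suspicious sequence, which is why `safe_resolve` rather than `classify` should gate the actual file access.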

Exploitation Tools

When it comes to exploiting misconfigurations or other weaknesses in web apps, you are not limited to a browser. OWASP Zed Attack Proxy (ZAP) and the Browser Exploitation Framework (BeEF) are examples of tools that can automate the process of exploiting a number of web app vulnerabilities.