ch10_hacking web servers

Hands-On Ethical Hacking and Network DefenseChapter 10Hacking Web Servers

Hands-On Ethical Hacking and Network Defense

ObjectivesDescribe Web applicationsExplain Web application vulnerabilitiesDescribe the tools used to attack Web servers


Web ServersThe two main Web servers are Apache (Open source) and IIS (Microsoft)

Image from netcraft.com (link Ch 10c)


Understanding Web ApplicationsIt is nearly impossible to write a program without bugsSome bugs create security vulnerabilitiesWeb applications also have bugsWeb applications have a larger user base than standalone applicationsBugs are a bigger problem for Web applications


Web Application ComponentsStatic Web pagesCreated using HTMLDynamic Web pagesNeed special components tagsCommon Gateway Interface (CGI) scriptsActive Server Pages (ASP)PHPColdFusionScripting languages like JavaScriptODBC (Open Database connector)


Web FormsUse the element or tag in an HTML documentAllows customer to submit information to the Web serverWeb servers process information from a Web form by using a Web applicationEasy way for attackers to intercept data that users submit to a Web server


Web Forms (continued)Web form example

Enter your username:

Enter your password:


Common Gateway Interface (CGI)Handles moving data from a Web server to a Web browserThe majority of dynamic Web pages are created with CGI and scripting languagesDescribes how a Web server passes data to a Web browserRelies on Perl or another scripting language to create dynamic Web pages


CGI LanguagesCGI programs can be written in different programming and scripting languagesC or C++PerlUnix shell scriptingVisual BasicFORTRAN


Common Gateway Interface (CGI) (continued)CGI exampleWritten in PerlHello.plShould be placed in the cgi-bin directory on the Web server#!/usr/bin/perlprint "Content-type: text/html\n\n";print "Hello Security Testers!";


Another CGI ExampleLink Ch 10a: Sams Feedback FormLink Ch 10b: CGI Script in Perl that processes the data from the form


Active Server Pages (ASP)Microsofts server-side script engineHTML pages are staticalways the sameASP creates HTML pages as needed. They are not staticASP uses scripting languages such as JScript or VBScriptNot all Web servers support ASPIIS supports ASPApache doesnt support ASP as well


Active Server Pages (ASP)You cant see the source of an ASP page from a browserThis makes it harder to hack into, although not impossibleASP examples at links Ch 10d, e, f


Apache Web ServerApache is the most popular Web Server programAdvantagesStable and reliableWorks on just about any *NIX and Windows platformIt is free and open sourceSee links Ch 10g, 10h


Using Scripting LanguagesDynamic Web pages can be developed using scripting languagesVBScriptJavaScriptPHP


PHP: Hypertext Processor (PHP)Enables Web developers to create dynamic Web pagesSimilar to ASPOpen-source server-side scripting languageCan be embedded in an HTML Web page using PHP tags Users cannot see PHP code in their Web browserUsed primarily on UNIX systemsAlso supported on Macintosh and Microsoft platforms


PHP ExampleExample

See links Ch 10k, 10lPHP has known vulnerabilitiesSee links Ch 10m, 10nPHP is often used with MySQL Databases


ColdFusionServer-side scripting language used to develop dynamic Web pagesCreated by the Allaire CorporationPurchased by Macromedia, now owned by Adobe -- ExpensiveUses its own proprietary tags written in ColdFusion Markup Language (CFML)CFML Web applications can contain other technologies, such as HTML or JavaScript


ColdFusion ExampleEx

See links Ch 10o


ColdFusion VulnerabilitiesSee links Ch 10p, 10q


VBScriptVisual Basic Script is a scripting language developed by MicrosoftYou can insert VBScript commands into a static HTML page to make it dynamicProvides the power of a full programming languageExecuted by the clients browser


VBScript Example

document.write("Hello!")document.write("Date Activated: " & date())

See link Ch 10r works in IE, but not in FirefoxFirefox does not support VBScript (link Ch 10s)


VBScript vulnerabilitiesSee links Ch 10t, 10u


JavaScriptPopular scripting languageJavaScript also has the power of a programming languageBranchingLoopingTesting


JavaScript Example

function chastise_user(){alert("So, you like breaking rules?")document.getElementByld("cmdButton").focus()}

Don't click the button!

See link Ch 10v works in IE and Firefox


JavaScript VulnerabilitiesSee link Ch 10w


Connecting to DatabasesWeb pages can display information stored on databasesThere are several technologies used to connect databases with Web applicationsTechnology depends on the OS usedODBCOLE DBADOTheory is the same


Open Database Connectivity (ODBC)Standard database access method developed by the SQL Access GroupODBC interface allows an application to accessData stored in a database management system (DBMS)Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commandsInteroperability among back-end DBMS is a key feature of the ODBC interface


Open Database Connectivity (ODBC) (continued)ODBC definesStandardized representation of data typesA library of ODBC functionsStandard methods of connecting to and logging on to a DBMS


OLE DB and ADOObject Linking and Embedding Database (OLE DB) andActiveX Data Objects (ADO)These two more modern, complex technologies replace ODBC and make up"Microsofts Universal Data AccessSee link Ch 10x


Understanding Web Application VulnerabilitiesMany platforms and programming languages can be used to design a Web siteApplication security is as important as network security


Attackers controlling a Web server canDeface the Web siteDestroy or steal companys dataGain control of user accountsPerform secondary attacks from the Web siteGain root access to other applications or servers


Open Web Application Security Project (OWASP)Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applicationsPublishes the Ten Most Critical Web Application Security Vulnerabilities


Top-10 Web application vulnerabilitiesUnvalidated parametersHTTP requests from browsers that are not validated by the Web serverInserted form fields, cookies, headers, etc. (See link Ch 10y)Broken access controlDevelopers implement access controls but fail to test them properlyFor example, letting an authenticated user read another users files


Top-10 Web application vulnerabilities (continued)Broken account and session managementEnables attackers to compromise passwords or session cookies to gain access to accountsCross-site scripting (XSS) flawsAttackers inject code into a web page, such as a forum or guestbookWhen others user view the page, confidential information is stolen See link Ch 10zaBuffer overflowsIt is possible for an attacker to use C or C++ code that includes a buffer overflow


Top-10 Web application vulnerabilities (continued)Command injection flawsAn attacker can embed malicious code and run a program on the database serverExample: SQL InjectionError-handling problemsError messages may reveal information that an attacker can useInsecure use of cryptographyStoring keys, certificates, and passwords on a Web server can be dangerous


Top-10 Web application vulnerabilities (continued)Remote administration flawsAttacker can gain access to the Web server through the remote administration interfaceWeb and application server misconfigurationAny Web server software out of the box is usually vulnerable to attackDefault accounts and passwordsOverly informative error messages


Application Vulnerabilities Countermeasures (continued)WebGoat projectHelps security testers learn how to perform vulnerabilities testing on Web applicationsDeveloped by OWASPIts like HackThisSite without the helpful forumTutorials for WebGoat are being made, but they arent yet ready


Assessing Web ApplicationsIssues to considerDynamic Web pagesConnection to a backend database serverUser authentication What platform was used?


Does the Web Application Use Dynamic Web Pages?Static Web pages do not create a secure environmentIIS attack example: Directory TraversalAdding ..\ to a URL refers to a directory above the Web page directoryEarly versions of IIS filtered out \, but not %c1%9c, which is a Unicode version of the same characterSee link Ch 10 zh


Connection to a Backend Database ServerSecurity testers should check for the possibility of SQL injection being used to attack the systemSQL injection involves the attacker supplying SQL commands on a Web application field


SQL Injection ExampleHTML form collects name and pwSQL then uses those fields:SELECT * FROM customerWHERE username = name' AND password = pw' If a hacker enters a name of OR 1=1 --The SQL becomes:SELECT * FROM customerWHERE username = OR 1=1 --' AND password = pwWhich is always true, and returns all the records


HackThisSite


Connection to a Backend Database ServerBasic testing should look forWhether you can enter text with punctuation marksWhether you can enter a single quotation mark followed by any SQL keywordsWhether you can get any sort of database error when attempting to inject SQL


User AuthenticationMany Web applications require another server to authenticate usersExamine how information is passed between the two serversEncrypted channelsVerify that logon and password information is stored on secure placesAuthentication servers introduce a second target


What Platform Was Used?Popular platforms include:IIS with ASP and SQL Server (Microsoft)Linux, Apache, MySQL, and PHP (LAMP)Footprinting is used to find out the platformThe more you know about a system the easier it is to gather information about its vulnerabilities


Tools of Web Attackers and Security TestersChoose the right tools for the jobAttackers look for tools that enable them to attack the systemThey choose their tools based on the vulnerabilities found on a target system or application


Web ToolsCgiscan.c: CGI scanning toolWritten in C in 1999 by Bronc BusterTool for searching Web sites for CGI scripts that can be exploitedOne of the best tools for scanning the Web for systems with CGI vulnerabilitiesSee link Ch 10zi


cgiscan and WebGoat


Web Tools (continued)Phfscan.cWritten to scan Web sites looking for hosts that could be exploited by the PHF bugThe PHF bug enables an attacker to download the victims /etc/passwd fileIt also allows attackers to run programs on the victims Web server by using a particular URLSee links Ch 10zj, 10 zk


Web Tools (continued)Wfetch: GUI tool from MicrosoftDisplays information that is not normally shown in a browser, such as HTTP headersIt also attempts authentication usingMultiple HTTP methodsConfiguration of host name and TCP portHTTP 1.0 and HTTP 1.1 supportAnonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication typesMultiple connection typesProxy supportClient-certificate supportSee link Ch 10zl


ch10_hacking web servers

Documents

hacking web servershands

handson ethical hacking

web browserrelies

web applicationshands

web serverhands

network defensehands

network defensechapter

main web servers