Hacking Web Servers

April 15, 2010

MIS 4600 – MBA 5880 - © Abdou Illia


Objectives

- Describe Web applications
- Explain Web application vulnerabilities
- Describe the tools used to attack Web servers


Web Applications components

- Static Web pages
  - Created using HTML
- Dynamic Web pages
  - Need special components
    - <form> tags
    - Common Gateway Interface (CGI)
    - Active Server Pages (ASP)
    - PHP
    - ColdFusion
    - Scripting languages
    - Database connectors


Active Server Pages (ASP)

- With ASP, developers can display HTML documents to users on the fly
- Main difference from pure HTML pages
  - When a user requests a Web page, one is created at that time
- ASP uses scripting languages such as JScript or VBScript
- Not all Web servers support ASP


Active Server Pages (ASP) (continued)

ASP example

    <HTML>
    <HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
    <BODY>
    <H1>Hello, security professionals</H1>
    The time is <% = Time %>.
    </BODY>
    </HTML>

- Microsoft does not want users to be able to view an ASP Web page’s source code
  - This can create serious security problems


Apache Web Server

- Tomcat Apache is another Web Server program
- Tomcat Apache hosts anywhere from 50% to 60% of all Web sites
- Advantages
  - Works on just about any *NIX and Windows platform
  - It is free
- Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)


Using Scripting Languages

- Dynamic Web pages can be developed using scripting languages
  - VBScript
  - JavaScript
  - PHP


PHP: Hypertext Processor (PHP)

- Enables Web developers to create dynamic Web pages
  - Similar to ASP
- Open-source server-side scripting language
  - Can be embedded in an HTML Web page using PHP tags <?php and ?>
  - Users cannot see PHP code on their Web browser
- Used primarily on UNIX systems
  - Also supported on Macintosh and Microsoft platforms


PHP: Hypertext Processor (cont.)

PHP example

    <html>
    <head>
    <title>My First PHP Program </title>
    </head>
    <body>
    <?php echo '<h1>Hello, Security Testers!</h1>'; ?>
    </body>
    </html>

- As a security tester you should look for PHP vulnerabilities


VBScript

- Visual Basic Script is a scripting language developed by Microsoft
- Converts static Web pages into dynamic Web pages
- Takes advantage of the power of a full programming language
- VBScript is also prone to security vulnerabilities
- Check the Microsoft Security Bulletin for information about VBScript vulnerabilities


VBScript (cont.)

VBScript example

    <html>
    <body>
    <script type="text/vbscript">
    document.write("<h1>Hello Security Testers!</h1>")
    document.write("Date Activated: " & date())
    </script>
    </body>
    </html>


JavaScript

- Popular scripting language
- JavaScript also has the power of a programming language
  - Branching
  - Looping
  - Testing
- Variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers


JavaScript (continued)

JavaScript example

    <html>
    <head>
    <script type="text/javascript">
    function chastise_user() {
        alert("So, you like breaking rules?");
        // Return focus to the button once the alert is dismissed
        document.getElementById("cmdButton").focus();
    }
    </script>
    </head>
    <body>
    <h3>"If you are a Security Tester, please do not click the command button below!"</h3>
    <form>
    <input type="button" value="Don't Click!" id="cmdButton" name="cmdButton" onClick="chastise_user()" />
    </form>
    </body>
    </html>


SQL injection attacks

Imagine this form


    <form name="Validate" action="validate.asp" method="post">
    Username: <input type="text" name="username">
    Password: <input type="text" name="password">
    <input type="submit">
    </form>

Validate.asp

    <%
    Dim username, password, sql_statement
    Dim comm, rs
    ' Read the submitted form fields
    username = request.Form("username")
    password = request.Form("password")
    Set comm = server.createObject("ADODB.Connection")
    Set rs = server.createObject("ADODB.Recordset")
    ' User input is concatenated directly into the SQL text
    sql_statement = "SELECT * FROM customer WHERE tblusername = '" & username & "' AND tblpassword = '" & password & "'"
    comm.Open "provider=SQLOLEDB; Data Source=(local); Initial Catalog=CustomerDB; User Id=sa; Password="
    rs.Open sql_statement, comm
    If Not rs.eof Then
        response.write "Welcome!"
    Else
        response.write "Please reenter your username and password"
    End If
    %>


SQL injection

- If Bob logged on with his credential, the SELECT statement would look like:

    SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'

- If Bob entered the following when prompted: ' OR 1=1 --
- Then the SQL statement would be

    SELECT * FROM customer WHERE tblusername = '' OR 1=1 -- ' AND tblpassword = ''

- Because 1=1 is true, the query will be successful. Double hyphens (--) are used to represent a comment in SQL
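
The login check from Validate.asp next to a parameterized version, as an added example that is not part of the original slides. It assumes Python's sqlite3 in place of ASP/ADO and SQL Server; the function names and the in-memory table contents are constructed for illustration.

```python
import sqlite3

INJECTION = "' OR 1=1 --"  # the input shown on the slide


def make_db():
    """In-memory stand-in for the slides' customer table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (tblusername TEXT, tblpassword TEXT)")
    db.execute("INSERT INTO customer VALUES ('bob', 'password')")
    return db


def build_statement(username, password):
    """Concatenate user input into the SQL text, as Validate.asp does."""
    return ("SELECT * FROM customer WHERE tblusername = '" + username +
            "' AND tblpassword = '" + password + "'")


def login_concatenated(db, username, password):
    """Vulnerable check: the input is parsed as part of the statement."""
    return db.execute(build_statement(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened check: placeholders bind the input as data only."""
    row = db.execute(
        "SELECT 1 FROM customer WHERE tblusername = ? AND tblpassword = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_statement(INJECTION, ""))
    for name, pw in [("bob", "password"), ("bob", "wrong"), (INJECTION, "")]:
        print(repr(name),
              "concatenated:", login_concatenated(db, name, pw),
              "parameterized:", login_parameterized(db, name, pw))
    # A harmless apostrophe also breaks the concatenated statement.
    try:
        login_concatenated(db, "o'brien", "x")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed to parse:", exc)
    print("parameterized:", login_parameterized(db, "o'brien", "x"))
```
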
