Hacking Web Servers
April 15, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Web Applications components
Static Web pages
    Created using HTML
Dynamic Web pages
    Need special components
        <form> tags
        Common Gateway Interface (CGI)
        Active Server Pages (ASP)
        PHP
        ColdFusion
        Scripting languages
        Database connectors
Active Server Pages (ASP)
With ASP, developers can display HTML documents to users on the fly
Main difference from pure HTML pages
    When a user requests a Web page, one is created at that time
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
Active Server Pages (ASP) (continued)
ASP example
    <HTML>
    <HEAD><TITLE> My First ASP Web Page </TITLE></HEAD>
    <BODY>
    <H1>Hello, security professionals</H1>
    The time is <% = Time %>.
    </BODY>
    </HTML>
Microsoft does not want users to be able to view an ASP Web page’s source code
    This can create serious security problems
Apache Web Server
Tomcat Apache is another Web Server program
Tomcat Apache hosts anywhere from 50% to 60% of all Web sites
Advantages
    Works on just about any *NIX and Windows platform
    It is free
Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)
Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
    VBScript
    JavaScript
    PHP
PHP: Hypertext Processor (PHP)
Enables Web developers to create dynamic Web pages
    Similar to ASP
Open-source server-side scripting language
    Can be embedded in an HTML Web page using PHP tags <?php and ?>
Users cannot see PHP code on their Web browser
Used primarily on UNIX systems
    Also supported on Macintosh and Microsoft platforms
PHP: Hypertext Processor (cont.)
PHP example
    <html>
    <head>
    <title>My First PHP Program </title>
    </head>
    <body>
    <?php echo '<h1>Hello, Security Testers!</h1>'; ?>
    </body>
    </html>
As a security tester you should look for PHP vulnerabilities
VBScript
Visual Basic Script is a scripting language developed by Microsoft
Converts static Web pages into dynamic Web pages
Takes advantage of the power of a full programming language
VBScript is also prone to security vulnerabilities
Check the Microsoft Security Bulletin for information about VBScript vulnerabilities
VBScript (cont.)
VBScript example
    <html>
    <body>
    <script type="text/vbscript">
    document.write("<h1>Hello Security Testers!</h1>")
    document.write("Date Activated: " & date())
    </script>
    </body>
    </html>
JavaScript
Popular scripting language
JavaScript also has the power of a programming language
    Branching
    Looping
    Testing
Variety of vulnerabilities exist for JavaScript that have been exploited in older Web browsers
JavaScript (continued)
JavaScript example
    <html>
    <head>
    <script type="text/javascript">
    function chastise_user() {
        alert("So, you like breaking rules?");
        // Return focus to the button once the alert is dismissed
        document.getElementById("cmdButton").focus();
    }
    </script>
    </head>
    <body>
    <h3>"If you are a Security Tester, please do not click the command button below!"</h3>
    <form>
    <input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
    </form>
    </body>
    </html>
SQL injection attacks
Imagine this form
    <form name="Validate" action="validate.asp" method="post">
    Username: <input type="text" name="username">
    Password: <input type="text" name="password">
    <input type="submit">
    </form>
Validate.asp
    Dim username, password, sql_statement
    Dim comm, rs
    username = Request.Form("username")
    password = Request.Form("password")
    Set comm = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")
    ' User input is concatenated directly into the SQL text
    sql_statement = "SELECT * FROM customer WHERE tblusername = '" & username & "' AND tblpassword = '" & password & "'"
    comm.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=CustomerDB; User Id=sa; Password="
    rs.Open sql_statement, comm
    If Not rs.EOF Then
        Response.Write "Welcome!"
    Else
        Response.Write "Please reenter your username and password"
    End If
SQL injection
If Bob logged on with his credentials, the SELECT statement would look like:
    SELECT * FROM customer WHERE tblusername = 'bob' AND tblpassword = 'password'
If Bob entered the following when prompted:
    ' OR 1=1 --
Then the SQL statement would be
    SELECT * FROM customer WHERE tblusername = '' OR 1=1 --' AND tblpassword = ''
Because 1=1 is true, the query will be successful.
Double hyphens (--) are used to represent a comment in SQL, so the rest of the statement, including the password check, is ignored